fix(Makefile): exclude specific directories from gomod_paths search

fix(api): prevent timeout during agent verification
Send early HTTP 100 Continue response before processing to avoid timeouts, and propagate request context through the verification flow for proper cancellation handling.
2026-02-02 08:43:39 +01:00 · 2026-01-31 23:49:47 +08:00 · 2026-01-31 19:11:48 +08:00 · 2026-01-31 18:57:15 +08:00 · 2026-01-31 18:56:16 +08:00 · 2026-01-31 18:51:15 +08:00
6 changed files with 34 additions and 7 deletions
--- a/2
+++ b/2
@@ -92,7 +92,7 @@ docker-build-test:

 go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
 files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
-gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
+gomod_paths := $(shell find . -name go.mod -type f | grep -vE '^./internal/(go-oidc|go-proxmox|gopsutil)/' | xargs dirname)

 update-go:
 	for file in ${files}; do \
--- a/internal/api/v1/agent/verify.go
+++ b/internal/api/v1/agent/verify.go
@@ -1,6 +1,7 @@
 package agentapi

 import (
+	"context"
 	"fmt"
 	"net/http"
 	"os"
@@ -36,6 +37,9 @@ type VerifyNewAgentRequest struct {
 // @Failure		500		{object}	ErrorResponse
 // @Router			/agent/verify [post]
 func Verify(c *gin.Context) {
+	// avoid timeout waiting for response headers
+	c.Status(http.StatusContinue)
+
 	var request VerifyNewAgentRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
@@ -60,7 +64,7 @@ func Verify(c *gin.Context) {
 		return
 	}

-	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
+	nRoutesAdded, err := verifyNewAgent(c.Request.Context(), request.Host, ca, client, request.ContainerRuntime)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
@@ -82,7 +86,7 @@ func Verify(c *gin.Context) {

 var errAgentAlreadyExists = gperr.New("agent already exists")

-func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+func verifyNewAgent(ctx context.Context, host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
 	var agentCfg agent.AgentConfig
 	agentCfg.Addr = host
 	agentCfg.Runtime = containerRuntime
@@ -99,7 +103,7 @@ func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, contain
 		return 0, errAgentAlreadyExists
 	}

-	err := agentCfg.InitWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
+	err := agentCfg.InitWithCerts(ctx, ca.Cert, client.Cert, client.Key)
 	if err != nil {
 		return 0, gperr.Wrap(err, "failed to initialize agent config")
 	}
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -222,8 +222,9 @@ func (p *Provider) ObtainCertIfNotExistsAll() error {
 		})
 	}

+	err := errs.Wait().Error()
 	p.rebuildSNIMatcher()
-	return errs.Wait().Error()
+	return err
 }

 // obtainCertIfNotExists obtains a new certificate for this provider if it does not exist.
@@ -261,7 +262,10 @@ func (p *Provider) ObtainCertAll() error {
 			return nil
 		})
 	}
-	return errs.Wait().Error()
+
+	err := errs.Wait().Error()
+	p.rebuildSNIMatcher()
+	return err
 }

 // ObtainCert renews existing certificate or obtains a new certificate for this provider.
--- a/internal/health/check/stream.go
+++ b/internal/health/check/stream.go
@@ -12,6 +12,14 @@ import (
 )

 func Stream(ctx context.Context, url *url.URL, timeout time.Duration) (types.HealthCheckResult, error) {
+	if port := url.Port(); port == "" || port == "0" {
+		return types.HealthCheckResult{
+			Latency: 0,
+			Healthy: false,
+			Detail:  "no port specified",
+		}, nil
+	}
+
 	dialer := net.Dialer{
 		Timeout:       timeout,
 		FallbackDelay: -1,
--- a/internal/route/route.go
+++ b/internal/route/route.go
@@ -254,7 +254,7 @@ func (r *Route) validate() gperr.Error {
 	}

 	// return error if route is localhost:<godoxy_port> but route is not agent
-	if !r.IsAgent() {
+	if !r.IsAgent() && !r.ShouldExclude() {
 		switch r.Host {
 		case "localhost", "127.0.0.1":
 			switch r.Port.Proxy {
@@ -749,6 +749,7 @@ const (
 	ExcludedReasonNoPortSpecified
 	ExcludedReasonBlacklisted
 	ExcludedReasonBuildx
+	ExcludedReasonYAMLAnchor
 	ExcludedReasonOld
 )

@@ -768,6 +769,8 @@ func (re ExcludedReason) String() string {
 		return "Blacklisted (backend service or database)"
 	case ExcludedReasonBuildx:
 		return "Buildx"
+	case ExcludedReasonYAMLAnchor:
+		return "YAML anchor or reference"
 	case ExcludedReasonOld:
 		return "Container renaming intermediate state"
 	default:
@@ -802,6 +805,12 @@ func (r *Route) findExcludedReason() ExcludedReason {
 	} else if r.IsZeroPort() && r.Scheme != route.SchemeFileServer {
 		return ExcludedReasonNoPortSpecified
 	}
+	// this should happen on validation API only,
+	// those routes are removed before validation.
+	// see removeXPrefix in provider/file.go
+	if strings.HasPrefix(r.Alias, "x-") { // for YAML anchors and references
+		return ExcludedReasonYAMLAnchor
+	}
 	if strings.HasSuffix(r.Alias, "-old") {
 		return ExcludedReasonOld
 	}
--- a/socket-proxy.Dockerfile
+++ b/socket-proxy.Dockerfile
@@ -49,5 +49,7 @@ COPY --from=builder /app/run /app/run

 WORKDIR /app

+LABEL proxy.#1.healthcheck.disable=true
+
 ENV LISTEN_ADDR=0.0.0.0:2375
 CMD ["/app/run"]
Author	SHA1	Message	Date
yusing	fb96a2a4f1	fix(Makefile): exclude specific directories from gomod_paths search	2026-01-31 23:49:47 +08:00
yusing	fdfb682e2a	fix(api): prevent timeout during agent verification Send early HTTP 100 Continue response before processing to avoid timeouts, and propagate request context through the verification flow for proper cancellation handling.	2026-01-31 19:11:48 +08:00
yusing	8d56c61826	fix(autocert): rebuild SNI matcher after ObtainCertAll operations The ObtainCertAll method was missing a call to rebuildSNIMatcher(), which could leave the SNI configuration stale after certificate renewals. Both ObtainCertIfNotExistsAll and ObtainCertAll now consistently rebuild the SNI matcher after their operations. This was introduced in `3ad6e98a17`, not a bug fix for previous version	2026-01-31 18:57:15 +08:00
yusing	d1fca7e987	feat(route): add YAML anchor exclusion reason Add ExcludedReasonYAMLAnchor to explicitly identify routes with "x-" prefix used for YAML anchors and references. These routes are removed before validation.	2026-01-31 18:56:16 +08:00
yusing	95f88a6f3c	fix(route): allow excluded routes to use localhost addresses Routes marked for exclusion should bypass normal validation checks, including the restriction on localhost/127.0.0.1 hostnames.	2026-01-31 18:51:15 +08:00
yusing	c0e2cf63b5	fix(health/check): validate URL port before dialing in Stream check Add port validation to return an unhealthy result with descriptive message when URL has no port specified, preventing potential dialing errors on zero port.	2026-01-31 18:50:13 +08:00
yusing	6388d07f64	chore: disable godoxy health checking for socket-proxy	2026-01-31 17:09:00 +08:00
yusing	15e50322c9	feat(autocert): generate unique ACME key paths per CA directory URL Previously, ACME keys were stored at a single default path regardless of which CA directory URL was configured. This caused key conflicts when using multiple different ACME CAs. Now, the key path is derived from a SHA256 hash of the CA directory URL, allowing each CA to have its own key file: - Default CA (Let's Encrypt): certs/acme.key - Custom CA: certs/acme_<url_hash_16chars>.key This enables running certificates against multiple ACME providers without key collision issues.	2026-01-31 16:49:44 +08:00
yusing	3ad6e98a17	fix(autocert): correct ObtainCert error handling - ObtainCertIfNotExistsAll longer fail on fs.ErrNotExists - Separate public LoadCertAll (loads all providers) from private loadCert - LoadCertAll now uses allProviders() for iteration - Updated tests to use LoadCertAll	2026-01-31 16:49:37 +08:00