feat: hCaptcha middleware

- moved maxmind to separate module
- code refactored
- simplified test

.env.example

@@ -1,27 +1,33 @@
+# docker image tag (latest, nightly)
+TAG=latest
+
 # set timezone to get correct log timestamp
 TZ=ETC/UTC
 
+# container uid and gid (must match the owner of mounted directories)
+GODOXY_UID=1000
+GODOXY_GID=1000
+
+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
 # API/WebUI user password login credentials (optional)
 # These fields are not required for OIDC authentication
 GODOXY_API_USER=admin
 GODOXY_API_PASSWORD=password
 
-# Enable `secure` cookie flag
-GODOXY_API_JWT_SECURE=true
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-# the JWT token time-to-live
-GODOXY_API_JWT_TOKEN_TTL=1h
-
 # OIDC Configuration (optional)
 # Uncomment and configure these values to enable OIDC authentication.
+#
 # GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
 # GODOXY_OIDC_CLIENT_ID=your-client-id
 # GODOXY_OIDC_CLIENT_SECRET=your-client-secret
-# Keep /api/auth/callback as the redirect URL, change the domain to match your setup.
-# GODOXY_OIDC_REDIRECT_URL=https://your-domain/api/auth/callback
-# Comma-separated list of scopes
-# GODOXY_OIDC_SCOPES=openid, profile, email
+# GODOXY_OIDC_SCOPES=openid, profile, email, groups # you may also include `offline_access` if your Idp supports it (e.g. Authentik, Pocket ID)
 #
 # User definitions: Uncomment and configure these values to restrict access to specific users or groups.
 # These two fields act as a logical AND operator. For example, given the following membership:
@@ -42,14 +48,29 @@ GODOXY_API_JWT_TOKEN_TTL=1h
 GODOXY_HTTP_ADDR=:80
 GODOXY_HTTPS_ADDR=:443
 
+# Enable HTTP3
+GODOXY_HTTP3_ENABLED=true
+
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888
 
+# Metrics
+GODOXY_METRICS_DISABLE_CPU=false
+GODOXY_METRICS_DISABLE_MEMORY=false
+GODOXY_METRICS_DISABLE_DISK=false
+GODOXY_METRICS_DISABLE_NETWORK=false
+GODOXY_METRICS_DISABLE_SENSORS=false
+
 # Frontend listening port
 GODOXY_FRONTEND_PORT=3000
 
-# Prometheus Metrics
-GODOXY_PROMETHEUS_ENABLED=true
+# Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
+GODOXY_FRONTEND_ALIASES=godoxy
+
+# Docker socket
+# /var/run/podman/podman.sock for podman
+DOCKER_SOCKET=/var/run/docker.sock
+SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375
 
 # Debug mode
 GODOXY_DEBUG=false

.github/workflows/agent-binary.yml

@@ -36,9 +36,6 @@ jobs:
       - name: Check binary
         run: |
           file bin/${{ matrix.binary_name }}
-      - name: Test
-        run: |
-          go test -v ./agent/...
       - name: Upload
         uses: actions/upload-artifact@v4
         with:

.gitignore

@@ -29,6 +29,8 @@ todo.md
 .aider*
 mtrace.json
 .env
+.cursorrules
+.windsurfrules
 test.Dockerfile
 
 node_modules/

.vscode/settings.example.json

@@ -1,10 +1,10 @@
 {
   "yaml.schemas": {
-    "https://github.com/yusing/go-proxy/raw/main/schemas/config.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/config.schema.json": [
       "config.example.yml",
       "config.yml"
     ],
-    "https://github.com/yusing/go-proxy/raw/main/schemas/routes.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/routes.schema.json": [
       "providers.example.yml"
     ]
   }

Dockerfile

@@ -6,12 +6,14 @@ HEALTHCHECK NONE
 # trunk-ignore(hadolint/DL3018)
 RUN apk add --no-cache tzdata make libcap-setcap
 
+ENV GOPATH=/root/go
+
 WORKDIR /src
 
-# Only copy go.mod and go.sum initially for better caching
-COPY go.mod go.sum /src/
+COPY go.mod go.sum ./
+COPY agent ./agent
+COPY internal/dnsproviders ./internal/dnsproviders
 
-ENV GOPATH=/root/go
 RUN go mod download -x
 
 # Stage 2: builder
@@ -24,7 +26,6 @@ COPY cmd ./cmd
 COPY internal ./internal
 COPY pkg ./pkg
 COPY agent ./agent
-COPY migrations ./migrations
 
 ARG VERSION
 ENV VERSION=${VERSION}
@@ -34,9 +35,8 @@ ENV MAKE_ARGS=${MAKE_ARGS}
 
 ENV GOCACHE=/root/.cache/go-build
 ENV GOPATH=/root/go
-RUN make ${MAKE_ARGS} build link-binary && \
-    mv bin /app/ && \
-    mkdir -p /app/error_pages /app/certs
+
+RUN make ${MAKE_ARGS} docker=1 build
 
 # Stage 3: Final image
 FROM scratch
@@ -48,10 +48,7 @@ LABEL proxy.exclude=1
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 
 # copy binary
-COPY --from=builder /app /app
-
-# copy example config
-COPY config.example.yml /app/config/config.yml
+COPY --from=builder /app/run /app/run
 
 # copy certs
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs
@@ -60,4 +57,4 @@ ENV DOCKER_HOST=unix:///var/run/docker.sock
 
 WORKDIR /app
 
-CMD ["/app/run"]
+CMD ["/app/run"]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 [fullname]
+Copyright (c) 2024 - present Yusing
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -19,3 +19,27 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
+
+---
+
+internal/net/gphttp/reverseproxy/reverse_proxy_mod.go is copied from et/http/httputil/reverseproxy.go with modifications to adapt to this project.
+
+Copyright 2011 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+---
+
+internal/utils/io.go has a modified version of io.Copy with context and HTTP flusher handling.
+
+Copyright 2009 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+---
+
+internal/utils/strutils/split_join.go is copied from strings.Split and strings.Join with modifications to adapt to this project.
+
+Copyright 2009 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.

Makefile

@@ -1,3 +1,4 @@
+shell := /bin/sh
 export VERSION ?= $(shell git describe --tags --abbrev=0)
 export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux
@@ -7,10 +8,12 @@ LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
 
 ifeq ($(agent), 1)
 	NAME = godoxy-agent
-	CMD_PATH = ./agent/cmd
+	CMD_PATH = ./cmd
+	PWD = ${shell pwd}/agent
 else
 	NAME = godoxy
 	CMD_PATH = ./cmd
+	PWD = ${shell pwd}
 endif
 
 ifeq ($(trace), 1)
@@ -40,6 +43,7 @@ else
 endif
 
 BUILD_FLAGS += -ldflags='$(LDFLAGS)'
+BIN_PATH := $(shell pwd)/bin/${NAME}
 
 export NAME
 export CMD_PATH
@@ -50,21 +54,35 @@ export GODEBUG
 export GORACE
 export BUILD_FLAGS
 
+ifeq ($(shell id -u), 0)
+	SETCAP_CMD = setcap
+else
+	SETCAP_CMD = sudo setcap
+endif
+
+
+# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
+ifeq ($(docker), 1)
+	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
+endif
+
 .PHONY: debug
 
 test:
 	GODOXY_TEST=1 go test ./internal/...
 
+docker-build-test:
+	docker build -t godoxy .
+	docker build --build-arg=MAKE_ARGS=agent=1 -t godoxy-agent .
+
 get:
-	go get -u ./cmd && go mod tidy
+	for dir in ${PWD} ${PWD}/agent; do cd $$dir && go get -u ./... && go mod tidy; done
 
 build:
-	mkdir -p bin
-	go build ${BUILD_FLAGS} -o bin/${NAME} ${CMD_PATH}
-	if [ $(shell id -u) -eq 0 ]; \
-		then setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
-		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
-	fi
+	mkdir -p $(shell dirname ${BIN_PATH})
+	cd ${PWD} && go build ${BUILD_FLAGS} -o ${BIN_PATH} ${CMD_PATH}
+	${POST_BUILD}
 
 run:
 	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}
@@ -74,7 +92,7 @@ debug:
 	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
 
 mtrace:
-	bin/godoxy debug-ls-mtrace > mtrace.json
+	 ${BIN_PATH} debug-ls-mtrace > mtrace.json
 
 rapid-crash:
 	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
@@ -91,8 +109,5 @@ ci-test:
 cloc:
 	cloc --not-match-f '_test.go$$' cmd internal pkg
 
-link-binary:
-	ln -s /app/${NAME} bin/run
-
 push-github:
 	git push origin $(shell git rev-parse --abbrev-ref HEAD)

README.md

@@ -5,14 +5,16 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
-![Demo](https://img.shields.io/website?url=https%3A%2F%2Fgodoxy.demo.6uo.me&label=Demo&link=https%3A%2F%2Fgodoxy.demo.6uo.me)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
 
 A lightweight, simple, and [performant](https://github.com/yusing/godoxy/wiki/Benchmarks) reverse proxy with WebUI.
 
-For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki)**
+<h5>
+<a href="https://docs.godoxy.dev">Website</a> | <a href="https://docs.godoxy.dev/Home.html">Wiki</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
+</h5>
 
-**EN** | <a href="README_CHT.md">中文</a>
+<h5>EN | <a href="README_CHT.md">中文</a></h5>
 
 <img src="screenshots/webui.jpg" style="max-width: 650">
 
@@ -27,8 +29,8 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
   - [Running demo](#running-demo)
   - [Key Features](#key-features)
   - [Prerequisites](#prerequisites)
-  - [How does GoDoxy work](#how-does-godoxy-work)
   - [Setup](#setup)
+  - [How does GoDoxy work](#how-does-godoxy-work)
   - [Screenshots](#screenshots)
     - [idlesleeper](#idlesleeper)
     - [Metrics and Logs](#metrics-and-logs)
@@ -38,46 +40,52 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
 
 ## Running demo
 
-<https://godoxy.demo.6uo.me>
+<https://demo.godoxy.dev>
 
 [![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
 
 ## Key Features
 
-- Easy to use
-  - Effortless configuration
-  - Simple multi-node setup with GoDoxy agents or Docker Socket Proxies
-  - Error messages is clear and detailed, easy troubleshooting
-- **Auto SSL** with Let's Encrypt (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
-- **Auto hot-reload** on container state / config file changes
-- **Container aware**: create routes dynamically from running docker containers
-- **idlesleeper**: stop and wake containers based on traffic _(optional, see [screenshots](#idlesleeper))_
-- HTTP reserve proxy and TCP/UDP port forwarding
-- **OpenID Connect integration**: SSO and secure your apps easily
-- [HTTP middleware](https://github.com/yusing/go-proxy/wiki/Middlewares) and [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
-- **Web UI with App dashboard, config editor, _uptime and system metrics_, _docker logs viewer_**
-- Supports **linux/amd64** and **linux/arm64**
-- Written in **[Go](https://go.dev)**
+- **Simple**
+  - Effortless configuration with [simple labels](https://github.com/yusing/godoxy/wiki/Docker-labels-and-Route-Files) or WebUI
+  - [Simple multi-node setup](https://github.com/yusing/godoxy/wiki/Configurations#multi-docker-nodes-setup)
+  - Detailed error messages for easy troubleshooting.
+- **ACL**: connection / request level access control
+  - IP/CIDR
+  - Country **(Maxmind account required)**
+  - Timezone **(Maxmind account required)**
+  - **Access logging**
+- **Advanced Automation**
+  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
+  - Auto-configuration for Docker containers
+  - Hot-reloading of configurations and container state changes
+- **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
+  - Docker containers
+  - Proxmox LXCs
+- **Traffic Management**
+  - HTTP reserve proxy
+  - TCP/UDP port forwarding
+  - **OpenID Connect support**: SSO and secure your apps easily
+- **Customization**
+  - [HTTP middlewares](https://github.com/yusing/go-proxy/wiki/Middlewares)
+  - [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+- **Web UI**
+  - App Dashboard
+  - Config Editor
+  - Uptime and System Metrics
+  - Docker Logs Viewer
+- **Cross-Platform support**
+  - Supports **linux/amd64** and **linux/arm64**
+- **Efficient and Performant**
+  - Written in **[Go](https://go.dev)**
 
 ## Prerequisites
 
-Setup Wildcard DNS Record(s) for machine running `GoDoxy`, e.g.
+Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 
 - A Record: `*.domain.com` -> `10.0.10.1`
 - AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`
 
-## How does GoDoxy work
-
-1. List all the containers
-2. Read container name, labels and port configurations for each of them
-3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
-4. Watch for container / config changes and update automatically
-
-> [!NOTE]
-> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
->
-> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
-
 ## Setup
 
 > [!NOTE]
@@ -89,12 +97,24 @@ Setup Wildcard DNS Record(s) for machine running `GoDoxy`, e.g.
 
 2. Run setup script inside the directory, or [set up manually](#manual-setup)
 
-    ```shell
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
-    ```
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```
 
 3. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
 
+## How does GoDoxy work
+
+1. List all the containers
+2. Read container name, labels and port configurations for each of them
+3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
+4. Watch for container / config changes and update automatically
+
+> [!NOTE]
+> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
+>
+> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
+
 ## Screenshots
 
 ### idlesleeper

README_CHT.md

@@ -5,14 +5,16 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-![Demo](https://img.shields.io/website?url=https%3A%2F%2Fgodoxy.demo.6uo.me&label=Demo&link=https%3A%2F%2Fgodoxy.demo.6uo.me)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
 
 輕量、易用、 [高效能](https://github.com/yusing/godoxy/wiki/Benchmarks)，且帶有主頁和配置面板的反向代理
 
-完整文檔請查閱 **[Wiki](https://github.com/yusing/godoxy/wiki)**（暫未有中文翻譯）
+<h5>
+<a href="https://docs.godoxy.dev">網站</a> | <a href="https://docs.godoxy.dev/Home.html">文檔</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
+</h5>
 
-<a href="README.md">EN</a> | **中文**
+<h5><a href="README.md">EN</a> | 中文</h5>
 
 <img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
 
@@ -37,7 +39,7 @@
 
 ## 運行示例
 
-<https://godoxy.demo.6uo.me>
+<https://demo.godoxy.dev>
 
 [![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
 
@@ -52,13 +54,13 @@
 - 容器狀態/配置文件變更時自動熱重載
 - **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
 - OpenID Connect：輕鬆實現單點登入
-- HTTP(s) 反向代理和TCP 和 UDP 埠轉發
+- HTTP(s) 反向代理和 TCP 和 UDP 埠轉發
 - [HTTP 中介軟體](https://github.com/yusing/godoxy/wiki/Middlewares) 和 [自定義錯誤頁面](https://github.com/yusing/godoxy/wiki/Middlewares#custom-error-pages)
 - **網頁介面，具有應用儀表板和配置編輯器**
 - 支援 linux/amd64、linux/arm64
 - 使用 **[Go](https://go.dev)** 編寫
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)
 
 ## 前置需求
 
@@ -78,13 +80,13 @@
 
 2. 在目錄內運行安裝腳本，或[手動安裝](#手動安裝)
 
-    ```shell
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
-    ```
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```
 
 3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)
 
 ### 手動安裝
 
@@ -127,7 +129,7 @@
 
 ![閒置休眠](screenshots/idlesleeper.webp)
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)
 
 ### 監控
 
@@ -166,4 +168,4 @@
 
 5. 使用 `make build` 編譯二進制檔案
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)

agent/go.mod

@@ -0,0 +1,91 @@
+module github.com/yusing/go-proxy/agent
+
+go 1.24.2
+
+replace github.com/yusing/go-proxy => ..
+
+require (
+	github.com/coder/websocket v1.8.13
+	github.com/docker/docker v28.1.1+incompatible
+	github.com/rs/zerolog v1.34.0
+	github.com/stretchr/testify v1.10.0
+	github.com/yusing/go-proxy v0.12.0
+)
+
+replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
+
+replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/PuerkitoBio/goquery v1.10.3 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.6.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/docker/cli v28.1.1+incompatible // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-acme/lego/v4 v4.23.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.26.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-yaml v1.17.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/gotify/server/v2 v2.6.3 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lithammer/fuzzysearch v1.1.8 // indirect
+	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/luthermonson/go-proxmox v0.2.2 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/quic-go v0.51.0 // indirect
+	github.com/samber/lo v1.50.0 // indirect
+	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.4 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/spf13/afero v1.14.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/vincent-petithory/dataurl v1.0.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.2 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

agent/go.sum

@@ -0,0 +1,338 @@
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
+github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
+github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
+github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
+github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
+github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/diskfs/go-diskfs v1.6.0 h1:YmK5+vLSfkwC6kKKRTRPGaDGNF+Xh8FXeiNHwryDfu4=
+github.com/diskfs/go-diskfs v1.6.0/go.mod h1:bRFumZeGFCO8C2KNswrQeuj2m1WCVr4Ms5IjWMczMDk=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
+github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
+github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
+github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
+github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
+github.com/go-acme/lego/v4 v4.23.1 h1:lZ5fGtGESA2L9FB8dNTvrQUq3/X4QOb8ExkKyY7LSV4=
+github.com/go-acme/lego/v4 v4.23.1/go.mod h1:7UMVR7oQbIYw6V7mTgGwi4Er7B6Ww0c+c8feiBM0EgI=
+github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
+github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
+github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
+github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
+github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1 h1:fsSqE28vU0PRkq9FdekirRoDBeYJ+UaJ9dTErdXflWg=
+github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1/go.mod h1:av6ggKWQz6SEkFyShjDEgVqiIB0RHvEQNIkPeqgJEeE=
+github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97 h1:i52gBYamrKs4DHT1+SiobW2im5UgTMVXK1KIL1djSeA=
+github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97/go.mod h1:XvbfPmmrdpLrsKwj3irYkxt5ygyMcDsTQTJ7cnZ9RNQ=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4=
+github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gotify/server/v2 v2.6.3 h1:2sLDRsQ/No1+hcFwFDvjNtwKepfCSIR8L3BkXl/Vz1I=
+github.com/gotify/server/v2 v2.6.3/go.mod h1:IyeQ/iL3vetcuqUAzkCMVObIMGGJx4zb13/mVatIwE8=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
+github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
+github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
+github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
+github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
+github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/luthermonson/go-proxmox v0.2.2 h1:BZ7VEj302wxw2i/EwTcyEiBzQib8teocB2SSkLHyySY=
+github.com/luthermonson/go-proxmox v0.2.2/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
+github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
+github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
+github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
+github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
+github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
+github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
+github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
+github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/puzpuzpuz/xsync/v3 v3.5.1 h1:GJYJZwO6IdxN/IKbneznS6yPkVC+c3zyY/j19c++5Fg=
+github.com/puzpuzpuz/xsync/v3 v3.5.1/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
+github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
+github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
+github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
+github.com/samber/slog-common v0.18.1 h1:c0EipD/nVY9HG5shgm/XAs67mgpWDMF+MmtptdJNCkQ=
+github.com/samber/slog-common v0.18.1/go.mod h1:QNZiNGKakvrfbJ2YglQXLCZauzkI9xZBjOhWFKS3IKk=
+github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
+github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
+github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
+github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
+github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
+github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
+github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f h1:tjZsroqekhC63+WMqzmWyW5Twj/ZfR5HAlpd5YQ1Vs0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f/go.mod h1:Cd8IzgPo5Akum2c9R6FsXNaZbH3Jpa2gpHlW89FqlyQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250428153025-10db94c68c34 h1:h6p3mQqrmT1XkHVTfzLdNz1u7IhINeZkz67/xTbOuWs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250428153025-10db94c68c34/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
+google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=

agent/pkg/agent/agents.go

@@ -1,16 +0,0 @@
-package agent
-
-import (
-	"github.com/yusing/go-proxy/internal/utils/pool"
-)
-
-type agents struct{ pool.Pool[*AgentConfig] }
-
-var Agents = agents{pool.New[*AgentConfig]("agents")}
-
-func (agents agents) Get(agentAddrOrDockerHost string) (*AgentConfig, bool) {
-	if !IsDockerHostAgent(agentAddrOrDockerHost) {
-		return agents.Base().Load(agentAddrOrDockerHost)
-	}
-	return agents.Base().Load(GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
-}

agent/pkg/agent/config.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/json"
 	"net"
 	"net/http"
 	"net/url"
@@ -11,9 +12,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/agent/pkg/certs"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/logging"
+	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
 )
 
@@ -23,6 +27,7 @@ type AgentConfig struct {
 	httpClient *http.Client
 	tlsConfig  *tls.Config
 	name       string
+	l          zerolog.Logger
 }
 
 const (
@@ -44,21 +49,20 @@ const (
 	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
 )
 
+func mustParseURL(urlStr string) *url.URL {
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
 var (
-	AgentURL, _           = url.Parse(APIBaseURL)
-	HTTPProxyURL, _       = url.Parse(APIBaseURL + EndpointProxyHTTP)
+	AgentURL              = mustParseURL(APIBaseURL)
+	HTTPProxyURL          = mustParseURL(APIBaseURL + EndpointProxyHTTP)
 	HTTPProxyURLPrefixLen = len(APIEndpointBase + EndpointProxyHTTP)
 )
 
-// TestAgentConfig is a helper function to create an AgentConfig for testing purposes.
-// Not used in production.
-func TestAgentConfig(name string, addr string) *AgentConfig {
-	return &AgentConfig{
-		name: name,
-		Addr: addr,
-	}
-}
-
 func IsDockerHostAgent(dockerHost string) bool {
 	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
 }
@@ -67,11 +71,6 @@ func GetAgentAddrFromDockerHost(dockerHost string) string {
 	return dockerHost[FakeDockerHostPrefixLen:]
 }
 
-// Key implements pool.Object
-func (cfg *AgentConfig) Key() string {
-	return cfg.Addr
-}
-
 func (cfg *AgentConfig) FakeDockerHost() string {
 	return FakeDockerHostPrefix + cfg.Addr
 }
@@ -81,7 +80,7 @@ func (cfg *AgentConfig) Parse(addr string) error {
 	return nil
 }
 
-func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte) error {
+func (cfg *AgentConfig) StartWithCerts(parent task.Parent, ca, crt, key []byte) error {
 	clientCert, err := tls.X509KeyPair(crt, key)
 	if err != nil {
 		return err
@@ -103,21 +102,9 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 	// create transport and http client
 	cfg.httpClient = cfg.NewHTTPClient()
 
-	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	ctx, cancel := context.WithTimeout(parent.Context(), 5*time.Second)
 	defer cancel()
 
-	// check agent version
-	version, _, err := cfg.Fetch(ctx, EndpointVersion)
-	if err != nil {
-		return err
-	}
-
-	agentVer := pkg.ParseVersion(string(version))
-	serverVer := pkg.GetVersion()
-	if !agentVer.IsEqual(serverVer) {
-		return gperr.Errorf("agent version mismatch: server: %s, agent: %s", serverVer, agentVer)
-	}
-
 	// get agent name
 	name, _, err := cfg.Fetch(ctx, EndpointName)
 	if err != nil {
@@ -125,10 +112,26 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 	}
 
 	cfg.name = string(name)
+
+	cfg.l = logging.With().Str("agent", cfg.name).Logger()
+
+	// check agent version
+	agentVersionBytes, _, err := cfg.Fetch(ctx, EndpointVersion)
+	if err != nil {
+		return err
+	}
+
+	agentVersion := string(agentVersionBytes)
+
+	if pkg.GetVersion().IsNewerMajorThan(pkg.ParseVersion(agentVersion)) {
+		logging.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.name, pkg.GetVersion(), agentVersion)
+	}
+
+	logging.Info().Msgf("agent %q initialized", cfg.name)
 	return nil
 }
 
-func (cfg *AgentConfig) Init(ctx context.Context) gperr.Error {
+func (cfg *AgentConfig) Start(parent task.Parent) gperr.Error {
 	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
 	if !ok {
 		return gperr.New("invalid agent host").Subject(cfg.Addr)
@@ -144,7 +147,7 @@ func (cfg *AgentConfig) Init(ctx context.Context) gperr.Error {
 		return gperr.Wrap(err, "failed to extract agent certs")
 	}
 
-	return gperr.Wrap(cfg.InitWithCerts(ctx, ca, crt, key))
+	return gperr.Wrap(cfg.StartWithCerts(parent, ca, crt, key))
 }
 
 func (cfg *AgentConfig) NewHTTPClient() *http.Client {
@@ -172,10 +175,6 @@ func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
 	return gphttp.DefaultDialer.DialContext(ctx, "tcp", cfg.Addr)
 }
 
-func (cfg *AgentConfig) IsInitialized() bool {
-	return cfg.name != ""
-}
-
 func (cfg *AgentConfig) Name() string {
 	return cfg.name
 }
@@ -184,10 +183,9 @@ func (cfg *AgentConfig) String() string {
 	return cfg.name + "@" + cfg.Addr
 }
 
-// MarshalMap implements pool.Object
-func (cfg *AgentConfig) MarshalMap() map[string]any {
-	return map[string]any{
+func (cfg *AgentConfig) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]string{
 		"name": cfg.Name(),
 		"addr": cfg.Addr,
-	}
+	})
 }

agent/pkg/certs/zip.go

@@ -6,10 +6,11 @@ import (
 	"io"
 	"path/filepath"
 
-	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
+const AgentCertsBasePath = "certs"
+
 func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
 	w, err := zipWriter.CreateHeader(&zip.FileHeader{
 		Name:   name,
@@ -59,7 +60,7 @@ func AgentCertsFilepath(host string) (filepathOut string, ok bool) {
 	if !isValidAgentHost(host) {
 		return "", false
 	}
-	return filepath.Join(common.CertsDir, host+".zip"), true
+	return filepath.Join(AgentCertsBasePath, host+".zip"), true
 }
 
 func ExtractCert(data []byte) (ca, crt, key []byte, err error) {

agent/pkg/certs/zip_test.go

@@ -1,19 +1,20 @@
-package certs
+package certs_test
 
 import (
 	"testing"
 
-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
 )
 
 func TestZipCert(t *testing.T) {
 	ca, crt, key := []byte("test1"), []byte("test2"), []byte("test3")
-	zipData, err := ZipCert(ca, crt, key)
-	ExpectNoError(t, err)
+	zipData, err := certs.ZipCert(ca, crt, key)
+	require.NoError(t, err)
 
-	ca2, crt2, key2, err := ExtractCert(zipData)
-	ExpectNoError(t, err)
-	ExpectEqual(t, ca, ca2)
-	ExpectEqual(t, crt, crt2)
-	ExpectEqual(t, key, key2)
+	ca2, crt2, key2, err := certs.ExtractCert(zipData)
+	require.NoError(t, err)
+	require.Equal(t, ca, ca2)
+	require.Equal(t, crt, crt2)
+	require.Equal(t, key, key2)
 }

agent/pkg/handler/check_health_test.go

@@ -1,6 +1,7 @@
 package handler_test
 
 import (
+	"encoding/json"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -8,8 +9,6 @@ import (
 	"strconv"
 	"testing"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/handler"

agent/pkg/handler/docker_socket.go

@@ -9,6 +9,7 @@ import (
 	"github.com/yusing/go-proxy/internal/docker"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
 )
 
 func serviceUnavailable(w http.ResponseWriter, r *http.Request) {
@@ -21,10 +22,10 @@ func DockerSocketHandler() http.HandlerFunc {
 		logging.Warn().Err(err).Msg("failed to connect to docker client")
 		return serviceUnavailable
 	}
-	rp := reverseproxy.NewReverseProxy("docker", &url.URL{
+	rp := reverseproxy.NewReverseProxy("docker", types.NewURL(&url.URL{
 		Scheme: "http",
 		Host:   client.DummyHost,
-	}, dockerClient.HTTPClient().Transport)
+	}), dockerClient.HTTPClient().Transport)
 
 	return rp.ServeHTTP
 }

agent/pkg/handler/handler.go

@@ -7,10 +7,10 @@ import (
 
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/env"
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/go-proxy/pkg"
 )
 
 type ServeMux struct{ *http.ServeMux }
@@ -37,7 +37,7 @@ func NewAgentHandler() http.Handler {
 	mux := ServeMux{http.NewServeMux()}
 
 	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
-	mux.HandleMethods("GET", agent.EndpointVersion, v1.GetVersion)
+	mux.HandleMethods("GET", agent.EndpointVersion, pkg.GetVersionHTTPHandler())
 	mux.HandleMethods("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, env.AgentName)
 	})

agent/pkg/handler/proxy_http.go

@@ -12,13 +12,13 @@ import (
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/go-proxy/internal/net/types"
 )
 
 func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
 	host := r.Header.Get(agentproxy.HeaderXProxyHost)
-	isHTTPS := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
-	skipTLSVerify := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
+	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
+	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
 	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
 	if err != nil {
 		responseHeaderTimeout = 0
@@ -54,9 +54,9 @@ func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
 
 	logging.Debug().Msgf("proxy http request: %s %s", r.Method, r.URL.String())
 
-	rp := reverseproxy.NewReverseProxy("agent", &url.URL{
+	rp := reverseproxy.NewReverseProxy("agent", types.NewURL(&url.URL{
 		Scheme: scheme,
 		Host:   host,
-	}, transport)
+	}), transport)
 	rp.ServeHTTP(w, r)
 }

agent/pkg/server/server.go

@@ -40,5 +40,5 @@ func StartAgentServer(parent task.Parent, opt Options) {
 		TLSConfig: tlsConfig,
 	}
 
-	server.Start(parent, agentServer, logger)
+	server.Start(parent, agentServer, nil, logger)
 }

cmd/main.go

@@ -6,11 +6,11 @@ import (
 	"os"
 	"sync"
 
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
-	debugapi "github.com/yusing/go-proxy/internal/api/v1/debug"
 	"github.com/yusing/go-proxy/internal/api/v1/query"
+	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/dnsproviders"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/logging"
@@ -18,9 +18,8 @@ import (
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/internal/metrics/uptime"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/route/routes"
 	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/migrations"
 	"github.com/yusing/go-proxy/pkg"
 )
 
@@ -40,9 +39,7 @@ func parallel(fns ...func()) {
 
 func main() {
 	initProfiling()
-	if err := migrations.RunMigrations(); err != nil {
-		gperr.LogFatal("migration error", err)
-	}
+	dnsproviders.InitProviders()
 	args := pkg.GetArgs(common.MainServerCommandValidator{})
 
 	switch args.Command {
@@ -83,8 +80,6 @@ func main() {
 		logging.Trace().Msg("trace enabled")
 		parallel(
 			homepage.InitIconListCache,
-			homepage.InitIconCache,
-			homepage.InitOverridesConfig,
 			systeminfo.Poller.Start,
 		)
 
@@ -124,7 +119,7 @@ func main() {
 	switch args.Command {
 	case common.CommandListRoutes:
 		cfg.StartProxyProviders()
-		printJSON(routequery.RoutesByAlias())
+		printJSON(routes.ByAlias())
 		return
 	case common.CommandListConfigs:
 		printJSON(cfg.Value())
@@ -151,8 +146,6 @@ func main() {
 	uptime.Poller.Start()
 	config.WatchChanges()
 
-	debugapi.StartServer(cfg)
-
 	task.WaitExit(cfg.Value().TimeoutShutdown)
 }
 

compose.example.yml

@@ -1,21 +1,48 @@
 ---
 services:
+  socket-proxy:
+    container_name: socket-proxy
+    image: lscr.io/linuxserver/socket-proxy:latest
+    environment:
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      - CONTAINERS=1
+      - EVENTS=1
+      - INFO=1
+      - PING=1
+      - POST=1
+      - VERSION=1
+    volumes:
+      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
+    restart: unless-stopped
+    tmpfs:
+      - /run
+    ports:
+      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
+    labels:
+      proxy.exclude: true
   frontend:
-    image: ghcr.io/yusing/godoxy-frontend:latest
+    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
     container_name: godoxy-frontend
     restart: unless-stopped
     network_mode: host # do not change this
     env_file: .env
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
     depends_on:
       - app
     environment:
+      HOSTNAME: 127.0.0.1
       PORT: ${GODOXY_FRONTEND_PORT:-3000}
-
-    # modify below to fit your needs
     labels:
-      proxy.aliases: godoxy
-      proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
-      # proxy.godoxy.middlewares.cidr_whitelist: |
+      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
+      proxy.#1.port: ${GODOXY_FRONTEND_PORT:-3000}
+      # proxy.#1.middlewares.cidr_whitelist: |
       #   status: 403
       #   message: IP not allowed
       #   allow:
@@ -24,16 +51,27 @@ services:
       #     - 192.168.0.0/16
       #     - 172.16.0.0/12
   app:
-    image: ghcr.io/yusing/godoxy:latest
+    image: ghcr.io/yusing/godoxy:${TAG:-latest}
     container_name: godoxy
     restart: always
     network_mode: host # do not change this
     env_file: .env
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    depends_on:
+      socket-proxy:
+        condition: service_started
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
+    cap_add:
+      - NET_BIND_SERVICE
+    environment:
+      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
       - ./config:/app/config
       - ./logs:/app/logs
-      - ./error_pages:/app/error_pages
+      - ./error_pages:/app/error_pages:ro
       - ./data:/app/data
 
       # To use autocert, certs will be stored in "./certs".

config.example.yml

@@ -17,6 +17,25 @@
 
 # 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
 
+# acl:
+#   default: allow # or deny (default: allow)
+#   allow_local: true # or false (default: true)
+#   allow:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   deny:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
+#     buffer_size: 65536 # (default: 64KB)
+#     path: /app/logs/acl.log # (default: none)
+#     stdout: false # (default: false)
+#     keep: last 10 # (default: none)
+
 entrypoint:
   # Below define an example of middleware config
   # 1. block non local IP connections
@@ -73,6 +92,14 @@ providers:
   #     url: https://discord.com/api/webhooks/...
   #     template: discord # this means use payload template from internal/notif/templates/discord.json
 
+  # Proxmox providers (for idlesleep support for proxmox LXCs)
+  #
+  # proxmox:
+  #   - url: https://pve.domain.com:8006/api2/json
+  #     token_id: root@pam!abcdef
+  #     secret: aaaa-bbbb-cccc-dddd
+  #     no_tls_verify: true
+
 # Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
 # for explaination of `match_domains`
 #

go.mod

@@ -2,148 +2,255 @@ module github.com/yusing/go-proxy
 
 go 1.24.2
 
-// misc
+replace github.com/yusing/go-proxy/agent => ./agent
 
-require (
-	github.com/bytedance/sonic v1.13.2 // faster json unmarshal (for marshal it's using custom implementation)
-	github.com/fsnotify/fsnotify v1.9.0 // file watcher
-	github.com/go-acme/lego/v4 v4.22.2 // acme client
-	github.com/go-playground/validator/v10 v10.26.0 // validator
-	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
-	github.com/goccy/go-yaml v1.17.1 // yaml parsing for different config files
-	github.com/gotify/server/v2 v2.6.1 // reference the Message struct for json response
-	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/puzpuzpuz/xsync/v3 v3.5.1 // lock free map for concurrent operations
-	golang.org/x/text v0.24.0 // string utilities
-	golang.org/x/time v0.11.0 // time utilities
-)
+replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
 
-// http
-
-require (
-	github.com/coder/websocket v1.8.13 // websocket for API and agent
-	github.com/quic-go/quic-go v0.50.1 // http3 server
-	golang.org/x/net v0.39.0 // HTTP header utilities
-)
-
-// authentication
-
-require (
-	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
-	github.com/golang-jwt/jwt/v5 v5.2.2 // jwt for default auth
-	golang.org/x/crypto v0.37.0 // encrypting password with bcrypt
-	golang.org/x/oauth2 v0.29.0 // oauth2 authentication
-)
-
-// favicon extraction
 require (
 	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
-	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-)
-
-// docker
-
-require (
-	github.com/docker/cli v28.0.4+incompatible // docker cli
-	github.com/docker/docker v28.0.4+incompatible // docker daemon
-	github.com/docker/go-connections v0.5.0 // docker connection utilities
-)
-
-// logging
-
-require (
+	github.com/coder/websocket v1.8.13 // websocket for API and agent
+	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
+	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/fsnotify/fsnotify v1.9.0 // file watcher
+	github.com/go-acme/lego/v4 v4.23.1 // acme client
+	github.com/go-playground/validator/v10 v10.26.0 // validator
+	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
+	github.com/gotify/server/v2 v2.6.3 // reference the Message struct for json response
+	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
+	github.com/puzpuzpuz/xsync/v3 v3.5.1 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
-	github.com/samber/slog-zerolog/v2 v2.7.3 // zerlog to slog adapter for quic-go
+	github.com/shirou/gopsutil/v4 v4.25.4 // system info metrics
+	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
+	golang.org/x/crypto v0.37.0 // encrypting password with bcrypt
+	golang.org/x/net v0.39.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.29.0 // oauth2 authentication
+	golang.org/x/text v0.24.0 // string utilities
+	golang.org/x/time v0.11.0 // time utilities
+	gopkg.in/yaml.v3 v3.0.1 // indirect; yaml parsing for different config files
 )
 
-// metrics
+replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
 
 require (
-	github.com/prometheus/client_golang v1.22.0 // metrics
-	github.com/shirou/gopsutil/v4 v4.25.3 // system info metrics
-	github.com/stretchr/testify v1.10.0 // testing utilities
+	github.com/docker/cli v28.1.1+incompatible
+	github.com/goccy/go-yaml v1.17.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/luthermonson/go-proxmox v0.2.2
+	github.com/oschwald/maxminddb-golang v1.13.1
+	github.com/quic-go/quic-go v0.51.0
+	github.com/samber/slog-zerolog/v2 v2.7.3
+	github.com/spf13/afero v1.14.0
+	github.com/stretchr/testify v1.10.0
+	github.com/yusing/go-proxy/agent v0.0.0-20250503173201-5f780f490224
+	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-20250503173201-5f780f490224
+	go.uber.org/atomic v1.11.0
 )
 
-require github.com/luthermonson/go-proxmox v0.2.2
+require (
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+)
+
+replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
+
+replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97
 
 require (
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.225 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
-	github.com/bytedance/sonic/loader v0.2.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/civo/civogo v0.4.1 // indirect
 	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
-	github.com/cloudwego/base64x v0.1.5 // indirect
-	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.16 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect; indirectindirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
+	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gophercloud/gophercloud v1.14.1 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.147 // indirect
+	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
+	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
+	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/linode/linodego v1.49.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.65 // indirect
+	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
+	github.com/nrdcg/desec v0.11.0 // indirect
+	github.com/nrdcg/freemyip v0.3.0 // indirect
+	github.com/nrdcg/goacmedns v0.2.0 // indirect
+	github.com/nrdcg/goinwx v0.11.0 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/namesilo v0.2.1 // indirect
+	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.89.3 // indirect
 	github.com/ovh/go-ovh v1.7.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/peterhellberg/link v1.2.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.16.0 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/samber/lo v1.49.1 // indirect
+	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.9 // indirect
+	github.com/sacloud/iaas-api-go v1.14.0 // indirect
+	github.com/sacloud/packages-go v0.0.11 // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/samber/lo v1.50.0 // indirect
 	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
+	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
+	github.com/softlayer/softlayer-go v1.1.7 // indirect
+	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/cast v1.8.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1158 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
-	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/transip/gotransip/v6 v6.26.0 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
+	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.206 // indirect
+	github.com/vultr/govultr/v3 v3.19.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver v1.17.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
 	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/mock v0.5.1 // indirect
-	golang.org/x/arch v0.16.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	go.uber.org/mock v0.5.2 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/sync v0.13.0 // indirect
 	golang.org/x/sys v0.32.0 // indirect
 	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/api v0.231.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250428153025-10db94c68c34 // indirect
+	google.golang.org/grpc v1.72.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.3 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.33.0 // indirect
+	k8s.io/apimachinery v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

internal/acl/config.go

@@ -0,0 +1,154 @@
+package acl
+
+import (
+	"net"
+	"time"
+
+	"github.com/puzpuzpuz/xsync/v3"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
+	"github.com/yusing/go-proxy/internal/maxmind"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Config struct {
+	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
+	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
+	Allow      Matchers                   `json:"allow"`
+	Deny       Matchers                   `json:"deny"`
+	Log        *accesslog.ACLLoggerConfig `json:"log"`
+
+	config
+}
+
+type config struct {
+	defaultAllow bool
+	allowLocal   bool
+	ipCache      *xsync.MapOf[string, *checkCache]
+	logAllowed   bool
+	logger       *accesslog.AccessLogger
+}
+
+type checkCache struct {
+	*maxmind.IPInfo
+	allow   bool
+	created time.Time
+}
+
+const cacheTTL = 1 * time.Minute
+
+func (c *checkCache) Expired() bool {
+	return c.created.Add(cacheTTL).Before(utils.TimeNow())
+}
+
+//TODO: add stats
+
+const (
+	ACLAllow = "allow"
+	ACLDeny  = "deny"
+)
+
+func (c *Config) Validate() gperr.Error {
+	switch c.Default {
+	case "", ACLAllow:
+		c.defaultAllow = true
+	case ACLDeny:
+		c.defaultAllow = false
+	default:
+		return gperr.New("invalid default value").Subject(c.Default)
+	}
+
+	if c.AllowLocal != nil {
+		c.allowLocal = *c.AllowLocal
+	} else {
+		c.allowLocal = true
+	}
+
+	if c.Log != nil {
+		c.logAllowed = c.Log.LogAllowed
+	}
+
+	c.ipCache = xsync.NewMapOf[string, *checkCache]()
+	return nil
+}
+
+func (c *Config) Valid() bool {
+	return c != nil && (len(c.Allow) > 0 || len(c.Deny) > 0 || c.allowLocal)
+}
+
+func (c *Config) Start(parent *task.Task) gperr.Error {
+	if c.Log != nil {
+		logger, err := accesslog.NewAccessLogger(parent, c.Log)
+		if err != nil {
+			return gperr.New("failed to start access logger").With(err)
+		}
+		c.logger = logger
+	}
+	return nil
+}
+
+func (c *Config) cacheRecord(info *maxmind.IPInfo, allow bool) {
+	if common.ForceResolveCountry && info.City == nil {
+		maxmind.LookupCity(info)
+	}
+	c.ipCache.Store(info.Str, &checkCache{
+		IPInfo:  info,
+		allow:   allow,
+		created: utils.TimeNow(),
+	})
+}
+
+func (c *config) log(info *maxmind.IPInfo, allowed bool) {
+	if c.logger == nil {
+		return
+	}
+	if !allowed || c.logAllowed {
+		c.logger.LogACL(info, !allowed)
+	}
+}
+
+func (c *Config) IPAllowed(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// always allow loopback
+	// loopback is not logged
+	if ip.IsLoopback() {
+		return true
+	}
+
+	if c.allowLocal && ip.IsPrivate() {
+		c.log(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
+		return true
+	}
+
+	ipStr := ip.String()
+	record, ok := c.ipCache.Load(ipStr)
+	if ok && !record.Expired() {
+		c.log(record.IPInfo, record.allow)
+		return record.allow
+	}
+
+	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
+	for _, m := range c.Allow {
+		if m(ipAndStr) {
+			c.log(ipAndStr, true)
+			c.cacheRecord(ipAndStr, true)
+			return true
+		}
+	}
+	for _, m := range c.Deny {
+		if m(ipAndStr) {
+			c.log(ipAndStr, false)
+			c.cacheRecord(ipAndStr, false)
+			return false
+		}
+	}
+
+	c.log(ipAndStr, c.defaultAllow)
+	c.cacheRecord(ipAndStr, c.defaultAllow)
+	return c.defaultAllow
+}

internal/acl/matcher.go

@@ -0,0 +1,109 @@
+package acl
+
+import (
+	"net"
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/maxmind"
+)
+
+type Matcher func(*maxmind.IPInfo) bool
+type Matchers []Matcher
+
+const (
+	MatcherTypeIP       = "ip"
+	MatcherTypeCIDR     = "cidr"
+	MatcherTypeTimeZone = "tz"
+	MatcherTypeCountry  = "country"
+)
+
+var errMatcherFormat = gperr.Multiline().AddLines(
+	"invalid matcher format, expect {type}:{value}",
+	"Available types: ip|cidr|tz|country",
+	"ip:127.0.0.1",
+	"cidr:127.0.0.0/8",
+	"tz:Asia/Shanghai",
+	"country:GB",
+)
+var (
+	errSyntax               = gperr.New("syntax error")
+	errInvalidIP            = gperr.New("invalid IP")
+	errInvalidCIDR          = gperr.New("invalid CIDR")
+	errMaxMindNotConfigured = gperr.New("MaxMind not configured")
+)
+
+func ParseMatcher(s string) (Matcher, gperr.Error) {
+	parts := strings.Split(s, ":")
+	if len(parts) != 2 {
+		return nil, errSyntax
+	}
+
+	switch parts[0] {
+	case MatcherTypeIP:
+		ip := net.ParseIP(parts[1])
+		if ip == nil {
+			return nil, errInvalidIP
+		}
+		return matchIP(ip), nil
+	case MatcherTypeCIDR:
+		_, net, err := net.ParseCIDR(parts[1])
+		if err != nil {
+			return nil, errInvalidCIDR
+		}
+		return matchCIDR(net), nil
+	case MatcherTypeTimeZone:
+		if !maxmind.HasInstance() {
+			return nil, errMaxMindNotConfigured
+		}
+		return matchTimeZone(parts[1]), nil
+	case MatcherTypeCountry:
+		if !maxmind.HasInstance() {
+			return nil, errMaxMindNotConfigured
+		}
+		return matchISOCode(parts[1]), nil
+	default:
+		return nil, errSyntax
+	}
+}
+
+func (matchers Matchers) Match(ip *maxmind.IPInfo) bool {
+	for _, m := range matchers {
+		if m(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func matchIP(ip net.IP) Matcher {
+	return func(ip2 *maxmind.IPInfo) bool {
+		return ip.Equal(ip2.IP)
+	}
+}
+
+func matchCIDR(n *net.IPNet) Matcher {
+	return func(ip *maxmind.IPInfo) bool {
+		return n.Contains(ip.IP)
+	}
+}
+
+func matchTimeZone(tz string) Matcher {
+	return func(ip *maxmind.IPInfo) bool {
+		city, ok := maxmind.LookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Location.TimeZone == tz
+	}
+}
+
+func matchISOCode(iso string) Matcher {
+	return func(ip *maxmind.IPInfo) bool {
+		city, ok := maxmind.LookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Country.IsoCode == iso
+	}
+}

internal/acl/tcp_listener.go

@@ -0,0 +1,59 @@
+package acl
+
+import (
+	"io"
+	"net"
+	"time"
+)
+
+type TCPListener struct {
+	acl *Config
+	lis net.Listener
+}
+
+type noConn struct{}
+
+func (noConn) Read(b []byte) (int, error)         { return 0, io.EOF }
+func (noConn) Write(b []byte) (int, error)        { return 0, io.EOF }
+func (noConn) Close() error                       { return nil }
+func (noConn) LocalAddr() net.Addr                { return nil }
+func (noConn) RemoteAddr() net.Addr               { return nil }
+func (noConn) SetDeadline(t time.Time) error      { return nil }
+func (noConn) SetReadDeadline(t time.Time) error  { return nil }
+func (noConn) SetWriteDeadline(t time.Time) error { return nil }
+
+func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
+	if cfg == nil {
+		return lis
+	}
+	return &TCPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *TCPListener) Addr() net.Addr {
+	return s.lis.Addr()
+}
+
+func (s *TCPListener) Accept() (net.Conn, error) {
+	c, err := s.lis.Accept()
+	if err != nil {
+		return nil, err
+	}
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		// Not a TCPAddr, drop
+		c.Close()
+		return noConn{}, nil
+	}
+	if !s.acl.IPAllowed(addr.IP) {
+		c.Close()
+		return noConn{}, nil
+	}
+	return c, nil
+}
+
+func (s *TCPListener) Close() error {
+	return s.lis.Close()
+}

internal/acl/udp_listener.go

@@ -0,0 +1,79 @@
+package acl
+
+import (
+	"net"
+	"time"
+)
+
+type UDPListener struct {
+	acl *Config
+	lis net.PacketConn
+}
+
+func (cfg *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if cfg == nil {
+		return lis
+	}
+	return &UDPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *UDPListener) LocalAddr() net.Addr {
+	return s.lis.LocalAddr()
+}
+
+func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
+	for {
+		n, addr, err := s.lis.ReadFrom(p)
+		if err != nil {
+			return n, addr, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet from disallowed IP
+			continue
+		}
+		return n, addr, nil
+	}
+}
+
+func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
+	for {
+		n, err := s.lis.WriteTo(p, addr)
+		if err != nil {
+			return n, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet to disallowed IP
+			continue
+		}
+		return n, nil
+	}
+}
+
+func (s *UDPListener) SetDeadline(t time.Time) error {
+	return s.lis.SetDeadline(t)
+}
+
+func (s *UDPListener) SetReadDeadline(t time.Time) error {
+	return s.lis.SetReadDeadline(t)
+}
+
+func (s *UDPListener) SetWriteDeadline(t time.Time) error {
+	return s.lis.SetWriteDeadline(t)
+}
+
+func (s *UDPListener) Close() error {
+	return s.lis.Close()
+}

internal/api/handler.go

@@ -1,26 +1,72 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
 
-	"github.com/prometheus/client_golang/prometheus/promhttp"
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
 	"github.com/yusing/go-proxy/internal/api/v1/certapi"
 	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
 	"github.com/yusing/go-proxy/internal/api/v1/favicon"
-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/auth"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/metrics/uptime"
-	"github.com/yusing/go-proxy/internal/net/gphttp/servemux"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/go-proxy/pkg"
 )
 
+type (
+	ServeMux struct {
+		*http.ServeMux
+		cfg config.ConfigInstance
+	}
+	WithCfgHandler = func(config.ConfigInstance, http.ResponseWriter, *http.Request)
+)
+
+func (mux ServeMux) HandleFunc(methods, endpoint string, h any, requireAuth ...bool) {
+	var handler http.HandlerFunc
+	switch h := h.(type) {
+	case func(http.ResponseWriter, *http.Request):
+		handler = h
+	case http.Handler:
+		handler = h.ServeHTTP
+	case WithCfgHandler:
+		handler = func(w http.ResponseWriter, r *http.Request) {
+			h(mux.cfg, w, r)
+		}
+	default:
+		panic(fmt.Errorf("unsupported handler type: %T", h))
+	}
+
+	matchDomains := mux.cfg.Value().MatchDomains
+	if len(matchDomains) > 0 {
+		origHandler := handler
+		handler = func(w http.ResponseWriter, r *http.Request) {
+			if httpheaders.IsWebsocket(r.Header) {
+				httpheaders.SetWebsocketAllowedDomains(r.Header, matchDomains)
+			}
+			origHandler(w, r)
+		}
+	}
+
+	if len(requireAuth) > 0 && requireAuth[0] {
+		handler = auth.RequireAuth(handler)
+	}
+	if methods == "" {
+		mux.ServeMux.HandleFunc(endpoint, handler)
+	} else {
+		for _, m := range strutils.CommaSeperatedList(methods) {
+			mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
+		}
+	}
+}
+
 func NewHandler(cfg config.ConfigInstance) http.Handler {
-	mux := servemux.NewServeMux(cfg)
+	mux := ServeMux{http.NewServeMux(), cfg}
 	mux.HandleFunc("GET", "/v1", v1.Index)
-	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
+	mux.HandleFunc("GET", "/v1/version", pkg.GetVersionHTTPHandler())
 
 	mux.HandleFunc("GET", "/v1/stats", v1.Stats, true)
 	mux.HandleFunc("POST", "/v1/reload", v1.Reload, true)
@@ -45,26 +91,14 @@ func NewHandler(cfg config.ConfigInstance) http.Handler {
 	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
 	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)
 
-	if common.PrometheusEnabled {
-		mux.Handle("GET /v1/metrics", promhttp.Handler())
-		logging.Info().Msg("prometheus metrics enabled")
+	defaultAuth := auth.GetDefaultAuth()
+	if defaultAuth == nil {
+		return mux
 	}
 
-	defaultAuth := auth.GetDefaultAuth()
-	if defaultAuth != nil {
-		mux.HandleFunc("GET", "/v1/auth/redirect", defaultAuth.RedirectLoginPage)
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			if err := defaultAuth.CheckToken(r); err != nil {
-				http.Error(w, err.Error(), http.StatusUnauthorized)
-				return
-			}
-		})
-		mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.LoginCallbackHandler)
-		mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutCallbackHandler)
-	} else {
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-		})
-	}
+	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/redirect", defaultAuth.LoginHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
 	return mux
 }

internal/api/v1/agents.go

@@ -4,11 +4,21 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
 	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 )
 
 func ListAgents(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	gpwebsocket.DynamicJSONHandler(w, r, agent.Agents.Slice, 10*time.Second)
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 10*time.Second, func(conn *websocket.Conn) error {
+			wsjson.Write(r.Context(), conn, cfg.ListAgents())
+			return nil
+		})
+	} else {
+		gphttp.RespondJSON(w, r, cfg.ListAgents())
+	}
 }

internal/api/v1/auth/auth.go

@@ -1,52 +0,0 @@
-package auth
-
-import (
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-)
-
-var defaultAuth Provider
-
-// Initialize sets up authentication providers.
-func Initialize() error {
-	if !IsEnabled() {
-		return nil
-	}
-
-	var err error
-	// Initialize OIDC if configured.
-	if common.OIDCIssuerURL != "" {
-		defaultAuth, err = NewOIDCProviderFromEnv()
-	} else {
-		defaultAuth, err = NewUserPassAuthFromEnv()
-	}
-
-	return err
-}
-
-func GetDefaultAuth() Provider {
-	return defaultAuth
-}
-
-func IsEnabled() bool {
-	return !common.DebugDisableAuth && (common.APIJWTSecret != nil || IsOIDCEnabled())
-}
-
-func IsOIDCEnabled() bool {
-	return common.OIDCIssuerURL != ""
-}
-
-func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
-	if IsEnabled() {
-		return func(w http.ResponseWriter, r *http.Request) {
-			if err := defaultAuth.CheckToken(r); err != nil {
-				gphttp.ClientError(w, err, http.StatusUnauthorized)
-			} else {
-				next(w, r)
-			}
-		}
-	}
-	return next
-}

internal/api/v1/auth/oidc.go

@@ -1,309 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"io"
-	"mime"
-	"net/http"
-	"net/url"
-	"slices"
-	"strings"
-	"time"
-
-	"github.com/yusing/go-proxy/pkg/json"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"golang.org/x/oauth2"
-)
-
-type (
-	OIDCProvider struct {
-		oauthConfig       *oauth2.Config
-		oidcProvider      *oidc.Provider
-		oidcVerifier      *oidc.IDTokenVerifier
-		oidcEndSessionURL *url.URL
-		allowedUsers      []string
-		allowedGroups     []string
-		isMiddleware      bool
-	}
-
-	providerJSON struct {
-		oidc.ProviderConfig
-		EndSessionURL string `json:"end_session_endpoint"`
-	}
-)
-
-const CookieOauthState = "godoxy_oidc_state"
-
-const (
-	OIDCMiddlewareCallbackPath = "/auth/callback"
-	OIDCLogoutPath             = "/auth/logout"
-)
-
-func NewOIDCProvider(issuerURL, clientID, clientSecret, redirectURL string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
-	if len(allowedUsers)+len(allowedGroups) == 0 {
-		return nil, errors.New("OIDC users, groups, or both must not be empty")
-	}
-
-	wellKnown := strings.TrimSuffix(issuerURL, "/") + "/.well-known/openid-configuration"
-	resp, err := gphttp.Get(wellKnown)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("oidc: unable to read response body: %v", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("oidc: %s: %s", resp.Status, body)
-	}
-
-	var p providerJSON
-	err = json.Unmarshal(body, &p)
-	if err != nil {
-		mimeType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
-		if err == nil && mimeType != "application/json" {
-			return nil, fmt.Errorf("oidc: unexpected content type: %q from OIDC provider discovery, have you configured the correct issuer URL?", mimeType)
-		}
-		return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err)
-	}
-
-	if p.IssuerURL != issuerURL {
-		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuerURL, p.IssuerURL)
-	}
-
-	var endSessionURL *url.URL
-	if p.EndSessionURL != "" {
-		endSessionURL, err = url.Parse(p.EndSessionURL)
-		if err != nil {
-			return nil, fmt.Errorf("oidc: failed to parse end session URL: %w", err)
-		}
-	}
-
-	provider := p.NewProvider(context.Background())
-	return &OIDCProvider{
-		oauthConfig: &oauth2.Config{
-			ClientID:     clientID,
-			ClientSecret: clientSecret,
-			RedirectURL:  redirectURL,
-			Endpoint:     provider.Endpoint(),
-			Scopes:       strutils.CommaSeperatedList(common.OIDCScopes),
-		},
-		oidcProvider: provider,
-		oidcVerifier: provider.Verifier(&oidc.Config{
-			ClientID: clientID,
-		}),
-		oidcEndSessionURL: endSessionURL,
-		allowedUsers:      allowedUsers,
-		allowedGroups:     allowedGroups,
-	}, nil
-}
-
-// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
-func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
-	return NewOIDCProvider(
-		common.OIDCIssuerURL,
-		common.OIDCClientID,
-		common.OIDCClientSecret,
-		common.OIDCRedirectURL,
-		common.OIDCAllowedUsers,
-		common.OIDCAllowedGroups,
-	)
-}
-
-func (auth *OIDCProvider) TokenCookieName() string {
-	return "godoxy_oidc_token"
-}
-
-func (auth *OIDCProvider) SetIsMiddleware(enabled bool) {
-	auth.isMiddleware = enabled
-	auth.oauthConfig.RedirectURL = ""
-}
-
-func (auth *OIDCProvider) SetAllowedUsers(users []string) {
-	auth.allowedUsers = users
-}
-
-func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
-	auth.allowedGroups = groups
-}
-
-func (auth *OIDCProvider) CheckToken(r *http.Request) error {
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		return ErrMissingToken
-	}
-
-	// checks for Expiry, Audience == ClientID, Issuer, etc.
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), token.Value)
-	if err != nil {
-		return fmt.Errorf("failed to verify ID token: %w: %w", ErrInvalidToken, err)
-	}
-
-	if len(idToken.Audience) == 0 {
-		return ErrInvalidToken
-	}
-
-	var claims struct {
-		Email    string   `json:"email"`
-		Username string   `json:"preferred_username"`
-		Groups   []string `json:"groups"`
-	}
-	if err := idToken.Claims(&claims); err != nil {
-		return fmt.Errorf("failed to parse claims: %w", err)
-	}
-
-	// Logical AND between allowed users and groups.
-	allowedUser := slices.Contains(auth.allowedUsers, claims.Username)
-	allowedGroup := len(utils.Intersect(claims.Groups, auth.allowedGroups)) > 0
-	if !allowedUser && !allowedGroup {
-		return ErrUserNotAllowed
-	}
-	return nil
-}
-
-// generateState generates a random string for OIDC state.
-const oidcStateLength = 32
-
-func generateState() (string, error) {
-	b := make([]byte, oidcStateLength)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength], nil
-}
-
-// RedirectOIDC initiates the OIDC login flow.
-func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	state, err := generateState()
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	http.SetCookie(w, &http.Cookie{
-		Name:     CookieOauthState,
-		Value:    state,
-		MaxAge:   300,
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   common.APIJWTSecure,
-		Path:     "/",
-	})
-
-	redirURL := auth.oauthConfig.AuthCodeURL(state)
-	if auth.isMiddleware {
-		u, err := r.URL.Parse(redirURL)
-		if err != nil {
-			gphttp.ServerError(w, r, err)
-			return
-		}
-		q := u.Query()
-		q.Set("redirect_uri", "https://"+r.Host+OIDCMiddlewareCallbackPath+q.Get("redirect_uri"))
-		u.RawQuery = q.Encode()
-		redirURL = u.String()
-	}
-	http.Redirect(w, r, redirURL, http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) exchange(r *http.Request) (*oauth2.Token, error) {
-	if auth.isMiddleware {
-		cfg := *auth.oauthConfig
-		cfg.RedirectURL = "https://" + r.Host + OIDCMiddlewareCallbackPath
-		return cfg.Exchange(r.Context(), r.URL.Query().Get("code"))
-	}
-	return auth.oauthConfig.Exchange(r.Context(), r.URL.Query().Get("code"))
-}
-
-// OIDCCallbackHandler handles the OIDC callback.
-func (auth *OIDCProvider) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	// For testing purposes, skip provider verification
-	if common.IsTest {
-		auth.handleTestCallback(w, r)
-		return
-	}
-
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		gphttp.BadRequest(w, "missing state cookie")
-		return
-	}
-
-	query := r.URL.Query()
-	if query.Get("state") != state.Value {
-		gphttp.BadRequest(w, "invalid oauth state")
-		return
-	}
-
-	oauth2Token, err := auth.exchange(r)
-	if err != nil {
-		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
-		return
-	}
-
-	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
-	if !ok {
-		gphttp.BadRequest(w, "missing id_token")
-		return
-	}
-
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), rawIDToken)
-	if err != nil {
-		gphttp.ServerError(w, r, fmt.Errorf("failed to verify ID token: %w", err))
-		return
-	}
-
-	setTokenCookie(w, r, auth.TokenCookieName(), rawIDToken, time.Until(idToken.Expiry))
-
-	// Redirect to home page
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	if auth.oidcEndSessionURL == nil {
-		DefaultLogoutCallbackHandler(auth, w, r)
-		return
-	}
-
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		gphttp.BadRequest(w, "missing token cookie")
-		return
-	}
-	clearTokenCookie(w, r, auth.TokenCookieName())
-
-	logoutURL := *auth.oidcEndSessionURL
-	logoutURL.Query().Add("id_token_hint", token.Value)
-
-	http.Redirect(w, r, logoutURL.String(), http.StatusFound)
-}
-
-// handleTestCallback handles OIDC callback in test environment.
-func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		gphttp.BadRequest(w, "missing state cookie")
-		return
-	}
-
-	if r.URL.Query().Get("state") != state.Value {
-		gphttp.BadRequest(w, "invalid oauth state")
-		return
-	}
-
-	// Create test JWT token
-	setTokenCookie(w, r, auth.TokenCookieName(), "test", time.Hour)
-
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}

internal/api/v1/auth/provider.go

@@ -1,13 +0,0 @@
-package auth
-
-import (
-	"net/http"
-)
-
-type Provider interface {
-	TokenCookieName() string
-	CheckToken(r *http.Request) error
-	RedirectLoginPage(w http.ResponseWriter, r *http.Request)
-	LoginCallbackHandler(w http.ResponseWriter, r *http.Request)
-	LogoutCallbackHandler(w http.ResponseWriter, r *http.Request)
-}

internal/api/v1/auth/utils.go

@@ -1,70 +0,0 @@
-package auth
-
-import (
-	"net"
-	"net/http"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-var (
-	ErrMissingToken   = gperr.New("missing token")
-	ErrInvalidToken   = gperr.New("invalid token")
-	ErrUserNotAllowed = gperr.New("user not allowed")
-)
-
-// cookieFQDN returns the fully qualified domain name of the request host
-// with subdomain stripped.
-//
-// If the request host does not have a subdomain,
-// an empty string is returned
-//
-//	"abc.example.com" -> "example.com"
-//	"example.com" -> ""
-func cookieFQDN(r *http.Request) string {
-	host, _, err := net.SplitHostPort(r.Host)
-	if err != nil {
-		host = r.Host
-	}
-	parts := strutils.SplitRune(host, '.')
-	if len(parts) < 2 {
-		return ""
-	}
-	parts[0] = ""
-	return strutils.JoinRune(parts, '.')
-}
-
-func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     name,
-		Value:    value,
-		MaxAge:   int(ttl.Seconds()),
-		Domain:   cookieFQDN(r),
-		HttpOnly: true,
-		Secure:   common.APIJWTSecure,
-		SameSite: http.SameSiteLaxMode,
-		Path:     "/",
-	})
-}
-
-func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     name,
-		Value:    "",
-		MaxAge:   -1,
-		Domain:   cookieFQDN(r),
-		HttpOnly: true,
-		Secure:   common.APIJWTSecure,
-		SameSite: http.SameSiteLaxMode,
-		Path:     "/",
-	})
-}
-
-// DefaultLogoutCallbackHandler clears the token cookie and redirects to the login page..
-func DefaultLogoutCallbackHandler(auth Provider, w http.ResponseWriter, r *http.Request) {
-	clearTokenCookie(w, r, auth.TokenCookieName())
-	auth.RedirectLoginPage(w, r)
-}

internal/api/v1/certapi/cert_info.go

@@ -1,10 +1,9 @@
 package certapi
 
 import (
+	"encoding/json"
 	"net/http"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	config "github.com/yusing/go-proxy/internal/config/types"
 )
 

internal/api/v1/config_file.go

@@ -1,6 +1,7 @@
 package v1
 
 import (
+	"fmt"
 	"io"
 	"net/http"
 	"os"
@@ -27,7 +28,7 @@ func fileType(file string) FileType {
 	switch {
 	case strings.HasPrefix(path.Base(file), "config."):
 		return FileTypeConfig
-	case strings.HasPrefix(file, common.MiddlewareComposeDir):
+	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
 		return FileTypeMiddleware
 	}
 	return FileTypeProvider
@@ -43,20 +44,20 @@ func (t FileType) IsValid() bool {
 
 func (t FileType) GetPath(filename string) string {
 	if t == FileTypeMiddleware {
-		return path.Join(common.MiddlewareComposeDir, filename)
+		return path.Join(common.MiddlewareComposeBasePath, filename)
 	}
-	return path.Join(common.ConfigDir, filename)
+	return path.Join(common.ConfigBasePath, filename)
 }
 
 func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
 	fileType = FileType(r.PathValue("type"))
 	if !fileType.IsValid() {
-		err = gphttp.ErrInvalidKey("type")
+		err = fmt.Errorf("invalid file type: %s", fileType)
 		return
 	}
 	filename = r.PathValue("filename")
 	if filename == "" {
-		err = gphttp.ErrMissingKey("filename")
+		err = fmt.Errorf("missing filename")
 	}
 	return
 }

internal/api/v1/debug/handler.go

@@ -1,75 +0,0 @@
-//go:build debug
-
-package debugapi
-
-import (
-	"iter"
-	"net/http"
-	"sort"
-	"time"
-
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/idlewatcher"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/net/gphttp/servemux"
-	"github.com/yusing/go-proxy/internal/net/gphttp/server"
-	"github.com/yusing/go-proxy/internal/proxmox"
-	"github.com/yusing/go-proxy/internal/task"
-)
-
-func StartServer(cfg config.ConfigInstance) {
-	srv := server.NewServer(server.Options{
-		Name:     "debug",
-		HTTPAddr: "127.0.0.1:7777",
-		Handler:  newHandler(cfg),
-	})
-	srv.Start(task.RootTask("debug_server", false))
-}
-
-type debuggable interface {
-	MarshalMap() map[string]any
-	Key() string
-}
-
-func toSortedSlice[T debuggable](data iter.Seq2[string, T]) []map[string]any {
-	s := make([]map[string]any, 0)
-	for _, v := range data {
-		m := v.MarshalMap()
-		m["key"] = v.Key()
-		s = append(s, m)
-	}
-	sort.Slice(s, func(i, j int) bool {
-		return s[i]["key"].(string) < s[j]["key"].(string)
-	})
-	return s
-}
-
-func jsonHandler[T debuggable](getData iter.Seq2[string, T]) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		gpwebsocket.DynamicJSONHandler(w, r, func() []map[string]any {
-			return toSortedSlice(getData)
-		}, 200*time.Millisecond)
-	}
-}
-
-func iterMap[K comparable, V debuggable](m func() map[K]V) iter.Seq2[K, V] {
-	return func(yield func(K, V) bool) {
-		for k, v := range m() {
-			if !yield(k, v) {
-				break
-			}
-		}
-	}
-}
-
-func newHandler(cfg config.ConfigInstance) http.Handler {
-	mux := servemux.NewServeMux(cfg)
-	mux.HandleFunc("GET", "/tasks", jsonHandler(task.AllTasks()))
-	mux.HandleFunc("GET", "/idlewatcher", jsonHandler(idlewatcher.Watchers()))
-	mux.HandleFunc("GET", "/agents", jsonHandler(agent.Agents.Iter))
-	mux.HandleFunc("GET", "/proxmox", jsonHandler(proxmox.Clients.Iter))
-	mux.HandleFunc("GET", "/docker", jsonHandler(iterMap(docker.Clients)))
-	return mux
-}

internal/api/v1/debug/handler_production.go

@@ -1,11 +0,0 @@
-//go:build !debug
-
-package debugapi
-
-import (
-	config "github.com/yusing/go-proxy/internal/config/types"
-)
-
-func StartServer(cfg config.ConfigInstance) {
-	// do nothing
-}

internal/api/v1/dockerapi/containers.go

@@ -18,7 +18,7 @@ type Container struct {
 }
 
 func Containers(w http.ResponseWriter, r *http.Request) {
-	serveHTTP[Container](w, r, GetContainers)
+	serveHTTP[Container, []Container](w, r, GetContainers)
 }
 
 func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {

internal/api/v1/dockerapi/info.go

@@ -2,11 +2,10 @@ package dockerapi
 
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 	"sort"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	dockerSystem "github.com/docker/docker/api/types/system"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
@@ -14,8 +13,8 @@ import (
 
 type dockerInfo dockerSystem.Info
 
-func (d *dockerInfo) MarshalJSONTo(buf []byte) []byte {
-	return json.MarshalTo(map[string]any{
+func (d *dockerInfo) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]any{
 		"name":    d.Name,
 		"version": d.ServerVersion,
 		"containers": map[string]int{
@@ -27,7 +26,7 @@ func (d *dockerInfo) MarshalJSONTo(buf []byte) []byte {
 		"images": d.Images,
 		"n_cpu":  d.NCPU,
 		"memory": strutils.FormatByteSize(d.MemTotal),
-	}, buf)
+	})
 }
 
 func DockerInfo(w http.ResponseWriter, r *http.Request) {

internal/api/v1/dockerapi/logs.go

@@ -2,6 +2,7 @@ package dockerapi
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/coder/websocket"
 	"github.com/docker/docker/api/types/container"
@@ -9,20 +10,19 @@ import (
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 func Logs(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	server := r.PathValue("server")
 	containerID := r.PathValue("container")
-	stdout := strutils.ParseBool(query.Get("stdout"))
-	stderr := strutils.ParseBool(query.Get("stderr"))
+	stdout, _ := strconv.ParseBool(query.Get("stdout"))
+	stderr, _ := strconv.ParseBool(query.Get("stderr"))
 	since := query.Get("from")
 	until := query.Get("to")
 	levels := query.Get("levels") // TODO: implement levels
 
-	dockerClient, found, err := getDockerClient(server)
+	dockerClient, found, err := getDockerClient(w, server)
 	if err != nil {
 		gphttp.BadRequest(w, err.Error())
 		return

internal/api/v1/dockerapi/utils.go

@@ -2,14 +2,12 @@ package dockerapi
 
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 	"time"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/docker"
 	"github.com/yusing/go-proxy/internal/gperr"
@@ -46,7 +44,7 @@ func getDockerClients() (DockerClients, gperr.Error) {
 		dockerClients[name] = dockerClient
 	}
 
-	for _, agent := range agent.Agents.Iter {
+	for _, agent := range cfg.ListAgents() {
 		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
 		if err != nil {
 			connErrs.Add(err)
@@ -58,7 +56,7 @@ func getDockerClients() (DockerClients, gperr.Error) {
 	return dockerClients, connErrs.Error()
 }
 
-func getDockerClient(server string) (*docker.SharedClient, bool, error) {
+func getDockerClient(w http.ResponseWriter, server string) (*docker.SharedClient, bool, error) {
 	cfg := config.GetInstance()
 	var host string
 	for name, h := range cfg.Value().Providers.Docker {
@@ -67,7 +65,7 @@ func getDockerClient(server string) (*docker.SharedClient, bool, error) {
 			break
 		}
 	}
-	for _, agent := range agent.Agents.Iter {
+	for _, agent := range cfg.ListAgents() {
 		if agent.Name() == server {
 			host = agent.FakeDockerHost()
 			break
@@ -121,6 +119,6 @@ func serveHTTP[V any, T ResultType[V]](w http.ResponseWriter, r *http.Request, g
 		})
 	} else {
 		result, err := getResult(r.Context(), dockerClients)
-		handleResult[V](w, err, result)
+		handleResult[V, T](w, err, result)
 	}
 }

internal/api/v1/favicon/favicon.go

@@ -1,10 +1,8 @@
 package favicon
 
 import (
-	"errors"
 	"net/http"
 
-	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
@@ -21,11 +19,11 @@ import (
 func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	url, alias := req.FormValue("url"), req.FormValue("alias")
 	if url == "" && alias == "" {
-		gphttp.ClientError(w, gphttp.ErrMissingKey("url or alias"), http.StatusBadRequest)
+		gphttp.MissingKey(w, "url or alias")
 		return
 	}
 	if url != "" && alias != "" {
-		gphttp.ClientError(w, gperr.New("url and alias are mutually exclusive"), http.StatusBadRequest)
+		gphttp.BadRequest(w, "url and alias are mutually exclusive")
 		return
 	}
 
@@ -33,10 +31,10 @@ func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	if url != "" {
 		var iconURL homepage.IconURL
 		if err := iconURL.Parse(url); err != nil {
-			gphttp.ClientError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, req, err, http.StatusBadRequest)
 			return
 		}
-		fetchResult := homepage.FetchFavIconFromURL(&iconURL)
+		fetchResult := homepage.FetchFavIconFromURL(req.Context(), &iconURL)
 		if !fetchResult.OK() {
 			http.Error(w, fetchResult.ErrMsg, fetchResult.StatusCode)
 			return
@@ -47,9 +45,9 @@ func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	}
 
 	// try with route.Icon
-	r, ok := routes.GetHTTPRoute(alias)
+	r, ok := routes.HTTP.Get(alias)
 	if !ok {
-		gphttp.ClientError(w, errors.New("no such route"), http.StatusNotFound)
+		gphttp.ValueNotFound(w, "route", alias)
 		return
 	}
 
@@ -57,9 +55,9 @@ func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	hp := r.HomepageItem()
 	if hp.Icon != nil {
 		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = homepage.FindIcon(req.Context(), r, hp.Icon.Value)
+			result = homepage.FindIcon(req.Context(), r, *hp.Icon.FullURL)
 		} else {
-			result = homepage.FetchFavIconFromURL(hp.Icon)
+			result = homepage.FetchFavIconFromURL(req.Context(), hp.Icon)
 		}
 	} else {
 		// try extract from "link[rel=icon]"

internal/api/v1/health.go

@@ -4,10 +4,20 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/route/routes"
 )
 
 func Health(w http.ResponseWriter, r *http.Request) {
-	gpwebsocket.DynamicJSONHandler(w, r, routequery.HealthMap, 1*time.Second)
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
+			return wsjson.Write(r.Context(), conn, routes.HealthMap())
+		})
+	} else {
+		gphttp.RespondJSON(w, r, routes.HealthMap())
+	}
 }

internal/api/v1/homepage_overrides.go

@@ -1,12 +1,12 @@
 package v1
 
 import (
+	"encoding/json"
 	"io"
 	"net/http"
 
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/pkg/json"
 )
 
 const (
@@ -43,7 +43,7 @@ func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
 
 	data, err := io.ReadAll(r.Body)
 	if err != nil {
-		gphttp.ClientError(w, err, http.StatusBadRequest)
+		gphttp.ClientError(w, r, err, http.StatusBadRequest)
 		return
 	}
 	r.Body.Close()
@@ -53,21 +53,21 @@ func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
 	case HomepageOverrideItem:
 		var params HomepageOverrideItemParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		overrides.OverrideItem(params.Which, &params.Value)
 	case HomepageOverrideItemsBatch:
 		var params HomepageOverrideItemsBatchParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		overrides.OverrideItems(params.Value)
 	case HomepageOverrideItemVisible: // POST /v1/item_visible [a,b,c], false => hide a, b, c
 		var params HomepageOverrideItemVisibleParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		if params.Value {
@@ -78,7 +78,7 @@ func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
 	case HomepageOverrideCategoryOrder:
 		var params HomepageOverrideCategoryOrderParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		overrides.SetCategoryOrder(params.Which, params.Value)

internal/api/v1/list.go

@@ -11,8 +11,9 @@ import (
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/route/routes"
 	route "github.com/yusing/go-proxy/internal/route/types"
+	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 
@@ -27,6 +28,7 @@ const (
 	ListRouteProviders     = "route_providers"
 	ListHomepageCategories = "homepage_categories"
 	ListIcons              = "icons"
+	ListTasks              = "tasks"
 )
 
 func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
@@ -45,7 +47,7 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 			gphttp.RespondJSON(w, r, route)
 		}
 	case ListRoutes:
-		gphttp.RespondJSON(w, r, routequery.RoutesByAlias(route.RouteType(r.FormValue("type"))))
+		gphttp.RespondJSON(w, r, routes.ByAlias(route.RouteType(r.FormValue("type"))))
 	case ListFiles:
 		listFiles(w, r)
 	case ListMiddlewares:
@@ -55,11 +57,11 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	case ListMatchDomains:
 		gphttp.RespondJSON(w, r, cfg.Value().MatchDomains)
 	case ListHomepageConfig:
-		gphttp.RespondJSON(w, r, routequery.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
+		gphttp.RespondJSON(w, r, routes.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
 	case ListRouteProviders:
 		gphttp.RespondJSON(w, r, cfg.RouteProviderList())
 	case ListHomepageCategories:
-		gphttp.RespondJSON(w, r, routequery.HomepageCategories())
+		gphttp.RespondJSON(w, r, routes.HomepageCategories())
 	case ListIcons:
 		limit, err := strconv.Atoi(r.FormValue("limit"))
 		if err != nil {
@@ -67,13 +69,12 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 		}
 		icons, err := homepage.SearchIcons(r.FormValue("keyword"), limit)
 		if err != nil {
-			gphttp.ClientError(w, err)
+			gphttp.ClientError(w, r, err)
 			return
 		}
-		if icons == nil {
-			icons = []string{}
-		}
 		gphttp.RespondJSON(w, r, icons)
+	case ListTasks:
+		gphttp.RespondJSON(w, r, task.DebugTaskList())
 	default:
 		gphttp.BadRequest(w, fmt.Sprintf("invalid what: %s", what))
 	}
@@ -83,9 +84,9 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 // otherwise, return a single Route with alias which or nil if not found.
 func listRoute(which string) any {
 	if which == "" || which == "all" {
-		return routequery.RoutesByAlias()
+		return routes.ByAlias()
 	}
-	routes := routequery.RoutesByAlias()
+	routes := routes.ByAlias()
 	route, ok := routes[which]
 	if !ok {
 		return nil
@@ -94,7 +95,7 @@ func listRoute(which string) any {
 }
 
 func listFiles(w http.ResponseWriter, r *http.Request) {
-	files, err := utils.ListFiles(common.ConfigDir, 0, true)
+	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
@@ -107,17 +108,17 @@ func listFiles(w http.ResponseWriter, r *http.Request) {
 
 	for _, file := range files {
 		t := fileType(file)
-		file = strings.TrimPrefix(file, common.ConfigDir+"/")
+		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
 		resp[t] = append(resp[t], file)
 	}
 
-	mids, err := utils.ListFiles(common.MiddlewareComposeDir, 0, true)
+	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	for _, mid := range mids {
-		mid = strings.TrimPrefix(mid, common.MiddlewareComposeDir+"/")
+		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
 		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
 	}
 	gphttp.RespondJSON(w, r, resp)

internal/api/v1/new_agent.go

@@ -1,48 +1,46 @@
 package v1
 
 import (
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"strconv"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	_ "embed"
 
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/certs"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 func NewAgent(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 	name := q.Get("name")
 	if name == "" {
-		gphttp.ClientError(w, gphttp.ErrMissingKey("name"))
+		gphttp.MissingKey(w, "name")
 		return
 	}
 	host := q.Get("host")
 	if host == "" {
-		gphttp.ClientError(w, gphttp.ErrMissingKey("host"))
+		gphttp.MissingKey(w, "host")
 		return
 	}
 	portStr := q.Get("port")
 	if portStr == "" {
-		gphttp.ClientError(w, gphttp.ErrMissingKey("port"))
+		gphttp.MissingKey(w, "port")
 		return
 	}
 	port, err := strconv.Atoi(portStr)
 	if err != nil || port < 1 || port > 65535 {
-		gphttp.ClientError(w, gphttp.ErrInvalidKey("port"))
+		gphttp.InvalidKey(w, "port")
 		return
 	}
 	hostport := fmt.Sprintf("%s:%d", host, port)
-	if _, ok := agent.Agents.Get(hostport); ok {
-		gphttp.ClientError(w, gphttp.ErrAlreadyExists("agent", hostport), http.StatusConflict)
+	if _, ok := config.GetInstance().GetAgent(hostport); ok {
+		gphttp.KeyAlreadyExists(w, "agent", hostport)
 		return
 	}
 	t := q.Get("type")
@@ -50,14 +48,14 @@ func NewAgent(w http.ResponseWriter, r *http.Request) {
 	case "docker", "system":
 		break
 	case "":
-		gphttp.ClientError(w, gphttp.ErrMissingKey("type"))
+		gphttp.MissingKey(w, "type")
 		return
 	default:
-		gphttp.ClientError(w, gphttp.ErrInvalidKey("type"))
+		gphttp.InvalidKey(w, "type")
 		return
 	}
 
-	nightly := strutils.ParseBool(q.Get("nightly"))
+	nightly, _ := strconv.ParseBool(q.Get("nightly"))
 	var image string
 	if nightly {
 		image = agent.DockerImageNightly
@@ -111,13 +109,13 @@ func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := json.Unmarshal(clientPEMData, &data); err != nil {
-		gphttp.ClientError(w, err, http.StatusBadRequest)
+		gphttp.ClientError(w, r, err)
 		return
 	}
 
 	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(data.Host, data.CA, data.Client)
 	if err != nil {
-		gphttp.ClientError(w, err)
+		gphttp.ClientError(w, r, err)
 		return
 	}
 
@@ -129,7 +127,7 @@ func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
 
 	filename, ok := certs.AgentCertsFilepath(data.Host)
 	if !ok {
-		gphttp.ClientError(w, gphttp.ErrInvalidKey("host"))
+		gphttp.InvalidKey(w, "host")
 		return
 	}
 

internal/api/v1/query/query.go

@@ -1,12 +1,11 @@
 package query
 
 import (
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
@@ -59,3 +58,7 @@ func ListRoutes() (map[string]map[string]any, gperr.Error) {
 func ListMiddlewareTraces() (middleware.Traces, gperr.Error) {
 	return List[middleware.Traces](v1.ListMiddlewareTraces)
 }
+
+func DebugListTasks() (map[string]any, gperr.Error) {
+	return List[map[string]any](v1.ListTasks)
+}

internal/api/v1/stats.go

@@ -4,18 +4,30 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
 	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 func Stats(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	gpwebsocket.DynamicJSONHandler(w, r, func() map[string]any {
-		return map[string]any{
-			"proxies": cfg.Statistics(),
-			"uptime":  strutils.FormatDuration(time.Since(startTime)),
-		}
-	}, 1*time.Second)
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
+			return wsjson.Write(r.Context(), conn, getStats(cfg))
+		})
+	} else {
+		gphttp.RespondJSON(w, r, getStats(cfg))
+	}
 }
 
 var startTime = time.Now()
+
+func getStats(cfg config.ConfigInstance) map[string]any {
+	return map[string]any{
+		"proxies": cfg.Statistics(),
+		"uptime":  strutils.FormatDuration(time.Since(startTime)),
+	}
+}

internal/api/v1/system_info.go

@@ -3,16 +3,17 @@ package v1
 import (
 	"net/http"
 
-	"github.com/yusing/go-proxy/agent/pkg/agent"
 	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
+	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
 )
 
-func SystemInfo(w http.ResponseWriter, r *http.Request) {
+func SystemInfo(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	agentAddr := query.Get("agent_addr")
 	query.Del("agent_addr")
@@ -21,7 +22,7 @@ func SystemInfo(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	agent, ok := agent.Agents.Get(agentAddr)
+	agent, ok := cfg.GetAgent(agentAddr)
 	if !ok {
 		gphttp.NotFound(w, "agent_addr")
 		return
@@ -40,7 +41,7 @@ func SystemInfo(w http.ResponseWriter, r *http.Request) {
 		}
 		gphttp.WriteBody(w, respData)
 	} else {
-		rp := reverseproxy.NewReverseProxy("agent", agentPkg.AgentURL, agent.Transport())
+		rp := reverseproxy.NewReverseProxy("agent", types.NewURL(agentPkg.AgentURL), agent.Transport())
 		header := r.Header.Clone()
 		r, err := http.NewRequestWithContext(r.Context(), r.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
 		if err != nil {

internal/api/v1/version.go

@@ -1,12 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/pkg"
-)
-
-func GetVersion(w http.ResponseWriter, r *http.Request) {
-	gphttp.WriteBody(w, []byte(pkg.GetVersion().String()))
-}

internal/auth/auth.go

@@ -0,0 +1,79 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+)
+
+var defaultAuth Provider
+
+// Initialize sets up authentication providers.
+func Initialize() error {
+	if !IsEnabled() {
+		return nil
+	}
+
+	var err error
+	// Initialize OIDC if configured.
+	if common.OIDCIssuerURL != "" {
+		defaultAuth, err = NewOIDCProviderFromEnv()
+	} else {
+		defaultAuth, err = NewUserPassAuthFromEnv()
+	}
+
+	return err
+}
+
+func GetDefaultAuth() Provider {
+	return defaultAuth
+}
+
+func IsEnabled() bool {
+	return !common.DebugDisableAuth && (common.APIJWTSecret != nil || IsOIDCEnabled())
+}
+
+func IsOIDCEnabled() bool {
+	return common.OIDCIssuerURL != ""
+}
+
+type nextHandler struct{}
+
+var nextHandlerContextKey = nextHandler{}
+
+func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
+	if !IsEnabled() {
+		return next
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		if err := defaultAuth.CheckToken(r); err != nil {
+			if IsFrontend(r) {
+				r = r.WithContext(context.WithValue(r.Context(), nextHandlerContextKey, next))
+				defaultAuth.LoginHandler(w, r)
+			} else {
+				gphttp.Unauthorized(w, err.Error())
+			}
+			return
+		}
+		next(w, r)
+	}
+}
+
+func ProceedNext(w http.ResponseWriter, r *http.Request) {
+	next, ok := r.Context().Value(nextHandlerContextKey).(http.HandlerFunc)
+	if ok {
+		next(w, r)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+func AuthCheckHandler(w http.ResponseWriter, r *http.Request) {
+	if err := defaultAuth.CheckToken(r); err != nil {
+		defaultAuth.LoginHandler(w, r)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}

internal/auth/oauth_refresh.go

@@ -0,0 +1,222 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/jsonstore"
+	"github.com/yusing/go-proxy/internal/logging"
+	"golang.org/x/oauth2"
+)
+
+type oauthRefreshToken struct {
+	Username     string    `json:"username"`
+	RefreshToken string    `json:"refresh_token"`
+	Expiry       time.Time `json:"expiry"`
+
+	result *refreshResult
+	err    error
+	mu     sync.Mutex
+}
+
+type Session struct {
+	SessionID sessionID `json:"session_id"`
+	Username  string    `json:"username"`
+	Groups    []string  `json:"groups"`
+}
+
+type refreshResult struct {
+	newSession Session
+	jwt        string
+	jwtExpiry  time.Time
+}
+
+type sessionClaims struct {
+	Session
+	jwt.RegisteredClaims
+}
+
+type sessionID string
+
+var oauthRefreshTokens jsonstore.MapStore[*oauthRefreshToken]
+
+var (
+	defaultRefreshTokenExpiry = 30 * 24 * time.Hour // 1 month
+	refreshBefore             = 30 * time.Second
+	sessionInvalidateDelay    = 3 * time.Second
+)
+
+var (
+	errNoRefreshToken      = errors.New("no refresh token")
+	ErrRefreshTokenFailure = errors.New("failed to refresh token")
+)
+
+const sessionTokenIssuer = "GoDoxy"
+
+func init() {
+	if IsOIDCEnabled() {
+		oauthRefreshTokens = jsonstore.Store[*oauthRefreshToken]("oauth_refresh_tokens")
+	}
+}
+
+func (token *oauthRefreshToken) expired() bool {
+	return time.Now().After(token.Expiry)
+}
+
+func newSessionID() sessionID {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return sessionID(hex.EncodeToString(b))
+}
+
+func newSession(username string, groups []string) Session {
+	return Session{
+		SessionID: newSessionID(),
+		Username:  username,
+		Groups:    groups,
+	}
+}
+
+// getOAuthRefreshToken returns the refresh token for the given session.
+func getOAuthRefreshToken(claims *Session) (*oauthRefreshToken, bool) {
+	token, ok := oauthRefreshTokens.Load(string(claims.SessionID))
+	if !ok {
+		return nil, false
+	}
+
+	if token.expired() {
+		invalidateOAuthRefreshToken(claims.SessionID)
+		return nil, false
+	}
+
+	if claims.Username != token.Username {
+		return nil, false
+	}
+	return token, true
+}
+
+func storeOAuthRefreshToken(sessionID sessionID, username, token string) {
+	oauthRefreshTokens.Store(string(sessionID), &oauthRefreshToken{
+		Username:     username,
+		RefreshToken: token,
+		Expiry:       time.Now().Add(defaultRefreshTokenExpiry),
+	})
+	logging.Debug().Str("username", username).Msg("stored oauth refresh token")
+}
+
+func invalidateOAuthRefreshToken(sessionID sessionID) {
+	logging.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
+	oauthRefreshTokens.Delete(string(sessionID))
+}
+
+func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.Request, session Session) {
+	claims := &sessionClaims{
+		Session: session,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    sessionTokenIssuer,
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(common.APIJWTTokenTTL)),
+		},
+	}
+	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
+	signed, err := jwtToken.SignedString(common.APIJWTSecret)
+	if err != nil {
+		logging.Err(err).Msg("failed to sign session token")
+		return
+	}
+	SetTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
+}
+
+func (auth *OIDCProvider) parseSessionJWT(sessionJWT string) (claims *sessionClaims, valid bool, err error) {
+	claims = &sessionClaims{}
+	sessionToken, err := jwt.ParseWithClaims(sessionJWT, claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return common.APIJWTSecret, nil
+	})
+	if err != nil {
+		return nil, false, err
+	}
+	return claims, sessionToken.Valid && claims.Issuer == sessionTokenIssuer, nil
+}
+
+func (auth *OIDCProvider) TryRefreshToken(ctx context.Context, sessionJWT string) (*refreshResult, error) {
+	// verify the session cookie
+	claims, valid, err := auth.parseSessionJWT(sessionJWT)
+	if err != nil {
+		return nil, fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrInvalidSessionToken, err)
+	}
+	if !valid {
+		return nil, ErrInvalidSessionToken
+	}
+
+	// check if refresh is possible
+	refreshToken, ok := getOAuthRefreshToken(&claims.Session)
+	if !ok {
+		return nil, errNoRefreshToken
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return nil, ErrUserNotAllowed
+	}
+
+	return auth.doRefreshToken(ctx, refreshToken, &claims.Session)
+}
+
+func (auth *OIDCProvider) doRefreshToken(ctx context.Context, refreshToken *oauthRefreshToken, claims *Session) (*refreshResult, error) {
+	refreshToken.mu.Lock()
+	defer refreshToken.mu.Unlock()
+
+	// already refreshed
+	// this must be called after refresh but before invalidate
+	if refreshToken.result != nil || refreshToken.err != nil {
+		return refreshToken.result, refreshToken.err
+	}
+
+	// this step refreshes the token
+	// see https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.29.0:oauth2.go;l=313
+	newToken, err := auth.oauthConfig.TokenSource(ctx, &oauth2.Token{
+		RefreshToken: refreshToken.RefreshToken,
+	}).Token()
+	if err != nil {
+		refreshToken.err = fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrRefreshTokenFailure, err)
+		return nil, refreshToken.err
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(ctx, newToken)
+	if err != nil {
+		refreshToken.err = fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrRefreshTokenFailure, err)
+		return nil, refreshToken.err
+	}
+
+	// in case there're multiple requests for the same session to refresh
+	// invalidate the token after a short delay
+	go func() {
+		<-time.After(sessionInvalidateDelay)
+		invalidateOAuthRefreshToken(claims.SessionID)
+	}()
+
+	sessionID := newSessionID()
+
+	logging.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
+	storeOAuthRefreshToken(sessionID, claims.Username, newToken.RefreshToken)
+
+	refreshToken.result = &refreshResult{
+		newSession: Session{
+			SessionID: sessionID,
+			Username:  claims.Username,
+			Groups:    claims.Groups,
+		},
+		jwt:       idTokenJWT,
+		jwtExpiry: idToken.Expiry,
+	}
+	return refreshToken.result, nil
+}

internal/auth/oidc.go

@@ -0,0 +1,329 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"slices"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/utils"
+	"golang.org/x/oauth2"
+)
+
+type (
+	OIDCProvider struct {
+		oauthConfig   *oauth2.Config
+		oidcProvider  *oidc.Provider
+		oidcVerifier  *oidc.IDTokenVerifier
+		endSessionURL *url.URL
+		allowedUsers  []string
+		allowedGroups []string
+	}
+
+	IDTokenClaims struct {
+		Username string   `json:"preferred_username"`
+		Groups   []string `json:"groups"`
+	}
+)
+
+const (
+	CookieOauthState        = "godoxy_oidc_state"
+	CookieOauthToken        = "godoxy_oauth_token"
+	CookieOauthSessionToken = "godoxy_session_token"
+)
+
+const (
+	OIDCAuthInitPath = "/"
+	OIDCPostAuthPath = "/auth/callback"
+	OIDCLogoutPath   = "/auth/logout"
+)
+
+var (
+	errMissingIDToken = errors.New("missing id_token field from oauth token")
+
+	ErrMissingOAuthToken = gperr.New("missing oauth token")
+	ErrInvalidOAuthToken = gperr.New("invalid oauth token")
+)
+
+// generateState generates a random string for OIDC state.
+const oidcStateLength = 32
+
+func generateState() string {
+	b := make([]byte, oidcStateLength)
+	_, _ = rand.Read(b)
+	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength]
+}
+
+func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
+	if len(allowedUsers)+len(allowedGroups) == 0 {
+		return nil, errors.New("oidc.allowed_users or oidc.allowed_groups are both empty")
+	}
+	provider, err := oidc.NewProvider(context.Background(), issuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
+	endSessionURL, err := url.Parse(provider.EndSessionEndpoint())
+	if err != nil && provider.EndSessionEndpoint() != "" {
+		// non critical, just warn
+		logging.Warn().
+			Str("issuer", issuerURL).
+			Err(err).
+			Msg("failed to parse end session URL")
+	}
+
+	return &OIDCProvider{
+		oauthConfig: &oauth2.Config{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			RedirectURL:  "",
+			Endpoint:     provider.Endpoint(),
+			Scopes:       common.OIDCScopes,
+		},
+		oidcProvider: provider,
+		oidcVerifier: provider.Verifier(&oidc.Config{
+			ClientID: clientID,
+		}),
+		endSessionURL: endSessionURL,
+		allowedUsers:  allowedUsers,
+		allowedGroups: allowedGroups,
+	}, nil
+}
+
+// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
+func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
+	return NewOIDCProvider(
+		common.OIDCIssuerURL,
+		common.OIDCClientID,
+		common.OIDCClientSecret,
+		common.OIDCAllowedUsers,
+		common.OIDCAllowedGroups,
+	)
+}
+
+func (auth *OIDCProvider) SetAllowedUsers(users []string) {
+	auth.allowedUsers = users
+}
+
+func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
+	auth.allowedGroups = groups
+}
+
+// optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
+// parameter of the authorization URL to the post auth path of the current
+// request host.
+func optRedirectPostAuth(r *http.Request) oauth2.AuthCodeOption {
+	return oauth2.SetAuthURLParam("redirect_uri", "https://"+requestHost(r)+OIDCPostAuthPath)
+}
+
+func (auth *OIDCProvider) getIdToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
+	idTokenJWT, ok := oauthToken.Extra("id_token").(string)
+	if !ok {
+		return "", nil, errMissingIDToken
+	}
+	idToken, err := auth.oidcVerifier.Verify(ctx, idTokenJWT)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to verify ID token: %w", err)
+	}
+	return idTokenJWT, idToken, nil
+}
+
+func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
+	if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
+		http.Redirect(w, r, "https://"+requestHost(r)+OIDCAuthInitPath, http.StatusFound)
+		return
+	}
+	switch r.URL.Path {
+	case OIDCAuthInitPath:
+		auth.LoginHandler(w, r)
+	case OIDCPostAuthPath:
+		auth.PostAuthCallbackHandler(w, r)
+	case OIDCLogoutPath:
+		auth.LogoutHandler(w, r)
+	default:
+		http.Redirect(w, r, OIDCAuthInitPath, http.StatusFound)
+	}
+}
+
+func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	// check for session token
+	sessionToken, err := r.Cookie(CookieOauthSessionToken)
+	if err == nil { // session token exists
+		result, err := auth.TryRefreshToken(r.Context(), sessionToken.Value)
+		// redirect back to where they requested
+		// when token refresh is ok
+		if err == nil {
+			auth.setIDTokenCookie(w, r, result.jwt, time.Until(result.jwtExpiry))
+			auth.setSessionTokenCookie(w, r, result.newSession)
+			ProceedNext(w, r)
+			return
+		}
+		// clear cookies then redirect to home
+		logging.Err(err).Msg("failed to refresh token")
+		auth.clearCookie(w, r)
+		http.Redirect(w, r, "/", http.StatusFound)
+		return
+	}
+
+	state := generateState()
+	SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
+	// redirect user to Idp
+	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
+}
+
+func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
+	var claim IDTokenClaims
+	if err := idToken.Claims(&claim); err != nil {
+		return nil, fmt.Errorf("failed to parse claims: %w", err)
+	}
+	if claim.Username == "" {
+		return nil, fmt.Errorf("missing username in ID token")
+	}
+	return &claim, nil
+}
+
+func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
+	userAllowed := slices.Contains(auth.allowedUsers, user)
+	if !userAllowed {
+		return false
+	}
+	if len(auth.allowedGroups) == 0 {
+		return true
+	}
+	return len(utils.Intersect(groups, auth.allowedGroups)) > 0
+}
+
+func (auth *OIDCProvider) CheckToken(r *http.Request) error {
+	tokenCookie, err := r.Cookie(CookieOauthToken)
+	if err != nil {
+		return ErrMissingOAuthToken
+	}
+
+	idToken, err := auth.oidcVerifier.Verify(r.Context(), tokenCookie.Value)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	claims, err := parseClaims(idToken)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+	return nil
+}
+
+func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+	// For testing purposes, skip provider verification
+	if common.IsTest {
+		auth.handleTestCallback(w, r)
+		return
+	}
+
+	// verify state
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	code := r.URL.Query().Get("code")
+	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code, optRedirectPostAuth(r))
+	if err != nil {
+		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
+		return
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), oauth2Token)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	if oauth2Token.RefreshToken != "" {
+		claims, err := parseClaims(idToken)
+		if err != nil {
+			gphttp.ServerError(w, r, err)
+			return
+		}
+		session := newSession(claims.Username, claims.Groups)
+		storeOAuthRefreshToken(session.SessionID, claims.Username, oauth2Token.RefreshToken)
+		auth.setSessionTokenCookie(w, r, session)
+	}
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+
+	// Redirect to home page
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	oauthToken, _ := r.Cookie(CookieOauthToken)
+	sessionToken, _ := r.Cookie(CookieOauthSessionToken)
+	auth.clearCookie(w, r)
+
+	if sessionToken != nil {
+		claims, _, err := auth.parseSessionJWT(sessionToken.Value)
+		if err == nil {
+			invalidateOAuthRefreshToken(claims.SessionID)
+		}
+	}
+
+	url := "/"
+	if auth.endSessionURL != nil && oauthToken != nil {
+		query := auth.endSessionURL.Query()
+		query.Set("id_token_hint", oauthToken.Value)
+		query.Set("post_logout_redirect_uri", "https://"+requestHost(r))
+
+		clone := *auth.endSessionURL
+		clone.RawQuery = query.Encode()
+		url = clone.String()
+	} else if auth.endSessionURL != nil {
+		url = auth.endSessionURL.String()
+	}
+
+	http.Redirect(w, r, url, http.StatusFound)
+}
+
+func (auth *OIDCProvider) setIDTokenCookie(w http.ResponseWriter, r *http.Request, jwt string, ttl time.Duration) {
+	SetTokenCookie(w, r, CookieOauthToken, jwt, ttl)
+}
+
+func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
+	ClearTokenCookie(w, r, CookieOauthToken)
+	ClearTokenCookie(w, r, CookieOauthSessionToken)
+}
+
+// handleTestCallback handles OIDC callback in test environment.
+func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	// Create test JWT token
+	SetTokenCookie(w, r, CookieOauthToken, "test", time.Hour)
+
+	http.Redirect(w, r, "/", http.StatusFound)
+}

internal/auth/oidc_test.go

@@ -5,13 +5,13 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/yusing/go-proxy/internal/common"
@@ -36,7 +36,8 @@ func setupMockOIDC(t *testing.T) {
 			},
 			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 		},
-		oidcProvider: provider,
+		endSessionURL: Must(url.Parse("http://mock-provider/logout")),
+		oidcProvider:  provider,
 		oidcVerifier: provider.Verifier(&oidc.Config{
 			ClientID: "test-client",
 		}),
@@ -149,17 +150,17 @@ func TestOIDCLoginHandler(t *testing.T) {
 	}{
 		{
 			name:         "Success - Redirects to provider",
-			wantStatus:   http.StatusTemporaryRedirect,
+			wantStatus:   http.StatusFound,
 			wantRedirect: true,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/auth/redirect", nil)
+			req := httptest.NewRequest(http.MethodGet, OIDCAuthInitPath, nil)
 			w := httptest.NewRecorder()
 
-			defaultAuth.RedirectLoginPage(w, req)
+			defaultAuth.(*OIDCProvider).HandleAuth(w, req)
 
 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCLoginHandler() status = %v, want %v", got, tt.wantStatus)
@@ -195,7 +196,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			state:      "valid-state",
 			code:       "valid-code",
 			setupMocks: true,
-			wantStatus: http.StatusTemporaryRedirect,
+			wantStatus: http.StatusFound,
 		},
 		{
 			name:       "Failure - Missing state",
@@ -220,7 +221,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			}
 			w := httptest.NewRecorder()
 
-			defaultAuth.LoginCallbackHandler(w, req)
+			defaultAuth.(*OIDCProvider).PostAuthCallbackHandler(w, req)
 
 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCCallbackHandler() status = %v, want %v", got, tt.wantStatus)
@@ -228,7 +229,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 
 			if tt.wantStatus == http.StatusTemporaryRedirect {
 				setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
-				ExpectEqual(t, setCookie.Name, defaultAuth.TokenCookieName())
+				ExpectEqual(t, setCookie.Name, CookieOauthToken)
 				ExpectTrue(t, setCookie.Value != "")
 				ExpectEqual(t, setCookie.Path, "/")
 				ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
@@ -271,7 +272,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:    server.URL,
 			clientID:     "client_id",
 			clientSecret: "client_secret",
-			redirectURL:  "https://example.com/callback",
 			allowedUsers: []string{"user1", "user2"},
 			wantErr:      false,
 		},
@@ -280,7 +280,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
-			redirectURL:   "https://example.com/callback",
 			allowedGroups: []string{"group1", "group2"},
 			wantErr:       false,
 		},
@@ -289,7 +288,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
-			redirectURL:   "https://example.com/callback",
 			logoutURL:     "https://example.com/logout",
 			allowedUsers:  []string{"user1", "user2"},
 			allowedGroups: []string{"group1", "group2"},
@@ -300,14 +298,13 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:    "https://example.com",
 			clientID:     "client_id",
 			clientSecret: "client_secret",
-			redirectURL:  "https://example.com/callback",
 			wantErr:      true,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.redirectURL, tt.allowedUsers, tt.allowedGroups)
+			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.allowedUsers, tt.allowedGroups)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("InitOIDC() error = %v, wantErr %v", err, tt.wantErr)
 			}
@@ -401,7 +398,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns incorrect audience",
@@ -412,7 +409,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns expired token",
@@ -423,7 +420,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 	}
 	for _, tc := range tests {
@@ -439,7 +436,7 @@ func TestCheckToken(t *testing.T) {
 			// Craft a test HTTP request that includes the token as a cookie.
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
 			req.AddCookie(&http.Cookie{
-				Name:  auth.TokenCookieName(),
+				Name:  CookieOauthToken,
 				Value: signedToken,
 			})
 
@@ -453,3 +450,35 @@ func TestCheckToken(t *testing.T) {
 		})
 	}
 }
+
+func TestLogoutHandler(t *testing.T) {
+	t.Helper()
+
+	setupMockOIDC(t)
+
+	req := httptest.NewRequest(http.MethodGet, OIDCLogoutPath, nil)
+	w := httptest.NewRecorder()
+
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthToken,
+		Value: "test-token",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthSessionToken,
+		Value: "test-session-token",
+	})
+
+	defaultAuth.(*OIDCProvider).LogoutHandler(w, req)
+
+	if got := w.Code; got != http.StatusFound {
+		t.Errorf("LogoutHandler() status = %v, want %v", got, http.StatusFound)
+	}
+
+	if got := w.Header().Get("Location"); got == "" {
+		t.Error("LogoutHandler() missing redirect location")
+	}
+
+	if len(w.Header().Values("Set-Cookie")) != 2 {
+		t.Error("LogoutHandler() did not clear all cookies")
+	}
+}

internal/auth/provider.go

@@ -0,0 +1,10 @@
+package auth
+
+import "net/http"
+
+type Provider interface {
+	CheckToken(r *http.Request) error
+	LoginHandler(w http.ResponseWriter, r *http.Request)
+	PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request)
+	LogoutHandler(w http.ResponseWriter, r *http.Request)
+}

internal/auth/userpass.go

@@ -1,12 +1,11 @@
 package auth
 
 import (
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
@@ -77,7 +76,7 @@ func (auth *UserPassAuth) NewToken() (token string, err error) {
 func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	jwtCookie, err := r.Cookie(auth.TokenCookieName())
 	if err != nil {
-		return ErrMissingToken
+		return ErrMissingSessionToken
 	}
 	var claims UserPassClaims
 	token, err := jwt.ParseWithClaims(jwtCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
@@ -91,7 +90,7 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	}
 	switch {
 	case !token.Valid:
-		return ErrInvalidToken
+		return ErrInvalidSessionToken
 	case claims.Username != auth.username:
 		return ErrUserNotAllowed.Subject(claims.Username)
 	case claims.ExpiresAt.Before(time.Now()):
@@ -101,11 +100,7 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	return nil
 }
 
-func (auth *UserPassAuth) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
-}
-
-func (auth *UserPassAuth) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
+func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	var creds struct {
 		User string `json:"username"`
 		Pass string `json:"password"`
@@ -124,12 +119,17 @@ func (auth *UserPassAuth) LoginCallbackHandler(w http.ResponseWriter, r *http.Re
 		gphttp.ServerError(w, r, err)
 		return
 	}
-	setTokenCookie(w, r, auth.TokenCookieName(), token, auth.tokenTTL)
+	SetTokenCookie(w, r, auth.TokenCookieName(), token, auth.tokenTTL)
 	w.WriteHeader(http.StatusOK)
 }
 
-func (auth *UserPassAuth) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	DefaultLogoutCallbackHandler(auth, w, r)
+func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	http.Redirect(w, r, "/login", http.StatusFound) // redirects to WebUI login page
+}
+
+func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	ClearTokenCookie(w, r, auth.TokenCookieName())
+	http.Redirect(w, r, "/", http.StatusFound)
 }
 
 func (auth *UserPassAuth) validatePassword(user, pass string) error {

internal/auth/userpass_test.go

@@ -2,14 +2,13 @@ package auth
 
 import (
 	"bytes"
+	"encoding/json"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 
-	"github.com/yusing/go-proxy/pkg/json"
-
 	. "github.com/yusing/go-proxy/internal/utils/testing"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -99,7 +98,7 @@ func TestUserPassLoginCallbackHandler(t *testing.T) {
 			Host: "app.example.com",
 			Body: io.NopCloser(bytes.NewReader(Must(json.Marshal(tt.creds)))),
 		}
-		auth.LoginCallbackHandler(w, req)
+		auth.PostAuthCallbackHandler(w, req)
 		if tt.wantErr {
 			ExpectEqual(t, w.Code, http.StatusUnauthorized)
 		} else {

internal/auth/utils.go

@@ -0,0 +1,71 @@
+package auth
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+var (
+	ErrMissingSessionToken = gperr.New("missing session token")
+	ErrInvalidSessionToken = gperr.New("invalid session token")
+	ErrUserNotAllowed      = gperr.New("user not allowed")
+)
+
+func IsFrontend(r *http.Request) bool {
+	return r.Host == common.APIHTTPAddr
+}
+
+func requestHost(r *http.Request) string {
+	// check if it's from backend
+	if IsFrontend(r) {
+		return r.Header.Get("X-Forwarded-Host")
+	}
+	return r.Host
+}
+
+// cookieDomain returns the fully qualified domain name of the request host
+// with subdomain stripped.
+//
+// If the request host does not have a subdomain,
+// an empty string is returned
+//
+//	"abc.example.com" -> ".example.com" (cross subdomain)
+//	"example.com" -> "" (same domain only)
+func cookieDomain(r *http.Request) string {
+	parts := strutils.SplitRune(requestHost(r), '.')
+	if len(parts) < 2 {
+		return ""
+	}
+	parts[0] = ""
+	return strutils.JoinRune(parts, '.')
+}
+
+func SetTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    value,
+		MaxAge:   int(ttl.Seconds()),
+		Domain:   cookieDomain(r),
+		HttpOnly: true,
+		Secure:   common.APIJWTSecure,
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+}
+
+func ClearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		Domain:   cookieDomain(r),
+		HttpOnly: true,
+		Secure:   common.APIJWTSecure,
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+}

internal/autocert/config.go

@@ -13,21 +13,17 @@ import (
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
-type (
-	AutocertConfig struct {
-		Email       string      `json:"email,omitempty"`
-		Domains     []string    `json:"domains,omitempty"`
-		CertPath    string      `json:"cert_path,omitempty"`
-		KeyPath     string      `json:"key_path,omitempty"`
-		ACMEKeyPath string      `json:"acme_key_path,omitempty"`
-		Provider    string      `json:"provider,omitempty"`
-		Options     ProviderOpt `json:"options,omitempty"`
-	}
-	ProviderOpt map[string]any
-)
+type Config struct {
+	Email       string         `json:"email,omitempty"`
+	Domains     []string       `json:"domains,omitempty"`
+	CertPath    string         `json:"cert_path,omitempty"`
+	KeyPath     string         `json:"key_path,omitempty"`
+	ACMEKeyPath string         `json:"acme_key_path,omitempty"`
+	Provider    string         `json:"provider,omitempty"`
+	Options     map[string]any `json:"options,omitempty"`
+}
 
 var (
 	ErrMissingDomain   = gperr.New("missing field 'domains'")
@@ -37,10 +33,15 @@ var (
 	ErrUnknownProvider = gperr.New("unknown provider")
 )
 
+const (
+	ProviderLocal  = "local"
+	ProviderPseudo = "pseudo"
+)
+
 var domainOrWildcardRE = regexp.MustCompile(`^\*?([^.]+\.)+[^.]+$`)
 
 // Validate implements the utils.CustomValidator interface.
-func (cfg *AutocertConfig) Validate() gperr.Error {
+func (cfg *Config) Validate() gperr.Error {
 	if cfg == nil {
 		return nil
 	}
@@ -64,11 +65,11 @@ func (cfg *AutocertConfig) Validate() gperr.Error {
 			}
 		}
 		// check if provider is implemented
-		providerConstructor, ok := providersGenMap[cfg.Provider]
+		providerConstructor, ok := Providers[cfg.Provider]
 		if !ok {
 			b.Add(ErrUnknownProvider.
 				Subject(cfg.Provider).
-				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providersGenMap))))
+				With(gperr.DoYouMean(utils.NearestField(cfg.Provider, Providers))))
 		} else {
 			_, err := providerConstructor(cfg.Options)
 			if err != nil {
@@ -79,13 +80,9 @@ func (cfg *AutocertConfig) Validate() gperr.Error {
 	return b.Error()
 }
 
-func (cfg *AutocertConfig) GetProvider() (*Provider, gperr.Error) {
-	if cfg == nil {
-		cfg = new(AutocertConfig)
-	}
-
+func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 	if err := cfg.Validate(); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if cfg.CertPath == "" {
@@ -102,35 +99,31 @@ func (cfg *AutocertConfig) GetProvider() (*Provider, gperr.Error) {
 	var err error
 
 	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
-		if privKey, err = cfg.loadACMEKey(); err != nil {
+		if privKey, err = cfg.LoadACMEKey(); err != nil {
 			logging.Info().Err(err).Msg("load ACME private key failed")
 			logging.Info().Msg("generate new ACME private key")
 			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			if err != nil {
-				return nil, gperr.New("generate ACME private key").With(err)
+				return nil, nil, gperr.New("generate ACME private key").With(err)
 			}
-			if err = cfg.saveACMEKey(privKey); err != nil {
-				return nil, gperr.New("save ACME private key").With(err)
+			if err = cfg.SaveACMEKey(privKey); err != nil {
+				return nil, nil, gperr.New("save ACME private key").With(err)
 			}
 		}
 	}
 
 	user := &User{
 		Email: cfg.Email,
-		key:   privKey,
+		Key:   privKey,
 	}
 
 	legoCfg := lego.NewConfig(user)
 	legoCfg.Certificate.KeyType = certcrypto.RSA2048
 
-	return &Provider{
-		cfg:     cfg,
-		user:    user,
-		legoCfg: legoCfg,
-	}, nil
+	return user, legoCfg, nil
 }
 
-func (cfg *AutocertConfig) loadACMEKey() (*ecdsa.PrivateKey, error) {
+func (cfg *Config) LoadACMEKey() (*ecdsa.PrivateKey, error) {
 	data, err := os.ReadFile(cfg.ACMEKeyPath)
 	if err != nil {
 		return nil, err
@@ -138,7 +131,7 @@ func (cfg *AutocertConfig) loadACMEKey() (*ecdsa.PrivateKey, error) {
 	return x509.ParseECPrivateKey(data)
 }
 
-func (cfg *AutocertConfig) saveACMEKey(key *ecdsa.PrivateKey) error {
+func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
 	data, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		return err

internal/autocert/constants.go

@@ -1,38 +0,0 @@
-package autocert
-
-import (
-	"path/filepath"
-
-	"github.com/go-acme/lego/v4/providers/dns/clouddns"
-	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
-	"github.com/go-acme/lego/v4/providers/dns/duckdns"
-	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	"github.com/go-acme/lego/v4/providers/dns/porkbun"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-var (
-	CertFileDefault    = filepath.Join(common.CertsDir, "cert.crt")
-	KeyFileDefault     = filepath.Join(common.CertsDir, "priv.key")
-	ACMEKeyFileDefault = filepath.Join(common.CertsDir, "acme.key")
-)
-
-const (
-	ProviderLocal      = "local"
-	ProviderCloudflare = "cloudflare"
-	ProviderClouddns   = "clouddns"
-	ProviderDuckdns    = "duckdns"
-	ProviderOVH        = "ovh"
-	ProviderPseudo     = "pseudo" // for testing
-	ProviderPorkbun    = "porkbun"
-)
-
-var providersGenMap = map[string]ProviderGenerator{
-	ProviderLocal:      providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderCloudflare: providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-	ProviderClouddns:   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
-	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
-	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
-	ProviderPseudo:     providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderPorkbun:    providerGenerator(porkbun.NewDefaultConfig, porkbun.NewDNSProviderConfig),
-}

internal/autocert/paths.go

@@ -0,0 +1,8 @@
+package autocert
+
+const (
+	certBasePath       = "certs/"
+	CertFileDefault    = certBasePath + "cert.crt"
+	KeyFileDefault     = certBasePath + "priv.key"
+	ACMEKeyFileDefault = certBasePath + "acme.key"
+)

internal/autocert/provider.go

@@ -13,19 +13,19 @@ import (
 	"time"
 
 	"github.com/go-acme/lego/v4/certificate"
-	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
+	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/notif"
 	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 type (
 	Provider struct {
-		cfg     *AutocertConfig
+		cfg     *Config
 		user    *User
 		legoCfg *lego.Config
 		client  *lego.Client
@@ -36,13 +36,20 @@ type (
 
 		obtainMu sync.Mutex
 	}
-	ProviderGenerator func(ProviderOpt) (challenge.Provider, gperr.Error)
 
 	CertExpiries map[string]time.Time
 )
 
 var ErrGetCertFailure = errors.New("get certificate failed")
 
+func NewProvider(cfg *Config, user *User, legoCfg *lego.Config) *Provider {
+	return &Provider{
+		cfg:     cfg,
+		user:    user,
+		legoCfg: legoCfg,
+	}
+}
+
 func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if p.tlsCert == nil {
 		return nil, ErrGetCertFailure
@@ -188,8 +195,18 @@ func (p *Provider) ScheduleRenewal(parent task.Parent) {
 				if err := p.renewIfNeeded(); err != nil {
 					gperr.LogWarn("cert renew failed", err)
 					lastErrOn = time.Now()
+					notif.Notify(&notif.LogMessage{
+						Level: zerolog.ErrorLevel,
+						Title: "SSL certificate renewal failed",
+						Body:  notif.MessageBody(err.Error()),
+					})
 					continue
 				}
+				notif.Notify(&notif.LogMessage{
+					Level: zerolog.InfoLevel,
+					Title: "SSL certificate renewed",
+					Body:  notif.ListBody(p.cfg.Domains),
+				})
 				// Reset on success
 				lastErrOn = time.Time{}
 				renewalTime = p.ShouldRenewOn()
@@ -205,7 +222,7 @@ func (p *Provider) initClient() error {
 		return err
 	}
 
-	generator := providersGenMap[p.cfg.Provider]
+	generator := Providers[p.cfg.Provider]
 	legoProvider, pErr := generator(p.cfg.Options)
 	if pErr != nil {
 		return pErr
@@ -322,18 +339,3 @@ func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
 	}
 	return r, nil
 }
-
-func providerGenerator[CT any, PT challenge.Provider](
-	defaultCfg func() *CT,
-	newProvider func(*CT) (PT, error),
-) ProviderGenerator {
-	return func(opt ProviderOpt) (challenge.Provider, gperr.Error) {
-		cfg := defaultCfg()
-		err := utils.MapUnmarshalValidate(opt, &cfg)
-		if err != nil {
-			return nil, err
-		}
-		p, pErr := newProvider(cfg)
-		return p, gperr.Wrap(pErr)
-	}
-}

internal/autocert/provider_test/ovh_test.go

@@ -5,8 +5,8 @@ import (
 
 	"github.com/go-acme/lego/v4/providers/dns/ovh"
 	"github.com/goccy/go-yaml"
+	"github.com/stretchr/testify/require"
 	"github.com/yusing/go-proxy/internal/utils"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
 )
 
 // type Config struct {
@@ -44,7 +44,7 @@ oauth2_config:
 	}
 	testYaml = testYaml[1:] // remove first \n
 	opt := make(map[string]any)
-	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), &opt))
-	ExpectNoError(t, utils.MapUnmarshalValidate(opt, cfg))
-	ExpectEqual(t, cfg, cfgExpected)
+	require.NoError(t, yaml.Unmarshal([]byte(testYaml), &opt))
+	require.NoError(t, utils.MapUnmarshalValidate(opt, cfg))
+	require.Equal(t, cfg, cfgExpected)
 }

internal/autocert/providers.go

@@ -0,0 +1,26 @@
+package autocert
+
+import (
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Generator func(map[string]any) (challenge.Provider, gperr.Error)
+
+var Providers = make(map[string]Generator)
+
+func DNSProvider[CT any, PT challenge.Provider](
+	defaultCfg func() *CT,
+	newProvider func(*CT) (PT, error),
+) Generator {
+	return func(opt map[string]any) (challenge.Provider, gperr.Error) {
+		cfg := defaultCfg()
+		err := utils.MapUnmarshalValidate(opt, &cfg)
+		if err != nil {
+			return nil, err
+		}
+		p, pErr := newProvider(cfg)
+		return p, gperr.Wrap(pErr)
+	}
+}

internal/autocert/types/provider.go

@@ -0,0 +1,14 @@
+package autocert
+
+import (
+	"crypto/tls"
+
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+type Provider interface {
+	Setup() error
+	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
+	ScheduleRenewal(task.Parent)
+	ObtainCert() error
+}

internal/autocert/user.go

@@ -9,7 +9,7 @@ import (
 type User struct {
 	Email        string
 	Registration *registration.Resource
-	key          crypto.PrivateKey
+	Key          crypto.PrivateKey
 }
 
 func (u *User) GetEmail() string {
@@ -21,5 +21,5 @@ func (u *User) GetRegistration() *registration.Resource {
 }
 
 func (u *User) GetPrivateKey() crypto.PrivateKey {
-	return u.key
+	return u.Key
 }

internal/common/constants.go

@@ -1,10 +1,47 @@
 package common
 
-import "time"
+import (
+	"time"
+)
+
+// file, folder structure
+
+const (
+	DotEnvPath        = ".env"
+	DotEnvExamplePath = ".env.example"
+
+	ConfigBasePath        = "config"
+	ConfigFileName        = "config.yml"
+	ConfigExampleFileName = "config.example.yml"
+	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
+
+	DataDir           = "data"
+	IconListCachePath = DataDir + "/.icon_list_cache.json"
+
+	NamespaceHomepageOverrides = ".homepage"
+	NamespaceIconCache         = ".icon_cache"
+
+	MiddlewareComposeBasePath = ConfigBasePath + "/middlewares"
+
+	ComposeFileName        = "compose.yml"
+	ComposeExampleFileName = "compose.example.yml"
+	ErrorPagesBasePath     = "error_pages"
+)
+
+var RequiredDirectories = []string{
+	ConfigBasePath,
+	DataDir,
+	ErrorPagesBasePath,
+	MiddlewareComposeBasePath,
+}
 
 const DockerHostFromEnv = "$DOCKER_HOST"
 
 const (
 	HealthCheckIntervalDefault = 5 * time.Second
 	HealthCheckTimeoutDefault  = 5 * time.Second
+
+	WakeTimeoutDefault = "3m"
+	StopTimeoutDefault = "3m"
+	StopMethodDefault  = "stop"
 )

internal/common/crypto.go

@@ -13,7 +13,7 @@ func decodeJWTKey(key string) []byte {
 	}
 	bytes, err := base64.StdEncoding.DecodeString(key)
 	if err != nil {
-		log.Panic().Err(err).Msg("failed to decode jwt key")
+		log.Fatal().Str("key", key).Err(err).Msg("failed to decode secret")
 	}
 	return bytes
 }
@@ -22,7 +22,7 @@ func RandomJWTKey() []byte {
 	key := make([]byte, 32)
 	_, err := rand.Read(key)
 	if err != nil {
-		log.Panic().Err(err).Msg("failed to generate random jwt key")
+		log.Fatal().Err(err).Msg("failed to generate random jwt key")
 	}
 	return key
 }

internal/common/env.go

@@ -19,8 +19,6 @@ var (
 	IsDebug = GetEnvBool("DEBUG", IsTest)
 	IsTrace = GetEnvBool("TRACE", false) && IsDebug
 
-	RootDir = GetEnvString("ROOT_DIR", "./")
-
 	HTTP3Enabled = GetEnvBool("HTTP3_ENABLED", true)
 
 	ProxyHTTPAddr,
@@ -38,11 +36,9 @@ var (
 	APIHTTPPort,
 	APIHTTPURL = GetAddrEnv("API_ADDR", "127.0.0.1:8888", "http")
 
-	PrometheusEnabled = GetEnvBool("PROMETHEUS_ENABLED", false)
-
 	APIJWTSecure   = GetEnvBool("API_JWT_SECURE", true)
 	APIJWTSecret   = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
-	APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
+	APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", 24*time.Hour)
 	APIUser        = GetEnvString("API_USER", "admin")
 	APIPassword    = GetEnvString("API_PASSWORD", "password")
 
@@ -52,8 +48,7 @@ var (
 	OIDCIssuerURL     = GetEnvString("OIDC_ISSUER_URL", "")
 	OIDCClientID      = GetEnvString("OIDC_CLIENT_ID", "")
 	OIDCClientSecret  = GetEnvString("OIDC_CLIENT_SECRET", "")
-	OIDCRedirectURL   = GetEnvString("OIDC_REDIRECT_URL", "")
-	OIDCScopes        = GetEnvString("OIDC_SCOPES", "openid, profile, email")
+	OIDCScopes        = GetCommaSepEnv("OIDC_SCOPES", "openid, profile, email, groups")
 	OIDCAllowedUsers  = GetCommaSepEnv("OIDC_ALLOWED_USERS", "")
 	OIDCAllowedGroups = GetCommaSepEnv("OIDC_ALLOWED_GROUPS", "")
 
@@ -63,6 +58,8 @@ var (
 	MetricsDisableDisk    = GetEnvBool("METRICS_DISABLE_DISK", false)
 	MetricsDisableNetwork = GetEnvBool("METRICS_DISABLE_NETWORK", false)
 	MetricsDisableSensors = GetEnvBool("METRICS_DISABLE_SENSORS", false)
+
+	ForceResolveCountry = GetEnvBool("FORCE_RESOLVE_COUNTRY", false)
 )
 
 func GetEnv[T any](key string, defaultValue T, parser func(string) (T, error)) T {

internal/common/paths.go

@@ -1,33 +0,0 @@
-package common
-
-import (
-	"path/filepath"
-)
-
-// file, folder structure
-
-var (
-	ConfigDir             = filepath.Join(RootDir, "config")
-	ConfigFileName        = "config.yml"
-	ConfigExampleFileName = "config.example.yml"
-	ConfigPath            = filepath.Join(ConfigDir, ConfigFileName)
-
-	MiddlewareComposeDir = filepath.Join(ConfigDir, "middlewares")
-	ErrorPagesDir        = filepath.Join(RootDir, "error_pages")
-	CertsDir             = filepath.Join(RootDir, "certs")
-
-	DataDir        = filepath.Join(RootDir, "data")
-	MetricsDataDir = filepath.Join(DataDir, "metrics")
-
-	HomepageJSONConfigPath = filepath.Join(DataDir, "homepage.json")
-	IconListCachePath      = filepath.Join(DataDir, "icon_list_cache.json")
-	IconCachePath          = filepath.Join(DataDir, "icon_cache.json")
-)
-
-var RequiredDirectories = []string{
-	ConfigDir,
-	ErrorPagesDir,
-	MiddlewareComposeDir,
-	DataDir,
-	MetricsDataDir,
-}

internal/config/agent_pool.go

@@ -0,0 +1,66 @@
+package config
+
+import (
+	"slices"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/route/provider"
+	"github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+var agentPool = functional.NewMapOf[string, *agent.AgentConfig]()
+
+func addAgent(agent *agent.AgentConfig) {
+	agentPool.Store(agent.Addr, agent)
+}
+
+func removeAllAgents() {
+	agentPool.Clear()
+}
+
+func GetAgent(addr string) (agent *agent.AgentConfig, ok bool) {
+	agent, ok = agentPool.Load(addr)
+	return
+}
+
+func (cfg *Config) GetAgent(agentAddrOrDockerHost string) (*agent.AgentConfig, bool) {
+	if !agent.IsDockerHostAgent(agentAddrOrDockerHost) {
+		return GetAgent(agentAddrOrDockerHost)
+	}
+	return GetAgent(agent.GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
+}
+
+func (cfg *Config) VerifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair) (int, gperr.Error) {
+	if slices.ContainsFunc(cfg.value.Providers.Agents, func(a *agent.AgentConfig) bool {
+		return a.Addr == host
+	}) {
+		return 0, gperr.New("agent already exists")
+	}
+
+	var agentCfg agent.AgentConfig
+	agentCfg.Addr = host
+	err := agentCfg.StartWithCerts(cfg.Task(), ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to start agent")
+	}
+	addAgent(&agentCfg)
+
+	provider := provider.NewAgentProvider(&agentCfg)
+	if err := cfg.errIfExists(provider); err != nil {
+		return 0, err
+	}
+	err = provider.LoadRoutes()
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to load routes")
+	}
+	return provider.NumRoutes(), nil
+}
+
+func (cfg *Config) ListAgents() []*agent.AgentConfig {
+	agents := make([]*agent.AgentConfig, 0, agentPool.Size())
+	agentPool.RangeAll(func(key string, value *agent.AgentConfig) {
+		agents = append(agents, value)
+	})
+	return agents
+}

internal/config/config.go

@@ -9,14 +9,15 @@ import (
 	"sync"
 	"time"
 
-	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal/api"
-	"github.com/yusing/go-proxy/internal/autocert"
+	autocert "github.com/yusing/go-proxy/internal/autocert"
 	"github.com/yusing/go-proxy/internal/common"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/entrypoint"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/maxmind"
 	"github.com/yusing/go-proxy/internal/net/gphttp/server"
 	"github.com/yusing/go-proxy/internal/notif"
 	"github.com/yusing/go-proxy/internal/proxmox"
@@ -24,6 +25,7 @@ import (
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
 	F "github.com/yusing/go-proxy/internal/utils/functional"
+	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
 	"github.com/yusing/go-proxy/internal/watcher"
 	"github.com/yusing/go-proxy/internal/watcher/events"
 )
@@ -53,8 +55,6 @@ You may run "ls-config" to show or dump the current config.`
 
 var Validate = config.Validate
 
-var ErrProviderNameConflict = gperr.New("provider name conflict")
-
 func newConfig() *Config {
 	return &Config{
 		value:      config.DefaultConfig(),
@@ -84,7 +84,9 @@ func WatchChanges() {
 		t,
 		configEventFlushInterval,
 		OnConfigChange,
-		onReloadError,
+		func(err gperr.Error) {
+			gperr.LogError("config reload error", err)
+		},
 	)
 	eventQueue.Start(cfgWatcher.Events(t.Context()))
 }
@@ -107,10 +109,6 @@ func OnConfigChange(ev []events.Event) {
 	}
 }
 
-func onReloadError(err gperr.Error) {
-	logging.Error().Msgf("config reload error: %s", err)
-}
-
 func Reload() gperr.Error {
 	// avoid race between config change and API reload request
 	reloadMu.Lock()
@@ -120,7 +118,7 @@ func Reload() gperr.Error {
 	err := newCfg.load()
 	if err != nil {
 		newCfg.task.Finish(err)
-		return gperr.New("using last config").With(err)
+		return gperr.New(ansi.Warning("using last config")).With(err)
 	}
 
 	// cancel all current subtasks -> wait
@@ -203,6 +201,7 @@ func (cfg *Config) StartServers(opts ...*StartServersOptions) {
 			HTTPAddr:     common.ProxyHTTPAddr,
 			HTTPSAddr:    common.ProxyHTTPSAddr,
 			Handler:      cfg.entrypoint,
+			ACL:          cfg.value.ACL,
 		})
 	}
 	if opt.API {
@@ -216,23 +215,26 @@ func (cfg *Config) StartServers(opts ...*StartServersOptions) {
 }
 
 func (cfg *Config) load() gperr.Error {
+	const errMsg = "config load error"
+
 	data, err := os.ReadFile(common.ConfigPath)
 	if err != nil {
-		gperr.LogFatal("error reading config", err)
+		gperr.LogFatal(errMsg, err)
 	}
 
 	model := config.DefaultConfig()
 	if err := utils.UnmarshalValidateYAML(data, model); err != nil {
-		gperr.LogFatal("error unmarshalling config", err)
+		gperr.LogFatal(errMsg, err)
 	}
 
 	// errors are non fatal below
-	errs := gperr.NewBuilder()
+	errs := gperr.NewBuilder(errMsg)
 	errs.Add(cfg.entrypoint.SetMiddlewares(model.Entrypoint.Middlewares))
 	errs.Add(cfg.entrypoint.SetAccessLogger(cfg.task, model.Entrypoint.AccessLog))
+	errs.Add(cfg.initMaxMind(model.Providers.MaxMind))
 	cfg.initNotification(model.Providers.Notification)
-	errs.Add(cfg.initProxmox(model.Providers.Proxmox))
 	errs.Add(cfg.initAutoCert(model.AutoCert))
+	errs.Add(cfg.initProxmox(model.Providers.Proxmox))
 	errs.Add(cfg.loadRouteProviders(&model.Providers))
 
 	cfg.value = model
@@ -242,8 +244,31 @@ func (cfg *Config) load() gperr.Error {
 		}
 	}
 	cfg.entrypoint.SetFindRouteDomains(model.MatchDomains)
+	if model.ACL.Valid() {
+		err := model.ACL.Start(cfg.task)
+		if err != nil {
+			errs.Add(err)
+		} else {
+			logging.Info().Msg("ACL started")
+		}
+	}
 
-	return errs.Error()
+	if errs.HasError() {
+		notif.Notify(&notif.LogMessage{
+			Level: zerolog.ErrorLevel,
+			Title: "Config Reload Error",
+			Body:  notif.ErrorBody{Error: errs.Error()},
+		})
+		return errs.Error()
+	}
+	return nil
+}
+
+func (cfg *Config) initMaxMind(maxmindCfg *maxmind.Config) gperr.Error {
+	if maxmindCfg != nil {
+		return maxmind.SetInstance(cfg.task, maxmindCfg)
+	}
+	return nil
 }
 
 func (cfg *Config) initNotification(notifCfg []notif.NotificationConfig) {
@@ -256,92 +281,86 @@ func (cfg *Config) initNotification(notifCfg []notif.NotificationConfig) {
 	}
 }
 
-func (cfg *Config) initProxmox(proxmoxCfgs []proxmox.Config) (err gperr.Error) {
-	errs := gperr.NewBuilder("proxmox config errors")
-	for _, proxmoxCfg := range proxmoxCfgs {
-		if err := proxmoxCfg.Init(); err != nil {
-			errs.Add(err.Subject(proxmoxCfg.URL))
-		} else {
-			proxmox.Clients.Add(proxmoxCfg.Client())
+func (cfg *Config) initAutoCert(autocertCfg *autocert.Config) gperr.Error {
+	if cfg.autocertProvider != nil {
+		return nil
+	}
+
+	if autocertCfg == nil {
+		autocertCfg = new(autocert.Config)
+	}
+
+	user, legoCfg, err := autocertCfg.GetLegoConfig()
+	if err != nil {
+		return err
+	}
+
+	cfg.autocertProvider = autocert.NewProvider(autocertCfg, user, legoCfg)
+	return nil
+}
+
+func (cfg *Config) initProxmox(proxmoxCfg []proxmox.Config) gperr.Error {
+	proxmox.Clients.Clear()
+	var errs = gperr.NewBuilder()
+	for _, cfg := range proxmoxCfg {
+		if err := cfg.Init(); err != nil {
+			errs.Add(err.Subject(cfg.URL))
 		}
 	}
 	return errs.Error()
 }
 
-func (cfg *Config) initAutoCert(autocertCfg *autocert.AutocertConfig) (err gperr.Error) {
-	if cfg.autocertProvider != nil {
-		return
-	}
-
-	cfg.autocertProvider, err = autocertCfg.GetProvider()
-	return
-}
-
 func (cfg *Config) errIfExists(p *proxy.Provider) gperr.Error {
-	if conflict, ok := cfg.providers.Load(p.String()); ok {
-		return ErrProviderNameConflict.
-			Subject(p.String()).
-			Withf("one is %q", conflict.Type()).
-			Withf("the other is %q", p.Type())
+	if _, ok := cfg.providers.Load(p.String()); ok {
+		return gperr.Errorf("provider %s already exists", p.String())
 	}
 	return nil
 }
 
-func (cfg *Config) initAgents(agentCfgs []*agent.AgentConfig) gperr.Error {
-	var wg sync.WaitGroup
-
-	errs := gperr.NewBuilderWithConcurrency()
-	wg.Add(len(agentCfgs))
-	for _, agentCfg := range agentCfgs {
-		go func(agentCfg *agent.AgentConfig) {
-			defer wg.Done()
-			if err := agentCfg.Init(cfg.task.Context()); err != nil {
-				errs.Add(err.Subject(agentCfg.String()))
-			} else {
-				agent.Agents.Add(agentCfg)
-			}
-		}(agentCfg)
-	}
-	wg.Wait()
-	return errs.Error()
+func (cfg *Config) storeProvider(p *proxy.Provider) {
+	cfg.providers.Store(p.String(), p)
 }
 
 func (cfg *Config) loadRouteProviders(providers *config.Providers) gperr.Error {
 	errs := gperr.NewBuilder("route provider errors")
 	results := gperr.NewBuilder("loaded route providers")
 
-	agent.Agents.Clear()
+	removeAllAgents()
 
-	n := len(providers.Agents) + len(providers.Docker) + len(providers.Files)
-	if n == 0 {
-		return nil
-	}
-
-	routeProviders := make([]*proxy.Provider, 0, n)
-
-	errs.Add(cfg.initAgents(providers.Agents))
-
-	for _, a := range providers.Agents {
-		if !a.IsInitialized() { // failed to initialize
+	for _, agent := range providers.Agents {
+		if err := agent.Start(cfg.task); err != nil {
+			errs.Add(err.Subject(agent.String()))
 			continue
 		}
-		agent.Agents.Add(a)
-		routeProviders = append(routeProviders, proxy.NewAgentProvider(a))
+		addAgent(agent)
+		p := proxy.NewAgentProvider(agent)
+		if err := cfg.errIfExists(p); err != nil {
+			errs.Add(err.Subject(p.String()))
+			continue
+		}
+		cfg.storeProvider(p)
 	}
 	for _, filename := range providers.Files {
-		routeProviders = append(routeProviders, proxy.NewFileProvider(filename))
-	}
-	for name, dockerHost := range providers.Docker {
-		routeProviders = append(routeProviders, proxy.NewDockerProvider(name, dockerHost))
-	}
-
-	// check if all providers are unique (should not happen but just in case)
-	for _, p := range routeProviders {
-		if err := cfg.errIfExists(p); err != nil {
-			errs.Add(err)
+		p, err := proxy.NewFileProvider(filename)
+		if err == nil {
+			err = cfg.errIfExists(p)
+		}
+		if err != nil {
+			errs.Add(gperr.PrependSubject(filename, err))
 			continue
 		}
-		cfg.providers.Store(p.String(), p)
+		cfg.storeProvider(p)
+	}
+	for name, dockerHost := range providers.Docker {
+		p := proxy.NewDockerProvider(name, dockerHost)
+		if err := cfg.errIfExists(p); err != nil {
+			errs.Add(err.Subject(p.String()))
+			continue
+		}
+		cfg.storeProvider(p)
+	}
+	if cfg.providers.Size() == 0 {
+		return nil
 	}
 
 	lenLongestName := 0
@@ -350,7 +369,6 @@ func (cfg *Config) loadRouteProviders(providers *config.Providers) gperr.Error {
 			lenLongestName = len(k)
 		}
 	})
-	errs.EnableConcurrency()
 	results.EnableConcurrency()
 	cfg.providers.RangeAllParallel(func(_ string, p *proxy.Provider) {
 		if err := p.LoadRoutes(); err != nil {

internal/config/config_test.go

@@ -1,202 +0,0 @@
-package config
-
-import (
-	"os"
-	"path"
-	"testing"
-
-	"github.com/goccy/go-yaml"
-	"github.com/stretchr/testify/assert"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/route/provider"
-	"github.com/yusing/go-proxy/internal/utils"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-)
-
-func TestFileProviderValidate(t *testing.T) {
-	tests := []struct {
-		name                  string
-		filenames             []string
-		init, cleanup         func(filepath string) error
-		expectedErrorContains string
-	}{
-		{
-			name:                  "file not exists",
-			filenames:             []string{"not_exists.yaml"},
-			expectedErrorContains: "config_file_exists",
-		},
-		{
-			name:                  "file is a directory",
-			filenames:             []string{"testdata"},
-			expectedErrorContains: "config_file_exists",
-		},
-		{
-			name:                  "same file exists multiple times",
-			filenames:             []string{"test.yml", "test.yml"},
-			expectedErrorContains: "unique",
-		},
-		{
-			name:      "file ok",
-			filenames: []string{"routes.yaml"},
-			init: func(filepath string) error {
-				os.MkdirAll(path.Dir(filepath), 0755)
-				_, err := os.Create(filepath)
-				return err
-			},
-			cleanup: func(filepath string) error {
-				return os.RemoveAll(path.Dir(filepath))
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cfg := config.DefaultConfig()
-			if tt.init != nil {
-				for _, filename := range tt.filenames {
-					filepath := path.Join(common.ConfigDir, filename)
-					assert.NoError(t, tt.init(filepath))
-				}
-			}
-			err := utils.UnmarshalValidateYAML(Must(yaml.Marshal(map[string]any{
-				"providers": map[string]any{
-					"include": tt.filenames,
-				},
-			})), cfg)
-			if tt.cleanup != nil {
-				for _, filename := range tt.filenames {
-					filepath := path.Join(common.ConfigDir, filename)
-					assert.NoError(t, tt.cleanup(filepath))
-				}
-			}
-			if tt.expectedErrorContains != "" {
-				assert.ErrorContains(t, err, tt.expectedErrorContains)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestLoadRouteProviders(t *testing.T) {
-	tests := []struct {
-		name          string
-		providers     *config.Providers
-		expectedError bool
-	}{
-		{
-			name: "duplicate file provider",
-			providers: &config.Providers{
-				Files: []string{"routes.yaml", "routes.yaml"},
-			},
-			expectedError: true,
-		},
-		{
-			name: "duplicate docker provider",
-			providers: &config.Providers{
-				Docker: map[string]string{
-					"docker1": "unix:///var/run/docker.sock",
-					"docker2": "unix:///var/run/docker.sock",
-				},
-			},
-			expectedError: true,
-		},
-		{
-			name: "docker provider with different hosts",
-			providers: &config.Providers{
-				Docker: map[string]string{
-					"docker1": "unix:///var/run/docker1.sock",
-					"docker2": "unix:///var/run/docker2.sock",
-				},
-			},
-			expectedError: false,
-		},
-		{
-			name: "duplicate agent addresses",
-			providers: &config.Providers{
-				Agents: []*agent.AgentConfig{
-					{Addr: "192.168.1.100:8080"},
-					{Addr: "192.168.1.100:8080"},
-				},
-			},
-			expectedError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := utils.Validate(tt.providers)
-			if tt.expectedError {
-				assert.ErrorContains(t, err, "unique")
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestProviderNameUniqueness(t *testing.T) {
-	file := provider.NewFileProvider("routes.yaml")
-	docker := provider.NewDockerProvider("routes", "unix:///var/run/docker.sock")
-	agent := provider.NewAgentProvider(agent.TestAgentConfig("routes", "192.168.1.100:8080"))
-
-	assert.True(t, file.String() != docker.String())
-	assert.True(t, file.String() != agent.String())
-	assert.True(t, docker.String() != agent.String())
-}
-
-func TestFileProviderNameFromFilename(t *testing.T) {
-	tests := []struct {
-		filename     string
-		expectedName string
-	}{
-		{"routes.yaml", "routes"},
-		{"service.yml", "service"},
-		{"complex-name.yaml", "complex-name"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.filename, func(t *testing.T) {
-			p := provider.NewFileProvider(tt.filename)
-			assert.Equal(t, tt.expectedName, p.ShortName())
-		})
-	}
-}
-
-func TestDockerProviderString(t *testing.T) {
-	tests := []struct {
-		name       string
-		dockerHost string
-		expected   string
-	}{
-		{"docker1", "unix:///var/run/docker.sock", "docker@docker1"},
-		{"host2", "tcp://192.168.1.100:2375", "docker@host2"},
-		{"explicit!", "unix:///var/run/docker.sock", "docker@explicit!"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			p := provider.NewDockerProvider(tt.name, tt.dockerHost)
-			assert.Equal(t, tt.expected, p.String())
-		})
-	}
-}
-
-func TestExplicitOnlyProvider(t *testing.T) {
-	tests := []struct {
-		name         string
-		expectedFlag bool
-	}{
-		{"docker", false},
-		{"explicit!", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			p := provider.NewDockerProvider(tt.name, "unix:///var/run/docker.sock")
-			assert.Equal(t, tt.expectedFlag, p.IsExplicitOnly())
-		})
-	}
-}

internal/config/query.go

@@ -1,10 +1,6 @@
 package config
 
 import (
-	"slices"
-
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/route"
 	"github.com/yusing/go-proxy/internal/route/provider"
 )
@@ -55,32 +51,3 @@ func (cfg *Config) Statistics() map[string]any {
 		"providers":       providerStats,
 	}
 }
-
-func (cfg *Config) VerifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair) (int, gperr.Error) {
-	if slices.ContainsFunc(cfg.value.Providers.Agents, func(a *agent.AgentConfig) bool {
-		return a.Addr == host
-	}) {
-		return 0, gperr.New("agent already exists")
-	}
-
-	agentCfg := new(agent.AgentConfig)
-	agentCfg.Addr = host
-	err := agentCfg.InitWithCerts(cfg.task.Context(), ca.Cert, client.Cert, client.Key)
-	if err != nil {
-		return 0, gperr.Wrap(err, "failed to start agent")
-	}
-	// must add it first to let LoadRoutes() reference from it
-	agent.Agents.Add(agentCfg)
-
-	provider := provider.NewAgentProvider(agentCfg)
-	if err := cfg.errIfExists(provider); err != nil {
-		agent.Agents.Del(agentCfg)
-		return 0, err
-	}
-	err = provider.LoadRoutes()
-	if err != nil {
-		agent.Agents.Del(agentCfg)
-		return 0, gperr.Wrap(err, "failed to load routes")
-	}
-	return provider.NumRoutes(), nil
-}

internal/config/types/config.go

@@ -2,17 +2,16 @@ package config
 
 import (
 	"context"
-	"os"
-	"path"
 	"regexp"
 	"sync"
 
 	"github.com/go-playground/validator/v10"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/internal/acl"
 	"github.com/yusing/go-proxy/internal/autocert"
-	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/accesslog"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
+	maxmind "github.com/yusing/go-proxy/internal/maxmind/types"
 	"github.com/yusing/go-proxy/internal/notif"
 	"github.com/yusing/go-proxy/internal/proxmox"
 	"github.com/yusing/go-proxy/internal/utils"
@@ -20,23 +19,28 @@ import (
 
 type (
 	Config struct {
-		AutoCert        *autocert.AutocertConfig `json:"autocert"`
-		Entrypoint      Entrypoint               `json:"entrypoint"`
-		Providers       Providers                `json:"providers"`
-		MatchDomains    []string                 `json:"match_domains" validate:"domain_name"`
-		Homepage        HomepageConfig           `json:"homepage"`
-		TimeoutShutdown int                      `json:"timeout_shutdown" validate:"gte=0"`
+		ACL             *acl.Config      `json:"acl"`
+		AutoCert        *autocert.Config `json:"autocert"`
+		Entrypoint      Entrypoint       `json:"entrypoint"`
+		Providers       Providers        `json:"providers"`
+		MatchDomains    []string         `json:"match_domains" validate:"domain_name"`
+		Homepage        HomepageConfig   `json:"homepage"`
+		TimeoutShutdown int              `json:"timeout_shutdown" validate:"gte=0"`
 	}
 	Providers struct {
-		Files        []string                   `json:"include" validate:"unique,dive,config_file_exists"`
-		Docker       map[string]string          `json:"docker" validate:"unique,dive,unix_addr|url"`
-		Proxmox      []proxmox.Config           `json:"proxmox"`
-		Agents       []*agent.AgentConfig       `json:"agents" validate:"unique=Addr"`
-		Notification []notif.NotificationConfig `json:"notification" validate:"unique=ProviderName"`
+		Files        []string                   `json:"include" yaml:"include,omitempty" validate:"dive,filepath"`
+		Docker       map[string]string          `json:"docker" yaml:"docker,omitempty" validate:"non_empty_docker_keys,dive,unix_addr|url"`
+		Agents       []*agent.AgentConfig       `json:"agents" yaml:"agents,omitempty"`
+		Notification []notif.NotificationConfig `json:"notification" yaml:"notification,omitempty"`
+		Proxmox      []proxmox.Config           `json:"proxmox" yaml:"proxmox,omitempty"`
+		MaxMind      *maxmind.Config            `json:"maxmind" yaml:"maxmind,omitempty"`
 	}
 	Entrypoint struct {
-		Middlewares []map[string]any  `json:"middlewares"`
-		AccessLog   *accesslog.Config `json:"access_log" validate:"omitempty"`
+		Middlewares []map[string]any               `json:"middlewares"`
+		AccessLog   *accesslog.RequestLoggerConfig `json:"access_log" validate:"omitempty"`
+	}
+	HomepageConfig struct {
+		UseDefaultCategories bool `json:"use_default_categories"`
 	}
 
 	ConfigInstance interface {
@@ -45,7 +49,9 @@ type (
 		Statistics() map[string]any
 		RouteProviderList() []string
 		Context() context.Context
+		GetAgent(agentAddrOrDockerHost string) (*agent.AgentConfig, bool)
 		VerifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair) (int, gperr.Error)
+		ListAgents() []*agent.AgentConfig
 		AutoCertProvider() *autocert.Provider
 	}
 )
@@ -100,9 +106,13 @@ func init() {
 		}
 		return true
 	})
-	utils.MustRegisterValidation("config_file_exists", func(fl validator.FieldLevel) bool {
-		filename := fl.Field().Interface().(string)
-		info, err := os.Stat(path.Join(common.ConfigDir, filename))
-		return err == nil && !info.IsDir()
+	utils.MustRegisterValidation("non_empty_docker_keys", func(fl validator.FieldLevel) bool {
+		m := fl.Field().Interface().(map[string]string)
+		for k := range m {
+			if k == "" {
+				return false
+			}
+		}
+		return true
 	})
 }

internal/config/types/homepage_config.go

@@ -1,5 +0,0 @@
-package config
-
-type HomepageConfig struct {
-	UseDefaultCategories bool `json:"use_default_categories"`
-}

internal/dnsproviders/dummy.go

@@ -1,4 +1,4 @@
-package autocert
+package dnsproviders
 
 type DummyConfig struct{}
 type DummyProvider struct{}

internal/dnsproviders/gen.py

@@ -0,0 +1,55 @@
+import requests
+import os
+
+class Entry:
+  def __init__(self, name: str, type: str, **kwargs) -> None:
+    self.name = name
+    self.type = type
+  
+url = "https://api.github.com/repos/go-acme/lego/contents/providers/dns"
+response = requests.get(url)
+data: list[Entry] = [Entry(**i) for i in response.json()]
+
+header = "//go:generate /usr/bin/python3 gen.py\n\npackage dnsproviders\n\n"
+names: list[str] = [
+  "Local = \"local\"",
+  "Pseudo = \"pseudo\"",
+]
+imports: list[str] = [
+  "\"github.com/yusing/go-proxy/internal/autocert\""
+]
+genMap: list[str] = [
+  "autocert.Providers[Local] = autocert.DNSProvider(NewDummyDefaultConfig, NewDummyDNSProviderConfig)",
+  "autocert.Providers[Pseudo] = autocert.DNSProvider(NewDummyDefaultConfig, NewDummyDNSProviderConfig)",
+]
+
+blacklists = [
+  "internal",
+  # deprecated 
+  "azure",
+  "brandit",
+  "cloudxns",
+  "dnspod",
+  "mythicbeasts", 
+  "yandexcloud"
+]
+
+for item in data:
+    if item.type != "dir" or item.name in blacklists:
+      continue
+    imports.append(f"\"github.com/go-acme/lego/v4/providers/dns/{item.name}\"")
+    genMap.append(f"autocert.Providers[\"{item.name}\"] = autocert.DNSProvider({item.name}.NewDefaultConfig, {item.name}.NewDNSProviderConfig)")
+    
+with open("providers.go", "w") as f:
+  f.write(header)
+  f.write("import (\n")
+  f.write("\n".join(imports))
+  f.write("\n)\n\n")
+  f.write("const (\n")
+  f.write("\n".join(names))
+  f.write("\n)\n\n")
+  f.write("func InitProviders() {\n")
+  f.write("\n".join(genMap))
+  f.write("\n}\n\n")
+  
+os.execvp("go", ["go", "fmt", "providers.go"])

internal/dnsproviders/go.mod

@@ -0,0 +1,194 @@
+module github.com/yusing/go-proxy/internal/dnsproviders
+
+go 1.24.2
+
+replace github.com/yusing/go-proxy => ../..
+
+require (
+	github.com/go-acme/lego/v4 v4.23.1
+	github.com/yusing/go-proxy v0.0.0-00010101000000-000000000000
+)
+
+require (
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.106 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.224 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/civo/civogo v0.3.98 // indirect
+	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.14 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.26.0 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.17.1 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gophercloud/gophercloud v1.14.1 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.146 // indirect
+	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.9.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
+	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
+	github.com/labbsr0x/goh v1.0.1 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/linode/linodego v1.49.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
+	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
+	github.com/nrdcg/desec v0.11.0 // indirect
+	github.com/nrdcg/freemyip v0.3.0 // indirect
+	github.com/nrdcg/goacmedns v0.2.0 // indirect
+	github.com/nrdcg/goinwx v0.11.0 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/namesilo v0.2.1 // indirect
+	github.com/nrdcg/nodion v0.1.0 // indirect
+	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/nzdjb/go-metaname v1.0.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.89.2 // indirect
+	github.com/ovh/go-ovh v1.7.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/peterhellberg/link v1.2.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
+	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
+	github.com/rs/zerolog v1.34.0 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.9 // indirect
+	github.com/sacloud/iaas-api-go v1.14.0 // indirect
+	github.com/sacloud/packages-go v0.0.11 // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
+	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
+	github.com/softlayer/softlayer-go v1.1.7 // indirect
+	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.14.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1150 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/transip/gotransip/v6 v6.26.0 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
+	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.205 // indirect
+	github.com/vultr/govultr/v3 v3.19.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	go.mongodb.org/mongo-driver v1.17.3 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/api v0.230.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.33.0 // indirect
+	k8s.io/apimachinery v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)

internal/dnsproviders/providers.go

@@ -0,0 +1,309 @@
+//go:generate /usr/bin/python3 gen.py
+
+package dnsproviders
+
+import (
+	"github.com/go-acme/lego/v4/providers/dns/acmedns"
+	"github.com/go-acme/lego/v4/providers/dns/active24"
+	"github.com/go-acme/lego/v4/providers/dns/alidns"
+	"github.com/go-acme/lego/v4/providers/dns/allinkl"
+	"github.com/go-acme/lego/v4/providers/dns/arvancloud"
+	"github.com/go-acme/lego/v4/providers/dns/auroradns"
+	"github.com/go-acme/lego/v4/providers/dns/autodns"
+	"github.com/go-acme/lego/v4/providers/dns/axelname"
+	"github.com/go-acme/lego/v4/providers/dns/azuredns"
+	"github.com/go-acme/lego/v4/providers/dns/baiducloud"
+	"github.com/go-acme/lego/v4/providers/dns/bindman"
+	"github.com/go-acme/lego/v4/providers/dns/bluecat"
+	"github.com/go-acme/lego/v4/providers/dns/bookmyname"
+	"github.com/go-acme/lego/v4/providers/dns/bunny"
+	"github.com/go-acme/lego/v4/providers/dns/checkdomain"
+	"github.com/go-acme/lego/v4/providers/dns/civo"
+	"github.com/go-acme/lego/v4/providers/dns/clouddns"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/providers/dns/cloudns"
+	"github.com/go-acme/lego/v4/providers/dns/cloudru"
+	"github.com/go-acme/lego/v4/providers/dns/conoha"
+	"github.com/go-acme/lego/v4/providers/dns/constellix"
+	"github.com/go-acme/lego/v4/providers/dns/corenetworks"
+	"github.com/go-acme/lego/v4/providers/dns/cpanel"
+	"github.com/go-acme/lego/v4/providers/dns/derak"
+	"github.com/go-acme/lego/v4/providers/dns/desec"
+	"github.com/go-acme/lego/v4/providers/dns/designate"
+	"github.com/go-acme/lego/v4/providers/dns/digitalocean"
+	"github.com/go-acme/lego/v4/providers/dns/directadmin"
+	"github.com/go-acme/lego/v4/providers/dns/dnshomede"
+	"github.com/go-acme/lego/v4/providers/dns/dnsimple"
+	"github.com/go-acme/lego/v4/providers/dns/dnsmadeeasy"
+	"github.com/go-acme/lego/v4/providers/dns/dode"
+	"github.com/go-acme/lego/v4/providers/dns/domeneshop"
+	"github.com/go-acme/lego/v4/providers/dns/dreamhost"
+	"github.com/go-acme/lego/v4/providers/dns/duckdns"
+	"github.com/go-acme/lego/v4/providers/dns/dyn"
+	"github.com/go-acme/lego/v4/providers/dns/dynu"
+	"github.com/go-acme/lego/v4/providers/dns/easydns"
+	"github.com/go-acme/lego/v4/providers/dns/edgedns"
+	"github.com/go-acme/lego/v4/providers/dns/efficientip"
+	"github.com/go-acme/lego/v4/providers/dns/epik"
+	"github.com/go-acme/lego/v4/providers/dns/exec"
+	"github.com/go-acme/lego/v4/providers/dns/exoscale"
+	"github.com/go-acme/lego/v4/providers/dns/f5xc"
+	"github.com/go-acme/lego/v4/providers/dns/freemyip"
+	"github.com/go-acme/lego/v4/providers/dns/gandi"
+	"github.com/go-acme/lego/v4/providers/dns/gandiv5"
+	"github.com/go-acme/lego/v4/providers/dns/gcloud"
+	"github.com/go-acme/lego/v4/providers/dns/gcore"
+	"github.com/go-acme/lego/v4/providers/dns/glesys"
+	"github.com/go-acme/lego/v4/providers/dns/godaddy"
+	"github.com/go-acme/lego/v4/providers/dns/googledomains"
+	"github.com/go-acme/lego/v4/providers/dns/hetzner"
+	"github.com/go-acme/lego/v4/providers/dns/hostingde"
+	"github.com/go-acme/lego/v4/providers/dns/hosttech"
+	"github.com/go-acme/lego/v4/providers/dns/httpnet"
+	"github.com/go-acme/lego/v4/providers/dns/httpreq"
+	"github.com/go-acme/lego/v4/providers/dns/huaweicloud"
+	"github.com/go-acme/lego/v4/providers/dns/hurricane"
+	"github.com/go-acme/lego/v4/providers/dns/hyperone"
+	"github.com/go-acme/lego/v4/providers/dns/ibmcloud"
+	"github.com/go-acme/lego/v4/providers/dns/iij"
+	"github.com/go-acme/lego/v4/providers/dns/iijdpf"
+	"github.com/go-acme/lego/v4/providers/dns/infoblox"
+	"github.com/go-acme/lego/v4/providers/dns/infomaniak"
+	"github.com/go-acme/lego/v4/providers/dns/internetbs"
+	"github.com/go-acme/lego/v4/providers/dns/inwx"
+	"github.com/go-acme/lego/v4/providers/dns/ionos"
+	"github.com/go-acme/lego/v4/providers/dns/ipv64"
+	"github.com/go-acme/lego/v4/providers/dns/iwantmyname"
+	"github.com/go-acme/lego/v4/providers/dns/joker"
+	"github.com/go-acme/lego/v4/providers/dns/liara"
+	"github.com/go-acme/lego/v4/providers/dns/lightsail"
+	"github.com/go-acme/lego/v4/providers/dns/limacity"
+	"github.com/go-acme/lego/v4/providers/dns/linode"
+	"github.com/go-acme/lego/v4/providers/dns/liquidweb"
+	"github.com/go-acme/lego/v4/providers/dns/loopia"
+	"github.com/go-acme/lego/v4/providers/dns/luadns"
+	"github.com/go-acme/lego/v4/providers/dns/mailinabox"
+	"github.com/go-acme/lego/v4/providers/dns/manageengine"
+	"github.com/go-acme/lego/v4/providers/dns/metaname"
+	"github.com/go-acme/lego/v4/providers/dns/metaregistrar"
+	"github.com/go-acme/lego/v4/providers/dns/mijnhost"
+	"github.com/go-acme/lego/v4/providers/dns/mittwald"
+	"github.com/go-acme/lego/v4/providers/dns/myaddr"
+	"github.com/go-acme/lego/v4/providers/dns/mydnsjp"
+	"github.com/go-acme/lego/v4/providers/dns/namecheap"
+	"github.com/go-acme/lego/v4/providers/dns/namedotcom"
+	"github.com/go-acme/lego/v4/providers/dns/namesilo"
+	"github.com/go-acme/lego/v4/providers/dns/nearlyfreespeech"
+	"github.com/go-acme/lego/v4/providers/dns/netcup"
+	"github.com/go-acme/lego/v4/providers/dns/netlify"
+	"github.com/go-acme/lego/v4/providers/dns/nicmanager"
+	"github.com/go-acme/lego/v4/providers/dns/nifcloud"
+	"github.com/go-acme/lego/v4/providers/dns/njalla"
+	"github.com/go-acme/lego/v4/providers/dns/nodion"
+	"github.com/go-acme/lego/v4/providers/dns/ns1"
+	"github.com/go-acme/lego/v4/providers/dns/oraclecloud"
+	"github.com/go-acme/lego/v4/providers/dns/otc"
+	"github.com/go-acme/lego/v4/providers/dns/ovh"
+	"github.com/go-acme/lego/v4/providers/dns/pdns"
+	"github.com/go-acme/lego/v4/providers/dns/plesk"
+	"github.com/go-acme/lego/v4/providers/dns/porkbun"
+	"github.com/go-acme/lego/v4/providers/dns/rackspace"
+	"github.com/go-acme/lego/v4/providers/dns/rainyun"
+	"github.com/go-acme/lego/v4/providers/dns/rcodezero"
+	"github.com/go-acme/lego/v4/providers/dns/regfish"
+	"github.com/go-acme/lego/v4/providers/dns/regru"
+	"github.com/go-acme/lego/v4/providers/dns/rfc2136"
+	"github.com/go-acme/lego/v4/providers/dns/rimuhosting"
+	"github.com/go-acme/lego/v4/providers/dns/route53"
+	"github.com/go-acme/lego/v4/providers/dns/safedns"
+	"github.com/go-acme/lego/v4/providers/dns/sakuracloud"
+	"github.com/go-acme/lego/v4/providers/dns/scaleway"
+	"github.com/go-acme/lego/v4/providers/dns/selectel"
+	"github.com/go-acme/lego/v4/providers/dns/selectelv2"
+	"github.com/go-acme/lego/v4/providers/dns/selfhostde"
+	"github.com/go-acme/lego/v4/providers/dns/servercow"
+	"github.com/go-acme/lego/v4/providers/dns/shellrent"
+	"github.com/go-acme/lego/v4/providers/dns/simply"
+	"github.com/go-acme/lego/v4/providers/dns/sonic"
+	"github.com/go-acme/lego/v4/providers/dns/spaceship"
+	"github.com/go-acme/lego/v4/providers/dns/stackpath"
+	"github.com/go-acme/lego/v4/providers/dns/technitium"
+	"github.com/go-acme/lego/v4/providers/dns/tencentcloud"
+	"github.com/go-acme/lego/v4/providers/dns/timewebcloud"
+	"github.com/go-acme/lego/v4/providers/dns/transip"
+	"github.com/go-acme/lego/v4/providers/dns/ultradns"
+	"github.com/go-acme/lego/v4/providers/dns/variomedia"
+	"github.com/go-acme/lego/v4/providers/dns/vegadns"
+	"github.com/go-acme/lego/v4/providers/dns/vercel"
+	"github.com/go-acme/lego/v4/providers/dns/versio"
+	"github.com/go-acme/lego/v4/providers/dns/vinyldns"
+	"github.com/go-acme/lego/v4/providers/dns/vkcloud"
+	"github.com/go-acme/lego/v4/providers/dns/volcengine"
+	"github.com/go-acme/lego/v4/providers/dns/vscale"
+	"github.com/go-acme/lego/v4/providers/dns/vultr"
+	"github.com/go-acme/lego/v4/providers/dns/webnames"
+	"github.com/go-acme/lego/v4/providers/dns/websupport"
+	"github.com/go-acme/lego/v4/providers/dns/wedos"
+	"github.com/go-acme/lego/v4/providers/dns/westcn"
+	"github.com/go-acme/lego/v4/providers/dns/yandex"
+	"github.com/go-acme/lego/v4/providers/dns/yandex360"
+	"github.com/go-acme/lego/v4/providers/dns/zoneee"
+	"github.com/go-acme/lego/v4/providers/dns/zonomi"
+	"github.com/yusing/go-proxy/internal/autocert"
+)
+
+const (
+	Local  = "local"
+	Pseudo = "pseudo"
+)
+
+func InitProviders() {
+	autocert.Providers[Local] = autocert.DNSProvider(NewDummyDefaultConfig, NewDummyDNSProviderConfig)
+	autocert.Providers[Pseudo] = autocert.DNSProvider(NewDummyDefaultConfig, NewDummyDNSProviderConfig)
+	autocert.Providers["acmedns"] = autocert.DNSProvider(acmedns.NewDefaultConfig, acmedns.NewDNSProviderConfig)
+	autocert.Providers["active24"] = autocert.DNSProvider(active24.NewDefaultConfig, active24.NewDNSProviderConfig)
+	autocert.Providers["alidns"] = autocert.DNSProvider(alidns.NewDefaultConfig, alidns.NewDNSProviderConfig)
+	autocert.Providers["allinkl"] = autocert.DNSProvider(allinkl.NewDefaultConfig, allinkl.NewDNSProviderConfig)
+	autocert.Providers["arvancloud"] = autocert.DNSProvider(arvancloud.NewDefaultConfig, arvancloud.NewDNSProviderConfig)
+	autocert.Providers["auroradns"] = autocert.DNSProvider(auroradns.NewDefaultConfig, auroradns.NewDNSProviderConfig)
+	autocert.Providers["autodns"] = autocert.DNSProvider(autodns.NewDefaultConfig, autodns.NewDNSProviderConfig)
+	autocert.Providers["axelname"] = autocert.DNSProvider(axelname.NewDefaultConfig, axelname.NewDNSProviderConfig)
+	autocert.Providers["azuredns"] = autocert.DNSProvider(azuredns.NewDefaultConfig, azuredns.NewDNSProviderConfig)
+	autocert.Providers["baiducloud"] = autocert.DNSProvider(baiducloud.NewDefaultConfig, baiducloud.NewDNSProviderConfig)
+	autocert.Providers["bindman"] = autocert.DNSProvider(bindman.NewDefaultConfig, bindman.NewDNSProviderConfig)
+	autocert.Providers["bluecat"] = autocert.DNSProvider(bluecat.NewDefaultConfig, bluecat.NewDNSProviderConfig)
+	autocert.Providers["bookmyname"] = autocert.DNSProvider(bookmyname.NewDefaultConfig, bookmyname.NewDNSProviderConfig)
+	autocert.Providers["bunny"] = autocert.DNSProvider(bunny.NewDefaultConfig, bunny.NewDNSProviderConfig)
+	autocert.Providers["checkdomain"] = autocert.DNSProvider(checkdomain.NewDefaultConfig, checkdomain.NewDNSProviderConfig)
+	autocert.Providers["civo"] = autocert.DNSProvider(civo.NewDefaultConfig, civo.NewDNSProviderConfig)
+	autocert.Providers["clouddns"] = autocert.DNSProvider(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig)
+	autocert.Providers["cloudflare"] = autocert.DNSProvider(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig)
+	autocert.Providers["cloudns"] = autocert.DNSProvider(cloudns.NewDefaultConfig, cloudns.NewDNSProviderConfig)
+	autocert.Providers["cloudru"] = autocert.DNSProvider(cloudru.NewDefaultConfig, cloudru.NewDNSProviderConfig)
+	autocert.Providers["conoha"] = autocert.DNSProvider(conoha.NewDefaultConfig, conoha.NewDNSProviderConfig)
+	autocert.Providers["constellix"] = autocert.DNSProvider(constellix.NewDefaultConfig, constellix.NewDNSProviderConfig)
+	autocert.Providers["corenetworks"] = autocert.DNSProvider(corenetworks.NewDefaultConfig, corenetworks.NewDNSProviderConfig)
+	autocert.Providers["cpanel"] = autocert.DNSProvider(cpanel.NewDefaultConfig, cpanel.NewDNSProviderConfig)
+	autocert.Providers["derak"] = autocert.DNSProvider(derak.NewDefaultConfig, derak.NewDNSProviderConfig)
+	autocert.Providers["desec"] = autocert.DNSProvider(desec.NewDefaultConfig, desec.NewDNSProviderConfig)
+	autocert.Providers["designate"] = autocert.DNSProvider(designate.NewDefaultConfig, designate.NewDNSProviderConfig)
+	autocert.Providers["digitalocean"] = autocert.DNSProvider(digitalocean.NewDefaultConfig, digitalocean.NewDNSProviderConfig)
+	autocert.Providers["directadmin"] = autocert.DNSProvider(directadmin.NewDefaultConfig, directadmin.NewDNSProviderConfig)
+	autocert.Providers["dnshomede"] = autocert.DNSProvider(dnshomede.NewDefaultConfig, dnshomede.NewDNSProviderConfig)
+	autocert.Providers["dnsimple"] = autocert.DNSProvider(dnsimple.NewDefaultConfig, dnsimple.NewDNSProviderConfig)
+	autocert.Providers["dnsmadeeasy"] = autocert.DNSProvider(dnsmadeeasy.NewDefaultConfig, dnsmadeeasy.NewDNSProviderConfig)
+	autocert.Providers["dode"] = autocert.DNSProvider(dode.NewDefaultConfig, dode.NewDNSProviderConfig)
+	autocert.Providers["domeneshop"] = autocert.DNSProvider(domeneshop.NewDefaultConfig, domeneshop.NewDNSProviderConfig)
+	autocert.Providers["dreamhost"] = autocert.DNSProvider(dreamhost.NewDefaultConfig, dreamhost.NewDNSProviderConfig)
+	autocert.Providers["duckdns"] = autocert.DNSProvider(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig)
+	autocert.Providers["dyn"] = autocert.DNSProvider(dyn.NewDefaultConfig, dyn.NewDNSProviderConfig)
+	autocert.Providers["dynu"] = autocert.DNSProvider(dynu.NewDefaultConfig, dynu.NewDNSProviderConfig)
+	autocert.Providers["easydns"] = autocert.DNSProvider(easydns.NewDefaultConfig, easydns.NewDNSProviderConfig)
+	autocert.Providers["edgedns"] = autocert.DNSProvider(edgedns.NewDefaultConfig, edgedns.NewDNSProviderConfig)
+	autocert.Providers["efficientip"] = autocert.DNSProvider(efficientip.NewDefaultConfig, efficientip.NewDNSProviderConfig)
+	autocert.Providers["epik"] = autocert.DNSProvider(epik.NewDefaultConfig, epik.NewDNSProviderConfig)
+	autocert.Providers["exec"] = autocert.DNSProvider(exec.NewDefaultConfig, exec.NewDNSProviderConfig)
+	autocert.Providers["exoscale"] = autocert.DNSProvider(exoscale.NewDefaultConfig, exoscale.NewDNSProviderConfig)
+	autocert.Providers["f5xc"] = autocert.DNSProvider(f5xc.NewDefaultConfig, f5xc.NewDNSProviderConfig)
+	autocert.Providers["freemyip"] = autocert.DNSProvider(freemyip.NewDefaultConfig, freemyip.NewDNSProviderConfig)
+	autocert.Providers["gandi"] = autocert.DNSProvider(gandi.NewDefaultConfig, gandi.NewDNSProviderConfig)
+	autocert.Providers["gandiv5"] = autocert.DNSProvider(gandiv5.NewDefaultConfig, gandiv5.NewDNSProviderConfig)
+	autocert.Providers["gcloud"] = autocert.DNSProvider(gcloud.NewDefaultConfig, gcloud.NewDNSProviderConfig)
+	autocert.Providers["gcore"] = autocert.DNSProvider(gcore.NewDefaultConfig, gcore.NewDNSProviderConfig)
+	autocert.Providers["glesys"] = autocert.DNSProvider(glesys.NewDefaultConfig, glesys.NewDNSProviderConfig)
+	autocert.Providers["godaddy"] = autocert.DNSProvider(godaddy.NewDefaultConfig, godaddy.NewDNSProviderConfig)
+	autocert.Providers["googledomains"] = autocert.DNSProvider(googledomains.NewDefaultConfig, googledomains.NewDNSProviderConfig)
+	autocert.Providers["hetzner"] = autocert.DNSProvider(hetzner.NewDefaultConfig, hetzner.NewDNSProviderConfig)
+	autocert.Providers["hostingde"] = autocert.DNSProvider(hostingde.NewDefaultConfig, hostingde.NewDNSProviderConfig)
+	autocert.Providers["hosttech"] = autocert.DNSProvider(hosttech.NewDefaultConfig, hosttech.NewDNSProviderConfig)
+	autocert.Providers["httpnet"] = autocert.DNSProvider(httpnet.NewDefaultConfig, httpnet.NewDNSProviderConfig)
+	autocert.Providers["httpreq"] = autocert.DNSProvider(httpreq.NewDefaultConfig, httpreq.NewDNSProviderConfig)
+	autocert.Providers["huaweicloud"] = autocert.DNSProvider(huaweicloud.NewDefaultConfig, huaweicloud.NewDNSProviderConfig)
+	autocert.Providers["hurricane"] = autocert.DNSProvider(hurricane.NewDefaultConfig, hurricane.NewDNSProviderConfig)
+	autocert.Providers["hyperone"] = autocert.DNSProvider(hyperone.NewDefaultConfig, hyperone.NewDNSProviderConfig)
+	autocert.Providers["ibmcloud"] = autocert.DNSProvider(ibmcloud.NewDefaultConfig, ibmcloud.NewDNSProviderConfig)
+	autocert.Providers["iij"] = autocert.DNSProvider(iij.NewDefaultConfig, iij.NewDNSProviderConfig)
+	autocert.Providers["iijdpf"] = autocert.DNSProvider(iijdpf.NewDefaultConfig, iijdpf.NewDNSProviderConfig)
+	autocert.Providers["infoblox"] = autocert.DNSProvider(infoblox.NewDefaultConfig, infoblox.NewDNSProviderConfig)
+	autocert.Providers["infomaniak"] = autocert.DNSProvider(infomaniak.NewDefaultConfig, infomaniak.NewDNSProviderConfig)
+	autocert.Providers["internetbs"] = autocert.DNSProvider(internetbs.NewDefaultConfig, internetbs.NewDNSProviderConfig)
+	autocert.Providers["inwx"] = autocert.DNSProvider(inwx.NewDefaultConfig, inwx.NewDNSProviderConfig)
+	autocert.Providers["ionos"] = autocert.DNSProvider(ionos.NewDefaultConfig, ionos.NewDNSProviderConfig)
+	autocert.Providers["ipv64"] = autocert.DNSProvider(ipv64.NewDefaultConfig, ipv64.NewDNSProviderConfig)
+	autocert.Providers["iwantmyname"] = autocert.DNSProvider(iwantmyname.NewDefaultConfig, iwantmyname.NewDNSProviderConfig)
+	autocert.Providers["joker"] = autocert.DNSProvider(joker.NewDefaultConfig, joker.NewDNSProviderConfig)
+	autocert.Providers["liara"] = autocert.DNSProvider(liara.NewDefaultConfig, liara.NewDNSProviderConfig)
+	autocert.Providers["lightsail"] = autocert.DNSProvider(lightsail.NewDefaultConfig, lightsail.NewDNSProviderConfig)
+	autocert.Providers["limacity"] = autocert.DNSProvider(limacity.NewDefaultConfig, limacity.NewDNSProviderConfig)
+	autocert.Providers["linode"] = autocert.DNSProvider(linode.NewDefaultConfig, linode.NewDNSProviderConfig)
+	autocert.Providers["liquidweb"] = autocert.DNSProvider(liquidweb.NewDefaultConfig, liquidweb.NewDNSProviderConfig)
+	autocert.Providers["loopia"] = autocert.DNSProvider(loopia.NewDefaultConfig, loopia.NewDNSProviderConfig)
+	autocert.Providers["luadns"] = autocert.DNSProvider(luadns.NewDefaultConfig, luadns.NewDNSProviderConfig)
+	autocert.Providers["mailinabox"] = autocert.DNSProvider(mailinabox.NewDefaultConfig, mailinabox.NewDNSProviderConfig)
+	autocert.Providers["manageengine"] = autocert.DNSProvider(manageengine.NewDefaultConfig, manageengine.NewDNSProviderConfig)
+	autocert.Providers["metaname"] = autocert.DNSProvider(metaname.NewDefaultConfig, metaname.NewDNSProviderConfig)
+	autocert.Providers["metaregistrar"] = autocert.DNSProvider(metaregistrar.NewDefaultConfig, metaregistrar.NewDNSProviderConfig)
+	autocert.Providers["mijnhost"] = autocert.DNSProvider(mijnhost.NewDefaultConfig, mijnhost.NewDNSProviderConfig)
+	autocert.Providers["mittwald"] = autocert.DNSProvider(mittwald.NewDefaultConfig, mittwald.NewDNSProviderConfig)
+	autocert.Providers["myaddr"] = autocert.DNSProvider(myaddr.NewDefaultConfig, myaddr.NewDNSProviderConfig)
+	autocert.Providers["mydnsjp"] = autocert.DNSProvider(mydnsjp.NewDefaultConfig, mydnsjp.NewDNSProviderConfig)
+	autocert.Providers["namecheap"] = autocert.DNSProvider(namecheap.NewDefaultConfig, namecheap.NewDNSProviderConfig)
+	autocert.Providers["namedotcom"] = autocert.DNSProvider(namedotcom.NewDefaultConfig, namedotcom.NewDNSProviderConfig)
+	autocert.Providers["namesilo"] = autocert.DNSProvider(namesilo.NewDefaultConfig, namesilo.NewDNSProviderConfig)
+	autocert.Providers["nearlyfreespeech"] = autocert.DNSProvider(nearlyfreespeech.NewDefaultConfig, nearlyfreespeech.NewDNSProviderConfig)
+	autocert.Providers["netcup"] = autocert.DNSProvider(netcup.NewDefaultConfig, netcup.NewDNSProviderConfig)
+	autocert.Providers["netlify"] = autocert.DNSProvider(netlify.NewDefaultConfig, netlify.NewDNSProviderConfig)
+	autocert.Providers["nicmanager"] = autocert.DNSProvider(nicmanager.NewDefaultConfig, nicmanager.NewDNSProviderConfig)
+	autocert.Providers["nifcloud"] = autocert.DNSProvider(nifcloud.NewDefaultConfig, nifcloud.NewDNSProviderConfig)
+	autocert.Providers["njalla"] = autocert.DNSProvider(njalla.NewDefaultConfig, njalla.NewDNSProviderConfig)
+	autocert.Providers["nodion"] = autocert.DNSProvider(nodion.NewDefaultConfig, nodion.NewDNSProviderConfig)
+	autocert.Providers["ns1"] = autocert.DNSProvider(ns1.NewDefaultConfig, ns1.NewDNSProviderConfig)
+	autocert.Providers["oraclecloud"] = autocert.DNSProvider(oraclecloud.NewDefaultConfig, oraclecloud.NewDNSProviderConfig)
+	autocert.Providers["otc"] = autocert.DNSProvider(otc.NewDefaultConfig, otc.NewDNSProviderConfig)
+	autocert.Providers["ovh"] = autocert.DNSProvider(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig)
+	autocert.Providers["pdns"] = autocert.DNSProvider(pdns.NewDefaultConfig, pdns.NewDNSProviderConfig)
+	autocert.Providers["plesk"] = autocert.DNSProvider(plesk.NewDefaultConfig, plesk.NewDNSProviderConfig)
+	autocert.Providers["porkbun"] = autocert.DNSProvider(porkbun.NewDefaultConfig, porkbun.NewDNSProviderConfig)
+	autocert.Providers["rackspace"] = autocert.DNSProvider(rackspace.NewDefaultConfig, rackspace.NewDNSProviderConfig)
+	autocert.Providers["rainyun"] = autocert.DNSProvider(rainyun.NewDefaultConfig, rainyun.NewDNSProviderConfig)
+	autocert.Providers["rcodezero"] = autocert.DNSProvider(rcodezero.NewDefaultConfig, rcodezero.NewDNSProviderConfig)
+	autocert.Providers["regfish"] = autocert.DNSProvider(regfish.NewDefaultConfig, regfish.NewDNSProviderConfig)
+	autocert.Providers["regru"] = autocert.DNSProvider(regru.NewDefaultConfig, regru.NewDNSProviderConfig)
+	autocert.Providers["rfc2136"] = autocert.DNSProvider(rfc2136.NewDefaultConfig, rfc2136.NewDNSProviderConfig)
+	autocert.Providers["rimuhosting"] = autocert.DNSProvider(rimuhosting.NewDefaultConfig, rimuhosting.NewDNSProviderConfig)
+	autocert.Providers["route53"] = autocert.DNSProvider(route53.NewDefaultConfig, route53.NewDNSProviderConfig)
+	autocert.Providers["safedns"] = autocert.DNSProvider(safedns.NewDefaultConfig, safedns.NewDNSProviderConfig)
+	autocert.Providers["sakuracloud"] = autocert.DNSProvider(sakuracloud.NewDefaultConfig, sakuracloud.NewDNSProviderConfig)
+	autocert.Providers["scaleway"] = autocert.DNSProvider(scaleway.NewDefaultConfig, scaleway.NewDNSProviderConfig)
+	autocert.Providers["selectel"] = autocert.DNSProvider(selectel.NewDefaultConfig, selectel.NewDNSProviderConfig)
+	autocert.Providers["selectelv2"] = autocert.DNSProvider(selectelv2.NewDefaultConfig, selectelv2.NewDNSProviderConfig)
+	autocert.Providers["selfhostde"] = autocert.DNSProvider(selfhostde.NewDefaultConfig, selfhostde.NewDNSProviderConfig)
+	autocert.Providers["servercow"] = autocert.DNSProvider(servercow.NewDefaultConfig, servercow.NewDNSProviderConfig)
+	autocert.Providers["shellrent"] = autocert.DNSProvider(shellrent.NewDefaultConfig, shellrent.NewDNSProviderConfig)
+	autocert.Providers["simply"] = autocert.DNSProvider(simply.NewDefaultConfig, simply.NewDNSProviderConfig)
+	autocert.Providers["sonic"] = autocert.DNSProvider(sonic.NewDefaultConfig, sonic.NewDNSProviderConfig)
+	autocert.Providers["spaceship"] = autocert.DNSProvider(spaceship.NewDefaultConfig, spaceship.NewDNSProviderConfig)
+	autocert.Providers["stackpath"] = autocert.DNSProvider(stackpath.NewDefaultConfig, stackpath.NewDNSProviderConfig)
+	autocert.Providers["technitium"] = autocert.DNSProvider(technitium.NewDefaultConfig, technitium.NewDNSProviderConfig)
+	autocert.Providers["tencentcloud"] = autocert.DNSProvider(tencentcloud.NewDefaultConfig, tencentcloud.NewDNSProviderConfig)
+	autocert.Providers["timewebcloud"] = autocert.DNSProvider(timewebcloud.NewDefaultConfig, timewebcloud.NewDNSProviderConfig)
+	autocert.Providers["transip"] = autocert.DNSProvider(transip.NewDefaultConfig, transip.NewDNSProviderConfig)
+	autocert.Providers["ultradns"] = autocert.DNSProvider(ultradns.NewDefaultConfig, ultradns.NewDNSProviderConfig)
+	autocert.Providers["variomedia"] = autocert.DNSProvider(variomedia.NewDefaultConfig, variomedia.NewDNSProviderConfig)
+	autocert.Providers["vegadns"] = autocert.DNSProvider(vegadns.NewDefaultConfig, vegadns.NewDNSProviderConfig)
+	autocert.Providers["vercel"] = autocert.DNSProvider(vercel.NewDefaultConfig, vercel.NewDNSProviderConfig)
+	autocert.Providers["versio"] = autocert.DNSProvider(versio.NewDefaultConfig, versio.NewDNSProviderConfig)
+	autocert.Providers["vinyldns"] = autocert.DNSProvider(vinyldns.NewDefaultConfig, vinyldns.NewDNSProviderConfig)
+	autocert.Providers["vkcloud"] = autocert.DNSProvider(vkcloud.NewDefaultConfig, vkcloud.NewDNSProviderConfig)
+	autocert.Providers["volcengine"] = autocert.DNSProvider(volcengine.NewDefaultConfig, volcengine.NewDNSProviderConfig)
+	autocert.Providers["vscale"] = autocert.DNSProvider(vscale.NewDefaultConfig, vscale.NewDNSProviderConfig)
+	autocert.Providers["vultr"] = autocert.DNSProvider(vultr.NewDefaultConfig, vultr.NewDNSProviderConfig)
+	autocert.Providers["webnames"] = autocert.DNSProvider(webnames.NewDefaultConfig, webnames.NewDNSProviderConfig)
+	autocert.Providers["websupport"] = autocert.DNSProvider(websupport.NewDefaultConfig, websupport.NewDNSProviderConfig)
+	autocert.Providers["wedos"] = autocert.DNSProvider(wedos.NewDefaultConfig, wedos.NewDNSProviderConfig)
+	autocert.Providers["westcn"] = autocert.DNSProvider(westcn.NewDefaultConfig, westcn.NewDNSProviderConfig)
+	autocert.Providers["yandex"] = autocert.DNSProvider(yandex.NewDefaultConfig, yandex.NewDNSProviderConfig)
+	autocert.Providers["yandex360"] = autocert.DNSProvider(yandex360.NewDefaultConfig, yandex360.NewDNSProviderConfig)
+	autocert.Providers["zoneee"] = autocert.DNSProvider(zoneee.NewDefaultConfig, zoneee.NewDNSProviderConfig)
+	autocert.Providers["zonomi"] = autocert.DNSProvider(zonomi.NewDefaultConfig, zonomi.NewDNSProviderConfig)
+}

internal/docker/client.go

@@ -15,9 +15,9 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/internal/common"
+	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 type (
@@ -46,7 +46,7 @@ const (
 )
 
 func initClientCleaner() {
-	cleaner := task.RootTask("docker_clients_cleaner")
+	cleaner := task.RootTask("docker_clients_cleaner", false)
 	go func() {
 		ticker := time.NewTicker(cleanInterval)
 		defer ticker.Stop()
@@ -125,7 +125,7 @@ func NewClient(host string) (*SharedClient, error) {
 	var dial func(ctx context.Context) (net.Conn, error)
 
 	if agent.IsDockerHostAgent(host) {
-		cfg, ok := agent.Agents.Get(host)
+		cfg, ok := config.GetInstance().GetAgent(host)
 		if !ok {
 			panic(fmt.Errorf("agent %q not found", host))
 		}
@@ -220,12 +220,3 @@ func (c *SharedClient) Close() {
 	atomic.StoreInt64(&c.closedOn, time.Now().Unix())
 	atomic.AddUint32(&c.refCount, ^uint32(0))
 }
-
-func (c *SharedClient) MarshalMap() map[string]any {
-	return map[string]any{
-		"host":      c.DaemonHost(),
-		"addr":      c.addr,
-		"ref_count": c.refCount,
-		"closed_on": strutils.FormatUnixTime(c.closedOn),
-	}
-}

internal/docker/container.go

@@ -6,19 +6,19 @@ import (
 	"strings"
 
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/go-connections/nat"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
+	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/gperr"
 	idlewatcher "github.com/yusing/go-proxy/internal/idlewatcher/types"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	U "github.com/yusing/go-proxy/internal/utils"
 )
 
 type (
-	PortMapping = map[int]*container.Port
+	PortMapping = map[int]container.Port
 	Container   struct {
-		_ utils.NoCopy
+		_ U.NoCopy
 
 		DockerHost    string          `json:"docker_host"`
 		Image         *ContainerImage `json:"image"`
@@ -27,7 +27,7 @@ type (
 
 		Agent *agent.AgentConfig `json:"agent"`
 
-		RouteConfig       map[string]string   `json:"route_config"`
+		Labels            map[string]string   `json:"-"`
 		IdlewatcherConfig *idlewatcher.Config `json:"idlewatcher_config"`
 
 		Mounts []string `json:"mounts"`
@@ -51,29 +51,40 @@ type (
 
 var DummyContainer = new(Container)
 
-func FromDocker(c *container.Summary, dockerHost string) (res *Container) {
+func FromDocker(c *container.SummaryTrimmed, dockerHost string) (res *Container) {
 	isExplicit := false
 	helper := containerHelper{c}
+	for lbl := range c.Labels {
+		if strings.HasPrefix(lbl, NSProxy+".") {
+			isExplicit = true
+		} else {
+			delete(c.Labels, lbl)
+		}
+	}
+
+	isExcluded, _ := strconv.ParseBool(helper.getDeleteLabel(LabelExclude))
 	res = &Container{
 		DockerHost:    dockerHost,
 		Image:         helper.parseImage(),
 		ContainerName: helper.getName(),
 		ContainerID:   c.ID,
 
+		Labels: c.Labels,
+
 		Mounts: helper.getMounts(),
 
 		PublicPortMapping:  helper.getPublicPortMapping(),
 		PrivatePortMapping: helper.getPrivatePortMapping(),
 
 		Aliases:    helper.getAliases(),
-		IsExcluded: strutils.ParseBool(helper.getDeleteLabel(LabelExclude)),
+		IsExcluded: isExcluded,
 		IsExplicit: isExplicit,
 		Running:    c.Status == "running" || c.State == "running",
 	}
 
 	if agent.IsDockerHostAgent(dockerHost) {
 		var ok bool
-		res.Agent, ok = agent.Agents.Get(dockerHost)
+		res.Agent, ok = config.GetInstance().GetAgent(dockerHost)
 		if !ok {
 			logging.Error().Msgf("agent %q not found", dockerHost)
 		}
@@ -82,53 +93,9 @@ func FromDocker(c *container.Summary, dockerHost string) (res *Container) {
 	res.setPrivateHostname(helper)
 	res.setPublicHostname()
 	res.loadDeleteIdlewatcherLabels(helper)
-
-	for lbl := range c.Labels {
-		if strings.HasPrefix(lbl, NSProxy+".") {
-			isExplicit = true
-		} else {
-			delete(c.Labels, lbl)
-		}
-	}
-	res.RouteConfig = utils.FitMap(c.Labels)
 	return
 }
 
-func FromInspectResponse(json container.InspectResponse, dockerHost string) *Container {
-	ports := make([]container.Port, 0, len(json.NetworkSettings.Ports))
-	for k, bindings := range json.NetworkSettings.Ports {
-		proto, privPortStr := nat.SplitProtoPort(string(k))
-		privPort, _ := strconv.ParseUint(privPortStr, 10, 16)
-		ports = append(ports, container.Port{
-			PrivatePort: uint16(privPort),
-			Type:        proto,
-		})
-		for _, v := range bindings {
-			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
-			ports = append(ports, container.Port{
-				IP:          v.HostIP,
-				PublicPort:  uint16(pubPort),
-				PrivatePort: uint16(privPort),
-				Type:        proto,
-			})
-		}
-	}
-	cont := FromDocker(&container.Summary{
-		ID:     json.ID,
-		Names:  []string{strings.TrimPrefix(json.Name, "/")},
-		Image:  json.Image,
-		Ports:  ports,
-		Labels: json.Config.Labels,
-		State:  json.State.Status,
-		Status: json.State.Status,
-		Mounts: json.Mounts,
-		NetworkSettings: &container.NetworkSettingsSummary{
-			Networks: json.NetworkSettings.Networks,
-		},
-	}, dockerHost)
-	return cont
-}
-
 func (c *Container) IsBlacklisted() bool {
 	return c.Image.IsBlacklisted() || c.isDatabase()
 }
@@ -159,11 +126,27 @@ func (c *Container) isDatabase() bool {
 	return false
 }
 
+func (c *Container) isLocal() bool {
+	if strings.HasPrefix(c.DockerHost, "unix://") {
+		return true
+	}
+	url, err := url.Parse(c.DockerHost)
+	if err != nil {
+		return false
+	}
+	switch url.Hostname() {
+	case "localhost", "127.0.0.1", "::1":
+		return true
+	default:
+		return false
+	}
+}
+
 func (c *Container) setPublicHostname() {
 	if !c.Running {
 		return
 	}
-	if strings.HasPrefix(c.DockerHost, "unix://") {
+	if c.isLocal() {
 		c.PublicHostname = "127.0.0.1"
 		return
 	}
@@ -177,18 +160,17 @@ func (c *Container) setPublicHostname() {
 }
 
 func (c *Container) setPrivateHostname(helper containerHelper) {
-	if !strings.HasPrefix(c.DockerHost, "unix://") && c.Agent == nil {
+	if !c.isLocal() && c.Agent == nil {
 		return
 	}
 	if helper.NetworkSettings == nil {
 		return
 	}
 	for _, v := range helper.NetworkSettings.Networks {
-		if v.IPAddress == "" {
-			continue
+		if v.IPAddress != "" {
+			c.PrivateHostname = v.IPAddress
+			return
 		}
-		c.PrivateHostname = v.IPAddress
-		return
 	}
 }
 

internal/docker/container_helper.go

@@ -4,12 +4,11 @@ import (
 	"strings"
 
 	"github.com/docker/docker/api/types/container"
-	"github.com/yusing/go-proxy/internal/utils"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 type containerHelper struct {
-	*container.Summary
+	*container.SummaryTrimmed
 }
 
 // getDeleteLabel gets the value of a label and then deletes it from the container.
@@ -63,15 +62,15 @@ func (c containerHelper) getPublicPortMapping() PortMapping {
 		if v.PublicPort == 0 {
 			continue
 		}
-		res[int(v.PublicPort)] = &v
-	}
-	return utils.FitMap(res)
-}
-
-func (c containerHelper) getPrivatePortMapping() PortMapping {
-	res := make(PortMapping, len(c.Ports))
-	for _, v := range c.Ports {
-		res[int(v.PrivatePort)] = &v
+		res[int(v.PublicPort)] = v
+	}
+	return res
+}
+
+func (c containerHelper) getPrivatePortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		res[int(v.PrivatePort)] = v
 	}
 	return res
 }

internal/docker/container_test.go

@@ -36,7 +36,7 @@ func TestContainerExplicit(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := FromDocker(&container.Summary{Names: []string{"test"}, State: "test", Labels: tt.labels}, "")
+			c := FromDocker(&container.SummaryTrimmed{Names: []string{"test"}, State: "test", Labels: tt.labels}, "")
 			ExpectEqual(t, c.IsExplicit, tt.isExplicit)
 		})
 	}

internal/docker/inspect.go

@@ -1,28 +0,0 @@
-package docker
-
-import (
-	"context"
-	"errors"
-	"time"
-)
-
-func Inspect(dockerHost string, containerID string) (*Container, error) {
-	client, err := NewClient(dockerHost)
-	if err != nil {
-		return nil, err
-	}
-
-	defer client.Close()
-	return client.Inspect(containerID)
-}
-
-func (c *SharedClient) Inspect(containerID string) (*Container, error) {
-	ctx, cancel := context.WithTimeoutCause(context.Background(), 3*time.Second, errors.New("docker container inspect timeout"))
-	defer cancel()
-
-	json, err := c.ContainerInspect(ctx, containerID)
-	if err != nil {
-		return nil, err
-	}
-	return FromInspectResponse(json, c.DaemonHost()), nil
-}

internal/docker/list_containers.go

@@ -21,7 +21,7 @@ var listOptions = container.ListOptions{
 	All: true,
 }
 
-func ListContainers(clientHost string) ([]container.Summary, error) {
+func ListContainers(clientHost string) ([]container.SummaryTrimmed, error) {
 	dockerClient, err := NewClient(clientHost)
 	if err != nil {
 		return nil, err

internal/entrypoint/entrypoint.go

@@ -7,12 +7,11 @@ import (
 	"strings"
 
 	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
 	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/accesslog"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware/errorpage"
 	"github.com/yusing/go-proxy/internal/route/routes"
-	route "github.com/yusing/go-proxy/internal/route/types"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
@@ -20,7 +19,7 @@ import (
 type Entrypoint struct {
 	middleware    *middleware.Middleware
 	accessLogger  *accesslog.AccessLogger
-	findRouteFunc func(host string) (route.HTTPRoute, error)
+	findRouteFunc func(host string) (routes.HTTPRoute, error)
 }
 
 var ErrNoSuchRoute = errors.New("no such route")
@@ -55,7 +54,7 @@ func (ep *Entrypoint) SetMiddlewares(mws []map[string]any) error {
 	return nil
 }
 
-func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.Config) (err error) {
+func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.RequestLoggerConfig) (err error) {
 	if cfg == nil {
 		ep.accessLogger = nil
 		return
@@ -108,7 +107,7 @@ func (ep *Entrypoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func findRouteAnyDomain(host string) (route.HTTPRoute, error) {
+func findRouteAnyDomain(host string) (routes.HTTPRoute, error) {
 	hostSplit := strutils.SplitRune(host, '.')
 	target := hostSplit[0]
 
@@ -118,19 +117,19 @@ func findRouteAnyDomain(host string) (route.HTTPRoute, error) {
 	return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, target)
 }
 
-func findRouteByDomains(domains []string) func(host string) (route.HTTPRoute, error) {
-	return func(host string) (route.HTTPRoute, error) {
+func findRouteByDomains(domains []string) func(host string) (routes.HTTPRoute, error) {
+	return func(host string) (routes.HTTPRoute, error) {
 		for _, domain := range domains {
 			if strings.HasSuffix(host, domain) {
 				target := strings.TrimSuffix(host, domain)
-				if r, ok := routes.GetHTTPRoute(target); ok {
+				if r, ok := routes.HTTP.Get(target); ok {
 					return r, nil
 				}
 			}
 		}
 
 		// fallback to exact match
-		if r, ok := routes.GetHTTPRoute(host); ok {
+		if r, ok := routes.HTTP.Get(host); ok {
 			return r, nil
 		}
 		return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, host)

internal/entrypoint/entrypoint_test.go

@@ -5,37 +5,43 @@ import (
 
 	"github.com/yusing/go-proxy/internal/route"
 	"github.com/yusing/go-proxy/internal/route/routes"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
+
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
 )
 
-var (
-	r  route.ReveseProxyRoute
-	ep = NewEntrypoint()
-)
+var ep = NewEntrypoint()
+
+func addRoute(alias string) {
+	routes.HTTP.Add(&route.ReveseProxyRoute{
+		Route: &route.Route{
+			Alias: alias,
+		},
+	})
+}
 
 func run(t *testing.T, match []string, noMatch []string) {
 	t.Helper()
-	t.Cleanup(routes.TestClear)
+	t.Cleanup(routes.Clear)
 	t.Cleanup(func() { ep.SetFindRouteDomains(nil) })
 
 	for _, test := range match {
 		t.Run(test, func(t *testing.T) {
 			found, err := ep.findRouteFunc(test)
-			ExpectNoError(t, err)
-			ExpectTrue(t, found == &r)
+			expect.NoError(t, err)
+			expect.NotNil(t, found)
 		})
 	}
 
 	for _, test := range noMatch {
 		t.Run(test, func(t *testing.T) {
 			_, err := ep.findRouteFunc(test)
-			ExpectError(t, ErrNoSuchRoute, err)
+			expect.ErrorIs(t, ErrNoSuchRoute, err)
 		})
 	}
 }
 
 func TestFindRouteAnyDomain(t *testing.T) {
-	routes.SetHTTPRoute("app1", &r)
+	addRoute("app1")
 
 	tests := []string{
 		"app1.com",
@@ -66,7 +72,7 @@ func TestFindRouteExactHostMatch(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		routes.SetHTTPRoute(test, &r)
+		addRoute(test)
 	}
 
 	run(t, tests, testsNoMatch)
@@ -78,7 +84,7 @@ func TestFindRouteByDomains(t *testing.T) {
 		".sub.domain.com",
 	})
 
-	routes.SetHTTPRoute("app1", &r)
+	addRoute("app1")
 
 	tests := []string{
 		"app1.domain.com",
@@ -103,7 +109,7 @@ func TestFindRouteByDomainsExactMatch(t *testing.T) {
 		".sub.domain.com",
 	})
 
-	routes.SetHTTPRoute("app1.foo.bar", &r)
+	addRoute("app1.foo.bar")
 
 	tests := []string{
 		"app1.foo.bar", // exact match

internal/gperr/base.go

@@ -1,10 +1,9 @@
 package gperr
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
-
-	"github.com/yusing/go-proxy/pkg/json"
 )
 
 // baseError is an immutable wrapper around an error.
@@ -38,17 +37,36 @@ func (err *baseError) Subjectf(format string, args ...any) Error {
 }
 
 func (err baseError) With(extra error) Error {
-	return &nestedError{&err, []error{extra}}
+	return &nestedError{err.Err, []error{extra}}
 }
 
 func (err baseError) Withf(format string, args ...any) Error {
-	return &nestedError{&err, []error{fmt.Errorf(format, args...)}}
+	return &nestedError{err.Err, []error{fmt.Errorf(format, args...)}}
 }
 
 func (err *baseError) Error() string {
 	return err.Err.Error()
 }
 
-func (err *baseError) MarshalJSONTo(buf []byte) []byte {
-	return json.MarshalTo(err.Err, buf)
+// MarshalJSON implements the json.Marshaler interface.
+func (err *baseError) MarshalJSON() ([]byte, error) {
+	//nolint:errorlint
+	switch err := err.Err.(type) {
+	case Error, *withSubject:
+		return json.Marshal(err)
+	case json.Marshaler:
+		return err.MarshalJSON()
+	case interface{ MarshalText() ([]byte, error) }:
+		return err.MarshalText()
+	default:
+		return json.Marshal(err.Error())
+	}
+}
+
+func (err *baseError) Plain() []byte {
+	return Plain(err.Err)
+}
+
+func (err *baseError) Markdown() []byte {
+	return Markdown(err.Err)
 }

internal/gperr/builder.go

@@ -77,16 +77,15 @@ func (b *Builder) String() string {
 // Add adds an error to the Builder.
 //
 // adding nil is no-op.
-func (b *Builder) Add(err error) *Builder {
+func (b *Builder) Add(err error) {
 	if err == nil {
-		return b
+		return
 	}
 
 	b.Lock()
 	defer b.Unlock()
 
 	b.add(err)
-	return b
 }
 
 func (b *Builder) add(err error) {
@@ -106,14 +105,13 @@ func (b *Builder) add(err error) {
 	}
 }
 
-func (b *Builder) Adds(err string) *Builder {
+func (b *Builder) Adds(err string) {
 	b.Lock()
 	defer b.Unlock()
 	b.errs = append(b.errs, newError(err))
-	return b
 }
 
-func (b *Builder) Addf(format string, args ...any) *Builder {
+func (b *Builder) Addf(format string, args ...any) {
 	if len(args) > 0 {
 		b.Lock()
 		defer b.Unlock()
@@ -121,13 +119,11 @@ func (b *Builder) Addf(format string, args ...any) *Builder {
 	} else {
 		b.Adds(format)
 	}
-
-	return b
 }
 
-func (b *Builder) AddFrom(other *Builder, flatten bool) *Builder {
+func (b *Builder) AddFrom(other *Builder, flatten bool) {
 	if other == nil || !other.HasError() {
-		return b
+		return
 	}
 
 	b.Lock()
@@ -137,10 +133,9 @@ func (b *Builder) AddFrom(other *Builder, flatten bool) *Builder {
 	} else {
 		b.errs = append(b.errs, other.Error())
 	}
-	return b
 }
 
-func (b *Builder) AddRange(errs ...error) *Builder {
+func (b *Builder) AddRange(errs ...error) {
 	nonNilErrs := make([]error, 0, len(errs))
 	for _, err := range errs {
 		if err != nil {
@@ -154,7 +149,6 @@ func (b *Builder) AddRange(errs ...error) *Builder {
 	for _, err := range nonNilErrs {
 		b.add(err)
 	}
-	return b
 }
 
 func (b *Builder) ForEach(fn func(error)) {

internal/gperr/builder_test.go

@@ -50,6 +50,7 @@ func TestBuilderNested(t *testing.T) {
     • Inner: 1
     • Inner: 2
   • Action 2
-    • Inner: 3`
+    • Inner: 3
+`
 	ExpectEqual(t, got, expected)
 }

internal/gperr/error.go

@@ -20,6 +20,16 @@ type Error interface {
 	Subject(subject string) Error
 	// Subjectf is a wrapper for Subject(fmt.Sprintf(format, args...)).
 	Subjectf(format string, args ...any) Error
+	PlainError
+	MarkdownError
+}
+
+type PlainError interface {
+	Plain() []byte
+}
+
+type MarkdownError interface {
+	Markdown() []byte
 }
 
 // this makes JSON marshaling work,

internal/gperr/error_test.go

@@ -6,11 +6,11 @@ import (
 	"testing"
 
 	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
 )
 
 func TestBaseString(t *testing.T) {
-	ExpectEqual(t, New("error").Error(), "error")
+	expect.Equal(t, New("error").Error(), "error")
 }
 
 func TestBaseWithSubject(t *testing.T) {
@@ -18,13 +18,13 @@ func TestBaseWithSubject(t *testing.T) {
 	withSubject := err.Subject("foo")
 	withSubjectf := err.Subjectf("%s %s", "foo", "bar")
 
-	ExpectError(t, err, withSubject)
-	ExpectEqual(t, ansi.StripANSI(withSubject.Error()), "foo: error")
-	ExpectTrue(t, withSubject.Is(err))
+	expect.ErrorIs(t, err, withSubject)
+	expect.Equal(t, ansi.StripANSI(withSubject.Error()), "foo: error")
+	expect.True(t, withSubject.Is(err))
 
-	ExpectError(t, err, withSubjectf)
-	ExpectEqual(t, ansi.StripANSI(withSubjectf.Error()), "foo bar: error")
-	ExpectTrue(t, withSubjectf.Is(err))
+	expect.ErrorIs(t, err, withSubjectf)
+	expect.Equal(t, ansi.StripANSI(withSubjectf.Error()), "foo bar: error")
+	expect.True(t, withSubjectf.Is(err))
 }
 
 func TestBaseWithExtra(t *testing.T) {
@@ -32,22 +32,22 @@ func TestBaseWithExtra(t *testing.T) {
 	extra := New("bar").Subject("baz")
 	withExtra := err.With(extra)
 
-	ExpectTrue(t, withExtra.Is(extra))
-	ExpectTrue(t, withExtra.Is(err))
+	expect.True(t, withExtra.Is(extra))
+	expect.True(t, withExtra.Is(err))
 
-	ExpectTrue(t, errors.Is(withExtra, extra))
-	ExpectTrue(t, errors.Is(withExtra, err))
+	expect.True(t, errors.Is(withExtra, extra))
+	expect.True(t, errors.Is(withExtra, err))
 
-	ExpectTrue(t, strings.Contains(withExtra.Error(), err.Error()))
-	ExpectTrue(t, strings.Contains(withExtra.Error(), extra.Error()))
-	ExpectTrue(t, strings.Contains(withExtra.Error(), "baz"))
+	expect.True(t, strings.Contains(withExtra.Error(), err.Error()))
+	expect.True(t, strings.Contains(withExtra.Error(), extra.Error()))
+	expect.True(t, strings.Contains(withExtra.Error(), "baz"))
 }
 
 func TestBaseUnwrap(t *testing.T) {
 	err := errors.New("err")
 	wrapped := Wrap(err)
 
-	ExpectError(t, err, errors.Unwrap(wrapped))
+	expect.ErrorIs(t, err, errors.Unwrap(wrapped))
 }
 
 func TestNestedUnwrap(t *testing.T) {
@@ -56,24 +56,24 @@ func TestNestedUnwrap(t *testing.T) {
 	wrapped := Wrap(err).Subject("foo").With(err2.Subject("bar"))
 
 	unwrapper, ok := wrapped.(interface{ Unwrap() []error })
-	ExpectTrue(t, ok)
+	expect.True(t, ok)
 
-	ExpectError(t, err, wrapped)
-	ExpectError(t, err2, wrapped)
-	ExpectEqual(t, len(unwrapper.Unwrap()), 2)
+	expect.ErrorIs(t, err, wrapped)
+	expect.ErrorIs(t, err2, wrapped)
+	expect.Equal(t, len(unwrapper.Unwrap()), 2)
 }
 
 func TestErrorIs(t *testing.T) {
 	from := errors.New("error")
 	err := Wrap(from)
-	ExpectError(t, from, err)
+	expect.ErrorIs(t, from, err)
 
-	ExpectTrue(t, err.Is(from))
-	ExpectFalse(t, err.Is(New("error")))
+	expect.True(t, err.Is(from))
+	expect.False(t, err.Is(New("error")))
 
-	ExpectTrue(t, errors.Is(err.Subject("foo"), from))
-	ExpectTrue(t, errors.Is(err.Withf("foo"), from))
-	ExpectTrue(t, errors.Is(err.Subject("foo").Withf("bar"), from))
+	expect.True(t, errors.Is(err.Subject("foo"), from))
+	expect.True(t, errors.Is(err.Withf("foo"), from))
+	expect.True(t, errors.Is(err.Subject("foo").Withf("bar"), from))
 }
 
 func TestErrorImmutability(t *testing.T) {
@@ -83,14 +83,14 @@ func TestErrorImmutability(t *testing.T) {
 	for range 3 {
 		// t.Logf("%d: %v %T %s", i, errors.Unwrap(err), err, err)
 		_ = err.Subject("foo")
-		ExpectFalse(t, strings.Contains(err.Error(), "foo"))
+		expect.False(t, strings.Contains(err.Error(), "foo"))
 
 		_ = err.With(err2)
-		ExpectFalse(t, strings.Contains(err.Error(), "extra"))
-		ExpectFalse(t, err.Is(err2))
+		expect.False(t, strings.Contains(err.Error(), "extra"))
+		expect.False(t, err.Is(err2))
 
 		err = err.Subject("bar").Withf("baz")
-		ExpectTrue(t, err != nil)
+		expect.True(t, err != nil)
 	}
 }
 
@@ -100,24 +100,24 @@ func TestErrorWith(t *testing.T) {
 
 	err3 := err1.With(err2)
 
-	ExpectTrue(t, err3.Is(err1))
-	ExpectTrue(t, err3.Is(err2))
+	expect.True(t, err3.Is(err1))
+	expect.True(t, err3.Is(err2))
 
 	_ = err2.Subject("foo")
 
-	ExpectTrue(t, err3.Is(err1))
-	ExpectTrue(t, err3.Is(err2))
+	expect.True(t, err3.Is(err1))
+	expect.True(t, err3.Is(err2))
 
 	// check if err3 is affected by err2.Subject
-	ExpectFalse(t, strings.Contains(err3.Error(), "foo"))
+	expect.False(t, strings.Contains(err3.Error(), "foo"))
 }
 
 func TestErrorStringSimple(t *testing.T) {
 	errFailure := New("generic failure")
 	ne := errFailure.Subject("foo bar")
-	ExpectEqual(t, ansi.StripANSI(ne.Error()), "foo bar: generic failure")
+	expect.Equal(t, ansi.StripANSI(ne.Error()), "foo bar: generic failure")
 	ne = ne.Subject("baz")
-	ExpectEqual(t, ansi.StripANSI(ne.Error()), "baz > foo bar: generic failure")
+	expect.Equal(t, ansi.StripANSI(ne.Error()), "baz > foo bar: generic failure")
 }
 
 func TestErrorStringNested(t *testing.T) {
@@ -153,6 +153,7 @@ func TestErrorStringNested(t *testing.T) {
       • 2
       • action 3 > inner3: generic failure
         • 3
-        • 3`
-	ExpectEqual(t, ansi.StripANSI(ne.Error()), want)
+        • 3
+`
+	expect.Equal(t, ansi.StripANSI(ne.Error()), want)
 }

internal/gperr/hint.go

@@ -0,0 +1,43 @@
+package gperr
+
+import "github.com/yusing/go-proxy/internal/utils/strutils/ansi"
+
+type Hint struct {
+	Prefix  string
+	Message string
+	Suffix  string
+}
+
+var _ PlainError = (*Hint)(nil)
+var _ MarkdownError = (*Hint)(nil)
+
+func (h *Hint) Error() string {
+	return h.Prefix + ansi.Info(h.Message) + h.Suffix
+}
+
+func (h *Hint) Plain() []byte {
+	return []byte(h.Prefix + h.Message + h.Suffix)
+}
+
+func (h *Hint) Markdown() []byte {
+	return []byte(h.Prefix + "**" + h.Message + "**" + h.Suffix)
+}
+
+func (h *Hint) MarshalText() ([]byte, error) {
+	return h.Plain(), nil
+}
+
+func (h *Hint) String() string {
+	return h.Error()
+}
+
+func DoYouMean(s string) *Hint {
+	if s == "" {
+		return nil
+	}
+	return &Hint{
+		Prefix:  "Do you mean ",
+		Message: s,
+		Suffix:  "?",
+	}
+}

internal/gperr/log.go

@@ -1,19 +1,27 @@
 package gperr
 
 import (
+	"os"
+
 	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/logging"
 )
 
-func log(_ string, err error, level zerolog.Level, logger ...*zerolog.Logger) {
+func log(msg string, err error, level zerolog.Level, logger ...*zerolog.Logger) {
 	var l *zerolog.Logger
 	if len(logger) > 0 {
 		l = logger[0]
 	} else {
 		l = logging.GetLogger()
 	}
-	l.WithLevel(level).Msg(err.Error())
+	l.WithLevel(level).Msg(New(highlightANSI(msg)).With(err).Error())
+	switch level {
+	case zerolog.FatalLevel:
+		os.Exit(1)
+	case zerolog.PanicLevel:
+		panic(err)
+	}
 }
 
 func LogFatal(msg string, err error, logger ...*zerolog.Logger) {