fix(route): handle synthetic load balancer routes consistently

Synthetic load balancer routes were created with SchemeNone and a zero
proxy port, so the embedded Route logic treated them as excluded routes.
That caused them to be keyed like excluded routes instead of by alias,
which broke HTTP route lookup in reverse proxy load balancer tests.

Override Key and ShouldExclude for synthetic load balancer routes so
they stay addressable through the HTTP route pool while preserving the
existing behavior for normal backend routes.

Also guard addToLoadBalancer against a nil Homepage on an existing
linked route, and update the reverse proxy test to use the in-memory
test entrypoint rather than depending on real listener setup.

.github/workflows/cli-binary.yml

@@ -47,14 +47,20 @@ jobs:
 
       - name: Build CLI
         run: |
-          make CLI_BIN_PATH=bin/${{ matrix.binary_name }} build-cli
+          make cli=1 NAME=${{ matrix.binary_name }} build
 
       - name: Check binary
         run: |
           file bin/${{ matrix.binary_name }}
 
-      - name: Upload artifact
+      - name: Upload
         uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.binary_name }}
           path: bin/${{ matrix.binary_name }}
+
+      - name: Upload to release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: bin/${{ matrix.binary_name }}

.github/workflows/merge-main-into-compat.yml

@@ -1,4 +1,4 @@
-name: Cherry-pick into Compat
+name: Refresh Compat from Main Patch
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
       - ".github/workflows/merge-main-into-compat.yml"
 
 jobs:
-  cherry-pick:
+  refresh-compat:
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -20,20 +20,9 @@ jobs:
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-      - name: Cherry-pick commits from last tag
+      - name: Refresh compat with single patch commit
         run: |
-          git fetch origin compat
-          git checkout compat
-          CURRENT_TAG=${{ github.ref_name }}
-          PREV_TAG=$(git describe --tags --abbrev=0 $CURRENT_TAG^ 2>/dev/null || echo "")
-
-          if [ -z "$PREV_TAG" ]; then
-            echo "No previous tag found. Cherry-picking all commits up to $CURRENT_TAG"
-            git rev-list --reverse --no-merges $CURRENT_TAG | xargs -r git cherry-pick
-          else
-            echo "Cherry-picking commits from $PREV_TAG to $CURRENT_TAG"
-            git rev-list --reverse --no-merges $PREV_TAG..$CURRENT_TAG | xargs -r git cherry-pick
-          fi
+          ./scripts/refresh-compat.sh
       - name: Push compat
         run: |
-          git push origin compat
+          git push origin compat --force

AGENTS.md

@@ -0,0 +1,32 @@
+# AGENTS.md
+
+## Development Commands
+
+- Build: You should not run build command.
+- Test: `go test -ldflags="-checklinkname=0" ...`
+
+## Documentation
+
+Update package level `README.md` if exists after making significant changes.
+
+## Go Guidelines
+
+1. Use builtin `min` and `max` functions instead of creating custom ones
+2. Prefer `for i := range 10` over `for i := 0; i < 10; i++`
+3. Beware of variable shadowing when making edits
+4. Use `internal/task/task.go` for lifetime management:
+   - `task.RootTask()` for background operations
+   - `parent.Subtask()` for nested tasks
+   - `OnFinished()` and `OnCancel()` callbacks for cleanup
+5. Use `gperr "goutils/errs"` to build pretty nested errors:
+   - `gperr.Multiline()` for multiple operation attempts
+   - `gperr.NewBuilder()` to collect errors
+   - `gperr.NewGroup() + group.Go()` to collect errors of multiple concurrent operations
+   - `gperr.PrependSubject()` to prepend subject to errors
+6. Use `github.com/puzpuzpuz/xsync/v4` for lock-free thread safe maps
+7. Use `goutils/synk` to retrieve and put byte buffer
+
+## Testing
+
+- Run scoped tests instead of `./...`
+- Use `testify`, no manual assertions.

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.26.0-alpine AS deps
+FROM golang:1.26.1-alpine AS deps
 HEALTHCHECK NONE
 
 # package version does not matter

Makefile

@@ -6,8 +6,8 @@ export GOOS = linux
 
 REPO_URL ?= https://github.com/yusing/godoxy
 
-WEBUI_DIR ?= ../godoxy-webui
-DOCS_DIR ?= wiki
+WEBUI_DIR ?= $(shell pwd)/../godoxy-webui
+DOCS_DIR ?= ${WEBUI_DIR}/wiki
 
 ifneq ($(BRANCH), compat)
 	GO_TAGS = sonic
@@ -17,15 +17,22 @@ endif
 
 LDFLAGS = -X github.com/yusing/goutils/version.version=${VERSION} -checklinkname=0
 
+PACKAGE ?= ./cmd
+
 ifeq ($(agent), 1)
 	NAME = godoxy-agent
 	PWD = ${shell pwd}/agent
 else ifeq ($(socket-proxy), 1)
 	NAME = godoxy-socket-proxy
 	PWD = ${shell pwd}/socket-proxy
+else ifeq ($(cli), 1)
+	NAME = godoxy-cli
+	PWD = ${shell pwd}/cmd/cli
+	PACKAGE = .
 else
 	NAME = godoxy
 	PWD = ${shell pwd}
+	godoxy = 1
 endif
 
 ifeq ($(trace), 1)
@@ -58,7 +65,6 @@ endif
 
 BUILD_FLAGS += -tags '$(GO_TAGS)' -ldflags='$(LDFLAGS)'
 BIN_PATH := $(shell pwd)/bin/${NAME}
-CLI_BIN_PATH ?= $(shell pwd)/bin/godoxy-cli
 
 export NAME
 export CGO_ENABLED
@@ -76,7 +82,11 @@ endif
 
 
 # CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
-POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
+POST_BUILD = echo;
+
+ifeq ($(godoxy), 1)
+	POST_BUILD += $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
+endif
 ifeq ($(docker), 1)
 	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
 endif
@@ -133,13 +143,18 @@ minify-js:
 		done \
 	fi
 
-build: minify-js
+build:
+	@if [ "${godoxy}" = "1" ]; then \
+		make minify-js; \
+	elif [ "${cli}" = "1" ]; then \
+		make gen-cli; \
+	fi
 	mkdir -p $(shell dirname ${BIN_PATH})
-	go build -C ${PWD} ${BUILD_FLAGS} -o ${BIN_PATH} ./cmd
+	go build -C ${PWD} ${BUILD_FLAGS} -o ${BIN_PATH} ${PACKAGE}
 	${POST_BUILD}
 
 run: minify-js
-	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${PACKAGE}
 
 dev:
 	docker compose -f dev.compose.yml $(args)
@@ -186,13 +201,10 @@ gen-api-types: gen-swagger
 	bunx --bun swagger-typescript-api generate --sort-types --generate-union-enums --axios --add-readonly --route-types \
 		 --responses -o ${WEBUI_DIR}/src/lib -n api.ts -p internal/api/v1/docs/swagger.json
 
+.PHONY: gen-cli build-cli update-wiki
+
 gen-cli:
 	cd cmd/cli && go run ./gen
 
-build-cli: gen-cli
-	mkdir -p $(shell dirname ${CLI_BIN_PATH})
-	go build -C cmd/cli -o ${CLI_BIN_PATH} .
-
-.PHONY: gen-cli build-cli update-wiki
 update-wiki:
 	DOCS_DIR=${DOCS_DIR} REPO_URL=${REPO_URL} bun --bun scripts/update-wiki/main.ts

agent/go.mod

@@ -1,10 +1,12 @@
 module github.com/yusing/godoxy/agent
 
-go 1.26.0
+go 1.26.1
 
 exclude (
 	github.com/moby/moby/api v1.53.0 // allow older daemon versions
+	github.com/moby/moby/api v1.54.0 // allow older daemon versions
 	github.com/moby/moby/client v0.2.2 // allow older daemon versions
+	github.com/moby/moby/client v0.3.0 // allow older daemon versions
 )
 
 replace (
@@ -21,13 +23,13 @@ exclude github.com/containerd/nerdctl/mod/tigron v0.0.0
 
 require (
 	github.com/bytedance/sonic v1.15.0
-	github.com/gin-gonic/gin v1.11.0
+	github.com/gin-gonic/gin v1.12.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/pion/dtls/v3 v3.1.2
 	github.com/pion/transport/v3 v3.1.1
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.11.1
-	github.com/yusing/godoxy v0.26.0
+	github.com/yusing/godoxy v0.27.2
 	github.com/yusing/godoxy/socketproxy v0.0.0-00010101000000-000000000000
 	github.com/yusing/goutils v0.7.0
 )
@@ -43,10 +45,10 @@ require (
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v29.2.1+incompatible // indirect
+	github.com/docker/cli v29.3.0+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
@@ -81,7 +83,7 @@ require (
 	github.com/puzpuzpuz/xsync/v4 v4.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
-	github.com/shirou/gopsutil/v4 v4.26.1 // indirect
+	github.com/shirou/gopsutil/v4 v4.26.2 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/tklauser/go-sysconf v0.3.16 // indirect
 	github.com/tklauser/numcpus v0.11.0 // indirect
@@ -91,18 +93,19 @@ require (
 	github.com/valyala/fasthttp v1.69.0 // indirect
 	github.com/yusing/ds v0.4.1 // indirect
 	github.com/yusing/gointernals v0.2.0 // indirect
-	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260218062549-0b0fa3a059ec // indirect
-	github.com/yusing/goutils/http/websocket v0.0.0-20260218062549-0b0fa3a059ec // indirect
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260228084019-4912690d409d // indirect
+	github.com/yusing/goutils/http/websocket v0.0.0-20260228084019-4912690d409d // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
-	golang.org/x/arch v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	golang.org/x/arch v0.25.0 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

agent/go.sum

@@ -37,14 +37,14 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg=
-github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
+github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
-github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/ISU=
+github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -53,8 +53,8 @@ github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
 github.com/go-acme/lego/v4 v4.32.0 h1:z7Ss7aa1noabhKj+DBzhNCO2SM96xhE3b0ucVW3x8Tc=
 github.com/go-acme/lego/v4 v4.32.0/go.mod h1:lI2fZNdgeM/ymf9xQ9YKbgZm6MeDuf91UrohMQE4DhI=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
@@ -93,8 +93,8 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotify/server/v2 v2.9.0 h1:2zRCl28wkq0oc6YNbyJS2n0dDOOVvOS3Oez5AG2ij54=
-github.com/gotify/server/v2 v2.9.0/go.mod h1:249wwlUqHTr0QsiKARGtFVqds0pNLIMjYLinHyMACdQ=
+github.com/gotify/server/v2 v2.9.1 h1:wsQUCdYJ4ZvP7RIRKDLtAtmFQc3kxbrv3QqccO5RWzs=
+github.com/gotify/server/v2 v2.9.1/go.mod h1:8scw0hiExomp4rJDrXBwRIcgQm7kv74P4Z4B+iM4l8w=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
@@ -115,8 +115,8 @@ github.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88 h1:PTw+yKnXcOFCR6
 github.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
 github.com/luthermonson/go-proxmox v0.4.0 h1:LKXpG9d64zTaQF79wV0kfOnnSwIcdG39m7sc4ga+XZs=
 github.com/luthermonson/go-proxmox v0.4.0/go.mod h1:U6dAkJ+iiwaeb1g/LMWpWuWN4nmvWeXhmoMuYJMumS4=
-github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
-github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/magefile/mage v1.16.0 h1:2naaPmNwrMicCdLBCRDw288hcyClO9lmnm6FMpXyJ5I=
+github.com/magefile/mage v1.16.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -172,8 +172,8 @@ github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
-github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/lo v1.53.0 h1:t975lj2py4kJPQ6haz1QMgtId2gtmfktACxIXArw3HM=
+github.com/samber/lo v1.53.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 github.com/samber/slog-common v0.20.0 h1:WaLnm/aCvBJSk5nR5aXZTFBaV0B47A+AEaEOiZDeUnc=
 github.com/samber/slog-common v0.20.0/go.mod h1:+Ozat1jgnnE59UAlmNX1IF3IByHsODnnwf9jUcBZ+m8=
 github.com/samber/slog-zerolog/v2 v2.9.1 h1:RMOq8XqzfuGx1X0TEIlS9OXbbFmqLY2/wJppghz66YY=
@@ -214,48 +214,50 @@ github.com/yusing/gointernals v0.2.0 h1:jyWB3kdUPkuU6s0r8QY/sS5h2WNBF4Kfisly8dtS
 github.com/yusing/gointernals v0.2.0/go.mod h1:xGzNbPGMm5Z8kG0t4JYISMscw+gMQlgghkLxlgRZv5Y=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
-golang.org/x/arch v0.24.0 h1:qlJ3M9upxvFfwRM51tTg3Yl+8CP9vCC1E7vlFpgv99Y=
-golang.org/x/arch v0.24.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+golang.org/x/arch v0.25.0 h1:qnk6Ksugpi5Bz32947rkUgDt9/s5qvqDPl/gBKdMJLE=
+golang.org/x/arch v0.25.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
 golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
 golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

cmd/bench_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.26.0-alpine AS builder
+FROM golang:1.26.1-alpine AS builder
 
 HEALTHCHECK NONE
 

cmd/bench_server/go.mod

@@ -1,3 +1,3 @@
 module github.com/yusing/godoxy/cmd/bench_server
 
-go 1.26.0
+go 1.26.1

cmd/cli/go.mod

@@ -1,6 +1,6 @@
 module github.com/yusing/godoxy/cli
 
-go 1.26.0
+go 1.26.1
 
 require (
 	github.com/gorilla/websocket v1.5.3

cmd/h2c_test_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.26.0-alpine AS builder
+FROM golang:1.26.1-alpine AS builder
 
 HEALTHCHECK NONE
 

cmd/h2c_test_server/go.mod

@@ -1,7 +1,7 @@
 module github.com/yusing/godoxy/cmd/h2c_test_server
 
-go 1.26.0
+go 1.26.1
 
-require golang.org/x/net v0.50.0
+require golang.org/x/net v0.51.0
 
 require golang.org/x/text v0.34.0 // indirect

cmd/h2c_test_server/go.sum

@@ -1,4 +1,4 @@
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=

config.example.yml

@@ -52,6 +52,9 @@ entrypoint:
   # Note that HTTP/3 with proxy protocol is not supported yet.
   support_proxy_protocol: false
 
+  # To relay the client address to a TCP upstream, enable `relay_proxy_protocol_header: true`
+  # on that specific TCP route. UDP relay is not supported yet.
+
   # Below define an example of middleware config
   # 1. set security headers
   # 2. block non local IP connections

examples/docker-compose/netbird.yml

@@ -0,0 +1,46 @@
+services:
+  netbird-dashboard:
+    image: netbirdio/dashboard:latest
+    container_name: netbird-dashboard
+    restart: unless-stopped
+    networks: [netbird-net]
+    env_file: dashboard.env
+    labels:
+      proxy.aliases: netbird
+      proxy.#1.port: 80
+      proxy.#1.scheme: http
+      proxy.#1.homepage.name: NetBird
+      proxy.#1.homepage.icon: "@selfhst/netbird.svg"
+      proxy.#1.homepage.category: networking
+      proxy.#1.rules: | # https://docs.netbird.io/selfhosted/configuration-files
+        path glob(/signalexchange.SignalExchange/**) | path glob(/management.ManagementService/**) | path glob(/management.ProxyService/**) {
+          route netbird-grpc
+        }
+        path glob(/relay*) | path glob(/ws-proxy/**) | path glob(/api*) | path glob(/oauth2*) {
+          route netbird-api
+        }
+        default {
+          pass
+        }
+  netbird-server:
+    image: netbirdio/netbird-server:latest
+    container_name: netbird-server
+    restart: unless-stopped
+    networks:
+      - netbird-net
+    volumes:
+      - netbird_data:/var/lib/netbird
+      - ./config.yaml:/etc/netbird/config.yaml
+    command: ["--config", "/etc/netbird/config.yaml"]
+    labels:
+      proxy.aliases: netbird-api, netbird-grpc
+      proxy.*.port: 80
+      proxy.*.homepage.show: false
+      proxy.#1.scheme: http
+      proxy.#2.scheme: h2c
+
+networks:
+  netbird-net:
+
+volumes:
+  netbird_data:

go.mod

@@ -1,10 +1,12 @@
 module github.com/yusing/godoxy
 
-go 1.26.0
+go 1.26.1
 
 exclude (
 	github.com/moby/moby/api v1.53.0 // allow older daemon versions
+	github.com/moby/moby/api v1.54.0 // allow older daemon versions
 	github.com/moby/moby/client v0.2.2 // allow older daemon versions
+	github.com/moby/moby/client v0.3.0 // allow older daemon versions
 )
 
 replace (
@@ -24,28 +26,28 @@ require (
 	github.com/cenkalti/backoff/v5 v5.0.3 // backoff for retrying operations
 	github.com/coreos/go-oidc/v3 v3.17.0 // oidc authentication
 	github.com/fsnotify/fsnotify v1.9.0 // file watcher
-	github.com/gin-gonic/gin v1.11.0 // api server
+	github.com/gin-gonic/gin v1.12.0 // api server
 	github.com/go-acme/lego/v4 v4.32.0 // acme client
 	github.com/go-playground/validator/v10 v10.30.1 // validator
 	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
 	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
-	github.com/gotify/server/v2 v2.9.0 // reference the Message struct for json response
+	github.com/gotify/server/v2 v2.9.1 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
 	github.com/pires/go-proxyproto v0.11.0 // proxy protocol support
 	github.com/puzpuzpuz/xsync/v4 v4.4.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
 	golang.org/x/crypto v0.48.0 // encrypting password with bcrypt
-	golang.org/x/net v0.50.0 // HTTP header utilities
-	golang.org/x/oauth2 v0.35.0 // oauth2 authentication
-	golang.org/x/sync v0.19.0 // errgroup and singleflight for concurrent operations
-	golang.org/x/time v0.14.0 // time utilities
+	golang.org/x/net v0.51.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.36.0 // oauth2 authentication
+	golang.org/x/sync v0.20.0 // errgroup and singleflight for concurrent operations
+	golang.org/x/time v0.15.0 // time utilities
 )
 
 require (
 	github.com/bytedance/gopkg v0.1.3 // xxhash64 for fast hash
 	github.com/bytedance/sonic v1.15.0 // fast json parsing
-	github.com/docker/cli v29.2.1+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
+	github.com/docker/cli v29.3.0+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
 	github.com/goccy/go-yaml v1.19.2 // yaml parsing for different config files
 	github.com/golang-jwt/jwt/v5 v5.3.1 // jwt authentication
 	github.com/luthermonson/go-proxmox v0.4.0 // proxmox API client
@@ -53,18 +55,18 @@ require (
 	github.com/moby/moby/client v0.2.1 // docker client
 	github.com/oschwald/maxminddb-golang v1.13.1 // maxminddb for geoip database
 	github.com/quic-go/quic-go v0.59.0 // http3 support
-	github.com/shirou/gopsutil/v4 v4.26.1 // system information
+	github.com/shirou/gopsutil/v4 v4.26.2 // system information
 	github.com/spf13/afero v1.15.0 // afero for file system operations
 	github.com/stretchr/testify v1.11.1 // testing framework
 	github.com/valyala/fasthttp v1.69.0 // fast http for health check
 	github.com/yusing/ds v0.4.1 // data structures and algorithms
-	github.com/yusing/godoxy/agent v0.0.0-20260218101334-add7884a365e
-	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20260218101334-add7884a365e
+	github.com/yusing/godoxy/agent v0.0.0-20260228194043-59238adb5b6e
+	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20260228194043-59238adb5b6e
 	github.com/yusing/gointernals v0.2.0
 	github.com/yusing/goutils v0.7.0
-	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260218062549-0b0fa3a059ec
-	github.com/yusing/goutils/http/websocket v0.0.0-20260218062549-0b0fa3a059ec
-	github.com/yusing/goutils/server v0.0.0-20260218062549-0b0fa3a059ec
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260228084019-4912690d409d
+	github.com/yusing/goutils/http/websocket v0.0.0-20260228084019-4912690d409d
+	github.com/yusing/goutils/server v0.0.0-20260228084019-4912690d409d
 )
 
 require (
@@ -77,7 +79,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
@@ -88,7 +90,7 @@ require (
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
@@ -99,7 +101,7 @@ require (
 	github.com/gofrs/flock v0.13.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.12 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
@@ -107,7 +109,7 @@ require (
 	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/magefile/mage v1.15.0 // indirect
+	github.com/magefile/mage v1.16.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.72 // indirect
@@ -124,7 +126,7 @@ require (
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
-	github.com/samber/lo v1.52.0 // indirect
+	github.com/samber/lo v1.53.0 // indirect
 	github.com/samber/slog-common v0.20.0 // indirect
 	github.com/samber/slog-zerolog/v2 v2.9.1 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
@@ -132,19 +134,19 @@ require (
 	github.com/sony/gobreaker v1.0.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0
+	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.uber.org/atomic v1.11.0
 	go.uber.org/ratelimit v0.3.1 // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect
-	google.golang.org/api v0.267.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect
-	google.golang.org/grpc v1.79.1 // indirect
+	google.golang.org/api v0.270.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/grpc v1.79.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -172,11 +174,11 @@ require (
 	github.com/klauspost/compress v1.18.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
-	github.com/linode/linodego v1.65.0 // indirect
+	github.com/linode/linodego v1.66.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.109.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.109.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pion/dtls/v3 v3.1.2 // indirect
 	github.com/pion/logging v0.2.4 // indirect
@@ -190,7 +192,8 @@ require (
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/vultr/govultr/v3 v3.27.0 // indirect
+	github.com/vultr/govultr/v3 v3.28.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	golang.org/x/arch v0.24.0 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
+	golang.org/x/arch v0.25.0 // indirect
 )

go.sum

@@ -25,8 +25,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 h1:4iB+IesclUXdP0ICgAabvq2FYLXrJWKx1fJQ+GxSo3Y=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
@@ -76,14 +76,14 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg=
-github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
+github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
-github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/ISU=
+github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
 github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
@@ -98,8 +98,8 @@ github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
 github.com/go-acme/lego/v4 v4.32.0 h1:z7Ss7aa1noabhKj+DBzhNCO2SM96xhE3b0ucVW3x8Tc=
 github.com/go-acme/lego/v4 v4.32.0/go.mod h1:lI2fZNdgeM/ymf9xQ9YKbgZm6MeDuf91UrohMQE4DhI=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
@@ -151,14 +151,14 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.12 h1:Fg+zsqzYEs1ZnvmcztTYxhgCBsx3eEhEwQ1W/lHq/sQ=
-github.com/googleapis/enterprise-certificate-proxy v0.3.12/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
 github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotify/server/v2 v2.9.0 h1:2zRCl28wkq0oc6YNbyJS2n0dDOOVvOS3Oez5AG2ij54=
-github.com/gotify/server/v2 v2.9.0/go.mod h1:249wwlUqHTr0QsiKARGtFVqds0pNLIMjYLinHyMACdQ=
+github.com/gotify/server/v2 v2.9.1 h1:wsQUCdYJ4ZvP7RIRKDLtAtmFQc3kxbrv3QqccO5RWzs=
+github.com/gotify/server/v2 v2.9.1/go.mod h1:8scw0hiExomp4rJDrXBwRIcgQm7kv74P4Z4B+iM4l8w=
 github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
 github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
@@ -191,14 +191,14 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/linode/linodego v1.65.0 h1:SdsuGD8VSsPWeShXpE7ihl5vec+fD3MgwhnfYC/rj7k=
-github.com/linode/linodego v1.65.0/go.mod h1:tOFiTErdjkbVnV+4S0+NmIE9dqqZUEM2HsJaGu8wMh8=
+github.com/linode/linodego v1.66.0 h1:rK8QJFaV53LWOEJvb/evhTg/dP5ElvtuZmx4iv4RJds=
+github.com/linode/linodego v1.66.0/go.mod h1:12ykGs9qsvxE+OU3SXuW2w+DTruWF35FPlXC7gGk2tU=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88 h1:PTw+yKnXcOFCR6+8hHTyWBeQ/P4Nb7dd4/0ohEcWQuM=
 github.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
-github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/magefile/mage v1.16.0 h1:2naaPmNwrMicCdLBCRDw288hcyClO9lmnm6FMpXyJ5I=
+github.com/magefile/mage v1.16.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -227,10 +227,10 @@ github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0
 github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
 github.com/nrdcg/goinwx v0.12.0 h1:ujdUqDBnaRSFwzVnImvPHYw3w3m9XgmGImNUw1GyMb4=
 github.com/nrdcg/goinwx v0.12.0/go.mod h1:IrVKd3ZDbFiMjdPgML4CSxZAY9wOoqLvH44zv3NodJ0=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2 h1:OWijzl3nHUApvTivl+3+78dbBwmyEHOnb+W9m6ixGbk=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2 h1:9LsjN/zaIN7H8JE61NHpbWhxF0UGY96+kMlk3g8OvGU=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2/go.mod h1:32vZH06TuwZSn+IDMO1qcDvC2vHVlzUALCwXGWPA+dc=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.109.0 h1:r/RTdSUa7oUSTkDku6Bz8QTcYr5nhoiCURAgFZ0Z7EY=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.109.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.109.0 h1:dia9msUR1RHXMn4RHiyOI/8Ud2v3EZyDoHGVRTaq3/I=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.109.0/go.mod h1:xUUiSvfkzsJIhCtjNE15qvfdHORt+9C2uRRtbz10R4Q=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -276,8 +276,8 @@ github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
-github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/lo v1.53.0 h1:t975lj2py4kJPQ6haz1QMgtId2gtmfktACxIXArw3HM=
+github.com/samber/lo v1.53.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 github.com/samber/slog-common v0.20.0 h1:WaLnm/aCvBJSk5nR5aXZTFBaV0B47A+AEaEOiZDeUnc=
 github.com/samber/slog-common v0.20.0/go.mod h1:+Ozat1jgnnE59UAlmNX1IF3IByHsODnnwf9jUcBZ+m8=
 github.com/samber/slog-zerolog/v2 v2.9.1 h1:RMOq8XqzfuGx1X0TEIlS9OXbbFmqLY2/wJppghz66YY=
@@ -320,8 +320,8 @@ github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZy
 github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
-github.com/vultr/govultr/v3 v3.27.0 h1:J8etMyu/Jh5+idMsu2YZpOWmDXXHeW4VZnkYXmJYHx8=
-github.com/vultr/govultr/v3 v3.27.0/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
+github.com/vultr/govultr/v3 v3.28.1 h1:KR3LhppYARlBujY7+dcrE7YKL0Yo9qXL+msxykKQrLI=
+github.com/vultr/govultr/v3 v3.28.1/go.mod h1:2zyUw9yADQaGwKnwDesmIOlBNLrm7edsCfWHFJpWKf8=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
@@ -333,30 +333,32 @@ github.com/yusing/gointernals v0.2.0 h1:jyWB3kdUPkuU6s0r8QY/sS5h2WNBF4Kfisly8dtS
 github.com/yusing/gointernals v0.2.0/go.mod h1:xGzNbPGMm5Z8kG0t4JYISMscw+gMQlgghkLxlgRZv5Y=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
 go.uber.org/ratelimit v0.3.1/go.mod h1:6euWsTB6U/Nb3X++xEUXA8ciPJvr19Q/0h1+oDcJhRk=
-golang.org/x/arch v0.24.0 h1:qlJ3M9upxvFfwRM51tTg3Yl+8CP9vCC1E7vlFpgv99Y=
-golang.org/x/arch v0.24.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/arch v0.25.0 h1:qnk6Ksugpi5Bz32947rkUgDt9/s5qvqDPl/gBKdMJLE=
+golang.org/x/arch v0.25.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
@@ -381,10 +383,10 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -392,8 +394,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -412,8 +414,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -434,8 +436,8 @@ golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -447,16 +449,16 @@ golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
-google.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0=
+google.golang.org/api v0.270.0 h1:4rJZbIuWSTohczG9mG2ukSDdt9qKx4sSSHIydTN26L4=
+google.golang.org/api v0.270.0/go.mod h1:5+H3/8DlXpQWrSz4RjGGwz5HfJAQSEI8Bc6JqQNH77U=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/api/v1/docs/swagger.json

@@ -5125,10 +5125,7 @@
           "$ref": "#/definitions/MockResponse"
         },
         "rules": {
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/routeApi.RawRule"
-          },
+          "type": "string",
           "x-nullable": false,
           "x-omitempty": false
         }
@@ -6926,28 +6923,6 @@
       "x-nullable": false,
       "x-omitempty": false
     },
-    "routeApi.RawRule": {
-      "type": "object",
-      "properties": {
-        "do": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "name": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "on": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        }
-      },
-      "x-nullable": false,
-      "x-omitempty": false
-    },
     "routeApi.RoutesByProvider": {
       "type": "object",
       "additionalProperties": {

internal/api/v1/docs/swagger.yaml

@@ -905,9 +905,7 @@ definitions:
       mockResponse:
         $ref: '#/definitions/MockResponse'
       rules:
-        items:
-          $ref: '#/definitions/routeApi.RawRule'
-        type: array
+        type: string
     required:
     - rules
     type: object
@@ -1858,15 +1856,6 @@ definitions:
       uptime:
         type: string
     type: object
-  routeApi.RawRule:
-    properties:
-      do:
-        type: string
-      name:
-        type: string
-      "on":
-        type: string
-    type: object
   routeApi.RoutesByProvider:
     additionalProperties:
       items:

internal/api/v1/route/playground.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/goccy/go-yaml"
 	"github.com/yusing/godoxy/internal/common"
 	"github.com/yusing/godoxy/internal/route/rules"
 	apitypes "github.com/yusing/goutils/apitypes"
@@ -23,7 +24,7 @@ type RawRule struct {
 }
 
 type PlaygroundRequest struct {
-	Rules        []RawRule    `json:"rules" binding:"required"`
+	Rules        string       `json:"rules" binding:"required"`
 	MockRequest  MockRequest  `json:"mockRequest"`
 	MockResponse MockResponse `json:"mockResponse"`
 } // @name PlaygroundRequest
@@ -255,7 +256,35 @@ func handlerWithRecover(w http.ResponseWriter, r *http.Request, h http.HandlerFu
 	h(w, r)
 }
 
-func parseRules(rawRules []RawRule) ([]ParsedRule, rules.Rules, error) {
+func parseRules(config string) ([]ParsedRule, rules.Rules, error) {
+	config = strings.TrimSpace(config)
+	if config == "" {
+		return []ParsedRule{}, nil, nil
+	}
+
+	var rawRules []RawRule
+	if err := yaml.Unmarshal([]byte(config), &rawRules); err == nil && len(rawRules) > 0 {
+		return parseRawRules(rawRules)
+	}
+
+	var rulesList rules.Rules
+	if err := rulesList.Parse(config); err != nil {
+		return nil, nil, err
+	}
+
+	parsedRules := make([]ParsedRule, 0, len(rulesList))
+	for _, rule := range rulesList {
+		parsedRules = append(parsedRules, ParsedRule{
+			Name: rule.Name,
+			On:   rule.On.String(),
+			Do:   rule.Do.String(),
+		})
+	}
+
+	return parsedRules, rulesList, nil
+}
+
+func parseRawRules(rawRules []RawRule) ([]ParsedRule, rules.Rules, error) {
 	parsedRules := make([]ParsedRule, 0, len(rawRules))
 	rulesList := make(rules.Rules, 0, len(rawRules))
 

internal/api/v1/route/playground_test.go

@@ -22,13 +22,10 @@ func TestPlayground(t *testing.T) {
 		{
 			name: "simple path matching rule",
 			request: PlaygroundRequest{
-				Rules: []RawRule{
-					{
-						Name: "test rule",
-						On:   "path /api",
-						Do:   "pass",
-					},
-				},
+				Rules: `- name: test rule
+  on: path /api
+  do: pass
+`,
 				MockRequest: MockRequest{
 					Method: "GET",
 					Path:   "/api",
@@ -53,13 +50,10 @@ func TestPlayground(t *testing.T) {
 		{
 			name: "header matching rule",
 			request: PlaygroundRequest{
-				Rules: []RawRule{
-					{
-						Name: "check user agent",
-						On:   "header User-Agent Chrome",
-						Do:   "error 403 Forbidden",
-					},
-				},
+				Rules: `- name: check user agent
+  on: header User-Agent Chrome
+  do: error 403 Forbidden
+`,
 				MockRequest: MockRequest{
 					Method: "GET",
 					Path:   "/",
@@ -90,13 +84,10 @@ func TestPlayground(t *testing.T) {
 		{
 			name: "invalid rule syntax",
 			request: PlaygroundRequest{
-				Rules: []RawRule{
-					{
-						Name: "bad rule",
-						On:   "invalid_checker something",
-						Do:   "pass",
-					},
-				},
+				Rules: `- name: bad rule
+  on: invalid_checker something
+  do: pass
+`,
 				MockRequest: MockRequest{
 					Method: "GET",
 					Path:   "/",
@@ -115,13 +106,10 @@ func TestPlayground(t *testing.T) {
 		{
 			name: "rewrite path rule",
 			request: PlaygroundRequest{
-				Rules: []RawRule{
-					{
-						Name: "rewrite rule",
-						On:   "path glob(/api/*)",
-						Do:   "rewrite /api/ /v1/",
-					},
-				},
+				Rules: `- name: rewrite rule
+  on: path glob(/api/*)
+  do: rewrite /api/ /v1/
+`,
 				MockRequest: MockRequest{
 					Method: "GET",
 					Path:   "/api/users",
@@ -148,13 +136,10 @@ func TestPlayground(t *testing.T) {
 		{
 			name: "method matching rule",
 			request: PlaygroundRequest{
-				Rules: []RawRule{
-					{
-						Name: "block POST",
-						On:   "method POST",
-						Do:   `error "405" "Method Not Allowed"`,
-					},
-				},
+				Rules: `- name: block POST
+  on: method POST
+  do: error "405" "Method Not Allowed"
+`,
 				MockRequest: MockRequest{
 					Method: "POST",
 					Path:   "/api",
@@ -173,6 +158,63 @@ func TestPlayground(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "block syntax default rule",
+			request: PlaygroundRequest{
+				Rules: `default {
+  pass
+}`,
+				MockRequest: MockRequest{
+					Method: "GET",
+					Path:   "/",
+				},
+			},
+			wantStatusCode: http.StatusOK,
+			checkResponse: func(t *testing.T, resp PlaygroundResponse) {
+				if len(resp.ParsedRules) != 1 {
+					t.Errorf("expected 1 parsed rule, got %d", len(resp.ParsedRules))
+				}
+				if resp.ParsedRules[0].ValidationError != nil {
+					t.Errorf("expected rule to be valid, got error: %v", resp.ParsedRules[0].ValidationError)
+				}
+				if !resp.UpstreamCalled {
+					t.Error("expected upstream to be called")
+				}
+			},
+		},
+		{
+			name: "block syntax conditional rule",
+			request: PlaygroundRequest{
+				Rules: `header User-Agent Chrome {
+  error 403 Forbidden
+}`,
+				MockRequest: MockRequest{
+					Method: "GET",
+					Path:   "/",
+					Headers: map[string][]string{
+						"User-Agent": {"Chrome"},
+					},
+				},
+			},
+			wantStatusCode: http.StatusOK,
+			checkResponse: func(t *testing.T, resp PlaygroundResponse) {
+				if len(resp.ParsedRules) != 1 {
+					t.Errorf("expected 1 parsed rule, got %d", len(resp.ParsedRules))
+				}
+				if resp.ParsedRules[0].ValidationError != nil {
+					t.Errorf("expected rule to be valid, got error: %v", resp.ParsedRules[0].ValidationError)
+				}
+				if len(resp.MatchedRules) != 1 {
+					t.Errorf("expected 1 matched rule, got %d", len(resp.MatchedRules))
+				}
+				if resp.FinalResponse.StatusCode != http.StatusForbidden {
+					t.Errorf("expected status 403, got %d", resp.FinalResponse.StatusCode)
+				}
+				if resp.UpstreamCalled {
+					t.Error("expected upstream not to be called")
+				}
+			},
+		},
 	}
 
 	for _, tt := range tests {

internal/dnsproviders/go.mod

@@ -1,12 +1,12 @@
 module github.com/yusing/godoxy/internal/dnsproviders
 
-go 1.26.0
+go 1.26.1
 
 replace github.com/yusing/godoxy => ../..
 
 require (
 	github.com/go-acme/lego/v4 v4.32.0
-	github.com/yusing/godoxy v0.26.0
+	github.com/yusing/godoxy v0.27.2
 )
 
 require (
@@ -19,7 +19,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/boombuler/barcode v1.1.0 // indirect
@@ -48,16 +48,16 @@ require (
 	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.12 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
-	github.com/gotify/server/v2 v2.9.0 // indirect
+	github.com/gotify/server/v2 v2.9.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.65.0 // indirect
+	github.com/linode/linodego v1.66.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/maxatome/go-testdeep v1.14.0 // indirect
@@ -65,8 +65,8 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.109.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.109.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
@@ -79,28 +79,28 @@ require (
 	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/vultr/govultr/v3 v3.27.0 // indirect
+	github.com/vultr/govultr/v3 v3.28.1 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusing/gointernals v0.2.0 // indirect
 	github.com/yusing/goutils v0.7.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
-	golang.org/x/arch v0.24.0 // indirect
+	golang.org/x/arch v0.25.0 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
-	golang.org/x/oauth2 v0.35.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect
-	google.golang.org/api v0.267.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect
-	google.golang.org/grpc v1.79.1 // indirect
+	google.golang.org/api v0.270.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/grpc v1.79.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

internal/dnsproviders/go.sum

@@ -25,8 +25,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 h1:4iB+IesclUXdP0ICgAabvq2FYLXrJWKx1fJQ+GxSo3Y=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 h1:h/33OxYLqBk0BYmEbSUy7MlvgQR/m1w1/7OJFKoPL1I=
 github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0/go.mod h1:rvh3imDA6EaQi+oM/GQHkQAOHbXPKJ7EWJvfjuw141Q=
 github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
@@ -103,12 +103,12 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.12 h1:Fg+zsqzYEs1ZnvmcztTYxhgCBsx3eEhEwQ1W/lHq/sQ=
-github.com/googleapis/enterprise-certificate-proxy v0.3.12/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
 github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
-github.com/gotify/server/v2 v2.9.0 h1:2zRCl28wkq0oc6YNbyJS2n0dDOOVvOS3Oez5AG2ij54=
-github.com/gotify/server/v2 v2.9.0/go.mod h1:249wwlUqHTr0QsiKARGtFVqds0pNLIMjYLinHyMACdQ=
+github.com/gotify/server/v2 v2.9.1 h1:wsQUCdYJ4ZvP7RIRKDLtAtmFQc3kxbrv3QqccO5RWzs=
+github.com/gotify/server/v2 v2.9.1/go.mod h1:8scw0hiExomp4rJDrXBwRIcgQm7kv74P4Z4B+iM4l8w=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
@@ -131,8 +131,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/linode/linodego v1.65.0 h1:SdsuGD8VSsPWeShXpE7ihl5vec+fD3MgwhnfYC/rj7k=
-github.com/linode/linodego v1.65.0/go.mod h1:tOFiTErdjkbVnV+4S0+NmIE9dqqZUEM2HsJaGu8wMh8=
+github.com/linode/linodego v1.66.0 h1:rK8QJFaV53LWOEJvb/evhTg/dP5ElvtuZmx4iv4RJds=
+github.com/linode/linodego v1.66.0/go.mod h1:12ykGs9qsvxE+OU3SXuW2w+DTruWF35FPlXC7gGk2tU=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -150,10 +150,10 @@ github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0
 github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
 github.com/nrdcg/goinwx v0.12.0 h1:ujdUqDBnaRSFwzVnImvPHYw3w3m9XgmGImNUw1GyMb4=
 github.com/nrdcg/goinwx v0.12.0/go.mod h1:IrVKd3ZDbFiMjdPgML4CSxZAY9wOoqLvH44zv3NodJ0=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2 h1:OWijzl3nHUApvTivl+3+78dbBwmyEHOnb+W9m6ixGbk=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2 h1:9LsjN/zaIN7H8JE61NHpbWhxF0UGY96+kMlk3g8OvGU=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2/go.mod h1:32vZH06TuwZSn+IDMO1qcDvC2vHVlzUALCwXGWPA+dc=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.109.0 h1:r/RTdSUa7oUSTkDku6Bz8QTcYr5nhoiCURAgFZ0Z7EY=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.109.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.109.0 h1:dia9msUR1RHXMn4RHiyOI/8Ud2v3EZyDoHGVRTaq3/I=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.109.0/go.mod h1:xUUiSvfkzsJIhCtjNE15qvfdHORt+9C2uRRtbz10R4Q=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/ovh/go-ovh v1.9.0 h1:6K8VoL3BYjVV3In9tPJUdT7qMx9h0GExN9EXx1r2kKE=
@@ -193,8 +193,8 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/vultr/govultr/v3 v3.27.0 h1:J8etMyu/Jh5+idMsu2YZpOWmDXXHeW4VZnkYXmJYHx8=
-github.com/vultr/govultr/v3 v3.27.0/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
+github.com/vultr/govultr/v3 v3.28.1 h1:KR3LhppYARlBujY7+dcrE7YKL0Yo9qXL+msxykKQrLI=
+github.com/vultr/govultr/v3 v3.28.1/go.mod h1:2zyUw9yADQaGwKnwDesmIOlBNLrm7edsCfWHFJpWKf8=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/yusing/gointernals v0.2.0 h1:jyWB3kdUPkuU6s0r8QY/sS5h2WNBF4Kfisly8dtSVvg=
@@ -205,60 +205,60 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
 go.uber.org/ratelimit v0.3.1/go.mod h1:6euWsTB6U/Nb3X++xEUXA8ciPJvr19Q/0h1+oDcJhRk=
-golang.org/x/arch v0.24.0 h1:qlJ3M9upxvFfwRM51tTg3Yl+8CP9vCC1E7vlFpgv99Y=
-golang.org/x/arch v0.24.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/arch v0.25.0 h1:qnk6Ksugpi5Bz32947rkUgDt9/s5qvqDPl/gBKdMJLE=
+golang.org/x/arch v0.25.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
 golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
 golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
-google.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0=
+google.golang.org/api v0.270.0 h1:4rJZbIuWSTohczG9mG2ukSDdt9qKx4sSSHIydTN26L4=
+google.golang.org/api v0.270.0/go.mod h1:5+H3/8DlXpQWrSz4RjGGwz5HfJAQSEI8Bc6JqQNH77U=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/entrypoint/README.md

@@ -122,9 +122,9 @@ classDiagram
         +accessLogger AccessLogger
         +findRouteFunc findRouteFunc
         +shortLinkMatcher *ShortLinkMatcher
-        +streamRoutes *pool.Pool[types.StreamRoute]
-        +excludedRoutes *pool.Pool[types.Route]
-        +servers *xsync.Map[string, *httpServer]
+        +streamRoutes *pool.Pool\[types.StreamRoute\]
+        +excludedRoutes *pool.Pool\[types.Route\]
+        +servers *xsync.Map\[string, *httpServer\]
         +SupportProxyProtocol() bool
         +StartAddRoute(r) error
         +IterRoutes(yield)
@@ -132,7 +132,7 @@ classDiagram
     }
 
     class httpServer {
-        +routes *pool.Pool[types.HTTPRoute]
+        +routes *pool.Pool\[types.HTTPRoute\]
         +ServeHTTP(w, r)
         +AddRoute(route)
         +DelRoute(route)
@@ -154,8 +154,8 @@ classDiagram
     }
 
     class ShortLinkMatcher {
-        +fqdnRoutes *xsync.Map[string, string]
-        +subdomainRoutes *xsync.Map[string, struct{}]
+        +fqdnRoutes *xsync.Map\[string, string\]
+        +subdomainRoutes *xsync.Map\[string, emptyStruct\]
         +ServeHTTP(w, r)
         +AddRoute(alias)
         +DelRoute(alias)

internal/metrics/systeminfo/system_info.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net/url"
+	"strings"
 	"syscall"
 	"time"
 
@@ -152,19 +153,24 @@ func (s *SystemInfo) collectDisksInfo(ctx context.Context, lastResult *SystemInf
 		}
 	}
 
-	partitions, err := disk.PartitionsWithContext(ctx, false)
+	partitions, err := disk.PartitionsWithContext(ctx, true)
 	if err != nil {
 		return err
 	}
+
 	s.Disks = make(map[string]disk.UsageStat, len(partitions))
 	errs := gperr.NewBuilder("failed to get disks info")
 	for _, partition := range partitions {
+		if !shouldCollectPartition(partition) {
+			continue
+		}
 		diskInfo, err := disk.UsageWithContext(ctx, partition.Mountpoint)
 		if err != nil {
 			errs.Add(err)
 			continue
 		}
-		s.Disks[partition.Device] = diskInfo
+		key := diskKey(partition)
+		s.Disks[key] = diskInfo
 	}
 
 	if errs.HasError() {
@@ -176,6 +182,41 @@ func (s *SystemInfo) collectDisksInfo(ctx context.Context, lastResult *SystemInf
 	return nil
 }
 
+func shouldCollectPartition(partition disk.PartitionStat) bool {
+	if partition.Mountpoint == "/" {
+		return true
+	}
+
+	if partition.Mountpoint == "" {
+		return false
+	}
+
+	// includes WSL mounts like /mnt/c, but exclude /mnt/ itself and /mnt/wsl*
+	if len(partition.Mountpoint) >= len("/mnt/") &&
+		strings.HasPrefix(partition.Mountpoint, "/mnt/") &&
+		!strings.HasPrefix(partition.Mountpoint, "/mnt/wsl") {
+		return true
+	}
+
+	if strings.HasPrefix(partition.Device, "/dev/") {
+		return true
+	}
+
+	return false
+}
+
+func diskKey(partition disk.PartitionStat) string {
+	if partition.Device == "" || partition.Device == "none" {
+		return partition.Mountpoint
+	}
+
+	if partition.Device == "/dev/root" {
+		return partition.Mountpoint
+	}
+
+	return partition.Device
+}
+
 func (s *SystemInfo) collectNetworkInfo(ctx context.Context, lastResult *SystemInfo) error {
 	networkIO, err := net.IOCountersWithContext(ctx, false)
 	if err != nil {

internal/net/gphttp/middleware/README.md

@@ -13,6 +13,8 @@ This package implements a flexible HTTP middleware system for GoDoxy. Middleware
 - **Bypass Rules**: Skip middleware based on request properties
 - **Dynamic Loading**: Load middleware definitions from files at runtime
 
+Response body rewriting is only applied to unencoded, text-like content types (for example `text/*`, JSON, YAML, XML). Response status and headers can always be modified.
+
 ## Architecture
 
 ```mermaid

internal/net/gphttp/middleware/custom_error_page.go

@@ -20,6 +20,8 @@ var CustomErrorPage = NewMiddleware[customErrorPage]()
 
 const StaticFilePathPrefix = "/$gperrorpage/"
 
+func (customErrorPage) isBodyResponseModifier() {}
+
 // before implements RequestModifier.
 func (customErrorPage) before(w http.ResponseWriter, r *http.Request) (proceed bool) {
 	return !ServeStaticErrorPageFile(w, r)

internal/net/gphttp/middleware/middleware.go

@@ -3,9 +3,12 @@ package middleware
 import (
 	"fmt"
 	"maps"
+	"mime"
 	"net/http"
 	"reflect"
 	"sort"
+	"strconv"
+	"strings"
 
 	"github.com/bytedance/sonic"
 	"github.com/rs/zerolog"
@@ -16,6 +19,12 @@ import (
 	"github.com/yusing/goutils/http/reverseproxy"
 )
 
+const (
+	mimeEventStream   = "text/event-stream"
+	headerContentType = "Content-Type"
+	maxModifiableBody = 4 * 1024 * 1024 // 4MB
+)
+
 type (
 	ReverseProxy = reverseproxy.ReverseProxy
 	ProxyRequest = reverseproxy.ProxyRequest
@@ -45,7 +54,11 @@ type (
 	RequestModifier interface {
 		before(w http.ResponseWriter, r *http.Request) (proceed bool)
 	}
-	ResponseModifier             interface{ modifyResponse(r *http.Response) error }
+	ResponseModifier     interface{ modifyResponse(r *http.Response) error }
+	BodyResponseModifier interface {
+		ResponseModifier
+		isBodyResponseModifier()
+	}
 	MiddlewareWithSetup          interface{ setup() }
 	MiddlewareFinalizer          interface{ finalize() }
 	MiddlewareFinalizerWithError interface {
@@ -189,60 +202,154 @@ func (m *Middleware) ServeHTTP(next http.HandlerFunc, w http.ResponseWriter, r *
 		}
 	}
 
-	if httpheaders.IsWebsocket(r.Header) || r.Header.Get("Accept") == "text/event-stream" {
+	if httpheaders.IsWebsocket(r.Header) || strings.Contains(strings.ToLower(r.Header.Get("Accept")), mimeEventStream) {
 		next(w, r)
 		return
 	}
 
-	if exec, ok := m.impl.(ResponseModifier); ok {
-		lrm := httputils.NewLazyResponseModifier(w, needsBuffering)
-		defer func() {
-			_, err := lrm.FlushRelease()
-			if err != nil {
-				m.LogError(r).Err(err).Msg("failed to flush response")
-			}
-		}()
-		next(lrm, r)
-
-		// Skip modification if response wasn't buffered (non-HTML content)
-		if !lrm.IsBuffered() {
-			return
-		}
-
-		rm := lrm.ResponseModifier()
-		currentBody := rm.BodyReader()
-		currentResp := &http.Response{
-			StatusCode:    rm.StatusCode(),
-			Header:        rm.Header(),
-			ContentLength: int64(rm.ContentLength()),
-			Body:          currentBody,
-			Request:       r,
-		}
-		if err := exec.modifyResponse(currentResp); err != nil {
-			log.Err(err).Str("middleware", m.Name()).Str("url", fullURL(r)).Msg("failed to modify response")
-		}
-
-		// override the response status code
-		rm.WriteHeader(currentResp.StatusCode)
-
-		// overriding the response header
-		maps.Copy(rm.Header(), currentResp.Header)
-
-		// override the content length and body if changed
-		if currentResp.Body != currentBody {
-			if err := rm.SetBody(currentResp.Body); err != nil {
-				m.LogError(r).Err(err).Msg("failed to set response body")
-			}
-		}
-	} else {
+	exec, ok := m.impl.(ResponseModifier)
+	if !ok {
 		next(w, r)
+		return
+	}
+	isBodyModifier := isBodyResponseModifier(exec)
+
+	shouldBuffer := canBufferAndModifyResponseBody
+	if !isBodyModifier {
+		// Header-only response modifiers do not need body rewrite capability checks.
+		// We still respect max buffer limits and may fall back to passthrough for large bodies.
+		shouldBuffer = func(http.Header) bool { return true }
+	}
+	lrm := httputils.NewLazyResponseModifier(w, shouldBuffer)
+	lrm.SetMaxBufferedBytes(maxModifiableBody)
+	defer func() {
+		_, err := lrm.FlushRelease()
+		if err != nil {
+			m.LogError(r).Err(err).Msg("failed to flush response")
+		}
+	}()
+	next(lrm, r)
+
+	// Skip modification if response wasn't buffered
+	if !lrm.IsBuffered() {
+		return
+	}
+
+	rm := lrm.ResponseModifier()
+	if rm.IsPassthrough() {
+		return
+	}
+	currentBody := rm.BodyReader()
+	currentResp := &http.Response{
+		StatusCode:    rm.StatusCode(),
+		Header:        rm.Header(),
+		ContentLength: int64(rm.ContentLength()),
+		Body:          currentBody,
+		Request:       r,
+	}
+	respToModify := currentResp
+	if err := exec.modifyResponse(respToModify); err != nil {
+		log.Err(err).Str("middleware", m.Name()).Str("url", fullURL(r)).Msg("failed to modify response")
+		return // skip modification if failed
+	}
+
+	// override the response status code
+	rm.WriteHeader(respToModify.StatusCode)
+
+	// overriding the response header
+	maps.Copy(rm.Header(), respToModify.Header)
+
+	// override the body if changed
+	if isBodyModifier && respToModify.Body != currentBody {
+		err := rm.SetBody(respToModify.Body)
+		if err != nil {
+			m.LogError(r).Err(err).Msg("failed to set response body")
+			return // skip modification if failed
+		}
 	}
 }
 
-// needsBuffering determines if a response should be buffered for modification.
-// Only HTML responses need buffering; streaming content (video, audio, etc.) should pass through.
-func needsBuffering(header http.Header) bool {
-	return httputils.GetContentType(header).IsHTML()
+// canBufferAndModifyResponseBody checks if the response body can be buffered and modified.
+//
+// A body can be buffered and modified if:
+// - The response is not a websocket and is not an event stream
+// - The response has identity transfer encoding
+// - The response has identity content encoding
+// - The response has a content length
+// - The content length is less than 4MB
+// - The content type is text-like
+func canBufferAndModifyResponseBody(respHeader http.Header) bool {
+	if httpheaders.IsWebsocket(respHeader) {
+		return false
+	}
+	contentType := respHeader.Get("Content-Type")
+	if contentType == "" { // safe default: skip if no content type
+		return false
+	}
+	contentType = strings.ToLower(contentType)
+	if strings.Contains(contentType, mimeEventStream) {
+		return false
+	}
+	// strip charset or any other parameters
+	contentType, _, err := mime.ParseMediaType(contentType)
+	if err != nil { // skip if invalid content type
+		return false
+	}
+	if hasNonIdentityEncoding(respHeader.Values("Transfer-Encoding")) {
+		return false
+	}
+	if hasNonIdentityEncoding(respHeader.Values("Content-Encoding")) {
+		return false
+	}
+	if contentLengthRaw := respHeader.Get("Content-Length"); contentLengthRaw != "" {
+		contentLength, err := strconv.ParseInt(contentLengthRaw, 10, 64)
+		if err != nil || contentLength >= maxModifiableBody {
+			return false
+		}
+	}
+	if !isTextLikeMediaType(contentType) {
+		return false
+	}
+	return true
+}
+
+func hasNonIdentityEncoding(values []string) bool {
+	for _, value := range values {
+		for token := range strings.SplitSeq(value, ",") {
+			token = strings.TrimSpace(token)
+			if token == "" || strings.EqualFold(token, "identity") {
+				continue
+			}
+			return true
+		}
+	}
+	return false
+}
+
+func isTextLikeMediaType(contentType string) bool {
+	if contentType == "" {
+		return false
+	}
+	contentType = strings.ToLower(contentType)
+	if strings.HasPrefix(contentType, "text/") {
+		return true
+	}
+	if contentType == "application/json" || strings.HasSuffix(contentType, "+json") {
+		return true
+	}
+	if contentType == "application/xml" || strings.HasSuffix(contentType, "+xml") {
+		return true
+	}
+	if strings.Contains(contentType, "yaml") || strings.Contains(contentType, "toml") {
+		return true
+	}
+	if strings.Contains(contentType, "javascript") || strings.Contains(contentType, "ecmascript") {
+		return true
+	}
+	if strings.Contains(contentType, "csv") {
+		return true
+	}
+	return contentType == "application/x-www-form-urlencoded"
 }
 
 func (m *Middleware) LogWarn(req *http.Request) *zerolog.Event {

internal/net/gphttp/middleware/middleware_chain.go

@@ -8,8 +8,9 @@ import (
 )
 
 type middlewareChain struct {
-	befores  []RequestModifier
-	modResps []ResponseModifier
+	befores    []RequestModifier
+	respHeader []ResponseModifier
+	respBody   []ResponseModifier
 }
 
 // TODO: check conflict or duplicates.
@@ -22,7 +23,11 @@ func NewMiddlewareChain(name string, chain []*Middleware) *Middleware {
 			chainMid.befores = append(chainMid.befores, before)
 		}
 		if mr, ok := comp.impl.(ResponseModifier); ok {
-			chainMid.modResps = append(chainMid.modResps, mr)
+			if isBodyResponseModifier(mr) {
+				chainMid.respBody = append(chainMid.respBody, mr)
+			} else {
+				chainMid.respHeader = append(chainMid.respHeader, mr)
+			}
 		}
 	}
 	return m
@@ -43,13 +48,41 @@ func (m *middlewareChain) before(w http.ResponseWriter, r *http.Request) (procee
 
 // modifyResponse implements ResponseModifier.
 func (m *middlewareChain) modifyResponse(resp *http.Response) error {
-	if len(m.modResps) == 0 {
-		return nil
-	}
-	for i, mr := range m.modResps {
+	for i, mr := range m.respHeader {
 		if err := mr.modifyResponse(resp); err != nil {
 			return gperr.PrependSubject(err, strconv.Itoa(i))
 		}
 	}
+	if len(m.respBody) == 0 || !canBufferAndModifyResponseBody(responseHeaderForBodyRewriteGate(resp)) {
+		return nil
+	}
+	headerLen := len(m.respHeader)
+	for i, mr := range m.respBody {
+		if err := mr.modifyResponse(resp); err != nil {
+			return gperr.PrependSubject(err, strconv.Itoa(i+headerLen))
+		}
+	}
 	return nil
 }
+
+func isBodyResponseModifier(mr ResponseModifier) bool {
+	if chain, ok := mr.(*middlewareChain); ok {
+		return len(chain.respBody) > 0
+	}
+	if bypass, ok := mr.(*checkBypass); ok {
+		return isBodyResponseModifier(bypass.modRes)
+	}
+	_, ok := mr.(BodyResponseModifier)
+	return ok
+}
+
+func responseHeaderForBodyRewriteGate(resp *http.Response) http.Header {
+	h := resp.Header.Clone()
+	if len(resp.TransferEncoding) > 0 && len(h.Values("Transfer-Encoding")) == 0 {
+		h["Transfer-Encoding"] = append([]string(nil), resp.TransferEncoding...)
+	}
+	if resp.ContentLength >= 0 && h.Get("Content-Length") == "" {
+		h.Set("Content-Length", strconv.FormatInt(resp.ContentLength, 10))
+	}
+	return h
+}

internal/net/gphttp/middleware/middleware_test.go

@@ -1,7 +1,9 @@
 package middleware
 
 import (
+	"io"
 	"net/http"
+	"net/http/httptest"
 	"strconv"
 	"strings"
 	"testing"
@@ -14,12 +16,37 @@ type testPriority struct {
 }
 
 var test = NewMiddleware[testPriority]()
+var responseHeaderRewrite = NewMiddleware[testHeaderRewrite]()
+var responseBodyRewrite = NewMiddleware[testBodyRewrite]()
 
 func (t testPriority) before(w http.ResponseWriter, r *http.Request) bool {
 	w.Header().Add("Test-Value", strconv.Itoa(t.Value))
 	return true
 }
 
+type testHeaderRewrite struct {
+	StatusCode int    `json:"status_code"`
+	HeaderKey  string `json:"header_key"`
+	HeaderVal  string `json:"header_val"`
+}
+
+func (t testHeaderRewrite) modifyResponse(resp *http.Response) error {
+	resp.StatusCode = t.StatusCode
+	resp.Header.Set(t.HeaderKey, t.HeaderVal)
+	return nil
+}
+
+type testBodyRewrite struct {
+	Body string `json:"body"`
+}
+
+func (t testBodyRewrite) modifyResponse(resp *http.Response) error {
+	resp.Body = io.NopCloser(strings.NewReader(t.Body))
+	return nil
+}
+
+func (testBodyRewrite) isBodyResponseModifier() {}
+
 func TestMiddlewarePriority(t *testing.T) {
 	priorities := []int{4, 7, 9, 0}
 	chain := make([]*Middleware, len(priorities))
@@ -35,3 +62,215 @@ func TestMiddlewarePriority(t *testing.T) {
 	expect.NoError(t, err)
 	expect.Equal(t, strings.Join(res.ResponseHeaders["Test-Value"], ","), "3,0,1,2")
 }
+
+func TestMiddlewareResponseRewriteGate(t *testing.T) {
+	headerOpts := OptionsRaw{
+		"status_code": 418,
+		"header_key":  "X-Rewrite",
+		"header_val":  "1",
+	}
+	bodyOpts := OptionsRaw{
+		"body": "rewritten-body",
+	}
+	headerMid, err := responseHeaderRewrite.New(headerOpts)
+	expect.NoError(t, err)
+	bodyMid, err := responseBodyRewrite.New(bodyOpts)
+	expect.NoError(t, err)
+
+	tests := []struct {
+		name         string
+		respHeaders  http.Header
+		respBody     []byte
+		expectStatus int
+		expectHeader string
+		expectBody   string
+	}{
+		{
+			name: "allow_body_rewrite_for_html",
+			respHeaders: http.Header{
+				"Content-Type": []string{"text/html; charset=utf-8"},
+			},
+			respBody:     []byte("<html><body>original</body></html>"),
+			expectStatus: http.StatusTeapot,
+			expectHeader: "1",
+			expectBody:   "rewritten-body",
+		},
+		{
+			name: "allow_body_rewrite_for_json",
+			respHeaders: http.Header{
+				"Content-Type": []string{"application/json"},
+			},
+			respBody:     []byte(`{"message":"original"}`),
+			expectStatus: http.StatusTeapot,
+			expectHeader: "1",
+			expectBody:   "rewritten-body",
+		},
+		{
+			name: "allow_body_rewrite_for_yaml",
+			respHeaders: http.Header{
+				"Content-Type": []string{"application/yaml"},
+			},
+			respBody:     []byte("k: v"),
+			expectStatus: http.StatusTeapot,
+			expectHeader: "1",
+			expectBody:   "rewritten-body",
+		},
+		{
+			name: "block_body_rewrite_for_binary_content",
+			respHeaders: http.Header{
+				"Content-Type": []string{"application/octet-stream"},
+			},
+			respBody:     []byte("binary"),
+			expectStatus: http.StatusTeapot,
+			expectHeader: "1",
+			expectBody:   "binary",
+		},
+		{
+			name: "block_body_rewrite_for_transfer_encoded_html",
+			respHeaders: http.Header{
+				"Content-Type":      []string{"text/html"},
+				"Transfer-Encoding": []string{"chunked"},
+			},
+			respBody:     []byte("<html><body>original</body></html>"),
+			expectStatus: http.StatusTeapot,
+			expectHeader: "1",
+			expectBody:   "<html><body>original</body></html>",
+		},
+		{
+			name: "block_body_rewrite_for_content_encoded_html",
+			respHeaders: http.Header{
+				"Content-Type":     []string{"text/html"},
+				"Content-Encoding": []string{"gzip"},
+			},
+			respBody:     []byte("<html><body>original</body></html>"),
+			expectStatus: http.StatusTeapot,
+			expectHeader: "1",
+			expectBody:   "<html><body>original</body></html>",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := newMiddlewaresTest([]*Middleware{headerMid, bodyMid}, &testArgs{
+				respHeaders: tc.respHeaders,
+				respBody:    tc.respBody,
+				respStatus:  http.StatusOK,
+			})
+			expect.NoError(t, err)
+			expect.Equal(t, result.ResponseStatus, tc.expectStatus)
+			expect.Equal(t, result.ResponseHeaders.Get("X-Rewrite"), tc.expectHeader)
+			expect.Equal(t, string(result.Data), tc.expectBody)
+		})
+	}
+}
+
+func TestMiddlewareResponseRewriteGateServeHTTP(t *testing.T) {
+	headerOpts := OptionsRaw{
+		"status_code": 418,
+		"header_key":  "X-Rewrite",
+		"header_val":  "1",
+	}
+	bodyOpts := OptionsRaw{
+		"body": "rewritten-body",
+	}
+	headerMid, err := responseHeaderRewrite.New(headerOpts)
+	expect.NoError(t, err)
+	bodyMid, err := responseBodyRewrite.New(bodyOpts)
+	expect.NoError(t, err)
+	mid := NewMiddlewareChain("test", []*Middleware{headerMid, bodyMid})
+
+	tests := []struct {
+		name             string
+		respHeaders      http.Header
+		respBody         string
+		expectStatusCode int
+		expectHeader     string
+		expectBody       string
+	}{
+		{
+			name: "allow_body_rewrite_for_html",
+			respHeaders: http.Header{
+				"Content-Type": []string{"text/html; charset=utf-8"},
+			},
+			respBody:         "<html><body>original</body></html>",
+			expectStatusCode: http.StatusTeapot,
+			expectHeader:     "1",
+			expectBody:       "rewritten-body",
+		},
+		{
+			name: "block_body_rewrite_for_binary_content",
+			respHeaders: http.Header{
+				"Content-Type": []string{"application/octet-stream"},
+			},
+			respBody:         "binary",
+			expectStatusCode: http.StatusOK,
+			expectHeader:     "",
+			expectBody:       "binary",
+		},
+		{
+			name: "block_body_rewrite_for_transfer_encoded_html",
+			respHeaders: http.Header{
+				"Content-Type":      []string{"text/html"},
+				"Transfer-Encoding": []string{"chunked"},
+			},
+			respBody:         "<html><body>original</body></html>",
+			expectStatusCode: http.StatusOK,
+			expectHeader:     "",
+			expectBody:       "<html><body>original</body></html>",
+		},
+		{
+			name: "block_body_rewrite_for_content_encoded_html",
+			respHeaders: http.Header{
+				"Content-Type":     []string{"text/html"},
+				"Content-Encoding": []string{"gzip"},
+			},
+			respBody:         "<html><body>original</body></html>",
+			expectStatusCode: http.StatusOK,
+			expectHeader:     "",
+			expectBody:       "<html><body>original</body></html>",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "http://example.com", nil)
+			rw := httptest.NewRecorder()
+
+			next := func(w http.ResponseWriter, _ *http.Request) {
+				for key, values := range tc.respHeaders {
+					for _, value := range values {
+						w.Header().Add(key, value)
+					}
+				}
+				w.WriteHeader(http.StatusOK)
+				_, _ = w.Write([]byte(tc.respBody))
+			}
+
+			mid.ServeHTTP(next, rw, req)
+
+			resp := rw.Result()
+			defer resp.Body.Close()
+			data, readErr := io.ReadAll(resp.Body)
+			expect.NoError(t, readErr)
+
+			expect.Equal(t, resp.StatusCode, tc.expectStatusCode)
+			expect.Equal(t, resp.Header.Get("X-Rewrite"), tc.expectHeader)
+			expect.Equal(t, string(data), tc.expectBody)
+		})
+	}
+}
+
+func TestThemedSkipsBodyRewriteWhenRewriteBlocked(t *testing.T) {
+	result, err := newMiddlewareTest(Themed, &testArgs{
+		middlewareOpt: OptionsRaw{
+			"theme": DarkTheme,
+		},
+		respHeaders: http.Header{
+			"Content-Type":      []string{"text/html; charset=utf-8"},
+			"Transfer-Encoding": []string{"chunked"},
+		},
+		respBody: []byte("<html><body>original</body></html>"),
+	})
+	expect.NoError(t, err)
+	expect.Equal(t, string(result.Data), "<html><body>original</body></html>")
+}

internal/net/gphttp/middleware/modify_html.go

@@ -22,6 +22,8 @@ type modifyHTML struct {
 
 var ModifyHTML = NewMiddleware[modifyHTML]()
 
+func (*modifyHTML) isBodyResponseModifier() {}
+
 func (m *modifyHTML) before(_ http.ResponseWriter, req *http.Request) bool {
 	req.Header.Set("Accept-Encoding", "identity")
 	return true

internal/net/gphttp/middleware/test_utils_test.go

@@ -7,6 +7,7 @@ import (
 	"maps"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 
 	"github.com/bytedance/sonic"
 	"github.com/yusing/godoxy/internal/common"
@@ -54,7 +55,7 @@ func (rt *requestRecorder) RoundTrip(req *http.Request) (resp *http.Response, er
 		resp = &http.Response{
 			Status:        http.StatusText(rt.args.respStatus),
 			StatusCode:    rt.args.respStatus,
-			Header:        testHeaders,
+			Header:        maps.Clone(testHeaders),
 			Body:          io.NopCloser(bytes.NewReader(rt.args.respBody)),
 			ContentLength: int64(len(rt.args.respBody)),
 			Request:       req,
@@ -65,9 +66,27 @@ func (rt *requestRecorder) RoundTrip(req *http.Request) (resp *http.Response, er
 		return nil, err
 	}
 	maps.Copy(resp.Header, rt.args.respHeaders)
+	if transferEncoding := resp.Header.Values("Transfer-Encoding"); len(transferEncoding) > 0 {
+		resp.TransferEncoding = parseHeaderTokens(transferEncoding)
+		resp.ContentLength = -1
+	}
 	return resp, nil
 }
 
+func parseHeaderTokens(values []string) []string {
+	var tokens []string
+	for _, value := range values {
+		for token := range strings.SplitSeq(value, ",") {
+			token = strings.TrimSpace(token)
+			if token == "" {
+				continue
+			}
+			tokens = append(tokens, token)
+		}
+	}
+	return tokens
+}
+
 type TestResult struct {
 	RequestHeaders  http.Header
 	ResponseHeaders http.Header

internal/net/gphttp/middleware/themed.go

@@ -54,6 +54,8 @@ func (m *themed) modifyResponse(resp *http.Response) error {
 	return m.m.modifyResponse(resp)
 }
 
+func (*themed) isBodyResponseModifier() {}
+
 func (m *themed) finalize() error {
 	m.m.Target = "body"
 	if m.FontURL != "" && m.FontFamily != "" {

internal/route/provider/all_fields.yaml

@@ -3,6 +3,7 @@ example: # matching `example.y.z`
   host: 10.0.0.254
   port: 80
   bind: 0.0.0.0
+  relay_proxy_protocol_header: false # tcp only, sends PROXY header to upstream
   root: /var/www/example
   spa: true
   index: index.html

internal/route/reverse_proxy.go

@@ -123,6 +123,24 @@ func (r *ReverseProxyRoute) ReverseProxy() *reverseproxy.ReverseProxy {
 	return r.rp
 }
 
+func (r *ReverseProxyRoute) isSyntheticLoadBalancerRoute() bool {
+	return r.loadBalancer != nil && r.rp == nil
+}
+
+func (r *ReverseProxyRoute) Key() string {
+	if r.isSyntheticLoadBalancerRoute() {
+		return r.Alias
+	}
+	return r.Route.Key()
+}
+
+func (r *ReverseProxyRoute) ShouldExclude() bool {
+	if r.isSyntheticLoadBalancerRoute() {
+		return false
+	}
+	return r.Route.ShouldExclude()
+}
+
 // Start implements task.TaskStarter.
 func (r *ReverseProxyRoute) Start(parent task.Parent) error {
 	r.task = parent.Subtask("http."+r.Name(), false)
@@ -206,7 +224,7 @@ func (r *ReverseProxyRoute) addToLoadBalancer(parent task.Parent, ep entrypoint.
 		linked = l.(*ReverseProxyRoute) // it must be a reverse proxy route
 		lb = linked.loadBalancer
 		lb.UpdateConfigIfNeeded(cfg)
-		if linked.Homepage.Name == "" {
+		if linked.Homepage == nil || linked.Homepage.Name == "" {
 			linked.Homepage = r.Homepage
 		}
 	} else {

internal/route/reverse_proxy_test.go

@@ -1,16 +1,165 @@
 package route
 
 import (
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"sync"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	"github.com/yusing/godoxy/internal/homepage"
 	route "github.com/yusing/godoxy/internal/route/types"
 	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/task"
 )
 
+type testPool[T interface{ Key() string }] struct {
+	mu    sync.RWMutex
+	items map[string]T
+}
+
+func newTestPool[T interface{ Key() string }]() *testPool[T] {
+	return &testPool[T]{items: make(map[string]T)}
+}
+
+func (p *testPool[T]) Get(alias string) (T, bool) {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	v, ok := p.items[alias]
+	return v, ok
+}
+
+func (p *testPool[T]) Iter(yield func(alias string, r T) bool) {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	for alias, r := range p.items {
+		if !yield(alias, r) {
+			return
+		}
+	}
+}
+
+func (p *testPool[T]) Size() int {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return len(p.items)
+}
+
+func (p *testPool[T]) Add(r T) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.items[r.Key()] = r
+}
+
+func (p *testPool[T]) Del(r T) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	delete(p.items, r.Key())
+}
+
+type testEntrypoint struct {
+	httpRoutes     *testPool[types.HTTPRoute]
+	streamRoutes   *testPool[types.StreamRoute]
+	excludedRoutes *testPool[types.Route]
+}
+
+func newTestEntrypoint() *testEntrypoint {
+	return &testEntrypoint{
+		httpRoutes:     newTestPool[types.HTTPRoute](),
+		streamRoutes:   newTestPool[types.StreamRoute](),
+		excludedRoutes: newTestPool[types.Route](),
+	}
+}
+
+func (ep *testEntrypoint) SupportProxyProtocol() bool { return false }
+func (ep *testEntrypoint) DisablePoolsLog(bool)       {}
+
+func (ep *testEntrypoint) GetRoute(alias string) (types.Route, bool) {
+	if r, ok := ep.httpRoutes.Get(alias); ok {
+		return r, true
+	}
+	if r, ok := ep.streamRoutes.Get(alias); ok {
+		return r, true
+	}
+	if r, ok := ep.excludedRoutes.Get(alias); ok {
+		return r, true
+	}
+	return nil, false
+}
+
+func (ep *testEntrypoint) StartAddRoute(r types.Route) error {
+	if r.ShouldExclude() {
+		ep.excludedRoutes.Add(r)
+		return nil
+	}
+	switch rt := r.(type) {
+	case types.HTTPRoute:
+		ep.httpRoutes.Add(rt)
+		return nil
+	case types.StreamRoute:
+		ep.streamRoutes.Add(rt)
+		return nil
+	default:
+		return fmt.Errorf("unknown route type: %T", r)
+	}
+}
+
+func (ep *testEntrypoint) IterRoutes(yield func(r types.Route) bool) {
+	ep.httpRoutes.Iter(func(_ string, r types.HTTPRoute) bool {
+		return yield(r)
+	})
+	ep.streamRoutes.Iter(func(_ string, r types.StreamRoute) bool {
+		return yield(r)
+	})
+	ep.excludedRoutes.Iter(func(_ string, r types.Route) bool {
+		return yield(r)
+	})
+}
+
+func (ep *testEntrypoint) NumRoutes() int {
+	return ep.httpRoutes.Size() + ep.streamRoutes.Size() + ep.excludedRoutes.Size()
+}
+
+func (ep *testEntrypoint) RoutesByProvider() map[string][]types.Route {
+	return map[string][]types.Route{}
+}
+
+func (ep *testEntrypoint) HTTPRoutes() entrypoint.PoolLike[types.HTTPRoute] {
+	return ep.httpRoutes
+}
+
+func (ep *testEntrypoint) StreamRoutes() entrypoint.PoolLike[types.StreamRoute] {
+	return ep.streamRoutes
+}
+
+func (ep *testEntrypoint) ExcludedRoutes() entrypoint.RWPoolLike[types.Route] {
+	return ep.excludedRoutes
+}
+
+func (ep *testEntrypoint) GetHealthInfo() map[string]types.HealthInfo {
+	return nil
+}
+
+func (ep *testEntrypoint) GetHealthInfoWithoutDetail() map[string]types.HealthInfoWithoutDetail {
+	return nil
+}
+
+func (ep *testEntrypoint) GetHealthInfoSimple() map[string]types.HealthStatus {
+	return nil
+}
+
 func TestReverseProxyRoute(t *testing.T) {
 	t.Run("LinkToLoadBalancer", func(t *testing.T) {
+		testTask := task.GetTestTask(t)
+		entrypoint.SetCtx(testTask, newTestEntrypoint())
+
 		cfg := Route{
 			Alias:  "test",
 			Scheme: route.SchemeHTTP,
@@ -36,4 +185,75 @@ func TestReverseProxyRoute(t *testing.T) {
 		require.NoError(t, err)
 		assert.NotNil(t, r2)
 	})
+	t.Run("LoadBalancerRoute", func(t *testing.T) {
+		testTask := task.GetTestTask(t)
+		entrypoint.SetCtx(testTask, newTestEntrypoint())
+
+		newServer := func() *httptest.Server {
+			return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+		}
+
+		srv1 := newServer()
+		t.Cleanup(srv1.Close)
+		srv2 := newServer()
+		t.Cleanup(srv2.Close)
+		srv3 := newServer()
+		t.Cleanup(srv3.Close)
+
+		makeRoute := func(alias string, target *httptest.Server) *Route {
+			t.Helper()
+
+			targetURL, err := url.Parse(target.URL)
+			require.NoError(t, err)
+
+			host, portStr, err := net.SplitHostPort(targetURL.Host)
+			require.NoError(t, err)
+			port, err := strconv.Atoi(portStr)
+			require.NoError(t, err)
+
+			return &Route{
+				Alias:  alias,
+				Scheme: route.SchemeHTTP,
+				Host:   host,
+				Port:   Port{Proxy: port},
+				Homepage: &homepage.ItemConfig{
+					Show: true,
+				},
+				LoadBalance: &types.LoadBalancerConfig{
+					Link: "lb-test",
+				},
+				HealthCheck: types.HealthCheckConfig{
+					Path:     "/",
+					Interval: 2 * time.Second,
+					Timeout:  time.Second,
+					UseGet:   true,
+				},
+			}
+		}
+
+		_, err := NewStartedTestRoute(t, makeRoute("lb-1", srv1))
+		require.NoError(t, err)
+		_, err = NewStartedTestRoute(t, makeRoute("lb-2", srv2))
+		require.NoError(t, err)
+		_, err = NewStartedTestRoute(t, makeRoute("lb-3", srv3))
+		require.NoError(t, err)
+
+		ep := entrypoint.FromCtx(testTask.Context())
+		require.NotNil(t, ep)
+
+		lbRoute, ok := ep.HTTPRoutes().Get("lb-test")
+		require.True(t, ok)
+
+		lb, ok := lbRoute.(*ReverseProxyRoute)
+		require.True(t, ok)
+		require.False(t, lb.ShouldExclude())
+		require.NotNil(t, lb.loadBalancer)
+		require.NotNil(t, lb.HealthMonitor())
+		assert.Equal(t, route.SchemeNone, lb.Scheme)
+		assert.Empty(t, lb.Host)
+		assert.Zero(t, lb.Port.Proxy)
+		assert.Equal(t, "3/3 servers are healthy", lb.HealthMonitor().Detail())
+	})
 }

internal/route/route.go

@@ -54,15 +54,16 @@ type (
 		Index string `json:"index,omitempty"` // Index file to serve for single-page app mode
 
 		route.HTTPConfig
-		PathPatterns []string                       `json:"path_patterns,omitempty" extensions:"x-nullable"`
-		Rules        rules.Rules                    `json:"rules,omitempty" extensions:"x-nullable"`
-		RuleFile     string                         `json:"rule_file,omitempty" extensions:"x-nullable"`
-		HealthCheck  types.HealthCheckConfig        `json:"healthcheck,omitzero" extensions:"x-nullable"` // null on load-balancer routes
-		LoadBalance  *types.LoadBalancerConfig      `json:"load_balance,omitempty" extensions:"x-nullable"`
-		Middlewares  map[string]types.LabelMap      `json:"middlewares,omitempty" extensions:"x-nullable"`
-		Homepage     *homepage.ItemConfig           `json:"homepage"`
-		AccessLog    *accesslog.RequestLoggerConfig `json:"access_log,omitempty" extensions:"x-nullable"`
-		Agent        string                         `json:"agent,omitempty"`
+		PathPatterns             []string                       `json:"path_patterns,omitempty" extensions:"x-nullable"`
+		Rules                    rules.Rules                    `json:"rules,omitempty" extensions:"x-nullable"`
+		RuleFile                 string                         `json:"rule_file,omitempty" extensions:"x-nullable"`
+		HealthCheck              types.HealthCheckConfig        `json:"healthcheck,omitzero" extensions:"x-nullable"` // null on load-balancer routes
+		LoadBalance              *types.LoadBalancerConfig      `json:"load_balance,omitempty" extensions:"x-nullable"`
+		Middlewares              map[string]types.LabelMap      `json:"middlewares,omitempty" extensions:"x-nullable"`
+		Homepage                 *homepage.ItemConfig           `json:"homepage"`
+		AccessLog                *accesslog.RequestLoggerConfig `json:"access_log,omitempty" extensions:"x-nullable"`
+		RelayProxyProtocolHeader bool                           `json:"relay_proxy_protocol_header,omitempty"` // TCP only: relay PROXY protocol header to the destination
+		Agent                    string                         `json:"agent,omitempty"`
 
 		Proxmox *proxmox.NodeConfig `json:"proxmox,omitempty" extensions:"x-nullable"`
 
@@ -310,6 +311,9 @@ func (r *Route) validate() error {
 	if !r.UseHealthCheck() && (r.UseLoadBalance() || r.UseIdleWatcher()) {
 		errs.Adds("cannot disable healthcheck when loadbalancer or idle watcher is enabled")
 	}
+	if r.RelayProxyProtocolHeader && r.Scheme != route.SchemeTCP {
+		errs.Adds("relay_proxy_protocol_header is only supported for tcp routes")
+	}
 
 	if errs.HasError() {
 		return errs.Error()

internal/route/route_test.go

@@ -78,6 +78,19 @@ func TestRouteValidate(t *testing.T) {
 		require.NotNil(t, r.impl, "Impl should be initialized")
 	})
 
+	t.Run("RelayProxyProtocolHeaderTCPOnly", func(t *testing.T) {
+		r := &Route{
+			Alias:                    "test-udp-relay",
+			Scheme:                   route.SchemeUDP,
+			Host:                     "127.0.0.1",
+			Port:                     route.Port{Proxy: 53, Listening: 53},
+			RelayProxyProtocolHeader: true,
+		}
+		err := r.Validate()
+		require.Error(t, err, "Validate should reject proxy protocol relay on UDP routes")
+		require.ErrorContains(t, err, "relay_proxy_protocol_header is only supported for tcp routes")
+	})
+
 	t.Run("DockerContainer", func(t *testing.T) {
 		r := &Route{
 			Alias:  "test",

internal/route/rules/README.md

@@ -309,7 +309,8 @@ nested_block := on_expr ws* '{' do_body '}'
 
 Notes:
 
-- A nested block is recognized when a line ends with an unquoted `{` (ignoring trailing whitespace).
+- A nested block is recognized when a logical header ends with an unquoted `{`.
+- Logical headers can continue to the next line when the current line ends with `|` or `&`.
 - `on_expr` uses the same syntax as rule `on` (supports `|`, `&`, quoting/backticks, matcher functions, etc.).
 - The nested block executes **in sequence**, at the point where it appears in the parent `do` list.
 - Nested blocks are evaluated in the same phase the parent rule runs (no special phase promotion).
@@ -424,6 +425,15 @@ path !glob("/public/*")
 
 # OR within a line
 method GET | method POST
+
+# OR across multiple lines (line continuation)
+method GET |
+method POST |
+method PUT
+
+# AND across multiple lines
+header Connection Upgrade &
+header Upgrade websocket
 ```
 
 ### Variable Substitution
@@ -439,8 +449,19 @@ $remote_host     # Client IP
 # Dynamic variables
 $header(Name)           # Request header
 $header(Name, index)    # Header at index
+$resp_header(Name)      # Response header
 $arg(Name)              # Query argument
 $form(Name)             # Form field
+$postform(Name)         # POST form field
+$cookie(Name)           # Cookie value
+
+# Function composition: pass result of one function to another
+$redacted($header(Authorization))   # Redact the Authorization header value
+$redacted($arg(token))              # Redact a query parameter value
+$redacted($cookie(session))         # Redact a cookie value
+
+# $redacted: masks a value, showing only first 2 and last 2 characters
+$redacted(value)                    # Redact a plain string
 
 # Environment variables
 ${ENV_VAR}

internal/route/rules/do.go

@@ -1,6 +1,7 @@
 package rules
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -233,6 +234,9 @@ var commands = map[string]struct {
 			route := args.(string)
 			return func(w *httputils.ResponseModifier, req *http.Request, upstream http.HandlerFunc) error {
 				ep := entrypoint.FromCtx(req.Context())
+				if ep == nil {
+					return errors.New("entrypoint not found")
+				}
 				r, ok := ep.HTTPRoutes().Get(route)
 				if !ok {
 					excluded, has := ep.ExcludedRoutes().Get(route)

internal/route/rules/do_blocks.go

@@ -292,6 +292,20 @@ func parseAtBlockChain(src string, blockPos int) (CommandHandler, int, error) {
 }
 
 func lineEndsWithUnquotedOpenBrace(src string, lineStart int, lineEnd int) bool {
+	return lineEndsWithUnquotedToken(src, lineStart, lineEnd) == '{'
+}
+
+func lineContinuationOperator(src string, lineStart int, lineEnd int) byte {
+	token := lineEndsWithUnquotedToken(src, lineStart, lineEnd)
+	switch token {
+	case '|', '&':
+		return token
+	default:
+		return 0
+	}
+}
+
+func lineEndsWithUnquotedToken(src string, lineStart int, lineEnd int) byte {
 	quote := byte(0)
 	lastSignificant := byte(0)
 	atLineStart := true
@@ -334,13 +348,22 @@ func lineEndsWithUnquotedOpenBrace(src string, lineStart int, lineEnd int) bool
 		atLineStart = false
 		prevIsSpace = false
 	}
-	return quote == 0 && lastSignificant == '{'
+	if quote != 0 {
+		return 0
+	}
+	return lastSignificant
 }
 
 // parseDoWithBlocks parses a do-body containing plain command lines and nested blocks.
 // It returns the outer command handlers and the require phase.
 //
-// A nested block is recognized when a line ends with an unquoted '{' (ignoring trailing whitespace).
+// A nested block is recognized when a logical header ends with an unquoted '{'.
+// Logical headers may span lines using trailing '|' or '&', for example:
+//
+//	remote 127.0.0.1 |
+//	remote 192.168.0.0/16 {
+//	  set header X-Remote-Type private
+//	}
 func parseDoWithBlocks(src string) (handlers []CommandHandler, err error) {
 	pos := 0
 	length := len(src)
@@ -400,12 +423,38 @@ func parseDoWithBlocks(src string) (handlers []CommandHandler, err error) {
 				linePos++
 			}
 
-			lineEnd := linePos
-			for lineEnd < length && src[lineEnd] != '\n' {
-				lineEnd++
+			logicalEnd := linePos
+			for logicalEnd < length && src[logicalEnd] != '\n' {
+				logicalEnd++
 			}
 
-			if linePos < length && lineEndsWithUnquotedOpenBrace(src, linePos, lineEnd) {
+			for linePos < length && lineContinuationOperator(src, linePos, logicalEnd) != 0 {
+				nextPos := logicalEnd
+				if nextPos < length && src[nextPos] == '\n' {
+					nextPos++
+				}
+				for nextPos < length {
+					c := rune(src[nextPos])
+					if c == '\n' {
+						nextPos++
+						continue
+					}
+					if c == '\r' || unicode.IsSpace(c) {
+						nextPos++
+						continue
+					}
+					break
+				}
+				if nextPos >= length {
+					break
+				}
+				logicalEnd = nextPos
+				for logicalEnd < length && src[logicalEnd] != '\n' {
+					logicalEnd++
+				}
+			}
+
+			if linePos < length && lineEndsWithUnquotedOpenBrace(src, linePos, logicalEnd) {
 				h, next, err := parseAtBlockChain(src, linePos)
 				if err != nil {
 					return nil, err
@@ -417,10 +466,10 @@ func parseDoWithBlocks(src string) (handlers []CommandHandler, err error) {
 			}
 
 			// Not a nested block; parse the rest of this line as a command.
-			if lerr := appendLineCommand(src[pos:lineEnd]); lerr != nil {
+			if lerr := appendLineCommand(src[pos:logicalEnd]); lerr != nil {
 				return nil, lerr
 			}
-			pos = lineEnd
+			pos = logicalEnd
 			lineStart = true
 			continue
 		}

internal/route/rules/do_blocks_test.go

@@ -71,3 +71,38 @@ func TestIfElseBlockCommandServeHTTP_ConditionalMatchedNilDoNotFallsThrough(t *t
 	require.NoError(t, err)
 	assert.False(t, elseCalled)
 }
+
+func TestParseDoWithBlocks_MultilineBlockHeaderContinuation(t *testing.T) {
+	tests := []struct {
+		name string
+		src  string
+	}{
+		{
+			name: "or continuation",
+			src: `
+remote 127.0.0.1 |
+remote 192.168.0.0/16 {
+  set header X-Remote-Type private
+}
+`,
+		},
+		{
+			name: "and continuation",
+			src: `
+method GET &
+remote 127.0.0.1 {
+  set header X-Remote-Type private
+}
+`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			handlers, err := parseDoWithBlocks(tt.src)
+			require.NoError(t, err)
+			require.Len(t, handlers, 1)
+			require.IsType(t, IfBlockCommand{}, handlers[0])
+		})
+	}
+}

internal/route/rules/http_flow_block_test.go

@@ -456,7 +456,8 @@ func TestHTTPFlow_NestedBlocks_RemoteOverride(t *testing.T) {
 	err := parseRules(`
 header X-Test-Header {
   set header X-Remote-Type public
-  remote 127.0.0.1 | remote 192.168.0.0/16 {
+  remote 127.0.0.1 |
+	remote 192.168.0.0/16 {
     set header X-Remote-Type private
   }
 }

internal/route/rules/on.go

@@ -505,62 +505,70 @@ var (
 	andSeps    = [256]uint8{'&': 1, '\n': 1}
 )
 
-func indexAnd(s string) int {
-	for i := range s {
-		if andSeps[s[i]] != 0 {
-			return i
-		}
-	}
-	return -1
-}
-
-func countAnd(s string) int {
-	n := 0
-	for i := range s {
-		if andSeps[s[i]] != 0 {
-			n++
-		}
-	}
-	return n
-}
-
-// splitAnd splits a string by "&" and "\n" with all spaces removed.
-// empty strings are not included in the result.
+// splitAnd splits a condition string into AND parts.
+// It treats '&' and newline as AND separators, except when a line ends with
+// an unescaped '|' (OR continuation), where the newline stays in the same part.
+// Empty parts are omitted.
 func splitAnd(s string) []string {
 	if s == "" {
 		return []string{}
 	}
-	n := countAnd(s)
-	a := make([]string, n+1)
-	i := 0
-	for i < n {
-		end := indexAnd(s)
-		if end == -1 {
-			break
+	result := []string{}
+	forEachAndPart(s, func(part string) {
+		result = append(result, part)
+	})
+	return result
+}
+
+func lineEndsWithUnescapedPipe(s string, start, end int) bool {
+	for i := end - 1; i >= start; i-- {
+		if asciiSpace[s[i]] != 0 {
+			continue
 		}
-		beg := 0
-		// trim leading spaces
-		for beg < end && asciiSpace[s[beg]] != 0 {
-			beg++
+		if s[i] != '|' {
+			return false
 		}
-		// trim trailing spaces
-		next := end + 1
-		for end-1 > beg && asciiSpace[s[end-1]] != 0 {
-			end--
+		escapes := 0
+		for j := i - 1; j >= start && s[j] == '\\'; j-- {
+			escapes++
 		}
-		// skip empty segments
-		if end > beg {
-			a[i] = s[beg:end]
-			i++
-		}
-		s = s[next:]
+		return escapes%2 == 0
 	}
-	s = strings.TrimSpace(s)
-	if s != "" {
-		a[i] = s
-		i++
+	return false
+}
+
+func advanceSplitState(s string, i *int, quote *byte, brackets *int) bool {
+	c := s[*i]
+	if *quote != 0 {
+		if c == '\\' && *i+1 < len(s) {
+			*i++
+			return true
+		}
+		if c == *quote {
+			*quote = 0
+		}
+		return true
 	}
-	return a[:i]
+
+	switch c {
+	case '\\':
+		if *i+1 < len(s) {
+			*i++
+			return true
+		}
+	case '"', '\'', '`':
+		*quote = c
+		return true
+	case '(':
+		*brackets++
+		return true
+	case ')':
+		if *brackets > 0 {
+			*brackets--
+		}
+		return true
+	}
+	return false
 }
 
 // splitPipe splits a string by "|" but respects quotes, brackets, and escaped characters.
@@ -578,8 +586,26 @@ func splitPipe(s string) []string {
 }
 
 func forEachAndPart(s string, fn func(part string)) {
+	quote := byte(0)
+	brackets := 0
 	start := 0
+
 	for i := 0; i <= len(s); i++ {
+		if i < len(s) {
+			c := s[i]
+			if advanceSplitState(s, &i, &quote, &brackets) {
+				continue
+			}
+
+			if c == '\n' {
+				if brackets > 0 || lineEndsWithUnescapedPipe(s, start, i) {
+					continue
+				}
+			} else if c != '&' || brackets > 0 {
+				continue
+			}
+		}
+
 		if i < len(s) && andSeps[s[i]] == 0 {
 			continue
 		}
@@ -597,30 +623,14 @@ func forEachPipePart(s string, fn func(part string)) {
 	start := 0
 
 	for i := 0; i < len(s); i++ {
-		switch s[i] {
-		case '\\':
-			if i+1 < len(s) {
-				i++
-			}
-		case '"', '\'', '`':
-			if quote == 0 && brackets == 0 {
-				quote = s[i]
-			} else if s[i] == quote {
-				quote = 0
-			}
-		case '(':
-			brackets++
-		case ')':
-			if brackets > 0 {
-				brackets--
-			}
-		case '|':
-			if quote == 0 && brackets == 0 {
-				if part := strings.TrimSpace(s[start:i]); part != "" {
-					fn(part)
-				}
-				start = i + 1
+		if advanceSplitState(s, &i, &quote, &brackets) {
+			continue
+		}
+		if s[i] == '|' && brackets == 0 {
+			if part := strings.TrimSpace(s[start:i]); part != "" {
+				fn(part)
 			}
+			start = i + 1
 		}
 	}
 	if start < len(s) {

internal/route/rules/on_internal_test.go

@@ -1,6 +1,8 @@
 package rules
 
 import (
+	"net/http"
+	"net/url"
 	"testing"
 
 	gperr "github.com/yusing/goutils/errs"
@@ -133,6 +135,16 @@ func TestSplitAnd(t *testing.T) {
 			input: " rule1\nrule2 & rule3 ",
 			want:  []string{"rule1", "rule2", "rule3"},
 		},
+		{
+			name:  "newline_after_pipe_is_or_continuation",
+			input: "path /abc |\npath /bcd",
+			want:  []string{"path /abc |\npath /bcd"},
+		},
+		{
+			name:  "newline_after_pipe_with_spaces_is_or_continuation",
+			input: "path /abc |   \n  path /bcd",
+			want:  []string{"path /abc |   \n  path /bcd"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -280,6 +292,11 @@ func TestParseOn(t *testing.T) {
 			input:   `method GET | path regex("^(_next/static|_next/image|favicon.ico).*$") | header Authorization`,
 			wantErr: nil,
 		},
+		{
+			name:    "pipe_multiline_continuation",
+			input:   "path /abc |\npath /bcd |",
+			wantErr: nil,
+		},
 	}
 
 	for _, tt := range tests {
@@ -294,3 +311,18 @@ func TestParseOn(t *testing.T) {
 		})
 	}
 }
+
+func TestRuleOnParse_MultilineOrContinuation(t *testing.T) {
+	var on RuleOn
+	err := on.Parse("path /abc |\npath /bcd |")
+	expect.NoError(t, err)
+
+	w := http.ResponseWriter(nil)
+	reqABC := &http.Request{URL: &url.URL{Path: "/abc"}}
+	reqBCD := &http.Request{URL: &url.URL{Path: "/bcd"}}
+	reqXYZ := &http.Request{URL: &url.URL{Path: "/xyz"}}
+
+	expect.Equal(t, on.Check(w, reqABC), true)
+	expect.Equal(t, on.Check(w, reqBCD), true)
+	expect.Equal(t, on.Check(w, reqXYZ), false)
+}

internal/route/rules/rules.go

@@ -27,22 +27,21 @@ type (
 			Example:
 
 				proxy.app1.rules: |
-					- name: default
-						do: |
-							rewrite / /index.html
-							serve /var/www/goaccess
-					- name: ws
-						on: |
-							header Connection Upgrade
-							header Upgrade websocket
-						do: bypass
+					default {
+						rewrite / /index.html
+						serve /var/www/goaccess
+					}
+					header Connection Upgrade & header Upgrade websocket {
+						bypass
+					}
 
 				proxy.app2.rules: |
-					- name: default
-						do: bypass
-					- name: block POST and PUT
-						on: method POST | method PUT
-						do: error 403 Forbidden
+					default {
+						bypass
+					}
+					method POST | method PUT {
+						error 403 Forbidden
+					}
 	*/
 	//nolint:recvcheck
 	Rules []Rule

internal/route/rules/vars.go

@@ -152,6 +152,12 @@ func ExpandVars(w *httputils.ResponseModifier, req *http.Request, src string, ds
 					return phase, err
 				}
 				i = nextIdx
+				// Expand any nested $func(...) expressions in args
+				args, argPhase, err := expandArgs(args, w, req)
+				if err != nil {
+					return phase, err
+				}
+				phase |= argPhase
 				actual, err = getter.get(args, w, req)
 				if err != nil {
 					return phase, err
@@ -221,6 +227,18 @@ func extractArgs(src string, i int, funcName string) (args []string, nextIdx int
 			continue
 		}
 
+		// Nested function call: $func(...) as an argument
+		if ch == '$' && arg.Len() == 0 {
+			// Capture the entire $func(...) expression as a raw argument token
+			nestedEnd, nestedErr := extractNestedFuncExpr(src, nextIdx)
+			if nestedErr != nil {
+				return nil, 0, nestedErr
+			}
+			args = append(args, src[nextIdx:nestedEnd+1])
+			nextIdx = nestedEnd + 1
+			continue
+		}
+
 		if ch == ')' {
 			// End of arguments
 			if arg.Len() > 0 {
@@ -256,3 +274,70 @@ func extractArgs(src string, i int, funcName string) (args []string, nextIdx int
 	}
 	return nil, 0, ErrUnterminatedParenthesis.Withf("func %q", funcName)
 }
+
+// extractNestedFuncExpr finds the end index (inclusive) of a $func(...) expression
+// starting at position start in src. It handles nested parentheses.
+func extractNestedFuncExpr(src string, start int) (endIdx int, err error) {
+	// src[start] must be '$'
+	i := start + 1
+	// skip the function name (valid var name chars)
+	for i < len(src) && validVarNameCharset[src[i]] {
+		i++
+	}
+	if i >= len(src) || src[i] != '(' {
+		return 0, ErrUnterminatedParenthesis.Withf("nested func at position %d", start)
+	}
+	// Now find the matching closing parenthesis, respecting quotes and nesting
+	depth := 0
+	var quote byte
+	for i < len(src) {
+		ch := src[i]
+		if quote != 0 {
+			if ch == quote {
+				quote = 0
+			}
+			i++
+			continue
+		}
+		if quoteChars[ch] {
+			quote = ch
+			i++
+			continue
+		}
+		switch ch {
+		case '(':
+			depth++
+		case ')':
+			depth--
+			if depth == 0 {
+				return i, nil
+			}
+		}
+		i++
+	}
+	if quote != 0 {
+		return 0, ErrUnterminatedQuotes.Withf("nested func at position %d", start)
+	}
+	return 0, ErrUnterminatedParenthesis.Withf("nested func at position %d", start)
+}
+
+// expandArgs expands any args that are nested dynamic var expressions (starting with '$').
+// It returns the expanded args and the combined phase flags.
+func expandArgs(args []string, w *httputils.ResponseModifier, req *http.Request) (expanded []string, phase PhaseFlag, err error) {
+	expanded = make([]string, len(args))
+	for i, arg := range args {
+		if len(arg) > 0 && arg[0] == '$' {
+			var buf strings.Builder
+			var argPhase PhaseFlag
+			argPhase, err = ExpandVars(w, req, arg, &buf)
+			if err != nil {
+				return nil, phase, err
+			}
+			phase |= argPhase
+			expanded[i] = buf.String()
+		} else {
+			expanded[i] = arg
+		}
+	}
+	return expanded, phase, nil
+}

internal/route/rules/vars_dynamic.go

@@ -6,6 +6,7 @@ import (
 	"strconv"
 
 	httputils "github.com/yusing/goutils/http"
+	strutils "github.com/yusing/goutils/strings"
 )
 
 var (
@@ -15,6 +16,7 @@ var (
 	VarQuery          = "arg"
 	VarForm           = "form"
 	VarPostForm       = "postform"
+	VarRedacted       = "redacted"
 )
 
 type dynamicVarGetter struct {
@@ -94,6 +96,17 @@ var dynamicVarSubsMap = map[string]dynamicVarGetter{
 			return getValueByKeyAtIndex(req.PostForm, key, index)
 		},
 	},
+	// VarRedacted wraps the result of its single argument (which may be another dynamic var
+	// expression, already expanded by expandArgs) with strutils.Redact.
+	VarRedacted: {
+		phase: PhaseNone,
+		get: func(args []string, w *httputils.ResponseModifier, req *http.Request) (string, error) {
+			if len(args) != 1 {
+				return "", ErrExpectOneArg
+			}
+			return strutils.Redact(args[0]), nil
+		},
+	},
 }
 
 func getValueByKeyAtIndex[Values http.Header | url.Values](values Values, key string, index int) (string, error) {

internal/route/rules/vars_test.go

@@ -189,6 +189,64 @@ func TestExtractArgs(t *testing.T) {
 	}
 }
 
+func TestExtractArgs_NestedFunc(t *testing.T) {
+	tests := []struct {
+		name        string
+		src         string
+		startPos    int
+		funcName    string
+		wantArgs    []string
+		wantNextIdx int
+		wantErr     bool
+	}{
+		{
+			name:        "nested func as single arg",
+			src:         "redacted($header(Authorization))",
+			startPos:    0,
+			funcName:    "redacted",
+			wantArgs:    []string{"$header(Authorization)"},
+			wantNextIdx: 31,
+		},
+		{
+			name:        "nested func with quoted arg inside",
+			src:         `redacted($header("X-Secret"))`,
+			startPos:    0,
+			funcName:    "redacted",
+			wantArgs:    []string{`$header("X-Secret")`},
+			wantNextIdx: 28,
+		},
+		{
+			name:        "nested func with two args inside",
+			src:         "redacted($header(X-Multi, 1))",
+			startPos:    0,
+			funcName:    "redacted",
+			wantArgs:    []string{"$header(X-Multi, 1)"},
+			wantNextIdx: 28,
+		},
+		{
+			name:     "nested func missing closing paren",
+			src:      "redacted($header(Authorization)",
+			startPos: 0,
+			funcName: "redacted",
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args, nextIdx, err := extractArgs(tt.src, tt.startPos, tt.funcName)
+
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, tt.wantArgs, args)
+				require.Equal(t, tt.wantNextIdx, nextIdx)
+			}
+		})
+	}
+}
+
 func TestExpandVars(t *testing.T) {
 	// Create a comprehensive test request with form data
 	formData := url.Values{}
@@ -446,6 +504,27 @@ func TestExpandVars(t *testing.T) {
 			input: "Header: $header(User-Agent), Status: $status_code",
 			want:  "Header: test-agent/1.0, Status: 200",
 		},
+		// $redacted function
+		{
+			name:  "redacted with plain string arg",
+			input: "$redacted(secret)",
+			want:  "se**et",
+		},
+		{
+			name:  "redacted wrapping header",
+			input: "$redacted($header(User-Agent))",
+			want:  "te**********.0",
+		},
+		{
+			name:  "redacted wrapping arg",
+			input: "$redacted($arg(param1))",
+			want:  "va**e1",
+		},
+		{
+			name:    "redacted with no args",
+			input:   "$redacted()",
+			wantErr: true,
+		},
 		// Escaped dollar signs
 		{
 			name:  "escaped dollar",

internal/route/stream.go

@@ -110,7 +110,14 @@ func (r *StreamRoute) initStream() (nettypes.Stream, error) {
 
 	switch rScheme {
 	case "tcp":
-		return stream.NewTCPTCPStream(lurl.Scheme, rurl.Scheme, laddr, rurl.Host, r.GetAgent())
+		return stream.NewTCPTCPStream(
+			lurl.Scheme,
+			rurl.Scheme,
+			laddr,
+			rurl.Host,
+			r.GetAgent(),
+			r.RelayProxyProtocolHeader,
+		)
 	case "udp":
 		return stream.NewUDPUDPStream(lurl.Scheme, rurl.Scheme, laddr, rurl.Host, r.GetAgent())
 	}

internal/route/stream/README.md

@@ -181,6 +181,7 @@ routes:
     scheme: tcp4
       bind: 0.0.0.0 # optional
       port: 2222:22 # listening port: target port
+      relay_proxy_protocol_header: true # optional, tcp only
 
   dns-proxy:
     scheme: udp4
@@ -223,6 +224,7 @@ Log context includes: `protocol`, `listen`, `dst`, `action`
 
 - ACL wrapping available for TCP and UDP listeners
 - PROXY protocol support for original client IP
+- TCP routes can optionally emit a fresh upstream PROXY v2 header with `relay_proxy_protocol_header: true`
 - No protocol validation (relies on upstream)
 - Connection limits managed by OS
 

internal/route/stream/proxyproto.go

@@ -0,0 +1,37 @@
+package stream
+
+import (
+	"fmt"
+	"io"
+	"net"
+
+	"github.com/pires/go-proxyproto"
+)
+
+func writeProxyProtocolHeader(dst io.Writer, src net.Conn) error {
+	srcAddr, ok := src.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		return fmt.Errorf("unexpected source address type %T", src.RemoteAddr())
+	}
+	dstAddr, ok := src.LocalAddr().(*net.TCPAddr)
+	if !ok {
+		return fmt.Errorf("unexpected destination address type %T", src.LocalAddr())
+	}
+
+	header := &proxyproto.Header{
+		Version:           2,
+		Command:           proxyproto.PROXY,
+		TransportProtocol: transportProtocol(srcAddr, dstAddr),
+		SourceAddr:        srcAddr,
+		DestinationAddr:   dstAddr,
+	}
+	_, err := header.WriteTo(dst)
+	return err
+}
+
+func transportProtocol(src, dst *net.TCPAddr) proxyproto.AddressFamilyAndProtocol {
+	if src.IP.To4() != nil && dst.IP.To4() != nil {
+		return proxyproto.TCPv4
+	}
+	return proxyproto.TCPv6
+}

internal/route/stream/tcp_tcp.go

@@ -25,13 +25,15 @@ type TCPTCPStream struct {
 	dst   *net.TCPAddr
 	agent *agentpool.Agent
 
+	relayProxyProtocolHeader bool
+
 	preDial nettypes.HookFunc
 	onRead  nettypes.HookFunc
 
 	closed atomic.Bool
 }
 
-func NewTCPTCPStream(network, dstNetwork, listenAddr, dstAddr string, agent *agentpool.Agent) (nettypes.Stream, error) {
+func NewTCPTCPStream(network, dstNetwork, listenAddr, dstAddr string, agent *agentpool.Agent, relayProxyProtocolHeader bool) (nettypes.Stream, error) {
 	dst, err := net.ResolveTCPAddr(dstNetwork, dstAddr)
 	if err != nil {
 		return nil, err
@@ -40,7 +42,14 @@ func NewTCPTCPStream(network, dstNetwork, listenAddr, dstAddr string, agent *age
 	if err != nil {
 		return nil, err
 	}
-	return &TCPTCPStream{network: network, dstNetwork: dstNetwork, laddr: laddr, dst: dst, agent: agent}, nil
+	return &TCPTCPStream{
+		network:                  network,
+		dstNetwork:               dstNetwork,
+		laddr:                    laddr,
+		dst:                      dst,
+		agent:                    agent,
+		relayProxyProtocolHeader: relayProxyProtocolHeader,
+	}, nil
 }
 
 func (s *TCPTCPStream) ListenAndServe(ctx context.Context, preDial, onRead nettypes.HookFunc) error {
@@ -158,6 +167,14 @@ func (s *TCPTCPStream) handle(ctx context.Context, conn net.Conn) {
 	if s.closed.Load() {
 		return
 	}
+	if s.relayProxyProtocolHeader {
+		if err := writeProxyProtocolHeader(dstConn, conn); err != nil {
+			if !s.closed.Load() {
+				logErr(s, err, "failed to write proxy protocol header")
+			}
+			return
+		}
+	}
 
 	src := conn
 	dst := dstConn

internal/route/stream/tcp_tcp_test.go

@@ -0,0 +1,148 @@
+package stream
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"net"
+	"testing"
+
+	"github.com/pires/go-proxyproto"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint"
+	entrypointtypes "github.com/yusing/godoxy/internal/entrypoint/types"
+	"github.com/yusing/goutils/task"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTCPTCPStreamRelayProxyProtocolHeader(t *testing.T) {
+	t.Run("Disabled", func(t *testing.T) {
+		upstreamLn, err := net.Listen("tcp", "127.0.0.1:0")
+		require.NoError(t, err)
+		defer upstreamLn.Close()
+
+		s, err := NewTCPTCPStream("tcp", "tcp", "127.0.0.1:0", upstreamLn.Addr().String(), nil, false)
+		require.NoError(t, err)
+
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+		require.NoError(t, s.ListenAndServe(ctx, nil, nil))
+		defer s.Close()
+
+		client, err := net.Dial("tcp", s.LocalAddr().String())
+		require.NoError(t, err)
+		defer client.Close()
+
+		_, err = client.Write([]byte("ping"))
+		require.NoError(t, err)
+
+		upstreamConn, err := upstreamLn.Accept()
+		require.NoError(t, err)
+		defer upstreamConn.Close()
+
+		payload := make([]byte, 4)
+		_, err = io.ReadFull(upstreamConn, payload)
+		require.NoError(t, err)
+		require.Equal(t, []byte("ping"), payload)
+	})
+
+	t.Run("Enabled", func(t *testing.T) {
+		upstreamLn, err := net.Listen("tcp", "127.0.0.1:0")
+		require.NoError(t, err)
+		defer upstreamLn.Close()
+
+		s, err := NewTCPTCPStream("tcp", "tcp", "127.0.0.1:0", upstreamLn.Addr().String(), nil, true)
+		require.NoError(t, err)
+
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+		require.NoError(t, s.ListenAndServe(ctx, nil, nil))
+		defer s.Close()
+
+		client, err := net.Dial("tcp", s.LocalAddr().String())
+		require.NoError(t, err)
+		defer client.Close()
+
+		_, err = client.Write([]byte("ping"))
+		require.NoError(t, err)
+
+		upstreamConn, err := upstreamLn.Accept()
+		require.NoError(t, err)
+		defer upstreamConn.Close()
+
+		reader := bufio.NewReader(upstreamConn)
+		header, err := proxyproto.Read(reader)
+		require.NoError(t, err)
+		require.Equal(t, proxyproto.PROXY, header.Command)
+
+		srcAddr, ok := header.SourceAddr.(*net.TCPAddr)
+		require.True(t, ok)
+		dstAddr, ok := header.DestinationAddr.(*net.TCPAddr)
+		require.True(t, ok)
+		require.Equal(t, client.LocalAddr().String(), srcAddr.String())
+		require.Equal(t, s.LocalAddr().String(), dstAddr.String())
+
+		payload := make([]byte, 4)
+		_, err = io.ReadFull(reader, payload)
+		require.NoError(t, err)
+		require.Equal(t, []byte("ping"), payload)
+	})
+}
+
+func TestTCPTCPStreamRelayProxyProtocolUsesIncomingProxyHeader(t *testing.T) {
+	upstreamLn, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer upstreamLn.Close()
+
+	s, err := NewTCPTCPStream("tcp", "tcp", "127.0.0.1:0", upstreamLn.Addr().String(), nil, true)
+	require.NoError(t, err)
+
+	parent := task.GetTestTask(t)
+	ep := entrypoint.NewEntrypoint(parent, &entrypoint.Config{
+		SupportProxyProtocol: true,
+	})
+	entrypointtypes.SetCtx(parent, ep)
+
+	ctx, cancel := context.WithCancel(parent.Context())
+	defer cancel()
+	require.NoError(t, s.ListenAndServe(ctx, nil, nil))
+	defer s.Close()
+
+	client, err := net.Dial("tcp", s.LocalAddr().String())
+	require.NoError(t, err)
+	defer client.Close()
+
+	downstreamHeader := &proxyproto.Header{
+		Version:           2,
+		Command:           proxyproto.PROXY,
+		TransportProtocol: proxyproto.TCPv4,
+		SourceAddr: &net.TCPAddr{
+			IP:   net.ParseIP("203.0.113.10"),
+			Port: 42300,
+		},
+		DestinationAddr: &net.TCPAddr{
+			IP:   net.ParseIP("127.0.0.1"),
+			Port: s.LocalAddr().(*net.TCPAddr).Port,
+		},
+	}
+	_, err = downstreamHeader.WriteTo(client)
+	require.NoError(t, err)
+
+	_, err = client.Write([]byte("pong"))
+	require.NoError(t, err)
+
+	upstreamConn, err := upstreamLn.Accept()
+	require.NoError(t, err)
+	defer upstreamConn.Close()
+
+	reader := bufio.NewReader(upstreamConn)
+	header, err := proxyproto.Read(reader)
+	require.NoError(t, err)
+	require.Equal(t, downstreamHeader.SourceAddr.String(), header.SourceAddr.String())
+	require.Equal(t, downstreamHeader.DestinationAddr.String(), header.DestinationAddr.String())
+
+	payload := make([]byte, 4)
+	_, err = io.ReadFull(reader, payload)
+	require.NoError(t, err)
+	require.Equal(t, []byte("pong"), payload)
+}

providers.example.yml

@@ -26,3 +26,9 @@ app2:
   scheme: udp
   host: 10.0.0.2
   port: 2223:dns
+
+ssh-with-proxy-protocol:
+  scheme: tcp
+  host: 10.0.0.3
+  port: 2222:22
+  relay_proxy_protocol_header: true

scripts/refresh-compat.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+set -euo pipefail
+
+if ! git diff --quiet || ! git diff --cached --quiet; then
+	echo "Working tree is not clean. Commit or stash changes before running refresh-compat.sh." >&2
+	exit 1
+fi
+
+git fetch origin main compat
+git checkout -B compat origin/compat
+patch_file="$(mktemp)"
+trap 'rm -f "$patch_file"' EXIT
+git diff origin/main -- ':(glob)**/*.go' >"$patch_file"
+git checkout -B main origin/main
+git branch -D compat
+git checkout -b compat
+git apply "$patch_file"
+mapfile -t changed_go_files < <(git diff --name-only -- '*.go')
+fmt_go_files=()
+for file in "${changed_go_files[@]}"; do
+	[ -f "$file" ] || continue
+	sed -i 's/sonic\./json\./g' "$file"
+	sed -i 's/"github.com\/bytedance\/sonic"/"encoding\/json"/g' "$file"
+	sed -E -i 's/\bsonic[[:space:]]+"encoding\/json"/json "encoding\/json"/g' "$file"
+	fmt_go_files+=("$file")
+done
+if [ "${#fmt_go_files[@]}" -gt 0 ]; then
+	gofmt -w "${fmt_go_files[@]}"
+fi
+
+# create placeholder files for minified JS files so go vet won't complain
+while IFS= read -r file; do
+	ext="${file##*.}"
+	base="${file%.*}"
+	min_file="${base}-min.${ext}"
+	[ -f "$min_file" ] || : >"$min_file"
+done < <(find internal/ -name '*.js' ! -name '*-min.js')
+
+docker_version="$(
+	git show origin/compat:go.mod |
+		sed -n 's/^[[:space:]]*github.com\/docker\/docker[[:space:]]\+\(v[^[:space:]]\+\).*/\1/p' |
+		head -n 1
+)"
+if [ -n "$docker_version" ]; then
+	go mod edit -droprequire=github.com/docker/docker/api || true
+	go mod edit -droprequire=github.com/docker/docker/client || true
+	go mod edit -require="github.com/docker/docker@${docker_version}"
+fi
+
+go mod tidy
+go mod -C agent tidy
+git add -A
+git commit -m "Apply compat patch"
+go vet ./...
+go vet -C agent ./...

scripts/update-wiki/main.ts

@@ -4,335 +4,336 @@ import { Glob } from "bun";
 import { md2mdx } from "./api-md2mdx";
 
 type ImplDoc = {
-	/** Directory path relative to this repo, e.g. "internal/health/check" */
-	pkgPath: string;
-	/** File name in wiki `src/impl/`, e.g. "internal-health-check.md" */
-	docFileName: string;
-	/** VitePress route path (extensionless), e.g. "/impl/internal-health-check" */
-	docRoute: string;
-	/** Absolute source README path */
-	srcPathAbs: string;
-	/** Absolute destination doc path */
-	dstPathAbs: string;
+  /** Directory path relative to this repo, e.g. "internal/health/check" */
+  pkgPath: string;
+  /** File name in wiki `src/impl/`, e.g. "internal-health-check.md" */
+  docFileName: string;
+  /** VitePress route path (extensionless), e.g. "/impl/internal-health-check" */
+  docRoute: string;
+  /** Absolute source README path */
+  srcPathAbs: string;
+  /** Absolute destination doc path */
+  dstPathAbs: string;
 };
 
 const skipSubmodules = [
-	"internal/go-oidc/",
-	"internal/gopsutil/",
-	"internal/go-proxmox/",
+  "internal/go-oidc/",
+  "internal/gopsutil/",
+  "internal/go-proxmox/",
 ];
 
 function normalizeRepoUrl(raw: string) {
-	let url = (raw ?? "").trim();
-	if (!url) return "";
-	// Common typo: "https://https://github.com/..."
-	url = url.replace(/^https?:\/\/https?:\/\//i, "https://");
-	if (!/^https?:\/\//i.test(url)) url = `https://${url}`;
-	url = url.replace(/\/+$/, "");
-	return url;
+  let url = (raw ?? "").trim();
+  if (!url) return "";
+  // Common typo: "https://https://github.com/..."
+  url = url.replace(/^https?:\/\/https?:\/\//i, "https://");
+  if (!/^https?:\/\//i.test(url)) url = `https://${url}`;
+  url = url.replace(/\/+$/, "");
+  return url;
 }
 
 function sanitizeFileStemFromPkgPath(pkgPath: string) {
-	// Convert a package path into a stable filename.
-	// Example: "internal/go-oidc/example" -> "internal-go-oidc-example"
-	// Keep it readable and unique (uses full path).
-	const parts = pkgPath
-		.split("/")
-		.filter(Boolean)
-		.map((p) => p.replace(/[^A-Za-z0-9._-]+/g, "-"));
-	const joined = parts.join("-");
-	return joined.replace(/-+/g, "-").replace(/^-|-$/g, "");
+  // Convert a package path into a stable filename.
+  // Example: "internal/go-oidc/example" -> "internal-go-oidc-example"
+  // Keep it readable and unique (uses full path).
+  const parts = pkgPath
+    .split("/")
+    .filter(Boolean)
+    .map((p) => p.replace(/[^A-Za-z0-9._-]+/g, "-"));
+  const joined = parts.join("-");
+  return joined.replace(/-+/g, "-").replace(/^-|-$/g, "");
 }
 
 function splitUrlAndFragment(url: string): {
-	urlNoFragment: string;
-	fragment: string;
+  urlNoFragment: string;
+  fragment: string;
 } {
-	const i = url.indexOf("#");
-	if (i === -1) return { urlNoFragment: url, fragment: "" };
-	return { urlNoFragment: url.slice(0, i), fragment: url.slice(i) };
+  const i = url.indexOf("#");
+  if (i === -1) return { urlNoFragment: url, fragment: "" };
+  return { urlNoFragment: url.slice(0, i), fragment: url.slice(i) };
 }
 
 function isExternalOrAbsoluteUrl(url: string) {
-	// - absolute site links: "/foo"
-	// - pure fragments: "#bar"
-	// - external schemes: "https:", "mailto:", "vscode:", etc.
-	//   IMPORTANT: don't treat "config.go:29" as a scheme.
-	if (url.startsWith("/") || url.startsWith("#")) return true;
-	if (url.includes("://")) return true;
-	return /^(https?|mailto|tel|vscode|file|data|ssh|git):/i.test(url);
+  // - absolute site links: "/foo"
+  // - pure fragments: "#bar"
+  // - external schemes: "https:", "mailto:", "vscode:", etc.
+  //   IMPORTANT: don't treat "config.go:29" as a scheme.
+  if (url.startsWith("/") || url.startsWith("#")) return true;
+  if (url.includes("://")) return true;
+  return /^(https?|mailto|tel|vscode|file|data|ssh|git):/i.test(url);
 }
 
 function isRepoSourceFilePath(filePath: string) {
-	// Conservative allow-list: avoid rewriting .md (non-README) which may be VitePress docs.
-	return /\.(go|ts|tsx|js|jsx|py|sh|yml|yaml|json|toml|env|css|html|txt)$/i.test(
-		filePath,
-	);
+  // Conservative allow-list: avoid rewriting .md (non-README) which may be VitePress docs.
+  return /\.(go|ts|tsx|js|jsx|py|sh|yml|yaml|json|toml|env|css|html|txt)$/i.test(
+    filePath,
+  );
 }
 
 function parseFileLineSuffix(urlNoFragment: string): {
-	filePath: string;
-	line?: string;
+  filePath: string;
+  line?: string;
 } {
-	// Match "file.ext:123" (line suffix), while leaving "file.ext" untouched.
-	const m = urlNoFragment.match(/^(.*?):(\d+)$/);
-	if (!m) return { filePath: urlNoFragment };
-	return { filePath: m[1] ?? urlNoFragment, line: m[2] };
+  // Match "file.ext:123" (line suffix), while leaving "file.ext" untouched.
+  const m = urlNoFragment.match(/^(.*?):(\d+)$/);
+  if (!m) return { filePath: urlNoFragment };
+  return { filePath: m[1] ?? urlNoFragment, line: m[2] };
 }
 
 function rewriteMarkdownLinksOutsideFences(
-	md: string,
-	rewriteInline: (url: string) => string,
+  md: string,
+  rewriteInline: (url: string) => string,
 ) {
-	const lines = md.split("\n");
-	let inFence = false;
+  const lines = md.split("\n");
+  let inFence = false;
 
-	for (let i = 0; i < lines.length; i++) {
-		const line = lines[i] ?? "";
-		const trimmed = line.trimStart();
-		if (trimmed.startsWith("```")) {
-			inFence = !inFence;
-			continue;
-		}
-		if (inFence) continue;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    const trimmed = line.trimStart();
+    if (trimmed.startsWith("```")) {
+      inFence = !inFence;
+      continue;
+    }
+    if (inFence) continue;
 
-		// Inline markdown links/images: [text](url "title") / ![alt](url)
-		lines[i] = line.replace(
-			/\]\(([^)\s]+)(\s+"[^"]*")?\)/g,
-			(_full, urlRaw: string, maybeTitle: string | undefined) => {
-				const rewritten = rewriteInline(urlRaw);
-				return `](${rewritten}${maybeTitle ?? ""})`;
-			},
-		);
-	}
+    // Inline markdown links/images: [text](url "title") / ![alt](url)
+    lines[i] = line.replace(
+      /\]\(([^)\s]+)(\s+"[^"]*")?\)/g,
+      (_full, urlRaw: string, maybeTitle: string | undefined) => {
+        const rewritten = rewriteInline(urlRaw);
+        return `](${rewritten}${maybeTitle ?? ""})`;
+      },
+    );
+  }
 
-	return lines.join("\n");
+  return lines.join("\n");
 }
 
 function rewriteImplMarkdown(params: {
-	md: string;
-	pkgPath: string;
-	readmeRelToDocRoute: Map<string, string>;
-	dirPathToDocRoute: Map<string, string>;
-	repoUrl: string;
+  md: string;
+  pkgPath: string;
+  readmeRelToDocRoute: Map<string, string>;
+  dirPathToDocRoute: Map<string, string>;
+  repoUrl: string;
 }) {
-	const { md, pkgPath, readmeRelToDocRoute, dirPathToDocRoute, repoUrl } =
-		params;
+  const { md, pkgPath, readmeRelToDocRoute, dirPathToDocRoute, repoUrl } =
+    params;
 
-	return rewriteMarkdownLinksOutsideFences(md, (urlRaw) => {
-		// Handle angle-bracketed destinations: (<./foo/README.md>)
-		const angleWrapped =
-			urlRaw.startsWith("<") && urlRaw.endsWith(">")
-				? urlRaw.slice(1, -1)
-				: urlRaw;
+  return rewriteMarkdownLinksOutsideFences(md, (urlRaw) => {
+    // Handle angle-bracketed destinations: (<./foo/README.md>)
+    const angleWrapped =
+      urlRaw.startsWith("<") && urlRaw.endsWith(">")
+        ? urlRaw.slice(1, -1)
+        : urlRaw;
 
-		const { urlNoFragment, fragment } = splitUrlAndFragment(angleWrapped);
-		if (!urlNoFragment) return urlRaw;
-		if (isExternalOrAbsoluteUrl(urlNoFragment)) return urlRaw;
+    const { urlNoFragment, fragment } = splitUrlAndFragment(angleWrapped);
+    if (!urlNoFragment) return urlRaw;
+    if (isExternalOrAbsoluteUrl(urlNoFragment)) return urlRaw;
 
-		// 1) Directory links like "common" or "common/" that have a README
-		const dirPathNormalized = urlNoFragment.replace(/\/+$/, "");
-		let rewritten: string | undefined;
-		// First try exact match
-		if (dirPathToDocRoute.has(dirPathNormalized)) {
-			rewritten = `${dirPathToDocRoute.get(dirPathNormalized)}${fragment}`;
-		} else {
-			// Fallback: check parent directories for a README
-			// This handles paths like "internal/watcher/events" where only the parent has a README
-			let parentPath = dirPathNormalized;
-			while (parentPath.includes("/")) {
-				parentPath = parentPath.slice(0, parentPath.lastIndexOf("/"));
-				if (dirPathToDocRoute.has(parentPath)) {
-					rewritten = `${dirPathToDocRoute.get(parentPath)}${fragment}`;
-					break;
-				}
-			}
-		}
-		if (rewritten) {
-			return angleWrapped === urlRaw ? rewritten : `<${rewritten}>`;
-		}
+    // 1) Directory links like "common" or "common/" that have a README
+    const dirPathNormalized = urlNoFragment.replace(/\/+$/, "");
+    let rewritten: string | undefined;
+    // First try exact match
+    if (dirPathToDocRoute.has(dirPathNormalized)) {
+      rewritten = `${dirPathToDocRoute.get(dirPathNormalized)}${fragment}`;
+    } else {
+      // Fallback: check parent directories for a README
+      // This handles paths like "internal/watcher/events" where only the parent has a README
+      let parentPath = dirPathNormalized;
+      while (parentPath.includes("/")) {
+        parentPath = parentPath.slice(0, parentPath.lastIndexOf("/"));
+        if (dirPathToDocRoute.has(parentPath)) {
+          rewritten = `${dirPathToDocRoute.get(parentPath)}${fragment}`;
+          break;
+        }
+      }
+    }
+    if (rewritten) {
+      return angleWrapped === urlRaw ? rewritten : `<${rewritten}>`;
+    }
 
-		// 2) Intra-repo README links -> VitePress impl routes
-		if (/(^|\/)README\.md$/.test(urlNoFragment)) {
-			const targetReadmeRel = path.posix.normalize(
-				path.posix.join(pkgPath, urlNoFragment),
-			);
-			const route = readmeRelToDocRoute.get(targetReadmeRel);
-			if (route) {
-				const rewritten = `${route}${fragment}`;
-				return angleWrapped === urlRaw ? rewritten : `<${rewritten}>`;
-			}
-			return urlRaw;
-		}
+    // 2) Intra-repo README links -> VitePress impl routes
+    if (/(^|\/)README\.md$/.test(urlNoFragment)) {
+      const targetReadmeRel = path.posix.normalize(
+        path.posix.join(pkgPath, urlNoFragment),
+      );
+      const route = readmeRelToDocRoute.get(targetReadmeRel);
+      if (route) {
+        const rewritten = `${route}${fragment}`;
+        return angleWrapped === urlRaw ? rewritten : `<${rewritten}>`;
+      }
+      return urlRaw;
+    }
 
-		// 3) Local source-file references like "config.go:29" -> GitHub blob link
-		if (repoUrl) {
-			const { filePath, line } = parseFileLineSuffix(urlNoFragment);
-			if (isRepoSourceFilePath(filePath)) {
-				const repoRel = path.posix.normalize(
-					path.posix.join(pkgPath, filePath),
-				);
-				const githubUrl = `${repoUrl}/blob/main/${repoRel}${
-					line ? `#L${line}` : ""
-				}`;
-				const rewritten = `${githubUrl}${fragment}`;
-				return angleWrapped === urlRaw ? rewritten : `<${rewritten}>`;
-			}
-		}
+    // 3) Local source-file references like "config.go:29" -> GitHub blob link
+    if (repoUrl) {
+      const { filePath, line } = parseFileLineSuffix(urlNoFragment);
+      if (isRepoSourceFilePath(filePath)) {
+        const repoRel = path.posix.normalize(
+          path.posix.join(pkgPath, filePath),
+        );
+        const githubUrl = `${repoUrl}/blob/main/${repoRel}${
+          line ? `#L${line}` : ""
+        }`;
+        const rewritten = `${githubUrl}${fragment}`;
+        return angleWrapped === urlRaw ? rewritten : `<${rewritten}>`;
+      }
+    }
 
-		return urlRaw;
-	});
+    return urlRaw;
+  });
 }
 
 async function listRepoReadmes(repoRootAbs: string): Promise<string[]> {
-	const glob = new Glob("**/README.md");
-	const readmes: string[] = [];
+  const glob = new Glob("**/README.md");
+  const readmes: string[] = [];
 
-	for await (const rel of glob.scan({
-		cwd: repoRootAbs,
-		onlyFiles: true,
-		dot: false,
-	})) {
-		// Bun returns POSIX-style rel paths.
-		if (rel === "README.md") continue; // exclude root README
-		if (rel.startsWith(".git/") || rel.includes("/.git/")) continue;
-		if (rel.startsWith("node_modules/") || rel.includes("/node_modules/"))
-			continue;
-		let skip = false;
-		for (const submodule of skipSubmodules) {
-			if (rel.startsWith(submodule)) {
-				skip = true;
-				break;
-			}
-		}
-		if (skip) continue;
-		readmes.push(rel);
-	}
+  for await (const rel of glob.scan({
+    cwd: repoRootAbs,
+    onlyFiles: true,
+    dot: false,
+  })) {
+    // Bun returns POSIX-style rel paths.
+    if (rel === "README.md") continue; // exclude root README
+    if (rel.startsWith(".git/") || rel.includes("/.git/")) continue;
+    if (rel.startsWith("node_modules/") || rel.includes("/node_modules/"))
+      continue;
+    let skip = false;
+    for (const submodule of skipSubmodules) {
+      if (rel.startsWith(submodule)) {
+        skip = true;
+        break;
+      }
+    }
+    if (skip) continue;
+    readmes.push(rel);
+  }
 
-	// Deterministic order.
-	readmes.sort((a, b) => a.localeCompare(b));
-	return readmes;
+  // Deterministic order.
+  readmes.sort((a, b) => a.localeCompare(b));
+  return readmes;
 }
 
-async function writeImplDocCopy(params: {
-	srcAbs: string;
-	dstAbs: string;
-	pkgPath: string;
-	readmeRelToDocRoute: Map<string, string>;
-	dirPathToDocRoute: Map<string, string>;
-	repoUrl: string;
+async function writeImplDocToMdx(params: {
+  srcAbs: string;
+  dstAbs: string;
+  pkgPath: string;
+  readmeRelToDocRoute: Map<string, string>;
+  dirPathToDocRoute: Map<string, string>;
+  repoUrl: string;
 }) {
-	const {
-		srcAbs,
-		dstAbs,
-		pkgPath,
-		readmeRelToDocRoute,
-		dirPathToDocRoute,
-		repoUrl,
-	} = params;
-	await mkdir(path.dirname(dstAbs), { recursive: true });
-	await rm(dstAbs, { force: true });
+  const {
+    srcAbs,
+    dstAbs,
+    pkgPath,
+    readmeRelToDocRoute,
+    dirPathToDocRoute,
+    repoUrl,
+  } = params;
+  await mkdir(path.dirname(dstAbs), { recursive: true });
 
-	const original = await readFile(srcAbs, "utf8");
-	const rewritten = rewriteImplMarkdown({
-		md: original,
-		pkgPath,
-		readmeRelToDocRoute,
-		dirPathToDocRoute,
-		repoUrl,
-	});
-	await writeFile(dstAbs, md2mdx(rewritten));
+  const original = await readFile(srcAbs, "utf8");
+  const current = await readFile(dstAbs, "utf-8");
+  const rewritten = md2mdx(
+    rewriteImplMarkdown({
+      md: original,
+      pkgPath,
+      readmeRelToDocRoute,
+      dirPathToDocRoute,
+      repoUrl,
+    }),
+  );
+
+  if (current === rewritten) {
+    return;
+  }
+
+  await writeFile(dstAbs, rewritten, "utf-8");
+  console.log(`[W] ${srcAbs} -> ${dstAbs}`);
 }
 
 async function syncImplDocs(
-	repoRootAbs: string,
-	wikiRootAbs: string,
-): Promise<ImplDoc[]> {
-	const implDirAbs = path.join(wikiRootAbs, "content", "docs", "impl");
-	await mkdir(implDirAbs, { recursive: true });
+  repoRootAbs: string,
+  wikiRootAbs: string,
+): Promise<void> {
+  const implDirAbs = path.join(wikiRootAbs, "content", "docs", "impl");
+  await mkdir(implDirAbs, { recursive: true });
 
-	const readmes = await listRepoReadmes(repoRootAbs);
-	const docs: ImplDoc[] = [];
-	const expectedFileNames = new Set<string>();
-	expectedFileNames.add("index.mdx");
-	expectedFileNames.add("meta.json");
+  const readmes = await listRepoReadmes(repoRootAbs);
+  const expectedFileNames = new Set<string>();
+  expectedFileNames.add("index.mdx");
+  expectedFileNames.add("meta.json");
 
-	const repoUrl = normalizeRepoUrl(
-		Bun.env.REPO_URL ?? "https://github.com/yusing/godoxy",
-	);
+  const repoUrl = normalizeRepoUrl(
+    Bun.env.REPO_URL ?? "https://github.com/yusing/godoxy",
+  );
 
-	// Precompute mapping from repo-relative README path -> VitePress route.
-	// This lets us rewrite intra-repo README links when copying content.
-	const readmeRelToDocRoute = new Map<string, string>();
+  // Precompute mapping from repo-relative README path -> VitePress route.
+  // This lets us rewrite intra-repo README links when copying content.
+  const readmeRelToDocRoute = new Map<string, string>();
 
-	// Also precompute mapping from directory path -> VitePress route.
-	// This handles links like "[`common/`](common)" that point to directories with READMEs.
-	const dirPathToDocRoute = new Map<string, string>();
+  // Also precompute mapping from directory path -> VitePress route.
+  // This handles links like "[`common/`](common)" that point to directories with READMEs.
+  const dirPathToDocRoute = new Map<string, string>();
 
-	for (const readmeRel of readmes) {
-		const pkgPath = path.posix.dirname(readmeRel);
-		if (!pkgPath || pkgPath === ".") continue;
+  for (const readmeRel of readmes) {
+    const pkgPath = path.posix.dirname(readmeRel);
+    if (!pkgPath || pkgPath === ".") continue;
 
-		const docStem = sanitizeFileStemFromPkgPath(pkgPath);
-		if (!docStem) continue;
-		const route = `/impl/${docStem}`;
-		readmeRelToDocRoute.set(readmeRel, route);
-		dirPathToDocRoute.set(pkgPath, route);
-	}
+    const docStem = sanitizeFileStemFromPkgPath(pkgPath);
+    if (!docStem) continue;
+    const route = `/impl/${docStem}`;
+    readmeRelToDocRoute.set(readmeRel, route);
+    dirPathToDocRoute.set(pkgPath, route);
+  }
 
-	for (const readmeRel of readmes) {
-		const pkgPath = path.posix.dirname(readmeRel);
-		if (!pkgPath || pkgPath === ".") continue;
+  for (const readmeRel of readmes) {
+    const pkgPath = path.posix.dirname(readmeRel);
+    if (!pkgPath || pkgPath === ".") continue;
 
-		const docStem = sanitizeFileStemFromPkgPath(pkgPath);
-		if (!docStem) continue;
-		const docFileName = `${docStem}.mdx`;
-		const docRoute = `/impl/${docStem}`;
+    const docStem = sanitizeFileStemFromPkgPath(pkgPath);
+    if (!docStem) continue;
+    const docFileName = `${docStem}.mdx`;
 
-		const srcPathAbs = path.join(repoRootAbs, readmeRel);
-		const dstPathAbs = path.join(implDirAbs, docFileName);
+    const srcPathAbs = path.join(repoRootAbs, readmeRel);
+    const dstPathAbs = path.join(implDirAbs, docFileName);
 
-		await writeImplDocCopy({
-			srcAbs: srcPathAbs,
-			dstAbs: dstPathAbs,
-			pkgPath,
-			readmeRelToDocRoute,
-			dirPathToDocRoute,
-			repoUrl,
-		});
+    await writeImplDocToMdx({
+      srcAbs: srcPathAbs,
+      dstAbs: dstPathAbs,
+      pkgPath,
+      readmeRelToDocRoute,
+      dirPathToDocRoute,
+      repoUrl,
+    });
 
-		docs.push({ pkgPath, docFileName, docRoute, srcPathAbs, dstPathAbs });
-		expectedFileNames.add(docFileName);
-	}
+    expectedFileNames.add(docFileName);
+  }
 
-	// Clean orphaned impl docs.
-	const existing = await readdir(implDirAbs, { withFileTypes: true });
-	for (const ent of existing) {
-		if (!ent.isFile()) continue;
-		if (!ent.name.endsWith(".md")) continue;
-		if (expectedFileNames.has(ent.name)) continue;
-		await rm(path.join(implDirAbs, ent.name), { force: true });
-	}
-
-	// Deterministic for sidebar.
-	docs.sort((a, b) => a.pkgPath.localeCompare(b.pkgPath));
-	return docs;
+  // Clean orphaned impl docs.
+  const existing = await readdir(implDirAbs, { withFileTypes: true });
+  for (const ent of existing) {
+    if (!ent.isFile()) continue;
+    if (!ent.name.endsWith(".md")) continue;
+    if (expectedFileNames.has(ent.name)) continue;
+    await rm(path.join(implDirAbs, ent.name), { force: true });
+  }
 }
 
 async function main() {
-	// This script lives in `scripts/update-wiki/`, so repo root is two levels up.
-	const repoRootAbs = path.resolve(import.meta.dir);
+  // This script lives in `scripts/update-wiki/`, so repo root is two levels up.
+  const repoRootAbs = path.resolve(import.meta.dir, "../..");
 
-	// Required by task, but allow overriding via env for convenience.
-	const wikiRootAbs = Bun.env.DOCS_DIR
-		? path.resolve(repoRootAbs, Bun.env.DOCS_DIR)
-		: undefined;
+  // Required by task, but allow overriding via env for convenience.
+  const wikiRootAbs = Bun.env.DOCS_DIR
+    ? path.resolve(repoRootAbs, Bun.env.DOCS_DIR)
+    : undefined;
 
-	if (!wikiRootAbs) {
-		throw new Error("DOCS_DIR is not set");
-	}
+  if (!wikiRootAbs) {
+    throw new Error("DOCS_DIR is not set");
+  }
 
-	await syncImplDocs(repoRootAbs, wikiRootAbs);
+  await syncImplDocs(repoRootAbs, wikiRootAbs);
 }
 
 await main();

socket-proxy.Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.26.0-alpine AS deps
+FROM golang:1.26.1-alpine AS deps
 HEALTHCHECK NONE
 
 # package version does not matter

socket-proxy/go.mod

@@ -1,13 +1,13 @@
 module github.com/yusing/godoxy/socketproxy
 
-go 1.26.0
+go 1.26.1
 
 replace github.com/yusing/goutils => ../goutils
 
 require (
 	github.com/gorilla/mux v1.8.1
 	github.com/yusing/goutils v0.7.0
-	golang.org/x/net v0.50.0
+	golang.org/x/net v0.51.0
 )
 
 require (
@@ -17,6 +17,6 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/puzpuzpuz/xsync/v4 v4.4.0 // indirect
 	github.com/rs/zerolog v1.34.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 )

socket-proxy/go.sum

@@ -21,13 +21,13 @@ github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=