fix(fileserver): correct middleware handler to avoid self recursion

- fixed url being overridden
- fixed sub-subdomain being stripped
- fixed empty url for routes with FQDN aliases

.env.example

@@ -8,6 +8,8 @@ TZ=ETC/UTC
 GODOXY_UID=1000
 GODOXY_GID=1000
 
+# Set GODOXY_API_JWT_SECURE=false to allow http
+GODOXY_API_JWT_SECURE=true
 # API JWT Configuration (common)
 # generate secret with `openssl rand -base64 32`
 GODOXY_API_JWT_SECRET=

.github/workflows/docker-image.yml

@@ -84,10 +84,10 @@ jobs:
           outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
           cache-from: |
             type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}
-            type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
+          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
           cache-to: |
             type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max
-            type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
+          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
           build-args: |
             VERSION=${{ github.ref_name }}
             MAKE_ARGS=${{ env.MAKE_ARGS }}

.gitignore

@@ -30,6 +30,7 @@ todo.md
 mtrace.json
 .env
 .cursorrules
+.cursor/
 .windsurfrules
 test.Dockerfile
 
@@ -37,4 +38,4 @@ node_modules/
 tsconfig.tsbuildinfo
 
 !agent.compose.yml
-!agent/pkg/**
+!agent/pkg/**

.golangci.yml

@@ -2,23 +2,24 @@ version: "2"
 linters:
   default: all
   disable:
-    - bodyclose
+    # - bodyclose
     - containedctx
-    - contextcheck
+    # - contextcheck
     - cyclop
     - depguard
-    - dupl
+    # - dupl
     - err113
     - exhaustive
     - exhaustruct
+    - funcorder
     - forcetypeassert
     - gochecknoglobals
     - gochecknoinits
     - gocognit
     - goconst
     - gocyclo
+    - godot
     - gomoddirectives
-    - gosec
     - gosmopolitan
     - ireturn
     - lll
@@ -27,20 +28,21 @@ linters:
     - mnd
     - nakedret
     - nestif
-    - nilnil
     - nlreturn
-    - noctx
     - nonamedreturns
+    - noinlineerr
     - paralleltest
-    - prealloc
+    - revive
     - rowserrcheck
     - sqlclosecheck
+    - tagalign
     - tagliatelle
     - testpackage
     - tparallel
     - varnamelen
     - wrapcheck
     - wsl
+    - wsl_v5
   settings:
     errcheck:
       exclude-functions:

.trunk/trunk.yaml

@@ -2,17 +2,17 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.15
+  version: 1.24.0
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
     - id: trunk
-      ref: v1.6.8
+      ref: v1.7.1
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
   enabled:
-    - node@18.20.5
+    - node@22.16.0
     - python@3.10.8
     - go@1.24.3
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
@@ -21,18 +21,18 @@ lint:
     - markdownlint
     - yamllint
   enabled:
-    - checkov@3.2.416
-    - golangci-lint2@2.1.6
+    - checkov@3.2.457
+    - golangci-lint2@2.3.0
     - hadolint@2.12.1-beta
     - actionlint@1.7.7
     - git-diff-check
     - gofmt@1.20.4
-    - osv-scanner@2.0.2
+    - osv-scanner@2.0.3
     - oxipng@9.1.5
-    - prettier@3.5.3
+    - prettier@3.6.2
     - shellcheck@0.10.0
     - shfmt@3.6.0
-    - trufflehog@3.88.29
+    - trufflehog@3.90.2
 actions:
   disabled:
     - trunk-announce

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.24.3-alpine AS deps
+FROM golang:1.25.0-alpine AS deps
 HEALTHCHECK NONE
 
 # package version does not matter

Makefile

@@ -3,8 +3,10 @@ export VERSION ?= $(shell git describe --tags --abbrev=0)
 export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux
 
-LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
+WEBUI_DIR ?= ../godoxy-frontend
+DOCS_DIR ?= ../godoxy-wiki
 
+LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
 
 ifeq ($(agent), 1)
 	NAME = godoxy-agent
@@ -29,9 +31,9 @@ ifeq ($(race), 1)
 endif
 
 ifeq ($(debug), 1)
-	CGO_ENABLED = 0
+	CGO_ENABLED = 1
 	GODOXY_DEBUG = 1
-	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug
+	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug -asan
 else ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
@@ -134,4 +136,16 @@ cloc:
 	cloc --include-lang=Go --not-match-f '_test.go$$' .
 
 push-github:
-	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+
+gen-swagger:
+	swag init --parseDependency --parseInternal -g handler.go -d internal/api -o internal/api/v1/docs
+	python3 scripts/fix-swagger-json.py
+
+gen-swagger-markdown: gen-swagger
+	swagger generate markdown -f internal/api/v1/docs/swagger.yaml --skip-validation --output ${DOCS_DIR}/src/API.md
+
+gen-api-types: gen-swagger
+	# --disable-throw-on-error
+	pnpx swagger-typescript-api generate --sort-types --generate-union-enums --axios --add-readonly --route-types \
+		 --responses -o ${WEBUI_DIR}/src/lib -n api.ts -p internal/api/v1/docs/swagger.json

README.md

@@ -16,6 +16,8 @@ A lightweight, simple, and performant reverse proxy with WebUI.
 
 <h5>EN | <a href="README_CHT.md">中文</a></h5>
 
+Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)! (Thanks to [@ismesid](https://github.com/arevindh))
+
 <img src="screenshots/webui.jpg" style="max-width: 650">
 
 </div>

README_CHT.md

@@ -16,6 +16,8 @@
 
 <h5><a href="README.md">EN</a> | 中文</h5>
 
+有疑問? 問 [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)！（鳴謝 [@ismesid](https://github.com/arevindh)）
+
 <img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
 
 </div>

agent/cmd/main.go

@@ -1,11 +1,14 @@
 package main
 
 import (
+	"os"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/env"
 	"github.com/yusing/go-proxy/agent/pkg/server"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	httpServer "github.com/yusing/go-proxy/internal/net/gphttp/server"
 	"github.com/yusing/go-proxy/internal/task"
@@ -14,6 +17,12 @@ import (
 )
 
 func main() {
+	writer := zerolog.ConsoleWriter{
+		Out:        os.Stderr,
+		TimeFormat: "01-02 15:04",
+	}
+	zerolog.TimeFieldFormat = writer.TimeFormat
+	log.Logger = zerolog.New(writer).Level(zerolog.InfoLevel).With().Timestamp().Logger()
 	ca := &agent.PEMPair{}
 	err := ca.Load(env.AgentCACert)
 	if err != nil {
@@ -34,11 +43,11 @@ func main() {
 		gperr.LogFatal("init SSL error", err)
 	}
 
-	logging.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
-	logging.Info().Msgf("Agent name: %s", env.AgentName)
-	logging.Info().Msgf("Agent port: %d", env.AgentPort)
+	log.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
+	log.Info().Msgf("Agent name: %s", env.AgentName)
+	log.Info().Msgf("Agent port: %d", env.AgentPort)
 
-	logging.Info().Msg(`
+	log.Info().Msg(`
 Tips:
 1. To change the agent name, you can set the AGENT_NAME environment variable.
 2. To change the agent port, you can set the AGENT_PORT environment variable.
@@ -54,7 +63,7 @@ Tips:
 	server.StartAgentServer(t, opts)
 
 	if socketproxy.ListenAddr != "" {
-		logging.Info().Msgf("Docker socket listening on: %s", socketproxy.ListenAddr)
+		log.Info().Msgf("Docker socket listening on: %s", socketproxy.ListenAddr)
 		opts := httpServer.Options{
 			Name:     "docker",
 			HTTPAddr: socketproxy.ListenAddr,

agent/go.mod

@@ -1,92 +1,109 @@
 module github.com/yusing/go-proxy/agent
 
-go 1.24.3
+go 1.25.0
 
 replace github.com/yusing/go-proxy => ..
 
 replace github.com/yusing/go-proxy/socketproxy => ../socket-proxy
 
-replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
+replace github.com/yusing/go-proxy/internal/utils => ../internal/utils
 
-replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97
+replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d
 
 require (
-	github.com/coder/websocket v1.8.13
+	github.com/gorilla/websocket v1.5.3
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.10.0
 	github.com/yusing/go-proxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/go-proxy/internal/utils v0.0.0
 	github.com/yusing/go-proxy/socketproxy v0.0.0-00010101000000-000000000000
 )
 
 require (
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/PuerkitoBio/goquery v1.10.3 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/buger/goterm v1.0.4 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/bytedance/sonic v1.14.0 // indirect
+	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/djherbis/times v1.6.0 // indirect
-	github.com/docker/cli v28.1.1+incompatible // indirect
-	github.com/docker/docker v28.1.1+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/cli v28.3.3+incompatible // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.3 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
-	github.com/go-acme/lego/v4 v4.23.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/gin-gonic/gin v1.10.1 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.26.0 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/goccy/go-yaml v1.17.1 // indirect
+	github.com/go-playground/validator/v10 v10.27.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/gotify/server/v2 v2.6.3 // indirect
-	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
-	github.com/luthermonson/go-proxmox v0.2.2 // indirect
-	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.66 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/puzpuzpuz/xsync/v4 v4.1.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.51.0 // indirect
-	github.com/samber/lo v1.50.0 // indirect
-	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/quic-go/quic-go v0.54.0 // indirect
+	github.com/samber/lo v1.51.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
 	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.4 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.7 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/spf13/afero v1.14.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
+	github.com/yusing/ds v0.1.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/mock v0.5.2 // indirect
-	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/sync v0.14.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.25.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/arch v0.20.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

agent/go.sum

@@ -6,12 +6,18 @@ github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiU
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
-github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
-github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
-github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
+github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
+github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
+github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
@@ -19,30 +25,29 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/diskfs/go-diskfs v1.6.0 h1:YmK5+vLSfkwC6kKKRTRPGaDGNF+Xh8FXeiNHwryDfu4=
-github.com/diskfs/go-diskfs v1.6.0/go.mod h1:bRFumZeGFCO8C2KNswrQeuj2m1WCVr4Ms5IjWMczMDk=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
-github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
-github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo=
+github.com/docker/cli v28.3.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.8.3 h1:K+0AjQp63JEZTEMZiwsI9g0+hAMNohwUOtY0RPGexmc=
-github.com/ebitengine/purego v0.8.3/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw=
+github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
 github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
-github.com/go-acme/lego/v4 v4.23.1 h1:lZ5fGtGESA2L9FB8dNTvrQUq3/X4QOb8ExkKyY7LSV4=
-github.com/go-acme/lego/v4 v4.23.1/go.mod h1:7UMVR7oQbIYw6V7mTgGwi4Er7B6Ww0c+c8feiBM0EgI=
-github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
-github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
+github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
@@ -54,26 +59,21 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
-github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
-github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
-github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
-github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
+github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1 h1:fsSqE28vU0PRkq9FdekirRoDBeYJ+UaJ9dTErdXflWg=
-github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1/go.mod h1:av6ggKWQz6SEkFyShjDEgVqiIB0RHvEQNIkPeqgJEeE=
-github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97 h1:i52gBYamrKs4DHT1+SiobW2im5UgTMVXK1KIL1djSeA=
-github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97/go.mod h1:XvbfPmmrdpLrsKwj3irYkxt5ygyMcDsTQTJ7cnZ9RNQ=
+github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d h1:bNqtnmyhGDxpBSaFYIo7ferYRIc/QzlaGfIhh/JmMPk=
+github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d/go.mod h1:7iQ/w4jyGYJCZ56dZLNztwM4atNxj5C2HNTBxhLvV8A=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4=
-github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -82,18 +82,16 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotify/server/v2 v2.6.3 h1:2sLDRsQ/No1+hcFwFDvjNtwKepfCSIR8L3BkXl/Vz1I=
 github.com/gotify/server/v2 v2.6.3/go.mod h1:IyeQ/iL3vetcuqUAzkCMVObIMGGJx4zb13/mVatIwE8=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
-github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
-github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
-github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
-github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
-github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
-github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
@@ -102,10 +100,6 @@ github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/luthermonson/go-proxmox v0.2.2 h1:BZ7VEj302wxw2i/EwTcyEiBzQib8teocB2SSkLHyySY=
-github.com/luthermonson/go-proxmox v0.2.2/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
-github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
-github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -113,8 +107,6 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
-github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
@@ -123,46 +115,43 @@ github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7z
 github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
 github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
 github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
-github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
-github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
-github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/puzpuzpuz/xsync/v4 v4.1.0 h1:x9eHRl4QhZFIPJ17yl4KKW9xLyVWbb3/Yq4SXpjF71U=
 github.com/puzpuzpuz/xsync/v4 v4.1.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
-github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
+github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
+github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
-github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
-github.com/samber/slog-common v0.18.1 h1:c0EipD/nVY9HG5shgm/XAs67mgpWDMF+MmtptdJNCkQ=
-github.com/samber/slog-common v0.18.1/go.mod h1:QNZiNGKakvrfbJ2YglQXLCZauzkI9xZBjOhWFKS3IKk=
+github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
+github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
+github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
 github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
 github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
@@ -170,44 +159,57 @@ github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuL
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
 github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
 github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
 github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
+github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yusing/ds v0.1.0 h1:aiZs7jPMN3MEChUsddMYjpZFHhhAmkxrwRyIUnGy5AU=
+github.com/yusing/ds v0.1.0/go.mod h1:KC785+mtt+Bau0LLR+slExDaUjeiqLT1k9Or6Rpryh4=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 h1:lUsI2TYsQw2r1IASwoROaCnjdj2cvC2+Jbxvk6nHnWU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0/go.mod h1:2HpZxxQurfGxJlJDblybejHB6RX6pmExPNe517hREw4=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
-go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI=
-go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
+go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
+go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
+go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
 go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
+golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -216,8 +218,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -225,8 +227,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -239,8 +241,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -250,18 +252,17 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -273,8 +274,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -293,10 +294,10 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -305,24 +306,23 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 h1:GVIKPyP/kLIyVOgOnTwFOrvQaQUzOzGMCxgFUOEmm24=
-google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422/go.mod h1:b6h1vNKhxaSoEI+5jc3PJUCustfli/mRab7295pY7rw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 h1:IkAfh6J/yllPtpYFU0zZN1hUPYdT0ogkBT/9hMxHjvg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8=
+google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a h1:tPE/Kp+x9dMSwUm/uM0JKK0IfdiJkwAbSMSeZBXXJXc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
+google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
+google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
+google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
+google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

agent/pkg/agent/agent_pool.go

@@ -0,0 +1,57 @@
+package agent
+
+import (
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+var agentPool = functional.NewMapOf[string, *AgentConfig]()
+
+func init() {
+	if common.IsTest {
+		agentPool.Store("test-agent", &AgentConfig{
+			Addr: "test-agent",
+		})
+	}
+}
+
+func GetAgent(agentAddrOrDockerHost string) (*AgentConfig, bool) {
+	if !IsDockerHostAgent(agentAddrOrDockerHost) {
+		return getAgentByAddr(agentAddrOrDockerHost)
+	}
+	return getAgentByAddr(GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
+}
+
+func GetAgentByName(name string) (*AgentConfig, bool) {
+	for _, agent := range agentPool.Range {
+		if agent.Name == name {
+			return agent, true
+		}
+	}
+	return nil, false
+}
+
+func AddAgent(agent *AgentConfig) {
+	agentPool.Store(agent.Addr, agent)
+}
+
+func RemoveAgent(agent *AgentConfig) {
+	agentPool.Delete(agent.Addr)
+}
+
+func RemoveAllAgents() {
+	agentPool.Clear()
+}
+
+func ListAgents() []*AgentConfig {
+	agents := make([]*AgentConfig, 0, agentPool.Size())
+	for _, agent := range agentPool.Range {
+		agents = append(agents, agent)
+	}
+	return agents
+}
+
+func getAgentByAddr(addr string) (agent *AgentConfig, ok bool) {
+	agent, ok = agentPool.Load(addr)
+	return
+}

agent/pkg/agent/config.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
@@ -15,20 +14,20 @@ import (
 	"time"
 
 	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/agent/pkg/certs"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/pkg"
 )
 
 type AgentConfig struct {
-	Addr string
+	Addr    string `json:"addr"`
+	Name    string `json:"name"`
+	Version string `json:"version"`
 
 	httpClient *http.Client
 	tlsConfig  *tls.Config
-	name       string
-	version    string
 	l          zerolog.Logger
-}
+} // @name Agent
 
 const (
 	EndpointVersion    = "/version"
@@ -113,9 +112,9 @@ func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte)
 		return err
 	}
 
-	cfg.name = string(name)
+	cfg.Name = string(name)
 
-	cfg.l = logging.With().Str("agent", cfg.name).Logger()
+	cfg.l = log.With().Str("agent", cfg.Name).Logger()
 
 	// check agent version
 	agentVersionBytes, _, err := cfg.Fetch(ctx, EndpointVersion)
@@ -123,14 +122,14 @@ func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte)
 		return err
 	}
 
-	cfg.version = string(agentVersionBytes)
-	agentVersion := pkg.ParseVersion(cfg.version)
+	cfg.Version = string(agentVersionBytes)
+	agentVersion := pkg.ParseVersion(cfg.Version)
 
 	if serverVersion.IsNewerMajorThan(agentVersion) {
-		logging.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.name, serverVersion, agentVersion)
+		log.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.Name, serverVersion, agentVersion)
 	}
 
-	logging.Info().Msgf("agent %q initialized", cfg.name)
+	log.Info().Msgf("agent %q initialized", cfg.Name)
 	return nil
 }
 
@@ -180,18 +179,6 @@ func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
 	return dialer.DialContext(ctx, "tcp", cfg.Addr)
 }
 
-func (cfg *AgentConfig) Name() string {
-	return cfg.name
-}
-
 func (cfg *AgentConfig) String() string {
-	return cfg.name + "@" + cfg.Addr
-}
-
-func (cfg *AgentConfig) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]string{
-		"name":    cfg.Name(),
-		"addr":    cfg.Addr,
-		"version": cfg.version,
-	})
+	return cfg.Name + "@" + cfg.Addr
 }

agent/pkg/agent/http_requests.go

@@ -5,7 +5,7 @@ import (
 	"io"
 	"net/http"
 
-	"github.com/coder/websocket"
+	"github.com/gorilla/websocket"
 )
 
 func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
@@ -42,8 +42,12 @@ func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int
 }
 
 func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
-	return websocket.Dial(ctx, APIBaseURL+endpoint, &websocket.DialOptions{
-		HTTPClient: cfg.NewHTTPClient(),
-		Host:       AgentHost,
+	transport := cfg.Transport()
+	dialer := websocket.Dialer{
+		NetDialContext:    transport.DialContext,
+		NetDialTLSContext: transport.DialTLSContext,
+	}
+	return dialer.DialContext(ctx, APIBaseURL+endpoint, http.Header{
+		"Host": {AgentHost},
 	})
 }

agent/pkg/agent/new_agent.go

@@ -1,6 +1,8 @@
 package agent
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
@@ -8,6 +10,7 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
+	"io"
 	"math/big"
 	"strings"
 	"time"
@@ -74,6 +77,62 @@ func (p *PEMPair) Load(data string) (err error) {
 	return nil
 }
 
+func (p *PEMPair) Encrypt(encKey []byte) (PEMPair, error) {
+	cert, err := encrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := encrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func (p *PEMPair) Decrypt(encKey []byte) (PEMPair, error) {
+	cert, err := decrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := decrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func encrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	return gcm.Seal(nonce, nonce, data, nil), nil
+}
+
+func decrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := data[:gcm.NonceSize()]
+	ciphertext := data[gcm.NonceSize():]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
 func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
 	cert, err := tls.X509KeyPair(p.Cert, p.Key)
 	return &cert, err

agent/pkg/agent/new_agent_test.go

@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -89,3 +90,23 @@ func TestServerClient(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, resp.StatusCode, http.StatusOK)
 }
+
+func TestPEMPairEncryptDecrypt(t *testing.T) {
+	encKey := make([]byte, 32)
+	_, err := rand.Read(encKey)
+	require.NoError(t, err)
+
+	ca, _, _, err := NewAgent()
+	require.NoError(t, err)
+
+	encCA, err := ca.Encrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, encCA)
+
+	decCA, err := encCA.Decrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, decCA)
+
+	require.Equal(t, string(ca.Cert), string(decCA.Cert))
+	require.Equal(t, string(ca.Key), string(decCA.Key))
+}

agent/pkg/handler/check_health.go

@@ -8,11 +8,11 @@ import (
 	"os"
 	"strings"
 
-	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/go-proxy/internal/types"
 	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
 )
 
-var defaultHealthConfig = health.DefaultHealthConfig()
+var defaultHealthConfig = types.DefaultHealthConfig()
 
 func CheckHealth(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
@@ -22,7 +22,7 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var result *health.HealthCheckResult
+	var result *types.HealthCheckResult
 	var err error
 	switch scheme {
 	case "fileserver":
@@ -32,7 +32,7 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		_, err := os.Stat(path)
-		result = &health.HealthCheckResult{Healthy: err == nil}
+		result = &types.HealthCheckResult{Healthy: err == nil}
 		if err != nil {
 			result.Detail = err.Error()
 		}

agent/pkg/handler/check_health_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/go-proxy/internal/types"
 )
 
 func TestCheckHealthHTTP(t *testing.T) {
@@ -81,7 +81,7 @@ func TestCheckHealthHTTP(t *testing.T) {
 			require.Equal(t, recorder.Code, tt.expectedStatus)
 
 			if tt.expectedStatus == http.StatusOK {
-				var result health.HealthCheckResult
+				var result types.HealthCheckResult
 				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 				require.Equal(t, result.Healthy, tt.expectedHealthy)
 			}
@@ -125,7 +125,7 @@ func TestCheckHealthFileServer(t *testing.T) {
 
 			require.Equal(t, recorder.Code, tt.expectedStatus)
 
-			var result health.HealthCheckResult
+			var result types.HealthCheckResult
 			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 			require.Equal(t, result.Healthy, tt.expectedHealthy)
 			require.Equal(t, result.Detail, tt.expectedDetail)
@@ -172,9 +172,9 @@ func TestCheckHealthTCPUDP(t *testing.T) {
 		{
 			name:            "InvalidHost",
 			scheme:          "tcp",
-			host:            "invalid",
+			host:            "",
 			port:            8080,
-			expectedStatus:  http.StatusOK,
+			expectedStatus:  http.StatusBadRequest,
 			expectedHealthy: false,
 		},
 		{
@@ -188,9 +188,17 @@ func TestCheckHealthTCPUDP(t *testing.T) {
 		{
 			name:            "InvalidHost",
 			scheme:          "udp",
-			host:            "invalid",
+			host:            "",
 			port:            8080,
-			expectedStatus:  http.StatusOK,
+			expectedStatus:  http.StatusBadRequest,
+			expectedHealthy: false,
+		},
+		{
+			name:            "Port in both host and port",
+			scheme:          "tcp",
+			host:            "localhost:1234",
+			port:            1234,
+			expectedStatus:  http.StatusBadRequest,
 			expectedHealthy: false,
 		},
 	}
@@ -208,9 +216,11 @@ func TestCheckHealthTCPUDP(t *testing.T) {
 
 			require.Equal(t, recorder.Code, tt.expectedStatus)
 
-			var result health.HealthCheckResult
-			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
-			require.Equal(t, result.Healthy, tt.expectedHealthy)
+			if tt.expectedStatus == http.StatusOK {
+				var result types.HealthCheckResult
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+				require.Equal(t, result.Healthy, tt.expectedHealthy)
+			}
 		})
 	}
 }

agent/pkg/handler/handler.go

@@ -1,18 +1,16 @@
 package handler
 
 import (
-	"context"
 	"fmt"
-	"net"
 	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"time"
 
+	"github.com/gin-gonic/gin"
+	"github.com/gorilla/websocket"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/env"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/pkg"
+	socketproxy "github.com/yusing/go-proxy/socketproxy/pkg"
 )
 
 type ServeMux struct{ *http.ServeMux }
@@ -25,33 +23,35 @@ func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
 	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
 }
 
-var dialer = &net.Dialer{KeepAlive: 1 * time.Second}
-
-func dialDockerSocket(ctx context.Context, _, _ string) (net.Conn, error) {
-	return dialer.DialContext(ctx, "unix", env.DockerSocket)
-}
-
-func dockerSocketHandler() http.HandlerFunc {
-	rp := httputil.NewSingleHostReverseProxy(&url.URL{
-		Scheme: "http",
-		Host:   "api.moby.localhost",
-	})
-	rp.Transport = &http.Transport{
-		DialContext: dialDockerSocket,
-	}
-	return rp.ServeHTTP
+var upgrader = &websocket.Upgrader{
+	// no origin check needed for internal websocket
+	CheckOrigin: func(r *http.Request) bool {
+		return true
+	},
 }
 
 func NewAgentHandler() http.Handler {
+	gin.SetMode(gin.ReleaseMode)
 	mux := ServeMux{http.NewServeMux()}
 
+	metricsHandler := gin.Default()
+	{
+		metrics := metricsHandler.Group(agent.APIEndpointBase)
+		metrics.GET(agent.EndpointSystemInfo, func(c *gin.Context) {
+			c.Set("upgrader", upgrader)
+			systeminfo.Poller.ServeHTTP(c)
+		})
+	}
+
 	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
-	mux.HandleEndpoint("GET", agent.EndpointVersion, pkg.GetVersionHTTPHandler())
+	mux.HandleEndpoint("GET", agent.EndpointVersion, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, pkg.GetVersion())
+	})
 	mux.HandleEndpoint("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, env.AgentName)
 	})
 	mux.HandleEndpoint("GET", agent.EndpointHealth, CheckHealth)
-	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, systeminfo.Poller.ServeHTTP)
-	mux.ServeMux.HandleFunc("/", dockerSocketHandler())
+	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, metricsHandler.ServeHTTP)
+	mux.ServeMux.HandleFunc("/", socketproxy.DockerSocketHandler(env.DockerSocket))
 	return mux
 }

agent/pkg/server/server.go

@@ -6,9 +6,9 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/agent/pkg/env"
 	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp/server"
 	"github.com/yusing/go-proxy/internal/task"
 )
@@ -33,12 +33,11 @@ func StartAgentServer(parent task.Parent, opt Options) {
 		tlsConfig.ClientAuth = tls.NoClientCert
 	}
 
-	logger := logging.GetLogger()
 	agentServer := &http.Server{
 		Addr:      fmt.Sprintf(":%d", opt.Port),
 		Handler:   handler.NewAgentHandler(),
 		TLSConfig: tlsConfig,
 	}
 
-	server.Start(parent, agentServer, nil, logger)
+	server.Start(parent, agentServer, nil, &log.Logger)
 }

cmd/main.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"sync"
 
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
@@ -22,11 +23,7 @@ import (
 func parallel(fns ...func()) {
 	var wg sync.WaitGroup
 	for _, fn := range fns {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			fn()
-		}()
+		wg.Go(fn)
 	}
 	wg.Wait()
 }
@@ -35,8 +32,8 @@ func main() {
 	initProfiling()
 
 	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
-	logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
-	logging.Trace().Msg("trace enabled")
+	log.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
+	log.Trace().Msg("trace enabled")
 	parallel(
 		dnsproviders.InitProviders,
 		homepage.InitIconListCache,
@@ -45,7 +42,7 @@ func main() {
 	)
 
 	if common.APIJWTSecret == nil {
-		logging.Warn().Msg("API_JWT_SECRET is not set, using random key")
+		log.Warn().Msg("API_JWT_SECRET is not set, using random key")
 		common.APIJWTSecret = common.RandomJWTKey()
 	}
 
@@ -62,7 +59,7 @@ func main() {
 		Proxy: true,
 	})
 	if err := auth.Initialize(); err != nil {
-		logging.Fatal().Err(err).Msg("failed to initialize authentication")
+		log.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
 	// API Handler needs to start after auth is initialized.
 	cfg.StartServers(&config.StartServersOptions{
@@ -78,7 +75,7 @@ func main() {
 func prepareDirectory(dir string) {
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 		if err = os.MkdirAll(dir, 0o755); err != nil {
-			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
+			log.Fatal().Msgf("failed to create directory %s: %v", dir, err)
 		}
 	}
 }

cmd/pprof_prof.go

@@ -3,18 +3,43 @@
 package main
 
 import (
-	"log"
 	"net/http"
 	_ "net/http/pprof"
 	"runtime"
 	"runtime/debug"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
+const mb = 1024 * 1024
+
 func initProfiling() {
-	runtime.GOMAXPROCS(2)
-	debug.SetMemoryLimit(100 * 1024 * 1024)
-	debug.SetMaxStack(15 * 1024 * 1024)
+	debug.SetGCPercent(-1)
+	debug.SetMemoryLimit(50 * mb)
+	debug.SetMaxStack(4 * mb)
+
 	go func() {
-		log.Println(http.ListenAndServe(":7777", nil))
+		log.Info().Msgf("pprof server started at http://localhost:7777/debug/pprof/")
+		log.Error().Err(http.ListenAndServe(":7777", nil)).Msg("pprof server failed")
+	}()
+	go func() {
+		ticker := time.NewTicker(time.Second * 10)
+		defer ticker.Stop()
+		for range ticker.C {
+			var m runtime.MemStats
+			runtime.ReadMemStats(&m)
+			log.Info().Msgf("-----------------------------------------------------")
+			log.Info().Msgf("Timestamp: %s", time.Now().Format(time.RFC3339))
+			log.Info().Msgf("  Go Heap - In Use (Alloc/HeapAlloc): %s", strutils.FormatByteSize(m.Alloc))
+			log.Info().Msgf("  Go Heap - Reserved from OS (HeapSys): %s", strutils.FormatByteSize(m.HeapSys))
+			log.Info().Msgf("  Go Stacks - In Use (StackInuse): %s", strutils.FormatByteSize(m.StackInuse))
+			log.Info().Msgf("  Go Runtime - Other Sys (MSpanInuse, MCacheInuse, BuckHashSys, GCSys, OtherSys): %s", strutils.FormatByteSize(m.MSpanInuse+m.MCacheInuse+m.BuckHashSys+m.GCSys+m.OtherSys))
+			log.Info().Msgf("  Go Runtime - Total from OS (Sys): %s", strutils.FormatByteSize(m.Sys))
+			log.Info().Msgf("  Number of Goroutines: %d", runtime.NumGoroutine())
+			log.Info().Msgf("  Number of GCs: %d", m.NumGC)
+			log.Info().Msg("-----------------------------------------------------")
+		}
 	}()
 }

compose.example.yml

@@ -50,7 +50,7 @@ services:
       #     - 172.16.0.0/12
   app:
     image: ghcr.io/yusing/godoxy:${TAG:-latest}
-    container_name: godoxy
+    container_name: godoxy-proxy
     restart: always
     network_mode: host # do not change this
     env_file: .env

config.example.yml

@@ -15,7 +15,7 @@
 #   options:
 #     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
 
-# 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
+# 3. other providers, see https://docs.godoxy.dev/DNS-01-Providers
 
 # acl:
 #   default: allow # or deny (default: allow)
@@ -115,7 +115,7 @@ providers:
   #     secret: aaaa-bbbb-cccc-dddd
   #     no_tls_verify: true
 
-# Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
+# Check https://docs.godoxy.dev/Certificates-and-domain-matching
 # for explaination of `match_domains`
 #
 # match_domains:

go.mod

@@ -1,61 +1,62 @@
 module github.com/yusing/go-proxy
 
-go 1.24.3
+go 1.25.0
 
 replace github.com/yusing/go-proxy/agent => ./agent
 
 replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
 
-replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
+replace github.com/yusing/go-proxy/internal/utils => ./internal/utils
 
-replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
+replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.0.0-20250816044348-0630187cb14b
 
-replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97
+replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d
 
 require (
 	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
-	github.com/coder/websocket v1.8.13 // websocket for API and agent
-	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
-	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/coreos/go-oidc/v3 v3.15.0 // oidc authentication
+	github.com/docker/docker v28.3.3+incompatible // docker daemon
 	github.com/fsnotify/fsnotify v1.9.0 // file watcher
-	github.com/go-acme/lego/v4 v4.23.1 // acme client
-	github.com/go-playground/validator/v10 v10.26.0 // validator
+	github.com/go-acme/lego/v4 v4.25.2 // acme client
+	github.com/go-playground/validator/v10 v10.27.0 // validator
 	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
+	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
 	github.com/gotify/server/v2 v2.6.3 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
 	github.com/puzpuzpuz/xsync/v4 v4.1.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
-	github.com/shirou/gopsutil/v4 v4.25.4 // system info metrics
+	github.com/shirou/gopsutil/v4 v4.25.7 // system info metrics
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-	golang.org/x/crypto v0.38.0 // encrypting password with bcrypt
-	golang.org/x/net v0.40.0 // HTTP header utilities
+	golang.org/x/crypto v0.41.0 // encrypting password with bcrypt
+	golang.org/x/net v0.43.0 // HTTP header utilities
 	golang.org/x/oauth2 v0.30.0 // oauth2 authentication
-	golang.org/x/time v0.11.0 // time utilities
+	golang.org/x/sync v0.16.0
+	golang.org/x/time v0.12.0 // time utilities
 )
 
 require (
-	github.com/docker/cli v28.1.1+incompatible
-	github.com/goccy/go-yaml v1.17.1 // yaml parsing for different config files
-	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/docker/cli v28.3.3+incompatible
+	github.com/goccy/go-yaml v1.18.0 // yaml parsing for different config files
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/luthermonson/go-proxmox v0.2.2
 	github.com/oschwald/maxminddb-golang v1.13.1
-	github.com/quic-go/quic-go v0.51.0
+	github.com/quic-go/quic-go v0.54.0
 	github.com/samber/slog-zerolog/v2 v2.7.3
 	github.com/spf13/afero v1.14.0
 	github.com/stretchr/testify v1.10.0
-	github.com/yusing/go-proxy/agent v0.0.0-00010101000000-000000000000
-	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-00010101000000-000000000000
-	go.uber.org/atomic v1.11.0
+	github.com/yusing/go-proxy/agent v0.0.0-20250727134911-fce9ce21c90b
+	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-20250727134911-fce9ce21c90b
+	github.com/yusing/go-proxy/internal/utils v0.0.0
 )
 
 require (
-	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth v0.16.5 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/compute/metadata v0.8.0 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
@@ -63,95 +64,84 @@ require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.38.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
-	github.com/aws/smithy-go v1.22.3 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.226 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.47.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.56.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 // indirect
+	github.com/aws/smithy-go v1.22.5 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.240 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
-	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/boombuler/barcode v1.1.0 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/civo/civogo v0.5.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
-	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
-	github.com/docker/go-connections v0.5.0
+	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.3 // indirect
-	github.com/exoscale/egoscale/v3 v3.1.17 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.25 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-resty/resty/v2 v2.16.5 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect; indirectindirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gophercloud/gophercloud v1.14.1 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
-	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.149 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.163 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.50.0 // indirect
+	github.com/linode/linodego v1.55.0 // indirect
 	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.66 // indirect
+	github.com/miekg/dns v1.1.68 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
 	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
 	github.com/nrdcg/desec v0.11.0 // indirect
@@ -163,12 +153,9 @@ require (
 	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/oracle/oci-go-sdk/v65 v65.91.0 // indirect
-	github.com/ovh/go-ovh v1.7.0 // indirect
+	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterhellberg/link v1.2.0 // indirect
@@ -176,76 +163,110 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/pquerna/otp v1.5.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/api-client-go v0.3.2 // indirect
 	github.com/sacloud/go-http v0.1.9 // indirect
-	github.com/sacloud/iaas-api-go v1.15.0 // indirect
+	github.com/sacloud/iaas-api-go v1.17.0 // indirect
 	github.com/sacloud/packages-go v0.0.11 // indirect
-	github.com/sagikazarmark/locafero v0.9.0 // indirect
-	github.com/samber/lo v1.50.0 // indirect
-	github.com/samber/slog-common v0.18.1 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/sagikazarmark/locafero v0.10.0 // indirect
+	github.com/samber/lo v1.51.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.34 // indirect
 	github.com/selectel/domains-go v1.1.0 // indirect
-	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.1.7 // indirect
+	github.com/softlayer/softlayer-go v1.2.0 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/sony/gobreaker v1.0.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/cast v1.8.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/cast v1.9.2 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/spf13/viper v1.20.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1164 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.11 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/transip/gotransip/v6 v6.26.0 // indirect
-	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419 // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.207 // indirect
-	github.com/vultr/govultr/v3 v3.20.0 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.217 // indirect
+	github.com/vultr/govultr/v3 v3.22.1 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.mongodb.org/mongo-driver v1.17.3 // indirect
+	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.uber.org/atomic v1.11.0
 	go.uber.org/mock v0.5.2 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sync v0.14.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.25.0
-	golang.org/x/tools v0.33.0 // indirect
-	google.golang.org/api v0.233.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	google.golang.org/api v0.247.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/grpc v1.74.2 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.14.3 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.4 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.33.0 // indirect
-	k8s.io/apimachinery v0.33.0 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+)
+
+require (
+	github.com/gin-gonic/gin v1.10.1
+	github.com/swaggo/files v1.0.1
+	github.com/swaggo/gin-swagger v1.6.0
+	github.com/swaggo/swag v1.16.6
+	github.com/yusing/ds v0.1.0
+)
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.10 // indirect
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/tea v1.3.10 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
+	github.com/aliyun/credentials-go v1.4.7 // indirect
+	github.com/bytedance/sonic v1.14.0 // indirect
+	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/dnsimple/dnsimple-go/v4 v4.0.0 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-acme/alidns-20150109/v4 v4.5.11 // indirect
+	github.com/go-acme/tencentclouddnspod v1.0.1208 // indirect
+	github.com/go-openapi/jsonpointer v0.21.2 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/namedotcom/go/v4 v4.0.2 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.98.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.98.0 // indirect
+	github.com/selectel/go-selvpcclient/v4 v4.1.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
+	golang.org/x/arch v0.20.0 // indirect
+	gotest.tools/v3 v3.5.2 // indirect
 )

internal/acl/config.go

@@ -5,9 +5,9 @@ import (
 	"time"
 
 	"github.com/puzpuzpuz/xsync/v4"
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/accesslog"
 	"github.com/yusing/go-proxy/internal/maxmind"
 	"github.com/yusing/go-proxy/internal/task"
@@ -45,7 +45,7 @@ func (c *checkCache) Expired() bool {
 	return c.created.Add(cacheTTL).Before(utils.TimeNow())
 }
 
-//TODO: add stats
+// TODO: add stats
 
 const (
 	ACLAllow = "allow"
@@ -97,7 +97,7 @@ func (c *Config) Start(parent *task.Task) gperr.Error {
 	if c.valErr != nil {
 		return c.valErr
 	}
-	logging.Info().
+	log.Info().
 		Str("default", c.Default).
 		Bool("allow_local", c.allowLocal).
 		Int("allow_rules", len(c.Allow)).

internal/acl/matcher_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	maxmind "github.com/yusing/go-proxy/internal/maxmind/types"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/serialization"
 )
 
 func TestMatchers(t *testing.T) {
@@ -16,7 +16,7 @@ func TestMatchers(t *testing.T) {
 	}
 
 	var mathers Matchers
-	err := utils.Convert(reflect.ValueOf(strMatchers), reflect.ValueOf(&mathers), false)
+	err := serialization.Convert(reflect.ValueOf(strMatchers), reflect.ValueOf(&mathers), false)
 	if err != nil {
 		t.Fatal(err)
 	}

internal/acl/tcp_listener.go

@@ -22,12 +22,12 @@ func (noConn) SetDeadline(t time.Time) error      { return nil }
 func (noConn) SetReadDeadline(t time.Time) error  { return nil }
 func (noConn) SetWriteDeadline(t time.Time) error { return nil }
 
-func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
-	if cfg == nil {
+func (c *Config) WrapTCP(lis net.Listener) net.Listener {
+	if c == nil {
 		return lis
 	}
 	return &TCPListener{
-		acl: cfg,
+		acl: c,
 		lis: lis,
 	}
 }

internal/api/handler.go

@@ -1,111 +1,198 @@
 package api
 
 import (
-	"fmt"
 	"net/http"
 
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/certapi"
-	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
-	"github.com/yusing/go-proxy/internal/api/v1/favicon"
+	"github.com/gin-gonic/gin"
+	"github.com/gorilla/websocket"
+	"github.com/rs/zerolog/log"
+	swaggerFiles "github.com/swaggo/files"
+	ginSwagger "github.com/swaggo/gin-swagger"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	apiV1 "github.com/yusing/go-proxy/internal/api/v1"
+	agentApi "github.com/yusing/go-proxy/internal/api/v1/agent"
+	authApi "github.com/yusing/go-proxy/internal/api/v1/auth"
+	certApi "github.com/yusing/go-proxy/internal/api/v1/cert"
+	dockerApi "github.com/yusing/go-proxy/internal/api/v1/docker"
+	"github.com/yusing/go-proxy/internal/api/v1/docs"
+	fileApi "github.com/yusing/go-proxy/internal/api/v1/file"
+	homepageApi "github.com/yusing/go-proxy/internal/api/v1/homepage"
+	metricsApi "github.com/yusing/go-proxy/internal/api/v1/metrics"
+	routeApi "github.com/yusing/go-proxy/internal/api/v1/route"
 	"github.com/yusing/go-proxy/internal/auth"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/yusing/go-proxy/internal/common"
 )
 
-type (
-	ServeMux struct {
-		*http.ServeMux
-		cfg config.ConfigInstance
+// @title           GoDoxy API
+// @version         1.0
+// @description     GoDoxy API
+// @termsOfService  https://github.com/yusing/godoxy/blob/main/LICENSE
+
+// @contact.name   Yusing
+// @contact.url    https://github.com/yusing/godoxy/issues
+
+// @license.name  MIT
+// @license.url   https://github.com/yusing/godoxy/blob/main/LICENSE
+
+// @BasePath  /api/v1
+
+// @externalDocs.description  GoDoxy Docs
+// @externalDocs.url          https://docs.godoxy.dev
+func NewHandler() *gin.Engine {
+	gin.SetMode("release")
+	r := gin.New()
+	r.Use(NoCache())
+	r.Use(ErrorHandler())
+	r.Use(ErrorLoggingMiddleware())
+
+	docs.SwaggerInfo.Title = "GoDoxy API"
+	docs.SwaggerInfo.BasePath = "/api/v1"
+
+	v1Auth := r.Group("/api/v1/auth")
+	{
+		v1Auth.HEAD("/check", authApi.Check)
+		v1Auth.POST("/login", authApi.Login)
+		v1Auth.GET("/callback", authApi.Callback)
+		v1Auth.POST("/callback", authApi.Callback)
+		v1Auth.POST("/logout", authApi.Logout)
 	}
-	WithCfgHandler = func(config.ConfigInstance, http.ResponseWriter, *http.Request)
-)
 
-func (mux ServeMux) HandleFunc(methods, endpoint string, h any, requireAuth ...bool) {
-	var handler http.HandlerFunc
-	switch h := h.(type) {
-	case func(http.ResponseWriter, *http.Request):
-		handler = h
-	case http.Handler:
-		handler = h.ServeHTTP
-	case WithCfgHandler:
-		handler = func(w http.ResponseWriter, r *http.Request) {
-			h(mux.cfg, w, r)
+	v1Swagger := r.Group("/api/v1/swagger")
+	{
+		v1Swagger.GET("/:any", func(c *gin.Context) {
+			c.Redirect(http.StatusTemporaryRedirect, "/api/v1/swagger/index.html")
+		})
+		v1Swagger.GET("/:any/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))
+	}
+
+	v1 := r.Group("/api/v1")
+	if auth.IsEnabled() {
+		v1.Use(AuthMiddleware())
+	}
+	if common.APISkipOriginCheck {
+		v1.Use(SkipOriginCheckMiddleware())
+	}
+	{
+		v1.GET("/favicon", apiV1.FavIcon)
+		v1.GET("/health", apiV1.Health)
+		v1.GET("/icons", apiV1.Icons)
+		v1.POST("/reload", apiV1.Reload)
+		v1.GET("/stats", apiV1.Stats)
+		v1.GET("/version", apiV1.Version)
+
+		route := v1.Group("/route")
+		{
+			route.GET("/list", routeApi.Routes)
+			route.GET("/:which", routeApi.Route)
+			route.GET("/providers", routeApi.Providers)
+			route.GET("/by_provider", routeApi.ByProvider)
+		}
+
+		file := v1.Group("/file")
+		{
+			file.GET("/list", fileApi.List)
+			file.GET("/content", fileApi.Get)
+			file.PUT("/content", fileApi.Set)
+			file.POST("/content", fileApi.Set)
+			file.POST("/validate", fileApi.Validate)
+		}
+
+		homepage := v1.Group("/homepage")
+		{
+			homepage.GET("/categories", homepageApi.Categories)
+			homepage.GET("/items", homepageApi.Items)
+			homepage.POST("/set/item", homepageApi.SetItem)
+			homepage.POST("/set/items_batch", homepageApi.SetItemsBatch)
+			homepage.POST("/set/item_visible", homepageApi.SetItemVisible)
+			homepage.POST("/set/category_order", homepageApi.SetCategoryOrder)
+		}
+
+		cert := v1.Group("/cert")
+		{
+			cert.GET("/info", certApi.Info)
+			cert.GET("/renew", certApi.Renew)
+		}
+
+		agent := v1.Group("/agent")
+		{
+			agent.GET("/list", agentApi.List)
+			agent.POST("/create", agentApi.Create)
+			agent.POST("/verify", agentApi.Verify)
+		}
+
+		metrics := v1.Group("/metrics")
+		{
+			metrics.GET("/system_info", metricsApi.SystemInfo)
+			metrics.GET("/uptime", metricsApi.Uptime)
+		}
+
+		docker := v1.Group("/docker")
+		{
+			docker.GET("/containers", dockerApi.Containers)
+			docker.GET("/info", dockerApi.Info)
+			docker.GET("/logs/:server/:container", dockerApi.Logs)
 		}
-	default:
-		panic(fmt.Errorf("unsupported handler type: %T", h))
 	}
 
-	matchDomains := mux.cfg.Value().MatchDomains
-	if len(matchDomains) > 0 {
-		origHandler := handler
-		handler = func(w http.ResponseWriter, r *http.Request) {
-			if httpheaders.IsWebsocket(r.Header) {
-				gpwebsocket.SetWebsocketAllowedDomains(r.Header, matchDomains)
+	return r
+}
+
+func NoCache() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("Cache-Control", "no-cache, no-store, must-revalidate")
+		c.Header("Pragma", "no-cache")
+		c.Header("Expires", "0")
+		c.Next()
+	}
+}
+
+func AuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		err := auth.GetDefaultAuth().CheckToken(c.Request)
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, apitypes.Error("Unauthorized", err))
+			c.Abort()
+			return
+		}
+		c.Next()
+	}
+}
+
+func SkipOriginCheckMiddleware() gin.HandlerFunc {
+	upgrader := &websocket.Upgrader{
+		CheckOrigin: func(r *http.Request) bool {
+			return true
+		},
+	}
+	return func(c *gin.Context) {
+		c.Set("upgrader", upgrader)
+		c.Next()
+	}
+}
+
+func ErrorHandler() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Next()
+		if len(c.Errors) > 0 {
+			for _, err := range c.Errors {
+				log.Err(err.Err).Str("uri", c.Request.RequestURI).Msg("Internal error")
+			}
+			if !isWebSocketRequest(c) {
+				c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
 			}
-			origHandler(w, r)
-		}
-	}
-
-	if len(requireAuth) > 0 && requireAuth[0] {
-		handler = auth.RequireAuth(handler)
-	}
-	if methods == "" {
-		mux.ServeMux.HandleFunc(endpoint, handler)
-	} else {
-		for _, m := range strutils.CommaSeperatedList(methods) {
-			mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
 		}
 	}
 }
 
-func NewHandler(cfg config.ConfigInstance) http.Handler {
-	mux := ServeMux{http.NewServeMux(), cfg}
-	mux.HandleFunc("GET", "/v1", v1.Index)
-	mux.HandleFunc("GET", "/v1/version", pkg.GetVersionHTTPHandler())
-
-	mux.HandleFunc("GET", "/v1/stats", v1.Stats, true)
-	mux.HandleFunc("POST", "/v1/reload", v1.Reload, true)
-	mux.HandleFunc("GET", "/v1/list", v1.ListRoutesHandler, true)
-	mux.HandleFunc("GET", "/v1/list/routes", v1.ListRoutesHandler, true)
-	mux.HandleFunc("GET", "/v1/list/route/{which}", v1.ListRouteHandler, true)
-	mux.HandleFunc("GET", "/v1/list/routes_by_provider", v1.ListRoutesByProviderHandler, true)
-	mux.HandleFunc("GET", "/v1/list/files", v1.ListFilesHandler, true)
-	mux.HandleFunc("GET", "/v1/list/homepage_config", v1.ListHomepageConfigHandler, true)
-	mux.HandleFunc("GET", "/v1/list/route_providers", v1.ListRouteProvidersHandler, true)
-	mux.HandleFunc("GET", "/v1/list/homepage_categories", v1.ListHomepageCategoriesHandler, true)
-	mux.HandleFunc("GET", "/v1/list/icons", v1.ListIconsHandler, true)
-	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", v1.GetFileContent, true)
-	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", v1.SetFileContent, true)
-	mux.HandleFunc("POST", "/v1/file/validate/{type}", v1.ValidateFile, true)
-	mux.HandleFunc("GET", "/v1/health", v1.Health, true)
-	mux.HandleFunc("GET", "/v1/logs", memlogger.Handler(), true)
-	mux.HandleFunc("GET", "/v1/favicon", favicon.GetFavIcon, true)
-	mux.HandleFunc("POST", "/v1/homepage/set", v1.SetHomePageOverrides, true)
-	mux.HandleFunc("GET", "/v1/agents", v1.ListAgents, true)
-	mux.HandleFunc("GET", "/v1/agents/new", v1.NewAgent, true)
-	mux.HandleFunc("POST", "/v1/agents/verify", v1.VerifyNewAgent, true)
-	mux.HandleFunc("GET", "/v1/metrics/system_info", v1.SystemInfo, true)
-	mux.HandleFunc("GET", "/v1/metrics/uptime", uptime.Poller.ServeHTTP, true)
-	mux.HandleFunc("GET", "/v1/cert/info", certapi.GetCertInfo, true)
-	mux.HandleFunc("", "/v1/cert/renew", certapi.RenewCert, true)
-	mux.HandleFunc("GET", "/v1/docker/info", dockerapi.DockerInfo, true)
-	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
-	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)
-
-	defaultAuth := auth.GetDefaultAuth()
-	if defaultAuth == nil {
-		return mux
-	}
-
-	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
-	mux.HandleFunc("GET,POST", "/v1/auth/redirect", defaultAuth.LoginHandler)
-	mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
-	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
-	return mux
+func ErrorLoggingMiddleware() gin.HandlerFunc {
+	return gin.CustomRecoveryWithWriter(nil, func(c *gin.Context, err any) {
+		log.Error().Any("error", err).Str("uri", c.Request.RequestURI).Msg("Internal error")
+		if !isWebSocketRequest(c) {
+			c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
+		}
+	})
+}
+
+func isWebSocketRequest(c *gin.Context) bool {
+	return c.GetHeader("Upgrade") == "websocket"
 }

internal/api/types/error.go

@@ -0,0 +1,55 @@
+package apitypes
+
+import (
+	"errors"
+
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type ErrorResponse struct {
+	Message string `json:"message"`
+	Error   string `json:"error,omitempty" extensions:"x-nullable"`
+} // @name ErrorResponse
+
+type serverError struct {
+	Message string
+	Err     error
+}
+
+// Error returns a generic error response
+func Error(message string, err ...error) ErrorResponse {
+	if len(err) > 0 {
+		var gpErr gperr.Error
+		if errors.As(err[0], &gpErr) {
+			return ErrorResponse{
+				Message: message,
+				Error:   string(gpErr.Plain()),
+			}
+		}
+		return ErrorResponse{
+			Message: message,
+			Error:   err[0].Error(),
+		}
+	}
+	return ErrorResponse{
+		Message: message,
+	}
+}
+
+func InternalServerError(err error, message string) error {
+	return serverError{
+		Message: message,
+		Err:     err,
+	}
+}
+
+func (e serverError) Error() string {
+	if e.Err != nil {
+		return e.Message + ": " + e.Err.Error()
+	}
+	return e.Message
+}
+
+func (e serverError) Unwrap() error {
+	return e.Err
+}

internal/api/types/error_code.go

@@ -0,0 +1,17 @@
+package apitypes
+
+type ErrorCode int
+
+const (
+	ErrorCodeUnauthorized ErrorCode = iota + 1
+	ErrorCodeNotFound
+	ErrorCodeInternalServerError
+)
+
+func (e ErrorCode) String() string {
+	return []string{
+		"Unauthorized",
+		"Not Found",
+		"Internal Server Error",
+	}[e]
+}

internal/api/types/query.go

@@ -0,0 +1,29 @@
+package apitypes
+
+type QueryOptions struct {
+	Limit   int                 `binding:"required,min=1,max=20" form:"limit"`
+	Offset  int                 `binding:"omitempty,min=0" form:"offset"`
+	OrderBy QueryOrder          `binding:"omitempty,oneof=created_at updated_at" form:"order_by"`
+	Order   QueryOrderDirection `binding:"omitempty,oneof=asc desc" form:"order"`
+}
+
+type QueryOrder string
+
+const (
+	QueryOrderCreatedAt QueryOrder = "created_at"
+	QueryOrderUpdatedAt QueryOrder = "updated_at"
+)
+
+type QueryOrderDirection string
+
+const (
+	QueryOrderDirectionAsc  QueryOrderDirection = "asc"
+	QueryOrderDirectionDesc QueryOrderDirection = "desc"
+)
+
+type QueryResponse struct {
+	Total   int64 `json:"total"`
+	Limit   int   `json:"limit"`
+	Offset  int   `json:"offset"`
+	HasMore bool  `json:"has_more"`
+}

internal/api/types/success.go

@@ -0,0 +1,18 @@
+package apitypes
+
+type SuccessResponse struct {
+	Message string         `json:"message"`
+	Details map[string]any `json:"details,omitempty" extensions:"x-nullable"`
+} // @name SuccessResponse
+
+func Success(message string, extra ...map[string]any) SuccessResponse {
+	if len(extra) > 0 {
+		return SuccessResponse{
+			Message: message,
+			Details: extra[0],
+		}
+	}
+	return SuccessResponse{
+		Message: message,
+	}
+}

internal/api/v1/agent/common.go

@@ -0,0 +1,67 @@
+package agentapi
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"sync/atomic"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+)
+
+type PEMPairResponse struct {
+	Cert string `json:"cert" format:"base64"`
+	Key  string `json:"key" format:"base64"`
+} // @name PEMPairResponse
+
+var encryptionKey atomic.Value
+
+const rotateKeyInterval = 15 * time.Minute
+
+func init() {
+	if err := rotateKey(); err != nil {
+		log.Panic().Err(err).Msg("failed to generate encryption key")
+	}
+	go func() {
+		for range time.Tick(rotateKeyInterval) {
+			if err := rotateKey(); err != nil {
+				log.Error().Err(err).Msg("failed to rotate encryption key")
+			}
+		}
+	}()
+}
+
+func getEncryptionKey() []byte {
+	return encryptionKey.Load().([]byte)
+}
+
+func rotateKey() error {
+	// generate a random 32 bytes key
+	key := make([]byte, 32)
+	if _, err := rand.Read(key); err != nil {
+		return err
+	}
+	encryptionKey.Store(key)
+	return nil
+}
+
+func toPEMPairResponse(encPEMPair agent.PEMPair) PEMPairResponse {
+	return PEMPairResponse{
+		Cert: base64.StdEncoding.EncodeToString(encPEMPair.Cert),
+		Key:  base64.StdEncoding.EncodeToString(encPEMPair.Key),
+	}
+}
+
+func fromEncryptedPEMPairResponse(pemPair PEMPairResponse) (agent.PEMPair, error) {
+	encCert, err := base64.StdEncoding.DecodeString(pemPair.Cert)
+	if err != nil {
+		return agent.PEMPair{}, err
+	}
+	encKey, err := base64.StdEncoding.DecodeString(pemPair.Key)
+	if err != nil {
+		return agent.PEMPair{}, err
+	}
+	pair := agent.PEMPair{Cert: encCert, Key: encKey}
+	return pair.Decrypt(getEncryptionKey())
+}

internal/api/v1/agent/create.go

@@ -0,0 +1,104 @@
+package agentapi
+
+import (
+	"net"
+	"net/http"
+	"strconv"
+
+	_ "embed"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+)
+
+type NewAgentRequest struct {
+	Name    string `form:"name" validate:"required"`
+	Host    string `form:"host" validate:"required"`
+	Port    int    `form:"port" validate:"required,min=1,max=65535"`
+	Type    string `form:"type" validate:"required,oneof=docker system"`
+	Nightly bool   `form:"nightly" validate:"omitempty"`
+} // @name NewAgentRequest
+
+type NewAgentResponse struct {
+	Compose string          `json:"compose"`
+	CA      PEMPairResponse `json:"ca"`
+	Client  PEMPairResponse `json:"client"`
+} // @name NewAgentResponse
+
+// @x-id				"create"
+// @BasePath		/api/v1
+// @Summary		Create a new agent
+// @Description	Create a new agent and return the docker compose file, encrypted CA and client PEMs
+// @Description	The returned PEMs are encrypted with a random key and will be used for verification when adding a new agent
+// @Tags			agent
+// @Accept			json
+// @Produce		json
+// @Param			request	body		NewAgentRequest	true	"Request"
+// @Success		200		{object}	NewAgentResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		403		{object}	apitypes.ErrorResponse
+// @Failure		409		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/agent/create [post]
+func Create(c *gin.Context) {
+	var request NewAgentRequest
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	hostport := net.JoinHostPort(request.Host, strconv.Itoa(request.Port))
+	if _, ok := agent.GetAgent(hostport); ok {
+		c.JSON(http.StatusConflict, apitypes.Error("agent already exists"))
+		return
+	}
+
+	var image string
+	if request.Nightly {
+		image = agent.DockerImageNightly
+	} else {
+		image = agent.DockerImageProduction
+	}
+
+	ca, srv, client, err := agent.NewAgent()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create agent"))
+		return
+	}
+
+	var cfg agent.Generator = &agent.AgentEnvConfig{
+		Name:    request.Name,
+		Port:    request.Port,
+		CACert:  ca.String(),
+		SSLCert: srv.String(),
+	}
+	if request.Type == "docker" {
+		cfg = &agent.AgentComposeConfig{
+			Image:          image,
+			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
+		}
+	}
+	template, err := cfg.Generate()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to generate agent config"))
+		return
+	}
+
+	key := getEncryptionKey()
+	encCA, err := ca.Encrypt(key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to encrypt CA PEMs"))
+		return
+	}
+	encClient, err := client.Encrypt(key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to encrypt client PEMs"))
+		return
+	}
+
+	c.JSON(http.StatusOK, NewAgentResponse{
+		Compose: template,
+		CA:      toPEMPairResponse(encCA),
+		Client:  toPEMPairResponse(encClient),
+	})
+}

internal/api/v1/agent/list.go

@@ -0,0 +1,32 @@
+package agentapi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+)
+
+// @x-id				"list"
+// @BasePath		/api/v1
+// @Summary		List agents
+// @Description	List agents
+// @Tags			agent,websocket
+// @Accept			json
+// @Produce		json
+// @Success		200	{array}		Agent
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/agent/list [get]
+func List(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 10*time.Second, func() (any, error) {
+			return agent.ListAgents(), nil
+		})
+	} else {
+		c.JSON(http.StatusOK, agent.ListAgents())
+	}
+}

internal/api/v1/agent/verify.go

@@ -0,0 +1,76 @@
+package agentapi
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+	. "github.com/yusing/go-proxy/internal/api/types"
+	config "github.com/yusing/go-proxy/internal/config/types"
+)
+
+type VerifyNewAgentRequest struct {
+	Host   string          `json:"host"`
+	CA     PEMPairResponse `json:"ca"`
+	Client PEMPairResponse `json:"client"`
+} // @name VerifyNewAgentRequest
+
+// @x-id          "verify"
+// @BasePath		/api/v1
+// @Summary		Verify a new agent
+// @Description	Verify a new agent and return the number of routes added
+// @Tags			agent
+// @Accept			json
+// @Produce		json
+// @Param			request	body		VerifyNewAgentRequest	true	"Request"
+// @Success		200		{object}	SuccessResponse
+// @Failure		400		{object}	ErrorResponse
+// @Failure		403		{object}	ErrorResponse
+// @Failure		500		{object}	ErrorResponse
+// @Router			/agent/verify [post]
+func Verify(c *gin.Context) {
+	var request VerifyNewAgentRequest
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, Error("invalid request", err))
+		return
+	}
+
+	filename, ok := certs.AgentCertsFilepath(request.Host)
+	if !ok {
+		c.JSON(http.StatusBadRequest, Error("invalid host", nil))
+		return
+	}
+
+	ca, err := fromEncryptedPEMPairResponse(request.CA)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, Error("invalid CA", err))
+		return
+	}
+
+	client, err := fromEncryptedPEMPairResponse(request.Client)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, Error("invalid client", err))
+		return
+	}
+
+	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(request.Host, ca, client)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, Error("invalid request", err))
+		return
+	}
+
+	zip, err := certs.ZipCert(ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		c.Error(InternalServerError(err, "failed to zip certs"))
+		return
+	}
+
+	if err := os.WriteFile(filename, zip, 0o600); err != nil {
+		c.Error(InternalServerError(err, "failed to write certs"))
+		return
+	}
+
+	c.JSON(http.StatusOK, Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
+}

internal/api/v1/agents.go

@@ -1,24 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-)
-
-func ListAgents(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 10*time.Second, func(conn *websocket.Conn) error {
-			wsjson.Write(r.Context(), conn, cfg.ListAgents())
-			return nil
-		})
-	} else {
-		gphttp.RespondJSON(w, r, cfg.ListAgents())
-	}
-}

internal/api/v1/auth/callback.go

@@ -0,0 +1,25 @@
+//nolint:dupword
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/auth"
+)
+
+// @x-id				"callback"
+// @Base			/api/v1
+// @Summary		Auth Callback
+// @Description	Handles the callback from the provider after successful authentication
+// @Tags			auth
+// @Produce		plain
+// @Param		  body	body	auth.UserPassAuthCallbackRequest	true	"Userpass only"
+// @Success		200	{string}	string	"Userpass: OK"
+// @Success		302	{string}	string	"OIDC: Redirects to home page"
+// @Failure		400	{string}	string	"OIDC: invalid request (missing state cookie or oauth state)"
+// @Failure		400	{string}	string	"Userpass: invalid request / credentials"
+// @Failure		500	{string}	string	"Internal server error"
+// @Router			/auth/callback [get]
+// @Router			/auth/callback [post]
+func Callback(c *gin.Context) {
+	auth.GetDefaultAuth().PostAuthCallbackHandler(c.Writer, c.Request)
+}

internal/api/v1/auth/check.go

@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/auth"
+)
+
+// @x-id				"check"
+// @Base			/api/v1
+// @Summary		Check authentication status
+// @Description	Checks if the user is authenticated by validating their token
+// @Tags			auth
+// @Produce		plain
+// @Success		200	{string}	string	"OK"
+// @Failure		403	{string}	string	"Forbidden: use X-Redirect-To header to redirect to login page"
+// @Router			/auth/check [head]
+func Check(c *gin.Context) {
+	auth.AuthCheckHandler(c.Writer, c.Request)
+}

internal/api/v1/auth/login.go

@@ -0,0 +1,20 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/auth"
+)
+
+// @x-id       "login"
+// @Base       /api/v1
+// @Summary    Login
+// @Description Initiates the login process by redirecting the user to the provider's login page
+// @Tags       auth
+// @Produce    plain
+// @Success    302 {string} string "Redirects to login page or IdP"
+// @Failure    403 {string} string "Forbidden(webui): follow X-Redirect-To header"
+// @Failure    429 {string} string "Too Many Requests"
+// @Router     /auth/login [post]
+func Login(c *gin.Context) {
+	auth.GetDefaultAuth().LoginHandler(c.Writer, c.Request)
+}

internal/api/v1/auth/logout.go

@@ -0,0 +1,18 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/auth"
+)
+
+// @x-id				"logout"
+// @Base			/api/v1
+// @Summary		Logout
+// @Description	Logs out the user by invalidating the token
+// @Tags			auth
+// @Produce		plain
+// @Success		302	{string} string	"Redirects to home page"
+// @Router			/auth/logout [post]
+func Logout(c *gin.Context) {
+	auth.GetDefaultAuth().LogoutHandler(c.Writer, c.Request)
+}

internal/api/v1/cert/info.go

@@ -1,9 +1,10 @@
 package certapi
 
 import (
-	"encoding/json"
 	"net/http"
 
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
 	config "github.com/yusing/go-proxy/internal/config/types"
 )
 
@@ -14,18 +15,29 @@ type CertInfo struct {
 	NotAfter       int64    `json:"not_after"`
 	DNSNames       []string `json:"dns_names"`
 	EmailAddresses []string `json:"email_addresses"`
-}
+} // @name CertInfo
 
-func GetCertInfo(w http.ResponseWriter, r *http.Request) {
+// @x-id				"info"
+// @BasePath		/api/v1
+// @Summary		Get cert info
+// @Description	Get cert info
+// @Tags			cert
+// @Produce		json
+// @Success		200	{object}	CertInfo
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/cert/info [get]
+func Info(c *gin.Context) {
 	autocert := config.GetInstance().AutoCertProvider()
 	if autocert == nil {
-		http.Error(w, "autocert is not enabled", http.StatusNotFound)
+		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
 		return
 	}
 
 	cert, err := autocert.GetCert(nil)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		c.Error(apitypes.InternalServerError(err, "failed to get cert info"))
 		return
 	}
 
@@ -37,5 +49,5 @@ func GetCertInfo(w http.ResponseWriter, r *http.Request) {
 		DNSNames:       cert.Leaf.DNSNames,
 		EmailAddresses: cert.Leaf.EmailAddresses,
 	}
-	json.NewEncoder(w).Encode(&certInfo)
+	c.JSON(http.StatusOK, certInfo)
 }

internal/api/v1/cert/renew.go

@@ -0,0 +1,72 @@
+package certapi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+)
+
+// @x-id				"renew"
+// @BasePath		/api/v1
+// @Summary		Renew cert
+// @Description	Renew cert
+// @Tags			cert,websocket
+// @Produce		plain
+// @Success		200	{object}	apitypes.SuccessResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/cert/renew [get]
+func Renew(c *gin.Context) {
+	autocert := config.GetInstance().AutoCertProvider()
+	if autocert == nil {
+		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
+		return
+	}
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+		return
+	}
+	defer manager.Close()
+
+	logs, cancel := memlogger.Events()
+	defer cancel()
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+
+		err = autocert.ObtainCert()
+		if err != nil {
+			gperr.LogError("failed to obtain cert", err)
+			_ = manager.WriteData(websocket.TextMessage, []byte(err.Error()), 10*time.Second)
+		} else {
+			log.Info().Msg("cert obtained successfully")
+		}
+	}()
+
+	for {
+		select {
+		case l := <-logs:
+			if err != nil {
+				return
+			}
+
+			err = manager.WriteData(websocket.TextMessage, l, 10*time.Second)
+			if err != nil {
+				return
+			}
+		case <-done:
+			return
+		}
+	}
+}

internal/api/v1/certapi/renew.go

@@ -1,56 +0,0 @@
-package certapi
-
-import (
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-)
-
-func RenewCert(w http.ResponseWriter, r *http.Request) {
-	autocert := config.GetInstance().AutoCertProvider()
-	if autocert == nil {
-		http.Error(w, "autocert is not enabled", http.StatusNotFound)
-		return
-	}
-
-	conn, err := gpwebsocket.Initiate(w, r)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	//nolint:errcheck
-	defer conn.CloseNow()
-
-	logs, cancel := memlogger.Events()
-	defer cancel()
-
-	done := make(chan struct{})
-
-	go func() {
-		defer close(done)
-		err = autocert.ObtainCert()
-		if err != nil {
-			gperr.LogError("failed to obtain cert", err)
-			gpwebsocket.WriteText(r, conn, err.Error())
-		} else {
-			logging.Info().Msg("cert obtained successfully")
-		}
-	}()
-	for {
-		select {
-		case l := <-logs:
-			if err != nil {
-				return
-			}
-			if !gpwebsocket.WriteText(r, conn, string(l)) {
-				return
-			}
-		case <-done:
-			return
-		}
-	}
-}

internal/api/v1/config_file.go

@@ -1,133 +0,0 @@
-package v1
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/provider"
-)
-
-type FileType string
-
-const (
-	FileTypeConfig     FileType = "config"
-	FileTypeProvider   FileType = "provider"
-	FileTypeMiddleware FileType = "middleware"
-)
-
-func fileType(file string) FileType {
-	switch {
-	case strings.HasPrefix(path.Base(file), "config."):
-		return FileTypeConfig
-	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
-		return FileTypeMiddleware
-	}
-	return FileTypeProvider
-}
-
-func (t FileType) IsValid() bool {
-	switch t {
-	case FileTypeConfig, FileTypeProvider, FileTypeMiddleware:
-		return true
-	}
-	return false
-}
-
-func (t FileType) GetPath(filename string) string {
-	if t == FileTypeMiddleware {
-		return path.Join(common.MiddlewareComposeBasePath, filename)
-	}
-	return path.Join(common.ConfigBasePath, filename)
-}
-
-func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
-	fileType = FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		err = fmt.Errorf("invalid file type: %s", fileType)
-		return
-	}
-	filename = r.PathValue("filename")
-	if filename == "" {
-		err = fmt.Errorf("missing filename")
-	}
-	return
-}
-
-func GetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	content, err := os.ReadFile(fileType.GetPath(filename))
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	gphttp.WriteBody(w, content)
-}
-
-func validateFile(fileType FileType, content []byte) gperr.Error {
-	switch fileType {
-	case FileTypeConfig:
-		return config.Validate(content)
-	case FileTypeMiddleware:
-		errs := gperr.NewBuilder("middleware errors")
-		middleware.BuildMiddlewaresFromYAML("", content, errs)
-		return errs.Error()
-	}
-	return provider.Validate(content)
-}
-
-func ValidateFile(w http.ResponseWriter, r *http.Request) {
-	fileType := FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		gphttp.BadRequest(w, "invalid file type")
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	r.Body.Close()
-	if valErr := validateFile(fileType, content); valErr != nil {
-		gphttp.JSONError(w, valErr, http.StatusBadRequest)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
-
-func SetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	if valErr := validateFile(fileType, content); valErr != nil {
-		gphttp.JSONError(w, valErr, http.StatusBadRequest)
-		return
-	}
-
-	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}

internal/api/v1/docker/containers.go

@@ -2,23 +2,35 @@ package dockerapi
 
 import (
 	"context"
-	"net/http"
 	"sort"
 
 	"github.com/docker/docker/api/types/container"
+	"github.com/gin-gonic/gin"
 	"github.com/yusing/go-proxy/internal/gperr"
 )
 
-type Container struct {
-	Server string `json:"server"`
-	Name   string `json:"name"`
-	ID     string `json:"id"`
-	Image  string `json:"image"`
-	State  string `json:"state"`
-}
+type ContainerState = container.ContainerState // @name ContainerState
 
-func Containers(w http.ResponseWriter, r *http.Request) {
-	serveHTTP[Container](w, r, GetContainers)
+type Container struct {
+	Server string         `json:"server"`
+	Name   string         `json:"name"`
+	ID     string         `json:"id"`
+	Image  string         `json:"image"`
+	State  ContainerState `json:"state"`
+} // @name ContainerResponse
+
+// @x-id				"containers"
+// @BasePath		/api/v1
+// @Summary		Get containers
+// @Description	Get containers
+// @Tags			docker
+// @Produce		json
+// @Success		200	{array}		Container
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/containers [get]
+func Containers(c *gin.Context) {
+	serveHTTP[Container](c, GetContainers)
 }
 
 func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {

internal/api/v1/docker/info.go

@@ -0,0 +1,79 @@
+package dockerapi
+
+import (
+	"context"
+	"sort"
+
+	dockerSystem "github.com/docker/docker/api/types/system"
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type containerStats struct {
+	Total   int `json:"total"`
+	Running int `json:"running"`
+	Paused  int `json:"paused"`
+	Stopped int `json:"stopped"`
+} // @name ContainerStats
+
+type dockerInfo struct {
+	Name          string         `json:"name"`
+	ServerVersion string         `json:"version"`
+	Containers    containerStats `json:"containers"`
+	Images        int            `json:"images"`
+	NCPU          int            `json:"n_cpu"`
+	MemTotal      string         `json:"memory"`
+} // @name ServerInfo
+
+func toDockerInfo(info dockerSystem.Info) dockerInfo {
+	return dockerInfo{
+		Name:          info.Name,
+		ServerVersion: info.ServerVersion,
+		Containers: containerStats{
+			Total:   info.ContainersRunning,
+			Running: info.ContainersRunning,
+			Paused:  info.ContainersPaused,
+			Stopped: info.ContainersStopped,
+		},
+		Images:   info.Images,
+		NCPU:     info.NCPU,
+		MemTotal: strutils.FormatByteSize(info.MemTotal),
+	}
+}
+
+// @x-id				"info"
+// @BasePath		/api/v1
+// @Summary		Get docker info
+// @Description	Get docker info
+// @Tags			docker
+// @Produce		json
+// @Success		200	{object}		dockerInfo
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/info [get]
+func Info(c *gin.Context) {
+	serveHTTP[dockerInfo](c, GetDockerInfo)
+}
+
+func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get docker info")
+	dockerInfos := make([]dockerInfo, len(dockerClients))
+
+	i := 0
+	for name, dockerClient := range dockerClients {
+		info, err := dockerClient.Info(ctx)
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		info.Name = name
+		dockerInfos[i] = toDockerInfo(info)
+		i++
+	}
+
+	sort.Slice(dockerInfos, func(i, j int) bool {
+		return dockerInfos[i].Name < dockerInfos[j].Name
+	})
+	return dockerInfos, errs.Error()
+}

internal/api/v1/docker/logs.go

@@ -0,0 +1,113 @@
+package dockerapi
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+type LogsPathParams struct {
+	Server      string `uri:"server" binding:"required"`
+	ContainerID string `uri:"container" binding:"required"`
+} //	@name	LogsPathParams
+
+type LogsQueryParams struct {
+	Stdout bool   `form:"stdout,default=true"`
+	Stderr bool   `form:"stderr,default=true"`
+	Since  string `form:"from"`
+	Until  string `form:"to"`
+	Levels string `form:"levels"`
+} //	@name	LogsQueryParams
+
+// @x-id				"logs"
+// @BasePath		/api/v1
+// @Summary		Get docker container logs
+// @Description	Get docker container logs
+// @Tags			docker,websocket
+// @Accept			json
+// @Produce		json
+// @Param			server		path	string	true	"server name"
+// @Param			container	path	string	true	"container id"
+// @Param			stdout		query	bool	false	"show stdout"
+// @Param			stderr		query	bool	false	"show stderr"
+// @Param			from		query	string	false	"from timestamp"
+// @Param			to			query	string	false	"to timestamp"
+// @Param			levels		query	string	false	"levels"
+// @Success		200
+// @Failure		400	{object}	apitypes.ErrorResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/logs/{server}/{container} [get]
+func Logs(c *gin.Context) {
+	var pathParams LogsPathParams
+	var queryParams LogsQueryParams
+	if err := c.ShouldBindQuery(&queryParams); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid query params"))
+		return
+	}
+	if err := c.ShouldBindUri(&pathParams); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid path params"))
+		return
+	}
+	// TODO: implement levels
+
+	dockerClient, found, err := getDockerClient(pathParams.Server)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get docker client"))
+		return
+	}
+	if !found {
+		c.JSON(http.StatusNotFound, apitypes.Error("server not found"))
+		return
+	}
+	defer dockerClient.Close()
+
+	opts := container.LogsOptions{
+		ShowStdout: queryParams.Stdout,
+		ShowStderr: queryParams.Stderr,
+		Since:      queryParams.Since,
+		Until:      queryParams.Until,
+		Timestamps: true,
+		Follow:     true,
+		Tail:       "100",
+	}
+	if queryParams.Levels != "" {
+		opts.Details = true
+	}
+
+	logs, err := dockerClient.ContainerLogs(c.Request.Context(), pathParams.ContainerID, opts)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get container logs"))
+		return
+	}
+	defer logs.Close()
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+
+	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
+	if err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, task.ErrProgramExiting) {
+			return
+		}
+		log.Err(err).
+			Str("server", pathParams.Server).
+			Str("container", pathParams.ContainerID).
+			Msg("failed to de-multiplex logs")
+	}
+}

internal/api/v1/docker/utils.go

@@ -2,17 +2,17 @@ package dockerapi
 
 import (
 	"context"
-	"encoding/json"
 	"net/http"
 	"time"
 
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/docker"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
 )
 
 type (
@@ -44,13 +44,13 @@ func getDockerClients() (DockerClients, gperr.Error) {
 		dockerClients[name] = dockerClient
 	}
 
-	for _, agent := range cfg.ListAgents() {
+	for _, agent := range agent.ListAgents() {
 		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
 		if err != nil {
 			connErrs.Add(err)
 			continue
 		}
-		dockerClients[agent.Name()] = dockerClient
+		dockerClients[agent.Name] = dockerClient
 	}
 
 	return dockerClients, connErrs.Error()
@@ -65,10 +65,12 @@ func getDockerClient(server string) (*docker.SharedClient, bool, error) {
 			break
 		}
 	}
-	for _, agent := range cfg.ListAgents() {
-		if agent.Name() == server {
-			host = agent.FakeDockerHost()
-			break
+	if host == "" {
+		for _, agent := range agent.ListAgents() {
+			if agent.Name == server {
+				host = agent.FakeDockerHost()
+				break
+			}
 		}
 	}
 	if host == "" {
@@ -90,35 +92,30 @@ func closeAllClients(dockerClients DockerClients) {
 	}
 }
 
-func handleResult[V any, T ResultType[V]](w http.ResponseWriter, errs error, result T) {
+func handleResult[V any, T ResultType[V]](c *gin.Context, errs error, result T) {
 	if errs != nil {
-		gperr.LogError("docker errors", errs)
 		if len(result) == 0 {
-			http.Error(w, "docker errors", http.StatusInternalServerError)
+			c.Error(apitypes.InternalServerError(errs, "docker errors"))
 			return
 		}
 	}
-	json.NewEncoder(w).Encode(result) //nolint
+	c.JSON(http.StatusOK, result)
 }
 
-func serveHTTP[V any, T ResultType[V]](w http.ResponseWriter, r *http.Request, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
+func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
 	dockerClients, err := getDockerClients()
 	if err != nil {
-		handleResult[V, T](w, err, nil)
+		handleResult[V, T](c, err, nil)
 		return
 	}
 	defer closeAllClients(dockerClients)
 
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
-			result, err := getResult(r.Context(), dockerClients)
-			if err != nil {
-				return err
-			}
-			return wsjson.Write(r.Context(), conn, result)
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
+			return getResult(c.Request.Context(), dockerClients)
 		})
 	} else {
-		result, err := getResult(r.Context(), dockerClients)
-		handleResult[V](w, err, result)
+		result, err := getResult(c.Request.Context(), dockerClients)
+		handleResult[V](c, err, result)
 	}
 }

internal/api/v1/dockerapi/info.go

@@ -1,56 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"sort"
-
-	dockerSystem "github.com/docker/docker/api/types/system"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type dockerInfo dockerSystem.Info
-
-func (d *dockerInfo) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]any{
-		"name":    d.Name,
-		"version": d.ServerVersion,
-		"containers": map[string]int{
-			"total":   d.Containers,
-			"running": d.ContainersRunning,
-			"paused":  d.ContainersPaused,
-			"stopped": d.ContainersStopped,
-		},
-		"images": d.Images,
-		"n_cpu":  d.NCPU,
-		"memory": strutils.FormatByteSize(d.MemTotal),
-	})
-}
-
-func DockerInfo(w http.ResponseWriter, r *http.Request) {
-	serveHTTP[dockerInfo](w, r, GetDockerInfo)
-}
-
-func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
-	errs := gperr.NewBuilder("failed to get docker info")
-	dockerInfos := make([]dockerInfo, len(dockerClients))
-
-	i := 0
-	for name, dockerClient := range dockerClients {
-		info, err := dockerClient.Info(ctx)
-		if err != nil {
-			errs.Add(err)
-			continue
-		}
-		info.Name = name
-		dockerInfos[i] = dockerInfo(info)
-		i++
-	}
-
-	sort.Slice(dockerInfos, func(i, j int) bool {
-		return dockerInfos[i].Name < dockerInfos[j].Name
-	})
-	return dockerInfos, errs.Error()
-}

internal/api/v1/dockerapi/logs.go

@@ -1,69 +0,0 @@
-package dockerapi
-
-import (
-	"net/http"
-	"strconv"
-
-	"github.com/coder/websocket"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-)
-
-func Logs(w http.ResponseWriter, r *http.Request) {
-	query := r.URL.Query()
-	server := r.PathValue("server")
-	containerID := r.PathValue("container")
-	stdout, _ := strconv.ParseBool(query.Get("stdout"))
-	stderr, _ := strconv.ParseBool(query.Get("stderr"))
-	since := query.Get("from")
-	until := query.Get("to")
-	levels := query.Get("levels") // TODO: implement levels
-
-	dockerClient, found, err := getDockerClient(server)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	if !found {
-		gphttp.NotFound(w, "server not found")
-		return
-	}
-
-	opts := container.LogsOptions{
-		ShowStdout: stdout,
-		ShowStderr: stderr,
-		Since:      since,
-		Until:      until,
-		Timestamps: true,
-		Follow:     true,
-		Tail:       "100",
-	}
-	if levels != "" {
-		opts.Details = true
-	}
-
-	logs, err := dockerClient.ContainerLogs(r.Context(), containerID, opts)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	defer logs.Close()
-
-	conn, err := gpwebsocket.Initiate(w, r)
-	if err != nil {
-		return
-	}
-	defer conn.CloseNow()
-
-	writer := gpwebsocket.NewWriter(r.Context(), conn, websocket.MessageText)
-	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
-	if err != nil {
-		logging.Err(err).
-			Str("server", server).
-			Str("container", containerID).
-			Msg("failed to de-multiplex logs")
-	}
-}

internal/api/v1/favicon.go

@@ -0,0 +1,91 @@
+package v1
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/homepage"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+type GetFavIconRequest struct {
+	URL   string `form:"url" binding:"required_without=Alias"`
+	Alias string `form:"alias" binding:"required_without=URL"`
+} //	@name	GetFavIconRequest
+
+// @x-id				"favicon"
+// @BasePath		/api/v1
+// @Summary		Get favicon
+// @Description	Get favicon
+// @Tags			v1
+// @Accept			json
+// @Produce		image/svg+xml,image/x-icon,image/png,image/webp
+// @Param			url		query		string	false	"URL of the route"
+// @Param			alias	query		string	false	"Alias of the route"
+// @Success		200		{array}		homepage.FetchResult
+// @Failure		400		{object}	apitypes.ErrorResponse "Bad Request: alias is empty or route is not HTTPRoute"
+// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden: unauthorized"
+// @Failure		404		{object}	apitypes.ErrorResponse "Not Found: route or icon not found"
+// @Failure		500		{object}	apitypes.ErrorResponse "Internal Server Error: internal error"
+// @Router			/favicon [get]
+func FavIcon(c *gin.Context) {
+	var request GetFavIconRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	// try with url
+	if request.URL != "" {
+		var iconURL homepage.IconURL
+		if err := iconURL.Parse(request.URL); err != nil {
+			c.JSON(http.StatusBadRequest, apitypes.Error("invalid url", err))
+			return
+		}
+		fetchResult := homepage.FetchFavIconFromURL(c.Request.Context(), &iconURL)
+		if !fetchResult.OK() {
+			c.JSON(fetchResult.StatusCode, apitypes.Error(fetchResult.ErrMsg))
+			return
+		}
+		c.Data(fetchResult.StatusCode, fetchResult.ContentType(), fetchResult.Icon)
+		return
+	}
+
+	// try with alias
+	result := GetFavIconFromAlias(c.Request.Context(), request.Alias)
+	if !result.OK() {
+		c.JSON(result.StatusCode, apitypes.Error(result.ErrMsg))
+		return
+	}
+	c.Data(result.StatusCode, result.ContentType(), result.Icon)
+}
+
+func GetFavIconFromAlias(ctx context.Context, alias string) *homepage.FetchResult {
+	// try with route.Icon
+	r, ok := routes.HTTP.Get(alias)
+	if !ok {
+		return &homepage.FetchResult{
+			StatusCode: http.StatusNotFound,
+			ErrMsg:     "route not found",
+		}
+	}
+
+	var result *homepage.FetchResult
+	hp := r.HomepageItem()
+	if hp.Icon != nil {
+		if hp.Icon.IconSource == homepage.IconSourceRelative {
+			result = homepage.FindIcon(ctx, r, *hp.Icon.FullURL)
+		} else {
+			result = homepage.FetchFavIconFromURL(ctx, hp.Icon)
+		}
+	} else {
+		// try extract from "link[rel=icon]"
+		result = homepage.FindIcon(ctx, r, "/")
+	}
+	if result.StatusCode == 0 {
+		result.StatusCode = http.StatusOK
+	}
+	return result
+}

internal/api/v1/favicon/favicon.go

@@ -1,75 +0,0 @@
-package favicon
-
-import (
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-// GetFavIcon returns the favicon of the route
-//
-// Returns:
-//   - 200 OK: if icon found
-//   - 400 Bad Request: if alias is empty or route is not HTTPRoute
-//   - 404 Not Found: if route or icon not found
-//   - 500 Internal Server Error: if internal error
-//   - others: depends on route handler response
-func GetFavIcon(w http.ResponseWriter, req *http.Request) {
-	url, alias := req.FormValue("url"), req.FormValue("alias")
-	if url == "" && alias == "" {
-		gphttp.MissingKey(w, "url or alias")
-		return
-	}
-	if url != "" && alias != "" {
-		gphttp.BadRequest(w, "url and alias are mutually exclusive")
-		return
-	}
-
-	// try with url
-	if url != "" {
-		var iconURL homepage.IconURL
-		if err := iconURL.Parse(url); err != nil {
-			gphttp.ClientError(w, req, err, http.StatusBadRequest)
-			return
-		}
-		fetchResult := homepage.FetchFavIconFromURL(req.Context(), &iconURL)
-		if !fetchResult.OK() {
-			http.Error(w, fetchResult.ErrMsg, fetchResult.StatusCode)
-			return
-		}
-		w.Header().Set("Content-Type", fetchResult.ContentType())
-		gphttp.WriteBody(w, fetchResult.Icon)
-		return
-	}
-
-	// try with route.Icon
-	r, ok := routes.HTTP.Get(alias)
-	if !ok {
-		gphttp.ValueNotFound(w, "route", alias)
-		return
-	}
-
-	var result *homepage.FetchResult
-	hp := r.HomepageItem()
-	if hp.Icon != nil {
-		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = homepage.FindIcon(req.Context(), r, *hp.Icon.FullURL)
-		} else {
-			result = homepage.FetchFavIconFromURL(req.Context(), hp.Icon)
-		}
-	} else {
-		// try extract from "link[rel=icon]"
-		result = homepage.FindIcon(req.Context(), r, "/")
-	}
-	if result.StatusCode == 0 {
-		result.StatusCode = http.StatusOK
-	}
-	if !result.OK() {
-		http.Error(w, result.ErrMsg, result.StatusCode)
-		return
-	}
-	w.Header().Set("Content-Type", result.ContentType())
-	gphttp.WriteBody(w, result.Icon)
-}

internal/api/v1/file/get.go

@@ -0,0 +1,73 @@
+package fileapi
+
+import (
+	"net/http"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+type FileType string // @name FileType
+
+const (
+	FileTypeConfig     FileType = "config"     // @name FileTypeConfig
+	FileTypeProvider   FileType = "provider"   // @name FileTypeProvider
+	FileTypeMiddleware FileType = "middleware" // @name FileTypeMiddleware
+)
+
+type GetFileContentRequest struct {
+	FileType FileType `form:"type" binding:"required,oneof=config provider middleware"`
+	Filename string   `form:"filename" binding:"required" format:"filename"`
+} //	@name	GetFileContentRequest
+
+// @x-id				"get"
+// @BasePath		/api/v1
+// @Summary		Get file content
+// @Description	Get file content
+// @Tags			file
+// @Accept			json
+// @Produce		json,application/godoxy+yaml
+// @Param			query	query		GetFileContentRequest	true	"Request"
+// @Success		200			{string}	application/godoxy+yaml	"File content"
+// @Failure		400			{object}	apitypes.ErrorResponse
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Failure		500			{object}	apitypes.ErrorResponse
+// @Router			/file/content [get]
+func Get(c *gin.Context) {
+	var request GetFileContentRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	content, err := os.ReadFile(request.FileType.GetPath(request.Filename))
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to read file"))
+		return
+	}
+
+	// RFC 9512: https://www.rfc-editor.org/rfc/rfc9512.html
+	// xxx/yyy+yaml
+	c.Data(http.StatusOK, "application/godoxy+yaml", content)
+}
+
+func GetFileType(file string) FileType {
+	switch {
+	case strings.HasPrefix(path.Base(file), "config."):
+		return FileTypeConfig
+	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
+		return FileTypeMiddleware
+	}
+	return FileTypeProvider
+}
+
+func (t FileType) GetPath(filename string) string {
+	if t == FileTypeMiddleware {
+		return path.Join(common.MiddlewareComposeBasePath, filename)
+	}
+	return path.Join(common.ConfigBasePath, filename)
+}

internal/api/v1/file/list.go

@@ -0,0 +1,62 @@
+package fileapi
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type ListFilesResponse struct {
+	Config     []string `json:"config"`
+	Provider   []string `json:"provider"`
+	Middleware []string `json:"middleware"`
+} // @name ListFilesResponse
+
+// @x-id				"list"
+// @BasePath		/api/v1
+// @Summary		List files
+// @Description	List files
+// @Tags			file
+// @Accept			json
+// @Produce		json
+// @Success		200	{object}	ListFilesResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/file/list [get]
+func List(c *gin.Context) {
+	resp := map[FileType][]string{
+		FileTypeConfig:     make([]string, 0),
+		FileTypeProvider:   make([]string, 0),
+		FileTypeMiddleware: make([]string, 0),
+	}
+
+	// config/
+	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to list files"))
+		return
+	}
+
+	for _, file := range files {
+		t := GetFileType(file)
+		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
+		resp[t] = append(resp[t], file)
+	}
+
+	// config/middlewares/
+	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to list files"))
+		return
+	}
+	for _, mid := range mids {
+		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
+		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
+	}
+
+	c.JSON(http.StatusOK, resp)
+}

internal/api/v1/file/set.go

@@ -0,0 +1,52 @@
+package fileapi
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+)
+
+type SetFileContentRequest GetFileContentRequest
+
+// @x-id				"set"
+// @BasePath		/api/v1
+// @Summary		Set file content
+// @Description	Set file content
+// @Tags			file
+// @Accept			text/plain
+// @Produce		json
+// @Param			type		query		FileType	true	"Type"
+// @Param			filename	query		string		true	"Filename"
+// @Param			file		body		string		true	"File"
+// @Success		200			{object}	apitypes.SuccessResponse
+// @Failure		400			{object}	apitypes.ErrorResponse
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Failure		500			{object}	apitypes.ErrorResponse
+// @Router			/file/content [put]
+func Set(c *gin.Context) {
+	var request SetFileContentRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	content, err := c.GetRawData()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to read file"))
+		return
+	}
+
+	if valErr := validateFile(request.FileType, content); valErr != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid file", valErr))
+		return
+	}
+
+	err = os.WriteFile(request.FileType.GetPath(request.Filename), content, 0o644)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to write file"))
+		return
+	}
+	c.JSON(http.StatusOK, apitypes.Success("file set"))
+}

internal/api/v1/file/validate.go

@@ -0,0 +1,64 @@
+package fileapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
+	"github.com/yusing/go-proxy/internal/route/provider"
+)
+
+type ValidateFileRequest struct {
+	FileType FileType `form:"type" validate:"required,oneof=config provider middleware"`
+} //	@name	ValidateFileRequest
+
+// @x-id				"validate"
+// @BasePath		/api/v1
+// @Summary		Validate file
+// @Description	Validate file
+// @Tags			file
+// @Accept			text/plain
+// @Produce		json
+// @Param			type	query		FileType	true	"Type"
+// @Param			file	body		string		true	"File content"
+// @Success		200		{object}	apitypes.SuccessResponse "File validated"
+// @Failure		400		{object}	apitypes.ErrorResponse "Bad request"
+// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden"
+// @Failure		417		{object}	any "Validation failed"
+// @Failure		500		{object}	apitypes.ErrorResponse "Internal server error"
+// @Router			/file/validate [post]
+func Validate(c *gin.Context) {
+	var request ValidateFileRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	content, err := c.GetRawData()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to read file"))
+		return
+	}
+	c.Request.Body.Close()
+
+	if valErr := validateFile(request.FileType, content); valErr != nil {
+		c.JSON(http.StatusExpectationFailed, valErr)
+		return
+	}
+	c.JSON(http.StatusOK, apitypes.Success("file validated"))
+}
+
+func validateFile(fileType FileType, content []byte) gperr.Error {
+	switch fileType {
+	case FileTypeConfig:
+		return config.Validate(content)
+	case FileTypeMiddleware:
+		errs := gperr.NewBuilder("middleware errors")
+		middleware.BuildMiddlewaresFromYAML("", content, errs)
+		return errs.Error()
+	}
+	return provider.Validate(content)
+}

internal/api/v1/health.go

@@ -4,20 +4,31 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/gin-gonic/gin"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 
-func Health(w http.ResponseWriter, r *http.Request) {
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
-			return wsjson.Write(r.Context(), conn, routes.HealthMap())
+type HealthMap = map[string]routes.HealthInfo //	@name	HealthMap
+
+// @x-id				"health"
+// @BasePath		/api/v1
+// @Summary		Get routes health info
+// @Description	Get health info by route name
+// @Tags			v1,websocket
+// @Accept			json
+// @Produce		json
+// @Success		200	{object}	HealthMap "Health info by route name"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/health [get]
+func Health(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 1*time.Second, func() (any, error) {
+			return routes.GetHealthInfo(), nil
 		})
 	} else {
-		gphttp.RespondJSON(w, r, routes.HealthMap())
+		c.JSON(http.StatusOK, routes.GetHealthInfo())
 	}
 }

internal/api/v1/homepage/categories.go

@@ -0,0 +1,22 @@
+package homepageapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+// @x-id				"categories"
+// @BasePath		/api/v1
+// @Summary		List homepage categories
+// @Description	List homepage categories
+// @Tags			homepage
+// @Accept			json
+// @Produce		json
+// @Success		200	{array}		string
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Router			/homepage/categories [get]
+func Categories(c *gin.Context) {
+	c.JSON(http.StatusOK, routes.HomepageCategories())
+}

internal/api/v1/homepage/items.go

@@ -0,0 +1,46 @@
+package homepageapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+type HomepageItemsRequest struct {
+	Category string `form:"category" validate:"omitempty"`
+	Provider string `form:"provider" validate:"omitempty"`
+} //	@name	HomepageItemsRequest
+
+// @x-id				"items"
+// @BasePath		/api/v1
+// @Summary		Homepage items
+// @Description	Homepage items
+// @Tags			homepage
+// @Accept			json
+// @Produce		json
+// @Param			category	query		string	false	"Category filter"
+// @Param			provider	query		string	false	"Provider filter"
+// @Success		200			{object}	homepage.Homepage
+// @Failure		400			{object}	apitypes.ErrorResponse
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Router			/homepage/items [get]
+func Items(c *gin.Context) {
+	var request HomepageItemsRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	proto := "http"
+	if c.Request.TLS != nil || c.GetHeader("X-Forwarded-Proto") == "https" {
+		proto = "https"
+	}
+	hostname := c.Request.Host
+	if host := c.GetHeader("X-Forwarded-Host"); host != "" {
+		hostname = host
+	}
+
+	c.JSON(http.StatusOK, routes.HomepageItems(proto, hostname, request.Category, request.Provider))
+}

internal/api/v1/homepage/overrides.go

@@ -0,0 +1,145 @@
+package homepageapi
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/homepage"
+)
+
+type (
+	HomepageOverrideItemParams struct {
+		Which string              `json:"which"`
+		Value homepage.ItemConfig `json:"value"`
+	} //	@name	HomepageOverrideItemParams
+	HomepageOverrideItemsBatchParams struct {
+		Value map[string]*homepage.ItemConfig `json:"value"`
+	} //	@name	HomepageOverrideItemsBatchParams
+	HomepageOverrideCategoryOrderParams struct {
+		Which string `json:"which"`
+		Value int    `json:"value"`
+	} //	@name	HomepageOverrideCategoryOrderParams
+	HomepageOverrideItemVisibleParams struct {
+		Which []string `json:"which"`
+		Value bool     `json:"value"`
+	} //	@name	HomepageOverrideItemVisibleParams
+)
+
+// @x-id				"set-item"
+// @BasePath		/api/v1
+// @Summary		Override single homepage item
+// @Description	Override single homepage item.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemParams	true	"Override single item"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/item [post]
+func SetItem(c *gin.Context) {
+	var params HomepageOverrideItemParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.OverrideItem(params.Which, &params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-items-batch"
+// @BasePath		/api/v1
+// @Summary		Override multiple homepage items
+// @Description	Override multiple homepage items.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemsBatchParams	true	"Override multiple items"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/items_batch [post]
+func SetItemsBatch(c *gin.Context) {
+	var params HomepageOverrideItemsBatchParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		data, derr := c.GetRawData()
+		if derr != nil {
+			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
+			return
+		}
+		if uerr := json.Unmarshal(data, &params); uerr != nil {
+			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
+			return
+		}
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.OverrideItems(params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-item-visible"
+// @BasePath		/api/v1
+// @Summary		Set homepage item visibility
+// @Description	POST list of item ids and visibility value.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemVisibleParams	true	"Set item visibility"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/item_visible [post]
+func SetItemVisible(c *gin.Context) {
+	var params HomepageOverrideItemVisibleParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		data, derr := c.GetRawData()
+		if derr != nil {
+			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
+			return
+		}
+		if uerr := json.Unmarshal(data, &params); uerr != nil {
+			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
+			return
+		}
+	}
+	overrides := homepage.GetOverrideConfig()
+	if params.Value {
+		overrides.UnhideItems(params.Which)
+	} else {
+		overrides.HideItems(params.Which)
+	}
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-category-order"
+// @BasePath		/api/v1
+// @Summary		Set homepage category order
+// @Description	Set homepage category order.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideCategoryOrderParams	true	"Override category order"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/category_order [post]
+func SetCategoryOrder(c *gin.Context) {
+	var params HomepageOverrideCategoryOrderParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		data, derr := c.GetRawData()
+		if derr != nil {
+			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
+			return
+		}
+		if uerr := json.Unmarshal(data, &params); uerr != nil {
+			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
+			return
+		}
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.SetCategoryOrder(params.Which, params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}

internal/api/v1/homepage_overrides.go

@@ -1,90 +0,0 @@
-package v1
-
-import (
-	"encoding/json"
-	"io"
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-)
-
-const (
-	HomepageOverrideItem          = "item"
-	HomepageOverrideItemsBatch    = "items_batch"
-	HomepageOverrideCategoryOrder = "category_order"
-	HomepageOverrideItemVisible   = "item_visible"
-)
-
-type (
-	HomepageOverrideItemParams struct {
-		Which string              `json:"which"`
-		Value homepage.ItemConfig `json:"value"`
-	}
-	HomepageOverrideItemsBatchParams struct {
-		Value map[string]*homepage.ItemConfig `json:"value"`
-	}
-	HomepageOverrideCategoryOrderParams struct {
-		Which string `json:"which"`
-		Value int    `json:"value"`
-	}
-	HomepageOverrideItemVisibleParams struct {
-		Which []string `json:"which"`
-		Value bool     `json:"value"`
-	}
-)
-
-func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
-	what := r.FormValue("what")
-	if what == "" {
-		gphttp.BadRequest(w, "missing what or which")
-		return
-	}
-
-	data, err := io.ReadAll(r.Body)
-	if err != nil {
-		gphttp.ClientError(w, r, err, http.StatusBadRequest)
-		return
-	}
-	r.Body.Close()
-
-	overrides := homepage.GetOverrideConfig()
-	switch what {
-	case HomepageOverrideItem:
-		var params HomepageOverrideItemParams
-		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, r, err, http.StatusBadRequest)
-			return
-		}
-		overrides.OverrideItem(params.Which, &params.Value)
-	case HomepageOverrideItemsBatch:
-		var params HomepageOverrideItemsBatchParams
-		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, r, err, http.StatusBadRequest)
-			return
-		}
-		overrides.OverrideItems(params.Value)
-	case HomepageOverrideItemVisible: // POST /v1/item_visible [a,b,c], false => hide a, b, c
-		var params HomepageOverrideItemVisibleParams
-		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, r, err, http.StatusBadRequest)
-			return
-		}
-		if params.Value {
-			overrides.UnhideItems(params.Which)
-		} else {
-			overrides.HideItems(params.Which)
-		}
-	case HomepageOverrideCategoryOrder:
-		var params HomepageOverrideCategoryOrderParams
-		if err := json.Unmarshal(data, &params); err != nil {
-			gphttp.ClientError(w, r, err, http.StatusBadRequest)
-			return
-		}
-		overrides.SetCategoryOrder(params.Which, params.Value)
-	default:
-		http.Error(w, "invalid what", http.StatusBadRequest)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}

internal/api/v1/icons.go

@@ -0,0 +1,37 @@
+package v1
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/homepage"
+)
+
+type ListIconsRequest struct {
+	Limit   int    `form:"limit" validate:"omitempty,min=0"`
+	Keyword string `form:"keyword" validate:"required"`
+} //	@name	ListIconsRequest
+
+// @x-id				"icons"
+// @BasePath		/api/v1
+// @Summary		List icons
+// @Description	List icons
+// @Tags			v1
+// @Accept			json
+// @Produce		json
+// @Param			limit	query		int		false	"Limit"
+// @Param			keyword	query		string	false	"Keyword"
+// @Success		200		{array}		homepage.IconMetaSearch
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		403		{object}	apitypes.ErrorResponse
+// @Router			/icons [get]
+func Icons(c *gin.Context) {
+	var request ListIconsRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	icons := homepage.SearchIcons(request.Keyword, request.Limit)
+	c.JSON(http.StatusOK, icons)
+}

internal/api/v1/index.go

@@ -1,11 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-)
-
-func Index(w http.ResponseWriter, r *http.Request) {
-	gphttp.WriteBody(w, []byte("API ready"))
-}

internal/api/v1/list_files.go

@@ -1,41 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-func ListFilesHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	resp := map[FileType][]string{
-		FileTypeConfig:     make([]string, 0),
-		FileTypeProvider:   make([]string, 0),
-		FileTypeMiddleware: make([]string, 0),
-	}
-
-	for _, file := range files {
-		t := fileType(file)
-		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
-		resp[t] = append(resp[t], file)
-	}
-
-	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	for _, mid := range mids {
-		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
-		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
-	}
-	gphttp.RespondJSON(w, r, resp)
-}

internal/api/v1/list_homepage_categories.go

@@ -1,13 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-func ListHomepageCategoriesHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	gphttp.RespondJSON(w, r, routes.HomepageCategories())
-}

internal/api/v1/list_homepage_config.go

@@ -1,13 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-func ListHomepageConfigHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	gphttp.RespondJSON(w, r, routes.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
-}

internal/api/v1/list_icons.go

@@ -1,23 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"strconv"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-)
-
-func ListIconsHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	limit, err := strconv.Atoi(r.FormValue("limit"))
-	if err != nil {
-		limit = 0
-	}
-	icons, err := homepage.SearchIcons(r.FormValue("keyword"), limit)
-	if err != nil {
-		gphttp.ClientError(w, r, err)
-		return
-	}
-	gphttp.RespondJSON(w, r, icons)
-}

internal/api/v1/list_route.go

@@ -1,19 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-func ListRouteHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	which := r.PathValue("which")
-	route, ok := routes.Get(which)
-	if ok {
-		gphttp.RespondJSON(w, r, route)
-	} else {
-		gphttp.RespondJSON(w, r, nil)
-	}
-}

internal/api/v1/list_route_providers.go

@@ -1,23 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-)
-
-func ListRouteProvidersHandler(cfgInstance config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
-			return wsjson.Write(r.Context(), conn, cfgInstance.RouteProviderList())
-		})
-	} else {
-		gphttp.RespondJSON(w, r, cfgInstance.RouteProviderList())
-	}
-}

internal/api/v1/list_routes.go

@@ -1,25 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"slices"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-func ListRoutesHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	rts := make([]routes.Route, 0)
-	provider := r.FormValue("provider")
-	if provider == "" {
-		gphttp.RespondJSON(w, r, slices.Collect(routes.Iter))
-		return
-	}
-	for r := range routes.Iter {
-		if r.ProviderName() == provider {
-			rts = append(rts, r)
-		}
-	}
-	gphttp.RespondJSON(w, r, rts)
-}

internal/api/v1/list_routes_by_provider.go

@@ -1,13 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-func ListRoutesByProviderHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	gphttp.RespondJSON(w, r, routes.ByProvider())
-}

internal/api/v1/metrics/system_info.go

@@ -0,0 +1,76 @@
+package metrics
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/metrics/period"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	nettypes "github.com/yusing/go-proxy/internal/net/types"
+)
+
+type SystemInfoRequest struct {
+	AgentAddr string                             `query:"agent_addr"`
+	Aggregate systeminfo.SystemInfoAggregateMode `query:"aggregate"`
+	Period    period.Filter                      `query:"period"`
+} // @name SystemInfoRequest
+
+type SystemInfoAggregate period.ResponseType[systeminfo.Aggregated] // @name SystemInfoAggregate
+
+// @x-id				"system_info"
+// @BasePath		/api/v1
+// @Summary		Get system info
+// @Description	Get system info
+// @Tags			metrics,websocket
+// @Produce		json
+// @Param			request	query		SystemInfoRequest	false	"Request"
+// @Success		200			{object}	systeminfo.SystemInfo "no period specified"
+// @Success		200			{object}	SystemInfoAggregate "period specified"
+// @Failure		400			{object}	apitypes.ErrorResponse
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Failure		404			{object}	apitypes.ErrorResponse
+// @Failure		500			{object}	apitypes.ErrorResponse
+// @Router	 /metrics/system_info [get]
+func SystemInfo(c *gin.Context) {
+	query := c.Request.URL.Query()
+	agentAddr := query.Get("agent_addr")
+	query.Del("agent_addr")
+	if agentAddr == "" {
+		systeminfo.Poller.ServeHTTP(c)
+		return
+	}
+
+	agent, ok := agentPkg.GetAgent(agentAddr)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("agent_addr not found"))
+		return
+	}
+
+	isWS := httpheaders.IsWebsocket(c.Request.Header)
+	if !isWS {
+		respData, status, err := agent.Forward(c.Request, agentPkg.EndpointSystemInfo)
+		if err != nil {
+			c.Error(apitypes.InternalServerError(err, "failed to forward request to agent"))
+			return
+		}
+		if status != http.StatusOK {
+			c.JSON(status, apitypes.Error(string(respData)))
+			return
+		}
+		c.JSON(status, respData)
+	} else {
+		rp := reverseproxy.NewReverseProxy("agent", nettypes.NewURL(agentPkg.AgentURL), agent.Transport())
+		header := c.Request.Header.Clone()
+		r, err := http.NewRequestWithContext(c.Request.Context(), c.Request.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
+		if err != nil {
+			c.Error(apitypes.InternalServerError(err, "failed to create request"))
+			return
+		}
+		r.Header = header
+		rp.ServeHTTP(c.Writer, r)
+	}
+}

internal/api/v1/metrics/upime.go

@@ -0,0 +1,34 @@
+package metrics
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/metrics/period"
+	"github.com/yusing/go-proxy/internal/metrics/uptime"
+)
+
+type UptimeRequest struct {
+	Limit    int           `query:"limit" example:"10" default:"0"`
+	Offset   int           `query:"offset" example:"10" default:"0"`
+	Interval period.Filter `query:"interval" example:"1m"`
+	Keyword  string        `query:"keyword" example:""`
+} // @name UptimeRequest
+
+type UptimeAggregate period.ResponseType[uptime.Aggregated] // @name UptimeAggregate
+
+// @x-id				"uptime"
+// @BasePath		/api/v1
+// @Summary		Get uptime
+// @Description	Get uptime
+// @Tags			metrics,websocket
+// @Produce   json
+// @Param			request	query		UptimeRequest	false	"Request"
+// @Success		200		{object}	uptime.StatusByAlias "no period specified"
+// @Success		200		{object}	UptimeAggregate "period specified"
+// @Success   204   {object}	apitypes.ErrorResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		403		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/metrics/uptime [get]
+func Uptime(c *gin.Context) {
+	uptime.Poller.ServeHTTP(c)
+}

internal/api/v1/new_agent.go

@@ -1,141 +0,0 @@
-package v1
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"strconv"
-
-	_ "embed"
-
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-)
-
-func NewAgent(w http.ResponseWriter, r *http.Request) {
-	q := r.URL.Query()
-	name := q.Get("name")
-	if name == "" {
-		gphttp.MissingKey(w, "name")
-		return
-	}
-	host := q.Get("host")
-	if host == "" {
-		gphttp.MissingKey(w, "host")
-		return
-	}
-	portStr := q.Get("port")
-	if portStr == "" {
-		gphttp.MissingKey(w, "port")
-		return
-	}
-	port, err := strconv.Atoi(portStr)
-	if err != nil || port < 1 || port > 65535 {
-		gphttp.InvalidKey(w, "port")
-		return
-	}
-	hostport := fmt.Sprintf("%s:%d", host, port)
-	if _, ok := config.GetInstance().GetAgent(hostport); ok {
-		gphttp.KeyAlreadyExists(w, "agent", hostport)
-		return
-	}
-	t := q.Get("type")
-	switch t {
-	case "docker", "system":
-		break
-	case "":
-		gphttp.MissingKey(w, "type")
-		return
-	default:
-		gphttp.InvalidKey(w, "type")
-		return
-	}
-
-	nightly, _ := strconv.ParseBool(q.Get("nightly"))
-	var image string
-	if nightly {
-		image = agent.DockerImageNightly
-	} else {
-		image = agent.DockerImageProduction
-	}
-
-	ca, srv, client, err := agent.NewAgent()
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	var cfg agent.Generator = &agent.AgentEnvConfig{
-		Name:    name,
-		Port:    port,
-		CACert:  ca.String(),
-		SSLCert: srv.String(),
-	}
-	if t == "docker" {
-		cfg = &agent.AgentComposeConfig{
-			Image:          image,
-			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
-		}
-	}
-	template, err := cfg.Generate()
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	gphttp.RespondJSON(w, r, map[string]any{
-		"compose": template,
-		"ca":      ca,
-		"client":  client,
-	})
-}
-
-func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
-	defer r.Body.Close()
-	clientPEMData, err := io.ReadAll(r.Body)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	var data struct {
-		Host   string        `json:"host"`
-		CA     agent.PEMPair `json:"ca"`
-		Client agent.PEMPair `json:"client"`
-	}
-
-	if err := json.Unmarshal(clientPEMData, &data); err != nil {
-		gphttp.ClientError(w, r, err)
-		return
-	}
-
-	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(data.Host, data.CA, data.Client)
-	if err != nil {
-		gphttp.ClientError(w, r, err)
-		return
-	}
-
-	zip, err := certs.ZipCert(data.CA.Cert, data.Client.Cert, data.Client.Key)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	filename, ok := certs.AgentCertsFilepath(data.Host)
-	if !ok {
-		gphttp.InvalidKey(w, "host")
-		return
-	}
-
-	if err := os.WriteFile(filename, zip, 0600); err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	w.WriteHeader(http.StatusOK)
-	w.Write(fmt.Appendf(nil, "Added %d routes", nRoutesAdded))
-}

internal/api/v1/reload.go

@@ -3,14 +3,26 @@ package v1
 import (
 	"net/http"
 
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 
-func Reload(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	if err := cfg.Reload(); err != nil {
-		gphttp.ServerError(w, r, err)
+// @x-id				"reload"
+// @BasePath		/api/v1
+// @Summary		Reload config
+// @Description	Reload config
+// @Tags			v1
+// @Accept			json
+// @Produce		json
+// @Success		200	{object}	apitypes.SuccessResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/reload [post]
+func Reload(c *gin.Context) {
+	if err := config.GetInstance().Reload(); err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to reload config"))
 		return
 	}
-	gphttp.WriteBody(w, []byte("OK"))
+	c.JSON(http.StatusOK, apitypes.Success("config reloaded"))
 }

internal/api/v1/route/by_provider.go

@@ -0,0 +1,26 @@
+package routeApi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+type RoutesByProvider map[string][]route.Route
+
+// @x-id				"byProvider"
+// @BasePath		/api/v1
+// @Summary		List routes by provider
+// @Description	List routes by provider
+// @Tags			route
+// @Accept			json
+// @Produce		json
+// @Success		200	{object}	RoutesByProvider
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/route/by_provider [get]
+func ByProvider(c *gin.Context) {
+	c.JSON(http.StatusOK, routes.ByProvider())
+}

internal/api/v1/route/providers.go

@@ -0,0 +1,33 @@
+package routeApi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+)
+
+// @x-id				"providers"
+// @BasePath		/api/v1
+// @Summary		List route providers
+// @Description	List route providers
+// @Tags			route,websocket
+// @Accept			json
+// @Produce		json
+// @Success		200	{array}		config.RouteProviderListResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/route/providers [get]
+func Providers(c *gin.Context) {
+	cfg := config.GetInstance()
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
+			return config.GetInstance().RouteProviderList(), nil
+		})
+	} else {
+		c.JSON(http.StatusOK, cfg.RouteProviderList())
+	}
+}

internal/api/v1/route/route.go

@@ -0,0 +1,41 @@
+package routeApi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/go-proxy/internal/route/routes"
+)
+
+type ListRouteRequest struct {
+	Which string `uri:"which" validate:"required"`
+} //	@name	ListRouteRequest
+
+// @x-id				"route"
+// @BasePath		/api/v1
+// @Summary		List route
+// @Description	List route
+// @Tags			route
+// @Accept			json
+// @Produce		json
+// @Param			which	path		string	true	"Route name"
+// @Success		200		{object}	RouteType
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		403		{object}	apitypes.ErrorResponse
+// @Failure		404		{object}	apitypes.ErrorResponse
+// @Router			/route/{which} [get]
+func Route(c *gin.Context) {
+	var request ListRouteRequest
+	if err := c.ShouldBindUri(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	route, ok := routes.Get(request.Which)
+	if ok {
+		c.JSON(http.StatusOK, route)
+	} else {
+		c.JSON(http.StatusNotFound, nil)
+	}
+}

internal/api/v1/route/routes.go

@@ -0,0 +1,68 @@
+package routeApi
+
+import (
+	"net/http"
+	"slices"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	"github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/yusing/go-proxy/internal/types"
+)
+
+type RouteType route.Route // @name Route
+
+// @x-id				"routes"
+// @BasePath		/api/v1
+// @Summary		List routes
+// @Description	List routes
+// @Tags			route,websocket
+// @Accept			json
+// @Produce		json
+// @Param			provider	query		string	false	"Provider"
+// @Success		200			{array}		RouteType
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Router			/route/list [get]
+func Routes(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		RoutesWS(c)
+		return
+	}
+
+	provider := c.Query("provider")
+	if provider == "" {
+		c.JSON(http.StatusOK, slices.Collect(routes.Iter))
+		return
+	}
+
+	rts := make([]types.Route, 0, routes.NumRoutes())
+	for r := range routes.Iter {
+		if r.ProviderName() == provider {
+			rts = append(rts, r)
+		}
+	}
+	c.JSON(http.StatusOK, rts)
+}
+
+func RoutesWS(c *gin.Context) {
+	provider := c.Query("provider")
+	if provider == "" {
+		websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
+			return slices.Collect(routes.Iter), nil
+		})
+		return
+	}
+
+	websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
+		rts := make([]types.Route, 0, routes.NumRoutes())
+		for r := range routes.Iter {
+			if r.ProviderName() == provider {
+				rts = append(rts, r)
+			}
+		}
+		return rts, nil
+	})
+}

internal/api/v1/stats.go

@@ -4,30 +4,52 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
+	"github.com/gin-gonic/gin"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	"github.com/yusing/go-proxy/internal/types"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
-func Stats(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
-			return wsjson.Write(r.Context(), conn, getStats(cfg))
-		})
+type StatsResponse struct {
+	Proxies ProxyStats `json:"proxies"`
+	Uptime  string     `json:"uptime"`
+} //	@name	StatsResponse
+
+type ProxyStats struct {
+	Total          uint16                         `json:"total"`
+	ReverseProxies types.RouteStats               `json:"reverse_proxies"`
+	Streams        types.RouteStats               `json:"streams"`
+	Providers      map[string]types.ProviderStats `json:"providers"`
+} //	@name	ProxyStats
+
+// @x-id				"stats"
+// @BasePath		/api/v1
+// @Summary		Get GoDoxy stats
+// @Description	Get stats
+// @Tags			v1,websocket
+// @Accept			json
+// @Produce		json
+// @Success		200	{object}	StatsResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/stats [get]
+func Stats(c *gin.Context) {
+	cfg := config.GetInstance()
+	getStats := func() (any, error) {
+		return map[string]any{
+			"proxies": cfg.Statistics(),
+			"uptime":  strutils.FormatDuration(time.Since(startTime)),
+		}, nil
+	}
+
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, time.Second, getStats)
 	} else {
-		gphttp.RespondJSON(w, r, getStats(cfg))
+		stats, _ := getStats()
+		c.JSON(http.StatusOK, stats)
 	}
 }
 
 var startTime = time.Now()
-
-func getStats(cfg config.ConfigInstance) map[string]any {
-	return map[string]any{
-		"proxies": cfg.Statistics(),
-		"uptime":  strutils.FormatDuration(time.Since(startTime)),
-	}
-}

internal/api/v1/system_info.go

@@ -1,54 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	"github.com/yusing/go-proxy/internal/net/types"
-)
-
-func SystemInfo(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	query := r.URL.Query()
-	agentAddr := query.Get("agent_addr")
-	query.Del("agent_addr")
-	if agentAddr == "" {
-		systeminfo.Poller.ServeHTTP(w, r)
-		return
-	}
-
-	agent, ok := cfg.GetAgent(agentAddr)
-	if !ok {
-		gphttp.NotFound(w, "agent_addr")
-		return
-	}
-
-	isWS := httpheaders.IsWebsocket(r.Header)
-	if !isWS {
-		respData, status, err := agent.Forward(r, agentPkg.EndpointSystemInfo)
-		if err != nil {
-			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to forward request to agent"))
-			return
-		}
-		if status != http.StatusOK {
-			http.Error(w, string(respData), status)
-			return
-		}
-		gphttp.WriteBody(w, respData)
-	} else {
-		rp := reverseproxy.NewReverseProxy("agent", types.NewURL(agentPkg.AgentURL), agent.Transport())
-		header := r.Header.Clone()
-		r, err := http.NewRequestWithContext(r.Context(), r.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
-		if err != nil {
-			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to create request"))
-			return
-		}
-		r.Header = header
-		rp.ServeHTTP(w, r)
-	}
-}

internal/api/v1/version.go

@@ -0,0 +1,21 @@
+package v1
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+// @x-id				"version"
+// @BasePath		/api/v1
+// @Summary		Get version
+// @Description	Get the version of the GoDoxy
+// @Tags			v1
+// @Accept			json
+// @Produce		plain
+// @Success		200	{string}	string	"version"
+// @Router			/version [get]
+func Version(c *gin.Context) {
+	c.JSON(http.StatusOK, pkg.GetVersion().String())
+}

internal/auth/auth.go

@@ -4,7 +4,6 @@ import (
 	"net/http"
 
 	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 
 var defaultAuth Provider
@@ -42,19 +41,6 @@ type nextHandler struct{}
 
 var nextHandlerContextKey = nextHandler{}
 
-func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
-	if !IsEnabled() {
-		return next
-	}
-	return func(w http.ResponseWriter, r *http.Request) {
-		if err := defaultAuth.CheckToken(r); err != nil {
-			gphttp.Unauthorized(w, err.Error())
-			return
-		}
-		next(w, r)
-	}
-}
-
 func ProceedNext(w http.ResponseWriter, r *http.Request) {
 	next, ok := r.Context().Value(nextHandlerContextKey).(http.HandlerFunc)
 	if ok {
@@ -65,7 +51,8 @@ func ProceedNext(w http.ResponseWriter, r *http.Request) {
 }
 
 func AuthCheckHandler(w http.ResponseWriter, r *http.Request) {
-	if err := defaultAuth.CheckToken(r); err != nil {
+	err := defaultAuth.CheckToken(r)
+	if err != nil {
 		defaultAuth.LoginHandler(w, r)
 	} else {
 		w.WriteHeader(http.StatusOK)

internal/auth/oauth_refresh.go

@@ -11,9 +11,9 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/jsonstore"
-	"github.com/yusing/go-proxy/internal/logging"
 	"golang.org/x/oauth2"
 )
 
@@ -108,11 +108,11 @@ func storeOAuthRefreshToken(sessionID sessionID, username, token string) {
 		RefreshToken: token,
 		Expiry:       time.Now().Add(defaultRefreshTokenExpiry),
 	})
-	logging.Debug().Str("username", username).Msg("stored oauth refresh token")
+	log.Debug().Str("username", username).Msg("stored oauth refresh token")
 }
 
 func invalidateOAuthRefreshToken(sessionID sessionID) {
-	logging.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
+	log.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
 	oauthRefreshTokens.Delete(string(sessionID))
 }
 
@@ -127,7 +127,7 @@ func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.R
 	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
 	signed, err := jwtToken.SignedString(common.APIJWTSecret)
 	if err != nil {
-		logging.Err(err).Msg("failed to sign session token")
+		log.Err(err).Msg("failed to sign session token")
 		return
 	}
 	SetTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
@@ -190,7 +190,7 @@ func (auth *OIDCProvider) doRefreshToken(ctx context.Context, refreshToken *oaut
 		return nil, refreshToken.err
 	}
 
-	idTokenJWT, idToken, err := auth.getIdToken(ctx, newToken)
+	idTokenJWT, idToken, err := auth.getIDToken(ctx, newToken)
 	if err != nil {
 		refreshToken.err = fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrRefreshTokenFailure, err)
 		return nil, refreshToken.err
@@ -205,7 +205,7 @@ func (auth *OIDCProvider) doRefreshToken(ctx context.Context, refreshToken *oaut
 
 	sessionID := newSessionID()
 
-	logging.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
+	log.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
 	storeOAuthRefreshToken(sessionID, claims.Username, newToken.RefreshToken)
 
 	refreshToken.result = &RefreshResult{

internal/auth/oidc.go

@@ -12,12 +12,13 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/utils"
 	"golang.org/x/oauth2"
+	"golang.org/x/time/rate"
 )
 
 type (
@@ -36,10 +37,12 @@ type (
 	}
 )
 
+var _ Provider = (*OIDCProvider)(nil)
+
 const (
 	CookieOauthState        = "godoxy_oidc_state"
-	CookieOauthToken        = "godoxy_oauth_token"
-	CookieOauthSessionToken = "godoxy_session_token"
+	CookieOauthToken        = "godoxy_oauth_token"   //nolint:gosec
+	CookieOauthSessionToken = "godoxy_session_token" //nolint:gosec
 )
 
 const (
@@ -79,7 +82,7 @@ func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, all
 	endSessionURL, err := url.Parse(provider.EndSessionEndpoint())
 	if err != nil && provider.EndSessionEndpoint() != "" {
 		// non critical, just warn
-		logging.Warn().
+		log.Warn().
 			Str("issuer", issuerURL).
 			Err(err).
 			Msg("failed to parse end session URL")
@@ -129,7 +132,7 @@ func optRedirectPostAuth(r *http.Request) oauth2.AuthCodeOption {
 	return oauth2.SetAuthURLParam("redirect_uri", "https://"+requestHost(r)+OIDCPostAuthPath)
 }
 
-func (auth *OIDCProvider) getIdToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
+func (auth *OIDCProvider) getIDToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
 	idTokenJWT, ok := oauthToken.Extra("id_token").(string)
 	if !ok {
 		return "", nil, errMissingIDToken
@@ -162,6 +165,8 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+var rateLimit = rate.NewLimiter(rate.Every(time.Second), 1)
+
 func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	// check for session token
 	sessionToken, err := r.Cookie(CookieOauthSessionToken)
@@ -176,16 +181,27 @@ func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		// clear cookies then redirect to home
-		logging.Err(err).Msg("failed to refresh token")
+		log.Err(err).Msg("failed to refresh token")
 		auth.clearCookie(w, r)
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
 
+	if !rateLimit.Allow() {
+		http.Error(w, "auth rate limit exceeded", http.StatusTooManyRequests)
+		return
+	}
+
 	state := generateState()
 	SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
 	// redirect user to Idp
-	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
+	url := auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r))
+	if IsFrontend(r) {
+		w.Header().Set("X-Redirect-To", url)
+		w.WriteHeader(http.StatusForbidden)
+	} else {
+		http.Redirect(w, r, url, http.StatusFound)
+	}
 }
 
 func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
@@ -201,11 +217,12 @@ func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
 
 func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
 	userAllowed := slices.Contains(auth.allowedUsers, user)
-	if !userAllowed {
-		return false
+	if userAllowed {
+		return true
 	}
 	if len(auth.allowedGroups) == 0 {
-		return true
+		// user is not allowed, but no groups are allowed
+		return false
 	}
 	return len(utils.Intersect(groups, auth.allowedGroups)) > 0
 }
@@ -242,11 +259,11 @@ func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 	// verify state
 	state, err := r.Cookie(CookieOauthState)
 	if err != nil {
-		gphttp.BadRequest(w, "missing state cookie")
+		http.Error(w, "missing state cookie", http.StatusBadRequest)
 		return
 	}
 	if r.URL.Query().Get("state") != state.Value {
-		gphttp.BadRequest(w, "invalid oauth state")
+		http.Error(w, "invalid oauth state", http.StatusBadRequest)
 		return
 	}
 
@@ -257,7 +274,7 @@ func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 		return
 	}
 
-	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), oauth2Token)
+	idTokenJWT, idToken, err := auth.getIDToken(r.Context(), oauth2Token)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
@@ -320,12 +337,12 @@ func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
 func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
 	state, err := r.Cookie(CookieOauthState)
 	if err != nil {
-		gphttp.BadRequest(w, "missing state cookie")
+		http.Error(w, "missing state cookie", http.StatusBadRequest)
 		return
 	}
 
 	if r.URL.Query().Get("state") != state.Value {
-		gphttp.BadRequest(w, "invalid oauth state")
+		http.Error(w, "invalid oauth state", http.StatusBadRequest)
 		return
 	}
 

internal/auth/userpass.go

@@ -32,6 +32,8 @@ type (
 	}
 )
 
+var _ Provider = (*UserPassAuth)(nil)
+
 func NewUserPassAuth(username, password string, secret []byte, tokenTTL time.Duration) (*UserPassAuth, error) {
 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
@@ -100,18 +102,21 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	return nil
 }
 
+type UserPassAuthCallbackRequest struct {
+	User string `json:"username"`
+	Pass string `json:"password"`
+}
+
 func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	var creds struct {
-		User string `json:"username"`
-		Pass string `json:"password"`
-	}
+	var creds UserPassAuthCallbackRequest
 	err := json.NewDecoder(r.Body).Decode(&creds)
 	if err != nil {
-		gphttp.Unauthorized(w, "invalid credentials")
+		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
 	}
 	if err := auth.validatePassword(creds.User, creds.Pass); err != nil {
-		gphttp.Unauthorized(w, "invalid credentials")
+		// NOTE: do not include the actual error here
+		http.Error(w, "invalid credentials", http.StatusBadRequest)
 		return
 	}
 	token, err := auth.NewToken()
@@ -124,7 +129,8 @@ func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 }
 
 func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
-	http.Redirect(w, r, "/login", http.StatusFound) // redirects to WebUI login page
+	w.Header().Set("X-Redirect-To", "/login")
+	w.WriteHeader(http.StatusForbidden)
 }
 
 func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {

internal/auth/utils.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"net"
 	"net/http"
 	"time"
 
@@ -16,7 +17,15 @@ var (
 )
 
 func IsFrontend(r *http.Request) bool {
-	return r.Host == common.APIHTTPAddr
+	return requestRemoteIP(r) == "127.0.0.1"
+}
+
+func requestRemoteIP(r *http.Request) string {
+	ip, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		return ""
+	}
+	return ip
 }
 
 func requestHost(r *http.Request) string {

internal/autocert/config.go

@@ -5,13 +5,16 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"net/http"
 	"os"
 	"regexp"
 
 	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/lego"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 
@@ -23,12 +26,25 @@ type Config struct {
 	ACMEKeyPath string         `json:"acme_key_path,omitempty"`
 	Provider    string         `json:"provider,omitempty"`
 	Options     map[string]any `json:"options,omitempty"`
+
+	// Custom ACME CA
+	CADirURL string   `json:"ca_dir_url,omitempty"`
+	CACerts  []string `json:"ca_certs,omitempty"`
+
+	// EAB
+	EABKid  string `json:"eab_kid,omitempty" validate:"required_with=EABHmac"`
+	EABHmac string `json:"eab_hmac,omitempty" validate:"required_with=EABKid"` // base64 encoded
+
+	HTTPClient *http.Client `json:"-"` // for tests only
+
+	challengeProvider challenge.Provider
 }
 
 var (
 	ErrMissingDomain   = gperr.New("missing field 'domains'")
 	ErrMissingEmail    = gperr.New("missing field 'email'")
 	ErrMissingProvider = gperr.New("missing field 'provider'")
+	ErrMissingCADirURL = gperr.New("missing field 'ca_dir_url'")
 	ErrInvalidDomain   = gperr.New("invalid domain")
 	ErrUnknownProvider = gperr.New("unknown provider")
 )
@@ -36,6 +52,7 @@ var (
 const (
 	ProviderLocal  = "local"
 	ProviderPseudo = "pseudo"
+	ProviderCustom = "custom"
 )
 
 var domainOrWildcardRE = regexp.MustCompile(`^\*?([^.]+\.)+[^.]+$`)
@@ -52,6 +69,10 @@ func (cfg *Config) Validate() gperr.Error {
 	}
 
 	b := gperr.NewBuilder("autocert errors")
+	if cfg.Provider == ProviderCustom && cfg.CADirURL == "" {
+		b.Add(ErrMissingCADirURL)
+	}
+
 	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
 		if len(cfg.Domains) == 0 {
 			b.Add(ErrMissingDomain)
@@ -59,24 +80,34 @@ func (cfg *Config) Validate() gperr.Error {
 		if cfg.Email == "" {
 			b.Add(ErrMissingEmail)
 		}
-		for i, d := range cfg.Domains {
-			if !domainOrWildcardRE.MatchString(d) {
-				b.Add(ErrInvalidDomain.Subjectf("domains[%d]", i))
+		if cfg.Provider != ProviderCustom {
+			for i, d := range cfg.Domains {
+				if !domainOrWildcardRE.MatchString(d) {
+					b.Add(ErrInvalidDomain.Subjectf("domains[%d]", i))
+				}
 			}
 		}
 		// check if provider is implemented
 		providerConstructor, ok := Providers[cfg.Provider]
 		if !ok {
-			b.Add(ErrUnknownProvider.
-				Subject(cfg.Provider).
-				With(gperr.DoYouMean(utils.NearestField(cfg.Provider, Providers))))
+			if cfg.Provider != ProviderCustom {
+				b.Add(ErrUnknownProvider.
+					Subject(cfg.Provider).
+					With(gperr.DoYouMean(utils.NearestField(cfg.Provider, Providers))))
+			}
 		} else {
-			_, err := providerConstructor(cfg.Options)
+			provider, err := providerConstructor(cfg.Options)
 			if err != nil {
 				b.Add(err)
+			} else {
+				cfg.challengeProvider = provider
 			}
 		}
 	}
+
+	if cfg.challengeProvider == nil {
+		cfg.challengeProvider, _ = Providers[ProviderLocal](nil)
+	}
 	return b.Error()
 }
 
@@ -100,8 +131,7 @@ func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 
 	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
 		if privKey, err = cfg.LoadACMEKey(); err != nil {
-			logging.Info().Err(err).Msg("load ACME private key failed")
-			logging.Info().Msg("generate new ACME private key")
+			log.Info().Err(err).Msg("failed to load ACME private key, generating a now one")
 			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			if err != nil {
 				return nil, nil, gperr.New("generate ACME private key").With(err)
@@ -118,12 +148,31 @@ func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 	}
 
 	legoCfg := lego.NewConfig(user)
-	legoCfg.Certificate.KeyType = certcrypto.RSA2048
+	legoCfg.Certificate.KeyType = certcrypto.EC256
+
+	if cfg.HTTPClient != nil {
+		legoCfg.HTTPClient = cfg.HTTPClient
+	}
+
+	if cfg.CADirURL != "" {
+		legoCfg.CADirURL = cfg.CADirURL
+	}
+
+	if len(cfg.CACerts) > 0 {
+		certPool, err := lego.CreateCertPool(cfg.CACerts, true)
+		if err != nil {
+			return nil, nil, gperr.New("failed to create cert pool").With(err)
+		}
+		legoCfg.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = certPool
+	}
 
 	return user, legoCfg, nil
 }
 
 func (cfg *Config) LoadACMEKey() (*ecdsa.PrivateKey, error) {
+	if common.IsTest {
+		return nil, os.ErrNotExist
+	}
 	data, err := os.ReadFile(cfg.ACMEKeyPath)
 	if err != nil {
 		return nil, err
@@ -132,6 +181,9 @@ func (cfg *Config) LoadACMEKey() (*ecdsa.PrivateKey, error) {
 }
 
 func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
+	if common.IsTest {
+		return nil
+	}
 	data, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		return err

internal/autocert/config_test.go

@@ -0,0 +1,31 @@
+package autocert
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/yusing/go-proxy/internal/serialization"
+)
+
+func TestEABConfigRequired(t *testing.T) {
+	tests := []struct {
+		name    string
+		cfg     *Config
+		wantErr bool
+	}{
+		{name: "Missing EABKid", cfg: &Config{EABHmac: "1234567890"}, wantErr: true},
+		{name: "Missing EABHmac", cfg: &Config{EABKid: "1234567890"}, wantErr: true},
+		{name: "Valid EAB", cfg: &Config{EABKid: "1234567890", EABHmac: "1234567890"}, wantErr: false},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			yaml := fmt.Appendf(nil, "eab_kid: %s\neab_hmac: %s", test.cfg.EABKid, test.cfg.EABHmac)
+			cfg := Config{}
+			err := serialization.UnmarshalValidateYAML(yaml, &cfg)
+			if (err != nil) != test.wantErr {
+				t.Errorf("Validate() error = %v, wantErr %v", err, test.wantErr)
+			}
+		})
+	}
+}

internal/autocert/paths.go

@@ -5,4 +5,5 @@ const (
 	CertFileDefault    = certBasePath + "cert.crt"
 	KeyFileDefault     = certBasePath + "priv.key"
 	ACMEKeyFileDefault = certBasePath + "acme.key"
+	LastFailureFile    = certBasePath + ".last_failure"
 )

internal/autocert/provider.go

@@ -5,18 +5,20 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"maps"
 	"os"
 	"path"
-	"reflect"
-	"sort"
+	"slices"
+	"strings"
 	"time"
 
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
 	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/notif"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
@@ -24,10 +26,11 @@ import (
 
 type (
 	Provider struct {
-		cfg     *Config
-		user    *User
-		legoCfg *lego.Config
-		client  *lego.Client
+		cfg         *Config
+		user        *User
+		legoCfg     *lego.Config
+		client      *lego.Client
+		lastFailure time.Time
 
 		legoCert     *certificate.Resource
 		tlsCert      *tls.Certificate
@@ -39,6 +42,13 @@ type (
 
 var ErrGetCertFailure = errors.New("get certificate failed")
 
+const (
+	// renew failed for whatever reason, 1 hour cooldown
+	renewalCooldownDuration = 1 * time.Hour
+	// prevents cert request docker compose across restarts with `restart: always` (non-zero exit code)
+	requestCooldownDuration = 15 * time.Second
+)
+
 func NewProvider(cfg *Config, user *User, legoCfg *lego.Config) *Provider {
 	return &Provider{
 		cfg:     cfg,
@@ -70,28 +80,74 @@ func (p *Provider) GetExpiries() CertExpiries {
 	return p.certExpiries
 }
 
+func (p *Provider) GetLastFailure() (time.Time, error) {
+	if common.IsTest {
+		return time.Time{}, nil
+	}
+
+	if p.lastFailure.IsZero() {
+		data, err := os.ReadFile(LastFailureFile)
+		if err != nil {
+			if !os.IsNotExist(err) {
+				return time.Time{}, err
+			}
+		} else {
+			p.lastFailure, _ = time.Parse(time.RFC3339, string(data))
+		}
+	}
+	return p.lastFailure, nil
+}
+
+func (p *Provider) UpdateLastFailure() error {
+	if common.IsTest {
+		return nil
+	}
+	t := time.Now()
+	p.lastFailure = t
+	return os.WriteFile(LastFailureFile, t.AppendFormat(nil, time.RFC3339), 0o600)
+}
+
+func (p *Provider) ClearLastFailure() error {
+	if common.IsTest {
+		return nil
+	}
+	p.lastFailure = time.Time{}
+	return os.Remove(LastFailureFile)
+}
+
 func (p *Provider) ObtainCert() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}
 
 	if p.cfg.Provider == ProviderPseudo {
-		t := time.NewTicker(1000 * time.Millisecond)
-		defer t.Stop()
-		logging.Info().Msg("init client for pseudo provider")
-		<-t.C
-		logging.Info().Msg("registering acme for pseudo provider")
-		<-t.C
-		logging.Info().Msg("obtained cert for pseudo provider")
+		log.Info().Msg("init client for pseudo provider")
+		<-time.After(time.Second)
+		log.Info().Msg("registering acme for pseudo provider")
+		<-time.After(time.Second)
+		log.Info().Msg("obtained cert for pseudo provider")
 		return nil
 	}
 
+	if lastFailure, err := p.GetLastFailure(); err != nil {
+		return err
+	} else if time.Since(lastFailure) < requestCooldownDuration {
+		return fmt.Errorf("%w: still in cooldown until %s", ErrGetCertFailure, strutils.FormatTime(lastFailure.Add(requestCooldownDuration).Local()))
+	}
+
 	if p.client == nil {
 		if err := p.initClient(); err != nil {
 			return err
 		}
 	}
 
+	// mark it as failed first, clear it later if successful
+	// in case the process crashed / failed to renew, we put it on a cooldown
+	// this prevents rate limiting by the ACME server
+	if err := p.UpdateLastFailure(); err != nil {
+		return fmt.Errorf("failed to update last failure: %w", err)
+	}
+
 	if p.user.Registration == nil {
 		if err := p.registerACME(); err != nil {
 			return err
@@ -107,7 +163,7 @@ func (p *Provider) ObtainCert() error {
 		})
 		if err != nil {
 			p.legoCert = nil
-			logging.Err(err).Msg("cert renew failed, fallback to obtain")
+			log.Err(err).Msg("cert renew failed, fallback to obtain")
 		} else {
 			p.legoCert = cert
 		}
@@ -139,6 +195,9 @@ func (p *Provider) ObtainCert() error {
 	p.tlsCert = &tlsCert
 	p.certExpiries = expiries
 
+	if err := p.ClearLastFailure(); err != nil {
+		return fmt.Errorf("failed to clear last failure: %w", err)
+	}
 	return nil
 }
 
@@ -154,7 +213,7 @@ func (p *Provider) LoadCert() error {
 	p.tlsCert = &cert
 	p.certExpiries = expiries
 
-	logging.Info().Msgf("next renewal in %v", strutils.FormatDuration(time.Until(p.ShouldRenewOn())))
+	log.Info().Msgf("next cert renewal in %s", strutils.FormatDuration(time.Until(p.ShouldRenewOn())))
 	return p.renewIfNeeded()
 }
 
@@ -172,12 +231,11 @@ func (p *Provider) ScheduleRenewal(parent task.Parent) {
 		return
 	}
 	go func() {
-		lastErrOn := time.Time{}
 		renewalTime := p.ShouldRenewOn()
 		timer := time.NewTimer(time.Until(renewalTime))
 		defer timer.Stop()
 
-		task := parent.Subtask("cert-renew-scheduler")
+		task := parent.Subtask("cert-renew-scheduler", true)
 		defer task.Finish(nil)
 
 		for {
@@ -186,12 +244,19 @@ func (p *Provider) ScheduleRenewal(parent task.Parent) {
 				return
 			case <-timer.C:
 				// Retry after 1 hour on failure
-				if !lastErrOn.IsZero() && time.Now().Before(lastErrOn.Add(time.Hour)) {
+				lastFailure, err := p.GetLastFailure()
+				if err != nil {
+					gperr.LogWarn("autocert: failed to get last failure", err)
+					continue
+				}
+				if !lastFailure.IsZero() && time.Since(lastFailure) < renewalCooldownDuration {
 					continue
 				}
 				if err := p.renewIfNeeded(); err != nil {
-					gperr.LogWarn("cert renew failed", err)
-					lastErrOn = time.Now()
+					gperr.LogWarn("autocert: cert renew failed", err)
+					if err := p.UpdateLastFailure(); err != nil {
+						gperr.LogWarn("autocert: failed to update last failure", err)
+					}
 					notif.Notify(&notif.LogMessage{
 						Level: zerolog.ErrorLevel,
 						Title: "SSL certificate renewal failed",
@@ -205,7 +270,9 @@ func (p *Provider) ScheduleRenewal(parent task.Parent) {
 					Body:  notif.ListBody(p.cfg.Domains),
 				})
 				// Reset on success
-				lastErrOn = time.Time{}
+				if err := p.ClearLastFailure(); err != nil {
+					gperr.LogWarn("autocert: failed to clear last failure", err)
+				}
 				renewalTime = p.ShouldRenewOn()
 				timer.Reset(time.Until(renewalTime))
 			}
@@ -219,13 +286,7 @@ func (p *Provider) initClient() error {
 		return err
 	}
 
-	generator := Providers[p.cfg.Provider]
-	legoProvider, pErr := generator(p.cfg.Options)
-	if pErr != nil {
-		return pErr
-	}
-
-	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
+	err = legoClient.Challenge.SetDNS01Provider(p.cfg.challengeProvider)
 	if err != nil {
 		return err
 	}
@@ -238,22 +299,35 @@ func (p *Provider) registerACME() error {
 	if p.user.Registration != nil {
 		return nil
 	}
-	if reg, err := p.client.Registration.ResolveAccountByKey(); err == nil {
+
+	reg, err := p.client.Registration.ResolveAccountByKey()
+	if err == nil {
 		p.user.Registration = reg
-		logging.Info().Msg("reused acme registration from private key")
+		log.Info().Msg("reused acme registration from private key")
 		return nil
 	}
 
-	reg, err := p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	if p.cfg.EABKid != "" && p.cfg.EABHmac != "" {
+		reg, err = p.client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  p.cfg.EABKid,
+			HmacEncoded:          p.cfg.EABHmac,
+		})
+	} else {
+		reg, err = p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	}
 	if err != nil {
 		return err
 	}
 	p.user.Registration = reg
-	logging.Info().Interface("reg", reg).Msg("acme registered")
+	log.Info().Interface("reg", reg).Msg("acme registered")
 	return nil
 }
 
 func (p *Provider) saveCert(cert *certificate.Resource) error {
+	if common.IsTest {
+		return nil
+	}
 	/* This should have been done in setup
 	but double check is always a good choice.*/
 	_, err := os.Stat(path.Dir(p.cfg.CertPath))
@@ -283,22 +357,19 @@ func (p *Provider) certState() CertState {
 		return CertStateExpired
 	}
 
-	certDomains := make([]string, len(p.certExpiries))
-	wantedDomains := make([]string, len(p.cfg.Domains))
-	i := 0
-	for domain := range p.certExpiries {
-		certDomains[i] = domain
-		i++
-	}
-	copy(wantedDomains, p.cfg.Domains)
-	sort.Strings(wantedDomains)
-	sort.Strings(certDomains)
-
-	if !reflect.DeepEqual(certDomains, wantedDomains) {
-		logging.Info().Msgf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
+	if len(p.certExpiries) != len(p.cfg.Domains) {
 		return CertStateMismatch
 	}
 
+	for i := range len(p.cfg.Domains) {
+		if _, ok := p.certExpiries[p.cfg.Domains[i]]; !ok {
+			log.Info().Msgf("autocert domains mismatch: cert: %s, wanted: %s",
+				strings.Join(slices.Collect(maps.Keys(p.certExpiries)), ", "),
+				strings.Join(p.cfg.Domains, ", "))
+			return CertStateMismatch
+		}
+	}
+
 	return CertStateValid
 }
 
@@ -309,9 +380,9 @@ func (p *Provider) renewIfNeeded() error {
 
 	switch p.certState() {
 	case CertStateExpired:
-		logging.Info().Msg("certs expired, renewing")
+		log.Info().Msg("certs expired, renewing")
 	case CertStateMismatch:
-		logging.Info().Msg("cert domains mismatch with config, renewing")
+		log.Info().Msg("cert domains mismatch with config, renewing")
 	default:
 		return nil
 	}

internal/autocert/provider_test/custom_test.go

@@ -0,0 +1,507 @@
+//nolint:errchkjson,errcheck
+package provider_test
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"io"
+	"math/big"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/go-proxy/internal/autocert"
+	"github.com/yusing/go-proxy/internal/dnsproviders"
+)
+
+func TestMain(m *testing.M) {
+	dnsproviders.InitProviders()
+	m.Run()
+}
+
+func TestCustomProvider(t *testing.T) {
+	t.Run("valid custom provider with step-ca", func(t *testing.T) {
+		cfg := &autocert.Config{
+			Email:       "test@example.com",
+			Domains:     []string{"example.com", "*.example.com"},
+			Provider:    autocert.ProviderCustom,
+			CADirURL:    "https://ca.example.com:9000/acme/acme/directory",
+			CertPath:    "certs/custom.crt",
+			KeyPath:     "certs/custom.key",
+			ACMEKeyPath: "certs/custom-acme.key",
+		}
+
+		err := cfg.Validate()
+		require.NoError(t, err)
+
+		user, legoCfg, err := cfg.GetLegoConfig()
+		require.NoError(t, err)
+		require.NotNil(t, user)
+		require.NotNil(t, legoCfg)
+		require.Equal(t, "https://ca.example.com:9000/acme/acme/directory", legoCfg.CADirURL)
+		require.Equal(t, "test@example.com", user.Email)
+	})
+
+	t.Run("custom provider missing CADirURL", func(t *testing.T) {
+		cfg := &autocert.Config{
+			Email:    "test@example.com",
+			Domains:  []string{"example.com"},
+			Provider: autocert.ProviderCustom,
+			// CADirURL is missing
+		}
+
+		err := cfg.Validate()
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "missing field 'ca_dir_url'")
+	})
+
+	t.Run("custom provider with step-ca internal CA", func(t *testing.T) {
+		cfg := &autocert.Config{
+			Email:       "admin@internal.com",
+			Domains:     []string{"internal.example.com", "api.internal.example.com"},
+			Provider:    autocert.ProviderCustom,
+			CADirURL:    "https://step-ca.internal:443/acme/acme/directory",
+			CertPath:    "certs/internal.crt",
+			KeyPath:     "certs/internal.key",
+			ACMEKeyPath: "certs/internal-acme.key",
+		}
+
+		err := cfg.Validate()
+		require.NoError(t, err)
+
+		user, legoCfg, err := cfg.GetLegoConfig()
+		require.NoError(t, err)
+		require.NotNil(t, user)
+		require.NotNil(t, legoCfg)
+		require.Equal(t, "https://step-ca.internal:443/acme/acme/directory", legoCfg.CADirURL)
+		require.Equal(t, "admin@internal.com", user.Email)
+
+		provider := autocert.NewProvider(cfg, user, legoCfg)
+		require.NotNil(t, provider)
+		require.Equal(t, autocert.ProviderCustom, provider.GetName())
+		require.Equal(t, "certs/internal.crt", provider.GetCertPath())
+		require.Equal(t, "certs/internal.key", provider.GetKeyPath())
+	})
+}
+
+func TestObtainCertFromCustomProvider(t *testing.T) {
+	// Create a test ACME server
+	acmeServer := newTestACMEServer(t)
+	defer acmeServer.Close()
+
+	t.Run("obtain cert from custom step-ca server", func(t *testing.T) {
+		cfg := &autocert.Config{
+			Email:       "test@example.com",
+			Domains:     []string{"test.example.com"},
+			Provider:    autocert.ProviderCustom,
+			CADirURL:    acmeServer.URL() + "/acme/acme/directory",
+			CertPath:    "certs/stepca-test.crt",
+			KeyPath:     "certs/stepca-test.key",
+			ACMEKeyPath: "certs/stepca-test-acme.key",
+			HTTPClient:  acmeServer.httpClient(),
+		}
+
+		err := error(cfg.Validate())
+		require.NoError(t, err)
+
+		user, legoCfg, err := cfg.GetLegoConfig()
+		require.NoError(t, err)
+		require.NotNil(t, user)
+		require.NotNil(t, legoCfg)
+
+		provider := autocert.NewProvider(cfg, user, legoCfg)
+		require.NotNil(t, provider)
+
+		// Test obtaining certificate
+		err = provider.ObtainCert()
+		require.NoError(t, err)
+
+		// Verify certificate was obtained
+		cert, err := provider.GetCert(nil)
+		require.NoError(t, err)
+		require.NotNil(t, cert)
+
+		// Verify certificate properties
+		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+		require.NoError(t, err)
+		require.Contains(t, x509Cert.DNSNames, "test.example.com")
+		require.True(t, time.Now().Before(x509Cert.NotAfter))
+		require.True(t, time.Now().After(x509Cert.NotBefore))
+	})
+
+	t.Run("obtain cert with EAB from custom step-ca server", func(t *testing.T) {
+		cfg := &autocert.Config{
+			Email:       "test@example.com",
+			Domains:     []string{"test.example.com"},
+			Provider:    autocert.ProviderCustom,
+			CADirURL:    acmeServer.URL() + "/acme/acme/directory",
+			CertPath:    "certs/stepca-eab-test.crt",
+			KeyPath:     "certs/stepca-eab-test.key",
+			ACMEKeyPath: "certs/stepca-eab-test-acme.key",
+			HTTPClient:  acmeServer.httpClient(),
+			EABKid:      "kid-123",
+			EABHmac:     base64.RawURLEncoding.EncodeToString([]byte("secret")),
+		}
+
+		err := error(cfg.Validate())
+		require.NoError(t, err)
+
+		user, legoCfg, err := cfg.GetLegoConfig()
+		require.NoError(t, err)
+		require.NotNil(t, user)
+		require.NotNil(t, legoCfg)
+
+		provider := autocert.NewProvider(cfg, user, legoCfg)
+		require.NotNil(t, provider)
+
+		err = provider.ObtainCert()
+		require.NoError(t, err)
+
+		cert, err := provider.GetCert(nil)
+		require.NoError(t, err)
+		require.NotNil(t, cert)
+
+		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+		require.NoError(t, err)
+		require.Contains(t, x509Cert.DNSNames, "test.example.com")
+		require.True(t, time.Now().Before(x509Cert.NotAfter))
+		require.True(t, time.Now().After(x509Cert.NotBefore))
+	})
+}
+
+// testACMEServer implements a minimal ACME server for testing.
+type testACMEServer struct {
+	server     *httptest.Server
+	caCert     *x509.Certificate
+	caKey      *rsa.PrivateKey
+	clientCSRs map[string]*x509.CertificateRequest
+	orderID    string
+}
+
+func newTestACMEServer(t *testing.T) *testACMEServer {
+	t.Helper()
+
+	// Generate CA certificate and key
+	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization:  []string{"Test CA"},
+			Country:       []string{"US"},
+			Province:      []string{""},
+			Locality:      []string{"Test"},
+			StreetAddress: []string{""},
+			PostalCode:    []string{""},
+		},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
+		IsCA:                  true,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caCertDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	require.NoError(t, err)
+
+	caCert, err := x509.ParseCertificate(caCertDER)
+	require.NoError(t, err)
+
+	acme := &testACMEServer{
+		caCert:     caCert,
+		caKey:      caKey,
+		clientCSRs: make(map[string]*x509.CertificateRequest),
+		orderID:    "test-order-123",
+	}
+
+	mux := http.NewServeMux()
+	acme.setupRoutes(mux)
+
+	acme.server = httptest.NewUnstartedServer(mux)
+	acme.server.TLS = &tls.Config{
+		Certificates: []tls.Certificate{
+			{
+				Certificate: [][]byte{caCert.Raw},
+				PrivateKey:  caKey,
+			},
+		},
+		MinVersion: tls.VersionTLS12,
+	}
+	acme.server.StartTLS()
+	return acme
+}
+
+func (s *testACMEServer) Close() {
+	s.server.Close()
+}
+
+func (s *testACMEServer) URL() string {
+	return s.server.URL
+}
+
+func (s *testACMEServer) httpClient() *http.Client {
+	certPool := x509.NewCertPool()
+	certPool.AddCert(s.caCert)
+
+	return &http.Client{
+		Transport: &http.Transport{
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			TLSHandshakeTimeout:   30 * time.Second,
+			ResponseHeaderTimeout: 30 * time.Second,
+			TLSClientConfig: &tls.Config{
+				RootCAs:    certPool,
+				MinVersion: tls.VersionTLS12,
+			},
+		},
+	}
+}
+
+func (s *testACMEServer) setupRoutes(mux *http.ServeMux) {
+	// ACME directory endpoint
+	mux.HandleFunc("/acme/acme/directory", s.handleDirectory)
+
+	// ACME endpoints
+	mux.HandleFunc("/acme/new-nonce", s.handleNewNonce)
+	mux.HandleFunc("/acme/new-account", s.handleNewAccount)
+	mux.HandleFunc("/acme/new-order", s.handleNewOrder)
+	mux.HandleFunc("/acme/authz/", s.handleAuthorization)
+	mux.HandleFunc("/acme/chall/", s.handleChallenge)
+	mux.HandleFunc("/acme/order/", s.handleOrder)
+	mux.HandleFunc("/acme/cert/", s.handleCertificate)
+}
+
+func (s *testACMEServer) handleDirectory(w http.ResponseWriter, r *http.Request) {
+	directory := map[string]interface{}{
+		"newNonce":   s.server.URL + "/acme/new-nonce",
+		"newAccount": s.server.URL + "/acme/new-account",
+		"newOrder":   s.server.URL + "/acme/new-order",
+		"keyChange":  s.server.URL + "/acme/key-change",
+		"meta": map[string]interface{}{
+			"termsOfService": s.server.URL + "/terms",
+		},
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(directory)
+}
+
+func (s *testACMEServer) handleNewNonce(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Replay-Nonce", "test-nonce-12345")
+	w.WriteHeader(http.StatusOK)
+}
+
+func (s *testACMEServer) handleNewAccount(w http.ResponseWriter, r *http.Request) {
+	account := map[string]interface{}{
+		"status":  "valid",
+		"contact": []string{"mailto:test@example.com"},
+		"orders":  s.server.URL + "/acme/orders",
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Location", s.server.URL+"/acme/account/1")
+	w.Header().Set("Replay-Nonce", "test-nonce-67890")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(account)
+}
+
+func (s *testACMEServer) handleNewOrder(w http.ResponseWriter, r *http.Request) {
+	authzID := "test-authz-456"
+
+	order := map[string]interface{}{
+		"status":         "ready", // Skip pending state for simplicity
+		"expires":        time.Now().Add(24 * time.Hour).Format(time.RFC3339),
+		"identifiers":    []map[string]string{{"type": "dns", "value": "test.example.com"}},
+		"authorizations": []string{s.server.URL + "/acme/authz/" + authzID},
+		"finalize":       s.server.URL + "/acme/order/" + s.orderID + "/finalize",
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Location", s.server.URL+"/acme/order/"+s.orderID)
+	w.Header().Set("Replay-Nonce", "test-nonce-order")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(order)
+}
+
+func (s *testACMEServer) handleAuthorization(w http.ResponseWriter, r *http.Request) {
+	authz := map[string]interface{}{
+		"status":     "valid", // Skip challenge validation for simplicity
+		"expires":    time.Now().Add(24 * time.Hour).Format(time.RFC3339),
+		"identifier": map[string]string{"type": "dns", "value": "test.example.com"},
+		"challenges": []map[string]interface{}{
+			{
+				"type":   "dns-01",
+				"status": "valid",
+				"url":    s.server.URL + "/acme/chall/test-chall-789",
+				"token":  "test-token-abc123",
+			},
+		},
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Replay-Nonce", "test-nonce-authz")
+	json.NewEncoder(w).Encode(authz)
+}
+
+func (s *testACMEServer) handleChallenge(w http.ResponseWriter, r *http.Request) {
+	challenge := map[string]interface{}{
+		"type":   "dns-01",
+		"status": "valid",
+		"url":    r.URL.String(),
+		"token":  "test-token-abc123",
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Replay-Nonce", "test-nonce-chall")
+	json.NewEncoder(w).Encode(challenge)
+}
+
+func (s *testACMEServer) handleOrder(w http.ResponseWriter, r *http.Request) {
+	if strings.HasSuffix(r.URL.Path, "/finalize") {
+		s.handleFinalize(w, r)
+		return
+	}
+
+	certURL := s.server.URL + "/acme/cert/" + s.orderID
+	order := map[string]interface{}{
+		"status":      "valid",
+		"expires":     time.Now().Add(24 * time.Hour).Format(time.RFC3339),
+		"identifiers": []map[string]string{{"type": "dns", "value": "test.example.com"}},
+		"certificate": certURL,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Replay-Nonce", "test-nonce-order-get")
+	json.NewEncoder(w).Encode(order)
+}
+
+func (s *testACMEServer) handleFinalize(w http.ResponseWriter, r *http.Request) {
+	// Read the JWS payload
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		http.Error(w, "Failed to read request", http.StatusBadRequest)
+		return
+	}
+
+	// Extract CSR from JWS payload
+	csr, err := s.extractCSRFromJWS(body)
+	if err != nil {
+		http.Error(w, "Invalid CSR: "+err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// Store the CSR for certificate generation
+	s.clientCSRs[s.orderID] = csr
+
+	certURL := s.server.URL + "/acme/cert/" + s.orderID
+	order := map[string]interface{}{
+		"status":      "valid",
+		"expires":     time.Now().Add(24 * time.Hour).Format(time.RFC3339),
+		"identifiers": []map[string]string{{"type": "dns", "value": "test.example.com"}},
+		"certificate": certURL,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Location", strings.TrimSuffix(r.URL.String(), "/finalize"))
+	w.Header().Set("Replay-Nonce", "test-nonce-finalize")
+	json.NewEncoder(w).Encode(order)
+}
+
+func (s *testACMEServer) extractCSRFromJWS(jwsData []byte) (*x509.CertificateRequest, error) {
+	// Parse the JWS structure
+	var jws struct {
+		Protected string `json:"protected"`
+		Payload   string `json:"payload"`
+		Signature string `json:"signature"`
+	}
+
+	if err := json.Unmarshal(jwsData, &jws); err != nil {
+		return nil, err
+	}
+
+	// Decode the payload
+	payloadBytes, err := base64.RawURLEncoding.DecodeString(jws.Payload)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse the finalize request
+	var finalizeReq struct {
+		CSR string `json:"csr"`
+	}
+
+	if err := json.Unmarshal(payloadBytes, &finalizeReq); err != nil {
+		return nil, err
+	}
+
+	// Decode the CSR
+	csrBytes, err := base64.RawURLEncoding.DecodeString(finalizeReq.CSR)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse the CSR
+	csr, err := x509.ParseCertificateRequest(csrBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return csr, nil
+}
+
+func (s *testACMEServer) handleCertificate(w http.ResponseWriter, r *http.Request) {
+	// Extract order ID from URL
+	orderID := strings.TrimPrefix(r.URL.Path, "/acme/cert/")
+
+	// Get the CSR for this order
+	csr, exists := s.clientCSRs[orderID]
+	if !exists {
+		http.Error(w, "No CSR found for order", http.StatusBadRequest)
+		return
+	}
+
+	// Create certificate using the public key from the client's CSR
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			Organization: []string{"Test Cert"},
+			Country:      []string{"US"},
+		},
+		DNSNames:              csr.DNSNames,
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	// Use the public key from the CSR and sign with CA key
+	certDER, err := x509.CreateCertificate(rand.Reader, template, s.caCert, csr.PublicKey, s.caKey)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Return certificate chain
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.caCert.Raw})
+
+	w.Header().Set("Content-Type", "application/pem-certificate-chain")
+	w.Header().Set("Replay-Nonce", "test-nonce-cert")
+	w.Write(append(certPEM, caPEM...))
+}

internal/autocert/provider_test/ovh_test.go

@@ -6,7 +6,7 @@ import (
 	"github.com/go-acme/lego/v4/providers/dns/ovh"
 	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/serialization"
 )
 
 // type Config struct {
@@ -45,6 +45,6 @@ oauth2_config:
 	testYaml = testYaml[1:] // remove first \n
 	opt := make(map[string]any)
 	require.NoError(t, yaml.Unmarshal([]byte(testYaml), &opt))
-	require.NoError(t, utils.MapUnmarshalValidate(opt, cfg))
+	require.NoError(t, serialization.MapUnmarshalValidate(opt, cfg))
 	require.Equal(t, cfgExpected, cfg)
 }