dependencies upgrade

2026-02-08 03:29:31 +01:00 · 2024-05-29 16:46:07 +00:00
538 changed files with 6803 additions and 62990 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,78 +0,0 @@
-# docker image tag (latest, nightly)
-TAG=latest
-
-# set timezone to get correct log timestamp
-TZ=ETC/UTC
-
-# container uid and gid (must match the owner of mounted directories)
-GODOXY_UID=1000
-GODOXY_GID=1000
-
-# Set GODOXY_API_JWT_SECURE=false to allow http
-GODOXY_API_JWT_SECURE=true
-# API JWT Configuration (common)
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-# the JWT token time-to-live
-# leave empty to use default (24 hours)
-# format: https://pkg.go.dev/time#Duration
-GODOXY_API_JWT_TOKEN_TTL=
-
-# API/WebUI user password login credentials (optional)
-# These fields are not required for OIDC authentication
-GODOXY_API_USER=admin
-GODOXY_API_PASSWORD=password
-
-# OIDC Configuration (optional)
-# Uncomment and configure these values to enable OIDC authentication.
-#
-# GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
-# GODOXY_OIDC_CLIENT_ID=your-client-id
-# GODOXY_OIDC_CLIENT_SECRET=your-client-secret
-# GODOXY_OIDC_SCOPES=openid, profile, email, groups # you may also include `offline_access` if your Idp supports it (e.g. Authentik, Pocket ID)
-#
-# User definitions: Uncomment and configure these values to restrict access to specific users or groups.
-# These two fields act as a logical AND operator. For example, given the following membership:
-#   user1, group1
-#   user2, group1
-#   user3, group2
-#   user1, group2
-# You can allow access to user3 AND all users of group1 by providing:
-#   # GODOXY_OIDC_ALLOWED_USERS=user3
-#   # GODOXY_OIDC_ALLOWED_GROUPS=group1
-#
-# Comma-separated list of allowed users.
-# GODOXY_OIDC_ALLOWED_USERS=user1,user2
-# Optional: Comma-separated list of allowed groups.
-# GODOXY_OIDC_ALLOWED_GROUPS=group1,group2
-
-# Proxy listening address
-GODOXY_HTTP_ADDR=:80
-GODOXY_HTTPS_ADDR=:443
-
-# Enable HTTP3
-GODOXY_HTTP3_ENABLED=true
-
-# API listening address
-GODOXY_API_ADDR=127.0.0.1:8888
-
-# Metrics
-GODOXY_METRICS_DISABLE_CPU=false
-GODOXY_METRICS_DISABLE_MEMORY=false
-GODOXY_METRICS_DISABLE_DISK=false
-GODOXY_METRICS_DISABLE_NETWORK=false
-GODOXY_METRICS_DISABLE_SENSORS=false
-
-# Frontend listening port
-GODOXY_FRONTEND_PORT=3000
-
-# Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
-GODOXY_FRONTEND_ALIASES=godoxy
-
-# Docker socket
-# /var/run/podman/podman.sock for podman
-DOCKER_SOCKET=/var/run/docker.sock
-SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375
-
-# Debug mode
-GODOXY_DEBUG=false
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,15 +0,0 @@
-# These are supported funding model platforms
-
-github: yusing # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
-polar: # Replace with a single Polar username
-buy_me_a_coffee: yusingwysq # Replace with a single Buy Me a Coffee username
-thanks_dev: # Replace with a single thanks.dev username
-custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/workflows/agent-binary.yml
+++ b/.github/workflows/agent-binary.yml
@@ -1,48 +0,0 @@
-name: GoDoxy agent binary
-
-on:
-  push:
-    tags:
-      - v*
-    paths:
-      - "agent/**"
-
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - runner: ubuntu-latest
-            platform: linux/amd64
-            binary_name: godoxy-agent-linux-amd64
-          - runner: ubuntu-24.04-arm
-            platform: linux/arm64
-            binary_name: godoxy-agent-linux-arm64
-    name: Build ${{ matrix.platform }}
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: write
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-      - name: Verify dependencies
-        run: go mod verify
-      - name: Build
-        run: |
-          make agent=1 NAME=${{ matrix.binary_name }} build
-      - name: Check binary
-        run: |
-          file bin/${{ matrix.binary_name }}
-      - name: Upload
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.binary_name }}
-          path: bin/${{ matrix.binary_name }}
-      - name: Upload to release
-        uses: softprops/action-gh-release@v2
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          files: bin/${{ matrix.binary_name }}
--- a/.github/workflows/docker-image-nightly.yml
+++ b/.github/workflows/docker-image-nightly.yml
@@ -1,24 +0,0 @@
-name: Docker Image CI (nightly)
-
-on:
-  push:
-    branches:
-      - "*" # matches every branch that doesn't contain a '/'
-      - "*/*" # matches every branch containing a single '/'
-      - "**" # matches every branch
-      - "!dependabot/*"
-      - "!main" # excludes main
-
-jobs:
-  build-nightly:
-    uses: ./.github/workflows/docker-image.yml
-    with:
-      image_name: ${{ github.repository_owner }}/godoxy
-      tag: nightly
-      target: main
-  build-nightly-agent:
-    uses: ./.github/workflows/docker-image.yml
-    with:
-      image_name: ${{ github.repository_owner }}/godoxy-agent
-      tag: nightly
-      target: agent
--- a/.github/workflows/docker-image-prod.yml
+++ b/.github/workflows/docker-image-prod.yml
@@ -1,21 +0,0 @@
-name: Docker Image CI
-
-on:
-  push:
-    tags:
-      - v*
-
-jobs:
-  build-prod:
-    uses: ./.github/workflows/docker-image.yml
-    with:
-      image_name: ${{ github.repository_owner }}/godoxy
-      old_image_name: ${{ github.repository_owner }}/go-proxy
-      tag: latest
-      target: main
-  build-prod-agent:
-    uses: ./.github/workflows/docker-image.yml
-    with:
-      image_name: ${{ github.repository_owner }}/godoxy-agent
-      tag: latest
-      target: agent
--- a/.github/workflows/docker-image-socket-proxy.yml
+++ b/.github/workflows/docker-image-socket-proxy.yml
@@ -1,23 +0,0 @@
-name: Docker Image CI (socket-proxy)
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "socket-proxy/**"
-    tags-ignore:
-      - '**'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    uses: ./.github/workflows/docker-image.yml
-    with:
-      image_name: ${{ github.repository_owner }}/socket-proxy
-      tag: latest
-      target: socket-proxy
-      dockerfile: socket-proxy.Dockerfile
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,172 +1,14 @@
 name: Docker Image CI

 on:
-  workflow_call:
-    inputs:
-      tag:
-        required: true
-        type: string
-      image_name:
-        required: true
-        type: string
-      old_image_name:
-        required: false
-        type: string
-      target:
-        required: true
-        type: string
-      dockerfile:
-        required: false
-        type: string
-        default: Dockerfile
-
-env:
-  REGISTRY: ghcr.io
-  MAKE_ARGS: ${{ inputs.target }}=1
-  DIGEST_PATH: /tmp/digests/${{ inputs.target }}
-  DIGEST_NAME_SUFFIX: ${{ inputs.target }}
-  DOCKERFILE: ${{ inputs.dockerfile }}
-
+  push:
+    tags:
+      - "*"
 jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-latest
-            platform: linux/amd64
-          - runner: ubuntu-24.04-arm
-            platform: linux/arm64
-
-    name: Build ${{ matrix.platform }}
-    runs-on: ${{ matrix.runner }}
-
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-
-    steps:
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
-          tags: |
-            type=raw,value=${{ inputs.tag }},event=branch
-            type=ref,event=tag
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          platforms: ${{ matrix.platform }}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.meta.outputs.labels }}
-          file: ${{ env.DOCKERFILE }}
-          outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
-          cache-from: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}
-          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
-          cache-to: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max
-          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
-          build-args: |
-            VERSION=${{ github.ref_name }}
-            MAKE_ARGS=${{ env.MAKE_ARGS }}
-
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v1
-        with:
-          subject-name: ${{ env.REGISTRY }}/${{ inputs.image_name }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
-
-      - name: Export digest
-        run: |
-          mkdir -p ${{ env.DIGEST_PATH }}
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ env.DIGEST_PATH }}/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-${{ env.PLATFORM_PAIR }}-${{ env.DIGEST_NAME_SUFFIX }}
-          path: ${{ env.DIGEST_PATH }}/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge:
-    needs: build
+  build_and_push:
    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-
    steps:
-      - name: Download digests
-        uses: actions/download-artifact@v4
+      - name: Build and Push Container to ghcr.io
+        uses: GlueOps/github-actions-build-push-containers@v0.3.7
        with:
-          path: ${{ env.DIGEST_PATH }}
-          pattern: digests-*-${{ env.DIGEST_NAME_SUFFIX }}
-          merge-multiple: true
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
-          tags: |
-            type=raw,value=${{ inputs.tag }},event=branch
-            type=ref,event=tag
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create manifest list and push
-        id: push
-        working-directory: ${{ env.DIGEST_PATH }}
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY }}/${{ inputs.image_name }}@sha256:%s ' *)
-
-      - name: Old image name
-        if: inputs.old_image_name != ''
-        run: |
-          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}\
-            ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
-
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
-
-      - name: Inspect image (old)
-        if: inputs.old_image_name != ''
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}
+          tags: latest,${{ github.ref_name }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -0,0 +1,30 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.22.1"
+
+      - name: Build
+        run: make build
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: bin/go-proxy
+    #- name: Test
+    #  run: go test -v ./...
--- a/.gitignore
+++ b/.gitignore
@@ -1,41 +1,10 @@
 compose.yml
-*.compose.yml

-config
-certs
-config*/
-!schemas/**
-certs*/
+config/
+certs/
 bin/
-error_pages/
-!examples/error_pages/
-profiles/
-data/
-debug/
+templates/codemirror/

 logs/
 log/
-
-.vscode/settings.json
-
-go.work.sum
-
-!cmd/**/
-!internal/**/
-
-todo.md
-
-.*.swp
-.aider*
-mtrace.json
-.env
-.cursorrules
-.cursor/
-.windsurfrules
-test.Dockerfile
-
-node_modules/
-tsconfig.tsbuildinfo
-
-!agent.compose.yml
-!agent/pkg/**
+.vscode/settings.json
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,5 +11,5 @@ build-image:
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
  script:
    - echo building $CI_REGISTRY_IMAGE
-    - docker build --no-cache --build-arg VERSION=$CI_COMMIT_REF_NAME -t $CI_REGISTRY_IMAGE .
-    - docker push $CI_REGISTRY_IMAGE
+    - docker build --pull -t $CI_REGISTRY_IMAGE .
+    - docker push $CI_REGISTRY_IMAGE
--- a/.gitmodules
+++ b/.gitmodules
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,153 +0,0 @@
-version: "2"
-linters:
-  default: all
-  disable:
-    # - bodyclose
-    - containedctx
-    # - contextcheck
-    - cyclop
-    - depguard
-    # - dupl
-    - err113
-    - exhaustive
-    - exhaustruct
-    - funcorder
-    - forcetypeassert
-    - gochecknoglobals
-    - gochecknoinits
-    - gocognit
-    - goconst
-    - gocyclo
-    - godot
-    - gomoddirectives
-    - gosmopolitan
-    - ireturn
-    - lll
-    - maintidx
-    - makezero
-    - mnd
-    - nakedret
-    - nestif
-    - nlreturn
-    - nonamedreturns
-    - noinlineerr
-    - paralleltest
-    - revive
-    - rowserrcheck
-    - sqlclosecheck
-    - tagalign
-    - tagliatelle
-    - testpackage
-    - tparallel
-    - varnamelen
-    - wrapcheck
-    - wsl
-    - wsl_v5
-  settings:
-    errcheck:
-      exclude-functions:
-        - fmt.Fprintln
-    forbidigo:
-      forbid:
-        - pattern: ^print(ln)?$
-    funlen:
-      lines: -1
-      statements: 120
-    gocyclo:
-      min-complexity: 14
-    godox:
-      keywords:
-        - FIXME
-    gomoddirectives:
-      replace-allow-list:
-        - github.com/abbot/go-http-auth
-        - github.com/gorilla/mux
-        - github.com/mailgun/minheap
-        - github.com/mailgun/multibuf
-        - github.com/jaguilar/vt100
-        - github.com/cucumber/godog
-        - github.com/http-wasm/http-wasm-host-go
-    govet:
-      disable:
-        - shadow
-        - fieldalignment
-      enable-all: true
-    misspell:
-      locale: US
-    revive:
-      rules:
-        - name: struct-tag
-        - name: blank-imports
-        - name: context-as-argument
-        - name: context-keys-type
-        - name: error-return
-        - name: error-strings
-        - name: error-naming
-        - name: exported
-          disabled: true
-        - name: if-return
-        - name: increment-decrement
-        - name: var-naming
-        - name: var-declaration
-        - name: package-comments
-          disabled: true
-        - name: range
-        - name: receiver-naming
-        - name: time-naming
-        - name: unexported-return
-        - name: indent-error-flow
-        - name: errorf
-        - name: empty-block
-        - name: superfluous-else
-        - name: unused-parameter
-          disabled: true
-        - name: unreachable-code
-        - name: redefines-builtin-id
-    staticcheck:
-      checks:
-        - all
-        - -SA1019
-      dot-import-whitelist:
-        - github.com/yusing/go-proxy/internal/utils/testing
-        - github.com/yusing/go-proxy/internal/api/v1/utils
-    tagalign:
-      align: false
-      sort: true
-      order:
-        - description
-        - json
-        - toml
-        - yaml
-        - yml
-        - label
-        - label-slice-as-struct
-        - file
-        - kv
-        - export
-    testifylint:
-      disable:
-        - suite-dont-use-pkg
-        - require-error
-        - go-require
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
-formatters:
-  enable:
-    - gofmt
-    - gofumpt
-    - goimports
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
--- a/.trunk/.gitignore
+++ b/.trunk/.gitignore
@@ -1,9 +0,0 @@
-*out
-*logs
-*actions
-*notifications
-*tools
-plugins
-user_trunk.yaml
-user.yaml
-tmp
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -1,42 +0,0 @@
-# This file controls the behavior of Trunk: https://docs.trunk.io/cli
-# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
-version: 0.1
-cli:
-  version: 1.25.0
-# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
-plugins:
-  sources:
-    - id: trunk
-      ref: v1.7.2
-      uri: https://github.com/trunk-io/plugins
-# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
-runtimes:
-  enabled:
-    - node@22.16.0
-    - python@3.10.8
-    - go@1.24.3
-# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
-lint:
-  disabled:
-    - markdownlint
-    - yamllint
-  enabled:
-    - checkov@3.2.467
-    - golangci-lint2@2.4.0
-    - hadolint@2.12.1-beta
-    - actionlint@1.7.7
-    - git-diff-check
-    - gofmt@1.20.4
-    - osv-scanner@2.2.2
-    - oxipng@9.1.5
-    - prettier@3.6.2
-    - shellcheck@0.11.0
-    - shfmt@3.6.0
-    - trufflehog@3.90.5
-actions:
-  disabled:
-    - trunk-announce
-    - trunk-check-pre-push
-    - trunk-fmt-pre-commit
-  enabled:
-    - trunk-upgrade-available
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -1,11 +1,12 @@
 {
-  "yaml.schemas": {
-    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/config.schema.json": [
-      "config.example.yml",
-      "config.yml"
-    ],
-    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/routes.schema.json": [
-      "providers.example.yml"
-    ]
-  }
+    "yaml.schemas": {
+        "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+            "config.example.yml",
+            "config.yml"
+        ],
+        "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+            "providers.example.yml",
+            "*.providers.yml"
+        ]
+    }
 }
--- a/81
+++ b/81
@@ -1,64 +1,39 @@
-# Stage 1: deps
-FROM golang:1.25.0-alpine AS deps
-HEALTHCHECK NONE
+FROM alpine:latest AS codemirror
+RUN apk add --no-cache unzip wget make
+COPY Makefile .
+RUN make setup-codemirror

-# package version does not matter
-# trunk-ignore(hadolint/DL3018)
-RUN apk add --no-cache tzdata make libcap-setcap
-
-ENV GOPATH=/root/go
-
-WORKDIR /src
-
-COPY go.mod go.sum ./
-
-# remove godoxy stuff from go.mod first
-RUN sed -i '/^module github\.com\/yusing\/go-proxy/!{/github\.com\/yusing\/go-proxy/d}' go.mod && \
-  go mod download -x
-
-# Stage 2: builder
-FROM deps AS builder
-
-WORKDIR /src
-
-COPY go.mod go.sum ./
-COPY Makefile ./
-COPY cmd ./cmd
-COPY internal ./internal
-COPY pkg ./pkg
-COPY agent ./agent
-COPY socket-proxy ./socket-proxy
-
-ARG VERSION
-ENV VERSION=${VERSION}
-
-ARG MAKE_ARGS
-ENV MAKE_ARGS=${MAKE_ARGS}
+FROM golang:1.22.2-alpine as builder
+COPY src/ /src
+COPY go.mod go.sum /src/go-proxy
+WORKDIR /src/go-proxy
+RUN --mount=type=cache,target="/go/pkg/mod" \
+    go mod download

 ENV GOCACHE=/root/.cache/go-build
-ENV GOPATH=/root/go
+RUN --mount=type=cache,target="/go/pkg/mod" \
+    --mount=type=cache,target="/root/.cache/go-build" \
+    CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o go-proxy

-RUN --mount=type=cache,target=/root/.cache/go-build \
-  --mount=type=cache,target=/root/go/pkg/mod \
-  make ${MAKE_ARGS} docker=1 build
-
-# Stage 3: Final image
-FROM scratch
+FROM alpine:latest

 LABEL maintainer="yusing@6uo.me"
-LABEL proxy.exclude=1

-# copy timezone data
-COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
+RUN apk add --no-cache tzdata
+RUN mkdir -p /app/templates
+COPY --from=codemirror templates/codemirror/ /app/templates/codemirror
+COPY templates/ /app/templates
+COPY schema/ /app/schema
+COPY --from=builder /src/go-proxy /app/

-# copy binary
-COPY --from=builder /app/run /app/run
+RUN chmod +x /app/go-proxy
+ENV DOCKER_HOST unix:///var/run/docker.sock
+ENV GOPROXY_DEBUG 0

-# copy certs
-COPY --from=builder /etc/ssl/certs /etc/ssl/certs
-
-ENV DOCKER_HOST=unix:///var/run/docker.sock
+EXPOSE 80
+EXPOSE 8080
+EXPOSE 443
+EXPOSE 8443

 WORKDIR /app
-
-CMD ["/app/run"]
+CMD ["/app/go-proxy"]
--- a/26
+++ b/26
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2024 - present Yusing
+Copyright (c) 2024 [fullname]

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -19,27 +19,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-
---
-
-internal/net/gphttp/reverseproxy/reverse_proxy_mod.go is copied from et/http/httputil/reverseproxy.go with modifications to adapt to this project.
-
-Copyright 2011 The Go Authors. All rights reserved.
-Use of this source code is governed by a BSD-style
-license that can be found in the LICENSE file.
-
---
-
-internal/utils/io.go has a modified version of io.Copy with context and HTTP flusher handling.
-
-Copyright 2009 The Go Authors. All rights reserved.
-Use of this source code is governed by a BSD-style
-license that can be found in the LICENSE file.
-
---
-
-internal/utils/strutils/split_join.go is copied from strings.Split and strings.Join with modifications to adapt to this project.
-
-Copyright 2009 The Go Authors. All rights reserved.
-Use of this source code is governed by a BSD-style
-license that can be found in the LICENSE file.
--- a/176
+++ b/176
@@ -1,151 +1,49 @@
-shell := /bin/sh
-export VERSION ?= $(shell git describe --tags --abbrev=0)
-export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
-export GOOS = linux
+.PHONY: all build up quick-restart restart logs get udp-server

-WEBUI_DIR ?= ../godoxy-frontend
-DOCS_DIR ?= ../godoxy-wiki
+all: build quick-restart logs

-LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
+setup:
+	mkdir -p config certs
+	[ -f config/config.yml ] || cp config.example.yml config/config.yml
+	[ -f config/providers.yml ] || touch config/providers.yml

-ifeq ($(agent), 1)
-	NAME = godoxy-agent
-	PWD = ${shell pwd}/agent
-else ifeq ($(socket-proxy), 1)
-	NAME = godoxy-socket-proxy
-	PWD = ${shell pwd}/socket-proxy
-else
-	NAME = godoxy
-	PWD = ${shell pwd}
-endif
-
-ifeq ($(trace), 1)
-	debug = 1
-	GODOXY_TRACE ?= 1
-	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
-endif
-
-ifeq ($(race), 1)
-	debug = 1
-  BUILD_FLAGS += -race
-endif
-
-ifeq ($(debug), 1)
-	CGO_ENABLED = 1
-	GODOXY_DEBUG = 1
-	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug -asan
-else ifeq ($(pprof), 1)
-	CGO_ENABLED = 1
-	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
-	BUILD_FLAGS += -tags pprof
-	VERSION := ${VERSION}-pprof
-else
-	CGO_ENABLED = 0
-	LDFLAGS += -s -w
-	BUILD_FLAGS += -pgo=auto -tags production
-endif
-
-BUILD_FLAGS += -ldflags='$(LDFLAGS)'
-BIN_PATH := $(shell pwd)/bin/${NAME}
-
-export NAME
-export CGO_ENABLED
-export GODOXY_DEBUG
-export GODOXY_TRACE
-export GODEBUG
-export GORACE
-export BUILD_FLAGS
-
-ifeq ($(shell id -u), 0)
-	SETCAP_CMD = setcap
-else
-	SETCAP_CMD = sudo setcap
-endif
-
-
-# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
-POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
-ifeq ($(docker), 1)
-	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
-endif
-
-.PHONY: debug
-
-test:
-	GODOXY_TEST=1 go test ./internal/...
-
-docker-build-test:
-	docker build -t godoxy .
-	docker build --build-arg=MAKE_ARGS=agent=1 -t godoxy-agent .
-
-go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
-files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
-gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
-
-update-go:
-	for file in ${files}; do \
-		echo "updating $$file"; \
-		sed -i 's|go \([0-9]\+\.[0-9]\+\.[0-9]\+\)|go ${go_ver}|g' $$file; \
-		sed -i 's|FROM golang:.*-alpine|FROM golang:${go_ver}-alpine|g' $$file; \
-	done
-	for path in ${gomod_paths}; do \
-		echo "go mod tidy $$path"; \
-		cd ${PWD}/$$path && go mod tidy; \
-	done
-
-update-deps:
-	for path in ${gomod_paths}; do \
-		echo "go get -u $$path"; \
-		cd ${PWD}/$$path && go get -u ./... && go mod tidy; \
-	done
-
-mod-tidy:
-	for path in ${gomod_paths}; do \
-		echo "go mod tidy $$path"; \
-		cd ${PWD}/$$path && go mod tidy; \
-	done
+setup-codemirror:
+	wget https://codemirror.net/5/codemirror.zip
+	unzip codemirror.zip
+	rm codemirror.zip
+	mkdir -p templates
+	mv codemirror-* templates/codemirror

 build:
-	mkdir -p $(shell dirname ${BIN_PATH})
-	cd ${PWD} && go build ${BUILD_FLAGS} -o ${BIN_PATH} ./cmd
-	${POST_BUILD}
+	mkdir -p bin
+	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy src/go-proxy/*.go

-run:
-	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+test:
+	go test src/go-proxy/*.go

-debug:
-	make NAME="godoxy-test" debug=1 build
-	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
+up:
+	docker compose up -d

-mtrace:
-	 ${BIN_PATH} debug-ls-mtrace > mtrace.json
+restart:
+	docker compose restart -t 0

-rapid-crash:
-	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
-	sleep 3 &&\
-	docker rm -f test_crash
+logs:
+	tail -f log/go-proxy.log

-debug-list-containers:
-	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+get:
+	go get -d -u ./src/go-proxy

-ci-test:
-	mkdir -p /tmp/artifacts
-	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
+repush:
+	git reset --soft HEAD^
+	git add -A
+	git commit -m "repush"
+	git push gitlab dev --force

-cloc:
-	cloc --include-lang=Go --not-match-f '_test.go$$' .
-
-push-github:
-	git push origin $(shell git rev-parse --abbrev-ref HEAD)
-
-gen-swagger:
-	swag init --parseDependency --parseInternal -g handler.go -d internal/api -o internal/api/v1/docs
-	python3 scripts/fix-swagger-json.py
-
-gen-swagger-markdown: gen-swagger
-	swagger generate markdown -f internal/api/v1/docs/swagger.yaml --skip-validation --output ${DOCS_DIR}/src/API.md
-
-gen-api-types: gen-swagger
-	# --disable-throw-on-error
-	pnpx swagger-typescript-api generate --sort-types --generate-union-enums --axios --add-readonly --route-types \
-		 --responses -o ${WEBUI_DIR}/src/lib -n api.ts -p internal/api/v1/docs/swagger.json
+udp-server:
+	docker run -it --rm \
+		-p 9999:9999/udp \
+		--label proxy.test-udp.scheme=udp \
+		--label proxy.test-udp.port=20003:9999 \
+		--network host \
+		--name test-udp \
+		$$(docker build -q -f udp-test-server.Dockerfile .)
--- a/README.md
+++ b/README.md
@@ -1,204 +1,346 @@
-<div align="center">
+# go-proxy

-# GoDoxy
+A simple auto docker reverse proxy for home use. **Written in _Go_**

-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=go-proxy)
-![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
-[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
-
-A lightweight, simple, and performant reverse proxy with WebUI.
-
-<h5>
-<a href="https://docs.godoxy.dev">Website</a> | <a href="https://docs.godoxy.dev/Home.html">Wiki</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
-</h5>
-
-<h5>EN | <a href="README_CHT.md">中文</a></h5>
-
-Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)! (Thanks to [@ismesid](https://github.com/arevindh))
-
-<img src="screenshots/webui.jpg" style="max-width: 650">
-
-</div>
+In the examples domain `x.y.z` is used, replace them with your domain

 ## Table of content

 <!-- TOC -->
+- [Table of content](#table-of-content)
+- [Key Points](#key-points)
+- [How to use](#how-to-use)
+- [Tested Services](#tested-services)
+  - [HTTP/HTTPs Reverse Proxy](#httphttps-reverse-proxy)
+  - [TCP Proxy](#tcp-proxy)
+  - [UDP Proxy](#udp-proxy)
+- [Command-line args](#command-line-args)
+  - [Commands](#commands)
+- [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
+- [Environment variables](#environment-variables)
+- [Config File](#config-file)
+  - [Fields](#fields)
+  - [Provider Kinds](#provider-kinds)
+  - [Provider File](#provider-file)
+  - [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
+- [Troubleshooting](#troubleshooting)
+- [Benchmarks](#benchmarks)
+- [Known issues](#known-issues)
+- [Memory usage](#memory-usage)
+- [Build it yourself](#build-it-yourself)
+<!-- /TOC -->

- [GoDoxy](#godoxy)
-  - [Table of content](#table-of-content)
-  - [Running demo](#running-demo)
-  - [Key Features](#key-features)
-  - [Prerequisites](#prerequisites)
-  - [Setup](#setup)
-  - [How does GoDoxy work](#how-does-godoxy-work)
-  - [Screenshots](#screenshots)
-    - [idlesleeper](#idlesleeper)
-    - [Metrics and Logs](#metrics-and-logs)
-  - [Manual Setup](#manual-setup)
-    - [Folder structrue](#folder-structrue)
-  - [Build it yourself](#build-it-yourself)
+## Key Points

-## Running demo
+- Fast (See [benchmarks](#benchmarks))
+- Auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported DNS Challenge Providers](#supported-dns-challenge-providers))
+- Auto detect reverse proxies from docker
+- Auto hot-reload on container `start` / `die` / `stop` or config file changes
+- Custom proxy entries with `config.yml` and additional provider files
+- Subdomain matching + Path matching **(domain name doesn't matter)**
+- HTTP(s) reverse proxy + TCP/UDP Proxy
+- HTTP(s) round robin load balance support (same subdomain and path across different hosts)
+- Web UI on port 8080 (http) and port 8443 (https)

-<https://demo.godoxy.dev>
+  - a simple panel to see all reverse proxies and health

-[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+    ![panel screenshot](screenshots/panel.png)

-## Key Features
+  - a config editor to edit config and provider files with validation

- **Simple**
-  - Effortless configuration with [simple labels](https://docs.godoxy.dev/Docker-labels-and-Route-Files) or WebUI
-  - [Simple multi-node setup](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
-  - Detailed error messages for easy troubleshooting.
- **ACL**: connection / request level access control
-  - IP/CIDR
-  - Country **(Maxmind account required)**
-  - Timezone **(Maxmind account required)**
-  - **Access logging**
- **Advanced Automation**
-  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://docs.godoxy.dev/DNS-01-Providers))
-  - Auto-configuration for Docker containers
-  - Hot-reloading of configurations and container state changes
- **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
-  - Docker containers
-  - Proxmox LXCs
- **Traffic Management**
-  - HTTP reserve proxy
-  - TCP/UDP port forwarding
-  - **OpenID Connect support**: SSO and secure your apps easily
- **Customization**
-  - [HTTP middlewares](https://docs.godoxy.dev/Middlewares)
-  - [Custom error pages support](https://docs.godoxy.dev/Custom-Error-Pages)
- **Web UI**
-  - App Dashboard
-  - Config Editor
-  - Uptime and System Metrics
-  - Docker Logs Viewer
- **Cross-Platform support**
-  - Supports **linux/amd64** and **linux/arm64**
- **Efficient and Performant**
-  - Written in **[Go](https://go.dev)**
+    **Validate and save file with Ctrl+S**

-## Prerequisites
+    ![config editor screenshot](screenshots/config_editor.png)

-Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
+[🔼Back to top](#table-of-content)

- A Record: `*.domain.com` -> `10.0.10.1`
- AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`
+## How to use

-## Setup
+1. Setup DNS Records to your machine's IP address

-> [!NOTE]
-> GoDoxy is designed to be running in `host` network mode, do not change it.
->
-> To change listening ports, modify `.env`.
+   - A Record: `*.y.z` -> `10.0.10.1`
+   - AAAA Record: `*.y.z` -> `::ffff:a00:a01`

-1. Prepare a new directory for docker compose and config files.
+2. Start `go-proxy` by

-2. Run setup script inside the directory, or [set up manually](#manual-setup)
+   - [Running from binary or as a system service](docs/binary.md)
+   - [Running as a docker container](docs/docker.md)

-   ```shell
-   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
-   ```
+3. Start editing config files
+   - with text editor (i.e. Visual Studio Code)
+   - or with web config editor by navigate to `http://ip:8080`

-3. Start the docker compose service from generated `compose.yml`:
+[🔼Back to top](#table-of-content)

-   ```shell
-   docker compose up -d
-   ```
+## Tested Services

-4. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
+### HTTP/HTTPs Reverse Proxy

-## How does GoDoxy work
+- Nginx
+- Minio
+- AdguardHome Dashboard
+- etc.

-1. List all the containers
-2. Read container name, labels and port configurations for each of them
-3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
-4. Watch for container / config changes and update automatically
+### TCP Proxy

-> [!NOTE]
-> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
->
-> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
+- Minecraft server
+- PostgreSQL
+- MariaDB

-## Screenshots
+### UDP Proxy

-### idlesleeper
+- Adguardhome DNS
+- Palworld Dedicated Server

-![idlesleeper](screenshots/idlesleeper.webp)
+[🔼Back to top](#table-of-content)

-### Metrics and Logs
+## Command-line args

-<div align="center">
-  <table>
-    <tr>
-      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
-      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>Uptime Monitor</b></td>
-      <td align="center"><b>Docker Logs</b></td>
-      <td align="center"><b>Server Overview</b></td>
-    </tr>
-        <tr>
-      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>System Monitor</b></td>
-      <td align="center"><b>Graphs</b></td>
-    </tr>
-  </table>
-</div>
+`go-proxy [command]`

-## Manual Setup
+### Commands

-1. Make `config` directory then grab `config.example.yml` into `config/config.yml`
+- empty: start proxy server
+- validate: validate config and exit
+- reload: trigger a force reload of config

-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`
+Examples:

-2. Grab `.env.example` into `.env`
+- Binary: `go-proxy reload`
+- Docker: `docker exec -it go-proxy /app/go-proxy reload`

-   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`
+[🔼Back to top](#table-of-content)

-3. Grab `compose.example.yml` into `compose.yml`
+## Use JSON Schema in VSCode

-   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`
+Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify to fit your needs

-### Folder structrue
-
-```shell
-├── certs
-│   ├── cert.crt
-│   └── priv.key
-├── compose.yml
-├── config
-│   ├── config.yml
-│   ├── middlewares
-│   │   ├── middleware1.yml
-│   │   ├── middleware2.yml
-│   ├── provider1.yml
-│   └── provider2.yml
-├── data
-│   ├── metrics # metrics data
-│   │   ├── uptime.json
-│   │   └── system_info.json
-└── .env
+```json
+{
+  "yaml.schemas": {
+    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+      "config.example.yml",
+      "config.yml"
+    ],
+    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+      "providers.example.yml",
+      "*.providers.yml"
+    ]
+  }
+}
 ```

+[🔼Back to top](#table-of-content)
+
+## Environment variables
+
+- `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
+- `GOPROXY_HOST_NETWORK`: _(Docker only)_ set to `1` when `network_mode: host`
+- `GOPROXY_NO_SCHEMA_VALIDATION`: disable schema validation on config load / reload **(for testing new DNS Challenge providers)**
+
+[🔼Back to top](#table-of-content)
+
+## Config File
+
+See [config.example.yml](config.example.yml) for more
+
+### Fields
+
+- `autocert`: autocert configuration
+
+  - `email`: ACME Email
+  - `domains`: a list of domains for cert registration
+  - `provider`: DNS Challenge provider, see [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
+  - `options`: [provider specific options](#supported-dns-challenge-providers)
+
+- `providers`: reverse proxy providers configuration
+  - `kind`: provider kind (string), see [Provider Kinds](#provider-kinds)
+  - `value`: provider specific value
+
+[🔼Back to top](#table-of-content)
+
+### Provider Kinds
+
+- `docker`: load reverse proxies from docker
+
+  values:
+
+  - `FROM_ENV`: value from environment (`DOCKER_HOST`)
+  - full url to docker host (i.e. `tcp://host:2375`)
+
+- `file`: load reverse proxies from provider file
+
+  value: relative path of file to `config/`
+
+[🔼Back to top](#table-of-content)
+
+### Provider File
+
+Fields are same as [docker labels](docs/docker.md#labels) starting from `scheme`
+
+See [providers.example.yml](providers.example.yml) for examples
+
+[🔼Back to top](#table-of-content)
+
+### Supported DNS Challenge Providers
+
+- Cloudflare
+
+  - `auth_token`: your zone API token
+
+  Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
+
+- CloudDNS
+
+  - `client_id`
+  - `email`
+  - `password`
+
+- DuckDNS (thanks [earvingad](https://github.com/earvingad))
+
+  - `token`: DuckDNS Token
+
+To add more provider support, see [this](docs/add_dns_provider.md)
+
+[🔼Back to top](#table-of-content)
+
+## Troubleshooting
+
+Q: How to fix when it shows "no matching route for subdomain \<subdomain>"?
+
+A: Make sure the container is running, and \<subdomain> matches any container name / alias
+
+[🔼Back to top](#table-of-content)
+
+## Benchmarks
+
+Benchmarked with `wrk` connecting `traefik/whoami`'s `/bench` endpoint
+
+Remote benchmark (client running wrk and `go-proxy` server are different devices)
+
+- Direct connection
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
+  Running 10s test @ http://10.0.100.3:8003/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    94.75ms  199.92ms   1.68s    91.27%
+      Req/Sec     4.24k     1.79k   18.79k    72.13%
+    Latency Distribution
+      50%    1.14ms
+      75%  120.23ms
+      90%  245.63ms
+      99%    1.03s
+    423444 requests in 10.10s, 50.88MB read
+    Socket errors: connect 0, read 0, write 0, timeout 29
+  Requests/sec:  41926.32
+  Transfer/sec:      5.04MB
+  ```
+
+- With reverse proxy
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    79.35ms  169.79ms   1.69s    92.55%
+      Req/Sec     4.27k     1.90k   19.61k    75.81%
+    Latency Distribution
+      50%    1.12ms
+      75%  105.66ms
+      90%  200.22ms
+      99%  814.59ms
+    409836 requests in 10.10s, 49.25MB read
+    Socket errors: connect 0, read 0, write 0, timeout 18
+  Requests/sec:  40581.61
+  Transfer/sec:      4.88MB
+  ```
+
+Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
+
+- Direct connection
+
+  ```shell
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
+  Running 10s test @ http://10.0.100.1/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency   434.08us  539.35us   8.76ms   85.28%
+      Req/Sec    67.71k     6.31k   87.21k    71.20%
+    Latency Distribution
+      50%  153.00us
+      75%  646.00us
+      90%    1.18ms
+      99%    2.38ms
+    6739591 requests in 10.01s, 809.85MB read
+  Requests/sec: 673608.15
+  Transfer/sec:     80.94MB
+  ```
+
+- With `go-proxy` reverse proxy
+
+  ```shell
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     1.23ms    0.96ms  11.43ms   72.09%
+      Req/Sec    17.48k     1.76k   21.48k    70.20%
+    Latency Distribution
+      50%    0.98ms
+      75%    1.76ms
+      90%    2.54ms
+      99%    4.24ms
+    1739079 requests in 10.01s, 208.97MB read
+  Requests/sec: 173779.44
+  Transfer/sec:     20.88MB
+  ```
+
+- With `traefik-v3`
+
+  ```shell
+  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
+  Running 10s test @ http://127.0.0.1:8000/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     2.81ms   10.36ms 180.26ms   98.57%
+      Req/Sec    11.35k     1.74k   13.76k    85.54%
+    Latency Distribution
+      50%    1.59ms
+      75%    2.27ms
+      90%    3.17ms
+      99%   37.91ms
+    1125723 requests in 10.01s, 109.50MB read
+  Requests/sec: 112499.59
+  Transfer/sec:     10.94MB
+  ```
+
+[🔼Back to top](#table-of-content)
+
+## Known issues
+
+- Cert "renewal" is actually obtaining a new cert instead of renewing the existing one
+
+[🔼Back to top](#table-of-content)
+
+## Memory usage
+
+It takes ~15 MB for 50 proxy entries
+
+[🔼Back to top](#table-of-content)
+
 ## Build it yourself

-1. Clone the repository `git clone https://github.com/yusing/godoxy --depth=1`
+1. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already

-2. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already
+2. Clear cache if you have built this before (go < 1.22) with `go clean -cache`

-3. Clear cache if you have built this before (go < 1.22) with `go clean -cache`
+3. get dependencies with `make get`

-4. get dependencies with `make get`
+4. build binary with `make build`

-5. build binary with `make build`
+5. start your container with `make up` (docker) or `bin/go-proxy` (binary)

 [🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,191 +0,0 @@
-<div align="center">
-
-# GoDoxy
-
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
-[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
-
-輕量、易用、 高效能，且帶有主頁和配置面板的反向代理
-
-<h5>
-<a href="https://docs.godoxy.dev">網站</a> | <a href="https://docs.godoxy.dev/Home.html">文檔</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
-</h5>
-
-<h5><a href="README.md">EN</a> | 中文</h5>
-
-有疑問? 問 [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)！（鳴謝 [@ismesid](https://github.com/arevindh)）
-
-<img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
-
-</div>
-
-## 目錄
-
-<!-- TOC -->
-
- [GoDoxy](#godoxy)
-  - [目錄](#目錄)
-  - [運行示例](#運行示例)
-  - [主要特點](#主要特點)
-  - [前置需求](#前置需求)
-  - [安裝](#安裝)
-    - [手動安裝](#手動安裝)
-    - [資料夾結構](#資料夾結構)
-  - [截圖](#截圖)
-    - [閒置休眠](#閒置休眠)
-    - [監控](#監控)
-  - [自行編譯](#自行編譯)
-
-## 運行示例
-
-<https://demo.godoxy.dev>
-
-[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
-
-## 主要特點
-
- **簡單易用**
-  - 透過 Docker[標籤](https://docs.godoxy.dev/Docker-labels-and-Route-Files)或 WebUI 輕鬆設定
-  - [簡單的多節點設置](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
-  - 詳細的錯誤訊息，便於故障排除
- **存取控制 (ACL)**：連線/請求層級存取控制
-  - IP/CIDR
-  - 國家 **(需要 Maxmind 帳戶)**
-  - 時區 **(需要 Maxmind 帳戶)**
-  - **存取日誌記錄**
- **自動化**
-  - 使用 Let's Encrypt 自動管理 SSL 憑證 ([使用 DNS-01 驗證](https://docs.godoxy.dev/DNS-01-Providers))
-  - Docker 容器自動配置
-  - 設定檔與容器狀態變更時自動熱重載
- **閒置休眠**：根據流量停止和喚醒容器 _(參見[截圖](#閒置休眠))_
-  - Docker 容器
-  - Proxmox LXC 容器
- **流量管理**
-  - HTTP 反向代理
-  - TCP/UDP 連接埠轉送
-  - **OpenID Connect 支援**：輕鬆實現單點登入 (SSO) 並保護您的應用程式
- **客製化**
-  - [HTTP 中介軟體](https://docs.godoxy.dev/Middlewares)
-  - [支援自訂錯誤頁面](https://docs.godoxy.dev/Custom-Error-Pages)
- **網頁使用者介面 (Web UI)**
-  - 應用程式一覽
-  - 設定編輯器
-  - 執行時間與系統指標
-  - Docker 日誌檢視器
- **跨平台支援**
-  - 支援 **linux/amd64** 與 **linux/arm64**
- **高效能**
-  - 以 **[Go](https://go.dev)** 語言編寫
-
-[🔼 回到頂部](#目錄)
-
-## 前置需求
-
-設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：
-
- A 記錄：`*.y.z` -> `10.0.10.1`
- AAAA 記錄：`*.y.z` -> `::ffff:a00:a01`
-
-## 安裝
-
-> [!NOTE]
-> GoDoxy 僅在 `host` 網路模式下運作，請勿更改。
->
-> 如需更改監聽埠，請修改 `.env`。
-
-1. 準備一個新目錄用於 docker compose 和配置文件。
-
-2. 在目錄內運行安裝腳本，或[手動安裝](#手動安裝)
-
-   ```shell
-   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
-   ```
-
-3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置
-
-[🔼 回到頂部](#目錄)
-
-### 手動安裝
-
-1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`
-
-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`
-
-2. 將 `.env.example` 下載到 `.env`
-
-   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`
-
-3. 將 `compose.example.yml` 下載到 `compose.yml`
-
-   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`
-
-### 資料夾結構
-
-```shell
-├── certs
-│   ├── cert.crt
-│   └── priv.key
-├── compose.yml
-├── config
-│   ├── config.yml
-│   ├── middlewares
-│   │   ├── middleware1.yml
-│   │   ├── middleware2.yml
-│   ├── provider1.yml
-│   └── provider2.yml
-├── data
-│   ├── metrics # metrics data
-│   │   ├── uptime.json
-│   │   └── system_info.json
-└── .env
-```
-
-## 截圖
-
-### 閒置休眠
-
-![閒置休眠](screenshots/idlesleeper.webp)
-
-[🔼 回到頂部](#目錄)
-
-### 監控
-
-<div align="center">
-  <table>
-    <tr>
-      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
-      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>運行時間監控</b></td>
-      <td align="center"><b>Docker 日誌</b></td>
-      <td align="center"><b>伺服器概覽</b></td>
-    </tr>
-        <tr>
-      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>系統監控</b></td>
-      <td align="center"><b>圖表</b></td>
-    </tr>
-  </table>
-</div>
-
-## 自行編譯
-
-1. 克隆儲存庫 `git clone https://github.com/yusing/godoxy --depth=1`
-
-2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`
-
-3. 如果之前編譯過（go < 1.22），請使用 `go clean -cache` 清除快取
-
-4. 使用 `make get` 獲取依賴
-
-5. 使用 `make build` 編譯二進制檔案
-
-[🔼 回到頂部](#目錄)
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -1,78 +0,0 @@
-package main
-
-import (
-	"os"
-
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/agent/pkg/server"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	httpServer "github.com/yusing/go-proxy/internal/net/gphttp/server"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
-	socketproxy "github.com/yusing/go-proxy/socketproxy/pkg"
-)
-
-func main() {
-	writer := zerolog.ConsoleWriter{
-		Out:        os.Stderr,
-		TimeFormat: "01-02 15:04",
-	}
-	zerolog.TimeFieldFormat = writer.TimeFormat
-	log.Logger = zerolog.New(writer).Level(zerolog.InfoLevel).With().Timestamp().Logger()
-	ca := &agent.PEMPair{}
-	err := ca.Load(env.AgentCACert)
-	if err != nil {
-		gperr.LogFatal("init CA error", err)
-	}
-	caCert, err := ca.ToTLSCert()
-	if err != nil {
-		gperr.LogFatal("init CA error", err)
-	}
-
-	srv := &agent.PEMPair{}
-	srv.Load(env.AgentSSLCert)
-	if err != nil {
-		gperr.LogFatal("init SSL error", err)
-	}
-	srvCert, err := srv.ToTLSCert()
-	if err != nil {
-		gperr.LogFatal("init SSL error", err)
-	}
-
-	log.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
-	log.Info().Msgf("Agent name: %s", env.AgentName)
-	log.Info().Msgf("Agent port: %d", env.AgentPort)
-
-	log.Info().Msg(`
-Tips:
-1. To change the agent name, you can set the AGENT_NAME environment variable.
-2. To change the agent port, you can set the AGENT_PORT environment variable.
-`)
-
-	t := task.RootTask("agent", false)
-	opts := server.Options{
-		CACert:     caCert,
-		ServerCert: srvCert,
-		Port:       env.AgentPort,
-	}
-
-	server.StartAgentServer(t, opts)
-
-	if socketproxy.ListenAddr != "" {
-		log.Info().Msgf("Docker socket listening on: %s", socketproxy.ListenAddr)
-		opts := httpServer.Options{
-			Name:     "docker",
-			HTTPAddr: socketproxy.ListenAddr,
-			Handler:  socketproxy.NewHandler(),
-		}
-		httpServer.StartServer(t, opts)
-	}
-
-	systeminfo.Poller.Start()
-
-	task.WaitExit(3)
-}
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -1,109 +0,0 @@
-module github.com/yusing/go-proxy/agent
-
-go 1.25.0
-
-replace github.com/yusing/go-proxy => ..
-
-replace github.com/yusing/go-proxy/socketproxy => ../socket-proxy
-
-replace github.com/yusing/go-proxy/internal/utils => ../internal/utils
-
-replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d
-
-require (
-	github.com/gin-gonic/gin v1.10.1
-	github.com/gorilla/websocket v1.5.3
-	github.com/rs/zerolog v1.34.0
-	github.com/stretchr/testify v1.11.1
-	github.com/yusing/go-proxy v0.17.1
-	github.com/yusing/go-proxy/internal/utils v0.0.0
-	github.com/yusing/go-proxy/socketproxy v0.0.0-00010101000000-000000000000
-)
-
-require (
-	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/PuerkitoBio/goquery v1.10.3 // indirect
-	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
-	github.com/bytedance/sonic/loader v0.3.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v28.3.3+incompatible // indirect
-	github.com/docker/docker v28.3.3+incompatible // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
-	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-playground/locales v0.14.1 // indirect
-	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.27.0 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/gotify/server/v2 v2.6.3 // indirect
-	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
-	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/lithammer/fuzzysearch v1.1.8 // indirect
-	github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.2 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/puzpuzpuz/xsync/v4 v4.1.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.0 // indirect
-	github.com/samber/lo v1.51.0 // indirect
-	github.com/samber/slog-common v0.19.0 // indirect
-	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.7 // indirect
-	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/spf13/afero v1.14.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
-	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.0 // indirect
-	github.com/vincent-petithory/dataurl v1.0.0 // indirect
-	github.com/yusing/ds v0.1.0 // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/mock v0.6.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/crypto v0.41.0 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.5.2 // indirect
-)
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -1,330 +0,0 @@
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
-github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
-github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
-github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
-github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
-github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
-github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
-github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
-github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
-github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
-github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
-github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
-github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
-github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo=
-github.com/docker/cli v28.3.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
-github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw=
-github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
-github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
-github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
-github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
-github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
-github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
-github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
-github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
-github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
-github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
-github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
-github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
-github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d h1:bNqtnmyhGDxpBSaFYIo7ferYRIc/QzlaGfIhh/JmMPk=
-github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d/go.mod h1:7iQ/w4jyGYJCZ56dZLNztwM4atNxj5C2HNTBxhLvV8A=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
-github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
-github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotify/server/v2 v2.6.3 h1:2sLDRsQ/No1+hcFwFDvjNtwKepfCSIR8L3BkXl/Vz1I=
-github.com/gotify/server/v2 v2.6.3/go.mod h1:IyeQ/iL3vetcuqUAzkCMVObIMGGJx4zb13/mVatIwE8=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
-github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
-github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
-github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
-github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
-github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
-github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 h1:mFWunSatvkQQDhpdyuFAYwyAan3hzCuma+Pz8sqvOfg=
-github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
-github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
-github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
-github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
-github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/puzpuzpuz/xsync/v4 v4.1.0 h1:x9eHRl4QhZFIPJ17yl4KKW9xLyVWbb3/Yq4SXpjF71U=
-github.com/puzpuzpuz/xsync/v4 v4.1.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
-github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
-github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
-github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
-github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
-github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
-github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
-github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
-github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
-github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
-github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
-github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
-github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
-github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
-github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
-github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
-github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yusing/ds v0.1.0 h1:aiZs7jPMN3MEChUsddMYjpZFHhhAmkxrwRyIUnGy5AU=
-github.com/yusing/ds v0.1.0/go.mod h1:KC785+mtt+Bau0LLR+slExDaUjeiqLT1k9Or6Rpryh4=
-github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
-github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
-go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
-go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20250811230008-5f3141c8851a h1:V8Zj/61zlL7B+VH151iV5hJlUnYc3fUNTEhLtyr9Kzc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b h1:ULiyYQ0FdsJhwwZUwbaXpZF5yUE3h+RA+gxvBu37ucc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:oDOGiMSXHL4sDTJvFvIB9nRQCGdLP1o/iVaqQK8zB+M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a h1:tPE/Kp+x9dMSwUm/uM0JKK0IfdiJkwAbSMSeZBXXJXc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
-google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
-google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
-gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
--- a/agent/pkg/agent/agent_pool.go
+++ b/agent/pkg/agent/agent_pool.go
@@ -1,57 +0,0 @@
-package agent
-
-import (
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/utils/functional"
-)
-
-var agentPool = functional.NewMapOf[string, *AgentConfig]()
-
-func init() {
-	if common.IsTest {
-		agentPool.Store("test-agent", &AgentConfig{
-			Addr: "test-agent",
-		})
-	}
-}
-
-func GetAgent(agentAddrOrDockerHost string) (*AgentConfig, bool) {
-	if !IsDockerHostAgent(agentAddrOrDockerHost) {
-		return getAgentByAddr(agentAddrOrDockerHost)
-	}
-	return getAgentByAddr(GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
-}
-
-func GetAgentByName(name string) (*AgentConfig, bool) {
-	for _, agent := range agentPool.Range {
-		if agent.Name == name {
-			return agent, true
-		}
-	}
-	return nil, false
-}
-
-func AddAgent(agent *AgentConfig) {
-	agentPool.Store(agent.Addr, agent)
-}
-
-func RemoveAgent(agent *AgentConfig) {
-	agentPool.Delete(agent.Addr)
-}
-
-func RemoveAllAgents() {
-	agentPool.Clear()
-}
-
-func ListAgents() []*AgentConfig {
-	agents := make([]*AgentConfig, 0, agentPool.Size())
-	for _, agent := range agentPool.Range {
-		agents = append(agents, agent)
-	}
-	return agents
-}
-
-func getAgentByAddr(addr string) (agent *AgentConfig, ok bool) {
-	agent, ok = agentPool.Load(addr)
-	return
-}
--- a/agent/pkg/agent/bare_metal.go
+++ b/agent/pkg/agent/bare_metal.go
@@ -1,23 +0,0 @@
-package agent
-
-import (
-	"bytes"
-	"text/template"
-)
-
-var (
-	installScript = `AGENT_NAME="{{.Name}}" \
-	AGENT_PORT="{{.Port}}" \
-	AGENT_CA_CERT="{{.CACert}}" \
-	AGENT_SSL_CERT="{{.SSLCert}}" \
-	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/install-agent.sh)"`
-	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
-)
-
-func (c *AgentEnvConfig) Generate() (string, error) {
-	buf := bytes.NewBuffer(make([]byte, 0, 4096))
-	if err := installScriptTemplate.Execute(buf, c); err != nil {
-		return "", err
-	}
-	return buf.String(), nil
-}
--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -1,184 +0,0 @@
-package agent
-
-import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-	"github.com/yusing/go-proxy/pkg"
-)
-
-type AgentConfig struct {
-	Addr    string `json:"addr"`
-	Name    string `json:"name"`
-	Version string `json:"version"`
-
-	httpClient *http.Client
-	tlsConfig  *tls.Config
-	l          zerolog.Logger
-} // @name Agent
-
-const (
-	EndpointVersion    = "/version"
-	EndpointName       = "/name"
-	EndpointProxyHTTP  = "/proxy/http"
-	EndpointHealth     = "/health"
-	EndpointLogs       = "/logs"
-	EndpointSystemInfo = "/system_info"
-
-	AgentHost = CertsDNSName
-
-	APIEndpointBase = "/godoxy/agent"
-	APIBaseURL      = "https://" + AgentHost + APIEndpointBase
-
-	DockerHost = "https://" + AgentHost
-
-	FakeDockerHostPrefix    = "agent://"
-	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
-)
-
-func mustParseURL(urlStr string) *url.URL {
-	u, err := url.Parse(urlStr)
-	if err != nil {
-		panic(err)
-	}
-	return u
-}
-
-var (
-	AgentURL              = mustParseURL(APIBaseURL)
-	HTTPProxyURL          = mustParseURL(APIBaseURL + EndpointProxyHTTP)
-	HTTPProxyURLPrefixLen = len(APIEndpointBase + EndpointProxyHTTP)
-)
-
-func IsDockerHostAgent(dockerHost string) bool {
-	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
-}
-
-func GetAgentAddrFromDockerHost(dockerHost string) string {
-	return dockerHost[FakeDockerHostPrefixLen:]
-}
-
-func (cfg *AgentConfig) FakeDockerHost() string {
-	return FakeDockerHostPrefix + cfg.Addr
-}
-
-func (cfg *AgentConfig) Parse(addr string) error {
-	cfg.Addr = addr
-	return nil
-}
-
-var serverVersion = pkg.GetVersion()
-
-func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte) error {
-	clientCert, err := tls.X509KeyPair(crt, key)
-	if err != nil {
-		return err
-	}
-
-	// create tls config
-	caCertPool := x509.NewCertPool()
-	ok := caCertPool.AppendCertsFromPEM(ca)
-	if !ok {
-		return errors.New("invalid ca certificate")
-	}
-
-	cfg.tlsConfig = &tls.Config{
-		Certificates: []tls.Certificate{clientCert},
-		RootCAs:      caCertPool,
-		ServerName:   CertsDNSName,
-	}
-
-	// create transport and http client
-	cfg.httpClient = cfg.NewHTTPClient()
-
-	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
-	defer cancel()
-
-	// get agent name
-	name, _, err := cfg.Fetch(ctx, EndpointName)
-	if err != nil {
-		return err
-	}
-
-	cfg.Name = string(name)
-
-	cfg.l = log.With().Str("agent", cfg.Name).Logger()
-
-	// check agent version
-	agentVersionBytes, _, err := cfg.Fetch(ctx, EndpointVersion)
-	if err != nil {
-		return err
-	}
-
-	cfg.Version = string(agentVersionBytes)
-	agentVersion := pkg.ParseVersion(cfg.Version)
-
-	if serverVersion.IsNewerMajorThan(agentVersion) {
-		log.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.Name, serverVersion, agentVersion)
-	}
-
-	log.Info().Msgf("agent %q initialized", cfg.Name)
-	return nil
-}
-
-func (cfg *AgentConfig) Start(ctx context.Context) error {
-	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
-	if !ok {
-		return fmt.Errorf("invalid agent host: %s", cfg.Addr)
-	}
-
-	certData, err := os.ReadFile(filepath)
-	if err != nil {
-		return fmt.Errorf("failed to read agent certs: %w", err)
-	}
-
-	ca, crt, key, err := certs.ExtractCert(certData)
-	if err != nil {
-		return fmt.Errorf("failed to extract agent certs: %w", err)
-	}
-
-	return cfg.StartWithCerts(ctx, ca, crt, key)
-}
-
-func (cfg *AgentConfig) NewHTTPClient() *http.Client {
-	return &http.Client{
-		Transport: cfg.Transport(),
-	}
-}
-
-func (cfg *AgentConfig) Transport() *http.Transport {
-	return &http.Transport{
-		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			if addr != AgentHost+":443" {
-				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
-			}
-			if network != "tcp" {
-				return nil, &net.OpError{Op: "dial", Net: network, Source: nil, Addr: nil}
-			}
-			return cfg.DialContext(ctx)
-		},
-		TLSClientConfig: cfg.tlsConfig,
-	}
-}
-
-var dialer = &net.Dialer{Timeout: 5 * time.Second}
-
-func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
-	return dialer.DialContext(ctx, "tcp", cfg.Addr)
-}
-
-func (cfg *AgentConfig) String() string {
-	return cfg.Name + "@" + cfg.Addr
-}
--- a/agent/pkg/agent/docker_compose.go
+++ b/agent/pkg/agent/docker_compose.go
@@ -1,27 +0,0 @@
-package agent
-
-import (
-	"bytes"
-	"text/template"
-
-	_ "embed"
-)
-
-var (
-	//go:embed templates/agent.compose.yml
-	agentComposeYAML         string
-	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml").Parse(agentComposeYAML))
-)
-
-const (
-	DockerImageProduction = "ghcr.io/yusing/godoxy-agent:latest"
-	DockerImageNightly    = "ghcr.io/yusing/godoxy-agent:nightly"
-)
-
-func (c *AgentComposeConfig) Generate() (string, error) {
-	buf := bytes.NewBuffer(make([]byte, 0, 1024))
-	if err := agentComposeYAMLTemplate.Execute(buf, c); err != nil {
-		return "", err
-	}
-	return buf.String(), nil
-}
--- a/agent/pkg/agent/env.go
+++ b/agent/pkg/agent/env.go
@@ -1,17 +0,0 @@
-package agent
-
-type (
-	AgentEnvConfig struct {
-		Name    string
-		Port    int
-		CACert  string
-		SSLCert string
-	}
-	AgentComposeConfig struct {
-		Image string
-		*AgentEnvConfig
-	}
-	Generator interface {
-		Generate() (string, error)
-	}
-)
--- a/agent/pkg/agent/http_requests.go
+++ b/agent/pkg/agent/http_requests.go
@@ -1,53 +0,0 @@
-package agent
-
-import (
-	"context"
-	"io"
-	"net/http"
-
-	"github.com/gorilla/websocket"
-)
-
-func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
-	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
-	if err != nil {
-		return nil, err
-	}
-	return cfg.httpClient.Do(req)
-}
-
-func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) ([]byte, int, error) {
-	req = req.WithContext(req.Context())
-	req.URL.Host = AgentHost
-	req.URL.Scheme = "https"
-	req.URL.Path = APIEndpointBase + endpoint
-	req.RequestURI = ""
-	resp, err := cfg.httpClient.Do(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer resp.Body.Close()
-	data, _ := io.ReadAll(resp.Body)
-	return data, resp.StatusCode, nil
-}
-
-func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int, error) {
-	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer resp.Body.Close()
-	data, _ := io.ReadAll(resp.Body)
-	return data, resp.StatusCode, nil
-}
-
-func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
-	transport := cfg.Transport()
-	dialer := websocket.Dialer{
-		NetDialContext:    transport.DialContext,
-		NetDialTLSContext: transport.DialTLSContext,
-	}
-	return dialer.DialContext(ctx, APIBaseURL+endpoint, http.Header{
-		"Host": {AgentHost},
-	})
-}
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@@ -1,248 +0,0 @@
-package agent
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/base64"
-	"encoding/pem"
-	"errors"
-	"io"
-	"math/big"
-	"strings"
-	"time"
-
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"fmt"
-)
-
-const (
-	CertsDNSName = "godoxy.agent"
-)
-
-func toPEMPair(certDER []byte, key *ecdsa.PrivateKey) *PEMPair {
-	marshaledKey, err := marshalECPrivateKey(key)
-	if err != nil {
-		// This is a critical internal error during PEM encoding of a newly generated key.
-		// Panicking is acceptable here as it indicates a fundamental issue.
-		panic(fmt.Sprintf("failed to marshal EC private key for PEM encoding: %v", err))
-	}
-	return &PEMPair{
-		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
-		Key:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: marshaledKey}),
-	}
-}
-
-func marshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
-	derBytes, err := x509.MarshalECPrivateKey(key)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal EC private key: %w", err)
-	}
-	return derBytes, nil
-}
-
-func b64Encode(data []byte) string {
-	return base64.StdEncoding.EncodeToString(data)
-}
-
-func b64Decode(data string) ([]byte, error) {
-	return base64.StdEncoding.DecodeString(data)
-}
-
-type PEMPair struct {
-	Cert, Key []byte
-}
-
-func (p *PEMPair) String() string {
-	return b64Encode(p.Cert) + ";" + b64Encode(p.Key)
-}
-
-func (p *PEMPair) Load(data string) (err error) {
-	parts := strings.Split(data, ";")
-	if len(parts) != 2 {
-		return errors.New("invalid PEM pair")
-	}
-	p.Cert, err = b64Decode(parts[0])
-	if err != nil {
-		return err
-	}
-	p.Key, err = b64Decode(parts[1])
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (p *PEMPair) Encrypt(encKey []byte) (PEMPair, error) {
-	cert, err := encrypt(p.Cert, encKey)
-	if err != nil {
-		return PEMPair{}, err
-	}
-	key, err := encrypt(p.Key, encKey)
-	if err != nil {
-		return PEMPair{}, err
-	}
-	return PEMPair{Cert: cert, Key: key}, nil
-}
-
-func (p *PEMPair) Decrypt(encKey []byte) (PEMPair, error) {
-	cert, err := decrypt(p.Cert, encKey)
-	if err != nil {
-		return PEMPair{}, err
-	}
-	key, err := decrypt(p.Key, encKey)
-	if err != nil {
-		return PEMPair{}, err
-	}
-	return PEMPair{Cert: cert, Key: key}, nil
-}
-
-func encrypt(data []byte, key []byte) ([]byte, error) {
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	gcm, err := cipher.NewGCM(block)
-	if err != nil {
-		return nil, err
-	}
-	nonce := make([]byte, gcm.NonceSize())
-	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
-		return nil, err
-	}
-	return gcm.Seal(nonce, nonce, data, nil), nil
-}
-
-func decrypt(data []byte, key []byte) ([]byte, error) {
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-	gcm, err := cipher.NewGCM(block)
-	if err != nil {
-		return nil, err
-	}
-
-	nonce := data[:gcm.NonceSize()]
-	ciphertext := data[gcm.NonceSize():]
-	return gcm.Open(nil, nonce, ciphertext, nil)
-}
-
-func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
-	cert, err := tls.X509KeyPair(p.Cert, p.Key)
-	return &cert, err
-}
-
-func newSerialNumber() (*big.Int, error) {
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) // 128-bit random number
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate serial number: %w", err)
-	}
-	return serialNumber, nil
-}
-
-func NewAgent() (ca, srv, client *PEMPair, err error) {
-	caSerialNumber, err := newSerialNumber()
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	// Create the CA's certificate
-	caTemplate := &x509.Certificate{
-		SerialNumber: caSerialNumber,
-		Subject: pkix.Name{
-			Organization: []string{"GoDoxy"},
-			CommonName:   CertsDNSName,
-		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().AddDate(1000, 0, 0), // 1000 years
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-		MaxPathLen:            0,
-		MaxPathLenZero:        true,
-		SignatureAlgorithm:    x509.ECDSAWithSHA256,
-	}
-
-	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	caDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	ca = toPEMPair(caDER, caKey)
-
-	// Generate a new private key for the server certificate
-	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	serverSerialNumber, err := newSerialNumber()
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	srvTemplate := &x509.Certificate{
-		SerialNumber: serverSerialNumber,
-		Issuer:       caTemplate.Subject,
-		Subject: pkix.Name{
-			Organization:       caTemplate.Subject.Organization,
-			OrganizationalUnit: []string{"Server"},
-			CommonName:         CertsDNSName,
-		},
-		DNSNames:           []string{CertsDNSName},
-		NotBefore:          time.Now(),
-		NotAfter:           time.Now().AddDate(1000, 0, 0), // Add validity period
-		KeyUsage:           x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		SignatureAlgorithm: x509.ECDSAWithSHA256,
-	}
-
-	srvCertDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, caTemplate, &serverKey.PublicKey, caKey)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	srv = toPEMPair(srvCertDER, serverKey)
-
-	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	clientSerialNumber, err := newSerialNumber()
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	clientTemplate := &x509.Certificate{
-		SerialNumber: clientSerialNumber,
-		Issuer:       caTemplate.Subject,
-		Subject: pkix.Name{
-			Organization:       caTemplate.Subject.Organization,
-			OrganizationalUnit: []string{"Client"},
-			CommonName:         CertsDNSName,
-		},
-		DNSNames:           []string{CertsDNSName},
-		NotBefore:          time.Now(),
-		NotAfter:           time.Now().AddDate(1000, 0, 0),
-		KeyUsage:           x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-		SignatureAlgorithm: x509.ECDSAWithSHA256,
-	}
-	clientCertDER, err := x509.CreateCertificate(rand.Reader, clientTemplate, caTemplate, &clientKey.PublicKey, caKey)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	client = toPEMPair(clientCertDER, clientKey)
-	return
-}
--- a/agent/pkg/agent/new_agent_test.go
+++ b/agent/pkg/agent/new_agent_test.go
@@ -1,112 +0,0 @@
-package agent
-
-import (
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewAgent(t *testing.T) {
-	ca, srv, client, err := NewAgent()
-	require.NoError(t, err)
-	require.NotNil(t, ca)
-	require.NotNil(t, srv)
-	require.NotNil(t, client)
-}
-
-func TestPEMPair(t *testing.T) {
-	ca, srv, client, err := NewAgent()
-	require.NoError(t, err)
-
-	for i, p := range []*PEMPair{ca, srv, client} {
-		t.Run(fmt.Sprintf("load-%d", i), func(t *testing.T) {
-			var pp PEMPair
-			err := pp.Load(p.String())
-			require.NoError(t, err)
-			require.Equal(t, p.Cert, pp.Cert)
-			require.Equal(t, p.Key, pp.Key)
-		})
-	}
-}
-
-func TestPEMPairToTLSCert(t *testing.T) {
-	ca, srv, client, err := NewAgent()
-	require.NoError(t, err)
-
-	for i, p := range []*PEMPair{ca, srv, client} {
-		t.Run(fmt.Sprintf("toTLSCert-%d", i), func(t *testing.T) {
-			cert, err := p.ToTLSCert()
-			require.NoError(t, err)
-			require.NotNil(t, cert)
-		})
-	}
-}
-
-func TestServerClient(t *testing.T) {
-	ca, srv, client, err := NewAgent()
-	require.NoError(t, err)
-
-	srvTLS, err := srv.ToTLSCert()
-	require.NoError(t, err)
-	require.NotNil(t, srvTLS)
-
-	clientTLS, err := client.ToTLSCert()
-	require.NoError(t, err)
-	require.NotNil(t, clientTLS)
-
-	caPool := x509.NewCertPool()
-	require.True(t, caPool.AppendCertsFromPEM(ca.Cert))
-
-	srvTLSConfig := &tls.Config{
-		Certificates: []tls.Certificate{*srvTLS},
-		ClientCAs:    caPool,
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-
-	clientTLSConfig := &tls.Config{
-		Certificates: []tls.Certificate{*clientTLS},
-		RootCAs:      caPool,
-		ServerName:   CertsDNSName,
-	}
-
-	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
-	server.TLS = srvTLSConfig
-	server.StartTLS()
-	defer server.Close()
-
-	httpClient := &http.Client{
-		Transport: &http.Transport{TLSClientConfig: clientTLSConfig},
-	}
-
-	resp, err := httpClient.Get(server.URL)
-	require.NoError(t, err)
-	require.Equal(t, resp.StatusCode, http.StatusOK)
-}
-
-func TestPEMPairEncryptDecrypt(t *testing.T) {
-	encKey := make([]byte, 32)
-	_, err := rand.Read(encKey)
-	require.NoError(t, err)
-
-	ca, _, _, err := NewAgent()
-	require.NoError(t, err)
-
-	encCA, err := ca.Encrypt(encKey)
-	require.NoError(t, err)
-	require.NotNil(t, encCA)
-
-	decCA, err := encCA.Decrypt(encKey)
-	require.NoError(t, err)
-	require.NotNil(t, decCA)
-
-	require.Equal(t, string(ca.Cert), string(decCA.Cert))
-	require.Equal(t, string(ca.Key), string(decCA.Key))
-}
--- a/agent/pkg/agent/templates/agent.compose.yml
+++ b/agent/pkg/agent/templates/agent.compose.yml
@@ -1,44 +0,0 @@
-services:
-  agent:
-    image: "{{.Image}}"
-    container_name: godoxy-agent
-    restart: always
-    network_mode: host # do not change this
-    environment:
-      AGENT_NAME: "{{.Name}}"
-      AGENT_PORT: "{{.Port}}"
-      AGENT_CA_CERT: "{{.CACert}}"
-      AGENT_SSL_CERT: "{{.SSLCert}}"
-      # use agent as a docker socket proxy: [host]:port
-      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
-      LISTEN_ADDR:
-      POST: false
-      ALLOW_RESTARTS: false
-      ALLOW_START: false
-      ALLOW_STOP: false
-      AUTH: false
-      BUILD: false
-      COMMIT: false
-      CONFIGS: false
-      CONTAINERS: false
-      DISTRIBUTION: false
-      EVENTS: true
-      EXEC: false
-      GRPC: false
-      IMAGES: false
-      INFO: false
-      NETWORKS: false
-      NODES: false
-      PING: true
-      PLUGINS: false
-      SECRETS: false
-      SERVICES: false
-      SESSION: false
-      SWARM: false
-      SYSTEM: false
-      TASKS: false
-      VERSION: true
-      VOLUMES: false
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./data:/app/data
--- a/agent/pkg/agentproxy/headers.go
+++ b/agent/pkg/agentproxy/headers.go
@@ -1,27 +0,0 @@
-package agentproxy
-
-import (
-	"net/http"
-	"strconv"
-)
-
-const (
-	HeaderXProxyHost                  = "X-Proxy-Host"
-	HeaderXProxyHTTPS                 = "X-Proxy-Https"
-	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
-	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
-)
-
-type AgentProxyHeaders struct {
-	Host                  string
-	IsHTTPS               bool
-	SkipTLSVerify         bool
-	ResponseHeaderTimeout int
-}
-
-func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
-	r.Header.Set(HeaderXProxyHost, headers.Host)
-	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
-	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
-	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
-}
--- a/agent/pkg/certs/zip.go
+++ b/agent/pkg/certs/zip.go
@@ -1,85 +0,0 @@
-package certs
-
-import (
-	"archive/zip"
-	"bytes"
-	"io"
-	"path/filepath"
-
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-const AgentCertsBasePath = "certs"
-
-func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
-	w, err := zipWriter.CreateHeader(&zip.FileHeader{
-		Name:   name,
-		Method: zip.Store,
-	})
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(data)
-	return err
-}
-
-func readFile(f *zip.File) ([]byte, error) {
-	r, err := f.Open()
-	if err != nil {
-		return nil, err
-	}
-	defer r.Close()
-	return io.ReadAll(r)
-}
-
-func ZipCert(ca, crt, key []byte) ([]byte, error) {
-	data := bytes.NewBuffer(make([]byte, 0, 6144))
-	zipWriter := zip.NewWriter(data)
-	defer zipWriter.Close()
-
-	if err := writeFile(zipWriter, "ca.pem", ca); err != nil {
-		return nil, err
-	}
-	if err := writeFile(zipWriter, "cert.pem", crt); err != nil {
-		return nil, err
-	}
-	if err := writeFile(zipWriter, "key.pem", key); err != nil {
-		return nil, err
-	}
-	if err := zipWriter.Close(); err != nil {
-		return nil, err
-	}
-	return data.Bytes(), nil
-}
-
-func isValidAgentHost(host string) bool {
-	return strutils.IsValidFilename(host + ".zip")
-}
-
-func AgentCertsFilepath(host string) (filepathOut string, ok bool) {
-	if !isValidAgentHost(host) {
-		return "", false
-	}
-	return filepath.Join(AgentCertsBasePath, host+".zip"), true
-}
-
-func ExtractCert(data []byte) (ca, crt, key []byte, err error) {
-	zipReader, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	for _, file := range zipReader.File {
-		switch file.Name {
-		case "ca.pem":
-			ca, err = readFile(file)
-		case "cert.pem":
-			crt, err = readFile(file)
-		case "key.pem":
-			key, err = readFile(file)
-		}
-		if err != nil {
-			return nil, nil, nil, err
-		}
-	}
-	return ca, crt, key, nil
-}
--- a/agent/pkg/certs/zip_test.go
+++ b/agent/pkg/certs/zip_test.go
@@ -1,20 +0,0 @@
-package certs_test
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-)
-
-func TestZipCert(t *testing.T) {
-	ca, crt, key := []byte("test1"), []byte("test2"), []byte("test3")
-	zipData, err := certs.ZipCert(ca, crt, key)
-	require.NoError(t, err)
-
-	ca2, crt2, key2, err := certs.ExtractCert(zipData)
-	require.NoError(t, err)
-	require.Equal(t, ca, ca2)
-	require.Equal(t, crt, crt2)
-	require.Equal(t, key, key2)
-}
--- a/agent/pkg/env/env.go
+++ b/agent/pkg/env/env.go
@@ -1,38 +0,0 @@
-package env
-
-import (
-	"os"
-
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-func DefaultAgentName() string {
-	name, err := os.Hostname()
-	if err != nil {
-		return "agent"
-	}
-	return name
-}
-
-var (
-	AgentName                string
-	AgentPort                int
-	AgentSkipClientCertCheck bool
-	AgentCACert              string
-	AgentSSLCert             string
-	DockerSocket             string
-)
-
-func init() {
-	Load()
-}
-
-func Load() {
-	DockerSocket = common.GetEnvString("DOCKER_SOCKET", "/var/run/docker.sock")
-	AgentName = common.GetEnvString("AGENT_NAME", DefaultAgentName())
-	AgentPort = common.GetEnvInt("AGENT_PORT", 8890)
-	AgentSkipClientCertCheck = common.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
-
-	AgentCACert = common.GetEnvString("AGENT_CA_CERT", "")
-	AgentSSLCert = common.GetEnvString("AGENT_SSL_CERT", "")
-}
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@@ -1,80 +0,0 @@
-package handler
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/types"
-	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
-)
-
-var defaultHealthConfig = types.DefaultHealthConfig()
-
-func CheckHealth(w http.ResponseWriter, r *http.Request) {
-	query := r.URL.Query()
-	scheme := query.Get("scheme")
-	if scheme == "" {
-		http.Error(w, "missing scheme", http.StatusBadRequest)
-		return
-	}
-
-	var result *types.HealthCheckResult
-	var err error
-	switch scheme {
-	case "fileserver":
-		path := query.Get("path")
-		if path == "" {
-			http.Error(w, "missing path", http.StatusBadRequest)
-			return
-		}
-		_, err := os.Stat(path)
-		result = &types.HealthCheckResult{Healthy: err == nil}
-		if err != nil {
-			result.Detail = err.Error()
-		}
-	case "http", "https": // path is optional
-		host := query.Get("host")
-		path := query.Get("path")
-		if host == "" {
-			http.Error(w, "missing host", http.StatusBadRequest)
-			return
-		}
-		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
-			Scheme: scheme,
-			Host:   host,
-			Path:   path,
-		}, defaultHealthConfig).CheckHealth()
-	case "tcp", "udp":
-		host := query.Get("host")
-		if host == "" {
-			http.Error(w, "missing host", http.StatusBadRequest)
-			return
-		}
-		hasPort := strings.Contains(host, ":")
-		port := query.Get("port")
-		if port != "" && hasPort {
-			http.Error(w, "port and host with port cannot both be provided", http.StatusBadRequest)
-			return
-		}
-		if port != "" {
-			host = fmt.Sprintf("%s:%s", host, port)
-		}
-		result, err = monitor.NewRawHealthMonitor(&url.URL{
-			Scheme: scheme,
-			Host:   host,
-		}, defaultHealthConfig).CheckHealth()
-	}
-
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadGateway)
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(result)
-}
--- a/agent/pkg/handler/check_health_test.go
+++ b/agent/pkg/handler/check_health_test.go
@@ -1,226 +0,0 @@
-package handler_test
-
-import (
-	"encoding/json"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"strconv"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/types"
-)
-
-func TestCheckHealthHTTP(t *testing.T) {
-	tests := []struct {
-		name            string
-		setupServer     func() *httptest.Server
-		queryParams     map[string]string
-		expectedStatus  int
-		expectedHealthy bool
-	}{
-		{
-			name: "Valid",
-			setupServer: func() *httptest.Server {
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-					w.WriteHeader(http.StatusOK)
-				}))
-			},
-			queryParams: map[string]string{
-				"scheme": "http",
-				"host":   "localhost",
-				"path":   "/",
-			},
-			expectedStatus:  http.StatusOK,
-			expectedHealthy: true,
-		},
-		{
-			name:        "InvalidQuery",
-			setupServer: nil,
-			queryParams: map[string]string{
-				"scheme": "http",
-			},
-			expectedStatus: http.StatusBadRequest,
-		},
-		{
-			name:        "ConnectionError",
-			setupServer: nil,
-			queryParams: map[string]string{
-				"scheme": "http",
-				"host":   "localhost:12345",
-			},
-			expectedStatus:  http.StatusOK,
-			expectedHealthy: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var server *httptest.Server
-			if tt.setupServer != nil {
-				server = tt.setupServer()
-				defer server.Close()
-				u, _ := url.Parse(server.URL)
-				tt.queryParams["scheme"] = u.Scheme
-				tt.queryParams["host"] = u.Host
-				tt.queryParams["path"] = u.Path
-			}
-
-			recorder := httptest.NewRecorder()
-			query := url.Values{}
-			for key, value := range tt.queryParams {
-				query.Set(key, value)
-			}
-			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
-			handler.CheckHealth(recorder, request)
-
-			require.Equal(t, recorder.Code, tt.expectedStatus)
-
-			if tt.expectedStatus == http.StatusOK {
-				var result types.HealthCheckResult
-				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
-				require.Equal(t, result.Healthy, tt.expectedHealthy)
-			}
-		})
-	}
-}
-
-func TestCheckHealthFileServer(t *testing.T) {
-	tests := []struct {
-		name            string
-		path            string
-		expectedStatus  int
-		expectedHealthy bool
-		expectedDetail  string
-	}{
-		{
-			name:            "ValidPath",
-			path:            t.TempDir(),
-			expectedStatus:  http.StatusOK,
-			expectedHealthy: true,
-			expectedDetail:  "",
-		},
-		{
-			name:            "InvalidPath",
-			path:            "/invalid",
-			expectedStatus:  http.StatusOK,
-			expectedHealthy: false,
-			expectedDetail:  "stat /invalid: no such file or directory",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			query := url.Values{}
-			query.Set("scheme", "fileserver")
-			query.Set("path", tt.path)
-
-			recorder := httptest.NewRecorder()
-			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
-			handler.CheckHealth(recorder, request)
-
-			require.Equal(t, recorder.Code, tt.expectedStatus)
-
-			var result types.HealthCheckResult
-			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
-			require.Equal(t, result.Healthy, tt.expectedHealthy)
-			require.Equal(t, result.Detail, tt.expectedDetail)
-		})
-	}
-}
-
-func TestCheckHealthTCPUDP(t *testing.T) {
-	tcp, err := net.Listen("tcp", "localhost:0")
-	require.NoError(t, err)
-	go func() {
-		conn, err := tcp.Accept()
-		require.NoError(t, err)
-		conn.Close()
-	}()
-
-	udp, err := net.ListenPacket("udp", "localhost:0")
-	require.NoError(t, err)
-	go func() {
-		buf := make([]byte, 1024)
-		n, addr, err := udp.ReadFrom(buf)
-		require.NoError(t, err)
-		require.Equal(t, string(buf[:n]), "ping")
-		_, _ = udp.WriteTo([]byte("pong"), addr)
-		udp.Close()
-	}()
-
-	tests := []struct {
-		name            string
-		scheme          string
-		host            string
-		port            int
-		expectedStatus  int
-		expectedHealthy bool
-	}{
-		{
-			name:            "ValidTCP",
-			scheme:          "tcp",
-			host:            "localhost",
-			port:            tcp.Addr().(*net.TCPAddr).Port,
-			expectedStatus:  http.StatusOK,
-			expectedHealthy: true,
-		},
-		{
-			name:            "InvalidHost",
-			scheme:          "tcp",
-			host:            "",
-			port:            8080,
-			expectedStatus:  http.StatusBadRequest,
-			expectedHealthy: false,
-		},
-		{
-			name:            "ValidUDP",
-			scheme:          "udp",
-			host:            "localhost",
-			port:            udp.LocalAddr().(*net.UDPAddr).Port,
-			expectedStatus:  http.StatusOK,
-			expectedHealthy: true,
-		},
-		{
-			name:            "InvalidHost",
-			scheme:          "udp",
-			host:            "",
-			port:            8080,
-			expectedStatus:  http.StatusBadRequest,
-			expectedHealthy: false,
-		},
-		{
-			name:            "Port in both host and port",
-			scheme:          "tcp",
-			host:            "localhost:1234",
-			port:            1234,
-			expectedStatus:  http.StatusBadRequest,
-			expectedHealthy: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			query := url.Values{}
-			query.Set("scheme", tt.scheme)
-			query.Set("host", tt.host)
-			query.Set("port", strconv.Itoa(tt.port))
-
-			recorder := httptest.NewRecorder()
-			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
-			handler.CheckHealth(recorder, request)
-
-			require.Equal(t, recorder.Code, tt.expectedStatus)
-
-			if tt.expectedStatus == http.StatusOK {
-				var result types.HealthCheckResult
-				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
-				require.Equal(t, result.Healthy, tt.expectedHealthy)
-			}
-		})
-	}
-}
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@@ -1,57 +0,0 @@
-package handler
-
-import (
-	"fmt"
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gorilla/websocket"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/pkg"
-	socketproxy "github.com/yusing/go-proxy/socketproxy/pkg"
-)
-
-type ServeMux struct{ *http.ServeMux }
-
-func (mux ServeMux) HandleEndpoint(method, endpoint string, handler http.HandlerFunc) {
-	mux.ServeMux.HandleFunc(method+" "+agent.APIEndpointBase+endpoint, handler)
-}
-
-func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
-	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
-}
-
-var upgrader = &websocket.Upgrader{
-	// no origin check needed for internal websocket
-	CheckOrigin: func(r *http.Request) bool {
-		return true
-	},
-}
-
-func NewAgentHandler() http.Handler {
-	gin.SetMode(gin.ReleaseMode)
-	mux := ServeMux{http.NewServeMux()}
-
-	metricsHandler := gin.Default()
-	{
-		metrics := metricsHandler.Group(agent.APIEndpointBase)
-		metrics.GET(agent.EndpointSystemInfo, func(c *gin.Context) {
-			c.Set("upgrader", upgrader)
-			systeminfo.Poller.ServeHTTP(c)
-		})
-	}
-
-	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
-	mux.HandleEndpoint("GET", agent.EndpointVersion, func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprint(w, pkg.GetVersion())
-	})
-	mux.HandleEndpoint("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprint(w, env.AgentName)
-	})
-	mux.HandleEndpoint("GET", agent.EndpointHealth, CheckHealth)
-	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, metricsHandler.ServeHTTP)
-	mux.ServeMux.HandleFunc("/", socketproxy.DockerSocketHandler(env.DockerSocket))
-	return mux
-}
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -1,67 +0,0 @@
-package handler
-
-import (
-	"crypto/tls"
-	"net/http"
-	"net/http/httputil"
-	"strconv"
-	"time"
-
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/agentproxy"
-)
-
-func NewTransport() *http.Transport {
-	return &http.Transport{
-		MaxIdleConnsPerHost:   100,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 1 * time.Second,
-		ResponseHeaderTimeout: 60 * time.Second,
-		WriteBufferSize:       16 * 1024, // 16KB
-		ReadBufferSize:        16 * 1024, // 16KB
-	}
-}
-
-func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
-	host := r.Header.Get(agentproxy.HeaderXProxyHost)
-	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
-	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
-	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
-	if err != nil {
-		responseHeaderTimeout = 0
-	}
-
-	if host == "" {
-		http.Error(w, "missing required headers", http.StatusBadRequest)
-		return
-	}
-
-	scheme := "http"
-	if isHTTPS {
-		scheme = "https"
-	}
-
-	transport := NewTransport()
-	if skipTLSVerify {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-
-	if responseHeaderTimeout > 0 {
-		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
-	}
-
-	r.URL.Scheme = ""
-	r.URL.Host = ""
-	r.URL.Path = r.URL.Path[agent.HTTPProxyURLPrefixLen:] // strip the {API_BASE}/proxy/http prefix
-	r.RequestURI = r.URL.String()
-
-	rp := &httputil.ReverseProxy{
-		Director: func(r *http.Request) {
-			r.URL.Scheme = scheme
-			r.URL.Host = host
-		},
-		Transport: transport,
-	}
-	rp.ServeHTTP(w, r)
-}
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -1,43 +0,0 @@
-package server
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"net/http"
-
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/net/gphttp/server"
-	"github.com/yusing/go-proxy/internal/task"
-)
-
-type Options struct {
-	CACert, ServerCert *tls.Certificate
-	Port               int
-}
-
-func StartAgentServer(parent task.Parent, opt Options) {
-	caCertPool := x509.NewCertPool()
-	caCertPool.AddCert(opt.CACert.Leaf)
-
-	// Configure TLS
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{*opt.ServerCert},
-		ClientCAs:    caCertPool,
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-
-	if env.AgentSkipClientCertCheck {
-		tlsConfig.ClientAuth = tls.NoClientCert
-	}
-
-	agentServer := &http.Server{
-		Addr:      fmt.Sprintf(":%d", opt.Port),
-		Handler:   handler.NewAgentHandler(),
-		TLSConfig: tlsConfig,
-	}
-
-	server.Start(parent, agentServer, nil, &log.Logger)
-}
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,81 +0,0 @@
-package main
-
-import (
-	"os"
-	"sync"
-
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/auth"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/dnsproviders"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
-)
-
-func parallel(fns ...func()) {
-	var wg sync.WaitGroup
-	for _, fn := range fns {
-		wg.Go(fn)
-	}
-	wg.Wait()
-}
-
-func main() {
-	initProfiling()
-
-	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
-	log.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
-	log.Trace().Msg("trace enabled")
-	parallel(
-		dnsproviders.InitProviders,
-		homepage.InitIconListCache,
-		systeminfo.Poller.Start,
-		middleware.LoadComposeFiles,
-	)
-
-	if common.APIJWTSecret == nil {
-		log.Warn().Msg("API_JWT_SECRET is not set, using random key")
-		common.APIJWTSecret = common.RandomJWTKey()
-	}
-
-	for _, dir := range common.RequiredDirectories {
-		prepareDirectory(dir)
-	}
-
-	cfg, err := config.Load()
-	if err != nil {
-		gperr.LogWarn("errors in config", err)
-	}
-
-	cfg.Start(&config.StartServersOptions{
-		Proxy: true,
-	})
-	if err := auth.Initialize(); err != nil {
-		log.Fatal().Err(err).Msg("failed to initialize authentication")
-	}
-	// API Handler needs to start after auth is initialized.
-	cfg.StartServers(&config.StartServersOptions{
-		API: true,
-	})
-
-	uptime.Poller.Start()
-	config.WatchChanges()
-
-	task.WaitExit(cfg.Value().TimeoutShutdown)
-}
-
-func prepareDirectory(dir string) {
-	if _, err := os.Stat(dir); os.IsNotExist(err) {
-		if err = os.MkdirAll(dir, 0o755); err != nil {
-			log.Fatal().Msgf("failed to create directory %s: %v", dir, err)
-		}
-	}
-}
--- a/cmd/pprof_production.go
+++ b/cmd/pprof_production.go
@@ -1,7 +0,0 @@
-//go:build !pprof
-
-package main
-
-func initProfiling() {
-	// no profiling in production
-}
--- a/cmd/pprof_prof.go
+++ b/cmd/pprof_prof.go
@@ -1,45 +0,0 @@
-//go:build pprof
-
-package main
-
-import (
-	"net/http"
-	_ "net/http/pprof"
-	"runtime"
-	"runtime/debug"
-	"time"
-
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-const mb = 1024 * 1024
-
-func initProfiling() {
-	debug.SetGCPercent(-1)
-	debug.SetMemoryLimit(50 * mb)
-	debug.SetMaxStack(4 * mb)
-
-	go func() {
-		log.Info().Msgf("pprof server started at http://localhost:7777/debug/pprof/")
-		log.Error().Err(http.ListenAndServe(":7777", nil)).Msg("pprof server failed")
-	}()
-	go func() {
-		ticker := time.NewTicker(time.Second * 10)
-		defer ticker.Stop()
-		for range ticker.C {
-			var m runtime.MemStats
-			runtime.ReadMemStats(&m)
-			log.Info().Msgf("-----------------------------------------------------")
-			log.Info().Msgf("Timestamp: %s", time.Now().Format(time.RFC3339))
-			log.Info().Msgf("  Go Heap - In Use (Alloc/HeapAlloc): %s", strutils.FormatByteSize(m.Alloc))
-			log.Info().Msgf("  Go Heap - Reserved from OS (HeapSys): %s", strutils.FormatByteSize(m.HeapSys))
-			log.Info().Msgf("  Go Stacks - In Use (StackInuse): %s", strutils.FormatByteSize(m.StackInuse))
-			log.Info().Msgf("  Go Runtime - Other Sys (MSpanInuse, MCacheInuse, BuckHashSys, GCSys, OtherSys): %s", strutils.FormatByteSize(m.MSpanInuse+m.MCacheInuse+m.BuckHashSys+m.GCSys+m.OtherSys))
-			log.Info().Msgf("  Go Runtime - Total from OS (Sys): %s", strutils.FormatByteSize(m.Sys))
-			log.Info().Msgf("  Number of Goroutines: %d", runtime.NumGoroutine())
-			log.Info().Msgf("  Number of GCs: %d", m.NumGC)
-			log.Info().Msg("-----------------------------------------------------")
-		}
-	}()
-}
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,81 +1,45 @@
---
+version: '3'
 services:
-  socket-proxy:
-    container_name: socket-proxy
-    image: ghcr.io/yusing/socket-proxy:latest
-    environment:
-      - ALLOW_START=1
-      - ALLOW_STOP=1
-      - ALLOW_RESTARTS=1
-      - CONTAINERS=1
-      - EVENTS=1
-      - INFO=1
-      - PING=1
-      - POST=1
-      - VERSION=1
-    volumes:
-      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
-    restart: unless-stopped
-    tmpfs:
-      - /run
-    ports:
-      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
-  frontend:
-    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
-    container_name: godoxy-frontend
-    restart: unless-stopped
-    network_mode: host # do not change this
-    env_file: .env
-    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
-    read_only: true
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - all
-    depends_on:
-      - app
-    environment:
-      HOSTNAME: 127.0.0.1
-      PORT: ${GODOXY_FRONTEND_PORT:-3000}
-    labels:
-      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
-      proxy.#1.port: ${GODOXY_FRONTEND_PORT:-3000}
-      # proxy.#1.middlewares.cidr_whitelist: |
-      #   status: 403
-      #   message: IP not allowed
-      #   allow:
-      #     - 127.0.0.1
-      #     - 10.0.0.0/8
-      #     - 192.168.0.0/16
-      #     - 172.16.0.0/12
  app:
-    image: ghcr.io/yusing/godoxy:${TAG:-latest}
-    container_name: godoxy-proxy
+    image: ghcr.io/yusing/go-proxy:latest
+    container_name: go-proxy
    restart: always
-    network_mode: host # do not change this
-    env_file: .env
-    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
-    depends_on:
-      socket-proxy:
-        condition: service_started
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - all
-    cap_add:
-      - NET_BIND_SERVICE
-    environment:
-      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
+    networks: # ^also add here
+      - default
+    ports:
+      - 80:80 # http proxy
+      - 8080:8080 # http panel
+      # - 443:443 # optional, https proxy
+      # - 8443:8443 # optional, https panel
+
+      # optional, if you declared any tcp/udp proxy, set a range you want to use
+      # - 20000:20100/tcp
+      # - 20000:20100/udp
    volumes:
      - ./config:/app/config
-      - ./logs:/app/logs
-      - ./error_pages:/app/error_pages:ro
-      - ./data:/app/data

-      # To use autocert, certs will be stored in "./certs".
-      # You can also use a docker volume to store it
-      - ./certs:/app/certs
+      # if local docker provider is used
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      
+      # use existing certificate
+      # - /path/to/cert.pem:/app/certs/cert.crt:ro
+      # - /path/to/privkey.pem:/app/certs/priv.key:ro

-      # remove "./certs:/app/certs" and uncomment below to use existing certificate
-      # - /path/to/certs/cert.crt:/app/certs/cert.crt
-      # - /path/to/certs/priv.key:/app/certs/priv.key
+      # store autocert obtained cert
+      # - ./certs:/app/certs
+    
+    # workaround for "lookup: no such host"
+    # dns:
+    #   - 127.0.0.1
+
+    # if you have container running in "host" network mode
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
+    logging:
+      driver: 'json-file'
+      options:
+        max-file: '1'
+        max-size: 128k
+networks: # ^you may add other external networks
+  default:
+    driver: bridge
--- a/config.example.yml
+++ b/config.example.yml
@@ -1,133 +1,21 @@
-# Autocert (choose one below and uncomment to enable)
-#
-# 1. use existing cert
-
-# autocert:
-#   provider: local
-
-# 2. cloudflare
-# autocert:
-#   provider: cloudflare
-#   email: abc@gmail.com # ACME Email
-#   domains: # a list of domains for cert registration
-#     - "*.domain.com"
-#     - "domain.com"
-#   options:
-#     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
-
-# 3. other providers, see https://docs.godoxy.dev/DNS-01-Providers
-
-# acl:
-#   default: allow # or deny (default: allow)
-#   allow_local: true # or false (default: true)
-#   allow:
-#     - ip:1.2.3.4
-#     - cidr:1.2.3.4/32
-#     - country:US
-#     - timezone:Asia/Shanghai
-#   deny:
-#     - ip:1.2.3.4
-#     - cidr:1.2.3.4/32
-#     - country:US
-#     - timezone:Asia/Shanghai
-#   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
-#     buffer_size: 65536 # (default: 64KB)
-#     path: /app/logs/acl.log # (default: none)
-#     stdout: false # (default: false)
-#     keep: last 10 # (default: none)
-
-entrypoint:
-  # Below define an example of middleware config
-  # 1. set security headers
-  # 2. block non local IP connections
-  # 3. redirect HTTP to HTTPS
-  #
-  middlewares:
-    - use: CloudflareRealIP
-    - use: ModifyResponse
-      set_headers:
-        Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
-        Access-Control-Allow-Headers: "*"
-        Access-Control-Allow-Origin: "*"
-        Access-Control-Max-Age: 180
-        Vary: "*"
-        X-XSS-Protection: 1; mode=block
-        Content-Security-Policy: "object-src 'self'; frame-ancestors 'self';"
-        X-Content-Type-Options: nosniff
-        X-Frame-Options: SAMEORIGIN
-        Referrer-Policy: same-origin
-        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
-    # - use: CIDRWhitelist
-    #   allow:
-    #     - "127.0.0.1"
-    #     - "10.0.0.0/8"
-    #     - "172.16.0.0/12"
-    #     - "192.168.0.0/16"
-    #   status: 403
-    #   message: "Forbidden"
-    # - use: RedirectHTTP
-
-  # below enables access log
-  access_log:
-    format: combined
-    path: /app/logs/entrypoint.log
-
+# Autocert (uncomment to enable)
+# autocert: # (optional, if you need autocert feature)
+#   email: "user@domain.com" # (required) email for acme certificate
+#   domains: # (required)
+#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
+#   provider: cloudflare # (required) dns challenge provider (string)
+#   options: # provider specific options
+#     auth_token: "YOUR_ZONE_API_TOKEN"
 providers:
-  # include files are standalone yaml files under `config/` directory
-  #
-  # include:
-  #   - file1.yml
-  #   - file2.yml
-
-  docker:
-    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
-    local: $DOCKER_HOST
-
-    # explicit only mode
-    # only containers with explicit aliases will be proxied
-    # add "!" after provider name to enable explicit only mode
-    #
-    # local!: $DOCKER_HOST
-    #
-    # add more docker providers if needed
+  local:
+    kind: docker
    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    #
-    # remote-1: tcp://10.0.2.1:2375
-    # remote-2: ssh://root:1234@10.0.2.2
+    # i.e. FROM_ENV, ssh://user@10.0.1.1:22, tcp://10.0.2.1:2375
+    value: FROM_ENV
+  providers:
+    kind: file
+    value: providers.yml

-  # notification providers (notify when service health changes)
-  #
-  # notification:
-  #   - name: gotify
-  #     provider: gotify
-  #     url: https://gotify.domain.tld
-  #     token: abcd
-  #   - name: discord
-  #     provider: webhook
-  #     url: https://discord.com/api/webhooks/...
-  #     template: discord # this means use payload template from internal/notif/templates/discord.json
-
-  # Proxmox providers (for idlesleep support for proxmox LXCs)
-  #
-  # proxmox:
-  #   - url: https://pve.domain.com:8006/api2/json
-  #     token_id: root@pam!abcdef
-  #     secret: aaaa-bbbb-cccc-dddd
-  #     no_tls_verify: true
-
-# Check https://docs.godoxy.dev/Certificates-and-domain-matching
-# for explaination of `match_domains`
-#
-# match_domains:
-#   - my.site
-#   - node1.my.app
-
-# homepage config
-homepage:
-  # use default app categories detected from alias or docker image name
-  use_default_categories: true
-
-# Below are fixed options (non hot-reloadable)
-
-# timeout for shutdown (in seconds)
-timeout_shutdown: 5
+# Fixed options (optional, non hot-reloadable)
+# timeout_shutdown: 5
+# redirect_to_https: false
--- a/docs/add_dns_provider.md
+++ b/docs/add_dns_provider.md
@@ -0,0 +1,41 @@
+# Adding provider support
+
+## **CloudDNS** as an example
+
+1. Fork this repo, modify [autocert.go](../src/go-proxy/autocert.go#L305)
+
+   ```go
+   var providersGenMap = map[string]ProviderGenerator{
+     "cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+     // add here, i.e.
+     "clouddns": providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
+   }
+   ```
+
+2. Go to [https://go-acme.github.io/lego/dns/clouddns](https://go-acme.github.io/lego/dns/clouddns/) and check for required config
+
+3. Build `go-proxy` with `make build`
+
+4. Set required config in `config.yml` `autocert` -> `options` section
+
+   ```shell
+   # From https://go-acme.github.io/lego/dns/clouddns/
+   CLOUDDNS_CLIENT_ID=bLsdFAks23429841238feb177a572aX \
+   CLOUDDNS_EMAIL=you@example.com \
+   CLOUDDNS_PASSWORD=b9841238feb177a84330f \
+   lego --email you@example.com --dns clouddns --domains my.example.org run
+   ```
+
+   Should turn into:
+
+   ```yaml
+   autocert:
+     ...
+     options:
+       client_id: bLsdFAks23429841238feb177a572aX
+       email: you@example.com
+       password: b9841238feb177a84330f
+   ```
+
+5. Run with `GOPROXY_NO_SCHEMA_VALIDATION=1` and test if it works
+6. Commit and create pull request
--- a/docs/binary.md
+++ b/docs/binary.md
@@ -0,0 +1,59 @@
+# Getting started with `go-proxy` (binary)
+
+## Setup
+
+1. Install `bash`, `make` and `wget` if not already
+
+2. Run setup script
+
+   To specitfy a version _(optional)_
+
+   ```shell
+   export VERSION=latest # will be resolved into real version number
+   export VERSION=<version>
+   ```
+
+   If you don't need web config editor
+
+   ```shell
+   export SETUP_CODEMIRROR=0
+   ```
+
+   Setup
+
+   ```shell
+   wget -qO- https://6uo.me/go-proxy-setup-binary | sudo bash
+   ```
+
+   What it does:
+
+   - Download source file and binary into /opt/go-proxy/$VERSION
+   - Setup `config.yml` and `providers.yml`
+   - Setup `template/codemirror` which is a dependency for web config editor
+   - Create a systemd service (if available) in `/etc/systemd/system/go-proxy.service`
+   - Enable and start `go-proxy` service
+
+3. Start editing config files in `http://<ip>:8080`
+
+4. Check logs / status with `systemctl status go-proxy`
+
+## Setup (alternative method)
+
+1. Download the latest release and extract somewhere
+
+2. Run `make setup` and _(optional) `make setup-codemirror`_
+
+3. Enable HTTPS _(optional)_
+
+   - To use autocert feature
+
+     complete `autocert` in `config/config.yml`
+
+   - To use existing certificate
+
+     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
+
+     - cert / chain / fullchain: `certs/cert.crt`
+     - private key: `certs/priv.key`
+
+4. Run the binary `bin/go-proxy`
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -0,0 +1,365 @@
+# Docker container guide
+
+## Table of content
+
+<!-- TOC -->
+- [Table of content](#table-of-content)
+- [Setup](#setup)
+- [Labels](#labels)
+- [Labels (docker specific)](#labels-docker-specific)
+- [Troubleshooting](#troubleshooting)
+- [Docker compose examples](#docker-compose-examples)
+  - [Local docker provider in bridge network](#local-docker-provider-in-bridge-network)
+  - [Remote docker provider](#remote-docker-provider)
+    - [Explaination](#explaination)
+    - [Remote setup](#remote-setup)
+    - [Proxy setup](#proxy-setup)
+  - [Local docker provider in host network](#local-docker-provider-in-host-network)
+    - [Proxy setup](#proxy-setup)
+  - [Services URLs for above examples](#services-urls-for-above-examples)
+<!-- /TOC -->
+
+## Setup
+
+1. Install `wget` if not already
+
+2. Run setup script
+
+   `bash <(wget -qO- https://6uo.me/go-proxy-setup-docker)`
+
+   What it does:
+
+   - Create required directories
+   - Setup `config.yml` and `compose.yml`
+
+3. Verify folder structure and then `cd go-proxy`
+
+   ```plain
+   go-proxy
+   ├── certs
+   ├── compose.yml
+   └── config
+       ├── config.yml
+       └── providers.yml
+   ```
+
+4. Enable HTTPs _(optional)_
+
+   - To use autocert feature
+
+     - completing `autocert` section in `config/config.yml`
+     - mount `certs/` to `/app/certs` to store obtained certs
+
+   - To use existing certificate
+
+     mount your wildcard (`*.y.z`) SSL cert
+
+     - cert / chain / fullchain -> `/app/certs/cert.crt`
+     - private key -> `/app/certs/priv.key`
+
+5. Modify `compose.yml` fit your needs
+
+   Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+
+6. Run `docker compose up -d` to start the container
+
+7. Start editing config files in `http://<ip>:8080`
+
+[🔼Back to top](#table-of-content)
+
+## Labels
+
+- `proxy.aliases`: comma separated aliases for subdomain matching
+
+  - default: container name
+
+- `proxy.*.<field>`: wildcard label for all aliases
+
+Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.nginx.scheme: http`)
+
+- `scheme`: proxy protocol
+  - default: `http`
+  - allowed: `http`, `https`, `tcp`, `udp`
+- `host`: proxy host
+  - default: `container_name`
+- `port`: proxy port
+  - default: first expose port (declared in `Dockerfile` or `docker-compose.yml`)
+  - `http(s)`: number in range og `0 - 65535`
+  - `tcp/udp`: `[<listeningPort>:]<targetPort>`
+    - `listeningPort`: number, when it is omitted (not suggested), a free port starting from 20000 will be used.
+    - `targetPort`: number, or predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
+- `no_tls_verify`: whether skip tls verify when scheme is https
+  - default: `false`
+- `path`: proxy path _(http(s) proxy only)_
+  - default: empty
+- `path_mode`: mode for path handling
+
+  - default: empty
+  - allowed: empty, `forward`, `sub`
+
+    - `empty`: remove path prefix from URL when proxying
+      1. apps.y.z/webdav -> webdav:80
+      2. apps.y.z./webdav/path/to/file -> webdav:80/path/to/file
+    - `forward`: path remain unchanged
+      1. apps.y.z/webdav -> webdav:80/webdav
+      2. apps.y.z./webdav/path/to/file -> webdav:80/webdav/path/to/file
+    - `sub`: **(experimental)** remove path prefix from URL and also append path to HTML link attributes (`src`, `href` and `action`) and Javascript `fetch(url)` by response body substitution
+      e.g. apps.y.z/app1 -> webdav:80, `href="/app1/path/to/file"` -> `href="/path/to/file"`
+
+  - `set_headers`: a list of header to set, (key:value, one by line)
+
+    Duplicated keys will be treated as multiple-value headers
+
+    ```yaml
+    labels:
+      proxy.app.set_headers: |
+        X-Custom-Header1: value1
+        X-Custom-Header1: value2
+        X-Custom-Header2: value2
+    ```
+
+  - `hide_headers`: comma seperated list of headers to hide
+
+[🔼Back to top](#table-of-content)
+
+## Labels (docker specific)
+
+Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.app.load_balance=1`)
+
+- `load_balance`: enable load balance
+  - allowed: `1`, `true`
+
+[🔼Back to top](#table-of-content)
+
+## Troubleshooting
+
+- Firewall issues
+
+  If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:
+
+  `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+
+  Explaination:
+
+  Docker network is usually `172.16.0.0/16`
+
+  Tailscale is used as an example, `100.64.0.0/10` will be the CIDR
+
+  You can also list CIDRs of all docker bridge networks by:
+
+  `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+
+[🔼Back to top](#table-of-content)
+
+## Docker compose examples
+
+### Local docker provider in bridge network
+
+```yaml
+volumes:
+  adg-work:
+  adg-conf:
+  mc-data:
+  palworld:
+  nginx:
+services:
+  adg:
+    image: adguard/adguardhome
+    restart: unless-stopped
+    labels:
+      - proxy.aliases=adg,adg-dns,adg-setup
+      - proxy.adg.port=80
+      - proxy.adg-setup.port=3000
+      - proxy.adg-dns.scheme=udp
+      - proxy.adg-dns.port=20000:dns
+    volumes:
+      - adg-work:/opt/adguardhome/work
+      - adg-conf:/opt/adguardhome/conf
+  mc:
+    image: itzg/minecraft-server
+    tty: true
+    stdin_open: true
+    container_name: mc
+    restart: unless-stopped
+    labels:
+      - proxy.mc.scheme=tcp
+      - proxy.mc.port=20001:25565
+    environment:
+      - EULA=TRUE
+    volumes:
+      - mc-data:/data
+  palworld:
+    image: thijsvanloef/palworld-server-docker:latest
+    restart: unless-stopped
+    container_name: pal
+    stop_grace_period: 30s
+    labels:
+      - proxy.aliases=pal1,pal2
+      - proxy.*.scheme=udp
+      - proxy.pal1.port=20002:8211
+      - proxy.pal2.port=20003:27015
+    environment: ...
+    volumes:
+      - palworld:/palworld
+  nginx:
+    image: nginx
+    container_name: nginx
+    volumes:
+      - nginx:/usr/share/nginx/html
+  go-proxy:
+    image: ghcr.io/yusing/go-proxy
+    container_name: go-proxy
+    restart: always
+    ports:
+      - 80:80 # http
+      - 443:443 # optional, https
+      - 8080:8080 # http panel
+      - 8443:8443 # optional, https panel
+
+      - 53:20000/udp # adguardhome
+      - 25565:20001/tcp # minecraft
+      - 8211:20002/udp # palworld
+      - 27015:20003/udp # palworld
+    volumes:
+      - ./config:/app/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      - proxy.aliases=gp
+      - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Remote docker provider
+
+#### Explaination
+
+- Expose container ports to random port in remote host
+- Use container port with an asterisk sign **(\*)** before to find remote port automatically
+
+#### Remote setup
+
+```yaml
+volumes:
+  adg-work:
+  adg-conf:
+  mc-data:
+  palworld:
+  nginx:
+services:
+  adg:
+    image: adguard/adguardhome
+    restart: unless-stopped
+    ports: # map container ports
+      - 80
+      - 3000
+      - 53/udp
+      - 53/tcp
+    labels:
+      - proxy.aliases=adg,adg-dns,adg-setup
+      # add an asterisk (*) before to find host port automatically
+      - proxy.adg.port=*80
+      - proxy.adg-setup.port=*3000
+      - proxy.adg-dns.scheme=udp
+      - proxy.adg-dns.port=*53
+    volumes:
+      - adg-work:/opt/adguardhome/work
+      - adg-conf:/opt/adguardhome/conf
+  mc:
+    image: itzg/minecraft-server
+    tty: true
+    stdin_open: true
+    container_name: mc
+    restart: unless-stopped
+    ports:
+      - 25565
+    labels:
+      - proxy.mc.scheme=tcp
+      - proxy.mc.port=*25565
+    environment:
+      - EULA=TRUE
+    volumes:
+      - mc-data:/data
+  palworld:
+    image: thijsvanloef/palworld-server-docker:latest
+    restart: unless-stopped
+    container_name: pal
+    stop_grace_period: 30s
+    ports:
+      - 8211/udp
+      - 27015/udp
+    labels:
+      - proxy.aliases=pal1,pal2
+      - proxy.*.scheme=udp
+      - proxy.pal1.port=*8211
+      - proxy.pal2.port=*27015
+    environment: ...
+    volumes:
+      - palworld:/palworld
+  nginx:
+    image: nginx
+    container_name: nginx
+    # for single port container, host port will be found automatically
+    ports:
+      - 80
+    volumes:
+      - nginx:/usr/share/nginx/html
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Proxy setup
+
+```yaml
+go-proxy:
+  image: ghcr.io/yusing/go-proxy
+  container_name: go-proxy
+  restart: always
+  network_mode: host
+  volumes:
+    - ./config:/app/config
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+  labels:
+    - proxy.aliases=gp
+    - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Local docker provider in host network
+
+Mostly as remote docker setup, see [remote setup](#remote-setup)
+
+With `GOPROXY_HOST_NETWORK=1` to treat it as remote docker provider
+
+#### Proxy setup
+
+```yaml
+go-proxy:
+  image: ghcr.io/yusing/go-proxy
+  container_name: go-proxy
+  restart: always
+  network_mode: host
+  environment: # this part is needed for local docker in host mode
+    - GOPROXY_HOST_NETWORK=1
+  volumes:
+    - ./config:/app/config
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+  labels:
+    - proxy.aliases=gp
+    - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Services URLs for above examples
+
+- `gp.yourdomain.com`: go-proxy web panel
+- `adg-setup.yourdomain.com`: adguard setup (first time setup)
+- `adg.yourdomain.com`: adguard dashboard
+- `nginx.yourdomain.com`: nginx
+- `yourdomain.com:53`: adguard dns
+- `yourdomain.com:25565`: minecraft server
+- `yourdomain.com:8211`: palworld server
+
+[🔼Back to top](#table-of-content)
--- a/examples/docker-compose/n8n.yml
+++ b/examples/docker-compose/n8n.yml
@@ -1,27 +0,0 @@
---
-services:
-  n8n:
-    image: n8nio/n8n
-    container_name: n8n
-    restart: always
-    expose:
-      - 5678
-    labels:
-      proxy.n8n.middlewares.request.set_headers: |
-        SSLRedirect: true
-        STSSeconds: 315360000
-        browserXSSFilter: true
-        contentTypeNosniff: true
-        forceSTSHeader: true
-        SSLHost: ${DOMAIN_NAME}
-        STSIncludeSubdomains: true
-        STSPreload: true
-    environment:
-      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
-      - N8N_PORT=5678
-      - N8N_PROTOCOL=https
-      - NODE_ENV=production
-      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
-      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
-    volumes:
-      - ./data:/home/node/.n8n
--- a/examples/error_pages/404.css
+++ b/examples/error_pages/404.css
@@ -1,288 +0,0 @@
-@import url("https://fonts.googleapis.com/css?family=Audiowide&display=swap");
-
-html,
-body {
-    margin: 0px;
-    overflow: hidden;
-}
-
-div {
-    position: absolute;
-    top: 0%;
-    left: 0%;
-    height: 100%;
-    width: 100%;
-    margin: 0px;
-    background: radial-gradient(circle, #240015 0%, #12000b 100%);
-    overflow: hidden;
-}
-
-.wrap {
-    position: absolute;
-    left: 50%;
-    top: 50%;
-    transform: translate(-50%, -50%);
-}
-
-h2 {
-    position: absolute;
-    top: 50%;
-    left: 50%;
-    margin-top: 150px;
-    font-size: 32px;
-    text-transform: uppercase;
-    transform: translate(-50%, -50%);
-    display: block;
-    color: #12000a;
-    font-weight: 300;
-    font-family: Audiowide;
-    text-shadow: 0px 0px 4px #12000a;
-    animation: fadeInText 3s ease-in 3.5s forwards,
-        flicker4 5s linear 7.5s infinite, hueRotate 6s ease-in-out 3s infinite;
-}
-
-#svgWrap_1,
-#svgWrap_2 {
-    position: absolute;
-    height: auto;
-    width: 600px;
-    max-width: 100%;
-    top: 50%;
-    left: 50%;
-    transform: translate(-50%, -50%);
-}
-
-#svgWrap_1,
-#svgWrap_2,
-div {
-    animation: hueRotate 6s ease-in-out 3s infinite;
-}
-
-#id1_1,
-#id2_1,
-#id3_1 {
-    stroke: #ff005d;
-    stroke-width: 3px;
-    fill: transparent;
-    filter: url(#glow);
-}
-
-#id1_2,
-#id2_2,
-#id3_2 {
-    stroke: #12000a;
-    stroke-width: 3px;
-    fill: transparent;
-    filter: url(#glow);
-}
-
-#id3_1 {
-    stroke-dasharray: 940px;
-    stroke-dashoffset: -940px;
-    animation: drawLine3 2.5s ease-in-out 0s forwards,
-        flicker3 4s linear 4s infinite;
-}
-
-#id2_1 {
-    stroke-dasharray: 735px;
-    stroke-dashoffset: -735px;
-    animation: drawLine2 2.5s ease-in-out 0.5s forwards,
-        flicker2 4s linear 4.5s infinite;
-}
-
-#id1_1 {
-    stroke-dasharray: 940px;
-    stroke-dashoffset: -940px;
-    animation: drawLine1 2.5s ease-in-out 1s forwards,
-        flicker1 4s linear 5s infinite;
-}
-
-@keyframes drawLine1 {
-    0% {
-        stroke-dashoffset: -940px;
-    }
-    100% {
-        stroke-dashoffset: 0px;
-    }
-}
-
-@keyframes drawLine2 {
-    0% {
-        stroke-dashoffset: -735px;
-    }
-    100% {
-        stroke-dashoffset: 0px;
-    }
-}
-
-@keyframes drawLine3 {
-    0% {
-        stroke-dashoffset: -940px;
-    }
-    100% {
-        stroke-dashoffset: 0px;
-    }
-}
-
-@keyframes flicker1 {
-    0% {
-        stroke: #ff005d;
-    }
-    1% {
-        stroke: transparent;
-    }
-    3% {
-        stroke: transparent;
-    }
-    4% {
-        stroke: #ff005d;
-    }
-    6% {
-        stroke: #ff005d;
-    }
-    7% {
-        stroke: transparent;
-    }
-    13% {
-        stroke: transparent;
-    }
-    14% {
-        stroke: #ff005d;
-    }
-    100% {
-        stroke: #ff005d;
-    }
-}
-
-@keyframes flicker2 {
-    0% {
-        stroke: #ff005d;
-    }
-    50% {
-        stroke: #ff005d;
-    }
-    51% {
-        stroke: transparent;
-    }
-    61% {
-        stroke: transparent;
-    }
-    62% {
-        stroke: #ff005d;
-    }
-    100% {
-        stroke: #ff005d;
-    }
-}
-
-@keyframes flicker3 {
-    0% {
-        stroke: #ff005d;
-    }
-    1% {
-        stroke: transparent;
-    }
-    10% {
-        stroke: transparent;
-    }
-    11% {
-        stroke: #ff005d;
-    }
-    40% {
-        stroke: #ff005d;
-    }
-    41% {
-        stroke: transparent;
-    }
-    45% {
-        stroke: transparent;
-    }
-    46% {
-        stroke: #ff005d;
-    }
-    100% {
-        stroke: #ff005d;
-    }
-}
-
-@keyframes flicker4 {
-    0% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    30% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    31% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    32% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    36% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    37% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    41% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    42% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    85% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    86% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    95% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    96% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-    100% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-}
-
-@keyframes fadeInText {
-    1% {
-        color: #12000a;
-        text-shadow: 0px 0px 4px #12000a;
-    }
-    70% {
-        color: #ff005d;
-        text-shadow: 0px 0px 14px #ff005d;
-    }
-    100% {
-        color: #ff005d;
-        text-shadow: 0px 0px 4px #ff005d;
-    }
-}
-
-@keyframes hueRotate {
-    0% {
-        filter: hue-rotate(0deg);
-    }
-    50% {
-        filter: hue-rotate(-120deg);
-    }
-    100% {
-        filter: hue-rotate(0deg);
-    }
-}
--- a/examples/error_pages/404.html
+++ b/examples/error_pages/404.html
@@ -1,51 +0,0 @@
-{{/* Credit: https://codepen.io/code2rithik/pen/XWpVvYL */}}
-<!DOCTYPE html>
-<html lang="en">
-
-<head>
-  <meta charset="UTF-8" />
-  <title>Page Not Found</title>
-  <link rel="stylesheet" href="/$gperrorpage/404.css" type="text/css">
-  <!-- <script src="/$gperrorpage/404.js"> </script> -->
-</head>
-
-<body>
-  <script>0</script>
-  <div></div>
-  <svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
-    <g>
-      <path id="id3_2"
-        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
-      <path id="id2_2"
-        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
-      <path id="id1_2"
-        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
-    </g>
-  </svg>
-  <svg id="svgWrap_1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
-    <g>
-      <path id="id3_1"
-        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
-      <path id="id2_1"
-        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
-      <path id="id1_1"
-        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
-    </g>
-  </svg>
-
-  <svg>
-    <defs>
-      <filter id="glow">
-        <fegaussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur>
-        <femerge>
-          <femergenode in="coloredBlur"></femergenode>
-          <femergenode in="SourceGraphic"></femergenode>
-        </femerge>
-      </filter>
-    </defs>
-  </svg>
-
-  <h2>Page Not Found</h2>
-</body>
-
-</html>
--- a/examples/grafana_template.json
+++ b/examples/grafana_template.json
--- a/go.mod
+++ b/go.mod
@@ -1,297 +1,54 @@
 module github.com/yusing/go-proxy

-go 1.25.0
-
-replace github.com/yusing/go-proxy/agent => ./agent
-
-replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
-
-replace github.com/yusing/go-proxy/internal/utils => ./internal/utils
-
-replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.0.0-20250816044348-0630187cb14b
-
-replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d
+go 1.22

 require (
-	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
-	github.com/coreos/go-oidc/v3 v3.15.0 // oidc authentication
-	github.com/docker/docker v28.3.3+incompatible // docker daemon
-	github.com/fsnotify/fsnotify v1.9.0 // file watcher
-	github.com/go-acme/lego/v4 v4.25.2 // acme client
-	github.com/go-playground/validator/v10 v10.27.0 // validator
-	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
-	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
-	github.com/gotify/server/v2 v2.6.3 // reference the Message struct for json response
-	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/puzpuzpuz/xsync/v4 v4.1.0 // lock free map for concurrent operations
-	github.com/rs/zerolog v1.34.0 // logging
-	github.com/shirou/gopsutil/v4 v4.25.7 // system info metrics
-	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-	golang.org/x/crypto v0.41.0 // encrypting password with bcrypt
-	golang.org/x/net v0.43.0 // HTTP header utilities
-	golang.org/x/oauth2 v0.30.0 // oauth2 authentication
-	golang.org/x/sync v0.16.0
-	golang.org/x/time v0.12.0 // time utilities
+	github.com/docker/cli v26.1.3+incompatible
+	github.com/docker/docker v26.1.3+incompatible
+	github.com/fsnotify/fsnotify v1.7.0
+	github.com/go-acme/lego/v4 v4.17.3
+	github.com/santhosh-tekuri/jsonschema v1.2.4
+	github.com/sirupsen/logrus v1.9.3
+	golang.org/x/net v0.25.0
+	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	github.com/docker/cli v28.3.3+incompatible
-	github.com/goccy/go-yaml v1.18.0 // yaml parsing for different config files
-	github.com/golang-jwt/jwt/v5 v5.3.0
-	github.com/luthermonson/go-proxmox v0.2.2
-	github.com/oschwald/maxminddb-golang v1.13.1
-	github.com/quic-go/quic-go v0.54.0
-	github.com/samber/slog-zerolog/v2 v2.7.3
-	github.com/spf13/afero v1.14.0
-	github.com/stretchr/testify v1.11.1
-	github.com/yusing/go-proxy/agent v0.0.0-20250819142638-5e15fd4bbef0
-	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-20250819142638-5e15fd4bbef0
-	github.com/yusing/go-proxy/internal/utils v0.0.0
-)
-
-require (
-	cloud.google.com/go/auth v0.16.5 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.8.0 // indirect
-	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
-	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
-	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.31.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.8 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.48.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.57.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.28.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.1 // indirect
-	github.com/aws/smithy-go v1.23.0 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.241 // indirect
-	github.com/benbjohnson/clock v1.3.5 // indirect
-	github.com/boombuler/barcode v1.1.0 // indirect
-	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/diskfs/go-diskfs v1.7.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.96.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/djherbis/times v1.6.0 // indirect
-	github.com/docker/go-connections v0.6.0
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
-	github.com/exoscale/egoscale/v3 v3.1.25 // indirect
-	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
-	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-playground/locales v0.14.1 // indirect
-	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-resty/resty/v2 v2.16.5 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/gofrs/flock v0.12.1 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
-	github.com/gophercloud/gophercloud v1.14.1 // indirect
-	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.166 // indirect
-	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
-	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
-	github.com/jinzhu/copier v0.4.0 // indirect
-	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
-	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
-	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
-	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
-	github.com/labbsr0x/goh v1.0.1 // indirect
-	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.56.0 // indirect
-	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
-	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
-	github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 // indirect
-	github.com/magefile/mage v1.15.0 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.68 // indirect
-	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/nrdcg/auroradns v1.1.0 // indirect
-	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
-	github.com/nrdcg/desec v0.11.0 // indirect
-	github.com/nrdcg/freemyip v0.3.0 // indirect
-	github.com/nrdcg/goacmedns v0.2.0 // indirect
-	github.com/nrdcg/goinwx v0.11.0 // indirect
-	github.com/nrdcg/mailinabox v0.2.0 // indirect
-	github.com/nrdcg/namesilo v0.2.1 // indirect
-	github.com/nrdcg/nodion v0.1.0 // indirect
-	github.com/nrdcg/porkbun v0.4.0 // indirect
-	github.com/nzdjb/go-metaname v1.0.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/ovh/go-ovh v1.9.0 // indirect
-	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/peterhellberg/link v1.2.0 // indirect
-	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/pquerna/otp v1.5.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sacloud/api-client-go v0.3.3 // indirect
-	github.com/sacloud/go-http v0.1.9 // indirect
-	github.com/sacloud/iaas-api-go v1.17.0 // indirect
-	github.com/sacloud/packages-go v0.0.11 // indirect
-	github.com/sagikazarmark/locafero v0.10.0 // indirect
-	github.com/samber/lo v1.51.0 // indirect
-	github.com/samber/slog-common v0.19.0 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.34 // indirect
-	github.com/selectel/domains-go v1.1.0 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.2.0 // indirect
-	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
-	github.com/sony/gobreaker v1.0.0 // indirect
-	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
-	github.com/spf13/cast v1.9.2 // indirect
-	github.com/spf13/pflag v1.0.7 // indirect
-	github.com/spf13/viper v1.20.1 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.18 // indirect
-	github.com/tjfoc/gmsm v1.4.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
-	github.com/transip/gotransip/v6 v6.26.0 // indirect
-	github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419 // indirect
-	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.219 // indirect
-	github.com/vultr/govultr/v3 v3.23.0 // indirect
-	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.mongodb.org/mongo-driver v1.17.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	go.uber.org/atomic v1.11.0
-	go.uber.org/mock v0.6.0 // indirect
-	go.uber.org/ratelimit v0.3.1 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	google.golang.org/api v0.248.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect
-	google.golang.org/grpc v1.75.0
-	google.golang.org/protobuf v1.36.8 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.15.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-)
-
-require (
-	github.com/containerd/containerd/v2 v2.1.4
-	github.com/containerd/nerdctl/v2 v2.1.3
-	github.com/gin-gonic/gin v1.10.1
-	github.com/swaggo/swag v1.16.6
-	github.com/yusing/ds v0.1.0
-)
-
-require (
-	github.com/KyleBanks/depth v1.2.1 // indirect
-	github.com/Microsoft/hcsshim v0.13.0 // indirect
-	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
-	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.11 // indirect
-	github.com/alibabacloud-go/debug v1.0.1 // indirect
-	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
-	github.com/alibabacloud-go/tea v1.3.11 // indirect
-	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
-	github.com/aliyun/credentials-go v1.4.7 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
-	github.com/bytedance/sonic/loader v0.3.0 // indirect
-	github.com/clbanning/mxj/v2 v2.7.0 // indirect
-	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/containerd/cgroups/v3 v3.0.5 // indirect
-	github.com/containerd/containerd/api v1.9.0 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/containerd/fifo v1.1.0 // indirect
-	github.com/containerd/go-cni v1.1.13 // indirect
-	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.1 // indirect
-	github.com/containerd/plugin v1.0.0 // indirect
-	github.com/containerd/ttrpc v1.2.7 // indirect
-	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/containernetworking/cni v1.3.0 // indirect
-	github.com/dnsimple/dnsimple-go/v4 v4.0.0 // indirect
-	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-acme/alidns-20150109/v4 v4.5.11 // indirect
-	github.com/go-acme/tencentclouddnspod v1.0.1208 // indirect
-	github.com/go-openapi/jsonpointer v0.21.2 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.1 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
-	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/sys/atomicwriter v0.1.0 // indirect
-	github.com/moby/sys/mountinfo v0.7.2 // indirect
-	github.com/moby/sys/sequential v0.6.0 // indirect
-	github.com/moby/sys/signal v0.7.1 // indirect
-	github.com/moby/sys/user v0.4.0 // indirect
-	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/namedotcom/go/v4 v4.0.2 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.99.1 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.99.1 // indirect
-	github.com/opencontainers/runtime-spec v1.2.1 // indirect
-	github.com/opencontainers/selinux v1.12.0 // indirect
-	github.com/petermattis/goid v0.0.0-20250813065127-a731cc31b4fe // indirect
-	github.com/sasha-s/go-deadlock v0.3.5 // indirect
-	github.com/selectel/go-selvpcclient/v4 v4.1.0 // indirect
-	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.0 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	google.golang.org/genproto v0.0.0-20250811230008-5f3141c8851a // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
+	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.21.0 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -1,166 +0,0 @@
-package acl
-
-import (
-	"net"
-	"time"
-
-	"github.com/puzpuzpuz/xsync/v4"
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging/accesslog"
-	"github.com/yusing/go-proxy/internal/maxmind"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-type Config struct {
-	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
-	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
-	Allow      Matchers                   `json:"allow"`
-	Deny       Matchers                   `json:"deny"`
-	Log        *accesslog.ACLLoggerConfig `json:"log"`
-
-	config
-	valErr gperr.Error
-}
-
-type config struct {
-	defaultAllow bool
-	allowLocal   bool
-	ipCache      *xsync.Map[string, *checkCache]
-	logAllowed   bool
-	logger       *accesslog.AccessLogger
-}
-
-type checkCache struct {
-	*maxmind.IPInfo
-	allow   bool
-	created time.Time
-}
-
-const cacheTTL = 1 * time.Minute
-
-func (c *checkCache) Expired() bool {
-	return c.created.Add(cacheTTL).Before(utils.TimeNow())
-}
-
-// TODO: add stats
-
-const (
-	ACLAllow = "allow"
-	ACLDeny  = "deny"
-)
-
-func (c *Config) Validate() gperr.Error {
-	switch c.Default {
-	case "", ACLAllow:
-		c.defaultAllow = true
-	case ACLDeny:
-		c.defaultAllow = false
-	default:
-		c.valErr = gperr.New("invalid default value").Subject(c.Default)
-		return c.valErr
-	}
-
-	if c.AllowLocal != nil {
-		c.allowLocal = *c.AllowLocal
-	} else {
-		c.allowLocal = true
-	}
-
-	if c.Log != nil {
-		c.logAllowed = c.Log.LogAllowed
-	}
-
-	if !c.allowLocal && !c.defaultAllow && len(c.Allow) == 0 {
-		c.valErr = gperr.New("allow_local is false and default is deny, but no allow rules are configured")
-		return c.valErr
-	}
-
-	c.ipCache = xsync.NewMap[string, *checkCache]()
-	return nil
-}
-
-func (c *Config) Valid() bool {
-	return c != nil && c.valErr == nil
-}
-
-func (c *Config) Start(parent *task.Task) gperr.Error {
-	if c.Log != nil {
-		logger, err := accesslog.NewAccessLogger(parent, c.Log)
-		if err != nil {
-			return gperr.New("failed to start access logger").With(err)
-		}
-		c.logger = logger
-	}
-	if c.valErr != nil {
-		return c.valErr
-	}
-	log.Info().
-		Str("default", c.Default).
-		Bool("allow_local", c.allowLocal).
-		Int("allow_rules", len(c.Allow)).
-		Int("deny_rules", len(c.Deny)).
-		Msg("ACL started")
-	return nil
-}
-
-func (c *Config) cacheRecord(info *maxmind.IPInfo, allow bool) {
-	if common.ForceResolveCountry && info.City == nil {
-		maxmind.LookupCity(info)
-	}
-	c.ipCache.Store(info.Str, &checkCache{
-		IPInfo:  info,
-		allow:   allow,
-		created: utils.TimeNow(),
-	})
-}
-
-func (c *config) log(info *maxmind.IPInfo, allowed bool) {
-	if c.logger == nil {
-		return
-	}
-	if !allowed || c.logAllowed {
-		c.logger.LogACL(info, !allowed)
-	}
-}
-
-func (c *Config) IPAllowed(ip net.IP) bool {
-	if ip == nil {
-		return false
-	}
-
-	// always allow loopback, not logged
-	if ip.IsLoopback() {
-		return true
-	}
-
-	if c.allowLocal && ip.IsPrivate() {
-		c.log(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
-		return true
-	}
-
-	ipStr := ip.String()
-	record, ok := c.ipCache.Load(ipStr)
-	if ok && !record.Expired() {
-		c.log(record.IPInfo, record.allow)
-		return record.allow
-	}
-
-	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
-	if c.Allow.Match(ipAndStr) {
-		c.log(ipAndStr, true)
-		c.cacheRecord(ipAndStr, true)
-		return true
-	}
-	if c.Deny.Match(ipAndStr) {
-		c.log(ipAndStr, false)
-		c.cacheRecord(ipAndStr, false)
-		return false
-	}
-
-	c.log(ipAndStr, c.defaultAllow)
-	c.cacheRecord(ipAndStr, c.defaultAllow)
-	return c.defaultAllow
-}
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@@ -1,112 +0,0 @@
-package acl
-
-import (
-	"net"
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/maxmind"
-)
-
-type MatcherFunc func(*maxmind.IPInfo) bool
-
-type Matcher struct {
-	match MatcherFunc
-}
-
-type Matchers []Matcher
-
-const (
-	MatcherTypeIP       = "ip"
-	MatcherTypeCIDR     = "cidr"
-	MatcherTypeTimeZone = "tz"
-	MatcherTypeCountry  = "country"
-)
-
-// TODO: use this error in the future
-//
-//nolint:unused
-var errMatcherFormat = gperr.Multiline().AddLines(
-	"invalid matcher format, expect {type}:{value}",
-	"Available types: ip|cidr|tz|country",
-	"ip:127.0.0.1",
-	"cidr:127.0.0.0/8",
-	"tz:Asia/Shanghai",
-	"country:GB",
-)
-
-var (
-	errSyntax      = gperr.New("syntax error")
-	errInvalidIP   = gperr.New("invalid IP")
-	errInvalidCIDR = gperr.New("invalid CIDR")
-)
-
-func (matcher *Matcher) Parse(s string) error {
-	parts := strings.Split(s, ":")
-	if len(parts) != 2 {
-		return errSyntax
-	}
-
-	switch parts[0] {
-	case MatcherTypeIP:
-		ip := net.ParseIP(parts[1])
-		if ip == nil {
-			return errInvalidIP
-		}
-		matcher.match = matchIP(ip)
-	case MatcherTypeCIDR:
-		_, net, err := net.ParseCIDR(parts[1])
-		if err != nil {
-			return errInvalidCIDR
-		}
-		matcher.match = matchCIDR(net)
-	case MatcherTypeTimeZone:
-		matcher.match = matchTimeZone(parts[1])
-	case MatcherTypeCountry:
-		matcher.match = matchISOCode(parts[1])
-	default:
-		return errSyntax
-	}
-	return nil
-}
-
-func (matchers Matchers) Match(ip *maxmind.IPInfo) bool {
-	for _, m := range matchers {
-		if m.match(ip) {
-			return true
-		}
-	}
-	return false
-}
-
-func matchIP(ip net.IP) MatcherFunc {
-	return func(ip2 *maxmind.IPInfo) bool {
-		return ip.Equal(ip2.IP)
-	}
-}
-
-func matchCIDR(n *net.IPNet) MatcherFunc {
-	return func(ip *maxmind.IPInfo) bool {
-		return n.Contains(ip.IP)
-	}
-}
-
-func matchTimeZone(tz string) MatcherFunc {
-	return func(ip *maxmind.IPInfo) bool {
-		city, ok := maxmind.LookupCity(ip)
-		if !ok {
-			return false
-		}
-		return city.Location.TimeZone == tz
-	}
-}
-
-func matchISOCode(iso string) MatcherFunc {
-	return func(ip *maxmind.IPInfo) bool {
-		city, ok := maxmind.LookupCity(ip)
-		if !ok {
-			return false
-		}
-		return city.Country.IsoCode == iso
-	}
-}
--- a/internal/acl/matcher_test.go
+++ b/internal/acl/matcher_test.go
@@ -1,49 +0,0 @@
-package acl
-
-import (
-	"net"
-	"reflect"
-	"testing"
-
-	maxmind "github.com/yusing/go-proxy/internal/maxmind/types"
-	"github.com/yusing/go-proxy/internal/serialization"
-)
-
-func TestMatchers(t *testing.T) {
-	strMatchers := []string{
-		"ip:127.0.0.1",
-		"cidr:10.0.0.0/8",
-	}
-
-	var mathers Matchers
-	err := serialization.Convert(reflect.ValueOf(strMatchers), reflect.ValueOf(&mathers), false)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tests := []struct {
-		ip   string
-		want bool
-	}{
-		{"127.0.0.1", true},
-		{"10.0.0.1", true},
-		{"127.0.0.2", false},
-		{"192.168.0.1", false},
-		{"11.0.0.1", false},
-	}
-
-	for _, test := range tests {
-		ip := net.ParseIP(test.ip)
-		if ip == nil {
-			t.Fatalf("invalid ip: %s", test.ip)
-		}
-
-		got := mathers.Match(&maxmind.IPInfo{
-			IP:  ip,
-			Str: test.ip,
-		})
-		if got != test.want {
-			t.Errorf("mathers.Match(%s) = %v, want %v", test.ip, got, test.want)
-		}
-	}
-}
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@@ -1,59 +0,0 @@
-package acl
-
-import (
-	"io"
-	"net"
-	"time"
-)
-
-type TCPListener struct {
-	acl *Config
-	lis net.Listener
-}
-
-type noConn struct{}
-
-func (noConn) Read(b []byte) (int, error)         { return 0, io.EOF }
-func (noConn) Write(b []byte) (int, error)        { return 0, io.EOF }
-func (noConn) Close() error                       { return nil }
-func (noConn) LocalAddr() net.Addr                { return nil }
-func (noConn) RemoteAddr() net.Addr               { return nil }
-func (noConn) SetDeadline(t time.Time) error      { return nil }
-func (noConn) SetReadDeadline(t time.Time) error  { return nil }
-func (noConn) SetWriteDeadline(t time.Time) error { return nil }
-
-func (c *Config) WrapTCP(lis net.Listener) net.Listener {
-	if c == nil {
-		return lis
-	}
-	return &TCPListener{
-		acl: c,
-		lis: lis,
-	}
-}
-
-func (s *TCPListener) Addr() net.Addr {
-	return s.lis.Addr()
-}
-
-func (s *TCPListener) Accept() (net.Conn, error) {
-	c, err := s.lis.Accept()
-	if err != nil {
-		return nil, err
-	}
-	addr, ok := c.RemoteAddr().(*net.TCPAddr)
-	if !ok {
-		// Not a TCPAddr, drop
-		c.Close()
-		return noConn{}, nil
-	}
-	if !s.acl.IPAllowed(addr.IP) {
-		c.Close()
-		return noConn{}, nil
-	}
-	return c, nil
-}
-
-func (s *TCPListener) Close() error {
-	return s.lis.Close()
-}
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@@ -1,79 +0,0 @@
-package acl
-
-import (
-	"net"
-	"time"
-)
-
-type UDPListener struct {
-	acl *Config
-	lis net.PacketConn
-}
-
-func (c *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
-	if c == nil {
-		return lis
-	}
-	return &UDPListener{
-		acl: c,
-		lis: lis,
-	}
-}
-
-func (s *UDPListener) LocalAddr() net.Addr {
-	return s.lis.LocalAddr()
-}
-
-func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
-	for {
-		n, addr, err := s.lis.ReadFrom(p)
-		if err != nil {
-			return n, addr, err
-		}
-		udpAddr, ok := addr.(*net.UDPAddr)
-		if !ok {
-			// Not a UDPAddr, drop
-			continue
-		}
-		if !s.acl.IPAllowed(udpAddr.IP) {
-			// Drop packet from disallowed IP
-			continue
-		}
-		return n, addr, nil
-	}
-}
-
-func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
-	for {
-		n, err := s.lis.WriteTo(p, addr)
-		if err != nil {
-			return n, err
-		}
-		udpAddr, ok := addr.(*net.UDPAddr)
-		if !ok {
-			// Not a UDPAddr, drop
-			continue
-		}
-		if !s.acl.IPAllowed(udpAddr.IP) {
-			// Drop packet to disallowed IP
-			continue
-		}
-		return n, nil
-	}
-}
-
-func (s *UDPListener) SetDeadline(t time.Time) error {
-	return s.lis.SetDeadline(t)
-}
-
-func (s *UDPListener) SetReadDeadline(t time.Time) error {
-	return s.lis.SetReadDeadline(t)
-}
-
-func (s *UDPListener) SetWriteDeadline(t time.Time) error {
-	return s.lis.SetWriteDeadline(t)
-}
-
-func (s *UDPListener) Close() error {
-	return s.lis.Close()
-}
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -1,210 +0,0 @@
-package api
-
-import (
-	"net/http"
-	"strconv"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gorilla/websocket"
-	"github.com/rs/zerolog/log"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	apiV1 "github.com/yusing/go-proxy/internal/api/v1"
-	agentApi "github.com/yusing/go-proxy/internal/api/v1/agent"
-	authApi "github.com/yusing/go-proxy/internal/api/v1/auth"
-	certApi "github.com/yusing/go-proxy/internal/api/v1/cert"
-	dockerApi "github.com/yusing/go-proxy/internal/api/v1/docker"
-	"github.com/yusing/go-proxy/internal/api/v1/docs"
-	fileApi "github.com/yusing/go-proxy/internal/api/v1/file"
-	homepageApi "github.com/yusing/go-proxy/internal/api/v1/homepage"
-	metricsApi "github.com/yusing/go-proxy/internal/api/v1/metrics"
-	routeApi "github.com/yusing/go-proxy/internal/api/v1/route"
-	"github.com/yusing/go-proxy/internal/auth"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-// @title           GoDoxy API
-// @version         1.0
-// @description     GoDoxy API
-// @termsOfService  https://github.com/yusing/godoxy/blob/main/LICENSE
-
-// @contact.name   Yusing
-// @contact.url    https://github.com/yusing/godoxy/issues
-
-// @license.name  MIT
-// @license.url   https://github.com/yusing/godoxy/blob/main/LICENSE
-
-// @BasePath  /api/v1
-
-// @externalDocs.description  GoDoxy Docs
-// @externalDocs.url          https://docs.godoxy.dev
-func NewHandler() *gin.Engine {
-	gin.SetMode("release")
-	r := gin.New()
-	r.Use(ErrorHandler())
-	r.Use(ErrorLoggingMiddleware())
-
-	docs.SwaggerInfo.Title = "GoDoxy API"
-	docs.SwaggerInfo.BasePath = "/api/v1"
-
-	r.GET("/api/v1/version", apiV1.Version)
-
-	v1Auth := r.Group("/api/v1/auth")
-	{
-		v1Auth.HEAD("/check", authApi.Check)
-		v1Auth.POST("/login", authApi.Login)
-		v1Auth.GET("/callback", authApi.Callback)
-		v1Auth.POST("/callback", authApi.Callback)
-		v1Auth.POST("/logout", authApi.Logout)
-	}
-
-	v1 := r.Group("/api/v1")
-	if auth.IsEnabled() {
-		v1.Use(AuthMiddleware())
-	}
-	if common.APISkipOriginCheck {
-		v1.Use(SkipOriginCheckMiddleware())
-	}
-	{
-		// enable cache for favicon
-		v1.GET("/favicon", apiV1.FavIcon).Use(Cache(time.Hour * 24))
-		v1.GET("/health", apiV1.Health)
-		v1.GET("/icons", apiV1.Icons)
-		v1.POST("/reload", apiV1.Reload)
-		v1.GET("/stats", apiV1.Stats)
-
-		route := v1.Group("/route")
-		{
-			route.GET("/list", routeApi.Routes)
-			route.GET("/:which", routeApi.Route)
-			route.GET("/providers", routeApi.Providers)
-			route.GET("/by_provider", routeApi.ByProvider)
-		}
-
-		file := v1.Group("/file")
-		{
-			file.GET("/list", fileApi.List)
-			file.GET("/content", fileApi.Get)
-			file.PUT("/content", fileApi.Set)
-			file.POST("/content", fileApi.Set)
-			file.POST("/validate", fileApi.Validate)
-		}
-
-		homepage := v1.Group("/homepage")
-		{
-			homepage.GET("/categories", homepageApi.Categories)
-			homepage.GET("/items", homepageApi.Items)
-			homepage.POST("/set/item", homepageApi.SetItem)
-			homepage.POST("/set/items_batch", homepageApi.SetItemsBatch)
-			homepage.POST("/set/item_visible", homepageApi.SetItemVisible)
-			homepage.POST("/set/category_order", homepageApi.SetCategoryOrder)
-		}
-
-		cert := v1.Group("/cert")
-		{
-			cert.GET("/info", certApi.Info)
-			cert.GET("/renew", certApi.Renew)
-		}
-
-		agent := v1.Group("/agent")
-		{
-			agent.GET("/list", agentApi.List)
-			agent.POST("/create", agentApi.Create)
-			agent.POST("/verify", agentApi.Verify)
-		}
-
-		metrics := v1.Group("/metrics")
-		{
-			metrics.GET("/system_info", metricsApi.SystemInfo)
-			metrics.GET("/uptime", metricsApi.Uptime)
-		}
-
-		docker := v1.Group("/docker")
-		{
-			docker.GET("/containers", dockerApi.Containers)
-			docker.GET("/info", dockerApi.Info)
-			docker.GET("/logs/:server/:container", dockerApi.Logs)
-		}
-	}
-
-	// disable cache by default
-	r.Use(NoCache())
-	return r
-}
-
-func NoCache() gin.HandlerFunc {
-	return func(c *gin.Context) {
-		// skip cache if Cache-Control header is set or if caching is explicitly enabled
-		if !c.GetBool("cache_enabled") && c.Writer.Header().Get("Cache-Control") == "" {
-			c.Header("Cache-Control", "no-cache, no-store, must-revalidate")
-			c.Header("Pragma", "no-cache")
-			c.Header("Expires", "0")
-		}
-		c.Next()
-	}
-}
-
-func Cache(duration time.Duration) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		// Signal to NoCache middleware that caching is intended
-		c.Set("cache_enabled", true)
-		// skip cache if Cache-Control header is set
-		if c.Writer.Header().Get("Cache-Control") == "" {
-			c.Header("Cache-Control", "public, max-age="+strconv.FormatFloat(duration.Seconds(), 'f', 0, 64)+", immutable")
-			c.Header("Pragma", "public")
-			c.Header("Expires", time.Now().Add(duration).Format(time.RFC1123))
-		}
-		c.Next()
-	}
-}
-
-func AuthMiddleware() gin.HandlerFunc {
-	return func(c *gin.Context) {
-		err := auth.GetDefaultAuth().CheckToken(c.Request)
-		if err != nil {
-			c.JSON(http.StatusUnauthorized, apitypes.Error("Unauthorized", err))
-			c.Abort()
-			return
-		}
-		c.Next()
-	}
-}
-
-func SkipOriginCheckMiddleware() gin.HandlerFunc {
-	upgrader := &websocket.Upgrader{
-		CheckOrigin: func(r *http.Request) bool {
-			return true
-		},
-	}
-	return func(c *gin.Context) {
-		c.Set("upgrader", upgrader)
-		c.Next()
-	}
-}
-
-func ErrorHandler() gin.HandlerFunc {
-	return func(c *gin.Context) {
-		c.Next()
-		if len(c.Errors) > 0 {
-			for _, err := range c.Errors {
-				log.Err(err.Err).Str("uri", c.Request.RequestURI).Msg("Internal error")
-			}
-			if !isWebSocketRequest(c) {
-				c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
-			}
-		}
-	}
-}
-
-func ErrorLoggingMiddleware() gin.HandlerFunc {
-	return gin.CustomRecoveryWithWriter(nil, func(c *gin.Context, err any) {
-		log.Error().Any("error", err).Str("uri", c.Request.RequestURI).Msg("Internal error")
-		if !isWebSocketRequest(c) {
-			c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
-		}
-	})
-}
-
-func isWebSocketRequest(c *gin.Context) bool {
-	return c.GetHeader("Upgrade") == "websocket"
-}
--- a/internal/api/types/error.go
+++ b/internal/api/types/error.go
@@ -1,55 +0,0 @@
-package apitypes
-
-import (
-	"errors"
-
-	"github.com/yusing/go-proxy/internal/gperr"
-)
-
-type ErrorResponse struct {
-	Message string `json:"message"`
-	Error   string `json:"error,omitempty" extensions:"x-nullable"`
-} // @name ErrorResponse
-
-type serverError struct {
-	Message string
-	Err     error
-}
-
-// Error returns a generic error response
-func Error(message string, err ...error) ErrorResponse {
-	if len(err) > 0 {
-		var gpErr gperr.Error
-		if errors.As(err[0], &gpErr) {
-			return ErrorResponse{
-				Message: message,
-				Error:   string(gpErr.Plain()),
-			}
-		}
-		return ErrorResponse{
-			Message: message,
-			Error:   err[0].Error(),
-		}
-	}
-	return ErrorResponse{
-		Message: message,
-	}
-}
-
-func InternalServerError(err error, message string) error {
-	return serverError{
-		Message: message,
-		Err:     err,
-	}
-}
-
-func (e serverError) Error() string {
-	if e.Err != nil {
-		return e.Message + ": " + e.Err.Error()
-	}
-	return e.Message
-}
-
-func (e serverError) Unwrap() error {
-	return e.Err
-}
--- a/internal/api/types/error_code.go
+++ b/internal/api/types/error_code.go
@@ -1,17 +0,0 @@
-package apitypes
-
-type ErrorCode int
-
-const (
-	ErrorCodeUnauthorized ErrorCode = iota + 1
-	ErrorCodeNotFound
-	ErrorCodeInternalServerError
-)
-
-func (e ErrorCode) String() string {
-	return []string{
-		"Unauthorized",
-		"Not Found",
-		"Internal Server Error",
-	}[e]
-}
--- a/internal/api/types/query.go
+++ b/internal/api/types/query.go
@@ -1,29 +0,0 @@
-package apitypes
-
-type QueryOptions struct {
-	Limit   int                 `binding:"required,min=1,max=20" form:"limit"`
-	Offset  int                 `binding:"omitempty,min=0" form:"offset"`
-	OrderBy QueryOrder          `binding:"omitempty,oneof=created_at updated_at" form:"order_by"`
-	Order   QueryOrderDirection `binding:"omitempty,oneof=asc desc" form:"order"`
-}
-
-type QueryOrder string
-
-const (
-	QueryOrderCreatedAt QueryOrder = "created_at"
-	QueryOrderUpdatedAt QueryOrder = "updated_at"
-)
-
-type QueryOrderDirection string
-
-const (
-	QueryOrderDirectionAsc  QueryOrderDirection = "asc"
-	QueryOrderDirectionDesc QueryOrderDirection = "desc"
-)
-
-type QueryResponse struct {
-	Total   int64 `json:"total"`
-	Limit   int   `json:"limit"`
-	Offset  int   `json:"offset"`
-	HasMore bool  `json:"has_more"`
-}
--- a/internal/api/types/success.go
+++ b/internal/api/types/success.go
@@ -1,18 +0,0 @@
-package apitypes
-
-type SuccessResponse struct {
-	Message string         `json:"message"`
-	Details map[string]any `json:"details,omitempty" extensions:"x-nullable"`
-} // @name SuccessResponse
-
-func Success(message string, extra ...map[string]any) SuccessResponse {
-	if len(extra) > 0 {
-		return SuccessResponse{
-			Message: message,
-			Details: extra[0],
-		}
-	}
-	return SuccessResponse{
-		Message: message,
-	}
-}
--- a/internal/api/v1/agent/common.go
+++ b/internal/api/v1/agent/common.go
@@ -1,67 +0,0 @@
-package agentapi
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"sync/atomic"
-	"time"
-
-	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-)
-
-type PEMPairResponse struct {
-	Cert string `json:"cert" format:"base64"`
-	Key  string `json:"key" format:"base64"`
-} // @name PEMPairResponse
-
-var encryptionKey atomic.Value
-
-const rotateKeyInterval = 15 * time.Minute
-
-func init() {
-	if err := rotateKey(); err != nil {
-		log.Panic().Err(err).Msg("failed to generate encryption key")
-	}
-	go func() {
-		for range time.Tick(rotateKeyInterval) {
-			if err := rotateKey(); err != nil {
-				log.Error().Err(err).Msg("failed to rotate encryption key")
-			}
-		}
-	}()
-}
-
-func getEncryptionKey() []byte {
-	return encryptionKey.Load().([]byte)
-}
-
-func rotateKey() error {
-	// generate a random 32 bytes key
-	key := make([]byte, 32)
-	if _, err := rand.Read(key); err != nil {
-		return err
-	}
-	encryptionKey.Store(key)
-	return nil
-}
-
-func toPEMPairResponse(encPEMPair agent.PEMPair) PEMPairResponse {
-	return PEMPairResponse{
-		Cert: base64.StdEncoding.EncodeToString(encPEMPair.Cert),
-		Key:  base64.StdEncoding.EncodeToString(encPEMPair.Key),
-	}
-}
-
-func fromEncryptedPEMPairResponse(pemPair PEMPairResponse) (agent.PEMPair, error) {
-	encCert, err := base64.StdEncoding.DecodeString(pemPair.Cert)
-	if err != nil {
-		return agent.PEMPair{}, err
-	}
-	encKey, err := base64.StdEncoding.DecodeString(pemPair.Key)
-	if err != nil {
-		return agent.PEMPair{}, err
-	}
-	pair := agent.PEMPair{Cert: encCert, Key: encKey}
-	return pair.Decrypt(getEncryptionKey())
-}
--- a/internal/api/v1/agent/create.go
+++ b/internal/api/v1/agent/create.go
@@ -1,104 +0,0 @@
-package agentapi
-
-import (
-	"net"
-	"net/http"
-	"strconv"
-
-	_ "embed"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-)
-
-type NewAgentRequest struct {
-	Name    string `form:"name" validate:"required"`
-	Host    string `form:"host" validate:"required"`
-	Port    int    `form:"port" validate:"required,min=1,max=65535"`
-	Type    string `form:"type" validate:"required,oneof=docker system"`
-	Nightly bool   `form:"nightly" validate:"omitempty"`
-} // @name NewAgentRequest
-
-type NewAgentResponse struct {
-	Compose string          `json:"compose"`
-	CA      PEMPairResponse `json:"ca"`
-	Client  PEMPairResponse `json:"client"`
-} // @name NewAgentResponse
-
-// @x-id				"create"
-// @BasePath		/api/v1
-// @Summary		Create a new agent
-// @Description	Create a new agent and return the docker compose file, encrypted CA and client PEMs
-// @Description	The returned PEMs are encrypted with a random key and will be used for verification when adding a new agent
-// @Tags			agent
-// @Accept			json
-// @Produce		json
-// @Param			request	body		NewAgentRequest	true	"Request"
-// @Success		200		{object}	NewAgentResponse
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		403		{object}	apitypes.ErrorResponse
-// @Failure		409		{object}	apitypes.ErrorResponse
-// @Failure		500		{object}	apitypes.ErrorResponse
-// @Router			/agent/create [post]
-func Create(c *gin.Context) {
-	var request NewAgentRequest
-	if err := c.ShouldBindJSON(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-	hostport := net.JoinHostPort(request.Host, strconv.Itoa(request.Port))
-	if _, ok := agent.GetAgent(hostport); ok {
-		c.JSON(http.StatusConflict, apitypes.Error("agent already exists"))
-		return
-	}
-
-	var image string
-	if request.Nightly {
-		image = agent.DockerImageNightly
-	} else {
-		image = agent.DockerImageProduction
-	}
-
-	ca, srv, client, err := agent.NewAgent()
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to create agent"))
-		return
-	}
-
-	var cfg agent.Generator = &agent.AgentEnvConfig{
-		Name:    request.Name,
-		Port:    request.Port,
-		CACert:  ca.String(),
-		SSLCert: srv.String(),
-	}
-	if request.Type == "docker" {
-		cfg = &agent.AgentComposeConfig{
-			Image:          image,
-			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
-		}
-	}
-	template, err := cfg.Generate()
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to generate agent config"))
-		return
-	}
-
-	key := getEncryptionKey()
-	encCA, err := ca.Encrypt(key)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to encrypt CA PEMs"))
-		return
-	}
-	encClient, err := client.Encrypt(key)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to encrypt client PEMs"))
-		return
-	}
-
-	c.JSON(http.StatusOK, NewAgentResponse{
-		Compose: template,
-		CA:      toPEMPairResponse(encCA),
-		Client:  toPEMPairResponse(encClient),
-	})
-}
--- a/internal/api/v1/agent/list.go
+++ b/internal/api/v1/agent/list.go
@@ -1,32 +0,0 @@
-package agentapi
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-)
-
-// @x-id				"list"
-// @BasePath		/api/v1
-// @Summary		List agents
-// @Description	List agents
-// @Tags			agent,websocket
-// @Accept			json
-// @Produce		json
-// @Success		200	{array}		Agent
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/agent/list [get]
-func List(c *gin.Context) {
-	if httpheaders.IsWebsocket(c.Request.Header) {
-		websocket.PeriodicWrite(c, 10*time.Second, func() (any, error) {
-			return agent.ListAgents(), nil
-		})
-	} else {
-		c.JSON(http.StatusOK, agent.ListAgents())
-	}
-}
--- a/internal/api/v1/agent/verify.go
+++ b/internal/api/v1/agent/verify.go
@@ -1,76 +0,0 @@
-package agentapi
-
-import (
-	"fmt"
-	"net/http"
-	"os"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-	. "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-)
-
-type VerifyNewAgentRequest struct {
-	Host   string          `json:"host"`
-	CA     PEMPairResponse `json:"ca"`
-	Client PEMPairResponse `json:"client"`
-} // @name VerifyNewAgentRequest
-
-// @x-id          "verify"
-// @BasePath		/api/v1
-// @Summary		Verify a new agent
-// @Description	Verify a new agent and return the number of routes added
-// @Tags			agent
-// @Accept			json
-// @Produce		json
-// @Param			request	body		VerifyNewAgentRequest	true	"Request"
-// @Success		200		{object}	SuccessResponse
-// @Failure		400		{object}	ErrorResponse
-// @Failure		403		{object}	ErrorResponse
-// @Failure		500		{object}	ErrorResponse
-// @Router			/agent/verify [post]
-func Verify(c *gin.Context) {
-	var request VerifyNewAgentRequest
-	if err := c.ShouldBindJSON(&request); err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid request", err))
-		return
-	}
-
-	filename, ok := certs.AgentCertsFilepath(request.Host)
-	if !ok {
-		c.JSON(http.StatusBadRequest, Error("invalid host", nil))
-		return
-	}
-
-	ca, err := fromEncryptedPEMPairResponse(request.CA)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid CA", err))
-		return
-	}
-
-	client, err := fromEncryptedPEMPairResponse(request.Client)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid client", err))
-		return
-	}
-
-	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(request.Host, ca, client)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid request", err))
-		return
-	}
-
-	zip, err := certs.ZipCert(ca.Cert, client.Cert, client.Key)
-	if err != nil {
-		c.Error(InternalServerError(err, "failed to zip certs"))
-		return
-	}
-
-	if err := os.WriteFile(filename, zip, 0o600); err != nil {
-		c.Error(InternalServerError(err, "failed to write certs"))
-		return
-	}
-
-	c.JSON(http.StatusOK, Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
-}
--- a/internal/api/v1/auth/callback.go
+++ b/internal/api/v1/auth/callback.go
@@ -1,25 +0,0 @@
-//nolint:dupword
-package auth
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
-)
-
-// @x-id				"callback"
-// @Base			/api/v1
-// @Summary		Auth Callback
-// @Description	Handles the callback from the provider after successful authentication
-// @Tags			auth
-// @Produce		plain
-// @Param		  body	body	auth.UserPassAuthCallbackRequest	true	"Userpass only"
-// @Success		200	{string}	string	"Userpass: OK"
-// @Success		302	{string}	string	"OIDC: Redirects to home page"
-// @Failure		400	{string}	string	"OIDC: invalid request (missing state cookie or oauth state)"
-// @Failure		400	{string}	string	"Userpass: invalid request / credentials"
-// @Failure		500	{string}	string	"Internal server error"
-// @Router			/auth/callback [get]
-// @Router			/auth/callback [post]
-func Callback(c *gin.Context) {
-	auth.GetDefaultAuth().PostAuthCallbackHandler(c.Writer, c.Request)
-}
--- a/internal/api/v1/auth/check.go
+++ b/internal/api/v1/auth/check.go
@@ -1,19 +0,0 @@
-package auth
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
-)
-
-// @x-id				"check"
-// @Base			/api/v1
-// @Summary		Check authentication status
-// @Description	Checks if the user is authenticated by validating their token
-// @Tags			auth
-// @Produce		plain
-// @Success		200	{string}	string	"OK"
-// @Failure		403	{string}	string	"Forbidden: use X-Redirect-To header to redirect to login page"
-// @Router			/auth/check [head]
-func Check(c *gin.Context) {
-	auth.AuthCheckHandler(c.Writer, c.Request)
-}
--- a/internal/api/v1/auth/login.go
+++ b/internal/api/v1/auth/login.go
@@ -1,20 +0,0 @@
-package auth
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
-)
-
-// @x-id       "login"
-// @Base       /api/v1
-// @Summary    Login
-// @Description Initiates the login process by redirecting the user to the provider's login page
-// @Tags       auth
-// @Produce    plain
-// @Success    302 {string} string "Redirects to login page or IdP"
-// @Failure    403 {string} string "Forbidden(webui): follow X-Redirect-To header"
-// @Failure    429 {string} string "Too Many Requests"
-// @Router     /auth/login [post]
-func Login(c *gin.Context) {
-	auth.GetDefaultAuth().LoginHandler(c.Writer, c.Request)
-}
--- a/internal/api/v1/auth/logout.go
+++ b/internal/api/v1/auth/logout.go
@@ -1,18 +0,0 @@
-package auth
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
-)
-
-// @x-id				"logout"
-// @Base			/api/v1
-// @Summary		Logout
-// @Description	Logs out the user by invalidating the token
-// @Tags			auth
-// @Produce		plain
-// @Success		302	{string} string	"Redirects to home page"
-// @Router			/auth/logout [post]
-func Logout(c *gin.Context) {
-	auth.GetDefaultAuth().LogoutHandler(c.Writer, c.Request)
-}
--- a/internal/api/v1/cert/info.go
+++ b/internal/api/v1/cert/info.go
@@ -1,53 +0,0 @@
-package certapi
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-)
-
-type CertInfo struct {
-	Subject        string   `json:"subject"`
-	Issuer         string   `json:"issuer"`
-	NotBefore      int64    `json:"not_before"`
-	NotAfter       int64    `json:"not_after"`
-	DNSNames       []string `json:"dns_names"`
-	EmailAddresses []string `json:"email_addresses"`
-} // @name CertInfo
-
-// @x-id				"info"
-// @BasePath		/api/v1
-// @Summary		Get cert info
-// @Description	Get cert info
-// @Tags			cert
-// @Produce		json
-// @Success		200	{object}	CertInfo
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		404	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/cert/info [get]
-func Info(c *gin.Context) {
-	autocert := config.GetInstance().AutoCertProvider()
-	if autocert == nil {
-		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
-		return
-	}
-
-	cert, err := autocert.GetCert(nil)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to get cert info"))
-		return
-	}
-
-	certInfo := CertInfo{
-		Subject:        cert.Leaf.Subject.CommonName,
-		Issuer:         cert.Leaf.Issuer.CommonName,
-		NotBefore:      cert.Leaf.NotBefore.Unix(),
-		NotAfter:       cert.Leaf.NotAfter.Unix(),
-		DNSNames:       cert.Leaf.DNSNames,
-		EmailAddresses: cert.Leaf.EmailAddresses,
-	}
-	c.JSON(http.StatusOK, certInfo)
-}
--- a/internal/api/v1/cert/renew.go
+++ b/internal/api/v1/cert/renew.go
@@ -1,72 +0,0 @@
-package certapi
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/rs/zerolog/log"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-)
-
-// @x-id				"renew"
-// @BasePath		/api/v1
-// @Summary		Renew cert
-// @Description	Renew cert
-// @Tags			cert,websocket
-// @Produce		plain
-// @Success		200	{object}	apitypes.SuccessResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/cert/renew [get]
-func Renew(c *gin.Context) {
-	autocert := config.GetInstance().AutoCertProvider()
-	if autocert == nil {
-		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
-		return
-	}
-
-	manager, err := websocket.NewManagerWithUpgrade(c)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
-		return
-	}
-	defer manager.Close()
-
-	logs, cancel := memlogger.Events()
-	defer cancel()
-
-	done := make(chan struct{})
-
-	go func() {
-		defer close(done)
-
-		err = autocert.ObtainCert()
-		if err != nil {
-			gperr.LogError("failed to obtain cert", err)
-			_ = manager.WriteData(websocket.TextMessage, []byte(err.Error()), 10*time.Second)
-		} else {
-			log.Info().Msg("cert obtained successfully")
-		}
-	}()
-
-	for {
-		select {
-		case l := <-logs:
-			if err != nil {
-				return
-			}
-
-			err = manager.WriteData(websocket.TextMessage, l, 10*time.Second)
-			if err != nil {
-				return
-			}
-		case <-done:
-			return
-		}
-	}
-}
--- a/internal/api/v1/docker/containers.go
+++ b/internal/api/v1/docker/containers.go
@@ -1,66 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"sort"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/gperr"
-)
-
-type ContainerState = container.ContainerState // @name ContainerState
-
-type Container struct {
-	Server string         `json:"server"`
-	Name   string         `json:"name"`
-	ID     string         `json:"id"`
-	Image  string         `json:"image"`
-	State  ContainerState `json:"state"`
-} // @name ContainerResponse
-
-// @x-id				"containers"
-// @BasePath		/api/v1
-// @Summary		Get containers
-// @Description	Get containers
-// @Tags			docker
-// @Produce		json
-// @Success		200	{array}		Container
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/docker/containers [get]
-func Containers(c *gin.Context) {
-	serveHTTP[Container](c, GetContainers)
-}
-
-func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
-	errs := gperr.NewBuilder("failed to get containers")
-	containers := make([]Container, 0)
-	for server, dockerClient := range dockerClients {
-		conts, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
-		if err != nil {
-			errs.Add(err)
-			continue
-		}
-		for _, cont := range conts {
-			containers = append(containers, Container{
-				Server: server,
-				Name:   cont.Names[0],
-				ID:     cont.ID,
-				Image:  cont.Image,
-				State:  cont.State,
-			})
-		}
-	}
-	sort.Slice(containers, func(i, j int) bool {
-		return containers[i].Name < containers[j].Name
-	})
-	if err := errs.Error(); err != nil {
-		gperr.LogError("failed to get containers", err)
-		if len(containers) == 0 {
-			return nil, err
-		}
-		return containers, nil
-	}
-	return containers, nil
-}
--- a/internal/api/v1/docker/info.go
+++ b/internal/api/v1/docker/info.go
@@ -1,79 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"sort"
-
-	dockerSystem "github.com/docker/docker/api/types/system"
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type containerStats struct {
-	Total   int `json:"total"`
-	Running int `json:"running"`
-	Paused  int `json:"paused"`
-	Stopped int `json:"stopped"`
-} // @name ContainerStats
-
-type dockerInfo struct {
-	Name          string         `json:"name"`
-	ServerVersion string         `json:"version"`
-	Containers    containerStats `json:"containers"`
-	Images        int            `json:"images"`
-	NCPU          int            `json:"n_cpu"`
-	MemTotal      string         `json:"memory"`
-} // @name ServerInfo
-
-func toDockerInfo(info dockerSystem.Info) dockerInfo {
-	return dockerInfo{
-		Name:          info.Name,
-		ServerVersion: info.ServerVersion,
-		Containers: containerStats{
-			Total:   info.ContainersRunning,
-			Running: info.ContainersRunning,
-			Paused:  info.ContainersPaused,
-			Stopped: info.ContainersStopped,
-		},
-		Images:   info.Images,
-		NCPU:     info.NCPU,
-		MemTotal: strutils.FormatByteSize(info.MemTotal),
-	}
-}
-
-// @x-id				"info"
-// @BasePath		/api/v1
-// @Summary		Get docker info
-// @Description	Get docker info
-// @Tags			docker
-// @Produce		json
-// @Success		200	{object}		dockerInfo
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/docker/info [get]
-func Info(c *gin.Context) {
-	serveHTTP[dockerInfo](c, GetDockerInfo)
-}
-
-func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
-	errs := gperr.NewBuilder("failed to get docker info")
-	dockerInfos := make([]dockerInfo, len(dockerClients))
-
-	i := 0
-	for name, dockerClient := range dockerClients {
-		info, err := dockerClient.Info(ctx)
-		if err != nil {
-			errs.Add(err)
-			continue
-		}
-		info.Name = name
-		dockerInfos[i] = toDockerInfo(info)
-		i++
-	}
-
-	sort.Slice(dockerInfos, func(i, j int) bool {
-		return dockerInfos[i].Name < dockerInfos[j].Name
-	})
-	return dockerInfos, errs.Error()
-}
--- a/internal/api/v1/docker/logs.go
+++ b/internal/api/v1/docker/logs.go
@@ -1,113 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"errors"
-	"net/http"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/gin-gonic/gin"
-	"github.com/rs/zerolog/log"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/task"
-)
-
-type LogsPathParams struct {
-	Server      string `uri:"server" binding:"required"`
-	ContainerID string `uri:"container" binding:"required"`
-} //	@name	LogsPathParams
-
-type LogsQueryParams struct {
-	Stdout bool   `form:"stdout,default=true"`
-	Stderr bool   `form:"stderr,default=true"`
-	Since  string `form:"from"`
-	Until  string `form:"to"`
-	Levels string `form:"levels"`
-} //	@name	LogsQueryParams
-
-// @x-id				"logs"
-// @BasePath		/api/v1
-// @Summary		Get docker container logs
-// @Description	Get docker container logs
-// @Tags			docker,websocket
-// @Accept			json
-// @Produce		json
-// @Param			server		path	string	true	"server name"
-// @Param			container	path	string	true	"container id"
-// @Param			stdout		query	bool	false	"show stdout"
-// @Param			stderr		query	bool	false	"show stderr"
-// @Param			from		query	string	false	"from timestamp"
-// @Param			to			query	string	false	"to timestamp"
-// @Param			levels		query	string	false	"levels"
-// @Success		200
-// @Failure		400	{object}	apitypes.ErrorResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		404	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/docker/logs/{server}/{container} [get]
-func Logs(c *gin.Context) {
-	var pathParams LogsPathParams
-	var queryParams LogsQueryParams
-	if err := c.ShouldBindQuery(&queryParams); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid query params"))
-		return
-	}
-	if err := c.ShouldBindUri(&pathParams); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid path params"))
-		return
-	}
-	// TODO: implement levels
-
-	dockerClient, found, err := getDockerClient(pathParams.Server)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to get docker client"))
-		return
-	}
-	if !found {
-		c.JSON(http.StatusNotFound, apitypes.Error("server not found"))
-		return
-	}
-	defer dockerClient.Close()
-
-	opts := container.LogsOptions{
-		ShowStdout: queryParams.Stdout,
-		ShowStderr: queryParams.Stderr,
-		Since:      queryParams.Since,
-		Until:      queryParams.Until,
-		Timestamps: true,
-		Follow:     true,
-		Tail:       "100",
-	}
-	if queryParams.Levels != "" {
-		opts.Details = true
-	}
-
-	logs, err := dockerClient.ContainerLogs(c.Request.Context(), pathParams.ContainerID, opts)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to get container logs"))
-		return
-	}
-	defer logs.Close()
-
-	manager, err := websocket.NewManagerWithUpgrade(c)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
-		return
-	}
-	defer manager.Close()
-
-	writer := manager.NewWriter(websocket.TextMessage)
-
-	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
-	if err != nil {
-		if errors.Is(err, context.Canceled) || errors.Is(err, task.ErrProgramExiting) {
-			return
-		}
-		log.Err(err).
-			Str("server", pathParams.Server).
-			Str("container", pathParams.ContainerID).
-			Msg("failed to de-multiplex logs")
-	}
-}
--- a/internal/api/v1/docker/utils.go
+++ b/internal/api/v1/docker/utils.go
@@ -1,121 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-)
-
-type (
-	DockerClients     map[string]*docker.SharedClient
-	ResultType[T any] interface {
-		map[string]T | []T
-	}
-)
-
-// getDockerClients returns a map of docker clients for the current config.
-//
-// Returns a map of docker clients by server name and an error if any.
-//
-// Even if there are errors, the map of docker clients might not be empty.
-func getDockerClients() (DockerClients, gperr.Error) {
-	cfg := config.GetInstance()
-
-	dockerHosts := cfg.Value().Providers.Docker
-	dockerClients := make(DockerClients)
-
-	connErrs := gperr.NewBuilder("failed to connect to docker")
-
-	for name, host := range dockerHosts {
-		dockerClient, err := docker.NewClient(host)
-		if err != nil {
-			connErrs.Add(err)
-			continue
-		}
-		dockerClients[name] = dockerClient
-	}
-
-	for _, agent := range agent.ListAgents() {
-		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
-		if err != nil {
-			connErrs.Add(err)
-			continue
-		}
-		dockerClients[agent.Name] = dockerClient
-	}
-
-	return dockerClients, connErrs.Error()
-}
-
-func getDockerClient(server string) (*docker.SharedClient, bool, error) {
-	cfg := config.GetInstance()
-	var host string
-	for name, h := range cfg.Value().Providers.Docker {
-		if name == server {
-			host = h
-			break
-		}
-	}
-	if host == "" {
-		for _, agent := range agent.ListAgents() {
-			if agent.Name == server {
-				host = agent.FakeDockerHost()
-				break
-			}
-		}
-	}
-	if host == "" {
-		return nil, false, nil
-	}
-	dockerClient, err := docker.NewClient(host)
-	if err != nil {
-		return nil, false, err
-	}
-	return dockerClient, true, nil
-}
-
-// closeAllClients closes all docker clients after a delay.
-//
-// This is used to ensure that all docker clients are closed after the http handler returns.
-func closeAllClients(dockerClients DockerClients) {
-	for _, dockerClient := range dockerClients {
-		dockerClient.Close()
-	}
-}
-
-func handleResult[V any, T ResultType[V]](c *gin.Context, errs error, result T) {
-	if errs != nil {
-		if len(result) == 0 {
-			c.Error(apitypes.InternalServerError(errs, "docker errors"))
-			return
-		}
-	}
-	c.JSON(http.StatusOK, result)
-}
-
-func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
-	dockerClients, err := getDockerClients()
-	if err != nil {
-		handleResult[V, T](c, err, nil)
-		return
-	}
-	defer closeAllClients(dockerClients)
-
-	if httpheaders.IsWebsocket(c.Request.Header) {
-		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
-			return getResult(c.Request.Context(), dockerClients)
-		})
-	} else {
-		result, err := getResult(c.Request.Context(), dockerClients)
-		handleResult[V](c, err, result)
-	}
-}
--- a/internal/api/v1/docs/docs.go
+++ b/internal/api/v1/docs/docs.go
--- a/internal/api/v1/docs/swagger.json
+++ b/internal/api/v1/docs/swagger.json
--- a/internal/api/v1/docs/swagger.yaml
+++ b/internal/api/v1/docs/swagger.yaml
--- a/internal/api/v1/favicon.go
+++ b/internal/api/v1/favicon.go
@@ -1,91 +0,0 @@
-package v1
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-type GetFavIconRequest struct {
-	URL   string `form:"url" binding:"required_without=Alias"`
-	Alias string `form:"alias" binding:"required_without=URL"`
-} //	@name	GetFavIconRequest
-
-// @x-id				"favicon"
-// @BasePath		/api/v1
-// @Summary		Get favicon
-// @Description	Get favicon
-// @Tags			v1
-// @Accept			json
-// @Produce		image/svg+xml,image/x-icon,image/png,image/webp
-// @Param			url		query		string	false	"URL of the route"
-// @Param			alias	query		string	false	"Alias of the route"
-// @Success		200		{array}		homepage.FetchResult
-// @Failure		400		{object}	apitypes.ErrorResponse "Bad Request: alias is empty or route is not HTTPRoute"
-// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden: unauthorized"
-// @Failure		404		{object}	apitypes.ErrorResponse "Not Found: route or icon not found"
-// @Failure		500		{object}	apitypes.ErrorResponse "Internal Server Error: internal error"
-// @Router			/favicon [get]
-func FavIcon(c *gin.Context) {
-	var request GetFavIconRequest
-	if err := c.ShouldBindQuery(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-
-	// try with url
-	if request.URL != "" {
-		var iconURL homepage.IconURL
-		if err := iconURL.Parse(request.URL); err != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid url", err))
-			return
-		}
-		fetchResult := homepage.FetchFavIconFromURL(c.Request.Context(), &iconURL)
-		if !fetchResult.OK() {
-			c.JSON(fetchResult.StatusCode, apitypes.Error(fetchResult.ErrMsg))
-			return
-		}
-		c.Data(fetchResult.StatusCode, fetchResult.ContentType(), fetchResult.Icon)
-		return
-	}
-
-	// try with alias
-	result := GetFavIconFromAlias(c.Request.Context(), request.Alias)
-	if !result.OK() {
-		c.JSON(result.StatusCode, apitypes.Error(result.ErrMsg))
-		return
-	}
-	c.Data(result.StatusCode, result.ContentType(), result.Icon)
-}
-
-func GetFavIconFromAlias(ctx context.Context, alias string) *homepage.FetchResult {
-	// try with route.Icon
-	r, ok := routes.HTTP.Get(alias)
-	if !ok {
-		return &homepage.FetchResult{
-			StatusCode: http.StatusNotFound,
-			ErrMsg:     "route not found",
-		}
-	}
-
-	var result *homepage.FetchResult
-	hp := r.HomepageItem()
-	if hp.Icon != nil {
-		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = homepage.FindIcon(ctx, r, *hp.Icon.FullURL)
-		} else {
-			result = homepage.FetchFavIconFromURL(ctx, hp.Icon)
-		}
-	} else {
-		// try extract from "link[rel=icon]"
-		result = homepage.FindIcon(ctx, r, "/")
-	}
-	if result.StatusCode == 0 {
-		result.StatusCode = http.StatusOK
-	}
-	return result
-}
--- a/internal/api/v1/file/get.go
+++ b/internal/api/v1/file/get.go
@@ -1,73 +0,0 @@
-package fileapi
-
-import (
-	"net/http"
-	"os"
-	"path"
-	"strings"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/common"
-)
-
-type FileType string // @name FileType
-
-const (
-	FileTypeConfig     FileType = "config"     // @name FileTypeConfig
-	FileTypeProvider   FileType = "provider"   // @name FileTypeProvider
-	FileTypeMiddleware FileType = "middleware" // @name FileTypeMiddleware
-)
-
-type GetFileContentRequest struct {
-	FileType FileType `form:"type" binding:"required,oneof=config provider middleware"`
-	Filename string   `form:"filename" binding:"required" format:"filename"`
-} //	@name	GetFileContentRequest
-
-// @x-id				"get"
-// @BasePath		/api/v1
-// @Summary		Get file content
-// @Description	Get file content
-// @Tags			file
-// @Accept			json
-// @Produce		json,application/godoxy+yaml
-// @Param			query	query		GetFileContentRequest	true	"Request"
-// @Success		200			{string}	application/godoxy+yaml	"File content"
-// @Failure		400			{object}	apitypes.ErrorResponse
-// @Failure		403			{object}	apitypes.ErrorResponse
-// @Failure		500			{object}	apitypes.ErrorResponse
-// @Router			/file/content [get]
-func Get(c *gin.Context) {
-	var request GetFileContentRequest
-	if err := c.ShouldBindQuery(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-
-	content, err := os.ReadFile(request.FileType.GetPath(request.Filename))
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to read file"))
-		return
-	}
-
-	// RFC 9512: https://www.rfc-editor.org/rfc/rfc9512.html
-	// xxx/yyy+yaml
-	c.Data(http.StatusOK, "application/godoxy+yaml", content)
-}
-
-func GetFileType(file string) FileType {
-	switch {
-	case strings.HasPrefix(path.Base(file), "config."):
-		return FileTypeConfig
-	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
-		return FileTypeMiddleware
-	}
-	return FileTypeProvider
-}
-
-func (t FileType) GetPath(filename string) string {
-	if t == FileTypeMiddleware {
-		return path.Join(common.MiddlewareComposeBasePath, filename)
-	}
-	return path.Join(common.ConfigBasePath, filename)
-}
--- a/internal/api/v1/file/list.go
+++ b/internal/api/v1/file/list.go
@@ -1,62 +0,0 @@
-package fileapi
-
-import (
-	"net/http"
-	"strings"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-type ListFilesResponse struct {
-	Config     []string `json:"config"`
-	Provider   []string `json:"provider"`
-	Middleware []string `json:"middleware"`
-} // @name ListFilesResponse
-
-// @x-id				"list"
-// @BasePath		/api/v1
-// @Summary		List files
-// @Description	List files
-// @Tags			file
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	ListFilesResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/file/list [get]
-func List(c *gin.Context) {
-	resp := map[FileType][]string{
-		FileTypeConfig:     make([]string, 0),
-		FileTypeProvider:   make([]string, 0),
-		FileTypeMiddleware: make([]string, 0),
-	}
-
-	// config/
-	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to list files"))
-		return
-	}
-
-	for _, file := range files {
-		t := GetFileType(file)
-		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
-		resp[t] = append(resp[t], file)
-	}
-
-	// config/middlewares/
-	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to list files"))
-		return
-	}
-	for _, mid := range mids {
-		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
-		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
-	}
-
-	c.JSON(http.StatusOK, resp)
-}
--- a/internal/api/v1/file/set.go
+++ b/internal/api/v1/file/set.go
@@ -1,52 +0,0 @@
-package fileapi
-
-import (
-	"net/http"
-	"os"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-)
-
-type SetFileContentRequest GetFileContentRequest
-
-// @x-id				"set"
-// @BasePath		/api/v1
-// @Summary		Set file content
-// @Description	Set file content
-// @Tags			file
-// @Accept			text/plain
-// @Produce		json
-// @Param			type		query		FileType	true	"Type"
-// @Param			filename	query		string		true	"Filename"
-// @Param			file		body		string		true	"File"
-// @Success		200			{object}	apitypes.SuccessResponse
-// @Failure		400			{object}	apitypes.ErrorResponse
-// @Failure		403			{object}	apitypes.ErrorResponse
-// @Failure		500			{object}	apitypes.ErrorResponse
-// @Router			/file/content [put]
-func Set(c *gin.Context) {
-	var request SetFileContentRequest
-	if err := c.ShouldBindQuery(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-
-	content, err := c.GetRawData()
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to read file"))
-		return
-	}
-
-	if valErr := validateFile(request.FileType, content); valErr != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid file", valErr))
-		return
-	}
-
-	err = os.WriteFile(request.FileType.GetPath(request.Filename), content, 0o644)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to write file"))
-		return
-	}
-	c.JSON(http.StatusOK, apitypes.Success("file set"))
-}
--- a/internal/api/v1/file/validate.go
+++ b/internal/api/v1/file/validate.go
@@ -1,64 +0,0 @@
-package fileapi
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/provider"
-)
-
-type ValidateFileRequest struct {
-	FileType FileType `form:"type" validate:"required,oneof=config provider middleware"`
-} //	@name	ValidateFileRequest
-
-// @x-id				"validate"
-// @BasePath		/api/v1
-// @Summary		Validate file
-// @Description	Validate file
-// @Tags			file
-// @Accept			text/plain
-// @Produce		json
-// @Param			type	query		FileType	true	"Type"
-// @Param			file	body		string		true	"File content"
-// @Success		200		{object}	apitypes.SuccessResponse "File validated"
-// @Failure		400		{object}	apitypes.ErrorResponse "Bad request"
-// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden"
-// @Failure		417		{object}	any "Validation failed"
-// @Failure		500		{object}	apitypes.ErrorResponse "Internal server error"
-// @Router			/file/validate [post]
-func Validate(c *gin.Context) {
-	var request ValidateFileRequest
-	if err := c.ShouldBindQuery(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-
-	content, err := c.GetRawData()
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to read file"))
-		return
-	}
-	c.Request.Body.Close()
-
-	if valErr := validateFile(request.FileType, content); valErr != nil {
-		c.JSON(http.StatusExpectationFailed, valErr)
-		return
-	}
-	c.JSON(http.StatusOK, apitypes.Success("file validated"))
-}
-
-func validateFile(fileType FileType, content []byte) gperr.Error {
-	switch fileType {
-	case FileTypeConfig:
-		return config.Validate(content)
-	case FileTypeMiddleware:
-		errs := gperr.NewBuilder("middleware errors")
-		middleware.BuildMiddlewaresFromYAML("", content, errs)
-		return errs.Error()
-	}
-	return provider.Validate(content)
-}
--- a/internal/api/v1/health.go
+++ b/internal/api/v1/health.go
@@ -1,34 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-type HealthMap = map[string]routes.HealthInfo //	@name	HealthMap
-
-// @x-id				"health"
-// @BasePath		/api/v1
-// @Summary		Get routes health info
-// @Description	Get health info by route name
-// @Tags			v1,websocket
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	HealthMap "Health info by route name"
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/health [get]
-func Health(c *gin.Context) {
-	if httpheaders.IsWebsocket(c.Request.Header) {
-		websocket.PeriodicWrite(c, 1*time.Second, func() (any, error) {
-			return routes.GetHealthInfo(), nil
-		})
-	} else {
-		c.JSON(http.StatusOK, routes.GetHealthInfo())
-	}
-}
--- a/internal/api/v1/homepage/categories.go
+++ b/internal/api/v1/homepage/categories.go
@@ -1,22 +0,0 @@
-package homepageapi
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-// @x-id				"categories"
-// @BasePath		/api/v1
-// @Summary		List homepage categories
-// @Description	List homepage categories
-// @Tags			homepage
-// @Accept			json
-// @Produce		json
-// @Success		200	{array}		string
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Router			/homepage/categories [get]
-func Categories(c *gin.Context) {
-	c.JSON(http.StatusOK, routes.HomepageCategories())
-}
--- a/internal/api/v1/homepage/items.go
+++ b/internal/api/v1/homepage/items.go
@@ -1,46 +0,0 @@
-package homepageapi
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-type HomepageItemsRequest struct {
-	Category string `form:"category" validate:"omitempty"`
-	Provider string `form:"provider" validate:"omitempty"`
-} //	@name	HomepageItemsRequest
-
-// @x-id				"items"
-// @BasePath		/api/v1
-// @Summary		Homepage items
-// @Description	Homepage items
-// @Tags			homepage
-// @Accept			json
-// @Produce		json
-// @Param			category	query		string	false	"Category filter"
-// @Param			provider	query		string	false	"Provider filter"
-// @Success		200			{object}	homepage.Homepage
-// @Failure		400			{object}	apitypes.ErrorResponse
-// @Failure		403			{object}	apitypes.ErrorResponse
-// @Router			/homepage/items [get]
-func Items(c *gin.Context) {
-	var request HomepageItemsRequest
-	if err := c.ShouldBindQuery(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-
-	proto := "http"
-	if c.Request.TLS != nil || c.GetHeader("X-Forwarded-Proto") == "https" {
-		proto = "https"
-	}
-	hostname := c.Request.Host
-	if host := c.GetHeader("X-Forwarded-Host"); host != "" {
-		hostname = host
-	}
-
-	c.JSON(http.StatusOK, routes.HomepageItems(proto, hostname, request.Category, request.Provider))
-}
--- a/internal/api/v1/homepage/overrides.go
+++ b/internal/api/v1/homepage/overrides.go
@@ -1,145 +0,0 @@
-package homepageapi
-
-import (
-	"encoding/json"
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/homepage"
-)
-
-type (
-	HomepageOverrideItemParams struct {
-		Which string              `json:"which"`
-		Value homepage.ItemConfig `json:"value"`
-	} //	@name	HomepageOverrideItemParams
-	HomepageOverrideItemsBatchParams struct {
-		Value map[string]*homepage.ItemConfig `json:"value"`
-	} //	@name	HomepageOverrideItemsBatchParams
-	HomepageOverrideCategoryOrderParams struct {
-		Which string `json:"which"`
-		Value int    `json:"value"`
-	} //	@name	HomepageOverrideCategoryOrderParams
-	HomepageOverrideItemVisibleParams struct {
-		Which []string `json:"which"`
-		Value bool     `json:"value"`
-	} //	@name	HomepageOverrideItemVisibleParams
-)
-
-// @x-id				"set-item"
-// @BasePath		/api/v1
-// @Summary		Override single homepage item
-// @Description	Override single homepage item.
-// @Tags			homepage
-// @Accept		json
-// @Produce		json
-// @Param		request	body		HomepageOverrideItemParams	true	"Override single item"
-// @Success		200		{object}	apitypes.SuccessResponse
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		500		{object}	apitypes.ErrorResponse
-// @Router			/homepage/set/item [post]
-func SetItem(c *gin.Context) {
-	var params HomepageOverrideItemParams
-	if err := c.ShouldBindJSON(&params); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-	overrides := homepage.GetOverrideConfig()
-	overrides.OverrideItem(params.Which, &params.Value)
-	c.JSON(http.StatusOK, apitypes.Success("success"))
-}
-
-// @x-id				"set-items-batch"
-// @BasePath		/api/v1
-// @Summary		Override multiple homepage items
-// @Description	Override multiple homepage items.
-// @Tags			homepage
-// @Accept		json
-// @Produce		json
-// @Param		request	body		HomepageOverrideItemsBatchParams	true	"Override multiple items"
-// @Success		200		{object}	apitypes.SuccessResponse
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		500		{object}	apitypes.ErrorResponse
-// @Router			/homepage/set/items_batch [post]
-func SetItemsBatch(c *gin.Context) {
-	var params HomepageOverrideItemsBatchParams
-	if err := c.ShouldBindJSON(&params); err != nil {
-		data, derr := c.GetRawData()
-		if derr != nil {
-			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
-			return
-		}
-		if uerr := json.Unmarshal(data, &params); uerr != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
-			return
-		}
-	}
-	overrides := homepage.GetOverrideConfig()
-	overrides.OverrideItems(params.Value)
-	c.JSON(http.StatusOK, apitypes.Success("success"))
-}
-
-// @x-id				"set-item-visible"
-// @BasePath		/api/v1
-// @Summary		Set homepage item visibility
-// @Description	POST list of item ids and visibility value.
-// @Tags			homepage
-// @Accept		json
-// @Produce		json
-// @Param		request	body		HomepageOverrideItemVisibleParams	true	"Set item visibility"
-// @Success		200		{object}	apitypes.SuccessResponse
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		500		{object}	apitypes.ErrorResponse
-// @Router			/homepage/set/item_visible [post]
-func SetItemVisible(c *gin.Context) {
-	var params HomepageOverrideItemVisibleParams
-	if err := c.ShouldBindJSON(&params); err != nil {
-		data, derr := c.GetRawData()
-		if derr != nil {
-			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
-			return
-		}
-		if uerr := json.Unmarshal(data, &params); uerr != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
-			return
-		}
-	}
-	overrides := homepage.GetOverrideConfig()
-	if params.Value {
-		overrides.UnhideItems(params.Which)
-	} else {
-		overrides.HideItems(params.Which)
-	}
-	c.JSON(http.StatusOK, apitypes.Success("success"))
-}
-
-// @x-id				"set-category-order"
-// @BasePath		/api/v1
-// @Summary		Set homepage category order
-// @Description	Set homepage category order.
-// @Tags			homepage
-// @Accept		json
-// @Produce		json
-// @Param		request	body		HomepageOverrideCategoryOrderParams	true	"Override category order"
-// @Success		200		{object}	apitypes.SuccessResponse
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		500		{object}	apitypes.ErrorResponse
-// @Router			/homepage/set/category_order [post]
-func SetCategoryOrder(c *gin.Context) {
-	var params HomepageOverrideCategoryOrderParams
-	if err := c.ShouldBindJSON(&params); err != nil {
-		data, derr := c.GetRawData()
-		if derr != nil {
-			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
-			return
-		}
-		if uerr := json.Unmarshal(data, &params); uerr != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
-			return
-		}
-	}
-	overrides := homepage.GetOverrideConfig()
-	overrides.SetCategoryOrder(params.Which, params.Value)
-	c.JSON(http.StatusOK, apitypes.Success("success"))
-}
--- a/internal/api/v1/icons.go
+++ b/internal/api/v1/icons.go
@@ -1,37 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/homepage"
-)
-
-type ListIconsRequest struct {
-	Limit   int    `form:"limit" validate:"omitempty,min=0"`
-	Keyword string `form:"keyword" validate:"required"`
-} //	@name	ListIconsRequest
-
-// @x-id				"icons"
-// @BasePath		/api/v1
-// @Summary		List icons
-// @Description	List icons
-// @Tags			v1
-// @Accept			json
-// @Produce		json
-// @Param			limit	query		int		false	"Limit"
-// @Param			keyword	query		string	false	"Keyword"
-// @Success		200		{array}		homepage.IconMetaSearch
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		403		{object}	apitypes.ErrorResponse
-// @Router			/icons [get]
-func Icons(c *gin.Context) {
-	var request ListIconsRequest
-	if err := c.ShouldBindQuery(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-	icons := homepage.SearchIcons(request.Keyword, request.Limit)
-	c.JSON(http.StatusOK, icons)
-}
--- a/internal/api/v1/metrics/system_info.go
+++ b/internal/api/v1/metrics/system_info.go
@@ -1,76 +0,0 @@
-package metrics
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/metrics/period"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	nettypes "github.com/yusing/go-proxy/internal/net/types"
-)
-
-type SystemInfoRequest struct {
-	AgentAddr string                             `query:"agent_addr"`
-	Aggregate systeminfo.SystemInfoAggregateMode `query:"aggregate"`
-	Period    period.Filter                      `query:"period"`
-} // @name SystemInfoRequest
-
-type SystemInfoAggregate period.ResponseType[systeminfo.Aggregated] // @name SystemInfoAggregate
-
-// @x-id				"system_info"
-// @BasePath		/api/v1
-// @Summary		Get system info
-// @Description	Get system info
-// @Tags			metrics,websocket
-// @Produce		json
-// @Param			request	query		SystemInfoRequest	false	"Request"
-// @Success		200			{object}	systeminfo.SystemInfo "no period specified"
-// @Success		200			{object}	SystemInfoAggregate "period specified"
-// @Failure		400			{object}	apitypes.ErrorResponse
-// @Failure		403			{object}	apitypes.ErrorResponse
-// @Failure		404			{object}	apitypes.ErrorResponse
-// @Failure		500			{object}	apitypes.ErrorResponse
-// @Router	 /metrics/system_info [get]
-func SystemInfo(c *gin.Context) {
-	query := c.Request.URL.Query()
-	agentAddr := query.Get("agent_addr")
-	query.Del("agent_addr")
-	if agentAddr == "" {
-		systeminfo.Poller.ServeHTTP(c)
-		return
-	}
-
-	agent, ok := agentPkg.GetAgent(agentAddr)
-	if !ok {
-		c.JSON(http.StatusNotFound, apitypes.Error("agent_addr not found"))
-		return
-	}
-
-	isWS := httpheaders.IsWebsocket(c.Request.Header)
-	if !isWS {
-		respData, status, err := agent.Forward(c.Request, agentPkg.EndpointSystemInfo)
-		if err != nil {
-			c.Error(apitypes.InternalServerError(err, "failed to forward request to agent"))
-			return
-		}
-		if status != http.StatusOK {
-			c.JSON(status, apitypes.Error(string(respData)))
-			return
-		}
-		c.JSON(status, respData)
-	} else {
-		rp := reverseproxy.NewReverseProxy("agent", nettypes.NewURL(agentPkg.AgentURL), agent.Transport())
-		header := c.Request.Header.Clone()
-		r, err := http.NewRequestWithContext(c.Request.Context(), c.Request.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
-		if err != nil {
-			c.Error(apitypes.InternalServerError(err, "failed to create request"))
-			return
-		}
-		r.Header = header
-		rp.ServeHTTP(c.Writer, r)
-	}
-}
--- a/internal/api/v1/metrics/upime.go
+++ b/internal/api/v1/metrics/upime.go
@@ -1,34 +0,0 @@
-package metrics
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/metrics/period"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
-)
-
-type UptimeRequest struct {
-	Limit    int           `query:"limit" example:"10" default:"0"`
-	Offset   int           `query:"offset" example:"10" default:"0"`
-	Interval period.Filter `query:"interval" example:"1m"`
-	Keyword  string        `query:"keyword" example:""`
-} // @name UptimeRequest
-
-type UptimeAggregate period.ResponseType[uptime.Aggregated] // @name UptimeAggregate
-
-// @x-id				"uptime"
-// @BasePath		/api/v1
-// @Summary		Get uptime
-// @Description	Get uptime
-// @Tags			metrics,websocket
-// @Produce   json
-// @Param			request	query		UptimeRequest	false	"Request"
-// @Success		200		{object}	uptime.StatusByAlias "no period specified"
-// @Success		200		{object}	UptimeAggregate "period specified"
-// @Success   204   {object}	apitypes.ErrorResponse
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		403		{object}	apitypes.ErrorResponse
-// @Failure		500		{object}	apitypes.ErrorResponse
-// @Router			/metrics/uptime [get]
-func Uptime(c *gin.Context) {
-	uptime.Poller.ServeHTTP(c)
-}
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -1,28 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-)
-
-// @x-id				"reload"
-// @BasePath		/api/v1
-// @Summary		Reload config
-// @Description	Reload config
-// @Tags			v1
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	apitypes.SuccessResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/reload [post]
-func Reload(c *gin.Context) {
-	if err := config.GetInstance().Reload(); err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to reload config"))
-		return
-	}
-	c.JSON(http.StatusOK, apitypes.Success("config reloaded"))
-}
--- a/internal/api/v1/route/by_provider.go
+++ b/internal/api/v1/route/by_provider.go
@@ -1,26 +0,0 @@
-package routeApi
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-type RoutesByProvider map[string][]route.Route
-
-// @x-id				"byProvider"
-// @BasePath		/api/v1
-// @Summary		List routes by provider
-// @Description	List routes by provider
-// @Tags			route
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	RoutesByProvider
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/route/by_provider [get]
-func ByProvider(c *gin.Context) {
-	c.JSON(http.StatusOK, routes.ByProvider())
-}
--- a/internal/api/v1/route/providers.go
+++ b/internal/api/v1/route/providers.go
@@ -1,33 +0,0 @@
-package routeApi
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-)
-
-// @x-id				"providers"
-// @BasePath		/api/v1
-// @Summary		List route providers
-// @Description	List route providers
-// @Tags			route,websocket
-// @Accept			json
-// @Produce		json
-// @Success		200	{array}		config.RouteProviderListResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/route/providers [get]
-func Providers(c *gin.Context) {
-	cfg := config.GetInstance()
-	if httpheaders.IsWebsocket(c.Request.Header) {
-		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
-			return config.GetInstance().RouteProviderList(), nil
-		})
-	} else {
-		c.JSON(http.StatusOK, cfg.RouteProviderList())
-	}
-}
--- a/internal/api/v1/route/route.go
+++ b/internal/api/v1/route/route.go
@@ -1,41 +0,0 @@
-package routeApi
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/route/routes"
-)
-
-type ListRouteRequest struct {
-	Which string `uri:"which" validate:"required"`
-} //	@name	ListRouteRequest
-
-// @x-id				"route"
-// @BasePath		/api/v1
-// @Summary		List route
-// @Description	List route
-// @Tags			route
-// @Accept			json
-// @Produce		json
-// @Param			which	path		string	true	"Route name"
-// @Success		200		{object}	RouteType
-// @Failure		400		{object}	apitypes.ErrorResponse
-// @Failure		403		{object}	apitypes.ErrorResponse
-// @Failure		404		{object}	apitypes.ErrorResponse
-// @Router			/route/{which} [get]
-func Route(c *gin.Context) {
-	var request ListRouteRequest
-	if err := c.ShouldBindUri(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
-		return
-	}
-
-	route, ok := routes.Get(request.Which)
-	if ok {
-		c.JSON(http.StatusOK, route)
-	} else {
-		c.JSON(http.StatusNotFound, nil)
-	}
-}
--- a/internal/api/v1/route/routes.go
+++ b/internal/api/v1/route/routes.go
@@ -1,68 +0,0 @@
-package routeApi
-
-import (
-	"net/http"
-	"slices"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	"github.com/yusing/go-proxy/internal/types"
-)
-
-type RouteType route.Route // @name Route
-
-// @x-id				"routes"
-// @BasePath		/api/v1
-// @Summary		List routes
-// @Description	List routes
-// @Tags			route,websocket
-// @Accept			json
-// @Produce		json
-// @Param			provider	query		string	false	"Provider"
-// @Success		200			{array}		RouteType
-// @Failure		403			{object}	apitypes.ErrorResponse
-// @Router			/route/list [get]
-func Routes(c *gin.Context) {
-	if httpheaders.IsWebsocket(c.Request.Header) {
-		RoutesWS(c)
-		return
-	}
-
-	provider := c.Query("provider")
-	if provider == "" {
-		c.JSON(http.StatusOK, slices.Collect(routes.Iter))
-		return
-	}
-
-	rts := make([]types.Route, 0, routes.NumRoutes())
-	for r := range routes.Iter {
-		if r.ProviderName() == provider {
-			rts = append(rts, r)
-		}
-	}
-	c.JSON(http.StatusOK, rts)
-}
-
-func RoutesWS(c *gin.Context) {
-	provider := c.Query("provider")
-	if provider == "" {
-		websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
-			return slices.Collect(routes.Iter), nil
-		})
-		return
-	}
-
-	websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
-		rts := make([]types.Route, 0, routes.NumRoutes())
-		for r := range routes.Iter {
-			if r.ProviderName() == provider {
-				rts = append(rts, r)
-			}
-		}
-		return rts, nil
-	})
-}
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -1,55 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/types"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type StatsResponse struct {
-	Proxies ProxyStats `json:"proxies"`
-	Uptime  string     `json:"uptime"`
-} //	@name	StatsResponse
-
-type ProxyStats struct {
-	Total          uint16                         `json:"total"`
-	ReverseProxies types.RouteStats               `json:"reverse_proxies"`
-	Streams        types.RouteStats               `json:"streams"`
-	Providers      map[string]types.ProviderStats `json:"providers"`
-} //	@name	ProxyStats
-
-// @x-id				"stats"
-// @BasePath		/api/v1
-// @Summary		Get GoDoxy stats
-// @Description	Get stats
-// @Tags			v1,websocket
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	StatsResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/stats [get]
-func Stats(c *gin.Context) {
-	cfg := config.GetInstance()
-	getStats := func() (any, error) {
-		return map[string]any{
-			"proxies": cfg.Statistics(),
-			"uptime":  strutils.FormatDuration(time.Since(startTime)),
-		}, nil
-	}
-
-	if httpheaders.IsWebsocket(c.Request.Header) {
-		websocket.PeriodicWrite(c, time.Second, getStats)
-	} else {
-		stats, _ := getStats()
-		c.JSON(http.StatusOK, stats)
-	}
-}
-
-var startTime = time.Now()
--- a/Show More
+++ b/Show More