chore(deps): update plugin and linter versions in trunk.yaml

- Updated trunk plugin reference from v1.7.2 to v1.7.4
- Upgraded Go runtime from 1.24.3 to 1.25.6
- Updated linting tools: checkov to 3.2.500, golangci-lint2 to 2.8.0, actionlint to 1.7.10, osv-scanner to 2.3.2, oxipng to 10.1.0, and prettier to 3.8.1
- Updated trufflehog to 3.93.1
- Added ignore rule for all linters in internal/api/v1/docs/**

.gitignore

@@ -40,4 +40,8 @@ tsconfig.tsbuildinfo
 
 !agent.compose.yml
 !agent/pkg/**
-dev-data/
+dev-data/
+
+RELEASE_NOTES.md
+CLAUDE.md
+.kilocode/**

.trunk/trunk.yaml

@@ -7,32 +7,37 @@ cli:
 plugins:
   sources:
     - id: trunk
-      ref: v1.7.2
+      ref: v1.7.4
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
   enabled:
     - node@22.16.0
     - python@3.10.8
-    - go@1.24.3
+    - go@1.25.6
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
   disabled:
     - markdownlint
     - yamllint
   enabled:
-    - checkov@3.2.471
-    - golangci-lint2@2.5.0
+    - checkov@3.2.500
+    - golangci-lint2@2.8.0
     - hadolint@2.14.0
-    - actionlint@1.7.7
+    - actionlint@1.7.10
     - git-diff-check
     - gofmt@1.20.4
-    - osv-scanner@2.2.2
-    - oxipng@9.1.5
-    - prettier@3.6.2
+    - osv-scanner@2.3.2
+    - oxipng@10.1.0
+    - prettier@3.8.1
     - shellcheck@0.11.0
     - shfmt@3.6.0
-    - trufflehog@3.90.8
+    - trufflehog@3.93.1
+  ignore:
+    - linters: [ALL]
+      paths:
+        - internal/api/v1/docs/**
+
 actions:
   disabled:
     - trunk-announce

CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+yusing@6uo.me.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.25.6-alpine AS deps
+FROM golang:1.25.7-alpine AS deps
 HEALTHCHECK NONE
 
 # package version does not matter

Makefile

@@ -92,7 +92,7 @@ docker-build-test:
 
 go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
 files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
-gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
+gomod_paths := $(shell find . -name go.mod -type f | grep -vE '^./internal/(go-oidc|go-proxmox|gopsutil)/' | xargs dirname)
 
 update-go:
 	for file in ${files}; do \

agent/cmd/main.go

@@ -19,7 +19,6 @@ import (
 	"github.com/yusing/godoxy/agent/pkg/handler"
 	"github.com/yusing/godoxy/internal/metrics/systeminfo"
 	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
-	gperr "github.com/yusing/goutils/errs"
 	strutils "github.com/yusing/goutils/strings"
 	"github.com/yusing/goutils/task"
 	"github.com/yusing/goutils/version"
@@ -72,7 +71,7 @@ Tips:
 	// - Otherwise: route to HTTPS API handler
 	tcpListener, err := net.ListenTCP("tcp", &net.TCPAddr{Port: env.AgentPort})
 	if err != nil {
-		gperr.LogFatal("failed to listen on port", err)
+		log.Fatal().Err(err).Msg("failed to listen on port")
 	}
 
 	caCertPool := x509.NewCertPool()
@@ -148,7 +147,7 @@ Tips:
 		log.Info().Msgf("%s socket listening on: %s", runtime, socketproxy.ListenAddr)
 		l, err := net.Listen("tcp", socketproxy.ListenAddr)
 		if err != nil {
-			gperr.LogFatal("failed to listen on port", err)
+			log.Fatal().Err(err).Msg("failed to listen on port")
 		}
 		errLog := log.Logger.With().Str("level", "error").Str("component", "socketproxy").Logger()
 		srv := http.Server{
@@ -158,10 +157,15 @@ Tips:
 			},
 			ErrorLog: stdlog.New(&errLog, "", 0),
 		}
-		srv.Serve(l)
+		go func() {
+			err := srv.Serve(l)
+			if err != nil && !errors.Is(err, http.ErrServerClosed) {
+				log.Error().Err(err).Msg("socket proxy server stopped with error")
+			}
+		}()
 	}
 
-	systeminfo.Poller.Start()
+	systeminfo.Poller.Start(t)
 
 	task.WaitExit(3)
 }

agent/go.mod

@@ -1,6 +1,11 @@
 module github.com/yusing/godoxy/agent
 
-go 1.25.6
+go 1.25.7
+
+exclude (
+	github.com/moby/moby/api v1.53.0 // allow older daemon versions
+	github.com/moby/moby/client v0.2.2 // allow older daemon versions
+)
 
 replace (
 	github.com/shirou/gopsutil/v4 => ../internal/gopsutil
@@ -22,7 +27,7 @@ require (
 	github.com/pion/transport/v3 v3.1.1
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.11.1
-	github.com/yusing/godoxy v0.25.0
+	github.com/yusing/godoxy v0.25.3
 	github.com/yusing/godoxy/socketproxy v0.0.0-00010101000000-000000000000
 	github.com/yusing/goutils v0.7.0
 )
@@ -38,12 +43,12 @@ require (
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v29.1.5+incompatible // indirect
+	github.com/docker/cli v29.2.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -76,7 +81,7 @@ require (
 	github.com/puzpuzpuz/xsync/v4 v4.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.12 // indirect
+	github.com/shirou/gopsutil/v4 v4.26.1 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/tklauser/go-sysconf v0.3.16 // indirect
 	github.com/tklauser/numcpus v0.11.0 // indirect
@@ -85,15 +90,15 @@ require (
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasthttp v1.69.0 // indirect
 	github.com/yusing/ds v0.4.1 // indirect
-	github.com/yusing/gointernals v0.1.16 // indirect
-	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260125040745-bcc4b498f878 // indirect
-	github.com/yusing/goutils/http/websocket v0.0.0-20260125040745-bcc4b498f878 // indirect
+	github.com/yusing/gointernals v0.1.18 // indirect
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260207122228-56663372deda // indirect
+	github.com/yusing/goutils/http/websocket v0.0.0-20260207122228-56663372deda // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
-	go.opentelemetry.io/otel v1.39.0 // indirect
-	go.opentelemetry.io/otel/metric v1.39.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	golang.org/x/arch v0.23.0 // indirect
 	golang.org/x/crypto v0.47.0 // indirect
 	golang.org/x/net v0.49.0 // indirect

agent/go.sum

@@ -37,8 +37,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.1.5+incompatible h1:GckbANUt3j+lsnQ6eCcQd70mNSOismSHWt8vk2AX8ao=
-github.com/docker/cli v29.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg=
+github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -49,8 +49,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
@@ -82,8 +82,8 @@ github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PU
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -153,8 +153,8 @@ github.com/pion/transport/v3 v3.1.1 h1:Tr684+fnnKlhPceU+ICdrw6KKkTms+5qHMgw6bIkY
 github.com/pion/transport/v3 v3.1.1/go.mod h1:+c2eewC5WJQHiAA46fkMMzoYZSuGzA/7E2FPrOYHctQ=
 github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
 github.com/pion/transport/v4 v4.0.1/go.mod h1:nEuEA4AD5lPdcIegQDpVLgNoDGreqM/YqmEx3ovP4jM=
-github.com/pires/go-proxyproto v0.9.1 h1:wTPjpyk41pJm1Im9BqHtPLuhxfjxL+qNfSikx9ux0WY=
-github.com/pires/go-proxyproto v0.9.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pires/go-proxyproto v0.10.0 h1:08wrdt9NQYTjLWeag3EBIS7ZNi6Vwl3rGsEjVLaAhvU=
+github.com/pires/go-proxyproto v0.10.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
@@ -174,10 +174,10 @@ github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
 github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
-github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
-github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
-github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
-github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
+github.com/samber/slog-common v0.20.0 h1:WaLnm/aCvBJSk5nR5aXZTFBaV0B47A+AEaEOiZDeUnc=
+github.com/samber/slog-common v0.20.0/go.mod h1:+Ozat1jgnnE59UAlmNX1IF3IByHsODnnwf9jUcBZ+m8=
+github.com/samber/slog-zerolog/v2 v2.9.1 h1:RMOq8XqzfuGx1X0TEIlS9OXbbFmqLY2/wJppghz66YY=
+github.com/samber/slog-zerolog/v2 v2.9.1/go.mod h1:DQYYve14WgCRN/XnKeHl4266jXK0DgYkYXkfZ4Fp98k=
 github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
@@ -210,24 +210,24 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yusing/ds v0.4.1 h1:syMCh7hO6Yw8xfcFkEaln3W+lVeWB/U/meYv6Wf2/Ig=
 github.com/yusing/ds v0.4.1/go.mod h1:XhKV4l7cZwBbbl7lRzNC9zX27zvCM0frIwiuD40ULRk=
-github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
-github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
+github.com/yusing/gointernals v0.1.18 h1:ou8/0tPURUgAOBJu3TN/iWF4S/5ZYQaap+rVkaJNUMw=
+github.com/yusing/gointernals v0.1.18/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=

agent/pkg/agent/config.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -16,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/bytedance/sonic"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/yusing/godoxy/agent/pkg/agent/common"
@@ -150,7 +150,7 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 		// test stream server connection
 		const fakeAddress = "localhost:8080" // it won't be used, just for testing
 		// test TCP stream support
-		err := agentstream.TCPHealthCheck(cfg.Addr, cfg.caCert, cfg.clientCert)
+		err := agentstream.TCPHealthCheck(ctx, cfg.Addr, cfg.caCert, cfg.clientCert)
 		if err != nil {
 			streamUnsupportedErrs.Addf("failed to connect to stream server via TCP: %w", err)
 		} else {
@@ -158,7 +158,7 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 		}
 
 		// test UDP stream support
-		err = agentstream.UDPHealthCheck(cfg.Addr, cfg.caCert, cfg.clientCert)
+		err = agentstream.UDPHealthCheck(ctx, cfg.Addr, cfg.caCert, cfg.clientCert)
 		if err != nil {
 			streamUnsupportedErrs.Addf("failed to connect to stream server via UDP: %w", err)
 		} else {
@@ -216,7 +216,7 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 	cfg.l = log.With().Str("agent", cfg.Name).Logger()
 
 	if err := streamUnsupportedErrs.Error(); err != nil {
-		gperr.LogWarn("agent has limited/no stream tunneling support, TCP and UDP routes via agent will not work", err, &cfg.l)
+		cfg.l.Warn().Err(err).Msg("agent has limited/no stream tunneling support, TCP and UDP routes via agent will not work")
 	}
 
 	if serverVersion.IsNewerThanMajor(cfg.Version) {
@@ -313,8 +313,18 @@ func (cfg *AgentConfig) do(ctx context.Context, method, endpoint string, body io
 	if err != nil {
 		return nil, err
 	}
+
+	timeout := 5 * time.Second
+	if deadline, ok := ctx.Deadline(); ok {
+		remaining := time.Until(deadline)
+		if remaining > 0 {
+			timeout = remaining
+		}
+	}
+
 	client := http.Client{
 		Transport: cfg.Transport(),
+		Timeout:   timeout,
 	}
 	return client.Do(req)
 }
@@ -356,7 +366,7 @@ func (cfg *AgentConfig) fetchJSON(ctx context.Context, endpoint string, out any)
 		return resp.StatusCode, nil
 	}
 
-	err = json.Unmarshal(data, out)
+	err = sonic.Unmarshal(data, out)
 	if err != nil {
 		return 0, err
 	}

agent/pkg/agent/stream/tcp_client.go

@@ -1,6 +1,7 @@
 package stream
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
@@ -34,13 +35,13 @@ func NewTCPClient(serverAddr, targetAddress string, caCert *x509.Certificate, cl
 		return nil, err
 	}
 
-	return newTCPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	return newTCPClientWIthHeader(context.Background(), serverAddr, header, caCert, clientCert)
 }
 
-func TCPHealthCheck(serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
+func TCPHealthCheck(ctx context.Context, serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
 	header := NewStreamHealthCheckHeader()
 
-	conn, err := newTCPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	conn, err := newTCPClientWIthHeader(ctx, serverAddr, header, caCert, clientCert)
 	if err != nil {
 		return err
 	}
@@ -49,7 +50,7 @@ func TCPHealthCheck(serverAddr string, caCert *x509.Certificate, clientCert *tls
 	return nil
 }
 
-func newTCPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
+func newTCPClientWIthHeader(ctx context.Context, serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
 	// Setup TLS configuration
 	caCertPool := x509.NewCertPool()
 	caCertPool.AddCert(caCert)
@@ -62,17 +63,43 @@ func newTCPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCe
 		ServerName:   common.CertsDNSName,
 	}
 
+	dialer := &net.Dialer{
+		Timeout: dialTimeout,
+	}
+	tlsDialer := &tls.Dialer{
+		NetDialer: dialer,
+		Config:    tlsConfig,
+	}
+
 	// Establish TLS connection
-	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: dialTimeout}, "tcp", serverAddr, tlsConfig)
+	conn, err := tlsDialer.DialContext(ctx, "tcp", serverAddr)
 	if err != nil {
 		return nil, err
 	}
+
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		err := conn.SetWriteDeadline(deadline)
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
 	// Send the stream header once as a handshake.
 	if _, err := conn.Write(header.Bytes()); err != nil {
 		_ = conn.Close()
 		return nil, err
 	}
 
+	if hasDeadline {
+		// reset write deadline
+		err = conn.SetWriteDeadline(time.Time{})
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
+
 	return &TCPClient{
 		conn: conn,
 	}, nil

agent/pkg/agent/stream/tests/healthcheck_test.go

@@ -12,7 +12,7 @@ func TestTCPHealthCheck(t *testing.T) {
 
 	srv := startTCPServer(t, certs)
 
-	err := stream.TCPHealthCheck(srv.Addr.String(), certs.CaCert, certs.ClientCert)
+	err := stream.TCPHealthCheck(t.Context(), srv.Addr.String(), certs.CaCert, certs.ClientCert)
 	require.NoError(t, err, "health check")
 }
 
@@ -21,6 +21,6 @@ func TestUDPHealthCheck(t *testing.T) {
 
 	srv := startUDPServer(t, certs)
 
-	err := stream.UDPHealthCheck(srv.Addr.String(), certs.CaCert, certs.ClientCert)
+	err := stream.UDPHealthCheck(t.Context(), srv.Addr.String(), certs.CaCert, certs.ClientCert)
 	require.NoError(t, err, "health check")
 }

agent/pkg/agent/stream/udp_client.go

@@ -1,6 +1,7 @@
 package stream
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
@@ -35,10 +36,10 @@ func NewUDPClient(serverAddr, targetAddress string, caCert *x509.Certificate, cl
 		return nil, err
 	}
 
-	return newUDPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	return newUDPClientWIthHeader(context.Background(), serverAddr, header, caCert, clientCert)
 }
 
-func newUDPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
+func newUDPClientWIthHeader(ctx context.Context, serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
 	// Setup DTLS configuration
 	caCertPool := x509.NewCertPool()
 	caCertPool.AddCert(caCert)
@@ -62,21 +63,40 @@ func newUDPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCe
 	if err != nil {
 		return nil, err
 	}
+
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		err := conn.SetWriteDeadline(deadline)
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
+
 	// Send the stream header once as a handshake.
 	if _, err := conn.Write(header.Bytes()); err != nil {
 		_ = conn.Close()
 		return nil, err
 	}
 
+	if hasDeadline {
+		// reset write deadline
+		err = conn.SetWriteDeadline(time.Time{})
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
+
 	return &UDPClient{
 		conn: conn,
 	}, nil
 }
 
-func UDPHealthCheck(serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
+func UDPHealthCheck(ctx context.Context, serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
 	header := NewStreamHealthCheckHeader()
 
-	conn, err := newUDPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	conn, err := newUDPClientWIthHeader(ctx, serverAddr, header, caCert, clientCert)
 	if err != nil {
 		return err
 	}

cmd/bench_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25.6-alpine AS builder
+FROM golang:1.25.7-alpine AS builder
 
 HEALTHCHECK NONE
 

cmd/bench_server/go.mod

@@ -1,3 +1,3 @@
 module github.com/yusing/godoxy/cmd/bench_server
 
-go 1.25.6
+go 1.25.7

cmd/debug_page.go

@@ -181,7 +181,6 @@ func newApiHandler(debugMux *debugMux) *gin.Engine {
 		registerGinRoute(v1, "GET", "Route favicon", "/favicon", apiV1.FavIcon)
 		registerGinRoute(v1, "GET", "Route health", "/health", apiV1.Health)
 		registerGinRoute(v1, "GET", "List icons", "/icons", apiV1.Icons)
-		registerGinRoute(v1, "POST", "Config reload", "/reload", apiV1.Reload)
 		registerGinRoute(v1, "GET", "Route stats", "/stats", apiV1.Stats)
 
 		route := v1.Group("/route")

cmd/h2c_test_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25.6-alpine AS builder
+FROM golang:1.25.7-alpine AS builder
 
 HEALTHCHECK NONE
 

cmd/h2c_test_server/go.mod

@@ -1,6 +1,6 @@
 module github.com/yusing/godoxy/cmd/h2c_test_server
 
-go 1.25.6
+go 1.25.7
 
 require golang.org/x/net v0.49.0
 

cmd/main.go

@@ -1,12 +1,12 @@
 package main
 
 import (
+	"errors"
 	"os"
 	"sync"
 	"time"
 
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/godoxy/internal/api"
 	"github.com/yusing/godoxy/internal/auth"
 	"github.com/yusing/godoxy/internal/common"
 	"github.com/yusing/godoxy/internal/config"
@@ -14,12 +14,8 @@ import (
 	iconlist "github.com/yusing/godoxy/internal/homepage/icons/list"
 	"github.com/yusing/godoxy/internal/logging"
 	"github.com/yusing/godoxy/internal/logging/memlogger"
-	"github.com/yusing/godoxy/internal/metrics/systeminfo"
-	"github.com/yusing/godoxy/internal/metrics/uptime"
 	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
 	"github.com/yusing/godoxy/internal/route/rules"
-	gperr "github.com/yusing/goutils/errs"
-	"github.com/yusing/goutils/server"
 	"github.com/yusing/goutils/task"
 	"github.com/yusing/goutils/version"
 )
@@ -38,7 +34,7 @@ func main() {
 		select {
 		case <-done:
 			return
-		case <-time.After(time.Second * 10):
+		case <-time.After(common.InitTimeout):
 			log.Fatal().Msgf("timeout waiting for initialization to complete, exiting...")
 		}
 	}()
@@ -51,7 +47,6 @@ func main() {
 	parallel(
 		dnsproviders.InitProviders,
 		iconlist.InitCache,
-		systeminfo.Poller.Start,
 		middleware.LoadComposeFiles,
 	)
 
@@ -66,35 +61,20 @@ func main() {
 
 	err := config.Load()
 	if err != nil {
-		gperr.LogWarn("errors in config", err)
+		var criticalErr config.CriticalError
+		if errors.As(err, &criticalErr) {
+			log.Fatal().Err(criticalErr).Msg("critical error in config")
+		}
+		log.Warn().Err(err).Msg("errors in config")
 	}
 
-	config.StartProxyServers()
-
 	if err := auth.Initialize(); err != nil {
 		log.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
 	rules.InitAuthHandler(auth.AuthOrProceed)
 
-	// API Handler needs to start after auth is initialized.
-	server.StartServer(task.RootTask("api_server", false), server.Options{
-		Name:     "api",
-		HTTPAddr: common.APIHTTPAddr,
-		Handler:  api.NewHandler(true),
-	})
-
-	// Local API Handler is used for unauthenticated access.
-	if common.LocalAPIHTTPAddr != "" {
-		server.StartServer(task.RootTask("local_api_server", false), server.Options{
-			Name:     "local_api",
-			HTTPAddr: common.LocalAPIHTTPAddr,
-			Handler:  api.NewHandler(false),
-		})
-	}
-
 	listenDebugServer()
 
-	uptime.Poller.Start()
 	config.WatchChanges()
 
 	close(done)

compose.example.yml

@@ -31,8 +31,8 @@ services:
     user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
     read_only: true
     tmpfs:
-      - /app/.next/cache # next image caching
-
+      - /tmp:rw
+      - /app/node_modules/.cache:rw
       # for lite variant, do not change uid/gid
       # - /var/cache/nginx:uid=101,gid=101
       # - /run:uid=101,gid=101

go.mod

@@ -1,6 +1,11 @@
 module github.com/yusing/godoxy
 
-go 1.25.6
+go 1.25.7
+
+exclude (
+	github.com/moby/moby/api v1.53.0 // allow older daemon versions
+	github.com/moby/moby/client v0.2.2 // allow older daemon versions
+)
 
 replace (
 	github.com/coreos/go-oidc/v3 => ./internal/go-oidc
@@ -25,7 +30,7 @@ require (
 	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
 	github.com/gotify/server/v2 v2.8.0 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/pires/go-proxyproto v0.9.1 // proxy protocol support
+	github.com/pires/go-proxyproto v0.10.0 // proxy protocol support
 	github.com/puzpuzpuz/xsync/v4 v4.4.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
@@ -39,26 +44,26 @@ require (
 require (
 	github.com/bytedance/gopkg v0.1.3 // xxhash64 for fast hash
 	github.com/bytedance/sonic v1.15.0 // fast json parsing
-	github.com/docker/cli v29.1.5+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
+	github.com/docker/cli v29.2.1+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
 	github.com/goccy/go-yaml v1.19.2 // yaml parsing for different config files
-	github.com/golang-jwt/jwt/v5 v5.3.0 // jwt authentication
+	github.com/golang-jwt/jwt/v5 v5.3.1 // jwt authentication
 	github.com/luthermonson/go-proxmox v0.3.2 // proxmox API client
 	github.com/moby/moby/api v1.52.0 // docker API
 	github.com/moby/moby/client v0.2.1 // docker client
 	github.com/oschwald/maxminddb-golang v1.13.1 // maxminddb for geoip database
 	github.com/quic-go/quic-go v0.59.0 // http3 support
-	github.com/shirou/gopsutil/v4 v4.25.12 // system information
+	github.com/shirou/gopsutil/v4 v4.26.1 // system information
 	github.com/spf13/afero v1.15.0 // afero for file system operations
 	github.com/stretchr/testify v1.11.1 // testing framework
 	github.com/valyala/fasthttp v1.69.0 // fast http for health check
 	github.com/yusing/ds v0.4.1 // data structures and algorithms
-	github.com/yusing/godoxy/agent v0.0.0-20260125091326-9c2051840fd9
-	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20260124133347-9a96f3cc539e
-	github.com/yusing/gointernals v0.1.16
+	github.com/yusing/godoxy/agent v0.0.0-20260208011746-31b4fedf728b
+	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20260208011746-31b4fedf728b
+	github.com/yusing/gointernals v0.1.18
 	github.com/yusing/goutils v0.7.0
-	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260125040745-bcc4b498f878
-	github.com/yusing/goutils/http/websocket v0.0.0-20260125040745-bcc4b498f878
-	github.com/yusing/goutils/server v0.0.0-20260125040745-bcc4b498f878
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260207122228-56663372deda
+	github.com/yusing/goutils/http/websocket v0.0.0-20260207122228-56663372deda
+	github.com/yusing/goutils/server v0.0.0-20260207122228-56663372deda
 )
 
 require (
@@ -84,7 +89,7 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -94,7 +99,7 @@ require (
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
-	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
@@ -119,25 +124,25 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/samber/lo v1.52.0 // indirect
-	github.com/samber/slog-common v0.19.0 // indirect
-	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/samber/slog-common v0.20.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.1 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/sony/gobreaker v1.0.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
-	go.opentelemetry.io/otel v1.39.0 // indirect
-	go.opentelemetry.io/otel/metric v1.39.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.uber.org/atomic v1.11.0
 	go.uber.org/ratelimit v0.3.1 // indirect
 	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
-	google.golang.org/api v0.262.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d // indirect
+	google.golang.org/api v0.265.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect
@@ -167,11 +172,11 @@ require (
 	github.com/klauspost/compress v1.18.3 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
-	github.com/linode/linodego v1.64.0 // indirect
+	github.com/linode/linodego v1.65.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.1 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.1 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pion/dtls/v3 v3.0.10 // indirect
 	github.com/pion/logging v0.2.4 // indirect
@@ -185,7 +190,7 @@ require (
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/vultr/govultr/v3 v3.26.1 // indirect
+	github.com/vultr/govultr/v3 v3.27.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	golang.org/x/arch v0.23.0 // indirect
 )

go.sum

@@ -76,8 +76,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.1.5+incompatible h1:GckbANUt3j+lsnQ6eCcQd70mNSOismSHWt8vk2AX8ao=
-github.com/docker/cli v29.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg=
+github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -94,8 +94,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
@@ -137,8 +137,8 @@ github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
 github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -153,8 +153,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
 github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
-github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y=
-github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14=
+github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
+github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotify/server/v2 v2.8.0 h1:E3UDDn/3rFZi1sjZfbuhXNnxJP3ACZhdcw/iySegPRA=
@@ -191,8 +191,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/linode/linodego v1.64.0 h1:If6pULIwHuQytgogtpQaBdVLX7z2TTHUF5u1tj2TPiY=
-github.com/linode/linodego v1.64.0/go.mod h1:GoiwLVuLdBQcAebxAVKVL3mMYUgJZR/puOUSla04xBE=
+github.com/linode/linodego v1.65.0 h1:SdsuGD8VSsPWeShXpE7ihl5vec+fD3MgwhnfYC/rj7k=
+github.com/linode/linodego v1.65.0/go.mod h1:tOFiTErdjkbVnV+4S0+NmIE9dqqZUEM2HsJaGu8wMh8=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k=
@@ -227,10 +227,10 @@ github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0
 github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
 github.com/nrdcg/goinwx v0.12.0 h1:ujdUqDBnaRSFwzVnImvPHYw3w3m9XgmGImNUw1GyMb4=
 github.com/nrdcg/goinwx v0.12.0/go.mod h1:IrVKd3ZDbFiMjdPgML4CSxZAY9wOoqLvH44zv3NodJ0=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.1 h1:+fx2mbWeR8XX/vidwpRMepJMtRIYQP44Iezm2oeObVM=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.1/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.1 h1:GDhBiaIAm/QXLzHJ0ASDdY/6R/9w60+gk8lY5rgfxEQ=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.1/go.mod h1:EHScJdbM0gg5Is7e3C0ceRYAFMMsfP4Vf8sBRoxoTgk=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.0 h1:SgXDi/vitC+FA9jPl7T7i0d7kiC1JMFuS2FTlpg3B7o=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.0 h1:rOYbG56bYaW+skuCvzZyFoTPPXXUIOPhuQkilf6tkqo=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.0/go.mod h1:LTEIH1X6CBKyDtOT7CTTTgvvb2ANtGS7vLkEGt5zdog=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -251,8 +251,8 @@ github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
 github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
 github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
 github.com/pion/transport/v4 v4.0.1/go.mod h1:nEuEA4AD5lPdcIegQDpVLgNoDGreqM/YqmEx3ovP4jM=
-github.com/pires/go-proxyproto v0.9.1 h1:wTPjpyk41pJm1Im9BqHtPLuhxfjxL+qNfSikx9ux0WY=
-github.com/pires/go-proxyproto v0.9.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pires/go-proxyproto v0.10.0 h1:08wrdt9NQYTjLWeag3EBIS7ZNi6Vwl3rGsEjVLaAhvU=
+github.com/pires/go-proxyproto v0.10.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -278,10 +278,10 @@ github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
 github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
-github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
-github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
-github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
-github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
+github.com/samber/slog-common v0.20.0 h1:WaLnm/aCvBJSk5nR5aXZTFBaV0B47A+AEaEOiZDeUnc=
+github.com/samber/slog-common v0.20.0/go.mod h1:+Ozat1jgnnE59UAlmNX1IF3IByHsODnnwf9jUcBZ+m8=
+github.com/samber/slog-zerolog/v2 v2.9.1 h1:RMOq8XqzfuGx1X0TEIlS9OXbbFmqLY2/wJppghz66YY=
+github.com/samber/slog-zerolog/v2 v2.9.1/go.mod h1:DQYYve14WgCRN/XnKeHl4266jXK0DgYkYXkfZ4Fp98k=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 h1:ObX9hZmK+VmijreZO/8x9pQ8/P/ToHD/bdSb4Eg4tUo=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36/go.mod h1:LEsDu4BubxK7/cWhtlQWfuxwL4rf/2UEpxXz1o1EMtM=
 github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
@@ -320,8 +320,8 @@ github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZy
 github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
-github.com/vultr/govultr/v3 v3.26.1 h1:G/M0rMQKwVSmL+gb0UgETbW5mcQi0Vf/o/ZSGdBCxJw=
-github.com/vultr/govultr/v3 v3.26.1/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
+github.com/vultr/govultr/v3 v3.27.0 h1:J8etMyu/Jh5+idMsu2YZpOWmDXXHeW4VZnkYXmJYHx8=
+github.com/vultr/govultr/v3 v3.27.0/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
@@ -329,26 +329,26 @@ github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfS
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusing/ds v0.4.1 h1:syMCh7hO6Yw8xfcFkEaln3W+lVeWB/U/meYv6Wf2/Ig=
 github.com/yusing/ds v0.4.1/go.mod h1:XhKV4l7cZwBbbl7lRzNC9zX27zvCM0frIwiuD40ULRk=
-github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
-github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
+github.com/yusing/gointernals v0.1.18 h1:ou8/0tPURUgAOBJu3TN/iWF4S/5ZYQaap+rVkaJNUMw=
+github.com/yusing/gointernals v0.1.18/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
@@ -447,14 +447,14 @@ golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.262.0 h1:4B+3u8He2GwyN8St3Jhnd3XRHlIvc//sBmgHSp78oNY=
-google.golang.org/api v0.262.0/go.mod h1:jNwmH8BgUBJ/VrUG6/lIl9YiildyLd09r9ZLHiQ6cGI=
-google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934=
-google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d h1:xXzuihhT3gL/ntduUZwHECzAn57E8dA6l8SOtYWdD8Q=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/api v0.265.0 h1:FZvfUdI8nfmuNrE34aOWFPmLC+qRBEiNm3JdivTvAAU=
+google.golang.org/api v0.265.0/go.mod h1:uAvfEl3SLUj/7n6k+lJutcswVojHPp2Sp08jWCu8hLY=
+google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
+google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
+google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
+google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

internal/acl/README.md

@@ -54,13 +54,13 @@ type Matchers []Matcher
 ### Exported functions and methods
 
 ```go
-func (c *Config) Validate() gperr.Error
+func (c *Config) Validate() error
 ```
 
 Validates configuration and sets defaults. Must be called before `Start`.
 
 ```go
-func (c *Config) Start(parent task.Parent) gperr.Error
+func (c *Config) Start(parent task.Parent) error
 ```
 
 Initializes the ACL, starts the logger and notification goroutines.
@@ -169,14 +169,14 @@ Configuration is loaded from `config/config.yml` under the `acl` key.
 
 ```yaml
 acl:
-  default: "allow"              # "allow" or "deny"
-  allow_local: true             # Allow private/loopback IPs
+  default: "allow" # "allow" or "deny"
+  allow_local: true # Allow private/loopback IPs
   log:
-    log_allowed: false          # Log allowed connections
+    log_allowed: false # Log allowed connections
   notify:
-    to: ["gotify"]              # Notification providers
-    interval: "1m"              # Notification interval
-    include_allowed: false      # Include allowed in notifications
+    to: ["gotify"] # Notification providers
+    interval: "1m" # Notification interval
+    include_allowed: false # Include allowed in notifications
 ```
 
 ### Hot-reloading

internal/acl/config.go

@@ -74,8 +74,6 @@ type ipLog struct {
 	allowed bool
 }
 
-type ContextKey struct{}
-
 const cacheTTL = 1 * time.Minute
 
 func (c *checkCache) Expired() bool {
@@ -89,7 +87,7 @@ const (
 	ACLDeny  = "deny"
 )
 
-func (c *Config) Validate() gperr.Error {
+func (c *Config) Validate() error {
 	switch c.Default {
 	case "", ACLAllow:
 		c.defaultAllow = true
@@ -106,7 +104,7 @@ func (c *Config) Validate() gperr.Error {
 		c.allowLocal = true
 	}
 
-	if c.Notify.Interval < 0 {
+	if c.Notify.Interval <= 0 {
 		c.Notify.Interval = defaultNotifyInterval
 	}
 
@@ -133,7 +131,7 @@ func (c *Config) Valid() bool {
 	return c != nil && c.valErr == nil
 }
 
-func (c *Config) Start(parent task.Parent) gperr.Error {
+func (c *Config) Start(parent task.Parent) error {
 	if c.Log != nil {
 		logger, err := accesslog.NewAccessLogger(parent, c.Log)
 		if err != nil {

internal/acl/matcher.go

@@ -2,6 +2,7 @@ package acl
 
 import (
 	"bytes"
+	"errors"
 	"net"
 	"strings"
 
@@ -38,9 +39,9 @@ var errMatcherFormat = gperr.Multiline().AddLines(
 )
 
 var (
-	errSyntax      = gperr.New("syntax error")
-	errInvalidIP   = gperr.New("invalid IP")
-	errInvalidCIDR = gperr.New("invalid CIDR")
+	errSyntax      = errors.New("syntax error")
+	errInvalidIP   = errors.New("invalid IP")
+	errInvalidCIDR = errors.New("invalid CIDR")
 )
 
 func (matcher *Matcher) Parse(s string) error {

internal/acl/types/acl.go

@@ -0,0 +1,9 @@
+package acl
+
+import "net"
+
+type ACL interface {
+	IPAllowed(ip net.IP) bool
+	WrapTCP(l net.Listener) net.Listener
+	WrapUDP(l net.PacketConn) net.PacketConn
+}

internal/acl/types/context.go

@@ -0,0 +1,16 @@
+package acl
+
+import "context"
+
+type ContextKey struct{}
+
+func SetCtx(ctx interface{ SetValue(any, any) }, acl ACL) {
+	ctx.SetValue(ContextKey{}, acl)
+}
+
+func FromCtx(ctx context.Context) ACL {
+	if acl, ok := ctx.Value(ContextKey{}).(ACL); ok {
+		return acl
+	}
+	return nil
+}

internal/agentpool/agent.go

@@ -27,6 +27,7 @@ func newAgent(cfg *agent.AgentConfig) *Agent {
 		AgentConfig: cfg,
 		httpClient: &http.Client{
 			Transport: transport,
+			Timeout:   5 * time.Second,
 		},
 		fasthttpHcClient: &fasthttp.Client{
 			DialTimeout: func(addr string, timeout time.Duration) (net.Conn, error) {

internal/api/handler.go

@@ -21,7 +21,6 @@ import (
 	"github.com/yusing/godoxy/internal/auth"
 	"github.com/yusing/godoxy/internal/common"
 	apitypes "github.com/yusing/goutils/apitypes"
-	gperr "github.com/yusing/goutils/errs"
 )
 
 // @title           GoDoxy API
@@ -76,7 +75,6 @@ func NewHandler(requireAuth bool) *gin.Engine {
 		v1.GET("/favicon", apiV1.FavIcon)
 		v1.GET("/health", apiV1.Health)
 		v1.GET("/icons", apiV1.Icons)
-		v1.POST("/reload", apiV1.Reload)
 		v1.GET("/stats", apiV1.Stats)
 
 		route := v1.Group("/route")
@@ -86,6 +84,8 @@ func NewHandler(requireAuth bool) *gin.Engine {
 			route.GET("/providers", routeApi.Providers)
 			route.GET("/by_provider", routeApi.ByProvider)
 			route.POST("/playground", routeApi.Playground)
+			route.GET("/validate", routeApi.Validate) // websocket
+			route.POST("/validate", routeApi.Validate)
 		}
 
 		file := v1.Group("/file")
@@ -146,6 +146,8 @@ func NewHandler(requireAuth bool) *gin.Engine {
 
 		proxmox := v1.Group("/proxmox")
 		{
+			proxmox.GET("/tail", proxmoxApi.Tail)
+			proxmox.GET("/journalctl", proxmoxApi.Journalctl)
 			proxmox.GET("/journalctl/:node", proxmoxApi.Journalctl)
 			proxmox.GET("/journalctl/:node/:vmid", proxmoxApi.Journalctl)
 			proxmox.GET("/journalctl/:node/:vmid/:service", proxmoxApi.Journalctl)
@@ -200,9 +202,8 @@ func ErrorHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Next()
 		if len(c.Errors) > 0 {
-			logger := log.With().Str("uri", c.Request.RequestURI).Logger()
 			for _, err := range c.Errors {
-				gperr.LogError("Internal error", err.Err, &logger)
+				log.Err(err.Err).Str("uri", c.Request.RequestURI).Msg("Internal error")
 			}
 			if !c.IsWebsocket() {
 				c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))

internal/api/v1/agent/verify.go

@@ -1,6 +1,8 @@
 package agentapi
 
 import (
+	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -12,7 +14,6 @@ import (
 	config "github.com/yusing/godoxy/internal/config/types"
 	"github.com/yusing/godoxy/internal/route/provider"
 	apitypes "github.com/yusing/goutils/apitypes"
-	gperr "github.com/yusing/goutils/errs"
 )
 
 type VerifyNewAgentRequest struct {
@@ -36,6 +37,9 @@ type VerifyNewAgentRequest struct {
 // @Failure		500		{object}	ErrorResponse
 // @Router			/agent/verify [post]
 func Verify(c *gin.Context) {
+	// avoid timeout waiting for response headers
+	c.Status(http.StatusContinue)
+
 	var request VerifyNewAgentRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
@@ -60,7 +64,7 @@ func Verify(c *gin.Context) {
 		return
 	}
 
-	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
+	nRoutesAdded, err := verifyNewAgent(c.Request.Context(), request.Host, ca, client, request.ContainerRuntime)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
@@ -80,9 +84,9 @@ func Verify(c *gin.Context) {
 	c.JSON(http.StatusOK, apitypes.Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
 }
 
-var errAgentAlreadyExists = gperr.New("agent already exists")
+var errAgentAlreadyExists = errors.New("agent already exists")
 
-func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+func verifyNewAgent(ctx context.Context, host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, error) {
 	var agentCfg agent.AgentConfig
 	agentCfg.Addr = host
 	agentCfg.Runtime = containerRuntime
@@ -99,14 +103,14 @@ func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, contain
 		return 0, errAgentAlreadyExists
 	}
 
-	err := agentCfg.InitWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
+	err := agentCfg.InitWithCerts(ctx, ca.Cert, client.Cert, client.Key)
 	if err != nil {
-		return 0, gperr.Wrap(err, "failed to initialize agent config")
+		return 0, fmt.Errorf("failed to initialize agent config: %w", err)
 	}
 
 	provider := provider.NewAgentProvider(&agentCfg)
 	if _, loaded := cfgState.LoadOrStoreProvider(provider.String(), provider); loaded {
-		return 0, gperr.Errorf("provider %s already exists", provider.String())
+		return 0, fmt.Errorf("provider %s already exists", provider.String())
 	}
 
 	// agent must be added before loading routes
@@ -118,7 +122,7 @@ func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, contain
 	if err != nil {
 		cfgState.DeleteProvider(provider.String())
 		agentpool.Remove(&agentCfg)
-		return 0, gperr.Wrap(err, "failed to load routes")
+		return 0, fmt.Errorf("failed to load routes: %w", err)
 	}
 
 	return provider.NumRoutes(), nil

internal/api/v1/docker/containers.go

@@ -7,6 +7,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/moby/moby/api/types/container"
 	"github.com/moby/moby/client"
+	"github.com/rs/zerolog/log"
 	gperr "github.com/yusing/goutils/errs"
 
 	_ "github.com/yusing/goutils/apitypes"
@@ -36,18 +37,18 @@ func Containers(c *gin.Context) {
 	serveHTTP[Container](c, GetContainers)
 }
 
-func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
+func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, error) {
 	errs := gperr.NewBuilder("failed to get containers")
 	containers := make([]Container, 0)
-	for server, dockerClient := range dockerClients {
+	for name, dockerClient := range dockerClients {
 		conts, err := dockerClient.ContainerList(ctx, client.ContainerListOptions{All: true})
 		if err != nil {
-			errs.Add(err)
+			errs.AddSubject(err, name)
 			continue
 		}
 		for _, cont := range conts.Items {
 			containers = append(containers, Container{
-				Server: server,
+				Server: name,
 				Name:   cont.Names[0],
 				ID:     cont.ID,
 				Image:  cont.Image,
@@ -59,11 +60,10 @@ func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Containe
 		return containers[i].Name < containers[j].Name
 	})
 	if err := errs.Error(); err != nil {
-		gperr.LogError("failed to get containers", err)
-		if len(containers) == 0 {
-			return nil, err
+		if len(containers) > 0 {
+			log.Err(err).Msg("failed to get containers from some servers")
+			return containers, nil
 		}
-		return containers, nil
 	}
-	return containers, nil
+	return containers, errs.Error()
 }

internal/api/v1/docker/info.go

@@ -59,7 +59,7 @@ func Info(c *gin.Context) {
 	serveHTTP[dockerInfo](c, GetDockerInfo)
 }
 
-func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
+func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, error) {
 	errs := gperr.NewBuilder("failed to get docker info")
 	dockerInfos := make([]dockerInfo, len(dockerClients))
 
@@ -67,7 +67,7 @@ func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerIn
 	for name, dockerClient := range dockerClients {
 		info, err := dockerClient.Info(ctx, client.InfoOptions{})
 		if err != nil {
-			errs.Add(err)
+			errs.AddSubject(err, name)
 			continue
 		}
 		info.Info.Name = name

internal/api/v1/docker/logs.go

@@ -23,7 +23,7 @@ type LogsQueryParams struct {
 	Since  string `form:"from"`
 	Until  string `form:"to"`
 	Levels string `form:"levels"`
-	Limit  int    `form:"limit,default=100" binding:"omitempty,min=1,max=1000"`
+	Limit  int    `form:"limit,default=100" binding:"min=1,max=1000"`
 } //	@name	LogsQueryParams
 
 // @x-id				"logs"

internal/api/v1/docker/stats.go

@@ -10,7 +10,7 @@ import (
 	"github.com/moby/moby/api/types/container"
 	"github.com/moby/moby/client"
 	"github.com/yusing/godoxy/internal/docker"
-	"github.com/yusing/godoxy/internal/route/routes"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/types"
 	apitypes "github.com/yusing/goutils/apitypes"
 	"github.com/yusing/goutils/http/httpheaders"
@@ -44,7 +44,7 @@ func Stats(c *gin.Context) {
 	dockerCfg, ok := docker.GetDockerCfgByContainerID(id)
 	if !ok {
 		var route types.Route
-		route, ok = routes.GetIncludeExcluded(id)
+		route, ok = entrypoint.FromCtx(c.Request.Context()).GetRoute(id)
 		if ok {
 			cont := route.ContainerInfo()
 			if cont == nil {

internal/api/v1/docker/utils.go

@@ -8,7 +8,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/yusing/godoxy/internal/docker"
 	apitypes "github.com/yusing/goutils/apitypes"
-	gperr "github.com/yusing/goutils/errs"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
 )
@@ -39,7 +38,7 @@ func handleResult[V any, T ResultType[V]](c *gin.Context, errs error, result T)
 	c.JSON(http.StatusOK, result)
 }
 
-func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
+func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, error)) {
 	dockerClients := docker.Clients()
 	defer closeAllClients(dockerClients)
 

internal/api/v1/docs/swagger.json

@@ -1087,7 +1087,7 @@
       "post": {
         "description": "Validate file",
         "consumes": [
-          "text/plain"
+          "application/yaml"
         ],
         "produces": [
           "application/json"
@@ -1171,7 +1171,10 @@
           "200": {
             "description": "Health info by route name",
             "schema": {
-              "$ref": "#/definitions/HealthMap"
+              "type": "object",
+              "additionalProperties": {
+                "$ref": "#/definitions/HealthStatusString"
+              }
             }
           },
           "403": {
@@ -1219,6 +1222,12 @@
             "schema": {
               "$ref": "#/definitions/ErrorResponse"
             }
+          },
+          "500": {
+            "description": "Internal Server Error",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
           }
         },
         "x-id": "categories",
@@ -1337,6 +1346,12 @@
             "schema": {
               "$ref": "#/definitions/ErrorResponse"
             }
+          },
+          "500": {
+            "description": "Internal Server Error",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
           }
         },
         "x-id": "items",
@@ -2077,6 +2092,90 @@
         "operationId": "uptime"
       }
     },
+    "/proxmox/journalctl": {
+      "get": {
+        "description": "Get journalctl output for node or LXC container. If vmid is not provided, streams node journalctl.",
+        "consumes": [
+          "application/json"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "proxmox",
+          "websocket"
+        ],
+        "summary": "Get journalctl output",
+        "parameters": [
+          {
+            "maximum": 1000,
+            "minimum": 1,
+            "type": "integer",
+            "default": 100,
+            "description": "Limit output lines (1-1000)",
+            "name": "limit",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Node name",
+            "name": "node",
+            "in": "query",
+            "required": true
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "csv",
+            "description": "Service names",
+            "name": "service",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "Container VMID (optional - if not provided, streams node journalctl)",
+            "name": "vmid",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Journalctl output",
+            "schema": {
+              "type": "string"
+            }
+          },
+          "400": {
+            "description": "Invalid request",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "403": {
+            "description": "Unauthorized",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "404": {
+            "description": "Node not found",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          }
+        },
+        "x-id": "journalctl",
+        "operationId": "journalctl"
+      }
+    },
     "/proxmox/journalctl/{node}": {
       "get": {
         "description": "Get journalctl output for node or LXC container. If vmid is not provided, streams node journalctl.",
@@ -2092,18 +2191,44 @@
         ],
         "summary": "Get journalctl output",
         "parameters": [
+          {
+            "maximum": 1000,
+            "minimum": 1,
+            "type": "integer",
+            "default": 100,
+            "description": "Limit output lines (1-1000)",
+            "name": "limit",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Node name",
+            "name": "node",
+            "in": "query",
+            "required": true
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "csv",
+            "description": "Service names",
+            "name": "service",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "Container VMID (optional - if not provided, streams node journalctl)",
+            "name": "vmid",
+            "in": "query"
+          },
           {
             "type": "string",
             "description": "Node name",
             "name": "node",
             "in": "path",
             "required": true
-          },
-          {
-            "type": "integer",
-            "description": "Limit output lines (1-1000)",
-            "name": "limit",
-            "in": "query"
           }
         ],
         "responses": {
@@ -2157,6 +2282,38 @@
         ],
         "summary": "Get journalctl output",
         "parameters": [
+          {
+            "maximum": 1000,
+            "minimum": 1,
+            "type": "integer",
+            "default": 100,
+            "description": "Limit output lines (1-1000)",
+            "name": "limit",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Node name",
+            "name": "node",
+            "in": "query",
+            "required": true
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "csv",
+            "description": "Service names",
+            "name": "service",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "Container VMID (optional - if not provided, streams node journalctl)",
+            "name": "vmid",
+            "in": "query"
+          },
           {
             "type": "string",
             "description": "Node name",
@@ -2169,12 +2326,6 @@
             "description": "Container VMID (optional - if not provided, streams node journalctl)",
             "name": "vmid",
             "in": "path"
-          },
-          {
-            "type": "integer",
-            "description": "Limit output lines (1-1000)",
-            "name": "limit",
-            "in": "query"
           }
         ],
         "responses": {
@@ -2228,6 +2379,38 @@
         ],
         "summary": "Get journalctl output",
         "parameters": [
+          {
+            "maximum": 1000,
+            "minimum": 1,
+            "type": "integer",
+            "default": 100,
+            "description": "Limit output lines (1-1000)",
+            "name": "limit",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Node name",
+            "name": "node",
+            "in": "query",
+            "required": true
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "csv",
+            "description": "Service names",
+            "name": "service",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "Container VMID (optional - if not provided, streams node journalctl)",
+            "name": "vmid",
+            "in": "query"
+          },
           {
             "type": "string",
             "description": "Node name",
@@ -2236,22 +2419,20 @@
             "required": true
           },
           {
-            "type": "integer",
-            "description": "Container VMID (optional - if not provided, streams node journalctl)",
-            "name": "vmid",
-            "in": "path"
-          },
-          {
-            "type": "string",
-            "description": "Service name (e.g., 'pveproxy' for node, 'container@.service' format for LXC)",
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "csv",
+            "description": "Service names",
             "name": "service",
             "in": "path"
           },
           {
             "type": "integer",
-            "description": "Limit output lines (1-1000)",
-            "name": "limit",
-            "in": "query"
+            "description": "Container VMID (optional - if not provided, streams node journalctl)",
+            "name": "vmid",
+            "in": "path"
           }
         ],
         "responses": {
@@ -2569,9 +2750,9 @@
         "operationId": "vmStats"
       }
     },
-    "/reload": {
-      "post": {
-        "description": "Reload config",
+    "/proxmox/tail": {
+      "get": {
+        "description": "Get tail output for node or LXC container. If vmid is not provided, streams node tail.",
         "consumes": [
           "application/json"
         ],
@@ -2579,31 +2760,79 @@
           "application/json"
         ],
         "tags": [
-          "v1"
+          "proxmox",
+          "websocket"
+        ],
+        "summary": "Get tail output",
+        "parameters": [
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "csv",
+            "description": "File paths",
+            "name": "file",
+            "in": "query",
+            "required": true
+          },
+          {
+            "maximum": 1000,
+            "minimum": 1,
+            "type": "integer",
+            "default": 100,
+            "description": "Limit output lines (1-1000)",
+            "name": "limit",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Node name",
+            "name": "node",
+            "in": "query",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "description": "Container VMID (optional - if not provided, streams node journalctl)",
+            "name": "vmid",
+            "in": "query"
+          }
         ],
-        "summary": "Reload config",
         "responses": {
           "200": {
-            "description": "OK",
+            "description": "Tail output",
             "schema": {
-              "$ref": "#/definitions/SuccessResponse"
+              "type": "string"
+            }
+          },
+          "400": {
+            "description": "Invalid request",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
             }
           },
           "403": {
-            "description": "Forbidden",
+            "description": "Unauthorized",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "404": {
+            "description": "Node not found",
             "schema": {
               "$ref": "#/definitions/ErrorResponse"
             }
           },
           "500": {
-            "description": "Internal Server Error",
+            "description": "Internal server error",
             "schema": {
               "$ref": "#/definitions/ErrorResponse"
             }
           }
         },
-        "x-id": "reload",
-        "operationId": "reload"
+        "x-id": "tail",
+        "operationId": "tail"
       }
     },
     "/route/by_provider": {
@@ -2775,6 +3004,122 @@
         "operationId": "providers"
       }
     },
+    "/route/validate": {
+      "get": {
+        "description": "Validate route,",
+        "consumes": [
+          "application/yaml"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "route",
+          "websocket"
+        ],
+        "summary": "Validate route",
+        "parameters": [
+          {
+            "description": "Route",
+            "name": "route",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/Route"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Route validated",
+            "schema": {
+              "$ref": "#/definitions/SuccessResponse"
+            }
+          },
+          "400": {
+            "description": "Bad request",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "403": {
+            "description": "Forbidden",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "417": {
+            "description": "Validation failed",
+            "schema": {}
+          },
+          "500": {
+            "description": "Internal server error",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          }
+        },
+        "x-id": "validate",
+        "operationId": "validate"
+      },
+      "post": {
+        "description": "Validate route,",
+        "consumes": [
+          "application/yaml"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "route",
+          "websocket"
+        ],
+        "summary": "Validate route",
+        "parameters": [
+          {
+            "description": "Route",
+            "name": "route",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/Route"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Route validated",
+            "schema": {
+              "$ref": "#/definitions/SuccessResponse"
+            }
+          },
+          "400": {
+            "description": "Bad request",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "403": {
+            "description": "Forbidden",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          },
+          "417": {
+            "description": "Validation failed",
+            "schema": {}
+          },
+          "500": {
+            "description": "Internal server error",
+            "schema": {
+              "$ref": "#/definitions/ErrorResponse"
+            }
+          }
+        },
+        "x-id": "validate",
+        "operationId": "validate"
+      }
+    },
     "/route/{which}": {
       "get": {
         "description": "List route",
@@ -3389,33 +3734,6 @@
       "x-nullable": false,
       "x-omitempty": false
     },
-    "DockerConfig": {
-      "type": "object",
-      "required": [
-        "container_id",
-        "container_name",
-        "docker_cfg"
-      ],
-      "properties": {
-        "container_id": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "container_name": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "docker_cfg": {
-          "$ref": "#/definitions/DockerProviderConfig",
-          "x-nullable": false,
-          "x-omitempty": false
-        }
-      },
-      "x-nullable": false,
-      "x-omitempty": false
-    },
     "DockerProviderConfig": {
       "type": "object",
       "properties": {
@@ -3731,14 +4049,6 @@
       "x-nullable": false,
       "x-omitempty": false
     },
-    "HealthMap": {
-      "type": "object",
-      "additionalProperties": {
-        "$ref": "#/definitions/HealthStatusString"
-      },
-      "x-nullable": false,
-      "x-omitempty": false
-    },
     "HealthStatusString": {
       "type": "string",
       "enum": [
@@ -4164,7 +4474,7 @@
           "x-omitempty": false
         },
         "docker": {
-          "$ref": "#/definitions/DockerConfig",
+          "$ref": "#/definitions/IdlewatcherDockerConfig",
           "x-nullable": false,
           "x-omitempty": false
         },
@@ -4184,7 +4494,7 @@
           "x-omitempty": false
         },
         "proxmox": {
-          "$ref": "#/definitions/ProxmoxNodeConfig",
+          "$ref": "#/definitions/IdlewatcherProxmoxNodeConfig",
           "x-nullable": false,
           "x-omitempty": false
         },
@@ -4218,6 +4528,54 @@
       "x-nullable": false,
       "x-omitempty": false
     },
+    "IdlewatcherDockerConfig": {
+      "type": "object",
+      "required": [
+        "container_id",
+        "container_name",
+        "docker_cfg"
+      ],
+      "properties": {
+        "container_id": {
+          "type": "string",
+          "x-nullable": false,
+          "x-omitempty": false
+        },
+        "container_name": {
+          "type": "string",
+          "x-nullable": false,
+          "x-omitempty": false
+        },
+        "docker_cfg": {
+          "$ref": "#/definitions/DockerProviderConfig",
+          "x-nullable": false,
+          "x-omitempty": false
+        }
+      },
+      "x-nullable": false,
+      "x-omitempty": false
+    },
+    "IdlewatcherProxmoxNodeConfig": {
+      "type": "object",
+      "required": [
+        "node",
+        "vmid"
+      ],
+      "properties": {
+        "node": {
+          "type": "string",
+          "x-nullable": false,
+          "x-omitempty": false
+        },
+        "vmid": {
+          "type": "integer",
+          "x-nullable": false,
+          "x-omitempty": false
+        }
+      },
+      "x-nullable": false,
+      "x-omitempty": false
+    },
     "ListFilesResponse": {
       "type": "object",
       "properties": {
@@ -4805,26 +5163,38 @@
     },
     "ProxmoxNodeConfig": {
       "type": "object",
-      "required": [
-        "node",
-        "vmid"
-      ],
       "properties": {
+        "files": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-nullable": false,
+          "x-omitempty": false
+        },
         "node": {
           "type": "string",
           "x-nullable": false,
           "x-omitempty": false
         },
-        "service": {
-          "type": "string"
+        "services": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-nullable": false,
+          "x-omitempty": false
         },
         "vmid": {
+          "description": "unset: auto discover; explicit 0: node-level route; >0: lxc/qemu resource route",
           "type": "integer",
           "x-nullable": false,
           "x-omitempty": false
         },
         "vmname": {
-          "type": "string"
+          "type": "string",
+          "x-nullable": false,
+          "x-omitempty": false
         }
       },
       "x-nullable": false,
@@ -4929,7 +5299,6 @@
           "x-omitempty": false
         },
         "bind": {
-          "description": "for TCP and UDP routes, bind address to listen on",
           "type": "string",
           "x-nullable": true
         },
@@ -6461,229 +6830,6 @@
       "x-nullable": false,
       "x-omitempty": false
     },
-    "route.Route": {
-      "type": "object",
-      "properties": {
-        "access_log": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/RequestLoggerConfig"
-            }
-          ],
-          "x-nullable": true
-        },
-        "agent": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "alias": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "bind": {
-          "description": "for TCP and UDP routes, bind address to listen on",
-          "type": "string",
-          "x-nullable": true
-        },
-        "container": {
-          "description": "Docker only",
-          "allOf": [
-            {
-              "$ref": "#/definitions/Container"
-            }
-          ],
-          "x-nullable": true
-        },
-        "disable_compression": {
-          "type": "boolean",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "excluded": {
-          "type": "boolean",
-          "x-nullable": true
-        },
-        "excluded_reason": {
-          "type": "string",
-          "x-nullable": true
-        },
-        "health": {
-          "description": "for swagger",
-          "allOf": [
-            {
-              "$ref": "#/definitions/HealthJSON"
-            }
-          ],
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "healthcheck": {
-          "description": "null on load-balancer routes",
-          "allOf": [
-            {
-              "$ref": "#/definitions/HealthCheckConfig"
-            }
-          ],
-          "x-nullable": true
-        },
-        "homepage": {
-          "$ref": "#/definitions/HomepageItemConfig",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "host": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "idlewatcher": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/IdlewatcherConfig"
-            }
-          ],
-          "x-nullable": true
-        },
-        "index": {
-          "description": "Index file to serve for single-page app mode",
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "load_balance": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/LoadBalancerConfig"
-            }
-          ],
-          "x-nullable": true
-        },
-        "lurl": {
-          "description": "private fields",
-          "type": "string",
-          "x-nullable": true
-        },
-        "middlewares": {
-          "type": "object",
-          "additionalProperties": {
-            "$ref": "#/definitions/types.LabelMap"
-          },
-          "x-nullable": true
-        },
-        "no_tls_verify": {
-          "type": "boolean",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "path_patterns": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "x-nullable": true
-        },
-        "port": {
-          "$ref": "#/definitions/Port",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "provider": {
-          "description": "for backward compatibility",
-          "type": "string",
-          "x-nullable": true
-        },
-        "proxmox": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/ProxmoxNodeConfig"
-            }
-          ],
-          "x-nullable": true
-        },
-        "purl": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "response_header_timeout": {
-          "type": "integer",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "root": {
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "rule_file": {
-          "type": "string",
-          "x-nullable": true
-        },
-        "rules": {
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/rules.Rule"
-          },
-          "x-nullable": true
-        },
-        "scheme": {
-          "type": "string",
-          "enum": [
-            "http",
-            "https",
-            "h2c",
-            "tcp",
-            "udp",
-            "fileserver"
-          ],
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "spa": {
-          "description": "Single-page app mode: serves index for non-existent paths",
-          "type": "boolean",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "ssl_certificate": {
-          "description": "Path to client certificate",
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "ssl_certificate_key": {
-          "description": "Path to client certificate key",
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "ssl_protocols": {
-          "description": "Allowed TLS protocols",
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "ssl_server_name": {
-          "description": "SSL/TLS proxy options (nginx-like)",
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        },
-        "ssl_trusted_certificate": {
-          "description": "Path to trusted CA certificates",
-          "type": "string",
-          "x-nullable": false,
-          "x-omitempty": false
-        }
-      },
-      "x-nullable": false,
-      "x-omitempty": false
-    },
     "routeApi.RawRule": {
       "type": "object",
       "properties": {
@@ -6711,7 +6857,7 @@
       "additionalProperties": {
         "type": "array",
         "items": {
-          "$ref": "#/definitions/route.Route"
+          "$ref": "#/definitions/Route"
         }
       },
       "x-nullable": false,

internal/api/v1/docs/swagger.yaml

@@ -269,19 +269,6 @@ definitions:
     - ContainerStopMethodPause
     - ContainerStopMethodStop
     - ContainerStopMethodKill
-  DockerConfig:
-    properties:
-      container_id:
-        type: string
-      container_name:
-        type: string
-      docker_cfg:
-        $ref: '#/definitions/DockerProviderConfig'
-    required:
-    - container_id
-    - container_name
-    - docker_cfg
-    type: object
   DockerProviderConfig:
     properties:
       tls:
@@ -432,10 +419,6 @@ definitions:
       url:
         type: string
     type: object
-  HealthMap:
-    additionalProperties:
-      $ref: '#/definitions/HealthStatusString'
-    type: object
   HealthStatusString:
     enum:
     - unknown
@@ -630,7 +613,7 @@ definitions:
           type: string
         type: array
       docker:
-        $ref: '#/definitions/DockerConfig'
+        $ref: '#/definitions/IdlewatcherDockerConfig'
       idle_timeout:
         allOf:
         - $ref: '#/definitions/time.Duration'
@@ -641,7 +624,7 @@ definitions:
       no_loading_page:
         type: boolean
       proxmox:
-        $ref: '#/definitions/ProxmoxNodeConfig'
+        $ref: '#/definitions/IdlewatcherProxmoxNodeConfig'
       start_endpoint:
         description: Optional path that must be hit to start container
         type: string
@@ -654,6 +637,29 @@ definitions:
       wake_timeout:
         $ref: '#/definitions/time.Duration'
     type: object
+  IdlewatcherDockerConfig:
+    properties:
+      container_id:
+        type: string
+      container_name:
+        type: string
+      docker_cfg:
+        $ref: '#/definitions/DockerProviderConfig'
+    required:
+    - container_id
+    - container_name
+    - docker_cfg
+    type: object
+  IdlewatcherProxmoxNodeConfig:
+    properties:
+      node:
+        type: string
+      vmid:
+        type: integer
+    required:
+    - node
+    - vmid
+    type: object
   ListFilesResponse:
     properties:
       config:
@@ -935,17 +941,22 @@ definitions:
     - ProviderTypeAgent
   ProxmoxNodeConfig:
     properties:
+      files:
+        items:
+          type: string
+        type: array
       node:
         type: string
-      service:
-        type: string
+      services:
+        items:
+          type: string
+        type: array
       vmid:
+        description: 'unset: auto discover; explicit 0: node-level route; >0: lxc/qemu
+          resource route'
         type: integer
       vmname:
         type: string
-    required:
-    - node
-    - vmid
     type: object
   ProxyStats:
     properties:
@@ -992,7 +1003,6 @@ definitions:
       alias:
         type: string
       bind:
-        description: for TCP and UDP routes, bind address to listen on
         type: string
         x-nullable: true
       container:
@@ -1792,12 +1802,12 @@ definitions:
         type: string
       kernel_version:
         type: string
+      load_avg_5m:
+        type: string
       load_avg_15m:
         type: string
       load_avg_1m:
         type: string
-      load_avg_5m:
-        type: string
       mem_pct:
         type: string
       mem_total:
@@ -1815,127 +1825,6 @@ definitions:
       uptime:
         type: string
     type: object
-  route.Route:
-    properties:
-      access_log:
-        allOf:
-        - $ref: '#/definitions/RequestLoggerConfig'
-        x-nullable: true
-      agent:
-        type: string
-      alias:
-        type: string
-      bind:
-        description: for TCP and UDP routes, bind address to listen on
-        type: string
-        x-nullable: true
-      container:
-        allOf:
-        - $ref: '#/definitions/Container'
-        description: Docker only
-        x-nullable: true
-      disable_compression:
-        type: boolean
-      excluded:
-        type: boolean
-        x-nullable: true
-      excluded_reason:
-        type: string
-        x-nullable: true
-      health:
-        allOf:
-        - $ref: '#/definitions/HealthJSON'
-        description: for swagger
-      healthcheck:
-        allOf:
-        - $ref: '#/definitions/HealthCheckConfig'
-        description: null on load-balancer routes
-        x-nullable: true
-      homepage:
-        $ref: '#/definitions/HomepageItemConfig'
-      host:
-        type: string
-      idlewatcher:
-        allOf:
-        - $ref: '#/definitions/IdlewatcherConfig'
-        x-nullable: true
-      index:
-        description: Index file to serve for single-page app mode
-        type: string
-      load_balance:
-        allOf:
-        - $ref: '#/definitions/LoadBalancerConfig'
-        x-nullable: true
-      lurl:
-        description: private fields
-        type: string
-        x-nullable: true
-      middlewares:
-        additionalProperties:
-          $ref: '#/definitions/types.LabelMap'
-        type: object
-        x-nullable: true
-      no_tls_verify:
-        type: boolean
-      path_patterns:
-        items:
-          type: string
-        type: array
-        x-nullable: true
-      port:
-        $ref: '#/definitions/Port'
-      provider:
-        description: for backward compatibility
-        type: string
-        x-nullable: true
-      proxmox:
-        allOf:
-        - $ref: '#/definitions/ProxmoxNodeConfig'
-        x-nullable: true
-      purl:
-        type: string
-      response_header_timeout:
-        type: integer
-      root:
-        type: string
-      rule_file:
-        type: string
-        x-nullable: true
-      rules:
-        items:
-          $ref: '#/definitions/rules.Rule'
-        type: array
-        x-nullable: true
-      scheme:
-        enum:
-        - http
-        - https
-        - h2c
-        - tcp
-        - udp
-        - fileserver
-        type: string
-      spa:
-        description: 'Single-page app mode: serves index for non-existent paths'
-        type: boolean
-      ssl_certificate:
-        description: Path to client certificate
-        type: string
-      ssl_certificate_key:
-        description: Path to client certificate key
-        type: string
-      ssl_protocols:
-        description: Allowed TLS protocols
-        items:
-          type: string
-        type: array
-      ssl_server_name:
-        description: SSL/TLS proxy options (nginx-like)
-        type: string
-      ssl_trusted_certificate:
-        description: Path to trusted CA certificates
-        type: string
-    type: object
   routeApi.RawRule:
     properties:
       do:
@@ -1948,7 +1837,7 @@ definitions:
   routeApi.RoutesByProvider:
     additionalProperties:
       items:
-        $ref: '#/definitions/route.Route'
+        $ref: '#/definitions/Route'
       type: array
     type: object
   rules.Rule:
@@ -2726,7 +2615,7 @@ paths:
   /file/validate:
     post:
       consumes:
-      - text/plain
+      - application/yaml
       description: Validate file
       parameters:
       - description: Type
@@ -2781,7 +2670,9 @@ paths:
         "200":
           description: Health info by route name
           schema:
-            $ref: '#/definitions/HealthMap'
+            additionalProperties:
+              $ref: '#/definitions/HealthStatusString'
+            type: object
         "403":
           description: Forbidden
           schema:
@@ -2813,6 +2704,10 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/ErrorResponse'
       summary: List homepage categories
       tags:
       - homepage
@@ -2890,6 +2785,10 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/ErrorResponse'
       summary: Homepage items
       tags:
       - homepage
@@ -3392,6 +3291,64 @@ paths:
       - metrics
       - websocket
       x-id: uptime
+  /proxmox/journalctl:
+    get:
+      consumes:
+      - application/json
+      description: Get journalctl output for node or LXC container. If vmid is not
+        provided, streams node journalctl.
+      parameters:
+      - default: 100
+        description: Limit output lines (1-1000)
+        in: query
+        maximum: 1000
+        minimum: 1
+        name: limit
+        type: integer
+      - description: Node name
+        in: query
+        name: node
+        required: true
+        type: string
+      - collectionFormat: csv
+        description: Service names
+        in: query
+        items:
+          type: string
+        name: service
+        type: array
+      - description: Container VMID (optional - if not provided, streams node journalctl)
+        in: query
+        name: vmid
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: Journalctl output
+          schema:
+            type: string
+        "400":
+          description: Invalid request
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "403":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "404":
+          description: Node not found
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "500":
+          description: Internal server error
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+      summary: Get journalctl output
+      tags:
+      - proxmox
+      - websocket
+      x-id: journalctl
   /proxmox/journalctl/{node}:
     get:
       consumes:
@@ -3399,15 +3356,34 @@ paths:
       description: Get journalctl output for node or LXC container. If vmid is not
         provided, streams node journalctl.
       parameters:
+      - default: 100
+        description: Limit output lines (1-1000)
+        in: query
+        maximum: 1000
+        minimum: 1
+        name: limit
+        type: integer
+      - description: Node name
+        in: query
+        name: node
+        required: true
+        type: string
+      - collectionFormat: csv
+        description: Service names
+        in: query
+        items:
+          type: string
+        name: service
+        type: array
+      - description: Container VMID (optional - if not provided, streams node journalctl)
+        in: query
+        name: vmid
+        type: integer
       - description: Node name
         in: path
         name: node
         required: true
         type: string
-      - description: Limit output lines (1-1000)
-        in: query
-        name: limit
-        type: integer
       produces:
       - application/json
       responses:
@@ -3443,6 +3419,29 @@ paths:
       description: Get journalctl output for node or LXC container. If vmid is not
         provided, streams node journalctl.
       parameters:
+      - default: 100
+        description: Limit output lines (1-1000)
+        in: query
+        maximum: 1000
+        minimum: 1
+        name: limit
+        type: integer
+      - description: Node name
+        in: query
+        name: node
+        required: true
+        type: string
+      - collectionFormat: csv
+        description: Service names
+        in: query
+        items:
+          type: string
+        name: service
+        type: array
+      - description: Container VMID (optional - if not provided, streams node journalctl)
+        in: query
+        name: vmid
+        type: integer
       - description: Node name
         in: path
         name: node
@@ -3452,10 +3451,6 @@ paths:
         in: path
         name: vmid
         type: integer
-      - description: Limit output lines (1-1000)
-        in: query
-        name: limit
-        type: integer
       produces:
       - application/json
       responses:
@@ -3491,24 +3486,45 @@ paths:
       description: Get journalctl output for node or LXC container. If vmid is not
         provided, streams node journalctl.
       parameters:
+      - default: 100
+        description: Limit output lines (1-1000)
+        in: query
+        maximum: 1000
+        minimum: 1
+        name: limit
+        type: integer
+      - description: Node name
+        in: query
+        name: node
+        required: true
+        type: string
+      - collectionFormat: csv
+        description: Service names
+        in: query
+        items:
+          type: string
+        name: service
+        type: array
+      - description: Container VMID (optional - if not provided, streams node journalctl)
+        in: query
+        name: vmid
+        type: integer
       - description: Node name
         in: path
         name: node
         required: true
         type: string
+      - collectionFormat: csv
+        description: Service names
+        in: path
+        items:
+          type: string
+        name: service
+        type: array
       - description: Container VMID (optional - if not provided, streams node journalctl)
         in: path
         name: vmid
         type: integer
-      - description: Service name (e.g., 'pveproxy' for node, 'container@.service'
-          format for LXC)
-        in: path
-        name: service
-        type: string
-      - description: Limit output lines (1-1000)
-        in: query
-        name: limit
-        type: integer
       produces:
       - application/json
       responses:
@@ -3720,30 +3736,65 @@ paths:
       - proxmox
       - websocket
       x-id: vmStats
-  /reload:
-    post:
+  /proxmox/tail:
+    get:
       consumes:
       - application/json
-      description: Reload config
+      description: Get tail output for node or LXC container. If vmid is not provided,
+        streams node tail.
+      parameters:
+      - collectionFormat: csv
+        description: File paths
+        in: query
+        items:
+          type: string
+        name: file
+        required: true
+        type: array
+      - default: 100
+        description: Limit output lines (1-1000)
+        in: query
+        maximum: 1000
+        minimum: 1
+        name: limit
+        type: integer
+      - description: Node name
+        in: query
+        name: node
+        required: true
+        type: string
+      - description: Container VMID (optional - if not provided, streams node journalctl)
+        in: query
+        name: vmid
+        type: integer
       produces:
       - application/json
       responses:
         "200":
-          description: OK
+          description: Tail output
           schema:
-            $ref: '#/definitions/SuccessResponse'
+            type: string
+        "400":
+          description: Invalid request
+          schema:
+            $ref: '#/definitions/ErrorResponse'
         "403":
-          description: Forbidden
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "404":
+          description: Node not found
           schema:
             $ref: '#/definitions/ErrorResponse'
         "500":
-          description: Internal Server Error
+          description: Internal server error
           schema:
             $ref: '#/definitions/ErrorResponse'
-      summary: Reload config
+      summary: Get tail output
       tags:
-      - v1
-      x-id: reload
+      - proxmox
+      - websocket
+      x-id: tail
   /route/{which}:
     get:
       consumes:
@@ -3888,6 +3939,83 @@ paths:
       - route
       - websocket
       x-id: providers
+  /route/validate:
+    get:
+      consumes:
+      - application/yaml
+      description: Validate route,
+      parameters:
+      - description: Route
+        in: body
+        name: route
+        required: true
+        schema:
+          $ref: '#/definitions/Route'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: Route validated
+          schema:
+            $ref: '#/definitions/SuccessResponse'
+        "400":
+          description: Bad request
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "417":
+          description: Validation failed
+          schema: {}
+        "500":
+          description: Internal server error
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+      summary: Validate route
+      tags:
+      - route
+      - websocket
+      x-id: validate
+    post:
+      consumes:
+      - application/yaml
+      description: Validate route,
+      parameters:
+      - description: Route
+        in: body
+        name: route
+        required: true
+        schema:
+          $ref: '#/definitions/Route'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: Route validated
+          schema:
+            $ref: '#/definitions/SuccessResponse'
+        "400":
+          description: Bad request
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+        "417":
+          description: Validation failed
+          schema: {}
+        "500":
+          description: Internal server error
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+      summary: Validate route
+      tags:
+      - route
+      - websocket
+      x-id: validate
   /stats:
     get:
       consumes:

internal/api/v1/favicon.go

@@ -5,9 +5,9 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/homepage/icons"
 	iconfetch "github.com/yusing/godoxy/internal/homepage/icons/fetch"
-	"github.com/yusing/godoxy/internal/route/routes"
 	apitypes "github.com/yusing/goutils/apitypes"
 
 	_ "unsafe"
@@ -73,7 +73,11 @@ func FavIcon(c *gin.Context) {
 //go:linkname GetFavIconFromAlias v1.GetFavIconFromAlias
 func GetFavIconFromAlias(ctx context.Context, alias string, variant icons.Variant) (iconfetch.Result, error) {
 	// try with route.Icon
-	r, ok := routes.HTTP.Get(alias)
+	ep := entrypoint.FromCtx(ctx)
+	if ep == nil { // impossible, but just in case
+		return iconfetch.FetchResultWithErrorf(http.StatusInternalServerError, "entrypoint not initialized")
+	}
+	r, ok := ep.HTTPRoutes().Get(alias)
 	if !ok {
 		return iconfetch.FetchResultWithErrorf(http.StatusNotFound, "route not found")
 	}

internal/api/v1/file/validate.go

@@ -20,7 +20,7 @@ type ValidateFileRequest struct {
 // @Summary		Validate file
 // @Description	Validate file
 // @Tags			file
-// @Accept			text/plain
+// @Accept		application/yaml
 // @Produce		json
 // @Param			type	query		FileType	true	"Type"
 // @Param			file	body		string		true	"File content"
@@ -29,7 +29,7 @@ type ValidateFileRequest struct {
 // @Failure		403		{object}	apitypes.ErrorResponse "Forbidden"
 // @Failure		417		{object}	any "Validation failed"
 // @Failure		500		{object}	apitypes.ErrorResponse "Internal server error"
-// @Router			/file/validate [post]
+// @Router		/file/validate [post]
 func Validate(c *gin.Context) {
 	var request ValidateFileRequest
 	if err := c.ShouldBindQuery(&request); err != nil {
@@ -51,7 +51,7 @@ func Validate(c *gin.Context) {
 	c.JSON(http.StatusOK, apitypes.Success("file validated"))
 }
 
-func validateFile(fileType FileType, content []byte) gperr.Error {
+func validateFile(fileType FileType, content []byte) error {
 	switch fileType {
 	case FileTypeConfig:
 		return config.Validate(content)

internal/api/v1/health.go

@@ -5,11 +5,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/godoxy/internal/route/routes"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	"github.com/yusing/goutils/apitypes"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
-
-	_ "github.com/yusing/goutils/apitypes"
 )
 
 // @x-id				"health"
@@ -19,16 +18,21 @@ import (
 // @Tags			v1,websocket
 // @Accept			json
 // @Produce		json
-// @Success		200	{object}	routes.HealthMap "Health info by route name"
+// @Success		200	{object}	map[string]types.HealthStatusString "Health info by route name"
 // @Failure		403	{object}	apitypes.ErrorResponse
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/health [get]
 func Health(c *gin.Context) {
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
 	if httpheaders.IsWebsocket(c.Request.Header) {
 		websocket.PeriodicWrite(c, 1*time.Second, func() (any, error) {
-			return routes.GetHealthInfoSimple(), nil
+			return ep.GetHealthInfoSimple(), nil
 		})
 	} else {
-		c.JSON(http.StatusOK, routes.GetHealthInfoSimple())
+		c.JSON(http.StatusOK, ep.GetHealthInfoSimple())
 	}
 }

internal/api/v1/homepage/categories.go

@@ -4,10 +4,11 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/homepage"
-	"github.com/yusing/godoxy/internal/route/routes"
 
 	_ "github.com/yusing/goutils/apitypes"
+	apitypes "github.com/yusing/goutils/apitypes"
 )
 
 // @x-id				"categories"
@@ -19,17 +20,23 @@ import (
 // @Produce		json
 // @Success		200	{array}		string
 // @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/homepage/categories [get]
 func Categories(c *gin.Context) {
-	c.JSON(http.StatusOK, HomepageCategories())
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
+	c.JSON(http.StatusOK, HomepageCategories(ep))
 }
 
-func HomepageCategories() []string {
+func HomepageCategories(ep entrypoint.Entrypoint) []string {
 	check := make(map[string]struct{})
 	categories := make([]string, 0)
 	categories = append(categories, homepage.CategoryAll)
 	categories = append(categories, homepage.CategoryFavorites)
-	for _, r := range routes.HTTP.Iter {
+	for _, r := range ep.HTTPRoutes().Iter {
 		item := r.HomepageItem()
 		if item.Category == "" {
 			continue

internal/api/v1/homepage/items.go

@@ -10,8 +10,8 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/lithammer/fuzzysearch/fuzzy"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/homepage"
-	"github.com/yusing/godoxy/internal/route/routes"
 	apitypes "github.com/yusing/goutils/apitypes"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
@@ -36,6 +36,7 @@ type HomepageItemsRequest struct {
 // @Success		200			{object}	homepage.Homepage
 // @Failure		400			{object}	apitypes.ErrorResponse
 // @Failure		403			{object}	apitypes.ErrorResponse
+// @Failure		500			{object}	apitypes.ErrorResponse
 // @Router			/homepage/items [get]
 func Items(c *gin.Context) {
 	var request HomepageItemsRequest
@@ -53,29 +54,35 @@ func Items(c *gin.Context) {
 		hostname = host
 	}
 
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil {
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not found in context", nil))
+		return
+	}
+
 	if httpheaders.IsWebsocket(c.Request.Header) {
 		websocket.PeriodicWrite(c, 2*time.Second, func() (any, error) {
-			return HomepageItems(proto, hostname, &request), nil
+			return HomepageItems(ep, proto, hostname, &request), nil
 		})
 	} else {
-		c.JSON(http.StatusOK, HomepageItems(proto, hostname, &request))
+		c.JSON(http.StatusOK, HomepageItems(ep, proto, hostname, &request))
 	}
 }
 
-func HomepageItems(proto, hostname string, request *HomepageItemsRequest) homepage.Homepage {
+func HomepageItems(ep entrypoint.Entrypoint, proto, hostname string, request *HomepageItemsRequest) homepage.Homepage {
 	switch proto {
 	case "http", "https":
 	default:
 		proto = "http"
 	}
 
-	hp := homepage.NewHomepageMap(routes.HTTP.Size())
+	hp := homepage.NewHomepageMap(ep.HTTPRoutes().Size())
 
 	if strings.Count(hostname, ".") > 1 {
 		_, hostname, _ = strings.Cut(hostname, ".") // remove the subdomain
 	}
 
-	for _, r := range routes.HTTP.Iter {
+	for _, r := range ep.HTTPRoutes().Iter {
 		if request.Provider != "" && r.ProviderName() != request.Provider {
 			continue
 		}

internal/api/v1/metrics/all_system_info.go

@@ -113,7 +113,7 @@ func AllSystemInfo(c *gin.Context) {
 			data, err := systeminfo.Poller.GetRespData(req.Period, query)
 			if err != nil {
 				numErrs.Add(1)
-				return gperr.PrependSubject("Main server", err)
+				return gperr.PrependSubject(err, "Main server")
 			}
 			select {
 			case <-manager.Done():
@@ -133,7 +133,7 @@ func AllSystemInfo(c *gin.Context) {
 				data, err := getAgentSystemInfoWithRetry(manager.Context(), a, queryEncoded)
 				if err != nil {
 					numErrs.Add(1)
-					return gperr.PrependSubject("Agent "+a.Name, err)
+					return gperr.PrependSubject(err, "Agent "+a.Name)
 				}
 				select {
 				case <-manager.Done():
@@ -170,7 +170,7 @@ func AllSystemInfo(c *gin.Context) {
 					c.Error(apitypes.InternalServerError(err, "failed to get all system info"))
 					return
 				}
-				gperr.LogWarn("failed to get some system info", err)
+				log.Warn().Err(err).Msg("failed to get some system info")
 			}
 		}
 	}

internal/api/v1/proxmox/common.go

@@ -3,4 +3,4 @@ package proxmoxapi
 type ActionRequest struct {
 	Node string `uri:"node" binding:"required"`
 	VMID int    `uri:"vmid" binding:"required"`
-}
+} //	@name	ProxmoxVMActionRequest

internal/api/v1/proxmox/journalctl.go

@@ -1,6 +1,7 @@
 package proxmoxapi
 
 import (
+	"errors"
 	"io"
 	"net/http"
 
@@ -10,36 +11,40 @@ import (
 	"github.com/yusing/goutils/http/websocket"
 )
 
+// e.g. ws://localhost:8889/api/v1/proxmox/journalctl?node=pve&vmid=127&service=pveproxy&service=pvedaemon&limit=10
+// e.g. ws://localhost:8889/api/v1/proxmox/journalctl/pve/127?service=pveproxy&service=pvedaemon&limit=10
+
 type JournalctlRequest struct {
-	Node    string `uri:"node" binding:"required"`
-	VMID    *int   `uri:"vmid"` // optional - if not provided, streams node journalctl
-	Service string `uri:"service"`
-	Limit   int    `query:"limit" binding:"omitempty,min=1,max=1000"`
-}
+	Node     string   `form:"node" uri:"node" binding:"required"`                       // Node name
+	VMID     *int     `form:"vmid" uri:"vmid"`                                          // Container VMID (optional - if not provided, streams node journalctl)
+	Services []string `form:"service" uri:"service"`                                    // Service names
+	Limit    *int     `form:"limit" uri:"limit" default:"100" binding:"min=1,max=1000"` // Limit output lines (1-1000)
+} //	@name	ProxmoxJournalctlRequest
 
 // @x-id				"journalctl"
 // @BasePath		/api/v1
 // @Summary		Get journalctl output
 // @Description	Get journalctl output for node or LXC container. If vmid is not provided, streams node journalctl.
 // @Tags			proxmox,websocket
-// @Accept			json
+// @Accept		json
 // @Produce		application/json
-// @Param			node		path		string	true	"Node name"
-// @Param			vmid		path		int		  false	"Container VMID (optional - if not provided, streams node journalctl)"
-// @Param			service	path		string	false	"Service name (e.g., 'pveproxy' for node, 'container@.service' format for LXC)"
-// @Param			limit		query		int		  false	"Limit output lines (1-1000)"
+// @Param			query		query		JournalctlRequest	true	"Request"
+// @Param			path		path		JournalctlRequest	true	"Request"
 // @Success		200			string	plain	  "Journalctl output"
 // @Failure		400			{object}	apitypes.ErrorResponse	"Invalid request"
 // @Failure		403			{object}	apitypes.ErrorResponse	"Unauthorized"
 // @Failure		404			{object}	apitypes.ErrorResponse	"Node not found"
 // @Failure		500			{object}	apitypes.ErrorResponse	"Internal server error"
+// @Router		/proxmox/journalctl [get]
 // @Router		/proxmox/journalctl/{node} [get]
 // @Router		/proxmox/journalctl/{node}/{vmid} [get]
 // @Router		/proxmox/journalctl/{node}/{vmid}/{service} [get]
 func Journalctl(c *gin.Context) {
 	var request JournalctlRequest
-	if err := c.ShouldBindUri(&request); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+	uriErr := c.ShouldBindUri(&request)
+	queryErr := c.ShouldBindQuery(&request)
+	if uriErr != nil && queryErr != nil { // allow both uri and query parameters to be set
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", errors.Join(uriErr, queryErr)))
 		return
 	}
 
@@ -49,18 +54,14 @@ func Journalctl(c *gin.Context) {
 		return
 	}
 
-	manager, err := websocket.NewManagerWithUpgrade(c)
-	if err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
-		return
-	}
-	defer manager.Close()
+	c.Status(http.StatusContinue)
 
 	var reader io.ReadCloser
+	var err error
 	if request.VMID == nil {
-		reader, err = node.NodeJournalctl(c.Request.Context(), request.Service, request.Limit)
+		reader, err = node.NodeJournalctl(c.Request.Context(), request.Services, *request.Limit)
 	} else {
-		reader, err = node.LXCJournalctl(c.Request.Context(), *request.VMID, request.Service, request.Limit)
+		reader, err = node.LXCJournalctl(c.Request.Context(), *request.VMID, request.Services, *request.Limit)
 	}
 	if err != nil {
 		c.Error(apitypes.InternalServerError(err, "failed to get journalctl output"))
@@ -68,6 +69,13 @@ func Journalctl(c *gin.Context) {
 	}
 	defer reader.Close()
 
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
 	writer := manager.NewWriter(websocket.TextMessage)
 	_, err = io.Copy(writer, reader)
 	if err != nil {

internal/api/v1/proxmox/tail.go

@@ -0,0 +1,77 @@
+package proxmoxapi
+
+import (
+	"io"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	"github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+// e.g. ws://localhost:8889/api/v1/proxmox/tail?node=pve&vmid=127&file=/var/log/immich/web.log&file=/var/log/immich/ml.log&limit=10
+
+type TailRequest struct {
+	Node  string   `form:"node" binding:"required"`                      // Node name
+	VMID  *int     `form:"vmid"`                                         // Container VMID (optional - if not provided, streams node journalctl)
+	Files []string `form:"file" binding:"required,dive,filepath"`        // File paths
+	Limit int      `form:"limit" default:"100" binding:"min=1,max=1000"` // Limit output lines (1-1000)
+} //	@name	ProxmoxTailRequest
+
+// @x-id				"tail"
+// @BasePath		/api/v1
+// @Summary		Get tail output
+// @Description	Get tail output for node or LXC container. If vmid is not provided, streams node tail.
+// @Tags			proxmox,websocket
+// @Accept		json
+// @Produce		application/json
+// @Param			query		query		TailRequest	true	"Request"
+// @Success		200			string	plain	  "Tail output"
+// @Failure		400			{object}	apitypes.ErrorResponse	"Invalid request"
+// @Failure		403			{object}	apitypes.ErrorResponse	"Unauthorized"
+// @Failure		404			{object}	apitypes.ErrorResponse	"Node not found"
+// @Failure		500			{object}	apitypes.ErrorResponse	"Internal server error"
+// @Router		/proxmox/tail [get]
+func Tail(c *gin.Context) {
+	var request TailRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(request.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	c.Status(http.StatusContinue)
+
+	var reader io.ReadCloser
+	var err error
+	if request.VMID == nil {
+		reader, err = node.NodeTail(c.Request.Context(), request.Files, request.Limit)
+	} else {
+		reader, err = node.LXCTail(c.Request.Context(), *request.VMID, request.Files, request.Limit)
+	}
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get journalctl output"))
+		return
+	}
+	defer reader.Close()
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+	_, err = io.Copy(writer, reader)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to copy journalctl output"))
+		return
+	}
+}

internal/api/v1/reload.go

@@ -1,28 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/godoxy/internal/config"
-	apitypes "github.com/yusing/goutils/apitypes"
-)
-
-// @x-id				"reload"
-// @BasePath		/api/v1
-// @Summary		Reload config
-// @Description	Reload config
-// @Tags			v1
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	apitypes.SuccessResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/reload [post]
-func Reload(c *gin.Context) {
-	if err := config.Reload(); err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to reload config"))
-		return
-	}
-	c.JSON(http.StatusOK, apitypes.Success("config reloaded"))
-}

internal/api/v1/route/by_provider.go

@@ -4,10 +4,10 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 
-	_ "github.com/yusing/goutils/apitypes"
+	apitypes "github.com/yusing/goutils/apitypes"
 )
 
 type RoutesByProvider map[string][]route.Route
@@ -24,5 +24,10 @@ type RoutesByProvider map[string][]route.Route
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/route/by_provider [get]
 func ByProvider(c *gin.Context) {
-	c.JSON(http.StatusOK, routes.ByProvider())
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
+	c.JSON(http.StatusOK, ep.RoutesByProvider())
 }

internal/api/v1/route/playground.go

@@ -1,6 +1,7 @@
 package routeApi
 
 import (
+	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -54,16 +55,16 @@ type PlaygroundResponse struct {
 	MatchedRules   []string      `json:"matchedRules"`
 	FinalRequest   FinalRequest  `json:"finalRequest"`
 	FinalResponse  FinalResponse `json:"finalResponse"`
-	ExecutionError gperr.Error   `json:"executionError,omitempty"`
+	ExecutionError error         `json:"executionError,omitempty"` // we need the structured error, not the plain string
 	UpstreamCalled bool          `json:"upstreamCalled"`
 } // @name PlaygroundResponse
 
 type ParsedRule struct {
-	Name            string      `json:"name"`
-	On              string      `json:"on"`
-	Do              string      `json:"do"`
-	ValidationError gperr.Error `json:"validationError,omitempty"`
-	IsResponseRule  bool        `json:"isResponseRule"`
+	Name            string `json:"name"`
+	On              string `json:"on"`
+	Do              string `json:"do"`
+	ValidationError error  `json:"validationError,omitempty"` // we need the structured error, not the plain string
+	IsResponseRule  bool   `json:"isResponseRule"`
 } // @name ParsedRule
 
 type FinalRequest struct {
@@ -138,7 +139,7 @@ func Playground(c *gin.Context) {
 	// Execute rules
 	matchedRules := []string{}
 	upstreamCalled := false
-	var executionError gperr.Error
+	var executionError error
 
 	// Variables to capture modified request state
 	var finalReqMethod, finalReqPath, finalReqHost string
@@ -244,21 +245,23 @@ func Playground(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }
 
-func handlerWithRecover(w http.ResponseWriter, r *http.Request, h http.HandlerFunc, outErr *gperr.Error) {
+func handlerWithRecover(w http.ResponseWriter, r *http.Request, h http.HandlerFunc, outErr *error) {
 	defer func() {
 		if r := recover(); r != nil {
 			if outErr != nil {
-				*outErr = gperr.Errorf("panic during rule execution: %v", r)
+				*outErr = fmt.Errorf("panic during rule execution: %v", r)
 			}
 		}
 	}()
 	h(w, r)
 }
 
-func parseRules(rawRules []RawRule) ([]ParsedRule, rules.Rules, gperr.Error) {
+func parseRules(rawRules []RawRule) ([]ParsedRule, rules.Rules, error) {
 	var parsedRules []ParsedRule
 	var rulesList rules.Rules
 
+	var valErrs gperr.Builder
+
 	// Parse each rule individually to capture per-rule errors
 	for _, rawRule := range rawRules {
 		var rule rules.Rule
@@ -284,7 +287,11 @@ func parseRules(rawRules []RawRule) ([]ParsedRule, rules.Rules, gperr.Error) {
 
 		// Determine if valid
 		isValid := onErr == nil && doErr == nil
-		validationErr := gperr.Join(gperr.PrependSubject("on", onErr), gperr.PrependSubject("do", doErr))
+		var validationErr error
+		if !isValid {
+			validationErr = gperr.Join(gperr.PrependSubject(onErr, "on"), gperr.PrependSubject(doErr, "do"))
+			valErrs.Add(validationErr)
+		}
 
 		parsedRules = append(parsedRules, ParsedRule{
 			Name:            name,
@@ -300,7 +307,7 @@ func parseRules(rawRules []RawRule) ([]ParsedRule, rules.Rules, gperr.Error) {
 		}
 	}
 
-	return parsedRules, rulesList, nil
+	return parsedRules, rulesList, valErrs.Error()
 }
 
 func createMockRequest(mock MockRequest) *http.Request {

internal/api/v1/route/route.go

@@ -4,7 +4,7 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/godoxy/internal/route/routes"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	apitypes "github.com/yusing/goutils/apitypes"
 )
 
@@ -32,10 +32,16 @@ func Route(c *gin.Context) {
 		return
 	}
 
-	route, ok := routes.GetIncludeExcluded(request.Which)
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
+
+	route, ok := ep.GetRoute(request.Which)
 	if ok {
 		c.JSON(http.StatusOK, route)
 		return
 	}
-	c.JSON(http.StatusNotFound, nil)
+	c.JSON(http.StatusNotFound, apitypes.Error("route not found"))
 }

internal/api/v1/route/routes.go

@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
@@ -32,14 +32,16 @@ func Routes(c *gin.Context) {
 		return
 	}
 
+	ep := entrypoint.FromCtx(c.Request.Context())
+
 	provider := c.Query("provider")
 	if provider == "" {
-		c.JSON(http.StatusOK, slices.Collect(routes.IterAll))
+		c.JSON(http.StatusOK, slices.Collect(ep.IterRoutes))
 		return
 	}
 
-	rts := make([]types.Route, 0, routes.NumAllRoutes())
-	for r := range routes.IterAll {
+	rts := make([]types.Route, 0, ep.NumRoutes())
+	for r := range ep.IterRoutes {
 		if r.ProviderName() == provider {
 			rts = append(rts, r)
 		}
@@ -48,17 +50,19 @@ func Routes(c *gin.Context) {
 }
 
 func RoutesWS(c *gin.Context) {
+	ep := entrypoint.FromCtx(c.Request.Context())
+
 	provider := c.Query("provider")
 	if provider == "" {
 		websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
-			return slices.Collect(routes.IterAll), nil
+			return slices.Collect(ep.IterRoutes), nil
 		})
 		return
 	}
 
 	websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
-		rts := make([]types.Route, 0, routes.NumAllRoutes())
-		for r := range routes.IterAll {
+		rts := make([]types.Route, 0, ep.NumRoutes())
+		for r := range ep.IterRoutes {
 			if r.ProviderName() == provider {
 				rts = append(rts, r)
 			}

internal/api/v1/route/validate.go

@@ -0,0 +1,69 @@
+package routeApi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/goccy/go-yaml"
+	"github.com/yusing/godoxy/internal/route"
+	"github.com/yusing/godoxy/internal/serialization"
+	apitypes "github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+type _ = route.Route
+
+// @x-id			"validate"
+// @BasePath	/api/v1
+// @Summary		Validate route
+// @Description	Validate route,
+// @Tags			route,websocket
+// @Accept		application/yaml
+// @Produce		json
+// @Param			route body route.Route true "Route"
+// @Success		200		{object}	apitypes.SuccessResponse "Route validated"
+// @Failure		400		{object}	apitypes.ErrorResponse "Bad request"
+// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden"
+// @Failure		417		{object}	any "Validation failed"
+// @Failure		500		{object}	apitypes.ErrorResponse "Internal server error"
+// @Router		/route/validate [get]
+// @Router		/route/validate [post]
+func Validate(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		ValidateWS(c)
+		return
+	}
+	var request route.Route
+	if err := c.ShouldBindWith(&request, serialization.GinYAMLBinding{}); err != nil {
+		c.JSON(http.StatusExpectationFailed, err)
+		return
+	}
+	c.JSON(http.StatusOK, apitypes.Success("route validated"))
+}
+
+func ValidateWS(c *gin.Context) {
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	const writeTimeout = 5 * time.Second
+
+	for {
+		select {
+		case <-manager.Done():
+			return
+		case msg := <-manager.ReadCh():
+			var request route.Route
+			if err := serialization.UnmarshalValidate(msg, &request, yaml.Unmarshal); err != nil {
+				manager.WriteJSON(gin.H{"error": err}, writeTimeout)
+				continue
+			}
+			manager.WriteJSON(gin.H{"message": "route validated"}, writeTimeout)
+		}
+	}
+}

internal/auth/oidc.go

@@ -17,7 +17,6 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/yusing/godoxy/internal/common"
 	"github.com/yusing/godoxy/internal/utils"
-	gperr "github.com/yusing/goutils/errs"
 	httputils "github.com/yusing/goutils/http"
 	"golang.org/x/oauth2"
 	"golang.org/x/time/rate"
@@ -76,8 +75,8 @@ const (
 var (
 	errMissingIDToken = errors.New("missing id_token field from oauth token")
 
-	ErrMissingOAuthToken = gperr.New("missing oauth token")
-	ErrInvalidOAuthToken = gperr.New("invalid oauth token")
+	ErrMissingOAuthToken = errors.New("missing oauth token")
+	ErrInvalidOAuthToken = errors.New("invalid oauth token")
 )
 
 // generateState generates a random string for OIDC state.

internal/auth/userpass.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -8,16 +9,12 @@ import (
 	"github.com/bytedance/sonic"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/yusing/godoxy/internal/common"
-	gperr "github.com/yusing/goutils/errs"
 	httputils "github.com/yusing/goutils/http"
 	strutils "github.com/yusing/goutils/strings"
 	"golang.org/x/crypto/bcrypt"
 )
 
-var (
-	ErrInvalidUsername = gperr.New("invalid username")
-	ErrInvalidPassword = gperr.New("invalid password")
-)
+var ErrInvalidUsername = errors.New("invalid username")
 
 type (
 	UserPassAuth struct {
@@ -94,9 +91,9 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	case !token.Valid:
 		return ErrInvalidSessionToken
 	case claims.Username != auth.username:
-		return ErrUserNotAllowed.Subject(claims.Username)
+		return fmt.Errorf("%w: %s", ErrUserNotAllowed, claims.Username)
 	case claims.ExpiresAt.Before(time.Now()):
-		return gperr.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
+		return fmt.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
 	}
 
 	return nil
@@ -140,10 +137,10 @@ func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request)
 
 func (auth *UserPassAuth) validatePassword(user, pass string) error {
 	if user != auth.username {
-		return ErrInvalidUsername.Subject(user)
+		return ErrInvalidUsername
 	}
 	if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil {
-		return ErrInvalidPassword.With(err).Subject(pass)
+		return err
 	}
 	return nil
 }

internal/auth/userpass_test.go

@@ -27,7 +27,7 @@ func TestUserPassValidateCredentials(t *testing.T) {
 	err := auth.validatePassword("username", "password")
 	expect.NoError(t, err)
 	err = auth.validatePassword("username", "wrong-password")
-	expect.ErrorIs(t, ErrInvalidPassword, err)
+	expect.ErrorIs(t, bcrypt.ErrMismatchedHashAndPassword, err)
 	err = auth.validatePassword("wrong-username", "password")
 	expect.ErrorIs(t, ErrInvalidUsername, err)
 }

internal/auth/utils.go

@@ -1,20 +1,20 @@
 package auth
 
 import (
+	"errors"
 	"net"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/yusing/godoxy/internal/common"
-	gperr "github.com/yusing/goutils/errs"
 	strutils "github.com/yusing/goutils/strings"
 )
 
 var (
-	ErrMissingSessionToken = gperr.New("missing session token")
-	ErrInvalidSessionToken = gperr.New("invalid session token")
-	ErrUserNotAllowed      = gperr.New("user not allowed")
+	ErrMissingSessionToken = errors.New("missing session token")
+	ErrInvalidSessionToken = errors.New("invalid session token")
+	ErrUserNotAllowed      = errors.New("user not allowed")
 )
 
 func IsFrontend(r *http.Request) bool {

internal/autocert/config.go

@@ -4,10 +4,13 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"fmt"
 	"net/http"
 	"os"
+	"path/filepath"
 	"regexp"
 
 	"github.com/go-acme/lego/v4/certcrypto"
@@ -27,7 +30,7 @@ type Config struct {
 	CertPath    string                       `json:"cert_path,omitempty"`
 	KeyPath     string                       `json:"key_path,omitempty"`
 	Extra       []ConfigExtra                `json:"extra,omitempty"`
-	ACMEKeyPath string                       `json:"acme_key_path,omitempty"` // shared by all extra providers
+	ACMEKeyPath string                       `json:"acme_key_path,omitempty"` // shared by all extra providers with the same CA directory URL
 	Provider    string                       `json:"provider,omitempty"`
 	Options     map[string]strutils.Redacted `json:"options,omitempty"`
 
@@ -63,13 +66,13 @@ const (
 
 var domainOrWildcardRE = regexp.MustCompile(`^\*?([^.]+\.)+[^.]+$`)
 
-// Validate implements the utils.CustomValidator interface.
-func (cfg *Config) Validate() gperr.Error {
+// Validate implements the serialization.CustomValidator interface.
+func (cfg *Config) Validate() error {
 	seenPaths := make(map[string]int) // path -> provider idx (0 for main, 1+ for extras)
 	return cfg.validate(seenPaths)
 }
 
-func (cfg *ConfigExtra) Validate() gperr.Error {
+func (cfg *ConfigExtra) Validate() error {
 	return nil // done by main config's validate
 }
 
@@ -77,7 +80,7 @@ func (cfg *ConfigExtra) AsConfig() *Config {
 	return (*Config)(cfg)
 }
 
-func (cfg *Config) validate(seenPaths map[string]int) gperr.Error {
+func (cfg *Config) validate(seenPaths map[string]int) error {
 	if cfg.Provider == "" {
 		cfg.Provider = ProviderLocal
 	}
@@ -88,7 +91,7 @@ func (cfg *Config) validate(seenPaths map[string]int) gperr.Error {
 		cfg.KeyPath = KeyFileDefault
 	}
 	if cfg.ACMEKeyPath == "" {
-		cfg.ACMEKeyPath = ACMEKeyFileDefault
+		cfg.ACMEKeyPath = acmeKeyPath(cfg.CADirURL)
 	}
 
 	b := gperr.NewBuilder("certificate error")
@@ -154,7 +157,7 @@ func (cfg *Config) validate(seenPaths map[string]int) gperr.Error {
 			cfg.Extra[i].AsConfig().idx = i + 1
 			err := cfg.Extra[i].AsConfig().validate(seenPaths)
 			if err != nil {
-				b.Add(err.Subjectf("extra[%d]", i))
+				b.AddSubjectf(err, "extra[%d]", i)
 			}
 		}
 	}
@@ -176,10 +179,10 @@ func (cfg *Config) GetLegoConfig() (*User, *lego.Config, error) {
 			log.Info().Err(err).Msg("failed to load ACME private key, generating a now one")
 			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			if err != nil {
-				return nil, nil, gperr.New("generate ACME private key").With(err)
+				return nil, nil, fmt.Errorf("generate ACME private key: %w", err)
 			}
 			if err = cfg.SaveACMEKey(privKey); err != nil {
-				return nil, nil, gperr.New("save ACME private key").With(err)
+				return nil, nil, fmt.Errorf("save ACME private key: %w", err)
 			}
 		}
 	}
@@ -203,7 +206,7 @@ func (cfg *Config) GetLegoConfig() (*User, *lego.Config, error) {
 	if len(cfg.CACerts) > 0 {
 		certPool, err := lego.CreateCertPool(cfg.CACerts, true)
 		if err != nil {
-			return nil, nil, gperr.New("failed to create cert pool").With(err)
+			return nil, nil, fmt.Errorf("failed to create cert pool: %w", err)
 		}
 		legoCfg.HTTPClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = certPool
 	}
@@ -272,3 +275,16 @@ func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
 	}
 	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
 }
+
+// acmeKeyPath returns the path to the ACME key file based on the CA directory URL.
+// Different CA directory URLs will use different key files to avoid key conflicts.
+func acmeKeyPath(caDirURL string) string {
+	// Use a hash of the CA directory URL to create a unique key filename
+	// Default to "acme" if no custom CA is configured (Let's Encrypt default)
+	filename := "acme"
+	if caDirURL != "" {
+		hash := sha256.Sum256([]byte(caDirURL))
+		filename = "acme_" + hex.EncodeToString(hash[:])[:16]
+	}
+	return filepath.Join(certBasePath, filename+".key")
+}

internal/autocert/config_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/godoxy/internal/autocert"
 	"github.com/yusing/godoxy/internal/dnsproviders"
@@ -25,9 +26,9 @@ func TestEABConfigRequired(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			yaml := fmt.Appendf(nil, "eab_kid: %s\neab_hmac: %s", test.cfg.EABKid, test.cfg.EABHmac)
+			yamlCfg := fmt.Appendf(nil, "eab_kid: %s\neab_hmac: %s", test.cfg.EABKid, test.cfg.EABHmac)
 			cfg := autocert.Config{}
-			err := serialization.UnmarshalValidateYAML(yaml, &cfg)
+			err := serialization.UnmarshalValidate(yamlCfg, &cfg, yaml.Unmarshal)
 			if (err != nil) != test.wantErr {
 				t.Errorf("Validate() error = %v, wantErr %v", err, test.wantErr)
 			}

internal/autocert/paths.go

@@ -1,8 +1,7 @@
 package autocert
 
 const (
-	certBasePath       = "certs/"
-	CertFileDefault    = certBasePath + "cert.crt"
-	KeyFileDefault     = certBasePath + "priv.key"
-	ACMEKeyFileDefault = certBasePath + "acme.key"
+	certBasePath    = "certs/"
+	CertFileDefault = certBasePath + "cert.crt"
+	KeyFileDefault  = certBasePath + "priv.key"
 )

internal/autocert/provider.go

@@ -150,7 +150,7 @@ func (p *Provider) GetName() string {
 }
 
 func (p *Provider) fmtError(err error) error {
-	return gperr.PrependSubject(fmt.Sprintf("provider: %s", p.GetName()), err)
+	return gperr.PrependSubject(err, "provider: "+p.GetName())
 }
 
 func (p *Provider) GetCertPath() string {
@@ -216,19 +216,20 @@ func (p *Provider) ObtainCertIfNotExistsAll() error {
 	for _, provider := range p.allProviders() {
 		errs.Go(func() error {
 			if err := provider.obtainCertIfNotExists(); err != nil {
-				return fmt.Errorf("failed to obtain cert for %s: %w", provider.GetName(), err)
+				return gperr.PrependSubject(err, provider.GetName())
 			}
 			return nil
 		})
 	}
 
+	err := errs.Wait().Error()
 	p.rebuildSNIMatcher()
-	return errs.Wait().Error()
+	return err
 }
 
 // obtainCertIfNotExists obtains a new certificate for this provider if it does not exist.
 func (p *Provider) obtainCertIfNotExists() error {
-	err := p.LoadCert()
+	err := p.loadCert()
 	if err == nil {
 		return nil
 	}
@@ -261,7 +262,10 @@ func (p *Provider) ObtainCertAll() error {
 			return nil
 		})
 	}
-	return errs.Wait().Error()
+
+	err := errs.Wait().Error()
+	p.rebuildSNIMatcher()
+	return err
 }
 
 // ObtainCert renews existing certificate or obtains a new certificate for this provider.
@@ -346,29 +350,32 @@ func (p *Provider) ObtainCert() error {
 	return nil
 }
 
-func (p *Provider) LoadCert() error {
+func (p *Provider) LoadCertAll() error {
 	var errs gperr.Builder
+	for _, provider := range p.allProviders() {
+		if err := provider.loadCert(); err != nil {
+			errs.Add(provider.fmtError(err))
+		}
+	}
+	p.rebuildSNIMatcher()
+	return errs.Error()
+}
+
+func (p *Provider) loadCert() error {
 	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
 	if err != nil {
-		errs.Addf("load SSL certificate: %w", p.fmtError(err))
+		return err
 	}
 
 	expiries, err := getCertExpiries(&cert)
 	if err != nil {
-		errs.Addf("parse SSL certificate: %w", p.fmtError(err))
+		return err
 	}
 
 	p.tlsCert = &cert
 	p.certExpiries = expiries
 
-	for _, ep := range p.extraProviders {
-		if err := ep.LoadCert(); err != nil {
-			errs.Add(err)
-		}
-	}
-
-	p.rebuildSNIMatcher()
-	return errs.Error()
+	return nil
 }
 
 // PrintCertExpiriesAll prints the certificate expiries for this provider and all extra providers.
@@ -468,7 +475,7 @@ func (p *Provider) scheduleRenewal(parent task.Parent) {
 
 		renewed, err := p.renew(renewMode)
 		if err != nil {
-			gperr.LogWarn("autocert: cert renew failed", p.fmtError(err))
+			log.Warn().Err(p.fmtError(err)).Msg("autocert: cert renew failed")
 			notif.Notify(&notif.LogMessage{
 				Level: zerolog.ErrorLevel,
 				Title: fmt.Sprintf("SSL certificate renewal failed for %s", p.GetName()),
@@ -487,7 +494,7 @@ func (p *Provider) scheduleRenewal(parent task.Parent) {
 
 			// Reset on success
 			if err := p.ClearLastFailure(); err != nil {
-				gperr.LogWarn("autocert: failed to clear last failure", p.fmtError(err))
+				log.Warn().Err(p.fmtError(err)).Msg("autocert: failed to clear last failure")
 			}
 			timer.Reset(time.Until(p.ShouldRenewOn()))
 		}

internal/autocert/provider_test/multi_cert_test.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/godoxy/internal/autocert"
 	"github.com/yusing/godoxy/internal/serialization"
@@ -41,7 +42,7 @@ func TestMultipleCertificatesLifecycle(t *testing.T) {
 	cfg.HTTPClient = acmeServer.httpClient()
 
 	/* unmarshal yaml config with multiple certs */
-	err := error(serialization.UnmarshalValidateYAML(yamlConfig, &cfg))
+	err := error(serialization.UnmarshalValidate(yamlConfig, &cfg, yaml.Unmarshal))
 	require.NoError(t, err)
 	require.Equal(t, []string{"main.example.com"}, cfg.Domains)
 	require.Len(t, cfg.Extra, 2)

internal/autocert/provider_test/sni_test.go

@@ -81,7 +81,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "a.internal.example.com"})
@@ -113,7 +113,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})
@@ -145,7 +145,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "unknown.domain.com"})
@@ -171,7 +171,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(nil)
@@ -197,7 +197,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: ""})
@@ -229,7 +229,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "FOO.EXAMPLE.COM"})
@@ -261,7 +261,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "  foo.example.com.  "})
@@ -293,7 +293,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.a.example.com"})
@@ -319,7 +319,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "bar.example.com"})
@@ -355,7 +355,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.test.com"})
@@ -392,7 +392,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})

internal/autocert/providers.go

@@ -3,11 +3,10 @@ package autocert
 import (
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/yusing/godoxy/internal/serialization"
-	gperr "github.com/yusing/goutils/errs"
 	strutils "github.com/yusing/goutils/strings"
 )
 
-type Generator func(map[string]strutils.Redacted) (challenge.Provider, gperr.Error)
+type Generator func(map[string]strutils.Redacted) (challenge.Provider, error)
 
 var Providers = make(map[string]Generator)
 
@@ -15,7 +14,7 @@ func DNSProvider[CT any, PT challenge.Provider](
 	defaultCfg func() *CT,
 	newProvider func(*CT) (PT, error),
 ) Generator {
-	return func(opt map[string]strutils.Redacted) (challenge.Provider, gperr.Error) {
+	return func(opt map[string]strutils.Redacted) (challenge.Provider, error) {
 		cfg := defaultCfg()
 		if len(opt) > 0 {
 			err := serialization.MapUnmarshalValidate(serialization.ToSerializedObject(opt), &cfg)
@@ -24,6 +23,6 @@ func DNSProvider[CT any, PT challenge.Provider](
 			}
 		}
 		p, pErr := newProvider(cfg)
-		return p, gperr.Wrap(pErr)
+		return p, pErr
 	}
 }

internal/autocert/setup.go

@@ -4,7 +4,7 @@ import (
 	gperr "github.com/yusing/goutils/errs"
 )
 
-func (p *Provider) setupExtraProviders() gperr.Error {
+func (p *Provider) setupExtraProviders() error {
 	p.sniMatcher = sniMatcher{}
 	if len(p.cfg.Extra) == 0 {
 		return nil

internal/autocert/setup_test.go

@@ -3,6 +3,7 @@ package autocert_test
 import (
 	"testing"
 
+	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/godoxy/internal/autocert"
 	"github.com/yusing/godoxy/internal/dnsproviders"
@@ -42,7 +43,7 @@ extra:
 `
 
 	var cfg autocert.Config
-	err := error(serialization.UnmarshalValidateYAML([]byte(cfgYAML), &cfg))
+	err := error(serialization.UnmarshalValidate([]byte(cfgYAML), &cfg, yaml.Unmarshal))
 	require.NoError(t, err)
 
 	// Test: extra[0] inherits all fields from main except CertPath and KeyPath.

internal/autocert/types/context.go

@@ -0,0 +1,16 @@
+package autocert
+
+import "context"
+
+type ContextKey struct{}
+
+func SetCtx(ctx interface{ SetValue(any, any) }, p Provider) {
+	ctx.SetValue(ContextKey{}, p)
+}
+
+func FromCtx(ctx context.Context) Provider {
+	if provider, ok := ctx.Value(ContextKey{}).(Provider); ok {
+		return provider
+	}
+	return nil
+}

internal/autocert/types/provider.go

@@ -7,7 +7,6 @@ import (
 )
 
 type Provider interface {
-	Setup() error
 	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
 	ScheduleRenewalAll(task.Parent)
 	ObtainCertAll() error

internal/common/env.go

@@ -13,6 +13,8 @@ var (
 	IsDebug = env.GetEnvBool("DEBUG", IsTest)
 	IsTrace = env.GetEnvBool("TRACE", false) && IsDebug
 
+	InitTimeout = env.GetEnvDuation("INIT_TIMEOUT", 1*time.Minute)
+
 	ShortLinkPrefix = env.GetEnvString("SHORTLINK_PREFIX", "go")
 
 	ProxyHTTPAddr,

internal/config/README.md

@@ -54,7 +54,7 @@ type State interface {
     Task() *task.Task
     Context() context.Context
     Value() *Config
-    EntrypointHandler() http.Handler
+    Entrypoint() entrypoint.Entrypoint
     ShortLinkMatcher() config.ShortLinkMatcher
     AutoCertProvider() server.CertProvider
     LoadOrStoreProvider(key string, value types.RouteProvider) (actual types.RouteProvider, loaded bool)
@@ -62,6 +62,12 @@ type State interface {
     IterProviders() iter.Seq2[string, types.RouteProvider]
     StartProviders() error
     NumProviders() int
+
+    // Lifecycle management
+    StartAPIServers()
+    StartMetrics()
+
+    FlushTmpLog()
 }
 ```
 
@@ -214,12 +220,15 @@ Configuration supports hot-reloading via editing `config/config.yml`.
 
 - `internal/acl` - Access control configuration
 - `internal/autocert` - SSL certificate management
-- `internal/entrypoint` - HTTP entrypoint setup
+- `internal/entrypoint` - HTTP entrypoint setup (now via interface)
 - `internal/route/provider` - Route providers (Docker, file, agent)
 - `internal/maxmind` - GeoIP configuration
 - `internal/notif` - Notification providers
 - `internal/proxmox` - LXC container management
 - `internal/homepage/types` - Dashboard configuration
+- `internal/api` - REST API servers
+- `internal/metrics/systeminfo` - System metrics polling
+- `internal/metrics/uptime` - Uptime tracking
 - `github.com/yusing/goutils/task` - Object lifecycle management
 
 ### External dependencies
@@ -312,5 +321,8 @@ for name, provider := range config.GetState().IterProviders() {
 
 ```go
 state := config.GetState()
-http.Handle("/", state.EntrypointHandler())
+// Get entrypoint interface for route management
+ep := state.Entrypoint()
+// Add routes directly to entrypoint
+ep.AddRoute(route)
 ```

internal/config/events.go

@@ -7,14 +7,13 @@ import (
 	"time"
 
 	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/yusing/godoxy/internal/common"
 	config "github.com/yusing/godoxy/internal/config/types"
 	"github.com/yusing/godoxy/internal/notif"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/watcher"
 	"github.com/yusing/godoxy/internal/watcher/events"
 	gperr "github.com/yusing/goutils/errs"
-	"github.com/yusing/goutils/server"
 	"github.com/yusing/goutils/strings/ansi"
 	"github.com/yusing/goutils/task"
 )
@@ -34,7 +33,7 @@ You may run "ls-config" to show or dump the current config.`
 )
 
 func logNotifyError(action string, err error) {
-	gperr.LogError("config "+action+" error", err)
+	log.Error().Err(err).Msg("config " + action + " error")
 	notif.Notify(&notif.LogMessage{
 		Level: zerolog.ErrorLevel,
 		Title: fmt.Sprintf("Config %s error", action),
@@ -43,7 +42,7 @@ func logNotifyError(action string, err error) {
 }
 
 func logNotifyWarn(action string, err error) {
-	gperr.LogWarn("config "+action+" error", err)
+	log.Warn().Err(err).Msg("config " + action + " warning")
 	notif.Notify(&notif.LogMessage{
 		Level: zerolog.WarnLevel,
 		Title: fmt.Sprintf("Config %s warning", action),
@@ -60,20 +59,30 @@ func Load() error {
 
 	cfgWatcher = watcher.NewConfigFileWatcher(common.ConfigFileName)
 
-	// disable pool logging temporary since we already have pretty logging
-	routes.HTTP.DisableLog(true)
-	routes.Stream.DisableLog(true)
+	initErr := state.InitFromFile(common.ConfigPath)
+	if initErr != nil {
+		// if error is critical, notify and return it without starting providers
+		var criticalErr CriticalError
+		if errors.As(initErr, &criticalErr) {
+			logNotifyError("init", criticalErr.err)
+			return criticalErr.err
+		}
+	}
 
+	// disable pool logging temporary since we already have pretty logging
+	state.Entrypoint().DisablePoolsLog(true)
 	defer func() {
-		routes.HTTP.DisableLog(false)
-		routes.Stream.DisableLog(false)
+		state.Entrypoint().DisablePoolsLog(false)
 	}()
 
-	initErr := state.InitFromFile(common.ConfigPath)
 	err := errors.Join(initErr, state.StartProviders())
 	if err != nil {
 		logNotifyError("init", err)
 	}
+
+	state.StartAPIServers()
+	state.StartMetrics()
+
 	SetState(state)
 
 	// flush temporary log
@@ -81,7 +90,7 @@ func Load() error {
 	return nil
 }
 
-func Reload() gperr.Error {
+func Reload() error {
 	// avoid race between config change and API reload request
 	reloadMu.Lock()
 	defer reloadMu.Unlock()
@@ -108,7 +117,9 @@ func Reload() gperr.Error {
 		logNotifyError("start providers", err)
 		return nil // continue
 	}
-	StartProxyServers()
+
+	newState.StartAPIServers()
+	newState.StartMetrics()
 	return nil
 }
 
@@ -118,7 +129,7 @@ func WatchChanges() {
 		t,
 		configEventFlushInterval,
 		OnConfigChange,
-		func(err gperr.Error) {
+		func(err error) {
 			logNotifyError("reload", err)
 		},
 	)
@@ -142,16 +153,3 @@ func OnConfigChange(ev []events.Event) {
 		panic(err)
 	}
 }
-
-func StartProxyServers() {
-	cfg := GetState()
-	server.StartServer(cfg.Task(), server.Options{
-		Name:                 "proxy",
-		CertProvider:         cfg.AutoCertProvider(),
-		HTTPAddr:             common.ProxyHTTPAddr,
-		HTTPSAddr:            common.ProxyHTTPSAddr,
-		Handler:              cfg.EntrypointHandler(),
-		ACL:                  cfg.Value().ACL,
-		SupportProxyProtocol: cfg.Value().Entrypoint.SupportProxyProtocol,
-	})
-}

internal/config/state.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io/fs"
 	"iter"
-	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -18,14 +17,20 @@ import (
 	"github.com/goccy/go-yaml"
 	"github.com/puzpuzpuz/xsync/v4"
 	"github.com/rs/zerolog"
-	"github.com/yusing/godoxy/internal/acl"
+	acl "github.com/yusing/godoxy/internal/acl/types"
 	"github.com/yusing/godoxy/internal/agentpool"
+	"github.com/yusing/godoxy/internal/api"
 	"github.com/yusing/godoxy/internal/autocert"
+	autocertctx "github.com/yusing/godoxy/internal/autocert/types"
+	"github.com/yusing/godoxy/internal/common"
 	config "github.com/yusing/godoxy/internal/config/types"
 	"github.com/yusing/godoxy/internal/entrypoint"
+	entrypointctx "github.com/yusing/godoxy/internal/entrypoint/types"
 	homepage "github.com/yusing/godoxy/internal/homepage/types"
 	"github.com/yusing/godoxy/internal/logging"
 	"github.com/yusing/godoxy/internal/maxmind"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	"github.com/yusing/godoxy/internal/metrics/uptime"
 	"github.com/yusing/godoxy/internal/notif"
 	route "github.com/yusing/godoxy/internal/route/provider"
 	"github.com/yusing/godoxy/internal/serialization"
@@ -40,7 +45,7 @@ type state struct {
 
 	providers        *xsync.Map[string, types.RouteProvider]
 	autocertProvider *autocert.Provider
-	entrypoint       entrypoint.Entrypoint
+	entrypoint       *entrypoint.Entrypoint
 
 	task *task.Task
 
@@ -50,14 +55,25 @@ type state struct {
 	tmpLog    zerolog.Logger
 }
 
+type CriticalError struct {
+	err error
+}
+
+func (e CriticalError) Error() string {
+	return e.err.Error()
+}
+
+func (e CriticalError) Unwrap() error {
+	return e.err
+}
+
 func NewState() config.State {
 	tmpLogBuf := bytes.NewBuffer(make([]byte, 0, 4096))
 	return &state{
-		providers:  xsync.NewMap[string, types.RouteProvider](),
-		entrypoint: entrypoint.NewEntrypoint(),
-		task:       task.RootTask("config", false),
-		tmpLogBuf:  tmpLogBuf,
-		tmpLog:     logging.NewLoggerWithFixedLevel(zerolog.InfoLevel, tmpLogBuf),
+		providers: xsync.NewMap[string, types.RouteProvider](),
+		task:      task.RootTask("config", false),
+		tmpLogBuf: tmpLogBuf,
+		tmpLog:    logging.NewLoggerWithFixedLevel(zerolog.InfoLevel, tmpLogBuf),
 	}
 }
 
@@ -73,7 +89,6 @@ func SetState(state config.State) {
 
 	cfg := state.Value()
 	config.ActiveState.Store(state)
-	entrypoint.ActiveConfig.Store(&cfg.Entrypoint)
 	homepage.ActiveConfig.Store(&cfg.Homepage)
 	if autocertProvider := state.AutoCertProvider(); autocertProvider != nil {
 		autocert.ActiveProvider.Store(autocertProvider.(*autocert.Provider))
@@ -96,16 +111,16 @@ func (state *state) InitFromFile(filename string) error {
 		if errors.Is(err, fs.ErrNotExist) {
 			state.Config = config.DefaultConfig()
 		} else {
-			return err
+			return CriticalError{err}
 		}
 	}
 	return state.Init(data)
 }
 
 func (state *state) Init(data []byte) error {
-	err := serialization.UnmarshalValidateYAML(data, &state.Config)
+	err := serialization.UnmarshalValidate(data, &state.Config, yaml.Unmarshal)
 	if err != nil {
-		return err
+		return CriticalError{err}
 	}
 
 	g := gperr.NewGroup("config load error")
@@ -117,7 +132,9 @@ func (state *state) Init(data []byte) error {
 	// these won't benefit from running on goroutines
 	errs.Add(state.initNotification())
 	errs.Add(state.initACL())
-	errs.Add(state.initEntrypoint())
+	if err := state.initEntrypoint(); err != nil {
+		errs.Add(CriticalError{err})
+	}
 	errs.Add(state.loadRouteProviders())
 	return errs.Error()
 }
@@ -134,8 +151,8 @@ func (state *state) Value() *config.Config {
 	return &state.Config
 }
 
-func (state *state) EntrypointHandler() http.Handler {
-	return &state.entrypoint
+func (state *state) Entrypoint() entrypointctx.Entrypoint {
+	return state.entrypoint
 }
 
 func (state *state) ShortLinkMatcher() config.ShortLinkMatcher {
@@ -190,6 +207,29 @@ func (state *state) FlushTmpLog() {
 	state.tmpLogBuf.Reset()
 }
 
+func (state *state) StartAPIServers() {
+	// API Handler needs to start after auth is initialized.
+	server.StartServer(state.task.Subtask("api_server", false), server.Options{
+		Name:     "api",
+		HTTPAddr: common.APIHTTPAddr,
+		Handler:  api.NewHandler(true),
+	})
+
+	// Local API Handler is used for unauthenticated access.
+	if common.LocalAPIHTTPAddr != "" {
+		server.StartServer(state.task.Subtask("local_api_server", false), server.Options{
+			Name:     "local_api",
+			HTTPAddr: common.LocalAPIHTTPAddr,
+			Handler:  api.NewHandler(false),
+		})
+	}
+}
+
+func (state *state) StartMetrics() {
+	systeminfo.Poller.Start(state.task)
+	uptime.Poller.Start(state.task)
+}
+
 // initACL initializes the ACL.
 func (state *state) initACL() error {
 	if !state.ACL.Valid() {
@@ -199,7 +239,7 @@ func (state *state) initACL() error {
 	if err != nil {
 		return err
 	}
-	state.task.SetValue(acl.ContextKey{}, state.ACL)
+	acl.SetCtx(state.task, state.ACL)
 	return nil
 }
 
@@ -207,6 +247,7 @@ func (state *state) initEntrypoint() error {
 	epCfg := state.Config.Entrypoint
 	matchDomains := state.MatchDomains
 
+	state.entrypoint = entrypoint.NewEntrypoint(state.task, &epCfg)
 	state.entrypoint.SetFindRouteDomains(matchDomains)
 	state.entrypoint.SetNotFoundRules(epCfg.Rules.NotFound)
 
@@ -220,6 +261,8 @@ func (state *state) initEntrypoint() error {
 		}
 	}
 
+	entrypointctx.SetCtx(state.task, state.entrypoint)
+
 	errs := gperr.NewBuilder("entrypoint error")
 	errs.Add(state.entrypoint.SetMiddlewares(epCfg.Middlewares))
 	errs.Add(state.entrypoint.SetAccessLogger(state.task, epCfg.AccessLog))
@@ -296,6 +339,7 @@ func (state *state) initAutoCert() error {
 	p.PrintCertExpiriesAll()
 
 	state.autocertProvider = p
+	autocertctx.SetCtx(state.task, p)
 	return nil
 }
 
@@ -309,7 +353,7 @@ func (state *state) initProxmox() error {
 	for _, cfg := range proxmoxCfg {
 		errs.Go(func() error {
 			if err := cfg.Init(state.task.Context()); err != nil {
-				return err.Subject(cfg.URL)
+				return gperr.PrependSubject(err, cfg.URL)
 			}
 			return nil
 		})
@@ -317,67 +361,50 @@ func (state *state) initProxmox() error {
 	return errs.Wait().Error()
 }
 
-func (state *state) storeProvider(p types.RouteProvider) {
-	state.providers.Store(p.String(), p)
-}
-
 func (state *state) loadRouteProviders() error {
-	providers := &state.Providers
+	providers := state.Providers
 	errs := gperr.NewGroup("route provider errors")
-	results := gperr.NewGroup("loaded route providers")
 
 	agentpool.RemoveAll()
 
-	numProviders := len(providers.Agents) + len(providers.Files) + len(providers.Docker)
-	providersCh := make(chan types.RouteProvider, numProviders)
-
-	// start providers concurrently
-	var providersConsumer sync.WaitGroup
-	providersConsumer.Go(func() {
-		for p := range providersCh {
-			if actual, loaded := state.providers.LoadOrStore(p.String(), p); loaded {
-				errs.Add(gperr.Errorf("provider %s already exists, first: %s, second: %s", p.String(), actual.GetType(), p.GetType()))
-				continue
-			}
-			state.storeProvider(p)
+	registerProvider := func(p types.RouteProvider) {
+		if actual, loaded := state.providers.LoadOrStore(p.String(), p); loaded {
+			errs.Addf("provider %s already exists, first: %s, second: %s", p.String(), actual.GetType(), p.GetType())
 		}
-	})
+	}
 
-	var providersProducer sync.WaitGroup
+	agentErrs := gperr.NewGroup("agent init errors")
 	for _, a := range providers.Agents {
-		providersProducer.Go(func() {
+		agentErrs.Go(func() error {
 			if err := a.Init(state.task.Context()); err != nil {
-				errs.Add(gperr.PrependSubject(a.String(), err))
-				return
+				return gperr.PrependSubject(err, a.String())
 			}
 			agentpool.Add(a)
-			p := route.NewAgentProvider(a)
-			providersCh <- p
+			return nil
 		})
 	}
 
+	if err := agentErrs.Wait().Error(); err != nil {
+		errs.Add(err)
+	}
+
+	for _, a := range providers.Agents {
+		registerProvider(route.NewAgentProvider(a))
+	}
+
 	for _, filename := range providers.Files {
-		providersProducer.Go(func() {
-			p, err := route.NewFileProvider(filename)
-			if err != nil {
-				errs.Add(gperr.PrependSubject(filename, err))
-			} else {
-				providersCh <- p
-			}
-		})
+		p, err := route.NewFileProvider(filename)
+		if err != nil {
+			errs.Add(gperr.PrependSubject(err, filename))
+			return err
+		}
+		registerProvider(p)
 	}
 
 	for name, dockerCfg := range providers.Docker {
-		providersProducer.Go(func() {
-			providersCh <- route.NewDockerProvider(name, dockerCfg)
-		})
+		registerProvider(route.NewDockerProvider(name, dockerCfg))
 	}
 
-	providersProducer.Wait()
-
-	close(providersCh)
-	providersConsumer.Wait()
-
 	lenLongestName := 0
 	for k := range state.providers.Range {
 		if len(k) > lenLongestName {
@@ -386,18 +413,26 @@ func (state *state) loadRouteProviders() error {
 	}
 
 	// load routes concurrently
-	var providersLoader sync.WaitGroup
+	loadErrs := gperr.NewGroup("route load errors")
+
+	results := gperr.NewBuilder("loaded route providers")
+	resultsMu := sync.Mutex{}
 	for _, p := range state.providers.Range {
-		providersLoader.Go(func() {
+		loadErrs.Go(func() error {
 			if err := p.LoadRoutes(); err != nil {
-				errs.Add(err.Subject(p.String()))
+				return gperr.PrependSubject(err, p.String())
 			}
+			resultsMu.Lock()
 			results.Addf("%-"+strconv.Itoa(lenLongestName)+"s %d routes", p.String(), p.NumRoutes())
+			resultsMu.Unlock()
+			return nil
 		})
 	}
-	providersLoader.Wait()
+	if err := loadErrs.Wait().Error(); err != nil {
+		errs.Add(err)
+	}
 
-	state.tmpLog.Info().Msg(results.Wait().String())
+	state.tmpLog.Info().Msg(results.String())
 	state.printRoutesByProvider(lenLongestName)
 	state.printState()
 	return errs.Wait().Error()

internal/config/types/config.go

@@ -4,17 +4,17 @@ import (
 	"regexp"
 
 	"github.com/go-playground/validator/v10"
+	"github.com/goccy/go-yaml"
 	"github.com/yusing/godoxy/agent/pkg/agent"
 	"github.com/yusing/godoxy/internal/acl"
 	"github.com/yusing/godoxy/internal/autocert"
-	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	"github.com/yusing/godoxy/internal/entrypoint"
 	homepage "github.com/yusing/godoxy/internal/homepage/types"
 	maxmind "github.com/yusing/godoxy/internal/maxmind/types"
 	"github.com/yusing/godoxy/internal/notif"
 	"github.com/yusing/godoxy/internal/proxmox"
 	"github.com/yusing/godoxy/internal/serialization"
 	"github.com/yusing/godoxy/internal/types"
-	gperr "github.com/yusing/goutils/errs"
 )
 
 type (
@@ -41,9 +41,9 @@ type (
 	}
 )
 
-func Validate(data []byte) gperr.Error {
+func Validate(data []byte) error {
 	var model Config
-	return serialization.UnmarshalValidateYAML(data, &model)
+	return serialization.UnmarshalValidate(data, &model, yaml.Unmarshal)
 }
 
 func DefaultConfig() Config {

internal/config/types/state.go

@@ -6,6 +6,7 @@ import (
 	"iter"
 	"net/http"
 
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/goutils/server"
 	"github.com/yusing/goutils/synk"
@@ -21,7 +22,7 @@ type State interface {
 
 	Value() *Config
 
-	EntrypointHandler() http.Handler
+	Entrypoint() entrypoint.Entrypoint
 	ShortLinkMatcher() ShortLinkMatcher
 	AutoCertProvider() server.CertProvider
 
@@ -32,6 +33,9 @@ type State interface {
 	StartProviders() error
 
 	FlushTmpLog()
+
+	StartAPIServers()
+	StartMetrics()
 }
 
 type ShortLinkMatcher interface {

internal/dnsproviders/go.mod

@@ -1,12 +1,12 @@
 module github.com/yusing/godoxy/internal/dnsproviders
 
-go 1.25.6
+go 1.25.7
 
 replace github.com/yusing/godoxy => ../..
 
 require (
 	github.com/go-acme/lego/v4 v4.31.0
-	github.com/yusing/godoxy v0.25.0
+	github.com/yusing/godoxy v0.25.3
 )
 
 require (
@@ -32,7 +32,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -44,12 +44,12 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/gofrs/flock v0.13.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
-	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/gotify/server/v2 v2.8.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
@@ -57,7 +57,7 @@ require (
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.64.0 // indirect
+	github.com/linode/linodego v1.65.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/maxatome/go-testdeep v1.14.0 // indirect
@@ -65,8 +65,8 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.1 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.1 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
@@ -79,15 +79,15 @@ require (
 	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/vultr/govultr/v3 v3.26.1 // indirect
+	github.com/vultr/govultr/v3 v3.27.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
-	github.com/yusing/gointernals v0.1.16 // indirect
+	github.com/yusing/gointernals v0.1.18 // indirect
 	github.com/yusing/goutils v0.7.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
-	go.opentelemetry.io/otel v1.39.0 // indirect
-	go.opentelemetry.io/otel/metric v1.39.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
 	golang.org/x/arch v0.23.0 // indirect
 	golang.org/x/crypto v0.47.0 // indirect
@@ -98,8 +98,8 @@ require (
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
-	google.golang.org/api v0.262.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d // indirect
+	google.golang.org/api v0.265.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect

internal/dnsproviders/go.sum

@@ -60,8 +60,8 @@ github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/go-acme/lego/v4 v4.31.0 h1:gd4oUYdfs83PR1/SflkNdit9xY1iul2I4EystnU8NXM=
 github.com/go-acme/lego/v4 v4.31.0/go.mod h1:m6zcfX/zcbMYDa8s6AnCMnoORWNP8Epnei+6NBCTUGs=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
@@ -90,8 +90,8 @@ github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
 github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -105,8 +105,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
 github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
-github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y=
-github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14=
+github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
+github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
 github.com/gotify/server/v2 v2.8.0 h1:E3UDDn/3rFZi1sjZfbuhXNnxJP3ACZhdcw/iySegPRA=
 github.com/gotify/server/v2 v2.8.0/go.mod h1:6ci5adxcE2hf1v+2oowKiQmixOxXV8vU+CRLKP6sqZA=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
@@ -131,8 +131,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/linode/linodego v1.64.0 h1:If6pULIwHuQytgogtpQaBdVLX7z2TTHUF5u1tj2TPiY=
-github.com/linode/linodego v1.64.0/go.mod h1:GoiwLVuLdBQcAebxAVKVL3mMYUgJZR/puOUSla04xBE=
+github.com/linode/linodego v1.65.0 h1:SdsuGD8VSsPWeShXpE7ihl5vec+fD3MgwhnfYC/rj7k=
+github.com/linode/linodego v1.65.0/go.mod h1:tOFiTErdjkbVnV+4S0+NmIE9dqqZUEM2HsJaGu8wMh8=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -150,10 +150,10 @@ github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0
 github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
 github.com/nrdcg/goinwx v0.12.0 h1:ujdUqDBnaRSFwzVnImvPHYw3w3m9XgmGImNUw1GyMb4=
 github.com/nrdcg/goinwx v0.12.0/go.mod h1:IrVKd3ZDbFiMjdPgML4CSxZAY9wOoqLvH44zv3NodJ0=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.1 h1:+fx2mbWeR8XX/vidwpRMepJMtRIYQP44Iezm2oeObVM=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.1/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.1 h1:GDhBiaIAm/QXLzHJ0ASDdY/6R/9w60+gk8lY5rgfxEQ=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.1/go.mod h1:EHScJdbM0gg5Is7e3C0ceRYAFMMsfP4Vf8sBRoxoTgk=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.0 h1:SgXDi/vitC+FA9jPl7T7i0d7kiC1JMFuS2FTlpg3B7o=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.0 h1:rOYbG56bYaW+skuCvzZyFoTPPXXUIOPhuQkilf6tkqo=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.0/go.mod h1:LTEIH1X6CBKyDtOT7CTTTgvvb2ANtGS7vLkEGt5zdog=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/ovh/go-ovh v1.9.0 h1:6K8VoL3BYjVV3In9tPJUdT7qMx9h0GExN9EXx1r2kKE=
@@ -193,30 +193,30 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/vultr/govultr/v3 v3.26.1 h1:G/M0rMQKwVSmL+gb0UgETbW5mcQi0Vf/o/ZSGdBCxJw=
-github.com/vultr/govultr/v3 v3.26.1/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
+github.com/vultr/govultr/v3 v3.27.0 h1:J8etMyu/Jh5+idMsu2YZpOWmDXXHeW4VZnkYXmJYHx8=
+github.com/vultr/govultr/v3 v3.27.0/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
-github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
-github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
+github.com/yusing/gointernals v0.1.18 h1:ou8/0tPURUgAOBJu3TN/iWF4S/5ZYQaap+rVkaJNUMw=
+github.com/yusing/gointernals v0.1.18/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
 github.com/yusing/goutils v0.7.0 h1:I5hd8GwZ+3WZqFPK0tWqek1Q5MY6Xg29hKZcwwQi4SY=
 github.com/yusing/goutils v0.7.0/go.mod h1:CtF/KFH4q8jkr7cvBpkaExnudE0lLu8sLe43F73Bn5Q=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
@@ -249,14 +249,14 @@ golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
 golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.262.0 h1:4B+3u8He2GwyN8St3Jhnd3XRHlIvc//sBmgHSp78oNY=
-google.golang.org/api v0.262.0/go.mod h1:jNwmH8BgUBJ/VrUG6/lIl9YiildyLd09r9ZLHiQ6cGI=
-google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934=
-google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d h1:xXzuihhT3gL/ntduUZwHECzAn57E8dA6l8SOtYWdD8Q=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260122232226-8e98ce8d340d/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/api v0.265.0 h1:FZvfUdI8nfmuNrE34aOWFPmLC+qRBEiNm3JdivTvAAU=
+google.golang.org/api v0.265.0/go.mod h1:uAvfEl3SLUj/7n6k+lJutcswVojHPp2Sp08jWCu8hLY=
+google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
+google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
+google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
+google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

internal/docker/client.go

@@ -152,7 +152,7 @@ func NewClient(cfg types.DockerProviderConfig, unique ...bool) (*SharedClient, e
 	if agent.IsDockerHostAgent(host) {
 		a, ok := agentpool.Get(host)
 		if !ok {
-			panic(fmt.Errorf("agent %q not found", host))
+			return nil, fmt.Errorf("agent %q not found", host)
 		}
 		opt = []client.Opt{
 			client.WithHost(agent.DockerHost),

internal/docker/label.go

@@ -1,6 +1,7 @@
 package docker
 
 import (
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
@@ -11,7 +12,7 @@ import (
 	strutils "github.com/yusing/goutils/strings"
 )
 
-var ErrInvalidLabel = gperr.New("invalid label")
+var ErrInvalidLabel = errors.New("invalid label")
 
 const nsProxyDot = NSProxy + "."
 
@@ -23,7 +24,7 @@ var refPrefixes = func() []string {
 	return prefixes
 }()
 
-func ParseLabels(labels map[string]string, aliases ...string) (types.LabelMap, gperr.Error) {
+func ParseLabels(labels map[string]string, aliases ...string) (types.LabelMap, error) {
 	nestedMap := make(types.LabelMap)
 	errs := gperr.NewBuilder("labels error")
 
@@ -35,7 +36,7 @@ func ParseLabels(labels map[string]string, aliases ...string) (types.LabelMap, g
 			continue
 		}
 		if len(parts) == 1 {
-			errs.Add(ErrInvalidLabel.Subject(lbl))
+			errs.AddSubject(ErrInvalidLabel, lbl)
 			continue
 		}
 		parts = parts[1:]

internal/entrypoint/README.md

@@ -1,10 +1,10 @@
 # Entrypoint
 
-The entrypoint package provides the main HTTP entry point for GoDoxy, handling domain-based routing, middleware application, short link matching, and access logging.
+The entrypoint package provides the main HTTP entry point for GoDoxy, handling domain-based routing, middleware application, short link matching, access logging, and HTTP server lifecycle management.
 
 ## Overview
 
-The entrypoint package implements the primary HTTP handler that receives all incoming requests, determines the target route based on hostname, applies middleware, and forwards requests to the appropriate route handler.
+The entrypoint package implements the primary HTTP handler that receives all incoming requests, manages the lifecycle of HTTP servers, determines the target route based on hostname, applies middleware, and forwards requests to the appropriate route handler.
 
 ### Key Features
 
@@ -14,103 +14,350 @@ The entrypoint package implements the primary HTTP handler that receives all inc
 - Access logging for all requests
 - Configurable not-found handling
 - Per-domain route resolution
+- HTTP server management (HTTP/HTTPS)
+- Route pool abstractions via [`PoolLike`](internal/entrypoint/types/entrypoint.go:27) and [`RWPoolLike`](internal/entrypoint/types/entrypoint.go:33) interfaces
 
-## Architecture
+### Primary Consumers
 
-```mermaid
-graph TD
-    A[HTTP Request] --> B[Entrypoint Handler]
-    B --> C{Access Logger?}
-    C -->|Yes| D[Wrap Response Recorder]
-    C -->|No| E[Skip Logging]
+- **HTTP servers**: Per-listen-addr servers dispatch requests to routes
+- **Route providers**: Register routes via [`StartAddRoute`](internal/entrypoint/routes.go:48)
+- **Configuration layer**: Validates and applies middleware/access-logging config
 
-    D --> F[Find Route by Host]
-    E --> F
+### Non-goals
 
-    F --> G{Route Found?}
-    G -->|Yes| H{Middleware?}
-    G -->|No| I{Short Link?}
-    I -->|Yes| J[Short Link Handler]
-    I -->|No| K{Not Found Handler?}
-    K -->|Yes| L[Not Found Handler]
-    K -->|No| M[Serve 404]
+- Does not implement route discovery (delegates to providers)
+- Does not handle TLS certificate management (delegates to autocert)
+- Does not implement health checks (delegates to `internal/health/monitor`)
+- Does not manage TCP/UDP listeners directly (only HTTP/HTTPS via `goutils/server`)
 
-    H -->|Yes| N[Apply Middleware]
-    H -->|No| O[Direct Route]
-    N --> O
+### Stability
 
-    O --> P[Route ServeHTTP]
-    P --> Q[Response]
-
-    L --> R[404 Response]
-    J --> Q
-    M --> R
-```
-
-## Core Components
-
-### Entrypoint Structure
-
-```go
-type Entrypoint struct {
-    middleware      *middleware.Middleware
-    notFoundHandler http.Handler
-    accessLogger    accesslog.AccessLogger
-    findRouteFunc   func(host string) types.HTTPRoute
-    shortLinkTree   *ShortLinkMatcher
-}
-```
-
-### Active Config
-
-```go
-var ActiveConfig atomic.Pointer[entrypoint.Config]
-```
+Internal package with stable core interfaces. The [`Entrypoint`](internal/entrypoint/types/entrypoint.go:7) interface is the public contract.
 
 ## Public API
 
-### Creation
+### Entrypoint Interface
 
 ```go
-// NewEntrypoint creates a new entrypoint instance.
-func NewEntrypoint() Entrypoint
+type Entrypoint interface {
+    // Server capabilities
+    SupportProxyProtocol() bool
+    DisablePoolsLog(v bool)
+
+    // Route registry access
+    GetRoute(alias string) (types.Route, bool)
+    StartAddRoute(r types.Route) error
+    IterRoutes(yield func(r types.Route) bool)
+    NumRoutes() int
+    RoutesByProvider() map[string][]types.Route
+
+    // Route pool accessors
+    HTTPRoutes() PoolLike[types.HTTPRoute]
+    StreamRoutes() PoolLike[types.StreamRoute]
+    ExcludedRoutes() RWPoolLike[types.Route]
+
+    // Health info queries
+    GetHealthInfo() map[string]types.HealthInfo
+    GetHealthInfoWithoutDetail() map[string]types.HealthInfoWithoutDetail
+    GetHealthInfoSimple() map[string]types.HealthStatus
+
+    // Configuration
+    SetFindRouteDomains(domains []string)
+    SetMiddlewares(mws []map[string]any) error
+    SetNotFoundRules(rules rules.Rules)
+    SetAccessLogger(parent task.Parent, cfg *accesslog.RequestLoggerConfig) error
+
+    // Context integration
+    ShortLinkMatcher() *ShortLinkMatcher
+}
+```
+
+### Pool Interfaces
+
+```go
+type PoolLike[Route types.Route] interface {
+    Get(alias string) (Route, bool)
+    Iter(yield func(alias string, r Route) bool)
+    Size() int
+}
+
+type RWPoolLike[Route types.Route] interface {
+    PoolLike[Route]
+    Add(r Route)
+    Del(r Route)
+}
 ```
 
 ### Configuration
 
 ```go
-// SetFindRouteDomains configures domain-based route lookup.
-func (ep *Entrypoint) SetFindRouteDomains(domains []string)
-
-// SetMiddlewares loads and configures middleware chain.
-func (ep *Entrypoint) SetMiddlewares(mws []map[string]any) error
-
-// SetNotFoundRules configures the not-found handler.
-func (ep *Entrypoint) SetNotFoundRules(rules rules.Rules)
-
-// SetAccessLogger initializes access logging.
-func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.RequestLoggerConfig) error
-
-// ShortLinkMatcher returns the short link matcher.
-func (ep *Entrypoint) ShortLinkMatcher() *ShortLinkMatcher
+type Config struct {
+    SupportProxyProtocol bool                     `json:"support_proxy_protocol"`
+    Rules                struct {
+        NotFound rules.Rules                     `json:"not_found"`
+    }                                               `json:"rules"`
+    Middlewares          []map[string]any          `json:"middlewares"`
+    AccessLog            *accesslog.RequestLoggerConfig `json:"access_log" validate:"omitempty"`
+}
 ```
 
-### Request Handling
+### Context Functions
 
 ```go
-// ServeHTTP is the main HTTP handler.
-func (ep *Entrypoint) ServeHTTP(w http.ResponseWriter, r *http.Request)
-
-// FindRoute looks up a route by hostname.
-func (ep *Entrypoint) FindRoute(s string) types.HTTPRoute
+func SetCtx(ctx interface{ SetValue(any, any) }, ep Entrypoint)
+func FromCtx(ctx context.Context) Entrypoint
 ```
 
-## Usage
+## Architecture
+
+### Core Components
+
+```mermaid
+classDiagram
+    class Entrypoint {
+        +task *task.new_task
+        +cfg *Config
+        +middleware *middleware.Middleware
+        +notFoundHandler http.Handler
+        +accessLogger AccessLogger
+        +findRouteFunc findRouteFunc
+        +shortLinkMatcher *ShortLinkMatcher
+        +streamRoutes *pool.Pool[types.StreamRoute]
+        +excludedRoutes *pool.Pool[types.Route]
+        +servers *xsync.Map[string, *httpServer]
+        +SupportProxyProtocol() bool
+        +StartAddRoute(r) error
+        +IterRoutes(yield)
+        +HTTPRoutes() PoolLike
+    }
+
+    class httpServer {
+        +routes *pool.Pool[types.HTTPRoute]
+        +ServeHTTP(w, r)
+        +AddRoute(route)
+        +DelRoute(route)
+        +FindRoute(s) types.HTTPRoute
+    }
+
+    class PoolLike {
+        <<interface>>
+        +Get(alias) (Route, bool)
+        +Iter(yield) bool
+        +Size() int
+    }
+
+    class RWPoolLike {
+        <<interface>>
+        +PoolLike
+        +Add(r Route)
+        +Del(r Route)
+    }
+
+    class ShortLinkMatcher {
+        +fqdnRoutes *xsync.Map[string, string]
+        +subdomainRoutes *xsync.Map[string, struct{}]
+        +ServeHTTP(w, r)
+        +AddRoute(alias)
+        +DelRoute(alias)
+        +SetDefaultDomainSuffix(suffix)
+    }
+
+    Entrypoint --> httpServer : manages
+    Entrypoint --> ShortLinkMatcher : owns
+    Entrypoint --> PoolLike : HTTPRoutes()
+    Entrypoint --> RWPoolLike : ExcludedRoutes()
+    httpServer --> PoolLike : routes pool
+```
+
+### Request Processing Pipeline
+
+```mermaid
+flowchart TD
+    A[HTTP Request] --> B[Find Route by Host]
+    B --> C{Route Found?}
+    C -->|Yes| D{Middleware?}
+    C -->|No| E{Short Link?}
+    E -->|Yes| F[Short Link Handler]
+    E -->|No| G{Not Found Handler?}
+    G -->|Yes| H[Not Found Handler]
+    G -->|No| I[Serve 404]
+
+    D -->|Yes| J[Apply Middleware Chain]
+    D -->|No| K[Direct Route Handler]
+    J --> K
+
+    K --> L[Route ServeHTTP]
+    L --> M[Response]
+
+    F --> M
+    H --> N[404 Response]
+    I --> N
+```
+
+### Server Lifecycle
+
+```mermaid
+stateDiagram-v2
+    [*] --> Empty: NewEntrypoint()
+
+    Empty --> Listening: StartAddRoute()
+    Listening --> Listening: StartAddRoute()
+    Listening --> Listening: delHTTPRoute()
+    Listening --> [*]: Cancel()
+
+    Listening --> AddingServer: addHTTPRoute()
+    AddingServer --> Listening: Server starts
+
+    note right of Listening
+        servers map: addr -> httpServer
+        For HTTPS, routes are added to ProxyHTTPSAddr
+        Default routes added to both HTTP and HTTPS
+    end note
+```
+
+## Data Flow
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant httpServer
+    participant Entrypoint
+    participant Middleware
+    participant Route
+
+    Client->>httpServer: GET /path
+    httpServer->>Entrypoint: FindRoute(host)
+
+    alt Route Found
+        Entrypoint-->>httpServer: HTTPRoute
+        httpServer->>Middleware: ServeHTTP(routeHandler)
+        alt Has Middleware
+            Middleware->>Middleware: Process Chain
+        end
+        Middleware->>Route: Forward Request
+        Route-->>Middleware: Response
+        Middleware-->>httpServer: Response
+    else Short Link (go.example.com/alias)
+        httpServer->>ShortLinkMatcher: Match short code
+        ShortLinkMatcher-->>httpServer: Redirect
+    else Not Found
+        httpServer->>NotFoundHandler: Serve 404
+        NotFoundHandler-->>httpServer: 404 Page
+    end
+
+    httpServer-->>Client: Response
+```
+
+## Route Registry
+
+Routes are managed per-entrypoint:
+
+```go
+// Adding a route (main entry point for providers)
+if err := ep.StartAddRoute(route); err != nil {
+    return err
+}
+
+// Iterating all routes including excluded
+ep.IterRoutes(func(r types.Route) bool {
+    log.Info().Str("alias", r.Name()).Msg("route")
+    return true // continue iteration
+})
+
+// Querying by alias
+route, ok := ep.GetRoute("myapp")
+
+// Grouping by provider
+byProvider := ep.RoutesByProvider()
+```
+
+## Configuration Surface
+
+### Config Source
+
+Environment variables and YAML config file:
+
+```yaml
+entrypoint:
+  support_proxy_protocol: true
+  middlewares:
+    - rate_limit:
+        requests_per_second: 100
+  rules:
+    not_found:
+      # not-found rules configuration
+  access_log:
+    path: /var/log/godoxy/access.log
+```
+
+### Environment Variables
+
+| Variable                       | Description                   |
+| ------------------------------ | ----------------------------- |
+| `PROXY_SUPPORT_PROXY_PROTOCOL` | Enable PROXY protocol support |
+
+## Dependency and Integration Map
+
+| Dependency                         | Purpose                     |
+| ---------------------------------- | --------------------------- |
+| `internal/route`                   | Route types and handlers    |
+| `internal/route/rules`             | Not-found rules processing  |
+| `internal/logging/accesslog`       | Request logging             |
+| `internal/net/gphttp/middleware`   | Middleware chain            |
+| `internal/types`                   | Route and health types      |
+| `github.com/puzpuzpuz/xsync/v4`    | Concurrent server map       |
+| `github.com/yusing/goutils/pool`   | Route pool implementations  |
+| `github.com/yusing/goutils/task`   | Lifecycle management        |
+| `github.com/yusing/goutils/server` | HTTP/HTTPS server lifecycle |
+
+## Observability
+
+### Logs
+
+| Level   | Context               | Description             |
+| ------- | --------------------- | ----------------------- |
+| `DEBUG` | `route`, `listen_url` | Route addition/removal  |
+| `DEBUG` | `addr`, `proto`       | Server lifecycle        |
+| `ERROR` | `route`, `listen_url` | Server startup failures |
+
+### Metrics
+
+Route metrics exposed via [`GetHealthInfo`](internal/entrypoint/query.go:10) methods:
+
+```go
+// Health info for all routes
+healthMap := ep.GetHealthInfo()
+// {
+//   "myapp": {Status: "healthy", Uptime: 3600, Latency: 5ms},
+//   "excluded-route": {Status: "unknown", Detail: "n/a"},
+// }
+```
+
+## Security Considerations
+
+- Route lookup is read-only from route pools
+- Middleware chain is applied per-request
+- Proxy protocol support must be explicitly enabled
+- Access logger captures request metadata before processing
+- Short link matching is limited to configured domains
+
+## Failure Modes and Recovery
+
+| Failure               | Behavior                        | Recovery                     |
+| --------------------- | ------------------------------- | ---------------------------- |
+| Server bind fails     | Error returned, route not added | Fix port/address conflict    |
+| Route start fails     | Route excluded, error logged    | Fix route configuration      |
+| Middleware load fails | SetMiddlewares returns error    | Fix middleware configuration |
+| Context cancelled     | All servers stopped gracefully  | Restart entrypoint           |
+
+## Usage Examples
 
 ### Basic Setup
 
 ```go
-ep := entrypoint.NewEntrypoint()
+ep := entrypoint.NewEntrypoint(parent, &entrypoint.Config{
+    SupportProxyProtocol: false,
+})
 
 // Configure domain matching
 ep.SetFindRouteDomains([]string{".example.com", "example.com"})
@@ -120,7 +367,7 @@ err := ep.SetMiddlewares([]map[string]any{
     {"rate_limit": map[string]any{"requests_per_second": 100}},
 })
 if err != nil {
-    log.Fatal(err)
+    return err
 }
 
 // Configure access logging
@@ -128,181 +375,58 @@ err = ep.SetAccessLogger(parent, &accesslog.RequestLoggerConfig{
     Path: "/var/log/godoxy/access.log",
 })
 if err != nil {
-    log.Fatal(err)
+    return err
 }
-
-// Start server
-http.ListenAndServe(":80", &ep)
 ```
 
-### Route Lookup Logic
-
-The entrypoint uses multiple strategies to find routes:
-
-1. **Subdomain Matching**: For `sub.domain.com`, looks for `sub`
-1. **Exact Match**: Looks for the full hostname
-1. **Port Stripping**: Strips port from host if present
+### Route Querying
 
 ```go
-func findRouteAnyDomain(host string) types.HTTPRoute {
-    // Try subdomain (everything before first dot)
-    idx := strings.IndexByte(host, '.')
-    if idx != -1 {
-        target := host[:idx]
-        if r, ok := routes.HTTP.Get(target); ok {
-            return r
-        }
-    }
+// Iterate all routes including excluded
+ep.IterRoutes(func(r types.Route) bool {
+    log.Info().
+        Str("alias", r.Name()).
+        Str("provider", r.ProviderName()).
+        Bool("excluded", r.ShouldExclude()).
+        Msg("route")
+    return true // continue iteration
+})
 
-    // Try exact match
-    if r, ok := routes.HTTP.Get(host); ok {
-        return r
-    }
-
-    // Try stripping port
-    if before, _, ok := strings.Cut(host, ":"); ok {
-        if r, ok := routes.HTTP.Get(before); ok {
-            return r
-        }
-    }
-
-    return nil
+// Get health info for all routes
+healthMap := ep.GetHealthInfoSimple()
+for alias, status := range healthMap {
+    log.Info().Str("alias", alias).Str("status", string(status)).Msg("health")
 }
 ```
 
-### Short Links
+### Route Addition
 
-Short links use a special `.short` domain:
+Routes are typically added by providers via `StartAddRoute`:
 
 ```go
-// Request to: https://abc.short.example.com
-// Looks for route with alias "abc"
-if strings.EqualFold(host, common.ShortLinkPrefix) {
-    // Handle short link
-    ep.shortLinkTree.ServeHTTP(w, r)
+// StartAddRoute handles route registration and server creation
+if err := ep.StartAddRoute(route); err != nil {
+    return err
 }
 ```
 
-## Data Flow
+### Context Integration
 
-```mermaid
-sequenceDiagram
-    participant Client
-    participant Entrypoint
-    participant Middleware
-    participant Route
-    participant Logger
-
-    Client->>Entrypoint: GET /path
-    Entrypoint->>Entrypoint: FindRoute(host)
-    alt Route Found
-        Entrypoint->>Logger: Get ResponseRecorder
-        Logger-->>Entrypoint: Recorder
-        Entrypoint->>Middleware: ServeHTTP(routeHandler)
-        alt Has Middleware
-            Middleware->>Middleware: Process Chain
-        end
-        Middleware->>Route: Forward Request
-        Route-->>Middleware: Response
-        Middleware-->>Entrypoint: Response
-    else Short Link
-        Entrypoint->>ShortLinkTree: Match short code
-        ShortLinkTree-->>Entrypoint: Redirect
-    else Not Found
-        Entrypoint->>NotFoundHandler: Serve 404
-        NotFoundHandler-->>Entrypoint: 404 Page
-    end
-
-    Entrypoint->>Logger: Log Request
-    Logger-->>Entrypoint: Complete
-    Entrypoint-->>Client: Response
-```
-
-## Not-Found Handling
-
-When no route is found, the entrypoint:
-
-1. Attempts to serve a static error page file
-1. Logs the 404 request
-1. Falls back to the configured error page
-1. Returns 404 status code
+Routes can access the entrypoint from request context:
 
 ```go
-func (ep *Entrypoint) serveNotFound(w http.ResponseWriter, r *http.Request) {
-    if served := middleware.ServeStaticErrorPageFile(w, r); !served {
-        log.Error().
-            Str("method", r.Method).
-            Str("url", r.URL.String()).
-            Str("remote", r.RemoteAddr).
-            Msgf("not found: %s", r.Host)
+// Set entrypoint in context (typically during initialization)
+entrypoint.SetCtx(task, ep)
 
-        errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
-        if ok {
-            w.WriteHeader(http.StatusNotFound)
-            w.Header().Set("Content-Type", "text/html; charset=utf-8")
-            w.Write(errorPage)
-        } else {
-            http.NotFound(w, r)
-        }
-    }
+// Get entrypoint from context
+if ep := entrypoint.FromCtx(r.Context()); ep != nil {
+    route, ok := ep.GetRoute("alias")
 }
 ```
 
-## Configuration Structure
+## Testing Notes
 
-```go
-type Config struct {
-    Middlewares []map[string]any `json:"middlewares"`
-    Rules       rules.Rules      `json:"rules"`
-    AccessLog   *accesslog.RequestLoggerConfig `json:"access_log"`
-}
-```
-
-## Middleware Integration
-
-The entrypoint supports middleware chains configured via YAML:
-
-```yaml
-entrypoint:
-  middlewares:
-    - use: rate_limit
-      average: 100
-      burst: 200
-      bypass:
-        - remote 192.168.1.0/24
-    - use: redirect_http
-```
-
-## Access Logging
-
-Access logging wraps the response recorder to capture:
-
-- Request method and URL
-- Response status code
-- Response size
-- Request duration
-- Client IP address
-
-```go
-func (ep *Entrypoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-    if ep.accessLogger != nil {
-        rec := accesslog.GetResponseRecorder(w)
-        w = rec
-        defer func() {
-            ep.accessLogger.Log(r, rec.Response())
-            accesslog.PutResponseRecorder(rec)
-        }()
-    }
-    // ... handle request
-}
-```
-
-## Integration Points
-
-The entrypoint integrates with:
-
-- **Route Registry**: HTTP route lookup
-- **Middleware**: Request processing chain
-- **AccessLog**: Request logging
-- **ErrorPage**: 404 error pages
-- **ShortLink**: Short link handling
+- Benchmark tests in [`entrypoint_benchmark_test.go`](internal/entrypoint/entrypoint_benchmark_test.go)
+- Integration tests in [`entrypoint_test.go`](internal/entrypoint/entrypoint_test.go)
+- Mock route pools for unit testing
+- Short link tests in [`shortlink_test.go`](internal/entrypoint/shortlink_test.go)

internal/entrypoint/entrypoint.go

@@ -4,44 +4,112 @@ import (
 	"net/http"
 	"strings"
 	"sync/atomic"
+	"testing"
 
+	"github.com/puzpuzpuz/xsync/v4"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/godoxy/internal/common"
 	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/logging/accesslog"
 	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
-	"github.com/yusing/godoxy/internal/net/gphttp/middleware/errorpage"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/route/rules"
 	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/pool"
 	"github.com/yusing/goutils/task"
 )
 
+type HTTPRoutes interface {
+	Get(alias string) (types.HTTPRoute, bool)
+}
+
+type findRouteFunc func(HTTPRoutes, string) types.HTTPRoute
+
 type Entrypoint struct {
-	middleware      *middleware.Middleware
-	notFoundHandler http.Handler
-	accessLogger    accesslog.AccessLogger
-	findRouteFunc   func(host string) types.HTTPRoute
-	shortLinkTree   *ShortLinkMatcher
+	task *task.Task
+
+	cfg *Config
+
+	middleware       *middleware.Middleware
+	notFoundHandler  http.Handler
+	accessLogger     accesslog.AccessLogger
+	findRouteFunc    findRouteFunc
+	shortLinkMatcher *ShortLinkMatcher
+
+	streamRoutes   *pool.Pool[types.StreamRoute]
+	excludedRoutes *pool.Pool[types.Route]
+
+	// this only affects future http servers creation
+	httpPoolDisableLog atomic.Bool
+
+	servers *xsync.Map[string, *httpServer] // listen addr -> server
 }
 
-// nil-safe
-var ActiveConfig atomic.Pointer[entrypoint.Config]
+var _ entrypoint.Entrypoint = &Entrypoint{}
 
-func init() {
-	// make sure it's not nil
-	ActiveConfig.Store(&entrypoint.Config{})
+var emptyCfg Config
+
+func NewTestEntrypoint(t testing.TB, cfg *Config) *Entrypoint {
+	t.Helper()
+
+	testTask := task.GetTestTask(t)
+	ep := NewEntrypoint(testTask, cfg)
+	entrypoint.SetCtx(testTask, ep)
+	return ep
 }
 
-func NewEntrypoint() Entrypoint {
-	return Entrypoint{
-		findRouteFunc: findRouteAnyDomain,
-		shortLinkTree: newShortLinkTree(),
+func NewEntrypoint(parent task.Parent, cfg *Config) *Entrypoint {
+	if cfg == nil {
+		cfg = &emptyCfg
 	}
+
+	ep := &Entrypoint{
+		task:             parent.Subtask("entrypoint", false),
+		cfg:              cfg,
+		findRouteFunc:    findRouteAnyDomain,
+		shortLinkMatcher: newShortLinkMatcher(),
+		streamRoutes:     pool.New[types.StreamRoute]("stream_routes"),
+		excludedRoutes:   pool.New[types.Route]("excluded_routes"),
+		servers:          xsync.NewMap[string, *httpServer](),
+	}
+	return ep
+}
+
+func (ep *Entrypoint) Task() *task.Task {
+	return ep.task
+}
+
+func (ep *Entrypoint) SupportProxyProtocol() bool {
+	return ep.cfg.SupportProxyProtocol
+}
+
+func (ep *Entrypoint) DisablePoolsLog(v bool) {
+	ep.httpPoolDisableLog.Store(v)
+	// apply to all running http servers
+	for _, srv := range ep.servers.Range {
+		srv.routes.DisableLog(v)
+	}
+	// apply to other pools
+	ep.streamRoutes.DisableLog(v)
+	ep.excludedRoutes.DisableLog(v)
 }
 
 func (ep *Entrypoint) ShortLinkMatcher() *ShortLinkMatcher {
-	return ep.shortLinkTree
+	return ep.shortLinkMatcher
+}
+
+func (ep *Entrypoint) HTTPRoutes() entrypoint.PoolLike[types.HTTPRoute] {
+	return newHTTPPoolAdapter(ep)
+}
+
+func (ep *Entrypoint) StreamRoutes() entrypoint.PoolLike[types.StreamRoute] {
+	return ep.streamRoutes
+}
+
+func (ep *Entrypoint) ExcludedRoutes() entrypoint.RWPoolLike[types.Route] {
+	return ep.excludedRoutes
+}
+
+func (ep *Entrypoint) GetServer(addr string) (HTTPServer, bool) {
+	return ep.servers.Load(addr)
 }
 
 func (ep *Entrypoint) SetFindRouteDomains(domains []string) {
@@ -74,7 +142,7 @@ func (ep *Entrypoint) SetMiddlewares(mws []map[string]any) error {
 }
 
 func (ep *Entrypoint) SetNotFoundRules(rules rules.Rules) {
-	ep.notFoundHandler = rules.BuildHandler(http.HandlerFunc(ep.serveNotFound))
+	ep.notFoundHandler = rules.BuildHandler(serveNotFound)
 }
 
 func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.RequestLoggerConfig) (err error) {
@@ -91,111 +159,39 @@ func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.Request
 	return err
 }
 
-func (ep *Entrypoint) FindRoute(s string) types.HTTPRoute {
-	return ep.findRouteFunc(s)
-}
-
-func (ep *Entrypoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if ep.accessLogger != nil {
-		rec := accesslog.GetResponseRecorder(w)
-		w = rec
-		defer func() {
-			ep.accessLogger.LogRequest(r, rec.Response())
-			accesslog.PutResponseRecorder(rec)
-		}()
-	}
-
-	route := ep.findRouteFunc(r.Host)
-	switch {
-	case route != nil:
-		r = routes.WithRouteContext(r, route)
-		if ep.middleware != nil {
-			ep.middleware.ServeHTTP(route.ServeHTTP, w, r)
-		} else {
-			route.ServeHTTP(w, r)
-		}
-	case ep.tryHandleShortLink(w, r):
-		return
-	case ep.notFoundHandler != nil:
-		ep.notFoundHandler.ServeHTTP(w, r)
-	default:
-		ep.serveNotFound(w, r)
-	}
-}
-
-func (ep *Entrypoint) tryHandleShortLink(w http.ResponseWriter, r *http.Request) (handled bool) {
-	host := r.Host
-	if before, _, ok := strings.Cut(host, ":"); ok {
-		host = before
-	}
-	if strings.EqualFold(host, common.ShortLinkPrefix) {
-		if ep.middleware != nil {
-			ep.middleware.ServeHTTP(ep.shortLinkTree.ServeHTTP, w, r)
-		} else {
-			ep.shortLinkTree.ServeHTTP(w, r)
-		}
-		return true
-	}
-	return false
-}
-
-func (ep *Entrypoint) serveNotFound(w http.ResponseWriter, r *http.Request) {
-	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
-	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
-	// Then scraper / scanners will know the subdomain is invalid.
-	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
-	if served := middleware.ServeStaticErrorPageFile(w, r); !served {
-		log.Error().
-			Str("method", r.Method).
-			Str("url", r.URL.String()).
-			Str("remote", r.RemoteAddr).
-			Msgf("not found: %s", r.Host)
-		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
-		if ok {
-			w.WriteHeader(http.StatusNotFound)
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			if _, err := w.Write(errorPage); err != nil {
-				log.Err(err).Msg("failed to write error page")
-			}
-		} else {
-			http.NotFound(w, r)
-		}
-	}
-}
-
-func findRouteAnyDomain(host string) types.HTTPRoute {
+func findRouteAnyDomain(routes HTTPRoutes, host string) types.HTTPRoute {
 	idx := strings.IndexByte(host, '.')
 	if idx != -1 {
 		target := host[:idx]
-		if r, ok := routes.HTTP.Get(target); ok {
+		if r, ok := routes.Get(target); ok {
 			return r
 		}
 	}
-	if r, ok := routes.HTTP.Get(host); ok {
+	if r, ok := routes.Get(host); ok {
 		return r
 	}
 	// try striping the trailing :port from the host
 	if before, _, ok := strings.Cut(host, ":"); ok {
-		if r, ok := routes.HTTP.Get(before); ok {
+		if r, ok := routes.Get(before); ok {
 			return r
 		}
 	}
 	return nil
 }
 
-func findRouteByDomains(domains []string) func(host string) types.HTTPRoute {
-	return func(host string) types.HTTPRoute {
+func findRouteByDomains(domains []string) func(routes HTTPRoutes, host string) types.HTTPRoute {
+	return func(routes HTTPRoutes, host string) types.HTTPRoute {
 		host, _, _ = strings.Cut(host, ":") // strip the trailing :port
 		for _, domain := range domains {
 			if target, ok := strings.CutSuffix(host, domain); ok {
-				if r, ok := routes.HTTP.Get(target); ok {
+				if r, ok := routes.Get(target); ok {
 					return r
 				}
 			}
 		}
 
 		// fallback to exact match
-		if r, ok := routes.HTTP.Get(host); ok {
+		if r, ok := routes.Get(host); ok {
 			return r
 		}
 		return nil

internal/entrypoint/entrypoint_benchmark_test.go

@@ -10,9 +10,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/godoxy/internal/common"
 	. "github.com/yusing/godoxy/internal/entrypoint"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 	routeTypes "github.com/yusing/godoxy/internal/route/types"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/goutils/task"
@@ -48,13 +50,15 @@ func (t noopTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 }
 
 func BenchmarkEntrypointReal(b *testing.B) {
-	var ep Entrypoint
+	task := task.GetTestTask(b)
+	ep := NewEntrypoint(task, nil)
 	req := http.Request{
 		Method: "GET",
 		URL:    &url.URL{Path: "/", RawPath: "/"},
 		Host:   "test.domain.tld",
 	}
 	ep.SetFindRouteDomains([]string{})
+	entrypoint.SetCtx(task, ep)
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Length", "1")
@@ -77,48 +81,48 @@ func BenchmarkEntrypointReal(b *testing.B) {
 		b.Fatal(err)
 	}
 
-	r := &route.Route{
+	r, err := route.NewStartedTestRoute(b, &route.Route{
 		Alias:       "test",
 		Scheme:      routeTypes.SchemeHTTP,
 		Host:        host,
 		Port:        route.Port{Proxy: portInt},
 		HealthCheck: types.HealthCheckConfig{Disable: true},
-	}
+	})
 
-	err = r.Validate()
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	err = r.Start(task.RootTask("test", false))
-	if err != nil {
-		b.Fatal(err)
-	}
+	require.NoError(b, err)
+	require.False(b, r.ShouldExclude())
 
 	var w noopResponseWriter
 
+	server, ok := ep.GetServer(common.ProxyHTTPAddr)
+	if !ok {
+		b.Fatal("server not found")
+	}
+
 	b.ResetTimer()
 	for b.Loop() {
-		ep.ServeHTTP(&w, &req)
-		// if w.statusCode != http.StatusOK {
-		// 	b.Fatalf("status code is not 200: %d", w.statusCode)
-		// }
-		// if string(w.written) != "1" {
-		// 	b.Fatalf("written is not 1: %s", string(w.written))
-		// }
+		server.ServeHTTP(&w, &req)
+		if w.statusCode != http.StatusOK {
+			b.Fatalf("status code is not 200: %d", w.statusCode)
+		}
+		if string(w.written) != "1" {
+			b.Fatalf("written is not 1: %s", string(w.written))
+		}
 	}
 }
 
 func BenchmarkEntrypoint(b *testing.B) {
-	var ep Entrypoint
+	task := task.GetTestTask(b)
+	ep := NewEntrypoint(task, nil)
 	req := http.Request{
 		Method: "GET",
 		URL:    &url.URL{Path: "/", RawPath: "/"},
 		Host:   "test.domain.tld",
 	}
 	ep.SetFindRouteDomains([]string{})
+	entrypoint.SetCtx(task, ep)
 
-	r := &route.Route{
+	r, err := route.NewStartedTestRoute(b, &route.Route{
 		Alias:  "test",
 		Scheme: routeTypes.SchemeHTTP,
 		Host:   "localhost",
@@ -128,29 +132,23 @@ func BenchmarkEntrypoint(b *testing.B) {
 		HealthCheck: types.HealthCheckConfig{
 			Disable: true,
 		},
-	}
+	})
 
-	err := r.Validate()
-	if err != nil {
-		b.Fatal(err)
-	}
+	require.NoError(b, err)
+	require.False(b, r.ShouldExclude())
 
-	err = r.Start(task.RootTask("test", false))
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	rev, ok := routes.HTTP.Get("test")
-	if !ok {
-		b.Fatal("route not found")
-	}
-	rev.(types.ReverseProxyRoute).ReverseProxy().Transport = noopTransport{}
+	r.(types.ReverseProxyRoute).ReverseProxy().Transport = noopTransport{}
 
 	var w noopResponseWriter
 
+	server, ok := ep.GetServer(common.ProxyHTTPAddr)
+	if !ok {
+		b.Fatal("server not found")
+	}
+
 	b.ResetTimer()
 	for b.Loop() {
-		ep.ServeHTTP(&w, &req)
+		server.ServeHTTP(&w, &req)
 		if w.statusCode != http.StatusOK {
 			b.Fatalf("status code is not 200: %d", w.statusCode)
 		}

internal/entrypoint/entrypoint_test.go

@@ -3,48 +3,70 @@ package entrypoint_test
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	. "github.com/yusing/godoxy/internal/entrypoint"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
-
+	routeTypes "github.com/yusing/godoxy/internal/route/types"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/task"
 	expect "github.com/yusing/goutils/testing"
 )
 
-var ep = NewEntrypoint()
+func addRoute(t *testing.T, alias string) {
+	t.Helper()
 
-func addRoute(alias string) {
-	routes.HTTP.Add(&route.ReveseProxyRoute{
-		Route: &route.Route{
-			Alias: alias,
-			Port: route.Port{
-				Proxy: 80,
-			},
+	ep := entrypoint.FromCtx(task.GetTestTask(t).Context())
+	require.NotNil(t, ep)
+
+	_, err := route.NewStartedTestRoute(t, &route.Route{
+		Alias:  alias,
+		Scheme: routeTypes.SchemeHTTP,
+		Port: route.Port{
+			Listening: 1000,
+			Proxy:     8080,
+		},
+		HealthCheck: types.HealthCheckConfig{
+			Disable: true,
 		},
 	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	route, ok := ep.HTTPRoutes().Get(alias)
+	require.True(t, ok, "route not found")
+	require.NotNil(t, route)
 }
 
-func run(t *testing.T, match []string, noMatch []string) {
+func run(t *testing.T, ep *Entrypoint, match []string, noMatch []string) {
 	t.Helper()
-	t.Cleanup(routes.Clear)
-	t.Cleanup(func() { ep.SetFindRouteDomains(nil) })
+
+	server, ok := ep.GetServer(":1000")
+	require.True(t, ok, "server not found")
+	require.NotNil(t, server)
 
 	for _, test := range match {
 		t.Run(test, func(t *testing.T) {
-			found := ep.FindRoute(test)
-			expect.NotNil(t, found)
+			route := server.FindRoute(test)
+			assert.NotNil(t, route)
 		})
 	}
 
 	for _, test := range noMatch {
 		t.Run(test, func(t *testing.T) {
-			found := ep.FindRoute(test)
-			expect.Nil(t, found)
+			found, ok := ep.HTTPRoutes().Get(test)
+			assert.False(t, ok)
+			assert.Nil(t, found)
 		})
 	}
 }
 
 func TestFindRouteAnyDomain(t *testing.T) {
-	addRoute("app1")
+	ep := NewTestEntrypoint(t, nil)
+
+	addRoute(t, "app1")
 
 	tests := []string{
 		"app1.com",
@@ -58,10 +80,12 @@ func TestFindRouteAnyDomain(t *testing.T) {
 		"app2.sub.domain.com",
 	}
 
-	run(t, tests, testsNoMatch)
+	run(t, ep, tests, testsNoMatch)
 }
 
 func TestFindRouteExactHostMatch(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
 	tests := []string{
 		"app2.com",
 		"app2.domain.com",
@@ -75,19 +99,20 @@ func TestFindRouteExactHostMatch(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		addRoute(test)
+		addRoute(t, test)
 	}
 
-	run(t, tests, testsNoMatch)
+	run(t, ep, tests, testsNoMatch)
 }
 
 func TestFindRouteByDomains(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
 	ep.SetFindRouteDomains([]string{
 		".domain.com",
 		".sub.domain.com",
 	})
 
-	addRoute("app1")
+	addRoute(t, "app1")
 
 	tests := []string{
 		"app1.domain.com",
@@ -103,16 +128,17 @@ func TestFindRouteByDomains(t *testing.T) {
 		"app2.sub.domain.com",
 	}
 
-	run(t, tests, testsNoMatch)
+	run(t, ep, tests, testsNoMatch)
 }
 
 func TestFindRouteByDomainsExactMatch(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
 	ep.SetFindRouteDomains([]string{
 		".domain.com",
 		".sub.domain.com",
 	})
 
-	addRoute("app1.foo.bar")
+	addRoute(t, "app1.foo.bar")
 
 	tests := []string{
 		"app1.foo.bar", // exact match
@@ -126,13 +152,14 @@ func TestFindRouteByDomainsExactMatch(t *testing.T) {
 		"app1.sub.domain.com",
 	}
 
-	run(t, tests, testsNoMatch)
+	run(t, ep, tests, testsNoMatch)
 }
 
 func TestFindRouteWithPort(t *testing.T) {
 	t.Run("AnyDomain", func(t *testing.T) {
-		addRoute("app1")
-		addRoute("app2.com")
+		ep := NewTestEntrypoint(t, nil)
+		addRoute(t, "app1")
+		addRoute(t, "app2.com")
 
 		tests := []string{
 			"app1:8080",
@@ -144,16 +171,17 @@ func TestFindRouteWithPort(t *testing.T) {
 			"app2.co",
 			"app2.co:8080",
 		}
-		run(t, tests, testsNoMatch)
+		run(t, ep, tests, testsNoMatch)
 	})
 
 	t.Run("ByDomains", func(t *testing.T) {
+		ep := NewTestEntrypoint(t, nil)
 		ep.SetFindRouteDomains([]string{
 			".domain.com",
 		})
-		addRoute("app1")
-		addRoute("app2")
-		addRoute("app3.domain.com")
+		addRoute(t, "app1")
+		addRoute(t, "app2")
+		addRoute(t, "app3.domain.com")
 
 		tests := []string{
 			"app1.domain.com:8080",
@@ -169,6 +197,120 @@ func TestFindRouteWithPort(t *testing.T) {
 			"app3.domain.co",
 			"app3.domain.co:8080",
 		}
-		run(t, tests, testsNoMatch)
+		run(t, ep, tests, testsNoMatch)
 	})
 }
+
+func TestHealthInfoQueries(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	// Add routes without health monitors (default case)
+	addRoute(t, "app1")
+	addRoute(t, "app2")
+
+	// Test GetHealthInfo
+	t.Run("GetHealthInfo", func(t *testing.T) {
+		info := ep.GetHealthInfo()
+		expect.Equal(t, 2, len(info))
+		for _, health := range info {
+			expect.Equal(t, types.StatusUnknown, health.Status)
+			expect.Equal(t, "n/a", health.Detail)
+		}
+	})
+
+	// Test GetHealthInfoWithoutDetail
+	t.Run("GetHealthInfoWithoutDetail", func(t *testing.T) {
+		info := ep.GetHealthInfoWithoutDetail()
+		expect.Equal(t, 2, len(info))
+		for _, health := range info {
+			expect.Equal(t, types.StatusUnknown, health.Status)
+		}
+	})
+
+	// Test GetHealthInfoSimple
+	t.Run("GetHealthInfoSimple", func(t *testing.T) {
+		info := ep.GetHealthInfoSimple()
+		expect.Equal(t, 2, len(info))
+		for _, status := range info {
+			expect.Equal(t, types.StatusUnknown, status)
+		}
+	})
+}
+
+func TestRoutesByProvider(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	// Add routes with provider info
+	addRoute(t, "app1")
+	addRoute(t, "app2")
+
+	byProvider := ep.RoutesByProvider()
+	expect.Equal(t, 1, len(byProvider)) // All routes are from same implicit provider
+
+	routes, ok := byProvider[""]
+	expect.True(t, ok)
+	expect.Equal(t, 2, len(routes))
+}
+
+func TestNumRoutes(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	expect.Equal(t, 0, ep.NumRoutes())
+
+	addRoute(t, "app1")
+	expect.Equal(t, 1, ep.NumRoutes())
+
+	addRoute(t, "app2")
+	expect.Equal(t, 2, ep.NumRoutes())
+}
+
+func TestIterRoutes(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	addRoute(t, "app1")
+	addRoute(t, "app2")
+	addRoute(t, "app3")
+
+	count := 0
+	for r := range ep.IterRoutes {
+		count++
+		expect.NotNil(t, r)
+	}
+	expect.Equal(t, 3, count)
+}
+
+func TestGetRoute(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	// Route not found case
+	_, ok := ep.GetRoute("nonexistent")
+	expect.False(t, ok)
+
+	addRoute(t, "app1")
+
+	route, ok := ep.GetRoute("app1")
+	expect.True(t, ok)
+	expect.NotNil(t, route)
+}
+
+func TestHTTPRoutesPool(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	pool := ep.HTTPRoutes()
+	expect.Equal(t, 0, pool.Size())
+
+	addRoute(t, "app1")
+	expect.Equal(t, 1, pool.Size())
+
+	// Verify route is accessible
+	route, ok := pool.Get("app1")
+	expect.True(t, ok)
+	expect.NotNil(t, route)
+}
+
+func TestExcludedRoutesPool(t *testing.T) {
+	ep := NewTestEntrypoint(t, nil)
+
+	excludedPool := ep.ExcludedRoutes()
+	expect.Equal(t, 0, excludedPool.Size())
+}

internal/entrypoint/http_pool_adapter.go

@@ -0,0 +1,51 @@
+package entrypoint
+
+import (
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/types"
+)
+
+// httpPoolAdapter implements the PoolLike interface for the HTTP routes.
+type httpPoolAdapter struct {
+	ep *Entrypoint
+}
+
+func newHTTPPoolAdapter(ep *Entrypoint) httpPoolAdapter {
+	return httpPoolAdapter{ep: ep}
+}
+
+func (h httpPoolAdapter) Iter(yield func(alias string, route types.HTTPRoute) bool) {
+	for addr, srv := range h.ep.servers.Range {
+		// default routes are added to both HTTP and HTTPS servers, we don't need to iterate over them twice.
+		if addr == common.ProxyHTTPSAddr {
+			continue
+		}
+		for alias, route := range srv.routes.Iter {
+			if !yield(alias, route) {
+				return
+			}
+		}
+	}
+}
+
+func (h httpPoolAdapter) Get(alias string) (types.HTTPRoute, bool) {
+	for addr, srv := range h.ep.servers.Range {
+		if addr == common.ProxyHTTPSAddr {
+			continue
+		}
+		if route, ok := srv.routes.Get(alias); ok {
+			return route, true
+		}
+	}
+	return nil, false
+}
+
+func (h httpPoolAdapter) Size() (n int) {
+	for addr, srv := range h.ep.servers.Range {
+		if addr == common.ProxyHTTPSAddr {
+			continue
+		}
+		n += srv.routes.Size()
+	}
+	return
+}

internal/entrypoint/http_server.go

@@ -0,0 +1,173 @@
+package entrypoint
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/rs/zerolog/log"
+	acl "github.com/yusing/godoxy/internal/acl/types"
+	autocert "github.com/yusing/godoxy/internal/autocert/types"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/logging/accesslog"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware/errorpage"
+	"github.com/yusing/godoxy/internal/route/routes"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/pool"
+	"github.com/yusing/goutils/server"
+)
+
+// httpServer is a server that listens on a given address and serves HTTP routes.
+type HTTPServer interface {
+	Listen(addr string, proto HTTPProto) error
+	AddRoute(route types.HTTPRoute)
+	DelRoute(route types.HTTPRoute)
+	FindRoute(s string) types.HTTPRoute
+	ServeHTTP(w http.ResponseWriter, r *http.Request)
+}
+
+type httpServer struct {
+	ep *Entrypoint
+
+	stopFunc func(reason any)
+
+	addr   string
+	routes *pool.Pool[types.HTTPRoute]
+}
+
+type HTTPProto string
+
+const (
+	HTTPProtoHTTP  HTTPProto = "http"
+	HTTPProtoHTTPS HTTPProto = "https"
+)
+
+func NewHTTPServer(ep *Entrypoint) HTTPServer {
+	return newHTTPServer(ep)
+}
+
+func newHTTPServer(ep *Entrypoint) *httpServer {
+	return &httpServer{ep: ep}
+}
+
+// Listen starts the server and stop when entrypoint is stopped.
+func (srv *httpServer) Listen(addr string, proto HTTPProto) error {
+	if srv.addr != "" {
+		return errors.New("server already started")
+	}
+
+	opts := server.Options{
+		Name:                 addr,
+		Handler:              srv,
+		ACL:                  acl.FromCtx(srv.ep.task.Context()),
+		SupportProxyProtocol: srv.ep.cfg.SupportProxyProtocol,
+	}
+
+	switch proto {
+	case HTTPProtoHTTP:
+		opts.HTTPAddr = addr
+	case HTTPProtoHTTPS:
+		opts.HTTPSAddr = addr
+		opts.CertProvider = autocert.FromCtx(srv.ep.task.Context())
+	}
+
+	task := srv.ep.task.Subtask("http_server", false)
+	_, err := server.StartServer(task, opts)
+	if err != nil {
+		return err
+	}
+	srv.stopFunc = task.FinishAndWait
+	srv.addr = addr
+	srv.routes = pool.New[types.HTTPRoute](fmt.Sprintf("[%s] %s", proto, addr))
+	srv.routes.DisableLog(srv.ep.httpPoolDisableLog.Load())
+	return nil
+}
+
+func (srv *httpServer) Close() {
+	if srv.stopFunc == nil {
+		return
+	}
+	srv.stopFunc(nil)
+}
+
+func (srv *httpServer) AddRoute(route types.HTTPRoute) {
+	srv.routes.Add(route)
+}
+
+func (srv *httpServer) DelRoute(route types.HTTPRoute) {
+	srv.routes.Del(route)
+}
+
+func (srv *httpServer) FindRoute(s string) types.HTTPRoute {
+	return srv.ep.findRouteFunc(srv.routes, s)
+}
+
+func (srv *httpServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if srv.ep.accessLogger != nil {
+		rec := accesslog.GetResponseRecorder(w)
+		w = rec
+		defer func() {
+			srv.ep.accessLogger.LogRequest(r, rec.Response())
+			accesslog.PutResponseRecorder(rec)
+		}()
+	}
+
+	route := srv.ep.findRouteFunc(srv.routes, r.Host)
+	switch {
+	case route != nil:
+		r = routes.WithRouteContext(r, route)
+		if srv.ep.middleware != nil {
+			srv.ep.middleware.ServeHTTP(route.ServeHTTP, w, r)
+		} else {
+			route.ServeHTTP(w, r)
+		}
+	case srv.tryHandleShortLink(w, r):
+		return
+	case srv.ep.notFoundHandler != nil:
+		srv.ep.notFoundHandler.ServeHTTP(w, r)
+	default:
+		serveNotFound(w, r)
+	}
+}
+
+func (srv *httpServer) tryHandleShortLink(w http.ResponseWriter, r *http.Request) (handled bool) {
+	host := r.Host
+	if before, _, ok := strings.Cut(host, ":"); ok {
+		host = before
+	}
+	if strings.EqualFold(host, common.ShortLinkPrefix) {
+		if srv.ep.middleware != nil {
+			srv.ep.middleware.ServeHTTP(srv.ep.shortLinkMatcher.ServeHTTP, w, r)
+		} else {
+			srv.ep.shortLinkMatcher.ServeHTTP(w, r)
+		}
+		return true
+	}
+	return false
+}
+
+func serveNotFound(w http.ResponseWriter, r *http.Request) {
+	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
+	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
+	// Then scraper / scanners will know the subdomain is invalid.
+	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
+	if served := middleware.ServeStaticErrorPageFile(w, r); !served {
+		log.Error().
+			Str("method", r.Method).
+			Str("url", r.URL.String()).
+			Str("remote", r.RemoteAddr).
+			Msgf("not found: %s", r.Host)
+		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
+		if ok {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			w.WriteHeader(http.StatusNotFound)
+			if _, err := w.Write(errorPage); err != nil {
+				log.Err(err).Msg("failed to write error page")
+			}
+		} else {
+			http.NotFound(w, r)
+		}
+	}
+}

internal/entrypoint/query.go

@@ -0,0 +1,91 @@
+package entrypoint
+
+import (
+	"github.com/yusing/godoxy/internal/types"
+)
+
+// GetHealthInfo returns a map of route name to health info.
+//
+// The health info is for all routes, including excluded routes.
+func (ep *Entrypoint) GetHealthInfo() map[string]types.HealthInfo {
+	healthMap := make(map[string]types.HealthInfo, ep.NumRoutes())
+	for r := range ep.IterRoutes {
+		healthMap[r.Name()] = getHealthInfo(r)
+	}
+	return healthMap
+}
+
+// GetHealthInfoWithoutDetail returns a map of route name to health info without detail.
+//
+// The health info is for all routes, including excluded routes.
+func (ep *Entrypoint) GetHealthInfoWithoutDetail() map[string]types.HealthInfoWithoutDetail {
+	healthMap := make(map[string]types.HealthInfoWithoutDetail, ep.NumRoutes())
+	for r := range ep.IterRoutes {
+		healthMap[r.Name()] = getHealthInfoWithoutDetail(r)
+	}
+	return healthMap
+}
+
+// GetHealthInfoSimple returns a map of route name to health status.
+//
+// The health status is for all routes, including excluded routes.
+func (ep *Entrypoint) GetHealthInfoSimple() map[string]types.HealthStatus {
+	healthMap := make(map[string]types.HealthStatus, ep.NumRoutes())
+	for r := range ep.IterRoutes {
+		healthMap[r.Name()] = getHealthInfoSimple(r)
+	}
+	return healthMap
+}
+
+// RoutesByProvider returns a map of provider name to routes.
+//
+// The routes are all routes, including excluded routes.
+func (ep *Entrypoint) RoutesByProvider() map[string][]types.Route {
+	rts := make(map[string][]types.Route)
+	for r := range ep.IterRoutes {
+		rts[r.ProviderName()] = append(rts[r.ProviderName()], r)
+	}
+	return rts
+}
+
+func getHealthInfo(r types.Route) types.HealthInfo {
+	mon := r.HealthMonitor()
+	if mon == nil {
+		return types.HealthInfo{
+			HealthInfoWithoutDetail: types.HealthInfoWithoutDetail{
+				Status: types.StatusUnknown,
+			},
+			Detail: "n/a",
+		}
+	}
+	return types.HealthInfo{
+		HealthInfoWithoutDetail: types.HealthInfoWithoutDetail{
+			Status:  mon.Status(),
+			Uptime:  mon.Uptime(),
+			Latency: mon.Latency(),
+		},
+		Detail: mon.Detail(),
+	}
+}
+
+func getHealthInfoWithoutDetail(r types.Route) types.HealthInfoWithoutDetail {
+	mon := r.HealthMonitor()
+	if mon == nil {
+		return types.HealthInfoWithoutDetail{
+			Status: types.StatusUnknown,
+		}
+	}
+	return types.HealthInfoWithoutDetail{
+		Status:  mon.Status(),
+		Uptime:  mon.Uptime(),
+		Latency: mon.Latency(),
+	}
+}
+
+func getHealthInfoSimple(r types.Route) types.HealthStatus {
+	mon := r.HealthMonitor()
+	if mon == nil {
+		return types.StatusUnknown
+	}
+	return mon.Status()
+}

internal/entrypoint/routes.go

@@ -0,0 +1,145 @@
+package entrypoint
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/types"
+)
+
+func (ep *Entrypoint) IterRoutes(yield func(r types.Route) bool) {
+	for _, r := range ep.HTTPRoutes().Iter {
+		if !yield(r) {
+			return
+		}
+	}
+	for _, r := range ep.streamRoutes.Iter {
+		if !yield(r) {
+			return
+		}
+	}
+	for _, r := range ep.excludedRoutes.Iter {
+		if !yield(r) {
+			return
+		}
+	}
+}
+
+func (ep *Entrypoint) NumRoutes() int {
+	return ep.HTTPRoutes().Size() + ep.streamRoutes.Size() + ep.excludedRoutes.Size()
+}
+
+func (ep *Entrypoint) GetRoute(alias string) (types.Route, bool) {
+	if r, ok := ep.HTTPRoutes().Get(alias); ok {
+		return r, true
+	}
+	if r, ok := ep.streamRoutes.Get(alias); ok {
+		return r, true
+	}
+	if r, ok := ep.excludedRoutes.Get(alias); ok {
+		return r, true
+	}
+	return nil, false
+}
+
+func (ep *Entrypoint) StartAddRoute(r types.Route) error {
+	if r.ShouldExclude() {
+		ep.excludedRoutes.Add(r)
+		r.Task().OnCancel("remove_route", func() {
+			ep.excludedRoutes.Del(r)
+		})
+		return nil
+	}
+	switch r := r.(type) {
+	case types.HTTPRoute:
+		if err := ep.AddHTTPRoute(r); err != nil {
+			return err
+		}
+		ep.shortLinkMatcher.AddRoute(r.Key())
+		r.Task().OnCancel("remove_route", func() {
+			ep.delHTTPRoute(r)
+			ep.shortLinkMatcher.DelRoute(r.Key())
+		})
+	case types.StreamRoute:
+		err := r.ListenAndServe(r.Task().Context(), nil, nil)
+		if err != nil {
+			return err
+		}
+		ep.streamRoutes.Add(r)
+
+		r.Task().OnCancel("remove_route", func() {
+			r.Stream().Close()
+			ep.streamRoutes.Del(r)
+		})
+	default:
+		return fmt.Errorf("unknown route type: %T", r)
+	}
+	return nil
+}
+
+func getAddr(route types.HTTPRoute) (httpAddr, httpsAddr string) {
+	if port := route.ListenURL().Port(); port == "" || port == "0" {
+		host := route.ListenURL().Hostname()
+		if host == "" {
+			httpAddr = common.ProxyHTTPAddr
+			httpsAddr = common.ProxyHTTPSAddr
+		} else {
+			httpAddr = net.JoinHostPort(host, strconv.Itoa(common.ProxyHTTPPort))
+			httpsAddr = net.JoinHostPort(host, strconv.Itoa(common.ProxyHTTPSPort))
+		}
+		return httpAddr, httpsAddr
+	}
+
+	httpsAddr = route.ListenURL().Host
+	return
+}
+
+// AddHTTPRoute adds a HTTP route to the entrypoint's server.
+//
+// If the server does not exist, it will be created, started and return any error.
+func (ep *Entrypoint) AddHTTPRoute(route types.HTTPRoute) error {
+	httpAddr, httpsAddr := getAddr(route)
+	var httpErr, httpsErr error
+	if httpAddr != "" {
+		httpErr = ep.addHTTPRoute(route, httpAddr, HTTPProtoHTTP)
+	}
+	if httpsAddr != "" {
+		httpsErr = ep.addHTTPRoute(route, httpsAddr, HTTPProtoHTTPS)
+	}
+	return errors.Join(httpErr, httpsErr)
+}
+
+func (ep *Entrypoint) addHTTPRoute(route types.HTTPRoute, addr string, proto HTTPProto) error {
+	var err error
+	srv, _ := ep.servers.LoadOrCompute(addr, func() (newSrv *httpServer, cancel bool) {
+		newSrv = newHTTPServer(ep)
+		err = newSrv.Listen(addr, proto)
+		cancel = err != nil
+		return
+	})
+	if err != nil {
+		return err
+	}
+
+	srv.AddRoute(route)
+	return nil
+}
+
+func (ep *Entrypoint) delHTTPRoute(route types.HTTPRoute) {
+	httpAddr, httpsAddr := getAddr(route)
+	if httpAddr != "" {
+		srv, _ := ep.servers.Load(httpAddr)
+		if srv != nil {
+			srv.DelRoute(route)
+		}
+	}
+	if httpsAddr != "" {
+		srv, _ := ep.servers.Load(httpsAddr)
+		if srv != nil {
+			srv.DelRoute(route)
+		}
+	}
+}

internal/entrypoint/shortlink.go

@@ -14,7 +14,7 @@ type ShortLinkMatcher struct {
 	subdomainRoutes *xsync.Map[string, struct{}]
 }
 
-func newShortLinkTree() *ShortLinkMatcher {
+func newShortLinkMatcher() *ShortLinkMatcher {
 	return &ShortLinkMatcher{
 		fqdnRoutes:      xsync.NewMap[string, string](),
 		subdomainRoutes: xsync.NewMap[string, struct{}](),

internal/entrypoint/shortlink_test.go

@@ -6,13 +6,15 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/yusing/godoxy/internal/common"
 	. "github.com/yusing/godoxy/internal/entrypoint"
+	"github.com/yusing/goutils/task"
 )
 
 func TestShortLinkMatcher_FQDNAlias(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.GetTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.AddRoute("app.domain.com")
 
@@ -45,7 +47,7 @@ func TestShortLinkMatcher_FQDNAlias(t *testing.T) {
 }
 
 func TestShortLinkMatcher_SubdomainAlias(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.GetTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.SetDefaultDomainSuffix(".example.com")
 	matcher.AddRoute("app")
@@ -70,7 +72,7 @@ func TestShortLinkMatcher_SubdomainAlias(t *testing.T) {
 }
 
 func TestShortLinkMatcher_NotFound(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.GetTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.SetDefaultDomainSuffix(".example.com")
 	matcher.AddRoute("app")
@@ -93,7 +95,7 @@ func TestShortLinkMatcher_NotFound(t *testing.T) {
 }
 
 func TestShortLinkMatcher_AddDelRoute(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.GetTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.SetDefaultDomainSuffix(".example.com")
 
@@ -131,7 +133,7 @@ func TestShortLinkMatcher_AddDelRoute(t *testing.T) {
 }
 
 func TestShortLinkMatcher_NoDefaultDomainSuffix(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.GetTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	// no SetDefaultDomainSuffix called
 
@@ -158,15 +160,19 @@ func TestShortLinkMatcher_NoDefaultDomainSuffix(t *testing.T) {
 }
 
 func TestEntrypoint_ShortLinkDispatch(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.GetTestTask(t), nil)
 	ep.ShortLinkMatcher().SetDefaultDomainSuffix(".example.com")
 	ep.ShortLinkMatcher().AddRoute("app")
 
+	server := NewHTTPServer(ep)
+	err := server.Listen("localhost:0", HTTPProtoHTTP)
+	require.NoError(t, err)
+
 	t.Run("shortlink host", func(t *testing.T) {
 		req := httptest.NewRequest("GET", "/app", nil)
 		req.Host = common.ShortLinkPrefix
 		w := httptest.NewRecorder()
-		ep.ServeHTTP(w, req)
+		server.ServeHTTP(w, req)
 
 		assert.Equal(t, http.StatusTemporaryRedirect, w.Code)
 		assert.Equal(t, "https://app.example.com/", w.Header().Get("Location"))
@@ -176,7 +182,7 @@ func TestEntrypoint_ShortLinkDispatch(t *testing.T) {
 		req := httptest.NewRequest("GET", "/app", nil)
 		req.Host = common.ShortLinkPrefix + ":8080"
 		w := httptest.NewRecorder()
-		ep.ServeHTTP(w, req)
+		server.ServeHTTP(w, req)
 
 		assert.Equal(t, http.StatusTemporaryRedirect, w.Code)
 		assert.Equal(t, "https://app.example.com/", w.Header().Get("Location"))
@@ -186,7 +192,7 @@ func TestEntrypoint_ShortLinkDispatch(t *testing.T) {
 		req := httptest.NewRequest("GET", "/app", nil)
 		req.Host = "app.example.com"
 		w := httptest.NewRecorder()
-		ep.ServeHTTP(w, req)
+		server.ServeHTTP(w, req)
 
 		// Should not redirect, should try normal route lookup (which will 404)
 		assert.NotEqual(t, http.StatusTemporaryRedirect, w.Code)

internal/entrypoint/types/context.go

@@ -0,0 +1,18 @@
+package entrypoint
+
+import (
+	"context"
+)
+
+type ContextKey struct{}
+
+func SetCtx(ctx interface{ SetValue(any, any) }, ep Entrypoint) {
+	ctx.SetValue(ContextKey{}, ep)
+}
+
+func FromCtx(ctx context.Context) Entrypoint {
+	if ep, ok := ctx.Value(ContextKey{}).(Entrypoint); ok {
+		return ep
+	}
+	return nil
+}

internal/entrypoint/types/entrypoint.go

@@ -0,0 +1,37 @@
+package entrypoint
+
+import (
+	"github.com/yusing/godoxy/internal/types"
+)
+
+type Entrypoint interface {
+	SupportProxyProtocol() bool
+
+	DisablePoolsLog(v bool)
+
+	GetRoute(alias string) (types.Route, bool)
+	StartAddRoute(r types.Route) error
+	IterRoutes(yield func(r types.Route) bool)
+	NumRoutes() int
+	RoutesByProvider() map[string][]types.Route
+
+	HTTPRoutes() PoolLike[types.HTTPRoute]
+	StreamRoutes() PoolLike[types.StreamRoute]
+	ExcludedRoutes() RWPoolLike[types.Route]
+
+	GetHealthInfo() map[string]types.HealthInfo
+	GetHealthInfoWithoutDetail() map[string]types.HealthInfoWithoutDetail
+	GetHealthInfoSimple() map[string]types.HealthStatus
+}
+
+type PoolLike[Route types.Route] interface {
+	Get(alias string) (Route, bool)
+	Iter(yield func(alias string, r Route) bool)
+	Size() int
+}
+
+type RWPoolLike[Route types.Route] interface {
+	PoolLike[Route]
+	Add(r Route)
+	Del(r Route)
+}

internal/health/check/http.go

@@ -76,8 +76,11 @@ func H2C(ctx context.Context, url *url.URL, method, path string, timeout time.Du
 
 	setCommonHeaders(req.Header.Set)
 
+	client := *h2cClient
+	client.Timeout = timeout
+
 	start := time.Now()
-	resp, err := h2cClient.Do(req)
+	resp, err := client.Do(req)
 	lat := time.Since(start)
 
 	if resp != nil {

internal/health/check/stream.go

@@ -12,6 +12,14 @@ import (
 )
 
 func Stream(ctx context.Context, url *url.URL, timeout time.Duration) (types.HealthCheckResult, error) {
+	if port := url.Port(); port == "" || port == "0" {
+		return types.HealthCheckResult{
+			Latency: 0,
+			Healthy: false,
+			Detail:  "no port specified",
+		}, nil
+	}
+
 	dialer := net.Dialer{
 		Timeout:       timeout,
 		FallbackDelay: -1,

internal/health/monitor/README.md

@@ -41,7 +41,7 @@ type HealthCheckFunc func(url *url.URL) (result types.HealthCheckResult, err err
 
 ```go
 type HealthMonitor interface {
-    Start(parent task.Parent) gperr.Error
+    Start(parent task.Parent) error
     Task() *task.Task
     Finish(reason any)
     UpdateURL(url *url.URL)

internal/health/monitor/monitor.go

@@ -2,6 +2,7 @@ package monitor
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"math/rand"
 	"net/url"
@@ -13,7 +14,6 @@ import (
 	config "github.com/yusing/godoxy/internal/config/types"
 	"github.com/yusing/godoxy/internal/notif"
 	"github.com/yusing/godoxy/internal/types"
-	gperr "github.com/yusing/goutils/errs"
 	strutils "github.com/yusing/goutils/strings"
 	"github.com/yusing/goutils/synk"
 	"github.com/yusing/goutils/task"
@@ -42,7 +42,7 @@ type (
 	}
 )
 
-var ErrNegativeInterval = gperr.New("negative interval")
+var ErrNegativeInterval = errors.New("negative interval")
 
 func (mon *monitor) init(u *url.URL, cfg types.HealthCheckConfig, healthCheckFunc HealthCheckFunc) {
 	if state := config.WorkingState.Load(); state != nil {
@@ -79,7 +79,7 @@ func (mon *monitor) CheckHealth() (types.HealthCheckResult, error) {
 }
 
 // Start implements task.TaskStarter.
-func (mon *monitor) Start(parent task.Parent) gperr.Error {
+func (mon *monitor) Start(parent task.Parent) error {
 	if mon.config.Interval <= 0 {
 		return ErrNegativeInterval
 	}

internal/homepage/icons/README.md

@@ -176,7 +176,7 @@ func (icon *Meta) Filenames(ref string) []string
 func NewURL(source Source, refOrName, format string) *URL
 
 // ErrInvalidIconURL is returned when icon URL parsing fails
-var ErrInvalidIconURL = gperr.New("invalid icon url")
+var ErrInvalidIconURL = errors.New("invalid icon url")
 ```
 
 ### Provider Interface

internal/homepage/icons/list/list_icons.go

@@ -55,20 +55,20 @@ func init() {
 
 func InitCache() {
 	m := make(IconMap)
-	err := serialization.LoadJSONIfExist(common.IconListCachePath, &m)
+	err := serialization.LoadFileIfExist(common.IconListCachePath, &m, sonic.Unmarshal)
 	if err != nil {
 		// backward compatible
 		oldFormat := struct {
 			Icons      IconMap
 			LastUpdate time.Time
 		}{}
-		err = serialization.LoadJSONIfExist(common.IconListCachePath, &oldFormat)
+		err = serialization.LoadFileIfExist(common.IconListCachePath, &oldFormat, sonic.Unmarshal)
 		if err != nil {
 			log.Error().Err(err).Msg("failed to load icons")
 		} else {
 			m = oldFormat.Icons
 			// store it to disk immediately
-			_ = serialization.SaveJSON(common.IconListCachePath, &m, 0o644)
+			_ = serialization.SaveFile(common.IconListCachePath, &m, 0o644, sonic.Marshal)
 		}
 	} else if len(m) > 0 {
 		log.Info().
@@ -84,7 +84,7 @@ func InitCache() {
 
 	task.OnProgramExit("save_icons_cache", func() {
 		icons := iconsCache.Load()
-		_ = serialization.SaveJSON(common.IconListCachePath, &icons, 0o644)
+		_ = serialization.SaveFile(common.IconListCachePath, &icons, 0o644, sonic.Marshal)
 	})
 
 	go backgroundUpdateIcons()
@@ -105,7 +105,7 @@ func backgroundUpdateIcons() {
 				// swap old cache with new cache
 				iconsCache.Store(newCache)
 				// save it to disk
-				err := serialization.SaveJSON(common.IconListCachePath, &newCache, 0o644)
+				err := serialization.SaveFile(common.IconListCachePath, &newCache, 0o644, sonic.Marshal)
 				if err != nil {
 					log.Warn().Err(err).Msg("failed to save icons")
 				}

internal/homepage/icons/url.go

@@ -1,6 +1,7 @@
 package icons
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
@@ -40,7 +41,7 @@ const (
 	VariantDark  Variant = "dark"
 )
 
-var ErrInvalidIconURL = gperr.New("invalid icon url")
+var ErrInvalidIconURL = errors.New("invalid icon url")
 
 func NewURL(source Source, refOrName, format string) *URL {
 	switch source {
@@ -119,7 +120,7 @@ func (u *URL) parse(v string, checkExists bool) error {
 	case "@target", "": // @target/favicon.ico, /favicon.ico
 		url := v[slashIndex:]
 		if url == "/" {
-			return ErrInvalidIconURL.Withf("%s", "empty path")
+			return fmt.Errorf("%w: empty path", ErrInvalidIconURL)
 		}
 		u.FullURL = &url
 		u.Source = SourceRelative
@@ -131,7 +132,7 @@ func (u *URL) parse(v string, checkExists bool) error {
 		}
 		parts := strings.Split(v[slashIndex+1:], ".")
 		if len(parts) != 2 {
-			return ErrInvalidIconURL.Withf("expect @%s/<reference>.<format>, e.g. @%s/adguard-home.webp", beforeSlash, beforeSlash)
+			return fmt.Errorf("%w: expect %s/<reference>.<format>, e.g. %s/adguard-home.webp", ErrInvalidIconURL, beforeSlash, beforeSlash)
 		}
 		reference, format := parts[0], strings.ToLower(parts[1])
 		if reference == "" || format == "" {
@@ -140,7 +141,7 @@ func (u *URL) parse(v string, checkExists bool) error {
 		switch format {
 		case "svg", "png", "webp":
 		default:
-			return ErrInvalidIconURL.Withf("%s", "invalid image format, expect svg/png/webp")
+			return fmt.Errorf("%w: invalid image format, expect svg/png/webp", ErrInvalidIconURL)
 		}
 		isLight, isDark := false, false
 		if strings.HasSuffix(reference, "-light") {
@@ -158,10 +159,10 @@ func (u *URL) parse(v string, checkExists bool) error {
 			IsDark:   isDark,
 		}
 		if checkExists && !u.HasIcon() {
-			return ErrInvalidIconURL.Withf("no such icon %s.%s from %s", reference, format, u.Source)
+			return fmt.Errorf("%w: no such icon %s.%s from %s", ErrInvalidIconURL, reference, format, u.Source)
 		}
 	default:
-		return ErrInvalidIconURL.Subject(v)
+		return gperr.PrependSubject(ErrInvalidIconURL, v)
 	}
 
 	return nil

internal/homepage/integrations/qbittorrent/client.go

@@ -2,13 +2,13 @@ package qbittorrent
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 
 	"github.com/bytedance/sonic"
 	"github.com/yusing/godoxy/internal/homepage/widgets"
-	gperr "github.com/yusing/goutils/errs"
 )
 
 type Client struct {
@@ -46,7 +46,7 @@ func (c *Client) doRequest(ctx context.Context, method, endpoint string, query u
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, gperr.Errorf("%w: %d %s", widgets.ErrHTTPStatus, resp.StatusCode, resp.Status)
+		return nil, fmt.Errorf("%w: %d %s", widgets.ErrHTTPStatus, resp.StatusCode, resp.Status)
 	}
 
 	return resp, nil

internal/homepage/widgets/README.md

@@ -50,8 +50,7 @@ const (
 ### Errors
 
 ```go
-var ErrInvalidProvider = gperr.New("invalid provider")
-var ErrHTTPStatus = gperr.New("http status")
+var ErrInvalidProvider = errors.New("invalid provider")
 ```
 
 ## API Reference