readme and dockerfile fix for v0.3 update

Bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible

.gitignore

@@ -1,5 +1,7 @@
 compose.yml
 go-proxy.yml
+config.yml
+providers.yml
 bin/go-proxy.bak
 logs/
 log/

Dockerfile

@@ -6,12 +6,15 @@ RUN apk add --no-cache bash tzdata
 RUN mkdir /app
 COPY bin/go-proxy entrypoint.sh /app/
 COPY templates/ /app/templates
+COPY config.example.yml /app/config.yml
 
 RUN chmod +x /app/go-proxy /app/entrypoint.sh
 ENV DOCKER_HOST unix:///var/run/docker.sock
-ENV VERBOSITY=1
+ENV GOPROXY_DEBUG 0
+ENV GOPROXY_REDIRECT_HTTP 1
 
 EXPOSE 80
+EXPOSE 8080
 EXPOSE 443
 EXPOSE 8443
 

Makefile

@@ -4,7 +4,7 @@ all: build quick-restart logs
 
 build:
 	mkdir -p bin
-	CGO_ENABLED=0 GOOS=linux go build -o bin/go-proxy src/go-proxy/*.go
+	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy src/go-proxy/*.go
 
 up:
 	docker compose up -d --build go-proxy

README.md

@@ -1,15 +1,22 @@
 # go-proxy
 
-A simple auto docker reverse proxy for home use. *Written in **Go***
+A simple auto docker reverse proxy for home use. **Written in _Go_**
 
 In the examples domain `x.y.z` is used, replace them with your domain
 
 ## Table of content
 
-- [Features](#features)
-- [Why am I making this](#why-am-i-making-this)
+- [Key Points](#key-points)
 - [How to use](#how-to-use)
+  - [Binary](#binary)
+  - [Docker](#docker)
 - [Configuration](#configuration)
+  - [Labels](#labels)
+  - [Environment Variables](#environment-variables)
+  - [Config File](#config-file)
+  - [Provider File](#provider-file)
+  - [Supported Cert Providers](#supported-cert-providers)
+- [Examples](#examples)
   - [Single Port Configuration](#single-port-configuration-example)
   - [Multiple Ports Configuration](#multiple-ports-configuration-example)
   - [TCP/UDP Configuration](#tcpudp-configuration-example)
@@ -18,51 +25,95 @@ In the examples domain `x.y.z` is used, replace them with your domain
 - [Benchmarks](#benchmarks)
 - [Memory usage](#memory-usage)
 - [Build it yourself](#build-it-yourself)
-- [Getting SSL certs](#getting-ssl-certs)
 
-## Features
+## Key Points
 
+- fast, nearly no performance penalty for end users when comparing to direct IP connections (See [benchmarks](#benchmarks))
+- auto detect reverse proxies from docker
+- additional reverse proxies from provider yaml file
+- allow multiple docker / file providers by custom `config.yml` file
+- auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported Cert Providers](#supported-cert-providers))
 - subdomain matching **(domain name doesn't matter)**
 - path matching
 - HTTP proxy
 - TCP/UDP Proxy
-- HTTP round robin load balance support (same subdomain and path across containers replicas)
-- Auto hot-reload when container start / die / stop.
+- HTTP round robin load balance support (same subdomain and path across different hosts)
+- Auto hot-reload on container start / die / stop or config changes.
 - Simple panel to see all reverse proxies and health (visit port [panel port] of go-proxy `https://*.y.z:[panel port]`)
 
-    ![panel screenshot](screenshots/panel.png)
+  - you can customize it by modifying [templates/panel.html](templates/panel.html)
 
-## Why am I making this
-
-1. It's fun.
-2. I have tried different reverse proxy services, i.e. [nginx proxy manager](https://nginxproxymanager.com/), [traefik](https://github.com/traefik/traefik), [nginx-proxy](https://github.com/nginx-proxy/nginx-proxy). I have found that `traefik` is not easy to use, and I don't want to click buttons every time I spin up a new container (`nginx proxy manager`). For `nginx-proxy` I found it buggy and quite unusable.
+  ![panel screenshot](screenshots/panel.png)
 
 ## How to use
 
-1. Clone the repo git clone `https://github.com/yusing/go-proxy`
+1. Download and extract the latest release (or clone the repository if you want to try out experimental features)
 
-2. Copy content from [compose.example.yml](compose.example.yml) and create your own `compose.yml`
+2. Copy `config.example.yml` to `config.yml` and modify the content to fit your needs
 
-3. Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+3. Do the same for `providers.example.yml`
 
-4. Modify the path to your SSL certs. See [Getting SSL Certs](#getting-ssl-certs)
+4. See [Binary](#binary) or [docker](#docker)
 
-5. Start `go-proxy` with `docker compose up -d` or `make up`.
+### Binary
 
-6. (Optional) If you are using ufw with vpn that drop all inbound traffic except vpn, run below to allow docker containers to connect to `go-proxy`
+1. (Optional) enabled HTTPS
 
-    In case the network of your container is in subnet `172.16.0.0/16` (bridge),
-    and vpn network is under `100.64.0.0/10` (i.e. tailscale)
+   - Use autocert feature by completing `autocert` in `config.yml`
 
-    `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+   - Use existing certificate
 
-    You can also list CIDRs of all docker bridge networks by:
+     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
 
-    `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+     - cert / chain / fullchain: `./certs/cert.crt`
+     - private key: `./certs/priv.key`
 
-7. start your docker app, and visit <container_name>.y.z
+2. run the binary `bin/go-proxy`
 
-8. check the logs with `docker compose logs` or `make logs` to see if there is any error, check panel at [panel port] for active proxies
+3. enjoy
+
+### Docker
+
+1. Copy content from [compose.example.yml](compose.example.yml) and create your own `compose.yml`
+
+2. Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+
+3. (Optional) enable HTTPS
+
+   - Use autocert feature
+
+     1. mount `./certs` to `/app/certs`
+     ```yaml
+     go-proxy:
+      ...
+      volumes:
+        - ./certs:/app/certs
+     ```
+     2. complete `autocert` in `config.yml`
+
+   - Use existing certificate
+
+     Mount your wildcard (`*.y.z`) SSL cert to enable https. See [Getting SSL Certs](#getting-ssl-certs)
+
+     - cert / chain / fullchain -> `/app/certs/cert.crt`
+     - private key -> `/app/certs/priv.key`
+
+4. Start `go-proxy` with `docker compose up -d` or `make up`.
+
+5. (Optional) If you are using ufw with vpn that drop all inbound traffic except vpn, run below to allow docker containers to connect to `go-proxy`
+
+   In case the network of your container is in subnet `172.16.0.0/16` (bridge),
+   and vpn network is under `100.64.0.0/10` (i.e. tailscale)
+
+   `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+
+   You can also list CIDRs of all docker bridge networks by:
+
+   `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+
+6. start your docker app, and visit <container_name>.y.z
+
+7. check the logs with `docker compose logs` or `make logs` to see if there is any error, check panel at [panel port] for active proxies
 
 ## Known issues
 
@@ -70,12 +121,13 @@ None
 
 ## Configuration
 
-With container name, no label needs to be added.
+With container name, most of the time no label needs to be added.
 
-However, there are some labels you can manipulate with:
+### Labels
 
 - `proxy.aliases`: comma separated aliases for subdomain matching
   - defaults to `container_name`
+- `proxy.*.<field>`: wildcard config for all aliases
 - `proxy.<alias>.scheme`: container port protocol (`http` or `https`)
   - defaults to `http`
 - `proxy.<alias>.host`: proxy host
@@ -84,10 +136,13 @@ However, there are some labels you can manipulate with:
   - http/https: defaults to first expose port (declared in `Dockerfile` or `docker-compose.yml`)
   - tcp/udp: is in format of `[<listeningPort>:]<targetPort>`
     - when `listeningPort` is omitted (not suggested), a free port will be used automatically.
-    - `targetPort` must be a number, or the predefined names (see [stream.go](src/go-proxy/stream.go#L28))
+    - `targetPort` must be a number, or the predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
+- `proxy.<alias>.no_tls_verify`: whether skip tls verify when scheme is https
+  - defaults to false
 - `proxy.<alias>.path`: path matching (for http proxy only)
   - defaults to empty
 - `proxy.<alias>.path_mode`: mode for path handling
+
   - defaults to empty
   - allowed: \<empty>, forward, sub
     - empty: remove path prefix from URL when proxying
@@ -102,6 +157,34 @@ However, there are some labels you can manipulate with:
 - `proxy.<alias>.load_balance`: enable load balance
   - allowed: `1`, `true`
 
+### Environment variables
+
+- `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
+- `GOPROXY_REDIRECT_HTTP`: set to `0` or `false` to disable http to https redirect (only when certs are located)
+
+### Config File
+
+See [config.example.yml](config.example.yml)
+
+### Provider File
+
+See [providers.example.yml](providers.example.yml)
+
+### Supported cert providers
+
+- Cloudflare
+
+  ```yaml
+  autocert:
+    ...
+    options:
+      auth_token: "YOUR_ZONE_API_TOKEN"
+  ```
+
+  Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
+
+## Examples
+
 ### Single port configuration example
 
 ```yaml
@@ -150,7 +233,7 @@ app-db:
     - proxy.app-db.scheme=tcp
 
     # Optional (first free port will be used for listening port)
-    - proxy.app-db.port=20000:postgres  
+    - proxy.app-db.port=20000:postgres
 
 # In go-proxy
 go-proxy:
@@ -186,47 +269,109 @@ A: Make sure the container is running, and \<subdomain> matches any container na
 
 Benchmarked with `wrk` connecting `traefik/whoami`'s `/bench` endpoint
 
-Direct connection
+Remote benchmark (client running wrk and `go-proxy` server are different devices)
 
-```shell
-% wrk -t20 -c100 -d10s --latency http://homelab:4999/bench
-Running 10s test @ http://homelab:4999/bench
-  20 threads and 100 connections
-  Thread Stats   Avg      Stdev     Max   +/- Stdev
-    Latency     3.74ms    1.19ms  19.94ms   81.53%
-    Req/Sec     1.35k   103.96     1.60k    73.60%
-  Latency Distribution
-     50%    3.46ms
-     75%    4.16ms
-     90%    4.98ms
-     99%    8.04ms
-  269696 requests in 10.01s, 32.41MB read
-Requests/sec:  26950.35
-Transfer/sec:      3.24MB
-```
+- Direct connection
 
-With **go-proxy** reverse proxy
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
+  Running 10s test @ http://10.0.100.3:8003/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    94.75ms  199.92ms   1.68s    91.27%
+      Req/Sec     4.24k     1.79k   18.79k    72.13%
+    Latency Distribution
+      50%    1.14ms
+      75%  120.23ms
+      90%  245.63ms
+      99%    1.03s
+    423444 requests in 10.10s, 50.88MB read
+    Socket errors: connect 0, read 0, write 0, timeout 29
+  Requests/sec:  41926.32
+  Transfer/sec:      5.04MB
+  ```
 
-```shell
-% wrk -t20 -c100 -d10s --latency https://whoami.mydomain.com/bench
-Running 10s test @ https://whoami.6uo.me/bench
-  20 threads and 100 connections
-  Thread Stats   Avg      Stdev     Max   +/- Stdev
-    Latency     4.02ms    2.13ms  47.49ms   95.14%
-    Req/Sec     1.28k   139.15     1.47k    91.67%
-  Latency Distribution
-     50%    3.60ms
-     75%    4.36ms
-     90%    5.29ms
-     99%    8.83ms
-  253874 requests in 10.02s, 24.70MB read
-Requests/sec:  25342.46
-Transfer/sec:      2.47MB
-```
+- With reverse proxy
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    79.35ms  169.79ms   1.69s    92.55%
+      Req/Sec     4.27k     1.90k   19.61k    75.81%
+    Latency Distribution
+      50%    1.12ms
+      75%  105.66ms
+      90%  200.22ms
+      99%  814.59ms
+    409836 requests in 10.10s, 49.25MB read
+    Socket errors: connect 0, read 0, write 0, timeout 18
+  Requests/sec:  40581.61
+  Transfer/sec:      4.88MB
+  ```
+
+Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
+
+- Direct connection
+
+  ```
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
+  Running 10s test @ http://10.0.100.1/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency   434.08us  539.35us   8.76ms   85.28%
+      Req/Sec    67.71k     6.31k   87.21k    71.20%
+    Latency Distribution
+      50%  153.00us
+      75%  646.00us
+      90%    1.18ms
+      99%    2.38ms
+    6739591 requests in 10.01s, 809.85MB read
+  Requests/sec: 673608.15
+  Transfer/sec:     80.94MB
+  ```
+
+- With `go-proxy` reverse proxy
+
+  ```
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     1.23ms    0.96ms  11.43ms   72.09%
+      Req/Sec    17.48k     1.76k   21.48k    70.20%
+    Latency Distribution
+      50%    0.98ms
+      75%    1.76ms
+      90%    2.54ms
+      99%    4.24ms
+    1739079 requests in 10.01s, 208.97MB read
+  Requests/sec: 173779.44
+  Transfer/sec:     20.88MB
+  ```
+
+- With `traefik-v3`
+  ```
+  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
+  Running 10s test @ http://127.0.0.1:8000/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     2.81ms   10.36ms 180.26ms   98.57%
+      Req/Sec    11.35k     1.74k   13.76k    85.54%
+    Latency Distribution
+      50%    1.59ms
+      75%    2.27ms
+      90%    3.17ms
+      99%   37.91ms
+    1125723 requests in 10.01s, 109.50MB read
+  Requests/sec: 112499.59
+  Transfer/sec:     10.94MB
+  ```
 
 ## Memory usage
 
-It takes ~ 0.1-0.4MB for each HTTP Proxy, and <2MB for each TCP/UDP Proxy
+It takes ~30 MB for 50 proxy entries
 
 ## Build it yourself
 
@@ -236,10 +381,6 @@ It takes ~ 0.1-0.4MB for each HTTP Proxy, and <2MB for each TCP/UDP Proxy
 
 3. build binary with `make build`
 
-4. start your container with `docker compose up -d`
-
-## Getting SSL certs
-
-I personally use `nginx-proxy-manager` to get SSL certs with auto renewal by Cloudflare DNS challenge. You may symlink the certs from `nginx-proxy-manager` to somewhere else, and mount them to `go-proxy`'s `/certs`
+4. start your container with `make up` (docker) or `bin/go-proxy` (binary)
 
 [panel port]: 8443

compose.example.yml

@@ -3,28 +3,44 @@ services:
   app:
     build: .
     container_name: go-proxy
-    hostname: go-proxy # set hostname to prevent adding itself to proxy list
     restart: always
     networks: # ^also add here
       - default
-    environment:
-      - VERBOSITY=1 # LOG LEVEL (optional, defaults to 1)
-      - DEBUG=1 # (optional enable only for debug)
+    # environment:
+      # - GOPROXY_DEBUG=1 # (optional, enable only for debug)
+      # - GOPROXY_REDIRECT_HTTP=0 # (optional, uncomment to disable http redirect (http -> https))
     ports:
       - 80:80 # http
-      - 443:443 # https
-      - 8443:8443 # panel
-      - 20000:20100/tcp # tcp (optional, if you have proxy.<app>.scheme == tcp)
-      - 20000:20100/udp # tcp (optional, if you have proxy.<app>.scheme == udp)
+      # - 443:443 # optional, https
+      - 8080:8080 # http panel
+      # - 8443:8443 # optional, https panel
+
+      # optional, if you declared any tcp/udp proxy, set a range you want to use
+      # - 20000:20100/tcp
+      # - 20000:20100/udp
     volumes:
-      - /path/to/cert.pem:/certs/cert.crt:ro
-      - /path/to/privkey.pem:/certs/priv.key:ro
-      - ./log:/app/log # path to logs
+      # use existing certificate
+      # - /path/to/cert.pem:/app/certs/cert.crt:ro
+      # - /path/to/privkey.pem:/app/certs/priv.key:ro
+
+      # use autocert feature
+      # - ./certs:/app/certs
+
+      # if local docker provider is used (by default)
       - /var/run/docker.sock:/var/run/docker.sock:ro
+
+      # to use custom config
+      # - path/to/config.yml:/app/config.yml
+
+      # mount file provider yaml files
+      # - path/to/provider1.yml:/app/provider1.yml
+      # - path/to/provider2.yml:/app/provider2.yml
+      # etc.
     dns:
       - 127.0.0.1 # workaround for "lookup: no such host"
     extra_hosts:
-      - host.docker.internal:host-gateway # required if you have containers in `host` network_mode
+      # required if you use local docker provider and have containers in `host` network_mode
+      - host.docker.internal:host-gateway
     logging:
       driver: 'json-file'
       options:

config.example.yml

@@ -0,0 +1,25 @@
+# uncomment to use autocert
+# autocert:
+#   email: "user@y.z" # email for acme certificate
+#   domains:
+#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
+#   provider: cloudflare
+#   options:
+#     auth_token: "YOUR_ZONE_API_TOKEN"
+providers:
+  local:
+    kind: docker
+    # for value format, see https://docs.docker.com/reference/cli/dockerd/
+    value: FROM_ENV
+  # remote1:
+  #   kind: docker
+  #   value: ssh://user@10.0.1.1
+  # remote2:
+  #   kind: docker
+  #   value: tcp://10.0.1.1:2375
+  # provider1:
+  #   kind: file
+  #   value: provider1.yml
+  # provider2:
+  #   kind: file
+  #   value: provider2.yml

entrypoint.sh

@@ -3,13 +3,9 @@ if [ "$1" == "restart" ]; then
     echo "restarting"
     killall go-proxy
 fi
-if [ -z "$VERBOSITY" ]; then
-    VERBOSITY=1
-fi
-echo "starting with verbosity $VERBOSITY" > log/go-proxy.log
-if [ "$DEBUG" == "1" ]; then
-    /app/go-proxy -v=$VERBOSITY -log_dir=log --stderrthreshold=0 2>> log/go-proxy.log &
+if [ "$GOPROXY_DEBUG" == "1" ]; then
+    /app/go-proxy 2> log/go-proxy.log &
     tail -f /dev/null
 else
-    /app/go-proxy -v=$VERBOSITY -log_dir=log --stderrthreshold=0 2>> log/go-proxy.log
+    /app/go-proxy
 fi

go.mod

@@ -2,38 +2,51 @@ module github.com/yusing/go-proxy
 
 go 1.21.7
 
-require github.com/docker/docker v25.0.3+incompatible
-
-require github.com/golang/glog v1.2.0
-
 require (
-	github.com/containerd/log v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
+	github.com/docker/cli v26.0.0+incompatible
+	github.com/docker/docker v26.0.0+incompatible
+	github.com/fsnotify/fsnotify v1.7.0
+	github.com/go-acme/lego/v4 v4.16.1
+	github.com/sirupsen/logrus v1.9.3
+	golang.org/x/net v0.22.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cloudflare/cloudflare-go v0.91.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/term v0.5.0 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/net v0.22.0
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/mod v0.16.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
 )

go.sum

@@ -1,40 +1,80 @@
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cloudflare/cloudflare-go v0.86.0 h1:jEKN5VHNYNYtfDL2lUFLTRo+nOVNPFxpXTstVx0rqHI=
+github.com/cloudflare/cloudflare-go v0.86.0/go.mod h1:wYW/5UP02TUfBToa/yKbQHV+r6h1NnJ1Je7XjuGM4Jw=
+github.com/cloudflare/cloudflare-go v0.91.0 h1:L7IR+86qrZuEMSjGFg4cwRwtHqC8uCPmMUkP7BD4CPw=
+github.com/cloudflare/cloudflare-go v0.91.0/go.mod h1:nUqvBUUDRxNzsDSQjbqUNWHEIYAoUlgRmcAzMKlFdKs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v25.0.3+incompatible h1:D5fy/lYmY7bvZa0XTZ5/UJPljor41F+vdyJG5luQLfQ=
-github.com/docker/docker v25.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUyzJVPxD30I=
+github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-acme/lego/v4 v4.16.1 h1:JxZ93s4KG0jL27rZ30UsIgxap6VGzKuREsSkkyzeoCQ=
+github.com/go-acme/lego/v4 v4.16.1/go.mod h1:AVvwdPned/IWpD/ihHhMsKnveF7HHYAz/CmtXi7OZoE=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=
-github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
+github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
+github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -43,14 +83,23 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
+github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
@@ -72,8 +121,12 @@ go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7e
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
 golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -87,9 +140,12 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -102,12 +158,15 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
 golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
 google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM=
 google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1:6G8oQ016D88m1xAKljMlBOOGWDZkes4kMhgGFlf8WcQ=
@@ -116,6 +175,10 @@ google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
 google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
 google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=

providers.example.yml

@@ -0,0 +1,15 @@
+app: # matching `app.y.z`
+  # optional
+  scheme: http
+  # required, proxy target
+  host: 10.0.0.1
+  # optional
+  port: 80
+  # optional, defaults to empty
+  path:
+  # optional
+  path_mode:
+  # optional
+  notlsverify: false
+# app2:
+#   ...

src/go-proxy/autocert.go

@@ -0,0 +1,233 @@
+package main
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+	"path"
+	"sync"
+	"time"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+type AutoCertConfig struct {
+	Email    string
+	Domains  []string `yaml:",flow"`
+	Provider string
+	Options  map[string]string `yaml:",flow"`
+}
+
+type AutoCertUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *AutoCertUser) GetEmail() string {
+	return u.Email
+}
+func (u *AutoCertUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *AutoCertUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+type AutoCertProvider interface {
+	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
+	GetName() string
+	GetExpiry() time.Time
+	LoadCert() bool
+	ObtainCert() error
+
+	needRenew() bool
+}
+
+func (cfg AutoCertConfig) GetProvider() (AutoCertProvider, error) {
+	if len(cfg.Domains) == 0 {
+		return nil, fmt.Errorf("no domains specified")
+	}
+	if cfg.Provider == "" {
+		return nil, fmt.Errorf("no provider specified")
+	}
+	if cfg.Email == "" {
+		return nil, fmt.Errorf("no email specified")
+	}
+
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate private key: %v", err)
+	}
+	user := &AutoCertUser{
+		Email: cfg.Email,
+		key:   privKey,
+	}
+	legoCfg := lego.NewConfig(user)
+	legoCfg.Certificate.KeyType = certcrypto.RSA2048
+	legoClient, err := lego.NewClient(legoCfg)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create lego client: %v", err)
+	}
+	base := &AutoCertProviderBase{
+		name:    cfg.Provider,
+		cfg:     cfg,
+		user:    user,
+		legoCfg: legoCfg,
+		client:  legoClient,
+	}
+	switch cfg.Provider {
+	case "cloudflare":
+		return NewAutoCertCFProvider(base, cfg.Options)
+	}
+	return nil, fmt.Errorf("unknown provider: %s", cfg.Provider)
+}
+
+type AutoCertProviderBase struct {
+	name    string
+	cfg     AutoCertConfig
+	user    *AutoCertUser
+	legoCfg *lego.Config
+	client  *lego.Client
+
+	tlsCert *tls.Certificate
+	expiry  time.Time
+	mutex   sync.Mutex
+}
+
+func (p *AutoCertProviderBase) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if p.tlsCert == nil {
+		aclog.Fatal("no certificate available")
+	}
+	if p.needRenew() {
+		p.mutex.Lock()
+		defer p.mutex.Unlock()
+		if p.needRenew() {
+			err := p.ObtainCert()
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	return p.tlsCert, nil
+}
+
+func (p *AutoCertProviderBase) GetName() string {
+	return p.name
+}
+
+func (p *AutoCertProviderBase) GetExpiry() time.Time {
+	return p.expiry
+}
+
+func (p *AutoCertProviderBase) ObtainCert() error {
+	client := p.client
+	if p.user.Registration == nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return err
+		}
+		p.user.Registration = reg
+	}
+	req := certificate.ObtainRequest{
+		Domains: p.cfg.Domains,
+		Bundle:  true,
+	}
+	cert, err := client.Certificate.Obtain(req)
+	if err != nil {
+		return err
+	}
+	err = p.saveCert(cert)
+	if err != nil {
+		return err
+	}
+	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
+	if err != nil {
+		return err
+	}
+	p.tlsCert = &tlsCert
+	x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[len(tlsCert.Certificate)-1])
+	if err != nil {
+		return err
+	}
+	p.expiry = x509Cert.NotAfter
+	return nil
+}
+
+func (p *AutoCertProviderBase) LoadCert() bool {
+	cert, err := tls.LoadX509KeyPair(certFileDefault, keyFileDefault)
+	if err != nil {
+		return false
+	}
+	x509Cert, err := x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-1])
+	if err != nil {
+		return false
+	}
+	p.tlsCert = &cert
+	p.expiry = x509Cert.NotAfter
+	return true
+}
+
+func (p *AutoCertProviderBase) saveCert(cert *certificate.Resource) error {
+	err := os.MkdirAll(path.Dir(certFileDefault), 0644)
+	if err != nil {
+		return fmt.Errorf("unable to create cert directory: %v", err)
+	}
+	err = os.WriteFile(keyFileDefault, cert.PrivateKey, 0600) // -rw-------
+	if err != nil {
+		return fmt.Errorf("unable to write key file: %v", err)
+	}
+	err = os.WriteFile(certFileDefault, cert.Certificate, 0644) // -rw-r--r--
+	if err != nil {
+		return fmt.Errorf("unable to write cert file: %v", err)
+	}
+	return nil
+}
+
+func (p *AutoCertProviderBase) needRenew() bool {
+	return p.expiry.Before(time.Now().Add(24 * time.Hour))
+}
+
+type AutoCertCFProvider struct {
+	*AutoCertProviderBase
+	*cloudflare.Config
+}
+
+func NewAutoCertCFProvider(base *AutoCertProviderBase, opt map[string]string) (*AutoCertCFProvider, error) {
+	p := &AutoCertCFProvider{
+		base,
+		cloudflare.NewDefaultConfig(),
+	}
+	err := setOptions(p.Config, opt)
+	if err != nil {
+		return nil, err
+	}
+	legoProvider, err := cloudflare.NewDNSProviderConfig(p.Config)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create cloudflare provider: %v", err)
+	}
+	err = p.client.Challenge.SetDNS01Provider(legoProvider)
+	if err != nil {
+		return nil, fmt.Errorf("unable to set challenge provider: %v", err)
+	}
+	return p, nil
+}
+
+func setOptions[T interface{}](cfg *T, opt map[string]string) error {
+	for k, v := range opt {
+		err := SetFieldFromSnake(cfg, k, v)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

src/go-proxy/config.go

@@ -0,0 +1,108 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"sync"
+
+	"gopkg.in/yaml.v3"
+)
+
+// commented out if unused
+type Config interface {
+	// Load() error
+	MustLoad()
+	GetAutoCertProvider() (AutoCertProvider, error)
+	// MustReload()
+	// Reload() error
+	StartProviders()
+	StopProviders()
+	WatchChanges()
+	StopWatching()
+}
+
+func NewConfig() Config {
+	cfg := &config{}
+	cfg.watcher = NewFileWatcher(
+		configPath,
+		cfg.MustReload,        // OnChange
+		func() { os.Exit(1) }, // OnDelete
+	)
+	return cfg
+}
+
+func (cfg *config) Load() error {
+	cfg.mutex.Lock()
+	defer cfg.mutex.Unlock()
+
+	// unload if any
+	cfg.StopProviders()
+
+	data, err := os.ReadFile(configPath)
+	if err != nil {
+		return fmt.Errorf("unable to read config file: %v", err)
+	}
+
+	cfg.Providers = make(map[string]*Provider)
+	if err = yaml.Unmarshal(data, &cfg); err != nil {
+		return fmt.Errorf("unable to parse config file: %v", err)
+	}
+
+	for name, p := range cfg.Providers {
+		err := p.Init(name)
+		if err != nil {
+			cfgl.Errorf("failed to initialize provider %q %v", name, err)
+			cfg.Providers[name] = nil
+		}
+	}
+
+	return nil
+}
+
+func (cfg *config) MustLoad() {
+	if err := cfg.Load(); err != nil {
+		cfgl.Fatal(err)
+	}
+}
+
+func (cfg *config) GetAutoCertProvider() (AutoCertProvider, error) {
+	return cfg.AutoCert.GetProvider()
+}
+
+func (cfg *config) Reload() error {
+	return cfg.Load()
+}
+
+func (cfg *config) MustReload() {
+	cfg.MustLoad()
+}
+
+func (cfg *config) StartProviders() {
+	if cfg.Providers == nil {
+		cfgl.Fatal("providers not loaded")
+	}
+	// Providers have their own mutex, no lock needed
+	ParallelForEachValue(cfg.Providers, (*Provider).StartAllRoutes)
+}
+
+func (cfg *config) StopProviders() {
+	if cfg.Providers != nil {
+		// Providers have their own mutex, no lock needed
+		ParallelForEachValue(cfg.Providers, (*Provider).StopAllRoutes)
+	}
+}
+
+func (cfg *config) WatchChanges() {
+	cfg.watcher.Start()
+}
+
+func (cfg *config) StopWatching() {
+	cfg.watcher.Stop()
+}
+
+type config struct {
+	Providers map[string]*Provider `yaml:",flow"`
+	AutoCert  AutoCertConfig       `yaml:",flow"`
+	watcher   Watcher
+	mutex     sync.Mutex
+}

src/go-proxy/constants.go

@@ -1,6 +1,14 @@
 package main
 
-import "time"
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
 
 var (
 	ImageNamePortMap = map[string]string{
@@ -34,14 +42,14 @@ var (
 )
 
 var (
-	StreamSchemes = []string{TCPStreamType, UDPStreamType} // TODO: support "tcp:udp", "udp:tcp"
+	StreamSchemes = []string{StreamType_TCP, StreamType_UDP} // TODO: support "tcp:udp", "udp:tcp"
 	HTTPSchemes   = []string{"http", "https"}
 	ValidSchemes  = append(StreamSchemes, HTTPSchemes...)
 )
 
 const (
-	UDPStreamType = "udp"
-	TCPStreamType = "tcp"
+	StreamType_UDP = "udp"
+	StreamType_TCP = "tcp"
 )
 
 const (
@@ -50,8 +58,51 @@ const (
 	ProxyPathMode_RemovedPath = ""
 )
 
+const (
+	ProviderKind_Docker = "docker"
+	ProviderKind_File   = "file"
+)
+
+// TODO: default + per proxy
+var (
+	transport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   60 * time.Second,
+			KeepAlive: 60 * time.Second,
+		}).DialContext,
+		MaxIdleConns:        1000,
+		MaxIdleConnsPerHost: 1000,
+	}
+
+	transportNoTLS = func() *http.Transport {
+		var clone = transport.Clone()
+		clone.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		return clone
+	}()
+)
+
+const wildcardLabelPrefix = "proxy.*."
+
+const clientUrlFromEnv = "FROM_ENV"
+
+const (
+	certFileDefault = "certs/cert.crt"
+	keyFileDefault  = "certs/priv.key"
+	configPath      = "config.yml"
+	templatePath    = "templates/panel.html"
+)
+
 const StreamStopListenTimeout = 1 * time.Second
 
-const templateFile = "/app/templates/panel.html"
-
 const udpBufferSize = 1500
+
+var logLevel = func() logrus.Level {
+	switch os.Getenv("GOPROXY_DEBUG") {
+	case "1", "true":
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	return logrus.GetLevel()
+}()
+
+var redirectHTTP = os.Getenv("GOPROXY_REDIRECT_HTTP") != "0" && os.Getenv("GOPROXY_REDIRECT_HTTP") != "false"

src/go-proxy/docker.go

@@ -1,139 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-	"reflect"
-	"sort"
-	"strings"
-	"sync"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-	"github.com/golang/glog"
-	"golang.org/x/net/context"
-)
-
-var dockerClient *client.Client
-
-func buildContainerRoute(container types.Container) {
-	var aliases []string
-	var wg sync.WaitGroup
-
-	container_name := strings.TrimPrefix(container.Names[0], "/")
-	aliases_label, ok := container.Labels["proxy.aliases"]
-	if !ok {
-		aliases = []string{container_name}
-	} else {
-		aliases = strings.Split(aliases_label, ",")
-	}
-
-	for _, alias := range aliases {
-		config := NewProxyConfig()
-		prefix := fmt.Sprintf("proxy.%s.", alias)
-		for label, value := range container.Labels {
-			if strings.HasPrefix(label, prefix) {
-				field := strings.TrimPrefix(label, prefix)
-				field = utils.snakeToCamel(field)
-				prop := reflect.ValueOf(&config).Elem().FieldByName(field)
-				if prop.Kind() == 0 {
-					glog.Infof("[Build] %s: ignoring unknown field %s", alias, field)
-					continue
-				}
-				prop.Set(reflect.ValueOf(value))
-			}
-		}
-		if config.Port == "" {
-			// usually the smaller port is the http one
-			// so make it the last one to be set (if 80 or 8080 are not exposed)
-			sort.Slice(container.Ports, func(i, j int) bool {
-				return container.Ports[i].PrivatePort > container.Ports[j].PrivatePort
-			})
-			for _, port := range container.Ports {
-				// set first, but keep trying
-				config.Port = fmt.Sprintf("%d", port.PrivatePort)
-				// until we find 80 or 8080
-				if port.PrivatePort == 80 || port.PrivatePort == 8080 {
-					break
-				}
-			}
-		}
-		if config.Port == "" {
-			// no ports exposed or specified
-			glog.Infof("[Build] %s has no port exposed", alias)
-			return
-		}
-		if config.Scheme == "" {
-			if strings.HasSuffix(config.Port, "443") {
-				config.Scheme = "https"
-			} else if strings.HasPrefix(container.Image, "sha256:") {
-				config.Scheme = "http"
-			} else {
-				imageSplit := strings.Split(container.Image, "/")
-				imageSplit = strings.Split(imageSplit[len(imageSplit)-1], ":")
-				imageName := imageSplit[0]
-				_, isKnownImage := ImageNamePortMap[imageName]
-				if isKnownImage {
-					config.Scheme = "tcp"
-				} else {
-					config.Scheme = "http"
-				}
-			}
-		}
-		if !isValidScheme(config.Scheme) {
-			glog.Infof("%s: unsupported scheme: %s, using http", container_name, config.Scheme)
-			config.Scheme = "http"
-		}
-		if config.Host == "" {
-			switch {
-			case container.HostConfig.NetworkMode == "host":
-				config.Host = "host.docker.internal"
-			case config.LoadBalance == "true":
-			case config.LoadBalance == "1":
-				for _, network := range container.NetworkSettings.Networks {
-					config.Host = network.IPAddress
-					break
-				}
-			default:
-				for _, network := range container.NetworkSettings.Networks {
-					for _, alias := range network.Aliases {
-						config.Host = alias
-						break
-					}
-				}
-			}
-		}
-		if config.Host == "" {
-			config.Host = container_name
-		}
-		config.Alias = alias
-		config.UpdateId()
-
-		wg.Add(1)
-		go func() {
-			CreateRoute(&config)
-			wg.Done()
-		}()
-	}
-	wg.Wait()
-}
-
-func buildRoutes() {
-	InitRoutes()
-	containerSlice, err := dockerClient.ContainerList(context.Background(), container.ListOptions{})
-	if err != nil {
-		glog.Fatal(err)
-	}
-	hostname, err := os.Hostname()
-	if err != nil {
-		hostname = "go-proxy"
-	}
-	for _, container := range containerSlice {
-		if container.Names[0] == hostname { // skip self
-			glog.Infof("[Build] Skipping %s", container.Names[0])
-			continue
-		}
-		buildContainerRoute(container)
-	}
-}

src/go-proxy/docker_provider.go

@@ -0,0 +1,202 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"golang.org/x/net/context"
+)
+
+func (p *Provider) setConfigField(c *ProxyConfig, label string, value string, prefix string) error {
+	if strings.HasPrefix(label, prefix) {
+		field := strings.TrimPrefix(label, prefix)
+		SetFieldFromSnake(c, field, value)
+	}
+	return nil
+}
+
+func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP string) []*ProxyConfig {
+	var aliases []string
+
+	cfgs := make([]*ProxyConfig, 0)
+
+	container_name := strings.TrimPrefix(container.Names[0], "/")
+	aliases_label, ok := container.Labels["proxy.aliases"]
+
+	if !ok {
+		aliases = []string{container_name}
+	} else {
+		aliases = strings.Split(aliases_label, ",")
+	}
+
+	isRemote := clientIP != ""
+
+	for _, alias := range aliases {
+		l := p.l.WithField("container", container_name).WithField("alias", alias)
+		config := NewProxyConfig(p)
+		prefix := fmt.Sprintf("proxy.%s.", alias)
+		for label, value := range container.Labels {
+			err := p.setConfigField(&config, label, value, prefix)
+			if err != nil {
+				l.Error(err)
+			}
+			err = p.setConfigField(&config, label, value, wildcardLabelPrefix)
+			if err != nil {
+				l.Error(err)
+			}
+		}
+		if config.Port == "" {
+			config.Port = fmt.Sprintf("%d", selectPort(container))
+		}
+		if config.Port == "0" {
+			// no ports exposed or specified
+			l.Debugf("no ports exposed, ignored")
+			continue
+		}
+		if config.Scheme == "" {
+			switch {
+			case strings.HasSuffix(config.Port, "443"):
+				config.Scheme = "https"
+			case strings.HasPrefix(container.Image, "sha256:"):
+				config.Scheme = "http"
+			default:
+				imageSplit := strings.Split(container.Image, "/")
+				imageSplit = strings.Split(imageSplit[len(imageSplit)-1], ":")
+				imageName := imageSplit[0]
+				_, isKnownImage := ImageNamePortMap[imageName]
+				if isKnownImage {
+					config.Scheme = "tcp"
+				} else {
+					config.Scheme = "http"
+				}
+			}
+		}
+		if !isValidScheme(config.Scheme) {
+			l.Warnf("unsupported scheme: %s, using http", config.Scheme)
+			config.Scheme = "http"
+		}
+		if config.Host == "" {
+			switch {
+			case isRemote:
+				config.Host = clientIP
+			case container.HostConfig.NetworkMode == "host":
+				config.Host = "host.docker.internal"
+			case config.LoadBalance == "true", config.LoadBalance == "1":
+				for _, network := range container.NetworkSettings.Networks {
+					config.Host = network.IPAddress
+					break
+				}
+			default:
+				for _, network := range container.NetworkSettings.Networks {
+					for _, alias := range network.Aliases {
+						config.Host = alias
+						break
+					}
+				}
+			}
+		}
+		if config.Host == "" {
+			config.Host = container_name
+		}
+		config.Alias = alias
+
+		cfgs = append(cfgs, &config)
+	}
+	return cfgs
+}
+
+func (p *Provider) getDockerClient() (*client.Client, error) {
+	var dockerOpts []client.Opt
+	if p.Value == clientUrlFromEnv {
+		dockerOpts = []client.Opt{
+			client.WithHostFromEnv(),
+			client.WithAPIVersionNegotiation(),
+		}
+	} else {
+		helper, err := connhelper.GetConnectionHelper(p.Value)
+		if err != nil {
+			p.l.Fatal("unexpected error: ", err)
+		}
+		if helper != nil {
+			httpClient := &http.Client{
+				Transport: &http.Transport{
+					DialContext: helper.Dialer,
+				},
+			}
+			dockerOpts = []client.Opt{
+				client.WithHTTPClient(httpClient),
+				client.WithHost(helper.Host),
+				client.WithAPIVersionNegotiation(),
+				client.WithDialContext(helper.Dialer),
+			}
+		} else {
+			dockerOpts = []client.Opt{
+				client.WithHost(p.Value),
+				client.WithAPIVersionNegotiation(),
+			}
+		}
+	}
+	return client.NewClientWithOpts(dockerOpts...)
+}
+
+func (p *Provider) getDockerProxyConfigs() ([]*ProxyConfig, error) {
+	var clientIP string
+
+	if p.Value == clientUrlFromEnv {
+		clientIP = ""
+	} else {
+		url, err := client.ParseHostURL(p.Value)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse docker host url: %v", err)
+		}
+		clientIP = strings.Split(url.Host, ":")[0]
+	}
+
+	dockerClient, err := p.getDockerClient()
+
+	if err != nil {
+		return nil, fmt.Errorf("unable to create docker client: %v", err)
+	}
+
+	ctx, _ := context.WithTimeout(context.Background(), 3*time.Second)
+	containerSlice, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
+
+	if err != nil {
+		return nil, fmt.Errorf("unable to list containers: %v", err)
+	}
+
+	cfgs := make([]*ProxyConfig, 0)
+
+	for _, container := range containerSlice {
+		cfgs = append(cfgs, p.getContainerProxyConfigs(container, clientIP)...)
+	}
+
+	return cfgs, nil
+}
+
+// var dockerUrlRegex = regexp.MustCompile(`^(?P<scheme>\w+)://(?P<host>[^:]+)(?P<port>:\d+)?(?P<path>/.*)?$`)
+
+func getPublicPort(p types.Port) uint16  { return p.PublicPort }
+func getPrivatePort(p types.Port) uint16 { return p.PrivatePort }
+
+func selectPort(c types.Container) uint16 {
+	if c.HostConfig.NetworkMode == "host" {
+		return selectPortInternal(c, getPrivatePort)
+	}
+	return selectPortInternal(c, getPublicPort)
+}
+
+func selectPortInternal(c types.Container, getPort func(types.Port) uint16) uint16 {
+	for _, p := range c.Ports {
+		if port := getPort(p); port != 0 {
+			return port
+		}
+	}
+	return 0
+}

src/go-proxy/file_provider.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+)
+
+func (p *Provider) getFileProxyConfigs() ([]*ProxyConfig, error) {
+	path := p.Value
+
+	if _, err := os.Stat(path); err == nil {
+		data, err := os.ReadFile(path)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read config file %q: %v", path, err)
+		}
+		configMap := make(map[string]ProxyConfig, 0)
+		configs := make([]*ProxyConfig, 0)
+		err = yaml.Unmarshal(data, &configMap)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse config file %q: %v", path, err)
+		}
+
+		for alias, cfg := range configMap {
+			cfg.Alias = alias
+			err = cfg.SetDefaults()
+			if err != nil {
+				return nil, err
+			}
+			configs = append(configs, &cfg)
+		}
+		return configs, nil
+	} else if !os.IsNotExist(err) {
+		return nil, fmt.Errorf("file not found: %s", path)
+	} else {
+		return nil, err
+	}
+}

src/go-proxy/functional.go

@@ -0,0 +1,39 @@
+package main
+
+import "sync"
+
+func ParallelForEach[T interface{}](obj []T, do func(T)) {
+	var wg sync.WaitGroup
+	wg.Add(len(obj))
+	for _, v := range obj {
+		go func(v T) {
+			do(v)
+			wg.Done()
+		}(v)
+	}
+	wg.Wait()
+}
+
+func ParallelForEachValue[K comparable, V interface{}](obj map[K]V, do func(V)) {
+	var wg sync.WaitGroup
+	wg.Add(len(obj))
+	for _, v := range obj {
+		go func(v V) {
+			do(v)
+			wg.Done()
+		}(v)
+	}
+	wg.Wait()
+}
+
+func ParallelForEachKeyValue[K comparable, V interface{}](obj map[K]V, do func(K, V)) {
+	var wg sync.WaitGroup
+	wg.Add(len(obj))
+	for k, v := range obj {
+		go func(k K, v V) {
+			do(k, v)
+			wg.Done()
+		}(k, v)
+	}
+	wg.Wait()
+}

src/go-proxy/http_lbpool.go

@@ -20,3 +20,10 @@ func (p *httpLoadBalancePool) Add(route *HTTPRoute) {
 func (p *httpLoadBalancePool) Iterator() []*HTTPRoute {
 	return p.pool
 }
+
+func (p *httpLoadBalancePool) Pick() *HTTPRoute {
+	// round-robin
+	index := int(p.curentIndex.Load())
+	defer p.curentIndex.Add(1)
+	return p.pool[index%len(p.pool)]
+}

src/go-proxy/http_route.go

@@ -2,78 +2,75 @@ package main
 
 import (
 	"fmt"
-	"net"
+
 	"net/http"
-	"net/http/httputil"
 	"net/url"
 	"strings"
-	"time"
 
-	"github.com/golang/glog"
+	"github.com/sirupsen/logrus"
 )
 
 type HTTPRoute struct {
+	Alias    string
 	Url      *url.URL
 	Path     string
 	PathMode string
-	Proxy    *httputil.ReverseProxy
-}
+	Proxy    *ReverseProxy
 
-func isValidProxyPathMode(mode string) bool {
-	switch mode {
-	case ProxyPathMode_Forward, ProxyPathMode_Sub, ProxyPathMode_RemovedPath:
-		return true
-	default:
-		return false
-	}
+	l logrus.FieldLogger
 }
 
 func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 	url, err := url.Parse(fmt.Sprintf("%s://%s:%s", config.Scheme, config.Host, config.Port))
 	if err != nil {
-		glog.Infoln(err)
 		return nil, err
 	}
 
-	proxy := httputil.NewSingleHostReverseProxy(url)
-	proxy.Transport = transport
+	var tr *http.Transport
+	if config.NoTLSVerify {
+		tr = transportNoTLS
+	} else {
+		tr = transport
+	}
+
+	proxy := NewSingleHostReverseProxy(url, tr)
 
 	if !isValidProxyPathMode(config.PathMode) {
 		return nil, fmt.Errorf("invalid path mode: %s", config.PathMode)
 	}
 
 	route := &HTTPRoute{
+		Alias:    config.Alias,
 		Url:      url,
 		Path:     config.Path,
 		Proxy:    proxy,
 		PathMode: config.PathMode,
+		l: hrlog.WithFields(logrus.Fields{
+			"alias":     config.Alias,
+			"path":      config.Path,
+			"path_mode": config.PathMode,
+		}),
 	}
 
-	director := proxy.Director
-	proxy.Director = nil
-
-	initRewrite := func(pr *httputil.ProxyRequest) {
-		director(pr.Out)
-	}
-	rewrite := initRewrite
+	var rewriteBegin = proxy.Rewrite
+	var rewrite func(*ProxyRequest)
+	var modifyResponse func(*http.Response) error
 
 	switch {
 	case config.Path == "", config.PathMode == ProxyPathMode_Forward:
-		break
+		rewrite = rewriteBegin
 	case config.PathMode == ProxyPathMode_Sub:
-		rewrite = func(pr *httputil.ProxyRequest) {
-			initRewrite(pr)
+		rewrite = func(pr *ProxyRequest) {
+			rewriteBegin(pr)
 			// disable compression
 			pr.Out.Header.Set("Accept-Encoding", "identity")
 			// remove path prefix
 			pr.Out.URL.Path = strings.TrimPrefix(pr.Out.URL.Path, config.Path)
 		}
-		route.Proxy.ModifyResponse = func(r *http.Response) error {
+		modifyResponse = func(r *http.Response) error {
 			contentType, ok := r.Header["Content-Type"]
 			if !ok || len(contentType) == 0 {
-				if glog.V(3) {
-					glog.Infof("[Path sub] unknown content type for %s", r.Request.URL.String())
-				}
+				route.l.Debug("unknown content type for ", r.Request.URL.String())
 				return nil
 			}
 			// disable cache
@@ -86,28 +83,36 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 			case strings.HasPrefix(contentType[0], "application/javascript"):
 				err = utils.respJSSubPath(r, config.Path)
 			default:
-				glog.V(4).Infof("[Path sub] unknown content type(s): %s", contentType)
+				route.l.Debug("unknown content type(s): ", contentType)
 			}
 			if err != nil {
-				err = fmt.Errorf("[Path sub] failed to remove path prefix %s: %v", config.Path, err)
+				err = fmt.Errorf("failed to remove path prefix %s: %v", config.Path, err)
+				route.l.WithField("action", "path_sub").Error(err)
 				r.Status = err.Error()
 				r.StatusCode = http.StatusInternalServerError
 			}
 			return err
 		}
 	default:
-		rewrite = func(pr *httputil.ProxyRequest) {
-			initRewrite(pr)
+		rewrite = func(pr *ProxyRequest) {
+			rewriteBegin(pr)
 			pr.Out.URL.Path = strings.TrimPrefix(pr.Out.URL.Path, config.Path)
 		}
 	}
 
-	if glog.V(3) {
-		route.Proxy.Rewrite = func(pr *httputil.ProxyRequest) {
+	if logLevel == logrus.DebugLevel {
+		route.Proxy.Rewrite = func(pr *ProxyRequest) {
 			rewrite(pr)
-			r := pr.In
-			glog.Infof("[Request] %s %s%s", r.Method, r.Host, r.URL.Path)
-			glog.V(5).InfoDepthf(1, "Headers: %v", r.Header)
+			route.l.Debug("request URL: ", pr.In.Host, pr.In.URL.Path)
+			route.l.Debug("request headers: ", pr.In.Header)
+		}
+		route.Proxy.ModifyResponse = func(r *http.Response) error {
+			route.l.Debug("response URL: ", r.Request.URL.String())
+			route.l.Debug("response headers: ", r.Header)
+			if modifyResponse != nil {
+				return modifyResponse(r)
+			}
+			return nil
 		}
 	} else {
 		route.Proxy.Rewrite = rewrite
@@ -116,14 +121,21 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 	return route, nil
 }
 
-func (p *httpLoadBalancePool) Pick() *HTTPRoute {
-	// round-robin
-	index := int(p.curentIndex.Load())
-	defer p.curentIndex.Add(1)
-	return p.pool[index%len(p.pool)]
+func (r *HTTPRoute) Start() {}
+func (r *HTTPRoute) Stop() {
+	httpRoutes.Delete(r.Alias)
 }
 
-func redirectToTLS(w http.ResponseWriter, r *http.Request) {
+func isValidProxyPathMode(mode string) bool {
+	switch mode {
+	case ProxyPathMode_Forward, ProxyPathMode_Sub, ProxyPathMode_RemovedPath:
+		return true
+	default:
+		return false
+	}
+}
+
+func redirectToTLSHandler(w http.ResponseWriter, r *http.Request) {
 	// Redirect to the same host but with HTTPS
 	var redirectCode int
 	if r.Method == http.MethodGet {
@@ -136,35 +148,30 @@ func redirectToTLS(w http.ResponseWriter, r *http.Request) {
 
 func findHTTPRoute(host string, path string) (*HTTPRoute, error) {
 	subdomain := strings.Split(host, ".")[0]
-	routeMap, ok := routes.HTTPRoutes.UnsafeGet(subdomain)
-	if !ok {
-		return nil, fmt.Errorf("no matching route for subdomain %s", subdomain)
+	routeMap, ok := httpRoutes.UnsafeGet(subdomain)
+	if ok {
+		return routeMap.FindMatch(path)
 	}
-	return routeMap.FindMatch(path)
+	return nil, fmt.Errorf("no matching route for subdomain %s", subdomain)
 }
 
-func httpProxyHandler(w http.ResponseWriter, r *http.Request) {
+func proxyHandler(w http.ResponseWriter, r *http.Request) {
 	route, err := findHTTPRoute(r.Host, r.URL.Path)
 	if err != nil {
-		err = fmt.Errorf("[Request] failed %s %s%s, error: %v",
+		err = fmt.Errorf("request failed %s %s%s, error: %v",
 			r.Method,
 			r.Host,
 			r.URL.Path,
 			err,
 		)
+		logrus.Error(err)
 		http.Error(w, err.Error(), http.StatusNotFound)
 		return
 	}
 	route.Proxy.ServeHTTP(w, r)
 }
 
-// TODO: default + per proxy
-var transport = &http.Transport{
-	Proxy: http.ProxyFromEnvironment,
-	DialContext: (&net.Dialer{
-		Timeout:   60 * time.Second,
-		KeepAlive: 60 * time.Second,
-	}).DialContext,
-	MaxIdleConns:        1000,
-	MaxIdleConnsPerHost: 1000,
-}
+// alias -> (path -> routes)
+type HTTPRoutes = SafeMap[string, *pathPoolMap]
+
+var httpRoutes HTTPRoutes = NewSafeMap[string](newPathPoolMap)

src/go-proxy/httputil_mod.go

@@ -0,0 +1,833 @@
+package main
+
+// A small mod on net/http/httputils
+// that doubled the performance
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/textproto"
+	"net/url"
+	"strings"
+	"time"
+
+	"golang.org/x/net/http/httpguts"
+)
+
+// A ProxyRequest contains a request to be rewritten by a [ReverseProxy].
+type ProxyRequest struct {
+	// In is the request received by the proxy.
+	// The Rewrite function must not modify In.
+	In *http.Request
+
+	// Out is the request which will be sent by the proxy.
+	// The Rewrite function may modify or replace this request.
+	// Hop-by-hop headers are removed from this request
+	// before Rewrite is called.
+	Out *http.Request
+}
+
+// SetURL routes the outbound request to the scheme, host, and base path
+// provided in target. If the target's path is "/base" and the incoming
+// request was for "/dir", the target request will be for "/base/dir".
+//
+// SetURL rewrites the outbound Host header to match the target's host.
+// To preserve the inbound request's Host header (the default behavior
+// of [NewSingleHostReverseProxy]):
+//
+//	rewriteFunc := func(r *httputil.ProxyRequest) {
+//		r.SetURL(url)
+//		r.Out.Host = r.In.Host
+//	}
+func (r *ProxyRequest) SetURL(target *url.URL) {
+	rewriteRequestURL(r.Out, target)
+	r.Out.Host = ""
+}
+
+// SetXForwarded sets the X-Forwarded-For, X-Forwarded-Host, and
+// X-Forwarded-Proto headers of the outbound request.
+//
+//   - The X-Forwarded-For header is set to the client IP address.
+//   - The X-Forwarded-Host header is set to the host name requested
+//     by the client.
+//   - The X-Forwarded-Proto header is set to "http" or "https", depending
+//     on whether the inbound request was made on a TLS-enabled connection.
+//
+// If the outbound request contains an existing X-Forwarded-For header,
+// SetXForwarded appends the client IP address to it. To append to the
+// inbound request's X-Forwarded-For header (the default behavior of
+// [ReverseProxy] when using a Director function), copy the header
+// from the inbound request before calling SetXForwarded:
+//
+//	rewriteFunc := func(r *httputil.ProxyRequest) {
+//		r.Out.Header["X-Forwarded-For"] = r.In.Header["X-Forwarded-For"]
+//		r.SetXForwarded()
+//	}
+func (r *ProxyRequest) SetXForwarded() {
+	clientIP, _, err := net.SplitHostPort(r.In.RemoteAddr)
+	if err == nil {
+		prior := r.Out.Header["X-Forwarded-For"]
+		if len(prior) > 0 {
+			clientIP = strings.Join(prior, ", ") + ", " + clientIP
+		}
+		r.Out.Header.Set("X-Forwarded-For", clientIP)
+	} else {
+		r.Out.Header.Del("X-Forwarded-For")
+	}
+	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
+	if r.In.TLS == nil {
+		r.Out.Header.Set("X-Forwarded-Proto", "http")
+	} else {
+		r.Out.Header.Set("X-Forwarded-Proto", "https")
+	}
+}
+
+// ReverseProxy is an HTTP Handler that takes an incoming request and
+// sends it to another server, proxying the response back to the
+// client.
+//
+// 1xx responses are forwarded to the client if the underlying
+// transport supports ClientTrace.Got1xxResponse.
+type ReverseProxy struct {
+	// Rewrite must be a function which modifies
+	// the request into a new request to be sent
+	// using Transport. Its response is then copied
+	// back to the original client unmodified.
+	// Rewrite must not access the provided ProxyRequest
+	// or its contents after returning.
+	//
+	// The Forwarded, X-Forwarded, X-Forwarded-Host,
+	// and X-Forwarded-Proto headers are removed from the
+	// outbound request before Rewrite is called. See also
+	// the ProxyRequest.SetXForwarded method.
+	//
+	// Unparsable query parameters are removed from the
+	// outbound request before Rewrite is called.
+	// The Rewrite function may copy the inbound URL's
+	// RawQuery to the outbound URL to preserve the original
+	// parameter string. Note that this can lead to security
+	// issues if the proxy's interpretation of query parameters
+	// does not match that of the downstream server.
+	//
+	// At most one of Rewrite or Director may be set.
+	Rewrite func(*ProxyRequest)
+
+	// The transport used to perform proxy requests.
+	// If nil, http.DefaultTransport is used.
+	Transport http.RoundTripper
+
+	// FlushInterval specifies the flush interval
+	// to flush to the client while copying the
+	// response body.
+	// If zero, no periodic flushing is done.
+	// A negative value means to flush immediately
+	// after each write to the client.
+	// The FlushInterval is ignored when ReverseProxy
+	// recognizes a response as a streaming response, or
+	// if its ContentLength is -1; for such responses, writes
+	// are flushed to the client immediately.
+	FlushInterval time.Duration
+
+	// ErrorLog specifies an optional logger for errors
+	// that occur when attempting to proxy the request.
+	// If nil, logging is done via the log package's standard logger.
+	ErrorLog *log.Logger
+
+	// BufferPool optionally specifies a buffer pool to
+	// get byte slices for use by io.CopyBuffer when
+	// copying HTTP response bodies.
+	BufferPool BufferPool
+
+	// ModifyResponse is an optional function that modifies the
+	// Response from the backend. It is called if the backend
+	// returns a response at all, with any HTTP status code.
+	// If the backend is unreachable, the optional ErrorHandler is
+	// called without any call to ModifyResponse.
+	//
+	// If ModifyResponse returns an error, ErrorHandler is called
+	// with its error value. If ErrorHandler is nil, its default
+	// implementation is used.
+	ModifyResponse func(*http.Response) error
+
+	// ErrorHandler is an optional function that handles errors
+	// reaching the backend or errors from ModifyResponse.
+	//
+	// If nil, the default is to log the provided error and return
+	// a 502 Status Bad Gateway response.
+	ErrorHandler func(http.ResponseWriter, *http.Request, error)
+}
+
+// A BufferPool is an interface for getting and returning temporary
+// byte slices for use by [io.CopyBuffer].
+type BufferPool interface {
+	Get() []byte
+	Put([]byte)
+}
+
+func singleJoiningSlash(a, b string) string {
+	aslash := strings.HasSuffix(a, "/")
+	bslash := strings.HasPrefix(b, "/")
+	switch {
+	case aslash && bslash:
+		return a + b[1:]
+	case !aslash && !bslash:
+		return a + "/" + b
+	}
+	return a + b
+}
+
+func joinURLPath(a, b *url.URL) (path, rawpath string) {
+	if a.RawPath == "" && b.RawPath == "" {
+		return singleJoiningSlash(a.Path, b.Path), ""
+	}
+	// Same as singleJoiningSlash, but uses EscapedPath to determine
+	// whether a slash should be added
+	apath := a.EscapedPath()
+	bpath := b.EscapedPath()
+
+	aslash := strings.HasSuffix(apath, "/")
+	bslash := strings.HasPrefix(bpath, "/")
+
+	switch {
+	case aslash && bslash:
+		return a.Path + b.Path[1:], apath + bpath[1:]
+	case !aslash && !bslash:
+		return a.Path + "/" + b.Path, apath + "/" + bpath
+	}
+	return a.Path + b.Path, apath + bpath
+}
+
+// NewSingleHostReverseProxy returns a new [ReverseProxy] that routes
+// URLs to the scheme, host, and base path provided in target. If the
+// target's path is "/base" and the incoming request was for "/dir",
+// the target request will be for /base/dir.
+//
+// NewSingleHostReverseProxy does not rewrite the Host header.
+//
+// To customize the ReverseProxy behavior beyond what
+// NewSingleHostReverseProxy provides, use ReverseProxy directly
+// with a Rewrite function. The ProxyRequest SetURL method
+// may be used to route the outbound request. (Note that SetURL,
+// unlike NewSingleHostReverseProxy, rewrites the Host header
+// of the outbound request by default.)
+//
+//	proxy := &ReverseProxy{
+//		Rewrite: func(r *ProxyRequest) {
+//			r.SetURL(target)
+//			r.Out.Host = r.In.Host // if desired
+//		},
+//	}
+func NewSingleHostReverseProxy(target *url.URL, transport *http.Transport) *ReverseProxy {
+	return &ReverseProxy{Rewrite: func(pr *ProxyRequest) {
+		rewriteRequestURL(pr.Out, target)
+	}, Transport: transport}
+}
+
+func rewriteRequestURL(req *http.Request, target *url.URL) {
+	targetQuery := target.RawQuery
+	req.URL.Scheme = target.Scheme
+	req.URL.Host = target.Host
+	req.URL.Path, req.URL.RawPath = joinURLPath(target, req.URL)
+	if targetQuery == "" || req.URL.RawQuery == "" {
+		req.URL.RawQuery = targetQuery + req.URL.RawQuery
+	} else {
+		req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
+	}
+}
+
+func copyHeader(dst, src http.Header) {
+	for k, vv := range src {
+		for _, v := range vv {
+			dst.Add(k, v)
+		}
+	}
+}
+
+// Hop-by-hop headers. These are removed when sent to the backend.
+// As of RFC 7230, hop-by-hop headers are required to appear in the
+// Connection header field. These are the headers defined by the
+// obsoleted RFC 2616 (section 13.5.1) and are used for backward
+// compatibility.
+// var hopHeaders = []string{
+// 	"Connection",
+// 	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+// 	"Keep-Alive",
+// 	"Proxy-Authenticate",
+// 	"Proxy-Authorization",
+// 	"Te",      // canonicalized version of "TE"
+// 	"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
+// 	"Transfer-Encoding",
+// 	"Upgrade",
+// }
+
+// NOTE: getErrorHandler and DefaultErrorHandler removed
+
+func (p *ReverseProxy) errorHandler(rw http.ResponseWriter, _ *http.Request, err error) {
+	p.logf("http: proxy error: %v", err)
+	rw.WriteHeader(http.StatusBadGateway)
+}
+
+// modifyResponse conditionally runs the optional ModifyResponse hook
+// and reports whether the request should proceed.
+func (p *ReverseProxy) modifyResponse(rw http.ResponseWriter, res *http.Response, req *http.Request) bool {
+	if p.ModifyResponse == nil {
+		return true
+	}
+	if err := p.ModifyResponse(res); err != nil {
+		res.Body.Close()
+		p.errorHandler(rw, req, err)
+		return false
+	}
+	return true
+}
+
+func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	transport := p.Transport
+	// Note: removed
+	// if transport == nil {
+	// 	transport = http.DefaultTransport
+	// }
+
+	ctx := req.Context()
+	if ctx.Done() != nil {
+		// CloseNotifier predates context.Context, and has been
+		// entirely superseded by it. If the request contains
+		// a Context that carries a cancellation signal, don't
+		// bother spinning up a goroutine to watch the CloseNotify
+		// channel (if any).
+		//
+		// If the request Context has a nil Done channel (which
+		// means it is either context.Background, or a custom
+		// Context implementation with no cancellation signal),
+		// then consult the CloseNotifier if available.
+	} else if cn, ok := rw.(http.CloseNotifier); ok {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithCancel(ctx)
+		defer cancel()
+		notifyChan := cn.CloseNotify()
+		go func() {
+			select {
+			case <-notifyChan:
+				cancel()
+			case <-ctx.Done():
+			}
+		}()
+	}
+
+	outreq := req.Clone(ctx)
+	if req.ContentLength == 0 {
+		outreq.Body = nil // Issue 16036: nil Body for http.Transport retries
+	}
+	if outreq.Body != nil {
+		// Reading from the request body after returning from a handler is not
+		// allowed, and the RoundTrip goroutine that reads the Body can outlive
+		// this handler. This can lead to a crash if the handler panics (see
+		// Issue 46866). Although calling Close doesn't guarantee there isn't
+		// any Read in flight after the handle returns, in practice it's safe to
+		// read after closing it.
+		defer outreq.Body.Close()
+	}
+	if outreq.Header == nil {
+		outreq.Header = make(http.Header) // Issue 33142: historical behavior was to always allocate
+	}
+
+	// NOTE: removed
+	// if (p.Director != nil) == (p.Rewrite != nil) {
+	// 	p.errorHandler(rw, req, errors.New("ReverseProxy must have exactly one of Director or Rewrite set"))
+	// 	return
+	// }
+
+	// if p.Director != nil {
+	// 	p.Director(outreq)
+	// 	if outreq.Form != nil {
+	// 		outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
+	// 	}
+	// }
+	outreq.Close = false
+
+	reqUpType := upgradeType(outreq.Header)
+	if !IsPrint(reqUpType) {
+		p.errorHandler(rw, req, fmt.Errorf("client tried to switch to invalid protocol %q", reqUpType))
+		return
+	}
+	// NOTE: removed
+	// removeHopByHopHeaders(outreq.Header)
+
+	// Issue 21096: tell backend applications that care about trailer support
+	// that we support trailers. (We do, but we don't go out of our way to
+	// advertise that unless the incoming client request thought it was worth
+	// mentioning.) Note that we look at req.Header, not outreq.Header, since
+	// the latter has passed through removeHopByHopHeaders.
+	if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
+		outreq.Header.Set("Te", "trailers")
+	}
+
+	// After stripping all the hop-by-hop connection headers above, add back any
+	// necessary for protocol upgrades, such as for websockets.
+	if reqUpType != "" {
+		outreq.Header.Set("Connection", "Upgrade")
+		outreq.Header.Set("Upgrade", reqUpType)
+	}
+
+	// NOTE: removed
+	// if p.Rewrite != nil {
+	// Strip client-provided forwarding headers.
+	// The Rewrite func may use SetXForwarded to set new values
+	// for these or copy the previous values from the inbound request.
+	// outreq.Header.Del("Forwarded")
+	// outreq.Header.Del("X-Forwarded-For")
+	// outreq.Header.Del("X-Forwarded-Host")
+	// outreq.Header.Del("X-Forwarded-Proto")
+
+	// NOTE: removed
+	// Remove unparsable query parameters from the outbound request.
+	// outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
+
+	pr := &ProxyRequest{
+		In:  req,
+		Out: outreq,
+	}
+	pr.SetXForwarded() // NOTE: added
+	p.Rewrite(pr)
+	outreq = pr.Out
+	// NOTE: removed
+	// } else {
+	// 	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+	// 		// If we aren't the first proxy retain prior
+	// 		// X-Forwarded-For information as a comma+space
+	// 		// separated list and fold multiple headers into one.
+	// 		prior, ok := outreq.Header["X-Forwarded-For"]
+	// 		omit := ok && prior == nil // Issue 38079: nil now means don't populate the header
+	// 		if len(prior) > 0 {
+	// 			clientIP = strings.Join(prior, ", ") + ", " + clientIP
+	// 		}
+	// 		if !omit {
+	// 			outreq.Header.Set("X-Forwarded-For", clientIP)
+	// 		}
+	// 	}
+	// }
+
+	if _, ok := outreq.Header["User-Agent"]; !ok {
+		// If the outbound request doesn't have a User-Agent header set,
+		// don't send the default Go HTTP client User-Agent.
+		outreq.Header.Set("User-Agent", "")
+	}
+
+	trace := &httptrace.ClientTrace{
+		Got1xxResponse: func(code int, header textproto.MIMEHeader) error {
+			h := rw.Header()
+			// copyHeader(h, http.Header(header))
+			for k, vv := range header {
+				for _, v := range vv {
+					h.Add(k, v)
+				}
+			}
+			rw.WriteHeader(code)
+
+			// Clear headers, it's not automatically done by ResponseWriter.WriteHeader() for 1xx responses
+			clear(h)
+			return nil
+		},
+	}
+	outreq = outreq.WithContext(httptrace.WithClientTrace(outreq.Context(), trace))
+
+	res, err := transport.RoundTrip(outreq)
+	if err != nil {
+		p.errorHandler(rw, outreq, err)
+		return
+	}
+
+	// Deal with 101 Switching Protocols responses: (WebSocket, h2c, etc)
+	if res.StatusCode == http.StatusSwitchingProtocols {
+		if !p.modifyResponse(rw, res, outreq) {
+			return
+		}
+		p.handleUpgradeResponse(rw, outreq, res)
+		return
+	}
+
+	// NOTE: removed
+	// removeHopByHopHeaders(res.Header)
+
+	if !p.modifyResponse(rw, res, outreq) {
+		return
+	}
+
+	copyHeader(rw.Header(), res.Header)
+
+	// The "Trailer" header isn't included in the Transport's response,
+	// at least for *http.Transport. Build it up from Trailer.
+	announcedTrailers := len(res.Trailer)
+	if announcedTrailers > 0 {
+		trailerKeys := make([]string, 0, len(res.Trailer))
+		for k := range res.Trailer {
+			trailerKeys = append(trailerKeys, k)
+		}
+		rw.Header().Add("Trailer", strings.Join(trailerKeys, ", "))
+	}
+
+	rw.WriteHeader(res.StatusCode)
+
+	// NOTE: changing this line extremely improve throughput 
+	// err = p.copyResponse(rw, res.Body, p.flushInterval(res))
+	_, err = io.Copy(rw, res.Body)
+	if err != nil {
+		defer res.Body.Close()
+		// note: removed
+		// Since we're streaming the response, if we run into an error all we can do
+		// is abort the request. Issue 23643: ReverseProxy should use ErrAbortHandler
+		// on read error while copying body.
+		// if !shouldPanicOnCopyError(req) {
+		// 	p.logf("suppressing panic for copyResponse error in test; copy error: %v", err)
+		// 	return
+		// }
+		panic(http.ErrAbortHandler)
+	}
+	res.Body.Close() // close now, instead of defer, to populate res.Trailer
+
+	if len(res.Trailer) > 0 {
+		// Force chunking if we saw a response trailer.
+		// This prevents net/http from calculating the length for short
+		// bodies and adding a Content-Length.
+		http.NewResponseController(rw).Flush()
+	}
+
+	if len(res.Trailer) == announcedTrailers {
+		copyHeader(rw.Header(), res.Trailer)
+		return
+	}
+
+	for k, vv := range res.Trailer {
+		k = http.TrailerPrefix + k
+		for _, v := range vv {
+			rw.Header().Add(k, v)
+		}
+	}
+}
+
+// var inOurTests bool // whether we're in our own tests
+
+// NOTE: removed
+// shouldPanicOnCopyError reports whether the reverse proxy should
+// panic with http.ErrAbortHandler. This is the right thing to do by
+// default, but Go 1.10 and earlier did not, so existing unit tests
+// weren't expecting panics. Only panic in our own tests, or when
+// running under the HTTP server.
+// func shouldPanicOnCopyError(req *http.Request) bool {
+// 	if inOurTests {
+// 		// Our tests know to handle this panic.
+// 		return true
+// 	}
+// 	if req.Context().Value(http.ServerContextKey) != nil {
+// 		// We seem to be running under an HTTP server, so
+// 		// it'll recover the panic.
+// 		return true
+// 	}
+// 	// Otherwise act like Go 1.10 and earlier to not break
+// 	// existing tests.
+// 	return false
+// }
+
+// removeHopByHopHeaders removes hop-by-hop headers.
+//
+// func removeHopByHopHeaders(h http.Header) {
+// 	// RFC 7230, section 6.1: Remove headers listed in the "Connection" header.
+// 	for _, f := range h["Connection"] {
+// 		for _, sf := range strings.Split(f, ",") {
+// 			if sf = textproto.TrimString(sf); sf != "" {
+// 				h.Del(sf)
+// 			}
+// 		}
+// 	}
+// 	// RFC 2616, section 13.5.1: Remove a set of known hop-by-hop headers.
+// 	// This behavior is superseded by the RFC 7230 Connection header, but
+// 	// preserve it for backwards compatibility.
+// 	for _, f := range hopHeaders {
+// 		h.Del(f)
+// 	}
+// }
+
+// NOTE: removed
+// flushInterval returns the p.FlushInterval value, conditionally
+// overriding its value for a specific request/response.
+// func (p *ReverseProxy) flushInterval(res *http.Response) time.Duration {
+// 	resCT := res.Header.Get("Content-Type")
+
+// 	// For Server-Sent Events responses, flush immediately.
+// 	// The MIME type is defined in https://www.w3.org/TR/eventsource/#text-event-stream
+// 	if baseCT, _, _ := mime.ParseMediaType(resCT); baseCT == "text/event-stream" {
+// 		return -1 // negative means immediately
+// 	}
+
+// 	// We might have the case of streaming for which Content-Length might be unset.
+// 	if res.ContentLength == -1 {
+// 		return -1
+// 	}
+
+// 	return p.FlushInterval
+// }
+
+// NOTE: removed
+// func (p *ReverseProxy) copyResponse(dst http.ResponseWriter, src io.Reader, flushInterval time.Duration) error {
+// 	var w io.Writer = dst
+
+// 	if flushInterval != 0 {
+// 		mlw := &maxLatencyWriter{
+// 			dst:     dst,
+// 			flush:   http.NewResponseController(dst).Flush,
+// 			latency: flushInterval,
+// 		}
+// 		defer mlw.stop()
+
+// 		// set up initial timer so headers get flushed even if body writes are delayed
+// 		mlw.flushPending = true
+// 		mlw.t = time.AfterFunc(flushInterval, mlw.delayedFlush)
+
+// 		w = mlw
+// 	}
+
+// 	var buf []byte
+// 	if p.BufferPool != nil {
+// 		buf = p.BufferPool.Get()
+// 		defer p.BufferPool.Put(buf)
+// 	}
+// 	_, err := p.copyBuffer(w, src, buf)
+// 	return err
+// }
+
+// copyBuffer returns any write errors or non-EOF read errors, and the amount
+// of bytes written.
+
+// NOTE: removed
+// func (p *ReverseProxy) copyBuffer(dst io.Writer, src io.Reader, buf []byte) (int64, error) {
+// 	if len(buf) == 0 {
+// 		buf = make([]byte, 32*1024)
+// 	}
+// 	var written int64
+// 	for {
+// 		nr, rerr := src.Read(buf)
+// 		if rerr != nil && rerr != io.EOF && rerr != context.Canceled {
+// 			p.logf("httputil: ReverseProxy read error during body copy: %v", rerr)
+// 		}
+// 		if nr > 0 {
+// 			nw, werr := dst.Write(buf[:nr])
+// 			if nw > 0 {
+// 				written += int64(nw)
+// 			}
+// 			if werr != nil {
+// 				return written, werr
+// 			}
+// 			if nr != nw {
+// 				return written, io.ErrShortWrite
+// 			}
+// 		}
+// 		if rerr != nil {
+// 			if rerr == io.EOF {
+// 				rerr = nil
+// 			}
+// 			return written, rerr
+// 		}
+// 	}
+// }
+
+func (p *ReverseProxy) logf(format string, args ...any) {
+	if p.ErrorLog != nil {
+		p.ErrorLog.Printf(format, args...)
+	} else {
+		hrlog.Printf(format, args...)
+	}
+}
+
+// NOTE: removed
+// type maxLatencyWriter struct {
+// 	dst     io.Writer
+// 	flush   func() error
+// 	latency time.Duration // non-zero; negative means to flush immediately
+
+// 	mu           sync.Mutex // protects t, flushPending, and dst.Flush
+// 	t            *time.Timer
+// 	flushPending bool
+// }
+
+// NOTE: removed
+// func (m *maxLatencyWriter) Write(p []byte) (n int, err error) {
+// 	m.mu.Lock()
+// 	defer m.mu.Unlock()
+// 	n, err = m.dst.Write(p)
+// 	if m.latency < 0 {
+// 		m.flush()
+// 		return
+// 	}
+// 	if m.flushPending {
+// 		return
+// 	}
+// 	if m.t == nil {
+// 		m.t = time.AfterFunc(m.latency, m.delayedFlush)
+// 	} else {
+// 		m.t.Reset(m.latency)
+// 	}
+// 	m.flushPending = true
+// 	return
+// }
+
+// func (m *maxLatencyWriter) delayedFlush() {
+// 	m.mu.Lock()
+// 	defer m.mu.Unlock()
+// 	if !m.flushPending { // if stop was called but AfterFunc already started this goroutine
+// 		return
+// 	}
+// 	m.flush()
+// 	m.flushPending = false
+// }
+
+// func (m *maxLatencyWriter) stop() {
+// 	m.mu.Lock()
+// 	defer m.mu.Unlock()
+// 	m.flushPending = false
+// 	if m.t != nil {
+// 		m.t.Stop()
+// 	}
+// }
+
+func upgradeType(h http.Header) string {
+	if !httpguts.HeaderValuesContainsToken(h["Connection"], "Upgrade") {
+		return ""
+	}
+	return h.Get("Upgrade")
+}
+
+func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.Request, res *http.Response) {
+	reqUpType := upgradeType(req.Header)
+	resUpType := upgradeType(res.Header)
+	if !IsPrint(resUpType) { // We know reqUpType is ASCII, it's checked by the caller.
+		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch to invalid protocol %q", resUpType))
+	}
+	if !strings.EqualFold(reqUpType, resUpType) {
+		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch protocol %q when %q was requested", resUpType, reqUpType))
+		return
+	}
+
+	backConn, ok := res.Body.(io.ReadWriteCloser)
+	if !ok {
+		p.errorHandler(rw, req, fmt.Errorf("internal error: 101 switching protocols response with non-writable body"))
+		return
+	}
+
+	rc := http.NewResponseController(rw)
+	conn, brw, hijackErr := rc.Hijack()
+	if errors.Is(hijackErr, http.ErrNotSupported) {
+		p.errorHandler(rw, req, fmt.Errorf("can't switch protocols using non-Hijacker ResponseWriter type %T", rw))
+		return
+	}
+
+	backConnCloseCh := make(chan bool)
+	go func() {
+		// Ensure that the cancellation of a request closes the backend.
+		// See issue https://golang.org/issue/35559.
+		select {
+		case <-req.Context().Done():
+		case <-backConnCloseCh:
+		}
+		backConn.Close()
+	}()
+	defer close(backConnCloseCh)
+
+	if hijackErr != nil {
+		p.errorHandler(rw, req, fmt.Errorf("hijack failed on protocol switch: %v", hijackErr))
+		return
+	}
+	defer conn.Close()
+
+	copyHeader(rw.Header(), res.Header)
+
+	res.Header = rw.Header()
+	res.Body = nil // so res.Write only writes the headers; we have res.Body in backConn above
+	if err := res.Write(brw); err != nil {
+		p.errorHandler(rw, req, fmt.Errorf("response write: %v", err))
+		return
+	}
+	if err := brw.Flush(); err != nil {
+		p.errorHandler(rw, req, fmt.Errorf("response flush: %v", err))
+		return
+	}
+	errc := make(chan error, 1)
+	// NOTE: removed
+	// spc := switchProtocolCopier{user: conn, backend: backConn}
+	// go spc.copyToBackend(errc)
+	// go spc.copyFromBackend(errc)
+	go func() {
+		_, err := io.Copy(conn, backConn)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(backConn, conn)
+		errc <- err
+	}()
+	<-errc
+}
+
+// NOTE: removed
+// switchProtocolCopier exists so goroutines proxying data back and
+// forth have nice names in stacks.
+// type switchProtocolCopier struct {
+// 	user, backend io.ReadWriter
+// }
+
+// func (c switchProtocolCopier) copyFromBackend(errc chan<- error) {
+// 	_, err := io.Copy(c.user, c.backend)
+// 	errc <- err
+// }
+
+// func (c switchProtocolCopier) copyToBackend(errc chan<- error) {
+// 	_, err := io.Copy(c.backend, c.user)
+// 	errc <- err
+// }
+
+// NOTE: removed
+// func cleanQueryParams(s string) string {
+// 	reencode := func(s string) string {
+// 		v, _ := url.ParseQuery(s)
+// 		return v.Encode()
+// 	}
+// 	for i := 0; i < len(s); {
+// 		switch s[i] {
+// 		case ';':
+// 			return reencode(s)
+// 		case '%':
+// 			if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
+// 				return reencode(s)
+// 			}
+// 			i += 3
+// 		default:
+// 			i++
+// 		}
+// 	}
+// 	return s
+// }
+
+// func ishex(c byte) bool {
+// 	switch {
+// 	case '0' <= c && c <= '9':
+// 		return true
+// 	case 'a' <= c && c <= 'f':
+// 		return true
+// 	case 'A' <= c && c <= 'F':
+// 		return true
+// 	}
+// 	return false
+// }
+
+func IsPrint(s string) bool {
+	for i := 0; i < len(s); i++ {
+		if s[i] < ' ' || s[i] > '~' {
+			return false
+		}
+	}
+	return true
+}

src/go-proxy/loggers.go

@@ -0,0 +1,11 @@
+package main
+
+import "github.com/sirupsen/logrus"
+
+var palog = logrus.WithField("component", "panel")
+var prlog = logrus.WithField("component", "provider")
+var cfgl = logrus.WithField("component", "config")
+var hrlog = logrus.WithField("component", "http_proxy")
+var srlog = logrus.WithField("component", "stream")
+var wlog = logrus.WithField("component", "watcher")
+var aclog = logrus.WithField("component", "autocert")

src/go-proxy/main.go

@@ -1,84 +1,95 @@
 package main
 
 import (
-	"flag"
 	"net/http"
+	"os"
+	"os/signal"
 	"runtime"
-	"time"
+	"syscall"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/client"
-	"github.com/golang/glog"
-	"golang.org/x/net/context"
+	"github.com/sirupsen/logrus"
 )
 
 func main() {
-	var err error
-	flag.Parse()
+	// flag.Parse()
 	runtime.GOMAXPROCS(runtime.NumCPU())
-	time.Now().Zone()
 
-	dockerClient, err = client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	logrus.SetFormatter(&logrus.TextFormatter{
+		ForceColors:   true,
+		DisableColors: false,
+		FullTimestamp: true,
+	})
+
+	cfg := NewConfig()
+	cfg.MustLoad()
+
+	autoCertProvider, err := cfg.GetAutoCertProvider()
+
 	if err != nil {
-		glog.Fatal(err)
+		aclog.Warn(err)
+		autoCertProvider = nil
 	}
 
-	buildRoutes()
-	glog.Infof("[Build] built %v reverse proxies", CountRoutes())
-	BeginListenStreams()
+	var httpProxyHandler http.Handler
+	var httpPanelHandler http.Handler
 
-	go func() {
-		filter := filters.NewArgs(
-			filters.Arg("type", "container"),
-			filters.Arg("event", "start"),
-			filters.Arg("event", "die"), // stop seems like triggering die
-			// filters.Arg("event", "stop"),
-		)
-		msgChan, errChan := dockerClient.Events(context.Background(), types.EventsOptions{Filters: filter})
+	var proxyServer *Server
+	var panelServer *Server
 
-		for {
-			select {
-			case msg := <-msgChan:
-				// TODO: handle actor only
-				glog.Infof("[Event] %s %s caused rebuild", msg.Action, msg.Actor.Attributes["name"])
-				EndListenStreams()
-				buildRoutes()
-				glog.Infof("[Build] rebuilt %v reverse proxies", CountRoutes())
-				BeginListenStreams()
-			case err := <-errChan:
-				glog.Infof("[Event] %s", err)
-				msgChan, errChan = dockerClient.Events(context.Background(), types.EventsOptions{Filters: filter})
+	if redirectHTTP {
+		httpProxyHandler = http.HandlerFunc(redirectToTLSHandler)
+		httpPanelHandler = http.HandlerFunc(redirectToTLSHandler)
+	} else {
+		httpProxyHandler = http.HandlerFunc(proxyHandler)
+		httpPanelHandler = http.HandlerFunc(panelHandler)
+	}
+
+	if autoCertProvider != nil {
+		ok := autoCertProvider.LoadCert()
+		if !ok {
+			err := autoCertProvider.ObtainCert()
+			if err != nil {
+				aclog.Fatal("error obtaining certificate ", err)
 			}
 		}
-	}()
-
-	go func() {
-		for range time.Tick(100 * time.Millisecond) {
-			glog.Flush()
-		}
-	}()
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", httpProxyHandler)
-
-	go func() {
-		glog.Infoln("Starting HTTP server on port 80")
-		err := http.ListenAndServe(":80", http.HandlerFunc(redirectToTLS))
-		if err != nil {
-			glog.Fatal("HTTP server error", err)
-		}
-	}()
-	go func() {
-		glog.Infoln("Starting HTTPS panel on port 8443")
-		err := http.ListenAndServeTLS(":8443", "/certs/cert.crt", "/certs/priv.key", http.HandlerFunc(panelHandler))
-		if err != nil {
-			glog.Fatal("HTTP server error", err)
-		}
-	}()
-	glog.Infoln("Starting HTTPS server on port 443")
-	err = http.ListenAndServeTLS(":443", "/certs/cert.crt", "/certs/priv.key", mux)
-	if err != nil {
-		glog.Fatal("HTTPS Server error: ", err)
+		aclog.Infof("certificate will be expired at %v and get renewed", autoCertProvider.GetExpiry())
 	}
+	proxyServer = NewServer(
+		"proxy",
+		autoCertProvider,
+		":80",
+		httpProxyHandler,
+		":443",
+		http.HandlerFunc(proxyHandler),
+	)
+	panelServer = NewServer(
+		"panel",
+		autoCertProvider,
+		":8080",
+		httpPanelHandler,
+		":8443",
+		http.HandlerFunc(panelHandler),
+	)
+
+	proxyServer.Start()
+	panelServer.Start()
+
+	InitFSWatcher()
+	InitDockerWatcher()
+
+	cfg.StartProviders()
+	cfg.WatchChanges()
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGINT)
+	signal.Notify(sig, syscall.SIGTERM)
+	signal.Notify(sig, syscall.SIGHUP)
+
+	<-sig
+	cfg.StopWatching()
+	StopFSWatcher()
+	StopDockerWatcher()
+	cfg.StopProviders()
+	panelServer.Stop()
+	proxyServer.Stop()
 }

src/go-proxy/map.go

@@ -2,11 +2,19 @@ package main
 
 import "sync"
 
-type SafeMapInterface[KT comparable, VT interface{}] interface {
+type safeMap[KT comparable, VT interface{}] struct {
+	SafeMap[KT, VT]
+	m              map[KT]VT
+	mutex          sync.Mutex
+	defaultFactory func() VT
+}
+
+type SafeMap[KT comparable, VT interface{}] interface {
 	Set(key KT, value VT)
 	Ensure(key KT)
 	Get(key KT) VT
-	TryGet(key KT) (VT, bool)
+	UnsafeGet(key KT) (VT, bool)
+	Delete(key KT)
 	Clear()
 	Size() int
 	Contains(key KT) bool
@@ -14,32 +22,25 @@ type SafeMapInterface[KT comparable, VT interface{}] interface {
 	Iterator() map[KT]VT
 }
 
-type SafeMap[KT comparable, VT interface{}] struct {
-	SafeMapInterface[KT, VT]
-	m              map[KT]VT
-	mutex          sync.Mutex
-	defaultFactory func() VT
-}
-
-func NewSafeMap[KT comparable, VT interface{}](df ...func() VT) *SafeMap[KT, VT] {
+func NewSafeMap[KT comparable, VT interface{}](df ...func() VT) SafeMap[KT, VT] {
 	if len(df) == 0 {
-		return &SafeMap[KT, VT]{
+		return &safeMap[KT, VT]{
 			m: make(map[KT]VT),
 		}
 	}
-	return &SafeMap[KT, VT]{
+	return &safeMap[KT, VT]{
 		m:              make(map[KT]VT),
 		defaultFactory: df[0],
 	}
 }
 
-func (m *SafeMap[KT, VT]) Set(key KT, value VT) {
+func (m *safeMap[KT, VT]) Set(key KT, value VT) {
 	m.mutex.Lock()
 	m.m[key] = value
 	m.mutex.Unlock()
 }
 
-func (m *SafeMap[KT, VT]) Ensure(key KT) {
+func (m *safeMap[KT, VT]) Ensure(key KT) {
 	m.mutex.Lock()
 	if _, ok := m.m[key]; !ok {
 		m.m[key] = m.defaultFactory()
@@ -47,39 +48,45 @@ func (m *SafeMap[KT, VT]) Ensure(key KT) {
 	m.mutex.Unlock()
 }
 
-func (m *SafeMap[KT, VT]) Get(key KT) VT {
+func (m *safeMap[KT, VT]) Get(key KT) VT {
 	m.mutex.Lock()
 	value := m.m[key]
 	m.mutex.Unlock()
 	return value
 }
 
-func (m *SafeMap[KT, VT]) UnsafeGet(key KT) (VT, bool) {
+func (m *safeMap[KT, VT]) UnsafeGet(key KT) (VT, bool) {
 	value, ok := m.m[key]
 	return value, ok
 }
 
-func (m *SafeMap[KT, VT]) Clear() {
+func (m *safeMap[KT, VT]) Delete(key KT) {
+	m.mutex.Lock()
+	delete(m.m, key)
+	m.mutex.Unlock()
+}
+
+func (m *safeMap[KT, VT]) Clear() {
 	m.mutex.Lock()
 	m.m = make(map[KT]VT)
 	m.mutex.Unlock()
 }
 
-func (m *SafeMap[KT, VT]) Size() int {
+func (m *safeMap[KT, VT]) Size() int {
 	m.mutex.Lock()
 	size := len(m.m)
 	m.mutex.Unlock()
 	return size
 }
 
-func (m *SafeMap[KT, VT]) Contains(key KT) bool {
+func (m *safeMap[KT, VT]) Contains(key KT) bool {
 	m.mutex.Lock()
 	_, ok := m.m[key]
 	m.mutex.Unlock()
 	return ok
 }
 
-func (m *SafeMap[KT, VT]) ForEach(fn func(key KT, value VT)) {
+func (m *safeMap[KT, VT]) ForEach(fn func(key KT, value VT)) {
 	m.mutex.Lock()
 	for k, v := range m.m {
 		fn(k, v)
@@ -87,6 +94,6 @@ func (m *SafeMap[KT, VT]) ForEach(fn func(key KT, value VT)) {
 	m.mutex.Unlock()
 }
 
-func (m *SafeMap[KT, VT]) Iterator() map[KT]VT {
+func (m *safeMap[KT, VT]) Iterator() map[KT]VT {
 	return m.m
 }

src/go-proxy/panel.go

@@ -6,8 +6,6 @@ import (
 	"net/http"
 	"net/url"
 	"time"
-
-	"github.com/golang/glog"
 )
 
 var healthCheckHttpClient = &http.Client{
@@ -32,6 +30,7 @@ func panelHandler(w http.ResponseWriter, r *http.Request) {
 		panelCheckTargetHealth(w, r)
 		return
 	default:
+		palog.Errorf("%s not found", r.URL.Path)
 		http.NotFound(w, r)
 		return
 	}
@@ -39,26 +38,36 @@ func panelHandler(w http.ResponseWriter, r *http.Request) {
 
 func panelIndex(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 
-	tmpl, err := template.ParseFiles(templateFile)
+	tmpl, err := template.ParseFiles(templatePath)
 
 	if err != nil {
+		palog.Error(err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
-	err = tmpl.Execute(w, &routes)
+	type allRoutes struct {
+		HTTPRoutes   HTTPRoutes
+		StreamRoutes StreamRoutes
+	}
+
+	err = tmpl.Execute(w, allRoutes{
+		HTTPRoutes:   httpRoutes,
+		StreamRoutes: streamRoutes,
+	})
 	if err != nil {
+		palog.Error(err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 }
 
 func panelCheckTargetHealth(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodHead {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 
@@ -71,7 +80,7 @@ func panelCheckTargetHealth(w http.ResponseWriter, r *http.Request) {
 
 	url, err := url.Parse(targetUrl)
 	if err != nil {
-		glog.Infof("[Panel] failed to parse %s, error: %v", targetUrl, err)
+		palog.Infof("failed to parse url %q, error: %v", targetUrl, err)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}

src/go-proxy/path_pool_map.go

@@ -6,11 +6,11 @@ import (
 )
 
 type pathPoolMap struct {
-	*SafeMap[string, *httpLoadBalancePool]
+	SafeMap[string, *httpLoadBalancePool]
 }
 
-func newPathPoolMap() pathPoolMap {
-	return pathPoolMap{
+func newPathPoolMap() *pathPoolMap {
+	return &pathPoolMap{
 		NewSafeMap[string](NewHTTPLoadBalancePool),
 	}
 }
@@ -21,7 +21,7 @@ func (m pathPoolMap) Add(path string, route *HTTPRoute) {
 }
 
 func (m pathPoolMap) FindMatch(pathGot string) (*HTTPRoute, error) {
-	for pathWant, v := range m.m {
+	for pathWant, v := range m.Iterator() {
 		if strings.HasPrefix(pathGot, pathWant) {
 			return v.Pick(), nil
 		}

src/go-proxy/provider.go

@@ -0,0 +1,101 @@
+package main
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/sirupsen/logrus"
+)
+
+type Provider struct {
+	Kind  string // docker, file
+	Value string
+
+	watcher Watcher
+	routes  map[string]Route // id -> Route
+	mutex   sync.Mutex
+	l       logrus.FieldLogger
+}
+
+// Init is called after LoadProxyConfig
+func (p *Provider) Init(name string) error {
+	p.l = prlog.WithFields(logrus.Fields{"kind": p.Kind, "name": name})
+
+	if err := p.loadProxyConfig(); err != nil {
+		return err
+	}
+
+	p.initWatcher()
+	return nil
+}
+
+func (p *Provider) StartAllRoutes() {
+	ParallelForEachValue(p.routes, Route.Start)
+	p.watcher.Start()
+}
+
+func (p *Provider) StopAllRoutes() {
+	p.watcher.Stop()
+	ParallelForEachValue(p.routes, Route.Stop)
+	p.routes = make(map[string]Route)
+}
+
+func (p *Provider) ReloadRoutes() {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+
+	p.StopAllRoutes()
+	err := p.loadProxyConfig()
+	if err != nil {
+		p.l.Error("failed to reload routes: ", err)
+		return
+	}
+	p.StartAllRoutes()
+}
+
+func (p *Provider) loadProxyConfig() error {
+	var cfgs []*ProxyConfig
+	var err error
+
+	switch p.Kind {
+	case ProviderKind_Docker:
+		cfgs, err = p.getDockerProxyConfigs()
+	case ProviderKind_File:
+		cfgs, err = p.getFileProxyConfigs()
+	default:
+		// this line should never be reached
+		return fmt.Errorf("unknown provider kind")
+	}
+
+	if err != nil {
+		return err
+	}
+	p.l.Infof("loaded %d proxy configurations", len(cfgs))
+
+	p.routes = make(map[string]Route, len(cfgs))
+	for _, cfg := range cfgs {
+		r, err := NewRoute(cfg)
+		if err != nil {
+			p.l.Errorf("error creating route %s: %v", cfg.Alias, err)
+			continue
+		}
+		p.routes[cfg.GetID()] = r
+	}
+
+	return nil
+}
+
+func (p *Provider) initWatcher() error {
+	switch p.Kind {
+	case ProviderKind_Docker:
+		var err error
+		dockerClient, err := p.getDockerClient()
+		if err != nil {
+			return fmt.Errorf("unable to create docker client: %v", err)
+		}
+		p.watcher = NewDockerWatcher(dockerClient, p.ReloadRoutes)
+	case ProviderKind_File:
+		p.watcher = NewFileWatcher(p.Value, p.ReloadRoutes, p.StopAllRoutes)
+	}
+	return nil
+}

src/go-proxy/proxy_config.go

@@ -3,20 +3,41 @@ package main
 import "fmt"
 
 type ProxyConfig struct {
-	id          string
 	Alias       string
 	Scheme      string
 	Host        string
 	Port        string
-	LoadBalance string
+	LoadBalance string // docker provider only
+	NoTLSVerify bool   // http proxy only
 	Path        string // http proxy only
-	PathMode    string // http proxy only
+	PathMode    string `yaml:"path_mode"` // http proxy only
+
+	provider *Provider
 }
 
-func NewProxyConfig() ProxyConfig {
-	return ProxyConfig{}
+func NewProxyConfig(provider *Provider) ProxyConfig {
+	return ProxyConfig{
+		provider: provider,
+	}
 }
 
-func (cfg *ProxyConfig) UpdateId() {
-	cfg.id = fmt.Sprintf("%s-%s-%s-%s-%s", cfg.Alias, cfg.Scheme, cfg.Host, cfg.Port, cfg.Path)
+// used by `GetFileProxyConfigs`
+func (cfg *ProxyConfig) SetDefaults() error {
+	if cfg.Alias == "" {
+		return fmt.Errorf("alias is required")
+	}
+	if cfg.Scheme == "" {
+		cfg.Scheme = "http"
+	}
+	if cfg.Host == "" {
+		return fmt.Errorf("host is required for %q", cfg.Alias)
+	}
+	if cfg.Port == "" {
+		cfg.Port = "80"
+	}
+	return nil
+}
+
+func (cfg *ProxyConfig) GetID() string {
+	return fmt.Sprintf("%s-%s-%s-%s-%s", cfg.Alias, cfg.Scheme, cfg.Host, cfg.Port, cfg.Path)
 }

src/go-proxy/route.go

@@ -1,66 +1,56 @@
 package main
 
 import (
-	"sync"
-
-	"github.com/golang/glog"
+	"fmt"
 )
 
-type Routes struct {
-	HTTPRoutes   *SafeMap[string, pathPoolMap] // id -> (path -> routes)
-	StreamRoutes *SafeMap[string, StreamRoute] // id -> target
-	Mutex        sync.Mutex
+type Route interface {
+	Start()
+	Stop()
 }
 
-var routes = Routes{}
-
-func isValidScheme(scheme string) bool {
-	for _, v := range ValidSchemes {
-		if v == scheme {
-			return true
+func NewRoute(cfg *ProxyConfig) (Route, error) {
+	if isStreamScheme(cfg.Scheme) {
+		id := cfg.GetID()
+		if streamRoutes.Contains(id) {
+			return nil, fmt.Errorf("duplicated %s stream %s, ignoring", cfg.Scheme, id)
 		}
-	}
-	return false
-}
-
-func isStreamScheme(scheme string) bool {
-	for _, v := range StreamSchemes {
-		if v == scheme {
-			return true
-		}
-	}
-	return false
-}
-
-func InitRoutes() {
-	utils.resetPortsInUse()
-	routes.HTTPRoutes = NewSafeMap[string](newPathPoolMap)
-	routes.StreamRoutes = NewSafeMap[string, StreamRoute]()
-}
-
-func CountRoutes() int {
-	return routes.HTTPRoutes.Size() + routes.StreamRoutes.Size()
-}
-
-func CreateRoute(config *ProxyConfig) {
-	if isStreamScheme(config.Scheme) {
-		if routes.StreamRoutes.Contains(config.id) {
-			glog.Infof("[Build] Duplicated %s stream %s, ignoring", config.Scheme, config.id)
-			return
-		}
-		route, err := NewStreamRoute(config)
+		route, err := NewStreamRoute(cfg)
 		if err != nil {
-			glog.Infoln(err)
-			return
+			return nil, err
 		}
-		routes.StreamRoutes.Set(config.id, route)
+		streamRoutes.Set(id, route)
+		return route, nil
 	} else {
-		routes.HTTPRoutes.Ensure(config.Alias)
-		route, err := NewHTTPRoute(config)
+		httpRoutes.Ensure(cfg.Alias)
+		route, err := NewHTTPRoute(cfg)
 		if err != nil {
-			glog.Infoln(err)
-			return
+			return nil, err
 		}
-		routes.HTTPRoutes.Get(config.Alias).Add(config.Path, route)
+		httpRoutes.Get(cfg.Alias).Add(cfg.Path, route)
+		return route, nil
 	}
 }
+
+func isValidScheme(s string) bool {
+	for _, v := range ValidSchemes {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
+
+func isStreamScheme(s string) bool {
+	for _, v := range StreamSchemes {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
+
+// id    -> target
+type StreamRoutes = SafeMap[string, StreamRoute]
+
+var streamRoutes = NewSafeMap[string, StreamRoute]()

src/go-proxy/server.go

@@ -0,0 +1,97 @@
+package main
+
+import (
+	"crypto/tls"
+	"net/http"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/context"
+)
+
+type Server struct {
+	Name         string
+	KeyFile      string
+	CertFile     string
+	CertProvider AutoCertProvider
+	http         *http.Server
+	https        *http.Server
+	httpStarted  bool
+	httpsStarted bool
+}
+
+func NewServer(name string, provider AutoCertProvider, httpAddr string, httpHandler http.Handler, httpsAddr string, httpsHandler http.Handler) *Server {
+	if provider != nil {
+		return &Server{
+			Name:         name,
+			CertProvider: provider,
+			http: &http.Server{
+				Addr:    httpAddr,
+				Handler: httpHandler,
+			},
+			https: &http.Server{
+				Addr:    httpsAddr,
+				Handler: httpsHandler,
+				TLSConfig: &tls.Config{
+					GetCertificate: provider.GetCert,
+				},
+			},
+		}
+	}
+	return &Server{
+		Name:     name,
+		KeyFile:  keyFileDefault,
+		CertFile: certFileDefault,
+		http: &http.Server{
+			Addr:    httpAddr,
+			Handler: httpHandler,
+		},
+		https: &http.Server{
+			Addr:    httpsAddr,
+			Handler: httpsHandler,
+		},
+	}
+}
+
+func (s *Server) Start() {
+	if s.http != nil {
+		s.httpStarted = true
+		logrus.Printf("starting http %s server on %s", s.Name, s.http.Addr)
+		go func() {
+			err := s.http.ListenAndServe()
+			s.handleErr("http", err)
+		}()
+	}
+
+	if s.https != nil && (s.CertProvider != nil || utils.fileOK(s.CertFile) && utils.fileOK(s.KeyFile)) {
+		s.httpsStarted = true
+		logrus.Printf("starting https %s server on %s", s.Name, s.https.Addr)
+		go func() {
+			err := s.https.ListenAndServeTLS(s.CertFile, s.KeyFile)
+			s.handleErr("https", err)
+		}()
+	}
+}
+
+func (s *Server) Stop() {
+	ctx, _ := context.WithTimeout(context.Background(), 3*time.Second)
+
+	if s.httpStarted {
+		errHTTP := s.http.Shutdown(ctx)
+		s.handleErr("http", errHTTP)
+	}
+
+	if s.httpsStarted {
+		errHTTPS := s.https.Shutdown(ctx)
+		s.handleErr("https", errHTTPS)
+	}
+}
+
+func (s *Server) handleErr(scheme string, err error) {
+	switch err {
+	case nil, http.ErrServerClosed:
+		return
+	default:
+		logrus.Fatalf("failed to start %s %s server: %v", scheme, s.Name, err)
+	}
+}

src/go-proxy/stream_route.go

@@ -8,20 +8,18 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/sirupsen/logrus"
 )
 
 type StreamRoute interface {
-	SetupListen()
-	Listen()
-	StopListening()
-	Logf(string, ...interface{})
-	PrintError(error)
+	Route
 	ListeningUrl() string
 	TargetUrl() string
+	Logger() logrus.FieldLogger
 
 	closeListeners()
 	closeChannel()
+	unmarkPort()
 	wait()
 }
 
@@ -29,17 +27,19 @@ type StreamRouteBase struct {
 	Alias           string // to show in panel
 	Type            string
 	ListeningScheme string
-	ListeningPort   string
+	ListeningPort   int
 	TargetScheme    string
 	TargetHost      string
-	TargetPort      string
+	TargetPort      int
 
+	id        string
 	wg        sync.WaitGroup
 	stopChann chan struct{}
+	l         logrus.FieldLogger
 }
 
 func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
-	var streamType string = TCPStreamType
+	var streamType string = StreamType_TCP
 	var srcPort string
 	var dstPort string
 	var srcScheme string
@@ -47,8 +47,7 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
 
 	port_split := strings.Split(config.Port, ":")
 	if len(port_split) != 2 {
-		glog.Infof(`[Build] %s: Invalid stream port %s, `+
-			`assuming it's targetPort`, config.Alias, config.Port)
+		cfgl.Warnf("invalid port %s, assuming it is target port", config.Port)
 		srcPort = "0"
 		dstPort = config.Port
 	} else {
@@ -56,26 +55,23 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
 		dstPort = port_split[1]
 	}
 
-	port, hasName := NamePortMap[dstPort]
-	if hasName {
+	if port, hasName := NamePortMap[dstPort]; hasName {
 		dstPort = port
 	}
 
 	srcPortInt, err := strconv.Atoi(srcPort)
 	if err != nil {
 		return nil, fmt.Errorf(
-			"[Build] %s: Unrecognized stream source port %s, ignoring",
-			config.Alias, srcPort,
+			"invalid stream source port %s, ignoring", srcPort,
 		)
 	}
 
 	utils.markPortInUse(srcPortInt)
 
-	_, err = strconv.Atoi(dstPort)
+	dstPortInt, err := strconv.Atoi(dstPort)
 	if err != nil {
 		return nil, fmt.Errorf(
-			"[Build] %s: Unrecognized stream target port %s, ignoring",
-			config.Alias, dstPort,
+			"invalid stream target port %s, ignoring", dstPort,
 		)
 	}
 
@@ -93,69 +89,57 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
 		Alias:           config.Alias,
 		Type:            streamType,
 		ListeningScheme: srcScheme,
-		ListeningPort:   srcPort,
+		ListeningPort:   srcPortInt,
 		TargetScheme:    dstScheme,
 		TargetHost:      config.Host,
-		TargetPort:      dstPort,
+		TargetPort:      dstPortInt,
 
+		id:        config.GetID(),
 		wg:        sync.WaitGroup{},
-		stopChann: make(chan struct{}),
+		stopChann: make(chan struct{}, 1),
+		l: srlog.WithFields(logrus.Fields{
+			"alias": config.Alias,
+			"src":   fmt.Sprintf("%s://:%d", srcScheme, srcPortInt),
+			"dst":   fmt.Sprintf("%s://%s:%d", dstScheme, config.Host, dstPortInt),
+		}),
 	}, nil
 }
 
 func NewStreamRoute(config *ProxyConfig) (StreamRoute, error) {
 	switch config.Scheme {
-	case TCPStreamType:
+	case StreamType_TCP:
 		return NewTCPRoute(config)
-	case UDPStreamType:
+	case StreamType_UDP:
 		return NewUDPRoute(config)
 	default:
 		return nil, errors.New("unknown stream type")
 	}
 }
 
-func (route *StreamRouteBase) PrintError(err error) {
-	if err == nil {
-		return
-	}
-	glog.Errorf("[%s -> %s] %s: %v",
-		route.ListeningScheme,
-		route.TargetScheme,
-		route.Alias,
-		err,
-	)
-}
-
-func (route *StreamRouteBase) Logf(format string, v ...interface{}) {
-	glog.Infof("[%s -> %s] %s: "+format,
-		append([]interface{}{
-			route.ListeningScheme,
-			route.TargetScheme,
-			route.Alias},
-			v...,
-		)...,
-	)
-}
-
 func (route *StreamRouteBase) ListeningUrl() string {
-	return fmt.Sprintf("%s:%s", route.ListeningScheme, route.ListeningPort)
+	return fmt.Sprintf("%s:%v", route.ListeningScheme, route.ListeningPort)
 }
 
 func (route *StreamRouteBase) TargetUrl() string {
-	return fmt.Sprintf("%s://%s:%s", route.TargetScheme, route.TargetHost, route.TargetPort)
+	return fmt.Sprintf("%s://%s:%v", route.TargetScheme, route.TargetHost, route.TargetPort)
 }
 
-func (route *StreamRouteBase) SetupListen() {
-	if route.ListeningPort == "0" {
+func (route *StreamRouteBase) Logger() logrus.FieldLogger {
+	return route.l
+}
+
+func (route *StreamRouteBase) setupListen() {
+	if route.ListeningPort == 0 {
 		freePort, err := utils.findUseFreePort(20000)
 		if err != nil {
-			route.PrintError(err)
+			route.l.Error(err)
 			return
 		}
-		route.ListeningPort = fmt.Sprintf("%d", freePort)
-		route.Logf("Assigned free port %s", route.ListeningPort)
+		route.ListeningPort = freePort
+		route.l.Info("listening on free port ", route.ListeningPort)
+		return
 	}
-	route.Logf("Listening on %s", route.ListeningUrl())
+	route.l.Info("listening on ", route.ListeningUrl())
 }
 
 func (route *StreamRouteBase) wait() {
@@ -166,51 +150,32 @@ func (route *StreamRouteBase) closeChannel() {
 	close(route.stopChann)
 }
 
+func (route *StreamRouteBase) unmarkPort() {
+	utils.unmarkPortInUse(route.ListeningPort)
+}
+
 func stopListening(route StreamRoute) {
-	route.Logf("Stopping listening")
+	l := route.Logger()
+	l.Debug("stopping listening")
+
+	// close channel -> wait -> close listeners
+
 	route.closeChannel()
-	route.closeListeners()
 
 	done := make(chan struct{})
-
+	
 	go func() {
 		route.wait()
 		close(done)
+		route.unmarkPort()
 	}()
 
 	select {
 	case <-done:
-		route.Logf("Stopped listening")
-		return
+		l.Info("stopped listening")
 	case <-time.After(StreamStopListenTimeout):
-		route.Logf("timed out waiting for connections")
-		return
-	}
-}
-
-func allStreamsDo(msg string, fn ...func(StreamRoute)) {
-	glog.Infof("[Stream] %s", msg)
-
-	var wg sync.WaitGroup
-
-	for _, route := range routes.StreamRoutes.Iterator() {
-		wg.Add(1)
-		go func(r StreamRoute) {
-			for _, f := range fn {
-				f(r)
-			}
-			wg.Done()
-		}(route)
+		l.Error("timed out waiting for connections")
 	}
 
-	wg.Wait()
-	glog.Infof("[Stream] Finished %s", msg)
-}
-
-func BeginListenStreams() {
-	allStreamsDo("Start", StreamRoute.SetupListen, StreamRoute.Listen)
-}
-
-func EndListenStreams() {
-	allStreamsDo("Stop", StreamRoute.StopListening)
+	route.closeListeners()
 }

src/go-proxy/tcp_route.go

@@ -7,8 +7,6 @@ import (
 	"net"
 	"sync"
 	"time"
-
-	"github.com/golang/glog"
 )
 
 const tcpDialTimeout = 5 * time.Second
@@ -24,7 +22,7 @@ func NewTCPRoute(config *ProxyConfig) (StreamRoute, error) {
 	if err != nil {
 		return nil, err
 	}
-	if base.TargetScheme != TCPStreamType {
+	if base.TargetScheme != StreamType_TCP {
 		return nil, fmt.Errorf("tcp to %s not yet supported", base.TargetScheme)
 	}
 	return &TCPRoute{
@@ -34,10 +32,11 @@ func NewTCPRoute(config *ProxyConfig) (StreamRoute, error) {
 	}, nil
 }
 
-func (route *TCPRoute) Listen() {
-	in, err := net.Listen("tcp", ":"+route.ListeningPort)
+func (route *TCPRoute) Start() {
+	route.setupListen()
+	in, err := net.Listen("tcp", fmt.Sprintf(":%v", route.ListeningPort))
 	if err != nil {
-		route.PrintError(err)
+		route.l.Error(err)
 		return
 	}
 	route.listener = in
@@ -46,8 +45,9 @@ func (route *TCPRoute) Listen() {
 	go route.grHandleConnections()
 }
 
-func (route *TCPRoute) StopListening() {
+func (route *TCPRoute) Stop() {
 	stopListening(route)
+	streamRoutes.Delete(route.id)
 }
 
 func (route *TCPRoute) closeListeners() {
@@ -68,7 +68,7 @@ func (route *TCPRoute) grAcceptConnections() {
 		default:
 			conn, err := route.listener.Accept()
 			if err != nil {
-				route.PrintError(err)
+				route.l.Error(err)
 				continue
 			}
 			route.connChan <- conn
@@ -97,11 +97,11 @@ func (route *TCPRoute) grHandleConnection(clientConn net.Conn) {
 	ctx, cancel := context.WithTimeout(context.Background(), tcpDialTimeout)
 	defer cancel()
 
-	serverAddr := fmt.Sprintf("%s:%s", route.TargetHost, route.TargetPort)
+	serverAddr := fmt.Sprintf("%s:%v", route.TargetHost, route.TargetPort)
 	dialer := &net.Dialer{}
 	serverConn, err := dialer.DialContext(ctx, route.TargetScheme, serverAddr)
 	if err != nil {
-		glog.Infof("[Stream Dial] %v", err)
+		route.l.WithField("stage", "dial").Infof("%v", err)
 		return
 	}
 	route.tcpPipe(clientConn, serverConn)
@@ -118,13 +118,13 @@ func (route *TCPRoute) tcpPipe(src net.Conn, dest net.Conn) {
 
 	go func() {
 		_, err := io.Copy(src, dest)
-		route.PrintError(err)
+		route.l.Error(err)
 		close()
 		wg.Done()
 	}()
 	go func() {
 		_, err := io.Copy(dest, src)
-		route.PrintError(err)
+		route.l.Error(err)
 		close()
 		wg.Done()
 	}()

src/go-proxy/udp_route.go

@@ -5,6 +5,8 @@ import (
 	"io"
 	"net"
 	"sync"
+
+	"github.com/sirupsen/logrus"
 )
 
 type UDPRoute struct {
@@ -32,7 +34,7 @@ func NewUDPRoute(config *ProxyConfig) (StreamRoute, error) {
 		return nil, err
 	}
 
-	if base.TargetScheme != UDPStreamType {
+	if base.TargetScheme != StreamType_UDP {
 		return nil, fmt.Errorf("udp to %s not yet supported", base.TargetScheme)
 	}
 
@@ -43,16 +45,18 @@ func NewUDPRoute(config *ProxyConfig) (StreamRoute, error) {
 	}, nil
 }
 
-func (route *UDPRoute) Listen() {
-	source, err := net.ListenPacket(route.ListeningScheme, fmt.Sprintf(":%s", route.ListeningPort))
+func (route *UDPRoute) Start() {
+	route.setupListen()
+
+	source, err := net.ListenPacket(route.ListeningScheme, fmt.Sprintf(":%v", route.ListeningPort))
 	if err != nil {
-		route.PrintError(err)
+		route.l.Error(err)
 		return
 	}
 
-	target, err := net.Dial(route.TargetScheme, fmt.Sprintf("%s:%s", route.TargetHost, route.TargetPort))
+	target, err := net.Dial(route.TargetScheme, fmt.Sprintf("%s:%v", route.TargetHost, route.TargetPort))
 	if err != nil {
-		route.PrintError(err)
+		route.l.Error(err)
 		source.Close()
 		return
 	}
@@ -65,22 +69,24 @@ func (route *UDPRoute) Listen() {
 	go route.grHandleConnections()
 }
 
-func (route *UDPRoute) StopListening() {
+func (route *UDPRoute) Stop() {
 	stopListening(route)
+	streamRoutes.Delete(route.id)
 }
 
 func (route *UDPRoute) closeListeners() {
 	if route.listeningConn != nil {
 		route.listeningConn.Close()
+		route.listeningConn = nil
 	}
 	if route.targetConn != nil {
 		route.targetConn.Close()
+		route.targetConn = nil
 	}
-	route.listeningConn = nil
-	route.targetConn = nil
 	for _, conn := range route.connMap {
 		conn.(*net.UDPConn).Close() // TODO: change on non udp target
 	}
+	route.connMap = make(map[net.Addr]net.Conn)
 }
 
 func (route *UDPRoute) grAcceptConnections() {
@@ -93,7 +99,7 @@ func (route *UDPRoute) grAcceptConnections() {
 		default:
 			conn, err := route.accept()
 			if err != nil {
-				route.PrintError(err)
+				route.l.Error(err)
 				continue
 			}
 			route.connChan <- conn
@@ -112,7 +118,7 @@ func (route *UDPRoute) grHandleConnections() {
 			go func() {
 				err := route.handleConnection(conn)
 				if err != nil {
-					route.PrintError(err)
+					route.l.Error(err)
 				}
 			}()
 		}
@@ -133,8 +139,16 @@ func (route *UDPRoute) handleConnection(conn *UDPConn) error {
 		route.connMapMutex.Unlock()
 	}
 
+	var forwarder func(*UDPConn, net.Conn) error
+
+	if logLevel == logrus.DebugLevel {
+		forwarder = route.forwardReceivedDebug
+	} else {
+		forwarder = route.forwardReceivedReal
+	}
+
 	// initiate connection to target
-	err = route.forwardReceived(conn, route.targetConn)
+	err = forwarder(conn, route.targetConn)
 	if err != nil {
 		return err
 	}
@@ -150,7 +164,7 @@ func (route *UDPRoute) handleConnection(conn *UDPConn) error {
 				return err
 			}
 			// forward to source
-			err = route.forwardReceived(conn, srcConn)
+			err = forwarder(conn, srcConn)
 			if err != nil {
 				return err
 			}
@@ -160,7 +174,7 @@ func (route *UDPRoute) handleConnection(conn *UDPConn) error {
 				continue
 			}
 			// forward to target
-			err = route.forwardReceived(conn, route.targetConn)
+			err = forwarder(conn, route.targetConn)
 			if err != nil {
 				return err
 			}
@@ -209,13 +223,7 @@ func (route *UDPRoute) readFrom(src net.Conn, buffer []byte) (*UDPConn, error) {
 	}, nil
 }
 
-func (route *UDPRoute) forwardReceived(receivedConn *UDPConn, dest net.Conn) error {
-	route.Logf(
-		"forwarding %d bytes %s -> %s",
-		receivedConn.nReceived,
-		receivedConn.remoteAddr.String(),
-		dest.RemoteAddr().String(),
-	)
+func (route *UDPRoute) forwardReceivedReal(receivedConn *UDPConn, dest net.Conn) error {
 	nWritten, err := dest.Write(receivedConn.bytesReceived)
 
 	if nWritten != receivedConn.nReceived {
@@ -224,3 +232,12 @@ func (route *UDPRoute) forwardReceived(receivedConn *UDPConn, dest net.Conn) err
 
 	return err
 }
+
+func (route *UDPRoute) forwardReceivedDebug(receivedConn *UDPConn, dest net.Conn) error {
+	route.l.WithField("size", receivedConn.nReceived).Debugf(
+		"forwarding from %s to %s",
+		receivedConn.remoteAddr.String(),
+		dest.RemoteAddr().String(),
+	)
+	return route.forwardReceivedReal(receivedConn, dest)
+}

src/go-proxy/utils.go

@@ -6,24 +6,26 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"os"
 	"path"
 	"path/filepath"
+	"reflect"
 	"regexp"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/sirupsen/logrus"
 	xhtml "golang.org/x/net/html"
 )
 
 type Utils struct {
-	PortsInUse      map[int]bool
+	portsInUse      map[int]bool
 	portsInUseMutex sync.Mutex
 }
 
 var utils = &Utils{
-	PortsInUse:      make(map[int]bool),
+	portsInUse:      make(map[int]bool),
 	portsInUseMutex: sync.Mutex{},
 }
 
@@ -31,13 +33,13 @@ func (u *Utils) findUseFreePort(startingPort int) (int, error) {
 	u.portsInUseMutex.Lock()
 	defer u.portsInUseMutex.Unlock()
 	for port := startingPort; port <= startingPort+100 && port <= 65535; port++ {
-		if u.PortsInUse[port] {
+		if u.portsInUse[port] {
 			continue
 		}
 		addr := fmt.Sprintf(":%d", port)
 		l, err := net.Listen("tcp", addr)
 		if err == nil {
-			u.PortsInUse[port] = true
+			u.portsInUse[port] = true
 			l.Close()
 			return port, nil
 		}
@@ -46,24 +48,22 @@ func (u *Utils) findUseFreePort(startingPort int) (int, error) {
 	if err == nil {
 		// NOTE: may not be after 20000
 		port := l.Addr().(*net.TCPAddr).Port
-		u.PortsInUse[port] = true
+		u.portsInUse[port] = true
 		l.Close()
 		return port, nil
 	}
 	return -1, fmt.Errorf("unable to find free port: %v", err)
 }
 
-func (u *Utils) resetPortsInUse() {
+func (u *Utils) markPortInUse(port int) {
 	u.portsInUseMutex.Lock()
-	for port := range u.PortsInUse {
-		u.PortsInUse[port] = false
-	}
+	u.portsInUse[port] = true
 	u.portsInUseMutex.Unlock()
 }
 
-func (u *Utils) markPortInUse(port int) {
+func (u *Utils) unmarkPortInUse(port int) {
 	u.portsInUseMutex.Lock()
-	u.PortsInUse[port] = true
+	delete(u.portsInUse, port)
 	u.portsInUseMutex.Unlock()
 }
 
@@ -92,7 +92,7 @@ func (*Utils) healthCheckStream(scheme, host string) error {
 	return nil
 }
 
-func (*Utils) snakeToCamel(s string) string {
+func (*Utils) snakeToPascal(s string) string {
 	toHyphenCamel := http.CanonicalHeaderKey(strings.ReplaceAll(s, "_", "-"))
 	return strings.ReplaceAll(toHyphenCamel, "-", "")
 }
@@ -112,10 +112,9 @@ func tryAppendPathPrefixImpl(pOrig, pAppend string) string {
 
 var tryAppendPathPrefix func(string, string) string
 var _ = func() int {
-	if glog.V(4) {
+	if logLevel == logrus.DebugLevel {
 		tryAppendPathPrefix = func(s1, s2 string) string {
 			replaced := tryAppendPathPrefixImpl(s1, s2)
-			glog.Infof("[Path sub] %s -> %s", s1, replaced)
 			return replaced
 		}
 	} else {
@@ -189,3 +188,18 @@ func (*Utils) respJSSubPath(r *http.Response, p string) error {
 	r.Body = io.NopCloser(strings.NewReader(js))
 	return nil
 }
+
+func (*Utils) fileOK(path string) bool {
+	_, err := os.Stat(path)
+	return err == nil
+}
+
+func SetFieldFromSnake[T interface{}, VT interface{}](obj *T, field string, value VT) error {
+	field = utils.snakeToPascal(field)
+	prop := reflect.ValueOf(obj).Elem().FieldByName(field)
+	if prop.Kind() == 0 {
+		return fmt.Errorf("unknown field %s", field)
+	}
+	prop.Set(reflect.ValueOf(value))
+	return nil
+}

src/go-proxy/watcher.go

@@ -0,0 +1,219 @@
+package main
+
+import (
+	"path"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+	"github.com/fsnotify/fsnotify"
+	"github.com/sirupsen/logrus"
+
+	"golang.org/x/net/context"
+)
+
+type Watcher interface {
+	Start()
+	Stop()
+	Dispose()
+}
+
+type watcherBase struct {
+	name     string // for log / error output
+	kind     string // for log / error output
+	onChange func()
+	l        logrus.FieldLogger
+}
+
+type fileWatcher struct {
+	*watcherBase
+	path     string
+	onDelete func()
+}
+
+type dockerWatcher struct {
+	*watcherBase
+	client *client.Client
+	stopCh chan struct{}
+	wg     sync.WaitGroup
+}
+
+func newWatcher(kind string, name string, onChange func()) *watcherBase {
+	return &watcherBase{
+		kind:     kind,
+		name:     name,
+		onChange: onChange,
+		l:        wlog.WithFields(logrus.Fields{"kind": kind, "name": name}),
+	}
+}
+func NewFileWatcher(p string, onChange func(), onDelete func()) Watcher {
+	return &fileWatcher{
+		watcherBase: newWatcher("File", path.Base(p), onChange),
+		path:        p,
+		onDelete:    onDelete,
+	}
+}
+
+func NewDockerWatcher(c *client.Client, onChange func()) Watcher {
+	return &dockerWatcher{
+		watcherBase: newWatcher("Docker", c.DaemonHost(), onChange),
+		client:      c,
+		stopCh:      make(chan struct{}, 1),
+	}
+}
+
+func (w *fileWatcher) Start() {
+	if fsWatcher == nil {
+		return
+	}
+	err := fsWatcher.Add(w.path)
+	if err != nil {
+		w.l.Error("failed to start: ", err)
+		return
+	}
+	fileWatchMap.Set(w.path, w)
+}
+
+func (w *fileWatcher) Stop() {
+	if fsWatcher == nil {
+		return
+	}
+	fileWatchMap.Delete(w.path)
+	err := fsWatcher.Remove(w.path)
+	if err != nil {
+		w.l.WithField("action", "stop").Error(err)
+	}
+}
+
+func (w *fileWatcher) Dispose() {
+	w.Stop()
+}
+
+func (w *dockerWatcher) Start() {
+	dockerWatchMap.Set(w.name, w)
+	w.wg.Add(1)
+	go w.watch()
+}
+
+func (w *dockerWatcher) Stop() {
+	if w.stopCh == nil {
+		return
+	}
+	close(w.stopCh)
+	w.wg.Wait()
+	w.stopCh = nil
+	dockerWatchMap.Delete(w.name)
+}
+
+func (w *dockerWatcher) Dispose() {
+	w.Stop()
+	w.client.Close()
+}
+
+func InitFSWatcher() {
+	w, err := fsnotify.NewWatcher()
+	if err != nil {
+		wlog.Errorf("unable to create file watcher: %v", err)
+		return
+	}
+	fsWatcher = w
+	fsWatcherWg.Add(1)
+	go watchFiles()
+}
+
+func InitDockerWatcher() {
+	// stop all docker client on watcher stop
+	go func() {
+		defer dockerWatcherWg.Done()
+		<-dockerWatcherStop
+		ParallelForEachValue(
+			dockerWatchMap.Iterator(),
+			(*dockerWatcher).Dispose,
+		)
+	}()
+}
+
+func StopFSWatcher() {
+	close(fsWatcherStop)
+	fsWatcherWg.Wait()
+}
+
+func StopDockerWatcher() {
+	close(dockerWatcherStop)
+	dockerWatcherWg.Wait()
+}
+
+func watchFiles() {
+	defer fsWatcher.Close()
+	defer fsWatcherWg.Done()
+	for {
+		select {
+		case <-fsWatcherStop:
+			return
+		case event, ok := <-fsWatcher.Events:
+			if !ok {
+				wlog.Error("file watcher channel closed")
+				return
+			}
+			w, ok := fileWatchMap.UnsafeGet(event.Name)
+			if !ok {
+				wlog.Errorf("watcher for %s not found", event.Name)
+			}
+			switch {
+			case event.Has(fsnotify.Write):
+				w.l.Info("file changed")
+				go w.onChange()
+			case event.Has(fsnotify.Remove), event.Has(fsnotify.Rename):
+				w.l.Info("file renamed / deleted")
+				go w.onDelete()
+			}
+		case err := <-fsWatcher.Errors:
+			wlog.Error(err)
+		}
+	}
+}
+
+func (w *dockerWatcher) watch() {
+	defer w.wg.Done()
+
+	filter := filters.NewArgs(
+		filters.Arg("type", "container"),
+		filters.Arg("event", "start"),
+		filters.Arg("event", "die"), // 'stop' already triggering 'die'
+	)
+	listen := func() (<-chan events.Message, <-chan error) {
+		return w.client.Events(context.Background(), types.EventsOptions{Filters: filter})
+	}
+	msgChan, errChan := listen()
+
+	for {
+		select {
+		case <-w.stopCh:
+			return
+		case msg := <-msgChan:
+			w.l.Infof("container %s %s", msg.Actor.Attributes["name"], msg.Action)
+			go w.onChange()
+		case err := <-errChan:
+			w.l.Errorf("%s, retrying in 1s", err)
+			time.Sleep(1 * time.Second)
+			msgChan, errChan = listen()
+		}
+	}
+}
+
+var fsWatcher *fsnotify.Watcher
+var (
+	fileWatchMap   = NewSafeMap[string, *fileWatcher]()
+	dockerWatchMap = NewSafeMap[string, *dockerWatcher]()
+)
+var (
+	fsWatcherStop     = make(chan struct{}, 1)
+	dockerWatcherStop = make(chan struct{}, 1)
+)
+var (
+	fsWatcherWg     sync.WaitGroup
+	dockerWatcherWg sync.WaitGroup
+)