revert github workflow

Dev

See merge request yusing/go-proxy!3

.github/workflows/docker-image.yml

@@ -0,0 +1,14 @@
+name: Docker Image CI
+
+on:
+  push:
+    tags:
+      - "*"
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build and Push Container to ghcr.io
+        uses: GlueOps/github-actions-build-push-containers@v0.3.7
+        with:
+          tags: latest,${{ github.ref_name }}

.github/workflows/go.yml

@@ -0,0 +1,30 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.22.1"
+
+      - name: Build
+        run: make build
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: bin/go-proxy
+    #- name: Test
+    #  run: go test -v ./...

.gitignore

@@ -1,10 +1,10 @@
 compose.yml
 
-config/**
-
-bin/go-proxy.bak
+config/
+certs/
+bin/
+templates/codemirror/
 
 logs/
 log/
-
-config-editor/
+.vscode/settings.json

.gitlab-ci.yml

@@ -0,0 +1,15 @@
+build-image:
+  image: docker
+  rules:
+    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+      variables:
+        CI_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE:latest
+    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
+      variables:
+        CI_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH
+  before_script:
+    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
+  script:
+    - echo building $CI_REGISTRY_IMAGE
+    - docker build --pull -t $CI_REGISTRY_IMAGE .
+    - docker push $CI_REGISTRY_IMAGE

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "templates/codemirror"]
-	path = templates/codemirror
-	url = https://github.com/codemirror/codemirror5.git

.vscode/settings.example.json

@@ -1,10 +1,8 @@
 {
-    "go.inferGopath": false,
     "yaml.schemas": {
         "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
             "config.example.yml",
-            "config.yml",
-            "file:///config/workspace/go-proxy/config.example.yml"
+            "config.yml"
         ],
         "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
             "providers.example.yml",

Dockerfile

@@ -1,17 +1,34 @@
+FROM alpine:latest AS codemirror
+RUN apk add --no-cache unzip wget make
+COPY Makefile .
+RUN make setup-codemirror
+
+FROM golang:1.22.2-alpine as builder
+COPY src/ /src
+COPY go.mod go.sum /src/go-proxy
+WORKDIR /src/go-proxy
+RUN --mount=type=cache,target="/go/pkg/mod" \
+    go mod download
+
+ENV GOCACHE=/root/.cache/go-build
+RUN --mount=type=cache,target="/go/pkg/mod" \
+    --mount=type=cache,target="/root/.cache/go-build" \
+    CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o go-proxy
+
 FROM alpine:latest
 
 LABEL maintainer="yusing@6uo.me"
 
-RUN apk add --no-cache bash tzdata
-RUN mkdir /app
-COPY bin/go-proxy entrypoint.sh /app/
+RUN apk add --no-cache tzdata
+RUN mkdir -p /app/templates
+COPY --from=codemirror templates/codemirror/ /app/templates/codemirror
 COPY templates/ /app/templates
-COPY config.example.yml /app/config/config.yml
+COPY schema/ /app/schema
+COPY --from=builder /src/go-proxy /app/
 
-RUN chmod +x /app/go-proxy /app/entrypoint.sh
+RUN chmod +x /app/go-proxy
 ENV DOCKER_HOST unix:///var/run/docker.sock
 ENV GOPROXY_DEBUG 0
-ENV GOPROXY_REDIRECT_HTTP 1
 
 EXPOSE 80
 EXPOSE 8080
@@ -19,4 +36,4 @@ EXPOSE 443
 EXPOSE 8443
 
 WORKDIR /app
-ENTRYPOINT /app/entrypoint.sh
+CMD ["/app/go-proxy"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 [fullname]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -2,22 +2,30 @@
 
 all: build quick-restart logs
 
+setup:
+	mkdir -p config certs
+	[ -f config/config.yml ] || cp config.example.yml config/config.yml
+	[ -f config/providers.yml ] || touch config/providers.yml
+
+setup-codemirror:
+	wget https://codemirror.net/5/codemirror.zip
+	unzip codemirror.zip
+	rm codemirror.zip
+	mkdir -p templates
+	mv codemirror-* templates/codemirror
+
 build:
 	mkdir -p bin
 	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy src/go-proxy/*.go
 
-up:
-	docker compose up -d --build go-proxy
+test:
+	go test src/go-proxy/*.go
 
-quick-restart: # quick restart without restarting the container
-	docker cp bin/go-proxy go-proxy:/app/go-proxy
-	docker cp templates/* go-proxy:/app/templates
-	docker cp entrypoint.sh go-proxy:/app/entrypoint.sh
-	docker exec -d go-proxy bash /app/entrypoint.sh restart
+up:
+	docker compose up -d
 
 restart:
-	docker kill go-proxy
-	docker compose up -d go-proxy
+	docker compose restart -t 0
 
 logs:
 	tail -f log/go-proxy.log
@@ -25,11 +33,17 @@ logs:
 get:
 	go get -d -u ./src/go-proxy
 
+repush:
+	git reset --soft HEAD^
+	git add -A
+	git commit -m "repush"
+	git push gitlab dev --force
+
 udp-server:
 	docker run -it --rm \
 		-p 9999:9999/udp \
 		--label proxy.test-udp.scheme=udp \
 		--label proxy.test-udp.port=20003:9999 \
-		--network data_default \
+		--network host \
 		--name test-udp \
 		$$(docker build -q -f udp-test-server.Dockerfile .)

README.md

@@ -6,228 +6,182 @@ In the examples domain `x.y.z` is used, replace them with your domain
 
 ## Table of content
 
-- [go-proxy](#go-proxy)
-  - [Table of content](#table-of-content)
-  - [Key Points](#key-points)
-  - [How to use](#how-to-use)
-    - [Binary](#binary)
-    - [Docker](#docker)
-  - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
-  - [Configuration](#configuration)
-    - [Labels (docker)](#labels-docker)
-    - [Environment variables](#environment-variables)
-    - [Config File](#config-file)
-      - [Fields](#fields)
-      - [Provider Kinds](#provider-kinds)
-    - [Provider File](#provider-file)
-    - [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
-  - [Examples](#examples)
-    - [Single port configuration example](#single-port-configuration-example)
-    - [Multiple ports configuration example](#multiple-ports-configuration-example)
-    - [TCP/UDP configuration example](#tcpudp-configuration-example)
-  - [Load balancing Configuration Example](#load-balancing-configuration-example)
-  - [Troubleshooting](#troubleshooting)
-  - [Benchmarks](#benchmarks)
-  - [Known issues](#known-issues)
-  - [Memory usage](#memory-usage)
-  - [Build it yourself](#build-it-yourself)
+<!-- TOC -->
+- [Table of content](#table-of-content)
+- [Key Points](#key-points)
+- [How to use](#how-to-use)
+- [Tested Services](#tested-services)
+  - [HTTP/HTTPs Reverse Proxy](#httphttps-reverse-proxy)
+  - [TCP Proxy](#tcp-proxy)
+  - [UDP Proxy](#udp-proxy)
+- [Command-line args](#command-line-args)
+  - [Commands](#commands)
+- [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
+- [Environment variables](#environment-variables)
+- [Config File](#config-file)
+  - [Fields](#fields)
+  - [Provider Kinds](#provider-kinds)
+  - [Provider File](#provider-file)
+  - [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
+- [Troubleshooting](#troubleshooting)
+- [Benchmarks](#benchmarks)
+- [Known issues](#known-issues)
+- [Memory usage](#memory-usage)
+- [Build it yourself](#build-it-yourself)
+<!-- /TOC -->
 
 ## Key Points
 
 - Fast (See [benchmarks](#benchmarks))
 - Auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported DNS Challenge Providers](#supported-dns-challenge-providers))
 - Auto detect reverse proxies from docker
+- Auto hot-reload on container `start` / `die` / `stop` or config file changes
 - Custom proxy entries with `config.yml` and additional provider files
 - Subdomain matching + Path matching **(domain name doesn't matter)**
-- HTTP(s) proxy + TCP/UDP Proxy
+- HTTP(s) reverse proxy + TCP/UDP Proxy
 - HTTP(s) round robin load balance support (same subdomain and path across different hosts)
-- Auto hot-reload on container `start` / `die` / `stop` or config file changes
-- Simple panel to see all reverse proxies and health available on port [panel_port_http] (http) and port [panel_port_https] (https)
+- Web UI on port 8080 (http) and port 8443 (https)
 
-  ![panel screenshot](screenshots/panel.png)
-- Config editor to edit config and provider files with validation
+  - a simple panel to see all reverse proxies and health
 
-  **Validate and save file with Ctrl+S**
+    ![panel screenshot](screenshots/panel.png)
 
-  ![config editor screenshot](screenshots/config_editor.png)
+  - a config editor to edit config and provider files with validation
+
+    **Validate and save file with Ctrl+S**
+
+    ![config editor screenshot](screenshots/config_editor.png)
+
+[🔼Back to top](#table-of-content)
 
 ## How to use
 
-1. Download and extract the latest release (or clone the repository if you want to try out experimental features)
+1. Setup DNS Records to your machine's IP address
 
-2. Copy `config.example.yml` to `config/config.yml` and modify the content to fit your needs
+   - A Record: `*.y.z` -> `10.0.10.1`
+   - AAAA Record: `*.y.z` -> `::ffff:a00:a01`
 
-3. (Optional) write your own `config/providers.yml` from `providers.example.yml`
+2. Start `go-proxy` by
 
-4. See [Binary](#binary) or [docker](#docker)
+   - [Running from binary or as a system service](docs/binary.md)
+   - [Running as a docker container](docs/docker.md)
 
-### Binary
+3. Start editing config files
+   - with text editor (i.e. Visual Studio Code)
+   - or with web config editor by navigate to `http://ip:8080`
 
-1. (Optional) enabled HTTPS
+[🔼Back to top](#table-of-content)
 
-   - Use autocert feature by completing `autocert` in `config.yml`
+## Tested Services
 
-   - Use existing certificate
+### HTTP/HTTPs Reverse Proxy
 
-     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
+- Nginx
+- Minio
+- AdguardHome Dashboard
+- etc.
 
-     - cert / chain / fullchain: `./certs/cert.crt`
-     - private key: `./certs/priv.key`
+### TCP Proxy
 
-2. run the binary `bin/go-proxy`
+- Minecraft server
+- PostgreSQL
+- MariaDB
 
-3. enjoy
+### UDP Proxy
 
-### Docker
+- Adguardhome DNS
+- Palworld Dedicated Server
 
-1. Copy content from [compose.example.yml](compose.example.yml) and create your own `compose.yml`
+[🔼Back to top](#table-of-content)
 
-2. Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+## Command-line args
 
-3. (Optional) enable HTTPS
+`go-proxy [command]`
 
-   - Use autocert feature
+### Commands
 
-     1. mount `./certs` to `/app/certs`
+- empty: start proxy server
+- validate: validate config and exit
+- reload: trigger a force reload of config
 
-        ```yaml
-        go-proxy:
-          ...
-          volumes:
-            - ./certs:/app/certs
-        ```
+Examples:
 
-     2. complete `autocert` in `config.yml`
+- Binary: `go-proxy reload`
+- Docker: `docker exec -it go-proxy /app/go-proxy reload`
 
-   - Use existing certificate
-
-     Mount your wildcard (`*.y.z`) SSL cert to enable https.
-
-     - cert / chain / fullchain -> `/app/certs/cert.crt`
-     - private key -> `/app/certs/priv.key`
-
-4. Start `go-proxy` with `docker compose up -d` or `make up`.
-
-5. (Optional) If you are using ufw with vpn that drop all inbound traffic except vpn, run below to allow docker containers to connect to `go-proxy`
-
-   In case the network of your container is in subnet `172.16.0.0/16` (bridge),
-   and vpn network is under `100.64.0.0/10` (i.e. tailscale)
-
-   `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
-
-   You can also list CIDRs of all docker bridge networks by:
-
-   `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
-
-6. start your docker app, and visit <container_name>.y.z
-
-7. check the logs with `docker compose logs` or `make logs` to see if there is any error, check panel at [panel port] for active proxies
+[🔼Back to top](#table-of-content)
 
 ## Use JSON Schema in VSCode
 
-Modify `.vscode/settings.json` to fit your needs
+Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify to fit your needs
 
 ```json
 {
-    "yaml.schemas": {
-        "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
-            "config.example.yml",
-            "config.yml"
-        ],
-        "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
-            "providers.example.yml",
-            "*.providers.yml",
-        ]
-    }
+  "yaml.schemas": {
+    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+      "config.example.yml",
+      "config.yml"
+    ],
+    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+      "providers.example.yml",
+      "*.providers.yml"
+    ]
+  }
 }
 ```
 
-## Configuration
+[🔼Back to top](#table-of-content)
 
-With container name, most of the time no label needs to be added.
-
-### Labels (docker)
-
-- `proxy.aliases`: comma separated aliases for subdomain matching
-
-  - default: `container_name`
-
-- `proxy.*.<field>`: wildcard label for all aliases
-
-Below labels has a **`proxy.<alias>`** prefix (i.e. `proxy.nginx.scheme: http`)
-
-- `scheme`: proxy protocol
-  - default: `http`
-  - allowed: `http`, `https`, `tcp`, `udp`
-- `host`: proxy host
-  - default: `container_name`
-- `port`: proxy port
-  - default: first expose port (declared in `Dockerfile` or `docker-compose.yml`)
-  - `http(s)`: number in range og `0 - 65535`
-  - `tcp/udp`: `[<listeningPort>:]<targetPort>`
-    - `listeningPort`: number, when it is omitted (not suggested), a free port starting from 20000 will be used.
-    - `targetPort`: number, or predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
-- `no_tls_verify`: whether skip tls verify when scheme is https
-  - default: `false`
-- `path`: proxy path _(http(s) proxy only)_
-  - default: empty
-- `path_mode`: mode for path handling
-
-  - default: empty
-  - allowed: empty, `forward`, `sub`
-    - `empty`: remove path prefix from URL when proxying
-      1. apps.y.z/webdav -> webdav:80
-      2. apps.y.z./webdav/path/to/file -> webdav:80/path/to/file
-    - `forward`: path remain unchanged
-      1. apps.y.z/webdav -> webdav:80/webdav
-      2. apps.y.z./webdav/path/to/file -> webdav:80/webdav/path/to/file
-    - `sub`: (experimental) remove path prefix from URL and also append path to HTML link attributes (`src`, `href` and `action`) and Javascript `fetch(url)` by response body substitution
-      e.g. apps.y.z/app1 -> webdav:80, `href="/app1/path/to/file"` -> `href="/path/to/file"`
-
-- `load_balance`: enable load balance (docker only)
-  - allowed: `1`, `true`
-
-### Environment variables
+## Environment variables
 
 - `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
-- `GOPROXY_REDIRECT_HTTP`: set to `0` or `false` to disable http to https redirect (only when certs are located)
+- `GOPROXY_HOST_NETWORK`: _(Docker only)_ set to `1` when `network_mode: host`
+- `GOPROXY_NO_SCHEMA_VALIDATION`: disable schema validation on config load / reload **(for testing new DNS Challenge providers)**
 
-### Config File
+[🔼Back to top](#table-of-content)
+
+## Config File
 
 See [config.example.yml](config.example.yml) for more
 
-#### Fields
+### Fields
 
 - `autocert`: autocert configuration
 
   - `email`: ACME Email
   - `domains`: a list of domains for cert registration
   - `provider`: DNS Challenge provider, see [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
-  - `options`: provider specific options
+  - `options`: [provider specific options](#supported-dns-challenge-providers)
 
 - `providers`: reverse proxy providers configuration
   - `kind`: provider kind (string), see [Provider Kinds](#provider-kinds)
   - `value`: provider specific value
 
-#### Provider Kinds
+[🔼Back to top](#table-of-content)
+
+### Provider Kinds
 
 - `docker`: load reverse proxies from docker
 
   values:
 
-  - `FROM_ENV`: value from environment
+  - `FROM_ENV`: value from environment (`DOCKER_HOST`)
   - full url to docker host (i.e. `tcp://host:2375`)
 
 - `file`: load reverse proxies from provider file
 
   value: relative path of file to `config/`
 
+[🔼Back to top](#table-of-content)
+
 ### Provider File
 
-Fields are same as [docker labels](#labels-docker) starting from `scheme`
+Fields are same as [docker labels](docs/docker.md#labels) starting from `scheme`
 
 See [providers.example.yml](providers.example.yml) for examples
 
+[🔼Back to top](#table-of-content)
+
 ### Supported DNS Challenge Providers
 
 - Cloudflare
@@ -236,81 +190,19 @@ See [providers.example.yml](providers.example.yml) for examples
 
   Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
 
-## Examples
+- CloudDNS
 
-### Single port configuration example
+  - `client_id`
+  - `email`
+  - `password`
 
-```yaml
-# (default) https://<container_name>.y.z
-whoami:
-  image: traefik/whoami
-  container_name: whoami # => whoami.y.z
+- DuckDNS (thanks [earvingad](https://github.com/earvingad))
 
-# enable both subdomain and path matching:
-whoami:
-  image: traefik/whoami
-  container_name: whoami
-  labels:
-    - proxy.aliases=whoami,apps
-    - proxy.apps.path=/whoami
-# 1. visit https://whoami.y.z
-# 2. visit https://apps.y.z/whoami
-```
+  - `token`: DuckDNS Token
 
-### Multiple ports configuration example
+To add more provider support, see [this](docs/add_dns_provider.md)
 
-```yaml
-minio:
-  image: quay.io/minio/minio
-  container_name: minio
-  ...
-  labels:
-    - proxy.aliases=minio,minio-console
-    - proxy.minio.port=9000
-    - proxy.minio-console.port=9001
-
-# visit https://minio.y.z to access minio
-# visit https://minio-console.y.z/whoami to access minio console
-```
-
-### TCP/UDP configuration example
-
-```yaml
-# In the app
-app-db:
-  image: postgres:15
-  container_name: app-db
-  ...
-  labels:
-    # Optional (postgres is in the known image map)
-    - proxy.app-db.scheme=tcp
-
-    # Optional (first free port will be used for listening port)
-    - proxy.app-db.port=20000:postgres
-
-# In go-proxy
-go-proxy:
-  ...
-  ports:
-    - 80:80
-    ...
-    - 20000:20000/tcp
-    # or 20000-20010:20000-20010/tcp to declare large range at once
-
-# access app-db via <*>.y.z:20000
-```
-
-## Load balancing Configuration Example
-
-```yaml
-nginx:
-  ...
-  deploy:
-    mode: replicated
-    replicas: 3
-  labels:
-    - proxy.nginx.load_balance=1 # allowed: [1, true]
-```
+[🔼Back to top](#table-of-content)
 
 ## Troubleshooting
 
@@ -318,6 +210,8 @@ Q: How to fix when it shows "no matching route for subdomain \<subdomain>"?
 
 A: Make sure the container is running, and \<subdomain> matches any container name / alias
 
+[🔼Back to top](#table-of-content)
+
 ## Benchmarks
 
 Benchmarked with `wrk` connecting `traefik/whoami`'s `/bench` endpoint
@@ -423,13 +317,19 @@ Local benchmark (client running wrk and `go-proxy` server are under same proxmox
   Transfer/sec:     10.94MB
   ```
 
+[🔼Back to top](#table-of-content)
+
 ## Known issues
 
-None
+- Cert "renewal" is actually obtaining a new cert instead of renewing the existing one
+
+[🔼Back to top](#table-of-content)
 
 ## Memory usage
 
-It takes ~13 MB for 50 proxy entries
+It takes ~15 MB for 50 proxy entries
+
+[🔼Back to top](#table-of-content)
 
 ## Build it yourself
 
@@ -443,5 +343,4 @@ It takes ~13 MB for 50 proxy entries
 
 5. start your container with `make up` (docker) or `bin/go-proxy` (binary)
 
-[panel_port_http]: 8080
-[panel_port_https]: 8443
+[🔼Back to top](#table-of-content)

compose.example.yml

@@ -1,41 +1,40 @@
 version: '3'
 services:
   app:
-    build: .
+    image: ghcr.io/yusing/go-proxy:latest
     container_name: go-proxy
     restart: always
     networks: # ^also add here
       - default
-    # environment:
-      # - GOPROXY_DEBUG=1 # (optional, enable only for debug)
-      # - GOPROXY_REDIRECT_HTTP=0 # (optional, uncomment to disable http redirect (http -> https))
     ports:
-      - 80:80 # http
-      # - 443:443 # optional, https
+      - 80:80 # http proxy
       - 8080:8080 # http panel
+      # - 443:443 # optional, https proxy
       # - 8443:8443 # optional, https panel
 
       # optional, if you declared any tcp/udp proxy, set a range you want to use
       # - 20000:20100/tcp
       # - 20000:20100/udp
     volumes:
+      - ./config:/app/config
+
+      # if local docker provider is used
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      
       # use existing certificate
       # - /path/to/cert.pem:/app/certs/cert.crt:ro
       # - /path/to/privkey.pem:/app/certs/priv.key:ro
 
-      # use autocert feature
+      # store autocert obtained cert
       # - ./certs:/app/certs
+    
+    # workaround for "lookup: no such host"
+    # dns:
+    #   - 127.0.0.1
 
-      # if local docker provider is used (by default)
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-
-      # to use custom config and providers
-      # - ./config:/app/config
-    dns:
-      - 127.0.0.1 # workaround for "lookup: no such host"
-    extra_hosts:
-      # required if you use local docker provider and have containers in `host` network_mode
-      - host.docker.internal:host-gateway
+    # if you have container running in "host" network mode
+    # extra_hosts:
+    #   - host.docker.internal:host-gateway
     logging:
       driver: 'json-file'
       options:

config.example.yml

@@ -1,25 +1,21 @@
-# uncomment to use autocert
-autocert: # (optional, if you need autocert feature)
-  email: "user@domain.com" # (required) email for acme certificate
-  domains: # (required)
-    - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
-  provider: cloudflare # (required) dns challenge provider (string)
-  options: # provider specific options
-    auth_token: "YOUR_ZONE_API_TOKEN"
+# Autocert (uncomment to enable)
+# autocert: # (optional, if you need autocert feature)
+#   email: "user@domain.com" # (required) email for acme certificate
+#   domains: # (required)
+#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
+#   provider: cloudflare # (required) dns challenge provider (string)
+#   options: # provider specific options
+#     auth_token: "YOUR_ZONE_API_TOKEN"
 providers:
   local:
     kind: docker
     # for value format, see https://docs.docker.com/reference/cli/dockerd/
+    # i.e. FROM_ENV, ssh://user@10.0.1.1:22, tcp://10.0.2.1:2375
     value: FROM_ENV
-  # remote1:
-  #   kind: docker
-  #   value: ssh://user@10.0.1.1
-  # remote2:
-  #   kind: docker
-  #   value: tcp://10.0.1.1:2375
-  # provider1:
-  #   kind: file
-  #   value: provider1.yml
-  # provider2:
-  #   kind: file
-  #   value: provider2.yml
+  providers:
+    kind: file
+    value: providers.yml
+
+# Fixed options (optional, non hot-reloadable)
+# timeout_shutdown: 5
+# redirect_to_https: false

docs/add_dns_provider.md

@@ -0,0 +1,41 @@
+# Adding provider support
+
+## **CloudDNS** as an example
+
+1. Fork this repo, modify [autocert.go](../src/go-proxy/autocert.go#L305)
+
+   ```go
+   var providersGenMap = map[string]ProviderGenerator{
+     "cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+     // add here, i.e.
+     "clouddns": providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
+   }
+   ```
+
+2. Go to [https://go-acme.github.io/lego/dns/clouddns](https://go-acme.github.io/lego/dns/clouddns/) and check for required config
+
+3. Build `go-proxy` with `make build`
+
+4. Set required config in `config.yml` `autocert` -> `options` section
+
+   ```shell
+   # From https://go-acme.github.io/lego/dns/clouddns/
+   CLOUDDNS_CLIENT_ID=bLsdFAks23429841238feb177a572aX \
+   CLOUDDNS_EMAIL=you@example.com \
+   CLOUDDNS_PASSWORD=b9841238feb177a84330f \
+   lego --email you@example.com --dns clouddns --domains my.example.org run
+   ```
+
+   Should turn into:
+
+   ```yaml
+   autocert:
+     ...
+     options:
+       client_id: bLsdFAks23429841238feb177a572aX
+       email: you@example.com
+       password: b9841238feb177a84330f
+   ```
+
+5. Run with `GOPROXY_NO_SCHEMA_VALIDATION=1` and test if it works
+6. Commit and create pull request

docs/binary.md

@@ -0,0 +1,59 @@
+# Getting started with `go-proxy` (binary)
+
+## Setup
+
+1. Install `bash`, `make` and `wget` if not already
+
+2. Run setup script
+
+   To specitfy a version _(optional)_
+
+   ```shell
+   export VERSION=latest # will be resolved into real version number
+   export VERSION=<version>
+   ```
+
+   If you don't need web config editor
+
+   ```shell
+   export SETUP_CODEMIRROR=0
+   ```
+
+   Setup
+
+   ```shell
+   wget -qO- https://6uo.me/go-proxy-setup-binary | sudo bash
+   ```
+
+   What it does:
+
+   - Download source file and binary into /opt/go-proxy/$VERSION
+   - Setup `config.yml` and `providers.yml`
+   - Setup `template/codemirror` which is a dependency for web config editor
+   - Create a systemd service (if available) in `/etc/systemd/system/go-proxy.service`
+   - Enable and start `go-proxy` service
+
+3. Start editing config files in `http://<ip>:8080`
+
+4. Check logs / status with `systemctl status go-proxy`
+
+## Setup (alternative method)
+
+1. Download the latest release and extract somewhere
+
+2. Run `make setup` and _(optional) `make setup-codemirror`_
+
+3. Enable HTTPS _(optional)_
+
+   - To use autocert feature
+
+     complete `autocert` in `config/config.yml`
+
+   - To use existing certificate
+
+     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
+
+     - cert / chain / fullchain: `certs/cert.crt`
+     - private key: `certs/priv.key`
+
+4. Run the binary `bin/go-proxy`

docs/docker.md

@@ -0,0 +1,371 @@
+# Docker container guide
+
+## Table of content
+
+<!-- TOC -->
+
+- [Table of content](#table-of-content)
+- [Setup](#setup)
+- [Labels](#labels)
+- [Labels (docker specific)](#labels-docker-specific)
+- [Troubleshooting](#troubleshooting)
+- [Docker compose examples](#docker-compose-examples)
+  - [Local docker provider in bridge network](#local-docker-provider-in-bridge-network)
+  - [Remote docker provider](#remote-docker-provider)
+    - [Explaination](#explaination)
+    - [Remote setup](#remote-setup)
+    - [Proxy setup](#proxy-setup)
+  - [Local docker provider in host network](#local-docker-provider-in-host-network)
+    - [Proxy setup](#proxy-setup)
+  - [Services URLs for above examples](#services-urls-for-above-examples)
+  <!-- /TOC -->
+
+## Setup
+
+1. Install `wget` if not already
+
+2. Run setup script
+
+   `bash <(wget -qO- https://6uo.me/go-proxy-setup-docker)`
+
+   What it does:
+
+   - Create required directories
+   - Setup `config.yml` and `compose.yml`
+
+3. Verify folder structure and then `cd go-proxy`
+
+   ```plain
+   go-proxy
+   ├── certs
+   ├── compose.yml
+   └── config
+       ├── config.yml
+       └── providers.yml
+   ```
+
+4. Enable HTTPs _(optional)_
+
+   - To use autocert feature
+
+     - completing `autocert` section in `config/config.yml`
+     - mount `certs/` to `/app/certs` to store obtained certs
+
+   - To use existing certificate
+
+     mount your wildcard (`*.y.z`) SSL cert
+
+     - cert / chain / fullchain -> `/app/certs/cert.crt`
+     - private key -> `/app/certs/priv.key`
+
+5. Modify `compose.yml` fit your needs
+
+   Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+
+6. Run `docker compose up -d` to start the container
+
+7. Start editing config files in `http://<ip>:8080`
+
+[🔼Back to top](#table-of-content)
+
+## Labels
+
+- `proxy.aliases`: comma separated aliases for subdomain matching
+
+  - default: container name
+
+- `proxy.*.<field>`: wildcard label for all aliases
+
+Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.nginx.scheme: http`)
+
+- `scheme`: proxy protocol
+  - default: `http`
+  - allowed: `http`, `https`, `tcp`, `udp`
+- `host`: proxy host
+  - default: `container_name`
+- `port`: proxy port
+  - default: first expose port (declared in `Dockerfile` or `docker-compose.yml`)
+  - `http(s)`: number in range og `0 - 65535`
+  - `tcp/udp`: `[<listeningPort>:]<targetPort>`
+    - `listeningPort`: number, when it is omitted (not suggested), a free port starting from 20000 will be used.
+    - `targetPort`: number, or predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
+- `no_tls_verify`: whether skip tls verify when scheme is https
+  - default: `false`
+- `path`: proxy path _(http(s) proxy only)_
+  - default: empty
+- `path_mode`: mode for path handling
+
+  - default: empty
+  - allowed: empty, `forward`, `sub`
+
+    - `empty`: remove path prefix from URL when proxying
+      1. apps.y.z/webdav -> webdav:80
+      2. apps.y.z./webdav/path/to/file -> webdav:80/path/to/file
+    - `forward`: path remain unchanged
+      1. apps.y.z/webdav -> webdav:80/webdav
+      2. apps.y.z./webdav/path/to/file -> webdav:80/webdav/path/to/file
+    - `sub`: **(experimental)** remove path prefix from URL and also append path to HTML link attributes (`src`, `href` and `action`) and Javascript `fetch(url)` by response body substitution
+      e.g. apps.y.z/app1 -> webdav:80, `href="/app1/path/to/file"` -> `href="/path/to/file"`
+
+  - `set_headers`: a list of header to set, (key:value, one by line)
+
+    Duplicated keys will be treated as multiple-value headers
+
+    ```yaml
+    labels:
+      - |
+        proxy.app.set_headers=
+        X-Custom-Header1: value1
+        X-Custom-Header1: value2
+        X-Custom-Header2: value2
+    ```
+
+  - `hide_headers`: comma seperated list of headers to hide
+
+[🔼Back to top](#table-of-content)
+
+## Labels (docker specific)
+
+Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.app.headers.hide: X-Powered-By,X-Custom-Header`)
+
+- `headers.set.<header>`: value of header to set
+
+- `headers.hide`: comma seperated list of headers to hide
+
+- `load_balance`: enable load balance
+  - allowed: `1`, `true`
+
+[🔼Back to top](#table-of-content)
+
+## Troubleshooting
+
+- Firewall issues
+
+  If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:
+
+  `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
+
+  Explaination:
+
+  Docker network is usually `172.16.0.0/16`
+
+  Tailscale is used as an example, `100.64.0.0/10` will be the CIDR
+
+  You can also list CIDRs of all docker bridge networks by:
+
+  `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
+
+[🔼Back to top](#table-of-content)
+
+## Docker compose examples
+
+### Local docker provider in bridge network
+
+```yaml
+volumes:
+  adg-work:
+  adg-conf:
+  mc-data:
+  palworld:
+  nginx:
+services:
+  adg:
+    image: adguard/adguardhome
+    restart: unless-stopped
+    labels:
+      - proxy.aliases=adg,adg-dns,adg-setup
+      - proxy.adg.port=80
+      - proxy.adg-setup.port=3000
+      - proxy.adg-dns.scheme=udp
+      - proxy.adg-dns.port=20000:dns
+    volumes:
+      - adg-work:/opt/adguardhome/work
+      - adg-conf:/opt/adguardhome/conf
+  mc:
+    image: itzg/minecraft-server
+    tty: true
+    stdin_open: true
+    container_name: mc
+    restart: unless-stopped
+    labels:
+      - proxy.mc.scheme=tcp
+      - proxy.mc.port=20001:25565
+    environment:
+      - EULA=TRUE
+    volumes:
+      - mc-data:/data
+  palworld:
+    image: thijsvanloef/palworld-server-docker:latest
+    restart: unless-stopped
+    container_name: pal
+    stop_grace_period: 30s
+    labels:
+      - proxy.aliases=pal1,pal2
+      - proxy.*.scheme=udp
+      - proxy.pal1.port=20002:8211
+      - proxy.pal2.port=20003:27015
+    environment: ...
+    volumes:
+      - palworld:/palworld
+  nginx:
+    image: nginx
+    container_name: nginx
+    volumes:
+      - nginx:/usr/share/nginx/html
+  go-proxy:
+    image: ghcr.io/yusing/go-proxy
+    container_name: go-proxy
+    restart: always
+    ports:
+      - 80:80 # http
+      - 443:443 # optional, https
+      - 8080:8080 # http panel
+      - 8443:8443 # optional, https panel
+
+      - 53:20000/udp # adguardhome
+      - 25565:20001/tcp # minecraft
+      - 8211:20002/udp # palworld
+      - 27015:20003/udp # palworld
+    volumes:
+      - ./config:/app/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      - proxy.aliases=gp
+      - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Remote docker provider
+
+#### Explaination
+
+- Expose container ports to random port in remote host
+- Use container port with an asterisk sign **(\*)** before to find remote port automatically
+
+#### Remote setup
+
+```yaml
+volumes:
+  adg-work:
+  adg-conf:
+  mc-data:
+  palworld:
+  nginx:
+services:
+  adg:
+    image: adguard/adguardhome
+    restart: unless-stopped
+    ports: # map container ports
+      - 80
+      - 3000
+      - 53/udp
+      - 53/tcp
+    labels:
+      - proxy.aliases=adg,adg-dns,adg-setup
+      # add an asterisk (*) before to find host port automatically
+      - proxy.adg.port=*80
+      - proxy.adg-setup.port=*3000
+      - proxy.adg-dns.scheme=udp
+      - proxy.adg-dns.port=*53
+    volumes:
+      - adg-work:/opt/adguardhome/work
+      - adg-conf:/opt/adguardhome/conf
+  mc:
+    image: itzg/minecraft-server
+    tty: true
+    stdin_open: true
+    container_name: mc
+    restart: unless-stopped
+    ports:
+      - 25565
+    labels:
+      - proxy.mc.scheme=tcp
+      - proxy.mc.port=*25565
+    environment:
+      - EULA=TRUE
+    volumes:
+      - mc-data:/data
+  palworld:
+    image: thijsvanloef/palworld-server-docker:latest
+    restart: unless-stopped
+    container_name: pal
+    stop_grace_period: 30s
+    ports:
+      - 8211/udp
+      - 27015/udp
+    labels:
+      - proxy.aliases=pal1,pal2
+      - proxy.*.scheme=udp
+      - proxy.pal1.port=*8211
+      - proxy.pal2.port=*27015
+    environment: ...
+    volumes:
+      - palworld:/palworld
+  nginx:
+    image: nginx
+    container_name: nginx
+    # for single port container, host port will be found automatically
+    ports:
+      - 80
+    volumes:
+      - nginx:/usr/share/nginx/html
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Proxy setup
+
+```yaml
+go-proxy:
+  image: ghcr.io/yusing/go-proxy
+  container_name: go-proxy
+  restart: always
+  network_mode: host
+  volumes:
+    - ./config:/app/config
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+  labels:
+    - proxy.aliases=gp
+    - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Local docker provider in host network
+
+Mostly as remote docker setup, see [remote setup](#remote-setup)
+
+With `GOPROXY_HOST_NETWORK=1` to treat it as remote docker provider
+
+#### Proxy setup
+
+```yaml
+go-proxy:
+  image: ghcr.io/yusing/go-proxy
+  container_name: go-proxy
+  restart: always
+  network_mode: host
+  environment: # this part is needed for local docker in host mode
+    - GOPROXY_HOST_NETWORK=1
+  volumes:
+    - ./config:/app/config
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+  labels:
+    - proxy.aliases=gp
+    - proxy.gp.port=8080
+```
+
+[🔼Back to top](#table-of-content)
+
+### Services URLs for above examples
+
+- `gp.yourdomain.com`: go-proxy web panel
+- `adg-setup.yourdomain.com`: adguard setup (first time setup)
+- `adg.yourdomain.com`: adguard dashboard
+- `nginx.yourdomain.com`: nginx
+- `yourdomain.com:53`: adguard dns
+- `yourdomain.com:25565`: minecraft server
+- `yourdomain.com:8211`: palworld server
+
+[🔼Back to top](#table-of-content)

entrypoint.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-if [ "$1" == "restart" ]; then
-    echo "restarting"
-    killall go-proxy
-fi
-if [ "$GOPROXY_DEBUG" == "1" ]; then
-    /app/go-proxy 2> log/go-proxy.log &
-    tail -f /dev/null
-else
-    /app/go-proxy
-fi

go.mod

@@ -9,16 +9,16 @@ require (
 	github.com/go-acme/lego/v4 v4.16.1
 	github.com/santhosh-tekuri/jsonschema v1.2.4
 	github.com/sirupsen/logrus v1.9.3
-	golang.org/x/net v0.22.0
+	golang.org/x/net v0.24.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.91.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.92.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/distribution/reference v0.5.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -37,17 +37,18 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
+	go.opentelemetry.io/otel v1.25.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.25.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	go.opentelemetry.io/otel/trace v1.25.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
+	golang.org/x/tools v0.20.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )

go.sum

@@ -1,24 +1,18 @@
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
-github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
-github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cloudflare/cloudflare-go v0.86.0 h1:jEKN5VHNYNYtfDL2lUFLTRo+nOVNPFxpXTstVx0rqHI=
-github.com/cloudflare/cloudflare-go v0.86.0/go.mod h1:wYW/5UP02TUfBToa/yKbQHV+r6h1NnJ1Je7XjuGM4Jw=
-github.com/cloudflare/cloudflare-go v0.91.0 h1:L7IR+86qrZuEMSjGFg4cwRwtHqC8uCPmMUkP7BD4CPw=
-github.com/cloudflare/cloudflare-go v0.91.0/go.mod h1:nUqvBUUDRxNzsDSQjbqUNWHEIYAoUlgRmcAzMKlFdKs=
+github.com/cloudflare/cloudflare-go v0.92.0 h1:ltJvGvqZ4G6Fm2hHOYZ5RWpJQcrM0oDrsjjZydZhFJQ=
+github.com/cloudflare/cloudflare-go v0.92.0/go.mod h1:nUqvBUUDRxNzsDSQjbqUNWHEIYAoUlgRmcAzMKlFdKs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
-github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUyzJVPxD30I=
 github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
@@ -64,7 +58,6 @@ github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT
 github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -85,7 +78,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -94,63 +86,57 @@ github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XF
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
 github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
-go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
-go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8=
+go.opentelemetry.io/otel v1.25.0 h1:gldB5FfhRl7OJQbUHt/8s0a7cE8fbsPAtdpRaApKy4k=
+go.opentelemetry.io/otel v1.25.0/go.mod h1:Wa2ds5NOXEMkCmUou1WA7ZBfLTHWIsp034OVD7AO+Vg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
-go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
-go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/metric v1.25.0 h1:LUKbS7ArpFL/I2jJHdJcqMGxkRdxpPHE0VU/D4NuEwA=
+go.opentelemetry.io/otel/metric v1.25.0/go.mod h1:rkDLUSd2lC5lq2dFNrX9LGAbINP5B7WBkC78RXCpH5s=
 go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
 go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
-go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
-go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
+go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM=
+go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I=
 go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
 go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
-golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
@@ -161,10 +147,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
-golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
-golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
+golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
+golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

providers.example.yml

@@ -1,16 +1,26 @@
 example: # matching `app.y.z`
   # optional, defaults to http
-  scheme:
+  scheme: http
   # required, proxy target
   host: 10.0.0.1
   # optional, defaults to 80 for http, 443 for https
-  port: 80
+  port: "80"
   # optional, defaults to empty
   path:
-  # optional, defaults to sub
+  # optional, defaults to empty
   path_mode:
   # optional (https only)
   # no_tls_verify: false
+  # optional headers to set / override (http(s) only)
+  set_headers:
+    HEADER_A:
+      - VALUE_1
+      - VALUE_2
+    HEADER_B: [VALUE_3]
+  # optional headers to hide (http(s) only)
+  hide_headers:
+    - HEADER_C
+    - HEADER_D
 app1: # matching `app1.y.z` -> http://x.y.z
   host: x.y.z
 app2: # `app2` has no effect for tcp / udp, but still has to be unique across files
@@ -22,4 +32,7 @@ app3: # matching `app3.y.z` -> https://10.0.0.1/app3
   host: 10.0.0.1
   path: /app3
   path_mode: forward
-  no_tls_verify: false
+  no_tls_verify: false
+  set_headers:
+    X-Forwarded-Proto: [https]
+    X-Forwarded-Host: [app3.y.z]

schema/config.schema.json

@@ -24,28 +24,89 @@
         "provider": {
           "description": "DNS Challenge Provider",
           "type": "string",
-          "enum": ["cloudflare"]
+          "enum": ["cloudflare", "clouddns", "duckdns"]
         },
         "options": {
           "description": "Provider specific options",
-          "type": "object",
-          "properties": {
-            "auth_token": {
-              "description": "Cloudflare API Token with Zone Scope",
-              "type": "string"
-            }
-          }
+          "type": "object"
         }
       },
       "required": ["email", "domains", "provider", "options"],
-      "anyOf": [
+      "allOf": [
         {
-          "properties": {
-            "provider": {
-              "const": "cloudflare"
-            },
-            "options": {
-              "required": ["auth_token"]
+          "if": {
+            "properties": {
+              "provider": {
+                "const": "cloudflare"
+              }
+            }
+          },
+          "then": {
+            "properties": {
+              "options": {
+                "required": ["auth_token"],
+                "additionalProperties": false,
+                "properties": {
+                  "auth_token": {
+                    "description": "Cloudflare API Token with Zone Scope",
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": {
+              "provider": {
+                "const": "clouddns"
+              }
+            }
+          },
+          "then": {
+            "properties": {
+              "options": {
+                "required": ["client_id", "email", "password"],
+                "additionalProperties": false,
+                "properties": {
+                  "client_id": {
+                    "description": "CloudDNS Client ID",
+                    "type": "string"
+                  },
+                  "email": {
+                    "description": "CloudDNS Email",
+                    "type": "string"
+                  },
+                  "password": {
+                    "description": "CloudDNS Password",
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": {
+              "provider": {
+                "const": "duckdns"
+              }
+            }
+          },
+          "then": {
+            "properties": {
+              "options": {
+                "required": ["token"],
+                "additionalProperties": false,
+                "properties": {
+                  "token": {
+                    "description": "DuckDNS Token",
+                    "type": "string"
+                  }
+                }
+              }
             }
           }
         }
@@ -117,7 +178,17 @@
           ]
         }
       }
+    },
+    "timeout_shutdown": {
+      "title": "Shutdown timeout (in seconds)",
+      "type": "integer",
+      "minimum": 0
+    },
+    "redirect_to_https": {
+      "title": "Redirect to HTTPS",
+      "type": "boolean"
     }
   },
-  "additionalProperties": false
+  "additionalProperties": false,
+  "required": ["providers"]
 }

schema/providers.schema.json

@@ -1,7 +1,14 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "type": "object",
   "title": "go-proxy providers file",
+  "anyOf": [
+    {
+      "type":"object"
+    },
+    {
+      "type":"null"
+    }
+  ],
   "patternProperties": {
     "^[a-zA-Z0-9_-]+$": {
       "title": "Proxy entry",
@@ -48,7 +55,9 @@
         "no_tls_verify": {
           "description": "Disable TLS verification for https proxy",
           "type": "boolean"
-        }
+        },
+        "set_headers": {},
+        "hide_headers": {}
       },
       "required": ["host"],
       "additionalProperties": false,
@@ -122,6 +131,23 @@
                     "type": "null"
                   }
                 ]
+              }, 
+              "set_headers": {
+                "type": "object",
+                "description": "Proxy headers to set",
+                "additionalProperties": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "hide_headers": {
+                "type":"array",
+                "description": "Proxy headers to hide",
+                "items": {
+                  "type": "string"
+                }
               }
             }
           },
@@ -138,6 +164,12 @@
               },
               "path_mode": {
                 "not": true
+              },
+              "set_headers": {
+                "not": true
+              },
+              "hide_headers": {
+                "not": true
               }
             },
             "required": ["port"]

setup-binary.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+set -e
+REPO_URL=https://github.com/yusing/go-proxy
+BIN_URL="${REPO_URL}/releases/download/${VERSION}/go-proxy"
+SRC_URL="${REPO_URL}/archive/refs/tags/${VERSION}.tar.gz"
+APP_ROOT="/opt/go-proxy/${VERSION}"
+LOG_FILE="/tmp/go-proxy-setup.log"
+
+if [ -z "$VERSION" ] || [ "$VERSION" = "latest" ]; then
+    VERSION_URL="${REPO_URL}/raw/main/version.txt"
+    VERSION=$(wget -qO- "$VERSION_URL")
+fi
+
+if [ -d "$APP_ROOT" ]; then
+    echo "$APP_ROOT already exists"
+    exit 1
+fi
+
+# check if wget exists
+if ! [ -x "$(command -v wget)" ]; then
+    echo "wget is not installed"
+    exit 1
+fi
+
+# check if make exists
+if ! [ -x "$(command -v make)" ]; then
+    echo "make is not installed"
+    exit 1
+fi
+
+dl_source() {
+    cd /tmp
+    echo "Downloading go-proxy source ${VERSION}"
+    wget -c "${SRC_URL}" -O go-proxy.tar.gz &> $LOG_FILE
+    if [ $? -gt 0 ]; then
+        echo "Source download failed, check your internet connection and version number"
+        exit 1
+    fi
+    echo "Done"
+    echo "Extracting go-proxy source ${VERSION}"
+    tar xzf go-proxy.tar.gz &> $LOG_FILE
+    if [ $? -gt 0 ]; then
+        echo "failed to untar go-proxy.tar.gz"
+        exit 1
+    fi
+    rm go-proxy.tar.gz
+    mkdir -p "$(dirname "${APP_ROOT}")"
+    mv "go-proxy-${VERSION}" "$APP_ROOT"
+    cd "$APP_ROOT"
+    echo "Done"
+}
+dl_binary() {
+    mkdir -p bin
+    echo "Downloading go-proxy binary ${VERSION}"
+    wget -c "${BIN_URL}" -O bin/go-proxy &> $LOG_FILE
+    if [ $? -gt 0 ]; then
+        echo "Binary download failed, check your internet connection and version number"
+        exit 1
+    fi
+    chmod +x bin/go-proxy
+    echo "Done"
+}
+setup() {
+    make setup &> $LOG_FILE
+    if [ $? -gt 0 ]; then
+        echo "make setup failed"
+        exit 1
+    fi
+    # SETUP_CODEMIRROR = 1
+    if [ "$SETUP_CODEMIRROR" != "0" ]; then
+        make setup-codemirror &> $LOG_FILE || echo "make setup-codemirror failed, ignored"
+    fi
+}
+
+dl_source
+dl_binary
+setup
+
+# setup systemd
+
+# check if systemctl exists
+if ! command -v systemctl is-system-running > /dev/null 2>&1; then
+    echo "systemctl not found, skipping systemd setup"
+    exit 0
+fi
+systemctl_failed() {
+    echo "Failed to enable and start go-proxy"
+    systemctl status go-proxy
+    exit 1
+}
+echo "Setting up systemd service"
+cat <<EOF > /etc/systemd/system/go-proxy.service
+[Unit]
+Description=go-proxy reverse proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+[Service]
+Type=simple
+ExecStart=${APP_ROOT}/bin/go-proxy
+WorkingDirectory=${APP_ROOT}
+Environment="GOPROXY_IS_SYSTEMD=1"
+Restart=on-failure
+RestartSec=1s
+KillMode=process
+KillSignal=SIGINT
+TimeoutStartSec=5s
+TimeoutStopSec=5s
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl daemon-reload &>$LOG_FILE || systemctl_failed
+systemctl enable --now go-proxy &>$LOG_FILE || systemctl_failed
+echo "Done"
+echo "Setup complete"

setup-docker.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+if [ -z "$BRANCH" ]; then
+    BRANCH="main"
+fi
+BASE_URL="https://github.com/yusing/go-proxy/raw/${BRANCH}"
+mkdir -p go-proxy
+cd go-proxy
+mkdir -p config
+mkdir -p certs
+[ -f compose.yml ] || wget -cO - ${BASE_URL}/compose.example.yml > compose.yml
+[ -f config/config.yml ] || wget -cO - ${BASE_URL}/config.example.yml > config/config.yml
+[ -f config/providers.yml ] || touch config/providers.yml

src/go-proxy/args.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"flag"
+
+	"github.com/sirupsen/logrus"
+)
+
+type Args struct {
+	Command string
+}
+
+const (
+	CommandStart    = ""
+	CommandValidate = "validate"
+	CommandReload   = "reload"
+)
+
+var ValidCommands = []string{CommandStart, CommandValidate, CommandReload}
+
+func getArgs() Args {
+	var args Args
+	flag.Parse()
+	args.Command = flag.Arg(0)
+	if err := validateArgs(args.Command, ValidCommands); err != nil {
+		logrus.Fatal(err)
+	}
+	return args
+}
+
+func validateArgs[T comparable](arg T, validArgs []T) error {
+	for _, v := range validArgs {
+		if arg == v {
+			return nil
+		}
+	}
+	return NewNestedError("invalid argument").Subjectf("%v", arg)
+}

src/go-proxy/autocert.go

@@ -9,6 +9,7 @@ import (
 	"crypto/x509"
 	"os"
 	"path"
+	"slices"
 	"sync"
 	"time"
 
@@ -16,13 +17,15 @@ import (
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/dns/clouddns"
 	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/providers/dns/duckdns"
 	"github.com/go-acme/lego/v4/registration"
 )
 
-type ProviderOptions = map[string]string
-type ProviderGenerator = func(ProviderOptions) (challenge.Provider, error)
-type CertExpiries = map[string]time.Time
+type ProviderOptions map[string]string
+type ProviderGenerator func(ProviderOptions) (challenge.Provider, error)
+type CertExpiries map[string]time.Time
 
 type AutoCertConfig struct {
 	Email    string          `json:"email"`
@@ -53,7 +56,7 @@ type AutoCertProvider interface {
 	GetExpiries() CertExpiries
 	LoadCert() bool
 	ObtainCert() NestedErrorLike
-	RenewalOn() time.Time
+	ShouldRenewOn() time.Time
 	ScheduleRenewal()
 }
 
@@ -71,7 +74,7 @@ func (cfg AutoCertConfig) GetProvider() (AutoCertProvider, error) {
 	}
 	gen, ok := providersGenMap[cfg.Provider]
 	if !ok {
-		ne.Extraf("unknown provider: %s", cfg.Provider)
+		ne.Extraf("unknown provider: %q", cfg.Provider)
 	}
 	if ne.HasExtras() {
 		return nil, ne
@@ -188,13 +191,9 @@ func (p *autoCertProvider) LoadCert() bool {
 	return true
 }
 
-func (p *autoCertProvider) RenewalOn() time.Time {
-	t := time.Now().AddDate(0, 0, 3)
+func (p *autoCertProvider) ShouldRenewOn() time.Time {
 	for _, expiry := range p.certExpiries {
-		if expiry.Before(t) {
-			return time.Now()
-		}
-		return t
+		return expiry.AddDate(0, -1, 0)
 	}
 	// this line should never be reached
 	panic("no certificate available")
@@ -202,8 +201,8 @@ func (p *autoCertProvider) RenewalOn() time.Time {
 
 func (p *autoCertProvider) ScheduleRenewal() {
 	for {
-		t := time.Until(p.RenewalOn())
-		aclog.Infof("next renewal in %v", t)
+		t := time.Until(p.ShouldRenewOn())
+		aclog.Infof("next renewal in %v", t.Round(time.Second))
 		time.Sleep(t)
 		err := p.renewIfNeeded()
 		if err != nil {
@@ -229,7 +228,29 @@ func (p *autoCertProvider) saveCert(cert *certificate.Resource) NestedErrorLike
 }
 
 func (p *autoCertProvider) needRenewal() bool {
-	return time.Now().After(p.RenewalOn())
+	expired := time.Now().After(p.ShouldRenewOn())
+	if expired {
+		return true
+	}
+	if len(p.cfg.Domains) != len(p.certExpiries) {
+		return true
+	}
+	wantedDomains := make([]string, len(p.cfg.Domains))
+	certDomains := make([]string, len(p.certExpiries))
+	copy(wantedDomains, p.cfg.Domains)
+	i := 0
+	for domain := range p.certExpiries {
+		certDomains[i] = domain
+		i++
+	}
+	slices.Sort(wantedDomains)
+	slices.Sort(certDomains)
+	for i, domain := range certDomains {
+		if domain != wantedDomains[i] {
+			return true
+		}
+	}
+	return false
 }
 
 func (p *autoCertProvider) renewIfNeeded() NestedErrorLike {
@@ -248,6 +269,7 @@ func (p *autoCertProvider) renewIfNeeded() NestedErrorLike {
 	for {
 		err := p.ObtainCert()
 		if err == nil {
+			aclog.Info("renewed certificate")
 			return nil
 		}
 		trials++
@@ -304,4 +326,6 @@ func setOptions[T interface{}](cfg *T, opt ProviderOptions) error {
 
 var providersGenMap = map[string]ProviderGenerator{
 	"cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+	"clouddns":   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
+	"duckdns":    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
 }

src/go-proxy/config.go

@@ -1,14 +1,16 @@
 package main
 
 import (
-	"os"
 	"sync"
+	"time"
 
+	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 )
 
 // commented out if unused
 type Config interface {
+	Value() configModel
 	// Load() error
 	MustLoad()
 	GetAutoCertProvider() (AutoCertProvider, error)
@@ -21,12 +23,12 @@ type Config interface {
 }
 
 func NewConfig(path string) Config {
-	cfg := &config{reader: &FileReader{Path: path}}
-	cfg.watcher = NewFileWatcher(
-		path,
-		cfg.MustReload,        // OnChange
-		func() { os.Exit(1) }, // OnDelete
-	)
+	cfg := &config{
+		reader: &FileReader{Path: path},
+		l:      cfgl,
+	}
+	// must init fields above before creating watcher
+	cfg.watcher = cfg.NewFileWatcher()
 	return cfg
 }
 
@@ -35,10 +37,11 @@ func ValidateConfig(data []byte) error {
 	return cfg.Load()
 }
 
-func (cfg *config) Load(reader ...Reader) error {
-	cfg.mutex.Lock()
-	defer cfg.mutex.Unlock()
+func (cfg *config) Value() configModel {
+	return *cfg.m
+}
 
+func (cfg *config) Load() error {
 	if cfg.reader == nil {
 		panic("config reader not set")
 	}
@@ -48,7 +51,7 @@ func (cfg *config) Load(reader ...Reader) error {
 		return NewNestedError("unable to read config file").With(err)
 	}
 
-	model := &configModel{}
+	model := defaultConfig()
 	if err := yaml.Unmarshal(data, model); err != nil {
 		return NewNestedError("unable to parse config file").With(err)
 	}
@@ -60,7 +63,7 @@ func (cfg *config) Load(reader ...Reader) error {
 		ne.With(err)
 	}
 
-	pErrs := NewNestedError("errors in these providers")
+	pErrs := NewNestedError("these providers have errors")
 
 	for name, p := range model.Providers {
 		if p.Kind != ProviderKind_File {
@@ -82,13 +85,16 @@ func (cfg *config) Load(reader ...Reader) error {
 		return ne
 	}
 
+	cfg.mutex.Lock()
+	defer cfg.mutex.Unlock()
+
 	cfg.m = model
 	return nil
 }
 
 func (cfg *config) MustLoad() {
 	if err := cfg.Load(); err != nil {
-		cfgl.Fatal(err)
+		cfg.l.Fatal(err)
 	}
 }
 
@@ -107,7 +113,7 @@ func (cfg *config) Reload() error {
 
 func (cfg *config) MustReload() {
 	if err := cfg.Reload(); err != nil {
-		cfgl.Fatal(err)
+		cfg.l.Fatal(err)
 	}
 }
 
@@ -136,7 +142,7 @@ func (cfg *config) StartProviders() {
 	cfg.providerInitialized = true
 
 	if pErrs.HasExtras() {
-		cfgl.Error(pErrs)
+		cfg.l.Error(pErrs)
 	}
 }
 
@@ -170,13 +176,23 @@ func (cfg *config) StopWatching() {
 }
 
 type configModel struct {
-	Providers map[string]*Provider `yaml:",flow" json:"providers"`
-	AutoCert  AutoCertConfig       `yaml:",flow" json:"autocert"`
+	Providers       map[string]*Provider `yaml:",flow" json:"providers"`
+	AutoCert        AutoCertConfig       `yaml:",flow" json:"autocert"`
+	TimeoutShutdown time.Duration        `yaml:"timeout_shutdown" json:"timeout_shutdown"`
+	RedirectToHTTPS bool                 `yaml:"redirect_to_https" json:"redirect_to_https"`
+}
+
+func defaultConfig() *configModel {
+	return &configModel{
+		TimeoutShutdown: 3 * time.Second,
+		RedirectToHTTPS: false,
+	}
 }
 
 type config struct {
-	m *configModel	
+	m *configModel
 
+	l                   logrus.FieldLogger
 	reader              Reader
 	watcher             Watcher
 	mutex               sync.Mutex

src/go-proxy/constants.go

@@ -12,7 +12,7 @@ import (
 )
 
 var (
-	ImageNamePortMap = map[string]string{
+	ImageNamePortMapTCP = map[string]string{
 		"postgres":  "5432",
 		"mysql":     "3306",
 		"mariadb":   "3306",
@@ -22,7 +22,7 @@ var (
 		"rabbitmq":  "5672",
 		"mongo":     "27017",
 	}
-	ExtraNamePortMap = map[string]string{
+	ExtraNamePortMapTCP = map[string]string{
 		"dns":  "53",
 		"ssh":  "22",
 		"ftp":  "21",
@@ -30,18 +30,44 @@ var (
 		"pop3": "110",
 		"imap": "143",
 	}
-	NamePortMap = func() map[string]string {
+	NamePortMapTCP = func() map[string]string {
 		m := make(map[string]string)
-		for k, v := range ImageNamePortMap {
+		for k, v := range ImageNamePortMapTCP {
 			m[k] = v
 		}
-		for k, v := range ExtraNamePortMap {
+		for k, v := range ExtraNamePortMapTCP {
 			m[k] = v
 		}
 		return m
 	}()
 )
 
+var ImageNamePortMapHTTP = map[string]uint16{
+	"nginx":               80,
+	"httpd":               80,
+	"adguardhome":         3000,
+	"gogs":                3000,
+	"gitea":               3000,
+	"portainer":           9000,
+	"portainer-ce":        9000,
+	"home-assistant":      8123,
+	"homebridge":          8581,
+	"uptime-kuma":         3001,
+	"changedetection.io":  3000,
+	"prometheus":          9090,
+	"grafana":             3000,
+	"dockge":              5001,
+	"nginx-proxy-manager": 81,
+}
+
+var wellKnownHTTPPorts = map[uint16]bool{
+	80:   true,
+	8000: true,
+	8008: true,
+	8080: true,
+	3000: true,
+}
+
 var (
 	StreamSchemes = []string{StreamType_TCP, StreamType_UDP} // TODO: support "tcp:udp", "udp:tcp"
 	HTTPSchemes   = []string{"http", "https"}
@@ -92,11 +118,12 @@ var (
 				Timeout:   5 * time.Second,
 				KeepAlive: 5 * time.Second,
 			}).DialContext,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		},
 	}
 )
 
-const wildcardLabelPrefix = "proxy.*."
+const wildcardAlias = "*"
 
 const clientUrlFromEnv = "FROM_ENV"
 
@@ -120,18 +147,6 @@ const (
 var (
 	configSchema    *jsonschema.Schema
 	providersSchema *jsonschema.Schema
-	_               = func() *jsonschema.Compiler {
-		c := jsonschema.NewCompiler()
-		c.Draft = jsonschema.Draft7
-		var err error
-		if configSchema, err = c.Compile(configSchemaPath); err != nil {
-			panic(err)
-		}
-		if providersSchema, err = c.Compile(providersSchemaPath); err != nil {
-			panic(err)
-		}
-		return c
-	}()
 )
 
 const (
@@ -141,12 +156,36 @@ const (
 
 const udpBufferSize = 1500
 
+var isHostNetworkMode = getEnvBool("GOPROXY_HOST_NETWORK")
+
 var logLevel = func() logrus.Level {
-	switch os.Getenv("GOPROXY_DEBUG") {
-	case "1", "true":
+	if getEnvBool("GOPROXY_DEBUG") {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
 	return logrus.GetLevel()
 }()
 
-var redirectToHTTPS = os.Getenv("GOPROXY_REDIRECT_HTTP") != "0" && os.Getenv("GOPROXY_REDIRECT_HTTP") != "false"
+var isRunningAsService = getEnvBool("IS_SYSTEMD") || getEnvBool("GOPROXY_IS_SYSTEMD") // IS_SYSTEMD is deprecated
+
+var noSchemaValidation = getEnvBool("GOPROXY_NO_SCHEMA_VALIDATION")
+
+func getEnvBool(key string) bool {
+	v := os.Getenv(key)
+	return v == "1" || v == "true"
+}
+
+func initSchema() {
+	if noSchemaValidation {
+		return
+	}
+
+	c := jsonschema.NewCompiler()
+	c.Draft = jsonschema.Draft7
+	var err error
+	if configSchema, err = c.Compile(configSchemaPath); err != nil {
+		panic(err)
+	}
+	if providersSchema, err = c.Compile(providersSchemaPath); err != nil {
+		panic(err)
+	}
+}

src/go-proxy/docker_provider.go

@@ -1,8 +1,10 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -13,20 +15,15 @@ import (
 	"golang.org/x/net/context"
 )
 
-func (p *Provider) setConfigField(c *ProxyConfig, label string, value string, prefix string) error {
-	if strings.HasPrefix(label, prefix) {
-		field := strings.TrimPrefix(label, prefix)
-		if err := setFieldFromSnake(c, field, value); err != nil {
-			return err
-		}
-	}
-	return nil
+func setConfigField(pl *ProxyLabel, c *ProxyConfig) error {
+	return setFieldFromSnake(c, pl.Field, pl.Value)
 }
 
-func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP string) ProxyConfigSlice {
+func (p *Provider) getContainerProxyConfigs(container *types.Container, clientIP string) (ProxyConfigSlice, error) {
 	var aliases []string
 
 	cfgs := make(ProxyConfigSlice, 0)
+	cfgMap := make(map[string]*ProxyConfig)
 
 	containerName := strings.TrimPrefix(container.Names[0], "/")
 	aliasesLabel, ok := container.Labels["proxy.aliases"]
@@ -34,50 +31,66 @@ func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP
 	if !ok {
 		aliases = []string{containerName}
 	} else {
-		aliases = strings.Split(aliasesLabel, ",")
+		v, _ := commaSepParser(aliasesLabel)
+		aliases = v.([]string)
 	}
 
+	if clientIP == "" && isHostNetworkMode {
+		clientIP = "127.0.0.1"
+	}
 	isRemote := clientIP != ""
 
-	ne := NewNestedError("invalid label config").Subjectf("container %s", containerName)
-	defer func() {
-		if ne.HasExtras() {
-			p.l.Error(ne)
-		}
-	}()
-
 	for _, alias := range aliases {
-		l := p.l.WithField("container", containerName).WithField("alias", alias)
-		config := NewProxyConfig(p)
-		prefix := fmt.Sprintf("proxy.%s.", alias)
-		for label, value := range container.Labels {
-			err := p.setConfigField(&config, label, value, prefix)
-			if err != nil {
-				ne.ExtraError(NewNestedErrorFrom(err).Subjectf("alias %s", alias))
-			}
-			err = p.setConfigField(&config, label, value, wildcardLabelPrefix)
-			if err != nil {
-				ne.ExtraError(NewNestedErrorFrom(err).Subjectf("alias %s", alias))
+		cfgMap[alias] = &ProxyConfig{}
+	}
+
+	ne := NewNestedError("these labels have errors").Subject(containerName)
+
+	for label, value := range container.Labels {
+		pl, err := parseProxyLabel(label, value)
+		if err != nil {
+			if !errors.Is(err, errNotProxyLabel) {
+				ne.ExtraError(NewNestedErrorFrom(err).Subject(label))
 			}
+			continue
 		}
+		if pl.Alias == wildcardAlias {
+			for alias := range cfgMap {
+				pl.Alias = alias
+				err = setConfigField(pl, cfgMap[alias])
+				if err != nil {
+					ne.ExtraError(NewNestedErrorFrom(err).Subject(pl.Alias))
+				}
+			}
+			continue
+		}
+		config, ok := cfgMap[pl.Alias]
+		if !ok {
+			ne.ExtraError(NewNestedError("unknown alias").Subject(pl.Alias))
+			continue
+		}
+		err = setConfigField(pl, config)
+		if err != nil {
+			ne.ExtraError(NewNestedErrorFrom(err).Subject(pl.Alias))
+		}
+	}
+
+	for alias, config := range cfgMap {
+		l := p.l.WithField("alias", alias)
 		if config.Port == "" {
-			config.Port = fmt.Sprintf("%d", selectPort(container))
+			config.Port = fmt.Sprintf("%d", selectPort(container, isRemote))
 		}
 		if config.Port == "0" {
-			l.Debugf("no ports exposed, ignored")
+			l.Infof("no ports exposed, ignored")
 			continue
 		}
 		if config.Scheme == "" {
 			switch {
 			case strings.HasSuffix(config.Port, "443"):
 				config.Scheme = "https"
-			case strings.HasPrefix(container.Image, "sha256:"):
-				config.Scheme = "http"
 			default:
-				imageSplit := strings.Split(container.Image, "/")
-				imageSplit = strings.Split(imageSplit[len(imageSplit)-1], ":")
-				imageName := imageSplit[0]
-				_, isKnownImage := ImageNamePortMap[imageName]
+				imageName := getImageName(container)
+				_, isKnownImage := ImageNamePortMapTCP[imageName]
 				if isKnownImage {
 					config.Scheme = "tcp"
 				} else {
@@ -86,9 +99,22 @@ func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP
 			}
 		}
 		if !isValidScheme(config.Scheme) {
-			l.Warnf("unsupported scheme: %s, using http", config.Scheme)
-			config.Scheme = "http"
+			ne.Extra("unsupported scheme").Subject(config.Scheme)
 		}
+
+		if isRemote && strings.HasPrefix(config.Port, "*") {
+			var err error
+			// find matching port
+			srcPort := config.Port[1:]
+			config.Port, err = findMatchingContainerPort(container, srcPort)
+			if err != nil {
+				ne.ExtraError(NewNestedErrorFrom(err).Subjectf("alias %s", alias))
+			}
+			if isStreamScheme(config.Scheme) {
+				config.Port = fmt.Sprintf("%s:%s", srcPort, config.Port)
+			}
+		}
+
 		if config.Host == "" {
 			switch {
 			case isRemote:
@@ -114,9 +140,16 @@ func (p *Provider) getContainerProxyConfigs(container types.Container, clientIP
 		}
 		config.Alias = alias
 
-		cfgs = append(cfgs, config)
+		if ne.HasExtras() {
+			continue
+		}
+		cfgs = append(cfgs, *config)
 	}
-	return cfgs
+
+	if ne.HasExtras() {
+		return nil, ne
+	}
+	return cfgs, nil
 }
 
 func (p *Provider) getDockerClient() (*client.Client, error) {
@@ -181,26 +214,73 @@ func (p *Provider) getDockerProxyConfigs() (ProxyConfigSlice, error) {
 
 	cfgs := make(ProxyConfigSlice, 0)
 
+	ne := NewNestedError("these containers have errors")
 	for _, container := range containerSlice {
-		cfgs = append(cfgs, p.getContainerProxyConfigs(container, clientIP)...)
+		ccfgs, err := p.getContainerProxyConfigs(&container, clientIP)
+		if err != nil {
+			ne.ExtraError(err)
+			continue
+		}
+		cfgs = append(cfgs, ccfgs...)
+	}
+
+	if ne.HasExtras() {
+		// print but ignore
+		p.l.Error(ne)
 	}
 
 	return cfgs, nil
 }
 
 // var dockerUrlRegex = regexp.MustCompile(`^(?P<scheme>\w+)://(?P<host>[^:]+)(?P<port>:\d+)?(?P<path>/.*)?$`)
+func getImageName(c *types.Container) string {
+	imageSplit := strings.Split(c.Image, "/")
+	imageSplit = strings.Split(imageSplit[len(imageSplit)-1], ":")
+	return imageSplit[0]
+}
 
 func getPublicPort(p types.Port) uint16  { return p.PublicPort }
 func getPrivatePort(p types.Port) uint16 { return p.PrivatePort }
 
-func selectPort(c types.Container) uint16 {
-	if c.HostConfig.NetworkMode == "host" {
-		return selectPortInternal(c, getPrivatePort)
+func selectPort(c *types.Container, isRemote bool) uint16 {
+	if isRemote || c.HostConfig.NetworkMode == "host" {
+		return selectPortInternal(c, getPublicPort)
 	}
-	return selectPortInternal(c, getPublicPort)
+	return selectPortInternal(c, getPrivatePort)
 }
 
-func selectPortInternal(c types.Container, getPort func(types.Port) uint16) uint16 {
+// used when isRemote is true
+func findMatchingContainerPort(c *types.Container, ps string) (string, error) {
+	p, err := strconv.Atoi(ps)
+	if err != nil {
+		return "", err
+	}
+	pWant := uint16(p)
+	for _, pGot := range c.Ports {
+		if pGot.PrivatePort == pWant {
+			return fmt.Sprintf("%d", pGot.PublicPort), nil
+		}
+	}
+	return "", fmt.Errorf("port %d not found", p)
+}
+
+func selectPortInternal(c *types.Container, getPort func(types.Port) uint16) uint16 {
+	imageName := getImageName(c)
+	// if is known image -> use known port
+	if port, isKnown := ImageNamePortMapHTTP[imageName]; isKnown {
+		for _, p := range c.Ports {
+			if p.PrivatePort == port {
+				return getPort(p)
+			}
+		}
+	}
+	// if it has known http port -> use it
+	for _, p := range c.Ports {
+		if isWellKnownHTTPPort(p.PrivatePort) {
+			return getPort(p)
+		}
+	}
+	// if it has any port -> use it
 	for _, p := range c.Ports {
 		if port := getPort(p); port != 0 {
 			return port
@@ -208,3 +288,8 @@ func selectPortInternal(c types.Container, getPort func(types.Port) uint16) uint
 	}
 	return 0
 }
+
+func isWellKnownHTTPPort(port uint16) bool {
+	_, ok := wellKnownHTTPPorts[port]
+	return ok
+}

src/go-proxy/error.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 	"sync"
@@ -46,6 +47,10 @@ func NewNestedErrorFrom(err error) NestedErrorLike {
 	if err == nil {
 		panic("cannot convert nil error to NestedError")
 	}
+	errUnwrap := errors.Unwrap(err)
+	if errUnwrap != nil {
+		return NewNestedErrorFrom(errUnwrap)
+	}
 	return NewNestedError(err.Error())
 }
 
@@ -92,23 +97,23 @@ func (ne *NestedError) Level() int {
 	return ne.level
 }
 
-func (ef *NestedError) Error() string {
+func (ne *NestedError) Error() string {
 	var buf strings.Builder
-	ef.writeToSB(&buf, "")
+	ne.writeToSB(&buf, ne.level, "")
 	return buf.String()
 }
 
-func (ef *NestedError) HasInner() bool {
-	return ef.inner != nil
+func (ne *NestedError) HasInner() bool {
+	return ne.inner != nil
 }
 
-func (ef *NestedError) HasExtras() bool {
-	return len(ef.extras) > 0
+func (ne *NestedError) HasExtras() bool {
+	return len(ne.extras) > 0
 }
 
-func (ef *NestedError) With(inner error) NestedErrorLike {
-	ef.Lock()
-	defer ef.Unlock()
+func (ne *NestedError) With(inner error) NestedErrorLike {
+	ne.Lock()
+	defer ne.Unlock()
 
 	var in *NestedError
 
@@ -116,79 +121,75 @@ func (ef *NestedError) With(inner error) NestedErrorLike {
 	case NestedErrorLike:
 		in = t.copy()
 	default:
-		in = &NestedError{extras: []string{t.Error()}}
+		in = &NestedError{message: t.Error()}
 	}
-	if ef.inner == nil {
-		ef.inner = in
+	if ne.inner == nil {
+		ne.inner = in
 	} else {
-		ef.inner.ExtraError(in)
+		ne.inner.ExtraError(in)
 	}
-	root := ef
+	root := ne
 	for root.inner != nil {
 		root.inner.level = root.level + 1
 		root = root.inner
 	}
-	return ef
+	return ne
 }
 
-func (ef *NestedError) addLevel(level int) NestedErrorLike {
-	ef.level += level
-	if ef.inner != nil {
-		ef.inner.addLevel(level)
+func (ne *NestedError) addLevel(level int) NestedErrorLike {
+	ne.level += level
+	if ne.inner != nil {
+		ne.inner.addLevel(level)
 	}
-	return ef
+	return ne
 }
 
-func (ef *NestedError) copy() *NestedError {
+func (ne *NestedError) copy() *NestedError {
 	var inner *NestedError
-	if ef.inner != nil {
-		inner = ef.inner.copy()
+	if ne.inner != nil {
+		inner = ne.inner.copy()
 	}
 	return &NestedError{
-		subject: ef.subject,
-		message: ef.message,
-		extras:  ef.extras,
+		subject: ne.subject,
+		message: ne.message,
+		extras:  ne.extras,
 		inner:   inner,
-		level:   ef.level,
 	}
 }
 
-func (ef *NestedError) writeIndents(sb *strings.Builder, level int) {
+func (ne *NestedError) writeIndents(sb *strings.Builder, level int) {
 	for i := 0; i < level; i++ {
 		sb.WriteString("  ")
 	}
 }
 
-func (ef *NestedError) writeToSB(sb *strings.Builder, prefix string) {
-	ef.writeIndents(sb, ef.level)
+func (ne *NestedError) writeToSB(sb *strings.Builder, level int, prefix string) {
+	ne.writeIndents(sb, level)
 	sb.WriteString(prefix)
 
-	if ef.subject != "" {
-		sb.WriteRune('"')
-		sb.WriteString(ef.subject)
-		sb.WriteRune('"')
-		if ef.message != "" {
-			sb.WriteString(":\n")
-		} else {
-			sb.WriteRune('\n')
+	if ne.subject != "" {
+		sb.WriteString(ne.subject)
+		if ne.message != "" {
+			sb.WriteString(": ")
 		}
 	}
-	if ef.message != "" {
-		ef.writeIndents(sb, ef.level)
-		sb.WriteString(ef.message)
-		sb.WriteRune('\n')
+	if ne.message != "" {
+		sb.WriteString(ne.message)
 	}
-	for _, l := range ef.extras {
-		l = strings.TrimSpace(l)
+	if ne.HasExtras() || ne.HasInner() {
+		sb.WriteString(":\n")
+	}
+	level += 1
+	for _, l := range ne.extras {
 		if l == "" {
 			continue
 		}
-		ef.writeIndents(sb, ef.level)
+		ne.writeIndents(sb, level)
 		sb.WriteString("- ")
 		sb.WriteString(l)
 		sb.WriteRune('\n')
 	}
-	if ef.inner != nil {
-		ef.inner.writeToSB(sb, "- ")
+	if ne.inner != nil {
+		ne.inner.writeToSB(sb, level, "- ")
 	}
 }

src/go-proxy/error_test.go

@@ -0,0 +1,66 @@
+package main
+
+import (
+	"testing"
+)
+
+func AssertEq(t *testing.T, got, want string) {
+	t.Helper()
+	if got != want {
+		t.Errorf("expected %q, got %q", want, got)
+	}
+}
+
+func TestErrorSimple(t *testing.T) {
+	ne := NewNestedError("foo bar")
+	AssertEq(t, ne.Error(), "foo bar")
+	ne.Subject("baz")
+	AssertEq(t, ne.Error(), "baz: foo bar")
+}
+
+func TestErrorSubjectOnly(t *testing.T) {
+	ne := NewNestedError("").Subject("bar")
+	AssertEq(t, ne.Error(), "bar")
+}
+
+func TestErrorExtra(t *testing.T) {
+	ne := NewNestedError("foo").Extra("bar").Extra("baz")
+	AssertEq(t, ne.Error(), "foo:\n  - bar\n  - baz\n")
+}
+
+func TestErrorNested(t *testing.T) {
+	inner := NewNestedError("inner").
+		Extra("123").
+		Extra("456")
+	inner2 := NewNestedError("inner").
+		Subject("2").
+		Extra("456").
+		Extra("789")
+	inner3 := NewNestedError("inner").
+		Subject("3").
+		Extra("456").
+		Extra("789")
+	ne := NewNestedError("foo").
+		Extra("bar").
+		Extra("baz").
+		ExtraError(inner).
+		With(inner.With(inner2.With(inner3)))
+	want :=
+		`foo:
+  - bar
+  - baz
+  - inner:
+    - 123
+    - 456
+  - inner:
+    - 123
+    - 456
+    - 2: inner:
+      - 456
+      - 789
+      - 3: inner:
+        - 456
+        - 789
+`
+	AssertEq(t, ne.Error(), want)
+}

src/go-proxy/file_reader.go

@@ -1,23 +0,0 @@
-package main
-
-import "os"
-
-type Reader interface {
-	Read() ([]byte, error)
-}
-
-type FileReader struct {
-	Path string
-}
-
-func (r *FileReader) Read() ([]byte, error) {
-	return os.ReadFile(r.Path)
-}
-
-type ByteReader struct {
-	Data []byte
-}
-
-func (r *ByteReader) Read() ([]byte, error) {
-	return r.Data, nil
-}

src/go-proxy/http_route.go

@@ -34,7 +34,7 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 		tr = transport
 	}
 
-	proxy := NewSingleHostReverseProxy(url, tr)
+	proxy := NewReverseProxy(url, tr, config)
 
 	route := &HTTPRoute{
 		Alias:    config.Alias,
@@ -42,36 +42,35 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 		Path:     config.Path,
 		Proxy:    proxy,
 		PathMode: config.PathMode,
-		l: hrlog.WithFields(logrus.Fields{
-			"alias":     config.Alias,
-			"path":      config.Path,
-			"path_mode": config.PathMode,
-		}),
+		l:        logrus.WithField("alias", config.Alias),
 	}
 
 	var rewriteBegin = proxy.Rewrite
 	var rewrite func(*ProxyRequest)
 	var modifyResponse func(*http.Response) error
 
-	switch {
-	case config.Path == "", config.PathMode == ProxyPathMode_Forward:
+	// no path or forward path
+	if config.Path == "" || config.PathMode == ProxyPathMode_Forward {
 		rewrite = rewriteBegin
-	case config.PathMode == ProxyPathMode_RemovedPath:
-		rewrite = func(pr *ProxyRequest) {
-			rewriteBegin(pr)
-			pr.Out.URL.Path = strings.TrimPrefix(pr.Out.URL.Path, config.Path)
+	} else {
+		switch config.PathMode {
+		case ProxyPathMode_RemovedPath:
+			rewrite = func(pr *ProxyRequest) {
+				rewriteBegin(pr)
+				pr.Out.URL.Path = strings.TrimPrefix(pr.Out.URL.Path, config.Path)
+			}
+		case ProxyPathMode_Sub:
+			rewrite = func(pr *ProxyRequest) {
+				rewriteBegin(pr)
+				// disable compression
+				pr.Out.Header.Set("Accept-Encoding", "identity")
+				// remove path prefix
+				pr.Out.URL.Path = strings.TrimPrefix(pr.Out.URL.Path, config.Path)
+			}
+			modifyResponse = config.pathSubModResp
+		default:
+			return nil, NewNestedError("invalid path mode").Subject(config.PathMode)
 		}
-	case config.PathMode == ProxyPathMode_Sub:
-		rewrite = func(pr *ProxyRequest) {
-			rewriteBegin(pr)
-			// disable compression
-			pr.Out.Header.Set("Accept-Encoding", "identity")
-			// remove path prefix
-			pr.Out.URL.Path = strings.TrimPrefix(pr.Out.URL.Path, config.Path)
-		}
-		modifyResponse = config.pathSubModResp
-	default:
-		return nil, NewNestedError("invalid path mode").Subject(config.PathMode)
 	}
 
 	if logLevel == logrus.DebugLevel {
@@ -96,8 +95,9 @@ func NewHTTPRoute(config *ProxyConfig) (*HTTPRoute, error) {
 }
 
 func (r *HTTPRoute) Start() {
-	// dummy
+	httpRoutes.Get(r.Alias).Add(r.Path, r)
 }
+
 func (r *HTTPRoute) Stop() {
 	httpRoutes.Delete(r.Alias)
 }
@@ -157,6 +157,6 @@ func (config *ProxyConfig) pathSubModResp(r *http.Response) error {
 }
 
 // alias -> (path -> routes)
-type HTTPRoutes = SafeMap[string, pathPoolMap]
+type HTTPRoutes SafeMap[string, pathPoolMap]
 
 var httpRoutes HTTPRoutes = NewSafeMapOf[HTTPRoutes](newPathPoolMap)

src/go-proxy/io.go

@@ -2,13 +2,37 @@ package main
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"io"
-	"sync"
+	"os"
+	"sync/atomic"
 )
 
+type Reader interface {
+	Read() ([]byte, error)
+}
+
+type FileReader struct {
+	Path string
+}
+
+func (r *FileReader) Read() ([]byte, error) {
+	return os.ReadFile(r.Path)
+}
+
+type ByteReader struct {
+	Data []byte
+}
+
+func (r *ByteReader) Read() ([]byte, error) {
+	return r.Data, nil
+}
+
 type ReadCloser struct {
-	ctx context.Context
-	r   io.ReadCloser
+	ctx    context.Context
+	r      io.ReadCloser
+	closed atomic.Bool
 }
 
 func (r *ReadCloser) Read(p []byte) (int, error) {
@@ -21,13 +45,16 @@ func (r *ReadCloser) Read(p []byte) (int, error) {
 }
 
 func (r *ReadCloser) Close() error {
+	if r.closed.Load() {
+		return nil
+	}
+	r.closed.Store(true)
 	return r.r.Close()
 }
 
 type Pipe struct {
 	r      ReadCloser
 	w      io.WriteCloser
-	wg     sync.WaitGroup
 	ctx    context.Context
 	cancel context.CancelFunc
 }
@@ -35,32 +62,24 @@ type Pipe struct {
 func NewPipe(ctx context.Context, r io.ReadCloser, w io.WriteCloser) *Pipe {
 	ctx, cancel := context.WithCancel(ctx)
 	return &Pipe{
-		r:      ReadCloser{ctx, r},
+		r:      ReadCloser{ctx: ctx, r: r},
 		w:      w,
 		ctx:    ctx,
 		cancel: cancel,
 	}
 }
 
-func (p *Pipe) Start() {
-	p.wg.Add(1)
-	go func() {
-		Copy(p.ctx, p.w, &p.r)
-		p.wg.Done()
-	}()
+func (p *Pipe) Start() error {
+	return Copy(p.ctx, p.w, &p.r)
 }
 
-func (p *Pipe) Stop() {
+func (p *Pipe) Stop() error {
 	p.cancel()
-	p.wg.Wait()
+	return errors.Join(fmt.Errorf("read: %w", p.r.Close()), fmt.Errorf("write: %w", p.w.Close()))
 }
 
-func (p *Pipe) Close() (error, error) {
-	return p.r.Close(), p.w.Close()
-}
-
-func (p *Pipe) Wait() {
-	p.wg.Wait()
+func (p *Pipe) Write(b []byte) (int, error) {
+	return p.w.Write(b)
 }
 
 type BidirectionalPipe struct {
@@ -75,26 +94,34 @@ func NewBidirectionalPipe(ctx context.Context, rw1 io.ReadWriteCloser, rw2 io.Re
 	}
 }
 
-func (p *BidirectionalPipe) Start() {
-	p.pSrcDst.Start()
-	p.pDstSrc.Start()
+func NewBidirectionalPipeIntermediate(ctx context.Context, listener io.ReadCloser, client io.ReadWriteCloser, target io.ReadWriteCloser) *BidirectionalPipe {
+	return &BidirectionalPipe{
+		pSrcDst: *NewPipe(ctx, listener, client),
+		pDstSrc: *NewPipe(ctx, client, target),
+	}
 }
 
-func (p *BidirectionalPipe) Stop() {
-	p.pSrcDst.Stop()
-	p.pDstSrc.Stop()
+func (p *BidirectionalPipe) Start() error {
+	errCh := make(chan error, 2)
+	go func() {
+		errCh <- p.pSrcDst.Start()
+	}()
+	go func() {
+		errCh <- p.pDstSrc.Start()
+	}()
+	for err := range errCh {
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
-func (p *BidirectionalPipe) Close() (error, error) {
-	return p.pSrcDst.Close()
-}
-
-func (p *BidirectionalPipe) Wait() {
-	p.pSrcDst.Wait()
-	p.pDstSrc.Wait()
+func (p *BidirectionalPipe) Stop() error {
+	return errors.Join(p.pSrcDst.Stop(), p.pDstSrc.Stop())
 }
 
 func Copy(ctx context.Context, dst io.WriteCloser, src io.ReadCloser) error {
-	_, err := io.Copy(dst, &ReadCloser{ctx, src})
+	_, err := io.Copy(dst, &ReadCloser{ctx: ctx, r: src})
 	return err
 }

src/go-proxy/loggers.go

@@ -2,10 +2,9 @@ package main
 
 import "github.com/sirupsen/logrus"
 
-var palog = logrus.WithField("component", "panel")
-var prlog = logrus.WithField("component", "provider")
-var cfgl = logrus.WithField("component", "config")
-var hrlog = logrus.WithField("component", "http_proxy")
-var srlog = logrus.WithField("component", "stream")
-var wlog = logrus.WithField("component", "watcher")
-var aclog = logrus.WithField("component", "autocert")
+var palog = logrus.WithField("?", "panel")
+var cfgl = logrus.WithField("?", "config")
+var hrlog = logrus.WithField("?", "http")
+var srlog = logrus.WithField("?", "stream")
+var wlog = logrus.WithField("?", "watcher")
+var aclog = logrus.WithField("?", "autocert")

src/go-proxy/main.go

@@ -1,12 +1,13 @@
 package main
 
 import (
-	"flag"
 	"net/http"
 	"os"
 	"os/signal"
 	"runtime"
+	"sync"
 	"syscall"
+	"time"
 
 	"github.com/sirupsen/logrus"
 )
@@ -16,21 +17,38 @@ var cfg Config
 func main() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
 
-	var verifyOnly bool 
-	flag.BoolVar(&verifyOnly, "verify", false, "verify config without starting server")
-	flag.Parse()
+	args := getArgs()
 
-	logrus.SetFormatter(&logrus.TextFormatter{
-		ForceColors:   true,
-		DisableColors: false,
-		FullTimestamp: true,
-		TimestampFormat: "01-02 15:04:05",
-	})
+	if isRunningAsService {
+		logrus.SetFormatter(&logrus.TextFormatter{
+			DisableColors:    true,
+			DisableTimestamp: true,
+			DisableSorting:   true,
+		})
+	} else {
+		logrus.SetFormatter(&logrus.TextFormatter{
+			ForceColors:     true,
+			DisableColors:   false,
+			DisableSorting:  true,
+			FullTimestamp:   true,
+			TimestampFormat: "01-02 15:04:05",
+		})
+	}
+
+	if args.Command == CommandReload {
+		err := utils.reloadServer()
+		if err != nil {
+			logrus.Fatal(err)
+		}
+		return
+	}
+
+	initSchema()
 
 	cfg = NewConfig(configPath)
 	cfg.MustLoad()
 
-	if verifyOnly {
+	if args.Command == CommandValidate {
 		logrus.Printf("config OK")
 		return
 	}
@@ -63,7 +81,7 @@ func main() {
 		HTTPAddr:        ":80",
 		HTTPSAddr:       ":443",
 		Handler:         http.HandlerFunc(proxyHandler),
-		RedirectToHTTPS: redirectToHTTPS,
+		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
 	})
 	panelServer = NewServer(ServerOptions{
 		Name:            "panel",
@@ -71,7 +89,7 @@ func main() {
 		HTTPAddr:        ":8080",
 		HTTPSAddr:       ":8443",
 		Handler:         panelHandler,
-		RedirectToHTTPS: redirectToHTTPS,
+		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
 	})
 
 	proxyServer.Start()
@@ -88,10 +106,32 @@ func main() {
 	signal.Notify(sig, syscall.SIGHUP)
 
 	<-sig
-	// cfg.StopWatching()
-	StopFSWatcher()
-	StopDockerWatcher()
-	cfg.StopProviders()
-	panelServer.Stop()
-	proxyServer.Stop()
+	logrus.Info("shutting down")
+	done := make(chan struct{}, 1)
+
+	var wg sync.WaitGroup
+	wg.Add(3)
+
+	go func() {
+		StopFSWatcher()
+		StopDockerWatcher()
+		cfg.StopProviders()
+		wg.Done()
+	}()
+	go func() {
+		panelServer.Stop()
+		proxyServer.Stop()
+		wg.Done()
+	}()
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		logrus.Info("shutdown complete")
+	case <-time.After(cfg.Value().TimeoutShutdown * time.Second):
+		logrus.Info("timeout waiting for shutdown")
+	}
 }

src/go-proxy/panel.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"errors"
+	"fmt"
 	"html/template"
 	"net/http"
 	"net/url"
@@ -68,7 +69,7 @@ func panelCheckTargetHealth(w http.ResponseWriter, r *http.Request) {
 func panelConfigEditor(w http.ResponseWriter, r *http.Request) {
 	cfgFiles := make([]string, 0)
 	cfgFiles = append(cfgFiles, path.Base(configPath))
-	for _, p := range cfg.(*config).m.Providers {
+	for _, p := range cfg.Value().Providers {
 		if p.Kind != ProviderKind_File {
 			continue
 		}
@@ -99,12 +100,20 @@ func panelConfigUpdate(w http.ResponseWriter, r *http.Request) {
 		panelHandleErr(w, r, err)
 		return
 	}
-	err = os.WriteFile(path.Join(configBasePath, p), content, 0644)
+	p = path.Join(configBasePath, p)
+	_, err = os.Stat(p)
+	exists := !errors.Is(err, os.ErrNotExist)
+	err = os.WriteFile(p, content, 0644)
 	if err != nil {
 		panelHandleErr(w, r, NewNestedError("unable to write config file").With(err))
 		return
 	}
 	w.WriteHeader(http.StatusOK)
+	if !exists {
+		w.Write([]byte(fmt.Sprintf("Config file %s created, remember to add it to config.yml!", p)))
+		return
+	}
+	w.Write([]byte(fmt.Sprintf("Config file %s updated", p)))
 }
 
 func panelServeFile(w http.ResponseWriter, r *http.Request) {
@@ -141,4 +150,4 @@ func panelHandleErr(w http.ResponseWriter, r *http.Request, err error, code ...i
 		return
 	}
 	http.Error(w, err.Error(), http.StatusInternalServerError)
-}
+}

src/go-proxy/provider.go

@@ -1,8 +1,6 @@
 package main
 
 import (
-	"sync"
-
 	"github.com/sirupsen/logrus"
 )
 
@@ -10,15 +8,17 @@ type Provider struct {
 	Kind  string `json:"kind"` // docker, file
 	Value string `json:"value"`
 
-	watcher Watcher
-	routes  map[string]Route // id -> Route
-	mutex   sync.Mutex
-	l       logrus.FieldLogger
+	watcher     Watcher
+	routes      map[string]Route // id -> Route
+	l           logrus.FieldLogger
+	reloadReqCh chan struct{}
 }
 
 // Init is called after LoadProxyConfig
 func (p *Provider) Init(name string) error {
-	p.l = prlog.WithFields(logrus.Fields{"kind": p.Kind, "name": name})
+	p.l = logrus.WithField("provider", name)
+	p.reloadReqCh = make(chan struct{}, 1)
+
 	defer p.initWatcher()
 
 	if err := p.loadProxyConfig(); err != nil {
@@ -40,16 +40,23 @@ func (p *Provider) StopAllRoutes() {
 }
 
 func (p *Provider) ReloadRoutes() {
-	p.mutex.Lock()
-	defer p.mutex.Unlock()
+	select {
+	case p.reloadReqCh <- struct{}{}:
+		defer func() {
+			<-p.reloadReqCh
+		}()
 
-	p.StopAllRoutes()
-	err := p.loadProxyConfig()
-	if err != nil {
-		p.l.Error("failed to reload routes: ", err)
+		p.StopAllRoutes()
+		err := p.loadProxyConfig()
+		if err != nil {
+			p.l.Error("failed to reload routes: ", err)
+			return
+		}
+		p.StartAllRoutes()
+	default:
+		p.l.Info("reload request already in progress")
 		return
 	}
-	p.StartAllRoutes()
 }
 
 func (p *Provider) loadProxyConfig() error {
@@ -97,9 +104,9 @@ func (p *Provider) initWatcher() error {
 		if err != nil {
 			return NewNestedError("unable to create docker client").With(err)
 		}
-		p.watcher = NewDockerWatcher(dockerClient, p.ReloadRoutes)
+		p.watcher = p.NewDockerWatcher(dockerClient)
 	case ProviderKind_File:
-		p.watcher = NewFileWatcher(p.GetFilePath(), p.ReloadRoutes, p.StopAllRoutes)
+		p.watcher = p.NewFileWatcher()
 	}
 	return nil
 }

src/go-proxy/proxy_config.go

@@ -1,28 +1,25 @@
 package main
 
-import "fmt"
+import (
+	"fmt"
+	"net/http"
+)
 
 type ProxyConfig struct {
-	Alias       string `yaml:"-" json:"-"`
-	Scheme      string `yaml:"scheme" json:"scheme"`
-	Host        string `yaml:"host" json:"host"`
-	Port        string `yaml:"port" json:"port"`
-	LoadBalance string `yaml:"-" json:"-"`                         // docker provider only
-	NoTLSVerify bool   `yaml:"no_tls_verify" json:"no_tls_verify"` // http proxy only
-	Path        string `yaml:"path" json:"path"`                   // http proxy only
-	PathMode    string `yaml:"path_mode" json:"path_mode"`         // http proxy only
-
-	provider *Provider
+	Alias       string      `yaml:"-" json:"-"`
+	Scheme      string      `yaml:"scheme" json:"scheme"`
+	Host        string      `yaml:"host" json:"host"`
+	Port        string      `yaml:"port" json:"port"`
+	LoadBalance string      `yaml:"-" json:"-"`                         // docker provider only
+	NoTLSVerify bool        `yaml:"no_tls_verify" json:"no_tls_verify"` // http proxy only
+	Path        string      `yaml:"path" json:"path"`                   // http proxy only
+	PathMode    string      `yaml:"path_mode" json:"path_mode"`         // http proxy only
+	SetHeaders  http.Header `yaml:"set_headers" json:"set_headers"`     // http proxy only
+	HideHeaders []string    `yaml:"hide_headers" json:"hide_headers"`   // http proxy only
 }
 
-type ProxyConfigMap = map[string]ProxyConfig
-type ProxyConfigSlice = []ProxyConfig
-
-func NewProxyConfig(provider *Provider) ProxyConfig {
-	return ProxyConfig{
-		provider: provider,
-	}
-}
+type ProxyConfigMap map[string]ProxyConfig
+type ProxyConfigSlice []ProxyConfig
 
 // used by `GetFileProxyConfigs`
 func (cfg *ProxyConfig) SetDefaults() error {
@@ -55,4 +52,4 @@ func (cfg *ProxyConfig) SetDefaults() error {
 
 func (cfg *ProxyConfig) GetID() string {
 	return fmt.Sprintf("%s-%s-%s-%s-%s", cfg.Alias, cfg.Scheme, cfg.Host, cfg.Port, cfg.Path)
-}
+}

src/go-proxy/proxy_label.go

@@ -0,0 +1,92 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+type ProxyLabel struct {
+	Alias string
+	Field string
+	Value any
+}
+
+var errNotProxyLabel = errors.New("not a proxy label")
+var errInvalidSetHeaderLine = errors.New("invalid set header line")
+var errInvalidBoolean = errors.New("invalid boolean")
+
+const proxyLabelNamespace = "proxy"
+
+func parseProxyLabel(label string, value string) (*ProxyLabel, error) {
+	ns := strings.Split(label, ".")
+	var v any = value
+
+	if len(ns) != 3 {
+		return nil, errNotProxyLabel
+	}
+
+	if ns[0] != proxyLabelNamespace {
+		return nil, errNotProxyLabel
+	}
+
+	field := ns[2]
+
+	var err error
+	parser, ok := valueParser[field]
+
+	if ok {
+		v, err = parser(v.(string))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &ProxyLabel{
+		Alias: ns[1],
+		Field: field,
+		Value: v,
+	}, nil
+}
+
+func setHeadersParser(value string) (any, error) {
+	value = strings.TrimSpace(value)
+	lines := strings.Split(value, "\n")
+	h := make(http.Header)
+	for _, line := range lines {
+		parts := strings.SplitN(line, ":", 2)
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("%w: %q", errInvalidSetHeaderLine, line)
+		}
+		key := strings.TrimSpace(parts[0])
+		val := strings.TrimSpace(parts[1])
+		h.Add(key, val)
+	}
+	return h, nil
+}
+
+func commaSepParser(value string) (any, error) {
+	v := strings.Split(value, ",")
+	for i := range v {
+		v[i] = strings.TrimSpace(v[i])
+	}
+	return v, nil
+}
+
+func boolParser(value string) (any, error) {
+	switch strings.ToLower(value) {
+	case "true", "yes", "1":
+		return true, nil
+	case "false", "no", "0":
+		return false, nil
+	default:
+		return nil, fmt.Errorf("%w: %q", errInvalidBoolean, value)
+	}
+}
+
+var valueParser = map[string]func(string) (any, error){
+	"set_headers":   setHeadersParser,
+	"hide_headers":  commaSepParser,
+	"no_tls_verify": boolParser,
+}

src/go-proxy/proxy_label_test.go

@@ -0,0 +1,186 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+func makeLabel(alias string, field string) string {
+	return fmt.Sprintf("proxy.%s.%s", alias, field)
+}
+
+func TestNotProxyLabel(t *testing.T) {
+	pl, err := parseProxyLabel("foo.bar", "1234")
+	if !errors.Is(err, errNotProxyLabel) {
+		t.Errorf("expected err NotProxyLabel, got %v", err)
+	}
+	if pl != nil {
+		t.Errorf("expected nil, got %v", pl)
+	}
+	_, err = parseProxyLabel("proxy.foo", "bar")
+	if !errors.Is(err, errNotProxyLabel) {
+		t.Errorf("expected err InvalidProxyLabel, got %v", err)
+	}
+}
+
+func TestStringProxyLabel(t *testing.T) {
+	alias := "foo"
+	field := "ip"
+	v := "bar"
+	pl, err := parseProxyLabel(makeLabel(alias, field), v)
+	if err != nil {
+		t.Errorf("expected err=nil, got %v", err)
+	}
+	if pl.Alias != alias {
+		t.Errorf("expected alias=%s, got %s", alias, pl.Alias)
+	}
+	if pl.Field != field {
+		t.Errorf("expected field=%s, got %s", field, pl.Field)
+	}
+	if pl.Value != v {
+		t.Errorf("expected value=%q, got %s", v, pl.Value)
+	}
+}
+
+func TestBoolProxyLabelValid(t *testing.T) {
+	alias := "foo"
+	field := "no_tls_verify"
+	tests := map[string]bool{
+		"true":  true,
+		"TRUE":  true,
+		"yes":   true,
+		"1":     true,
+		"false": false,
+		"FALSE": false,
+		"no":    false,
+		"0":     false,
+	}
+
+	for k, v := range tests {
+		pl, err := parseProxyLabel(makeLabel(alias, field), k)
+		if err != nil {
+			t.Errorf("expected err=nil, got %v", err)
+		}
+		if pl.Alias != alias {
+			t.Errorf("expected alias=%s, got %s", alias, pl.Alias)
+		}
+		if pl.Field != field {
+			t.Errorf("expected field=%s, got %s", field, pl.Field)
+		}
+		if pl.Value != v {
+			t.Errorf("expected value=%v, got %v", v, pl.Value)
+		}
+	}
+}
+
+func TestBoolProxyLabelInvalid(t *testing.T) {
+	alias := "foo"
+	field := "no_tls_verify"
+	_, err := parseProxyLabel(makeLabel(alias, field), "invalid")
+	if !errors.Is(err, errInvalidBoolean) {
+		t.Errorf("expected err InvalidProxyLabel, got %v", err)
+	}
+}
+
+func TestHeaderProxyLabelValid(t *testing.T) {
+	alias := "foo"
+	field := "set_headers"
+	v := `
+	X-Custom-Header1: foo
+	X-Custom-Header1: bar
+	X-Custom-Header2: baz
+	`
+	h := make(http.Header, 0)
+	h.Set("X-Custom-Header1", "foo")
+	h.Add("X-Custom-Header1", "bar")
+	h.Set("X-Custom-Header2", "baz")
+
+	pl, err := parseProxyLabel(makeLabel(alias, field), v)
+	if err != nil {
+		t.Errorf("expected err=nil, got %v", err)
+	}
+	if pl.Alias != alias {
+		t.Errorf("expected alias=%s, got %s", alias, pl.Alias)
+	}
+	if pl.Field != field {
+		t.Errorf("expected field=%s, got %s", field, pl.Field)
+	}
+	hGot, ok := pl.Value.(http.Header)
+	if !ok {
+		t.Error("value is not http.Header")
+		return
+	}
+	for k, vWant := range h {
+		vGot := hGot[k]
+		if !reflect.DeepEqual(vGot, vWant) {
+			t.Errorf("expected %s=%q, got %q", k, vWant, vGot)
+		}
+	}
+}
+
+func TestHeaderProxyLabelInvalid(t *testing.T) {
+	alias := "foo"
+	field := "set_headers"
+	tests := []string{
+		"X-Custom-Header1 = bar",
+		"X-Custom-Header1",
+	}
+
+	for _, v := range tests {
+		_, err := parseProxyLabel(makeLabel(alias, field), v)
+		if !errors.Is(err, errInvalidSetHeaderLine) {
+			t.Errorf("expected err InvalidProxyLabel for %q, got %v", v, err)
+		}
+	}
+}
+
+func TestCommaSepProxyLabelSingle(t *testing.T) {
+	alias := "foo"
+	field := "hide_headers"
+	v := "X-Custom-Header1"
+	pl, err := parseProxyLabel(makeLabel(alias, field), v)
+	if err != nil {
+		t.Errorf("expected err=nil, got %v", err)
+	}
+	if pl.Alias != alias {
+		t.Errorf("expected alias=%s, got %s", alias, pl.Alias)
+	}
+	if pl.Field != field {
+		t.Errorf("expected field=%s, got %s", field, pl.Field)
+	}
+	sGot, ok := pl.Value.([]string)
+	sWant := []string{"X-Custom-Header1"}
+	if !ok {
+		t.Error("value is not []string")
+	}
+	if !reflect.DeepEqual(sGot, sWant) {
+		t.Errorf("expected %q, got %q", sWant, sGot)
+	}
+}
+
+func TestCommaSepProxyLabelMulti(t *testing.T) {
+	alias := "foo"
+	field := "hide_headers"
+	v := "X-Custom-Header1, X-Custom-Header2,X-Custom-Header3"
+	pl, err := parseProxyLabel(makeLabel(alias, field), v)
+	if err != nil {
+		t.Errorf("expected err=nil, got %v", err)
+	}
+	if pl.Alias != alias {
+		t.Errorf("expected alias=%s, got %s", alias, pl.Alias)
+	}
+	if pl.Field != field {
+		t.Errorf("expected field=%s, got %s", field, pl.Field)
+	}
+	sGot, ok := pl.Value.([]string)
+	sWant := []string{"X-Custom-Header1", "X-Custom-Header2", "X-Custom-Header3"}
+	if !ok {
+		t.Error("value is not []string")
+	}
+	if !reflect.DeepEqual(sGot, sWant) {
+		t.Errorf("expected %q, got %q", sWant, sGot)
+	}
+}

src/go-proxy/reverse_proxy_mod.go

@@ -1,6 +1,6 @@
 package main
 
-// A small mod on net/http/httputils
+// A small mod on net/http/httputil/reverseproxy.go
 // that doubled the performance
 
 import (
@@ -8,14 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/textproto"
 	"net/url"
 	"strings"
-	"time"
 
 	"golang.org/x/net/http/httpguts"
 )
@@ -39,16 +37,16 @@ type ProxyRequest struct {
 //
 // SetURL rewrites the outbound Host header to match the target's host.
 // To preserve the inbound request's Host header (the default behavior
-// of [NewSingleHostReverseProxy]):
+// of [NewReverseProxy]):
 //
 //	rewriteFunc := func(r *httputil.ProxyRequest) {
 //		r.SetURL(url)
 //		r.Out.Host = r.In.Host
 //	}
-func (r *ProxyRequest) SetURL(target *url.URL) {
-	rewriteRequestURL(r.Out, target)
-	r.Out.Host = ""
-}
+// func (r *ProxyRequest) SetURL(target *url.URL) {
+// 	rewriteRequestURL(r.Out, target)
+// 	r.Out.Host = ""
+// }
 
 // SetXForwarded sets the X-Forwarded-For, X-Forwarded-Host, and
 // X-Forwarded-Proto headers of the outbound request.
@@ -132,17 +130,17 @@ type ReverseProxy struct {
 	// recognizes a response as a streaming response, or
 	// if its ContentLength is -1; for such responses, writes
 	// are flushed to the client immediately.
-	FlushInterval time.Duration
+	// FlushInterval time.Duration
 
 	// ErrorLog specifies an optional logger for errors
 	// that occur when attempting to proxy the request.
 	// If nil, logging is done via the log package's standard logger.
-	ErrorLog *log.Logger
+	// ErrorLog *log.Logger
 
 	// BufferPool optionally specifies a buffer pool to
 	// get byte slices for use by io.CopyBuffer when
 	// copying HTTP response bodies.
-	BufferPool BufferPool
+	// BufferPool BufferPool
 
 	// ModifyResponse is an optional function that modifies the
 	// Response from the backend. It is called if the backend
@@ -203,18 +201,18 @@ func joinURLPath(a, b *url.URL) (path, rawpath string) {
 	return a.Path + b.Path, apath + bpath
 }
 
-// NewSingleHostReverseProxy returns a new [ReverseProxy] that routes
+// NewReverseProxy returns a new [ReverseProxy] that routes
 // URLs to the scheme, host, and base path provided in target. If the
 // target's path is "/base" and the incoming request was for "/dir",
 // the target request will be for /base/dir.
 //
-// NewSingleHostReverseProxy does not rewrite the Host header.
+// NewReverseProxy does not rewrite the Host header.
 //
 // To customize the ReverseProxy behavior beyond what
-// NewSingleHostReverseProxy provides, use ReverseProxy directly
+// NewReverseProxy provides, use ReverseProxy directly
 // with a Rewrite function. The ProxyRequest SetURL method
 // may be used to route the outbound request. (Note that SetURL,
-// unlike NewSingleHostReverseProxy, rewrites the Host header
+// unlike NewReverseProxy, rewrites the Host header
 // of the outbound request by default.)
 //
 //	proxy := &ReverseProxy{
@@ -223,9 +221,34 @@ func joinURLPath(a, b *url.URL) (path, rawpath string) {
 //			r.Out.Host = r.In.Host // if desired
 //		},
 //	}
-func NewSingleHostReverseProxy(target *url.URL, transport *http.Transport) *ReverseProxy {
+func NewReverseProxy(target *url.URL, transport *http.Transport, config *ProxyConfig) *ReverseProxy {
+	// check on init rather than on request
+	var setHeaders = func(r *http.Request) {}
+	var hideHeaders = func(r *http.Request) {}
+	if len(config.SetHeaders) > 0 {
+		setHeaders = func(r *http.Request) {
+			h := config.SetHeaders.Clone()
+			for k, vv := range h {
+				if k == "Host" {
+					r.Host = vv[0]
+				} else {
+					r.Header[k] = vv
+				}
+			}
+		}
+	}
+	if len(config.HideHeaders) > 0 {
+		hideHeaders = func(r *http.Request) {
+			for _, k := range config.HideHeaders {
+				r.Header.Del(k)
+			}
+		}
+	}
 	return &ReverseProxy{Rewrite: func(pr *ProxyRequest) {
 		rewriteRequestURL(pr.Out, target)
+		pr.SetXForwarded()
+		setHeaders(pr.Out)
+		hideHeaders(pr.Out)
 	}, Transport: transport}
 }
 
@@ -380,7 +403,7 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	// Strip client-provided forwarding headers.
 	// The Rewrite func may use SetXForwarded to set new values
 	// for these or copy the previous values from the inbound request.
-	// outreq.Header.Del("Forwarded")
+	outreq.Header.Del("Forwarded")
 	// outreq.Header.Del("X-Forwarded-For")
 	// outreq.Header.Del("X-Forwarded-Host")
 	// outreq.Header.Del("X-Forwarded-Proto")
@@ -388,29 +411,27 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	// NOTE: removed
 	// Remove unparsable query parameters from the outbound request.
 	// outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
-
 	pr := &ProxyRequest{
 		In:  req,
 		Out: outreq,
 	}
-	pr.SetXForwarded() // NOTE: added
 	p.Rewrite(pr)
 	outreq = pr.Out
 	// NOTE: removed
 	// } else {
-	// 	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
-	// 		// If we aren't the first proxy retain prior
-	// 		// X-Forwarded-For information as a comma+space
-	// 		// separated list and fold multiple headers into one.
-	// 		prior, ok := outreq.Header["X-Forwarded-For"]
-	// 		omit := ok && prior == nil // Issue 38079: nil now means don't populate the header
-	// 		if len(prior) > 0 {
-	// 			clientIP = strings.Join(prior, ", ") + ", " + clientIP
-	// 		}
-	// 		if !omit {
-	// 			outreq.Header.Set("X-Forwarded-For", clientIP)
-	// 		}
+	// if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+	// 	// If we aren't the first proxy retain prior
+	// 	// X-Forwarded-For information as a comma+space
+	// 	// separated list and fold multiple headers into one.
+	// 	prior, ok := outreq.Header["X-Forwarded-For"]
+	// 	omit := ok && prior == nil // Issue 38079: nil now means don't populate the header
+	// 	if len(prior) > 0 {
+	// 		clientIP = strings.Join(prior, ", ") + ", " + clientIP
 	// 	}
+	// 	if !omit {
+	// 		outreq.Header.Set("X-Forwarded-For", clientIP)
+	// 	}
+	// }
 	// }
 
 	if _, ok := outreq.Header["User-Agent"]; !ok {
@@ -637,11 +658,11 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 // }
 
 func (p *ReverseProxy) logf(format string, args ...any) {
-	if p.ErrorLog != nil {
-		p.ErrorLog.Printf(format, args...)
-	} else {
-		hrlog.Printf(format, args...)
-	}
+	// if p.ErrorLog != nil {
+	// 	p.ErrorLog.Printf(format, args...)
+	// } else {
+	hrlog.Errorf(format, args...)
+	// }
 }
 
 // NOTE: removed

src/go-proxy/reverse_proxy_mod_test.go

@@ -0,0 +1,102 @@
+package main
+
+import (
+	"net/http"
+	"net/url"
+	"os"
+	"reflect"
+	"testing"
+	"time"
+)
+
+var proxyCfg ProxyConfig
+var proxyUrl, _ = url.Parse("http://127.0.0.1:8181")
+var proxyServer = NewServer(ServerOptions{
+	Name:     "proxy",
+	HTTPAddr: ":8080",
+	Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		NewReverseProxy(proxyUrl, &http.Transport{}, &proxyCfg).ServeHTTP(w, r)
+	}),
+})
+
+var testServer = NewServer(ServerOptions{
+	Name:     "test",
+	HTTPAddr: ":8181",
+	Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h := r.Header
+		for k, vv := range h {
+			for _, v := range vv {
+				w.Header().Add(k, v)
+			}
+		}
+		w.WriteHeader(http.StatusOK)
+	}),
+})
+
+var httpClient = http.DefaultClient
+
+func TestMain(m *testing.M) {
+	proxyServer.Start()
+	testServer.Start()
+	time.Sleep(100 * time.Millisecond)
+	code := m.Run()
+	proxyServer.Stop()
+	testServer.Stop()
+	os.Exit(code)
+}
+
+func TestSetHeader(t *testing.T) {
+	hWant := http.Header{"X-Test": []string{"foo", "bar"}, "X-Test2": []string{"baz"}}
+	proxyCfg = ProxyConfig{
+		Alias:      "test",
+		Scheme:     "http",
+		Host:       "127.0.0.1",
+		Port:       "8181",
+		SetHeaders: hWant,
+	}
+	req, err := http.NewRequest("HEAD", "http://127.0.0.1:8080", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	hGot := resp.Header
+	t.Log("headers: ", hGot)
+	for k, v := range hWant {
+		if !reflect.DeepEqual(hGot[k], v) {
+			t.Errorf("header %s: expected %v, got %v", k, v, hGot[k])
+		}
+	}
+}
+
+func TestHideHeader(t *testing.T) {
+	hHide := []string{"X-Test", "X-Test2"}
+	proxyCfg = ProxyConfig{
+		Alias:       "test",
+		Scheme:      "http",
+		Host:        "127.0.0.1",
+		Port:        "8181",
+		HideHeaders: hHide,
+	}
+	req, err := http.NewRequest("HEAD", "http://127.0.0.1:8080", nil)
+	for _, k := range hHide {
+		req.Header.Set(k, "foo")
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	hGot := resp.Header
+	t.Log("headers: ", hGot)
+	for _, v := range hHide {
+		_, ok := hGot[v]
+		if ok {
+			t.Errorf("header %s: expected hidden, got %v", v, hGot[v])
+		}
+	}
+}

src/go-proxy/route.go

@@ -15,7 +15,6 @@ func NewRoute(cfg *ProxyConfig) (Route, error) {
 		if err != nil {
 			return nil, NewNestedErrorFrom(err).Subject(cfg.Alias)
 		}
-		streamRoutes.Set(id, route)
 		return route, nil
 	} else {
 		httpRoutes.Ensure(cfg.Alias)
@@ -23,7 +22,6 @@ func NewRoute(cfg *ProxyConfig) (Route, error) {
 		if err != nil {
 			return nil, NewNestedErrorFrom(err).Subject(cfg.Alias)
 		}
-		httpRoutes.Get(cfg.Alias).Add(cfg.Path, route)
 		return route, nil
 	}
 }
@@ -45,8 +43,3 @@ func isStreamScheme(s string) bool {
 	}
 	return false
 }
-
-// id    -> target
-type StreamRoutes = SafeMap[string, StreamRoute]
-
-var streamRoutes StreamRoutes = NewSafeMapOf[StreamRoutes]()

src/go-proxy/server.go

@@ -31,15 +31,16 @@ type ServerOptions struct {
 }
 
 type LogrusWrapper struct {
-	l *logrus.Entry
+	*logrus.Entry
 }
 
 func (l LogrusWrapper) Write(b []byte) (int, error) {
-	return l.l.Logger.WriterLevel(logrus.ErrorLevel).Write(b)
+	return l.Logger.WriterLevel(logrus.ErrorLevel).Write(b)
 }
 
 func NewServer(opt ServerOptions) *Server {
 	var httpHandler http.Handler
+	var s *Server
 	if opt.RedirectToHTTPS {
 		httpHandler = http.HandlerFunc(redirectToTLSHandler)
 	} else {
@@ -50,7 +51,7 @@ func NewServer(opt ServerOptions) *Server {
 		logrus.WithFields(logrus.Fields{"component": "server", "name": opt.Name}),
 	})
 	if opt.CertProvider != nil {
-		return &Server{
+		s = &Server{
 			Name:         opt.Name,
 			CertProvider: opt.CertProvider,
 			http: &http.Server{
@@ -68,7 +69,7 @@ func NewServer(opt ServerOptions) *Server {
 			},
 		}
 	}
-	return &Server{
+	s = &Server{
 		Name:     opt.Name,
 		KeyFile:  keyFileDefault,
 		CertFile: certFileDefault,
@@ -83,6 +84,10 @@ func NewServer(opt ServerOptions) *Server {
 			ErrorLog: logger,
 		},
 	}
+	if !s.certsOK() {
+		s.http.Handler = opt.Handler
+	}
+	return s
 }
 
 func (s *Server) Start() {
@@ -95,7 +100,7 @@ func (s *Server) Start() {
 		}()
 	}
 
-	if s.https != nil && (s.CertProvider != nil || utils.fileOK(s.CertFile) && utils.fileOK(s.KeyFile)) {
+	if s.https != nil && (s.CertProvider != nil || s.certsOK()) {
 		s.httpsStarted = true
 		logrus.Printf("starting https %s server on %s", s.Name, s.https.Addr)
 		go func() {
@@ -129,3 +134,7 @@ func (s *Server) handleErr(scheme string, err error) {
 		logrus.Fatalf("failed to start %s %s server: %v", scheme, s.Name, err)
 	}
 }
+
+func (s *Server) certsOK() bool {
+	return utils.fileOK(s.CertFile) && utils.fileOK(s.KeyFile)
+}

src/go-proxy/stream_route.go

@@ -45,22 +45,28 @@ type StreamRouteBase struct {
 
 func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
 	var streamType string = StreamType_TCP
-	var srcPort string
-	var dstPort string
-	var srcScheme string
-	var dstScheme string
+	var srcPort, dstPort string
+	var srcScheme, dstScheme string
 
+	l := srlog.WithFields(logrus.Fields{
+		"alias": config.Alias,
+	})
 	portSplit := strings.Split(config.Port, ":")
 	if len(portSplit) != 2 {
-		cfgl.Warnf("invalid port %s, assuming it is target port", config.Port)
-		srcPort = "0"
+		l.Warnf(
+			`%s: invalid port %s, 
+			assuming it is target port`,
+			config.Alias,
+			config.Port,
+		)
+		srcPort = "0" // will assign later
 		dstPort = config.Port
 	} else {
 		srcPort = portSplit[0]
 		dstPort = portSplit[1]
 	}
 
-	if port, hasName := NamePortMap[dstPort]; hasName {
+	if port, hasName := NamePortMapTCP[dstPort]; hasName {
 		dstPort = port
 	}
 
@@ -85,6 +91,10 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
 		dstScheme = config.Scheme
 	}
 
+	if srcScheme != dstScheme {
+		return nil, NewNestedError("unsupported").Subjectf("%v -> %v", srcScheme, dstScheme)
+	}
+
 	return &StreamRouteBase{
 		Alias:           config.Alias,
 		Type:            streamType,
@@ -99,23 +109,24 @@ func newStreamRouteBase(config *ProxyConfig) (*StreamRouteBase, error) {
 		stopCh:  make(chan struct{}, 1),
 		connCh:  make(chan interface{}),
 		started: false,
-		l: srlog.WithFields(logrus.Fields{
-			"alias": config.Alias,
-			"src":   fmt.Sprintf("%s://:%d", srcScheme, srcPortInt),
-			"dst":   fmt.Sprintf("%s://%s:%d", dstScheme, config.Host, dstPortInt),
-		}),
+		l:       l,
 	}, nil
 }
 
 func NewStreamRoute(config *ProxyConfig) (StreamRoute, error) {
+	base, err := newStreamRouteBase(config)
+	if err != nil {
+		return nil, err
+	}
 	switch config.Scheme {
 	case StreamType_TCP:
-		return NewTCPRoute(config)
+		base.StreamImpl = NewTCPRoute(base)
 	case StreamType_UDP:
-		return NewUDPRoute(config)
+		base.StreamImpl = NewUDPRoute(base)
 	default:
 		return nil, NewNestedError("invalid stream type").Subject(config.Scheme)
 	}
+	return base, nil
 }
 
 func (route *StreamRouteBase) ListeningUrl() string {
@@ -131,12 +142,14 @@ func (route *StreamRouteBase) Logger() logrus.FieldLogger {
 }
 
 func (route *StreamRouteBase) Start() {
+	route.wg.Wait()
 	route.ensurePort()
 	if err := route.Setup(); err != nil {
 		route.l.Errorf("failed to setup: %v", err)
 		return
 	}
 	route.started = true
+	streamRoutes.Set(route.id, route)
 	route.wg.Add(2)
 	go route.grAcceptConnections()
 	go route.grHandleConnections()
@@ -222,3 +235,8 @@ func (route *StreamRouteBase) grHandleConnections() {
 		}
 	}
 }
+
+// id    -> target
+type StreamRoutes SafeMap[string, StreamRoute]
+
+var streamRoutes StreamRoutes = NewSafeMapOf[StreamRoutes]()

src/go-proxy/tcp_route.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sync"
 	"time"
 )
 
@@ -14,21 +15,16 @@ type Pipes []*BidirectionalPipe
 type TCPRoute struct {
 	*StreamRouteBase
 	listener net.Listener
+	pipe     Pipes
+	mu       sync.Mutex
 }
 
-func NewTCPRoute(config *ProxyConfig) (StreamRoute, error) {
-	base, err := newStreamRouteBase(config)
-	if err != nil {
-		return nil, NewNestedErrorFrom(err).Subject(config.Alias)
-	}
-	if base.TargetScheme != StreamType_TCP {
-		return nil, NewNestedError("unsupported").Subjectf("tcp -> %s", base.TargetScheme)
-	}
-	base.StreamImpl = &TCPRoute{
+func NewTCPRoute(base *StreamRouteBase) StreamImpl {
+	return &TCPRoute{
 		StreamRouteBase: base,
 		listener:        nil,
+		pipe:            make(Pipes, 0),
 	}
-	return base, nil
 }
 
 func (route *TCPRoute) Setup() error {
@@ -44,11 +40,10 @@ func (route *TCPRoute) Accept() (interface{}, error) {
 	return route.listener.Accept()
 }
 
-func (route *TCPRoute) HandleConnection(c interface{}) error {
+func (route *TCPRoute) Handle(c interface{}) error {
 	clientConn := c.(net.Conn)
 
 	defer clientConn.Close()
-	defer route.wg.Done()
 
 	ctx, cancel := context.WithTimeout(context.Background(), tcpDialTimeout)
 	defer cancel()
@@ -66,11 +61,12 @@ func (route *TCPRoute) HandleConnection(c interface{}) error {
 		<-route.stopCh
 		pipeCancel()
 	}()
+
+	route.mu.Lock()
 	pipe := NewBidirectionalPipe(pipeCtx, clientConn, serverConn)
-	pipe.Start()
-	pipe.Wait()
-	pipe.Close()
-	return nil
+	route.pipe = append(route.pipe, pipe)
+	route.mu.Unlock()
+	return pipe.Start()
 }
 
 func (route *TCPRoute) CloseListeners() {
@@ -79,4 +75,9 @@ func (route *TCPRoute) CloseListeners() {
 	}
 	route.listener.Close()
 	route.listener = nil
+	for _, pipe := range route.pipe {
+		if err := pipe.Stop(); err != nil {
+			route.l.Error(err)
+		}
+	}
 }

src/go-proxy/udp_route.go

@@ -1,62 +1,55 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net"
 	"sync"
-
-	"github.com/sirupsen/logrus"
 )
 
 type UDPRoute struct {
 	*StreamRouteBase
 
-	connMap      map[net.Addr]net.Conn
+	connMap      UDPConnMap
 	connMapMutex sync.Mutex
 
 	listeningConn *net.UDPConn
-	targetConn    *net.UDPConn
+	targetAddr    *net.UDPAddr
 }
 
 type UDPConn struct {
-	remoteAddr    net.Addr
-	buffer        []byte
-	bytesReceived []byte
-	nReceived     int
+	src *net.UDPConn
+	dst *net.UDPConn
+	*BidirectionalPipe
 }
 
-func NewUDPRoute(config *ProxyConfig) (StreamRoute, error) {
-	base, err := newStreamRouteBase(config)
-	if err != nil {
-		return nil, err
-	}
+type UDPConnMap map[string]*UDPConn
 
-	if base.TargetScheme != StreamType_UDP {
-		return nil, NewNestedError("unsupported").Subjectf("udp->%s", base.TargetScheme)
-	}
-
-	base.StreamImpl = &UDPRoute{
+func NewUDPRoute(base *StreamRouteBase) StreamImpl {
+	return &UDPRoute{
 		StreamRouteBase: base,
-		connMap:         make(map[net.Addr]net.Conn),
+		connMap:         make(UDPConnMap),
 	}
-	return base, nil
 }
 
 func (route *UDPRoute) Setup() error {
-	source, err := net.ListenPacket(route.ListeningScheme, fmt.Sprintf(":%v", route.ListeningPort))
+	laddr, err := net.ResolveUDPAddr(route.ListeningScheme, fmt.Sprintf(":%v", route.ListeningPort))
 	if err != nil {
 		return err
 	}
-
-	target, err := net.Dial(route.TargetScheme, fmt.Sprintf("%s:%v", route.TargetHost, route.TargetPort))
+	source, err := net.ListenUDP(route.ListeningScheme, laddr)
+	if err != nil {
+		return err
+	}
+	raddr, err := net.ResolveUDPAddr(route.TargetScheme, fmt.Sprintf("%s:%v", route.TargetHost, route.TargetPort))
 	if err != nil {
 		source.Close()
 		return err
 	}
 
-	route.listeningConn = source.(*net.UDPConn)
-	route.targetConn = target.(*net.UDPConn)
+	route.listeningConn = source
+	route.targetAddr = raddr
 	return nil
 }
 
@@ -74,71 +67,42 @@ func (route *UDPRoute) Accept() (interface{}, error) {
 		return nil, io.ErrShortBuffer
 	}
 
-	conn := &UDPConn{
-		remoteAddr:    srcAddr,
-		buffer:        buffer,
-		bytesReceived: buffer[:nRead],
-		nReceived:     nRead,
-	}
-	return conn, nil
-}
+	key := srcAddr.String()
+	conn, ok := route.connMap[key]
 
-func (route *UDPRoute) HandleConnection(c interface{}) error {
-	var err error
-
-	conn := c.(*UDPConn)
-	srcConn, ok := route.connMap[conn.remoteAddr]
 	if !ok {
 		route.connMapMutex.Lock()
-		srcConn, err = net.DialUDP("udp", nil, conn.remoteAddr.(*net.UDPAddr))
-		if err != nil {
-			return err
+		if conn, ok = route.connMap[key]; !ok {
+			srcConn, err := net.DialUDP("udp", nil, srcAddr)
+			if err != nil {
+				return nil, err
+			}
+			dstConn, err := net.DialUDP("udp", nil, route.targetAddr)
+			if err != nil {
+				srcConn.Close()
+				return nil, err
+			}
+			pipeCtx, pipeCancel := context.WithCancel(context.Background())
+			go func() {
+				<-route.stopCh
+				pipeCancel()
+			}()
+			conn = &UDPConn{
+				srcConn,
+				dstConn,
+				NewBidirectionalPipe(pipeCtx, sourceRWCloser{in, dstConn}, sourceRWCloser{in, srcConn}),
+			}
+			route.connMap[key] = conn
 		}
-		route.connMap[conn.remoteAddr] = srcConn
 		route.connMapMutex.Unlock()
 	}
 
-	var forwarder func(*UDPConn, net.Conn) error
+	_, err = conn.dst.Write(buffer[:nRead])
+	return conn, err
+}
 
-	if logLevel == logrus.DebugLevel {
-		forwarder = route.forwardReceivedDebug
-	} else {
-		forwarder = route.forwardReceivedReal
-	}
-
-	// initiate connection to target
-	err = forwarder(conn, route.targetConn)
-	if err != nil {
-		return err
-	}
-
-	for {
-		select {
-		case <-route.stopCh:
-			return nil
-		default:
-			// receive from target
-			conn, err = route.readFrom(route.targetConn, conn.buffer)
-			if err != nil {
-				return err
-			}
-			// forward to source
-			err = forwarder(conn, srcConn)
-			if err != nil {
-				return err
-			}
-			// read from source
-			conn, err = route.readFrom(srcConn, conn.buffer)
-			if err != nil {
-				continue
-			}
-			// forward to target
-			err = forwarder(conn, route.targetConn)
-			if err != nil {
-				return err
-			}
-		}
-	}
+func (route *UDPRoute) Handle(c interface{}) error {
+	return c.(*UDPConn).Start()
 }
 
 func (route *UDPRoute) CloseListeners() {
@@ -146,50 +110,22 @@ func (route *UDPRoute) CloseListeners() {
 		route.listeningConn.Close()
 		route.listeningConn = nil
 	}
-	if route.targetConn != nil {
-		route.targetConn.Close()
-		route.targetConn = nil
-	}
 	for _, conn := range route.connMap {
-		conn.(*net.UDPConn).Close() // TODO: change on non udp target
+		if err := conn.src.Close(); err != nil {
+			route.l.Errorf("error closing src conn: %w", err)
+		}
+		if err := conn.dst.Close(); err != nil {
+			route.l.Error("error closing dst conn: %w", err)
+		}
 	}
-	route.connMap = make(map[net.Addr]net.Conn)
+	route.connMap = make(UDPConnMap)
 }
 
-func (route *UDPRoute) readFrom(src net.Conn, buffer []byte) (*UDPConn, error) {
-	nRead, err := src.Read(buffer)
-
-	if err != nil {
-		return nil, err
-	}
-
-	if nRead == 0 {
-		return nil, io.ErrShortBuffer
-	}
-
-	return &UDPConn{
-		remoteAddr:    src.RemoteAddr(),
-		buffer:        buffer,
-		bytesReceived: buffer[:nRead],
-		nReceived:     nRead,
-	}, nil
+type sourceRWCloser struct {
+	server *net.UDPConn
+	*net.UDPConn
 }
 
-func (route *UDPRoute) forwardReceivedReal(receivedConn *UDPConn, dest net.Conn) error {
-	nWritten, err := dest.Write(receivedConn.bytesReceived)
-
-	if nWritten != receivedConn.nReceived {
-		err = io.ErrShortWrite
-	}
-
-	return err
-}
-
-func (route *UDPRoute) forwardReceivedDebug(receivedConn *UDPConn, dest net.Conn) error {
-	route.l.WithField("size", receivedConn.nReceived).Debugf(
-		"forwarding from %s to %s",
-		receivedConn.remoteAddr.String(),
-		dest.RemoteAddr().String(),
-	)
-	return route.forwardReceivedReal(receivedConn, dest)
+func (w sourceRWCloser) Write(p []byte) (int, error) {
+	return w.server.WriteToUDP(p, w.RemoteAddr().(*net.UDPAddr)) // TODO: support non udp
 }

src/go-proxy/utils.go

@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -94,6 +95,18 @@ func (*Utils) healthCheckStream(scheme, host string) error {
 	return nil
 }
 
+func (*Utils) reloadServer() error {
+	resp, err := healthCheckHttpClient.Post("http://localhost:8080/reload", "", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return NewNestedError("server reload failed").Subjectf("%d", resp.StatusCode)
+	}
+	return nil
+}
+
 func (*Utils) snakeToPascal(s string) string {
 	toHyphenCamel := http.CanonicalHeaderKey(strings.ReplaceAll(s, "_", "-"))
 	return strings.ReplaceAll(toHyphenCamel, "-", "")
@@ -200,13 +213,17 @@ func setFieldFromSnake[T interface{}, VT interface{}](obj *T, field string, valu
 	field = utils.snakeToPascal(field)
 	prop := reflect.ValueOf(obj).Elem().FieldByName(field)
 	if prop.Kind() == 0 {
-		return NewNestedError("unknown field").Subject(field)
+		return errors.New("unknown field")
 	}
 	prop.Set(reflect.ValueOf(value))
 	return nil
 }
 
 func validateYaml(schema *jsonschema.Schema, data []byte) error {
+	if noSchemaValidation {
+		return nil
+	}
+
 	var i interface{}
 
 	err := yaml.Unmarshal(data, &i)

src/go-proxy/watcher.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"path"
+	"strings"
 	"sync"
 	"time"
 
@@ -22,8 +22,6 @@ type Watcher interface {
 }
 
 type watcherBase struct {
-	name     string // for log / error output
-	kind     string // for log / error output
 	onChange func()
 	l        logrus.FieldLogger
 	sync.Mutex
@@ -42,30 +40,44 @@ type dockerWatcher struct {
 	wg     sync.WaitGroup
 }
 
-func newWatcher(kind string, name string, onChange func()) *watcherBase {
+func (p *Provider) newWatcher() *watcherBase {
 	return &watcherBase{
-		kind:     kind,
-		name:     name,
-		onChange: onChange,
-		l:        wlog.WithFields(logrus.Fields{"kind": kind, "name": name}),
-	}
-}
-func NewFileWatcher(p string, onChange func(), onDelete func()) Watcher {
-	return &fileWatcher{
-		watcherBase: newWatcher("File", path.Base(p), onChange),
-		path:        p,
-		onDelete:    onDelete,
+		onChange: p.ReloadRoutes,
+		l:        p.l,
 	}
 }
 
-func NewDockerWatcher(c *client.Client, onChange func()) Watcher {
+func (p *Provider) NewFileWatcher() Watcher {
+	return &fileWatcher{
+		watcherBase: p.newWatcher(),
+		path:        p.GetFilePath(),
+		onDelete:    p.StopAllRoutes,
+	}
+}
+
+func (p *Provider) NewDockerWatcher(c *client.Client) Watcher {
 	return &dockerWatcher{
-		watcherBase: newWatcher("Docker", c.DaemonHost(), onChange),
+		watcherBase: p.newWatcher(),
 		client:      c,
 		stopCh:      make(chan struct{}, 1),
 	}
 }
 
+func (c *config) newWatcher() *watcherBase {
+	return &watcherBase{
+		onChange: c.MustReload,
+		l:        c.l,
+	}
+}
+
+func (c *config) NewFileWatcher() Watcher {
+	return &fileWatcher{
+		watcherBase: c.newWatcher(),
+		path:        c.reader.(*FileReader).Path,
+		onDelete:    func() { c.l.Fatal("config file deleted") },
+	}
+}
+
 func (w *fileWatcher) Start() {
 	w.Lock()
 	defer w.Unlock()
@@ -89,7 +101,7 @@ func (w *fileWatcher) Stop() {
 	fileWatchMap.Delete(w.path)
 	err := fsWatcher.Remove(w.path)
 	if err != nil {
-		w.l.WithField("action", "stop").Error(err)
+		w.l.Error(err)
 	}
 }
 
@@ -100,7 +112,7 @@ func (w *fileWatcher) Dispose() {
 func (w *dockerWatcher) Start() {
 	w.Lock()
 	defer w.Unlock()
-	dockerWatchMap.Set(w.name, w)
+	dockerWatchMap.Set(w.client.DaemonHost(), w)
 	w.wg.Add(1)
 	go w.watch()
 }
@@ -114,7 +126,7 @@ func (w *dockerWatcher) Stop() {
 	close(w.stopCh)
 	w.wg.Wait()
 	w.stopCh = nil
-	dockerWatchMap.Delete(w.name)
+	dockerWatchMap.Delete(w.client.DaemonHost())
 }
 
 func (w *dockerWatcher) Dispose() {
@@ -164,10 +176,10 @@ func watchFiles() {
 			}
 			switch {
 			case event.Has(fsnotify.Write):
-				w.l.Info("file changed")
+				w.l.Info("file changed: ", event.Name)
 				go w.onChange()
 			case event.Has(fsnotify.Remove), event.Has(fsnotify.Rename):
-				w.l.Info("file renamed / deleted")
+				w.l.Info("file renamed / deleted: ", event.Name)
 				go w.onDelete()
 			}
 		case err := <-fsWatcher.Errors:
@@ -194,16 +206,20 @@ func (w *dockerWatcher) watch() {
 		case <-w.stopCh:
 			return
 		case msg := <-msgChan:
-			w.l.Infof("container %s %s", msg.Actor.Attributes["name"], msg.Action)
+			containerName := msg.Actor.Attributes["name"]
+			if strings.HasPrefix(containerName, "buildx_buildkit_builder-") {
+				continue
+			}
+			w.l.Infof("container %s %s", containerName, msg.Action)
 			go w.onChange()
 		case err := <-errChan:
 			switch {
 			case client.IsErrConnectionFailed(err):
-				w.l.Error(NewNestedError("connection failed").Subject(w.name))
+				w.l.Error("watcher: connection failed")
 			case client.IsErrNotFound(err):
-				w.l.Error(NewNestedError("endpoint not found").Subject(w.name))
+				w.l.Error("watcher: endpoint not found")
 			default:
-				w.l.Error(NewNestedErrorFrom(err).Subject(w.name))
+				w.l.Errorf("watcher: %v", err)
 			}
 			time.Sleep(1 * time.Second)
 			msgChan, errChan = listen()

templates/config_editor/index.html

@@ -18,6 +18,9 @@
             <a class="unselectable">{{$cfgFile}}</a>
           </li>
           {{- end}}
+          <li id="new-file">
+            <a class="unselectable">+</a>
+          </li>
         </ul>
       </div>
       <div id="config-editor"></div>

templates/config_editor/index.js

@@ -11,25 +11,43 @@ let editor = CodeMirror(editorElement, {
   tabSize: 2
 });
 
-function loadFile(fileName) {
-  if (fileName === undefined) {
+function setCurrentFile(filename) {
+  let old_nav_item = document.getElementById(`file-${currentFile}`);
+  if (old_nav_item !== null) {
+    old_nav_item.classList.remove("active");
+  }
+  currentFile = filename;
+  document.title = `${currentFile} - Config Editor`;
+  let new_nav_item = document.getElementById(`file-${currentFile}`);
+  if (new_nav_item === null) {
+    new_file_btn = document.getElementById("new-file");
+    file_list = document.getElementById("file-list");
+    new_nav_item = document.createElement("li");
+    new_nav_item.id = `file-${currentFile}`;
+    new_nav_item.innerHTML = `<a class="unselectable">${currentFile}</a>`;
+    file_list.insertBefore(new_nav_item, new_file_btn);
+  }
+  new_nav_item.classList.add("active");
+}
+
+function loadFile(filename) {
+  if (filename === undefined) {
+    return;
+  }
+  if (filename === '+') {
+    newFile();
     return;
   }
   let req = new XMLHttpRequest();
-  req.open("GET", `/config/${fileName}`, true);
+  req.open("GET", `/config/${filename}`, true);
   req.onreadystatechange = function () {
     if (req.readyState == 4) {
       if (req.status == 200) {
-        let old_nav_item = document.getElementById(`file-${currentFile}`);
-        old_nav_item.classList.remove("active");
         editor.setValue(req.responseText);
-        currentFile = fileName;
-        let new_nav_item = document.getElementById(`file-${currentFile}`);
-        new_nav_item.classList.add("active");
-        document.title = `${currentFile} - Config Editor`;
+        setCurrentFile(filename);
         console.log(`loaded ${currentFile}`);
       } else {
-        let msg = `Failed to load ${fileName}: ` + req.responseText;
+        let msg = `Failed to load ${filename}: ` + req.responseText;
         alert(msg);
         console.log(msg);
       }
@@ -46,14 +64,35 @@ function saveFile(filename, content) {
   req.onreadystatechange = function () {
     if (req.readyState == 4) {
       if (req.status == 200) {
-        alert("Saved " + filename);
+        alert(req.responseText);
       } else {
-        alert("Error: " + req.responseText);
+        alert("Error:\n" + req.responseText);
       }
     }
   };
 }
 
+function newFile() {
+  let filename = prompt("Enter filename:");
+  if (filename === undefined || filename === "") {
+    alert("File name cannot be empty");
+    return;
+  }
+  if (!filename.endsWith(".yml") && !filename.endsWith(".yaml")) {
+    alert("File name must end with .yml or .yaml");
+    return;
+  }
+  let files = document.getElementById("file-list").children;
+  for (let i = 0; i < files.length; i++) {
+    if (files[i].id === `file-${filename}`) {
+      alert("File already exists");
+      return;
+    }
+  }
+  editor.setValue("");
+  setCurrentFile(filename);
+}
+
 editor.setSize("100wh", "100vh");
 editor.setOption("extraKeys", {
   Tab: function (cm) {

templates/config_editor/style.css

@@ -36,6 +36,10 @@ body {
   padding-right: 4em;
   display: block;
 }
+#new-file {
+  color: #f8f8f2 !important;
+  font-weight: bold;
+}
 .active {
   font-weight: bold;
   background: rgba(255, 255, 255, 0.1);

version.txt

@@ -0,0 +1 @@
+0.4.8