added explicit only mode for docker provider, updated dependencies

ci speedup
fixed some containers being excluded on restart
2026-01-14 06:13:33 +01:00 · 2024-09-29 11:24:41 +08:00 · 2024-09-29 06:00:52 +08:00 · 2024-09-28 12:34:06 +08:00 · 2024-09-28 11:55:26 +08:00 · 2024-09-28 11:51:47 +08:00
188 changed files with 10721 additions and 5231 deletions
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,14 +1,132 @@
 name: Docker Image CI

 on:
-  push:
-    tags:
-      - "*"
+    push:
+        tags: ["*"]
+
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
+
 jobs:
-  build_and_push:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Build and Push Container to ghcr.io
-        uses: GlueOps/github-actions-build-push-containers@v0.3.7
-        with:
-          tags: latest,${{ github.ref_name }}
+    build:
+        name: Build multi-platform Docker image
+        runs-on: self-hosted
+
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+            attestations: write
+
+        strategy:
+            fail-fast: false
+            matrix:
+                platform:
+                    - linux/amd64
+                    - linux/arm/v6
+                    - linux/arm/v7
+                    - linux/arm64
+        steps:
+            - name: Prepare
+              run: |
+                  platform=${{ matrix.platform }}
+                  echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Login to registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Build and push by digest
+              id: build
+              uses: docker/build-push-action@v6
+              with:
+                  platforms: ${{ matrix.platform }}
+                  labels: ${{ steps.meta.outputs.labels }}
+                  outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
+
+            - name: Generate artifact attestation
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+                  subject-digest: ${{ steps.build.outputs.digest }}
+                  push-to-registry: true
+
+            - name: Export digest
+              run: |
+                  mkdir -p /tmp/digests
+                  digest="${{ steps.build.outputs.digest }}"
+                  touch "/tmp/digests/${digest#sha256:}"
+
+            - name: Upload digest
+              uses: actions/upload-artifact@v4
+              with:
+                  name: digests-${{ env.PLATFORM_PAIR }}
+                  path: /tmp/digests/*
+                  if-no-files-found: error
+                  retention-days: 1
+    merge:
+        runs-on: self-hosted
+        needs:
+            - build
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+        steps:
+            - name: Download digests
+              uses: actions/download-artifact@v4
+              with:
+                  path: /tmp/digests
+                  pattern: digests-*
+                  merge-multiple: true
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+            - name: Login to registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Create manifest list and push
+              id: push
+              working-directory: /tmp/digests
+              run: |
+                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+            - name: Inspect image
+              run: |
+                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+
+            - name: Tag as latest
+              if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')
+              run: |
+                  docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+                  docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,30 +0,0 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
-
-name: Go
-
-on:
-  push:
-    tags:
-      - "*"
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: "1.22.1"
-
-      - name: Build
-        run: make build
-
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: bin/go-proxy
-    #- name: Test
-    #  run: go test -v ./...
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,21 @@
 compose.yml

-config/
-certs/
+config*/
+certs*/
 bin/
-templates/codemirror/
+error_pages/

 logs/
-log/
+log/
+
+.vscode/settings.json
+
+go.work.sum
+
+!cmd/**/
+!internal/**/
+
+todo.md
+
+.*.swp
+.aider*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,15 @@
+build-image:
+  image: docker
+  rules:
+    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+      variables:
+        CI_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE:latest
+    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
+      variables:
+        CI_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH
+  before_script:
+    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
+  script:
+    - echo building $CI_REGISTRY_IMAGE
+    - docker build --pull -t $CI_REGISTRY_IMAGE .
+    - docker push $CI_REGISTRY_IMAGE
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -0,0 +1,13 @@
+{
+  "yaml.schemas": {
+    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
+      "config.example.yml",
+      "config.yml"
+    ],
+    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
+      "providers.example.yml",
+      "*.providers.yml",
+      "providers.yml"
+    ]
+  }
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,16 +0,0 @@
-{
-    "go.inferGopath": false,
-    "yaml.schemas": {
-        // "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
-        //     "config.example.yml",
-        //     "config.yml"
-        // ],
-        "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
-            "providers.example.yml",
-            "*.providers.yml"
-        ],
-        "file:///config/workspace/go-proxy/schema/config.schema.json": [
-            "file:///config/workspace/go-proxy/config.example.yml"
-        ]
-    }
-}
--- a/58
+++ b/58
@@ -1,39 +1,51 @@
-FROM alpine:latest AS codemirror
-RUN apk add --no-cache unzip wget make
-COPY Makefile .
-RUN make setup-codemirror
+# Stage 1: Builder
+FROM golang:1.23.1-alpine AS builder
+RUN apk add --no-cache tzdata

-FROM golang:1.22.1-alpine as builder
-COPY src/ /src
-COPY go.mod go.sum /src/go-proxy
-WORKDIR /src/go-proxy
+WORKDIR /src
+
+# Only copy go.mod and go.sum initially for better caching
+COPY go.mod go.sum /src
+
+# Utilize build cache
 RUN --mount=type=cache,target="/go/pkg/mod" \
-    go mod download
+    go mod graph | awk '{if ($1 !~ "@") print $2}' | xargs go get

 ENV GOCACHE=/root/.cache/go-build
+
+# Build the application with better caching
 RUN --mount=type=cache,target="/go/pkg/mod" \
    --mount=type=cache,target="/root/.cache/go-build" \
-    CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o go-proxy
+    --mount=type=bind,src=cmd,dst=/src/cmd \
+    --mount=type=bind,src=internal,dst=/src/internal \
+    CGO_ENABLED=0 GOOS=linux go build -ldflags '-w -s' -pgo=auto -o /app/go-proxy ./cmd && \
+    mkdir /app/error_pages /app/certs

-FROM alpine:latest
+# Stage 2: Final image
+FROM scratch

 LABEL maintainer="yusing@6uo.me"
+LABEL proxy.exclude=1

-RUN apk add --no-cache tzdata
-RUN mkdir -p /app/templates
-COPY --from=codemirror templates/codemirror/ /app/templates/codemirror
-COPY templates/ /app/templates
-COPY schema/ /app/schema
-COPY --from=builder /src/go-proxy /app/
+# copy timezone data
+COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

-RUN chmod +x /app/go-proxy
-ENV DOCKER_HOST unix:///var/run/docker.sock
-ENV GOPROXY_DEBUG 0
+# copy binary
+COPY --from=builder /app /app
+
+# copy schema directory
+COPY schema/ /app/schema/
+
+# copy certs
+COPY --from=builder /etc/ssl/certs /etc/ssl/certs
+
+ENV DOCKER_HOST=unix:///var/run/docker.sock
+ENV GOPROXY_DEBUG=0

 EXPOSE 80
-EXPOSE 8080
+EXPOSE 8888
 EXPOSE 443
-EXPOSE 8443

 WORKDIR /app
-CMD ["/app/go-proxy"]
+
+CMD ["/app/go-proxy"]
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 [fullname]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/62
+++ b/62
@@ -1,41 +1,57 @@
-.PHONY: all build up quick-restart restart logs get udp-server
+BUILD_FLAG ?= -s -w

-all: build quick-restart logs
+.PHONY: all setup build test up restart logs get debug run archive repush rapid-crash debug-list-containers
+
+all: debug

 setup:
 	mkdir -p config certs
 	[ -f config/config.yml ] || cp config.example.yml config/config.yml
 	[ -f config/providers.yml ] || touch config/providers.yml

-setup-codemirror:
-	wget https://codemirror.net/5/codemirror.zip
-	unzip codemirror.zip
-	rm codemirror.zip
-	mkdir -p templates
-	mv codemirror-* templates/codemirror
-
 build:
 	mkdir -p bin
-	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy src/go-proxy/*.go
+	CGO_ENABLED=0 GOOS=linux \
+		go build -ldflags '${BUILD_FLAG}' -pgo=auto -o bin/go-proxy ./cmd
+
+test:
+	go test ./internal/...

 up:
-	docker compose up -d --build app
+	docker compose up -d

 restart:
-	docker kill go-proxy
-	docker compose up -d app
+	docker compose restart -t 0

 logs:
-	tail -f log/go-proxy.log
+	docker compose logs -f

 get:
-	go get -d -u ./src/go-proxy
+	cd cmd && go get -u && go mod tidy && cd ..

-udp-server:
-	docker run -it --rm \
-		-p 9999:9999/udp \
-		--label proxy.test-udp.scheme=udp \
-		--label proxy.test-udp.port=20003:9999 \
-		--network host \
-		--name test-udp \
-		$$(docker build -q -f udp-test-server.Dockerfile .)
+debug:
+	make BUILD_FLAG="" build && sudo GOPROXY_DEBUG=1 bin/go-proxy
+
+run:
+	make build && sudo bin/go-proxy
+
+archive:
+	git archive HEAD -o ../go-proxy-$$(date +"%Y%m%d%H%M").zip
+
+repush:
+	git reset --soft HEAD^
+	git add -A
+	git commit -m "repush"
+	git push gitlab dev --force
+
+rapid-crash:
+	sudo docker run --restart=always --name test_crash debian:bookworm-slim /bin/cat &&\
+	sleep 3 &&\
+	sudo docker rm -f test_crash
+
+debug-list-containers:
+	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+
+ci-test:
+	mkdir -p /tmp/artifacts
+	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
--- a/README.md
+++ b/README.md
@@ -1,408 +1,146 @@
 # go-proxy

-A simple auto docker reverse proxy for home use. **Written in _Go_**
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)

-In the examples domain `x.y.z` is used, replace them with your domain
+[繁體中文文檔請看此](README_CHT.md)
+
+A lightweight, easy-to-use, and [performant](docs/benchmark_result.md) reverse proxy with a web UI.

 ## Table of content

+<!-- TOC -->
+
 - [go-proxy](#go-proxy)
  - [Table of content](#table-of-content)
  - [Key Points](#key-points)
-  - [How to use](#how-to-use)
-  - [Command-line args](#command-line-args)
-    - [Commands](#commands)
-  - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
-  - [Configuration](#configuration)
-    - [Labels (docker)](#labels-docker)
+  - [Getting Started](#getting-started)
+    - [Setup](#setup)
+    - [Commands line arguments](#commands-line-arguments)
    - [Environment variables](#environment-variables)
+    - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
    - [Config File](#config-file)
-      - [Fields](#fields)
-      - [Provider Kinds](#provider-kinds)
-    - [Provider File](#provider-file)
-    - [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
-  - [Examples](#examples)
-    - [Single port configuration example](#single-port-configuration-example)
-    - [Multiple ports configuration example](#multiple-ports-configuration-example)
-    - [TCP/UDP configuration example](#tcpudp-configuration-example)
-  - [Load balancing Configuration Example](#load-balancing-configuration-example)
-  - [Troubleshooting](#troubleshooting)
-  - [Benchmarks](#benchmarks)
-  - [Known issues](#known-issues)
-  - [Memory usage](#memory-usage)
+    - [Include Files](#include-files)
+  - [Showcase](#showcase)
+    - [idlesleeper](#idlesleeper)
  - [Build it yourself](#build-it-yourself)

 ## Key Points

- Fast (See [benchmarks](#benchmarks))
- Auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported DNS Challenge Providers](#supported-dns-challenge-providers))
- Auto detect reverse proxies from docker
- Auto hot-reload on container `start` / `die` / `stop` or config file changes
- Custom proxy entries with `config.yml` and additional provider files
- Subdomain matching + Path matching **(domain name doesn't matter)**
- HTTP(s) proxy + TCP/UDP Proxy (UDP is _experimental_)
- HTTP(s) round robin load balance support (same subdomain and path across different hosts)
- Web UI on port 8080 (http) and port 8443 (https)
+-   Easy to use
+    -   Effortless configuration
+    -   Simple multi-node setup
+    -   Error messages is clear and detailed, easy troubleshooting
+-   Auto SSL cert management (See [Supported DNS Challenge Providers](docs/dns_providers.md)) 
+-   Auto configuration for docker containers
+-   Auto hot-reload on container state / config file changes
+-   **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [showcase](#idlesleeper))_
+-   HTTP(s) reserve proxy
+-   [HTTP middleware support](docs/middlewares.md) _(experimental)_
+-   [Custom error pages support](docs/middlewares.md#custom-error-pages)
+-   TCP and UDP port forwarding
+-   Web UI for configuration and monitoring (See [screenshots](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots))
+-   Supports linux/amd64, linux/arm64, linux/arm/v7, linux/arm/v6 multi-platform
+-   Written in **[Go](https://go.dev)**

-  - a simple panel to see all reverse proxies and health
+[🔼Back to top](#table-of-content)

-    ![panel screenshot](screenshots/panel.png)
+## Getting Started

-  - a config editor to edit config and provider files with validation
+### Setup

-    **Validate and save file with Ctrl+S**
+1.  Pull docker image 
+    
+    ```shell
+    docker pull ghcr.io/yusing/go-proxy:latest
+    ```

-    ![config editor screenshot](screenshots/config_editor.png)
+2.  Create new directory, `cd` into it, then run setup

-## How to use
+    ```shell
+    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
+    ```

-1. Setup DNS Records to your machine's IP address
+3.  Setup DNS Records point to machine which runs `go-proxy`, e.g.

-   - A Record: `*.y.z` -> `10.0.10.1`
-   - AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+    -   A Record: `*.y.z` -> `10.0.10.1`
+    -   AAAA Record: `*.y.z` -> `::ffff:a00:a01`

-2. Start `go-proxy` (see [Binary](docs/binary.md) or [docker](docs/docker.md))
+4.  Setup `docker-socket-proxy` other docker nodes _(if any)_ (see [example](docs/docker_socket_proxy.md)) and then them inside `config.yml`

-3. Start editing config files
-   - with text editor (i.e. Visual Studio Code)
-   - or with web config editor by navigate to `ip:8080`
+5.  Done. You may now do some extra configuration
+    -   With text editor (e.g. Visual Studio Code)
+    -   With Web UI via `gp.y.z`
+    -   For more info, [See docker.md](docs/docker.md)

-## Command-line args
+[🔼Back to top](#table-of-content)

-`go-proxy [command]`
+### Commands line arguments

-### Commands
+| Argument    | Description                      | Example                    |
+| ----------- | -------------------------------- | -------------------------- |
+| empty       | start proxy server               |                            |
+| `validate`  | validate config and exit         |                            |
+| `reload`    | trigger a force reload of config |                            |
+| `ls-config` | list config and exit             | `go-proxy ls-config \| jq` |
+| `ls-route`  | list proxy entries and exit      | `go-proxy ls-route \| jq`  |

- empty: start proxy server
- validate: validate config and exit
- reload: trigger a force reload of config
-
-Examples:
-
- Binary: `go-proxy reload`
- Docker: `docker exec -it go-proxy /app/go-proxy reload`
-
-## Use JSON Schema in VSCode
-
-Modify `.vscode/settings.json` to fit your needs
-
-```json
-{
-  "yaml.schemas": {
-    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
-      "config.example.yml",
-      "config.yml"
-    ],
-    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
-      "providers.example.yml",
-      "*.providers.yml"
-    ]
-  }
-}
-```
-
-## Configuration
-
-With container name, no label needs to be added _(most of the time)_.
-
-### Labels (docker)
-
-See [compose.example.yml](compose.example.yml) for more
-
- `proxy.aliases`: comma separated aliases for subdomain matching
-
-  - default: container name
-
- `proxy.*.<field>`: wildcard label for all aliases
-
-Below labels has a **`proxy.<alias>.`** prefix (i.e. `proxy.nginx.scheme: http`)
-
- `scheme`: proxy protocol
-  - default: `http`
-  - allowed: `http`, `https`, `tcp`, `udp`
- `host`: proxy host
-  - default: `container_name`
- `port`: proxy port
-  - default: first expose port (declared in `Dockerfile` or `docker-compose.yml`)
-  - `http(s)`: number in range og `0 - 65535`
-  - `tcp/udp`: `[<listeningPort>:]<targetPort>`
-    - `listeningPort`: number, when it is omitted (not suggested), a free port starting from 20000 will be used.
-    - `targetPort`: number, or predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
- `no_tls_verify`: whether skip tls verify when scheme is https
-  - default: `false`
- `path`: proxy path _(http(s) proxy only)_
-  - default: empty
- `path_mode`: mode for path handling
-
-  - default: empty
-  - allowed: empty, `forward`, `sub`
-    - `empty`: remove path prefix from URL when proxying
-      1. apps.y.z/webdav -> webdav:80
-      2. apps.y.z./webdav/path/to/file -> webdav:80/path/to/file
-    - `forward`: path remain unchanged
-      1. apps.y.z/webdav -> webdav:80/webdav
-      2. apps.y.z./webdav/path/to/file -> webdav:80/webdav/path/to/file
-    - `sub`: (experimental) remove path prefix from URL and also append path to HTML link attributes (`src`, `href` and `action`) and Javascript `fetch(url)` by response body substitution
-      e.g. apps.y.z/app1 -> webdav:80, `href="/app1/path/to/file"` -> `href="/path/to/file"`
-
- `load_balance`: enable load balance (docker only)
-  - allowed: `1`, `true`
+**run with `docker exec go-proxy /app/go-proxy <command>`**

 ### Environment variables

- `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
+| Environment Variable           | Description                                 | Default          | Values        |
+| ------------------------------ | ------------------------------------------- | ---------------- | ------------- |
+| `GOPROXY_NO_SCHEMA_VALIDATION` | disable schema validation                   | `false`          | boolean       |
+| `GOPROXY_DEBUG`                | enable debug behaviors                      | `false`          | boolean       |
+| `GOPROXY_HTTP_ADDR`            | http server listening address               | `:80`            | `[host]:port` |
+| `GOPROXY_HTTPS_ADDR`           | https server listening address (if enabled) | `:443`           | `[host]:port` |
+| `GOPROXY_API_ADDR`             | api server listening address                | `127.0.0.1:8888` | `[host]:port` |
+
+### Use JSON Schema in VSCode
+
+Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify it to fit your needs
+
+[🔼Back to top](#table-of-content)

 ### Config File

-See [config.example.yml](config.example.yml) for more
+See [config.example.yml](config.example.yml)

-#### Fields
+[🔼Back to top](#table-of-content)

- `autocert`: autocert configuration
+### Include Files

-  - `email`: ACME Email
-  - `domains`: a list of domains for cert registration
-  - `provider`: DNS Challenge provider, see [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
-  - `options`: provider specific options
+These are files that include standalone proxy entries

- `providers`: reverse proxy providers configuration
-  - `kind`: provider kind (string), see [Provider Kinds](#provider-kinds)
-  - `value`: provider specific value
-
-#### Provider Kinds
-
- `docker`: load reverse proxies from docker
-
-  values:
-
-  - `FROM_ENV`: value from environment (`DOCKER_HOST`)
-  - full url to docker host (i.e. `tcp://host:2375`)
-
- `file`: load reverse proxies from provider file
-
-  value: relative path of file to `config/`
-
-### Provider File
-
-Fields are same as [docker labels](#labels-docker) starting from `scheme`
+See [Fields](docs/docker.md#fields)

 See [providers.example.yml](providers.example.yml) for examples

-### Supported DNS Challenge Providers
+[🔼Back to top](#table-of-content)

- Cloudflare
+## Showcase

-  - `auth_token`: your zone API token
+### idlesleeper

-  Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
+![idlesleeper](showcase/idlesleeper.webp)

-To add more provider support, see [this](docs/add_dns_provider.md)
-
-## Examples
-
-See [docker.md](docs/docker.md#docker-compose-example) for complete examples
-
-### Single port configuration example
-
-```yaml
-# (default) https://<container_name>.y.z
-whoami:
-  image: traefik/whoami
-  container_name: whoami # => whoami.y.z
-
-# enable both subdomain and path matching:
-whoami:
-  image: traefik/whoami
-  container_name: whoami
-  labels:
-    - proxy.aliases=whoami,apps
-    - proxy.apps.path=/whoami
-# 1. visit https://whoami.y.z
-# 2. visit https://apps.y.z/whoami
-```
-
-### Multiple ports configuration example
-
-```yaml
-minio:
-  image: quay.io/minio/minio
-  container_name: minio
-  ...
-  labels:
-    - proxy.aliases=minio,minio-console
-    - proxy.minio.port=9000
-    - proxy.minio-console.port=9001
-
-# visit https://minio.y.z to access minio
-# visit https://minio-console.y.z/whoami to access minio console
-```
-
-### TCP/UDP configuration example
-
-```yaml
-# In the app
-app-db:
-  image: postgres:15
-  container_name: app-db
-  ...
-  labels:
-    # Optional (postgres is in the known image map)
-    - proxy.app-db.scheme=tcp
-
-    # Optional (first free port will be used for listening port)
-    - proxy.app-db.port=20000:postgres
-
-# In go-proxy
-go-proxy:
-  ...
-  ports:
-    - 80:80
-    ...
-    - <your desired port>:20000/tcp
-    # or 20000-20010:20000-20010/tcp to declare large range at once
-
-# access app-db via <*>.y.z:20000
-```
-
-## Load balancing Configuration Example
-
-```yaml
-nginx:
-  ...
-  deploy:
-    mode: replicated
-    replicas: 3
-  labels:
-    - proxy.nginx.load_balance=1 # allowed: [1, true]
-```
-
-## Troubleshooting
-
-Q: How to fix when it shows "no matching route for subdomain \<subdomain>"?
-
-A: Make sure the container is running, and \<subdomain> matches any container name / alias
-
-## Benchmarks
-
-Benchmarked with `wrk` connecting `traefik/whoami`'s `/bench` endpoint
-
-Remote benchmark (client running wrk and `go-proxy` server are different devices)
-
- Direct connection
-
-  ```shell
-  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
-  Running 10s test @ http://10.0.100.3:8003/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency    94.75ms  199.92ms   1.68s    91.27%
-      Req/Sec     4.24k     1.79k   18.79k    72.13%
-    Latency Distribution
-      50%    1.14ms
-      75%  120.23ms
-      90%  245.63ms
-      99%    1.03s
-    423444 requests in 10.10s, 50.88MB read
-    Socket errors: connect 0, read 0, write 0, timeout 29
-  Requests/sec:  41926.32
-  Transfer/sec:      5.04MB
-  ```
-
- With reverse proxy
-
-  ```shell
-  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
-  Running 10s test @ http://10.0.1.7/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency    79.35ms  169.79ms   1.69s    92.55%
-      Req/Sec     4.27k     1.90k   19.61k    75.81%
-    Latency Distribution
-      50%    1.12ms
-      75%  105.66ms
-      90%  200.22ms
-      99%  814.59ms
-    409836 requests in 10.10s, 49.25MB read
-    Socket errors: connect 0, read 0, write 0, timeout 18
-  Requests/sec:  40581.61
-  Transfer/sec:      4.88MB
-  ```
-
-Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
-
- Direct connection
-
-  ```shell
-  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
-  Running 10s test @ http://10.0.100.1/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency   434.08us  539.35us   8.76ms   85.28%
-      Req/Sec    67.71k     6.31k   87.21k    71.20%
-    Latency Distribution
-      50%  153.00us
-      75%  646.00us
-      90%    1.18ms
-      99%    2.38ms
-    6739591 requests in 10.01s, 809.85MB read
-  Requests/sec: 673608.15
-  Transfer/sec:     80.94MB
-  ```
-
- With `go-proxy` reverse proxy
-
-  ```shell
-  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
-  Running 10s test @ http://10.0.1.7/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     1.23ms    0.96ms  11.43ms   72.09%
-      Req/Sec    17.48k     1.76k   21.48k    70.20%
-    Latency Distribution
-      50%    0.98ms
-      75%    1.76ms
-      90%    2.54ms
-      99%    4.24ms
-    1739079 requests in 10.01s, 208.97MB read
-  Requests/sec: 173779.44
-  Transfer/sec:     20.88MB
-  ```
-
- With `traefik-v3`
-
-  ```shell
-  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
-  Running 10s test @ http://127.0.0.1:8000/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     2.81ms   10.36ms 180.26ms   98.57%
-      Req/Sec    11.35k     1.74k   13.76k    85.54%
-    Latency Distribution
-      50%    1.59ms
-      75%    2.27ms
-      90%    3.17ms
-      99%   37.91ms
-    1125723 requests in 10.01s, 109.50MB read
-  Requests/sec: 112499.59
-  Transfer/sec:     10.94MB
-  ```
-
-## Known issues
-
-UDP proxy does not work for PalWorld Dedicated Server
-
-## Memory usage
-
-It takes ~15 MB for 50 proxy entries
+[🔼Back to top](#table-of-content)

 ## Build it yourself

-1. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already
+1. Clone the repository `git clone https://github.com/yusing/go-proxy --depth=1`

-2. Clear cache if you have built this before (go < 1.22) with `go clean -cache`
+2. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already

-3. get dependencies with `make get`
+3. Clear cache if you have built this before (go < 1.22) with `go clean -cache`

-4. build binary with `make build`
+4. get dependencies with `make get`

-5. start your container with `make up` (docker) or `bin/go-proxy` (binary)
+5. build binary with `make build`
+
+[🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -0,0 +1,140 @@
+# go-proxy
+
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)
+
+一個輕量化、易用且[高效](docs/benchmark_result.md)的反向代理和端口轉發工具
+
+## 目錄
+
+<!-- TOC -->
+
+- [go-proxy](#go-proxy)
+  - [目錄](#目錄)
+  - [重點](#重點)
+  - [入門指南](#入門指南)
+    - [安裝](#安裝)
+    - [命令行參數](#命令行參數)
+    - [環境變量](#環境變量)
+    - [VSCode 中使用 JSON Schema](#vscode-中使用-json-schema)
+    - [配置文件](#配置文件)
+    - [透過文件配置](#透過文件配置)
+  - [展示](#展示)
+    - [idlesleeper](#idlesleeper)
+  - [源碼編譯](#源碼編譯)
+
+## 重點
+
+-   易用
+    -   不需花費太多時間就能輕鬆配置
+    -   支持多個docker節點
+    -   除錯簡單
+-   自動配置 SSL 證書（參見[可用的 DNS 供應商](docs/dns_providers.md)）
+-   透過 Docker 容器自動配置
+-   容器狀態變更時自動熱重載
+-   容器閒置時自動暫停/停止，入站時自動喚醒
+-   HTTP(s) 反向代理
+-   TCP/UDP 端口轉發
+-   用於配置和監控的前端 Web 面板（[截圖](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots)）
+-   支持 linux/amd64、linux/arm64、linux/arm/v7、linux/arm/v6 多平台
+-   使用 **[Go](https://go.dev)** 編寫
+
+[🔼 返回頂部](#目錄)
+
+## 入門指南
+
+### 安裝
+
+1. 抓取Docker鏡像
+
+    ```shell
+    docker pull ghcr.io/yusing/go-proxy:latest
+    ```
+
+2. 建立新的目錄，並切換到該目錄，並執行
+   
+   ```shell
+    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
+    ```
+
+3. 設置 DNS 記錄，例如：
+
+    - A 記錄: `*.y.z` -> `10.0.10.1`
+    - AAAA 記錄: `*.y.z` -> `::ffff:a00:a01`
+
+4. 配置 `docker-socket-proxy` 其他 Docker 節點（如有） (參見 [範例](docs/docker_socket_proxy.md)) 然後加到 `config.yml` 中
+
+5. 大功告成，你可以做一些額外的配置
+    - 使用文本編輯器 (推薦 Visual Studio Code [參見 VSCode 使用 schema](#vscode-中使用-json-schema))
+    - 或通過 `http://gp.y.z` 使用網頁配置編輯器
+    - 詳情請參閱 [docker.md](docs/docker.md)
+
+[🔼 返回頂部](#目錄)
+
+### 命令行參數
+
+| 參數        | 描述           | 示例                       |
+| ----------- | -------------- | -------------------------- |
+| 空          | 啟動代理服務器 |                            |
+| `validate`  | 驗證配置並退出 |                            |
+| `reload`    | 強制刷新配置   |                            |
+| `ls-config` | 列出配置並退出 | `go-proxy ls-config \| jq` |
+| `ls-route`  | 列出路由並退出 | `go-proxy ls-route \| jq`  |
+
+**使用 `docker exec go-proxy /app/go-proxy <參數>` 運行**
+
+### 環境變量
+
+| 環境變量                       | 描述             | 默認             | 格式          |
+| ------------------------------ | ---------------- | ---------------- | ------------- |
+| `GOPROXY_NO_SCHEMA_VALIDATION` | 禁用 schema 驗證 | `false`          | boolean       |
+| `GOPROXY_DEBUG`                | 啟用調試輸出     | `false`          | boolean       |
+| `GOPROXY_HTTP_ADDR`            | http 收聽地址    | `:80`            | `[host]:port` |
+| `GOPROXY_HTTPS_ADDR`           | https 收聽地址   | `:443`           | `[host]:port` |
+| `GOPROXY_API_ADDR`             | api 收聽地址     | `127.0.0.1:8888` | `[host]:port` |
+
+### VSCode 中使用 JSON Schema
+
+複製 [`.vscode/settings.example.json`](.vscode/settings.example.json) 到 `.vscode/settings.json` 並根據需求修改
+
+[🔼 返回頂部](#目錄)
+
+### 配置文件
+
+參見 [config.example.yml](config.example.yml)
+
+[🔼 返回頂部](#目錄)
+
+### 透過文件配置
+
+參見 [Fields](docs/docker.md#fields)
+
+參見範例 [providers.example.yml](providers.example.yml)
+
+[🔼 返回頂部](#目錄)
+
+## 展示
+
+### idlesleeper
+
+![idlesleeper](showcase/idlesleeper.webp)
+
+[🔼 返回頂部](#目錄)
+
+## 源碼編譯
+
+1. 獲取源碼 `git clone https://github.com/yusing/go-proxy --depth=1`
+
+2. 安裝/升級 [go 版本 (>=1.22)](https://go.dev/doc/install) 和 `make`（如果尚未安裝）
+
+3. 如果之前編譯過（go 版本 < 1.22），請使用 `go clean -cache` 清除緩存
+
+4. 使用 `make get` 獲取依賴項
+
+5. 使用 `make build` 編譯
+
+[🔼 返回頂部](#目錄)
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -0,0 +1,215 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"reflect"
+	"runtime"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/yusing/go-proxy/internal"
+	"github.com/yusing/go-proxy/internal/api"
+	apiUtils "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/docker/idlewatcher"
+	E "github.com/yusing/go-proxy/internal/error"
+	R "github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/server"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+func main() {
+	args := common.GetArgs()
+
+	if args.Command == common.CommandSetup {
+		internal.Setup()
+		return
+	}
+
+	l := logrus.WithField("module", "main")
+	onShutdown := F.NewSlice[func()]()
+
+	if common.IsDebug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+
+	if args.Command != common.CommandStart {
+		logrus.SetOutput(io.Discard)
+	} else {
+		logrus.SetFormatter(&logrus.TextFormatter{
+			DisableSorting:  true,
+			FullTimestamp:   true,
+			ForceColors:     true,
+			TimestampFormat: "01-02 15:04:05",
+		})
+	}
+
+	if args.Command == common.CommandReload {
+		if err := apiUtils.ReloadServer(); err.HasError() {
+			log.Fatal(err)
+		}
+		log.Print("ok")
+		return
+	}
+
+	// exit if only validate config
+	if args.Command == common.CommandValidate {
+		data, err := os.ReadFile(common.ConfigPath)
+		if err == nil {
+			err = config.Validate(data).Error()
+		}
+		if err != nil {
+			log.Fatal("config error: ", err)
+		}
+		log.Print("config OK")
+		return
+	}
+
+	for _, dir := range common.RequiredDirectories {
+		prepareDirectory(dir)
+	}
+
+	err := config.Load()
+	if err != nil {
+		logrus.Warn(err)
+	}
+	cfg := config.GetInstance()
+
+	switch args.Command {
+	case common.CommandListConfigs:
+		printJSON(cfg.Value())
+		return
+	case common.CommandListRoutes:
+		printJSON(cfg.RoutesByAlias())
+		return
+	case common.CommandDebugListEntries:
+		printJSON(cfg.DumpEntries())
+		return
+	case common.CommandDebugListProviders:
+		printJSON(cfg.DumpProviders())
+		return
+	}
+
+	if common.IsDebug {
+		printJSON(docker.GetRegisteredNamespaces())
+	}
+
+	cfg.StartProxyProviders()
+
+	if err.HasError() {
+		l.Warn(err)
+	}
+
+	cfg.WatchChanges()
+
+	onShutdown.Add(docker.CloseAllClients)
+	onShutdown.Add(cfg.Dispose)
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGINT)
+	signal.Notify(sig, syscall.SIGTERM)
+	signal.Notify(sig, syscall.SIGHUP)
+
+	autocert := cfg.GetAutoCertProvider()
+
+	if autocert != nil {
+		ctx, cancel := context.WithCancel(context.Background())
+		if err = autocert.Setup(ctx); err != nil {
+			l.Fatal(err)
+		} else {
+			onShutdown.Add(cancel)
+		}
+	} else {
+		l.Info("autocert not configured")
+	}
+
+	proxyServer := server.InitProxyServer(server.Options{
+		Name:            "proxy",
+		CertProvider:    autocert,
+		HTTPAddr:        common.ProxyHTTPAddr,
+		HTTPSAddr:       common.ProxyHTTPSAddr,
+		Handler:         http.HandlerFunc(R.ProxyHandler),
+		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
+	})
+	apiServer := server.InitAPIServer(server.Options{
+		Name:            "api",
+		CertProvider:    autocert,
+		HTTPAddr:        common.APIHTTPAddr,
+		Handler:         api.NewHandler(cfg),
+		RedirectToHTTPS: cfg.Value().RedirectToHTTPS,
+	})
+
+	proxyServer.Start()
+	apiServer.Start()
+	onShutdown.Add(proxyServer.Stop)
+	onShutdown.Add(apiServer.Stop)
+
+	go idlewatcher.Start()
+	onShutdown.Add(idlewatcher.Stop)
+
+	// wait for signal
+	<-sig
+
+	// grafully shutdown
+	logrus.Info("shutting down")
+	done := make(chan struct{}, 1)
+
+	var wg sync.WaitGroup
+	wg.Add(onShutdown.Size())
+	onShutdown.ForEach(func(f func()) {
+		go func() {
+			l.Debugf("waiting for %s to complete...", funcName(f))
+			f()
+			l.Debugf("%s done", funcName(f))
+			wg.Done()
+		}()
+	})
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	timeout := time.After(time.Duration(cfg.Value().TimeoutShutdown) * time.Second)
+	select {
+	case <-done:
+		logrus.Info("shutdown complete")
+	case <-timeout:
+		logrus.Info("timeout waiting for shutdown")
+		onShutdown.ForEach(func(f func()) {
+			l.Warnf("%s() is still running", funcName(f))
+		})
+	}
+}
+
+func prepareDirectory(dir string) {
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err = os.MkdirAll(dir, 0755); err != nil {
+			logrus.Fatalf("failed to create directory %s: %v", dir, err)
+		}
+	}
+}
+
+func funcName(f func()) string {
+	parts := strings.Split(runtime.FuncForPC(reflect.ValueOf(f).Pointer()).Name(), "/go-proxy/")
+	return parts[len(parts)-1]
+}
+
+func printJSON(obj any) {
+	j, err := E.Check(json.MarshalIndent(obj, "", "  "))
+	if err.HasError() {
+		logrus.Fatal(err)
+	}
+	rawLogger := log.New(os.Stdout, "", 0)
+	rawLogger.Printf("%s", j) // raw output for convenience using "jq"
+}
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,45 +1,33 @@
-version: '3'
 services:
+  frontend:
+    image: ghcr.io/yusing/go-proxy-frontend:latest
+    container_name: go-proxy-frontend
+    restart: unless-stopped
+    network_mode: host
+    labels:
+      - proxy.aliases=gp
+      - proxy.gp.port=3000
+    depends_on:
+      - app
  app:
    image: ghcr.io/yusing/go-proxy:latest
    container_name: go-proxy
    restart: always
-    networks: # ^also add here
-      - default
-    ports:
-      - 80:80 # http proxy
-      - 8080:8080 # http panel
-      # - 443:443 # optional, https proxy
-      # - 8443:8443 # optional, https panel
-
-      # optional, if you declared any tcp/udp proxy, set a range you want to use
-      # - 20000:20100/tcp
-      # - 20000:20100/udp
+    network_mode: host
+    environment:
+      # (Optional) change this to your timezone to get correct log timestamp
+      TZ: ETC/UTC
    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/app/config

-      # if local docker provider is used
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      
-      # use existing certificate
-      # - /path/to/cert.pem:/app/certs/cert.crt:ro
-      # - /path/to/privkey.pem:/app/certs/priv.key:ro
+      # (Optional) choose one of below to enable https
+      # 1. use existing certificate
+      # if your cert is not named `cert.crt` change `cert_path` in `config/config.yml`
+      # if your cert key is not named `priv.key` change `key_path` in `config/config.yml`
+
+      # - /path/to/certs:/app/certs
+
+      # 2. use autocert, certs will be stored in ./certs (or other path you specify)

-      # store autocert obtained cert
      # - ./certs:/app/certs
-    
-    # workaround for "lookup: no such host"
-    # dns:
-    #   - 127.0.0.1
-
-    # if you have container running in "host" network mode
-    # extra_hosts:
-    #   - host.docker.internal:host-gateway
-    logging:
-      driver: 'json-file'
-      options:
-        max-file: '1'
-        max-size: 128k
-networks: # ^you may add other external networks
-  default:
-    driver: bridge
--- a/config.example.yml
+++ b/config.example.yml
@@ -1,21 +1,69 @@
-# Autocert (uncomment to enable)
-# autocert: # (optional, if you need autocert feature)
-#   email: "user@domain.com" # (required) email for acme certificate
-#   domains: # (required)
-#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
-#   provider: cloudflare # (required) dns challenge provider (string)
-#   options: # provider specific options
-#     auth_token: "YOUR_ZONE_API_TOKEN"
-providers:
-  local:
-    kind: docker
-    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    # i.e. FROM_ENV, ssh://user@10.0.1.1:22, tcp://10.0.2.1:2375
-    value: FROM_ENV
-  providers:
-    kind: file
-    value: providers.yml
+# Autocert (choose one below and uncomment to enable)
+#
+# 1. use existing cert
+#
+# autocert:
+#   provider: local
+#
+#   cert_path: certs/cert.crt         # optional, uncomment only if you need to change it
+#   key_path: certs/priv.key          # optional, uncomment only if you need to change it
+#
+# 2. cloudflare
+#
+# autocert:
+#   provider: cloudflare
+#   email: abc@gmail.com                            # ACME Email
+#   domains:                                        # a list of domains for cert registration
+#     - "*.y.z"                                     # remember to use double quotes to surround wildcard domain
+#   options:
+#     auth_token: c1234565789-abcdefghijklmnopqrst  # your zone API token
+#
+# 3. other providers, check docs/dns_providers.md for more

-# Fixed options (optional, non hot-reloadable)
+providers:
+  # include files are standalone yaml files under `config/` directory
+  #
+  # include:
+  #   - file1.yml
+  #   - file2.yml
+
+  docker:
+    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
+    local: $DOCKER_HOST
+    # explicit only mode
+    # only containers with explicit aliases will be proxied
+    # add "!" after provider name to enable explicit only mode
+    #
+    # local!: $DOCKER_HOST
+    #
+    # add more docker providers if needed
+    # for value format, see https://docs.docker.com/reference/cli/dockerd/
+    #
+    # remote-1: tcp://10.0.2.1:2375
+    # remote-2: ssh://root:1234@10.0.2.2
+# if match_domains not defined
+# any host = alias+[any domain] will match
+# i.e. https://app1.y.z       will match alias app1 for any domain y.z
+#  but https://app1.node1.y.z will only match alias "app.node1"
+#
+# if match_domains defined
+# only host = alias+[one of match_domains] will match
+# i.e. match_domains = [node1.my.app, my.site]
+# https://app1.my.app, https://app1.my.net, etc. will not match even if app1 exists
+# only https://*.node1.my.app and https://*.my.site will match
+#
+#
+# match_domains:
+#   - my.site
+#   - node1.my.app
+
+# Below are fixed options (non hot-reloadable)
+
+# timeout for shutdown (in seconds)
+#
 # timeout_shutdown: 5
-# redirect_to_https: false
+
+# global setting redirect http requests to https (if https available, otherwise this will be ignored)
+# proxy.<alias>.middlewares.redirect_http will override this
+#
+# redirect_to_https: false
--- a/docs/add_dns_provider.md
+++ b/docs/add_dns_provider.md
@@ -7,7 +7,7 @@
   ```go
   var providersGenMap = map[string]ProviderGenerator{
     "cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-     // add here, i.e.
+     // add here, e.g.
     "clouddns": providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
   }
   ```
@@ -37,5 +37,5 @@
       password: b9841238feb177a84330f
   ```

-5. Run and test if it works
+5. Run with `GOPROXY_NO_SCHEMA_VALIDATION=1` and test if it works
 6. Commit and create pull request
--- a/docs/benchmark_result.md
+++ b/docs/benchmark_result.md
@@ -0,0 +1,104 @@
+# Benchmarks
+
+Benchmarked with `wrk` and `traefik/whoami`'s `/bench` endpoint
+
+## Remote benchmark
+
+- Direct connection
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
+  Running 10s test @ http://10.0.100.3:8003/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    94.75ms  199.92ms   1.68s    91.27%
+      Req/Sec     4.24k     1.79k   18.79k    72.13%
+    Latency Distribution
+      50%    1.14ms
+      75%  120.23ms
+      90%  245.63ms
+      99%    1.03s
+    423444 requests in 10.10s, 50.88MB read
+    Socket errors: connect 0, read 0, write 0, timeout 29
+  Requests/sec:  41926.32
+  Transfer/sec:      5.04MB
+  ```
+
+- With reverse proxy
+
+  ```shell
+  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency    79.35ms  169.79ms   1.69s    92.55%
+      Req/Sec     4.27k     1.90k   19.61k    75.81%
+    Latency Distribution
+      50%    1.12ms
+      75%  105.66ms
+      90%  200.22ms
+      99%  814.59ms
+    409836 requests in 10.10s, 49.25MB read
+    Socket errors: connect 0, read 0, write 0, timeout 18
+  Requests/sec:  40581.61
+  Transfer/sec:      4.88MB
+  ```
+
+## Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
+
+- Direct connection
+
+  ```shell
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
+  Running 10s test @ http://10.0.100.1/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency   434.08us  539.35us   8.76ms   85.28%
+      Req/Sec    67.71k     6.31k   87.21k    71.20%
+    Latency Distribution
+      50%  153.00us
+      75%  646.00us
+      90%    1.18ms
+      99%    2.38ms
+    6739591 requests in 10.01s, 809.85MB read
+  Requests/sec: 673608.15
+  Transfer/sec:     80.94MB
+  ```
+
+- With `go-proxy` reverse proxy
+
+  ```shell
+  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
+  Running 10s test @ http://10.0.1.7/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     1.23ms    0.96ms  11.43ms   72.09%
+      Req/Sec    17.48k     1.76k   21.48k    70.20%
+    Latency Distribution
+      50%    0.98ms
+      75%    1.76ms
+      90%    2.54ms
+      99%    4.24ms
+    1739079 requests in 10.01s, 208.97MB read
+  Requests/sec: 173779.44
+  Transfer/sec:     20.88MB
+  ```
+
+- With `traefik-v3`
+
+  ```shell
+  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
+  Running 10s test @ http://127.0.0.1:8000/bench
+    10 threads and 200 connections
+    Thread Stats   Avg      Stdev     Max   +/- Stdev
+      Latency     2.81ms   10.36ms 180.26ms   98.57%
+      Req/Sec    11.35k     1.74k   13.76k    85.54%
+    Latency Distribution
+      50%    1.59ms
+      75%    2.27ms
+      90%    3.17ms
+      99%   37.91ms
+    1125723 requests in 10.01s, 109.50MB read
+  Requests/sec: 112499.59
+  Transfer/sec:     10.94MB
+  ```
--- a/docs/binary.md
+++ b/docs/binary.md
@@ -1,59 +0,0 @@
-# Getting started with `go-proxy` (binary)
-
-## Setup
-
-1. Install `bash`, `make` and `wget` if not already
-
-2. Run setup script
-
-   To specitfy a version _(optional)_
-
-   ```shell
-   export VERSION=latest # will be resolved into real version number
-   export VERSION=<version>
-   ```
-
-   If you don't need web config editor
-
-   ```shell
-   export SETUP_CODEMIRROR=0
-   ```
-
-   Setup
-
-   ```shell
-   wget -qO- https://6uo.me/go-proxy-setup-binary | sudo bash
-   ```
-
-   What it does:
-
-   - Download source file and binary into /opt/go-proxy/$VERSION
-   - Setup `config.yml` and `providers.yml`
-   - Setup `template/codemirror` which is a dependency for web config editor
-   - Create a systemd service (if available) in `/etc/systemd/system/go-proxy.service`
-   - Enable and start `go-proxy` service
-
-3. Start editing config files in `http://<ip>:8080`
-
-4. Check logs / status with `systemctl status go-proxy`
-
-## Setup (alternative method)
-
-1. Download the latest release and extract somewhere
-
-2. Run `make setup` and _(optional) `make setup-codemirror`_
-
-3. Enable HTTPS _(optional)_
-
-   - To use autocert feature
-
-     complete `autocert` in `config/config.yml`
-
-   - To use existing certificate
-
-     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
-
-     - cert / chain / fullchain: `certs/cert.crt`
-     - private key: `certs/priv.key`
-
-4. Run the binary `bin/go-proxy`
--- a/docs/dns_providers.md
+++ b/docs/dns_providers.md
@@ -0,0 +1,81 @@
+# Supported DNS Providers
+
+<!-- TOC -->
+
+- [Supported DNS Providers](#supported-dns-providers)
+  - [Cloudflare](#cloudflare)
+  - [CloudDNS](#clouddns)
+  - [DuckDNS](#duckdns)
+  - [OVHCloud](#ovhcloud)
+  - [Implement other DNS providers](#implement-other-dns-providers)
+
+## Cloudflare
+
+```yaml
+autocert:
+    provider: cloudflare
+    options:
+        auth_token:
+```
+
+`auth_token` your zone API token
+
+Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
+
+## CloudDNS
+
+```yaml
+autocert:
+    provider: clouddns
+    options:
+        client_id:
+        email:
+        password:
+```
+
+## DuckDNS
+
+```yaml
+autocert:
+    provider: duckdns
+    options:
+        token:
+```
+
+Tested by [earvingad](https://github.com/earvingad)
+
+## OVHCloud
+
+```yaml
+autocert:
+    provider: ovh
+    options:
+        api_endpoint:
+        application_key:
+        application_secret:
+        consumer_key:
+        oauth2_config:
+            client_id:
+            client_secret:
+```
+
+_Note, `application_key` and `oauth2_config` **CANNOT** be used together_
+
+-   `api_endpoint`: Endpoint URL, or one of
+    -   `ovh-eu`,
+    -   `ovh-ca`,
+    -   `ovh-us`,
+    -   `kimsufi-eu`,
+    -   `kimsufi-ca`,
+    -   `soyoustart-eu`,
+    -   `soyoustart-ca`
+-   `application_secret`
+-   `application_key`
+-   `consumer_key`
+-   `oauth2_config`: Client ID and Client Secret
+    -   `client_id`
+    -   `client_secret`
+
+## Implement other DNS providers
+
+See [add_dns_provider.md](docs/add_dns_provider.md)
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -1,52 +1,182 @@
-# Getting started with `go-proxy` docker container
+# Docker compose guide

-## Setup
+## Table of content

-1. Install `wget` if not already
+<!-- TOC -->

-2. Run setup script
+- [Docker compose guide](#docker-compose-guide)
+  - [Table of content](#table-of-content)
+  - [Additional setup](#additional-setup)
+  - [Labels](#labels)
+    - [Syntax](#syntax)
+    - [Fields](#fields)
+      - [Key-value mapping example](#key-value-mapping-example)
+      - [List example](#list-example)
+  - [Troubleshooting](#troubleshooting)
+  - [Docker compose examples](#docker-compose-examples)
+    - [Services URLs for above examples](#services-urls-for-above-examples)

-   `bash <(wget -qO- https://6uo.me/go-proxy-setup-docker)`
+## Additional setup

-   What it does:
+1.  Enable HTTPs _(optional)_

-   - Create required directories
-   - Setup `config.yml` and `compose.yml`
+    Mount a folder to store obtained certs or to load existing cert

-3. Verify folder structure and then `cd go-proxy`
-
-    ```plain
-    go-proxy
-    ├── certs
-    ├── compose.yml
-    └── config
-        ├── config.yml
-        └── providers.yml
+    ```yaml
+    services:
+      go-proxy:
+        ...
+        volumes:
+          - ./certs:/app/certs
    ```

-4. Enable HTTPs _(optional)_
-   - To use autocert feature
-     - completing `autocert` section in `config/config.yml`
-     - mount `certs/` to `/app/certs` to store obtained certs
+    To use **autocert**, complete that section in `config.yml`, e.g.

-   - To use existing certificate
+    ```yaml
+    autocert:
+        email: john.doe@x.y.z # ACME Email
+        domains: # a list of domains for cert registration
+            - y.z
+            - *.y.z
+        provider: cloudflare
+        options:
+            auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
+    ```

-     mount your wildcard (`*.y.z`) SSL cert
+    To use **existing certificate**, set path for cert and key in `config.yml`, e.g.

-     - cert / chain / fullchain -> `/app/certs/cert.crt`
-     - private key -> `/app/certs/priv.key`
+    ```yaml
+    autocert:
+        provider: local
+        cert_path: /app/certs/cert.crt
+        key_path: /app/certs/priv.key
+    ```

-5. Modify `compose.yml` fit your needs
+2.  Modify `compose.yml` to fit your needs

-    Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
+3.  Run `docker compose up -d` to start the container

-6. Run `docker compose up -d` to start the container
+4.  Navigate to Web panel `http://gp.yourdomain.com` or use **Visual Studio Code (provides schema check)** to edit proxy config

-7. Start editing config files in `http://<ip>:8080`
+[🔼Back to top](#table-of-content)
+
+## Labels
+
+**Parts surrounded by `[]` are optional**
+
+### Syntax
+
+| Label                                        | Description                                                                                                                                                         | Example                                                                                                                                                                                                                     | Default                     | Accepted values                                                           |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | ------------------------------------------------------------------------- |
+| `proxy.aliases`                              | comma separated aliases for subdomain and label matching                                                                                                            | `gitlab,gitlab-reg,gitlab-ssh`                                                                                                                                                                                              | `container_name`            | any                                                                       |
+| `proxy.exclude`                              | to be excluded from `go-proxy`                                                                                                                                      |                                                                                                                                                                                                                             | false                       | boolean                                                                   |
+| `proxy.idle_timeout`                         | time for idle (no traffic) before put it into sleep **(http/s only)**<br> _**NOTE: idlewatcher will only be enabled containers that has non-empty `idle_timeout`**_ | `1h`                                                                                                                                                                                                                        | empty or `0` **(disabled)** | `number[unit]...`, e.g. `1m30s`                                           |
+| `proxy.wake_timeout`                         | time to wait for target site to be ready                                                                                                                            |                                                                                                                                                                                                                             | `30s`                       | `number[unit]...`                                                         |
+| `proxy.stop_method`                          | method to stop after `idle_timeout`                                                                                                                                 |                                                                                                                                                                                                                             | `stop`                      | `stop`, `pause`, `kill`                                                   |
+| `proxy.stop_timeout`                         | time to wait for stop command                                                                                                                                       |                                                                                                                                                                                                                             | `10s`                       | `number[unit]...`                                                         |
+| `proxy.stop_signal`                          | signal sent to container for `stop` and `kill` methods                                                                                                              |                                                                                                                                                                                                                             | docker's default            | `SIGINT`, `SIGTERM`, `SIGHUP`, `SIGQUIT` and those without **SIG** prefix |
+| `proxy.<alias>.<field>`                      | set field for specific alias                                                                                                                                        | `proxy.gitlab-ssh.scheme`                                                                                                                                                                                                   | N/A                         | N/A                                                                       |
+| `proxy.#<index>.<field>`                     | set field for specific alias at index (starting from **1**)                                                                                                         | `proxy.#3.port`                                                                                                                                                                                                             | N/A                         | N/A                                                                       |
+| `proxy.*.<field>`                            | set field for all aliases                                                                                                                                           | `proxy.*.set_headers`                                                                                                                                                                                                       | N/A                         | N/A                                                                       |
+| `proxy.?.middlewares.<middleware>[.<field>]` | enable and set field for specific middleware                                                                                                                        | **?** here means `<alias>` / `$<index>` / `*` <ul><li>`proxy.#1.middlewares.modify_request.set_headers`</li><li>`proxy.*.middlewares.modify_response.hide_headers`</li><li>`proxy.app1.middlewares.redirect_http`</li></ul> | N/A                         | Middleware specific<br>See [middlewares.md](middlewares.md) for more      |
+
+### Fields
+
+| Field           | Description                                                                                    | Default                                                                          | Allowed Values / Syntax                                                                                                                                                                                                 |
+| --------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `scheme`        | proxy protocol                                                                                 | <ul><li>`http` for numeric port</li><li>`tcp` for `x:y` port</li></ul>           | `http`, `https`, `tcp`, `udp`                                                                                                                                                                                           |
+| `host`          | proxy host                                                                                     | <ul><li>Docker: docker client IP / hostname </li><li>File: `localhost`</li></ul> | IP address, hostname                                                                                                                                                                                                    |
+| `port`          | proxy port **(http/s)**                                                                        | first port returned from docker                                                  | number in range of `1 - 65535`                                                                                                                                                                                          |
+| `port`          | proxy port **(tcp/udp)**                                                                       | `0:first_port`                                                                   | `x:y` <br><ul><li>**x**: port for `go-proxy` to listen on.<br>**x** can be 0, which means listen on a random port</li><li>**y**: port or [_service name_](../src/common/constants.go#L55) of target container</li></ul> |
+| `no_tls_verify` | whether skip tls verify **(https only)**                                                       | `false`                                                                          | boolean                                                                                                                                                                                                                 |
+| `path_patterns` | proxy path patterns **(http/s only)**<br> only requests that matched a pattern will be proxied | `/` **(proxy all requests)**                                                     | yaml style list[<sup>1</sup>](#list-example) of ([path patterns](https://pkg.go.dev/net/http#hdr-Patterns-ServeMux))                                                                                                    |
+
+
+[🔼Back to top](#table-of-content)
+
+#### Key-value mapping example
+
+Docker Compose
+
+```yaml
+services:
+  nginx:
+    ...
+    labels:
+      proxy.nginx.middlewares.modify_request.set_headers: | # remember to add the '|'
+        X-Custom-Header1: value1, value2
+        X-Custom-Header2: value3, value4
+```
+
+File Provider
+
+```yaml
+service_a:
+    host: service_a.internal
+    middlewares:
+        modify_request:
+            set_headers:
+                X-Custom-Header1: value1, value2
+                X-Custom-Header2: value3
+```
+
+[🔼Back to top](#table-of-content)
+
+#### List example
+
+Docker Compose
+
+```yaml
+services:
+  nginx:
+    ...
+    labels:
+      proxy.nginx.path_patterns: | # remember to add the '|'
+        - GET /
+        - POST /auth
+      proxy.nginx.middlewares.modify_request.hide_headers: | # remember to add the '|'
+        - X-Custom-Header1
+        - X-Custom-Header2
+```
+
+Include file
+
+```yaml
+service_a:
+    host: service_a.internal
+    path_patterns:
+        - GET /
+        - POST /auth
+    middlewares:
+        modify_request:
+            hide_headers:
+                - X-Custom-Header1
+                - X-Custom-Header2
+```
+
+[🔼Back to top](#table-of-content)

 ## Troubleshooting

- Firewall issues
+-   Container not showing up in proxies list
+
+    Please check that either `ports` or label `proxy.<alias>.port` is declared, e.g.
+
+    ```yaml
+    services:
+      nginx-1: # Option 1
+        ...
+        ports:
+          - 80
+      nginx-2: # Option 2
+        ...
+        container_name: nginx-2
+        network_mode: host
+        labels:
+          proxy.nginx-2.port: 80
+    ```
+
+-   Firewall issues

    If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:

@@ -62,63 +192,105 @@

    `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`

-## Docker compose example
+[🔼Back to top](#table-of-content)
+
+## Docker compose examples
+
+More examples in [here](examples/)

 ```yaml
 volumes:
-  adg-work:
-  adg-conf:
-  mc-data:
+    adg-work:
+    adg-conf:
+    mc-data:
+    palworld:
+    nginx:
 services:
    adg:
        image: adguard/adguardhome
        restart: unless-stopped
        labels:
-        - proxy.aliases=adg,adg-dns,adg-setup
-        - proxy.adg.port=80
-        - proxy.adg-setup.port=3000
-        - proxy.adg-dns.scheme=udp
-        - proxy.adg-dns.port=20000:dns
+            - proxy.aliases=adg,adg-dns,adg-setup
+            - proxy.#1.port=80
+            - proxy.#2.scheme=udp
+            - proxy.#2.port=20000:dns
+            - proxy.#3.port=3000
        volumes:
-        - adg-work:/opt/adguardhome/work
-        - adg-conf:/opt/adguardhome/conf
+            - adg-work:/opt/adguardhome/work
+            - adg-conf:/opt/adguardhome/conf
+        ports:
+            - 80
+            - 3000
+            - 53/udp
    mc:
        image: itzg/minecraft-server
        tty: true
        stdin_open: true
        container_name: mc
        restart: unless-stopped
+        ports:
+            - 25565
        labels:
-        - proxy.mc.scheme=tcp
-        - proxy.mc.port=20001:25565
+            - proxy.mc.port=20001:25565
        environment:
-        EULA: "TRUE"
+            - EULA=TRUE
        volumes:
-        - mc-data:/data
+            - mc-data:/data
+    palworld:
+        image: thijsvanloef/palworld-server-docker:latest
+        restart: unless-stopped
+        container_name: pal
+        stop_grace_period: 30s
+        ports:
+            - 8211/udp
+            - 27015/udp
+        labels:
+            - proxy.aliases=pal1,pal2
+            - proxy.*.scheme=udp
+            - proxy.#1.port=20002:8211
+            - proxy.#2.port=20003:27015
+        environment: ...
+        volumes:
+            - palworld:/palworld
+    nginx:
+        image: nginx
+        container_name: nginx
+        volumes:
+            - nginx:/usr/share/nginx/html
+        ports:
+            - 80
+        labels:
+            proxy.idle_timeout: 1m
    go-proxy:
-        image: ghcr.io/yusing/go-proxy
+        image: ghcr.io/yusing/go-proxy:latest
        container_name: go-proxy
        restart: always
-        ports:
-        - 80:80 # http
-        - 443:443 # optional, https
-        - 8080:8080 # http panel
-        - 8443:8443 # optional, https panel
-
-        - 53:20000/udp # adguardhome
-        - 25565:20001/tcp # minecraft
+        network_mode: host
        volumes:
-        - ./config:/app/config
-        - /var/run/docker.sock:/var/run/docker.sock:ro
+            - ./config:/app/config
+            - /var/run/docker.sock:/var/run/docker.sock
+    go-proxy-frontend:
+        image: ghcr.io/yusing/go-proxy-frontend:latest
+        container_name: go-proxy-frontend
+        restart: unless-stopped
+        network_mode: host
        labels:
-        - proxy.aliases=gp
-        - proxy.panel.port=8080
+            - proxy.aliases=gp
+            - proxy.gp.port=3000
+        depends_on:
+            - go-proxy
 ```

-### Services URLs
+[🔼Back to top](#table-of-content)

- `gp.yourdomain.com`: go-proxy web panel
- `adg-setup.yourdomain.com`: adguard setup (first time running)
- `adg.yourdomain.com`: adguard dashboard
- `yourdomain.com:53`: adguard dns
- `yourdomain.com:25565`: minecraft server
+### Services URLs for above examples
+
+-   `gp.yourdomain.com`: go-proxy web panel
+-   `adg-setup.yourdomain.com`: adguard setup (first time setup)
+-   `adg.yourdomain.com`: adguard dashboard
+-   `nginx.yourdomain.com`: nginx
+-   `yourdomain.com:2000`: adguard dns (udp)
+-   `yourdomain.com:20001`: minecraft server
+-   `yourdomain.com:20002`: palworld server
+
+[🔼Back to top](#table-of-content)
--- a/docs/docker_socket_proxy.md
+++ b/docs/docker_socket_proxy.md
@@ -0,0 +1,40 @@
+## Docker Socket Proxy
+
+For docker client on other machine, set this up, then add `name: tcp://<machine_ip>:2375` to `config.yml` under `docker` section
+
+```yml
+# compose.yml on remote machine (e.g. server1)
+docker-proxy:
+  container_name: docker-proxy
+  image: tecnativa/docker-socket-proxy
+  privileged: true
+  environment:
+    - ALLOW_START=1
+    - ALLOW_STOP=1
+    - ALLOW_RESTARTS=1
+    - CONTAINERS=1
+    - EVENTS=1
+    - PING=1
+    - POST=1
+    - VERSION=1
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+  restart: always
+  ports:
+    - 2375:2375
+    # or more secure
+    - <machine_private_ip>:2375:2375
+```
+
+```yml
+# config.yml on go-proxy machine
+autocert:
+  ... # your config
+
+providers:
+  include:
+    ...
+  docker:
+    ...
+    server1: tcp://<machine_ip>:2375
+```
--- a/docs/middlewares.md
+++ b/docs/middlewares.md
@@ -0,0 +1,333 @@
+# Middlewares
+
+## Table of content
+
+<!-- TOC -->
+
+- [Middlewares](#middlewares)
+  - [Table of content](#table-of-content)
+  - [Available middlewares](#available-middlewares)
+    - [Redirect http](#redirect-http)
+    - [Custom error pages](#custom-error-pages)
+    - [Modify request or response](#modify-request-or-response)
+      - [Set headers](#set-headers)
+      - [Add headers](#add-headers)
+      - [Hide headers](#hide-headers)
+    - [X-Forwarded-\* Headers](#x-forwarded--headers)
+      - [Add X-Forwarded-\*](#add-x-forwarded-)
+      - [Set X-Forwarded-\*](#set-x-forwarded-)
+    - [Forward Authorization header (experimental)](#forward-authorization-header-experimental)
+  - [Examples](#examples)
+    - [Authentik (untested, experimental)](#authentik-untested-experimental)
+
+<!-- TOC -->
+
+## Available middlewares
+
+### Redirect http
+
+Redirect http requests to https
+
+```yaml
+# docker labels
+proxy.app1.middlewares.redirect_http:
+
+# include file
+app1:
+  middlewares:
+    redirect_http:
+```
+
+nginx equivalent:
+```nginx
+server {
+    listen 80;
+    server_name domain.tld;
+    return 301 https://$host$request_uri;
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+### Custom error pages
+
+To enable custom error pages, mount a folder containing your `html`, `js`, `css` files to `/app/error_pages` of _go-proxy_ container **(subfolders are ignored, please place all files in root directory)**
+
+Any path under `error_pages` directory (e.g. `href` tag), should starts with `/$gperrorpage/`
+
+Example:
+```html
+<html>
+<head>
+    <title>404 Not Found</title>
+    <link type="text/css" rel="stylesheet" href="/$gperrorpage/style.css" />
+</head>
+<body>
+    ...
+</body>
+</html>
+```
+
+Hot-reloading is **supported**, you can **edit**, **rename** or **delete** files **without restarting**. Changes will be reflected after page reload
+
+Error page will be served if:
+
+- route does not exist or domain does not match any of `match_domains`
+
+or 
+
+- status code is not in range of 200 to 300, and
+- content type is `text/html`, `application/xhtml+xml` or `text/plain`
+
+Error page will be served:
+
+- from file `<statusCode>.html` if exists
+- otherwise from `404.html`
+- if they don't exist, original response will be served
+
+```yaml
+# docker labels
+proxy.app1.middlewares.custom_error_page:
+
+# include file
+app1:
+  middlewares:
+    custom_error_page:
+```
+
+nginx equivalent:
+```nginx
+location / {
+    try_files $uri $uri/ /error_pages/404.html =404;
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+### Modify request or response
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.field:
+proxy.app1.middlewares.modify_response.field:
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      field:
+    modify_response:
+      field:
+```
+
+#### Set headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.set_headers: |
+  X-Custom-Header1: value1, value2
+  X-Custom-Header2: value3
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      set_headers:
+        X-Custom-Header1: value1, value2
+        X-Custom-Header2: value3
+```
+
+nginx equivalent:
+```nginx
+location / {
+    add_header X-Custom-Header1 value1, value2;
+    add_header X-Custom-Header2 value3;
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Add headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.add_headers: |
+  X-Custom-Header1: value1, value2
+  X-Custom-Header2: value3
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      add_headers:
+        X-Custom-Header1: value1, value2
+        X-Custom-Header2: value3
+```
+
+nginx equivalent:
+```nginx
+location / {
+    more_set_headers "X-Custom-Header1: value1, value2";
+    more_set_headers "X-Custom-Header2: value3";
+}
+```
+
+[🔼Back to top](#table-of-content)
+
+#### Hide headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.hide_headers: |
+  - X-Custom-Header1
+  - X-Custom-Header2
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      hide_headers:
+        - X-Custom-Header1
+        - X-Custom-Header2
+```
+
+nginx equivalent:
+```nginx
+location / {
+    more_clear_headers "X-Custom-Header1";
+    more_clear_headers "X-Custom-Header2";
+}
+```
+
+### X-Forwarded-* Headers
+
+#### Add X-Forwarded-*
+
+Append `X-Forwarded-*` headers to existing headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.add_x_forwarded:
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      add_x_forwarded:
+```
+
+#### Set X-Forwarded-*
+
+Replace existing `X-Forwarded-*` headers with `go-proxy` provided headers
+
+```yaml
+# docker labels
+proxy.app1.middlewares.modify_request.set_x_forwarded:
+
+# include file
+app1:
+  middlewares:
+    modify_request:
+      set_x_forwarded:
+```
+
+[🔼Back to top](#table-of-content)
+
+### Forward Authorization header (experimental)
+
+Fields:
+- `address`: authentication provider URL _(required)_
+- `trust_forward_header`: whether to trust `X-Forwarded-*` headers from upstream proxies _(default: `false`)_
+- `auth_response_headers`: list of headers to copy from auth response _(default: empty)_
+- `add_auth_cookies_to_response`: list of cookies to add to response _(default: empty)_
+
+```yaml
+# docker labels
+proxy.app1.middlewares.forward_auth.address: https://auth.example.com
+proxy.app1.middlewares.forward_auth.trust_forward_header: true
+proxy.app1.middlewares.forward_auth.auth_response_headers: |
+  - X-Auth-Token
+  - X-Auth-User
+proxy.app1.middlewares.forward_auth.add_auth_cookies_to_response: |
+  - uid
+  - session_id
+
+# include file
+app1:
+  middlewares:
+    forward_authorization:
+        address: https://auth.example.com
+        trust_forward_header: true
+        auth_response_headers:
+            - X-Auth-Token
+            - X-Auth-User
+        add_auth_cookies_to_response:
+            - uid
+            - session_id
+```
+
+Traefik equivalent:
+```yaml
+# docker labels
+traefik.http.middlewares.authentik.forwardauth.address: https://auth.example.com
+traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
+traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-Auth-Token, X-Auth-User
+traefik.http.middlewares.authentik.forwardauth.addAuthCookiesToResponse: uid, session_id
+
+# standalone
+http:
+  middlewares:
+    forwardAuth:
+        address: https://auth.example.com
+        trustForwardHeader: true
+        authResponseHeaders:
+            - X-Auth-Token
+            - X-Auth-User
+        addAuthCookiesToResponse:
+            - uid
+            - session_id
+```
+
+[🔼Back to top](#table-of-content)
+
+## Examples
+
+### Authentik (untested, experimental)
+
+```yaml
+# docker compose
+services:
+  ...
+  server:
+    ...
+    container_name: authentik
+    labels:
+      proxy.authentik.middlewares.redirect_http:
+      proxy.authentik.middlewares.set_x_forwarded:
+      proxy.authentik.middlewares.modify_request.add_headers: |
+        Strict-Transport-Security: "max-age=63072000" always
+
+  whoami:
+    image: containous/whoami
+    container_name: whoami
+    ports:
+      - 80
+    labels:
+      proxy.#1.middlewares.forward_auth.address: https://your_authentik_forward_address
+      proxy.#1.middlewares.forward_auth.trustForwardHeader: true
+      proxy.#1.middlewares.forward_auth.authResponseHeaders: |
+        - X-authentik-username
+        - X-authentik-groups
+        - X-authentik-email
+        - X-authentik-name
+        - X-authentik-uid
+        - X-authentik-jwt
+        - X-authentik-meta-jwks
+        - X-authentik-meta-outpost
+        - X-authentik-meta-provider
+        - X-authentik-meta-app
+        - X-authentik-meta-version
+    restart: unless-stopped
+```
+
+[🔼Back to top](#table-of-content)
--- a/examples/microbin.yml
+++ b/examples/microbin.yml
@@ -0,0 +1,16 @@
+services:
+  app:
+    container_name: microbin
+    cpu_shares: 10
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+    env_file: .env
+    image: docker.i.sh/danielszabo99/microbin:latest
+    ports:
+      - 8080
+    restart: unless-stopped
+    volumes:
+      - ./data:/app/microbin_data
+# microbin.domain.tld
--- a/examples/siyuan.yml
+++ b/examples/siyuan.yml
@@ -0,0 +1,16 @@
+services:
+  main:
+    image: b3log/siyuan:v3.1.0
+    container_name: siyuan
+    command:
+      - --workspace=/siyuan/workspace/
+      - --accessAuthCode=<some password>
+    user: 1000:1000
+    volumes:
+      - ./workspace:/siyuan/workspace
+    restart: unless-stopped
+    environment:
+      - TZ=Asia/Hong_Kong
+    ports:
+      - 6806
+# siyuan.domain.tld
--- a/go.mod
+++ b/go.mod
@@ -1,62 +1,58 @@
 module github.com/yusing/go-proxy

-go 1.22
+go 1.23.1

 require (
-	github.com/docker/cli v26.0.0+incompatible
-	github.com/docker/docker v26.0.0+incompatible
+	github.com/docker/cli v27.3.1+incompatible
+	github.com/docker/docker v27.3.1+incompatible
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/go-acme/lego/v4 v4.16.1
+	github.com/go-acme/lego/v4 v4.18.0
+	github.com/puzpuzpuz/xsync/v3 v3.4.0
 	github.com/santhosh-tekuri/jsonschema v1.2.4
 	github.com/sirupsen/logrus v1.9.3
-	golang.org/x/net v0.22.0
+	golang.org/x/net v0.29.0
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.92.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.106.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
-	github.com/miekg/dns v1.1.58 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/ovh/go-ovh v1.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 // indirect
-	google.golang.org/grpc v1.61.1 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
+	go.opentelemetry.io/otel v1.30.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
+	go.opentelemetry.io/otel/metric v1.30.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
+	go.opentelemetry.io/otel/trace v1.30.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.25.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,75 +1,65 @@
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cloudflare/cloudflare-go v0.92.0 h1:ltJvGvqZ4G6Fm2hHOYZ5RWpJQcrM0oDrsjjZydZhFJQ=
-github.com/cloudflare/cloudflare-go v0.92.0/go.mod h1:nUqvBUUDRxNzsDSQjbqUNWHEIYAoUlgRmcAzMKlFdKs=
+github.com/cloudflare/cloudflare-go v0.106.0 h1:q41gC5Wc1nfi0D1ZhSHokWcd9mGMbqC7RE7qiP+qE00=
+github.com/cloudflare/cloudflare-go v0.106.0/go.mod h1:pfUQ4PIG4ISI0/Mmc21Bp86UnFU0ktmPf3iTgbSL+cM=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUyzJVPxD30I=
-github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
-github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ=
+github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
+github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-acme/lego/v4 v4.16.1 h1:JxZ93s4KG0jL27rZ30UsIgxap6VGzKuREsSkkyzeoCQ=
-github.com/go-acme/lego/v4 v4.16.1/go.mod h1:AVvwdPned/IWpD/ihHhMsKnveF7HHYAz/CmtXi7OZoE=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-acme/lego/v4 v4.18.0 h1:2hH8KcdRBSb+p5o9VZIm61GAOXYALgILUCSs1Q+OYsk=
+github.com/go-acme/lego/v4 v4.18.0/go.mod h1:Blkg3izvXpl3zxk7WKngIuwR2I/hvYVP3vRnvgBp7m8=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
-github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
+github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
+github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
@@ -80,96 +70,102 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/ovh/go-ovh v1.6.0 h1:ixLOwxQdzYDx296sXcgS35TOPEahJkpjMGtzPadCjQI=
+github.com/ovh/go-ovh v1.6.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
-github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/puzpuzpuz/xsync/v3 v3.4.0 h1:DuVBAdXuGFHv8adVXjWWZ63pJq+NRXOWVXlKDBZ+mJ4=
+github.com/puzpuzpuz/xsync/v3 v3.4.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
 github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
-go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
-go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
-go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
-go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
-go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
-go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
-go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
-go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
-go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
-go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI=
+go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts=
+go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
+go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w=
+go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ=
+go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE=
+go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg=
+go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc=
+go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
-golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
+golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
-golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
+golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE=
+golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1:6G8oQ016D88m1xAKljMlBOOGWDZkes4kMhgGFlf8WcQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU=
-google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
-google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY=
+google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc=
+google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM=
+google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -0,0 +1,58 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	"github.com/yusing/go-proxy/internal/api/v1/error_page"
+	. "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func NewServeMux() ServeMux {
+	return ServeMux{http.NewServeMux()}
+}
+
+func (mux ServeMux) HandleFunc(method, endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(fmt.Sprintf("%s %s", method, endpoint), checkHost(handler))
+}
+
+func NewHandler(cfg *config.Config) http.Handler {
+	mux := NewServeMux()
+	mux.HandleFunc("GET", "/v1", v1.Index)
+	mux.HandleFunc("GET", "/v1/checkhealth", wrap(cfg, v1.CheckHealth))
+	mux.HandleFunc("HEAD", "/v1/checkhealth", wrap(cfg, v1.CheckHealth))
+	mux.HandleFunc("POST", "/v1/reload", wrap(cfg, v1.Reload))
+	mux.HandleFunc("GET", "/v1/list", wrap(cfg, v1.List))
+	mux.HandleFunc("GET", "/v1/list/{what}", wrap(cfg, v1.List))
+	mux.HandleFunc("GET", "/v1/file", v1.GetFileContent)
+	mux.HandleFunc("GET", "/v1/file/{filename}", v1.GetFileContent)
+	mux.HandleFunc("POST", "/v1/file/{filename}", v1.SetFileContent)
+	mux.HandleFunc("PUT", "/v1/file/{filename}", v1.SetFileContent)
+	mux.HandleFunc("GET", "/v1/stats", wrap(cfg, v1.Stats))
+	mux.HandleFunc("GET", "/v1/error_page", error_page.GetHandleFunc())
+	return mux
+}
+
+// allow only requests to API server with host matching common.APIHTTPAddr
+func checkHost(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Host != common.APIHTTPAddr {
+			Logger.Warnf("invalid request to API server with host: %s, expect %s", r.Host, common.APIHTTPAddr)
+			w.WriteHeader(http.StatusNotFound)
+			w.Write([]byte("invalid request"))
+			return
+		}
+		f(w, r)
+	}
+}
+
+func wrap(cfg *config.Config, f func(cfg *config.Config, w http.ResponseWriter, r *http.Request)) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		f(cfg, w, r)
+	}
+}
--- a/internal/api/v1/checkhealth.go
+++ b/internal/api/v1/checkhealth.go
@@ -0,0 +1,42 @@
+package v1
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+	R "github.com/yusing/go-proxy/internal/route"
+)
+
+func CheckHealth(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+	target := r.FormValue("target")
+	if target == "" {
+		U.HandleErr(w, r, U.ErrMissingKey("target"), http.StatusBadRequest)
+		return
+	}
+
+	var ok bool
+	route := cfg.FindRoute(target)
+
+	switch {
+	case route == nil:
+		U.HandleErr(w, r, U.ErrNotFound("target", target), http.StatusNotFound)
+		return
+	case route.Type() == R.RouteTypeReverseProxy:
+		ok = U.IsSiteHealthy(route.URL().String())
+	case route.Type() == R.RouteTypeStream:
+		entry := route.Entry()
+		ok = U.IsStreamHealthy(
+			strings.Split(entry.Scheme, ":")[1], // target scheme
+			fmt.Sprintf("%s:%v", entry.Host, strings.Split(entry.Port, ":")[1]),
+		)
+	}
+
+	if ok {
+		w.WriteHeader(http.StatusOK)
+	} else {
+		w.WriteHeader(http.StatusRequestTimeout)
+	}
+}
--- a/internal/api/v1/error_page/error_page.go
+++ b/internal/api/v1/error_page/error_page.go
@@ -0,0 +1,88 @@
+package error_page
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"sync"
+
+	api "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+	W "github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
+)
+
+const errPagesBasePath = common.ErrorPagesBasePath
+
+var setup = sync.OnceFunc(func() {
+	dirWatcher = W.NewDirectoryWatcher(context.Background(), errPagesBasePath)
+	loadContent()
+	go watchDir()
+})
+
+func GetStaticFile(filename string) ([]byte, bool) {
+	return fileContentMap.Load(filename)
+}
+
+// try <statusCode>.html -> 404.html -> not ok
+func GetErrorPageByStatus(statusCode int) (content []byte, ok bool) {
+	content, ok = fileContentMap.Load(fmt.Sprintf("%d.html", statusCode))
+	if !ok && statusCode != 404 {
+		return fileContentMap.Load("404.html")
+	}
+	return
+}
+
+func loadContent() {
+	files, err := U.ListFiles(errPagesBasePath, 0)
+	if err != nil {
+		api.Logger.Error(err)
+		return
+	}
+	for _, file := range files {
+		if fileContentMap.Has(file) {
+			continue
+		}
+		content, err := os.ReadFile(file)
+		if err != nil {
+			api.Logger.Errorf("failed to read error page resource %s: %s", file, err)
+			continue
+		}
+		file = path.Base(file)
+		api.Logger.Infof("error page resource %s loaded", file)
+		fileContentMap.Store(file, content)
+	}
+}
+
+func watchDir() {
+	eventCh, errCh := dirWatcher.Events(context.Background())
+	for {
+		select {
+		case event, ok := <-eventCh:
+			if !ok {
+				return
+			}
+			filename := event.ActorName
+			switch event.Action {
+			case events.ActionFileWritten:
+				fileContentMap.Delete(filename)
+				loadContent()
+			case events.ActionFileDeleted:
+				fileContentMap.Delete(filename)
+				api.Logger.Infof("error page resource %s deleted", filename)
+			case events.ActionFileRenamed:
+				api.Logger.Infof("error page resource %s deleted", filename)
+				fileContentMap.Delete(filename)
+				loadContent()
+			}
+		case err := <-errCh:
+			api.Logger.Errorf("error watching error page directory: %s", err)
+		}
+	}
+}
+
+var dirWatcher W.Watcher
+var fileContentMap = F.NewMapOf[string, []byte]()
--- a/internal/api/v1/error_page/http_handler.go
+++ b/internal/api/v1/error_page/http_handler.go
@@ -0,0 +1,25 @@
+package error_page
+
+import "net/http"
+
+func GetHandleFunc() http.HandlerFunc {
+	setup()
+	return serveHTTP
+}
+
+func serveHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	if r.URL.Path == "/" {
+		http.Error(w, "invalid path", http.StatusNotFound)
+		return
+	}
+	content, ok := fileContentMap.Load(r.URL.Path)
+	if !ok {
+		http.Error(w, "404 not found", http.StatusNotFound)
+		return
+	}
+	w.Write(content)
+}
--- a/internal/api/v1/file.go
+++ b/internal/api/v1/file.go
@@ -0,0 +1,59 @@
+package v1
+
+import (
+	"io"
+	"net/http"
+	"os"
+	"path"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/proxy/provider"
+)
+
+func GetFileContent(w http.ResponseWriter, r *http.Request) {
+	filename := r.PathValue("filename")
+	if filename == "" {
+		filename = common.ConfigFileName
+	}
+	content, err := os.ReadFile(path.Join(common.ConfigBasePath, filename))
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	w.Write(content)
+}
+
+func SetFileContent(w http.ResponseWriter, r *http.Request) {
+	filename := r.PathValue("filename")
+	if filename == "" {
+		U.HandleErr(w, r, U.ErrMissingKey("filename"), http.StatusBadRequest)
+		return
+	}
+	content, err := io.ReadAll(r.Body)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+
+	var validateErr E.NestedError
+	if filename == common.ConfigFileName {
+		validateErr = config.Validate(content)
+	} else {
+		validateErr = provider.Validate(content)
+	}
+
+	if validateErr != nil {
+		U.RespondJson(w, validateErr.JSONObject(), http.StatusBadRequest)
+		return
+	}
+
+	err = os.WriteFile(path.Join(common.ConfigBasePath, filename), content, 0644)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+}
--- a/internal/api/v1/index.go
+++ b/internal/api/v1/index.go
@@ -0,0 +1,7 @@
+package v1
+
+import "net/http"
+
+func Index(w http.ResponseWriter, r *http.Request) {
+	w.Write([]byte("API ready"))
+}
--- a/internal/api/v1/list.go
+++ b/internal/api/v1/list.go
@@ -0,0 +1,61 @@
+package v1
+
+import (
+	"encoding/json"
+	"net/http"
+	"os"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+)
+
+func List(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+	what := r.PathValue("what")
+	if what == "" {
+		what = "routes"
+	}
+
+	switch what {
+	case "routes":
+		listRoutes(cfg, w, r)
+	case "config_files":
+		listConfigFiles(w, r)
+	default:
+		U.HandleErr(w, r, U.ErrInvalidKey("what"), http.StatusBadRequest)
+	}
+}
+
+func listRoutes(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+	routes := cfg.RoutesByAlias()
+	typeFilter := r.FormValue("type")
+	if typeFilter != "" {
+		for k, v := range routes {
+			if v["type"] != typeFilter {
+				delete(routes, k)
+			}
+		}
+	}
+
+	if err := U.RespondJson(w, routes); err != nil {
+		U.HandleErr(w, r, err)
+	}
+}
+
+func listConfigFiles(w http.ResponseWriter, r *http.Request) {
+	files, err := os.ReadDir(common.ConfigBasePath)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	filenames := make([]string, len(files))
+	for i, f := range files {
+		filenames[i] = f.Name()
+	}
+	resp, err := json.Marshal(filenames)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	w.Write(resp)
+}
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -0,0 +1,16 @@
+package v1
+
+import (
+	"net/http"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+)
+
+func Reload(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+	if err := cfg.Reload(); err != nil {
+		U.RespondJson(w, err.JSONObject(), http.StatusInternalServerError)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -0,0 +1,20 @@
+package v1
+
+import (
+	"net/http"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/server"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+func Stats(cfg *config.Config, w http.ResponseWriter, r *http.Request) {
+	stats := map[string]any{
+		"proxies": cfg.Statistics(),
+		"uptime":  utils.FormatDuration(server.GetProxyServer().Uptime()),
+	}
+	if err := U.RespondJson(w, stats); err != nil {
+		U.HandleErr(w, r, err)
+	}
+}
--- a/internal/api/v1/utils/error.go
+++ b/internal/api/v1/utils/error.go
@@ -0,0 +1,34 @@
+package utils
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+var Logger = logrus.WithField("module", "api")
+
+func HandleErr(w http.ResponseWriter, r *http.Request, origErr error, code ...int) {
+	err := E.From(origErr).Subjectf("%s %s", r.Method, r.URL)
+	Logger.Error(err)
+	if len(code) > 0 {
+		http.Error(w, err.String(), code[0])
+		return
+	}
+	http.Error(w, err.String(), http.StatusInternalServerError)
+}
+
+func ErrMissingKey(k string) error {
+	return errors.New("missing key '" + k + "' in query or request body")
+}
+
+func ErrInvalidKey(k string) error {
+	return errors.New("invalid key '" + k + "' in query or request body")
+}
+
+func ErrNotFound(k, v string) error {
+	return fmt.Errorf("key %q with value %q not found", k, v)
+}
--- a/internal/api/v1/utils/health_check.go
+++ b/internal/api/v1/utils/health_check.go
@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"net"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+func IsSiteHealthy(url string) bool {
+	// try HEAD first
+	// if HEAD is not allowed, try GET
+	resp, err := httpClient.Head(url)
+	if resp != nil {
+		resp.Body.Close()
+	}
+	if err != nil && resp != nil && resp.StatusCode == http.StatusMethodNotAllowed {
+		_, err = httpClient.Get(url)
+	}
+	if resp != nil {
+		resp.Body.Close()
+	}
+	return err == nil
+}
+
+func IsStreamHealthy(scheme, address string) bool {
+	conn, err := net.DialTimeout(scheme, address, common.DialTimeout)
+	if err != nil {
+		return false
+	}
+	conn.Close()
+	return true
+}
--- a/internal/api/v1/utils/http_client.go
+++ b/internal/api/v1/utils/http_client.go
@@ -0,0 +1,23 @@
+package utils
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+var httpClient = &http.Client{
+	Timeout: common.ConnectionTimeout,
+	Transport: &http.Transport{
+		Proxy:             http.ProxyFromEnvironment,
+		DisableKeepAlives: true,
+		ForceAttemptHTTP2: true,
+		DialContext: (&net.Dialer{
+			Timeout:   common.DialTimeout,
+			KeepAlive: common.KeepAlive, // this is different from DisableKeepAlives
+		}).DialContext,
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	},
+}
--- a/internal/api/v1/utils/localhost.go
+++ b/internal/api/v1/utils/localhost.go
@@ -0,0 +1,31 @@
+package utils
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func ReloadServer() E.NestedError {
+	resp, err := httpClient.Post(fmt.Sprintf("%s/v1/reload", common.APIHTTPURL), "", nil)
+	if err != nil {
+		return E.From(err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		failure := E.Failure("server reload").Extraf("status code: %v", resp.StatusCode)
+		b, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return failure.Extraf("unable to read response body: %s", err)
+		}
+		reloadErr, ok := E.FromJSON(b)
+		if ok {
+			return E.Join("reload success, but server returned error", reloadErr)
+		}
+		return failure.Extraf("unable to read response body")
+	}
+	return nil
+}
--- a/internal/api/v1/utils/utils.go
+++ b/internal/api/v1/utils/utils.go
@@ -0,0 +1,20 @@
+package utils
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+func RespondJson(w http.ResponseWriter, data any, code ...int) error {
+	if len(code) > 0 {
+		w.WriteHeader(code[0])
+	}
+	w.Header().Set("Content-Type", "application/json")
+	j, err := json.MarshalIndent(data, "", "  ")
+	if err != nil {
+		return err
+	} else {
+		w.Write(j)
+	}
+	return nil
+}
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -0,0 +1,75 @@
+package autocert
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/lego"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+)
+
+type Config M.AutoCertConfig
+
+func NewConfig(cfg *M.AutoCertConfig) *Config {
+	if cfg.CertPath == "" {
+		cfg.CertPath = CertFileDefault
+	}
+	if cfg.KeyPath == "" {
+		cfg.KeyPath = KeyFileDefault
+	}
+	if cfg.Provider == "" {
+		cfg.Provider = ProviderLocal
+	}
+	return (*Config)(cfg)
+}
+
+func (cfg *Config) GetProvider() (provider *Provider, res E.NestedError) {
+	b := E.NewBuilder("unable to initialize autocert")
+	defer b.To(&res)
+
+	if cfg.Provider != ProviderLocal {
+		if len(cfg.Domains) == 0 {
+			b.Addf("%s", "no domains specified")
+		}
+		if cfg.Provider == "" {
+			b.Addf("%s", "no provider specified")
+		}
+		if cfg.Email == "" {
+			b.Addf("%s", "no email specified")
+		}
+		// check if provider is implemented
+		_, ok := providersGenMap[cfg.Provider]
+		if !ok {
+			b.Addf("unknown provider: %q", cfg.Provider)
+		}
+	}
+
+	if b.HasError() {
+		return
+	}
+
+	privKey, err := E.Check(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
+	if err.HasError() {
+		b.Add(E.FailWith("generate private key", err))
+		return
+	}
+
+	user := &User{
+		Email: cfg.Email,
+		key:   privKey,
+	}
+
+	legoCfg := lego.NewConfig(user)
+	legoCfg.Certificate.KeyType = certcrypto.RSA2048
+
+	provider = &Provider{
+		cfg:     cfg,
+		user:    user,
+		legoCfg: legoCfg,
+	}
+
+	return
+}
--- a/internal/autocert/constants.go
+++ b/internal/autocert/constants.go
@@ -0,0 +1,40 @@
+package autocert
+
+import (
+	"errors"
+
+	"github.com/go-acme/lego/v4/providers/dns/clouddns"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/providers/dns/duckdns"
+	"github.com/go-acme/lego/v4/providers/dns/ovh"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	certBasePath     = "certs/"
+	CertFileDefault  = certBasePath + "cert.crt"
+	KeyFileDefault   = certBasePath + "priv.key"
+	RegistrationFile = certBasePath + "registration.json"
+)
+
+const (
+	ProviderLocal      = "local"
+	ProviderCloudflare = "cloudflare"
+	ProviderClouddns   = "clouddns"
+	ProviderDuckdns    = "duckdns"
+	ProviderOVH        = "ovh"
+)
+
+var providersGenMap = map[string]ProviderGenerator{
+	ProviderLocal:      providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
+	ProviderCloudflare: providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+	ProviderClouddns:   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
+	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
+	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
+}
+
+var (
+	ErrGetCertFailure = errors.New("get certificate failed")
+)
+
+var logger = logrus.WithField("module", "autocert")
--- a/internal/autocert/dummy.go
+++ b/internal/autocert/dummy.go
@@ -0,0 +1,20 @@
+package autocert
+
+type DummyConfig struct{}
+type DummyProvider struct{}
+
+func NewDummyDefaultConfig() *DummyConfig {
+	return &DummyConfig{}
+}
+
+func NewDummyDNSProviderConfig(*DummyConfig) (*DummyProvider, error) {
+	return &DummyProvider{}, nil
+}
+
+func (DummyProvider) Present(domain, token, keyAuth string) error {
+	return nil
+}
+
+func (DummyProvider) CleanUp(domain, token, keyAuth string) error {
+	return nil
+}
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -0,0 +1,295 @@
+package autocert
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"os"
+	"path"
+	"reflect"
+	"sort"
+	"time"
+
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	U "github.com/yusing/go-proxy/internal/utils"
+)
+
+type Provider struct {
+	cfg     *Config
+	user    *User
+	legoCfg *lego.Config
+	client  *lego.Client
+
+	tlsCert      *tls.Certificate
+	certExpiries CertExpiries
+}
+
+type ProviderGenerator func(M.AutocertProviderOpt) (challenge.Provider, E.NestedError)
+type CertExpiries map[string]time.Time
+
+func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if p.tlsCert == nil {
+		return nil, ErrGetCertFailure
+	}
+	return p.tlsCert, nil
+}
+
+func (p *Provider) GetName() string {
+	return p.cfg.Provider
+}
+
+func (p *Provider) GetCertPath() string {
+	return p.cfg.CertPath
+}
+
+func (p *Provider) GetKeyPath() string {
+	return p.cfg.KeyPath
+}
+
+func (p *Provider) GetExpiries() CertExpiries {
+	return p.certExpiries
+}
+
+func (p *Provider) ObtainCert() (res E.NestedError) {
+	b := E.NewBuilder("failed to obtain certificate")
+	defer b.To(&res)
+
+	if p.cfg.Provider == ProviderLocal {
+		return nil
+	}
+
+	if p.client == nil {
+		if err := p.initClient(); err.HasError() {
+			b.Add(E.FailWith("init autocert client", err))
+			return
+		}
+	}
+
+	if p.user.Registration == nil {
+		if err := p.registerACME(); err.HasError() {
+			b.Add(E.FailWith("register ACME", err))
+			return
+		}
+	}
+
+	client := p.client
+	req := certificate.ObtainRequest{
+		Domains: p.cfg.Domains,
+		Bundle:  true,
+	}
+	cert, err := E.Check(client.Certificate.Obtain(req))
+	if err.HasError() {
+		b.Add(err)
+		return
+	}
+
+	if err = p.saveCert(cert); err.HasError() {
+		b.Add(E.FailWith("save certificate", err))
+		return
+	}
+
+	tlsCert, err := E.Check(tls.X509KeyPair(cert.Certificate, cert.PrivateKey))
+	if err.HasError() {
+		b.Add(E.FailWith("parse obtained certificate", err))
+		return
+	}
+
+	expiries, err := getCertExpiries(&tlsCert)
+	if err.HasError() {
+		b.Add(E.FailWith("get certificate expiry", err))
+		return
+	}
+	p.tlsCert = &tlsCert
+	p.certExpiries = expiries
+
+	return nil
+}
+
+func (p *Provider) LoadCert() E.NestedError {
+	cert, err := E.Check(tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath))
+	if err.HasError() {
+		return err
+	}
+	expiries, err := getCertExpiries(&cert)
+	if err.HasError() {
+		return err
+	}
+	p.tlsCert = &cert
+	p.certExpiries = expiries
+
+	logger.Infof("next renewal in %v", U.FormatDuration(time.Until(p.ShouldRenewOn())))
+	return p.renewIfNeeded()
+}
+
+func (p *Provider) ShouldRenewOn() time.Time {
+	for _, expiry := range p.certExpiries {
+		return expiry.AddDate(0, -1, 0) // 1 month before
+	}
+	// this line should never be reached
+	panic("no certificate available")
+}
+
+func (p *Provider) ScheduleRenewal(ctx context.Context) {
+	if p.GetName() == ProviderLocal {
+		return
+	}
+
+	logger.Debug("started renewal scheduler")
+	defer logger.Debug("renewal scheduler stopped")
+
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C: // check every 5 seconds
+			if err := p.renewIfNeeded(); err.HasError() {
+				logger.Warn(err)
+			}
+		}
+	}
+}
+
+func (p *Provider) initClient() E.NestedError {
+	legoClient, err := E.Check(lego.NewClient(p.legoCfg))
+	if err.HasError() {
+		return E.FailWith("create lego client", err)
+	}
+
+	legoProvider, err := providersGenMap[p.cfg.Provider](p.cfg.Options)
+	if err.HasError() {
+		return E.FailWith("create lego provider", err)
+	}
+
+	err = E.From(legoClient.Challenge.SetDNS01Provider(legoProvider))
+	if err.HasError() {
+		return E.FailWith("set challenge provider", err)
+	}
+
+	p.client = legoClient
+	return nil
+}
+
+func (p *Provider) registerACME() E.NestedError {
+	if p.user.Registration != nil {
+		return nil
+	}
+	reg, err := E.Check(p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true}))
+	if err.HasError() {
+		return err
+	}
+	p.user.Registration = reg
+
+	return nil
+}
+
+func (p *Provider) saveCert(cert *certificate.Resource) E.NestedError {
+	//* This should have been done in setup
+	//* but double check is always a good choice
+	_, err := os.Stat(path.Dir(p.cfg.CertPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			if err = os.MkdirAll(path.Dir(p.cfg.CertPath), 0o755); err != nil {
+				return E.FailWith("create cert directory", err)
+			}
+		} else {
+			return E.FailWith("stat cert directory", err)
+		}
+	}
+	err = os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
+	if err != nil {
+		return E.FailWith("write key file", err)
+	}
+	err = os.WriteFile(p.cfg.CertPath, cert.Certificate, 0o644) // -rw-r--r--
+	if err != nil {
+		return E.FailWith("write cert file", err)
+	}
+	return nil
+}
+
+func (p *Provider) certState() CertState {
+	if time.Now().After(p.ShouldRenewOn()) {
+		return CertStateExpired
+	}
+
+	certDomains := make([]string, len(p.certExpiries))
+	wantedDomains := make([]string, len(p.cfg.Domains))
+	i := 0
+	for domain := range p.certExpiries {
+		certDomains[i] = domain
+		i++
+	}
+	copy(wantedDomains, p.cfg.Domains)
+	sort.Strings(wantedDomains)
+	sort.Strings(certDomains)
+
+	if !reflect.DeepEqual(certDomains, wantedDomains) {
+		logger.Debugf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
+		return CertStateMismatch
+	}
+
+	return CertStateValid
+}
+
+func (p *Provider) renewIfNeeded() E.NestedError {
+	if p.cfg.Provider == ProviderLocal {
+		return nil
+	}
+
+	switch p.certState() {
+	case CertStateExpired:
+		logger.Info("certs expired, renewing")
+	case CertStateMismatch:
+		logger.Info("cert domains mismatch with config, renewing")
+	default:
+		return nil
+	}
+
+	if err := p.ObtainCert(); err.HasError() {
+		return E.FailWith("renew certificate", err)
+	}
+	return nil
+}
+
+func getCertExpiries(cert *tls.Certificate) (CertExpiries, E.NestedError) {
+	r := make(CertExpiries, len(cert.Certificate))
+	for _, cert := range cert.Certificate {
+		x509Cert, err := E.Check(x509.ParseCertificate(cert))
+		if err.HasError() {
+			return nil, E.FailWith("parse certificate", err)
+		}
+		if x509Cert.IsCA {
+			continue
+		}
+		r[x509Cert.Subject.CommonName] = x509Cert.NotAfter
+		for i := range x509Cert.DNSNames {
+			r[x509Cert.DNSNames[i]] = x509Cert.NotAfter
+		}
+	}
+	return r, nil
+}
+
+func providerGenerator[CT any, PT challenge.Provider](
+	defaultCfg func() *CT,
+	newProvider func(*CT) (PT, error),
+) ProviderGenerator {
+	return func(opt M.AutocertProviderOpt) (challenge.Provider, E.NestedError) {
+		cfg := defaultCfg()
+		err := U.Deserialize(opt, cfg)
+		if err.HasError() {
+			return nil, err
+		}
+		p, err := E.Check(newProvider(cfg))
+		if err.HasError() {
+			return nil, err
+		}
+		return p, nil
+	}
+}
--- a/internal/autocert/provider_test/ovh_test.go
+++ b/internal/autocert/provider_test/ovh_test.go
@@ -0,0 +1,50 @@
+package provider_test
+
+import (
+	"testing"
+
+	"github.com/go-acme/lego/v4/providers/dns/ovh"
+	U "github.com/yusing/go-proxy/internal/utils"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+	"gopkg.in/yaml.v3"
+)
+
+// type Config struct {
+// 	APIEndpoint string
+
+// 	ApplicationKey    string
+// 	ApplicationSecret string
+// 	ConsumerKey       string
+
+// 	OAuth2Config *OAuth2Config
+
+// 	PropagationTimeout time.Duration
+// 	PollingInterval    time.Duration
+// 	TTL                int
+// 	HTTPClient         *http.Client
+// }
+
+func TestOVH(t *testing.T) {
+	cfg := &ovh.Config{}
+	testYaml := `
+api_endpoint: https://eu.api.ovh.com
+application_key: <application_key>
+application_secret: <application_secret>
+consumer_key: <consumer_key>
+oauth2_config:
+  client_id: <client_id>
+  client_secret: <client_secret>
+`
+	cfgExpected := &ovh.Config{
+		APIEndpoint:       "https://eu.api.ovh.com",
+		ApplicationKey:    "<application_key>",
+		ApplicationSecret: "<application_secret>",
+		ConsumerKey:       "<consumer_key>",
+		OAuth2Config:      &ovh.OAuth2Config{ClientID: "<client_id>", ClientSecret: "<client_secret>"},
+	}
+	testYaml = testYaml[1:] // remove first \n
+	opt := make(map[string]any)
+	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), opt))
+	ExpectTrue(t, U.Deserialize(opt, cfg).NoError())
+	ExpectDeepEqual(t, cfg, cfgExpected)
+}
--- a/internal/autocert/setup.go
+++ b/internal/autocert/setup.go
@@ -0,0 +1,29 @@
+package autocert
+
+import (
+	"context"
+	"os"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func (p *Provider) Setup(ctx context.Context) (err E.NestedError) {
+	if err = p.LoadCert(); err != nil {
+		if !err.Is(os.ErrNotExist) { // ignore if cert doesn't exist
+			return err
+		}
+		logger.Debug("obtaining cert due to error loading cert")
+		if err = p.ObtainCert(); err != nil {
+			return err
+		}
+	}
+
+	go p.ScheduleRenewal(ctx)
+
+	for _, expiry := range p.GetExpiries() {
+		logger.Infof("certificate expire on %s", expiry)
+		break
+	}
+
+	return nil
+}
--- a/internal/autocert/state.go
+++ b/internal/autocert/state.go
@@ -0,0 +1,9 @@
+package autocert
+
+type CertState int
+
+const (
+	CertStateValid CertState = iota
+	CertStateExpired
+	CertStateMismatch
+)
--- a/internal/autocert/user.go
+++ b/internal/autocert/user.go
@@ -0,0 +1,22 @@
+package autocert
+
+import (
+	"github.com/go-acme/lego/v4/registration"
+	"crypto"
+)
+
+type User struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *User) GetEmail() string {
+	return u.Email
+}
+func (u *User) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *User) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
--- a/internal/common/args.go
+++ b/internal/common/args.go
@@ -0,0 +1,53 @@
+package common
+
+import (
+	"flag"
+
+	"github.com/sirupsen/logrus"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Args struct {
+	Command string
+}
+
+const (
+	CommandStart              = ""
+	CommandSetup              = "setup"
+	CommandValidate           = "validate"
+	CommandListConfigs        = "ls-config"
+	CommandListRoutes         = "ls-routes"
+	CommandReload             = "reload"
+	CommandDebugListEntries   = "debug-ls-entries"
+	CommandDebugListProviders = "debug-ls-providers"
+)
+
+var ValidCommands = []string{
+	CommandStart,
+	CommandSetup,
+	CommandValidate,
+	CommandListConfigs,
+	CommandListRoutes,
+	CommandReload,
+	CommandDebugListEntries,
+	CommandDebugListProviders,
+}
+
+func GetArgs() Args {
+	var args Args
+	flag.Parse()
+	args.Command = flag.Arg(0)
+	if err := validateArg(args.Command); err.HasError() {
+		logrus.Fatal(err)
+	}
+	return args
+}
+
+func validateArg(arg string) E.NestedError {
+	for _, v := range ValidCommands {
+		if arg == v {
+			return nil
+		}
+	}
+	return E.Invalid("argument", arg)
+}
--- a/internal/common/constants.go
+++ b/internal/common/constants.go
@@ -0,0 +1,52 @@
+package common
+
+import (
+	"time"
+)
+
+const (
+	ConnectionTimeout = 5 * time.Second
+	DialTimeout       = 3 * time.Second
+	KeepAlive         = 60 * time.Second
+)
+
+// file, folder structure
+
+const (
+	ConfigBasePath        = "config"
+	ConfigFileName        = "config.yml"
+	ConfigExampleFileName = "config.example.yml"
+	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
+)
+
+const (
+	SchemaBasePath         = "schema"
+	ConfigSchemaPath       = SchemaBasePath + "/config.schema.json"
+	FileProviderSchemaPath = SchemaBasePath + "/providers.schema.json"
+)
+
+const (
+	ComposeFileName        = "compose.yml"
+	ComposeExampleFileName = "compose.example.yml"
+)
+
+const (
+	ErrorPagesBasePath = "error_pages"
+)
+
+var (
+	RequiredDirectories = []string{
+		ConfigBasePath,
+		SchemaBasePath,
+		ErrorPagesBasePath,
+	}
+)
+
+const DockerHostFromEnv = "$DOCKER_HOST"
+
+const (
+	IdleTimeoutDefault = "0"
+	WakeTimeoutDefault = "30s"
+	StopTimeoutDefault = "10s"
+	StopMethodDefault  = "stop"
+)
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -0,0 +1,59 @@
+package common
+
+import (
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/sirupsen/logrus"
+	U "github.com/yusing/go-proxy/internal/utils"
+)
+
+var (
+	NoSchemaValidation = GetEnvBool("GOPROXY_NO_SCHEMA_VALIDATION", false)
+	IsDebug            = GetEnvBool("GOPROXY_DEBUG", false)
+
+	ProxyHTTPAddr,
+	ProxyHTTPHost,
+	ProxyHTTPPort,
+	ProxyHTTPURL = GetAddrEnv("GOPROXY_HTTP_ADDR", ":80", "http")
+
+	ProxyHTTPSAddr,
+	ProxyHTTPSHost,
+	ProxyHTTPSPort,
+	ProxyHTTPSURL = GetAddrEnv("GOPROXY_HTTPS_ADDR", ":443", "https")
+
+	APIHTTPAddr,
+	APIHTTPHost,
+	APIHTTPPort,
+	APIHTTPURL = GetAddrEnv("GOPROXY_API_ADDR", "127.0.0.1:8888", "http")
+)
+
+func GetEnvBool(key string, defaultValue bool) bool {
+	value, ok := os.LookupEnv(key)
+	if !ok || value == "" {
+		return defaultValue
+	}
+	return U.ParseBool(value)
+}
+
+func GetEnv(key, defaultValue string) string {
+	value, ok := os.LookupEnv(key)
+	if !ok || value == "" {
+		value = defaultValue
+	}
+	return value
+}
+
+func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL string) {
+	addr = GetEnv(key, defaultValue)
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		logrus.Fatalf("Invalid address: %s", addr)
+	}
+	if host == "" {
+		host = "localhost"
+	}
+	fullURL = fmt.Sprintf("%s://%s:%s", scheme, host, port)
+	return
+}
--- a/internal/common/http.go
+++ b/internal/common/http.go
@@ -0,0 +1,27 @@
+package common
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"time"
+)
+
+var (
+	defaultDialer = net.Dialer{
+		Timeout:   60 * time.Second,
+		KeepAlive: 60 * time.Second,
+	}
+	DefaultTransport = &http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
+		DialContext:         defaultDialer.DialContext,
+		MaxIdleConnsPerHost: 1000,
+	}
+	DefaultTransportNoTLS = func() *http.Transport {
+		var clone = DefaultTransport.Clone()
+		clone.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		return clone
+	}()
+)
+
+const StaticFilePathPrefix = "/$gperrorpage/"
--- a/internal/common/ports.go
+++ b/internal/common/ports.go
@@ -0,0 +1,75 @@
+package common
+
+var (
+	WellKnownHTTPPorts = map[string]bool{
+		"80":   true,
+		"8000": true,
+		"8008": true,
+		"8080": true,
+		"3000": true,
+	}
+
+	ServiceNamePortMapTCP = map[string]int{
+		"mssql":            1433,
+		"mysql":            3306,
+		"mariadb":          3306,
+		"postgres":         5432,
+		"rabbitmq":         5672,
+		"redis":            6379,
+		"memcached":        11211,
+		"mongo":            27017,
+		"minecraft-server": 25565,
+
+		"ssh":  22,
+		"ftp":  21,
+		"smtp": 25,
+		"dns":  53,
+		"pop3": 110,
+		"imap": 143,
+	}
+
+	ImageNamePortMap = func() (m map[string]int) {
+		m = make(map[string]int, len(ServiceNamePortMapTCP)+len(imageNamePortMap))
+		for k, v := range ServiceNamePortMapTCP {
+			m[k] = v
+		}
+		for k, v := range imageNamePortMap {
+			m[k] = v
+		}
+		return
+	}()
+
+	imageNamePortMap = map[string]int{
+		"adguardhome":         3000,
+		"bazarr":              6767,
+		"calibre-web":         8083,
+		"changedetection.io":  3000,
+		"dockge":              5001,
+		"gitea":               3000,
+		"gogs":                3000,
+		"grafana":             3000,
+		"home-assistant":      8123,
+		"homebridge":          8581,
+		"httpd":               80,
+		"immich":              3001,
+		"jellyfin":            8096,
+		"lidarr":              8686,
+		"microbin":            8080,
+		"nginx":               80,
+		"nginx-proxy-manager": 81,
+		"open-webui":          8080,
+		"plex":                32400,
+		"portainer-be":        9443,
+		"portainer-ce":        9443,
+		"prometheus":          9090,
+		"prowlarr":            9696,
+		"radarr":              7878,
+		"radarr-sma":          7878,
+		"rsshub":              1200,
+		"rss-bridge":          80,
+		"sonarr":              8989,
+		"sonarr-sma":          8989,
+		"uptime-kuma":         3001,
+		"whisparr":            6969,
+	}
+)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -0,0 +1,235 @@
+package config
+
+import (
+	"context"
+	"os"
+
+	"github.com/sirupsen/logrus"
+	"github.com/yusing/go-proxy/internal/autocert"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	PR "github.com/yusing/go-proxy/internal/proxy/provider"
+	R "github.com/yusing/go-proxy/internal/route"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+	W "github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
+	"gopkg.in/yaml.v3"
+)
+
+type Config struct {
+	value            *M.Config
+	proxyProviders   F.Map[string, *PR.Provider]
+	autocertProvider *autocert.Provider
+
+	l logrus.FieldLogger
+
+	watcher       W.Watcher
+	watcherCtx    context.Context
+	watcherCancel context.CancelFunc
+	reloadReq     chan struct{}
+}
+
+var instance *Config
+
+func GetInstance() *Config {
+	return instance
+}
+
+func Load() E.NestedError {
+	if instance != nil {
+		return nil
+	}
+	instance = &Config{
+		value:          M.DefaultConfig(),
+		proxyProviders: F.NewMapOf[string, *PR.Provider](),
+		l:              logrus.WithField("module", "config"),
+		watcher:        W.NewConfigFileWatcher(common.ConfigFileName),
+		reloadReq:      make(chan struct{}, 1),
+	}
+	return instance.load()
+}
+
+func Validate(data []byte) E.NestedError {
+	return U.ValidateYaml(U.GetSchema(common.ConfigSchemaPath), data)
+}
+
+func MatchDomains() []string {
+	if instance == nil {
+		logrus.Panic("config has not been loaded, please check if there is any errors")
+	}
+	return instance.value.MatchDomains
+}
+
+func (cfg *Config) Value() M.Config {
+	if cfg == nil {
+		logrus.Panic("config has not been loaded, please check if there is any errors")
+	}
+	return *cfg.value
+}
+
+func (cfg *Config) GetAutoCertProvider() *autocert.Provider {
+	if instance == nil {
+		logrus.Panic("config has not been loaded, please check if there is any errors")
+	}
+	return cfg.autocertProvider
+}
+
+func (cfg *Config) Dispose() {
+	if cfg.watcherCancel != nil {
+		cfg.watcherCancel()
+		cfg.l.Debug("stopped watcher")
+	}
+	cfg.stopProviders()
+}
+
+func (cfg *Config) Reload() (err E.NestedError) {
+	cfg.stopProviders()
+	err = cfg.load()
+	cfg.StartProxyProviders()
+	return
+}
+
+func (cfg *Config) StartProxyProviders() {
+	cfg.controlProviders("start", (*PR.Provider).StartAllRoutes)
+}
+
+func (cfg *Config) WatchChanges() {
+	cfg.watcherCtx, cfg.watcherCancel = context.WithCancel(context.Background())
+	go func() {
+		for {
+			select {
+			case <-cfg.watcherCtx.Done():
+				return
+			case <-cfg.reloadReq:
+				if err := cfg.Reload(); err.HasError() {
+					cfg.l.Error(err)
+				}
+			}
+		}
+	}()
+	go func() {
+		eventCh, errCh := cfg.watcher.Events(cfg.watcherCtx)
+		for {
+			select {
+			case <-cfg.watcherCtx.Done():
+				return
+			case event := <-eventCh:
+				if event.Action == events.ActionFileDeleted || event.Action == events.ActionFileRenamed {
+					cfg.l.Error("config file deleted or renamed, ignoring...")
+					continue
+				} else {
+					cfg.reloadReq <- struct{}{}
+				}
+			case err := <-errCh:
+				cfg.l.Error(err)
+				continue
+			}
+		}
+	}()
+}
+
+func (cfg *Config) forEachRoute(do func(alias string, r R.Route, p *PR.Provider)) {
+	cfg.proxyProviders.RangeAll(func(_ string, p *PR.Provider) {
+		p.RangeRoutes(func(a string, r R.Route) {
+			do(a, r, p)
+		})
+	})
+}
+
+func (cfg *Config) load() (res E.NestedError) {
+	b := E.NewBuilder("errors loading config")
+	defer b.To(&res)
+
+	cfg.l.Debug("loading config")
+	defer cfg.l.Debug("loaded config")
+
+	data, err := E.Check(os.ReadFile(common.ConfigPath))
+	if err.HasError() {
+		b.Add(E.FailWith("read config", err))
+		logrus.Fatal(b.Build())
+	}
+
+	if !common.NoSchemaValidation {
+		if err = Validate(data); err.HasError() {
+			b.Add(E.FailWith("schema validation", err))
+			logrus.Fatal(b.Build())
+		}
+	}
+
+	model := M.DefaultConfig()
+	if err := E.From(yaml.Unmarshal(data, model)); err.HasError() {
+		b.Add(E.FailWith("parse config", err))
+		logrus.Fatal(b.Build())
+	}
+
+	// errors are non fatal below
+	b.Add(cfg.initAutoCert(&model.AutoCert))
+	b.Add(cfg.loadProviders(&model.Providers))
+
+	cfg.value = model
+	R.SetFindMuxDomains(model.MatchDomains)
+	return
+}
+
+func (cfg *Config) initAutoCert(autocertCfg *M.AutoCertConfig) (err E.NestedError) {
+	if cfg.autocertProvider != nil {
+		return
+	}
+
+	cfg.l.Debug("initializing autocert")
+	defer cfg.l.Debug("initialized autocert")
+
+	cfg.autocertProvider, err = autocert.NewConfig(autocertCfg).GetProvider()
+	if err.HasError() {
+		err = E.FailWith("autocert provider", err)
+	}
+	return
+}
+
+func (cfg *Config) loadProviders(providers *M.ProxyProviders) (res E.NestedError) {
+	cfg.l.Debug("loading providers")
+	defer cfg.l.Debug("loaded providers")
+
+	b := E.NewBuilder("errors loading providers")
+	defer b.To(&res)
+
+	for _, filename := range providers.Files {
+		p, err := PR.NewFileProvider(filename)
+		if err != nil {
+			b.Add(err.Subject(filename))
+			continue
+		}
+		cfg.proxyProviders.Store(p.GetName(), p)
+		b.Add(p.LoadRoutes().Subject(filename))
+	}
+	for name, dockerHost := range providers.Docker {
+		p, err := PR.NewDockerProvider(name, dockerHost)
+		if err != nil {
+			b.Add(err.Subjectf("%s (%s)", name, dockerHost))
+			continue
+		}
+		cfg.proxyProviders.Store(p.GetName(), p)
+		b.Add(p.LoadRoutes().Subject(dockerHost))
+	}
+	return
+}
+
+func (cfg *Config) controlProviders(action string, do func(*PR.Provider) E.NestedError) {
+	errors := E.NewBuilder("errors in %s these providers", action)
+
+	cfg.proxyProviders.RangeAll(func(name string, p *PR.Provider) {
+		if err := do(p); err.HasError() {
+			errors.Add(err.Subject(p))
+		}
+	})
+
+	if err := errors.Build(); err.HasError() {
+		cfg.l.Error(err)
+	}
+}
+
+func (cfg *Config) stopProviders() {
+	cfg.controlProviders("stop routes", (*PR.Provider).StopAllRoutes)
+}
--- a/internal/config/query.go
+++ b/internal/config/query.go
@@ -0,0 +1,82 @@
+package config
+
+import (
+	M "github.com/yusing/go-proxy/internal/models"
+	PR "github.com/yusing/go-proxy/internal/proxy/provider"
+	R "github.com/yusing/go-proxy/internal/route"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+func (cfg *Config) DumpEntries() map[string]*M.RawEntry {
+	entries := make(map[string]*M.RawEntry)
+	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
+		entries[alias] = r.Entry()
+	})
+	return entries
+}
+
+func (cfg *Config) DumpProviders() map[string]*PR.Provider {
+	entries := make(map[string]*PR.Provider)
+	cfg.proxyProviders.RangeAll(func(name string, p *PR.Provider) {
+		entries[name] = p
+	})
+	return entries
+}
+
+func (cfg *Config) RoutesByAlias() map[string]U.SerializedObject {
+	routes := make(map[string]U.SerializedObject)
+	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
+		obj, err := U.Serialize(r)
+		if err.HasError() {
+			cfg.l.Error(err)
+			return
+		}
+		obj["provider"] = p.GetName()
+		obj["type"] = string(r.Type())
+		routes[alias] = obj
+	})
+	return routes
+}
+
+func (cfg *Config) Statistics() map[string]any {
+	nTotalStreams := 0
+	nTotalRPs := 0
+	providerStats := make(map[string]any)
+
+	cfg.forEachRoute(func(alias string, r R.Route, p *PR.Provider) {
+		s, ok := providerStats[p.GetName()]
+		if !ok {
+			s = make(map[string]int)
+		}
+
+		stats := s.(map[string]int)
+		switch r.Type() {
+		case R.RouteTypeStream:
+			stats["num_streams"]++
+			nTotalStreams++
+		case R.RouteTypeReverseProxy:
+			stats["num_reverse_proxies"]++
+			nTotalRPs++
+		default:
+			panic("bug: should not reach here")
+		}
+	})
+
+	return map[string]any{
+		"num_total_streams":         nTotalStreams,
+		"num_total_reverse_proxies": nTotalRPs,
+		"providers":                 providerStats,
+	}
+}
+
+func (cfg *Config) FindRoute(alias string) R.Route {
+	return F.MapFind(cfg.proxyProviders,
+		func(p *PR.Provider) (R.Route, bool) {
+			if route, ok := p.GetRoute(alias); ok {
+				return route, true
+			}
+			return nil, false
+		},
+	)
+}
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -0,0 +1,153 @@
+package docker
+
+import (
+	"net/http"
+	"sync"
+	"sync/atomic"
+
+	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/docker/client"
+	"github.com/sirupsen/logrus"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+type Client struct {
+	key      string
+	refCount *atomic.Int32
+	*client.Client
+
+	l logrus.FieldLogger
+}
+
+func ParseDockerHostname(host string) (string, E.NestedError) {
+	switch host {
+	case common.DockerHostFromEnv, "":
+		return "localhost", nil
+	}
+	url, err := E.Check(client.ParseHostURL(host))
+	if err != nil {
+		return "", E.Invalid("host", host).With(err)
+	}
+	return url.Hostname(), nil
+}
+
+func (c Client) DaemonHostname() string {
+	// DaemonHost should always return a valid host
+	hostname, _ := ParseDockerHostname(c.DaemonHost())
+	return hostname
+}
+
+func (c Client) Connected() bool {
+	return c.Client != nil
+}
+
+// if the client is still referenced, this is no-op
+func (c *Client) Close() error {
+	if c.refCount.Add(-1) > 0 {
+		return nil
+	}
+
+	clientMap.Delete(c.key)
+
+	client := c.Client
+	c.Client = nil
+
+	c.l.Debugf("client closed")
+
+	if client != nil {
+		return client.Close()
+	}
+	return nil
+}
+
+// ConnectClient creates a new Docker client connection to the specified host.
+//
+// Returns existing client if available.
+//
+// Parameters:
+//   - host: the host to connect to (either a URL or common.DockerHostFromEnv).
+//
+// Returns:
+//   - Client: the Docker client connection.
+//   - error: an error if the connection failed.
+func ConnectClient(host string) (Client, E.NestedError) {
+	clientMapMu.Lock()
+	defer clientMapMu.Unlock()
+
+	// check if client exists
+	if client, ok := clientMap.Load(host); ok {
+		client.refCount.Add(1)
+		return client, nil
+	}
+
+	// create client
+	var opt []client.Opt
+
+	switch host {
+	case common.DockerHostFromEnv:
+		opt = clientOptEnvHost
+	default:
+		helper, err := E.Check(connhelper.GetConnectionHelper(host))
+		if err.HasError() {
+			return Client{}, E.UnexpectedError(err.Error())
+		}
+		if helper != nil {
+			httpClient := &http.Client{
+				Transport: &http.Transport{
+					DialContext: helper.Dialer,
+				},
+			}
+			opt = []client.Opt{
+				client.WithHTTPClient(httpClient),
+				client.WithHost(helper.Host),
+				client.WithAPIVersionNegotiation(),
+				client.WithDialContext(helper.Dialer),
+			}
+		} else {
+			opt = []client.Opt{
+				client.WithHost(host),
+				client.WithAPIVersionNegotiation(),
+			}
+		}
+	}
+
+	client, err := E.Check(client.NewClientWithOpts(opt...))
+
+	if err.HasError() {
+		return Client{}, err
+	}
+
+	c := Client{
+		Client:   client,
+		key:      host,
+		refCount: &atomic.Int32{},
+		l:        logger.WithField("docker_client", client.DaemonHost()),
+	}
+	c.refCount.Add(1)
+	c.l.Debugf("client connected")
+
+	clientMap.Store(host, c)
+	return c, nil
+}
+
+func CloseAllClients() {
+	clientMap.RangeAll(func(_ string, c Client) {
+		c.Client.Close()
+	})
+	clientMap.Clear()
+	logger.Debug("closed all clients")
+}
+
+var (
+	clientMap   F.Map[string, Client] = F.NewMapOf[string, Client]()
+	clientMapMu sync.Mutex
+
+	clientOptEnvHost = []client.Opt{
+		client.WithHostFromEnv(),
+		client.WithAPIVersionNegotiation(),
+	}
+
+	logger = logrus.WithField("module", "docker")
+)
--- a/internal/docker/client_info.go
+++ b/internal/docker/client_info.go
@@ -0,0 +1,54 @@
+package docker
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type ClientInfo struct {
+	Client     Client
+	Containers []types.Container
+}
+
+var listOptions = container.ListOptions{
+	// Filters: filters.NewArgs(
+	// 	filters.Arg("health", "healthy"),
+	// 	filters.Arg("health", "none"),
+	// 	filters.Arg("health", "starting"),
+	// ),
+	All: true,
+}
+
+func GetClientInfo(clientHost string, getContainer bool) (*ClientInfo, E.NestedError) {
+	dockerClient, err := ConnectClient(clientHost)
+	if err.HasError() {
+		return nil, E.FailWith("connect to docker", err)
+	}
+	defer dockerClient.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	var containers []types.Container
+	if getContainer {
+		containers, err = E.Check(dockerClient.ContainerList(ctx, listOptions))
+		if err.HasError() {
+			return nil, E.FailWith("list containers", err)
+		}
+	}
+
+	return &ClientInfo{
+		Client:     dockerClient,
+		Containers: containers,
+	}, nil
+}
+
+func IsErrConnectionFailed(err error) bool {
+	return client.IsErrConnectionFailed(err)
+}
--- a/internal/docker/container.go
+++ b/internal/docker/container.go
@@ -0,0 +1,109 @@
+package docker
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	U "github.com/yusing/go-proxy/internal/utils"
+)
+
+type Container struct {
+	*types.Container
+	*ProxyProperties
+}
+
+func FromDocker(c *types.Container, dockerHost string) (res Container) {
+	res.Container = c
+	isExplicit := c.Labels[LabelAliases] != ""
+	res.ProxyProperties = &ProxyProperties{
+		DockerHost:         dockerHost,
+		ContainerName:      res.getName(),
+		ImageName:          res.getImageName(),
+		PublicPortMapping:  res.getPublicPortMapping(),
+		PrivatePortMapping: res.getPrivatePortMapping(),
+		NetworkMode:        c.HostConfig.NetworkMode,
+		Aliases:            res.getAliases(),
+		IsExcluded:         U.ParseBool(res.getDeleteLabel(LabelExclude)),
+		IsExplicit:         isExplicit,
+		IdleTimeout:        res.getDeleteLabel(LabelIdleTimeout),
+		WakeTimeout:        res.getDeleteLabel(LabelWakeTimeout),
+		StopMethod:         res.getDeleteLabel(LabelStopMethod),
+		StopTimeout:        res.getDeleteLabel(LabelStopTimeout),
+		StopSignal:         res.getDeleteLabel(LabelStopSignal),
+		Running:            c.Status == "running" || c.State == "running",
+	}
+	return
+}
+
+func FromJson(json types.ContainerJSON, dockerHost string) Container {
+	ports := make([]types.Port, 0)
+	for k, bindings := range json.NetworkSettings.Ports {
+		for _, v := range bindings {
+			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
+			privPort, _ := strconv.ParseUint(k.Port(), 10, 16)
+			ports = append(ports, types.Port{
+				IP:          v.HostIP,
+				PublicPort:  uint16(pubPort),
+				PrivatePort: uint16(privPort),
+			})
+		}
+	}
+	cont := FromDocker(&types.Container{
+		ID:     json.ID,
+		Names:  []string{json.Name},
+		Image:  json.Image,
+		Ports:  ports,
+		Labels: json.Config.Labels,
+		State:  json.State.Status,
+		Status: json.State.Status,
+	}, dockerHost)
+	cont.NetworkMode = string(json.HostConfig.NetworkMode)
+	return cont
+}
+
+func (c Container) getDeleteLabel(label string) string {
+	if l, ok := c.Labels[label]; ok {
+		delete(c.Labels, label)
+		return l
+	}
+	return ""
+}
+
+func (c Container) getAliases() []string {
+	if l := c.getDeleteLabel(LabelAliases); l != "" {
+		return U.CommaSeperatedList(l)
+	} else {
+		return []string{c.getName()}
+	}
+}
+
+func (c Container) getName() string {
+	return strings.TrimPrefix(c.Names[0], "/")
+}
+
+func (c Container) getImageName() string {
+	colonSep := strings.Split(c.Image, ":")
+	slashSep := strings.Split(colonSep[0], "/")
+	return slashSep[len(slashSep)-1]
+}
+
+func (c Container) getPublicPortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		if v.PublicPort == 0 {
+			continue
+		}
+		res[fmt.Sprint(v.PublicPort)] = v
+	}
+	return res
+}
+
+func (c Container) getPrivatePortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		res[fmt.Sprint(v.PrivatePort)] = v
+	}
+	return res
+}
--- a/internal/docker/homepage_label.go
+++ b/internal/docker/homepage_label.go
@@ -0,0 +1,32 @@
+package docker
+
+type (
+	HomePageConfig   struct{ m map[string]HomePageCategory }
+	HomePageCategory []HomePageItem
+
+	HomePageItem struct {
+		Name         string
+		Icon         string
+		Category     string
+		Description  string
+		WidgetConfig map[string]any
+	}
+)
+
+func NewHomePageConfig() *HomePageConfig {
+	return &HomePageConfig{m: make(map[string]HomePageCategory)}
+}
+
+func NewHomePageItem() *HomePageItem {
+	return &HomePageItem{}
+}
+
+func (c *HomePageConfig) Clear() {
+	c.m = make(map[string]HomePageCategory)
+}
+
+func (c *HomePageConfig) Add(item HomePageItem) {
+	c.m[item.Category] = HomePageCategory{item}
+}
+
+const NSHomePage = "homepage"
--- a/internal/docker/idlewatcher/html/loading_page.html
+++ b/internal/docker/idlewatcher/html/loading_page.html
@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+        <title>{{.Title}}</title>
+        <style>
+            /* Global Styles */
+            * {
+                box-sizing: border-box;
+                margin: 0;
+                padding: 0;
+            }
+            body {
+                font-family: Inter, Arial, sans-serif;
+                font-size: 16px;
+                line-height: 1.5;
+                color: #fff;
+                background-color: #212121;
+                display: flex;
+                justify-content: center;
+                align-items: center;
+                height: 100vh;
+                margin: 0;
+            }
+
+            /* Spinner Styles */
+            .spinner {
+                width: 120px;
+                height: 120px;
+                border: 16px solid #333;
+                border-radius: 50%;
+                border-top: 16px solid #66d9ef;
+                animation: spin 2s linear infinite;
+            }
+            @keyframes spin {
+                0% {
+                    transform: rotate(0deg);
+                }
+                100% {
+                    transform: rotate(360deg);
+                }
+            }
+
+            /* Error Styles */
+            .error {
+                display: inline-block;
+                text-align: center;
+                justify-content: center;
+            }
+            .error::before {
+                content: "\26A0"; /* Unicode for warning symbol */
+                font-size: 40px;
+                color: #ff9900;
+            }
+
+            /* Message Styles */
+            .message {
+                font-size: 24px;
+                font-weight: bold;
+                padding-left: 32px;
+                text-align: center;
+            }
+        </style>
+    </head>
+    <body>
+        <script>
+            window.onload = async function () {
+                let result = await fetch(window.location.href, {
+                    headers: {
+                        {{ range $key, $value := .RequestHeaders }}
+                        '{{ $key }}' : {{ $value }}
+                        {{ end }}
+                    },
+                }).then((resp) => resp.text())
+                    .catch((err) => {
+                        document.getElementById("message").innerText = err;
+                    });
+                if (result) {
+                    document.documentElement.innerHTML = result
+                }
+            };
+        </script>
+        <div class="{{.SpinnerClass}}"></div>
+        <div class="message">{{.Message}}</div>
+    </body>
+</html>
--- a/internal/docker/idlewatcher/http.go
+++ b/internal/docker/idlewatcher/http.go
@@ -0,0 +1,87 @@
+package idlewatcher
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"text/template"
+)
+
+type templateData struct {
+	Title          string
+	Message        string
+	RequestHeaders http.Header
+	SpinnerClass   string
+}
+
+//go:embed html/loading_page.html
+var loadingPage []byte
+var loadingPageTmpl = template.Must(template.New("loading_page").Parse(string(loadingPage)))
+
+const (
+	htmlContentType = "text/html; charset=utf-8"
+
+	errPrefix = "\u1000"
+
+	headerGoProxyTargetURL = "X-GoProxy-Target"
+	headerContentType      = "Content-Type"
+
+	spinnerClassSpinner   = "spinner"
+	spinnerClassErrorSign = "error"
+)
+
+func (w *watcher) makeSuccResp(redirectURL string, resp *http.Response) (*http.Response, error) {
+	h := make(http.Header)
+	h.Set("Location", redirectURL)
+	h.Set("Content-Length", "0")
+	h.Set(headerContentType, htmlContentType)
+	return &http.Response{
+		StatusCode: http.StatusTemporaryRedirect,
+		Header:     h,
+		Body:       http.NoBody,
+		TLS:        resp.TLS,
+	}, nil
+}
+
+func (w *watcher) makeErrResp(errFmt string, args ...any) (*http.Response, error) {
+	return w.makeResp(errPrefix+errFmt, args...)
+}
+
+func (w *watcher) makeResp(format string, args ...any) (*http.Response, error) {
+	msg := fmt.Sprintf(format, args...)
+
+	data := new(templateData)
+	data.Title = w.ContainerName
+	data.Message = strings.ReplaceAll(msg, "\n", "<br>")
+	data.Message = strings.ReplaceAll(data.Message, " ", "&ensp;")
+	data.RequestHeaders = make(http.Header)
+	data.RequestHeaders.Add(headerGoProxyTargetURL, "window.location.href")
+	if strings.HasPrefix(data.Message, errPrefix) {
+		data.Message = strings.TrimLeft(data.Message, errPrefix)
+		data.SpinnerClass = spinnerClassErrorSign
+	} else {
+		data.SpinnerClass = spinnerClassSpinner
+	}
+
+	buf := bytes.NewBuffer(make([]byte, 128)) // more than enough
+	err := loadingPageTmpl.Execute(buf, data)
+	if err != nil { // should never happen
+		panic(err)
+	}
+	return &http.Response{
+		StatusCode: http.StatusAccepted,
+		Header: http.Header{
+			headerContentType: {htmlContentType},
+			"Cache-Control": {
+				"no-cache",
+				"no-store",
+				"must-revalidate",
+			},
+		},
+		Body:          io.NopCloser(buf),
+		ContentLength: int64(buf.Len()),
+	}, nil
+}
--- a/internal/docker/idlewatcher/round_trip.go
+++ b/internal/docker/idlewatcher/round_trip.go
@@ -0,0 +1,83 @@
+package idlewatcher
+
+import (
+	"context"
+	"net/http"
+)
+
+type (
+	roundTripper struct {
+		patched roundTripFunc
+	}
+	roundTripFunc func(*http.Request) (*http.Response, error)
+)
+
+func (rt roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rt.patched(req)
+}
+
+func (w *watcher) roundTrip(origRoundTrip roundTripFunc, req *http.Request) (*http.Response, error) {
+	// wake the container
+	select {
+	case w.wakeCh <- struct{}{}:
+	default:
+	}
+
+	// target site is ready, passthrough
+	if w.ready.Load() {
+		return origRoundTrip(req)
+	}
+
+	// initial request
+	targetUrl := req.Header.Get(headerGoProxyTargetURL)
+	if targetUrl == "" {
+		return w.makeResp(
+			"%s is starting... Please wait",
+			w.ContainerName,
+		)
+	}
+
+	w.l.Debug("serving event")
+
+	// stream request
+	rtDone := make(chan *http.Response, 1)
+	ctx, cancel := context.WithTimeout(req.Context(), w.WakeTimeout)
+	defer cancel()
+
+	// loop original round trip until success in a goroutine
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-w.ctx.Done():
+				return
+			default:
+				resp, err := origRoundTrip(req)
+				if err == nil {
+					w.ready.Store(true)
+					rtDone <- resp
+					return
+				}
+			}
+		}
+	}()
+
+	for {
+		select {
+		case resp := <-rtDone:
+			return w.makeSuccResp(targetUrl, resp)
+		case err := <-w.wakeDone:
+			if err != nil {
+				return w.makeErrResp("error waking up %s\n%s", w.ContainerName, err.Error())
+			}
+		case <-ctx.Done():
+			if ctx.Err() == context.DeadlineExceeded {
+				return w.makeErrResp("Timed out waiting for %s to fully wake", w.ContainerName)
+			}
+			return w.makeErrResp("idlewatcher has stopped\n%s", w.ctx.Err().Error())
+		case <-w.ctx.Done():
+			return w.makeErrResp("idlewatcher has stopped\n%s", w.ctx.Err().Error())
+		}
+	}
+}
--- a/internal/docker/idlewatcher/watcher.go
+++ b/internal/docker/idlewatcher/watcher.go
@@ -0,0 +1,276 @@
+package idlewatcher
+
+import (
+	"context"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/sirupsen/logrus"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	P "github.com/yusing/go-proxy/internal/proxy"
+	PT "github.com/yusing/go-proxy/internal/proxy/fields"
+	W "github.com/yusing/go-proxy/internal/watcher"
+)
+
+type (
+	watcher struct {
+		*P.ReverseProxyEntry
+
+		client D.Client
+
+		ready        atomic.Bool  // whether the site is ready to accept connection
+		stopByMethod StopCallback // send a docker command w.r.t. `stop_method`
+
+		wakeCh   chan struct{}
+		wakeDone chan E.NestedError
+
+		ctx      context.Context
+		cancel   context.CancelFunc
+		refCount *sync.WaitGroup
+
+		l logrus.FieldLogger
+	}
+
+	WakeDone     <-chan error
+	WakeFunc     func() WakeDone
+	StopCallback func() E.NestedError
+)
+
+var (
+	mainLoopCtx    context.Context
+	mainLoopCancel context.CancelFunc
+	mainLoopWg     sync.WaitGroup
+
+	watcherMap   = make(map[string]*watcher)
+	watcherMapMu sync.Mutex
+
+	newWatcherCh = make(chan *watcher)
+
+	logger = logrus.WithField("module", "idle_watcher")
+)
+
+func Register(entry *P.ReverseProxyEntry) (*watcher, E.NestedError) {
+	failure := E.Failure("idle_watcher register")
+
+	if entry.IdleTimeout == 0 {
+		return nil, failure.With(E.Invalid("idle_timeout", 0))
+	}
+
+	watcherMapMu.Lock()
+	defer watcherMapMu.Unlock()
+
+	if w, ok := watcherMap[entry.ContainerName]; ok {
+		w.refCount.Add(1)
+		w.ReverseProxyEntry = entry
+		return w, nil
+	}
+
+	client, err := D.ConnectClient(entry.DockerHost)
+	if err.HasError() {
+		return nil, failure.With(err)
+	}
+
+	w := &watcher{
+		ReverseProxyEntry: entry,
+		client:            client,
+		refCount:          &sync.WaitGroup{},
+		wakeCh:            make(chan struct{}),
+		wakeDone:          make(chan E.NestedError),
+		l:                 logger.WithField("container", entry.ContainerName),
+	}
+	w.refCount.Add(1)
+	w.stopByMethod = w.getStopCallback()
+
+	watcherMap[w.ContainerName] = w
+
+	go func() {
+		newWatcherCh <- w
+	}()
+
+	return w, nil
+}
+
+func Unregister(containerName string) {
+	if w, ok := watcherMap[containerName]; ok {
+		w.refCount.Add(-1)
+	}
+}
+
+func Start() {
+	logger.Debug("started")
+	defer logger.Debug("stopped")
+
+	mainLoopCtx, mainLoopCancel = context.WithCancel(context.Background())
+
+	for {
+		select {
+		case <-mainLoopCtx.Done():
+			return
+		case w := <-newWatcherCh:
+			w.l.Debug("registered")
+			mainLoopWg.Add(1)
+			go func() {
+				w.watchUntilCancel()
+				w.refCount.Wait() // wait for 0 ref count
+
+				w.client.Close()
+				delete(watcherMap, w.ContainerName)
+				w.l.Debug("unregistered")
+				mainLoopWg.Done()
+			}()
+		}
+	}
+}
+
+func Stop() {
+	mainLoopCancel()
+	mainLoopWg.Wait()
+}
+
+func (w *watcher) PatchRoundTripper(rtp http.RoundTripper) roundTripper {
+	return roundTripper{patched: func(r *http.Request) (*http.Response, error) {
+		return w.roundTrip(rtp.RoundTrip, r)
+	}}
+}
+
+func (w *watcher) containerStop() error {
+	return w.client.ContainerStop(w.ctx, w.ContainerName, container.StopOptions{
+		Signal:  string(w.StopSignal),
+		Timeout: &w.StopTimeout})
+}
+
+func (w *watcher) containerPause() error {
+	return w.client.ContainerPause(w.ctx, w.ContainerName)
+}
+
+func (w *watcher) containerKill() error {
+	return w.client.ContainerKill(w.ctx, w.ContainerName, string(w.StopSignal))
+}
+
+func (w *watcher) containerUnpause() error {
+	return w.client.ContainerUnpause(w.ctx, w.ContainerName)
+}
+
+func (w *watcher) containerStart() error {
+	return w.client.ContainerStart(w.ctx, w.ContainerName, container.StartOptions{})
+}
+
+func (w *watcher) containerStatus() (string, E.NestedError) {
+	json, err := w.client.ContainerInspect(w.ctx, w.ContainerName)
+	if err != nil {
+		return "", E.FailWith("inspect container", err)
+	}
+	return json.State.Status, nil
+}
+
+func (w *watcher) wakeIfStopped() E.NestedError {
+	status, err := w.containerStatus()
+
+	if err.HasError() {
+		return err
+	}
+	// "created", "running", "paused", "restarting", "removing", "exited", or "dead"
+	switch status {
+	case "exited", "dead":
+		return E.From(w.containerStart())
+	case "paused":
+		return E.From(w.containerUnpause())
+	case "running":
+		return nil
+	default:
+		return E.Unexpected("container state", status)
+	}
+}
+
+func (w *watcher) getStopCallback() StopCallback {
+	var cb func() error
+	switch w.StopMethod {
+	case PT.StopMethodPause:
+		cb = w.containerPause
+	case PT.StopMethodStop:
+		cb = w.containerStop
+	case PT.StopMethodKill:
+		cb = w.containerKill
+	default:
+		panic("should not reach here")
+	}
+	return func() E.NestedError {
+		status, err := w.containerStatus()
+		if err.HasError() {
+			return err
+		}
+		if status != "running" {
+			return nil
+		}
+		return E.From(cb())
+	}
+}
+
+func (w *watcher) watchUntilCancel() {
+	defer close(w.wakeCh)
+
+	w.ctx, w.cancel = context.WithCancel(context.Background())
+
+	dockerWatcher := W.NewDockerWatcherWithClient(w.client)
+	dockerEventCh, dockerEventErrCh := dockerWatcher.EventsWithOptions(w.ctx, W.DockerListOptions{
+		Filters: W.NewDockerFilter(
+			W.DockerFilterContainer,
+			W.DockerrFilterContainerName(w.ContainerName),
+			W.DockerFilterStart,
+			W.DockerFilterStop,
+			W.DockerFilterDie,
+			W.DockerFilterKill,
+			W.DockerFilterPause,
+			W.DockerFilterUnpause,
+		),
+	})
+
+	ticker := time.NewTicker(w.IdleTimeout)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-mainLoopCtx.Done():
+			w.cancel()
+		case <-w.ctx.Done():
+			w.l.Debug("stopped")
+			return
+		case err := <-dockerEventErrCh:
+			if err != nil && err.IsNot(context.Canceled) {
+				w.l.Error(E.FailWith("docker watcher", err))
+			}
+		case e := <-dockerEventCh:
+			switch {
+			// create / start / unpause
+			case e.Action.IsContainerWake():
+				ticker.Reset(w.IdleTimeout)
+				w.l.Info(e)
+			default: // stop / pause / kill
+				ticker.Stop()
+				w.ready.Store(false)
+				w.l.Info(e)
+			}
+		case <-ticker.C:
+			w.l.Debug("idle timeout")
+			ticker.Stop()
+			if err := w.stopByMethod(); err != nil && err.IsNot(context.Canceled) {
+				w.l.Error(E.FailWith("stop", err).Extraf("stop method: %s", w.StopMethod))
+			}
+		case <-w.wakeCh:
+			w.l.Debug("wake signal received")
+			ticker.Reset(w.IdleTimeout)
+			err := w.wakeIfStopped()
+			if err != nil && err.IsNot(context.Canceled) {
+				w.l.Error(E.FailWith("wake", err))
+			}
+			select {
+			case w.wakeDone <- err: // this is passed to roundtrip
+			default:
+			}
+		}
+	}
+}
--- a/internal/docker/inspect.go
+++ b/internal/docker/inspect.go
@@ -0,0 +1,19 @@
+package docker
+
+import (
+	"context"
+	"time"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func (c Client) Inspect(containerID string) (Container, E.NestedError) {
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	json, err := c.ContainerInspect(ctx, containerID)
+	if err != nil {
+		return Container{}, E.From(err)
+	}
+	return FromJson(json, c.key), nil
+}
--- a/internal/docker/label.go
+++ b/internal/docker/label.go
@@ -0,0 +1,151 @@
+package docker
+
+import (
+	"reflect"
+	"strings"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+/*
+Formats:
+  - namespace.attribute
+  - namespace.target.attribute
+  - namespace.target.attribute.namespace2.attribute
+*/
+type (
+	Label struct {
+		Namespace string
+		Target    string
+		Attribute string
+		Value     any
+	}
+	NestedLabelMap map[string]U.SerializedObject
+	ValueParser    func(string) (any, E.NestedError)
+	ValueParserMap map[string]ValueParser
+)
+
+func (l *Label) String() string {
+	if l.Attribute == "" {
+		return l.Namespace + "." + l.Target
+	}
+	return l.Namespace + "." + l.Target + "." + l.Attribute
+}
+
+// Apply applies the value of a Label to the corresponding field in the given object.
+//
+// Parameters:
+//   - obj: a pointer to the object to which the Label value will be applied.
+//   - l: a pointer to the Label containing the attribute and value to be applied.
+//
+// Returns:
+//   - error: an error if the field does not exist.
+func ApplyLabel[T any](obj *T, l *Label) E.NestedError {
+	if obj == nil {
+		return E.Invalid("nil object", l)
+	}
+	switch nestedLabel := l.Value.(type) {
+	case *Label:
+		var field reflect.Value
+		objType := reflect.TypeFor[T]()
+		for i := 0; i < reflect.TypeFor[T]().NumField(); i++ {
+			if objType.Field(i).Tag.Get("yaml") == l.Attribute {
+				field = reflect.ValueOf(obj).Elem().Field(i)
+				break
+			}
+		}
+		if !field.IsValid() {
+			return E.NotExist("field", l.Attribute)
+		}
+		dst, ok := field.Interface().(NestedLabelMap)
+		if !ok {
+			return E.Invalid("type", field.Type())
+		}
+		if dst == nil {
+			field.Set(reflect.MakeMap(reflect.TypeFor[NestedLabelMap]()))
+			dst = field.Interface().(NestedLabelMap)
+		}
+		if dst[nestedLabel.Namespace] == nil {
+			dst[nestedLabel.Namespace] = make(U.SerializedObject)
+		}
+		dst[nestedLabel.Namespace][nestedLabel.Attribute] = nestedLabel.Value
+		return nil
+	default:
+		return U.Deserialize(U.SerializedObject{l.Attribute: l.Value}, obj)
+	}
+}
+
+func ParseLabel(label string, value string) (*Label, E.NestedError) {
+	parts := strings.Split(label, ".")
+
+	if len(parts) < 2 {
+		return &Label{
+			Namespace: label,
+			Value:     value,
+		}, nil
+	}
+
+	l := &Label{
+		Namespace: parts[0],
+		Target:    parts[1],
+		Value:     value,
+	}
+
+	switch len(parts) {
+	case 2:
+		l.Attribute = l.Target
+	case 3:
+		l.Attribute = parts[2]
+	default:
+		l.Attribute = parts[2]
+		nestedLabel, err := ParseLabel(strings.Join(parts[3:], "."), value)
+		if err.HasError() {
+			return nil, err
+		}
+		l.Value = nestedLabel
+	}
+
+	// find if namespace has value parser
+	pm, ok := valueParserMap.Load(U.ToLowerNoSnake(l.Namespace))
+	if !ok {
+		return l, nil
+	}
+	// find if attribute has value parser
+	p, ok := pm[U.ToLowerNoSnake(l.Attribute)]
+	if !ok {
+		return l, nil
+	}
+	// try to parse value
+	v, err := p(value)
+	if err.HasError() {
+		return nil, err.Subject(label)
+	}
+	l.Value = v
+	return l, nil
+}
+
+func RegisterNamespace(namespace string, pm ValueParserMap) {
+	pmCleaned := make(ValueParserMap, len(pm))
+	for k, v := range pm {
+		pmCleaned[U.ToLowerNoSnake(k)] = v
+	}
+	valueParserMap.Store(U.ToLowerNoSnake(namespace), pmCleaned)
+}
+
+func GetRegisteredNamespaces() map[string][]string {
+	r := make(map[string][]string)
+
+	valueParserMap.RangeAll(func(ns string, vpm ValueParserMap) {
+		r[ns] = make([]string, 0, len(vpm))
+		for attr := range vpm {
+			r[ns] = append(r[ns], attr)
+		}
+	})
+
+	return r
+}
+
+// namespace:target.attribute -> func(string) (any, error)
+var valueParserMap = F.NewMapOf[string, ValueParserMap]()
--- a/internal/docker/label_parser.go
+++ b/internal/docker/label_parser.go
@@ -0,0 +1,78 @@
+package docker
+
+import (
+	"strings"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	NSProxy                    = "proxy"
+	ProxyAttributePathPatterns = "path_patterns"
+	ProxyAttributeNoTLSVerify  = "no_tls_verify"
+	ProxyAttributeMiddlewares  = "middlewares"
+)
+
+var _ = func() int {
+	RegisterNamespace(NSProxy, ValueParserMap{
+		ProxyAttributePathPatterns: YamlStringListParser,
+		ProxyAttributeNoTLSVerify:  BoolParser,
+	})
+	return 0
+}()
+
+func YamlStringListParser(value string) (any, E.NestedError) {
+	/*
+		- foo
+		- bar
+		- baz
+	*/
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return []string{}, nil
+	}
+	var data []string
+	err := E.From(yaml.Unmarshal([]byte(value), &data))
+	return data, err
+}
+
+func YamlLikeMappingParser(allowDuplicate bool) func(string) (any, E.NestedError) {
+	return func(value string) (any, E.NestedError) {
+		/*
+			foo: bar
+			boo: baz
+		*/
+		value = strings.TrimSpace(value)
+		lines := strings.Split(value, "\n")
+		h := make(map[string]string)
+		for _, line := range lines {
+			parts := strings.SplitN(line, ":", 2)
+			if len(parts) != 2 {
+				return nil, E.Invalid("syntax", line).With("too many colons")
+			}
+			key := strings.TrimSpace(parts[0])
+			val := strings.TrimSpace(parts[1])
+			if existing, ok := h[key]; ok {
+				if !allowDuplicate {
+					return nil, E.Duplicated("key", key)
+				}
+				h[key] = existing + ", " + val
+			} else {
+				h[key] = val
+			}
+		}
+		return h, nil
+	}
+}
+
+func BoolParser(value string) (any, E.NestedError) {
+	switch strings.ToLower(value) {
+	case "true", "yes", "1":
+		return true, nil
+	case "false", "no", "0":
+		return false, nil
+	default:
+		return nil, E.Invalid("boolean value", value)
+	}
+}
--- a/internal/docker/label_parser_test.go
+++ b/internal/docker/label_parser_test.go
@@ -0,0 +1,106 @@
+package docker
+
+import (
+	"fmt"
+	"testing"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func makeLabel(namespace string, alias string, field string) string {
+	return fmt.Sprintf("%s.%s.%s", namespace, alias, field)
+}
+
+func TestParseLabel(t *testing.T) {
+	alias := "foo"
+	field := "ip"
+	v := "bar"
+	pl, err := ParseLabel(makeLabel(NSHomePage, alias, field), v)
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, pl.Namespace, NSHomePage)
+	ExpectEqual(t, pl.Target, alias)
+	ExpectEqual(t, pl.Attribute, field)
+	ExpectEqual(t, pl.Value.(string), v)
+}
+
+func TestStringProxyLabel(t *testing.T) {
+	v := "bar"
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", "ip"), v)
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, pl.Value.(string), v)
+}
+
+func TestBoolProxyLabelValid(t *testing.T) {
+	tests := map[string]bool{
+		"true":  true,
+		"TRUE":  true,
+		"yes":   true,
+		"1":     true,
+		"false": false,
+		"FALSE": false,
+		"no":    false,
+		"0":     false,
+	}
+
+	for k, v := range tests {
+		pl, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeNoTLSVerify), k)
+		ExpectNoError(t, err.Error())
+		ExpectEqual(t, pl.Value.(bool), v)
+	}
+}
+
+func TestBoolProxyLabelInvalid(t *testing.T) {
+	_, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeNoTLSVerify), "invalid")
+	if !err.Is(E.ErrInvalid) {
+		t.Errorf("Expected err InvalidProxyLabel, got %s", err.Error())
+	}
+}
+
+// func TestSetHeaderProxyLabelValid(t *testing.T) {
+// 	v := `
+// X-Custom-Header1: foo, bar
+// X-Custom-Header1: baz
+// X-Custom-Header2: boo`
+// 	v = strings.TrimPrefix(v, "\n")
+// 	h := map[string]string{
+// 		"X-Custom-Header1": "foo, bar, baz",
+// 		"X-Custom-Header2": "boo",
+// 	}
+
+// 	pl, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeSetHeaders), v)
+// 	ExpectNoError(t, err.Error())
+// 	hGot := ExpectType[map[string]string](t, pl.Value)
+// 	ExpectFalse(t, hGot == nil)
+// 	ExpectDeepEqual(t, h, hGot)
+// }
+
+// func TestSetHeaderProxyLabelInvalid(t *testing.T) {
+// 	tests := []string{
+// 		"X-Custom-Header1 = bar",
+// 		"X-Custom-Header1",
+// 		"- X-Custom-Header1",
+// 	}
+
+// 	for _, v := range tests {
+// 		_, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeSetHeaders), v)
+// 		if !err.Is(E.ErrInvalid) {
+// 			t.Errorf("Expected invalid err for %q, got %s", v, err.Error())
+// 		}
+// 	}
+// }
+
+// func TestHideHeadersProxyLabel(t *testing.T) {
+// 	v := `
+// - X-Custom-Header1
+// - X-Custom-Header2
+// - X-Custom-Header3
+// `
+// 	v = strings.TrimPrefix(v, "\n")
+// 	pl, err := ParseLabel(makeLabel(NSProxy, "foo", ProxyAttributeHideHeaders), v)
+// 	ExpectNoError(t, err.Error())
+// 	sGot := ExpectType[[]string](t, pl.Value)
+// 	sWant := []string{"X-Custom-Header1", "X-Custom-Header2", "X-Custom-Header3"}
+// 	ExpectFalse(t, sGot == nil)
+// 	ExpectDeepEqual(t, sGot, sWant)
+// }
--- a/internal/docker/label_test.go
+++ b/internal/docker/label_test.go
@@ -0,0 +1,85 @@
+package docker
+
+import (
+	"fmt"
+	"testing"
+
+	U "github.com/yusing/go-proxy/internal/utils"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestNestedLabel(t *testing.T) {
+	mName := "middleware1"
+	mAttr := "prop1"
+	v := "value1"
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s.%s", ProxyAttributeMiddlewares, mName, mAttr)), v)
+	ExpectNoError(t, err.Error())
+	sGot := ExpectType[*Label](t, pl.Value)
+	ExpectFalse(t, sGot == nil)
+	ExpectEqual(t, sGot.Namespace, mName)
+	ExpectEqual(t, sGot.Attribute, mAttr)
+}
+
+func TestApplyNestedLabel(t *testing.T) {
+	entry := new(struct {
+		Middlewares NestedLabelMap `yaml:"middlewares"`
+	})
+	mName := "middleware1"
+	mAttr := "prop1"
+	v := "value1"
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s.%s", ProxyAttributeMiddlewares, mName, mAttr)), v)
+	ExpectNoError(t, err.Error())
+	err = ApplyLabel(entry, pl)
+	ExpectNoError(t, err.Error())
+	middleware1, ok := entry.Middlewares[mName]
+	ExpectTrue(t, ok)
+	got := ExpectType[string](t, middleware1[mAttr])
+	ExpectEqual(t, got, v)
+}
+
+func TestApplyNestedLabelExisting(t *testing.T) {
+	mName := "middleware1"
+	mAttr := "prop1"
+	v := "value1"
+
+	checkAttr := "prop2"
+	checkV := "value2"
+	entry := new(struct {
+		Middlewares NestedLabelMap `yaml:"middlewares"`
+	})
+	entry.Middlewares = make(NestedLabelMap)
+	entry.Middlewares[mName] = make(U.SerializedObject)
+	entry.Middlewares[mName][checkAttr] = checkV
+
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s.%s", ProxyAttributeMiddlewares, mName, mAttr)), v)
+	ExpectNoError(t, err.Error())
+	err = ApplyLabel(entry, pl)
+	ExpectNoError(t, err.Error())
+	middleware1, ok := entry.Middlewares[mName]
+	ExpectTrue(t, ok)
+	got := ExpectType[string](t, middleware1[mAttr])
+	ExpectEqual(t, got, v)
+
+	// check if prop2 is affected
+	ExpectFalse(t, middleware1[checkAttr] == nil)
+	got = ExpectType[string](t, middleware1[checkAttr])
+	ExpectEqual(t, got, checkV)
+}
+
+func TestApplyNestedLabelNoAttr(t *testing.T) {
+	mName := "middleware1"
+	v := "value1"
+
+	entry := new(struct {
+		Middlewares NestedLabelMap `yaml:"middlewares"`
+	})
+	entry.Middlewares = make(NestedLabelMap)
+	entry.Middlewares[mName] = make(U.SerializedObject)
+
+	pl, err := ParseLabel(makeLabel(NSProxy, "foo", fmt.Sprintf("%s.%s", ProxyAttributeMiddlewares, mName)), v)
+	ExpectNoError(t, err.Error())
+	err = ApplyLabel(entry, pl)
+	ExpectNoError(t, err.Error())
+	_, ok := entry.Middlewares[mName]
+	ExpectTrue(t, ok)
+}
--- a/internal/docker/labels.go
+++ b/internal/docker/labels.go
@@ -0,0 +1,13 @@
+package docker
+
+const (
+	WildcardAlias = "*"
+
+	LabelAliases     = NSProxy + ".aliases"
+	LabelExclude     = NSProxy + ".exclude"
+	LabelIdleTimeout = NSProxy + ".idle_timeout"
+	LabelWakeTimeout = NSProxy + ".wake_timeout"
+	LabelStopMethod  = NSProxy + ".stop_method"
+	LabelStopTimeout = NSProxy + ".stop_timeout"
+	LabelStopSignal  = NSProxy + ".stop_signal"
+)
--- a/internal/docker/proxy_properties.go
+++ b/internal/docker/proxy_properties.go
@@ -0,0 +1,23 @@
+package docker
+
+import "github.com/docker/docker/api/types"
+
+type PortMapping = map[string]types.Port
+type ProxyProperties struct {
+	DockerHost         string      `yaml:"-" json:"docker_host"`
+	ContainerName      string      `yaml:"-" json:"container_name"`
+	ImageName          string      `yaml:"-" json:"image_name"`
+	PublicPortMapping  PortMapping `yaml:"-" json:"public_port_mapping"`  // non-zero publicPort:types.Port
+	PrivatePortMapping PortMapping `yaml:"-" json:"private_port_mapping"` // privatePort:types.Port
+	NetworkMode        string      `yaml:"-" json:"network_mode"`
+
+	Aliases     []string `yaml:"-" json:"aliases"`
+	IsExcluded  bool     `yaml:"-" json:"is_excluded"`
+	IsExplicit  bool     `yaml:"-" json:"is_explicit"`
+	IdleTimeout string   `yaml:"-" json:"idle_timeout"`
+	WakeTimeout string   `yaml:"-" json:"wake_timeout"`
+	StopMethod  string   `yaml:"-" json:"stop_method"`
+	StopTimeout string   `yaml:"-" json:"stop_timeout"` // stop_method = "stop" only
+	StopSignal  string   `yaml:"-" json:"stop_signal"`  // stop_method = "stop" | "kill" only
+	Running     bool     `yaml:"-" json:"running"`
+}
--- a/internal/error/builder.go
+++ b/internal/error/builder.go
@@ -0,0 +1,70 @@
+package error
+
+import (
+	"fmt"
+	"sync"
+)
+
+type Builder struct {
+	*builder
+}
+
+type builder struct {
+	message string
+	errors  []NestedError
+	sync.Mutex
+}
+
+func NewBuilder(format string, args ...any) Builder {
+	return Builder{&builder{message: fmt.Sprintf(format, args...)}}
+}
+
+// adding nil / nil is no-op,
+// you may safely pass expressions returning error to it
+func (b Builder) Add(err NestedError) Builder {
+	if err != nil {
+		b.Lock()
+		// TODO: if err severity is higher than b.severity, update b.severity
+		b.errors = append(b.errors, err)
+		b.Unlock()
+	}
+	return b
+}
+
+func (b Builder) AddE(err error) Builder {
+	return b.Add(From(err))
+}
+
+func (b Builder) Addf(format string, args ...any) Builder {
+	return b.Add(errorf(format, args...))
+}
+
+// Build builds a NestedError based on the errors collected in the Builder.
+//
+// If there are no errors in the Builder, it returns a Nil() NestedError.
+// Otherwise, it returns a NestedError with the message and the errors collected.
+//
+// Returns:
+//   - NestedError: the built NestedError.
+func (b Builder) Build() NestedError {
+	if len(b.errors) == 0 {
+		return nil
+	} else if len(b.errors) == 1 {
+		return b.errors[0]
+	}
+	return Join(b.message, b.errors...)
+}
+
+func (b Builder) To(ptr *NestedError) {
+	if ptr == nil {
+		return
+	} else if *ptr == nil {
+		*ptr = b.Build()
+	} else {
+		(*ptr).With(b.Build())
+	}
+}
+
+func (b Builder) HasError() bool {
+	return len(b.errors) > 0
+}
--- a/internal/error/builder_test.go
+++ b/internal/error/builder_test.go
@@ -0,0 +1,53 @@
+package error
+
+import (
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestBuilderEmpty(t *testing.T) {
+	eb := NewBuilder("qwer")
+	ExpectTrue(t, eb.Build() == nil)
+	ExpectTrue(t, eb.Build().NoError())
+	ExpectFalse(t, eb.HasError())
+}
+
+func TestBuilderAddNil(t *testing.T) {
+	eb := NewBuilder("asdf")
+	var err NestedError
+	for range 3 {
+		eb.Add(nil)
+	}
+	for range 3 {
+		eb.Add(err)
+	}
+	ExpectTrue(t, eb.Build() == nil)
+	ExpectTrue(t, eb.Build().NoError())
+	ExpectFalse(t, eb.HasError())
+}
+
+func TestBuilderNested(t *testing.T) {
+	eb := NewBuilder("error occurred")
+	eb.Add(Failure("Action 1").With(Invalid("Inner", "1")).With(Invalid("Inner", "2")))
+	eb.Add(Failure("Action 2").With(Invalid("Inner", "3")))
+
+	got := eb.Build().String()
+	expected1 :=
+		(`error occurred:
+  - Action 1 failed:
+    - invalid Inner: 1
+    - invalid Inner: 2
+  - Action 2 failed:
+    - invalid Inner: 3`)
+	expected2 :=
+		(`error occurred:
+  - Action 1 failed:
+    - invalid Inner: "1"
+    - invalid Inner: "2"
+  - Action 2 failed:
+    - invalid Inner: "3"`)
+	if got != expected1 && got != expected2 {
+		t.Errorf("expected \n%s, got \n%s", expected1, got)
+	}
+}
--- a/internal/error/error.go
+++ b/internal/error/error.go
@@ -0,0 +1,295 @@
+package error
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+)
+
+type (
+	NestedError = *nestedError
+	nestedError struct {
+		subject string
+		err     error
+		extras  []nestedError
+	}
+	jsonNestedError struct {
+		Subject string
+		Err     string
+		Extras  []jsonNestedError
+	}
+)
+
+func From(err error) NestedError {
+	if IsNil(err) {
+		return nil
+	}
+	return &nestedError{err: err}
+}
+
+func FromJSON(data []byte) (NestedError, bool) {
+	var j jsonNestedError
+	if err := json.Unmarshal(data, &j); err != nil {
+		return nil, false
+	}
+	if j.Err == "" {
+		return nil, false
+	}
+	extras := make([]nestedError, len(j.Extras))
+	for i, e := range j.Extras {
+		extra, ok := fromJSONObject(e)
+		if !ok {
+			return nil, false
+		}
+		extras[i] = *extra
+	}
+	return &nestedError{
+		subject: j.Subject,
+		err:     errors.New(j.Err),
+		extras:  extras,
+	}, true
+}
+
+// Check is a helper function that
+// convert (T, error) to (T, NestedError).
+func Check[T any](obj T, err error) (T, NestedError) {
+	return obj, From(err)
+}
+
+func Join(message string, err ...NestedError) NestedError {
+	extras := make([]nestedError, len(err))
+	nErr := 0
+	for i, e := range err {
+		if e == nil {
+			continue
+		}
+		extras[i] = *e
+		nErr += 1
+	}
+	if nErr == 0 {
+		return nil
+	}
+	return &nestedError{
+		err:    errors.New(message),
+		extras: extras,
+	}
+}
+
+func JoinE(message string, err ...error) NestedError {
+	b := NewBuilder(message)
+	for _, e := range err {
+		b.AddE(e)
+	}
+	return b.Build()
+}
+
+func IsNil(err error) bool {
+	return err == nil
+}
+
+func IsNotNil(err error) bool {
+	return err != nil
+}
+
+func (ne NestedError) String() string {
+	var buf strings.Builder
+	ne.writeToSB(&buf, 0, "")
+	return buf.String()
+}
+
+func (ne NestedError) Is(err error) bool {
+	if ne == nil {
+		return err == nil
+	}
+	// return errors.Is(ne.err, err)
+	if errors.Is(ne.err, err) {
+		return true
+	}
+	for _, e := range ne.extras {
+		if e.Is(err) {
+			return true
+		}
+	}
+	return false
+}
+
+func (ne NestedError) IsNot(err error) bool {
+	return !ne.Is(err)
+}
+
+func (ne NestedError) Error() error {
+	if ne == nil {
+		return nil
+	}
+	return ne.buildError(0, "")
+}
+
+func (ne NestedError) With(s any) NestedError {
+	if ne == nil {
+		return ne
+	}
+	var msg string
+	switch ss := s.(type) {
+	case nil:
+		return ne
+	case NestedError:
+		return ne.withError(ss)
+	case error:
+		return ne.withError(From(ss))
+	case string:
+		msg = ss
+	case fmt.Stringer:
+		return ne.appendMsg(ss.String())
+	default:
+		return ne.appendMsg(fmt.Sprint(s))
+	}
+	return ne.withError(From(errors.New(msg)))
+}
+
+func (ne NestedError) Extraf(format string, args ...any) NestedError {
+	return ne.With(errorf(format, args...))
+}
+
+func (ne NestedError) Subject(s any) NestedError {
+	if ne == nil {
+		return ne
+	}
+	var subject string
+	switch ss := s.(type) {
+	case string:
+		subject = ss
+	case fmt.Stringer:
+		subject = ss.String()
+	default:
+		subject = fmt.Sprint(s)
+	}
+	if ne.subject == "" {
+		ne.subject = subject
+	} else {
+		ne.subject = fmt.Sprintf("%s > %s", subject, ne.subject)
+	}
+	return ne
+}
+
+func (ne NestedError) Subjectf(format string, args ...any) NestedError {
+	if ne == nil {
+		return ne
+	}
+	if strings.Contains(format, "%q") {
+		panic("Subjectf format should not contain %q")
+	}
+	if strings.Contains(format, "%w") {
+		panic("Subjectf format should not contain %w")
+	}
+	ne.subject = fmt.Sprintf(format, args...)
+	return ne
+}
+
+func (ne NestedError) JSONObject() jsonNestedError {
+	extras := make([]jsonNestedError, len(ne.extras))
+	for i, e := range ne.extras {
+		extras[i] = e.JSONObject()
+	}
+	return jsonNestedError{
+		Subject: ne.subject,
+		Err:     ne.err.Error(),
+		Extras:  extras,
+	}
+}
+
+func (ne NestedError) JSON() []byte {
+	b, _ := json.MarshalIndent(ne.JSONObject(), "", "  ")
+	return b
+}
+
+func (ne NestedError) NoError() bool {
+	return ne == nil
+}
+
+func (ne NestedError) HasError() bool {
+	return ne != nil
+}
+
+func errorf(format string, args ...any) NestedError {
+	return From(fmt.Errorf(format, args...))
+}
+
+func fromJSONObject(obj jsonNestedError) (NestedError, bool) {
+	data, err := json.Marshal(obj)
+	if err != nil {
+		return nil, false
+	}
+	return FromJSON(data)
+}
+
+func (ne NestedError) withError(err NestedError) NestedError {
+	if ne != nil && err != nil {
+		ne.extras = append(ne.extras, *err)
+	}
+	return ne
+}
+
+func (ne NestedError) appendMsg(msg string) NestedError {
+	if ne == nil {
+		return nil
+	}
+	ne.err = fmt.Errorf("%w %s", ne.err, msg)
+	return ne
+}
+
+func (ne NestedError) writeToSB(sb *strings.Builder, level int, prefix string) {
+	for i := 0; i < level; i++ {
+		sb.WriteString("  ")
+	}
+	sb.WriteString(prefix)
+
+	if ne.NoError() {
+		sb.WriteString("nil")
+		return
+	}
+
+	sb.WriteString(ne.err.Error())
+	if ne.subject != "" {
+		sb.WriteString(fmt.Sprintf(" for %q", ne.subject))
+	}
+	if len(ne.extras) > 0 {
+		sb.WriteRune(':')
+		for _, extra := range ne.extras {
+			sb.WriteRune('\n')
+			extra.writeToSB(sb, level+1, "- ")
+		}
+	}
+}
+
+func (ne NestedError) buildError(level int, prefix string) error {
+	var res error
+	var sb strings.Builder
+
+	for i := 0; i < level; i++ {
+		sb.WriteString("  ")
+	}
+	sb.WriteString(prefix)
+
+	if ne.NoError() {
+		sb.WriteString("nil")
+		return errors.New(sb.String())
+	}
+
+	res = fmt.Errorf("%s%w", sb.String(), ne.err)
+	sb.Reset()
+
+	if ne.subject != "" {
+		sb.WriteString(fmt.Sprintf(" for %q", ne.subject))
+	}
+	if len(ne.extras) > 0 {
+		sb.WriteRune(':')
+		res = fmt.Errorf("%w%s", res, sb.String())
+		for _, extra := range ne.extras {
+			res = errors.Join(res, extra.buildError(level+1, "- "))
+		}
+	} else {
+		res = fmt.Errorf("%w%s", res, sb.String())
+	}
+	return res
+}
--- a/internal/error/error_test.go
+++ b/internal/error/error_test.go
@@ -0,0 +1,109 @@
+package error_test
+
+import (
+	"errors"
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestErrorIs(t *testing.T) {
+	ExpectTrue(t, Failure("foo").Is(ErrFailure))
+	ExpectTrue(t, Failure("foo").With("bar").Is(ErrFailure))
+	ExpectFalse(t, Failure("foo").With("bar").Is(ErrInvalid))
+	ExpectFalse(t, Failure("foo").With("bar").With("baz").Is(ErrInvalid))
+
+	ExpectTrue(t, Invalid("foo", "bar").Is(ErrInvalid))
+	ExpectFalse(t, Invalid("foo", "bar").Is(ErrFailure))
+
+	ExpectFalse(t, Invalid("foo", "bar").Is(nil))
+
+	ExpectTrue(t, errors.Is(Failure("foo").Error(), ErrFailure))
+	ExpectTrue(t, errors.Is(Failure("foo").With(Invalid("bar", "baz")).Error(), ErrInvalid))
+	ExpectTrue(t, errors.Is(Failure("foo").With(Invalid("bar", "baz")).Error(), ErrFailure))
+	ExpectFalse(t, errors.Is(Failure("foo").With(Invalid("bar", "baz")).Error(), ErrNotExists))
+}
+
+func TestErrorNestedIs(t *testing.T) {
+	var err NestedError
+	ExpectTrue(t, err.Is(nil))
+
+	err = Failure("some reason")
+	ExpectTrue(t, err.Is(ErrFailure))
+	ExpectFalse(t, err.Is(ErrDuplicated))
+
+	err.With(Duplicated("something", ""))
+	ExpectTrue(t, err.Is(ErrFailure))
+	ExpectTrue(t, err.Is(ErrDuplicated))
+	ExpectFalse(t, err.Is(ErrInvalid))
+}
+
+func TestIsNil(t *testing.T) {
+	var err NestedError
+	ExpectTrue(t, err.Is(nil))
+	ExpectFalse(t, err.HasError())
+	ExpectTrue(t, err == nil)
+	ExpectTrue(t, err.NoError())
+
+	eb := NewBuilder("")
+	returnNil := func() error {
+		return eb.Build().Error()
+	}
+	ExpectTrue(t, IsNil(returnNil()))
+	ExpectTrue(t, returnNil() == nil)
+
+	ExpectTrue(t, (err.
+		Subject("any").
+		With("something").
+		Extraf("foo %s", "bar")) == nil)
+}
+
+func TestErrorSimple(t *testing.T) {
+	ne := Failure("foo bar")
+	ExpectEqual(t, ne.String(), "foo bar failed")
+	ne = ne.Subject("baz")
+	ExpectEqual(t, ne.String(), "foo bar failed for \"baz\"")
+}
+
+func TestErrorWith(t *testing.T) {
+	ne := Failure("foo").With("bar").With("baz")
+	ExpectEqual(t, ne.String(), "foo failed:\n  - bar\n  - baz")
+}
+
+func TestErrorNested(t *testing.T) {
+	inner := Failure("inner").
+		With("1").
+		With("1")
+	inner2 := Failure("inner2").
+		Subject("action 2").
+		With("2").
+		With("2")
+	inner3 := Failure("inner3").
+		Subject("action 3").
+		With("3").
+		With("3")
+	ne := Failure("foo").
+		With("bar").
+		With("baz").
+		With(inner).
+		With(inner.With(inner2.With(inner3)))
+	want :=
+		`foo failed:
+  - bar
+  - baz
+  - inner failed:
+    - 1
+    - 1
+  - inner failed:
+    - 1
+    - 1
+    - inner2 failed for "action 2":
+      - 2
+      - 2
+      - inner3 failed for "action 3":
+        - 3
+        - 3`
+	ExpectEqual(t, ne.String(), want)
+	ExpectEqual(t, ne.Error().Error(), want)
+}
--- a/internal/error/errors.go
+++ b/internal/error/errors.go
@@ -0,0 +1,62 @@
+package error
+
+import (
+	stderrors "errors"
+)
+
+var (
+	ErrFailure     = stderrors.New("failed")
+	ErrInvalid     = stderrors.New("invalid")
+	ErrUnsupported = stderrors.New("unsupported")
+	ErrUnexpected  = stderrors.New("unexpected")
+	ErrNotExists   = stderrors.New("does not exist")
+	ErrMissing     = stderrors.New("missing")
+	ErrDuplicated  = stderrors.New("duplicated")
+	ErrOutOfRange  = stderrors.New("out of range")
+)
+
+const fmtSubjectWhat = "%w %v: %q"
+
+func Failure(what string) NestedError {
+	return errorf("%s %w", what, ErrFailure)
+}
+
+func FailedWhy(what string, why string) NestedError {
+	return Failure(what).With(why)
+}
+
+func FailWith(what string, err any) NestedError {
+	return Failure(what).With(err)
+}
+
+func Invalid(subject, what any) NestedError {
+	return errorf(fmtSubjectWhat, ErrInvalid, subject, what)
+}
+
+func Unsupported(subject, what any) NestedError {
+	return errorf(fmtSubjectWhat, ErrUnsupported, subject, what)
+}
+
+func Unexpected(subject, what any) NestedError {
+	return errorf(fmtSubjectWhat, ErrUnexpected, subject, what)
+}
+
+func UnexpectedError(err error) NestedError {
+	return errorf("%w error: %w", ErrUnexpected, err)
+}
+
+func NotExist(subject, what any) NestedError {
+	return errorf("%v %w: %v", subject, ErrNotExists, what)
+}
+
+func Missing(subject any) NestedError {
+	return errorf("%w %v", ErrMissing, subject)
+}
+
+func Duplicated(subject, what any) NestedError {
+	return errorf("%w %v: %v", ErrDuplicated, subject, what)
+}
+
+func OutOfRange(subject string, value any) NestedError {
+	return errorf("%v %w: %v", subject, ErrOutOfRange, value)
+}
--- a/internal/http/content_type.go
+++ b/internal/http/content_type.go
@@ -0,0 +1,32 @@
+package http
+
+import (
+	"mime"
+	"net/http"
+)
+
+type ContentType string
+
+func GetContentType(h http.Header) ContentType {
+	ct := h.Get("Content-Type")
+	if ct == "" {
+		return ""
+	}
+	ct, _, err := mime.ParseMediaType(ct)
+	if err != nil {
+		return ""
+	}
+	return ContentType(ct)
+}
+
+func (ct ContentType) IsHTML() bool {
+	return ct == "text/html" || ct == "application/xhtml+xml"
+}
+
+func (ct ContentType) IsJSON() bool {
+	return ct == "application/json"
+}
+
+func (ct ContentType) IsPlainText() bool {
+	return ct == "text/plain"
+}
--- a/internal/http/header_utils.go
+++ b/internal/http/header_utils.go
@@ -0,0 +1,42 @@
+package http
+
+import (
+	"net/http"
+	"slices"
+)
+
+func RemoveHop(h http.Header) {
+	reqUpType := UpgradeType(h)
+	RemoveHopByHopHeaders(h)
+
+	if reqUpType != "" {
+		h.Set("Connection", "Upgrade")
+		h.Set("Upgrade", reqUpType)
+	} else {
+		h.Del("Connection")
+	}
+}
+
+func CopyHeader(dst, src http.Header) {
+	for k, vv := range src {
+		for _, v := range vv {
+			dst.Add(k, v)
+		}
+	}
+}
+
+func FilterHeaders(h http.Header, allowed []string) {
+	if allowed == nil {
+		return
+	}
+
+	for i := range allowed {
+		allowed[i] = http.CanonicalHeaderKey(allowed[i])
+	}
+
+	for key := range h {
+		if !slices.Contains(allowed, key) {
+			h.Del(key)
+		}
+	}
+}
--- a/internal/http/modify_response_writer.go
+++ b/internal/http/modify_response_writer.go
@@ -0,0 +1,96 @@
+// Modified from Traefik Labs's MIT-licensed code (https://github.com/traefik/traefik/blob/master/pkg/middlewares/response_modifier.go)
+// Copyright (c) 2020-2024 Traefik Labs
+
+package http
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"net/http"
+)
+
+type ModifyResponseFunc func(*http.Response) error
+type ModifyResponseWriter struct {
+	w http.ResponseWriter
+	r *http.Request
+
+	headerSent bool
+	code       int
+
+	modifier    ModifyResponseFunc
+	modified    bool
+	modifierErr error
+}
+
+func NewModifyResponseWriter(w http.ResponseWriter, r *http.Request, f ModifyResponseFunc) *ModifyResponseWriter {
+	return &ModifyResponseWriter{
+		w:        w,
+		r:        r,
+		modifier: f,
+		code:     http.StatusOK,
+	}
+}
+
+func (w *ModifyResponseWriter) WriteHeader(code int) {
+	if w.headerSent {
+		return
+	}
+
+	if code >= http.StatusContinue && code < http.StatusOK {
+		w.w.WriteHeader(code)
+	}
+
+	defer func() {
+		w.headerSent = true
+		w.code = code
+	}()
+
+	if w.modifier == nil || w.modified {
+		w.w.WriteHeader(code)
+		return
+	}
+
+	resp := http.Response{
+		Header:  w.w.Header(),
+		Request: w.r,
+	}
+
+	if err := w.modifier(&resp); err != nil {
+		w.modifierErr = err
+		logger.Errorf("error modifying response: %s", err)
+		w.w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	w.modified = true
+	w.w.WriteHeader(code)
+}
+
+func (w *ModifyResponseWriter) Header() http.Header {
+	return w.w.Header()
+}
+
+func (w *ModifyResponseWriter) Write(b []byte) (int, error) {
+	w.WriteHeader(w.code)
+	if w.modifierErr != nil {
+		return 0, w.modifierErr
+	}
+	return w.w.Write(b)
+}
+
+// Hijack hijacks the connection.
+func (w *ModifyResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	if h, ok := w.w.(http.Hijacker); ok {
+		return h.Hijack()
+	}
+
+	return nil, nil, fmt.Errorf("not a hijacker: %T", w.w)
+}
+
+// Flush sends any buffered data to the client.
+func (w *ModifyResponseWriter) Flush() {
+	if flusher, ok := w.w.(http.Flusher); ok {
+		flusher.Flush()
+	}
+}
--- a/internal/http/reverse_proxy_mod.go
+++ b/internal/http/reverse_proxy_mod.go
@@ -1,22 +1,28 @@
-package main
+// Copyright 2011 The Go Authors.
+// Modified from the Go project under the a BSD-style License (https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/net/http/httputil/reverseproxy.go)
+// https://cs.opensource.google/go/go/+/master:LICENSE

-// A small mod on net/http/httputils
-// that doubled the performance
+package http
+
+// This is a small mod on net/http/httputil/reverseproxy.go
+// that boosts performance in some cases
+// and compatible to other modules of this project
+// Copyright (c) 2024 yusing

 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/textproto"
 	"net/url"
 	"strings"
-	"time"

+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/http/httpguts"
 )

@@ -33,23 +39,6 @@ type ProxyRequest struct {
 	Out *http.Request
 }

-// SetURL routes the outbound request to the scheme, host, and base path
-// provided in target. If the target's path is "/base" and the incoming
-// request was for "/dir", the target request will be for "/base/dir".
-//
-// SetURL rewrites the outbound Host header to match the target's host.
-// To preserve the inbound request's Host header (the default behavior
-// of [NewSingleHostReverseProxy]):
-//
-//	rewriteFunc := func(r *httputil.ProxyRequest) {
-//		r.SetURL(url)
-//		r.Out.Host = r.In.Host
-//	}
-func (r *ProxyRequest) SetURL(target *url.URL) {
-	rewriteRequestURL(r.Out, target)
-	r.Out.Host = ""
-}
-
 // SetXForwarded sets the X-Forwarded-For, X-Forwarded-Host, and
 // X-Forwarded-Proto headers of the outbound request.
 //
@@ -70,6 +59,21 @@ func (r *ProxyRequest) SetURL(target *url.URL) {
 //		r.SetXForwarded()
 //	}
 func (r *ProxyRequest) SetXForwarded() {
+	clientIP, _, err := net.SplitHostPort(r.In.RemoteAddr)
+	if err == nil {
+		r.Out.Header.Set("X-Forwarded-For", clientIP)
+	} else {
+		r.Out.Header.Del("X-Forwarded-For")
+	}
+	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
+	if r.In.TLS == nil {
+		r.Out.Header.Set("X-Forwarded-Proto", "http")
+	} else {
+		r.Out.Header.Set("X-Forwarded-Proto", "https")
+	}
+}
+
+func (r *ProxyRequest) AddXForwarded() {
 	clientIP, _, err := net.SplitHostPort(r.In.RemoteAddr)
 	if err == nil {
 		prior := r.Out.Header["X-Forwarded-For"]
@@ -122,45 +126,18 @@ type ReverseProxy struct {
 	// If nil, http.DefaultTransport is used.
 	Transport http.RoundTripper

-	// FlushInterval specifies the flush interval
-	// to flush to the client while copying the
-	// response body.
-	// If zero, no periodic flushing is done.
-	// A negative value means to flush immediately
-	// after each write to the client.
-	// The FlushInterval is ignored when ReverseProxy
-	// recognizes a response as a streaming response, or
-	// if its ContentLength is -1; for such responses, writes
-	// are flushed to the client immediately.
-	FlushInterval time.Duration
-
-	// ErrorLog specifies an optional logger for errors
-	// that occur when attempting to proxy the request.
-	// If nil, logging is done via the log package's standard logger.
-	ErrorLog *log.Logger
-
-	// BufferPool optionally specifies a buffer pool to
-	// get byte slices for use by io.CopyBuffer when
-	// copying HTTP response bodies.
-	BufferPool BufferPool
-
 	// ModifyResponse is an optional function that modifies the
 	// Response from the backend. It is called if the backend
 	// returns a response at all, with any HTTP status code.
 	// If the backend is unreachable, the optional ErrorHandler is
-	// called without any call to ModifyResponse.
+	// called before ModifyResponse.
 	//
 	// If ModifyResponse returns an error, ErrorHandler is called
 	// with its error value. If ErrorHandler is nil, its default
 	// implementation is used.
 	ModifyResponse func(*http.Response) error

-	// ErrorHandler is an optional function that handles errors
-	// reaching the backend or errors from ModifyResponse.
-	//
-	// If nil, the default is to log the provided error and return
-	// a 502 Status Bad Gateway response.
-	ErrorHandler func(http.ResponseWriter, *http.Request, error)
+	ServeHTTP http.HandlerFunc
 }

 // A BufferPool is an interface for getting and returning temporary
@@ -203,18 +180,18 @@ func joinURLPath(a, b *url.URL) (path, rawpath string) {
 	return a.Path + b.Path, apath + bpath
 }

-// NewSingleHostReverseProxy returns a new [ReverseProxy] that routes
+// NewReverseProxy returns a new [ReverseProxy] that routes
 // URLs to the scheme, host, and base path provided in target. If the
 // target's path is "/base" and the incoming request was for "/dir",
 // the target request will be for /base/dir.
 //
-// NewSingleHostReverseProxy does not rewrite the Host header.
+// NewReverseProxy does not rewrite the Host header.
 //
 // To customize the ReverseProxy behavior beyond what
-// NewSingleHostReverseProxy provides, use ReverseProxy directly
+// NewReverseProxy provides, use ReverseProxy directly
 // with a Rewrite function. The ProxyRequest SetURL method
 // may be used to route the outbound request. (Note that SetURL,
-// unlike NewSingleHostReverseProxy, rewrites the Host header
+// unlike NewReverseProxy, rewrites the Host header
 // of the outbound request by default.)
 //
 //	proxy := &ReverseProxy{
@@ -223,10 +200,16 @@ func joinURLPath(a, b *url.URL) (path, rawpath string) {
 //			r.Out.Host = r.In.Host // if desired
 //		},
 //	}
-func NewSingleHostReverseProxy(target *url.URL, transport *http.Transport) *ReverseProxy {
-	return &ReverseProxy{Rewrite: func(pr *ProxyRequest) {
-		rewriteRequestURL(pr.Out, target)
-	}, Transport: transport}
+//
+
+func NewReverseProxy(target *url.URL, transport http.RoundTripper) *ReverseProxy {
+	rp := &ReverseProxy{
+		Rewrite: func(pr *ProxyRequest) {
+			rewriteRequestURL(pr.Out, target)
+		}, Transport: transport,
+	}
+	rp.ServeHTTP = rp.serveHTTP
+	return rp
 }

 func rewriteRequestURL(req *http.Request, target *url.URL) {
@@ -241,6 +224,23 @@ func rewriteRequestURL(req *http.Request, target *url.URL) {
 	}
 }

+// Hop-by-hop headers. These are removed when sent to the backend.
+// As of RFC 7230, hop-by-hop headers are required to appear in the
+// Connection header field. These are the headers defined by the
+// obsoleted RFC 2616 (section 13.5.1) and are used for backward
+// compatibility.
+var hopHeaders = []string{
+	"Connection",
+	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+	"Keep-Alive",
+	"Proxy-Authenticate",
+	"Proxy-Authorization",
+	"Te",      // canonicalized version of "TE"
+	"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
+	"Transfer-Encoding",
+	"Upgrade",
+}
+
 func copyHeader(dst, src http.Header) {
 	for k, vv := range src {
 		for _, v := range vv {
@@ -249,28 +249,11 @@ func copyHeader(dst, src http.Header) {
 	}
 }

-// Hop-by-hop headers. These are removed when sent to the backend.
-// As of RFC 7230, hop-by-hop headers are required to appear in the
-// Connection header field. These are the headers defined by the
-// obsoleted RFC 2616 (section 13.5.1) and are used for backward
-// compatibility.
-// var hopHeaders = []string{
-// 	"Connection",
-// 	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
-// 	"Keep-Alive",
-// 	"Proxy-Authenticate",
-// 	"Proxy-Authorization",
-// 	"Te",      // canonicalized version of "TE"
-// 	"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
-// 	"Transfer-Encoding",
-// 	"Upgrade",
-// }
-
-// NOTE: getErrorHandler and DefaultErrorHandler removed
-
-func (p *ReverseProxy) errorHandler(rw http.ResponseWriter, _ *http.Request, err error) {
-	p.logf("http: proxy error: %v", err)
-	rw.WriteHeader(http.StatusBadGateway)
+func (p *ReverseProxy) errorHandler(rw http.ResponseWriter, r *http.Request, err error, writeHeader bool) {
+	logger.Errorf("http proxy to %s failed: %s", r.URL.String(), err)
+	if writeHeader {
+		rw.WriteHeader(http.StatusBadGateway)
+	}
 }

 // modifyResponse conditionally runs the optional ModifyResponse hook
@@ -281,18 +264,14 @@ func (p *ReverseProxy) modifyResponse(rw http.ResponseWriter, res *http.Response
 	}
 	if err := p.ModifyResponse(res); err != nil {
 		res.Body.Close()
-		p.errorHandler(rw, req, err)
+		p.errorHandler(rw, req, err, true)
 		return false
 	}
 	return true
 }

-func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+func (p *ReverseProxy) serveHTTP(rw http.ResponseWriter, req *http.Request) {
 	transport := p.Transport
-	// Note: removed
-	// if transport == nil {
-	// 	transport = http.DefaultTransport
-	// }

 	ctx := req.Context()
 	if ctx.Done() != nil {
@@ -337,27 +316,15 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		outreq.Header = make(http.Header) // Issue 33142: historical behavior was to always allocate
 	}

-	// NOTE: removed
-	// if (p.Director != nil) == (p.Rewrite != nil) {
-	// 	p.errorHandler(rw, req, errors.New("ReverseProxy must have exactly one of Director or Rewrite set"))
-	// 	return
-	// }
-
-	// if p.Director != nil {
-	// 	p.Director(outreq)
-	// 	if outreq.Form != nil {
-	// 		outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
-	// 	}
-	// }
 	outreq.Close = false

-	reqUpType := upgradeType(outreq.Header)
+	reqUpType := UpgradeType(outreq.Header)
 	if !IsPrint(reqUpType) {
-		p.errorHandler(rw, req, fmt.Errorf("client tried to switch to invalid protocol %q", reqUpType))
+		p.errorHandler(rw, req, fmt.Errorf("client tried to switch to invalid protocol %q", reqUpType), true)
 		return
 	}
-	// NOTE: removed
-	// removeHopByHopHeaders(outreq.Header)
+
+	RemoveHopByHopHeaders(outreq.Header)

 	// Issue 21096: tell backend applications that care about trailer support
 	// that we support trailers. (We do, but we don't go out of our way to
@@ -375,43 +342,17 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		outreq.Header.Set("Upgrade", reqUpType)
 	}

-	// NOTE: removed
-	// if p.Rewrite != nil {
-	// Strip client-provided forwarding headers.
-	// The Rewrite func may use SetXForwarded to set new values
-	// for these or copy the previous values from the inbound request.
-	// outreq.Header.Del("Forwarded")
+	outreq.Header.Del("Forwarded")
 	// outreq.Header.Del("X-Forwarded-For")
 	// outreq.Header.Del("X-Forwarded-Host")
 	// outreq.Header.Del("X-Forwarded-Proto")

-	// NOTE: removed
-	// Remove unparsable query parameters from the outbound request.
-	// outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
-
 	pr := &ProxyRequest{
 		In:  req,
 		Out: outreq,
 	}
-	pr.SetXForwarded() // NOTE: added
 	p.Rewrite(pr)
 	outreq = pr.Out
-	// NOTE: removed
-	// } else {
-	// 	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
-	// 		// If we aren't the first proxy retain prior
-	// 		// X-Forwarded-For information as a comma+space
-	// 		// separated list and fold multiple headers into one.
-	// 		prior, ok := outreq.Header["X-Forwarded-For"]
-	// 		omit := ok && prior == nil // Issue 38079: nil now means don't populate the header
-	// 		if len(prior) > 0 {
-	// 			clientIP = strings.Join(prior, ", ") + ", " + clientIP
-	// 		}
-	// 		if !omit {
-	// 			outreq.Header.Set("X-Forwarded-For", clientIP)
-	// 		}
-	// 	}
-	// }

 	if _, ok := outreq.Header["User-Agent"]; !ok {
 		// If the outbound request doesn't have a User-Agent header set,
@@ -439,8 +380,20 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	res, err := transport.RoundTrip(outreq)
 	if err != nil {
-		p.errorHandler(rw, outreq, err)
-		return
+		p.errorHandler(rw, outreq, err, false)
+		errMsg := err.Error()
+		res = &http.Response{
+			Status:        http.StatusText(http.StatusBadGateway),
+			StatusCode:    http.StatusBadGateway,
+			Proto:         outreq.Proto,
+			ProtoMajor:    outreq.ProtoMajor,
+			ProtoMinor:    outreq.ProtoMinor,
+			Header:        make(http.Header),
+			Body:          io.NopCloser(bytes.NewReader([]byte(errMsg))),
+			Request:       outreq,
+			ContentLength: int64(len(errMsg)),
+			TLS:           outreq.TLS,
+		}
 	}

 	// Deal with 101 Switching Protocols responses: (WebSocket, h2c, etc)
@@ -452,9 +405,6 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}

-	// NOTE: removed
-	// removeHopByHopHeaders(res.Header)
-
 	if !p.modifyResponse(rw, res, outreq) {
 		return
 	}
@@ -474,20 +424,11 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	rw.WriteHeader(res.StatusCode)

-	// NOTE: changing this line extremely improve throughput
-	// err = p.copyResponse(rw, res.Body, p.flushInterval(res))
 	_, err = io.Copy(rw, res.Body)
 	if err != nil {
-		defer res.Body.Close()
-		// note: removed
-		// Since we're streaming the response, if we run into an error all we can do
-		// is abort the request. Issue 23643: ReverseProxy should use ErrAbortHandler
-		// on read error while copying body.
-		// if !shouldPanicOnCopyError(req) {
-		// 	p.logf("suppressing panic for copyResponse error in test; copy error: %v", err)
-		// 	return
-		// }
-		panic(http.ErrAbortHandler)
+		p.errorHandler(rw, req, err, true)
+		res.Body.Close()
+		return
 	}
 	res.Body.Close() // close now, instead of defer, to populate res.Trailer

@@ -511,218 +452,52 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 }

-// var inOurTests bool // whether we're in our own tests
-
-// NOTE: removed
-// shouldPanicOnCopyError reports whether the reverse proxy should
-// panic with http.ErrAbortHandler. This is the right thing to do by
-// default, but Go 1.10 and earlier did not, so existing unit tests
-// weren't expecting panics. Only panic in our own tests, or when
-// running under the HTTP server.
-// func shouldPanicOnCopyError(req *http.Request) bool {
-// 	if inOurTests {
-// 		// Our tests know to handle this panic.
-// 		return true
-// 	}
-// 	if req.Context().Value(http.ServerContextKey) != nil {
-// 		// We seem to be running under an HTTP server, so
-// 		// it'll recover the panic.
-// 		return true
-// 	}
-// 	// Otherwise act like Go 1.10 and earlier to not break
-// 	// existing tests.
-// 	return false
-// }
-
-// removeHopByHopHeaders removes hop-by-hop headers.
-//
-// func removeHopByHopHeaders(h http.Header) {
-// 	// RFC 7230, section 6.1: Remove headers listed in the "Connection" header.
-// 	for _, f := range h["Connection"] {
-// 		for _, sf := range strings.Split(f, ",") {
-// 			if sf = textproto.TrimString(sf); sf != "" {
-// 				h.Del(sf)
-// 			}
-// 		}
-// 	}
-// 	// RFC 2616, section 13.5.1: Remove a set of known hop-by-hop headers.
-// 	// This behavior is superseded by the RFC 7230 Connection header, but
-// 	// preserve it for backwards compatibility.
-// 	for _, f := range hopHeaders {
-// 		h.Del(f)
-// 	}
-// }
-
-// NOTE: removed
-// flushInterval returns the p.FlushInterval value, conditionally
-// overriding its value for a specific request/response.
-// func (p *ReverseProxy) flushInterval(res *http.Response) time.Duration {
-// 	resCT := res.Header.Get("Content-Type")
-
-// 	// For Server-Sent Events responses, flush immediately.
-// 	// The MIME type is defined in https://www.w3.org/TR/eventsource/#text-event-stream
-// 	if baseCT, _, _ := mime.ParseMediaType(resCT); baseCT == "text/event-stream" {
-// 		return -1 // negative means immediately
-// 	}
-
-// 	// We might have the case of streaming for which Content-Length might be unset.
-// 	if res.ContentLength == -1 {
-// 		return -1
-// 	}
-
-// 	return p.FlushInterval
-// }
-
-// NOTE: removed
-// func (p *ReverseProxy) copyResponse(dst http.ResponseWriter, src io.Reader, flushInterval time.Duration) error {
-// 	var w io.Writer = dst
-
-// 	if flushInterval != 0 {
-// 		mlw := &maxLatencyWriter{
-// 			dst:     dst,
-// 			flush:   http.NewResponseController(dst).Flush,
-// 			latency: flushInterval,
-// 		}
-// 		defer mlw.stop()
-
-// 		// set up initial timer so headers get flushed even if body writes are delayed
-// 		mlw.flushPending = true
-// 		mlw.t = time.AfterFunc(flushInterval, mlw.delayedFlush)
-
-// 		w = mlw
-// 	}
-
-// 	var buf []byte
-// 	if p.BufferPool != nil {
-// 		buf = p.BufferPool.Get()
-// 		defer p.BufferPool.Put(buf)
-// 	}
-// 	_, err := p.copyBuffer(w, src, buf)
-// 	return err
-// }
-
-// copyBuffer returns any write errors or non-EOF read errors, and the amount
-// of bytes written.
-
-// NOTE: removed
-// func (p *ReverseProxy) copyBuffer(dst io.Writer, src io.Reader, buf []byte) (int64, error) {
-// 	if len(buf) == 0 {
-// 		buf = make([]byte, 32*1024)
-// 	}
-// 	var written int64
-// 	for {
-// 		nr, rerr := src.Read(buf)
-// 		if rerr != nil && rerr != io.EOF && rerr != context.Canceled {
-// 			p.logf("httputil: ReverseProxy read error during body copy: %v", rerr)
-// 		}
-// 		if nr > 0 {
-// 			nw, werr := dst.Write(buf[:nr])
-// 			if nw > 0 {
-// 				written += int64(nw)
-// 			}
-// 			if werr != nil {
-// 				return written, werr
-// 			}
-// 			if nr != nw {
-// 				return written, io.ErrShortWrite
-// 			}
-// 		}
-// 		if rerr != nil {
-// 			if rerr == io.EOF {
-// 				rerr = nil
-// 			}
-// 			return written, rerr
-// 		}
-// 	}
-// }
-
-func (p *ReverseProxy) logf(format string, args ...any) {
-	if p.ErrorLog != nil {
-		p.ErrorLog.Printf(format, args...)
-	} else {
-		hrlog.Printf(format, args...)
-	}
-}
-
-// NOTE: removed
-// type maxLatencyWriter struct {
-// 	dst     io.Writer
-// 	flush   func() error
-// 	latency time.Duration // non-zero; negative means to flush immediately
-
-// 	mu           sync.Mutex // protects t, flushPending, and dst.Flush
-// 	t            *time.Timer
-// 	flushPending bool
-// }
-
-// NOTE: removed
-// func (m *maxLatencyWriter) Write(p []byte) (n int, err error) {
-// 	m.mu.Lock()
-// 	defer m.mu.Unlock()
-// 	n, err = m.dst.Write(p)
-// 	if m.latency < 0 {
-// 		m.flush()
-// 		return
-// 	}
-// 	if m.flushPending {
-// 		return
-// 	}
-// 	if m.t == nil {
-// 		m.t = time.AfterFunc(m.latency, m.delayedFlush)
-// 	} else {
-// 		m.t.Reset(m.latency)
-// 	}
-// 	m.flushPending = true
-// 	return
-// }
-
-// func (m *maxLatencyWriter) delayedFlush() {
-// 	m.mu.Lock()
-// 	defer m.mu.Unlock()
-// 	if !m.flushPending { // if stop was called but AfterFunc already started this goroutine
-// 		return
-// 	}
-// 	m.flush()
-// 	m.flushPending = false
-// }
-
-// func (m *maxLatencyWriter) stop() {
-// 	m.mu.Lock()
-// 	defer m.mu.Unlock()
-// 	m.flushPending = false
-// 	if m.t != nil {
-// 		m.t.Stop()
-// 	}
-// }
-
-func upgradeType(h http.Header) string {
+func UpgradeType(h http.Header) string {
 	if !httpguts.HeaderValuesContainsToken(h["Connection"], "Upgrade") {
 		return ""
 	}
 	return h.Get("Upgrade")
 }

+// RemoveHopByHopHeaders removes hop-by-hop headers.
+func RemoveHopByHopHeaders(h http.Header) {
+	// RFC 7230, section 6.1: Remove headers listed in the "Connection" header.
+	for _, f := range h["Connection"] {
+		for _, sf := range strings.Split(f, ",") {
+			if sf = textproto.TrimString(sf); sf != "" {
+				h.Del(sf)
+			}
+		}
+	}
+	// RFC 2616, section 13.5.1: Remove a set of known hop-by-hop headers.
+	// This behavior is superseded by the RFC 7230 Connection header, but
+	// preserve it for backwards compatibility.
+	for _, f := range hopHeaders {
+		h.Del(f)
+	}
+}
+
 func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.Request, res *http.Response) {
-	reqUpType := upgradeType(req.Header)
-	resUpType := upgradeType(res.Header)
+	reqUpType := UpgradeType(req.Header)
+	resUpType := UpgradeType(res.Header)
 	if !IsPrint(resUpType) { // We know reqUpType is ASCII, it's checked by the caller.
-		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch to invalid protocol %q", resUpType))
+		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch to invalid protocol %q", resUpType), true)
 	}
 	if !strings.EqualFold(reqUpType, resUpType) {
-		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch protocol %q when %q was requested", resUpType, reqUpType))
+		p.errorHandler(rw, req, fmt.Errorf("backend tried to switch protocol %q when %q was requested", resUpType, reqUpType), true)
 		return
 	}

 	backConn, ok := res.Body.(io.ReadWriteCloser)
 	if !ok {
-		p.errorHandler(rw, req, fmt.Errorf("internal error: 101 switching protocols response with non-writable body"))
+		p.errorHandler(rw, req, fmt.Errorf("internal error: 101 switching protocols response with non-writable body"), true)
 		return
 	}

 	rc := http.NewResponseController(rw)
 	conn, brw, hijackErr := rc.Hijack()
 	if errors.Is(hijackErr, http.ErrNotSupported) {
-		p.errorHandler(rw, req, fmt.Errorf("can't switch protocols using non-Hijacker ResponseWriter type %T", rw))
+		p.errorHandler(rw, req, fmt.Errorf("can't switch protocols using non-Hijacker ResponseWriter type %T", rw), true)
 		return
 	}

@@ -739,7 +514,7 @@ func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.R
 	defer close(backConnCloseCh)

 	if hijackErr != nil {
-		p.errorHandler(rw, req, fmt.Errorf("hijack failed on protocol switch: %v", hijackErr))
+		p.errorHandler(rw, req, fmt.Errorf("hijack failed on protocol switch: %w", hijackErr), true)
 		return
 	}
 	defer conn.Close()
@@ -749,18 +524,15 @@ func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.R
 	res.Header = rw.Header()
 	res.Body = nil // so res.Write only writes the headers; we have res.Body in backConn above
 	if err := res.Write(brw); err != nil {
-		p.errorHandler(rw, req, fmt.Errorf("response write: %v", err))
+		p.errorHandler(rw, req, fmt.Errorf("response write: %s", err), true)
 		return
 	}
 	if err := brw.Flush(); err != nil {
-		p.errorHandler(rw, req, fmt.Errorf("response flush: %v", err))
+		p.errorHandler(rw, req, fmt.Errorf("response flush: %s", err), true)
 		return
 	}
 	errc := make(chan error, 1)
-	// NOTE: removed
-	// spc := switchProtocolCopier{user: conn, backend: backConn}
-	// go spc.copyToBackend(errc)
-	// go spc.copyFromBackend(errc)
+
 	go func() {
 		_, err := io.Copy(conn, backConn)
 		errc <- err
@@ -772,57 +544,6 @@ func (p *ReverseProxy) handleUpgradeResponse(rw http.ResponseWriter, req *http.R
 	<-errc
 }

-// NOTE: removed
-// switchProtocolCopier exists so goroutines proxying data back and
-// forth have nice names in stacks.
-// type switchProtocolCopier struct {
-// 	user, backend io.ReadWriter
-// }
-
-// func (c switchProtocolCopier) copyFromBackend(errc chan<- error) {
-// 	_, err := io.Copy(c.user, c.backend)
-// 	errc <- err
-// }
-
-// func (c switchProtocolCopier) copyToBackend(errc chan<- error) {
-// 	_, err := io.Copy(c.backend, c.user)
-// 	errc <- err
-// }
-
-// NOTE: removed
-// func cleanQueryParams(s string) string {
-// 	reencode := func(s string) string {
-// 		v, _ := url.ParseQuery(s)
-// 		return v.Encode()
-// 	}
-// 	for i := 0; i < len(s); {
-// 		switch s[i] {
-// 		case ';':
-// 			return reencode(s)
-// 		case '%':
-// 			if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
-// 				return reencode(s)
-// 			}
-// 			i += 3
-// 		default:
-// 			i++
-// 		}
-// 	}
-// 	return s
-// }
-
-// func ishex(c byte) bool {
-// 	switch {
-// 	case '0' <= c && c <= '9':
-// 		return true
-// 	case 'a' <= c && c <= 'f':
-// 		return true
-// 	case 'A' <= c && c <= 'F':
-// 		return true
-// 	}
-// 	return false
-// }
-
 func IsPrint(s string) bool {
 	for i := 0; i < len(s); i++ {
 		if s[i] < ' ' || s[i] > '~' {
@@ -831,3 +552,5 @@ func IsPrint(s string) bool {
 	}
 	return true
 }
+
+var logger = logrus.WithField("module", "http")
--- a/internal/http/status_code.go
+++ b/internal/http/status_code.go
@@ -0,0 +1,7 @@
+package http
+
+import "net/http"
+
+func IsSuccess(status int) bool {
+	return status >= http.StatusOK && status < http.StatusMultipleChoices
+}
--- a/internal/models/autocert_config.go
+++ b/internal/models/autocert_config.go
@@ -0,0 +1,13 @@
+package model
+
+type (
+	AutoCertConfig struct {
+		Email    string              `json:"email"`
+		Domains  []string            `yaml:",flow" json:"domains"`
+		CertPath string              `yaml:"cert_path" json:"cert_path"`
+		KeyPath  string              `yaml:"key_path" json:"key_path"`
+		Provider string              `json:"provider"`
+		Options  AutocertProviderOpt `yaml:",flow" json:"options"`
+	}
+	AutocertProviderOpt map[string]any
+)
--- a/internal/models/config.go
+++ b/internal/models/config.go
@@ -0,0 +1,18 @@
+package model
+
+type Config struct {
+	Providers       ProxyProviders `yaml:",flow" json:"providers"`
+	AutoCert        AutoCertConfig `yaml:",flow" json:"autocert"`
+	ExplicitOnly    bool           `yaml:"explicit_only" json:"explicit_only"`
+	MatchDomains    []string       `yaml:"match_domains" json:"match_domains"`
+	TimeoutShutdown int            `yaml:"timeout_shutdown" json:"timeout_shutdown"`
+	RedirectToHTTPS bool           `yaml:"redirect_to_https" json:"redirect_to_https"`
+}
+
+func DefaultConfig() *Config {
+	return &Config{
+		Providers:       ProxyProviders{},
+		TimeoutShutdown: 3,
+		RedirectToHTTPS: false,
+	}
+}
--- a/internal/models/proxy_providers.go
+++ b/internal/models/proxy_providers.go
@@ -0,0 +1,6 @@
+package model
+
+type ProxyProviders struct {
+	Files  []string          `yaml:"include" json:"include"` // docker, file
+	Docker map[string]string `yaml:"docker" json:"docker"`
+}
--- a/internal/models/raw_entry.go
+++ b/internal/models/raw_entry.go
@@ -0,0 +1,151 @@
+package model
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	. "github.com/yusing/go-proxy/internal/common"
+	D "github.com/yusing/go-proxy/internal/docker"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+type (
+	RawEntry struct {
+		// raw entry object before validation
+		// loaded from docker labels or yaml file
+		Alias        string           `yaml:"-" json:"-"`
+		Scheme       string           `yaml:"scheme" json:"scheme"`
+		Host         string           `yaml:"host" json:"host"`
+		Port         string           `yaml:"port" json:"port"`
+		NoTLSVerify  bool             `yaml:"no_tls_verify" json:"no_tls_verify"` // https proxy only
+		PathPatterns []string         `yaml:"path_patterns" json:"path_patterns"` // http(s) proxy only
+		Middlewares  D.NestedLabelMap `yaml:"middlewares" json:"middlewares"`
+
+		/* Docker only */
+		*D.ProxyProperties `yaml:"-" json:"proxy_properties"`
+	}
+
+	RawEntries = F.Map[string, *RawEntry]
+)
+
+var NewProxyEntries = F.NewMapOf[string, *RawEntry]
+
+func (e *RawEntry) FillMissingFields() bool {
+	isDocker := e.ProxyProperties != nil
+	if !isDocker {
+		e.ProxyProperties = &D.ProxyProperties{}
+	}
+
+	lp, pp, extra := e.splitPorts()
+
+	if port, ok := ServiceNamePortMapTCP[e.ImageName]; ok {
+		if pp == "" {
+			pp = strconv.Itoa(port)
+		}
+		if e.Scheme == "" {
+			e.Scheme = "tcp"
+		}
+	} else if port, ok := ImageNamePortMap[e.ImageName]; ok {
+		if pp == "" {
+			pp = strconv.Itoa(port)
+		}
+		if e.Scheme == "" {
+			e.Scheme = "http"
+		}
+	} else if pp == "" && e.Scheme == "https" {
+		pp = "443"
+	} else if pp == "" {
+		if p, ok := F.FirstValueOf(e.PrivatePortMapping); ok {
+			pp = fmt.Sprint(p.PrivatePort)
+		} else {
+			pp = "80"
+		}
+	}
+
+	// replace private port with public port (if any)
+	if isDocker && e.NetworkMode != "host" {
+		if p, ok := e.PrivatePortMapping[pp]; ok {
+			pp = fmt.Sprint(p.PublicPort)
+		}
+		if _, ok := e.PublicPortMapping[pp]; !ok { // port is not exposed, but specified
+			// try to fallback to first public port
+			if p, ok := F.FirstValueOf(e.PublicPortMapping); ok {
+				pp = fmt.Sprint(p.PublicPort)
+			}
+			// ignore only if it is NOT RUNNING
+			// because stopped containers
+			// will have empty port mapping got from docker
+			if e.Running {
+				return false
+			}
+		}
+	}
+
+	if e.Scheme == "" && isDocker {
+		if p, ok := e.PublicPortMapping[pp]; ok && p.Type == "udp" {
+			e.Scheme = "udp"
+		}
+	}
+
+	if e.Scheme == "" {
+		if lp != "" {
+			e.Scheme = "tcp"
+		} else if strings.HasSuffix(pp, "443") {
+			e.Scheme = "https"
+		} else if _, ok := WellKnownHTTPPorts[pp]; ok {
+			e.Scheme = "http"
+		} else {
+			// assume its http
+			e.Scheme = "http"
+		}
+	}
+
+	if e.Host == "" {
+		e.Host = "localhost"
+	}
+	if e.IdleTimeout == "" {
+		e.IdleTimeout = IdleTimeoutDefault
+	}
+	if e.WakeTimeout == "" {
+		e.WakeTimeout = WakeTimeoutDefault
+	}
+	if e.StopTimeout == "" {
+		e.StopTimeout = StopTimeoutDefault
+	}
+	if e.StopMethod == "" {
+		e.StopMethod = StopMethodDefault
+	}
+
+	e.Port = joinPorts(lp, pp, extra)
+
+	return true
+}
+
+func (e *RawEntry) splitPorts() (lp string, pp string, extra string) {
+	portSplit := strings.Split(e.Port, ":")
+	if len(portSplit) == 1 {
+		pp = portSplit[0]
+	} else {
+		lp = portSplit[0]
+		pp = portSplit[1]
+	}
+	if len(portSplit) > 2 {
+		extra = strings.Join(portSplit[2:], ":")
+	}
+	return
+}
+
+func joinPorts(lp string, pp string, extra string) string {
+	s := make([]string, 0, 3)
+	if lp != "" {
+		s = append(s, lp)
+	}
+	if pp != "" {
+		s = append(s, pp)
+	}
+	if extra != "" {
+		s = append(s, extra)
+	}
+	return strings.Join(s, ":")
+}
--- a/internal/proxy/entry.go
+++ b/internal/proxy/entry.go
@@ -0,0 +1,142 @@
+package proxy
+
+import (
+	"fmt"
+	"net/url"
+	"time"
+
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	T "github.com/yusing/go-proxy/internal/proxy/fields"
+)
+
+type (
+	ReverseProxyEntry struct { // real model after validation
+		Alias        T.Alias
+		Scheme       T.Scheme
+		URL          *url.URL
+		NoTLSVerify  bool
+		PathPatterns T.PathPatterns
+		Middlewares  D.NestedLabelMap
+
+		/* Docker only */
+		IdleTimeout      time.Duration
+		WakeTimeout      time.Duration
+		StopMethod       T.StopMethod
+		StopTimeout      int
+		StopSignal       T.Signal
+		DockerHost       string
+		ContainerName    string
+		ContainerRunning bool
+	}
+	StreamEntry struct {
+		Alias  T.Alias        `json:"alias"`
+		Scheme T.StreamScheme `json:"scheme"`
+		Host   T.Host         `json:"host"`
+		Port   T.StreamPort   `json:"port"`
+	}
+)
+
+func (rp *ReverseProxyEntry) UseIdleWatcher() bool {
+	return rp.IdleTimeout > 0 && rp.DockerHost != ""
+}
+
+func ValidateEntry(m *M.RawEntry) (any, E.NestedError) {
+	if !m.FillMissingFields() {
+		return nil, E.Missing("fields")
+	}
+
+	scheme, err := T.NewScheme(m.Scheme)
+	if err.HasError() {
+		return nil, err
+	}
+
+	var entry any
+	e := E.NewBuilder("error validating entry")
+	if scheme.IsStream() {
+		entry = validateStreamEntry(m, e)
+	} else {
+		entry = validateRPEntry(m, scheme, e)
+	}
+	if err := e.Build(); err.HasError() {
+		return nil, err
+	}
+	return entry, nil
+}
+
+func validateRPEntry(m *M.RawEntry, s T.Scheme, b E.Builder) *ReverseProxyEntry {
+	var stopTimeOut time.Duration
+
+	host, err := T.ValidateHost(m.Host)
+	b.Add(err)
+
+	port, err := T.ValidatePort(m.Port)
+	b.Add(err)
+
+	pathPatterns, err := T.ValidatePathPatterns(m.PathPatterns)
+	b.Add(err)
+
+	url, err := E.Check(url.Parse(fmt.Sprintf("%s://%s:%d", s, host, port)))
+	b.Add(err)
+
+	idleTimeout, err := T.ValidateDurationPostitive(m.IdleTimeout)
+	b.Add(err)
+
+	wakeTimeout, err := T.ValidateDurationPostitive(m.WakeTimeout)
+	b.Add(err)
+
+	stopMethod, err := T.ValidateStopMethod(m.StopMethod)
+	b.Add(err)
+
+	if stopMethod == T.StopMethodStop {
+		stopTimeOut, err = T.ValidateDurationPostitive(m.StopTimeout)
+		b.Add(err)
+	}
+
+	stopSignal, err := T.ValidateSignal(m.StopSignal)
+	b.Add(err)
+
+	if err.HasError() {
+		return nil
+	}
+
+	return &ReverseProxyEntry{
+		Alias:            T.NewAlias(m.Alias),
+		Scheme:           s,
+		URL:              url,
+		NoTLSVerify:      m.NoTLSVerify,
+		PathPatterns:     pathPatterns,
+		Middlewares:      m.Middlewares,
+		IdleTimeout:      idleTimeout,
+		WakeTimeout:      wakeTimeout,
+		StopMethod:       stopMethod,
+		StopTimeout:      int(stopTimeOut.Seconds()), // docker api takes integer seconds for timeout argument
+		StopSignal:       stopSignal,
+		DockerHost:       m.DockerHost,
+		ContainerName:    m.ContainerName,
+		ContainerRunning: m.Running,
+	}
+}
+
+func validateStreamEntry(m *M.RawEntry, b E.Builder) *StreamEntry {
+	host, err := T.ValidateHost(m.Host)
+	b.Add(err)
+
+	port, err := T.ValidateStreamPort(m.Port)
+	b.Add(err)
+
+	scheme, err := T.ValidateStreamScheme(m.Scheme)
+	b.Add(err)
+
+	if b.HasError() {
+		return nil
+	}
+
+	return &StreamEntry{
+		Alias:  T.NewAlias(m.Alias),
+		Scheme: *scheme,
+		Host:   host,
+		Port:   port,
+	}
+}
--- a/internal/proxy/fields/alias.go
+++ b/internal/proxy/fields/alias.go
@@ -0,0 +1,6 @@
+package fields
+
+type (
+	Alias    string
+	NewAlias = Alias
+)
--- a/internal/proxy/fields/headers.go
+++ b/internal/proxy/fields/headers.go
@@ -0,0 +1,19 @@
+package fields
+
+import (
+	"net/http"
+	"strings"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func ValidateHTTPHeaders(headers map[string]string) (http.Header, E.NestedError) {
+	h := make(http.Header)
+	for k, v := range headers {
+		vSplit := strings.Split(v, ",")
+		for _, header := range vSplit {
+			h.Add(k, strings.TrimSpace(header))
+		}
+	}
+	return h, nil
+}
--- a/internal/proxy/fields/host.go
+++ b/internal/proxy/fields/host.go
@@ -0,0 +1,12 @@
+package fields
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Host string
+type Subdomain = Alias
+
+func ValidateHost[String ~string](s String) (Host, E.NestedError) {
+	return Host(s), nil
+}
--- a/internal/proxy/fields/path_mode.go
+++ b/internal/proxy/fields/path_mode.go
@@ -0,0 +1,24 @@
+package fields
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type PathMode string
+
+func NewPathMode(pm string) (PathMode, E.NestedError) {
+	switch pm {
+	case "", "forward":
+		return PathMode(pm), nil
+	default:
+		return "", E.Invalid("path mode", pm)
+	}
+}
+
+func (p PathMode) IsRemove() bool {
+	return p == ""
+}
+
+func (p PathMode) IsForward() bool {
+	return p == "forward"
+}
--- a/internal/proxy/fields/path_pattern.go
+++ b/internal/proxy/fields/path_pattern.go
@@ -0,0 +1,37 @@
+package fields
+
+import (
+	"regexp"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type PathPattern string
+type PathPatterns = []PathPattern
+
+func NewPathPattern(s string) (PathPattern, E.NestedError) {
+	if len(s) == 0 {
+		return "", E.Invalid("path", "must not be empty")
+	}
+	if !pathPattern.MatchString(s) {
+		return "", E.Invalid("path pattern", s)
+	}
+	return PathPattern(s), nil
+}
+
+func ValidatePathPatterns(s []string) (PathPatterns, E.NestedError) {
+	if len(s) == 0 {
+		return []PathPattern{"/"}, nil
+	}
+	pp := make(PathPatterns, len(s))
+	for i, v := range s {
+		if pattern, err := NewPathPattern(v); err.HasError() {
+			return nil, err
+		} else {
+			pp[i] = pattern
+		}
+	}
+	return pp, nil
+}
+
+var pathPattern = regexp.MustCompile(`^(/[-\w./]*({\$\})?|((GET|POST|DELETE|PUT|HEAD|OPTION) /[-\w./]*({\$\})?))$`)
--- a/internal/proxy/fields/path_pattern_test.go
+++ b/internal/proxy/fields/path_pattern_test.go
@@ -0,0 +1,47 @@
+package fields
+
+import (
+	"testing"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	U "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var validPatterns = []string{
+	"/",
+	"/index.html",
+	"/somepage/",
+	"/drive/abc.mp4",
+	"/{$}",
+	"/some-page/{$}",
+	"GET /",
+	"GET /static/{$}",
+	"GET /drive/abc.mp4",
+	"GET /drive/abc.mp4/{$}",
+	"POST /auth",
+	"DELETE /user/",
+	"PUT /storage/id/",
+}
+
+var invalidPatterns = []string{
+	"/$",
+	"/{$}{$}",
+	"/{$}/{$}",
+	"/index.html$",
+	"get /",
+	"GET/",
+	"GET /$",
+	"GET /drive/{$}/abc.mp4/",
+	"OPTION /config/{$}/abc.conf/{$}",
+}
+
+func TestPathPatternRegex(t *testing.T) {
+	for _, pattern := range validPatterns {
+		_, err := NewPathPattern(pattern)
+		U.ExpectNoError(t, err.Error())
+	}
+	for _, pattern := range invalidPatterns {
+		_, err := NewPathPattern(pattern)
+		U.ExpectError2(t, pattern, E.ErrInvalid, err.Error())
+	}
+}
--- a/internal/proxy/fields/port.go
+++ b/internal/proxy/fields/port.go
@@ -0,0 +1,41 @@
+package fields
+
+import (
+	"strconv"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Port int
+
+func ValidatePort[String ~string](v String) (Port, E.NestedError) {
+	p, err := strconv.Atoi(string(v))
+	if err != nil {
+		return ErrPort, E.Invalid("port number", v).With(err)
+	}
+	return ValidatePortInt(p)
+}
+
+func ValidatePortInt[Int int | uint16](v Int) (Port, E.NestedError) {
+	p := Port(v)
+	if !p.inBound() {
+		return ErrPort, E.OutOfRange("port", p)
+	}
+	return p, nil
+}
+
+func (p Port) inBound() bool {
+	return p >= MinPort && p <= MaxPort
+}
+
+func (p Port) String() string {
+	return strconv.Itoa(int(p))
+}
+
+const (
+	MinPort  = 0
+	MaxPort  = 65535
+	ErrPort  = Port(-1)
+	NoPort   = Port(-1)
+	ZeroPort = Port(0)
+)
--- a/internal/proxy/fields/scheme.go
+++ b/internal/proxy/fields/scheme.go
@@ -0,0 +1,21 @@
+package fields
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Scheme string
+
+func NewScheme[String ~string](s String) (Scheme, E.NestedError) {
+	switch s {
+	case "http", "https", "tcp", "udp":
+		return Scheme(s), nil
+	}
+	return "", E.Invalid("scheme", s)
+}
+
+func (s Scheme) IsHTTP() bool   { return s == "http" }
+func (s Scheme) IsHTTPS() bool  { return s == "https" }
+func (s Scheme) IsTCP() bool    { return s == "tcp" }
+func (s Scheme) IsUDP() bool    { return s == "udp" }
+func (s Scheme) IsStream() bool { return s.IsTCP() || s.IsUDP() }
--- a/internal/proxy/fields/signal.go
+++ b/internal/proxy/fields/signal.go
@@ -0,0 +1,17 @@
+package fields
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type Signal string
+
+func ValidateSignal(s string) (Signal, E.NestedError) {
+	switch s {
+	case "", "SIGINT", "SIGTERM", "SIGHUP", "SIGQUIT",
+		"INT", "TERM", "HUP", "QUIT":
+		return Signal(s), nil
+	}
+
+	return "", E.Invalid("signal", s)
+}
--- a/internal/proxy/fields/stop_method.go
+++ b/internal/proxy/fields/stop_method.go
@@ -0,0 +1,23 @@
+package fields
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type StopMethod string
+
+const (
+	StopMethodPause StopMethod = "pause"
+	StopMethodStop  StopMethod = "stop"
+	StopMethodKill  StopMethod = "kill"
+)
+
+func ValidateStopMethod(s string) (StopMethod, E.NestedError) {
+	sm := StopMethod(s)
+	switch sm {
+	case StopMethodPause, StopMethodStop, StopMethodKill:
+		return sm, nil
+	default:
+		return "", E.Invalid("stop_method", sm)
+	}
+}
--- a/internal/proxy/fields/stream_port.go
+++ b/internal/proxy/fields/stream_port.go
@@ -0,0 +1,56 @@
+package fields
+
+import (
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type StreamPort struct {
+	ListeningPort Port `json:"listening"`
+	ProxyPort     Port `json:"proxy"`
+}
+
+func ValidateStreamPort(p string) (StreamPort, E.NestedError) {
+	split := strings.Split(p, ":")
+
+	switch len(split) {
+	case 1:
+		split = []string{"0", split[0]}
+	case 2:
+		break
+	default:
+		return ErrStreamPort, E.Invalid("stream port", p).With("too many colons")
+	}
+
+	listeningPort, err := ValidatePort(split[0])
+	if err != nil {
+		return ErrStreamPort, err.Subject("listening port")
+	}
+
+	proxyPort, err := ValidatePort(split[1])
+
+	if err.Is(E.ErrOutOfRange) {
+		return ErrStreamPort, err.Subject("proxy port")
+	} else if proxyPort == 0 {
+		return ErrStreamPort, E.Invalid("proxy port", p)
+	} else if err != nil {
+		proxyPort, err = parseNameToPort(split[1])
+		if err != nil {
+			return ErrStreamPort, E.Invalid("proxy port", proxyPort)
+		}
+	}
+
+	return StreamPort{listeningPort, proxyPort}, nil
+}
+
+func parseNameToPort(name string) (Port, E.NestedError) {
+	port, ok := common.ServiceNamePortMapTCP[name]
+	if !ok {
+		return ErrPort, E.Invalid("service", name)
+	}
+	return Port(port), nil
+}
+
+var ErrStreamPort = StreamPort{ErrPort, ErrPort}
--- a/internal/proxy/fields/stream_port_test.go
+++ b/internal/proxy/fields/stream_port_test.go
@@ -0,0 +1,48 @@
+package fields
+
+import (
+	"testing"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var validPorts = []string{
+	"1234:5678",
+	"0:2345",
+	"2345",
+	"1234:postgres",
+}
+
+var invalidPorts = []string{
+	"",
+	"123:",
+	"0:",
+	":1234",
+	"1234:1234:1234",
+	"qwerty",
+	"asdfgh:asdfgh",
+	"1234:asdfgh",
+}
+
+var outOfRangePorts = []string{
+	"-1:1234",
+	"1234:-1",
+	"65536",
+	"0:65536",
+}
+
+func TestStreamPort(t *testing.T) {
+	for _, port := range validPorts {
+		_, err := ValidateStreamPort(port)
+		ExpectNoError(t, err.Error())
+	}
+	for _, port := range invalidPorts {
+		_, err := ValidateStreamPort(port)
+		ExpectError2(t, port, E.ErrInvalid, err.Error())
+	}
+	for _, port := range outOfRangePorts {
+		_, err := ValidateStreamPort(port)
+		ExpectError2(t, port, E.ErrOutOfRange, err.Error())
+	}
+}
--- a/internal/proxy/fields/stream_scheme.go
+++ b/internal/proxy/fields/stream_scheme.go
@@ -0,0 +1,43 @@
+package fields
+
+import (
+	"fmt"
+	"strings"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type StreamScheme struct {
+	ListeningScheme Scheme `json:"listening"`
+	ProxyScheme     Scheme `json:"proxy"`
+}
+
+func ValidateStreamScheme(s string) (ss *StreamScheme, err E.NestedError) {
+	ss = &StreamScheme{}
+	parts := strings.Split(s, ":")
+	if len(parts) == 1 {
+		parts = []string{s, s}
+	} else if len(parts) != 2 {
+		return nil, E.Invalid("stream scheme", s)
+	}
+	ss.ListeningScheme, err = NewScheme(parts[0])
+	if err.HasError() {
+		return nil, err
+	}
+	ss.ProxyScheme, err = NewScheme(parts[1])
+	if err.HasError() {
+		return nil, err
+	}
+	return ss, nil
+}
+
+func (s StreamScheme) String() string {
+	return fmt.Sprintf("%s:%s", s.ListeningScheme, s.ProxyScheme)
+}
+
+// IsCoherent checks if the ListeningScheme and ProxyScheme of the StreamScheme are equal.
+//
+// It returns a boolean value indicating whether the ListeningScheme and ProxyScheme are equal.
+func (s StreamScheme) IsCoherent() bool {
+	return s.ListeningScheme == s.ProxyScheme
+}
--- a/internal/proxy/fields/timeout.go
+++ b/internal/proxy/fields/timeout.go
@@ -0,0 +1,18 @@
+package fields
+
+import (
+	"time"
+
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+func ValidateDurationPostitive(value string) (time.Duration, E.NestedError) {
+	d, err := time.ParseDuration(value)
+	if err != nil {
+		return 0, E.Invalid("duration", value)
+	}
+	if d < 0 {
+		return 0, E.Invalid("duration", "negative value")
+	}
+	return d, nil
+}
--- a/internal/proxy/provider/docker.go
+++ b/internal/proxy/provider/docker.go
@@ -0,0 +1,208 @@
+package provider
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	M "github.com/yusing/go-proxy/internal/models"
+	R "github.com/yusing/go-proxy/internal/route"
+	W "github.com/yusing/go-proxy/internal/watcher"
+)
+
+type DockerProvider struct {
+	dockerHost, hostname string
+	ExplicitOnly         bool
+}
+
+var AliasRefRegex = regexp.MustCompile(`#\d+`)
+var AliasRefRegexOld = regexp.MustCompile(`\$\d+`)
+
+func DockerProviderImpl(dockerHost string, explicitOnly bool) (ProviderImpl, E.NestedError) {
+	hostname, err := D.ParseDockerHostname(dockerHost)
+	if err.HasError() {
+		return nil, err
+	}
+	return &DockerProvider{dockerHost, hostname, explicitOnly}, nil
+}
+
+func (p *DockerProvider) String() string {
+	return fmt.Sprintf("docker:%s", p.dockerHost)
+}
+
+func (p *DockerProvider) NewWatcher() W.Watcher {
+	return W.NewDockerWatcher(p.dockerHost)
+}
+
+func (p *DockerProvider) LoadRoutesImpl() (routes R.Routes, err E.NestedError) {
+	routes = R.NewRoutes()
+	entries := M.NewProxyEntries()
+
+	info, err := D.GetClientInfo(p.dockerHost, true)
+	if err.HasError() {
+		return routes, E.FailWith("connect to docker", err)
+	}
+
+	errors := E.NewBuilder("errors when parse docker labels")
+
+	for _, c := range info.Containers {
+		container := D.FromDocker(&c, p.dockerHost)
+		if container.IsExcluded {
+			continue
+		}
+
+		newEntries, err := p.entriesFromContainerLabels(container)
+		if err.HasError() {
+			errors.Add(err)
+		}
+		// although err is not nil
+		// there may be some valid entries in `en`
+		dups := entries.MergeFrom(newEntries)
+		// add the duplicate proxy entries to the error
+		dups.RangeAll(func(k string, v *M.RawEntry) {
+			errors.Addf("duplicate alias %s", k)
+		})
+	}
+
+	entries.RangeAll(func(_ string, e *M.RawEntry) {
+		e.DockerHost = p.dockerHost
+	})
+
+	routes, err = R.FromEntries(entries)
+	errors.Add(err)
+
+	return routes, errors.Build()
+}
+
+func (p *DockerProvider) OnEvent(event W.Event, routes R.Routes) (res EventResult) {
+	b := E.NewBuilder("event %s error", event)
+	defer b.To(&res.err)
+
+	routes.RangeAll(func(k string, v R.Route) {
+		if v.Entry().ContainerName == event.ActorName {
+			b.Add(v.Stop())
+			routes.Delete(k)
+			res.nRemoved++
+		}
+	})
+
+	client, err := D.ConnectClient(p.dockerHost)
+	if err.HasError() {
+		b.Add(E.FailWith("connect to docker", err))
+		return
+	}
+	defer client.Close()
+	cont, err := client.Inspect(event.ActorID)
+	if err.HasError() {
+		b.Add(E.FailWith("inspect container", err))
+		return
+	}
+	entries, err := p.entriesFromContainerLabels(cont)
+	b.Add(err)
+
+	entries.RangeAll(func(alias string, entry *M.RawEntry) {
+		if routes.Has(alias) {
+			b.Add(E.Duplicated("alias", alias))
+		} else {
+			if route, err := R.NewRoute(entry); err.HasError() {
+				b.Add(err)
+			} else {
+				routes.Store(alias, route)
+				b.Add(route.Start())
+				res.nAdded++
+			}
+		}
+	})
+
+	return
+}
+
+// Returns a list of proxy entries for a container.
+// Always non-nil
+func (p *DockerProvider) entriesFromContainerLabels(container D.Container) (entries M.RawEntries, _ E.NestedError) {
+	entries = M.NewProxyEntries()
+
+	if container.IsExcluded ||
+		!container.IsExplicit && p.ExplicitOnly {
+		return
+	}
+
+	// init entries map for all aliases
+	for _, a := range container.Aliases {
+		entries.Store(a, &M.RawEntry{
+			Alias:           a,
+			Host:            p.hostname,
+			ProxyProperties: container.ProxyProperties,
+		})
+	}
+
+	errors := E.NewBuilder("failed to apply label")
+	for key, val := range container.Labels {
+		errors.Add(p.applyLabel(container, entries, key, val))
+	}
+
+	// remove all entries that failed to fill in missing fields
+	entries.RemoveAll(func(re *M.RawEntry) bool {
+		return !re.FillMissingFields()
+	})
+
+	return entries, errors.Build().Subject(container.ContainerName)
+}
+
+func (p *DockerProvider) applyLabel(container D.Container, entries M.RawEntries, key, val string) (res E.NestedError) {
+	b := E.NewBuilder("errors in label %s", key)
+	defer b.To(&res)
+
+	refErr := E.NewBuilder("errors parsing alias references")
+	replaceIndexRef := func(ref string) string {
+		index, err := strconv.Atoi(ref[1:])
+		if err != nil {
+			refErr.Add(E.Invalid("integer", ref))
+			return ref
+		}
+		if index < 1 || index > len(container.Aliases) {
+			refErr.Add(E.OutOfRange("index", ref))
+			return ref
+		}
+		return container.Aliases[index-1]
+	}
+
+	lbl, err := D.ParseLabel(key, val)
+	if err.HasError() {
+		b.Add(err.Subject(key))
+	}
+	if lbl.Namespace != D.NSProxy {
+		return
+	}
+	if lbl.Target == D.WildcardAlias {
+		// apply label for all aliases
+		entries.RangeAll(func(a string, e *M.RawEntry) {
+			if err = D.ApplyLabel(e, lbl); err.HasError() {
+				b.Add(err.Subjectf("alias %s", lbl.Target))
+			}
+		})
+	} else {
+		lbl.Target = AliasRefRegex.ReplaceAllStringFunc(lbl.Target, replaceIndexRef)
+		lbl.Target = AliasRefRegexOld.ReplaceAllStringFunc(lbl.Target, func(s string) string {
+			logrus.Warnf("%q should now be %q, old syntax will be removed in a future version", lbl, strings.ReplaceAll(lbl.String(), "$", "#"))
+			return replaceIndexRef(s)
+		})
+		if refErr.HasError() {
+			b.Add(refErr.Build())
+			return
+		}
+		config, ok := entries.Load(lbl.Target)
+		if !ok {
+			b.Add(E.NotExist("alias", lbl.Target))
+			return
+		}
+		if err = D.ApplyLabel(config, lbl); err.HasError() {
+			b.Add(err.Subjectf("alias %s", lbl.Target))
+		}
+	}
+	return
+}
--- a/internal/proxy/provider/docker_test.go
+++ b/internal/proxy/provider/docker_test.go
@@ -0,0 +1,307 @@
+package provider
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/yusing/go-proxy/internal/common"
+	D "github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+	P "github.com/yusing/go-proxy/internal/proxy"
+	T "github.com/yusing/go-proxy/internal/proxy/fields"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var dummyNames = []string{"/a"}
+
+func TestApplyLabelFieldValidity(t *testing.T) {
+	pathPatterns := `
+- /
+- POST /upload/{$}
+- GET /static
+`[1:]
+	pathPatternsExpect := []string{
+		"/",
+		"POST /upload/{$}",
+		"GET /static",
+	}
+	middlewaresExpect := D.NestedLabelMap{
+		"middleware1": {
+			"prop1": "value1",
+			"prop2": "value2",
+		},
+		"middleware2": {
+			"prop3": "value3",
+			"prop4": "value4",
+		},
+	}
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:                          "a,b",
+			D.LabelIdleTimeout:                      common.IdleTimeoutDefault,
+			D.LabelStopMethod:                       common.StopMethodDefault,
+			D.LabelStopSignal:                       "SIGTERM",
+			D.LabelStopTimeout:                      common.StopTimeoutDefault,
+			D.LabelWakeTimeout:                      common.WakeTimeoutDefault,
+			"proxy.*.no_tls_verify":                 "true",
+			"proxy.*.scheme":                        "https",
+			"proxy.*.host":                          "app",
+			"proxy.*.port":                          "4567",
+			"proxy.a.no_tls_verify":                 "true",
+			"proxy.a.path_patterns":                 pathPatterns,
+			"proxy.a.middlewares.middleware1.prop1": "value1",
+			"proxy.a.middlewares.middleware1.prop2": "value2",
+			"proxy.a.middlewares.middleware2.prop3": "value3",
+			"proxy.a.middlewares.middleware2.prop4": "value4",
+		},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 4567, PublicPort: 8888},
+		}}, ""))
+	ExpectNoError(t, err.Error())
+
+	a, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+	b, ok := entries.Load("b")
+	ExpectTrue(t, ok)
+
+	ExpectEqual(t, a.Scheme, "https")
+	ExpectEqual(t, b.Scheme, "https")
+
+	ExpectEqual(t, a.Host, "app")
+	ExpectEqual(t, b.Host, "app")
+
+	ExpectEqual(t, a.Port, "8888")
+	ExpectEqual(t, b.Port, "8888")
+
+	ExpectTrue(t, a.NoTLSVerify)
+	ExpectTrue(t, b.NoTLSVerify)
+
+	ExpectDeepEqual(t, a.PathPatterns, pathPatternsExpect)
+	ExpectEqual(t, len(b.PathPatterns), 0)
+
+	ExpectDeepEqual(t, a.Middlewares, middlewaresExpect)
+	ExpectEqual(t, len(b.Middlewares), 0)
+
+	ExpectEqual(t, a.IdleTimeout, common.IdleTimeoutDefault)
+	ExpectEqual(t, b.IdleTimeout, common.IdleTimeoutDefault)
+
+	ExpectEqual(t, a.StopTimeout, common.StopTimeoutDefault)
+	ExpectEqual(t, b.StopTimeout, common.StopTimeoutDefault)
+
+	ExpectEqual(t, a.StopMethod, common.StopMethodDefault)
+	ExpectEqual(t, b.StopMethod, common.StopMethodDefault)
+
+	ExpectEqual(t, a.WakeTimeout, common.WakeTimeoutDefault)
+	ExpectEqual(t, b.WakeTimeout, common.WakeTimeoutDefault)
+
+	ExpectEqual(t, a.StopSignal, "SIGTERM")
+	ExpectEqual(t, b.StopSignal, "SIGTERM")
+}
+
+func TestApplyLabel(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a,b,c",
+			"proxy.a.no_tls_verify": "true",
+			"proxy.a.port":          "3333",
+			"proxy.b.port":          "1234",
+			"proxy.c.scheme":        "https",
+		},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 3333, PublicPort: 1111},
+			{Type: "tcp", PrivatePort: 4444, PublicPort: 1234},
+		}}, "",
+	))
+	a, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+	b, ok := entries.Load("b")
+	ExpectTrue(t, ok)
+	c, ok := entries.Load("c")
+	ExpectTrue(t, ok)
+
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, a.Scheme, "http")
+	ExpectEqual(t, a.Port, "1111")
+	ExpectEqual(t, a.NoTLSVerify, true)
+	ExpectEqual(t, b.Scheme, "http")
+	ExpectEqual(t, b.Port, "1234")
+	ExpectEqual(t, c.Scheme, "https")
+	// map does not necessary follow the order above
+	ExpectEqualAny(t, c.Port, []string{"1111", "1234"})
+}
+
+func TestApplyLabelWithRef(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:    "a,b,c",
+			"proxy.#1.host":   "localhost",
+			"proxy.#1.port":   "4444",
+			"proxy.#2.port":   "9999",
+			"proxy.#3.port":   "1111",
+			"proxy.#3.scheme": "https",
+		},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 3333, PublicPort: 9999},
+			{Type: "tcp", PrivatePort: 4444, PublicPort: 5555},
+			{Type: "tcp", PrivatePort: 1111, PublicPort: 2222},
+		}}, ""))
+	a, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+	b, ok := entries.Load("b")
+	ExpectTrue(t, ok)
+	c, ok := entries.Load("c")
+	ExpectTrue(t, ok)
+
+	ExpectNoError(t, err.Error())
+	ExpectEqual(t, a.Scheme, "http")
+	ExpectEqual(t, a.Host, "localhost")
+	ExpectEqual(t, a.Port, "5555")
+	ExpectEqual(t, b.Port, "9999")
+	ExpectEqual(t, c.Scheme, "https")
+	ExpectEqual(t, c.Port, "2222")
+}
+
+func TestApplyLabelWithRefIndexError(t *testing.T) {
+	var p DockerProvider
+	var c = D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:    "a,b",
+			"proxy.#1.host":   "localhost",
+			"proxy.#4.scheme": "https",
+		}}, "")
+	_, err := p.entriesFromContainerLabels(c)
+	ExpectError(t, E.ErrOutOfRange, err.Error())
+	ExpectTrue(t, strings.Contains(err.String(), "index out of range"))
+
+	_, err = p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:  "a,b",
+			"proxy.#0.host": "localhost",
+		}}, ""))
+	ExpectError(t, E.ErrOutOfRange, err.Error())
+	ExpectTrue(t, strings.Contains(err.String(), "index out of range"))
+}
+
+func TestStreamDefaultValues(t *testing.T) {
+	var p DockerProvider
+	var c = D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a",
+			"proxy.*.no_tls_verify": "true",
+		},
+		Ports: []types.Port{
+			{Type: "udp", PrivatePort: 1234, PublicPort: 5678},
+		}}, "",
+	)
+	entries, err := p.entriesFromContainerLabels(c)
+	ExpectNoError(t, err.Error())
+
+	raw, ok := entries.Load("a")
+	ExpectTrue(t, ok)
+
+	entry, err := P.ValidateEntry(raw)
+	ExpectNoError(t, err.Error())
+
+	a := ExpectType[*P.StreamEntry](t, entry)
+	ExpectEqual(t, a.Scheme.ListeningScheme, T.Scheme("udp"))
+	ExpectEqual(t, a.Scheme.ProxyScheme, T.Scheme("udp"))
+	ExpectEqual(t, a.Port.ListeningPort, 0)
+	ExpectEqual(t, a.Port.ProxyPort, 5678)
+}
+
+func TestExplicitExclude(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a",
+			D.LabelExclude:          "true",
+			"proxy.a.no_tls_verify": "true",
+		}}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("a")
+	ExpectFalse(t, ok)
+}
+
+func TestImplicitExclude(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Names: dummyNames,
+		Labels: map[string]string{
+			D.LabelAliases:          "a",
+			"proxy.a.no_tls_verify": "true",
+		},
+		State: "running",
+	}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("a")
+	ExpectFalse(t, ok)
+}
+
+func TestImplicitExcludeNoExposedPort(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Image: "redis",
+		Names: []string{"redis"},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 6379, PublicPort: 0}, // not exposed
+		},
+		State: "running",
+	}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("redis")
+	ExpectFalse(t, ok)
+}
+
+func TestNotExcludeSpecifiedPort(t *testing.T) {
+	var p DockerProvider
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(&types.Container{
+		Image: "redis",
+		Names: []string{"redis"},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 6379, PublicPort: 0}, // not exposed
+		},
+		Labels: map[string]string{
+			"proxy.redis.port": "6379:6379", // but specified in label
+		},
+	}, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("redis")
+	ExpectTrue(t, ok)
+}
+
+func TestNotExcludeNonExposedPortHostNetwork(t *testing.T) {
+	var p DockerProvider
+	cont := &types.Container{
+		Image: "redis",
+		Names: []string{"redis"},
+		Ports: []types.Port{
+			{Type: "tcp", PrivatePort: 6379, PublicPort: 0}, // not exposed
+		},
+		Labels: map[string]string{
+			"proxy.redis.port": "6379:6379",
+		},
+	}
+	cont.HostConfig.NetworkMode = "host"
+
+	entries, err := p.entriesFromContainerLabels(D.FromDocker(cont, ""))
+	ExpectNoError(t, err.Error())
+
+	_, ok := entries.Load("redis")
+	ExpectTrue(t, ok)
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
yusing	415f169f48	added explicit only mode for docker provider, updated dependencies	2024-09-29 11:24:41 +08:00
yusing	e2b08d8667	ci speedup	2024-09-29 06:00:52 +08:00
yusing	91e7f4894a	fixed some containers being excluded on restart	2024-09-28 12:34:06 +08:00
yusing	a78dba5191	added response message on invalid api request host	2024-09-28 11:55:26 +08:00
yusing	c7208c90c6	updated example	2024-09-28 11:51:47 +08:00
yusing	da6a2756fa	custom error page enabled for default for non-exist routes and invalid host	2024-09-28 11:45:01 +08:00
yusing	9a6a66f5a8	fixing dockerfile	2024-09-28 09:58:08 +08:00
yusing	90487bfde6	restructured the project to comply community guideline, for others check release note	2024-09-28 09:51:34 +08:00
yusing	4120fd8d1c	fixed unchecked integer conversion, fixed 'invalid host' bug, corrected error message	2024-09-28 01:20:18 +08:00
yusing	6f3a5ebe6e	Update documentation for Docker labels and middlewares, now fields works for snake cases, camel cases, pascal cases	2024-09-27 23:44:45 +08:00
yusing	a935f200a3	removed config example from README, check config.example.yml for complete explaination	2024-09-27 09:59:36 +08:00
yusing	f474ae4f75	added support for a few middlewares, added `match_domain` option, changed index reference prefix from $ to #, etc.	2024-09-27 09:57:57 +08:00
yusing	345a4417a6	changing alias index prefix from '$' to '#', to avoid unquoted/unescaped dollar sign being treated as interpolation	2024-09-27 00:34:14 +08:00
yusing	8cca83723c	added discord invite badge	2024-09-27 00:23:46 +08:00
Yuzerion	aa2fcd47c2	Update docker.md	2024-09-26 22:52:56 +08:00
Yuzerion	0580a7d3cd	Update config.example.yml	2024-09-26 22:51:29 +08:00
Yuzerion	a43c242c66	fixing wrong format for config example	2024-09-26 22:50:56 +08:00
yusing	45d4b92fc6	Fixed missing error subject	2024-09-26 20:11:05 +08:00
yusing	72df9ff3e4	Initial abstract implementation of middlewares	2024-09-25 14:12:40 +08:00
yusing	48bf31fd0e	refactor file names, readme updates, removed frontend submodule as it is being built independently	2024-09-25 11:22:25 +08:00
yusing	4ee5383f7d	github ci fix attempt, speedup docker build on CI	2024-09-25 10:46:45 +08:00
yusing	33fb60a32d	Refactor Docker CI workflow for multi-platform builds	2024-09-25 10:09:50 +08:00
yusing	d10d0e49fa	Update default wake timeout to 30 seconds, fixed port selection, improved idlewatcher	2024-09-25 05:27:12 +08:00
yusing	dc3575c8fd	Refactoring	2024-09-25 03:43:47 +08:00
yusing	17115cfb0b	Refactor and fixed port and scheme assignment logic in FillMissingFields. Fixed issue that when a container is stopped or network=host, it will be excluded.	2024-09-25 03:40:57 +08:00
yusing	498082f7e5	no longer exclude a stopped container that have user specified port	2024-09-25 00:56:33 +08:00
yusing	99216ffe59	fixed subdomain matching for sub-sub-subdomain and so on, now return 404 when subdomain is missing	2024-09-24 18:30:25 +08:00
yusing	f426dbc9cf	removed save registration.json since it does not work properly	2024-09-24 18:18:37 +08:00
yusing	1c611cc9b9	example fix	2024-09-24 03:13:39 +08:00
yusing	dc43e26770	Format README for better clarity in setup instructions	2024-09-24 03:09:50 +08:00
yusing	79ae26f1b5	new simpler setup method, readme and doc update	2024-09-23 22:10:13 +08:00
yusing	109c2460fa	fixed container being excluded in host network_mode	2024-09-23 20:34:46 +08:00
yusing	71e8e4a462	smarter scheme and port detection	2024-09-23 20:16:38 +08:00
yusing	8e2cc56afb	Fixed nil dereferencing and added missing fields validation	2024-09-23 16:14:34 +08:00
yusing	6728bc39d2	fixed nil dereferencing	2024-09-23 07:19:47 +08:00
yusing	daca4b7735	shrink docker image size in half, adding back ForceColor for logrus	2024-09-23 05:34:50 +08:00
yusing	3b597eea29	support '0' listening port, readme update, showcase added	2024-09-23 04:09:56 +08:00
yusing	090b73d287	fixed tcp/udp I/O, deadlock, nil dereference; improved docker watcher, idlewatcher, loading page	2024-09-23 00:49:46 +08:00
yusing	96bce79e4b	changed env GOPROXY__PORT to GOPROXY__ADDR, changed api server default to listen on localhost only, readme update	2024-09-22 06:06:24 +08:00
yusing	d9fd399e43	fix stuck loading in some scenerios for ls-* command line options	2024-09-22 05:01:36 +08:00
yusing	46281aa3b0	renamed ProxyEntry to RawEntry to avoid confusion with src/proxy/entry.go	2024-09-22 04:13:42 +08:00
yusing	d39b68bfd8	fixed possible resource leak	2024-09-22 04:11:02 +08:00
yusing	a11ce46028	added some docker compose examples; fixed defaults to wrong host; updated watcher behavior to retry connection every 3 secs until success or until cancelled	2024-09-22 04:00:08 +08:00
yusing	6388d9d44d	fixed outputing error in ls-config, ls-routes, etc.	2024-09-21 18:47:38 +08:00
yusing	69361aea1b	fixed host set to localhost even on remote docker, fixed one error in provider causing all routes not to load	2024-09-21 18:23:20 +08:00
yusing	26e2154c64	fixed startup crash for file provider	2024-09-21 17:22:17 +08:00
Yuzerion	a29bf880bc	Update docker.md Too sleepy...	2024-09-21 16:08:11 +08:00
Yuzerion	1f6d03bdbb	Update compose.example.yml	2024-09-21 16:07:12 +08:00
Yuzerion	4a7d898b8e	Update docker.md	2024-09-21 16:06:32 +08:00
Yuzerion	521b694aec	Update docker.md	2024-09-21 15:56:39 +08:00
yusing	a351de7441	github CI fix attempt	2024-09-21 14:32:52 +08:00
yusing	ab2dc26b76	fixing udp stream listening on wrong port	2024-09-21 14:18:29 +08:00
yusing	9a81b13b67	fixing tcp/udp error on closing	2024-09-21 13:40:20 +08:00
yusing	626bd9666b	check release	2024-09-21 12:45:56 +08:00
yusing	d7eab2ebcd	fixing idlewatcher	2024-09-21 09:42:40 +08:00
yusing	e48b9bbb0a	新增繁中README (未完成)	2024-09-19 21:16:38 +08:00
yusing	339411530b	v0.5.0-rc5: merge	2024-09-19 20:42:12 +08:00
yusing	4a2d42bfa9	v0.5.0-rc5: check release	2024-09-19 20:40:03 +08:00
Yuzerion	81da9ad83a	small fix	2024-09-18 09:10:41 +08:00
yusing	be7a766cb2	v0.5.0-rc5: added proxy.exclude label, refactored some code	2024-09-17 17:56:41 +08:00
yusing	83d1d027c6	added TZ env to docker compose example	2024-09-17 12:36:13 +08:00
yusing	21fcceb391	v0.5.0-rc4: initial support for ovh, provider generator implementation update, replaced all interface{} to any	2024-09-17 12:06:58 +08:00
yusing	82f06374f7	v0.5.0-rc4: fixing autocert issue, cache ACME registration, added ls-config option	2024-09-17 08:41:36 +08:00
yusing	04fd6543fd	README update for sonarcloud badges, simplify some test code, fixed some sonarlint issues	2024-09-17 04:51:26 +08:00
yusing	409a18df38	update default branch for setup script	2024-09-17 03:54:55 +08:00
yusing	4e5a8d0985	v0.5-rc3: version bump	2024-09-17 03:19:21 +08:00
yusing	16b507bc7c	v0.5-rc3: update docker port detect mechanism, docker compose file and doc update	2024-09-17 03:11:04 +08:00
yusing	1120991019	v0.5-rc2: fixed port being overridden to 80 or 443	2024-09-17 00:30:26 +08:00
yusing	c0ebd9f8c0	v0.5-rc2: added reload cooldown, fixed auto reload, updated API	2024-09-17 00:10:25 +08:00
yusing	996b418ea9	v0.5-rc1: updated Dockerfile to conform latest format	2024-09-16 13:24:53 +08:00
yusing	4cddd4ff71	v0.5-rc1: schema fixes, provider file example update	2024-09-16 13:19:24 +08:00
yusing	7a0478164f	v0.5: (BREAKING) replacing path with path_patterns, improved docker monitoring mechanism, bug fixes	2024-09-16 13:05:04 +08:00
yusing	2e7ba51521	v0.5: (BREAKING) new syntax for set_headers and hide_headers, updated label parser, error.Nil().String() will now return 'nil', better readme	2024-09-16 07:21:45 +08:00
yusing	5be8659a99	v0.5: (BREAKING) simplified config format, improved output formatting, fixed docker watcher	2024-09-16 03:48:39 +08:00
default	719693deb7	v0.5: (BREAKING) simplified config format, improved error output, updated proxy entry default value for 'port'	2024-08-14 02:41:11 +08:00
default	23e7d06081	v0.5: removed system service env, log output format fix	2024-08-13 06:00:22 +08:00
default	85fb637551	v0.5: fixed nil dereference for empty autocert config, fixed and simplified 'error' module, small readme and docs update	2024-08-13 04:59:34 +08:00
default	2fc82c3790	v0.5: remove binary build	2024-08-09 07:09:42 +08:00
default	a5a31a0d63	v0.5: readme and dockerfile update, removed old panel sources, added new frontend as submodule	2024-08-09 07:03:24 +08:00
default	73e481bc96	v0.5: dependencies update, EOF fix for PUT/POST /v1/file	2024-08-09 02:10:48 +08:00
default	93359110a2	preparing for v0.5	2024-08-01 10:06:42 +08:00
yusing	24778d1093	doc fix	2024-04-09 06:53:54 +00:00
yusing	830d0bdadd	revert github workflow	2024-04-08 05:34:41 +00:00
yusing w	e12b356d0d	Merge branch 'dev' into 'main' Dev See merge request yusing/go-proxy!3	2024-04-08 05:07:27 +00:00
yusing w	52549b6446	Dev	2024-04-08 05:07:27 +00:00
yusing	8694987ef9	version bump	2024-04-01 04:09:22 +00:00
yusing	b125b14bf6	added license	2024-04-01 04:08:48 +00:00
yusing	c782f365f9	readme update	2024-04-01 03:29:34 +00:00
yusing	72418a2056	added host network mode support, docs update, UDP fix	2024-04-01 03:23:30 +00:00