docs and makefile changes

api: also validate for middleware compose files
fix stream task stuck on reload and udp mutex not unlocked properly
2026-01-14 06:13:33 +01:00 · 2025-01-05 03:58:56 +08:00 · 2025-01-05 03:29:03 +08:00 · 2025-01-05 03:26:31 +08:00 · 2025-01-05 03:16:59 +08:00 · 2025-01-05 00:02:31 +08:00
338 changed files with 20315 additions and 7366 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,25 @@
+# set timezone to get correct log timestamp
+TZ=ETC/UTC
+
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+
+# the JWT token time-to-live
+GODOXY_API_JWT_TOKEN_TTL=1h
+
+# API/WebUI login credentials
+GODOXY_API_USER=admin
+GODOXY_API_PASSWORD=password
+
+# Proxy listening address
+GODOXY_HTTP_ADDR=:80
+GODOXY_HTTPS_ADDR=:443
+
+# API listening address
+GODOXY_API_ADDR=127.0.0.1:8888
+
+# Prometheus Metrics listening address (uncomment to enable)
+#GODOXY_PROMETHEUS_ADDR=:8889
+
+# Debug mode
+GODOXY_DEBUG=false
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,21 +1,128 @@
 name: Docker Image CI

 on:
-  push:
-    tags:
-      - "*"
-jobs:
-  build_and_push:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up Docker Build and Push
-        id: docker_build_push
-        uses: GlueOps/github-actions-build-push-containers@v0.3.7
-        with:
-          tags: ${{ github.ref_name }}
+    push:
+        tags: ["*"]

-      - name: Tag as latest
-        if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')
-        run: |
-          docker tag ghcr.io/${{ github.repository }}:${{ github.ref_name }} ghcr.io/${{ github.repository }}:latest
-          docker push ghcr.io/${{ github.repository }}:latest
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+    build:
+        name: Build multi-platform Docker image
+        runs-on: ubuntu-22.04
+
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+            attestations: write
+
+        strategy:
+            fail-fast: false
+            matrix:
+                platform:
+                    - linux/amd64
+                    # - linux/arm/v6
+                    # - linux/arm/v7
+                    - linux/arm64
+        steps:
+            - name: Prepare
+              run: |
+                  platform=${{ matrix.platform }}
+                  echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Login to registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Build and push by digest
+              id: build
+              uses: docker/build-push-action@v6
+              with:
+                  platforms: ${{ matrix.platform }}
+                  labels: ${{ steps.meta.outputs.labels }}
+                  outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
+                  build-args: |
+                      VERSION=${{ github.ref_name }}
+
+            - name: Generate artifact attestation
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+                  subject-digest: ${{ steps.build.outputs.digest }}
+                  push-to-registry: true
+
+            - name: Export digest
+              run: |
+                  mkdir -p /tmp/digests
+                  digest="${{ steps.build.outputs.digest }}"
+                  touch "/tmp/digests/${digest#sha256:}"
+
+            - name: Upload digest
+              uses: actions/upload-artifact@v4
+              with:
+                  name: digests-${{ env.PLATFORM_PAIR }}
+                  path: /tmp/digests/*
+                  if-no-files-found: error
+                  retention-days: 1
+    merge:
+        runs-on: ubuntu-22.04
+        needs:
+            - build
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+        steps:
+            - name: Download digests
+              uses: actions/download-artifact@v4
+              with:
+                  path: /tmp/digests
+                  pattern: digests-*
+                  merge-multiple: true
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+            - name: Login to registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Create manifest list and push
+              id: push
+              working-directory: /tmp/digests
+              run: |
+                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+            - name: Inspect image
+              run: |
+                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,13 @@
 compose.yml
+*.compose.yml

+config
+certs
 config*/
 certs*/
 bin/
-
-templates/codemirror/
+error_pages/
+!examples/error_pages/

 logs/
 log/
@@ -13,8 +16,13 @@ log/

 go.work.sum

-!src/**/
+!cmd/**/
+!internal/**/

 todo.md

-.*.swp
+.*.swp
+.aider*
+mtrace.json
+.env
+test.Dockerfile
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,5 +11,5 @@ build-image:
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
  script:
    - echo building $CI_REGISTRY_IMAGE
-    - docker build --pull -t $CI_REGISTRY_IMAGE .
-    - docker push $CI_REGISTRY_IMAGE
+    - docker build --no-cache --build-arg VERSION=$CI_COMMIT_REF_NAME -t $CI_REGISTRY_IMAGE .
+    - docker push $CI_REGISTRY_IMAGE
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "frontend"]
-	path = frontend
-	url = https://github.com/yusing/go-proxy-frontend
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,137 @@
+run:
+  timeout: 10m
+
+linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      - shadow
+      - fieldalignment
+  gocyclo:
+    min-complexity: 14
+  goconst:
+    min-len: 3
+    min-occurrences: 4
+  misspell:
+    locale: US
+  funlen:
+    lines: -1
+    statements: 120
+  forbidigo:
+    forbid:
+      - ^print(ln)?$
+  godox:
+    keywords:
+      - FIXME
+  tagalign:
+    align: false
+    sort: true
+    order:
+      - description
+      - json
+      - toml
+      - yaml
+      - yml
+      - label
+      - label-slice-as-struct
+      - file
+      - kv
+      - export
+  stylecheck:
+    dot-import-whitelist:
+      - github.com/yusing/go-proxy/internal/utils/testing # go tests only
+      - github.com/yusing/go-proxy/internal/api/v1/utils # api only
+  revive:
+    rules:
+      - name: struct-tag
+      - name: blank-imports
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: error-return
+      - name: error-strings
+      - name: error-naming
+      - name: exported
+        disabled: true
+      - name: if-return
+      - name: increment-decrement
+      - name: var-naming
+      - name: var-declaration
+      - name: package-comments
+        disabled: true
+      - name: range
+      - name: receiver-naming
+      - name: time-naming
+      - name: unexported-return
+      - name: indent-error-flow
+      - name: errorf
+      - name: empty-block
+      - name: superfluous-else
+      - name: unused-parameter
+        disabled: true
+      - name: unreachable-code
+      - name: redefines-builtin-id
+  gomoddirectives:
+    replace-allow-list:
+      - github.com/abbot/go-http-auth
+      - github.com/gorilla/mux
+      - github.com/mailgun/minheap
+      - github.com/mailgun/multibuf
+      - github.com/jaguilar/vt100
+      - github.com/cucumber/godog
+      - github.com/http-wasm/http-wasm-host-go
+  testifylint:
+    disable:
+      - suite-dont-use-pkg
+      - require-error
+      - go-require
+  staticcheck:
+    checks:
+      - all
+      - -SA1019
+  errcheck:
+    exclude-functions:
+      - fmt.Fprintln
+linters:
+  enable-all: true
+  disable:
+    - execinquery # deprecated
+    - gomnd # deprecated
+    - sqlclosecheck # not relevant (SQL)
+    - rowserrcheck # not relevant (SQL)
+    - cyclop # duplicate of gocyclo
+    - depguard # Not relevant
+    - nakedret # Too strict
+    - lll # Not relevant
+    - gocyclo # FIXME must be fixed
+    - gocognit # Too strict
+    - nestif # Too many false-positive.
+    - prealloc # Too many false-positive.
+    - makezero # Not relevant
+    - dupl # Too strict
+    - gci # I don't care
+    - gosec # Too strict
+    - gochecknoinits
+    - gochecknoglobals
+    - wsl # Too strict
+    - nlreturn # Not relevant
+    - mnd # Too strict
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - paralleltest # Not relevant
+    - exhaustive # Not relevant
+    - exhaustruct # Not relevant
+    - err113 # Too strict
+    - wrapcheck # Too strict
+    - noctx # Too strict
+    - bodyclose # too many false-positive
+    - forcetypeassert # Too strict
+    - tagliatelle # Too strict
+    - varnamelen # Not relevant
+    - nilnil # Not relevant
+    - ireturn # Not relevant
+    - contextcheck # too many false-positive
+    - containedctx # too many false-positive
+    - maintidx # kind of duplicate of gocyclo
+    - nonamedreturns # Too strict
+    - gosmopolitan # not relevant
+    - exportloopref # Not relevant since go1.22
--- a/.trunk/.gitignore
+++ b/.trunk/.gitignore
@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -0,0 +1,42 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.22.8
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.6.6
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - node@18.20.5
+    - python@3.10.8
+    - go@1.23.2
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  disabled:
+    - markdownlint
+    - yamllint
+  enabled:
+    - hadolint@2.12.1-beta
+    - actionlint@1.7.5
+    - checkov@3.2.346
+    - git-diff-check
+    - gofmt@1.20.4
+    - golangci-lint@1.62.2
+    - osv-scanner@1.9.2
+    - oxipng@9.1.3
+    - prettier@3.4.2
+    - shellcheck@0.10.0
+    - shfmt@3.6.0
+    - trufflehog@3.88.0
+actions:
+  disabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+  enabled:
+    - trunk-upgrade-available
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -5,9 +5,7 @@
      "config.yml"
    ],
    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
-      "providers.example.yml",
-      "*.providers.yml",
-      "providers.yml"
+      "providers.example.yml"
    ]
  }
-}
+}
--- a/51
+++ b/51
@@ -1,33 +1,62 @@
-FROM golang:1.23.1-alpine AS builder
-RUN apk add --no-cache tzdata
-COPY src /src
-ENV GOCACHE=/root/.cache/go-build
+# Stage 1: Builder
+FROM golang:1.23.4-alpine AS builder
+HEALTHCHECK NONE
+
+# package version does not matter
+# trunk-ignore(hadolint/DL3018)
+RUN apk add --no-cache tzdata make
+
 WORKDIR /src
+
+# Only copy go.mod and go.sum initially for better caching
+COPY go.mod go.sum /src/
+
+# Utilize build cache
+RUN --mount=type=cache,target="/go/pkg/mod" \
+    go mod download -x
+
+ENV GOCACHE=/root/.cache/go-build
+
+ARG VERSION
+ENV VERSION=${VERSION}
+
+COPY scripts /src/scripts
+COPY Makefile /src/
+COPY cmd /src/cmd
+COPY internal /src/internal
+COPY pkg /src/pkg
+
 RUN --mount=type=cache,target="/go/pkg/mod" \
    --mount=type=cache,target="/root/.cache/go-build" \
-    go mod download && \
-    CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o go-proxy github.com/yusing/go-proxy
+    make build && \
+    mkdir -p /app/error_pages /app/certs && \
+    mv bin/godoxy /app/godoxy

+# Stage 2: Final image
 FROM scratch

 LABEL maintainer="yusing@6uo.me"
+LABEL proxy.exclude=1

 # copy timezone data
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

 # copy binary
-COPY --from=builder /src/go-proxy /app/
-COPY schema/ /app/schema
+COPY --from=builder /app /app

-# copy cert required for setup
+# copy example config
+COPY config.example.yml /app/config/config.yml
+
+# copy certs
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs

 ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GOPROXY_DEBUG=0
+ENV GODOXY_DEBUG=0

 EXPOSE 80
 EXPOSE 8888
 EXPOSE 443

 WORKDIR /app
-CMD ["/app/go-proxy"]
+
+CMD ["/app/godoxy"]
--- a/66
+++ b/66
@@ -1,18 +1,20 @@
-.PHONY: all build up quick-restart restart logs get udp-server
+VERSION ?= $(shell git describe --tags --abbrev=0)
+BUILD_FLAGS ?= -s -w
+BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
+export VERSION
+export BUILD_FLAGS
+export CGO_ENABLED = 0
+export GOOS = linux
+
+.PHONY: all setup build test up restart logs get debug run archive repush rapid-crash debug-list-containers

 all: debug

-setup:
-	mkdir -p config certs
-	[ -f config/config.yml ] || cp config.example.yml config/config.yml
-	[ -f config/providers.yml ] || touch config/providers.yml
-
 build:
-	mkdir -p bin
-	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy github.com/yusing/go-proxy
+	scripts/build.sh

 test:
-	go test ./src/...
+	GODOXY_TEST=1 go test ./internal/...

 up:
 	docker compose up -d
@@ -24,24 +26,48 @@ logs:
 	docker compose logs -f

 get:
-	cd src && go get -u && go mod tidy && cd ..
+	go get -u ./cmd && go mod tidy

 debug:
-	make build && sudo GOPROXY_DEBUG=1 bin/go-proxy
+	GODOXY_DEBUG=1 BUILD_FLAGS="" make run

-archive:
-	git archive HEAD -o ../go-proxy-$$(date +"%Y%m%d%H%M").zip
+debug-trace:
+	GODOXY_TRACE=1 make debug

-repush:
-	git reset --soft HEAD^
-	git add -A
-	git commit -m "repush"
-	git push gitlab dev --force
+profile:
+	GODEBUG=gctrace=1 make debug
+
+run: build
+	sudo setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy
+	bin/godoxy
+
+mtrace:
+	bin/godoxy debug-ls-mtrace > mtrace.json

 rapid-crash:
-	sudo docker run --restart=always --name test_crash debian:bookworm-slim /bin/cat &&\
+	sudo docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
 	sleep 3 &&\
 	sudo docker rm -f test_crash

 debug-list-containers:
-	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+
+ci-test:
+	mkdir -p /tmp/artifacts
+	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
+
+cloc:
+	cloc --not-match-f '_test.go$$' cmd internal pkg
+
+push-docker-io:
+	BUILDER=build docker buildx build \
+		--platform linux/arm64,linux/amd64 \
+		-f Dockerfile \
+		-t docker.io/yusing/godoxy-nightly \
+		-t docker.io/yusing/godoxy-nightly:${VERSION}-${BUILD_DATE} \
+		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
+		--push .
+
+build-docker:
+	docker build -t godoxy-nightly \
+		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" .
--- a/README.md
+++ b/README.md
@@ -1,101 +1,136 @@
-# go-proxy
+# GoDoxy

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)

 [繁體中文文檔請看此](README_CHT.md)

-A lightweight, easy-to-use, and [performant](docs/benchmark_result.md) reverse proxy with a web UI.
+A lightweight, easy-to-use, and [performant](https://github.com/yusing/go-proxy/wiki/Benchmarks) reverse proxy with a Web UI and dashboard.
+
+![Screenshot](screenshots/webui.png)
+
+_Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_

 ## Table of content

 <!-- TOC -->

- [go-proxy](#go-proxy)
+- [GoDoxy](#godoxy)
  - [Table of content](#table-of-content)
-  - [Key Points](#key-points)
+  - [Key Features](#key-features)
  - [Getting Started](#getting-started)
+    - [Prerequisites](#prerequisites)
    - [Setup](#setup)
-    - [Commands line arguments](#commands-line-arguments)
-    - [Environment variables](#environment-variables)
+    - [Manual Setup](#manual-setup)
+    - [Folder structrue](#folder-structrue)
    - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
-    - [Config File](#config-file)
-    - [Provider File](#provider-file)
-  - [Showcase](#showcase)
+  - [Screenshots](#screenshots)
    - [idlesleeper](#idlesleeper)
  - [Build it yourself](#build-it-yourself)

-## Key Points
+## Key Features

-   Easy to use
-    -   Effortless configuration
-    -   Simple multi-node setup
-    -   Error messages is clear and detailed, easy troubleshooting
-   Auto certificate obtaining and renewal (See [Supported DNS Challenge Providers](docs/dns_providers.md))
-   Auto configuration for docker containers
-   Auto hot-reload on container state / config file changes
-   **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [showcase](#idlesleeper))_
-   HTTP(s) reserve proxy
-   TCP and UDP port forwarding
-   Web UI for configuration and monitoring (See [screenshots](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots))
-   Written in **[Go](https://go.dev)**
+- Easy to use
+  - Effortless configuration
+  - Simple multi-node setup
+  - Error messages is clear and detailed, easy troubleshooting
+- Auto SSL cert management (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
+- Auto configuration for docker containers
+- Auto hot-reload on container state / config file changes
+- **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [screenshots](#idlesleeper))_
+- HTTP(s) reserve proxy
+- [HTTP middleware support](https://github.com/yusing/go-proxy/wiki/Middlewares)
+- [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+- TCP and UDP port forwarding
+- **Web UI with App dashboard and config editor**
+- Supports linux/amd64, linux/arm64
+- Written in **[Go](https://go.dev)**

 [🔼Back to top](#table-of-content)

 ## Getting Started

+For full documentation, **[See Wiki](https://github.com/yusing/go-proxy/wiki)**
+
+### Prerequisites
+
+Setup DNS Records point to machine which runs `GoDoxy`, e.g.
+
+- A Record: `*.y.z` -> `10.0.10.1`
+- AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+
 ### Setup

-1.  Pull docker image 
-    
+1.  Pull the latest docker images
+
    ```shell
    docker pull ghcr.io/yusing/go-proxy:latest
    ```

-2.  Create new directory, `cd` into it, then run setup
+2.  Create new directory, `cd` into it, then run setup, or [set up manually](#manual-setup)

    ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/go-proxy setup
+    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/godoxy setup
    ```

-3.  Setup DNS Records point to machine which runs `go-proxy`, e.g.
+3.  _(Optional)_ setup WebUI login

-    -   A Record: `*.y.z` -> `10.0.10.1`
-    -   AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+    - set random JWT secret

-4.  Setup `docker-socket-proxy` other docker nodes _(if any)_ (see [example](docs/docker_socket_proxy.md)) and then them inside `config.yml`
+      ```shell
+      sed -i "s|API_JWT_SECRET=.*|API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
+      ```

-5.  Done. You may now do some extra configuration
-    -   With text editor (e.g. Visual Studio Code)
-    -   With Web UI via `gp.y.z`
-    -   For more info, [See docker.md](docs/docker.md)
+    - change username and password for WebUI authentication
+      ```shell
+      sed -i "s|API_USERNAME=.*|API_USERNAME=admin|g" .env
+      sed -i "s|API_PASSWORD=.*|API_PASSWORD=some-strong-password|g" .env
+      ```
+
+4.  _(Optional)_ setup `docker-socket-proxy` other docker nodes (see [Multi docker nodes setup](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)) then add them inside `config.yml`
+
+5.  Start the container `docker compose up -d`
+
+6.  You may now do some extra configuration
+    - With text editor (e.g. Visual Studio Code)
+    - With Web UI via `https://gp.y.z`

 [🔼Back to top](#table-of-content)

-### Commands line arguments
+### Manual Setup

-| Argument    | Description                      | Example                    |
-| ----------- | -------------------------------- | -------------------------- |
-| empty       | start proxy server               |                            |
-| `validate`  | validate config and exit         |                            |
-| `reload`    | trigger a force reload of config |                            |
-| `ls-config` | list config and exit             | `go-proxy ls-config \| jq` |
-| `ls-route`  | list proxy entries and exit      | `go-proxy ls-route \| jq`  |
+1. Make `config` directory then grab `config.example.yml` into `config/config.yml`

-**run with `docker exec <container_name> /app/go-proxy <command>`**
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/config.example.yml -O config/config.yml`

-### Environment variables
+2. Grab `.env.example` into `.env`

-| Environment Variable           | Description                                 | Default          | Values        |
-| ------------------------------ | ------------------------------------------- | ---------------- | ------------- |
-| `GOPROXY_NO_SCHEMA_VALIDATION` | disable schema validation                   | `false`          | boolean       |
-| `GOPROXY_DEBUG`                | enable debug behaviors                      | `false`          | boolean       |
-| `GOPROXY_HTTP_ADDR`            | http server listening address               | `:80`            | `[host]:port` |
-| `GOPROXY_HTTPS_ADDR`           | https server listening address (if enabled) | `:443`           | `[host]:port` |
-| `GOPROXY_API_ADDR`             | api server listening address                | `127.0.0.1:8888` | `[host]:port` |
+   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/.env.example -O .env`
+
+3. Grab `compose.example.yml` into `compose.yml`
+
+   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/compose.example.yml -O compose.yml`
+
+### Folder structrue
+
+```shell
+├── certs
+│   ├── cert.crt
+│   └── priv.key
+├── compose.yml
+├── config
+│   ├── config.yml
+│   ├── middlewares
+│   │   ├── middleware1.yml
+│   │   ├── middleware2.yml
+│   ├── provider1.yml
+│   └── provider2.yml
+└── .env
+```

 ### Use JSON Schema in VSCode

@@ -103,45 +138,11 @@ Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscod

 [🔼Back to top](#table-of-content)

-### Config File
-
-See [config.example.yml](config.example.yml) for more
-
-```yaml
-# autocert configuration
-autocert:
-    email: # ACME Email
-    domains: # a list of domains for cert registration
-    provider: # DNS Challenge provider
-    options: # provider specific options
-        - ...
-# reverse proxy providers configuration
-providers:
-    include:
-        - providers.yml
-        - other_file_1.yml
-        - ...
-    docker:
-        local: $DOCKER_HOST
-        remote-1: tcp://10.0.2.1:2375
-        remote-2: ssh://root:1234@10.0.2.2
-```
-
-[🔼Back to top](#table-of-content)
-
-### Provider File
-
-See [Fields](docs/docker.md#fields)
-
-See [providers.example.yml](providers.example.yml) for examples
-
-[🔼Back to top](#table-of-content)
-
-## Showcase
+## Screenshots

 ### idlesleeper

-![idlesleeper](showcase/idlesleeper.webp)
+![idlesleeper](screenshots/idlesleeper.webp)

 [🔼Back to top](#table-of-content)

--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,144 +1,161 @@
-# go-proxy
+# GoDoxy

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)

-一個輕量化、易用且[高效](docs/benchmark_result.md)的反向代理和端口轉發工具
+[English Documentation](README.md)
+
+一個輕量級、易於使用且[高效能](https://github.com/yusing/go-proxy/wiki/Benchmarks)的反向代理，具有網頁介面和儀表板。
+
+![截圖](screenshots/webui.png)
+
+_加入我們的 [Discord](https://discord.gg/umReR62nRd) 獲取幫助和討論_

 ## 目錄

 <!-- TOC -->

- [go-proxy](#go-proxy)
+- [GoDoxy](#godoxy)
  - [目錄](#目錄)
-  - [重點](#重點)
+  - [主要特點](#主要特點)
  - [入門指南](#入門指南)
+    - [前置需求](#前置需求)
    - [安裝](#安裝)
-    - [命令行參數](#命令行參數)
-    - [環境變量](#環境變量)
-    - [VSCode 中使用 JSON Schema](#vscode-中使用-json-schema)
-    - [配置文件](#配置文件)
-    - [透過文件配置](#透過文件配置)
-  - [展示](#展示)
-    - [idlesleeper](#idlesleeper)
-  - [源碼編譯](#源碼編譯)
+    - [手動安裝](#手動安裝)
+    - [資料夾結構](#資料夾結構)
+    - [在 VSCode 中使用 JSON Schema](#在-vscode-中使用-json-schema)
+  - [截圖](#截圖)
+    - [閒置休眠](#閒置休眠)
+  - [自行編譯](#自行編譯)

-## 重點
+## 主要特點

-   易用
-    -   不需花費太多時間就能輕鬆配置
-    -   除錯簡單
-   自動處理 HTTPS 證書（參見[可用的 DNS 供應商](docs/dns_providers.md)）
-   透過 Docker 容器自動配置
-   容器狀態變更時自動熱重載
-   容器閒置時自動暫停/停止，入站時自動喚醒
-   HTTP(s)反向代理
-   TCP/UDP 端口轉發
-   用於配置和監控的前端 Web 面板（[截圖](https://github.com/yusing/go-proxy-frontend?tab=readme-ov-file#screenshots)）
-   使用 **[Go](https://go.dev)** 編寫
+- 容易使用
+  - 輕鬆配置
+  - 簡單的多節點設置
+  - 錯誤訊息清晰詳細，易於排除故障
+- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers)）
+- 自動配置 Docker 容器
+- 容器狀態/配置文件變更時自動熱重載
+- **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
+- HTTP(s) 反向代理
+- [HTTP 中介軟體支援](https://github.com/yusing/go-proxy/wiki/Middlewares)
+- [自訂錯誤頁面支援](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+- TCP 和 UDP 埠轉發
+- **網頁介面，具有應用儀表板和配置編輯器**
+- 支援 linux/amd64、linux/arm64
+- 使用 **[Go](https://go.dev)** 編寫

-[🔼 返回頂部](#目錄)
+[🔼回到頂部](#目錄)

 ## 入門指南

+完整文檔請參見 **[Wiki](https://github.com/yusing/go-proxy/wiki)**
+
+### 前置需求
+
+設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：
+
+- A 記錄：`*.y.z` -> `10.0.10.1`
+- AAAA 記錄：`*.y.z` -> `::ffff:a00:a01`
+
 ### 安裝

-1. 設置 DNS 記錄，例如：
+1.  拉取最新的 Docker 映像

-    - A 記錄: `*.y.z` -> `10.0.10.1`
-    - AAAA 記錄: `*.y.z` -> `::ffff:a00:a01`
+    ```shell
+    docker pull ghcr.io/yusing/go-proxy:latest
+    ```

-2. 安裝 `go-proxy` [參見這裡](docs/docker.md)
+2.  建立新目錄，`cd` 進入後運行安裝，或[手動安裝](#手動安裝)

-3. 配置 `go-proxy`
-    - 使用文本編輯器 (推薦 Visual Studio Code [參見 VSCode 使用 schema](#vscode-中使用-json-schema))
-    - 或通過 `http://gp.y.z` 使用網頁配置編輯器
+    ```shell
+    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/godoxy setup
+    ```

-[🔼 返回頂部](#目錄)
+3.  _（可選）_ 設置網頁介面登入

-### 命令行參數
+    - 設置隨機 JWT 密鑰

-| 參數        | 描述           | 示例                       |
-| ----------- | -------------- | -------------------------- |
-| 空          | 啟動代理服務器 |                            |
-| `validate`  | 驗證配置並退出 |                            |
-| `reload`    | 強制刷新配置   |                            |
-| `ls-config` | 列出配置並退出 | `go-proxy ls-config \| jq` |
-| `ls-route`  | 列出路由並退出 | `go-proxy ls-route \| jq`  |
+      ```shell
+      sed -i "s|API_JWT_SECRET=.*|API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
+      ```

-**使用 `docker exec <容器名稱> /app/go-proxy <參數>` 運行**
+    - 更改網頁介面認證的使用者名稱和密碼
+      ```shell
+      sed -i "s|API_USERNAME=.*|API_USERNAME=admin|g" .env
+      sed -i "s|API_PASSWORD=.*|API_PASSWORD=some-strong-password|g" .env
+      ```

-### 環境變量
+4.  _（可選）_ 設置其他 Docker 節點的 `docker-socket-proxy`（參見 [多 Docker 節點設置](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)），然後在 `config.yml` 中添加它們

-| 環境變量                       | 描述             | 默認             | 格式          |
-| ------------------------------ | ---------------- | ---------------- | ------------- |
-| `GOPROXY_NO_SCHEMA_VALIDATION` | 禁用 schema 驗證 | `false`          | boolean       |
-| `GOPROXY_DEBUG`                | 啟用調試輸出     | `false`          | boolean       |
-| `GOPROXY_HTTP_ADDR`            | http 收聽地址    | `:80`            | `[host]:port` |
-| `GOPROXY_HTTPS_ADDR`           | https 收聽地址   | `:443`           | `[host]:port` |
-| `GOPROXY_API_ADDR`             | api 收聽地址     | `127.0.0.1:8888` | `[host]:port` |
+5.  啟動容器 `docker compose up -d`

-### VSCode 中使用 JSON Schema
+6.  現在您可以進行額外的配置
+    - 使用文字編輯器（如 Visual Studio Code）
+    - 通過網頁介面 `https://gp.y.z`

-複製 [`.vscode/settings.example.json`](.vscode/settings.example.json) 到 `.vscode/settings.json` 並根據需求修改
+[🔼回到頂部](#目錄)

-[🔼 返回頂部](#目錄)
+### 手動安裝

-### 配置文件
+1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`

-參見 [config.example.yml](config.example.yml) 了解更多
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/config.example.yml -O config/config.yml`

-```yaml
-# autocert 配置
-autocert:
-    email: # ACME 電子郵件
-    domains: # 域名列表
-    provider: # DNS 供應商
-    options: # 供應商個別配置
-        - ...
-# 配置文件 / docker
-providers:
-    include:
-        - providers.yml
-        - other_file_1.yml
-        - ...
-    docker:
-        local: $DOCKER_HOST
-        remote-1: tcp://10.0.2.1:2375
-        remote-2: ssh://root:1234@10.0.2.2
+2. 將 `.env.example` 下載到 `.env`
+
+   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/.env.example -O .env`
+
+3. 將 `compose.example.yml` 下載到 `compose.yml`
+
+   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.8/compose.example.yml -O compose.yml`
+
+### 資料夾結構
+
+```shell
+├── certs
+│   ├── cert.crt
+│   └── priv.key
+├── compose.yml
+├── config
+│   ├── config.yml
+│   ├── middlewares
+│   │   ├── middleware1.yml
+│   │   ├── middleware2.yml
+│   ├── provider1.yml
+│   └── provider2.yml
+└── .env
 ```

-[🔼 返回頂部](#目錄)
+### 在 VSCode 中使用 JSON Schema

-### 透過文件配置
+複製 [`.vscode/settings.example.json`](.vscode/settings.example.json) 到 `.vscode/settings.json` 並根據需要修改

-參見 [Fields](docs/docker.md#fields)
+[🔼回到頂部](#目錄)

-參見範例 [providers.example.yml](providers.example.yml)
+## 截圖

-[🔼 返回頂部](#目錄)
+### 閒置休眠

-## 展示
+![閒置休眠](screenshots/idlesleeper.webp)

-### idlesleeper
+[🔼回到頂部](#目錄)

-![idlesleeper](showcase/idlesleeper.webp)
+## 自行編譯

-[🔼 返回頂部](#目錄)
+1. 克隆儲存庫 `git clone https://github.com/yusing/go-proxy --depth=1`

-## 源碼編譯
+2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`

-1. 獲取源碼 `git clone https://github.com/yusing/go-proxy --depth=1`
+3. 如果之前編譯過（go < 1.22），請使用 `go clean -cache` 清除快取

-2. 安裝/升級 [go 版本 (>=1.22)](https://go.dev/doc/install) 和 `make`（如果尚未安裝）
+4. 使用 `make get` 獲取依賴

-3. 如果之前編譯過（go 版本 < 1.22），請使用 `go clean -cache` 清除緩存
+5. 使用 `make build` 編譯二進制檔案

-4. 使用 `make get` 獲取依賴項
-
-5. 使用 `make build` 編譯
-
-[🔼 返回頂部](#目錄)
+[🔼回到頂部](#目錄)
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -0,0 +1,180 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/yusing/go-proxy/internal"
+	"github.com/yusing/go-proxy/internal/api"
+	"github.com/yusing/go-proxy/internal/api/v1/query"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/entrypoint"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/metrics"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/net/http/server"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+func main() {
+	args := common.GetArgs()
+
+	switch args.Command {
+	case common.CommandSetup:
+		internal.Setup()
+		return
+	case common.CommandReload:
+		if err := query.ReloadServer(); err != nil {
+			E.LogFatal("server reload error", err)
+		}
+		logging.Info().Msg("ok")
+		return
+	case common.CommandListIcons:
+		icons, err := internal.ListAvailableIcons()
+		if err != nil {
+			log.Fatal(err)
+		}
+		printJSON(icons)
+		return
+	case common.CommandListRoutes:
+		routes, err := query.ListRoutes()
+		if err != nil {
+			log.Printf("failed to connect to api server: %s", err)
+			log.Printf("falling back to config file")
+		} else {
+			printJSON(routes)
+			return
+		}
+	case common.CommandDebugListMTrace:
+		trace, err := query.ListMiddlewareTraces()
+		if err != nil {
+			log.Fatal(err)
+		}
+		printJSON(trace)
+		return
+	}
+
+	if args.Command == common.CommandStart {
+		logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
+		logging.Trace().Msg("trace enabled")
+		// logging.AddHook(notif.GetDispatcher())
+	} else {
+		logging.DiscardLogger()
+	}
+
+	if args.Command == common.CommandValidate {
+		data, err := os.ReadFile(common.ConfigPath)
+		if err == nil {
+			err = config.Validate(data)
+		}
+		if err != nil {
+			log.Fatal("config error: ", err)
+		}
+		log.Print("config OK")
+		return
+	}
+
+	for _, dir := range common.RequiredDirectories {
+		prepareDirectory(dir)
+	}
+
+	middleware.LoadComposeFiles()
+
+	var cfg *config.Config
+	var err E.Error
+	if cfg, err = config.Load(); err != nil {
+		E.LogWarn("errors in config", err)
+	}
+
+	switch args.Command {
+	case common.CommandListRoutes:
+		cfg.StartProxyProviders()
+		printJSON(config.RoutesByAlias())
+		return
+	case common.CommandListConfigs:
+		printJSON(config.Value())
+		return
+	case common.CommandDebugListEntries:
+		printJSON(config.DumpEntries())
+		return
+	case common.CommandDebugListProviders:
+		printJSON(config.DumpProviders())
+		return
+	}
+
+	if common.APIJWTSecret == nil {
+		logging.Warn().Msg("API JWT secret is empty, authentication is disabled")
+	}
+
+	cfg.StartProxyProviders()
+	config.WatchChanges()
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGINT)
+	signal.Notify(sig, syscall.SIGTERM)
+	signal.Notify(sig, syscall.SIGHUP)
+
+	autocert := config.GetAutoCertProvider()
+	if autocert != nil {
+		if err := autocert.Setup(); err != nil {
+			E.LogFatal("autocert setup error", err)
+		}
+	} else {
+		logging.Info().Msg("autocert not configured")
+	}
+
+	server.StartServer(server.Options{
+		Name:         "proxy",
+		CertProvider: autocert,
+		HTTPAddr:     common.ProxyHTTPAddr,
+		HTTPSAddr:    common.ProxyHTTPSAddr,
+		Handler:      http.HandlerFunc(entrypoint.Handler),
+	})
+	server.StartServer(server.Options{
+		Name:         "api",
+		CertProvider: autocert,
+		HTTPAddr:     common.APIHTTPAddr,
+		Handler:      api.NewHandler(),
+	})
+
+	if common.PrometheusEnabled {
+		server.StartServer(server.Options{
+			Name:         "metrics",
+			CertProvider: autocert,
+			HTTPAddr:     common.MetricsHTTPAddr,
+			Handler:      metrics.NewHandler(),
+		})
+	}
+
+	// wait for signal
+	<-sig
+
+	// grafully shutdown
+	logging.Info().Msg("shutting down")
+	_ = task.GracefulShutdown(time.Second * time.Duration(config.Value().TimeoutShutdown))
+}
+
+func prepareDirectory(dir string) {
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err = os.MkdirAll(dir, 0o755); err != nil {
+			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
+		}
+	}
+}
+
+func printJSON(obj any) {
+	j, err := json.MarshalIndent(obj, "", "  ")
+	if err != nil {
+		logging.Fatal().Err(err).Send()
+	}
+	rawLogger := log.New(os.Stdout, "", 0)
+	rawLogger.Print(string(j)) // raw output for convenience using "jq"
+}
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,33 +1,42 @@
+---
 services:
  frontend:
    image: ghcr.io/yusing/go-proxy-frontend:latest
-    container_name: go-proxy-frontend
+    container_name: godoxy-frontend
    restart: unless-stopped
    network_mode: host
-    labels:
-      - proxy.aliases=gp
-      - proxy.gp.port=3000
+    env_file: .env
    depends_on:
      - app
+    # modify below to fit your needs
+    labels:
+      proxy.aliases: gp
+      proxy.#1.port: 3000
+      # proxy.#1.middlewares.cidr_whitelist.status: 403
+      # proxy.#1.middlewares.cidr_whitelist.message: IP not allowed
+      # proxy.#1.middlewares.cidr_whitelist.allow: |
+      #     - 127.0.0.1
+      #     - 10.0.0.0/8
+      #     - 192.168.0.0/16
+      #     - 172.16.0.0/12
  app:
    image: ghcr.io/yusing/go-proxy:latest
-    container_name: go-proxy
+    container_name: godoxy
    restart: always
    network_mode: host
-    environment:
-      # (Optional) change this to your timezone to get correct log timestamp
-      TZ: ETC/UTC
+    env_file: .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/app/config
+      - ./error_pages:/app/error_pages

      # (Optional) choose one of below to enable https
      # 1. use existing certificate
-      # if your cert is not named `cert.crt` change `cert_path` in `config/config.yml`
-      # if your cert key is not named `priv.key` change `key_path` in `config/config.yml`

-      # - /path/to/certs:/app/certs
+      # - /path/to/certs/cert.crt:/app/certs/cert.crt
+      # - /path/to/certs/priv.key:/app/certs/priv.key

-      # 2. use autocert, certs will be stored in ./certs (or other path you specify)
+      # 2. use autocert, certs will be stored in ./certs
+      #    you can also use a docker volume to store it

      # - ./certs:/app/certs
--- a/config.example.yml
+++ b/config.example.yml
@@ -1,36 +1,136 @@
 # Autocert (choose one below and uncomment to enable)
-
+#
 # 1. use existing cert
+#
 # autocert:
 #   provider: local
-#   cert_path: certs/cert.crt # optional, uncomment only if you need to change it
-#   key_path: certs/priv.key # optional, uncomment only if you need to change it
-
+#
+#   cert_path: certs/cert.crt         # optional, uncomment only if you need to change it
+#   key_path: certs/priv.key          # optional, uncomment only if you need to change it
+#
 # 2. cloudflare
+#
 # autocert:
 #   provider: cloudflare
-#   email: # ACME Email
-#   domains: # a list of domains for cert registration
-#     - x.y.z
+#   email: abc@gmail.com                            # ACME Email
+#   domains:                                        # a list of domains for cert registration
+#     - "*.y.z"                                     # remember to use double quotes to surround wildcard domain
 #   options:
-#     - auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
-
+#     auth_token: c1234565789-abcdefghijklmnopqrst  # your zone API token
+#
 # 3. other providers, check docs/dns_providers.md for more

+entrypoint:
+  middlewares:
+    - use: CIDRWhitelist
+      allow:
+        - "127.0.0.1"
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+      status: 403
+      message: "Forbidden"
+    - use: RedirectHTTP
+  # access_log:
+  #   buffer_size: 1024
+  #   path: /var/log/example.log
+  #   filters:
+  #     status_codes:
+  #       values:
+  #         - 200-299
+  #         - 101
+  #     method:
+  #       values:
+  #         - GET
+  #     host:
+  #       values:
+  #         - example.y.z
+  #     headers:
+  #       negative: true
+  #       values:
+  #         - foo=bar
+  #         - baz
+  #     cidr:
+  #       values:
+  #         - 192.168.10.0/24
+  #   fields:
+  #     headers:
+  #       default: keep
+  #       config:
+  #         foo: redact
+  #     query:
+  #       default: drop
+  #       config:
+  #         foo: keep
+  #     cookies:
+  #       default: redact
+  #       config:
+  #         foo: keep
+
 providers:
+  # include files are standalone yaml files under `config/` directory
+  #
  # include:
-  #   - providers.yml # config/providers.yml
-  #   # add some more below if you want
-  #   - file1.yml # config/file_1.yml
+  #   - file1.yml
  #   - file2.yml
+
  docker:
-    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    # $DOCKER_HOST implies unix:///var/run/docker.sock by default
+    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
    local: $DOCKER_HOST
+    # explicit only mode
+    # only containers with explicit aliases will be proxied
+    # add "!" after provider name to enable explicit only mode
+    #
+    # local!: $DOCKER_HOST
+    #
    # add more docker providers if needed
+    # for value format, see https://docs.docker.com/reference/cli/dockerd/
+    #
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2
-# Fixed options (optional, non hot-reloadable)

-# timeout_shutdown: 5
-# redirect_to_https: false # redirect http requests to https (if enabled)
+  # notification providers (notify when service health changes)
+  #
+  # notification:
+  #   - name: gotify
+  #     provider: gotify
+  #     url: https://gotify.domain.tld
+  #     token: abcd
+  #   - name: discord
+  #     provider: webhook
+  #     url: https://discord.com/api/webhooks/...
+  #     template: discord
+  #     # payload: | # discord template implies the following
+  #     #   {
+  #     #     "embeds": [
+  #     #       {
+  #     #         "title": $title,
+  #     #         "fields": $fields,
+  #     #         "color": "$color"
+  #     #       }
+  #     #     ]
+  #     #   }
+# if match_domains not defined
+# any host = alias+[any domain] will match
+# i.e. https://app1.y.z       will match alias app1 for any domain y.z
+#  but https://app1.node1.y.z will only match alias "app.node1"
+#
+# if match_domains defined
+# only host = alias+[one of match_domains] will match
+# i.e. match_domains = [node1.my.app, my.site]
+# https://app1.my.app, https://app1.my.net, etc. will not match even if app1 exists
+# only https://*.node1.my.app and https://*.my.site will match
+#
+#
+# match_domains:
+#   - my.site
+#   - node1.my.app
+
+# homepage config
+homepage:
+  # use default app categories detected from alias or docker image name
+  use_default_categories: true
+
+# Below are fixed options (non hot-reloadable)
+
+# timeout for shutdown (in seconds)
+timeout_shutdown: 5
--- a/docs/add_dns_provider.md
+++ b/docs/add_dns_provider.md
@@ -1,41 +0,0 @@
-# Adding provider support
-
-## **CloudDNS** as an example
-
-1. Fork this repo, modify [autocert.go](../src/go-proxy/autocert.go#L305)
-
-   ```go
-   var providersGenMap = map[string]ProviderGenerator{
-     "cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-     // add here, e.g.
-     "clouddns": providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
-   }
-   ```
-
-2. Go to [https://go-acme.github.io/lego/dns/clouddns](https://go-acme.github.io/lego/dns/clouddns/) and check for required config
-
-3. Build `go-proxy` with `make build`
-
-4. Set required config in `config.yml` `autocert` -> `options` section
-
-   ```shell
-   # From https://go-acme.github.io/lego/dns/clouddns/
-   CLOUDDNS_CLIENT_ID=bLsdFAks23429841238feb177a572aX \
-   CLOUDDNS_EMAIL=you@example.com \
-   CLOUDDNS_PASSWORD=b9841238feb177a84330f \
-   lego --email you@example.com --dns clouddns --domains my.example.org run
-   ```
-
-   Should turn into:
-
-   ```yaml
-   autocert:
-     ...
-     options:
-       client_id: bLsdFAks23429841238feb177a572aX
-       email: you@example.com
-       password: b9841238feb177a84330f
-   ```
-
-5. Run with `GOPROXY_NO_SCHEMA_VALIDATION=1` and test if it works
-6. Commit and create pull request
--- a/docs/benchmark_result.md
+++ b/docs/benchmark_result.md
@@ -1,104 +0,0 @@
-# Benchmarks
-
-Benchmarked with `wrk` and `traefik/whoami`'s `/bench` endpoint
-
-## Remote benchmark
-
- Direct connection
-
-  ```shell
-  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
-  Running 10s test @ http://10.0.100.3:8003/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency    94.75ms  199.92ms   1.68s    91.27%
-      Req/Sec     4.24k     1.79k   18.79k    72.13%
-    Latency Distribution
-      50%    1.14ms
-      75%  120.23ms
-      90%  245.63ms
-      99%    1.03s
-    423444 requests in 10.10s, 50.88MB read
-    Socket errors: connect 0, read 0, write 0, timeout 29
-  Requests/sec:  41926.32
-  Transfer/sec:      5.04MB
-  ```
-
- With reverse proxy
-
-  ```shell
-  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
-  Running 10s test @ http://10.0.1.7/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency    79.35ms  169.79ms   1.69s    92.55%
-      Req/Sec     4.27k     1.90k   19.61k    75.81%
-    Latency Distribution
-      50%    1.12ms
-      75%  105.66ms
-      90%  200.22ms
-      99%  814.59ms
-    409836 requests in 10.10s, 49.25MB read
-    Socket errors: connect 0, read 0, write 0, timeout 18
-  Requests/sec:  40581.61
-  Transfer/sec:      4.88MB
-  ```
-
-## Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
-
- Direct connection
-
-  ```shell
-  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
-  Running 10s test @ http://10.0.100.1/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency   434.08us  539.35us   8.76ms   85.28%
-      Req/Sec    67.71k     6.31k   87.21k    71.20%
-    Latency Distribution
-      50%  153.00us
-      75%  646.00us
-      90%    1.18ms
-      99%    2.38ms
-    6739591 requests in 10.01s, 809.85MB read
-  Requests/sec: 673608.15
-  Transfer/sec:     80.94MB
-  ```
-
- With `go-proxy` reverse proxy
-
-  ```shell
-  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
-  Running 10s test @ http://10.0.1.7/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     1.23ms    0.96ms  11.43ms   72.09%
-      Req/Sec    17.48k     1.76k   21.48k    70.20%
-    Latency Distribution
-      50%    0.98ms
-      75%    1.76ms
-      90%    2.54ms
-      99%    4.24ms
-    1739079 requests in 10.01s, 208.97MB read
-  Requests/sec: 173779.44
-  Transfer/sec:     20.88MB
-  ```
-
- With `traefik-v3`
-
-  ```shell
-  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
-  Running 10s test @ http://127.0.0.1:8000/bench
-    10 threads and 200 connections
-    Thread Stats   Avg      Stdev     Max   +/- Stdev
-      Latency     2.81ms   10.36ms 180.26ms   98.57%
-      Req/Sec    11.35k     1.74k   13.76k    85.54%
-    Latency Distribution
-      50%    1.59ms
-      75%    2.27ms
-      90%    3.17ms
-      99%   37.91ms
-    1125723 requests in 10.01s, 109.50MB read
-  Requests/sec: 112499.59
-  Transfer/sec:     10.94MB
-  ```
--- a/docs/dns_providers.md
+++ b/docs/dns_providers.md
@@ -1,81 +0,0 @@
-# Supported DNS Providers
-
-<!-- TOC -->
-
- [Supported DNS Providers](#supported-dns-providers)
-  - [Cloudflare](#cloudflare)
-  - [CloudDNS](#clouddns)
-  - [DuckDNS](#duckdns)
-  - [OVHCloud](#ovhcloud)
-  - [Implement other DNS providers](#implement-other-dns-providers)
-
-## Cloudflare
-
-```yaml
-autocert:
-    provider: cloudflare
-    options:
-        auth_token:
-```
-
-`auth_token` your zone API token
-
-Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
-
-## CloudDNS
-
-```yaml
-autocert:
-    provider: clouddns
-    options:
-        client_id:
-        email:
-        password:
-```
-
-## DuckDNS
-
-```yaml
-autocert:
-    provider: duckdns
-    options:
-        token:
-```
-
-Tested by [earvingad](https://github.com/earvingad)
-
-## OVHCloud
-
-```yaml
-autocert:
-    provider: ovh
-    options:
-        api_endpoint:
-        application_key:
-        application_secret:
-        consumer_key:
-        oauth2_config:
-            client_id:
-            client_secret:
-```
-
-_Note, `application_key` and `oauth2_config` **CANNOT** be used together_
-
-   `api_endpoint`: Endpoint URL, or one of
-    -   `ovh-eu`,
-    -   `ovh-ca`,
-    -   `ovh-us`,
-    -   `kimsufi-eu`,
-    -   `kimsufi-ca`,
-    -   `soyoustart-eu`,
-    -   `soyoustart-ca`
-   `application_secret`
-   `application_key`
-   `consumer_key`
-   `oauth2_config`: Client ID and Client Secret
-    -   `client_id`
-    -   `client_secret`
-
-## Implement other DNS providers
-
-See [add_dns_provider.md](docs/add_dns_provider.md)
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -1,293 +0,0 @@
-# Docker compose guide
-
-## Table of content
-
-<!-- TOC -->
-
- [Docker compose guide](#docker-compose-guide)
-  - [Table of content](#table-of-content)
-  - [Additional setup](#additional-setup)
-  - [Labels](#labels)
-    - [Syntax](#syntax)
-    - [Fields](#fields)
-      - [Key-value mapping example](#key-value-mapping-example)
-      - [List example](#list-example)
-  - [Troubleshooting](#troubleshooting)
-  - [Docker compose examples](#docker-compose-examples)
-    - [Services URLs for above examples](#services-urls-for-above-examples)
-
-## Additional setup
-
-1.  Enable HTTPs _(optional)_
-
-    Mount a folder to store obtained certs or to load existing cert
-
-    ```yaml
-    services:
-      go-proxy:
-        ...
-        volumes:
-          - ./certs:/app/certs
-    ```
-
-    To use **autocert**, complete that section in `config.yml`, e.g.
-
-    ```yaml
-    autocert:
-        email: john.doe@x.y.z # ACME Email
-        domains: # a list of domains for cert registration
-            - x.y.z
-        provider: cloudflare
-        options:
-            - auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
-    ```
-
-    To use **existing certificate**, set path for cert and key in `config.yml`, e.g.
-
-    ```yaml
-    autocert:
-        provider: local
-        cert_path: /app/certs/cert.crt
-        key_path: /app/certs/priv.key
-    ```
-
-2.  Modify `compose.yml` to fit your needs
-
-3.  Run `docker compose up -d` to start the container
-
-4.  Navigate to Web panel `http://gp.yourdomain.com` or use **Visual Studio Code (provides schema check)** to edit proxy config
-
-[🔼Back to top](#table-of-content)
-
-## Labels
-
-### Syntax
-
-| Label                    | Description                                                                                                                                                         | Example                        | Default                     | Accepted values                                                           |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | --------------------------- | ------------------------------------------------------------------------- |
-| `proxy.aliases`          | comma separated aliases for subdomain and label matching                                                                                                            | `gitlab,gitlab-reg,gitlab-ssh` | `container_name`            | any                                                                       |
-| `proxy.exclude`          | to be excluded from `go-proxy`                                                                                                                                      |                                | false                       | boolean                                                                   |
-| `proxy.idle_timeout`     | time for idle (no traffic) before put it into sleep **(http/s only)**<br> _**NOTE: idlewatcher will only be enabled containers that has non-empty `idle_timeout`**_ | `1h`                           | empty or `0` **(disabled)** | `number[unit]...`, e.g. `1m30s`                                           |
-| `proxy.wake_timeout`     | time to wait for target site to be ready                                                                                                                            |                                | `30s`                       | `number[unit]...`                                                         |
-| `proxy.stop_method`      | method to stop after `idle_timeout`                                                                                                                                 |                                | `stop`                      | `stop`, `pause`, `kill`                                                   |
-| `proxy.stop_timeout`     | time to wait for stop command                                                                                                                                       |                                | `10s`                       | `number[unit]...`                                                         |
-| `proxy.stop_signal`      | signal sent to container for `stop` and `kill` methods                                                                                                              |                                | docker's default            | `SIGINT`, `SIGTERM`, `SIGHUP`, `SIGQUIT` and those without **SIG** prefix |
-| `proxy.<alias>.<field>`  | set field for specific alias                                                                                                                                        | `proxy.gitlab-ssh.scheme`      | N/A                         | N/A                                                                       |
-| `proxy.$<index>.<field>` | set field for specific alias at index (starting from **1**)                                                                                                         | `proxy.$3.port`                | N/A                         | N/A                                                                       |
-| `proxy.*.<field>`        | set field for all aliases                                                                                                                                           | `proxy.*.set_headers`          | N/A                         | N/A                                                                       |
-
-### Fields
-
-| Field           | Description                                                                                    | Default                                                                          | Allowed Values / Syntax                                                                                                                                                                                                 |
-| --------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `scheme`        | proxy protocol                                                                                 | <ul><li>`http` for numeric port</li><li>`tcp` for `x:y` port</li></ul>           | `http`, `https`, `tcp`, `udp`                                                                                                                                                                                           |
-| `host`          | proxy host                                                                                     | <ul><li>Docker: docker client IP / hostname </li><li>File: `localhost`</li></ul> | IP address, hostname                                                                                                                                                                                                    |
-| `port`          | proxy port **(http/s)**                                                                        | first port returned from docker                                                  | number in range of `1 - 65535`                                                                                                                                                                                          |
-| `port`          | proxy port **(tcp/udp)**                                                                       | `0:first_port`                                                                   | `x:y` <br><ul><li>**x**: port for `go-proxy` to listen on.<br>**x** can be 0, which means listen on a random port</li><li>**y**: port or [_service name_](../src/common/constants.go#L55) of target container</li></ul> |
-| `no_tls_verify` | whether skip tls verify **(https only)**                                                       | `false`                                                                          | boolean                                                                                                                                                                                                                 |
-| `path_patterns` | proxy path patterns **(http/s only)**<br> only requests that matched a pattern will be proxied | `/` **(proxy all requests)**                                                     | yaml style list[<sup>1</sup>](#list-example) of ([path patterns](https://pkg.go.dev/net/http#hdr-Patterns-ServeMux))                                                                                                    |
-| `set_headers`   | header to set **(http/s only)**                                                                | empty                                                                            | yaml style key-value mapping[<sup>2</sup>](#key-value-mapping-example) of header-value pairs                                                                                                                            |
-| `hide_headers`  | header to hide **(http/s only)**                                                               | empty                                                                            | yaml style list[<sup>1</sup>](#list-example) of headers                                                                                                                                                                 |
-
-[🔼Back to top](#table-of-content)
-
-#### Key-value mapping example
-
-Docker Compose
-
-```yaml
-services:
-  nginx:
-    ...
-    labels:
-      # values from duplicated header keys will be combined
-      proxy.nginx.set_headers: | # remember to add the '|'
-        X-Custom-Header1: value1, value2
-        X-Custom-Header2: value3
-        X-Custom-Header2: value4
-      # X-Custom-Header2 will be "value3, value4"
-```
-
-File Provider
-
-```yaml
-service_a:
-    host: service_a.internal
-    set_headers:
-        # do not duplicate header keys, as it is not allowed in YAML
-        X-Custom-Header1: value1, value2
-        X-Custom-Header2: value3
-```
-
-[🔼Back to top](#table-of-content)
-
-#### List example
-
-Docker Compose
-
-```yaml
-services:
-  nginx:
-    ...
-    labels:
-      proxy.nginx.path_patterns: | # remember to add the '|'
-        - GET /
-        - POST /auth
-      proxy.nginx.hide_headers: | # remember to add the '|'
-        - X-Custom-Header1
-        - X-Custom-Header2
-```
-
-File Provider
-
-```yaml
-service_a:
-    host: service_a.internal
-    path_patterns:
-        - GET /
-        - POST /auth
-    hide_headers:
-        - X-Custom-Header1
-        - X-Custom-Header2
-```
-
-[🔼Back to top](#table-of-content)
-
-## Troubleshooting
-
-   Container not showing up in proxies list
-
-    Please check that either `ports` or label `proxy.<alias>.port` is declared, e.g.
-
-    ```yaml
-    services:
-      nginx-1: # Option 1
-        ...
-        ports:
-          - 80
-      nginx-2: # Option 2
-        ...
-        container_name: nginx-2
-        network_mode: host
-        labels:
-          proxy.nginx-2.port: 80
-    ```
-
-   Firewall issues
-
-    If you are using `ufw` with vpn that drop all inbound traffic except vpn, run below:
-
-    `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
-
-    Explaination:
-
-    Docker network is usually `172.16.0.0/16`
-
-    Tailscale is used as an example, `100.64.0.0/10` will be the CIDR
-
-    You can also list CIDRs of all docker bridge networks by:
-
-    `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
-
-[🔼Back to top](#table-of-content)
-
-## Docker compose examples
-
-More examples in [here](examples/)
-
-```yaml
-volumes:
-    adg-work:
-    adg-conf:
-    mc-data:
-    palworld:
-    nginx:
-services:
-    adg:
-        image: adguard/adguardhome
-        restart: unless-stopped
-        labels:
-            - proxy.aliases=adg,adg-dns,adg-setup
-            - proxy.$1.port=80
-            - proxy.$2.scheme=udp
-            - proxy.$2.port=20000:dns
-            - proxy.$3.port=3000
-        volumes:
-            - adg-work:/opt/adguardhome/work
-            - adg-conf:/opt/adguardhome/conf
-        ports:
-            - 80
-            - 3000
-            - 53/udp
-    mc:
-        image: itzg/minecraft-server
-        tty: true
-        stdin_open: true
-        container_name: mc
-        restart: unless-stopped
-        ports:
-            - 25565
-        labels:
-            - proxy.mc.port=20001:25565
-        environment:
-            - EULA=TRUE
-        volumes:
-            - mc-data:/data
-    palworld:
-        image: thijsvanloef/palworld-server-docker:latest
-        restart: unless-stopped
-        container_name: pal
-        stop_grace_period: 30s
-        ports:
-            - 8211/udp
-            - 27015/udp
-        labels:
-            - proxy.aliases=pal1,pal2
-            - proxy.*.scheme=udp
-            - proxy.$1.port=20002:8211
-            - proxy.$2.port=20003:27015
-        environment: ...
-        volumes:
-            - palworld:/palworld
-    nginx:
-        image: nginx
-        container_name: nginx
-        volumes:
-            - nginx:/usr/share/nginx/html
-        ports:
-            - 80
-        labels:
-            proxy.idle_timeout: 1m
-    go-proxy:
-        image: ghcr.io/yusing/go-proxy:latest
-        container_name: go-proxy
-        restart: always
-        network_mode: host
-        volumes:
-            - ./config:/app/config
-            - /var/run/docker.sock:/var/run/docker.sock
-    go-proxy-frontend:
-        image: ghcr.io/yusing/go-proxy-frontend:latest
-        container_name: go-proxy-frontend
-        restart: unless-stopped
-        network_mode: host
-        labels:
-            - proxy.aliases=gp
-            - proxy.gp.port=3000
-        depends_on:
-            - go-proxy
-```
-
-[🔼Back to top](#table-of-content)
-
-### Services URLs for above examples
-
-   `gp.yourdomain.com`: go-proxy web panel
-   `adg-setup.yourdomain.com`: adguard setup (first time setup)
-   `adg.yourdomain.com`: adguard dashboard
-   `nginx.yourdomain.com`: nginx
-   `yourdomain.com:2000`: adguard dns (udp)
-   `yourdomain.com:20001`: minecraft server
-   `yourdomain.com:20002`: palworld server
-
-[🔼Back to top](#table-of-content)
--- a/docs/docker_socket_proxy.md
+++ b/docs/docker_socket_proxy.md
@@ -1,40 +0,0 @@
-## Docker Socket Proxy
-
-For docker client on other machine, set this up, then add `name: tcp://<machine_ip>:2375` to `config.yml` under `docker` section
-
-```yml
-# compose.yml on remote machine (e.g. server1)
-docker-proxy:
-  container_name: docker-proxy
-  image: tecnativa/docker-socket-proxy
-  privileged: true
-  environment:
-    - ALLOW_START=1
-    - ALLOW_STOP=1
-    - ALLOW_RESTARTS=1
-    - CONTAINERS=1
-    - EVENTS=1
-    - PING=1
-    - POST=1
-    - VERSION=1
-  volumes:
-    - /var/run/docker.sock:/var/run/docker.sock
-  restart: always
-  ports:
-    - 2375:2375
-    # or more secure
-    - <machine_private_ip>:2375:2375
-```
-
-```yml
-# config.yml on go-proxy machine
-autocert:
-  ... # your config
-
-providers:
-  include:
-    ...
-  docker:
-    ...
-    server1: tcp://<machine_ip>:2375
-```
--- a/examples/docker-compose/n8n.yml
+++ b/examples/docker-compose/n8n.yml
@@ -0,0 +1,27 @@
+---
+services:
+  n8n:
+    image: n8nio/n8n
+    container_name: n8n
+    restart: always
+    expose:
+      - 5678
+    labels:
+      proxy.n8n.middlewares.request.set_headers: |
+        SSLRedirect: true
+        STSSeconds: 315360000
+        browserXSSFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        SSLHost: ${DOMAIN_NAME}
+        STSIncludeSubdomains: true
+        STSPreload: true
+    environment:
+      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
+      - N8N_PORT=5678
+      - N8N_PROTOCOL=https
+      - NODE_ENV=production
+      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
+      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
+    volumes:
+      - ./data:/home/node/.n8n
--- a/examples/error_pages/404.css
+++ b/examples/error_pages/404.css
@@ -0,0 +1,288 @@
+@import url("https://fonts.googleapis.com/css?family=Audiowide&display=swap");
+
+html,
+body {
+    margin: 0px;
+    overflow: hidden;
+}
+
+div {
+    position: absolute;
+    top: 0%;
+    left: 0%;
+    height: 100%;
+    width: 100%;
+    margin: 0px;
+    background: radial-gradient(circle, #240015 0%, #12000b 100%);
+    overflow: hidden;
+}
+
+.wrap {
+    position: absolute;
+    left: 50%;
+    top: 50%;
+    transform: translate(-50%, -50%);
+}
+
+h2 {
+    position: absolute;
+    top: 50%;
+    left: 50%;
+    margin-top: 150px;
+    font-size: 32px;
+    text-transform: uppercase;
+    transform: translate(-50%, -50%);
+    display: block;
+    color: #12000a;
+    font-weight: 300;
+    font-family: Audiowide;
+    text-shadow: 0px 0px 4px #12000a;
+    animation: fadeInText 3s ease-in 3.5s forwards,
+        flicker4 5s linear 7.5s infinite, hueRotate 6s ease-in-out 3s infinite;
+}
+
+#svgWrap_1,
+#svgWrap_2 {
+    position: absolute;
+    height: auto;
+    width: 600px;
+    max-width: 100%;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+}
+
+#svgWrap_1,
+#svgWrap_2,
+div {
+    animation: hueRotate 6s ease-in-out 3s infinite;
+}
+
+#id1_1,
+#id2_1,
+#id3_1 {
+    stroke: #ff005d;
+    stroke-width: 3px;
+    fill: transparent;
+    filter: url(#glow);
+}
+
+#id1_2,
+#id2_2,
+#id3_2 {
+    stroke: #12000a;
+    stroke-width: 3px;
+    fill: transparent;
+    filter: url(#glow);
+}
+
+#id3_1 {
+    stroke-dasharray: 940px;
+    stroke-dashoffset: -940px;
+    animation: drawLine3 2.5s ease-in-out 0s forwards,
+        flicker3 4s linear 4s infinite;
+}
+
+#id2_1 {
+    stroke-dasharray: 735px;
+    stroke-dashoffset: -735px;
+    animation: drawLine2 2.5s ease-in-out 0.5s forwards,
+        flicker2 4s linear 4.5s infinite;
+}
+
+#id1_1 {
+    stroke-dasharray: 940px;
+    stroke-dashoffset: -940px;
+    animation: drawLine1 2.5s ease-in-out 1s forwards,
+        flicker1 4s linear 5s infinite;
+}
+
+@keyframes drawLine1 {
+    0% {
+        stroke-dashoffset: -940px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes drawLine2 {
+    0% {
+        stroke-dashoffset: -735px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes drawLine3 {
+    0% {
+        stroke-dashoffset: -940px;
+    }
+    100% {
+        stroke-dashoffset: 0px;
+    }
+}
+
+@keyframes flicker1 {
+    0% {
+        stroke: #ff005d;
+    }
+    1% {
+        stroke: transparent;
+    }
+    3% {
+        stroke: transparent;
+    }
+    4% {
+        stroke: #ff005d;
+    }
+    6% {
+        stroke: #ff005d;
+    }
+    7% {
+        stroke: transparent;
+    }
+    13% {
+        stroke: transparent;
+    }
+    14% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker2 {
+    0% {
+        stroke: #ff005d;
+    }
+    50% {
+        stroke: #ff005d;
+    }
+    51% {
+        stroke: transparent;
+    }
+    61% {
+        stroke: transparent;
+    }
+    62% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker3 {
+    0% {
+        stroke: #ff005d;
+    }
+    1% {
+        stroke: transparent;
+    }
+    10% {
+        stroke: transparent;
+    }
+    11% {
+        stroke: #ff005d;
+    }
+    40% {
+        stroke: #ff005d;
+    }
+    41% {
+        stroke: transparent;
+    }
+    45% {
+        stroke: transparent;
+    }
+    46% {
+        stroke: #ff005d;
+    }
+    100% {
+        stroke: #ff005d;
+    }
+}
+
+@keyframes flicker4 {
+    0% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    30% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    31% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    32% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    36% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    37% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    41% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    42% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    85% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    86% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    95% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    96% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+    100% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+}
+
+@keyframes fadeInText {
+    1% {
+        color: #12000a;
+        text-shadow: 0px 0px 4px #12000a;
+    }
+    70% {
+        color: #ff005d;
+        text-shadow: 0px 0px 14px #ff005d;
+    }
+    100% {
+        color: #ff005d;
+        text-shadow: 0px 0px 4px #ff005d;
+    }
+}
+
+@keyframes hueRotate {
+    0% {
+        filter: hue-rotate(0deg);
+    }
+    50% {
+        filter: hue-rotate(-120deg);
+    }
+    100% {
+        filter: hue-rotate(0deg);
+    }
+}
--- a/examples/error_pages/404.html
+++ b/examples/error_pages/404.html
@@ -0,0 +1,51 @@
+{{/* Credit: https://codepen.io/code2rithik/pen/XWpVvYL */}}
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8" />
+  <title>Page Not Found</title>
+  <link rel="stylesheet" href="/$gperrorpage/404.css" type="text/css">
+  <!-- <script src="/$gperrorpage/404.js"> </script> -->
+</head>
+
+<body>
+  <script>0</script>
+  <div></div>
+  <svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
+    <g>
+      <path id="id3_2"
+        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
+      <path id="id2_2"
+        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
+      <path id="id1_2"
+        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
+    </g>
+  </svg>
+  <svg id="svgWrap_1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
+    <g>
+      <path id="id3_1"
+        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
+      <path id="id2_1"
+        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
+      <path id="id1_1"
+        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
+    </g>
+  </svg>
+
+  <svg>
+    <defs>
+      <filter id="glow">
+        <fegaussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur>
+        <femerge>
+          <femergenode in="coloredBlur"></femergenode>
+          <femergenode in="SourceGraphic"></femergenode>
+        </femerge>
+      </filter>
+    </defs>
+  </svg>
+
+  <h2>Page Not Found</h2>
+</body>
+
+</html>
--- a/examples/grafana_template.json
+++ b/examples/grafana_template.json
--- a/examples/microbin.yml
+++ b/examples/microbin.yml
@@ -1,16 +0,0 @@
-services:
-  app:
-    container_name: microbin
-    cpu_shares: 10
-    deploy:
-      resources:
-        limits:
-          memory: 256M
-    env_file: .env
-    image: docker.i.sh/danielszabo99/microbin:latest
-    ports:
-      - 8080
-    restart: unless-stopped
-    volumes:
-      - ./data:/app/microbin_data
-# microbin.domain.tld
--- a/examples/siyuan.yml
+++ b/examples/siyuan.yml
@@ -1,16 +0,0 @@
-services:
-  main:
-    image: b3log/siyuan:v3.1.0
-    container_name: siyuan
-    command:
-      - --workspace=/siyuan/workspace/
-      - --accessAuthCode=<some password>
-    user: 1000:1000
-    volumes:
-      - ./workspace:/siyuan/workspace
-    restart: unless-stopped
-    environment:
-      - TZ=Asia/Hong_Kong
-    ports:
-      - 6806
-# siyuan.domain.tld
--- a/1
+++ b/1
--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,76 @@
+module github.com/yusing/go-proxy
+
+go 1.23.4
+
+require (
+	github.com/coder/websocket v1.8.12
+	github.com/docker/cli v27.4.1+incompatible
+	github.com/docker/docker v27.4.1+incompatible
+	github.com/fsnotify/fsnotify v1.8.0
+	github.com/go-acme/lego/v4 v4.21.0
+	github.com/go-playground/validator/v10 v10.23.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/gotify/server/v2 v2.6.1
+	github.com/prometheus/client_golang v1.20.5
+	github.com/puzpuzpuz/xsync/v3 v3.4.0
+	github.com/rs/zerolog v1.33.0
+	golang.org/x/net v0.33.0
+	golang.org/x/text v0.21.0
+	golang.org/x/time v0.9.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.113.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/term v0.5.0 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/ovh/go-ovh v1.6.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.61.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
+	go.opentelemetry.io/otel/metric v1.33.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
+	go.opentelemetry.io/otel/trace v1.33.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/tools v0.28.0 // indirect
+	google.golang.org/protobuf v1.36.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
+)
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,222 @@
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudflare/cloudflare-go v0.113.0 h1:qnOXmA6RbgZ4rg5gNBK5QGk0Pzbv8pnUYV3C4+8CU6w=
+github.com/cloudflare/cloudflare-go v0.113.0/go.mod h1:Dlm4BAnycHc0i8yLxQZb9b+OlMwYOAoDJsUOEFgpVvo=
+github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
+github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI=
+github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v27.4.1+incompatible h1:ZJvcY7gfwHn1JF48PfbyXg7Jyt9ZCWDW+GGXOIxEwp4=
+github.com/docker/docker v27.4.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/go-acme/lego/v4 v4.21.0 h1:arEW+8o5p7VI8Bk1kr/PDlgD1DrxtTH1gJ4b7mehL8o=
+github.com/go-acme/lego/v4 v4.21.0/go.mod h1:HrSWzm3Ckj45Ie3i+p1zKVobbQoMOaGu9m4up0dUeDI=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o=
+github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gotify/server/v2 v2.6.1 h1:Kf7v5fzBxzELzZa/jonWfwJMkqYqh1LBzBpCmt5QIAI=
+github.com/gotify/server/v2 v2.6.1/go.mod h1:Dk8HLyTVDqmXM8YEg6tjROBen6mxyHZFRggJFHTwZLc=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
+github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
+github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/ovh/go-ovh v1.6.0 h1:ixLOwxQdzYDx296sXcgS35TOPEahJkpjMGtzPadCjQI=
+github.com/ovh/go-ovh v1.6.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
+github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/puzpuzpuz/xsync/v3 v3.4.0 h1:DuVBAdXuGFHv8adVXjWWZ63pJq+NRXOWVXlKDBZ+mJ4=
+github.com/puzpuzpuz/xsync/v3 v3.4.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
+go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
+go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
+go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
+go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
+go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE=
+go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg=
+go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
+go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
+golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
+google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
+google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
--- a/go.work
+++ b/go.work
@@ -1,5 +0,0 @@
-go 1.22.0
-
-toolchain go1.23.1
-
-use ./src
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -0,0 +1,73 @@
+package api
+
+import (
+	"net"
+	"net/http"
+
+	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	"github.com/yusing/go-proxy/internal/api/v1/auth"
+	. "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func NewServeMux() ServeMux {
+	return ServeMux{http.NewServeMux()}
+}
+
+func (mux ServeMux) HandleFunc(method, endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(method+" "+endpoint, checkHost(rateLimited(handler)))
+}
+
+func NewHandler() http.Handler {
+	mux := NewServeMux()
+	mux.HandleFunc("GET", "/v1", v1.Index)
+	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
+	mux.HandleFunc("POST", "/v1/login", auth.LoginHandler)
+	mux.HandleFunc("GET", "/v1/logout", auth.LogoutHandler)
+	mux.HandleFunc("POST", "/v1/logout", auth.LogoutHandler)
+	mux.HandleFunc("POST", "/v1/reload", v1.Reload)
+	mux.HandleFunc("GET", "/v1/list", auth.RequireAuth(v1.List))
+	mux.HandleFunc("GET", "/v1/list/{what}", auth.RequireAuth(v1.List))
+	mux.HandleFunc("GET", "/v1/list/{what}/{which}", auth.RequireAuth(v1.List))
+	mux.HandleFunc("GET", "/v1/file", auth.RequireAuth(v1.GetFileContent))
+	mux.HandleFunc("GET", "/v1/file/{filename...}", auth.RequireAuth(v1.GetFileContent))
+	mux.HandleFunc("POST", "/v1/file/{filename...}", auth.RequireAuth(v1.SetFileContent))
+	mux.HandleFunc("PUT", "/v1/file/{filename...}", auth.RequireAuth(v1.SetFileContent))
+	mux.HandleFunc("GET", "/v1/stats", v1.Stats)
+	mux.HandleFunc("GET", "/v1/stats/ws", v1.StatsWS)
+	return mux
+}
+
+// allow only requests to API server with localhost.
+func checkHost(f http.HandlerFunc) http.HandlerFunc {
+	if common.IsDebug {
+		return f
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		host, _, _ := net.SplitHostPort(r.RemoteAddr)
+		if host != "127.0.0.1" && host != "localhost" && host != "[::1]" {
+			LogWarn(r).Msgf("blocked API request from %s", host)
+			http.Error(w, "forbidden", http.StatusForbidden)
+			return
+		}
+		LogDebug(r).Interface("headers", r.Header).Msg("API request")
+		f(w, r)
+	}
+}
+
+func rateLimited(f http.HandlerFunc) http.HandlerFunc {
+	m, err := middleware.RateLimiter.New(middleware.OptionsRaw{
+		"average": 10,
+		"burst":   10,
+	})
+	if err != nil {
+		logging.Fatal().Err(err).Msg("unable to create API rate limiter")
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		m.ModifyRequest(f, w, r)
+	}
+}
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -0,0 +1,135 @@
+package auth
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type (
+	Credentials struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}
+	Claims struct {
+		Username string `json:"username"`
+		jwt.RegisteredClaims
+	}
+)
+
+var (
+	ErrInvalidUsername = E.New("invalid username")
+	ErrInvalidPassword = E.New("invalid password")
+)
+
+func validatePassword(cred *Credentials) error {
+	if cred.Username != common.APIUser {
+		return ErrInvalidUsername.Subject(cred.Username)
+	}
+	if !bytes.Equal(common.HashPassword(cred.Password), common.APIPasswordHash) {
+		return ErrInvalidPassword.Subject(cred.Password)
+	}
+	return nil
+}
+
+func LoginHandler(w http.ResponseWriter, r *http.Request) {
+	var creds Credentials
+	err := json.NewDecoder(r.Body).Decode(&creds)
+	if err != nil {
+		U.HandleErr(w, r, err, http.StatusBadRequest)
+		return
+	}
+	if err := validatePassword(&creds); err != nil {
+		U.HandleErr(w, r, err, http.StatusUnauthorized)
+		return
+	}
+
+	expiresAt := time.Now().Add(common.APIJWTTokenTTL)
+	claim := &Claims{
+		Username: creds.Username,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
+		},
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS512, claim)
+	tokenStr, err := token.SignedString(common.APIJWTSecret)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "token",
+		Value:    tokenStr,
+		Expires:  expiresAt,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	})
+	w.WriteHeader(http.StatusOK)
+}
+
+func LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     "token",
+		Value:    "",
+		Expires:  time.Unix(0, 0),
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	})
+	w.Header().Set("location", "/login")
+	w.WriteHeader(http.StatusTemporaryRedirect)
+}
+
+func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
+	if common.IsDebugSkipAuth || common.APIJWTSecret == nil {
+		return next
+	}
+
+	return func(w http.ResponseWriter, r *http.Request) {
+		if checkToken(w, r) {
+			next(w, r)
+		}
+	}
+}
+
+func checkToken(w http.ResponseWriter, r *http.Request) (ok bool) {
+	tokenCookie, err := r.Cookie("token")
+	if err != nil {
+		U.RespondError(w, E.New("missing token"), http.StatusUnauthorized)
+		return false
+	}
+	var claims Claims
+	token, err := jwt.ParseWithClaims(tokenCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return common.APIJWTSecret, nil
+	})
+
+	switch {
+	case err != nil:
+		break
+	case !token.Valid:
+		err = E.New("invalid token")
+	case claims.Username != common.APIUser:
+		err = E.New("username mismatch").Subject(claims.Username)
+	case claims.ExpiresAt.Before(time.Now()):
+		err = E.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
+	}
+
+	if err != nil {
+		U.RespondError(w, err, http.StatusForbidden)
+		return false
+	}
+
+	return true
+}
--- a/internal/api/v1/file.go
+++ b/internal/api/v1/file.go
@@ -5,11 +5,14 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"strings"

-	U "github.com/yusing/go-proxy/api/v1/utils"
-	"github.com/yusing/go-proxy/common"
-	"github.com/yusing/go-proxy/config"
-	"github.com/yusing/go-proxy/proxy/provider"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/route/provider"
 )

 func GetFileContent(w http.ResponseWriter, r *http.Request) {
@@ -22,7 +25,7 @@ func GetFileContent(w http.ResponseWriter, r *http.Request) {
 		U.HandleErr(w, r, err)
 		return
 	}
-	w.Write(content)
+	U.WriteBody(w, content)
 }

 func SetFileContent(w http.ResponseWriter, r *http.Request) {
@@ -37,18 +40,24 @@ func SetFileContent(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if filename == common.ConfigFileName {
-		err = config.Validate(content).Error()
-	} else {
-		err = provider.Validate(content).Error()
+	var valErr E.Error
+	switch {
+	case filename == common.ConfigFileName:
+		valErr = config.Validate(content)
+	case strings.HasPrefix(filename, path.Base(common.MiddlewareComposeBasePath)):
+		errs := E.NewBuilder("middleware errors")
+		middleware.BuildMiddlewaresFromYAML(filename, content, errs)
+		valErr = errs.Error()
+	default:
+		valErr = provider.Validate(content)
 	}

-	if err != nil {
-		U.HandleErr(w, r, err, http.StatusBadRequest)
+	if valErr != nil {
+		U.RespondError(w, valErr, http.StatusBadRequest)
 		return
 	}

-	err = os.WriteFile(path.Join(common.ConfigBasePath, filename), content, 0644)
+	err = os.WriteFile(path.Join(common.ConfigBasePath, filename), content, 0o644)
 	if err != nil {
 		U.HandleErr(w, r, err)
 		return
--- a/internal/api/v1/index.go
+++ b/internal/api/v1/index.go
@@ -0,0 +1,11 @@
+package v1
+
+import (
+	"net/http"
+
+	. "github.com/yusing/go-proxy/internal/api/v1/utils"
+)
+
+func Index(w http.ResponseWriter, r *http.Request) {
+	WriteBody(w, []byte("API ready"))
+}
--- a/internal/api/v1/list.go
+++ b/internal/api/v1/list.go
@@ -0,0 +1,83 @@
+package v1
+
+import (
+	"net/http"
+	"strings"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+const (
+	ListRoute            = "route"
+	ListRoutes           = "routes"
+	ListConfigFiles      = "config_files"
+	ListMiddlewares      = "middlewares"
+	ListMiddlewareTraces = "middleware_trace"
+	ListMatchDomains     = "match_domains"
+	ListHomepageConfig   = "homepage_config"
+	ListTasks            = "tasks"
+)
+
+func List(w http.ResponseWriter, r *http.Request) {
+	what := r.PathValue("what")
+	if what == "" {
+		what = ListRoutes
+	}
+	which := r.PathValue("which")
+
+	switch what {
+	case ListRoute:
+		if route := listRoute(which); route == nil {
+			http.NotFound(w, r)
+			return
+		} else {
+			U.RespondJSON(w, r, route)
+		}
+	case ListRoutes:
+		U.RespondJSON(w, r, config.RoutesByAlias(route.RouteType(r.FormValue("type"))))
+	case ListConfigFiles:
+		listConfigFiles(w, r)
+	case ListMiddlewares:
+		U.RespondJSON(w, r, middleware.All())
+	case ListMiddlewareTraces:
+		U.RespondJSON(w, r, middleware.GetAllTrace())
+	case ListMatchDomains:
+		U.RespondJSON(w, r, config.Value().MatchDomains)
+	case ListHomepageConfig:
+		U.RespondJSON(w, r, config.HomepageConfig())
+	case ListTasks:
+		U.RespondJSON(w, r, task.DebugTaskList())
+	default:
+		U.HandleErr(w, r, U.ErrInvalidKey("what"), http.StatusBadRequest)
+	}
+}
+
+func listRoute(which string) any {
+	if which == "" || which == "all" {
+		return config.RoutesByAlias()
+	}
+	routes := config.RoutesByAlias()
+	route, ok := routes[which]
+	if !ok {
+		return nil
+	}
+	return route
+}
+
+func listConfigFiles(w http.ResponseWriter, r *http.Request) {
+	files, err := utils.ListFiles(common.ConfigBasePath, 1)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	for i := range files {
+		files[i] = strings.TrimPrefix(files[i], common.ConfigBasePath+"/")
+	}
+	U.RespondJSON(w, r, files)
+}
--- a/internal/api/v1/query/query.go
+++ b/internal/api/v1/query/query.go
@@ -0,0 +1,64 @@
+package query
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
+)
+
+func ReloadServer() E.Error {
+	resp, err := U.Post(common.APIHTTPURL+"/v1/reload", "", nil)
+	if err != nil {
+		return E.From(err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		failure := E.Errorf("server reload status %v", resp.StatusCode)
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return failure.With(err)
+		}
+		reloadErr := string(body)
+		return failure.Withf(reloadErr)
+	}
+	return nil
+}
+
+func List[T any](what string) (_ T, outErr E.Error) {
+	resp, err := U.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, what))
+	if err != nil {
+		outErr = E.From(err)
+		return
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		outErr = E.Errorf("list %s: failed, status %v", what, resp.StatusCode)
+		return
+	}
+	var res T
+	err = json.NewDecoder(resp.Body).Decode(&res)
+	if err != nil {
+		outErr = E.From(err)
+		return
+	}
+	return res, nil
+}
+
+func ListRoutes() (map[string]map[string]any, E.Error) {
+	return List[map[string]map[string]any](v1.ListRoutes)
+}
+
+func ListMiddlewareTraces() (middleware.Traces, E.Error) {
+	return List[middleware.Traces](v1.ListMiddlewareTraces)
+}
+
+func DebugListTasks() (map[string]any, E.Error) {
+	return List[map[string]any](v1.ListTasks)
+}
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -0,0 +1,16 @@
+package v1
+
+import (
+	"net/http"
+
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/config"
+)
+
+func Reload(w http.ResponseWriter, r *http.Request) {
+	if err := config.Reload(); err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	U.WriteBody(w, []byte("OK"))
+}
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -0,0 +1,70 @@
+package v1
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+func Stats(w http.ResponseWriter, r *http.Request) {
+	U.RespondJSON(w, r, getStats())
+}
+
+func StatsWS(w http.ResponseWriter, r *http.Request) {
+	var originPats []string
+
+	localAddresses := []string{"127.0.0.1", "10.0.*.*", "172.16.*.*", "192.168.*.*"}
+
+	if len(config.Value().MatchDomains) == 0 {
+		U.LogWarn(r).Msg("no match domains configured, accepting websocket API request from all origins")
+		originPats = []string{"*"}
+	} else {
+		originPats = make([]string, len(config.Value().MatchDomains))
+		for i, domain := range config.Value().MatchDomains {
+			originPats[i] = "*" + domain
+		}
+		originPats = append(originPats, localAddresses...)
+	}
+	if common.IsDebug {
+		originPats = []string{"*"}
+	}
+	conn, err := websocket.Accept(w, r, &websocket.AcceptOptions{
+		OriginPatterns: originPats,
+	})
+	if err != nil {
+		U.LogError(r).Err(err).Msg("failed to upgrade websocket")
+		return
+	}
+	/* trunk-ignore(golangci-lint/errcheck) */
+	defer conn.CloseNow()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		stats := getStats()
+		if err := wsjson.Write(ctx, conn, stats); err != nil {
+			U.LogError(r).Msg("failed to write JSON")
+			return
+		}
+	}
+}
+
+var startTime = time.Now()
+
+func getStats() map[string]any {
+	return map[string]any{
+		"proxies": config.Statistics(),
+		"uptime":  strutils.FormatDuration(time.Since(startTime)),
+	}
+}
--- a/internal/api/v1/utils/error.go
+++ b/internal/api/v1/utils/error.go
@@ -0,0 +1,43 @@
+package utils
+
+import (
+	"net/http"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
+)
+
+// HandleErr logs the error and returns an HTTP error response to the client.
+// If code is specified, it will be used as the HTTP status code; otherwise,
+// http.StatusInternalServerError is used.
+//
+// The error is only logged but not returned to the client.
+func HandleErr(w http.ResponseWriter, r *http.Request, err error, code ...int) {
+	if err == nil {
+		return
+	}
+	LogError(r).Msg(err.Error())
+	if len(code) == 0 {
+		code = []int{http.StatusInternalServerError}
+	}
+	http.Error(w, http.StatusText(code[0]), code[0])
+}
+
+func RespondError(w http.ResponseWriter, err error, code ...int) {
+	if len(code) == 0 {
+		code = []int{http.StatusBadRequest}
+	}
+	http.Error(w, ansi.StripANSI(err.Error()), code[0])
+}
+
+func ErrMissingKey(k string) error {
+	return E.New("missing key '" + k + "' in query or request body")
+}
+
+func ErrInvalidKey(k string) error {
+	return E.New("invalid key '" + k + "' in query or request body")
+}
+
+func ErrNotFound(k, v string) error {
+	return E.Errorf("key %q with value %q not found", k, v)
+}
--- a/internal/api/v1/utils/http_client.go
+++ b/internal/api/v1/utils/http_client.go
@@ -0,0 +1,28 @@
+package utils
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+var (
+	httpClient = &http.Client{
+		Timeout: common.ConnectionTimeout,
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+			ForceAttemptHTTP2: false,
+			DialContext: (&net.Dialer{
+				Timeout:   common.DialTimeout,
+				KeepAlive: common.KeepAlive, // this is different from DisableKeepAlives
+			}).DialContext,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+
+	Get  = httpClient.Get
+	Post = httpClient.Post
+	Head = httpClient.Head
+)
--- a/internal/api/v1/utils/logging.go
+++ b/internal/api/v1/utils/logging.go
@@ -0,0 +1,20 @@
+package utils
+
+import (
+	"net/http"
+
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/logging"
+)
+
+func reqLogger(r *http.Request, level zerolog.Level) *zerolog.Event {
+	return logging.WithLevel(level).
+		Str("module", "api").
+		Str("remote", r.RemoteAddr).
+		Str("uri", r.Method+" "+r.RequestURI)
+}
+
+func LogError(r *http.Request) *zerolog.Event { return reqLogger(r, zerolog.ErrorLevel) }
+func LogWarn(r *http.Request) *zerolog.Event  { return reqLogger(r, zerolog.WarnLevel) }
+func LogInfo(r *http.Request) *zerolog.Event  { return reqLogger(r, zerolog.InfoLevel) }
+func LogDebug(r *http.Request) *zerolog.Event { return reqLogger(r, zerolog.DebugLevel) }
--- a/internal/api/v1/utils/utils.go
+++ b/internal/api/v1/utils/utils.go
@@ -0,0 +1,48 @@
+package utils
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
+)
+
+func WriteBody(w http.ResponseWriter, body []byte) {
+	if _, err := w.Write(body); err != nil {
+		HandleErr(w, nil, err)
+	}
+}
+
+func RespondJSON(w http.ResponseWriter, r *http.Request, data any, code ...int) (canProceed bool) {
+	if len(code) > 0 {
+		w.WriteHeader(code[0])
+	}
+	w.Header().Set("Content-Type", "application/json")
+	var j []byte
+	var err error
+
+	switch data := data.(type) {
+	case string:
+		j = []byte(fmt.Sprintf("%q", data))
+	case []byte:
+		j = data
+	case error:
+		j, err = json.Marshal(ansi.StripANSI(data.Error()))
+	default:
+		j, err = json.MarshalIndent(data, "", "  ")
+	}
+
+	if err != nil {
+		logging.Panic().Err(err).Msg("failed to marshal json")
+		return false
+	}
+
+	_, err = w.Write(j)
+	if err != nil {
+		HandleErr(w, r, err)
+		return false
+	}
+	return true
+}
--- a/internal/api/v1/version.go
+++ b/internal/api/v1/version.go
@@ -0,0 +1,12 @@
+package v1
+
+import (
+	"net/http"
+
+	. "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+func GetVersion(w http.ResponseWriter, r *http.Request) {
+	WriteBody(w, []byte(pkg.GetVersion()))
+}
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -0,0 +1,120 @@
+package autocert
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"os"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/lego"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+
+	"github.com/yusing/go-proxy/internal/config/types"
+)
+
+type Config types.AutoCertConfig
+
+var (
+	ErrMissingDomain   = E.New("missing field 'domains'")
+	ErrMissingEmail    = E.New("missing field 'email'")
+	ErrMissingProvider = E.New("missing field 'provider'")
+	ErrUnknownProvider = E.New("unknown provider")
+)
+
+func NewConfig(cfg *types.AutoCertConfig) *Config {
+	if cfg == nil {
+		cfg = new(types.AutoCertConfig)
+	}
+	if cfg.CertPath == "" {
+		cfg.CertPath = CertFileDefault
+	}
+	if cfg.KeyPath == "" {
+		cfg.KeyPath = KeyFileDefault
+	}
+	if cfg.Provider == "" {
+		cfg.Provider = ProviderLocal
+	}
+	if cfg.ACMEKeyPath == "" {
+		cfg.ACMEKeyPath = ACMEKeyFileDefault
+	}
+	return (*Config)(cfg)
+}
+
+func (cfg *Config) GetProvider() (*Provider, E.Error) {
+	b := E.NewBuilder("autocert errors")
+
+	if cfg.Provider != ProviderLocal {
+		if len(cfg.Domains) == 0 {
+			b.Add(ErrMissingDomain)
+		}
+		if cfg.Provider == "" {
+			b.Add(ErrMissingProvider)
+		}
+		if cfg.Email == "" {
+			b.Add(ErrMissingEmail)
+		}
+		// check if provider is implemented
+		_, ok := providersGenMap[cfg.Provider]
+		if !ok {
+			b.Add(ErrUnknownProvider.
+				Subject(cfg.Provider).
+				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providersGenMap))))
+		}
+	}
+
+	if b.HasError() {
+		return nil, b.Error()
+	}
+
+	var privKey *ecdsa.PrivateKey
+	var err error
+
+	if cfg.Provider != ProviderLocal {
+		if privKey, err = cfg.loadACMEKey(); err != nil {
+			logging.Info().Err(err).Msg("load ACME private key failed")
+			logging.Info().Msg("generate new ACME private key")
+			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+			if err != nil {
+				return nil, E.New("generate ACME private key").With(err)
+			}
+			if err = cfg.saveACMEKey(privKey); err != nil {
+				return nil, E.New("save ACME private key").With(err)
+			}
+		}
+	}
+
+	user := &User{
+		Email: cfg.Email,
+		key:   privKey,
+	}
+
+	legoCfg := lego.NewConfig(user)
+	legoCfg.Certificate.KeyType = certcrypto.RSA2048
+
+	return &Provider{
+		cfg:     cfg,
+		user:    user,
+		legoCfg: legoCfg,
+	}, nil
+}
+
+func (cfg *Config) loadACMEKey() (*ecdsa.PrivateKey, error) {
+	data, err := os.ReadFile(cfg.ACMEKeyPath)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseECPrivateKey(data)
+}
+
+func (cfg *Config) saveACMEKey(key *ecdsa.PrivateKey) error {
+	data, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
+}
--- a/internal/autocert/constants.go
+++ b/internal/autocert/constants.go
@@ -1,20 +1,17 @@
 package autocert

 import (
-	"errors"
-
 	"github.com/go-acme/lego/v4/providers/dns/clouddns"
 	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
 	"github.com/go-acme/lego/v4/providers/dns/duckdns"
 	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	"github.com/sirupsen/logrus"
 )

 const (
-	certBasePath     = "certs/"
-	CertFileDefault  = certBasePath + "cert.crt"
-	KeyFileDefault   = certBasePath + "priv.key"
-	RegistrationFile = certBasePath + "registration.json"
+	certBasePath       = "certs/"
+	CertFileDefault    = certBasePath + "cert.crt"
+	KeyFileDefault     = certBasePath + "priv.key"
+	ACMEKeyFileDefault = certBasePath + "acme.key"
 )

 const (
@@ -32,9 +29,3 @@ var providersGenMap = map[string]ProviderGenerator{
 	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
 	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
 }
-
-var (
-	ErrGetCertFailure = errors.New("get certificate failed")
-)
-
-var logger = logrus.WithField("module", "autocert")
--- a/internal/autocert/dummy.go
+++ b/internal/autocert/dummy.go
--- a/internal/autocert/logger.go
+++ b/internal/autocert/logger.go
@@ -0,0 +1,5 @@
+package autocert
+
+import "github.com/yusing/go-proxy/internal/logging"
+
+var logger = logging.With().Str("module", "autocert").Logger()
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -0,0 +1,315 @@
+package autocert
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"os"
+	"path"
+	"reflect"
+	"sort"
+	"time"
+
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
+	"github.com/yusing/go-proxy/internal/config/types"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/task"
+	U "github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type (
+	Provider struct {
+		cfg     *Config
+		user    *User
+		legoCfg *lego.Config
+		client  *lego.Client
+
+		legoCert     *certificate.Resource
+		tlsCert      *tls.Certificate
+		certExpiries CertExpiries
+	}
+	ProviderGenerator func(types.AutocertProviderOpt) (challenge.Provider, E.Error)
+
+	CertExpiries map[string]time.Time
+)
+
+var ErrGetCertFailure = errors.New("get certificate failed")
+
+func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if p.tlsCert == nil {
+		return nil, ErrGetCertFailure
+	}
+	return p.tlsCert, nil
+}
+
+func (p *Provider) GetName() string {
+	return p.cfg.Provider
+}
+
+func (p *Provider) GetCertPath() string {
+	return p.cfg.CertPath
+}
+
+func (p *Provider) GetKeyPath() string {
+	return p.cfg.KeyPath
+}
+
+func (p *Provider) GetExpiries() CertExpiries {
+	return p.certExpiries
+}
+
+func (p *Provider) ObtainCert() E.Error {
+	if p.cfg.Provider == ProviderLocal {
+		return nil
+	}
+
+	if p.client == nil {
+		if err := p.initClient(); err != nil {
+			return err
+		}
+	}
+
+	if p.user.Registration == nil {
+		if err := p.registerACME(); err != nil {
+			return E.From(err)
+		}
+	}
+
+	var cert *certificate.Resource
+	var err error
+
+	if p.legoCert != nil {
+		cert, err = p.client.Certificate.RenewWithOptions(*p.legoCert, &certificate.RenewOptions{
+			Bundle: true,
+		})
+		if err != nil {
+			p.legoCert = nil
+			logger.Err(err).Msg("cert renew failed, fallback to obtain")
+		} else {
+			p.legoCert = cert
+		}
+	}
+
+	if cert == nil {
+		cert, err = p.client.Certificate.Obtain(certificate.ObtainRequest{
+			Domains: p.cfg.Domains,
+			Bundle:  true,
+		})
+		if err != nil {
+			return E.From(err)
+		}
+	}
+
+	if err = p.saveCert(cert); err != nil {
+		return E.From(err)
+	}
+
+	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
+	if err != nil {
+		return E.From(err)
+	}
+
+	expiries, err := getCertExpiries(&tlsCert)
+	if err != nil {
+		return E.From(err)
+	}
+	p.tlsCert = &tlsCert
+	p.certExpiries = expiries
+
+	return nil
+}
+
+func (p *Provider) LoadCert() E.Error {
+	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
+	if err != nil {
+		return E.Errorf("load SSL certificate: %w", err)
+	}
+	expiries, err := getCertExpiries(&cert)
+	if err != nil {
+		return E.Errorf("parse SSL certificate: %w", err)
+	}
+	p.tlsCert = &cert
+	p.certExpiries = expiries
+
+	logger.Info().Msgf("next renewal in %v", strutils.FormatDuration(time.Until(p.ShouldRenewOn())))
+	return p.renewIfNeeded()
+}
+
+// ShouldRenewOn returns the time at which the certificate should be renewed.
+func (p *Provider) ShouldRenewOn() time.Time {
+	for _, expiry := range p.certExpiries {
+		return expiry.AddDate(0, -1, 0) // 1 month before
+	}
+	// this line should never be reached
+	panic("no certificate available")
+}
+
+func (p *Provider) ScheduleRenewal() {
+	if p.GetName() == ProviderLocal {
+		return
+	}
+	go func() {
+		task := task.RootTask("cert-renew-scheduler", true)
+		defer task.Finish(nil)
+
+		for {
+			renewalTime := p.ShouldRenewOn()
+			timer := time.NewTimer(time.Until(renewalTime))
+
+			select {
+			case <-task.Context().Done():
+				timer.Stop()
+				return
+			case <-timer.C:
+				if err := p.renewIfNeeded(); err != nil {
+					E.LogWarn("cert renew failed", err, &logger)
+					// Retry after 1 hour on failure
+					time.Sleep(time.Hour)
+				}
+			}
+		}
+	}()
+}
+
+func (p *Provider) initClient() E.Error {
+	legoClient, err := lego.NewClient(p.legoCfg)
+	if err != nil {
+		return E.From(err)
+	}
+
+	generator := providersGenMap[p.cfg.Provider]
+	legoProvider, pErr := generator(p.cfg.Options)
+	if pErr != nil {
+		return pErr
+	}
+
+	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
+	if err != nil {
+		return E.From(err)
+	}
+
+	p.client = legoClient
+	return nil
+}
+
+func (p *Provider) registerACME() error {
+	if p.user.Registration != nil {
+		return nil
+	}
+	if reg, err := p.client.Registration.ResolveAccountByKey(); err == nil {
+		p.user.Registration = reg
+		logger.Info().Msg("reused acme registration from private key")
+		return nil
+	}
+
+	reg, err := p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	if err != nil {
+		return err
+	}
+	p.user.Registration = reg
+	logger.Info().Interface("reg", reg).Msg("acme registered")
+	return nil
+}
+
+func (p *Provider) saveCert(cert *certificate.Resource) error {
+	/* This should have been done in setup
+	but double check is always a good choice.*/
+	_, err := os.Stat(path.Dir(p.cfg.CertPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			if err = os.MkdirAll(path.Dir(p.cfg.CertPath), 0o755); err != nil {
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+	err = os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(p.cfg.CertPath, cert.Certificate, 0o644) // -rw-r--r--
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (p *Provider) certState() CertState {
+	if time.Now().After(p.ShouldRenewOn()) {
+		return CertStateExpired
+	}
+
+	certDomains := make([]string, len(p.certExpiries))
+	wantedDomains := make([]string, len(p.cfg.Domains))
+	i := 0
+	for domain := range p.certExpiries {
+		certDomains[i] = domain
+		i++
+	}
+	copy(wantedDomains, p.cfg.Domains)
+	sort.Strings(wantedDomains)
+	sort.Strings(certDomains)
+
+	if !reflect.DeepEqual(certDomains, wantedDomains) {
+		logger.Info().Msgf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
+		return CertStateMismatch
+	}
+
+	return CertStateValid
+}
+
+func (p *Provider) renewIfNeeded() E.Error {
+	if p.cfg.Provider == ProviderLocal {
+		return nil
+	}
+
+	switch p.certState() {
+	case CertStateExpired:
+		logger.Info().Msg("certs expired, renewing")
+	case CertStateMismatch:
+		logger.Info().Msg("cert domains mismatch with config, renewing")
+	default:
+		return nil
+	}
+
+	return p.ObtainCert()
+}
+
+func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
+	r := make(CertExpiries, len(cert.Certificate))
+	for _, cert := range cert.Certificate {
+		x509Cert, err := x509.ParseCertificate(cert)
+		if err != nil {
+			return nil, err
+		}
+		if x509Cert.IsCA {
+			continue
+		}
+		r[x509Cert.Subject.CommonName] = x509Cert.NotAfter
+		for i := range x509Cert.DNSNames {
+			r[x509Cert.DNSNames[i]] = x509Cert.NotAfter
+		}
+	}
+	return r, nil
+}
+
+func providerGenerator[CT any, PT challenge.Provider](
+	defaultCfg func() *CT,
+	newProvider func(*CT) (PT, error),
+) ProviderGenerator {
+	return func(opt types.AutocertProviderOpt) (challenge.Provider, E.Error) {
+		cfg := defaultCfg()
+		err := U.Deserialize(opt, cfg)
+		if err != nil {
+			return nil, err
+		}
+		p, pErr := newProvider(cfg)
+		return p, E.From(pErr)
+	}
+}
--- a/internal/autocert/provider_test/ovh_test.go
+++ b/internal/autocert/provider_test/ovh_test.go
@@ -4,8 +4,8 @@ import (
 	"testing"

 	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	U "github.com/yusing/go-proxy/utils"
-	. "github.com/yusing/go-proxy/utils/testing"
+	U "github.com/yusing/go-proxy/internal/utils"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
 	"gopkg.in/yaml.v3"
 )

@@ -45,6 +45,6 @@ oauth2_config:
 	testYaml = testYaml[1:] // remove first \n
 	opt := make(map[string]any)
 	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), opt))
-	ExpectTrue(t, U.Deserialize(opt, cfg).NoError())
+	ExpectNoError(t, U.Deserialize(opt, cfg))
 	ExpectDeepEqual(t, cfg, cfgExpected)
 }
--- a/internal/autocert/setup.go
+++ b/internal/autocert/setup.go
@@ -0,0 +1,29 @@
+package autocert
+
+import (
+	"os"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+func (p *Provider) Setup() (err E.Error) {
+	if err = p.LoadCert(); err != nil {
+		if !err.Is(os.ErrNotExist) { // ignore if cert doesn't exist
+			return err
+		}
+		logger.Debug().Msg("obtaining cert due to error loading cert")
+		if err = p.ObtainCert(); err != nil {
+			return err
+		}
+	}
+
+	p.ScheduleRenewal()
+
+	for _, expiry := range p.GetExpiries() {
+		logger.Info().Msg("certificate expire on " + strutils.FormatTime(expiry))
+		break
+	}
+
+	return nil
+}
--- a/internal/autocert/state.go
+++ b/internal/autocert/state.go
--- a/internal/autocert/user.go
+++ b/internal/autocert/user.go
@@ -1,8 +1,9 @@
 package autocert

 import (
-	"github.com/go-acme/lego/v4/registration"
 	"crypto"
+
+	"github.com/go-acme/lego/v4/registration"
 )

 type User struct {
@@ -19,4 +20,4 @@ func (u *User) GetRegistration() *registration.Resource {
 }
 func (u *User) GetPrivateKey() crypto.PrivateKey {
 	return u.key
-}
+}
--- a/internal/common/args.go
+++ b/internal/common/args.go
@@ -2,9 +2,8 @@ package common

 import (
 	"flag"
-
-	"github.com/sirupsen/logrus"
-	E "github.com/yusing/go-proxy/error"
+	"fmt"
+	"log"
 )

 type Args struct {
@@ -17,9 +16,11 @@ const (
 	CommandValidate           = "validate"
 	CommandListConfigs        = "ls-config"
 	CommandListRoutes         = "ls-routes"
+	CommandListIcons          = "ls-icons"
 	CommandReload             = "reload"
 	CommandDebugListEntries   = "debug-ls-entries"
 	CommandDebugListProviders = "debug-ls-providers"
+	CommandDebugListMTrace    = "debug-ls-mtrace"
 )

 var ValidCommands = []string{
@@ -28,26 +29,28 @@ var ValidCommands = []string{
 	CommandValidate,
 	CommandListConfigs,
 	CommandListRoutes,
+	CommandListIcons,
 	CommandReload,
 	CommandDebugListEntries,
 	CommandDebugListProviders,
+	CommandDebugListMTrace,
 }

 func GetArgs() Args {
 	var args Args
 	flag.Parse()
 	args.Command = flag.Arg(0)
-	if err := validateArg(args.Command); err.HasError() {
-		logrus.Fatal(err)
+	if err := validateArg(args.Command); err != nil {
+		log.Fatalf("invalid command: %s", err)
 	}
 	return args
 }

-func validateArg(arg string) E.NestedError {
+func validateArg(arg string) error {
 	for _, v := range ValidCommands {
 		if arg == v {
 			return nil
 		}
 	}
-	return E.Invalid("argument", arg)
+	return fmt.Errorf("invalid command %q", arg)
 }
--- a/internal/common/constants.go
+++ b/internal/common/constants.go
@@ -7,34 +7,50 @@ import (
 const (
 	ConnectionTimeout = 5 * time.Second
 	DialTimeout       = 3 * time.Second
-	KeepAlive         = 5 * time.Second
+	KeepAlive         = 60 * time.Second
 )

 // file, folder structure

 const (
+	DotEnvPath        = ".env"
+	DotEnvExamplePath = ".env.example"
+
 	ConfigBasePath        = "config"
 	ConfigFileName        = "config.yml"
 	ConfigExampleFileName = "config.example.yml"
 	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
-)

-const (
+	JWTKeyPath = ConfigBasePath + "/jwt.key"
+
+	MiddlewareComposeBasePath = ConfigBasePath + "/middlewares"
+
 	SchemaBasePath         = "schema"
 	ConfigSchemaPath       = SchemaBasePath + "/config.schema.json"
 	FileProviderSchemaPath = SchemaBasePath + "/providers.schema.json"
-)

-const (
 	ComposeFileName        = "compose.yml"
 	ComposeExampleFileName = "compose.example.yml"
+
+	ErrorPagesBasePath = "error_pages"
 )

+var RequiredDirectories = []string{
+	ConfigBasePath,
+	SchemaBasePath,
+	ErrorPagesBasePath,
+	MiddlewareComposeBasePath,
+}
+
 const DockerHostFromEnv = "$DOCKER_HOST"

 const (
-	IdleTimeoutDefault = "0"
+	HealthCheckIntervalDefault = 5 * time.Second
+	HealthCheckTimeoutDefault  = 5 * time.Second
+
 	WakeTimeoutDefault = "30s"
 	StopTimeoutDefault = "10s"
 	StopMethodDefault  = "stop"
 )
+
+const HeaderCheckRedirect = "X-Goproxy-Check-Redirect"
--- a/internal/common/crypto.go
+++ b/internal/common/crypto.go
@@ -0,0 +1,25 @@
+package common
+
+import (
+	"crypto/sha512"
+	"encoding/base64"
+
+	"github.com/rs/zerolog/log"
+)
+
+func HashPassword(pwd string) []byte {
+	h := sha512.New()
+	h.Write([]byte(pwd))
+	return h.Sum(nil)
+}
+
+func decodeJWTKey(key string) []byte {
+	if key == "" {
+		return nil
+	}
+	bytes, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		log.Panic().Err(err).Msg("failed to decode jwt key")
+	}
+	return bytes
+}
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -0,0 +1,98 @@
+package common
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog/log"
+)
+
+var (
+	prefixes = []string{"GODOXY_", "GOPROXY_", ""}
+
+	IsTest          = GetEnvBool("TEST", false) || strings.HasSuffix(os.Args[0], ".test")
+	IsDebug         = GetEnvBool("DEBUG", IsTest)
+	IsDebugSkipAuth = GetEnvBool("DEBUG_SKIP_AUTH", false)
+	IsTrace         = GetEnvBool("TRACE", false) && IsDebug
+	IsProduction    = !IsTest && !IsDebug
+
+	ProxyHTTPAddr,
+	ProxyHTTPHost,
+	ProxyHTTPPort,
+	ProxyHTTPURL = GetAddrEnv("HTTP_ADDR", ":80", "http")
+
+	ProxyHTTPSAddr,
+	ProxyHTTPSHost,
+	ProxyHTTPSPort,
+	ProxyHTTPSURL = GetAddrEnv("HTTPS_ADDR", ":443", "https")
+
+	APIHTTPAddr,
+	APIHTTPHost,
+	APIHTTPPort,
+	APIHTTPURL = GetAddrEnv("API_ADDR", "127.0.0.1:8888", "http")
+
+	MetricsHTTPAddr,
+	MetricsHTTPHost,
+	MetricsHTTPPort,
+	MetricsHTTPURL = GetAddrEnv("PROMETHEUS_ADDR", "", "http")
+	PrometheusEnabled = MetricsHTTPURL != ""
+
+	APIJWTSecret    = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
+	APIJWTTokenTTL  = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
+	APIUser         = GetEnvString("API_USER", "admin")
+	APIPasswordHash = HashPassword(GetEnvString("API_PASSWORD", "password"))
+)
+
+func GetEnv[T any](key string, defaultValue T, parser func(string) (T, error)) T {
+	var value string
+	var ok bool
+	for _, prefix := range prefixes {
+		value, ok = os.LookupEnv(prefix + key)
+		if ok && value != "" {
+			break
+		}
+	}
+	if !ok || value == "" {
+		return defaultValue
+	}
+	parsed, err := parser(value)
+	if err == nil {
+		return parsed
+	}
+	log.Fatal().Err(err).Msgf("env %s: invalid %T value: %s", key, parsed, value)
+	return defaultValue
+}
+
+func GetEnvString(key string, defaultValue string) string {
+	return GetEnv(key, defaultValue, func(s string) (string, error) {
+		return s, nil
+	})
+}
+
+func GetEnvBool(key string, defaultValue bool) bool {
+	return GetEnv(key, defaultValue, strconv.ParseBool)
+}
+
+func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL string) {
+	addr = GetEnvString(key, defaultValue)
+	if addr == "" {
+		return
+	}
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		log.Fatal().Msgf("env %s: invalid address: %s", key, addr)
+	}
+	if host == "" {
+		host = "localhost"
+	}
+	fullURL = fmt.Sprintf("%s://%s:%s", scheme, host, port)
+	return
+}
+
+func GetDurationEnv(key string, defaultValue time.Duration) time.Duration {
+	return GetEnv(key, defaultValue, time.ParseDuration)
+}
--- a/internal/common/ports.go
+++ b/internal/common/ports.go
@@ -59,8 +59,8 @@ var (
 		"nginx-proxy-manager": 81,
 		"open-webui":          8080,
 		"plex":                32400,
-		"portainer":           9000,
-		"portainer-ce":        9000,
+		"portainer-be":        9443,
+		"portainer-ce":        9443,
 		"prometheus":          9090,
 		"prowlarr":            9696,
 		"radarr":              7878,
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -0,0 +1,243 @@
+package config
+
+import (
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/autocert"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/entrypoint"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/notif"
+	proxy "github.com/yusing/go-proxy/internal/route/provider"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+	"github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
+)
+
+type Config struct {
+	value            *types.Config
+	providers        F.Map[string, *proxy.Provider]
+	autocertProvider *autocert.Provider
+	task             *task.Task
+}
+
+var (
+	instance   *Config
+	cfgWatcher watcher.Watcher
+	logger     = logging.With().Str("module", "config").Logger()
+	reloadMu   sync.Mutex
+)
+
+const configEventFlushInterval = 500 * time.Millisecond
+
+const (
+	cfgRenameWarn = `Config file renamed, not reloading.
+Make sure you rename it back before next time you start.`
+	cfgDeleteWarn = `Config file deleted, not reloading.
+You may run "ls-config" to show or dump the current config.`
+)
+
+func GetInstance() *Config {
+	return instance
+}
+
+func newConfig() *Config {
+	return &Config{
+		value:     types.DefaultConfig(),
+		providers: F.NewMapOf[string, *proxy.Provider](),
+		task:      task.RootTask("config", false),
+	}
+}
+
+func Load() (*Config, E.Error) {
+	if instance != nil {
+		return instance, nil
+	}
+	instance = newConfig()
+	cfgWatcher = watcher.NewConfigFileWatcher(common.ConfigFileName)
+	return instance, instance.load()
+}
+
+func Validate(data []byte) E.Error {
+	var model types.Config
+	return utils.DeserializeYAML(data, &model)
+}
+
+func MatchDomains() []string {
+	return instance.value.MatchDomains
+}
+
+func WatchChanges() {
+	t := task.RootTask("config_watcher", true)
+	eventQueue := events.NewEventQueue(
+		t,
+		configEventFlushInterval,
+		OnConfigChange,
+		func(err E.Error) {
+			E.LogError("config reload error", err, &logger)
+		},
+	)
+	eventQueue.Start(cfgWatcher.Events(t.Context()))
+}
+
+func OnConfigChange(ev []events.Event) {
+	// no matter how many events during the interval
+	// just reload once and check the last event
+	switch ev[len(ev)-1].Action {
+	case events.ActionFileRenamed:
+		logger.Warn().Msg(cfgRenameWarn)
+		return
+	case events.ActionFileDeleted:
+		logger.Warn().Msg(cfgDeleteWarn)
+		return
+	}
+
+	if err := Reload(); err != nil {
+		// recovered in event queue
+		panic(err)
+	}
+}
+
+func Reload() E.Error {
+	// avoid race between config change and API reload request
+	reloadMu.Lock()
+	defer reloadMu.Unlock()
+
+	newCfg := newConfig()
+	err := newCfg.load()
+	if err != nil {
+		newCfg.task.Finish(err)
+		return err
+	}
+
+	// cancel all current subtasks -> wait
+	// -> replace config -> start new subtasks
+	instance.task.Finish("config changed")
+	instance = newCfg
+	instance.StartProxyProviders()
+	return nil
+}
+
+func Value() types.Config {
+	return *instance.value
+}
+
+func GetAutoCertProvider() *autocert.Provider {
+	return instance.autocertProvider
+}
+
+func (cfg *Config) Task() *task.Task {
+	return cfg.task
+}
+
+func (cfg *Config) StartProxyProviders() {
+	errs := cfg.providers.CollectErrorsParallel(
+		func(_ string, p *proxy.Provider) error {
+			return p.Start(cfg.task)
+		})
+
+	if err := E.Join(errs...); err != nil {
+		E.LogError("route provider errors", err, &logger)
+	}
+}
+
+func (cfg *Config) load() E.Error {
+	const errMsg = "config load error"
+
+	data, err := os.ReadFile(common.ConfigPath)
+	if err != nil {
+		E.LogFatal(errMsg, err, &logger)
+	}
+
+	model := types.DefaultConfig()
+	if err := utils.DeserializeYAML(data, model); err != nil {
+		E.LogFatal(errMsg, err, &logger)
+	}
+
+	// errors are non fatal below
+	errs := E.NewBuilder(errMsg)
+	errs.Add(entrypoint.SetMiddlewares(model.Entrypoint.Middlewares))
+	errs.Add(entrypoint.SetAccessLogger(cfg.task, model.Entrypoint.AccessLog))
+	errs.Add(cfg.initNotification(model.Providers.Notification))
+	errs.Add(cfg.initAutoCert(model.AutoCert))
+	errs.Add(cfg.loadRouteProviders(&model.Providers))
+
+	cfg.value = model
+	for i, domain := range model.MatchDomains {
+		if !strings.HasPrefix(domain, ".") {
+			model.MatchDomains[i] = "." + domain
+		}
+	}
+	entrypoint.SetFindRouteDomains(model.MatchDomains)
+	return errs.Error()
+}
+
+func (cfg *Config) initNotification(notifCfg []types.NotificationConfig) (err E.Error) {
+	if len(notifCfg) == 0 {
+		return
+	}
+	dispatcher := notif.StartNotifDispatcher(cfg.task)
+	errs := E.NewBuilder("notification providers load errors")
+	for i, notifier := range notifCfg {
+		_, err := dispatcher.RegisterProvider(notifier)
+		if err == nil {
+			continue
+		}
+		errs.Add(err.Subjectf("[%d]", i))
+	}
+	return errs.Error()
+}
+
+func (cfg *Config) initAutoCert(autocertCfg *types.AutoCertConfig) (err E.Error) {
+	if cfg.autocertProvider != nil {
+		return
+	}
+
+	cfg.autocertProvider, err = autocert.NewConfig(autocertCfg).GetProvider()
+	return
+}
+
+func (cfg *Config) loadRouteProviders(providers *types.Providers) E.Error {
+	errs := E.NewBuilder("route provider errors")
+	results := E.NewBuilder("loaded route providers")
+
+	lenLongestName := 0
+	for _, filename := range providers.Files {
+		p, err := proxy.NewFileProvider(filename)
+		if err != nil {
+			errs.Add(E.PrependSubject(filename, err))
+			continue
+		}
+		cfg.providers.Store(p.GetName(), p)
+		if len(p.GetName()) > lenLongestName {
+			lenLongestName = len(p.GetName())
+		}
+	}
+	for name, dockerHost := range providers.Docker {
+		p, err := proxy.NewDockerProvider(name, dockerHost)
+		if err != nil {
+			errs.Add(E.PrependSubject(name, err))
+			continue
+		}
+		cfg.providers.Store(p.GetName(), p)
+		if len(p.GetName()) > lenLongestName {
+			lenLongestName = len(p.GetName())
+		}
+	}
+	cfg.providers.RangeAllParallel(func(_ string, p *proxy.Provider) {
+		if err := p.LoadRoutes(); err != nil {
+			errs.Add(err.Subject(p.String()))
+		}
+		results.Addf("%-"+strconv.Itoa(lenLongestName)+"s %d routes", p.GetName(), p.NumRoutes())
+	})
+	logger.Info().Msg(results.String())
+	return errs.Error()
+}
--- a/internal/config/query.go
+++ b/internal/config/query.go
@@ -0,0 +1,138 @@
+package config
+
+import (
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/homepage"
+	route "github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/route/entry"
+	proxy "github.com/yusing/go-proxy/internal/route/provider"
+	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/yusing/go-proxy/internal/route/types"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+func DumpEntries() map[string]*types.RawEntry {
+	entries := make(map[string]*types.RawEntry)
+	instance.providers.RangeAll(func(_ string, p *proxy.Provider) {
+		p.RangeRoutes(func(alias string, r *route.Route) {
+			entries[alias] = r.Entry
+		})
+	})
+	return entries
+}
+
+func DumpProviders() map[string]*proxy.Provider {
+	entries := make(map[string]*proxy.Provider)
+	instance.providers.RangeAll(func(name string, p *proxy.Provider) {
+		entries[name] = p
+	})
+	return entries
+}
+
+func HomepageConfig() homepage.Config {
+	hpCfg := homepage.NewHomePageConfig()
+	routes.GetHTTPRoutes().RangeAll(func(alias string, r types.HTTPRoute) {
+		en := r.RawEntry()
+		item := en.Homepage
+		if item == nil {
+			item = new(homepage.Item)
+			item.Show = true
+		}
+
+		if !item.IsEmpty() {
+			item.Show = true
+		}
+
+		if !item.Show {
+			return
+		}
+
+		item.Alias = alias
+
+		if item.Name == "" {
+			item.Name = strutils.Title(
+				strings.ReplaceAll(
+					strings.ReplaceAll(alias, "-", " "),
+					"_", " ",
+				),
+			)
+		}
+
+		if instance.value.Homepage.UseDefaultCategories {
+			if en.Container != nil && item.Category == "" {
+				if category, ok := homepage.PredefinedCategories[en.Container.ImageName]; ok {
+					item.Category = category
+				}
+			}
+
+			if item.Category == "" {
+				if category, ok := homepage.PredefinedCategories[strings.ToLower(alias)]; ok {
+					item.Category = category
+				}
+			}
+		}
+
+		switch {
+		case entry.IsDocker(r):
+			if item.Category == "" {
+				item.Category = "Docker"
+			}
+			item.SourceType = string(proxy.ProviderTypeDocker)
+		case entry.UseLoadBalance(r):
+			if item.Category == "" {
+				item.Category = "Load-balanced"
+			}
+			item.SourceType = "loadbalancer"
+		default:
+			if item.Category == "" {
+				item.Category = "Others"
+			}
+			item.SourceType = string(proxy.ProviderTypeFile)
+		}
+
+		item.AltURL = r.TargetURL().String()
+		hpCfg.Add(item)
+	})
+	return hpCfg
+}
+
+func RoutesByAlias(typeFilter ...route.RouteType) map[string]any {
+	rts := make(map[string]any)
+	if len(typeFilter) == 0 || typeFilter[0] == "" {
+		typeFilter = []route.RouteType{route.RouteTypeReverseProxy, route.RouteTypeStream}
+	}
+	for _, t := range typeFilter {
+		switch t {
+		case route.RouteTypeReverseProxy:
+			routes.GetHTTPRoutes().RangeAll(func(alias string, r types.HTTPRoute) {
+				rts[alias] = r
+			})
+		case route.RouteTypeStream:
+			routes.GetStreamRoutes().RangeAll(func(alias string, r types.StreamRoute) {
+				rts[alias] = r
+			})
+		}
+	}
+	return rts
+}
+
+func Statistics() map[string]any {
+	nTotalStreams := 0
+	nTotalRPs := 0
+	providerStats := make(map[string]proxy.ProviderStats)
+
+	instance.providers.RangeAll(func(name string, p *proxy.Provider) {
+		stats := p.Statistics()
+		providerStats[name] = stats
+
+		nTotalRPs += stats.NumRPs
+		nTotalStreams += stats.NumStreams
+	})
+
+	return map[string]any{
+		"num_total_streams":         nTotalStreams,
+		"num_total_reverse_proxies": nTotalRPs,
+		"providers":                 providerStats,
+	}
+}
--- a/internal/config/types/autocert_config.go
+++ b/internal/config/types/autocert_config.go
@@ -0,0 +1,14 @@
+package types
+
+type (
+	AutoCertConfig struct {
+		Email       string              `json:"email,omitempty" validate:"email"`
+		Domains     []string            `json:"domains,omitempty"`
+		CertPath    string              `json:"cert_path,omitempty" validate:"omitempty,filepath"`
+		KeyPath     string              `json:"key_path,omitempty" validate:"omitempty,filepath"`
+		ACMEKeyPath string              `json:"acme_key_path,omitempty" validate:"omitempty,filepath"`
+		Provider    string              `json:"provider,omitempty"`
+		Options     AutocertProviderOpt `json:"options,omitempty"`
+	}
+	AutocertProviderOpt map[string]any
+)
--- a/internal/config/types/config.go
+++ b/internal/config/types/config.go
@@ -0,0 +1,40 @@
+package types
+
+import (
+	"github.com/yusing/go-proxy/internal/net/http/accesslog"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type (
+	Config struct {
+		AutoCert        *AutoCertConfig `json:"autocert" validate:"omitempty"`
+		Entrypoint      Entrypoint      `json:"entrypoint"`
+		Providers       Providers       `json:"providers"`
+		MatchDomains    []string        `json:"match_domains" validate:"dive,fqdn"`
+		Homepage        HomepageConfig  `json:"homepage"`
+		TimeoutShutdown int             `json:"timeout_shutdown" validate:"gte=0"`
+	}
+	Providers struct {
+		Files        []string             `json:"include" validate:"dive,filepath"`
+		Docker       map[string]string    `json:"docker" validate:"dive,unix_addr|url"`
+		Notification []NotificationConfig `json:"notification"`
+	}
+	Entrypoint struct {
+		Middlewares []map[string]any  `json:"middlewares"`
+		AccessLog   *accesslog.Config `json:"access_log" validate:"omitempty"`
+	}
+	NotificationConfig map[string]any
+)
+
+func DefaultConfig() *Config {
+	return &Config{
+		TimeoutShutdown: 3,
+		Homepage: HomepageConfig{
+			UseDefaultCategories: true,
+		},
+	}
+}
+
+func init() {
+	utils.RegisterDefaultValueFactory(DefaultConfig)
+}
--- a/internal/config/types/homepage_config.go
+++ b/internal/config/types/homepage_config.go
@@ -0,0 +1,5 @@
+package types
+
+type HomepageConfig struct {
+	UseDefaultCategories bool `json:"use_default_categories"`
+}
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -0,0 +1,138 @@
+package docker
+
+import (
+	"errors"
+	"net/http"
+	"sync"
+
+	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/docker/client"
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/task"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+type (
+	SharedClient struct {
+		*client.Client
+
+		key      string
+		refCount *U.RefCount
+
+		l zerolog.Logger
+	}
+)
+
+var (
+	clientMap   F.Map[string, *SharedClient] = F.NewMapOf[string, *SharedClient]()
+	clientMapMu sync.Mutex
+
+	clientOptEnvHost = []client.Opt{
+		client.WithHostFromEnv(),
+		client.WithAPIVersionNegotiation(),
+	}
+)
+
+func init() {
+	task.OnProgramExit("docker_clients_cleanup", func() {
+		clientMap.RangeAllParallel(func(_ string, c *SharedClient) {
+			if c.Connected() {
+				c.Client.Close()
+			}
+		})
+	})
+}
+
+func (c *SharedClient) Connected() bool {
+	return c != nil && c.Client != nil
+}
+
+// if the client is still referenced, this is no-op.
+func (c *SharedClient) Close() {
+	if c.Connected() {
+		c.refCount.Sub()
+	}
+}
+
+// ConnectClient creates a new Docker client connection to the specified host.
+//
+// Returns existing client if available.
+//
+// Parameters:
+//   - host: the host to connect to (either a URL or common.DockerHostFromEnv).
+//
+// Returns:
+//   - Client: the Docker client connection.
+//   - error: an error if the connection failed.
+func ConnectClient(host string) (*SharedClient, error) {
+	clientMapMu.Lock()
+	defer clientMapMu.Unlock()
+
+	// check if client exists
+	if client, ok := clientMap.Load(host); ok {
+		client.refCount.Add()
+		return client, nil
+	}
+
+	// create client
+	var opt []client.Opt
+
+	switch host {
+	case "":
+		return nil, errors.New("empty docker host")
+	case common.DockerHostFromEnv:
+		opt = clientOptEnvHost
+	default:
+		helper, err := connhelper.GetConnectionHelper(host)
+		if err != nil {
+			logging.Panic().Err(err).Msg("failed to get connection helper")
+		}
+		if helper != nil {
+			httpClient := &http.Client{
+				Transport: &http.Transport{
+					DialContext: helper.Dialer,
+				},
+			}
+			opt = []client.Opt{
+				client.WithHTTPClient(httpClient),
+				client.WithHost(helper.Host),
+				client.WithAPIVersionNegotiation(),
+				client.WithDialContext(helper.Dialer),
+			}
+		} else {
+			opt = []client.Opt{
+				client.WithHost(host),
+				client.WithAPIVersionNegotiation(),
+			}
+		}
+	}
+
+	client, err := client.NewClientWithOpts(opt...)
+	if err != nil {
+		return nil, err
+	}
+
+	c := &SharedClient{
+		Client:   client,
+		key:      host,
+		refCount: U.NewRefCounter(),
+		l:        logger.With().Str("address", client.DaemonHost()).Logger(),
+	}
+	c.l.Trace().Msg("client connected")
+
+	clientMap.Store(host, c)
+
+	go func() {
+		<-c.refCount.Zero()
+		clientMap.Delete(c.key)
+
+		if c.Connected() {
+			c.Client.Close()
+			c.l.Trace().Msg("client closed")
+		}
+	}()
+	return c, nil
+}
--- a/internal/docker/container.go
+++ b/internal/docker/container.go
@@ -0,0 +1,144 @@
+package docker
+
+import (
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	U "github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type (
+	PortMapping = map[string]types.Port
+	Container   struct {
+		_ U.NoCopy
+
+		DockerHost    string `json:"docker_host"`
+		ContainerName string `json:"container_name"`
+		ContainerID   string `json:"container_id"`
+		ImageName     string `json:"image_name"`
+
+		Labels map[string]string `json:"-"`
+
+		PublicPortMapping  PortMapping `json:"public_ports"`  // non-zero publicPort:types.Port
+		PrivatePortMapping PortMapping `json:"private_ports"` // privatePort:types.Port
+		PublicIP           string      `json:"public_ip"`
+		PrivateIP          string      `json:"private_ip"`
+		NetworkMode        string      `json:"network_mode"`
+
+		Aliases     []string `json:"aliases"`
+		IsExcluded  bool     `json:"is_excluded"`
+		IsExplicit  bool     `json:"is_explicit"`
+		IsDatabase  bool     `json:"is_database"`
+		IdleTimeout string   `json:"idle_timeout,omitempty"`
+		WakeTimeout string   `json:"wake_timeout,omitempty"`
+		StopMethod  string   `json:"stop_method,omitempty"`
+		StopTimeout string   `json:"stop_timeout,omitempty"` // stop_method = "stop" only
+		StopSignal  string   `json:"stop_signal,omitempty"`  // stop_method = "stop" | "kill" only
+		Running     bool     `json:"running"`
+	}
+)
+
+var DummyContainer = new(Container)
+
+func FromDocker(c *types.Container, dockerHost string) (res *Container) {
+	isExplicit := c.Labels[LabelAliases] != ""
+	helper := containerHelper{c}
+	res = &Container{
+		DockerHost:    dockerHost,
+		ContainerName: helper.getName(),
+		ContainerID:   c.ID,
+		ImageName:     helper.getImageName(),
+
+		Labels: c.Labels,
+
+		PublicPortMapping:  helper.getPublicPortMapping(),
+		PrivatePortMapping: helper.getPrivatePortMapping(),
+		NetworkMode:        c.HostConfig.NetworkMode,
+
+		Aliases:     helper.getAliases(),
+		IsExcluded:  strutils.ParseBool(helper.getDeleteLabel(LabelExclude)),
+		IsExplicit:  isExplicit,
+		IsDatabase:  helper.isDatabase(),
+		IdleTimeout: helper.getDeleteLabel(LabelIdleTimeout),
+		WakeTimeout: helper.getDeleteLabel(LabelWakeTimeout),
+		StopMethod:  helper.getDeleteLabel(LabelStopMethod),
+		StopTimeout: helper.getDeleteLabel(LabelStopTimeout),
+		StopSignal:  helper.getDeleteLabel(LabelStopSignal),
+		Running:     c.Status == "running" || c.State == "running",
+	}
+	res.setPrivateIP(helper)
+	res.setPublicIP()
+	return
+}
+
+func FromJSON(json types.ContainerJSON, dockerHost string) *Container {
+	ports := make([]types.Port, 0)
+	for k, bindings := range json.NetworkSettings.Ports {
+		privPortStr, proto := k.Port(), k.Proto()
+		privPort, _ := strconv.ParseUint(privPortStr, 10, 16)
+		ports = append(ports, types.Port{
+			PrivatePort: uint16(privPort),
+			Type:        proto,
+		})
+		for _, v := range bindings {
+			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
+			ports = append(ports, types.Port{
+				IP:          v.HostIP,
+				PublicPort:  uint16(pubPort),
+				PrivatePort: uint16(privPort),
+				Type:        proto,
+			})
+		}
+	}
+	cont := FromDocker(&types.Container{
+		ID:     json.ID,
+		Names:  []string{strings.TrimPrefix(json.Name, "/")},
+		Image:  json.Image,
+		Ports:  ports,
+		Labels: json.Config.Labels,
+		State:  json.State.Status,
+		Status: json.State.Status,
+		Mounts: json.Mounts,
+		NetworkSettings: &types.SummaryNetworkSettings{
+			Networks: json.NetworkSettings.Networks,
+		},
+	}, dockerHost)
+	cont.NetworkMode = string(json.HostConfig.NetworkMode)
+	return cont
+}
+
+func (c *Container) setPublicIP() {
+	if !c.Running {
+		return
+	}
+	if strings.HasPrefix(c.DockerHost, "unix://") {
+		c.PublicIP = "127.0.0.1"
+		return
+	}
+	url, err := url.Parse(c.DockerHost)
+	if err != nil {
+		logger.Err(err).Msgf("invalid docker host %q, falling back to 127.0.0.1", c.DockerHost)
+		c.PublicIP = "127.0.0.1"
+		return
+	}
+	c.PublicIP = url.Hostname()
+}
+
+func (c *Container) setPrivateIP(helper containerHelper) {
+	if !strings.HasPrefix(c.DockerHost, "unix://") {
+		return
+	}
+	if helper.NetworkSettings == nil {
+		return
+	}
+	for _, v := range helper.NetworkSettings.Networks {
+		if v.IPAddress == "" {
+			continue
+		}
+		c.PrivateIP = v.IPAddress
+		return
+	}
+}
--- a/internal/docker/container_helper.go
+++ b/internal/docker/container_helper.go
@@ -0,0 +1,90 @@
+package docker
+
+import (
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type containerHelper struct {
+	*types.Container
+}
+
+// getDeleteLabel gets the value of a label and then deletes it from the container.
+// If the label does not exist, an empty string is returned.
+func (c containerHelper) getDeleteLabel(label string) string {
+	if l, ok := c.Labels[label]; ok {
+		delete(c.Labels, label)
+		return l
+	}
+	return ""
+}
+
+func (c containerHelper) getAliases() []string {
+	if l := c.getDeleteLabel(LabelAliases); l != "" {
+		return strutils.CommaSeperatedList(l)
+	}
+	return []string{c.getName()}
+}
+
+func (c containerHelper) getName() string {
+	return strings.TrimPrefix(c.Names[0], "/")
+}
+
+func (c containerHelper) getImageName() string {
+	colonSep := strutils.SplitRune(c.Image, ':')
+	slashSep := strutils.SplitRune(colonSep[0], '/')
+	return slashSep[len(slashSep)-1]
+}
+
+func (c containerHelper) getPublicPortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		if v.PublicPort == 0 {
+			continue
+		}
+		res[strutils.PortString(v.PublicPort)] = v
+	}
+	return res
+}
+
+func (c containerHelper) getPrivatePortMapping() PortMapping {
+	res := make(PortMapping)
+	for _, v := range c.Ports {
+		res[strutils.PortString(v.PrivatePort)] = v
+	}
+	return res
+}
+
+var databaseMPs = map[string]struct{}{
+	"/var/lib/postgresql/data": {},
+	"/var/lib/mysql":           {},
+	"/var/lib/mongodb":         {},
+	"/var/lib/mariadb":         {},
+	"/var/lib/memcached":       {},
+	"/var/lib/rabbitmq":        {},
+}
+
+var databasePrivPorts = map[uint16]struct{}{
+	5432:  {}, // postgres
+	3306:  {}, // mysql, mariadb
+	6379:  {}, // redis
+	11211: {}, // memcached
+	27017: {}, // mongodb
+}
+
+func (c containerHelper) isDatabase() bool {
+	for _, m := range c.Mounts {
+		if _, ok := databaseMPs[m.Destination]; ok {
+			return true
+		}
+	}
+
+	for _, v := range c.Ports {
+		if _, ok := databasePrivPorts[v.PrivatePort]; ok {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/docker/idlewatcher/html/loading_page.html
+++ b/internal/docker/idlewatcher/html/loading_page.html
@@ -66,22 +66,23 @@
    <body>
        <script>
            window.onload = async function () {
-                let result = await fetch(window.location.href, {
+                let resp = await fetch(window.location.href, {
                    headers: {
-                        {{ range $key, $value := .RequestHeaders }}
-                        '{{ $key }}' : {{ $value }}
-                        {{ end }}
+                        "{{.CheckRedirectHeader}}": "1",
                    },
-                }).then((resp) => resp.text())
-                    .catch((err) => {
-                        document.getElementById("message").innerText = err;
-                    });
-                if (result) {
-                    document.documentElement.innerHTML = result
+                });
+                if (resp.ok) {
+                    window.location.href = resp.url;
+                } else {
+                    document.getElementById("message").innerText =
+                        await resp.text();
+                    document
+                        .getElementById("spinner")
+                        .classList.replace("spinner", "error");
                }
            };
        </script>
-        <div class="{{.SpinnerClass}}"></div>
-        <div class="message">{{.Message}}</div>
+        <div id="spinner" class="spinner"></div>
+        <div id="message" class="message">{{.Message}}</div>
    </body>
 </html>
--- a/internal/docker/idlewatcher/loading_page.go
+++ b/internal/docker/idlewatcher/loading_page.go
@@ -0,0 +1,36 @@
+package idlewatcher
+
+import (
+	"bytes"
+	_ "embed"
+	"strings"
+	"text/template"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+type templateData struct {
+	CheckRedirectHeader string
+	Title               string
+	Message             string
+}
+
+//go:embed html/loading_page.html
+var loadingPage []byte
+var loadingPageTmpl = template.Must(template.New("loading_page").Parse(string(loadingPage)))
+
+func (w *Watcher) makeLoadingPageBody() []byte {
+	msg := w.ContainerName + " is starting..."
+
+	data := new(templateData)
+	data.CheckRedirectHeader = common.HeaderCheckRedirect
+	data.Title = w.ContainerName
+	data.Message = strings.ReplaceAll(msg, " ", "&ensp;")
+
+	buf := bytes.NewBuffer(make([]byte, len(loadingPage)+len(data.Title)+len(data.Message)+len(common.HeaderCheckRedirect)))
+	err := loadingPageTmpl.Execute(buf, data)
+	if err != nil { // should never happen in production
+		panic(err)
+	}
+	return buf.Bytes()
+}
--- a/internal/docker/idlewatcher/types/config.go
+++ b/internal/docker/idlewatcher/types/config.go
@@ -0,0 +1,106 @@
+package types
+
+import (
+	"errors"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/docker"
+	E "github.com/yusing/go-proxy/internal/error"
+)
+
+type (
+	Config struct {
+		IdleTimeout time.Duration `json:"idle_timeout,omitempty"`
+		WakeTimeout time.Duration `json:"wake_timeout,omitempty"`
+		StopTimeout int           `json:"stop_timeout,omitempty"` // docker api takes integer seconds for timeout argument
+		StopMethod  StopMethod    `json:"stop_method,omitempty"`
+		StopSignal  Signal        `json:"stop_signal,omitempty"`
+
+		DockerHost       string `json:"docker_host,omitempty"`
+		ContainerName    string `json:"container_name,omitempty"`
+		ContainerID      string `json:"container_id,omitempty"`
+		ContainerRunning bool   `json:"container_running,omitempty"`
+	}
+	StopMethod string
+	Signal     string
+)
+
+const (
+	StopMethodPause StopMethod = "pause"
+	StopMethodStop  StopMethod = "stop"
+	StopMethodKill  StopMethod = "kill"
+)
+
+var validSignals = map[string]struct{}{
+	"":       {},
+	"SIGINT": {}, "SIGTERM": {}, "SIGHUP": {}, "SIGQUIT": {},
+	"INT": {}, "TERM": {}, "HUP": {}, "QUIT": {},
+}
+
+func ValidateConfig(cont *docker.Container) (*Config, E.Error) {
+	if cont == nil {
+		return nil, nil
+	}
+
+	if cont.IdleTimeout == "" {
+		return &Config{
+			DockerHost:       cont.DockerHost,
+			ContainerName:    cont.ContainerName,
+			ContainerID:      cont.ContainerID,
+			ContainerRunning: cont.Running,
+		}, nil
+	}
+
+	errs := E.NewBuilder("invalid idlewatcher config")
+
+	idleTimeout := E.Collect(errs, validateDurationPostitive, cont.IdleTimeout)
+	wakeTimeout := E.Collect(errs, validateDurationPostitive, cont.WakeTimeout)
+	stopTimeout := E.Collect(errs, validateDurationPostitive, cont.StopTimeout)
+	stopMethod := E.Collect(errs, validateStopMethod, cont.StopMethod)
+	signal := E.Collect(errs, validateSignal, cont.StopSignal)
+
+	if errs.HasError() {
+		return nil, errs.Error()
+	}
+
+	return &Config{
+		IdleTimeout: idleTimeout,
+		WakeTimeout: wakeTimeout,
+		StopTimeout: int(stopTimeout.Seconds()),
+		StopMethod:  stopMethod,
+		StopSignal:  signal,
+
+		DockerHost:       cont.DockerHost,
+		ContainerName:    cont.ContainerName,
+		ContainerID:      cont.ContainerID,
+		ContainerRunning: cont.Running,
+	}, nil
+}
+
+func validateDurationPostitive(value string) (time.Duration, error) {
+	d, err := time.ParseDuration(value)
+	if err != nil {
+		return 0, err
+	}
+	if d < 0 {
+		return 0, errors.New("duration must be positive")
+	}
+	return d, nil
+}
+
+func validateSignal(s string) (Signal, error) {
+	if _, ok := validSignals[s]; ok {
+		return Signal(s), nil
+	}
+	return "", errors.New("invalid signal " + s)
+}
+
+func validateStopMethod(s string) (StopMethod, error) {
+	sm := StopMethod(s)
+	switch sm {
+	case StopMethodPause, StopMethodStop, StopMethodKill:
+		return sm, nil
+	default:
+		return "", errors.New("invalid stop method " + s)
+	}
+}
--- a/internal/docker/idlewatcher/types/waker.go
+++ b/internal/docker/idlewatcher/types/waker.go
@@ -0,0 +1,15 @@
+package types
+
+import (
+	"net/http"
+
+	net "github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+)
+
+type Waker interface {
+	health.HealthMonitor
+	http.Handler
+	net.Stream
+	Wake() error
+}
--- a/internal/docker/idlewatcher/waker.go
+++ b/internal/docker/idlewatcher/waker.go
@@ -0,0 +1,163 @@
+package idlewatcher
+
+import (
+	"sync/atomic"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/docker/idlewatcher/types"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/metrics"
+	gphttp "github.com/yusing/go-proxy/internal/net/http"
+	net "github.com/yusing/go-proxy/internal/net/types"
+	route "github.com/yusing/go-proxy/internal/route/types"
+	"github.com/yusing/go-proxy/internal/task"
+	U "github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
+)
+
+type (
+	Waker = types.Waker
+	waker struct {
+		_ U.NoCopy
+
+		rp     *gphttp.ReverseProxy
+		stream net.Stream
+		hc     health.HealthChecker
+		metric *metrics.Gauge
+
+		ready atomic.Bool
+	}
+)
+
+const (
+	idleWakerCheckInterval = 100 * time.Millisecond
+	idleWakerCheckTimeout  = time.Second
+)
+
+// TODO: support stream
+
+func newWaker(parent task.Parent, entry route.Entry, rp *gphttp.ReverseProxy, stream net.Stream) (Waker, E.Error) {
+	hcCfg := entry.RawEntry().HealthCheck
+	hcCfg.Timeout = idleWakerCheckTimeout
+
+	waker := &waker{
+		rp:     rp,
+		stream: stream,
+	}
+	task := parent.Subtask("idlewatcher." + entry.TargetName())
+	watcher, err := registerWatcher(task, entry, waker)
+	if err != nil {
+		return nil, E.Errorf("register watcher: %w", err)
+	}
+
+	switch {
+	case rp != nil:
+		waker.hc = monitor.NewHTTPHealthChecker(entry.TargetURL(), hcCfg)
+	case stream != nil:
+		waker.hc = monitor.NewRawHealthChecker(entry.TargetURL(), hcCfg)
+	default:
+		panic("both nil")
+	}
+
+	if common.PrometheusEnabled {
+		m := metrics.GetServiceMetrics()
+		fqn := parent.Name() + "/" + entry.TargetName()
+		waker.metric = m.HealthStatus.With(metrics.HealthMetricLabels(fqn))
+		waker.metric.Set(float64(watcher.Status()))
+	}
+	return watcher, nil
+}
+
+// lifetime should follow route provider.
+func NewHTTPWaker(parent task.Parent, entry route.Entry, rp *gphttp.ReverseProxy) (Waker, E.Error) {
+	return newWaker(parent, entry, rp, nil)
+}
+
+func NewStreamWaker(parent task.Parent, entry route.Entry, stream net.Stream) (Waker, E.Error) {
+	return newWaker(parent, entry, nil, stream)
+}
+
+// Start implements health.HealthMonitor.
+func (w *Watcher) Start(parent task.Parent) E.Error {
+	w.task.OnCancel("route_cleanup", func() {
+		parent.Finish(w.task.FinishCause())
+		if w.metric != nil {
+			w.metric.Reset()
+		}
+	})
+	return nil
+}
+
+// Task implements health.HealthMonitor.
+func (w *Watcher) Task() *task.Task {
+	return w.task
+}
+
+// Finish implements health.HealthMonitor.
+func (w *Watcher) Finish(reason any) {
+	if w.stream != nil {
+		w.stream.Close()
+	}
+}
+
+// Name implements health.HealthMonitor.
+func (w *Watcher) Name() string {
+	return w.String()
+}
+
+// String implements health.HealthMonitor.
+func (w *Watcher) String() string {
+	return w.ContainerName
+}
+
+// Uptime implements health.HealthMonitor.
+func (w *Watcher) Uptime() time.Duration {
+	return 0
+}
+
+// Status implements health.HealthMonitor.
+func (w *Watcher) Status() health.Status {
+	status := w.getStatusUpdateReady()
+	if w.metric != nil {
+		w.metric.Set(float64(status))
+	}
+	return status
+}
+
+func (w *Watcher) getStatusUpdateReady() health.Status {
+	if !w.ContainerRunning {
+		return health.StatusNapping
+	}
+
+	if w.ready.Load() {
+		return health.StatusHealthy
+	}
+
+	result, err := w.hc.CheckHealth()
+	switch {
+	case err != nil:
+		w.ready.Store(false)
+		return health.StatusError
+	case result.Healthy:
+		w.ready.Store(true)
+		return health.StatusHealthy
+	default:
+		return health.StatusStarting
+	}
+}
+
+// MarshalJSON implements health.HealthMonitor.
+func (w *Watcher) MarshalJSON() ([]byte, error) {
+	var url net.URL
+	if w.hc.URL().Port() != "0" {
+		url = w.hc.URL()
+	}
+	return (&monitor.JSONRepresentation{
+		Name:   w.Name(),
+		Status: w.Status(),
+		Config: w.hc.Config(),
+		URL:    url,
+	}).MarshalJSON()
+}
--- a/internal/docker/idlewatcher/waker_http.go
+++ b/internal/docker/idlewatcher/waker_http.go
@@ -0,0 +1,108 @@
+package idlewatcher
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/common"
+	gphttp "github.com/yusing/go-proxy/internal/net/http"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+)
+
+// ServeHTTP implements http.Handler.
+func (w *Watcher) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	shouldNext := w.wakeFromHTTP(rw, r)
+	if !shouldNext {
+		return
+	}
+	select {
+	case <-r.Context().Done():
+		return
+	default:
+		w.rp.ServeHTTP(rw, r)
+	}
+}
+
+func (w *Watcher) wakeFromHTTP(rw http.ResponseWriter, r *http.Request) (shouldNext bool) {
+	w.resetIdleTimer()
+
+	// pass through if container is already ready
+	if w.ready.Load() {
+		return true
+	}
+
+	if r.Body != nil {
+		defer r.Body.Close()
+	}
+
+	accept := gphttp.GetAccept(r.Header)
+	acceptHTML := (r.Method == http.MethodGet && accept.AcceptHTML() || r.RequestURI == "/" && accept.IsEmpty())
+
+	isCheckRedirect := r.Header.Get(common.HeaderCheckRedirect) != ""
+	if !isCheckRedirect && acceptHTML {
+		// Send a loading response to the client
+		body := w.makeLoadingPageBody()
+		rw.Header().Set("Content-Type", "text/html; charset=utf-8")
+		rw.Header().Set("Content-Length", strconv.Itoa(len(body)))
+		rw.Header().Add("Cache-Control", "no-cache")
+		rw.Header().Add("Cache-Control", "no-store")
+		rw.Header().Add("Cache-Control", "must-revalidate")
+		rw.Header().Add("Connection", "close")
+		if _, err := rw.Write(body); err != nil {
+			w.Err(err).Msg("error writing http response")
+		}
+		return false
+	}
+
+	ctx, cancel := context.WithTimeoutCause(r.Context(), w.WakeTimeout, errors.New("wake timeout"))
+	defer cancel()
+
+	checkCanceled := func() (canceled bool) {
+		select {
+		case <-ctx.Done():
+			w.WakeDebug().Str("cause", context.Cause(ctx).Error()).Msg("canceled")
+			return true
+		case <-w.task.Context().Done():
+			w.WakeDebug().Str("cause", w.task.FinishCause().Error()).Msg("canceled")
+			http.Error(rw, "Service unavailable", http.StatusServiceUnavailable)
+			return true
+		default:
+			return false
+		}
+	}
+
+	if checkCanceled() {
+		return false
+	}
+
+	w.WakeTrace().Msg("signal received")
+	err := w.wakeIfStopped()
+	if err != nil {
+		w.WakeError(err)
+		http.Error(rw, "Error waking container", http.StatusInternalServerError)
+		return false
+	}
+
+	for {
+		if checkCanceled() {
+			return false
+		}
+
+		if w.Status() == health.StatusHealthy {
+			w.resetIdleTimer()
+			if isCheckRedirect {
+				w.Debug().Msgf("redirecting to %s ...", w.hc.URL())
+				rw.WriteHeader(http.StatusOK)
+				return false
+			}
+			w.Debug().Msgf("passing through to %s ...", w.hc.URL())
+			return true
+		}
+
+		// retry until the container is ready or timeout
+		time.Sleep(idleWakerCheckInterval)
+	}
+}
--- a/internal/docker/idlewatcher/waker_stream.go
+++ b/internal/docker/idlewatcher/waker_stream.go
@@ -0,0 +1,90 @@
+package idlewatcher
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+)
+
+// Setup implements types.Stream.
+func (w *Watcher) Addr() net.Addr {
+	return w.stream.Addr()
+}
+
+// Setup implements types.Stream.
+func (w *Watcher) Setup() error {
+	return w.stream.Setup()
+}
+
+// Accept implements types.Stream.
+func (w *Watcher) Accept() (conn types.StreamConn, err error) {
+	conn, err = w.stream.Accept()
+	if err != nil {
+		return
+	}
+	if wakeErr := w.wakeFromStream(); wakeErr != nil {
+		w.WakeError(wakeErr)
+	}
+	return
+}
+
+// Handle implements types.Stream.
+func (w *Watcher) Handle(conn types.StreamConn) error {
+	if err := w.wakeFromStream(); err != nil {
+		return err
+	}
+	return w.stream.Handle(conn)
+}
+
+// Close implements types.Stream.
+func (w *Watcher) Close() error {
+	return w.stream.Close()
+}
+
+func (w *Watcher) wakeFromStream() error {
+	w.resetIdleTimer()
+
+	// pass through if container is already ready
+	if w.ready.Load() {
+		return nil
+	}
+
+	w.WakeDebug().Msg("wake signal received")
+	wakeErr := w.wakeIfStopped()
+	if wakeErr != nil {
+		wakeErr = fmt.Errorf("%s failed: %w", w.String(), wakeErr)
+		w.WakeError(wakeErr)
+		return wakeErr
+	}
+
+	ctx, cancel := context.WithTimeoutCause(w.task.Context(), w.WakeTimeout, errors.New("wake timeout"))
+	defer cancel()
+
+	for {
+		select {
+		case <-w.task.Context().Done():
+			cause := w.task.FinishCause()
+			w.WakeDebug().Str("cause", cause.Error()).Msg("canceled")
+			return cause
+		case <-ctx.Done():
+			cause := context.Cause(ctx)
+			w.WakeDebug().Str("cause", cause.Error()).Msg("timeout")
+			return cause
+		default:
+		}
+
+		if w.Status() == health.StatusHealthy {
+			w.resetIdleTimer()
+			w.Debug().Msg("container is ready, passing through to " + w.hc.URL().String())
+			return nil
+		}
+
+		// retry until the container is ready or timeout
+		time.Sleep(idleWakerCheckInterval)
+	}
+}
--- a/internal/docker/idlewatcher/watcher.go
+++ b/internal/docker/idlewatcher/watcher.go
@@ -0,0 +1,298 @@
+package idlewatcher
+
+import (
+	"context"
+	"errors"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/rs/zerolog"
+	D "github.com/yusing/go-proxy/internal/docker"
+	idlewatcher "github.com/yusing/go-proxy/internal/docker/idlewatcher/types"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/logging"
+	route "github.com/yusing/go-proxy/internal/route/types"
+	"github.com/yusing/go-proxy/internal/task"
+	U "github.com/yusing/go-proxy/internal/utils"
+	F "github.com/yusing/go-proxy/internal/utils/functional"
+	"github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
+)
+
+type (
+	Watcher struct {
+		_ U.NoCopy
+
+		zerolog.Logger
+
+		*idlewatcher.Config
+		*waker
+
+		client       *D.SharedClient
+		stopByMethod StopCallback // send a docker command w.r.t. `stop_method`
+		ticker       *time.Ticker
+		task         *task.Task
+	}
+
+	WakeDone     <-chan error
+	WakeFunc     func() WakeDone
+	StopCallback func() error
+)
+
+var (
+	watcherMap   = F.NewMapOf[string, *Watcher]()
+	watcherMapMu sync.Mutex
+
+	errShouldNotReachHere = errors.New("should not reach here")
+
+	logger = logging.With().Str("module", "idle_watcher").Logger()
+)
+
+const dockerReqTimeout = 3 * time.Second
+
+func registerWatcher(watcherTask *task.Task, entry route.Entry, waker *waker) (*Watcher, error) {
+	cfg := entry.IdlewatcherConfig()
+
+	if cfg.IdleTimeout == 0 {
+		panic(errShouldNotReachHere)
+	}
+
+	watcherMapMu.Lock()
+	defer watcherMapMu.Unlock()
+
+	key := cfg.ContainerID
+
+	if w, ok := watcherMap.Load(key); ok {
+		w.Config = cfg
+		w.waker = waker
+		w.resetIdleTimer()
+		watcherTask.Finish("used existing watcher")
+		return w, nil
+	}
+
+	client, err := D.ConnectClient(cfg.DockerHost)
+	if err != nil {
+		return nil, err
+	}
+
+	w := &Watcher{
+		Logger: logger.With().Str("name", cfg.ContainerName).Logger(),
+		Config: cfg,
+		waker:  waker,
+		client: client,
+		task:   watcherTask,
+		ticker: time.NewTicker(cfg.IdleTimeout),
+	}
+	w.stopByMethod = w.getStopCallback()
+	watcherMap.Store(key, w)
+
+	go func() {
+		cause := w.watchUntilDestroy()
+
+		watcherMap.Delete(w.ContainerID)
+
+		w.ticker.Stop()
+		w.client.Close()
+		w.task.Finish(cause)
+	}()
+
+	return w, nil
+}
+
+func (w *Watcher) Wake() error {
+	return w.wakeIfStopped()
+}
+
+// WakeDebug logs a debug message related to waking the container.
+func (w *Watcher) WakeDebug() *zerolog.Event {
+	//nolint:zerologlint
+	return w.Debug().Str("action", "wake")
+}
+
+func (w *Watcher) WakeTrace() *zerolog.Event {
+	//nolint:zerologlint
+	return w.Trace().Str("action", "wake")
+}
+
+func (w *Watcher) WakeError(err error) {
+	w.Err(err).Str("action", "wake").Msg("error")
+}
+
+func (w *Watcher) LogReason(action, reason string) {
+	w.Info().Str("reason", reason).Msg(action)
+}
+
+func (w *Watcher) containerStop(ctx context.Context) error {
+	return w.client.ContainerStop(ctx, w.ContainerID, container.StopOptions{
+		Signal:  string(w.StopSignal),
+		Timeout: &w.StopTimeout,
+	})
+}
+
+func (w *Watcher) containerPause(ctx context.Context) error {
+	return w.client.ContainerPause(ctx, w.ContainerID)
+}
+
+func (w *Watcher) containerKill(ctx context.Context) error {
+	return w.client.ContainerKill(ctx, w.ContainerID, string(w.StopSignal))
+}
+
+func (w *Watcher) containerUnpause(ctx context.Context) error {
+	return w.client.ContainerUnpause(ctx, w.ContainerID)
+}
+
+func (w *Watcher) containerStart(ctx context.Context) error {
+	return w.client.ContainerStart(ctx, w.ContainerID, container.StartOptions{})
+}
+
+func (w *Watcher) containerStatus() (string, error) {
+	if !w.client.Connected() {
+		return "", errors.New("docker client not connected")
+	}
+	ctx, cancel := context.WithTimeoutCause(w.task.Context(), dockerReqTimeout, errors.New("docker request timeout"))
+	defer cancel()
+	json, err := w.client.ContainerInspect(ctx, w.ContainerID)
+	if err != nil {
+		return "", err
+	}
+	return json.State.Status, nil
+}
+
+func (w *Watcher) wakeIfStopped() error {
+	if w.ContainerRunning {
+		return nil
+	}
+
+	status, err := w.containerStatus()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(w.task.Context(), w.WakeTimeout)
+	defer cancel()
+
+	// !Hard coded here since theres no constants from Docker API
+	switch status {
+	case "exited", "dead":
+		return w.containerStart(ctx)
+	case "paused":
+		return w.containerUnpause(ctx)
+	case "running":
+		return nil
+	default:
+		panic(errShouldNotReachHere)
+	}
+}
+
+func (w *Watcher) getStopCallback() StopCallback {
+	var cb func(context.Context) error
+	switch w.StopMethod {
+	case idlewatcher.StopMethodPause:
+		cb = w.containerPause
+	case idlewatcher.StopMethodStop:
+		cb = w.containerStop
+	case idlewatcher.StopMethodKill:
+		cb = w.containerKill
+	default:
+		panic(errShouldNotReachHere)
+	}
+	return func() error {
+		ctx, cancel := context.WithTimeout(w.task.Context(), time.Duration(w.StopTimeout)*time.Second)
+		defer cancel()
+		return cb(ctx)
+	}
+}
+
+func (w *Watcher) resetIdleTimer() {
+	w.Trace().Msg("reset idle timer")
+	w.ticker.Reset(w.IdleTimeout)
+}
+
+func (w *Watcher) getEventCh(dockerWatcher watcher.DockerWatcher) (eventCh <-chan events.Event, errCh <-chan E.Error) {
+	eventCh, errCh = dockerWatcher.EventsWithOptions(w.Task().Context(), watcher.DockerListOptions{
+		Filters: watcher.NewDockerFilter(
+			watcher.DockerFilterContainer,
+			watcher.DockerFilterContainerNameID(w.ContainerID),
+			watcher.DockerFilterStart,
+			watcher.DockerFilterStop,
+			watcher.DockerFilterDie,
+			watcher.DockerFilterKill,
+			watcher.DockerFilterDestroy,
+			watcher.DockerFilterPause,
+			watcher.DockerFilterUnpause,
+		),
+	})
+	return
+}
+
+// watchUntilDestroy waits for the container to be created, started, or unpaused,
+// and then reset the idle timer.
+//
+// When the container is stopped, paused,
+// or killed, the idle timer is stopped and the ContainerRunning flag is set to false.
+//
+// When the idle timer fires, the container is stopped according to the
+// stop method.
+//
+// it exits only if the context is canceled, the container is destroyed,
+// errors occurred on docker client, or route provider died (mainly caused by config reload).
+func (w *Watcher) watchUntilDestroy() (returnCause error) {
+	dockerWatcher := watcher.NewDockerWatcherWithClient(w.client)
+	dockerEventCh, dockerEventErrCh := w.getEventCh(dockerWatcher)
+
+	for {
+		select {
+		case <-w.task.Context().Done():
+			return w.task.FinishCause()
+		case err := <-dockerEventErrCh:
+			if !err.Is(context.Canceled) {
+				E.LogError("idlewatcher error", err, &w.Logger)
+			}
+			return err
+		case e := <-dockerEventCh:
+			switch {
+			case e.Action == events.ActionContainerDestroy:
+				w.ContainerRunning = false
+				w.ready.Store(false)
+				w.LogReason("watcher stopped", "container destroyed")
+				return errors.New("container destroyed")
+			// create / start / unpause
+			case e.Action.IsContainerWake():
+				w.ContainerRunning = true
+				w.resetIdleTimer()
+				w.Info().Msg("awaken")
+			case e.Action.IsContainerSleep(): // stop / pause / kil
+				w.ContainerRunning = false
+				w.ready.Store(false)
+				w.ticker.Stop()
+			default:
+				w.Error().Msg("unexpected docker event: " + e.String())
+			}
+			// container name changed should also change the container id
+			if w.ContainerName != e.ActorName {
+				w.Debug().Msgf("renamed %s -> %s", w.ContainerName, e.ActorName)
+				w.ContainerName = e.ActorName
+			}
+			if w.ContainerID != e.ActorID {
+				w.Debug().Msgf("id changed %s -> %s", w.ContainerID, e.ActorID)
+				w.ContainerID = e.ActorID
+				// recreate event stream
+				dockerEventCh, dockerEventErrCh = w.getEventCh(dockerWatcher)
+			}
+		case <-w.ticker.C:
+			w.ticker.Stop()
+			if w.ContainerRunning {
+				err := w.stopByMethod()
+				switch {
+				case errors.Is(err, context.Canceled):
+					continue
+				case err != nil:
+					w.Err(err).Msgf("container stop with method %q failed", w.StopMethod)
+				default:
+					w.LogReason("container stopped", "idle timeout")
+				}
+			}
+		}
+	}
+}
--- a/internal/docker/inspect.go
+++ b/internal/docker/inspect.go
@@ -0,0 +1,28 @@
+package docker
+
+import (
+	"context"
+	"errors"
+	"time"
+)
+
+func Inspect(dockerHost string, containerID string) (*Container, error) {
+	client, err := ConnectClient(dockerHost)
+	if err != nil {
+		return nil, err
+	}
+
+	defer client.Close()
+	return client.Inspect(containerID)
+}
+
+func (c *SharedClient) Inspect(containerID string) (*Container, error) {
+	ctx, cancel := context.WithTimeoutCause(context.Background(), 3*time.Second, errors.New("docker container inspect timeout"))
+	defer cancel()
+
+	json, err := c.ContainerInspect(ctx, containerID)
+	if err != nil {
+		return nil, err
+	}
+	return FromJSON(json, c.key), nil
+}
--- a/internal/docker/label.go
+++ b/internal/docker/label.go
@@ -0,0 +1,52 @@
+package docker
+
+import (
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type LabelMap = map[string]any
+
+var ErrInvalidLabel = E.New("invalid label")
+
+func ParseLabels(labels map[string]string) (LabelMap, E.Error) {
+	nestedMap := make(LabelMap)
+	errs := E.NewBuilder("labels error")
+
+	for lbl, value := range labels {
+		parts := strutils.SplitRune(lbl, '.')
+		if parts[0] != NSProxy {
+			continue
+		}
+		if len(parts) == 1 {
+			errs.Add(ErrInvalidLabel.Subject(lbl))
+			continue
+		}
+		parts = parts[1:]
+		currentMap := nestedMap
+
+		for i, k := range parts {
+			if i == len(parts)-1 {
+				// Last element, set the value
+				currentMap[k] = value
+			} else {
+				// If the key doesn't exist, create a new map
+				if _, exists := currentMap[k]; !exists {
+					currentMap[k] = make(LabelMap)
+				}
+				// Move deeper into the nested map
+				m, ok := currentMap[k].(LabelMap)
+				if !ok && currentMap[k] != "" {
+					errs.Add(E.Errorf("expect mapping, got %T", currentMap[k]).Subject(lbl))
+					continue
+				} else if !ok {
+					m = make(LabelMap)
+					currentMap[k] = m
+				}
+				currentMap = m
+			}
+		}
+	}
+
+	return nestedMap, errs.Error()
+}
--- a/internal/docker/labels.go
+++ b/internal/docker/labels.go
@@ -3,6 +3,8 @@ package docker
 const (
 	WildcardAlias = "*"

+	NSProxy = "proxy"
+
 	LabelAliases     = NSProxy + ".aliases"
 	LabelExclude     = NSProxy + ".exclude"
 	LabelIdleTimeout = NSProxy + ".idle_timeout"
--- a/internal/docker/list_containers.go
+++ b/internal/docker/list_containers.go
@@ -0,0 +1,44 @@
+package docker
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+)
+
+var listOptions = container.ListOptions{
+	// created|restarting|running|removing|paused|exited|dead
+	// Filters: filters.NewArgs(
+	// 	filters.Arg("status", "created"),
+	// 	filters.Arg("status", "restarting"),
+	// 	filters.Arg("status", "running"),
+	// 	filters.Arg("status", "paused"),
+	// 	filters.Arg("status", "exited"),
+	// ),
+	All: true,
+}
+
+func ListContainers(clientHost string) ([]types.Container, error) {
+	dockerClient, err := ConnectClient(clientHost)
+	if err != nil {
+		return nil, err
+	}
+	defer dockerClient.Close()
+
+	ctx, cancel := context.WithTimeoutCause(context.Background(), 3*time.Second, errors.New("list containers timeout"))
+	defer cancel()
+
+	containers, err := dockerClient.ContainerList(ctx, listOptions)
+	if err != nil {
+		return nil, err
+	}
+	return containers, nil
+}
+
+func IsErrConnectionFailed(err error) bool {
+	return client.IsErrConnectionFailed(err)
+}
--- a/internal/docker/logger.go
+++ b/internal/docker/logger.go
@@ -0,0 +1,7 @@
+package docker
+
+import (
+	"github.com/yusing/go-proxy/internal/logging"
+)
+
+var logger = logging.With().Str("module", "docker").Logger()
--- a/internal/entrypoint/entrypoint.go
+++ b/internal/entrypoint/entrypoint.go
@@ -0,0 +1,148 @@
+package entrypoint
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"sync"
+
+	gphttp "github.com/yusing/go-proxy/internal/net/http"
+	"github.com/yusing/go-proxy/internal/net/http/accesslog"
+	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/net/http/middleware/errorpage"
+	"github.com/yusing/go-proxy/internal/route/routes"
+	route "github.com/yusing/go-proxy/internal/route/types"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+var findRouteFunc = findRouteAnyDomain
+
+var (
+	epMiddleware   *middleware.Middleware
+	epMiddlewareMu sync.Mutex
+
+	epAccessLogger   *accesslog.AccessLogger
+	epAccessLoggerMu sync.Mutex
+)
+
+var ErrNoSuchRoute = errors.New("no such route")
+
+func SetFindRouteDomains(domains []string) {
+	if len(domains) == 0 {
+		findRouteFunc = findRouteAnyDomain
+	} else {
+		findRouteFunc = findRouteByDomains(domains)
+	}
+}
+
+func SetMiddlewares(mws []map[string]any) error {
+	epMiddlewareMu.Lock()
+	defer epMiddlewareMu.Unlock()
+
+	if len(mws) == 0 {
+		epMiddleware = nil
+		return nil
+	}
+
+	mid, err := middleware.BuildMiddlewareFromChainRaw("entrypoint", mws)
+	if err != nil {
+		return err
+	}
+	epMiddleware = mid
+
+	logger.Debug().Msg("entrypoint middleware loaded")
+	return nil
+}
+
+func SetAccessLogger(parent task.Parent, cfg *accesslog.Config) (err error) {
+	epAccessLoggerMu.Lock()
+	defer epAccessLoggerMu.Unlock()
+
+	if cfg == nil {
+		epAccessLogger = nil
+		return
+	}
+
+	epAccessLogger, err = accesslog.NewFileAccessLogger(parent, cfg)
+	if err != nil {
+		return
+	}
+	logger.Debug().Msg("entrypoint access logger created")
+	return
+}
+
+func Handler(w http.ResponseWriter, r *http.Request) {
+	mux, err := findRouteFunc(r.Host)
+	if err == nil {
+		if epAccessLogger != nil {
+			epMiddlewareMu.Lock()
+			if epAccessLogger != nil {
+				w = gphttp.NewModifyResponseWriter(w, r, func(resp *http.Response) error {
+					epAccessLogger.Log(r, resp)
+					return nil
+				})
+			}
+			epMiddlewareMu.Unlock()
+		}
+		if epMiddleware != nil {
+			epMiddlewareMu.Lock()
+			if epMiddleware != nil {
+				mid := epMiddleware
+				epMiddlewareMu.Unlock()
+				mid.ServeHTTP(mux.ServeHTTP, w, r)
+				return
+			}
+			epMiddlewareMu.Unlock()
+		}
+		mux.ServeHTTP(w, r)
+		return
+	}
+	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
+	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
+	// Then scraper / scanners will know the subdomain is invalid.
+	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
+	if served := middleware.ServeStaticErrorPageFile(w, r); !served {
+		logger.Err(err).Str("method", r.Method).Str("url", r.URL.String()).Msg("request")
+		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
+		if ok {
+			w.WriteHeader(http.StatusNotFound)
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			if _, err := w.Write(errorPage); err != nil {
+				logger.Err(err).Msg("failed to write error page")
+			}
+		} else {
+			http.Error(w, err.Error(), http.StatusNotFound)
+		}
+	}
+}
+
+func findRouteAnyDomain(host string) (route.HTTPRoute, error) {
+	hostSplit := strutils.SplitRune(host, '.')
+	target := hostSplit[0]
+
+	if r, ok := routes.GetHTTPRouteOrExact(target, host); ok {
+		return r, nil
+	}
+	return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, target)
+}
+
+func findRouteByDomains(domains []string) func(host string) (route.HTTPRoute, error) {
+	return func(host string) (route.HTTPRoute, error) {
+		for _, domain := range domains {
+			if strings.HasSuffix(host, domain) {
+				target := strings.TrimSuffix(host, domain)
+				if r, ok := routes.GetHTTPRoute(target); ok {
+					return r, nil
+				}
+			}
+		}
+
+		// fallback to exact match
+		if r, ok := routes.GetHTTPRoute(host); ok {
+			return r, nil
+		}
+		return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, host)
+	}
+}
--- a/internal/entrypoint/entrypoint_test.go
+++ b/internal/entrypoint/entrypoint_test.go
@@ -0,0 +1,120 @@
+package entrypoint
+
+import (
+	"testing"
+
+	"github.com/yusing/go-proxy/internal/route"
+	"github.com/yusing/go-proxy/internal/route/routes"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+var r route.HTTPRoute
+
+func run(t *testing.T, match []string, noMatch []string) {
+	t.Helper()
+	t.Cleanup(routes.TestClear)
+	t.Cleanup(func() {
+		SetFindRouteDomains(nil)
+	})
+
+	for _, test := range match {
+		t.Run(test, func(t *testing.T) {
+			found, err := findRouteFunc(test)
+			ExpectNoError(t, err)
+			ExpectTrue(t, found == &r)
+		})
+	}
+
+	for _, test := range noMatch {
+		t.Run(test, func(t *testing.T) {
+			_, err := findRouteFunc(test)
+			ExpectError(t, ErrNoSuchRoute, err)
+		})
+	}
+}
+
+func TestFindRouteAnyDomain(t *testing.T) {
+	routes.SetHTTPRoute("app1", &r)
+
+	tests := []string{
+		"app1.com",
+		"app1.domain.com",
+		"app1.sub.domain.com",
+	}
+	testsNoMatch := []string{
+		"sub.app1.com",
+		"app2.com",
+		"app2.domain.com",
+		"app2.sub.domain.com",
+	}
+
+	run(t, tests, testsNoMatch)
+}
+
+func TestFindRouteExactHostMatch(t *testing.T) {
+	tests := []string{
+		"app2.com",
+		"app2.domain.com",
+		"app2.sub.domain.com",
+	}
+	testsNoMatch := []string{
+		"sub.app2.com",
+		"app1.com",
+		"app1.domain.com",
+		"app1.sub.domain.com",
+	}
+
+	for _, test := range tests {
+		routes.SetHTTPRoute(test, &r)
+	}
+
+	run(t, tests, testsNoMatch)
+}
+
+func TestFindRouteByDomains(t *testing.T) {
+	SetFindRouteDomains([]string{
+		".domain.com",
+		".sub.domain.com",
+	})
+
+	routes.SetHTTPRoute("app1", &r)
+
+	tests := []string{
+		"app1.domain.com",
+		"app1.sub.domain.com",
+	}
+	testsNoMatch := []string{
+		"sub.app1.com",
+		"app1.com",
+		"app1.domain.co",
+		"app1.domain.com.hk",
+		"app1.sub.domain.co",
+		"app2.domain.com",
+		"app2.sub.domain.com",
+	}
+
+	run(t, tests, testsNoMatch)
+}
+
+func TestFindRouteByDomainsExactMatch(t *testing.T) {
+	SetFindRouteDomains([]string{
+		".domain.com",
+		".sub.domain.com",
+	})
+
+	routes.SetHTTPRoute("app1.foo.bar", &r)
+
+	tests := []string{
+		"app1.foo.bar", // exact match
+		"app1.foo.bar.domain.com",
+		"app1.foo.bar.sub.domain.com",
+	}
+	testsNoMatch := []string{
+		"sub.app1.foo.bar",
+		"sub.app1.foo.bar.com",
+		"app1.domain.com",
+		"app1.sub.domain.com",
+	}
+
+	run(t, tests, testsNoMatch)
+}
--- a/internal/entrypoint/logger.go
+++ b/internal/entrypoint/logger.go
@@ -0,0 +1,7 @@
+package entrypoint
+
+import (
+	"github.com/yusing/go-proxy/internal/logging"
+)
+
+var logger = logging.With().Str("module", "entrypoint").Logger()
--- a/internal/error/base.go
+++ b/internal/error/base.go
@@ -0,0 +1,48 @@
+package err
+
+import (
+	"errors"
+	"fmt"
+)
+
+// baseError is an immutable wrapper around an error.
+//
+//nolint:recvcheck
+type baseError struct {
+	Err error `json:"err"`
+}
+
+func (err *baseError) Unwrap() error {
+	return err.Err
+}
+
+func (err *baseError) Is(other error) bool {
+	if other, ok := other.(*baseError); ok {
+		return errors.Is(err.Err, other.Err)
+	}
+	return errors.Is(err.Err, other)
+}
+
+func (err baseError) Subject(subject string) Error {
+	err.Err = PrependSubject(subject, err.Err)
+	return &err
+}
+
+func (err *baseError) Subjectf(format string, args ...any) Error {
+	if len(args) > 0 {
+		return err.Subject(fmt.Sprintf(format, args...))
+	}
+	return err.Subject(format)
+}
+
+func (err baseError) With(extra error) Error {
+	return &nestedError{&err, []error{extra}}
+}
+
+func (err baseError) Withf(format string, args ...any) Error {
+	return &nestedError{&err, []error{fmt.Errorf(format, args...)}}
+}
+
+func (err *baseError) Error() string {
+	return err.Err.Error()
+}
--- a/internal/error/builder.go
+++ b/internal/error/builder.go
@@ -0,0 +1,124 @@
+package err
+
+import (
+	"fmt"
+	"sync"
+)
+
+type Builder struct {
+	about string
+	errs  []error
+	sync.Mutex
+}
+
+func NewBuilder(about string) *Builder {
+	return &Builder{about: about}
+}
+
+func (b *Builder) About() string {
+	if !b.HasError() {
+		return ""
+	}
+	return b.about
+}
+
+//go:inline
+func (b *Builder) HasError() bool {
+	return len(b.errs) > 0
+}
+
+func (b *Builder) error() Error {
+	if !b.HasError() {
+		return nil
+	}
+	return &nestedError{Err: New(b.about), Extras: b.errs}
+}
+
+func (b *Builder) Error() Error {
+	if len(b.errs) == 1 {
+		return From(b.errs[0])
+	}
+	return b.error()
+}
+
+func (b *Builder) String() string {
+	err := b.error()
+	if err == nil {
+		return ""
+	}
+	return err.Error()
+}
+
+// Add adds an error to the Builder.
+//
+// adding nil is no-op.
+func (b *Builder) Add(err error) *Builder {
+	if err == nil {
+		return b
+	}
+
+	b.Lock()
+	defer b.Unlock()
+
+	switch err := From(err).(type) {
+	case *baseError:
+		b.errs = append(b.errs, err.Err)
+	case *nestedError:
+		if err.Err == nil {
+			b.errs = append(b.errs, err.Extras...)
+		} else {
+			b.errs = append(b.errs, err)
+		}
+	default:
+		panic("bug: should not reach here")
+	}
+
+	return b
+}
+
+func (b *Builder) Adds(err string) *Builder {
+	b.Lock()
+	defer b.Unlock()
+	b.errs = append(b.errs, newError(err))
+	return b
+}
+
+func (b *Builder) Addf(format string, args ...any) *Builder {
+	if len(args) > 0 {
+		b.Lock()
+		defer b.Unlock()
+		b.errs = append(b.errs, fmt.Errorf(format, args...))
+	} else {
+		b.Adds(format)
+	}
+
+	return b
+}
+
+func (b *Builder) AddFrom(other *Builder, flatten bool) *Builder {
+	if other == nil || !other.HasError() {
+		return b
+	}
+
+	b.Lock()
+	defer b.Unlock()
+	if flatten {
+		b.errs = append(b.errs, other.errs...)
+	} else {
+		b.errs = append(b.errs, other.error())
+	}
+	return b
+}
+
+func (b *Builder) AddRange(errs ...error) *Builder {
+	b.Lock()
+	defer b.Unlock()
+
+	for _, err := range errs {
+		if err != nil {
+			b.errs = append(b.errs, err)
+		}
+	}
+
+	return b
+}
--- a/internal/error/builder_test.go
+++ b/internal/error/builder_test.go
@@ -0,0 +1,55 @@
+package err_test
+
+import (
+	"context"
+	"errors"
+	"io"
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestBuilderEmpty(t *testing.T) {
+	eb := NewBuilder("foo")
+	ExpectTrue(t, errors.Is(eb.Error(), nil))
+	ExpectFalse(t, eb.HasError())
+}
+
+func TestBuilderAddNil(t *testing.T) {
+	eb := NewBuilder("foo")
+	var err Error
+	for range 3 {
+		eb.Add(nil)
+	}
+	for range 3 {
+		eb.Add(err)
+	}
+	eb.AddRange(nil, nil, err)
+	ExpectFalse(t, eb.HasError())
+	ExpectTrue(t, eb.Error() == nil)
+}
+
+func TestBuilderIs(t *testing.T) {
+	eb := NewBuilder("foo")
+	eb.Add(context.Canceled)
+	eb.Add(io.ErrShortBuffer)
+	ExpectTrue(t, eb.HasError())
+	ExpectError(t, io.ErrShortBuffer, eb.Error())
+	ExpectError(t, context.Canceled, eb.Error())
+}
+
+func TestBuilderNested(t *testing.T) {
+	eb := NewBuilder("action failed")
+	eb.Add(New("Action 1").Withf("Inner: 1").Withf("Inner: 2"))
+	eb.Add(New("Action 2").Withf("Inner: 3"))
+
+	got := eb.String()
+	expected := `action failed
+  • Action 1
+    • Inner: 1
+    • Inner: 2
+  • Action 2
+    • Inner: 3`
+	ExpectEqual(t, got, expected)
+}
--- a/internal/error/error.go
+++ b/internal/error/error.go
@@ -0,0 +1,33 @@
+package err
+
+type Error interface {
+	error
+
+	// Is is a wrapper for errors.Is when there is no sub-error.
+	//
+	// When there are sub-errors, they will also be checked.
+	Is(other error) bool
+	// With appends a sub-error to the error.
+	With(extra error) Error
+	// Withf is a wrapper for With(fmt.Errorf(format, args...)).
+	Withf(format string, args ...any) Error
+	// Subject prepends the given subject with a colon and space to the error message.
+	//
+	// If there is already a subject in the error message, the subject will be
+	// prepended to the existing subject with " > ".
+	//
+	// Subject empty string is ignored.
+	Subject(subject string) Error
+	// Subjectf is a wrapper for Subject(fmt.Sprintf(format, args...)).
+	Subjectf(format string, args ...any) Error
+}
+
+// this makes JSON marshaling work,
+// as the builtin one doesn't.
+//
+//nolint:errname
+type errStr string
+
+func (err errStr) Error() string {
+	return string(err)
+}
--- a/internal/error/error_test.go
+++ b/internal/error/error_test.go
@@ -0,0 +1,157 @@
+package err
+
+import (
+	"errors"
+	"strings"
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestBaseString(t *testing.T) {
+	ExpectEqual(t, New("error").Error(), "error")
+}
+
+func TestBaseWithSubject(t *testing.T) {
+	err := New("error")
+	withSubject := err.Subject("foo")
+	withSubjectf := err.Subjectf("%s %s", "foo", "bar")
+
+	ExpectError(t, err, withSubject)
+	ExpectEqual(t, withSubject.Error(), "foo: error")
+	ExpectTrue(t, withSubject.Is(err))
+
+	ExpectError(t, err, withSubjectf)
+	ExpectEqual(t, withSubjectf.Error(), "foo bar: error")
+	ExpectTrue(t, withSubjectf.Is(err))
+}
+
+func TestBaseWithExtra(t *testing.T) {
+	err := New("error")
+	extra := New("bar").Subject("baz")
+	withExtra := err.With(extra)
+
+	ExpectTrue(t, withExtra.Is(extra))
+	ExpectTrue(t, withExtra.Is(err))
+
+	ExpectTrue(t, errors.Is(withExtra, extra))
+	ExpectTrue(t, errors.Is(withExtra, err))
+
+	ExpectTrue(t, strings.Contains(withExtra.Error(), err.Error()))
+	ExpectTrue(t, strings.Contains(withExtra.Error(), extra.Error()))
+	ExpectTrue(t, strings.Contains(withExtra.Error(), "baz"))
+}
+
+func TestBaseUnwrap(t *testing.T) {
+	err := errors.New("err")
+	wrapped := From(err)
+
+	ExpectError(t, err, errors.Unwrap(wrapped))
+}
+
+func TestNestedUnwrap(t *testing.T) {
+	err := errors.New("err")
+	err2 := New("err2")
+	wrapped := From(err).Subject("foo").With(err2.Subject("bar"))
+
+	unwrapper, ok := wrapped.(interface{ Unwrap() []error })
+	ExpectTrue(t, ok)
+
+	ExpectError(t, err, wrapped)
+	ExpectError(t, err2, wrapped)
+	ExpectEqual(t, len(unwrapper.Unwrap()), 2)
+}
+
+func TestErrorIs(t *testing.T) {
+	from := errors.New("error")
+	err := From(from)
+	ExpectError(t, from, err)
+
+	ExpectTrue(t, err.Is(from))
+	ExpectFalse(t, err.Is(New("error")))
+
+	ExpectTrue(t, errors.Is(err.Subject("foo"), from))
+	ExpectTrue(t, errors.Is(err.Withf("foo"), from))
+	ExpectTrue(t, errors.Is(err.Subject("foo").Withf("bar"), from))
+}
+
+func TestErrorImmutability(t *testing.T) {
+	err := New("err")
+	err2 := New("err2")
+
+	for range 3 {
+		// t.Logf("%d: %v %T %s", i, errors.Unwrap(err), err, err)
+		_ = err.Subject("foo")
+		ExpectFalse(t, strings.Contains(err.Error(), "foo"))
+
+		_ = err.With(err2)
+		ExpectFalse(t, strings.Contains(err.Error(), "extra"))
+		ExpectFalse(t, err.Is(err2))
+
+		err = err.Subject("bar").Withf("baz")
+		ExpectTrue(t, err != nil)
+	}
+}
+
+func TestErrorWith(t *testing.T) {
+	err1 := New("err1")
+	err2 := New("err2")
+
+	err3 := err1.With(err2)
+
+	ExpectTrue(t, err3.Is(err1))
+	ExpectTrue(t, err3.Is(err2))
+
+	_ = err2.Subject("foo")
+
+	ExpectTrue(t, err3.Is(err1))
+	ExpectTrue(t, err3.Is(err2))
+
+	// check if err3 is affected by err2.Subject
+	ExpectFalse(t, strings.Contains(err3.Error(), "foo"))
+}
+
+func TestErrorStringSimple(t *testing.T) {
+	errFailure := New("generic failure")
+	ne := errFailure.Subject("foo bar")
+	ExpectEqual(t, ne.Error(), "foo bar: generic failure")
+	ne = ne.Subject("baz")
+	ExpectEqual(t, ne.Error(), "baz > foo bar: generic failure")
+}
+
+func TestErrorStringNested(t *testing.T) {
+	errFailure := New("generic failure")
+	inner := errFailure.Subject("inner").
+		Withf("1").
+		Withf("1")
+	inner2 := errFailure.Subject("inner2").
+		Subject("action 2").
+		Withf("2").
+		Withf("2")
+	inner3 := errFailure.Subject("inner3").
+		Subject("action 3").
+		Withf("3").
+		Withf("3")
+	ne := errFailure.
+		Subject("foo").
+		Withf("bar").
+		Withf("baz").
+		With(inner).
+		With(inner.With(inner2.With(inner3)))
+	want := `foo: generic failure
+  • bar
+  • baz
+  • inner: generic failure
+    • 1
+    • 1
+  • inner: generic failure
+    • 1
+    • 1
+    • action 2 > inner2: generic failure
+      • 2
+      • 2
+      • action 3 > inner3: generic failure
+        • 3
+        • 3`
+	ExpectEqual(t, ne.Error(), want)
+}
--- a/internal/error/log.go
+++ b/internal/error/log.go
@@ -0,0 +1,43 @@
+package err
+
+import (
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/logging"
+)
+
+func getLogger(logger ...*zerolog.Logger) *zerolog.Logger {
+	if len(logger) > 0 {
+		return logger[0]
+	}
+	return logging.GetLogger()
+}
+
+//go:inline
+func LogFatal(msg string, err error, logger ...*zerolog.Logger) {
+	getLogger(logger...).Fatal().Msg(err.Error())
+}
+
+//go:inline
+func LogError(msg string, err error, logger ...*zerolog.Logger) {
+	getLogger(logger...).Error().Msg(err.Error())
+}
+
+//go:inline
+func LogWarn(msg string, err error, logger ...*zerolog.Logger) {
+	getLogger(logger...).Warn().Msg(err.Error())
+}
+
+//go:inline
+func LogPanic(msg string, err error, logger ...*zerolog.Logger) {
+	getLogger(logger...).Panic().Msg(err.Error())
+}
+
+//go:inline
+func LogInfo(msg string, err error, logger ...*zerolog.Logger) {
+	getLogger(logger...).Info().Msg(err.Error())
+}
+
+//go:inline
+func LogDebug(msg string, err error, logger ...*zerolog.Logger) {
+	getLogger(logger...).Debug().Msg(err.Error())
+}
--- a/internal/error/nested_error.go
+++ b/internal/error/nested_error.go
@@ -0,0 +1,115 @@
+package err
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+//nolint:recvcheck
+type nestedError struct {
+	Err    error   `json:"err"`
+	Extras []error `json:"extras"`
+}
+
+func (err nestedError) Subject(subject string) Error {
+	if err.Err == nil {
+		err.Err = newError(subject)
+	} else {
+		err.Err = PrependSubject(subject, err.Err)
+	}
+	return &err
+}
+
+func (err *nestedError) Subjectf(format string, args ...any) Error {
+	if len(args) > 0 {
+		return err.Subject(fmt.Sprintf(format, args...))
+	}
+	return err.Subject(format)
+}
+
+func (err nestedError) With(extra error) Error {
+	if extra != nil {
+		err.Extras = append(err.Extras, extra)
+	}
+	return &err
+}
+
+func (err nestedError) Withf(format string, args ...any) Error {
+	if len(args) > 0 {
+		err.Extras = append(err.Extras, fmt.Errorf(format, args...))
+	} else {
+		err.Extras = append(err.Extras, newError(format))
+	}
+	return &err
+}
+
+func (err *nestedError) Unwrap() []error {
+	if err.Err == nil {
+		if len(err.Extras) == 0 {
+			return nil
+		}
+		return err.Extras
+	}
+	return append([]error{err.Err}, err.Extras...)
+}
+
+func (err *nestedError) Is(other error) bool {
+	if errors.Is(err.Err, other) {
+		return true
+	}
+	for _, e := range err.Extras {
+		if errors.Is(e, other) {
+			return true
+		}
+	}
+	return false
+}
+
+func (err *nestedError) Error() string {
+	if err == nil {
+		return makeLine("<nil>", 0)
+	}
+
+	lines := make([]string, 0, 1+len(err.Extras))
+	if err.Err != nil {
+		lines = append(lines, makeLine(err.Err.Error(), 0))
+	}
+	if extras := makeLines(err.Extras, 1); len(extras) > 0 {
+		lines = append(lines, extras...)
+	}
+	return strutils.JoinLines(lines)
+}
+
+//go:inline
+func makeLine(err string, level int) string {
+	const bulletPrefix = "• "
+	const spaces = "                "
+
+	if level == 0 {
+		return err
+	}
+	return spaces[:2*level] + bulletPrefix + err
+}
+
+func makeLines(errs []error, level int) []string {
+	if len(errs) == 0 {
+		return nil
+	}
+	lines := make([]string, 0, len(errs))
+	for _, err := range errs {
+		switch err := From(err).(type) {
+		case *nestedError:
+			if err.Err != nil {
+				lines = append(lines, makeLine(err.Err.Error(), level))
+			}
+			if extras := makeLines(err.Extras, level+1); len(extras) > 0 {
+				lines = append(lines, extras...)
+			}
+		default:
+			lines = append(lines, makeLine(err.Error(), level))
+		}
+	}
+	return lines
+}
--- a/internal/error/subject.go
+++ b/internal/error/subject.go
@@ -0,0 +1,56 @@
+package err
+
+import (
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
+)
+
+//nolint:errname
+type withSubject struct {
+	Subject string `json:"subject"`
+	Err     error  `json:"err"`
+}
+
+const subjectSep = " > "
+
+func highlight(subject string) string {
+	return ansi.HighlightRed + subject + ansi.Reset
+}
+
+func PrependSubject(subject string, err error) error {
+	if err == nil {
+		return nil
+	}
+
+	//nolint:errorlint
+	switch err := err.(type) {
+	case *withSubject:
+		return err.Prepend(subject)
+	case Error:
+		return err.Subject(subject)
+	}
+	return &withSubject{subject, err}
+}
+
+func (err *withSubject) Prepend(subject string) *withSubject {
+	clone := *err
+	if subject != "" {
+		clone.Subject = subject + subjectSep + clone.Subject
+	}
+	return &clone
+}
+
+func (err *withSubject) Is(other error) bool {
+	return err.Err == other
+}
+
+func (err *withSubject) Unwrap() error {
+	return err.Err
+}
+
+func (err *withSubject) Error() string {
+	subjects := strings.Split(err.Subject, subjectSep)
+	subjects[len(subjects)-1] = highlight(subjects[len(subjects)-1])
+	return strings.Join(subjects, subjectSep) + ": " + err.Err.Error()
+}
--- a/internal/error/utils.go
+++ b/internal/error/utils.go
@@ -0,0 +1,74 @@
+package err
+
+import (
+	"fmt"
+)
+
+func newError(message string) error {
+	return errStr(message)
+}
+
+func New(message string) Error {
+	if message == "" {
+		return nil
+	}
+	return &baseError{newError(message)}
+}
+
+func Errorf(format string, args ...any) Error {
+	return &baseError{fmt.Errorf(format, args...)}
+}
+
+func From(err error) Error {
+	if err == nil {
+		return nil
+	}
+	//nolint:errorlint
+	switch err := err.(type) {
+	case *baseError:
+		return err
+	case *nestedError:
+		return err
+	}
+	return &baseError{err}
+}
+
+func Must[T any](v T, err error) T {
+	if err != nil {
+		LogPanic("must failed", err)
+	}
+	return v
+}
+
+func Join(errors ...error) Error {
+	n := 0
+	for _, err := range errors {
+		if err != nil {
+			n++
+		}
+	}
+	if n == 0 {
+		return nil
+	}
+	errs := make([]error, n)
+	i := 0
+	for _, err := range errors {
+		if err != nil {
+			errs[i] = err
+			i++
+		}
+	}
+	return &nestedError{Extras: errs}
+}
+
+func Collect[T any, Err error, Arg any, Func func(Arg) (T, Err)](eb *Builder, fn Func, arg Arg) T {
+	result, err := fn(arg)
+	eb.Add(err)
+	return result
+}
+
+func Collect2[T any, Err error, Arg1 any, Arg2 any, Func func(Arg1, Arg2) (T, Err)](eb *Builder, fn Func, arg1 Arg1, arg2 Arg2) T {
+	result, err := fn(arg1, arg2)
+	eb.Add(err)
+	return result
+}
--- a/internal/homepage/categories.go
+++ b/internal/homepage/categories.go
@@ -0,0 +1,64 @@
+package homepage
+
+// PredefinedCategories by alias or docker image name.
+var PredefinedCategories = map[string]string{
+	"sonarr":       "Torrenting",
+	"radarr":       "Torrenting",
+	"bazarr":       "Torrenting",
+	"lidarr":       "Torrenting",
+	"readarr":      "Torrenting",
+	"prowlarr":     "Torrenting",
+	"watcharr":     "Torrenting",
+	"qbittorrent":  "Torrenting",
+	"qbit":         "Torrenting",
+	"qbt":          "Torrenting",
+	"transmission": "Torrenting",
+
+	"jellyfin":   "Media",
+	"jellyseerr": "Media",
+	"emby":       "Media",
+	"plex":       "Media",
+	"navidrome":  "Media",
+	"immich":     "Media",
+	"tautulli":   "Media",
+	"nextcloud":  "Media",
+	"invidious":  "Media",
+
+	"uptime":             "Monitoring",
+	"uptime-kuma":        "Monitoring",
+	"prometheus":         "Monitoring",
+	"grafana":            "Monitoring",
+	"netdata":            "Monitoring",
+	"changedetection.io": "Monitoring",
+	"changedetection":    "Monitoring",
+	"influxdb":           "Monitoring",
+	"influx":             "Monitoring",
+	"dozzle":             "Monitoring",
+
+	"adguardhome":  "Networking",
+	"adgh":         "Networking",
+	"adg":          "Networking",
+	"pihole":       "Networking",
+	"flaresolverr": "Networking",
+
+	"homebridge":     "Home Automation",
+	"home-assistant": "Home Automation",
+
+	"dockge":       "Container Management",
+	"portainer-ce": "Container Management",
+	"portainer-be": "Container Management",
+
+	"rss":        "RSS",
+	"rsshub":     "RSS",
+	"rss-bridge": "RSS",
+	"miniflux":   "RSS",
+	"freshrss":   "RSS",
+
+	"paperless":     "Documents",
+	"paperless-ngx": "Documents",
+	"s-pdf":         "Documents",
+
+	"minio":       "Storage",
+	"filebrowser": "Storage",
+	"rclone":      "Storage",
+}
--- a/internal/homepage/homepage.go
+++ b/internal/homepage/homepage.go
@@ -0,0 +1,45 @@
+package homepage
+
+type (
+	//nolint:recvcheck
+	Config   map[string]Category
+	Category []*Item
+
+	Item struct {
+		Show         bool           `json:"show"`
+		Name         string         `json:"name"` // display name
+		Icon         string         `json:"icon"`
+		URL          string         `json:"url"` // alias + domain
+		Category     string         `json:"category"`
+		Description  string         `json:"description" aliases:"desc"`
+		WidgetConfig map[string]any `json:"widget_config" aliases:"widget"`
+
+		Alias      string `json:"alias"` // proxy alias
+		SourceType string `json:"source_type"`
+		AltURL     string `json:"alt_url"` // original proxy target
+	}
+)
+
+func (item *Item) IsEmpty() bool {
+	return item == nil || (item.Name == "" &&
+		item.Icon == "" &&
+		item.URL == "" &&
+		item.Category == "" &&
+		item.Description == "" &&
+		len(item.WidgetConfig) == 0)
+}
+
+func NewHomePageConfig() Config {
+	return Config(make(map[string]Category))
+}
+
+func (c *Config) Clear() {
+	*c = make(Config)
+}
+
+func (c Config) Add(item *Item) {
+	if c[item.Category] == nil {
+		c[item.Category] = make(Category, 0)
+	}
+	c[item.Category] = append(c[item.Category], item)
+}
--- a/internal/list-icons.go
+++ b/internal/list-icons.go
@@ -0,0 +1,101 @@
+package internal
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type GitHubContents struct { //! keep this, may reuse in future
+	Type string `json:"type"`
+	Path string `json:"path"`
+	Name string `json:"name"`
+	Sha  string `json:"sha"`
+	Size int    `json:"size"`
+}
+
+const (
+	iconsCachePath = "/tmp/icons_cache.json"
+	updateInterval = 1 * time.Hour
+)
+
+func ListAvailableIcons() ([]string, error) {
+	owner := "walkxcode"
+	repo := "dashboard-icons"
+	ref := "main"
+
+	var lastUpdate time.Time
+
+	icons := make([]string, 0)
+	info, err := os.Stat(iconsCachePath)
+	if err == nil {
+		lastUpdate = info.ModTime().Local()
+	}
+	if time.Since(lastUpdate) < updateInterval {
+		err := utils.LoadJSON(iconsCachePath, &icons)
+		if err == nil {
+			return icons, nil
+		}
+	}
+
+	contents, err := getRepoContents(http.DefaultClient, owner, repo, ref, "")
+	if err != nil {
+		return nil, err
+	}
+	for _, content := range contents {
+		if content.Type != "dir" {
+			icons = append(icons, content.Path)
+		}
+	}
+	err = utils.SaveJSON(iconsCachePath, &icons, 0o644)
+	if err != nil {
+		log.Print("error saving cache", err)
+	}
+	return icons, nil
+}
+
+func getRepoContents(client *http.Client, owner string, repo string, ref string, path string) ([]GitHubContents, error) {
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("https://api.github.com/repos/%s/%s/contents/%s?ref=%s", owner, repo, path, ref), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var contents []GitHubContents
+	err = json.Unmarshal(body, &contents)
+	if err != nil {
+		return nil, err
+	}
+
+	filesAndDirs := make([]GitHubContents, 0)
+	for _, content := range contents {
+		if content.Type == "dir" {
+			subContents, err := getRepoContents(client, owner, repo, ref, content.Path)
+			if err != nil {
+				return nil, err
+			}
+			filesAndDirs = append(filesAndDirs, subContents...)
+		} else {
+			filesAndDirs = append(filesAndDirs, content)
+		}
+	}
+
+	return filesAndDirs, nil
+}
--- a/internal/logging/logging.go
+++ b/internal/logging/logging.go
@@ -0,0 +1,72 @@
+//nolint:zerologlint
+package logging
+
+import (
+	"os"
+	"strings"
+
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+var logger zerolog.Logger
+
+func init() {
+	var timeFmt string
+	var level zerolog.Level
+	var exclude []string
+
+	switch {
+	case common.IsTrace:
+		timeFmt = "04:05"
+		level = zerolog.TraceLevel
+	case common.IsDebug:
+		timeFmt = "01-02 15:04"
+		level = zerolog.DebugLevel
+	default:
+		timeFmt = "01-02 15:04"
+		level = zerolog.InfoLevel
+		exclude = []string{"module"}
+	}
+
+	prefixLength := len(timeFmt) + 5 // level takes 3 + 2 spaces
+	prefix := strings.Repeat(" ", prefixLength)
+
+	logger = zerolog.New(
+		zerolog.ConsoleWriter{
+			Out:           os.Stderr,
+			TimeFormat:    timeFmt,
+			FieldsExclude: exclude,
+			FormatMessage: func(msgI interface{}) string { // pad spaces for each line
+				msg := msgI.(string)
+				lines := strutils.SplitRune(msg, '\n')
+				if len(lines) == 1 {
+					return msg
+				}
+				for i := 1; i < len(lines); i++ {
+					lines[i] = prefix + lines[i]
+				}
+				return strutils.JoinRune(lines, '\n')
+			},
+		},
+	).Level(level).With().Timestamp().Logger()
+}
+
+func DiscardLogger() { zerolog.SetGlobalLevel(zerolog.Disabled) }
+
+func AddHook(h zerolog.Hook) { logger = logger.Hook(h) }
+
+func GetLogger() *zerolog.Logger { return &logger }
+func With() zerolog.Context      { return logger.With() }
+
+func WithLevel(level zerolog.Level) *zerolog.Event { return logger.WithLevel(level) }
+
+func Info() *zerolog.Event         { return logger.Info() }
+func Warn() *zerolog.Event         { return logger.Warn() }
+func Error() *zerolog.Event        { return logger.Error() }
+func Err(err error) *zerolog.Event { return logger.Err(err) }
+func Debug() *zerolog.Event        { return logger.Debug() }
+func Fatal() *zerolog.Event        { return logger.Fatal() }
+func Panic() *zerolog.Event        { return logger.Panic() }
+func Trace() *zerolog.Event        { return logger.Trace() }
--- a/internal/metrics/http_handler.go
+++ b/internal/metrics/http_handler.go
@@ -0,0 +1,13 @@
+package metrics
+
+import (
+	"net/http"
+
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+func NewHandler() http.Handler {
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", promhttp.Handler())
+	return mux
+}
--- a/internal/metrics/labels.go
+++ b/internal/metrics/labels.go
@@ -0,0 +1,36 @@
+package metrics
+
+import "github.com/prometheus/client_golang/prometheus"
+
+type (
+	HTTPRouteMetricLabels struct {
+		Service, Method, Host, Visitor, Path string
+	}
+	StreamRouteMetricLabels struct {
+		Service, Visitor string
+	}
+	HealthMetricLabels string
+)
+
+func (lbl *HTTPRouteMetricLabels) toPromLabels() prometheus.Labels {
+	return prometheus.Labels{
+		"service": lbl.Service,
+		"method":  lbl.Method,
+		"host":    lbl.Host,
+		"visitor": lbl.Visitor,
+		"path":    lbl.Path,
+	}
+}
+
+func (lbl *StreamRouteMetricLabels) toPromLabels() prometheus.Labels {
+	return prometheus.Labels{
+		"service": lbl.Service,
+		"visitor": lbl.Visitor,
+	}
+}
+
+func (lbl HealthMetricLabels) toPromLabels() prometheus.Labels {
+	return prometheus.Labels{
+		"service": string(lbl),
+	}
+}
--- a/internal/metrics/metric.go
+++ b/internal/metrics/metric.go
@@ -0,0 +1,89 @@
+package metrics
+
+import "github.com/prometheus/client_golang/prometheus"
+
+type (
+	Counter struct {
+		mv        *prometheus.CounterVec
+		collector prometheus.Counter
+	}
+	Gauge struct {
+		mv        *prometheus.GaugeVec
+		collector prometheus.Gauge
+	}
+	Labels interface {
+		toPromLabels() prometheus.Labels
+	}
+)
+
+func NewCounter(opts prometheus.CounterOpts, labels ...string) *Counter {
+	m := &Counter{
+		mv: prometheus.NewCounterVec(opts, labels),
+	}
+	if len(labels) == 0 {
+		m.collector = m.mv.WithLabelValues()
+		m.collector.Add(0)
+	}
+	prometheus.MustRegister(m)
+	return m
+}
+
+func NewGauge(opts prometheus.GaugeOpts, labels ...string) *Gauge {
+	m := &Gauge{
+		mv: prometheus.NewGaugeVec(opts, labels),
+	}
+	if len(labels) == 0 {
+		m.collector = m.mv.WithLabelValues()
+		m.collector.Set(0)
+	}
+	prometheus.MustRegister(m)
+	return m
+}
+
+func (c *Counter) Collect(ch chan<- prometheus.Metric) {
+	c.mv.Collect(ch)
+}
+
+func (c *Counter) Describe(ch chan<- *prometheus.Desc) {
+	c.mv.Describe(ch)
+}
+
+func (c *Counter) Inc() {
+	c.collector.Inc()
+}
+
+func (c *Counter) With(l Labels) *Counter {
+	return &Counter{mv: c.mv, collector: c.mv.With(l.toPromLabels())}
+}
+
+func (c *Counter) Delete(l Labels) {
+	c.mv.Delete(l.toPromLabels())
+}
+
+func (c *Counter) Reset() {
+	c.mv.Reset()
+}
+
+func (g *Gauge) Collect(ch chan<- prometheus.Metric) {
+	g.mv.Collect(ch)
+}
+
+func (g *Gauge) Describe(ch chan<- *prometheus.Desc) {
+	g.mv.Describe(ch)
+}
+
+func (g *Gauge) Set(v float64) {
+	g.collector.Set(v)
+}
+
+func (g *Gauge) With(l Labels) *Gauge {
+	return &Gauge{mv: g.mv, collector: g.mv.With(l.toPromLabels())}
+}
+
+func (g *Gauge) Delete(l Labels) {
+	g.mv.Delete(l.toPromLabels())
+}
+
+func (g *Gauge) Reset() {
+	g.mv.Reset()
+}
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -0,0 +1,105 @@
+package metrics
+
+import (
+	"strings"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+type (
+	RouteMetrics struct {
+		HTTPReqTotal,
+		HTTP2xx3xx,
+		HTTP4xx,
+		HTTP5xx *Counter
+		HTTPReqElapsed *Gauge
+	}
+
+	ServiceMetrics struct {
+		HealthStatus *Gauge
+	}
+)
+
+var (
+	rm RouteMetrics
+	sm ServiceMetrics
+)
+
+const (
+	routerNamespace     = "router"
+	routerHTTPSubsystem = "http"
+
+	serviceNamespace = "service"
+)
+
+func GetRouteMetrics() *RouteMetrics {
+	return &rm
+}
+
+func GetServiceMetrics() *ServiceMetrics {
+	return &sm
+}
+
+func (rm *RouteMetrics) UnregisterService(service string) {
+	lbls := &HTTPRouteMetricLabels{Service: service}
+	rm.HTTP2xx3xx.Delete(lbls)
+	rm.HTTP4xx.Delete(lbls)
+	rm.HTTP5xx.Delete(lbls)
+	rm.HTTPReqElapsed.Delete(lbls)
+}
+
+func init() {
+	if !common.PrometheusEnabled {
+		return
+	}
+	initRouteMetrics()
+	initServiceMetrics()
+}
+
+func initRouteMetrics() {
+	lbls := []string{"service", "method", "host", "visitor", "path"}
+	partitionsHelp := ", partitioned by " + strings.Join(lbls, ", ")
+	rm = RouteMetrics{
+		HTTPReqTotal: NewCounter(prometheus.CounterOpts{
+			Namespace: routerNamespace,
+			Subsystem: routerHTTPSubsystem,
+			Name:      "req_total",
+			Help:      "How many requests processed in total",
+		}),
+		HTTP2xx3xx: NewCounter(prometheus.CounterOpts{
+			Namespace: routerNamespace,
+			Subsystem: routerHTTPSubsystem,
+			Name:      "req_ok_count",
+			Help:      "How many 2xx-3xx requests processed" + partitionsHelp,
+		}, lbls...),
+		HTTP4xx: NewCounter(prometheus.CounterOpts{
+			Namespace: routerNamespace,
+			Subsystem: routerHTTPSubsystem,
+			Name:      "req_4xx_count",
+			Help:      "How many 4xx requests processed" + partitionsHelp,
+		}, lbls...),
+		HTTP5xx: NewCounter(prometheus.CounterOpts{
+			Namespace: routerNamespace,
+			Subsystem: routerHTTPSubsystem,
+			Name:      "req_5xx_count",
+			Help:      "How many 5xx requests processed" + partitionsHelp,
+		}, lbls...),
+		HTTPReqElapsed: NewGauge(prometheus.GaugeOpts{
+			Namespace: routerNamespace,
+			Subsystem: routerHTTPSubsystem,
+			Name:      "req_elapsed_ms",
+			Help:      "How long it took to process the request and respond a status code" + partitionsHelp,
+		}, lbls...),
+	}
+}
+
+func initServiceMetrics() {
+	sm = ServiceMetrics{
+		HealthStatus: NewGauge(prometheus.GaugeOpts{
+			Namespace: serviceNamespace,
+			Name:      "health_status",
+			Help:      "The health status of the router by service",
+		}, "service"),
+	}
+}
--- a/internal/metrics/router_metrics.go
+++ b/internal/metrics/router_metrics.go
@@ -0,0 +1,26 @@
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+func InitRouterMetrics(getRPsCount func() int, getStreamsCount func() int) {
+	if !common.PrometheusEnabled {
+		return
+	}
+	prometheus.MustRegister(prometheus.NewGaugeFunc(prometheus.GaugeOpts{
+		Namespace: "entrypoint",
+		Name:      "num_reverse_proxies",
+		Help:      "The number of reverse proxies",
+	}, func() float64 {
+		return float64(getRPsCount())
+	}))
+	prometheus.MustRegister(prometheus.NewGaugeFunc(prometheus.GaugeOpts{
+		Namespace: "entrypoint",
+		Name:      "num_streams",
+		Help:      "The number of streams",
+	}, func() float64 {
+		return float64(getStreamsCount())
+	}))
+}
--- a/Show More
+++ b/Show More