fix: remove redundant entrypoint.FromCtx(ctx) call

- Introduced `NewTestRoute` function to simplify route creation in benchmark tests.
- Replaced direct route validation and starting with error handling using `require.NoError`.
- Updated server retrieval to use `common.ProxyHTTPAddr` for consistency.
- Improved logging for HTTP route addition errors in `AddRoute` method.

.github/workflows/docker-image.yml

@@ -45,11 +45,37 @@ jobs:
       attestations: write
 
     steps:
+      - name: Checkout (for tag resolution)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
       - name: Prepare
         run: |
           platform=${{ matrix.platform }}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 
+      - name: Compute VERSION for build
+        run: |
+          if [ "${GITHUB_REF_TYPE}" = "tag" ]; then
+            version="${GITHUB_REF_NAME}"
+            cache_variant="release"
+          elif [ "${GITHUB_REF_NAME}" = "main" ] || [ "${GITHUB_REF_NAME}" = "compat" ]; then
+            git fetch --tags origin main
+            version="$(git describe --tags --abbrev=0 origin/main 2>/dev/null || git describe --tags --abbrev=0 main 2>/dev/null || echo v0.0.0)"
+            cache_variant="${GITHUB_REF_NAME}"
+          else
+            version="v$(date -u +'%Y%m%d-%H%M')"
+            cache_variant="nightly"
+          fi
+          echo "VERSION_FOR_BUILD=$version" >> $GITHUB_ENV
+          echo "CACHE_VARIANT=$cache_variant" >> $GITHUB_ENV
+          if [ "${GITHUB_REF_TYPE}" = "branch" ]; then
+            echo "BRANCH_FOR_BUILD=${GITHUB_REF_NAME}" >> $GITHUB_ENV
+          else
+            echo "BRANCH_FOR_BUILD=" >> $GITHUB_ENV
+          fi
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -80,14 +106,15 @@ jobs:
           file: ${{ env.DOCKERFILE }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
           cache-from: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}
-          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
+            type=gha,scope=${{ github.workflow }}-${{ env.CACHE_VARIANT }}-${{ env.PLATFORM_PAIR }}
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.CACHE_VARIANT }}-${{ env.PLATFORM_PAIR }}
           cache-to: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max
-          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
+            type=gha,scope=${{ github.workflow }}-${{ env.CACHE_VARIANT }}-${{ env.PLATFORM_PAIR }},mode=max
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.CACHE_VARIANT }}-${{ env.PLATFORM_PAIR }},mode=max
           build-args: |
-            VERSION=${{ github.ref_name }}
+            VERSION=${{ env.VERSION_FOR_BUILD }}
             MAKE_ARGS=${{ env.MAKE_ARGS }}
+            BRANCH=${{ env.BRANCH_FOR_BUILD }}
 
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1

.gitignore

@@ -40,4 +40,8 @@ tsconfig.tsbuildinfo
 
 !agent.compose.yml
 !agent/pkg/**
-dev-data/
+dev-data/
+
+RELEASE_NOTES.md
+CLAUDE.md
+.kilocode/**

.gitmodules

@@ -7,3 +7,6 @@
 [submodule "goutils"]
 	path = goutils
 	url = https://github.com/yusing/goutils.git
+[submodule "internal/go-proxmox"]
+	path = internal/go-proxmox
+	url = https://github.com/yusing/go-proxmox

CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+yusing@6uo.me.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.25.6-alpine AS deps
+FROM golang:1.25.7-alpine AS deps
 HEALTHCHECK NONE
 
 # package version does not matter
@@ -14,6 +14,7 @@ WORKDIR /src
 COPY goutils/go.mod goutils/go.sum ./goutils/
 COPY internal/go-oidc/go.mod internal/go-oidc/go.sum ./internal/go-oidc/
 COPY internal/gopsutil/go.mod internal/gopsutil/go.sum ./internal/gopsutil/
+COPY internal/go-proxmox/go.mod internal/go-proxmox/go.sum ./internal/go-proxmox/
 COPY go.mod go.sum ./
 
 # remove godoxy stuff from go.mod first
@@ -43,6 +44,9 @@ ENV VERSION=${VERSION}
 ARG MAKE_ARGS
 ENV MAKE_ARGS=${MAKE_ARGS}
 
+ARG BRANCH
+ENV BRANCH=${BRANCH}
+
 RUN --mount=type=cache,target=/root/.cache/go-build \
   --mount=type=cache,target=/root/go/pkg/mod \
   make ${MAKE_ARGS} docker=1 build

Makefile

@@ -1,5 +1,6 @@
 shell := /bin/sh
 export VERSION ?= $(shell git describe --tags --abbrev=0)
+export BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux
 
@@ -8,7 +9,12 @@ REPO_URL ?= https://github.com/yusing/godoxy
 WEBUI_DIR ?= ../godoxy-webui
 DOCS_DIR ?= ${WEBUI_DIR}/wiki
 
-GO_TAGS = sonic
+ifneq ($(BRANCH), compat)
+	GO_TAGS = sonic
+else
+	GO_TAGS =
+endif
+
 LDFLAGS = -X github.com/yusing/goutils/version.version=${VERSION} -checklinkname=0
 
 ifeq ($(agent), 1)
@@ -86,7 +92,7 @@ docker-build-test:
 
 go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
 files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
-gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
+gomod_paths := $(shell find . -name go.mod -type f | grep -vE '^./internal/(go-oidc|go-proxmox|gopsutil)/' | xargs dirname)
 
 update-go:
 	for file in ${files}; do \
@@ -137,9 +143,6 @@ benchmark:
 dev-run: build
 	cd dev-data && ${BIN_PATH}
 
-mtrace:
-	 ${BIN_PATH} debug-ls-mtrace > mtrace.json
-
 rapid-crash:
 	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
 	sleep 3 &&\
@@ -156,7 +159,7 @@ cloc:
 	scc -w -i go --not-match '_test.go$$'
 
 push-github:
-	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+	git push origin $(BRANCH)
 
 gen-swagger:
   # go install github.com/swaggo/swag/cmd/swag@latest

README.md

@@ -33,6 +33,10 @@ Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e4
 - [Prerequisites](#prerequisites)
 - [Setup](#setup)
 - [How does GoDoxy work](#how-does-godoxy-work)
+- [Proxmox Integration](#proxmox-integration)
+  - [Automatic Route Binding](#automatic-route-binding)
+  - [WebUI Management](#webui-management)
+  - [API Endpoints](#api-endpoints)
 - [Update / Uninstall system agent](#update--uninstall-system-agent)
 - [Screenshots](#screenshots)
   - [idlesleeper](#idlesleeper)
@@ -67,7 +71,11 @@ Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e4
   - Podman
 - **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
   - Docker containers
-  - Proxmox LXCs
+  - Proxmox LXC containers
+- **Proxmox Integration**
+  - **Automatic route binding**: Routes automatically bind to Proxmox nodes or LXC containers by matching hostname, IP, or alias
+  - **LXC lifecycle control**: Start, stop, restart containers directly from WebUI
+  - **Real-time logs**: Stream journalctl logs from nodes and LXC containers via WebSocket
 - **Traffic Management**
   - HTTP reserve proxy
   - TCP/UDP port forwarding
@@ -80,7 +88,12 @@ Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e4
   - App Dashboard
   - Config Editor
   - Uptime and System Metrics
-  - Docker Logs Viewer
+  - **Docker**
+    - Container lifecycle management (start, stop, restart)
+    - Real-time container logs via WebSocket
+  - **Proxmox**
+    - LXC container lifecycle management (start, stop, restart)
+    - Real-time node and LXC journalctl logs via WebSocket
 - **Cross-Platform support**
   - Supports **linux/amd64** and **linux/arm64**
 - **Efficient and Performant**
@@ -128,6 +141,50 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 >
 > For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
 
+## Proxmox Integration
+
+GoDoxy can automatically discover and manage Proxmox nodes and LXC containers through configured providers.
+
+### Automatic Route Binding
+
+Routes are automatically linked to Proxmox resources through reverse lookup:
+
+1. **Node-level routes** (VMID = 0): When hostname, IP, or alias matches a Proxmox node name or IP
+2. **Container-level routes** (VMID > 0): When hostname, IP, or alias matches an LXC container
+
+This enables seamless proxy configuration without manual binding:
+
+```yaml
+routes:
+  pve-node-01:
+    host: pve-node-01.internal
+    port: 8006
+    # Automatically links to Proxmox node pve-node-01
+```
+
+### WebUI Management
+
+From the WebUI, you can:
+
+- **LXC Lifecycle Control**: Start, stop, restart containers
+- **Node Logs**: Stream real-time journalctl output from nodes
+- **LXC Logs**: Stream real-time journalctl output from containers
+
+### API Endpoints
+
+```http
+# Node journalctl (WebSocket)
+GET /api/v1/proxmox/journalctl/:node
+
+# LXC journalctl (WebSocket)
+GET /api/v1/proxmox/journalctl/:node/:vmid
+
+# LXC lifecycle control
+POST /api/v1/proxmox/lxc/:node/:vmid/start
+POST /api/v1/proxmox/lxc/:node/:vmid/stop
+POST /api/v1/proxmox/lxc/:node/:vmid/restart
+```
+
 ## Update / Uninstall system agent
 
 Update:

README_CHT.md

@@ -34,6 +34,10 @@
 - [安裝](#安裝)
   - [手動安裝](#手動安裝)
   - [資料夾結構](#資料夾結構)
+- [Proxmox 整合](#proxmox-整合)
+  - [自動路由綁定](#自動路由綁定)
+  - [WebUI 管理](#webui-管理)
+  - [API 端點](#api-端點)
 - [更新 / 卸載系統代理 (System Agent)](#更新--卸載系統代理-system-agent)
 - [截圖](#截圖)
   - [閒置休眠](#閒置休眠)
@@ -67,6 +71,10 @@
 - **閒置休眠**：根據流量停止和喚醒容器 _(參見[截圖](#閒置休眠))_
   - Docker 容器
   - Proxmox LXC 容器
+- **Proxmox 整合**
+  - **自動路由綁定**：透過比對主機名稱、IP 或別名自動將路由綁定至 Proxmox 節點或 LXC 容器
+  - **LXC 生命週期控制**：可直接從 WebUI 啟動、停止、重新啟動容器
+  - **即時日誌**：透過 WebSocket 串流節點和 LXC 容器的 journalctl 日誌
 - **流量管理**
   - HTTP 反向代理
   - TCP/UDP 連接埠轉送
@@ -79,7 +87,12 @@
   - 應用程式一覽
   - 設定編輯器
   - 執行時間與系統指標
-  - Docker 日誌檢視器
+  - **Docker**
+    - 容器生命週期管理 (啟動、停止、重新啟動)
+    - 透過 WebSocket 即時串流容器日誌
+  - **Proxmox**
+    - LXC 容器生命週期管理 (啟動、停止、重新啟動)
+    - 透過 WebSocket 即時串流節點和 LXC 容器 journalctl 日誌
 - **跨平台支援**
   - 支援 **linux/amd64** 與 **linux/arm64**
 - **高效能**
@@ -144,6 +157,50 @@
 └── .env
 ```
 
+## Proxmox 整合
+
+GoDoxy 可透過配置的提供者自動探索和管理 Proxmox 節點和 LXC 容器。
+
+### 自動路由綁定
+
+路由透過反向查詢自動連結至 Proxmox 資源：
+
+1. **節點級路由** (VMID = 0)：當主機名稱、IP 或別名符合 Proxmox 節點名稱或 IP 時
+2. **容器級路由** (VMID > 0)：當主機名稱、IP 或別名符合 LXC 容器時
+
+這可實現無需手動綁定的無縫代理配置：
+
+```yaml
+routes:
+  pve-node-01:
+    host: pve-node-01.internal
+    port: 8006
+    # 自動連結至 Proxmox 節點 pve-node-01
+```
+
+### WebUI 管理
+
+您可以從 WebUI：
+
+- **LXC 生命週期控制**：啟動、停止、重新啟動容器
+- **節點日誌**：串流來自節點的即時 journalctl 輸出
+- **LXC 日誌**：串流來自容器的即時 journalctl 輸出
+
+### API 端點
+
+```http
+# 節點 journalctl (WebSocket)
+GET /api/v1/proxmox/journalctl/:node
+
+# LXC journalctl (WebSocket)
+GET /api/v1/proxmox/journalctl/:node/:vmid
+
+# LXC 生命週期控制
+POST /api/v1/proxmox/lxc/:node/:vmid/start
+POST /api/v1/proxmox/lxc/:node/:vmid/stop
+POST /api/v1/proxmox/lxc/:node/:vmid/restart
+```
+
 ## 更新 / 卸載系統代理 (System Agent)
 
 更新：

agent/cmd/main.go

@@ -161,7 +161,7 @@ Tips:
 		srv.Serve(l)
 	}
 
-	systeminfo.Poller.Start()
+	systeminfo.Poller.Start(t)
 
 	task.WaitExit(3)
 }

agent/go.mod

@@ -1,6 +1,11 @@
 module github.com/yusing/godoxy/agent
 
-go 1.25.6
+go 1.25.7
+
+exclude (
+	github.com/moby/moby/api v1.53.0 // allow older daemon versions
+	github.com/moby/moby/client v0.2.2 // allow older daemon versions
+)
 
 replace (
 	github.com/shirou/gopsutil/v4 => ../internal/gopsutil
@@ -15,14 +20,14 @@ replace (
 exclude github.com/containerd/nerdctl/mod/tigron v0.0.0
 
 require (
-	github.com/bytedance/sonic v1.14.2
+	github.com/bytedance/sonic v1.15.0
 	github.com/gin-gonic/gin v1.11.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/pion/dtls/v3 v3.0.10
 	github.com/pion/transport/v3 v3.1.1
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.11.1
-	github.com/yusing/godoxy v0.24.1
+	github.com/yusing/godoxy v0.25.2
 	github.com/yusing/godoxy/socketproxy v0.0.0-00010101000000-000000000000
 	github.com/yusing/goutils v0.7.0
 )
@@ -31,14 +36,14 @@ require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v29.1.4+incompatible // indirect
+	github.com/docker/cli v29.2.0+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
@@ -73,7 +78,7 @@ require (
 	github.com/pion/transport/v4 v4.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/puzpuzpuz/xsync/v4 v4.3.0 // indirect
+	github.com/puzpuzpuz/xsync/v4 v4.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.12 // indirect
@@ -86,8 +91,8 @@ require (
 	github.com/valyala/fasthttp v1.69.0 // indirect
 	github.com/yusing/ds v0.4.1 // indirect
 	github.com/yusing/gointernals v0.1.16 // indirect
-	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260116021320-b12ef77f3743 // indirect
-	github.com/yusing/goutils/http/websocket v0.0.0-20260116021320-b12ef77f3743 // indirect
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260129081554-24e52ede7468 // indirect
+	github.com/yusing/goutils/http/websocket v0.0.0-20260129081554-24e52ede7468 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect

agent/go.sum

@@ -10,10 +10,10 @@ github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
 github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
-github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
-github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
-github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
+github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -37,8 +37,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.1.4+incompatible h1:AI8fwZhqsAsrqZnVv9h6lbexeW/LzNTasf6A4vcNN8M=
-github.com/docker/cli v29.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
+github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -82,8 +82,8 @@ github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PU
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -124,8 +124,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
-github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/moby/api v1.52.0 h1:00BtlJY4MXkkt84WhUZPRqt5TvPbgig2FZvTbe3igYg=
@@ -153,16 +153,16 @@ github.com/pion/transport/v3 v3.1.1 h1:Tr684+fnnKlhPceU+ICdrw6KKkTms+5qHMgw6bIkY
 github.com/pion/transport/v3 v3.1.1/go.mod h1:+c2eewC5WJQHiAA46fkMMzoYZSuGzA/7E2FPrOYHctQ=
 github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
 github.com/pion/transport/v4 v4.0.1/go.mod h1:nEuEA4AD5lPdcIegQDpVLgNoDGreqM/YqmEx3ovP4jM=
-github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
-github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pires/go-proxyproto v0.9.2 h1:H1UdHn695zUVVmB0lQ354lOWHOy6TZSpzBl3tgN0s1U=
+github.com/pires/go-proxyproto v0.9.2/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/puzpuzpuz/xsync/v4 v4.3.0 h1:w/bWkEJdYuRNYhHn5eXnIT8LzDM1O629X1I9MJSkD7Q=
-github.com/puzpuzpuz/xsync/v4 v4.3.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/puzpuzpuz/xsync/v4 v4.4.0 h1:vlSN6/CkEY0pY8KaB0yqo/pCLZvp9nhdbBdjipT4gWo=
+github.com/puzpuzpuz/xsync/v4 v4.4.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=

agent/pkg/agent/config.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -16,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/bytedance/sonic"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/yusing/godoxy/agent/pkg/agent/common"
@@ -150,7 +150,7 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 		// test stream server connection
 		const fakeAddress = "localhost:8080" // it won't be used, just for testing
 		// test TCP stream support
-		err := agentstream.TCPHealthCheck(cfg.Addr, cfg.caCert, cfg.clientCert)
+		err := agentstream.TCPHealthCheck(ctx, cfg.Addr, cfg.caCert, cfg.clientCert)
 		if err != nil {
 			streamUnsupportedErrs.Addf("failed to connect to stream server via TCP: %w", err)
 		} else {
@@ -158,7 +158,7 @@ func (cfg *AgentConfig) InitWithCerts(ctx context.Context, ca, crt, key []byte)
 		}
 
 		// test UDP stream support
-		err = agentstream.UDPHealthCheck(cfg.Addr, cfg.caCert, cfg.clientCert)
+		err = agentstream.UDPHealthCheck(ctx, cfg.Addr, cfg.caCert, cfg.clientCert)
 		if err != nil {
 			streamUnsupportedErrs.Addf("failed to connect to stream server via UDP: %w", err)
 		} else {
@@ -313,8 +313,18 @@ func (cfg *AgentConfig) do(ctx context.Context, method, endpoint string, body io
 	if err != nil {
 		return nil, err
 	}
+
+	timeout := 5 * time.Second
+	if deadline, ok := ctx.Deadline(); ok {
+		remaining := time.Until(deadline)
+		if remaining > 0 {
+			timeout = remaining
+		}
+	}
+
 	client := http.Client{
 		Transport: cfg.Transport(),
+		Timeout:   timeout,
 	}
 	return client.Do(req)
 }
@@ -356,7 +366,7 @@ func (cfg *AgentConfig) fetchJSON(ctx context.Context, endpoint string, out any)
 		return resp.StatusCode, nil
 	}
 
-	err = json.Unmarshal(data, out)
+	err = sonic.Unmarshal(data, out)
 	if err != nil {
 		return 0, err
 	}

agent/pkg/agent/stream/tcp_client.go

@@ -1,6 +1,7 @@
 package stream
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
@@ -34,13 +35,13 @@ func NewTCPClient(serverAddr, targetAddress string, caCert *x509.Certificate, cl
 		return nil, err
 	}
 
-	return newTCPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	return newTCPClientWIthHeader(context.Background(), serverAddr, header, caCert, clientCert)
 }
 
-func TCPHealthCheck(serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
+func TCPHealthCheck(ctx context.Context, serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
 	header := NewStreamHealthCheckHeader()
 
-	conn, err := newTCPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	conn, err := newTCPClientWIthHeader(ctx, serverAddr, header, caCert, clientCert)
 	if err != nil {
 		return err
 	}
@@ -49,7 +50,7 @@ func TCPHealthCheck(serverAddr string, caCert *x509.Certificate, clientCert *tls
 	return nil
 }
 
-func newTCPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
+func newTCPClientWIthHeader(ctx context.Context, serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
 	// Setup TLS configuration
 	caCertPool := x509.NewCertPool()
 	caCertPool.AddCert(caCert)
@@ -62,17 +63,43 @@ func newTCPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCe
 		ServerName:   common.CertsDNSName,
 	}
 
+	dialer := &net.Dialer{
+		Timeout: dialTimeout,
+	}
+	tlsDialer := &tls.Dialer{
+		NetDialer: dialer,
+		Config:    tlsConfig,
+	}
+
 	// Establish TLS connection
-	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: dialTimeout}, "tcp", serverAddr, tlsConfig)
+	conn, err := tlsDialer.DialContext(ctx, "tcp", serverAddr)
 	if err != nil {
 		return nil, err
 	}
+
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		err := conn.SetWriteDeadline(deadline)
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
 	// Send the stream header once as a handshake.
 	if _, err := conn.Write(header.Bytes()); err != nil {
 		_ = conn.Close()
 		return nil, err
 	}
 
+	if hasDeadline {
+		// reset write deadline
+		err = conn.SetWriteDeadline(time.Time{})
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
+
 	return &TCPClient{
 		conn: conn,
 	}, nil

agent/pkg/agent/stream/tests/healthcheck_test.go

@@ -12,7 +12,7 @@ func TestTCPHealthCheck(t *testing.T) {
 
 	srv := startTCPServer(t, certs)
 
-	err := stream.TCPHealthCheck(srv.Addr.String(), certs.CaCert, certs.ClientCert)
+	err := stream.TCPHealthCheck(t.Context(), srv.Addr.String(), certs.CaCert, certs.ClientCert)
 	require.NoError(t, err, "health check")
 }
 
@@ -21,6 +21,6 @@ func TestUDPHealthCheck(t *testing.T) {
 
 	srv := startUDPServer(t, certs)
 
-	err := stream.UDPHealthCheck(srv.Addr.String(), certs.CaCert, certs.ClientCert)
+	err := stream.UDPHealthCheck(t.Context(), srv.Addr.String(), certs.CaCert, certs.ClientCert)
 	require.NoError(t, err, "health check")
 }

agent/pkg/agent/stream/udp_client.go

@@ -1,6 +1,7 @@
 package stream
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
@@ -35,10 +36,10 @@ func NewUDPClient(serverAddr, targetAddress string, caCert *x509.Certificate, cl
 		return nil, err
 	}
 
-	return newUDPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	return newUDPClientWIthHeader(context.Background(), serverAddr, header, caCert, clientCert)
 }
 
-func newUDPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
+func newUDPClientWIthHeader(ctx context.Context, serverAddr string, header *StreamRequestHeader, caCert *x509.Certificate, clientCert *tls.Certificate) (net.Conn, error) {
 	// Setup DTLS configuration
 	caCertPool := x509.NewCertPool()
 	caCertPool.AddCert(caCert)
@@ -62,21 +63,40 @@ func newUDPClientWIthHeader(serverAddr string, header *StreamRequestHeader, caCe
 	if err != nil {
 		return nil, err
 	}
+
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		err := conn.SetWriteDeadline(deadline)
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
+
 	// Send the stream header once as a handshake.
 	if _, err := conn.Write(header.Bytes()); err != nil {
 		_ = conn.Close()
 		return nil, err
 	}
 
+	if hasDeadline {
+		// reset write deadline
+		err = conn.SetWriteDeadline(time.Time{})
+		if err != nil {
+			_ = conn.Close()
+			return nil, err
+		}
+	}
+
 	return &UDPClient{
 		conn: conn,
 	}, nil
 }
 
-func UDPHealthCheck(serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
+func UDPHealthCheck(ctx context.Context, serverAddr string, caCert *x509.Certificate, clientCert *tls.Certificate) error {
 	header := NewStreamHealthCheckHeader()
 
-	conn, err := newUDPClientWIthHeader(serverAddr, header, caCert, clientCert)
+	conn, err := newUDPClientWIthHeader(ctx, serverAddr, header, caCert, clientCert)
 	if err != nil {
 		return err
 	}

cmd/bench_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25.6-alpine AS builder
+FROM golang:1.25.7-alpine AS builder
 
 HEALTHCHECK NONE
 

cmd/bench_server/go.mod

@@ -1,3 +1,3 @@
 module github.com/yusing/godoxy/cmd/bench_server
 
-go 1.25.6
+go 1.25.7

cmd/debug_page.go

@@ -181,7 +181,6 @@ func newApiHandler(debugMux *debugMux) *gin.Engine {
 		registerGinRoute(v1, "GET", "Route favicon", "/favicon", apiV1.FavIcon)
 		registerGinRoute(v1, "GET", "Route health", "/health", apiV1.Health)
 		registerGinRoute(v1, "GET", "List icons", "/icons", apiV1.Icons)
-		registerGinRoute(v1, "POST", "Config reload", "/reload", apiV1.Reload)
 		registerGinRoute(v1, "GET", "Route stats", "/stats", apiV1.Stats)
 
 		route := v1.Group("/route")

cmd/h2c_test_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25.6-alpine AS builder
+FROM golang:1.25.7-alpine AS builder
 
 HEALTHCHECK NONE
 

cmd/h2c_test_server/go.mod

@@ -1,6 +1,6 @@
 module github.com/yusing/godoxy/cmd/h2c_test_server
 
-go 1.25.6
+go 1.25.7
 
 require golang.org/x/net v0.49.0
 

cmd/main.go

@@ -1,11 +1,12 @@
 package main
 
 import (
+	"errors"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/godoxy/internal/api"
 	"github.com/yusing/godoxy/internal/auth"
 	"github.com/yusing/godoxy/internal/common"
 	"github.com/yusing/godoxy/internal/config"
@@ -13,12 +14,9 @@ import (
 	iconlist "github.com/yusing/godoxy/internal/homepage/icons/list"
 	"github.com/yusing/godoxy/internal/logging"
 	"github.com/yusing/godoxy/internal/logging/memlogger"
-	"github.com/yusing/godoxy/internal/metrics/systeminfo"
-	"github.com/yusing/godoxy/internal/metrics/uptime"
 	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
 	"github.com/yusing/godoxy/internal/route/rules"
 	gperr "github.com/yusing/goutils/errs"
-	"github.com/yusing/goutils/server"
 	"github.com/yusing/goutils/task"
 	"github.com/yusing/goutils/version"
 )
@@ -32,6 +30,16 @@ func parallel(fns ...func()) {
 }
 
 func main() {
+	done := make(chan struct{}, 1)
+	go func() {
+		select {
+		case <-done:
+			return
+		case <-time.After(common.InitTimeout):
+			log.Fatal().Msgf("timeout waiting for initialization to complete, exiting...")
+		}
+	}()
+
 	initProfiling()
 
 	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
@@ -40,7 +48,6 @@ func main() {
 	parallel(
 		dnsproviders.InitProviders,
 		iconlist.InitCache,
-		systeminfo.Poller.Start,
 		middleware.LoadComposeFiles,
 	)
 
@@ -55,28 +62,24 @@ func main() {
 
 	err := config.Load()
 	if err != nil {
+		var criticalErr config.CriticalError
+		if errors.As(err, &criticalErr) {
+			gperr.LogFatal("critical error in config", criticalErr)
+		}
 		gperr.LogWarn("errors in config", err)
 	}
 
-	config.StartProxyServers()
-
 	if err := auth.Initialize(); err != nil {
 		log.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
 	rules.InitAuthHandler(auth.AuthOrProceed)
 
-	// API Handler needs to start after auth is initialized.
-	server.StartServer(task.RootTask("api_server", false), server.Options{
-		Name:     "api",
-		HTTPAddr: common.APIHTTPAddr,
-		Handler:  api.NewHandler(),
-	})
-
 	listenDebugServer()
 
-	uptime.Poller.Start()
 	config.WatchChanges()
 
+	close(done)
+
 	task.WaitExit(config.Value().TimeoutShutdown)
 }
 

compose.example.yml

@@ -31,8 +31,8 @@ services:
     user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
     read_only: true
     tmpfs:
-      - /app/.next/cache # next image caching
-
+      - /tmp:rw
+      - /app/node_modules/.cache:rw
       # for lite variant, do not change uid/gid
       # - /var/cache/nginx:uid=101,gid=101
       # - /run:uid=101,gid=101

go.mod

@@ -1,9 +1,15 @@
 module github.com/yusing/godoxy
 
-go 1.25.6
+go 1.25.7
+
+exclude (
+	github.com/moby/moby/api v1.53.0 // allow older daemon versions
+	github.com/moby/moby/client v0.2.2 // allow older daemon versions
+)
 
 replace (
 	github.com/coreos/go-oidc/v3 => ./internal/go-oidc
+	github.com/luthermonson/go-proxmox => ./internal/go-proxmox
 	github.com/shirou/gopsutil/v4 => ./internal/gopsutil
 	github.com/yusing/godoxy/agent => ./agent
 	github.com/yusing/godoxy/internal/dnsproviders => ./internal/dnsproviders
@@ -24,8 +30,8 @@ require (
 	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
 	github.com/gotify/server/v2 v2.8.0 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/pires/go-proxyproto v0.8.1 // proxy protocol support
-	github.com/puzpuzpuz/xsync/v4 v4.3.0 // lock free map for concurrent operations
+	github.com/pires/go-proxyproto v0.9.2 // proxy protocol support
+	github.com/puzpuzpuz/xsync/v4 v4.4.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
 	golang.org/x/crypto v0.47.0 // encrypting password with bcrypt
@@ -37,10 +43,10 @@ require (
 
 require (
 	github.com/bytedance/gopkg v0.1.3 // xxhash64 for fast hash
-	github.com/bytedance/sonic v1.14.2 // fast json parsing
-	github.com/docker/cli v29.1.4+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
+	github.com/bytedance/sonic v1.15.0 // fast json parsing
+	github.com/docker/cli v29.2.0+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
 	github.com/goccy/go-yaml v1.19.2 // yaml parsing for different config files
-	github.com/golang-jwt/jwt/v5 v5.3.0 // jwt authentication
+	github.com/golang-jwt/jwt/v5 v5.3.1 // jwt authentication
 	github.com/luthermonson/go-proxmox v0.3.2 // proxmox API client
 	github.com/moby/moby/api v1.52.0 // docker API
 	github.com/moby/moby/client v0.2.1 // docker client
@@ -51,17 +57,17 @@ require (
 	github.com/stretchr/testify v1.11.1 // testing framework
 	github.com/valyala/fasthttp v1.69.0 // fast http for health check
 	github.com/yusing/ds v0.4.1 // data structures and algorithms
-	github.com/yusing/godoxy/agent v0.0.0-20260116020954-edcde00dcc3a
-	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20260116020954-edcde00dcc3a
+	github.com/yusing/godoxy/agent v0.0.0-20260129101716-0f13004ad6ba
+	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20260129101716-0f13004ad6ba
 	github.com/yusing/gointernals v0.1.16
 	github.com/yusing/goutils v0.7.0
-	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260116021320-b12ef77f3743
-	github.com/yusing/goutils/http/websocket v0.0.0-20260116021320-b12ef77f3743
-	github.com/yusing/goutils/server v0.0.0-20260116021320-b12ef77f3743
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20260129081554-24e52ede7468
+	github.com/yusing/goutils/http/websocket v0.0.0-20260129081554-24e52ede7468
+	github.com/yusing/goutils/server v0.0.0-20260129081554-24e52ede7468
 )
 
 require (
-	cloud.google.com/go/auth v0.18.0 // indirect
+	cloud.google.com/go/auth v0.18.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 // indirect
@@ -103,7 +109,7 @@ require (
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.70 // indirect
+	github.com/miekg/dns v1.1.72 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -135,8 +141,8 @@ require (
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
-	google.golang.org/api v0.260.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 // indirect
+	google.golang.org/api v0.263.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect
@@ -148,7 +154,7 @@ require (
 	github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/boombuler/barcode v1.1.0 // indirect
-	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
@@ -169,8 +175,8 @@ require (
 	github.com/linode/linodego v1.64.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.0 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.0 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.107.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.107.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pion/dtls/v3 v3.0.10 // indirect
 	github.com/pion/logging v0.2.4 // indirect

go.sum

@@ -1,5 +1,5 @@
-cloud.google.com/go/auth v0.18.0 h1:wnqy5hrv7p3k7cShwAU/Br3nzod7fxoqG+k0VZ+/Pk0=
-cloud.google.com/go/auth v0.18.0/go.mod h1:wwkPM1AgE1f2u6dG443MiWoD8C3BtOywNsUMcUTVDRo=
+cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
+cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
@@ -51,10 +51,10 @@ github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
 github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
-github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
-github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
-github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
+github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -76,8 +76,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.1.4+incompatible h1:AI8fwZhqsAsrqZnVv9h6lbexeW/LzNTasf6A4vcNN8M=
-github.com/docker/cli v29.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
+github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -137,8 +137,8 @@ github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
 github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -197,8 +197,6 @@ github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k=
 github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/luthermonson/go-proxmox v0.3.2 h1:/zUg6FCl9cAABx0xU3OIgtDtClY0gVXxOCsrceDNylc=
-github.com/luthermonson/go-proxmox v0.3.2/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
 github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
@@ -210,8 +208,8 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/maxatome/go-testdeep v1.14.0 h1:rRlLv1+kI8eOI3OaBXZwb3O7xY3exRzdW5QyX48g9wI=
 github.com/maxatome/go-testdeep v1.14.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
-github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
-github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -229,10 +227,10 @@ github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0
 github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
 github.com/nrdcg/goinwx v0.12.0 h1:ujdUqDBnaRSFwzVnImvPHYw3w3m9XgmGImNUw1GyMb4=
 github.com/nrdcg/goinwx v0.12.0/go.mod h1:IrVKd3ZDbFiMjdPgML4CSxZAY9wOoqLvH44zv3NodJ0=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.0 h1:4MRzV6spwPHKct+4/ETqkEtr39Hq+0KvxhsgqbgQ2Bo=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.0 h1:RxraLVYX3eMUfQ1pDtJVvykEFGheky2YsrUt2HHRDcw=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.0/go.mod h1:JLMEKMX8IYPZ1TUSVHAVAbtnNSfP/I8OZQkAnfEMA0I=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.107.0 h1:eMzyN+jGJbxG4ut278uwIsUo9XacXc711lFjhKnaUso=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.107.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.107.0 h1:t34IpOa+8NfmjkU8bdWtYrLrmr346/FGhu8FlpJDQok=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.107.0/go.mod h1:p95/OxVsdx71I2Qrck1GtIS87sRxcTRKXzUi5nWm9NY=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -253,8 +251,8 @@ github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
 github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
 github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
 github.com/pion/transport/v4 v4.0.1/go.mod h1:nEuEA4AD5lPdcIegQDpVLgNoDGreqM/YqmEx3ovP4jM=
-github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
-github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pires/go-proxyproto v0.9.2 h1:H1UdHn695zUVVmB0lQ354lOWHOy6TZSpzBl3tgN0s1U=
+github.com/pires/go-proxyproto v0.9.2/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -267,8 +265,8 @@ github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/puzpuzpuz/xsync/v4 v4.3.0 h1:w/bWkEJdYuRNYhHn5eXnIT8LzDM1O629X1I9MJSkD7Q=
-github.com/puzpuzpuz/xsync/v4 v4.3.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/puzpuzpuz/xsync/v4 v4.4.0 h1:vlSN6/CkEY0pY8KaB0yqo/pCLZvp9nhdbBdjipT4gWo=
+github.com/puzpuzpuz/xsync/v4 v4.4.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
@@ -449,14 +447,14 @@ golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.260.0 h1:XbNi5E6bOVEj/uLXQRlt6TKuEzMD7zvW/6tNwltE4P4=
-google.golang.org/api v0.260.0/go.mod h1:Shj1j0Phr/9sloYrKomICzdYgsSDImpTxME8rGLaZ/o=
+google.golang.org/api v0.263.0 h1:UFs7qn8gInIdtk1ZA6eXRXp5JDAnS4x9VRsRVCeKdbk=
+google.golang.org/api v0.263.0/go.mod h1:fAU1xtNNisHgOF5JooAs8rRaTkl2rT3uaoNGo9NS3R8=
 google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934=
 google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 h1:C4WAdL+FbjnGlpp2S+HMVhBeCq2Lcib4xZqfPNF6OoQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

internal/acl/config.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"math"
 	"net"
-	"sync/atomic"
 	"time"
 
 	"github.com/puzpuzpuz/xsync/v4"
@@ -27,9 +26,9 @@ type Config struct {
 	Log        *accesslog.ACLLoggerConfig `json:"log"`
 
 	Notify struct {
-		To             []string      `json:"to"`              // list of notification providers
-		Interval       time.Duration `json:"interval"`        // interval between notifications
-		IncludeAllowed *bool         `json:"include_allowed"` // default: false
+		To             []string      `json:"to,omitempty"`             // list of notification providers
+		Interval       time.Duration `json:"interval,omitempty"`       // interval between notifications
+		IncludeAllowed *bool         `json:"include_allowed,omitzero"` // default: false
 	} `json:"notify"`
 
 	config
@@ -75,9 +74,6 @@ type ipLog struct {
 	allowed bool
 }
 
-// could be nil
-var ActiveConfig atomic.Pointer[Config]
-
 const cacheTTL = 1 * time.Minute
 
 func (c *checkCache) Expired() bool {
@@ -108,7 +104,7 @@ func (c *Config) Validate() gperr.Error {
 		c.allowLocal = true
 	}
 
-	if c.Notify.Interval < 0 {
+	if c.Notify.Interval <= 0 {
 		c.Notify.Interval = defaultNotifyInterval
 	}
 
@@ -292,16 +288,16 @@ func (c *Config) IPAllowed(ip net.IP) bool {
 	}
 
 	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
-	if c.Allow.Match(ipAndStr) {
-		c.logAndNotify(ipAndStr, true)
-		c.cacheRecord(ipAndStr, true)
-		return true
-	}
 	if c.Deny.Match(ipAndStr) {
 		c.logAndNotify(ipAndStr, false)
 		c.cacheRecord(ipAndStr, false)
 		return false
 	}
+	if c.Allow.Match(ipAndStr) {
+		c.logAndNotify(ipAndStr, true)
+		c.cacheRecord(ipAndStr, true)
+		return true
+	}
 
 	c.logAndNotify(ipAndStr, c.defaultAllow)
 	c.cacheRecord(ipAndStr, c.defaultAllow)

internal/acl/matcher.go

@@ -1,6 +1,7 @@
 package acl
 
 import (
+	"bytes"
 	"net"
 	"strings"
 
@@ -12,6 +13,7 @@ type MatcherFunc func(*maxmind.IPInfo) bool
 
 type Matcher struct {
 	match MatcherFunc
+	raw   string
 }
 
 type Matchers []Matcher
@@ -46,6 +48,7 @@ func (matcher *Matcher) Parse(s string) error {
 	if len(parts) != 2 {
 		return errSyntax
 	}
+	matcher.raw = s
 
 	switch parts[0] {
 	case MatcherTypeIP:
@@ -79,6 +82,18 @@ func (matchers Matchers) Match(ip *maxmind.IPInfo) bool {
 	return false
 }
 
+func (matchers Matchers) MarshalText() ([]byte, error) {
+	if len(matchers) == 0 {
+		return []byte("[]"), nil
+	}
+	var buf bytes.Buffer
+	for _, m := range matchers {
+		buf.WriteString(m.raw)
+		buf.WriteByte('\n')
+	}
+	return buf.Bytes(), nil
+}
+
 func matchIP(ip net.IP) MatcherFunc {
 	return func(ip2 *maxmind.IPInfo) bool {
 		return ip.Equal(ip2.IP)

internal/acl/types/acl.go

@@ -0,0 +1,9 @@
+package acl
+
+import "net"
+
+type ACL interface {
+	IPAllowed(ip net.IP) bool
+	WrapTCP(l net.Listener) net.Listener
+	WrapUDP(l net.PacketConn) net.PacketConn
+}

internal/acl/types/context.go

@@ -0,0 +1,16 @@
+package acl
+
+import "context"
+
+type ContextKey struct{}
+
+func SetCtx(ctx interface{ SetValue(any, any) }, acl ACL) {
+	ctx.SetValue(ContextKey{}, acl)
+}
+
+func FromCtx(ctx context.Context) ACL {
+	if acl, ok := ctx.Value(ContextKey{}).(ACL); ok {
+		return acl
+	}
+	return nil
+}

internal/agentpool/agent.go

@@ -27,6 +27,7 @@ func newAgent(cfg *agent.AgentConfig) *Agent {
 		AgentConfig: cfg,
 		httpClient: &http.Client{
 			Transport: transport,
+			Timeout:   5 * time.Second,
 		},
 		fasthttpHcClient: &fasthttp.Client{
 			DialTimeout: func(addr string, timeout time.Duration) (net.Conn, error) {

internal/api/handler.go

@@ -16,6 +16,7 @@ import (
 	fileApi "github.com/yusing/godoxy/internal/api/v1/file"
 	homepageApi "github.com/yusing/godoxy/internal/api/v1/homepage"
 	metricsApi "github.com/yusing/godoxy/internal/api/v1/metrics"
+	proxmoxApi "github.com/yusing/godoxy/internal/api/v1/proxmox"
 	routeApi "github.com/yusing/godoxy/internal/api/v1/route"
 	"github.com/yusing/godoxy/internal/auth"
 	"github.com/yusing/godoxy/internal/common"
@@ -38,7 +39,7 @@ import (
 
 // @externalDocs.description  GoDoxy Docs
 // @externalDocs.url          https://docs.godoxy.dev
-func NewHandler() *gin.Engine {
+func NewHandler(requireAuth bool) *gin.Engine {
 	if !common.IsDebug {
 		gin.SetMode("release")
 	}
@@ -51,7 +52,7 @@ func NewHandler() *gin.Engine {
 
 	r.GET("/api/v1/version", apiV1.Version)
 
-	if auth.IsEnabled() {
+	if auth.IsEnabled() && requireAuth {
 		v1Auth := r.Group("/api/v1/auth")
 		{
 			v1Auth.HEAD("/check", authApi.Check)
@@ -64,7 +65,7 @@ func NewHandler() *gin.Engine {
 	}
 
 	v1 := r.Group("/api/v1")
-	if auth.IsEnabled() {
+	if auth.IsEnabled() && requireAuth {
 		v1.Use(AuthMiddleware())
 	}
 	if common.APISkipOriginCheck {
@@ -75,7 +76,6 @@ func NewHandler() *gin.Engine {
 		v1.GET("/favicon", apiV1.FavIcon)
 		v1.GET("/health", apiV1.Health)
 		v1.GET("/icons", apiV1.Icons)
-		v1.POST("/reload", apiV1.Reload)
 		v1.GET("/stats", apiV1.Stats)
 
 		route := v1.Group("/route")
@@ -85,6 +85,8 @@ func NewHandler() *gin.Engine {
 			route.GET("/providers", routeApi.Providers)
 			route.GET("/by_provider", routeApi.ByProvider)
 			route.POST("/playground", routeApi.Playground)
+			route.GET("/validate", routeApi.Validate) // websocket
+			route.POST("/validate", routeApi.Validate)
 		}
 
 		file := v1.Group("/file")
@@ -140,6 +142,21 @@ func NewHandler() *gin.Engine {
 			docker.POST("/start", dockerApi.Start)
 			docker.POST("/stop", dockerApi.Stop)
 			docker.POST("/restart", dockerApi.Restart)
+			docker.GET("/stats/:id", dockerApi.Stats)
+		}
+
+		proxmox := v1.Group("/proxmox")
+		{
+			proxmox.GET("/tail", proxmoxApi.Tail)
+			proxmox.GET("/journalctl", proxmoxApi.Journalctl)
+			proxmox.GET("/journalctl/:node", proxmoxApi.Journalctl)
+			proxmox.GET("/journalctl/:node/:vmid", proxmoxApi.Journalctl)
+			proxmox.GET("/journalctl/:node/:vmid/:service", proxmoxApi.Journalctl)
+			proxmox.GET("/stats/:node", proxmoxApi.NodeStats)
+			proxmox.GET("/stats/:node/:vmid", proxmoxApi.VMStats)
+			proxmox.POST("/lxc/:node/:vmid/start", proxmoxApi.Start)
+			proxmox.POST("/lxc/:node/:vmid/stop", proxmoxApi.Stop)
+			proxmox.POST("/lxc/:node/:vmid/restart", proxmoxApi.Restart)
 		}
 	}
 

internal/api/v1/README.md

@@ -44,6 +44,7 @@ Types are defined in `goutils/apitypes`:
 | `file`     | Configuration file read/write operations       |
 | `auth`     | Authentication and session management          |
 | `agent`    | Remote agent creation and management           |
+| `proxmox`  | Proxmox API management and monitoring          |
 
 ## Architecture
 
@@ -77,15 +78,16 @@ API listening address is configured with `GODOXY_API_ADDR` environment variable.
 
 ### Internal Dependencies
 
-| Package                 | Purpose                     |
-| ----------------------- | --------------------------- |
-| `internal/route/routes` | Route storage and iteration |
-| `internal/docker`       | Docker client management    |
-| `internal/config`       | Configuration access        |
-| `internal/metrics`      | System metrics collection   |
-| `internal/homepage`     | Homepage item generation    |
-| `internal/agentpool`    | Remote agent management     |
-| `internal/auth`         | Authentication services     |
+| Package                 | Purpose                               |
+| ----------------------- | ------------------------------------- |
+| `internal/route/routes` | Route storage and iteration           |
+| `internal/docker`       | Docker client management              |
+| `internal/config`       | Configuration access                  |
+| `internal/metrics`      | System metrics collection             |
+| `internal/homepage`     | Homepage item generation              |
+| `internal/agentpool`    | Remote agent management               |
+| `internal/auth`         | Authentication services               |
+| `internal/proxmox`      | Proxmox API management and monitoring |
 
 ### External Dependencies
 

internal/api/v1/agent/verify.go

@@ -1,6 +1,7 @@
 package agentapi
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"os"
@@ -36,6 +37,9 @@ type VerifyNewAgentRequest struct {
 // @Failure		500		{object}	ErrorResponse
 // @Router			/agent/verify [post]
 func Verify(c *gin.Context) {
+	// avoid timeout waiting for response headers
+	c.Status(http.StatusContinue)
+
 	var request VerifyNewAgentRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
@@ -60,7 +64,7 @@ func Verify(c *gin.Context) {
 		return
 	}
 
-	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
+	nRoutesAdded, err := verifyNewAgent(c.Request.Context(), request.Host, ca, client, request.ContainerRuntime)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
@@ -82,7 +86,7 @@ func Verify(c *gin.Context) {
 
 var errAgentAlreadyExists = gperr.New("agent already exists")
 
-func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+func verifyNewAgent(ctx context.Context, host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
 	var agentCfg agent.AgentConfig
 	agentCfg.Addr = host
 	agentCfg.Runtime = containerRuntime
@@ -99,7 +103,7 @@ func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, contain
 		return 0, errAgentAlreadyExists
 	}
 
-	err := agentCfg.InitWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
+	err := agentCfg.InitWithCerts(ctx, ca.Cert, client.Cert, client.Key)
 	if err != nil {
 		return 0, gperr.Wrap(err, "failed to initialize agent config")
 	}

internal/api/v1/docker/logs.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strconv"
 
 	"github.com/gin-gonic/gin"
 	"github.com/moby/moby/api/pkg/stdcopy"
@@ -22,6 +23,7 @@ type LogsQueryParams struct {
 	Since  string `form:"from"`
 	Until  string `form:"to"`
 	Levels string `form:"levels"`
+	Limit  int    `form:"limit,default=100" binding:"min=1,max=1000"`
 } //	@name	LogsQueryParams
 
 // @x-id				"logs"
@@ -34,9 +36,10 @@ type LogsQueryParams struct {
 // @Param			id	path	string	true	"container id"
 // @Param			stdout		query	bool	false	"show stdout"
 // @Param			stderr		query	bool	false	"show stderr"
-// @Param			from		query	string	false	"from timestamp"
-// @Param			to			query	string	false	"to timestamp"
+// @Param			from		  query	string	false	"from timestamp"
+// @Param			to			  query	string	false	"to timestamp"
 // @Param			levels		query	string	false	"levels"
+// @Param			limit		  query	int	false	"limit"
 // @Success		200
 // @Failure		400	{object}	apitypes.ErrorResponse
 // @Failure		403	{object}	apitypes.ErrorResponse
@@ -77,7 +80,7 @@ func Logs(c *gin.Context) {
 		Until:      queryParams.Until,
 		Timestamps: true,
 		Follow:     true,
-		Tail:       "100",
+		Tail:       strconv.Itoa(queryParams.Limit),
 	}
 	if queryParams.Levels != "" {
 		opts.Details = true

internal/api/v1/docker/stats.go

@@ -0,0 +1,117 @@
+package dockerapi
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	"github.com/yusing/godoxy/internal/types"
+	apitypes "github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+	"github.com/yusing/goutils/synk"
+	"github.com/yusing/goutils/task"
+)
+
+type ContainerStatsResponse container.StatsResponse // @name ContainerStatsResponse
+
+// @x-id				"stats"
+// @BasePath		/api/v1
+// @Summary		Get container stats
+// @Description	Get container stats by container id
+// @Tags			docker,websocket
+// @Produce		json
+// @Param			id	path		string	true	"Container ID or route alias"
+// @Success		200	{object}	ContainerStatsResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request: id is required or route is not a docker container"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/stats/{id} [get]
+func Stats(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("id is required"))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(id)
+	if !ok {
+		var route types.Route
+		route, ok = entrypoint.FromCtx(c.Request.Context()).GetRoute(id)
+		if ok {
+			cont := route.ContainerInfo()
+			if cont == nil {
+				c.JSON(http.StatusBadRequest, apitypes.Error("route is not a docker container"))
+				return
+			}
+			dockerCfg = cont.DockerCfg
+			id = cont.ContainerID
+		}
+	}
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container or route not found"))
+		return
+	}
+
+	dockerClient, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+	defer dockerClient.Close()
+
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		stats, err := dockerClient.ContainerStats(c.Request.Context(), id, client.ContainerStatsOptions{Stream: true})
+		if err != nil {
+			c.Error(apitypes.InternalServerError(err, "failed to get container stats"))
+			return
+		}
+		defer stats.Body.Close()
+
+		manager, err := websocket.NewManagerWithUpgrade(c)
+		if err != nil {
+			c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+			return
+		}
+		defer manager.Close()
+
+		buf := synk.GetSizedBytesPool().GetSized(4096)
+		defer synk.GetSizedBytesPool().Put(buf)
+
+		for {
+			select {
+			case <-manager.Done():
+				return
+			default:
+				_, err = io.CopyBuffer(manager.NewWriter(websocket.TextMessage), stats.Body, buf)
+				if err != nil {
+					if errors.Is(err, context.Canceled) || errors.Is(err, task.ErrProgramExiting) {
+						return
+					}
+					c.Error(apitypes.InternalServerError(err, "failed to copy container stats"))
+					return
+				}
+			}
+		}
+	}
+
+	stats, err := dockerClient.ContainerStats(c.Request.Context(), id, client.ContainerStatsOptions{Stream: false})
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get container stats"))
+		return
+	}
+	defer stats.Body.Close()
+
+	_, err = io.Copy(c.Writer, stats.Body)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to copy container stats"))
+		return
+	}
+}

internal/api/v1/favicon.go

@@ -5,9 +5,9 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/homepage/icons"
 	iconfetch "github.com/yusing/godoxy/internal/homepage/icons/fetch"
-	"github.com/yusing/godoxy/internal/route/routes"
 	apitypes "github.com/yusing/goutils/apitypes"
 
 	_ "unsafe"
@@ -73,7 +73,11 @@ func FavIcon(c *gin.Context) {
 //go:linkname GetFavIconFromAlias v1.GetFavIconFromAlias
 func GetFavIconFromAlias(ctx context.Context, alias string, variant icons.Variant) (iconfetch.Result, error) {
 	// try with route.Icon
-	r, ok := routes.HTTP.Get(alias)
+	ep := entrypoint.FromCtx(ctx)
+	if ep == nil { // impossible, but just in case
+		return iconfetch.FetchResultWithErrorf(http.StatusInternalServerError, "entrypoint not initialized")
+	}
+	r, ok := ep.HTTPRoutes().Get(alias)
 	if !ok {
 		return iconfetch.FetchResultWithErrorf(http.StatusNotFound, "route not found")
 	}

internal/api/v1/file/validate.go

@@ -20,7 +20,7 @@ type ValidateFileRequest struct {
 // @Summary		Validate file
 // @Description	Validate file
 // @Tags			file
-// @Accept			text/plain
+// @Accept		application/yaml
 // @Produce		json
 // @Param			type	query		FileType	true	"Type"
 // @Param			file	body		string		true	"File content"
@@ -29,7 +29,7 @@ type ValidateFileRequest struct {
 // @Failure		403		{object}	apitypes.ErrorResponse "Forbidden"
 // @Failure		417		{object}	any "Validation failed"
 // @Failure		500		{object}	apitypes.ErrorResponse "Internal server error"
-// @Router			/file/validate [post]
+// @Router		/file/validate [post]
 func Validate(c *gin.Context) {
 	var request ValidateFileRequest
 	if err := c.ShouldBindQuery(&request); err != nil {

internal/api/v1/health.go

@@ -5,11 +5,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/godoxy/internal/route/routes"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	apitypes "github.com/yusing/goutils/apitypes"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
-
-	_ "github.com/yusing/goutils/apitypes"
 )
 
 // @x-id				"health"
@@ -24,11 +23,16 @@ import (
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/health [get]
 func Health(c *gin.Context) {
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
 	if httpheaders.IsWebsocket(c.Request.Header) {
 		websocket.PeriodicWrite(c, 1*time.Second, func() (any, error) {
-			return routes.GetHealthInfoSimple(), nil
+			return ep.GetHealthInfoSimple(), nil
 		})
 	} else {
-		c.JSON(http.StatusOK, routes.GetHealthInfoSimple())
+		c.JSON(http.StatusOK, ep.GetHealthInfoSimple())
 	}
 }

internal/api/v1/homepage/categories.go

@@ -4,10 +4,11 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/homepage"
-	"github.com/yusing/godoxy/internal/route/routes"
 
 	_ "github.com/yusing/goutils/apitypes"
+	apitypes "github.com/yusing/goutils/apitypes"
 )
 
 // @x-id				"categories"
@@ -21,15 +22,20 @@ import (
 // @Failure		403	{object}	apitypes.ErrorResponse
 // @Router			/homepage/categories [get]
 func Categories(c *gin.Context) {
-	c.JSON(http.StatusOK, HomepageCategories())
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
+	c.JSON(http.StatusOK, HomepageCategories(ep))
 }
 
-func HomepageCategories() []string {
+func HomepageCategories(ep entrypoint.Entrypoint) []string {
 	check := make(map[string]struct{})
 	categories := make([]string, 0)
 	categories = append(categories, homepage.CategoryAll)
 	categories = append(categories, homepage.CategoryFavorites)
-	for _, r := range routes.HTTP.Iter {
+	for _, r := range ep.HTTPRoutes().Iter {
 		item := r.HomepageItem()
 		if item.Category == "" {
 			continue

internal/api/v1/homepage/items.go

@@ -10,8 +10,8 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/lithammer/fuzzysearch/fuzzy"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/homepage"
-	"github.com/yusing/godoxy/internal/route/routes"
 	apitypes "github.com/yusing/goutils/apitypes"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
@@ -53,29 +53,30 @@ func Items(c *gin.Context) {
 		hostname = host
 	}
 
+	ep := entrypoint.FromCtx(c.Request.Context())
 	if httpheaders.IsWebsocket(c.Request.Header) {
 		websocket.PeriodicWrite(c, 2*time.Second, func() (any, error) {
-			return HomepageItems(proto, hostname, &request), nil
+			return HomepageItems(ep, proto, hostname, &request), nil
 		})
 	} else {
-		c.JSON(http.StatusOK, HomepageItems(proto, hostname, &request))
+		c.JSON(http.StatusOK, HomepageItems(ep, proto, hostname, &request))
 	}
 }
 
-func HomepageItems(proto, hostname string, request *HomepageItemsRequest) homepage.Homepage {
+func HomepageItems(ep entrypoint.Entrypoint, proto, hostname string, request *HomepageItemsRequest) homepage.Homepage {
 	switch proto {
 	case "http", "https":
 	default:
 		proto = "http"
 	}
 
-	hp := homepage.NewHomepageMap(routes.HTTP.Size())
+	hp := homepage.NewHomepageMap(ep.HTTPRoutes().Size())
 
 	if strings.Count(hostname, ".") > 1 {
 		_, hostname, _ = strings.Cut(hostname, ".") // remove the subdomain
 	}
 
-	for _, r := range routes.HTTP.Iter {
+	for _, r := range ep.HTTPRoutes().Iter {
 		if request.Provider != "" && r.ProviderName() != request.Provider {
 			continue
 		}

internal/api/v1/proxmox/common.go

@@ -0,0 +1,6 @@
+package proxmoxapi
+
+type ActionRequest struct {
+	Node string `uri:"node" binding:"required"`
+	VMID int    `uri:"vmid" binding:"required"`
+} //	@name	ProxmoxVMActionRequest

internal/api/v1/proxmox/journalctl.go

@@ -0,0 +1,85 @@
+package proxmoxapi
+
+import (
+	"errors"
+	"io"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	"github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+// e.g. ws://localhost:8889/api/v1/proxmox/journalctl?node=pve&vmid=127&service=pveproxy&service=pvedaemon&limit=10
+// e.g. ws://localhost:8889/api/v1/proxmox/journalctl/pve/127?service=pveproxy&service=pvedaemon&limit=10
+
+type JournalctlRequest struct {
+	Node     string   `form:"node" uri:"node" binding:"required"`                       // Node name
+	VMID     *int     `form:"vmid" uri:"vmid"`                                          // Container VMID (optional - if not provided, streams node journalctl)
+	Services []string `form:"service" uri:"service"`                                    // Service names
+	Limit    *int     `form:"limit" uri:"limit" default:"100" binding:"min=1,max=1000"` // Limit output lines (1-1000)
+} //	@name	ProxmoxJournalctlRequest
+
+// @x-id				"journalctl"
+// @BasePath		/api/v1
+// @Summary		Get journalctl output
+// @Description	Get journalctl output for node or LXC container. If vmid is not provided, streams node journalctl.
+// @Tags			proxmox,websocket
+// @Accept		json
+// @Produce		application/json
+// @Param			query		query		JournalctlRequest	true	"Request"
+// @Param			path		path		JournalctlRequest	true	"Request"
+// @Success		200			string	plain	  "Journalctl output"
+// @Failure		400			{object}	apitypes.ErrorResponse	"Invalid request"
+// @Failure		403			{object}	apitypes.ErrorResponse	"Unauthorized"
+// @Failure		404			{object}	apitypes.ErrorResponse	"Node not found"
+// @Failure		500			{object}	apitypes.ErrorResponse	"Internal server error"
+// @Router		/proxmox/journalctl [get]
+// @Router		/proxmox/journalctl/{node} [get]
+// @Router		/proxmox/journalctl/{node}/{vmid} [get]
+// @Router		/proxmox/journalctl/{node}/{vmid}/{service} [get]
+func Journalctl(c *gin.Context) {
+	var request JournalctlRequest
+	uriErr := c.ShouldBindUri(&request)
+	queryErr := c.ShouldBindQuery(&request)
+	if uriErr != nil && queryErr != nil { // allow both uri and query parameters to be set
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", errors.Join(uriErr, queryErr)))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(request.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	c.Status(http.StatusContinue)
+
+	var reader io.ReadCloser
+	var err error
+	if request.VMID == nil {
+		reader, err = node.NodeJournalctl(c.Request.Context(), request.Services, *request.Limit)
+	} else {
+		reader, err = node.LXCJournalctl(c.Request.Context(), *request.VMID, request.Services, *request.Limit)
+	}
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get journalctl output"))
+		return
+	}
+	defer reader.Close()
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+	_, err = io.Copy(writer, reader)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to copy journalctl output"))
+		return
+	}
+}

internal/api/v1/proxmox/restart.go

@@ -0,0 +1,42 @@
+package proxmoxapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"lxcRestart"
+// @BasePath		/api/v1
+// @Summary		Restart LXC container
+// @Description	Restart LXC container by node and vmid
+// @Tags			proxmox
+// @Produce		json
+// @Param			path		path		ActionRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		404	{object}	apitypes.ErrorResponse "Node not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router		/proxmox/lxc/:node/:vmid/restart [post]
+func Restart(c *gin.Context) {
+	var req ActionRequest
+	if err := c.ShouldBindUri(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(req.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	if err := node.LXCAction(c.Request.Context(), req.VMID, proxmox.LXCReboot); err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to restart container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container restarted"))
+}

internal/api/v1/proxmox/start.go

@@ -0,0 +1,42 @@
+package proxmoxapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"lxcStart"
+// @BasePath		/api/v1
+// @Summary		Start LXC container
+// @Description	Start LXC container by node and vmid
+// @Tags			proxmox
+// @Produce		json
+// @Param			path		path		ActionRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		404	{object}	apitypes.ErrorResponse "Node not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router		/proxmox/lxc/:node/:vmid/start [post]
+func Start(c *gin.Context) {
+	var req ActionRequest
+	if err := c.ShouldBindUri(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(req.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	if err := node.LXCAction(c.Request.Context(), req.VMID, proxmox.LXCStart); err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to start container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container started"))
+}

internal/api/v1/proxmox/stats.go

@@ -0,0 +1,139 @@
+package proxmoxapi
+
+import (
+	"io"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	"github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+type StatsRequest struct {
+	Node string `uri:"node" binding:"required"`
+	VMID int    `uri:"vmid" binding:"required"`
+}
+
+// @x-id			"nodeStats"
+// @BasePath	/api/v1
+// @Summary		Get proxmox node stats
+// @Description	Get proxmox node stats in json
+// @Tags			proxmox,websocket
+// @Produce		application/json
+// @Param			node		path	  	string	true	"Node name"
+// @Success		200			{object}	proxmox.NodeStats	      "Stats output"
+// @Failure		400			{object}	apitypes.ErrorResponse	"Invalid request"
+// @Failure		403			{object}	apitypes.ErrorResponse	"Unauthorized"
+// @Failure		404			{object}	apitypes.ErrorResponse	"Node not found"
+// @Failure		500			{object}	apitypes.ErrorResponse	"Internal server error"
+// @Router		/proxmox/stats/{node} [get]
+func NodeStats(c *gin.Context) {
+	nodeName := c.Param("node")
+	if nodeName == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("node name is required"))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(nodeName)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	isWs := httpheaders.IsWebsocket(c.Request.Header)
+
+	reader, err := node.NodeStats(c.Request.Context(), isWs)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get stats"))
+		return
+	}
+	defer reader.Close()
+
+	if !isWs {
+		var line [512]byte
+		n, err := reader.Read(line[:])
+		if err != nil {
+			c.Error(apitypes.InternalServerError(err, "failed to copy stats"))
+			return
+		}
+		c.Data(http.StatusOK, "application/json", line[:n])
+		return
+	}
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+	_, err = io.Copy(writer, reader)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to copy stats"))
+		return
+	}
+}
+
+// @x-id			"vmStats"
+// @BasePath	/api/v1
+// @Summary		Get proxmox VM stats
+// @Description	Get proxmox VM stats in format of "STATUS|CPU%%|MEM USAGE/LIMIT|MEM%%|NET I/O|BLOCK I/O"
+// @Tags			proxmox,websocket
+// @Produce		text/plain
+// @Param			path		path		StatsRequest	true	"Request"
+// @Success		200			string		plain	"Stats output"
+// @Failure		400			{object}	apitypes.ErrorResponse	"Invalid request"
+// @Failure		403			{object}	apitypes.ErrorResponse	"Unauthorized"
+// @Failure		404			{object}	apitypes.ErrorResponse	"Node not found"
+// @Failure		500			{object}	apitypes.ErrorResponse	"Internal server error"
+// @Router		/proxmox/stats/{node}/{vmid} [get]
+func VMStats(c *gin.Context) {
+	var request StatsRequest
+	if err := c.ShouldBindUri(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(request.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	isWs := httpheaders.IsWebsocket(c.Request.Header)
+
+	reader, err := node.LXCStats(c.Request.Context(), request.VMID, isWs)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get stats"))
+		return
+	}
+	defer reader.Close()
+
+	if !isWs {
+		var line [128]byte
+		n, err := reader.Read(line[:])
+		if err != nil {
+			c.Error(apitypes.InternalServerError(err, "failed to copy stats"))
+			return
+		}
+		c.Data(http.StatusOK, "text/plain; charset=utf-8", line[:n])
+		return
+	}
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+	_, err = io.Copy(writer, reader)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to copy stats"))
+		return
+	}
+}

internal/api/v1/proxmox/stop.go

@@ -0,0 +1,42 @@
+package proxmoxapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"lxcStop"
+// @BasePath		/api/v1
+// @Summary		Stop LXC container
+// @Description	Stop LXC container by node and vmid
+// @Tags			proxmox
+// @Produce		json
+// @Param			path		path		ActionRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		404	{object}	apitypes.ErrorResponse "Node not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router		/proxmox/lxc/:node/:vmid/stop [post]
+func Stop(c *gin.Context) {
+	var req ActionRequest
+	if err := c.ShouldBindUri(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(req.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	if err := node.LXCAction(c.Request.Context(), req.VMID, proxmox.LXCShutdown); err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to stop container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container stopped"))
+}

internal/api/v1/proxmox/tail.go

@@ -0,0 +1,77 @@
+package proxmoxapi
+
+import (
+	"io"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/proxmox"
+	"github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+// e.g. ws://localhost:8889/api/v1/proxmox/tail?node=pve&vmid=127&file=/var/log/immich/web.log&file=/var/log/immich/ml.log&limit=10
+
+type TailRequest struct {
+	Node  string   `form:"node" binding:"required"`                      // Node name
+	VMID  *int     `form:"vmid"`                                         // Container VMID (optional - if not provided, streams node journalctl)
+	Files []string `form:"file" binding:"required,dive,filepath"`        // File paths
+	Limit int      `form:"limit" default:"100" binding:"min=1,max=1000"` // Limit output lines (1-1000)
+} //	@name	ProxmoxTailRequest
+
+// @x-id				"tail"
+// @BasePath		/api/v1
+// @Summary		Get tail output
+// @Description	Get tail output for node or LXC container. If vmid is not provided, streams node tail.
+// @Tags			proxmox,websocket
+// @Accept		json
+// @Produce		application/json
+// @Param			query		query		TailRequest	true	"Request"
+// @Success		200			string	plain	  "Tail output"
+// @Failure		400			{object}	apitypes.ErrorResponse	"Invalid request"
+// @Failure		403			{object}	apitypes.ErrorResponse	"Unauthorized"
+// @Failure		404			{object}	apitypes.ErrorResponse	"Node not found"
+// @Failure		500			{object}	apitypes.ErrorResponse	"Internal server error"
+// @Router		/proxmox/tail [get]
+func Tail(c *gin.Context) {
+	var request TailRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	node, ok := proxmox.Nodes.Get(request.Node)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("node not found"))
+		return
+	}
+
+	c.Status(http.StatusContinue)
+
+	var reader io.ReadCloser
+	var err error
+	if request.VMID == nil {
+		reader, err = node.NodeTail(c.Request.Context(), request.Files, request.Limit)
+	} else {
+		reader, err = node.LXCTail(c.Request.Context(), *request.VMID, request.Files, request.Limit)
+	}
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get journalctl output"))
+		return
+	}
+	defer reader.Close()
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+	_, err = io.Copy(writer, reader)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to copy journalctl output"))
+		return
+	}
+}

internal/api/v1/reload.go

@@ -1,28 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/yusing/godoxy/internal/config"
-	apitypes "github.com/yusing/goutils/apitypes"
-)
-
-// @x-id				"reload"
-// @BasePath		/api/v1
-// @Summary		Reload config
-// @Description	Reload config
-// @Tags			v1
-// @Accept			json
-// @Produce		json
-// @Success		200	{object}	apitypes.SuccessResponse
-// @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/reload [post]
-func Reload(c *gin.Context) {
-	if err := config.Reload(); err != nil {
-		c.Error(apitypes.InternalServerError(err, "failed to reload config"))
-		return
-	}
-	c.JSON(http.StatusOK, apitypes.Success("config reloaded"))
-}

internal/api/v1/route/by_provider.go

@@ -4,10 +4,11 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 
 	_ "github.com/yusing/goutils/apitypes"
+	apitypes "github.com/yusing/goutils/apitypes"
 )
 
 type RoutesByProvider map[string][]route.Route
@@ -24,5 +25,10 @@ type RoutesByProvider map[string][]route.Route
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/route/by_provider [get]
 func ByProvider(c *gin.Context) {
-	c.JSON(http.StatusOK, routes.ByProvider())
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
+	c.JSON(http.StatusOK, ep.RoutesByProvider())
 }

internal/api/v1/route/route.go

@@ -4,8 +4,7 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
-	statequery "github.com/yusing/godoxy/internal/config/query"
-	"github.com/yusing/godoxy/internal/route/routes"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	apitypes "github.com/yusing/goutils/apitypes"
 )
 
@@ -33,17 +32,16 @@ func Route(c *gin.Context) {
 		return
 	}
 
-	route, ok := routes.Get(request.Which)
+	ep := entrypoint.FromCtx(c.Request.Context())
+	if ep == nil { // impossible, but just in case
+		c.JSON(http.StatusInternalServerError, apitypes.Error("entrypoint not initialized"))
+		return
+	}
+
+	route, ok := ep.GetRoute(request.Which)
 	if ok {
 		c.JSON(http.StatusOK, route)
 		return
 	}
-
-	// also search for excluded routes
-	route = statequery.SearchRoute(request.Which)
-	if route != nil {
-		c.JSON(http.StatusOK, route)
-		return
-	}
-	c.JSON(http.StatusNotFound, nil)
+	c.JSON(http.StatusNotFound, apitypes.Error("route not found"))
 }

internal/api/v1/route/routes.go

@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/goutils/http/httpheaders"
 	"github.com/yusing/goutils/http/websocket"
@@ -32,14 +32,16 @@ func Routes(c *gin.Context) {
 		return
 	}
 
+	ep := entrypoint.FromCtx(c.Request.Context())
+
 	provider := c.Query("provider")
 	if provider == "" {
-		c.JSON(http.StatusOK, slices.Collect(routes.IterAll))
+		c.JSON(http.StatusOK, slices.Collect(ep.IterRoutes))
 		return
 	}
 
-	rts := make([]types.Route, 0, routes.NumAllRoutes())
-	for r := range routes.IterAll {
+	rts := make([]types.Route, 0, ep.NumRoutes())
+	for r := range ep.IterRoutes {
 		if r.ProviderName() == provider {
 			rts = append(rts, r)
 		}
@@ -48,17 +50,19 @@ func Routes(c *gin.Context) {
 }
 
 func RoutesWS(c *gin.Context) {
+	ep := entrypoint.FromCtx(c.Request.Context())
+
 	provider := c.Query("provider")
 	if provider == "" {
 		websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
-			return slices.Collect(routes.IterAll), nil
+			return slices.Collect(ep.IterRoutes), nil
 		})
 		return
 	}
 
 	websocket.PeriodicWrite(c, 3*time.Second, func() (any, error) {
-		rts := make([]types.Route, 0, routes.NumAllRoutes())
-		for r := range routes.IterAll {
+		rts := make([]types.Route, 0, ep.NumRoutes())
+		for r := range ep.IterRoutes {
 			if r.ProviderName() == provider {
 				rts = append(rts, r)
 			}

internal/api/v1/route/validate.go

@@ -0,0 +1,69 @@
+package routeApi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/goccy/go-yaml"
+	"github.com/yusing/godoxy/internal/route"
+	"github.com/yusing/godoxy/internal/serialization"
+	apitypes "github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+type _ = route.Route
+
+// @x-id			"validate"
+// @BasePath	/api/v1
+// @Summary		Validate route
+// @Description	Validate route,
+// @Tags			route,websocket
+// @Accept		application/yaml
+// @Produce		json
+// @Param			route body route.Route true "Route"
+// @Success		200		{object}	apitypes.SuccessResponse "Route validated"
+// @Failure		400		{object}	apitypes.ErrorResponse "Bad request"
+// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden"
+// @Failure		417		{object}	any "Validation failed"
+// @Failure		500		{object}	apitypes.ErrorResponse "Internal server error"
+// @Router		/route/validate [get]
+// @Router		/route/validate [post]
+func Validate(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		ValidateWS(c)
+		return
+	}
+	var request route.Route
+	if err := c.ShouldBindWith(&request, serialization.GinYAMLBinding{}); err != nil {
+		c.JSON(http.StatusExpectationFailed, err)
+		return
+	}
+	c.JSON(http.StatusOK, apitypes.Success("route validated"))
+}
+
+func ValidateWS(c *gin.Context) {
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	const writeTimeout = 5 * time.Second
+
+	for {
+		select {
+		case <-manager.Done():
+			return
+		case msg := <-manager.ReadCh():
+			var request route.Route
+			if err := serialization.UnmarshalValidate(msg, &request, yaml.Unmarshal); err != nil {
+				manager.WriteJSON(gin.H{"error": err}, writeTimeout)
+				continue
+			}
+			manager.WriteJSON(gin.H{"message": "route validated"}, writeTimeout)
+		}
+	}
+}

internal/autocert/config.go

@@ -4,10 +4,13 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"fmt"
 	"net/http"
 	"os"
+	"path/filepath"
 	"regexp"
 
 	"github.com/go-acme/lego/v4/certcrypto"
@@ -27,7 +30,7 @@ type Config struct {
 	CertPath    string                       `json:"cert_path,omitempty"`
 	KeyPath     string                       `json:"key_path,omitempty"`
 	Extra       []ConfigExtra                `json:"extra,omitempty"`
-	ACMEKeyPath string                       `json:"acme_key_path,omitempty"` // shared by all extra providers
+	ACMEKeyPath string                       `json:"acme_key_path,omitempty"` // shared by all extra providers with the same CA directory URL
 	Provider    string                       `json:"provider,omitempty"`
 	Options     map[string]strutils.Redacted `json:"options,omitempty"`
 
@@ -88,7 +91,7 @@ func (cfg *Config) validate(seenPaths map[string]int) gperr.Error {
 		cfg.KeyPath = KeyFileDefault
 	}
 	if cfg.ACMEKeyPath == "" {
-		cfg.ACMEKeyPath = ACMEKeyFileDefault
+		cfg.ACMEKeyPath = acmeKeyPath(cfg.CADirURL)
 	}
 
 	b := gperr.NewBuilder("certificate error")
@@ -272,3 +275,16 @@ func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
 	}
 	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
 }
+
+// acmeKeyPath returns the path to the ACME key file based on the CA directory URL.
+// Different CA directory URLs will use different key files to avoid key conflicts.
+func acmeKeyPath(caDirURL string) string {
+	// Use a hash of the CA directory URL to create a unique key filename
+	// Default to "acme" if no custom CA is configured (Let's Encrypt default)
+	filename := "acme"
+	if caDirURL != "" {
+		hash := sha256.Sum256([]byte(caDirURL))
+		filename = "acme_" + hex.EncodeToString(hash[:])[:16]
+	}
+	return filepath.Join(certBasePath, filename+".key")
+}

internal/autocert/config_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/godoxy/internal/autocert"
 	"github.com/yusing/godoxy/internal/dnsproviders"
@@ -25,9 +26,9 @@ func TestEABConfigRequired(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			yaml := fmt.Appendf(nil, "eab_kid: %s\neab_hmac: %s", test.cfg.EABKid, test.cfg.EABHmac)
+			yamlCfg := fmt.Appendf(nil, "eab_kid: %s\neab_hmac: %s", test.cfg.EABKid, test.cfg.EABHmac)
 			cfg := autocert.Config{}
-			err := serialization.UnmarshalValidateYAML(yaml, &cfg)
+			err := serialization.UnmarshalValidate(yamlCfg, &cfg, yaml.Unmarshal)
 			if (err != nil) != test.wantErr {
 				t.Errorf("Validate() error = %v, wantErr %v", err, test.wantErr)
 			}

internal/autocert/paths.go

@@ -1,8 +1,7 @@
 package autocert
 
 const (
-	certBasePath       = "certs/"
-	CertFileDefault    = certBasePath + "cert.crt"
-	KeyFileDefault     = certBasePath + "priv.key"
-	ACMEKeyFileDefault = certBasePath + "acme.key"
+	certBasePath    = "certs/"
+	CertFileDefault = certBasePath + "cert.crt"
+	KeyFileDefault  = certBasePath + "priv.key"
 )

internal/autocert/provider.go

@@ -222,13 +222,14 @@ func (p *Provider) ObtainCertIfNotExistsAll() error {
 		})
 	}
 
+	err := errs.Wait().Error()
 	p.rebuildSNIMatcher()
-	return errs.Wait().Error()
+	return err
 }
 
 // obtainCertIfNotExists obtains a new certificate for this provider if it does not exist.
 func (p *Provider) obtainCertIfNotExists() error {
-	err := p.LoadCert()
+	err := p.loadCert()
 	if err == nil {
 		return nil
 	}
@@ -261,7 +262,10 @@ func (p *Provider) ObtainCertAll() error {
 			return nil
 		})
 	}
-	return errs.Wait().Error()
+
+	err := errs.Wait().Error()
+	p.rebuildSNIMatcher()
+	return err
 }
 
 // ObtainCert renews existing certificate or obtains a new certificate for this provider.
@@ -346,29 +350,32 @@ func (p *Provider) ObtainCert() error {
 	return nil
 }
 
-func (p *Provider) LoadCert() error {
+func (p *Provider) LoadCertAll() error {
 	var errs gperr.Builder
+	for _, provider := range p.allProviders() {
+		if err := provider.loadCert(); err != nil {
+			errs.Add(provider.fmtError(err))
+		}
+	}
+	p.rebuildSNIMatcher()
+	return errs.Error()
+}
+
+func (p *Provider) loadCert() error {
 	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
 	if err != nil {
-		errs.Addf("load SSL certificate: %w", p.fmtError(err))
+		return err
 	}
 
 	expiries, err := getCertExpiries(&cert)
 	if err != nil {
-		errs.Addf("parse SSL certificate: %w", p.fmtError(err))
+		return err
 	}
 
 	p.tlsCert = &cert
 	p.certExpiries = expiries
 
-	for _, ep := range p.extraProviders {
-		if err := ep.LoadCert(); err != nil {
-			errs.Add(err)
-		}
-	}
-
-	p.rebuildSNIMatcher()
-	return errs.Error()
+	return nil
 }
 
 // PrintCertExpiriesAll prints the certificate expiries for this provider and all extra providers.

internal/autocert/provider_test/multi_cert_test.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/godoxy/internal/autocert"
 	"github.com/yusing/godoxy/internal/serialization"
@@ -41,7 +42,7 @@ func TestMultipleCertificatesLifecycle(t *testing.T) {
 	cfg.HTTPClient = acmeServer.httpClient()
 
 	/* unmarshal yaml config with multiple certs */
-	err := error(serialization.UnmarshalValidateYAML(yamlConfig, &cfg))
+	err := error(serialization.UnmarshalValidate(yamlConfig, &cfg, yaml.Unmarshal))
 	require.NoError(t, err)
 	require.Equal(t, []string{"main.example.com"}, cfg.Domains)
 	require.Len(t, cfg.Extra, 2)

internal/autocert/provider_test/sni_test.go

@@ -81,7 +81,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "a.internal.example.com"})
@@ -113,7 +113,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})
@@ -145,7 +145,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "unknown.domain.com"})
@@ -171,7 +171,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(nil)
@@ -197,7 +197,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: ""})
@@ -229,7 +229,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "FOO.EXAMPLE.COM"})
@@ -261,7 +261,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "  foo.example.com.  "})
@@ -293,7 +293,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.a.example.com"})
@@ -319,7 +319,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "bar.example.com"})
@@ -355,7 +355,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.test.com"})
@@ -392,7 +392,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
 
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 
 		cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})

internal/autocert/setup_test.go

@@ -3,6 +3,7 @@ package autocert_test
 import (
 	"testing"
 
+	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/godoxy/internal/autocert"
 	"github.com/yusing/godoxy/internal/dnsproviders"
@@ -42,7 +43,7 @@ extra:
 `
 
 	var cfg autocert.Config
-	err := error(serialization.UnmarshalValidateYAML([]byte(cfgYAML), &cfg))
+	err := error(serialization.UnmarshalValidate([]byte(cfgYAML), &cfg, yaml.Unmarshal))
 	require.NoError(t, err)
 
 	// Test: extra[0] inherits all fields from main except CertPath and KeyPath.

internal/autocert/types/context.go

@@ -0,0 +1,16 @@
+package autocert
+
+import "context"
+
+type ContextKey struct{}
+
+func SetCtx(ctx interface{ SetValue(any, any) }, p Provider) {
+	ctx.SetValue(ContextKey{}, p)
+}
+
+func FromCtx(ctx context.Context) Provider {
+	if provider, ok := ctx.Value(ContextKey{}).(Provider); ok {
+		return provider
+	}
+	return nil
+}

internal/autocert/types/provider.go

@@ -7,7 +7,6 @@ import (
 )
 
 type Provider interface {
-	Setup() error
 	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
 	ScheduleRenewalAll(task.Parent)
 	ObtainCertAll() error

internal/common/env.go

@@ -13,6 +13,8 @@ var (
 	IsDebug = env.GetEnvBool("DEBUG", IsTest)
 	IsTrace = env.GetEnvBool("TRACE", false) && IsDebug
 
+	InitTimeout = env.GetEnvDuation("INIT_TIMEOUT", 1*time.Minute)
+
 	ShortLinkPrefix = env.GetEnvString("SHORTLINK_PREFIX", "go")
 
 	ProxyHTTPAddr,
@@ -30,6 +32,11 @@ var (
 	APIHTTPPort,
 	APIHTTPURL = env.GetAddrEnv("API_ADDR", "127.0.0.1:8888", "http")
 
+	LocalAPIHTTPAddr,
+	LocalAPIHTTPHost,
+	LocalAPIHTTPPort,
+	LocalAPIHTTPURL = env.GetAddrEnv("LOCAL_API_ADDR", "", "http")
+
 	APIJWTSecure   = env.GetEnvBool("API_JWT_SECURE", true)
 	APIJWTSecret   = decodeJWTKey(env.GetEnvString("API_JWT_SECRET", ""))
 	APIJWTTokenTTL = env.GetEnvDuation("API_JWT_TOKEN_TTL", 24*time.Hour)

internal/config/events.go

@@ -13,7 +13,6 @@ import (
 	"github.com/yusing/godoxy/internal/watcher"
 	"github.com/yusing/godoxy/internal/watcher/events"
 	gperr "github.com/yusing/goutils/errs"
-	"github.com/yusing/goutils/server"
 	"github.com/yusing/goutils/strings/ansi"
 	"github.com/yusing/goutils/task"
 )
@@ -60,10 +59,29 @@ func Load() error {
 	cfgWatcher = watcher.NewConfigFileWatcher(common.ConfigFileName)
 
 	initErr := state.InitFromFile(common.ConfigPath)
+	if initErr != nil {
+		// if error is critical, notify and return it without starting providers
+		var criticalErr CriticalError
+		if errors.As(initErr, &criticalErr) {
+			logNotifyError("init", criticalErr.err)
+			return criticalErr.err
+		}
+	}
+
+	// disable pool logging temporary since we already have pretty logging
+	state.Entrypoint().DisablePoolsLog(true)
+	defer func() {
+		state.Entrypoint().DisablePoolsLog(false)
+	}()
+
 	err := errors.Join(initErr, state.StartProviders())
 	if err != nil {
 		logNotifyError("init", err)
 	}
+
+	state.StartAPIServers()
+	state.StartMetrics()
+
 	SetState(state)
 
 	// flush temporary log
@@ -98,7 +116,9 @@ func Reload() gperr.Error {
 		logNotifyError("start providers", err)
 		return nil // continue
 	}
-	StartProxyServers()
+
+	newState.StartAPIServers()
+	newState.StartMetrics()
 	return nil
 }
 
@@ -132,16 +152,3 @@ func OnConfigChange(ev []events.Event) {
 		panic(err)
 	}
 }
-
-func StartProxyServers() {
-	cfg := GetState()
-	server.StartServer(cfg.Task(), server.Options{
-		Name:                 "proxy",
-		CertProvider:         cfg.AutoCertProvider(),
-		HTTPAddr:             common.ProxyHTTPAddr,
-		HTTPSAddr:            common.ProxyHTTPSAddr,
-		Handler:              cfg.EntrypointHandler(),
-		ACL:                  cfg.Value().ACL,
-		SupportProxyProtocol: cfg.Value().Entrypoint.SupportProxyProtocol,
-	})
-}

internal/config/query/README.md

@@ -54,12 +54,6 @@ Returns all route providers as a map keyed by their short name. Thread-safe acce
 func RouteProviderList() []RouteProviderListResponse
 ```
 
-Returns a list of route providers with their short and full names. Useful for API responses.
-
-```go
-func SearchRoute(alias string) types.Route
-```
-
 Searches for a route by alias across all providers. Returns `nil` if not found.
 
 ```go
@@ -179,15 +173,6 @@ for shortName, provider := range providers {
 }
 ```
 
-### Searching for a route
-
-```go
-route := statequery.SearchRoute("my-service")
-if route != nil {
-    fmt.Printf("Found route: %s\n", route.Alias())
-}
-```
-
 ### Getting system statistics
 
 ```go
@@ -213,14 +198,4 @@ func handleGetStats(w http.ResponseWriter, r *http.Request) {
     w.Header().Set("Content-Type", "application/json")
     json.NewEncoder(w).Encode(stats)
 }
-
-func handleFindRoute(w http.ResponseWriter, r *http.Request) {
-    alias := r.URL.Query().Get("alias")
-    route := statequery.SearchRoute(alias)
-    if route == nil {
-        http.NotFound(w, r)
-        return
-    }
-    json.NewEncoder(w).Encode(route)
-}
 ```

internal/config/query/query.go

@@ -30,13 +30,3 @@ func RouteProviderList() []RouteProviderListResponse {
 	}
 	return list
 }
-
-func SearchRoute(alias string) types.Route {
-	state := config.ActiveState.Load()
-	for _, p := range state.IterProviders() {
-		if r, ok := p.GetRoute(alias); ok {
-			return r
-		}
-	}
-	return nil
-}

internal/config/state.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io/fs"
 	"iter"
-	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -18,17 +17,22 @@ import (
 	"github.com/goccy/go-yaml"
 	"github.com/puzpuzpuz/xsync/v4"
 	"github.com/rs/zerolog"
-	"github.com/yusing/godoxy/internal/acl"
+	acl "github.com/yusing/godoxy/internal/acl/types"
 	"github.com/yusing/godoxy/internal/agentpool"
+	"github.com/yusing/godoxy/internal/api"
 	"github.com/yusing/godoxy/internal/autocert"
+	autocertctx "github.com/yusing/godoxy/internal/autocert/types"
+	"github.com/yusing/godoxy/internal/common"
 	config "github.com/yusing/godoxy/internal/config/types"
 	"github.com/yusing/godoxy/internal/entrypoint"
+	entrypointctx "github.com/yusing/godoxy/internal/entrypoint/types"
 	homepage "github.com/yusing/godoxy/internal/homepage/types"
 	"github.com/yusing/godoxy/internal/logging"
 	"github.com/yusing/godoxy/internal/maxmind"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	"github.com/yusing/godoxy/internal/metrics/uptime"
 	"github.com/yusing/godoxy/internal/notif"
 	route "github.com/yusing/godoxy/internal/route/provider"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/serialization"
 	"github.com/yusing/godoxy/internal/types"
 	gperr "github.com/yusing/goutils/errs"
@@ -41,7 +45,7 @@ type state struct {
 
 	providers        *xsync.Map[string, types.RouteProvider]
 	autocertProvider *autocert.Provider
-	entrypoint       entrypoint.Entrypoint
+	entrypoint       *entrypoint.Entrypoint
 
 	task *task.Task
 
@@ -51,14 +55,25 @@ type state struct {
 	tmpLog    zerolog.Logger
 }
 
+type CriticalError struct {
+	err error
+}
+
+func (e CriticalError) Error() string {
+	return e.err.Error()
+}
+
+func (e CriticalError) Unwrap() error {
+	return e.err
+}
+
 func NewState() config.State {
 	tmpLogBuf := bytes.NewBuffer(make([]byte, 0, 4096))
 	return &state{
-		providers:  xsync.NewMap[string, types.RouteProvider](),
-		entrypoint: entrypoint.NewEntrypoint(),
-		task:       task.RootTask("config", false),
-		tmpLogBuf:  tmpLogBuf,
-		tmpLog:     logging.NewLoggerWithFixedLevel(zerolog.InfoLevel, tmpLogBuf),
+		providers: xsync.NewMap[string, types.RouteProvider](),
+		task:      task.RootTask("config", false),
+		tmpLogBuf: tmpLogBuf,
+		tmpLog:    logging.NewLoggerWithFixedLevel(zerolog.InfoLevel, tmpLogBuf),
 	}
 }
 
@@ -74,8 +89,6 @@ func SetState(state config.State) {
 
 	cfg := state.Value()
 	config.ActiveState.Store(state)
-	acl.ActiveConfig.Store(cfg.ACL)
-	entrypoint.ActiveConfig.Store(&cfg.Entrypoint)
 	homepage.ActiveConfig.Store(&cfg.Homepage)
 	if autocertProvider := state.AutoCertProvider(); autocertProvider != nil {
 		autocert.ActiveProvider.Store(autocertProvider.(*autocert.Provider))
@@ -98,29 +111,31 @@ func (state *state) InitFromFile(filename string) error {
 		if errors.Is(err, fs.ErrNotExist) {
 			state.Config = config.DefaultConfig()
 		} else {
-			return err
+			return CriticalError{err}
 		}
 	}
 	return state.Init(data)
 }
 
 func (state *state) Init(data []byte) error {
-	err := serialization.UnmarshalValidateYAML(data, &state.Config)
+	err := serialization.UnmarshalValidate(data, &state.Config, yaml.Unmarshal)
 	if err != nil {
-		return err
+		return CriticalError{err}
 	}
 
 	g := gperr.NewGroup("config load error")
 	g.Go(state.initMaxMind)
 	g.Go(state.initProxmox)
-	g.Go(state.loadRouteProviders)
 	g.Go(state.initAutoCert)
 
 	errs := g.Wait()
 	// these won't benefit from running on goroutines
 	errs.Add(state.initNotification())
-	errs.Add(state.initAccessLogger())
-	errs.Add(state.initEntrypoint())
+	errs.Add(state.initACL())
+	if err := state.initEntrypoint(); err != nil {
+		errs.Add(CriticalError{err})
+	}
+	errs.Add(state.loadRouteProviders())
 	return errs.Error()
 }
 
@@ -136,8 +151,8 @@ func (state *state) Value() *config.Config {
 	return &state.Config
 }
 
-func (state *state) EntrypointHandler() http.Handler {
-	return &state.entrypoint
+func (state *state) Entrypoint() entrypointctx.Entrypoint {
+	return state.entrypoint
 }
 
 func (state *state) ShortLinkMatcher() config.ShortLinkMatcher {
@@ -192,18 +207,47 @@ func (state *state) FlushTmpLog() {
 	state.tmpLogBuf.Reset()
 }
 
-// this one is connection level access logger, different from entrypoint access logger
-func (state *state) initAccessLogger() error {
+func (state *state) StartAPIServers() {
+	// API Handler needs to start after auth is initialized.
+	server.StartServer(state.task.Subtask("api_server", false), server.Options{
+		Name:     "api",
+		HTTPAddr: common.APIHTTPAddr,
+		Handler:  api.NewHandler(true),
+	})
+
+	// Local API Handler is used for unauthenticated access.
+	if common.LocalAPIHTTPAddr != "" {
+		server.StartServer(state.task.Subtask("local_api_server", false), server.Options{
+			Name:     "local_api",
+			HTTPAddr: common.LocalAPIHTTPAddr,
+			Handler:  api.NewHandler(false),
+		})
+	}
+}
+
+func (state *state) StartMetrics() {
+	systeminfo.Poller.Start(state.task)
+	uptime.Poller.Start(state.task)
+}
+
+// initACL initializes the ACL.
+func (state *state) initACL() error {
 	if !state.ACL.Valid() {
 		return nil
 	}
-	return state.ACL.Start(state.task)
+	err := state.ACL.Start(state.task)
+	if err != nil {
+		return err
+	}
+	acl.SetCtx(state.task, state.ACL)
+	return nil
 }
 
 func (state *state) initEntrypoint() error {
 	epCfg := state.Config.Entrypoint
 	matchDomains := state.MatchDomains
 
+	state.entrypoint = entrypoint.NewEntrypoint(state.task, &epCfg)
 	state.entrypoint.SetFindRouteDomains(matchDomains)
 	state.entrypoint.SetNotFoundRules(epCfg.Rules.NotFound)
 
@@ -217,6 +261,8 @@ func (state *state) initEntrypoint() error {
 		}
 	}
 
+	entrypointctx.SetCtx(state.task, state.entrypoint)
+
 	errs := gperr.NewBuilder("entrypoint error")
 	errs.Add(state.entrypoint.SetMiddlewares(epCfg.Middlewares))
 	errs.Add(state.entrypoint.SetAccessLogger(state.task, epCfg.AccessLog))
@@ -293,6 +339,7 @@ func (state *state) initAutoCert() error {
 	p.PrintCertExpiriesAll()
 
 	state.autocertProvider = p
+	autocertctx.SetCtx(state.task, p)
 	return nil
 }
 
@@ -314,76 +361,50 @@ func (state *state) initProxmox() error {
 	return errs.Wait().Error()
 }
 
-func (state *state) storeProvider(p types.RouteProvider) {
-	state.providers.Store(p.String(), p)
-}
-
 func (state *state) loadRouteProviders() error {
-	// disable pool logging temporary since we will have pretty logging below
-	routes.HTTP.ToggleLog(false)
-	routes.Stream.ToggleLog(false)
-
-	defer func() {
-		routes.HTTP.ToggleLog(true)
-		routes.Stream.ToggleLog(true)
-	}()
-
-	providers := &state.Providers
+	providers := state.Providers
 	errs := gperr.NewGroup("route provider errors")
-	results := gperr.NewGroup("loaded route providers")
 
 	agentpool.RemoveAll()
 
-	numProviders := len(providers.Agents) + len(providers.Files) + len(providers.Docker)
-	providersCh := make(chan types.RouteProvider, numProviders)
-
-	// start providers concurrently
-	var providersConsumer sync.WaitGroup
-	providersConsumer.Go(func() {
-		for p := range providersCh {
-			if actual, loaded := state.providers.LoadOrStore(p.String(), p); loaded {
-				errs.Add(gperr.Errorf("provider %s already exists, first: %s, second: %s", p.String(), actual.GetType(), p.GetType()))
-				continue
-			}
-			state.storeProvider(p)
+	registerProvider := func(p types.RouteProvider) {
+		if actual, loaded := state.providers.LoadOrStore(p.String(), p); loaded {
+			errs.Addf("provider %s already exists, first: %s, second: %s", p.String(), actual.GetType(), p.GetType())
 		}
-	})
+	}
 
-	var providersProducer sync.WaitGroup
+	agentErrs := gperr.NewGroup("agent init errors")
 	for _, a := range providers.Agents {
-		providersProducer.Go(func() {
+		agentErrs.Go(func() error {
 			if err := a.Init(state.task.Context()); err != nil {
-				errs.Add(gperr.PrependSubject(a.String(), err))
-				return
+				return gperr.PrependSubject(a.String(), err)
 			}
 			agentpool.Add(a)
-			p := route.NewAgentProvider(a)
-			providersCh <- p
+			return nil
 		})
 	}
 
+	if err := agentErrs.Wait().Error(); err != nil {
+		errs.Add(err)
+	}
+
+	for _, a := range providers.Agents {
+		registerProvider(route.NewAgentProvider(a))
+	}
+
 	for _, filename := range providers.Files {
-		providersProducer.Go(func() {
-			p, err := route.NewFileProvider(filename)
-			if err != nil {
-				errs.Add(gperr.PrependSubject(filename, err))
-			} else {
-				providersCh <- p
-			}
-		})
+		p, err := route.NewFileProvider(filename)
+		if err != nil {
+			errs.Add(gperr.PrependSubject(filename, err))
+			return err
+		}
+		registerProvider(p)
 	}
 
 	for name, dockerCfg := range providers.Docker {
-		providersProducer.Go(func() {
-			providersCh <- route.NewDockerProvider(name, dockerCfg)
-		})
+		registerProvider(route.NewDockerProvider(name, dockerCfg))
 	}
 
-	providersProducer.Wait()
-
-	close(providersCh)
-	providersConsumer.Wait()
-
 	lenLongestName := 0
 	for k := range state.providers.Range {
 		if len(k) > lenLongestName {
@@ -392,18 +413,26 @@ func (state *state) loadRouteProviders() error {
 	}
 
 	// load routes concurrently
-	var providersLoader sync.WaitGroup
+	loadErrs := gperr.NewGroup("route load errors")
+
+	results := gperr.NewBuilder("loaded route providers")
+	resultsMu := sync.Mutex{}
 	for _, p := range state.providers.Range {
-		providersLoader.Go(func() {
+		loadErrs.Go(func() error {
 			if err := p.LoadRoutes(); err != nil {
-				errs.Add(err.Subject(p.String()))
+				return err.Subject(p.String())
 			}
+			resultsMu.Lock()
 			results.Addf("%-"+strconv.Itoa(lenLongestName)+"s %d routes", p.String(), p.NumRoutes())
+			resultsMu.Unlock()
+			return nil
 		})
 	}
-	providersLoader.Wait()
+	if err := loadErrs.Wait().Error(); err != nil {
+		errs.Add(err)
+	}
 
-	state.tmpLog.Info().Msg(results.Wait().String())
+	state.tmpLog.Info().Msg(results.String())
 	state.printRoutesByProvider(lenLongestName)
 	state.printState()
 	return errs.Wait().Error()

internal/config/types/config.go

@@ -4,10 +4,11 @@ import (
 	"regexp"
 
 	"github.com/go-playground/validator/v10"
+	"github.com/goccy/go-yaml"
 	"github.com/yusing/godoxy/agent/pkg/agent"
 	"github.com/yusing/godoxy/internal/acl"
 	"github.com/yusing/godoxy/internal/autocert"
-	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	"github.com/yusing/godoxy/internal/entrypoint"
 	homepage "github.com/yusing/godoxy/internal/homepage/types"
 	maxmind "github.com/yusing/godoxy/internal/maxmind/types"
 	"github.com/yusing/godoxy/internal/notif"
@@ -36,14 +37,14 @@ type (
 		Docker       map[string]types.DockerProviderConfig `json:"docker" yaml:"docker,omitempty" validate:"non_empty_docker_keys"`
 		Agents       []*agent.AgentConfig                  `json:"agents" yaml:"agents,omitempty"`
 		Notification []*notif.NotificationConfig           `json:"notification" yaml:"notification,omitempty"`
-		Proxmox      []proxmox.Config                      `json:"proxmox" yaml:"proxmox,omitempty"`
+		Proxmox      []*proxmox.Config                     `json:"proxmox" yaml:"proxmox,omitempty"`
 		MaxMind      *maxmind.Config                       `json:"maxmind" yaml:"maxmind,omitempty"`
 	}
 )
 
 func Validate(data []byte) gperr.Error {
 	var model Config
-	return serialization.UnmarshalValidateYAML(data, &model)
+	return serialization.UnmarshalValidate(data, &model, yaml.Unmarshal)
 }
 
 func DefaultConfig() Config {

internal/config/types/state.go

@@ -6,6 +6,7 @@ import (
 	"iter"
 	"net/http"
 
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/goutils/server"
 	"github.com/yusing/goutils/synk"
@@ -21,7 +22,7 @@ type State interface {
 
 	Value() *Config
 
-	EntrypointHandler() http.Handler
+	Entrypoint() entrypoint.Entrypoint
 	ShortLinkMatcher() ShortLinkMatcher
 	AutoCertProvider() server.CertProvider
 
@@ -32,6 +33,9 @@ type State interface {
 	StartProviders() error
 
 	FlushTmpLog()
+
+	StartAPIServers()
+	StartMetrics()
 }
 
 type ShortLinkMatcher interface {

internal/dnsproviders/go.mod

@@ -1,16 +1,16 @@
 module github.com/yusing/godoxy/internal/dnsproviders
 
-go 1.25.6
+go 1.25.7
 
 replace github.com/yusing/godoxy => ../..
 
 require (
 	github.com/go-acme/lego/v4 v4.31.0
-	github.com/yusing/godoxy v0.24.1
+	github.com/yusing/godoxy v0.25.2
 )
 
 require (
-	cloud.google.com/go/auth v0.18.0 // indirect
+	cloud.google.com/go/auth v0.18.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 // indirect
@@ -24,8 +24,8 @@ require (
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/boombuler/barcode v1.1.0 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic v1.14.2 // indirect
-	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
@@ -44,7 +44,7 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/gofrs/flock v0.13.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -61,18 +61,18 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/maxatome/go-testdeep v1.14.0 // indirect
-	github.com/miekg/dns v1.1.70 // indirect
+	github.com/miekg/dns v1.1.72 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.0 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.0 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.107.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.107.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/otp v1.5.0 // indirect
-	github.com/puzpuzpuz/xsync/v4 v4.3.0 // indirect
+	github.com/puzpuzpuz/xsync/v4 v4.4.0 // indirect
 	github.com/rs/zerolog v1.34.0 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
 	github.com/sony/gobreaker v1.0.0 // indirect
@@ -98,8 +98,8 @@ require (
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
-	google.golang.org/api v0.260.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 // indirect
+	google.golang.org/api v0.263.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect

internal/dnsproviders/go.sum

@@ -1,5 +1,5 @@
-cloud.google.com/go/auth v0.18.0 h1:wnqy5hrv7p3k7cShwAU/Br3nzod7fxoqG+k0VZ+/Pk0=
-cloud.google.com/go/auth v0.18.0/go.mod h1:wwkPM1AgE1f2u6dG443MiWoD8C3BtOywNsUMcUTVDRo=
+cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
+cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
@@ -39,10 +39,10 @@ github.com/boombuler/barcode v1.1.0 h1:ChaYjBR63fr4LFyGn8E8nt7dBSt3MiU3zMOZqFvVk
 github.com/boombuler/barcode v1.1.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
-github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
-github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
-github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
+github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -90,8 +90,8 @@ github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
 github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -142,18 +142,18 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/maxatome/go-testdeep v1.14.0 h1:rRlLv1+kI8eOI3OaBXZwb3O7xY3exRzdW5QyX48g9wI=
 github.com/maxatome/go-testdeep v1.14.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
-github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
-github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0=
 github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
 github.com/nrdcg/goinwx v0.12.0 h1:ujdUqDBnaRSFwzVnImvPHYw3w3m9XgmGImNUw1GyMb4=
 github.com/nrdcg/goinwx v0.12.0/go.mod h1:IrVKd3ZDbFiMjdPgML4CSxZAY9wOoqLvH44zv3NodJ0=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.0 h1:4MRzV6spwPHKct+4/ETqkEtr39Hq+0KvxhsgqbgQ2Bo=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.106.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.0 h1:RxraLVYX3eMUfQ1pDtJVvykEFGheky2YsrUt2HHRDcw=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.106.0/go.mod h1:JLMEKMX8IYPZ1TUSVHAVAbtnNSfP/I8OZQkAnfEMA0I=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.107.0 h1:eMzyN+jGJbxG4ut278uwIsUo9XacXc711lFjhKnaUso=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.107.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.107.0 h1:t34IpOa+8NfmjkU8bdWtYrLrmr346/FGhu8FlpJDQok=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.107.0/go.mod h1:p95/OxVsdx71I2Qrck1GtIS87sRxcTRKXzUi5nWm9NY=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/ovh/go-ovh v1.9.0 h1:6K8VoL3BYjVV3In9tPJUdT7qMx9h0GExN9EXx1r2kKE=
@@ -166,8 +166,8 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/puzpuzpuz/xsync/v4 v4.3.0 h1:w/bWkEJdYuRNYhHn5eXnIT8LzDM1O629X1I9MJSkD7Q=
-github.com/puzpuzpuz/xsync/v4 v4.3.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/puzpuzpuz/xsync/v4 v4.4.0 h1:vlSN6/CkEY0pY8KaB0yqo/pCLZvp9nhdbBdjipT4gWo=
+github.com/puzpuzpuz/xsync/v4 v4.4.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
@@ -249,14 +249,14 @@ golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
 golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.260.0 h1:XbNi5E6bOVEj/uLXQRlt6TKuEzMD7zvW/6tNwltE4P4=
-google.golang.org/api v0.260.0/go.mod h1:Shj1j0Phr/9sloYrKomICzdYgsSDImpTxME8rGLaZ/o=
+google.golang.org/api v0.263.0 h1:UFs7qn8gInIdtk1ZA6eXRXp5JDAnS4x9VRsRVCeKdbk=
+google.golang.org/api v0.263.0/go.mod h1:fAU1xtNNisHgOF5JooAs8rRaTkl2rT3uaoNGo9NS3R8=
 google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934=
 google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 h1:C4WAdL+FbjnGlpp2S+HMVhBeCq2Lcib4xZqfPNF6OoQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
 google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

internal/docker/client.go

@@ -152,7 +152,7 @@ func NewClient(cfg types.DockerProviderConfig, unique ...bool) (*SharedClient, e
 	if agent.IsDockerHostAgent(host) {
 		a, ok := agentpool.Get(host)
 		if !ok {
-			panic(fmt.Errorf("agent %q not found", host))
+			return nil, fmt.Errorf("agent %q not found", host)
 		}
 		opt = []client.Opt{
 			client.WithHost(agent.DockerHost),

internal/docker/container.go

@@ -210,23 +210,25 @@ func setPrivateHostname(c *types.Container, helper containerHelper) {
 		return
 	}
 	if c.Network != "" {
-		v, ok := helper.NetworkSettings.Networks[c.Network]
-		if ok && v.IPAddress.IsValid() {
+		v, hasNetwork := helper.NetworkSettings.Networks[c.Network]
+		if hasNetwork && v.IPAddress.IsValid() {
 			c.PrivateHostname = v.IPAddress.String()
 			return
 		}
+		var hasComposeNetwork bool
 		// try {project_name}_{network_name}
 		if proj := DockerComposeProject(c); proj != "" {
-			oldNetwork, newNetwork := c.Network, fmt.Sprintf("%s_%s", proj, c.Network)
-			if newNetwork != oldNetwork {
-				v, ok = helper.NetworkSettings.Networks[newNetwork]
-				if ok && v.IPAddress.IsValid() {
-					c.Network = newNetwork // update network to the new one
-					c.PrivateHostname = v.IPAddress.String()
-					return
-				}
+			newNetwork := fmt.Sprintf("%s_%s", proj, c.Network)
+			v, hasComposeNetwork = helper.NetworkSettings.Networks[newNetwork]
+			if hasComposeNetwork && v.IPAddress.IsValid() {
+				c.Network = newNetwork // update network to the new one
+				c.PrivateHostname = v.IPAddress.String()
+				return
 			}
 		}
+		if hasNetwork || hasComposeNetwork { // network is found, but no IP assigned yet
+			return
+		}
 		nearest := gperr.DoYouMeanField(c.Network, helper.NetworkSettings.Networks)
 		addError(c, fmt.Errorf("network %q not found, %w", c.Network, nearest))
 		return

internal/entrypoint/entrypoint.go

@@ -1,47 +1,129 @@
 package entrypoint
 
 import (
+	"net"
 	"net/http"
 	"strings"
 	"sync/atomic"
 
+	"github.com/puzpuzpuz/xsync/v4"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/godoxy/internal/common"
 	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/logging/accesslog"
 	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
-	"github.com/yusing/godoxy/internal/net/gphttp/middleware/errorpage"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/route/rules"
 	"github.com/yusing/godoxy/internal/types"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/pool"
 	"github.com/yusing/goutils/task"
 )
 
+type HTTPRoutes interface {
+	Get(alias string) (types.HTTPRoute, bool)
+}
+
+type findRouteFunc func(HTTPRoutes, string) types.HTTPRoute
+
 type Entrypoint struct {
-	middleware      *middleware.Middleware
-	notFoundHandler http.Handler
-	accessLogger    accesslog.AccessLogger
-	findRouteFunc   func(host string) types.HTTPRoute
-	shortLinkTree   *ShortLinkMatcher
+	task *task.Task
+
+	cfg *Config
+
+	middleware       *middleware.Middleware
+	notFoundHandler  http.Handler
+	accessLogger     accesslog.AccessLogger
+	findRouteFunc    findRouteFunc
+	shortLinkMatcher *ShortLinkMatcher
+
+	streamRoutes   *pool.Pool[types.StreamRoute]
+	excludedRoutes *pool.Pool[types.Route]
+
+	// this only affects future http servers creation
+	httpPoolDisableLog atomic.Bool
+
+	servers      *xsync.Map[string, *httpServer]    // listen addr -> server
+	tcpListeners *xsync.Map[string, net.Listener]   // listen addr -> listener
+	udpListeners *xsync.Map[string, net.PacketConn] // listen addr -> listener
 }
 
-// nil-safe
-var ActiveConfig atomic.Pointer[entrypoint.Config]
+var _ entrypoint.Entrypoint = &Entrypoint{}
 
-func init() {
-	// make sure it's not nil
-	ActiveConfig.Store(&entrypoint.Config{})
-}
+var emptyCfg Config
 
-func NewEntrypoint() Entrypoint {
-	return Entrypoint{
-		findRouteFunc: findRouteAnyDomain,
-		shortLinkTree: newShortLinkTree(),
+func NewEntrypoint(parent task.Parent, cfg *Config) *Entrypoint {
+	if cfg == nil {
+		cfg = &emptyCfg
 	}
+
+	ep := &Entrypoint{
+		task:             parent.Subtask("entrypoint", false),
+		cfg:              cfg,
+		findRouteFunc:    findRouteAnyDomain,
+		shortLinkMatcher: newShortLinkMatcher(),
+		streamRoutes:     pool.New[types.StreamRoute]("stream_routes"),
+		excludedRoutes:   pool.New[types.Route]("excluded_routes"),
+		servers:          xsync.NewMap[string, *httpServer](),
+		tcpListeners:     xsync.NewMap[string, net.Listener](),
+		udpListeners:     xsync.NewMap[string, net.PacketConn](),
+	}
+	ep.task.OnCancel("stop", func() {
+		// servers stop on their own when context is cancelled
+		var errs gperr.Group
+		for _, listener := range ep.tcpListeners.Range {
+			errs.Go(func() error {
+				return listener.Close()
+			})
+		}
+		for _, listener := range ep.udpListeners.Range {
+			errs.Go(func() error {
+				return listener.Close()
+			})
+		}
+		if err := errs.Wait().Error(); err != nil {
+			gperr.LogError("failed to stop entrypoint listeners", err)
+		}
+	})
+	ep.task.OnFinished("cleanup", func() {
+		ep.servers.Clear()
+		ep.tcpListeners.Clear()
+		ep.udpListeners.Clear()
+	})
+	return ep
+}
+
+func (ep *Entrypoint) SupportProxyProtocol() bool {
+	return ep.cfg.SupportProxyProtocol
+}
+
+func (ep *Entrypoint) DisablePoolsLog(v bool) {
+	ep.httpPoolDisableLog.Store(v)
+	// apply to all running http servers
+	for _, srv := range ep.servers.Range {
+		srv.routes.DisableLog(v)
+	}
+	// apply to other pools
+	ep.streamRoutes.DisableLog(v)
+	ep.excludedRoutes.DisableLog(v)
 }
 
 func (ep *Entrypoint) ShortLinkMatcher() *ShortLinkMatcher {
-	return ep.shortLinkTree
+	return ep.shortLinkMatcher
+}
+
+func (ep *Entrypoint) HTTPRoutes() entrypoint.PoolLike[types.HTTPRoute] {
+	return newHTTPPoolAdapter(ep)
+}
+
+func (ep *Entrypoint) StreamRoutes() entrypoint.PoolLike[types.StreamRoute] {
+	return ep.streamRoutes
+}
+
+func (ep *Entrypoint) ExcludedRoutes() entrypoint.RWPoolLike[types.Route] {
+	return ep.excludedRoutes
+}
+
+func (ep *Entrypoint) GetServer(addr string) (http.Handler, bool) {
+	return ep.servers.Load(addr)
 }
 
 func (ep *Entrypoint) SetFindRouteDomains(domains []string) {
@@ -74,7 +156,7 @@ func (ep *Entrypoint) SetMiddlewares(mws []map[string]any) error {
 }
 
 func (ep *Entrypoint) SetNotFoundRules(rules rules.Rules) {
-	ep.notFoundHandler = rules.BuildHandler(http.HandlerFunc(ep.serveNotFound))
+	ep.notFoundHandler = rules.BuildHandler(serveNotFound)
 }
 
 func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.RequestLoggerConfig) (err error) {
@@ -91,111 +173,39 @@ func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.Request
 	return err
 }
 
-func (ep *Entrypoint) FindRoute(s string) types.HTTPRoute {
-	return ep.findRouteFunc(s)
-}
-
-func (ep *Entrypoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if ep.accessLogger != nil {
-		rec := accesslog.GetResponseRecorder(w)
-		w = rec
-		defer func() {
-			ep.accessLogger.Log(r, rec.Response())
-			accesslog.PutResponseRecorder(rec)
-		}()
-	}
-
-	route := ep.findRouteFunc(r.Host)
-	switch {
-	case route != nil:
-		r = routes.WithRouteContext(r, route)
-		if ep.middleware != nil {
-			ep.middleware.ServeHTTP(route.ServeHTTP, w, r)
-		} else {
-			route.ServeHTTP(w, r)
-		}
-	case ep.tryHandleShortLink(w, r):
-		return
-	case ep.notFoundHandler != nil:
-		ep.notFoundHandler.ServeHTTP(w, r)
-	default:
-		ep.serveNotFound(w, r)
-	}
-}
-
-func (ep *Entrypoint) tryHandleShortLink(w http.ResponseWriter, r *http.Request) (handled bool) {
-	host := r.Host
-	if before, _, ok := strings.Cut(host, ":"); ok {
-		host = before
-	}
-	if strings.EqualFold(host, common.ShortLinkPrefix) {
-		if ep.middleware != nil {
-			ep.middleware.ServeHTTP(ep.shortLinkTree.ServeHTTP, w, r)
-		} else {
-			ep.shortLinkTree.ServeHTTP(w, r)
-		}
-		return true
-	}
-	return false
-}
-
-func (ep *Entrypoint) serveNotFound(w http.ResponseWriter, r *http.Request) {
-	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
-	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
-	// Then scraper / scanners will know the subdomain is invalid.
-	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
-	if served := middleware.ServeStaticErrorPageFile(w, r); !served {
-		log.Error().
-			Str("method", r.Method).
-			Str("url", r.URL.String()).
-			Str("remote", r.RemoteAddr).
-			Msgf("not found: %s", r.Host)
-		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
-		if ok {
-			w.WriteHeader(http.StatusNotFound)
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			if _, err := w.Write(errorPage); err != nil {
-				log.Err(err).Msg("failed to write error page")
-			}
-		} else {
-			http.NotFound(w, r)
-		}
-	}
-}
-
-func findRouteAnyDomain(host string) types.HTTPRoute {
+func findRouteAnyDomain(routes HTTPRoutes, host string) types.HTTPRoute {
 	idx := strings.IndexByte(host, '.')
 	if idx != -1 {
 		target := host[:idx]
-		if r, ok := routes.HTTP.Get(target); ok {
+		if r, ok := routes.Get(target); ok {
 			return r
 		}
 	}
-	if r, ok := routes.HTTP.Get(host); ok {
+	if r, ok := routes.Get(host); ok {
 		return r
 	}
 	// try striping the trailing :port from the host
 	if before, _, ok := strings.Cut(host, ":"); ok {
-		if r, ok := routes.HTTP.Get(before); ok {
+		if r, ok := routes.Get(before); ok {
 			return r
 		}
 	}
 	return nil
 }
 
-func findRouteByDomains(domains []string) func(host string) types.HTTPRoute {
-	return func(host string) types.HTTPRoute {
+func findRouteByDomains(domains []string) func(routes HTTPRoutes, host string) types.HTTPRoute {
+	return func(routes HTTPRoutes, host string) types.HTTPRoute {
 		host, _, _ = strings.Cut(host, ":") // strip the trailing :port
 		for _, domain := range domains {
 			if target, ok := strings.CutSuffix(host, domain); ok {
-				if r, ok := routes.HTTP.Get(target); ok {
+				if r, ok := routes.Get(target); ok {
 					return r
 				}
 			}
 		}
 
 		// fallback to exact match
-		if r, ok := routes.HTTP.Get(host); ok {
+		if r, ok := routes.Get(host); ok {
 			return r
 		}
 		return nil

internal/entrypoint/entrypoint_benchmark_test.go

@@ -10,9 +10,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/godoxy/internal/common"
 	. "github.com/yusing/godoxy/internal/entrypoint"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 	routeTypes "github.com/yusing/godoxy/internal/route/types"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/goutils/task"
@@ -48,13 +50,15 @@ func (t noopTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 }
 
 func BenchmarkEntrypointReal(b *testing.B) {
-	var ep Entrypoint
+	task := task.NewTestTask(b)
+	ep := NewEntrypoint(task, nil)
 	req := http.Request{
 		Method: "GET",
 		URL:    &url.URL{Path: "/", RawPath: "/"},
 		Host:   "test.domain.tld",
 	}
 	ep.SetFindRouteDomains([]string{})
+	entrypoint.SetCtx(task, ep)
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Length", "1")
@@ -77,48 +81,48 @@ func BenchmarkEntrypointReal(b *testing.B) {
 		b.Fatal(err)
 	}
 
-	r := &route.Route{
+	r, err := route.NewTestRoute(b, task, &route.Route{
 		Alias:       "test",
 		Scheme:      routeTypes.SchemeHTTP,
 		Host:        host,
 		Port:        route.Port{Proxy: portInt},
 		HealthCheck: types.HealthCheckConfig{Disable: true},
-	}
+	})
 
-	err = r.Validate()
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	err = r.Start(task.RootTask("test", false))
-	if err != nil {
-		b.Fatal(err)
-	}
+	require.NoError(b, err)
+	require.False(b, r.ShouldExclude())
 
 	var w noopResponseWriter
 
+	server, ok := ep.GetServer(common.ProxyHTTPAddr)
+	if !ok {
+		b.Fatal("server not found")
+	}
+
 	b.ResetTimer()
 	for b.Loop() {
-		ep.ServeHTTP(&w, &req)
-		// if w.statusCode != http.StatusOK {
-		// 	b.Fatalf("status code is not 200: %d", w.statusCode)
-		// }
-		// if string(w.written) != "1" {
-		// 	b.Fatalf("written is not 1: %s", string(w.written))
-		// }
+		server.ServeHTTP(&w, &req)
+		if w.statusCode != http.StatusOK {
+			b.Fatalf("status code is not 200: %d", w.statusCode)
+		}
+		if string(w.written) != "1" {
+			b.Fatalf("written is not 1: %s", string(w.written))
+		}
 	}
 }
 
 func BenchmarkEntrypoint(b *testing.B) {
-	var ep Entrypoint
+	task := task.NewTestTask(b)
+	ep := NewEntrypoint(task, nil)
 	req := http.Request{
 		Method: "GET",
 		URL:    &url.URL{Path: "/", RawPath: "/"},
 		Host:   "test.domain.tld",
 	}
 	ep.SetFindRouteDomains([]string{})
+	entrypoint.SetCtx(task, ep)
 
-	r := &route.Route{
+	r, err := route.NewTestRoute(b, task, &route.Route{
 		Alias:  "test",
 		Scheme: routeTypes.SchemeHTTP,
 		Host:   "localhost",
@@ -128,29 +132,23 @@ func BenchmarkEntrypoint(b *testing.B) {
 		HealthCheck: types.HealthCheckConfig{
 			Disable: true,
 		},
-	}
+	})
 
-	err := r.Validate()
-	if err != nil {
-		b.Fatal(err)
-	}
+	require.NoError(b, err)
+	require.False(b, r.ShouldExclude())
 
-	err = r.Start(task.RootTask("test", false))
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	rev, ok := routes.HTTP.Get("test")
-	if !ok {
-		b.Fatal("route not found")
-	}
-	rev.(types.ReverseProxyRoute).ReverseProxy().Transport = noopTransport{}
+	r.(types.ReverseProxyRoute).ReverseProxy().Transport = noopTransport{}
 
 	var w noopResponseWriter
 
+	server, ok := ep.GetServer(common.ProxyHTTPAddr)
+	if !ok {
+		b.Fatal("server not found")
+	}
+
 	b.ResetTimer()
 	for b.Loop() {
-		ep.ServeHTTP(&w, &req)
+		server.ServeHTTP(&w, &req)
 		if w.statusCode != http.StatusOK {
 			b.Fatalf("status code is not 200: %d", w.statusCode)
 		}

internal/entrypoint/entrypoint_test.go

@@ -5,15 +5,13 @@ import (
 
 	. "github.com/yusing/godoxy/internal/entrypoint"
 	"github.com/yusing/godoxy/internal/route"
-	"github.com/yusing/godoxy/internal/route/routes"
 
+	"github.com/yusing/goutils/task"
 	expect "github.com/yusing/goutils/testing"
 )
 
-var ep = NewEntrypoint()
-
-func addRoute(alias string) {
-	routes.HTTP.Add(&route.ReveseProxyRoute{
+func addRoute(ep *Entrypoint, alias string) {
+	ep.AddRoute(&route.ReveseProxyRoute{
 		Route: &route.Route{
 			Alias: alias,
 			Port: route.Port{
@@ -25,26 +23,28 @@ func addRoute(alias string) {
 
 func run(t *testing.T, match []string, noMatch []string) {
 	t.Helper()
-	t.Cleanup(routes.Clear)
-	t.Cleanup(func() { ep.SetFindRouteDomains(nil) })
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 
 	for _, test := range match {
 		t.Run(test, func(t *testing.T) {
-			found := ep.FindRoute(test)
+			found, ok := ep.HTTPRoutes().Get(test)
+			expect.True(t, ok)
 			expect.NotNil(t, found)
 		})
 	}
 
 	for _, test := range noMatch {
 		t.Run(test, func(t *testing.T) {
-			found := ep.FindRoute(test)
+			found, ok := ep.HTTPRoutes().Get(test)
+			expect.False(t, ok)
 			expect.Nil(t, found)
 		})
 	}
 }
 
 func TestFindRouteAnyDomain(t *testing.T) {
-	addRoute("app1")
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
+	addRoute(ep, "app1")
 
 	tests := []string{
 		"app1.com",
@@ -62,6 +62,7 @@ func TestFindRouteAnyDomain(t *testing.T) {
 }
 
 func TestFindRouteExactHostMatch(t *testing.T) {
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	tests := []string{
 		"app2.com",
 		"app2.domain.com",
@@ -75,19 +76,20 @@ func TestFindRouteExactHostMatch(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		addRoute(test)
+		addRoute(ep, test)
 	}
 
 	run(t, tests, testsNoMatch)
 }
 
 func TestFindRouteByDomains(t *testing.T) {
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	ep.SetFindRouteDomains([]string{
 		".domain.com",
 		".sub.domain.com",
 	})
 
-	addRoute("app1")
+	addRoute(ep, "app1")
 
 	tests := []string{
 		"app1.domain.com",
@@ -107,12 +109,13 @@ func TestFindRouteByDomains(t *testing.T) {
 }
 
 func TestFindRouteByDomainsExactMatch(t *testing.T) {
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	ep.SetFindRouteDomains([]string{
 		".domain.com",
 		".sub.domain.com",
 	})
 
-	addRoute("app1.foo.bar")
+	addRoute(ep, "app1.foo.bar")
 
 	tests := []string{
 		"app1.foo.bar", // exact match
@@ -131,8 +134,9 @@ func TestFindRouteByDomainsExactMatch(t *testing.T) {
 
 func TestFindRouteWithPort(t *testing.T) {
 	t.Run("AnyDomain", func(t *testing.T) {
-		addRoute("app1")
-		addRoute("app2.com")
+		ep := NewEntrypoint(task.NewTestTask(t), nil)
+		addRoute(ep, "app1")
+		addRoute(ep, "app2.com")
 
 		tests := []string{
 			"app1:8080",
@@ -148,12 +152,13 @@ func TestFindRouteWithPort(t *testing.T) {
 	})
 
 	t.Run("ByDomains", func(t *testing.T) {
+		ep := NewEntrypoint(task.NewTestTask(t), nil)
 		ep.SetFindRouteDomains([]string{
 			".domain.com",
 		})
-		addRoute("app1")
-		addRoute("app2")
-		addRoute("app3.domain.com")
+		addRoute(ep, "app1")
+		addRoute(ep, "app2")
+		addRoute(ep, "app3.domain.com")
 
 		tests := []string{
 			"app1.domain.com:8080",

internal/entrypoint/http_pool_adapter.go

@@ -0,0 +1,51 @@
+package entrypoint
+
+import (
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/types"
+)
+
+// httpPoolAdapter implements the PoolLike interface for the HTTP routes.
+type httpPoolAdapter struct {
+	ep *Entrypoint
+}
+
+func newHTTPPoolAdapter(ep *Entrypoint) httpPoolAdapter {
+	return httpPoolAdapter{ep: ep}
+}
+
+func (h httpPoolAdapter) Iter(yield func(alias string, route types.HTTPRoute) bool) {
+	for addr, srv := range h.ep.servers.Range {
+		// default routes are added to both HTTP and HTTPS servers, we don't need to iterate over them twice.
+		if addr == common.ProxyHTTPSAddr {
+			continue
+		}
+		for alias, route := range srv.routes.Iter {
+			if !yield(alias, route) {
+				return
+			}
+		}
+	}
+}
+
+func (h httpPoolAdapter) Get(alias string) (types.HTTPRoute, bool) {
+	for addr, srv := range h.ep.servers.Range {
+		if addr == common.ProxyHTTPSAddr {
+			continue
+		}
+		if route, ok := srv.routes.Get(alias); ok {
+			return route, true
+		}
+	}
+	return nil, false
+}
+
+func (h httpPoolAdapter) Size() (n int) {
+	for addr, srv := range h.ep.servers.Range {
+		if addr == common.ProxyHTTPSAddr {
+			continue
+		}
+		n += srv.routes.Size()
+	}
+	return
+}

internal/entrypoint/http_server.go

@@ -0,0 +1,172 @@
+package entrypoint
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/rs/zerolog/log"
+	acl "github.com/yusing/godoxy/internal/acl/types"
+	autocert "github.com/yusing/godoxy/internal/autocert/types"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/logging/accesslog"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware/errorpage"
+	"github.com/yusing/godoxy/internal/route/routes"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/pool"
+	"github.com/yusing/goutils/server"
+)
+
+// httpServer is a server that listens on a given address and serves HTTP routes.
+type HTTPServer interface {
+	Listen(addr string, proto HTTPProto) error
+	AddRoute(route types.HTTPRoute)
+	DelRoute(route types.HTTPRoute)
+	FindRoute(s string) types.HTTPRoute
+	ServeHTTP(w http.ResponseWriter, r *http.Request)
+}
+
+type httpServer struct {
+	srv *server.Server
+	ep  *Entrypoint
+
+	stopFunc func(reason any)
+
+	addr   string
+	routes *pool.Pool[types.HTTPRoute]
+}
+
+type HTTPProto string
+
+const (
+	HTTPProtoHTTP  HTTPProto = "http"
+	HTTPProtoHTTPS HTTPProto = "https"
+)
+
+func NewHTTPServer(ep *Entrypoint) HTTPServer {
+	return newHTTPServer(ep)
+}
+
+func newHTTPServer(ep *Entrypoint) *httpServer {
+	return &httpServer{ep: ep}
+}
+
+// Listen starts the server and stop when entrypoint is stopped.
+func (srv *httpServer) Listen(addr string, proto HTTPProto) error {
+	if srv.srv != nil {
+		return errors.New("server already started")
+	}
+
+	opts := server.Options{
+		Name:                 addr,
+		Handler:              srv,
+		ACL:                  acl.FromCtx(srv.ep.task.Context()),
+		SupportProxyProtocol: srv.ep.cfg.SupportProxyProtocol,
+	}
+
+	switch proto {
+	case HTTPProtoHTTP:
+		opts.HTTPAddr = addr
+	case HTTPProtoHTTPS:
+		opts.HTTPSAddr = addr
+		opts.CertProvider = autocert.FromCtx(srv.ep.task.Context())
+	}
+
+	task := srv.ep.task.Subtask("http_server", false)
+	server, err := server.StartServer(task, opts)
+	if err != nil {
+		return err
+	}
+	srv.stopFunc = task.FinishAndWait
+	srv.addr = addr
+	srv.srv = server
+	srv.routes = pool.New[types.HTTPRoute](fmt.Sprintf("[%s] %s", proto, addr))
+	srv.routes.DisableLog(srv.ep.httpPoolDisableLog.Load())
+	return nil
+}
+
+func (srv *httpServer) Close() {
+	srv.stopFunc(nil)
+}
+
+func (srv *httpServer) AddRoute(route types.HTTPRoute) {
+	srv.routes.Add(route)
+}
+
+func (srv *httpServer) DelRoute(route types.HTTPRoute) {
+	srv.routes.Del(route)
+}
+
+func (srv *httpServer) FindRoute(s string) types.HTTPRoute {
+	return srv.ep.findRouteFunc(srv.routes, s)
+}
+
+func (srv *httpServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if srv.ep.accessLogger != nil {
+		rec := accesslog.GetResponseRecorder(w)
+		w = rec
+		defer func() {
+			srv.ep.accessLogger.LogRequest(r, rec.Response())
+			accesslog.PutResponseRecorder(rec)
+		}()
+	}
+
+	route := srv.ep.findRouteFunc(srv.routes, r.Host)
+	switch {
+	case route != nil:
+		r = routes.WithRouteContext(r, route)
+		if srv.ep.middleware != nil {
+			srv.ep.middleware.ServeHTTP(route.ServeHTTP, w, r)
+		} else {
+			route.ServeHTTP(w, r)
+		}
+	case srv.tryHandleShortLink(w, r):
+		return
+	case srv.ep.notFoundHandler != nil:
+		srv.ep.notFoundHandler.ServeHTTP(w, r)
+	default:
+		serveNotFound(w, r)
+	}
+}
+
+func (srv *httpServer) tryHandleShortLink(w http.ResponseWriter, r *http.Request) (handled bool) {
+	host := r.Host
+	if before, _, ok := strings.Cut(host, ":"); ok {
+		host = before
+	}
+	if strings.EqualFold(host, common.ShortLinkPrefix) {
+		if srv.ep.middleware != nil {
+			srv.ep.middleware.ServeHTTP(srv.ep.shortLinkMatcher.ServeHTTP, w, r)
+		} else {
+			srv.ep.shortLinkMatcher.ServeHTTP(w, r)
+		}
+		return true
+	}
+	return false
+}
+
+func serveNotFound(w http.ResponseWriter, r *http.Request) {
+	// Why use StatusNotFound instead of StatusBadRequest or StatusBadGateway?
+	// On nginx, when route for domain does not exist, it returns StatusBadGateway.
+	// Then scraper / scanners will know the subdomain is invalid.
+	// With StatusNotFound, they won't know whether it's the path, or the subdomain that is invalid.
+	if served := middleware.ServeStaticErrorPageFile(w, r); !served {
+		log.Error().
+			Str("method", r.Method).
+			Str("url", r.URL.String()).
+			Str("remote", r.RemoteAddr).
+			Msgf("not found: %s", r.Host)
+		errorPage, ok := errorpage.GetErrorPageByStatus(http.StatusNotFound)
+		if ok {
+			w.WriteHeader(http.StatusNotFound)
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			if _, err := w.Write(errorPage); err != nil {
+				log.Err(err).Msg("failed to write error page")
+			}
+		} else {
+			http.NotFound(w, r)
+		}
+	}
+}

internal/entrypoint/query.go

@@ -0,0 +1,91 @@
+package entrypoint
+
+import (
+	"github.com/yusing/godoxy/internal/types"
+)
+
+// GetHealthInfo returns a map of route name to health info.
+//
+// The health info is for all routes, including excluded routes.
+func (ep *Entrypoint) GetHealthInfo() map[string]types.HealthInfo {
+	healthMap := make(map[string]types.HealthInfo, ep.NumRoutes())
+	for r := range ep.IterRoutes {
+		healthMap[r.Name()] = getHealthInfo(r)
+	}
+	return healthMap
+}
+
+// GetHealthInfoWithoutDetail returns a map of route name to health info without detail.
+//
+// The health info is for all routes, including excluded routes.
+func (ep *Entrypoint) GetHealthInfoWithoutDetail() map[string]types.HealthInfoWithoutDetail {
+	healthMap := make(map[string]types.HealthInfoWithoutDetail, ep.NumRoutes())
+	for r := range ep.IterRoutes {
+		healthMap[r.Name()] = getHealthInfoWithoutDetail(r)
+	}
+	return healthMap
+}
+
+// GetHealthInfoSimple returns a map of route name to health status.
+//
+// The health status is for all routes, including excluded routes.
+func (ep *Entrypoint) GetHealthInfoSimple() map[string]types.HealthStatus {
+	healthMap := make(map[string]types.HealthStatus, ep.NumRoutes())
+	for r := range ep.IterRoutes {
+		healthMap[r.Name()] = getHealthInfoSimple(r)
+	}
+	return healthMap
+}
+
+// RoutesByProvider returns a map of provider name to routes.
+//
+// The routes are all routes, including excluded routes.
+func (ep *Entrypoint) RoutesByProvider() map[string][]types.Route {
+	rts := make(map[string][]types.Route)
+	for r := range ep.IterRoutes {
+		rts[r.ProviderName()] = append(rts[r.ProviderName()], r)
+	}
+	return rts
+}
+
+func getHealthInfo(r types.Route) types.HealthInfo {
+	mon := r.HealthMonitor()
+	if mon == nil {
+		return types.HealthInfo{
+			HealthInfoWithoutDetail: types.HealthInfoWithoutDetail{
+				Status: types.StatusUnknown,
+			},
+			Detail: "n/a",
+		}
+	}
+	return types.HealthInfo{
+		HealthInfoWithoutDetail: types.HealthInfoWithoutDetail{
+			Status:  mon.Status(),
+			Uptime:  mon.Uptime(),
+			Latency: mon.Latency(),
+		},
+		Detail: mon.Detail(),
+	}
+}
+
+func getHealthInfoWithoutDetail(r types.Route) types.HealthInfoWithoutDetail {
+	mon := r.HealthMonitor()
+	if mon == nil {
+		return types.HealthInfoWithoutDetail{
+			Status: types.StatusUnknown,
+		}
+	}
+	return types.HealthInfoWithoutDetail{
+		Status:  mon.Status(),
+		Uptime:  mon.Uptime(),
+		Latency: mon.Latency(),
+	}
+}
+
+func getHealthInfoSimple(r types.Route) types.HealthStatus {
+	mon := r.HealthMonitor()
+	if mon == nil {
+		return types.StatusUnknown
+	}
+	return mon.Status()
+}

internal/entrypoint/routes.go

@@ -0,0 +1,121 @@
+package entrypoint
+
+import (
+	"errors"
+	"net"
+	"strconv"
+
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/types"
+)
+
+func (ep *Entrypoint) IterRoutes(yield func(r types.Route) bool) {
+	for _, r := range ep.HTTPRoutes().Iter {
+		if !yield(r) {
+			break
+		}
+	}
+	for _, r := range ep.streamRoutes.Iter {
+		if !yield(r) {
+			break
+		}
+	}
+	for _, r := range ep.excludedRoutes.Iter {
+		if !yield(r) {
+			break
+		}
+	}
+}
+
+func (ep *Entrypoint) NumRoutes() int {
+	return ep.HTTPRoutes().Size() + ep.streamRoutes.Size() + ep.excludedRoutes.Size()
+}
+
+func (ep *Entrypoint) GetRoute(alias string) (types.Route, bool) {
+	if r, ok := ep.HTTPRoutes().Get(alias); ok {
+		return r, true
+	}
+	if r, ok := ep.streamRoutes.Get(alias); ok {
+		return r, true
+	}
+	if r, ok := ep.excludedRoutes.Get(alias); ok {
+		return r, true
+	}
+	return nil, false
+}
+
+func (ep *Entrypoint) AddRoute(r types.Route) {
+	if r.ShouldExclude() {
+		ep.excludedRoutes.Add(r)
+		r.Task().OnCancel("remove_route", func() {
+			ep.excludedRoutes.Del(r)
+		})
+		return
+	}
+	switch r := r.(type) {
+	case types.HTTPRoute:
+		if err := ep.AddHTTPRoute(r); err != nil {
+			log.Error().
+				Err(err).
+				Str("route", r.Key()).
+				Str("listen_url", r.ListenURL().String()).
+				Msg("failed to add HTTP route")
+		}
+		ep.shortLinkMatcher.AddRoute(r.Key())
+		r.Task().OnCancel("remove_route", func() {
+			ep.delHTTPRoute(r)
+			ep.shortLinkMatcher.DelRoute(r.Key())
+		})
+	case types.StreamRoute:
+		ep.streamRoutes.Add(r)
+		r.Task().OnCancel("remove_route", func() {
+			ep.streamRoutes.Del(r)
+		})
+	}
+}
+
+// AddHTTPRoute adds a HTTP route to the entrypoint's server.
+//
+// If the server does not exist, it will be created, started and return any error.
+func (ep *Entrypoint) AddHTTPRoute(route types.HTTPRoute) error {
+	if port := route.ListenURL().Port(); port == "" || port == "0" {
+		host := route.ListenURL().Hostname()
+		var httpAddr, httpsAddr string
+		if host == "" {
+			httpAddr = common.ProxyHTTPAddr
+			httpsAddr = common.ProxyHTTPSAddr
+		} else {
+			httpAddr = net.JoinHostPort(host, strconv.Itoa(common.ProxyHTTPPort))
+			httpsAddr = net.JoinHostPort(host, strconv.Itoa(common.ProxyHTTPSPort))
+		}
+		return errors.Join(ep.addHTTPRoute(route, httpAddr, HTTPProtoHTTP), ep.addHTTPRoute(route, httpsAddr, HTTPProtoHTTPS))
+	}
+
+	return ep.addHTTPRoute(route, route.ListenURL().Host, HTTPProtoHTTPS)
+}
+
+func (ep *Entrypoint) addHTTPRoute(route types.HTTPRoute, addr string, proto HTTPProto) error {
+	var err error
+	srv, _ := ep.servers.LoadOrCompute(addr, func() (newSrv *httpServer, cancel bool) {
+		newSrv = newHTTPServer(ep)
+		err = newSrv.Listen(addr, proto)
+		cancel = err != nil
+		return
+	})
+	if err != nil {
+		return err
+	}
+
+	srv.AddRoute(route)
+	return nil
+}
+
+func (ep *Entrypoint) delHTTPRoute(route types.HTTPRoute) {
+	addr := route.ListenURL().Host
+	srv, _ := ep.servers.Load(addr)
+	if srv != nil {
+		srv.DelRoute(route)
+	}
+	// TODO: close if no servers left
+}

internal/entrypoint/shortlink.go

@@ -14,7 +14,7 @@ type ShortLinkMatcher struct {
 	subdomainRoutes *xsync.Map[string, struct{}]
 }
 
-func newShortLinkTree() *ShortLinkMatcher {
+func newShortLinkMatcher() *ShortLinkMatcher {
 	return &ShortLinkMatcher{
 		fqdnRoutes:      xsync.NewMap[string, string](),
 		subdomainRoutes: xsync.NewMap[string, struct{}](),

internal/entrypoint/shortlink_test.go

@@ -6,13 +6,15 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/yusing/godoxy/internal/common"
 	. "github.com/yusing/godoxy/internal/entrypoint"
+	"github.com/yusing/goutils/task"
 )
 
 func TestShortLinkMatcher_FQDNAlias(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.AddRoute("app.domain.com")
 
@@ -45,7 +47,7 @@ func TestShortLinkMatcher_FQDNAlias(t *testing.T) {
 }
 
 func TestShortLinkMatcher_SubdomainAlias(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.SetDefaultDomainSuffix(".example.com")
 	matcher.AddRoute("app")
@@ -70,7 +72,7 @@ func TestShortLinkMatcher_SubdomainAlias(t *testing.T) {
 }
 
 func TestShortLinkMatcher_NotFound(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.SetDefaultDomainSuffix(".example.com")
 	matcher.AddRoute("app")
@@ -93,7 +95,7 @@ func TestShortLinkMatcher_NotFound(t *testing.T) {
 }
 
 func TestShortLinkMatcher_AddDelRoute(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	matcher.SetDefaultDomainSuffix(".example.com")
 
@@ -131,7 +133,7 @@ func TestShortLinkMatcher_AddDelRoute(t *testing.T) {
 }
 
 func TestShortLinkMatcher_NoDefaultDomainSuffix(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	matcher := ep.ShortLinkMatcher()
 	// no SetDefaultDomainSuffix called
 
@@ -158,15 +160,19 @@ func TestShortLinkMatcher_NoDefaultDomainSuffix(t *testing.T) {
 }
 
 func TestEntrypoint_ShortLinkDispatch(t *testing.T) {
-	ep := NewEntrypoint()
+	ep := NewEntrypoint(task.NewTestTask(t), nil)
 	ep.ShortLinkMatcher().SetDefaultDomainSuffix(".example.com")
 	ep.ShortLinkMatcher().AddRoute("app")
 
+	server := NewHTTPServer(ep)
+	err := server.Listen("localhost:0", HTTPProtoHTTP)
+	require.NoError(t, err)
+
 	t.Run("shortlink host", func(t *testing.T) {
 		req := httptest.NewRequest("GET", "/app", nil)
 		req.Host = common.ShortLinkPrefix
 		w := httptest.NewRecorder()
-		ep.ServeHTTP(w, req)
+		server.ServeHTTP(w, req)
 
 		assert.Equal(t, http.StatusTemporaryRedirect, w.Code)
 		assert.Equal(t, "https://app.example.com/", w.Header().Get("Location"))
@@ -176,7 +182,7 @@ func TestEntrypoint_ShortLinkDispatch(t *testing.T) {
 		req := httptest.NewRequest("GET", "/app", nil)
 		req.Host = common.ShortLinkPrefix + ":8080"
 		w := httptest.NewRecorder()
-		ep.ServeHTTP(w, req)
+		server.ServeHTTP(w, req)
 
 		assert.Equal(t, http.StatusTemporaryRedirect, w.Code)
 		assert.Equal(t, "https://app.example.com/", w.Header().Get("Location"))
@@ -186,7 +192,7 @@ func TestEntrypoint_ShortLinkDispatch(t *testing.T) {
 		req := httptest.NewRequest("GET", "/app", nil)
 		req.Host = "app.example.com"
 		w := httptest.NewRecorder()
-		ep.ServeHTTP(w, req)
+		server.ServeHTTP(w, req)
 
 		// Should not redirect, should try normal route lookup (which will 404)
 		assert.NotEqual(t, http.StatusTemporaryRedirect, w.Code)

internal/entrypoint/types/context.go

@@ -0,0 +1,18 @@
+package entrypoint
+
+import (
+	"context"
+)
+
+type ContextKey struct{}
+
+func SetCtx(ctx interface{ SetValue(any, any) }, ep Entrypoint) {
+	ctx.SetValue(ContextKey{}, ep)
+}
+
+func FromCtx(ctx context.Context) Entrypoint {
+	if ep, ok := ctx.Value(ContextKey{}).(Entrypoint); ok {
+		return ep
+	}
+	return nil
+}

internal/entrypoint/types/entrypoint.go

@@ -0,0 +1,37 @@
+package entrypoint
+
+import (
+	"github.com/yusing/godoxy/internal/types"
+)
+
+type Entrypoint interface {
+	SupportProxyProtocol() bool
+
+	DisablePoolsLog(v bool)
+
+	GetRoute(alias string) (types.Route, bool)
+	AddRoute(r types.Route)
+	IterRoutes(yield func(r types.Route) bool)
+	NumRoutes() int
+	RoutesByProvider() map[string][]types.Route
+
+	HTTPRoutes() PoolLike[types.HTTPRoute]
+	StreamRoutes() PoolLike[types.StreamRoute]
+	ExcludedRoutes() RWPoolLike[types.Route]
+
+	GetHealthInfo() map[string]types.HealthInfo
+	GetHealthInfoWithoutDetail() map[string]types.HealthInfoWithoutDetail
+	GetHealthInfoSimple() map[string]types.HealthStatus
+}
+
+type PoolLike[Route types.Route] interface {
+	Get(alias string) (Route, bool)
+	Iter(yield func(alias string, r Route) bool)
+	Size() int
+}
+
+type RWPoolLike[Route types.Route] interface {
+	PoolLike[Route]
+	Add(r Route)
+	Del(r Route)
+}

internal/health/check/http.go

@@ -76,8 +76,11 @@ func H2C(ctx context.Context, url *url.URL, method, path string, timeout time.Du
 
 	setCommonHeaders(req.Header.Set)
 
+	client := *h2cClient
+	client.Timeout = timeout
+
 	start := time.Now()
-	resp, err := h2cClient.Do(req)
+	resp, err := client.Do(req)
 	lat := time.Since(start)
 
 	if resp != nil {

internal/health/check/stream.go

@@ -12,6 +12,14 @@ import (
 )
 
 func Stream(ctx context.Context, url *url.URL, timeout time.Duration) (types.HealthCheckResult, error) {
+	if port := url.Port(); port == "" || port == "0" {
+		return types.HealthCheckResult{
+			Latency: 0,
+			Healthy: false,
+			Detail:  "no port specified",
+		}, nil
+	}
+
 	dialer := net.Dialer{
 		Timeout:       timeout,
 		FallbackDelay: -1,

internal/homepage/README.md

@@ -1,6 +1,6 @@
 # Homepage
 
-The homepage package provides the GoDoxy WebUI dashboard with support for categories, favorites, widgets, and dynamic item configuration.
+The homepage package provides the GoDoxy WebUI dashboard with support for categories, favorites, widgets, dynamic item configuration, and icon management.
 
 ## Overview
 
@@ -194,18 +194,6 @@ Widgets can display various types of information:
 - **Links**: Quick access links
 - **Custom**: Provider-specific data
 
-## Icon Handling
-
-Icons are handled via `IconURL` type:
-
-```go
-type IconURL struct {
-    // Icon URL with various sources
-}
-
-// Automatic favicon fetching from item URL
-```
-
 ## Categories
 
 ### Default Categories

internal/homepage/icons/README.md

@@ -0,0 +1,491 @@
+# Icons Package
+
+Icon URL parsing, fetching, and listing for the homepage dashboard.
+
+## Overview
+
+The icons package manages icon resources from multiple sources with support for light/dark variants and multiple image formats. It provides a unified API for parsing icon URLs, checking icon availability, fetching icon data, and searching available icons from CDN repositories.
+
+### Purpose
+
+- Parse and validate icon URLs from various sources
+- Fetch icon data with caching and fallback strategies
+- Maintain a searchable index of available icons from walkxcode and selfh.st CDNs
+- Support light/dark theme variants and multiple image formats (SVG, PNG, WebP)
+
+### Primary Consumers
+
+- `internal/homepage/` - Homepage route management and icon assignment
+- `internal/api/` - Icon search and listing API endpoints
+- `internal/route/` - Route icon resolution for proxy targets
+
+### Non-goals
+
+- Icon generation or modification (only fetching)
+- Authentication for remote icon sources (public CDNs only)
+- Icon validation beyond format checking
+
+### Stability
+
+This package exposes a stable public API. Internal implementations (caching strategies, fetch logic) may change without notice.
+
+## Concepts and Terminology
+
+| Term         | Definition                                                                            |
+| ------------ | ------------------------------------------------------------------------------------- |
+| **Source**   | The origin type of an icon (absolute URL, relative path, walkxcode CDN, selfh.st CDN) |
+| **Variant**  | Theme variant: none, light, or dark                                                   |
+| **Key**      | Unique identifier combining source and reference (e.g., `@walkxcode/nginx`)           |
+| **Meta**     | Metadata describing available formats and variants for an icon                        |
+| **Provider** | Interface for checking icon existence without fetching data                           |
+
+## Public API
+
+### Exported Types
+
+#### Source
+
+Source identifies the origin of an icon. Use the constants defined below.
+
+```go
+type Source string
+
+const (
+    // SourceAbsolute is a full URL (http:// or https://)
+    SourceAbsolute Source = "https://"
+
+    // SourceRelative is a path relative to the target service (@target or leading /)
+    SourceRelative Source = "@target"
+
+    // SourceWalkXCode is the walkxcode dashboard-icons CDN
+    SourceWalkXCode Source = "@walkxcode"
+
+    // SourceSelfhSt is the selfh.st icons CDN
+    SourceSelfhSt Source = "@selfhst"
+)
+```
+
+#### Variant
+
+Variant indicates the theme preference for icons that support light/dark modes.
+
+```go
+type Variant string
+
+const (
+    VariantNone  Variant = ""     // Default, no variant suffix
+    VariantLight Variant = "light" // Light theme variant (-light suffix)
+    VariantDark  Variant = "dark"  // Dark theme variant (-dark suffix)
+)
+```
+
+#### URL
+
+URL represents a parsed icon URL with its source and metadata.
+
+```go
+type URL struct {
+    // Source identifies the icon origin
+    Source `json:"source"`
+
+    // FullURL contains the resolved URL for absolute/relative sources
+    FullURL *string `json:"value,omitempty"`
+
+    // Extra contains metadata for CDN sources (walkxcode/selfhst)
+    Extra *Extra `json:"extra,omitempty"`
+}
+```
+
+**URL Methods:**
+
+- `Parse(v string) error` - Parses an icon URL string (implements `strutils.Parser`)
+- `URL() string` - Returns the absolute URL for fetching
+- `HasIcon() bool` - Checks if the icon exists (requires Provider to be set)
+- `WithVariant(variant Variant) *URL` - Returns a new URL with the specified variant
+- `String() string` - Returns the original URL representation
+- `MarshalText() ([]byte, error)` - Serializes to text (implements `encoding.TextMarshaler`)
+- `UnmarshalText(data []byte) error` - Deserializes from text (implements `encoding.TextUnmarshaler`)
+
+#### Extra
+
+Extra contains metadata for icons from CDN sources.
+
+```go
+type Extra struct {
+    // Key is the unique icon key
+    Key Key `json:"key"`
+
+    // Ref is the icon reference name (without variant suffix)
+    Ref string `json:"ref"`
+
+    // FileType is the image format: "svg", "png", or "webp"
+    FileType string `json:"file_type"`
+
+    // IsLight indicates if this is a light variant
+    IsLight bool `json:"is_light"`
+
+    // IsDark indicates if this is a dark variant
+    IsDark bool `json:"is_dark"`
+}
+```
+
+#### Key
+
+Key is a unique identifier for an icon from a specific source.
+
+```go
+type Key string
+
+// NewKey creates a key from source and reference
+func NewKey(source Source, reference string) Key
+
+// SourceRef extracts the source and reference from a key
+func (k Key) SourceRef() (Source, string)
+```
+
+#### Meta
+
+Meta stores availability metadata for an icon.
+
+```go
+type Meta struct {
+    // Available formats
+    SVG  bool `json:"SVG"`  // SVG format available
+    PNG  bool `json:"PNG"`  // PNG format available
+    WebP bool `json:"WebP"` // WebP format available
+
+    // Available variants
+    Light bool `json:"Light"` // Light variant available
+    Dark  bool `json:"Dark"`  // Dark variant available
+
+    // DisplayName is the human-readable name (selfh.st only)
+    DisplayName string `json:"-"`
+
+    // Tag is the category tag (selfh.st only)
+    Tag string `json:"-"`
+}
+
+// Filenames returns all available filename variants for this icon
+func (icon *Meta) Filenames(ref string) []string
+```
+
+### Exported Functions
+
+```go
+// NewURL creates a URL for a CDN source with the given reference and format
+func NewURL(source Source, refOrName, format string) *URL
+
+// ErrInvalidIconURL is returned when icon URL parsing fails
+var ErrInvalidIconURL = gperr.New("invalid icon url")
+```
+
+### Provider Interface
+
+```go
+type Provider interface {
+    // HasIcon returns true if the icon exists in the provider's catalog
+    HasIcon(u *URL) bool
+}
+
+// SetProvider sets the global icon provider for existence checks
+func SetProvider(p Provider)
+```
+
+The provider pattern allows the icons package to check icon existence without fetching data. The `list` subpackage registers a provider that checks against the cached icon list.
+
+## Architecture
+
+### Core Components
+
+```mermaid
+graph TD
+    subgraph icons/
+        URL["URL"] --> Parser[URL Parser]
+        URL --> VariantHandler[Variant Handler]
+        Key --> Provider
+    end
+
+    subgraph fetch/
+        FetchFavIconFromURL --> FetchIconAbsolute
+        FetchFavIconFromURL --> FindIcon
+        FindIcon --> fetchKnownIcon
+        FindIcon --> findIconSlow
+        fetchKnownIcon --> FetchIconAbsolute
+    end
+
+    subgraph list/
+        InitCache --> updateIcons
+        updateIcons --> UpdateWalkxCodeIcons
+        updateIcons --> UpdateSelfhstIcons
+        SearchIcons --> fuzzyRank[Fuzzy Rank Match]
+        HasIcon --> ListAvailableIcons
+    end
+
+    style URL fill:#22553F,color:#fff
+    style list fill:#22553F,color:#fff
+    style fetch fill:#22553F,color:#fff
+```
+
+### Component Interactions
+
+1. **URL Parsing** (`url.go`): Parses icon URL strings and validates format
+2. **Icon Existence** (`provider.go`): Delegates to registered Provider
+3. **Icon Fetching** (`fetch/fetch.go`): Fetches icon data with caching
+4. **Icon Listing** (`list/list_icons.go`): Maintains cached index of available icons
+
+### Data Flow
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant URLParser
+    participant Provider
+    participant FetchCache
+    participant ExternalCDN
+
+    Client->>URLParser: Parse("@walkxcode/nginx.svg")
+    URLParser->>Provider: HasIcon(icon)
+    Provider->>FetchCache: Check cached list
+    FetchCache-->>Provider: exists
+    Provider-->>URLParser: true
+    URLParser-->>Client: URL object
+
+    Client->>FetchCache: FetchFavIconFromURL(url)
+    FetchCache->>ExternalCDN: GET https://...
+    ExternalCDN-->>FetchCache: icon data
+    FetchCache-->>Client: Result{Icon: [...], StatusCode: 200}
+```
+
+## Subpackages
+
+### fetch/
+
+Icon fetching implementation with caching and fallback strategies.
+
+```go
+type Result struct {
+    Icon       []byte  // Raw icon image data
+    StatusCode int     // HTTP status code from fetch
+}
+
+// FetchFavIconFromURL fetches an icon from a parsed URL
+func FetchFavIconFromURL(ctx context.Context, iconURL *URL) (Result, error)
+
+// FindIcon finds an icon for a route with variant support
+func FindIcon(ctx context.Context, r route, uri string, variant Variant) (Result, error)
+```
+
+**Key behaviors:**
+
+- `FetchIconAbsolute` is cached with 200 entries and 4-hour TTL
+- `findIconSlow` has infinite retries with 15-second backoff
+- HTML parsing fallback extracts `<link rel=icon>` from target pages
+
+### list/
+
+Icon catalog management with search and caching.
+
+```go
+type IconMap map[Key]*Meta
+type IconMetaSearch struct {
+    *Meta
+    Source Source `json:"Source"`
+    Ref    string `json:"Ref"`
+    rank   int
+}
+
+// InitCache loads icon metadata from cache or remote sources
+func InitCache()
+
+// ListAvailableIcons returns the current icon catalog
+func ListAvailableIcons() IconMap
+
+// SearchIcons performs fuzzy search on icon names
+func SearchIcons(keyword string, limit int) []*IconMetaSearch
+
+// HasIcon checks if an icon exists in the catalog
+func HasIcon(icon *URL) bool
+```
+
+**Key behaviors:**
+
+- Updates from walkxcode and selfh.st CDNs every 2 hours
+- Persists cache to disk for fast startup
+- Fuzzy search uses Levenshtein distance ranking
+
+## Configuration
+
+### Cache Location
+
+Icons cache is stored at the path specified by `common.IconListCachePath`.
+
+### Environment Variables
+
+No direct environment variable configuration. Cache is managed internally.
+
+### Reloading
+
+Icon cache updates automatically every 2 hours in the background. Manual refresh requires program restart.
+
+## Observability
+
+### Logs
+
+- `failed to load icons` - Cache load failure at startup
+- `icons loaded` - Successful cache load with entry count
+- `updating icon data` - Background update started
+- `icons list updated` - Successful cache refresh with entry count
+- `failed to save icons` - Cache persistence failure
+
+### Metrics
+
+No metrics exposed directly. Status codes in `Result` can be monitored via HTTP handlers.
+
+### Tracing
+
+Standard `context.Context` propagation is used throughout. Fetch operations respect context cancellation and deadlines.
+
+## Security Considerations
+
+- **Input Validation**: Icon URLs are strictly validated for format and source
+- **SSRF Protection**: Only absolute URLs passed directly; no arbitrary URL construction
+- **Content-Type**: Detected from response headers or inferred from SVG magic bytes
+- **Size Limits**: Cache limited to 200 entries; no explicit size limit on icon data
+- **Timeouts**: 3-second timeout on favicon fetches, 5-second timeout on list updates
+
+## Performance Characteristics
+
+- **Parsing**: O(1) string parsing with early validation
+- **Caching**: LRU-style cache with TTL for fetched icons
+- **Background Updates**: Non-blocking updates every 2 hours
+- **Search**: O(n) fuzzy match with early exit at rank > 3
+- **Memory**: Icon list typically contains ~2000 entries
+
+## Failure Modes and Recovery
+
+| Failure                | Behavior                                 | Recovery                         |
+| ---------------------- | ---------------------------------------- | -------------------------------- |
+| CDN fetch timeout      | Return cached data or fail               | Automatic retry with backoff     |
+| Cache load failure     | Attempt legacy format, then remote fetch | Manual cache reset if persistent |
+| Icon not found in list | Return error from Parse                  | User must select valid icon      |
+| HTML parse failure     | Return "icon element not found"          | Manual icon selection            |
+
+## Usage Examples
+
+### Basic: Parse and Generate URL
+
+```go
+package main
+
+import (
+    "fmt"
+    "github.com/yusing/godoxy/internal/homepage/icons"
+)
+
+func main() {
+    // Parse a CDN icon URL
+    url := &icons.URL{}
+    err := url.Parse("@walkxcode/nginx.svg")
+    if err != nil {
+        panic(err)
+    }
+
+    // Get the actual fetchable URL
+    fmt.Println(url.URL())
+    // Output: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/svg/nginx.svg
+
+    // Get string representation
+    fmt.Println(url.String())
+    // Output: @walkxcode/nginx.svg
+
+    // Create with dark variant
+    darkUrl := url.WithVariant(icons.VariantDark)
+    fmt.Println(darkUrl.URL())
+    // Output: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/svg/nginx-dark.svg
+}
+```
+
+### Advanced: Fetch Icon Data
+
+```go
+package main
+
+import (
+    "context"
+    "fmt"
+    "net/http"
+
+    "github.com/yusing/godoxy/internal/homepage/icons/fetch"
+)
+
+func main() {
+    // Initialize the icon list cache first
+    iconlist.InitCache()
+
+    // Parse icon URL
+    url := &icons.URL{}
+    if err := url.Parse("@walkxcode/nginx.svg"); err != nil {
+        panic(err)
+    }
+
+    // Fetch icon data
+    ctx := context.Background()
+    result, err := fetch.FetchFavIconFromURL(ctx, url)
+    if err != nil {
+        fmt.Printf("Fetch failed: %v\n", err)
+        return
+    }
+
+    if result.StatusCode != http.StatusOK {
+        fmt.Printf("HTTP %d\n", result.StatusCode)
+        return
+    }
+
+    fmt.Printf("Fetched %d bytes, Content-Type: %s\n",
+        len(result.Icon), result.ContentType())
+}
+```
+
+### Integration: Search Available Icons
+
+```go
+package main
+
+import (
+    "fmt"
+
+    "github.com/yusing/godoxy/internal/homepage/icons/list"
+)
+
+func main() {
+    // Initialize cache
+    list.InitCache()
+
+    // Search for icons matching a keyword
+    results := list.SearchIcons("nginx", 5)
+
+    for _, icon := range results {
+        source, ref := icon.Key.SourceRef()
+        fmt.Printf("[%s] %s - SVG:%v PNG:%v WebP:%v\n",
+            source, ref, icon.SVG, icon.PNG, icon.WebP)
+    }
+}
+```
+
+## Testing Notes
+
+- Unit tests in `url_test.go` validate parsing and serialization
+- Test mode (`common.IsTest`) bypasses existence checks
+- Mock HTTP in list tests via `MockHTTPGet()`
+- Golden tests not used; test fixtures embedded in test cases
+
+## Icon URL Formats
+
+| Format        | Example                        | Output URL                                                            |
+| ------------- | ------------------------------ | --------------------------------------------------------------------- |
+| Absolute      | `https://example.com/icon.png` | `https://example.com/icon.png`                                        |
+| Relative      | `@target/favicon.ico`          | `/favicon.ico`                                                        |
+| WalkXCode     | `@walkxcode/nginx.svg`         | `https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/svg/nginx.svg` |
+| Selfh.st      | `@selfhst/adguard-home.webp`   | `https://cdn.jsdelivr.net/gh/selfhst/icons/webp/adguard-home.webp`    |
+| Light variant | `@walkxcode/nginx-light.png`   | `.../nginx-light.png`                                                 |
+| Dark variant  | `@walkxcode/nginx-dark.svg`    | `.../nginx-dark.svg`                                                  |

internal/homepage/icons/list/list_icons.go

@@ -55,20 +55,20 @@ func init() {
 
 func InitCache() {
 	m := make(IconMap)
-	err := serialization.LoadJSONIfExist(common.IconListCachePath, &m)
+	err := serialization.LoadFileIfExist(common.IconListCachePath, &m, sonic.Unmarshal)
 	if err != nil {
 		// backward compatible
 		oldFormat := struct {
 			Icons      IconMap
 			LastUpdate time.Time
 		}{}
-		err = serialization.LoadJSONIfExist(common.IconListCachePath, &oldFormat)
+		err = serialization.LoadFileIfExist(common.IconListCachePath, &oldFormat, sonic.Unmarshal)
 		if err != nil {
 			log.Error().Err(err).Msg("failed to load icons")
 		} else {
 			m = oldFormat.Icons
 			// store it to disk immediately
-			_ = serialization.SaveJSON(common.IconListCachePath, &m, 0o644)
+			_ = serialization.SaveFile(common.IconListCachePath, &m, 0o644, sonic.Marshal)
 		}
 	} else if len(m) > 0 {
 		log.Info().
@@ -84,7 +84,7 @@ func InitCache() {
 
 	task.OnProgramExit("save_icons_cache", func() {
 		icons := iconsCache.Load()
-		_ = serialization.SaveJSON(common.IconListCachePath, &icons, 0o644)
+		_ = serialization.SaveFile(common.IconListCachePath, &icons, 0o644, sonic.Marshal)
 	})
 
 	go backgroundUpdateIcons()
@@ -105,7 +105,7 @@ func backgroundUpdateIcons() {
 				// swap old cache with new cache
 				iconsCache.Store(newCache)
 				// save it to disk
-				err := serialization.SaveJSON(common.IconListCachePath, &newCache, 0o644)
+				err := serialization.SaveFile(common.IconListCachePath, &newCache, 0o644, sonic.Marshal)
 				if err != nil {
 					log.Warn().Err(err).Msg("failed to save icons")
 				}

internal/homepage/types/README.md

@@ -0,0 +1,13 @@
+# Types Package
+
+Configuration types for the homepage package.
+
+## Config
+
+```go
+type Config struct {
+    UseDefaultCategories bool `json:"use_default_categories"`
+}
+
+var ActiveConfig atomic.Pointer[Config]
+```

internal/idlewatcher/provider/proxmox.go

@@ -26,6 +26,10 @@ const proxmoxStateCheckInterval = 1 * time.Second
 var ErrNodeNotFound = gperr.New("node not found in pool")
 
 func NewProxmoxProvider(ctx context.Context, nodeName string, vmid int) (idlewatcher.Provider, error) {
+	if nodeName == "" || vmid == 0 {
+		return nil, gperr.New("node name and vmid are required")
+	}
+
 	node, ok := proxmox.Nodes.Get(nodeName)
 	if !ok {
 		return nil, ErrNodeNotFound.Subject(nodeName).

internal/idlewatcher/types/config.go

@@ -1 +0,0 @@
-package idlewatcher

internal/idlewatcher/watcher.go

@@ -14,11 +14,11 @@ import (
 	"github.com/yusing/ds/ordered"
 	config "github.com/yusing/godoxy/internal/config/types"
 	"github.com/yusing/godoxy/internal/docker"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
 	"github.com/yusing/godoxy/internal/health/monitor"
 	"github.com/yusing/godoxy/internal/idlewatcher/provider"
 	idlewatcher "github.com/yusing/godoxy/internal/idlewatcher/types"
 	nettypes "github.com/yusing/godoxy/internal/net/types"
-	"github.com/yusing/godoxy/internal/route/routes"
 	"github.com/yusing/godoxy/internal/types"
 	"github.com/yusing/godoxy/internal/watcher/events"
 	gperr "github.com/yusing/goutils/errs"
@@ -173,7 +173,7 @@ func NewWatcher(parent task.Parent, r types.Route, cfg *types.IdlewatcherConfig)
 		}
 
 		if !ok {
-			depRoute, ok = routes.Get(dep)
+			depRoute, ok = entrypoint.FromCtx(parent.Context()).GetRoute(dep)
 			if !ok {
 				depErrors.Addf("dependency %q not found", dep)
 				continue
@@ -612,10 +612,6 @@ func (w *Watcher) watchUntilDestroy() (returnCause error) {
 				if ready {
 					// Container is now ready, notify waiting handlers
 					w.healthTicker.Stop()
-					select {
-					case w.readyNotifyCh <- struct{}{}:
-					default: // channel full, notification already pending
-					}
 					w.resetIdleTimer()
 				}
 				// If not ready yet, keep checking on next tick

internal/jsonstore/jsonstore.go

@@ -83,7 +83,8 @@ func loadNS[T store](ns namespace) T {
 func save() error {
 	errs := gperr.NewBuilder("failed to save data stores")
 	for ns, store := range stores {
-		if err := serialization.SaveJSON(filepath.Join(storesPath, string(ns)+".json"), &store, 0o644); err != nil {
+		path := filepath.Join(storesPath, string(ns)+".json")
+		if err := serialization.SaveFile(path, &store, 0o644, sonic.Marshal); err != nil {
 			errs.Add(err)
 		}
 	}

internal/logging/accesslog/back_scanner.go

@@ -13,10 +13,9 @@ type ReaderAtSeeker interface {
 
 // BackScanner provides an interface to read a file backward line by line.
 type BackScanner struct {
-	file      ReaderAtSeeker
-	size      int64
-	chunkSize int
-	chunkBuf  []byte
+	file     ReaderAtSeeker
+	size     int64
+	chunkBuf []byte
 
 	offset int64
 	chunk  []byte
@@ -27,16 +26,25 @@ type BackScanner struct {
 // NewBackScanner creates a new Scanner to read the file backward.
 // chunkSize determines the size of each read chunk from the end of the file.
 func NewBackScanner(file ReaderAtSeeker, fileSize int64, chunkSize int) *BackScanner {
-	return newBackScanner(file, fileSize, make([]byte, chunkSize))
+	return newBackScanner(file, fileSize, sizedPool.GetSized(chunkSize))
 }
 
 func newBackScanner(file ReaderAtSeeker, fileSize int64, buf []byte) *BackScanner {
 	return &BackScanner{
-		file:      file,
-		size:      fileSize,
-		offset:    fileSize,
-		chunkSize: len(buf),
-		chunkBuf:  buf,
+		file:     file,
+		size:     fileSize,
+		offset:   fileSize,
+		chunkBuf: buf,
+	}
+}
+
+// Release releases the buffer back to the pool.
+func (s *BackScanner) Release() {
+	sizedPool.Put(s.chunkBuf)
+	s.chunkBuf = nil
+	if s.chunk != nil {
+		sizedPool.Put(s.chunk)
+		s.chunk = nil
 	}
 }
 
@@ -64,13 +72,14 @@ func (s *BackScanner) Scan() bool {
 				// No more data to read; check remaining buffer
 				if len(s.chunk) > 0 {
 					s.line = s.chunk
+					sizedPool.Put(s.chunk)
 					s.chunk = nil
 					return true
 				}
 				return false
 			}
 
-			newOffset := max(0, s.offset-int64(s.chunkSize))
+			newOffset := max(0, s.offset-int64(len(s.chunkBuf)))
 			chunkSize := s.offset - newOffset
 			chunk := s.chunkBuf[:chunkSize]
 
@@ -85,8 +94,19 @@ func (s *BackScanner) Scan() bool {
 			}
 
 			// Prepend the chunk to the buffer
-			clone := append([]byte{}, chunk[:n]...)
-			s.chunk = append(clone, s.chunk...)
+			if s.chunk == nil { // first chunk
+				s.chunk = sizedPool.GetSized(2 * len(s.chunkBuf))
+				copy(s.chunk, chunk[:n])
+				s.chunk = s.chunk[:n]
+			} else {
+				neededSize := n + len(s.chunk)
+				newChunk := sizedPool.GetSized(max(neededSize, 2*len(s.chunkBuf)))
+				copy(newChunk, chunk[:n])
+				copy(newChunk[n:], s.chunk)
+				sizedPool.Put(s.chunk)
+				s.chunk = newChunk[:neededSize]
+			}
+
 			s.offset = newOffset
 
 			// Check for newline in the updated buffer
@@ -111,12 +131,3 @@ func (s *BackScanner) Bytes() []byte {
 func (s *BackScanner) Err() error {
 	return s.err
 }
-
-func (s *BackScanner) Reset() error {
-	_, err := s.file.Seek(0, io.SeekStart)
-	if err != nil {
-		return err
-	}
-	*s = *newBackScanner(s.file, s.size, s.chunkBuf)
-	return nil
-}

internal/logging/accesslog/back_scanner_test.go

@@ -1,15 +1,17 @@
 package accesslog
 
 import (
+	"bytes"
 	"fmt"
+	"math/rand/v2"
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"strconv"
 	"strings"
 	"testing"
 
 	"github.com/spf13/afero"
-	expect "github.com/yusing/goutils/testing"
 
 	strutils "github.com/yusing/goutils/strings"
 	"github.com/yusing/goutils/task"
@@ -135,88 +137,40 @@ func TestBackScannerWithVaryingChunkSizes(t *testing.T) {
 	}
 }
 
-func logEntry() []byte {
+var logEntry = func() func() []byte {
 	accesslog := NewMockAccessLogger(task.RootTask("test", false), &RequestLoggerConfig{
 		Format: FormatJSON,
 	})
+
+	contentTypes := []string{"application/json", "text/html", "text/plain", "application/xml", "application/x-www-form-urlencoded"}
+	userAgents := []string{"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/120.0", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/120.0", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/120.0"}
+	methods := []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"}
+	paths := []string{"/", "/about", "/contact", "/login", "/logout", "/register", "/profile"}
+
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		_, _ = w.Write([]byte("hello"))
+		allocSize := rand.IntN(8192)
+		w.Header().Set("Content-Type", contentTypes[rand.IntN(len(contentTypes))])
+		w.Header().Set("Content-Length", strconv.Itoa(allocSize))
+		w.WriteHeader(http.StatusOK)
 	}))
 	srv.URL = "http://localhost:8080"
-	defer srv.Close()
-	// make a request to the server
-	req, _ := http.NewRequest(http.MethodGet, srv.URL, nil)
-	res := httptest.NewRecorder()
-	// server the request
-	srv.Config.Handler.ServeHTTP(res, req)
-	b := accesslog.(RequestFormatter).AppendRequestLog(nil, req, res.Result())
-	if b[len(b)-1] != '\n' {
-		b = append(b, '\n')
-	}
-	return b
-}
 
-func TestReset(t *testing.T) {
-	file, err := afero.TempFile(afero.NewOsFs(), "", "accesslog")
-	if err != nil {
-		t.Fatalf("failed to create temp file: %v", err)
+	return func() []byte {
+		// make a request to the server
+		req, _ := http.NewRequest(http.MethodGet, srv.URL, nil)
+		res := httptest.NewRecorder()
+		req.Header.Set("User-Agent", userAgents[rand.IntN(len(userAgents))])
+		req.Method = methods[rand.IntN(len(methods))]
+		req.URL.Path = paths[rand.IntN(len(paths))]
+		// server the request
+		srv.Config.Handler.ServeHTTP(res, req)
+		b := bytes.NewBuffer(make([]byte, 0, 1024))
+		accesslog.(RequestFormatter).AppendRequestLog(b, req, res.Result())
+		return b.Bytes()
 	}
-	defer os.Remove(file.Name())
-	line := logEntry()
-	nLines := 1000
-	for range nLines {
-		_, err := file.Write(line)
-		if err != nil {
-			t.Fatalf("failed to write to temp file: %v", err)
-		}
-	}
-	linesRead := 0
-	stat, _ := file.Stat()
-	s := NewBackScanner(file, stat.Size(), defaultChunkSize)
-	for s.Scan() {
-		linesRead++
-	}
-	if err := s.Err(); err != nil {
-		t.Errorf("scanner error: %v", err)
-	}
-	expect.Equal(t, linesRead, nLines)
-	err = s.Reset()
-	if err != nil {
-		t.Errorf("failed to reset scanner: %v", err)
-	}
-
-	linesRead = 0
-	for s.Scan() {
-		linesRead++
-	}
-	if err := s.Err(); err != nil {
-		t.Errorf("scanner error: %v", err)
-	}
-	expect.Equal(t, linesRead, nLines)
-}
+}()
 
 // 100000 log entries.
-func BenchmarkBackScanner(b *testing.B) {
-	mockFile := NewMockFile(false)
-	line := logEntry()
-	for range 100000 {
-		_, _ = mockFile.Write(line)
-	}
-	for i := range 14 {
-		chunkSize := (2 << i) * kilobyte
-		scanner := NewBackScanner(mockFile, mockFile.MustSize(), chunkSize)
-		name := strutils.FormatByteSize(chunkSize)
-		b.ResetTimer()
-		b.Run(name, func(b *testing.B) {
-			for b.Loop() {
-				_ = scanner.Reset()
-				for scanner.Scan() {
-				}
-			}
-		})
-	}
-}
-
 func BenchmarkBackScannerRealFile(b *testing.B) {
 	file, err := afero.TempFile(afero.NewOsFs(), "", "accesslog")
 	if err != nil {
@@ -224,51 +178,58 @@ func BenchmarkBackScannerRealFile(b *testing.B) {
 	}
 	defer os.Remove(file.Name())
 
-	for range 10000 {
-		_, err = file.Write(logEntry())
-		if err != nil {
-			b.Fatalf("failed to write to temp file: %v", err)
-		}
+	buf := bytes.NewBuffer(nil)
+	for range 100000 {
+		buf.Write(logEntry())
 	}
 
-	stat, _ := file.Stat()
-	scanner := NewBackScanner(file, stat.Size(), 256*kilobyte)
-	b.ResetTimer()
-	for scanner.Scan() {
+	fSize := int64(buf.Len())
+	_, err = file.Write(buf.Bytes())
+	if err != nil {
+		b.Fatalf("failed to write to file: %v", err)
 	}
-	if err := scanner.Err(); err != nil {
-		b.Errorf("scanner error: %v", err)
+
+	// file position does not matter, Seek not needed
+
+	for i := range 12 {
+		chunkSize := (2 << i) * kilobyte
+		name := strutils.FormatByteSize(chunkSize)
+		b.ResetTimer()
+		b.Run(name, func(b *testing.B) {
+			for b.Loop() {
+				scanner := NewBackScanner(file, fSize, chunkSize)
+				for scanner.Scan() {
+				}
+				scanner.Release()
+			}
+		})
 	}
 }
 
 /*
-BenchmarkBackScanner
-BenchmarkBackScanner/2_KiB
-BenchmarkBackScanner/2_KiB-20         	      52	  23254071 ns/op	67596663 B/op	   26420 allocs/op
-BenchmarkBackScanner/4_KiB
-BenchmarkBackScanner/4_KiB-20         	      55	  20961059 ns/op	62529378 B/op	   13211 allocs/op
-BenchmarkBackScanner/8_KiB
-BenchmarkBackScanner/8_KiB-20         	      64	  18242460 ns/op	62951141 B/op	    6608 allocs/op
-BenchmarkBackScanner/16_KiB
-BenchmarkBackScanner/16_KiB-20        	      52	  20162076 ns/op	62940256 B/op	    3306 allocs/op
-BenchmarkBackScanner/32_KiB
-BenchmarkBackScanner/32_KiB-20        	      54	  19247968 ns/op	67553645 B/op	    1656 allocs/op
-BenchmarkBackScanner/64_KiB
-BenchmarkBackScanner/64_KiB-20        	      60	  20909046 ns/op	64053342 B/op	     827 allocs/op
-BenchmarkBackScanner/128_KiB
-BenchmarkBackScanner/128_KiB-20       	      68	  17759890 ns/op	62201945 B/op	     414 allocs/op
-BenchmarkBackScanner/256_KiB
-BenchmarkBackScanner/256_KiB-20       	      52	  19531877 ns/op	61030487 B/op	     208 allocs/op
-BenchmarkBackScanner/512_KiB
-BenchmarkBackScanner/512_KiB-20       	      54	  19124656 ns/op	61030485 B/op	     208 allocs/op
-BenchmarkBackScanner/1_MiB
-BenchmarkBackScanner/1_MiB-20         	      67	  17078936 ns/op	61030495 B/op	     208 allocs/op
-BenchmarkBackScanner/2_MiB
-BenchmarkBackScanner/2_MiB-20         	      66	  18467421 ns/op	61030492 B/op	     208 allocs/op
-BenchmarkBackScanner/4_MiB
-BenchmarkBackScanner/4_MiB-20         	      68	  17214573 ns/op	61030486 B/op	     208 allocs/op
-BenchmarkBackScanner/8_MiB
-BenchmarkBackScanner/8_MiB-20         	      57	  18235229 ns/op	61030492 B/op	     208 allocs/op
-BenchmarkBackScanner/16_MiB
-BenchmarkBackScanner/16_MiB-20        	      57	  19343441 ns/op	61030499 B/op	     208 allocs/op
+BenchmarkBackScannerRealFile
+BenchmarkBackScannerRealFile/2_KiB
+BenchmarkBackScannerRealFile/2_KiB-10                 21          51796773 ns/op             619 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/4_KiB
+BenchmarkBackScannerRealFile/4_KiB-10                 36          32081281 ns/op             699 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/8_KiB
+BenchmarkBackScannerRealFile/8_KiB-10                 57          22155619 ns/op             847 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/16_KiB
+BenchmarkBackScannerRealFile/16_KiB-10                62          21323125 ns/op            1449 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/32_KiB
+BenchmarkBackScannerRealFile/32_KiB-10                63          17534883 ns/op            2729 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/64_KiB
+BenchmarkBackScannerRealFile/64_KiB-10                73          17877029 ns/op            4617 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/128_KiB
+BenchmarkBackScannerRealFile/128_KiB-10               75          17797267 ns/op            8866 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/256_KiB
+BenchmarkBackScannerRealFile/256_KiB-10               67          16732108 ns/op           19691 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/512_KiB
+BenchmarkBackScannerRealFile/512_KiB-10               70          17121683 ns/op           37577 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/1_MiB
+BenchmarkBackScannerRealFile/1_MiB-10                 51          19615791 ns/op          102930 B/op          1 allocs/op
+BenchmarkBackScannerRealFile/2_MiB
+BenchmarkBackScannerRealFile/2_MiB-10                 26          41744928 ns/op        77595287 B/op         57 allocs/op
+BenchmarkBackScannerRealFile/4_MiB
+BenchmarkBackScannerRealFile/4_MiB-10                 22          48081521 ns/op        79692224 B/op         49 allocs/op
 */

internal/logging/accesslog/config.go

@@ -1,6 +1,7 @@
 package accesslog
 
 import (
+	"net/http"
 	"time"
 
 	"github.com/yusing/godoxy/internal/serialization"
@@ -9,16 +10,15 @@ import (
 
 type (
 	ConfigBase struct {
-		B              int           `json:"buffer_size"` // Deprecated: buffer size is adjusted dynamically
-		Path           string        `json:"path"`
+		Path           string        `json:"path,omitempty"`
 		Stdout         bool          `json:"stdout"`
 		Retention      *Retention    `json:"retention" aliases:"keep"`
 		RotateInterval time.Duration `json:"rotate_interval,omitempty" swaggertype:"primitive,integer"`
-	}
+	} // @name AccessLoggerConfigBase
 	ACLLoggerConfig struct {
 		ConfigBase
 		LogAllowed bool `json:"log_allowed"`
-	}
+	} // @name ACLLoggerConfig
 	RequestLoggerConfig struct {
 		ConfigBase
 		Format  Format  `json:"format" validate:"oneof=common combined json"`
@@ -32,21 +32,21 @@ type (
 	}
 	AnyConfig interface {
 		ToConfig() *Config
-		Writers() ([]Writer, error)
+		Writers() ([]File, error)
 	}
 
 	Format  string
 	Filters struct {
-		StatusCodes LogFilter[*StatusCodeRange] `json:"status_codes"`
-		Method      LogFilter[HTTPMethod]       `json:"method"`
-		Host        LogFilter[Host]             `json:"host"`
-		Headers     LogFilter[*HTTPHeader]      `json:"headers"` // header exists or header == value
-		CIDR        LogFilter[*CIDR]            `json:"cidr"`
+		StatusCodes LogFilter[*StatusCodeRange] `json:"status_codes,omitzero"`
+		Method      LogFilter[HTTPMethod]       `json:"method,omitzero"`
+		Host        LogFilter[Host]             `json:"host,omitzero"`
+		Headers     LogFilter[*HTTPHeader]      `json:"headers,omitzero"` // header exists or header == value
+		CIDR        LogFilter[*CIDR]            `json:"cidr,omitzero"`
 	}
 	Fields struct {
-		Headers FieldConfig `json:"headers" aliases:"header"`
-		Query   FieldConfig `json:"query" aliases:"queries"`
-		Cookies FieldConfig `json:"cookies" aliases:"cookie"`
+		Headers FieldConfig `json:"headers,omitzero" aliases:"header"`
+		Query   FieldConfig `json:"query,omitzero" aliases:"queries"`
+		Cookies FieldConfig `json:"cookies,omitzero" aliases:"cookie"`
 	}
 )
 
@@ -66,17 +66,17 @@ func (cfg *ConfigBase) Validate() gperr.Error {
 }
 
 // Writers returns a list of writers for the config.
-func (cfg *ConfigBase) Writers() ([]Writer, error) {
-	writers := make([]Writer, 0, 2)
+func (cfg *ConfigBase) Writers() ([]File, error) {
+	writers := make([]File, 0, 2)
 	if cfg.Path != "" {
-		io, err := NewFileIO(cfg.Path)
+		f, err := OpenFile(cfg.Path)
 		if err != nil {
 			return nil, err
 		}
-		writers = append(writers, io)
+		writers = append(writers, f)
 	}
 	if cfg.Stdout {
-		writers = append(writers, NewStdout())
+		writers = append(writers, stdout)
 	}
 	return writers, nil
 }
@@ -95,6 +95,16 @@ func (cfg *RequestLoggerConfig) ToConfig() *Config {
 	}
 }
 
+func (cfg *Config) ShouldLogRequest(req *http.Request, res *http.Response) bool {
+	if cfg.req == nil {
+		return true
+	}
+	return cfg.req.Filters.StatusCodes.CheckKeep(req, res) &&
+		cfg.req.Filters.Method.CheckKeep(req, res) &&
+		cfg.req.Filters.Headers.CheckKeep(req, res) &&
+		cfg.req.Filters.CIDR.CheckKeep(req, res)
+}
+
 func DefaultRequestLoggerConfig() *RequestLoggerConfig {
 	return &RequestLoggerConfig{
 		ConfigBase: ConfigBase{