docs: update README and config example for v0.11.0

chore(idlesleep): increase wake/sleep timeout to 3 minutes
chore: change ACL iso field to country
2026-01-15 23:03:50 +01:00 · 2025-04-25 14:24:28 +08:00 · 2025-04-25 13:36:04 +08:00 · 2025-04-25 13:25:45 +08:00 · 2025-04-25 12:32:02 +08:00 · 2025-04-25 11:26:24 +08:00
239 changed files with 12639 additions and 4784 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,23 +1,26 @@
 # set timezone to get correct log timestamp
 TZ=ETC/UTC

+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
 # API/WebUI user password login credentials (optional)
 # These fields are not required for OIDC authentication
 GODOXY_API_USER=admin
 GODOXY_API_PASSWORD=password
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-# the JWT token time-to-live
-GODOXY_API_JWT_TOKEN_TTL=1h

 # OIDC Configuration (optional)
 # Uncomment and configure these values to enable OIDC authentication.
+# For `GODOXY_OIDC_SCOPES` you may also include `offline_access` if your Idp supports it (e.g. Authentik)
+#
 # GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
 # GODOXY_OIDC_CLIENT_ID=your-client-id
 # GODOXY_OIDC_CLIENT_SECRET=your-client-secret
-# Keep /api/auth/callback as the redirect URL, change the domain to match your setup.
-# GODOXY_OIDC_REDIRECT_URL=https://your-domain/api/auth/callback
-# Comma-separated list of scopes
 # GODOXY_OIDC_SCOPES=openid, profile, email
 #
 # User definitions: Uncomment and configure these values to restrict access to specific users or groups.
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ error_pages/
 !examples/error_pages/
 profiles/
 data/
+debug/

 logs/
 log/
@@ -28,6 +29,8 @@ todo.md
 .aider*
 mtrace.json
 .env
+.cursorrules
+.windsurfrules
 test.Dockerfile

 node_modules/
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.24.1-alpine AS deps
+FROM golang:1.24.2-alpine AS deps
 HEALTHCHECK NONE

 # package version does not matter
--- a/67
+++ b/67
@@ -27,18 +27,16 @@ endif
 ifeq ($(debug), 1)
 	CGO_ENABLED = 0
 	GODOXY_DEBUG = 1
-	BUILD_FLAGS += -gcflags=all='-N -l'
-endif
-
-ifeq ($(pprof), 1)
+	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug
+else ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
-	BUILD_FLAGS = -tags pprof
+	BUILD_FLAGS += -tags pprof
 	VERSION := ${VERSION}-pprof
 else
 	CGO_ENABLED = 0
 	LDFLAGS += -s -w
-	BUILD_FLAGS = -pgo=auto -tags production
+	BUILD_FLAGS += -pgo=auto -tags production
 endif

 BUILD_FLAGS += -ldflags='$(LDFLAGS)'
@@ -52,6 +50,14 @@ export GODEBUG
 export GORACE
 export BUILD_FLAGS

+ifeq ($(shell id -u), 0)
+	SETCAP_CMD = setcap
+else
+	SETCAP_CMD = sudo setcap
+endif
+
+.PHONY: debug
+
 test:
 	GODOXY_TEST=1 go test ./internal/...

@@ -61,14 +67,17 @@ get:
 build:
 	mkdir -p bin
 	go build ${BUILD_FLAGS} -o bin/${NAME} ${CMD_PATH}
-	if [ $(shell id -u) -eq 0 ]; \
-		then setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
-		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
-	fi
+
+	# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+	$(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep bin/${NAME}

 run:
 	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}

+debug:
+	make NAME="godoxy-test" debug=1 build
+	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
+
 mtrace:
 	bin/godoxy debug-ls-mtrace > mtrace.json

@@ -90,43 +99,5 @@ cloc:
 link-binary:
 	ln -s /app/${NAME} bin/run

-# To generate schema
-# comment out this part from typescript-json-schema.js#L884
-#
-#	if (indexType.flags !== ts.TypeFlags.Number && !isIndexedObject) {
-#			throw new Error("Not supported: IndexSignatureDeclaration with index symbol other than a number or a string");
-#	}
-
-gen-schema-single:
-	bun --bun run typescript-json-schema --noExtraProps --required --skipLibCheck --tsNodeRegister=true -o schemas/${OUT} schemas/${IN} ${CLASS}
-	# minify
-	python3 -c "import json; f=open('schemas/${OUT}', 'r'); j=json.load(f); f.close(); f=open('schemas/${OUT}', 'w'); json.dump(j, f, separators=(',', ':'));"
-
-gen-schema:
-	cd schemas && bun --bun tsc
-	make IN=config/config.ts \
-			CLASS=Config \
-			OUT=config.schema.json \
-			gen-schema-single
-	make IN=providers/routes.ts \
-			CLASS=Routes \
-			OUT=routes.schema.json \
-			gen-schema-single
-	make IN=middlewares/middleware_compose.ts \
-			CLASS=MiddlewareCompose \
-			OUT=middleware_compose.schema.json \
-			gen-schema-single
-	make IN=docker.ts \
-			CLASS=DockerRoutes \
-			OUT=docker_routes.schema.json \
-			gen-schema-single
-	cd ..
-
-publish-schema:
-	cd schemas && bun publish && cd ..
-
-update-schema-generator:
-	pnpm up -g typescript-json-schema
-
 push-github:
 	git push origin $(shell git rev-parse --abbrev-ref HEAD)
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fgodoxy.demo.6uo.me&label=Demo&link=https%3A%2F%2Fgodoxy.demo.6uo.me)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

 A lightweight, simple, and [performant](https://github.com/yusing/godoxy/wiki/Benchmarks) reverse proxy with WebUI.
@@ -13,10 +14,6 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki

 **EN** | <a href="README_CHT.md">中文</a>

-<!-- [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy) -->
-
 <img src="screenshots/webui.jpg" style="max-width: 650">

 </div>
@@ -27,10 +24,11 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki

 - [GoDoxy](#godoxy)
  - [Table of content](#table-of-content)
+  - [Running demo](#running-demo)
  - [Key Features](#key-features)
  - [Prerequisites](#prerequisites)
-  - [How does GoDoxy work](#how-does-godoxy-work)
  - [Setup](#setup)
+  - [How does GoDoxy work](#how-does-godoxy-work)
  - [Screenshots](#screenshots)
    - [idlesleeper](#idlesleeper)
    - [Metrics and Logs](#metrics-and-logs)
@@ -38,32 +36,71 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
    - [Folder structrue](#folder-structrue)
  - [Build it yourself](#build-it-yourself)

+## Running demo
+
+<https://godoxy.demo.6uo.me>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+
 ## Key Features

- Easy to use
-  - Effortless configuration
-  - Simple multi-node setup with GoDoxy agents or Docker Socket Proxies
-  - Error messages is clear and detailed, easy troubleshooting
- Auto SSL with Let's Encrypt (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
- Auto hot-reload on container state / config file changes
- Container aware: create routes dynamically from running docker containers
- **idlesleeper**: stop and wake containers based on traffic _(optional, see [screenshots](#idlesleeper))_
- HTTP reserve proxy and TCP/UDP port forwarding
- OpenID Connect integration: SSO and secure your apps easily
- [HTTP middleware](https://github.com/yusing/go-proxy/wiki/Middlewares) and [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
- **Web UI with App dashboard, config editor, _uptime and system metrics_, _docker logs viewer_**
- Supports linux/amd64 and linux/arm64
- Written in **[Go](https://go.dev)**
-
-[🔼Back to top](#table-of-content)
+- **Simple**
+  - Effortless configuration with [simple labels](https://github.com/yusing/godoxy/wiki/Docker-labels-and-Route-Files) or WebUI
+  - [Simple multi-node setup](https://github.com/yusing/godoxy/wiki/Configurations#multi-docker-nodes-setup)
+  - Detailed error messages for easy troubleshooting.
+- **ACL**: connection / request level access control
+  - IP/CIDR
+  - Country **(Maxmind account required)**
+  - Timezone **(Maxmind account required)**
+  - **Access logging**
+- **Advanced Automation**
+  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
+  - Auto-configuration for Docker containers
+  - Hot-reloading of configurations and container state changes
+- **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
+  - Docker containers
+  - Proxmox LXCs
+- **Traffic Management**
+  - HTTP reserve proxy
+  - TCP/UDP port forwarding
+  - **OpenID Connect support**: SSO and secure your apps easily
+- **Customization**
+  - [HTTP middlewares](https://github.com/yusing/go-proxy/wiki/Middlewares)
+  - [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+- **Web UI**
+  - App Dashboard
+  - Config Editor
+  - Uptime and System Metrics
+  - Docker Logs Viewer
+- **Cross-Platform support**
+  - Supports **linux/amd64** and **linux/arm64**
+- **Efficient and Performant**
+  - Written in **[Go](https://go.dev)**

 ## Prerequisites

-Setup Wildcard DNS Record(s) for machine running `GoDoxy`, e.g.
+Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.

 - A Record: `*.domain.com` -> `10.0.10.1`
 - AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`

+## Setup
+
+> [!NOTE]
+> GoDoxy is designed to be running in `host` network mode, do not change it.
+>
+> To change listening ports, modify `.env`.
+
+1. Prepare a new directory for docker compose and config files.
+
+2. Run setup script inside the directory, or [set up manually](#manual-setup)
+
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```
+
+3. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
+
 ## How does GoDoxy work

 1. List all the containers
@@ -71,27 +108,10 @@ Setup Wildcard DNS Record(s) for machine running `GoDoxy`, e.g.
 3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
 4. Watch for container / config changes and update automatically

-GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
-
-For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
-
-## Setup
-
-**NOTE:** GoDoxy is designed to be (and only works when) running in `host` network mode, do not change it. To change listening ports, modify `.env`.
-
-1. Prepare a new directory for docker compose and config files.
-
-2. Run setup script inside the directory, or [set up manually](#manual-setup)
-
-    ```shell
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
-    ```
-
-3. Start the container `docker compose up -d` and wait for it to be ready
-
-4. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
-
-[🔼Back to top](#table-of-content)
+> [!NOTE]
+> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
+>
+> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.

 ## Screenshots

@@ -124,8 +144,6 @@ For example, with the label `proxy.aliases: qbt` you can access your app via `qb
  </table>
 </div>

-[🔼Back to top](#table-of-content)
-
 ## Manual Setup

 1. Make `config` directory then grab `config.example.yml` into `config/config.yml`
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -5,16 +5,13 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fgodoxy.demo.6uo.me&label=Demo&link=https%3A%2F%2Fgodoxy.demo.6uo.me)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

 輕量、易用、 [高效能](https://github.com/yusing/godoxy/wiki/Benchmarks)，且帶有主頁和配置面板的反向代理

 完整文檔請查閱 **[Wiki](https://github.com/yusing/godoxy/wiki)**（暫未有中文翻譯）

-<!-- [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy) -->
-
 <a href="README.md">EN</a> | **中文**

 <img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
@@ -27,6 +24,7 @@

 - [GoDoxy](#godoxy)
  - [目錄](#目錄)
+  - [運行示例](#運行示例)
  - [主要特點](#主要特點)
  - [前置需求](#前置需求)
  - [安裝](#安裝)
@@ -37,6 +35,12 @@
    - [監控](#監控)
  - [自行編譯](#自行編譯)

+## 運行示例
+
+<https://godoxy.demo.6uo.me>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+
 ## 主要特點

 - 容易使用
@@ -65,7 +69,10 @@

 ## 安裝

-**注意：** GoDoxy 設計為（且僅在）`host` 網路模式下運作，請勿更改。如需更改監聽埠，請修改 `.env`。
+> [!NOTE]
+> GoDoxy 僅在 `host` 網路模式下運作，請勿更改。
+>
+> 如需更改監聽埠，請修改 `.env`。

 1. 準備一個新目錄用於 docker compose 和配置文件。

@@ -75,9 +82,7 @@
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
    ```

-3. 啟動容器 `docker compose up -d` 並等待就緒
-
-4. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置
+3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置

 [🔼回到頂部](#目錄)

--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -1,6 +1,7 @@
 package agent

 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
@@ -18,7 +19,6 @@ import (
 	"github.com/yusing/go-proxy/internal/net/types"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
-	"golang.org/x/net/context"
 )

 type AgentConfig struct {
--- a/agent/pkg/agent/requests.go
+++ b/agent/pkg/agent/requests.go
@@ -1,11 +1,11 @@
 package agent

 import (
+	"context"
 	"io"
 	"net/http"

 	"github.com/coder/websocket"
-	"golang.org/x/net/context"
 )

 func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@@ -8,7 +8,6 @@ import (
 	"strings"

 	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/types"
 	"github.com/yusing/go-proxy/internal/watcher/health"
 	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
 )
@@ -44,11 +43,11 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
 			return
 		}
-		result, err = monitor.NewHTTPHealthChecker(types.NewURL(&url.URL{
+		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
 			Scheme: scheme,
 			Host:   host,
 			Path:   path,
-		}), defaultHealthConfig).CheckHealth()
+		}, defaultHealthConfig).CheckHealth()
 	case "tcp", "udp":
 		host := query.Get("host")
 		if host == "" {
@@ -63,10 +62,10 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
 			return
 		}
-		result, err = monitor.NewRawHealthChecker(types.NewURL(&url.URL{
+		result, err = monitor.NewRawHealthMonitor(&url.URL{
 			Scheme: scheme,
 			Host:   host,
-		}), defaultHealthConfig).CheckHealth()
+		}, defaultHealthConfig).CheckHealth()
 	}

 	if err != nil {
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -13,13 +13,12 @@ import (
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
 	"github.com/yusing/go-proxy/internal/net/types"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

 func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
 	host := r.Header.Get(agentproxy.HeaderXProxyHost)
-	isHTTPS := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
-	skipTLSVerify := strutils.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
+	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
+	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
 	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
 	if err != nil {
 		responseHeaderTimeout = 0
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -40,5 +40,5 @@ func StartAgentServer(parent task.Parent, opt Options) {
 		TLSConfig: tlsConfig,
 	}

-	server.Start(parent, agentServer, logger)
+	server.Start(parent, agentServer, nil, logger)
 }
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -7,19 +7,17 @@ import (
 	"sync"

 	"github.com/yusing/go-proxy/internal"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
-	"github.com/yusing/go-proxy/internal/api/v1/favicon"
 	"github.com/yusing/go-proxy/internal/api/v1/query"
+	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/internal/metrics/uptime"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/route/routes"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
 )
@@ -80,8 +78,6 @@ func main() {
 		logging.Trace().Msg("trace enabled")
 		parallel(
 			internal.InitIconListCache,
-			homepage.InitOverridesConfig,
-			favicon.InitIconCache,
 			systeminfo.Poller.Start,
 		)

@@ -121,7 +117,7 @@ func main() {
 	switch args.Command {
 	case common.CommandListRoutes:
 		cfg.StartProxyProviders()
-		printJSON(routequery.RoutesByAlias())
+		printJSON(routes.ByAlias())
 		return
 	case common.CommandListConfigs:
 		printJSON(cfg.Value())
--- a/cmd/pprof_production.go
+++ b/cmd/pprof_production.go
@@ -1,4 +1,4 @@
-//go:build production
+//go:build !pprof

 package main

--- a/config.example.yml
+++ b/config.example.yml
@@ -17,6 +17,25 @@

 # 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers

+# acl:
+#   default: allow # or deny (default: allow)
+#   allow_local: true # or false (default: true)
+#   allow:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   deny:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
+#     buffer_size: 65536 # (default: 64KB)
+#     path: /app/logs/acl.log # (default: none)
+#     stdout: false # (default: false)
+#     keep: last 10 # (default: none)
+
 entrypoint:
  # Below define an example of middleware config
  # 1. block non local IP connections
@@ -73,6 +92,14 @@ providers:
  #     url: https://discord.com/api/webhooks/...
  #     template: discord # this means use payload template from internal/notif/templates/discord.json

+  # Proxmox providers (for idlesleep support for proxmox LXCs)
+  #
+  # proxmox:
+  #   - url: https://pve.domain.com:8006/api2/json
+  #     token_id: root@pam!abcdef
+  #     secret: aaaa-bbbb-cccc-dddd
+  #     no_tls_verify: true
+
 # Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
 # for explaination of `match_domains`
 #
--- a/go.mod
+++ b/go.mod
@@ -1,96 +1,248 @@
 module github.com/yusing/go-proxy

-go 1.24.1
+go 1.24.2

 require (
-	github.com/PuerkitoBio/goquery v1.10.2 // parsing HTML for extract fav icon
+	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
 	github.com/coder/websocket v1.8.13 // websocket for API and agent
-	github.com/coreos/go-oidc/v3 v3.13.0 // oidc authentication
-	github.com/docker/docker v28.0.4+incompatible // docker daemon
-	github.com/fsnotify/fsnotify v1.8.0 // file watcher
-	github.com/go-acme/lego/v4 v4.22.2 // acme client
-	github.com/go-playground/validator/v10 v10.25.0 // validator
+	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
+	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/fsnotify/fsnotify v1.9.0 // file watcher
+	github.com/go-acme/lego/v4 v4.23.1 // acme client
+	github.com/go-playground/validator/v10 v10.26.0 // validator
 	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
-	github.com/golang-jwt/jwt/v5 v5.2.2 // jwt for default auth
 	github.com/gotify/server/v2 v2.6.1 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/prometheus/client_golang v1.21.1 // metrics
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
-	github.com/shirou/gopsutil/v4 v4.25.2 // system info metrics
+	github.com/shirou/gopsutil/v4 v4.25.3 // system info metrics
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-	golang.org/x/crypto v0.36.0 // encrypting password with bcrypt
-	golang.org/x/net v0.38.0 // HTTP header utilities
-	golang.org/x/oauth2 v0.28.0 // oauth2 authentication
-	golang.org/x/text v0.23.0 // string utilities
+	golang.org/x/crypto v0.37.0 // encrypting password with bcrypt
+	golang.org/x/net v0.39.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.29.0 // oauth2 authentication
+	golang.org/x/text v0.24.0 // string utilities
 	golang.org/x/time v0.11.0 // time utilities
-	gopkg.in/yaml.v3 v3.0.1 // yaml parsing for different config files
+	gopkg.in/yaml.v3 v3.0.1 // indirect; yaml parsing for different config files
 )

+replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
+
 require (
-	github.com/docker/cli v28.0.4+incompatible
-	github.com/docker/go-connections v0.5.0
+	github.com/bytedance/sonic v1.13.2
+	github.com/docker/cli v28.1.1+incompatible
+	github.com/goccy/go-yaml v1.17.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/luthermonson/go-proxmox v0.2.2
+	github.com/oschwald/maxminddb-golang v1.13.1
+	github.com/quic-go/quic-go v0.51.0
+	github.com/samber/slog-zerolog/v2 v2.7.3
+	github.com/spf13/afero v1.14.0
 	github.com/stretchr/testify v1.10.0
+	go.uber.org/atomic v1.11.0
 )

+replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e
+
 require (
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.106 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.224 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/bytedance/sonic/loader v0.2.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/civo/civogo v0.3.98 // indirect
 	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.14 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gophercloud/gophercloud v1.14.1 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.146 // indirect
+	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.9.0 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
+	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/linode/linodego v1.49.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.64 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
+	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
+	github.com/nrdcg/desec v0.11.0 // indirect
+	github.com/nrdcg/freemyip v0.3.0 // indirect
+	github.com/nrdcg/goacmedns v0.2.0 // indirect
+	github.com/nrdcg/goinwx v0.11.0 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/namesilo v0.2.1 // indirect
+	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/nzdjb/go-metaname v1.0.0 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.89.2 // indirect
 	github.com/ovh/go-ovh v1.7.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/peterhellberg/link v1.2.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.16.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.9 // indirect
+	github.com/sacloud/iaas-api-go v1.14.0 // indirect
+	github.com/sacloud/packages-go v0.0.11 // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/samber/lo v1.49.1 // indirect
+	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
+	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
+	github.com/softlayer/softlayer-go v1.1.7 // indirect
+	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1150 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/transip/gotransip/v6 v6.26.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
+	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.205 // indirect
+	github.com/vultr/govultr/v3 v3.19.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver v1.17.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
 	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.1 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
+	golang.org/x/arch v0.16.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/api v0.230.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/grpc v1.72.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.33.0 // indirect
+	k8s.io/apimachinery v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/acl/city_cache.go
+++ b/internal/acl/city_cache.go
@@ -0,0 +1,39 @@
+package acl
+
+import (
+	"github.com/puzpuzpuz/xsync/v3"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"go.uber.org/atomic"
+)
+
+var cityCache = xsync.NewMapOf[string, *acl.City]()
+var numCachedLookup atomic.Uint64
+
+func (cfg *MaxMindConfig) lookupCity(ip *acl.IPInfo) (*acl.City, bool) {
+	if ip.City != nil {
+		return ip.City, true
+	}
+
+	if cfg.db.Reader == nil {
+		return nil, false
+	}
+
+	city, ok := cityCache.Load(ip.Str)
+	if ok {
+		numCachedLookup.Inc()
+		return city, true
+	}
+
+	cfg.db.RLock()
+	defer cfg.db.RUnlock()
+
+	city = new(acl.City)
+	err := cfg.db.Lookup(ip.IP, city)
+	if err != nil {
+		return nil, false
+	}
+
+	cityCache.Store(ip.Str, city)
+	ip.City = city
+	return city, true
+}
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -0,0 +1,215 @@
+package acl
+
+import (
+	"net"
+	"sync"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/puzpuzpuz/xsync/v3"
+	"github.com/rs/zerolog"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Config struct {
+	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
+	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
+	Allow      []string                   `json:"allow"`
+	Deny       []string                   `json:"deny"`
+	Log        *accesslog.ACLLoggerConfig `json:"log"`
+
+	MaxMind *MaxMindConfig `json:"maxmind" validate:"omitempty"`
+
+	config
+}
+
+type (
+	MaxMindDatabaseType string
+	MaxMindConfig       struct {
+		AccountID  string              `json:"account_id" validate:"required"`
+		LicenseKey string              `json:"license_key" validate:"required"`
+		Database   MaxMindDatabaseType `json:"database" validate:"required,oneof=geolite geoip2"`
+
+		logger     zerolog.Logger
+		lastUpdate time.Time
+		db         struct {
+			*maxminddb.Reader
+			sync.RWMutex
+		}
+	}
+)
+
+type config struct {
+	defaultAllow bool
+	allowLocal   bool
+	allow        []matcher
+	deny         []matcher
+	ipCache      *xsync.MapOf[string, *checkCache]
+	logAllowed   bool
+	logger       *accesslog.AccessLogger
+}
+
+type checkCache struct {
+	*acl.IPInfo
+	allow   bool
+	created time.Time
+}
+
+const cacheTTL = 1 * time.Minute
+
+func (c *checkCache) Expired() bool {
+	return c.created.Add(cacheTTL).After(utils.TimeNow())
+}
+
+//TODO: add stats
+
+const (
+	ACLAllow = "allow"
+	ACLDeny  = "deny"
+)
+
+const (
+	MaxMindGeoLite MaxMindDatabaseType = "geolite"
+	MaxMindGeoIP2  MaxMindDatabaseType = "geoip2"
+)
+
+func (c *Config) Validate() gperr.Error {
+	switch c.Default {
+	case "", ACLAllow:
+		c.defaultAllow = true
+	case ACLDeny:
+		c.defaultAllow = false
+	default:
+		return gperr.New("invalid default value").Subject(c.Default)
+	}
+
+	if c.AllowLocal != nil {
+		c.allowLocal = *c.AllowLocal
+	} else {
+		c.allowLocal = true
+	}
+
+	if c.MaxMind != nil {
+		c.MaxMind.logger = logging.With().Str("type", string(c.MaxMind.Database)).Logger()
+	}
+
+	if c.Log != nil {
+		c.logAllowed = c.Log.LogAllowed
+	}
+
+	errs := gperr.NewBuilder("syntax error")
+	c.allow = make([]matcher, 0, len(c.Allow))
+	c.deny = make([]matcher, 0, len(c.Deny))
+
+	for _, s := range c.Allow {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.allow = append(c.allow, m)
+	}
+	for _, s := range c.Deny {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.deny = append(c.deny, m)
+	}
+
+	if errs.HasError() {
+		c.allow = nil
+		c.deny = nil
+		return errMatcherFormat.With(errs.Error())
+	}
+
+	c.ipCache = xsync.NewMapOf[string, *checkCache]()
+	return nil
+}
+
+func (c *Config) Valid() bool {
+	return c != nil && (len(c.allow) > 0 || len(c.deny) > 0 || c.allowLocal)
+}
+
+func (c *Config) Start(parent *task.Task) gperr.Error {
+	if c.MaxMind != nil {
+		if err := c.MaxMind.LoadMaxMindDB(parent); err != nil {
+			return err
+		}
+	}
+	if c.Log != nil {
+		logger, err := accesslog.NewAccessLogger(parent, c.Log)
+		if err != nil {
+			return gperr.New("failed to start access logger").With(err)
+		}
+		c.logger = logger
+	}
+	return nil
+}
+
+func (c *config) cacheRecord(info *acl.IPInfo, allow bool) {
+	c.ipCache.Store(info.Str, &checkCache{
+		IPInfo:  info,
+		allow:   allow,
+		created: utils.TimeNow(),
+	})
+}
+
+func (c *config) log(info *acl.IPInfo, allowed bool) {
+	if c.logger == nil {
+		return
+	}
+	if !allowed || c.logAllowed {
+		c.logger.LogACL(info, !allowed)
+	}
+}
+
+func (c *Config) IPAllowed(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// always allow private and loopback
+	// loopback is not logged
+	if ip.IsLoopback() {
+		return true
+	}
+
+	if c.allowLocal && ip.IsPrivate() {
+		c.log(&acl.IPInfo{IP: ip, Str: ip.String()}, true)
+		return true
+	}
+
+	ipStr := ip.String()
+	record, ok := c.ipCache.Load(ipStr)
+	if ok && !record.Expired() {
+		c.log(record.IPInfo, record.allow)
+		return record.allow
+	}
+
+	ipAndStr := &acl.IPInfo{IP: ip, Str: ipStr}
+	for _, m := range c.allow {
+		if m(ipAndStr) {
+			c.log(ipAndStr, true)
+			c.cacheRecord(ipAndStr, true)
+			return true
+		}
+	}
+	for _, m := range c.deny {
+		if m(ipAndStr) {
+			c.log(ipAndStr, false)
+			c.cacheRecord(ipAndStr, false)
+			return false
+		}
+	}
+
+	c.log(ipAndStr, c.defaultAllow)
+	c.cacheRecord(ipAndStr, c.defaultAllow)
+	return c.defaultAllow
+}
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@@ -0,0 +1,99 @@
+package acl
+
+import (
+	"net"
+	"strings"
+
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type matcher func(*acl.IPInfo) bool
+
+const (
+	MatcherTypeIP       = "ip"
+	MatcherTypeCIDR     = "cidr"
+	MatcherTypeTimeZone = "tz"
+	MatcherTypeCountry  = "country"
+)
+
+var errMatcherFormat = gperr.Multiline().AddLines(
+	"invalid matcher format, expect {type}:{value}",
+	"Available types: ip|cidr|tz|country",
+	"ip:127.0.0.1",
+	"cidr:127.0.0.0/8",
+	"tz:Asia/Shanghai",
+	"country:GB",
+)
+var (
+	errSyntax               = gperr.New("syntax error")
+	errInvalidIP            = gperr.New("invalid IP")
+	errInvalidCIDR          = gperr.New("invalid CIDR")
+	errMaxMindNotConfigured = gperr.New("MaxMind not configured")
+)
+
+func (cfg *Config) parseMatcher(s string) (matcher, gperr.Error) {
+	parts := strings.Split(s, ":")
+	if len(parts) != 2 {
+		return nil, errSyntax
+	}
+
+	switch parts[0] {
+	case MatcherTypeIP:
+		ip := net.ParseIP(parts[1])
+		if ip == nil {
+			return nil, errInvalidIP
+		}
+		return matchIP(ip), nil
+	case MatcherTypeCIDR:
+		_, net, err := net.ParseCIDR(parts[1])
+		if err != nil {
+			return nil, errInvalidCIDR
+		}
+		return matchCIDR(net), nil
+	case MatcherTypeTimeZone:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchTimeZone(parts[1]), nil
+	case MatcherTypeCountry:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchISOCode(parts[1]), nil
+	default:
+		return nil, errSyntax
+	}
+}
+
+func matchIP(ip net.IP) matcher {
+	return func(ip2 *acl.IPInfo) bool {
+		return ip.Equal(ip2.IP)
+	}
+}
+
+func matchCIDR(n *net.IPNet) matcher {
+	return func(ip *acl.IPInfo) bool {
+		return n.Contains(ip.IP)
+	}
+}
+
+func (cfg *MaxMindConfig) matchTimeZone(tz string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Location.TimeZone == tz
+	}
+}
+
+func (cfg *MaxMindConfig) matchISOCode(iso string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Country.IsoCode == iso
+	}
+}
--- a/internal/acl/maxmind.go
+++ b/internal/acl/maxmind.go
@@ -0,0 +1,281 @@
+package acl
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+var (
+	updateInterval = 24 * time.Hour
+	httpClient     = &http.Client{
+		Timeout: 10 * time.Second,
+	}
+	ErrResponseNotOK   = gperr.New("response not OK")
+	ErrDownloadFailure = gperr.New("download failure")
+)
+
+func dbPathImpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return filepath.Join(dataDir, "GeoLite2-City.mmdb")
+	}
+	return filepath.Join(dataDir, "GeoIP2-City.mmdb")
+}
+
+func dbURLimpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
+	}
+	return "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"
+}
+
+func dbFilename(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "GeoLite2-City.mmdb"
+	}
+	return "GeoIP2-City.mmdb"
+}
+
+func (cfg *MaxMindConfig) LoadMaxMindDB(parent task.Parent) gperr.Error {
+	if cfg.Database == "" {
+		return nil
+	}
+
+	path := dbPath(cfg.Database)
+	reader, err := maxmindDBOpen(path)
+	exists := true
+	if err != nil {
+		switch {
+		case errors.Is(err, os.ErrNotExist):
+		default:
+			// ignore invalid error, just download it again
+			var invalidErr maxminddb.InvalidDatabaseError
+			if !errors.As(err, &invalidErr) {
+				return gperr.Wrap(err)
+			}
+		}
+		exists = false
+	}
+
+	if !exists {
+		cfg.logger.Info().Msg("MaxMind DB not found/invalid, downloading...")
+		reader, err = cfg.download()
+		if err != nil {
+			return ErrDownloadFailure.With(err)
+		}
+	}
+	cfg.logger.Info().Msg("MaxMind DB loaded")
+
+	cfg.db.Reader = reader
+	go cfg.scheduleUpdate(parent)
+	return nil
+}
+
+func (cfg *MaxMindConfig) loadLastUpdate() {
+	f, err := os.Stat(dbPath(cfg.Database))
+	if err != nil {
+		return
+	}
+	cfg.lastUpdate = f.ModTime()
+}
+
+func (cfg *MaxMindConfig) setLastUpdate(t time.Time) {
+	cfg.lastUpdate = t
+	_ = os.Chtimes(dbPath(cfg.Database), t, t)
+}
+
+func (cfg *MaxMindConfig) scheduleUpdate(parent task.Parent) {
+	task := parent.Subtask("schedule_update", true)
+	ticker := time.NewTicker(updateInterval)
+
+	cfg.loadLastUpdate()
+	cfg.update()
+
+	defer func() {
+		ticker.Stop()
+		if cfg.db.Reader != nil {
+			cfg.db.Reader.Close()
+		}
+		task.Finish(nil)
+	}()
+
+	for {
+		select {
+		case <-task.Context().Done():
+			return
+		case <-ticker.C:
+			cfg.update()
+		}
+	}
+}
+
+func (cfg *MaxMindConfig) update() {
+	// check for update
+	cfg.logger.Info().Msg("checking for MaxMind DB update...")
+	remoteLastModified, err := cfg.checkLastest()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to check MaxMind DB update")
+		return
+	}
+	if remoteLastModified.Equal(cfg.lastUpdate) {
+		cfg.logger.Info().Msg("MaxMind DB is up to date")
+		return
+	}
+
+	cfg.logger.Info().
+		Time("latest", remoteLastModified.Local()).
+		Time("current", cfg.lastUpdate).
+		Msg("MaxMind DB update available")
+	reader, err := cfg.download()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to update MaxMind DB")
+		return
+	}
+	cfg.db.Lock()
+	cfg.db.Close()
+	cfg.db.Reader = reader
+	cfg.setLastUpdate(*remoteLastModified)
+	cfg.db.Unlock()
+
+	cfg.logger.Info().Msg("MaxMind DB updated")
+}
+
+func (cfg *MaxMindConfig) newReq(method string) (*http.Response, error) {
+	req, err := http.NewRequest(method, dbURL(cfg.Database), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.SetBasicAuth(cfg.AccountID, cfg.LicenseKey)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+func (cfg *MaxMindConfig) checkLastest() (lastModifiedT *time.Time, err error) {
+	resp, err := newReq(cfg, http.MethodHead)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	lastModified := resp.Header.Get("Last-Modified")
+	if lastModified == "" {
+		cfg.logger.Warn().Msg("MaxMind responded no last modified time, update skipped")
+		return nil, nil
+	}
+
+	lastModifiedTime, err := time.Parse(http.TimeFormat, lastModified)
+	if err != nil {
+		cfg.logger.Warn().Err(err).Msg("MaxMind responded invalid last modified time, update skipped")
+		return nil, err
+	}
+
+	return &lastModifiedTime, nil
+}
+
+func (cfg *MaxMindConfig) download() (*maxminddb.Reader, error) {
+	resp, err := newReq(cfg, http.MethodGet)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	path := dbPath(cfg.Database)
+	tmpPath := path + "-tmp.tar.gz"
+	file, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.logger.Info().Msg("MaxMind DB downloading...")
+
+	_, err = io.Copy(file, resp.Body)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	file.Close()
+
+	// extract .tar.gz and move only the dbFilename to path
+	err = extractFileFromTarGz(tmpPath, dbFilename(cfg.Database), path)
+	if err != nil {
+		return nil, gperr.New("failed to extract database from archive").With(err)
+	}
+	// cleanup the tar.gz file
+	_ = os.Remove(tmpPath)
+
+	db, err := maxmindDBOpen(path)
+	if err != nil {
+		return nil, err
+	}
+	return db, nil
+}
+
+func extractFileFromTarGz(tarGzPath, targetFilename, destPath string) error {
+	f, err := os.Open(tarGzPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	gzr, err := gzip.NewReader(f)
+	if err != nil {
+		return err
+	}
+	defer gzr.Close()
+
+	tr := tar.NewReader(gzr)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return err
+		}
+		// Only extract the file that matches targetFilename (basename match)
+		if filepath.Base(hdr.Name) == targetFilename {
+			outFile, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode())
+			if err != nil {
+				return err
+			}
+			defer outFile.Close()
+			_, err = io.Copy(outFile, tr)
+			if err != nil {
+				return err
+			}
+			return nil // Done
+		}
+	}
+	return fmt.Errorf("file %s not found in archive", targetFilename)
+}
+
+var (
+	dataDir       = common.DataDir
+	dbURL         = dbURLimpl
+	dbPath        = dbPathImpl
+	maxmindDBOpen = maxminddb.Open
+	newReq        = (*MaxMindConfig).newReq
+)
--- a/internal/acl/maxmind_test.go
+++ b/internal/acl/maxmind_test.go
@@ -0,0 +1,213 @@
+package acl
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+func Test_dbPath(t *testing.T) {
+	tmpDataDir := "/tmp/testdata"
+	oldDataDir := dataDir
+	dataDir = tmpDataDir
+	defer func() { dataDir = oldDataDir }()
+
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, filepath.Join(tmpDataDir, "GeoLite2-City.mmdb")},
+		{"GeoIP2", MaxMindGeoIP2, filepath.Join(tmpDataDir, "GeoIP2-City.mmdb")},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbPath(tt.dbType); got != tt.want {
+				t.Errorf("dbPath() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_dbURL(t *testing.T) {
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"},
+		{"GeoIP2", MaxMindGeoIP2, "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbURL(tt.dbType); got != tt.want {
+				t.Errorf("dbURL() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+// --- Helper for MaxMindConfig ---
+type testLogger struct{ zerolog.Logger }
+
+func (testLogger) Info() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Warn() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Err(_ error) *zerolog.Event { return &zerolog.Event{} }
+
+func Test_MaxMindConfig_newReq(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "testid",
+		LicenseKey: "testkey",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+
+	// Patch httpClient to use httptest
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if u, p, ok := r.BasicAuth(); !ok || u != "testid" || p != "testkey" {
+			t.Errorf("basic auth not set correctly")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	resp, err := cfg.newReq(http.MethodGet)
+	if err != nil {
+		t.Fatalf("newReq() error = %v", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("unexpected status: %v", resp.StatusCode)
+	}
+}
+
+func Test_MaxMindConfig_checkUpdate(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	lastMod := time.Now().UTC().Format(http.TimeFormat)
+	buildTime := time.Now().Add(-time.Hour)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Last-Modified", lastMod)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	latest, err := cfg.checkLastest()
+	if err != nil {
+		t.Fatalf("checkUpdate() error = %v", err)
+	}
+	if latest.Equal(buildTime) {
+		t.Errorf("expected update needed")
+	}
+}
+
+type fakeReadCloser struct {
+	firstRead bool
+	closed    bool
+}
+
+func (c *fakeReadCloser) Read(p []byte) (int, error) {
+	if !c.firstRead {
+		c.firstRead = true
+		return strings.NewReader("FAKEMMDB").Read(p)
+	}
+	return 0, io.EOF
+}
+
+func (c *fakeReadCloser) Close() error {
+	c.closed = true
+	return nil
+}
+
+func Test_MaxMindConfig_download(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.Copy(w, strings.NewReader("FAKEMMDB"))
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	tmpDir := t.TempDir()
+	oldDataDir := dataDir
+	dataDir = tmpDir
+	defer func() { dataDir = oldDataDir }()
+
+	// Patch maxminddb.Open to always succeed
+	origOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = origOpen }()
+
+	rw := &fakeReadCloser{}
+	oldNewReq := newReq
+	newReq = func(cfg *MaxMindConfig, method string) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Body:       rw,
+		}, nil
+	}
+	defer func() { newReq = oldNewReq }()
+
+	db, err := cfg.download()
+	if err != nil {
+		t.Fatalf("download() error = %v", err)
+	}
+	if db == nil {
+		t.Error("expected db instance")
+	}
+	if !rw.closed {
+		t.Error("expected rw to be closed")
+	}
+}
+
+func Test_MaxMindConfig_loadMaxMindDB(t *testing.T) {
+	// This test should cover both the path where DB exists and where it does not
+	// For brevity, only the non-existing path is tested here
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	oldOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = oldOpen }()
+
+	oldDBPath := dbPath
+	dbPath = func(MaxMindDatabaseType) string { return filepath.Join(t.TempDir(), "maxmind.mmdb") }
+	defer func() { dbPath = oldDBPath }()
+
+	task := task.RootTask("test")
+	defer task.Finish(nil)
+	err := cfg.LoadMaxMindDB(task)
+	if err != nil {
+		t.Errorf("loadMaxMindDB() error = %v", err)
+	}
+}
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@@ -0,0 +1,46 @@
+package acl
+
+import (
+	"net"
+)
+
+type TCPListener struct {
+	acl *Config
+	lis net.Listener
+}
+
+func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
+	if cfg == nil {
+		return lis
+	}
+	return &TCPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *TCPListener) Addr() net.Addr {
+	return s.lis.Addr()
+}
+
+func (s *TCPListener) Accept() (net.Conn, error) {
+	c, err := s.lis.Accept()
+	if err != nil {
+		return nil, err
+	}
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		// Not a TCPAddr, drop
+		c.Close()
+		return nil, nil
+	}
+	if !s.acl.IPAllowed(addr.IP) {
+		c.Close()
+		return nil, nil
+	}
+	return c, nil
+}
+
+func (s *TCPListener) Close() error {
+	return s.lis.Close()
+}
--- a/internal/acl/types/city_info.go
+++ b/internal/acl/types/city_info.go
@@ -0,0 +1,10 @@
+package acl
+
+type City struct {
+	Location struct {
+		TimeZone string `maxminddb:"time_zone"`
+	} `maxminddb:"location"`
+	Country struct {
+		IsoCode string `maxminddb:"iso_code"`
+	} `maxminddb:"country"`
+}
--- a/internal/acl/types/ip_info.go
+++ b/internal/acl/types/ip_info.go
@@ -0,0 +1,9 @@
+package acl
+
+import "net"
+
+type IPInfo struct {
+	IP   net.IP
+	Str  string
+	City *City
+}
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@@ -0,0 +1,79 @@
+package acl
+
+import (
+	"net"
+	"time"
+)
+
+type UDPListener struct {
+	acl *Config
+	lis net.PacketConn
+}
+
+func (cfg *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if cfg == nil {
+		return lis
+	}
+	return &UDPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *UDPListener) LocalAddr() net.Addr {
+	return s.lis.LocalAddr()
+}
+
+func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
+	for {
+		n, addr, err := s.lis.ReadFrom(p)
+		if err != nil {
+			return n, addr, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet from disallowed IP
+			continue
+		}
+		return n, addr, nil
+	}
+}
+
+func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
+	for {
+		n, err := s.lis.WriteTo(p, addr)
+		if err != nil {
+			return n, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet to disallowed IP
+			continue
+		}
+		return n, nil
+	}
+}
+
+func (s *UDPListener) SetDeadline(t time.Time) error {
+	return s.lis.SetDeadline(t)
+}
+
+func (s *UDPListener) SetReadDeadline(t time.Time) error {
+	return s.lis.SetReadDeadline(t)
+}
+
+func (s *UDPListener) SetWriteDeadline(t time.Time) error {
+	return s.lis.SetWriteDeadline(t)
+}
+
+func (s *UDPListener) Close() error {
+	return s.lis.Close()
+}
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -4,15 +4,12 @@ import (
 	"fmt"
 	"net/http"

-	"github.com/prometheus/client_golang/prometheus/promhttp"
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
 	"github.com/yusing/go-proxy/internal/api/v1/certapi"
 	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
 	"github.com/yusing/go-proxy/internal/api/v1/favicon"
-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/auth"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/metrics/uptime"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
@@ -93,26 +90,14 @@ func NewHandler(cfg config.ConfigInstance) http.Handler {
 	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
 	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)

-	if common.PrometheusEnabled {
-		mux.Handle("GET /v1/metrics", promhttp.Handler())
-		logging.Info().Msg("prometheus metrics enabled")
+	defaultAuth := auth.GetDefaultAuth()
+	if defaultAuth == nil {
+		return mux
 	}

-	defaultAuth := auth.GetDefaultAuth()
-	if defaultAuth != nil {
-		mux.HandleFunc("GET", "/v1/auth/redirect", defaultAuth.RedirectLoginPage)
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			if err := defaultAuth.CheckToken(r); err != nil {
-				http.Error(w, err.Error(), http.StatusUnauthorized)
-				return
-			}
-		})
-		mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.LoginCallbackHandler)
-		mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutCallbackHandler)
-	} else {
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-		})
-	}
+	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
+	mux.HandleFunc("GET", "/v1/auth/redirect", defaultAuth.LoginHandler)
+	mux.HandleFunc("GET", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
 	return mux
 }
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@@ -1,308 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"mime"
-	"net/http"
-	"net/url"
-	"slices"
-	"strings"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"golang.org/x/oauth2"
-)
-
-type (
-	OIDCProvider struct {
-		oauthConfig       *oauth2.Config
-		oidcProvider      *oidc.Provider
-		oidcVerifier      *oidc.IDTokenVerifier
-		oidcEndSessionURL *url.URL
-		allowedUsers      []string
-		allowedGroups     []string
-		isMiddleware      bool
-	}
-
-	providerJSON struct {
-		oidc.ProviderConfig
-		EndSessionURL string `json:"end_session_endpoint"`
-	}
-)
-
-const CookieOauthState = "godoxy_oidc_state"
-
-const (
-	OIDCMiddlewareCallbackPath = "/auth/callback"
-	OIDCLogoutPath             = "/auth/logout"
-)
-
-func NewOIDCProvider(issuerURL, clientID, clientSecret, redirectURL string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
-	if len(allowedUsers)+len(allowedGroups) == 0 {
-		return nil, errors.New("OIDC users, groups, or both must not be empty")
-	}
-
-	wellKnown := strings.TrimSuffix(issuerURL, "/") + "/.well-known/openid-configuration"
-	resp, err := gphttp.Get(wellKnown)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("oidc: unable to read response body: %v", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("oidc: %s: %s", resp.Status, body)
-	}
-
-	var p providerJSON
-	err = json.Unmarshal(body, &p)
-	if err != nil {
-		mimeType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
-		if err == nil && mimeType != "application/json" {
-			return nil, fmt.Errorf("oidc: unexpected content type: %q from OIDC provider discovery, have you configured the correct issuer URL?", mimeType)
-		}
-		return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err)
-	}
-
-	if p.IssuerURL != issuerURL {
-		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuerURL, p.IssuerURL)
-	}
-
-	var endSessionURL *url.URL
-	if p.EndSessionURL != "" {
-		endSessionURL, err = url.Parse(p.EndSessionURL)
-		if err != nil {
-			return nil, fmt.Errorf("oidc: failed to parse end session URL: %w", err)
-		}
-	}
-
-	provider := p.NewProvider(context.Background())
-	return &OIDCProvider{
-		oauthConfig: &oauth2.Config{
-			ClientID:     clientID,
-			ClientSecret: clientSecret,
-			RedirectURL:  redirectURL,
-			Endpoint:     provider.Endpoint(),
-			Scopes:       strutils.CommaSeperatedList(common.OIDCScopes),
-		},
-		oidcProvider: provider,
-		oidcVerifier: provider.Verifier(&oidc.Config{
-			ClientID: clientID,
-		}),
-		oidcEndSessionURL: endSessionURL,
-		allowedUsers:      allowedUsers,
-		allowedGroups:     allowedGroups,
-	}, nil
-}
-
-// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
-func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
-	return NewOIDCProvider(
-		common.OIDCIssuerURL,
-		common.OIDCClientID,
-		common.OIDCClientSecret,
-		common.OIDCRedirectURL,
-		common.OIDCAllowedUsers,
-		common.OIDCAllowedGroups,
-	)
-}
-
-func (auth *OIDCProvider) TokenCookieName() string {
-	return "godoxy_oidc_token"
-}
-
-func (auth *OIDCProvider) SetIsMiddleware(enabled bool) {
-	auth.isMiddleware = enabled
-	auth.oauthConfig.RedirectURL = ""
-}
-
-func (auth *OIDCProvider) SetAllowedUsers(users []string) {
-	auth.allowedUsers = users
-}
-
-func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
-	auth.allowedGroups = groups
-}
-
-func (auth *OIDCProvider) CheckToken(r *http.Request) error {
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		return ErrMissingToken
-	}
-
-	// checks for Expiry, Audience == ClientID, Issuer, etc.
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), token.Value)
-	if err != nil {
-		return fmt.Errorf("failed to verify ID token: %w: %w", ErrInvalidToken, err)
-	}
-
-	if len(idToken.Audience) == 0 {
-		return ErrInvalidToken
-	}
-
-	var claims struct {
-		Email    string   `json:"email"`
-		Username string   `json:"preferred_username"`
-		Groups   []string `json:"groups"`
-	}
-	if err := idToken.Claims(&claims); err != nil {
-		return fmt.Errorf("failed to parse claims: %w", err)
-	}
-
-	// Logical AND between allowed users and groups.
-	allowedUser := slices.Contains(auth.allowedUsers, claims.Username)
-	allowedGroup := len(utils.Intersect(claims.Groups, auth.allowedGroups)) > 0
-	if !allowedUser && !allowedGroup {
-		return ErrUserNotAllowed
-	}
-	return nil
-}
-
-// generateState generates a random string for OIDC state.
-const oidcStateLength = 32
-
-func generateState() (string, error) {
-	b := make([]byte, oidcStateLength)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength], nil
-}
-
-// RedirectOIDC initiates the OIDC login flow.
-func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	state, err := generateState()
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	http.SetCookie(w, &http.Cookie{
-		Name:     CookieOauthState,
-		Value:    state,
-		MaxAge:   300,
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   common.APIJWTSecure,
-		Path:     "/",
-	})
-
-	redirURL := auth.oauthConfig.AuthCodeURL(state)
-	if auth.isMiddleware {
-		u, err := r.URL.Parse(redirURL)
-		if err != nil {
-			gphttp.ServerError(w, r, err)
-			return
-		}
-		q := u.Query()
-		q.Set("redirect_uri", "https://"+r.Host+OIDCMiddlewareCallbackPath+q.Get("redirect_uri"))
-		u.RawQuery = q.Encode()
-		redirURL = u.String()
-	}
-	http.Redirect(w, r, redirURL, http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) exchange(r *http.Request) (*oauth2.Token, error) {
-	if auth.isMiddleware {
-		cfg := *auth.oauthConfig
-		cfg.RedirectURL = "https://" + r.Host + OIDCMiddlewareCallbackPath
-		return cfg.Exchange(r.Context(), r.URL.Query().Get("code"))
-	}
-	return auth.oauthConfig.Exchange(r.Context(), r.URL.Query().Get("code"))
-}
-
-// OIDCCallbackHandler handles the OIDC callback.
-func (auth *OIDCProvider) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	// For testing purposes, skip provider verification
-	if common.IsTest {
-		auth.handleTestCallback(w, r)
-		return
-	}
-
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		gphttp.BadRequest(w, "missing state cookie")
-		return
-	}
-
-	query := r.URL.Query()
-	if query.Get("state") != state.Value {
-		gphttp.BadRequest(w, "invalid oauth state")
-		return
-	}
-
-	oauth2Token, err := auth.exchange(r)
-	if err != nil {
-		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
-		return
-	}
-
-	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
-	if !ok {
-		gphttp.BadRequest(w, "missing id_token")
-		return
-	}
-
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), rawIDToken)
-	if err != nil {
-		gphttp.ServerError(w, r, fmt.Errorf("failed to verify ID token: %w", err))
-		return
-	}
-
-	setTokenCookie(w, r, auth.TokenCookieName(), rawIDToken, time.Until(idToken.Expiry))
-
-	// Redirect to home page
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	if auth.oidcEndSessionURL == nil {
-		DefaultLogoutCallbackHandler(auth, w, r)
-		return
-	}
-
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		gphttp.BadRequest(w, "missing token cookie")
-		return
-	}
-	clearTokenCookie(w, r, auth.TokenCookieName())
-
-	logoutURL := *auth.oidcEndSessionURL
-	logoutURL.Query().Add("id_token_hint", token.Value)
-
-	http.Redirect(w, r, logoutURL.String(), http.StatusFound)
-}
-
-// handleTestCallback handles OIDC callback in test environment.
-func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		gphttp.BadRequest(w, "missing state cookie")
-		return
-	}
-
-	if r.URL.Query().Get("state") != state.Value {
-		gphttp.BadRequest(w, "invalid oauth state")
-		return
-	}
-
-	// Create test JWT token
-	setTokenCookie(w, r, auth.TokenCookieName(), "test", time.Hour)
-
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}
--- a/internal/api/v1/auth/provider.go
+++ b/internal/api/v1/auth/provider.go
@@ -1,13 +0,0 @@
-package auth
-
-import (
-	"net/http"
-)
-
-type Provider interface {
-	TokenCookieName() string
-	CheckToken(r *http.Request) error
-	RedirectLoginPage(w http.ResponseWriter, r *http.Request)
-	LoginCallbackHandler(w http.ResponseWriter, r *http.Request)
-	LogoutCallbackHandler(w http.ResponseWriter, r *http.Request)
-}
--- a/internal/api/v1/dockerapi/info.go
+++ b/internal/api/v1/dockerapi/info.go
@@ -25,7 +25,7 @@ func (d *dockerInfo) MarshalJSON() ([]byte, error) {
 		},
 		"images": d.Images,
 		"n_cpu":  d.NCPU,
-		"memory": strutils.FormatByteSizeWithUnit(d.MemTotal),
+		"memory": strutils.FormatByteSize(d.MemTotal),
 	})
 }

--- a/internal/api/v1/dockerapi/logs.go
+++ b/internal/api/v1/dockerapi/logs.go
@@ -2,6 +2,7 @@ package dockerapi

 import (
 	"net/http"
+	"strconv"

 	"github.com/coder/websocket"
 	"github.com/docker/docker/api/types/container"
@@ -9,15 +10,14 @@ import (
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

 func Logs(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	server := r.PathValue("server")
 	containerID := r.PathValue("container")
-	stdout := strutils.ParseBool(query.Get("stdout"))
-	stderr := strutils.ParseBool(query.Get("stderr"))
+	stdout, _ := strconv.ParseBool(query.Get("stdout"))
+	stderr, _ := strconv.ParseBool(query.Get("stderr"))
 	since := query.Get("from")
 	until := query.Get("to")
 	levels := query.Get("levels") // TODO: implement levels
--- a/internal/api/v1/favicon/favicon.go
+++ b/internal/api/v1/favicon/favicon.go
@@ -1,49 +1,13 @@
 package favicon

 import (
-	"bytes"
-	"context"
 	"errors"
-	"io"
 	"net/http"
-	"net/url"
-	"strings"
-	"time"

-	"github.com/PuerkitoBio/goquery"
-	"github.com/vincent-petithory/dataurl"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/logging"
-	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type fetchResult struct {
-	icon        []byte
-	contentType string
-	statusCode  int
-	errMsg      string
-}
-
-func (res *fetchResult) OK() bool {
-	return res.icon != nil
-}
-
-func (res *fetchResult) ContentType() string {
-	if res.contentType == "" {
-		if bytes.HasPrefix(res.icon, []byte("<svg")) || bytes.HasPrefix(res.icon, []byte("<?xml")) {
-			return "image/svg+xml"
-		}
-		return "image/x-icon"
-	}
-	return res.contentType
-}
-
-const (
-	MaxRedirectDepth = 5
 )

 // GetFavIcon returns the favicon of the route
@@ -72,213 +36,42 @@ func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 			gphttp.ClientError(w, err, http.StatusBadRequest)
 			return
 		}
-		fetchResult := getFavIconFromURL(&iconURL)
+		fetchResult := homepage.FetchFavIconFromURL(req.Context(), &iconURL)
 		if !fetchResult.OK() {
-			http.Error(w, fetchResult.errMsg, fetchResult.statusCode)
+			http.Error(w, fetchResult.ErrMsg, fetchResult.StatusCode)
 			return
 		}
 		w.Header().Set("Content-Type", fetchResult.ContentType())
-		gphttp.WriteBody(w, fetchResult.icon)
+		gphttp.WriteBody(w, fetchResult.Icon)
 		return
 	}

-	// try with route.Homepage.Icon
-	r, ok := routes.GetHTTPRoute(alias)
+	// try with route.Icon
+	r, ok := routes.HTTP.Get(alias)
 	if !ok {
 		gphttp.ClientError(w, errors.New("no such route"), http.StatusNotFound)
 		return
 	}

-	var result *fetchResult
+	var result *homepage.FetchResult
 	hp := r.HomepageItem()
 	if hp.Icon != nil {
 		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = findIcon(r, req, hp.Icon.Value)
+			result = homepage.FindIcon(req.Context(), r, hp.Icon.Value)
 		} else {
-			result = getFavIconFromURL(hp.Icon)
+			result = homepage.FetchFavIconFromURL(req.Context(), hp.Icon)
 		}
 	} else {
 		// try extract from "link[rel=icon]"
-		result = findIcon(r, req, "/")
+		result = homepage.FindIcon(req.Context(), r, "/")
 	}
-	if result.statusCode == 0 {
-		result.statusCode = http.StatusOK
+	if result.StatusCode == 0 {
+		result.StatusCode = http.StatusOK
 	}
 	if !result.OK() {
-		http.Error(w, result.errMsg, result.statusCode)
+		http.Error(w, result.ErrMsg, result.StatusCode)
 		return
 	}
 	w.Header().Set("Content-Type", result.ContentType())
-	gphttp.WriteBody(w, result.icon)
-}
-
-func getFavIconFromURL(iconURL *homepage.IconURL) *fetchResult {
-	switch iconURL.IconSource {
-	case homepage.IconSourceAbsolute:
-		return fetchIconAbsolute(iconURL.URL())
-	case homepage.IconSourceRelative:
-		return &fetchResult{statusCode: http.StatusBadRequest, errMsg: "unexpected relative icon"}
-	case homepage.IconSourceWalkXCode, homepage.IconSourceSelfhSt:
-		return fetchKnownIcon(iconURL)
-	}
-	return &fetchResult{statusCode: http.StatusBadRequest, errMsg: "invalid icon source"}
-}
-
-func fetchIconAbsolute(url string) *fetchResult {
-	if result := loadIconCache(url); result != nil {
-		return result
-	}
-
-	resp, err := gphttp.Get(url)
-	if err != nil || resp.StatusCode != http.StatusOK {
-		if err == nil {
-			err = errors.New(resp.Status)
-		}
-		logging.Error().Err(err).
-			Str("url", url).
-			Msg("failed to get icon")
-		return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
-	}
-
-	defer resp.Body.Close()
-	icon, err := io.ReadAll(resp.Body)
-	if err != nil {
-		logging.Error().Err(err).
-			Str("url", url).
-			Msg("failed to read icon")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-	}
-
-	storeIconCache(url, icon)
-	return &fetchResult{icon: icon}
-}
-
-var nameSanitizer = strings.NewReplacer(
-	"_", "-",
-	" ", "-",
-	"(", "",
-	")", "",
-)
-
-func sanitizeName(name string) string {
-	return strings.ToLower(nameSanitizer.Replace(name))
-}
-
-func fetchKnownIcon(url *homepage.IconURL) *fetchResult {
-	// if icon isn't in the list, no need to fetch
-	if !url.HasIcon() {
-		logging.Debug().
-			Str("value", url.String()).
-			Str("url", url.URL()).
-			Msg("no such icon")
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "no such icon"}
-	}
-
-	return fetchIconAbsolute(url.URL())
-}
-
-func fetchIcon(filetype, filename string) *fetchResult {
-	result := fetchKnownIcon(homepage.NewSelfhStIconURL(filename, filetype))
-	if result.icon == nil {
-		return result
-	}
-	return fetchKnownIcon(homepage.NewWalkXCodeIconURL(filename, filetype))
-}
-
-func findIcon(r route.HTTPRoute, req *http.Request, uri string) *fetchResult {
-	key := routeKey(r)
-	if result := loadIconCache(key); result != nil {
-		return result
-	}
-
-	result := fetchIcon("png", sanitizeName(r.TargetName()))
-	cont := r.ContainerInfo()
-	if !result.OK() && cont != nil {
-		result = fetchIcon("png", sanitizeName(cont.Image.Name))
-	}
-	if !result.OK() {
-		// fallback to parse html
-		result = findIconSlow(r, req, uri, 0)
-	}
-	if result.OK() {
-		storeIconCache(key, result.icon)
-	}
-	return result
-}
-
-func findIconSlow(r route.HTTPRoute, req *http.Request, uri string, depth int) *fetchResult {
-	ctx, cancel := context.WithTimeoutCause(req.Context(), 3*time.Second, errors.New("favicon request timeout"))
-	defer cancel()
-	newReq := req.WithContext(ctx)
-	newReq.Header.Set("Accept-Encoding", "identity") // disable compression
-	u, err := url.ParseRequestURI(strutils.SanitizeURI(uri))
-	if err != nil {
-		logging.Error().Err(err).
-			Str("route", r.TargetName()).
-			Str("path", uri).
-			Msg("failed to parse uri")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "cannot parse uri"}
-	}
-	newReq.URL.Path = u.Path
-	newReq.URL.RawPath = u.RawPath
-	newReq.URL.RawQuery = u.RawQuery
-	newReq.RequestURI = u.String()
-
-	c := newContent()
-	r.ServeHTTP(c, newReq)
-	if c.status != http.StatusOK {
-		switch c.status {
-		case 0:
-			return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
-		default:
-			if loc := c.Header().Get("Location"); loc != "" {
-				if depth > MaxRedirectDepth {
-					return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "too many redirects"}
-				}
-				loc = strutils.SanitizeURI(loc)
-				if loc == "/" || loc == newReq.URL.Path {
-					return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "circular redirect"}
-				}
-				return findIconSlow(r, req, loc, depth+1)
-			}
-		}
-		return &fetchResult{statusCode: c.status, errMsg: "upstream error: " + string(c.data)}
-	}
-	// return icon data
-	if !gphttp.GetContentType(c.header).IsHTML() {
-		return &fetchResult{icon: c.data, contentType: c.header.Get("Content-Type")}
-	}
-	// try extract from "link[rel=icon]" from path "/"
-	doc, err := goquery.NewDocumentFromReader(bytes.NewBuffer(c.data))
-	if err != nil {
-		logging.Error().Err(err).
-			Str("route", r.TargetName()).
-			Msg("failed to parse html")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-	}
-	ele := doc.Find("head > link[rel=icon]").First()
-	if ele.Length() == 0 {
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "icon element not found"}
-	}
-	href := ele.AttrOr("href", "")
-	if href == "" {
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "icon href not found"}
-	}
-	// https://en.wikipedia.org/wiki/Data_URI_scheme
-	if strings.HasPrefix(href, "data:image/") {
-		dataURI, err := dataurl.DecodeString(href)
-		if err != nil {
-			logging.Error().Err(err).
-				Str("route", r.TargetName()).
-				Msg("failed to decode favicon")
-			return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-		}
-		return &fetchResult{icon: dataURI.Data, contentType: dataURI.ContentType()}
-	}
-	switch {
-	case strings.HasPrefix(href, "http://"), strings.HasPrefix(href, "https://"):
-		return fetchIconAbsolute(href)
-	default:
-		return findIconSlow(r, req, href, 0)
-	}
+	gphttp.WriteBody(w, result.Icon)
 }
--- a/internal/api/v1/health.go
+++ b/internal/api/v1/health.go
@@ -9,15 +9,15 @@ import (
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/route/routes"
 )

 func Health(w http.ResponseWriter, r *http.Request) {
 	if httpheaders.IsWebsocket(r.Header) {
 		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
-			return wsjson.Write(r.Context(), conn, routequery.HealthMap())
+			return wsjson.Write(r.Context(), conn, routes.HealthMap())
 		})
 	} else {
-		gphttp.RespondJSON(w, r, routequery.HealthMap())
+		gphttp.RespondJSON(w, r, routes.HealthMap())
 	}
 }
--- a/internal/api/v1/list.go
+++ b/internal/api/v1/list.go
@@ -11,7 +11,7 @@ import (
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/route/routes"
 	route "github.com/yusing/go-proxy/internal/route/types"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
@@ -47,7 +47,7 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 			gphttp.RespondJSON(w, r, route)
 		}
 	case ListRoutes:
-		gphttp.RespondJSON(w, r, routequery.RoutesByAlias(route.RouteType(r.FormValue("type"))))
+		gphttp.RespondJSON(w, r, routes.ByAlias(route.RouteType(r.FormValue("type"))))
 	case ListFiles:
 		listFiles(w, r)
 	case ListMiddlewares:
@@ -57,11 +57,11 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	case ListMatchDomains:
 		gphttp.RespondJSON(w, r, cfg.Value().MatchDomains)
 	case ListHomepageConfig:
-		gphttp.RespondJSON(w, r, routequery.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
+		gphttp.RespondJSON(w, r, routes.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
 	case ListRouteProviders:
 		gphttp.RespondJSON(w, r, cfg.RouteProviderList())
 	case ListHomepageCategories:
-		gphttp.RespondJSON(w, r, routequery.HomepageCategories())
+		gphttp.RespondJSON(w, r, routes.HomepageCategories())
 	case ListIcons:
 		limit, err := strconv.Atoi(r.FormValue("limit"))
 		if err != nil {
@@ -87,9 +87,9 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 // otherwise, return a single Route with alias which or nil if not found.
 func listRoute(which string) any {
 	if which == "" || which == "all" {
-		return routequery.RoutesByAlias()
+		return routes.ByAlias()
 	}
-	routes := routequery.RoutesByAlias()
+	routes := routes.ByAlias()
 	route, ok := routes[which]
 	if !ok {
 		return nil
--- a/internal/api/v1/new_agent.go
+++ b/internal/api/v1/new_agent.go
@@ -14,7 +14,6 @@ import (
 	"github.com/yusing/go-proxy/agent/pkg/certs"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

 func NewAgent(w http.ResponseWriter, r *http.Request) {
@@ -56,7 +55,7 @@ func NewAgent(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	nightly := strutils.ParseBool(q.Get("nightly"))
+	nightly, _ := strconv.ParseBool(q.Get("nightly"))
 	var image string
 	if nightly {
 		image = agent.DockerImageNightly
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -50,3 +50,11 @@ func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
 	}
 	return next
 }
+
+func AuthCheckHandler(w http.ResponseWriter, r *http.Request) {
+	if err := defaultAuth.CheckToken(r); err != nil {
+		http.Redirect(w, r, "/v1/auth/login", http.StatusFound)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}
--- a/internal/api/v1/auth/block_page.go
+++ b/internal/api/v1/auth/block_page.go
--- a/internal/api/v1/auth/block_page.html
+++ b/internal/api/v1/auth/block_page.html
--- a/internal/auth/oauth_refresh.go
+++ b/internal/auth/oauth_refresh.go
@@ -0,0 +1,185 @@
+package auth
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/jsonstore"
+	"github.com/yusing/go-proxy/internal/logging"
+	"golang.org/x/oauth2"
+)
+
+type oauthRefreshToken struct {
+	Username     string    `json:"username"`
+	RefreshToken string    `json:"refresh_token"`
+	Expiry       time.Time `json:"expiry"`
+}
+
+type Session struct {
+	SessionID sessionID `json:"session_id"`
+	Username  string    `json:"username"`
+	Groups    []string  `json:"groups"`
+}
+
+type sessionClaims struct {
+	Session
+	jwt.RegisteredClaims
+}
+
+type sessionID string
+
+var oauthRefreshTokens jsonstore.MapStore[oauthRefreshToken]
+
+var (
+	defaultRefreshTokenExpiry = 30 * 24 * time.Hour // 1 month
+	refreshBefore             = 30 * time.Second
+)
+
+var (
+	errNoRefreshToken      = errors.New("no refresh token")
+	ErrRefreshTokenFailure = errors.New("failed to refresh token")
+)
+
+const sessionTokenIssuer = "GoDoxy"
+
+func init() {
+	if IsOIDCEnabled() {
+		oauthRefreshTokens = jsonstore.Store[oauthRefreshToken]("oauth_refresh_tokens")
+	}
+}
+
+func (token *oauthRefreshToken) expired() bool {
+	return time.Now().After(token.Expiry)
+}
+
+func newSessionID() sessionID {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return sessionID(base64.StdEncoding.EncodeToString(b))
+}
+
+func newSession(username string, groups []string) Session {
+	return Session{
+		SessionID: newSessionID(),
+		Username:  username,
+		Groups:    groups,
+	}
+}
+
+// getOnceOAuthRefreshToken returns the refresh token for the given session.
+//
+// The token is removed from the store after retrieval.
+func getOnceOAuthRefreshToken(claims *Session) (*oauthRefreshToken, bool) {
+	token, ok := oauthRefreshTokens.Load(string(claims.SessionID))
+	if !ok {
+		return nil, false
+	}
+	invalidateOAuthRefreshToken(claims.SessionID)
+	if token.expired() {
+		return nil, false
+	}
+	if claims.Username != token.Username {
+		return nil, false
+	}
+	return &token, true
+}
+
+func storeOAuthRefreshToken(sessionID sessionID, username, token string) {
+	oauthRefreshTokens.Store(string(sessionID), oauthRefreshToken{
+		Username:     username,
+		RefreshToken: token,
+		Expiry:       time.Now().Add(defaultRefreshTokenExpiry),
+	})
+	logging.Debug().Str("username", username).Msg("stored oauth refresh token")
+}
+
+func invalidateOAuthRefreshToken(sessionID sessionID) {
+	logging.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
+	oauthRefreshTokens.Delete(string(sessionID))
+}
+
+func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.Request, session Session) {
+	claims := &sessionClaims{
+		Session: session,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    sessionTokenIssuer,
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(common.APIJWTTokenTTL)),
+		},
+	}
+	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
+	signed, err := jwtToken.SignedString(common.APIJWTSecret)
+	if err != nil {
+		logging.Err(err).Msg("failed to sign session token")
+		return
+	}
+	setTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
+}
+
+func (auth *OIDCProvider) parseSessionJWT(sessionJWT string) (claims *sessionClaims, valid bool, err error) {
+	claims = &sessionClaims{}
+	sessionToken, err := jwt.ParseWithClaims(sessionJWT, claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return common.APIJWTSecret, nil
+	})
+	if err != nil {
+		return nil, false, err
+	}
+	return claims, sessionToken.Valid && claims.Issuer == sessionTokenIssuer, nil
+}
+
+func (auth *OIDCProvider) TryRefreshToken(w http.ResponseWriter, r *http.Request, sessionJWT string) error {
+	// verify the session cookie
+	claims, valid, err := auth.parseSessionJWT(sessionJWT)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidSessionToken, err)
+	}
+	if !valid {
+		return ErrInvalidSessionToken
+	}
+
+	// check if refresh is possible
+	refreshToken, ok := getOnceOAuthRefreshToken(&claims.Session)
+	if !ok {
+		return errNoRefreshToken
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+
+	// this step refreshes the token
+	// see https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.29.0:oauth2.go;l=313
+	newToken, err := auth.oauthConfig.TokenSource(r.Context(), &oauth2.Token{
+		RefreshToken: refreshToken.RefreshToken,
+	}).Token()
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrRefreshTokenFailure, err)
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), newToken)
+	if err != nil {
+		return err
+	}
+
+	sessionID := newSessionID()
+
+	logging.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
+	storeOAuthRefreshToken(sessionID, claims.Username, newToken.RefreshToken)
+
+	// set new idToken and new sessionToken
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+	auth.setSessionTokenCookie(w, r, Session{
+		SessionID: sessionID,
+		Username:  claims.Username,
+		Groups:    claims.Groups,
+	})
+	return nil
+}
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -0,0 +1,314 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"slices"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"golang.org/x/oauth2"
+)
+
+type (
+	OIDCProvider struct {
+		oauthConfig   *oauth2.Config
+		oidcProvider  *oidc.Provider
+		oidcVerifier  *oidc.IDTokenVerifier
+		endSessionURL *url.URL
+		allowedUsers  []string
+		allowedGroups []string
+	}
+
+	IDTokenClaims struct {
+		Username string   `json:"preferred_username"`
+		Groups   []string `json:"groups"`
+	}
+)
+
+const (
+	CookieOauthState        = "godoxy_oidc_state"
+	CookieOauthSessionID    = "godoxy_session_id"
+	CookieOauthToken        = "godoxy_oauth_token"
+	CookieOauthSessionToken = "godoxy_session_token"
+)
+
+const (
+	OIDCAuthInitPath = "/"
+	OIDCPostAuthPath = "/auth/callback"
+	OIDCLogoutPath   = "/auth/logout"
+)
+
+var errMissingIDToken = errors.New("missing id_token field from oauth token")
+
+// generateState generates a random string for OIDC state.
+const oidcStateLength = 32
+
+func generateState() string {
+	b := make([]byte, oidcStateLength)
+	_, _ = rand.Read(b)
+	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength]
+}
+
+func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
+	if len(allowedUsers)+len(allowedGroups) == 0 {
+		return nil, errors.New("OIDC users, groups, or both must not be empty")
+	}
+	provider, err := oidc.NewProvider(context.Background(), issuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
+	endSessionURL, err := url.Parse(provider.EndSessionEndpoint())
+	if err != nil && provider.EndSessionEndpoint() != "" {
+		// non critical, just warn
+		logging.Warn().
+			Str("issuer", issuerURL).
+			Err(err).
+			Msg("failed to parse end session URL")
+	}
+
+	return &OIDCProvider{
+		oauthConfig: &oauth2.Config{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			RedirectURL:  "",
+			Endpoint:     provider.Endpoint(),
+			Scopes:       strutils.CommaSeperatedList(common.OIDCScopes),
+		},
+		oidcProvider: provider,
+		oidcVerifier: provider.Verifier(&oidc.Config{
+			ClientID: clientID,
+		}),
+		endSessionURL: endSessionURL,
+		allowedUsers:  allowedUsers,
+		allowedGroups: allowedGroups,
+	}, nil
+}
+
+// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
+func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
+	return NewOIDCProvider(
+		common.OIDCIssuerURL,
+		common.OIDCClientID,
+		common.OIDCClientSecret,
+		common.OIDCAllowedUsers,
+		common.OIDCAllowedGroups,
+	)
+}
+
+func (auth *OIDCProvider) SetAllowedUsers(users []string) {
+	auth.allowedUsers = users
+}
+
+func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
+	auth.allowedGroups = groups
+}
+
+// optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
+// parameter of the authorization URL to the post auth path of the current
+// request host.
+func optRedirectPostAuth(r *http.Request) oauth2.AuthCodeOption {
+	return oauth2.SetAuthURLParam("redirect_uri", "https://"+requestHost(r)+OIDCPostAuthPath)
+}
+
+func (auth *OIDCProvider) getIdToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
+	idTokenJWT, ok := oauthToken.Extra("id_token").(string)
+	if !ok {
+		return "", nil, errMissingIDToken
+	}
+	idToken, err := auth.oidcVerifier.Verify(ctx, idTokenJWT)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to verify ID token: %w", err)
+	}
+	return idTokenJWT, idToken, nil
+}
+
+func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case OIDCAuthInitPath:
+		auth.LoginHandler(w, r)
+	case OIDCPostAuthPath:
+		auth.PostAuthCallbackHandler(w, r)
+	case OIDCLogoutPath:
+		auth.LogoutHandler(w, r)
+	default:
+		http.Redirect(w, r, OIDCAuthInitPath, http.StatusFound)
+	}
+}
+
+func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	// check for session token
+	sessionToken, err := r.Cookie(CookieOauthSessionToken)
+	if err == nil {
+		err = auth.TryRefreshToken(w, r, sessionToken.Value)
+		if err != nil {
+			logging.Debug().Err(err).Msg("failed to refresh token")
+			auth.clearCookie(w, r)
+		}
+		http.Redirect(w, r, "/", http.StatusFound)
+		return
+	}
+
+	state := generateState()
+	setTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
+	// redirect user to Idp
+	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
+}
+
+func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
+	var claim IDTokenClaims
+	if err := idToken.Claims(&claim); err != nil {
+		return nil, fmt.Errorf("failed to parse claims: %w", err)
+	}
+	if claim.Username == "" {
+		return nil, fmt.Errorf("missing username in ID token")
+	}
+	return &claim, nil
+}
+
+func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
+	userAllowed := slices.Contains(auth.allowedUsers, user)
+	if !userAllowed {
+		return false
+	}
+	if len(auth.allowedGroups) == 0 {
+		return true
+	}
+	return len(utils.Intersect(groups, auth.allowedGroups)) > 0
+}
+
+func (auth *OIDCProvider) CheckToken(r *http.Request) error {
+	tokenCookie, err := r.Cookie(CookieOauthToken)
+	if err != nil {
+		return ErrMissingOAuthToken
+	}
+
+	idToken, err := auth.oidcVerifier.Verify(r.Context(), tokenCookie.Value)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	claims, err := parseClaims(idToken)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+	return nil
+}
+
+func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+	// For testing purposes, skip provider verification
+	if common.IsTest {
+		auth.handleTestCallback(w, r)
+		return
+	}
+
+	// verify state
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	code := r.URL.Query().Get("code")
+	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code, optRedirectPostAuth(r))
+	if err != nil {
+		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
+		return
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), oauth2Token)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	if oauth2Token.RefreshToken != "" {
+		claims, err := parseClaims(idToken)
+		if err != nil {
+			gphttp.ServerError(w, r, err)
+			return
+		}
+		session := newSession(claims.Username, claims.Groups)
+		storeOAuthRefreshToken(session.SessionID, claims.Username, oauth2Token.RefreshToken)
+		auth.setSessionTokenCookie(w, r, session)
+	}
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+
+	// Redirect to home page
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	oauthToken, _ := r.Cookie(CookieOauthToken)
+	sessionToken, _ := r.Cookie(CookieOauthSessionToken)
+	auth.clearCookie(w, r)
+
+	if sessionToken != nil {
+		claims, _, err := auth.parseSessionJWT(sessionToken.Value)
+		if err == nil {
+			invalidateOAuthRefreshToken(claims.SessionID)
+		}
+	}
+
+	url := "/"
+	if auth.endSessionURL != nil && oauthToken != nil {
+		query := auth.endSessionURL.Query()
+		query.Set("id_token_hint", oauthToken.Value)
+		query.Set("post_logout_redirect_uri", "https://"+requestHost(r))
+
+		clone := *auth.endSessionURL
+		clone.RawQuery = query.Encode()
+		url = clone.String()
+	} else if auth.endSessionURL != nil {
+		url = auth.endSessionURL.String()
+	}
+
+	http.Redirect(w, r, url, http.StatusFound)
+}
+
+func (auth *OIDCProvider) setIDTokenCookie(w http.ResponseWriter, r *http.Request, jwt string, ttl time.Duration) {
+	setTokenCookie(w, r, CookieOauthToken, jwt, ttl)
+}
+
+func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
+	clearTokenCookie(w, r, CookieOauthToken)
+	clearTokenCookie(w, r, CookieOauthSessionToken)
+}
+
+// handleTestCallback handles OIDC callback in test environment.
+func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	// Create test JWT token
+	setTokenCookie(w, r, CookieOauthToken, "test", time.Hour)
+
+	http.Redirect(w, r, "/", http.StatusFound)
+}
--- a/internal/api/v1/auth/oidc_test.go
+++ b/internal/api/v1/auth/oidc_test.go
@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"

@@ -35,7 +36,8 @@ func setupMockOIDC(t *testing.T) {
 			},
 			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 		},
-		oidcProvider: provider,
+		endSessionURL: Must(url.Parse("http://mock-provider/logout")),
+		oidcProvider:  provider,
 		oidcVerifier: provider.Verifier(&oidc.Config{
 			ClientID: "test-client",
 		}),
@@ -148,17 +150,17 @@ func TestOIDCLoginHandler(t *testing.T) {
 	}{
 		{
 			name:         "Success - Redirects to provider",
-			wantStatus:   http.StatusTemporaryRedirect,
+			wantStatus:   http.StatusFound,
 			wantRedirect: true,
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/auth/redirect", nil)
+			req := httptest.NewRequest(http.MethodGet, OIDCAuthInitPath, nil)
 			w := httptest.NewRecorder()

-			defaultAuth.RedirectLoginPage(w, req)
+			defaultAuth.(*OIDCProvider).HandleAuth(w, req)

 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCLoginHandler() status = %v, want %v", got, tt.wantStatus)
@@ -194,7 +196,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			state:      "valid-state",
 			code:       "valid-code",
 			setupMocks: true,
-			wantStatus: http.StatusTemporaryRedirect,
+			wantStatus: http.StatusFound,
 		},
 		{
 			name:       "Failure - Missing state",
@@ -219,7 +221,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			}
 			w := httptest.NewRecorder()

-			defaultAuth.LoginCallbackHandler(w, req)
+			defaultAuth.(*OIDCProvider).PostAuthCallbackHandler(w, req)

 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCCallbackHandler() status = %v, want %v", got, tt.wantStatus)
@@ -227,7 +229,7 @@ func TestOIDCCallbackHandler(t *testing.T) {

 			if tt.wantStatus == http.StatusTemporaryRedirect {
 				setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
-				ExpectEqual(t, setCookie.Name, defaultAuth.TokenCookieName())
+				ExpectEqual(t, setCookie.Name, CookieOauthToken)
 				ExpectTrue(t, setCookie.Value != "")
 				ExpectEqual(t, setCookie.Path, "/")
 				ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
@@ -270,7 +272,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:    server.URL,
 			clientID:     "client_id",
 			clientSecret: "client_secret",
-			redirectURL:  "https://example.com/callback",
 			allowedUsers: []string{"user1", "user2"},
 			wantErr:      false,
 		},
@@ -279,7 +280,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
-			redirectURL:   "https://example.com/callback",
 			allowedGroups: []string{"group1", "group2"},
 			wantErr:       false,
 		},
@@ -288,7 +288,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
-			redirectURL:   "https://example.com/callback",
 			logoutURL:     "https://example.com/logout",
 			allowedUsers:  []string{"user1", "user2"},
 			allowedGroups: []string{"group1", "group2"},
@@ -299,14 +298,13 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:    "https://example.com",
 			clientID:     "client_id",
 			clientSecret: "client_secret",
-			redirectURL:  "https://example.com/callback",
 			wantErr:      true,
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.redirectURL, tt.allowedUsers, tt.allowedGroups)
+			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.allowedUsers, tt.allowedGroups)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("InitOIDC() error = %v, wantErr %v", err, tt.wantErr)
 			}
@@ -400,7 +398,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns incorrect audience",
@@ -411,7 +409,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns expired token",
@@ -422,7 +420,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 	}
 	for _, tc := range tests {
@@ -438,7 +436,7 @@ func TestCheckToken(t *testing.T) {
 			// Craft a test HTTP request that includes the token as a cookie.
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
 			req.AddCookie(&http.Cookie{
-				Name:  auth.TokenCookieName(),
+				Name:  CookieOauthToken,
 				Value: signedToken,
 			})

@@ -452,3 +450,35 @@ func TestCheckToken(t *testing.T) {
 		})
 	}
 }
+
+func TestLogoutHandler(t *testing.T) {
+	t.Helper()
+
+	setupMockOIDC(t)
+
+	req := httptest.NewRequest(http.MethodGet, OIDCLogoutPath, nil)
+	w := httptest.NewRecorder()
+
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthToken,
+		Value: "test-token",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthSessionToken,
+		Value: "test-session-token",
+	})
+
+	defaultAuth.(*OIDCProvider).LogoutHandler(w, req)
+
+	if got := w.Code; got != http.StatusFound {
+		t.Errorf("LogoutHandler() status = %v, want %v", got, http.StatusFound)
+	}
+
+	if got := w.Header().Get("Location"); got == "" {
+		t.Error("LogoutHandler() missing redirect location")
+	}
+
+	if len(w.Header().Values("Set-Cookie")) != 2 {
+		t.Error("LogoutHandler() did not clear all cookies")
+	}
+}
--- a/internal/auth/provider.go
+++ b/internal/auth/provider.go
@@ -0,0 +1,10 @@
+package auth
+
+import "net/http"
+
+type Provider interface {
+	CheckToken(r *http.Request) error
+	LoginHandler(w http.ResponseWriter, r *http.Request)
+	PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request)
+	LogoutHandler(w http.ResponseWriter, r *http.Request)
+}
--- a/internal/api/v1/auth/userpass.go
+++ b/internal/api/v1/auth/userpass.go
@@ -76,7 +76,7 @@ func (auth *UserPassAuth) NewToken() (token string, err error) {
 func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	jwtCookie, err := r.Cookie(auth.TokenCookieName())
 	if err != nil {
-		return ErrMissingToken
+		return ErrMissingSessionToken
 	}
 	var claims UserPassClaims
 	token, err := jwt.ParseWithClaims(jwtCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
@@ -90,7 +90,7 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	}
 	switch {
 	case !token.Valid:
-		return ErrInvalidToken
+		return ErrInvalidSessionToken
 	case claims.Username != auth.username:
 		return ErrUserNotAllowed.Subject(claims.Username)
 	case claims.ExpiresAt.Before(time.Now()):
@@ -100,11 +100,7 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	return nil
 }

-func (auth *UserPassAuth) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
-}
-
-func (auth *UserPassAuth) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
+func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	var creds struct {
 		User string `json:"username"`
 		Pass string `json:"password"`
@@ -127,8 +123,13 @@ func (auth *UserPassAuth) LoginCallbackHandler(w http.ResponseWriter, r *http.Re
 	w.WriteHeader(http.StatusOK)
 }

-func (auth *UserPassAuth) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	DefaultLogoutCallbackHandler(auth, w, r)
+func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	clearTokenCookie(w, r, auth.TokenCookieName())
+	http.Redirect(w, r, "/", http.StatusFound)
 }

 func (auth *UserPassAuth) validatePassword(user, pass string) error {
--- a/internal/api/v1/auth/userpass_test.go
+++ b/internal/api/v1/auth/userpass_test.go
@@ -98,7 +98,7 @@ func TestUserPassLoginCallbackHandler(t *testing.T) {
 			Host: "app.example.com",
 			Body: io.NopCloser(bytes.NewReader(Must(json.Marshal(tt.creds)))),
 		}
-		auth.LoginCallbackHandler(w, req)
+		auth.LoginHandler(w, req)
 		if tt.wantErr {
 			ExpectEqual(t, w.Code, http.StatusUnauthorized)
 		} else {
--- a/internal/api/v1/auth/utils.go
+++ b/internal/api/v1/auth/utils.go
@@ -1,7 +1,6 @@
 package auth

 import (
-	"net"
 	"net/http"
 	"time"

@@ -11,25 +10,34 @@ import (
 )

 var (
-	ErrMissingToken   = gperr.New("missing token")
-	ErrInvalidToken   = gperr.New("invalid token")
-	ErrUserNotAllowed = gperr.New("user not allowed")
+	ErrMissingOAuthToken   = gperr.New("missing oauth token")
+	ErrMissingSessionToken = gperr.New("missing session token")
+	ErrInvalidOAuthToken   = gperr.New("invalid oauth token")
+	ErrInvalidSessionToken = gperr.New("invalid session token")
+	ErrUserNotAllowed      = gperr.New("user not allowed")
 )

-// cookieFQDN returns the fully qualified domain name of the request host
+func requestHost(r *http.Request) string {
+	// check if it's from backend
+	switch r.Host {
+	case common.APIHTTPAddr:
+		// use XFH
+		return r.Header.Get("X-Forwarded-Host")
+	default:
+		return r.Host
+	}
+}
+
+// cookieDomain returns the fully qualified domain name of the request host
 // with subdomain stripped.
 //
 // If the request host does not have a subdomain,
 // an empty string is returned
 //
-//	"abc.example.com" -> "example.com"
-//	"example.com" -> ""
-func cookieFQDN(r *http.Request) string {
-	host, _, err := net.SplitHostPort(r.Host)
-	if err != nil {
-		host = r.Host
-	}
-	parts := strutils.SplitRune(host, '.')
+//	"abc.example.com" -> ".example.com" (cross subdomain)
+//	"example.com" -> "" (same domain only)
+func cookieDomain(r *http.Request) string {
+	parts := strutils.SplitRune(requestHost(r), '.')
 	if len(parts) < 2 {
 		return ""
 	}
@@ -42,7 +50,7 @@ func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string,
 		Name:     name,
 		Value:    value,
 		MaxAge:   int(ttl.Seconds()),
-		Domain:   cookieFQDN(r),
+		Domain:   cookieDomain(r),
 		HttpOnly: true,
 		Secure:   common.APIJWTSecure,
 		SameSite: http.SameSiteLaxMode,
@@ -55,16 +63,10 @@ func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
 		Name:     name,
 		Value:    "",
 		MaxAge:   -1,
-		Domain:   cookieFQDN(r),
+		Domain:   cookieDomain(r),
 		HttpOnly: true,
 		Secure:   common.APIJWTSecure,
 		SameSite: http.SameSiteLaxMode,
 		Path:     "/",
 	})
 }
-
-// DefaultLogoutCallbackHandler clears the token cookie and redirects to the login page..
-func DefaultLogoutCallbackHandler(auth Provider, w http.ResponseWriter, r *http.Request) {
-	clearTokenCookie(w, r, auth.TokenCookieName())
-	auth.RedirectLoginPage(w, r)
-}
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -64,11 +64,11 @@ func (cfg *AutocertConfig) Validate() gperr.Error {
 			}
 		}
 		// check if provider is implemented
-		providerConstructor, ok := providersGenMap[cfg.Provider]
+		providerConstructor, ok := providers[cfg.Provider]
 		if !ok {
 			b.Add(ErrUnknownProvider.
 				Subject(cfg.Provider).
-				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providersGenMap))))
+				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providers))))
 		} else {
 			_, err := providerConstructor(cfg.Options)
 			if err != nil {
--- a/internal/autocert/constants.go
+++ b/internal/autocert/constants.go
@@ -1,36 +0,0 @@
-package autocert
-
-import (
-	"github.com/go-acme/lego/v4/providers/dns/clouddns"
-	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
-	"github.com/go-acme/lego/v4/providers/dns/duckdns"
-	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	"github.com/go-acme/lego/v4/providers/dns/porkbun"
-)
-
-const (
-	certBasePath       = "certs/"
-	CertFileDefault    = certBasePath + "cert.crt"
-	KeyFileDefault     = certBasePath + "priv.key"
-	ACMEKeyFileDefault = certBasePath + "acme.key"
-)
-
-const (
-	ProviderLocal      = "local"
-	ProviderCloudflare = "cloudflare"
-	ProviderClouddns   = "clouddns"
-	ProviderDuckdns    = "duckdns"
-	ProviderOVH        = "ovh"
-	ProviderPseudo     = "pseudo" // for testing
-	ProviderPorkbun    = "porkbun"
-)
-
-var providersGenMap = map[string]ProviderGenerator{
-	ProviderLocal:      providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderCloudflare: providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-	ProviderClouddns:   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
-	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
-	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
-	ProviderPseudo:     providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderPorkbun:    providerGenerator(porkbun.NewDefaultConfig, porkbun.NewDNSProviderConfig),
-}
--- a/internal/autocert/gen.py
+++ b/internal/autocert/gen.py
@@ -0,0 +1,53 @@
+import requests
+import os
+
+class Entry:
+  def __init__(self, name: str, type: str, **kwargs) -> None:
+    self.name = name
+    self.type = type
+  
+url = "https://api.github.com/repos/go-acme/lego/contents/providers/dns"
+response = requests.get(url)
+data: list[Entry] = [Entry(**i) for i in response.json()]
+
+header = "//go:generate /usr/bin/python3 gen.py\n\npackage autocert\n\n"
+names: list[str] = [
+  "ProviderLocal = \"local\"",
+  "ProviderPseudo = \"pseudo\"",
+]
+imports: list[str] = []
+genMap: list[str] = [
+  "ProviderLocal: providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),",
+  "ProviderPseudo: providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),",
+]
+
+blacklists = [
+  "internal",
+  # deprecated 
+  "azure",
+  "brandit",
+  "cloudxns",
+  "dnspod",
+  "mythicbeasts", 
+  "yandexcloud"
+]
+
+for item in data:
+    if item.type != "dir" or item.name in blacklists:
+      continue
+    imports.append(f"import \"github.com/go-acme/lego/v4/providers/dns/{item.name}\"")
+    names.append(f"Provider{item.name} = \"{item.name}\"")
+    genMap.append(f"Provider{item.name}: providerGenerator({item.name}.NewDefaultConfig, {item.name}.NewDNSProviderConfig),")
+    
+with open("providers.go", "w") as f:
+  f.write(header)
+  f.write("\n".join(imports))
+  f.write("\n\n")
+  f.write("const (\n")
+  f.write("\n".join(names))
+  f.write("\n)\n\n")
+  f.write("var providers = map[string]ProviderGenerator{\n")
+  f.write("\n".join(genMap))
+  f.write("\n}\n\n")
+  
+os.execvp("go", ["go", "fmt", "providers.go"])
--- a/internal/autocert/paths.go
+++ b/internal/autocert/paths.go
@@ -0,0 +1,8 @@
+package autocert
+
+const (
+	certBasePath       = "certs/"
+	CertFileDefault    = certBasePath + "cert.crt"
+	KeyFileDefault     = certBasePath + "priv.key"
+	ACMEKeyFileDefault = certBasePath + "acme.key"
+)
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -205,7 +205,7 @@ func (p *Provider) initClient() error {
 		return err
 	}

-	generator := providersGenMap[p.cfg.Provider]
+	generator := providers[p.cfg.Provider]
 	legoProvider, pErr := generator(p.cfg.Options)
 	if pErr != nil {
 		return pErr
--- a/internal/autocert/provider_test/ovh_test.go
+++ b/internal/autocert/provider_test/ovh_test.go
@@ -4,9 +4,9 @@ import (
 	"testing"

 	"github.com/go-acme/lego/v4/providers/dns/ovh"
+	"github.com/goccy/go-yaml"
 	U "github.com/yusing/go-proxy/internal/utils"
 	. "github.com/yusing/go-proxy/internal/utils/testing"
-	"gopkg.in/yaml.v3"
 )

 // type Config struct {
@@ -44,7 +44,7 @@ oauth2_config:
 	}
 	testYaml = testYaml[1:] // remove first \n
 	opt := make(map[string]any)
-	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), opt))
+	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), &opt))
 	ExpectNoError(t, U.Deserialize(opt, cfg))
 	ExpectEqual(t, cfg, cfgExpected)
 }
--- a/internal/autocert/providers.go
+++ b/internal/autocert/providers.go
@@ -0,0 +1,452 @@
+//go:generate /usr/bin/python3 gen.py
+
+package autocert
+
+import "github.com/go-acme/lego/v4/providers/dns/acmedns"
+import "github.com/go-acme/lego/v4/providers/dns/active24"
+import "github.com/go-acme/lego/v4/providers/dns/alidns"
+import "github.com/go-acme/lego/v4/providers/dns/allinkl"
+import "github.com/go-acme/lego/v4/providers/dns/arvancloud"
+import "github.com/go-acme/lego/v4/providers/dns/auroradns"
+import "github.com/go-acme/lego/v4/providers/dns/autodns"
+import "github.com/go-acme/lego/v4/providers/dns/axelname"
+import "github.com/go-acme/lego/v4/providers/dns/azuredns"
+import "github.com/go-acme/lego/v4/providers/dns/baiducloud"
+import "github.com/go-acme/lego/v4/providers/dns/bindman"
+import "github.com/go-acme/lego/v4/providers/dns/bluecat"
+import "github.com/go-acme/lego/v4/providers/dns/bookmyname"
+import "github.com/go-acme/lego/v4/providers/dns/bunny"
+import "github.com/go-acme/lego/v4/providers/dns/checkdomain"
+import "github.com/go-acme/lego/v4/providers/dns/civo"
+import "github.com/go-acme/lego/v4/providers/dns/clouddns"
+import "github.com/go-acme/lego/v4/providers/dns/cloudflare"
+import "github.com/go-acme/lego/v4/providers/dns/cloudns"
+import "github.com/go-acme/lego/v4/providers/dns/cloudru"
+import "github.com/go-acme/lego/v4/providers/dns/conoha"
+import "github.com/go-acme/lego/v4/providers/dns/constellix"
+import "github.com/go-acme/lego/v4/providers/dns/corenetworks"
+import "github.com/go-acme/lego/v4/providers/dns/cpanel"
+import "github.com/go-acme/lego/v4/providers/dns/derak"
+import "github.com/go-acme/lego/v4/providers/dns/desec"
+import "github.com/go-acme/lego/v4/providers/dns/designate"
+import "github.com/go-acme/lego/v4/providers/dns/digitalocean"
+import "github.com/go-acme/lego/v4/providers/dns/directadmin"
+import "github.com/go-acme/lego/v4/providers/dns/dnshomede"
+import "github.com/go-acme/lego/v4/providers/dns/dnsimple"
+import "github.com/go-acme/lego/v4/providers/dns/dnsmadeeasy"
+import "github.com/go-acme/lego/v4/providers/dns/dode"
+import "github.com/go-acme/lego/v4/providers/dns/domeneshop"
+import "github.com/go-acme/lego/v4/providers/dns/dreamhost"
+import "github.com/go-acme/lego/v4/providers/dns/duckdns"
+import "github.com/go-acme/lego/v4/providers/dns/dyn"
+import "github.com/go-acme/lego/v4/providers/dns/dynu"
+import "github.com/go-acme/lego/v4/providers/dns/easydns"
+import "github.com/go-acme/lego/v4/providers/dns/edgedns"
+import "github.com/go-acme/lego/v4/providers/dns/efficientip"
+import "github.com/go-acme/lego/v4/providers/dns/epik"
+import "github.com/go-acme/lego/v4/providers/dns/exec"
+import "github.com/go-acme/lego/v4/providers/dns/exoscale"
+import "github.com/go-acme/lego/v4/providers/dns/f5xc"
+import "github.com/go-acme/lego/v4/providers/dns/freemyip"
+import "github.com/go-acme/lego/v4/providers/dns/gandi"
+import "github.com/go-acme/lego/v4/providers/dns/gandiv5"
+import "github.com/go-acme/lego/v4/providers/dns/gcloud"
+import "github.com/go-acme/lego/v4/providers/dns/gcore"
+import "github.com/go-acme/lego/v4/providers/dns/glesys"
+import "github.com/go-acme/lego/v4/providers/dns/godaddy"
+import "github.com/go-acme/lego/v4/providers/dns/googledomains"
+import "github.com/go-acme/lego/v4/providers/dns/hetzner"
+import "github.com/go-acme/lego/v4/providers/dns/hostingde"
+import "github.com/go-acme/lego/v4/providers/dns/hosttech"
+import "github.com/go-acme/lego/v4/providers/dns/httpnet"
+import "github.com/go-acme/lego/v4/providers/dns/httpreq"
+import "github.com/go-acme/lego/v4/providers/dns/huaweicloud"
+import "github.com/go-acme/lego/v4/providers/dns/hurricane"
+import "github.com/go-acme/lego/v4/providers/dns/hyperone"
+import "github.com/go-acme/lego/v4/providers/dns/ibmcloud"
+import "github.com/go-acme/lego/v4/providers/dns/iij"
+import "github.com/go-acme/lego/v4/providers/dns/iijdpf"
+import "github.com/go-acme/lego/v4/providers/dns/infoblox"
+import "github.com/go-acme/lego/v4/providers/dns/infomaniak"
+import "github.com/go-acme/lego/v4/providers/dns/internetbs"
+import "github.com/go-acme/lego/v4/providers/dns/inwx"
+import "github.com/go-acme/lego/v4/providers/dns/ionos"
+import "github.com/go-acme/lego/v4/providers/dns/ipv64"
+import "github.com/go-acme/lego/v4/providers/dns/iwantmyname"
+import "github.com/go-acme/lego/v4/providers/dns/joker"
+import "github.com/go-acme/lego/v4/providers/dns/liara"
+import "github.com/go-acme/lego/v4/providers/dns/lightsail"
+import "github.com/go-acme/lego/v4/providers/dns/limacity"
+import "github.com/go-acme/lego/v4/providers/dns/linode"
+import "github.com/go-acme/lego/v4/providers/dns/liquidweb"
+import "github.com/go-acme/lego/v4/providers/dns/loopia"
+import "github.com/go-acme/lego/v4/providers/dns/luadns"
+import "github.com/go-acme/lego/v4/providers/dns/mailinabox"
+import "github.com/go-acme/lego/v4/providers/dns/manageengine"
+import "github.com/go-acme/lego/v4/providers/dns/metaname"
+import "github.com/go-acme/lego/v4/providers/dns/metaregistrar"
+import "github.com/go-acme/lego/v4/providers/dns/mijnhost"
+import "github.com/go-acme/lego/v4/providers/dns/mittwald"
+import "github.com/go-acme/lego/v4/providers/dns/myaddr"
+import "github.com/go-acme/lego/v4/providers/dns/mydnsjp"
+import "github.com/go-acme/lego/v4/providers/dns/namecheap"
+import "github.com/go-acme/lego/v4/providers/dns/namedotcom"
+import "github.com/go-acme/lego/v4/providers/dns/namesilo"
+import "github.com/go-acme/lego/v4/providers/dns/nearlyfreespeech"
+import "github.com/go-acme/lego/v4/providers/dns/netcup"
+import "github.com/go-acme/lego/v4/providers/dns/netlify"
+import "github.com/go-acme/lego/v4/providers/dns/nicmanager"
+import "github.com/go-acme/lego/v4/providers/dns/nifcloud"
+import "github.com/go-acme/lego/v4/providers/dns/njalla"
+import "github.com/go-acme/lego/v4/providers/dns/nodion"
+import "github.com/go-acme/lego/v4/providers/dns/ns1"
+import "github.com/go-acme/lego/v4/providers/dns/oraclecloud"
+import "github.com/go-acme/lego/v4/providers/dns/otc"
+import "github.com/go-acme/lego/v4/providers/dns/ovh"
+import "github.com/go-acme/lego/v4/providers/dns/pdns"
+import "github.com/go-acme/lego/v4/providers/dns/plesk"
+import "github.com/go-acme/lego/v4/providers/dns/porkbun"
+import "github.com/go-acme/lego/v4/providers/dns/rackspace"
+import "github.com/go-acme/lego/v4/providers/dns/rainyun"
+import "github.com/go-acme/lego/v4/providers/dns/rcodezero"
+import "github.com/go-acme/lego/v4/providers/dns/regfish"
+import "github.com/go-acme/lego/v4/providers/dns/regru"
+import "github.com/go-acme/lego/v4/providers/dns/rfc2136"
+import "github.com/go-acme/lego/v4/providers/dns/rimuhosting"
+import "github.com/go-acme/lego/v4/providers/dns/route53"
+import "github.com/go-acme/lego/v4/providers/dns/safedns"
+import "github.com/go-acme/lego/v4/providers/dns/sakuracloud"
+import "github.com/go-acme/lego/v4/providers/dns/scaleway"
+import "github.com/go-acme/lego/v4/providers/dns/selectel"
+import "github.com/go-acme/lego/v4/providers/dns/selectelv2"
+import "github.com/go-acme/lego/v4/providers/dns/selfhostde"
+import "github.com/go-acme/lego/v4/providers/dns/servercow"
+import "github.com/go-acme/lego/v4/providers/dns/shellrent"
+import "github.com/go-acme/lego/v4/providers/dns/simply"
+import "github.com/go-acme/lego/v4/providers/dns/sonic"
+import "github.com/go-acme/lego/v4/providers/dns/spaceship"
+import "github.com/go-acme/lego/v4/providers/dns/stackpath"
+import "github.com/go-acme/lego/v4/providers/dns/technitium"
+import "github.com/go-acme/lego/v4/providers/dns/tencentcloud"
+import "github.com/go-acme/lego/v4/providers/dns/timewebcloud"
+import "github.com/go-acme/lego/v4/providers/dns/transip"
+import "github.com/go-acme/lego/v4/providers/dns/ultradns"
+import "github.com/go-acme/lego/v4/providers/dns/variomedia"
+import "github.com/go-acme/lego/v4/providers/dns/vegadns"
+import "github.com/go-acme/lego/v4/providers/dns/vercel"
+import "github.com/go-acme/lego/v4/providers/dns/versio"
+import "github.com/go-acme/lego/v4/providers/dns/vinyldns"
+import "github.com/go-acme/lego/v4/providers/dns/vkcloud"
+import "github.com/go-acme/lego/v4/providers/dns/volcengine"
+import "github.com/go-acme/lego/v4/providers/dns/vscale"
+import "github.com/go-acme/lego/v4/providers/dns/vultr"
+import "github.com/go-acme/lego/v4/providers/dns/webnames"
+import "github.com/go-acme/lego/v4/providers/dns/websupport"
+import "github.com/go-acme/lego/v4/providers/dns/wedos"
+import "github.com/go-acme/lego/v4/providers/dns/westcn"
+import "github.com/go-acme/lego/v4/providers/dns/yandex"
+import "github.com/go-acme/lego/v4/providers/dns/yandex360"
+import "github.com/go-acme/lego/v4/providers/dns/zoneee"
+import "github.com/go-acme/lego/v4/providers/dns/zonomi"
+
+const (
+	ProviderLocal            = "local"
+	ProviderPseudo           = "pseudo"
+	Provideracmedns          = "acmedns"
+	Provideractive24         = "active24"
+	Provideralidns           = "alidns"
+	Providerallinkl          = "allinkl"
+	Providerarvancloud       = "arvancloud"
+	Providerauroradns        = "auroradns"
+	Providerautodns          = "autodns"
+	Provideraxelname         = "axelname"
+	Providerazuredns         = "azuredns"
+	Providerbaiducloud       = "baiducloud"
+	Providerbindman          = "bindman"
+	Providerbluecat          = "bluecat"
+	Providerbookmyname       = "bookmyname"
+	Providerbunny            = "bunny"
+	Providercheckdomain      = "checkdomain"
+	Providercivo             = "civo"
+	Providerclouddns         = "clouddns"
+	Providercloudflare       = "cloudflare"
+	Providercloudns          = "cloudns"
+	Providercloudru          = "cloudru"
+	Providerconoha           = "conoha"
+	Providerconstellix       = "constellix"
+	Providercorenetworks     = "corenetworks"
+	Providercpanel           = "cpanel"
+	Providerderak            = "derak"
+	Providerdesec            = "desec"
+	Providerdesignate        = "designate"
+	Providerdigitalocean     = "digitalocean"
+	Providerdirectadmin      = "directadmin"
+	Providerdnshomede        = "dnshomede"
+	Providerdnsimple         = "dnsimple"
+	Providerdnsmadeeasy      = "dnsmadeeasy"
+	Providerdode             = "dode"
+	Providerdomeneshop       = "domeneshop"
+	Providerdreamhost        = "dreamhost"
+	Providerduckdns          = "duckdns"
+	Providerdyn              = "dyn"
+	Providerdynu             = "dynu"
+	Providereasydns          = "easydns"
+	Provideredgedns          = "edgedns"
+	Providerefficientip      = "efficientip"
+	Providerepik             = "epik"
+	Providerexec             = "exec"
+	Providerexoscale         = "exoscale"
+	Providerf5xc             = "f5xc"
+	Providerfreemyip         = "freemyip"
+	Providergandi            = "gandi"
+	Providergandiv5          = "gandiv5"
+	Providergcloud           = "gcloud"
+	Providergcore            = "gcore"
+	Providerglesys           = "glesys"
+	Providergodaddy          = "godaddy"
+	Providergoogledomains    = "googledomains"
+	Providerhetzner          = "hetzner"
+	Providerhostingde        = "hostingde"
+	Providerhosttech         = "hosttech"
+	Providerhttpnet          = "httpnet"
+	Providerhttpreq          = "httpreq"
+	Providerhuaweicloud      = "huaweicloud"
+	Providerhurricane        = "hurricane"
+	Providerhyperone         = "hyperone"
+	Provideribmcloud         = "ibmcloud"
+	Provideriij              = "iij"
+	Provideriijdpf           = "iijdpf"
+	Providerinfoblox         = "infoblox"
+	Providerinfomaniak       = "infomaniak"
+	Providerinternetbs       = "internetbs"
+	Providerinwx             = "inwx"
+	Providerionos            = "ionos"
+	Provideripv64            = "ipv64"
+	Provideriwantmyname      = "iwantmyname"
+	Providerjoker            = "joker"
+	Providerliara            = "liara"
+	Providerlightsail        = "lightsail"
+	Providerlimacity         = "limacity"
+	Providerlinode           = "linode"
+	Providerliquidweb        = "liquidweb"
+	Providerloopia           = "loopia"
+	Providerluadns           = "luadns"
+	Providermailinabox       = "mailinabox"
+	Providermanageengine     = "manageengine"
+	Providermetaname         = "metaname"
+	Providermetaregistrar    = "metaregistrar"
+	Providermijnhost         = "mijnhost"
+	Providermittwald         = "mittwald"
+	Providermyaddr           = "myaddr"
+	Providermydnsjp          = "mydnsjp"
+	Providernamecheap        = "namecheap"
+	Providernamedotcom       = "namedotcom"
+	Providernamesilo         = "namesilo"
+	Providernearlyfreespeech = "nearlyfreespeech"
+	Providernetcup           = "netcup"
+	Providernetlify          = "netlify"
+	Providernicmanager       = "nicmanager"
+	Providernifcloud         = "nifcloud"
+	Providernjalla           = "njalla"
+	Providernodion           = "nodion"
+	Providerns1              = "ns1"
+	Provideroraclecloud      = "oraclecloud"
+	Providerotc              = "otc"
+	Providerovh              = "ovh"
+	Providerpdns             = "pdns"
+	Providerplesk            = "plesk"
+	Providerporkbun          = "porkbun"
+	Providerrackspace        = "rackspace"
+	Providerrainyun          = "rainyun"
+	Providerrcodezero        = "rcodezero"
+	Providerregfish          = "regfish"
+	Providerregru            = "regru"
+	Providerrfc2136          = "rfc2136"
+	Providerrimuhosting      = "rimuhosting"
+	Providerroute53          = "route53"
+	Providersafedns          = "safedns"
+	Providersakuracloud      = "sakuracloud"
+	Providerscaleway         = "scaleway"
+	Providerselectel         = "selectel"
+	Providerselectelv2       = "selectelv2"
+	Providerselfhostde       = "selfhostde"
+	Providerservercow        = "servercow"
+	Providershellrent        = "shellrent"
+	Providersimply           = "simply"
+	Providersonic            = "sonic"
+	Providerspaceship        = "spaceship"
+	Providerstackpath        = "stackpath"
+	Providertechnitium       = "technitium"
+	Providertencentcloud     = "tencentcloud"
+	Providertimewebcloud     = "timewebcloud"
+	Providertransip          = "transip"
+	Providerultradns         = "ultradns"
+	Providervariomedia       = "variomedia"
+	Providervegadns          = "vegadns"
+	Providervercel           = "vercel"
+	Providerversio           = "versio"
+	Providervinyldns         = "vinyldns"
+	Providervkcloud          = "vkcloud"
+	Providervolcengine       = "volcengine"
+	Providervscale           = "vscale"
+	Providervultr            = "vultr"
+	Providerwebnames         = "webnames"
+	Providerwebsupport       = "websupport"
+	Providerwedos            = "wedos"
+	Providerwestcn           = "westcn"
+	Provideryandex           = "yandex"
+	Provideryandex360        = "yandex360"
+	Providerzoneee           = "zoneee"
+	Providerzonomi           = "zonomi"
+)
+
+var providers = map[string]ProviderGenerator{
+	ProviderLocal:            providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
+	ProviderPseudo:           providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
+	Provideracmedns:          providerGenerator(acmedns.NewDefaultConfig, acmedns.NewDNSProviderConfig),
+	Provideractive24:         providerGenerator(active24.NewDefaultConfig, active24.NewDNSProviderConfig),
+	Provideralidns:           providerGenerator(alidns.NewDefaultConfig, alidns.NewDNSProviderConfig),
+	Providerallinkl:          providerGenerator(allinkl.NewDefaultConfig, allinkl.NewDNSProviderConfig),
+	Providerarvancloud:       providerGenerator(arvancloud.NewDefaultConfig, arvancloud.NewDNSProviderConfig),
+	Providerauroradns:        providerGenerator(auroradns.NewDefaultConfig, auroradns.NewDNSProviderConfig),
+	Providerautodns:          providerGenerator(autodns.NewDefaultConfig, autodns.NewDNSProviderConfig),
+	Provideraxelname:         providerGenerator(axelname.NewDefaultConfig, axelname.NewDNSProviderConfig),
+	Providerazuredns:         providerGenerator(azuredns.NewDefaultConfig, azuredns.NewDNSProviderConfig),
+	Providerbaiducloud:       providerGenerator(baiducloud.NewDefaultConfig, baiducloud.NewDNSProviderConfig),
+	Providerbindman:          providerGenerator(bindman.NewDefaultConfig, bindman.NewDNSProviderConfig),
+	Providerbluecat:          providerGenerator(bluecat.NewDefaultConfig, bluecat.NewDNSProviderConfig),
+	Providerbookmyname:       providerGenerator(bookmyname.NewDefaultConfig, bookmyname.NewDNSProviderConfig),
+	Providerbunny:            providerGenerator(bunny.NewDefaultConfig, bunny.NewDNSProviderConfig),
+	Providercheckdomain:      providerGenerator(checkdomain.NewDefaultConfig, checkdomain.NewDNSProviderConfig),
+	Providercivo:             providerGenerator(civo.NewDefaultConfig, civo.NewDNSProviderConfig),
+	Providerclouddns:         providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
+	Providercloudflare:       providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
+	Providercloudns:          providerGenerator(cloudns.NewDefaultConfig, cloudns.NewDNSProviderConfig),
+	Providercloudru:          providerGenerator(cloudru.NewDefaultConfig, cloudru.NewDNSProviderConfig),
+	Providerconoha:           providerGenerator(conoha.NewDefaultConfig, conoha.NewDNSProviderConfig),
+	Providerconstellix:       providerGenerator(constellix.NewDefaultConfig, constellix.NewDNSProviderConfig),
+	Providercorenetworks:     providerGenerator(corenetworks.NewDefaultConfig, corenetworks.NewDNSProviderConfig),
+	Providercpanel:           providerGenerator(cpanel.NewDefaultConfig, cpanel.NewDNSProviderConfig),
+	Providerderak:            providerGenerator(derak.NewDefaultConfig, derak.NewDNSProviderConfig),
+	Providerdesec:            providerGenerator(desec.NewDefaultConfig, desec.NewDNSProviderConfig),
+	Providerdesignate:        providerGenerator(designate.NewDefaultConfig, designate.NewDNSProviderConfig),
+	Providerdigitalocean:     providerGenerator(digitalocean.NewDefaultConfig, digitalocean.NewDNSProviderConfig),
+	Providerdirectadmin:      providerGenerator(directadmin.NewDefaultConfig, directadmin.NewDNSProviderConfig),
+	Providerdnshomede:        providerGenerator(dnshomede.NewDefaultConfig, dnshomede.NewDNSProviderConfig),
+	Providerdnsimple:         providerGenerator(dnsimple.NewDefaultConfig, dnsimple.NewDNSProviderConfig),
+	Providerdnsmadeeasy:      providerGenerator(dnsmadeeasy.NewDefaultConfig, dnsmadeeasy.NewDNSProviderConfig),
+	Providerdode:             providerGenerator(dode.NewDefaultConfig, dode.NewDNSProviderConfig),
+	Providerdomeneshop:       providerGenerator(domeneshop.NewDefaultConfig, domeneshop.NewDNSProviderConfig),
+	Providerdreamhost:        providerGenerator(dreamhost.NewDefaultConfig, dreamhost.NewDNSProviderConfig),
+	Providerduckdns:          providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
+	Providerdyn:              providerGenerator(dyn.NewDefaultConfig, dyn.NewDNSProviderConfig),
+	Providerdynu:             providerGenerator(dynu.NewDefaultConfig, dynu.NewDNSProviderConfig),
+	Providereasydns:          providerGenerator(easydns.NewDefaultConfig, easydns.NewDNSProviderConfig),
+	Provideredgedns:          providerGenerator(edgedns.NewDefaultConfig, edgedns.NewDNSProviderConfig),
+	Providerefficientip:      providerGenerator(efficientip.NewDefaultConfig, efficientip.NewDNSProviderConfig),
+	Providerepik:             providerGenerator(epik.NewDefaultConfig, epik.NewDNSProviderConfig),
+	Providerexec:             providerGenerator(exec.NewDefaultConfig, exec.NewDNSProviderConfig),
+	Providerexoscale:         providerGenerator(exoscale.NewDefaultConfig, exoscale.NewDNSProviderConfig),
+	Providerf5xc:             providerGenerator(f5xc.NewDefaultConfig, f5xc.NewDNSProviderConfig),
+	Providerfreemyip:         providerGenerator(freemyip.NewDefaultConfig, freemyip.NewDNSProviderConfig),
+	Providergandi:            providerGenerator(gandi.NewDefaultConfig, gandi.NewDNSProviderConfig),
+	Providergandiv5:          providerGenerator(gandiv5.NewDefaultConfig, gandiv5.NewDNSProviderConfig),
+	Providergcloud:           providerGenerator(gcloud.NewDefaultConfig, gcloud.NewDNSProviderConfig),
+	Providergcore:            providerGenerator(gcore.NewDefaultConfig, gcore.NewDNSProviderConfig),
+	Providerglesys:           providerGenerator(glesys.NewDefaultConfig, glesys.NewDNSProviderConfig),
+	Providergodaddy:          providerGenerator(godaddy.NewDefaultConfig, godaddy.NewDNSProviderConfig),
+	Providergoogledomains:    providerGenerator(googledomains.NewDefaultConfig, googledomains.NewDNSProviderConfig),
+	Providerhetzner:          providerGenerator(hetzner.NewDefaultConfig, hetzner.NewDNSProviderConfig),
+	Providerhostingde:        providerGenerator(hostingde.NewDefaultConfig, hostingde.NewDNSProviderConfig),
+	Providerhosttech:         providerGenerator(hosttech.NewDefaultConfig, hosttech.NewDNSProviderConfig),
+	Providerhttpnet:          providerGenerator(httpnet.NewDefaultConfig, httpnet.NewDNSProviderConfig),
+	Providerhttpreq:          providerGenerator(httpreq.NewDefaultConfig, httpreq.NewDNSProviderConfig),
+	Providerhuaweicloud:      providerGenerator(huaweicloud.NewDefaultConfig, huaweicloud.NewDNSProviderConfig),
+	Providerhurricane:        providerGenerator(hurricane.NewDefaultConfig, hurricane.NewDNSProviderConfig),
+	Providerhyperone:         providerGenerator(hyperone.NewDefaultConfig, hyperone.NewDNSProviderConfig),
+	Provideribmcloud:         providerGenerator(ibmcloud.NewDefaultConfig, ibmcloud.NewDNSProviderConfig),
+	Provideriij:              providerGenerator(iij.NewDefaultConfig, iij.NewDNSProviderConfig),
+	Provideriijdpf:           providerGenerator(iijdpf.NewDefaultConfig, iijdpf.NewDNSProviderConfig),
+	Providerinfoblox:         providerGenerator(infoblox.NewDefaultConfig, infoblox.NewDNSProviderConfig),
+	Providerinfomaniak:       providerGenerator(infomaniak.NewDefaultConfig, infomaniak.NewDNSProviderConfig),
+	Providerinternetbs:       providerGenerator(internetbs.NewDefaultConfig, internetbs.NewDNSProviderConfig),
+	Providerinwx:             providerGenerator(inwx.NewDefaultConfig, inwx.NewDNSProviderConfig),
+	Providerionos:            providerGenerator(ionos.NewDefaultConfig, ionos.NewDNSProviderConfig),
+	Provideripv64:            providerGenerator(ipv64.NewDefaultConfig, ipv64.NewDNSProviderConfig),
+	Provideriwantmyname:      providerGenerator(iwantmyname.NewDefaultConfig, iwantmyname.NewDNSProviderConfig),
+	Providerjoker:            providerGenerator(joker.NewDefaultConfig, joker.NewDNSProviderConfig),
+	Providerliara:            providerGenerator(liara.NewDefaultConfig, liara.NewDNSProviderConfig),
+	Providerlightsail:        providerGenerator(lightsail.NewDefaultConfig, lightsail.NewDNSProviderConfig),
+	Providerlimacity:         providerGenerator(limacity.NewDefaultConfig, limacity.NewDNSProviderConfig),
+	Providerlinode:           providerGenerator(linode.NewDefaultConfig, linode.NewDNSProviderConfig),
+	Providerliquidweb:        providerGenerator(liquidweb.NewDefaultConfig, liquidweb.NewDNSProviderConfig),
+	Providerloopia:           providerGenerator(loopia.NewDefaultConfig, loopia.NewDNSProviderConfig),
+	Providerluadns:           providerGenerator(luadns.NewDefaultConfig, luadns.NewDNSProviderConfig),
+	Providermailinabox:       providerGenerator(mailinabox.NewDefaultConfig, mailinabox.NewDNSProviderConfig),
+	Providermanageengine:     providerGenerator(manageengine.NewDefaultConfig, manageengine.NewDNSProviderConfig),
+	Providermetaname:         providerGenerator(metaname.NewDefaultConfig, metaname.NewDNSProviderConfig),
+	Providermetaregistrar:    providerGenerator(metaregistrar.NewDefaultConfig, metaregistrar.NewDNSProviderConfig),
+	Providermijnhost:         providerGenerator(mijnhost.NewDefaultConfig, mijnhost.NewDNSProviderConfig),
+	Providermittwald:         providerGenerator(mittwald.NewDefaultConfig, mittwald.NewDNSProviderConfig),
+	Providermyaddr:           providerGenerator(myaddr.NewDefaultConfig, myaddr.NewDNSProviderConfig),
+	Providermydnsjp:          providerGenerator(mydnsjp.NewDefaultConfig, mydnsjp.NewDNSProviderConfig),
+	Providernamecheap:        providerGenerator(namecheap.NewDefaultConfig, namecheap.NewDNSProviderConfig),
+	Providernamedotcom:       providerGenerator(namedotcom.NewDefaultConfig, namedotcom.NewDNSProviderConfig),
+	Providernamesilo:         providerGenerator(namesilo.NewDefaultConfig, namesilo.NewDNSProviderConfig),
+	Providernearlyfreespeech: providerGenerator(nearlyfreespeech.NewDefaultConfig, nearlyfreespeech.NewDNSProviderConfig),
+	Providernetcup:           providerGenerator(netcup.NewDefaultConfig, netcup.NewDNSProviderConfig),
+	Providernetlify:          providerGenerator(netlify.NewDefaultConfig, netlify.NewDNSProviderConfig),
+	Providernicmanager:       providerGenerator(nicmanager.NewDefaultConfig, nicmanager.NewDNSProviderConfig),
+	Providernifcloud:         providerGenerator(nifcloud.NewDefaultConfig, nifcloud.NewDNSProviderConfig),
+	Providernjalla:           providerGenerator(njalla.NewDefaultConfig, njalla.NewDNSProviderConfig),
+	Providernodion:           providerGenerator(nodion.NewDefaultConfig, nodion.NewDNSProviderConfig),
+	Providerns1:              providerGenerator(ns1.NewDefaultConfig, ns1.NewDNSProviderConfig),
+	Provideroraclecloud:      providerGenerator(oraclecloud.NewDefaultConfig, oraclecloud.NewDNSProviderConfig),
+	Providerotc:              providerGenerator(otc.NewDefaultConfig, otc.NewDNSProviderConfig),
+	Providerovh:              providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
+	Providerpdns:             providerGenerator(pdns.NewDefaultConfig, pdns.NewDNSProviderConfig),
+	Providerplesk:            providerGenerator(plesk.NewDefaultConfig, plesk.NewDNSProviderConfig),
+	Providerporkbun:          providerGenerator(porkbun.NewDefaultConfig, porkbun.NewDNSProviderConfig),
+	Providerrackspace:        providerGenerator(rackspace.NewDefaultConfig, rackspace.NewDNSProviderConfig),
+	Providerrainyun:          providerGenerator(rainyun.NewDefaultConfig, rainyun.NewDNSProviderConfig),
+	Providerrcodezero:        providerGenerator(rcodezero.NewDefaultConfig, rcodezero.NewDNSProviderConfig),
+	Providerregfish:          providerGenerator(regfish.NewDefaultConfig, regfish.NewDNSProviderConfig),
+	Providerregru:            providerGenerator(regru.NewDefaultConfig, regru.NewDNSProviderConfig),
+	Providerrfc2136:          providerGenerator(rfc2136.NewDefaultConfig, rfc2136.NewDNSProviderConfig),
+	Providerrimuhosting:      providerGenerator(rimuhosting.NewDefaultConfig, rimuhosting.NewDNSProviderConfig),
+	Providerroute53:          providerGenerator(route53.NewDefaultConfig, route53.NewDNSProviderConfig),
+	Providersafedns:          providerGenerator(safedns.NewDefaultConfig, safedns.NewDNSProviderConfig),
+	Providersakuracloud:      providerGenerator(sakuracloud.NewDefaultConfig, sakuracloud.NewDNSProviderConfig),
+	Providerscaleway:         providerGenerator(scaleway.NewDefaultConfig, scaleway.NewDNSProviderConfig),
+	Providerselectel:         providerGenerator(selectel.NewDefaultConfig, selectel.NewDNSProviderConfig),
+	Providerselectelv2:       providerGenerator(selectelv2.NewDefaultConfig, selectelv2.NewDNSProviderConfig),
+	Providerselfhostde:       providerGenerator(selfhostde.NewDefaultConfig, selfhostde.NewDNSProviderConfig),
+	Providerservercow:        providerGenerator(servercow.NewDefaultConfig, servercow.NewDNSProviderConfig),
+	Providershellrent:        providerGenerator(shellrent.NewDefaultConfig, shellrent.NewDNSProviderConfig),
+	Providersimply:           providerGenerator(simply.NewDefaultConfig, simply.NewDNSProviderConfig),
+	Providersonic:            providerGenerator(sonic.NewDefaultConfig, sonic.NewDNSProviderConfig),
+	Providerspaceship:        providerGenerator(spaceship.NewDefaultConfig, spaceship.NewDNSProviderConfig),
+	Providerstackpath:        providerGenerator(stackpath.NewDefaultConfig, stackpath.NewDNSProviderConfig),
+	Providertechnitium:       providerGenerator(technitium.NewDefaultConfig, technitium.NewDNSProviderConfig),
+	Providertencentcloud:     providerGenerator(tencentcloud.NewDefaultConfig, tencentcloud.NewDNSProviderConfig),
+	Providertimewebcloud:     providerGenerator(timewebcloud.NewDefaultConfig, timewebcloud.NewDNSProviderConfig),
+	Providertransip:          providerGenerator(transip.NewDefaultConfig, transip.NewDNSProviderConfig),
+	Providerultradns:         providerGenerator(ultradns.NewDefaultConfig, ultradns.NewDNSProviderConfig),
+	Providervariomedia:       providerGenerator(variomedia.NewDefaultConfig, variomedia.NewDNSProviderConfig),
+	Providervegadns:          providerGenerator(vegadns.NewDefaultConfig, vegadns.NewDNSProviderConfig),
+	Providervercel:           providerGenerator(vercel.NewDefaultConfig, vercel.NewDNSProviderConfig),
+	Providerversio:           providerGenerator(versio.NewDefaultConfig, versio.NewDNSProviderConfig),
+	Providervinyldns:         providerGenerator(vinyldns.NewDefaultConfig, vinyldns.NewDNSProviderConfig),
+	Providervkcloud:          providerGenerator(vkcloud.NewDefaultConfig, vkcloud.NewDNSProviderConfig),
+	Providervolcengine:       providerGenerator(volcengine.NewDefaultConfig, volcengine.NewDNSProviderConfig),
+	Providervscale:           providerGenerator(vscale.NewDefaultConfig, vscale.NewDNSProviderConfig),
+	Providervultr:            providerGenerator(vultr.NewDefaultConfig, vultr.NewDNSProviderConfig),
+	Providerwebnames:         providerGenerator(webnames.NewDefaultConfig, webnames.NewDNSProviderConfig),
+	Providerwebsupport:       providerGenerator(websupport.NewDefaultConfig, websupport.NewDNSProviderConfig),
+	Providerwedos:            providerGenerator(wedos.NewDefaultConfig, wedos.NewDNSProviderConfig),
+	Providerwestcn:           providerGenerator(westcn.NewDefaultConfig, westcn.NewDNSProviderConfig),
+	Provideryandex:           providerGenerator(yandex.NewDefaultConfig, yandex.NewDNSProviderConfig),
+	Provideryandex360:        providerGenerator(yandex360.NewDefaultConfig, yandex360.NewDNSProviderConfig),
+	Providerzoneee:           providerGenerator(zoneee.NewDefaultConfig, zoneee.NewDNSProviderConfig),
+	Providerzonomi:           providerGenerator(zonomi.NewDefaultConfig, zonomi.NewDNSProviderConfig),
+}
--- a/internal/common/constants.go
+++ b/internal/common/constants.go
@@ -10,19 +10,24 @@ const (
 	DotEnvPath        = ".env"
 	DotEnvExamplePath = ".env.example"

-	ConfigBasePath         = "config"
-	ConfigFileName         = "config.yml"
-	ConfigExampleFileName  = "config.example.yml"
-	ConfigPath             = ConfigBasePath + "/" + ConfigFileName
-	HomepageJSONConfigPath = ConfigBasePath + "/.homepage.json"
-	IconListCachePath      = ConfigBasePath + "/.icon_list_cache.json"
-	IconCachePath          = ConfigBasePath + "/.icon_cache.json"
+	ConfigBasePath        = "config"
+	ConfigFileName        = "config.yml"
+	ConfigExampleFileName = "config.example.yml"
+	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
+
+	IconListCachePath = ConfigBasePath + "/.icon_list_cache.json"
+	IconCachePath     = ConfigBasePath + "/.icon_cache.json"
+
+	NamespaceHomepageOverrides = ".homepage"
+	NamespaceIconCache         = ".icon_cache"

 	MiddlewareComposeBasePath = ConfigBasePath + "/middlewares"

 	ComposeFileName        = "compose.yml"
 	ComposeExampleFileName = "compose.example.yml"

+	DataDir = "data"
+
 	ErrorPagesBasePath = "error_pages"

 	AgentCertsBasePath = "certs"
@@ -40,7 +45,7 @@ const (
 	HealthCheckIntervalDefault = 5 * time.Second
 	HealthCheckTimeoutDefault  = 5 * time.Second

-	WakeTimeoutDefault = "30s"
-	StopTimeoutDefault = "30s"
+	WakeTimeoutDefault = "3m"
+	StopTimeoutDefault = "3m"
 	StopMethodDefault  = "stop"
 )
--- a/internal/common/crypto.go
+++ b/internal/common/crypto.go
@@ -13,7 +13,7 @@ func decodeJWTKey(key string) []byte {
 	}
 	bytes, err := base64.StdEncoding.DecodeString(key)
 	if err != nil {
-		log.Panic().Err(err).Msg("failed to decode jwt key")
+		log.Fatal().Str("key", key).Err(err).Msg("failed to decode secret")
 	}
 	return bytes
 }
@@ -22,7 +22,7 @@ func RandomJWTKey() []byte {
 	key := make([]byte, 32)
 	_, err := rand.Read(key)
 	if err != nil {
-		log.Panic().Err(err).Msg("failed to generate random jwt key")
+		log.Fatal().Err(err).Msg("failed to generate random jwt key")
 	}
 	return key
 }
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -19,6 +19,8 @@ var (
 	IsDebug = GetEnvBool("DEBUG", IsTest)
 	IsTrace = GetEnvBool("TRACE", false) && IsDebug

+	HTTP3Enabled = GetEnvBool("HTTP3_ENABLED", true)
+
 	ProxyHTTPAddr,
 	ProxyHTTPHost,
 	ProxyHTTPPort,
@@ -34,11 +36,9 @@ var (
 	APIHTTPPort,
 	APIHTTPURL = GetAddrEnv("API_ADDR", "127.0.0.1:8888", "http")

-	PrometheusEnabled = GetEnvBool("PROMETHEUS_ENABLED", false)
-
 	APIJWTSecure   = GetEnvBool("API_JWT_SECURE", true)
 	APIJWTSecret   = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
-	APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
+	APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", 24*time.Hour)
 	APIUser        = GetEnvString("API_USER", "admin")
 	APIPassword    = GetEnvString("API_PASSWORD", "password")

@@ -48,7 +48,6 @@ var (
 	OIDCIssuerURL     = GetEnvString("OIDC_ISSUER_URL", "")
 	OIDCClientID      = GetEnvString("OIDC_CLIENT_ID", "")
 	OIDCClientSecret  = GetEnvString("OIDC_CLIENT_SECRET", "")
-	OIDCRedirectURL   = GetEnvString("OIDC_REDIRECT_URL", "")
 	OIDCScopes        = GetEnvString("OIDC_SCOPES", "openid, profile, email")
 	OIDCAllowedUsers  = GetCommaSepEnv("OIDC_ALLOWED_USERS", "")
 	OIDCAllowedGroups = GetCommaSepEnv("OIDC_ALLOWED_GROUPS", "")
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -197,6 +197,7 @@ func (cfg *Config) StartServers(opts ...*StartServersOptions) {
 			HTTPAddr:     common.ProxyHTTPAddr,
 			HTTPSAddr:    common.ProxyHTTPSAddr,
 			Handler:      cfg.entrypoint,
+			ACL:          cfg.value.ACL,
 		})
 	}
 	if opt.API {
@@ -237,6 +238,14 @@ func (cfg *Config) load() gperr.Error {
 		}
 	}
 	cfg.entrypoint.SetFindRouteDomains(model.MatchDomains)
+	if model.ACL.Valid() {
+		err := model.ACL.Start(cfg.task)
+		if err != nil {
+			errs.Add(err)
+		} else {
+			logging.Info().Msg("ACL started")
+		}
+	}

 	return errs.Error()
 }
@@ -319,6 +328,7 @@ func (cfg *Config) loadRouteProviders(providers *config.Providers) gperr.Error {
 			lenLongestName = len(k)
 		}
 	})
+	results.EnableConcurrency()
 	cfg.providers.RangeAllParallel(func(_ string, p *proxy.Provider) {
 		if err := p.LoadRoutes(); err != nil {
 			errs.Add(err.Subject(p.String()))
--- a/internal/config/types/config.go
+++ b/internal/config/types/config.go
@@ -1,4 +1,4 @@
-package types
+package config

 import (
 	"context"
@@ -7,15 +7,17 @@ import (

 	"github.com/go-playground/validator/v10"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/internal/acl"
 	"github.com/yusing/go-proxy/internal/autocert"
 	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/accesslog"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
 	"github.com/yusing/go-proxy/internal/notif"
 	"github.com/yusing/go-proxy/internal/utils"
 )

 type (
 	Config struct {
+		ACL             *acl.Config              `json:"acl"`
 		AutoCert        *autocert.AutocertConfig `json:"autocert"`
 		Entrypoint      Entrypoint               `json:"entrypoint"`
 		Providers       Providers                `json:"providers"`
@@ -30,8 +32,11 @@ type (
 		Notification []notif.NotificationConfig `json:"notification" yaml:"notification,omitempty"`
 	}
 	Entrypoint struct {
-		Middlewares []map[string]any  `json:"middlewares"`
-		AccessLog   *accesslog.Config `json:"access_log" validate:"omitempty"`
+		Middlewares []map[string]any               `json:"middlewares"`
+		AccessLog   *accesslog.RequestLoggerConfig `json:"access_log" validate:"omitempty"`
+	}
+	HomepageConfig struct {
+		UseDefaultCategories bool `json:"use_default_categories"`
 	}

 	ConfigInstance interface {
--- a/internal/config/types/homepage_config.go
+++ b/internal/config/types/homepage_config.go
@@ -1,5 +0,0 @@
-package types
-
-type HomepageConfig struct {
-	UseDefaultCategories bool `json:"use_default_categories"`
-}
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"net"
 	"net/http"
 	"sync"
@@ -23,10 +24,10 @@ type (
 	SharedClient struct {
 		*client.Client

-		key      string
 		refCount uint32
 		closedOn int64

+		key  string
 		addr string
 		dial func(ctx context.Context) (net.Conn, error)
 	}
@@ -45,7 +46,7 @@ const (
 )

 func initClientCleaner() {
-	cleaner := task.RootTask("docker_clients_cleaner")
+	cleaner := task.RootTask("docker_clients_cleaner", false)
 	go func() {
 		ticker := time.NewTicker(cleanInterval)
 		defer ticker.Stop()
@@ -66,7 +67,7 @@ func initClientCleaner() {
 		defer clientMapMu.Unlock()

 		for _, c := range clientMap {
-			delete(clientMap, c.key)
+			delete(clientMap, c.Key())
 			c.Client.Close()
 		}
 	})
@@ -80,30 +81,20 @@ func closeTimedOutClients() {

 	for _, c := range clientMap {
 		if atomic.LoadUint32(&c.refCount) == 0 && now-atomic.LoadInt64(&c.closedOn) > clientTTLSecs {
-			delete(clientMap, c.key)
+			delete(clientMap, c.Key())
 			c.Client.Close()
-			logging.Debug().Str("host", c.key).Msg("docker client closed")
+			logging.Debug().Str("host", c.DaemonHost()).Msg("docker client closed")
 		}
 	}
 }

-func (c *SharedClient) Address() string {
-	return c.addr
-}
+func Clients() map[string]*SharedClient {
+	clientMapMu.RLock()
+	defer clientMapMu.RUnlock()

-func (c *SharedClient) CheckConnection(ctx context.Context) error {
-	conn, err := c.dial(ctx)
-	if err != nil {
-		return err
-	}
-	conn.Close()
-	return nil
-}
-
-// if the client is still referenced, this is no-op.
-func (c *SharedClient) Close() {
-	atomic.StoreInt64(&c.closedOn, time.Now().Unix())
-	atomic.AddUint32(&c.refCount, ^uint32(0))
+	clients := make(map[string]*SharedClient, len(clientMap))
+	maps.Copy(clients, clientMap)
+	return clients
 }

 // NewClient creates a new Docker client connection to the specified host.
@@ -187,9 +178,9 @@ func NewClient(host string) (*SharedClient, error) {

 	c := &SharedClient{
 		Client:   client,
-		key:      host,
 		refCount: 1,
 		addr:     addr,
+		key:      host,
 		dial:     dial,
 	}

@@ -197,9 +188,35 @@ func NewClient(host string) (*SharedClient, error) {
 	if c.dial == nil {
 		c.dial = client.Dialer()
 	}
+	if c.addr == "" {
+		c.addr = c.Client.DaemonHost()
+	}

 	defer logging.Debug().Str("host", host).Msg("docker client initialized")

-	clientMap[c.key] = c
+	clientMap[c.Key()] = c
 	return c, nil
 }
+
+func (c *SharedClient) Key() string {
+	return c.key
+}
+
+func (c *SharedClient) Address() string {
+	return c.addr
+}
+
+func (c *SharedClient) CheckConnection(ctx context.Context) error {
+	conn, err := c.dial(ctx)
+	if err != nil {
+		return err
+	}
+	conn.Close()
+	return nil
+}
+
+// if the client is still referenced, this is no-op.
+func (c *SharedClient) Close() {
+	atomic.StoreInt64(&c.closedOn, time.Now().Unix())
+	atomic.AddUint32(&c.refCount, ^uint32(0))
+}
--- a/internal/docker/container.go
+++ b/internal/docker/container.go
@@ -6,12 +6,13 @@ import (
 	"strings"

 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/go-connections/nat"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	idlewatcher "github.com/yusing/go-proxy/internal/idlewatcher/types"
 	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/utils"
 	U "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

 type (
@@ -26,7 +27,8 @@ type (

 		Agent *agent.AgentConfig `json:"agent"`

-		Labels map[string]string `json:"-"`
+		Labels            map[string]string   `json:"-"`
+		IdlewatcherConfig *idlewatcher.Config `json:"idlewatcher_config"`

 		Mounts []string `json:"mounts"`

@@ -35,16 +37,10 @@ type (
 		PublicHostname     string      `json:"public_hostname"`
 		PrivateHostname    string      `json:"private_hostname"`

-		Aliases       []string `json:"aliases"`
-		IsExcluded    bool     `json:"is_excluded"`
-		IsExplicit    bool     `json:"is_explicit"`
-		IdleTimeout   string   `json:"idle_timeout,omitempty"`
-		WakeTimeout   string   `json:"wake_timeout,omitempty"`
-		StopMethod    string   `json:"stop_method,omitempty"`
-		StopTimeout   string   `json:"stop_timeout,omitempty"` // stop_method = "stop" only
-		StopSignal    string   `json:"stop_signal,omitempty"`  // stop_method = "stop" | "kill" only
-		StartEndpoint string   `json:"start_endpoint,omitempty"`
-		Running       bool     `json:"running"`
+		Aliases    []string `json:"aliases"`
+		IsExcluded bool     `json:"is_excluded"`
+		IsExplicit bool     `json:"is_explicit"`
+		Running    bool     `json:"running"`
 	}
 	ContainerImage struct {
 		Author string `json:"author,omitempty"`
@@ -55,7 +51,7 @@ type (

 var DummyContainer = new(Container)

-func FromDocker(c *container.Summary, dockerHost string) (res *Container) {
+func FromDocker(c *container.SummaryTrimmed, dockerHost string) (res *Container) {
 	isExplicit := false
 	helper := containerHelper{c}
 	for lbl := range c.Labels {
@@ -65,6 +61,8 @@ func FromDocker(c *container.Summary, dockerHost string) (res *Container) {
 			delete(c.Labels, lbl)
 		}
 	}
+
+	isExcluded, _ := strconv.ParseBool(helper.getDeleteLabel(LabelExclude))
 	res = &Container{
 		DockerHost:    dockerHost,
 		Image:         helper.parseImage(),
@@ -78,16 +76,10 @@ func FromDocker(c *container.Summary, dockerHost string) (res *Container) {
 		PublicPortMapping:  helper.getPublicPortMapping(),
 		PrivatePortMapping: helper.getPrivatePortMapping(),

-		Aliases:       helper.getAliases(),
-		IsExcluded:    strutils.ParseBool(helper.getDeleteLabel(LabelExclude)),
-		IsExplicit:    isExplicit,
-		IdleTimeout:   helper.getDeleteLabel(LabelIdleTimeout),
-		WakeTimeout:   helper.getDeleteLabel(LabelWakeTimeout),
-		StopMethod:    helper.getDeleteLabel(LabelStopMethod),
-		StopTimeout:   helper.getDeleteLabel(LabelStopTimeout),
-		StopSignal:    helper.getDeleteLabel(LabelStopSignal),
-		StartEndpoint: helper.getDeleteLabel(LabelStartEndpoint),
-		Running:       c.Status == "running" || c.State == "running",
+		Aliases:    helper.getAliases(),
+		IsExcluded: isExcluded,
+		IsExplicit: isExplicit,
+		Running:    c.Status == "running" || c.State == "running",
 	}

 	if agent.IsDockerHostAgent(dockerHost) {
@@ -100,44 +92,10 @@ func FromDocker(c *container.Summary, dockerHost string) (res *Container) {

 	res.setPrivateHostname(helper)
 	res.setPublicHostname()
+	res.loadDeleteIdlewatcherLabels(helper)
 	return
 }

-func FromInspectResponse(json container.InspectResponse, dockerHost string) *Container {
-	ports := make([]container.Port, 0)
-	for k, bindings := range json.NetworkSettings.Ports {
-		proto, privPortStr := nat.SplitProtoPort(string(k))
-		privPort, _ := strconv.ParseUint(privPortStr, 10, 16)
-		ports = append(ports, container.Port{
-			PrivatePort: uint16(privPort),
-			Type:        proto,
-		})
-		for _, v := range bindings {
-			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
-			ports = append(ports, container.Port{
-				IP:          v.HostIP,
-				PublicPort:  uint16(pubPort),
-				PrivatePort: uint16(privPort),
-				Type:        proto,
-			})
-		}
-	}
-	cont := FromDocker(&container.Summary{
-		ID:     json.ID,
-		Names:  []string{strings.TrimPrefix(json.Name, "/")},
-		Image:  json.Image,
-		Ports:  ports,
-		Labels: json.Config.Labels,
-		State:  json.State.Status,
-		Status: json.State.Status,
-		Mounts: json.Mounts,
-		NetworkSettings: &container.NetworkSettingsSummary{
-			Networks: json.NetworkSettings.Networks,
-		},
-	}, dockerHost)
-	return cont
-}
-
 func (c *Container) IsBlacklisted() bool {
 	return c.Image.IsBlacklisted() || c.isDatabase()
 }
@@ -200,3 +158,31 @@ func (c *Container) setPrivateHostname(helper containerHelper) {
 		return
 	}
 }
+
+func (c *Container) loadDeleteIdlewatcherLabels(helper containerHelper) {
+	cfg := map[string]any{
+		"idle_timeout":   helper.getDeleteLabel(LabelIdleTimeout),
+		"wake_timeout":   helper.getDeleteLabel(LabelWakeTimeout),
+		"stop_method":    helper.getDeleteLabel(LabelStopMethod),
+		"stop_timeout":   helper.getDeleteLabel(LabelStopTimeout),
+		"stop_signal":    helper.getDeleteLabel(LabelStopSignal),
+		"start_endpoint": helper.getDeleteLabel(LabelStartEndpoint),
+	}
+	// set only if idlewatcher is enabled
+	idleTimeout := cfg["idle_timeout"]
+	if idleTimeout != "" {
+		idwCfg := &idlewatcher.Config{
+			Docker: &idlewatcher.DockerConfig{
+				DockerHost:    c.DockerHost,
+				ContainerID:   c.ContainerID,
+				ContainerName: c.ContainerName,
+			},
+		}
+		err := utils.Deserialize(cfg, idwCfg)
+		if err != nil {
+			gperr.LogWarn("invalid idlewatcher config", gperr.PrependSubject(c.ContainerName, err))
+		} else {
+			c.IdlewatcherConfig = idwCfg
+		}
+	}
+}
--- a/internal/docker/container_helper.go
+++ b/internal/docker/container_helper.go
@@ -8,7 +8,7 @@ import (
 )

 type containerHelper struct {
-	*container.Summary
+	*container.SummaryTrimmed
 }

 // getDeleteLabel gets the value of a label and then deletes it from the container.
--- a/internal/docker/container_test.go
+++ b/internal/docker/container_test.go
@@ -36,7 +36,7 @@ func TestContainerExplicit(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := FromDocker(&container.Summary{Names: []string{"test"}, State: "test", Labels: tt.labels}, "")
+			c := FromDocker(&container.SummaryTrimmed{Names: []string{"test"}, State: "test", Labels: tt.labels}, "")
 			ExpectEqual(t, c.IsExplicit, tt.isExplicit)
 		})
 	}
--- a/internal/docker/idlewatcher/container.go
+++ b/internal/docker/idlewatcher/container.go
@@ -1,60 +0,0 @@
-package idlewatcher
-
-import (
-	"context"
-	"errors"
-
-	"github.com/docker/docker/api/types/container"
-)
-
-type (
-	containerMeta struct {
-		ContainerID, ContainerName string
-	}
-	containerState struct {
-		running bool
-		ready   bool
-		err     error
-	}
-)
-
-func (w *Watcher) ContainerID() string {
-	return w.route.ContainerInfo().ContainerID
-}
-
-func (w *Watcher) ContainerName() string {
-	return w.route.ContainerInfo().ContainerName
-}
-
-func (w *Watcher) containerStop(ctx context.Context) error {
-	return w.client.ContainerStop(ctx, w.ContainerID(), container.StopOptions{
-		Signal:  string(w.Config().StopSignal),
-		Timeout: &w.Config().StopTimeout,
-	})
-}
-
-func (w *Watcher) containerPause(ctx context.Context) error {
-	return w.client.ContainerPause(ctx, w.ContainerID())
-}
-
-func (w *Watcher) containerKill(ctx context.Context) error {
-	return w.client.ContainerKill(ctx, w.ContainerID(), string(w.Config().StopSignal))
-}
-
-func (w *Watcher) containerUnpause(ctx context.Context) error {
-	return w.client.ContainerUnpause(ctx, w.ContainerID())
-}
-
-func (w *Watcher) containerStart(ctx context.Context) error {
-	return w.client.ContainerStart(ctx, w.ContainerID(), container.StartOptions{})
-}
-
-func (w *Watcher) containerStatus() (string, error) {
-	ctx, cancel := context.WithTimeoutCause(w.task.Context(), dockerReqTimeout, errors.New("docker request timeout"))
-	defer cancel()
-	json, err := w.client.ContainerInspect(ctx, w.ContainerID())
-	if err != nil {
-		return "", err
-	}
-	return json.State.Status, nil
-}
--- a/internal/docker/idlewatcher/state.go
+++ b/internal/docker/idlewatcher/state.go
@@ -1,39 +0,0 @@
-package idlewatcher
-
-func (w *Watcher) running() bool {
-	return w.state.Load().running
-}
-
-func (w *Watcher) ready() bool {
-	return w.state.Load().ready
-}
-
-func (w *Watcher) error() error {
-	return w.state.Load().err
-}
-
-func (w *Watcher) setReady() {
-	w.state.Store(&containerState{
-		running: true,
-		ready:   true,
-	})
-}
-
-func (w *Watcher) setStarting() {
-	w.state.Store(&containerState{
-		running: true,
-		ready:   false,
-	})
-}
-
-func (w *Watcher) setNapping() {
-	w.setError(nil)
-}
-
-func (w *Watcher) setError(err error) {
-	w.state.Store(&containerState{
-		running: false,
-		ready:   false,
-		err:     err,
-	})
-}
--- a/internal/docker/idlewatcher/types/config.go
+++ b/internal/docker/idlewatcher/types/config.go
@@ -1,110 +0,0 @@
-package types
-
-import (
-	"errors"
-	"net/url"
-	"strings"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/gperr"
-)
-
-type (
-	Config struct {
-		IdleTimeout   time.Duration `json:"idle_timeout,omitempty"`
-		WakeTimeout   time.Duration `json:"wake_timeout,omitempty"`
-		StopTimeout   int           `json:"stop_timeout,omitempty"` // docker api takes integer seconds for timeout argument
-		StopMethod    StopMethod    `json:"stop_method,omitempty"`
-		StopSignal    Signal        `json:"stop_signal,omitempty"`
-		StartEndpoint string        `json:"start_endpoint,omitempty"` // Optional path that must be hit to start container
-	}
-	StopMethod string
-	Signal     string
-)
-
-const (
-	StopMethodPause StopMethod = "pause"
-	StopMethodStop  StopMethod = "stop"
-	StopMethodKill  StopMethod = "kill"
-)
-
-var validSignals = map[string]struct{}{
-	"":       {},
-	"SIGINT": {}, "SIGTERM": {}, "SIGHUP": {}, "SIGQUIT": {},
-	"INT": {}, "TERM": {}, "HUP": {}, "QUIT": {},
-}
-
-func ValidateConfig(cont *docker.Container) (*Config, gperr.Error) {
-	if cont == nil || cont.IdleTimeout == "" {
-		return nil, nil
-	}
-
-	errs := gperr.NewBuilder("invalid idlewatcher config")
-
-	idleTimeout := gperr.Collect(errs, validateDurationPostitive, cont.IdleTimeout)
-	wakeTimeout := gperr.Collect(errs, validateDurationPostitive, cont.WakeTimeout)
-	stopTimeout := gperr.Collect(errs, validateDurationPostitive, cont.StopTimeout)
-	stopMethod := gperr.Collect(errs, validateStopMethod, cont.StopMethod)
-	signal := gperr.Collect(errs, validateSignal, cont.StopSignal)
-	startEndpoint := gperr.Collect(errs, validateStartEndpoint, cont.StartEndpoint)
-
-	if errs.HasError() {
-		return nil, errs.Error()
-	}
-
-	return &Config{
-		IdleTimeout:   idleTimeout,
-		WakeTimeout:   wakeTimeout,
-		StopTimeout:   int(stopTimeout.Seconds()),
-		StopMethod:    stopMethod,
-		StopSignal:    signal,
-		StartEndpoint: startEndpoint,
-	}, nil
-}
-
-func validateDurationPostitive(value string) (time.Duration, error) {
-	d, err := time.ParseDuration(value)
-	if err != nil {
-		return 0, err
-	}
-	if d < 0 {
-		return 0, errors.New("duration must be positive")
-	}
-	return d, nil
-}
-
-func validateSignal(s string) (Signal, error) {
-	if _, ok := validSignals[s]; ok {
-		return Signal(s), nil
-	}
-	return "", errors.New("invalid signal " + s)
-}
-
-func validateStopMethod(s string) (StopMethod, error) {
-	sm := StopMethod(s)
-	switch sm {
-	case StopMethodPause, StopMethodStop, StopMethodKill:
-		return sm, nil
-	default:
-		return "", errors.New("invalid stop method " + s)
-	}
-}
-
-func validateStartEndpoint(s string) (string, error) {
-	if s == "" {
-		return "", nil
-	}
-	// checks needed as of Go 1.6 because of change https://github.com/golang/go/commit/617c93ce740c3c3cc28cdd1a0d712be183d0b328#diff-6c2d018290e298803c0c9419d8739885L195
-	// emulate browser and strip the '#' suffix prior to validation. see issue-#237
-	if i := strings.Index(s, "#"); i > -1 {
-		s = s[:i]
-	}
-	if len(s) == 0 {
-		return "", errors.New("start endpoint must not be empty if defined")
-	}
-	if _, err := url.ParseRequestURI(s); err != nil {
-		return "", err
-	}
-	return s, nil
-}
--- a/internal/docker/idlewatcher/waker.go
+++ b/internal/docker/idlewatcher/waker.go
@@ -1,181 +0,0 @@
-package idlewatcher
-
-import (
-	"time"
-
-	"github.com/yusing/go-proxy/internal/docker/idlewatcher/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/metrics"
-	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	net "github.com/yusing/go-proxy/internal/net/types"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/watcher/health"
-	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
-)
-
-type (
-	Waker = types.Waker
-	waker struct {
-		_ U.NoCopy
-
-		rp     *reverseproxy.ReverseProxy
-		stream net.Stream
-		hc     health.HealthChecker
-		metric *metrics.Gauge
-	}
-)
-
-const (
-	idleWakerCheckInterval = 100 * time.Millisecond
-	idleWakerCheckTimeout  = time.Second
-)
-
-// TODO: support stream
-
-func newWaker(parent task.Parent, route route.Route, rp *reverseproxy.ReverseProxy, stream net.Stream) (Waker, gperr.Error) {
-	hcCfg := route.HealthCheckConfig()
-	hcCfg.Timeout = idleWakerCheckTimeout
-
-	waker := &waker{
-		rp:     rp,
-		stream: stream,
-	}
-	watcher, err := registerWatcher(parent, route, waker)
-	if err != nil {
-		return nil, gperr.Errorf("register watcher: %w", err)
-	}
-
-	switch {
-	case route.IsAgent():
-		waker.hc = monitor.NewAgentProxiedMonitor(route.Agent(), hcCfg, monitor.AgentTargetFromURL(route.TargetURL()))
-	case rp != nil:
-		waker.hc = monitor.NewHTTPHealthChecker(route.TargetURL(), hcCfg)
-	case stream != nil:
-		waker.hc = monitor.NewRawHealthChecker(route.TargetURL(), hcCfg)
-	default:
-		panic("both nil")
-	}
-
-	return watcher, nil
-}
-
-// lifetime should follow route provider.
-func NewHTTPWaker(parent task.Parent, route route.Route, rp *reverseproxy.ReverseProxy) (Waker, gperr.Error) {
-	return newWaker(parent, route, rp, nil)
-}
-
-func NewStreamWaker(parent task.Parent, route route.Route, stream net.Stream) (Waker, gperr.Error) {
-	return newWaker(parent, route, nil, stream)
-}
-
-// Start implements health.HealthMonitor.
-func (w *Watcher) Start(parent task.Parent) gperr.Error {
-	w.task.OnCancel("route_cleanup", func() {
-		parent.Finish(w.task.FinishCause())
-		if w.metric != nil {
-			w.metric.Reset()
-		}
-	})
-	return nil
-}
-
-// Task implements health.HealthMonitor.
-func (w *Watcher) Task() *task.Task {
-	return w.task
-}
-
-// Finish implements health.HealthMonitor.
-func (w *Watcher) Finish(reason any) {
-	if w.stream != nil {
-		w.stream.Close()
-	}
-}
-
-// Name implements health.HealthMonitor.
-func (w *Watcher) Name() string {
-	return w.String()
-}
-
-// String implements health.HealthMonitor.
-func (w *Watcher) String() string {
-	return w.ContainerName()
-}
-
-// Uptime implements health.HealthMonitor.
-func (w *Watcher) Uptime() time.Duration {
-	return 0
-}
-
-// Latency implements health.HealthMonitor.
-func (w *Watcher) Latency() time.Duration {
-	return 0
-}
-
-// Status implements health.HealthMonitor.
-func (w *Watcher) Status() health.Status {
-	state := w.state.Load()
-	if state.err != nil {
-		return health.StatusError
-	}
-	if state.ready {
-		return health.StatusHealthy
-	}
-	if state.running {
-		return health.StatusStarting
-	}
-	return health.StatusNapping
-}
-
-func (w *Watcher) checkUpdateState() (ready bool, err error) {
-	// already ready
-	if w.ready() {
-		return true, nil
-	}
-
-	if !w.running() {
-		return false, nil
-	}
-
-	if w.metric != nil {
-		defer w.metric.Set(float64(w.Status()))
-	}
-
-	// the new container info not yet updated
-	if w.hc.URL().Host == "" {
-		return false, nil
-	}
-
-	res, err := w.hc.CheckHealth()
-	if err != nil {
-		w.setError(err)
-		return false, err
-	}
-
-	if res.Healthy {
-		w.setReady()
-		return true, nil
-	}
-	w.setStarting()
-	return false, nil
-}
-
-// MarshalJSON implements health.HealthMonitor.
-func (w *Watcher) MarshalJSON() ([]byte, error) {
-	var url *net.URL
-	if w.hc.URL().Port() != "0" {
-		url = w.hc.URL()
-	}
-	var detail string
-	if err := w.error(); err != nil {
-		detail = err.Error()
-	}
-	return (&monitor.JSONRepresentation{
-		Name:   w.Name(),
-		Status: w.Status(),
-		Config: w.hc.Config(),
-		URL:    url,
-		Detail: detail,
-	}).MarshalJSON()
-}
--- a/internal/docker/idlewatcher/watcher.go
+++ b/internal/docker/idlewatcher/watcher.go
@@ -1,279 +0,0 @@
-package idlewatcher
-
-import (
-	"context"
-	"errors"
-	"sync"
-	"time"
-
-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal/docker"
-	idlewatcher "github.com/yusing/go-proxy/internal/docker/idlewatcher/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/atomic"
-	"github.com/yusing/go-proxy/internal/watcher"
-	"github.com/yusing/go-proxy/internal/watcher/events"
-)
-
-type (
-	Watcher struct {
-		_ U.NoCopy
-
-		zerolog.Logger
-
-		*waker
-
-		route route.Route
-
-		client *docker.SharedClient
-		state  atomic.Value[*containerState]
-
-		stopByMethod StopCallback // send a docker command w.r.t. `stop_method`
-		ticker       *time.Ticker
-		lastReset    time.Time
-		task         *task.Task
-	}
-
-	StopCallback func() error
-)
-
-var (
-	watcherMap   = make(map[string]*Watcher)
-	watcherMapMu sync.RWMutex
-
-	errShouldNotReachHere = errors.New("should not reach here")
-)
-
-const dockerReqTimeout = 3 * time.Second
-
-func registerWatcher(parent task.Parent, route route.Route, waker *waker) (*Watcher, error) {
-	cfg := route.IdlewatcherConfig()
-	cont := route.ContainerInfo()
-	key := cont.ContainerID
-
-	watcherMapMu.Lock()
-	defer watcherMapMu.Unlock()
-	w, ok := watcherMap[key]
-	if !ok {
-		client, err := docker.NewClient(cont.DockerHost)
-		if err != nil {
-			return nil, err
-		}
-
-		w = &Watcher{
-			Logger: logging.With().Str("name", cont.ContainerName).Logger(),
-			client: client,
-			task:   parent.Subtask("idlewatcher." + cont.ContainerName),
-			ticker: time.NewTicker(cfg.IdleTimeout),
-		}
-	}
-
-	// FIXME: possible race condition here
-	w.waker = waker
-	w.route = route
-	w.ticker.Reset(cfg.IdleTimeout)
-
-	if cont.Running {
-		w.setStarting()
-	} else {
-		w.setNapping()
-	}
-
-	if !ok {
-		w.stopByMethod = w.getStopCallback()
-		watcherMap[key] = w
-
-		go func() {
-			cause := w.watchUntilDestroy()
-
-			watcherMapMu.Lock()
-			defer watcherMapMu.Unlock()
-			delete(watcherMap, key)
-
-			w.ticker.Stop()
-			w.client.Close()
-			w.task.Finish(cause)
-		}()
-	}
-
-	return w, nil
-}
-
-func (w *Watcher) Config() *idlewatcher.Config {
-	return w.route.IdlewatcherConfig()
-}
-
-func (w *Watcher) Wake() error {
-	return w.wakeIfStopped()
-}
-
-// WakeDebug logs a debug message related to waking the container.
-func (w *Watcher) WakeDebug() *zerolog.Event {
-	//nolint:zerologlint
-	return w.Debug().Str("action", "wake")
-}
-
-func (w *Watcher) WakeTrace() *zerolog.Event {
-	//nolint:zerologlint
-	return w.Trace().Str("action", "wake")
-}
-
-func (w *Watcher) WakeError(err error) {
-	w.Err(err).Str("action", "wake").Msg("error")
-}
-
-func (w *Watcher) wakeIfStopped() error {
-	if w.running() {
-		return nil
-	}
-
-	status, err := w.containerStatus()
-	if err != nil {
-		return err
-	}
-
-	ctx, cancel := context.WithTimeout(w.task.Context(), w.Config().WakeTimeout)
-	defer cancel()
-
-	// !Hard coded here since theres no constants from Docker API
-	switch status {
-	case "exited", "dead":
-		return w.containerStart(ctx)
-	case "paused":
-		return w.containerUnpause(ctx)
-	case "running":
-		return nil
-	default:
-		return gperr.Errorf("unexpected container status: %s", status)
-	}
-}
-
-func (w *Watcher) getStopCallback() StopCallback {
-	var cb func(context.Context) error
-	switch w.Config().StopMethod {
-	case idlewatcher.StopMethodPause:
-		cb = w.containerPause
-	case idlewatcher.StopMethodStop:
-		cb = w.containerStop
-	case idlewatcher.StopMethodKill:
-		cb = w.containerKill
-	default:
-		panic(errShouldNotReachHere)
-	}
-	return func() error {
-		ctx, cancel := context.WithTimeout(w.task.Context(), time.Duration(w.Config().StopTimeout)*time.Second)
-		defer cancel()
-		return cb(ctx)
-	}
-}
-
-func (w *Watcher) resetIdleTimer() {
-	w.Trace().Msg("reset idle timer")
-	w.ticker.Reset(w.Config().IdleTimeout)
-	w.lastReset = time.Now()
-}
-
-func (w *Watcher) expires() time.Time {
-	return w.lastReset.Add(w.Config().IdleTimeout)
-}
-
-func (w *Watcher) getEventCh(ctx context.Context, dockerWatcher *watcher.DockerWatcher) (eventCh <-chan events.Event, errCh <-chan gperr.Error) {
-	eventCh, errCh = dockerWatcher.EventsWithOptions(ctx, watcher.DockerListOptions{
-		Filters: watcher.NewDockerFilter(
-			watcher.DockerFilterContainer,
-			watcher.DockerFilterContainerNameID(w.route.ContainerInfo().ContainerID),
-			watcher.DockerFilterStart,
-			watcher.DockerFilterStop,
-			watcher.DockerFilterDie,
-			watcher.DockerFilterKill,
-			watcher.DockerFilterDestroy,
-			watcher.DockerFilterPause,
-			watcher.DockerFilterUnpause,
-		),
-	})
-	return
-}
-
-// watchUntilDestroy waits for the container to be created, started, or unpaused,
-// and then reset the idle timer.
-//
-// When the container is stopped, paused,
-// or killed, the idle timer is stopped and the ContainerRunning flag is set to false.
-//
-// When the idle timer fires, the container is stopped according to the
-// stop method.
-//
-// it exits only if the context is canceled, the container is destroyed,
-// errors occurred on docker client, or route provider died (mainly caused by config reload).
-func (w *Watcher) watchUntilDestroy() (returnCause error) {
-	eventCtx, eventCancel := context.WithCancel(w.task.Context())
-	defer eventCancel()
-
-	dockerWatcher := watcher.NewDockerWatcher(w.client.DaemonHost())
-	dockerEventCh, dockerEventErrCh := w.getEventCh(eventCtx, dockerWatcher)
-
-	for {
-		select {
-		case <-w.task.Context().Done():
-			return w.task.FinishCause()
-		case err := <-dockerEventErrCh:
-			if !err.Is(context.Canceled) {
-				gperr.LogError("idlewatcher error", err, &w.Logger)
-			}
-			return err
-		case e := <-dockerEventCh:
-			switch {
-			case e.Action == events.ActionContainerDestroy:
-				w.setError(errors.New("container destroyed"))
-				w.Info().Str("reason", "container destroyed").Msg("watcher stopped")
-				return errors.New("container destroyed")
-			// create / start / unpause
-			case e.Action.IsContainerWake():
-				w.setStarting()
-				w.resetIdleTimer()
-				w.Info().Msg("awaken")
-			case e.Action.IsContainerSleep(): // stop / pause / kil
-				w.setNapping()
-				w.resetIdleTimer()
-				w.ticker.Stop()
-			default:
-				w.Error().Msg("unexpected docker event: " + e.String())
-			}
-			// container name changed should also change the container id
-			// if w.ContainerName != e.ActorName {
-			// 	w.Debug().Msgf("renamed %s -> %s", w.ContainerName, e.ActorName)
-			// 	w.ContainerName = e.ActorName
-			// }
-			// if w.ContainerID != e.ActorID {
-			// 	w.Debug().Msgf("id changed %s -> %s", w.ContainerID, e.ActorID)
-			// 	w.ContainerID = e.ActorID
-			// 	// recreate event stream
-			// 	eventCancel()
-
-			// 	eventCtx, eventCancel = context.WithCancel(w.task.Context())
-			// 	defer eventCancel()
-			// 	dockerEventCh, dockerEventErrCh = w.getEventCh(eventCtx, dockerWatcher)
-			// }
-		case <-w.ticker.C:
-			w.ticker.Stop()
-			if w.running() {
-				err := w.stopByMethod()
-				switch {
-				case errors.Is(err, context.Canceled):
-					continue
-				case err != nil:
-					if errors.Is(err, context.DeadlineExceeded) {
-						err = errors.New("timeout waiting for container to stop, please set a higher value for `stop_timeout`")
-					}
-					w.Err(err).Msgf("container stop with method %q failed", w.Config().StopMethod)
-				default:
-					w.Info().Str("reason", "idle timeout").Msg("container stopped")
-				}
-			}
-		}
-	}
-}
--- a/internal/docker/inspect.go
+++ b/internal/docker/inspect.go
@@ -1,28 +0,0 @@
-package docker
-
-import (
-	"context"
-	"errors"
-	"time"
-)
-
-func Inspect(dockerHost string, containerID string) (*Container, error) {
-	client, err := NewClient(dockerHost)
-	if err != nil {
-		return nil, err
-	}
-
-	defer client.Close()
-	return client.Inspect(containerID)
-}
-
-func (c *SharedClient) Inspect(containerID string) (*Container, error) {
-	ctx, cancel := context.WithTimeoutCause(context.Background(), 3*time.Second, errors.New("docker container inspect timeout"))
-	defer cancel()
-
-	json, err := c.ContainerInspect(ctx, containerID)
-	if err != nil {
-		return nil, err
-	}
-	return FromInspectResponse(json, c.key), nil
-}
--- a/internal/docker/list_containers.go
+++ b/internal/docker/list_containers.go
@@ -21,7 +21,7 @@ var listOptions = container.ListOptions{
 	All: true,
 }

-func ListContainers(clientHost string) ([]container.Summary, error) {
+func ListContainers(clientHost string) ([]container.SummaryTrimmed, error) {
 	dockerClient, err := NewClient(clientHost)
 	if err != nil {
 		return nil, err
--- a/internal/entrypoint/entrypoint.go
+++ b/internal/entrypoint/entrypoint.go
@@ -7,12 +7,11 @@ import (
 	"strings"

 	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
 	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/accesslog"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware/errorpage"
 	"github.com/yusing/go-proxy/internal/route/routes"
-	route "github.com/yusing/go-proxy/internal/route/types"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
@@ -20,7 +19,7 @@ import (
 type Entrypoint struct {
 	middleware    *middleware.Middleware
 	accessLogger  *accesslog.AccessLogger
-	findRouteFunc func(host string) (route.HTTPRoute, error)
+	findRouteFunc func(host string) (routes.HTTPRoute, error)
 }

 var ErrNoSuchRoute = errors.New("no such route")
@@ -55,13 +54,13 @@ func (ep *Entrypoint) SetMiddlewares(mws []map[string]any) error {
 	return nil
 }

-func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.Config) (err error) {
+func (ep *Entrypoint) SetAccessLogger(parent task.Parent, cfg *accesslog.RequestLoggerConfig) (err error) {
 	if cfg == nil {
 		ep.accessLogger = nil
 		return
 	}

-	ep.accessLogger, err = accesslog.NewFileAccessLogger(parent, cfg)
+	ep.accessLogger, err = accesslog.NewAccessLogger(parent, cfg)
 	if err != nil {
 		return
 	}
@@ -108,7 +107,7 @@ func (ep *Entrypoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func findRouteAnyDomain(host string) (route.HTTPRoute, error) {
+func findRouteAnyDomain(host string) (routes.HTTPRoute, error) {
 	hostSplit := strutils.SplitRune(host, '.')
 	target := hostSplit[0]

@@ -118,19 +117,19 @@ func findRouteAnyDomain(host string) (route.HTTPRoute, error) {
 	return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, target)
 }

-func findRouteByDomains(domains []string) func(host string) (route.HTTPRoute, error) {
-	return func(host string) (route.HTTPRoute, error) {
+func findRouteByDomains(domains []string) func(host string) (routes.HTTPRoute, error) {
+	return func(host string) (routes.HTTPRoute, error) {
 		for _, domain := range domains {
 			if strings.HasSuffix(host, domain) {
 				target := strings.TrimSuffix(host, domain)
-				if r, ok := routes.GetHTTPRoute(target); ok {
+				if r, ok := routes.HTTP.Get(target); ok {
 					return r, nil
 				}
 			}
 		}

 		// fallback to exact match
-		if r, ok := routes.GetHTTPRoute(host); ok {
+		if r, ok := routes.HTTP.Get(host); ok {
 			return r, nil
 		}
 		return nil, fmt.Errorf("%w: %s", ErrNoSuchRoute, host)
--- a/internal/entrypoint/entrypoint_test.go
+++ b/internal/entrypoint/entrypoint_test.go
@@ -5,37 +5,43 @@ import (

 	"github.com/yusing/go-proxy/internal/route"
 	"github.com/yusing/go-proxy/internal/route/routes"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
+
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
 )

-var (
-	r  route.ReveseProxyRoute
-	ep = NewEntrypoint()
-)
+var ep = NewEntrypoint()
+
+func addRoute(alias string) {
+	routes.HTTP.Add(&route.ReveseProxyRoute{
+		Route: &route.Route{
+			Alias: alias,
+		},
+	})
+}

 func run(t *testing.T, match []string, noMatch []string) {
 	t.Helper()
-	t.Cleanup(routes.TestClear)
+	t.Cleanup(routes.Clear)
 	t.Cleanup(func() { ep.SetFindRouteDomains(nil) })

 	for _, test := range match {
 		t.Run(test, func(t *testing.T) {
 			found, err := ep.findRouteFunc(test)
-			ExpectNoError(t, err)
-			ExpectTrue(t, found == &r)
+			expect.NoError(t, err)
+			expect.NotNil(t, found)
 		})
 	}

 	for _, test := range noMatch {
 		t.Run(test, func(t *testing.T) {
 			_, err := ep.findRouteFunc(test)
-			ExpectError(t, ErrNoSuchRoute, err)
+			expect.ErrorIs(t, ErrNoSuchRoute, err)
 		})
 	}
 }

 func TestFindRouteAnyDomain(t *testing.T) {
-	routes.SetHTTPRoute("app1", &r)
+	addRoute("app1")

 	tests := []string{
 		"app1.com",
@@ -66,7 +72,7 @@ func TestFindRouteExactHostMatch(t *testing.T) {
 	}

 	for _, test := range tests {
-		routes.SetHTTPRoute(test, &r)
+		addRoute(test)
 	}

 	run(t, tests, testsNoMatch)
@@ -78,7 +84,7 @@ func TestFindRouteByDomains(t *testing.T) {
 		".sub.domain.com",
 	})

-	routes.SetHTTPRoute("app1", &r)
+	addRoute("app1")

 	tests := []string{
 		"app1.domain.com",
@@ -103,7 +109,7 @@ func TestFindRouteByDomainsExactMatch(t *testing.T) {
 		".sub.domain.com",
 	})

-	routes.SetHTTPRoute("app1.foo.bar", &r)
+	addRoute("app1.foo.bar")

 	tests := []string{
 		"app1.foo.bar", // exact match
--- a/internal/gperr/builder.go
+++ b/internal/gperr/builder.go
@@ -5,44 +5,69 @@ import (
 	"sync"
 )

+type noLock struct{}
+
+func (noLock) Lock()    {}
+func (noLock) Unlock()  {}
+func (noLock) RLock()   {}
+func (noLock) RUnlock() {}
+
+type rwLock interface {
+	sync.Locker
+	RLock()
+	RUnlock()
+}
+
 type Builder struct {
 	about string
 	errs  []error
-	sync.Mutex
+	rwLock
 }

-func NewBuilder(about string) *Builder {
-	return &Builder{about: about}
+type multiline struct {
+	*Builder
+}
+
+// NewBuilder creates a new Builder.
+//
+// If about is not provided, the Builder will not have a subject
+// and will expand when adding to another builder.
+func NewBuilder(about ...string) *Builder {
+	if len(about) == 0 {
+		return &Builder{rwLock: noLock{}}
+	}
+	return &Builder{about: about[0], rwLock: noLock{}}
+}
+
+func NewBuilderWithConcurrency(about ...string) *Builder {
+	if len(about) == 0 {
+		return &Builder{rwLock: new(sync.RWMutex)}
+	}
+	return &Builder{about: about[0], rwLock: new(sync.RWMutex)}
+}
+
+func (b *Builder) EnableConcurrency() {
+	b.rwLock = new(sync.RWMutex)
 }

 func (b *Builder) About() string {
-	if !b.HasError() {
-		return ""
-	}
 	return b.about
 }

-//go:inline
 func (b *Builder) HasError() bool {
+	// no need to lock, when this is called, the Builder is not used anymore
 	return len(b.errs) > 0
 }

-func (b *Builder) error() Error {
-	if !b.HasError() {
+func (b *Builder) Error() Error {
+	if len(b.errs) == 0 {
 		return nil
 	}
 	return &nestedError{Err: New(b.about), Extras: b.errs}
 }

-func (b *Builder) Error() Error {
-	if len(b.errs) == 1 {
-		return wrap(b.errs[0])
-	}
-	return b.error()
-}
-
 func (b *Builder) String() string {
-	err := b.error()
+	err := b.Error()
 	if err == nil {
 		return ""
 	}
@@ -52,15 +77,19 @@ func (b *Builder) String() string {
 // Add adds an error to the Builder.
 //
 // adding nil is no-op.
-func (b *Builder) Add(err error) *Builder {
+func (b *Builder) Add(err error) {
 	if err == nil {
-		return b
+		return
 	}

 	b.Lock()
 	defer b.Unlock()

-	switch err := wrap(err).(type) {
+	b.add(err)
+}
+
+func (b *Builder) add(err error) {
+	switch err := err.(type) {
 	case *baseError:
 		b.errs = append(b.errs, err.Err)
 	case *nestedError:
@@ -69,21 +98,20 @@ func (b *Builder) Add(err error) *Builder {
 		} else {
 			b.errs = append(b.errs, err)
 		}
+	case *MultilineError:
+		b.add(&err.nestedError)
 	default:
-		panic("bug: should not reach here")
+		b.errs = append(b.errs, err)
 	}
-
-	return b
 }

-func (b *Builder) Adds(err string) *Builder {
+func (b *Builder) Adds(err string) {
 	b.Lock()
 	defer b.Unlock()
 	b.errs = append(b.errs, newError(err))
-	return b
 }

-func (b *Builder) Addf(format string, args ...any) *Builder {
+func (b *Builder) Addf(format string, args ...any) {
 	if len(args) > 0 {
 		b.Lock()
 		defer b.Unlock()
@@ -91,13 +119,11 @@ func (b *Builder) Addf(format string, args ...any) *Builder {
 	} else {
 		b.Adds(format)
 	}
-
-	return b
 }

-func (b *Builder) AddFrom(other *Builder, flatten bool) *Builder {
+func (b *Builder) AddFrom(other *Builder, flatten bool) {
 	if other == nil || !other.HasError() {
-		return b
+		return
 	}

 	b.Lock()
@@ -105,26 +131,32 @@ func (b *Builder) AddFrom(other *Builder, flatten bool) *Builder {
 	if flatten {
 		b.errs = append(b.errs, other.errs...)
 	} else {
-		b.errs = append(b.errs, other.error())
+		b.errs = append(b.errs, other.Error())
 	}
-	return b
 }

-func (b *Builder) AddRange(errs ...error) *Builder {
-	b.Lock()
-	defer b.Unlock()
-
+func (b *Builder) AddRange(errs ...error) {
+	nonNilErrs := make([]error, 0, len(errs))
 	for _, err := range errs {
 		if err != nil {
-			b.errs = append(b.errs, err)
+			nonNilErrs = append(nonNilErrs, err)
 		}
 	}

-	return b
+	b.Lock()
+	defer b.Unlock()
+
+	for _, err := range nonNilErrs {
+		b.add(err)
+	}
 }

 func (b *Builder) ForEach(fn func(error)) {
-	for _, err := range b.errs {
+	b.RLock()
+	errs := b.errs
+	b.RUnlock()
+
+	for _, err := range errs {
 		fn(err)
 	}
 }
--- a/internal/gperr/error_test.go
+++ b/internal/gperr/error_test.go
@@ -5,11 +5,12 @@ import (
 	"strings"
 	"testing"

-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
 )

 func TestBaseString(t *testing.T) {
-	ExpectEqual(t, New("error").Error(), "error")
+	expect.Equal(t, New("error").Error(), "error")
 }

 func TestBaseWithSubject(t *testing.T) {
@@ -17,13 +18,13 @@ func TestBaseWithSubject(t *testing.T) {
 	withSubject := err.Subject("foo")
 	withSubjectf := err.Subjectf("%s %s", "foo", "bar")

-	ExpectError(t, err, withSubject)
-	ExpectEqual(t, withSubject.Error(), "foo: error")
-	ExpectTrue(t, withSubject.Is(err))
+	expect.ErrorIs(t, err, withSubject)
+	expect.Equal(t, ansi.StripANSI(withSubject.Error()), "foo: error")
+	expect.True(t, withSubject.Is(err))

-	ExpectError(t, err, withSubjectf)
-	ExpectEqual(t, withSubjectf.Error(), "foo bar: error")
-	ExpectTrue(t, withSubjectf.Is(err))
+	expect.ErrorIs(t, err, withSubjectf)
+	expect.Equal(t, ansi.StripANSI(withSubjectf.Error()), "foo bar: error")
+	expect.True(t, withSubjectf.Is(err))
 }

 func TestBaseWithExtra(t *testing.T) {
@@ -31,22 +32,22 @@ func TestBaseWithExtra(t *testing.T) {
 	extra := New("bar").Subject("baz")
 	withExtra := err.With(extra)

-	ExpectTrue(t, withExtra.Is(extra))
-	ExpectTrue(t, withExtra.Is(err))
+	expect.True(t, withExtra.Is(extra))
+	expect.True(t, withExtra.Is(err))

-	ExpectTrue(t, errors.Is(withExtra, extra))
-	ExpectTrue(t, errors.Is(withExtra, err))
+	expect.True(t, errors.Is(withExtra, extra))
+	expect.True(t, errors.Is(withExtra, err))

-	ExpectTrue(t, strings.Contains(withExtra.Error(), err.Error()))
-	ExpectTrue(t, strings.Contains(withExtra.Error(), extra.Error()))
-	ExpectTrue(t, strings.Contains(withExtra.Error(), "baz"))
+	expect.True(t, strings.Contains(withExtra.Error(), err.Error()))
+	expect.True(t, strings.Contains(withExtra.Error(), extra.Error()))
+	expect.True(t, strings.Contains(withExtra.Error(), "baz"))
 }

 func TestBaseUnwrap(t *testing.T) {
 	err := errors.New("err")
 	wrapped := Wrap(err)

-	ExpectError(t, err, errors.Unwrap(wrapped))
+	expect.ErrorIs(t, err, errors.Unwrap(wrapped))
 }

 func TestNestedUnwrap(t *testing.T) {
@@ -55,24 +56,24 @@ func TestNestedUnwrap(t *testing.T) {
 	wrapped := Wrap(err).Subject("foo").With(err2.Subject("bar"))

 	unwrapper, ok := wrapped.(interface{ Unwrap() []error })
-	ExpectTrue(t, ok)
+	expect.True(t, ok)

-	ExpectError(t, err, wrapped)
-	ExpectError(t, err2, wrapped)
-	ExpectEqual(t, len(unwrapper.Unwrap()), 2)
+	expect.ErrorIs(t, err, wrapped)
+	expect.ErrorIs(t, err2, wrapped)
+	expect.Equal(t, len(unwrapper.Unwrap()), 2)
 }

 func TestErrorIs(t *testing.T) {
 	from := errors.New("error")
 	err := Wrap(from)
-	ExpectError(t, from, err)
+	expect.ErrorIs(t, from, err)

-	ExpectTrue(t, err.Is(from))
-	ExpectFalse(t, err.Is(New("error")))
+	expect.True(t, err.Is(from))
+	expect.False(t, err.Is(New("error")))

-	ExpectTrue(t, errors.Is(err.Subject("foo"), from))
-	ExpectTrue(t, errors.Is(err.Withf("foo"), from))
-	ExpectTrue(t, errors.Is(err.Subject("foo").Withf("bar"), from))
+	expect.True(t, errors.Is(err.Subject("foo"), from))
+	expect.True(t, errors.Is(err.Withf("foo"), from))
+	expect.True(t, errors.Is(err.Subject("foo").Withf("bar"), from))
 }

 func TestErrorImmutability(t *testing.T) {
@@ -82,14 +83,14 @@ func TestErrorImmutability(t *testing.T) {
 	for range 3 {
 		// t.Logf("%d: %v %T %s", i, errors.Unwrap(err), err, err)
 		_ = err.Subject("foo")
-		ExpectFalse(t, strings.Contains(err.Error(), "foo"))
+		expect.False(t, strings.Contains(err.Error(), "foo"))

 		_ = err.With(err2)
-		ExpectFalse(t, strings.Contains(err.Error(), "extra"))
-		ExpectFalse(t, err.Is(err2))
+		expect.False(t, strings.Contains(err.Error(), "extra"))
+		expect.False(t, err.Is(err2))

 		err = err.Subject("bar").Withf("baz")
-		ExpectTrue(t, err != nil)
+		expect.True(t, err != nil)
 	}
 }

@@ -99,24 +100,24 @@ func TestErrorWith(t *testing.T) {

 	err3 := err1.With(err2)

-	ExpectTrue(t, err3.Is(err1))
-	ExpectTrue(t, err3.Is(err2))
+	expect.True(t, err3.Is(err1))
+	expect.True(t, err3.Is(err2))

 	_ = err2.Subject("foo")

-	ExpectTrue(t, err3.Is(err1))
-	ExpectTrue(t, err3.Is(err2))
+	expect.True(t, err3.Is(err1))
+	expect.True(t, err3.Is(err2))

 	// check if err3 is affected by err2.Subject
-	ExpectFalse(t, strings.Contains(err3.Error(), "foo"))
+	expect.False(t, strings.Contains(err3.Error(), "foo"))
 }

 func TestErrorStringSimple(t *testing.T) {
 	errFailure := New("generic failure")
 	ne := errFailure.Subject("foo bar")
-	ExpectEqual(t, ne.Error(), "foo bar: generic failure")
+	expect.Equal(t, ansi.StripANSI(ne.Error()), "foo bar: generic failure")
 	ne = ne.Subject("baz")
-	ExpectEqual(t, ne.Error(), "baz > foo bar: generic failure")
+	expect.Equal(t, ansi.StripANSI(ne.Error()), "baz > foo bar: generic failure")
 }

 func TestErrorStringNested(t *testing.T) {
@@ -153,5 +154,5 @@ func TestErrorStringNested(t *testing.T) {
      • action 3 > inner3: generic failure
        • 3
        • 3`
-	ExpectEqual(t, ne.Error(), want)
+	expect.Equal(t, ansi.StripANSI(ne.Error()), want)
 }
--- a/internal/gperr/log.go
+++ b/internal/gperr/log.go
@@ -1,6 +1,8 @@
 package gperr

 import (
+	"os"
+
 	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/logging"
@@ -13,7 +15,13 @@ func log(msg string, err error, level zerolog.Level, logger ...*zerolog.Logger)
 	} else {
 		l = logging.GetLogger()
 	}
-	l.WithLevel(level).Msg(msg + ": " + err.Error())
+	l.WithLevel(level).Msg(New(highlight(msg)).With(err).Error())
+	switch level {
+	case zerolog.FatalLevel:
+		os.Exit(1)
+	case zerolog.PanicLevel:
+		panic(err)
+	}
 }

 func LogFatal(msg string, err error, logger ...*zerolog.Logger) {
--- a/internal/gperr/multiline.go
+++ b/internal/gperr/multiline.go
@@ -0,0 +1,45 @@
+package gperr
+
+import (
+	"fmt"
+	"reflect"
+)
+
+type MultilineError struct {
+	nestedError
+}
+
+func Multiline() *MultilineError {
+	return &MultilineError{}
+}
+
+func (m *MultilineError) add(err error) {
+	m.Extras = append(m.Extras, err)
+}
+
+func (m *MultilineError) Addf(format string, args ...any) *MultilineError {
+	m.add(fmt.Errorf(format, args...))
+	return m
+}
+
+func (m *MultilineError) Adds(s string) *MultilineError {
+	m.add(newError(s))
+	return m
+}
+
+func (m *MultilineError) AddLines(lines ...any) *MultilineError {
+	v := reflect.ValueOf(lines)
+	if v.Kind() == reflect.Slice {
+		for i := range v.Len() {
+			switch v := v.Index(i).Interface().(type) {
+			case string:
+				m.add(newError(v))
+			case error:
+				m.add(v)
+			default:
+				m.add(fmt.Errorf("%v", v))
+			}
+		}
+	}
+	return m
+}
--- a/internal/gperr/multiline_test.go
+++ b/internal/gperr/multiline_test.go
@@ -0,0 +1,29 @@
+package gperr
+
+import (
+	"net"
+	"testing"
+
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestWrapMultiline(t *testing.T) {
+	multiline := Multiline()
+	var wrapper error = wrap(multiline)
+	_, ok := wrapper.(*MultilineError)
+	if !ok {
+		t.Errorf("wrapper is not a MultilineError")
+	}
+}
+
+func TestPrependSubjectMultiline(t *testing.T) {
+	multiline := Multiline()
+	multiline.Addf("line 1 %s", "test")
+	multiline.Adds("line 2")
+	multiline.AddLines([]any{1, "2", 3.0, net.IPv4(127, 0, 0, 1)})
+	multiline.Subject("subject")
+
+	builder := NewBuilder()
+	builder.Add(multiline)
+	expect.Equal(t, len(multiline.Extras), len(builder.errs))
+}
--- a/internal/gperr/nested_error.go
+++ b/internal/gperr/nested_error.go
@@ -15,7 +15,7 @@ type nestedError struct {

 func (err nestedError) Subject(subject string) Error {
 	if err.Err == nil {
-		err.Err = newError(subject)
+		err.Err = PrependSubject(subject, errStr(""))
 	} else {
 		err.Err = PrependSubject(subject, err.Err)
 	}
@@ -72,14 +72,13 @@ func (err *nestedError) Error() string {
 		return makeLine("<nil>", 0)
 	}

-	lines := make([]string, 0, 1+len(err.Extras))
 	if err.Err != nil {
+		lines := make([]string, 0, 1+len(err.Extras))
 		lines = append(lines, makeLine(err.Err.Error(), 0))
 		lines = append(lines, makeLines(err.Extras, 1)...)
-	} else {
-		lines = append(lines, makeLines(err.Extras, 0)...)
+		return strutils.JoinLines(lines)
 	}
-	return strutils.JoinLines(lines)
+	return strutils.JoinLines(makeLines(err.Extras, 0))
 }

 //go:inline
@@ -103,8 +102,10 @@ func makeLines(errs []error, level int) []string {
 		case *nestedError:
 			if err.Err != nil {
 				lines = append(lines, makeLine(err.Err.Error(), level))
+				lines = append(lines, makeLines(err.Extras, level+1)...)
+			} else {
+				lines = append(lines, makeLines(err.Extras, level)...)
 			}
-			lines = append(lines, makeLines(err.Extras, level+1)...)
 		default:
 			lines = append(lines, makeLine(err.Error(), level))
 		}
--- a/internal/gperr/subject.go
+++ b/internal/gperr/subject.go
@@ -2,6 +2,8 @@ package gperr

 import (
 	"encoding/json"
+	"errors"
+	"slices"
 	"strings"

 	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
@@ -59,7 +61,7 @@ func (err *withSubject) Prepend(subject string) *withSubject {
 }

 func (err *withSubject) Is(other error) bool {
-	return err.Err == other
+	return errors.Is(other, err.Err)
 }

 func (err *withSubject) Unwrap() error {
@@ -89,10 +91,8 @@ func (err *withSubject) Error() string {

 // MarshalJSON implements the json.Marshaler interface.
 func (err *withSubject) MarshalJSON() ([]byte, error) {
-	subjects := make([]string, len(err.Subjects))
-	for i, s := range err.Subjects {
-		subjects[len(err.Subjects)-i-1] = s
-	}
+	subjects := slices.Clone(err.Subjects)
+	slices.Reverse(subjects)
 	reversed := struct {
 		Subjects []string `json:"subjects"`
 		Err      error    `json:"err"`
--- a/internal/gperr/utils.go
+++ b/internal/gperr/utils.go
@@ -41,6 +41,18 @@ func Wrap(err error, message ...string) Error {
 	return &baseError{fmt.Errorf("%s: %w", message[0], err)}
 }

+func Unwrap(err error) Error {
+	//nolint:errorlint
+	switch err := err.(type) {
+	case interface{ Unwrap() []error }:
+		return &nestedError{Extras: err.Unwrap()}
+	case interface{ Unwrap() error }:
+		return &baseError{err.Unwrap()}
+	default:
+		return &baseError{err}
+	}
+}
+
 func wrap(err error) Error {
 	if err == nil {
 		return nil
--- a/internal/api/v1/favicon/content.go
+++ b/internal/api/v1/favicon/content.go
@@ -1,4 +1,4 @@
-package favicon
+package homepage

 import (
 	"bufio"
--- a/internal/homepage/favicon.go
+++ b/internal/homepage/favicon.go
@@ -0,0 +1,222 @@
+package homepage
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/PuerkitoBio/goquery"
+	"github.com/vincent-petithory/dataurl"
+	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type FetchResult struct {
+	Icon       []byte
+	StatusCode int
+	ErrMsg     string
+
+	contentType string
+}
+
+const faviconFetchTimeout = 3 * time.Second
+
+func (res *FetchResult) OK() bool {
+	return len(res.Icon) > 0
+}
+
+func (res *FetchResult) ContentType() string {
+	if res.contentType == "" {
+		if bytes.HasPrefix(res.Icon, []byte("<svg")) || bytes.HasPrefix(res.Icon, []byte("<?xml")) {
+			return "image/svg+xml"
+		}
+		return "image/x-icon"
+	}
+	return res.contentType
+}
+
+const maxRedirectDepth = 5
+
+func FetchFavIconFromURL(ctx context.Context, iconURL *IconURL) *FetchResult {
+	switch iconURL.IconSource {
+	case IconSourceAbsolute:
+		return fetchIconAbsolute(ctx, iconURL.URL())
+	case IconSourceRelative:
+		return &FetchResult{StatusCode: http.StatusBadRequest, ErrMsg: "unexpected relative icon"}
+	case IconSourceWalkXCode, IconSourceSelfhSt:
+		return fetchKnownIcon(ctx, iconURL)
+	}
+	return &FetchResult{StatusCode: http.StatusBadRequest, ErrMsg: "invalid icon source"}
+}
+
+func fetchIconAbsolute(ctx context.Context, url string) *FetchResult {
+	if result := loadIconCache(url); result != nil {
+		return result
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
+			return &FetchResult{StatusCode: http.StatusBadGateway, ErrMsg: "request timeout"}
+		}
+		return &FetchResult{StatusCode: http.StatusInternalServerError, ErrMsg: err.Error()}
+	}
+
+	resp, err := gphttp.Do(req)
+	if err == nil {
+		defer resp.Body.Close()
+	}
+	if err != nil || resp.StatusCode != http.StatusOK {
+		return &FetchResult{StatusCode: http.StatusBadGateway, ErrMsg: "connection error"}
+	}
+
+	icon, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return &FetchResult{StatusCode: http.StatusInternalServerError, ErrMsg: "internal error"}
+	}
+
+	if len(icon) == 0 {
+		return &FetchResult{StatusCode: http.StatusNotFound, ErrMsg: "empty icon"}
+	}
+
+	res := &FetchResult{Icon: icon}
+	if contentType := resp.Header.Get("Content-Type"); contentType != "" {
+		res.contentType = contentType
+	}
+	// else leave it empty
+	storeIconCache(url, res)
+	return res
+}
+
+var nameSanitizer = strings.NewReplacer(
+	"_", "-",
+	" ", "-",
+	"(", "",
+	")", "",
+)
+
+func sanitizeName(name string) string {
+	return strings.ToLower(nameSanitizer.Replace(name))
+}
+
+func fetchKnownIcon(ctx context.Context, url *IconURL) *FetchResult {
+	// if icon isn't in the list, no need to fetch
+	if !url.HasIcon() {
+		return &FetchResult{StatusCode: http.StatusNotFound, ErrMsg: "no such icon"}
+	}
+
+	return fetchIconAbsolute(ctx, url.URL())
+}
+
+func fetchIcon(ctx context.Context, filetype, filename string) *FetchResult {
+	result := fetchKnownIcon(ctx, NewSelfhStIconURL(filename, filetype))
+	if result.OK() {
+		return result
+	}
+	return fetchKnownIcon(ctx, NewWalkXCodeIconURL(filename, filetype))
+}
+
+func FindIcon(ctx context.Context, r route, uri string) *FetchResult {
+	if result := loadIconCache(r.Key()); result != nil {
+		return result
+	}
+
+	result := fetchIcon(ctx, "png", sanitizeName(r.Reference()))
+	if !result.OK() {
+		if r, ok := r.(httpRoute); ok {
+			// fallback to parse html
+			result = findIconSlow(ctx, r, uri, nil)
+		}
+	}
+	if result.OK() {
+		storeIconCache(r.Key(), result)
+	}
+	return result
+}
+
+func findIconSlow(ctx context.Context, r httpRoute, uri string, stack []string) *FetchResult {
+	select {
+	case <-ctx.Done():
+		return &FetchResult{StatusCode: http.StatusBadGateway, ErrMsg: "request timeout"}
+	default:
+	}
+
+	if len(stack) > maxRedirectDepth {
+		return &FetchResult{StatusCode: http.StatusBadGateway, ErrMsg: "too many redirects"}
+	}
+
+	ctx, cancel := context.WithTimeoutCause(ctx, faviconFetchTimeout, errors.New("favicon request timeout"))
+	defer cancel()
+
+	newReq, err := http.NewRequestWithContext(ctx, "GET", r.TargetURL().String(), nil)
+	if err != nil {
+		return &FetchResult{StatusCode: http.StatusInternalServerError, ErrMsg: "cannot create request"}
+	}
+	newReq.Header.Set("Accept-Encoding", "identity") // disable compression
+
+	u, err := url.ParseRequestURI(strutils.SanitizeURI(uri))
+	if err != nil {
+		return &FetchResult{StatusCode: http.StatusInternalServerError, ErrMsg: "cannot parse uri"}
+	}
+	newReq.URL.Path = u.Path
+	newReq.URL.RawPath = u.RawPath
+	newReq.URL.RawQuery = u.RawQuery
+	newReq.RequestURI = u.String()
+
+	c := newContent()
+	r.ServeHTTP(c, newReq)
+	if c.status != http.StatusOK {
+		switch c.status {
+		case 0:
+			return &FetchResult{StatusCode: http.StatusBadGateway, ErrMsg: "connection error"}
+		default:
+			if loc := c.Header().Get("Location"); loc != "" {
+				loc = strutils.SanitizeURI(loc)
+				if loc == "/" || loc == newReq.URL.Path || slices.Contains(stack, loc) {
+					return &FetchResult{StatusCode: http.StatusBadGateway, ErrMsg: "circular redirect"}
+				}
+				// append current path to stack
+				// handles redirect to the same path with different query
+				return findIconSlow(ctx, r, loc, append(stack, newReq.URL.Path))
+			}
+		}
+		return &FetchResult{StatusCode: c.status, ErrMsg: "upstream error: " + string(c.data)}
+	}
+	// return icon data
+	if !gphttp.GetContentType(c.header).IsHTML() {
+		return &FetchResult{Icon: c.data, contentType: c.header.Get("Content-Type")}
+	}
+	// try extract from "link[rel=icon]" from path "/"
+	doc, err := goquery.NewDocumentFromReader(bytes.NewBuffer(c.data))
+	if err != nil {
+		return &FetchResult{StatusCode: http.StatusInternalServerError, ErrMsg: "failed to parse html"}
+	}
+	ele := doc.Find("head > link[rel=icon]").First()
+	if ele.Length() == 0 {
+		return &FetchResult{StatusCode: http.StatusNotFound, ErrMsg: "icon element not found"}
+	}
+	href := ele.AttrOr("href", "")
+	if href == "" {
+		return &FetchResult{StatusCode: http.StatusNotFound, ErrMsg: "icon href not found"}
+	}
+	// https://en.wikipedia.org/wiki/Data_URI_scheme
+	if strings.HasPrefix(href, "data:image/") {
+		dataURI, err := dataurl.DecodeString(href)
+		if err != nil {
+			return &FetchResult{StatusCode: http.StatusInternalServerError, ErrMsg: "failed to decode favicon"}
+		}
+		return &FetchResult{Icon: dataURI.Data, contentType: dataURI.ContentType()}
+	}
+	switch {
+	case strings.HasPrefix(href, "http://"), strings.HasPrefix(href, "https://"):
+		return fetchIconAbsolute(ctx, href)
+	default:
+		return findIconSlow(ctx, r, href, append(stack, newReq.URL.Path))
+	}
+}
--- a/internal/homepage/homepage_test.go
+++ b/internal/homepage/homepage_test.go
@@ -7,7 +7,6 @@ import (
 )

 func TestOverrideItem(t *testing.T) {
-	InitOverridesConfig()
 	a := &Item{
 		Alias: "foo",
 		ItemConfig: &ItemConfig{
--- a/internal/api/v1/favicon/cache.go
+++ b/internal/api/v1/favicon/cache.go
@@ -1,20 +1,22 @@
-package favicon
+package homepage

 import (
+	"encoding/base64"
 	"encoding/json"
 	"sync"
 	"time"

 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/logging"
-	route "github.com/yusing/go-proxy/internal/route/types"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/utils/atomic"
 )

 type cacheEntry struct {
-	Icon       []byte    `json:"icon"`
-	LastAccess time.Time `json:"lastAccess"`
+	Icon        []byte                  `json:"icon"`
+	ContentType string                  `json:"content_type"`
+	LastAccess  atomic.Value[time.Time] `json:"last_access"`
 }

 // cache key can be absolute url or route name.
@@ -25,7 +27,9 @@ var (

 const (
 	iconCacheTTL    = 3 * 24 * time.Hour
-	cleanUpInterval = time.Hour
+	cleanUpInterval = time.Minute
+	maxCacheSize    = 1024 * 1024 // 1MB
+	maxCacheEntries = 100
 )

 func InitIconCache() {
@@ -77,61 +81,79 @@ func pruneExpiredIconCache() {
 			nPruned++
 		}
 	}
+	if len(iconCache) > maxCacheEntries {
+		newIconCache := make(map[string]*cacheEntry, maxCacheEntries)
+		i := 0
+		for key, icon := range iconCache {
+			if i == maxCacheEntries {
+				break
+			}
+			if !icon.IsExpired() {
+				newIconCache[key] = icon
+				i++
+			}
+		}
+		iconCache = newIconCache
+	}
 	if nPruned > 0 {
 		logging.Info().Int("pruned", nPruned).Msg("pruned expired icon cache")
 	}
 }

-func routeKey(r route.HTTPRoute) string {
-	return r.ProviderName() + ":" + r.TargetName()
-}
-
-func PruneRouteIconCache(route route.HTTPRoute) {
+func PruneRouteIconCache(route route) {
 	iconCacheMu.Lock()
 	defer iconCacheMu.Unlock()
-	delete(iconCache, routeKey(route))
+	delete(iconCache, route.Key())
 }

-func loadIconCache(key string) *fetchResult {
+func loadIconCache(key string) *FetchResult {
 	iconCacheMu.RLock()
 	defer iconCacheMu.RUnlock()

 	icon, ok := iconCache[key]
-	if ok && icon != nil {
+	if ok && len(icon.Icon) > 0 {
 		logging.Debug().
 			Str("key", key).
 			Msg("icon found in cache")
-		icon.LastAccess = time.Now()
-		return &fetchResult{icon: icon.Icon}
+		icon.LastAccess.Store(time.Now())
+		return &FetchResult{Icon: icon.Icon, contentType: icon.ContentType}
 	}
 	return nil
 }

-func storeIconCache(key string, icon []byte) {
+func storeIconCache(key string, result *FetchResult) {
+	icon := result.Icon
+	if len(icon) > maxCacheSize {
+		logging.Debug().Int("size", len(icon)).Msg("icon cache size exceeds max cache size")
+		return
+	}
 	iconCacheMu.Lock()
 	defer iconCacheMu.Unlock()
-	iconCache[key] = &cacheEntry{Icon: icon, LastAccess: time.Now()}
+	entry := &cacheEntry{Icon: icon, ContentType: result.contentType}
+	entry.LastAccess.Store(time.Now())
+	iconCache[key] = entry
+	logging.Debug().Str("key", key).Int("size", len(icon)).Msg("stored icon cache")
 }

 func (e *cacheEntry) IsExpired() bool {
-	return time.Since(e.LastAccess) > iconCacheTTL
+	return time.Since(e.LastAccess.Load()) > iconCacheTTL
 }

 func (e *cacheEntry) UnmarshalJSON(data []byte) error {
-	attempt := struct {
-		Icon       []byte    `json:"icon"`
-		LastAccess time.Time `json:"lastAccess"`
-	}{}
-	err := json.Unmarshal(data, &attempt)
-	if err == nil {
-		e.Icon = attempt.Icon
-		e.LastAccess = attempt.LastAccess
-		return nil
+	// check if data is json
+	if json.Valid(data) {
+		err := json.Unmarshal(data, &e)
+		// return only if unmarshal is successful
+		// otherwise fallback to base64
+		if err == nil {
+			return nil
+		}
 	}
-	// fallback to bytes
-	err = json.Unmarshal(data, &e.Icon)
+	// fallback to base64
+	icon, err := base64.StdEncoding.DecodeString(string(data))
 	if err == nil {
-		e.LastAccess = time.Now()
+		e.Icon = icon
+		e.LastAccess.Store(time.Now())
 		return nil
 	}
 	return err
--- a/internal/homepage/icon_url.go
+++ b/internal/homepage/icon_url.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"strings"

-	"github.com/yusing/go-proxy/internal"
 	"github.com/yusing/go-proxy/internal/gperr"
 )

@@ -62,10 +61,10 @@ func NewWalkXCodeIconURL(name, format string) *IconURL {
 // otherwise returns true.
 func (u *IconURL) HasIcon() bool {
 	if u.IconSource == IconSourceSelfhSt {
-		return internal.HasSelfhstIcon(u.Extra.Name, u.Extra.FileType)
+		return HasSelfhstIcon(u.Extra.Name, u.Extra.FileType)
 	}
 	if u.IconSource == IconSourceWalkXCode {
-		return internal.HasWalkxCodeIcon(u.Extra.Name, u.Extra.FileType)
+		return HasWalkxCodeIcon(u.Extra.Name, u.Extra.FileType)
 	}
 	return true
 }
--- a/internal/homepage/icon_url_test.go
+++ b/internal/homepage/icon_url_test.go
@@ -3,7 +3,7 @@ package homepage
 import (
 	"testing"

-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
 )

 func TestIconURL(t *testing.T) {
@@ -114,11 +114,11 @@ func TestIconURL(t *testing.T) {
 			u := &IconURL{}
 			err := u.Parse(tc.input)
 			if tc.wantErr {
-				ExpectError(t, ErrInvalidIconURL, err)
+				expect.ErrorIs(t, ErrInvalidIconURL, err)
 			} else {
 				tc.wantValue.FullValue = tc.input
-				ExpectNoError(t, err)
-				ExpectEqual(t, u, tc.wantValue)
+				expect.NoError(t, err)
+				expect.Equal(t, u, tc.wantValue)
 			}
 		})
 	}
--- a/internal/homepage/list-icons.go
+++ b/internal/homepage/list-icons.go
@@ -0,0 +1,297 @@
+package homepage
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/lithammer/fuzzysearch/fuzzy"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type GitHubContents struct { //! keep this, may reuse in future
+	Type string `json:"type"`
+	Path string `json:"path"`
+	Name string `json:"name"`
+	Sha  string `json:"sha"`
+	Size int    `json:"size"`
+}
+
+type (
+	IconsMap map[string]map[string]struct{}
+	IconList []string
+	Cache    struct {
+		WalkxCode, Selfhst IconsMap
+		DisplayNames       ReferenceDisplayNameMap
+		IconList           IconList // combined into a single list
+	}
+	ReferenceDisplayNameMap map[string]string
+)
+
+func (icons *Cache) needUpdate() bool {
+	return len(icons.WalkxCode) == 0 || len(icons.Selfhst) == 0 || len(icons.IconList) == 0 || len(icons.DisplayNames) == 0
+}
+
+const updateInterval = 2 * time.Hour
+
+var (
+	iconsCache   *Cache
+	iconsCahceMu sync.RWMutex
+	lastUpdate   time.Time
+)
+
+const (
+	walkxcodeIcons = "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/tree.json"
+	selfhstIcons   = "https://cdn.selfh.st/directory/icons.json"
+)
+
+func InitIconListCache() {
+	iconsCahceMu.Lock()
+	defer iconsCahceMu.Unlock()
+
+	iconsCache = &Cache{
+		WalkxCode:    make(IconsMap),
+		Selfhst:      make(IconsMap),
+		DisplayNames: make(ReferenceDisplayNameMap),
+		IconList:     []string{},
+	}
+	err := utils.LoadJSONIfExist(common.IconListCachePath, iconsCache)
+	if err != nil {
+		logging.Error().Err(err).Msg("failed to load icon list cache config")
+	} else if len(iconsCache.IconList) > 0 {
+		logging.Info().
+			Int("icons", len(iconsCache.IconList)).
+			Int("display_names", len(iconsCache.DisplayNames)).
+			Msg("icon list cache loaded")
+	}
+}
+
+func ListAvailableIcons() (*Cache, error) {
+	iconsCahceMu.RLock()
+	if time.Since(lastUpdate) < updateInterval {
+		if !iconsCache.needUpdate() {
+			iconsCahceMu.RUnlock()
+			return iconsCache, nil
+		}
+	}
+	iconsCahceMu.RUnlock()
+
+	iconsCahceMu.Lock()
+	defer iconsCahceMu.Unlock()
+
+	logging.Info().Msg("updating icon data")
+	icons, err := fetchIconData()
+	if err != nil {
+		return nil, err
+	}
+	logging.Info().
+		Int("icons", len(icons.IconList)).
+		Int("display_names", len(icons.DisplayNames)).
+		Msg("icons list updated")
+
+	iconsCache = icons
+	lastUpdate = time.Now()
+
+	err = utils.SaveJSON(common.IconListCachePath, iconsCache, 0o644)
+	if err != nil {
+		logging.Warn().Err(err).Msg("failed to save icon list cache")
+	}
+	return icons, nil
+}
+
+func SearchIcons(keyword string, limit int) ([]string, error) {
+	icons, err := ListAvailableIcons()
+	if err != nil {
+		return nil, err
+	}
+	if keyword == "" {
+		return utils.Slice(icons.IconList, limit), nil
+	}
+	return utils.Slice(fuzzy.Find(keyword, icons.IconList), limit), nil
+}
+
+func HasWalkxCodeIcon(name string, filetype string) bool {
+	icons, err := ListAvailableIcons()
+	if err != nil {
+		logging.Error().Err(err).Msg("failed to list icons")
+		return false
+	}
+	if _, ok := icons.WalkxCode[filetype]; !ok {
+		return false
+	}
+	_, ok := icons.WalkxCode[filetype][name+"."+filetype]
+	return ok
+}
+
+func HasSelfhstIcon(name string, filetype string) bool {
+	icons, err := ListAvailableIcons()
+	if err != nil {
+		logging.Error().Err(err).Msg("failed to list icons")
+		return false
+	}
+	if _, ok := icons.Selfhst[filetype]; !ok {
+		return false
+	}
+	_, ok := icons.Selfhst[filetype][name+"."+filetype]
+	return ok
+}
+
+func GetDisplayName(reference string) (string, bool) {
+	icons, err := ListAvailableIcons()
+	if err != nil {
+		logging.Error().Err(err).Msg("failed to list icons")
+		return "", false
+	}
+	displayName, ok := icons.DisplayNames[reference]
+	return displayName, ok
+}
+
+func fetchIconData() (*Cache, error) {
+	walkxCodeIconMap, walkxCodeIconList, err := fetchWalkxCodeIcons()
+	if err != nil {
+		return nil, err
+	}
+
+	n := 0
+	for _, items := range walkxCodeIconMap {
+		n += len(items)
+	}
+
+	selfhstIconMap, selfhstIconList, referenceToNames, err := fetchSelfhstIcons()
+	if err != nil {
+		return nil, err
+	}
+
+	return &Cache{
+		WalkxCode:    walkxCodeIconMap,
+		Selfhst:      selfhstIconMap,
+		DisplayNames: referenceToNames,
+		IconList:     append(walkxCodeIconList, selfhstIconList...),
+	}, nil
+}
+
+/*
+format:
+
+	{
+		"png": [
+			"*.png",
+		],
+		"svg": [
+			"*.svg",
+		],
+		"webp": [
+			"*.webp",
+		]
+	}
+*/
+func fetchWalkxCodeIcons() (IconsMap, IconList, error) {
+	req, err := http.NewRequest(http.MethodGet, walkxcodeIcons, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	data := make(map[string][]string)
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return nil, nil, err
+	}
+	icons := make(IconsMap, len(data))
+	iconList := make(IconList, 0, 2000)
+	for fileType, files := range data {
+		icons[fileType] = make(map[string]struct{}, len(files))
+		for _, icon := range files {
+			icons[fileType][icon] = struct{}{}
+			iconList = append(iconList, "@walkxcode/"+icon)
+		}
+	}
+	return icons, iconList, nil
+}
+
+/*
+format:
+
+	{
+			"Name": "2FAuth",
+			"Reference": "2fauth",
+			"SVG": "Yes",
+			"PNG": "Yes",
+			"WebP": "Yes",
+			"Light": "Yes",
+			"Category": "Self-Hosted",
+			"CreatedAt": "2024-08-16 00:27:23+00:00"
+	}
+*/
+func fetchSelfhstIcons() (IconsMap, IconList, ReferenceDisplayNameMap, error) {
+	type SelfhStIcon struct {
+		Name      string `json:"Name"`
+		Reference string `json:"Reference"`
+		SVG       string `json:"SVG"`
+		PNG       string `json:"PNG"`
+		WebP      string `json:"WebP"`
+		// Light          string
+		// Category       string
+		// CreatedAt      string
+	}
+
+	req, err := http.NewRequest(http.MethodGet, selfhstIcons, nil)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	data := make([]SelfhStIcon, 0, 2000)
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	iconList := make(IconList, 0, len(data)*3)
+	icons := make(IconsMap)
+	icons["svg"] = make(map[string]struct{}, len(data))
+	icons["png"] = make(map[string]struct{}, len(data))
+	icons["webp"] = make(map[string]struct{}, len(data))
+
+	referenceToNames := make(ReferenceDisplayNameMap, len(data))
+
+	for _, item := range data {
+		if item.SVG == "Yes" {
+			icons["svg"][item.Reference+".svg"] = struct{}{}
+			iconList = append(iconList, "@selfhst/"+item.Reference+".svg")
+		}
+		if item.PNG == "Yes" {
+			icons["png"][item.Reference+".png"] = struct{}{}
+			iconList = append(iconList, "@selfhst/"+item.Reference+".png")
+		}
+		if item.WebP == "Yes" {
+			icons["webp"][item.Reference+".webp"] = struct{}{}
+			iconList = append(iconList, "@selfhst/"+item.Reference+".webp")
+		}
+		referenceToNames[item.Reference] = item.Name
+	}
+
+	return icons, iconList, referenceToNames, nil
+}
--- a/internal/homepage/override_config.go
+++ b/internal/homepage/override_config.go
@@ -1,12 +1,11 @@
 package homepage

 import (
+	"maps"
 	"sync"

 	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/go-proxy/internal/jsonstore"
 )

 type OverrideConfig struct {
@@ -17,39 +16,19 @@ type OverrideConfig struct {
 	mu             sync.RWMutex
 }

-var overrideConfigInstance = &OverrideConfig{
-	ItemOverrides:  make(map[string]*ItemConfig),
-	DisplayOrder:   make(map[string]int),
-	CategoryOrder:  make(map[string]int),
-	ItemVisibility: make(map[string]bool),
-}
-
-func InitOverridesConfig() {
-	overrideConfigInstance.mu.Lock()
-	defer overrideConfigInstance.mu.Unlock()
-
-	err := utils.LoadJSONIfExist(common.HomepageJSONConfigPath, overrideConfigInstance)
-	if err != nil {
-		logging.Error().Err(err).Msg("failed to load homepage overrides config")
-	} else if len(overrideConfigInstance.ItemOverrides) > 0 {
-		logging.Info().
-			Int("count", len(overrideConfigInstance.ItemOverrides)).
-			Msg("homepage overrides config loaded")
-	}
-	task.OnProgramExit("save_homepage_json_config", func() {
-		if len(overrideConfigInstance.ItemOverrides) == 0 {
-			return
-		}
-		if err := utils.SaveJSON(common.HomepageJSONConfigPath, overrideConfigInstance, 0o644); err != nil {
-			logging.Error().Err(err).Msg("failed to save homepage overrides config")
-		}
-	})
-}
+var overrideConfigInstance = jsonstore.Object[*OverrideConfig](common.NamespaceHomepageOverrides)

 func GetOverrideConfig() *OverrideConfig {
 	return overrideConfigInstance
 }

+func (c *OverrideConfig) Initialize() {
+	c.ItemOverrides = make(map[string]*ItemConfig)
+	c.DisplayOrder = make(map[string]int)
+	c.CategoryOrder = make(map[string]int)
+	c.ItemVisibility = make(map[string]bool)
+}
+
 func (c *OverrideConfig) OverrideItem(alias string, override *ItemConfig) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
@@ -59,9 +38,7 @@ func (c *OverrideConfig) OverrideItem(alias string, override *ItemConfig) {
 func (c *OverrideConfig) OverrideItems(items map[string]*ItemConfig) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	for key, value := range items {
-		c.ItemOverrides[key] = value
-	}
+	maps.Copy(c.ItemOverrides, items)
 }

 func (c *OverrideConfig) GetOverride(alias string, item *ItemConfig) *ItemConfig {
--- a/internal/homepage/route.go
+++ b/internal/homepage/route.go
@@ -0,0 +1,20 @@
+package homepage
+
+import (
+	"net/http"
+
+	gpnet "github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/go-proxy/internal/utils/pool"
+)
+
+type route interface {
+	pool.Object
+	ProviderName() string
+	Reference() string
+	TargetURL() *gpnet.URL
+}
+
+type httpRoute interface {
+	route
+	http.Handler
+}
--- a/internal/idlewatcher/common.go
+++ b/internal/idlewatcher/common.go
@@ -0,0 +1,13 @@
+package idlewatcher
+
+import "context"
+
+func (w *Watcher) cancelled(reqCtx context.Context) bool {
+	select {
+	case <-reqCtx.Done():
+		w.l.Debug().AnErr("cause", context.Cause(reqCtx)).Msg("wake canceled")
+		return true
+	default:
+		return false
+	}
+}
--- a/internal/idlewatcher/debug.go
+++ b/internal/idlewatcher/debug.go
@@ -0,0 +1,40 @@
+package idlewatcher
+
+import (
+	"iter"
+	"strconv"
+
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type watcherDebug struct {
+	*Watcher
+}
+
+func (w watcherDebug) MarshalMap() map[string]any {
+	state := w.state.Load()
+	return map[string]any{
+		"name": w.Name(),
+		"state": map[string]string{
+			"status": string(state.status),
+			"ready":  strconv.FormatBool(state.ready),
+			"err":    fmtErr(state.err),
+		},
+		"expires":    strutils.FormatTime(w.expires()),
+		"last_reset": strutils.FormatTime(w.lastReset.Load()),
+		"config":     w.cfg,
+	}
+}
+
+func Watchers() iter.Seq2[string, watcherDebug] {
+	return func(yield func(string, watcherDebug) bool) {
+		watcherMapMu.RLock()
+		defer watcherMapMu.RUnlock()
+
+		for k, w := range watcherMap {
+			if !yield(k, watcherDebug{w}) {
+				return
+			}
+		}
+	}
+}
--- a/internal/docker/idlewatcher/waker_http.go
+++ b/internal/docker/idlewatcher/waker_http.go
@@ -42,20 +42,6 @@ func (w *Watcher) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	}
 }

-func (w *Watcher) cancelled(reqCtx context.Context, rw http.ResponseWriter) bool {
-	select {
-	case <-reqCtx.Done():
-		w.WakeDebug().Str("cause", context.Cause(reqCtx).Error()).Msg("canceled")
-		return true
-	case <-w.task.Context().Done():
-		w.WakeDebug().Str("cause", w.task.FinishCause().Error()).Msg("canceled")
-		http.Error(rw, "Service unavailable", http.StatusServiceUnavailable)
-		return true
-	default:
-		return false
-	}
-}
-
 func isFaviconPath(path string) bool {
 	return path == "/favicon.ico"
 }
@@ -70,13 +56,13 @@ func (w *Watcher) wakeFromHTTP(rw http.ResponseWriter, r *http.Request) (shouldN

 	// handle favicon request
 	if isFaviconPath(r.URL.Path) {
-		r.URL.RawQuery = "alias=" + w.route.TargetName()
+		r.URL.RawQuery = "alias=" + w.rp.TargetName
 		favicon.GetFavIcon(rw, r)
 		return false
 	}

 	// Check if start endpoint is configured and request path matches
-	if w.Config().StartEndpoint != "" && r.URL.Path != w.Config().StartEndpoint {
+	if w.cfg.StartEndpoint != "" && r.URL.Path != w.cfg.StartEndpoint {
 		http.Error(rw, "Forbidden: Container can only be started via configured start endpoint", http.StatusForbidden)
 		return false
 	}
@@ -95,44 +81,48 @@ func (w *Watcher) wakeFromHTTP(rw http.ResponseWriter, r *http.Request) (shouldN
 		rw.Header().Add("Cache-Control", "must-revalidate")
 		rw.Header().Add("Connection", "close")
 		if _, err := rw.Write(body); err != nil {
-			w.Err(err).Msg("error writing http response")
+			return false
 		}
 		return false
 	}

-	ctx, cancel := context.WithTimeoutCause(r.Context(), w.Config().WakeTimeout, errors.New("wake timeout"))
+	ctx, cancel := context.WithTimeoutCause(r.Context(), w.cfg.WakeTimeout, errors.New("wake timeout"))
 	defer cancel()

-	if w.cancelled(ctx, rw) {
+	if w.cancelled(ctx) {
+		gphttp.ServerError(rw, r, context.Cause(ctx), http.StatusServiceUnavailable)
 		return false
 	}

-	w.WakeTrace().Msg("signal received")
+	w.l.Trace().Msg("signal received")
 	err := w.wakeIfStopped()
 	if err != nil {
-		w.WakeError(err)
-		http.Error(rw, "Error waking container", http.StatusInternalServerError)
+		gphttp.ServerError(rw, r, err)
 		return false
 	}

+	var ready bool
+
 	for {
-		if w.cancelled(ctx, rw) {
+		w.resetIdleTimer()
+
+		if w.cancelled(ctx) {
+			gphttp.ServerError(rw, r, context.Cause(ctx), http.StatusServiceUnavailable)
 			return false
 		}

-		ready, err := w.checkUpdateState()
+		w, ready, err = checkUpdateState(w.Key())
 		if err != nil {
-			http.Error(rw, "Error waking container", http.StatusInternalServerError)
+			gphttp.ServerError(rw, r, err)
 			return false
 		}
 		if ready {
-			w.resetIdleTimer()
 			if isCheckRedirect {
-				w.Debug().Msgf("redirecting to %s ...", w.hc.URL())
+				w.l.Debug().Stringer("url", w.hc.URL()).Msg("container is ready, redirecting")
 				rw.WriteHeader(http.StatusOK)
 				return false
 			}
-			w.Debug().Msgf("passing through to %s ...", w.hc.URL())
+			w.l.Debug().Stringer("url", w.hc.URL()).Msg("container is ready, passing through")
 			return true
 		}

--- a/internal/docker/idlewatcher/waker_stream.go
+++ b/internal/docker/idlewatcher/waker_stream.go
@@ -3,11 +3,10 @@ package idlewatcher
 import (
 	"context"
 	"errors"
-	"fmt"
 	"net"
 	"time"

-	"github.com/yusing/go-proxy/internal/net/types"
+	gpnet "github.com/yusing/go-proxy/internal/net/types"
 )

 // Setup implements types.Stream.
@@ -21,19 +20,19 @@ func (w *Watcher) Setup() error {
 }

 // Accept implements types.Stream.
-func (w *Watcher) Accept() (conn types.StreamConn, err error) {
+func (w *Watcher) Accept() (conn gpnet.StreamConn, err error) {
 	conn, err = w.stream.Accept()
 	if err != nil {
 		return
 	}
 	if wakeErr := w.wakeFromStream(); wakeErr != nil {
-		w.WakeError(wakeErr)
+		w.l.Err(wakeErr).Msg("error waking container")
 	}
 	return
 }

 // Handle implements types.Stream.
-func (w *Watcher) Handle(conn types.StreamConn) error {
+func (w *Watcher) Handle(conn gpnet.StreamConn) error {
 	if err := w.wakeFromStream(); err != nil {
 		return err
 	}
@@ -53,35 +52,29 @@ func (w *Watcher) wakeFromStream() error {
 		return nil
 	}

-	w.WakeDebug().Msg("wake signal received")
-	wakeErr := w.wakeIfStopped()
-	if wakeErr != nil {
-		wakeErr = fmt.Errorf("%s failed: %w", w.String(), wakeErr)
-		w.WakeError(wakeErr)
-		return wakeErr
+	w.l.Debug().Msg("wake signal received")
+	err := w.wakeIfStopped()
+	if err != nil {
+		return err
 	}

-	ctx, cancel := context.WithTimeoutCause(w.task.Context(), w.Config().WakeTimeout, errors.New("wake timeout"))
+	ctx, cancel := context.WithTimeoutCause(w.task.Context(), w.cfg.WakeTimeout, errors.New("wake timeout"))
 	defer cancel()

+	var ready bool
+
 	for {
-		select {
-		case <-w.task.Context().Done():
-			cause := w.task.FinishCause()
-			w.WakeDebug().Str("cause", cause.Error()).Msg("canceled")
-			return cause
-		case <-ctx.Done():
-			cause := context.Cause(ctx)
-			w.WakeDebug().Str("cause", cause.Error()).Msg("timeout")
-			return cause
-		default:
+		if w.cancelled(ctx) {
+			return context.Cause(ctx)
 		}

-		if ready, err := w.checkUpdateState(); err != nil {
+		w, ready, err = checkUpdateState(w.Key())
+		if err != nil {
 			return err
-		} else if ready {
+		}
+		if ready {
 			w.resetIdleTimer()
-			w.Debug().Msg("container is ready, passing through to " + w.hc.URL().String())
+			w.l.Debug().Stringer("url", w.hc.URL()).Msg("container is ready, passing through")
 			return nil
 		}

--- a/internal/idlewatcher/health.go
+++ b/internal/idlewatcher/health.go
@@ -0,0 +1,122 @@
+package idlewatcher
+
+import (
+	"errors"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/gperr"
+	idlewatcher "github.com/yusing/go-proxy/internal/idlewatcher/types"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+)
+
+// Start implements health.HealthMonitor.
+func (w *Watcher) Start(parent task.Parent) gperr.Error {
+	w.task.OnCancel("route_cleanup", func() {
+		parent.Finish(w.task.FinishCause())
+	})
+	return nil
+}
+
+// Task implements health.HealthMonitor.
+func (w *Watcher) Task() *task.Task {
+	return w.task
+}
+
+// Finish implements health.HealthMonitor.
+func (w *Watcher) Finish(reason any) {
+	if w.stream != nil {
+		w.stream.Close()
+	}
+}
+
+// Name implements health.HealthMonitor.
+func (w *Watcher) Name() string {
+	return w.cfg.ContainerName()
+}
+
+// String implements health.HealthMonitor.
+func (w *Watcher) String() string {
+	return w.Name()
+}
+
+// Uptime implements health.HealthMonitor.
+func (w *Watcher) Uptime() time.Duration {
+	return 0
+}
+
+// Latency implements health.HealthMonitor.
+func (w *Watcher) Latency() time.Duration {
+	return 0
+}
+
+// Status implements health.HealthMonitor.
+func (w *Watcher) Status() health.Status {
+	state := w.state.Load()
+	if state.err != nil {
+		return health.StatusError
+	}
+	if state.ready {
+		return health.StatusHealthy
+	}
+	if state.status == idlewatcher.ContainerStatusRunning {
+		return health.StatusStarting
+	}
+	return health.StatusNapping
+}
+
+func checkUpdateState(key string) (w *Watcher, ready bool, err error) {
+	watcherMapMu.RLock()
+	w, ok := watcherMap[key]
+	if !ok {
+		watcherMapMu.RUnlock()
+		return nil, false, errors.New("watcher not found")
+	}
+	watcherMapMu.RUnlock()
+
+	// already ready
+	if w.ready() {
+		return w, true, nil
+	}
+
+	if !w.running() {
+		return w, false, nil
+	}
+
+	// the new container info not yet updated
+	if w.hc.URL().Host == "" {
+		return w, false, nil
+	}
+
+	res, err := w.hc.CheckHealth()
+	if err != nil {
+		w.setError(err)
+		return w, false, err
+	}
+
+	if res.Healthy {
+		w.setReady()
+		return w, true, nil
+	}
+	w.setStarting()
+	return w, false, nil
+}
+
+// MarshalMap implements health.HealthMonitor.
+func (w *Watcher) MarshalMap() map[string]any {
+	url := w.hc.URL()
+	if url.Port() == "0" {
+		url = nil
+	}
+	var detail string
+	if err := w.error(); err != nil {
+		detail = err.Error()
+	}
+	return (&health.JSONRepresentation{
+		Name:   w.Name(),
+		Status: w.Status(),
+		Config: dummyHealthCheckConfig,
+		URL:    url,
+		Detail: detail,
+	}).MarshalMap()
+}
--- a/internal/docker/idlewatcher/html/loading_page.html
+++ b/internal/docker/idlewatcher/html/loading_page.html
--- a/internal/docker/idlewatcher/loading_page.go
+++ b/internal/docker/idlewatcher/loading_page.go
@@ -19,11 +19,11 @@ var loadingPage []byte
 var loadingPageTmpl = template.Must(template.New("loading_page").Parse(string(loadingPage)))

 func (w *Watcher) makeLoadingPageBody() []byte {
-	msg := w.ContainerName() + " is starting..."
+	msg := w.cfg.ContainerName() + " is starting..."

 	data := new(templateData)
 	data.CheckRedirectHeader = httpheaders.HeaderGoDoxyCheckRedirect
-	data.Title = w.route.HomepageItem().Name
+	data.Title = w.cfg.ContainerName()
 	data.Message = msg

 	buf := bytes.NewBuffer(make([]byte, len(loadingPage)+len(data.Title)+len(data.Message)+len(httpheaders.HeaderGoDoxyCheckRedirect)))
--- a/internal/idlewatcher/provider/docker.go
+++ b/internal/idlewatcher/provider/docker.go
@@ -0,0 +1,90 @@
+package provider
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/gperr"
+	idlewatcher "github.com/yusing/go-proxy/internal/idlewatcher/types"
+	"github.com/yusing/go-proxy/internal/watcher"
+)
+
+type DockerProvider struct {
+	client      *docker.SharedClient
+	watcher     *watcher.DockerWatcher
+	containerID string
+}
+
+var startOptions = container.StartOptions{}
+
+func NewDockerProvider(dockerHost, containerID string) (idlewatcher.Provider, error) {
+	client, err := docker.NewClient(dockerHost)
+	if err != nil {
+		return nil, err
+	}
+	return &DockerProvider{
+		client:      client,
+		watcher:     watcher.NewDockerWatcher(dockerHost),
+		containerID: containerID,
+	}, nil
+}
+
+func (p *DockerProvider) ContainerPause(ctx context.Context) error {
+	return p.client.ContainerPause(ctx, p.containerID)
+}
+
+func (p *DockerProvider) ContainerUnpause(ctx context.Context) error {
+	return p.client.ContainerUnpause(ctx, p.containerID)
+}
+
+func (p *DockerProvider) ContainerStart(ctx context.Context) error {
+	return p.client.ContainerStart(ctx, p.containerID, startOptions)
+}
+
+func (p *DockerProvider) ContainerStop(ctx context.Context, signal idlewatcher.Signal, timeout int) error {
+	return p.client.ContainerStop(ctx, p.containerID, container.StopOptions{
+		Signal:  string(signal),
+		Timeout: &timeout,
+	})
+}
+
+func (p *DockerProvider) ContainerKill(ctx context.Context, signal idlewatcher.Signal) error {
+	return p.client.ContainerKill(ctx, p.containerID, string(signal))
+}
+
+func (p *DockerProvider) ContainerStatus(ctx context.Context) (idlewatcher.ContainerStatus, error) {
+	status, err := p.client.ContainerInspect(ctx, p.containerID)
+	if err != nil {
+		return idlewatcher.ContainerStatusError, err
+	}
+	switch status.State.Status {
+	case "running":
+		return idlewatcher.ContainerStatusRunning, nil
+	case "exited", "dead", "restarting":
+		return idlewatcher.ContainerStatusStopped, nil
+	case "paused":
+		return idlewatcher.ContainerStatusPaused, nil
+	}
+	return idlewatcher.ContainerStatusError, idlewatcher.ErrUnexpectedContainerStatus.Subject(status.State.Status)
+}
+
+func (p *DockerProvider) Watch(ctx context.Context) (eventCh <-chan watcher.Event, errCh <-chan gperr.Error) {
+	return p.watcher.EventsWithOptions(ctx, watcher.DockerListOptions{
+		Filters: watcher.NewDockerFilter(
+			watcher.DockerFilterContainer,
+			watcher.DockerFilterContainerNameID(p.containerID),
+			watcher.DockerFilterStart,
+			watcher.DockerFilterStop,
+			watcher.DockerFilterDie,
+			watcher.DockerFilterKill,
+			watcher.DockerFilterDestroy,
+			watcher.DockerFilterPause,
+			watcher.DockerFilterUnpause,
+		),
+	})
+}
+
+func (p *DockerProvider) Close() {
+	p.client.Close()
+}
--- a/internal/idlewatcher/provider/proxmox.go
+++ b/internal/idlewatcher/provider/proxmox.go
@@ -0,0 +1,129 @@
+package provider
+
+import (
+	"context"
+	"strconv"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/gperr"
+	idlewatcher "github.com/yusing/go-proxy/internal/idlewatcher/types"
+	"github.com/yusing/go-proxy/internal/proxmox"
+	"github.com/yusing/go-proxy/internal/watcher"
+	"github.com/yusing/go-proxy/internal/watcher/events"
+)
+
+type ProxmoxProvider struct {
+	*proxmox.Node
+	vmid    int
+	lxcName string
+	running bool
+}
+
+const proxmoxStateCheckInterval = 1 * time.Second
+
+var ErrNodeNotFound = gperr.New("node not found in pool")
+
+func NewProxmoxProvider(nodeName string, vmid int) (idlewatcher.Provider, error) {
+	node, ok := proxmox.Nodes.Get(nodeName)
+	if !ok {
+		return nil, ErrNodeNotFound.Subject(nodeName).
+			Withf("available nodes: %s", proxmox.AvailableNodeNames())
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	lxcName, err := node.LXCName(ctx, vmid)
+	if err != nil {
+		return nil, err
+	}
+	return &ProxmoxProvider{Node: node, vmid: vmid, lxcName: lxcName}, nil
+}
+
+func (p *ProxmoxProvider) ContainerPause(ctx context.Context) error {
+	return p.LXCAction(ctx, p.vmid, proxmox.LXCSuspend)
+}
+
+func (p *ProxmoxProvider) ContainerUnpause(ctx context.Context) error {
+	return p.LXCAction(ctx, p.vmid, proxmox.LXCResume)
+}
+
+func (p *ProxmoxProvider) ContainerStart(ctx context.Context) error {
+	return p.LXCAction(ctx, p.vmid, proxmox.LXCStart)
+}
+
+func (p *ProxmoxProvider) ContainerStop(ctx context.Context, _ idlewatcher.Signal, _ int) error {
+	return p.LXCAction(ctx, p.vmid, proxmox.LXCShutdown)
+}
+
+func (p *ProxmoxProvider) ContainerKill(ctx context.Context, _ idlewatcher.Signal) error {
+	return p.LXCAction(ctx, p.vmid, proxmox.LXCShutdown)
+}
+
+func (p *ProxmoxProvider) ContainerStatus(ctx context.Context) (idlewatcher.ContainerStatus, error) {
+	status, err := p.LXCStatus(ctx, p.vmid)
+	if err != nil {
+		return idlewatcher.ContainerStatusError, err
+	}
+	switch status {
+	case proxmox.LXCStatusRunning:
+		return idlewatcher.ContainerStatusRunning, nil
+	case proxmox.LXCStatusStopped:
+		return idlewatcher.ContainerStatusStopped, nil
+	}
+	return idlewatcher.ContainerStatusError, idlewatcher.ErrUnexpectedContainerStatus.Subject(string(status))
+}
+
+func (p *ProxmoxProvider) Watch(ctx context.Context) (<-chan watcher.Event, <-chan gperr.Error) {
+	eventCh := make(chan watcher.Event)
+	errCh := make(chan gperr.Error)
+
+	go func() {
+		defer close(eventCh)
+		defer close(errCh)
+
+		var err error
+		p.running, err = p.LXCIsRunning(ctx, p.vmid)
+		if err != nil {
+			errCh <- gperr.Wrap(err)
+			return
+		}
+
+		ticker := time.NewTicker(proxmoxStateCheckInterval)
+		defer ticker.Stop()
+
+		event := watcher.Event{
+			Type:      events.EventTypeDocker,
+			ActorID:   strconv.Itoa(p.vmid),
+			ActorName: p.lxcName,
+		}
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				status, err := p.ContainerStatus(ctx)
+				if err != nil {
+					errCh <- gperr.Wrap(err)
+					return
+				}
+				running := status == idlewatcher.ContainerStatusRunning
+				if p.running != running {
+					p.running = running
+					if running {
+						event.Action = events.ActionContainerStart
+					} else {
+						event.Action = events.ActionContainerStop
+					}
+					eventCh <- event
+				}
+			}
+		}
+	}()
+
+	return eventCh, errCh
+}
+
+func (p *ProxmoxProvider) Close() {
+	// noop
+}
--- a/internal/idlewatcher/state.go
+++ b/internal/idlewatcher/state.go
@@ -0,0 +1,44 @@
+package idlewatcher
+
+import idlewatcher "github.com/yusing/go-proxy/internal/idlewatcher/types"
+
+func (w *Watcher) running() bool {
+	return w.state.Load().status == idlewatcher.ContainerStatusRunning
+}
+
+func (w *Watcher) ready() bool {
+	return w.state.Load().ready
+}
+
+func (w *Watcher) error() error {
+	return w.state.Load().err
+}
+
+func (w *Watcher) setReady() {
+	w.state.Store(&containerState{
+		status: idlewatcher.ContainerStatusRunning,
+		ready:  true,
+	})
+}
+
+func (w *Watcher) setStarting() {
+	w.state.Store(&containerState{
+		status: idlewatcher.ContainerStatusRunning,
+		ready:  false,
+	})
+}
+
+func (w *Watcher) setNapping(status idlewatcher.ContainerStatus) {
+	w.state.Store(&containerState{
+		status: status,
+		ready:  false,
+	})
+}
+
+func (w *Watcher) setError(err error) {
+	w.state.Store(&containerState{
+		status: idlewatcher.ContainerStatusError,
+		ready:  false,
+		err:    err,
+	})
+}
--- a/internal/idlewatcher/types/config.go
+++ b/internal/idlewatcher/types/config.go
@@ -0,0 +1,128 @@
+package idlewatcher
+
+import (
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type (
+	Config struct {
+		Proxmox *ProxmoxConfig `json:"proxmox,omitempty"`
+		Docker  *DockerConfig  `json:"docker,omitempty"`
+
+		IdleTimeout   time.Duration `json:"idle_timeout" json_ext:"duration"`
+		WakeTimeout   time.Duration `json:"wake_timeout" json_ext:"duration"`
+		StopTimeout   time.Duration `json:"stop_timeout" json_ext:"duration"`
+		StopMethod    StopMethod    `json:"stop_method"`
+		StopSignal    Signal        `json:"stop_signal,omitempty"`
+		StartEndpoint string        `json:"start_endpoint,omitempty"` // Optional path that must be hit to start container
+	}
+	StopMethod string
+	Signal     string
+
+	DockerConfig struct {
+		DockerHost    string `json:"docker_host" validate:"required"`
+		ContainerID   string `json:"container_id" validate:"required"`
+		ContainerName string `json:"container_name" validate:"required"`
+	}
+	ProxmoxConfig struct {
+		Node string `json:"node" validate:"required"`
+		VMID int    `json:"vmid" validate:"required"`
+	}
+)
+
+const (
+	WakeTimeoutDefault = 30 * time.Second
+	StopTimeoutDefault = 1 * time.Minute
+
+	StopMethodPause StopMethod = "pause"
+	StopMethodStop  StopMethod = "stop"
+	StopMethodKill  StopMethod = "kill"
+)
+
+func (c *Config) Key() string {
+	if c.Docker != nil {
+		return c.Docker.ContainerID
+	}
+	return c.Proxmox.Node + ":" + strconv.Itoa(c.Proxmox.VMID)
+}
+
+func (c *Config) ContainerName() string {
+	if c.Docker != nil {
+		return c.Docker.ContainerName
+	}
+	return "lxc " + strconv.Itoa(c.Proxmox.VMID)
+}
+
+func (c *Config) Validate() gperr.Error {
+	if c.IdleTimeout == 0 { // no idle timeout means no idle watcher
+		return nil
+	}
+	errs := gperr.NewBuilder("idlewatcher config validation error")
+	errs.AddRange(
+		c.validateProvider(),
+		c.validateTimeouts(),
+		c.validateStopMethod(),
+		c.validateStopSignal(),
+		c.validateStartEndpoint(),
+	)
+	return errs.Error()
+}
+
+func (c *Config) validateProvider() error {
+	if c.Docker == nil && c.Proxmox == nil {
+		return gperr.New("missing idlewatcher provider config")
+	}
+	return nil
+}
+
+func (c *Config) validateTimeouts() error {
+	if c.WakeTimeout == 0 {
+		c.WakeTimeout = WakeTimeoutDefault
+	}
+	if c.StopTimeout == 0 {
+		c.StopTimeout = StopTimeoutDefault
+	}
+	return nil
+}
+
+func (c *Config) validateStopMethod() error {
+	switch c.StopMethod {
+	case "":
+		c.StopMethod = StopMethodStop
+		return nil
+	case StopMethodPause, StopMethodStop, StopMethodKill:
+		return nil
+	default:
+		return gperr.New("invalid stop method").Subject(string(c.StopMethod))
+	}
+}
+
+func (c *Config) validateStopSignal() error {
+	switch c.StopSignal {
+	case "", "SIGINT", "SIGTERM", "SIGQUIT", "SIGHUP", "INT", "TERM", "QUIT", "HUP":
+		return nil
+	default:
+		return gperr.New("invalid stop signal").Subject(string(c.StopSignal))
+	}
+}
+
+func (c *Config) validateStartEndpoint() error {
+	if c.StartEndpoint == "" {
+		return nil
+	}
+	// checks needed as of Go 1.6 because of change https://github.com/golang/go/commit/617c93ce740c3c3cc28cdd1a0d712be183d0b328#diff-6c2d018290e298803c0c9419d8739885L195
+	// emulate browser and strip the '#' suffix prior to validation. see issue-#237
+	if i := strings.Index(c.StartEndpoint, "#"); i > -1 {
+		c.StartEndpoint = c.StartEndpoint[:i]
+	}
+	if len(c.StartEndpoint) == 0 {
+		return gperr.New("start endpoint must not be empty if defined")
+	}
+	_, err := url.ParseRequestURI(c.StartEndpoint)
+	return err
+}
--- a/internal/docker/idlewatcher/types/config_test.go
+++ b/internal/docker/idlewatcher/types/config_test.go
@@ -1,9 +1,9 @@
-package types
+package idlewatcher

 import (
 	"testing"

-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	expect "github.com/yusing/go-proxy/internal/utils/testing"
 )

 func TestValidateStartEndpoint(t *testing.T) {
@@ -35,9 +35,10 @@ func TestValidateStartEndpoint(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			s, err := validateStartEndpoint(tc.input)
+			cfg := Config{StartEndpoint: tc.input}
+			err := cfg.validateStartEndpoint()
 			if err == nil {
-				ExpectEqual(t, s, tc.input)
+				expect.Equal(t, cfg.StartEndpoint, tc.input)
 			}
 			if (err != nil) != tc.wantErr {
 				t.Errorf("validateStartEndpoint() error = %v, wantErr %t", err, tc.wantErr)
--- a/internal/idlewatcher/types/container_status.go
+++ b/internal/idlewatcher/types/container_status.go
@@ -0,0 +1,14 @@
+package idlewatcher
+
+import "github.com/yusing/go-proxy/internal/gperr"
+
+type ContainerStatus string
+
+const (
+	ContainerStatusError   ContainerStatus = "error"
+	ContainerStatusRunning ContainerStatus = "running"
+	ContainerStatusPaused  ContainerStatus = "paused"
+	ContainerStatusStopped ContainerStatus = "stopped"
+)
+
+var ErrUnexpectedContainerStatus = gperr.New("unexpected container status")
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
yusing	759995972d	docs: update README and config example for v0.11.0	2025-04-25 14:24:28 +08:00
yusing	03401488f6	chore(idlesleep): increase wake/sleep timeout to 3 minutes	2025-04-25 13:36:04 +08:00
yusing	1e790be70c	chore: change ACL iso field to country	2025-04-25 13:25:45 +08:00
yusing	4410637f8b	feat(autocert): added all available lego supported dns providers	2025-04-25 12:32:02 +08:00
yusing	3947152336	fix: uptime metrics	2025-04-25 11:26:24 +08:00
yusing	af8d2c74f6	revert(oidc): api breaking changes	2025-04-25 11:10:21 +08:00
yusing	e107f8d476	doc: checkout README from main	2025-04-25 10:49:05 +08:00
yusing	b427ff1f88	feat(acl): connection level ip/geo blocking - fixed access log logic - implement acl at connection level - acl logging - ip/cidr blocking - geoblocking with MaxMind database	2025-04-25 10:47:52 +08:00
yusing	e513db62b0	refactor: move accesslog to logging/accesslog	2025-04-25 08:37:39 +08:00
yusing	2f33ee02d9	chore: replace gopkg.in/yaml.v3 with goccy/go-yaml	2025-04-25 08:36:54 +08:00
yusing	59490dcac0	refactor: move mock time to utils	2025-04-25 08:26:00 +08:00
yusing	5afa93a8f1	fix: json data not being loaded from disk correctly, logging	2025-04-25 08:26:00 +08:00
yusing	c8e9ed8440	fix: fatal and panic does not terminate the program	2025-04-25 08:26:00 +08:00
yusing	8363dfe257	fix: json marshal/unmarshal	2025-04-25 08:25:37 +08:00
yusing	080bbc18eb	chore: completely drop prometheus support	2025-04-24 20:02:07 +08:00
yusing	1a0edc8bfe	chore: deps upgrade	2025-04-24 16:39:05 +08:00
yusing	e8d1d524b9	fix: missing route handler iniitialization	2025-04-24 16:11:55 +08:00
yusing	edada22ac0	fix: tests	2025-04-24 15:45:34 +08:00
Yuzerion	76fb0cfdbb	Feat/http3 (#84 ) * chore(deps): update go-playground/validator to v10.26.0 * chore(deps): update Go version to 1.24.2 and dependencies, reorganize dependencies into categorized sections * chore(deps): update Go version to 1.24.2 in Dockerfile * refactor(agent): replace deprecated context import with standard context package * feat(http3): add HTTP/3 support and refactor server handling code into utility functions --------- Co-authored-by: yusing <yusing@6uo.me>	2025-04-24 15:37:12 +08:00
yusing	5df2553774	merge: better favicon handling	2025-04-24 15:34:47 +08:00
yusing	31812430f1	merge: access log rotation and enhancements	2025-04-24 15:29:18 +08:00
yusing	d668b03175	fix: tests	2025-04-24 15:09:46 +08:00
yusing	663a107c06	merge: main branch	2025-04-24 15:02:31 +08:00
yusing	806184e98b	fix: redirectHTTP middleware redirect loop when behind another proxy	2025-04-24 09:27:10 +08:00
yusing	08ee82d7b0	fix(docker): docker clients not being cached correctly	2025-04-24 06:29:19 +08:00
yusing	bcc19167d4	feat: enhanced string utilities - relative time formatting - better relative duration formatting	2025-04-24 06:27:32 +08:00
yusing	858f65ee5a	fix: update code for error handling changes, remove unused code	2025-04-24 06:24:28 +08:00
yusing	43566bbcfd	feat: enhanced error handling library	2025-04-24 06:19:22 +08:00
yusing	ec8cca1245	feat: trie implementation	2025-04-24 05:56:03 +08:00
yusing	4a65de99a8	refactor: unify json load/saving with jsonstore	2025-04-24 05:49:32 +08:00
yusing	7461344004	fix: json store marshaling, api handler - code clean up - uncomment and simplify api auth handler - fix redirect url for frontend - proper redirect	2025-04-24 04:47:42 +08:00
yusing	b815c6fd69	feat(oidc): support token refreshing via offline_access scope - refactored code - moved api/v1/auth to auth/ - security enhancement - env example update - default jwt ttl changed to 24 hours	2025-04-23 17:50:22 +08:00
yusing	28c9a2e9d0	chore(oidc): remove debug logging	2025-04-23 02:02:17 +08:00
yusing	9e0bdd964c	fix(oidc): rewrite login flow, fixed end_session_url retrieval and redirect issue	2025-04-22 19:29:19 +08:00
yusing	077641beaa	refactor(oidc): simplify exchange method	2025-04-22 19:29:19 +08:00
yusing	ef483403da	security: drop service headers	2025-04-22 19:28:58 +08:00
yusing	0a8aa2b215	fix(oidc): use XFH header from backend for cookie domain	2025-04-22 09:57:44 +08:00
yusing	5a984f5c0c	chore: remove unused debugging printing	2025-04-22 09:54:19 +08:00
yusing	d60688c66f	fix(route): error not being returned	2025-04-22 09:18:25 +08:00
yusing	23482da259	fix(route): panic on middleware error	2025-04-22 07:18:51 +08:00
yusing	62776229cb	refactor(oidc): simplify initiialization flow, replace go-oidc with own forked version	2025-04-22 04:14:40 +08:00
yusing	36fab0cd50	fix(oidc): simplify and fix oidc middleware url handling	2025-04-22 03:55:43 +08:00
yusing	8f03662982	chore: upgrade go to 1.24.2 and dependencies	2025-04-22 03:21:42 +08:00
yusing	aad44031c4	chore: add rule files and debug dir to .gitignore	2025-04-22 03:19:05 +08:00
yusing	51813e6030	refactor(agent): replace deprecated context import with standard context package	2025-04-02 15:31:50 +08:00