Merge branch 'main' into dev

refactor(state): replace Entrypoint method with ShortLinkMatcher interface
- Cleaned up agent go.mod by removing unused indirect dependencies.
2026-01-12 05:20:33 +01:00 · 2026-01-04 12:43:18 +08:00 · 2026-01-04 12:43:05 +08:00 · 2026-01-04 12:28:32 +08:00 · 2026-01-04 00:37:26 +08:00 · 2026-01-03 20:06:31 +08:00
627 changed files with 42758 additions and 25120 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,15 @@
+# docker image tag (latest, nightly)
+TAG=latest
+
 # set timezone to get correct log timestamp
 TZ=ETC/UTC

+# container uid and gid (must match the owner of mounted directories)
+GODOXY_UID=1000
+GODOXY_GID=1000
+
+# Set GODOXY_API_JWT_SECURE=false to allow http
+GODOXY_API_JWT_SECURE=true
 # API JWT Configuration (common)
 # generate secret with `openssl rand -base64 32`
 GODOXY_API_JWT_SECRET=
@@ -41,14 +50,26 @@ GODOXY_API_PASSWORD=password
 GODOXY_HTTP_ADDR=:80
 GODOXY_HTTPS_ADDR=:443

+# Enable HTTP3
+GODOXY_HTTP3_ENABLED=true
+
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888

-# Frontend listening port
-GODOXY_FRONTEND_PORT=3000
+# Metrics
+GODOXY_METRICS_DISABLE_CPU=false
+GODOXY_METRICS_DISABLE_MEMORY=false
+GODOXY_METRICS_DISABLE_DISK=false
+GODOXY_METRICS_DISABLE_NETWORK=false
+GODOXY_METRICS_DISABLE_SENSORS=false

-# Prometheus Metrics
-GODOXY_PROMETHEUS_ENABLED=true
+# Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
+GODOXY_FRONTEND_ALIASES=godoxy
+
+# Docker socket
+# /var/run/podman/podman.sock for podman
+DOCKER_SOCKET=/var/run/docker.sock
+SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375

 # Debug mode
 GODOXY_DEBUG=false
--- a/.github/workflows/agent-binary.yml
+++ b/.github/workflows/agent-binary.yml
@@ -25,6 +25,8 @@ jobs:
      id-token: write
    steps:
      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
--- a/.github/workflows/docker-image-nightly.yml
+++ b/.github/workflows/docker-image-nightly.yml
@@ -15,9 +15,10 @@ jobs:
    with:
      image_name: ${{ github.repository_owner }}/godoxy
      tag: nightly
+      target: main
  build-nightly-agent:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy-agent
      tag: nightly
-      agent: true
+      target: agent
--- a/.github/workflows/docker-image-prod.yml
+++ b/.github/workflows/docker-image-prod.yml
@@ -10,11 +10,11 @@ jobs:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy
-      old_image_name: ${{ github.repository_owner }}/go-proxy
      tag: latest
+      target: main
  build-prod-agent:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy-agent
      tag: latest
-      agent: true
+      target: agent
--- a/.github/workflows/docker-image-socket-proxy.yml
+++ b/.github/workflows/docker-image-socket-proxy.yml
@@ -0,0 +1,22 @@
+name: Docker Image CI (socket-proxy)
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "socket-proxy/**"
+      - "socket-proxy.Dockerfile"
+      - ".github/workflows/docker-image-socket-proxy.yml"
+    tags-ignore:
+      - "**"
+  workflow_dispatch:
+
+jobs:
+  build:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/socket-proxy
+      tag: latest
+      target: socket-proxy
+      dockerfile: socket-proxy.Dockerfile
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -9,19 +9,20 @@ on:
      image_name:
        required: true
        type: string
-      old_image_name:
+      target:
+        required: true
+        type: string
+      dockerfile:
        required: false
        type: string
-      agent:
-        required: false
-        default: false
-        type: boolean
+        default: Dockerfile

 env:
  REGISTRY: ghcr.io
-  MAKE_ARGS: agent=${{ inputs.agent && '1' || '0' }}
-  DIGEST_PATH: /tmp/digests/${{ inputs.agent && 'agent' || 'main' }}
-  DIGEST_NAME_SUFFIX: ${{ inputs.agent && 'agent' || 'main' }}
+  MAKE_ARGS: ${{ inputs.target }}=1
+  DIGEST_PATH: /tmp/digests/${{ inputs.target }}
+  DIGEST_NAME_SUFFIX: ${{ inputs.target }}
+  DOCKERFILE: ${{ inputs.dockerfile }}

 jobs:
  build:
@@ -76,11 +77,14 @@ jobs:
        with:
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
+          file: ${{ env.DOCKERFILE }}
          outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
          cache-from: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}-${{ inputs.tag }}
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}
+          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
          cache-to: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}-${{ inputs.tag }},mode=max
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max
+          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
          build-args: |
            VERSION=${{ github.ref_name }}
            MAKE_ARGS=${{ env.MAKE_ARGS }}
@@ -149,17 +153,6 @@ jobs:
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY }}/${{ inputs.image_name }}@sha256:%s ' *)

-      - name: Old image name
-        if: inputs.old_image_name != ''
-        run: |
-          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}\
-            ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
-
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
-
-      - name: Inspect image (old)
-        if: inputs.old_image_name != ''
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}
--- a/.github/workflows/merge-main-into-compat.yml
+++ b/.github/workflows/merge-main-into-compat.yml
@@ -0,0 +1,39 @@
+name: Cherry-pick into Compat
+
+on:
+  push:
+    tags:
+      - v*
+    paths:
+      - ".github/workflows/merge-main-into-compat.yml"
+
+jobs:
+  cherry-pick:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Configure git user
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      - name: Cherry-pick commits from last tag
+        run: |
+          git fetch origin compat
+          git checkout compat
+          CURRENT_TAG=${{ github.ref_name }}
+          PREV_TAG=$(git describe --tags --abbrev=0 $CURRENT_TAG^ 2>/dev/null || echo "")
+
+          if [ -z "$PREV_TAG" ]; then
+            echo "No previous tag found. Cherry-picking all commits up to $CURRENT_TAG"
+            git rev-list --reverse --no-merges $CURRENT_TAG | xargs -r git cherry-pick
+          else
+            echo "Cherry-picking commits from $PREV_TAG to $CURRENT_TAG"
+            git rev-list --reverse --no-merges $PREV_TAG..$CURRENT_TAG | xargs -r git cherry-pick
+          fi
+      - name: Push compat
+        run: |
+          git push origin compat
--- a/.gitignore
+++ b/.gitignore
@@ -29,7 +29,9 @@ todo.md
 .aider*
 mtrace.json
 .env
+*.env
 .cursorrules
+.cursor/
 .windsurfrules
 test.Dockerfile

@@ -37,4 +39,5 @@ node_modules/
 tsconfig.tsbuildinfo

 !agent.compose.yml
-!agent/pkg/**
+!agent/pkg/**
+dev-data/
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "internal/gopsutil"]
+	path = internal/gopsutil
+	url = https://github.com/godoxy-app/gopsutil.git
+[submodule "internal/go-oidc"]
+	path = internal/go-oidc
+	url = https://github.com/godoxy-app/go-oidc.git
+[submodule "goutils"]
+	path = goutils
+	url = https://github.com/yusing/goutils.git
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,135 +1,151 @@
-run:
-  timeout: 10m
-
-linters-settings:
-  govet:
-    enable-all: true
-    disable:
-      - shadow
-      - fieldalignment
-  gocyclo:
-    min-complexity: 14
-  misspell:
-    locale: US
-  funlen:
-    lines: -1
-    statements: 120
-  forbidigo:
-    forbid:
-      - ^print(ln)?$
-  godox:
-    keywords:
-      - FIXME
-  tagalign:
-    align: false
-    sort: true
-    order:
-      - description
-      - json
-      - toml
-      - yaml
-      - yml
-      - label
-      - label-slice-as-struct
-      - file
-      - kv
-      - export
-  stylecheck:
-    dot-import-whitelist:
-      - github.com/yusing/go-proxy/internal/utils/testing # go tests only
-      - github.com/yusing/go-proxy/internal/api/v1/utils # api only
-  revive:
-    rules:
-      - name: struct-tag
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-        disabled: true
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-        disabled: true
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-        disabled: true
-      - name: unreachable-code
-      - name: redefines-builtin-id
-  gomoddirectives:
-    replace-allow-list:
-      - github.com/abbot/go-http-auth
-      - github.com/gorilla/mux
-      - github.com/mailgun/minheap
-      - github.com/mailgun/multibuf
-      - github.com/jaguilar/vt100
-      - github.com/cucumber/godog
-      - github.com/http-wasm/http-wasm-host-go
-  testifylint:
-    disable:
-      - suite-dont-use-pkg
-      - require-error
-      - go-require
-  staticcheck:
-    checks:
-      - all
-      - -SA1019
-  errcheck:
-    exclude-functions:
-      - fmt.Fprintln
+version: "2"
 linters:
-  enable-all: true
+  default: all
  disable:
-    - execinquery # deprecated
-    - gomnd # deprecated
-    - sqlclosecheck # not relevant (SQL)
-    - rowserrcheck # not relevant (SQL)
-    - cyclop # duplicate of gocyclo
-    - depguard # Not relevant
-    - nakedret # Too strict
-    - lll # Not relevant
-    - gocyclo # must be fixed
-    - gocognit # Too strict
-    - nestif # Too many false-positive.
-    - prealloc # Too many false-positive.
-    - makezero # Not relevant
-    - dupl # Too strict
-    - gci # I don't care
-    - goconst # Too annoying
-    - gosec # Too strict
-    - gochecknoinits
+    # - bodyclose
+    - containedctx
+    # - contextcheck
+    - cyclop
+    - depguard
+    # - dupl
+    - err113
+    - exhaustive
+    - exhaustruct
+    - funcorder
+    - forcetypeassert
    - gochecknoglobals
-    - wsl # Too strict
-    - nlreturn # Not relevant
-    - mnd # Too strict
-    - testpackage # Too strict
-    - tparallel # Not relevant
-    - paralleltest # Not relevant
-    - exhaustive # Not relevant
-    - exhaustruct # Not relevant
-    - err113 # Too strict
-    - wrapcheck # Too strict
-    - noctx # Too strict
-    - bodyclose # too many false-positive
-    - forcetypeassert # Too strict
-    - tagliatelle # Too strict
-    - varnamelen # Not relevant
-    - nilnil # Not relevant
-    - ireturn # Not relevant
-    - contextcheck # too many false-positive
-    - containedctx # too many false-positive
-    - maintidx # kind of duplicate of gocyclo
-    - nonamedreturns # Too strict
-    - gosmopolitan # not relevant
-    - exportloopref # Not relevant since go1.22
+    - gochecknoinits
+    - gocognit
+    - goconst
+    - gocyclo
+    - godot
+    - gomoddirectives
+    - gosmopolitan
+    - ireturn
+    - lll
+    - maintidx
+    - makezero
+    - mnd
+    - nakedret
+    - nestif
+    - nlreturn
+    - nonamedreturns
+    - noinlineerr
+    - paralleltest
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - tagalign
+    - tagliatelle
+    - testpackage
+    - tparallel
+    - varnamelen
+    - wrapcheck
+    - wsl
+    - wsl_v5
+  settings:
+    errcheck:
+      exclude-functions:
+        - fmt.Fprintln
+    forbidigo:
+      forbid:
+        - pattern: ^print(ln)?$
+    funlen:
+      lines: -1
+      statements: 120
+    gocyclo:
+      min-complexity: 14
+    godox:
+      keywords:
+        - FIXME
+    gomoddirectives:
+      replace-allow-list:
+        - github.com/abbot/go-http-auth
+        - github.com/gorilla/mux
+        - github.com/mailgun/minheap
+        - github.com/mailgun/multibuf
+        - github.com/jaguilar/vt100
+        - github.com/cucumber/godog
+        - github.com/http-wasm/http-wasm-host-go
+    govet:
+      disable:
+        - shadow
+      enable-all: true
+    misspell:
+      locale: US
+    revive:
+      rules:
+        - name: struct-tag
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+          disabled: true
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: package-comments
+          disabled: true
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: empty-block
+        - name: superfluous-else
+        - name: unused-parameter
+          disabled: true
+        - name: unreachable-code
+        - name: redefines-builtin-id
+    staticcheck:
+      checks:
+        - all
+        - -SA1019
+      dot-import-whitelist:
+        - github.com/yusing/godoxy/internal/utils/testing
+    tagalign:
+      align: false
+      sort: true
+      order:
+        - description
+        - json
+        - toml
+        - yaml
+        - yml
+        - label
+        - label-slice-as-struct
+        - file
+        - kv
+        - export
+    testifylint:
+      disable:
+        - suite-dont-use-pkg
+        - require-error
+        - go-require
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -2,36 +2,37 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.10
+  version: 1.25.0
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
  sources:
    - id: trunk
-      ref: v1.6.7
+      ref: v1.7.2
      uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
  enabled:
-    - node@18.20.5
+    - node@22.16.0
    - python@3.10.8
-    - go@1.23.2
+    - go@1.24.3
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
  disabled:
    - markdownlint
    - yamllint
  enabled:
-    - hadolint@2.12.1-beta
+    - checkov@3.2.471
+    - golangci-lint2@2.5.0
+    - hadolint@2.14.0
    - actionlint@1.7.7
    - git-diff-check
    - gofmt@1.20.4
-    - golangci-lint@1.64.5
-    - osv-scanner@1.9.2
-    - oxipng@9.1.4
-    - prettier@3.5.1
-    - shellcheck@0.10.0
+    - osv-scanner@2.2.2
+    - oxipng@9.1.5
+    - prettier@3.6.2
+    - shellcheck@0.11.0
    - shfmt@3.6.0
-    - trufflehog@3.88.9
+    - trufflehog@3.90.8
 actions:
  disabled:
    - trunk-announce
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -1,10 +1,10 @@
 {
  "yaml.schemas": {
-    "https://github.com/yusing/go-proxy/raw/main/schemas/config.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/types/godoxy/config.schema.json": [
      "config.example.yml",
      "config.yml"
    ],
-    "https://github.com/yusing/go-proxy/raw/main/schemas/routes.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/types/godoxy/routes.schema.json": [
      "providers.example.yml"
    ]
  }
--- a/42
+++ b/42
@@ -1,27 +1,41 @@
 # Stage 1: deps
-FROM golang:1.24.2-alpine AS deps
+FROM golang:1.25.5-alpine AS deps
 HEALTHCHECK NONE

 # package version does not matter
 # trunk-ignore(hadolint/DL3018)
 RUN apk add --no-cache tzdata make libcap-setcap

+ENV GOPATH=/root/go
+ENV GOCACHE=/root/.cache/go-build
+
+WORKDIR /src
+
+COPY goutils/go.mod goutils/go.sum ./goutils/
+COPY internal/go-oidc/go.mod internal/go-oidc/go.sum ./internal/go-oidc/
+COPY internal/gopsutil/go.mod internal/gopsutil/go.sum ./internal/gopsutil/
+COPY go.mod go.sum ./
+
+# remove godoxy stuff from go.mod first
+RUN --mount=type=cache,target=/root/.cache/go-build \
+  --mount=type=cache,target=/root/go/pkg/mod \
+  sed -i '/^module github\.com\/yusing\/godoxy/!{/github\.com\/yusing\/godoxy/d}' go.mod && \
+  sed -i '/^module github\.com\/yusing\/goutils/!{/github\.com\/yusing\/goutils/d}' go.mod && \
+  go mod download -x
+
 # Stage 2: builder
 FROM deps AS builder

 WORKDIR /src

+COPY go.mod go.sum ./
 COPY Makefile ./
 COPY cmd ./cmd
 COPY internal ./internal
 COPY pkg ./pkg
 COPY agent ./agent
-
-# Only copy go.mod and go.sum initially for better caching
-COPY go.mod go.sum /src/
-
-ENV GOPATH=/root/go
-RUN go mod download -x
+COPY socket-proxy ./socket-proxy
+COPY goutils ./goutils

 ARG VERSION
 ENV VERSION=${VERSION}
@@ -29,26 +43,22 @@ ENV VERSION=${VERSION}
 ARG MAKE_ARGS
 ENV MAKE_ARGS=${MAKE_ARGS}

-ENV GOCACHE=/root/.cache/go-build
-ENV GOPATH=/root/go
-RUN make ${MAKE_ARGS} build link-binary && \
-    mv bin /app/ && \
-    mkdir -p /app/error_pages /app/certs
+RUN --mount=type=cache,target=/root/.cache/go-build \
+  --mount=type=cache,target=/root/go/pkg/mod \
+  make ${MAKE_ARGS} docker=1 build

 # Stage 3: Final image
 FROM scratch

 LABEL maintainer="yusing@6uo.me"
 LABEL proxy.exclude=1
+LABEL proxy.#1.healthcheck.disable=true

 # copy timezone data
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

 # copy binary
-COPY --from=builder /app /app
-
-# copy example config
-COPY config.example.yml /app/config/config.yml
+COPY --from=builder /app/run /app/run

 # copy certs
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs
--- a/11
+++ b/11
@@ -0,0 +1,11 @@
+node {
+  stage('SCM') {
+    checkout scm
+  }
+  stage('SonarQube Analysis') {
+    def scannerHome = tool 'SonarScanner';
+    withSonarQubeEnv() {
+      sh "${scannerHome}/bin/sonar-scanner"
+    }
+  }
+}
--- a/26
+++ b/26
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2024 [fullname]
+Copyright (c) 2024 - present Yusing

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -19,3 +19,27 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
+
+---
+
+internal/net/gphttp/reverseproxy/reverse_proxy_mod.go is copied from et/http/httputil/reverseproxy.go with modifications to adapt to this project.
+
+Copyright 2011 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+---
+
+internal/utils/io.go has a modified version of io.Copy with context and HTTP flusher handling.
+
+Copyright 2009 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+---
+
+internal/utils/strutils/split_join.go is copied from strings.Split and strings.Join with modifications to adapt to this project.
+
+Copyright 2009 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
--- a/136
+++ b/136
@@ -1,17 +1,22 @@
+shell := /bin/sh
 export VERSION ?= $(shell git describe --tags --abbrev=0)
 export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux

-LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
+WEBUI_DIR ?= ../godoxy-webui
+DOCS_DIR ?= ${WEBUI_DIR}/wiki

+GO_TAGS = sonic
+LDFLAGS = -X github.com/yusing/goutils/version.version=${VERSION} -checklinkname=0

 ifeq ($(agent), 1)
 	NAME = godoxy-agent
-	CMD_PATH = ./cmd
 	PWD = ${shell pwd}/agent
+else ifeq ($(socket-proxy), 1)
+	NAME = godoxy-socket-proxy
+	PWD = ${shell pwd}/socket-proxy
 else
 	NAME = godoxy
-	CMD_PATH = ./cmd
 	PWD = ${shell pwd}
 endif

@@ -22,30 +27,31 @@ ifeq ($(trace), 1)
 endif

 ifeq ($(race), 1)
-	debug = 1
-  BUILD_FLAGS += -race
-endif
-
-ifeq ($(debug), 1)
-	CGO_ENABLED = 0
-	GODOXY_DEBUG = 1
-	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug
-else ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
+	GODOXY_DEBUG = 1
+	GO_TAGS += debug
+	BUILD_FLAGS += -race
+else ifeq ($(debug), 1)
+	CGO_ENABLED = 1
+	GODOXY_DEBUG = 1
+	GO_TAGS += debug
+	# FIXME: BUILD_FLAGS += -asan -gcflags=all='-N -l'
+else ifeq ($(pprof), 1)
+	CGO_ENABLED = 0
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
-	BUILD_FLAGS += -tags pprof
+	GO_TAGS += pprof
 	VERSION := ${VERSION}-pprof
 else
 	CGO_ENABLED = 0
 	LDFLAGS += -s -w
-	BUILD_FLAGS += -pgo=auto -tags production
+	GO_TAGS += production
+	BUILD_FLAGS += -pgo=auto
 endif

-BUILD_FLAGS += -ldflags='$(LDFLAGS)'
+BUILD_FLAGS += -tags '$(GO_TAGS)' -ldflags='$(LDFLAGS)'
 BIN_PATH := $(shell pwd)/bin/${NAME}

 export NAME
-export CMD_PATH
 export CGO_ENABLED
 export GODOXY_DEBUG
 export GODOXY_TRACE
@@ -59,30 +65,78 @@ else
 	SETCAP_CMD = sudo setcap
 endif

+
+# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
+ifeq ($(docker), 1)
+	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
+endif
+
 .PHONY: debug

 test:
-	GODOXY_TEST=1 go test ./internal/...
+	go test -v -race ./internal/...

-get:
-	for dir in ${PWD} ${PWD}/agent; do cd $$dir && go get -u ./... && go mod tidy; done
+docker-build-test:
+	docker build -t godoxy .
+	docker build --build-arg=MAKE_ARGS=agent=1 -t godoxy-agent .
+	docker build --build-arg=MAKE_ARGS=socket-proxy=1 -t godoxy-socket-proxy .
+
+go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
+files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
+gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
+
+update-go:
+	for file in ${files}; do \
+		echo "updating $$file"; \
+		sed -i 's|go \([0-9]\+\.[0-9]\+\.[0-9]\+\)|go ${go_ver}|g' $$file; \
+		sed -i 's|FROM golang:.*-alpine|FROM golang:${go_ver}-alpine|g' $$file; \
+	done
+	for path in ${gomod_paths}; do \
+		echo "go mod tidy $$path"; \
+		cd ${PWD}/$$path && go mod tidy; \
+	done
+
+update-deps:
+	for path in ${gomod_paths}; do \
+		echo "go get -u $$path"; \
+		cd ${PWD}/$$path && go get -u ./... && go mod tidy; \
+	done
+
+mod-tidy:
+	for path in ${gomod_paths}; do \
+		echo "go mod tidy $$path"; \
+		cd ${PWD}/$$path && go mod tidy; \
+	done

 build:
-	mkdir -p bin
-	cd ${PWD} && go build ${BUILD_FLAGS} -o ${BIN_PATH} ${CMD_PATH}
-
-	# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
-	$(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH}
+	mkdir -p $(shell dirname ${BIN_PATH})
+	go build -C ${PWD} ${BUILD_FLAGS} -o ${BIN_PATH} ./cmd
+	${POST_BUILD}

 run:
-	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}
+	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd

-debug:
-	make NAME="godoxy-test" debug=1 build
-	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
+dev:
+	docker compose -f dev.compose.yml $(args)
+
+dev-build: build
+	docker compose -f dev.compose.yml up -t 0 -d app --force-recreate
+
+benchmark:
+	@if [ -z "$(TARGET)" ]; then \
+		docker compose -f dev.compose.yml up -d --force-recreate godoxy traefik caddy nginx; \
+	else \
+		docker compose -f dev.compose.yml up -d --force-recreate $(TARGET); \
+	fi
+	sleep 1
+	@./scripts/benchmark.sh
+
+dev-run: build
+	cd dev-data && ${BIN_PATH}

 mtrace:
-	bin/godoxy debug-ls-mtrace > mtrace.json
+	 ${BIN_PATH} debug-ls-mtrace > mtrace.json

 rapid-crash:
 	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
@@ -97,10 +151,24 @@ ci-test:
 	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"

 cloc:
-	cloc --not-match-f '_test.go$$' cmd internal pkg
-
-link-binary:
-	ln -s /app/${NAME} bin/run
+	scc -w -i go --not-match '_test.go$$'

 push-github:
-	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+
+gen-swagger:
+  # go install github.com/swaggo/swag/cmd/swag@latest
+	swag init --parseDependency --parseInternal --parseFuncBody -g handler.go -d internal/api -o internal/api/v1/docs
+	python3 scripts/fix-swagger-json.py
+	# we don't need this
+	rm internal/api/v1/docs/docs.go
+
+gen-swagger-markdown: gen-swagger
+  # brew tap go-swagger/go-swagger && brew install go-swagger
+	swagger generate markdown -f internal/api/v1/docs/swagger.yaml --skip-validation --output ${DOCS_DIR}/src/API.md
+
+gen-api-types: gen-swagger
+	# --disable-throw-on-error
+	bunx --bun swagger-typescript-api generate --sort-types --generate-union-enums --axios --add-readonly --route-types \
+		 --responses -o ${WEBUI_DIR}/lib -n api.ts -p internal/api/v1/docs/swagger.json
+	bunx --bun prettier --config ${WEBUI_DIR}/.prettierrc --write ${WEBUI_DIR}/lib/api.ts
--- a/README.md
+++ b/README.md
@@ -1,40 +1,46 @@
 <div align="center">

-# GoDoxy
+<img src="assets/godoxy.png" width="200">

-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
+[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=go-proxy)
+
 ![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

-A lightweight, simple, and [performant](https://github.com/yusing/godoxy/wiki/Benchmarks) reverse proxy with WebUI.
+A lightweight, simple, and performant reverse proxy with WebUI.

-For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki)**
+<h5>
+<a href="https://docs.godoxy.dev">Website</a> | <a href="https://docs.godoxy.dev/Home.html">Wiki</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
+</h5>

-**EN** | <a href="README_CHT.md">中文</a>
+<h5>EN | <a href="README_CHT.md">中文</a></h5>

 <img src="screenshots/webui.jpg" style="max-width: 650">

+Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)! (Thanks to [@ismesid](https://github.com/arevindh))
+
 </div>

 ## Table of content

 <!-- TOC -->

- [GoDoxy](#godoxy)
-  - [Table of content](#table-of-content)
-  - [Running demo](#running-demo)
-  - [Key Features](#key-features)
-  - [Prerequisites](#prerequisites)
-  - [Setup](#setup)
-  - [How does GoDoxy work](#how-does-godoxy-work)
-  - [Screenshots](#screenshots)
-    - [idlesleeper](#idlesleeper)
-    - [Metrics and Logs](#metrics-and-logs)
-  - [Manual Setup](#manual-setup)
-    - [Folder structrue](#folder-structrue)
-  - [Build it yourself](#build-it-yourself)
+- [Table of content](#table-of-content)
+- [Running demo](#running-demo)
+- [Key Features](#key-features)
+- [Prerequisites](#prerequisites)
+- [Setup](#setup)
+- [How does GoDoxy work](#how-does-godoxy-work)
+- [Update / Uninstall system agent](#update--uninstall-system-agent)
+- [Screenshots](#screenshots)
+  - [idlesleeper](#idlesleeper)
+  - [Metrics and Logs](#metrics-and-logs)
+- [Manual Setup](#manual-setup)
+  - [Folder structrue](#folder-structrue)
+- [Build it yourself](#build-it-yourself)
+- [Star History](#star-history)

 ## Running demo

@@ -45,18 +51,22 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
 ## Key Features

 - **Simple**
-  - Effortless configuration with [simple labels](https://github.com/yusing/godoxy/wiki/Docker-labels-and-Route-Files) or WebUI
-  - [Simple multi-node setup](https://github.com/yusing/godoxy/wiki/Configurations#multi-docker-nodes-setup)
+  - Effortless configuration with [simple labels](https://docs.godoxy.dev/Docker-labels-and-Route-Files) or WebUI
+  - [Simple multi-node setup](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
  - Detailed error messages for easy troubleshooting.
 - **ACL**: connection / request level access control
  - IP/CIDR
  - Country **(Maxmind account required)**
  - Timezone **(Maxmind account required)**
  - **Access logging**
+  - Periodic notification of access summaries for number of allowed and blocked connections
 - **Advanced Automation**
-  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
+  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://docs.godoxy.dev/DNS-01-Providers))
  - Auto-configuration for Docker containers
  - Hot-reloading of configurations and container state changes
+- **Container Runtime Support**
+  - Docker
+  - Podman
 - **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
  - Docker containers
  - Proxmox LXCs
@@ -64,9 +74,10 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
  - HTTP reserve proxy
  - TCP/UDP port forwarding
  - **OpenID Connect support**: SSO and secure your apps easily
+  - **ForwardAuth support**: integrate with any auth provider (e.g. TinyAuth)
 - **Customization**
-  - [HTTP middlewares](https://github.com/yusing/go-proxy/wiki/Middlewares)
-  - [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+  - [HTTP middlewares](https://docs.godoxy.dev/Middlewares)
+  - [Custom error pages support](https://docs.godoxy.dev/Custom-Error-Pages)
 - **Web UI**
  - App Dashboard
  - Config Editor
@@ -99,7 +110,13 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
   ```

-3. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
+3. Start the docker compose service from generated `compose.yml`:
+
+   ```shell
+   docker compose up -d
+   ```
+
+4. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`

 ## How does GoDoxy work

@@ -113,6 +130,20 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 >
 > For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.

+## Update / Uninstall system agent
+
+Update:
+
+```bash
+bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- update
+```
+
+Uninstall:
+
+```bash
+bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- uninstall
+```
+
 ## Screenshots

 ### idlesleeper
@@ -124,22 +155,12 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 <div align="center">
  <table>
    <tr>
-      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
-      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+      <td align="center"><img src="screenshots/routes.jpg" alt="Routes" width="350"/></td>
+      <td align="center"><img src="screenshots/servers.jpg" alt="Servers" width="350"/></td>
    </tr>
    <tr>
-      <td align="center"><b>Uptime Monitor</b></td>
-      <td align="center"><b>Docker Logs</b></td>
-      <td align="center"><b>Server Overview</b></td>
-    </tr>
-        <tr>
-      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>System Monitor</b></td>
-      <td align="center"><b>Graphs</b></td>
+      <td align="center"><b>Routes</b></td>
+      <td align="center"><b>Servers</b></td>
    </tr>
  </table>
 </div>
@@ -191,4 +212,8 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.

 5. build binary with `make build`

+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=yusing/godoxy&type=Date)](https://www.star-history.com/#yusing/godoxy&Date)
+
 [🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,39 +1,45 @@
 <div align="center">

-# GoDoxy
+<img src="assets/godoxy.png" width="200">

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+
 ![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

-輕量、易用、 [高效能](https://github.com/yusing/godoxy/wiki/Benchmarks)，且帶有主頁和配置面板的反向代理
+輕量、易用、 高效能，且帶有主頁和配置面板的反向代理

-完整文檔請查閱 **[Wiki](https://github.com/yusing/godoxy/wiki)**（暫未有中文翻譯）
+<h5>
+<a href="https://docs.godoxy.dev">網站</a> | <a href="https://docs.godoxy.dev/Home.html">文檔</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
+</h5>

-<a href="README.md">EN</a> | **中文**
+<h5><a href="README.md">EN</a> | 中文</h5>

 <img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">

+有疑問? 問 [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)！（鳴謝 [@ismesid](https://github.com/arevindh)）
+
 </div>

 ## 目錄

 <!-- TOC -->

- [GoDoxy](#godoxy)
-  - [目錄](#目錄)
-  - [運行示例](#運行示例)
-  - [主要特點](#主要特點)
-  - [前置需求](#前置需求)
-  - [安裝](#安裝)
-    - [手動安裝](#手動安裝)
-    - [資料夾結構](#資料夾結構)
-  - [截圖](#截圖)
-    - [閒置休眠](#閒置休眠)
-    - [監控](#監控)
-  - [自行編譯](#自行編譯)
+- [目錄](#目錄)
+- [運行示例](#運行示例)
+- [主要特點](#主要特點)
+- [前置需求](#前置需求)
+- [安裝](#安裝)
+  - [手動安裝](#手動安裝)
+  - [資料夾結構](#資料夾結構)
+- [更新 / 卸載系統代理 (System Agent)](#更新--卸載系統代理-system-agent)
+- [截圖](#截圖)
+  - [閒置休眠](#閒置休眠)
+  - [監控](#監控)
+- [自行編譯](#自行編譯)
+- [Star History](#star-history)

 ## 運行示例

@@ -43,22 +49,43 @@

 ## 主要特點

- 容易使用
-  - 輕鬆配置
-  - 簡單的多節點設置
-  - 錯誤訊息清晰詳細，易於排除故障
- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers)）
- 自動配置 Docker 容器
- 容器狀態/配置文件變更時自動熱重載
- **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
- OpenID Connect：輕鬆實現單點登入
- HTTP(s) 反向代理和 TCP 和 UDP 埠轉發
- [HTTP 中介軟體](https://github.com/yusing/godoxy/wiki/Middlewares) 和 [自定義錯誤頁面](https://github.com/yusing/godoxy/wiki/Middlewares#custom-error-pages)
- **網頁介面，具有應用儀表板和配置編輯器**
- 支援 linux/amd64、linux/arm64
- 使用 **[Go](https://go.dev)** 編寫
-
-[🔼 回到頂部](#目錄)
+- **簡單易用**
+  - 透過 Docker[標籤](https://docs.godoxy.dev/Docker-labels-and-Route-Files)或 WebUI 輕鬆設定
+  - [簡單的多節點設置](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
+  - 詳細的錯誤訊息，便於故障排除
+- **存取控制 (ACL)**：連線/請求層級存取控制
+  - IP/CIDR
+  - 國家 **(需要 Maxmind 帳戶)**
+  - 時區 **(需要 Maxmind 帳戶)**
+  - **存取日誌記錄**
+  - 定時發送摘要 (允許和拒絕的連線次數)
+- **自動化**
+  - 使用 Let's Encrypt 自動管理 SSL 憑證 ([使用 DNS-01 驗證](https://docs.godoxy.dev/DNS-01-Providers))
+  - Docker 容器自動配置
+  - 設定檔與容器狀態變更時自動熱重載
+- **容器運行時支援**
+  - Docker
+  - Podman
+- **閒置休眠**：根據流量停止和喚醒容器 _(參見[截圖](#閒置休眠))_
+  - Docker 容器
+  - Proxmox LXC 容器
+- **流量管理**
+  - HTTP 反向代理
+  - TCP/UDP 連接埠轉送
+  - **OpenID Connect 支援**：輕鬆實現單點登入 (SSO) 並保護您的應用程式
+  - **ForwardAuth 支援**：整合任何 auth provider (例如 TinyAuth)
+- **客製化**
+  - [HTTP 中介軟體](https://docs.godoxy.dev/Middlewares)
+  - [支援自訂錯誤頁面](https://docs.godoxy.dev/Custom-Error-Pages)
+- **網頁使用者介面 (Web UI)**
+  - 應用程式一覽
+  - 設定編輯器
+  - 執行時間與系統指標
+  - Docker 日誌檢視器
+- **跨平台支援**
+  - 支援 **linux/amd64** 與 **linux/arm64**
+- **高效能**
+  - 以 **[Go](https://go.dev)** 語言編寫

 ## 前置需求

@@ -84,8 +111,6 @@

 3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置

-[🔼 回到頂部](#目錄)
-
 ### 手動安裝

 1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`
@@ -121,35 +146,37 @@
 └── .env
 ```

+## 更新 / 卸載系統代理 (System Agent)
+
+更新：
+
+```bash
+sudo /bin/bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- update
+```
+
+卸載：
+
+```bash
+sudo /bin/bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- uninstall
+```
+
 ## 截圖

 ### 閒置休眠

 ![閒置休眠](screenshots/idlesleeper.webp)

-[🔼 回到頂部](#目錄)
-
 ### 監控

 <div align="center">
  <table>
    <tr>
-      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
-      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+      <td align="center"><img src="screenshots/routes.jpg" alt="Routes" width="350"/></td>
+      <td align="center"><img src="screenshots/servers.jpg" alt="Servers" width="350"/></td>
    </tr>
    <tr>
-      <td align="center"><b>運行時間監控</b></td>
-      <td align="center"><b>Docker 日誌</b></td>
-      <td align="center"><b>伺服器概覽</b></td>
-    </tr>
-        <tr>
-      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>系統監控</b></td>
-      <td align="center"><b>圖表</b></td>
+      <td align="center"><b>路由</b></td>
+      <td align="center"><b>伺服器</b></td>
    </tr>
  </table>
 </div>
@@ -166,4 +193,8 @@

 5. 使用 `make build` 編譯二進制檔案

+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=yusing/godoxy&type=Date)](https://www.star-history.com/#yusing/godoxy&Date)
+
 [🔼 回到頂部](#目錄)
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -3,45 +3,52 @@ package main
 import (
 	"os"

-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/agent/pkg/server"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/agent/pkg/server"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
+	httpServer "github.com/yusing/goutils/server"
+	strutils "github.com/yusing/goutils/strings"
+	"github.com/yusing/goutils/task"
+	"github.com/yusing/goutils/version"
 )

 func main() {
-	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
-
+	writer := zerolog.ConsoleWriter{
+		Out:        os.Stderr,
+		TimeFormat: "01-02 15:04",
+	}
+	zerolog.TimeFieldFormat = writer.TimeFormat
+	log.Logger = zerolog.New(writer).Level(zerolog.InfoLevel).With().Timestamp().Logger()
 	ca := &agent.PEMPair{}
 	err := ca.Load(env.AgentCACert)
 	if err != nil {
-		gperr.LogFatal("init CA error", err)
+		log.Fatal().Err(err).Msg("init CA error")
 	}
 	caCert, err := ca.ToTLSCert()
 	if err != nil {
-		gperr.LogFatal("init CA error", err)
+		log.Fatal().Err(err).Msg("init CA error")
 	}

 	srv := &agent.PEMPair{}
 	srv.Load(env.AgentSSLCert)
 	if err != nil {
-		gperr.LogFatal("init SSL error", err)
+		log.Fatal().Err(err).Msg("init SSL error")
 	}
 	srvCert, err := srv.ToTLSCert()
 	if err != nil {
-		gperr.LogFatal("init SSL error", err)
+		log.Fatal().Err(err).Msg("init SSL error")
 	}

-	logging.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
-	logging.Info().Msgf("Agent name: %s", env.AgentName)
-	logging.Info().Msgf("Agent port: %d", env.AgentPort)
+	log.Info().Msgf("GoDoxy Agent version %s", version.Get())
+	log.Info().Msgf("Agent name: %s", env.AgentName)
+	log.Info().Msgf("Agent port: %d", env.AgentPort)
+	log.Info().Msgf("Agent runtime: %s", env.Runtime)

-	logging.Info().Msg(`
+	log.Info().Msg(`
 Tips:
 1. To change the agent name, you can set the AGENT_NAME environment variable.
 2. To change the agent port, you can set the AGENT_PORT environment variable.
@@ -55,6 +62,19 @@ Tips:
 	}

 	server.StartAgentServer(t, opts)
+
+	if socketproxy.ListenAddr != "" {
+		runtime := strutils.Title(string(env.Runtime))
+
+		log.Info().Msgf("%s socket listening on: %s", runtime, socketproxy.ListenAddr)
+		opts := httpServer.Options{
+			Name:     runtime,
+			HTTPAddr: socketproxy.ListenAddr,
+			Handler:  socketproxy.NewHandler(),
+		}
+		httpServer.StartServer(t, opts)
+	}
+
 	systeminfo.Poller.Start()

 	task.WaitExit(3)
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -1,88 +1,127 @@
-module github.com/yusing/go-proxy/agent
+module github.com/yusing/godoxy/agent

-go 1.24.2
+go 1.25.5

-replace github.com/yusing/go-proxy => ..
-
-require (
-	github.com/coder/websocket v1.8.13
-	github.com/docker/docker v28.1.1+incompatible
-	github.com/rs/zerolog v1.34.0
-	github.com/stretchr/testify v1.10.0
-	github.com/yusing/go-proxy v0.11.1
+replace (
+	github.com/shirou/gopsutil/v4 => ../internal/gopsutil
+	github.com/yusing/godoxy => ../
+	github.com/yusing/godoxy/socketproxy => ../socket-proxy
+	github.com/yusing/goutils => ../goutils
+	github.com/yusing/goutils/http/reverseproxy => ../goutils/http/reverseproxy
+	github.com/yusing/goutils/http/websocket => ../goutils/http/websocket
+	github.com/yusing/goutils/server => ../goutils/server
 )

-replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e
+exclude github.com/containerd/nerdctl/mod/tigron v0.0.0
+
+require (
+	github.com/bytedance/sonic v1.14.2
+	github.com/gin-gonic/gin v1.11.0
+	github.com/gorilla/websocket v1.5.3
+	github.com/puzpuzpuz/xsync/v4 v4.2.0
+	github.com/rs/zerolog v1.34.0
+	github.com/stretchr/testify v1.11.1
+	github.com/valyala/fasthttp v1.68.0
+	github.com/yusing/godoxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/godoxy/socketproxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/goutils v0.7.0
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20251217162119-cb0f79b51ce2
+	github.com/yusing/goutils/server v0.0.0-20251217162119-cb0f79b51ce2
+)

 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/PuerkitoBio/goquery v1.10.3 // indirect
+	github.com/PuerkitoBio/goquery v1.11.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/bytedance/sonic v1.13.2 // indirect
-	github.com/bytedance/sonic/loader v0.2.4 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v28.1.1+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/docker/cli v29.1.3+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.2 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
-	github.com/go-acme/lego/v4 v4.23.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-acme/lego/v4 v4.30.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.26.0 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-yaml v1.17.1 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
-	github.com/gotify/server/v2 v2.6.1 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.19.1 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/gotify/server/v2 v2.7.3 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
-	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
+	github.com/luthermonson/go-proxmox v0.2.4 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.65 // indirect
+	github.com/miekg/dns v1.1.69 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
+	github.com/moby/moby/api v1.52.0 // indirect
+	github.com/moby/moby/client v0.2.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.51.0 // indirect
-	github.com/samber/lo v1.49.1 // indirect
-	github.com/samber/slog-common v0.18.1 // indirect
-	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.3 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.58.0 // indirect
+	github.com/samber/lo v1.52.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.11 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/spf13/afero v1.14.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
+	github.com/yusing/ds v0.3.1 // indirect
+	github.com/yusing/gointernals v0.1.16 // indirect
+	github.com/yusing/goutils/http/websocket v0.0.0-20251217162119-cb0f79b51ce2 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/mock v0.5.1 // indirect
-	golang.org/x/arch v0.16.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/sync v0.13.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.32.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	golang.org/x/arch v0.23.0 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -1,58 +1,71 @@
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
-github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
+github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
+github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
+github.com/anchore/go-lzo v0.1.0 h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs=
+github.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
 github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
-github.com/bytedance/sonic v1.13.2 h1:8/H1FempDZqC4VqjptGo14QQlJx8VdZJegxs6wwfqpQ=
-github.com/bytedance/sonic v1.13.2/go.mod h1:o68xyaF9u2gvVBuGHPlUVCy+ZfmNNO5ETf1+KgkJhz4=
-github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.4 h1:ZWCw4stuXUsn1/+zQDqeE7JKP+QO47tz7QCNan80NzY=
-github.com/bytedance/sonic/loader v0.2.4/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
-github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
-github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
-github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
+github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
+github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
+github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/diskfs/go-diskfs v1.6.0 h1:YmK5+vLSfkwC6kKKRTRPGaDGNF+Xh8FXeiNHwryDfu4=
-github.com/diskfs/go-diskfs v1.6.0/go.mod h1:bRFumZeGFCO8C2KNswrQeuj2m1WCVr4Ms5IjWMczMDk=
+github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
+github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
-github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/cli v29.1.3+incompatible h1:+kz9uDWgs+mAaIZojWfFt4d53/jv0ZUOOoSh5ZnH36c=
+github.com/docker/cli v29.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
-github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
+github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
-github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
-github.com/go-acme/lego/v4 v4.23.1 h1:lZ5fGtGESA2L9FB8dNTvrQUq3/X4QOb8ExkKyY7LSV4=
-github.com/go-acme/lego/v4 v4.23.1/go.mod h1:7UMVR7oQbIYw6V7mTgGwi4Er7B6Ww0c+c8feiBM0EgI=
-github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
-github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/go-acme/lego/v4 v4.30.1 h1:tmb6U0lvy8Mc3lQbqKwTat7oAhE8FUYNJ3D0gSg6pJU=
+github.com/go-acme/lego/v4 v4.30.1/go.mod h1:V7m/Ip+EeFkjOe028+zeH+SwWtESxw1LHelwMIfAjm4=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
@@ -64,52 +77,55 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
-github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
-github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
+github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
+github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
-github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.19.1 h1:3rG3+v8pkhRqoQ/88NYNMHYVGYztCOCIZ7UQhu7H+NE=
+github.com/goccy/go-yaml v1.19.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e h1:LEbMtJ6loEubxetD+Aw8+1x0rShor5iMoy9WuFQ8hN8=
-github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e/go.mod h1:3tMTnTkH7IN5smn7PX83XdmRnNj4Nw2/Pt8GgReqnKM=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 h1:gD0vax+4I+mAj+jEChEf25Ia07Jq7kYOFO5PPhAxFl4=
-github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotify/server/v2 v2.6.1 h1:Kf7v5fzBxzELzZa/jonWfwJMkqYqh1LBzBpCmt5QIAI=
-github.com/gotify/server/v2 v2.6.1/go.mod h1:Dk8HLyTVDqmXM8YEg6tjROBen6mxyHZFRggJFHTwZLc=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
+github.com/gotify/server/v2 v2.7.3 h1:nro/ZnxdlZFvxFcw9LREGA8zdk6CK744azwhuhX/A4g=
+github.com/gotify/server/v2 v2.7.3/go.mod h1:VAtE1RIc/2j886PYs9WPQbMjqbFsoyQ0G8IdFtnAxU0=
+github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
+github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
-github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
-github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/luthermonson/go-proxmox v0.2.2 h1:BZ7VEj302wxw2i/EwTcyEiBzQib8teocB2SSkLHyySY=
-github.com/luthermonson/go-proxmox v0.2.2/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/luthermonson/go-proxmox v0.2.4 h1:XQ6YNUTVvHS7N4EJxWpuqWLW2s1VPtsIblxLV/rGHLw=
+github.com/luthermonson/go-proxmox v0.2.4/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
 github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
@@ -119,129 +135,132 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
-github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
+github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
-github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
-github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/moby/moby/api v1.52.0 h1:00BtlJY4MXkkt84WhUZPRqt5TvPbgig2FZvTbe3igYg=
+github.com/moby/moby/api v1.52.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/client v0.2.1 h1:1Grh1552mvv6i+sYOdY+xKKVTvzJegcVMhuXocyDz/k=
+github.com/moby/moby/client v0.2.1/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/puzpuzpuz/xsync/v3 v3.5.1 h1:GJYJZwO6IdxN/IKbneznS6yPkVC+c3zyY/j19c++5Fg=
-github.com/puzpuzpuz/xsync/v3 v3.5.1/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
-github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
+github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
+github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.58.0 h1:ggY2pvZaVdB9EyojxL1p+5mptkuHyX5MOSv4dgWF4Ug=
+github.com/quic-go/quic-go v0.58.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew=
-github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
-github.com/samber/slog-common v0.18.1 h1:c0EipD/nVY9HG5shgm/XAs67mgpWDMF+MmtptdJNCkQ=
-github.com/samber/slog-common v0.18.1/go.mod h1:QNZiNGKakvrfbJ2YglQXLCZauzkI9xZBjOhWFKS3IKk=
-github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
-github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
-github.com/shirou/gopsutil/v4 v4.25.3 h1:SeA68lsu8gLggyMbmCn8cmp97V1TI9ld9sVzAUcKcKE=
-github.com/shirou/gopsutil/v4 v4.25.3/go.mod h1:xbuxyoZj+UsgnZrENu3lQivsngRR5BdjbJwf2fv4szA=
+github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
+github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
+github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
+github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
+github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
-github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
-github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
-github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=
+github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=
+github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=
+github.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.68.0 h1:v12Nx16iepr8r9ySOwqI+5RBJ/DqTxhOy1HrHoDFnok=
+github.com/valyala/fasthttp v1.68.0/go.mod h1:5EXiRfYQAoiO/khu4oU9VISC/eVY6JqmSpPJoHCKsz4=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yusing/ds v0.3.1 h1:mCqTgTQD8RhiBpcysvii5kZ7ZBmqcknVsFubNALGLbY=
+github.com/yusing/ds v0.3.1/go.mod h1:XhKV4l7cZwBbbl7lRzNC9zX27zvCM0frIwiuD40ULRk=
+github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
+github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
-go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/mock v0.5.1 h1:ASgazW/qBmR+A32MYFDB6E2POoTgOwT509VP0CT/fjs=
-go.uber.org/mock v0.5.1/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
-golang.org/x/arch v0.16.0 h1:foMtLTdyOmIniqWCHjY6+JxuC54XP1fDwx4N0ASyW+U=
-golang.org/x/arch v0.16.0/go.mod h1:JmwW7aLIoRUKgaTzhkiEFxvcEiQGyOg9BMonBJUS7EE=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
+golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -250,29 +269,27 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -284,8 +301,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -304,39 +321,28 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
-golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f h1:tjZsroqekhC63+WMqzmWyW5Twj/ZfR5HAlpd5YQ1Vs0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f/go.mod h1:Cd8IzgPo5Akum2c9R6FsXNaZbH3Jpa2gpHlW89FqlyQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250425173222-7b384671a197 h1:29cjnHVylHwTzH66WfFZqgSQgnxzvWE+jvBwpZCLRxY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250425173222-7b384671a197/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
-google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/agent/pkg/agent/agent_pool.go
+++ b/agent/pkg/agent/agent_pool.go
@@ -0,0 +1,68 @@
+package agent
+
+import (
+	"iter"
+	"os"
+	"strings"
+
+	"github.com/puzpuzpuz/xsync/v4"
+)
+
+var agentPool = xsync.NewMap[string, *AgentConfig](xsync.WithPresize(10))
+
+func init() {
+	if strings.HasSuffix(os.Args[0], ".test") {
+		agentPool.Store("test-agent", &AgentConfig{
+			Addr: "test-agent",
+		})
+	}
+}
+
+func GetAgent(agentAddrOrDockerHost string) (*AgentConfig, bool) {
+	if !IsDockerHostAgent(agentAddrOrDockerHost) {
+		return getAgentByAddr(agentAddrOrDockerHost)
+	}
+	return getAgentByAddr(GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
+}
+
+func GetAgentByName(name string) (*AgentConfig, bool) {
+	for _, agent := range agentPool.Range {
+		if agent.Name == name {
+			return agent, true
+		}
+	}
+	return nil, false
+}
+
+func AddAgent(agent *AgentConfig) {
+	agentPool.Store(agent.Addr, agent)
+}
+
+func RemoveAgent(agent *AgentConfig) {
+	agentPool.Delete(agent.Addr)
+}
+
+func RemoveAllAgents() {
+	agentPool.Clear()
+}
+
+func ListAgents() []*AgentConfig {
+	agents := make([]*AgentConfig, 0, agentPool.Size())
+	for _, agent := range agentPool.Range {
+		agents = append(agents, agent)
+	}
+	return agents
+}
+
+func IterAgents() iter.Seq2[string, *AgentConfig] {
+	return agentPool.Range
+}
+
+func NumAgents() int {
+	return agentPool.Size()
+}
+
+func getAgentByAddr(addr string) (agent *AgentConfig, ok bool) {
+	agent, ok = agentPool.Load(addr)
+	return agent, ok
+}
--- a/agent/pkg/agent/bare_metal.go
+++ b/agent/pkg/agent/bare_metal.go
@@ -10,7 +10,17 @@ var (
 	AGENT_PORT="{{.Port}}" \
 	AGENT_CA_CERT="{{.CACert}}" \
 	AGENT_SSL_CERT="{{.SSLCert}}" \
-	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/go-proxy/main/scripts/install-agent.sh)"`
+	{{ if eq .ContainerRuntime "nerdctl" -}}
+	DOCKER_SOCKET="/var/run/containerd/containerd.sock" \
+	RUNTIME="nerdctl" \
+	{{ else if eq .ContainerRuntime "podman" -}}
+	DOCKER_SOCKET="/var/run/podman/podman.sock" \
+	RUNTIME="podman" \
+	{{ else -}}
+	DOCKER_SOCKET="/var/run/docker.sock" \
+	RUNTIME="docker" \
+	{{ end -}}
+	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/install-agent.sh)"`
 	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
 )

--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -4,7 +4,8 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/json"
+	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"net/url"
@@ -13,26 +14,28 @@ import (
 	"time"

 	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/rs/zerolog/log"
+	"github.com/valyala/fasthttp"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+	"github.com/yusing/goutils/version"
 )

 type AgentConfig struct {
-	Addr string
+	Addr    string           `json:"addr"`
+	Name    string           `json:"name"`
+	Version version.Version  `json:"version" swaggertype:"string"`
+	Runtime ContainerRuntime `json:"runtime"`

-	httpClient *http.Client
-	tlsConfig  *tls.Config
-	name       string
-	l          zerolog.Logger
-}
+	httpClient                *http.Client
+	fasthttpClientHealthCheck *fasthttp.Client
+	tlsConfig                 tls.Config
+	l                         zerolog.Logger
+} // @name Agent

 const (
 	EndpointVersion    = "/version"
 	EndpointName       = "/name"
+	EndpointRuntime    = "/runtime"
 	EndpointProxyHTTP  = "/proxy/http"
 	EndpointHealth     = "/health"
 	EndpointLogs       = "/logs"
@@ -80,7 +83,9 @@ func (cfg *AgentConfig) Parse(addr string) error {
 	return nil
 }

-func (cfg *AgentConfig) StartWithCerts(parent task.Parent, ca, crt, key []byte) error {
+var serverVersion = version.Get()
+
+func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte) error {
 	clientCert, err := tls.X509KeyPair(crt, key)
 	if err != nil {
 		return err
@@ -90,10 +95,10 @@ func (cfg *AgentConfig) StartWithCerts(parent task.Parent, ca, crt, key []byte)
 	caCertPool := x509.NewCertPool()
 	ok := caCertPool.AppendCertsFromPEM(ca)
 	if !ok {
-		return gperr.New("invalid ca certificate")
+		return errors.New("invalid ca certificate")
 	}

-	cfg.tlsConfig = &tls.Config{
+	cfg.tlsConfig = tls.Config{
 		Certificates: []tls.Certificate{clientCert},
 		RootCAs:      caCertPool,
 		ServerName:   CertsDNSName,
@@ -101,53 +106,80 @@ func (cfg *AgentConfig) StartWithCerts(parent task.Parent, ca, crt, key []byte)

 	// create transport and http client
 	cfg.httpClient = cfg.NewHTTPClient()
+	applyNormalTransportConfig(cfg.httpClient)

-	ctx, cancel := context.WithTimeout(parent.Context(), 5*time.Second)
+	cfg.fasthttpClientHealthCheck = cfg.NewFastHTTPHealthCheckClient()
+
+	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()

 	// get agent name
-	name, _, err := cfg.Fetch(ctx, EndpointName)
+	name, _, err := cfg.fetchString(ctx, EndpointName)
 	if err != nil {
 		return err
 	}

-	cfg.name = string(name)
+	cfg.Name = name

-	cfg.l = logging.With().Str("agent", cfg.name).Logger()
+	cfg.l = log.With().Str("agent", cfg.Name).Logger()

 	// check agent version
-	agentVersionBytes, _, err := cfg.Fetch(ctx, EndpointVersion)
+	agentVersion, _, err := cfg.fetchString(ctx, EndpointVersion)
 	if err != nil {
 		return err
 	}

-	agentVersion := string(agentVersionBytes)
-
-	if pkg.GetVersion().IsNewerMajorThan(pkg.ParseVersion(agentVersion)) {
-		logging.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.name, pkg.GetVersion(), agentVersion)
+	// check agent runtime
+	runtime, status, err := cfg.fetchString(ctx, EndpointRuntime)
+	if err != nil {
+		return err
+	}
+	switch status {
+	case http.StatusOK:
+		switch runtime {
+		case "docker":
+			cfg.Runtime = ContainerRuntimeDocker
+		// case "nerdctl":
+		// 	cfg.Runtime = ContainerRuntimeNerdctl
+		case "podman":
+			cfg.Runtime = ContainerRuntimePodman
+		default:
+			return fmt.Errorf("invalid agent runtime: %s", runtime)
+		}
+	case http.StatusNotFound:
+		// backward compatibility, old agent does not have runtime endpoint
+		cfg.Runtime = ContainerRuntimeDocker
+	default:
+		return fmt.Errorf("failed to get agent runtime: HTTP %d %s", status, runtime)
 	}

-	logging.Info().Msgf("agent %q initialized", cfg.name)
+	cfg.Version = version.Parse(agentVersion)
+
+	if serverVersion.IsNewerThanMajor(cfg.Version) {
+		log.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.Name, serverVersion, cfg.Version)
+	}
+
+	log.Info().Msgf("agent %q initialized", cfg.Name)
 	return nil
 }

-func (cfg *AgentConfig) Start(parent task.Parent) gperr.Error {
+func (cfg *AgentConfig) Start(ctx context.Context) error {
 	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
 	if !ok {
-		return gperr.New("invalid agent host").Subject(cfg.Addr)
+		return fmt.Errorf("invalid agent host: %s", cfg.Addr)
 	}

 	certData, err := os.ReadFile(filepath)
 	if err != nil {
-		return gperr.Wrap(err, "failed to read agent certs")
+		return fmt.Errorf("failed to read agent certs: %w", err)
 	}

 	ca, crt, key, err := certs.ExtractCert(certData)
 	if err != nil {
-		return gperr.Wrap(err, "failed to extract agent certs")
+		return fmt.Errorf("failed to extract agent certs: %w", err)
 	}

-	return gperr.Wrap(cfg.StartWithCerts(parent, ca, crt, key))
+	return cfg.StartWithCerts(ctx, ca, crt, key)
 }

 func (cfg *AgentConfig) NewHTTPClient() *http.Client {
@@ -156,6 +188,25 @@ func (cfg *AgentConfig) NewHTTPClient() *http.Client {
 	}
 }

+func (cfg *AgentConfig) NewFastHTTPHealthCheckClient() *fasthttp.Client {
+	return &fasthttp.Client{
+		Dial: func(addr string) (net.Conn, error) {
+			if addr != AgentHost+":443" {
+				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
+			}
+			return net.Dial("tcp", cfg.Addr)
+		},
+		TLSConfig:                     &cfg.tlsConfig,
+		ReadTimeout:                   5 * time.Second,
+		WriteTimeout:                  3 * time.Second,
+		DisableHeaderNamesNormalizing: true,
+		DisablePathNormalizing:        true,
+		NoDefaultUserAgentHeader:      true,
+		ReadBufferSize:                1024,
+		WriteBufferSize:               1024,
+	}
+}
+
 func (cfg *AgentConfig) Transport() *http.Transport {
 	return &http.Transport{
 		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
@@ -167,25 +218,24 @@ func (cfg *AgentConfig) Transport() *http.Transport {
 			}
 			return cfg.DialContext(ctx)
 		},
-		TLSClientConfig: cfg.tlsConfig,
+		TLSClientConfig: &cfg.tlsConfig,
 	}
 }

-func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
-	return gphttp.DefaultDialer.DialContext(ctx, "tcp", cfg.Addr)
-}
+var dialer = &net.Dialer{Timeout: 5 * time.Second}

-func (cfg *AgentConfig) Name() string {
-	return cfg.name
+func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
+	return dialer.DialContext(ctx, "tcp", cfg.Addr)
 }

 func (cfg *AgentConfig) String() string {
-	return cfg.name + "@" + cfg.Addr
+	return cfg.Name + "@" + cfg.Addr
 }

-func (cfg *AgentConfig) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]string{
-		"name": cfg.Name(),
-		"addr": cfg.Addr,
-	})
+func applyNormalTransportConfig(client *http.Client) {
+	transport := client.Transport.(*http.Transport)
+	transport.MaxIdleConns = 100
+	transport.MaxIdleConnsPerHost = 100
+	transport.ReadBufferSize = 16384
+	transport.WriteBufferSize = 16384
 }
--- a/agent/pkg/agent/docker_compose.go
+++ b/agent/pkg/agent/docker_compose.go
@@ -8,9 +8,9 @@ import (
 )

 var (
-	//go:embed templates/agent.compose.yml
+	//go:embed templates/agent.compose.yml.tmpl
 	agentComposeYAML         string
-	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml").Parse(agentComposeYAML))
+	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml.tmpl").Parse(agentComposeYAML))
 )

 const (
@@ -20,7 +20,8 @@ const (

 func (c *AgentComposeConfig) Generate() (string, error) {
 	buf := bytes.NewBuffer(make([]byte, 0, 1024))
-	if err := agentComposeYAMLTemplate.Execute(buf, c); err != nil {
+	err := agentComposeYAMLTemplate.Execute(buf, c)
+	if err != nil {
 		return "", err
 	}
 	return buf.String(), nil
--- a/agent/pkg/agent/env.go
+++ b/agent/pkg/agent/env.go
@@ -1,11 +1,13 @@
 package agent

 type (
-	AgentEnvConfig struct {
-		Name    string
-		Port    int
-		CACert  string
-		SSLCert string
+	ContainerRuntime string
+	AgentEnvConfig   struct {
+		Name             string
+		Port             int
+		CACert           string
+		SSLCert          string
+		ContainerRuntime ContainerRuntime
 	}
 	AgentComposeConfig struct {
 		Image string
@@ -15,3 +17,9 @@ type (
 		Generate() (string, error)
 	}
 )
+
+const (
+	ContainerRuntimeDocker ContainerRuntime = "docker"
+	ContainerRuntimePodman ContainerRuntime = "podman"
+	// ContainerRuntimeNerdctl ContainerRuntime = "nerdctl"
+)
--- a/agent/pkg/agent/http_requests.go
+++ b/agent/pkg/agent/http_requests.go
@@ -0,0 +1,112 @@
+package agent
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/bytedance/sonic"
+	"github.com/gorilla/websocket"
+	"github.com/valyala/fasthttp"
+	httputils "github.com/yusing/goutils/http"
+	"github.com/yusing/goutils/http/reverseproxy"
+)
+
+func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
+	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
+	if err != nil {
+		return nil, err
+	}
+	return cfg.httpClient.Do(req)
+}
+
+func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) (*http.Response, error) {
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = APIEndpointBase + endpoint
+	req.RequestURI = ""
+	resp, err := cfg.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+type HealthCheckResponse struct {
+	Healthy bool          `json:"healthy"`
+	Detail  string        `json:"detail"`
+	Latency time.Duration `json:"latency"`
+}
+
+func (cfg *AgentConfig) DoHealthCheck(timeout time.Duration, query string) (ret HealthCheckResponse, err error) {
+	req := fasthttp.AcquireRequest()
+	defer fasthttp.ReleaseRequest(req)
+
+	resp := fasthttp.AcquireResponse()
+	defer fasthttp.ReleaseResponse(resp)
+
+	req.SetRequestURI(APIBaseURL + EndpointHealth + "?" + query)
+	req.Header.SetMethod(fasthttp.MethodGet)
+	req.Header.Set("Accept-Encoding", "identity")
+	req.SetConnectionClose()
+
+	start := time.Now()
+	err = cfg.fasthttpClientHealthCheck.DoTimeout(req, resp, timeout)
+	ret.Latency = time.Since(start)
+	if err != nil {
+		return ret, err
+	}
+
+	if status := resp.StatusCode(); status != http.StatusOK {
+		ret.Detail = fmt.Sprintf("HTTP %d %s", status, resp.Body())
+		return ret, nil
+	} else {
+		err = sonic.Unmarshal(resp.Body(), &ret)
+		if err != nil {
+			return ret, err
+		}
+	}
+	return ret, nil
+}
+
+func (cfg *AgentConfig) fetchString(ctx context.Context, endpoint string) (string, int, error) {
+	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
+	if err != nil {
+		return "", 0, err
+	}
+	defer resp.Body.Close()
+
+	data, release, err := httputils.ReadAllBody(resp)
+	if err != nil {
+		return "", 0, err
+	}
+	ret := string(data)
+	release(data)
+	return ret, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
+	transport := cfg.Transport()
+	dialer := websocket.Dialer{
+		NetDialContext:    transport.DialContext,
+		NetDialTLSContext: transport.DialTLSContext,
+	}
+	return dialer.DialContext(ctx, APIBaseURL+endpoint, http.Header{
+		"Host": {AgentHost},
+	})
+}
+
+// ReverseProxy reverse proxies the request to the agent
+//
+// It will create a new request with the same context, method, and body, but with the agent host and scheme, and the endpoint
+// If the request has a query, it will be added to the proxy request's URL
+func (cfg *AgentConfig) ReverseProxy(w http.ResponseWriter, req *http.Request, endpoint string) {
+	rp := reverseproxy.NewReverseProxy("agent", AgentURL, cfg.Transport())
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = endpoint
+	req.RequestURI = ""
+	rp.ServeHTTP(w, req)
+}
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@@ -1,14 +1,19 @@
 package agent

 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
+	"fmt"
+	"io"
 	"math/big"
 	"strings"
 	"time"
@@ -16,16 +21,29 @@ import (

 const (
 	CertsDNSName = "godoxy.agent"
-	KeySize      = 2048
 )

-func toPEMPair(certDER []byte, key *rsa.PrivateKey) *PEMPair {
+func toPEMPair(certDER []byte, key *ecdsa.PrivateKey) *PEMPair {
+	marshaledKey, err := marshalECPrivateKey(key)
+	if err != nil {
+		// This is a critical internal error during PEM encoding of a newly generated key.
+		// Panicking is acceptable here as it indicates a fundamental issue.
+		panic(fmt.Sprintf("failed to marshal EC private key for PEM encoding: %v", err))
+	}
 	return &PEMPair{
 		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
-		Key:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
+		Key:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: marshaledKey}),
 	}
 }

+func marshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
+	derBytes, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal EC private key: %w", err)
+	}
+	return derBytes, nil
+}
+
 func b64Encode(data []byte) string {
 	return base64.StdEncoding.EncodeToString(data)
 }
@@ -58,15 +76,84 @@ func (p *PEMPair) Load(data string) (err error) {
 	return nil
 }

+func (p *PEMPair) Encrypt(encKey []byte) (PEMPair, error) {
+	cert, err := encrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := encrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func (p *PEMPair) Decrypt(encKey []byte) (PEMPair, error) {
+	cert, err := decrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := decrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func encrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	return gcm.Seal(nonce, nonce, data, nil), nil
+}
+
+func decrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := data[:gcm.NonceSize()]
+	ciphertext := data[gcm.NonceSize():]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
 func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
 	cert, err := tls.X509KeyPair(p.Cert, p.Key)
 	return &cert, err
 }

+func newSerialNumber() (*big.Int, error) {
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) // 128-bit random number
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+	return serialNumber, nil
+}
+
 func NewAgent() (ca, srv, client *PEMPair, err error) {
+	caSerialNumber, err := newSerialNumber()
+	if err != nil {
+		return nil, nil, nil, err
+	}
 	// Create the CA's certificate
 	caTemplate := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
+		SerialNumber: caSerialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"GoDoxy"},
 			CommonName:   CertsDNSName,
@@ -76,9 +163,12 @@ func NewAgent() (ca, srv, client *PEMPair, err error) {
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
+		MaxPathLen:            0,
+		MaxPathLenZero:        true,
+		SignatureAlgorithm:    x509.ECDSAWithSHA256,
 	}

-	caKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -91,20 +181,29 @@ func NewAgent() (ca, srv, client *PEMPair, err error) {
 	ca = toPEMPair(caDER, caKey)

 	// Generate a new private key for the server certificate
-	serverKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, nil, nil, err
 	}

+	serverSerialNumber, err := newSerialNumber()
+	if err != nil {
+		return nil, nil, nil, err
+	}
 	srvTemplate := &x509.Certificate{
-		SerialNumber: big.NewInt(2),
+		SerialNumber: serverSerialNumber,
 		Issuer:       caTemplate.Subject,
-		Subject:      caTemplate.Subject,
-		DNSNames:     []string{CertsDNSName},
-		NotBefore:    time.Now(),
-		NotAfter:     time.Now().AddDate(1000, 0, 0), // Add validity period
-		KeyUsage:     x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		Subject: pkix.Name{
+			Organization:       caTemplate.Subject.Organization,
+			OrganizationalUnit: []string{"Server"},
+			CommonName:         CertsDNSName,
+		},
+		DNSNames:           []string{CertsDNSName},
+		NotBefore:          time.Now(),
+		NotAfter:           time.Now().AddDate(1000, 0, 0), // Add validity period
+		KeyUsage:           x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}

 	srvCertDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, caTemplate, &serverKey.PublicKey, caKey)
@@ -114,20 +213,29 @@ func NewAgent() (ca, srv, client *PEMPair, err error) {

 	srv = toPEMPair(srvCertDER, serverKey)

-	clientKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, nil, nil, err
 	}

+	clientSerialNumber, err := newSerialNumber()
+	if err != nil {
+		return nil, nil, nil, err
+	}
 	clientTemplate := &x509.Certificate{
-		SerialNumber: big.NewInt(3),
+		SerialNumber: clientSerialNumber,
 		Issuer:       caTemplate.Subject,
-		Subject:      caTemplate.Subject,
-		DNSNames:     []string{CertsDNSName},
-		NotBefore:    time.Now(),
-		NotAfter:     time.Now().AddDate(1000, 0, 0),
-		KeyUsage:     x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		Subject: pkix.Name{
+			Organization:       caTemplate.Subject.Organization,
+			OrganizationalUnit: []string{"Client"},
+			CommonName:         CertsDNSName,
+		},
+		DNSNames:           []string{CertsDNSName},
+		NotBefore:          time.Now(),
+		NotAfter:           time.Now().AddDate(1000, 0, 0),
+		KeyUsage:           x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}
 	clientCertDER, err := x509.CreateCertificate(rand.Reader, clientTemplate, caTemplate, &clientKey.PublicKey, caKey)
 	if err != nil {
@@ -135,5 +243,5 @@ func NewAgent() (ca, srv, client *PEMPair, err error) {
 	}

 	client = toPEMPair(clientCertDER, clientKey)
-	return
+	return ca, srv, client, err
 }
--- a/agent/pkg/agent/new_agent_test.go
+++ b/agent/pkg/agent/new_agent_test.go
@@ -1,6 +1,7 @@
 package agent

 import (
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -8,59 +9,59 @@ import (
 	"net/http/httptest"
 	"testing"

-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	"github.com/stretchr/testify/require"
 )

 func TestNewAgent(t *testing.T) {
 	ca, srv, client, err := NewAgent()
-	ExpectNoError(t, err)
-	ExpectTrue(t, ca != nil)
-	ExpectTrue(t, srv != nil)
-	ExpectTrue(t, client != nil)
+	require.NoError(t, err)
+	require.NotNil(t, ca)
+	require.NotNil(t, srv)
+	require.NotNil(t, client)
 }

 func TestPEMPair(t *testing.T) {
 	ca, srv, client, err := NewAgent()
-	ExpectNoError(t, err)
+	require.NoError(t, err)

 	for i, p := range []*PEMPair{ca, srv, client} {
 		t.Run(fmt.Sprintf("load-%d", i), func(t *testing.T) {
 			var pp PEMPair
 			err := pp.Load(p.String())
-			ExpectNoError(t, err)
-			ExpectEqual(t, p.Cert, pp.Cert)
-			ExpectEqual(t, p.Key, pp.Key)
+			require.NoError(t, err)
+			require.Equal(t, p.Cert, pp.Cert)
+			require.Equal(t, p.Key, pp.Key)
 		})
 	}
 }

 func TestPEMPairToTLSCert(t *testing.T) {
 	ca, srv, client, err := NewAgent()
-	ExpectNoError(t, err)
+	require.NoError(t, err)

 	for i, p := range []*PEMPair{ca, srv, client} {
 		t.Run(fmt.Sprintf("toTLSCert-%d", i), func(t *testing.T) {
 			cert, err := p.ToTLSCert()
-			ExpectNoError(t, err)
-			ExpectTrue(t, cert != nil)
+			require.NoError(t, err)
+			require.NotNil(t, cert)
 		})
 	}
 }

 func TestServerClient(t *testing.T) {
 	ca, srv, client, err := NewAgent()
-	ExpectNoError(t, err)
+	require.NoError(t, err)

 	srvTLS, err := srv.ToTLSCert()
-	ExpectNoError(t, err)
-	ExpectTrue(t, srvTLS != nil)
+	require.NoError(t, err)
+	require.NotNil(t, srvTLS)

 	clientTLS, err := client.ToTLSCert()
-	ExpectNoError(t, err)
-	ExpectTrue(t, clientTLS != nil)
+	require.NoError(t, err)
+	require.NotNil(t, clientTLS)

 	caPool := x509.NewCertPool()
-	ExpectTrue(t, caPool.AppendCertsFromPEM(ca.Cert))
+	require.True(t, caPool.AppendCertsFromPEM(ca.Cert))

 	srvTLSConfig := &tls.Config{
 		Certificates: []tls.Certificate{*srvTLS},
@@ -86,6 +87,26 @@ func TestServerClient(t *testing.T) {
 	}

 	resp, err := httpClient.Get(server.URL)
-	ExpectNoError(t, err)
-	ExpectEqual(t, resp.StatusCode, http.StatusOK)
+	require.NoError(t, err)
+	require.Equal(t, resp.StatusCode, http.StatusOK)
+}
+
+func TestPEMPairEncryptDecrypt(t *testing.T) {
+	encKey := make([]byte, 32)
+	_, err := rand.Read(encKey)
+	require.NoError(t, err)
+
+	ca, _, _, err := NewAgent()
+	require.NoError(t, err)
+
+	encCA, err := ca.Encrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, encCA)
+
+	decCA, err := encCA.Decrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, decCA)
+
+	require.Equal(t, string(ca.Cert), string(decCA.Cert))
+	require.Equal(t, string(ca.Key), string(decCA.Key))
 }
--- a/agent/pkg/agent/requests.go
+++ b/agent/pkg/agent/requests.go
@@ -1,49 +0,0 @@
-package agent
-
-import (
-	"context"
-	"io"
-	"net/http"
-
-	"github.com/coder/websocket"
-)
-
-func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
-	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
-	if err != nil {
-		return nil, err
-	}
-	return cfg.httpClient.Do(req)
-}
-
-func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) ([]byte, int, error) {
-	req = req.WithContext(req.Context())
-	req.URL.Host = AgentHost
-	req.URL.Scheme = "https"
-	req.URL.Path = APIEndpointBase + endpoint
-	req.RequestURI = ""
-	resp, err := cfg.httpClient.Do(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer resp.Body.Close()
-	data, _ := io.ReadAll(resp.Body)
-	return data, resp.StatusCode, nil
-}
-
-func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int, error) {
-	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer resp.Body.Close()
-	data, _ := io.ReadAll(resp.Body)
-	return data, resp.StatusCode, nil
-}
-
-func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
-	return websocket.Dial(ctx, APIBaseURL+endpoint, &websocket.DialOptions{
-		HTTPClient: cfg.NewHTTPClient(),
-		Host:       AgentHost,
-	})
-}
--- a/agent/pkg/agent/templates/agent.compose.yml
+++ b/agent/pkg/agent/templates/agent.compose.yml
@@ -9,6 +9,36 @@ services:
      AGENT_PORT: "{{.Port}}"
      AGENT_CA_CERT: "{{.CACert}}"
      AGENT_SSL_CERT: "{{.SSLCert}}"
+      # use agent as a docker socket proxy: [host]:port
+      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
+      LISTEN_ADDR:
+      POST: false
+      ALLOW_RESTARTS: false
+      ALLOW_START: false
+      ALLOW_STOP: false
+      AUTH: false
+      BUILD: false
+      COMMIT: false
+      CONFIGS: false
+      CONTAINERS: false
+      DISTRIBUTION: false
+      EVENTS: true
+      EXEC: false
+      GRPC: false
+      IMAGES: false
+      INFO: false
+      NETWORKS: false
+      NODES: false
+      PING: true
+      PLUGINS: false
+      SECRETS: false
+      SERVICES: false
+      SESSION: false
+      SWARM: false
+      SYSTEM: false
+      TASKS: false
+      VERSION: true
+      VOLUMES: false
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
--- a/agent/pkg/agent/templates/agent.compose.yml.tmpl
+++ b/agent/pkg/agent/templates/agent.compose.yml.tmpl
@@ -0,0 +1,66 @@
+services:
+  agent:
+    image: "{{.Image}}"
+    container_name: godoxy-agent
+    restart: always
+    {{ if eq .ContainerRuntime "podman" -}}
+    ports:
+      - "{{.Port}}:{{.Port}}"
+    {{ else -}}
+    network_mode: host # do not change this
+    {{ end -}}
+    environment:
+      {{ if eq .ContainerRuntime "nerdctl" -}}
+      DOCKER_SOCKET: "/var/run/containerd/containerd.sock"
+      RUNTIME: "nerdctl"
+      {{ else if eq .ContainerRuntime "podman" -}}
+      DOCKER_SOCKET: "/var/run/podman/podman.sock"
+      RUNTIME: "podman"
+      {{ else -}}
+      DOCKER_SOCKET: "/var/run/docker.sock"
+      RUNTIME: "docker"
+      {{ end -}}
+      AGENT_NAME: "{{.Name}}"
+      AGENT_PORT: "{{.Port}}"
+      AGENT_CA_CERT: "{{.CACert}}"
+      AGENT_SSL_CERT: "{{.SSLCert}}"
+      # use agent as a docker socket proxy: [host]:port
+      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
+      LISTEN_ADDR:
+      POST: false
+      ALLOW_RESTARTS: false
+      ALLOW_START: false
+      ALLOW_STOP: false
+      AUTH: false
+      BUILD: false
+      COMMIT: false
+      CONFIGS: false
+      CONTAINERS: false
+      DISTRIBUTION: false
+      EVENTS: true
+      EXEC: false
+      GRPC: false
+      IMAGES: false
+      INFO: false
+      NETWORKS: false
+      NODES: false
+      PING: true
+      PLUGINS: false
+      SECRETS: false
+      SERVICES: false
+      SESSION: false
+      SWARM: false
+      SYSTEM: false
+      TASKS: false
+      VERSION: true
+      VOLUMES: false
+    volumes:
+      {{ if eq .ContainerRuntime "podman" -}}
+      - /var/run/podman/podman.sock:/var/run/podman/podman.sock
+      {{ else if eq .ContainerRuntime "nerdctl" -}}
+      - /var/run/containerd/containerd.sock:/var/run/containerd/containerd.sock
+      - /var/lib/nerdctl:/var/lib/nerdctl:ro # required to read metadata like network info
+      {{ else -}}
+      - /var/run/docker.sock:/var/run/docker.sock
+      {{ end -}}
+      - ./data:/app/data
--- a/agent/pkg/agentproxy/config.go
+++ b/agent/pkg/agentproxy/config.go
@@ -0,0 +1,73 @@
+package agentproxy
+
+import (
+	"encoding/base64"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/bytedance/sonic"
+	route "github.com/yusing/godoxy/internal/route/types"
+)
+
+type Config struct {
+	Scheme string `json:"scheme,omitempty"`
+	Host   string `json:"host,omitempty"` // host or host:port
+
+	route.HTTPConfig
+}
+
+func ConfigFromHeaders(h http.Header) (Config, error) {
+	cfg, err := proxyConfigFromHeaders(h)
+	if cfg.Host == "" || err != nil {
+		cfg = proxyConfigFromHeadersLegacy(h)
+	}
+	return cfg, nil
+}
+
+func proxyConfigFromHeadersLegacy(h http.Header) (cfg Config) {
+	cfg.Host = h.Get(HeaderXProxyHost)
+	isHTTPS, _ := strconv.ParseBool(h.Get(HeaderXProxyHTTPS))
+	cfg.NoTLSVerify, _ = strconv.ParseBool(h.Get(HeaderXProxySkipTLSVerify))
+	responseHeaderTimeout, err := strconv.Atoi(h.Get(HeaderXProxyResponseHeaderTimeout))
+	if err != nil {
+		responseHeaderTimeout = 0
+	}
+	cfg.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+
+	cfg.Scheme = "http"
+	if isHTTPS {
+		cfg.Scheme = "https"
+	}
+
+	return cfg
+}
+
+func proxyConfigFromHeaders(h http.Header) (cfg Config, err error) {
+	cfg.Scheme = h.Get(HeaderXProxyScheme)
+	cfg.Host = h.Get(HeaderXProxyHost)
+
+	cfgBase64 := h.Get(HeaderXProxyConfig)
+	cfgJSON, err := base64.StdEncoding.DecodeString(cfgBase64)
+	if err != nil {
+		return cfg, err
+	}
+
+	err = sonic.Unmarshal(cfgJSON, &cfg)
+	return cfg, err
+}
+
+func (cfg *Config) SetAgentProxyConfigHeadersLegacy(h http.Header) {
+	h.Set(HeaderXProxyHost, cfg.Host)
+	h.Set(HeaderXProxyHTTPS, strconv.FormatBool(cfg.Scheme == "https"))
+	h.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(cfg.NoTLSVerify))
+	h.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(int(cfg.ResponseHeaderTimeout.Round(time.Second).Seconds())))
+}
+
+func (cfg *Config) SetAgentProxyConfigHeaders(h http.Header) {
+	h.Set(HeaderXProxyHost, cfg.Host)
+	h.Set(HeaderXProxyScheme, string(cfg.Scheme))
+	cfgJSON, _ := sonic.Marshal(cfg.HTTPConfig)
+	cfgBase64 := base64.StdEncoding.EncodeToString(cfgJSON)
+	h.Set(HeaderXProxyConfig, cfgBase64)
+}
--- a/agent/pkg/agentproxy/headers.go
+++ b/agent/pkg/agentproxy/headers.go
@@ -1,27 +1,14 @@
 package agentproxy

-import (
-	"net/http"
-	"strconv"
+const (
+	HeaderXProxyScheme = "X-Proxy-Scheme"
+	HeaderXProxyHost   = "X-Proxy-Host"
+	HeaderXProxyConfig = "X-Proxy-Config"
 )

+// deprecated
 const (
-	HeaderXProxyHost                  = "X-Proxy-Host"
 	HeaderXProxyHTTPS                 = "X-Proxy-Https"
 	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
 	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
 )
-
-type AgentProxyHeaders struct {
-	Host                  string
-	IsHTTPS               bool
-	SkipTLSVerify         bool
-	ResponseHeaderTimeout int
-}
-
-func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
-	r.Header.Set(HeaderXProxyHost, headers.Host)
-	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
-	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
-	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
-}
--- a/agent/pkg/certs/zip.go
+++ b/agent/pkg/certs/zip.go
@@ -6,7 +6,7 @@ import (
 	"io"
 	"path/filepath"

-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	strutils "github.com/yusing/goutils/strings"
 )

 const AgentCertsBasePath = "certs"
--- a/agent/pkg/certs/zip_test.go
+++ b/agent/pkg/certs/zip_test.go
@@ -4,7 +4,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
+	"github.com/yusing/godoxy/agent/pkg/certs"
 )

 func TestZipCert(t *testing.T) {
--- a/agent/pkg/env/env.go
+++ b/agent/pkg/env/env.go
@@ -3,7 +3,10 @@ package env
 import (
 	"os"

-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/goutils/env"
+
+	"github.com/rs/zerolog/log"
 )

 func DefaultAgentName() string {
@@ -15,10 +18,32 @@ func DefaultAgentName() string {
 }

 var (
-	AgentName                = common.GetEnvString("AGENT_NAME", DefaultAgentName())
-	AgentPort                = common.GetEnvInt("AGENT_PORT", 8890)
-	AgentSkipClientCertCheck = common.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
-
-	AgentCACert  = common.GetEnvString("AGENT_CA_CERT", "")
-	AgentSSLCert = common.GetEnvString("AGENT_SSL_CERT", "")
+	AgentName                string
+	AgentPort                int
+	AgentSkipClientCertCheck bool
+	AgentCACert              string
+	AgentSSLCert             string
+	DockerSocket             string
+	Runtime                  agent.ContainerRuntime
 )
+
+func init() {
+	Load()
+}
+
+func Load() {
+	DockerSocket = env.GetEnvString("DOCKER_SOCKET", "/var/run/docker.sock")
+	AgentName = env.GetEnvString("AGENT_NAME", DefaultAgentName())
+	AgentPort = env.GetEnvInt("AGENT_PORT", 8890)
+	AgentSkipClientCertCheck = env.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
+
+	AgentCACert = env.GetEnvString("AGENT_CA_CERT", "")
+	AgentSSLCert = env.GetEnvString("AGENT_SSL_CERT", "")
+	Runtime = agent.ContainerRuntime(env.GetEnvString("RUNTIME", "docker"))
+
+	switch Runtime {
+	case agent.ContainerRuntimeDocker, agent.ContainerRuntimePodman: //, agent.ContainerRuntimeNerdctl:
+	default:
+		log.Fatal().Str("runtime", string(Runtime)).Msg("invalid runtime")
+	}
+}
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@@ -1,38 +1,39 @@
 package handler

 import (
+	"context"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"

-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/watcher/health"
-	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
+	"github.com/bytedance/sonic"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/godoxy/internal/watcher/health/monitor"
 )

-var defaultHealthConfig = health.DefaultHealthConfig()
-
 func CheckHealth(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	scheme := query.Get("scheme")
 	if scheme == "" {
-		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		http.Error(w, "missing scheme", http.StatusBadRequest)
 		return
 	}

-	var result *health.HealthCheckResult
-	var err error
+	var (
+		result types.HealthCheckResult
+		err    error
+	)
 	switch scheme {
 	case "fileserver":
 		path := query.Get("path")
 		if path == "" {
-			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			http.Error(w, "missing path", http.StatusBadRequest)
 			return
 		}
 		_, err := os.Stat(path)
-		result = &health.HealthCheckResult{Healthy: err == nil}
+		result = types.HealthCheckResult{Healthy: err == nil}
 		if err != nil {
 			result.Detail = err.Error()
 		}
@@ -40,32 +41,33 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 		host := query.Get("host")
 		path := query.Get("path")
 		if host == "" {
-			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			http.Error(w, "missing host", http.StatusBadRequest)
 			return
 		}
 		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
 			Scheme: scheme,
 			Host:   host,
 			Path:   path,
-		}, defaultHealthConfig).CheckHealth()
+		}, healthCheckConfigFromRequest(r)).CheckHealth()
 	case "tcp", "udp":
 		host := query.Get("host")
 		if host == "" {
-			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			http.Error(w, "missing host", http.StatusBadRequest)
 			return
 		}
 		hasPort := strings.Contains(host, ":")
 		port := query.Get("port")
-		if port != "" && !hasPort {
-			host = fmt.Sprintf("%s:%s", host, port)
-		} else {
-			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		if port != "" && hasPort {
+			http.Error(w, "port and host with port cannot both be provided", http.StatusBadRequest)
 			return
 		}
+		if port != "" {
+			host = fmt.Sprintf("%s:%s", host, port)
+		}
 		result, err = monitor.NewRawHealthMonitor(&url.URL{
 			Scheme: scheme,
 			Host:   host,
-		}, defaultHealthConfig).CheckHealth()
+		}, healthCheckConfigFromRequest(r)).CheckHealth()
 	}

 	if err != nil {
@@ -73,5 +75,17 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	gphttp.RespondJSON(w, r, result)
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	sonic.ConfigDefault.NewEncoder(w).Encode(result)
+}
+
+func healthCheckConfigFromRequest(r *http.Request) types.HealthCheckConfig {
+	// we only need timeout and base context because it's one shot request
+	return types.HealthCheckConfig{
+		Timeout: types.HealthCheckTimeoutDefault,
+		BaseContext: func() context.Context {
+			return r.Context()
+		},
+	}
 }
--- a/agent/pkg/handler/check_health_test.go
+++ b/agent/pkg/handler/check_health_test.go
@@ -10,9 +10,9 @@ import (
 	"testing"

 	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/handler"
+	"github.com/yusing/godoxy/internal/types"
 )

 func TestCheckHealthHTTP(t *testing.T) {
@@ -81,7 +81,7 @@ func TestCheckHealthHTTP(t *testing.T) {
 			require.Equal(t, recorder.Code, tt.expectedStatus)

 			if tt.expectedStatus == http.StatusOK {
-				var result health.HealthCheckResult
+				var result types.HealthCheckResult
 				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 				require.Equal(t, result.Healthy, tt.expectedHealthy)
 			}
@@ -125,7 +125,7 @@ func TestCheckHealthFileServer(t *testing.T) {

 			require.Equal(t, recorder.Code, tt.expectedStatus)

-			var result health.HealthCheckResult
+			var result types.HealthCheckResult
 			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 			require.Equal(t, result.Healthy, tt.expectedHealthy)
 			require.Equal(t, result.Detail, tt.expectedDetail)
@@ -172,9 +172,9 @@ func TestCheckHealthTCPUDP(t *testing.T) {
 		{
 			name:            "InvalidHost",
 			scheme:          "tcp",
-			host:            "invalid",
+			host:            "",
 			port:            8080,
-			expectedStatus:  http.StatusOK,
+			expectedStatus:  http.StatusBadRequest,
 			expectedHealthy: false,
 		},
 		{
@@ -188,9 +188,17 @@ func TestCheckHealthTCPUDP(t *testing.T) {
 		{
 			name:            "InvalidHost",
 			scheme:          "udp",
-			host:            "invalid",
+			host:            "",
 			port:            8080,
-			expectedStatus:  http.StatusOK,
+			expectedStatus:  http.StatusBadRequest,
+			expectedHealthy: false,
+		},
+		{
+			name:            "Port in both host and port",
+			scheme:          "tcp",
+			host:            "localhost:1234",
+			port:            1234,
+			expectedStatus:  http.StatusBadRequest,
 			expectedHealthy: false,
 		},
 	}
@@ -208,9 +216,11 @@ func TestCheckHealthTCPUDP(t *testing.T) {

 			require.Equal(t, recorder.Code, tt.expectedStatus)

-			var result health.HealthCheckResult
-			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
-			require.Equal(t, result.Healthy, tt.expectedHealthy)
+			if tt.expectedStatus == http.StatusOK {
+				var result types.HealthCheckResult
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+				require.Equal(t, result.Healthy, tt.expectedHealthy)
+			}
 		})
 	}
 }
--- a/agent/pkg/handler/docker_socket.go
+++ b/agent/pkg/handler/docker_socket.go
@@ -1,31 +0,0 @@
-package handler
-
-import (
-	"net/http"
-	"net/url"
-
-	"github.com/docker/docker/client"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	"github.com/yusing/go-proxy/internal/net/types"
-)
-
-func serviceUnavailable(w http.ResponseWriter, r *http.Request) {
-	http.Error(w, "docker socket is not available", http.StatusServiceUnavailable)
-}
-
-func DockerSocketHandler() http.HandlerFunc {
-	dockerClient, err := docker.NewClient(common.DockerHostFromEnv)
-	if err != nil {
-		logging.Warn().Err(err).Msg("failed to connect to docker client")
-		return serviceUnavailable
-	}
-	rp := reverseproxy.NewReverseProxy("docker", types.NewURL(&url.URL{
-		Scheme: "http",
-		Host:   client.DummyHost,
-	}), dockerClient.HTTPClient().Transport)
-
-	return rp.ServeHTTP
-}
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@@ -2,48 +2,59 @@ package handler

 import (
 	"fmt"
-	"io"
 	"net/http"

-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/gin-gonic/gin"
+	"github.com/gorilla/websocket"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
+	"github.com/yusing/goutils/version"
 )

 type ServeMux struct{ *http.ServeMux }

-func (mux ServeMux) HandleMethods(methods, endpoint string, handler http.HandlerFunc) {
-	for _, m := range strutils.CommaSeperatedList(methods) {
-		mux.ServeMux.HandleFunc(m+" "+agent.APIEndpointBase+endpoint, handler)
-	}
+func (mux ServeMux) HandleEndpoint(method, endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(method+" "+agent.APIEndpointBase+endpoint, handler)
 }

 func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
 	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
 }

-type NopWriteCloser struct {
-	io.Writer
-}
-
-func (NopWriteCloser) Close() error {
-	return nil
+var upgrader = &websocket.Upgrader{
+	// no origin check needed for internal websocket
+	CheckOrigin: func(r *http.Request) bool {
+		return true
+	},
 }

 func NewAgentHandler() http.Handler {
+	gin.SetMode(gin.ReleaseMode)
 	mux := ServeMux{http.NewServeMux()}

+	metricsHandler := gin.Default()
+	{
+		metrics := metricsHandler.Group(agent.APIEndpointBase)
+		metrics.GET(agent.EndpointSystemInfo, func(c *gin.Context) {
+			c.Set("upgrader", upgrader)
+			systeminfo.Poller.ServeHTTP(c)
+		})
+	}
+
 	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
-	mux.HandleMethods("GET", agent.EndpointVersion, pkg.GetVersionHTTPHandler())
-	mux.HandleMethods("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleEndpoint("GET", agent.EndpointVersion, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, version.Get())
+	})
+	mux.HandleEndpoint("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, env.AgentName)
 	})
-	mux.HandleMethods("GET", agent.EndpointHealth, CheckHealth)
-	mux.HandleMethods("GET", agent.EndpointLogs, memlogger.HandlerFunc())
-	mux.HandleMethods("GET", agent.EndpointSystemInfo, systeminfo.Poller.ServeHTTP)
-	mux.ServeMux.HandleFunc("/", DockerSocketHandler())
+	mux.HandleEndpoint("GET", agent.EndpointRuntime, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.Runtime)
+	})
+	mux.HandleEndpoint("GET", agent.EndpointHealth, CheckHealth)
+	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, metricsHandler.ServeHTTP)
+	mux.ServeMux.HandleFunc("/", socketproxy.DockerSocketHandler(env.DockerSocket))
 	return mux
 }
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -1,62 +1,72 @@
 package handler

 import (
-	"crypto/tls"
+	"fmt"
 	"net/http"
-	"net/url"
-	"strconv"
+	"net/http/httputil"
+	"strings"
 	"time"

-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/agentproxy"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	"github.com/yusing/go-proxy/internal/net/types"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/agentproxy"
 )

-func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
-	host := r.Header.Get(agentproxy.HeaderXProxyHost)
-	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
-	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
-	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
-	if err != nil {
-		responseHeaderTimeout = 0
+func NewTransport() *http.Transport {
+	return &http.Transport{
+		MaxIdleConnsPerHost:   100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		ResponseHeaderTimeout: 60 * time.Second,
+		WriteBufferSize:       16 * 1024, // 16KB
+		ReadBufferSize:        16 * 1024, // 16KB
 	}
+}

-	if host == "" {
-		http.Error(w, "missing required headers", http.StatusBadRequest)
+func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
+	cfg, err := agentproxy.ConfigFromHeaders(r.Header)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("failed to parse agent proxy config: %s", err.Error()), http.StatusBadRequest)
 		return
 	}

-	scheme := "http"
-	if isHTTPS {
-		scheme = "https"
+	transport := NewTransport()
+	if cfg.ResponseHeaderTimeout > 0 {
+		transport.ResponseHeaderTimeout = cfg.ResponseHeaderTimeout
+	}
+	if cfg.DisableCompression {
+		transport.DisableCompression = true
 	}

-	var transport *http.Transport
-	if skipTLSVerify {
-		transport = gphttp.NewTransportWithTLSConfig(&tls.Config{InsecureSkipVerify: true})
-	} else {
-		transport = gphttp.NewTransport()
+	transport.TLSClientConfig, err = cfg.BuildTLSConfig(r.URL)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("failed to build TLS client config: %s", err.Error()), http.StatusInternalServerError)
+		return
 	}

-	if responseHeaderTimeout > 0 {
-		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+	// Strip the {API_BASE}/proxy/http prefix while preserving URL escaping.
+	//
+	// NOTE: `r.URL.Path` is decoded. If we rewrite it without keeping `RawPath`
+	// in sync, Go may re-escape the path (e.g. turning "%5B" into "%255B"),
+	// which breaks urls with percent-encoded characters, like Next.js static chunk URLs.
+	prefix := agent.APIEndpointBase + agent.EndpointProxyHTTP
+	r.URL.Path = strings.TrimPrefix(r.URL.Path, prefix)
+	if r.URL.RawPath != "" {
+		if after, ok := strings.CutPrefix(r.URL.RawPath, prefix); ok {
+			r.URL.RawPath = after
+		} else {
+			// RawPath is no longer a valid encoding for Path; force Go to re-derive it.
+			r.URL.RawPath = ""
+		}
 	}
+	r.RequestURI = ""

-	r.URL.Scheme = ""
-	r.URL.Host = ""
-	r.URL.Path = r.URL.Path[agent.HTTPProxyURLPrefixLen:] // strip the {API_BASE}/proxy/http prefix
-	r.RequestURI = r.URL.String()
-	r.URL.Host = host
-	r.URL.Scheme = scheme
-
-	logging.Debug().Msgf("proxy http request: %s %s", r.Method, r.URL.String())
-
-	rp := reverseproxy.NewReverseProxy("agent", types.NewURL(&url.URL{
-		Scheme: scheme,
-		Host:   host,
-	}), transport)
+	rp := &httputil.ReverseProxy{
+		Director: func(r *http.Request) {
+			r.URL.Scheme = cfg.Scheme
+			r.URL.Host = cfg.Host
+		},
+		Transport: transport,
+	}
 	rp.ServeHTTP(w, r)
 }
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -6,11 +6,11 @@ import (
 	"fmt"
 	"net/http"

-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/gphttp/server"
-	"github.com/yusing/go-proxy/internal/task"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/agent/pkg/handler"
+	"github.com/yusing/goutils/server"
+	"github.com/yusing/goutils/task"
 )

 type Options struct {
@@ -33,12 +33,11 @@ func StartAgentServer(parent task.Parent, opt Options) {
 		tlsConfig.ClientAuth = tls.NoClientCert
 	}

-	logger := logging.GetLogger()
 	agentServer := &http.Server{
 		Addr:      fmt.Sprintf(":%d", opt.Port),
 		Handler:   handler.NewAgentHandler(),
 		TLSConfig: tlsConfig,
 	}

-	server.Start(parent, agentServer, nil, logger)
+	server.Start(parent.Subtask("agent-server", false), agentServer, server.WithLogger(&log.Logger))
 }
--- a/assets/godoxy.png
+++ b/assets/godoxy.png
--- a/cmd/bench_server/Dockerfile
+++ b/cmd/bench_server/Dockerfile
@@ -0,0 +1,18 @@
+FROM golang:1.25.5-alpine AS builder
+
+HEALTHCHECK NONE
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+COPY main.go ./
+
+RUN go build -o bench_server main.go
+
+FROM scratch
+
+COPY --from=builder /src/bench_server /app/run
+
+USER 1001:1001
+
+CMD ["/app/run"]
--- a/cmd/bench_server/go.mod
+++ b/cmd/bench_server/go.mod
@@ -0,0 +1,3 @@
+module github.com/yusing/godoxy/cmd/bench_server
+
+go 1.25.5
--- a/cmd/bench_server/go.sum
+++ b/cmd/bench_server/go.sum
--- a/cmd/bench_server/main.go
+++ b/cmd/bench_server/main.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"math/rand/v2"
+)
+
+var printables = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+var random = make([]byte, 4096)
+
+func init() {
+	for i := range random {
+		random[i] = printables[rand.IntN(len(printables))]
+	}
+}
+
+func main() {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write(random)
+	})
+
+	server := &http.Server{
+		Addr:    ":80",
+		Handler: handler,
+	}
+
+	log.Println("Bench server listening on :80")
+	if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		log.Fatalf("ListenAndServe: %v", err)
+	}
+}
--- a/cmd/debug_page.go
+++ b/cmd/debug_page.go
@@ -0,0 +1,257 @@
+//go:build !production
+
+package main
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/api"
+	apiV1 "github.com/yusing/godoxy/internal/api/v1"
+	agentApi "github.com/yusing/godoxy/internal/api/v1/agent"
+	authApi "github.com/yusing/godoxy/internal/api/v1/auth"
+	certApi "github.com/yusing/godoxy/internal/api/v1/cert"
+	dockerApi "github.com/yusing/godoxy/internal/api/v1/docker"
+	fileApi "github.com/yusing/godoxy/internal/api/v1/file"
+	homepageApi "github.com/yusing/godoxy/internal/api/v1/homepage"
+	metricsApi "github.com/yusing/godoxy/internal/api/v1/metrics"
+	routeApi "github.com/yusing/godoxy/internal/api/v1/route"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/idlewatcher"
+	idlewatcherTypes "github.com/yusing/godoxy/internal/idlewatcher/types"
+)
+
+type debugMux struct {
+	endpoints []debugEndpoint
+	mux       http.ServeMux
+}
+
+type debugEndpoint struct {
+	name   string
+	method string
+	path   string
+}
+
+func newDebugMux() *debugMux {
+	return &debugMux{
+		endpoints: make([]debugEndpoint, 0),
+		mux:       *http.NewServeMux(),
+	}
+}
+
+func (mux *debugMux) registerEndpoint(name, method, path string) {
+	mux.endpoints = append(mux.endpoints, debugEndpoint{name: name, method: method, path: path})
+}
+
+func (mux *debugMux) HandleFunc(name, method, path string, handler http.HandlerFunc) {
+	mux.registerEndpoint(name, method, path)
+	mux.mux.HandleFunc(method+" "+path, handler)
+}
+
+func (mux *debugMux) Finalize() {
+	mux.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintln(w, `
+<!DOCTYPE html>
+<html>
+	<head>
+		<style>
+				body {
+					font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial, Apple Color Emoji, Segoe UI Emoji;
+					font-size: 16px;
+					line-height: 1.5;
+					color: #f8f9fa;
+					background-color: #121212;
+					margin: 0;
+					padding: 0;
+				}
+				table {
+					border-collapse: collapse;
+					width: 100%;
+					margin-top: 20px;
+				}
+				th, td {
+					padding: 12px;
+					text-align: left;
+					border-bottom: 1px solid #333;
+				}
+				th {
+					background-color: #1e1e1e;
+					font-weight: 600;
+					color: #f8f9fa;
+				}
+				td {
+					color: #e9ecef;
+				}
+				.link {
+					color: #007bff;
+					text-decoration: none;
+				}
+				.link:hover {
+					text-decoration: underline;
+				}
+				.method {
+					color: #6c757d;
+					font-family: monospace;
+				}
+				.path {
+					color: #6c757d;
+					font-family: monospace;
+				}
+		</style>
+	</head>
+	<body>
+		<table>
+			<thead>
+				<tr>
+					<th>Name</th>
+					<th>Method</th>
+					<th>Path</th>
+				</tr>
+			</thead>
+			<tbody>`)
+		for _, endpoint := range mux.endpoints {
+			fmt.Fprintf(w, "<tr><td><a class='link' href=%q>%s</a></td><td class='method'>%s</td><td class='path'>%s</td></tr>", endpoint.path, endpoint.name, endpoint.method, endpoint.path)
+		}
+		fmt.Fprintln(w, `
+			</tbody>
+		</table>
+	</body>
+</html>`)
+	})
+}
+
+func listenDebugServer() {
+	mux := newDebugMux()
+	mux.mux.HandleFunc("/favicon.ico", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "image/svg+xml")
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><text x="50" y="50" text-anchor="middle" dominant-baseline="middle">🐙</text></svg>`))
+	})
+
+	mux.HandleFunc("Auth block page", "GET", "/auth/block", AuthBlockPageHandler)
+	mux.HandleFunc("Idlewatcher loading page", "GET", idlewatcherTypes.PathPrefix, idlewatcher.DebugHandler)
+	apiHandler := newApiHandler(mux)
+	mux.mux.HandleFunc("/api/v1/", apiHandler.ServeHTTP)
+
+	mux.Finalize()
+
+	go http.ListenAndServe(":7777", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Pragma", "no-cache")
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		w.Header().Set("Expires", "0")
+		mux.mux.ServeHTTP(w, r)
+	}))
+}
+
+func newApiHandler(debugMux *debugMux) *gin.Engine {
+	r := gin.New()
+	r.Use(api.ErrorHandler())
+	r.Use(api.ErrorLoggingMiddleware())
+	r.Use(api.NoCache())
+
+	registerGinRoute := func(router gin.IRouter, method, name string, path string, handler gin.HandlerFunc) {
+		if group, ok := router.(*gin.RouterGroup); ok {
+			debugMux.registerEndpoint(name, method, group.BasePath()+path)
+		} else {
+			debugMux.registerEndpoint(name, method, path)
+		}
+		router.Handle(method, path, handler)
+	}
+
+	registerGinRoute(r, "GET", "App version", "/api/v1/version", apiV1.Version)
+
+	v1 := r.Group("/api/v1")
+	if auth.IsEnabled() {
+		v1Auth := v1.Group("/auth")
+		{
+			registerGinRoute(v1Auth, "HEAD", "Auth check", "/check", authApi.Check)
+			registerGinRoute(v1Auth, "POST", "Auth login", "/login", authApi.Login)
+			registerGinRoute(v1Auth, "GET", "Auth callback", "/callback", authApi.Callback)
+			registerGinRoute(v1Auth, "POST", "Auth callback", "/callback", authApi.Callback)
+			registerGinRoute(v1Auth, "POST", "Auth logout", "/logout", authApi.Logout)
+			registerGinRoute(v1Auth, "GET", "Auth logout", "/logout", authApi.Logout)
+		}
+	}
+
+	{
+		// enable cache for favicon
+		registerGinRoute(v1, "GET", "Route favicon", "/favicon", apiV1.FavIcon)
+		registerGinRoute(v1, "GET", "Route health", "/health", apiV1.Health)
+		registerGinRoute(v1, "GET", "List icons", "/icons", apiV1.Icons)
+		registerGinRoute(v1, "POST", "Config reload", "/reload", apiV1.Reload)
+		registerGinRoute(v1, "GET", "Route stats", "/stats", apiV1.Stats)
+
+		route := v1.Group("/route")
+		{
+			registerGinRoute(route, "GET", "List routes", "/list", routeApi.Routes)
+			registerGinRoute(route, "GET", "Get route", "/:which", routeApi.Route)
+			registerGinRoute(route, "GET", "List providers", "/providers", routeApi.Providers)
+			registerGinRoute(route, "GET", "List routes by provider", "/by_provider", routeApi.ByProvider)
+			registerGinRoute(route, "POST", "Playground", "/playground", routeApi.Playground)
+		}
+
+		file := v1.Group("/file")
+		{
+			registerGinRoute(file, "GET", "List files", "/list", fileApi.List)
+			registerGinRoute(file, "GET", "Get file", "/content", fileApi.Get)
+			registerGinRoute(file, "PUT", "Set file", "/content", fileApi.Set)
+			registerGinRoute(file, "POST", "Set file", "/content", fileApi.Set)
+			registerGinRoute(file, "POST", "Validate file", "/validate", fileApi.Validate)
+		}
+
+		homepage := v1.Group("/homepage")
+		{
+			registerGinRoute(homepage, "GET", "List categories", "/categories", homepageApi.Categories)
+			registerGinRoute(homepage, "GET", "List items", "/items", homepageApi.Items)
+			registerGinRoute(homepage, "POST", "Set item", "/set/item", homepageApi.SetItem)
+			registerGinRoute(homepage, "POST", "Set items batch", "/set/items_batch", homepageApi.SetItemsBatch)
+			registerGinRoute(homepage, "POST", "Set item visible", "/set/item_visible", homepageApi.SetItemVisible)
+			registerGinRoute(homepage, "POST", "Set item favorite", "/set/item_favorite", homepageApi.SetItemFavorite)
+			registerGinRoute(homepage, "POST", "Set item sort order", "/set/item_sort_order", homepageApi.SetItemSortOrder)
+			registerGinRoute(homepage, "POST", "Set item all sort order", "/set/item_all_sort_order", homepageApi.SetItemAllSortOrder)
+			registerGinRoute(homepage, "POST", "Set item fav sort order", "/set/item_fav_sort_order", homepageApi.SetItemFavSortOrder)
+			registerGinRoute(homepage, "POST", "Set category order", "/set/category_order", homepageApi.SetCategoryOrder)
+			registerGinRoute(homepage, "POST", "Item click", "/item_click", homepageApi.ItemClick)
+		}
+
+		cert := v1.Group("/cert")
+		{
+			registerGinRoute(cert, "GET", "Get cert info", "/info", certApi.Info)
+			registerGinRoute(cert, "GET", "Renew cert", "/renew", certApi.Renew)
+		}
+
+		agent := v1.Group("/agent")
+		{
+			registerGinRoute(agent, "GET", "List agents", "/list", agentApi.List)
+			registerGinRoute(agent, "POST", "Create agent", "/create", agentApi.Create)
+			registerGinRoute(agent, "POST", "Verify agent", "/verify", agentApi.Verify)
+		}
+
+		metrics := v1.Group("/metrics")
+		{
+			registerGinRoute(metrics, "GET", "Get system info", "/system_info", metricsApi.SystemInfo)
+			registerGinRoute(metrics, "GET", "Get all system info", "/all_system_info", metricsApi.AllSystemInfo)
+			registerGinRoute(metrics, "GET", "Get uptime", "/uptime", metricsApi.Uptime)
+		}
+
+		docker := v1.Group("/docker")
+		{
+			registerGinRoute(docker, "GET", "Get container", "/container/:id", dockerApi.GetContainer)
+			registerGinRoute(docker, "GET", "List containers", "/containers", dockerApi.Containers)
+			registerGinRoute(docker, "GET", "Get docker info", "/info", dockerApi.Info)
+			registerGinRoute(docker, "GET", "Get docker logs", "/logs/:id", dockerApi.Logs)
+			registerGinRoute(docker, "POST", "Start docker container", "/start", dockerApi.Start)
+			registerGinRoute(docker, "POST", "Stop docker container", "/stop", dockerApi.Stop)
+			registerGinRoute(docker, "POST", "Restart docker container", "/restart", dockerApi.Restart)
+		}
+	}
+
+	return r
+}
+
+func AuthBlockPageHandler(w http.ResponseWriter, r *http.Request) {
+	auth.WriteBlockPage(w, http.StatusForbidden, "Forbidden", "Login", "/login")
+}
--- a/cmd/debug_page_prod.go
+++ b/cmd/debug_page_prod.go
@@ -0,0 +1,7 @@
+//go:build production
+
+package main
+
+func listenDebugServer() {
+	// no-op
+}
--- a/cmd/h2c_test_server/Dockerfile
+++ b/cmd/h2c_test_server/Dockerfile
@@ -0,0 +1,18 @@
+FROM golang:1.25.5-alpine AS builder
+
+HEALTHCHECK NONE
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+COPY main.go ./
+
+RUN go build -o h2c_test_server main.go
+
+FROM scratch
+
+COPY --from=builder /src/h2c_test_server /app/run
+
+USER 1001:1001
+
+CMD ["/app/run"]
--- a/cmd/h2c_test_server/go.mod
+++ b/cmd/h2c_test_server/go.mod
@@ -0,0 +1,7 @@
+module github.com/yusing/godoxy/cmd/h2c_test_server
+
+go 1.25.5
+
+require golang.org/x/net v0.48.0
+
+require golang.org/x/text v0.32.0 // indirect
--- a/cmd/h2c_test_server/go.sum
+++ b/cmd/h2c_test_server/go.sum
@@ -0,0 +1,4 @@
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
--- a/cmd/h2c_test_server/main.go
+++ b/cmd/h2c_test_server/main.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+)
+
+func main() {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("ok"))
+	})
+
+	server := &http.Server{
+		Addr:    ":80",
+		Handler: h2c.NewHandler(handler, &http2.Server{}),
+	}
+
+	log.Println("H2C server listening on :80")
+	if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		log.Fatalf("ListenAndServe: %v", err)
+	}
+}
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,166 +1,89 @@
 package main

 import (
-	"encoding/json"
-	"log"
 	"os"
 	"sync"

-	"github.com/yusing/go-proxy/internal"
-	"github.com/yusing/go-proxy/internal/api/v1/query"
-	"github.com/yusing/go-proxy/internal/auth"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/dnsproviders"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/api"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/config"
+	"github.com/yusing/godoxy/internal/dnsproviders"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/logging"
+	"github.com/yusing/godoxy/internal/logging/memlogger"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	"github.com/yusing/godoxy/internal/metrics/uptime"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
+	"github.com/yusing/godoxy/internal/route/rules"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/server"
+	"github.com/yusing/goutils/task"
+	"github.com/yusing/goutils/version"
 )

-var rawLogger = log.New(os.Stdout, "", 0)
-
 func parallel(fns ...func()) {
 	var wg sync.WaitGroup
 	for _, fn := range fns {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			fn()
-		}()
+		wg.Go(fn)
 	}
 	wg.Wait()
 }

 func main() {
 	initProfiling()
-	dnsproviders.InitProviders()
-	args := pkg.GetArgs(common.MainServerCommandValidator{})

-	switch args.Command {
-	case common.CommandReload:
-		if err := query.ReloadServer(); err != nil {
-			gperr.LogFatal("server reload error", err)
-		}
-		rawLogger.Println("ok")
-		return
-	case common.CommandListIcons:
-		icons, err := internal.ListAvailableIcons()
-		if err != nil {
-			rawLogger.Fatal(err)
-		}
-		printJSON(icons)
-		return
-	case common.CommandListRoutes:
-		routes, err := query.ListRoutes()
-		if err != nil {
-			log.Printf("failed to connect to api server: %s", err)
-			log.Printf("falling back to config file")
-		} else {
-			printJSON(routes)
-			return
-		}
-	case common.CommandDebugListMTrace:
-		trace, err := query.ListMiddlewareTraces()
-		if err != nil {
-			log.Fatal(err)
-		}
-		printJSON(trace)
-		return
-	}
+	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
+	log.Info().Msgf("GoDoxy version %s", version.Get())
+	log.Trace().Msg("trace enabled")
+	parallel(
+		dnsproviders.InitProviders,
+		homepage.InitIconListCache,
+		systeminfo.Poller.Start,
+		middleware.LoadComposeFiles,
+	)

-	if args.Command == common.CommandStart {
-		logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
-		logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
-		logging.Trace().Msg("trace enabled")
-		parallel(
-			internal.InitIconListCache,
-			systeminfo.Poller.Start,
-		)
-
-		if common.APIJWTSecret == nil {
-			logging.Warn().Msg("API_JWT_SECRET is not set, using random key")
-			common.APIJWTSecret = common.RandomJWTKey()
-		}
-	} else {
-		logging.DiscardLogger()
-	}
-
-	if args.Command == common.CommandValidate {
-		data, err := os.ReadFile(common.ConfigPath)
-		if err == nil {
-			err = config.Validate(data)
-		}
-		if err != nil {
-			log.Fatal("config error: ", err)
-		}
-		log.Print("config OK")
-		return
+	if common.APIJWTSecret == nil {
+		log.Warn().Msg("API_JWT_SECRET is not set, using random key")
+		common.APIJWTSecret = common.RandomJWTKey()
 	}

 	for _, dir := range common.RequiredDirectories {
 		prepareDirectory(dir)
 	}

-	middleware.LoadComposeFiles()
-
-	var cfg *config.Config
-	var err gperr.Error
-	if cfg, err = config.Load(); err != nil {
+	err := config.Load()
+	if err != nil {
 		gperr.LogWarn("errors in config", err)
-		err = nil
 	}

-	switch args.Command {
-	case common.CommandListRoutes:
-		cfg.StartProxyProviders()
-		printJSON(routes.ByAlias())
-		return
-	case common.CommandListConfigs:
-		printJSON(cfg.Value())
-		return
-	case common.CommandDebugListEntries:
-		printJSON(cfg.DumpRoutes())
-		return
-	case common.CommandDebugListProviders:
-		printJSON(cfg.DumpRouteProviders())
-		return
-	}
+	config.StartProxyServers()

-	cfg.Start(&config.StartServersOptions{
-		Proxy: true,
-	})
 	if err := auth.Initialize(); err != nil {
-		logging.Fatal().Err(err).Msg("failed to initialize authentication")
+		log.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
+	rules.InitAuthHandler(auth.AuthOrProceed)
+
 	// API Handler needs to start after auth is initialized.
-	cfg.StartServers(&config.StartServersOptions{
-		API: true,
+	server.StartServer(task.RootTask("api_server", false), server.Options{
+		Name:     "api",
+		HTTPAddr: common.APIHTTPAddr,
+		Handler:  api.NewHandler(),
 	})

+	listenDebugServer()
+
 	uptime.Poller.Start()
 	config.WatchChanges()

-	task.WaitExit(cfg.Value().TimeoutShutdown)
+	task.WaitExit(config.Value().TimeoutShutdown)
 }

 func prepareDirectory(dir string) {
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 		if err = os.MkdirAll(dir, 0o755); err != nil {
-			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
+			log.Fatal().Msgf("failed to create directory %s: %v", dir, err)
 		}
 	}
 }
-
-func printJSON(obj any) {
-	j, err := json.MarshalIndent(obj, "", "  ")
-	if err != nil {
-		logging.Fatal().Err(err).Send()
-	}
-	rawLogger.Print(string(j)) // raw output for convenience using "jq"
-}
--- a/cmd/pprof_prof.go
+++ b/cmd/pprof_prof.go
@@ -3,18 +3,46 @@
 package main

 import (
-	"log"
 	"net/http"
 	_ "net/http/pprof"
 	"runtime"
 	"runtime/debug"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	strutils "github.com/yusing/goutils/strings"
 )

 func initProfiling() {
-	runtime.GOMAXPROCS(2)
-	debug.SetMemoryLimit(100 * 1024 * 1024)
-	debug.SetMaxStack(15 * 1024 * 1024)
 	go func() {
-		log.Println(http.ListenAndServe(":7777", nil))
+		log.Info().Msgf("pprof server started at http://localhost:7777/debug/pprof/")
+		log.Error().Err(http.ListenAndServe(":7777", nil)).Msg("pprof server failed")
+	}()
+	go func() {
+		ticker := time.NewTicker(time.Second * 10)
+		defer ticker.Stop()
+
+		var m runtime.MemStats
+		var gcStats debug.GCStats
+
+		for range ticker.C {
+			runtime.ReadMemStats(&m)
+			debug.ReadGCStats(&gcStats)
+
+			log.Info().Msgf("-----------------------------------------------------")
+			log.Info().Msgf("Timestamp: %s", time.Now().Format(time.RFC3339))
+			log.Info().Msgf("  Go Heap - In Use (Alloc/HeapAlloc): %s", strutils.FormatByteSize(m.Alloc))
+			log.Info().Msgf("  Go Heap - Reserved from OS (HeapSys): %s", strutils.FormatByteSize(m.HeapSys))
+			log.Info().Msgf("  Go Stacks - In Use (StackInuse): %s", strutils.FormatByteSize(m.StackInuse))
+			log.Info().Msgf("  Go Runtime - Other Sys (MSpanInuse, MCacheInuse, BuckHashSys, GCSys, OtherSys): %s", strutils.FormatByteSize(m.MSpanInuse+m.MCacheInuse+m.BuckHashSys+m.GCSys+m.OtherSys))
+			log.Info().Msgf("  Go Runtime - Total from OS (Sys): %s", strutils.FormatByteSize(m.Sys))
+			log.Info().Msgf("  Go Runtime - Freed from OS (HeapReleased): %s", strutils.FormatByteSize(m.HeapReleased))
+			log.Info().Msgf("  Number of Goroutines: %d", runtime.NumGoroutine())
+			log.Info().Msgf("  Number of completed GC cycles: %d", m.NumGC)
+			log.Info().Msgf("  Number of GCs: %d", gcStats.NumGC)
+			log.Info().Msgf("  Total GC time: %s", gcStats.PauseTotal)
+			log.Info().Msgf("  Last GC time: %s", gcStats.LastGC.Format(time.DateTime))
+			log.Info().Msg("-----------------------------------------------------")
+		}
 	}()
 }
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,21 +1,50 @@
 ---
 services:
+  socket-proxy:
+    container_name: socket-proxy
+    image: ghcr.io/yusing/socket-proxy:latest
+    environment:
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      - CONTAINERS=1
+      - EVENTS=1
+      - INFO=1
+      - PING=1
+      - POST=1
+      - VERSION=1
+    volumes:
+      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
+    restart: unless-stopped
+    tmpfs:
+      - /run
+    ports:
+      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
  frontend:
-    image: ghcr.io/yusing/godoxy-frontend:latest
+    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
+    # lite variant
+    # image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}-lite
    container_name: godoxy-frontend
    restart: unless-stopped
-    network_mode: host # do not change this
    env_file: .env
+    # comment out `user` for lite variant
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    read_only: true
+    tmpfs:
+      - /app/.next/cache # next image caching
+
+      # for lite variant, do not change uid/gid
+      # - /var/cache/nginx:uid=101,gid=101
+      # - /run:uid=101,gid=101
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
    depends_on:
      - app
-    environment:
-      PORT: ${GODOXY_FRONTEND_PORT:-3000}
-
-    # modify below to fit your needs
    labels:
-      proxy.aliases: godoxy
-      proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
-      # proxy.godoxy.middlewares.cidr_whitelist: |
+      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
+      # proxy.#1.middlewares.cidr_whitelist: |
      #   status: 403
      #   message: IP not allowed
      #   allow:
@@ -24,22 +53,32 @@ services:
      #     - 192.168.0.0/16
      #     - 172.16.0.0/12
  app:
-    image: ghcr.io/yusing/godoxy:latest
-    container_name: godoxy
+    image: ghcr.io/yusing/godoxy:${TAG:-latest}
+    container_name: godoxy-proxy
    restart: always
    network_mode: host # do not change this
    env_file: .env
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    depends_on:
+      socket-proxy:
+        condition: service_started
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
+    cap_add:
+      - NET_BIND_SERVICE
+    environment:
+      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/app/config
      - ./logs:/app/logs
-      - ./error_pages:/app/error_pages
+      - ./error_pages:/app/error_pages:ro
      - ./data:/app/data

-      # To use autocert, certs will be stored in "./certs".
-      # You can also use a docker volume to store it
+      # This path stores certs obtained from autocert and agent TLS client certs
      - ./certs:/app/certs

-      # remove "./certs:/app/certs" and uncomment below to use existing certificate
+      # mount existing certificate
      # - /path/to/certs/cert.crt:/app/certs/cert.crt
      # - /path/to/certs/priv.key:/app/certs/priv.key
--- a/config.example.yml
+++ b/config.example.yml
@@ -4,6 +4,8 @@

 # autocert:
 #   provider: local
+#   cert_path: /path/to/cert.crt # default: /app/certs/cert.crt
+#   key_path: /path/to/priv.key # default: /app/certs/priv.key

 # 2. cloudflare
 # autocert:
@@ -15,7 +17,11 @@
 #   options:
 #     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token

-# 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
+# 3. other providers, see https://docs.godoxy.dev/DNS-01-Providers
+
+# Access Control
+# When enabled, it will be applied globally at connection level,
+# all incoming connections (web, tcp and udp) will be checked against the ACL rules.

 # acl:
 #   default: allow # or deny (default: allow)
@@ -31,31 +37,62 @@
 #     - country:US
 #     - timezone:Asia/Shanghai
 #   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
-#     buffer_size: 65536 # (default: 64KB)
 #     path: /app/logs/acl.log # (default: none)
 #     stdout: false # (default: false)
-#     keep: last 10 # (default: none)
+#     keep: 30 days # (default: 30 days)
+#     log_allowed: false # (default: false)
+#   notify:
+#     interval: 1m # (default: 1m)
+#     to: [gotify, discord] # names under providers.notification
+#     include_allowed: false # (default: false)

 entrypoint:
+  # Proxy Protocol: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address
+  # When set to true, web entrypoint and all tcp routes will be wrapped with Proxy Protocol listener in order to preserve the client's IP address.
+  # Note that HTTP/3 with proxy protocol is not supported yet.
+  support_proxy_protocol: false
+
  # Below define an example of middleware config
-  # 1. block non local IP connections
-  # 2. redirect HTTP to HTTPS
+  # 1. set security headers
+  # 2. block non local IP connections
+  # 3. redirect HTTP to HTTPS
  #
-  # middlewares:
-  #   - use: CIDRWhitelist
-  #     allow:
-  #       - "127.0.0.1"
-  #       - "10.0.0.0/8"
-  #       - "172.16.0.0/12"
-  #       - "192.168.0.0/16"
-  #     status: 403
-  #     message: "Forbidden"
-  #   - use: RedirectHTTP
+  middlewares:
+    - use: CloudflareRealIP
+    - use: ModifyResponse
+      set_headers:
+        Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
+        Access-Control-Allow-Headers: "*"
+        Access-Control-Allow-Origin: "*"
+        Access-Control-Max-Age: 180
+        Vary: "*"
+        X-XSS-Protection: 1; mode=block
+        Content-Security-Policy: "object-src 'self'; frame-ancestors 'self';"
+        X-Content-Type-Options: nosniff
+        X-Frame-Options: SAMEORIGIN
+        Referrer-Policy: same-origin
+        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+    # - use: RedirectHTTP

  # below enables access log
  access_log:
    format: combined
    path: /app/logs/entrypoint.log
+    stdout: false # (default: false)
+    keep: 30 days # (default: 30 days)
+
+  # customize behavior for non-existent routes, e.g. pass over to another proxy
+  #
+  # rules:
+  #   not_found:
+  #     - name: default
+  #       do: proxy http://other-proxy:8080
+
+defaults:
+  healthcheck:
+    interval: 5s
+    timeout: 15s
+    retries: 3

 providers:
  # include files are standalone yaml files under `config/` directory
@@ -80,9 +117,13 @@ providers:
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2

-  # notification providers (notify when service health changes)
+  # notification providers
  #
  # notification:
+  #   - name: ntfy
+  #     provider: ntfy
+  #     url: https://ntfy.domain.tld
+  #     topic: godoxy
  #   - name: gotify
  #     provider: gotify
  #     url: https://gotify.domain.tld
@@ -91,6 +132,11 @@ providers:
  #     provider: webhook
  #     url: https://discord.com/api/webhooks/...
  #     template: discord # this means use payload template from internal/notif/templates/discord.json
+  #   - name: pushover
+  #     provider: webhook
+  #     url: https://api.pushover.net/1/messages.json
+  #     mime_type: application/x-www-form-urlencoded
+  #     payload: '{"token": "your-app-token", "user": "your-user-key", "title": $title, "message": $message}'

  # Proxmox providers (for idlesleep support for proxmox LXCs)
  #
@@ -100,8 +146,8 @@ providers:
  #     secret: aaaa-bbbb-cccc-dddd
  #     no_tls_verify: true

-# Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
-# for explaination of `match_domains`
+# Match domains
+# See https://docs.godoxy.dev/Certificates-and-domain-matching
 #
 # match_domains:
 #   - my.site
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@@ -0,0 +1,7 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y ca-certificates
+
+WORKDIR /app
+
+CMD ["/app/run"]
--- a/dev.compose.yml
+++ b/dev.compose.yml
@@ -0,0 +1,257 @@
+x-benchmark: &benchmark
+  restart: no
+  labels:
+    proxy.exclude: true
+    proxy.#1.healthcheck.disable: true
+services:
+  app:
+    image: godoxy-dev
+    build:
+      context: .
+      dockerfile: dev.Dockerfile
+    container_name: godoxy-proxy-dev
+    restart: unless-stopped
+    env_file: dev.env
+    environment:
+      DOCKER_HOST: unix:///var/run/docker.sock
+      TZ: Asia/Hong_Kong
+      API_ADDR: 127.0.0.1:8999
+      API_USER: dev
+      API_PASSWORD: 1234
+      API_SKIP_ORIGIN_CHECK: true
+      API_JWT_TTL: 24h
+      DEBUG: true
+      API_JWT_SECRET: 1234567891234567
+    labels:
+      proxy.exclude: true
+      proxy.#1.healthcheck.disable: true
+    ipc: host
+    network_mode: host
+    volumes:
+      - ./bin/godoxy:/app/run:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./dev-data/config:/app/config
+      - ./dev-data/certs:/app/certs
+      - ./dev-data/error_pages:/app/error_pages:ro
+      - ./dev-data/data:/app/data
+      - ./dev-data/logs:/app/logs
+      - ~/certs/myCA.pem:/etc/ssl/certs/ca.crt:ro
+  parca:
+    image: ghcr.io/parca-dev/parca:v0.24.2
+    container_name: godoxy-parca
+    restart: unless-stopped
+    command: [/parca, --config-path, /parca.yaml]
+    network_mode: host
+    # ports:
+    #   - 7070:7070
+    configs:
+      - source: parca
+        target: /parca.yaml
+    labels:
+      proxy.#1.port: "7070"
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:v3
+    container_name: tinyauth
+    restart: unless-stopped
+    environment:
+      - SECRET=12345678912345671234567891234567
+      - APP_URL=https://tinyauth.my.app
+      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+    labels:
+      proxy.tinyauth.port: "3000"
+  jotty: # issue #182
+    image: ghcr.io/fccview/jotty:latest
+    container_name: jotty
+    user: "1000:1000"
+    tmpfs:
+      - /app/data:rw,uid=1000,gid=1000
+      - /app/config:rw,uid=1000,gid=1000
+      - /app/.next/cache:rw,uid=1000,gid=1000
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+    labels:
+      proxy.aliases: "jotty.my.app"
+  postgres-test:
+    image: postgres:18-alpine
+    container_name: postgres-test
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_DB=postgres
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+  h2c_test_server:
+    build:
+      context: cmd/h2c_test_server
+      dockerfile: Dockerfile
+    container_name: h2c_test
+    restart: unless-stopped
+    labels:
+      proxy.#1.scheme: h2c
+      proxy.#1.port: 80
+  bench: # returns 4096 bytes of random data
+    <<: *benchmark
+    build:
+      context: cmd/bench_server
+      dockerfile: Dockerfile
+    container_name: bench
+  godoxy:
+    <<: *benchmark
+    build: .
+    container_name: godoxy-benchmark
+    ports:
+      - 8080:80
+    configs:
+      - source: godoxy_config
+        target: /app/config/config.yml
+      - source: godoxy_provider
+        target: /app/config/providers.yml
+  traefik:
+    <<: *benchmark
+    image: traefik:latest
+    container_name: traefik
+    command:
+      - --api.insecure=true
+      - --entrypoints.web.address=:8081
+      - --providers.file.directory=/etc/traefik/dynamic
+      - --providers.file.watch=true
+      - --log.level=ERROR
+    ports:
+      - 8081:8081
+    configs:
+      - source: traefik_config
+        target: /etc/traefik/dynamic/routes.yml
+  caddy:
+    <<: *benchmark
+    image: caddy:latest
+    container_name: caddy
+    ports:
+      - 8082:80
+    configs:
+      - source: caddy_config
+        target: /etc/caddy/Caddyfile
+    tmpfs:
+      - /data
+      - /config
+  nginx:
+    <<: *benchmark
+    image: nginx:latest
+    container_name: nginx
+    command: nginx -g 'daemon off;' -c /etc/nginx/nginx.conf
+    ports:
+      - 8083:80
+    configs:
+      - source: nginx_config
+        target: /etc/nginx/nginx.conf
+
+configs:
+  godoxy_config:
+    content: |
+      providers:
+        include:
+          - providers.yml
+  godoxy_provider:
+    content: |
+      bench.domain.com:
+        host: bench
+  traefik_config:
+    content: |
+      http:
+        routers:
+          bench:
+            rule: "Host(`bench.domain.com`)"
+            entryPoints:
+              - web
+            service: bench
+        services:
+          bench:
+            loadBalancer:
+              servers:
+                - url: "http://bench:80"
+  caddy_config:
+    content: |
+      {
+        admin off
+        auto_https off
+        default_bind 0.0.0.0
+
+        servers {
+          protocols h1 h2c
+        }
+      }
+
+      http://bench.domain.com {
+        reverse_proxy bench:80
+      }
+  nginx_config:
+    content: |
+      worker_processes auto;
+      worker_rlimit_nofile 65535;
+      error_log /dev/null;
+      pid /var/run/nginx.pid;
+
+      events {
+        worker_connections 10240;
+        multi_accept on;
+        use epoll;
+      }
+
+      http {
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        
+        access_log off;
+        
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        keepalive_requests 10000;
+        
+        upstream backend {
+          server bench:80;
+          keepalive 128;
+        }
+
+        server {
+          listen 80 default_server;
+          server_name _;
+          http2 on;
+
+          return 404;
+        }
+
+        server {
+          listen 80;
+          server_name bench.domain.com;
+          http2 on;
+          
+          location / {
+            proxy_pass http://backend;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $$host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_buffering off;
+          }
+        }
+      }
+  parca:
+    content: |
+      object_storage:
+        bucket:
+          type: "FILESYSTEM"
+          config:
+            directory: "./data"
+      scrape_configs:
+        - job_name: "parca"
+          scrape_interval: "1s"
+          static_configs:
+            - targets: [ 'localhost:7777' ]
--- a/go.mod
+++ b/go.mod
@@ -1,254 +1,181 @@
-module github.com/yusing/go-proxy
+module github.com/yusing/godoxy

-go 1.24.2
+go 1.25.5

-replace github.com/yusing/go-proxy/agent => ./agent
-
-replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
+replace (
+	github.com/coreos/go-oidc/v3 => ./internal/go-oidc
+	github.com/shirou/gopsutil/v4 => ./internal/gopsutil
+	github.com/yusing/godoxy/agent => ./agent
+	github.com/yusing/godoxy/internal/dnsproviders => ./internal/dnsproviders
+	github.com/yusing/goutils => ./goutils
+	github.com/yusing/goutils/http/reverseproxy => ./goutils/http/reverseproxy
+	github.com/yusing/goutils/http/websocket => ./goutils/http/websocket
+	github.com/yusing/goutils/server => ./goutils/server
+)

 require (
-	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
-	github.com/coder/websocket v1.8.13 // websocket for API and agent
-	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
-	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/PuerkitoBio/goquery v1.11.0 // parsing HTML for extract fav icon
+	github.com/coreos/go-oidc/v3 v3.17.0 // oidc authentication
 	github.com/fsnotify/fsnotify v1.9.0 // file watcher
-	github.com/go-acme/lego/v4 v4.23.1 // acme client
-	github.com/go-playground/validator/v10 v10.26.0 // validator
+	github.com/gin-gonic/gin v1.11.0 // api server
+	github.com/go-acme/lego/v4 v4.30.1 // acme client
+	github.com/go-playground/validator/v10 v10.30.1 // validator
 	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
-	github.com/gotify/server/v2 v2.6.1 // reference the Message struct for json response
+	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
+	github.com/gotify/server/v2 v2.7.3 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/puzpuzpuz/xsync/v3 v3.5.1 // lock free map for concurrent operations
+	github.com/pires/go-proxyproto v0.8.1 // proxy protocol support
+	github.com/puzpuzpuz/xsync/v4 v4.2.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
-	github.com/shirou/gopsutil/v4 v4.25.3 // system info metrics
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-	golang.org/x/crypto v0.37.0 // encrypting password with bcrypt
-	golang.org/x/net v0.39.0 // HTTP header utilities
-	golang.org/x/oauth2 v0.29.0 // oauth2 authentication
-	golang.org/x/text v0.24.0 // string utilities
-	golang.org/x/time v0.11.0 // time utilities
-	gopkg.in/yaml.v3 v3.0.1 // indirect; yaml parsing for different config files
-)
-
-replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
-
-require (
-	github.com/docker/cli v28.1.1+incompatible
-	github.com/goccy/go-yaml v1.17.1
-	github.com/golang-jwt/jwt/v5 v5.2.2
-	github.com/luthermonson/go-proxmox v0.2.2
-	github.com/oschwald/maxminddb-golang v1.13.1
-	github.com/quic-go/quic-go v0.51.0
-	github.com/samber/slog-zerolog/v2 v2.7.3
-	github.com/spf13/afero v1.14.0
-	github.com/stretchr/testify v1.10.0
-	github.com/yusing/go-proxy/agent v0.0.0-00010101000000-000000000000
-	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-00010101000000-000000000000
-	go.uber.org/atomic v1.11.0
+	golang.org/x/crypto v0.46.0 // encrypting password with bcrypt
+	golang.org/x/net v0.48.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.34.0 // oauth2 authentication
+	golang.org/x/sync v0.19.0
+	golang.org/x/time v0.14.0 // time utilities
 )

 require (
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // xxhash64 for fast hash
+	github.com/bytedance/sonic v1.14.2 // fast json parsing
+	github.com/docker/cli v29.1.3+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
+	github.com/goccy/go-yaml v1.19.1 // yaml parsing for different config files
+	github.com/golang-jwt/jwt/v5 v5.3.0 // jwt authentication
+	github.com/luthermonson/go-proxmox v0.2.4 // proxmox API client
+	github.com/moby/moby/api v1.52.0 // docker API
+	github.com/moby/moby/client v0.2.1 // docker client
+	github.com/oschwald/maxminddb-golang v1.13.1 // maxminddb for geoip database
+	github.com/quic-go/quic-go v0.58.0 // http3 support
+	github.com/shirou/gopsutil/v4 v4.25.11 // system information
+	github.com/spf13/afero v1.15.0 // afero for file system operations
+	github.com/stretchr/testify v1.11.1 // testing framework
+	github.com/valyala/fasthttp v1.68.0 // fast http for health check
+	github.com/yusing/ds v0.3.1 // data structures and algorithms
+	github.com/yusing/godoxy/agent v0.0.0-20251230135310-5087800fd763
+	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20251230043958-dba8441e8a5d
+	github.com/yusing/gointernals v0.1.16
+	github.com/yusing/goutils v0.7.0
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20251217162119-cb0f79b51ce2
+	github.com/yusing/goutils/http/websocket v0.0.0-20251217162119-cb0f79b51ce2
+	github.com/yusing/goutils/server v0.0.0-20251217162119-cb0f79b51ce2
 )

-replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
-
 require (
-	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth v0.18.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
-	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
-	github.com/aws/smithy-go v1.22.3 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.224 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
-	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/civo/civogo v0.3.99 // indirect
-	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/diskfs/go-diskfs v1.6.0 // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
-	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.2 // indirect
-	github.com/exoscale/egoscale/v3 v3.1.15 // indirect
-	github.com/fatih/structs v1.1.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
-	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-resty/resty/v2 v2.16.5 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect; indirectindirect
-	github.com/gofrs/flock v0.12.1 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
+	github.com/gofrs/flock v0.13.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
-	github.com/gophercloud/gophercloud v1.14.1 // indirect
-	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
-	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.146 // indirect
-	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
-	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
-	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
-	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.49.0 // indirect
-	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
-	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
-	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.65 // indirect
-	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/miekg/dns v1.1.69 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
-	github.com/nrdcg/auroradns v1.1.0 // indirect
-	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
-	github.com/nrdcg/desec v0.11.0 // indirect
-	github.com/nrdcg/freemyip v0.3.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
-	github.com/nrdcg/goinwx v0.11.0 // indirect
-	github.com/nrdcg/mailinabox v0.2.0 // indirect
-	github.com/nrdcg/namesilo v0.2.1 // indirect
-	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
-	github.com/nzdjb/go-metaname v1.0.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/oracle/oci-go-sdk/v65 v65.89.2 // indirect
-	github.com/ovh/go-ovh v1.7.0 // indirect
-	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/peterhellberg/link v1.2.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/pquerna/otp v1.4.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sacloud/api-client-go v0.2.10 // indirect
-	github.com/sacloud/go-http v0.1.9 // indirect
-	github.com/sacloud/iaas-api-go v1.14.0 // indirect
-	github.com/sacloud/packages-go v0.0.11 // indirect
-	github.com/sagikazarmark/locafero v0.9.0 // indirect
-	github.com/samber/lo v1.49.1 // indirect
-	github.com/samber/slog-common v0.18.1 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
-	github.com/selectel/domains-go v1.1.0 // indirect
-	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/samber/lo v1.52.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.1.7 // indirect
-	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/sony/gobreaker v1.0.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/spf13/viper v1.20.1 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1151 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
-	github.com/tjfoc/gmsm v1.4.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
-	github.com/transip/gotransip/v6 v6.26.0 // indirect
-	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
-	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.206 // indirect
-	github.com/vultr/govultr/v3 v3.19.1 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.mongodb.org/mongo-driver v1.17.3 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/mock v0.5.1 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.uber.org/atomic v1.11.0
 	go.uber.org/ratelimit v0.3.1 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sync v0.13.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/tools v0.32.0 // indirect
-	google.golang.org/api v0.230.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250425173222-7b384671a197 // indirect
-	google.golang.org/grpc v1.72.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/api v0.258.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.14.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/api v0.33.0 // indirect
-	k8s.io/apimachinery v0.33.0 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+require (
+	github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-ozzo/ozzo-validation/v4 v4.3.0 // indirect
+	github.com/go-resty/resty/v2 v2.17.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/linode/linodego v1.63.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.105.2 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.105.2 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/stretchr/objx v0.5.3 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/vultr/govultr/v3 v3.26.1 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	golang.org/x/arch v0.23.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/1
+++ b/1
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -1,83 +1,96 @@
 package acl

 import (
+	"fmt"
+	"math"
 	"net"
-	"sync"
+	"sync/atomic"
 	"time"

-	"github.com/oschwald/maxminddb-golang"
-	"github.com/puzpuzpuz/xsync/v3"
+	"github.com/puzpuzpuz/xsync/v4"
 	"github.com/rs/zerolog"
-	acl "github.com/yusing/go-proxy/internal/acl/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/accesslog"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/logging/accesslog"
+	"github.com/yusing/godoxy/internal/maxmind"
+	"github.com/yusing/godoxy/internal/notif"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
+	"github.com/yusing/goutils/task"
 )

 type Config struct {
 	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
 	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
-	Allow      []string                   `json:"allow"`
-	Deny       []string                   `json:"deny"`
+	Allow      Matchers                   `json:"allow"`
+	Deny       Matchers                   `json:"deny"`
 	Log        *accesslog.ACLLoggerConfig `json:"log"`

-	MaxMind *MaxMindConfig `json:"maxmind" validate:"omitempty"`
+	Notify struct {
+		To             []string      `json:"to"`              // list of notification providers
+		Interval       time.Duration `json:"interval"`        // interval between notifications
+		IncludeAllowed *bool         `json:"include_allowed"` // default: false
+	} `json:"notify"`

 	config
+	valErr gperr.Error
 }

-type (
-	MaxMindDatabaseType string
-	MaxMindConfig       struct {
-		AccountID  string              `json:"account_id" validate:"required"`
-		LicenseKey string              `json:"license_key" validate:"required"`
-		Database   MaxMindDatabaseType `json:"database" validate:"required,oneof=geolite geoip2"`
-
-		logger     zerolog.Logger
-		lastUpdate time.Time
-		db         struct {
-			*maxminddb.Reader
-			sync.RWMutex
-		}
-	}
-)
+const defaultNotifyInterval = 1 * time.Minute

 type config struct {
 	defaultAllow bool
 	allowLocal   bool
-	allow        []matcher
-	deny         []matcher
-	ipCache      *xsync.MapOf[string, *checkCache]
-	logAllowed   bool
-	logger       *accesslog.AccessLogger
+	ipCache      *xsync.Map[string, *checkCache]
+
+	// will be nil if Notify.To is empty
+	// these are per IP, reset every Notify.Interval
+	allowedCount map[string]uint32
+	blockedCount map[string]uint32
+
+	// these are total, never reset
+	totalAllowedCount uint64
+	totalBlockedCount uint64
+
+	logAllowed bool
+	// will be nil if Log is nil
+	logger accesslog.AccessLogger
+
+	// will never tick if Notify.To is empty
+	notifyTicker  *time.Ticker
+	notifyAllowed bool
+
+	// will be nil if both Log and Notify.To are empty
+	logNotifyCh chan ipLog
 }

 type checkCache struct {
-	*acl.IPInfo
+	*maxmind.IPInfo
 	allow   bool
 	created time.Time
 }

+type ipLog struct {
+	info    *maxmind.IPInfo
+	allowed bool
+}
+
+// could be nil
+var ActiveConfig atomic.Pointer[Config]
+
 const cacheTTL = 1 * time.Minute

 func (c *checkCache) Expired() bool {
-	return c.created.Add(cacheTTL).After(utils.TimeNow())
+	return c.created.Add(cacheTTL).Before(time.Now())
 }

-//TODO: add stats
+// TODO: add stats

 const (
 	ACLAllow = "allow"
 	ACLDeny  = "deny"
 )

-const (
-	MaxMindGeoLite MaxMindDatabaseType = "geolite"
-	MaxMindGeoIP2  MaxMindDatabaseType = "geoip2"
-)
-
 func (c *Config) Validate() gperr.Error {
 	switch c.Default {
 	case "", ACLAllow:
@@ -85,7 +98,8 @@ func (c *Config) Validate() gperr.Error {
 	case ACLDeny:
 		c.defaultAllow = false
 	default:
-		return gperr.New("invalid default value").Subject(c.Default)
+		c.valErr = gperr.New("invalid default value").Subject(c.Default)
+		return c.valErr
 	}

 	if c.AllowLocal != nil {
@@ -94,55 +108,34 @@ func (c *Config) Validate() gperr.Error {
 		c.allowLocal = true
 	}

-	if c.MaxMind != nil {
-		c.MaxMind.logger = logging.With().Str("type", string(c.MaxMind.Database)).Logger()
+	if c.Notify.Interval < 0 {
+		c.Notify.Interval = defaultNotifyInterval
 	}

 	if c.Log != nil {
 		c.logAllowed = c.Log.LogAllowed
 	}

-	errs := gperr.NewBuilder("syntax error")
-	c.allow = make([]matcher, 0, len(c.Allow))
-	c.deny = make([]matcher, 0, len(c.Deny))
-
-	for _, s := range c.Allow {
-		m, err := c.parseMatcher(s)
-		if err != nil {
-			errs.Add(err.Subject(s))
-			continue
-		}
-		c.allow = append(c.allow, m)
-	}
-	for _, s := range c.Deny {
-		m, err := c.parseMatcher(s)
-		if err != nil {
-			errs.Add(err.Subject(s))
-			continue
-		}
-		c.deny = append(c.deny, m)
+	if !c.allowLocal && !c.defaultAllow && len(c.Allow) == 0 {
+		c.valErr = gperr.New("allow_local is false and default is deny, but no allow rules are configured")
+		return c.valErr
 	}

-	if errs.HasError() {
-		c.allow = nil
-		c.deny = nil
-		return errMatcherFormat.With(errs.Error())
-	}
+	c.ipCache = xsync.NewMap[string, *checkCache]()

-	c.ipCache = xsync.NewMapOf[string, *checkCache]()
+	if c.Notify.IncludeAllowed != nil {
+		c.notifyAllowed = *c.Notify.IncludeAllowed
+	} else {
+		c.notifyAllowed = false
+	}
 	return nil
 }

 func (c *Config) Valid() bool {
-	return c != nil && (len(c.allow) > 0 || len(c.deny) > 0 || c.allowLocal)
+	return c != nil && c.valErr == nil
 }

-func (c *Config) Start(parent *task.Task) gperr.Error {
-	if c.MaxMind != nil {
-		if err := c.MaxMind.LoadMaxMindDB(parent); err != nil {
-			return err
-		}
-	}
+func (c *Config) Start(parent task.Parent) gperr.Error {
 	if c.Log != nil {
 		logger, err := accesslog.NewAccessLogger(parent, c.Log)
 		if err != nil {
@@ -150,23 +143,129 @@ func (c *Config) Start(parent *task.Task) gperr.Error {
 		}
 		c.logger = logger
 	}
+	if c.valErr != nil {
+		return c.valErr
+	}
+
+	if c.needLogOrNotify() {
+		c.logNotifyCh = make(chan ipLog, 100)
+	}
+
+	if c.needNotify() {
+		c.allowedCount = make(map[string]uint32)
+		c.blockedCount = make(map[string]uint32)
+		c.notifyTicker = time.NewTicker(c.Notify.Interval)
+	} else {
+		c.notifyTicker = time.NewTicker(time.Duration(math.MaxInt64)) // never tick
+	}
+
+	if c.needLogOrNotify() {
+		go c.logNotifyLoop(parent)
+	}
+
+	log.Info().
+		Str("default", c.Default).
+		Bool("allow_local", c.allowLocal).
+		Int("allow_rules", len(c.Allow)).
+		Int("deny_rules", len(c.Deny)).
+		Msg("ACL started")
 	return nil
 }

-func (c *config) cacheRecord(info *acl.IPInfo, allow bool) {
+func (c *Config) cacheRecord(info *maxmind.IPInfo, allow bool) {
+	if common.ForceResolveCountry && info.City == nil {
+		maxmind.LookupCity(info)
+	}
 	c.ipCache.Store(info.Str, &checkCache{
 		IPInfo:  info,
 		allow:   allow,
-		created: utils.TimeNow(),
+		created: time.Now(),
 	})
 }

-func (c *config) log(info *acl.IPInfo, allowed bool) {
-	if c.logger == nil {
-		return
+func (c *Config) needLogOrNotify() bool {
+	return c.needLog() || c.needNotify()
+}
+
+func (c *Config) needLog() bool {
+	return c.logger != nil
+}
+
+func (c *Config) needNotify() bool {
+	return len(c.Notify.To) > 0
+}
+
+func (c *Config) getCachedCity(ip string) string {
+	record, ok := c.ipCache.Load(ip)
+	if ok {
+		if record.City != nil {
+			if record.City.Country.IsoCode != "" {
+				return record.City.Country.IsoCode
+			}
+			return record.City.Location.TimeZone
+		}
 	}
-	if !allowed || c.logAllowed {
-		c.logger.LogACL(info, !allowed)
+	return "unknown location"
+}
+
+func (c *Config) logNotifyLoop(parent task.Parent) {
+	defer c.notifyTicker.Stop()
+
+	for {
+		select {
+		case <-parent.Context().Done():
+			return
+		case log := <-c.logNotifyCh:
+			if c.logger != nil {
+				if !log.allowed || c.logAllowed {
+					c.logger.LogACL(log.info, !log.allowed)
+				}
+			}
+			if c.needNotify() {
+				if log.allowed {
+					if c.notifyAllowed {
+						c.allowedCount[log.info.Str]++
+						c.totalAllowedCount++
+					}
+				} else {
+					c.blockedCount[log.info.Str]++
+					c.totalBlockedCount++
+				}
+			}
+		case <-c.notifyTicker.C: // will never tick when notify is disabled
+			total := len(c.allowedCount) + len(c.blockedCount)
+			if total == 0 {
+				continue
+			}
+			total++
+			fieldsBody := make(notif.ListBody, total)
+			i := 0
+			fieldsBody[i] = fmt.Sprintf("Total: allowed %d, blocked %d", c.totalAllowedCount, c.totalBlockedCount)
+			i++
+			for ip, count := range c.allowedCount {
+				fieldsBody[i] = fmt.Sprintf("%s (%s): allowed %d times", ip, c.getCachedCity(ip), count)
+				i++
+			}
+			for ip, count := range c.blockedCount {
+				fieldsBody[i] = fmt.Sprintf("%s (%s): blocked %d times", ip, c.getCachedCity(ip), count)
+				i++
+			}
+			notif.Notify(&notif.LogMessage{
+				Level: zerolog.InfoLevel,
+				Title: "ACL Summary for last " + strutils.FormatDuration(c.Notify.Interval),
+				Body:  fieldsBody,
+				To:    c.Notify.To,
+			})
+			clear(c.allowedCount)
+			clear(c.blockedCount)
+		}
+	}
+}
+
+// log and notify if needed
+func (c *Config) logAndNotify(info *maxmind.IPInfo, allowed bool) {
+	if c.logNotifyCh != nil {
+		c.logNotifyCh <- ipLog{info: info, allowed: allowed}
 	}
 }

@@ -175,41 +274,36 @@ func (c *Config) IPAllowed(ip net.IP) bool {
 		return false
 	}

-	// always allow private and loopback
-	// loopback is not logged
+	// always allow loopback, not logged
 	if ip.IsLoopback() {
 		return true
 	}

 	if c.allowLocal && ip.IsPrivate() {
-		c.log(&acl.IPInfo{IP: ip, Str: ip.String()}, true)
+		c.logAndNotify(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
 		return true
 	}

 	ipStr := ip.String()
 	record, ok := c.ipCache.Load(ipStr)
 	if ok && !record.Expired() {
-		c.log(record.IPInfo, record.allow)
+		c.logAndNotify(record.IPInfo, record.allow)
 		return record.allow
 	}

-	ipAndStr := &acl.IPInfo{IP: ip, Str: ipStr}
-	for _, m := range c.allow {
-		if m(ipAndStr) {
-			c.log(ipAndStr, true)
-			c.cacheRecord(ipAndStr, true)
-			return true
-		}
+	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
+	if c.Allow.Match(ipAndStr) {
+		c.logAndNotify(ipAndStr, true)
+		c.cacheRecord(ipAndStr, true)
+		return true
 	}
-	for _, m := range c.deny {
-		if m(ipAndStr) {
-			c.log(ipAndStr, false)
-			c.cacheRecord(ipAndStr, false)
-			return false
-		}
+	if c.Deny.Match(ipAndStr) {
+		c.logAndNotify(ipAndStr, false)
+		c.cacheRecord(ipAndStr, false)
+		return false
 	}

-	c.log(ipAndStr, c.defaultAllow)
+	c.logAndNotify(ipAndStr, c.defaultAllow)
 	c.cacheRecord(ipAndStr, c.defaultAllow)
 	return c.defaultAllow
 }
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@@ -4,11 +4,17 @@ import (
 	"net"
 	"strings"

-	acl "github.com/yusing/go-proxy/internal/acl/types"
-	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/godoxy/internal/maxmind"
+	gperr "github.com/yusing/goutils/errs"
 )

-type matcher func(*acl.IPInfo) bool
+type MatcherFunc func(*maxmind.IPInfo) bool
+
+type Matcher struct {
+	match MatcherFunc
+}
+
+type Matchers []Matcher

 const (
 	MatcherTypeIP       = "ip"
@@ -17,6 +23,9 @@ const (
 	MatcherTypeCountry  = "country"
 )

+// TODO: use this error in the future
+//
+//nolint:unused
 var errMatcherFormat = gperr.Multiline().AddLines(
 	"invalid matcher format, expect {type}:{value}",
 	"Available types: ip|cidr|tz|country",
@@ -25,62 +34,66 @@ var errMatcherFormat = gperr.Multiline().AddLines(
 	"tz:Asia/Shanghai",
 	"country:GB",
 )
+
 var (
-	errSyntax               = gperr.New("syntax error")
-	errInvalidIP            = gperr.New("invalid IP")
-	errInvalidCIDR          = gperr.New("invalid CIDR")
-	errMaxMindNotConfigured = gperr.New("MaxMind not configured")
+	errSyntax      = gperr.New("syntax error")
+	errInvalidIP   = gperr.New("invalid IP")
+	errInvalidCIDR = gperr.New("invalid CIDR")
 )

-func (cfg *Config) parseMatcher(s string) (matcher, gperr.Error) {
+func (matcher *Matcher) Parse(s string) error {
 	parts := strings.Split(s, ":")
 	if len(parts) != 2 {
-		return nil, errSyntax
+		return errSyntax
 	}

 	switch parts[0] {
 	case MatcherTypeIP:
 		ip := net.ParseIP(parts[1])
 		if ip == nil {
-			return nil, errInvalidIP
+			return errInvalidIP
 		}
-		return matchIP(ip), nil
+		matcher.match = matchIP(ip)
 	case MatcherTypeCIDR:
 		_, net, err := net.ParseCIDR(parts[1])
 		if err != nil {
-			return nil, errInvalidCIDR
+			return errInvalidCIDR
 		}
-		return matchCIDR(net), nil
+		matcher.match = matchCIDR(net)
 	case MatcherTypeTimeZone:
-		if cfg.MaxMind == nil {
-			return nil, errMaxMindNotConfigured
-		}
-		return cfg.MaxMind.matchTimeZone(parts[1]), nil
+		matcher.match = matchTimeZone(parts[1])
 	case MatcherTypeCountry:
-		if cfg.MaxMind == nil {
-			return nil, errMaxMindNotConfigured
-		}
-		return cfg.MaxMind.matchISOCode(parts[1]), nil
+		matcher.match = matchISOCode(parts[1])
 	default:
-		return nil, errSyntax
+		return errSyntax
 	}
+	return nil
 }

-func matchIP(ip net.IP) matcher {
-	return func(ip2 *acl.IPInfo) bool {
+func (matchers Matchers) Match(ip *maxmind.IPInfo) bool {
+	for _, m := range matchers {
+		if m.match(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func matchIP(ip net.IP) MatcherFunc {
+	return func(ip2 *maxmind.IPInfo) bool {
 		return ip.Equal(ip2.IP)
 	}
 }

-func matchCIDR(n *net.IPNet) matcher {
-	return func(ip *acl.IPInfo) bool {
+func matchCIDR(n *net.IPNet) MatcherFunc {
+	return func(ip *maxmind.IPInfo) bool {
 		return n.Contains(ip.IP)
 	}
 }

-func (cfg *MaxMindConfig) matchTimeZone(tz string) matcher {
-	return func(ip *acl.IPInfo) bool {
-		city, ok := cfg.lookupCity(ip)
+func matchTimeZone(tz string) MatcherFunc {
+	return func(ip *maxmind.IPInfo) bool {
+		city, ok := maxmind.LookupCity(ip)
 		if !ok {
 			return false
 		}
@@ -88,9 +101,9 @@ func (cfg *MaxMindConfig) matchTimeZone(tz string) matcher {
 	}
 }

-func (cfg *MaxMindConfig) matchISOCode(iso string) matcher {
-	return func(ip *acl.IPInfo) bool {
-		city, ok := cfg.lookupCity(ip)
+func matchISOCode(iso string) MatcherFunc {
+	return func(ip *maxmind.IPInfo) bool {
+		city, ok := maxmind.LookupCity(ip)
 		if !ok {
 			return false
 		}
--- a/internal/acl/matcher_test.go
+++ b/internal/acl/matcher_test.go
@@ -0,0 +1,49 @@
+package acl
+
+import (
+	"net"
+	"reflect"
+	"testing"
+
+	maxmind "github.com/yusing/godoxy/internal/maxmind/types"
+	"github.com/yusing/godoxy/internal/serialization"
+)
+
+func TestMatchers(t *testing.T) {
+	strMatchers := []string{
+		"ip:127.0.0.1",
+		"cidr:10.0.0.0/8",
+	}
+
+	var mathers Matchers
+	err := serialization.Convert(reflect.ValueOf(strMatchers), reflect.ValueOf(&mathers), false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []struct {
+		ip   string
+		want bool
+	}{
+		{"127.0.0.1", true},
+		{"10.0.0.1", true},
+		{"127.0.0.2", false},
+		{"192.168.0.1", false},
+		{"11.0.0.1", false},
+	}
+
+	for _, test := range tests {
+		ip := net.ParseIP(test.ip)
+		if ip == nil {
+			t.Fatalf("invalid ip: %s", test.ip)
+		}
+
+		got := mathers.Match(&maxmind.IPInfo{
+			IP:  ip,
+			Str: test.ip,
+		})
+		if got != test.want {
+			t.Errorf("mathers.Match(%s) = %v, want %v", test.ip, got, test.want)
+		}
+	}
+}
--- a/internal/acl/maxmind.go
+++ b/internal/acl/maxmind.go
@@ -1,281 +0,0 @@
-package acl
-
-import (
-	"archive/tar"
-	"compress/gzip"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"path/filepath"
-	"time"
-
-	"github.com/oschwald/maxminddb-golang"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/task"
-)
-
-var (
-	updateInterval = 24 * time.Hour
-	httpClient     = &http.Client{
-		Timeout: 10 * time.Second,
-	}
-	ErrResponseNotOK   = gperr.New("response not OK")
-	ErrDownloadFailure = gperr.New("download failure")
-)
-
-func dbPathImpl(dbType MaxMindDatabaseType) string {
-	if dbType == MaxMindGeoLite {
-		return filepath.Join(dataDir, "GeoLite2-City.mmdb")
-	}
-	return filepath.Join(dataDir, "GeoIP2-City.mmdb")
-}
-
-func dbURLimpl(dbType MaxMindDatabaseType) string {
-	if dbType == MaxMindGeoLite {
-		return "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
-	}
-	return "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"
-}
-
-func dbFilename(dbType MaxMindDatabaseType) string {
-	if dbType == MaxMindGeoLite {
-		return "GeoLite2-City.mmdb"
-	}
-	return "GeoIP2-City.mmdb"
-}
-
-func (cfg *MaxMindConfig) LoadMaxMindDB(parent task.Parent) gperr.Error {
-	if cfg.Database == "" {
-		return nil
-	}
-
-	path := dbPath(cfg.Database)
-	reader, err := maxmindDBOpen(path)
-	exists := true
-	if err != nil {
-		switch {
-		case errors.Is(err, os.ErrNotExist):
-		default:
-			// ignore invalid error, just download it again
-			var invalidErr maxminddb.InvalidDatabaseError
-			if !errors.As(err, &invalidErr) {
-				return gperr.Wrap(err)
-			}
-		}
-		exists = false
-	}
-
-	if !exists {
-		cfg.logger.Info().Msg("MaxMind DB not found/invalid, downloading...")
-		reader, err = cfg.download()
-		if err != nil {
-			return ErrDownloadFailure.With(err)
-		}
-	}
-	cfg.logger.Info().Msg("MaxMind DB loaded")
-
-	cfg.db.Reader = reader
-	go cfg.scheduleUpdate(parent)
-	return nil
-}
-
-func (cfg *MaxMindConfig) loadLastUpdate() {
-	f, err := os.Stat(dbPath(cfg.Database))
-	if err != nil {
-		return
-	}
-	cfg.lastUpdate = f.ModTime()
-}
-
-func (cfg *MaxMindConfig) setLastUpdate(t time.Time) {
-	cfg.lastUpdate = t
-	_ = os.Chtimes(dbPath(cfg.Database), t, t)
-}
-
-func (cfg *MaxMindConfig) scheduleUpdate(parent task.Parent) {
-	task := parent.Subtask("schedule_update", true)
-	ticker := time.NewTicker(updateInterval)
-
-	cfg.loadLastUpdate()
-	cfg.update()
-
-	defer func() {
-		ticker.Stop()
-		if cfg.db.Reader != nil {
-			cfg.db.Reader.Close()
-		}
-		task.Finish(nil)
-	}()
-
-	for {
-		select {
-		case <-task.Context().Done():
-			return
-		case <-ticker.C:
-			cfg.update()
-		}
-	}
-}
-
-func (cfg *MaxMindConfig) update() {
-	// check for update
-	cfg.logger.Info().Msg("checking for MaxMind DB update...")
-	remoteLastModified, err := cfg.checkLastest()
-	if err != nil {
-		cfg.logger.Err(err).Msg("failed to check MaxMind DB update")
-		return
-	}
-	if remoteLastModified.Equal(cfg.lastUpdate) {
-		cfg.logger.Info().Msg("MaxMind DB is up to date")
-		return
-	}
-
-	cfg.logger.Info().
-		Time("latest", remoteLastModified.Local()).
-		Time("current", cfg.lastUpdate).
-		Msg("MaxMind DB update available")
-	reader, err := cfg.download()
-	if err != nil {
-		cfg.logger.Err(err).Msg("failed to update MaxMind DB")
-		return
-	}
-	cfg.db.Lock()
-	cfg.db.Close()
-	cfg.db.Reader = reader
-	cfg.setLastUpdate(*remoteLastModified)
-	cfg.db.Unlock()
-
-	cfg.logger.Info().Msg("MaxMind DB updated")
-}
-
-func (cfg *MaxMindConfig) newReq(method string) (*http.Response, error) {
-	req, err := http.NewRequest(method, dbURL(cfg.Database), nil)
-	if err != nil {
-		return nil, err
-	}
-	req.SetBasicAuth(cfg.AccountID, cfg.LicenseKey)
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	return resp, nil
-}
-
-func (cfg *MaxMindConfig) checkLastest() (lastModifiedT *time.Time, err error) {
-	resp, err := newReq(cfg, http.MethodHead)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
-	}
-
-	lastModified := resp.Header.Get("Last-Modified")
-	if lastModified == "" {
-		cfg.logger.Warn().Msg("MaxMind responded no last modified time, update skipped")
-		return nil, nil
-	}
-
-	lastModifiedTime, err := time.Parse(http.TimeFormat, lastModified)
-	if err != nil {
-		cfg.logger.Warn().Err(err).Msg("MaxMind responded invalid last modified time, update skipped")
-		return nil, err
-	}
-
-	return &lastModifiedTime, nil
-}
-
-func (cfg *MaxMindConfig) download() (*maxminddb.Reader, error) {
-	resp, err := newReq(cfg, http.MethodGet)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
-	}
-
-	path := dbPath(cfg.Database)
-	tmpPath := path + "-tmp.tar.gz"
-	file, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY, 0o644)
-	if err != nil {
-		return nil, err
-	}
-
-	cfg.logger.Info().Msg("MaxMind DB downloading...")
-
-	_, err = io.Copy(file, resp.Body)
-	if err != nil {
-		file.Close()
-		return nil, err
-	}
-
-	file.Close()
-
-	// extract .tar.gz and move only the dbFilename to path
-	err = extractFileFromTarGz(tmpPath, dbFilename(cfg.Database), path)
-	if err != nil {
-		return nil, gperr.New("failed to extract database from archive").With(err)
-	}
-	// cleanup the tar.gz file
-	_ = os.Remove(tmpPath)
-
-	db, err := maxmindDBOpen(path)
-	if err != nil {
-		return nil, err
-	}
-	return db, nil
-}
-
-func extractFileFromTarGz(tarGzPath, targetFilename, destPath string) error {
-	f, err := os.Open(tarGzPath)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	gzr, err := gzip.NewReader(f)
-	if err != nil {
-		return err
-	}
-	defer gzr.Close()
-
-	tr := tar.NewReader(gzr)
-	for {
-		hdr, err := tr.Next()
-		if err == io.EOF {
-			break // End of archive
-		}
-		if err != nil {
-			return err
-		}
-		// Only extract the file that matches targetFilename (basename match)
-		if filepath.Base(hdr.Name) == targetFilename {
-			outFile, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode())
-			if err != nil {
-				return err
-			}
-			defer outFile.Close()
-			_, err = io.Copy(outFile, tr)
-			if err != nil {
-				return err
-			}
-			return nil // Done
-		}
-	}
-	return fmt.Errorf("file %s not found in archive", targetFilename)
-}
-
-var (
-	dataDir       = common.DataDir
-	dbURL         = dbURLimpl
-	dbPath        = dbPathImpl
-	maxmindDBOpen = maxminddb.Open
-	newReq        = (*MaxMindConfig).newReq
-)
--- a/internal/acl/maxmind_test.go
+++ b/internal/acl/maxmind_test.go
@@ -1,213 +0,0 @@
-package acl
-
-import (
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/oschwald/maxminddb-golang"
-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal/task"
-)
-
-func Test_dbPath(t *testing.T) {
-	tmpDataDir := "/tmp/testdata"
-	oldDataDir := dataDir
-	dataDir = tmpDataDir
-	defer func() { dataDir = oldDataDir }()
-
-	tests := []struct {
-		name   string
-		dbType MaxMindDatabaseType
-		want   string
-	}{
-		{"GeoLite", MaxMindGeoLite, filepath.Join(tmpDataDir, "GeoLite2-City.mmdb")},
-		{"GeoIP2", MaxMindGeoIP2, filepath.Join(tmpDataDir, "GeoIP2-City.mmdb")},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := dbPath(tt.dbType); got != tt.want {
-				t.Errorf("dbPath() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func Test_dbURL(t *testing.T) {
-	tests := []struct {
-		name   string
-		dbType MaxMindDatabaseType
-		want   string
-	}{
-		{"GeoLite", MaxMindGeoLite, "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"},
-		{"GeoIP2", MaxMindGeoIP2, "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := dbURL(tt.dbType); got != tt.want {
-				t.Errorf("dbURL() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-// --- Helper for MaxMindConfig ---
-type testLogger struct{ zerolog.Logger }
-
-func (testLogger) Info() *zerolog.Event       { return &zerolog.Event{} }
-func (testLogger) Warn() *zerolog.Event       { return &zerolog.Event{} }
-func (testLogger) Err(_ error) *zerolog.Event { return &zerolog.Event{} }
-
-func Test_MaxMindConfig_newReq(t *testing.T) {
-	cfg := &MaxMindConfig{
-		AccountID:  "testid",
-		LicenseKey: "testkey",
-		Database:   MaxMindGeoLite,
-		logger:     zerolog.Nop(),
-	}
-
-	// Patch httpClient to use httptest
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if u, p, ok := r.BasicAuth(); !ok || u != "testid" || p != "testkey" {
-			t.Errorf("basic auth not set correctly")
-		}
-		w.WriteHeader(http.StatusOK)
-	}))
-	defer server.Close()
-	oldURL := dbURL
-	dbURL = func(MaxMindDatabaseType) string { return server.URL }
-	defer func() { dbURL = oldURL }()
-
-	resp, err := cfg.newReq(http.MethodGet)
-	if err != nil {
-		t.Fatalf("newReq() error = %v", err)
-	}
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("unexpected status: %v", resp.StatusCode)
-	}
-}
-
-func Test_MaxMindConfig_checkUpdate(t *testing.T) {
-	cfg := &MaxMindConfig{
-		AccountID:  "id",
-		LicenseKey: "key",
-		Database:   MaxMindGeoLite,
-		logger:     zerolog.Nop(),
-	}
-	lastMod := time.Now().UTC().Format(http.TimeFormat)
-	buildTime := time.Now().Add(-time.Hour)
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Last-Modified", lastMod)
-		w.WriteHeader(http.StatusOK)
-	}))
-	defer server.Close()
-	oldURL := dbURL
-	dbURL = func(MaxMindDatabaseType) string { return server.URL }
-	defer func() { dbURL = oldURL }()
-
-	latest, err := cfg.checkLastest()
-	if err != nil {
-		t.Fatalf("checkUpdate() error = %v", err)
-	}
-	if latest.Equal(buildTime) {
-		t.Errorf("expected update needed")
-	}
-}
-
-type fakeReadCloser struct {
-	firstRead bool
-	closed    bool
-}
-
-func (c *fakeReadCloser) Read(p []byte) (int, error) {
-	if !c.firstRead {
-		c.firstRead = true
-		return strings.NewReader("FAKEMMDB").Read(p)
-	}
-	return 0, io.EOF
-}
-
-func (c *fakeReadCloser) Close() error {
-	c.closed = true
-	return nil
-}
-
-func Test_MaxMindConfig_download(t *testing.T) {
-	cfg := &MaxMindConfig{
-		AccountID:  "id",
-		LicenseKey: "key",
-		Database:   MaxMindGeoLite,
-		logger:     zerolog.Nop(),
-	}
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.Copy(w, strings.NewReader("FAKEMMDB"))
-	}))
-	defer server.Close()
-	oldURL := dbURL
-	dbURL = func(MaxMindDatabaseType) string { return server.URL }
-	defer func() { dbURL = oldURL }()
-
-	tmpDir := t.TempDir()
-	oldDataDir := dataDir
-	dataDir = tmpDir
-	defer func() { dataDir = oldDataDir }()
-
-	// Patch maxminddb.Open to always succeed
-	origOpen := maxmindDBOpen
-	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
-		return &maxminddb.Reader{}, nil
-	}
-	defer func() { maxmindDBOpen = origOpen }()
-
-	rw := &fakeReadCloser{}
-	oldNewReq := newReq
-	newReq = func(cfg *MaxMindConfig, method string) (*http.Response, error) {
-		return &http.Response{
-			StatusCode: http.StatusOK,
-			Body:       rw,
-		}, nil
-	}
-	defer func() { newReq = oldNewReq }()
-
-	db, err := cfg.download()
-	if err != nil {
-		t.Fatalf("download() error = %v", err)
-	}
-	if db == nil {
-		t.Error("expected db instance")
-	}
-	if !rw.closed {
-		t.Error("expected rw to be closed")
-	}
-}
-
-func Test_MaxMindConfig_loadMaxMindDB(t *testing.T) {
-	// This test should cover both the path where DB exists and where it does not
-	// For brevity, only the non-existing path is tested here
-	cfg := &MaxMindConfig{
-		AccountID:  "id",
-		LicenseKey: "key",
-		Database:   MaxMindGeoLite,
-		logger:     zerolog.Nop(),
-	}
-	oldOpen := maxmindDBOpen
-	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
-		return &maxminddb.Reader{}, nil
-	}
-	defer func() { maxmindDBOpen = oldOpen }()
-
-	oldDBPath := dbPath
-	dbPath = func(MaxMindDatabaseType) string { return filepath.Join(t.TempDir(), "maxmind.mmdb") }
-	defer func() { dbPath = oldDBPath }()
-
-	task := task.RootTask("test")
-	defer task.Finish(nil)
-	err := cfg.LoadMaxMindDB(task)
-	if err != nil {
-		t.Errorf("loadMaxMindDB() error = %v", err)
-	}
-}
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@@ -1,7 +1,10 @@
 package acl

 import (
+	"errors"
+	"io"
 	"net"
+	"time"
 )

 type TCPListener struct {
@@ -9,12 +12,23 @@ type TCPListener struct {
 	lis net.Listener
 }

-func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
-	if cfg == nil {
+type noConn struct{}
+
+func (noConn) Read(b []byte) (int, error)         { return 0, io.EOF }
+func (noConn) Write(b []byte) (int, error)        { return 0, io.EOF }
+func (noConn) Close() error                       { return nil }
+func (noConn) LocalAddr() net.Addr                { return nil }
+func (noConn) RemoteAddr() net.Addr               { return nil }
+func (noConn) SetDeadline(t time.Time) error      { return nil }
+func (noConn) SetReadDeadline(t time.Time) error  { return nil }
+func (noConn) SetWriteDeadline(t time.Time) error { return nil }
+
+func (c *Config) WrapTCP(lis net.Listener) net.Listener {
+	if c == nil {
 		return lis
 	}
 	return &TCPListener{
-		acl: cfg,
+		acl: c,
 		lis: lis,
 	}
 }
@@ -32,15 +46,30 @@ func (s *TCPListener) Accept() (net.Conn, error) {
 	if !ok {
 		// Not a TCPAddr, drop
 		c.Close()
-		return nil, nil
+		return noConn{}, nil
 	}
 	if !s.acl.IPAllowed(addr.IP) {
 		c.Close()
-		return nil, nil
+		return noConn{}, nil
 	}
 	return c, nil
 }

+type tcpListener interface {
+	SetDeadline(t time.Time) error
+}
+
+var _ tcpListener = (*net.TCPListener)(nil)
+
+func (s *TCPListener) SetDeadline(t time.Time) error {
+	switch lis := s.lis.(type) {
+	case tcpListener:
+		return lis.SetDeadline(t)
+	default:
+		return errors.New("not a TCPListener")
+	}
+}
+
 func (s *TCPListener) Close() error {
 	return s.lis.Close()
 }
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@@ -1,6 +1,7 @@
 package acl

 import (
+	"errors"
 	"net"
 	"time"
 )
@@ -10,12 +11,12 @@ type UDPListener struct {
 	lis net.PacketConn
 }

-func (cfg *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
-	if cfg == nil {
+func (c *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if c == nil {
 		return lis
 	}
 	return &UDPListener{
-		acl: cfg,
+		acl: c,
 		lis: lis,
 	}
 }
@@ -74,6 +75,31 @@ func (s *UDPListener) SetWriteDeadline(t time.Time) error {
 	return s.lis.SetWriteDeadline(t)
 }

+type udpListener interface {
+	SetReadBuffer(bytes int) error
+	SetWriteBuffer(bytes int) error
+}
+
+var _ udpListener = (*net.UDPConn)(nil)
+
+func (s *UDPListener) SetReadBuffer(bytes int) error {
+	switch lis := s.lis.(type) {
+	case udpListener:
+		return lis.SetReadBuffer(bytes)
+	default:
+		return errors.New("not a UDPConn")
+	}
+}
+
+func (s *UDPListener) SetWriteBuffer(bytes int) error {
+	switch lis := s.lis.(type) {
+	case udpListener:
+		return lis.SetWriteBuffer(bytes)
+	default:
+		return errors.New("not a UDPConn")
+	}
+}
+
 func (s *UDPListener) Close() error {
 	return s.lis.Close()
 }
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -1,104 +1,207 @@
 package api

 import (
-	"fmt"
 	"net/http"
+	"reflect"

-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/certapi"
-	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
-	"github.com/yusing/go-proxy/internal/api/v1/favicon"
-	"github.com/yusing/go-proxy/internal/auth"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/codec/json"
+	"github.com/gorilla/websocket"
+	"github.com/rs/zerolog/log"
+	apiV1 "github.com/yusing/godoxy/internal/api/v1"
+	agentApi "github.com/yusing/godoxy/internal/api/v1/agent"
+	authApi "github.com/yusing/godoxy/internal/api/v1/auth"
+	certApi "github.com/yusing/godoxy/internal/api/v1/cert"
+	dockerApi "github.com/yusing/godoxy/internal/api/v1/docker"
+	fileApi "github.com/yusing/godoxy/internal/api/v1/file"
+	homepageApi "github.com/yusing/godoxy/internal/api/v1/homepage"
+	metricsApi "github.com/yusing/godoxy/internal/api/v1/metrics"
+	routeApi "github.com/yusing/godoxy/internal/api/v1/route"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/common"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
 )

-type (
-	ServeMux struct {
-		*http.ServeMux
-		cfg config.ConfigInstance
+// @title           GoDoxy API
+// @version         1.0
+// @description     GoDoxy API
+// @termsOfService  https://github.com/yusing/godoxy/blob/main/LICENSE
+
+// @contact.name   Yusing
+// @contact.url    https://github.com/yusing/godoxy/issues
+
+// @license.name  MIT
+// @license.url   https://github.com/yusing/godoxy/blob/main/LICENSE
+
+// @BasePath  /api/v1
+
+// @externalDocs.description  GoDoxy Docs
+// @externalDocs.url          https://docs.godoxy.dev
+func NewHandler() *gin.Engine {
+	if !common.IsDebug {
+		gin.SetMode("release")
 	}
-	WithCfgHandler = func(config.ConfigInstance, http.ResponseWriter, *http.Request)
-)
+	r := gin.New()
+	r.Use(ErrorHandler())
+	r.Use(ErrorLoggingMiddleware())
+	r.Use(NoCache())

-func (mux ServeMux) HandleFunc(methods, endpoint string, h any, requireAuth ...bool) {
-	var handler http.HandlerFunc
-	switch h := h.(type) {
-	case func(http.ResponseWriter, *http.Request):
-		handler = h
-	case http.Handler:
-		handler = h.ServeHTTP
-	case WithCfgHandler:
-		handler = func(w http.ResponseWriter, r *http.Request) {
-			h(mux.cfg, w, r)
+	log.Debug().Msg("gin codec json.API: " + reflect.TypeOf(json.API).Name())
+
+	r.GET("/api/v1/version", apiV1.Version)
+
+	if auth.IsEnabled() {
+		v1Auth := r.Group("/api/v1/auth")
+		{
+			v1Auth.HEAD("/check", authApi.Check)
+			v1Auth.POST("/login", authApi.Login)
+			v1Auth.GET("/callback", authApi.Callback)
+			v1Auth.POST("/callback", authApi.Callback)
+			v1Auth.POST("/logout", authApi.Logout)
+			v1Auth.GET("/logout", authApi.Logout)
 		}
-	default:
-		panic(fmt.Errorf("unsupported handler type: %T", h))
 	}

-	matchDomains := mux.cfg.Value().MatchDomains
-	if len(matchDomains) > 0 {
-		origHandler := handler
-		handler = func(w http.ResponseWriter, r *http.Request) {
-			if httpheaders.IsWebsocket(r.Header) {
-				httpheaders.SetWebsocketAllowedDomains(r.Header, matchDomains)
+	v1 := r.Group("/api/v1")
+	if auth.IsEnabled() {
+		v1.Use(AuthMiddleware())
+	}
+	if common.APISkipOriginCheck {
+		v1.Use(SkipOriginCheckMiddleware())
+	}
+	{
+		// enable cache for favicon
+		v1.GET("/favicon", apiV1.FavIcon)
+		v1.GET("/health", apiV1.Health)
+		v1.GET("/icons", apiV1.Icons)
+		v1.POST("/reload", apiV1.Reload)
+		v1.GET("/stats", apiV1.Stats)
+
+		route := v1.Group("/route")
+		{
+			route.GET("/list", routeApi.Routes)
+			route.GET("/:which", routeApi.Route)
+			route.GET("/providers", routeApi.Providers)
+			route.GET("/by_provider", routeApi.ByProvider)
+			route.POST("/playground", routeApi.Playground)
+		}
+
+		file := v1.Group("/file")
+		{
+			file.GET("/list", fileApi.List)
+			file.GET("/content", fileApi.Get)
+			file.PUT("/content", fileApi.Set)
+			file.POST("/content", fileApi.Set)
+			file.POST("/validate", fileApi.Validate)
+		}
+
+		homepage := v1.Group("/homepage")
+		{
+			homepage.GET("/categories", homepageApi.Categories)
+			homepage.GET("/items", homepageApi.Items)
+			homepage.POST("/set/item", homepageApi.SetItem)
+			homepage.POST("/set/items_batch", homepageApi.SetItemsBatch)
+			homepage.POST("/set/item_visible", homepageApi.SetItemVisible)
+			homepage.POST("/set/item_favorite", homepageApi.SetItemFavorite)
+			homepage.POST("/set/item_sort_order", homepageApi.SetItemSortOrder)
+			homepage.POST("/set/item_all_sort_order", homepageApi.SetItemAllSortOrder)
+			homepage.POST("/set/item_fav_sort_order", homepageApi.SetItemFavSortOrder)
+			homepage.POST("/set/category_order", homepageApi.SetCategoryOrder)
+			homepage.POST("/item_click", homepageApi.ItemClick)
+		}
+
+		cert := v1.Group("/cert")
+		{
+			cert.GET("/info", certApi.Info)
+			cert.GET("/renew", certApi.Renew)
+		}
+
+		agent := v1.Group("/agent")
+		{
+			agent.GET("/list", agentApi.List)
+			agent.POST("/create", agentApi.Create)
+			agent.POST("/verify", agentApi.Verify)
+		}
+
+		metrics := v1.Group("/metrics")
+		{
+			metrics.GET("/system_info", metricsApi.SystemInfo)
+			metrics.GET("/all_system_info", metricsApi.AllSystemInfo)
+			metrics.GET("/uptime", metricsApi.Uptime)
+		}
+
+		docker := v1.Group("/docker")
+		{
+			docker.GET("/container/:id", dockerApi.GetContainer)
+			docker.GET("/containers", dockerApi.Containers)
+			docker.GET("/info", dockerApi.Info)
+			docker.GET("/logs/:id", dockerApi.Logs)
+			docker.POST("/start", dockerApi.Start)
+			docker.POST("/stop", dockerApi.Stop)
+			docker.POST("/restart", dockerApi.Restart)
+		}
+	}
+
+	return r
+}
+
+func NoCache() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// skip cache if Cache-Control header is set
+		if c.Writer.Header().Get("Cache-Control") == "" {
+			c.Header("Cache-Control", "no-cache, no-store, must-revalidate")
+			c.Header("Pragma", "no-cache")
+			c.Header("Expires", "0")
+		}
+		c.Next()
+	}
+}
+
+func AuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		err := auth.GetDefaultAuth().CheckToken(c.Request)
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, apitypes.Error("Unauthorized", err))
+			c.Abort()
+			return
+		}
+		c.Next()
+	}
+}
+
+func SkipOriginCheckMiddleware() gin.HandlerFunc {
+	upgrader := &websocket.Upgrader{
+		CheckOrigin: func(r *http.Request) bool {
+			return true
+		},
+	}
+	return func(c *gin.Context) {
+		c.Set("upgrader", upgrader)
+		c.Next()
+	}
+}
+
+func ErrorHandler() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Next()
+		if len(c.Errors) > 0 {
+			logger := log.With().Str("uri", c.Request.RequestURI).Logger()
+			for _, err := range c.Errors {
+				gperr.LogError("Internal error", err.Err, &logger)
+			}
+			if !c.IsWebsocket() {
+				c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
 			}
-			origHandler(w, r)
-		}
-	}
-
-	if len(requireAuth) > 0 && requireAuth[0] {
-		handler = auth.RequireAuth(handler)
-	}
-	if methods == "" {
-		mux.ServeMux.HandleFunc(endpoint, handler)
-	} else {
-		for _, m := range strutils.CommaSeperatedList(methods) {
-			mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
 		}
 	}
 }

-func NewHandler(cfg config.ConfigInstance) http.Handler {
-	mux := ServeMux{http.NewServeMux(), cfg}
-	mux.HandleFunc("GET", "/v1", v1.Index)
-	mux.HandleFunc("GET", "/v1/version", pkg.GetVersionHTTPHandler())
-
-	mux.HandleFunc("GET", "/v1/stats", v1.Stats, true)
-	mux.HandleFunc("POST", "/v1/reload", v1.Reload, true)
-	mux.HandleFunc("GET", "/v1/list", v1.List, true)
-	mux.HandleFunc("GET", "/v1/list/{what}", v1.List, true)
-	mux.HandleFunc("GET", "/v1/list/{what}/{which}", v1.List, true)
-	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", v1.GetFileContent, true)
-	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", v1.SetFileContent, true)
-	mux.HandleFunc("POST", "/v1/file/validate/{type}", v1.ValidateFile, true)
-	mux.HandleFunc("GET", "/v1/health", v1.Health, true)
-	mux.HandleFunc("GET", "/v1/logs", memlogger.Handler(), true)
-	mux.HandleFunc("GET", "/v1/favicon", favicon.GetFavIcon, true)
-	mux.HandleFunc("POST", "/v1/homepage/set", v1.SetHomePageOverrides, true)
-	mux.HandleFunc("GET", "/v1/agents", v1.ListAgents, true)
-	mux.HandleFunc("GET", "/v1/agents/new", v1.NewAgent, true)
-	mux.HandleFunc("POST", "/v1/agents/verify", v1.VerifyNewAgent, true)
-	mux.HandleFunc("GET", "/v1/metrics/system_info", v1.SystemInfo, true)
-	mux.HandleFunc("GET", "/v1/metrics/uptime", uptime.Poller.ServeHTTP, true)
-	mux.HandleFunc("GET", "/v1/cert/info", certapi.GetCertInfo, true)
-	mux.HandleFunc("", "/v1/cert/renew", certapi.RenewCert, true)
-	mux.HandleFunc("GET", "/v1/docker/info", dockerapi.DockerInfo, true)
-	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
-	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)
-
-	defaultAuth := auth.GetDefaultAuth()
-	if defaultAuth == nil {
-		return mux
-	}
-
-	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
-	mux.HandleFunc("GET,POST", "/v1/auth/redirect", defaultAuth.LoginHandler)
-	mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
-	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
-	return mux
+func ErrorLoggingMiddleware() gin.HandlerFunc {
+	return gin.CustomRecoveryWithWriter(nil, func(c *gin.Context, err any) {
+		log.Error().Any("error", err).Str("uri", c.Request.RequestURI).Msg("Internal error")
+		if !c.IsWebsocket() {
+			c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
+		}
+	})
 }
--- a/internal/api/v1/agent/common.go
+++ b/internal/api/v1/agent/common.go
@@ -0,0 +1,67 @@
+package agentapi
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"sync/atomic"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+)
+
+type PEMPairResponse struct {
+	Cert string `json:"cert" format:"base64"`
+	Key  string `json:"key" format:"base64"`
+} // @name PEMPairResponse
+
+var encryptionKey atomic.Value
+
+const rotateKeyInterval = 15 * time.Minute
+
+func init() {
+	if err := rotateKey(); err != nil {
+		log.Panic().Err(err).Msg("failed to generate encryption key")
+	}
+	go func() {
+		for range time.Tick(rotateKeyInterval) {
+			if err := rotateKey(); err != nil {
+				log.Error().Err(err).Msg("failed to rotate encryption key")
+			}
+		}
+	}()
+}
+
+func getEncryptionKey() []byte {
+	return encryptionKey.Load().([]byte)
+}
+
+func rotateKey() error {
+	// generate a random 32 bytes key
+	key := make([]byte, 32)
+	if _, err := rand.Read(key); err != nil {
+		return err
+	}
+	encryptionKey.Store(key)
+	return nil
+}
+
+func toPEMPairResponse(encPEMPair agent.PEMPair) PEMPairResponse {
+	return PEMPairResponse{
+		Cert: base64.StdEncoding.EncodeToString(encPEMPair.Cert),
+		Key:  base64.StdEncoding.EncodeToString(encPEMPair.Key),
+	}
+}
+
+func fromEncryptedPEMPairResponse(pemPair PEMPairResponse) (agent.PEMPair, error) {
+	encCert, err := base64.StdEncoding.DecodeString(pemPair.Cert)
+	if err != nil {
+		return agent.PEMPair{}, err
+	}
+	encKey, err := base64.StdEncoding.DecodeString(pemPair.Key)
+	if err != nil {
+		return agent.PEMPair{}, err
+	}
+	pair := agent.PEMPair{Cert: encCert, Key: encKey}
+	return pair.Decrypt(getEncryptionKey())
+}
--- a/internal/api/v1/agent/create.go
+++ b/internal/api/v1/agent/create.go
@@ -0,0 +1,107 @@
+package agentapi
+
+import (
+	"net"
+	"net/http"
+	"strconv"
+
+	_ "embed"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type NewAgentRequest struct {
+	Name             string                 `json:"name" binding:"required"`
+	Host             string                 `json:"host" binding:"required"`
+	Port             int                    `json:"port" binding:"required,min=1,max=65535"`
+	Type             string                 `json:"type" binding:"required,oneof=docker system"`
+	Nightly          bool                   `json:"nightly" binding:"omitempty"`
+	ContainerRuntime agent.ContainerRuntime `json:"container_runtime" binding:"omitempty,oneof=docker podman" default:"docker"`
+} // @name NewAgentRequest
+
+type NewAgentResponse struct {
+	Compose string          `json:"compose"`
+	CA      PEMPairResponse `json:"ca"`
+	Client  PEMPairResponse `json:"client"`
+} // @name NewAgentResponse
+
+// @x-id				"create"
+// @BasePath		/api/v1
+// @Summary		Create a new agent
+// @Description	Create a new agent and return the docker compose file, encrypted CA and client PEMs
+// @Description	The returned PEMs are encrypted with a random key and will be used for verification when adding a new agent
+// @Tags			agent
+// @Accept			json
+// @Produce		json
+// @Param			request	body		NewAgentRequest	true	"Request"
+// @Success		200		{object}	NewAgentResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		403		{object}	apitypes.ErrorResponse
+// @Failure		409		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/agent/create [post]
+func Create(c *gin.Context) {
+	var request NewAgentRequest
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	hostport := net.JoinHostPort(request.Host, strconv.Itoa(request.Port))
+	if _, ok := agent.GetAgent(hostport); ok {
+		c.JSON(http.StatusConflict, apitypes.Error("agent already exists"))
+		return
+	}
+
+	var image string
+	if request.Nightly {
+		image = agent.DockerImageNightly
+	} else {
+		image = agent.DockerImageProduction
+	}
+
+	ca, srv, client, err := agent.NewAgent()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create agent"))
+		return
+	}
+
+	var cfg agent.Generator = &agent.AgentEnvConfig{
+		Name:             request.Name,
+		Port:             request.Port,
+		CACert:           ca.String(),
+		SSLCert:          srv.String(),
+		ContainerRuntime: request.ContainerRuntime,
+	}
+	if request.Type == "docker" {
+		cfg = &agent.AgentComposeConfig{
+			Image:          image,
+			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
+		}
+	}
+	template, err := cfg.Generate()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to generate agent config"))
+		return
+	}
+
+	key := getEncryptionKey()
+	encCA, err := ca.Encrypt(key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to encrypt CA PEMs"))
+		return
+	}
+	encClient, err := client.Encrypt(key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to encrypt client PEMs"))
+		return
+	}
+
+	c.JSON(http.StatusOK, NewAgentResponse{
+		Compose: template,
+		CA:      toPEMPairResponse(encCA),
+		Client:  toPEMPairResponse(encClient),
+	})
+}
--- a/internal/api/v1/agent/list.go
+++ b/internal/api/v1/agent/list.go
@@ -0,0 +1,33 @@
+package agentapi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+
+	_ "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"list"
+// @BasePath		/api/v1
+// @Summary		List agents
+// @Description	List agents
+// @Tags			agent,websocket
+// @Accept			json
+// @Produce		json
+// @Success		200	{array}		Agent
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Router			/agent/list [get]
+func List(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 10*time.Second, func() (any, error) {
+			return agent.ListAgents(), nil
+		})
+	} else {
+		c.JSON(http.StatusOK, agent.ListAgents())
+	}
+}
--- a/internal/api/v1/agent/verify.go
+++ b/internal/api/v1/agent/verify.go
@@ -0,0 +1,114 @@
+package agentapi
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+	config "github.com/yusing/godoxy/internal/config/types"
+	"github.com/yusing/godoxy/internal/route/provider"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
+)
+
+type VerifyNewAgentRequest struct {
+	Host             string                 `json:"host"`
+	CA               PEMPairResponse        `json:"ca"`
+	Client           PEMPairResponse        `json:"client"`
+	ContainerRuntime agent.ContainerRuntime `json:"container_runtime"`
+} // @name VerifyNewAgentRequest
+
+// @x-id          "verify"
+// @BasePath		/api/v1
+// @Summary		Verify a new agent
+// @Description	Verify a new agent and return the number of routes added
+// @Tags			agent
+// @Accept			json
+// @Produce		json
+// @Param			request	body		VerifyNewAgentRequest	true	"Request"
+// @Success		200		{object}	SuccessResponse
+// @Failure		400		{object}	ErrorResponse
+// @Failure		403		{object}	ErrorResponse
+// @Failure		500		{object}	ErrorResponse
+// @Router			/agent/verify [post]
+func Verify(c *gin.Context) {
+	var request VerifyNewAgentRequest
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	filename, ok := certs.AgentCertsFilepath(request.Host)
+	if !ok {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid host", nil))
+		return
+	}
+
+	ca, err := fromEncryptedPEMPairResponse(request.CA)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid CA", err))
+		return
+	}
+
+	client, err := fromEncryptedPEMPairResponse(request.Client)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid client", err))
+		return
+	}
+
+	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	zip, err := certs.ZipCert(ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to zip certs"))
+		return
+	}
+
+	if err := os.WriteFile(filename, zip, 0o600); err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to write certs"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
+}
+
+func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+	cfgState := config.ActiveState.Load()
+	for _, a := range cfgState.Value().Providers.Agents {
+		if a.Addr == host {
+			return 0, gperr.New("agent already exists")
+		}
+	}
+
+	var agentCfg agent.AgentConfig
+	agentCfg.Addr = host
+	agentCfg.Runtime = containerRuntime
+
+	err := agentCfg.StartWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to start agent")
+	}
+
+	provider := provider.NewAgentProvider(&agentCfg)
+	if _, loaded := cfgState.LoadOrStoreProvider(provider.String(), provider); loaded {
+		return 0, gperr.Errorf("provider %s already exists", provider.String())
+	}
+
+	// agent must be added before loading routes
+	agent.AddAgent(&agentCfg)
+	err = provider.LoadRoutes()
+	if err != nil {
+		cfgState.DeleteProvider(provider.String())
+		agent.RemoveAgent(&agentCfg)
+		return 0, gperr.Wrap(err, "failed to load routes")
+	}
+
+	return provider.NumRoutes(), nil
+}
--- a/internal/api/v1/agents.go
+++ b/internal/api/v1/agents.go
@@ -1,24 +0,0 @@
-package v1
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-)
-
-func ListAgents(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 10*time.Second, func(conn *websocket.Conn) error {
-			wsjson.Write(r.Context(), conn, cfg.ListAgents())
-			return nil
-		})
-	} else {
-		gphttp.RespondJSON(w, r, cfg.ListAgents())
-	}
-}
--- a/internal/api/v1/auth/callback.go
+++ b/internal/api/v1/auth/callback.go
@@ -0,0 +1,24 @@
+//nolint:dupword
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id				"callback"
+// @Base			/api/v1
+// @Summary		Auth Callback
+// @Description	Handles the callback from the provider after successful authentication
+// @Tags			auth
+// @Produce		plain
+// @Param		  body	body	auth.UserPassAuthCallbackRequest	true	"Userpass only"
+// @Success		200	{string}	string	"Userpass: OK"
+// @Success		302	{string}	string	"OIDC: Redirects to home page"
+// @Failure		400	{string}	string	"OIDC: invalid request (missing state cookie or oauth state)"
+// @Failure		400	{string}	string	"Userpass: invalid request / credentials"
+// @Failure		500	{string}	string	"Internal server error"
+// @Router			/auth/callback [post]
+func Callback(c *gin.Context) {
+	auth.GetDefaultAuth().PostAuthCallbackHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/check.go
+++ b/internal/api/v1/auth/check.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id	  	"check"
+// @Base			/api/v1
+// @Summary		Check authentication status
+// @Description	Checks if the user is authenticated by validating their token
+// @Tags			auth
+// @Produce		plain
+// @Success		200	{string}	string	"OK"
+// @Failure		302	{string}	string	"Redirects to login page or IdP"
+// @Router			/auth/check [head]
+func Check(c *gin.Context) {
+	auth.AuthCheckHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/login.go
+++ b/internal/api/v1/auth/login.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id       "login"
+// @Base       /api/v1
+// @Summary    Login
+// @Description Initiates the login process by redirecting the user to the provider's login page
+// @Tags       auth
+// @Produce    plain
+// @Success    302 {string} string "Redirects to login page or IdP"
+// @Failure    429 {string} string "Too Many Requests"
+// @Router     /auth/login [post]
+func Login(c *gin.Context) {
+	auth.GetDefaultAuth().LoginHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/logout.go
+++ b/internal/api/v1/auth/logout.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id				"logout"
+// @Base			/api/v1
+// @Summary		Logout
+// @Description	Logs out the user by invalidating the token
+// @Tags			auth
+// @Produce		plain
+// @Success		302	{string} string	"Redirects to home page"
+// @Router			/auth/logout [post]
+// @Router			/auth/logout [get]
+func Logout(c *gin.Context) {
+	auth.GetDefaultAuth().LogoutHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/cert/info.go
+++ b/internal/api/v1/cert/info.go
@@ -0,0 +1,53 @@
+package certapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/autocert"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type CertInfo struct {
+	Subject        string   `json:"subject"`
+	Issuer         string   `json:"issuer"`
+	NotBefore      int64    `json:"not_before"`
+	NotAfter       int64    `json:"not_after"`
+	DNSNames       []string `json:"dns_names"`
+	EmailAddresses []string `json:"email_addresses"`
+} // @name CertInfo
+
+// @x-id				"info"
+// @BasePath		/api/v1
+// @Summary		Get cert info
+// @Description	Get cert info
+// @Tags			cert
+// @Produce		json
+// @Success		200	{object}	CertInfo
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/cert/info [get]
+func Info(c *gin.Context) {
+	autocert := autocert.ActiveProvider.Load()
+	if autocert == nil {
+		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
+		return
+	}
+
+	cert, err := autocert.GetCert(nil)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get cert info"))
+		return
+	}
+
+	certInfo := CertInfo{
+		Subject:        cert.Leaf.Subject.CommonName,
+		Issuer:         cert.Leaf.Issuer.CommonName,
+		NotBefore:      cert.Leaf.NotBefore.Unix(),
+		NotAfter:       cert.Leaf.NotAfter.Unix(),
+		DNSNames:       cert.Leaf.DNSNames,
+		EmailAddresses: cert.Leaf.EmailAddresses,
+	}
+	c.JSON(http.StatusOK, certInfo)
+}
--- a/internal/api/v1/cert/renew.go
+++ b/internal/api/v1/cert/renew.go
@@ -0,0 +1,72 @@
+package certapi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/autocert"
+	"github.com/yusing/godoxy/internal/logging/memlogger"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+// @x-id				"renew"
+// @BasePath		/api/v1
+// @Summary		Renew cert
+// @Description	Renew cert
+// @Tags			cert,websocket
+// @Produce		plain
+// @Success		200	{object}	apitypes.SuccessResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/cert/renew [get]
+func Renew(c *gin.Context) {
+	autocert := autocert.ActiveProvider.Load()
+	if autocert == nil {
+		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
+		return
+	}
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+		return
+	}
+	defer manager.Close()
+
+	logs, cancel := memlogger.Events()
+	defer cancel()
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+
+		err = autocert.ObtainCert()
+		if err != nil {
+			gperr.LogError("failed to obtain cert", err)
+			_ = manager.WriteData(websocket.TextMessage, []byte(err.Error()), 10*time.Second)
+		} else {
+			log.Info().Msg("cert obtained successfully")
+		}
+	}()
+
+	for {
+		select {
+		case l := <-logs:
+			if err != nil {
+				return
+			}
+
+			err = manager.WriteData(websocket.TextMessage, l, 10*time.Second)
+			if err != nil {
+				return
+			}
+		case <-done:
+			return
+		}
+	}
+}
--- a/internal/api/v1/certapi/cert_info.go
+++ b/internal/api/v1/certapi/cert_info.go
@@ -1,41 +0,0 @@
-package certapi
-
-import (
-	"encoding/json"
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-)
-
-type CertInfo struct {
-	Subject        string   `json:"subject"`
-	Issuer         string   `json:"issuer"`
-	NotBefore      int64    `json:"not_before"`
-	NotAfter       int64    `json:"not_after"`
-	DNSNames       []string `json:"dns_names"`
-	EmailAddresses []string `json:"email_addresses"`
-}
-
-func GetCertInfo(w http.ResponseWriter, r *http.Request) {
-	autocert := config.GetInstance().AutoCertProvider()
-	if autocert == nil {
-		http.Error(w, "autocert is not enabled", http.StatusNotFound)
-		return
-	}
-
-	cert, err := autocert.GetCert(nil)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	certInfo := CertInfo{
-		Subject:        cert.Leaf.Subject.CommonName,
-		Issuer:         cert.Leaf.Issuer.CommonName,
-		NotBefore:      cert.Leaf.NotBefore.Unix(),
-		NotAfter:       cert.Leaf.NotAfter.Unix(),
-		DNSNames:       cert.Leaf.DNSNames,
-		EmailAddresses: cert.Leaf.EmailAddresses,
-	}
-	json.NewEncoder(w).Encode(&certInfo)
-}
--- a/internal/api/v1/certapi/renew.go
+++ b/internal/api/v1/certapi/renew.go
@@ -1,56 +0,0 @@
-package certapi
-
-import (
-	"net/http"
-
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-)
-
-func RenewCert(w http.ResponseWriter, r *http.Request) {
-	autocert := config.GetInstance().AutoCertProvider()
-	if autocert == nil {
-		http.Error(w, "autocert is not enabled", http.StatusNotFound)
-		return
-	}
-
-	conn, err := gpwebsocket.Initiate(w, r)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	//nolint:errcheck
-	defer conn.CloseNow()
-
-	logs, cancel := memlogger.Events()
-	defer cancel()
-
-	done := make(chan struct{})
-
-	go func() {
-		defer close(done)
-		err = autocert.ObtainCert()
-		if err != nil {
-			gperr.LogError("failed to obtain cert", err)
-			gpwebsocket.WriteText(r, conn, err.Error())
-		} else {
-			logging.Info().Msg("cert obtained successfully")
-		}
-	}()
-	for {
-		select {
-		case l := <-logs:
-			if err != nil {
-				return
-			}
-			if !gpwebsocket.WriteText(r, conn, string(l)) {
-				return
-			}
-		case <-done:
-			return
-		}
-	}
-}
--- a/internal/api/v1/config_file.go
+++ b/internal/api/v1/config_file.go
@@ -1,132 +0,0 @@
-package v1
-
-import (
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/provider"
-)
-
-type FileType string
-
-const (
-	FileTypeConfig     FileType = "config"
-	FileTypeProvider   FileType = "provider"
-	FileTypeMiddleware FileType = "middleware"
-)
-
-func fileType(file string) FileType {
-	switch {
-	case strings.HasPrefix(path.Base(file), "config."):
-		return FileTypeConfig
-	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
-		return FileTypeMiddleware
-	}
-	return FileTypeProvider
-}
-
-func (t FileType) IsValid() bool {
-	switch t {
-	case FileTypeConfig, FileTypeProvider, FileTypeMiddleware:
-		return true
-	}
-	return false
-}
-
-func (t FileType) GetPath(filename string) string {
-	if t == FileTypeMiddleware {
-		return path.Join(common.MiddlewareComposeBasePath, filename)
-	}
-	return path.Join(common.ConfigBasePath, filename)
-}
-
-func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
-	fileType = FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		err = gphttp.ErrInvalidKey("type")
-		return
-	}
-	filename = r.PathValue("filename")
-	if filename == "" {
-		err = gphttp.ErrMissingKey("filename")
-	}
-	return
-}
-
-func GetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	content, err := os.ReadFile(fileType.GetPath(filename))
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	gphttp.WriteBody(w, content)
-}
-
-func validateFile(fileType FileType, content []byte) gperr.Error {
-	switch fileType {
-	case FileTypeConfig:
-		return config.Validate(content)
-	case FileTypeMiddleware:
-		errs := gperr.NewBuilder("middleware errors")
-		middleware.BuildMiddlewaresFromYAML("", content, errs)
-		return errs.Error()
-	}
-	return provider.Validate(content)
-}
-
-func ValidateFile(w http.ResponseWriter, r *http.Request) {
-	fileType := FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		gphttp.BadRequest(w, "invalid file type")
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	r.Body.Close()
-	if valErr := validateFile(fileType, content); valErr != nil {
-		gphttp.JSONError(w, valErr, http.StatusBadRequest)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
-
-func SetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-
-	if valErr := validateFile(fileType, content); valErr != nil {
-		gphttp.JSONError(w, valErr, http.StatusBadRequest)
-		return
-	}
-
-	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
-	if err != nil {
-		gphttp.ServerError(w, r, err)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
--- a/internal/api/v1/docker/container.go
+++ b/internal/api/v1/docker/container.go
@@ -0,0 +1,64 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"container"
+// @BasePath		/api/v1
+// @Summary		Get container
+// @Description	Get container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			id	path		string	true	"Container ID"
+// @Success		200	{object}		Container
+// @Failure		400	{object}	apitypes.ErrorResponse "ID is required"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/container/{id} [get]
+func GetContainer(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("id is required"))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(id)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	dockerClient, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer dockerClient.Close()
+
+	cont, err := dockerClient.ContainerInspect(c.Request.Context(), id, client.ContainerInspectOptions{})
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to inspect container"))
+		return
+	}
+
+	var state ContainerState
+	if cont.Container.State != nil {
+		state = cont.Container.State.Status
+	}
+
+	c.JSON(http.StatusOK, &Container{
+		Server: dockerCfg.URL,
+		Name:   cont.Container.Name,
+		ID:     cont.Container.ID,
+		Image:  cont.Container.Image,
+		State:  state,
+	})
+}
--- a/internal/api/v1/docker/containers.go
+++ b/internal/api/v1/docker/containers.go
@@ -0,0 +1,69 @@
+package dockerapi
+
+import (
+	"context"
+	"sort"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
+	gperr "github.com/yusing/goutils/errs"
+
+	_ "github.com/yusing/goutils/apitypes"
+)
+
+type ContainerState = container.ContainerState // @name ContainerState
+
+type Container struct {
+	Server string         `json:"server"`
+	Name   string         `json:"name"`
+	ID     string         `json:"id"`
+	Image  string         `json:"image"`
+	State  ContainerState `json:"state,omitempty" extensions:"x-nullable"`
+} // @name ContainerResponse
+
+// @x-id				"containers"
+// @BasePath		/api/v1
+// @Summary		Get containers
+// @Description	Get containers
+// @Tags			docker
+// @Produce		json
+// @Success		200	{array}		Container
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/containers [get]
+func Containers(c *gin.Context) {
+	serveHTTP[Container](c, GetContainers)
+}
+
+func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get containers")
+	containers := make([]Container, 0)
+	for server, dockerClient := range dockerClients {
+		conts, err := dockerClient.ContainerList(ctx, client.ContainerListOptions{All: true})
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		for _, cont := range conts.Items {
+			containers = append(containers, Container{
+				Server: server,
+				Name:   cont.Names[0],
+				ID:     cont.ID,
+				Image:  cont.Image,
+				State:  cont.State,
+			})
+		}
+	}
+	sort.Slice(containers, func(i, j int) bool {
+		return containers[i].Name < containers[j].Name
+	})
+	if err := errs.Error(); err != nil {
+		gperr.LogError("failed to get containers", err)
+		if len(containers) == 0 {
+			return nil, err
+		}
+		return containers, nil
+	}
+	return containers, nil
+}
--- a/internal/api/v1/docker/info.go
+++ b/internal/api/v1/docker/info.go
@@ -0,0 +1,82 @@
+package dockerapi
+
+import (
+	"context"
+	"sort"
+
+	"github.com/gin-gonic/gin"
+	dockerSystem "github.com/moby/moby/api/types/system"
+	"github.com/moby/moby/client"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
+
+	_ "github.com/yusing/goutils/apitypes"
+)
+
+type containerStats struct {
+	Total   int `json:"total"`
+	Running int `json:"running"`
+	Paused  int `json:"paused"`
+	Stopped int `json:"stopped"`
+} // @name ContainerStats
+
+type dockerInfo struct {
+	Name          string         `json:"name"`
+	ServerVersion string         `json:"version"`
+	Containers    containerStats `json:"containers"`
+	Images        int            `json:"images"`
+	NCPU          int            `json:"n_cpu"`
+	MemTotal      string         `json:"memory"`
+} // @name ServerInfo
+
+func toDockerInfo(info dockerSystem.Info) dockerInfo {
+	return dockerInfo{
+		Name:          info.Name,
+		ServerVersion: info.ServerVersion,
+		Containers: containerStats{
+			Total:   info.ContainersRunning,
+			Running: info.ContainersRunning,
+			Paused:  info.ContainersPaused,
+			Stopped: info.ContainersStopped,
+		},
+		Images:   info.Images,
+		NCPU:     info.NCPU,
+		MemTotal: strutils.FormatByteSize(info.MemTotal),
+	}
+}
+
+// @x-id				"info"
+// @BasePath		/api/v1
+// @Summary		Get docker info
+// @Description	Get docker info
+// @Tags			docker
+// @Produce		json
+// @Success		200	{object}		dockerInfo
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/info [get]
+func Info(c *gin.Context) {
+	serveHTTP[dockerInfo](c, GetDockerInfo)
+}
+
+func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get docker info")
+	dockerInfos := make([]dockerInfo, len(dockerClients))
+
+	i := 0
+	for name, dockerClient := range dockerClients {
+		info, err := dockerClient.Info(ctx, client.InfoOptions{})
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		info.Info.Name = name
+		dockerInfos[i] = toDockerInfo(info.Info)
+		i++
+	}
+
+	sort.Slice(dockerInfos, func(i, j int) bool {
+		return dockerInfos[i].Name < dockerInfos[j].Name
+	})
+	return dockerInfos, errs.Error()
+}
--- a/internal/api/v1/docker/logs.go
+++ b/internal/api/v1/docker/logs.go
@@ -0,0 +1,112 @@
+package dockerapi
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/client"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/websocket"
+	"github.com/yusing/goutils/task"
+)
+
+type LogsQueryParams struct {
+	Stdout bool   `form:"stdout,default=true"`
+	Stderr bool   `form:"stderr,default=true"`
+	Since  string `form:"from"`
+	Until  string `form:"to"`
+	Levels string `form:"levels"`
+} //	@name	LogsQueryParams
+
+// @x-id				"logs"
+// @BasePath		/api/v1
+// @Summary		Get docker container logs
+// @Description	Get docker container logs by container id
+// @Tags			docker,websocket
+// @Accept			json
+// @Produce		json
+// @Param			id	path	string	true	"container id"
+// @Param			stdout		query	bool	false	"show stdout"
+// @Param			stderr		query	bool	false	"show stderr"
+// @Param			from		query	string	false	"from timestamp"
+// @Param			to			query	string	false	"to timestamp"
+// @Param			levels		query	string	false	"levels"
+// @Success		200
+// @Failure		400	{object}	apitypes.ErrorResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "server not found or container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/logs/{id} [get]
+func Logs(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("container id is required"))
+		return
+	}
+
+	var queryParams LogsQueryParams
+	if err := c.ShouldBindQuery(&queryParams); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid query params"))
+		return
+	}
+
+	// TODO: implement levels
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(id)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error(fmt.Sprintf("container %s not found", id)))
+		return
+	}
+
+	dockerClient, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get docker client"))
+		return
+	}
+	defer dockerClient.Close()
+
+	opts := client.ContainerLogsOptions{
+		ShowStdout: queryParams.Stdout,
+		ShowStderr: queryParams.Stderr,
+		Since:      queryParams.Since,
+		Until:      queryParams.Until,
+		Timestamps: true,
+		Follow:     true,
+		Tail:       "100",
+	}
+	if queryParams.Levels != "" {
+		opts.Details = true
+	}
+
+	logs, err := dockerClient.ContainerLogs(c.Request.Context(), id, opts)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get container logs"))
+		return
+	}
+	defer logs.Close()
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+
+	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
+	if err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, task.ErrProgramExiting) {
+			return
+		}
+		log.Err(err).
+			Str("server", dockerCfg.URL).
+			Str("container", id).
+			Msg("failed to de-multiplex logs")
+	}
+}
--- a/internal/api/v1/docker/restart.go
+++ b/internal/api/v1/docker/restart.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type RestartRequest struct {
+	ID string `json:"id" binding:"required"`
+	client.ContainerRestartOptions
+}
+
+// @x-id				"restart"
+// @BasePath		/api/v1
+// @Summary		Restart container
+// @Description	Restart container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body	RestartRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/restart [post]
+func Restart(c *gin.Context) {
+	var req RestartRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	_, err = client.ContainerRestart(c.Request.Context(), req.ID, req.ContainerRestartOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to restart container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container restarted"))
+}
--- a/internal/api/v1/docker/start.go
+++ b/internal/api/v1/docker/start.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type StartRequest struct {
+	ID string `json:"id" binding:"required"`
+	client.ContainerStartOptions
+}
+
+// @x-id				"start"
+// @BasePath		/api/v1
+// @Summary		Start container
+// @Description	Start container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StartRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/start [post]
+func Start(c *gin.Context) {
+	var req StartRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	_, err = client.ContainerStart(c.Request.Context(), req.ID, req.ContainerStartOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to start container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container started"))
+}
--- a/internal/api/v1/docker/stop.go
+++ b/internal/api/v1/docker/stop.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type StopRequest struct {
+	ID string `json:"id" binding:"required"`
+	client.ContainerStopOptions
+}
+
+// @x-id				"stop"
+// @BasePath		/api/v1
+// @Summary		Stop container
+// @Description	Stop container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StopRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/stop [post]
+func Stop(c *gin.Context) {
+	var req StopRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	_, err = client.ContainerStop(c.Request.Context(), req.ID, req.ContainerStopOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to stop container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container stopped"))
+}
--- a/internal/api/v1/docker/utils.go
+++ b/internal/api/v1/docker/utils.go
@@ -0,0 +1,54 @@
+package dockerapi
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+type (
+	DockerClients     map[string]*docker.SharedClient
+	ResultType[T any] interface {
+		map[string]T | []T
+	}
+)
+
+// closeAllClients closes all docker clients after a delay.
+//
+// This is used to ensure that all docker clients are closed after the http handler returns.
+func closeAllClients(dockerClients DockerClients) {
+	for _, dockerClient := range dockerClients {
+		dockerClient.Close()
+	}
+}
+
+func handleResult[V any, T ResultType[V]](c *gin.Context, errs error, result T) {
+	if errs != nil {
+		if len(result) == 0 {
+			c.Error(apitypes.InternalServerError(errs, "docker errors"))
+			return
+		}
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
+	dockerClients := docker.Clients()
+	defer closeAllClients(dockerClients)
+
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
+			return getResult(c.Request.Context(), dockerClients)
+		})
+	} else {
+		result, err := getResult(c.Request.Context(), dockerClients)
+		handleResult[V](c, err, result)
+	}
+}
--- a/internal/api/v1/dockerapi/common.go
+++ b/internal/api/v1/dockerapi/common.go
@@ -1,5 +0,0 @@
-package dockerapi
-
-import "time"
-
-const reqTimeout = 10 * time.Second
--- a/internal/api/v1/dockerapi/containers.go
+++ b/internal/api/v1/dockerapi/containers.go
@@ -1,54 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"net/http"
-	"sort"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/yusing/go-proxy/internal/gperr"
-)
-
-type Container struct {
-	Server string `json:"server"`
-	Name   string `json:"name"`
-	ID     string `json:"id"`
-	Image  string `json:"image"`
-	State  string `json:"state"`
-}
-
-func Containers(w http.ResponseWriter, r *http.Request) {
-	serveHTTP[Container, []Container](w, r, GetContainers)
-}
-
-func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
-	errs := gperr.NewBuilder("failed to get containers")
-	containers := make([]Container, 0)
-	for server, dockerClient := range dockerClients {
-		conts, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
-		if err != nil {
-			errs.Add(err)
-			continue
-		}
-		for _, cont := range conts {
-			containers = append(containers, Container{
-				Server: server,
-				Name:   cont.Names[0],
-				ID:     cont.ID,
-				Image:  cont.Image,
-				State:  cont.State,
-			})
-		}
-	}
-	sort.Slice(containers, func(i, j int) bool {
-		return containers[i].Name < containers[j].Name
-	})
-	if err := errs.Error(); err != nil {
-		gperr.LogError("failed to get containers", err)
-		if len(containers) == 0 {
-			return nil, err
-		}
-		return containers, nil
-	}
-	return containers, nil
-}
--- a/internal/api/v1/dockerapi/info.go
+++ b/internal/api/v1/dockerapi/info.go
@@ -1,56 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"sort"
-
-	dockerSystem "github.com/docker/docker/api/types/system"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-type dockerInfo dockerSystem.Info
-
-func (d *dockerInfo) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]any{
-		"name":    d.Name,
-		"version": d.ServerVersion,
-		"containers": map[string]int{
-			"total":   d.Containers,
-			"running": d.ContainersRunning,
-			"paused":  d.ContainersPaused,
-			"stopped": d.ContainersStopped,
-		},
-		"images": d.Images,
-		"n_cpu":  d.NCPU,
-		"memory": strutils.FormatByteSize(d.MemTotal),
-	})
-}
-
-func DockerInfo(w http.ResponseWriter, r *http.Request) {
-	serveHTTP[dockerInfo](w, r, GetDockerInfo)
-}
-
-func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
-	errs := gperr.NewBuilder("failed to get docker info")
-	dockerInfos := make([]dockerInfo, len(dockerClients))
-
-	i := 0
-	for name, dockerClient := range dockerClients {
-		info, err := dockerClient.Info(ctx)
-		if err != nil {
-			errs.Add(err)
-			continue
-		}
-		info.Name = name
-		dockerInfos[i] = dockerInfo(info)
-		i++
-	}
-
-	sort.Slice(dockerInfos, func(i, j int) bool {
-		return dockerInfos[i].Name < dockerInfos[j].Name
-	})
-	return dockerInfos, errs.Error()
-}
--- a/internal/api/v1/dockerapi/logs.go
+++ b/internal/api/v1/dockerapi/logs.go
@@ -1,69 +0,0 @@
-package dockerapi
-
-import (
-	"net/http"
-	"strconv"
-
-	"github.com/coder/websocket"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-)
-
-func Logs(w http.ResponseWriter, r *http.Request) {
-	query := r.URL.Query()
-	server := r.PathValue("server")
-	containerID := r.PathValue("container")
-	stdout, _ := strconv.ParseBool(query.Get("stdout"))
-	stderr, _ := strconv.ParseBool(query.Get("stderr"))
-	since := query.Get("from")
-	until := query.Get("to")
-	levels := query.Get("levels") // TODO: implement levels
-
-	dockerClient, found, err := getDockerClient(w, server)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	if !found {
-		gphttp.NotFound(w, "server not found")
-		return
-	}
-
-	opts := container.LogsOptions{
-		ShowStdout: stdout,
-		ShowStderr: stderr,
-		Since:      since,
-		Until:      until,
-		Timestamps: true,
-		Follow:     true,
-		Tail:       "100",
-	}
-	if levels != "" {
-		opts.Details = true
-	}
-
-	logs, err := dockerClient.ContainerLogs(r.Context(), containerID, opts)
-	if err != nil {
-		gphttp.BadRequest(w, err.Error())
-		return
-	}
-	defer logs.Close()
-
-	conn, err := gpwebsocket.Initiate(w, r)
-	if err != nil {
-		return
-	}
-	defer conn.CloseNow()
-
-	writer := gpwebsocket.NewWriter(r.Context(), conn, websocket.MessageText)
-	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
-	if err != nil {
-		logging.Err(err).
-			Str("server", server).
-			Str("container", containerID).
-			Msg("failed to de-multiplex logs")
-	}
-}
--- a/internal/api/v1/dockerapi/utils.go
+++ b/internal/api/v1/dockerapi/utils.go
@@ -1,124 +0,0 @@
-package dockerapi
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/coder/websocket/wsjson"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-)
-
-type (
-	DockerClients     map[string]*docker.SharedClient
-	ResultType[T any] interface {
-		map[string]T | []T
-	}
-)
-
-// getDockerClients returns a map of docker clients for the current config.
-//
-// Returns a map of docker clients by server name and an error if any.
-//
-// Even if there are errors, the map of docker clients might not be empty.
-func getDockerClients() (DockerClients, gperr.Error) {
-	cfg := config.GetInstance()
-
-	dockerHosts := cfg.Value().Providers.Docker
-	dockerClients := make(DockerClients)
-
-	connErrs := gperr.NewBuilder("failed to connect to docker")
-
-	for name, host := range dockerHosts {
-		dockerClient, err := docker.NewClient(host)
-		if err != nil {
-			connErrs.Add(err)
-			continue
-		}
-		dockerClients[name] = dockerClient
-	}
-
-	for _, agent := range cfg.ListAgents() {
-		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
-		if err != nil {
-			connErrs.Add(err)
-			continue
-		}
-		dockerClients[agent.Name()] = dockerClient
-	}
-
-	return dockerClients, connErrs.Error()
-}
-
-func getDockerClient(w http.ResponseWriter, server string) (*docker.SharedClient, bool, error) {
-	cfg := config.GetInstance()
-	var host string
-	for name, h := range cfg.Value().Providers.Docker {
-		if name == server {
-			host = h
-			break
-		}
-	}
-	for _, agent := range cfg.ListAgents() {
-		if agent.Name() == server {
-			host = agent.FakeDockerHost()
-			break
-		}
-	}
-	if host == "" {
-		return nil, false, nil
-	}
-	dockerClient, err := docker.NewClient(host)
-	if err != nil {
-		return nil, false, err
-	}
-	return dockerClient, true, nil
-}
-
-// closeAllClients closes all docker clients after a delay.
-//
-// This is used to ensure that all docker clients are closed after the http handler returns.
-func closeAllClients(dockerClients DockerClients) {
-	for _, dockerClient := range dockerClients {
-		dockerClient.Close()
-	}
-}
-
-func handleResult[V any, T ResultType[V]](w http.ResponseWriter, errs error, result T) {
-	if errs != nil {
-		gperr.LogError("docker errors", errs)
-		if len(result) == 0 {
-			http.Error(w, "docker errors", http.StatusInternalServerError)
-			return
-		}
-	}
-	json.NewEncoder(w).Encode(result)
-}
-
-func serveHTTP[V any, T ResultType[V]](w http.ResponseWriter, r *http.Request, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
-	dockerClients, err := getDockerClients()
-	if err != nil {
-		handleResult[V, T](w, err, nil)
-		return
-	}
-	defer closeAllClients(dockerClients)
-
-	if httpheaders.IsWebsocket(r.Header) {
-		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
-			result, err := getResult(r.Context(), dockerClients)
-			if err != nil {
-				return err
-			}
-			return wsjson.Write(r.Context(), conn, result)
-		})
-	} else {
-		result, err := getResult(r.Context(), dockerClients)
-		handleResult[V, T](w, err, result)
-	}
-}
--- a/internal/api/v1/docs/swagger.json
+++ b/internal/api/v1/docs/swagger.json
--- a/internal/api/v1/docs/swagger.yaml
+++ b/internal/api/v1/docs/swagger.yaml
--- a/Show More
+++ b/Show More