fix(panic): nil panic in IterRoutes

chore: update README.md and config.example.yml for new changes
fix(ci): checkout submodules
2026-01-11 21:10:30 +01:00 · 2025-10-12 16:51:52 +08:00 · 2025-10-12 14:25:55 +08:00 · 2025-10-12 14:23:00 +08:00 · 2025-10-12 13:04:28 +08:00 · 2025-10-12 09:38:06 +08:00
430 changed files with 9696 additions and 20600 deletions
--- a/.github/workflows/agent-binary.yml
+++ b/.github/workflows/agent-binary.yml
@@ -25,6 +25,8 @@ jobs:
      id-token: write
    steps:
      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,7 @@ todo.md
 .aider*
 mtrace.json
 .env
+*.env
 .cursorrules
 .cursor/
 .windsurfrules
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "internal/gopsutil"]
+	path = internal/gopsutil
+	url = https://github.com/godoxy-app/gopsutil.git
+[submodule "internal/go-oidc"]
+	path = internal/go-oidc
+	url = https://github.com/godoxy-app/go-oidc.git
+[submodule "goutils"]
+	path = goutils
+	url = https://github.com/yusing/goutils.git
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -70,7 +70,6 @@ linters:
    govet:
      disable:
        - shadow
-        - fieldalignment
      enable-all: true
    misspell:
      locale: US
@@ -108,8 +107,7 @@ linters:
        - all
        - -SA1019
      dot-import-whitelist:
-        - github.com/yusing/go-proxy/internal/utils/testing
-        - github.com/yusing/go-proxy/internal/api/v1/utils
+        - github.com/yusing/godoxy/internal/utils/testing
    tagalign:
      align: false
      sort: true
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -21,9 +21,9 @@ lint:
    - markdownlint
    - yamllint
  enabled:
-    - checkov@3.2.467
-    - golangci-lint2@2.4.0
-    - hadolint@2.12.1-beta
+    - checkov@3.2.471
+    - golangci-lint2@2.5.0
+    - hadolint@2.14.0
    - actionlint@1.7.7
    - git-diff-check
    - gofmt@1.20.4
@@ -32,7 +32,7 @@ lint:
    - prettier@3.6.2
    - shellcheck@0.11.0
    - shfmt@3.6.0
-    - trufflehog@3.90.5
+    - trufflehog@3.90.8
 actions:
  disabled:
    - trunk-announce
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -1,10 +1,10 @@
 {
  "yaml.schemas": {
-    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/config.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/types/godoxy/config.schema.json": [
      "config.example.yml",
      "config.yml"
    ],
-    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/routes.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/types/godoxy/routes.schema.json": [
      "providers.example.yml"
    ]
  }
--- a/16
+++ b/16
@@ -1,5 +1,5 @@
 # Stage 1: deps
-FROM golang:1.25.0-alpine AS deps
+FROM golang:1.25.2-alpine AS deps
 HEALTHCHECK NONE

 # package version does not matter
@@ -7,14 +7,19 @@ HEALTHCHECK NONE
 RUN apk add --no-cache tzdata make libcap-setcap

 ENV GOPATH=/root/go
+ENV GOCACHE=/root/.cache/go-build

 WORKDIR /src

+COPY goutils/go.mod goutils/go.sum ./goutils/
+COPY internal/go-oidc/go.mod internal/go-oidc/go.sum ./internal/go-oidc/
+COPY internal/gopsutil/go.mod internal/gopsutil/go.sum ./internal/gopsutil/
 COPY go.mod go.sum ./

 # remove godoxy stuff from go.mod first
-RUN sed -i '/^module github\.com\/yusing\/go-proxy/!{/github\.com\/yusing\/go-proxy/d}' go.mod && \
-  go mod download -x
+RUN --mount=type=cache,target=/root/.cache/go-build \
+  --mount=type=cache,target=/root/go/pkg/mod \
+  sed -i '/^module github\.com\/yusing\/godoxy/!{/github\.com\/yusing\/godoxy/d}' go.mod && go mod download -x

 # Stage 2: builder
 FROM deps AS builder
@@ -28,6 +33,7 @@ COPY internal ./internal
 COPY pkg ./pkg
 COPY agent ./agent
 COPY socket-proxy ./socket-proxy
+COPY goutils ./goutils

 ARG VERSION
 ENV VERSION=${VERSION}
@@ -35,9 +41,6 @@ ENV VERSION=${VERSION}
 ARG MAKE_ARGS
 ENV MAKE_ARGS=${MAKE_ARGS}

-ENV GOCACHE=/root/.cache/go-build
-ENV GOPATH=/root/go
-
 RUN --mount=type=cache,target=/root/.cache/go-build \
  --mount=type=cache,target=/root/go/pkg/mod \
  make ${MAKE_ARGS} docker=1 build
@@ -47,6 +50,7 @@ FROM scratch

 LABEL maintainer="yusing@6uo.me"
 LABEL proxy.exclude=1
+LABEL proxy.#1.healthcheck.disable=true

 # copy timezone data
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
--- a/30
+++ b/30
@@ -6,7 +6,7 @@ export GOOS = linux
 WEBUI_DIR ?= ../godoxy-frontend
 DOCS_DIR ?= ../godoxy-wiki

-LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
+LDFLAGS = -X github.com/yusing/goutils/version.version=${VERSION} -checklinkname=0

 ifeq ($(agent), 1)
 	NAME = godoxy-agent
@@ -26,16 +26,15 @@ ifeq ($(trace), 1)
 endif

 ifeq ($(race), 1)
-	debug = 1
-  BUILD_FLAGS += -race
-endif
-
-ifeq ($(debug), 1)
+	CGO_ENABLED = 1
+	GODOXY_DEBUG = 1
+	BUILD_FLAGS += -tags debug -race
+else ifeq ($(debug), 1)
 	CGO_ENABLED = 1
 	GODOXY_DEBUG = 1
 	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug -asan
 else ifeq ($(pprof), 1)
-	CGO_ENABLED = 1
+	CGO_ENABLED = 0
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
 	BUILD_FLAGS += -tags pprof
 	VERSION := ${VERSION}-pprof
@@ -72,7 +71,7 @@ endif
 .PHONY: debug

 test:
-	GODOXY_TEST=1 go test ./internal/...
+	go test -v -race ./internal/...

 docker-build-test:
 	docker build -t godoxy .
@@ -113,9 +112,14 @@ build:
 run:
 	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd

-debug:
-	make NAME="godoxy-test" debug=1 build
-	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
+dev:
+	docker compose -f dev.compose.yml $(args)
+
+dev-build: build
+	docker compose -f dev.compose.yml up -t 0 -d app --force-recreate
+
+dev-run: build
+	cd dev-data && ${BIN_PATH}

 mtrace:
 	 ${BIN_PATH} debug-ls-mtrace > mtrace.json
@@ -141,6 +145,8 @@ push-github:
 gen-swagger:
 	swag init --parseDependency --parseInternal -g handler.go -d internal/api -o internal/api/v1/docs
 	python3 scripts/fix-swagger-json.py
+	# we don't need this
+	rm internal/api/v1/docs/docs.go

 gen-swagger-markdown: gen-swagger
 	swagger generate markdown -f internal/api/v1/docs/swagger.yaml --skip-validation --output ${DOCS_DIR}/src/API.md
@@ -148,4 +154,4 @@ gen-swagger-markdown: gen-swagger
 gen-api-types: gen-swagger
 	# --disable-throw-on-error
 	pnpx swagger-typescript-api generate --sort-types --generate-union-enums --axios --add-readonly --route-types \
-		 --responses -o ${WEBUI_DIR}/src/lib -n api.ts -p internal/api/v1/docs/swagger.json
+		 --responses -o ${WEBUI_DIR}/lib -n api.ts -p internal/api/v1/docs/swagger.json
--- a/README.md
+++ b/README.md
@@ -1,10 +1,11 @@
 <div align="center">

-# GoDoxy
+<img src="assets/godoxy.png" width="200">

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=go-proxy)
+
 ![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

@@ -16,29 +17,30 @@ A lightweight, simple, and performant reverse proxy with WebUI.

 <h5>EN | <a href="README_CHT.md">中文</a></h5>

-Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)! (Thanks to [@ismesid](https://github.com/arevindh))
-
 <img src="screenshots/webui.jpg" style="max-width: 650">

+Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)! (Thanks to [@ismesid](https://github.com/arevindh))
+
 </div>

 ## Table of content

 <!-- TOC -->

- [GoDoxy](#godoxy)
-  - [Table of content](#table-of-content)
-  - [Running demo](#running-demo)
-  - [Key Features](#key-features)
-  - [Prerequisites](#prerequisites)
-  - [Setup](#setup)
-  - [How does GoDoxy work](#how-does-godoxy-work)
-  - [Screenshots](#screenshots)
-    - [idlesleeper](#idlesleeper)
-    - [Metrics and Logs](#metrics-and-logs)
-  - [Manual Setup](#manual-setup)
-    - [Folder structrue](#folder-structrue)
-  - [Build it yourself](#build-it-yourself)
+- [Table of content](#table-of-content)
+- [Running demo](#running-demo)
+- [Key Features](#key-features)
+- [Prerequisites](#prerequisites)
+- [Setup](#setup)
+- [How does GoDoxy work](#how-does-godoxy-work)
+- [Update / Uninstall system agent](#update--uninstall-system-agent)
+- [Screenshots](#screenshots)
+  - [idlesleeper](#idlesleeper)
+  - [Metrics and Logs](#metrics-and-logs)
+- [Manual Setup](#manual-setup)
+  - [Folder structrue](#folder-structrue)
+- [Build it yourself](#build-it-yourself)
+- [Star History](#star-history)

 ## Running demo

@@ -57,10 +59,14 @@ Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e4
  - Country **(Maxmind account required)**
  - Timezone **(Maxmind account required)**
  - **Access logging**
+  - Periodic notification of access summaries for number of allowed and blocked connections
 - **Advanced Automation**
  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://docs.godoxy.dev/DNS-01-Providers))
  - Auto-configuration for Docker containers
  - Hot-reloading of configurations and container state changes
+- **Container Runtime Support**
+  - Docker
+  - Podman
 - **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
  - Docker containers
  - Proxmox LXCs
@@ -68,6 +74,7 @@ Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e4
  - HTTP reserve proxy
  - TCP/UDP port forwarding
  - **OpenID Connect support**: SSO and secure your apps easily
+  - **ForwardAuth support**: integrate with any auth provider (e.g. TinyAuth)
 - **Customization**
  - [HTTP middlewares](https://docs.godoxy.dev/Middlewares)
  - [Custom error pages support](https://docs.godoxy.dev/Custom-Error-Pages)
@@ -123,6 +130,20 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 >
 > For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.

+## Update / Uninstall system agent
+
+Update:
+
+```bash
+bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- update
+```
+
+Uninstall:
+
+```bash
+bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- uninstall
+```
+
 ## Screenshots

 ### idlesleeper
@@ -134,22 +155,12 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 <div align="center">
  <table>
    <tr>
-      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
-      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+      <td align="center"><img src="screenshots/routes.jpg" alt="Routes" width="350"/></td>
+      <td align="center"><img src="screenshots/servers.jpg" alt="Servers" width="350"/></td>
    </tr>
    <tr>
-      <td align="center"><b>Uptime Monitor</b></td>
-      <td align="center"><b>Docker Logs</b></td>
-      <td align="center"><b>Server Overview</b></td>
-    </tr>
-        <tr>
-      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>System Monitor</b></td>
-      <td align="center"><b>Graphs</b></td>
+      <td align="center"><b>Routes</b></td>
+      <td align="center"><b>Servers</b></td>
    </tr>
  </table>
 </div>
@@ -201,4 +212,8 @@ Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.

 5. build binary with `make build`

+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=yusing/godoxy&type=Date)](https://www.star-history.com/#yusing/godoxy&Date)
+
 [🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,10 +1,11 @@
 <div align="center">

-# GoDoxy
+<img src="assets/godoxy.png" width="200">

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+
 ![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

@@ -16,28 +17,29 @@

 <h5><a href="README.md">EN</a> | 中文</h5>

-有疑問? 問 [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)！（鳴謝 [@ismesid](https://github.com/arevindh)）
-
 <img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">

+有疑問? 問 [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)！（鳴謝 [@ismesid](https://github.com/arevindh)）
+
 </div>

 ## 目錄

 <!-- TOC -->

- [GoDoxy](#godoxy)
-  - [目錄](#目錄)
-  - [運行示例](#運行示例)
-  - [主要特點](#主要特點)
-  - [前置需求](#前置需求)
-  - [安裝](#安裝)
-    - [手動安裝](#手動安裝)
-    - [資料夾結構](#資料夾結構)
-  - [截圖](#截圖)
-    - [閒置休眠](#閒置休眠)
-    - [監控](#監控)
-  - [自行編譯](#自行編譯)
+- [目錄](#目錄)
+- [運行示例](#運行示例)
+- [主要特點](#主要特點)
+- [前置需求](#前置需求)
+- [安裝](#安裝)
+  - [手動安裝](#手動安裝)
+  - [資料夾結構](#資料夾結構)
+- [更新 / 卸載系統代理 (System Agent)](#更新--卸載系統代理-system-agent)
+- [截圖](#截圖)
+  - [閒置休眠](#閒置休眠)
+  - [監控](#監控)
+- [自行編譯](#自行編譯)
+- [Star History](#star-history)

 ## 運行示例

@@ -56,10 +58,14 @@
  - 國家 **(需要 Maxmind 帳戶)**
  - 時區 **(需要 Maxmind 帳戶)**
  - **存取日誌記錄**
+  - 定時發送摘要 (允許和拒絕的連線次數)
 - **自動化**
  - 使用 Let's Encrypt 自動管理 SSL 憑證 ([使用 DNS-01 驗證](https://docs.godoxy.dev/DNS-01-Providers))
  - Docker 容器自動配置
  - 設定檔與容器狀態變更時自動熱重載
+- **容器運行時支援**
+  - Docker
+  - Podman
 - **閒置休眠**：根據流量停止和喚醒容器 _(參見[截圖](#閒置休眠))_
  - Docker 容器
  - Proxmox LXC 容器
@@ -67,6 +73,7 @@
  - HTTP 反向代理
  - TCP/UDP 連接埠轉送
  - **OpenID Connect 支援**：輕鬆實現單點登入 (SSO) 並保護您的應用程式
+  - **ForwardAuth 支援**：整合任何 auth provider (例如 TinyAuth)
 - **客製化**
  - [HTTP 中介軟體](https://docs.godoxy.dev/Middlewares)
  - [支援自訂錯誤頁面](https://docs.godoxy.dev/Custom-Error-Pages)
@@ -80,8 +87,6 @@
 - **高效能**
  - 以 **[Go](https://go.dev)** 語言編寫

-[🔼 回到頂部](#目錄)
-
 ## 前置需求

 設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：
@@ -106,8 +111,6 @@

 3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置

-[🔼 回到頂部](#目錄)
-
 ### 手動安裝

 1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`
@@ -143,35 +146,37 @@
 └── .env
 ```

+## 更新 / 卸載系統代理 (System Agent)
+
+更新：
+
+```bash
+sudo /bin/bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- update
+```
+
+卸載：
+
+```bash
+sudo /bin/bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- uninstall
+```
+
 ## 截圖

 ### 閒置休眠

 ![閒置休眠](screenshots/idlesleeper.webp)

-[🔼 回到頂部](#目錄)
-
 ### 監控

 <div align="center">
  <table>
    <tr>
-      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
-      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+      <td align="center"><img src="screenshots/routes.jpg" alt="Routes" width="350"/></td>
+      <td align="center"><img src="screenshots/servers.jpg" alt="Servers" width="350"/></td>
    </tr>
    <tr>
-      <td align="center"><b>運行時間監控</b></td>
-      <td align="center"><b>Docker 日誌</b></td>
-      <td align="center"><b>伺服器概覽</b></td>
-    </tr>
-        <tr>
-      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
-      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>系統監控</b></td>
-      <td align="center"><b>圖表</b></td>
+      <td align="center"><b>路由</b></td>
+      <td align="center"><b>伺服器</b></td>
    </tr>
  </table>
 </div>
@@ -188,4 +193,8 @@

 5. 使用 `make build` 編譯二進制檔案

+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=yusing/godoxy&type=Date)](https://www.star-history.com/#yusing/godoxy&Date)
+
 [🔼 回到頂部](#目錄)
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -5,15 +5,15 @@ import (

 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/agent/pkg/server"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	httpServer "github.com/yusing/go-proxy/internal/net/gphttp/server"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
-	socketproxy "github.com/yusing/go-proxy/socketproxy/pkg"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/agent/pkg/server"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
+	httpServer "github.com/yusing/goutils/server"
+	strutils "github.com/yusing/goutils/strings"
+	"github.com/yusing/goutils/task"
+	"github.com/yusing/goutils/version"
 )

 func main() {
@@ -26,26 +26,27 @@ func main() {
 	ca := &agent.PEMPair{}
 	err := ca.Load(env.AgentCACert)
 	if err != nil {
-		gperr.LogFatal("init CA error", err)
+		log.Fatal().Err(err).Msg("init CA error")
 	}
 	caCert, err := ca.ToTLSCert()
 	if err != nil {
-		gperr.LogFatal("init CA error", err)
+		log.Fatal().Err(err).Msg("init CA error")
 	}

 	srv := &agent.PEMPair{}
 	srv.Load(env.AgentSSLCert)
 	if err != nil {
-		gperr.LogFatal("init SSL error", err)
+		log.Fatal().Err(err).Msg("init SSL error")
 	}
 	srvCert, err := srv.ToTLSCert()
 	if err != nil {
-		gperr.LogFatal("init SSL error", err)
+		log.Fatal().Err(err).Msg("init SSL error")
 	}

-	log.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
+	log.Info().Msgf("GoDoxy Agent version %s", version.Get())
 	log.Info().Msgf("Agent name: %s", env.AgentName)
 	log.Info().Msgf("Agent port: %d", env.AgentPort)
+	log.Info().Msgf("Agent runtime: %s", env.Runtime)

 	log.Info().Msg(`
 Tips:
@@ -63,9 +64,11 @@ Tips:
 	server.StartAgentServer(t, opts)

 	if socketproxy.ListenAddr != "" {
-		log.Info().Msgf("Docker socket listening on: %s", socketproxy.ListenAddr)
+		runtime := strutils.Title(string(env.Runtime))
+
+		log.Info().Msgf("%s socket listening on: %s", runtime, socketproxy.ListenAddr)
 		opts := httpServer.Options{
-			Name:     "docker",
+			Name:     runtime,
 			HTTPAddr: socketproxy.ListenAddr,
 			Handler:  socketproxy.NewHandler(),
 		}
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -1,30 +1,35 @@
-module github.com/yusing/go-proxy/agent
+module github.com/yusing/godoxy/agent

-go 1.25.0
+go 1.25.2

-replace github.com/yusing/go-proxy => ..
+replace github.com/yusing/godoxy => ..

-replace github.com/yusing/go-proxy/socketproxy => ../socket-proxy
+replace github.com/yusing/godoxy/socketproxy => ../socket-proxy

-replace github.com/yusing/go-proxy/internal/utils => ../internal/utils
+replace github.com/shirou/gopsutil/v4 => ../internal/gopsutil

-replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d
+replace github.com/yusing/goutils => ../goutils
+
+exclude github.com/containerd/nerdctl/mod/tigron v0.0.0

 require (
-	github.com/gin-gonic/gin v1.10.1
+	github.com/bytedance/sonic v1.14.1
+	github.com/gin-gonic/gin v1.11.0
 	github.com/gorilla/websocket v1.5.3
+	github.com/puzpuzpuz/xsync/v4 v4.2.0
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.11.1
-	github.com/yusing/go-proxy v0.17.1
-	github.com/yusing/go-proxy/internal/utils v0.0.0
-	github.com/yusing/go-proxy/socketproxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/godoxy v0.18.6
+	github.com/yusing/godoxy/socketproxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/goutils v0.6.1
 )

 require (
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/PuerkitoBio/goquery v1.10.3 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
@@ -32,11 +37,11 @@ require (
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v28.3.3+incompatible // indirect
-	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/cli v28.5.1+incompatible // indirect
+	github.com/docker/docker v28.5.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/ebitengine/purego v0.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
@@ -45,12 +50,12 @@ require (
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.27.0 // indirect
+	github.com/go-playground/validator/v10 v10.28.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/gotify/server/v2 v2.6.3 // indirect
+	github.com/gotify/server/v2 v2.7.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
@@ -59,51 +64,48 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.2 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/puzpuzpuz/xsync/v4 v4.1.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.0 // indirect
-	github.com/samber/lo v1.51.0 // indirect
+	github.com/quic-go/quic-go v0.55.0 // indirect
+	github.com/samber/lo v1.52.0 // indirect
 	github.com/samber/slog-common v0.19.0 // indirect
 	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.7 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.9 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/spf13/afero v1.14.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
-	github.com/yusing/ds v0.1.0 // indirect
+	github.com/yusing/ds v0.2.0 // indirect
+	github.com/yusing/gointernals v0.1.16 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/mock v0.6.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/crypto v0.41.0 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
+	golang.org/x/arch v0.22.0 // indirect
+	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
 )
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -6,10 +6,16 @@ github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiU
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
-github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
+github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
+github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.1 h1:FBMC0zVz5XUmE4z9wF4Jey0An5FueFvOsTKKKtwIl7w=
+github.com/bytedance/sonic v1.14.1/go.mod h1:gi6uhQLMbTdeP0muCnrjHLeCUPyb70ujhnNlhOylAFc=
 github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
 github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
@@ -20,31 +26,43 @@ github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151X
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
+github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
+github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo=
-github.com/docker/cli v28.3.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
-github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
+github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY=
+github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
+github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw=
-github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.9.0 h1:mh0zpKBIXDceC63hpvPuGLiJ8ZAa3DfrFTudmfi8A4k=
+github.com/ebitengine/purego v0.9.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
 github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
-github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/go-acme/lego/v4 v4.26.0 h1:521aEQxNstXvPQcFDDPrJiFfixcCQuvAvm35R4GbyYA=
+github.com/go-acme/lego/v4 v4.26.0/go.mod h1:BQVAWgcyzW4IT9eIKHY/RxYlVhoyKyOMXOkq7jK1eEQ=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -59,17 +77,17 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
+github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d h1:bNqtnmyhGDxpBSaFYIo7ferYRIc/QzlaGfIhh/JmMPk=
-github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d/go.mod h1:7iQ/w4jyGYJCZ56dZLNztwM4atNxj5C2HNTBxhLvV8A=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -80,14 +98,14 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotify/server/v2 v2.6.3 h1:2sLDRsQ/No1+hcFwFDvjNtwKepfCSIR8L3BkXl/Vz1I=
-github.com/gotify/server/v2 v2.6.3/go.mod h1:IyeQ/iL3vetcuqUAzkCMVObIMGGJx4zb13/mVatIwE8=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
+github.com/gotify/server/v2 v2.7.3 h1:nro/ZnxdlZFvxFcw9LREGA8zdk6CK744azwhuhX/A4g=
+github.com/gotify/server/v2 v2.7.3/go.mod h1:VAtE1RIc/2j886PYs9WPQbMjqbFsoyQ0G8IdFtnAxU0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
 github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -100,6 +118,10 @@ github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 h1:mFWunSatvkQQDhpdyuFAYwyAan3hzCuma+Pz8sqvOfg=
 github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/luthermonson/go-proxmox v0.2.3 h1:NAjUJ5Jd1ynIK6UHMGd/VLGgNZWpGXhfL+DBmAVSEaA=
+github.com/luthermonson/go-proxmox v0.2.3/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
+github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
+github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -107,6 +129,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
+github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
@@ -130,6 +154,8 @@ github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -137,27 +163,27 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/puzpuzpuz/xsync/v4 v4.1.0 h1:x9eHRl4QhZFIPJ17yl4KKW9xLyVWbb3/Yq4SXpjF71U=
-github.com/puzpuzpuz/xsync/v4 v4.1.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
+github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
-github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
-github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
+github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
 github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
 github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
 github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -177,62 +203,55 @@ github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yusing/ds v0.1.0 h1:aiZs7jPMN3MEChUsddMYjpZFHhhAmkxrwRyIUnGy5AU=
-github.com/yusing/ds v0.1.0/go.mod h1:KC785+mtt+Bau0LLR+slExDaUjeiqLT1k9Or6Rpryh4=
+github.com/yusing/ds v0.2.0 h1:lPhDU5eA2uvquVrBrzLCrQXRJJgSXlUYA53TbuK2sQY=
+github.com/yusing/ds v0.2.0/go.mod h1:XhKV4l7cZwBbbl7lRzNC9zX27zvCM0frIwiuD40ULRk=
+github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
+github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
+golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
+golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -241,26 +260,25 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -273,8 +291,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -293,33 +311,28 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20250811230008-5f3141c8851a h1:V8Zj/61zlL7B+VH151iV5hJlUnYc3fUNTEhLtyr9Kzc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b h1:ULiyYQ0FdsJhwwZUwbaXpZF5yUE3h+RA+gxvBu37ucc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:oDOGiMSXHL4sDTJvFvIB9nRQCGdLP1o/iVaqQK8zB+M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a h1:tPE/Kp+x9dMSwUm/uM0JKK0IfdiJkwAbSMSeZBXXJXc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
-google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
-google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/genproto v0.0.0-20250908214217-97024824d090 h1:ywCL7vA2n3vVHyf+bx1ZV/knaTPRI8GIeKY0MEhEeOc=
+google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1 h1:APHvLLYBhtZvsbnpkfknDZ7NyH4z5+ub/I0u8L3Oz6g=
+google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1/go.mod h1:xUjFWUnWDpZ/C0Gu0qloASKFb6f8/QXiiXhSPFsD668=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff h1:A90eA31Wq6HOMIQlLfzFwzqGKBTuaVztYu/g8sn+8Zc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/agent/pkg/agent/agent_pool.go
+++ b/agent/pkg/agent/agent_pool.go
@@ -1,14 +1,17 @@
 package agent

 import (
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/utils/functional"
+	"iter"
+	"os"
+	"strings"
+
+	"github.com/puzpuzpuz/xsync/v4"
 )

-var agentPool = functional.NewMapOf[string, *AgentConfig]()
+var agentPool = xsync.NewMap[string, *AgentConfig](xsync.WithPresize(10))

 func init() {
-	if common.IsTest {
+	if strings.HasSuffix(os.Args[0], ".test") {
 		agentPool.Store("test-agent", &AgentConfig{
 			Addr: "test-agent",
 		})
@@ -51,7 +54,15 @@ func ListAgents() []*AgentConfig {
 	return agents
 }

+func IterAgents() iter.Seq2[string, *AgentConfig] {
+	return agentPool.Range
+}
+
+func NumAgents() int {
+	return agentPool.Size()
+}
+
 func getAgentByAddr(addr string) (agent *AgentConfig, ok bool) {
 	agent, ok = agentPool.Load(addr)
-	return
+	return agent, ok
 }
--- a/agent/pkg/agent/bare_metal.go
+++ b/agent/pkg/agent/bare_metal.go
@@ -10,6 +10,16 @@ var (
 	AGENT_PORT="{{.Port}}" \
 	AGENT_CA_CERT="{{.CACert}}" \
 	AGENT_SSL_CERT="{{.SSLCert}}" \
+	{{ if eq .ContainerRuntime "nerdctl" -}}
+	DOCKER_SOCKET="/var/run/containerd/containerd.sock" \
+	RUNTIME="nerdctl" \
+	{{ else if eq .ContainerRuntime "podman" -}}
+	DOCKER_SOCKET="/var/run/podman/podman.sock" \
+	RUNTIME="podman" \
+	{{ else -}}
+	DOCKER_SOCKET="/var/run/docker.sock" \
+	RUNTIME="docker" \
+	{{ end -}}
 	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/install-agent.sh)"`
 	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
 )
--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -15,23 +15,26 @@ import (

 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+	"github.com/yusing/goutils/version"
 )

 type AgentConfig struct {
-	Addr    string `json:"addr"`
-	Name    string `json:"name"`
-	Version string `json:"version"`
+	Addr    string           `json:"addr"`
+	Name    string           `json:"name"`
+	Version version.Version  `json:"version"`
+	Runtime ContainerRuntime `json:"runtime"`

-	httpClient *http.Client
-	tlsConfig  *tls.Config
-	l          zerolog.Logger
+	httpClient            *http.Client
+	httpClientHealthCheck *http.Client
+	tlsConfig             *tls.Config
+	l                     zerolog.Logger
 } // @name Agent

 const (
 	EndpointVersion    = "/version"
 	EndpointName       = "/name"
+	EndpointRuntime    = "/runtime"
 	EndpointProxyHTTP  = "/proxy/http"
 	EndpointHealth     = "/health"
 	EndpointLogs       = "/logs"
@@ -79,7 +82,7 @@ func (cfg *AgentConfig) Parse(addr string) error {
 	return nil
 }

-var serverVersion = pkg.GetVersion()
+var serverVersion = version.Get()

 func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte) error {
 	clientCert, err := tls.X509KeyPair(crt, key)
@@ -102,6 +105,8 @@ func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte)

 	// create transport and http client
 	cfg.httpClient = cfg.NewHTTPClient()
+	cfg.httpClientHealthCheck = cfg.NewHTTPClient()
+	applyHealthCheckTransportConfig(cfg.httpClientHealthCheck.Transport.(*http.Transport))

 	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
@@ -122,11 +127,34 @@ func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte)
 		return err
 	}

-	cfg.Version = string(agentVersionBytes)
-	agentVersion := pkg.ParseVersion(cfg.Version)
+	// check agent runtime
+	runtimeBytes, status, err := cfg.Fetch(ctx, EndpointRuntime)
+	if err != nil {
+		return err
+	}
+	switch status {
+	case http.StatusOK:
+		switch string(runtimeBytes) {
+		case "docker":
+			cfg.Runtime = ContainerRuntimeDocker
+		// case "nerdctl":
+		// 	cfg.Runtime = ContainerRuntimeNerdctl
+		case "podman":
+			cfg.Runtime = ContainerRuntimePodman
+		default:
+			return fmt.Errorf("invalid agent runtime: %s", runtimeBytes)
+		}
+	case http.StatusNotFound:
+		// backward compatibility, old agent does not have runtime endpoint
+		cfg.Runtime = ContainerRuntimeDocker
+	default:
+		return fmt.Errorf("failed to get agent runtime: HTTP %d %s", status, runtimeBytes)
+	}

-	if serverVersion.IsNewerMajorThan(agentVersion) {
-		log.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.Name, serverVersion, agentVersion)
+	cfg.Version = version.Parse(string(agentVersionBytes))
+
+	if serverVersion.IsNewerThanMajor(cfg.Version) {
+		log.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.Name, serverVersion, cfg.Version)
 	}

 	log.Info().Msgf("agent %q initialized", cfg.Name)
@@ -182,3 +210,12 @@ func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
 func (cfg *AgentConfig) String() string {
 	return cfg.Name + "@" + cfg.Addr
 }
+
+func applyHealthCheckTransportConfig(transport *http.Transport) {
+	transport.DisableKeepAlives = true
+	transport.DisableCompression = true
+	transport.MaxIdleConns = 1
+	transport.MaxIdleConnsPerHost = 1
+	transport.ReadBufferSize = 1024
+	transport.WriteBufferSize = 1024
+}
--- a/agent/pkg/agent/docker_compose.go
+++ b/agent/pkg/agent/docker_compose.go
@@ -8,9 +8,9 @@ import (
 )

 var (
-	//go:embed templates/agent.compose.yml
+	//go:embed templates/agent.compose.yml.tmpl
 	agentComposeYAML         string
-	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml").Parse(agentComposeYAML))
+	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml.tmpl").Parse(agentComposeYAML))
 )

 const (
@@ -20,7 +20,8 @@ const (

 func (c *AgentComposeConfig) Generate() (string, error) {
 	buf := bytes.NewBuffer(make([]byte, 0, 1024))
-	if err := agentComposeYAMLTemplate.Execute(buf, c); err != nil {
+	err := agentComposeYAMLTemplate.Execute(buf, c)
+	if err != nil {
 		return "", err
 	}
 	return buf.String(), nil
--- a/agent/pkg/agent/env.go
+++ b/agent/pkg/agent/env.go
@@ -1,11 +1,13 @@
 package agent

 type (
-	AgentEnvConfig struct {
-		Name    string
-		Port    int
-		CACert  string
-		SSLCert string
+	ContainerRuntime string
+	AgentEnvConfig   struct {
+		Name             string
+		Port             int
+		CACert           string
+		SSLCert          string
+		ContainerRuntime ContainerRuntime
 	}
 	AgentComposeConfig struct {
 		Image string
@@ -15,3 +17,9 @@ type (
 		Generate() (string, error)
 	}
 )
+
+const (
+	ContainerRuntimeDocker ContainerRuntime = "docker"
+	ContainerRuntimePodman ContainerRuntime = "podman"
+	// ContainerRuntimeNerdctl ContainerRuntime = "nerdctl"
+)
--- a/agent/pkg/agent/http_requests.go
+++ b/agent/pkg/agent/http_requests.go
@@ -6,6 +6,7 @@ import (
 	"net/http"

 	"github.com/gorilla/websocket"
+	"github.com/yusing/goutils/http/reverseproxy"
 )

 func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
@@ -16,17 +17,32 @@ func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io
 	return cfg.httpClient.Do(req)
 }

-func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) ([]byte, int, error) {
-	req = req.WithContext(req.Context())
+func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) (*http.Response, error) {
 	req.URL.Host = AgentHost
 	req.URL.Scheme = "https"
 	req.URL.Path = APIEndpointBase + endpoint
 	req.RequestURI = ""
 	resp, err := cfg.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+func (cfg *AgentConfig) DoHealthCheck(ctx context.Context, endpoint string) ([]byte, int, error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", APIBaseURL+endpoint, nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	req.Header.Set("Accept-Encoding", "identity")
+	req.Header.Set("Connection", "close")
+
+	resp, err := cfg.httpClientHealthCheck.Do(req)
 	if err != nil {
 		return nil, 0, err
 	}
 	defer resp.Body.Close()
+
 	data, _ := io.ReadAll(resp.Body)
 	return data, resp.StatusCode, nil
 }
@@ -51,3 +67,16 @@ func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websoc
 		"Host": {AgentHost},
 	})
 }
+
+// ReverseProxy reverse proxies the request to the agent
+//
+// It will create a new request with the same context, method, and body, but with the agent host and scheme, and the endpoint
+// If the request has a query, it will be added to the proxy request's URL
+func (cfg *AgentConfig) ReverseProxy(w http.ResponseWriter, req *http.Request, endpoint string) {
+	rp := reverseproxy.NewReverseProxy("agent", AgentURL, cfg.Transport())
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = endpoint
+	req.RequestURI = ""
+	rp.ServeHTTP(w, req)
+}
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@@ -3,6 +3,8 @@ package agent
 import (
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
@@ -10,14 +12,11 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"io"
 	"math/big"
 	"strings"
 	"time"
-
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"fmt"
 )

 const (
@@ -244,5 +243,5 @@ func NewAgent() (ca, srv, client *PEMPair, err error) {
 	}

 	client = toPEMPair(clientCertDER, clientKey)
-	return
+	return ca, srv, client, err
 }
--- a/agent/pkg/agent/templates/agent.compose.yml.tmpl
+++ b/agent/pkg/agent/templates/agent.compose.yml.tmpl
@@ -0,0 +1,66 @@
+services:
+  agent:
+    image: "{{.Image}}"
+    container_name: godoxy-agent
+    restart: always
+    {{ if eq .ContainerRuntime "podman" -}}
+    ports:
+      - "{{.Port}}:{{.Port}}"
+    {{ else -}}
+    network_mode: host # do not change this
+    {{ end -}}
+    environment:
+      {{ if eq .ContainerRuntime "nerdctl" -}}
+      DOCKER_SOCKET: "/var/run/containerd/containerd.sock"
+      RUNTIME: "nerdctl"
+      {{ else if eq .ContainerRuntime "podman" -}}
+      DOCKER_SOCKET: "/var/run/podman/podman.sock"
+      RUNTIME: "podman"
+      {{ else -}}
+      DOCKER_SOCKET: "/var/run/docker.sock"
+      RUNTIME: "docker"
+      {{ end -}}
+      AGENT_NAME: "{{.Name}}"
+      AGENT_PORT: "{{.Port}}"
+      AGENT_CA_CERT: "{{.CACert}}"
+      AGENT_SSL_CERT: "{{.SSLCert}}"
+      # use agent as a docker socket proxy: [host]:port
+      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
+      LISTEN_ADDR:
+      POST: false
+      ALLOW_RESTARTS: false
+      ALLOW_START: false
+      ALLOW_STOP: false
+      AUTH: false
+      BUILD: false
+      COMMIT: false
+      CONFIGS: false
+      CONTAINERS: false
+      DISTRIBUTION: false
+      EVENTS: true
+      EXEC: false
+      GRPC: false
+      IMAGES: false
+      INFO: false
+      NETWORKS: false
+      NODES: false
+      PING: true
+      PLUGINS: false
+      SECRETS: false
+      SERVICES: false
+      SESSION: false
+      SWARM: false
+      SYSTEM: false
+      TASKS: false
+      VERSION: true
+      VOLUMES: false
+    volumes:
+      {{ if eq .ContainerRuntime "podman" -}}
+      - /var/run/podman/podman.sock:/var/run/podman/podman.sock
+      {{ else if eq .ContainerRuntime "nerdctl" -}}
+      - /var/run/containerd/containerd.sock:/var/run/containerd/containerd.sock
+      - /var/lib/nerdctl:/var/lib/nerdctl:ro # required to read metadata like network info
+      {{ else -}}
+      - /var/run/docker.sock:/var/run/docker.sock
+      {{ end -}}
+      - ./data:/app/data
--- a/agent/pkg/agentproxy/config.go
+++ b/agent/pkg/agentproxy/config.go
@@ -0,0 +1,73 @@
+package agentproxy
+
+import (
+	"encoding/base64"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/bytedance/sonic"
+	route "github.com/yusing/godoxy/internal/route/types"
+)
+
+type Config struct {
+	Scheme string `json:"scheme,omitempty"`
+	Host   string `json:"host,omitempty"` // host or host:port
+
+	route.HTTPConfig
+}
+
+func ConfigFromHeaders(h http.Header) (Config, error) {
+	cfg, err := proxyConfigFromHeaders(h)
+	if cfg.Host == "" || err != nil {
+		cfg = proxyConfigFromHeadersLegacy(h)
+	}
+	return cfg, nil
+}
+
+func proxyConfigFromHeadersLegacy(h http.Header) (cfg Config) {
+	cfg.Host = h.Get(HeaderXProxyHost)
+	isHTTPS, _ := strconv.ParseBool(h.Get(HeaderXProxyHTTPS))
+	cfg.NoTLSVerify, _ = strconv.ParseBool(h.Get(HeaderXProxySkipTLSVerify))
+	responseHeaderTimeout, err := strconv.Atoi(h.Get(HeaderXProxyResponseHeaderTimeout))
+	if err != nil {
+		responseHeaderTimeout = 0
+	}
+	cfg.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+
+	cfg.Scheme = "http"
+	if isHTTPS {
+		cfg.Scheme = "https"
+	}
+
+	return cfg
+}
+
+func proxyConfigFromHeaders(h http.Header) (cfg Config, err error) {
+	cfg.Scheme = h.Get(HeaderXProxyScheme)
+	cfg.Host = h.Get(HeaderXProxyHost)
+
+	cfgBase64 := h.Get(HeaderXProxyConfig)
+	cfgJSON, err := base64.StdEncoding.DecodeString(cfgBase64)
+	if err != nil {
+		return cfg, err
+	}
+
+	err = sonic.Unmarshal(cfgJSON, &cfg)
+	return cfg, err
+}
+
+func (cfg *Config) SetAgentProxyConfigHeadersLegacy(h http.Header) {
+	h.Set(HeaderXProxyHost, cfg.Host)
+	h.Set(HeaderXProxyHTTPS, strconv.FormatBool(cfg.Scheme == "https"))
+	h.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(cfg.NoTLSVerify))
+	h.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(int(cfg.ResponseHeaderTimeout.Round(time.Second).Seconds())))
+}
+
+func (cfg *Config) SetAgentProxyConfigHeaders(h http.Header) {
+	h.Set(HeaderXProxyHost, cfg.Host)
+	h.Set(HeaderXProxyScheme, string(cfg.Scheme))
+	cfgJSON, _ := sonic.Marshal(cfg.HTTPConfig)
+	cfgBase64 := base64.StdEncoding.EncodeToString(cfgJSON)
+	h.Set(HeaderXProxyConfig, cfgBase64)
+}
--- a/agent/pkg/agentproxy/headers.go
+++ b/agent/pkg/agentproxy/headers.go
@@ -1,27 +1,14 @@
 package agentproxy

-import (
-	"net/http"
-	"strconv"
+const (
+	HeaderXProxyScheme = "X-Proxy-Scheme"
+	HeaderXProxyHost   = "X-Proxy-Host"
+	HeaderXProxyConfig = "X-Proxy-Config"
 )

+// deprecated
 const (
-	HeaderXProxyHost                  = "X-Proxy-Host"
 	HeaderXProxyHTTPS                 = "X-Proxy-Https"
 	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
 	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
 )
-
-type AgentProxyHeaders struct {
-	Host                  string
-	IsHTTPS               bool
-	SkipTLSVerify         bool
-	ResponseHeaderTimeout int
-}
-
-func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
-	r.Header.Set(HeaderXProxyHost, headers.Host)
-	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
-	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
-	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
-}
--- a/agent/pkg/certs/zip.go
+++ b/agent/pkg/certs/zip.go
@@ -6,7 +6,7 @@ import (
 	"io"
 	"path/filepath"

-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	strutils "github.com/yusing/goutils/strings"
 )

 const AgentCertsBasePath = "certs"
--- a/agent/pkg/certs/zip_test.go
+++ b/agent/pkg/certs/zip_test.go
@@ -4,7 +4,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
+	"github.com/yusing/godoxy/agent/pkg/certs"
 )

 func TestZipCert(t *testing.T) {
--- a/agent/pkg/env/env.go
+++ b/agent/pkg/env/env.go
@@ -3,7 +3,10 @@ package env
 import (
 	"os"

-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/goutils/env"
+
+	"github.com/rs/zerolog/log"
 )

 func DefaultAgentName() string {
@@ -21,6 +24,7 @@ var (
 	AgentCACert              string
 	AgentSSLCert             string
 	DockerSocket             string
+	Runtime                  agent.ContainerRuntime
 )

 func init() {
@@ -28,11 +32,18 @@ func init() {
 }

 func Load() {
-	DockerSocket = common.GetEnvString("DOCKER_SOCKET", "/var/run/docker.sock")
-	AgentName = common.GetEnvString("AGENT_NAME", DefaultAgentName())
-	AgentPort = common.GetEnvInt("AGENT_PORT", 8890)
-	AgentSkipClientCertCheck = common.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
+	DockerSocket = env.GetEnvString("DOCKER_SOCKET", "/var/run/docker.sock")
+	AgentName = env.GetEnvString("AGENT_NAME", DefaultAgentName())
+	AgentPort = env.GetEnvInt("AGENT_PORT", 8890)
+	AgentSkipClientCertCheck = env.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)

-	AgentCACert = common.GetEnvString("AGENT_CA_CERT", "")
-	AgentSSLCert = common.GetEnvString("AGENT_SSL_CERT", "")
+	AgentCACert = env.GetEnvString("AGENT_CA_CERT", "")
+	AgentSSLCert = env.GetEnvString("AGENT_SSL_CERT", "")
+	Runtime = agent.ContainerRuntime(env.GetEnvString("RUNTIME", "docker"))
+
+	switch Runtime {
+	case agent.ContainerRuntimeDocker, agent.ContainerRuntimePodman: //, agent.ContainerRuntimeNerdctl:
+	default:
+		log.Fatal().Str("runtime", string(Runtime)).Msg("invalid runtime")
+	}
 }
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@@ -1,15 +1,15 @@
 package handler

 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"

-	"github.com/yusing/go-proxy/internal/types"
-	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
+	"github.com/bytedance/sonic"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/godoxy/internal/watcher/health/monitor"
 )

 var defaultHealthConfig = types.DefaultHealthConfig()
@@ -22,8 +22,10 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	var result *types.HealthCheckResult
-	var err error
+	var (
+		result types.HealthCheckResult
+		err    error
+	)
 	switch scheme {
 	case "fileserver":
 		path := query.Get("path")
@@ -32,7 +34,7 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		_, err := os.Stat(path)
-		result = &types.HealthCheckResult{Healthy: err == nil}
+		result = types.HealthCheckResult{Healthy: err == nil}
 		if err != nil {
 			result.Detail = err.Error()
 		}
@@ -76,5 +78,5 @@ func CheckHealth(w http.ResponseWriter, r *http.Request) {

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(result)
+	sonic.ConfigDefault.NewEncoder(w).Encode(result)
 }
--- a/agent/pkg/handler/check_health_test.go
+++ b/agent/pkg/handler/check_health_test.go
@@ -10,9 +10,9 @@ import (
 	"testing"

 	"github.com/stretchr/testify/require"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/types"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/handler"
+	"github.com/yusing/godoxy/internal/types"
 )

 func TestCheckHealthHTTP(t *testing.T) {
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@@ -6,11 +6,11 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/websocket"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/pkg"
-	socketproxy "github.com/yusing/go-proxy/socketproxy/pkg"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
+	"github.com/yusing/goutils/version"
 )

 type ServeMux struct{ *http.ServeMux }
@@ -45,11 +45,14 @@ func NewAgentHandler() http.Handler {

 	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
 	mux.HandleEndpoint("GET", agent.EndpointVersion, func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprint(w, pkg.GetVersion())
+		fmt.Fprint(w, version.Get())
 	})
 	mux.HandleEndpoint("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, env.AgentName)
 	})
+	mux.HandleEndpoint("GET", agent.EndpointRuntime, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.Runtime)
+	})
 	mux.HandleEndpoint("GET", agent.EndpointHealth, CheckHealth)
 	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, metricsHandler.ServeHTTP)
 	mux.ServeMux.HandleFunc("/", socketproxy.DockerSocketHandler(env.DockerSocket))
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -1,14 +1,13 @@
 package handler

 import (
-	"crypto/tls"
+	"fmt"
 	"net/http"
 	"net/http/httputil"
-	"strconv"
 	"time"

-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/agent/pkg/agentproxy"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/agentproxy"
 )

 func NewTransport() *http.Transport {
@@ -24,31 +23,24 @@ func NewTransport() *http.Transport {
 }

 func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
-	host := r.Header.Get(agentproxy.HeaderXProxyHost)
-	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
-	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
-	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
+	cfg, err := agentproxy.ConfigFromHeaders(r.Header)
 	if err != nil {
-		responseHeaderTimeout = 0
-	}
-
-	if host == "" {
-		http.Error(w, "missing required headers", http.StatusBadRequest)
+		http.Error(w, fmt.Sprintf("failed to parse agent proxy config: %s", err.Error()), http.StatusBadRequest)
 		return
 	}

-	scheme := "http"
-	if isHTTPS {
-		scheme = "https"
-	}
-
 	transport := NewTransport()
-	if skipTLSVerify {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	if cfg.ResponseHeaderTimeout > 0 {
+		transport.ResponseHeaderTimeout = cfg.ResponseHeaderTimeout
+	}
+	if cfg.DisableCompression {
+		transport.DisableCompression = true
 	}

-	if responseHeaderTimeout > 0 {
-		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+	transport.TLSClientConfig, err = cfg.BuildTLSConfig(r.URL)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("failed to build TLS client config: %s", err.Error()), http.StatusInternalServerError)
+		return
 	}

 	r.URL.Scheme = ""
@@ -58,8 +50,8 @@ func ProxyHTTP(w http.ResponseWriter, r *http.Request) {

 	rp := &httputil.ReverseProxy{
 		Director: func(r *http.Request) {
-			r.URL.Scheme = scheme
-			r.URL.Host = host
+			r.URL.Scheme = cfg.Scheme
+			r.URL.Host = cfg.Host
 		},
 		Transport: transport,
 	}
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -7,10 +7,10 @@ import (
 	"net/http"

 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/env"
-	"github.com/yusing/go-proxy/agent/pkg/handler"
-	"github.com/yusing/go-proxy/internal/net/gphttp/server"
-	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/agent/pkg/handler"
+	"github.com/yusing/goutils/server"
+	"github.com/yusing/goutils/task"
 )

 type Options struct {
@@ -39,5 +39,5 @@ func StartAgentServer(parent task.Parent, opt Options) {
 		TLSConfig: tlsConfig,
 	}

-	server.Start(parent, agentServer, nil, &log.Logger)
+	server.Start(parent, agentServer, server.WithLogger(&log.Logger))
 }
--- a/assets/godoxy.png
+++ b/assets/godoxy.png
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -5,19 +5,21 @@ import (
 	"sync"

 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/auth"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	"github.com/yusing/go-proxy/internal/dnsproviders"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/yusing/godoxy/internal/api"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/config"
+	"github.com/yusing/godoxy/internal/dnsproviders"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/logging"
+	"github.com/yusing/godoxy/internal/logging/memlogger"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	"github.com/yusing/godoxy/internal/metrics/uptime"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/server"
+	"github.com/yusing/goutils/task"
+	"github.com/yusing/goutils/version"
 )

 func parallel(fns ...func()) {
@@ -32,7 +34,7 @@ func main() {
 	initProfiling()

 	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
-	log.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
+	log.Info().Msgf("GoDoxy version %s", version.Get())
 	log.Trace().Msg("trace enabled")
 	parallel(
 		dnsproviders.InitProviders,
@@ -50,26 +52,26 @@ func main() {
 		prepareDirectory(dir)
 	}

-	cfg, err := config.Load()
+	err := config.Load()
 	if err != nil {
 		gperr.LogWarn("errors in config", err)
 	}

-	cfg.Start(&config.StartServersOptions{
-		Proxy: true,
-	})
+	config.StartProxyServers()
 	if err := auth.Initialize(); err != nil {
 		log.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
 	// API Handler needs to start after auth is initialized.
-	cfg.StartServers(&config.StartServersOptions{
-		API: true,
+	server.StartServer(task.RootTask("api_server", false), server.Options{
+		Name:     "api",
+		HTTPAddr: common.APIHTTPAddr,
+		Handler:  api.NewHandler(),
 	})

 	uptime.Poller.Start()
 	config.WatchChanges()

-	task.WaitExit(cfg.Value().TimeoutShutdown)
+	task.WaitExit(config.Value().TimeoutShutdown)
 }

 func prepareDirectory(dir string) {
--- a/cmd/pprof_prof.go
+++ b/cmd/pprof_prof.go
@@ -10,16 +10,10 @@ import (
 	"time"

 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	strutils "github.com/yusing/goutils/strings"
 )

-const mb = 1024 * 1024
-
 func initProfiling() {
-	debug.SetGCPercent(-1)
-	debug.SetMemoryLimit(50 * mb)
-	debug.SetMaxStack(4 * mb)
-
 	go func() {
 		log.Info().Msgf("pprof server started at http://localhost:7777/debug/pprof/")
 		log.Error().Err(http.ListenAndServe(":7777", nil)).Msg("pprof server failed")
@@ -27,9 +21,14 @@ func initProfiling() {
 	go func() {
 		ticker := time.NewTicker(time.Second * 10)
 		defer ticker.Stop()
+
+		var m runtime.MemStats
+		var gcStats debug.GCStats
+
 		for range ticker.C {
-			var m runtime.MemStats
 			runtime.ReadMemStats(&m)
+			debug.ReadGCStats(&gcStats)
+
 			log.Info().Msgf("-----------------------------------------------------")
 			log.Info().Msgf("Timestamp: %s", time.Now().Format(time.RFC3339))
 			log.Info().Msgf("  Go Heap - In Use (Alloc/HeapAlloc): %s", strutils.FormatByteSize(m.Alloc))
@@ -37,8 +36,12 @@ func initProfiling() {
 			log.Info().Msgf("  Go Stacks - In Use (StackInuse): %s", strutils.FormatByteSize(m.StackInuse))
 			log.Info().Msgf("  Go Runtime - Other Sys (MSpanInuse, MCacheInuse, BuckHashSys, GCSys, OtherSys): %s", strutils.FormatByteSize(m.MSpanInuse+m.MCacheInuse+m.BuckHashSys+m.GCSys+m.OtherSys))
 			log.Info().Msgf("  Go Runtime - Total from OS (Sys): %s", strutils.FormatByteSize(m.Sys))
+			log.Info().Msgf("  Go Runtime - Freed from OS (HeapReleased): %s", strutils.FormatByteSize(m.HeapReleased))
 			log.Info().Msgf("  Number of Goroutines: %d", runtime.NumGoroutine())
-			log.Info().Msgf("  Number of GCs: %d", m.NumGC)
+			log.Info().Msgf("  Number of completed GC cycles: %d", m.NumGC)
+			log.Info().Msgf("  Number of GCs: %d", gcStats.NumGC)
+			log.Info().Msgf("  Total GC time: %s", gcStats.PauseTotal)
+			log.Info().Msgf("  Last GC time: %s", gcStats.LastGC.Format(time.DateTime))
 			log.Info().Msg("-----------------------------------------------------")
 		}
 	}()
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -28,6 +28,8 @@ services:
    env_file: .env
    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
    read_only: true
+    tmpfs:
+      - /app/.next/cache # next image caching
    security_opt:
      - no-new-privileges:true
    cap_drop:
--- a/config.example.yml
+++ b/config.example.yml
@@ -17,6 +17,10 @@

 # 3. other providers, see https://docs.godoxy.dev/DNS-01-Providers

+# Access Control
+# When enabled, it will be applied globally at connection level,
+# all incoming connections (web, tcp and udp) will be checked against the ACL rules.
+
 # acl:
 #   default: allow # or deny (default: allow)
 #   allow_local: true # or false (default: true)
@@ -31,12 +35,21 @@
 #     - country:US
 #     - timezone:Asia/Shanghai
 #   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
-#     buffer_size: 65536 # (default: 64KB)
 #     path: /app/logs/acl.log # (default: none)
 #     stdout: false # (default: false)
-#     keep: last 10 # (default: none)
+#     keep: 30 days # (default: 30 days)
+#     log_allowed: false # (default: false)
+#   notify:
+#     interval: 1m # (default: 1m)
+#     to: [gotify, discord] # names under providers.notification
+#     include_allowed: false # (default: false)

 entrypoint:
+  # Proxy Protocol: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address
+  # When set to true, web entrypoint and all tcp routes will be wrapped with Proxy Protocol listener in order to preserve the client's IP address.
+  # Note that HTTP/3 with proxy protocol is not supported yet.
+  support_proxy_protocol: false
+
  # Below define an example of middleware config
  # 1. set security headers
  # 2. block non local IP connections
@@ -57,20 +70,14 @@ entrypoint:
        X-Frame-Options: SAMEORIGIN
        Referrer-Policy: same-origin
        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
-    # - use: CIDRWhitelist
-    #   allow:
-    #     - "127.0.0.1"
-    #     - "10.0.0.0/8"
-    #     - "172.16.0.0/12"
-    #     - "192.168.0.0/16"
-    #   status: 403
-    #   message: "Forbidden"
    # - use: RedirectHTTP

  # below enables access log
  access_log:
    format: combined
    path: /app/logs/entrypoint.log
+    stdout: false # (default: false)
+    keep: 30 days # (default: 30 days)

 providers:
  # include files are standalone yaml files under `config/` directory
@@ -95,9 +102,13 @@ providers:
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2

-  # notification providers (notify when service health changes)
+  # notification providers
  #
  # notification:
+  #   - name: ntfy
+  #     provider: ntfy
+  #     url: https://ntfy.domain.tld
+  #     topic: godoxy
  #   - name: gotify
  #     provider: gotify
  #     url: https://gotify.domain.tld
@@ -106,6 +117,11 @@ providers:
  #     provider: webhook
  #     url: https://discord.com/api/webhooks/...
  #     template: discord # this means use payload template from internal/notif/templates/discord.json
+  #   - name: pushover
+  #     provider: webhook
+  #     url: https://api.pushover.net/1/messages.json
+  #     mime_type: application/x-www-form-urlencoded
+  #     payload: '{"token": "your-app-token", "user": "your-user-key", "title": $title, "message": $message}'

  # Proxmox providers (for idlesleep support for proxmox LXCs)
  #
@@ -115,8 +131,8 @@ providers:
  #     secret: aaaa-bbbb-cccc-dddd
  #     no_tls_verify: true

-# Check https://docs.godoxy.dev/Certificates-and-domain-matching
-# for explaination of `match_domains`
+# Match domains
+# See https://docs.godoxy.dev/Certificates-and-domain-matching
 #
 # match_domains:
 #   - my.site
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine:3.22
+
+RUN apk add --no-cache ca-certificates
+
+WORKDIR /app
+
+CMD ["/app/run"]
--- a/dev.compose.yml
+++ b/dev.compose.yml
@@ -0,0 +1,67 @@
+services:
+  app:
+    image: godoxy-dev
+    build:
+      context: .
+      dockerfile: dev.Dockerfile
+    container_name: godoxy-proxy-dev
+    restart: unless-stopped
+    env_file: dev.env
+    environment:
+      DOCKER_HOST: unix:///var/run/docker.sock
+      TZ: Asia/Hong_Kong
+      API_ADDR: 127.0.0.1:8999
+      API_USER: dev
+      API_PASSWORD: 1234
+      API_SKIP_ORIGIN_CHECK: true
+      API_JWT_TTL: 24h
+      DEBUG: true
+      API_SECRET: 1234567891234567
+    labels:
+      proxy.exclude: true
+      proxy.#1.healthcheck.disable: true
+    ipc: host
+    network_mode: host
+    volumes:
+      - ./bin/godoxy:/app/run:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./dev-data/config:/app/config
+      - ./dev-data/certs:/app/certs
+      - ./dev-data/error_pages:/app/error_pages:ro
+      - ./dev-data/data:/app/data
+      - ./dev-data/logs:/app/logs
+      - ~/certs/myCA.pem:/etc/ssl/certs/ca.crt:ro
+  parca:
+    image: ghcr.io/parca-dev/parca:v0.24.2
+    container_name: godoxy-parca
+    restart: unless-stopped
+    command: [/parca, --config-path, /parca.yaml]
+    network_mode: host
+    # ports:
+    #   - 7070:7070
+    configs:
+      - source: parca
+        target: /parca.yaml
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:v3
+    container_name: tinyauth
+    restart: unless-stopped
+    environment:
+      - SECRET=12345678912345671234567891234567
+      - APP_URL=https://tinyauth.my.app
+      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+    labels:
+      proxy.tinyauth.port: "3000"
+configs:
+  parca:
+    content: |
+      object_storage:
+        bucket:
+          type: "FILESYSTEM"
+          config:
+            directory: "./data"
+      scrape_configs:
+        - job_name: "parca"
+          scrape_interval: "1s"
+          static_configs:
+            - targets: [ 'localhost:7777' ]
--- a/go.mod
+++ b/go.mod
@@ -1,88 +1,70 @@
-module github.com/yusing/go-proxy
+module github.com/yusing/godoxy

-go 1.25.0
+go 1.25.2

-replace github.com/yusing/go-proxy/agent => ./agent
+replace github.com/yusing/godoxy/agent => ./agent

-replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
+replace github.com/yusing/godoxy/internal/dnsproviders => ./internal/dnsproviders

-replace github.com/yusing/go-proxy/internal/utils => ./internal/utils
+replace github.com/coreos/go-oidc/v3 => ./internal/go-oidc

-replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.0.0-20250816044348-0630187cb14b
+replace github.com/shirou/gopsutil/v4 => ./internal/gopsutil

-replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250816043325-ee003f88b84d
+replace github.com/yusing/goutils => ./goutils

 require (
 	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
-	github.com/coreos/go-oidc/v3 v3.15.0 // oidc authentication
-	github.com/docker/docker v28.3.3+incompatible // docker daemon
+	github.com/coreos/go-oidc/v3 v3.16.0 // oidc authentication
+	github.com/docker/docker v28.5.1+incompatible // docker daemon
 	github.com/fsnotify/fsnotify v1.9.0 // file watcher
-	github.com/go-acme/lego/v4 v4.25.2 // acme client
-	github.com/go-playground/validator/v10 v10.27.0 // validator
+	github.com/gin-gonic/gin v1.11.0 // api server
+	github.com/go-acme/lego/v4 v4.26.0 // acme client
+	github.com/go-playground/validator/v10 v10.28.0 // validator
 	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
 	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
-	github.com/gotify/server/v2 v2.6.3 // reference the Message struct for json response
+	github.com/gotify/server/v2 v2.7.3 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/puzpuzpuz/xsync/v4 v4.1.0 // lock free map for concurrent operations
+	github.com/pires/go-proxyproto v0.8.1 // proxy protocol support
+	github.com/puzpuzpuz/xsync/v4 v4.2.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
-	github.com/shirou/gopsutil/v4 v4.25.7 // system info metrics
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-	golang.org/x/crypto v0.41.0 // encrypting password with bcrypt
-	golang.org/x/net v0.43.0 // HTTP header utilities
-	golang.org/x/oauth2 v0.30.0 // oauth2 authentication
-	golang.org/x/sync v0.16.0
-	golang.org/x/time v0.12.0 // time utilities
+	golang.org/x/crypto v0.43.0 // encrypting password with bcrypt
+	golang.org/x/net v0.46.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.32.0 // oauth2 authentication
+	golang.org/x/sync v0.17.0
+	golang.org/x/time v0.14.0 // time utilities
 )

 require (
-	github.com/docker/cli v28.3.3+incompatible
+	github.com/docker/cli v28.5.1+incompatible
 	github.com/goccy/go-yaml v1.18.0 // yaml parsing for different config files
 	github.com/golang-jwt/jwt/v5 v5.3.0
-	github.com/luthermonson/go-proxmox v0.2.2
+	github.com/luthermonson/go-proxmox v0.2.3
 	github.com/oschwald/maxminddb-golang v1.13.1
-	github.com/quic-go/quic-go v0.54.0
-	github.com/samber/slog-zerolog/v2 v2.7.3
-	github.com/spf13/afero v1.14.0
+	github.com/quic-go/quic-go v0.55.0 // indirect; http3 support
+	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
+	github.com/spf13/afero v1.15.0
 	github.com/stretchr/testify v1.11.1
-	github.com/yusing/go-proxy/agent v0.0.0-20250819142638-5e15fd4bbef0
-	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-20250819142638-5e15fd4bbef0
-	github.com/yusing/go-proxy/internal/utils v0.0.0
+	github.com/yusing/ds v0.2.0
+	github.com/yusing/godoxy/agent v0.0.0-20251011032714-d1e403e16f1c
+	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20251011032714-d1e403e16f1c
+	github.com/yusing/goutils v0.6.1
 )

 require (
-	cloud.google.com/go/auth v0.16.5 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.8.0 // indirect
-	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
-	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.31.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.8 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.48.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.57.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.28.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.1 // indirect
-	github.com/aws/smithy-go v1.23.0 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.241 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
-	github.com/boombuler/barcode v1.1.0 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -91,207 +73,112 @@ require (
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
-	github.com/exoscale/egoscale/v3 v3.1.25 // indirect
-	github.com/fatih/structs v1.1.0 // indirect
+	github.com/ebitengine/purego v0.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
-	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-resty/resty/v2 v2.16.5 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/gofrs/flock v0.12.1 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/gofrs/flock v0.13.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
-	github.com/gophercloud/gophercloud v1.14.1 // indirect
-	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.166 // indirect
-	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
-	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
-	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
-	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
-	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.56.0 // indirect
-	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
-	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
-	github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.68 // indirect
-	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/nrdcg/auroradns v1.1.0 // indirect
-	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
-	github.com/nrdcg/desec v0.11.0 // indirect
-	github.com/nrdcg/freemyip v0.3.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
-	github.com/nrdcg/goinwx v0.11.0 // indirect
-	github.com/nrdcg/mailinabox v0.2.0 // indirect
-	github.com/nrdcg/namesilo v0.2.1 // indirect
-	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
-	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/ovh/go-ovh v1.9.0 // indirect
-	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/peterhellberg/link v1.2.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/pquerna/otp v1.5.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sacloud/api-client-go v0.3.3 // indirect
-	github.com/sacloud/go-http v0.1.9 // indirect
-	github.com/sacloud/iaas-api-go v1.17.0 // indirect
-	github.com/sacloud/packages-go v0.0.11 // indirect
-	github.com/sagikazarmark/locafero v0.10.0 // indirect
-	github.com/samber/lo v1.51.0 // indirect
+	github.com/samber/lo v1.52.0 // indirect
 	github.com/samber/slog-common v0.19.0 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.34 // indirect
-	github.com/selectel/domains-go v1.1.0 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.2.0 // indirect
-	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/sony/gobreaker v1.0.0 // indirect
-	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
-	github.com/spf13/cast v1.9.2 // indirect
-	github.com/spf13/pflag v1.0.7 // indirect
-	github.com/spf13/viper v1.20.1 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.18 // indirect
-	github.com/tjfoc/gmsm v1.4.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
-	github.com/transip/gotransip/v6 v6.26.0 // indirect
-	github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419 // indirect
-	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.219 // indirect
-	github.com/vultr/govultr/v3 v3.23.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.mongodb.org/mongo-driver v1.17.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/atomic v1.11.0
-	go.uber.org/mock v0.6.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	google.golang.org/api v0.248.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect
-	google.golang.org/grpc v1.75.0
-	google.golang.org/protobuf v1.36.8 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/api v0.252.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff // indirect
+	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.15.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 require (
-	github.com/containerd/containerd/v2 v2.1.4
-	github.com/containerd/nerdctl/v2 v2.1.3
-	github.com/gin-gonic/gin v1.10.1
-	github.com/swaggo/swag v1.16.6
-	github.com/yusing/ds v0.1.0
+	github.com/bytedance/sonic v1.14.1
+	github.com/shirou/gopsutil/v4 v4.25.9
+	github.com/yusing/gointernals v0.1.16
 )

 require (
-	github.com/KyleBanks/depth v1.2.1 // indirect
-	github.com/Microsoft/hcsshim v0.13.0 // indirect
-	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
-	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.11 // indirect
-	github.com/alibabacloud-go/debug v1.0.1 // indirect
-	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
-	github.com/alibabacloud-go/tea v1.3.11 // indirect
-	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
-	github.com/aliyun/credentials-go v1.4.7 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
-	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/containerd/cgroups/v3 v3.0.5 // indirect
-	github.com/containerd/containerd/api v1.9.0 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/containerd/fifo v1.1.0 // indirect
-	github.com/containerd/go-cni v1.1.13 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.1 // indirect
-	github.com/containerd/plugin v1.0.0 // indirect
-	github.com/containerd/ttrpc v1.2.7 // indirect
-	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/containernetworking/cni v1.3.0 // indirect
-	github.com/dnsimple/dnsimple-go/v4 v4.0.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-acme/alidns-20150109/v4 v4.5.11 // indirect
-	github.com/go-acme/tencentclouddnspod v1.0.1208 // indirect
-	github.com/go-openapi/jsonpointer v0.21.2 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-ozzo/ozzo-validation/v4 v4.3.0 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
-	github.com/moby/locker v1.0.1 // indirect
+	github.com/linode/linodego v1.60.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
-	github.com/moby/sys/mountinfo v0.7.2 // indirect
-	github.com/moby/sys/sequential v0.6.0 // indirect
-	github.com/moby/sys/signal v0.7.1 // indirect
-	github.com/moby/sys/user v0.4.0 // indirect
-	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/namedotcom/go/v4 v4.0.2 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.99.1 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.99.1 // indirect
-	github.com/opencontainers/runtime-spec v1.2.1 // indirect
-	github.com/opencontainers/selinux v1.12.0 // indirect
-	github.com/petermattis/goid v0.0.0-20250813065127-a731cc31b4fe // indirect
-	github.com/sasha-s/go-deadlock v0.3.5 // indirect
-	github.com/selectel/go-selvpcclient/v4 v4.1.0 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.102.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.102.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/stretchr/objx v0.5.3 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
-	go.opencensus.io v0.24.0 // indirect
+	github.com/ulikunitz/xz v0.5.14 // indirect
+	github.com/vultr/govultr/v3 v3.24.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	google.golang.org/genproto v0.0.0-20250811230008-5f3141c8851a // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
+	golang.org/x/arch v0.22.0 // indirect
+	google.golang.org/genproto v0.0.0-20250908214217-97024824d090 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/1
+++ b/1
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -1,17 +1,23 @@
 package acl

 import (
+	"fmt"
+	"math"
 	"net"
+	"sync/atomic"
 	"time"

 	"github.com/puzpuzpuz/xsync/v4"
+	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging/accesslog"
-	"github.com/yusing/go-proxy/internal/maxmind"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/logging/accesslog"
+	"github.com/yusing/godoxy/internal/maxmind"
+	"github.com/yusing/godoxy/internal/notif"
+	"github.com/yusing/godoxy/internal/utils"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
+	"github.com/yusing/goutils/task"
 )

 type Config struct {
@@ -21,16 +27,42 @@ type Config struct {
 	Deny       Matchers                   `json:"deny"`
 	Log        *accesslog.ACLLoggerConfig `json:"log"`

+	Notify struct {
+		To             []string      `json:"to"`              // list of notification providers
+		Interval       time.Duration `json:"interval"`        // interval between notifications
+		IncludeAllowed *bool         `json:"include_allowed"` // default: false
+	} `json:"notify"`
+
 	config
 	valErr gperr.Error
 }

+const defaultNotifyInterval = 1 * time.Minute
+
 type config struct {
 	defaultAllow bool
 	allowLocal   bool
 	ipCache      *xsync.Map[string, *checkCache]
-	logAllowed   bool
-	logger       *accesslog.AccessLogger
+
+	// will be nil if Notify.To is empty
+	// these are per IP, reset every Notify.Interval
+	allowedCount map[string]uint32
+	blockedCount map[string]uint32
+
+	// these are total, never reset
+	totalAllowedCount uint64
+	totalBlockedCount uint64
+
+	logAllowed bool
+	// will be nil if Log is nil
+	logger *accesslog.AccessLogger
+
+	// will never tick if Notify.To is empty
+	notifyTicker  *time.Ticker
+	notifyAllowed bool
+
+	// will be nil if both Log and Notify.To are empty
+	logNotifyCh chan ipLog
 }

 type checkCache struct {
@@ -39,6 +71,14 @@ type checkCache struct {
 	created time.Time
 }

+type ipLog struct {
+	info    *maxmind.IPInfo
+	allowed bool
+}
+
+// could be nil
+var ActiveConfig atomic.Pointer[Config]
+
 const cacheTTL = 1 * time.Minute

 func (c *checkCache) Expired() bool {
@@ -69,6 +109,10 @@ func (c *Config) Validate() gperr.Error {
 		c.allowLocal = true
 	}

+	if c.Notify.Interval < 0 {
+		c.Notify.Interval = defaultNotifyInterval
+	}
+
 	if c.Log != nil {
 		c.logAllowed = c.Log.LogAllowed
 	}
@@ -79,6 +123,12 @@ func (c *Config) Validate() gperr.Error {
 	}

 	c.ipCache = xsync.NewMap[string, *checkCache]()
+
+	if c.Notify.IncludeAllowed != nil {
+		c.notifyAllowed = *c.Notify.IncludeAllowed
+	} else {
+		c.notifyAllowed = false
+	}
 	return nil
 }

@@ -86,7 +136,7 @@ func (c *Config) Valid() bool {
 	return c != nil && c.valErr == nil
 }

-func (c *Config) Start(parent *task.Task) gperr.Error {
+func (c *Config) Start(parent task.Parent) gperr.Error {
 	if c.Log != nil {
 		logger, err := accesslog.NewAccessLogger(parent, c.Log)
 		if err != nil {
@@ -97,6 +147,23 @@ func (c *Config) Start(parent *task.Task) gperr.Error {
 	if c.valErr != nil {
 		return c.valErr
 	}
+
+	if c.needLogOrNotify() {
+		c.logNotifyCh = make(chan ipLog, 100)
+	}
+
+	if c.needNotify() {
+		c.allowedCount = make(map[string]uint32)
+		c.blockedCount = make(map[string]uint32)
+		c.notifyTicker = time.NewTicker(c.Notify.Interval)
+	} else {
+		c.notifyTicker = time.NewTicker(time.Duration(math.MaxInt64)) // never tick
+	}
+
+	if c.needLogOrNotify() {
+		go c.logNotifyLoop(parent)
+	}
+
 	log.Info().
 		Str("default", c.Default).
 		Bool("allow_local", c.allowLocal).
@@ -117,12 +184,89 @@ func (c *Config) cacheRecord(info *maxmind.IPInfo, allow bool) {
 	})
 }

-func (c *config) log(info *maxmind.IPInfo, allowed bool) {
-	if c.logger == nil {
-		return
+func (c *Config) needLogOrNotify() bool {
+	return c.needLog() || c.needNotify()
+}
+
+func (c *Config) needLog() bool {
+	return c.logger != nil
+}
+
+func (c *Config) needNotify() bool {
+	return len(c.Notify.To) > 0
+}
+
+func (c *Config) getCachedCity(ip string) string {
+	record, ok := c.ipCache.Load(ip)
+	if ok {
+		if record.City != nil {
+			if record.City.Country.IsoCode != "" {
+				return record.City.Country.IsoCode
+			}
+			return record.City.Location.TimeZone
+		}
 	}
-	if !allowed || c.logAllowed {
-		c.logger.LogACL(info, !allowed)
+	return "unknown location"
+}
+
+func (c *Config) logNotifyLoop(parent task.Parent) {
+	defer c.notifyTicker.Stop()
+
+	for {
+		select {
+		case <-parent.Context().Done():
+			return
+		case log := <-c.logNotifyCh:
+			if c.logger != nil {
+				if !log.allowed || c.logAllowed {
+					c.logger.LogACL(log.info, !log.allowed)
+				}
+			}
+			if c.needNotify() {
+				if log.allowed {
+					if c.notifyAllowed {
+						c.allowedCount[log.info.Str]++
+						c.totalAllowedCount++
+					}
+				} else {
+					c.blockedCount[log.info.Str]++
+					c.totalBlockedCount++
+				}
+			}
+		case <-c.notifyTicker.C: // will never tick when notify is disabled
+			total := len(c.allowedCount) + len(c.blockedCount)
+			if total == 0 {
+				continue
+			}
+			total++
+			fieldsBody := make(notif.ListBody, total)
+			i := 0
+			fieldsBody[i] = fmt.Sprintf("Total: allowed %d, blocked %d", c.totalAllowedCount, c.totalBlockedCount)
+			i++
+			for ip, count := range c.allowedCount {
+				fieldsBody[i] = fmt.Sprintf("%s (%s): allowed %d times", ip, c.getCachedCity(ip), count)
+				i++
+			}
+			for ip, count := range c.blockedCount {
+				fieldsBody[i] = fmt.Sprintf("%s (%s): blocked %d times", ip, c.getCachedCity(ip), count)
+				i++
+			}
+			notif.Notify(&notif.LogMessage{
+				Level: zerolog.InfoLevel,
+				Title: "ACL Summary for last " + strutils.FormatDuration(c.Notify.Interval),
+				Body:  fieldsBody,
+				To:    c.Notify.To,
+			})
+			clear(c.allowedCount)
+			clear(c.blockedCount)
+		}
+	}
+}
+
+// log and notify if needed
+func (c *Config) logAndNotify(info *maxmind.IPInfo, allowed bool) {
+	if c.logNotifyCh != nil {
+		c.logNotifyCh <- ipLog{info: info, allowed: allowed}
 	}
 }

@@ -137,30 +281,30 @@ func (c *Config) IPAllowed(ip net.IP) bool {
 	}

 	if c.allowLocal && ip.IsPrivate() {
-		c.log(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
+		c.logAndNotify(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
 		return true
 	}

 	ipStr := ip.String()
 	record, ok := c.ipCache.Load(ipStr)
 	if ok && !record.Expired() {
-		c.log(record.IPInfo, record.allow)
+		c.logAndNotify(record.IPInfo, record.allow)
 		return record.allow
 	}

 	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
 	if c.Allow.Match(ipAndStr) {
-		c.log(ipAndStr, true)
+		c.logAndNotify(ipAndStr, true)
 		c.cacheRecord(ipAndStr, true)
 		return true
 	}
 	if c.Deny.Match(ipAndStr) {
-		c.log(ipAndStr, false)
+		c.logAndNotify(ipAndStr, false)
 		c.cacheRecord(ipAndStr, false)
 		return false
 	}

-	c.log(ipAndStr, c.defaultAllow)
+	c.logAndNotify(ipAndStr, c.defaultAllow)
 	c.cacheRecord(ipAndStr, c.defaultAllow)
 	return c.defaultAllow
 }
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@@ -4,8 +4,8 @@ import (
 	"net"
 	"strings"

-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/maxmind"
+	"github.com/yusing/godoxy/internal/maxmind"
+	gperr "github.com/yusing/goutils/errs"
 )

 type MatcherFunc func(*maxmind.IPInfo) bool
--- a/internal/acl/matcher_test.go
+++ b/internal/acl/matcher_test.go
@@ -5,8 +5,8 @@ import (
 	"reflect"
 	"testing"

-	maxmind "github.com/yusing/go-proxy/internal/maxmind/types"
-	"github.com/yusing/go-proxy/internal/serialization"
+	maxmind "github.com/yusing/godoxy/internal/maxmind/types"
+	"github.com/yusing/godoxy/internal/serialization"
 )

 func TestMatchers(t *testing.T) {
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@@ -1,6 +1,7 @@
 package acl

 import (
+	"errors"
 	"io"
 	"net"
 	"time"
@@ -54,6 +55,21 @@ func (s *TCPListener) Accept() (net.Conn, error) {
 	return c, nil
 }

+type tcpListener interface {
+	SetDeadline(t time.Time) error
+}
+
+var _ tcpListener = (*net.TCPListener)(nil)
+
+func (s *TCPListener) SetDeadline(t time.Time) error {
+	switch lis := s.lis.(type) {
+	case tcpListener:
+		return lis.SetDeadline(t)
+	default:
+		return errors.New("not a TCPListener")
+	}
+}
+
 func (s *TCPListener) Close() error {
 	return s.lis.Close()
 }
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@@ -1,6 +1,7 @@
 package acl

 import (
+	"errors"
 	"net"
 	"time"
 )
@@ -74,6 +75,31 @@ func (s *UDPListener) SetWriteDeadline(t time.Time) error {
 	return s.lis.SetWriteDeadline(t)
 }

+type udpListener interface {
+	SetReadBuffer(bytes int) error
+	SetWriteBuffer(bytes int) error
+}
+
+var _ udpListener = (*net.UDPConn)(nil)
+
+func (s *UDPListener) SetReadBuffer(bytes int) error {
+	switch lis := s.lis.(type) {
+	case udpListener:
+		return lis.SetReadBuffer(bytes)
+	default:
+		return errors.New("not a UDPConn")
+	}
+}
+
+func (s *UDPListener) SetWriteBuffer(bytes int) error {
+	switch lis := s.lis.(type) {
+	case udpListener:
+		return lis.SetWriteBuffer(bytes)
+	default:
+		return errors.New("not a UDPConn")
+	}
+}
+
 func (s *UDPListener) Close() error {
 	return s.lis.Close()
 }
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -8,19 +8,19 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog/log"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	apiV1 "github.com/yusing/go-proxy/internal/api/v1"
-	agentApi "github.com/yusing/go-proxy/internal/api/v1/agent"
-	authApi "github.com/yusing/go-proxy/internal/api/v1/auth"
-	certApi "github.com/yusing/go-proxy/internal/api/v1/cert"
-	dockerApi "github.com/yusing/go-proxy/internal/api/v1/docker"
-	"github.com/yusing/go-proxy/internal/api/v1/docs"
-	fileApi "github.com/yusing/go-proxy/internal/api/v1/file"
-	homepageApi "github.com/yusing/go-proxy/internal/api/v1/homepage"
-	metricsApi "github.com/yusing/go-proxy/internal/api/v1/metrics"
-	routeApi "github.com/yusing/go-proxy/internal/api/v1/route"
-	"github.com/yusing/go-proxy/internal/auth"
-	"github.com/yusing/go-proxy/internal/common"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	apiV1 "github.com/yusing/godoxy/internal/api/v1"
+	agentApi "github.com/yusing/godoxy/internal/api/v1/agent"
+	authApi "github.com/yusing/godoxy/internal/api/v1/auth"
+	certApi "github.com/yusing/godoxy/internal/api/v1/cert"
+	dockerApi "github.com/yusing/godoxy/internal/api/v1/docker"
+	fileApi "github.com/yusing/godoxy/internal/api/v1/file"
+	homepageApi "github.com/yusing/godoxy/internal/api/v1/homepage"
+	metricsApi "github.com/yusing/godoxy/internal/api/v1/metrics"
+	routeApi "github.com/yusing/godoxy/internal/api/v1/route"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/common"
+	gperr "github.com/yusing/goutils/errs"
 )

 // @title           GoDoxy API
@@ -39,23 +39,25 @@ import (
 // @externalDocs.description  GoDoxy Docs
 // @externalDocs.url          https://docs.godoxy.dev
 func NewHandler() *gin.Engine {
-	gin.SetMode("release")
+	if !common.IsDebug {
+		gin.SetMode("release")
+	}
 	r := gin.New()
 	r.Use(ErrorHandler())
 	r.Use(ErrorLoggingMiddleware())

-	docs.SwaggerInfo.Title = "GoDoxy API"
-	docs.SwaggerInfo.BasePath = "/api/v1"
-
 	r.GET("/api/v1/version", apiV1.Version)

-	v1Auth := r.Group("/api/v1/auth")
-	{
-		v1Auth.HEAD("/check", authApi.Check)
-		v1Auth.POST("/login", authApi.Login)
-		v1Auth.GET("/callback", authApi.Callback)
-		v1Auth.POST("/callback", authApi.Callback)
-		v1Auth.POST("/logout", authApi.Logout)
+	if auth.IsEnabled() {
+		v1Auth := r.Group("/api/v1/auth")
+		{
+			v1Auth.HEAD("/check", authApi.Check)
+			v1Auth.POST("/login", authApi.Login)
+			v1Auth.GET("/callback", authApi.Callback)
+			v1Auth.POST("/callback", authApi.Callback)
+			v1Auth.POST("/logout", authApi.Logout)
+			v1Auth.GET("/logout", authApi.Logout)
+		}
 	}

 	v1 := r.Group("/api/v1")
@@ -97,7 +99,12 @@ func NewHandler() *gin.Engine {
 			homepage.POST("/set/item", homepageApi.SetItem)
 			homepage.POST("/set/items_batch", homepageApi.SetItemsBatch)
 			homepage.POST("/set/item_visible", homepageApi.SetItemVisible)
+			homepage.POST("/set/item_favorite", homepageApi.SetItemFavorite)
+			homepage.POST("/set/item_sort_order", homepageApi.SetItemSortOrder)
+			homepage.POST("/set/item_all_sort_order", homepageApi.SetItemAllSortOrder)
+			homepage.POST("/set/item_fav_sort_order", homepageApi.SetItemFavSortOrder)
 			homepage.POST("/set/category_order", homepageApi.SetCategoryOrder)
+			homepage.POST("/item_click", homepageApi.ItemClick)
 		}

 		cert := v1.Group("/cert")
@@ -116,14 +123,19 @@ func NewHandler() *gin.Engine {
 		metrics := v1.Group("/metrics")
 		{
 			metrics.GET("/system_info", metricsApi.SystemInfo)
+			metrics.GET("/all_system_info", metricsApi.AllSystemInfo)
 			metrics.GET("/uptime", metricsApi.Uptime)
 		}

 		docker := v1.Group("/docker")
 		{
+			docker.GET("/container/:id", dockerApi.GetContainer)
 			docker.GET("/containers", dockerApi.Containers)
 			docker.GET("/info", dockerApi.Info)
-			docker.GET("/logs/:server/:container", dockerApi.Logs)
+			docker.GET("/logs/:id", dockerApi.Logs)
+			docker.POST("/start", dockerApi.Start)
+			docker.POST("/stop", dockerApi.Stop)
+			docker.POST("/restart", dockerApi.Restart)
 		}
 	}

@@ -186,10 +198,11 @@ func ErrorHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Next()
 		if len(c.Errors) > 0 {
+			logger := log.With().Str("uri", c.Request.RequestURI).Logger()
 			for _, err := range c.Errors {
-				log.Err(err.Err).Str("uri", c.Request.RequestURI).Msg("Internal error")
+				gperr.LogError("Internal error", err.Err, &logger)
 			}
-			if !isWebSocketRequest(c) {
+			if !c.IsWebsocket() {
 				c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
 			}
 		}
@@ -199,12 +212,8 @@ func ErrorHandler() gin.HandlerFunc {
 func ErrorLoggingMiddleware() gin.HandlerFunc {
 	return gin.CustomRecoveryWithWriter(nil, func(c *gin.Context, err any) {
 		log.Error().Any("error", err).Str("uri", c.Request.RequestURI).Msg("Internal error")
-		if !isWebSocketRequest(c) {
+		if !c.IsWebsocket() {
 			c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
 		}
 	})
 }
-
-func isWebSocketRequest(c *gin.Context) bool {
-	return c.GetHeader("Upgrade") == "websocket"
-}
--- a/internal/api/types/error.go
+++ b/internal/api/types/error.go
@@ -3,7 +3,7 @@ package apitypes
 import (
 	"errors"

-	"github.com/yusing/go-proxy/internal/gperr"
+	gperr "github.com/yusing/goutils/errs"
 )

 type ErrorResponse struct {
--- a/internal/api/types/error_code.go
+++ b/internal/api/types/error_code.go
@@ -1,17 +0,0 @@
-package apitypes
-
-type ErrorCode int
-
-const (
-	ErrorCodeUnauthorized ErrorCode = iota + 1
-	ErrorCodeNotFound
-	ErrorCodeInternalServerError
-)
-
-func (e ErrorCode) String() string {
-	return []string{
-		"Unauthorized",
-		"Not Found",
-		"Internal Server Error",
-	}[e]
-}
--- a/internal/api/v1/agent/common.go
+++ b/internal/api/v1/agent/common.go
@@ -7,7 +7,7 @@ import (
 	"time"

 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/agent"
 )

 type PEMPairResponse struct {
--- a/internal/api/v1/agent/create.go
+++ b/internal/api/v1/agent/create.go
@@ -8,16 +8,17 @@ import (
 	_ "embed"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	apitypes "github.com/yusing/goutils/apitypes"
 )

 type NewAgentRequest struct {
-	Name    string `form:"name" validate:"required"`
-	Host    string `form:"host" validate:"required"`
-	Port    int    `form:"port" validate:"required,min=1,max=65535"`
-	Type    string `form:"type" validate:"required,oneof=docker system"`
-	Nightly bool   `form:"nightly" validate:"omitempty"`
+	Name             string                 `json:"name" binding:"required"`
+	Host             string                 `json:"host" binding:"required"`
+	Port             int                    `json:"port" binding:"required,min=1,max=65535"`
+	Type             string                 `json:"type" binding:"required,oneof=docker system"`
+	Nightly          bool                   `json:"nightly" binding:"omitempty"`
+	ContainerRuntime agent.ContainerRuntime `json:"container_runtime" binding:"omitempty,oneof=docker podman" default:"docker"`
 } // @name NewAgentRequest

 type NewAgentResponse struct {
@@ -47,6 +48,7 @@ func Create(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
 	}
+
 	hostport := net.JoinHostPort(request.Host, strconv.Itoa(request.Port))
 	if _, ok := agent.GetAgent(hostport); ok {
 		c.JSON(http.StatusConflict, apitypes.Error("agent already exists"))
@@ -67,10 +69,11 @@ func Create(c *gin.Context) {
 	}

 	var cfg agent.Generator = &agent.AgentEnvConfig{
-		Name:    request.Name,
-		Port:    request.Port,
-		CACert:  ca.String(),
-		SSLCert: srv.String(),
+		Name:             request.Name,
+		Port:             request.Port,
+		CACert:           ca.String(),
+		SSLCert:          srv.String(),
+		ContainerRuntime: request.ContainerRuntime,
 	}
 	if request.Type == "docker" {
 		cfg = &agent.AgentComposeConfig{
--- a/internal/api/v1/agent/list.go
+++ b/internal/api/v1/agent/list.go
@@ -5,9 +5,9 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 // @x-id				"list"
--- a/internal/api/v1/agent/verify.go
+++ b/internal/api/v1/agent/verify.go
@@ -6,15 +6,19 @@ import (
 	"os"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/certs"
-	. "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+	config "github.com/yusing/godoxy/internal/config/types"
+	"github.com/yusing/godoxy/internal/route/provider"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
 )

 type VerifyNewAgentRequest struct {
-	Host   string          `json:"host"`
-	CA     PEMPairResponse `json:"ca"`
-	Client PEMPairResponse `json:"client"`
+	Host             string                 `json:"host"`
+	CA               PEMPairResponse        `json:"ca"`
+	Client           PEMPairResponse        `json:"client"`
+	ContainerRuntime agent.ContainerRuntime `json:"container_runtime"`
 } // @name VerifyNewAgentRequest

 // @x-id          "verify"
@@ -33,44 +37,78 @@ type VerifyNewAgentRequest struct {
 func Verify(c *gin.Context) {
 	var request VerifyNewAgentRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid request", err))
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
 	}

 	filename, ok := certs.AgentCertsFilepath(request.Host)
 	if !ok {
-		c.JSON(http.StatusBadRequest, Error("invalid host", nil))
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid host", nil))
 		return
 	}

 	ca, err := fromEncryptedPEMPairResponse(request.CA)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid CA", err))
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid CA", err))
 		return
 	}

 	client, err := fromEncryptedPEMPairResponse(request.Client)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid client", err))
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid client", err))
 		return
 	}

-	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(request.Host, ca, client)
+	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error("invalid request", err))
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
 	}

 	zip, err := certs.ZipCert(ca.Cert, client.Cert, client.Key)
 	if err != nil {
-		c.Error(InternalServerError(err, "failed to zip certs"))
+		c.Error(apitypes.InternalServerError(err, "failed to zip certs"))
 		return
 	}

 	if err := os.WriteFile(filename, zip, 0o600); err != nil {
-		c.Error(InternalServerError(err, "failed to write certs"))
+		c.Error(apitypes.InternalServerError(err, "failed to write certs"))
 		return
 	}

-	c.JSON(http.StatusOK, Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
+	c.JSON(http.StatusOK, apitypes.Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
+}
+
+func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+	cfgState := config.ActiveState.Load()
+	for _, a := range cfgState.Value().Providers.Agents {
+		if a.Addr == host {
+			return 0, gperr.New("agent already exists")
+		}
+	}
+
+	var agentCfg agent.AgentConfig
+	agentCfg.Addr = host
+	agentCfg.Runtime = containerRuntime
+
+	err := agentCfg.StartWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to start agent")
+	}
+
+	provider := provider.NewAgentProvider(&agentCfg)
+	if _, loaded := cfgState.LoadOrStoreProvider(provider.String(), provider); loaded {
+		return 0, gperr.Errorf("provider %s already exists", provider.String())
+	}
+
+	// agent must be added before loading routes
+	agent.AddAgent(&agentCfg)
+	err = provider.LoadRoutes()
+	if err != nil {
+		cfgState.DeleteProvider(provider.String())
+		agent.RemoveAgent(&agentCfg)
+		return 0, gperr.Wrap(err, "failed to load routes")
+	}
+
+	return provider.NumRoutes(), nil
 }
--- a/internal/api/v1/auth/callback.go
+++ b/internal/api/v1/auth/callback.go
@@ -3,7 +3,7 @@ package auth

 import (
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
+	"github.com/yusing/godoxy/internal/auth"
 )

 // @x-id				"callback"
@@ -18,7 +18,6 @@ import (
 // @Failure		400	{string}	string	"OIDC: invalid request (missing state cookie or oauth state)"
 // @Failure		400	{string}	string	"Userpass: invalid request / credentials"
 // @Failure		500	{string}	string	"Internal server error"
-// @Router			/auth/callback [get]
 // @Router			/auth/callback [post]
 func Callback(c *gin.Context) {
 	auth.GetDefaultAuth().PostAuthCallbackHandler(c.Writer, c.Request)
--- a/internal/api/v1/auth/check.go
+++ b/internal/api/v1/auth/check.go
@@ -2,17 +2,17 @@ package auth

 import (
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
+	"github.com/yusing/godoxy/internal/auth"
 )

-// @x-id				"check"
+// @x-id	  	"check"
 // @Base			/api/v1
 // @Summary		Check authentication status
 // @Description	Checks if the user is authenticated by validating their token
 // @Tags			auth
 // @Produce		plain
 // @Success		200	{string}	string	"OK"
-// @Failure		403	{string}	string	"Forbidden: use X-Redirect-To header to redirect to login page"
+// @Failure		302	{string}	string	"Redirects to login page or IdP"
 // @Router			/auth/check [head]
 func Check(c *gin.Context) {
 	auth.AuthCheckHandler(c.Writer, c.Request)
--- a/internal/api/v1/auth/login.go
+++ b/internal/api/v1/auth/login.go
@@ -2,7 +2,7 @@ package auth

 import (
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
+	"github.com/yusing/godoxy/internal/auth"
 )

 // @x-id       "login"
@@ -12,7 +12,6 @@ import (
 // @Tags       auth
 // @Produce    plain
 // @Success    302 {string} string "Redirects to login page or IdP"
-// @Failure    403 {string} string "Forbidden(webui): follow X-Redirect-To header"
 // @Failure    429 {string} string "Too Many Requests"
 // @Router     /auth/login [post]
 func Login(c *gin.Context) {
--- a/internal/api/v1/auth/logout.go
+++ b/internal/api/v1/auth/logout.go
@@ -2,7 +2,7 @@ package auth

 import (
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/auth"
+	"github.com/yusing/godoxy/internal/auth"
 )

 // @x-id				"logout"
@@ -13,6 +13,7 @@ import (
 // @Produce		plain
 // @Success		302	{string} string	"Redirects to home page"
 // @Router			/auth/logout [post]
+// @Router			/auth/logout [get]
 func Logout(c *gin.Context) {
 	auth.GetDefaultAuth().LogoutHandler(c.Writer, c.Request)
 }
--- a/internal/api/v1/cert/info.go
+++ b/internal/api/v1/cert/info.go
@@ -4,8 +4,8 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/autocert"
 )

 type CertInfo struct {
@@ -29,7 +29,7 @@ type CertInfo struct {
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/cert/info [get]
 func Info(c *gin.Context) {
-	autocert := config.GetInstance().AutoCertProvider()
+	autocert := autocert.ActiveProvider.Load()
 	if autocert == nil {
 		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
 		return
--- a/internal/api/v1/cert/renew.go
+++ b/internal/api/v1/cert/renew.go
@@ -6,11 +6,11 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/logging/memlogger"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/autocert"
+	"github.com/yusing/godoxy/internal/logging/memlogger"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/websocket"
 )

 // @x-id				"renew"
@@ -24,7 +24,7 @@ import (
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/cert/renew [get]
 func Renew(c *gin.Context) {
-	autocert := config.GetInstance().AutoCertProvider()
+	autocert := autocert.ActiveProvider.Load()
 	if autocert == nil {
 		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
 		return
--- a/internal/api/v1/docker/container.go
+++ b/internal/api/v1/docker/container.go
@@ -0,0 +1,63 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/docker"
+)
+
+// @x-id				"container"
+// @BasePath		/api/v1
+// @Summary		Get container
+// @Description	Get container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			id	path		string	true	"Container ID"
+// @Success		200	{object}		Container
+// @Failure		400	{object}	apitypes.ErrorResponse "ID is required"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/container/{id} [get]
+func GetContainer(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("id is required"))
+		return
+	}
+
+	dockerHost, ok := docker.GetDockerHostByContainerID(id)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerHost)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	cont, err := client.ContainerInspect(c.Request.Context(), id)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to inspect container"))
+		return
+	}
+
+	var state ContainerState
+	if cont.State != nil {
+		state = cont.State.Status
+	}
+
+	c.JSON(http.StatusOK, &Container{
+		Server: dockerHost,
+		Name:   cont.Name,
+		ID:     cont.ID,
+		Image:  cont.Image,
+		State:  state,
+	})
+}
--- a/internal/api/v1/docker/containers.go
+++ b/internal/api/v1/docker/containers.go
@@ -6,7 +6,7 @@ import (

 	"github.com/docker/docker/api/types/container"
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/gperr"
+	gperr "github.com/yusing/goutils/errs"
 )

 type ContainerState = container.ContainerState // @name ContainerState
@@ -16,7 +16,7 @@ type Container struct {
 	Name   string         `json:"name"`
 	ID     string         `json:"id"`
 	Image  string         `json:"image"`
-	State  ContainerState `json:"state"`
+	State  ContainerState `json:"state,omitempty" extensions:"x-nullable"`
 } // @name ContainerResponse

 // @x-id				"containers"
--- a/internal/api/v1/docker/info.go
+++ b/internal/api/v1/docker/info.go
@@ -6,8 +6,8 @@ import (

 	dockerSystem "github.com/docker/docker/api/types/system"
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
 )

 type containerStats struct {
--- a/internal/api/v1/docker/logs.go
+++ b/internal/api/v1/docker/logs.go
@@ -3,22 +3,19 @@ package dockerapi
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/task"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/docker"
+	"github.com/yusing/goutils/http/websocket"
+	"github.com/yusing/goutils/task"
 )

-type LogsPathParams struct {
-	Server      string `uri:"server" binding:"required"`
-	ContainerID string `uri:"container" binding:"required"`
-} //	@name	LogsPathParams
-
 type LogsQueryParams struct {
 	Stdout bool   `form:"stdout,default=true"`
 	Stderr bool   `form:"stderr,default=true"`
@@ -30,12 +27,11 @@ type LogsQueryParams struct {
 // @x-id				"logs"
 // @BasePath		/api/v1
 // @Summary		Get docker container logs
-// @Description	Get docker container logs
+// @Description	Get docker container logs by container id
 // @Tags			docker,websocket
 // @Accept			json
 // @Produce		json
-// @Param			server		path	string	true	"server name"
-// @Param			container	path	string	true	"container id"
+// @Param			id	path	string	true	"container id"
 // @Param			stdout		query	bool	false	"show stdout"
 // @Param			stderr		query	bool	false	"show stderr"
 // @Param			from		query	string	false	"from timestamp"
@@ -44,31 +40,34 @@ type LogsQueryParams struct {
 // @Success		200
 // @Failure		400	{object}	apitypes.ErrorResponse
 // @Failure		403	{object}	apitypes.ErrorResponse
-// @Failure		404	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "server not found or container not found"
 // @Failure		500	{object}	apitypes.ErrorResponse
-// @Router			/docker/logs/{server}/{container} [get]
+// @Router			/docker/logs/{id} [get]
 func Logs(c *gin.Context) {
-	var pathParams LogsPathParams
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("container id is required"))
+		return
+	}
+
 	var queryParams LogsQueryParams
 	if err := c.ShouldBindQuery(&queryParams); err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid query params"))
 		return
 	}
-	if err := c.ShouldBindUri(&pathParams); err != nil {
-		c.JSON(http.StatusBadRequest, apitypes.Error("invalid path params"))
+
+	// TODO: implement levels
+	dockerHost, ok := docker.GetDockerHostByContainerID(id)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error(fmt.Sprintf("container %s not found", id)))
 		return
 	}
-	// TODO: implement levels

-	dockerClient, found, err := getDockerClient(pathParams.Server)
+	dockerClient, err := docker.NewClient(dockerHost)
 	if err != nil {
 		c.Error(apitypes.InternalServerError(err, "failed to get docker client"))
 		return
 	}
-	if !found {
-		c.JSON(http.StatusNotFound, apitypes.Error("server not found"))
-		return
-	}
 	defer dockerClient.Close()

 	opts := container.LogsOptions{
@@ -84,7 +83,7 @@ func Logs(c *gin.Context) {
 		opts.Details = true
 	}

-	logs, err := dockerClient.ContainerLogs(c.Request.Context(), pathParams.ContainerID, opts)
+	logs, err := dockerClient.ContainerLogs(c.Request.Context(), id, opts)
 	if err != nil {
 		c.Error(apitypes.InternalServerError(err, "failed to get container logs"))
 		return
@@ -106,8 +105,8 @@ func Logs(c *gin.Context) {
 			return
 		}
 		log.Err(err).
-			Str("server", pathParams.Server).
-			Str("container", pathParams.ContainerID).
+			Str("server", dockerHost).
+			Str("container", id).
 			Msg("failed to de-multiplex logs")
 	}
 }
--- a/internal/api/v1/docker/restart.go
+++ b/internal/api/v1/docker/restart.go
@@ -0,0 +1,52 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/docker"
+)
+
+// @x-id				"restart"
+// @BasePath		/api/v1
+// @Summary		Restart container
+// @Description	Restart container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StopRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/restart [post]
+func Restart(c *gin.Context) {
+	var req StopRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerHost, ok := docker.GetDockerHostByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerHost)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	err = client.ContainerRestart(c.Request.Context(), req.ID, req.StopOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to restart container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container restarted"))
+}
--- a/internal/api/v1/docker/start.go
+++ b/internal/api/v1/docker/start.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/docker"
+)
+
+type StartRequest struct {
+	ID string `json:"id" binding:"required"`
+	container.StartOptions
+}
+
+// @x-id				"start"
+// @BasePath		/api/v1
+// @Summary		Start container
+// @Description	Start container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StartRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/start [post]
+func Start(c *gin.Context) {
+	var req StartRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerHost, ok := docker.GetDockerHostByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerHost)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	err = client.ContainerStart(c.Request.Context(), req.ID, req.StartOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to start container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container started"))
+}
--- a/internal/api/v1/docker/stop.go
+++ b/internal/api/v1/docker/stop.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/docker"
+)
+
+type StopRequest struct {
+	ID string `json:"id" binding:"required"`
+	container.StopOptions
+}
+
+// @x-id				"stop"
+// @BasePath		/api/v1
+// @Summary		Stop container
+// @Description	Stop container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StopRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/stop [post]
+func Stop(c *gin.Context) {
+	var req StopRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerHost, ok := docker.GetDockerHostByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerHost)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	err = client.ContainerStop(c.Request.Context(), req.ID, req.StopOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to stop container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container stopped"))
+}
--- a/internal/api/v1/docker/utils.go
+++ b/internal/api/v1/docker/utils.go
@@ -6,13 +6,11 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/agent/pkg/agent"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/docker"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/docker"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 type (
@@ -22,67 +20,6 @@ type (
 	}
 )

-// getDockerClients returns a map of docker clients for the current config.
-//
-// Returns a map of docker clients by server name and an error if any.
-//
-// Even if there are errors, the map of docker clients might not be empty.
-func getDockerClients() (DockerClients, gperr.Error) {
-	cfg := config.GetInstance()
-
-	dockerHosts := cfg.Value().Providers.Docker
-	dockerClients := make(DockerClients)
-
-	connErrs := gperr.NewBuilder("failed to connect to docker")
-
-	for name, host := range dockerHosts {
-		dockerClient, err := docker.NewClient(host)
-		if err != nil {
-			connErrs.Add(err)
-			continue
-		}
-		dockerClients[name] = dockerClient
-	}
-
-	for _, agent := range agent.ListAgents() {
-		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
-		if err != nil {
-			connErrs.Add(err)
-			continue
-		}
-		dockerClients[agent.Name] = dockerClient
-	}
-
-	return dockerClients, connErrs.Error()
-}
-
-func getDockerClient(server string) (*docker.SharedClient, bool, error) {
-	cfg := config.GetInstance()
-	var host string
-	for name, h := range cfg.Value().Providers.Docker {
-		if name == server {
-			host = h
-			break
-		}
-	}
-	if host == "" {
-		for _, agent := range agent.ListAgents() {
-			if agent.Name == server {
-				host = agent.FakeDockerHost()
-				break
-			}
-		}
-	}
-	if host == "" {
-		return nil, false, nil
-	}
-	dockerClient, err := docker.NewClient(host)
-	if err != nil {
-		return nil, false, err
-	}
-	return dockerClient, true, nil
-}
-
 // closeAllClients closes all docker clients after a delay.
 //
 // This is used to ensure that all docker clients are closed after the http handler returns.
@@ -103,11 +40,7 @@ func handleResult[V any, T ResultType[V]](c *gin.Context, errs error, result T)
 }

 func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
-	dockerClients, err := getDockerClients()
-	if err != nil {
-		handleResult[V, T](c, err, nil)
-		return
-	}
+	dockerClients := docker.Clients()
 	defer closeAllClients(dockerClients)

 	if httpheaders.IsWebsocket(c.Request.Header) {
--- a/internal/api/v1/docs/docs.go
+++ b/internal/api/v1/docs/docs.go
--- a/internal/api/v1/docs/swagger.json
+++ b/internal/api/v1/docs/swagger.json
--- a/internal/api/v1/docs/swagger.yaml
+++ b/internal/api/v1/docs/swagger.yaml
--- a/internal/api/v1/favicon.go
+++ b/internal/api/v1/favicon.go
@@ -5,9 +5,11 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/route/routes"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/route/routes"
+
+	_ "unsafe"
 )

 type GetFavIconRequest struct {
@@ -44,9 +46,9 @@ func FavIcon(c *gin.Context) {
 			c.JSON(http.StatusBadRequest, apitypes.Error("invalid url", err))
 			return
 		}
-		fetchResult := homepage.FetchFavIconFromURL(c.Request.Context(), &iconURL)
-		if !fetchResult.OK() {
-			c.JSON(fetchResult.StatusCode, apitypes.Error(fetchResult.ErrMsg))
+		fetchResult, err := homepage.FetchFavIconFromURL(c.Request.Context(), &iconURL)
+		if err != nil {
+			homepage.GinFetchError(c, fetchResult.StatusCode, err)
 			return
 		}
 		c.Data(fetchResult.StatusCode, fetchResult.ContentType(), fetchResult.Icon)
@@ -54,38 +56,39 @@ func FavIcon(c *gin.Context) {
 	}

 	// try with alias
-	result := GetFavIconFromAlias(c.Request.Context(), request.Alias)
-	if !result.OK() {
-		c.JSON(result.StatusCode, apitypes.Error(result.ErrMsg))
+	result, err := GetFavIconFromAlias(c.Request.Context(), request.Alias)
+	if err != nil {
+		homepage.GinFetchError(c, result.StatusCode, err)
 		return
 	}
 	c.Data(result.StatusCode, result.ContentType(), result.Icon)
 }

-func GetFavIconFromAlias(ctx context.Context, alias string) *homepage.FetchResult {
+//go:linkname GetFavIconFromAlias v1.GetFavIconFromAlias
+func GetFavIconFromAlias(ctx context.Context, alias string) (homepage.FetchResult, error) {
 	// try with route.Icon
 	r, ok := routes.HTTP.Get(alias)
 	if !ok {
-		return &homepage.FetchResult{
-			StatusCode: http.StatusNotFound,
-			ErrMsg:     "route not found",
-		}
+		return homepage.FetchResultWithErrorf(http.StatusNotFound, "route not found")
 	}

-	var result *homepage.FetchResult
+	var (
+		result homepage.FetchResult
+		err    error
+	)
 	hp := r.HomepageItem()
 	if hp.Icon != nil {
 		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = homepage.FindIcon(ctx, r, *hp.Icon.FullURL)
+			result, err = homepage.FindIcon(ctx, r, *hp.Icon.FullURL)
 		} else {
-			result = homepage.FetchFavIconFromURL(ctx, hp.Icon)
+			result, err = homepage.FetchFavIconFromURL(ctx, hp.Icon)
 		}
 	} else {
 		// try extract from "link[rel=icon]"
-		result = homepage.FindIcon(ctx, r, "/")
+		result, err = homepage.FindIcon(ctx, r, "/")
 	}
 	if result.StatusCode == 0 {
 		result.StatusCode = http.StatusOK
 	}
-	return result
+	return result, err
 }
--- a/internal/api/v1/file/get.go
+++ b/internal/api/v1/file/get.go
@@ -7,8 +7,8 @@ import (
 	"strings"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/common"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/common"
 )

 type FileType string // @name FileType
--- a/internal/api/v1/file/list.go
+++ b/internal/api/v1/file/list.go
@@ -5,9 +5,9 @@ import (
 	"strings"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/utils"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/utils"
 )

 type ListFilesResponse struct {
--- a/internal/api/v1/file/set.go
+++ b/internal/api/v1/file/set.go
@@ -5,7 +5,7 @@ import (
 	"os"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
 )

 type SetFileContentRequest GetFileContentRequest
--- a/internal/api/v1/file/validate.go
+++ b/internal/api/v1/file/validate.go
@@ -4,11 +4,11 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
-	"github.com/yusing/go-proxy/internal/route/provider"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	config "github.com/yusing/godoxy/internal/config/types"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
+	"github.com/yusing/godoxy/internal/route/provider"
+	gperr "github.com/yusing/goutils/errs"
 )

 type ValidateFileRequest struct {
@@ -57,7 +57,7 @@ func validateFile(fileType FileType, content []byte) gperr.Error {
 		return config.Validate(content)
 	case FileTypeMiddleware:
 		errs := gperr.NewBuilder("middleware errors")
-		middleware.BuildMiddlewaresFromYAML("", content, errs)
+		middleware.BuildMiddlewaresFromYAML("", content, &errs)
 		return errs.Error()
 	}
 	return provider.Validate(content)
--- a/internal/api/v1/health.go
+++ b/internal/api/v1/health.go
@@ -5,9 +5,9 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/yusing/godoxy/internal/route/routes"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 type HealthMap = map[string]routes.HealthInfo //	@name	HealthMap
--- a/internal/api/v1/homepage/categories.go
+++ b/internal/api/v1/homepage/categories.go
@@ -4,7 +4,8 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/route/routes"
 )

 // @x-id				"categories"
@@ -18,5 +19,24 @@ import (
 // @Failure		403	{object}	apitypes.ErrorResponse
 // @Router			/homepage/categories [get]
 func Categories(c *gin.Context) {
-	c.JSON(http.StatusOK, routes.HomepageCategories())
+	c.JSON(http.StatusOK, HomepageCategories())
+}
+
+func HomepageCategories() []string {
+	check := make(map[string]struct{})
+	categories := make([]string, 0)
+	categories = append(categories, homepage.CategoryAll)
+	categories = append(categories, homepage.CategoryFavorites)
+	for _, r := range routes.HTTP.Iter {
+		item := r.HomepageItem()
+		if item.Category == "" {
+			continue
+		}
+		if _, ok := check[item.Category]; ok {
+			continue
+		}
+		check[item.Category] = struct{}{}
+		categories = append(categories, item.Category)
+	}
+	return categories
 }
--- a/internal/api/v1/homepage/item_click.go
+++ b/internal/api/v1/homepage/item_click.go
@@ -0,0 +1,36 @@
+package homepageapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/homepage"
+)
+
+type HomepageOverrideItemClickParams struct {
+	Which string `form:"which" binding:"required"`
+} //	@name	HomepageOverrideItemClickParams
+
+// @x-id				"item-click"
+// @BasePath		/api/v1
+// @Summary		Increment item click
+// @Description	Increment item click.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	query		HomepageOverrideItemClickParams	true	"Increment item click"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/item_click [post]
+func ItemClick(c *gin.Context) {
+	var params HomepageOverrideItemClickParams
+	if err := c.ShouldBindQuery(&params); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.IncrementItemClicks(params.Which)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
--- a/internal/api/v1/homepage/items.go
+++ b/internal/api/v1/homepage/items.go
@@ -1,27 +1,38 @@
 package homepageapi

 import (
+	"fmt"
 	"net/http"
+	"net/url"
+	"slices"
+	"strings"
+	"time"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/lithammer/fuzzysearch/fuzzy"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/route/routes"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 type HomepageItemsRequest struct {
-	Category string `form:"category" validate:"omitempty"`
-	Provider string `form:"provider" validate:"omitempty"`
+	SearchQuery string `form:"search"`   // Search query
+	Category    string `form:"category"` // Category filter
+	Provider    string `form:"provider"` // Provider filter
+	// Sort method
+	SortMethod homepage.SortMethod `form:"sort_method" default:"alphabetical" binding:"omitempty,oneof=clicks alphabetical custom"`
 } //	@name	HomepageItemsRequest

 // @x-id				"items"
 // @BasePath		/api/v1
 // @Summary		Homepage items
 // @Description	Homepage items
-// @Tags			homepage
+// @Tags			homepage,websocket
 // @Accept			json
 // @Produce		json
-// @Param			category	query		string	false	"Category filter"
-// @Param			provider	query		string	false	"Provider filter"
+// @Param			query		query		HomepageItemsRequest	false	"Query parameters"
 // @Success		200			{object}	homepage.Homepage
 // @Failure		400			{object}	apitypes.ErrorResponse
 // @Failure		403			{object}	apitypes.ErrorResponse
@@ -42,5 +53,81 @@ func Items(c *gin.Context) {
 		hostname = host
 	}

-	c.JSON(http.StatusOK, routes.HomepageItems(proto, hostname, request.Category, request.Provider))
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 2*time.Second, func() (any, error) {
+			return HomepageItems(proto, hostname, &request), nil
+		})
+	} else {
+		c.JSON(http.StatusOK, HomepageItems(proto, hostname, &request))
+	}
+}
+
+func HomepageItems(proto, hostname string, request *HomepageItemsRequest) homepage.Homepage {
+	switch proto {
+	case "http", "https":
+	default:
+		proto = "http"
+	}
+
+	hp := homepage.NewHomepageMap(routes.HTTP.Size())
+
+	if strings.Count(hostname, ".") > 1 {
+		_, hostname, _ = strings.Cut(hostname, ".") // remove the subdomain
+	}
+
+	for _, r := range routes.HTTP.Iter {
+		if request.Provider != "" && r.ProviderName() != request.Provider {
+			continue
+		}
+		item := r.HomepageItem()
+		if request.Category != "" && item.Category != request.Category {
+			continue
+		}
+		if request.SearchQuery != "" && !fuzzy.MatchFold(request.SearchQuery, item.Name) {
+			continue
+		}
+
+		// clear url if invalid
+		_, err := url.Parse(item.URL)
+		if err != nil {
+			item.URL = ""
+		}
+
+		// append hostname if provided and only if alias is not FQDN
+		if hostname != "" && item.URL == "" {
+			isFQDNAlias := strings.Contains(item.Alias, ".")
+			if !isFQDNAlias {
+				item.URL = fmt.Sprintf("%s://%s.%s", proto, item.Alias, hostname)
+			} else {
+				item.URL = fmt.Sprintf("%s://%s", proto, item.Alias)
+			}
+		}
+
+		// prepend protocol if not exists
+		if !strings.HasPrefix(item.URL, "http://") && !strings.HasPrefix(item.URL, "https://") {
+			item.URL = fmt.Sprintf("%s://%s", proto, item.URL)
+		}
+
+		hp.Add(&item)
+	}
+
+	ret := hp.Values()
+	// sort items in each category
+	for _, category := range ret {
+		category.Sort(request.SortMethod)
+	}
+	// sort categories
+	overrides := homepage.GetOverrideConfig()
+	slices.SortStableFunc(ret, func(a, b *homepage.Category) int {
+		// if category is "Hidden", move it to the end of the list
+		if a.Name == homepage.CategoryHidden {
+			return 1
+		}
+		if b.Name == homepage.CategoryHidden {
+			return -1
+		}
+		// sort categories by order in config
+		return overrides.CategoryOrder[a.Name] - overrides.CategoryOrder[b.Name]
+	})
+	return ret
 }
--- a/internal/api/v1/homepage/overrides.go
+++ b/internal/api/v1/homepage/overrides.go
@@ -1,12 +1,11 @@
 package homepageapi

 import (
-	"encoding/json"
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/homepage"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/homepage"
 )

 type (
@@ -15,16 +14,22 @@ type (
 		Value homepage.ItemConfig `json:"value"`
 	} //	@name	HomepageOverrideItemParams
 	HomepageOverrideItemsBatchParams struct {
-		Value map[string]*homepage.ItemConfig `json:"value"`
+		Value map[string]homepage.ItemConfig `json:"value"`
 	} //	@name	HomepageOverrideItemsBatchParams
+
 	HomepageOverrideCategoryOrderParams struct {
 		Which string `json:"which"`
 		Value int    `json:"value"`
 	} //	@name	HomepageOverrideCategoryOrderParams
+	HomepageOverrideItemSortOrderParams    HomepageOverrideCategoryOrderParams //	@name	HomepageOverrideItemSortOrderParams
+	HomepageOverrideItemAllSortOrderParams HomepageOverrideCategoryOrderParams //	@name	HomepageOverrideItemAllSortOrderParams
+	HomepageOverrideItemFavSortOrderParams HomepageOverrideCategoryOrderParams //	@name	HomepageOverrideItemFavSortOrderParams
+
 	HomepageOverrideItemVisibleParams struct {
 		Which []string `json:"which"`
 		Value bool     `json:"value"`
 	} //	@name	HomepageOverrideItemVisibleParams
+	HomepageOverrideItemFavoriteParams HomepageOverrideItemVisibleParams //	@name	HomepageOverrideItemFavoriteParams
 )

 // @x-id				"set-item"
@@ -46,7 +51,7 @@ func SetItem(c *gin.Context) {
 		return
 	}
 	overrides := homepage.GetOverrideConfig()
-	overrides.OverrideItem(params.Which, &params.Value)
+	overrides.OverrideItem(params.Which, params.Value)
 	c.JSON(http.StatusOK, apitypes.Success("success"))
 }

@@ -65,15 +70,8 @@ func SetItem(c *gin.Context) {
 func SetItemsBatch(c *gin.Context) {
 	var params HomepageOverrideItemsBatchParams
 	if err := c.ShouldBindJSON(&params); err != nil {
-		data, derr := c.GetRawData()
-		if derr != nil {
-			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
-			return
-		}
-		if uerr := json.Unmarshal(data, &params); uerr != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
-			return
-		}
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
 	}
 	overrides := homepage.GetOverrideConfig()
 	overrides.OverrideItems(params.Value)
@@ -95,22 +93,103 @@ func SetItemsBatch(c *gin.Context) {
 func SetItemVisible(c *gin.Context) {
 	var params HomepageOverrideItemVisibleParams
 	if err := c.ShouldBindJSON(&params); err != nil {
-		data, derr := c.GetRawData()
-		if derr != nil {
-			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
-			return
-		}
-		if uerr := json.Unmarshal(data, &params); uerr != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
-			return
-		}
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
 	}
 	overrides := homepage.GetOverrideConfig()
-	if params.Value {
-		overrides.UnhideItems(params.Which)
-	} else {
-		overrides.HideItems(params.Which)
+	overrides.SetItemsVisibility(params.Which, params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-item-favorite"
+// @BasePath		/api/v1
+// @Summary		Set homepage item favorite
+// @Description	Set homepage item favorite.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemFavoriteParams	true	"Set item favorite"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/item_favorite [post]
+func SetItemFavorite(c *gin.Context) {
+	var params HomepageOverrideItemFavoriteParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
 	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.SetItemsFavorite(params.Which, params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-item-sort-order"
+// @BasePath		/api/v1
+// @Summary		Set homepage item sort order
+// @Description	Set homepage item sort order.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemSortOrderParams	true	"Set item sort order"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/item_sort_order [post]
+func SetItemSortOrder(c *gin.Context) {
+	var params HomepageOverrideItemSortOrderParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.SetSortOrder(params.Which, params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-item-all-sort-order"
+// @BasePath		/api/v1
+// @Summary		Set homepage item all sort order
+// @Description	Set homepage item all sort order.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemAllSortOrderParams	true	"Set item all sort order"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/item_all_sort_order [post]
+func SetItemAllSortOrder(c *gin.Context) {
+	var params HomepageOverrideItemAllSortOrderParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.SetAllSortOrder(params.Which, params.Value)
+	c.JSON(http.StatusOK, apitypes.Success("success"))
+}
+
+// @x-id				"set-item-fav-sort-order"
+// @BasePath		/api/v1
+// @Summary		Set homepage item fav sort order
+// @Description	Set homepage item fav sort order.
+// @Tags			homepage
+// @Accept		json
+// @Produce		json
+// @Param		request	body		HomepageOverrideItemFavSortOrderParams	true	"Set item fav sort order"
+// @Success		200		{object}	apitypes.SuccessResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/homepage/set/item_fav_sort_order [post]
+func SetItemFavSortOrder(c *gin.Context) {
+	var params HomepageOverrideItemFavSortOrderParams
+	if err := c.ShouldBindJSON(&params); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+	overrides := homepage.GetOverrideConfig()
+	overrides.SetFavSortOrder(params.Which, params.Value)
 	c.JSON(http.StatusOK, apitypes.Success("success"))
 }

@@ -129,15 +208,8 @@ func SetItemVisible(c *gin.Context) {
 func SetCategoryOrder(c *gin.Context) {
 	var params HomepageOverrideCategoryOrderParams
 	if err := c.ShouldBindJSON(&params); err != nil {
-		data, derr := c.GetRawData()
-		if derr != nil {
-			c.Error(apitypes.InternalServerError(derr, "failed to get raw data"))
-			return
-		}
-		if uerr := json.Unmarshal(data, &params); uerr != nil {
-			c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", uerr))
-			return
-		}
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
 	}
 	overrides := homepage.GetOverrideConfig()
 	overrides.SetCategoryOrder(params.Which, params.Value)
--- a/internal/api/v1/icons.go
+++ b/internal/api/v1/icons.go
@@ -4,8 +4,8 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/homepage"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/homepage"
 )

 type ListIconsRequest struct {
--- a/internal/api/v1/metrics/all_system_info.go
+++ b/internal/api/v1/metrics/all_system_info.go
@@ -0,0 +1,268 @@
+package metrics
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/bytedance/sonic"
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/metrics/period"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+	"github.com/yusing/goutils/synk"
+)
+
+var (
+	// for json marshaling (unknown size)
+	allSystemInfoBytesPool = synk.GetBytesPoolWithUniqueMemory()
+	// for storing http response body (known size)
+	allSystemInfoFixedSizePool = synk.GetBytesPool()
+)
+
+type AllSystemInfoRequest struct {
+	Period    period.Filter                      `query:"period"`
+	Aggregate systeminfo.SystemInfoAggregateMode `query:"aggregate"`
+	Interval  time.Duration                      `query:"interval" swaggertype:"string" format:"duration"`
+} // @name AllSystemInfoRequest
+
+type bytesFromPool struct {
+	json.RawMessage
+}
+
+// @x-id				"all_system_info"
+// @BasePath		/api/v1
+// @Summary		Get system info
+// @Description	Get system info
+// @Tags			metrics,websocket
+// @Produce		json
+// @Param			request	query		AllSystemInfoRequest	false	"Request"
+// @Success		200			{object}	map[string]systeminfo.SystemInfo "no period specified, system info by agent name"
+// @Success		200			{object}	map[string]SystemInfoAggregate "period specified, aggregated system info by agent name"
+// @Failure		400			{object}	apitypes.ErrorResponse
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Failure		500			{object}	apitypes.ErrorResponse
+// @Router	 /metrics/all_system_info [get]
+func AllSystemInfo(c *gin.Context) {
+	var req AllSystemInfoRequest
+	if err := c.ShouldBindQuery(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid query", err))
+		return
+	}
+
+	if req.Interval < period.PollInterval {
+		req.Interval = period.PollInterval
+	}
+
+	if !httpheaders.IsWebsocket(c.Request.Header) {
+		c.JSON(http.StatusBadRequest, apitypes.Error("bad request, websocket is required"))
+		return
+	}
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to upgrade to websocket"))
+		return
+	}
+	defer manager.Close()
+
+	query := c.Request.URL.Query()
+	queryEncoded := c.Request.URL.Query().Encode()
+
+	type SystemInfoData struct {
+		AgentName  string
+		SystemInfo any
+	}
+
+	// leave 5 extra slots for buffering in case new agents are added.
+	dataCh := make(chan SystemInfoData, 1+agent.NumAgents()+5)
+	defer close(dataCh)
+
+	ticker := time.NewTicker(req.Interval)
+	defer ticker.Stop()
+
+	go func() {
+		for {
+			select {
+			case <-manager.Done():
+				return
+			case data := <-dataCh:
+				err := marshalSystemInfo(manager, data.AgentName, data.SystemInfo)
+				if err != nil {
+					manager.Close()
+					return
+				}
+			}
+		}
+	}()
+
+	// processing function for one round.
+	doRound := func() (bool, error) {
+		var roundWg sync.WaitGroup
+		var numErrs atomic.Int32
+
+		totalAgents := int32(1) // myself
+
+		errs := gperr.NewBuilderWithConcurrency()
+		// get system info for me and all agents in parallel.
+		roundWg.Go(func() {
+			data, err := systeminfo.Poller.GetRespData(req.Period, query)
+			if err != nil {
+				errs.Add(gperr.Wrap(err, "Main server"))
+				numErrs.Add(1)
+				return
+			}
+			select {
+			case <-manager.Done():
+				return
+			case dataCh <- SystemInfoData{
+				AgentName:  "GoDoxy",
+				SystemInfo: data,
+			}:
+			}
+		})
+
+		for _, a := range agent.IterAgents() {
+			totalAgents++
+			agentShallowCopy := *a
+
+			roundWg.Go(func() {
+				data, err := getAgentSystemInfoWithRetry(manager.Context(), &agentShallowCopy, queryEncoded)
+				if err != nil {
+					errs.Add(gperr.Wrap(err, "Agent "+agentShallowCopy.Name))
+					numErrs.Add(1)
+					return
+				}
+				select {
+				case <-manager.Done():
+					return
+				case dataCh <- SystemInfoData{
+					AgentName:  agentShallowCopy.Name,
+					SystemInfo: data,
+				}:
+				}
+			})
+		}
+
+		roundWg.Wait()
+		return numErrs.Load() == totalAgents, errs.Error()
+	}
+
+	// write system info immediately once.
+	if shouldContinue, err := doRound(); err != nil {
+		if !shouldContinue {
+			c.Error(apitypes.InternalServerError(err, "failed to get all system info"))
+			return
+		}
+	}
+
+	// then continue on the ticker.
+	for {
+		select {
+		case <-manager.Done():
+			return
+		case <-ticker.C:
+			if shouldContinue, err := doRound(); err != nil {
+				if !shouldContinue {
+					c.Error(apitypes.InternalServerError(err, "failed to get all system info"))
+					return
+				}
+				gperr.LogWarn("failed to get some system info", err)
+			}
+		}
+	}
+}
+
+func getAgentSystemInfo(ctx context.Context, a *agent.AgentConfig, query string) (json.Marshaler, error) {
+	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	path := agent.EndpointSystemInfo + "?" + query
+	resp, err := a.Do(ctx, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	// NOTE: buffer will be released by marshalSystemInfo once marshaling is done.
+	if resp.ContentLength >= 0 {
+		bytesBuf := allSystemInfoFixedSizePool.GetSized(int(resp.ContentLength))
+		_, err = io.ReadFull(resp.Body, bytesBuf)
+		if err != nil {
+			// prevent pool leak on error.
+			allSystemInfoFixedSizePool.Put(bytesBuf)
+			return nil, err
+		}
+		return bytesFromPool{json.RawMessage(bytesBuf)}, nil
+	}
+
+	// Fallback when content length is unknown (should not happen but just in case).
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return json.RawMessage(data), nil
+}
+
+func getAgentSystemInfoWithRetry(ctx context.Context, a *agent.AgentConfig, query string) (json.Marshaler, error) {
+	const maxRetries = 3
+	var lastErr error
+
+	for attempt := range maxRetries {
+		// Apply backoff delay for retries (not for first attempt)
+		if attempt > 0 {
+			delay := max((1<<attempt)*time.Second, 5*time.Second)
+			select {
+			case <-ctx.Done():
+				return nil, ctx.Err()
+			case <-time.After(delay):
+			}
+		}
+
+		data, err := getAgentSystemInfo(ctx, a, query)
+		if err == nil {
+			return data, nil
+		}
+
+		lastErr = err
+
+		log.Debug().Str("agent", a.Name).Int("attempt", attempt+1).Str("error", err.Error()).Msg("Agent request attempt failed")
+
+		// Don't retry on context cancellation
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+	}
+
+	return nil, lastErr
+}
+
+func marshalSystemInfo(ws *websocket.Manager, agentName string, systemInfo any) error {
+	bytesBuf := allSystemInfoBytesPool.Get()
+	defer allSystemInfoBytesPool.Put(bytesBuf)
+
+	// release the buffer retrieved from getAgentSystemInfo
+	if bufFromPool, ok := systemInfo.(bytesFromPool); ok {
+		defer allSystemInfoFixedSizePool.Put(bufFromPool.RawMessage)
+	}
+
+	buf := bytes.NewBuffer(bytesBuf)
+	err := sonic.ConfigDefault.NewEncoder(buf).Encode(map[string]any{
+		agentName: systemInfo,
+	})
+	if err != nil {
+		return err
+	}
+
+	return ws.WriteData(websocket.TextMessage, buf.Bytes(), 3*time.Second)
+}
--- a/internal/api/v1/metrics/system_info.go
+++ b/internal/api/v1/metrics/system_info.go
@@ -1,25 +1,26 @@
 package metrics

 import (
+	"io"
+	"maps"
 	"net/http"

 	"github.com/gin-gonic/gin"
-	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/metrics/period"
-	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
-	nettypes "github.com/yusing/go-proxy/internal/net/types"
+	agentPkg "github.com/yusing/godoxy/agent/pkg/agent"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/metrics/period"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	"github.com/yusing/goutils/http/httpheaders"
 )

 type SystemInfoRequest struct {
 	AgentAddr string                             `query:"agent_addr"`
+	AgentName string                             `query:"agent_name"`
 	Aggregate systeminfo.SystemInfoAggregateMode `query:"aggregate"`
 	Period    period.Filter                      `query:"period"`
 } // @name SystemInfoRequest

-type SystemInfoAggregate period.ResponseType[systeminfo.Aggregated] // @name SystemInfoAggregate
+type SystemInfoAggregate period.ResponseType[systeminfo.AggregatedJSON] // @name SystemInfoAggregate

 // @x-id				"system_info"
 // @BasePath		/api/v1
@@ -38,39 +39,37 @@ type SystemInfoAggregate period.ResponseType[systeminfo.Aggregated] // @name Sys
 func SystemInfo(c *gin.Context) {
 	query := c.Request.URL.Query()
 	agentAddr := query.Get("agent_addr")
+	agentName := query.Get("agent_name")
 	query.Del("agent_addr")
-	if agentAddr == "" {
+	query.Del("agent_name")
+	if agentAddr == "" && agentName == "" {
 		systeminfo.Poller.ServeHTTP(c)
 		return
 	}
+	c.Request.URL.RawQuery = query.Encode()

 	agent, ok := agentPkg.GetAgent(agentAddr)
 	if !ok {
-		c.JSON(http.StatusNotFound, apitypes.Error("agent_addr not found"))
+		agent, ok = agentPkg.GetAgentByName(agentName)
+	}
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("agent_addr or agent_name not found"))
 		return
 	}

 	isWS := httpheaders.IsWebsocket(c.Request.Header)
 	if !isWS {
-		respData, status, err := agent.Forward(c.Request, agentPkg.EndpointSystemInfo)
+		resp, err := agent.Forward(c.Request, agentPkg.EndpointSystemInfo)
 		if err != nil {
 			c.Error(apitypes.InternalServerError(err, "failed to forward request to agent"))
 			return
 		}
-		if status != http.StatusOK {
-			c.JSON(status, apitypes.Error(string(respData)))
-			return
-		}
-		c.JSON(status, respData)
+		defer resp.Body.Close()
+
+		maps.Copy(c.Writer.Header(), resp.Header)
+		c.Status(resp.StatusCode)
+		io.Copy(c.Writer, resp.Body)
 	} else {
-		rp := reverseproxy.NewReverseProxy("agent", nettypes.NewURL(agentPkg.AgentURL), agent.Transport())
-		header := c.Request.Header.Clone()
-		r, err := http.NewRequestWithContext(c.Request.Context(), c.Request.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
-		if err != nil {
-			c.Error(apitypes.InternalServerError(err, "failed to create request"))
-			return
-		}
-		r.Header = header
-		rp.ServeHTTP(c.Writer, r)
+		agent.ReverseProxy(c.Writer, c.Request, agentPkg.EndpointSystemInfo)
 	}
 }
--- a/internal/api/v1/metrics/upime.go
+++ b/internal/api/v1/metrics/upime.go
@@ -2,8 +2,8 @@ package metrics

 import (
 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/metrics/period"
-	"github.com/yusing/go-proxy/internal/metrics/uptime"
+	"github.com/yusing/godoxy/internal/metrics/period"
+	"github.com/yusing/godoxy/internal/metrics/uptime"
 )

 type UptimeRequest struct {
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@@ -4,8 +4,8 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	config "github.com/yusing/go-proxy/internal/config/types"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	"github.com/yusing/godoxy/internal/config"
 )

 // @x-id				"reload"
@@ -20,7 +20,7 @@ import (
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/reload [post]
 func Reload(c *gin.Context) {
-	if err := config.GetInstance().Reload(); err != nil {
+	if err := config.Reload(); err != nil {
 		c.Error(apitypes.InternalServerError(err, "failed to reload config"))
 		return
 	}
--- a/internal/api/v1/route/by_provider.go
+++ b/internal/api/v1/route/by_provider.go
@@ -4,8 +4,8 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/route/routes"
+	"github.com/yusing/godoxy/internal/route"
+	"github.com/yusing/godoxy/internal/route/routes"
 )

 type RoutesByProvider map[string][]route.Route
--- a/internal/api/v1/route/providers.go
+++ b/internal/api/v1/route/providers.go
@@ -5,9 +5,9 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
+	statequery "github.com/yusing/godoxy/internal/config/query"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 // @x-id				"providers"
@@ -22,12 +22,11 @@ import (
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/route/providers [get]
 func Providers(c *gin.Context) {
-	cfg := config.GetInstance()
 	if httpheaders.IsWebsocket(c.Request.Header) {
 		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
-			return config.GetInstance().RouteProviderList(), nil
+			return statequery.RouteProviderList(), nil
 		})
 	} else {
-		c.JSON(http.StatusOK, cfg.RouteProviderList())
+		c.JSON(http.StatusOK, statequery.RouteProviderList())
 	}
 }
--- a/internal/api/v1/route/route.go
+++ b/internal/api/v1/route/route.go
@@ -4,8 +4,9 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	apitypes "github.com/yusing/go-proxy/internal/api/types"
-	"github.com/yusing/go-proxy/internal/route/routes"
+	apitypes "github.com/yusing/godoxy/internal/api/types"
+	statequery "github.com/yusing/godoxy/internal/config/query"
+	"github.com/yusing/godoxy/internal/route/routes"
 )

 type ListRouteRequest struct {
@@ -35,7 +36,14 @@ func Route(c *gin.Context) {
 	route, ok := routes.Get(request.Which)
 	if ok {
 		c.JSON(http.StatusOK, route)
-	} else {
-		c.JSON(http.StatusNotFound, nil)
+		return
 	}
+
+	// also search for excluded routes
+	route = statequery.SearchRoute(request.Which)
+	if route != nil {
+		c.JSON(http.StatusOK, route)
+		return
+	}
+	c.JSON(http.StatusNotFound, nil)
 }
--- a/internal/api/v1/route/routes.go
+++ b/internal/api/v1/route/routes.go
@@ -6,11 +6,11 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/route"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	"github.com/yusing/go-proxy/internal/types"
+	"github.com/yusing/godoxy/internal/route"
+	"github.com/yusing/godoxy/internal/route/routes"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 type RouteType route.Route // @name Route
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@@ -5,16 +5,15 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
-	"github.com/yusing/go-proxy/internal/net/gphttp/websocket"
-	"github.com/yusing/go-proxy/internal/types"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	statequery "github.com/yusing/godoxy/internal/config/query"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
 )

 type StatsResponse struct {
 	Proxies ProxyStats `json:"proxies"`
-	Uptime  string     `json:"uptime"`
+	Uptime  int64      `json:"uptime"`
 } //	@name	StatsResponse

 type ProxyStats struct {
@@ -36,11 +35,10 @@ type ProxyStats struct {
 // @Failure		500	{object}	apitypes.ErrorResponse
 // @Router			/stats [get]
 func Stats(c *gin.Context) {
-	cfg := config.GetInstance()
 	getStats := func() (any, error) {
 		return map[string]any{
-			"proxies": cfg.Statistics(),
-			"uptime":  strutils.FormatDuration(time.Since(startTime)),
+			"proxies": statequery.GetStatistics(),
+			"uptime":  int64(time.Since(startTime).Round(time.Second).Seconds()),
 		}, nil
 	}

--- a/internal/api/v1/version.go
+++ b/internal/api/v1/version.go
@@ -4,7 +4,7 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/yusing/goutils/version"
 )

 // @x-id				"version"
@@ -17,5 +17,5 @@ import (
 // @Success		200	{string}	string	"version"
 // @Router			/version [get]
 func Version(c *gin.Context) {
-	c.JSON(http.StatusOK, pkg.GetVersion().String())
+	c.JSON(http.StatusOK, version.Get().String())
 }
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -3,7 +3,7 @@ package auth
 import (
 	"net/http"

-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/godoxy/internal/common"
 )

 var defaultAuth Provider
--- a/internal/auth/oauth_refresh.go
+++ b/internal/auth/oauth_refresh.go
@@ -12,8 +12,8 @@ import (

 	"github.com/golang-jwt/jwt/v5"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/jsonstore"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/jsonstore"
 	"golang.org/x/oauth2"
 )

@@ -130,7 +130,7 @@ func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.R
 		log.Err(err).Msg("failed to sign session token")
 		return
 	}
-	SetTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
+	SetTokenCookie(w, r, auth.getAppScopedCookieName(CookieOauthSessionToken), signed, common.APIJWTTokenTTL)
 }

 func (auth *OIDCProvider) parseSessionJWT(sessionJWT string) (claims *sessionClaims, valid bool, err error) {
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -13,10 +14,10 @@ import (

 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/utils"
+	gperr "github.com/yusing/goutils/errs"
+	httputils "github.com/yusing/goutils/http"
 	"golang.org/x/oauth2"
 	"golang.org/x/time/rate"
 )
@@ -39,12 +40,27 @@ type (

 var _ Provider = (*OIDCProvider)(nil)

+// Cookie names for OIDC authentication
 const (
 	CookieOauthState        = "godoxy_oidc_state"
 	CookieOauthToken        = "godoxy_oauth_token"   //nolint:gosec
 	CookieOauthSessionToken = "godoxy_session_token" //nolint:gosec
 )

+// getAppScopedCookieName returns a cookie name scoped to the specific application
+// to prevent conflicts between different OIDC clients
+func (auth *OIDCProvider) getAppScopedCookieName(baseName string) string {
+	// Use the client ID to scope the cookie name
+	// This prevents conflicts when multiple apps use different client IDs
+	if auth.oauthConfig.ClientID != "" {
+		// Create a hash of the client ID to keep cookie names short
+		hash := sha256.Sum256([]byte(auth.oauthConfig.ClientID))
+		clientHash := base64.URLEncoding.EncodeToString(hash[:])[:8]
+		return fmt.Sprintf("%s_%s", baseName, clientHash)
+	}
+	return baseName
+}
+
 const (
 	OIDCAuthInitPath = "/"
 	OIDCPostAuthPath = "/auth/callback"
@@ -117,6 +133,37 @@ func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
 	)
 }

+// NewOIDCProviderWithCustomClient creates a new OIDCProvider with custom client credentials
+// based on an existing provider (for issuer discovery)
+func NewOIDCProviderWithCustomClient(baseProvider *OIDCProvider, clientID, clientSecret string) (*OIDCProvider, error) {
+	if clientID == "" || clientSecret == "" {
+		return nil, errors.New("client ID and client secret are required")
+	}
+
+	// Create a new OIDC verifier with the custom client ID
+	oidcVerifier := baseProvider.oidcProvider.Verifier(&oidc.Config{
+		ClientID: clientID,
+	})
+
+	// Create new OAuth config with custom credentials
+	oauthConfig := &oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		RedirectURL:  "",
+		Endpoint:     baseProvider.oauthConfig.Endpoint,
+		Scopes:       baseProvider.oauthConfig.Scopes,
+	}
+
+	return &OIDCProvider{
+		oauthConfig:   oauthConfig,
+		oidcProvider:  baseProvider.oidcProvider,
+		oidcVerifier:  oidcVerifier,
+		endSessionURL: baseProvider.endSessionURL,
+		allowedUsers:  baseProvider.allowedUsers,
+		allowedGroups: baseProvider.allowedGroups,
+	}, nil
+}
+
 func (auth *OIDCProvider) SetAllowedUsers(users []string) {
 	auth.allowedUsers = users
 }
@@ -125,6 +172,10 @@ func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
 	auth.allowedGroups = groups
 }

+func (auth *OIDCProvider) SetScopes(scopes []string) {
+	auth.oauthConfig.Scopes = scopes
+}
+
 // optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
 // parameter of the authorization URL to the post auth path of the current
 // request host.
@@ -169,7 +220,7 @@ var rateLimit = rate.NewLimiter(rate.Every(time.Second), 1)

 func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	// check for session token
-	sessionToken, err := r.Cookie(CookieOauthSessionToken)
+	sessionToken, err := r.Cookie(auth.getAppScopedCookieName(CookieOauthSessionToken))
 	if err == nil { // session token exists
 		result, err := auth.TryRefreshToken(r.Context(), sessionToken.Value)
 		// redirect back to where they requested
@@ -193,15 +244,10 @@ func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	state := generateState()
-	SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
+	SetTokenCookie(w, r, auth.getAppScopedCookieName(CookieOauthState), state, 300*time.Second)
 	// redirect user to Idp
 	url := auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r))
-	if IsFrontend(r) {
-		w.Header().Set("X-Redirect-To", url)
-		w.WriteHeader(http.StatusForbidden)
-	} else {
-		http.Redirect(w, r, url, http.StatusFound)
-	}
+	http.Redirect(w, r, url, http.StatusFound)
 }

 func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
@@ -209,7 +255,8 @@ func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
 	if err := idToken.Claims(&claim); err != nil {
 		return nil, fmt.Errorf("failed to parse claims: %w", err)
 	}
-	if claim.Username == "" {
+	// Username is optional if groups are present
+	if claim.Username == "" && len(claim.Groups) == 0 {
 		return nil, errors.New("missing username in ID token")
 	}
 	return &claim, nil
@@ -228,7 +275,7 @@ func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
 }

 func (auth *OIDCProvider) CheckToken(r *http.Request) error {
-	tokenCookie, err := r.Cookie(CookieOauthToken)
+	tokenCookie, err := r.Cookie(auth.getAppScopedCookieName(CookieOauthToken))
 	if err != nil {
 		return ErrMissingOAuthToken
 	}
@@ -257,7 +304,7 @@ func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 	}

 	// verify state
-	state, err := r.Cookie(CookieOauthState)
+	state, err := r.Cookie(auth.getAppScopedCookieName(CookieOauthState))
 	if err != nil {
 		http.Error(w, "missing state cookie", http.StatusBadRequest)
 		return
@@ -270,20 +317,23 @@ func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 	code := r.URL.Query().Get("code")
 	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code, optRedirectPostAuth(r))
 	if err != nil {
-		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		httputils.LogError(r).Msg(fmt.Sprintf("failed to exchange token: %v", err))
 		return
 	}

 	idTokenJWT, idToken, err := auth.getIDToken(r.Context(), oauth2Token)
 	if err != nil {
-		gphttp.ServerError(w, r, err)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		httputils.LogError(r).Msg(fmt.Sprintf("failed to get ID token: %v", err))
 		return
 	}

 	if oauth2Token.RefreshToken != "" {
 		claims, err := parseClaims(idToken)
 		if err != nil {
-			gphttp.ServerError(w, r, err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			httputils.LogError(r).Msg(fmt.Sprintf("failed to parse claims: %v", err))
 			return
 		}
 		session := newSession(claims.Username, claims.Groups)
@@ -297,8 +347,8 @@ func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 }

 func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request) {
-	oauthToken, _ := r.Cookie(CookieOauthToken)
-	sessionToken, _ := r.Cookie(CookieOauthSessionToken)
+	oauthToken, _ := r.Cookie(auth.getAppScopedCookieName(CookieOauthToken))
+	sessionToken, _ := r.Cookie(auth.getAppScopedCookieName(CookieOauthSessionToken))
 	auth.clearCookie(w, r)

 	if sessionToken != nil {
@@ -325,17 +375,17 @@ func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request)
 }

 func (auth *OIDCProvider) setIDTokenCookie(w http.ResponseWriter, r *http.Request, jwt string, ttl time.Duration) {
-	SetTokenCookie(w, r, CookieOauthToken, jwt, ttl)
+	SetTokenCookie(w, r, auth.getAppScopedCookieName(CookieOauthToken), jwt, ttl)
 }

 func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
-	ClearTokenCookie(w, r, CookieOauthToken)
-	ClearTokenCookie(w, r, CookieOauthSessionToken)
+	ClearTokenCookie(w, r, auth.getAppScopedCookieName(CookieOauthToken))
+	ClearTokenCookie(w, r, auth.getAppScopedCookieName(CookieOauthSessionToken))
 }

 // handleTestCallback handles OIDC callback in test environment.
 func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
-	state, err := r.Cookie(CookieOauthState)
+	state, err := r.Cookie(auth.getAppScopedCookieName(CookieOauthState))
 	if err != nil {
 		http.Error(w, "missing state cookie", http.StatusBadRequest)
 		return
@@ -347,7 +397,7 @@ func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Requ
 	}

 	// Create test JWT token
-	SetTokenCookie(w, r, CookieOauthToken, "test", time.Hour)
+	SetTokenCookie(w, r, auth.getAppScopedCookieName(CookieOauthToken), "test", time.Hour)

 	http.Redirect(w, r, "/", http.StatusFound)
 }
--- a/internal/auth/oidc_test.go
+++ b/internal/auth/oidc_test.go
@@ -13,10 +13,10 @@ import (

 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/godoxy/internal/common"
 	"golang.org/x/oauth2"

-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	expect "github.com/yusing/goutils/testing"
 )

 // setupMockOIDC configures mock OIDC provider for testing.
@@ -35,7 +35,7 @@ func setupMockOIDC(t *testing.T) {
 			},
 			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 		},
-		endSessionURL: Must(url.Parse("http://mock-provider/logout")),
+		endSessionURL: expect.Must(url.Parse("http://mock-provider/logout")),
 		oidcProvider:  provider,
 		oidcVerifier: provider.Verifier(&oidc.Config{
 			ClientID: "test-client",
@@ -75,7 +75,7 @@ func (j *provider) SignClaims(t *testing.T, claims jwt.Claims) string {
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 	token.Header["kid"] = keyID
 	signed, err := token.SignedString(j.key)
-	ExpectNoError(t, err)
+	expect.NoError(t, err)
 	return signed
 }

@@ -84,7 +84,7 @@ func setupProvider(t *testing.T) *provider {

 	// Generate an RSA key pair for the test.
 	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	ExpectNoError(t, err)
+	expect.NoError(t, err)

 	// Build the matching public JWK that will be served by the endpoint.
 	jwk := buildRSAJWK(t, &privKey.PublicKey, keyID)
@@ -227,12 +227,12 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			}

 			if tt.wantStatus == http.StatusTemporaryRedirect {
-				setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
-				ExpectEqual(t, setCookie.Name, CookieOauthToken)
-				ExpectTrue(t, setCookie.Value != "")
-				ExpectEqual(t, setCookie.Path, "/")
-				ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
-				ExpectEqual(t, setCookie.HttpOnly, true)
+				setCookie := expect.Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
+				expect.Equal(t, setCookie.Name, CookieOauthToken)
+				expect.True(t, setCookie.Value != "")
+				expect.Equal(t, setCookie.Path, "/")
+				expect.Equal(t, setCookie.SameSite, http.SameSiteLaxMode)
+				expect.Equal(t, setCookie.HttpOnly, true)
 			}
 		})
 	}
@@ -245,7 +245,7 @@ func TestInitOIDC(t *testing.T) {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		ExpectNoError(t, json.NewEncoder(w).Encode(discoveryDocument(t, server)))
+		expect.NoError(t, json.NewEncoder(w).Encode(discoveryDocument(t, server)))
 	})
 	server = httptest.NewServer(mux)
 	t.Cleanup(server.Close)
@@ -426,6 +426,9 @@ func TestCheckToken(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			// Create the Auth Provider.
 			auth := &OIDCProvider{
+				oauthConfig: &oauth2.Config{
+					ClientID: clientID,
+				},
 				oidcVerifier:  provider.verifier,
 				allowedUsers:  tc.allowedUsers,
 				allowedGroups: tc.allowedGroups,
@@ -435,16 +438,16 @@ func TestCheckToken(t *testing.T) {
 			// Craft a test HTTP request that includes the token as a cookie.
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
 			req.AddCookie(&http.Cookie{
-				Name:  CookieOauthToken,
+				Name:  auth.getAppScopedCookieName(CookieOauthToken),
 				Value: signedToken,
 			})

 			// Call CheckToken and verify the result.
 			err := auth.CheckToken(req)
 			if tc.wantErr == nil {
-				ExpectNoError(t, err)
+				expect.NoError(t, err)
 			} else {
-				ExpectError(t, tc.wantErr, err)
+				expect.ErrorIs(t, tc.wantErr, err)
 			}
 		})
 	}
--- a/internal/auth/userpass.go
+++ b/internal/auth/userpass.go
@@ -1,16 +1,16 @@
 package auth

 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"

+	"github.com/bytedance/sonic"
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/net/gphttp"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/godoxy/internal/common"
+	gperr "github.com/yusing/goutils/errs"
+	httputils "github.com/yusing/goutils/http"
+	strutils "github.com/yusing/goutils/strings"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -109,7 +109,7 @@ type UserPassAuthCallbackRequest struct {

 func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	var creds UserPassAuthCallbackRequest
-	err := json.NewDecoder(r.Body).Decode(&creds)
+	err := sonic.ConfigDefault.NewDecoder(r.Body).Decode(&creds)
 	if err != nil {
 		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
@@ -121,7 +121,8 @@ func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 	}
 	token, err := auth.NewToken()
 	if err != nil {
-		gphttp.ServerError(w, r, err)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		httputils.LogError(r).Msg(fmt.Sprintf("failed to generate token: %v", err))
 		return
 	}
 	SetTokenCookie(w, r, auth.TokenCookieName(), token, auth.tokenTTL)
@@ -129,8 +130,7 @@ func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 }

 func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-Redirect-To", "/login")
-	w.WriteHeader(http.StatusForbidden)
+	http.Redirect(w, r, "/login", http.StatusFound)
 }

 func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {
--- a/internal/auth/userpass_test.go
+++ b/internal/auth/userpass_test.go
@@ -9,14 +9,14 @@ import (
 	"testing"
 	"time"

-	. "github.com/yusing/go-proxy/internal/utils/testing"
+	expect "github.com/yusing/goutils/testing"
 	"golang.org/x/crypto/bcrypt"
 )

 func newMockUserPassAuth() *UserPassAuth {
 	return &UserPassAuth{
 		username: "username",
-		pwdHash:  Must(bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)),
+		pwdHash:  expect.Must(bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)),
 		secret:   []byte("abcdefghijklmnopqrstuvwxyz"),
 		tokenTTL: time.Hour,
 	}
@@ -25,17 +25,17 @@ func newMockUserPassAuth() *UserPassAuth {
 func TestUserPassValidateCredentials(t *testing.T) {
 	auth := newMockUserPassAuth()
 	err := auth.validatePassword("username", "password")
-	ExpectNoError(t, err)
+	expect.NoError(t, err)
 	err = auth.validatePassword("username", "wrong-password")
-	ExpectError(t, ErrInvalidPassword, err)
+	expect.ErrorIs(t, ErrInvalidPassword, err)
 	err = auth.validatePassword("wrong-username", "password")
-	ExpectError(t, ErrInvalidUsername, err)
+	expect.ErrorIs(t, ErrInvalidUsername, err)
 }

 func TestUserPassCheckToken(t *testing.T) {
 	auth := newMockUserPassAuth()
 	token, err := auth.NewToken()
-	ExpectNoError(t, err)
+	expect.NoError(t, err)
 	tests := []struct {
 		token   string
 		wantErr bool
@@ -60,9 +60,9 @@ func TestUserPassCheckToken(t *testing.T) {
 		}
 		err = auth.CheckToken(req)
 		if tt.wantErr {
-			ExpectTrue(t, err != nil)
+			expect.True(t, err != nil)
 		} else {
-			ExpectNoError(t, err)
+			expect.NoError(t, err)
 		}
 	}
 }
@@ -96,20 +96,20 @@ func TestUserPassLoginCallbackHandler(t *testing.T) {
 		w := httptest.NewRecorder()
 		req := &http.Request{
 			Host: "app.example.com",
-			Body: io.NopCloser(bytes.NewReader(Must(json.Marshal(tt.creds)))),
+			Body: io.NopCloser(bytes.NewReader(expect.Must(json.Marshal(tt.creds)))),
 		}
 		auth.PostAuthCallbackHandler(w, req)
 		if tt.wantErr {
-			ExpectEqual(t, w.Code, http.StatusUnauthorized)
+			expect.Equal(t, w.Code, http.StatusUnauthorized)
 		} else {
-			setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
-			ExpectTrue(t, setCookie.Name == auth.TokenCookieName())
-			ExpectTrue(t, setCookie.Value != "")
-			ExpectEqual(t, setCookie.Domain, "example.com")
-			ExpectEqual(t, setCookie.Path, "/")
-			ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
-			ExpectEqual(t, setCookie.HttpOnly, true)
-			ExpectEqual(t, w.Code, http.StatusOK)
+			setCookie := expect.Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
+			expect.True(t, setCookie.Name == auth.TokenCookieName())
+			expect.True(t, setCookie.Value != "")
+			expect.Equal(t, setCookie.Domain, "example.com")
+			expect.Equal(t, setCookie.Path, "/")
+			expect.Equal(t, setCookie.SameSite, http.SameSiteLaxMode)
+			expect.Equal(t, setCookie.HttpOnly, true)
+			expect.Equal(t, w.Code, http.StatusOK)
 		}
 	}
 }
--- a/internal/auth/utils.go
+++ b/internal/auth/utils.go
@@ -6,9 +6,9 @@ import (
 	"strings"
 	"time"

-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/godoxy/internal/common"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
 )

 var (
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -11,11 +11,12 @@ import (

 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/rs/zerolog/log"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/gperr"
-	"github.com/yusing/go-proxy/internal/utils"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/utils"
+	gperr "github.com/yusing/goutils/errs"
 )

 type Config struct {
@@ -27,6 +28,8 @@ type Config struct {
 	Provider    string         `json:"provider,omitempty"`
 	Options     map[string]any `json:"options,omitempty"`

+	Resolvers []string `json:"resolvers,omitempty"`
+
 	// Custom ACME CA
 	CADirURL string   `json:"ca_dir_url,omitempty"`
 	CACerts  []string `json:"ca_certs,omitempty"`
@@ -111,6 +114,12 @@ func (cfg *Config) Validate() gperr.Error {
 	return b.Error()
 }

+func (cfg *Config) dns01Options() []dns01.ChallengeOption {
+	return []dns01.ChallengeOption{
+		dns01.CondOption(len(cfg.Resolvers) > 0, dns01.AddRecursiveNameservers(cfg.Resolvers)),
+	}
+}
+
 func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 	if err := cfg.Validate(); err != nil {
 		return nil, nil, err
--- a/internal/autocert/config_test.go
+++ b/internal/autocert/config_test.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"

-	"github.com/yusing/go-proxy/internal/serialization"
+	"github.com/yusing/godoxy/internal/serialization"
 )

 func TestEABConfigRequired(t *testing.T) {
--- a/Show More
+++ b/Show More