chore(accesslog): reduce buffering for stdout

- warn instead of error when version mismatch
- check for major version only
- better version parsing

.env.example

@@ -1,24 +1,29 @@
+# docker image tag (latest, nightly)
+TAG=latest
+
 # set timezone to get correct log timestamp
 TZ=ETC/UTC
 
+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
 # API/WebUI user password login credentials (optional)
 # These fields are not required for OIDC authentication
 GODOXY_API_USER=admin
 GODOXY_API_PASSWORD=password
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-# the JWT token time-to-live
-GODOXY_API_JWT_TOKEN_TTL=1h
 
 # OIDC Configuration (optional)
 # Uncomment and configure these values to enable OIDC authentication.
+#
 # GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
 # GODOXY_OIDC_CLIENT_ID=your-client-id
 # GODOXY_OIDC_CLIENT_SECRET=your-client-secret
-# Keep /api/auth/callback as the redirect URL, change the domain to match your setup.
-# GODOXY_OIDC_REDIRECT_URL=https://your-domain/api/auth/callback
-# Comma-separated list of scopes
-# GODOXY_OIDC_SCOPES=openid, profile, email
+# GODOXY_OIDC_SCOPES=openid, profile, email, groups # you may also include `offline_access` if your Idp supports it (e.g. Authentik, Pocket ID)
 #
 # User definitions: Uncomment and configure these values to restrict access to specific users or groups.
 # These two fields act as a logical AND operator. For example, given the following membership:
@@ -42,8 +47,15 @@ GODOXY_HTTPS_ADDR=:443
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888
 
-# Prometheus Metrics
-GODOXY_PROMETHEUS_ENABLED=true
+# Frontend listening port
+GODOXY_FRONTEND_PORT=3000
+
+# Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
+GODOXY_FRONTEND_ALIASES=godoxy
+
+# Docker socket
+# /var/run/podman/podman.sock for podman
+DOCKER_SOCKET=/var/run/docker.sock
 
 # Debug mode
 GODOXY_DEBUG=false

.github/workflows/agent-binary.yml

@@ -0,0 +1,48 @@
+name: GoDoxy agent binary
+
+on:
+  push:
+    tags:
+      - v*
+    paths:
+      - "agent/**"
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+            binary_name: godoxy-agent-linux-amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64
+            binary_name: godoxy-agent-linux-arm64
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Verify dependencies
+        run: go mod verify
+      - name: Build
+        run: |
+          make agent=1 NAME=${{ matrix.binary_name }} build
+      - name: Check binary
+        run: |
+          file bin/${{ matrix.binary_name }}
+      - name: Upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.binary_name }}
+          path: bin/${{ matrix.binary_name }}
+      - name: Upload to release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: bin/${{ matrix.binary_name }}

.github/workflows/docker-image-nightly.yml

@@ -6,6 +6,7 @@ on:
       - "*" # matches every branch that doesn't contain a '/'
       - "*/*" # matches every branch containing a single '/'
       - "**" # matches every branch
+      - "!dependabot/*"
       - "!main" # excludes main
 
 jobs:

.github/workflows/docker-image.yml

@@ -77,8 +77,10 @@ jobs:
           platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}-${{ inputs.tag }}
+          cache-to: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}-${{ inputs.tag }},mode=max
           build-args: |
             VERSION=${{ github.ref_name }}
             MAKE_ARGS=${{ env.MAKE_ARGS }}

.gitignore

@@ -9,6 +9,9 @@ certs*/
 bin/
 error_pages/
 !examples/error_pages/
+profiles/
+data/
+debug/
 
 logs/
 log/
@@ -26,7 +29,12 @@ todo.md
 .aider*
 mtrace.json
 .env
+.cursorrules
+.windsurfrules
 test.Dockerfile
 
 node_modules/
-tsconfig.tsbuildinfo
+tsconfig.tsbuildinfo
+
+!agent.compose.yml
+!agent/pkg/**

.trunk/trunk.yaml

@@ -23,7 +23,6 @@ lint:
   enabled:
     - hadolint@2.12.1-beta
     - actionlint@1.7.7
-    - checkov@3.2.370
     - git-diff-check
     - gofmt@1.20.4
     - golangci-lint@1.64.5

Dockerfile

@@ -1,40 +1,41 @@
-# Stage 1: Builder
-FROM golang:1.23.6-alpine AS builder
+# Stage 1: deps
+FROM golang:1.24.2-alpine AS deps
 HEALTHCHECK NONE
 
 # package version does not matter
 # trunk-ignore(hadolint/DL3018)
 RUN apk add --no-cache tzdata make libcap-setcap
 
+# Stage 2: builder
+FROM deps AS builder
+
 WORKDIR /src
 
+COPY Makefile ./
+COPY cmd ./cmd
+COPY internal ./internal
+COPY pkg ./pkg
+COPY agent ./agent
+
 # Only copy go.mod and go.sum initially for better caching
 COPY go.mod go.sum /src/
 
-# Utilize build cache
-RUN --mount=type=cache,target="/go/pkg/mod" \
-    go mod download -x
-
-ENV GOCACHE=/root/.cache/go-build
-
-COPY Makefile /src/
-COPY cmd /src/cmd
-COPY internal /src/internal
-COPY pkg /src/pkg
+ENV GOPATH=/root/go
+RUN go mod download -x
 
 ARG VERSION
 ENV VERSION=${VERSION}
 
-ARG BUILD_FLAGS
-ENV BUILD_FLAGS=${BUILD_FLAGS}
+ARG MAKE_ARGS
+ENV MAKE_ARGS=${MAKE_ARGS}
 
-RUN --mount=type=cache,target="/go/pkg/mod" \
-    --mount=type=cache,target="/root/.cache/go-build" \
-    make build && \
-    mkdir -p /app/error_pages /app/certs && \
-    mv bin/godoxy /app/godoxy
+ENV GOCACHE=/root/.cache/go-build
+ENV GOPATH=/root/go
+RUN make ${MAKE_ARGS} build link-binary && \
+    mv bin /app/ && \
+    mkdir -p /app/error_pages /app/certs
 
-# Stage 2: Final image
+# Stage 3: Final image
 FROM scratch
 
 LABEL maintainer="yusing@6uo.me"
@@ -53,12 +54,7 @@ COPY config.example.yml /app/config/config.yml
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs
 
 ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GODOXY_DEBUG=0
-
-EXPOSE 80
-EXPOSE 8888
-EXPOSE 443
 
 WORKDIR /app
 
-CMD ["/app/godoxy"]
+CMD ["/app/run"]

Makefile

@@ -4,55 +4,82 @@ export GOOS = linux
 
 LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
 
+
+ifeq ($(agent), 1)
+	NAME = godoxy-agent
+	CMD_PATH = ./cmd
+	PWD = ${shell pwd}/agent
+else
+	NAME = godoxy
+	CMD_PATH = ./cmd
+	PWD = ${shell pwd}
+endif
+
 ifeq ($(trace), 1)
 	debug = 1
 	GODOXY_TRACE ?= 1
+	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
+endif
+
+ifeq ($(race), 1)
+	debug = 1
+  BUILD_FLAGS += -race
 endif
 
 ifeq ($(debug), 1)
 	CGO_ENABLED = 0
 	GODOXY_DEBUG = 1
-  BUILD_FLAGS = -tags production
+	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug
 else ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
-	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
-	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/
-	BUILD_FLAGS = -race -gcflags=all='-N -l' -tags pprof
-	DOCKER_TAG = pprof
-	VERSION += -pprof
+	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
+	BUILD_FLAGS += -tags pprof
+	VERSION := ${VERSION}-pprof
 else
 	CGO_ENABLED = 0
 	LDFLAGS += -s -w
-  BUILD_FLAGS = -pgo=auto -tags production
-	DOCKER_TAG = latest
+	BUILD_FLAGS += -pgo=auto -tags production
 endif
 
 BUILD_FLAGS += -ldflags='$(LDFLAGS)'
+BIN_PATH := $(shell pwd)/bin/${NAME}
 
+export NAME
+export CMD_PATH
 export CGO_ENABLED
 export GODOXY_DEBUG
 export GODOXY_TRACE
 export GODEBUG
 export GORACE
 export BUILD_FLAGS
-export DOCKER_TAG
+
+ifeq ($(shell id -u), 0)
+	SETCAP_CMD = setcap
+else
+	SETCAP_CMD = sudo setcap
+endif
+
+.PHONY: debug
 
 test:
 	GODOXY_TEST=1 go test ./internal/...
 
 get:
-	go get -u ./cmd && go mod tidy
+	for dir in ${PWD} ${PWD}/agent; do cd $$dir && go get -u ./... && go mod tidy; done
 
 build:
 	mkdir -p bin
-	go build ${BUILD_FLAGS} -o bin/godoxy ./cmd
-	if [ $(shell id -u) -eq 0 ]; \
-		then setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
-		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
-	fi
+	cd ${PWD} && go build ${BUILD_FLAGS} -o ${BIN_PATH} ${CMD_PATH}
+
+	# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+	$(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH}
 
 run:
-	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}
+
+debug:
+	make NAME="godoxy-test" debug=1 build
+	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
 
 mtrace:
 	bin/godoxy debug-ls-mtrace > mtrace.json
@@ -72,55 +99,8 @@ ci-test:
 cloc:
 	cloc --not-match-f '_test.go$$' cmd internal pkg
 
-push-docker-io:
-	BUILDER=build docker buildx build \
-		--platform linux/arm64,linux/amd64 \
-		-f Dockerfile \
-		-t docker.io/yusing/godoxy-nightly:${DOCKER_TAG} \
-		-t docker.io/yusing/godoxy-nightly:${VERSION}-${BUILD_DATE} \
-		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
-		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
-		--push .
-
-build-docker:
-	docker build -t godoxy-nightly \
-		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
-		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
-		.
-
-# To generate schema
-# comment out this part from typescript-json-schema.js#L884
-#
-#	if (indexType.flags !== ts.TypeFlags.Number && !isIndexedObject) {
-#			throw new Error("Not supported: IndexSignatureDeclaration with index symbol other than a number or a string");
-#	}
-
-gen-schema-single:
-	bun --bun run typescript-json-schema --noExtraProps --required --skipLibCheck --tsNodeRegister=true -o schemas/${OUT} schemas/${IN} ${CLASS}
-	# minify
-	python3 -c "import json; f=open('schemas/${OUT}', 'r'); j=json.load(f); f.close(); f=open('schemas/${OUT}', 'w'); json.dump(j, f, separators=(',', ':'));"
-
-gen-schema:
-	bun --bun tsc
-	make IN=config/config.ts \
-			CLASS=Config \
-			OUT=config.schema.json \
-			gen-schema-single
-	make IN=providers/routes.ts \
-			CLASS=Routes \
-			OUT=routes.schema.json \
-			gen-schema-single
-	make IN=middlewares/middleware_compose.ts \
-			CLASS=MiddlewareCompose \
-			OUT=middleware_compose.schema.json \
-			gen-schema-single
-	make IN=docker.ts \
-			CLASS=DockerRoutes \
-			OUT=docker_routes.schema.json \
-			gen-schema-single
-
-update-schema-generator:
-	pnpm up -g typescript-json-schema
+link-binary:
+	ln -s /app/${NAME} bin/run
 
 push-github:
 	git push origin $(shell git rev-parse --abbrev-ref HEAD)

README.md

@@ -5,7 +5,8 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_godoxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
 
 A lightweight, simple, and [performant](https://github.com/yusing/godoxy/wiki/Benchmarks) reverse proxy with WebUI.
 
@@ -13,12 +14,6 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
 
 **EN** | <a href="README_CHT.md">中文</a>
 
-**Currently working on [feat/godoxy-agent](https://github.com/yusing/godoxy/tree/feat/godoxy-agent).<br/>For contribution, please fork this instead of default branch.**
-
-<!-- [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy) -->
-
 <img src="screenshots/webui.jpg" style="max-width: 650">
 
 </div>
@@ -29,10 +24,11 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
 
 - [GoDoxy](#godoxy)
   - [Table of content](#table-of-content)
+  - [Running demo](#running-demo)
   - [Key Features](#key-features)
   - [Prerequisites](#prerequisites)
-  - [How does GoDoxy work](#how-does-godoxy-work)
   - [Setup](#setup)
+  - [How does GoDoxy work](#how-does-godoxy-work)
   - [Screenshots](#screenshots)
     - [idlesleeper](#idlesleeper)
     - [Metrics and Logs](#metrics-and-logs)
@@ -40,59 +36,82 @@ For full documentation, check out **[Wiki](https://github.com/yusing/godoxy/wiki
     - [Folder structrue](#folder-structrue)
   - [Build it yourself](#build-it-yourself)
 
+## Running demo
+
+<https://demo.godoxy.dev>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+
 ## Key Features
 
-- Easy to use
-  - Effortless configuration
-  - Simple multi-node setup with GoDoxy agents
-  - Error messages is clear and detailed, easy troubleshooting
-- Auto SSL with Let's Encrypt and DNS-01 (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
-- Auto hot-reload on container state / config file changes
-- Create routes dynamically from running docker containers
-- **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [screenshots](#idlesleeper))_
-- HTTP reserve proxy and TCP/UDP port forwarding
-- OpenID Connect integration
-- [HTTP middleware](https://github.com/yusing/go-proxy/wiki/Middlewares) and [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
-- **Web UI with App dashboard, config editor, _uptime monitor_, _system monitor_, _docker logs viewer_ (available on nightly builds)**
-- Supports linux/amd64, linux/arm64
-- Written in **[Go](https://go.dev)**
-
-[🔼Back to top](#table-of-content)
+- **Simple**
+  - Effortless configuration with [simple labels](https://github.com/yusing/godoxy/wiki/Docker-labels-and-Route-Files) or WebUI
+  - [Simple multi-node setup](https://github.com/yusing/godoxy/wiki/Configurations#multi-docker-nodes-setup)
+  - Detailed error messages for easy troubleshooting.
+- **ACL**: connection / request level access control
+  - IP/CIDR
+  - Country **(Maxmind account required)**
+  - Timezone **(Maxmind account required)**
+  - **Access logging**
+- **Advanced Automation**
+  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
+  - Auto-configuration for Docker containers
+  - Hot-reloading of configurations and container state changes
+- **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
+  - Docker containers
+  - Proxmox LXCs
+- **Traffic Management**
+  - HTTP reserve proxy
+  - TCP/UDP port forwarding
+  - **OpenID Connect support**: SSO and secure your apps easily
+- **Customization**
+  - [HTTP middlewares](https://github.com/yusing/go-proxy/wiki/Middlewares)
+  - [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
+- **Web UI**
+  - App Dashboard
+  - Config Editor
+  - Uptime and System Metrics
+  - Docker Logs Viewer
+- **Cross-Platform support**
+  - Supports **linux/amd64** and **linux/arm64**
+- **Efficient and Performant**
+  - Written in **[Go](https://go.dev)**
 
 ## Prerequisites
 
-Setup Wildcard DNS Record(s) for machine running `GoDoxy`, e.g.
+Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
 
 - A Record: `*.domain.com` -> `10.0.10.1`
 - AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`
 
+## Setup
+
+> [!NOTE]
+> GoDoxy is designed to be running in `host` network mode, do not change it.
+>
+> To change listening ports, modify `.env`.
+
+1. Prepare a new directory for docker compose and config files.
+
+2. Run setup script inside the directory, or [set up manually](#manual-setup)
+
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```
+
+3. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
+
 ## How does GoDoxy work
 
 1. List all the containers
 2. Read container name, labels and port configurations for each of them
 3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
+4. Watch for container / config changes and update automatically
 
-GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to `container_name`.
-
-For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
-
-## Setup
-
-**NOTE:** GoDoxy is designed to be (and only works when) running in `host` network mode, do not change it. To change listening ports, modify `.env`.
-
-1. Prepare a new directory for docker compose and config files.
-
-2. Run setup script inside the directory, or [set up manually](#manual-setup)
-
-    ```shell
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
-    ```
-
-3. Start the container `docker compose up -d` and wait for it to be ready
-
-4. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
-
-[🔼Back to top](#table-of-content)
+> [!NOTE]
+> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
+>
+> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
 
 ## Screenshots
 
@@ -102,8 +121,6 @@ For example, with the label `proxy.aliases: qbt` you can access your app via `qb
 
 ### Metrics and Logs
 
-_In development, available on nightly builds._
-
 <div align="center">
   <table>
     <tr>
@@ -127,8 +144,6 @@ _In development, available on nightly builds._
   </table>
 </div>
 
-[🔼Back to top](#table-of-content)
-
 ## Manual Setup
 
 1. Make `config` directory then grab `config.example.yml` into `config/config.yml`

README_CHT.md

@@ -3,17 +3,14 @@
 # GoDoxy
 
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-![GitHub last commit](https://img.shields.io/github/last-commit/yusing/go-proxy)
+![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
 
-輕量、易用、 [高效能](https://github.com/yusing/go-proxy/wiki/Benchmarks)，且帶有主頁和配置面板的反向代理
+輕量、易用、 [高效能](https://github.com/yusing/godoxy/wiki/Benchmarks)，且帶有主頁和配置面板的反向代理
 
-完整文檔請查閱 **[Wiki](https://github.com/yusing/go-proxy/wiki)**（暫未有中文翻譯）
-
-<!-- [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy) -->
+完整文檔請查閱 **[Wiki](https://github.com/yusing/godoxy/wiki)**（暫未有中文翻譯）
 
 <a href="README.md">EN</a> | **中文**
 
@@ -27,6 +24,7 @@
 
 - [GoDoxy](#godoxy)
   - [目錄](#目錄)
+  - [運行示例](#運行示例)
   - [主要特點](#主要特點)
   - [前置需求](#前置需求)
   - [安裝](#安裝)
@@ -34,28 +32,33 @@
     - [資料夾結構](#資料夾結構)
   - [截圖](#截圖)
     - [閒置休眠](#閒置休眠)
+    - [監控](#監控)
   - [自行編譯](#自行編譯)
 
+## 運行示例
+
+<https://demo.godoxy.dev>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+
 ## 主要特點
 
 - 容易使用
   - 輕鬆配置
   - 簡單的多節點設置
   - 錯誤訊息清晰詳細，易於排除故障
-- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers)）
+- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers)）
 - 自動配置 Docker 容器
 - 容器狀態/配置文件變更時自動熱重載
 - **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
-- HTTP(s) 反向代理
-- OpenID Connect 支持
-- [HTTP 中介軟體支援](https://github.com/yusing/go-proxy/wiki/Middlewares)
-- [自訂錯誤頁面支援](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
-- TCP 和 UDP 埠轉發
+- OpenID Connect：輕鬆實現單點登入
+- HTTP(s) 反向代理和 TCP 和 UDP 埠轉發
+- [HTTP 中介軟體](https://github.com/yusing/godoxy/wiki/Middlewares) 和 [自定義錯誤頁面](https://github.com/yusing/godoxy/wiki/Middlewares#custom-error-pages)
 - **網頁介面，具有應用儀表板和配置編輯器**
 - 支援 linux/amd64、linux/arm64
 - 使用 **[Go](https://go.dev)** 編寫
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)
 
 ## 前置需求
 
@@ -66,35 +69,36 @@
 
 ## 安裝
 
-**注意：** GoDoxy 設計為（且僅在）`host` 網路模式下運作，請勿更改。如需更改監聽埠，請修改 `.env`。
+> [!NOTE]
+> GoDoxy 僅在 `host` 網路模式下運作，請勿更改。
+>
+> 如需更改監聽埠，請修改 `.env`。
 
-1.  準備一個新目錄用於 docker compose 和配置文件。
+1. 準備一個新目錄用於 docker compose 和配置文件。
 
-2.  在目錄內運行安裝腳本，或[手動安裝](#手動安裝)
+2. 在目錄內運行安裝腳本，或[手動安裝](#手動安裝)
 
-    ```shell
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/go-proxy/main/scripts/setup.sh)"
-    ```
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```
 
-3.  啟動容器 `docker compose up -d` 並等待就緒
+3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置
 
-4.  現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置
-
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)
 
 ### 手動安裝
 
 1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`
 
-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/main/config.example.yml -O config/config.yml`
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`
 
 2. 將 `.env.example` 下載到 `.env`
 
-   `wget https://raw.githubusercontent.com/yusing/go-proxy/main/.env.example -O .env`
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`
 
 3. 將 `compose.example.yml` 下載到 `compose.yml`
 
-   `wget https://raw.githubusercontent.com/yusing/go-proxy/main/compose.example.yml -O compose.yml`
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`
 
 ### 資料夾結構
 
@@ -123,11 +127,36 @@
 
 ![閒置休眠](screenshots/idlesleeper.webp)
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)
+
+### 監控
+
+<div align="center">
+  <table>
+    <tr>
+      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
+      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
+      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>運行時間監控</b></td>
+      <td align="center"><b>Docker 日誌</b></td>
+      <td align="center"><b>伺服器概覽</b></td>
+    </tr>
+        <tr>
+      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
+      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>系統監控</b></td>
+      <td align="center"><b>圖表</b></td>
+    </tr>
+  </table>
+</div>
 
 ## 自行編譯
 
-1. 克隆儲存庫 `git clone https://github.com/yusing/go-proxy --depth=1`
+1. 克隆儲存庫 `git clone https://github.com/yusing/godoxy --depth=1`
 
 2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`
 
@@ -137,4 +166,4 @@
 
 5. 使用 `make build` 編譯二進制檔案
 
-[🔼回到頂部](#目錄)
+[🔼 回到頂部](#目錄)

agent/cmd/main.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"os"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	"github.com/yusing/go-proxy/agent/pkg/server"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+func main() {
+	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
+
+	ca := &agent.PEMPair{}
+	err := ca.Load(env.AgentCACert)
+	if err != nil {
+		gperr.LogFatal("init CA error", err)
+	}
+	caCert, err := ca.ToTLSCert()
+	if err != nil {
+		gperr.LogFatal("init CA error", err)
+	}
+
+	srv := &agent.PEMPair{}
+	srv.Load(env.AgentSSLCert)
+	if err != nil {
+		gperr.LogFatal("init SSL error", err)
+	}
+	srvCert, err := srv.ToTLSCert()
+	if err != nil {
+		gperr.LogFatal("init SSL error", err)
+	}
+
+	logging.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
+	logging.Info().Msgf("Agent name: %s", env.AgentName)
+	logging.Info().Msgf("Agent port: %d", env.AgentPort)
+
+	logging.Info().Msg(`
+Tips:
+1. To change the agent name, you can set the AGENT_NAME environment variable.
+2. To change the agent port, you can set the AGENT_PORT environment variable.
+`)
+
+	t := task.RootTask("agent", false)
+	opts := server.Options{
+		CACert:     caCert,
+		ServerCert: srvCert,
+		Port:       env.AgentPort,
+	}
+
+	server.StartAgentServer(t, opts)
+	systeminfo.Poller.Start()
+
+	task.WaitExit(3)
+}

agent/go.mod

@@ -0,0 +1,88 @@
+module github.com/yusing/go-proxy/agent
+
+go 1.24.2
+
+replace github.com/yusing/go-proxy => ..
+
+require (
+	github.com/coder/websocket v1.8.13
+	github.com/docker/docker v28.1.1+incompatible
+	github.com/rs/zerolog v1.34.0
+	github.com/stretchr/testify v1.10.0
+	github.com/yusing/go-proxy v0.11.1
+)
+
+replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/PuerkitoBio/goquery v1.10.3 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/bytedance/sonic v1.13.2 // indirect
+	github.com/bytedance/sonic/loader v0.2.4 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/cli v28.1.1+incompatible // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-acme/lego/v4 v4.23.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.26.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-yaml v1.17.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
+	github.com/gotify/server/v2 v2.6.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lithammer/fuzzysearch v1.1.8 // indirect
+	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/quic-go v0.51.0 // indirect
+	github.com/samber/lo v1.49.1 // indirect
+	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.3 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/spf13/afero v1.14.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/vincent-petithory/dataurl v1.0.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.1 // indirect
+	golang.org/x/arch v0.16.0 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

agent/go.sum

@@ -0,0 +1,342 @@
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
+github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
+github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
+github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
+github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
+github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
+github.com/bytedance/sonic v1.13.2 h1:8/H1FempDZqC4VqjptGo14QQlJx8VdZJegxs6wwfqpQ=
+github.com/bytedance/sonic v1.13.2/go.mod h1:o68xyaF9u2gvVBuGHPlUVCy+ZfmNNO5ETf1+KgkJhz4=
+github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/bytedance/sonic/loader v0.2.4 h1:ZWCw4stuXUsn1/+zQDqeE7JKP+QO47tz7QCNan80NzY=
+github.com/bytedance/sonic/loader v0.2.4/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/diskfs/go-diskfs v1.6.0 h1:YmK5+vLSfkwC6kKKRTRPGaDGNF+Xh8FXeiNHwryDfu4=
+github.com/diskfs/go-diskfs v1.6.0/go.mod h1:bRFumZeGFCO8C2KNswrQeuj2m1WCVr4Ms5IjWMczMDk=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
+github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
+github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
+github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
+github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
+github.com/go-acme/lego/v4 v4.23.1 h1:lZ5fGtGESA2L9FB8dNTvrQUq3/X4QOb8ExkKyY7LSV4=
+github.com/go-acme/lego/v4 v4.23.1/go.mod h1:7UMVR7oQbIYw6V7mTgGwi4Er7B6Ww0c+c8feiBM0EgI=
+github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
+github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
+github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
+github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e h1:LEbMtJ6loEubxetD+Aw8+1x0rShor5iMoy9WuFQ8hN8=
+github.com/godoxy-app/docker v0.0.0-20250418000134-7af8fd7b079e/go.mod h1:3tMTnTkH7IN5smn7PX83XdmRnNj4Nw2/Pt8GgReqnKM=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 h1:gD0vax+4I+mAj+jEChEf25Ia07Jq7kYOFO5PPhAxFl4=
+github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gotify/server/v2 v2.6.1 h1:Kf7v5fzBxzELzZa/jonWfwJMkqYqh1LBzBpCmt5QIAI=
+github.com/gotify/server/v2 v2.6.1/go.mod h1:Dk8HLyTVDqmXM8YEg6tjROBen6mxyHZFRggJFHTwZLc=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
+github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
+github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
+github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/luthermonson/go-proxmox v0.2.2 h1:BZ7VEj302wxw2i/EwTcyEiBzQib8teocB2SSkLHyySY=
+github.com/luthermonson/go-proxmox v0.2.2/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
+github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
+github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
+github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
+github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
+github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
+github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/puzpuzpuz/xsync/v3 v3.5.1 h1:GJYJZwO6IdxN/IKbneznS6yPkVC+c3zyY/j19c++5Fg=
+github.com/puzpuzpuz/xsync/v3 v3.5.1/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
+github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
+github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew=
+github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
+github.com/samber/slog-common v0.18.1 h1:c0EipD/nVY9HG5shgm/XAs67mgpWDMF+MmtptdJNCkQ=
+github.com/samber/slog-common v0.18.1/go.mod h1:QNZiNGKakvrfbJ2YglQXLCZauzkI9xZBjOhWFKS3IKk=
+github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
+github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
+github.com/shirou/gopsutil/v4 v4.25.3 h1:SeA68lsu8gLggyMbmCn8cmp97V1TI9ld9sVzAUcKcKE=
+github.com/shirou/gopsutil/v4 v4.25.3/go.mod h1:xbuxyoZj+UsgnZrENu3lQivsngRR5BdjbJwf2fv4szA=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
+github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
+github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
+github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
+github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/mock v0.5.1 h1:ASgazW/qBmR+A32MYFDB6E2POoTgOwT509VP0CT/fjs=
+go.uber.org/mock v0.5.1/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+golang.org/x/arch v0.16.0 h1:foMtLTdyOmIniqWCHjY6+JxuC54XP1fDwx4N0ASyW+U=
+golang.org/x/arch v0.16.0/go.mod h1:JmwW7aLIoRUKgaTzhkiEFxvcEiQGyOg9BMonBJUS7EE=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f h1:tjZsroqekhC63+WMqzmWyW5Twj/ZfR5HAlpd5YQ1Vs0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f/go.mod h1:Cd8IzgPo5Akum2c9R6FsXNaZbH3Jpa2gpHlW89FqlyQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250425173222-7b384671a197 h1:29cjnHVylHwTzH66WfFZqgSQgnxzvWE+jvBwpZCLRxY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250425173222-7b384671a197/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
+google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=

agent/pkg/agent/bare_metal.go

@@ -0,0 +1,23 @@
+package agent
+
+import (
+	"bytes"
+	"text/template"
+)
+
+var (
+	installScript = `AGENT_NAME="{{.Name}}" \
+	AGENT_PORT="{{.Port}}" \
+	AGENT_CA_CERT="{{.CACert}}" \
+	AGENT_SSL_CERT="{{.SSLCert}}" \
+	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/go-proxy/main/scripts/install-agent.sh)"`
+	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
+)
+
+func (c *AgentEnvConfig) Generate() (string, error) {
+	buf := bytes.NewBuffer(make([]byte, 0, 4096))
+	if err := installScriptTemplate.Execute(buf, c); err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}

agent/pkg/agent/config.go

@@ -0,0 +1,191 @@
+package agent
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	gphttp "github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+type AgentConfig struct {
+	Addr string
+
+	httpClient *http.Client
+	tlsConfig  *tls.Config
+	name       string
+	l          zerolog.Logger
+}
+
+const (
+	EndpointVersion    = "/version"
+	EndpointName       = "/name"
+	EndpointProxyHTTP  = "/proxy/http"
+	EndpointHealth     = "/health"
+	EndpointLogs       = "/logs"
+	EndpointSystemInfo = "/system_info"
+
+	AgentHost = CertsDNSName
+
+	APIEndpointBase = "/godoxy/agent"
+	APIBaseURL      = "https://" + AgentHost + APIEndpointBase
+
+	DockerHost = "https://" + AgentHost
+
+	FakeDockerHostPrefix    = "agent://"
+	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
+)
+
+func mustParseURL(urlStr string) *url.URL {
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+var (
+	AgentURL              = mustParseURL(APIBaseURL)
+	HTTPProxyURL          = mustParseURL(APIBaseURL + EndpointProxyHTTP)
+	HTTPProxyURLPrefixLen = len(APIEndpointBase + EndpointProxyHTTP)
+)
+
+func IsDockerHostAgent(dockerHost string) bool {
+	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
+}
+
+func GetAgentAddrFromDockerHost(dockerHost string) string {
+	return dockerHost[FakeDockerHostPrefixLen:]
+}
+
+func (cfg *AgentConfig) FakeDockerHost() string {
+	return FakeDockerHostPrefix + cfg.Addr
+}
+
+func (cfg *AgentConfig) Parse(addr string) error {
+	cfg.Addr = addr
+	return nil
+}
+
+func (cfg *AgentConfig) StartWithCerts(parent task.Parent, ca, crt, key []byte) error {
+	clientCert, err := tls.X509KeyPair(crt, key)
+	if err != nil {
+		return err
+	}
+
+	// create tls config
+	caCertPool := x509.NewCertPool()
+	ok := caCertPool.AppendCertsFromPEM(ca)
+	if !ok {
+		return gperr.New("invalid ca certificate")
+	}
+
+	cfg.tlsConfig = &tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		RootCAs:      caCertPool,
+		ServerName:   CertsDNSName,
+	}
+
+	// create transport and http client
+	cfg.httpClient = cfg.NewHTTPClient()
+
+	ctx, cancel := context.WithTimeout(parent.Context(), 5*time.Second)
+	defer cancel()
+
+	// get agent name
+	name, _, err := cfg.Fetch(ctx, EndpointName)
+	if err != nil {
+		return err
+	}
+
+	cfg.name = string(name)
+
+	cfg.l = logging.With().Str("agent", cfg.name).Logger()
+
+	// check agent version
+	agentVersionBytes, _, err := cfg.Fetch(ctx, EndpointVersion)
+	if err != nil {
+		return err
+	}
+
+	agentVersion := string(agentVersionBytes)
+
+	if pkg.GetVersion().IsNewerMajorThan(pkg.ParseVersion(agentVersion)) {
+		logging.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.name, pkg.GetVersion(), agentVersion)
+	}
+
+	logging.Info().Msgf("agent %q initialized", cfg.name)
+	return nil
+}
+
+func (cfg *AgentConfig) Start(parent task.Parent) gperr.Error {
+	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
+	if !ok {
+		return gperr.New("invalid agent host").Subject(cfg.Addr)
+	}
+
+	certData, err := os.ReadFile(filepath)
+	if err != nil {
+		return gperr.Wrap(err, "failed to read agent certs")
+	}
+
+	ca, crt, key, err := certs.ExtractCert(certData)
+	if err != nil {
+		return gperr.Wrap(err, "failed to extract agent certs")
+	}
+
+	return gperr.Wrap(cfg.StartWithCerts(parent, ca, crt, key))
+}
+
+func (cfg *AgentConfig) NewHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: cfg.Transport(),
+	}
+}
+
+func (cfg *AgentConfig) Transport() *http.Transport {
+	return &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if addr != AgentHost+":443" {
+				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
+			}
+			if network != "tcp" {
+				return nil, &net.OpError{Op: "dial", Net: network, Source: nil, Addr: nil}
+			}
+			return cfg.DialContext(ctx)
+		},
+		TLSClientConfig: cfg.tlsConfig,
+	}
+}
+
+func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
+	return gphttp.DefaultDialer.DialContext(ctx, "tcp", cfg.Addr)
+}
+
+func (cfg *AgentConfig) Name() string {
+	return cfg.name
+}
+
+func (cfg *AgentConfig) String() string {
+	return cfg.name + "@" + cfg.Addr
+}
+
+func (cfg *AgentConfig) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]string{
+		"name": cfg.Name(),
+		"addr": cfg.Addr,
+	})
+}

agent/pkg/agent/docker_compose.go

@@ -0,0 +1,27 @@
+package agent
+
+import (
+	"bytes"
+	"text/template"
+
+	_ "embed"
+)
+
+var (
+	//go:embed templates/agent.compose.yml
+	agentComposeYAML         string
+	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml").Parse(agentComposeYAML))
+)
+
+const (
+	DockerImageProduction = "ghcr.io/yusing/godoxy-agent:latest"
+	DockerImageNightly    = "ghcr.io/yusing/godoxy-agent:nightly"
+)
+
+func (c *AgentComposeConfig) Generate() (string, error) {
+	buf := bytes.NewBuffer(make([]byte, 0, 1024))
+	if err := agentComposeYAMLTemplate.Execute(buf, c); err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}

agent/pkg/agent/env.go

@@ -0,0 +1,17 @@
+package agent
+
+type (
+	AgentEnvConfig struct {
+		Name    string
+		Port    int
+		CACert  string
+		SSLCert string
+	}
+	AgentComposeConfig struct {
+		Image string
+		*AgentEnvConfig
+	}
+	Generator interface {
+		Generate() (string, error)
+	}
+)

agent/pkg/agent/new_agent.go

@@ -0,0 +1,139 @@
+package agent
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"math/big"
+	"strings"
+	"time"
+)
+
+const (
+	CertsDNSName = "godoxy.agent"
+	KeySize      = 2048
+)
+
+func toPEMPair(certDER []byte, key *rsa.PrivateKey) *PEMPair {
+	return &PEMPair{
+		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
+		Key:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
+	}
+}
+
+func b64Encode(data []byte) string {
+	return base64.StdEncoding.EncodeToString(data)
+}
+
+func b64Decode(data string) ([]byte, error) {
+	return base64.StdEncoding.DecodeString(data)
+}
+
+type PEMPair struct {
+	Cert, Key []byte
+}
+
+func (p *PEMPair) String() string {
+	return b64Encode(p.Cert) + ";" + b64Encode(p.Key)
+}
+
+func (p *PEMPair) Load(data string) (err error) {
+	parts := strings.Split(data, ";")
+	if len(parts) != 2 {
+		return errors.New("invalid PEM pair")
+	}
+	p.Cert, err = b64Decode(parts[0])
+	if err != nil {
+		return err
+	}
+	p.Key, err = b64Decode(parts[1])
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
+	cert, err := tls.X509KeyPair(p.Cert, p.Key)
+	return &cert, err
+}
+
+func NewAgent() (ca, srv, client *PEMPair, err error) {
+	// Create the CA's certificate
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"GoDoxy"},
+			CommonName:   CertsDNSName,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(1000, 0, 0), // 1000 years
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	caDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	ca = toPEMPair(caDER, caKey)
+
+	// Generate a new private key for the server certificate
+	serverKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	srvTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Issuer:       caTemplate.Subject,
+		Subject:      caTemplate.Subject,
+		DNSNames:     []string{CertsDNSName},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(1000, 0, 0), // Add validity period
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+
+	srvCertDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, caTemplate, &serverKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	srv = toPEMPair(srvCertDER, serverKey)
+
+	clientKey, err := rsa.GenerateKey(rand.Reader, KeySize)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	clientTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(3),
+		Issuer:       caTemplate.Subject,
+		Subject:      caTemplate.Subject,
+		DNSNames:     []string{CertsDNSName},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(1000, 0, 0),
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+	}
+	clientCertDER, err := x509.CreateCertificate(rand.Reader, clientTemplate, caTemplate, &clientKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	client = toPEMPair(clientCertDER, clientKey)
+	return
+}

agent/pkg/agent/new_agent_test.go

@@ -0,0 +1,91 @@
+package agent
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+)
+
+func TestNewAgent(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+	ExpectTrue(t, ca != nil)
+	ExpectTrue(t, srv != nil)
+	ExpectTrue(t, client != nil)
+}
+
+func TestPEMPair(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+
+	for i, p := range []*PEMPair{ca, srv, client} {
+		t.Run(fmt.Sprintf("load-%d", i), func(t *testing.T) {
+			var pp PEMPair
+			err := pp.Load(p.String())
+			ExpectNoError(t, err)
+			ExpectEqual(t, p.Cert, pp.Cert)
+			ExpectEqual(t, p.Key, pp.Key)
+		})
+	}
+}
+
+func TestPEMPairToTLSCert(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+
+	for i, p := range []*PEMPair{ca, srv, client} {
+		t.Run(fmt.Sprintf("toTLSCert-%d", i), func(t *testing.T) {
+			cert, err := p.ToTLSCert()
+			ExpectNoError(t, err)
+			ExpectTrue(t, cert != nil)
+		})
+	}
+}
+
+func TestServerClient(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	ExpectNoError(t, err)
+
+	srvTLS, err := srv.ToTLSCert()
+	ExpectNoError(t, err)
+	ExpectTrue(t, srvTLS != nil)
+
+	clientTLS, err := client.ToTLSCert()
+	ExpectNoError(t, err)
+	ExpectTrue(t, clientTLS != nil)
+
+	caPool := x509.NewCertPool()
+	ExpectTrue(t, caPool.AppendCertsFromPEM(ca.Cert))
+
+	srvTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{*srvTLS},
+		ClientCAs:    caPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	clientTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{*clientTLS},
+		RootCAs:      caPool,
+		ServerName:   CertsDNSName,
+	}
+
+	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	server.TLS = srvTLSConfig
+	server.StartTLS()
+	defer server.Close()
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{TLSClientConfig: clientTLSConfig},
+	}
+
+	resp, err := httpClient.Get(server.URL)
+	ExpectNoError(t, err)
+	ExpectEqual(t, resp.StatusCode, http.StatusOK)
+}

agent/pkg/agent/requests.go

@@ -0,0 +1,49 @@
+package agent
+
+import (
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/coder/websocket"
+)
+
+func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
+	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
+	if err != nil {
+		return nil, err
+	}
+	return cfg.httpClient.Do(req)
+}
+
+func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) ([]byte, int, error) {
+	req = req.WithContext(req.Context())
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = APIEndpointBase + endpoint
+	req.RequestURI = ""
+	resp, err := cfg.httpClient.Do(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer resp.Body.Close()
+	data, _ := io.ReadAll(resp.Body)
+	return data, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int, error) {
+	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer resp.Body.Close()
+	data, _ := io.ReadAll(resp.Body)
+	return data, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
+	return websocket.Dial(ctx, APIBaseURL+endpoint, &websocket.DialOptions{
+		HTTPClient: cfg.NewHTTPClient(),
+		Host:       AgentHost,
+	})
+}

agent/pkg/agent/templates/agent.compose.yml

@@ -0,0 +1,14 @@
+services:
+  agent:
+    image: "{{.Image}}"
+    container_name: godoxy-agent
+    restart: always
+    network_mode: host # do not change this
+    environment:
+      AGENT_NAME: "{{.Name}}"
+      AGENT_PORT: "{{.Port}}"
+      AGENT_CA_CERT: "{{.CACert}}"
+      AGENT_SSL_CERT: "{{.SSLCert}}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/app/data

agent/pkg/agentproxy/headers.go

@@ -0,0 +1,27 @@
+package agentproxy
+
+import (
+	"net/http"
+	"strconv"
+)
+
+const (
+	HeaderXProxyHost                  = "X-Proxy-Host"
+	HeaderXProxyHTTPS                 = "X-Proxy-Https"
+	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
+	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
+)
+
+type AgentProxyHeaders struct {
+	Host                  string
+	IsHTTPS               bool
+	SkipTLSVerify         bool
+	ResponseHeaderTimeout int
+}
+
+func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
+	r.Header.Set(HeaderXProxyHost, headers.Host)
+	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
+	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
+	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
+}

agent/pkg/certs/zip.go

@@ -0,0 +1,85 @@
+package certs
+
+import (
+	"archive/zip"
+	"bytes"
+	"io"
+	"path/filepath"
+
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+const AgentCertsBasePath = "certs"
+
+func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
+	w, err := zipWriter.CreateHeader(&zip.FileHeader{
+		Name:   name,
+		Method: zip.Store,
+	})
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(data)
+	return err
+}
+
+func readFile(f *zip.File) ([]byte, error) {
+	r, err := f.Open()
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+	return io.ReadAll(r)
+}
+
+func ZipCert(ca, crt, key []byte) ([]byte, error) {
+	data := bytes.NewBuffer(make([]byte, 0, 6144))
+	zipWriter := zip.NewWriter(data)
+	defer zipWriter.Close()
+
+	if err := writeFile(zipWriter, "ca.pem", ca); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "cert.pem", crt); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "key.pem", key); err != nil {
+		return nil, err
+	}
+	if err := zipWriter.Close(); err != nil {
+		return nil, err
+	}
+	return data.Bytes(), nil
+}
+
+func isValidAgentHost(host string) bool {
+	return strutils.IsValidFilename(host + ".zip")
+}
+
+func AgentCertsFilepath(host string) (filepathOut string, ok bool) {
+	if !isValidAgentHost(host) {
+		return "", false
+	}
+	return filepath.Join(AgentCertsBasePath, host+".zip"), true
+}
+
+func ExtractCert(data []byte) (ca, crt, key []byte, err error) {
+	zipReader, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	for _, file := range zipReader.File {
+		switch file.Name {
+		case "ca.pem":
+			ca, err = readFile(file)
+		case "cert.pem":
+			crt, err = readFile(file)
+		case "key.pem":
+			key, err = readFile(file)
+		}
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+	return ca, crt, key, nil
+}

agent/pkg/certs/zip_test.go

@@ -0,0 +1,20 @@
+package certs_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+)
+
+func TestZipCert(t *testing.T) {
+	ca, crt, key := []byte("test1"), []byte("test2"), []byte("test3")
+	zipData, err := certs.ZipCert(ca, crt, key)
+	require.NoError(t, err)
+
+	ca2, crt2, key2, err := certs.ExtractCert(zipData)
+	require.NoError(t, err)
+	require.Equal(t, ca, ca2)
+	require.Equal(t, crt, crt2)
+	require.Equal(t, key, key2)
+}

agent/pkg/env/env.go

@@ -0,0 +1,24 @@
+package env
+
+import (
+	"os"
+
+	"github.com/yusing/go-proxy/internal/common"
+)
+
+func DefaultAgentName() string {
+	name, err := os.Hostname()
+	if err != nil {
+		return "agent"
+	}
+	return name
+}
+
+var (
+	AgentName                = common.GetEnvString("AGENT_NAME", DefaultAgentName())
+	AgentPort                = common.GetEnvInt("AGENT_PORT", 8890)
+	AgentSkipClientCertCheck = common.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
+
+	AgentCACert  = common.GetEnvString("AGENT_CA_CERT", "")
+	AgentSSLCert = common.GetEnvString("AGENT_SSL_CERT", "")
+)

agent/pkg/handler/check_health.go

@@ -0,0 +1,77 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
+)
+
+var defaultHealthConfig = health.DefaultHealthConfig()
+
+func CheckHealth(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	scheme := query.Get("scheme")
+	if scheme == "" {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	var result *health.HealthCheckResult
+	var err error
+	switch scheme {
+	case "fileserver":
+		path := query.Get("path")
+		if path == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		_, err := os.Stat(path)
+		result = &health.HealthCheckResult{Healthy: err == nil}
+		if err != nil {
+			result.Detail = err.Error()
+		}
+	case "http", "https": // path is optional
+		host := query.Get("host")
+		path := query.Get("path")
+		if host == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+			Path:   path,
+		}, defaultHealthConfig).CheckHealth()
+	case "tcp", "udp":
+		host := query.Get("host")
+		if host == "" {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		hasPort := strings.Contains(host, ":")
+		port := query.Get("port")
+		if port != "" && !hasPort {
+			host = fmt.Sprintf("%s:%s", host, port)
+		} else {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewRawHealthMonitor(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+		}, defaultHealthConfig).CheckHealth()
+	}
+
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadGateway)
+		return
+	}
+
+	gphttp.RespondJSON(w, r, result)
+}

agent/pkg/handler/check_health_test.go

@@ -0,0 +1,216 @@
+package handler_test
+
+import (
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/handler"
+	"github.com/yusing/go-proxy/internal/watcher/health"
+)
+
+func TestCheckHealthHTTP(t *testing.T) {
+	tests := []struct {
+		name            string
+		setupServer     func() *httptest.Server
+		queryParams     map[string]string
+		expectedStatus  int
+		expectedHealthy bool
+	}{
+		{
+			name: "Valid",
+			setupServer: func() *httptest.Server {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusOK)
+				}))
+			},
+			queryParams: map[string]string{
+				"scheme": "http",
+				"host":   "localhost",
+				"path":   "/",
+			},
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:        "InvalidQuery",
+			setupServer: nil,
+			queryParams: map[string]string{
+				"scheme": "http",
+			},
+			expectedStatus: http.StatusBadRequest,
+		},
+		{
+			name:        "ConnectionError",
+			setupServer: nil,
+			queryParams: map[string]string{
+				"scheme": "http",
+				"host":   "localhost:12345",
+			},
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var server *httptest.Server
+			if tt.setupServer != nil {
+				server = tt.setupServer()
+				defer server.Close()
+				u, _ := url.Parse(server.URL)
+				tt.queryParams["scheme"] = u.Scheme
+				tt.queryParams["host"] = u.Host
+				tt.queryParams["path"] = u.Path
+			}
+
+			recorder := httptest.NewRecorder()
+			query := url.Values{}
+			for key, value := range tt.queryParams {
+				query.Set(key, value)
+			}
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			if tt.expectedStatus == http.StatusOK {
+				var result health.HealthCheckResult
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+				require.Equal(t, result.Healthy, tt.expectedHealthy)
+			}
+		})
+	}
+}
+
+func TestCheckHealthFileServer(t *testing.T) {
+	tests := []struct {
+		name            string
+		path            string
+		expectedStatus  int
+		expectedHealthy bool
+		expectedDetail  string
+	}{
+		{
+			name:            "ValidPath",
+			path:            t.TempDir(),
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+			expectedDetail:  "",
+		},
+		{
+			name:            "InvalidPath",
+			path:            "/invalid",
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+			expectedDetail:  "stat /invalid: no such file or directory",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			query := url.Values{}
+			query.Set("scheme", "fileserver")
+			query.Set("path", tt.path)
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			var result health.HealthCheckResult
+			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+			require.Equal(t, result.Healthy, tt.expectedHealthy)
+			require.Equal(t, result.Detail, tt.expectedDetail)
+		})
+	}
+}
+
+func TestCheckHealthTCPUDP(t *testing.T) {
+	tcp, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	go func() {
+		conn, err := tcp.Accept()
+		require.NoError(t, err)
+		conn.Close()
+	}()
+
+	udp, err := net.ListenPacket("udp", "localhost:0")
+	require.NoError(t, err)
+	go func() {
+		buf := make([]byte, 1024)
+		n, addr, err := udp.ReadFrom(buf)
+		require.NoError(t, err)
+		require.Equal(t, string(buf[:n]), "ping")
+		_, _ = udp.WriteTo([]byte("pong"), addr)
+		udp.Close()
+	}()
+
+	tests := []struct {
+		name            string
+		scheme          string
+		host            string
+		port            int
+		expectedStatus  int
+		expectedHealthy bool
+	}{
+		{
+			name:            "ValidTCP",
+			scheme:          "tcp",
+			host:            "localhost",
+			port:            tcp.Addr().(*net.TCPAddr).Port,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:            "InvalidHost",
+			scheme:          "tcp",
+			host:            "invalid",
+			port:            8080,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+		{
+			name:            "ValidUDP",
+			scheme:          "udp",
+			host:            "localhost",
+			port:            udp.LocalAddr().(*net.UDPAddr).Port,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:            "InvalidHost",
+			scheme:          "udp",
+			host:            "invalid",
+			port:            8080,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			query := url.Values{}
+			query.Set("scheme", tt.scheme)
+			query.Set("host", tt.host)
+			query.Set("port", strconv.Itoa(tt.port))
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			var result health.HealthCheckResult
+			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+			require.Equal(t, result.Healthy, tt.expectedHealthy)
+		})
+	}
+}

agent/pkg/handler/docker_socket.go

@@ -0,0 +1,31 @@
+package handler
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/docker/docker/client"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
+)
+
+func serviceUnavailable(w http.ResponseWriter, r *http.Request) {
+	http.Error(w, "docker socket is not available", http.StatusServiceUnavailable)
+}
+
+func DockerSocketHandler() http.HandlerFunc {
+	dockerClient, err := docker.NewClient(common.DockerHostFromEnv)
+	if err != nil {
+		logging.Warn().Err(err).Msg("failed to connect to docker client")
+		return serviceUnavailable
+	}
+	rp := reverseproxy.NewReverseProxy("docker", types.NewURL(&url.URL{
+		Scheme: "http",
+		Host:   client.DummyHost,
+	}), dockerClient.HTTPClient().Transport)
+
+	return rp.ServeHTTP
+}

agent/pkg/handler/handler.go

@@ -0,0 +1,49 @@
+package handler
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/go-proxy/pkg"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func (mux ServeMux) HandleMethods(methods, endpoint string, handler http.HandlerFunc) {
+	for _, m := range strutils.CommaSeperatedList(methods) {
+		mux.ServeMux.HandleFunc(m+" "+agent.APIEndpointBase+endpoint, handler)
+	}
+}
+
+func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
+}
+
+type NopWriteCloser struct {
+	io.Writer
+}
+
+func (NopWriteCloser) Close() error {
+	return nil
+}
+
+func NewAgentHandler() http.Handler {
+	mux := ServeMux{http.NewServeMux()}
+
+	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
+	mux.HandleMethods("GET", agent.EndpointVersion, pkg.GetVersionHTTPHandler())
+	mux.HandleMethods("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.AgentName)
+	})
+	mux.HandleMethods("GET", agent.EndpointHealth, CheckHealth)
+	mux.HandleMethods("GET", agent.EndpointLogs, memlogger.HandlerFunc())
+	mux.HandleMethods("GET", agent.EndpointSystemInfo, systeminfo.Poller.ServeHTTP)
+	mux.ServeMux.HandleFunc("/", DockerSocketHandler())
+	return mux
+}

agent/pkg/handler/proxy_http.go

@@ -0,0 +1,62 @@
+package handler
+
+import (
+	"crypto/tls"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/agentproxy"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
+)
+
+func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
+	host := r.Header.Get(agentproxy.HeaderXProxyHost)
+	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
+	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
+	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
+	if err != nil {
+		responseHeaderTimeout = 0
+	}
+
+	if host == "" {
+		http.Error(w, "missing required headers", http.StatusBadRequest)
+		return
+	}
+
+	scheme := "http"
+	if isHTTPS {
+		scheme = "https"
+	}
+
+	var transport *http.Transport
+	if skipTLSVerify {
+		transport = gphttp.NewTransportWithTLSConfig(&tls.Config{InsecureSkipVerify: true})
+	} else {
+		transport = gphttp.NewTransport()
+	}
+
+	if responseHeaderTimeout > 0 {
+		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+	}
+
+	r.URL.Scheme = ""
+	r.URL.Host = ""
+	r.URL.Path = r.URL.Path[agent.HTTPProxyURLPrefixLen:] // strip the {API_BASE}/proxy/http prefix
+	r.RequestURI = r.URL.String()
+	r.URL.Host = host
+	r.URL.Scheme = scheme
+
+	logging.Debug().Msgf("proxy http request: %s %s", r.Method, r.URL.String())
+
+	rp := reverseproxy.NewReverseProxy("agent", types.NewURL(&url.URL{
+		Scheme: scheme,
+		Host:   host,
+	}), transport)
+	rp.ServeHTTP(w, r)
+}

agent/pkg/server/server.go

@@ -0,0 +1,44 @@
+package server
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+
+	"github.com/yusing/go-proxy/agent/pkg/env"
+	"github.com/yusing/go-proxy/agent/pkg/handler"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp/server"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+type Options struct {
+	CACert, ServerCert *tls.Certificate
+	Port               int
+}
+
+func StartAgentServer(parent task.Parent, opt Options) {
+	caCertPool := x509.NewCertPool()
+	caCertPool.AddCert(opt.CACert.Leaf)
+
+	// Configure TLS
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{*opt.ServerCert},
+		ClientCAs:    caCertPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	if env.AgentSkipClientCertCheck {
+		tlsConfig.ClientAuth = tls.NoClientCert
+	}
+
+	logger := logging.GetLogger()
+	agentServer := &http.Server{
+		Addr:      fmt.Sprintf(":%d", opt.Port),
+		Handler:   handler.NewAgentHandler(),
+		TLSConfig: tlsConfig,
+	}
+
+	server.Start(parent, agentServer, nil, logger)
+}

cmd/main.go

@@ -2,49 +2,50 @@ package main
 
 import (
 	"encoding/json"
-	"io"
 	"log"
 	"os"
-	"os/signal"
-	"syscall"
-	"time"
+	"sync"
 
-	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal"
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
-	"github.com/yusing/go-proxy/internal/api/v1/favicon"
 	"github.com/yusing/go-proxy/internal/api/v1/query"
+	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/homepage"
+	"github.com/yusing/go-proxy/internal/dnsproviders"
+	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/metrics/uptime"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
+	"github.com/yusing/go-proxy/internal/route/routes"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
 )
 
 var rawLogger = log.New(os.Stdout, "", 0)
 
-func init() {
-	var out io.Writer = os.Stderr
-	if common.EnableLogStreaming {
-		out = zerolog.MultiLevelWriter(out, v1.GetMemLogger())
+func parallel(fns ...func()) {
+	var wg sync.WaitGroup
+	for _, fn := range fns {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			fn()
+		}()
 	}
-	logging.InitLogger(out)
-	// logging.AddHook(v1.GetMemLogger())
+	wg.Wait()
 }
 
 func main() {
 	initProfiling()
-	args := common.GetArgs()
+	dnsproviders.InitProviders()
+	args := pkg.GetArgs(common.MainServerCommandValidator{})
 
 	switch args.Command {
 	case common.CommandReload:
 		if err := query.ReloadServer(); err != nil {
-			E.LogFatal("server reload error", err)
+			gperr.LogFatal("server reload error", err)
 		}
 		rawLogger.Println("ok")
 		return
@@ -74,9 +75,18 @@ func main() {
 	}
 
 	if args.Command == common.CommandStart {
+		logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
 		logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
 		logging.Trace().Msg("trace enabled")
-		// logging.AddHook(notif.GetDispatcher())
+		parallel(
+			internal.InitIconListCache,
+			systeminfo.Poller.Start,
+		)
+
+		if common.APIJWTSecret == nil {
+			logging.Warn().Msg("API_JWT_SECRET is not set, using random key")
+			common.APIJWTSecret = common.RandomJWTKey()
+		}
 	} else {
 		logging.DiscardLogger()
 	}
@@ -100,15 +110,16 @@ func main() {
 	middleware.LoadComposeFiles()
 
 	var cfg *config.Config
-	var err E.Error
+	var err gperr.Error
 	if cfg, err = config.Load(); err != nil {
-		E.LogWarn("errors in config", err)
+		gperr.LogWarn("errors in config", err)
+		err = nil
 	}
 
 	switch args.Command {
 	case common.CommandListRoutes:
 		cfg.StartProxyProviders()
-		printJSON(routequery.RoutesByAlias())
+		printJSON(routes.ByAlias())
 		return
 	case common.CommandListConfigs:
 		printJSON(cfg.Value())
@@ -121,10 +132,6 @@ func main() {
 		return
 	}
 
-	go internal.InitIconListCache()
-	go homepage.InitOverridesConfig()
-	go favicon.InitIconCache()
-
 	cfg.Start(&config.StartServersOptions{
 		Proxy: true,
 	})
@@ -136,19 +143,10 @@ func main() {
 		API: true,
 	})
 
+	uptime.Poller.Start()
 	config.WatchChanges()
 
-	sig := make(chan os.Signal, 1)
-	signal.Notify(sig, syscall.SIGINT)
-	signal.Notify(sig, syscall.SIGTERM)
-	signal.Notify(sig, syscall.SIGHUP)
-
-	// wait for signal
-	<-sig
-
-	// gracefully shutdown
-	logging.Info().Msg("shutting down")
-	_ = task.GracefulShutdown(time.Second * time.Duration(cfg.Value().TimeoutShutdown))
+	task.WaitExit(cfg.Value().TimeoutShutdown)
 }
 
 func prepareDirectory(dir string) {

cmd/pprof_production.go

@@ -1,4 +1,4 @@
-//go:build production
+//go:build !pprof
 
 package main
 

compose.example.yml

@@ -1,17 +1,20 @@
 ---
 services:
   frontend:
-    image: ghcr.io/yusing/godoxy-frontend:latest
+    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
     container_name: godoxy-frontend
     restart: unless-stopped
-    network_mode: host
+    network_mode: host # do not change this
     env_file: .env
     depends_on:
       - app
+    environment:
+      PORT: ${GODOXY_FRONTEND_PORT:-3000}
+
     # modify below to fit your needs
     labels:
-      proxy.aliases: godoxy
-      proxy.godoxy.port: 3000
+      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
+      proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
       # proxy.godoxy.middlewares.cidr_whitelist: |
       #   status: 403
       #   message: IP not allowed
@@ -21,16 +24,17 @@ services:
       #     - 192.168.0.0/16
       #     - 172.16.0.0/12
   app:
-    image: ghcr.io/yusing/godoxy:latest
+    image: ghcr.io/yusing/godoxy:${TAG:-latest}
     container_name: godoxy
     restart: always
-    network_mode: host
+    network_mode: host # do not change this
     env_file: .env
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
       - ./config:/app/config
       - ./logs:/app/logs
       - ./error_pages:/app/error_pages
+      - ./data:/app/data
 
       # To use autocert, certs will be stored in "./certs".
       # You can also use a docker volume to store it

config.example.yml

@@ -15,7 +15,26 @@
 #   options:
 #     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
 
-# 3. other providers, see https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
+# 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
+
+# acl:
+#   default: allow # or deny (default: allow)
+#   allow_local: true # or false (default: true)
+#   allow:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   deny:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
+#     buffer_size: 65536 # (default: 64KB)
+#     path: /app/logs/acl.log # (default: none)
+#     stdout: false # (default: false)
+#     keep: last 10 # (default: none)
 
 entrypoint:
   # Below define an example of middleware config
@@ -73,7 +92,15 @@ providers:
   #     url: https://discord.com/api/webhooks/...
   #     template: discord # this means use payload template from internal/notif/templates/discord.json
 
-# Check https://github.com/yusing/go-proxy/wiki/Certificates-and-domain-matching#domain-matching
+  # Proxmox providers (for idlesleep support for proxmox LXCs)
+  #
+  # proxmox:
+  #   - url: https://pve.domain.com:8006/api2/json
+  #     token_id: root@pam!abcdef
+  #     secret: aaaa-bbbb-cccc-dddd
+  #     no_tls_verify: true
+
+# Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
 # for explaination of `match_domains`
 #
 # match_domains:

go.mod

@@ -1,83 +1,254 @@
 module github.com/yusing/go-proxy
 
-go 1.23.6
+go 1.24.2
+
+replace github.com/yusing/go-proxy/agent => ./agent
+
+replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
 
 require (
-	github.com/PuerkitoBio/goquery v1.10.2 // parsing HTML for extract fav icon
-	github.com/coder/websocket v1.8.12 // websocket for API and agent
-	github.com/coreos/go-oidc/v3 v3.12.0 // oidc authentication
-	github.com/docker/cli v28.0.1+incompatible // docker CLI
-	github.com/docker/docker v28.0.1+incompatible // docker daemon
-	github.com/fsnotify/fsnotify v1.8.0 // file watcher
-	github.com/go-acme/lego/v4 v4.22.2 // acme client
-	github.com/go-playground/validator/v10 v10.25.0 // validator
+	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
+	github.com/coder/websocket v1.8.13 // websocket for API and agent
+	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
+	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/fsnotify/fsnotify v1.9.0 // file watcher
+	github.com/go-acme/lego/v4 v4.23.1 // acme client
+	github.com/go-playground/validator/v10 v10.26.0 // validator
 	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
-	github.com/golang-jwt/jwt/v5 v5.2.1 // jwt for default auth
 	github.com/gotify/server/v2 v2.6.1 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
-	github.com/prometheus/client_golang v1.21.0 // metrics
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // lock free map for concurrent operations
-	github.com/rs/zerolog v1.33.0 // logging
+	github.com/rs/zerolog v1.34.0 // logging
+	github.com/shirou/gopsutil/v4 v4.25.3 // system info metrics
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
-	golang.org/x/crypto v0.35.0 // encrypting password with bcrypt
-	golang.org/x/net v0.35.0 // HTTP header utilities
-	golang.org/x/oauth2 v0.27.0 // oauth2 authentication
-	golang.org/x/text v0.22.0 // string utilities
-	golang.org/x/time v0.10.0 // time utilities
-	gopkg.in/yaml.v3 v3.0.1 // yaml parsing for different config files
+	golang.org/x/crypto v0.37.0 // encrypting password with bcrypt
+	golang.org/x/net v0.39.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.29.0 // oauth2 authentication
+	golang.org/x/text v0.24.0 // string utilities
+	golang.org/x/time v0.11.0 // time utilities
+	gopkg.in/yaml.v3 v3.0.1 // indirect; yaml parsing for different config files
+)
+
+replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
+
+require (
+	github.com/docker/cli v28.1.1+incompatible
+	github.com/goccy/go-yaml v1.17.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/luthermonson/go-proxmox v0.2.2
+	github.com/oschwald/maxminddb-golang v1.13.1
+	github.com/quic-go/quic-go v0.51.0
+	github.com/samber/slog-zerolog/v2 v2.7.3
+	github.com/spf13/afero v1.14.0
+	github.com/stretchr/testify v1.10.0
+	github.com/yusing/go-proxy/agent v0.0.0-00010101000000-000000000000
+	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-00010101000000-000000000000
+	go.uber.org/atomic v1.11.0
 )
 
 require (
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+)
+
+replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
+
+require (
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.224 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/civo/civogo v0.3.99 // indirect
 	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.15 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect; indirectindirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gophercloud/gophercloud v1.14.1 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.146 // indirect
+	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
+	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
+	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/linode/linodego v1.49.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
+	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.63 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
+	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
+	github.com/nrdcg/desec v0.11.0 // indirect
+	github.com/nrdcg/freemyip v0.3.0 // indirect
+	github.com/nrdcg/goacmedns v0.2.0 // indirect
+	github.com/nrdcg/goinwx v0.11.0 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/namesilo v0.2.1 // indirect
+	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/nzdjb/go-metaname v1.0.0 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.89.2 // indirect
 	github.com/ovh/go-ovh v1.7.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/peterhellberg/link v1.2.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.9 // indirect
+	github.com/sacloud/iaas-api-go v1.14.0 // indirect
+	github.com/sacloud/packages-go v0.0.11 // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/samber/lo v1.49.1 // indirect
+	github.com/samber/slog-common v0.18.1 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
+	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
+	github.com/softlayer/softlayer-go v1.1.7 // indirect
+	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1151 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/transip/gotransip/v6 v6.26.0 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
+	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.206 // indirect
+	github.com/vultr/govultr/v3 v3.19.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver v1.17.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
-	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/tools v0.30.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.1 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/api v0.230.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250425173222-7b384671a197 // indirect
+	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.33.0 // indirect
+	k8s.io/apimachinery v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

internal/acl/city_cache.go

@@ -0,0 +1,37 @@
+package acl
+
+import (
+	"github.com/puzpuzpuz/xsync/v3"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+)
+
+var cityCache = xsync.NewMapOf[string, *acl.City]()
+
+func (cfg *MaxMindConfig) lookupCity(ip *acl.IPInfo) (*acl.City, bool) {
+	if ip.City != nil {
+		return ip.City, true
+	}
+
+	if cfg.db.Reader == nil {
+		return nil, false
+	}
+
+	city, ok := cityCache.Load(ip.Str)
+	if ok {
+		ip.City = city
+		return city, true
+	}
+
+	cfg.db.RLock()
+	defer cfg.db.RUnlock()
+
+	city = new(acl.City)
+	err := cfg.db.Lookup(ip.IP, city)
+	if err != nil {
+		return nil, false
+	}
+
+	cityCache.Store(ip.Str, city)
+	ip.City = city
+	return city, true
+}

internal/acl/config.go

@@ -0,0 +1,215 @@
+package acl
+
+import (
+	"net"
+	"sync"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/puzpuzpuz/xsync/v3"
+	"github.com/rs/zerolog"
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/accesslog"
+	"github.com/yusing/go-proxy/internal/task"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Config struct {
+	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
+	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
+	Allow      []string                   `json:"allow"`
+	Deny       []string                   `json:"deny"`
+	Log        *accesslog.ACLLoggerConfig `json:"log"`
+
+	MaxMind *MaxMindConfig `json:"maxmind" validate:"omitempty"`
+
+	config
+}
+
+type (
+	MaxMindDatabaseType string
+	MaxMindConfig       struct {
+		AccountID  string              `json:"account_id" validate:"required"`
+		LicenseKey string              `json:"license_key" validate:"required"`
+		Database   MaxMindDatabaseType `json:"database" validate:"required,oneof=geolite geoip2"`
+
+		logger     zerolog.Logger
+		lastUpdate time.Time
+		db         struct {
+			*maxminddb.Reader
+			sync.RWMutex
+		}
+	}
+)
+
+type config struct {
+	defaultAllow bool
+	allowLocal   bool
+	allow        []matcher
+	deny         []matcher
+	ipCache      *xsync.MapOf[string, *checkCache]
+	logAllowed   bool
+	logger       *accesslog.AccessLogger
+}
+
+type checkCache struct {
+	*acl.IPInfo
+	allow   bool
+	created time.Time
+}
+
+const cacheTTL = 1 * time.Minute
+
+func (c *checkCache) Expired() bool {
+	return c.created.Add(cacheTTL).Before(utils.TimeNow())
+}
+
+//TODO: add stats
+
+const (
+	ACLAllow = "allow"
+	ACLDeny  = "deny"
+)
+
+const (
+	MaxMindGeoLite MaxMindDatabaseType = "geolite"
+	MaxMindGeoIP2  MaxMindDatabaseType = "geoip2"
+)
+
+func (c *Config) Validate() gperr.Error {
+	switch c.Default {
+	case "", ACLAllow:
+		c.defaultAllow = true
+	case ACLDeny:
+		c.defaultAllow = false
+	default:
+		return gperr.New("invalid default value").Subject(c.Default)
+	}
+
+	if c.AllowLocal != nil {
+		c.allowLocal = *c.AllowLocal
+	} else {
+		c.allowLocal = true
+	}
+
+	if c.MaxMind != nil {
+		c.MaxMind.logger = logging.With().Str("type", string(c.MaxMind.Database)).Logger()
+	}
+
+	if c.Log != nil {
+		c.logAllowed = c.Log.LogAllowed
+	}
+
+	errs := gperr.NewBuilder("syntax error")
+	c.allow = make([]matcher, 0, len(c.Allow))
+	c.deny = make([]matcher, 0, len(c.Deny))
+
+	for _, s := range c.Allow {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.allow = append(c.allow, m)
+	}
+	for _, s := range c.Deny {
+		m, err := c.parseMatcher(s)
+		if err != nil {
+			errs.Add(err.Subject(s))
+			continue
+		}
+		c.deny = append(c.deny, m)
+	}
+
+	if errs.HasError() {
+		c.allow = nil
+		c.deny = nil
+		return errMatcherFormat.With(errs.Error())
+	}
+
+	c.ipCache = xsync.NewMapOf[string, *checkCache]()
+	return nil
+}
+
+func (c *Config) Valid() bool {
+	return c != nil && (len(c.allow) > 0 || len(c.deny) > 0 || c.allowLocal)
+}
+
+func (c *Config) Start(parent *task.Task) gperr.Error {
+	if c.MaxMind != nil {
+		if err := c.MaxMind.LoadMaxMindDB(parent); err != nil {
+			return err
+		}
+	}
+	if c.Log != nil {
+		logger, err := accesslog.NewAccessLogger(parent, c.Log)
+		if err != nil {
+			return gperr.New("failed to start access logger").With(err)
+		}
+		c.logger = logger
+	}
+	return nil
+}
+
+func (c *config) cacheRecord(info *acl.IPInfo, allow bool) {
+	c.ipCache.Store(info.Str, &checkCache{
+		IPInfo:  info,
+		allow:   allow,
+		created: utils.TimeNow(),
+	})
+}
+
+func (c *config) log(info *acl.IPInfo, allowed bool) {
+	if c.logger == nil {
+		return
+	}
+	if !allowed || c.logAllowed {
+		c.logger.LogACL(info, !allowed)
+	}
+}
+
+func (c *Config) IPAllowed(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// always allow private and loopback
+	// loopback is not logged
+	if ip.IsLoopback() {
+		return true
+	}
+
+	if c.allowLocal && ip.IsPrivate() {
+		c.log(&acl.IPInfo{IP: ip, Str: ip.String()}, true)
+		return true
+	}
+
+	ipStr := ip.String()
+	record, ok := c.ipCache.Load(ipStr)
+	if ok && !record.Expired() {
+		c.log(record.IPInfo, record.allow)
+		return record.allow
+	}
+
+	ipAndStr := &acl.IPInfo{IP: ip, Str: ipStr}
+	for _, m := range c.allow {
+		if m(ipAndStr) {
+			c.log(ipAndStr, true)
+			c.cacheRecord(ipAndStr, true)
+			return true
+		}
+	}
+	for _, m := range c.deny {
+		if m(ipAndStr) {
+			c.log(ipAndStr, false)
+			c.cacheRecord(ipAndStr, false)
+			return false
+		}
+	}
+
+	c.log(ipAndStr, c.defaultAllow)
+	c.cacheRecord(ipAndStr, c.defaultAllow)
+	return c.defaultAllow
+}

internal/acl/matcher.go

@@ -0,0 +1,99 @@
+package acl
+
+import (
+	"net"
+	"strings"
+
+	acl "github.com/yusing/go-proxy/internal/acl/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type matcher func(*acl.IPInfo) bool
+
+const (
+	MatcherTypeIP       = "ip"
+	MatcherTypeCIDR     = "cidr"
+	MatcherTypeTimeZone = "tz"
+	MatcherTypeCountry  = "country"
+)
+
+var errMatcherFormat = gperr.Multiline().AddLines(
+	"invalid matcher format, expect {type}:{value}",
+	"Available types: ip|cidr|tz|country",
+	"ip:127.0.0.1",
+	"cidr:127.0.0.0/8",
+	"tz:Asia/Shanghai",
+	"country:GB",
+)
+var (
+	errSyntax               = gperr.New("syntax error")
+	errInvalidIP            = gperr.New("invalid IP")
+	errInvalidCIDR          = gperr.New("invalid CIDR")
+	errMaxMindNotConfigured = gperr.New("MaxMind not configured")
+)
+
+func (cfg *Config) parseMatcher(s string) (matcher, gperr.Error) {
+	parts := strings.Split(s, ":")
+	if len(parts) != 2 {
+		return nil, errSyntax
+	}
+
+	switch parts[0] {
+	case MatcherTypeIP:
+		ip := net.ParseIP(parts[1])
+		if ip == nil {
+			return nil, errInvalidIP
+		}
+		return matchIP(ip), nil
+	case MatcherTypeCIDR:
+		_, net, err := net.ParseCIDR(parts[1])
+		if err != nil {
+			return nil, errInvalidCIDR
+		}
+		return matchCIDR(net), nil
+	case MatcherTypeTimeZone:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchTimeZone(parts[1]), nil
+	case MatcherTypeCountry:
+		if cfg.MaxMind == nil {
+			return nil, errMaxMindNotConfigured
+		}
+		return cfg.MaxMind.matchISOCode(parts[1]), nil
+	default:
+		return nil, errSyntax
+	}
+}
+
+func matchIP(ip net.IP) matcher {
+	return func(ip2 *acl.IPInfo) bool {
+		return ip.Equal(ip2.IP)
+	}
+}
+
+func matchCIDR(n *net.IPNet) matcher {
+	return func(ip *acl.IPInfo) bool {
+		return n.Contains(ip.IP)
+	}
+}
+
+func (cfg *MaxMindConfig) matchTimeZone(tz string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Location.TimeZone == tz
+	}
+}
+
+func (cfg *MaxMindConfig) matchISOCode(iso string) matcher {
+	return func(ip *acl.IPInfo) bool {
+		city, ok := cfg.lookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Country.IsoCode == iso
+	}
+}

internal/acl/maxmind.go

@@ -0,0 +1,281 @@
+package acl
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+var (
+	updateInterval = 24 * time.Hour
+	httpClient     = &http.Client{
+		Timeout: 10 * time.Second,
+	}
+	ErrResponseNotOK   = gperr.New("response not OK")
+	ErrDownloadFailure = gperr.New("download failure")
+)
+
+func dbPathImpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return filepath.Join(dataDir, "GeoLite2-City.mmdb")
+	}
+	return filepath.Join(dataDir, "GeoIP2-City.mmdb")
+}
+
+func dbURLimpl(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
+	}
+	return "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"
+}
+
+func dbFilename(dbType MaxMindDatabaseType) string {
+	if dbType == MaxMindGeoLite {
+		return "GeoLite2-City.mmdb"
+	}
+	return "GeoIP2-City.mmdb"
+}
+
+func (cfg *MaxMindConfig) LoadMaxMindDB(parent task.Parent) gperr.Error {
+	if cfg.Database == "" {
+		return nil
+	}
+
+	path := dbPath(cfg.Database)
+	reader, err := maxmindDBOpen(path)
+	exists := true
+	if err != nil {
+		switch {
+		case errors.Is(err, os.ErrNotExist):
+		default:
+			// ignore invalid error, just download it again
+			var invalidErr maxminddb.InvalidDatabaseError
+			if !errors.As(err, &invalidErr) {
+				return gperr.Wrap(err)
+			}
+		}
+		exists = false
+	}
+
+	if !exists {
+		cfg.logger.Info().Msg("MaxMind DB not found/invalid, downloading...")
+		reader, err = cfg.download()
+		if err != nil {
+			return ErrDownloadFailure.With(err)
+		}
+	}
+	cfg.logger.Info().Msg("MaxMind DB loaded")
+
+	cfg.db.Reader = reader
+	go cfg.scheduleUpdate(parent)
+	return nil
+}
+
+func (cfg *MaxMindConfig) loadLastUpdate() {
+	f, err := os.Stat(dbPath(cfg.Database))
+	if err != nil {
+		return
+	}
+	cfg.lastUpdate = f.ModTime()
+}
+
+func (cfg *MaxMindConfig) setLastUpdate(t time.Time) {
+	cfg.lastUpdate = t
+	_ = os.Chtimes(dbPath(cfg.Database), t, t)
+}
+
+func (cfg *MaxMindConfig) scheduleUpdate(parent task.Parent) {
+	task := parent.Subtask("schedule_update", true)
+	ticker := time.NewTicker(updateInterval)
+
+	cfg.loadLastUpdate()
+	cfg.update()
+
+	defer func() {
+		ticker.Stop()
+		if cfg.db.Reader != nil {
+			cfg.db.Reader.Close()
+		}
+		task.Finish(nil)
+	}()
+
+	for {
+		select {
+		case <-task.Context().Done():
+			return
+		case <-ticker.C:
+			cfg.update()
+		}
+	}
+}
+
+func (cfg *MaxMindConfig) update() {
+	// check for update
+	cfg.logger.Info().Msg("checking for MaxMind DB update...")
+	remoteLastModified, err := cfg.checkLastest()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to check MaxMind DB update")
+		return
+	}
+	if remoteLastModified.Equal(cfg.lastUpdate) {
+		cfg.logger.Info().Msg("MaxMind DB is up to date")
+		return
+	}
+
+	cfg.logger.Info().
+		Time("latest", remoteLastModified.Local()).
+		Time("current", cfg.lastUpdate).
+		Msg("MaxMind DB update available")
+	reader, err := cfg.download()
+	if err != nil {
+		cfg.logger.Err(err).Msg("failed to update MaxMind DB")
+		return
+	}
+	cfg.db.Lock()
+	cfg.db.Close()
+	cfg.db.Reader = reader
+	cfg.setLastUpdate(*remoteLastModified)
+	cfg.db.Unlock()
+
+	cfg.logger.Info().Msg("MaxMind DB updated")
+}
+
+func (cfg *MaxMindConfig) newReq(method string) (*http.Response, error) {
+	req, err := http.NewRequest(method, dbURL(cfg.Database), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.SetBasicAuth(cfg.AccountID, cfg.LicenseKey)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+func (cfg *MaxMindConfig) checkLastest() (lastModifiedT *time.Time, err error) {
+	resp, err := newReq(cfg, http.MethodHead)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	lastModified := resp.Header.Get("Last-Modified")
+	if lastModified == "" {
+		cfg.logger.Warn().Msg("MaxMind responded no last modified time, update skipped")
+		return nil, nil
+	}
+
+	lastModifiedTime, err := time.Parse(http.TimeFormat, lastModified)
+	if err != nil {
+		cfg.logger.Warn().Err(err).Msg("MaxMind responded invalid last modified time, update skipped")
+		return nil, err
+	}
+
+	return &lastModifiedTime, nil
+}
+
+func (cfg *MaxMindConfig) download() (*maxminddb.Reader, error) {
+	resp, err := newReq(cfg, http.MethodGet)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%w: %d", ErrResponseNotOK, resp.StatusCode)
+	}
+
+	path := dbPath(cfg.Database)
+	tmpPath := path + "-tmp.tar.gz"
+	file, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.logger.Info().Msg("MaxMind DB downloading...")
+
+	_, err = io.Copy(file, resp.Body)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	file.Close()
+
+	// extract .tar.gz and move only the dbFilename to path
+	err = extractFileFromTarGz(tmpPath, dbFilename(cfg.Database), path)
+	if err != nil {
+		return nil, gperr.New("failed to extract database from archive").With(err)
+	}
+	// cleanup the tar.gz file
+	_ = os.Remove(tmpPath)
+
+	db, err := maxmindDBOpen(path)
+	if err != nil {
+		return nil, err
+	}
+	return db, nil
+}
+
+func extractFileFromTarGz(tarGzPath, targetFilename, destPath string) error {
+	f, err := os.Open(tarGzPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	gzr, err := gzip.NewReader(f)
+	if err != nil {
+		return err
+	}
+	defer gzr.Close()
+
+	tr := tar.NewReader(gzr)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return err
+		}
+		// Only extract the file that matches targetFilename (basename match)
+		if filepath.Base(hdr.Name) == targetFilename {
+			outFile, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode())
+			if err != nil {
+				return err
+			}
+			defer outFile.Close()
+			_, err = io.Copy(outFile, tr)
+			if err != nil {
+				return err
+			}
+			return nil // Done
+		}
+	}
+	return fmt.Errorf("file %s not found in archive", targetFilename)
+}
+
+var (
+	dataDir       = common.DataDir
+	dbURL         = dbURLimpl
+	dbPath        = dbPathImpl
+	maxmindDBOpen = maxminddb.Open
+	newReq        = (*MaxMindConfig).newReq
+)

internal/acl/maxmind_test.go

@@ -0,0 +1,213 @@
+package acl
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang"
+	"github.com/rs/zerolog"
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+func Test_dbPath(t *testing.T) {
+	tmpDataDir := "/tmp/testdata"
+	oldDataDir := dataDir
+	dataDir = tmpDataDir
+	defer func() { dataDir = oldDataDir }()
+
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, filepath.Join(tmpDataDir, "GeoLite2-City.mmdb")},
+		{"GeoIP2", MaxMindGeoIP2, filepath.Join(tmpDataDir, "GeoIP2-City.mmdb")},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbPath(tt.dbType); got != tt.want {
+				t.Errorf("dbPath() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_dbURL(t *testing.T) {
+	tests := []struct {
+		name   string
+		dbType MaxMindDatabaseType
+		want   string
+	}{
+		{"GeoLite", MaxMindGeoLite, "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"},
+		{"GeoIP2", MaxMindGeoIP2, "https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbURL(tt.dbType); got != tt.want {
+				t.Errorf("dbURL() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+// --- Helper for MaxMindConfig ---
+type testLogger struct{ zerolog.Logger }
+
+func (testLogger) Info() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Warn() *zerolog.Event       { return &zerolog.Event{} }
+func (testLogger) Err(_ error) *zerolog.Event { return &zerolog.Event{} }
+
+func Test_MaxMindConfig_newReq(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "testid",
+		LicenseKey: "testkey",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+
+	// Patch httpClient to use httptest
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if u, p, ok := r.BasicAuth(); !ok || u != "testid" || p != "testkey" {
+			t.Errorf("basic auth not set correctly")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	resp, err := cfg.newReq(http.MethodGet)
+	if err != nil {
+		t.Fatalf("newReq() error = %v", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("unexpected status: %v", resp.StatusCode)
+	}
+}
+
+func Test_MaxMindConfig_checkUpdate(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	lastMod := time.Now().UTC().Format(http.TimeFormat)
+	buildTime := time.Now().Add(-time.Hour)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Last-Modified", lastMod)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	latest, err := cfg.checkLastest()
+	if err != nil {
+		t.Fatalf("checkUpdate() error = %v", err)
+	}
+	if latest.Equal(buildTime) {
+		t.Errorf("expected update needed")
+	}
+}
+
+type fakeReadCloser struct {
+	firstRead bool
+	closed    bool
+}
+
+func (c *fakeReadCloser) Read(p []byte) (int, error) {
+	if !c.firstRead {
+		c.firstRead = true
+		return strings.NewReader("FAKEMMDB").Read(p)
+	}
+	return 0, io.EOF
+}
+
+func (c *fakeReadCloser) Close() error {
+	c.closed = true
+	return nil
+}
+
+func Test_MaxMindConfig_download(t *testing.T) {
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.Copy(w, strings.NewReader("FAKEMMDB"))
+	}))
+	defer server.Close()
+	oldURL := dbURL
+	dbURL = func(MaxMindDatabaseType) string { return server.URL }
+	defer func() { dbURL = oldURL }()
+
+	tmpDir := t.TempDir()
+	oldDataDir := dataDir
+	dataDir = tmpDir
+	defer func() { dataDir = oldDataDir }()
+
+	// Patch maxminddb.Open to always succeed
+	origOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = origOpen }()
+
+	rw := &fakeReadCloser{}
+	oldNewReq := newReq
+	newReq = func(cfg *MaxMindConfig, method string) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Body:       rw,
+		}, nil
+	}
+	defer func() { newReq = oldNewReq }()
+
+	db, err := cfg.download()
+	if err != nil {
+		t.Fatalf("download() error = %v", err)
+	}
+	if db == nil {
+		t.Error("expected db instance")
+	}
+	if !rw.closed {
+		t.Error("expected rw to be closed")
+	}
+}
+
+func Test_MaxMindConfig_loadMaxMindDB(t *testing.T) {
+	// This test should cover both the path where DB exists and where it does not
+	// For brevity, only the non-existing path is tested here
+	cfg := &MaxMindConfig{
+		AccountID:  "id",
+		LicenseKey: "key",
+		Database:   MaxMindGeoLite,
+		logger:     zerolog.Nop(),
+	}
+	oldOpen := maxmindDBOpen
+	maxmindDBOpen = func(path string) (*maxminddb.Reader, error) {
+		return &maxminddb.Reader{}, nil
+	}
+	defer func() { maxmindDBOpen = oldOpen }()
+
+	oldDBPath := dbPath
+	dbPath = func(MaxMindDatabaseType) string { return filepath.Join(t.TempDir(), "maxmind.mmdb") }
+	defer func() { dbPath = oldDBPath }()
+
+	task := task.RootTask("test")
+	defer task.Finish(nil)
+	err := cfg.LoadMaxMindDB(task)
+	if err != nil {
+		t.Errorf("loadMaxMindDB() error = %v", err)
+	}
+}

internal/acl/tcp_listener.go

@@ -0,0 +1,59 @@
+package acl
+
+import (
+	"io"
+	"net"
+	"time"
+)
+
+type TCPListener struct {
+	acl *Config
+	lis net.Listener
+}
+
+type noConn struct{}
+
+func (noConn) Read(b []byte) (int, error)         { return 0, io.EOF }
+func (noConn) Write(b []byte) (int, error)        { return 0, io.EOF }
+func (noConn) Close() error                       { return nil }
+func (noConn) LocalAddr() net.Addr                { return nil }
+func (noConn) RemoteAddr() net.Addr               { return nil }
+func (noConn) SetDeadline(t time.Time) error      { return nil }
+func (noConn) SetReadDeadline(t time.Time) error  { return nil }
+func (noConn) SetWriteDeadline(t time.Time) error { return nil }
+
+func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
+	if cfg == nil {
+		return lis
+	}
+	return &TCPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *TCPListener) Addr() net.Addr {
+	return s.lis.Addr()
+}
+
+func (s *TCPListener) Accept() (net.Conn, error) {
+	c, err := s.lis.Accept()
+	if err != nil {
+		return nil, err
+	}
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		// Not a TCPAddr, drop
+		c.Close()
+		return noConn{}, nil
+	}
+	if !s.acl.IPAllowed(addr.IP) {
+		c.Close()
+		return noConn{}, nil
+	}
+	return c, nil
+}
+
+func (s *TCPListener) Close() error {
+	return s.lis.Close()
+}

internal/acl/types/city_info.go

@@ -0,0 +1,10 @@
+package acl
+
+type City struct {
+	Location struct {
+		TimeZone string `maxminddb:"time_zone"`
+	} `maxminddb:"location"`
+	Country struct {
+		IsoCode string `maxminddb:"iso_code"`
+	} `maxminddb:"country"`
+}

internal/acl/types/ip_info.go

@@ -0,0 +1,9 @@
+package acl
+
+import "net"
+
+type IPInfo struct {
+	IP   net.IP
+	Str  string
+	City *City
+}

internal/acl/udp_listener.go

@@ -0,0 +1,79 @@
+package acl
+
+import (
+	"net"
+	"time"
+)
+
+type UDPListener struct {
+	acl *Config
+	lis net.PacketConn
+}
+
+func (cfg *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if cfg == nil {
+		return lis
+	}
+	return &UDPListener{
+		acl: cfg,
+		lis: lis,
+	}
+}
+
+func (s *UDPListener) LocalAddr() net.Addr {
+	return s.lis.LocalAddr()
+}
+
+func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
+	for {
+		n, addr, err := s.lis.ReadFrom(p)
+		if err != nil {
+			return n, addr, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet from disallowed IP
+			continue
+		}
+		return n, addr, nil
+	}
+}
+
+func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
+	for {
+		n, err := s.lis.WriteTo(p, addr)
+		if err != nil {
+			return n, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet to disallowed IP
+			continue
+		}
+		return n, nil
+	}
+}
+
+func (s *UDPListener) SetDeadline(t time.Time) error {
+	return s.lis.SetDeadline(t)
+}
+
+func (s *UDPListener) SetReadDeadline(t time.Time) error {
+	return s.lis.SetReadDeadline(t)
+}
+
+func (s *UDPListener) SetWriteDeadline(t time.Time) error {
+	return s.lis.SetWriteDeadline(t)
+}
+
+func (s *UDPListener) Close() error {
+	return s.lis.Close()
+}

internal/api/handler.go

@@ -1,70 +1,104 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
 
-	"github.com/prometheus/client_golang/prometheus/promhttp"
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
+	"github.com/yusing/go-proxy/internal/api/v1/certapi"
+	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
 	"github.com/yusing/go-proxy/internal/api/v1/favicon"
-	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/auth"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/metrics/uptime"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/go-proxy/pkg"
 )
 
-type ServeMux struct{ *http.ServeMux }
+type (
+	ServeMux struct {
+		*http.ServeMux
+		cfg config.ConfigInstance
+	}
+	WithCfgHandler = func(config.ConfigInstance, http.ResponseWriter, *http.Request)
+)
 
-func (mux ServeMux) HandleFunc(methods, endpoint string, handler http.HandlerFunc) {
-	for _, m := range strutils.CommaSeperatedList(methods) {
-		mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
+func (mux ServeMux) HandleFunc(methods, endpoint string, h any, requireAuth ...bool) {
+	var handler http.HandlerFunc
+	switch h := h.(type) {
+	case func(http.ResponseWriter, *http.Request):
+		handler = h
+	case http.Handler:
+		handler = h.ServeHTTP
+	case WithCfgHandler:
+		handler = func(w http.ResponseWriter, r *http.Request) {
+			h(mux.cfg, w, r)
+		}
+	default:
+		panic(fmt.Errorf("unsupported handler type: %T", h))
+	}
+
+	matchDomains := mux.cfg.Value().MatchDomains
+	if len(matchDomains) > 0 {
+		origHandler := handler
+		handler = func(w http.ResponseWriter, r *http.Request) {
+			if httpheaders.IsWebsocket(r.Header) {
+				httpheaders.SetWebsocketAllowedDomains(r.Header, matchDomains)
+			}
+			origHandler(w, r)
+		}
+	}
+
+	if len(requireAuth) > 0 && requireAuth[0] {
+		handler = auth.RequireAuth(handler)
+	}
+	if methods == "" {
+		mux.ServeMux.HandleFunc(endpoint, handler)
+	} else {
+		for _, m := range strutils.CommaSeperatedList(methods) {
+			mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
+		}
 	}
 }
 
 func NewHandler(cfg config.ConfigInstance) http.Handler {
-	mux := ServeMux{http.NewServeMux()}
+	mux := ServeMux{http.NewServeMux(), cfg}
 	mux.HandleFunc("GET", "/v1", v1.Index)
-	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
-	mux.HandleFunc("POST", "/v1/reload", useCfg(cfg, v1.Reload))
-	mux.HandleFunc("GET", "/v1/list", auth.RequireAuth(useCfg(cfg, v1.List)))
-	mux.HandleFunc("GET", "/v1/list/{what}", auth.RequireAuth(useCfg(cfg, v1.List)))
-	mux.HandleFunc("GET", "/v1/list/{what}/{which}", auth.RequireAuth(useCfg(cfg, v1.List)))
-	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.GetFileContent))
-	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.SetFileContent))
-	mux.HandleFunc("POST", "/v1/file/validate/{type}", auth.RequireAuth(v1.ValidateFile))
-	mux.HandleFunc("GET", "/v1/stats", useCfg(cfg, v1.Stats))
-	mux.HandleFunc("GET", "/v1/stats/ws", useCfg(cfg, v1.StatsWS))
-	mux.HandleFunc("GET", "/v1/health/ws", auth.RequireAuth(useCfg(cfg, v1.HealthWS)))
-	mux.HandleFunc("GET", "/v1/logs/ws", auth.RequireAuth(useCfg(cfg, v1.LogsWS())))
-	mux.HandleFunc("GET", "/v1/favicon", auth.RequireAuth(favicon.GetFavIcon))
-	mux.HandleFunc("POST", "/v1/homepage/set", auth.RequireAuth(v1.SetHomePageOverrides))
+	mux.HandleFunc("GET", "/v1/version", pkg.GetVersionHTTPHandler())
 
-	if common.PrometheusEnabled {
-		mux.Handle("GET /v1/metrics", promhttp.Handler())
-		logging.Info().Msg("prometheus metrics enabled")
-	}
+	mux.HandleFunc("GET", "/v1/stats", v1.Stats, true)
+	mux.HandleFunc("POST", "/v1/reload", v1.Reload, true)
+	mux.HandleFunc("GET", "/v1/list", v1.List, true)
+	mux.HandleFunc("GET", "/v1/list/{what}", v1.List, true)
+	mux.HandleFunc("GET", "/v1/list/{what}/{which}", v1.List, true)
+	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", v1.GetFileContent, true)
+	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", v1.SetFileContent, true)
+	mux.HandleFunc("POST", "/v1/file/validate/{type}", v1.ValidateFile, true)
+	mux.HandleFunc("GET", "/v1/health", v1.Health, true)
+	mux.HandleFunc("GET", "/v1/logs", memlogger.Handler(), true)
+	mux.HandleFunc("GET", "/v1/favicon", favicon.GetFavIcon, true)
+	mux.HandleFunc("POST", "/v1/homepage/set", v1.SetHomePageOverrides, true)
+	mux.HandleFunc("GET", "/v1/agents", v1.ListAgents, true)
+	mux.HandleFunc("GET", "/v1/agents/new", v1.NewAgent, true)
+	mux.HandleFunc("POST", "/v1/agents/verify", v1.VerifyNewAgent, true)
+	mux.HandleFunc("GET", "/v1/metrics/system_info", v1.SystemInfo, true)
+	mux.HandleFunc("GET", "/v1/metrics/uptime", uptime.Poller.ServeHTTP, true)
+	mux.HandleFunc("GET", "/v1/cert/info", certapi.GetCertInfo, true)
+	mux.HandleFunc("", "/v1/cert/renew", certapi.RenewCert, true)
+	mux.HandleFunc("GET", "/v1/docker/info", dockerapi.DockerInfo, true)
+	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
+	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)
 
 	defaultAuth := auth.GetDefaultAuth()
-	if defaultAuth != nil {
-		mux.HandleFunc("GET", "/v1/auth/redirect", defaultAuth.RedirectLoginPage)
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			if err := defaultAuth.CheckToken(r); err != nil {
-				http.Error(w, err.Error(), http.StatusUnauthorized)
-				return
-			}
-		})
-		mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.LoginCallbackHandler)
-		mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutCallbackHandler)
-	} else {
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-		})
+	if defaultAuth == nil {
+		return mux
 	}
+
+	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/redirect", defaultAuth.LoginHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
+	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
 	return mux
 }
-
-func useCfg(cfg config.ConfigInstance, handler func(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request)) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		handler(cfg, w, r)
-	}
-}

internal/api/v1/agents.go

@@ -0,0 +1,24 @@
+package v1
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+)
+
+func ListAgents(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 10*time.Second, func(conn *websocket.Conn) error {
+			wsjson.Write(r.Context(), conn, cfg.ListAgents())
+			return nil
+		})
+	} else {
+		gphttp.RespondJSON(w, r, cfg.ListAgents())
+	}
+}

internal/api/v1/auth/oidc.go

@@ -1,274 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-	"slices"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	CE "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"golang.org/x/oauth2"
-)
-
-type OIDCProvider struct {
-	oauthConfig   *oauth2.Config
-	oidcProvider  *oidc.Provider
-	oidcVerifier  *oidc.IDTokenVerifier
-	oidcLogoutURL *url.URL
-	allowedUsers  []string
-	allowedGroups []string
-	isMiddleware  bool
-}
-
-const CookieOauthState = "godoxy_oidc_state"
-
-const (
-	OIDCMiddlewareCallbackPath = "/auth/callback"
-	OIDCLogoutPath             = "/auth/logout"
-)
-
-func NewOIDCProvider(issuerURL, clientID, clientSecret, redirectURL, logoutURL string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
-	if len(allowedUsers)+len(allowedGroups) == 0 {
-		return nil, errors.New("OIDC users, groups, or both must not be empty")
-	}
-
-	var logout *url.URL
-	var err error
-	if logoutURL != "" {
-		logout, err = url.Parse(logoutURL)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse logout URL: %w", err)
-		}
-	}
-
-	provider, err := oidc.NewProvider(context.Background(), issuerURL)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
-	}
-
-	return &OIDCProvider{
-		oauthConfig: &oauth2.Config{
-			ClientID:     clientID,
-			ClientSecret: clientSecret,
-			RedirectURL:  redirectURL,
-			Endpoint:     provider.Endpoint(),
-			Scopes:       strutils.CommaSeperatedList(common.OIDCScopes),
-		},
-		oidcProvider: provider,
-		oidcVerifier: provider.Verifier(&oidc.Config{
-			ClientID: clientID,
-		}),
-		oidcLogoutURL: logout,
-		allowedUsers:  allowedUsers,
-		allowedGroups: allowedGroups,
-	}, nil
-}
-
-// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
-func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
-	return NewOIDCProvider(
-		common.OIDCIssuerURL,
-		common.OIDCClientID,
-		common.OIDCClientSecret,
-		common.OIDCRedirectURL,
-		common.OIDCLogoutURL,
-		common.OIDCAllowedUsers,
-		common.OIDCAllowedGroups,
-	)
-}
-
-func (auth *OIDCProvider) TokenCookieName() string {
-	return "godoxy_oidc_token"
-}
-
-func (auth *OIDCProvider) SetIsMiddleware(enabled bool) {
-	auth.isMiddleware = enabled
-	auth.oauthConfig.RedirectURL = ""
-}
-
-func (auth *OIDCProvider) SetAllowedUsers(users []string) {
-	auth.allowedUsers = users
-}
-
-func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
-	auth.allowedGroups = groups
-}
-
-func (auth *OIDCProvider) CheckToken(r *http.Request) error {
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		return ErrMissingToken
-	}
-
-	// checks for Expiry, Audience == ClientID, Issuer, etc.
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), token.Value)
-	if err != nil {
-		return fmt.Errorf("failed to verify ID token: %w: %w", ErrInvalidToken, err)
-	}
-
-	if len(idToken.Audience) == 0 {
-		return ErrInvalidToken
-	}
-
-	var claims struct {
-		Email    string   `json:"email"`
-		Username string   `json:"preferred_username"`
-		Groups   []string `json:"groups"`
-	}
-	if err := idToken.Claims(&claims); err != nil {
-		return fmt.Errorf("failed to parse claims: %w", err)
-	}
-
-	// Logical AND between allowed users and groups.
-	allowedUser := slices.Contains(auth.allowedUsers, claims.Username)
-	allowedGroup := len(CE.Intersect(claims.Groups, auth.allowedGroups)) > 0
-	if !allowedUser && !allowedGroup {
-		return ErrUserNotAllowed.Subject(claims.Username)
-	}
-	return nil
-}
-
-// generateState generates a random string for OIDC state.
-const oidcStateLength = 32
-
-func generateState() (string, error) {
-	b := make([]byte, oidcStateLength)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength], nil
-}
-
-// RedirectOIDC initiates the OIDC login flow.
-func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	state, err := generateState()
-	if err != nil {
-		U.HandleErr(w, r, err, http.StatusInternalServerError)
-		return
-	}
-	http.SetCookie(w, &http.Cookie{
-		Name:     CookieOauthState,
-		Value:    state,
-		MaxAge:   300,
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   true,
-		Path:     "/",
-	})
-
-	redirURL := auth.oauthConfig.AuthCodeURL(state)
-	if auth.isMiddleware {
-		u, err := r.URL.Parse(redirURL)
-		if err != nil {
-			U.HandleErr(w, r, err, http.StatusInternalServerError)
-			return
-		}
-		q := u.Query()
-		q.Set("redirect_uri", "https://"+r.Host+OIDCMiddlewareCallbackPath+q.Get("redirect_uri"))
-		u.RawQuery = q.Encode()
-		redirURL = u.String()
-	}
-	http.Redirect(w, r, redirURL, http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) exchange(r *http.Request) (*oauth2.Token, error) {
-	if auth.isMiddleware {
-		cfg := *auth.oauthConfig
-		cfg.RedirectURL = "https://" + r.Host + OIDCMiddlewareCallbackPath
-		return cfg.Exchange(r.Context(), r.URL.Query().Get("code"))
-	}
-	return auth.oauthConfig.Exchange(r.Context(), r.URL.Query().Get("code"))
-}
-
-// OIDCCallbackHandler handles the OIDC callback.
-func (auth *OIDCProvider) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	// For testing purposes, skip provider verification
-	if common.IsTest {
-		auth.handleTestCallback(w, r)
-		return
-	}
-
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		U.HandleErr(w, r, E.New("missing state cookie"), http.StatusBadRequest)
-		return
-	}
-
-	query := r.URL.Query()
-	if query.Get("state") != state.Value {
-		U.HandleErr(w, r, E.New("invalid oauth state"), http.StatusBadRequest)
-		return
-	}
-
-	oauth2Token, err := auth.exchange(r)
-	if err != nil {
-		U.HandleErr(w, r, fmt.Errorf("failed to exchange token: %w", err), http.StatusInternalServerError)
-		return
-	}
-
-	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
-	if !ok {
-		U.HandleErr(w, r, E.New("missing id_token"), http.StatusInternalServerError)
-		return
-	}
-
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), rawIDToken)
-	if err != nil {
-		U.HandleErr(w, r, fmt.Errorf("failed to verify ID token: %w", err), http.StatusInternalServerError)
-		return
-	}
-
-	setTokenCookie(w, r, auth.TokenCookieName(), rawIDToken, time.Until(idToken.Expiry))
-
-	// Redirect to home page
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	if auth.oidcLogoutURL == nil {
-		DefaultLogoutCallbackHandler(auth, w, r)
-		return
-	}
-
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		U.HandleErr(w, r, E.New("missing token cookie"), http.StatusBadRequest)
-		return
-	}
-	clearTokenCookie(w, r, auth.TokenCookieName())
-
-	logoutURL := *auth.oidcLogoutURL
-	logoutURL.Query().Add("id_token_hint", token.Value)
-
-	http.Redirect(w, r, logoutURL.String(), http.StatusFound)
-}
-
-// handleTestCallback handles OIDC callback in test environment.
-func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		U.HandleErr(w, r, E.New("missing state cookie"), http.StatusBadRequest)
-		return
-	}
-
-	if r.URL.Query().Get("state") != state.Value {
-		U.HandleErr(w, r, E.New("invalid oauth state"), http.StatusBadRequest)
-		return
-	}
-
-	// Create test JWT token
-	setTokenCookie(w, r, auth.TokenCookieName(), "test", time.Hour)
-
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}

internal/api/v1/auth/provider.go

@@ -1,13 +0,0 @@
-package auth
-
-import (
-	"net/http"
-)
-
-type Provider interface {
-	TokenCookieName() string
-	CheckToken(r *http.Request) error
-	RedirectLoginPage(w http.ResponseWriter, r *http.Request)
-	LoginCallbackHandler(w http.ResponseWriter, r *http.Request)
-	LogoutCallbackHandler(w http.ResponseWriter, r *http.Request)
-}

internal/api/v1/auth/utils.go

@@ -1,69 +0,0 @@
-package auth
-
-import (
-	"net"
-	"net/http"
-	"time"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-var (
-	ErrMissingToken   = E.New("missing token")
-	ErrInvalidToken   = E.New("invalid token")
-	ErrUserNotAllowed = E.New("user not allowed")
-)
-
-// cookieFQDN returns the fully qualified domain name of the request host
-// with subdomain stripped.
-//
-// If the request host does not have a subdomain,
-// an empty string is returned
-//
-//	"abc.example.com" -> "example.com"
-//	"example.com" -> ""
-func cookieFQDN(r *http.Request) string {
-	host, _, err := net.SplitHostPort(r.Host)
-	if err != nil {
-		host = r.Host
-	}
-	parts := strutils.SplitRune(host, '.')
-	if len(parts) < 2 {
-		return ""
-	}
-	parts[0] = ""
-	return strutils.JoinRune(parts, '.')
-}
-
-func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     name,
-		Value:    value,
-		MaxAge:   int(ttl.Seconds()),
-		Domain:   cookieFQDN(r),
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteLaxMode,
-		Path:     "/",
-	})
-}
-
-func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     name,
-		Value:    "",
-		MaxAge:   -1,
-		Domain:   cookieFQDN(r),
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteLaxMode,
-		Path:     "/",
-	})
-}
-
-// DefaultLogoutCallbackHandler clears the token cookie and redirects to the login page..
-func DefaultLogoutCallbackHandler(auth Provider, w http.ResponseWriter, r *http.Request) {
-	clearTokenCookie(w, r, auth.TokenCookieName())
-	auth.RedirectLoginPage(w, r)
-}

internal/api/v1/certapi/cert_info.go

@@ -0,0 +1,41 @@
+package certapi
+
+import (
+	"encoding/json"
+	"net/http"
+
+	config "github.com/yusing/go-proxy/internal/config/types"
+)
+
+type CertInfo struct {
+	Subject        string   `json:"subject"`
+	Issuer         string   `json:"issuer"`
+	NotBefore      int64    `json:"not_before"`
+	NotAfter       int64    `json:"not_after"`
+	DNSNames       []string `json:"dns_names"`
+	EmailAddresses []string `json:"email_addresses"`
+}
+
+func GetCertInfo(w http.ResponseWriter, r *http.Request) {
+	autocert := config.GetInstance().AutoCertProvider()
+	if autocert == nil {
+		http.Error(w, "autocert is not enabled", http.StatusNotFound)
+		return
+	}
+
+	cert, err := autocert.GetCert(nil)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	certInfo := CertInfo{
+		Subject:        cert.Leaf.Subject.CommonName,
+		Issuer:         cert.Leaf.Issuer.CommonName,
+		NotBefore:      cert.Leaf.NotBefore.Unix(),
+		NotAfter:       cert.Leaf.NotAfter.Unix(),
+		DNSNames:       cert.Leaf.DNSNames,
+		EmailAddresses: cert.Leaf.EmailAddresses,
+	}
+	json.NewEncoder(w).Encode(&certInfo)
+}

internal/api/v1/certapi/renew.go

@@ -0,0 +1,56 @@
+package certapi
+
+import (
+	"net/http"
+
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/logging/memlogger"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+)
+
+func RenewCert(w http.ResponseWriter, r *http.Request) {
+	autocert := config.GetInstance().AutoCertProvider()
+	if autocert == nil {
+		http.Error(w, "autocert is not enabled", http.StatusNotFound)
+		return
+	}
+
+	conn, err := gpwebsocket.Initiate(w, r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	//nolint:errcheck
+	defer conn.CloseNow()
+
+	logs, cancel := memlogger.Events()
+	defer cancel()
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+		err = autocert.ObtainCert()
+		if err != nil {
+			gperr.LogError("failed to obtain cert", err)
+			gpwebsocket.WriteText(r, conn, err.Error())
+		} else {
+			logging.Info().Msg("cert obtained successfully")
+		}
+	}()
+	for {
+		select {
+		case l := <-logs:
+			if err != nil {
+				return
+			}
+			if !gpwebsocket.WriteText(r, conn, string(l)) {
+				return
+			}
+		case <-done:
+			return
+		}
+	}
+}

internal/api/v1/config_file.go

@@ -7,11 +7,11 @@ import (
 	"path"
 	"strings"
 
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 	"github.com/yusing/go-proxy/internal/route/provider"
 )
 
@@ -51,12 +51,12 @@ func (t FileType) GetPath(filename string) string {
 func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
 	fileType = FileType(r.PathValue("type"))
 	if !fileType.IsValid() {
-		err = U.ErrInvalidKey("type")
+		err = gphttp.ErrInvalidKey("type")
 		return
 	}
 	filename = r.PathValue("filename")
 	if filename == "" {
-		err = U.ErrMissingKey("filename")
+		err = gphttp.ErrMissingKey("filename")
 	}
 	return
 }
@@ -64,23 +64,23 @@ func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
 func GetFileContent(w http.ResponseWriter, r *http.Request) {
 	fileType, filename, err := getArgs(r)
 	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
+		gphttp.BadRequest(w, err.Error())
 		return
 	}
 	content, err := os.ReadFile(fileType.GetPath(filename))
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
-	U.WriteBody(w, content)
+	gphttp.WriteBody(w, content)
 }
 
-func validateFile(fileType FileType, content []byte) error {
+func validateFile(fileType FileType, content []byte) gperr.Error {
 	switch fileType {
 	case FileTypeConfig:
 		return config.Validate(content)
 	case FileTypeMiddleware:
-		errs := E.NewBuilder("middleware errors")
+		errs := gperr.NewBuilder("middleware errors")
 		middleware.BuildMiddlewaresFromYAML("", content, errs)
 		return errs.Error()
 	}
@@ -90,18 +90,17 @@ func validateFile(fileType FileType, content []byte) error {
 func ValidateFile(w http.ResponseWriter, r *http.Request) {
 	fileType := FileType(r.PathValue("type"))
 	if !fileType.IsValid() {
-		U.RespondError(w, U.ErrInvalidKey("type"), http.StatusBadRequest)
+		gphttp.BadRequest(w, "invalid file type")
 		return
 	}
 	content, err := io.ReadAll(r.Body)
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
 	r.Body.Close()
-	err = validateFile(fileType, content)
-	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
+	if valErr := validateFile(fileType, content); valErr != nil {
+		gphttp.JSONError(w, valErr, http.StatusBadRequest)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
@@ -110,23 +109,23 @@ func ValidateFile(w http.ResponseWriter, r *http.Request) {
 func SetFileContent(w http.ResponseWriter, r *http.Request) {
 	fileType, filename, err := getArgs(r)
 	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
+		gphttp.BadRequest(w, err.Error())
 		return
 	}
 	content, err := io.ReadAll(r.Body)
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
 
 	if valErr := validateFile(fileType, content); valErr != nil {
-		U.RespondError(w, valErr, http.StatusBadRequest)
+		gphttp.JSONError(w, valErr, http.StatusBadRequest)
 		return
 	}
 
 	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
 	w.WriteHeader(http.StatusOK)

internal/api/v1/dockerapi/common.go

@@ -0,0 +1,5 @@
+package dockerapi
+
+import "time"
+
+const reqTimeout = 10 * time.Second

internal/api/v1/dockerapi/containers.go

@@ -0,0 +1,54 @@
+package dockerapi
+
+import (
+	"context"
+	"net/http"
+	"sort"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/yusing/go-proxy/internal/gperr"
+)
+
+type Container struct {
+	Server string `json:"server"`
+	Name   string `json:"name"`
+	ID     string `json:"id"`
+	Image  string `json:"image"`
+	State  string `json:"state"`
+}
+
+func Containers(w http.ResponseWriter, r *http.Request) {
+	serveHTTP[Container, []Container](w, r, GetContainers)
+}
+
+func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get containers")
+	containers := make([]Container, 0)
+	for server, dockerClient := range dockerClients {
+		conts, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		for _, cont := range conts {
+			containers = append(containers, Container{
+				Server: server,
+				Name:   cont.Names[0],
+				ID:     cont.ID,
+				Image:  cont.Image,
+				State:  cont.State,
+			})
+		}
+	}
+	sort.Slice(containers, func(i, j int) bool {
+		return containers[i].Name < containers[j].Name
+	})
+	if err := errs.Error(); err != nil {
+		gperr.LogError("failed to get containers", err)
+		if len(containers) == 0 {
+			return nil, err
+		}
+		return containers, nil
+	}
+	return containers, nil
+}

internal/api/v1/dockerapi/info.go

@@ -0,0 +1,56 @@
+package dockerapi
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"sort"
+
+	dockerSystem "github.com/docker/docker/api/types/system"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type dockerInfo dockerSystem.Info
+
+func (d *dockerInfo) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]any{
+		"name":    d.Name,
+		"version": d.ServerVersion,
+		"containers": map[string]int{
+			"total":   d.Containers,
+			"running": d.ContainersRunning,
+			"paused":  d.ContainersPaused,
+			"stopped": d.ContainersStopped,
+		},
+		"images": d.Images,
+		"n_cpu":  d.NCPU,
+		"memory": strutils.FormatByteSize(d.MemTotal),
+	})
+}
+
+func DockerInfo(w http.ResponseWriter, r *http.Request) {
+	serveHTTP[dockerInfo](w, r, GetDockerInfo)
+}
+
+func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get docker info")
+	dockerInfos := make([]dockerInfo, len(dockerClients))
+
+	i := 0
+	for name, dockerClient := range dockerClients {
+		info, err := dockerClient.Info(ctx)
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		info.Name = name
+		dockerInfos[i] = dockerInfo(info)
+		i++
+	}
+
+	sort.Slice(dockerInfos, func(i, j int) bool {
+		return dockerInfos[i].Name < dockerInfos[j].Name
+	})
+	return dockerInfos, errs.Error()
+}

internal/api/v1/dockerapi/logs.go

@@ -0,0 +1,69 @@
+package dockerapi
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/coder/websocket"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+)
+
+func Logs(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	server := r.PathValue("server")
+	containerID := r.PathValue("container")
+	stdout, _ := strconv.ParseBool(query.Get("stdout"))
+	stderr, _ := strconv.ParseBool(query.Get("stderr"))
+	since := query.Get("from")
+	until := query.Get("to")
+	levels := query.Get("levels") // TODO: implement levels
+
+	dockerClient, found, err := getDockerClient(w, server)
+	if err != nil {
+		gphttp.BadRequest(w, err.Error())
+		return
+	}
+	if !found {
+		gphttp.NotFound(w, "server not found")
+		return
+	}
+
+	opts := container.LogsOptions{
+		ShowStdout: stdout,
+		ShowStderr: stderr,
+		Since:      since,
+		Until:      until,
+		Timestamps: true,
+		Follow:     true,
+		Tail:       "100",
+	}
+	if levels != "" {
+		opts.Details = true
+	}
+
+	logs, err := dockerClient.ContainerLogs(r.Context(), containerID, opts)
+	if err != nil {
+		gphttp.BadRequest(w, err.Error())
+		return
+	}
+	defer logs.Close()
+
+	conn, err := gpwebsocket.Initiate(w, r)
+	if err != nil {
+		return
+	}
+	defer conn.CloseNow()
+
+	writer := gpwebsocket.NewWriter(r.Context(), conn, websocket.MessageText)
+	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
+	if err != nil {
+		logging.Err(err).
+			Str("server", server).
+			Str("container", containerID).
+			Msg("failed to de-multiplex logs")
+	}
+}

internal/api/v1/dockerapi/utils.go

@@ -0,0 +1,124 @@
+package dockerapi
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/coder/websocket"
+	"github.com/coder/websocket/wsjson"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/docker"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+)
+
+type (
+	DockerClients     map[string]*docker.SharedClient
+	ResultType[T any] interface {
+		map[string]T | []T
+	}
+)
+
+// getDockerClients returns a map of docker clients for the current config.
+//
+// Returns a map of docker clients by server name and an error if any.
+//
+// Even if there are errors, the map of docker clients might not be empty.
+func getDockerClients() (DockerClients, gperr.Error) {
+	cfg := config.GetInstance()
+
+	dockerHosts := cfg.Value().Providers.Docker
+	dockerClients := make(DockerClients)
+
+	connErrs := gperr.NewBuilder("failed to connect to docker")
+
+	for name, host := range dockerHosts {
+		dockerClient, err := docker.NewClient(host)
+		if err != nil {
+			connErrs.Add(err)
+			continue
+		}
+		dockerClients[name] = dockerClient
+	}
+
+	for _, agent := range cfg.ListAgents() {
+		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
+		if err != nil {
+			connErrs.Add(err)
+			continue
+		}
+		dockerClients[agent.Name()] = dockerClient
+	}
+
+	return dockerClients, connErrs.Error()
+}
+
+func getDockerClient(w http.ResponseWriter, server string) (*docker.SharedClient, bool, error) {
+	cfg := config.GetInstance()
+	var host string
+	for name, h := range cfg.Value().Providers.Docker {
+		if name == server {
+			host = h
+			break
+		}
+	}
+	for _, agent := range cfg.ListAgents() {
+		if agent.Name() == server {
+			host = agent.FakeDockerHost()
+			break
+		}
+	}
+	if host == "" {
+		return nil, false, nil
+	}
+	dockerClient, err := docker.NewClient(host)
+	if err != nil {
+		return nil, false, err
+	}
+	return dockerClient, true, nil
+}
+
+// closeAllClients closes all docker clients after a delay.
+//
+// This is used to ensure that all docker clients are closed after the http handler returns.
+func closeAllClients(dockerClients DockerClients) {
+	for _, dockerClient := range dockerClients {
+		dockerClient.Close()
+	}
+}
+
+func handleResult[V any, T ResultType[V]](w http.ResponseWriter, errs error, result T) {
+	if errs != nil {
+		gperr.LogError("docker errors", errs)
+		if len(result) == 0 {
+			http.Error(w, "docker errors", http.StatusInternalServerError)
+			return
+		}
+	}
+	json.NewEncoder(w).Encode(result)
+}
+
+func serveHTTP[V any, T ResultType[V]](w http.ResponseWriter, r *http.Request, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
+	dockerClients, err := getDockerClients()
+	if err != nil {
+		handleResult[V, T](w, err, nil)
+		return
+	}
+	defer closeAllClients(dockerClients)
+
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
+			result, err := getResult(r.Context(), dockerClients)
+			if err != nil {
+				return err
+			}
+			return wsjson.Write(r.Context(), conn, result)
+		})
+	} else {
+		result, err := getResult(r.Context(), dockerClients)
+		handleResult[V, T](w, err, result)
+	}
+}

internal/api/v1/favicon/cache.go

@@ -1,136 +0,0 @@
-package favicon
-
-import (
-	"encoding/json"
-	"sync"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/logging"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-type cacheEntry struct {
-	Icon       []byte    `json:"icon"`
-	LastAccess time.Time `json:"lastAccess"`
-}
-
-// cache key can be absolute url or route name.
-var (
-	iconCache   = make(map[string]*cacheEntry)
-	iconCacheMu sync.RWMutex
-)
-
-const (
-	iconCacheTTL    = 24 * time.Hour
-	cleanUpInterval = time.Hour
-)
-
-func InitIconCache() {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-
-	err := utils.LoadJSONIfExist(common.IconCachePath, &iconCache)
-	if err != nil {
-		logging.Error().Err(err).Msg("failed to load icon cache")
-	} else {
-		logging.Info().Msgf("icon cache loaded (%d icons)", len(iconCache))
-	}
-
-	go func() {
-		cleanupTicker := time.NewTicker(cleanUpInterval)
-		defer cleanupTicker.Stop()
-		for {
-			select {
-			case <-task.RootContextCanceled():
-				return
-			case <-cleanupTicker.C:
-				pruneExpiredIconCache()
-			}
-		}
-	}()
-
-	task.OnProgramExit("save_favicon_cache", func() {
-		iconCacheMu.Lock()
-		defer iconCacheMu.Unlock()
-
-		if len(iconCache) == 0 {
-			return
-		}
-
-		if err := utils.SaveJSON(common.IconCachePath, &iconCache, 0o644); err != nil {
-			logging.Error().Err(err).Msg("failed to save icon cache")
-		}
-	})
-}
-
-func pruneExpiredIconCache() {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-
-	nPruned := 0
-	for key, icon := range iconCache {
-		if icon.IsExpired() {
-			delete(iconCache, key)
-			nPruned++
-		}
-	}
-	logging.Info().Int("pruned", nPruned).Msg("pruned expired icon cache")
-}
-
-func routeKey(r route.HTTPRoute) string {
-	return r.ProviderName() + ":" + r.TargetName()
-}
-
-func PruneRouteIconCache(route route.HTTPRoute) {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-	delete(iconCache, routeKey(route))
-}
-
-func loadIconCache(key string) *fetchResult {
-	iconCacheMu.RLock()
-	defer iconCacheMu.RUnlock()
-
-	icon, ok := iconCache[key]
-	if ok && icon != nil {
-		logging.Debug().
-			Str("key", key).
-			Msg("icon found in cache")
-		icon.LastAccess = time.Now()
-		return &fetchResult{icon: icon.Icon}
-	}
-	return nil
-}
-
-func storeIconCache(key string, icon []byte) {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-	iconCache[key] = &cacheEntry{Icon: icon, LastAccess: time.Now()}
-}
-
-func (e *cacheEntry) IsExpired() bool {
-	return time.Since(e.LastAccess) > iconCacheTTL
-}
-
-func (e *cacheEntry) UnmarshalJSON(data []byte) error {
-	attempt := struct {
-		Icon       []byte    `json:"icon"`
-		LastAccess time.Time `json:"lastAccess"`
-	}{}
-	err := json.Unmarshal(data, &attempt)
-	if err == nil {
-		e.Icon = attempt.Icon
-		e.LastAccess = attempt.LastAccess
-		return nil
-	}
-	// fallback to bytes
-	err = json.Unmarshal(data, &e.Icon)
-	if err == nil {
-		e.LastAccess = time.Now()
-		return nil
-	}
-	return err
-}

internal/api/v1/favicon/favicon.go

@@ -1,47 +1,15 @@
 package favicon
 
 import (
-	"bytes"
-	"context"
 	"errors"
-	"io"
 	"net/http"
-	"net/url"
-	"path"
-	"strings"
-	"time"
 
-	"github.com/PuerkitoBio/goquery"
-	"github.com/vincent-petithory/dataurl"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/logging"
-	gphttp "github.com/yusing/go-proxy/internal/net/http"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
-	route "github.com/yusing/go-proxy/internal/route/types"
 )
 
-type fetchResult struct {
-	icon        []byte
-	contentType string
-	statusCode  int
-	errMsg      string
-}
-
-func (res *fetchResult) OK() bool {
-	return res.icon != nil
-}
-
-func (res *fetchResult) ContentType() string {
-	if res.contentType == "" {
-		if bytes.HasPrefix(res.icon, []byte("<svg")) || bytes.HasPrefix(res.icon, []byte("<?xml")) {
-			return "image/svg+xml"
-		}
-		return "image/x-icon"
-	}
-	return res.contentType
-}
-
 // GetFavIcon returns the favicon of the route
 //
 // Returns:
@@ -53,11 +21,11 @@ func (res *fetchResult) ContentType() string {
 func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	url, alias := req.FormValue("url"), req.FormValue("alias")
 	if url == "" && alias == "" {
-		U.RespondError(w, U.ErrMissingKey("url or alias"), http.StatusBadRequest)
+		gphttp.ClientError(w, gphttp.ErrMissingKey("url or alias"), http.StatusBadRequest)
 		return
 	}
 	if url != "" && alias != "" {
-		U.RespondError(w, U.ErrInvalidKey("url and alias are mutually exclusive"), http.StatusBadRequest)
+		gphttp.ClientError(w, gperr.New("url and alias are mutually exclusive"), http.StatusBadRequest)
 		return
 	}
 
@@ -65,219 +33,45 @@ func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	if url != "" {
 		var iconURL homepage.IconURL
 		if err := iconURL.Parse(url); err != nil {
-			U.RespondError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, err, http.StatusBadRequest)
 			return
 		}
-		fetchResult := getFavIconFromURL(&iconURL)
+		fetchResult := homepage.FetchFavIconFromURL(req.Context(), &iconURL)
 		if !fetchResult.OK() {
-			http.Error(w, fetchResult.errMsg, fetchResult.statusCode)
+			http.Error(w, fetchResult.ErrMsg, fetchResult.StatusCode)
 			return
 		}
 		w.Header().Set("Content-Type", fetchResult.ContentType())
-		U.WriteBody(w, fetchResult.icon)
+		gphttp.WriteBody(w, fetchResult.Icon)
 		return
 	}
 
-	// try with route.Homepage.Icon
-	r, ok := routes.GetHTTPRoute(alias)
+	// try with route.Icon
+	r, ok := routes.HTTP.Get(alias)
 	if !ok {
-		U.RespondError(w, errors.New("no such route"), http.StatusNotFound)
+		gphttp.ClientError(w, errors.New("no such route"), http.StatusNotFound)
 		return
 	}
 
-	var result *fetchResult
-	hp := r.HomepageConfig().GetOverride()
-	if !hp.IsEmpty() && hp.Icon != nil {
+	var result *homepage.FetchResult
+	hp := r.HomepageItem()
+	if hp.Icon != nil {
 		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = findIcon(r, req, hp.Icon.Value)
+			result = homepage.FindIcon(req.Context(), r, hp.Icon.Value)
 		} else {
-			result = getFavIconFromURL(hp.Icon)
+			result = homepage.FetchFavIconFromURL(req.Context(), hp.Icon)
 		}
 	} else {
 		// try extract from "link[rel=icon]"
-		result = findIcon(r, req, "/")
+		result = homepage.FindIcon(req.Context(), r, "/")
 	}
-	if result.statusCode == 0 {
-		result.statusCode = http.StatusOK
+	if result.StatusCode == 0 {
+		result.StatusCode = http.StatusOK
 	}
 	if !result.OK() {
-		http.Error(w, result.errMsg, result.statusCode)
+		http.Error(w, result.ErrMsg, result.StatusCode)
 		return
 	}
 	w.Header().Set("Content-Type", result.ContentType())
-	U.WriteBody(w, result.icon)
-}
-
-func getFavIconFromURL(iconURL *homepage.IconURL) *fetchResult {
-	switch iconURL.IconSource {
-	case homepage.IconSourceAbsolute:
-		return fetchIconAbsolute(iconURL.URL())
-	case homepage.IconSourceRelative:
-		return &fetchResult{statusCode: http.StatusBadRequest, errMsg: "unexpected relative icon"}
-	case homepage.IconSourceWalkXCode, homepage.IconSourceSelfhSt:
-		return fetchKnownIcon(iconURL)
-	}
-	return &fetchResult{statusCode: http.StatusBadRequest, errMsg: "invalid icon source"}
-}
-
-func fetchIconAbsolute(url string) *fetchResult {
-	if result := loadIconCache(url); result != nil {
-		return result
-	}
-
-	resp, err := U.Get(url)
-	if err != nil || resp.StatusCode != http.StatusOK {
-		if err == nil {
-			err = errors.New(resp.Status)
-		}
-		logging.Error().Err(err).
-			Str("url", url).
-			Msg("failed to get icon")
-		return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
-	}
-
-	defer resp.Body.Close()
-	icon, err := io.ReadAll(resp.Body)
-	if err != nil {
-		logging.Error().Err(err).
-			Str("url", url).
-			Msg("failed to read icon")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-	}
-
-	storeIconCache(url, icon)
-	return &fetchResult{icon: icon}
-}
-
-var nameSanitizer = strings.NewReplacer(
-	"_", "-",
-	" ", "-",
-	"(", "",
-	")", "",
-)
-
-func sanitizeName(name string) string {
-	return strings.ToLower(nameSanitizer.Replace(name))
-}
-
-func fetchKnownIcon(url *homepage.IconURL) *fetchResult {
-	// if icon isn't in the list, no need to fetch
-	if !url.HasIcon() {
-		logging.Debug().
-			Str("value", url.String()).
-			Str("url", url.URL()).
-			Msg("no such icon")
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "no such icon"}
-	}
-
-	return fetchIconAbsolute(url.URL())
-}
-
-func fetchIcon(filetype, filename string) *fetchResult {
-	result := fetchKnownIcon(homepage.NewSelfhStIconURL(filename, filetype))
-	if result.icon == nil {
-		return result
-	}
-	return fetchKnownIcon(homepage.NewWalkXCodeIconURL(filename, filetype))
-}
-
-func findIcon(r route.HTTPRoute, req *http.Request, uri string) *fetchResult {
-	key := routeKey(r)
-	if result := loadIconCache(key); result != nil {
-		return result
-	}
-
-	result := fetchIcon("png", sanitizeName(r.TargetName()))
-	cont := r.ContainerInfo()
-	if !result.OK() && cont != nil {
-		result = fetchIcon("png", sanitizeName(cont.ImageName))
-	}
-	if !result.OK() {
-		// fallback to parse html
-		result = findIconSlow(r, req, uri)
-	}
-	if result.OK() {
-		storeIconCache(key, result.icon)
-	}
-	return result
-}
-
-func findIconSlow(r route.HTTPRoute, req *http.Request, uri string) *fetchResult {
-	ctx, cancel := context.WithTimeoutCause(req.Context(), 3*time.Second, errors.New("favicon request timeout"))
-	defer cancel()
-	newReq := req.WithContext(ctx)
-	newReq.Header.Set("Accept-Encoding", "identity") // disable compression
-	if !strings.HasPrefix(uri, "/") {
-		uri = "/" + uri
-	}
-	u, err := url.ParseRequestURI(uri)
-	if err != nil {
-		logging.Error().Err(err).
-			Str("route", r.TargetName()).
-			Str("path", uri).
-			Msg("failed to parse uri")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "cannot parse uri"}
-	}
-	newReq.URL.Path = u.Path
-	newReq.URL.RawPath = u.RawPath
-	newReq.URL.RawQuery = u.RawQuery
-	newReq.RequestURI = u.String()
-
-	c := newContent()
-	r.ServeHTTP(c, newReq)
-	if c.status != http.StatusOK {
-		switch c.status {
-		case 0:
-			return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
-		default:
-			if loc := c.Header().Get("Location"); loc != "" {
-				loc = path.Clean(loc)
-				if !strings.HasPrefix(loc, "/") {
-					loc = "/" + loc
-				}
-				if loc == newReq.URL.Path {
-					return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "circular redirect"}
-				}
-				return findIconSlow(r, req, loc)
-			}
-		}
-		return &fetchResult{statusCode: c.status, errMsg: "upstream error: " + string(c.data)}
-	}
-	// return icon data
-	if !gphttp.GetContentType(c.header).IsHTML() {
-		return &fetchResult{icon: c.data, contentType: c.header.Get("Content-Type")}
-	}
-	// try extract from "link[rel=icon]" from path "/"
-	doc, err := goquery.NewDocumentFromReader(bytes.NewBuffer(c.data))
-	if err != nil {
-		logging.Error().Err(err).
-			Str("route", r.TargetName()).
-			Msg("failed to parse html")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-	}
-	ele := doc.Find("head > link[rel=icon]").First()
-	if ele.Length() == 0 {
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "icon element not found"}
-	}
-	href := ele.AttrOr("href", "")
-	if href == "" {
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "icon href not found"}
-	}
-	// https://en.wikipedia.org/wiki/Data_URI_scheme
-	if strings.HasPrefix(href, "data:image/") {
-		dataURI, err := dataurl.DecodeString(href)
-		if err != nil {
-			logging.Error().Err(err).
-				Str("route", r.TargetName()).
-				Msg("failed to decode favicon")
-			return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-		}
-		return &fetchResult{icon: dataURI.Data, contentType: dataURI.ContentType()}
-	}
-	switch {
-	case strings.HasPrefix(href, "http://"), strings.HasPrefix(href, "https://"):
-		return fetchIconAbsolute(href)
-	default:
-		return findIconSlow(r, req, path.Clean(href))
-	}
+	gphttp.WriteBody(w, result.Icon)
 }

internal/api/v1/health.go

@@ -6,13 +6,18 @@ import (
 
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/route/routes"
 )
 
-func HealthWS(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	U.PeriodicWS(cfg, w, r, 1*time.Second, func(conn *websocket.Conn) error {
-		return wsjson.Write(r.Context(), conn, routequery.HealthMap())
-	})
+func Health(w http.ResponseWriter, r *http.Request) {
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
+			return wsjson.Write(r.Context(), conn, routes.HealthMap())
+		})
+	} else {
+		gphttp.RespondJSON(w, r, routes.HealthMap())
+	}
 }

internal/api/v1/homepage_overrides.go

@@ -5,8 +5,8 @@ import (
 	"io"
 	"net/http"
 
-	"github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/homepage"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 
 const (
@@ -37,13 +37,13 @@ type (
 func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
 	what := r.FormValue("what")
 	if what == "" {
-		http.Error(w, "missing what or which", http.StatusBadRequest)
+		gphttp.BadRequest(w, "missing what or which")
 		return
 	}
 
 	data, err := io.ReadAll(r.Body)
 	if err != nil {
-		utils.RespondError(w, err, http.StatusBadRequest)
+		gphttp.ClientError(w, err, http.StatusBadRequest)
 		return
 	}
 	r.Body.Close()
@@ -53,32 +53,32 @@ func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
 	case HomepageOverrideItem:
 		var params HomepageOverrideItemParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			utils.RespondError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, err, http.StatusBadRequest)
 			return
 		}
 		overrides.OverrideItem(params.Which, &params.Value)
 	case HomepageOverrideItemsBatch:
 		var params HomepageOverrideItemsBatchParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			utils.RespondError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, err, http.StatusBadRequest)
 			return
 		}
 		overrides.OverrideItems(params.Value)
 	case HomepageOverrideItemVisible: // POST /v1/item_visible [a,b,c], false => hide a, b, c
 		var params HomepageOverrideItemVisibleParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			utils.RespondError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, err, http.StatusBadRequest)
 			return
 		}
 		if params.Value {
-			overrides.UnhideItems(params.Which...)
+			overrides.UnhideItems(params.Which)
 		} else {
-			overrides.HideItems(params.Which...)
+			overrides.HideItems(params.Which)
 		}
 	case HomepageOverrideCategoryOrder:
 		var params HomepageOverrideCategoryOrderParams
 		if err := json.Unmarshal(data, &params); err != nil {
-			utils.RespondError(w, err, http.StatusBadRequest)
+			gphttp.ClientError(w, err, http.StatusBadRequest)
 			return
 		}
 		overrides.SetCategoryOrder(params.Which, params.Value)

internal/api/v1/index.go

@@ -3,9 +3,9 @@ package v1
 import (
 	"net/http"
 
-	. "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 
 func Index(w http.ResponseWriter, r *http.Request) {
-	WriteBody(w, []byte("API ready"))
+	gphttp.WriteBody(w, []byte("API ready"))
 }

internal/api/v1/list.go

@@ -1,16 +1,17 @@
 package v1
 
 import (
+	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
 
 	"github.com/yusing/go-proxy/internal"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
 	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
+	"github.com/yusing/go-proxy/internal/route/routes"
 	route "github.com/yusing/go-proxy/internal/route/types"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
@@ -43,24 +44,24 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 		if route == nil {
 			http.NotFound(w, r)
 		} else {
-			U.RespondJSON(w, r, route)
+			gphttp.RespondJSON(w, r, route)
 		}
 	case ListRoutes:
-		U.RespondJSON(w, r, routequery.RoutesByAlias(route.RouteType(r.FormValue("type"))))
+		gphttp.RespondJSON(w, r, routes.ByAlias(route.RouteType(r.FormValue("type"))))
 	case ListFiles:
 		listFiles(w, r)
 	case ListMiddlewares:
-		U.RespondJSON(w, r, middleware.All())
+		gphttp.RespondJSON(w, r, middleware.All())
 	case ListMiddlewareTraces:
-		U.RespondJSON(w, r, middleware.GetAllTrace())
+		gphttp.RespondJSON(w, r, middleware.GetAllTrace())
 	case ListMatchDomains:
-		U.RespondJSON(w, r, cfg.Value().MatchDomains)
+		gphttp.RespondJSON(w, r, cfg.Value().MatchDomains)
 	case ListHomepageConfig:
-		U.RespondJSON(w, r, routequery.HomepageConfig(cfg.Value().Homepage.UseDefaultCategories, r.FormValue("category"), r.FormValue("provider")))
+		gphttp.RespondJSON(w, r, routes.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
 	case ListRouteProviders:
-		U.RespondJSON(w, r, cfg.RouteProviderList())
+		gphttp.RespondJSON(w, r, cfg.RouteProviderList())
 	case ListHomepageCategories:
-		U.RespondJSON(w, r, routequery.HomepageCategories())
+		gphttp.RespondJSON(w, r, routes.HomepageCategories())
 	case ListIcons:
 		limit, err := strconv.Atoi(r.FormValue("limit"))
 		if err != nil {
@@ -68,17 +69,17 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 		}
 		icons, err := internal.SearchIcons(r.FormValue("keyword"), limit)
 		if err != nil {
-			U.RespondError(w, err)
+			gphttp.ClientError(w, err)
 			return
 		}
 		if icons == nil {
 			icons = []string{}
 		}
-		U.RespondJSON(w, r, icons)
+		gphttp.RespondJSON(w, r, icons)
 	case ListTasks:
-		U.RespondJSON(w, r, task.DebugTaskList())
+		gphttp.RespondJSON(w, r, task.DebugTaskList())
 	default:
-		U.HandleErr(w, r, U.ErrInvalidKey("what"), http.StatusBadRequest)
+		gphttp.BadRequest(w, fmt.Sprintf("invalid what: %s", what))
 	}
 }
 
@@ -86,9 +87,9 @@ func List(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 // otherwise, return a single Route with alias which or nil if not found.
 func listRoute(which string) any {
 	if which == "" || which == "all" {
-		return routequery.RoutesByAlias()
+		return routes.ByAlias()
 	}
-	routes := routequery.RoutesByAlias()
+	routes := routes.ByAlias()
 	route, ok := routes[which]
 	if !ok {
 		return nil
@@ -99,7 +100,7 @@ func listRoute(which string) any {
 func listFiles(w http.ResponseWriter, r *http.Request) {
 	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
 	resp := map[FileType][]string{
@@ -116,12 +117,12 @@ func listFiles(w http.ResponseWriter, r *http.Request) {
 
 	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
 	if err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
 	for _, mid := range mids {
 		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
 		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
 	}
-	U.RespondJSON(w, r, resp)
+	gphttp.RespondJSON(w, r, resp)
 }

internal/api/v1/new_agent.go

@@ -0,0 +1,141 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strconv"
+
+	_ "embed"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/agent/pkg/certs"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+)
+
+func NewAgent(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	name := q.Get("name")
+	if name == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("name"))
+		return
+	}
+	host := q.Get("host")
+	if host == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("host"))
+		return
+	}
+	portStr := q.Get("port")
+	if portStr == "" {
+		gphttp.ClientError(w, gphttp.ErrMissingKey("port"))
+		return
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil || port < 1 || port > 65535 {
+		gphttp.ClientError(w, gphttp.ErrInvalidKey("port"))
+		return
+	}
+	hostport := fmt.Sprintf("%s:%d", host, port)
+	if _, ok := config.GetInstance().GetAgent(hostport); ok {
+		gphttp.ClientError(w, gphttp.ErrAlreadyExists("agent", hostport), http.StatusConflict)
+		return
+	}
+	t := q.Get("type")
+	switch t {
+	case "docker", "system":
+		break
+	case "":
+		gphttp.ClientError(w, gphttp.ErrMissingKey("type"))
+		return
+	default:
+		gphttp.ClientError(w, gphttp.ErrInvalidKey("type"))
+		return
+	}
+
+	nightly, _ := strconv.ParseBool(q.Get("nightly"))
+	var image string
+	if nightly {
+		image = agent.DockerImageNightly
+	} else {
+		image = agent.DockerImageProduction
+	}
+
+	ca, srv, client, err := agent.NewAgent()
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	var cfg agent.Generator = &agent.AgentEnvConfig{
+		Name:    name,
+		Port:    port,
+		CACert:  ca.String(),
+		SSLCert: srv.String(),
+	}
+	if t == "docker" {
+		cfg = &agent.AgentComposeConfig{
+			Image:          image,
+			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
+		}
+	}
+	template, err := cfg.Generate()
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	gphttp.RespondJSON(w, r, map[string]any{
+		"compose": template,
+		"ca":      ca,
+		"client":  client,
+	})
+}
+
+func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+	clientPEMData, err := io.ReadAll(r.Body)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	var data struct {
+		Host   string        `json:"host"`
+		CA     agent.PEMPair `json:"ca"`
+		Client agent.PEMPair `json:"client"`
+	}
+
+	if err := json.Unmarshal(clientPEMData, &data); err != nil {
+		gphttp.ClientError(w, err, http.StatusBadRequest)
+		return
+	}
+
+	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(data.Host, data.CA, data.Client)
+	if err != nil {
+		gphttp.ClientError(w, err)
+		return
+	}
+
+	zip, err := certs.ZipCert(data.CA.Cert, data.Client.Cert, data.Client.Key)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	filename, ok := certs.AgentCertsFilepath(data.Host)
+	if !ok {
+		gphttp.ClientError(w, gphttp.ErrInvalidKey("host"))
+		return
+	}
+
+	if err := os.WriteFile(filename, zip, 0600); err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.Write(fmt.Appendf(nil, "Added %d routes", nRoutesAdded))
+}

internal/api/v1/query/query.go

@@ -7,20 +7,20 @@ import (
 	"net/http"
 
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 )
 
-func ReloadServer() E.Error {
-	resp, err := U.Post(common.APIHTTPURL+"/v1/reload", "", nil)
+func ReloadServer() gperr.Error {
+	resp, err := gphttp.Post(common.APIHTTPURL+"/v1/reload", "", nil)
 	if err != nil {
-		return E.From(err)
+		return gperr.Wrap(err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		failure := E.Errorf("server reload status %v", resp.StatusCode)
+		failure := gperr.Errorf("server reload status %v", resp.StatusCode)
 		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return failure.With(err)
@@ -31,34 +31,34 @@ func ReloadServer() E.Error {
 	return nil
 }
 
-func List[T any](what string) (_ T, outErr E.Error) {
-	resp, err := U.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, what))
+func List[T any](what string) (_ T, outErr gperr.Error) {
+	resp, err := gphttp.Get(fmt.Sprintf("%s/v1/list/%s", common.APIHTTPURL, what))
 	if err != nil {
-		outErr = E.From(err)
+		outErr = gperr.Wrap(err)
 		return
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		outErr = E.Errorf("list %s: failed, status %v", what, resp.StatusCode)
+		outErr = gperr.Errorf("list %s: failed, status %v", what, resp.StatusCode)
 		return
 	}
 	var res T
 	err = json.NewDecoder(resp.Body).Decode(&res)
 	if err != nil {
-		outErr = E.From(err)
+		outErr = gperr.Wrap(err)
 		return
 	}
 	return res, nil
 }
 
-func ListRoutes() (map[string]map[string]any, E.Error) {
+func ListRoutes() (map[string]map[string]any, gperr.Error) {
 	return List[map[string]map[string]any](v1.ListRoutes)
 }
 
-func ListMiddlewareTraces() (middleware.Traces, E.Error) {
+func ListMiddlewareTraces() (middleware.Traces, gperr.Error) {
 	return List[middleware.Traces](v1.ListMiddlewareTraces)
 }
 
-func DebugListTasks() (map[string]any, E.Error) {
+func DebugListTasks() (map[string]any, gperr.Error) {
 	return List[map[string]any](v1.ListTasks)
 }

internal/api/v1/reload.go

@@ -3,14 +3,14 @@ package v1
 import (
 	"net/http"
 
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 
 func Reload(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	if err := cfg.Reload(); err != nil {
-		U.HandleErr(w, r, err)
+		gphttp.ServerError(w, r, err)
 		return
 	}
-	U.WriteBody(w, []byte("OK"))
+	gphttp.WriteBody(w, []byte("OK"))
 }

internal/api/v1/stats.go

@@ -6,19 +6,21 @@ import (
 
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 func Stats(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	U.RespondJSON(w, r, getStats(cfg))
-}
-
-func StatsWS(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
-	U.PeriodicWS(cfg, w, r, 1*time.Second, func(conn *websocket.Conn) error {
-		return wsjson.Write(r.Context(), conn, getStats(cfg))
-	})
+	if httpheaders.IsWebsocket(r.Header) {
+		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
+			return wsjson.Write(r.Context(), conn, getStats(cfg))
+		})
+	} else {
+		gphttp.RespondJSON(w, r, getStats(cfg))
+	}
 }
 
 var startTime = time.Now()

internal/api/v1/system_info.go

@@ -0,0 +1,54 @@
+package v1
+
+import (
+	"net/http"
+
+	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
+	config "github.com/yusing/go-proxy/internal/config/types"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
+	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
+	"github.com/yusing/go-proxy/internal/net/types"
+)
+
+func SystemInfo(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	agentAddr := query.Get("agent_addr")
+	query.Del("agent_addr")
+	if agentAddr == "" {
+		systeminfo.Poller.ServeHTTP(w, r)
+		return
+	}
+
+	agent, ok := cfg.GetAgent(agentAddr)
+	if !ok {
+		gphttp.NotFound(w, "agent_addr")
+		return
+	}
+
+	isWS := httpheaders.IsWebsocket(r.Header)
+	if !isWS {
+		respData, status, err := agent.Forward(r, agentPkg.EndpointSystemInfo)
+		if err != nil {
+			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to forward request to agent"))
+			return
+		}
+		if status != http.StatusOK {
+			http.Error(w, string(respData), status)
+			return
+		}
+		gphttp.WriteBody(w, respData)
+	} else {
+		rp := reverseproxy.NewReverseProxy("agent", types.NewURL(agentPkg.AgentURL), agent.Transport())
+		header := r.Header.Clone()
+		r, err := http.NewRequestWithContext(r.Context(), r.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
+		if err != nil {
+			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to create request"))
+			return
+		}
+		r.Header = header
+		rp.ServeHTTP(w, r)
+	}
+}

internal/api/v1/utils/error.go

@@ -1,55 +0,0 @@
-package utils
-
-import (
-	"encoding/json"
-	"net/http"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils/ansi"
-)
-
-// HandleErr logs the error and returns an error code to the client.
-// If code is specified, it will be used as the HTTP status code; otherwise,
-// http.StatusInternalServerError is used.
-//
-// The error is only logged but not returned to the client.
-func HandleErr(w http.ResponseWriter, r *http.Request, err error, code ...int) {
-	if err == nil {
-		return
-	}
-	LogError(r).Msg(err.Error())
-	if len(code) == 0 {
-		code = []int{http.StatusInternalServerError}
-	}
-	http.Error(w, http.StatusText(code[0]), code[0])
-}
-
-// RespondError returns error details to the client.
-// If code is specified, it will be used as the HTTP status code; otherwise,
-// http.StatusBadRequest is used.
-func RespondError(w http.ResponseWriter, err error, code ...int) {
-	if len(code) == 0 {
-		code = []int{http.StatusBadRequest}
-	}
-	buf, err := json.Marshal(err)
-	if err != nil { // just in case
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		http.Error(w, ansi.StripANSI(err.Error()), code[0])
-		return
-	}
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	w.WriteHeader(code[0])
-	_, _ = w.Write(buf)
-}
-
-func ErrMissingKey(k string) error {
-	return E.New("missing key '" + k + "' in query or request body")
-}
-
-func ErrInvalidKey(k string) error {
-	return E.New("invalid key '" + k + "' in query or request body")
-}
-
-func ErrNotFound(k, v string) error {
-	return E.Errorf("key %q with value %q not found", k, v)
-}

internal/api/v1/utils/ws.go

@@ -1,68 +0,0 @@
-package utils
-
-import (
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging"
-)
-
-func warnNoMatchDomains() {
-	logging.Warn().Msg("no match domains configured, accepting websocket API request from all origins")
-}
-
-var warnNoMatchDomainOnce sync.Once
-
-func InitiateWS(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) (*websocket.Conn, error) {
-	var originPats []string
-
-	localAddresses := []string{"127.0.0.1", "10.0.*.*", "172.16.*.*", "192.168.*.*"}
-
-	if len(cfg.Value().MatchDomains) == 0 {
-		warnNoMatchDomainOnce.Do(warnNoMatchDomains)
-		originPats = []string{"*"}
-	} else {
-		originPats = make([]string, len(cfg.Value().MatchDomains))
-		for i, domain := range cfg.Value().MatchDomains {
-			originPats[i] = "*" + domain
-		}
-		originPats = append(originPats, localAddresses...)
-	}
-	if common.IsDebug {
-		originPats = []string{"*"}
-	}
-	return websocket.Accept(w, r, &websocket.AcceptOptions{
-		OriginPatterns: originPats,
-	})
-}
-
-func PeriodicWS(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request, interval time.Duration, do func(conn *websocket.Conn) error) {
-	conn, err := InitiateWS(cfg, w, r)
-	if err != nil {
-		HandleErr(w, r, err)
-		return
-	}
-	/* trunk-ignore(golangci-lint/errcheck) */
-	defer conn.CloseNow()
-
-	ticker := time.NewTicker(interval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-cfg.Context().Done():
-			return
-		case <-r.Context().Done():
-			return
-		case <-ticker.C:
-			if err := do(conn); err != nil {
-				LogError(r).Msg(err.Error())
-				return
-			}
-		}
-	}
-}

internal/api/v1/version.go

@@ -1,12 +0,0 @@
-package v1
-
-import (
-	"net/http"
-
-	. "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/pkg"
-)
-
-func GetVersion(w http.ResponseWriter, r *http.Request) {
-	WriteBody(w, []byte(pkg.GetVersion()))
-}

internal/auth/auth.go

@@ -3,9 +3,8 @@ package auth
 import (
 	"net/http"
 
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 
 var defaultAuth Provider
@@ -13,7 +12,6 @@ var defaultAuth Provider
 // Initialize sets up authentication providers.
 func Initialize() error {
 	if !IsEnabled() {
-		logging.Warn().Msg("authentication is disabled, please set API_JWT_SECRET or OIDC_* to enable authentication")
 		return nil
 	}
 
@@ -33,7 +31,7 @@ func GetDefaultAuth() Provider {
 }
 
 func IsEnabled() bool {
-	return common.APIJWTSecret != nil || IsOIDCEnabled()
+	return !common.DebugDisableAuth && (common.APIJWTSecret != nil || IsOIDCEnabled())
 }
 
 func IsOIDCEnabled() bool {
@@ -44,7 +42,7 @@ func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
 	if IsEnabled() {
 		return func(w http.ResponseWriter, r *http.Request) {
 			if err := defaultAuth.CheckToken(r); err != nil {
-				U.RespondError(w, err, http.StatusUnauthorized)
+				gphttp.ClientError(w, err, http.StatusUnauthorized)
 			} else {
 				next(w, r)
 			}
@@ -52,3 +50,11 @@ func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
 	}
 	return next
 }
+
+func AuthCheckHandler(w http.ResponseWriter, r *http.Request) {
+	if err := defaultAuth.CheckToken(r); err != nil {
+		defaultAuth.LoginHandler(w, r)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+}

internal/auth/block_page.go

@@ -0,0 +1,22 @@
+package auth
+
+import (
+	"html/template"
+	"net/http"
+
+	_ "embed"
+)
+
+//go:embed block_page.html
+var blockPageHTML string
+
+var blockPageTemplate = template.Must(template.New("block_page").Parse(blockPageHTML))
+
+func WriteBlockPage(w http.ResponseWriter, status int, error string, logoutURL string) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	blockPageTemplate.Execute(w, map[string]string{
+		"StatusText": http.StatusText(status),
+		"Error":      error,
+		"LogoutURL":  logoutURL,
+	})
+}

internal/auth/block_page.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+    <title>Access Denied</title>
+</head>
+<body>
+    <h1>{{.StatusText}}</h1>
+    <p>{{.Error}}</p>
+    <a href="{{.LogoutURL}}">Logout</a>
+</body>
+</html>

internal/auth/oauth_refresh.go

@@ -0,0 +1,185 @@
+package auth
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/jsonstore"
+	"github.com/yusing/go-proxy/internal/logging"
+	"golang.org/x/oauth2"
+)
+
+type oauthRefreshToken struct {
+	Username     string    `json:"username"`
+	RefreshToken string    `json:"refresh_token"`
+	Expiry       time.Time `json:"expiry"`
+}
+
+type Session struct {
+	SessionID sessionID `json:"session_id"`
+	Username  string    `json:"username"`
+	Groups    []string  `json:"groups"`
+}
+
+type sessionClaims struct {
+	Session
+	jwt.RegisteredClaims
+}
+
+type sessionID string
+
+var oauthRefreshTokens jsonstore.MapStore[oauthRefreshToken]
+
+var (
+	defaultRefreshTokenExpiry = 30 * 24 * time.Hour // 1 month
+	refreshBefore             = 30 * time.Second
+)
+
+var (
+	errNoRefreshToken      = errors.New("no refresh token")
+	ErrRefreshTokenFailure = errors.New("failed to refresh token")
+)
+
+const sessionTokenIssuer = "GoDoxy"
+
+func init() {
+	if IsOIDCEnabled() {
+		oauthRefreshTokens = jsonstore.Store[oauthRefreshToken]("oauth_refresh_tokens")
+	}
+}
+
+func (token *oauthRefreshToken) expired() bool {
+	return time.Now().After(token.Expiry)
+}
+
+func newSessionID() sessionID {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return sessionID(base64.StdEncoding.EncodeToString(b))
+}
+
+func newSession(username string, groups []string) Session {
+	return Session{
+		SessionID: newSessionID(),
+		Username:  username,
+		Groups:    groups,
+	}
+}
+
+// getOnceOAuthRefreshToken returns the refresh token for the given session.
+//
+// The token is removed from the store after retrieval.
+func getOnceOAuthRefreshToken(claims *Session) (*oauthRefreshToken, bool) {
+	token, ok := oauthRefreshTokens.Load(string(claims.SessionID))
+	if !ok {
+		return nil, false
+	}
+	invalidateOAuthRefreshToken(claims.SessionID)
+	if token.expired() {
+		return nil, false
+	}
+	if claims.Username != token.Username {
+		return nil, false
+	}
+	return &token, true
+}
+
+func storeOAuthRefreshToken(sessionID sessionID, username, token string) {
+	oauthRefreshTokens.Store(string(sessionID), oauthRefreshToken{
+		Username:     username,
+		RefreshToken: token,
+		Expiry:       time.Now().Add(defaultRefreshTokenExpiry),
+	})
+	logging.Debug().Str("username", username).Msg("stored oauth refresh token")
+}
+
+func invalidateOAuthRefreshToken(sessionID sessionID) {
+	logging.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
+	oauthRefreshTokens.Delete(string(sessionID))
+}
+
+func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.Request, session Session) {
+	claims := &sessionClaims{
+		Session: session,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    sessionTokenIssuer,
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(common.APIJWTTokenTTL)),
+		},
+	}
+	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
+	signed, err := jwtToken.SignedString(common.APIJWTSecret)
+	if err != nil {
+		logging.Err(err).Msg("failed to sign session token")
+		return
+	}
+	setTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
+}
+
+func (auth *OIDCProvider) parseSessionJWT(sessionJWT string) (claims *sessionClaims, valid bool, err error) {
+	claims = &sessionClaims{}
+	sessionToken, err := jwt.ParseWithClaims(sessionJWT, claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return common.APIJWTSecret, nil
+	})
+	if err != nil {
+		return nil, false, err
+	}
+	return claims, sessionToken.Valid && claims.Issuer == sessionTokenIssuer, nil
+}
+
+func (auth *OIDCProvider) TryRefreshToken(w http.ResponseWriter, r *http.Request, sessionJWT string) error {
+	// verify the session cookie
+	claims, valid, err := auth.parseSessionJWT(sessionJWT)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidSessionToken, err)
+	}
+	if !valid {
+		return ErrInvalidSessionToken
+	}
+
+	// check if refresh is possible
+	refreshToken, ok := getOnceOAuthRefreshToken(&claims.Session)
+	if !ok {
+		return errNoRefreshToken
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+
+	// this step refreshes the token
+	// see https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.29.0:oauth2.go;l=313
+	newToken, err := auth.oauthConfig.TokenSource(r.Context(), &oauth2.Token{
+		RefreshToken: refreshToken.RefreshToken,
+	}).Token()
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrRefreshTokenFailure, err)
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), newToken)
+	if err != nil {
+		return err
+	}
+
+	sessionID := newSessionID()
+
+	logging.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
+	storeOAuthRefreshToken(sessionID, claims.Username, newToken.RefreshToken)
+
+	// set new idToken and new sessionToken
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+	auth.setSessionTokenCookie(w, r, Session{
+		SessionID: sessionID,
+		Username:  claims.Username,
+		Groups:    claims.Groups,
+	})
+	return nil
+}

internal/auth/oidc.go

@@ -0,0 +1,312 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"slices"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/logging"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
+	"github.com/yusing/go-proxy/internal/utils"
+	"golang.org/x/oauth2"
+)
+
+type (
+	OIDCProvider struct {
+		oauthConfig   *oauth2.Config
+		oidcProvider  *oidc.Provider
+		oidcVerifier  *oidc.IDTokenVerifier
+		endSessionURL *url.URL
+		allowedUsers  []string
+		allowedGroups []string
+	}
+
+	IDTokenClaims struct {
+		Username string   `json:"preferred_username"`
+		Groups   []string `json:"groups"`
+	}
+)
+
+const (
+	CookieOauthState        = "godoxy_oidc_state"
+	CookieOauthToken        = "godoxy_oauth_token"
+	CookieOauthSessionToken = "godoxy_session_token"
+)
+
+const (
+	OIDCAuthInitPath = "/"
+	OIDCPostAuthPath = "/auth/callback"
+	OIDCLogoutPath   = "/auth/logout"
+)
+
+var errMissingIDToken = errors.New("missing id_token field from oauth token")
+
+// generateState generates a random string for OIDC state.
+const oidcStateLength = 32
+
+func generateState() string {
+	b := make([]byte, oidcStateLength)
+	_, _ = rand.Read(b)
+	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength]
+}
+
+func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
+	if len(allowedUsers)+len(allowedGroups) == 0 {
+		return nil, errors.New("oidc.allowed_users or oidc.allowed_groups are both empty")
+	}
+	provider, err := oidc.NewProvider(context.Background(), issuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
+	endSessionURL, err := url.Parse(provider.EndSessionEndpoint())
+	if err != nil && provider.EndSessionEndpoint() != "" {
+		// non critical, just warn
+		logging.Warn().
+			Str("issuer", issuerURL).
+			Err(err).
+			Msg("failed to parse end session URL")
+	}
+
+	return &OIDCProvider{
+		oauthConfig: &oauth2.Config{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			RedirectURL:  "",
+			Endpoint:     provider.Endpoint(),
+			Scopes:       common.OIDCScopes,
+		},
+		oidcProvider: provider,
+		oidcVerifier: provider.Verifier(&oidc.Config{
+			ClientID: clientID,
+		}),
+		endSessionURL: endSessionURL,
+		allowedUsers:  allowedUsers,
+		allowedGroups: allowedGroups,
+	}, nil
+}
+
+// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
+func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
+	return NewOIDCProvider(
+		common.OIDCIssuerURL,
+		common.OIDCClientID,
+		common.OIDCClientSecret,
+		common.OIDCAllowedUsers,
+		common.OIDCAllowedGroups,
+	)
+}
+
+func (auth *OIDCProvider) SetAllowedUsers(users []string) {
+	auth.allowedUsers = users
+}
+
+func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
+	auth.allowedGroups = groups
+}
+
+// optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
+// parameter of the authorization URL to the post auth path of the current
+// request host.
+func optRedirectPostAuth(r *http.Request) oauth2.AuthCodeOption {
+	return oauth2.SetAuthURLParam("redirect_uri", "https://"+requestHost(r)+OIDCPostAuthPath)
+}
+
+func (auth *OIDCProvider) getIdToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
+	idTokenJWT, ok := oauthToken.Extra("id_token").(string)
+	if !ok {
+		return "", nil, errMissingIDToken
+	}
+	idToken, err := auth.oidcVerifier.Verify(ctx, idTokenJWT)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to verify ID token: %w", err)
+	}
+	return idTokenJWT, idToken, nil
+}
+
+func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case OIDCAuthInitPath:
+		auth.LoginHandler(w, r)
+	case OIDCPostAuthPath:
+		auth.PostAuthCallbackHandler(w, r)
+	case OIDCLogoutPath:
+		auth.LogoutHandler(w, r)
+	default:
+		http.Redirect(w, r, OIDCAuthInitPath, http.StatusFound)
+	}
+}
+
+func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	// check for session token
+	sessionToken, err := r.Cookie(CookieOauthSessionToken)
+	if err == nil {
+		err = auth.TryRefreshToken(w, r, sessionToken.Value)
+		if err != nil {
+			logging.Debug().Err(err).Msg("failed to refresh token")
+			auth.clearCookie(w, r)
+		}
+		http.Redirect(w, r, "/", http.StatusFound)
+		return
+	}
+
+	state := generateState()
+	setTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
+	// redirect user to Idp
+	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
+}
+
+func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
+	var claim IDTokenClaims
+	if err := idToken.Claims(&claim); err != nil {
+		return nil, fmt.Errorf("failed to parse claims: %w", err)
+	}
+	if claim.Username == "" {
+		return nil, fmt.Errorf("missing username in ID token")
+	}
+	return &claim, nil
+}
+
+func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
+	userAllowed := slices.Contains(auth.allowedUsers, user)
+	if !userAllowed {
+		return false
+	}
+	if len(auth.allowedGroups) == 0 {
+		return true
+	}
+	return len(utils.Intersect(groups, auth.allowedGroups)) > 0
+}
+
+func (auth *OIDCProvider) CheckToken(r *http.Request) error {
+	tokenCookie, err := r.Cookie(CookieOauthToken)
+	if err != nil {
+		return ErrMissingOAuthToken
+	}
+
+	idToken, err := auth.oidcVerifier.Verify(r.Context(), tokenCookie.Value)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	claims, err := parseClaims(idToken)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
+	}
+
+	if !auth.checkAllowed(claims.Username, claims.Groups) {
+		return ErrUserNotAllowed
+	}
+	return nil
+}
+
+func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+	// For testing purposes, skip provider verification
+	if common.IsTest {
+		auth.handleTestCallback(w, r)
+		return
+	}
+
+	// verify state
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	code := r.URL.Query().Get("code")
+	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code, optRedirectPostAuth(r))
+	if err != nil {
+		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
+		return
+	}
+
+	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), oauth2Token)
+	if err != nil {
+		gphttp.ServerError(w, r, err)
+		return
+	}
+
+	if oauth2Token.RefreshToken != "" {
+		claims, err := parseClaims(idToken)
+		if err != nil {
+			gphttp.ServerError(w, r, err)
+			return
+		}
+		session := newSession(claims.Username, claims.Groups)
+		storeOAuthRefreshToken(session.SessionID, claims.Username, oauth2Token.RefreshToken)
+		auth.setSessionTokenCookie(w, r, session)
+	}
+	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
+
+	// Redirect to home page
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	oauthToken, _ := r.Cookie(CookieOauthToken)
+	sessionToken, _ := r.Cookie(CookieOauthSessionToken)
+	auth.clearCookie(w, r)
+
+	if sessionToken != nil {
+		claims, _, err := auth.parseSessionJWT(sessionToken.Value)
+		if err == nil {
+			invalidateOAuthRefreshToken(claims.SessionID)
+		}
+	}
+
+	url := "/"
+	if auth.endSessionURL != nil && oauthToken != nil {
+		query := auth.endSessionURL.Query()
+		query.Set("id_token_hint", oauthToken.Value)
+		query.Set("post_logout_redirect_uri", "https://"+requestHost(r))
+
+		clone := *auth.endSessionURL
+		clone.RawQuery = query.Encode()
+		url = clone.String()
+	} else if auth.endSessionURL != nil {
+		url = auth.endSessionURL.String()
+	}
+
+	http.Redirect(w, r, url, http.StatusFound)
+}
+
+func (auth *OIDCProvider) setIDTokenCookie(w http.ResponseWriter, r *http.Request, jwt string, ttl time.Duration) {
+	setTokenCookie(w, r, CookieOauthToken, jwt, ttl)
+}
+
+func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
+	clearTokenCookie(w, r, CookieOauthToken)
+	clearTokenCookie(w, r, CookieOauthSessionToken)
+}
+
+// handleTestCallback handles OIDC callback in test environment.
+func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
+	state, err := r.Cookie(CookieOauthState)
+	if err != nil {
+		gphttp.BadRequest(w, "missing state cookie")
+		return
+	}
+
+	if r.URL.Query().Get("state") != state.Value {
+		gphttp.BadRequest(w, "invalid oauth state")
+		return
+	}
+
+	// Create test JWT token
+	setTokenCookie(w, r, CookieOauthToken, "test", time.Hour)
+
+	http.Redirect(w, r, "/", http.StatusFound)
+}

internal/auth/oidc_test.go

@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -35,7 +36,8 @@ func setupMockOIDC(t *testing.T) {
 			},
 			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 		},
-		oidcProvider: provider,
+		endSessionURL: Must(url.Parse("http://mock-provider/logout")),
+		oidcProvider:  provider,
 		oidcVerifier: provider.Verifier(&oidc.Config{
 			ClientID: "test-client",
 		}),
@@ -148,17 +150,17 @@ func TestOIDCLoginHandler(t *testing.T) {
 	}{
 		{
 			name:         "Success - Redirects to provider",
-			wantStatus:   http.StatusTemporaryRedirect,
+			wantStatus:   http.StatusFound,
 			wantRedirect: true,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/auth/redirect", nil)
+			req := httptest.NewRequest(http.MethodGet, OIDCAuthInitPath, nil)
 			w := httptest.NewRecorder()
 
-			defaultAuth.RedirectLoginPage(w, req)
+			defaultAuth.(*OIDCProvider).HandleAuth(w, req)
 
 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCLoginHandler() status = %v, want %v", got, tt.wantStatus)
@@ -194,7 +196,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			state:      "valid-state",
 			code:       "valid-code",
 			setupMocks: true,
-			wantStatus: http.StatusTemporaryRedirect,
+			wantStatus: http.StatusFound,
 		},
 		{
 			name:       "Failure - Missing state",
@@ -219,7 +221,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 			}
 			w := httptest.NewRecorder()
 
-			defaultAuth.LoginCallbackHandler(w, req)
+			defaultAuth.(*OIDCProvider).PostAuthCallbackHandler(w, req)
 
 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCCallbackHandler() status = %v, want %v", got, tt.wantStatus)
@@ -227,7 +229,7 @@ func TestOIDCCallbackHandler(t *testing.T) {
 
 			if tt.wantStatus == http.StatusTemporaryRedirect {
 				setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
-				ExpectEqual(t, setCookie.Name, defaultAuth.TokenCookieName())
+				ExpectEqual(t, setCookie.Name, CookieOauthToken)
 				ExpectTrue(t, setCookie.Value != "")
 				ExpectEqual(t, setCookie.Path, "/")
 				ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
@@ -270,7 +272,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:    server.URL,
 			clientID:     "client_id",
 			clientSecret: "client_secret",
-			redirectURL:  "https://example.com/callback",
 			allowedUsers: []string{"user1", "user2"},
 			wantErr:      false,
 		},
@@ -279,7 +280,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
-			redirectURL:   "https://example.com/callback",
 			allowedGroups: []string{"group1", "group2"},
 			wantErr:       false,
 		},
@@ -288,7 +288,6 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
-			redirectURL:   "https://example.com/callback",
 			logoutURL:     "https://example.com/logout",
 			allowedUsers:  []string{"user1", "user2"},
 			allowedGroups: []string{"group1", "group2"},
@@ -299,14 +298,13 @@ func TestInitOIDC(t *testing.T) {
 			issuerURL:    "https://example.com",
 			clientID:     "client_id",
 			clientSecret: "client_secret",
-			redirectURL:  "https://example.com/callback",
 			wantErr:      true,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.redirectURL, tt.logoutURL, tt.allowedUsers, tt.allowedGroups)
+			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.allowedUsers, tt.allowedGroups)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("InitOIDC() error = %v, wantErr %v", err, tt.wantErr)
 			}
@@ -400,7 +398,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns incorrect audience",
@@ -411,7 +409,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns expired token",
@@ -422,7 +420,7 @@ func TestCheckToken(t *testing.T) {
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
-			wantErr: ErrInvalidToken,
+			wantErr: ErrInvalidOAuthToken,
 		},
 	}
 	for _, tc := range tests {
@@ -438,7 +436,7 @@ func TestCheckToken(t *testing.T) {
 			// Craft a test HTTP request that includes the token as a cookie.
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
 			req.AddCookie(&http.Cookie{
-				Name:  auth.TokenCookieName(),
+				Name:  CookieOauthToken,
 				Value: signedToken,
 			})
 
@@ -452,3 +450,35 @@ func TestCheckToken(t *testing.T) {
 		})
 	}
 }
+
+func TestLogoutHandler(t *testing.T) {
+	t.Helper()
+
+	setupMockOIDC(t)
+
+	req := httptest.NewRequest(http.MethodGet, OIDCLogoutPath, nil)
+	w := httptest.NewRecorder()
+
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthToken,
+		Value: "test-token",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  CookieOauthSessionToken,
+		Value: "test-session-token",
+	})
+
+	defaultAuth.(*OIDCProvider).LogoutHandler(w, req)
+
+	if got := w.Code; got != http.StatusFound {
+		t.Errorf("LogoutHandler() status = %v, want %v", got, http.StatusFound)
+	}
+
+	if got := w.Header().Get("Location"); got == "" {
+		t.Error("LogoutHandler() missing redirect location")
+	}
+
+	if len(w.Header().Values("Set-Cookie")) != 2 {
+		t.Error("LogoutHandler() did not clear all cookies")
+	}
+}

internal/auth/provider.go

@@ -0,0 +1,10 @@
+package auth
+
+import "net/http"
+
+type Provider interface {
+	CheckToken(r *http.Request) error
+	LoginHandler(w http.ResponseWriter, r *http.Request)
+	PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request)
+	LogoutHandler(w http.ResponseWriter, r *http.Request)
+}

internal/auth/userpass.go

@@ -7,16 +7,16 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 	"golang.org/x/crypto/bcrypt"
 )
 
 var (
-	ErrInvalidUsername = E.New("invalid username")
-	ErrInvalidPassword = E.New("invalid password")
+	ErrInvalidUsername = gperr.New("invalid username")
+	ErrInvalidPassword = gperr.New("invalid password")
 )
 
 type (
@@ -76,7 +76,7 @@ func (auth *UserPassAuth) NewToken() (token string, err error) {
 func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	jwtCookie, err := r.Cookie(auth.TokenCookieName())
 	if err != nil {
-		return ErrMissingToken
+		return ErrMissingSessionToken
 	}
 	var claims UserPassClaims
 	token, err := jwt.ParseWithClaims(jwtCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
@@ -90,46 +90,46 @@ func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	}
 	switch {
 	case !token.Valid:
-		return ErrInvalidToken
+		return ErrInvalidSessionToken
 	case claims.Username != auth.username:
 		return ErrUserNotAllowed.Subject(claims.Username)
 	case claims.ExpiresAt.Before(time.Now()):
-		return E.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
+		return gperr.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
 	}
 
 	return nil
 }
 
-func (auth *UserPassAuth) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
-}
-
-func (auth *UserPassAuth) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
+func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	var creds struct {
 		User string `json:"username"`
 		Pass string `json:"password"`
 	}
 	err := json.NewDecoder(r.Body).Decode(&creds)
 	if err != nil {
-		U.HandleErr(w, r, err, http.StatusBadRequest)
+		gphttp.Unauthorized(w, "invalid credentials")
 		return
 	}
 	if err := auth.validatePassword(creds.User, creds.Pass); err != nil {
-		U.LogError(r).Err(err).Msg("auth: invalid credentials")
-		U.RespondError(w, E.New("invalid credentials"), http.StatusUnauthorized)
+		gphttp.Unauthorized(w, "invalid credentials")
 		return
 	}
 	token, err := auth.NewToken()
 	if err != nil {
-		U.HandleErr(w, r, err, http.StatusInternalServerError)
+		gphttp.ServerError(w, r, err)
 		return
 	}
 	setTokenCookie(w, r, auth.TokenCookieName(), token, auth.tokenTTL)
 	w.WriteHeader(http.StatusOK)
 }
 
-func (auth *UserPassAuth) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	DefaultLogoutCallbackHandler(auth, w, r)
+func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	http.Redirect(w, r, "/login", http.StatusFound) // redirects to WebUI login page
+}
+
+func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	clearTokenCookie(w, r, auth.TokenCookieName())
+	http.Redirect(w, r, "/", http.StatusFound)
 }
 
 func (auth *UserPassAuth) validatePassword(user, pass string) error {

internal/auth/userpass_test.go

@@ -98,7 +98,7 @@ func TestUserPassLoginCallbackHandler(t *testing.T) {
 			Host: "app.example.com",
 			Body: io.NopCloser(bytes.NewReader(Must(json.Marshal(tt.creds)))),
 		}
-		auth.LoginCallbackHandler(w, req)
+		auth.LoginHandler(w, req)
 		if tt.wantErr {
 			ExpectEqual(t, w.Code, http.StatusUnauthorized)
 		} else {

internal/auth/utils.go

@@ -0,0 +1,72 @@
+package auth
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/yusing/go-proxy/internal/common"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+var (
+	ErrMissingOAuthToken   = gperr.New("missing oauth token")
+	ErrMissingSessionToken = gperr.New("missing session token")
+	ErrInvalidOAuthToken   = gperr.New("invalid oauth token")
+	ErrInvalidSessionToken = gperr.New("invalid session token")
+	ErrUserNotAllowed      = gperr.New("user not allowed")
+)
+
+func requestHost(r *http.Request) string {
+	// check if it's from backend
+	switch r.Host {
+	case common.APIHTTPAddr:
+		// use XFH
+		return r.Header.Get("X-Forwarded-Host")
+	default:
+		return r.Host
+	}
+}
+
+// cookieDomain returns the fully qualified domain name of the request host
+// with subdomain stripped.
+//
+// If the request host does not have a subdomain,
+// an empty string is returned
+//
+//	"abc.example.com" -> ".example.com" (cross subdomain)
+//	"example.com" -> "" (same domain only)
+func cookieDomain(r *http.Request) string {
+	parts := strutils.SplitRune(requestHost(r), '.')
+	if len(parts) < 2 {
+		return ""
+	}
+	parts[0] = ""
+	return strutils.JoinRune(parts, '.')
+}
+
+func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    value,
+		MaxAge:   int(ttl.Seconds()),
+		Domain:   cookieDomain(r),
+		HttpOnly: true,
+		Secure:   common.APIJWTSecure,
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+}
+
+func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		Domain:   cookieDomain(r),
+		HttpOnly: true,
+		Secure:   common.APIJWTSecure,
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+}

internal/autocert/config.go

@@ -10,37 +10,39 @@ import (
 
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/lego"
-	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
-type (
-	AutocertConfig struct {
-		Email       string      `json:"email,omitempty"`
-		Domains     []string    `json:"domains,omitempty"`
-		CertPath    string      `json:"cert_path,omitempty"`
-		KeyPath     string      `json:"key_path,omitempty"`
-		ACMEKeyPath string      `json:"acme_key_path,omitempty"`
-		Provider    string      `json:"provider,omitempty"`
-		Options     ProviderOpt `json:"options,omitempty"`
-	}
-	ProviderOpt map[string]any
-)
+type Config struct {
+	Email       string         `json:"email,omitempty"`
+	Domains     []string       `json:"domains,omitempty"`
+	CertPath    string         `json:"cert_path,omitempty"`
+	KeyPath     string         `json:"key_path,omitempty"`
+	ACMEKeyPath string         `json:"acme_key_path,omitempty"`
+	Provider    string         `json:"provider,omitempty"`
+	Options     map[string]any `json:"options,omitempty"`
+}
 
 var (
-	ErrMissingDomain   = E.New("missing field 'domains'")
-	ErrMissingEmail    = E.New("missing field 'email'")
-	ErrMissingProvider = E.New("missing field 'provider'")
-	ErrInvalidDomain   = E.New("invalid domain")
-	ErrUnknownProvider = E.New("unknown provider")
+	ErrMissingDomain   = gperr.New("missing field 'domains'")
+	ErrMissingEmail    = gperr.New("missing field 'email'")
+	ErrMissingProvider = gperr.New("missing field 'provider'")
+	ErrInvalidDomain   = gperr.New("invalid domain")
+	ErrUnknownProvider = gperr.New("unknown provider")
+)
+
+const (
+	ProviderLocal  = "local"
+	ProviderPseudo = "pseudo"
 )
 
 var domainOrWildcardRE = regexp.MustCompile(`^\*?([^.]+\.)+[^.]+$`)
 
 // Validate implements the utils.CustomValidator interface.
-func (cfg *AutocertConfig) Validate() E.Error {
+func (cfg *Config) Validate() gperr.Error {
 	if cfg == nil {
 		return nil
 	}
@@ -50,8 +52,8 @@ func (cfg *AutocertConfig) Validate() E.Error {
 		return nil
 	}
 
-	b := E.NewBuilder("autocert errors")
-	if cfg.Provider != ProviderLocal {
+	b := gperr.NewBuilder("autocert errors")
+	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
 		if len(cfg.Domains) == 0 {
 			b.Add(ErrMissingDomain)
 		}
@@ -64,11 +66,11 @@ func (cfg *AutocertConfig) Validate() E.Error {
 			}
 		}
 		// check if provider is implemented
-		providerConstructor, ok := providersGenMap[cfg.Provider]
+		providerConstructor, ok := Providers[cfg.Provider]
 		if !ok {
 			b.Add(ErrUnknownProvider.
 				Subject(cfg.Provider).
-				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, providersGenMap))))
+				Withf(strutils.DoYouMean(utils.NearestField(cfg.Provider, Providers))))
 		} else {
 			_, err := providerConstructor(cfg.Options)
 			if err != nil {
@@ -79,13 +81,9 @@ func (cfg *AutocertConfig) Validate() E.Error {
 	return b.Error()
 }
 
-func (cfg *AutocertConfig) GetProvider() (*Provider, E.Error) {
-	if cfg == nil {
-		cfg = new(AutocertConfig)
-	}
-
+func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 	if err := cfg.Validate(); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if cfg.CertPath == "" {
@@ -101,36 +99,32 @@ func (cfg *AutocertConfig) GetProvider() (*Provider, E.Error) {
 	var privKey *ecdsa.PrivateKey
 	var err error
 
-	if cfg.Provider != ProviderLocal {
-		if privKey, err = cfg.loadACMEKey(); err != nil {
+	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
+		if privKey, err = cfg.LoadACMEKey(); err != nil {
 			logging.Info().Err(err).Msg("load ACME private key failed")
 			logging.Info().Msg("generate new ACME private key")
 			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			if err != nil {
-				return nil, E.New("generate ACME private key").With(err)
+				return nil, nil, gperr.New("generate ACME private key").With(err)
 			}
-			if err = cfg.saveACMEKey(privKey); err != nil {
-				return nil, E.New("save ACME private key").With(err)
+			if err = cfg.SaveACMEKey(privKey); err != nil {
+				return nil, nil, gperr.New("save ACME private key").With(err)
 			}
 		}
 	}
 
 	user := &User{
 		Email: cfg.Email,
-		key:   privKey,
+		Key:   privKey,
 	}
 
 	legoCfg := lego.NewConfig(user)
 	legoCfg.Certificate.KeyType = certcrypto.RSA2048
 
-	return &Provider{
-		cfg:     cfg,
-		user:    user,
-		legoCfg: legoCfg,
-	}, nil
+	return user, legoCfg, nil
 }
 
-func (cfg *AutocertConfig) loadACMEKey() (*ecdsa.PrivateKey, error) {
+func (cfg *Config) LoadACMEKey() (*ecdsa.PrivateKey, error) {
 	data, err := os.ReadFile(cfg.ACMEKeyPath)
 	if err != nil {
 		return nil, err
@@ -138,7 +132,7 @@ func (cfg *AutocertConfig) loadACMEKey() (*ecdsa.PrivateKey, error) {
 	return x509.ParseECPrivateKey(data)
 }
 
-func (cfg *AutocertConfig) saveACMEKey(key *ecdsa.PrivateKey) error {
+func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
 	data, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		return err

internal/autocert/constants.go

@@ -1,34 +0,0 @@
-package autocert
-
-import (
-	"github.com/go-acme/lego/v4/providers/dns/clouddns"
-	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
-	"github.com/go-acme/lego/v4/providers/dns/duckdns"
-	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	"github.com/go-acme/lego/v4/providers/dns/porkbun"
-)
-
-const (
-	certBasePath       = "certs/"
-	CertFileDefault    = certBasePath + "cert.crt"
-	KeyFileDefault     = certBasePath + "priv.key"
-	ACMEKeyFileDefault = certBasePath + "acme.key"
-)
-
-const (
-	ProviderLocal      = "local"
-	ProviderCloudflare = "cloudflare"
-	ProviderClouddns   = "clouddns"
-	ProviderDuckdns    = "duckdns"
-	ProviderOVH        = "ovh"
-	ProviderPorkbun    = "porkbun"
-)
-
-var providersGenMap = map[string]ProviderGenerator{
-	ProviderLocal:      providerGenerator(NewDummyDefaultConfig, NewDummyDNSProviderConfig),
-	ProviderCloudflare: providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
-	ProviderClouddns:   providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
-	ProviderDuckdns:    providerGenerator(duckdns.NewDefaultConfig, duckdns.NewDNSProviderConfig),
-	ProviderOVH:        providerGenerator(ovh.NewDefaultConfig, ovh.NewDNSProviderConfig),
-	ProviderPorkbun:    providerGenerator(porkbun.NewDefaultConfig, porkbun.NewDNSProviderConfig),
-}

internal/autocert/paths.go

@@ -0,0 +1,8 @@
+package autocert
+
+const (
+	certBasePath       = "certs/"
+	CertFileDefault    = certBasePath + "cert.crt"
+	KeyFileDefault     = certBasePath + "priv.key"
+	ACMEKeyFileDefault = certBasePath + "acme.key"
+)

internal/autocert/provider.go

@@ -4,26 +4,26 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
+	"fmt"
 	"os"
 	"path"
 	"reflect"
 	"sort"
+	"sync"
 	"time"
 
 	"github.com/go-acme/lego/v4/certificate"
-	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
-	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/task"
-	U "github.com/yusing/go-proxy/internal/utils"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
 type (
 	Provider struct {
-		cfg     *AutocertConfig
+		cfg     *Config
 		user    *User
 		legoCfg *lego.Config
 		client  *lego.Client
@@ -31,14 +31,23 @@ type (
 		legoCert     *certificate.Resource
 		tlsCert      *tls.Certificate
 		certExpiries CertExpiries
+
+		obtainMu sync.Mutex
 	}
-	ProviderGenerator func(ProviderOpt) (challenge.Provider, E.Error)
 
 	CertExpiries map[string]time.Time
 )
 
 var ErrGetCertFailure = errors.New("get certificate failed")
 
+func NewProvider(cfg *Config, user *User, legoCfg *lego.Config) *Provider {
+	return &Provider{
+		cfg:     cfg,
+		user:    user,
+		legoCfg: legoCfg,
+	}
+}
+
 func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if p.tlsCert == nil {
 		return nil, ErrGetCertFailure
@@ -62,11 +71,22 @@ func (p *Provider) GetExpiries() CertExpiries {
 	return p.certExpiries
 }
 
-func (p *Provider) ObtainCert() E.Error {
+func (p *Provider) ObtainCert() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}
 
+	if p.cfg.Provider == ProviderPseudo {
+		t := time.NewTicker(1000 * time.Millisecond)
+		defer t.Stop()
+		logging.Info().Msg("init client for pseudo provider")
+		<-t.C
+		logging.Info().Msg("registering acme for pseudo provider")
+		<-t.C
+		logging.Info().Msg("obtained cert for pseudo provider")
+		return nil
+	}
+
 	if p.client == nil {
 		if err := p.initClient(); err != nil {
 			return err
@@ -75,7 +95,7 @@ func (p *Provider) ObtainCert() E.Error {
 
 	if p.user.Registration == nil {
 		if err := p.registerACME(); err != nil {
-			return E.From(err)
+			return err
 		}
 	}
 
@@ -100,22 +120,22 @@ func (p *Provider) ObtainCert() E.Error {
 			Bundle:  true,
 		})
 		if err != nil {
-			return E.From(err)
+			return err
 		}
 	}
 
 	if err = p.saveCert(cert); err != nil {
-		return E.From(err)
+		return err
 	}
 
 	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
 	if err != nil {
-		return E.From(err)
+		return err
 	}
 
 	expiries, err := getCertExpiries(&tlsCert)
 	if err != nil {
-		return E.From(err)
+		return err
 	}
 	p.tlsCert = &tlsCert
 	p.certExpiries = expiries
@@ -123,14 +143,14 @@ func (p *Provider) ObtainCert() E.Error {
 	return nil
 }
 
-func (p *Provider) LoadCert() E.Error {
+func (p *Provider) LoadCert() error {
 	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
 	if err != nil {
-		return E.Errorf("load SSL certificate: %w", err)
+		return fmt.Errorf("load SSL certificate: %w", err)
 	}
 	expiries, err := getCertExpiries(&cert)
 	if err != nil {
-		return E.Errorf("parse SSL certificate: %w", err)
+		return fmt.Errorf("parse SSL certificate: %w", err)
 	}
 	p.tlsCert = &cert
 	p.certExpiries = expiries
@@ -149,7 +169,7 @@ func (p *Provider) ShouldRenewOn() time.Time {
 }
 
 func (p *Provider) ScheduleRenewal(parent task.Parent) {
-	if p.GetName() == ProviderLocal {
+	if p.GetName() == ProviderLocal || p.GetName() == ProviderPseudo {
 		return
 	}
 	go func() {
@@ -171,7 +191,7 @@ func (p *Provider) ScheduleRenewal(parent task.Parent) {
 					continue
 				}
 				if err := p.renewIfNeeded(); err != nil {
-					E.LogWarn("cert renew failed", err)
+					gperr.LogWarn("cert renew failed", err)
 					lastErrOn = time.Now()
 					continue
 				}
@@ -184,13 +204,13 @@ func (p *Provider) ScheduleRenewal(parent task.Parent) {
 	}()
 }
 
-func (p *Provider) initClient() E.Error {
+func (p *Provider) initClient() error {
 	legoClient, err := lego.NewClient(p.legoCfg)
 	if err != nil {
-		return E.From(err)
+		return err
 	}
 
-	generator := providersGenMap[p.cfg.Provider]
+	generator := Providers[p.cfg.Provider]
 	legoProvider, pErr := generator(p.cfg.Options)
 	if pErr != nil {
 		return pErr
@@ -198,7 +218,7 @@ func (p *Provider) initClient() E.Error {
 
 	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
 	if err != nil {
-		return E.From(err)
+		return err
 	}
 
 	p.client = legoClient
@@ -273,7 +293,7 @@ func (p *Provider) certState() CertState {
 	return CertStateValid
 }
 
-func (p *Provider) renewIfNeeded() E.Error {
+func (p *Provider) renewIfNeeded() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}
@@ -307,18 +327,3 @@ func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
 	}
 	return r, nil
 }
-
-func providerGenerator[CT any, PT challenge.Provider](
-	defaultCfg func() *CT,
-	newProvider func(*CT) (PT, error),
-) ProviderGenerator {
-	return func(opt ProviderOpt) (challenge.Provider, E.Error) {
-		cfg := defaultCfg()
-		err := U.Deserialize(opt, &cfg)
-		if err != nil {
-			return nil, err
-		}
-		p, pErr := newProvider(cfg)
-		return p, E.From(pErr)
-	}
-}

internal/autocert/provider_test/ovh_test.go

@@ -4,9 +4,9 @@ import (
 	"testing"
 
 	"github.com/go-acme/lego/v4/providers/dns/ovh"
-	U "github.com/yusing/go-proxy/internal/utils"
-	. "github.com/yusing/go-proxy/internal/utils/testing"
-	"gopkg.in/yaml.v3"
+	"github.com/goccy/go-yaml"
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/go-proxy/internal/utils"
 )
 
 // type Config struct {
@@ -44,7 +44,7 @@ oauth2_config:
 	}
 	testYaml = testYaml[1:] // remove first \n
 	opt := make(map[string]any)
-	ExpectNoError(t, yaml.Unmarshal([]byte(testYaml), opt))
-	ExpectNoError(t, U.Deserialize(opt, cfg))
-	ExpectDeepEqual(t, cfg, cfgExpected)
+	require.NoError(t, yaml.Unmarshal([]byte(testYaml), &opt))
+	require.NoError(t, utils.Deserialize(opt, cfg))
+	require.Equal(t, cfg, cfgExpected)
 }

internal/autocert/providers.go

@@ -0,0 +1,26 @@
+package autocert
+
+import (
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/utils"
+)
+
+type Generator func(map[string]any) (challenge.Provider, gperr.Error)
+
+var Providers = make(map[string]Generator)
+
+func DNSProvider[CT any, PT challenge.Provider](
+	defaultCfg func() *CT,
+	newProvider func(*CT) (PT, error),
+) Generator {
+	return func(opt map[string]any) (challenge.Provider, gperr.Error) {
+		cfg := defaultCfg()
+		err := utils.Deserialize(opt, &cfg)
+		if err != nil {
+			return nil, err
+		}
+		p, pErr := newProvider(cfg)
+		return p, gperr.Wrap(pErr)
+	}
+}

internal/autocert/setup.go

@@ -1,16 +1,16 @@
 package autocert
 
 import (
+	"errors"
 	"os"
 
-	E "github.com/yusing/go-proxy/internal/error"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 
-func (p *Provider) Setup() (err E.Error) {
+func (p *Provider) Setup() (err error) {
 	if err = p.LoadCert(); err != nil {
-		if !err.Is(os.ErrNotExist) { // ignore if cert doesn't exist
+		if !errors.Is(err, os.ErrNotExist) { // ignore if cert doesn't exist
 			return err
 		}
 		logging.Debug().Msg("obtaining cert due to error loading cert")

internal/autocert/types/provider.go

@@ -0,0 +1,14 @@
+package autocert
+
+import (
+	"crypto/tls"
+
+	"github.com/yusing/go-proxy/internal/task"
+)
+
+type Provider interface {
+	Setup() error
+	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
+	ScheduleRenewal(task.Parent)
+	ObtainCert() error
+}

internal/autocert/user.go

@@ -9,7 +9,7 @@ import (
 type User struct {
 	Email        string
 	Registration *registration.Resource
-	key          crypto.PrivateKey
+	Key          crypto.PrivateKey
 }
 
 func (u *User) GetEmail() string {
@@ -21,5 +21,5 @@ func (u *User) GetRegistration() *registration.Resource {
 }
 
 func (u *User) GetPrivateKey() crypto.PrivateKey {
-	return u.key
+	return u.Key
 }

internal/common/args.go

@@ -1,15 +1,5 @@
 package common
 
-import (
-	"flag"
-	"fmt"
-	"log"
-)
-
-type Args struct {
-	Command string
-}
-
 const (
 	CommandStart              = ""
 	CommandValidate           = "validate"
@@ -22,33 +12,20 @@ const (
 	CommandDebugListMTrace    = "debug-ls-mtrace"
 )
 
-var ValidCommands = []string{
-	CommandStart,
-	CommandValidate,
-	CommandListConfigs,
-	CommandListRoutes,
-	CommandListIcons,
-	CommandReload,
-	CommandDebugListEntries,
-	CommandDebugListProviders,
-	CommandDebugListMTrace,
-}
+type MainServerCommandValidator struct{}
 
-func validateArg(arg string) error {
-	for _, v := range ValidCommands {
-		if arg == v {
-			return nil
-		}
+func (v MainServerCommandValidator) IsCommandValid(cmd string) bool {
+	switch cmd {
+	case CommandStart,
+		CommandValidate,
+		CommandListConfigs,
+		CommandListRoutes,
+		CommandListIcons,
+		CommandReload,
+		CommandDebugListEntries,
+		CommandDebugListProviders,
+		CommandDebugListMTrace:
+		return true
 	}
-	return fmt.Errorf("invalid command %q", arg)
-}
-
-func GetArgs() Args {
-	var args Args
-	flag.Parse()
-	args.Command = flag.Arg(0)
-	if err := validateArg(args.Command); err != nil {
-		log.Fatalf("invalid command: %s", err)
-	}
-	return args
+	return false
 }

internal/common/constants.go

@@ -4,31 +4,30 @@ import (
 	"time"
 )
 
-const (
-	ConnectionTimeout = 5 * time.Second
-	DialTimeout       = 3 * time.Second
-	KeepAlive         = 60 * time.Second
-)
-
 // file, folder structure
 
 const (
 	DotEnvPath        = ".env"
 	DotEnvExamplePath = ".env.example"
 
-	ConfigBasePath         = "config"
-	ConfigFileName         = "config.yml"
-	ConfigExampleFileName  = "config.example.yml"
-	ConfigPath             = ConfigBasePath + "/" + ConfigFileName
-	HomepageJSONConfigPath = ConfigBasePath + "/.homepage.json"
-	IconListCachePath      = ConfigBasePath + "/.icon_list_cache.json"
-	IconCachePath          = ConfigBasePath + "/.icon_cache.json"
+	ConfigBasePath        = "config"
+	ConfigFileName        = "config.yml"
+	ConfigExampleFileName = "config.example.yml"
+	ConfigPath            = ConfigBasePath + "/" + ConfigFileName
+
+	IconListCachePath = ConfigBasePath + "/.icon_list_cache.json"
+	IconCachePath     = ConfigBasePath + "/.icon_cache.json"
+
+	NamespaceHomepageOverrides = ".homepage"
+	NamespaceIconCache         = ".icon_cache"
 
 	MiddlewareComposeBasePath = ConfigBasePath + "/middlewares"
 
 	ComposeFileName        = "compose.yml"
 	ComposeExampleFileName = "compose.example.yml"
 
+	DataDir = "data"
+
 	ErrorPagesBasePath = "error_pages"
 )
 
@@ -44,9 +43,7 @@ const (
 	HealthCheckIntervalDefault = 5 * time.Second
 	HealthCheckTimeoutDefault  = 5 * time.Second
 
-	WakeTimeoutDefault = "30s"
-	StopTimeoutDefault = "30s"
+	WakeTimeoutDefault = "3m"
+	StopTimeoutDefault = "3m"
 	StopMethodDefault  = "stop"
 )
-
-const HeaderCheckRedirect = "X-Goproxy-Check-Redirect"

internal/common/crypto.go

@@ -1,6 +1,7 @@
 package common
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 
 	"github.com/rs/zerolog/log"
@@ -12,7 +13,16 @@ func decodeJWTKey(key string) []byte {
 	}
 	bytes, err := base64.StdEncoding.DecodeString(key)
 	if err != nil {
-		log.Panic().Err(err).Msg("failed to decode jwt key")
+		log.Fatal().Str("key", key).Err(err).Msg("failed to decode secret")
 	}
 	return bytes
 }
+
+func RandomJWTKey() []byte {
+	key := make([]byte, 32)
+	_, err := rand.Read(key)
+	if err != nil {
+		log.Fatal().Err(err).Msg("failed to generate random jwt key")
+	}
+	return key
+}

internal/common/env.go

@@ -15,13 +15,11 @@ import (
 var (
 	prefixes = []string{"GODOXY_", "GOPROXY_", ""}
 
-	IsTest       = GetEnvBool("TEST", false) || strings.HasSuffix(os.Args[0], ".test")
-	IsDebug      = GetEnvBool("DEBUG", IsTest)
-	IsTrace      = GetEnvBool("TRACE", false) && IsDebug
-	IsProduction = !IsTest && !IsDebug
+	IsTest  = GetEnvBool("TEST", false) || strings.HasSuffix(os.Args[0], ".test")
+	IsDebug = GetEnvBool("DEBUG", IsTest)
+	IsTrace = GetEnvBool("TRACE", false) && IsDebug
 
-	EnableLogStreaming = GetEnvBool("LOG_STREAMING", true)
-	DebugMemLogger     = GetEnvBool("DEBUG_MEM_LOGGER", false) && EnableLogStreaming
+	HTTP3Enabled = GetEnvBool("HTTP3_ENABLED", true)
 
 	ProxyHTTPAddr,
 	ProxyHTTPHost,
@@ -38,22 +36,28 @@ var (
 	APIHTTPPort,
 	APIHTTPURL = GetAddrEnv("API_ADDR", "127.0.0.1:8888", "http")
 
-	PrometheusEnabled = GetEnvBool("PROMETHEUS_ENABLED", false)
-
+	APIJWTSecure   = GetEnvBool("API_JWT_SECURE", true)
 	APIJWTSecret   = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
-	APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
+	APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", 24*time.Hour)
 	APIUser        = GetEnvString("API_USER", "admin")
 	APIPassword    = GetEnvString("API_PASSWORD", "password")
 
+	DebugDisableAuth = GetEnvBool("DEBUG_DISABLE_AUTH", false)
+
 	// OIDC Configuration.
 	OIDCIssuerURL     = GetEnvString("OIDC_ISSUER_URL", "")
-	OIDCLogoutURL     = GetEnvString("OIDC_LOGOUT_URL", "")
 	OIDCClientID      = GetEnvString("OIDC_CLIENT_ID", "")
 	OIDCClientSecret  = GetEnvString("OIDC_CLIENT_SECRET", "")
-	OIDCRedirectURL   = GetEnvString("OIDC_REDIRECT_URL", "")
-	OIDCScopes        = GetEnvString("OIDC_SCOPES", "openid, profile, email")
+	OIDCScopes        = GetCommaSepEnv("OIDC_SCOPES", "openid, profile, email, groups")
 	OIDCAllowedUsers  = GetCommaSepEnv("OIDC_ALLOWED_USERS", "")
 	OIDCAllowedGroups = GetCommaSepEnv("OIDC_ALLOWED_GROUPS", "")
+
+	// metrics configuration
+	MetricsDisableCPU     = GetEnvBool("METRICS_DISABLE_CPU", false)
+	MetricsDisableMemory  = GetEnvBool("METRICS_DISABLE_MEMORY", false)
+	MetricsDisableDisk    = GetEnvBool("METRICS_DISABLE_DISK", false)
+	MetricsDisableNetwork = GetEnvBool("METRICS_DISABLE_NETWORK", false)
+	MetricsDisableSensors = GetEnvBool("METRICS_DISABLE_SENSORS", false)
 )
 
 func GetEnv[T any](key string, defaultValue T, parser func(string) (T, error)) T {
@@ -86,7 +90,11 @@ func GetEnvBool(key string, defaultValue bool) bool {
 	return GetEnv(key, defaultValue, strconv.ParseBool)
 }
 
-func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL string) {
+func GetEnvInt(key string, defaultValue int) int {
+	return GetEnv(key, defaultValue, strconv.Atoi)
+}
+
+func GetAddrEnv(key, defaultValue, scheme string) (addr, host string, portInt int, fullURL string) {
 	addr = GetEnvString(key, defaultValue)
 	if addr == "" {
 		return
@@ -99,6 +107,10 @@ func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL str
 		host = "localhost"
 	}
 	fullURL = fmt.Sprintf("%s://%s:%s", scheme, host, port)
+	portInt, err = strconv.Atoi(port)
+	if err != nil {
+		log.Fatal().Msgf("env %s: invalid port: %s", key, port)
+	}
 	return
 }
 

internal/config/agent_pool.go

@@ -0,0 +1,66 @@
+package config
+
+import (
+	"slices"
+
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	"github.com/yusing/go-proxy/internal/gperr"
+	"github.com/yusing/go-proxy/internal/route/provider"
+	"github.com/yusing/go-proxy/internal/utils/functional"
+)
+
+var agentPool = functional.NewMapOf[string, *agent.AgentConfig]()
+
+func addAgent(agent *agent.AgentConfig) {
+	agentPool.Store(agent.Addr, agent)
+}
+
+func removeAllAgents() {
+	agentPool.Clear()
+}
+
+func GetAgent(addr string) (agent *agent.AgentConfig, ok bool) {
+	agent, ok = agentPool.Load(addr)
+	return
+}
+
+func (cfg *Config) GetAgent(agentAddrOrDockerHost string) (*agent.AgentConfig, bool) {
+	if !agent.IsDockerHostAgent(agentAddrOrDockerHost) {
+		return GetAgent(agentAddrOrDockerHost)
+	}
+	return GetAgent(agent.GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
+}
+
+func (cfg *Config) VerifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair) (int, gperr.Error) {
+	if slices.ContainsFunc(cfg.value.Providers.Agents, func(a *agent.AgentConfig) bool {
+		return a.Addr == host
+	}) {
+		return 0, gperr.New("agent already exists")
+	}
+
+	var agentCfg agent.AgentConfig
+	agentCfg.Addr = host
+	err := agentCfg.StartWithCerts(cfg.Task(), ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to start agent")
+	}
+	addAgent(&agentCfg)
+
+	provider := provider.NewAgentProvider(&agentCfg)
+	if err := cfg.errIfExists(provider); err != nil {
+		return 0, err
+	}
+	err = provider.LoadRoutes()
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to load routes")
+	}
+	return provider.NumRoutes(), nil
+}
+
+func (cfg *Config) ListAgents() []*agent.AgentConfig {
+	agents := make([]*agent.AgentConfig, 0, agentPool.Size())
+	agentPool.RangeAll(func(key string, value *agent.AgentConfig) {
+		agents = append(agents, value)
+	})
+	return agents
+}

internal/config/config.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"context"
+	"errors"
 	"os"
 	"strconv"
 	"strings"
@@ -9,13 +10,13 @@ import (
 	"time"
 
 	"github.com/yusing/go-proxy/internal/api"
-	"github.com/yusing/go-proxy/internal/autocert"
+	autocert "github.com/yusing/go-proxy/internal/autocert"
 	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config/types"
+	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/entrypoint"
-	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/http/server"
+	"github.com/yusing/go-proxy/internal/net/gphttp/server"
 	"github.com/yusing/go-proxy/internal/notif"
 	proxy "github.com/yusing/go-proxy/internal/route/provider"
 	"github.com/yusing/go-proxy/internal/task"
@@ -26,7 +27,7 @@ import (
 )
 
 type Config struct {
-	value            *types.Config
+	value            *config.Config
 	providers        F.Map[string, *proxy.Provider]
 	autocertProvider *autocert.Provider
 	entrypoint       *entrypoint.Entrypoint
@@ -35,7 +36,6 @@ type Config struct {
 }
 
 var (
-	instance   *Config
 	cfgWatcher watcher.Watcher
 	reloadMu   sync.Mutex
 )
@@ -49,32 +49,29 @@ Make sure you rename it back before next time you start.`
 You may run "ls-config" to show or dump the current config.`
 )
 
-var Validate = types.Validate
-
-func GetInstance() *Config {
-	return instance
-}
+var Validate = config.Validate
 
 func newConfig() *Config {
 	return &Config{
-		value:      types.DefaultConfig(),
+		value:      config.DefaultConfig(),
 		providers:  F.NewMapOf[string, *proxy.Provider](),
 		entrypoint: entrypoint.NewEntrypoint(),
 		task:       task.RootTask("config", false),
 	}
 }
 
-func Load() (*Config, E.Error) {
-	if instance != nil {
-		return instance, nil
+func Load() (*Config, gperr.Error) {
+	if config.HasInstance() {
+		panic(errors.New("config already loaded"))
 	}
-	instance = newConfig()
+	cfg := newConfig()
+	config.SetInstance(cfg)
 	cfgWatcher = watcher.NewConfigFileWatcher(common.ConfigFileName)
-	return instance, instance.load()
+	return cfg, cfg.load()
 }
 
 func MatchDomains() []string {
-	return instance.value.MatchDomains
+	return config.GetInstance().Value().MatchDomains
 }
 
 func WatchChanges() {
@@ -83,8 +80,8 @@ func WatchChanges() {
 		t,
 		configEventFlushInterval,
 		OnConfigChange,
-		func(err E.Error) {
-			E.LogError("config reload error", err)
+		func(err gperr.Error) {
+			gperr.LogError("config reload error", err)
 		},
 	)
 	eventQueue.Start(cfgWatcher.Events(t.Context()))
@@ -108,7 +105,7 @@ func OnConfigChange(ev []events.Event) {
 	}
 }
 
-func Reload() E.Error {
+func Reload() gperr.Error {
 	// avoid race between config change and API reload request
 	reloadMu.Lock()
 	defer reloadMu.Unlock()
@@ -117,27 +114,30 @@ func Reload() E.Error {
 	err := newCfg.load()
 	if err != nil {
 		newCfg.task.Finish(err)
-		return E.New("using last config").With(err)
+		return gperr.New("using last config").With(err)
 	}
 
 	// cancel all current subtasks -> wait
 	// -> replace config -> start new subtasks
-	instance.task.Finish("config changed")
-	instance = newCfg
-	instance.Start(StartAllServers)
+	config.GetInstance().(*Config).Task().Finish("config changed")
+	newCfg.Start(StartAllServers)
+	config.SetInstance(newCfg)
 	return nil
 }
 
-func (cfg *Config) Value() *types.Config {
-	return instance.value
+func (cfg *Config) Value() *config.Config {
+	return cfg.value
 }
 
-func (cfg *Config) Reload() E.Error {
+func (cfg *Config) Reload() gperr.Error {
 	return Reload()
 }
 
+// AutoCertProvider returns the autocert provider.
+//
+// If the autocert provider is not configured, it returns nil.
 func (cfg *Config) AutoCertProvider() *autocert.Provider {
-	return instance.autocertProvider
+	return cfg.autocertProvider
 }
 
 func (cfg *Config) Task() *task.Task {
@@ -162,20 +162,20 @@ func (cfg *Config) StartAutoCert() {
 	}
 
 	if err := autocert.Setup(); err != nil {
-		E.LogFatal("autocert setup error", err)
+		gperr.LogFatal("autocert setup error", err)
 	} else {
 		autocert.ScheduleRenewal(cfg.task)
 	}
 }
 
 func (cfg *Config) StartProxyProviders() {
-	errs := cfg.providers.CollectErrorsParallel(
+	errs := cfg.providers.CollectErrors(
 		func(_ string, p *proxy.Provider) error {
 			return p.Start(cfg.task)
 		})
 
-	if err := E.Join(errs...); err != nil {
-		E.LogError("route provider errors", err)
+	if err := gperr.Join(errs...); err != nil {
+		gperr.LogError("route provider errors", err)
 	}
 }
 
@@ -197,6 +197,7 @@ func (cfg *Config) StartServers(opts ...*StartServersOptions) {
 			HTTPAddr:     common.ProxyHTTPAddr,
 			HTTPSAddr:    common.ProxyHTTPSAddr,
 			Handler:      cfg.entrypoint,
+			ACL:          cfg.value.ACL,
 		})
 	}
 	if opt.API {
@@ -209,21 +210,21 @@ func (cfg *Config) StartServers(opts ...*StartServersOptions) {
 	}
 }
 
-func (cfg *Config) load() E.Error {
+func (cfg *Config) load() gperr.Error {
 	const errMsg = "config load error"
 
 	data, err := os.ReadFile(common.ConfigPath)
 	if err != nil {
-		E.LogFatal(errMsg, err)
+		gperr.LogFatal(errMsg, err)
 	}
 
-	model := types.DefaultConfig()
+	model := config.DefaultConfig()
 	if err := utils.DeserializeYAML(data, model); err != nil {
-		E.LogFatal(errMsg, err)
+		gperr.LogFatal(errMsg, err)
 	}
 
 	// errors are non fatal below
-	errs := E.NewBuilder(errMsg)
+	errs := gperr.NewBuilder(errMsg)
 	errs.Add(cfg.entrypoint.SetMiddlewares(model.Entrypoint.Middlewares))
 	errs.Add(cfg.entrypoint.SetAccessLogger(cfg.task, model.Entrypoint.AccessLog))
 	cfg.initNotification(model.Providers.Notification)
@@ -237,6 +238,14 @@ func (cfg *Config) load() E.Error {
 		}
 	}
 	cfg.entrypoint.SetFindRouteDomains(model.MatchDomains)
+	if model.ACL.Valid() {
+		err := model.ACL.Start(cfg.task)
+		if err != nil {
+			errs.Add(err)
+		} else {
+			logging.Info().Msg("ACL started")
+		}
+	}
 
 	return errs.Error()
 }
@@ -251,42 +260,84 @@ func (cfg *Config) initNotification(notifCfg []notif.NotificationConfig) {
 	}
 }
 
-func (cfg *Config) initAutoCert(autocertCfg *autocert.AutocertConfig) (err E.Error) {
+func (cfg *Config) initAutoCert(autocertCfg *autocert.Config) gperr.Error {
 	if cfg.autocertProvider != nil {
-		return
+		return nil
 	}
 
-	cfg.autocertProvider, err = autocertCfg.GetProvider()
-	return
+	if autocertCfg == nil {
+		autocertCfg = new(autocert.Config)
+	}
+
+	user, legoCfg, err := autocertCfg.GetLegoConfig()
+	if err != nil {
+		return err
+	}
+
+	cfg.autocertProvider = autocert.NewProvider(autocertCfg, user, legoCfg)
+	return nil
 }
 
-func (cfg *Config) loadRouteProviders(providers *types.Providers) E.Error {
-	errs := E.NewBuilder("route provider errors")
-	results := E.NewBuilder("loaded route providers")
+func (cfg *Config) errIfExists(p *proxy.Provider) gperr.Error {
+	if _, ok := cfg.providers.Load(p.String()); ok {
+		return gperr.Errorf("provider %s already exists", p.String())
+	}
+	return nil
+}
 
-	lenLongestName := 0
+func (cfg *Config) storeProvider(p *proxy.Provider) {
+	cfg.providers.Store(p.String(), p)
+}
+
+func (cfg *Config) loadRouteProviders(providers *config.Providers) gperr.Error {
+	errs := gperr.NewBuilder("route provider errors")
+	results := gperr.NewBuilder("loaded route providers")
+
+	removeAllAgents()
+
+	for _, agent := range providers.Agents {
+		if err := agent.Start(cfg.task); err != nil {
+			errs.Add(err.Subject(agent.String()))
+			continue
+		}
+		addAgent(agent)
+		p := proxy.NewAgentProvider(agent)
+		if err := cfg.errIfExists(p); err != nil {
+			errs.Add(err.Subject(p.String()))
+			continue
+		}
+		cfg.storeProvider(p)
+	}
 	for _, filename := range providers.Files {
 		p, err := proxy.NewFileProvider(filename)
+		if err == nil {
+			err = cfg.errIfExists(p)
+		}
 		if err != nil {
-			errs.Add(E.PrependSubject(filename, err))
+			errs.Add(gperr.PrependSubject(filename, err))
 			continue
 		}
-		cfg.providers.Store(p.String(), p)
-		if len(p.String()) > lenLongestName {
-			lenLongestName = len(p.String())
-		}
+		cfg.storeProvider(p)
 	}
 	for name, dockerHost := range providers.Docker {
-		p, err := proxy.NewDockerProvider(name, dockerHost)
-		if err != nil {
-			errs.Add(E.PrependSubject(name, err))
+		p := proxy.NewDockerProvider(name, dockerHost)
+		if err := cfg.errIfExists(p); err != nil {
+			errs.Add(err.Subject(p.String()))
 			continue
 		}
-		cfg.providers.Store(p.String(), p)
-		if len(p.String()) > lenLongestName {
-			lenLongestName = len(p.String())
-		}
+		cfg.storeProvider(p)
 	}
+	if cfg.providers.Size() == 0 {
+		return nil
+	}
+
+	lenLongestName := 0
+	cfg.providers.RangeAll(func(k string, _ *proxy.Provider) {
+		if len(k) > lenLongestName {
+			lenLongestName = len(k)
+		}
+	})
+	results.EnableConcurrency()
 	cfg.providers.RangeAllParallel(func(_ string, p *proxy.Provider) {
 		if err := p.LoadRoutes(); err != nil {
 			errs.Add(err.Subject(p.String()))