update files for agent, deps upgrade

.env.example

@@ -42,6 +42,9 @@ GODOXY_HTTPS_ADDR=:443
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888
 
+# Frontend listening port
+GODOXY_FRONTEND_PORT=3000
+
 # Prometheus Metrics
 GODOXY_PROMETHEUS_ENABLED=true
 

.github/workflows/docker-image-agent.yml

@@ -0,0 +1,12 @@
+name: Docker Image CI (agent)
+
+on:
+  push:
+    tags: ["*"]
+
+jobs:
+  call-main-workflow:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      make_args: "agent=1"
+      image_name: ${{ github.repository }}-agent

.github/workflows/docker-image-main.yml

@@ -0,0 +1,9 @@
+name: Docker Image CI (main)
+
+on:
+  push:
+    tags: ["*"]
+
+jobs:
+  call-main-workflow:
+    uses: ./.github/workflows/docker-image.yml

.github/workflows/docker-image.yml

@@ -1,12 +1,22 @@
 name: Docker Image CI
 
 on:
-    push:
+  workflow_call:
-        tags: ["*"]
+    inputs:
+      make_args:
+        description: "Arguments to pass to make"
+        type: string
+        required: false
+        default: ""
+      image_name:
+        description: "Image name"
+        type: string
+        required: false
+        default: ${{ github.repository }}
 
 env:
   REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
+  IMAGE_NAME: ${{ inputs.image_name }}
 
 jobs:
   build:
@@ -63,6 +73,7 @@ jobs:
           cache-to: type=gha,mode=max
           build-args: |
             VERSION=${{ github.ref_name }}
+            MAKE_ARGS=${{ inputs.make_args }}
 
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1

.gitignore

@@ -30,3 +30,6 @@ test.Dockerfile
 
 node_modules/
 tsconfig.tsbuildinfo
+
+!agent.compose.yml
+!agent/pkg/**

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: Builder
-FROM golang:1.23.5-alpine AS builder
+FROM golang:1.23.6-alpine AS builder
 HEALTHCHECK NONE
 
 # package version does not matter
@@ -21,18 +21,19 @@ COPY Makefile /src/
 COPY cmd /src/cmd
 COPY internal /src/internal
 COPY pkg /src/pkg
+COPY agent /src/agent
 
 ARG VERSION
 ENV VERSION=${VERSION}
 
-ARG BUILD_FLAGS
+ARG MAKE_ARGS
-ENV BUILD_FLAGS=${BUILD_FLAGS}
+ENV MAKE_ARGS=${MAKE_ARGS}
 
 RUN --mount=type=cache,target="/go/pkg/mod" \
     --mount=type=cache,target="/root/.cache/go-build" \
-    make build && \
+    make ${MAKE_ARGS} build create-docker-entrypoint && \
-    mkdir -p /app/error_pages /app/certs && \
+    mv bin /app/ && \
-    mv bin/godoxy /app/godoxy
+    mkdir -p /app/error_pages /app/certs
 
 # Stage 2: Final image
 FROM scratch
@@ -53,12 +54,7 @@ COPY config.example.yml /app/config/config.yml
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs
 
 ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GODOXY_DEBUG=0
-
-EXPOSE 80
-EXPOSE 8888
-EXPOSE 443
 
 WORKDIR /app
 
-CMD ["/app/godoxy"]
+CMD ["/app/entrypoint.sh"]

Makefile

@@ -4,6 +4,15 @@ export GOOS = linux
 
 LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
 
+
+ifeq ($(agent), 1)
+	NAME = godoxy-agent
+	CMD_PATH = ./agent/cmd
+else
+	NAME = godoxy
+	CMD_PATH = ./cmd
+endif
+
 ifeq ($(trace), 1)
 		debug = 1
 		GODOXY_TRACE ?= 1
@@ -12,8 +21,10 @@ endif
 ifeq ($(debug), 1)
 	CGO_ENABLED = 0
 	GODOXY_DEBUG = 1
-  BUILD_FLAGS = -tags production
+	BUILD_FLAGS ?= -tags production
-else ifeq ($(pprof), 1)
+endif
+
+ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
 	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/
@@ -29,6 +40,8 @@ endif
 
 BUILD_FLAGS += -ldflags='$(LDFLAGS)'
 
+export NAME
+export CMD_PATH
 export CGO_ENABLED
 export GODOXY_DEBUG
 export GODOXY_TRACE
@@ -45,14 +58,14 @@ get:
 
 build:
 	mkdir -p bin
-	go build ${BUILD_FLAGS} -o bin/godoxy ./cmd
+	go build ${BUILD_FLAGS} -o bin/${NAME} ${CMD_PATH}
 	if [ $(shell id -u) -eq 0 ]; \
-		then setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
+		then setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
-		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
+		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
 	fi
 
 run:
-	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}
 
 mtrace:
 	bin/godoxy debug-ls-mtrace > mtrace.json
@@ -76,18 +89,25 @@ push-docker-io:
 	BUILDER=build docker buildx build \
 		--platform linux/arm64,linux/amd64 \
 		-f Dockerfile \
-		-t docker.io/yusing/godoxy-nightly:${DOCKER_TAG} \
+		-t docker.io/yusing/${NAME}-nightly:${DOCKER_TAG} \
-		-t docker.io/yusing/godoxy-nightly:${VERSION}-${BUILD_DATE} \
+		-t docker.io/yusing/${NAME}-nightly:${VERSION}-${BUILD_DATE} \
 		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
 		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
+		--build-arg MAKE_ARGS="agent=${agent}" \
 		--push .
 
 build-docker:
-	docker build -t godoxy-nightly \
+	docker build -t ${NAME}-nightly \
 		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
 		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
+		--build-arg MAKE_ARGS="agent=${agent}" \
 		.
 
+create-docker-entrypoint:
+	printf '#!/bin/sh\n/app/${NAME}\n' > bin/entrypoint.sh
+	chmod +x bin/entrypoint.sh
+
+
 # To generate schema
 # comment out this part from typescript-json-schema.js#L884
 #

README.md

@@ -59,11 +59,21 @@ For full documentation, check out **[Wiki](https://github.com/yusing/go-proxy/wi
 
 ## Prerequisites
 
-Setup DNS Records point to machine which runs `GoDoxy`, e.g.
+1. Setup DNS Records point to machine which runs `GoDoxy`, e.g.
 
 - A Record: `*.y.z` -> `10.0.10.1`
 - AAAA Record: `*.y.z` -> `::ffff:a00:a01`
 
+2. Create shell alias:
+
+   ```shell
+   # for main server
+   alias godoxy="docker exec godoxy /app/godoxy"
+
+   # for agent server
+   alias godoxy-agent="docker exec godoxy-agent /app/godoxy-agent"
+   ```
+
 ## Setup
 
 **NOTE:** GoDoxy is designed to be (and only works when) running in `host` network mode, do not change it. To change listening ports, modify `.env`.

agent.compose.yml

@@ -0,0 +1,12 @@
+services:
+  godoxy-agent:
+    image: ghcr.io/yusing/godoxy-agent:latest
+    container_name: godoxy-agent
+    restart: always
+    network_mode: host # do not change this
+    environment:
+      GODOXY_AGENT_NAME: "agent-1"
+      GODOXY_AGENT_PORT: "8890"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./certs:/app/certs # store Agent CA cert and Agent SSL cert

compose.example.yml

@@ -4,14 +4,17 @@ services:
     image: ghcr.io/yusing/go-proxy-frontend:latest
     container_name: godoxy-frontend
     restart: unless-stopped
-    network_mode: host
+    network_mode: host # do not change this
     env_file: .env
     depends_on:
       - app
+    environment:
+      PORT: ${GODOXY_FRONTEND_PORT:-3000}
+
     # modify below to fit your needs
     labels:
       proxy.aliases: godoxy
-      proxy.godoxy.port: 3000
+      proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
       # proxy.godoxy.middlewares.cidr_whitelist: |
       #   status: 403
       #   message: IP not allowed
@@ -24,7 +27,7 @@ services:
     image: ghcr.io/yusing/go-proxy:latest
     container_name: godoxy
     restart: always
-    network_mode: host
+    network_mode: host # do not change this
     env_file: .env
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock

go.mod

@@ -1,6 +1,6 @@
 module github.com/yusing/go-proxy
 
-go 1.23.5
+go 1.23.6
 
 require (
 	github.com/PuerkitoBio/goquery v1.10.1

next-release.md

@@ -1,6 +1,36 @@
-GoDoxy v0.9.1 expected changes
+## GoDoxy v0.10.0
 
-- Support Ntfy notifications
+### Agent Mode
-- Prometheus metrics server now inside API server under `/v1/metrics`
+
-  - `GODOXY_PROMETHEUS_ADDR` removed
+listen only on Agent API server, authenticate with mTLS. Maintain secure connection between GoDoxy main and GoDoxy agent server
-  - `GODOXY_PROMETHEUS_ENABLED` added, default `false`
+
+Main benefits:
+
+- No more exposing docker socket: drops the need of `docker-socket-proxy`
+- No more exposing app ports: fewer attack surface
+  ```yaml
+  services:
+    app:
+      ...
+      # ports: # this part is not needed on agent server
+      #  - 6789
+  ```
+- Secure: no one can connect to it except GoDoxy main server because of mTLS
+- Fetch info from agent server, e.g. CPU usage, Memory usage, container list, container logs, etc... (to be ready for beszel and dockge like features in WebUI)
+
+### How to setup
+
+1. Agent server generates CA cert, SSL certificate and Client certificate on first run.
+2. Follow the output on screen to run `godoxy new-agent <ip>:<port> ...` on GoDoxy main server to store generated certs
+3. Add config output to GoDoxy main server in `config.yml` under `providers.agents`
+   ```yaml
+   providers:
+     agents:
+       - 12.34.5.6:8889
+   ```
+
+### How does it work
+
+1. Main server and agent server negotiate mTLS
+2. Agent server verify main server's client cert and check if server version matches agent version
+3. Agent server now acts as a http proxy and docker socket proxy