update files for agent, deps upgrade

2025-06-09 04:52:35 +02:00 · 2025-02-10 09:36:05 +08:00 · 2025-02-10 09:36:05 +08:00 · ecb89f80a0
commit ecb89f80a0
parent 9626b65593
12 changed files with 250 additions and 141 deletions
--- a/.env.example
+++ b/.env.example
@ -42,6 +42,9 @@ GODOXY_HTTPS_ADDR=:443
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888

+# Frontend listening port
+GODOXY_FRONTEND_PORT=3000
+
 # Prometheus Metrics
 GODOXY_PROMETHEUS_ENABLED=true

--- a/.github/workflows/docker-image-agent.yml
+++ b/.github/workflows/docker-image-agent.yml
@ -0,0 +1,12 @@
+name: Docker Image CI (agent)
+
+on:
+  push:
+    tags: ["*"]
+
+jobs:
+  call-main-workflow:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      make_args: "agent=1"
+      image_name: ${{ github.repository }}-agent
--- a/.github/workflows/docker-image-main.yml
+++ b/.github/workflows/docker-image-main.yml
@ -0,0 +1,9 @@
+name: Docker Image CI (main)
+
+on:
+  push:
+    tags: ["*"]
+
+jobs:
+  call-main-workflow:
+    uses: ./.github/workflows/docker-image.yml
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -1,12 +1,22 @@
 name: Docker Image CI

 on:
-    push:
-        tags: ["*"]
+  workflow_call:
+    inputs:
+      make_args:
+        description: "Arguments to pass to make"
+        type: string
+        required: false
+        default: ""
+      image_name:
+        description: "Image name"
+        type: string
+        required: false
+        default: ${{ github.repository }}

 env:
  REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
+  IMAGE_NAME: ${{ inputs.image_name }}

 jobs:
  build:
@ -63,6 +73,7 @@ jobs:
          cache-to: type=gha,mode=max
          build-args: |
            VERSION=${{ github.ref_name }}
+            MAKE_ARGS=${{ inputs.make_args }}

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
--- a/.gitignore
+++ b/.gitignore
@ -30,3 +30,6 @@ test.Dockerfile

 node_modules/
 tsconfig.tsbuildinfo
+
+!agent.compose.yml
+!agent/pkg/**
--- a/20
+++ b/20
@ -1,5 +1,5 @@
 # Stage 1: Builder
-FROM golang:1.23.5-alpine AS builder
+FROM golang:1.23.6-alpine AS builder
 HEALTHCHECK NONE

 # package version does not matter
@ -21,18 +21,19 @@ COPY Makefile /src/
 COPY cmd /src/cmd
 COPY internal /src/internal
 COPY pkg /src/pkg
+COPY agent /src/agent

 ARG VERSION
 ENV VERSION=${VERSION}

-ARG BUILD_FLAGS
-ENV BUILD_FLAGS=${BUILD_FLAGS}
+ARG MAKE_ARGS
+ENV MAKE_ARGS=${MAKE_ARGS}

 RUN --mount=type=cache,target="/go/pkg/mod" \
    --mount=type=cache,target="/root/.cache/go-build" \
-    make build && \
-    mkdir -p /app/error_pages /app/certs && \
-    mv bin/godoxy /app/godoxy
+    make ${MAKE_ARGS} build create-docker-entrypoint && \
+    mv bin /app/ && \
+    mkdir -p /app/error_pages /app/certs

 # Stage 2: Final image
 FROM scratch
@ -53,12 +54,7 @@ COPY config.example.yml /app/config/config.yml
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs

 ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GODOXY_DEBUG=0
-
-EXPOSE 80
-EXPOSE 8888
-EXPOSE 443

 WORKDIR /app

-CMD ["/app/godoxy"]
+CMD ["/app/entrypoint.sh"]
--- a/38
+++ b/38
@ -4,6 +4,15 @@ export GOOS = linux

 LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}

+
+ifeq ($(agent), 1)
+	NAME = godoxy-agent
+	CMD_PATH = ./agent/cmd
+else
+	NAME = godoxy
+	CMD_PATH = ./cmd
+endif
+
 ifeq ($(trace), 1)
 		debug = 1
 		GODOXY_TRACE ?= 1
@ -12,8 +21,10 @@ endif
 ifeq ($(debug), 1)
 	CGO_ENABLED = 0
 	GODOXY_DEBUG = 1
-  BUILD_FLAGS = -tags production
-else ifeq ($(pprof), 1)
+	BUILD_FLAGS ?= -tags production
+endif
+
+ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
 	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/
@ -29,6 +40,8 @@ endif

 BUILD_FLAGS += -ldflags='$(LDFLAGS)'

+export NAME
+export CMD_PATH
 export CGO_ENABLED
 export GODOXY_DEBUG
 export GODOXY_TRACE
@ -45,14 +58,14 @@ get:

 build:
 	mkdir -p bin
-	go build ${BUILD_FLAGS} -o bin/godoxy ./cmd
+	go build ${BUILD_FLAGS} -o bin/${NAME} ${CMD_PATH}
 	if [ $(shell id -u) -eq 0 ]; \
-		then setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
-		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
+		then setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
+		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/${NAME}; \
 	fi

 run:
-	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ${CMD_PATH}

 mtrace:
 	bin/godoxy debug-ls-mtrace > mtrace.json
@ -76,18 +89,25 @@ push-docker-io:
 	BUILDER=build docker buildx build \
 		--platform linux/arm64,linux/amd64 \
 		-f Dockerfile \
-		-t docker.io/yusing/godoxy-nightly:${DOCKER_TAG} \
-		-t docker.io/yusing/godoxy-nightly:${VERSION}-${BUILD_DATE} \
+		-t docker.io/yusing/${NAME}-nightly:${DOCKER_TAG} \
+		-t docker.io/yusing/${NAME}-nightly:${VERSION}-${BUILD_DATE} \
 		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
 		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
+		--build-arg MAKE_ARGS="agent=${agent}" \
 		--push .

 build-docker:
-	docker build -t godoxy-nightly \
+	docker build -t ${NAME}-nightly \
 		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
 		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
+		--build-arg MAKE_ARGS="agent=${agent}" \
 		.

+create-docker-entrypoint:
+	printf '#!/bin/sh\n/app/${NAME}\n' > bin/entrypoint.sh
+	chmod +x bin/entrypoint.sh
+
+
 # To generate schema
 # comment out this part from typescript-json-schema.js#L884
 #
--- a/README.md
+++ b/README.md
@ -59,11 +59,21 @@ For full documentation, check out **[Wiki](https://github.com/yusing/go-proxy/wi

 ## Prerequisites

-Setup DNS Records point to machine which runs `GoDoxy`, e.g.
+1. Setup DNS Records point to machine which runs `GoDoxy`, e.g.

 - A Record: `*.y.z` -> `10.0.10.1`
 - AAAA Record: `*.y.z` -> `::ffff:a00:a01`

+2. Create shell alias:
+
+   ```shell
+   # for main server
+   alias godoxy="docker exec godoxy /app/godoxy"
+
+   # for agent server
+   alias godoxy-agent="docker exec godoxy-agent /app/godoxy-agent"
+   ```
+
 ## Setup

 **NOTE:** GoDoxy is designed to be (and only works when) running in `host` network mode, do not change it. To change listening ports, modify `.env`.
--- a/agent.compose.yml
+++ b/agent.compose.yml
@ -0,0 +1,12 @@
+services:
+  godoxy-agent:
+    image: ghcr.io/yusing/godoxy-agent:latest
+    container_name: godoxy-agent
+    restart: always
+    network_mode: host # do not change this
+    environment:
+      GODOXY_AGENT_NAME: "agent-1"
+      GODOXY_AGENT_PORT: "8890"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./certs:/app/certs # store Agent CA cert and Agent SSL cert
--- a/compose.example.yml
+++ b/compose.example.yml
@ -4,14 +4,17 @@ services:
    image: ghcr.io/yusing/go-proxy-frontend:latest
    container_name: godoxy-frontend
    restart: unless-stopped
-    network_mode: host
+    network_mode: host # do not change this
    env_file: .env
    depends_on:
      - app
+    environment:
+      PORT: ${GODOXY_FRONTEND_PORT:-3000}
+
    # modify below to fit your needs
    labels:
      proxy.aliases: godoxy
-      proxy.godoxy.port: 3000
+      proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
      # proxy.godoxy.middlewares.cidr_whitelist: |
      #   status: 403
      #   message: IP not allowed
@ -24,7 +27,7 @@ services:
    image: ghcr.io/yusing/go-proxy:latest
    container_name: godoxy
    restart: always
-    network_mode: host
+    network_mode: host # do not change this
    env_file: .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/yusing/go-proxy

-go 1.23.5
+go 1.23.6

 require (
 	github.com/PuerkitoBio/goquery v1.10.1
--- a/next-release.md
+++ b/next-release.md
@ -1,6 +1,36 @@
-GoDoxy v0.9.1 expected changes
+## GoDoxy v0.10.0

- Support Ntfy notifications
- Prometheus metrics server now inside API server under `/v1/metrics`
-  - `GODOXY_PROMETHEUS_ADDR` removed
-  - `GODOXY_PROMETHEUS_ENABLED` added, default `false`
+### Agent Mode
+
+listen only on Agent API server, authenticate with mTLS. Maintain secure connection between GoDoxy main and GoDoxy agent server
+
+Main benefits:
+
+- No more exposing docker socket: drops the need of `docker-socket-proxy`
+- No more exposing app ports: fewer attack surface
+  ```yaml
+  services:
+    app:
+      ...
+      # ports: # this part is not needed on agent server
+      #  - 6789
+  ```
+- Secure: no one can connect to it except GoDoxy main server because of mTLS
+- Fetch info from agent server, e.g. CPU usage, Memory usage, container list, container logs, etc... (to be ready for beszel and dockge like features in WebUI)
+
+### How to setup
+
+1. Agent server generates CA cert, SSL certificate and Client certificate on first run.
+2. Follow the output on screen to run `godoxy new-agent <ip>:<port> ...` on GoDoxy main server to store generated certs
+3. Add config output to GoDoxy main server in `config.yml` under `providers.agents`
+   ```yaml
+   providers:
+     agents:
+       - 12.34.5.6:8889
+   ```
+
+### How does it work
+
+1. Main server and agent server negotiate mTLS
+2. Agent server verify main server's client cert and check if server version matches agent version
+3. Agent server now acts as a http proxy and docker socket proxy