2025-05-20 20:52:33 +02:00
488 changed files with 5612 additions and 46578 deletions
--- a/.env.example
+++ b/.env.example
@ -1,76 +0,0 @@
 # docker image tag (latest, nightly)
 TAG=latest
 # set timezone to get correct log timestamp
 TZ=ETC/UTC
 # container uid and gid (must match the owner of mounted directories)
 GODOXY_UID=1000
 GODOXY_GID=1000
 # API JWT Configuration (common)
 # generate secret with `openssl rand -base64 32`
 GODOXY_API_JWT_SECRET=
 # the JWT token time-to-live
 # leave empty to use default (24 hours)
 # format: https://pkg.go.dev/time#Duration
 GODOXY_API_JWT_TOKEN_TTL=
 # API/WebUI user password login credentials (optional)
 # These fields are not required for OIDC authentication
 GODOXY_API_USER=admin
 GODOXY_API_PASSWORD=password
 # OIDC Configuration (optional)
 # Uncomment and configure these values to enable OIDC authentication.
 #
 # GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
 # GODOXY_OIDC_CLIENT_ID=your-client-id
 # GODOXY_OIDC_CLIENT_SECRET=your-client-secret
 # GODOXY_OIDC_SCOPES=openid, profile, email, groups # you may also include `offline_access` if your Idp supports it (e.g. Authentik, Pocket ID)
 #
 # User definitions: Uncomment and configure these values to restrict access to specific users or groups.
 # These two fields act as a logical AND operator. For example, given the following membership:
 #   user1, group1
 #   user2, group1
 #   user3, group2
 #   user1, group2
 # You can allow access to user3 AND all users of group1 by providing:
 #   # GODOXY_OIDC_ALLOWED_USERS=user3
 #   # GODOXY_OIDC_ALLOWED_GROUPS=group1
 #
 # Comma-separated list of allowed users.
 # GODOXY_OIDC_ALLOWED_USERS=user1,user2
 # Optional: Comma-separated list of allowed groups.
 # GODOXY_OIDC_ALLOWED_GROUPS=group1,group2
 # Proxy listening address
 GODOXY_HTTP_ADDR=:80
 GODOXY_HTTPS_ADDR=:443
 # Enable HTTP3
 GODOXY_HTTP3_ENABLED=true
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888
 # Metrics
 GODOXY_METRICS_DISABLE_CPU=false
 GODOXY_METRICS_DISABLE_MEMORY=false
 GODOXY_METRICS_DISABLE_DISK=false
 GODOXY_METRICS_DISABLE_NETWORK=false
 GODOXY_METRICS_DISABLE_SENSORS=false
 # Frontend listening port
 GODOXY_FRONTEND_PORT=3000
 # Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
 GODOXY_FRONTEND_ALIASES=godoxy
 # Docker socket
 # /var/run/podman/podman.sock for podman
 DOCKER_SOCKET=/var/run/docker.sock
 SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375
 # Debug mode
 GODOXY_DEBUG=false
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1,15 +0,0 @@
 # These are supported funding model platforms
 github: yusing # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 patreon: # Replace with a single Patreon username
 open_collective: # Replace with a single Open Collective username
 ko_fi: # Replace with a single Ko-fi username
 tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 liberapay: # Replace with a single Liberapay username
 issuehunt: # Replace with a single IssueHunt username
 lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
 polar: # Replace with a single Polar username
 buy_me_a_coffee: yusingwysq # Replace with a single Buy Me a Coffee username
 thanks_dev: # Replace with a single thanks.dev username
 custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/workflows/agent-binary.yml
+++ b/.github/workflows/agent-binary.yml
@ -1,48 +0,0 @@
 name: GoDoxy agent binary
 on:
  push:
    tags:
      - v*
    paths:
      - "agent/**"
 jobs:
  build:
    strategy:
      matrix:
        include:
          - runner: ubuntu-latest
            platform: linux/amd64
            binary_name: godoxy-agent-linux-amd64
          - runner: ubuntu-24.04-arm
            platform: linux/arm64
            binary_name: godoxy-agent-linux-arm64
    name: Build ${{ matrix.platform }}
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Verify dependencies
        run: go mod verify
      - name: Build
        run: |
          make agent=1 NAME=${{ matrix.binary_name }} build
      - name: Check binary
        run: |
          file bin/${{ matrix.binary_name }}
      - name: Upload
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.binary_name }}
          path: bin/${{ matrix.binary_name }}
      - name: Upload to release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: bin/${{ matrix.binary_name }}
--- a/.github/workflows/docker-image-nightly.yml
+++ b/.github/workflows/docker-image-nightly.yml
@ -1,24 +0,0 @@
 name: Docker Image CI (nightly)
 on:
  push:
    branches:
      - "*" # matches every branch that doesn't contain a '/'
      - "*/*" # matches every branch containing a single '/'
      - "**" # matches every branch
      - "!dependabot/*"
      - "!main" # excludes main
 jobs:
  build-nightly:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy
      tag: nightly
      target: main
  build-nightly-agent:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy-agent
      tag: nightly
      target: agent
--- a/.github/workflows/docker-image-prod.yml
+++ b/.github/workflows/docker-image-prod.yml
@ -1,21 +0,0 @@
 name: Docker Image CI
 on:
  push:
    tags:
      - v*
 jobs:
  build-prod:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy
      old_image_name: ${{ github.repository_owner }}/go-proxy
      tag: latest
      target: main
  build-prod-agent:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/godoxy-agent
      tag: latest
      target: agent
--- a/.github/workflows/docker-image-socket-proxy.yml
+++ b/.github/workflows/docker-image-socket-proxy.yml
@ -1,23 +0,0 @@
 name: Docker Image CI (socket-proxy)
 on:
  push:
    branches:
      - main
    paths:
      - "socket-proxy/**"
    tags-ignore:
      - '**'
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  build:
    uses: ./.github/workflows/docker-image.yml
    with:
      image_name: ${{ github.repository_owner }}/socket-proxy
      tag: latest
      target: socket-proxy
      dockerfile: socket-proxy.Dockerfile
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -1,172 +0,0 @@
 name: Docker Image CI
 on:
  workflow_call:
    inputs:
      tag:
        required: true
        type: string
      image_name:
        required: true
        type: string
      old_image_name:
        required: false
        type: string
      target:
        required: true
        type: string
      dockerfile:
        required: false
        type: string
        default: Dockerfile
 env:
  REGISTRY: ghcr.io
  MAKE_ARGS: ${{ inputs.target }}=1
  DIGEST_PATH: /tmp/digests/${{ inputs.target }}
  DIGEST_NAME_SUFFIX: ${{ inputs.target }}
  DOCKERFILE: ${{ inputs.dockerfile }}
 jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            platform: linux/amd64
          - runner: ubuntu-24.04-arm
            platform: linux/arm64
    name: Build ${{ matrix.platform }}
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    steps:
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
          tags: |
            type=raw,value=${{ inputs.tag }},event=branch
            type=ref,event=tag
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: ${{ matrix.platform }}
      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          file: ${{ env.DOCKERFILE }}
          outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
          cache-from: |
            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}
            type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
          cache-to: |
            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max
            type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
          build-args: |
            VERSION=${{ github.ref_name }}
            MAKE_ARGS=${{ env.MAKE_ARGS }}
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ inputs.image_name }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
      - name: Export digest
        run: |
          mkdir -p ${{ env.DIGEST_PATH }}
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ env.DIGEST_PATH }}/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}-${{ env.DIGEST_NAME_SUFFIX }}
          path: ${{ env.DIGEST_PATH }}/*
          if-no-files-found: error
          retention-days: 1
  merge:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ env.DIGEST_PATH }}
          pattern: digests-*-${{ env.DIGEST_NAME_SUFFIX }}
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
          tags: |
            type=raw,value=${{ inputs.tag }},event=branch
            type=ref,event=tag
      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Create manifest list and push
        id: push
        working-directory: ${{ env.DIGEST_PATH }}
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY }}/${{ inputs.image_name }}@sha256:%s ' *)
      - name: Old image name
        if: inputs.old_image_name != ''
        run: |
          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}\
            ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
      - name: Inspect image (old)
        if: inputs.old_image_name != ''
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.old_image_name }}:${{ steps.meta.outputs.version }}
--- a/.gitignore
+++ b/.gitignore
@ -1,40 +1,8 @@
 compose.yml
 *.compose.yml
-config
+config/**
-certs
+
-config*/
+bin/go-proxy.bak
 !schemas/**
 certs*/
 bin/
 error_pages/
 !examples/error_pages/
 profiles/
 data/
 debug/
 logs/
-log/
+log/
 .vscode/settings.json
 go.work.sum
 !cmd/**/
 !internal/**/
 todo.md
 .*.swp
 .aider*
 mtrace.json
 .env
 .cursorrules
 .windsurfrules
 test.Dockerfile
 node_modules/
 tsconfig.tsbuildinfo
 !agent.compose.yml
 !agent/pkg/**
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,15 +0,0 @@
 build-image:
  image: docker
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      variables:
        CI_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE:latest
    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
      variables:
        CI_REGISTRY_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH
  before_script:
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
  script:
    - echo building $CI_REGISTRY_IMAGE
    - docker build --no-cache --build-arg VERSION=$CI_COMMIT_REF_NAME -t $CI_REGISTRY_IMAGE .
    - docker push $CI_REGISTRY_IMAGE
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
 [submodule "templates/codemirror"]
 	path = templates/codemirror
 	url = https://github.com/codemirror/codemirror5.git
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,151 +0,0 @@
 version: "2"
 linters:
  default: all
  disable:
    - bodyclose
    - containedctx
    - contextcheck
    - cyclop
    - depguard
    - dupl
    - err113
    - exhaustive
    - exhaustruct
    - forcetypeassert
    - gochecknoglobals
    - gochecknoinits
    - gocognit
    - goconst
    - gocyclo
    - gomoddirectives
    - gosec
    - gosmopolitan
    - ireturn
    - lll
    - maintidx
    - makezero
    - mnd
    - nakedret
    - nestif
    - nilnil
    - nlreturn
    - noctx
    - nonamedreturns
    - paralleltest
    - prealloc
    - rowserrcheck
    - sqlclosecheck
    - tagliatelle
    - testpackage
    - tparallel
    - varnamelen
    - wrapcheck
    - wsl
  settings:
    errcheck:
      exclude-functions:
        - fmt.Fprintln
    forbidigo:
      forbid:
        - pattern: ^print(ln)?$
    funlen:
      lines: -1
      statements: 120
    gocyclo:
      min-complexity: 14
    godox:
      keywords:
        - FIXME
    gomoddirectives:
      replace-allow-list:
        - github.com/abbot/go-http-auth
        - github.com/gorilla/mux
        - github.com/mailgun/minheap
        - github.com/mailgun/multibuf
        - github.com/jaguilar/vt100
        - github.com/cucumber/godog
        - github.com/http-wasm/http-wasm-host-go
    govet:
      disable:
        - shadow
        - fieldalignment
      enable-all: true
    misspell:
      locale: US
    revive:
      rules:
        - name: struct-tag
        - name: blank-imports
        - name: context-as-argument
        - name: context-keys-type
        - name: error-return
        - name: error-strings
        - name: error-naming
        - name: exported
          disabled: true
        - name: if-return
        - name: increment-decrement
        - name: var-naming
        - name: var-declaration
        - name: package-comments
          disabled: true
        - name: range
        - name: receiver-naming
        - name: time-naming
        - name: unexported-return
        - name: indent-error-flow
        - name: errorf
        - name: empty-block
        - name: superfluous-else
        - name: unused-parameter
          disabled: true
        - name: unreachable-code
        - name: redefines-builtin-id
    staticcheck:
      checks:
        - all
        - -SA1019
      dot-import-whitelist:
        - github.com/yusing/go-proxy/internal/utils/testing
        - github.com/yusing/go-proxy/internal/api/v1/utils
    tagalign:
      align: false
      sort: true
      order:
        - description
        - json
        - toml
        - yaml
        - yml
        - label
        - label-slice-as-struct
        - file
        - kv
        - export
    testifylint:
      disable:
        - suite-dont-use-pkg
        - require-error
        - go-require
  exclusions:
    generated: lax
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    paths:
      - third_party$
      - builtin$
      - examples$
 formatters:
  enable:
    - gofmt
    - gofumpt
    - goimports
  exclusions:
    generated: lax
    paths:
      - third_party$
      - builtin$
      - examples$
--- a/.trunk/.gitignore
+++ b/.trunk/.gitignore
@ -1,9 +0,0 @@
 *out
 *logs
 *actions
 *notifications
 *tools
 plugins
 user_trunk.yaml
 user.yaml
 tmp
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@ -1,42 +0,0 @@
 # This file controls the behavior of Trunk: https://docs.trunk.io/cli
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
  version: 1.22.15
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
  sources:
    - id: trunk
      ref: v1.6.8
      uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
  enabled:
    - node@18.20.5
    - python@3.10.8
    - go@1.24.3
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
  disabled:
    - markdownlint
    - yamllint
  enabled:
    - checkov@3.2.416
    - golangci-lint2@2.1.6
    - hadolint@2.12.1-beta
    - actionlint@1.7.7
    - git-diff-check
    - gofmt@1.20.4
    - osv-scanner@2.0.2
    - oxipng@9.1.5
    - prettier@3.5.3
    - shellcheck@0.10.0
    - shfmt@3.6.0
    - trufflehog@3.88.29
 actions:
  disabled:
    - trunk-announce
    - trunk-check-pre-push
    - trunk-fmt-pre-commit
  enabled:
    - trunk-upgrade-available
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@ -1,11 +0,0 @@
 {
  "yaml.schemas": {
    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/config.schema.json": [
      "config.example.yml",
      "config.yml"
    ],
    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/src/types/godoxy/routes.schema.json": [
      "providers.example.yml"
    ]
  }
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,16 @@
 {
    "go.inferGopath": false,
    "yaml.schemas": {
        // "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
        //     "config.example.yml",
        //     "config.yml"
        // ],
        "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
            "providers.example.yml",
            "*.providers.yml"
        ],
        "file:///config/workspace/go-proxy/schema/config.schema.json": [
            "file:///config/workspace/go-proxy/config.example.yml"
        ]
    }
 }
--- a/72
+++ b/72
@ -1,64 +1,22 @@
-# Stage 1: deps
+FROM alpine:latest
 FROM golang:1.24.3-alpine AS deps
 HEALTHCHECK NONE
 # package version does not matter
 # trunk-ignore(hadolint/DL3018)
 RUN apk add --no-cache tzdata make libcap-setcap
 ENV GOPATH=/root/go
 WORKDIR /src
 COPY go.mod go.sum ./
 # remove godoxy stuff from go.mod first
 RUN sed -i '/^module github\.com\/yusing\/go-proxy/!{/github\.com\/yusing\/go-proxy/d}' go.mod && \
  go mod download -x
 # Stage 2: builder
 FROM deps AS builder
 WORKDIR /src
 COPY go.mod go.sum ./
 COPY Makefile ./
 COPY cmd ./cmd
 COPY internal ./internal
 COPY pkg ./pkg
 COPY agent ./agent
 COPY socket-proxy ./socket-proxy
 ARG VERSION
 ENV VERSION=${VERSION}
 ARG MAKE_ARGS
 ENV MAKE_ARGS=${MAKE_ARGS}
 ENV GOCACHE=/root/.cache/go-build
 ENV GOPATH=/root/go
 RUN --mount=type=cache,target=/root/.cache/go-build \
  --mount=type=cache,target=/root/go/pkg/mod \
  make ${MAKE_ARGS} docker=1 build
 # Stage 3: Final image
 FROM scratch
 LABEL maintainer="yusing@6uo.me"
 LABEL proxy.exclude=1
-# copy timezone data
+RUN apk add --no-cache tzdata
-COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
+RUN mkdir /app
 COPY bin/go-proxy /app/
 COPY templates/ /app/templates
 COPY schema/ /app/schema
-# copy binary
+RUN chmod +x /app/go-proxy
-COPY --from=builder /app/run /app/run
+ENV DOCKER_HOST unix:///var/run/docker.sock
 ENV GOPROXY_DEBUG 0
 ENV GOPROXY_REDIRECT_HTTP 1
-# copy certs
+EXPOSE 80
-COPY --from=builder /etc/ssl/certs /etc/ssl/certs
+EXPOSE 8080
-
+EXPOSE 443
-ENV DOCKER_HOST=unix:///var/run/docker.sock
+EXPOSE 8443
 WORKDIR /app
-
+CMD ["/app/go-proxy"]
 CMD ["/app/run"]
--- a/45
+++ b/45
@ -1,45 +0,0 @@
 MIT License
 Copyright (c) 2024 - present Yusing
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 ---
 internal/net/gphttp/reverseproxy/reverse_proxy_mod.go is copied from et/http/httputil/reverseproxy.go with modifications to adapt to this project.
 Copyright 2011 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 ---
 internal/utils/io.go has a modified version of io.Copy with context and HTTP flusher handling.
 Copyright 2009 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
 ---
 internal/utils/strutils/split_join.go is copied from strings.Split and strings.Join with modifications to adapt to this project.
 Copyright 2009 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.
--- a/156
+++ b/156
@ -1,137 +1,35 @@
-shell := /bin/sh
+.PHONY: all build up quick-restart restart logs get udp-server
 export VERSION ?= $(shell git describe --tags --abbrev=0)
 export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux
-LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
+all: build quick-restart logs
 ifeq ($(agent), 1)
 	NAME = godoxy-agent
 	PWD = ${shell pwd}/agent
 else ifeq ($(socket-proxy), 1)
 	NAME = godoxy-socket-proxy
 	PWD = ${shell pwd}/socket-proxy
 else
 	NAME = godoxy
 	PWD = ${shell pwd}
 endif
 ifeq ($(trace), 1)
 	debug = 1
 	GODOXY_TRACE ?= 1
 	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
 endif
 ifeq ($(race), 1)
 	debug = 1
  BUILD_FLAGS += -race
 endif
 ifeq ($(debug), 1)
 	CGO_ENABLED = 0
 	GODOXY_DEBUG = 1
 	BUILD_FLAGS += -gcflags=all='-N -l' -tags debug
 else ifeq ($(pprof), 1)
 	CGO_ENABLED = 1
 	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
 	BUILD_FLAGS += -tags pprof
 	VERSION := ${VERSION}-pprof
 else
 	CGO_ENABLED = 0
 	LDFLAGS += -s -w
 	BUILD_FLAGS += -pgo=auto -tags production
 endif
 BUILD_FLAGS += -ldflags='$(LDFLAGS)'
 BIN_PATH := $(shell pwd)/bin/${NAME}
 export NAME
 export CGO_ENABLED
 export GODOXY_DEBUG
 export GODOXY_TRACE
 export GODEBUG
 export GORACE
 export BUILD_FLAGS
 ifeq ($(shell id -u), 0)
 	SETCAP_CMD = setcap
 else
 	SETCAP_CMD = sudo setcap
 endif
 # CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
 POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
 ifeq ($(docker), 1)
 	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
 endif
 .PHONY: debug
 test:
 	GODOXY_TEST=1 go test ./internal/...
 docker-build-test:
 	docker build -t godoxy .
 	docker build --build-arg=MAKE_ARGS=agent=1 -t godoxy-agent .
 go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
 files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
 gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
 update-go:
 	for file in ${files}; do \
 		echo "updating $$file"; \
 		sed -i 's|go \([0-9]\+\.[0-9]\+\.[0-9]\+\)|go ${go_ver}|g' $$file; \
 		sed -i 's|FROM golang:.*-alpine|FROM golang:${go_ver}-alpine|g' $$file; \
 	done
 	for path in ${gomod_paths}; do \
 		echo "go mod tidy $$path"; \
 		cd ${PWD}/$$path && go mod tidy; \
 	done
 update-deps:
 	for path in ${gomod_paths}; do \
 		echo "go get -u $$path"; \
 		cd ${PWD}/$$path && go get -u ./... && go mod tidy; \
 	done
 mod-tidy:
 	for path in ${gomod_paths}; do \
 		echo "go mod tidy $$path"; \
 		cd ${PWD}/$$path && go mod tidy; \
 	done
 setup:
 	mkdir -p config certs
 	[ -f config/config.yml ] || cp config.example.yml config/config.yml
 	[ -f config/providers.yml ] || touch config/providers.yml
 	[ -f compose.yml ] || cp compose.example.yml compose.yml
 build:
-	mkdir -p $(shell dirname ${BIN_PATH})
+	mkdir -p bin
-	cd ${PWD} && go build ${BUILD_FLAGS} -o ${BIN_PATH} ./cmd
+	CGO_ENABLED=0 GOOS=linux go build -pgo=auto -o bin/go-proxy src/go-proxy/*.go
 	${POST_BUILD}
-run:
+up:
-	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+	docker compose up -d --build app
-debug:
+restart:
-	make NAME="godoxy-test" debug=1 build
+	docker kill go-proxy
-	sh -c 'HTTP_ADDR=:81 HTTPS_ADDR=:8443 API_ADDR=:8899 DEBUG=1 bin/godoxy-test'
+	docker compose up -d app
-mtrace:
+logs:
-	 ${BIN_PATH} debug-ls-mtrace > mtrace.json
+	tail -f log/go-proxy.log
-rapid-crash:
+get:
-	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
+	go get -d -u ./src/go-proxy
 	sleep 3 &&\
 	docker rm -f test_crash
-debug-list-containers:
+udp-server:
-	bash -c 'echo -e "GET /containers/json HTTP/1.0\r\n" | sudo netcat -U /var/run/docker.sock | tail -n +9 | jq'
+	docker run -it --rm \
-
+		-p 9999:9999/udp \
-ci-test:
+		--label proxy.test-udp.scheme=udp \
-	mkdir -p /tmp/artifacts
+		--label proxy.test-udp.port=20003:9999 \
-	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"
+		--network data_default \
-
+		--name test-udp \
-cloc:
+		$$(docker build -q -f udp-test-server.Dockerfile .)
 	cloc --include-lang=Go --not-match-f '_test.go$$' .
 push-github:
 	git push origin $(shell git rev-parse --abbrev-ref HEAD)
--- a/README.md
+++ b/README.md
@ -1,202 +1,493 @@
-<div align="center">
+# go-proxy
-# GoDoxy
+A simple auto docker reverse proxy for home use. **Written in _Go_**
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+In the examples domain `x.y.z` is used, replace them with your domain
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=go-proxy)
 ![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
 A lightweight, simple, and performant reverse proxy with WebUI.
 <h5>
 <a href="https://docs.godoxy.dev">Website</a> | <a href="https://docs.godoxy.dev/Home.html">Wiki</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
 </h5>
 <h5>EN | <a href="README_CHT.md">中文</a></h5>
 <img src="screenshots/webui.jpg" style="max-width: 650">
 </div>
 ## Table of content
-<!-- TOC -->
+- [go-proxy](#go-proxy)
 - [GoDoxy](#godoxy)
  - [Table of content](#table-of-content)
-  - [Running demo](#running-demo)
+  - [Key Points](#key-points)
-  - [Key Features](#key-features)
+  - [How to use](#how-to-use)
-  - [Prerequisites](#prerequisites)
+    - [Binary](#binary)
-  - [Setup](#setup)
+    - [Docker](#docker)
-  - [How does GoDoxy work](#how-does-godoxy-work)
+  - [Command-line args](#command-line-args)
-  - [Screenshots](#screenshots)
+    - [Commands](#commands)
-    - [idlesleeper](#idlesleeper)
+  - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
-    - [Metrics and Logs](#metrics-and-logs)
+  - [Configuration](#configuration)
-  - [Manual Setup](#manual-setup)
+    - [Labels (docker)](#labels-docker)
-    - [Folder structrue](#folder-structrue)
+    - [Environment variables](#environment-variables)
    - [Config File](#config-file)
      - [Fields](#fields)
      - [Provider Kinds](#provider-kinds)
    - [Provider File](#provider-file)
    - [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
  - [Examples](#examples)
    - [Single port configuration example](#single-port-configuration-example)
    - [Multiple ports configuration example](#multiple-ports-configuration-example)
    - [TCP/UDP configuration example](#tcpudp-configuration-example)
  - [Load balancing Configuration Example](#load-balancing-configuration-example)
  - [Troubleshooting](#troubleshooting)
  - [Benchmarks](#benchmarks)
  - [Known issues](#known-issues)
  - [Memory usage](#memory-usage)
  - [Build it yourself](#build-it-yourself)
-## Running demo
+## Key Points
-<https://demo.godoxy.dev>
+- Fast (See [benchmarks](#benchmarks))
 - Auto certificate obtaining and renewal (See [Config File](#config-file) and [Supported DNS Challenge Providers](#supported-dns-challenge-providers))
 - Auto detect reverse proxies from docker
 - Auto hot-reload on container `start` / `die` / `stop` or config file changes
 - Custom proxy entries with `config.yml` and additional provider files
 - Subdomain matching + Path matching **(domain name doesn't matter)**
 - HTTP(s) proxy + TCP/UDP Proxy (UDP is _experimental_)
 - HTTP(s) round robin load balance support (same subdomain and path across different hosts)
 - Simple panel to see all reverse proxies and health available on port 8080 (http) and port 8443 (https)
-[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
+  ![panel screenshot](screenshots/panel.png)
-## Key Features
+- Config editor to edit config and provider files with validation
- **Simple**
+  **Validate and save file with Ctrl+S**
  - Effortless configuration with [simple labels](https://docs.godoxy.dev/Docker-labels-and-Route-Files) or WebUI
  - [Simple multi-node setup](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
  - Detailed error messages for easy troubleshooting.
 - **ACL**: connection / request level access control
  - IP/CIDR
  - Country **(Maxmind account required)**
  - Timezone **(Maxmind account required)**
  - **Access logging**
 - **Advanced Automation**
  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://docs.godoxy.dev/DNS-01-Providers))
  - Auto-configuration for Docker containers
  - Hot-reloading of configurations and container state changes
 - **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
  - Docker containers
  - Proxmox LXCs
 - **Traffic Management**
  - HTTP reserve proxy
  - TCP/UDP port forwarding
  - **OpenID Connect support**: SSO and secure your apps easily
 - **Customization**
  - [HTTP middlewares](https://docs.godoxy.dev/Middlewares)
  - [Custom error pages support](https://docs.godoxy.dev/Custom-Error-Pages)
 - **Web UI**
  - App Dashboard
  - Config Editor
  - Uptime and System Metrics
  - Docker Logs Viewer
 - **Cross-Platform support**
  - Supports **linux/amd64** and **linux/arm64**
 - **Efficient and Performant**
  - Written in **[Go](https://go.dev)**
-## Prerequisites
+  ![config editor screenshot](screenshots/config_editor.png)
-Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.
+## How to use
- A Record: `*.domain.com` -> `10.0.10.1`
+1. Clone the repository `git clone https://github.com/yusing/go-proxy && cd go-proxy`
 - AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`
-## Setup
+2. Call `make setup` to init config file, provider file, and docker compose file
-> [!NOTE]
+3. Point your domain (i.e `y.z`) to your machine's IP address
 > GoDoxy is designed to be running in `host` network mode, do not change it.
 >
 > To change listening ports, modify `.env`.
-1. Prepare a new directory for docker compose and config files.
+   - A Record: `*.y.z` -> `10.0.10.1`
   - AAAA Record: `*.y.z` -> `::ffff:a00:a01`
-2. Run setup script inside the directory, or [set up manually](#manual-setup)
+4. Start `go-proxy` (see [Binary](#binary) or [docker](#docker))
-   ```shell
+5. Start editing config files
-   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+    - with text editor (i.e. Visual Studio Code)
-   ```
+    - with web config editor by navigate to `ip:8080`
-3. Start the docker compose service from generated `compose.yml`:
+### Binary
-   ```shell
+1. (Optional) enabled HTTPS
   docker compose up -d
   ```
-4. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`
+   - Use autocert feature by completing `autocert` in `config.yml`
-## How does GoDoxy work
+   - Use existing certificate
-1. List all the containers
+     Prepare your wildcard (`*.y.z`) SSL cert in `certs/`
 2. Read container name, labels and port configurations for each of them
 3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
 4. Watch for container / config changes and update automatically
-> [!NOTE]
+     - cert / chain / fullchain: `certs/cert.crt`
-> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
+     - private key: `certs/priv.key`
 >
 > For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.
-## Screenshots
+2. run the binary `bin/go-proxy`
-### idlesleeper
+3. enjoy
-![idlesleeper](screenshots/idlesleeper.webp)
+### Docker
-### Metrics and Logs
+1. Copy content from [compose.example.yml](compose.example.yml) and create your own `compose.yml`
-<div align="center">
+2. Add networks to make sure it is in the same network with other containers, or make sure `proxy.<alias>.host` is reachable
  <table>
    <tr>
      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
    </tr>
    <tr>
      <td align="center"><b>Uptime Monitor</b></td>
      <td align="center"><b>Docker Logs</b></td>
      <td align="center"><b>Server Overview</b></td>
    </tr>
        <tr>
      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
    </tr>
    <tr>
      <td align="center"><b>System Monitor</b></td>
      <td align="center"><b>Graphs</b></td>
    </tr>
  </table>
 </div>
-## Manual Setup
+3. (Optional) enable HTTPS
-1. Make `config` directory then grab `config.example.yml` into `config/config.yml`
+   - Use autocert feature by completing `autocert` section in `config/config.yml` and mount `certs/` to `/app/certs` in order to store obtained certs
-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`
+   - Use existing certificate by mount your wildcard (`*.y.z`) SSL cert
-2. Grab `.env.example` into `.env`
+     - cert / chain / fullchain -> `/app/certs/cert.crt`
     - private key -> `/app/certs/priv.key`
-   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`
+4. Start `go-proxy` with `docker compose up -d` or `make up`.
-3. Grab `compose.example.yml` into `compose.yml`
+5. (Optional) If you are using ufw with vpn that drop all inbound traffic except vpn, run below to allow docker containers to connect to `go-proxy`
-   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`
+   In case the network of your container is in subnet `172.16.0.0/16` (bridge),
   and vpn network is under `100.64.0.0/10` (i.e. tailscale)
-### Folder structrue
+   `sudo ufw allow from 172.16.0.0/16 to 100.64.0.0/10`
-```shell
+   You can also list CIDRs of all docker bridge networks by:
-├── certs
+
-│   ├── cert.crt
+   `docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -`
-│   └── priv.key
+
-├── compose.yml
+6. start your docker app, and visit <container_name>.y.z
-├── config
+
-│   ├── config.yml
+7. check the logs with `docker compose logs` or `make logs` to see if there is any error, check panel at [panel port] for active proxies
-│   ├── middlewares
+
-│   │   ├── middleware1.yml
+## Command-line args
-│   │   ├── middleware2.yml
+
-│   ├── provider1.yml
+`go-proxy [command]`
-│   └── provider2.yml
+
-├── data
+### Commands
-│   ├── metrics # metrics data
+
-│   │   ├── uptime.json
+- empty: start proxy server
-│   │   └── system_info.json
+- validate: validate config and exit
-└── .env
+- reload: force reload config and exit
 ## Use JSON Schema in VSCode
 Modify `.vscode/settings.json` to fit your needs
 ```json
 {
  "yaml.schemas": {
    "https://github.com/yusing/go-proxy/raw/main/schema/config.schema.json": [
      "config.example.yml",
      "config.yml"
    ],
    "https://github.com/yusing/go-proxy/raw/main/schema/providers.schema.json": [
      "providers.example.yml",
      "*.providers.yml"
    ]
  }
 }
 ```
 ## Configuration
 With container name, no label needs to be added _(most of the time)_.
 ### Labels (docker)
 See [compose.example.yml](compose.example.yml) for more
 - `proxy.aliases`: comma separated aliases for subdomain matching
  - default: container name
 - `proxy.*.<field>`: wildcard label for all aliases
 Below labels has a **`proxy.<alias>`** prefix (i.e. `proxy.nginx.scheme: http`)
 - `scheme`: proxy protocol
  - default: `http`
  - allowed: `http`, `https`, `tcp`, `udp`
 - `host`: proxy host
  - default: `container_name`
 - `port`: proxy port
  - default: first expose port (declared in `Dockerfile` or `docker-compose.yml`)
  - `http(s)`: number in range og `0 - 65535`
  - `tcp/udp`: `[<listeningPort>:]<targetPort>`
    - `listeningPort`: number, when it is omitted (not suggested), a free port starting from 20000 will be used.
    - `targetPort`: number, or predefined names (see [constants.go:14](src/go-proxy/constants.go#L14))
 - `no_tls_verify`: whether skip tls verify when scheme is https
  - default: `false`
 - `path`: proxy path _(http(s) proxy only)_
  - default: empty
 - `path_mode`: mode for path handling
  - default: empty
  - allowed: empty, `forward`, `sub`
    - `empty`: remove path prefix from URL when proxying
      1. apps.y.z/webdav -> webdav:80
      2. apps.y.z./webdav/path/to/file -> webdav:80/path/to/file
    - `forward`: path remain unchanged
      1. apps.y.z/webdav -> webdav:80/webdav
      2. apps.y.z./webdav/path/to/file -> webdav:80/webdav/path/to/file
    - `sub`: (experimental) remove path prefix from URL and also append path to HTML link attributes (`src`, `href` and `action`) and Javascript `fetch(url)` by response body substitution
      e.g. apps.y.z/app1 -> webdav:80, `href="/app1/path/to/file"` -> `href="/path/to/file"`
 - `load_balance`: enable load balance (docker only)
  - allowed: `1`, `true`
 ### Environment variables
 - `GOPROXY_DEBUG`: set to `1` or `true` to enable debug behaviors (i.e. output, etc.)
 - `GOPROXY_REDIRECT_HTTP`: set to `0` or `false` to disable http to https redirect (only when certs are located)
 ### Config File
 See [config.example.yml](config.example.yml) for more
 #### Fields
 - `autocert`: autocert configuration
  - `email`: ACME Email
  - `domains`: a list of domains for cert registration
  - `provider`: DNS Challenge provider, see [Supported DNS Challenge Providers](#supported-dns-challenge-providers)
  - `options`: provider specific options
 - `providers`: reverse proxy providers configuration
  - `kind`: provider kind (string), see [Provider Kinds](#provider-kinds)
  - `value`: provider specific value
 #### Provider Kinds
 - `docker`: load reverse proxies from docker
  values:
  - `FROM_ENV`: value from environment
  - full url to docker host (i.e. `tcp://host:2375`)
 - `file`: load reverse proxies from provider file
  value: relative path of file to `config/`
 ### Provider File
 Fields are same as [docker labels](#labels-docker) starting from `scheme`
 See [providers.example.yml](providers.example.yml) for examples
 ### Supported DNS Challenge Providers
 - Cloudflare
  - `auth_token`: your zone API token
  Follow [this guide](https://cloudkul.com/blog/automcatic-renew-and-generate-ssl-on-your-website-using-lego-client/) to create a new token with `Zone.DNS` read and edit permissions
 To add more provider support (**CloudDNS** as an example):
 1. Fork this repo, modify [autocert.go](src/go-proxy/autocert.go#L305)
   ```go
   var providersGenMap = map[string]ProviderGenerator{
     "cloudflare": providerGenerator(cloudflare.NewDefaultConfig, cloudflare.NewDNSProviderConfig),
     // add here, i.e.
     "clouddns": providerGenerator(clouddns.NewDefaultConfig, clouddns.NewDNSProviderConfig),
   }
   ```
 2. Go to [https://go-acme.github.io/lego/dns/clouddns](https://go-acme.github.io/lego/dns/clouddns/) and check for required config
 3. Build `go-proxy` with `make build`
 4. Set required config in `config.yml` `autocert` -> `options` section
   ```shell
   # From https://go-acme.github.io/lego/dns/clouddns/
   CLOUDDNS_CLIENT_ID=bLsdFAks23429841238feb177a572aX \
   CLOUDDNS_EMAIL=you@example.com \
   CLOUDDNS_PASSWORD=b9841238feb177a84330f \
   lego --email you@example.com --dns clouddns --domains my.example.org run
   ```
   Should turn into:
   ```yaml
   autocert:
     ...
     options:
       client_id: bLsdFAks23429841238feb177a572aX
       email: you@example.com
       password: b9841238feb177a84330f
   ```
 5. Run and test if it works
 6. Commit and create pull request
 ## Examples
 ### Single port configuration example
 ```yaml
 # (default) https://<container_name>.y.z
 whoami:
  image: traefik/whoami
  container_name: whoami # => whoami.y.z
 # enable both subdomain and path matching:
 whoami:
  image: traefik/whoami
  container_name: whoami
  labels:
    - proxy.aliases=whoami,apps
    - proxy.apps.path=/whoami
 # 1. visit https://whoami.y.z
 # 2. visit https://apps.y.z/whoami
 ```
 ### Multiple ports configuration example
 ```yaml
 minio:
  image: quay.io/minio/minio
  container_name: minio
  ...
  labels:
    - proxy.aliases=minio,minio-console
    - proxy.minio.port=9000
    - proxy.minio-console.port=9001
 # visit https://minio.y.z to access minio
 # visit https://minio-console.y.z/whoami to access minio console
 ```
 ### TCP/UDP configuration example
 ```yaml
 # In the app
 app-db:
  image: postgres:15
  container_name: app-db
  ...
  labels:
    # Optional (postgres is in the known image map)
    - proxy.app-db.scheme=tcp
    # Optional (first free port will be used for listening port)
    - proxy.app-db.port=20000:postgres
 # In go-proxy
 go-proxy:
  ...
  ports:
    - 80:80
    ...
    - 20000:20000/tcp
    # or 20000-20010:20000-20010/tcp to declare large range at once
 # access app-db via <*>.y.z:20000
 ```
 ## Load balancing Configuration Example
 ```yaml
 nginx:
  ...
  deploy:
    mode: replicated
    replicas: 3
  labels:
    - proxy.nginx.load_balance=1 # allowed: [1, true]
 ```
 ## Troubleshooting
 Q: How to fix when it shows "no matching route for subdomain \<subdomain>"?
 A: Make sure the container is running, and \<subdomain> matches any container name / alias
 ## Benchmarks
 Benchmarked with `wrk` connecting `traefik/whoami`'s `/bench` endpoint
 Remote benchmark (client running wrk and `go-proxy` server are different devices)
 - Direct connection
  ```shell
  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.100.3:8003/bench
  Running 10s test @ http://10.0.100.3:8003/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency    94.75ms  199.92ms   1.68s    91.27%
      Req/Sec     4.24k     1.79k   18.79k    72.13%
    Latency Distribution
      50%    1.14ms
      75%  120.23ms
      90%  245.63ms
      99%    1.03s
    423444 requests in 10.10s, 50.88MB read
    Socket errors: connect 0, read 0, write 0, timeout 29
  Requests/sec:  41926.32
  Transfer/sec:      5.04MB
  ```
 - With reverse proxy
  ```shell
  root@yusing-pc:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
  Running 10s test @ http://10.0.1.7/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency    79.35ms  169.79ms   1.69s    92.55%
      Req/Sec     4.27k     1.90k   19.61k    75.81%
    Latency Distribution
      50%    1.12ms
      75%  105.66ms
      90%  200.22ms
      99%  814.59ms
    409836 requests in 10.10s, 49.25MB read
    Socket errors: connect 0, read 0, write 0, timeout 18
  Requests/sec:  40581.61
  Transfer/sec:      4.88MB
  ```
 Local benchmark (client running wrk and `go-proxy` server are under same proxmox host but different LXCs)
 - Direct connection
  ```shell
  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s --latency http://10.0.100.1/bench
  Running 10s test @ http://10.0.100.1/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency   434.08us  539.35us   8.76ms   85.28%
      Req/Sec    67.71k     6.31k   87.21k    71.20%
    Latency Distribution
      50%  153.00us
      75%  646.00us
      90%    1.18ms
      99%    2.38ms
    6739591 requests in 10.01s, 809.85MB read
  Requests/sec: 673608.15
  Transfer/sec:     80.94MB
  ```
 - With `go-proxy` reverse proxy
  ```shell
  root@http-benchmark-client:~# wrk -t 10 -c 200 -d 10s -H "Host: bench.6uo.me" --latency http://10.0.1.7/bench
  Running 10s test @ http://10.0.1.7/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency     1.23ms    0.96ms  11.43ms   72.09%
      Req/Sec    17.48k     1.76k   21.48k    70.20%
    Latency Distribution
      50%    0.98ms
      75%    1.76ms
      90%    2.54ms
      99%    4.24ms
    1739079 requests in 10.01s, 208.97MB read
  Requests/sec: 173779.44
  Transfer/sec:     20.88MB
  ```
 - With `traefik-v3`
  ```shell
  root@traefik-benchmark:~# wrk -t10 -c200 -d10s -H "Host: benchmark.whoami" --latency http://127.0.0.1:8000/bench
  Running 10s test @ http://127.0.0.1:8000/bench
    10 threads and 200 connections
    Thread Stats   Avg      Stdev     Max   +/- Stdev
      Latency     2.81ms   10.36ms 180.26ms   98.57%
      Req/Sec    11.35k     1.74k   13.76k    85.54%
    Latency Distribution
      50%    1.59ms
      75%    2.27ms
      90%    3.17ms
      99%   37.91ms
    1125723 requests in 10.01s, 109.50MB read
  Requests/sec: 112499.59
  Transfer/sec:     10.94MB
  ```
 ## Known issues
 None
 ## Memory usage
 It takes ~15 MB for 50 proxy entries
 ## Build it yourself
-1. Clone the repository `git clone https://github.com/yusing/godoxy --depth=1`
+1. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already
-2. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already
+2. Clear cache if you have built this before (go < 1.22) with `go clean -cache`
-3. Clear cache if you have built this before (go < 1.22) with `go clean -cache`
+3. get dependencies with `make get`
-4. get dependencies with `make get`
+4. build binary with `make build`
-5. build binary with `make build`
+5. start your container with `make up` (docker) or `bin/go-proxy` (binary)
 [🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@ -1,189 +0,0 @@
 <div align="center">
 # GoDoxy
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
 ![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
 [![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)
 輕量、易用、 高效能，且帶有主頁和配置面板的反向代理
 <h5>
 <a href="https://docs.godoxy.dev">網站</a> | <a href="https://docs.godoxy.dev/Home.html">文檔</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
 </h5>
 <h5><a href="README.md">EN</a> | 中文</h5>
 <img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
 </div>
 ## 目錄
 <!-- TOC -->
 - [GoDoxy](#godoxy)
  - [目錄](#目錄)
  - [運行示例](#運行示例)
  - [主要特點](#主要特點)
  - [前置需求](#前置需求)
  - [安裝](#安裝)
    - [手動安裝](#手動安裝)
    - [資料夾結構](#資料夾結構)
  - [截圖](#截圖)
    - [閒置休眠](#閒置休眠)
    - [監控](#監控)
  - [自行編譯](#自行編譯)
 ## 運行示例
 <https://demo.godoxy.dev>
 [![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)
 ## 主要特點
 - **簡單易用**
  - 透過 Docker[標籤](https://docs.godoxy.dev/Docker-labels-and-Route-Files)或 WebUI 輕鬆設定
  - [簡單的多節點設置](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
  - 詳細的錯誤訊息，便於故障排除
 - **存取控制 (ACL)**：連線/請求層級存取控制
  - IP/CIDR
  - 國家 **(需要 Maxmind 帳戶)**
  - 時區 **(需要 Maxmind 帳戶)**
  - **存取日誌記錄**
 - **自動化**
  - 使用 Let's Encrypt 自動管理 SSL 憑證 ([使用 DNS-01 驗證](https://docs.godoxy.dev/DNS-01-Providers))
  - Docker 容器自動配置
  - 設定檔與容器狀態變更時自動熱重載
 - **閒置休眠**：根據流量停止和喚醒容器 _(參見[截圖](#閒置休眠))_
  - Docker 容器
  - Proxmox LXC 容器
 - **流量管理**
  - HTTP 反向代理
  - TCP/UDP 連接埠轉送
  - **OpenID Connect 支援**：輕鬆實現單點登入 (SSO) 並保護您的應用程式
 - **客製化**
  - [HTTP 中介軟體](https://docs.godoxy.dev/Middlewares)
  - [支援自訂錯誤頁面](https://docs.godoxy.dev/Custom-Error-Pages)
 - **網頁使用者介面 (Web UI)**
  - 應用程式一覽
  - 設定編輯器
  - 執行時間與系統指標
  - Docker 日誌檢視器
 - **跨平台支援**
  - 支援 **linux/amd64** 與 **linux/arm64**
 - **高效能**
  - 以 **[Go](https://go.dev)** 語言編寫
 [🔼 回到頂部](#目錄)
 ## 前置需求
 設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：
 - A 記錄：`*.y.z` -> `10.0.10.1`
 - AAAA 記錄：`*.y.z` -> `::ffff:a00:a01`
 ## 安裝
 > [!NOTE]
 > GoDoxy 僅在 `host` 網路模式下運作，請勿更改。
 >
 > 如需更改監聽埠，請修改 `.env`。
 1. 準備一個新目錄用於 docker compose 和配置文件。
 2. 在目錄內運行安裝腳本，或[手動安裝](#手動安裝)
   ```shell
   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
   ```
 3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置
 [🔼 回到頂部](#目錄)
 ### 手動安裝
 1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`
   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`
 2. 將 `.env.example` 下載到 `.env`
   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`
 3. 將 `compose.example.yml` 下載到 `compose.yml`
   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`
 ### 資料夾結構
 ```shell
 ├── certs
 │   ├── cert.crt
 │   └── priv.key
 ├── compose.yml
 ├── config
 │   ├── config.yml
 │   ├── middlewares
 │   │   ├── middleware1.yml
 │   │   ├── middleware2.yml
 │   ├── provider1.yml
 │   └── provider2.yml
 ├── data
 │   ├── metrics # metrics data
 │   │   ├── uptime.json
 │   │   └── system_info.json
 └── .env
 ```
 ## 截圖
 ### 閒置休眠
 ![閒置休眠](screenshots/idlesleeper.webp)
 [🔼 回到頂部](#目錄)
 ### 監控
 <div align="center">
  <table>
    <tr>
      <td align="center"><img src="screenshots/uptime.png" alt="Uptime Monitor" width="250"/></td>
      <td align="center"><img src="screenshots/docker-logs.jpg" alt="Docker Logs" width="250"/></td>
      <td align="center"><img src="screenshots/docker.jpg" alt="Server Overview" width="250"/></td>
    </tr>
    <tr>
      <td align="center"><b>運行時間監控</b></td>
      <td align="center"><b>Docker 日誌</b></td>
      <td align="center"><b>伺服器概覽</b></td>
    </tr>
        <tr>
      <td align="center"><img src="screenshots/system-monitor.jpg" alt="System Monitor" width="250"/></td>
      <td align="center"><img src="screenshots/system-info-graphs.jpg" alt="Graphs" width="250"/></td>
    </tr>
    <tr>
      <td align="center"><b>系統監控</b></td>
      <td align="center"><b>圖表</b></td>
    </tr>
  </table>
 </div>
 ## 自行編譯
 1. 克隆儲存庫 `git clone https://github.com/yusing/godoxy --depth=1`
 2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`
 3. 如果之前編譯過（go < 1.22），請使用 `go clean -cache` 清除快取
 4. 使用 `make get` 獲取依賴
 5. 使用 `make build` 編譯二進制檔案
 [🔼 回到頂部](#目錄)
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@ -1,69 +0,0 @@
 package main
 import (
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/env"
 	"github.com/yusing/go-proxy/agent/pkg/server"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	httpServer "github.com/yusing/go-proxy/internal/net/gphttp/server"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
 	socketproxy "github.com/yusing/go-proxy/socketproxy/pkg"
 )
 func main() {
 	ca := &agent.PEMPair{}
 	err := ca.Load(env.AgentCACert)
 	if err != nil {
 		gperr.LogFatal("init CA error", err)
 	}
 	caCert, err := ca.ToTLSCert()
 	if err != nil {
 		gperr.LogFatal("init CA error", err)
 	}
 	srv := &agent.PEMPair{}
 	srv.Load(env.AgentSSLCert)
 	if err != nil {
 		gperr.LogFatal("init SSL error", err)
 	}
 	srvCert, err := srv.ToTLSCert()
 	if err != nil {
 		gperr.LogFatal("init SSL error", err)
 	}
 	logging.Info().Msgf("GoDoxy Agent version %s", pkg.GetVersion())
 	logging.Info().Msgf("Agent name: %s", env.AgentName)
 	logging.Info().Msgf("Agent port: %d", env.AgentPort)
 	logging.Info().Msg(`
 Tips:
 1. To change the agent name, you can set the AGENT_NAME environment variable.
 2. To change the agent port, you can set the AGENT_PORT environment variable.
 `)
 	t := task.RootTask("agent", false)
 	opts := server.Options{
 		CACert:     caCert,
 		ServerCert: srvCert,
 		Port:       env.AgentPort,
 	}
 	server.StartAgentServer(t, opts)
 	if socketproxy.ListenAddr != "" {
 		logging.Info().Msgf("Docker socket listening on: %s", socketproxy.ListenAddr)
 		opts := httpServer.Options{
 			Name:     "docker",
 			HTTPAddr: socketproxy.ListenAddr,
 			Handler:  socketproxy.NewHandler(),
 		}
 		httpServer.StartServer(t, opts)
 	}
 	systeminfo.Poller.Start()
 	task.WaitExit(3)
 }
--- a/agent/go.mod
+++ b/agent/go.mod
@ -1,92 +0,0 @@
 module github.com/yusing/go-proxy/agent
 go 1.24.3
 replace github.com/yusing/go-proxy => ..
 replace github.com/yusing/go-proxy/socketproxy => ../socket-proxy
 replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
 replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97
 require (
 	github.com/coder/websocket v1.8.13
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.10.0
 	github.com/yusing/go-proxy v0.0.0-00010101000000-000000000000
 	github.com/yusing/go-proxy/socketproxy v0.0.0-00010101000000-000000000000
 )
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/PuerkitoBio/goquery v1.10.3 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/docker/cli v28.1.1+incompatible // indirect
 	github.com/docker/docker v28.1.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.3 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
 	github.com/go-acme/lego/v4 v4.23.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.26.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/goccy/go-yaml v1.17.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/gotify/server/v2 v2.6.3 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/luthermonson/go-proxmox v0.2.2 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.66 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/puzpuzpuz/xsync/v4 v4.1.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/quic-go/quic-go v0.51.0 // indirect
 	github.com/samber/lo v1.50.0 // indirect
 	github.com/samber/slog-common v0.18.1 // indirect
 	github.com/samber/slog-zerolog/v2 v2.7.3 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.4 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/spf13/afero v1.14.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/mock v0.5.2 // indirect
 	golang.org/x/crypto v0.38.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/agent/go.sum
+++ b/agent/go.sum
@ -1,330 +0,0 @@
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
 github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
 github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/diskfs/go-diskfs v1.6.0 h1:YmK5+vLSfkwC6kKKRTRPGaDGNF+Xh8FXeiNHwryDfu4=
 github.com/diskfs/go-diskfs v1.6.0/go.mod h1:bRFumZeGFCO8C2KNswrQeuj2m1WCVr4Ms5IjWMczMDk=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
 github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/ebitengine/purego v0.8.3 h1:K+0AjQp63JEZTEMZiwsI9g0+hAMNohwUOtY0RPGexmc=
 github.com/ebitengine/purego v0.8.3/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
 github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
 github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
 github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
 github.com/go-acme/lego/v4 v4.23.1 h1:lZ5fGtGESA2L9FB8dNTvrQUq3/X4QOb8ExkKyY7LSV4=
 github.com/go-acme/lego/v4 v4.23.1/go.mod h1:7UMVR7oQbIYw6V7mTgGwi4Er7B6Ww0c+c8feiBM0EgI=
 github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
 github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
 github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
 github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
 github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1 h1:fsSqE28vU0PRkq9FdekirRoDBeYJ+UaJ9dTErdXflWg=
 github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1/go.mod h1:av6ggKWQz6SEkFyShjDEgVqiIB0RHvEQNIkPeqgJEeE=
 github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97 h1:i52gBYamrKs4DHT1+SiobW2im5UgTMVXK1KIL1djSeA=
 github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97/go.mod h1:XvbfPmmrdpLrsKwj3irYkxt5ygyMcDsTQTJ7cnZ9RNQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4=
 github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotify/server/v2 v2.6.3 h1:2sLDRsQ/No1+hcFwFDvjNtwKepfCSIR8L3BkXl/Vz1I=
 github.com/gotify/server/v2 v2.6.3/go.mod h1:IyeQ/iL3vetcuqUAzkCMVObIMGGJx4zb13/mVatIwE8=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
 github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
 github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
 github.com/luthermonson/go-proxmox v0.2.2 h1:BZ7VEj302wxw2i/EwTcyEiBzQib8teocB2SSkLHyySY=
 github.com/luthermonson/go-proxmox v0.2.2/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
 github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
 github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
 github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
 github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
 github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
 github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
 github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
 github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
 github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/puzpuzpuz/xsync/v4 v4.1.0 h1:x9eHRl4QhZFIPJ17yl4KKW9xLyVWbb3/Yq4SXpjF71U=
 github.com/puzpuzpuz/xsync/v4 v4.1.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
 github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
 github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
 github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
 github.com/samber/slog-common v0.18.1 h1:c0EipD/nVY9HG5shgm/XAs67mgpWDMF+MmtptdJNCkQ=
 github.com/samber/slog-common v0.18.1/go.mod h1:QNZiNGKakvrfbJ2YglQXLCZauzkI9xZBjOhWFKS3IKk=
 github.com/samber/slog-zerolog/v2 v2.7.3 h1:/MkPDl/tJhijN2GvB1MWwBn2FU8RiL3rQ8gpXkQm2EY=
 github.com/samber/slog-zerolog/v2 v2.7.3/go.mod h1:oWU7WHof4Xp8VguiNO02r1a4VzkgoOyOZhY5CuRke60=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
 github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
 github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
 github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
 github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
 github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
 go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 h1:lUsI2TYsQw2r1IASwoROaCnjdj2cvC2+Jbxvk6nHnWU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0/go.mod h1:2HpZxxQurfGxJlJDblybejHB6RX6pmExPNe517hREw4=
 go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
 go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
 go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
 go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
 go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
 go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI=
 go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
 go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
 golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
 golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
 golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
 golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
 golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
 golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
 google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 h1:GVIKPyP/kLIyVOgOnTwFOrvQaQUzOzGMCxgFUOEmm24=
 google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422/go.mod h1:b6h1vNKhxaSoEI+5jc3PJUCustfli/mRab7295pY7rw=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 h1:IkAfh6J/yllPtpYFU0zZN1hUPYdT0ogkBT/9hMxHjvg=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
 google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
--- a/agent/pkg/agent/bare_metal.go
+++ b/agent/pkg/agent/bare_metal.go
@ -1,23 +0,0 @@
 package agent
 import (
 	"bytes"
 	"text/template"
 )
 var (
 	installScript = `AGENT_NAME="{{.Name}}" \
 	AGENT_PORT="{{.Port}}" \
 	AGENT_CA_CERT="{{.CACert}}" \
 	AGENT_SSL_CERT="{{.SSLCert}}" \
 	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/install-agent.sh)"`
 	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
 )
 func (c *AgentEnvConfig) Generate() (string, error) {
 	buf := bytes.NewBuffer(make([]byte, 0, 4096))
 	if err := installScriptTemplate.Execute(buf, c); err != nil {
 		return "", err
 	}
 	return buf.String(), nil
 }
--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@ -1,197 +0,0 @@
 package agent
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/agent/pkg/certs"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/pkg"
 )
 type AgentConfig struct {
 	Addr string
 	httpClient *http.Client
 	tlsConfig  *tls.Config
 	name       string
 	version    string
 	l          zerolog.Logger
 }
 const (
 	EndpointVersion    = "/version"
 	EndpointName       = "/name"
 	EndpointProxyHTTP  = "/proxy/http"
 	EndpointHealth     = "/health"
 	EndpointLogs       = "/logs"
 	EndpointSystemInfo = "/system_info"
 	AgentHost = CertsDNSName
 	APIEndpointBase = "/godoxy/agent"
 	APIBaseURL      = "https://" + AgentHost + APIEndpointBase
 	DockerHost = "https://" + AgentHost
 	FakeDockerHostPrefix    = "agent://"
 	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
 )
 func mustParseURL(urlStr string) *url.URL {
 	u, err := url.Parse(urlStr)
 	if err != nil {
 		panic(err)
 	}
 	return u
 }
 var (
 	AgentURL              = mustParseURL(APIBaseURL)
 	HTTPProxyURL          = mustParseURL(APIBaseURL + EndpointProxyHTTP)
 	HTTPProxyURLPrefixLen = len(APIEndpointBase + EndpointProxyHTTP)
 )
 func IsDockerHostAgent(dockerHost string) bool {
 	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
 }
 func GetAgentAddrFromDockerHost(dockerHost string) string {
 	return dockerHost[FakeDockerHostPrefixLen:]
 }
 func (cfg *AgentConfig) FakeDockerHost() string {
 	return FakeDockerHostPrefix + cfg.Addr
 }
 func (cfg *AgentConfig) Parse(addr string) error {
 	cfg.Addr = addr
 	return nil
 }
 var serverVersion = pkg.GetVersion()
 func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte) error {
 	clientCert, err := tls.X509KeyPair(crt, key)
 	if err != nil {
 		return err
 	}
 	// create tls config
 	caCertPool := x509.NewCertPool()
 	ok := caCertPool.AppendCertsFromPEM(ca)
 	if !ok {
 		return errors.New("invalid ca certificate")
 	}
 	cfg.tlsConfig = &tls.Config{
 		Certificates: []tls.Certificate{clientCert},
 		RootCAs:      caCertPool,
 		ServerName:   CertsDNSName,
 	}
 	// create transport and http client
 	cfg.httpClient = cfg.NewHTTPClient()
 	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 	// get agent name
 	name, _, err := cfg.Fetch(ctx, EndpointName)
 	if err != nil {
 		return err
 	}
 	cfg.name = string(name)
 	cfg.l = logging.With().Str("agent", cfg.name).Logger()
 	// check agent version
 	agentVersionBytes, _, err := cfg.Fetch(ctx, EndpointVersion)
 	if err != nil {
 		return err
 	}
 	cfg.version = string(agentVersionBytes)
 	agentVersion := pkg.ParseVersion(cfg.version)
 	if serverVersion.IsNewerMajorThan(agentVersion) {
 		logging.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.name, serverVersion, agentVersion)
 	}
 	logging.Info().Msgf("agent %q initialized", cfg.name)
 	return nil
 }
 func (cfg *AgentConfig) Start(ctx context.Context) error {
 	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
 	if !ok {
 		return fmt.Errorf("invalid agent host: %s", cfg.Addr)
 	}
 	certData, err := os.ReadFile(filepath)
 	if err != nil {
 		return fmt.Errorf("failed to read agent certs: %w", err)
 	}
 	ca, crt, key, err := certs.ExtractCert(certData)
 	if err != nil {
 		return fmt.Errorf("failed to extract agent certs: %w", err)
 	}
 	return cfg.StartWithCerts(ctx, ca, crt, key)
 }
 func (cfg *AgentConfig) NewHTTPClient() *http.Client {
 	return &http.Client{
 		Transport: cfg.Transport(),
 	}
 }
 func (cfg *AgentConfig) Transport() *http.Transport {
 	return &http.Transport{
 		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 			if addr != AgentHost+":443" {
 				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
 			}
 			if network != "tcp" {
 				return nil, &net.OpError{Op: "dial", Net: network, Source: nil, Addr: nil}
 			}
 			return cfg.DialContext(ctx)
 		},
 		TLSClientConfig: cfg.tlsConfig,
 	}
 }
 var dialer = &net.Dialer{Timeout: 5 * time.Second}
 func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
 	return dialer.DialContext(ctx, "tcp", cfg.Addr)
 }
 func (cfg *AgentConfig) Name() string {
 	return cfg.name
 }
 func (cfg *AgentConfig) String() string {
 	return cfg.name + "@" + cfg.Addr
 }
 func (cfg *AgentConfig) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]string{
 		"name":    cfg.Name(),
 		"addr":    cfg.Addr,
 		"version": cfg.version,
 	})
 }
--- a/agent/pkg/agent/docker_compose.go
+++ b/agent/pkg/agent/docker_compose.go
@ -1,27 +0,0 @@
 package agent
 import (
 	"bytes"
 	"text/template"
 	_ "embed"
 )
 var (
 	//go:embed templates/agent.compose.yml
 	agentComposeYAML         string
 	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml").Parse(agentComposeYAML))
 )
 const (
 	DockerImageProduction = "ghcr.io/yusing/godoxy-agent:latest"
 	DockerImageNightly    = "ghcr.io/yusing/godoxy-agent:nightly"
 )
 func (c *AgentComposeConfig) Generate() (string, error) {
 	buf := bytes.NewBuffer(make([]byte, 0, 1024))
 	if err := agentComposeYAMLTemplate.Execute(buf, c); err != nil {
 		return "", err
 	}
 	return buf.String(), nil
 }
--- a/agent/pkg/agent/env.go
+++ b/agent/pkg/agent/env.go
@ -1,17 +0,0 @@
 package agent
 type (
 	AgentEnvConfig struct {
 		Name    string
 		Port    int
 		CACert  string
 		SSLCert string
 	}
 	AgentComposeConfig struct {
 		Image string
 		*AgentEnvConfig
 	}
 	Generator interface {
 		Generate() (string, error)
 	}
 )
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@ -1,189 +0,0 @@
 package agent
 import (
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
 	"math/big"
 	"strings"
 	"time"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"fmt"
 )
 const (
 	CertsDNSName = "godoxy.agent"
 )
 func toPEMPair(certDER []byte, key *ecdsa.PrivateKey) *PEMPair {
 	marshaledKey, err := marshalECPrivateKey(key)
 	if err != nil {
 		// This is a critical internal error during PEM encoding of a newly generated key.
 		// Panicking is acceptable here as it indicates a fundamental issue.
 		panic(fmt.Sprintf("failed to marshal EC private key for PEM encoding: %v", err))
 	}
 	return &PEMPair{
 		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
 		Key:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: marshaledKey}),
 	}
 }
 func marshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
 	derBytes, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal EC private key: %w", err)
 	}
 	return derBytes, nil
 }
 func b64Encode(data []byte) string {
 	return base64.StdEncoding.EncodeToString(data)
 }
 func b64Decode(data string) ([]byte, error) {
 	return base64.StdEncoding.DecodeString(data)
 }
 type PEMPair struct {
 	Cert, Key []byte
 }
 func (p *PEMPair) String() string {
 	return b64Encode(p.Cert) + ";" + b64Encode(p.Key)
 }
 func (p *PEMPair) Load(data string) (err error) {
 	parts := strings.Split(data, ";")
 	if len(parts) != 2 {
 		return errors.New("invalid PEM pair")
 	}
 	p.Cert, err = b64Decode(parts[0])
 	if err != nil {
 		return err
 	}
 	p.Key, err = b64Decode(parts[1])
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
 	cert, err := tls.X509KeyPair(p.Cert, p.Key)
 	return &cert, err
 }
 func newSerialNumber() (*big.Int, error) {
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) // 128-bit random number
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate serial number: %w", err)
 	}
 	return serialNumber, nil
 }
 func NewAgent() (ca, srv, client *PEMPair, err error) {
 	caSerialNumber, err := newSerialNumber()
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	// Create the CA's certificate
 	caTemplate := &x509.Certificate{
 		SerialNumber: caSerialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"GoDoxy"},
 			CommonName:   CertsDNSName,
 		},
 		NotBefore:             time.Now(),
 		NotAfter:              time.Now().AddDate(1000, 0, 0), // 1000 years
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		MaxPathLen:            0,
 		MaxPathLenZero:        true,
 		SignatureAlgorithm:    x509.ECDSAWithSHA256,
 	}
 	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	caDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	ca = toPEMPair(caDER, caKey)
 	// Generate a new private key for the server certificate
 	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	serverSerialNumber, err := newSerialNumber()
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	srvTemplate := &x509.Certificate{
 		SerialNumber: serverSerialNumber,
 		Issuer:       caTemplate.Subject,
 		Subject: pkix.Name{
 			Organization:       caTemplate.Subject.Organization,
 			OrganizationalUnit: []string{"Server"},
 			CommonName:         CertsDNSName,
 		},
 		DNSNames:           []string{CertsDNSName},
 		NotBefore:          time.Now(),
 		NotAfter:           time.Now().AddDate(1000, 0, 0), // Add validity period
 		KeyUsage:           x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}
 	srvCertDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, caTemplate, &serverKey.PublicKey, caKey)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	srv = toPEMPair(srvCertDER, serverKey)
 	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	clientSerialNumber, err := newSerialNumber()
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	clientTemplate := &x509.Certificate{
 		SerialNumber: clientSerialNumber,
 		Issuer:       caTemplate.Subject,
 		Subject: pkix.Name{
 			Organization:       caTemplate.Subject.Organization,
 			OrganizationalUnit: []string{"Client"},
 			CommonName:         CertsDNSName,
 		},
 		DNSNames:           []string{CertsDNSName},
 		NotBefore:          time.Now(),
 		NotAfter:           time.Now().AddDate(1000, 0, 0),
 		KeyUsage:           x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}
 	clientCertDER, err := x509.CreateCertificate(rand.Reader, clientTemplate, caTemplate, &clientKey.PublicKey, caKey)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	client = toPEMPair(clientCertDER, clientKey)
 	return
 }
--- a/agent/pkg/agent/new_agent_test.go
+++ b/agent/pkg/agent/new_agent_test.go
@ -1,91 +0,0 @@
 package agent
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestNewAgent(t *testing.T) {
 	ca, srv, client, err := NewAgent()
 	require.NoError(t, err)
 	require.NotNil(t, ca)
 	require.NotNil(t, srv)
 	require.NotNil(t, client)
 }
 func TestPEMPair(t *testing.T) {
 	ca, srv, client, err := NewAgent()
 	require.NoError(t, err)
 	for i, p := range []*PEMPair{ca, srv, client} {
 		t.Run(fmt.Sprintf("load-%d", i), func(t *testing.T) {
 			var pp PEMPair
 			err := pp.Load(p.String())
 			require.NoError(t, err)
 			require.Equal(t, p.Cert, pp.Cert)
 			require.Equal(t, p.Key, pp.Key)
 		})
 	}
 }
 func TestPEMPairToTLSCert(t *testing.T) {
 	ca, srv, client, err := NewAgent()
 	require.NoError(t, err)
 	for i, p := range []*PEMPair{ca, srv, client} {
 		t.Run(fmt.Sprintf("toTLSCert-%d", i), func(t *testing.T) {
 			cert, err := p.ToTLSCert()
 			require.NoError(t, err)
 			require.NotNil(t, cert)
 		})
 	}
 }
 func TestServerClient(t *testing.T) {
 	ca, srv, client, err := NewAgent()
 	require.NoError(t, err)
 	srvTLS, err := srv.ToTLSCert()
 	require.NoError(t, err)
 	require.NotNil(t, srvTLS)
 	clientTLS, err := client.ToTLSCert()
 	require.NoError(t, err)
 	require.NotNil(t, clientTLS)
 	caPool := x509.NewCertPool()
 	require.True(t, caPool.AppendCertsFromPEM(ca.Cert))
 	srvTLSConfig := &tls.Config{
 		Certificates: []tls.Certificate{*srvTLS},
 		ClientCAs:    caPool,
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 	}
 	clientTLSConfig := &tls.Config{
 		Certificates: []tls.Certificate{*clientTLS},
 		RootCAs:      caPool,
 		ServerName:   CertsDNSName,
 	}
 	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	server.TLS = srvTLSConfig
 	server.StartTLS()
 	defer server.Close()
 	httpClient := &http.Client{
 		Transport: &http.Transport{TLSClientConfig: clientTLSConfig},
 	}
 	resp, err := httpClient.Get(server.URL)
 	require.NoError(t, err)
 	require.Equal(t, resp.StatusCode, http.StatusOK)
 }
--- a/agent/pkg/agent/requests.go
+++ b/agent/pkg/agent/requests.go
@ -1,49 +0,0 @@
 package agent
 import (
 	"context"
 	"io"
 	"net/http"
 	"github.com/coder/websocket"
 )
 func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
 	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
 	if err != nil {
 		return nil, err
 	}
 	return cfg.httpClient.Do(req)
 }
 func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) ([]byte, int, error) {
 	req = req.WithContext(req.Context())
 	req.URL.Host = AgentHost
 	req.URL.Scheme = "https"
 	req.URL.Path = APIEndpointBase + endpoint
 	req.RequestURI = ""
 	resp, err := cfg.httpClient.Do(req)
 	if err != nil {
 		return nil, 0, err
 	}
 	defer resp.Body.Close()
 	data, _ := io.ReadAll(resp.Body)
 	return data, resp.StatusCode, nil
 }
 func (cfg *AgentConfig) Fetch(ctx context.Context, endpoint string) ([]byte, int, error) {
 	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
 	if err != nil {
 		return nil, 0, err
 	}
 	defer resp.Body.Close()
 	data, _ := io.ReadAll(resp.Body)
 	return data, resp.StatusCode, nil
 }
 func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
 	return websocket.Dial(ctx, APIBaseURL+endpoint, &websocket.DialOptions{
 		HTTPClient: cfg.NewHTTPClient(),
 		Host:       AgentHost,
 	})
 }
--- a/agent/pkg/agent/templates/agent.compose.yml
+++ b/agent/pkg/agent/templates/agent.compose.yml
@ -1,44 +0,0 @@
 services:
  agent:
    image: "{{.Image}}"
    container_name: godoxy-agent
    restart: always
    network_mode: host # do not change this
    environment:
      AGENT_NAME: "{{.Name}}"
      AGENT_PORT: "{{.Port}}"
      AGENT_CA_CERT: "{{.CACert}}"
      AGENT_SSL_CERT: "{{.SSLCert}}"
      # use agent as a docker socket proxy: [host]:port
      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
      LISTEN_ADDR:
      POST: false
      ALLOW_RESTARTS: false
      ALLOW_START: false
      ALLOW_STOP: false
      AUTH: false
      BUILD: false
      COMMIT: false
      CONFIGS: false
      CONTAINERS: false
      DISTRIBUTION: false
      EVENTS: true
      EXEC: false
      GRPC: false
      IMAGES: false
      INFO: false
      NETWORKS: false
      NODES: false
      PING: true
      PLUGINS: false
      SECRETS: false
      SERVICES: false
      SESSION: false
      SWARM: false
      SYSTEM: false
      TASKS: false
      VERSION: true
      VOLUMES: false
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
--- a/agent/pkg/agentproxy/headers.go
+++ b/agent/pkg/agentproxy/headers.go
@ -1,27 +0,0 @@
 package agentproxy
 import (
 	"net/http"
 	"strconv"
 )
 const (
 	HeaderXProxyHost                  = "X-Proxy-Host"
 	HeaderXProxyHTTPS                 = "X-Proxy-Https"
 	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
 	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
 )
 type AgentProxyHeaders struct {
 	Host                  string
 	IsHTTPS               bool
 	SkipTLSVerify         bool
 	ResponseHeaderTimeout int
 }
 func SetAgentProxyHeaders(r *http.Request, headers *AgentProxyHeaders) {
 	r.Header.Set(HeaderXProxyHost, headers.Host)
 	r.Header.Set(HeaderXProxyHTTPS, strconv.FormatBool(headers.IsHTTPS))
 	r.Header.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(headers.SkipTLSVerify))
 	r.Header.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(headers.ResponseHeaderTimeout))
 }
--- a/agent/pkg/certs/zip.go
+++ b/agent/pkg/certs/zip.go
@ -1,85 +0,0 @@
 package certs
 import (
 	"archive/zip"
 	"bytes"
 	"io"
 	"path/filepath"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 const AgentCertsBasePath = "certs"
 func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
 	w, err := zipWriter.CreateHeader(&zip.FileHeader{
 		Name:   name,
 		Method: zip.Store,
 	})
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(data)
 	return err
 }
 func readFile(f *zip.File) ([]byte, error) {
 	r, err := f.Open()
 	if err != nil {
 		return nil, err
 	}
 	defer r.Close()
 	return io.ReadAll(r)
 }
 func ZipCert(ca, crt, key []byte) ([]byte, error) {
 	data := bytes.NewBuffer(make([]byte, 0, 6144))
 	zipWriter := zip.NewWriter(data)
 	defer zipWriter.Close()
 	if err := writeFile(zipWriter, "ca.pem", ca); err != nil {
 		return nil, err
 	}
 	if err := writeFile(zipWriter, "cert.pem", crt); err != nil {
 		return nil, err
 	}
 	if err := writeFile(zipWriter, "key.pem", key); err != nil {
 		return nil, err
 	}
 	if err := zipWriter.Close(); err != nil {
 		return nil, err
 	}
 	return data.Bytes(), nil
 }
 func isValidAgentHost(host string) bool {
 	return strutils.IsValidFilename(host + ".zip")
 }
 func AgentCertsFilepath(host string) (filepathOut string, ok bool) {
 	if !isValidAgentHost(host) {
 		return "", false
 	}
 	return filepath.Join(AgentCertsBasePath, host+".zip"), true
 }
 func ExtractCert(data []byte) (ca, crt, key []byte, err error) {
 	zipReader, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	for _, file := range zipReader.File {
 		switch file.Name {
 		case "ca.pem":
 			ca, err = readFile(file)
 		case "cert.pem":
 			crt, err = readFile(file)
 		case "key.pem":
 			key, err = readFile(file)
 		}
 		if err != nil {
 			return nil, nil, nil, err
 		}
 	}
 	return ca, crt, key, nil
 }
--- a/agent/pkg/certs/zip_test.go
+++ b/agent/pkg/certs/zip_test.go
@ -1,20 +0,0 @@
 package certs_test
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/go-proxy/agent/pkg/certs"
 )
 func TestZipCert(t *testing.T) {
 	ca, crt, key := []byte("test1"), []byte("test2"), []byte("test3")
 	zipData, err := certs.ZipCert(ca, crt, key)
 	require.NoError(t, err)
 	ca2, crt2, key2, err := certs.ExtractCert(zipData)
 	require.NoError(t, err)
 	require.Equal(t, ca, ca2)
 	require.Equal(t, crt, crt2)
 	require.Equal(t, key, key2)
 }
--- a/agent/pkg/env/env.go
+++ b/agent/pkg/env/env.go
@ -1,38 +0,0 @@
 package env
 import (
 	"os"
 	"github.com/yusing/go-proxy/internal/common"
 )
 func DefaultAgentName() string {
 	name, err := os.Hostname()
 	if err != nil {
 		return "agent"
 	}
 	return name
 }
 var (
 	AgentName                string
 	AgentPort                int
 	AgentSkipClientCertCheck bool
 	AgentCACert              string
 	AgentSSLCert             string
 	DockerSocket             string
 )
 func init() {
 	Load()
 }
 func Load() {
 	DockerSocket = common.GetEnvString("DOCKER_SOCKET", "/var/run/docker.sock")
 	AgentName = common.GetEnvString("AGENT_NAME", DefaultAgentName())
 	AgentPort = common.GetEnvInt("AGENT_PORT", 8890)
 	AgentSkipClientCertCheck = common.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
 	AgentCACert = common.GetEnvString("AGENT_CA_CERT", "")
 	AgentSSLCert = common.GetEnvString("AGENT_SSL_CERT", "")
 }
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@ -1,80 +0,0 @@
 package handler
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"github.com/yusing/go-proxy/internal/watcher/health"
 	"github.com/yusing/go-proxy/internal/watcher/health/monitor"
 )
 var defaultHealthConfig = health.DefaultHealthConfig()
 func CheckHealth(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	scheme := query.Get("scheme")
 	if scheme == "" {
 		http.Error(w, "missing scheme", http.StatusBadRequest)
 		return
 	}
 	var result *health.HealthCheckResult
 	var err error
 	switch scheme {
 	case "fileserver":
 		path := query.Get("path")
 		if path == "" {
 			http.Error(w, "missing path", http.StatusBadRequest)
 			return
 		}
 		_, err := os.Stat(path)
 		result = &health.HealthCheckResult{Healthy: err == nil}
 		if err != nil {
 			result.Detail = err.Error()
 		}
 	case "http", "https": // path is optional
 		host := query.Get("host")
 		path := query.Get("path")
 		if host == "" {
 			http.Error(w, "missing host", http.StatusBadRequest)
 			return
 		}
 		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
 			Scheme: scheme,
 			Host:   host,
 			Path:   path,
 		}, defaultHealthConfig).CheckHealth()
 	case "tcp", "udp":
 		host := query.Get("host")
 		if host == "" {
 			http.Error(w, "missing host", http.StatusBadRequest)
 			return
 		}
 		hasPort := strings.Contains(host, ":")
 		port := query.Get("port")
 		if port != "" && hasPort {
 			http.Error(w, "port and host with port cannot both be provided", http.StatusBadRequest)
 			return
 		}
 		if port != "" {
 			host = fmt.Sprintf("%s:%s", host, port)
 		}
 		result, err = monitor.NewRawHealthMonitor(&url.URL{
 			Scheme: scheme,
 			Host:   host,
 		}, defaultHealthConfig).CheckHealth()
 	}
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadGateway)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode(result)
 }
--- a/agent/pkg/handler/check_health_test.go
+++ b/agent/pkg/handler/check_health_test.go
@ -1,216 +0,0 @@
 package handler_test
 import (
 	"encoding/json"
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strconv"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/handler"
 	"github.com/yusing/go-proxy/internal/watcher/health"
 )
 func TestCheckHealthHTTP(t *testing.T) {
 	tests := []struct {
 		name            string
 		setupServer     func() *httptest.Server
 		queryParams     map[string]string
 		expectedStatus  int
 		expectedHealthy bool
 	}{
 		{
 			name: "Valid",
 			setupServer: func() *httptest.Server {
 				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(http.StatusOK)
 				}))
 			},
 			queryParams: map[string]string{
 				"scheme": "http",
 				"host":   "localhost",
 				"path":   "/",
 			},
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: true,
 		},
 		{
 			name:        "InvalidQuery",
 			setupServer: nil,
 			queryParams: map[string]string{
 				"scheme": "http",
 			},
 			expectedStatus: http.StatusBadRequest,
 		},
 		{
 			name:        "ConnectionError",
 			setupServer: nil,
 			queryParams: map[string]string{
 				"scheme": "http",
 				"host":   "localhost:12345",
 			},
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var server *httptest.Server
 			if tt.setupServer != nil {
 				server = tt.setupServer()
 				defer server.Close()
 				u, _ := url.Parse(server.URL)
 				tt.queryParams["scheme"] = u.Scheme
 				tt.queryParams["host"] = u.Host
 				tt.queryParams["path"] = u.Path
 			}
 			recorder := httptest.NewRecorder()
 			query := url.Values{}
 			for key, value := range tt.queryParams {
 				query.Set(key, value)
 			}
 			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
 			handler.CheckHealth(recorder, request)
 			require.Equal(t, recorder.Code, tt.expectedStatus)
 			if tt.expectedStatus == http.StatusOK {
 				var result health.HealthCheckResult
 				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 				require.Equal(t, result.Healthy, tt.expectedHealthy)
 			}
 		})
 	}
 }
 func TestCheckHealthFileServer(t *testing.T) {
 	tests := []struct {
 		name            string
 		path            string
 		expectedStatus  int
 		expectedHealthy bool
 		expectedDetail  string
 	}{
 		{
 			name:            "ValidPath",
 			path:            t.TempDir(),
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: true,
 			expectedDetail:  "",
 		},
 		{
 			name:            "InvalidPath",
 			path:            "/invalid",
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: false,
 			expectedDetail:  "stat /invalid: no such file or directory",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			query := url.Values{}
 			query.Set("scheme", "fileserver")
 			query.Set("path", tt.path)
 			recorder := httptest.NewRecorder()
 			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
 			handler.CheckHealth(recorder, request)
 			require.Equal(t, recorder.Code, tt.expectedStatus)
 			var result health.HealthCheckResult
 			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 			require.Equal(t, result.Healthy, tt.expectedHealthy)
 			require.Equal(t, result.Detail, tt.expectedDetail)
 		})
 	}
 }
 func TestCheckHealthTCPUDP(t *testing.T) {
 	tcp, err := net.Listen("tcp", "localhost:0")
 	require.NoError(t, err)
 	go func() {
 		conn, err := tcp.Accept()
 		require.NoError(t, err)
 		conn.Close()
 	}()
 	udp, err := net.ListenPacket("udp", "localhost:0")
 	require.NoError(t, err)
 	go func() {
 		buf := make([]byte, 1024)
 		n, addr, err := udp.ReadFrom(buf)
 		require.NoError(t, err)
 		require.Equal(t, string(buf[:n]), "ping")
 		_, _ = udp.WriteTo([]byte("pong"), addr)
 		udp.Close()
 	}()
 	tests := []struct {
 		name            string
 		scheme          string
 		host            string
 		port            int
 		expectedStatus  int
 		expectedHealthy bool
 	}{
 		{
 			name:            "ValidTCP",
 			scheme:          "tcp",
 			host:            "localhost",
 			port:            tcp.Addr().(*net.TCPAddr).Port,
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: true,
 		},
 		{
 			name:            "InvalidHost",
 			scheme:          "tcp",
 			host:            "invalid",
 			port:            8080,
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: false,
 		},
 		{
 			name:            "ValidUDP",
 			scheme:          "udp",
 			host:            "localhost",
 			port:            udp.LocalAddr().(*net.UDPAddr).Port,
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: true,
 		},
 		{
 			name:            "InvalidHost",
 			scheme:          "udp",
 			host:            "invalid",
 			port:            8080,
 			expectedStatus:  http.StatusOK,
 			expectedHealthy: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			query := url.Values{}
 			query.Set("scheme", tt.scheme)
 			query.Set("host", tt.host)
 			query.Set("port", strconv.Itoa(tt.port))
 			recorder := httptest.NewRecorder()
 			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
 			handler.CheckHealth(recorder, request)
 			require.Equal(t, recorder.Code, tt.expectedStatus)
 			var result health.HealthCheckResult
 			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
 			require.Equal(t, result.Healthy, tt.expectedHealthy)
 		})
 	}
 }
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@ -1,57 +0,0 @@
 package handler
 import (
 	"context"
 	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"time"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/env"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/pkg"
 )
 type ServeMux struct{ *http.ServeMux }
 func (mux ServeMux) HandleEndpoint(method, endpoint string, handler http.HandlerFunc) {
 	mux.ServeMux.HandleFunc(method+" "+agent.APIEndpointBase+endpoint, handler)
 }
 func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
 	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
 }
 var dialer = &net.Dialer{KeepAlive: 1 * time.Second}
 func dialDockerSocket(ctx context.Context, _, _ string) (net.Conn, error) {
 	return dialer.DialContext(ctx, "unix", env.DockerSocket)
 }
 func dockerSocketHandler() http.HandlerFunc {
 	rp := httputil.NewSingleHostReverseProxy(&url.URL{
 		Scheme: "http",
 		Host:   "api.moby.localhost",
 	})
 	rp.Transport = &http.Transport{
 		DialContext: dialDockerSocket,
 	}
 	return rp.ServeHTTP
 }
 func NewAgentHandler() http.Handler {
 	mux := ServeMux{http.NewServeMux()}
 	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
 	mux.HandleEndpoint("GET", agent.EndpointVersion, pkg.GetVersionHTTPHandler())
 	mux.HandleEndpoint("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, env.AgentName)
 	})
 	mux.HandleEndpoint("GET", agent.EndpointHealth, CheckHealth)
 	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, systeminfo.Poller.ServeHTTP)
 	mux.ServeMux.HandleFunc("/", dockerSocketHandler())
 	return mux
 }
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@ -1,67 +0,0 @@
 package handler
 import (
 	"crypto/tls"
 	"net/http"
 	"net/http/httputil"
 	"strconv"
 	"time"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/agentproxy"
 )
 func NewTransport() *http.Transport {
 	return &http.Transport{
 		MaxIdleConnsPerHost:   100,
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		ResponseHeaderTimeout: 60 * time.Second,
 		WriteBufferSize:       16 * 1024, // 16KB
 		ReadBufferSize:        16 * 1024, // 16KB
 	}
 }
 func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
 	host := r.Header.Get(agentproxy.HeaderXProxyHost)
 	isHTTPS, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxyHTTPS))
 	skipTLSVerify, _ := strconv.ParseBool(r.Header.Get(agentproxy.HeaderXProxySkipTLSVerify))
 	responseHeaderTimeout, err := strconv.Atoi(r.Header.Get(agentproxy.HeaderXProxyResponseHeaderTimeout))
 	if err != nil {
 		responseHeaderTimeout = 0
 	}
 	if host == "" {
 		http.Error(w, "missing required headers", http.StatusBadRequest)
 		return
 	}
 	scheme := "http"
 	if isHTTPS {
 		scheme = "https"
 	}
 	transport := NewTransport()
 	if skipTLSVerify {
 		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	if responseHeaderTimeout > 0 {
 		transport.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
 	}
 	r.URL.Scheme = ""
 	r.URL.Host = ""
 	r.URL.Path = r.URL.Path[agent.HTTPProxyURLPrefixLen:] // strip the {API_BASE}/proxy/http prefix
 	r.RequestURI = r.URL.String()
 	rp := &httputil.ReverseProxy{
 		Director: func(r *http.Request) {
 			r.URL.Scheme = scheme
 			r.URL.Host = host
 		},
 		Transport: transport,
 	}
 	rp.ServeHTTP(w, r)
 }
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@ -1,44 +0,0 @@
 package server
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net/http"
 	"github.com/yusing/go-proxy/agent/pkg/env"
 	"github.com/yusing/go-proxy/agent/pkg/handler"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp/server"
 	"github.com/yusing/go-proxy/internal/task"
 )
 type Options struct {
 	CACert, ServerCert *tls.Certificate
 	Port               int
 }
 func StartAgentServer(parent task.Parent, opt Options) {
 	caCertPool := x509.NewCertPool()
 	caCertPool.AddCert(opt.CACert.Leaf)
 	// Configure TLS
 	tlsConfig := &tls.Config{
 		Certificates: []tls.Certificate{*opt.ServerCert},
 		ClientCAs:    caCertPool,
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 	}
 	if env.AgentSkipClientCertCheck {
 		tlsConfig.ClientAuth = tls.NoClientCert
 	}
 	logger := logging.GetLogger()
 	agentServer := &http.Server{
 		Addr:      fmt.Sprintf(":%d", opt.Port),
 		Handler:   handler.NewAgentHandler(),
 		TLSConfig: tlsConfig,
 	}
 	server.Start(parent, agentServer, nil, logger)
 }
--- a/bin/go-proxy
+++ b/bin/go-proxy
--- a/cmd/main.go
+++ b/cmd/main.go
@ -1,84 +0,0 @@
 package main
 import (
 	"os"
 	"sync"
 	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
 	"github.com/yusing/go-proxy/internal/dnsproviders"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/internal/metrics/uptime"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/pkg"
 )
 func parallel(fns ...func()) {
 	var wg sync.WaitGroup
 	for _, fn := range fns {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			fn()
 		}()
 	}
 	wg.Wait()
 }
 func main() {
 	initProfiling()
 	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
 	logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
 	logging.Trace().Msg("trace enabled")
 	parallel(
 		dnsproviders.InitProviders,
 		homepage.InitIconListCache,
 		systeminfo.Poller.Start,
 		middleware.LoadComposeFiles,
 	)
 	if common.APIJWTSecret == nil {
 		logging.Warn().Msg("API_JWT_SECRET is not set, using random key")
 		common.APIJWTSecret = common.RandomJWTKey()
 	}
 	for _, dir := range common.RequiredDirectories {
 		prepareDirectory(dir)
 	}
 	cfg, err := config.Load()
 	if err != nil {
 		gperr.LogWarn("errors in config", err)
 	}
 	cfg.Start(&config.StartServersOptions{
 		Proxy: true,
 	})
 	if err := auth.Initialize(); err != nil {
 		logging.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
 	// API Handler needs to start after auth is initialized.
 	cfg.StartServers(&config.StartServersOptions{
 		API: true,
 	})
 	uptime.Poller.Start()
 	config.WatchChanges()
 	task.WaitExit(cfg.Value().TimeoutShutdown)
 }
 func prepareDirectory(dir string) {
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 		if err = os.MkdirAll(dir, 0o755); err != nil {
 			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
 		}
 	}
 }
--- a/cmd/pprof_production.go
+++ b/cmd/pprof_production.go
@ -1,7 +0,0 @@
 //go:build !pprof
 package main
 func initProfiling() {
 	// no profiling in production
 }
--- a/cmd/pprof_prof.go
+++ b/cmd/pprof_prof.go
@ -1,20 +0,0 @@
 //go:build pprof
 package main
 import (
 	"log"
 	"net/http"
 	_ "net/http/pprof"
 	"runtime"
 	"runtime/debug"
 )
 func initProfiling() {
 	runtime.GOMAXPROCS(2)
 	debug.SetMemoryLimit(100 * 1024 * 1024)
 	debug.SetMaxStack(15 * 1024 * 1024)
 	go func() {
 		log.Println(http.ListenAndServe(":7777", nil))
 	}()
 }
--- a/compose.example.yml
+++ b/compose.example.yml
@ -1,81 +1,48 @@
---
+version: '3'
 services:
  socket-proxy:
    container_name: socket-proxy
    image: ghcr.io/yusing/socket-proxy:latest
    environment:
      - ALLOW_START=1
      - ALLOW_STOP=1
      - ALLOW_RESTARTS=1
      - CONTAINERS=1
      - EVENTS=1
      - INFO=1
      - PING=1
      - POST=1
      - VERSION=1
    volumes:
      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
    restart: unless-stopped
    tmpfs:
      - /run
    ports:
      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
  frontend:
    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
    container_name: godoxy-frontend
    restart: unless-stopped
    network_mode: host # do not change this
    env_file: .env
    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - all
    depends_on:
      - app
    environment:
      HOSTNAME: 127.0.0.1
      PORT: ${GODOXY_FRONTEND_PORT:-3000}
    labels:
      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
      proxy.#1.port: ${GODOXY_FRONTEND_PORT:-3000}
      # proxy.#1.middlewares.cidr_whitelist: |
      #   status: 403
      #   message: IP not allowed
      #   allow:
      #     - 127.0.0.1
      #     - 10.0.0.0/8
      #     - 192.168.0.0/16
      #     - 172.16.0.0/12
  app:
-    image: ghcr.io/yusing/godoxy:${TAG:-latest}
+    build: .
-    container_name: godoxy
+    container_name: go-proxy
    restart: always
-    network_mode: host # do not change this
+    networks: # ^also add here
-    env_file: .env
+      - default
-    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    # environment:
-    depends_on:
+      # - GOPROXY_DEBUG=1 # (optional, enable only for debug)
-      socket-proxy:
+      # - GOPROXY_REDIRECT_HTTP=0 # (optional, uncomment to disable http redirect (http -> https))
-        condition: service_started
+    ports:
-    security_opt:
+      - 80:80 # http
-      - no-new-privileges:true
+      # - 443:443 # optional, https
-    cap_drop:
+      - 8080:8080 # http panel
-      - all
+      # - 8443:8443 # optional, https panel
-    cap_add:
+
-      - NET_BIND_SERVICE
+      # optional, if you declared any tcp/udp proxy, set a range you want to use
-    environment:
+      # - 20000:20100/tcp
-      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
+      # - 20000:20100/udp
    volumes:
      - ./config:/app/config
      - ./logs:/app/logs
      - ./error_pages:/app/error_pages:ro
      - ./data:/app/data
-      # To use autocert, certs will be stored in "./certs".
+      # if local docker provider is used
-      # You can also use a docker volume to store it
+      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./certs:/app/certs
+      
      # use existing certificate
      # - /path/to/cert.pem:/app/certs/cert.crt:ro
      # - /path/to/privkey.pem:/app/certs/priv.key:ro
-      # remove "./certs:/app/certs" and uncomment below to use existing certificate
+      # store autocert obtained cert
-      # - /path/to/certs/cert.crt:/app/certs/cert.crt
+      # - ./certs:/app/certs
-      # - /path/to/certs/priv.key:/app/certs/priv.key
+    
    # workaround for "lookup: no such host"
    # dns:
    #   - 127.0.0.1
    # if you have container running in "host" network mode
    # extra_hosts:
    #   - host.docker.internal:host-gateway
    logging:
      driver: 'json-file'
      options:
        max-file: '1'
        max-size: 128k
 networks: # ^you may add other external networks
  default:
    driver: bridge
--- a/config.example.yml
+++ b/config.example.yml
@ -1,133 +1,21 @@
-# Autocert (choose one below and uncomment to enable)
+# Autocert (uncomment to enable)
-#
+# autocert: # (optional, if you need autocert feature)
-# 1. use existing cert
+#   email: "user@domain.com" # (required) email for acme certificate
-
+#   domains: # (required)
-# autocert:
+#     - "*.y.z" # domain for acme certificate, use wild card to allow all subdomains
-#   provider: local
+#   provider: cloudflare # (required) dns challenge provider (string)
-
+#   options: # provider specific options
-# 2. cloudflare
+#     auth_token: "YOUR_ZONE_API_TOKEN"
 # autocert:
 #   provider: cloudflare
 #   email: abc@gmail.com # ACME Email
 #   domains: # a list of domains for cert registration
 #     - "*.domain.com"
 #     - "domain.com"
 #   options:
 #     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token
 # 3. other providers, see https://github.com/yusing/godoxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
 # acl:
 #   default: allow # or deny (default: allow)
 #   allow_local: true # or false (default: true)
 #   allow:
 #     - ip:1.2.3.4
 #     - cidr:1.2.3.4/32
 #     - country:US
 #     - timezone:Asia/Shanghai
 #   deny:
 #     - ip:1.2.3.4
 #     - cidr:1.2.3.4/32
 #     - country:US
 #     - timezone:Asia/Shanghai
 #   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
 #     buffer_size: 65536 # (default: 64KB)
 #     path: /app/logs/acl.log # (default: none)
 #     stdout: false # (default: false)
 #     keep: last 10 # (default: none)
 entrypoint:
  # Below define an example of middleware config
  # 1. set security headers
  # 2. block non local IP connections
  # 3. redirect HTTP to HTTPS
  #
  middlewares:
    - use: CloudflareRealIP
    - use: ModifyResponse
      set_headers:
        Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
        Access-Control-Allow-Headers: "*"
        Access-Control-Allow-Origin: "*"
        Access-Control-Max-Age: 180
        Vary: "*"
        X-XSS-Protection: 1; mode=block
        Content-Security-Policy: "object-src 'self'; frame-ancestors 'self';"
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        Referrer-Policy: same-origin
        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    # - use: CIDRWhitelist
    #   allow:
    #     - "127.0.0.1"
    #     - "10.0.0.0/8"
    #     - "172.16.0.0/12"
    #     - "192.168.0.0/16"
    #   status: 403
    #   message: "Forbidden"
    # - use: RedirectHTTP
  # below enables access log
  access_log:
    format: combined
    path: /app/logs/entrypoint.log
 providers:
-  # include files are standalone yaml files under `config/` directory
+  local:
-  #
+    kind: docker
  # include:
  #   - file1.yml
  #   - file2.yml
  docker:
    # $DOCKER_HOST implies environment variable `DOCKER_HOST` or unix:///var/run/docker.sock by default
    local: $DOCKER_HOST
    # explicit only mode
    # only containers with explicit aliases will be proxied
    # add "!" after provider name to enable explicit only mode
    #
    # local!: $DOCKER_HOST
    #
    # add more docker providers if needed
    # for value format, see https://docs.docker.com/reference/cli/dockerd/
-    #
+    # i.e. FROM_ENV, ssh://user@10.0.1.1:22, tcp://10.0.2.1:2375
-    # remote-1: tcp://10.0.2.1:2375
+    value: FROM_ENV
-    # remote-2: ssh://root:1234@10.0.2.2
+  providers:
    kind: file
    value: providers.yml
-  # notification providers (notify when service health changes)
+# Fixed options (optional, non hot-reloadable)
-  #
+# timeout_shutdown: 5
-  # notification:
+# redirect_to_https: false
  #   - name: gotify
  #     provider: gotify
  #     url: https://gotify.domain.tld
  #     token: abcd
  #   - name: discord
  #     provider: webhook
  #     url: https://discord.com/api/webhooks/...
  #     template: discord # this means use payload template from internal/notif/templates/discord.json
  # Proxmox providers (for idlesleep support for proxmox LXCs)
  #
  # proxmox:
  #   - url: https://pve.domain.com:8006/api2/json
  #     token_id: root@pam!abcdef
  #     secret: aaaa-bbbb-cccc-dddd
  #     no_tls_verify: true
 # Check https://github.com/yusing/godoxy/wiki/Certificates-and-domain-matching#domain-matching
 # for explaination of `match_domains`
 #
 # match_domains:
 #   - my.site
 #   - node1.my.app
 # homepage config
 homepage:
  # use default app categories detected from alias or docker image name
  use_default_categories: true
 # Below are fixed options (non hot-reloadable)
 # timeout for shutdown (in seconds)
 timeout_shutdown: 5
--- a/examples/docker-compose/n8n.yml
+++ b/examples/docker-compose/n8n.yml
@ -1,27 +0,0 @@
 ---
 services:
  n8n:
    image: n8nio/n8n
    container_name: n8n
    restart: always
    expose:
      - 5678
    labels:
      proxy.n8n.middlewares.request.set_headers: |
        SSLRedirect: true
        STSSeconds: 315360000
        browserXSSFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        SSLHost: ${DOMAIN_NAME}
        STSIncludeSubdomains: true
        STSPreload: true
    environment:
      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
    volumes:
      - ./data:/home/node/.n8n
--- a/examples/error_pages/404.css
+++ b/examples/error_pages/404.css
@ -1,288 +0,0 @@
@import url("https://fonts.googleapis.com/css?family=Audiowide&display=swap");
 html,
 body {
    margin: 0px;
    overflow: hidden;
 }
 div {
    position: absolute;
    top: 0%;
    left: 0%;
    height: 100%;
    width: 100%;
    margin: 0px;
    background: radial-gradient(circle, #240015 0%, #12000b 100%);
    overflow: hidden;
 }
 .wrap {
    position: absolute;
    left: 50%;
    top: 50%;
    transform: translate(-50%, -50%);
 }
 h2 {
    position: absolute;
    top: 50%;
    left: 50%;
    margin-top: 150px;
    font-size: 32px;
    text-transform: uppercase;
    transform: translate(-50%, -50%);
    display: block;
    color: #12000a;
    font-weight: 300;
    font-family: Audiowide;
    text-shadow: 0px 0px 4px #12000a;
    animation: fadeInText 3s ease-in 3.5s forwards,
        flicker4 5s linear 7.5s infinite, hueRotate 6s ease-in-out 3s infinite;
 }
 #svgWrap_1,
 #svgWrap_2 {
    position: absolute;
    height: auto;
    width: 600px;
    max-width: 100%;
    top: 50%;
    left: 50%;
    transform: translate(-50%, -50%);
 }
 #svgWrap_1,
 #svgWrap_2,
 div {
    animation: hueRotate 6s ease-in-out 3s infinite;
 }
 #id1_1,
 #id2_1,
 #id3_1 {
    stroke: #ff005d;
    stroke-width: 3px;
    fill: transparent;
    filter: url(#glow);
 }
 #id1_2,
 #id2_2,
 #id3_2 {
    stroke: #12000a;
    stroke-width: 3px;
    fill: transparent;
    filter: url(#glow);
 }
 #id3_1 {
    stroke-dasharray: 940px;
    stroke-dashoffset: -940px;
    animation: drawLine3 2.5s ease-in-out 0s forwards,
        flicker3 4s linear 4s infinite;
 }
 #id2_1 {
    stroke-dasharray: 735px;
    stroke-dashoffset: -735px;
    animation: drawLine2 2.5s ease-in-out 0.5s forwards,
        flicker2 4s linear 4.5s infinite;
 }
 #id1_1 {
    stroke-dasharray: 940px;
    stroke-dashoffset: -940px;
    animation: drawLine1 2.5s ease-in-out 1s forwards,
        flicker1 4s linear 5s infinite;
 }
@keyframes drawLine1 {
    0% {
        stroke-dashoffset: -940px;
    }
    100% {
        stroke-dashoffset: 0px;
    }
 }
@keyframes drawLine2 {
    0% {
        stroke-dashoffset: -735px;
    }
    100% {
        stroke-dashoffset: 0px;
    }
 }
@keyframes drawLine3 {
    0% {
        stroke-dashoffset: -940px;
    }
    100% {
        stroke-dashoffset: 0px;
    }
 }
@keyframes flicker1 {
    0% {
        stroke: #ff005d;
    }
    1% {
        stroke: transparent;
    }
    3% {
        stroke: transparent;
    }
    4% {
        stroke: #ff005d;
    }
    6% {
        stroke: #ff005d;
    }
    7% {
        stroke: transparent;
    }
    13% {
        stroke: transparent;
    }
    14% {
        stroke: #ff005d;
    }
    100% {
        stroke: #ff005d;
    }
 }
@keyframes flicker2 {
    0% {
        stroke: #ff005d;
    }
    50% {
        stroke: #ff005d;
    }
    51% {
        stroke: transparent;
    }
    61% {
        stroke: transparent;
    }
    62% {
        stroke: #ff005d;
    }
    100% {
        stroke: #ff005d;
    }
 }
@keyframes flicker3 {
    0% {
        stroke: #ff005d;
    }
    1% {
        stroke: transparent;
    }
    10% {
        stroke: transparent;
    }
    11% {
        stroke: #ff005d;
    }
    40% {
        stroke: #ff005d;
    }
    41% {
        stroke: transparent;
    }
    45% {
        stroke: transparent;
    }
    46% {
        stroke: #ff005d;
    }
    100% {
        stroke: #ff005d;
    }
 }
@keyframes flicker4 {
    0% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    30% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    31% {
        color: #12000a;
        text-shadow: 0px 0px 4px #12000a;
    }
    32% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    36% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    37% {
        color: #12000a;
        text-shadow: 0px 0px 4px #12000a;
    }
    41% {
        color: #12000a;
        text-shadow: 0px 0px 4px #12000a;
    }
    42% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    85% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    86% {
        color: #12000a;
        text-shadow: 0px 0px 4px #12000a;
    }
    95% {
        color: #12000a;
        text-shadow: 0px 0px 4px #12000a;
    }
    96% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
    100% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
 }
@keyframes fadeInText {
    1% {
        color: #12000a;
        text-shadow: 0px 0px 4px #12000a;
    }
    70% {
        color: #ff005d;
        text-shadow: 0px 0px 14px #ff005d;
    }
    100% {
        color: #ff005d;
        text-shadow: 0px 0px 4px #ff005d;
    }
 }
@keyframes hueRotate {
    0% {
        filter: hue-rotate(0deg);
    }
    50% {
        filter: hue-rotate(-120deg);
    }
    100% {
        filter: hue-rotate(0deg);
    }
 }
--- a/examples/error_pages/404.html
+++ b/examples/error_pages/404.html
@ -1,51 +0,0 @@
 {{/* Credit: https://codepen.io/code2rithik/pen/XWpVvYL */}}
 <!DOCTYPE html>
 <html lang="en">
 <head>
  <meta charset="UTF-8" />
  <title>Page Not Found</title>
  <link rel="stylesheet" href="/$gperrorpage/404.css" type="text/css">
  <!-- <script src="/$gperrorpage/404.js"> </script> -->
 </head>
 <body>
  <script>0</script>
  <div></div>
  <svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
    <g>
      <path id="id3_2"
        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
      <path id="id2_2"
        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
      <path id="id1_2"
        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
    </g>
  </svg>
  <svg id="svgWrap_1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250">
    <g>
      <path id="id3_1"
        d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z" />
      <path id="id2_1"
        d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67-10.38 10.92-19.33 18.76-26.83 7.83-7.5 16.87-13.36 27.12-17.56 10.24-4.2 20.93-6.3 32.07-6.3h66.41c7.36 0 14.58.94 21.67 2.83 7.08 1.89 13.76 4.6 20.04 8.14a88.292 88.292 0 0 1 17.35 12.81c5.29 5 9.86 10.67 13.74 16.99 3.87 6.33 6.87 13.19 8.99 20.6 2.13 7.41 3.19 15.27 3.19 23.58v33.14zm-37.1-33.13c0-7.27-1.32-13.88-3.96-19.82-2.64-5.95-6.16-11.04-10.55-15.29-4.39-4.25-9.46-7.5-15.22-9.77-5.76-2.27-11.8-3.35-18.13-3.26h-66.41c-6.14-.09-12.11.97-17.91 3.19-5.81 2.22-10.95 5.43-15.44 9.63-4.48 4.2-8.07 9.3-10.76 15.29-2.69 6-4.04 12.67-4.04 20.04v33.13c0 7.36 1.32 14.02 3.96 19.97 2.64 5.95 6.18 11.02 10.62 15.22 4.44 4.2 9.56 7.43 15.36 9.7 5.8 2.27 11.87 3.35 18.2 3.26h66.41c7.27 0 13.85-1.2 19.75-3.61s10.93-5.73 15.08-9.98 7.36-9.32 9.63-15.22c2.27-5.9 3.4-12.34 3.4-19.33v-33.15zm-16-26.91a17.89 17.89 0 0 1 2.83 6.73c.47 2.41.47 4.77 0 7.08-.47 2.31-1.39 4.48-2.76 6.51-1.37 2.03-3.14 3.75-5.31 5.17l-99.4 66.41c-1.61 1.23-3.26 2.08-4.96 2.55-1.7.47-3.45.71-5.24.71-3.02 0-5.9-.71-8.64-2.12-2.74-1.42-4.96-3.44-6.66-6.09a17.89 17.89 0 0 1-2.83-6.73c-.47-2.41-.5-4.77-.07-7.08.43-2.31 1.3-4.48 2.62-6.51 1.32-2.03 3.07-3.75 5.24-5.17l99.69-66.41a17.89 17.89 0 0 1 6.73-2.83c2.41-.47 4.77-.47 7.08 0 2.31.47 4.48 1.37 6.51 2.69 2.03 1.32 3.75 3.02 5.17 5.09z" />
      <path id="id1_1"
        d="M688.33 232.67h-37.1V149.7H520.39c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98h112.57V29.62h37.1v203.05z" />
    </g>
  </svg>
  <svg>
    <defs>
      <filter id="glow">
        <fegaussianblur class="blur" result="coloredBlur" stddeviation="4"></fegaussianblur>
        <femerge>
          <femergenode in="coloredBlur"></femergenode>
          <femergenode in="SourceGraphic"></femergenode>
        </femerge>
      </filter>
    </defs>
  </svg>
  <h2>Page Not Found</h2>
 </body>
 </html>
--- a/examples/grafana_template.json
+++ b/examples/grafana_template.json
--- a/go.mod
+++ b/go.mod
@ -1,251 +1,53 @@
 module github.com/yusing/go-proxy
-go 1.24.3
+go 1.22
 replace github.com/yusing/go-proxy/agent => ./agent
 replace github.com/yusing/go-proxy/internal/dnsproviders => ./internal/dnsproviders
 replace github.com/coreos/go-oidc/v3 => github.com/godoxy-app/go-oidc/v3 v3.14.2
 replace github.com/docker/docker => github.com/godoxy-app/docker v0.0.0-20250425105916-b2ad800de7a1
 replace github.com/shirou/gopsutil/v4 => github.com/godoxy-app/gopsutil/v4 v4.0.0-20250502022742-408a348f1b97
 require (
-	github.com/PuerkitoBio/goquery v1.10.3 // parsing HTML for extract fav icon
+	github.com/docker/cli v26.0.0+incompatible
-	github.com/coder/websocket v1.8.13 // websocket for API and agent
+	github.com/docker/docker v26.0.0+incompatible
-	github.com/coreos/go-oidc/v3 v3.14.1 // oidc authentication
+	github.com/fsnotify/fsnotify v1.7.0
-	github.com/docker/docker v28.1.1+incompatible // docker daemon
+	github.com/go-acme/lego/v4 v4.16.1
-	github.com/fsnotify/fsnotify v1.9.0 // file watcher
+	github.com/santhosh-tekuri/jsonschema v1.2.4
-	github.com/go-acme/lego/v4 v4.23.1 // acme client
+	github.com/sirupsen/logrus v1.9.3
-	github.com/go-playground/validator/v10 v10.26.0 // validator
+	golang.org/x/net v0.22.0
-	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
+	gopkg.in/yaml.v3 v3.0.1
 	github.com/gotify/server/v2 v2.6.3 // reference the Message struct for json response
 	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
 	github.com/puzpuzpuz/xsync/v4 v4.1.0 // lock free map for concurrent operations
 	github.com/rs/zerolog v1.34.0 // logging
 	github.com/shirou/gopsutil/v4 v4.25.4 // system info metrics
 	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
 	golang.org/x/crypto v0.38.0 // encrypting password with bcrypt
 	golang.org/x/net v0.40.0 // HTTP header utilities
 	golang.org/x/oauth2 v0.30.0 // oauth2 authentication
 	golang.org/x/time v0.11.0 // time utilities
 )
 require (
-	github.com/docker/cli v28.1.1+incompatible
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/goccy/go-yaml v1.17.1 // yaml parsing for different config files
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/luthermonson/go-proxmox v0.2.2
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/quic-go/quic-go v0.51.0
 	github.com/samber/slog-zerolog/v2 v2.7.3
 	github.com/spf13/afero v1.14.0
 	github.com/stretchr/testify v1.10.0
 	github.com/yusing/go-proxy/agent v0.0.0-00010101000000-000000000000
 	github.com/yusing/go-proxy/internal/dnsproviders v0.0.0-00010101000000-000000000000
 	go.uber.org/atomic v1.11.0
 )
 require (
 	cloud.google.com/go/auth v0.16.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.7.0 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.51.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
 	github.com/aws/smithy-go v1.22.3 // indirect
 	github.com/baidubce/bce-sdk-go v0.9.226 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/civo/civogo v0.5.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.92.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/diskfs/go-diskfs v1.6.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/djherbis/times v1.6.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.3 // indirect
 	github.com/exoscale/egoscale/v3 v3.1.17 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect; indirectindirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
 	github.com/gophercloud/gophercloud v1.14.1 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.149 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/linode/linodego v1.50.0 // indirect
 	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.66 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/moby/term v0.5.0 // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
 	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
 	github.com/nrdcg/desec v0.11.0 // indirect
 	github.com/nrdcg/freemyip v0.3.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.11.0 // indirect
 	github.com/nrdcg/mailinabox v0.2.0 // indirect
 	github.com/nrdcg/namesilo v0.2.1 // indirect
 	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
 	github.com/oracle/oci-go-sdk/v65 v65.91.0 // indirect
 	github.com/ovh/go-ovh v1.7.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterhellberg/link v1.2.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
-	github.com/pquerna/otp v1.4.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	github.com/sacloud/api-client-go v0.2.10 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
-	github.com/sacloud/go-http v0.1.9 // indirect
+	golang.org/x/mod v0.16.0 // indirect
-	github.com/sacloud/iaas-api-go v1.15.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
-	github.com/sacloud/packages-go v0.0.11 // indirect
+	golang.org/x/text v0.14.0 // indirect
-	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
-	github.com/samber/lo v1.50.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
-	github.com/samber/slog-common v0.18.1 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
 	github.com/selectel/domains-go v1.1.0 // indirect
 	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
 	github.com/softlayer/softlayer-go v1.1.7 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/sony/gobreaker v1.0.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/cast v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spf13/viper v1.20.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1164 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1136 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/transip/gotransip/v6 v6.26.0 // indirect
 	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
 	github.com/volcengine/volc-sdk-golang v1.0.207 // indirect
 	github.com/vultr/govultr/v3 v3.20.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mongodb.org/mongo-driver v1.17.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
 	go.opentelemetry.io/otel v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/mock v0.5.2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0
 	golang.org/x/tools v0.33.0 // indirect
 	google.golang.org/api v0.233.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect
 	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/ns1/ns1-go.v2 v2.14.3 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.33.0 // indirect
 	k8s.io/apimachinery v0.33.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@ -1,166 +0,0 @@
 package acl
 import (
 	"net"
 	"time"
 	"github.com/puzpuzpuz/xsync/v4"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/accesslog"
 	"github.com/yusing/go-proxy/internal/maxmind"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 type Config struct {
 	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
 	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
 	Allow      Matchers                   `json:"allow"`
 	Deny       Matchers                   `json:"deny"`
 	Log        *accesslog.ACLLoggerConfig `json:"log"`
 	config
 	valErr gperr.Error
 }
 type config struct {
 	defaultAllow bool
 	allowLocal   bool
 	ipCache      *xsync.Map[string, *checkCache]
 	logAllowed   bool
 	logger       *accesslog.AccessLogger
 }
 type checkCache struct {
 	*maxmind.IPInfo
 	allow   bool
 	created time.Time
 }
 const cacheTTL = 1 * time.Minute
 func (c *checkCache) Expired() bool {
 	return c.created.Add(cacheTTL).Before(utils.TimeNow())
 }
 //TODO: add stats
 const (
 	ACLAllow = "allow"
 	ACLDeny  = "deny"
 )
 func (c *Config) Validate() gperr.Error {
 	switch c.Default {
 	case "", ACLAllow:
 		c.defaultAllow = true
 	case ACLDeny:
 		c.defaultAllow = false
 	default:
 		c.valErr = gperr.New("invalid default value").Subject(c.Default)
 		return c.valErr
 	}
 	if c.AllowLocal != nil {
 		c.allowLocal = *c.AllowLocal
 	} else {
 		c.allowLocal = true
 	}
 	if c.Log != nil {
 		c.logAllowed = c.Log.LogAllowed
 	}
 	if !c.allowLocal && !c.defaultAllow && len(c.Allow) == 0 {
 		c.valErr = gperr.New("allow_local is false and default is deny, but no allow rules are configured")
 		return c.valErr
 	}
 	c.ipCache = xsync.NewMap[string, *checkCache]()
 	return nil
 }
 func (c *Config) Valid() bool {
 	return c != nil && c.valErr == nil
 }
 func (c *Config) Start(parent *task.Task) gperr.Error {
 	if c.Log != nil {
 		logger, err := accesslog.NewAccessLogger(parent, c.Log)
 		if err != nil {
 			return gperr.New("failed to start access logger").With(err)
 		}
 		c.logger = logger
 	}
 	if c.valErr != nil {
 		return c.valErr
 	}
 	logging.Info().
 		Str("default", c.Default).
 		Bool("allow_local", c.allowLocal).
 		Int("allow_rules", len(c.Allow)).
 		Int("deny_rules", len(c.Deny)).
 		Msg("ACL started")
 	return nil
 }
 func (c *Config) cacheRecord(info *maxmind.IPInfo, allow bool) {
 	if common.ForceResolveCountry && info.City == nil {
 		maxmind.LookupCity(info)
 	}
 	c.ipCache.Store(info.Str, &checkCache{
 		IPInfo:  info,
 		allow:   allow,
 		created: utils.TimeNow(),
 	})
 }
 func (c *config) log(info *maxmind.IPInfo, allowed bool) {
 	if c.logger == nil {
 		return
 	}
 	if !allowed || c.logAllowed {
 		c.logger.LogACL(info, !allowed)
 	}
 }
 func (c *Config) IPAllowed(ip net.IP) bool {
 	if ip == nil {
 		return false
 	}
 	// always allow loopback, not logged
 	if ip.IsLoopback() {
 		return true
 	}
 	if c.allowLocal && ip.IsPrivate() {
 		c.log(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
 		return true
 	}
 	ipStr := ip.String()
 	record, ok := c.ipCache.Load(ipStr)
 	if ok && !record.Expired() {
 		c.log(record.IPInfo, record.allow)
 		return record.allow
 	}
 	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
 	if c.Allow.Match(ipAndStr) {
 		c.log(ipAndStr, true)
 		c.cacheRecord(ipAndStr, true)
 		return true
 	}
 	if c.Deny.Match(ipAndStr) {
 		c.log(ipAndStr, false)
 		c.cacheRecord(ipAndStr, false)
 		return false
 	}
 	c.log(ipAndStr, c.defaultAllow)
 	c.cacheRecord(ipAndStr, c.defaultAllow)
 	return c.defaultAllow
 }
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@ -1,112 +0,0 @@
 package acl
 import (
 	"net"
 	"strings"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/maxmind"
 )
 type MatcherFunc func(*maxmind.IPInfo) bool
 type Matcher struct {
 	match MatcherFunc
 }
 type Matchers []Matcher
 const (
 	MatcherTypeIP       = "ip"
 	MatcherTypeCIDR     = "cidr"
 	MatcherTypeTimeZone = "tz"
 	MatcherTypeCountry  = "country"
 )
 // TODO: use this error in the future
 //
 //nolint:unused
 var errMatcherFormat = gperr.Multiline().AddLines(
 	"invalid matcher format, expect {type}:{value}",
 	"Available types: ip|cidr|tz|country",
 	"ip:127.0.0.1",
 	"cidr:127.0.0.0/8",
 	"tz:Asia/Shanghai",
 	"country:GB",
 )
 var (
 	errSyntax      = gperr.New("syntax error")
 	errInvalidIP   = gperr.New("invalid IP")
 	errInvalidCIDR = gperr.New("invalid CIDR")
 )
 func (matcher *Matcher) Parse(s string) error {
 	parts := strings.Split(s, ":")
 	if len(parts) != 2 {
 		return errSyntax
 	}
 	switch parts[0] {
 	case MatcherTypeIP:
 		ip := net.ParseIP(parts[1])
 		if ip == nil {
 			return errInvalidIP
 		}
 		matcher.match = matchIP(ip)
 	case MatcherTypeCIDR:
 		_, net, err := net.ParseCIDR(parts[1])
 		if err != nil {
 			return errInvalidCIDR
 		}
 		matcher.match = matchCIDR(net)
 	case MatcherTypeTimeZone:
 		matcher.match = matchTimeZone(parts[1])
 	case MatcherTypeCountry:
 		matcher.match = matchISOCode(parts[1])
 	default:
 		return errSyntax
 	}
 	return nil
 }
 func (matchers Matchers) Match(ip *maxmind.IPInfo) bool {
 	for _, m := range matchers {
 		if m.match(ip) {
 			return true
 		}
 	}
 	return false
 }
 func matchIP(ip net.IP) MatcherFunc {
 	return func(ip2 *maxmind.IPInfo) bool {
 		return ip.Equal(ip2.IP)
 	}
 }
 func matchCIDR(n *net.IPNet) MatcherFunc {
 	return func(ip *maxmind.IPInfo) bool {
 		return n.Contains(ip.IP)
 	}
 }
 func matchTimeZone(tz string) MatcherFunc {
 	return func(ip *maxmind.IPInfo) bool {
 		city, ok := maxmind.LookupCity(ip)
 		if !ok {
 			return false
 		}
 		return city.Location.TimeZone == tz
 	}
 }
 func matchISOCode(iso string) MatcherFunc {
 	return func(ip *maxmind.IPInfo) bool {
 		city, ok := maxmind.LookupCity(ip)
 		if !ok {
 			return false
 		}
 		return city.Country.IsoCode == iso
 	}
 }
--- a/internal/acl/matcher_test.go
+++ b/internal/acl/matcher_test.go
@ -1,49 +0,0 @@
 package acl
 import (
 	"net"
 	"reflect"
 	"testing"
 	maxmind "github.com/yusing/go-proxy/internal/maxmind/types"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 func TestMatchers(t *testing.T) {
 	strMatchers := []string{
 		"ip:127.0.0.1",
 		"cidr:10.0.0.0/8",
 	}
 	var mathers Matchers
 	err := utils.Convert(reflect.ValueOf(strMatchers), reflect.ValueOf(&mathers), false)
 	if err != nil {
 		t.Fatal(err)
 	}
 	tests := []struct {
 		ip   string
 		want bool
 	}{
 		{"127.0.0.1", true},
 		{"10.0.0.1", true},
 		{"127.0.0.2", false},
 		{"192.168.0.1", false},
 		{"11.0.0.1", false},
 	}
 	for _, test := range tests {
 		ip := net.ParseIP(test.ip)
 		if ip == nil {
 			t.Fatalf("invalid ip: %s", test.ip)
 		}
 		got := mathers.Match(&maxmind.IPInfo{
 			IP:  ip,
 			Str: test.ip,
 		})
 		if got != test.want {
 			t.Errorf("mathers.Match(%s) = %v, want %v", test.ip, got, test.want)
 		}
 	}
 }
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@ -1,59 +0,0 @@
 package acl
 import (
 	"io"
 	"net"
 	"time"
 )
 type TCPListener struct {
 	acl *Config
 	lis net.Listener
 }
 type noConn struct{}
 func (noConn) Read(b []byte) (int, error)         { return 0, io.EOF }
 func (noConn) Write(b []byte) (int, error)        { return 0, io.EOF }
 func (noConn) Close() error                       { return nil }
 func (noConn) LocalAddr() net.Addr                { return nil }
 func (noConn) RemoteAddr() net.Addr               { return nil }
 func (noConn) SetDeadline(t time.Time) error      { return nil }
 func (noConn) SetReadDeadline(t time.Time) error  { return nil }
 func (noConn) SetWriteDeadline(t time.Time) error { return nil }
 func (cfg *Config) WrapTCP(lis net.Listener) net.Listener {
 	if cfg == nil {
 		return lis
 	}
 	return &TCPListener{
 		acl: cfg,
 		lis: lis,
 	}
 }
 func (s *TCPListener) Addr() net.Addr {
 	return s.lis.Addr()
 }
 func (s *TCPListener) Accept() (net.Conn, error) {
 	c, err := s.lis.Accept()
 	if err != nil {
 		return nil, err
 	}
 	addr, ok := c.RemoteAddr().(*net.TCPAddr)
 	if !ok {
 		// Not a TCPAddr, drop
 		c.Close()
 		return noConn{}, nil
 	}
 	if !s.acl.IPAllowed(addr.IP) {
 		c.Close()
 		return noConn{}, nil
 	}
 	return c, nil
 }
 func (s *TCPListener) Close() error {
 	return s.lis.Close()
 }
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@ -1,79 +0,0 @@
 package acl
 import (
 	"net"
 	"time"
 )
 type UDPListener struct {
 	acl *Config
 	lis net.PacketConn
 }
 func (c *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
 	if c == nil {
 		return lis
 	}
 	return &UDPListener{
 		acl: c,
 		lis: lis,
 	}
 }
 func (s *UDPListener) LocalAddr() net.Addr {
 	return s.lis.LocalAddr()
 }
 func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
 	for {
 		n, addr, err := s.lis.ReadFrom(p)
 		if err != nil {
 			return n, addr, err
 		}
 		udpAddr, ok := addr.(*net.UDPAddr)
 		if !ok {
 			// Not a UDPAddr, drop
 			continue
 		}
 		if !s.acl.IPAllowed(udpAddr.IP) {
 			// Drop packet from disallowed IP
 			continue
 		}
 		return n, addr, nil
 	}
 }
 func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
 	for {
 		n, err := s.lis.WriteTo(p, addr)
 		if err != nil {
 			return n, err
 		}
 		udpAddr, ok := addr.(*net.UDPAddr)
 		if !ok {
 			// Not a UDPAddr, drop
 			continue
 		}
 		if !s.acl.IPAllowed(udpAddr.IP) {
 			// Drop packet to disallowed IP
 			continue
 		}
 		return n, nil
 	}
 }
 func (s *UDPListener) SetDeadline(t time.Time) error {
 	return s.lis.SetDeadline(t)
 }
 func (s *UDPListener) SetReadDeadline(t time.Time) error {
 	return s.lis.SetReadDeadline(t)
 }
 func (s *UDPListener) SetWriteDeadline(t time.Time) error {
 	return s.lis.SetWriteDeadline(t)
 }
 func (s *UDPListener) Close() error {
 	return s.lis.Close()
 }
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@ -1,111 +0,0 @@
 package api
 import (
 	"fmt"
 	"net/http"
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
 	"github.com/yusing/go-proxy/internal/api/v1/certapi"
 	"github.com/yusing/go-proxy/internal/api/v1/dockerapi"
 	"github.com/yusing/go-proxy/internal/api/v1/favicon"
 	"github.com/yusing/go-proxy/internal/auth"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/metrics/uptime"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 	"github.com/yusing/go-proxy/pkg"
 )
 type (
 	ServeMux struct {
 		*http.ServeMux
 		cfg config.ConfigInstance
 	}
 	WithCfgHandler = func(config.ConfigInstance, http.ResponseWriter, *http.Request)
 )
 func (mux ServeMux) HandleFunc(methods, endpoint string, h any, requireAuth ...bool) {
 	var handler http.HandlerFunc
 	switch h := h.(type) {
 	case func(http.ResponseWriter, *http.Request):
 		handler = h
 	case http.Handler:
 		handler = h.ServeHTTP
 	case WithCfgHandler:
 		handler = func(w http.ResponseWriter, r *http.Request) {
 			h(mux.cfg, w, r)
 		}
 	default:
 		panic(fmt.Errorf("unsupported handler type: %T", h))
 	}
 	matchDomains := mux.cfg.Value().MatchDomains
 	if len(matchDomains) > 0 {
 		origHandler := handler
 		handler = func(w http.ResponseWriter, r *http.Request) {
 			if httpheaders.IsWebsocket(r.Header) {
 				gpwebsocket.SetWebsocketAllowedDomains(r.Header, matchDomains)
 			}
 			origHandler(w, r)
 		}
 	}
 	if len(requireAuth) > 0 && requireAuth[0] {
 		handler = auth.RequireAuth(handler)
 	}
 	if methods == "" {
 		mux.ServeMux.HandleFunc(endpoint, handler)
 	} else {
 		for _, m := range strutils.CommaSeperatedList(methods) {
 			mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
 		}
 	}
 }
 func NewHandler(cfg config.ConfigInstance) http.Handler {
 	mux := ServeMux{http.NewServeMux(), cfg}
 	mux.HandleFunc("GET", "/v1", v1.Index)
 	mux.HandleFunc("GET", "/v1/version", pkg.GetVersionHTTPHandler())
 	mux.HandleFunc("GET", "/v1/stats", v1.Stats, true)
 	mux.HandleFunc("POST", "/v1/reload", v1.Reload, true)
 	mux.HandleFunc("GET", "/v1/list", v1.ListRoutesHandler, true)
 	mux.HandleFunc("GET", "/v1/list/routes", v1.ListRoutesHandler, true)
 	mux.HandleFunc("GET", "/v1/list/route/{which}", v1.ListRouteHandler, true)
 	mux.HandleFunc("GET", "/v1/list/routes_by_provider", v1.ListRoutesByProviderHandler, true)
 	mux.HandleFunc("GET", "/v1/list/files", v1.ListFilesHandler, true)
 	mux.HandleFunc("GET", "/v1/list/homepage_config", v1.ListHomepageConfigHandler, true)
 	mux.HandleFunc("GET", "/v1/list/route_providers", v1.ListRouteProvidersHandler, true)
 	mux.HandleFunc("GET", "/v1/list/homepage_categories", v1.ListHomepageCategoriesHandler, true)
 	mux.HandleFunc("GET", "/v1/list/icons", v1.ListIconsHandler, true)
 	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", v1.GetFileContent, true)
 	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", v1.SetFileContent, true)
 	mux.HandleFunc("POST", "/v1/file/validate/{type}", v1.ValidateFile, true)
 	mux.HandleFunc("GET", "/v1/health", v1.Health, true)
 	mux.HandleFunc("GET", "/v1/logs", memlogger.Handler(), true)
 	mux.HandleFunc("GET", "/v1/favicon", favicon.GetFavIcon, true)
 	mux.HandleFunc("POST", "/v1/homepage/set", v1.SetHomePageOverrides, true)
 	mux.HandleFunc("GET", "/v1/agents", v1.ListAgents, true)
 	mux.HandleFunc("GET", "/v1/agents/new", v1.NewAgent, true)
 	mux.HandleFunc("POST", "/v1/agents/verify", v1.VerifyNewAgent, true)
 	mux.HandleFunc("GET", "/v1/metrics/system_info", v1.SystemInfo, true)
 	mux.HandleFunc("GET", "/v1/metrics/uptime", uptime.Poller.ServeHTTP, true)
 	mux.HandleFunc("GET", "/v1/cert/info", certapi.GetCertInfo, true)
 	mux.HandleFunc("", "/v1/cert/renew", certapi.RenewCert, true)
 	mux.HandleFunc("GET", "/v1/docker/info", dockerapi.DockerInfo, true)
 	mux.HandleFunc("GET", "/v1/docker/logs/{server}/{container}", dockerapi.Logs, true)
 	mux.HandleFunc("GET", "/v1/docker/containers", dockerapi.Containers, true)
 	defaultAuth := auth.GetDefaultAuth()
 	if defaultAuth == nil {
 		return mux
 	}
 	mux.HandleFunc("GET", "/v1/auth/check", auth.AuthCheckHandler)
 	mux.HandleFunc("GET,POST", "/v1/auth/redirect", defaultAuth.LoginHandler)
 	mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.PostAuthCallbackHandler)
 	mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutHandler)
 	return mux
 }
--- a/internal/api/v1/agents.go
+++ b/internal/api/v1/agents.go
@ -1,24 +0,0 @@
 package v1
 import (
 	"net/http"
 	"time"
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 )
 func ListAgents(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	if httpheaders.IsWebsocket(r.Header) {
 		gpwebsocket.Periodic(w, r, 10*time.Second, func(conn *websocket.Conn) error {
 			wsjson.Write(r.Context(), conn, cfg.ListAgents())
 			return nil
 		})
 	} else {
 		gphttp.RespondJSON(w, r, cfg.ListAgents())
 	}
 }
--- a/internal/api/v1/certapi/cert_info.go
+++ b/internal/api/v1/certapi/cert_info.go
@ -1,41 +0,0 @@
 package certapi
 import (
 	"encoding/json"
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 )
 type CertInfo struct {
 	Subject        string   `json:"subject"`
 	Issuer         string   `json:"issuer"`
 	NotBefore      int64    `json:"not_before"`
 	NotAfter       int64    `json:"not_after"`
 	DNSNames       []string `json:"dns_names"`
 	EmailAddresses []string `json:"email_addresses"`
 }
 func GetCertInfo(w http.ResponseWriter, r *http.Request) {
 	autocert := config.GetInstance().AutoCertProvider()
 	if autocert == nil {
 		http.Error(w, "autocert is not enabled", http.StatusNotFound)
 		return
 	}
 	cert, err := autocert.GetCert(nil)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	certInfo := CertInfo{
 		Subject:        cert.Leaf.Subject.CommonName,
 		Issuer:         cert.Leaf.Issuer.CommonName,
 		NotBefore:      cert.Leaf.NotBefore.Unix(),
 		NotAfter:       cert.Leaf.NotAfter.Unix(),
 		DNSNames:       cert.Leaf.DNSNames,
 		EmailAddresses: cert.Leaf.EmailAddresses,
 	}
 	json.NewEncoder(w).Encode(&certInfo)
 }
--- a/internal/api/v1/certapi/renew.go
+++ b/internal/api/v1/certapi/renew.go
@ -1,56 +0,0 @@
 package certapi
 import (
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/logging/memlogger"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 )
 func RenewCert(w http.ResponseWriter, r *http.Request) {
 	autocert := config.GetInstance().AutoCertProvider()
 	if autocert == nil {
 		http.Error(w, "autocert is not enabled", http.StatusNotFound)
 		return
 	}
 	conn, err := gpwebsocket.Initiate(w, r)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	//nolint:errcheck
 	defer conn.CloseNow()
 	logs, cancel := memlogger.Events()
 	defer cancel()
 	done := make(chan struct{})
 	go func() {
 		defer close(done)
 		err = autocert.ObtainCert()
 		if err != nil {
 			gperr.LogError("failed to obtain cert", err)
 			gpwebsocket.WriteText(r, conn, err.Error())
 		} else {
 			logging.Info().Msg("cert obtained successfully")
 		}
 	}()
 	for {
 		select {
 		case l := <-logs:
 			if err != nil {
 				return
 			}
 			if !gpwebsocket.WriteText(r, conn, string(l)) {
 				return
 			}
 		case <-done:
 			return
 		}
 	}
 }
--- a/internal/api/v1/config_file.go
+++ b/internal/api/v1/config_file.go
@ -1,133 +0,0 @@
 package v1
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path"
 	"strings"
 	"github.com/yusing/go-proxy/internal/common"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/middleware"
 	"github.com/yusing/go-proxy/internal/route/provider"
 )
 type FileType string
 const (
 	FileTypeConfig     FileType = "config"
 	FileTypeProvider   FileType = "provider"
 	FileTypeMiddleware FileType = "middleware"
 )
 func fileType(file string) FileType {
 	switch {
 	case strings.HasPrefix(path.Base(file), "config."):
 		return FileTypeConfig
 	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
 		return FileTypeMiddleware
 	}
 	return FileTypeProvider
 }
 func (t FileType) IsValid() bool {
 	switch t {
 	case FileTypeConfig, FileTypeProvider, FileTypeMiddleware:
 		return true
 	}
 	return false
 }
 func (t FileType) GetPath(filename string) string {
 	if t == FileTypeMiddleware {
 		return path.Join(common.MiddlewareComposeBasePath, filename)
 	}
 	return path.Join(common.ConfigBasePath, filename)
 }
 func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
 	fileType = FileType(r.PathValue("type"))
 	if !fileType.IsValid() {
 		err = fmt.Errorf("invalid file type: %s", fileType)
 		return
 	}
 	filename = r.PathValue("filename")
 	if filename == "" {
 		err = fmt.Errorf("missing filename")
 	}
 	return
 }
 func GetFileContent(w http.ResponseWriter, r *http.Request) {
 	fileType, filename, err := getArgs(r)
 	if err != nil {
 		gphttp.BadRequest(w, err.Error())
 		return
 	}
 	content, err := os.ReadFile(fileType.GetPath(filename))
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	gphttp.WriteBody(w, content)
 }
 func validateFile(fileType FileType, content []byte) gperr.Error {
 	switch fileType {
 	case FileTypeConfig:
 		return config.Validate(content)
 	case FileTypeMiddleware:
 		errs := gperr.NewBuilder("middleware errors")
 		middleware.BuildMiddlewaresFromYAML("", content, errs)
 		return errs.Error()
 	}
 	return provider.Validate(content)
 }
 func ValidateFile(w http.ResponseWriter, r *http.Request) {
 	fileType := FileType(r.PathValue("type"))
 	if !fileType.IsValid() {
 		gphttp.BadRequest(w, "invalid file type")
 		return
 	}
 	content, err := io.ReadAll(r.Body)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	r.Body.Close()
 	if valErr := validateFile(fileType, content); valErr != nil {
 		gphttp.JSONError(w, valErr, http.StatusBadRequest)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 }
 func SetFileContent(w http.ResponseWriter, r *http.Request) {
 	fileType, filename, err := getArgs(r)
 	if err != nil {
 		gphttp.BadRequest(w, err.Error())
 		return
 	}
 	content, err := io.ReadAll(r.Body)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	if valErr := validateFile(fileType, content); valErr != nil {
 		gphttp.JSONError(w, valErr, http.StatusBadRequest)
 		return
 	}
 	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 }
--- a/internal/api/v1/dockerapi/containers.go
+++ b/internal/api/v1/dockerapi/containers.go
@ -1,54 +0,0 @@
 package dockerapi
 import (
 	"context"
 	"net/http"
 	"sort"
 	"github.com/docker/docker/api/types/container"
 	"github.com/yusing/go-proxy/internal/gperr"
 )
 type Container struct {
 	Server string `json:"server"`
 	Name   string `json:"name"`
 	ID     string `json:"id"`
 	Image  string `json:"image"`
 	State  string `json:"state"`
 }
 func Containers(w http.ResponseWriter, r *http.Request) {
 	serveHTTP[Container](w, r, GetContainers)
 }
 func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
 	errs := gperr.NewBuilder("failed to get containers")
 	containers := make([]Container, 0)
 	for server, dockerClient := range dockerClients {
 		conts, err := dockerClient.ContainerList(ctx, container.ListOptions{All: true})
 		if err != nil {
 			errs.Add(err)
 			continue
 		}
 		for _, cont := range conts {
 			containers = append(containers, Container{
 				Server: server,
 				Name:   cont.Names[0],
 				ID:     cont.ID,
 				Image:  cont.Image,
 				State:  cont.State,
 			})
 		}
 	}
 	sort.Slice(containers, func(i, j int) bool {
 		return containers[i].Name < containers[j].Name
 	})
 	if err := errs.Error(); err != nil {
 		gperr.LogError("failed to get containers", err)
 		if len(containers) == 0 {
 			return nil, err
 		}
 		return containers, nil
 	}
 	return containers, nil
 }
--- a/internal/api/v1/dockerapi/info.go
+++ b/internal/api/v1/dockerapi/info.go
@ -1,56 +0,0 @@
 package dockerapi
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"sort"
 	dockerSystem "github.com/docker/docker/api/types/system"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 type dockerInfo dockerSystem.Info
 func (d *dockerInfo) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]any{
 		"name":    d.Name,
 		"version": d.ServerVersion,
 		"containers": map[string]int{
 			"total":   d.Containers,
 			"running": d.ContainersRunning,
 			"paused":  d.ContainersPaused,
 			"stopped": d.ContainersStopped,
 		},
 		"images": d.Images,
 		"n_cpu":  d.NCPU,
 		"memory": strutils.FormatByteSize(d.MemTotal),
 	})
 }
 func DockerInfo(w http.ResponseWriter, r *http.Request) {
 	serveHTTP[dockerInfo](w, r, GetDockerInfo)
 }
 func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
 	errs := gperr.NewBuilder("failed to get docker info")
 	dockerInfos := make([]dockerInfo, len(dockerClients))
 	i := 0
 	for name, dockerClient := range dockerClients {
 		info, err := dockerClient.Info(ctx)
 		if err != nil {
 			errs.Add(err)
 			continue
 		}
 		info.Name = name
 		dockerInfos[i] = dockerInfo(info)
 		i++
 	}
 	sort.Slice(dockerInfos, func(i, j int) bool {
 		return dockerInfos[i].Name < dockerInfos[j].Name
 	})
 	return dockerInfos, errs.Error()
 }
--- a/internal/api/v1/dockerapi/logs.go
+++ b/internal/api/v1/dockerapi/logs.go
@ -1,69 +0,0 @@
 package dockerapi
 import (
 	"net/http"
 	"strconv"
 	"github.com/coder/websocket"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 )
 func Logs(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	server := r.PathValue("server")
 	containerID := r.PathValue("container")
 	stdout, _ := strconv.ParseBool(query.Get("stdout"))
 	stderr, _ := strconv.ParseBool(query.Get("stderr"))
 	since := query.Get("from")
 	until := query.Get("to")
 	levels := query.Get("levels") // TODO: implement levels
 	dockerClient, found, err := getDockerClient(server)
 	if err != nil {
 		gphttp.BadRequest(w, err.Error())
 		return
 	}
 	if !found {
 		gphttp.NotFound(w, "server not found")
 		return
 	}
 	opts := container.LogsOptions{
 		ShowStdout: stdout,
 		ShowStderr: stderr,
 		Since:      since,
 		Until:      until,
 		Timestamps: true,
 		Follow:     true,
 		Tail:       "100",
 	}
 	if levels != "" {
 		opts.Details = true
 	}
 	logs, err := dockerClient.ContainerLogs(r.Context(), containerID, opts)
 	if err != nil {
 		gphttp.BadRequest(w, err.Error())
 		return
 	}
 	defer logs.Close()
 	conn, err := gpwebsocket.Initiate(w, r)
 	if err != nil {
 		return
 	}
 	defer conn.CloseNow()
 	writer := gpwebsocket.NewWriter(r.Context(), conn, websocket.MessageText)
 	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
 	if err != nil {
 		logging.Err(err).
 			Str("server", server).
 			Str("container", containerID).
 			Msg("failed to de-multiplex logs")
 	}
 }
--- a/internal/api/v1/dockerapi/utils.go
+++ b/internal/api/v1/dockerapi/utils.go
@ -1,124 +0,0 @@
 package dockerapi
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"time"
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/docker"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 )
 type (
 	DockerClients     map[string]*docker.SharedClient
 	ResultType[T any] interface {
 		map[string]T | []T
 	}
 )
 // getDockerClients returns a map of docker clients for the current config.
 //
 // Returns a map of docker clients by server name and an error if any.
 //
 // Even if there are errors, the map of docker clients might not be empty.
 func getDockerClients() (DockerClients, gperr.Error) {
 	cfg := config.GetInstance()
 	dockerHosts := cfg.Value().Providers.Docker
 	dockerClients := make(DockerClients)
 	connErrs := gperr.NewBuilder("failed to connect to docker")
 	for name, host := range dockerHosts {
 		dockerClient, err := docker.NewClient(host)
 		if err != nil {
 			connErrs.Add(err)
 			continue
 		}
 		dockerClients[name] = dockerClient
 	}
 	for _, agent := range cfg.ListAgents() {
 		dockerClient, err := docker.NewClient(agent.FakeDockerHost())
 		if err != nil {
 			connErrs.Add(err)
 			continue
 		}
 		dockerClients[agent.Name()] = dockerClient
 	}
 	return dockerClients, connErrs.Error()
 }
 func getDockerClient(server string) (*docker.SharedClient, bool, error) {
 	cfg := config.GetInstance()
 	var host string
 	for name, h := range cfg.Value().Providers.Docker {
 		if name == server {
 			host = h
 			break
 		}
 	}
 	for _, agent := range cfg.ListAgents() {
 		if agent.Name() == server {
 			host = agent.FakeDockerHost()
 			break
 		}
 	}
 	if host == "" {
 		return nil, false, nil
 	}
 	dockerClient, err := docker.NewClient(host)
 	if err != nil {
 		return nil, false, err
 	}
 	return dockerClient, true, nil
 }
 // closeAllClients closes all docker clients after a delay.
 //
 // This is used to ensure that all docker clients are closed after the http handler returns.
 func closeAllClients(dockerClients DockerClients) {
 	for _, dockerClient := range dockerClients {
 		dockerClient.Close()
 	}
 }
 func handleResult[V any, T ResultType[V]](w http.ResponseWriter, errs error, result T) {
 	if errs != nil {
 		gperr.LogError("docker errors", errs)
 		if len(result) == 0 {
 			http.Error(w, "docker errors", http.StatusInternalServerError)
 			return
 		}
 	}
 	json.NewEncoder(w).Encode(result) //nolint
 }
 func serveHTTP[V any, T ResultType[V]](w http.ResponseWriter, r *http.Request, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
 	dockerClients, err := getDockerClients()
 	if err != nil {
 		handleResult[V, T](w, err, nil)
 		return
 	}
 	defer closeAllClients(dockerClients)
 	if httpheaders.IsWebsocket(r.Header) {
 		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
 			result, err := getResult(r.Context(), dockerClients)
 			if err != nil {
 				return err
 			}
 			return wsjson.Write(r.Context(), conn, result)
 		})
 	} else {
 		result, err := getResult(r.Context(), dockerClients)
 		handleResult[V](w, err, result)
 	}
 }
--- a/internal/api/v1/favicon/favicon.go
+++ b/internal/api/v1/favicon/favicon.go
@ -1,75 +0,0 @@
 package favicon
 import (
 	"net/http"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 // GetFavIcon returns the favicon of the route
 //
 // Returns:
 //   - 200 OK: if icon found
 //   - 400 Bad Request: if alias is empty or route is not HTTPRoute
 //   - 404 Not Found: if route or icon not found
 //   - 500 Internal Server Error: if internal error
 //   - others: depends on route handler response
 func GetFavIcon(w http.ResponseWriter, req *http.Request) {
 	url, alias := req.FormValue("url"), req.FormValue("alias")
 	if url == "" && alias == "" {
 		gphttp.MissingKey(w, "url or alias")
 		return
 	}
 	if url != "" && alias != "" {
 		gphttp.BadRequest(w, "url and alias are mutually exclusive")
 		return
 	}
 	// try with url
 	if url != "" {
 		var iconURL homepage.IconURL
 		if err := iconURL.Parse(url); err != nil {
 			gphttp.ClientError(w, req, err, http.StatusBadRequest)
 			return
 		}
 		fetchResult := homepage.FetchFavIconFromURL(req.Context(), &iconURL)
 		if !fetchResult.OK() {
 			http.Error(w, fetchResult.ErrMsg, fetchResult.StatusCode)
 			return
 		}
 		w.Header().Set("Content-Type", fetchResult.ContentType())
 		gphttp.WriteBody(w, fetchResult.Icon)
 		return
 	}
 	// try with route.Icon
 	r, ok := routes.HTTP.Get(alias)
 	if !ok {
 		gphttp.ValueNotFound(w, "route", alias)
 		return
 	}
 	var result *homepage.FetchResult
 	hp := r.HomepageItem()
 	if hp.Icon != nil {
 		if hp.Icon.IconSource == homepage.IconSourceRelative {
 			result = homepage.FindIcon(req.Context(), r, *hp.Icon.FullURL)
 		} else {
 			result = homepage.FetchFavIconFromURL(req.Context(), hp.Icon)
 		}
 	} else {
 		// try extract from "link[rel=icon]"
 		result = homepage.FindIcon(req.Context(), r, "/")
 	}
 	if result.StatusCode == 0 {
 		result.StatusCode = http.StatusOK
 	}
 	if !result.OK() {
 		http.Error(w, result.ErrMsg, result.StatusCode)
 		return
 	}
 	w.Header().Set("Content-Type", result.ContentType())
 	gphttp.WriteBody(w, result.Icon)
 }
--- a/internal/api/v1/health.go
+++ b/internal/api/v1/health.go
@ -1,23 +0,0 @@
 package v1
 import (
 	"net/http"
 	"time"
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 func Health(w http.ResponseWriter, r *http.Request) {
 	if httpheaders.IsWebsocket(r.Header) {
 		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
 			return wsjson.Write(r.Context(), conn, routes.HealthMap())
 		})
 	} else {
 		gphttp.RespondJSON(w, r, routes.HealthMap())
 	}
 }
--- a/internal/api/v1/homepage_overrides.go
+++ b/internal/api/v1/homepage_overrides.go
@ -1,90 +0,0 @@
 package v1
 import (
 	"encoding/json"
 	"io"
 	"net/http"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 const (
 	HomepageOverrideItem          = "item"
 	HomepageOverrideItemsBatch    = "items_batch"
 	HomepageOverrideCategoryOrder = "category_order"
 	HomepageOverrideItemVisible   = "item_visible"
 )
 type (
 	HomepageOverrideItemParams struct {
 		Which string              `json:"which"`
 		Value homepage.ItemConfig `json:"value"`
 	}
 	HomepageOverrideItemsBatchParams struct {
 		Value map[string]*homepage.ItemConfig `json:"value"`
 	}
 	HomepageOverrideCategoryOrderParams struct {
 		Which string `json:"which"`
 		Value int    `json:"value"`
 	}
 	HomepageOverrideItemVisibleParams struct {
 		Which []string `json:"which"`
 		Value bool     `json:"value"`
 	}
 )
 func SetHomePageOverrides(w http.ResponseWriter, r *http.Request) {
 	what := r.FormValue("what")
 	if what == "" {
 		gphttp.BadRequest(w, "missing what or which")
 		return
 	}
 	data, err := io.ReadAll(r.Body)
 	if err != nil {
 		gphttp.ClientError(w, r, err, http.StatusBadRequest)
 		return
 	}
 	r.Body.Close()
 	overrides := homepage.GetOverrideConfig()
 	switch what {
 	case HomepageOverrideItem:
 		var params HomepageOverrideItemParams
 		if err := json.Unmarshal(data, &params); err != nil {
 			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		overrides.OverrideItem(params.Which, &params.Value)
 	case HomepageOverrideItemsBatch:
 		var params HomepageOverrideItemsBatchParams
 		if err := json.Unmarshal(data, &params); err != nil {
 			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		overrides.OverrideItems(params.Value)
 	case HomepageOverrideItemVisible: // POST /v1/item_visible [a,b,c], false => hide a, b, c
 		var params HomepageOverrideItemVisibleParams
 		if err := json.Unmarshal(data, &params); err != nil {
 			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		if params.Value {
 			overrides.UnhideItems(params.Which)
 		} else {
 			overrides.HideItems(params.Which)
 		}
 	case HomepageOverrideCategoryOrder:
 		var params HomepageOverrideCategoryOrderParams
 		if err := json.Unmarshal(data, &params); err != nil {
 			gphttp.ClientError(w, r, err, http.StatusBadRequest)
 			return
 		}
 		overrides.SetCategoryOrder(params.Which, params.Value)
 	default:
 		http.Error(w, "invalid what", http.StatusBadRequest)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 }
--- a/internal/api/v1/index.go
+++ b/internal/api/v1/index.go
@ -1,11 +0,0 @@
 package v1
 import (
 	"net/http"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 func Index(w http.ResponseWriter, r *http.Request) {
 	gphttp.WriteBody(w, []byte("API ready"))
 }
--- a/internal/api/v1/list_files.go
+++ b/internal/api/v1/list_files.go
@ -1,41 +0,0 @@
 package v1
 import (
 	"net/http"
 	"strings"
 	"github.com/yusing/go-proxy/internal/common"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 func ListFilesHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	files, err := utils.ListFiles(common.ConfigBasePath, 0, true)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	resp := map[FileType][]string{
 		FileTypeConfig:     make([]string, 0),
 		FileTypeProvider:   make([]string, 0),
 		FileTypeMiddleware: make([]string, 0),
 	}
 	for _, file := range files {
 		t := fileType(file)
 		file = strings.TrimPrefix(file, common.ConfigBasePath+"/")
 		resp[t] = append(resp[t], file)
 	}
 	mids, err := utils.ListFiles(common.MiddlewareComposeBasePath, 0, true)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	for _, mid := range mids {
 		mid = strings.TrimPrefix(mid, common.MiddlewareComposeBasePath+"/")
 		resp[FileTypeMiddleware] = append(resp[FileTypeMiddleware], mid)
 	}
 	gphttp.RespondJSON(w, r, resp)
 }
--- a/internal/api/v1/list_homepage_categories.go
+++ b/internal/api/v1/list_homepage_categories.go
@ -1,13 +0,0 @@
 package v1
 import (
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 func ListHomepageCategoriesHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	gphttp.RespondJSON(w, r, routes.HomepageCategories())
 }
--- a/internal/api/v1/list_homepage_config.go
+++ b/internal/api/v1/list_homepage_config.go
@ -1,13 +0,0 @@
 package v1
 import (
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 func ListHomepageConfigHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	gphttp.RespondJSON(w, r, routes.HomepageConfig(r.FormValue("category"), r.FormValue("provider")))
 }
--- a/internal/api/v1/list_icons.go
+++ b/internal/api/v1/list_icons.go
@ -1,23 +0,0 @@
 package v1
 import (
 	"net/http"
 	"strconv"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/homepage"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 func ListIconsHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	limit, err := strconv.Atoi(r.FormValue("limit"))
 	if err != nil {
 		limit = 0
 	}
 	icons, err := homepage.SearchIcons(r.FormValue("keyword"), limit)
 	if err != nil {
 		gphttp.ClientError(w, r, err)
 		return
 	}
 	gphttp.RespondJSON(w, r, icons)
 }
--- a/internal/api/v1/list_route.go
+++ b/internal/api/v1/list_route.go
@ -1,19 +0,0 @@
 package v1
 import (
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 func ListRouteHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	which := r.PathValue("which")
 	route, ok := routes.Get(which)
 	if ok {
 		gphttp.RespondJSON(w, r, route)
 	} else {
 		gphttp.RespondJSON(w, r, nil)
 	}
 }
--- a/internal/api/v1/list_route_providers.go
+++ b/internal/api/v1/list_route_providers.go
@ -1,23 +0,0 @@
 package v1
 import (
 	"net/http"
 	"time"
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 )
 func ListRouteProvidersHandler(cfgInstance config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	if httpheaders.IsWebsocket(r.Header) {
 		gpwebsocket.Periodic(w, r, 5*time.Second, func(conn *websocket.Conn) error {
 			return wsjson.Write(r.Context(), conn, cfgInstance.RouteProviderList())
 		})
 	} else {
 		gphttp.RespondJSON(w, r, cfgInstance.RouteProviderList())
 	}
 }
--- a/internal/api/v1/list_routes.go
+++ b/internal/api/v1/list_routes.go
@ -1,25 +0,0 @@
 package v1
 import (
 	"net/http"
 	"slices"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 func ListRoutesHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	rts := make([]routes.Route, 0)
 	provider := r.FormValue("provider")
 	if provider == "" {
 		gphttp.RespondJSON(w, r, slices.Collect(routes.Iter))
 		return
 	}
 	for r := range routes.Iter {
 		if r.ProviderName() == provider {
 			rts = append(rts, r)
 		}
 	}
 	gphttp.RespondJSON(w, r, rts)
 }
--- a/internal/api/v1/list_routes_by_provider.go
+++ b/internal/api/v1/list_routes_by_provider.go
@ -1,13 +0,0 @@
 package v1
 import (
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/route/routes"
 )
 func ListRoutesByProviderHandler(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	gphttp.RespondJSON(w, r, routes.ByProvider())
 }
--- a/internal/api/v1/new_agent.go
+++ b/internal/api/v1/new_agent.go
@ -1,141 +0,0 @@
 package v1
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"strconv"
 	_ "embed"
 	"github.com/yusing/go-proxy/agent/pkg/agent"
 	"github.com/yusing/go-proxy/agent/pkg/certs"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 func NewAgent(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 	name := q.Get("name")
 	if name == "" {
 		gphttp.MissingKey(w, "name")
 		return
 	}
 	host := q.Get("host")
 	if host == "" {
 		gphttp.MissingKey(w, "host")
 		return
 	}
 	portStr := q.Get("port")
 	if portStr == "" {
 		gphttp.MissingKey(w, "port")
 		return
 	}
 	port, err := strconv.Atoi(portStr)
 	if err != nil || port < 1 || port > 65535 {
 		gphttp.InvalidKey(w, "port")
 		return
 	}
 	hostport := fmt.Sprintf("%s:%d", host, port)
 	if _, ok := config.GetInstance().GetAgent(hostport); ok {
 		gphttp.KeyAlreadyExists(w, "agent", hostport)
 		return
 	}
 	t := q.Get("type")
 	switch t {
 	case "docker", "system":
 		break
 	case "":
 		gphttp.MissingKey(w, "type")
 		return
 	default:
 		gphttp.InvalidKey(w, "type")
 		return
 	}
 	nightly, _ := strconv.ParseBool(q.Get("nightly"))
 	var image string
 	if nightly {
 		image = agent.DockerImageNightly
 	} else {
 		image = agent.DockerImageProduction
 	}
 	ca, srv, client, err := agent.NewAgent()
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	var cfg agent.Generator = &agent.AgentEnvConfig{
 		Name:    name,
 		Port:    port,
 		CACert:  ca.String(),
 		SSLCert: srv.String(),
 	}
 	if t == "docker" {
 		cfg = &agent.AgentComposeConfig{
 			Image:          image,
 			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
 		}
 	}
 	template, err := cfg.Generate()
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	gphttp.RespondJSON(w, r, map[string]any{
 		"compose": template,
 		"ca":      ca,
 		"client":  client,
 	})
 }
 func VerifyNewAgent(w http.ResponseWriter, r *http.Request) {
 	defer r.Body.Close()
 	clientPEMData, err := io.ReadAll(r.Body)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	var data struct {
 		Host   string        `json:"host"`
 		CA     agent.PEMPair `json:"ca"`
 		Client agent.PEMPair `json:"client"`
 	}
 	if err := json.Unmarshal(clientPEMData, &data); err != nil {
 		gphttp.ClientError(w, r, err)
 		return
 	}
 	nRoutesAdded, err := config.GetInstance().VerifyNewAgent(data.Host, data.CA, data.Client)
 	if err != nil {
 		gphttp.ClientError(w, r, err)
 		return
 	}
 	zip, err := certs.ZipCert(data.CA.Cert, data.Client.Cert, data.Client.Key)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	filename, ok := certs.AgentCertsFilepath(data.Host)
 	if !ok {
 		gphttp.InvalidKey(w, "host")
 		return
 	}
 	if err := os.WriteFile(filename, zip, 0600); err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 	w.Write(fmt.Appendf(nil, "Added %d routes", nRoutesAdded))
 }
--- a/internal/api/v1/reload.go
+++ b/internal/api/v1/reload.go
@ -1,16 +0,0 @@
 package v1
 import (
 	"net/http"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 func Reload(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	if err := cfg.Reload(); err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	gphttp.WriteBody(w, []byte("OK"))
 }
--- a/internal/api/v1/stats.go
+++ b/internal/api/v1/stats.go
@ -1,33 +0,0 @@
 package v1
 import (
 	"net/http"
 	"time"
 	"github.com/coder/websocket"
 	"github.com/coder/websocket/wsjson"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/gpwebsocket"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 func Stats(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	if httpheaders.IsWebsocket(r.Header) {
 		gpwebsocket.Periodic(w, r, 1*time.Second, func(conn *websocket.Conn) error {
 			return wsjson.Write(r.Context(), conn, getStats(cfg))
 		})
 	} else {
 		gphttp.RespondJSON(w, r, getStats(cfg))
 	}
 }
 var startTime = time.Now()
 func getStats(cfg config.ConfigInstance) map[string]any {
 	return map[string]any{
 		"proxies": cfg.Statistics(),
 		"uptime":  strutils.FormatDuration(time.Since(startTime)),
 	}
 }
--- a/internal/api/v1/system_info.go
+++ b/internal/api/v1/system_info.go
@ -1,54 +0,0 @@
 package v1
 import (
 	"net/http"
 	agentPkg "github.com/yusing/go-proxy/agent/pkg/agent"
 	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/metrics/systeminfo"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/net/gphttp/httpheaders"
 	"github.com/yusing/go-proxy/internal/net/gphttp/reverseproxy"
 	"github.com/yusing/go-proxy/internal/net/types"
 )
 func SystemInfo(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	agentAddr := query.Get("agent_addr")
 	query.Del("agent_addr")
 	if agentAddr == "" {
 		systeminfo.Poller.ServeHTTP(w, r)
 		return
 	}
 	agent, ok := cfg.GetAgent(agentAddr)
 	if !ok {
 		gphttp.NotFound(w, "agent_addr")
 		return
 	}
 	isWS := httpheaders.IsWebsocket(r.Header)
 	if !isWS {
 		respData, status, err := agent.Forward(r, agentPkg.EndpointSystemInfo)
 		if err != nil {
 			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to forward request to agent"))
 			return
 		}
 		if status != http.StatusOK {
 			http.Error(w, string(respData), status)
 			return
 		}
 		gphttp.WriteBody(w, respData)
 	} else {
 		rp := reverseproxy.NewReverseProxy("agent", types.NewURL(agentPkg.AgentURL), agent.Transport())
 		header := r.Header.Clone()
 		r, err := http.NewRequestWithContext(r.Context(), r.Method, agentPkg.EndpointSystemInfo+"?"+query.Encode(), nil)
 		if err != nil {
 			gphttp.ServerError(w, r, gperr.Wrap(err, "failed to create request"))
 			return
 		}
 		r.Header = header
 		rp.ServeHTTP(w, r)
 	}
 }
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@ -1,73 +0,0 @@
 package auth
 import (
 	"net/http"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 )
 var defaultAuth Provider
 // Initialize sets up authentication providers.
 func Initialize() error {
 	if !IsEnabled() {
 		return nil
 	}
 	var err error
 	// Initialize OIDC if configured.
 	if common.OIDCIssuerURL != "" {
 		defaultAuth, err = NewOIDCProviderFromEnv()
 	} else {
 		defaultAuth, err = NewUserPassAuthFromEnv()
 	}
 	return err
 }
 func GetDefaultAuth() Provider {
 	return defaultAuth
 }
 func IsEnabled() bool {
 	return !common.DebugDisableAuth && (common.APIJWTSecret != nil || IsOIDCEnabled())
 }
 func IsOIDCEnabled() bool {
 	return common.OIDCIssuerURL != ""
 }
 type nextHandler struct{}
 var nextHandlerContextKey = nextHandler{}
 func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
 	if !IsEnabled() {
 		return next
 	}
 	return func(w http.ResponseWriter, r *http.Request) {
 		if err := defaultAuth.CheckToken(r); err != nil {
 			gphttp.Unauthorized(w, err.Error())
 			return
 		}
 		next(w, r)
 	}
 }
 func ProceedNext(w http.ResponseWriter, r *http.Request) {
 	next, ok := r.Context().Value(nextHandlerContextKey).(http.HandlerFunc)
 	if ok {
 		next(w, r)
 	} else {
 		w.WriteHeader(http.StatusOK)
 	}
 }
 func AuthCheckHandler(w http.ResponseWriter, r *http.Request) {
 	if err := defaultAuth.CheckToken(r); err != nil {
 		defaultAuth.LoginHandler(w, r)
 	} else {
 		w.WriteHeader(http.StatusOK)
 	}
 }
--- a/internal/auth/block_page.go
+++ b/internal/auth/block_page.go
@ -1,22 +0,0 @@
 package auth
 import (
 	"html/template"
 	"net/http"
 	_ "embed"
 )
 //go:embed block_page.html
 var blockPageHTML string
 var blockPageTemplate = template.Must(template.New("block_page").Parse(blockPageHTML))
 func WriteBlockPage(w http.ResponseWriter, status int, error string, logoutURL string) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	blockPageTemplate.Execute(w, map[string]string{
 		"StatusText": http.StatusText(status),
 		"Error":      error,
 		"LogoutURL":  logoutURL,
 	})
 }
--- a/internal/auth/block_page.html
+++ b/internal/auth/block_page.html
@ -1,14 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access Denied</title>
 </head>
 <body>
    <h1>{{.StatusText}}</h1>
    <p>{{.Error}}</p>
    <a href="{{.LogoutURL}}">Logout</a>
 </body>
 </html>
--- a/internal/auth/oauth_refresh.go
+++ b/internal/auth/oauth_refresh.go
@ -1,221 +0,0 @@
 package auth
 import (
 	"context"
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
 	"sync"
 	"time"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/jsonstore"
 	"github.com/yusing/go-proxy/internal/logging"
 	"golang.org/x/oauth2"
 )
 type oauthRefreshToken struct {
 	Username     string    `json:"username"`
 	RefreshToken string    `json:"refresh_token"`
 	Expiry       time.Time `json:"expiry"`
 	result *RefreshResult
 	err    error
 	mu     sync.Mutex
 }
 type Session struct {
 	SessionID sessionID `json:"session_id"`
 	Username  string    `json:"username"`
 	Groups    []string  `json:"groups"`
 }
 type RefreshResult struct {
 	newSession Session
 	jwt        string
 	jwtExpiry  time.Time
 }
 type sessionClaims struct {
 	Session
 	jwt.RegisteredClaims
 }
 type sessionID string
 var oauthRefreshTokens jsonstore.MapStore[*oauthRefreshToken]
 var (
 	defaultRefreshTokenExpiry = 30 * 24 * time.Hour // 1 month
 	sessionInvalidateDelay    = 3 * time.Second
 )
 var (
 	errNoRefreshToken      = errors.New("no refresh token")
 	ErrRefreshTokenFailure = errors.New("failed to refresh token")
 )
 const sessionTokenIssuer = "GoDoxy"
 func init() {
 	if IsOIDCEnabled() {
 		oauthRefreshTokens = jsonstore.Store[*oauthRefreshToken]("oauth_refresh_tokens")
 	}
 }
 func (token *oauthRefreshToken) expired() bool {
 	return time.Now().After(token.Expiry)
 }
 func newSessionID() sessionID {
 	b := make([]byte, 32)
 	_, _ = rand.Read(b)
 	return sessionID(hex.EncodeToString(b))
 }
 func newSession(username string, groups []string) Session {
 	return Session{
 		SessionID: newSessionID(),
 		Username:  username,
 		Groups:    groups,
 	}
 }
 // getOAuthRefreshToken returns the refresh token for the given session.
 func getOAuthRefreshToken(claims *Session) (*oauthRefreshToken, bool) {
 	token, ok := oauthRefreshTokens.Load(string(claims.SessionID))
 	if !ok {
 		return nil, false
 	}
 	if token.expired() {
 		invalidateOAuthRefreshToken(claims.SessionID)
 		return nil, false
 	}
 	if claims.Username != token.Username {
 		return nil, false
 	}
 	return token, true
 }
 func storeOAuthRefreshToken(sessionID sessionID, username, token string) {
 	oauthRefreshTokens.Store(string(sessionID), &oauthRefreshToken{
 		Username:     username,
 		RefreshToken: token,
 		Expiry:       time.Now().Add(defaultRefreshTokenExpiry),
 	})
 	logging.Debug().Str("username", username).Msg("stored oauth refresh token")
 }
 func invalidateOAuthRefreshToken(sessionID sessionID) {
 	logging.Debug().Str("session_id", string(sessionID)).Msg("invalidating oauth refresh token")
 	oauthRefreshTokens.Delete(string(sessionID))
 }
 func (auth *OIDCProvider) setSessionTokenCookie(w http.ResponseWriter, r *http.Request, session Session) {
 	claims := &sessionClaims{
 		Session: session,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    sessionTokenIssuer,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(common.APIJWTTokenTTL)),
 		},
 	}
 	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
 	signed, err := jwtToken.SignedString(common.APIJWTSecret)
 	if err != nil {
 		logging.Err(err).Msg("failed to sign session token")
 		return
 	}
 	SetTokenCookie(w, r, CookieOauthSessionToken, signed, common.APIJWTTokenTTL)
 }
 func (auth *OIDCProvider) parseSessionJWT(sessionJWT string) (claims *sessionClaims, valid bool, err error) {
 	claims = &sessionClaims{}
 	sessionToken, err := jwt.ParseWithClaims(sessionJWT, claims, func(t *jwt.Token) (interface{}, error) {
 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
 		}
 		return common.APIJWTSecret, nil
 	})
 	if err != nil {
 		return nil, false, err
 	}
 	return claims, sessionToken.Valid && claims.Issuer == sessionTokenIssuer, nil
 }
 func (auth *OIDCProvider) TryRefreshToken(ctx context.Context, sessionJWT string) (*RefreshResult, error) {
 	// verify the session cookie
 	claims, valid, err := auth.parseSessionJWT(sessionJWT)
 	if err != nil {
 		return nil, fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrInvalidSessionToken, err)
 	}
 	if !valid {
 		return nil, ErrInvalidSessionToken
 	}
 	// check if refresh is possible
 	refreshToken, ok := getOAuthRefreshToken(&claims.Session)
 	if !ok {
 		return nil, errNoRefreshToken
 	}
 	if !auth.checkAllowed(claims.Username, claims.Groups) {
 		return nil, ErrUserNotAllowed
 	}
 	return auth.doRefreshToken(ctx, refreshToken, &claims.Session)
 }
 func (auth *OIDCProvider) doRefreshToken(ctx context.Context, refreshToken *oauthRefreshToken, claims *Session) (*RefreshResult, error) {
 	refreshToken.mu.Lock()
 	defer refreshToken.mu.Unlock()
 	// already refreshed
 	// this must be called after refresh but before invalidate
 	if refreshToken.result != nil || refreshToken.err != nil {
 		return refreshToken.result, refreshToken.err
 	}
 	// this step refreshes the token
 	// see https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.29.0:oauth2.go;l=313
 	newToken, err := auth.oauthConfig.TokenSource(ctx, &oauth2.Token{
 		RefreshToken: refreshToken.RefreshToken,
 	}).Token()
 	if err != nil {
 		refreshToken.err = fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrRefreshTokenFailure, err)
 		return nil, refreshToken.err
 	}
 	idTokenJWT, idToken, err := auth.getIdToken(ctx, newToken)
 	if err != nil {
 		refreshToken.err = fmt.Errorf("session: %s - %w: %w", claims.SessionID, ErrRefreshTokenFailure, err)
 		return nil, refreshToken.err
 	}
 	// in case there're multiple requests for the same session to refresh
 	// invalidate the token after a short delay
 	go func() {
 		<-time.After(sessionInvalidateDelay)
 		invalidateOAuthRefreshToken(claims.SessionID)
 	}()
 	sessionID := newSessionID()
 	logging.Debug().Str("username", claims.Username).Time("expiry", newToken.Expiry).Msg("refreshed token")
 	storeOAuthRefreshToken(sessionID, claims.Username, newToken.RefreshToken)
 	refreshToken.result = &RefreshResult{
 		newSession: Session{
 			SessionID: sessionID,
 			Username:  claims.Username,
 			Groups:    claims.Groups,
 		},
 		jwt:       idTokenJWT,
 		jwtExpiry: idToken.Expiry,
 	}
 	return refreshToken.result, nil
 }
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@ -1,336 +0,0 @@
 package auth
 import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"slices"
 	"time"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/utils"
 	"golang.org/x/oauth2"
 )
 type (
 	OIDCProvider struct {
 		oauthConfig   *oauth2.Config
 		oidcProvider  *oidc.Provider
 		oidcVerifier  *oidc.IDTokenVerifier
 		endSessionURL *url.URL
 		allowedUsers  []string
 		allowedGroups []string
 	}
 	IDTokenClaims struct {
 		Username string   `json:"preferred_username"`
 		Groups   []string `json:"groups"`
 	}
 )
 const (
 	CookieOauthState        = "godoxy_oidc_state"
 	CookieOauthToken        = "godoxy_oauth_token"
 	CookieOauthSessionToken = "godoxy_session_token"
 )
 const (
 	OIDCAuthInitPath = "/"
 	OIDCPostAuthPath = "/auth/callback"
 	OIDCLogoutPath   = "/auth/logout"
 )
 var (
 	errMissingIDToken = errors.New("missing id_token field from oauth token")
 	ErrMissingOAuthToken = gperr.New("missing oauth token")
 	ErrInvalidOAuthToken = gperr.New("invalid oauth token")
 )
 // generateState generates a random string for OIDC state.
 const oidcStateLength = 32
 func generateState() string {
 	b := make([]byte, oidcStateLength)
 	_, _ = rand.Read(b)
 	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength]
 }
 func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
 	if len(allowedUsers)+len(allowedGroups) == 0 {
 		return nil, errors.New("oidc.allowed_users or oidc.allowed_groups are both empty")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	provider, err := oidc.NewProvider(ctx, issuerURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
 	}
 	endSessionURL, err := url.Parse(provider.EndSessionEndpoint())
 	if err != nil && provider.EndSessionEndpoint() != "" {
 		// non critical, just warn
 		logging.Warn().
 			Str("issuer", issuerURL).
 			Err(err).
 			Msg("failed to parse end session URL")
 	}
 	return &OIDCProvider{
 		oauthConfig: &oauth2.Config{
 			ClientID:     clientID,
 			ClientSecret: clientSecret,
 			RedirectURL:  "",
 			Endpoint:     provider.Endpoint(),
 			Scopes:       common.OIDCScopes,
 		},
 		oidcProvider: provider,
 		oidcVerifier: provider.Verifier(&oidc.Config{
 			ClientID: clientID,
 		}),
 		endSessionURL: endSessionURL,
 		allowedUsers:  allowedUsers,
 		allowedGroups: allowedGroups,
 	}, nil
 }
 // NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
 func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
 	return NewOIDCProvider(
 		common.OIDCIssuerURL,
 		common.OIDCClientID,
 		common.OIDCClientSecret,
 		common.OIDCAllowedUsers,
 		common.OIDCAllowedGroups,
 	)
 }
 func (auth *OIDCProvider) SetAllowedUsers(users []string) {
 	auth.allowedUsers = users
 }
 func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
 	auth.allowedGroups = groups
 }
 // optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
 // parameter of the authorization URL to the post auth path of the current
 // request host.
 func optRedirectPostAuth(r *http.Request) oauth2.AuthCodeOption {
 	return oauth2.SetAuthURLParam("redirect_uri", "https://"+requestHost(r)+OIDCPostAuthPath)
 }
 func (auth *OIDCProvider) getIdToken(ctx context.Context, oauthToken *oauth2.Token) (string, *oidc.IDToken, error) {
 	idTokenJWT, ok := oauthToken.Extra("id_token").(string)
 	if !ok {
 		return "", nil, errMissingIDToken
 	}
 	idToken, err := auth.oidcVerifier.Verify(ctx, idTokenJWT)
 	if err != nil {
 		return "", nil, fmt.Errorf("failed to verify ID token: %w", err)
 	}
 	return idTokenJWT, idToken, nil
 }
 func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
 	if r.URL.Path == "" {
 		r.URL.Path = OIDCAuthInitPath
 	}
 	if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
 		r.URL.Scheme = "https"
 		http.Redirect(w, r, r.URL.String(), http.StatusFound)
 		return
 	}
 	switch r.URL.Path {
 	case OIDCAuthInitPath:
 		auth.LoginHandler(w, r)
 	case OIDCPostAuthPath:
 		auth.PostAuthCallbackHandler(w, r)
 	case OIDCLogoutPath:
 		auth.LogoutHandler(w, r)
 	default:
 		http.Redirect(w, r, OIDCAuthInitPath, http.StatusFound)
 	}
 }
 func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	// check for session token
 	sessionToken, err := r.Cookie(CookieOauthSessionToken)
 	if err == nil { // session token exists
 		result, err := auth.TryRefreshToken(r.Context(), sessionToken.Value)
 		// redirect back to where they requested
 		// when token refresh is ok
 		if err == nil {
 			auth.setIDTokenCookie(w, r, result.jwt, time.Until(result.jwtExpiry))
 			auth.setSessionTokenCookie(w, r, result.newSession)
 			ProceedNext(w, r)
 			return
 		}
 		// clear cookies then redirect to home
 		logging.Err(err).Msg("failed to refresh token")
 		auth.clearCookie(w, r)
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
 	state := generateState()
 	SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
 	// redirect user to Idp
 	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
 }
 func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
 	var claim IDTokenClaims
 	if err := idToken.Claims(&claim); err != nil {
 		return nil, fmt.Errorf("failed to parse claims: %w", err)
 	}
 	if claim.Username == "" {
 		return nil, errors.New("missing username in ID token")
 	}
 	return &claim, nil
 }
 func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
 	userAllowed := slices.Contains(auth.allowedUsers, user)
 	if !userAllowed {
 		return false
 	}
 	if len(auth.allowedGroups) == 0 {
 		return true
 	}
 	return len(utils.Intersect(groups, auth.allowedGroups)) > 0
 }
 func (auth *OIDCProvider) CheckToken(r *http.Request) error {
 	tokenCookie, err := r.Cookie(CookieOauthToken)
 	if err != nil {
 		return ErrMissingOAuthToken
 	}
 	idToken, err := auth.oidcVerifier.Verify(r.Context(), tokenCookie.Value)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
 	}
 	claims, err := parseClaims(idToken)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, err)
 	}
 	if !auth.checkAllowed(claims.Username, claims.Groups) {
 		return ErrUserNotAllowed
 	}
 	return nil
 }
 func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	// For testing purposes, skip provider verification
 	if common.IsTest {
 		auth.handleTestCallback(w, r)
 		return
 	}
 	// verify state
 	state, err := r.Cookie(CookieOauthState)
 	if err != nil {
 		gphttp.BadRequest(w, "missing state cookie")
 		return
 	}
 	if r.URL.Query().Get("state") != state.Value {
 		gphttp.BadRequest(w, "invalid oauth state")
 		return
 	}
 	code := r.URL.Query().Get("code")
 	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code, optRedirectPostAuth(r))
 	if err != nil {
 		gphttp.ServerError(w, r, fmt.Errorf("failed to exchange token: %w", err))
 		return
 	}
 	idTokenJWT, idToken, err := auth.getIdToken(r.Context(), oauth2Token)
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	if oauth2Token.RefreshToken != "" {
 		claims, err := parseClaims(idToken)
 		if err != nil {
 			gphttp.ServerError(w, r, err)
 			return
 		}
 		session := newSession(claims.Username, claims.Groups)
 		storeOAuthRefreshToken(session.SessionID, claims.Username, oauth2Token.RefreshToken)
 		auth.setSessionTokenCookie(w, r, session)
 	}
 	auth.setIDTokenCookie(w, r, idTokenJWT, time.Until(idToken.Expiry))
 	// Redirect to home page
 	http.Redirect(w, r, "/", http.StatusFound)
 }
 func (auth *OIDCProvider) LogoutHandler(w http.ResponseWriter, r *http.Request) {
 	oauthToken, _ := r.Cookie(CookieOauthToken)
 	sessionToken, _ := r.Cookie(CookieOauthSessionToken)
 	auth.clearCookie(w, r)
 	if sessionToken != nil {
 		claims, _, err := auth.parseSessionJWT(sessionToken.Value)
 		if err == nil {
 			invalidateOAuthRefreshToken(claims.SessionID)
 		}
 	}
 	url := "/"
 	if auth.endSessionURL != nil && oauthToken != nil {
 		query := auth.endSessionURL.Query()
 		query.Set("id_token_hint", oauthToken.Value)
 		query.Set("post_logout_redirect_uri", "https://"+requestHost(r))
 		clone := *auth.endSessionURL
 		clone.RawQuery = query.Encode()
 		url = clone.String()
 	} else if auth.endSessionURL != nil {
 		url = auth.endSessionURL.String()
 	}
 	http.Redirect(w, r, url, http.StatusFound)
 }
 func (auth *OIDCProvider) setIDTokenCookie(w http.ResponseWriter, r *http.Request, jwt string, ttl time.Duration) {
 	SetTokenCookie(w, r, CookieOauthToken, jwt, ttl)
 }
 func (auth *OIDCProvider) clearCookie(w http.ResponseWriter, r *http.Request) {
 	ClearTokenCookie(w, r, CookieOauthToken)
 	ClearTokenCookie(w, r, CookieOauthSessionToken)
 }
 // handleTestCallback handles OIDC callback in test environment.
 func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
 	state, err := r.Cookie(CookieOauthState)
 	if err != nil {
 		gphttp.BadRequest(w, "missing state cookie")
 		return
 	}
 	if r.URL.Query().Get("state") != state.Value {
 		gphttp.BadRequest(w, "invalid oauth state")
 		return
 	}
 	// Create test JWT token
 	SetTokenCookie(w, r, CookieOauthToken, "test", time.Hour)
 	http.Redirect(w, r, "/", http.StatusFound)
 }
--- a/internal/auth/oidc_test.go
+++ b/internal/auth/oidc_test.go
@ -1,483 +0,0 @@
 package auth
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"time"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/yusing/go-proxy/internal/common"
 	"golang.org/x/oauth2"
 	. "github.com/yusing/go-proxy/internal/utils/testing"
 )
 // setupMockOIDC configures mock OIDC provider for testing.
 func setupMockOIDC(t *testing.T) {
 	t.Helper()
 	provider := (&oidc.ProviderConfig{}).NewProvider(t.Context())
 	defaultAuth = &OIDCProvider{
 		oauthConfig: &oauth2.Config{
 			ClientID:     "test-client",
 			ClientSecret: "test-secret",
 			RedirectURL:  "http://localhost/callback",
 			Endpoint: oauth2.Endpoint{
 				AuthURL:  "http://mock-provider/auth",
 				TokenURL: "http://mock-provider/token",
 			},
 			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 		},
 		endSessionURL: Must(url.Parse("http://mock-provider/logout")),
 		oidcProvider:  provider,
 		oidcVerifier: provider.Verifier(&oidc.Config{
 			ClientID: "test-client",
 		}),
 		allowedUsers:  []string{"test-user"},
 		allowedGroups: []string{"test-group1", "test-group2"},
 	}
 }
 // discoveryDocument returns a mock OIDC discovery document.
 func discoveryDocument(t *testing.T, server *httptest.Server) map[string]any {
 	t.Helper()
 	discovery := map[string]any{
 		"issuer":                 server.URL,
 		"authorization_endpoint": server.URL + "/auth",
 		"token_endpoint":         server.URL + "/token",
 	}
 	return discovery
 }
 const (
 	keyID    = "test-key-id"
 	clientID = "test-client-id"
 )
 type provider struct {
 	ts       *httptest.Server
 	key      *rsa.PrivateKey
 	verifier *oidc.IDTokenVerifier
 }
 func (j *provider) SignClaims(t *testing.T, claims jwt.Claims) string {
 	t.Helper()
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 	token.Header["kid"] = keyID
 	signed, err := token.SignedString(j.key)
 	ExpectNoError(t, err)
 	return signed
 }
 func setupProvider(t *testing.T) *provider {
 	t.Helper()
 	// Generate an RSA key pair for the test.
 	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	ExpectNoError(t, err)
 	// Build the matching public JWK that will be served by the endpoint.
 	jwk := buildRSAJWK(t, &privKey.PublicKey, keyID)
 	// Start a test server that serves the JWKS endpoint.
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/.well-known/jwks.json":
 			_ = json.NewEncoder(w).Encode(map[string]any{
 				"keys": []any{jwk},
 			})
 		default:
 			http.NotFound(w, r)
 		}
 	}))
 	t.Cleanup(ts.Close)
 	// Create a test OIDCProvider.
 	providerCtx := oidc.ClientContext(t.Context(), ts.Client())
 	keySet := oidc.NewRemoteKeySet(providerCtx, ts.URL+"/.well-known/jwks.json")
 	return &provider{
 		ts:  ts,
 		key: privKey,
 		verifier: oidc.NewVerifier(ts.URL, keySet, &oidc.Config{
 			ClientID: clientID, // matches audience in the token
 		}),
 	}
 }
 // buildRSAJWK is a helper to construct a minimal JWK for the JWKS endpoint.
 func buildRSAJWK(t *testing.T, pub *rsa.PublicKey, kid string) map[string]any {
 	t.Helper()
 	nBytes := pub.N.Bytes()
 	eBytes := []byte{0x01, 0x00, 0x01} // Usually 65537
 	return map[string]any{
 		"kty": "RSA",
 		"alg": "RS256",
 		"use": "sig",
 		"kid": kid,
 		"n":   base64.RawURLEncoding.EncodeToString(nBytes),
 		"e":   base64.RawURLEncoding.EncodeToString(eBytes),
 	}
 }
 func cleanup() {
 	defaultAuth = nil
 }
 func TestOIDCLoginHandler(t *testing.T) {
 	// Setup
 	common.APIJWTSecret = []byte("test-secret")
 	t.Cleanup(cleanup)
 	setupMockOIDC(t)
 	tests := []struct {
 		name         string
 		wantStatus   int
 		wantRedirect bool
 	}{
 		{
 			name:         "Success - Redirects to provider",
 			wantStatus:   http.StatusFound,
 			wantRedirect: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			req := httptest.NewRequest(http.MethodGet, OIDCAuthInitPath, nil)
 			w := httptest.NewRecorder()
 			defaultAuth.(*OIDCProvider).HandleAuth(w, req)
 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCLoginHandler() status = %v, want %v", got, tt.wantStatus)
 			}
 			if tt.wantRedirect {
 				if loc := w.Header().Get("Location"); loc == "" {
 					t.Error("OIDCLoginHandler() missing redirect location")
 				}
 				cookie := w.Header().Get("Set-Cookie")
 				if cookie == "" {
 					t.Error("OIDCLoginHandler() missing state cookie")
 				}
 			}
 		})
 	}
 }
 func TestOIDCCallbackHandler(t *testing.T) {
 	// Setup
 	common.APIJWTSecret = []byte("test-secret")
 	t.Cleanup(cleanup)
 	tests := []struct {
 		name       string
 		state      string
 		code       string
 		setupMocks bool
 		wantStatus int
 	}{
 		{
 			name:       "Success - Valid callback",
 			state:      "valid-state",
 			code:       "valid-code",
 			setupMocks: true,
 			wantStatus: http.StatusFound,
 		},
 		{
 			name:       "Failure - Missing state",
 			code:       "valid-code",
 			setupMocks: true,
 			wantStatus: http.StatusBadRequest,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.setupMocks {
 				setupMockOIDC(t)
 			}
 			req := httptest.NewRequest(http.MethodGet, "/auth/callback?code="+tt.code+"&state="+tt.state, nil)
 			if tt.state != "" {
 				req.AddCookie(&http.Cookie{
 					Name:  CookieOauthState,
 					Value: tt.state,
 				})
 			}
 			w := httptest.NewRecorder()
 			defaultAuth.(*OIDCProvider).PostAuthCallbackHandler(w, req)
 			if got := w.Code; got != tt.wantStatus {
 				t.Errorf("OIDCCallbackHandler() status = %v, want %v", got, tt.wantStatus)
 			}
 			if tt.wantStatus == http.StatusTemporaryRedirect {
 				setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
 				ExpectEqual(t, setCookie.Name, CookieOauthToken)
 				ExpectTrue(t, setCookie.Value != "")
 				ExpectEqual(t, setCookie.Path, "/")
 				ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
 				ExpectEqual(t, setCookie.HttpOnly, true)
 			}
 		})
 	}
 }
 func TestInitOIDC(t *testing.T) {
 	setupMockOIDC(t)
 	// Create a test server that serves the discovery document
 	var server *httptest.Server
 	mux := http.NewServeMux()
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		ExpectNoError(t, json.NewEncoder(w).Encode(discoveryDocument(t, server)))
 	})
 	server = httptest.NewServer(mux)
 	t.Cleanup(server.Close)
 	t.Cleanup(cleanup)
 	tests := []struct {
 		name          string
 		issuerURL     string
 		clientID      string
 		clientSecret  string
 		redirectURL   string
 		logoutURL     string
 		allowedUsers  []string
 		allowedGroups []string
 		wantErr       bool
 	}{
 		{
 			name:    "Fail - Empty configuration",
 			wantErr: true,
 		},
 		{
 			name:         "Success - Valid configuration with users",
 			issuerURL:    server.URL,
 			clientID:     "client_id",
 			clientSecret: "client_secret",
 			allowedUsers: []string{"user1", "user2"},
 			wantErr:      false,
 		},
 		{
 			name:          "Success - Valid configuration with groups",
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
 			allowedGroups: []string{"group1", "group2"},
 			wantErr:       false,
 		},
 		{
 			name:          "Success - Valid configuration with users, groups and logout URL",
 			issuerURL:     server.URL,
 			clientID:      "client_id",
 			clientSecret:  "client_secret",
 			logoutURL:     "https://example.com/logout",
 			allowedUsers:  []string{"user1", "user2"},
 			allowedGroups: []string{"group1", "group2"},
 			wantErr:       false,
 		},
 		{
 			name:         "Fail - No allowed users or allowed groups",
 			issuerURL:    "https://example.com",
 			clientID:     "client_id",
 			clientSecret: "client_secret",
 			wantErr:      true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			_, err := NewOIDCProvider(tt.issuerURL, tt.clientID, tt.clientSecret, tt.allowedUsers, tt.allowedGroups)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("InitOIDC() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
 func TestCheckToken(t *testing.T) {
 	provider := setupProvider(t)
 	tests := []struct {
 		name          string
 		allowedUsers  []string
 		allowedGroups []string
 		claims        jwt.Claims
 		wantErr       error
 	}{
 		{
 			name:         "Success - Valid token with allowed user",
 			allowedUsers: []string{"user1"},
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                clientID,
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 		},
 		{
 			name:          "Success - Valid token with allowed group",
 			allowedGroups: []string{"group1"},
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                clientID,
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 		},
 		{
 			name:         "Success - Server omits groups, but user is allowed",
 			allowedUsers: []string{"user1"},
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                clientID,
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 			},
 		},
 		{
 			name:          "Success - Server omits preferred_username, but group is allowed",
 			allowedGroups: []string{"group1"},
 			claims: jwt.MapClaims{
 				"iss":    provider.ts.URL,
 				"aud":    clientID,
 				"exp":    time.Now().Add(time.Hour).Unix(),
 				"groups": []string{"group1"},
 			},
 		},
 		{
 			name:          "Success - Valid token with allowed user and group",
 			allowedUsers:  []string{"user1"},
 			allowedGroups: []string{"group1"},
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                clientID,
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 		},
 		{
 			name:          "Error - User not allowed",
 			allowedUsers:  []string{"user2", "user3"},
 			allowedGroups: []string{"group2", "group3"},
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                clientID,
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 			wantErr: ErrUserNotAllowed,
 		},
 		{
 			name: "Error - Server returns incorrect issuer",
 			claims: jwt.MapClaims{
 				"iss":                "https://example.com",
 				"aud":                clientID,
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns incorrect audience",
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                "some-other-audience",
 				"exp":                time.Now().Add(time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 			wantErr: ErrInvalidOAuthToken,
 		},
 		{
 			name: "Error - Server returns expired token",
 			claims: jwt.MapClaims{
 				"iss":                provider.ts.URL,
 				"aud":                clientID,
 				"exp":                time.Now().Add(-time.Hour).Unix(),
 				"preferred_username": "user1",
 				"groups":             []string{"group1"},
 			},
 			wantErr: ErrInvalidOAuthToken,
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			// Create the Auth Provider.
 			auth := &OIDCProvider{
 				oidcVerifier:  provider.verifier,
 				allowedUsers:  tc.allowedUsers,
 				allowedGroups: tc.allowedGroups,
 			}
 			// Sign the claims to create a token.
 			signedToken := provider.SignClaims(t, tc.claims)
 			// Craft a test HTTP request that includes the token as a cookie.
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
 			req.AddCookie(&http.Cookie{
 				Name:  CookieOauthToken,
 				Value: signedToken,
 			})
 			// Call CheckToken and verify the result.
 			err := auth.CheckToken(req)
 			if tc.wantErr == nil {
 				ExpectNoError(t, err)
 			} else {
 				ExpectError(t, tc.wantErr, err)
 			}
 		})
 	}
 }
 func TestLogoutHandler(t *testing.T) {
 	t.Helper()
 	setupMockOIDC(t)
 	req := httptest.NewRequest(http.MethodGet, OIDCLogoutPath, nil)
 	w := httptest.NewRecorder()
 	req.AddCookie(&http.Cookie{
 		Name:  CookieOauthToken,
 		Value: "test-token",
 	})
 	req.AddCookie(&http.Cookie{
 		Name:  CookieOauthSessionToken,
 		Value: "test-session-token",
 	})
 	defaultAuth.(*OIDCProvider).LogoutHandler(w, req)
 	if got := w.Code; got != http.StatusFound {
 		t.Errorf("LogoutHandler() status = %v, want %v", got, http.StatusFound)
 	}
 	if got := w.Header().Get("Location"); got == "" {
 		t.Error("LogoutHandler() missing redirect location")
 	}
 	if len(w.Header().Values("Set-Cookie")) != 2 {
 		t.Error("LogoutHandler() did not clear all cookies")
 	}
 }
--- a/internal/auth/provider.go
+++ b/internal/auth/provider.go
@ -1,10 +0,0 @@
 package auth
 import "net/http"
 type Provider interface {
 	CheckToken(r *http.Request) error
 	LoginHandler(w http.ResponseWriter, r *http.Request)
 	PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request)
 	LogoutHandler(w http.ResponseWriter, r *http.Request)
 }
--- a/internal/auth/userpass.go
+++ b/internal/auth/userpass.go
@ -1,143 +0,0 @@
 package auth
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/net/gphttp"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 	"golang.org/x/crypto/bcrypt"
 )
 var (
 	ErrInvalidUsername = gperr.New("invalid username")
 	ErrInvalidPassword = gperr.New("invalid password")
 )
 type (
 	UserPassAuth struct {
 		username string
 		pwdHash  []byte
 		secret   []byte
 		tokenTTL time.Duration
 	}
 	UserPassClaims struct {
 		Username string `json:"username"`
 		jwt.RegisteredClaims
 	}
 )
 func NewUserPassAuth(username, password string, secret []byte, tokenTTL time.Duration) (*UserPassAuth, error) {
 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
 		return nil, err
 	}
 	return &UserPassAuth{
 		username: username,
 		pwdHash:  hash,
 		secret:   secret,
 		tokenTTL: tokenTTL,
 	}, nil
 }
 func NewUserPassAuthFromEnv() (*UserPassAuth, error) {
 	return NewUserPassAuth(
 		common.APIUser,
 		common.APIPassword,
 		common.APIJWTSecret,
 		common.APIJWTTokenTTL,
 	)
 }
 func (auth *UserPassAuth) TokenCookieName() string {
 	return "godoxy_token"
 }
 func (auth *UserPassAuth) NewToken() (token string, err error) {
 	claim := &UserPassClaims{
 		Username: auth.username,
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(auth.tokenTTL)),
 		},
 	}
 	tok := jwt.NewWithClaims(jwt.SigningMethodHS512, claim)
 	token, err = tok.SignedString(auth.secret)
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 func (auth *UserPassAuth) CheckToken(r *http.Request) error {
 	jwtCookie, err := r.Cookie(auth.TokenCookieName())
 	if err != nil {
 		return ErrMissingSessionToken
 	}
 	var claims UserPassClaims
 	token, err := jwt.ParseWithClaims(jwtCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
 		}
 		return auth.secret, nil
 	})
 	if err != nil {
 		return err
 	}
 	switch {
 	case !token.Valid:
 		return ErrInvalidSessionToken
 	case claims.Username != auth.username:
 		return ErrUserNotAllowed.Subject(claims.Username)
 	case claims.ExpiresAt.Before(time.Now()):
 		return gperr.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
 	}
 	return nil
 }
 func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	var creds struct {
 		User string `json:"username"`
 		Pass string `json:"password"`
 	}
 	err := json.NewDecoder(r.Body).Decode(&creds)
 	if err != nil {
 		gphttp.Unauthorized(w, "invalid credentials")
 		return
 	}
 	if err := auth.validatePassword(creds.User, creds.Pass); err != nil {
 		gphttp.Unauthorized(w, "invalid credentials")
 		return
 	}
 	token, err := auth.NewToken()
 	if err != nil {
 		gphttp.ServerError(w, r, err)
 		return
 	}
 	SetTokenCookie(w, r, auth.TokenCookieName(), token, auth.tokenTTL)
 	w.WriteHeader(http.StatusOK)
 }
 func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/login", http.StatusFound) // redirects to WebUI login page
 }
 func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {
 	ClearTokenCookie(w, r, auth.TokenCookieName())
 	http.Redirect(w, r, "/", http.StatusFound)
 }
 func (auth *UserPassAuth) validatePassword(user, pass string) error {
 	if user != auth.username {
 		return ErrInvalidUsername.Subject(user)
 	}
 	if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil {
 		return ErrInvalidPassword.With(err).Subject(pass)
 	}
 	return nil
 }
--- a/internal/auth/userpass_test.go
+++ b/internal/auth/userpass_test.go
@ -1,115 +0,0 @@
 package auth
 import (
 	"bytes"
 	"encoding/json"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	. "github.com/yusing/go-proxy/internal/utils/testing"
 	"golang.org/x/crypto/bcrypt"
 )
 func newMockUserPassAuth() *UserPassAuth {
 	return &UserPassAuth{
 		username: "username",
 		pwdHash:  Must(bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)),
 		secret:   []byte("abcdefghijklmnopqrstuvwxyz"),
 		tokenTTL: time.Hour,
 	}
 }
 func TestUserPassValidateCredentials(t *testing.T) {
 	auth := newMockUserPassAuth()
 	err := auth.validatePassword("username", "password")
 	ExpectNoError(t, err)
 	err = auth.validatePassword("username", "wrong-password")
 	ExpectError(t, ErrInvalidPassword, err)
 	err = auth.validatePassword("wrong-username", "password")
 	ExpectError(t, ErrInvalidUsername, err)
 }
 func TestUserPassCheckToken(t *testing.T) {
 	auth := newMockUserPassAuth()
 	token, err := auth.NewToken()
 	ExpectNoError(t, err)
 	tests := []struct {
 		token   string
 		wantErr bool
 	}{
 		{
 			token:   token,
 			wantErr: false,
 		},
 		{
 			token:   "invalid-token",
 			wantErr: true,
 		},
 		{
 			token:   "",
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		req := &http.Request{Header: http.Header{}}
 		if tt.token != "" {
 			req.Header.Set("Cookie", auth.TokenCookieName()+"="+tt.token)
 		}
 		err = auth.CheckToken(req)
 		if tt.wantErr {
 			ExpectTrue(t, err != nil)
 		} else {
 			ExpectNoError(t, err)
 		}
 	}
 }
 func TestUserPassLoginCallbackHandler(t *testing.T) {
 	type cred struct {
 		User string `json:"username"`
 		Pass string `json:"password"`
 	}
 	auth := newMockUserPassAuth()
 	tests := []struct {
 		creds   cred
 		wantErr bool
 	}{
 		{
 			creds: cred{
 				User: "username",
 				Pass: "password",
 			},
 			wantErr: false,
 		},
 		{
 			creds: cred{
 				User: "username",
 				Pass: "wrong-password",
 			},
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		w := httptest.NewRecorder()
 		req := &http.Request{
 			Host: "app.example.com",
 			Body: io.NopCloser(bytes.NewReader(Must(json.Marshal(tt.creds)))),
 		}
 		auth.PostAuthCallbackHandler(w, req)
 		if tt.wantErr {
 			ExpectEqual(t, w.Code, http.StatusUnauthorized)
 		} else {
 			setCookie := Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
 			ExpectTrue(t, setCookie.Name == auth.TokenCookieName())
 			ExpectTrue(t, setCookie.Value != "")
 			ExpectEqual(t, setCookie.Domain, "example.com")
 			ExpectEqual(t, setCookie.Path, "/")
 			ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
 			ExpectEqual(t, setCookie.HttpOnly, true)
 			ExpectEqual(t, w.Code, http.StatusOK)
 		}
 	}
 }
--- a/internal/auth/utils.go
+++ b/internal/auth/utils.go
@ -1,71 +0,0 @@
 package auth
 import (
 	"net/http"
 	"time"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 var (
 	ErrMissingSessionToken = gperr.New("missing session token")
 	ErrInvalidSessionToken = gperr.New("invalid session token")
 	ErrUserNotAllowed      = gperr.New("user not allowed")
 )
 func IsFrontend(r *http.Request) bool {
 	return r.Host == common.APIHTTPAddr
 }
 func requestHost(r *http.Request) string {
 	// check if it's from backend
 	if IsFrontend(r) {
 		return r.Header.Get("X-Forwarded-Host")
 	}
 	return r.Host
 }
 // cookieDomain returns the fully qualified domain name of the request host
 // with subdomain stripped.
 //
 // If the request host does not have a subdomain,
 // an empty string is returned
 //
 //	"abc.example.com" -> ".example.com" (cross subdomain)
 //	"example.com" -> "" (same domain only)
 func cookieDomain(r *http.Request) string {
 	parts := strutils.SplitRune(requestHost(r), '.')
 	if len(parts) < 2 {
 		return ""
 	}
 	parts[0] = ""
 	return strutils.JoinRune(parts, '.')
 }
 func SetTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     name,
 		Value:    value,
 		MaxAge:   int(ttl.Seconds()),
 		Domain:   cookieDomain(r),
 		HttpOnly: true,
 		Secure:   common.APIJWTSecure,
 		SameSite: http.SameSiteLaxMode,
 		Path:     "/",
 	})
 }
 func ClearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     name,
 		Value:    "",
 		MaxAge:   -1,
 		Domain:   cookieDomain(r),
 		HttpOnly: true,
 		Secure:   common.APIJWTSecure,
 		SameSite: http.SameSiteLaxMode,
 		Path:     "/",
 	})
 }
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@ -1,140 +0,0 @@
 package autocert
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"os"
 	"regexp"
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 type Config struct {
 	Email       string         `json:"email,omitempty"`
 	Domains     []string       `json:"domains,omitempty"`
 	CertPath    string         `json:"cert_path,omitempty"`
 	KeyPath     string         `json:"key_path,omitempty"`
 	ACMEKeyPath string         `json:"acme_key_path,omitempty"`
 	Provider    string         `json:"provider,omitempty"`
 	Options     map[string]any `json:"options,omitempty"`
 }
 var (
 	ErrMissingDomain   = gperr.New("missing field 'domains'")
 	ErrMissingEmail    = gperr.New("missing field 'email'")
 	ErrMissingProvider = gperr.New("missing field 'provider'")
 	ErrInvalidDomain   = gperr.New("invalid domain")
 	ErrUnknownProvider = gperr.New("unknown provider")
 )
 const (
 	ProviderLocal  = "local"
 	ProviderPseudo = "pseudo"
 )
 var domainOrWildcardRE = regexp.MustCompile(`^\*?([^.]+\.)+[^.]+$`)
 // Validate implements the utils.CustomValidator interface.
 func (cfg *Config) Validate() gperr.Error {
 	if cfg == nil {
 		return nil
 	}
 	if cfg.Provider == "" {
 		cfg.Provider = ProviderLocal
 		return nil
 	}
 	b := gperr.NewBuilder("autocert errors")
 	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
 		if len(cfg.Domains) == 0 {
 			b.Add(ErrMissingDomain)
 		}
 		if cfg.Email == "" {
 			b.Add(ErrMissingEmail)
 		}
 		for i, d := range cfg.Domains {
 			if !domainOrWildcardRE.MatchString(d) {
 				b.Add(ErrInvalidDomain.Subjectf("domains[%d]", i))
 			}
 		}
 		// check if provider is implemented
 		providerConstructor, ok := Providers[cfg.Provider]
 		if !ok {
 			b.Add(ErrUnknownProvider.
 				Subject(cfg.Provider).
 				With(gperr.DoYouMean(utils.NearestField(cfg.Provider, Providers))))
 		} else {
 			_, err := providerConstructor(cfg.Options)
 			if err != nil {
 				b.Add(err)
 			}
 		}
 	}
 	return b.Error()
 }
 func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 	if err := cfg.Validate(); err != nil {
 		return nil, nil, err
 	}
 	if cfg.CertPath == "" {
 		cfg.CertPath = CertFileDefault
 	}
 	if cfg.KeyPath == "" {
 		cfg.KeyPath = KeyFileDefault
 	}
 	if cfg.ACMEKeyPath == "" {
 		cfg.ACMEKeyPath = ACMEKeyFileDefault
 	}
 	var privKey *ecdsa.PrivateKey
 	var err error
 	if cfg.Provider != ProviderLocal && cfg.Provider != ProviderPseudo {
 		if privKey, err = cfg.LoadACMEKey(); err != nil {
 			logging.Info().Err(err).Msg("load ACME private key failed")
 			logging.Info().Msg("generate new ACME private key")
 			privKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			if err != nil {
 				return nil, nil, gperr.New("generate ACME private key").With(err)
 			}
 			if err = cfg.SaveACMEKey(privKey); err != nil {
 				return nil, nil, gperr.New("save ACME private key").With(err)
 			}
 		}
 	}
 	user := &User{
 		Email: cfg.Email,
 		Key:   privKey,
 	}
 	legoCfg := lego.NewConfig(user)
 	legoCfg.Certificate.KeyType = certcrypto.RSA2048
 	return user, legoCfg, nil
 }
 func (cfg *Config) LoadACMEKey() (*ecdsa.PrivateKey, error) {
 	data, err := os.ReadFile(cfg.ACMEKeyPath)
 	if err != nil {
 		return nil, err
 	}
 	return x509.ParseECPrivateKey(data)
 }
 func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
 	data, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		return err
 	}
 	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
 }
--- a/internal/autocert/paths.go
+++ b/internal/autocert/paths.go
@ -1,8 +0,0 @@
 package autocert
 const (
 	certBasePath       = "certs/"
 	CertFileDefault    = certBasePath + "cert.crt"
 	KeyFileDefault     = certBasePath + "priv.key"
 	ACMEKeyFileDefault = certBasePath + "acme.key"
 )
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@ -1,338 +0,0 @@
 package autocert
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"os"
 	"path"
 	"reflect"
 	"sort"
 	"time"
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
 	"github.com/rs/zerolog"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/notif"
 	"github.com/yusing/go-proxy/internal/task"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 type (
 	Provider struct {
 		cfg     *Config
 		user    *User
 		legoCfg *lego.Config
 		client  *lego.Client
 		legoCert     *certificate.Resource
 		tlsCert      *tls.Certificate
 		certExpiries CertExpiries
 	}
 	CertExpiries map[string]time.Time
 )
 var ErrGetCertFailure = errors.New("get certificate failed")
 func NewProvider(cfg *Config, user *User, legoCfg *lego.Config) *Provider {
 	return &Provider{
 		cfg:     cfg,
 		user:    user,
 		legoCfg: legoCfg,
 	}
 }
 func (p *Provider) GetCert(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if p.tlsCert == nil {
 		return nil, ErrGetCertFailure
 	}
 	return p.tlsCert, nil
 }
 func (p *Provider) GetName() string {
 	return p.cfg.Provider
 }
 func (p *Provider) GetCertPath() string {
 	return p.cfg.CertPath
 }
 func (p *Provider) GetKeyPath() string {
 	return p.cfg.KeyPath
 }
 func (p *Provider) GetExpiries() CertExpiries {
 	return p.certExpiries
 }
 func (p *Provider) ObtainCert() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}
 	if p.cfg.Provider == ProviderPseudo {
 		t := time.NewTicker(1000 * time.Millisecond)
 		defer t.Stop()
 		logging.Info().Msg("init client for pseudo provider")
 		<-t.C
 		logging.Info().Msg("registering acme for pseudo provider")
 		<-t.C
 		logging.Info().Msg("obtained cert for pseudo provider")
 		return nil
 	}
 	if p.client == nil {
 		if err := p.initClient(); err != nil {
 			return err
 		}
 	}
 	if p.user.Registration == nil {
 		if err := p.registerACME(); err != nil {
 			return err
 		}
 	}
 	var cert *certificate.Resource
 	var err error
 	if p.legoCert != nil {
 		cert, err = p.client.Certificate.RenewWithOptions(*p.legoCert, &certificate.RenewOptions{
 			Bundle: true,
 		})
 		if err != nil {
 			p.legoCert = nil
 			logging.Err(err).Msg("cert renew failed, fallback to obtain")
 		} else {
 			p.legoCert = cert
 		}
 	}
 	if cert == nil {
 		cert, err = p.client.Certificate.Obtain(certificate.ObtainRequest{
 			Domains: p.cfg.Domains,
 			Bundle:  true,
 		})
 		if err != nil {
 			return err
 		}
 	}
 	if err = p.saveCert(cert); err != nil {
 		return err
 	}
 	tlsCert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
 	if err != nil {
 		return err
 	}
 	expiries, err := getCertExpiries(&tlsCert)
 	if err != nil {
 		return err
 	}
 	p.tlsCert = &tlsCert
 	p.certExpiries = expiries
 	return nil
 }
 func (p *Provider) LoadCert() error {
 	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
 	if err != nil {
 		return fmt.Errorf("load SSL certificate: %w", err)
 	}
 	expiries, err := getCertExpiries(&cert)
 	if err != nil {
 		return fmt.Errorf("parse SSL certificate: %w", err)
 	}
 	p.tlsCert = &cert
 	p.certExpiries = expiries
 	logging.Info().Msgf("next renewal in %v", strutils.FormatDuration(time.Until(p.ShouldRenewOn())))
 	return p.renewIfNeeded()
 }
 // ShouldRenewOn returns the time at which the certificate should be renewed.
 func (p *Provider) ShouldRenewOn() time.Time {
 	for _, expiry := range p.certExpiries {
 		return expiry.AddDate(0, -1, 0) // 1 month before
 	}
 	// this line should never be reached
 	panic("no certificate available")
 }
 func (p *Provider) ScheduleRenewal(parent task.Parent) {
 	if p.GetName() == ProviderLocal || p.GetName() == ProviderPseudo {
 		return
 	}
 	go func() {
 		lastErrOn := time.Time{}
 		renewalTime := p.ShouldRenewOn()
 		timer := time.NewTimer(time.Until(renewalTime))
 		defer timer.Stop()
 		task := parent.Subtask("cert-renew-scheduler")
 		defer task.Finish(nil)
 		for {
 			select {
 			case <-task.Context().Done():
 				return
 			case <-timer.C:
 				// Retry after 1 hour on failure
 				if !lastErrOn.IsZero() && time.Now().Before(lastErrOn.Add(time.Hour)) {
 					continue
 				}
 				if err := p.renewIfNeeded(); err != nil {
 					gperr.LogWarn("cert renew failed", err)
 					lastErrOn = time.Now()
 					notif.Notify(&notif.LogMessage{
 						Level: zerolog.ErrorLevel,
 						Title: "SSL certificate renewal failed",
 						Body:  notif.MessageBody(err.Error()),
 					})
 					continue
 				}
 				notif.Notify(&notif.LogMessage{
 					Level: zerolog.InfoLevel,
 					Title: "SSL certificate renewed",
 					Body:  notif.ListBody(p.cfg.Domains),
 				})
 				// Reset on success
 				lastErrOn = time.Time{}
 				renewalTime = p.ShouldRenewOn()
 				timer.Reset(time.Until(renewalTime))
 			}
 		}
 	}()
 }
 func (p *Provider) initClient() error {
 	legoClient, err := lego.NewClient(p.legoCfg)
 	if err != nil {
 		return err
 	}
 	generator := Providers[p.cfg.Provider]
 	legoProvider, pErr := generator(p.cfg.Options)
 	if pErr != nil {
 		return pErr
 	}
 	err = legoClient.Challenge.SetDNS01Provider(legoProvider)
 	if err != nil {
 		return err
 	}
 	p.client = legoClient
 	return nil
 }
 func (p *Provider) registerACME() error {
 	if p.user.Registration != nil {
 		return nil
 	}
 	if reg, err := p.client.Registration.ResolveAccountByKey(); err == nil {
 		p.user.Registration = reg
 		logging.Info().Msg("reused acme registration from private key")
 		return nil
 	}
 	reg, err := p.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 	if err != nil {
 		return err
 	}
 	p.user.Registration = reg
 	logging.Info().Interface("reg", reg).Msg("acme registered")
 	return nil
 }
 func (p *Provider) saveCert(cert *certificate.Resource) error {
 	/* This should have been done in setup
 	but double check is always a good choice.*/
 	_, err := os.Stat(path.Dir(p.cfg.CertPath))
 	if err != nil {
 		if os.IsNotExist(err) {
 			if err = os.MkdirAll(path.Dir(p.cfg.CertPath), 0o755); err != nil {
 				return err
 			}
 		} else {
 			return err
 		}
 	}
 	err = os.WriteFile(p.cfg.KeyPath, cert.PrivateKey, 0o600) // -rw-------
 	if err != nil {
 		return err
 	}
 	err = os.WriteFile(p.cfg.CertPath, cert.Certificate, 0o644) // -rw-r--r--
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (p *Provider) certState() CertState {
 	if time.Now().After(p.ShouldRenewOn()) {
 		return CertStateExpired
 	}
 	certDomains := make([]string, len(p.certExpiries))
 	wantedDomains := make([]string, len(p.cfg.Domains))
 	i := 0
 	for domain := range p.certExpiries {
 		certDomains[i] = domain
 		i++
 	}
 	copy(wantedDomains, p.cfg.Domains)
 	sort.Strings(wantedDomains)
 	sort.Strings(certDomains)
 	if !reflect.DeepEqual(certDomains, wantedDomains) {
 		logging.Info().Msgf("cert domains mismatch: %v != %v", certDomains, p.cfg.Domains)
 		return CertStateMismatch
 	}
 	return CertStateValid
 }
 func (p *Provider) renewIfNeeded() error {
 	if p.cfg.Provider == ProviderLocal {
 		return nil
 	}
 	switch p.certState() {
 	case CertStateExpired:
 		logging.Info().Msg("certs expired, renewing")
 	case CertStateMismatch:
 		logging.Info().Msg("cert domains mismatch with config, renewing")
 	default:
 		return nil
 	}
 	return p.ObtainCert()
 }
 func getCertExpiries(cert *tls.Certificate) (CertExpiries, error) {
 	r := make(CertExpiries, len(cert.Certificate))
 	for _, cert := range cert.Certificate {
 		x509Cert, err := x509.ParseCertificate(cert)
 		if err != nil {
 			return nil, err
 		}
 		if x509Cert.IsCA {
 			continue
 		}
 		r[x509Cert.Subject.CommonName] = x509Cert.NotAfter
 		for i := range x509Cert.DNSNames {
 			r[x509Cert.DNSNames[i]] = x509Cert.NotAfter
 		}
 	}
 	return r, nil
 }
--- a/internal/autocert/provider_test/ovh_test.go
+++ b/internal/autocert/provider_test/ovh_test.go
@ -1,50 +0,0 @@
 package provider_test
 import (
 	"testing"
 	"github.com/go-acme/lego/v4/providers/dns/ovh"
 	"github.com/goccy/go-yaml"
 	"github.com/stretchr/testify/require"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 // type Config struct {
 // 	APIEndpoint string
 // 	ApplicationKey    string
 // 	ApplicationSecret string
 // 	ConsumerKey       string
 // 	OAuth2Config *OAuth2Config
 // 	PropagationTimeout time.Duration
 // 	PollingInterval    time.Duration
 // 	TTL                int
 // 	HTTPClient         *http.Client
 // }
 func TestOVH(t *testing.T) {
 	cfg := &ovh.Config{}
 	testYaml := `
 api_endpoint: https://eu.api.ovh.com
 application_key: <application_key>
 application_secret: <application_secret>
 consumer_key: <consumer_key>
 oauth2_config:
  client_id: <client_id>
  client_secret: <client_secret>
 `
 	cfgExpected := &ovh.Config{
 		APIEndpoint:       "https://eu.api.ovh.com",
 		ApplicationKey:    "<application_key>",
 		ApplicationSecret: "<application_secret>",
 		ConsumerKey:       "<consumer_key>",
 		OAuth2Config:      &ovh.OAuth2Config{ClientID: "<client_id>", ClientSecret: "<client_secret>"},
 	}
 	testYaml = testYaml[1:] // remove first \n
 	opt := make(map[string]any)
 	require.NoError(t, yaml.Unmarshal([]byte(testYaml), &opt))
 	require.NoError(t, utils.MapUnmarshalValidate(opt, cfg))
 	require.Equal(t, cfgExpected, cfg)
 }
--- a/internal/autocert/providers.go
+++ b/internal/autocert/providers.go
@ -1,26 +0,0 @@
 package autocert
 import (
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/yusing/go-proxy/internal/gperr"
 	"github.com/yusing/go-proxy/internal/utils"
 )
 type Generator func(map[string]any) (challenge.Provider, gperr.Error)
 var Providers = make(map[string]Generator)
 func DNSProvider[CT any, PT challenge.Provider](
 	defaultCfg func() *CT,
 	newProvider func(*CT) (PT, error),
 ) Generator {
 	return func(opt map[string]any) (challenge.Provider, gperr.Error) {
 		cfg := defaultCfg()
 		err := utils.MapUnmarshalValidate(opt, &cfg)
 		if err != nil {
 			return nil, err
 		}
 		p, pErr := newProvider(cfg)
 		return p, gperr.Wrap(pErr)
 	}
 }
--- a/internal/autocert/setup.go
+++ b/internal/autocert/setup.go
@ -1,28 +0,0 @@
 package autocert
 import (
 	"errors"
 	"os"
 	"github.com/yusing/go-proxy/internal/logging"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )
 func (p *Provider) Setup() (err error) {
 	if err = p.LoadCert(); err != nil {
 		if !errors.Is(err, os.ErrNotExist) { // ignore if cert doesn't exist
 			return err
 		}
 		logging.Debug().Msg("obtaining cert due to error loading cert")
 		if err = p.ObtainCert(); err != nil {
 			return err
 		}
 	}
 	for _, expiry := range p.GetExpiries() {
 		logging.Info().Msg("certificate expire on " + strutils.FormatTime(expiry))
 		break
 	}
 	return nil
 }
--- a/internal/autocert/state.go
+++ b/internal/autocert/state.go
@ -1,9 +0,0 @@
 package autocert
 type CertState int
 const (
 	CertStateValid CertState = iota
 	CertStateExpired
 	CertStateMismatch
 )
--- a/internal/autocert/types/provider.go
+++ b/internal/autocert/types/provider.go
@ -1,14 +0,0 @@
 package autocert
 import (
 	"crypto/tls"
 	"github.com/yusing/go-proxy/internal/task"
 )
 type Provider interface {
 	Setup() error
 	GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
 	ScheduleRenewal(task.Parent)
 	ObtainCert() error
 }
--- a/Show more
+++ b/Show more