feat: add pingora-proxy-manager/

src/pingora-proxy-manager/.env.example

@@ -0,0 +1,33 @@
+# Pingora Proxy Manager Configuration
+# https://github.com/DDULDDUCK/pingora-proxy-manager
+
+# Image version (default: v1.0.3)
+# Available tags: latest, slim, amd64-slim, v1.0.3
+PINGORA_VERSION=v1.0.3
+
+# Timezone setting (default: UTC)
+TZ=UTC
+
+# JWT secret for authentication (CHANGE THIS IN PRODUCTION!)
+# Used for API authentication and session management
+PINGORA_JWT_SECRET=changeme_in_production_please
+
+# Log level (trace, debug, info, warn, error)
+PINGORA_LOG_LEVEL=info
+
+# Port overrides
+# HTTP proxy port (container listens on 8080)
+PINGORA_HTTP_PORT_OVERRIDE=80
+# Dashboard/API port (container listens on 81)
+PINGORA_DASHBOARD_PORT_OVERRIDE=81
+# HTTPS proxy port (container listens on 443)
+PINGORA_HTTPS_PORT_OVERRIDE=443
+
+# Resource limits
+PINGORA_CPU_LIMIT=2.00
+PINGORA_MEMORY_LIMIT=512M
+PINGORA_CPU_RESERVATION=0.50
+PINGORA_MEMORY_RESERVATION=256M
+
+# Optional: Global registry prefix (e.g., registry.example.com/)
+# GLOBAL_REGISTRY=

src/pingora-proxy-manager/README.md

@@ -0,0 +1,82 @@
+# Pingora Proxy Manager
+
+A high-performance, zero-downtime reverse proxy manager built on Cloudflare's [Pingora](https://github.com/cloudflare/pingora). Simple, Modern, and Fast.
+
+## Features
+
+- **⚡️ High Performance**: Built on Rust & Pingora, capable of handling high traffic with low latency
+- **🔄 Zero-Downtime Configuration**: Dynamic reconfiguration without restarting the process
+- **🔒 SSL/TLS Automation**:
+  - HTTP-01 challenge for single domains
+  - DNS-01 challenge for wildcard certificates (`*.example.com`) via Cloudflare, AWS Route53, etc.
+- **🌐 Proxy Hosts**: Easy management of virtual hosts, locations, and path rewriting
+- **📡 Streams (L4)**: TCP and UDP forwarding for databases, game servers, etc.
+- **🛡️ Access Control**: IP whitelisting/blacklisting and Basic Authentication support
+- **🎨 Modern Dashboard**: Clean and responsive UI built with React, Tailwind CSS, and shadcn/ui
+- **🐳 Docker Ready**: Single container deployment for easy setup and maintenance
+
+## Quick Start
+
+```bash
+docker compose up -d
+```
+
+Access the dashboard at `http://localhost:81`.
+
+**Default Credentials:**
+
+- Username: `admin`
+- Password: `changeme` (Please change this immediately!)
+
+## Ports
+
+| Port                         | Description   |
+| ---------------------------- | ------------- |
+| 80 (host) → 8080 (container) | HTTP Proxy    |
+| 81 (host) → 81 (container)   | Dashboard/API |
+| 443 (host) → 443 (container) | HTTPS Proxy   |
+
+## Environment Variables
+
+| Variable                          | Default                         | Description                                              |
+| --------------------------------- | ------------------------------- | -------------------------------------------------------- |
+| `PINGORA_VERSION`                 | `latest`                        | Docker image version                                     |
+| `TZ`                              | `UTC`                           | Timezone                                                 |
+| `PINGORA_JWT_SECRET`              | `changeme_in_production_please` | JWT secret for authentication (**change in production**) |
+| `PINGORA_LOG_LEVEL`               | `info`                          | Log level (trace, debug, info, warn, error)              |
+| `PINGORA_HTTP_PORT_OVERRIDE`      | `80`                            | Host port for HTTP proxy                                 |
+| `PINGORA_DASHBOARD_PORT_OVERRIDE` | `81`                            | Host port for Dashboard/API                              |
+| `PINGORA_HTTPS_PORT_OVERRIDE`     | `443`                           | Host port for HTTPS proxy                                |
+
+## Volumes
+
+| Volume         | Path               | Description                      |
+| -------------- | ------------------ | -------------------------------- |
+| `pingora_data` | `/app/data`        | SQLite database and certificates |
+| `pingora_logs` | `/app/logs`        | Application logs                 |
+| `letsencrypt`  | `/etc/letsencrypt` | Let's Encrypt certificates       |
+
+## Architecture
+
+- **Data Plane (8080/443)**: Pingora handles all traffic with high efficiency
+- **Control Plane (81)**: Axum serves the API and Dashboard
+- **SSL Management**: Integrated Certbot for robust ACME handling
+- **State Management**: ArcSwap for lock-free configuration reads
+- **Database**: SQLite for persistent storage of hosts and certificates
+
+## Security Notes
+
+- **Always change the default credentials** immediately after deployment
+- **Set a strong `JWT_SECRET`** in production environments
+- The container runs with minimal capabilities (`NET_BIND_SERVICE` only)
+- Read-only root filesystem enabled for enhanced security
+
+## References
+
+- [Pingora Proxy Manager GitHub](https://github.com/DDULDDUCK/pingora-proxy-manager)
+- [Cloudflare Pingora](https://github.com/cloudflare/pingora)
+- [Docker Hub](https://hub.docker.com/r/dduldduck/pingora-proxy-manager)
+
+## License
+
+MIT License - see the [upstream project](https://github.com/DDULDDUCK/pingora-proxy-manager/blob/master/LICENSE) for details.

src/pingora-proxy-manager/README.zh.md

@@ -0,0 +1,82 @@
+# Pingora Proxy Manager
+
+基于 Cloudflare [Pingora](https://github.com/cloudflare/pingora) 构建的高性能、零停机反向代理管理器。简单、现代、快速。
+
+## 特性
+
+- **⚡️ 高性能**：基于 Rust 和 Pingora 构建，能够以低延迟处理高流量
+- **🔄 零停机配置**：动态重新配置，无需重启进程
+- **🔒 SSL/TLS 自动化**：
+  - HTTP-01 验证用于单个域名
+  - DNS-01 验证用于通配符证书（`*.example.com`），支持 Cloudflare、AWS Route53 等
+- **🌐 代理主机**：轻松管理虚拟主机、位置和路径重写
+- **📡 流（L4）**：TCP 和 UDP 转发，适用于数据库、游戏服务器等
+- **🛡️ 访问控制**：支持 IP 白名单/黑名单和基本认证
+- **🎨 现代化仪表板**：使用 React、Tailwind CSS 和 shadcn/ui 构建的简洁响应式 UI
+- **🐳 Docker 就绪**：单容器部署，易于设置和维护
+
+## 快速开始
+
+```bash
+docker compose up -d
+```
+
+访问仪表板：`http://localhost:81`
+
+**默认凭据：**
+
+- 用户名：`admin`
+- 密码：`changeme`（请立即更改！）
+
+## 端口
+
+| 端口                     | 描述       |
+| ------------------------ | ---------- |
+| 80（主机）→ 8080（容器） | HTTP 代理  |
+| 81（主机）→ 81（容器）   | 仪表板/API |
+| 443（主机）→ 443（容器） | HTTPS 代理 |
+
+## 环境变量
+
+| 变量                              | 默认值                          | 描述                                        |
+| --------------------------------- | ------------------------------- | ------------------------------------------- |
+| `PINGORA_VERSION`                 | `latest`                        | Docker 镜像版本                             |
+| `TZ`                              | `UTC`                           | 时区                                        |
+| `PINGORA_JWT_SECRET`              | `changeme_in_production_please` | 认证用的 JWT 密钥（**生产环境必须更改**）   |
+| `PINGORA_LOG_LEVEL`               | `info`                          | 日志级别（trace、debug、info、warn、error） |
+| `PINGORA_HTTP_PORT_OVERRIDE`      | `80`                            | HTTP 代理的主机端口                         |
+| `PINGORA_DASHBOARD_PORT_OVERRIDE` | `81`                            | 仪表板/API 的主机端口                       |
+| `PINGORA_HTTPS_PORT_OVERRIDE`     | `443`                           | HTTPS 代理的主机端口                        |
+
+## 卷
+
+| 卷             | 路径               | 描述                |
+| -------------- | ------------------ | ------------------- |
+| `pingora_data` | `/app/data`        | SQLite 数据库和证书 |
+| `pingora_logs` | `/app/logs`        | 应用程序日志        |
+| `letsencrypt`  | `/etc/letsencrypt` | Let's Encrypt 证书  |
+
+## 架构
+
+- **数据平面（8080/443）**：Pingora 高效处理所有流量
+- **控制平面（81）**：Axum 提供 API 和仪表板服务
+- **SSL 管理**：集成 Certbot 进行可靠的 ACME 处理
+- **状态管理**：使用 ArcSwap 实现无锁配置读取
+- **数据库**：SQLite 用于持久化存储主机和证书
+
+## 安全注意事项
+
+- 部署后**立即更改默认凭据**
+- 在生产环境中**设置强密码的 `JWT_SECRET`**
+- 容器以最小权限运行（仅 `NET_BIND_SERVICE`）
+- 启用只读根文件系统以增强安全性
+
+## 参考链接
+
+- [Pingora Proxy Manager GitHub](https://github.com/DDULDDUCK/pingora-proxy-manager)
+- [Cloudflare Pingora](https://github.com/cloudflare/pingora)
+- [Docker Hub](https://hub.docker.com/r/dduldduck/pingora-proxy-manager)
+
+## 许可证
+
+MIT 许可证 - 详见[上游项目](https://github.com/DDULDDUCK/pingora-proxy-manager/blob/master/LICENSE)。

src/pingora-proxy-manager/docker-compose.yaml

@@ -0,0 +1,54 @@
+# Pingora Proxy Manager - High-performance reverse proxy built on Cloudflare's Pingora
+# https://github.com/DDULDDUCK/pingora-proxy-manager
+
+x-defaults: &defaults
+  restart: unless-stopped
+  logging:
+    driver: json-file
+    options:
+      max-size: 100m
+      max-file: "3"
+
+services:
+  pingora-proxy-manager:
+    <<: *defaults
+    image: ${GLOBAL_REGISTRY:-}dduldduck/pingora-proxy-manager:${PINGORA_VERSION:-v1.0.3}
+    ports:
+      - "${PINGORA_HTTP_PORT_OVERRIDE:-80}:8080"
+      - "${PINGORA_DASHBOARD_PORT_OVERRIDE:-81}:81"
+      - "${PINGORA_HTTPS_PORT_OVERRIDE:-443}:443"
+    volumes:
+      - pingora_data:/app/data
+      - pingora_logs:/app/logs
+      - letsencrypt:/etc/letsencrypt
+    environment:
+      - TZ=${TZ:-UTC}
+      - JWT_SECRET=${PINGORA_JWT_SECRET:-changeme_in_production_please}
+      - RUST_LOG=${PINGORA_LOG_LEVEL:-info}
+    healthcheck:
+      test: ["CMD", "sh", "-c", "wget -q --spider http://127.0.0.1:81/api/login || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    deploy:
+      resources:
+        limits:
+          cpus: "${PINGORA_CPU_LIMIT:-2.00}"
+          memory: "${PINGORA_MEMORY_LIMIT:-512M}"
+        reservations:
+          cpus: "${PINGORA_CPU_RESERVATION:-0.50}"
+          memory: "${PINGORA_MEMORY_RESERVATION:-256M}"
+    # Security hardening
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+    read_only: true
+    tmpfs:
+      - /tmp:size=64M
+
+volumes:
+  pingora_data:
+  pingora_logs:
+  letsencrypt: