@abtnode/core 1.15.17 → 1.16.0-beta-8ee536d7

package/lib/router/helper.js

@@ -3,63 +3,78 @@
 const fs = require('fs-extra');
 const path = require('path');
 const tar = require('tar');
+const isUrl = require('is-url');
 const get = require('lodash/get');
 const cloneDeep = require('lodash/cloneDeep');
+const isEqual = require('lodash/isEqual');
 const joinUrl = require('url-join');
+const { replaceSlotToIp, findComponentById, findWebInterface } = require('@blocklet/meta/lib/util');
 const { getProvider } = require('@abtnode/router-provider');
 const normalizePathPrefix = require('@abtnode/util/lib/normalize-path-prefix');
-const getTmpDirectory = require('@abtnode/util/lib/get-tmp-directory');
+const getTmpDir = require('@abtnode/util/lib/get-tmp-directory');
 const downloadFile = require('@abtnode/util/lib/download-file');
+const { updateBlockletDocument } = require('@abtnode/util/lib/did-document');
+const getBlockletInfo = require('@blocklet/meta/lib/info');
+const { forEachBlocklet } = require('@blocklet/meta/lib/util');
 const {
   DOMAIN_FOR_DEFAULT_SITE,
   DOMAIN_FOR_IP_SITE_REGEXP,
-  ROUTER_PROVIDER_NONE,
   DOMAIN_FOR_INTERNAL_SITE,
   WELLKNOWN_PATH_PREFIX,
-  WELLKNOWN_AUTH_PATH_PREFIX,
+  WELLKNOWN_SERVICE_PATH_PREFIX,
+  USER_AVATAR_PATH_PREFIX,
   DOMAIN_FOR_IP_SITE,
   NAME_FOR_WELLKNOWN_SITE,
   DEFAULT_HTTP_PORT,
   DEFAULT_HTTPS_PORT,
-  DAY_IN_MS,
-  NODE_MODES,
   ROUTING_RULE_TYPES,
   CERTIFICATE_EXPIRES_OFFSET,
-  CERTIFICATE_EXPIRES_WARNING_OFFSET,
-  DEFAULT_DAEMON_PORT,
   DEFAULT_SERVICE_PATH,
   SLOT_FOR_IP_DNS_SITE,
   BLOCKLET_SITE_GROUP_SUFFIX,
+  WELLKNOWN_ACME_CHALLENGE_PREFIX,
+  WELLKNOWN_DID_RESOLVER_PREFIX,
+  WELLKNOWN_PING_PREFIX,
+  LOG_RETAIN_IN_DAYS,
+  EVENTS,
 } = require('@abtnode/constant');
 const {
   BLOCKLET_DYNAMIC_PATH_PREFIX,
   BLOCKLET_INTERFACE_TYPE_WEB,
+  BLOCKLET_INTERFACE_PUBLIC,
   BLOCKLET_INTERFACE_WELLKNOWN,
   BLOCKLET_INTERFACE_TYPE_WELLKNOWN,
-} = require('@blocklet/meta/lib/constants');
+  BLOCKLET_CONFIGURABLE_KEY,
+  BlockletEvents,
+  BLOCKLET_MODES,
+} = require('@blocklet/constant');
 
 // eslint-disable-next-line global-require
 const logger = require('@abtnode/logger')(`${require('../../package.json').name}:router:helper`);
 const {
   getProviderFromNodeInfo,
-  trimSlash,
-  getInterfaceUrl,
-  getBlockletHost,
   getHttpsCertInfo,
   findInterfacePortByName,
   getWellknownSitePort,
+  getServerDidDomain,
+  isGatewayCacheEnabled,
 } = require('../util');
-const { getServicesFromBlockletInterface } = require('../util/service');
-const getIpDnsDomainForBlocklet = require('../util/get-ip-dns-domain-for-blocklet');
+const { getIpDnsDomainForBlocklet, getDidDomainForBlocklet } = require('../util/get-domain-for-blocklet');
 const { getFromCache: getAccessibleExternalNodeIp } = require('../util/get-accessible-external-node-ip');
 
 const Router = require('./index');
 const states = require('../states');
+const { getBlockletDomainGroupName, getDidFromDomainGroupName } = require('../util/router');
+const { getBlockletKnownAs } = require('../util/blocklet');
 
 /**
  * replace 888-888-888-888 with accessible ip for domain
  */
 const attachRuntimeDomainAliases = async ({ sites = [], context = {}, node }) => {
+  if (!sites) {
+    return [];
+  }
+
   let ip;
   const ipRegex = /\d+[-.]\d+[-.]\d+[-.]\d+/;
   const match = ipRegex.exec(context.hostname);
@@ -79,7 +94,7 @@ const attachRuntimeDomainAliases = async ({ sites = [], context = {}, node }) =>
         return domain;
       }
       if (domain.value.includes(SLOT_FOR_IP_DNS_SITE) && ip) {
-        domain.value = domain.value.replace(SLOT_FOR_IP_DNS_SITE, ip.replace(/\./g, '-'));
+        domain.value = replaceSlotToIp(domain.value, ip);
       }
       return domain;
     });
@@ -96,89 +111,6 @@ const attachRuntimeDomainAliases = async ({ sites = [], context = {}, node }) =>
   });
 };
 
-const attachInterfaceUrls = async ({ sites = [], context, node }) => {
-  if (!sites) {
-    return [];
-  }
-
-  attachRuntimeDomainAliases({ sites, context, node });
-
-  const getUrl = (rule, domain = '') => {
-    const host = getBlockletHost({ domain, context });
-    const prefix = trimSlash(rule.from.pathPrefix);
-    if (prefix) {
-      return `http://${host}/${prefix}/`;
-    }
-
-    return `http://${host}/`;
-  };
-
-  const blocklets = await states.blocklet.getBlocklets();
-  const getInterfaces = (site) =>
-    (site.rules || []).map((tmpRule) => {
-      const rule = { ...tmpRule };
-
-      const ruleId = tmpRule.id;
-      const baseUrl = getUrl(rule, site.domain);
-
-      const interfaces = [];
-      if (rule.to.type === ROUTING_RULE_TYPES.BLOCKLET) {
-        const blocklet = blocklets.find((b) => b.meta.did === rule.to.did);
-
-        if (!blocklet) {
-          logger.warn(`can not attach interface urls for non-existing blocklet ${rule.to.did}`);
-          rule.interfaces = interfaces;
-          return rule;
-        }
-
-        if (!getBlockletHost({ domain: site.domain, context })) {
-          logger.warn('blocklet host does not exist');
-          rule.interfaces = interfaces;
-          return rule;
-        }
-
-        (blocklet.meta.interfaces || []).forEach((x) => {
-          if (x.port && !x.port.external) {
-            interfaces.push({
-              ruleId,
-              type: x.type,
-              name: x.name,
-              url: getInterfaceUrl({ baseUrl, url: '/', version: blocklet.meta.version }),
-            });
-          }
-        });
-      } else if (rule.to.type === ROUTING_RULE_TYPES.REDIRECT || rule.to.type === ROUTING_RULE_TYPES.NONE) {
-        interfaces.push({
-          ruleId,
-          type: 'web',
-          name: ROUTING_RULE_TYPES.REDIRECT,
-          url: baseUrl,
-        });
-      } else {
-        interfaces.push({
-          ruleId,
-          type: 'web',
-          name: 'default',
-          url: getUrl(rule),
-        });
-      }
-
-      rule.interfaces = interfaces;
-      return rule;
-    });
-
-  if (!Array.isArray(sites)) {
-    sites.rules = getInterfaces(sites);
-    return sites;
-  }
-
-  return sites.map((site) => {
-    site.rules = getInterfaces(site);
-
-    return site;
-  });
-};
-
 const addCorsToSite = (site, rawUrl) => {
   if (!site || !rawUrl) {
     return;
@@ -193,7 +125,7 @@ const addCorsToSite = (site, rawUrl) => {
       site.corsAllowedOrigins.push(url.hostname);
     }
   } catch (err) {
-    // Do nothing
+    console.error('addCorsToSite', err);
   }
 };
 
@@ -222,6 +154,19 @@ const ensureServiceRule = async (sites) => {
     return site;
   });
 };
+const ensureRootRule = async (sites) => {
+  return sites.map((site) => {
+    if (!isBasicSite(site.domain) && !site.rules.some((x) => x.from.pathPrefix === '/')) {
+      site.rules.push({
+        from: { pathPrefix: '/' },
+        to: {
+          type: ROUTING_RULE_TYPES.NONE,
+        },
+      });
+    }
+    return site;
+  });
+};
 
 const ensureLatestNodeInfo = async (sites = [], { withDefaultCors = true } = {}) => {
   const info = await states.node.read();
@@ -243,6 +188,9 @@ const ensureLatestNodeInfo = async (sites = [], { withDefaultCors = true } = {})
       site.domain = DOMAIN_FOR_IP_SITE_REGEXP;
 
       if (withDefaultCors) {
+        // Allow CORS from "Install on ABT Node"
+        addCorsToSite(site, info.registerUrl);
+
         // Allow CORS from "Web Wallet"
         addCorsToSite(site, info.webWalletUrl);
       }
@@ -256,6 +204,7 @@ const ensureLatestNodeInfo = async (sites = [], { withDefaultCors = true } = {})
  * set rule.to.target by interface.path and interface.prefix
  */
 const ensureLatestInterfaceInfo = async (sites = []) => {
+  // FIXME @linchen groupAllInterfaces() may have performance issue
   const interfaces = await states.blocklet.groupAllInterfaces();
   return sites.map((site) => {
     if (!Array.isArray(site.rules)) {
@@ -263,16 +212,22 @@ const ensureLatestInterfaceInfo = async (sites = []) => {
     }
 
     site.rules = site.rules.map((rule) => {
-      // If a rule already has a target and target is WELLKNOWN_AUTH_PATH_PREFIX, just return
+      if (rule.dynamic) {
+        return rule;
+      }
+      // If a rule already has a target and target is WELLKNOWN_SERVICE_PATH_PREFIX, just return
       // Indicates that the rule id generated by the system for auth service
-      if (rule.isProtected && rule.to.target === WELLKNOWN_AUTH_PATH_PREFIX) {
+      if (rule.isProtected && rule.to.target === WELLKNOWN_SERVICE_PATH_PREFIX) {
+        return rule;
+      }
+      if (rule.isProtected && rule.to.target === joinUrl(WELLKNOWN_SERVICE_PATH_PREFIX, USER_AVATAR_PATH_PREFIX)) {
         return rule;
       }
 
-      const { did, interfaceName } = rule.to;
-      if (interfaces[did] && interfaces[did][interfaceName]) {
+      const { componentId, interfaceName } = rule.to;
+      if (interfaces[componentId] && interfaces[componentId][interfaceName]) {
         // eslint-disable-next-line no-shadow
-        const { path, prefix } = interfaces[did][interfaceName];
+        const { path, prefix } = interfaces[componentId][interfaceName];
         if (prefix === BLOCKLET_DYNAMIC_PATH_PREFIX) {
           rule.to.target = path;
         } else {
@@ -294,8 +249,8 @@ const ensureWellknownRule = async (sites) => {
   for (const site of tempSites) {
     // 不向 default site & ip site & wellknown site 添加 wellknown rule
     if (![DOMAIN_FOR_INTERNAL_SITE, DOMAIN_FOR_IP_SITE, DOMAIN_FOR_DEFAULT_SITE].includes(site.domain)) {
+      // add /.well-known for blocklet
       const isExists = site.rules.find((x) => x.from.pathPrefix === WELLKNOWN_PATH_PREFIX);
-
       if (!isExists) {
         site.rules.push({
           from: { pathPrefix: WELLKNOWN_PATH_PREFIX },
@@ -308,40 +263,72 @@ const ensureWellknownRule = async (sites) => {
         });
       }
 
-      // add /.well-known/auth for blocklet
-      const rules = cloneDeep(site.rules);
-      rules.forEach((rule) => {
-        if (
-          rule.to.type !== ROUTING_RULE_TYPES.BLOCKLET || // is not blocklet
-          rule.to.did !== rule.to.realDid // is a component endpoint
-        ) {
-          return;
-        }
+      // add /.well-known/service for blocklet
+      const blockletRules = site.rules
+        .filter((x) => x.to.type === ROUTING_RULE_TYPES.BLOCKLET)
+        // 可能存在挂载的 blocklet 不是自己, 是其他 blocklet
+        // 这里默认 pathPrefix 最短的是自己 ( 通常自己在 /, 其他 blocklet 在 /xxxx )
+        // 挂载其他 blocklet 的使用方式不推荐, 将来可能会被废弃
+        .sort((a, b) => (a.from.pathPrefix.length > b.from.pathPrefix.length ? 1 : -1));
+      if (blockletRules.length) {
+        // get pathPrefix for blocklet-service
+        const rootBlockletRule = blockletRules.find((x) => x.to.did === x.to.componentId);
+
+        const servicePathPrefix = joinUrl(
+          // rootBlockletRule?.from?.pathPrefix is for backwards compatibility
+          // rootBlockletRule?.from?.groupPathPrefix 在旧的场景中可能不为 '/' (blocklet 只能挂载在 relative prefix 下)
+          rootBlockletRule?.from?.groupPathPrefix || rootBlockletRule?.from?.pathPrefix || '/',
+          WELLKNOWN_SERVICE_PATH_PREFIX
+        );
 
-        // already exists
-        if (rule.from.pathPrefix.endsWith(WELLKNOWN_AUTH_PATH_PREFIX)) {
-          return;
+        // requests for /.well-known/service will stay in blocklet-service and never proxy back to blocklet
+        // so any rule is ok to be cloned
+        if (!site.rules.some((x) => x.from.pathPrefix === servicePathPrefix)) {
+          const rule = cloneDeep(rootBlockletRule || blockletRules[0]);
+          rule.from.pathPrefix = servicePathPrefix;
+          rule.to.target = servicePathPrefix;
+          rule.isProtected = true;
+          rule.dynamic = true; // mark as dynamic to avoid redundant generated rules
+          site.rules.push(rule);
         }
 
-        const pathPrefix = joinUrl(rule.from.pathPrefix, WELLKNOWN_AUTH_PATH_PREFIX);
-
-        // already exists
-        if (site.rules.some((x) => x.from.pathPrefix === pathPrefix)) {
-          return;
+        // Cache user avatar in nginx
+        const avatarPathPrefix = joinUrl(servicePathPrefix, USER_AVATAR_PATH_PREFIX);
+        if (!site.rules.some((x) => x.from.pathPrefix === avatarPathPrefix)) {
+          const rule = cloneDeep(rootBlockletRule || blockletRules[0]);
+          rule.from.pathPrefix = avatarPathPrefix;
+          rule.to.cacheGroup = 'blockletProxy';
+          rule.to.target = avatarPathPrefix;
+          rule.isProtected = true;
+          rule.dynamic = true; // mark as dynamic to avoid redundant generated rules
+          site.rules.push(rule);
         }
-
-        rule.from.pathPrefix = pathPrefix;
-        // let service gateway keep WELLKNOWN_AUTH_PATH_PREFIX prefix
-        rule.to.target = WELLKNOWN_AUTH_PATH_PREFIX;
-        rule.isProtected = true;
-        site.rules.push(rule);
-      });
+      }
     }
   }
 
   return tempSites;
 };
 
+const ensureBlockletDid = async (sites) => {
+  const info = await states.node.read();
+
+  return (sites || []).map((site) => {
+    if (site.domain === DOMAIN_FOR_INTERNAL_SITE) {
+      return site;
+    }
+
+    if ([DOMAIN_FOR_IP_SITE, DOMAIN_FOR_DEFAULT_SITE, DOMAIN_FOR_IP_SITE_REGEXP].includes(site.domain)) {
+      site.blockletDid = info.did;
+      return site;
+    }
+
+    site.blockletDid = getDidFromDomainGroupName(site.domain);
+
+    return site;
+  });
+};
+
 const ensureCorsForWebWallet = async (sites) => {
   const info = await states.node.read();
   for (const site of sites) {
@@ -353,48 +340,97 @@ const ensureCorsForWebWallet = async (sites) => {
   return sites;
 };
 
-const ensureLatestInfo = async (sites = [], { withDefaultCors = true } = {}) => {
-  let result = await ensureLatestNodeInfo(sites, { withDefaultCors });
-  result = await ensureWellknownRule(result);
-  result = await ensureCorsForWebWallet(result);
-  return ensureLatestInterfaceInfo(result);
+const ensureCorsForDidSpace = async (sites = [], blocklets) => {
+  return sites.map((site) => {
+    const blocklet = blocklets.find((x) => x.meta.did === site.blockletDid);
+    if (blocklet) {
+      const endpoint = blocklet.environments.find(
+        (x) => x.key === BLOCKLET_CONFIGURABLE_KEY.BLOCKLET_APP_SPACE_ENDPOINT
+      );
+      if (endpoint && isUrl(endpoint.value)) {
+        addCorsToSite(site, endpoint.value);
+      }
+    }
+
+    return site;
+  });
 };
 
-const ensureAuthService = async (sites = [], blockletManager) => {
-  const blocklets = await blockletManager.list({ includeRuntimeInfo: false });
-  const blockletMap = blocklets.reduce((o, x) => {
-    o[x.meta.did] = x;
-    return o;
-  }, {});
+const filterSitesForRemovedBlocklets = async (sites = [], blocklets) => {
+  return sites.filter((site) => {
+    if (!site.domain.endsWith(BLOCKLET_SITE_GROUP_SUFFIX)) {
+      return true;
+    }
 
-  sites.forEach((site) => {
-    site.rules.forEach((rule) => {
-      if (rule.to.type !== ROUTING_RULE_TYPES.BLOCKLET || !blockletMap[rule.to.did]) {
-        return;
-      }
+    const blocklet = blocklets.find((x) => x.meta.did === site.blockletDid);
+    return !!blocklet;
+  });
+};
 
-      // find blocklet
-      let blocklet = blockletMap[rule.to.did];
-      if (rule.to.realDid && rule.to.did !== rule.to.realDid) {
-        blocklet = (blocklet.children || []).find((x) => x.meta.did === rule.to.realDid);
-      }
-      if (!blocklet) {
-        return;
+const ensureBlockletCache = async (sites = [], blocklets) => {
+  return sites
+    .map((site) => {
+      if (!site.domain.endsWith(BLOCKLET_SITE_GROUP_SUFFIX)) {
+        return site;
       }
 
-      // find interface
-      // we should only use rule.to.realInterfaceName, rule.to.interfaceName is for backward compatible
-      const interfaceName = rule.to.realInterfaceName || rule.to.interfaceName;
-      const { interfaces } = blocklet.meta;
-      const _interface = interfaces.find((x) => x.type === BLOCKLET_INTERFACE_TYPE_WEB && x.name === interfaceName);
-      if (_interface) {
-        rule.services = rule.services || [];
-        rule.services.unshift(...getServicesFromBlockletInterface(_interface, { logError: logger.error }));
+      if (site.cacheableGenerated) {
+        return site;
       }
-    });
-  });
 
-  return sites;
+      // For each rule, get component, check cacheable, clone and push new rule
+      const blocklet = blocklets.find((x) => x.meta.did === site.blockletDid);
+      const cacheRules = [];
+      site.rules
+        .filter(
+          (x) =>
+            x.to.type === ROUTING_RULE_TYPES.BLOCKLET &&
+            x.to.interfaceName === BLOCKLET_INTERFACE_PUBLIC &&
+            x.from.pathPrefix.startsWith(WELLKNOWN_SERVICE_PATH_PREFIX) === false
+        )
+        .forEach((rule) => {
+          const component = findComponentById(blocklet, rule.to.componentId);
+          if (!component) {
+            return;
+          }
+
+          if (component.mode !== BLOCKLET_MODES.PRODUCTION) {
+            return;
+          }
+          const cacheable = get(findWebInterface(component), 'cacheable', []);
+          cacheable.forEach((cachePrefix) => {
+            const clone = cloneDeep(rule);
+            clone.from.pathPrefix = joinUrl(rule.from.pathPrefix, cachePrefix);
+            clone.to.cacheGroup = 'blockletProxy';
+            clone.to.targetPrefix = cachePrefix;
+            clone.dynamic = true; // mark as dynamic to avoid redundant generated rules
+            cacheRules.push(clone);
+          });
+        });
+
+      site.rules = site.rules.concat(cacheRules);
+      site.mode = blocklet.mode;
+      site.cacheableGenerated = true;
+
+      return site;
+    })
+    .filter(Boolean);
+};
+
+const ensureLatestInfo = async (sites = [], { withDefaultCors = true } = {}) => {
+  const blocklets = await states.blocklet.getBlocklets();
+
+  // CAUTION: following steps are very important, please do not change the order
+  let result = await ensureLatestNodeInfo(sites, { withDefaultCors });
+  result = await ensureBlockletDid(result);
+  result = await filterSitesForRemovedBlocklets(sites, blocklets);
+  result = await ensureBlockletCache(result, blocklets);
+  result = await ensureWellknownRule(result);
+  result = await ensureCorsForWebWallet(result);
+  result = await ensureCorsForDidSpace(result, blocklets);
+  result = await ensureLatestInterfaceInfo(result);
+
+  return result;
 };
 
 const decompressCertificates = async (source, dest) => {
@@ -403,55 +439,29 @@ const decompressCertificates = async (source, dest) => {
   return dest;
 };
 
-module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerManager, blockletManager }) {
+const joinCertDownUrl = (baseUrl, name) => joinUrl(baseUrl, '/certs', name);
+
+const getIpEchoCertDownloadUrl = (baseUrl) => joinCertDownUrl(baseUrl, 'ip-abtnet-io.tar.gz');
+const getDidDomainCertDownloadUrl = (baseUrl) => joinCertDownUrl(baseUrl, 'did-abtnet-io.tar.gz');
+const getDownloadCertBaseUrl = (info) =>
+  process.env.ABT_NODE_WILDCARD_CERT_HOST || get(info, 'routing.wildcardCertHost', '');
+
+module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerManager, blockletManager, certManager }) {
   const nodeState = states.node;
   const blockletState = states.blocklet;
   const siteState = states.site;
-  const httpsCertState = states.certificate;
   const notification = states.notification;
 
   // site level duplication detection
   const hasRuleByPrefix = (site, value) => site.rules.find((x) => x.isProtected && get(x, 'from.pathPrefix') === value);
 
-  const updateDashboardCertificate = async ({ checkExpire = true }) => {
-    const info = await nodeState.read();
-    const provider = getProviderFromNodeInfo(info);
-    if (provider === ROUTER_PROVIDER_NONE) {
-      return;
-    }
-
-    const https = get(info, 'routing.https', true);
-    const dashboardDomain = get(info, 'routing.dashboardDomain', '');
-    const certDownloadAddress = get(info, 'routing.dashboardCertDownloadAddress', '');
-    if (!https || !dashboardDomain || !certDownloadAddress) {
-      return;
-    }
-
-    if (checkExpire) {
-      try {
-        const cert = await routerManager.findCertificateByDomain(dashboardDomain);
-        if (!cert) {
-          return;
-        }
-
-        const now = Date.now();
-        const certInfo = getHttpsCertInfo(cert.certificate);
-        if (certInfo.validTo - now >= CERTIFICATE_EXPIRES_OFFSET) {
-          logger.info('skip dashboard certificate update before not expired');
-          return;
-        }
-      } catch (err) {
-        logger.error('failed to check dashboard certificate expiration', { error: err });
-        return;
-      }
-    }
-
-    const destFolder = getTmpDirectory(path.join(`certificate-${Date.now()}`));
+  const downloadCert = async ({ domain, url }) => {
+    const destFolder = getTmpDir(path.join(`certificate-${Date.now()}`));
     try {
       const filename = path.join(destFolder, 'certificate.tar.gz');
       fs.ensureDirSync(destFolder);
 
-      await downloadFile(certDownloadAddress, filename);
+      await downloadFile(url, filename);
       await decompressCertificates(filename, destFolder);
 
       const certificateFilePath = path.join(destFolder, 'cert.pem');
@@ -468,58 +478,186 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       const certificate = fs.readFileSync(certificateFilePath).toString();
       const privateKey = fs.readFileSync(privateKeyFilePath).toString();
 
-      await routerManager.updateNginxHttpsCert({ domain: dashboardDomain, privateKey, certificate, isProtected: true });
-      logger.info('dashboard certificate updated');
+      await certManager.upsertByDomain({
+        domain,
+        privateKey,
+        certificate,
+        isProtected: true,
+      });
+
+      logger.info('dashboard certificate updated', { domain });
     } catch (error) {
-      logger.error('Update dashboard certificate failed', { error });
+      logger.error('update dashboard certificate failed', { error });
+      throw error;
     } finally {
       fs.removeSync(destFolder);
     }
   };
 
+  const updateCert = async (domain, url) => {
+    try {
+      const cert = await certManager.getByDomain(domain);
+      if (!cert) {
+        return;
+      }
+
+      const now = Date.now();
+      const certInfo = getHttpsCertInfo(cert.certificate);
+
+      if (certInfo.validTo - now >= CERTIFICATE_EXPIRES_OFFSET) {
+        logger.info('skip dashboard certificate update before not expired', { domain, url });
+        return;
+      }
+
+      await downloadCert({
+        domain,
+        url,
+      });
+    } catch (err) {
+      logger.error('failed to check dashboard certificate expiration', { error: err, domain, url });
+    }
+  };
+
+  const updateDashboardCertificates = async () => {
+    const info = await nodeState.read();
+    const https = get(info, 'routing.https', true);
+    const ipWildcardDomain = get(info, 'routing.ipWildcardDomain', '');
+    const didDomain = info.didDomain;
+    const certDownloadAddress = getDownloadCertBaseUrl(info);
+    if (!https || !certDownloadAddress) {
+      return;
+    }
+
+    await updateCert(ipWildcardDomain, getIpEchoCertDownloadUrl(certDownloadAddress));
+    await updateCert(`*.${didDomain}`, getDidDomainCertDownloadUrl(certDownloadAddress));
+  };
+
+  const ensureWildcardCerts = async () => {
+    const info = await nodeState.read();
+    const didDomain = info.didDomain;
+    const ipWildcardDomain = get(info, 'routing.ipWildcardDomain', '');
+
+    const ensureDomainCert = async (domain, url) => {
+      const cert = await certManager.getByDomain(domain);
+      if (!cert || get(cert, 'meta.validTo') <= Date.now()) {
+        await downloadCert({
+          domain,
+          url,
+        });
+      }
+    };
+
+    const certBaseUrl = getDownloadCertBaseUrl(info);
+    await Promise.all([
+      ensureDomainCert(ipWildcardDomain, getIpEchoCertDownloadUrl(certBaseUrl)),
+      ensureDomainCert(`*.${didDomain}`, getDidDomainCertDownloadUrl(certBaseUrl)),
+    ]);
+  };
+
+  const upsertSiteRule = async ({ site, rule }, context) => {
+    const findExistingRule = (prefix) => site.rules.find((r) => r.from.pathPrefix === normalizePathPrefix(prefix));
+
+    const newSiteRule = {
+      id: site.id,
+      rule,
+    };
+
+    const existingRule = findExistingRule(get(rule, 'from.pathPrefix'));
+    if (!existingRule) {
+      await routerManager.addRoutingRule(newSiteRule, context);
+      return true;
+    }
+
+    if (!isEqual(existingRule.to, rule.to)) {
+      newSiteRule.rule.id = existingRule.id;
+      newSiteRule.skipProtectedRuleChecking = true;
+      await routerManager.updateRoutingRule(newSiteRule, context);
+      return true;
+    }
+
+    return false;
+  };
+
   const addWellknownSite = async (sites, context) => {
     const site = (sites || []).find((x) => x.name === NAME_FOR_WELLKNOWN_SITE);
 
     try {
-      const pathPrefix = joinUrl(WELLKNOWN_PATH_PREFIX, '/did.json');
+      const info = await nodeState.read();
+      const proxyTarget = {
+        port: info.port,
+        type: ROUTING_RULE_TYPES.GENERAL_PROXY,
+        interfaceName: BLOCKLET_INTERFACE_WELLKNOWN,
+      };
+
       const didResolverWellknownRule = {
-        from: { pathPrefix },
+        isProtected: true,
+        from: { pathPrefix: WELLKNOWN_DID_RESOLVER_PREFIX },
+        to: proxyTarget,
+      };
+
+      const acmeChallengeWellknownRule = {
+        isProtected: true,
+        from: { pathPrefix: WELLKNOWN_ACME_CHALLENGE_PREFIX },
+        to: proxyTarget,
+      };
+
+      const pingWellknownRule = {
+        isProtected: true,
+        from: { pathPrefix: WELLKNOWN_PING_PREFIX },
         to: {
-          port: DEFAULT_DAEMON_PORT,
-          type: ROUTING_RULE_TYPES.GENERAL_PROXY,
-          interfaceName: BLOCKLET_INTERFACE_WELLKNOWN,
+          type: ROUTING_RULE_TYPES.DIRECT_RESPONSE,
+          response: {
+            status: 200,
+            contentType: 'application/javascript',
+            body: "'pong'",
+          },
+          port: info.port,
         },
       };
 
       if (site) {
-        if (site.rules.find((r) => r.from.pathPrefix === normalizePathPrefix(pathPrefix))) {
-          return false;
-        }
-
-        await routerManager.addRoutingRule(
+        const didResolverRuleUpdateRes = await upsertSiteRule(
           {
-            id: site.id,
+            site,
             rule: didResolverWellknownRule,
           },
           context
         );
-      } else {
-        await routerManager.addRoutingSite(
+
+        const acmeRuleUpdateRes = await upsertSiteRule(
           {
-            site: {
-              domain: DOMAIN_FOR_INTERNAL_SITE,
-              port: await getWellknownSitePort(),
-              name: NAME_FOR_WELLKNOWN_SITE,
-              rules: [didResolverWellknownRule],
-              isProtected: true,
-            },
-            skipCheckDynamicBlacklist: true,
-            skipValidation: true,
+            site,
+            rule: acmeChallengeWellknownRule,
           },
           context
         );
+
+        const pingRuleRes = await upsertSiteRule(
+          {
+            site,
+            rule: pingWellknownRule,
+          },
+          context
+        );
+
+        return didResolverRuleUpdateRes || acmeRuleUpdateRes || pingRuleRes;
       }
 
+      await routerManager.addRoutingSite(
+        {
+          site: {
+            domain: DOMAIN_FOR_INTERNAL_SITE,
+            port: await getWellknownSitePort(),
+            name: NAME_FOR_WELLKNOWN_SITE,
+            rules: [didResolverWellknownRule, acmeChallengeWellknownRule, pingWellknownRule],
+            isProtected: true,
+          },
+          skipCheckDynamicBlacklist: true,
+          skipValidation: true,
+        },
+        context
+      );
+
       return true;
     } catch (err) {
       console.error('add well-known site failed:', err);
@@ -533,14 +671,8 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
    *
    * @returns {boolean} if routing changed
    */
-  const ensureDashboardRouting = async (context = {}, output) => {
+  const ensureDashboardRouting = async (context = {}) => {
     const info = await nodeState.read();
-
-    const provider = getProviderFromNodeInfo(info);
-    if (provider === ROUTER_PROVIDER_NONE) {
-      return false;
-    }
-
     const sites = await siteState.getSites();
     let dashboardSite = (sites || []).find((x) => x.domain === DOMAIN_FOR_IP_SITE);
     const updatedResult = [];
@@ -569,28 +701,26 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       }
     }
 
-    const isExistsInAlias = (domainAlias) =>
-      (dashboardSite.domainAliases || []).find((item) => {
-        if (typeof item === 'object') {
-          return domainAlias === item.value;
-        }
+    const ipWildcardDomain = get(info, 'routing.ipWildcardDomain', '');
 
-        return domainAlias === item;
-      });
+    const domainAliases = (dashboardSite.domainAliases || []).filter(
+      (item) => !item.value.endsWith(ipWildcardDomain) && !item.value.endsWith(info.didDomain)
+    );
 
-    const dashboardDomain = get(info, 'routing.dashboardDomain', '');
-    if (dashboardDomain && !isExistsInAlias(dashboardDomain)) {
-      try {
-        const result = await siteState.update(
-          { _id: dashboardSite.id },
-          { $push: { domainAliases: { value: dashboardDomain, isProtected: true } } }
-        );
+    const didDomain = getServerDidDomain(info);
+    const dashboardAliasDomains = [
+      { value: ipWildcardDomain, isProtected: true },
+      { value: didDomain, isProtected: true },
+    ];
+    domainAliases.push(...dashboardAliasDomains);
 
-        updatedResult.push(result);
-      } catch (error) {
-        logger.error('add dashboard domain rule failed', { error });
-        console.error('Add dashboard domain rule failed:', error);
-      }
+    try {
+      const result = await siteState.update({ _id: dashboardSite.id }, { $set: { domainAliases } });
+
+      updatedResult.push(result);
+    } catch (error) {
+      logger.error('add dashboard domain rule failed', { error });
+      console.error('Add dashboard domain rule failed:', error);
     }
 
     const defaultRule = sites.find((x) => x.domain === DOMAIN_FOR_DEFAULT_SITE);
@@ -618,18 +748,6 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       updatedResult.push(wellknownRes);
     }
 
-    // Download dashboard certificates if not exists
-    const certDownloadAddress = get(info, 'routing.dashboardCertDownloadAddress', '');
-    if (dashboardDomain && certDownloadAddress) {
-      const cert = await routerManager.findCertificateByDomain(dashboardDomain);
-      if (!cert) {
-        await updateDashboardCertificate({ checkExpire: false });
-        if (typeof output === 'function') {
-          output('Dashboard HTTPS certificate was downloaded successfully!');
-        }
-      }
-    }
-
     if (updatedResult.length) {
       const hash = await takeRoutingSnapshot({ message: 'ensure dashboard routing rules', dryRun: false }, context);
       logger.info('take routing snapshot on ensure dashboard routing rules', { updatedResult, hash });
@@ -657,8 +775,8 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       return `/${str}`.replace(/^\/+/, '/');
     };
 
-    const domainGroup = `${blocklet.meta.did}${BLOCKLET_SITE_GROUP_SUFFIX}`;
-    const domain = getIpDnsDomainForBlocklet(blocklet, webInterface);
+    const domainGroup = getBlockletDomainGroupName(blocklet.meta.did);
+
     const pathPrefix = getPrefix(webInterface.prefix);
     const rule = {
       from: { pathPrefix },
@@ -672,20 +790,45 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
     };
 
     const existSite = await states.site.findOne({ domain: domainGroup });
+    const { wallet } = getBlockletInfo(blocklet, nodeInfo.sk);
+    updateBlockletDocument({
+      wallet,
+      appPid: blocklet.appPid,
+      alsoKnownAs: getBlockletKnownAs(blocklet),
+      daemonDidDomain: getServerDidDomain(nodeInfo),
+      didRegistryUrl: nodeInfo.didRegistry,
+      domain: nodeInfo.didDomain,
+    })
+      .then(() => {
+        logger.info(`updated blocklet ${blocklet.appDid} dns`);
+      })
+      .catch((err) => {
+        logger.error(`update blocklet ${blocklet.appDid} dns failed`, { error: err });
+      });
+
     if (!existSite) {
+      const domainAliases = [];
+
+      const didDomain = getDidDomainForBlocklet({ appPid: blocklet.appPid, didDomain: nodeInfo.didDomain });
+      const ipEchoDnsDomain = getIpDnsDomainForBlocklet(blocklet);
+
+      // let didDomain in front of ipEchoDnsDomain
+      domainAliases.push({ value: didDomain, isProtected: true }, { value: ipEchoDnsDomain, isProtected: true });
+
       await routerManager.addRoutingSite(
         {
           site: {
             domain: domainGroup,
-            domainAliases: [{ value: domain, isProtected: true }],
+            domainAliases,
             isProtected: true,
             rules: [rule],
           },
           skipCheckDynamicBlacklist: true,
+          skipValidation: true,
         },
         context
       );
-      logger.info('add routing site', { site: domain });
+      logger.info('add routing site', { site: domainGroup });
 
       return true;
     }
@@ -700,13 +843,13 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
         },
         skipProtectedRuleChecking: true,
       });
-      logger.info('update routing rule for site', { site: domain });
+      logger.info('update routing rule for site', { site: domainGroup });
     } else {
       await routerManager.addRoutingRule({
         id: existSite.id,
         rule,
       });
-      logger.info('add routing rule for site', { site: domain });
+      logger.info('add routing rule for site', { site: domainGroup });
     }
 
     return true;
@@ -723,130 +866,79 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       return false;
     }
 
-    const tasks = (blocklet.meta.interfaces || [])
-      .filter((x) => x.type === BLOCKLET_INTERFACE_TYPE_WELLKNOWN)
-      .map(async (x) => {
-        const pathPrefix = normalizePathPrefix(x.prefix);
-        if (!pathPrefix.startsWith(WELLKNOWN_PATH_PREFIX)) {
-          throw new Error(`Wellknown path prefix must start with: ${WELLKNOWN_PATH_PREFIX}`);
-        }
+    /**
+     * 1. component blocklet 不允许有相同多的 wellknown
+     * 1. wellknown 可以访问的路由:
+     *    /.well-known/xxx
+     *    /{wellknown owner blocklet}/.well-known/xxx
+     */
 
-        const port = findInterfacePortByName(blocklet, x.name);
-        const existedRule = hasRuleByPrefix(wellknownSite, pathPrefix);
+    const isWellknownInterface = (x) => x.type === BLOCKLET_INTERFACE_TYPE_WELLKNOWN;
 
-        const rule = {
-          from: { pathPrefix },
-          to: {
-            did: blocklet.meta.did,
-            port,
-            type: ROUTING_RULE_TYPES.GENERAL_PROXY,
-            interfaceName: x.name,
-          },
-          isProtected: true,
-        };
+    const handler = async (tmpBlocklet, tmpInterface, mountPoint) => {
+      let pathPrefix = normalizePathPrefix(tmpInterface.prefix);
+      if (!pathPrefix.startsWith(WELLKNOWN_PATH_PREFIX)) {
+        throw new Error(`Wellknown path prefix must start with: ${WELLKNOWN_PATH_PREFIX}`);
+      }
 
-        if (!existedRule) {
-          await routerManager.addRoutingRule({ id: wellknownSite.id, rule, skipCheckDynamicBlacklist: true }, context);
-          return true;
-        }
+      const tmpMountPoint = mountPoint || tmpBlocklet.mountPoint;
+      if (tmpMountPoint) {
+        pathPrefix = joinUrl(tmpMountPoint, pathPrefix);
+      }
 
-        // 兼容代码，旧的 rule 没有 to.did 字段
-        if (port !== existedRule.to.port || existedRule.to.did !== blocklet.meta.did) {
-          existedRule.to = rule.to;
+      const port = findInterfacePortByName(tmpBlocklet, tmpInterface.name);
+      const existedRule = hasRuleByPrefix(wellknownSite, pathPrefix);
 
-          await routerManager.updateRoutingRule(
-            { id: wellknownSite.id, rule: existedRule, skipProtectedRuleChecking: true },
-            context
-          );
+      const rule = {
+        from: { pathPrefix },
+        to: {
+          did: tmpBlocklet.meta.did,
+          port,
+          type: ROUTING_RULE_TYPES.GENERAL_PROXY,
+          interfaceName: tmpInterface.name,
+        },
+        isProtected: true,
+      };
 
-          return true;
-        }
+      if (!existedRule) {
+        await routerManager.addRoutingRule({ id: wellknownSite.id, rule, skipCheckDynamicBlacklist: true }, context);
+        return true;
+      }
 
-        return false;
-      });
+      // 兼容代码，旧的 rule 没有 to.did 字段
+      if (port !== existedRule.to.port || existedRule.to.did !== tmpBlocklet.meta.did) {
+        existedRule.to = rule.to;
 
-    const changes = await Promise.all(tasks);
-    return changes.some(Boolean);
-  };
+        await routerManager.updateRoutingRule(
+          { id: wellknownSite.id, rule: existedRule, skipProtectedRuleChecking: true },
+          context
+        );
 
-  /**
-   * Add system routing rules for blocklet in dashboard site
-   *
-   * @returns {boolean} if routing changed
-   */
-  const _ensureBlockletRulesForDashboardSite = async (blocklet, sites, nodeInfo, context = {}) => {
-    // blocklet level duplication detection
-    const findRulesByInterface = (site, value) =>
-      site.rules.filter((x) => x.isProtected && x.to.did === blocklet.meta.did && get(x, 'to.interfaceName') === value);
-
-    const ipSite = sites.find((x) => x.domain === DOMAIN_FOR_IP_SITE);
-    if (!ipSite) {
-      logger.warn(`Routing rule for dashboard not found, abort on ensure rules for blocklet ${blocklet.meta.did}`);
-      return false;
-    }
+        return true;
+      }
 
-    // If we have rule for legacy path prefix, just return
-    const pathPrefixLegacy = normalizePathPrefix(`/${nodeInfo.routing.adminPath}/${blocklet.meta.name}`);
-    if (hasRuleByPrefix(ipSite, pathPrefixLegacy)) {
       return false;
-    }
-
-    const removedRuleIds = [];
-    const changes = await Promise.all(
-      blocklet.meta.interfaces.map(async (x) => {
-        let changed = false; // if state db was mutated
-        let pathPrefix = '';
-        if (x.prefix === BLOCKLET_DYNAMIC_PATH_PREFIX) {
-          // pathPrefix for dynamic path: `/{adminPath}/{blockletName}/{interfaceName}`
-          pathPrefix = normalizePathPrefix(`/${pathPrefixLegacy}/${x.name}`);
-        } else {
-          // pathPrefix for fixed path: `/{interfacePrefix}`
-          pathPrefix = normalizePathPrefix(x.prefix);
-        }
-
-        // Remove if we have rule with same interface
-        const exists = findRulesByInterface(ipSite, x.name);
-        if (exists.length) {
-          // Note: we need to keep a list of removed rules since we might remove multiple rules in the loop
-          exists.forEach((e) => removedRuleIds.push(e.id));
-          await states.site.update(
-            { _id: ipSite.id },
-            { $set: { rules: ipSite.rules.filter((r) => removedRuleIds.includes(r.id) === false) } }
-          );
-          changed = true;
-        } else if (hasRuleByPrefix(ipSite, pathPrefix)) {
-          // Skip same pathPrefix rules
-          return changed;
-        }
+    };
 
-        // 不在 dashboard site 中添加 path 和 prefix 都是根路径(/) 的路由
-        if (x.path === '/' && x.prefix === '/') {
-          return changed;
-        }
+    const tasks = [];
 
-        await routerManager.addRoutingRule(
-          {
-            id: ipSite.id,
-            rule: {
-              from: { pathPrefix },
-              to: {
-                type: ROUTING_RULE_TYPES.BLOCKLET,
-                port: findInterfacePortByName(blocklet, x.name),
-                did: blocklet.meta.did, // root blocklet did
-                interfaceName: x.name, // root blocklet interface
-              },
-              isProtected: true,
-            },
-            skipCheckDynamicBlacklist: true,
-          },
-          context
-        );
-        changed = true;
+    forEachBlocklet(
+      blocklet,
+      (b) => {
+        (b.meta.interfaces || []).forEach((item) => {
+          if (isWellknownInterface(item)) {
+            tasks.push(handler(b, item));
 
-        return changed;
-      })
+            if (!b.mountPoint || b.mountPoint !== '/') {
+              tasks.push(handler(b, item, '/')); // 在站点的根路由下挂载一个
+            }
+          }
+        });
+      },
+      { sync: true }
     );
 
+    const changes = await Promise.all(tasks);
     return changes.some(Boolean);
   };
 
@@ -873,12 +965,6 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
    */
   const ensureBlockletRouting = async (blocklet, context = {}) => {
     const nodeInfo = await nodeState.read();
-
-    const provider = getProviderFromNodeInfo(nodeInfo);
-    if (provider === ROUTER_PROVIDER_NONE) {
-      return false;
-    }
-
     const hasWebInterface = (blocklet.meta.interfaces || []).some((x) => x.type === BLOCKLET_INTERFACE_TYPE_WEB);
     if (!hasWebInterface) {
       return false;
@@ -891,14 +977,6 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       _ensureBlockletSites(blocklet, sites, nodeInfo, context),
     ];
 
-    if (nodeInfo.mode === NODE_MODES.DEBUG || ['e2e', 'test'].includes(process.env.NODE_ENV)) {
-      logger.info('Add blocklet endpoint in dashboard site', {
-        nodeMode: nodeInfo.mode,
-        NODE_ENV: process.env.NODE_ENV,
-      });
-      tasks.push(_ensureBlockletRulesForDashboardSite(blocklet, sites, nodeInfo, context));
-    }
-
     const changes = await Promise.all(tasks);
 
     return changes.some(Boolean);
@@ -978,12 +1056,6 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
    * @returns {boolean} if routing changed
    */
   const ensureBlockletRoutingForUpgrade = async (blocklet, context = {}) => {
-    const nodeInfo = await nodeState.read();
-    const provider = getProviderFromNodeInfo(nodeInfo);
-    if (provider === ROUTER_PROVIDER_NONE) {
-      return false;
-    }
-
     await routerManager.deleteRoutingRulesItemByDid(
       { did: blocklet.meta.did, ruleFilter: (x) => x.isProtected },
       context
@@ -1004,7 +1076,10 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
     const nodeInfo = await nodeState.read();
 
     const ruleChanged = await routerManager.deleteRoutingRulesItemByDid({ did: blocklet.meta.did }, context);
-    const siteChanged = await _removeBlockletSites(blocklet, nodeInfo, context);
+    let siteChanged;
+    if (!context.keepRouting) {
+      siteChanged = await _removeBlockletSites(blocklet, nodeInfo, context);
+    }
 
     return ruleChanged || siteChanged;
   };
@@ -1028,21 +1103,21 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
     return result;
   }
 
-  async function getRoutingRulesByDid(did) {
-    const info = await nodeState.read();
-    const { sites } = await readRoutingSites();
-    const rules = Router.flattenSitesToRules(sites, info);
-    return rules.filter((rule) => rule.to.did === did);
+  async function resetSiteByDid(did, { refreshRouterProvider = true } = {}) {
+    const blocklet = await states.blocklet.getBlocklet(did);
+    await removeBlockletRouting(blocklet);
+    await ensureBlockletRouting(blocklet);
+    if (refreshRouterProvider) {
+      const hash = await takeRoutingSnapshot({ message: `Reset blocklet ${did}`, dryRun: false });
+      logger.info('reset blocklet routing rules', { did, hash });
+    }
   }
 
-  const routers = {}; // we need to keep reference for different router instances
+  const providers = {}; // we need to keep reference for different router instances
   const handleRouting = async (nodeInfo) => {
     const providerName = get(nodeInfo, 'routing.provider', null);
     const httpsEnabled = get(nodeInfo, 'routing.https', true);
     logger.debug('handle routing', { providerName, httpsEnabled });
-    if (providerName === ROUTER_PROVIDER_NONE) {
-      return;
-    }
 
     const Provider = getProvider(providerName);
     const checkResult = await Provider.check({ configDir: dataDirs.router });
@@ -1050,27 +1125,25 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       throw new Error(`${providerName} pre-check failed, ${checkResult.error}`);
     }
 
-    if (routers[providerName]) {
-      await routers[providerName].restart();
+    if (providers[providerName]) {
+      await providers[providerName].reload();
     } else {
-      routers[providerName] = new Router({
+      providers[providerName] = new Router({
         provider: new Provider({
-          configDirectory: path.join(dataDirs.router, providerName),
+          configDir: path.join(dataDirs.router, providerName),
           httpPort: nodeInfo.routing.httpPort || DEFAULT_HTTP_PORT,
           httpsPort: nodeInfo.routing.httpsPort || DEFAULT_HTTPS_PORT,
-          cacheDisabled: nodeInfo.mode === NODE_MODES.DEBUG,
+          cacheEnabled: isGatewayCacheEnabled(nodeInfo),
         }),
         getRoutingParams: async () => {
           try {
             const info = await nodeState.read();
             let { sites } = await readRoutingSites();
             sites = await ensureLatestInfo(sites);
-            sites = await ensureAuthService(sites, blockletManager);
             sites = await ensureServiceRule(sites);
+            sites = await ensureRootRule(sites);
 
-            const certificates = httpsEnabled
-              ? await httpsCertState.find({ type: providerName }, { domain: 1, certificate: 1, privateKey: 1 })
-              : [];
+            const certificates = httpsEnabled ? await certManager.getAllNormal() : [];
 
             return {
               sites,
@@ -1093,11 +1166,17 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
         },
       });
 
-      routerManager.on('router.certificate.add', () => routers[providerName].restart());
-      routerManager.on('router.certificate.updated', () => routers[providerName].restart());
-      routerManager.on('router.certificate.remove', () => routers[providerName].restart());
+      [
+        BlockletEvents.certIssued,
+        EVENTS.CERT_ADDED,
+        EVENTS.CERT_REMOVED,
+        EVENTS.CERT_ISSUED,
+        EVENTS.CERT_UPDATED,
+      ].forEach((event) => {
+        certManager.on(event, () => providers[providerName].reload());
+      });
 
-      await routers[providerName].start();
+      await providers[providerName].start();
     }
   };
 
@@ -1105,8 +1184,8 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
     const info = await nodeState.read();
     const providerName = get(info, 'routing.provider', null);
 
-    if (providerName && routers[providerName] && typeof routers[providerName].rotateLogs === 'function') {
-      await routers[providerName].rotateLogs();
+    if (providerName && providers[providerName] && typeof providers[providerName].rotateLogs === 'function') {
+      await providers[providerName].rotateLogs({ retain: LOG_RETAIN_IN_DAYS });
     }
   };
 
@@ -1135,33 +1214,31 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
     await handleRouting(result);
 
     if (newProvider !== info.routing.provider) {
-      if (newProvider !== ROUTER_PROVIDER_NONE) {
-        // Ensure we have system sites for daemon
-        await ensureDashboardRouting(context);
-
-        // Ensure we have system rules for blocklets
-        const blocklets = await blockletState.getBlocklets();
-        const ensureBlocklet = async (x) => {
-          const blocklet = await blockletManager.ensureBlocklet(x.meta.did);
-          return ensureBlockletRouting(blocklet, context);
-        };
-        const ensureBlockletResults = await Promise.all(blocklets.map((x) => ensureBlocklet(x)));
-
-        // We need to take snapshot after system rules ensured
-        if (ensureBlockletResults.filter(Boolean).length) {
-          await takeRoutingSnapshot({ message: `Switch routing engine to ${newProvider}`, dryRun: false }, context);
-          logger.info(`take routing snapshot on switch engine: ${newProvider}`, { ensureBlockletResults });
-        }
+      // Ensure we have system sites for daemon
+      await ensureDashboardRouting(context);
+
+      // Ensure we have system rules for blocklets
+      const blocklets = await blockletState.getBlocklets();
+      const ensureBlocklet = async (x) => {
+        const blocklet = await blockletManager.getBlocklet(x.meta.did);
+        return ensureBlockletRouting(blocklet, context);
+      };
+      const ensureBlockletResults = await Promise.all(blocklets.map((x) => ensureBlocklet(x)));
+
+      // We need to take snapshot after system rules ensured
+      if (ensureBlockletResults.filter(Boolean).length) {
+        await takeRoutingSnapshot({ message: `Switch routing engine to ${newProvider}`, dryRun: false }, context);
+        logger.info(`take routing snapshot on switch engine: ${newProvider}`, { ensureBlockletResults });
       }
 
       const Provider = getProvider(info.routing.provider);
       if (Provider) {
         try {
           const providerInstance = new Provider({
-            configDirectory: path.join(dataDirs.router, info.routing.provider),
+            configDir: path.join(dataDirs.router, info.routing.provider),
             httpPort: info.routing.httpPort || DEFAULT_HTTP_PORT,
             httpsPort: info.routing.httpsPort || DEFAULT_HTTPS_PORT,
-            cacheDisabled: info.mode === NODE_MODES.DEBUG,
+            cacheEnabled: isGatewayCacheEnabled(info),
           });
           await providerInstance.stop();
           logger.info('original router stopped:', { provider: info.routing.provider });
@@ -1240,7 +1317,7 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
       return sites;
     }
 
-    return attachInterfaceUrls({
+    return attachRuntimeDomainAliases({
       sites: await ensureLatestInfo(sites, { withDefaultCors }),
       context,
       node: nodeState,
@@ -1249,7 +1326,7 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
 
   const getSnapshotSites = async ({ hash }, context = {}, { withDefaultCors = true } = {}) => {
     const sites = await routingSnapshot.readSnapshotSites(hash);
-    return attachInterfaceUrls({
+    return attachRuntimeDomainAliases({
       sites: await ensureLatestInfo(sites, { withDefaultCors }),
       context,
       node: nodeState,
@@ -1257,65 +1334,56 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
   };
 
   const getCertificates = async () => {
-    const certificates = await httpsCertState.find();
+    const certificates = await certManager.getAll();
     const sites = await getSitesFromSnapshot();
+
+    const isMatch = (cert, domain) =>
+      domain !== DOMAIN_FOR_DEFAULT_SITE && domain && routerManager.isCertMatchedDomain(cert, domain);
+
     return certificates.map((cert) => {
       cert.matchedSites = [];
       sites.forEach((site) => {
-        if (
-          site.domain !== DOMAIN_FOR_DEFAULT_SITE &&
-          site.domain &&
-          routerManager.isCertMatchedDomain(cert, site.domain)
-        ) {
-          cert.matchedSites.push({ id: site.id, domain: site.domain });
-        }
+        const domains = [site.domain, ...(site.domainAliases || []).map((x) => x.value)];
+        domains.forEach((domain) => {
+          if (isMatch(cert, domain)) {
+            cert.matchedSites.push({ id: site.id, domain });
+          }
+        });
       });
 
       return cert;
     });
   };
 
-  const checkDomain = async (domain) => {
-    const matchedCert = await routerManager.getMatchedCert(domain);
+  /**
+   * proxy to routerManager and do takeRoutingSnapshot
+   */
+  const _proxyToRouterManager =
+    (fnName) =>
+    async (...args) => {
+      const res = await routerManager[fnName](...args);
 
-    return { domain, isHttps: !!matchedCert, matchedCert };
-  };
+      takeRoutingSnapshot({ message: fnName, dryRun: false }).catch((error) => {
+        logger.error('failed to takeRoutingSnapshot', { error });
+      });
 
-  const checkCertificatesExpiration = async () => {
-    const now = Date.now();
-
-    const certificates = await getCertificates();
-    for (let i = 0; i < certificates.length; i++) {
-      const cert = certificates[i];
-      const alreadyExpired = now >= cert.validTo;
-      const aboutToExpire = cert.validTo - now > 0 && cert.validTo - now < CERTIFICATE_EXPIRES_WARNING_OFFSET;
-
-      if (alreadyExpired) {
-        logger.info('send certificate expire notification', { domain: cert.domain });
-        notification.create({
-          title: 'SSL Certificate Expired',
-          description: `Your SSL certificate for domain ${cert.domain} has expired, please update it in Blocklet Server`,
-          severity: 'error',
-          entityType: 'certificate',
-          entityId: cert._id, // eslint-disable-line no-underscore-dangle
-        });
-      } else if (aboutToExpire) {
-        logger.info('send certificate about-expire notification', { domain: cert.domain });
-        const expireInDays = Math.ceil((cert.validTo - now) / DAY_IN_MS);
-        notification.create({
-          title: 'SSL Certificate Expire Warning',
-          description: `Your SSL certificate for domain ${
-            cert.domain
-          } will expire in ${expireInDays} days (on ${new Date(
-            cert.validTo
-          ).toLocaleString()}), please remember to update it in Blocklet Server`,
-          severity: 'warning',
-          entityType: 'certificate',
-          entityId: cert._id, // eslint-disable-line no-underscore-dangle
-        });
+      const { teamDid: did } = args[0] || {};
+      if (did) {
+        routerManager.emit(BlockletEvents.updated, { meta: { did } });
       }
-    }
-  };
+
+      return res;
+    };
+
+  const addRoutingSite = _proxyToRouterManager('addRoutingSite');
+  const updateRoutingSite = _proxyToRouterManager('updateRoutingSite');
+  const deleteRoutingSite = _proxyToRouterManager('deleteRoutingSite');
+  const addRoutingRule = _proxyToRouterManager('addRoutingRule');
+  const updateRoutingRule = _proxyToRouterManager('updateRoutingRule');
+  const deleteRoutingRule = _proxyToRouterManager('deleteRoutingRule');
+  // FIXME: should verify domain owner before added
+  const addDomainAlias = _proxyToRouterManager('addDomainAlias');
+  const deleteDomainAlias = _proxyToRouterManager('deleteDomainAlias');
 
   return {
     ensureDashboardRouting,
@@ -1323,39 +1391,47 @@ module.exports = function getRouterHelpers({ dataDirs, routingSnapshot, routerMa
     ensureBlockletRoutingForUpgrade,
     removeBlockletRouting,
     handleRouting,
-    getRoutingRulesByDid,
+    resetSiteByDid,
     updateNodeRouting,
     takeRoutingSnapshot,
     getRoutingSites,
     getSnapshotSites,
-    getCertificates,
     getSitesFromSnapshot,
-    checkDomain,
+    getCertificates,
+    ensureWildcardCerts,
+    addWellknownSite,
+    upsertSiteRule,
+    getRouterProvider: (name) => providers[name],
 
     getRoutingCrons: () => [
       {
         name: 'update-dashboard-certificate',
         time: '0 1 */6 * * *', // refetch on 0:00, 6:00, etc.
-        fn: () => updateDashboardCertificate({ checkExpire: true }),
+        fn: () => updateDashboardCertificates(),
         options: { runOnInit: true },
       },
-      {
-        name: 'check-certificate-expiration',
-        time: '0 0 9 * * *', // check on 09:00 every day
-        fn: checkCertificatesExpiration,
-        options: { runOnInit: false },
-      },
       {
         name: 'rotate-log-files',
-        time: '5 0 0 * * *', // rotate at 05:00 every day
+        time: '1 0 0 * * *', // rotate at 00:00:01 every day
         fn: rotateRouterLog,
         options: { runOnInit: false },
       },
     ],
+
+    addRoutingSite,
+    deleteRoutingSite,
+    updateRoutingSite,
+    addRoutingRule,
+    updateRoutingRule,
+    deleteRoutingRule,
+    addDomainAlias,
+    deleteDomainAlias,
+
+    isGatewayCacheEnabled,
   };
 };
 
-module.exports.attachInterfaceUrls = attachInterfaceUrls;
+module.exports.attachRuntimeDomainAliases = attachRuntimeDomainAliases;
 module.exports.ensureLatestNodeInfo = ensureLatestNodeInfo;
 module.exports.ensureLatestInterfaceInfo = ensureLatestInterfaceInfo;
 module.exports.ensureLatestInfo = ensureLatestInfo;