From 78a8b06467ee523470ad08323b321756561275b4 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 17 Aug 2023 16:27:12 +0800
Subject: [PATCH 01/37] =?UTF-8?q?=E5=8F=98=E6=9B=B4qq=E7=BE=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/conf/files/info.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/conf/files/info.txt b/server/conf/files/info.txt
index 2e7e2e0..9f89a52 100644
--- a/server/conf/files/info.txt
+++ b/server/conf/files/info.txt
@@ -1,2 +1,2 @@
 客户端软件需放置在files目录内，
-如需要帮助请加QQ群：567510628
\ No newline at end of file
+如需要帮助请加QQ群：567510628 、739072205
\ No newline at end of file

From 7714c2a3e826989279a1bc7091395fb9ee26f567 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 24 Aug 2023 14:27:12 +0800
Subject: [PATCH 02/37] =?UTF-8?q?debug=E4=BF=A1=E6=81=AF=20=E9=9C=80?=
 =?UTF-8?q?=E8=A6=81=E9=89=B4=E6=9D=83=E5=90=8E=E6=98=BE=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/admin/api_base.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/admin/api_base.go b/server/admin/api_base.go
index fa63b39..42dfd01 100644
--- a/server/admin/api_base.go
+++ b/server/admin/api_base.go
@@ -82,7 +82,7 @@ func authMiddleware(next http.Handler) http.Handler {
 		route := mux.CurrentRoute(r)
 		name := route.GetName()
 		// fmt.Println("bb", r.URL.Path, name)
-		if utils.InArrStr([]string{"login", "index", "static", "debug"}, name) {
+		if utils.InArrStr([]string{"login", "index", "static"}, name) {
 			// 不进行鉴权
 			next.ServeHTTP(w, r)
 			return
@@ -93,6 +93,12 @@ func authMiddleware(next http.Handler) http.Handler {
 		if jwtToken == "" {
 			jwtToken = r.FormValue("jwt")
 		}
+		if jwtToken == "" {
+			cc, err := r.Cookie("jwt")
+			if err == nil {
+				jwtToken = cc.Value
+			}
+		}
 		data, err := GetJwtData(jwtToken)
 		if err != nil || base.Cfg.AdminUser != fmt.Sprint(data["admin_user"]) {
 			w.WriteHeader(http.StatusUnauthorized)

From 08de4fe08600bf736de62fdc1eadde7258951bae Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 24 Aug 2023 16:59:35 +0800
Subject: [PATCH 03/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=AE=89=E5=85=A8?=
 =?UTF-8?q?=E7=9A=84header=E5=A4=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/admin/api_base.go          | 10 ++++++++++
 server/admin/server.go            |  8 ++++++++
 server/handler/link_auth.go       |  2 +-
 server/handler/link_base.go       | 23 -----------------------
 server/handler/link_home.go       |  2 +-
 server/handler/server.go          |  9 +++++++++
 server/pkg/utils/secure_header.go | 27 +++++++++++++++++++++++++++
 7 files changed, 56 insertions(+), 25 deletions(-)
 create mode 100644 server/pkg/utils/secure_header.go

diff --git a/server/admin/api_base.go b/server/admin/api_base.go
index 42dfd01..61c81a6 100644
--- a/server/admin/api_base.go
+++ b/server/admin/api_base.go
@@ -67,6 +67,14 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	data["admin_user"] = adminUser
 	data["expires_at"] = expiresAt
 
+	ck := &http.Cookie{
+		Name:     "jwt",
+		Value:    tokenString,
+		Path:     "/",
+		HttpOnly: true,
+	}
+	http.SetCookie(w, ck)
+
 	RespSucess(w, data)
 }
 
@@ -76,6 +84,8 @@ func authMiddleware(next http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Methods", "GET,POST,OPTIONS")
 		w.Header().Set("Access-Control-Allow-Headers", "*")
 		if r.Method == http.MethodOptions {
+			// 正式环境不支持 OPTIONS
+			w.WriteHeader(http.StatusForbidden)
 			return
 		}
 
diff --git a/server/admin/server.go b/server/admin/server.go
index 3cabb99..b162755 100644
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -10,6 +10,7 @@ import (
 	"github.com/arl/statsviz"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 )
@@ -20,6 +21,13 @@ var UiData embed.FS
 func StartAdmin() {
 
 	r := mux.NewRouter()
+	// 所有路由添加安全头
+	r.Use(func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			utils.SetSecureHeader(w)
+			next.ServeHTTP(w, req)
+		})
+	})
 	r.Use(authMiddleware)
 	r.Use(handlers.CompressHandler)
 
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index 2e9bf8f..ca43bdd 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -49,7 +49,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// fmt.Printf("%+v \n", cr)
-	setCommonHeader(w)
+	// setCommonHeader(w)
 	if cr.Type == "logout" {
 		// 退出删除session信息
 		if cr.SessionToken != "" {
diff --git a/server/handler/link_base.go b/server/handler/link_base.go
index 7581bcc..48e2258 100644
--- a/server/handler/link_base.go
+++ b/server/handler/link_base.go
@@ -3,7 +3,6 @@ package handler
 import (
 	"encoding/xml"
 	"log"
-	"net/http"
 	"os/exec"
 )
 
@@ -42,28 +41,6 @@ type macAddressList struct {
 	MacAddress string `xml:"mac-address"`
 }
 
-func setCommonHeader(w http.ResponseWriter) {
-	// Content-Length Date 默认已经存在
-	w.Header().Set("Server", "AnyLinkOpenSource")
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	w.Header().Set("Cache-Control", "no-store,no-cache")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Transfer-Encoding", "chunked")
-	w.Header().Set("Connection", "keep-alive")
-	w.Header().Set("X-Frame-Options", "deny")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("Content-Security-Policy", "default-src 'none'")
-	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
-	w.Header().Set("Referrer-Policy", "no-referrer")
-	w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
-	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
-	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
-	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
-	w.Header().Set("X-XSS-Protection", "0")
-	w.Header().Set("X-Aggregate-Auth", "1")
-	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
-}
-
 func execCmd(cmdStrs []string) error {
 	for _, cmdStr := range cmdStrs {
 		cmd := exec.Command("sh", "-c", cmdStr)
diff --git a/server/handler/link_home.go b/server/handler/link_home.go
index a2dc30b..066e6f1 100644
--- a/server/handler/link_home.go
+++ b/server/handler/link_home.go
@@ -13,7 +13,7 @@ func LinkHome(w http.ResponseWriter, r *http.Request) {
 	// fmt.Println(r.RemoteAddr)
 	// hu, _ := httputil.DumpRequest(r, true)
 	// fmt.Println("DumpHome: ", string(hu))
-	w.Header().Set("Server", "AnyLinkOpenSource")
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	connection := strings.ToLower(r.Header.Get("Connection"))
 	userAgent := strings.ToLower(r.UserAgent())
 	if connection == "close" && (strings.Contains(userAgent, "anyconnect") || strings.Contains(userAgent, "openconnect")) {
diff --git a/server/handler/server.go b/server/handler/server.go
index 34fd016..06d72d5 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/mux"
 	"github.com/pires/go-proxyproto"
 )
@@ -86,6 +87,14 @@ func startTls() {
 
 func initRoute() http.Handler {
 	r := mux.NewRouter()
+	// 所有路由添加安全头
+	r.Use(func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			utils.SetSecureHeader(w)
+			next.ServeHTTP(w, req)
+		})
+	})
+
 	r.HandleFunc("/", LinkHome).Methods(http.MethodGet)
 	r.HandleFunc("/", LinkAuth).Methods(http.MethodPost)
 	r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
diff --git a/server/pkg/utils/secure_header.go b/server/pkg/utils/secure_header.go
new file mode 100644
index 0000000..a0a3b31
--- /dev/null
+++ b/server/pkg/utils/secure_header.go
@@ -0,0 +1,27 @@
+package utils
+
+import "net/http"
+
+// 设置安全的header头
+func SetSecureHeader(w http.ResponseWriter) {
+	// Content-Length Date 默认已经存在
+	w.Header().Set("Server", "AnyLinkOpenSource")
+	// w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store,no-cache")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Transfer-Encoding", "chunked")
+	w.Header().Set("Connection", "keep-alive")
+	w.Header().Set("X-Frame-Options", "deny")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Download-Options", "noopen")
+	w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'")
+	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
+	w.Header().Set("Referrer-Policy", "no-referrer")
+	// w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
+	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
+	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
+	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
+	w.Header().Set("X-XSS-Protection", "0")
+	w.Header().Set("X-Aggregate-Auth", "1")
+	w.Header().Set("Strict-Transport-Security", "max-age=31536000")
+}

From da1d6c6c6db1741779e816521054a101ff89c2bd Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 25 Aug 2023 13:56:04 +0800
Subject: [PATCH 04/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=AE=89=E5=85=A8?=
 =?UTF-8?q?=E7=9A=84header=E5=A4=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                         | 1 +
 server/pkg/utils/secure_header.go | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index c4c67c2..e5fb56a 100644
--- a/README.md
+++ b/README.md
@@ -301,6 +301,7 @@ ipv4_end = "10.1.2.200"
 ## Discussion
 
 添加QQ群(1): 567510628
+
 添加QQ群(2): 739072205
 
 群共享文件有相关软件下载
diff --git a/server/pkg/utils/secure_header.go b/server/pkg/utils/secure_header.go
index a0a3b31..f323693 100644
--- a/server/pkg/utils/secure_header.go
+++ b/server/pkg/utils/secure_header.go
@@ -7,9 +7,11 @@ func SetSecureHeader(w http.ResponseWriter) {
 	// Content-Length Date 默认已经存在
 	w.Header().Set("Server", "AnyLinkOpenSource")
 	// w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	// w.Header().Set("Transfer-Encoding", "chunked")
+	w.Header().Set("X-Aggregate-Auth", "1")
+
 	w.Header().Set("Cache-Control", "no-store,no-cache")
 	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Transfer-Encoding", "chunked")
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("X-Frame-Options", "deny")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
@@ -17,11 +19,11 @@ func SetSecureHeader(w http.ResponseWriter) {
 	w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'")
 	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
 	w.Header().Set("Referrer-Policy", "no-referrer")
-	// w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
 	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 	w.Header().Set("X-XSS-Protection", "0")
-	w.Header().Set("X-Aggregate-Auth", "1")
 	w.Header().Set("Strict-Transport-Security", "max-age=31536000")
+
+	// w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
 }

From 6127c41aeaca5b0311b5812fec10dd4798103378 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 1 Sep 2023 17:55:15 +0800
Subject: [PATCH 05/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20panic?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_access_audit.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index 4384352..89f3450 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -106,6 +106,7 @@ func logAudit(userName string, pl *sessdata.Payload) {
 	if !(pl.LType == sessdata.LTypeIPData && pl.PType == 0x00) {
 		return
 	}
+
 	ipProto := waterutil.IPv4Protocol(pl.Data)
 	// 访问协议
 	var accessProto uint8
@@ -121,7 +122,15 @@ func logAudit(userName string, pl *sessdata.Payload) {
 
 	ipSrc := waterutil.IPv4Source(pl.Data)
 	ipDst := waterutil.IPv4Destination(pl.Data)
-	ipPort := waterutil.IPv4DestinationPort(pl.Data)
+
+	// ipPort := waterutil.IPv4DestinationPort(pl.Data)
+	// 修复 panic: runtime error: index out of range [2] with length 2
+	ipPl := waterutil.IPv4Payload(pl.Data)
+	if len(ipPl) < 3 {
+		base.Error("ipPl len < 3", pl.Data)
+		return
+	}
+	ipPort := (uint16(ipPl[2]) << 8) | uint16(ipPl[3])
 
 	b := getByte51()
 	key := *b

From a168c96a935e1065d78c24bdbc9cb37de9b418ae Mon Sep 17 00:00:00 2001
From: lanrenwo <phpcleps@gmail.com>
Date: Fri, 1 Sep 2023 18:10:20 +0800
Subject: [PATCH 06/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8DsniNewParser=E7=9A=84pa?=
 =?UTF-8?q?nic?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_tcp_parser.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/handler/payload_tcp_parser.go b/server/handler/payload_tcp_parser.go
index 6d3c4cc..f2e1c31 100644
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -32,6 +32,9 @@ func sniNewParser(b []byte) (uint8, string) {
 	if len(b) < 2 || b[0] != 0x16 || b[1] != 0x03 {
 		return acc_proto_tcp, ""
 	}
+	if len(b) < 6 {
+		return acc_proto_tcp, ""
+	}	
 	rest := b[5:]
 	restLen := len(rest)
 	if restLen == 0 {

From 2af2d273e4725284f255a4f8c2dd486dee7502c0 Mon Sep 17 00:00:00 2001
From: lanrenwo <phpcleps@gmail.com>
Date: Sat, 2 Sep 2023 10:44:47 +0800
Subject: [PATCH 07/37] =?UTF-8?q?=E7=AE=80=E5=8C=96sniNewParser=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_tcp_parser.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/server/handler/payload_tcp_parser.go b/server/handler/payload_tcp_parser.go
index f2e1c31..bbb933e 100644
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -29,10 +29,7 @@ func onTCP(payload []byte) (uint8, string) {
 }
 
 func sniNewParser(b []byte) (uint8, string) {
-	if len(b) < 2 || b[0] != 0x16 || b[1] != 0x03 {
-		return acc_proto_tcp, ""
-	}
-	if len(b) < 6 {
+	if len(b) < 6 || b[0] != 0x16 || b[1] != 0x03 {
 		return acc_proto_tcp, ""
 	}	
 	rest := b[5:]

From 7651b69ed636649161c36f0613719d69960b4b6c Mon Sep 17 00:00:00 2001
From: lanrenwo <phpcleps@gmail.com>
Date: Sat, 2 Sep 2023 10:46:01 +0800
Subject: [PATCH 08/37] =?UTF-8?q?=E5=88=A0=E9=99=A4sniNewParser=E5=A4=9A?=
 =?UTF-8?q?=E4=BD=99=E7=9A=84=E7=A9=BA=E6=A0=BC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_tcp_parser.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/handler/payload_tcp_parser.go b/server/handler/payload_tcp_parser.go
index bbb933e..95c9a0d 100644
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -31,7 +31,7 @@ func onTCP(payload []byte) (uint8, string) {
 func sniNewParser(b []byte) (uint8, string) {
 	if len(b) < 6 || b[0] != 0x16 || b[1] != 0x03 {
 		return acc_proto_tcp, ""
-	}	
+	}
 	rest := b[5:]
 	restLen := len(rest)
 	if restLen == 0 {

From f6980261d456531f69fd8ab92437539d75dd344d Mon Sep 17 00:00:00 2001
From: lanrenwo <phpcleps@gmail.com>
Date: Sun, 3 Sep 2023 11:18:52 +0800
Subject: [PATCH 09/37] =?UTF-8?q?logAudit=E5=BC=95=E5=85=A5recover,=20?=
 =?UTF-8?q?=E9=98=B2=E6=AD=A2=E4=B8=BB=E7=A8=8B=E5=BA=8F=E5=B4=A9=E6=BA=83?=
 =?UTF-8?q?.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_access_audit.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index 89f3450..e703c1c 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"crypto/md5"
 	"encoding/binary"
+	"runtime/debug"
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
@@ -101,7 +102,12 @@ func logAuditBatch() {
 
 // 解析IP包的数据
 func logAudit(userName string, pl *sessdata.Payload) {
-	defer putPayload(pl)
+	defer func() {
+		putPayload(pl)
+		if err := recover(); err != nil {
+			base.Error("logAudit is panic: ", err, "\n", string(debug.Stack()), "\n", pl.Data)
+		}
+	}()
 
 	if !(pl.LType == sessdata.LTypeIPData && pl.PType == 0x00) {
 		return

From 7b9be9377f61f7bb5d174614c36c294a3b730c78 Mon Sep 17 00:00:00 2001
From: lanrenwo <phpcleps@gmail.com>
Date: Fri, 8 Sep 2023 20:33:30 +0800
Subject: [PATCH 10/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8DlogAudit=E7=9A=84panic?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_access_audit.go | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index e703c1c..99efa24 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -103,10 +103,10 @@ func logAuditBatch() {
 // 解析IP包的数据
 func logAudit(userName string, pl *sessdata.Payload) {
 	defer func() {
-		putPayload(pl)
 		if err := recover(); err != nil {
 			base.Error("logAudit is panic: ", err, "\n", string(debug.Stack()), "\n", pl.Data)
 		}
+		putPayload(pl)
 	}()
 
 	if !(pl.LType == sessdata.LTypeIPData && pl.PType == 0x00) {
@@ -125,19 +125,16 @@ func logAudit(userName string, pl *sessdata.Payload) {
 	default:
 		return
 	}
-
-	ipSrc := waterutil.IPv4Source(pl.Data)
-	ipDst := waterutil.IPv4Destination(pl.Data)
-
 	// ipPort := waterutil.IPv4DestinationPort(pl.Data)
-	// 修复 panic: runtime error: index out of range [2] with length 2
+	// 修复 panic: runtime error: index out of range [2] / range [3]
 	ipPl := waterutil.IPv4Payload(pl.Data)
-	if len(ipPl) < 3 {
-		base.Error("ipPl len < 3", pl.Data)
+	if len(ipPl) < 4 {
+		base.Error("ipPl len < 4", ipPl, pl.Data)
 		return
 	}
 	ipPort := (uint16(ipPl[2]) << 8) | uint16(ipPl[3])
-
+	ipSrc := waterutil.IPv4Source(pl.Data)
+	ipDst := waterutil.IPv4Destination(pl.Data)
 	b := getByte51()
 	key := *b
 	copy(key[:16], ipSrc)
@@ -193,7 +190,6 @@ func logAudit(userName string, pl *sessdata.Payload) {
 		AccessProto: accessProto,
 		Info:        info,
 	}
-
 	select {
 	case logBatch.LogChan <- audit:
 	default:

From 8e843d5eaed90c32323244651cc1d09bd5871238 Mon Sep 17 00:00:00 2001
From: lanrenwo <phpcleps@gmail.com>
Date: Fri, 8 Sep 2023 21:01:03 +0800
Subject: [PATCH 11/37] Update payload_access_audit.go

---
 server/handler/payload_access_audit.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index 99efa24..a3cc0c2 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -125,8 +125,7 @@ func logAudit(userName string, pl *sessdata.Payload) {
 	default:
 		return
 	}
-	// ipPort := waterutil.IPv4DestinationPort(pl.Data)
-	// 修复 panic: runtime error: index out of range [2] / range [3]
+	// IP报文只包含头部信息时, 则打印LOG，并退出
 	ipPl := waterutil.IPv4Payload(pl.Data)
 	if len(ipPl) < 4 {
 		base.Error("ipPl len < 4", ipPl, pl.Data)

From bbc5877eb9dd72e71d48a06f553d7b0bbf78caf5 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 22 Sep 2023 16:18:38 +0800
Subject: [PATCH 12/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dheader?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/conf/profile.xml           | 11 ++++++++++-
 server/pkg/utils/secure_header.go |  8 ++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/server/conf/profile.xml b/server/conf/profile.xml
index 0df0912..81645b8 100644
--- a/server/conf/profile.xml
+++ b/server/conf/profile.xml
@@ -8,6 +8,7 @@
         <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
         <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
         <BypassDownloader>true</BypassDownloader>
+        <AutoUpdate UserControllable="false">false</AutoUpdate>
         <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
         <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
         <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
@@ -21,14 +22,22 @@
         </CertificateMatch>
 
         <BackupServerList>
-            <HostAddress>localhost</HostAddress>
+            <HostAddress>localhost-bak</HostAddress>
         </BackupServerList>
     </ClientInitialization>
 
     <ServerList>
+
         <HostEntry>
             <HostName>VPN Server</HostName>
             <HostAddress>localhost</HostAddress>
         </HostEntry>
+
+        <HostEntry>
+            <HostName>VPN Server2</HostName>
+            <HostAddress>localhost2</HostAddress>
+        </HostEntry>
+
+
     </ServerList>
 </AnyConnectProfile>
\ No newline at end of file
diff --git a/server/pkg/utils/secure_header.go b/server/pkg/utils/secure_header.go
index f323693..f31dbe1 100644
--- a/server/pkg/utils/secure_header.go
+++ b/server/pkg/utils/secure_header.go
@@ -13,17 +13,17 @@ func SetSecureHeader(w http.ResponseWriter) {
 	w.Header().Set("Cache-Control", "no-store,no-cache")
 	w.Header().Set("Pragma", "no-cache")
 	w.Header().Set("Connection", "keep-alive")
-	w.Header().Set("X-Frame-Options", "deny")
+	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Download-Options", "noopen")
-	w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'")
+	w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content")
 	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
 	w.Header().Set("Referrer-Policy", "no-referrer")
 	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
-	w.Header().Set("X-XSS-Protection", "0")
-	w.Header().Set("Strict-Transport-Security", "max-age=31536000")
+	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 
 	// w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
 }

From 012f636cf7856c5874a840c1eee6c908253b4782 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 11 Oct 2023 10:19:23 +0800
Subject: [PATCH 13/37] =?UTF-8?q?=E4=BF=AE=E6=94=B9=20profile.xml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/conf/profile.xml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/server/conf/profile.xml b/server/conf/profile.xml
index 81645b8..914f53d 100644
--- a/server/conf/profile.xml
+++ b/server/conf/profile.xml
@@ -21,23 +21,19 @@
             </ExtendedKeyUsage>
         </CertificateMatch>
 
-        <BackupServerList>
-            <HostAddress>localhost-bak</HostAddress>
-        </BackupServerList>
     </ClientInitialization>
 
     <ServerList>
 
         <HostEntry>
-            <HostName>VPN Server</HostName>
+            <HostName>VPN</HostName>
             <HostAddress>localhost</HostAddress>
         </HostEntry>
 
         <HostEntry>
-            <HostName>VPN Server2</HostName>
+            <HostName>VPN2</HostName>
             <HostAddress>localhost2</HostAddress>
         </HostEntry>
 
-
     </ServerList>
 </AnyConnectProfile>
\ No newline at end of file

From ebc7cc85c0969d71598bb9d87af35b2b2895ad81 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 11 Oct 2023 16:00:53 +0800
Subject: [PATCH 14/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0nginx=20stream=E7=A4=BA?=
 =?UTF-8?q?=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 doc/question.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/doc/question.md b/doc/question.md
index 190da8a..82334c2 100644
--- a/doc/question.md
+++ b/doc/question.md
@@ -46,6 +46,34 @@ stream {
 }
 ```
 
+> nginx实现 共用443端口 示例
+
+```conf
+stream {
+    map $ssl_preread_server_name $name {
+        vpn.xx.com        myvpn;
+        default     defaultpage;
+    }
+    
+    # upstream pool
+    upstream myvpn {
+        server 127.0.0.1:8443;
+    }
+    upstream defaultpage {
+        server 127.0.0.1:8080;
+    }
+    
+    server {
+        listen 443 so_keepalive=on;
+        ssl_preread on;
+        #接收端也需要设置 proxy_protocol
+        #proxy_protocol on;
+        proxy_pass $name;
+    }
+}
+
+```
+
 ### 性能问题
 ```
 内网环境测试数据

From 06c8ee11972a57de4ca48bb5e685968215d8f784 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 11 Oct 2023 17:20:57 +0800
Subject: [PATCH 15/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E8=87=AA=E5=AE=9A?=
 =?UTF-8?q?=E4=B9=89=E9=A6=96=E9=A1=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 home/自定义首页1.html | 101 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 home/自定义首页1.html

diff --git a/home/自定义首页1.html b/home/自定义首页1.html
new file mode 100644
index 0000000..9c8f8f9
--- /dev/null
+++ b/home/自定义首页1.html
@@ -0,0 +1,101 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>AnyLink - 企业级远程办公 SSL VPN</title>
+  <style>
+    /* CSS样式表 */
+    body {
+      font-family: Arial, sans-serif;
+      margin: 0;
+      padding: 0;
+    }
+    
+    header {
+      background-color: #333;
+      color: #fff;
+      padding: 20px;
+      text-align: center;
+    }
+    
+    h1 {
+      margin: 0;
+      font-size: 32px;
+    }
+    
+    main {
+      max-width: 960px;
+      margin: 20px auto;
+      padding: 0 20px;
+	  margin-bottom: 100px;
+    }
+    
+    p {
+      line-height: 1.5;
+    }
+    
+	/* 设置页脚固定在底部，并且占满横向宽度 */
+	footer {
+		position: fixed;
+		bottom: 0;
+		left: 0;
+		width: 100%;
+	}
+	
+    footer {
+      background-color: #f2f2f2;
+      padding: 20px;
+      text-align: center;
+    }
+	
+    
+    .cta-button {
+      display: inline-block;
+      background-color: #007bff;
+      color: #fff;
+      padding: 10px 20px;
+      text-decoration: none;
+      border-radius: 4px;
+      font-weight: bold;
+      margin-right: 10px;
+    }
+  </style>
+</head>
+<body>
+  <header>
+    <h1>欢迎使用 AnyLink</h1>
+  </header>
+
+  <main>
+    <h2>什么是 AnyLink？</h2>
+    <p>AnyLink 是一款面向企业级的远程办公 SSL VPN 软件，支持多人同时在线使用。它提供安全、便捷的访问内部网络资源的方式，使远程工作者能够有效协作。</p>
+
+    <h2>核心功能</h2>
+    <ul>
+      <li>安全远程访问：AnyLink 使用 SSL/TLS 加密技术，确保远程用户与企业网络之间的连接安全可靠。</li>
+      <li>多用户支持：多个用户可以同时连接 VPN，实现不同地点团队的无缝协作。</li>
+      <li>灵活网络访问：AnyLink 能够安全地让远程工作者访问内部资源，如文件、应用程序和数据库。</li>
+      <li>集中化管理：该 VPN 解决方案提供集中化管理控制台，便于用户管理、访问控制和监控。</li>
+    </ul>
+
+    <h2>开始使用 AnyLink</h2>
+    <p>体验 AnyLink 为您的企业远程办公需求所带来的便利和安全。</p>
+
+    <h2>下载客户端</h2>
+    <a href="/files/client/anyconnect-win-4.10.05111.msi" class="cta-button">Windows 客户端</a>
+    <a href="/files/client/anyconnect-macos-4.10.05111.dmg" class="cta-button">Mac 客户端</a>
+
+    <a href="https://apps.apple.com/cn/app/cisco-secure-client/id1135064690" class="cta-button">iOS 客户端</a>
+    <a href="/files/client/CiscoSecureClientAnyConnect_v5.0.00247.apk" class="cta-button">Android 客户端</a>
+
+    <a href="/files/client/freeotp.apk" class="cta-button">Android FreeOTP客户端</a>
+    <a href="https://apps.apple.com/cn/app/freeotp-authenticator/id872559395" class="cta-button">iOS FreeOTP客户端</a>
+    <h2>使用手册</h2>
+    <a href="/files/client/anylink_doc.pdf" class="cta-button">使用手册(Windows)</a>
+  </main>
+
+  <footer>
+    &copy; 2023 AnyLink. 保留所有权利。
+  </footer>
+</body>
+</html>

From 6eea265b15f3a6bb0014275130194ae3c575aa3d Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 11 Oct 2023 17:21:26 +0800
Subject: [PATCH 16/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E8=87=AA=E5=AE=9A?=
 =?UTF-8?q?=E4=B9=89=E9=A6=96=E9=A1=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 home/自定义首页1.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/home/自定义首页1.html b/home/自定义首页1.html
index 9c8f8f9..171febc 100644
--- a/home/自定义首页1.html
+++ b/home/自定义首页1.html
@@ -82,16 +82,16 @@
     <p>体验 AnyLink 为您的企业远程办公需求所带来的便利和安全。</p>
 
     <h2>下载客户端</h2>
-    <a href="/files/client/anyconnect-win-4.10.05111.msi" class="cta-button">Windows 客户端</a>
-    <a href="/files/client/anyconnect-macos-4.10.05111.dmg" class="cta-button">Mac 客户端</a>
+    <a href="/files/anyconnect-win-4.10.05111.msi" class="cta-button">Windows 客户端</a>
+    <a href="/files/anyconnect-macos-4.10.05111.dmg" class="cta-button">Mac 客户端</a>
 
     <a href="https://apps.apple.com/cn/app/cisco-secure-client/id1135064690" class="cta-button">iOS 客户端</a>
-    <a href="/files/client/CiscoSecureClientAnyConnect_v5.0.00247.apk" class="cta-button">Android 客户端</a>
+    <a href="/files/CiscoSecureClientAnyConnect_v5.0.00247.apk" class="cta-button">Android 客户端</a>
 
-    <a href="/files/client/freeotp.apk" class="cta-button">Android FreeOTP客户端</a>
+    <a href="/files/freeotp.apk" class="cta-button">Android FreeOTP客户端</a>
     <a href="https://apps.apple.com/cn/app/freeotp-authenticator/id872559395" class="cta-button">iOS FreeOTP客户端</a>
     <h2>使用手册</h2>
-    <a href="/files/client/anylink_doc.pdf" class="cta-button">使用手册(Windows)</a>
+    <a href="/files/anylink_doc.pdf" class="cta-button">使用手册(Windows)</a>
   </main>
 
   <footer>

From 43ca09e985cef93f37146e25b61d1d5d9f4b6ec4 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 17 Oct 2023 16:01:31 +0800
Subject: [PATCH 17/37] =?UTF-8?q?=E4=BF=AE=E6=94=B9dtls=E5=8A=A0=E5=AF=86?=
 =?UTF-8?q?=E5=A5=97=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/dtls.go        | 57 ++++++++++++++++++++++++++++++-----
 server/handler/link_tunnel.go |  6 +++-
 2 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/server/handler/dtls.go b/server/handler/dtls.go
index 56e54a9..541e9fc 100644
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -2,6 +2,8 @@ package handler
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
 	"encoding/hex"
 	"errors"
@@ -15,31 +17,55 @@ import (
 	"github.com/pion/logging"
 )
 
+const (
+	dtlsSigneRsa   = 1
+	dtlsSigneEcdsa = 2
+)
+
+var dtlsSigneType = dtlsSigneRsa
+
 func startDtls() {
 	if !base.Cfg.ServerDTLS {
 		return
 	}
 
-	certificate, err := selfsign.GenerateSelfSigned()
+	var (
+		err         error
+		certificate tls.Certificate
+	)
+
+	//rsa 兼容 open connect
+	if dtlsSigneType == dtlsSigneRsa {
+		priv, _ := rsa.GenerateKey(rand.Reader, 2048)
+		certificate, err = selfsign.SelfSign(priv)
+	}
+	//ecdsa
+	if dtlsSigneType == dtlsSigneEcdsa {
+		certificate, err = selfsign.GenerateSelfSigned()
+	}
 	if err != nil {
 		panic(err)
 	}
+
 	logf := logging.NewDefaultLoggerFactory()
 	logf.Writer = base.GetBaseLw()
-	// logf.DefaultLogLevel = logging.LogLevelTrace
+	//logf.DefaultLogLevel = logging.LogLevelTrace
 	logf.DefaultLogLevel = logging.LogLevelInfo
 
 	// https://github.com/pion/dtls/pull/369
 	sessStore := &sessionStore{}
 
 	config := &dtls.Config{
-		Certificates:         []tls.Certificate{certificate},
-		InsecureSkipVerify:   true,
+		Certificates: []tls.Certificate{certificate},
+		//InsecureSkipVerify:   true,
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
-		CipherSuites:         []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
-		LoggerFactory:        logf,
-		MTU:                  BufferSize,
-		SessionStore:         sessStore,
+		CipherSuites: []dtls.CipherSuiteID{
+			dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		},
+		LoggerFactory: logf,
+		MTU:           BufferSize,
+		SessionStore:  sessStore,
 		ConnectContextMaker: func() (context.Context, func()) {
 			return context.WithTimeout(context.Background(), 5*time.Second)
 		},
@@ -98,3 +124,18 @@ func (ms *sessionStore) Get(key []byte) (dtls.Session, error) {
 func (ms *sessionStore) Del(key []byte) error {
 	return nil
 }
+
+func checkDtls12Ciphersuite(ciphersuite string) string {
+	if dtlsSigneType == dtlsSigneEcdsa {
+		return "ECDHE-ECDSA-AES256-GCM-SHA384"
+	}
+
+	return "ECDHE-RSA-AES256-GCM-SHA384"
+
+	//var str2ciphersuite = map[string]dtls.CipherSuiteID{
+	//	"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	//	"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	//	"ECDHE-RSA-AES256-GCM-SHA384":   dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	//	"ECDHE-RSA-AES128-GCM-SHA256":   dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	//}
+}
diff --git a/server/handler/link_tunnel.go b/server/handler/link_tunnel.go
index 4550854..185d352 100644
--- a/server/handler/link_tunnel.go
+++ b/server/handler/link_tunnel.go
@@ -92,6 +92,10 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 
 	base.Debug(cSess.IpAddr, cSess.MacHw, sess.Username, mobile)
 
+	//检测密码套件
+	dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite"))
+	base.Debug("dtlsCiphersuite", dtlsCiphersuite)
+
 	// 压缩
 	if cmpName, ok := cSess.SetPickCmp("cstp", r.Header.Get("X-Cstp-Accept-Encoding")); ok {
 		HttpSetHeader(w, "X-CSTP-Content-Encoding", cmpName)
@@ -164,7 +168,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-DTLS-Port", dtlsPort)
 	HttpSetHeader(w, "X-DTLS-DPD", fmt.Sprintf("%d", cstpDpd))
 	HttpSetHeader(w, "X-DTLS-Keepalive", fmt.Sprintf("%d", cstpKeepalive))
-	HttpSetHeader(w, "X-DTLS12-CipherSuite", "ECDHE-ECDSA-AES128-GCM-SHA256")
+	HttpSetHeader(w, "X-DTLS12-CipherSuite", dtlsCiphersuite)
 
 	HttpSetHeader(w, "X-CSTP-License", "accept")
 	HttpSetHeader(w, "X-CSTP-Routing-Filtering-Ignore", "false")

From a9ad21b3b583627cf9b4caa61c73a0320dbdc625 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 17 Oct 2023 16:30:45 +0800
Subject: [PATCH 18/37] =?UTF-8?q?=E4=BF=AE=E6=94=B9dtls=E5=8A=A0=E5=AF=86?=
 =?UTF-8?q?=E5=A5=97=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/dtls.go        | 13 ++++++-------
 server/handler/link_tunnel.go |  4 ++--
 server/handler/server.go      |  1 -
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/server/handler/dtls.go b/server/handler/dtls.go
index 541e9fc..41fcbe7 100644
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -34,12 +34,12 @@ func startDtls() {
 		certificate tls.Certificate
 	)
 
-	//rsa 兼容 open connect
+	// rsa 兼容 open connect
 	if dtlsSigneType == dtlsSigneRsa {
 		priv, _ := rsa.GenerateKey(rand.Reader, 2048)
 		certificate, err = selfsign.SelfSign(priv)
 	}
-	//ecdsa
+	// ecdsa
 	if dtlsSigneType == dtlsSigneEcdsa {
 		certificate, err = selfsign.GenerateSelfSigned()
 	}
@@ -49,15 +49,14 @@ func startDtls() {
 
 	logf := logging.NewDefaultLoggerFactory()
 	logf.Writer = base.GetBaseLw()
-	//logf.DefaultLogLevel = logging.LogLevelTrace
+	// logf.DefaultLogLevel = logging.LogLevelTrace
 	logf.DefaultLogLevel = logging.LogLevelInfo
 
 	// https://github.com/pion/dtls/pull/369
 	sessStore := &sessionStore{}
 
 	config := &dtls.Config{
-		Certificates: []tls.Certificate{certificate},
-		//InsecureSkipVerify:   true,
+		Certificates:         []tls.Certificate{certificate},
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
 		CipherSuites: []dtls.CipherSuiteID{
 			dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@@ -132,10 +131,10 @@ func checkDtls12Ciphersuite(ciphersuite string) string {
 
 	return "ECDHE-RSA-AES256-GCM-SHA384"
 
-	//var str2ciphersuite = map[string]dtls.CipherSuiteID{
+	// var str2ciphersuite = map[string]dtls.CipherSuiteID{
 	//	"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	//	"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	//	"ECDHE-RSA-AES256-GCM-SHA384":   dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	//	"ECDHE-RSA-AES128-GCM-SHA256":   dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	//}
+	// }
 }
diff --git a/server/handler/link_tunnel.go b/server/handler/link_tunnel.go
index 185d352..61cf1a1 100644
--- a/server/handler/link_tunnel.go
+++ b/server/handler/link_tunnel.go
@@ -92,9 +92,9 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 
 	base.Debug(cSess.IpAddr, cSess.MacHw, sess.Username, mobile)
 
-	//检测密码套件
+	// 检测密码套件
 	dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite"))
-	base.Debug("dtlsCiphersuite", dtlsCiphersuite)
+	base.Trace("dtlsCiphersuite", dtlsCiphersuite)
 
 	// 压缩
 	if cmpName, ok := cSess.SetPickCmp("cstp", r.Header.Get("X-Cstp-Accept-Encoding")); ok {
diff --git a/server/handler/server.go b/server/handler/server.go
index 06d72d5..e8938e4 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -54,7 +54,6 @@ func startTls() {
 			base.Trace("GetCertificate", chi.ServerName)
 			return dbdata.GetCertificateBySNI(chi.ServerName)
 		},
-		// InsecureSkipVerify: true,
 	}
 	srv := &http.Server{
 		Addr:         addr,

From 6788a875a24eef5d89f7d0a1937f786f2c604713 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 24 Oct 2023 17:49:13 +0800
Subject: [PATCH 19/37] =?UTF-8?q?=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                   |  2 +-
 build.sh                    |  1 +
 docker/Dockerfile           |  1 +
 server/handler/link_tun.go  | 18 ++++++++++++++----
 web/src/pages/set/Other.vue |  5 ++++-
 5 files changed, 21 insertions(+), 6 deletions(-)
 mode change 100755 => 100644 build.sh

diff --git a/README.md b/README.md
index e5fb56a..0f48b70 100644
--- a/README.md
+++ b/README.md
@@ -284,7 +284,7 @@ ipv4_end = "10.1.2.200"
        -c=/etc/server.toml --ip_lease=1209600 # IP地址租约时长
    ```
 
-7. 构建镜像
+7. 构建镜像 (非必需)
 
    ```bash
    #获取仓库源码
diff --git a/build.sh b/build.sh
old mode 100755
new mode 100644
index 8abf20e..c959803
--- a/build.sh
+++ b/build.sh
@@ -52,6 +52,7 @@ cp -r server/conf $deploy
 
 cp -r systemd $deploy
 cp -r LICENSE $deploy
+cp -r home $deploy
 
 tar zcvf ${deploy}.tar.gz $deploy
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
index b1a5cea..9abbcac 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -34,6 +34,7 @@ COPY docker/docker_entrypoint.sh  /app/
 #COPY ./server/bridge-init.sh /app/
 COPY ./server/conf  /app/conf
 COPY ./LICENSE  /app/LICENSE
+COPY ./home  /app/home
 
 
 #TODO 本地打包时使用镜像
diff --git a/server/handler/link_tun.go b/server/handler/link_tun.go
index 0ba7c76..cbe4415 100644
--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -22,22 +22,32 @@ func checkTun() {
 	defer ifce.Close()
 
 	// 测试ip命令
-	cmdstr := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
-	err = execCmd([]string{cmdstr})
+	cmdstr0 := fmt.Sprintln("modprobe -i tun")
+	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
+	err = execCmd([]string{cmdstr0, cmdstr1})
 	if err != nil {
 		base.Fatal("testTun err: ", err)
 	}
 	//开启服务器转发
 	if err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"}); err != nil {
-		base.Error(err)
+		base.Fatal(err)
 	}
 	if base.Cfg.IptablesNat {
 		//添加NAT转发规则
 		ipt, err := iptables.New()
 		if err != nil {
-			base.Error(err)
+			base.Fatal(err)
 			return
 		}
+
+		//修复 rockyos nat 不生效
+		cmdstr0 := fmt.Sprintln("modprobe -i iptable_filter")
+		cmdstr1 := fmt.Sprintf("modprobe -i iptable_nat")
+		err = execCmd([]string{cmdstr0, cmdstr1})
+		if err != nil {
+			base.Fatal("testTun err: ", err)
+		}
+
 		natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-j", "MASQUERADE"}
 		forwardRule := []string{"-j", "ACCEPT"}
 		if natExists, _ := ipt.Exists("nat", "POSTROUTING", natRule...); !natExists {
diff --git a/web/src/pages/set/Other.vue b/web/src/pages/set/Other.vue
index d7375bf..84b0b5c 100644
--- a/web/src/pages/set/Other.vue
+++ b/web/src/pages/set/Other.vue
@@ -248,11 +248,14 @@
           <el-form-item label="自定义首页" prop="homeindex">
             <el-input
               type="textarea"
-              :rows="5"
+              :rows="10"
               placeholder="请输入内容"
               v-model="dataOther.homeindex"
             >
             </el-input>
+            <el-tooltip content="自定义内容可以参考 home 目录下的文件" placement="top">
+              <i class="el-icon-question"></i>
+            </el-tooltip>
           </el-form-item>
 
           <el-form-item label="账户开通邮件" prop="account_mail">

From 57990d3d2a28c4b3d00e6cc6e044a4bc6aa3cd49 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 30 Oct 2023 11:38:31 +0800
Subject: [PATCH 20/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E7=BD=91=E5=8D=A1=20al?=
 =?UTF-8?q?ias?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_tun.go    | 9 +++++----
 server/handler/link_tunnel.go | 6 +++++-
 server/handler/link_vtap.go   | 3 ++-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/server/handler/link_tun.go b/server/handler/link_tun.go
index cbe4415..7c2d212 100644
--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -28,19 +28,19 @@ func checkTun() {
 	if err != nil {
 		base.Fatal("testTun err: ", err)
 	}
-	//开启服务器转发
+	// 开启服务器转发
 	if err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"}); err != nil {
 		base.Fatal(err)
 	}
 	if base.Cfg.IptablesNat {
-		//添加NAT转发规则
+		// 添加NAT转发规则
 		ipt, err := iptables.New()
 		if err != nil {
 			base.Fatal(err)
 			return
 		}
 
-		//修复 rockyos nat 不生效
+		// 修复 rockyos nat 不生效
 		cmdstr0 := fmt.Sprintln("modprobe -i iptable_filter")
 		cmdstr1 := fmt.Sprintf("modprobe -i iptable_nat")
 		err = execCmd([]string{cmdstr0, cmdstr1})
@@ -75,7 +75,8 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 	// log.Printf("Interface Name: %s\n", ifce.Name())
 	cSess.SetIfName(ifce.Name())
 
-	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off", ifce.Name(), cSess.Mtu)
+	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off alias %s.%s", ifce.Name(), cSess.Mtu,
+		cSess.Group.Name, cSess.Username)
 	cmdstr2 := fmt.Sprintf("ip addr add dev %s local %s peer %s/32",
 		ifce.Name(), base.Cfg.Ipv4Gateway, cSess.IpAddr)
 	err = execCmd([]string{cmdstr1, cmdstr2})
diff --git a/server/handler/link_tunnel.go b/server/handler/link_tunnel.go
index 61cf1a1..3fd5b8b 100644
--- a/server/handler/link_tunnel.go
+++ b/server/handler/link_tunnel.go
@@ -238,7 +238,11 @@ func SetPostAuthXml(g *dbdata.Group, w http.ResponseWriter) error {
 	if err != nil {
 		return err
 	}
-	HttpSetHeader(w, "X-CSTP-Post-Auth-XML", result.String())
+	xmlAuth := ""
+	for _, v := range strings.Split(result.String(), "\n") {
+		xmlAuth += strings.TrimSpace(v)
+	}
+	HttpSetHeader(w, "X-CSTP-Post-Auth-XML", xmlAuth)
 	return nil
 }
 
diff --git a/server/handler/link_vtap.go b/server/handler/link_vtap.go
index 399f9da..9536fca 100644
--- a/server/handler/link_vtap.go
+++ b/server/handler/link_vtap.go
@@ -54,7 +54,8 @@ func LinkMacvtap(cSess *sessdata.ConnSession) error {
 	cSess.SetIfName(ifName)
 
 	cmdstr1 := fmt.Sprintf("ip link add link %s name %s type macvtap mode bridge", base.Cfg.Ipv4Master, ifName)
-	cmdstr2 := fmt.Sprintf("ip link set dev %s up mtu %d address %s", ifName, cSess.Mtu, cSess.MacHw)
+	cmdstr2 := fmt.Sprintf("ip link set dev %s up mtu %d address %s alias %s.%s", ifName, cSess.Mtu, cSess.MacHw,
+		cSess.Group.Name, cSess.Username)
 	err := execCmd([]string{cmdstr1, cmdstr2})
 	if err != nil {
 		base.Error(err)

From 38d268e999dbe823168b1bbdf677f5b27773567e Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 30 Oct 2023 11:46:53 +0800
Subject: [PATCH 21/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E7=BD=91=E5=8D=A1=20al?=
 =?UTF-8?q?ias=20=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_tun.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/handler/link_tun.go b/server/handler/link_tun.go
index 7c2d212..e7a036d 100644
--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -75,6 +75,7 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 	// log.Printf("Interface Name: %s\n", ifce.Name())
 	cSess.SetIfName(ifce.Name())
 
+	// 通过 ip link show  查看 alias 信息
 	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off alias %s.%s", ifce.Name(), cSess.Mtu,
 		cSess.Group.Name, cSess.Username)
 	cmdstr2 := fmt.Sprintf("ip addr add dev %s local %s peer %s/32",

From 9019a5f03a679ba2baaddcdb3df6faad1339156e Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 30 Oct 2023 13:04:07 +0800
Subject: [PATCH 22/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E7=BD=91=E5=8D=A1=20al?=
 =?UTF-8?q?ias=20=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_tun.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/handler/link_tun.go b/server/handler/link_tun.go
index e7a036d..d01b5f5 100644
--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -76,6 +76,7 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 	cSess.SetIfName(ifce.Name())
 
 	// 通过 ip link show  查看 alias 信息
+
 	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off alias %s.%s", ifce.Name(), cSess.Mtu,
 		cSess.Group.Name, cSess.Username)
 	cmdstr2 := fmt.Sprintf("ip addr add dev %s local %s peer %s/32",

From bfc39fe4eaada19fa826995c8da2c8c66dd033ac Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 2 Nov 2023 15:54:59 +0800
Subject: [PATCH 23/37] =?UTF-8?q?=E9=BB=98=E8=AE=A4=E6=98=BE=E7=A4=BA?=
 =?UTF-8?q?=E9=94=99=E8=AF=AF=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/conf/server.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/conf/server.toml b/server/conf/server.toml
index 7969253..40f2213 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -41,6 +41,6 @@ iptables_nat = true
 
 
 #客户端显示详细错误信息(线上环境慎开启)
-display_error = false
+display_error = true
 
 

From 5b1d86282ac8f61f654bf4c33dc3ac452960739e Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 6 Nov 2023 16:51:32 +0800
Subject: [PATCH 24/37] fix

---
 systemd/anylink.service | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/systemd/anylink.service b/systemd/anylink.service
index 72c3297..c2023a2 100644
--- a/systemd/anylink.service
+++ b/systemd/anylink.service
@@ -11,12 +11,14 @@ Restart=on-failure
 RestartSec=5s
 ExecStart=/usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml
 
+# systemctl --version
+
 # systemd older than v236
 # ExecStart=/bin/bash -c 'exec /usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml >> /usr/local/anylink-deploy/log/anylink.log 2>&1'
 
-
-StandardOutput=file:/usr/local/anylink-deploy/log/anylink.log
-StandardError=file:/usr/local/anylink-deploy/log/anylink.log
+# systemd new than v236
+# StandardOutput=file:/usr/local/anylink-deploy/log/anylink.log
+# StandardError=file:/usr/local/anylink-deploy/log/anylink.log
 
 [Install]
 WantedBy=multi-user.target

From 9e1969e3d07177325937178a0dd9653a0ff3f15a Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 8 Nov 2023 18:07:32 +0800
Subject: [PATCH 25/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20DTLS12-CipherSuite?=
 =?UTF-8?q?=20=E7=AD=9B=E9=80=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/dtls.go | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/server/handler/dtls.go b/server/handler/dtls.go
index 41fcbe7..960ab37 100644
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -8,6 +8,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"net"
+	"strings"
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
@@ -60,7 +61,9 @@ func startDtls() {
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
 		CipherSuites: []dtls.CipherSuiteID{
 			dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 		},
 		LoggerFactory: logf,
 		MTU:           BufferSize,
@@ -124,17 +127,35 @@ func (ms *sessionStore) Del(key []byte) error {
 	return nil
 }
 
+// 客户端和服务端映射 X-DTLS12-CipherSuite
+var dtlsECDSA = map[string]dtls.CipherSuiteID{
+	"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+}
+
+var dtlsRSA = map[string]dtls.CipherSuiteID{
+	"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+}
+
 func checkDtls12Ciphersuite(ciphersuite string) string {
+	csArr := strings.Split(ciphersuite, ",")
+
 	if dtlsSigneType == dtlsSigneEcdsa {
+		for _, v := range csArr {
+			if _, ok := dtlsECDSA[v]; ok {
+				return v
+			}
+		}
+		// 返回默认值
 		return "ECDHE-ECDSA-AES256-GCM-SHA384"
 	}
 
+	for _, v := range csArr {
+		if _, ok := dtlsRSA[v]; ok {
+			return v
+		}
+	}
+	// 返回默认值
 	return "ECDHE-RSA-AES256-GCM-SHA384"
-
-	// var str2ciphersuite = map[string]dtls.CipherSuiteID{
-	//	"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	//	"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	//	"ECDHE-RSA-AES256-GCM-SHA384":   dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	//	"ECDHE-RSA-AES128-GCM-SHA256":   dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	// }
 }

From aa2b89855ff4f4780911afd3e79f9b12189ed888 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 9 Nov 2023 10:52:10 +0800
Subject: [PATCH 26/37] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20DTLS12-CipherSuite?=
 =?UTF-8?q?=20=E7=AD=9B=E9=80=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/dtls.go | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/server/handler/dtls.go b/server/handler/dtls.go
index 960ab37..12667dc 100644
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -59,12 +59,15 @@ func startDtls() {
 	config := &dtls.Config{
 		Certificates:         []tls.Certificate{certificate},
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
-		CipherSuites: []dtls.CipherSuiteID{
-			dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		},
+		CipherSuites: func() []dtls.CipherSuiteID {
+			var cs = []dtls.CipherSuiteID{}
+			for _, v := range dtlsCipherSuites {
+				for _, vv := range v {
+					cs = append(cs, vv)
+				}
+			}
+			return cs
+		}(),
 		LoggerFactory: logf,
 		MTU:           BufferSize,
 		SessionStore:  sessStore,
@@ -128,22 +131,23 @@ func (ms *sessionStore) Del(key []byte) error {
 }
 
 // 客户端和服务端映射 X-DTLS12-CipherSuite
-var dtlsECDSA = map[string]dtls.CipherSuiteID{
-	"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-}
-
-var dtlsRSA = map[string]dtls.CipherSuiteID{
-	"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+var dtlsCipherSuites = map[string]map[string]dtls.CipherSuiteID{
+	"ECDSA": {
+		"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	},
+	"RSA": {
+		"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	},
 }
 
 func checkDtls12Ciphersuite(ciphersuite string) string {
 	csArr := strings.Split(ciphersuite, ",")
-
+	// ECDSA
 	if dtlsSigneType == dtlsSigneEcdsa {
 		for _, v := range csArr {
-			if _, ok := dtlsECDSA[v]; ok {
+			if _, ok := dtlsCipherSuites["ECDSA"][v]; ok {
 				return v
 			}
 		}
@@ -152,7 +156,7 @@ func checkDtls12Ciphersuite(ciphersuite string) string {
 	}
 
 	for _, v := range csArr {
-		if _, ok := dtlsRSA[v]; ok {
+		if _, ok := dtlsCipherSuites["RSA"][v]; ok {
 			return v
 		}
 	}

From 3879c3a4bccfaea5685a2d0a6a39f6324776e34b Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 15 Nov 2023 11:57:12 +0800
Subject: [PATCH 27/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8DBanner=E7=89=B9?=
 =?UTF-8?q?=E6=AE=8A=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/dtls.go      | 58 ++++++++-----------------------------
 server/handler/link_auth.go |  2 ++
 2 files changed, 14 insertions(+), 46 deletions(-)

diff --git a/server/handler/dtls.go b/server/handler/dtls.go
index 12667dc..f9f27a2 100644
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -18,32 +18,14 @@ import (
 	"github.com/pion/logging"
 )
 
-const (
-	dtlsSigneRsa   = 1
-	dtlsSigneEcdsa = 2
-)
-
-var dtlsSigneType = dtlsSigneRsa
-
 func startDtls() {
 	if !base.Cfg.ServerDTLS {
 		return
 	}
 
-	var (
-		err         error
-		certificate tls.Certificate
-	)
-
 	// rsa 兼容 open connect
-	if dtlsSigneType == dtlsSigneRsa {
-		priv, _ := rsa.GenerateKey(rand.Reader, 2048)
-		certificate, err = selfsign.SelfSign(priv)
-	}
-	// ecdsa
-	if dtlsSigneType == dtlsSigneEcdsa {
-		certificate, err = selfsign.GenerateSelfSigned()
-	}
+	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
+	certificate, err := selfsign.SelfSign(priv)
 	if err != nil {
 		panic(err)
 	}
@@ -61,10 +43,8 @@ func startDtls() {
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
 		CipherSuites: func() []dtls.CipherSuiteID {
 			var cs = []dtls.CipherSuiteID{}
-			for _, v := range dtlsCipherSuites {
-				for _, vv := range v {
-					cs = append(cs, vv)
-				}
+			for _, vv := range dtlsCipherSuites {
+				cs = append(cs, vv)
 			}
 			return cs
 		}(),
@@ -131,35 +111,21 @@ func (ms *sessionStore) Del(key []byte) error {
 }
 
 // 客户端和服务端映射 X-DTLS12-CipherSuite
-var dtlsCipherSuites = map[string]map[string]dtls.CipherSuiteID{
-	"ECDSA": {
-		"ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		"ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	},
-	"RSA": {
-		"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	},
+var dtlsCipherSuites = map[string]dtls.CipherSuiteID{
+	// "ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	// "ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 }
 
 func checkDtls12Ciphersuite(ciphersuite string) string {
-	csArr := strings.Split(ciphersuite, ",")
-	// ECDSA
-	if dtlsSigneType == dtlsSigneEcdsa {
-		for _, v := range csArr {
-			if _, ok := dtlsCipherSuites["ECDSA"][v]; ok {
-				return v
-			}
-		}
-		// 返回默认值
-		return "ECDHE-ECDSA-AES256-GCM-SHA384"
-	}
+	csArr := strings.Split(ciphersuite, ":")
 
 	for _, v := range csArr {
-		if _, ok := dtlsCipherSuites["RSA"][v]; ok {
+		if _, ok := dtlsCipherSuites[v]; ok {
 			return v
 		}
 	}
 	// 返回默认值
-	return "ECDHE-RSA-AES256-GCM-SHA384"
+	return "ECDHE-RSA-AES128-GCM-SHA256"
 }
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index ca43bdd..e9794ad 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -14,6 +14,7 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/sessdata"
+	"golang.org/x/net/html"
 )
 
 var profileHash = ""
@@ -157,6 +158,7 @@ func tplRequest(typ int, w io.Writer, data RequestData) {
 	if strings.Contains(data.Banner, "\n") {
 		// 替换xml文件的换行符
 		data.Banner = strings.ReplaceAll(data.Banner, "\n", "&#x0A;")
+		data.Banner = html.EscapeString(data.Banner)
 	}
 	t, _ := template.New("auth_complete").Parse(auth_complete)
 	_ = t.Execute(w, data)

From 2bd94aef2b24f966c6893577bba752d580c20667 Mon Sep 17 00:00:00 2001
From: lanrenwo <lanrenwo@users.noreply.github.com>
Date: Mon, 20 Nov 2023 12:24:44 +0800
Subject: [PATCH 28/37] =?UTF-8?q?=E4=BC=98=E5=8C=96=E5=A4=84=E7=90=86Banne?=
 =?UTF-8?q?r=E7=89=B9=E6=AE=8A=E5=AD=97=E7=AC=A6=E7=9A=84=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_auth.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index e9794ad..9e3dd6f 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"bytes"
 	"crypto/md5"
 	"encoding/xml"
 	"fmt"
@@ -14,7 +15,6 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/sessdata"
-	"golang.org/x/net/html"
 )
 
 var profileHash = ""
@@ -155,11 +155,12 @@ func tplRequest(typ int, w io.Writer, data RequestData) {
 		return
 	}
 
-	if strings.Contains(data.Banner, "\n") {
-		// 替换xml文件的换行符
-		data.Banner = strings.ReplaceAll(data.Banner, "\n", "&#x0A;")
-		data.Banner = html.EscapeString(data.Banner)
+	if data.Banner != "" {
+		buf := new(bytes.Buffer)
+		xml.EscapeText(buf, []byte(data.Banner))
+		data.Banner = buf.String()
 	}
+
 	t, _ := template.New("auth_complete").Parse(auth_complete)
 	_ = t.Execute(w, data)
 }

From ea92857524cc624eb526627d2eb931d84c4c72cf Mon Sep 17 00:00:00 2001
From: lanrenwo <lanrenwo@users.noreply.github.com>
Date: Sat, 2 Dec 2023 15:38:18 +0800
Subject: [PATCH 29/37] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E8=B7=AF=E7=94=B1?=
 =?UTF-8?q?=E8=AE=BE=E7=BD=AE=E7=9A=84=E7=BC=96=E8=BE=91=E6=A8=A1=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 web/src/pages/group/List.vue | 71 +++++++++++++++++++++++++++++++++---
 1 file changed, 65 insertions(+), 6 deletions(-)

diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 4f71eb7..562c936 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -281,11 +281,15 @@
             <el-tab-pane label="路由设置" name="route">
                 <el-form-item label="包含路由" prop="route_include">
                 <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.1.0/24</el-col>
-                    <el-col :span="4">
+                    <el-col :span="18">输入CIDR格式如: 192.168.1.0/24</el-col>
+                    <el-col :span="2">
                     <el-button size="mini" type="success" icon="el-icon-plus" circle
                                 @click.prevent="addDomain(ruleForm.route_include)"></el-button>
                     </el-col>
+                    <el-col :span="4">
+                      <el-button size="mini" type="info" icon="el-icon-edit" circle
+                                @click.prevent="openIpListDialog('route_include')"></el-button>
+                    </el-col>                    
                 </el-row>
                 <el-row v-for="(item,index) in ruleForm.route_include"
                         :key="index" style="margin-bottom: 5px" :gutter="10">
@@ -304,11 +308,15 @@
 
                 <el-form-item label="排除路由" prop="route_exclude">
                 <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.2.0/24</el-col>
-                    <el-col :span="4">
+                    <el-col :span="18">输入CIDR格式如: 192.168.2.0/24</el-col>
+                    <el-col :span="2">
                     <el-button size="mini" type="success" icon="el-icon-plus" circle
                                 @click.prevent="addDomain(ruleForm.route_exclude)"></el-button>
                     </el-col>
+                    <el-col :span="4">
+                      <el-button size="mini" type="info" icon="el-icon-edit" circle
+                                @click.prevent="openIpListDialog('route_exclude')"></el-button>
+                    </el-col>                    
                 </el-row>
                 <el-row v-for="(item,index) in ruleForm.route_exclude"
                         :key="index" style="margin-bottom: 5px" :gutter="10">
@@ -365,6 +373,7 @@
                 </el-form-item>                
                 <el-form-item label="排除域名" prop="ds_exclude_domains">
                     <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
+                    <div class="msg-info">注意：域名拆分隧道，仅支持AnyConnect的桌面客户端，不支持移动端.</div>
                 </el-form-item>
             </el-tab-pane>
             <el-form-item>
@@ -398,6 +407,25 @@
             </el-form-item>
         </el-form>
     </el-dialog> 
+    <!--编辑模式弹窗-->
+    <el-dialog
+    :close-on-click-modal="false"
+    title="编辑模式"
+    :visible.sync="ipListDialog"
+    width="600px"
+    custom-class="valgin-dialog"
+    center>
+      <el-form ref="ipEditForm" label-width="80px">
+          <el-form-item label="路由表" prop="ip_list">
+              <el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list" placeholder="输入CIDR格式和备注，以逗号分隔，如: 192.168.1.0/24,test"></el-input>
+              <div class="msg-info">AnyConnect最多支持{{ this.maxRouteRows }}条路由，当前共 {{ ipEditForm.ip_list.split("\n").length }} 条</div>
+          </el-form-item>
+          <el-form-item>
+              <el-button type="primary" @click="ipEdit()" :loading="ipEditLoading">更新</el-button>
+              <el-button @click="ipListDialog = false">取 消</el-button>
+          </el-form-item>
+      </el-form>
+    </el-dialog>
   </div>
 </template>
 
@@ -424,6 +452,7 @@ export default {
       activeTab : "general",
       readMore: {},
       readMinRows : 5,
+      maxRouteRows : 2500,
       defAuth : {
                 type:'local', 
                 radius:{addr:"", secret:""},
@@ -450,11 +479,17 @@ export default {
         auth : {},
       },
       authLoginDialog : false,
-      authLoginLoading : false,
+      ipListDialog : false,
+      authLoginLoading : false,      
       authLoginForm : {
         name : "",
         pwd : "",
-      },   
+      },
+      ipEditForm: {
+        ip_list: "",
+        type : "",
+      },
+      ipEditLoading : false,
       authLoginRules: {
         name: [
           {required: true, message: '请输入账号', trigger: 'blur'},
@@ -644,6 +679,30 @@ export default {
         });
       });
     },
+    openIpListDialog(type) {
+      this.ipListDialog = true;
+      this.ipEditForm.type = type;
+      this.ipEditForm.ip_list = this.ruleForm[type].map(item => item.val + (item.note ? "," + item.note : "")).join("\n");      
+    },
+    ipEdit() {
+        this.ipEditLoading = true;
+        // ip_list不能超过this.maxRouteRows行
+        if (this.ipEditForm.ip_list.split("\n").length > this.maxRouteRows) {
+            this.$message.error("错误：AnyConnect最多支持" + this.maxRouteRows + "条路由.");
+            this.ipEditLoading = false;
+            return false;
+        }
+        let arr = this.ipEditForm.ip_list.split("\n").map(item => {
+            let ip = item.split(",");
+            if (ip.length > 2) {
+                ip[1] = ip.slice(1).join(",");
+            }
+            return {val: ip[0], note: ip[1] ? ip[1] : ""};
+        });
+        this.ruleForm[this.ipEditForm.type] = arr;
+        this.ipEditLoading = false;
+        this.ipListDialog = false;
+    },
     resetForm(formName) {
       this.$refs[formName].resetFields();
     },

From 5d24eda7fcabbbf3aed676620775e48c692fe801 Mon Sep 17 00:00:00 2001
From: lanrenwo <lanrenwo@users.noreply.github.com>
Date: Sun, 3 Dec 2023 22:09:46 +0800
Subject: [PATCH 30/37] =?UTF-8?q?=E4=B8=8D=E9=99=90=E5=88=B6=E8=B7=AF?=
 =?UTF-8?q?=E7=94=B1=E7=9A=84=E6=95=B0=E9=87=8F=EF=BC=8C=E5=B9=B6=E6=A3=80?=
 =?UTF-8?q?=E6=B5=8BCIDR=E6=A0=BC=E5=BC=8F=E7=9A=84=E6=AD=A3=E7=A1=AE?=
 =?UTF-8?q?=E6=80=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 web/src/pages/group/List.vue | 47 ++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 15 deletions(-)

diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 562c936..8d1d221 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -373,7 +373,7 @@
                 </el-form-item>                
                 <el-form-item label="排除域名" prop="ds_exclude_domains">
                     <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
-                    <div class="msg-info">注意：域名拆分隧道，仅支持AnyConnect的桌面客户端，不支持移动端.</div>
+                    <div class="msg-info">注：域名拆分隧道，仅支持AnyConnect的桌面客户端，不支持移动端.</div>
                 </el-form-item>
             </el-tab-pane>
             <el-form-item>
@@ -412,13 +412,13 @@
     :close-on-click-modal="false"
     title="编辑模式"
     :visible.sync="ipListDialog"
-    width="600px"
+    width="650px"
     custom-class="valgin-dialog"
     center>
       <el-form ref="ipEditForm" label-width="80px">
           <el-form-item label="路由表" prop="ip_list">
-              <el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list" placeholder="输入CIDR格式和备注，以逗号分隔，如: 192.168.1.0/24,test"></el-input>
-              <div class="msg-info">AnyConnect最多支持{{ this.maxRouteRows }}条路由，当前共 {{ ipEditForm.ip_list.split("\n").length }} 条</div>
+              <el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list" placeholder="每行一条路由，例：192.168.1.0/24,备注 或 192.168.1.0/24"></el-input>
+              <div class="msg-info">当前共 {{ ipEditForm.ip_list.trim() === '' ? 0 : ipEditForm.ip_list.trim().split("\n").length }} 条（注：AnyConnect客户端最多支持{{ this.maxRouteRows }}条路由）</div>
           </el-form-item>
           <el-form-item>
               <el-button type="primary" @click="ipEdit()" :loading="ipEditLoading">更新</el-button>
@@ -686,23 +686,40 @@ export default {
     },
     ipEdit() {
         this.ipEditLoading = true;
-        // ip_list不能超过this.maxRouteRows行
-        if (this.ipEditForm.ip_list.split("\n").length > this.maxRouteRows) {
-            this.$message.error("错误：AnyConnect最多支持" + this.maxRouteRows + "条路由.");
+        let ipList = [];
+        if (this.ipEditForm.ip_list.trim() !== "") {
+            ipList = this.ipEditForm.ip_list.trim().split("\n");
+        }        
+        let arr = [];
+        for (let i = 0; i < ipList.length; i++) {
+          let item = ipList[i];
+          let ip = item.split(",");
+          if (ip.length > 2) {
+            ip[1] = ip.slice(1).join(",");
+          }
+          let note = ip[1] ? ip[1] : "";
+          const pushToArr = () => {
+            arr.push({val: ip[0], note: note});
+          };
+          if (this.ipEditForm.type == "route_include" && ip[0] == "all") {
+            pushToArr();
+            continue;  
+          }
+          if (!this.isValidCIDR(ip[0])) {
+            this.$message.error("错误：CIDR格式错误 " + item);
             this.ipEditLoading = false;
-            return false;
+            return;
+          }
+          pushToArr();
         }
-        let arr = this.ipEditForm.ip_list.split("\n").map(item => {
-            let ip = item.split(",");
-            if (ip.length > 2) {
-                ip[1] = ip.slice(1).join(",");
-            }
-            return {val: ip[0], note: ip[1] ? ip[1] : ""};
-        });
         this.ruleForm[this.ipEditForm.type] = arr;
         this.ipEditLoading = false;
         this.ipListDialog = false;
     },
+    isValidCIDR(str) {
+       const cidrRegex = /^([0-9]{1,3}\.){3}[0-9]{1,3}\/([0-9]|[1-2][0-9]|3[0-2])$/;
+       return cidrRegex.test(str);
+    },
     resetForm(formName) {
       this.$refs[formName].resetFields();
     },

From 3d03f6adb86723b7553af7ed33f41c2cb612bd8f Mon Sep 17 00:00:00 2001
From: lanrenwo <lanrenwo@users.noreply.github.com>
Date: Mon, 4 Dec 2023 13:08:37 +0800
Subject: [PATCH 31/37] =?UTF-8?q?=E8=A7=A3=E5=86=B3=E5=A4=A7=E9=87=8F?=
 =?UTF-8?q?=E8=B7=AF=E7=94=B1=E5=AF=BC=E8=87=B4=E5=BC=B9=E7=AA=97=E5=8D=A1?=
 =?UTF-8?q?=E9=A1=BF=E7=9A=84=E9=97=AE=E9=A2=98=EF=BC=88=E5=BD=93=E7=82=B9?=
 =?UTF-8?q?=E5=87=BB=E2=80=9C=E8=B7=AF=E7=94=B1=E8=AE=BE=E7=BD=AE=E2=80=9D?=
 =?UTF-8?q?=E6=97=B6=EF=BC=8C=E6=89=8D=E5=8A=A0=E8=BD=BD=E8=B7=AF=E7=94=B1?=
 =?UTF-8?q?=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 web/src/pages/group/List.vue | 60 +++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 28 deletions(-)

diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 8d1d221..298abae 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -291,19 +291,21 @@
                                 @click.prevent="openIpListDialog('route_include')"></el-button>
                     </el-col>                    
                 </el-row>
-                <el-row v-for="(item,index) in ruleForm.route_include"
-                        :key="index" style="margin-bottom: 5px" :gutter="10">
-                    <el-col :span="10">
-                    <el-input v-model="item.val"></el-input>
-                    </el-col>
-                    <el-col :span="12">
-                    <el-input v-model="item.note" placeholder="备注"></el-input>
-                    </el-col>
-                    <el-col :span="2">
-                    <el-button size="mini" type="danger" icon="el-icon-minus" circle
-                                @click.prevent="removeDomain(ruleForm.route_include,index)"></el-button>
-                    </el-col>
-                </el-row>
+                <templete v-if="activeTab == 'route'">
+                    <el-row v-for="(item,index) in ruleForm.route_include"
+                            :key="index" style="margin-bottom: 5px" :gutter="10">
+                        <el-col :span="10">
+                        <el-input v-model="item.val"></el-input>
+                        </el-col>
+                        <el-col :span="12">
+                        <el-input v-model="item.note" placeholder="备注"></el-input>
+                        </el-col>
+                        <el-col :span="2">
+                        <el-button size="mini" type="danger" icon="el-icon-minus" circle
+                                    @click.prevent="removeDomain(ruleForm.route_include,index)"></el-button>
+                        </el-col>
+                    </el-row>
+                </templete>
                 </el-form-item>
 
                 <el-form-item label="排除路由" prop="route_exclude">
@@ -318,19 +320,21 @@
                                 @click.prevent="openIpListDialog('route_exclude')"></el-button>
                     </el-col>                    
                 </el-row>
-                <el-row v-for="(item,index) in ruleForm.route_exclude"
-                        :key="index" style="margin-bottom: 5px" :gutter="10">
-                    <el-col :span="10">
-                    <el-input v-model="item.val"></el-input>
-                    </el-col>
-                    <el-col :span="12">
-                    <el-input v-model="item.note" placeholder="备注"></el-input>
-                    </el-col>
-                    <el-col :span="2">
-                    <el-button size="mini" type="danger" icon="el-icon-minus" circle
-                                @click.prevent="removeDomain(ruleForm.route_exclude,index)"></el-button>
-                    </el-col>
-                </el-row>
+                <templete v-if="activeTab == 'route'">
+                    <el-row v-for="(item,index) in ruleForm.route_exclude"
+                            :key="index" style="margin-bottom: 5px" :gutter="10">
+                        <el-col :span="10">
+                        <el-input v-model="item.val"></el-input>
+                        </el-col>
+                        <el-col :span="12">
+                        <el-input v-model="item.note" placeholder="备注"></el-input>
+                        </el-col>
+                        <el-col :span="2">
+                        <el-button size="mini" type="danger" icon="el-icon-minus" circle
+                                    @click.prevent="removeDomain(ruleForm.route_exclude,index)"></el-button>
+                        </el-col>
+                    </el-row>
+                </templete>
                 </el-form-item>
             </el-tab-pane>
             <el-tab-pane label="权限控制" name="link_acl">
@@ -341,8 +345,8 @@
                     <el-button size="mini" type="success" icon="el-icon-plus" circle
                                 @click.prevent="addDomain(ruleForm.link_acl)"></el-button>
                     </el-col>
-                </el-row>
-
+                </el-row>  
+                              
                 <el-row v-for="(item,index) in ruleForm.link_acl"
                         :key="index" style="margin-bottom: 5px" :gutter="5">
                     <el-col :span="11">

From 7c040e2a0fba8a5a3e600ae29992ca4d0b0b4dad Mon Sep 17 00:00:00 2001
From: lanrenwo <lanrenwo@users.noreply.github.com>
Date: Mon, 4 Dec 2023 13:44:06 +0800
Subject: [PATCH 32/37] =?UTF-8?q?=E8=BF=87=E6=BB=A4=E6=96=87=E6=9C=AC?=
 =?UTF-8?q?=E6=A1=86=E5=86=85=E7=9A=84=E7=A9=BA=E8=A1=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 web/src/pages/group/List.vue | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 298abae..97fdaae 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -346,7 +346,7 @@
                                 @click.prevent="addDomain(ruleForm.link_acl)"></el-button>
                     </el-col>
                 </el-row>  
-                              
+
                 <el-row v-for="(item,index) in ruleForm.link_acl"
                         :key="index" style="margin-bottom: 5px" :gutter="5">
                     <el-col :span="11">
@@ -697,6 +697,9 @@ export default {
         let arr = [];
         for (let i = 0; i < ipList.length; i++) {
           let item = ipList[i];
+          if (item.trim() === "") {
+            continue;
+          }
           let ip = item.split(",");
           if (ip.length > 2) {
             ip[1] = ip.slice(1).join(",");

From 8a3d34b737a4894f9eeed0807130fe22fa92c21f Mon Sep 17 00:00:00 2001
From: lanrenwo <lanrenwo@users.noreply.github.com>
Date: Mon, 4 Dec 2023 18:32:09 +0800
Subject: [PATCH 33/37] =?UTF-8?q?=E4=BC=98=E5=8C=96isValidCIDR=E5=87=BD?=
 =?UTF-8?q?=E6=95=B0=EF=BC=8C=E8=A7=A3=E5=86=B3=E9=83=A8=E5=88=86=E6=A0=BC?=
 =?UTF-8?q?=E5=BC=8F=E6=A3=80=E6=B5=8B=E6=9C=89=E8=AF=AF=EF=BC=8C=E5=B9=B6?=
 =?UTF-8?q?=E7=BB=99=E4=BA=88=E5=BB=BA=E8=AE=AE=E6=8F=90=E7=A4=BA=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 web/src/pages/group/List.vue | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 97fdaae..6d5975c 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -712,10 +712,11 @@ export default {
             pushToArr();
             continue;  
           }
-          if (!this.isValidCIDR(ip[0])) {
-            this.$message.error("错误：CIDR格式错误 " + item);
-            this.ipEditLoading = false;
-            return;
+          let valid = this.isValidCIDR(ip[0]);
+          if (!valid.valid) {
+                this.$message.error("错误：CIDR格式错误，建议 " + ip[0] + " 改为 " + valid.suggestion);
+                this.ipEditLoading = false;
+                return;
           }
           pushToArr();
         }
@@ -723,9 +724,28 @@ export default {
         this.ipEditLoading = false;
         this.ipListDialog = false;
     },
-    isValidCIDR(str) {
-       const cidrRegex = /^([0-9]{1,3}\.){3}[0-9]{1,3}\/([0-9]|[1-2][0-9]|3[0-2])$/;
-       return cidrRegex.test(str);
+    isValidCIDR(input) {
+        const cidrRegex = /^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)\/([12]?\d|3[0-2])$/;
+        if (!cidrRegex.test(input)) {
+            return { valid: false, suggestion: null };
+        }
+        const [ip, mask] = input.split('/');
+        const maskNum = parseInt(mask);
+        const ipParts = ip.split('.').map(part => parseInt(part));
+        const binaryIP = ipParts.map(part => part.toString(2).padStart(8, '0')).join('');
+        for (let i = maskNum; i < 32; i++) {
+            if (binaryIP[i] === '1') {
+                const binaryNetworkPart = binaryIP.substring(0, maskNum).padEnd(32, '0');
+                const networkIPParts = [];
+                for (let j = 0; j < 4; j++) {
+                    const octet = binaryNetworkPart.substring(j * 8, (j + 1) * 8);
+                    networkIPParts.push(parseInt(octet, 2));
+                }
+                const suggestedIP = networkIPParts.join('.');
+                return { valid: false, suggestion: `${suggestedIP}/${mask}` };
+            }
+        }
+        return { valid: true, suggestion: null };
     },
     resetForm(formName) {
       this.$refs[formName].resetFields();

From 64404ea94b2f3fe9290d2819a0f400c98116b197 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 13 Dec 2023 16:50:35 +0800
Subject: [PATCH 34/37] =?UTF-8?q?=E4=BF=AE=E6=94=B9readme?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                         | 8 +++++++-
 server/pkg/utils/secure_header.go | 9 ++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 0f48b70..2aad3e5 100644
--- a/README.md
+++ b/README.md
@@ -60,11 +60,17 @@ AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试
 
 ### 自行编译安装
 
-> 需要提前安装好 golang >= 1.19 和 nodejs >= 14.x 和 yarn >= v1.22.x
+> 需要提前安装好 golang >= 1.19 和 nodejs >= 16.x 和 yarn >= v1.22.x
 
 ```shell
 git clone https://github.com/bjdgyc/anylink.git
 
+# 编译参考软件版本
+# go 1.20.12
+# node v16.20.2
+# yarn 1.22.19
+
+
 cd anylink
 sh build.sh
 
diff --git a/server/pkg/utils/secure_header.go b/server/pkg/utils/secure_header.go
index f31dbe1..ae83774 100644
--- a/server/pkg/utils/secure_header.go
+++ b/server/pkg/utils/secure_header.go
@@ -2,7 +2,9 @@ package utils
 
 import "net/http"
 
-// 设置安全的header头
+// SetSecureHeader 设置安全的header头
+// https://blog.csdn.net/liwan09/article/details/130248003
+// https://zhuanlan.zhihu.com/p/335165168
 func SetSecureHeader(w http.ResponseWriter) {
 	// Content-Length Date 默认已经存在
 	w.Header().Set("Server", "AnyLinkOpenSource")
@@ -18,12 +20,13 @@ func SetSecureHeader(w http.ResponseWriter) {
 	w.Header().Set("X-Download-Options", "noopen")
 	w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content")
 	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
-	w.Header().Set("Referrer-Policy", "no-referrer")
+	w.Header().Set("Referrer-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
-	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("X-XSS-Protection", "1;mode=block")
 	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 
 	// w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
+
 }

From d3f16eb2ade1b37b1c2c92383706c84dab6c40db Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 25 Dec 2023 14:31:35 +0800
Subject: [PATCH 35/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20modprobe=20=E6=8A=A5?=
 =?UTF-8?q?=E9=94=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 build_docker.sh             |  5 ++-
 doc/README.md               | 60 +++++++++++++++++-----------------
 docker/Dockerfile           | 34 +++++++++++--------
 server/base/app_ver.go      |  2 +-
 server/base/mod.go          | 65 +++++++++++++++++++++++++++++++++++++
 server/base/start.go        |  1 +
 server/handler/link_tun.go  | 13 +++-----
 server/handler/link_vtap.go |  5 +--
 8 files changed, 130 insertions(+), 55 deletions(-)
 create mode 100644 server/base/mod.go

diff --git a/build_docker.sh b/build_docker.sh
index ec94d0f..ef8afac 100644
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -6,10 +6,13 @@ echo $ver
 #docker login -u bjdgyc
 
 #docker build -t bjdgyc/anylink .
-docker build -t bjdgyc/anylink -f docker/Dockerfile .
+
+docker build -t bjdgyc/anylink --build-arg GitCommitId=$(git rev-parse HEAD) -f docker/Dockerfile .
 
 docker tag bjdgyc/anylink:latest bjdgyc/anylink:$ver
 
+exit 0
+
 docker push bjdgyc/anylink:$ver
 docker push bjdgyc/anylink:latest
 
diff --git a/doc/README.md b/doc/README.md
index a56d567..6953384 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -9,37 +9,39 @@
 ## Donator
 
 > 感谢以下同学的打赏，AnyLink 有你更美好！
-> 
+>
 > 需要展示主页的同学，可以在QQ群 直接联系我添加。
 
-| 昵称      | 主页                         |
-|---------| ---------------------------- |
-| 代码 oo8  |                              |
-| 甘磊      | https://github.com/ganlei333 |
-| Oo@     | https://github.com/chooop    |
-| 虚极静笃    |                              |
-| 请喝可乐    |                              |
-| 加油加油    |                              |
-| 李建      |                              |
-| lanbin  |                              |
-| 乐在东途    |                              |
-| 孤鸿      |                              |
-| 刘国华     |                              |
-| 改名好无聊   |                              |
-| 全能互联网专家 |                              |
-| JCM     |                              |
-| Eh...   |                              |
-| 沉       |                              |
-| 刘国华     |                              |
-| 忧郁的豚骨拉面 |                              |
-| 张小旋当爹地  |                              |
-| 对方正在输入  |                              |
-| Ronny   |                              |
-| 奔跑的少年   |                              |
-| ZBW     |                              |
-| 悲鸣      |                              |
-| 谢谢      |                              |
-| 云思科技    |                              |
+| 昵称        | 主页 / 留言                      |
+|-----------|------------------------------|
+| 代码 oo8    |                              |
+| 甘磊        | https://github.com/ganlei333 |
+| Oo@       | https://github.com/chooop    |
+| 虚极静笃      |                              |
+| 请喝可乐      |                              |
+| 加油加油      |                              |
+| 李建        |                              |
+| lanbin    |                              |
+| 乐在东途      |                              |
+| 孤鸿        |                              |
+| 刘国华       |                              |
+| 改名好无聊     |                              |
+| 全能互联网专家   |                              |
+| JCM       |                              |
+| Eh...     |                              |
+| 沉         |                              |
+| 刘国华       |                              |
+| 忧郁的豚骨拉面   |                              |
+| 张小旋当爹地    |                              |
+| 对方正在输入    |                              |
+| Ronny     |                              |
+| 奔跑的少年     |                              |
+| ZBW       |                              |
+| 悲鸣        |                              |
+| 谢谢        |                              |
+| 云思科技      |                              |
+| 哆啦A伟(张佳伟) |                              |
+| nobody    | 开源不易，感谢分享                    |
 
 
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 9abbcac..e703090 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,42 +1,48 @@
+#node:16-bullseye
+#golang:1.20-bullseye
+#debian:bullseye-slim
+
 # web
-FROM node:16.17.1-alpine3.15 as builder_node
+FROM node:16-alpine3.18 as builder_node
 WORKDIR /web
 COPY ./web /web
 RUN yarn install \
     && yarn run build \
     && ls /web/ui
 
+
 # server
-FROM golang:1.19-alpine as builder_golang
+FROM golang:1.20-alpine3.18 as builder_golang
 #TODO 本地打包时使用镜像
-ENV GOPROXY=https://goproxy.io
+ENV GOPROXY=https://goproxy.cn
 ENV GOOS=linux
+ARG GitCommitId="gitCommitId"
+
 WORKDIR /anylink
-COPY . /anylink
-COPY --from=builder_node /web/ui  /anylink/server/ui
+COPY server /anylink
+COPY --from=builder_node /web/ui  /anylink/ui
 
 #TODO 本地打包时使用镜像
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
-RUN apk add --no-cache git gcc musl-dev
-RUN cd /anylink/server;go mod tidy;go build -o anylink -ldflags "-X main.CommitId=$(git rev-parse HEAD)" \
-    && /anylink/server/anylink tool -v
+RUN apk add gcc musl-dev
+RUN cd /anylink;go mod tidy;go build -o anylink -ldflags "-s -w -X main.CommitId=${GitCommitId}" \
+    && /anylink/anylink tool -v
+
 
 # anylink
-FROM alpine
+FROM alpine:3.18
 LABEL maintainer="github.com/bjdgyc"
 
-#ENV IPV4_CIDR="192.168.10.0/24"
+ENV ANYLINK_IN_CONTAINER=true
 
 WORKDIR /app
-COPY --from=builder_golang /anylink/server/anylink  /app/
+COPY --from=builder_golang /anylink/anylink  /app/
 COPY docker/docker_entrypoint.sh  /app/
-
-#COPY ./server/bridge-init.sh /app/
+COPY ./server/bridge-init.sh /app/
 COPY ./server/conf  /app/conf
 COPY ./LICENSE  /app/LICENSE
 COPY ./home  /app/home
 
-
 #TODO 本地打包时使用镜像
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
 RUN apk add --no-cache bash iptables \
diff --git a/server/base/app_ver.go b/server/base/app_ver.go
index e3556a6..fa9e89f 100644
--- a/server/base/app_ver.go
+++ b/server/base/app_ver.go
@@ -3,5 +3,5 @@ package base
 const (
 	APP_NAME = "AnyLink"
 	// app版本号
-	APP_VER = "0.9.4"
+	APP_VER = "0.10.1"
 )
diff --git a/server/base/mod.go b/server/base/mod.go
new file mode 100644
index 0000000..0f85830
--- /dev/null
+++ b/server/base/mod.go
@@ -0,0 +1,65 @@
+package base
+
+import (
+	"bufio"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+const (
+	procModulesPath = "/proc/modules"
+	inContainerKey  = "ANYLINK_IN_CONTAINER"
+)
+
+var (
+	inContainer = false
+	modMap      = map[string]struct{}{}
+)
+
+func initMod() {
+	container := os.Getenv(inContainerKey)
+	if container == "true" {
+		inContainer = true
+	}
+	log.Println("inContainer", inContainer)
+
+	file, err := os.Open(procModulesPath)
+	if err != nil {
+		err = fmt.Errorf("[ERROR] Problem with open file: %s", err)
+		panic(err)
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(file)
+	scanner.Split(bufio.ScanLines)
+	for scanner.Scan() {
+		splited := strings.Split(scanner.Text(), " ")
+		if len(splited[0]) > 0 {
+			modMap[splited[0]] = struct{}{}
+		}
+	}
+}
+
+func CheckModOrLoad(mod string) {
+	log.Println("CheckModOrLoad", mod)
+
+	if _, ok := modMap[mod]; ok {
+		return
+	}
+
+	if inContainer {
+		err := fmt.Errorf("Linux modules %s is not loaded, please run `modprobe %s`", mod, mod)
+		panic(err)
+	}
+
+	cmdstr := fmt.Sprintln("modprobe", mod)
+
+	cmd := exec.Command("sh", "-c", cmdstr)
+	b, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Println(string(b))
+		panic(err)
+	}
+}
diff --git a/server/base/start.go b/server/base/start.go
index a2354c6..c25d202 100644
--- a/server/base/start.go
+++ b/server/base/start.go
@@ -4,6 +4,7 @@ func Start() {
 	execute()
 	initCfg()
 	initLog()
+	initMod()
 }
 
 func Test() {
diff --git a/server/handler/link_tun.go b/server/handler/link_tun.go
index d01b5f5..5ba65f2 100644
--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -22,9 +22,10 @@ func checkTun() {
 	defer ifce.Close()
 
 	// 测试ip命令
-	cmdstr0 := fmt.Sprintln("modprobe -i tun")
+	base.CheckModOrLoad("tun")
+
 	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
-	err = execCmd([]string{cmdstr0, cmdstr1})
+	err = execCmd([]string{cmdstr1})
 	if err != nil {
 		base.Fatal("testTun err: ", err)
 	}
@@ -41,12 +42,8 @@ func checkTun() {
 		}
 
 		// 修复 rockyos nat 不生效
-		cmdstr0 := fmt.Sprintln("modprobe -i iptable_filter")
-		cmdstr1 := fmt.Sprintf("modprobe -i iptable_nat")
-		err = execCmd([]string{cmdstr0, cmdstr1})
-		if err != nil {
-			base.Fatal("testTun err: ", err)
-		}
+		base.CheckModOrLoad("iptable_filter")
+		base.CheckModOrLoad("iptable_nat")
 
 		natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-j", "MASQUERADE"}
 		forwardRule := []string{"-j", "ACCEPT"}
diff --git a/server/handler/link_vtap.go b/server/handler/link_vtap.go
index 9536fca..fa2c5b0 100644
--- a/server/handler/link_vtap.go
+++ b/server/handler/link_vtap.go
@@ -33,13 +33,14 @@ func checkMacvtap() {
 
 	ifName := "anylinkMacvtap"
 	// 加载 macvtap
-	cmdstr0 := fmt.Sprintln("modprobe -i macvtap")
+	base.CheckModOrLoad("macvtap")
+
 	// 开启主网卡混杂模式
 	cmdstr1 := fmt.Sprintf("ip link set dev %s promisc on", base.Cfg.Ipv4Master)
 	// 测试 macvtap 功能
 	cmdstr2 := fmt.Sprintf("ip link add link %s name %s type macvtap mode bridge", base.Cfg.Ipv4Master, ifName)
 	cmdstr3 := fmt.Sprintf("ip link del %s", ifName)
-	err := execCmd([]string{cmdstr0, cmdstr1, cmdstr2, cmdstr3})
+	err := execCmd([]string{cmdstr1, cmdstr2, cmdstr3})
 	if err != nil {
 		base.Fatal(err)
 	}

From e3b303744bd04b0bcb919b550164cd12db5b29af Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 25 Dec 2023 14:34:21 +0800
Subject: [PATCH 36/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20modprobe=20=E6=8A=A5?=
 =?UTF-8?q?=E9=94=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docker/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index e703090..af5cde3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,6 +1,8 @@
 #node:16-bullseye
 #golang:1.20-bullseye
 #debian:bullseye-slim
+#sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
+
 
 # web
 FROM node:16-alpine3.18 as builder_node

From 1b6abeb8499f9ba6e9e4dff5054f58439a9da89e Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 25 Dec 2023 14:47:30 +0800
Subject: [PATCH 37/37] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20modprobe=20=E6=8A=A5?=
 =?UTF-8?q?=E9=94=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.sh b/build.sh
index c959803..057bff0 100644
--- a/build.sh
+++ b/build.sh
@@ -36,7 +36,7 @@ cp -rf $cpath/web/ui .
 #国内可替换源加快速度
 export GOPROXY=https://goproxy.io
 go mod tidy
-go build -v -o anylink -ldflags "-X main.CommitId=$(git rev-parse HEAD)"
+go build -v -o anylink -ldflags "-s -w -X main.CommitId=$(git rev-parse HEAD)"
 RETVAL $?
 
 cd $cpath