Update README.md

修改客户端下载地址
更新 README.md
2025-09-27 23:47:04 +08:00 · 2025-09-07 09:48:56 +08:00 · 2025-08-27 05:52:51 +08:00 · 2025-03-25 17:38:10 +08:00 · 2025-03-25 17:36:25 +08:00 · 2025-03-10 10:45:11 +08:00
138 changed files with 10743 additions and 5720 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -1,5 +1,7 @@
 ignore:
-  - "screenshot"
-  - "web"
-  - "server/conf"
-  - "server/files"
+  - "^doc"
+  - "^home"
+  - "^web"
+  - "^server/conf"
+  - "^server/files"
+
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: [ 'https://github.com/bjdgyc/anylink/blob/main/doc/README.md' ] # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/ISSUE_TEMPLATE/00-question.md
+++ b/.github/ISSUE_TEMPLATE/00-question.md
@@ -0,0 +1,35 @@
+---
+name: 问题描述
+about: 问题描述
+title: "affected/package: "
+---
+
+<!--
+请先填写下面的问题，再填写具体遇到的问题，感谢！
+-->
+
+### 使用的anylink版本 ?
+
+<pre>
+./anylink tool -v
+管理后台也可以查看
+</pre>
+
+
+### 使用操作系统的类型和版本?
+如： centos 7.9
+<pre>
+cat /etc/issue
+cat /etc/redhat-release
+
+</pre>
+
+### 使用linux 内核版本?
+<pre>
+uname -a
+
+</pre>
+
+### 具体遇到的问题，可上传截图
+
+
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -12,13 +12,15 @@
 name: "CodeQL"

 on:
-  push:
-    branches: [ "main", "dev" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main", "dev" ]
+  workflow_dispatch:
  schedule:
-    - cron: '32 12 * * 5'
+    - cron: '32 5 * * 1'
+#  push:
+#    branches: [ "main", "dev" ]
+#  pull_request:
+#    branches: [ "main", "dev" ]
+
+

 jobs:
  analyze:
@@ -38,34 +40,34 @@ jobs:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v4

-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main

-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2

-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl

-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language

-    #- run: |
-    #   make bootstrap
-    #   make release
+      #- run: |
+      #   make bootstrap
+      #   make release

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/go-update.yml
+++ b/.github/workflows/go-update.yml
@@ -0,0 +1,48 @@
+name: go-update
+on:
+  workflow_dispatch:
+#  schedule:
+#    - cron: "1 2 * * 5"
+
+jobs:
+  go:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Go 1.x.y
+        uses: actions/setup-go@main
+        with:
+          go-version: '1.20'
+          stable: true
+
+      - name: Checkout codebase
+        uses: actions/checkout@main
+
+      - name: go
+        run: |
+          cd ./server
+          go mod tidy -compat=1.20
+          #gofmt -w -r 'interface{} -> any' .
+          go get -u
+          go mod download
+          go get -u
+          go mod download
+
+      - name: Git push
+        run: |
+          git init
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote rm origin
+          git remote add origin "https://${{ github.actor }}:${{ secrets.GITHUBTOKEN }}@github.com/${{ github.repository }}"
+          git gc --aggressive
+          git add --all
+          git commit -m "update go.mod $(date +%Y.%m.%d.%H.%M)"
+          #git push -f -u origin _autoaction
+          git push -u origin _autoaction
+
+      # 删除无用 workflow runs;
+      - name: Delete workflow runs
+        uses: GitRML/delete-workflow-runs@main
+        with:
+          retain_days: 0.1
+          keep_minimum_runs: 1
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,6 +1,8 @@
 name: Go

 on:
+  workflow_dispatch:
+
  push:
    branches: [ "main", "dev" ]
  pull_request:
@@ -12,15 +14,15 @@ jobs:
    name: Build
    runs-on: ubuntu-latest
    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4

      - name: Set up Go 1.x
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.18
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+          go-version: '1.22'
+          go-version-file: 'server/go.mod'
+          cache-dependency-path: 'server/go.sum'

      - name: Get dependencies
        run: |
@@ -32,15 +34,16 @@ jobs:
          cd server
          mkdir ui
          touch ui/index.html
-          go build -v -o anylink -ldflags "-X main.CommitId=`git rev-parse HEAD`"
+          go build -v -o anylink -trimpath -ldflags "-X main.CommitId=`git rev-parse HEAD`"
          ./anylink tool -v

      - name: Test coverage
        run: |
          cd server
+          go test ./...
          go test -race -coverprofile=coverage.txt -covermode=atomic -v ./...

-      - name: Upload coverage to Codecov
-        run: |
-          cd server
-          bash <(curl -s https://codecov.io/bash)
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v3
+        env:
+          CODECOV_TOKEN: 28d52fb0-8fc9-460f-95b9-fb84f9138e58
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,98 @@
+name: release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v0.*"
+      - "v1.*"
+
+jobs:
+  Build:
+    name: build-binary
+    runs-on: ubuntu-latest
+    env:
+      TZ: Asia/Shanghai
+    steps:
+      - name: Hello world
+        run: uname -a
+
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '16'
+          cache: 'yarn'
+          cache-dependency-path: 'web/yarn.lock'
+      - name: Build web
+        working-directory: web
+        run: |
+          yarn install
+          yarn run build
+      #      - uses: actions/setup-go@v4
+      #        with:
+      #          go-version: '1.20'
+      #          cache-dependency-path: 'server/go.sum'
+
+      - name: Set up QEMU
+        # https://github.com/docker/setup-qemu-action
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: bjdgyc
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          logout: true
+
+      - name: Pre bash
+        shell: bash
+        run: |
+          appVer=`cat version`
+          commitId=`git rev-parse HEAD`
+          echo "APP_VER=$appVer" >> $GITHUB_ENV
+          echo "commitId=$commitId" >> $GITHUB_ENV
+          
+          echo $appVer > version_info
+          echo $commitId >> version_info
+          echo $GITHUB_REF >> version_info
+          echo $GITHUB_REF_NAME >> version_info
+          
+          #cd server;go mod tidy
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          cache-from: type=gha,scope=anylink
+          cache-to: type=gha,mode=max,scope=anylink
+          context: .
+          file: ./docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          #platforms: linux/amd64
+          build-args: |
+            appVer=${{ env.APP_VER }}
+            commitId=${{ env.commitId }}
+          tags: bjdgyc/anylink:${{ env.APP_VER }},bjdgyc/anylink:latest
+          #tags: bjdgyc/anylink:${{ env.APP_VER }}
+
+      - name: Build deploy binary
+        shell: bash
+        run: bash release.sh
+
+      - name: Release
+        # https://github.com/ncipollo/release-action
+        # artifacts: bin/release/*
+        # generateReleaseNotes: true
+        # draft: true
+        # https://github.com/softprops/action-gh-release
+        uses: softprops/action-gh-release@v1
+        #if: startsWith(github.ref, 'refs/tags/')
+        with:
+          tag_name: v${{ env.APP_VER }}
+          files: artifact-dist/*
+
+#  Docker:
+#    name: build-docker
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,12 @@
 .idea/
 anylink-deploy
 anylink-deploy.tar.gz
+anylink-deploy-*
+anylink
+anylink.db

+dist
+artifact-dist
+
+anylink_amd64
+anylink_arm64
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,104 @@
+#https://goreleaser.com/static/schema.json
+
+# release --skip=publish
+
+# goreleaser build --skip=validate --clean --debug
+
+# GOPROXY=https://goproxy.cn
+
+# docker run -it --rm -v $PWD:/app -v /go:/go -w /app --platform=linux/arm64 golang:alpine3.19
+
+# docker run -it --rm -v $PWD:/app -v /go:/go -w /app goreleaser/goreleaser-cross build --skip=validate --clean --debug
+
+# docker run -it --rm -v $PWD:/app -v /go:/go -w /app bjdgyc/dcross goreleaser build --skip=validate --clean --debug
+
+version: 1
+
+dist: dist
+
+before:
+  hooks:
+    - pwd
+#    - cmd: go mod tidy
+#      dir:
+#        "{{ dir .Dist}}"
+#      output: true
+#    - cmd: go generate
+#      dir:
+#        "{{ dir .Dist}}"
+#      output: true
+
+builds:
+  - id: "build"
+    #main: .
+    dir: ./server
+    hooks:
+      pre:
+        - cmd: go mod tidy
+          dir: ./server
+          output: true
+        - cmd: go generate
+          dir: ./server
+          output: true
+    # {{- if eq .Arch "amd64" }}CC=x86_64-linux-gnu-gcc CXX=x86_64-linux-gnu-g++{{- end }}
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Os "linux" }}
+          {{- if eq .Arch "amd64" }}CC=x86_64-linux-musl-gcc{{- end }}
+        
+          {{- if eq .Arch "arm64" }}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- end }}
+        {{- if eq .Os "darwin" }}
+          {{- if eq .Arch "amd64"}}CC=o64-clang{{- end }}
+          {{- if eq .Arch "arm64"}}CC=oa64-clang{{- end }}
+        {{- end }}
+        {{- if eq .Os "windows" }}
+          {{- if eq .Arch "amd64"}}CC=x86_64-w64-mingw32-gcc{{- end }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- end }}
+    goos:
+      - linux
+      #- darwin
+      #- windows
+    goarch:
+      - amd64
+      #- arm64
+    # https://go.dev/wiki/MinimumRequirements
+    goamd64:
+      - v1
+    command: build
+    flags:
+      - -trimpath
+      - -tags osusergo,netgo,sqlite_omit_load_extension
+    ldflags:
+      # go tool link -help
+      # go tool compile -help
+      # -linkmode external
+      # -extld=$CC
+      # -fpic 作为动态链接库的时候 需要添加
+
+      - -s -w -extldflags '-static' -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.builtBy=dcross
+
+archives:
+  - id: "archive1"
+    format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
--- a/49
+++ b/49
@@ -1,49 +0,0 @@
-# web
-FROM node:lts-alpine as builder_node
-WORKDIR /web
-COPY ./web /web
-RUN yarn install \
-    && yarn run build \
-    && ls /web/ui
-
-# server
-FROM golang:1.18-alpine as builder_golang
-#TODO 本地打包时使用镜像
-ENV GOPROXY=https://goproxy.io
-ENV GOOS=linux
-WORKDIR /anylink
-COPY . /anylink
-COPY --from=builder_node /web/ui  /anylink/server/ui
-
-#TODO 本地打包时使用镜像
-RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
-RUN apk add --no-cache git gcc musl-dev
-RUN cd /anylink/server;go mod tidy;go build -o anylink -ldflags "-X main.CommitId=$(git rev-parse HEAD)" \
-    && /anylink/server/anylink tool -v
-
-# anylink
-FROM alpine
-LABEL maintainer="github.com/bjdgyc"
-
-ENV IPV4_CIDR="192.168.10.0/24"
-
-WORKDIR /app
-COPY --from=builder_golang /anylink/server/anylink  /app/
-COPY docker_entrypoint.sh  /app/
-
-COPY ./server/bridge-init.sh /app/
-COPY ./server/conf  /app/conf
-COPY ./LICENSE  /app/LICENSE
-
-
-#TODO 本地打包时使用镜像
-RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
-RUN apk add --no-cache bash iptables \
-    && chmod +x /app/docker_entrypoint.sh \
-    && ls /app
-
-EXPOSE 443 8800
-
-#CMD ["/app/anylink"]
-ENTRYPOINT ["/app/docker_entrypoint.sh"]
-
--- a/README.md
+++ b/README.md
@@ -1,16 +1,21 @@
 # AnyLink

-[![Go](https://github.com/bjdgyc/anylink/workflows/Go/badge.svg?branch=master)](https://github.com/bjdgyc/anylink/actions)
+[![Go](https://github.com/bjdgyc/anylink/workflows/Go/badge.svg?branch=main)](https://github.com/bjdgyc/anylink/actions)
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/bjdgyc/anylink)](https://pkg.go.dev/github.com/bjdgyc/anylink)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bjdgyc/anylink)](https://goreportcard.com/report/github.com/bjdgyc/anylink)
-[![codecov](https://codecov.io/gh/bjdgyc/anylink/branch/master/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/bjdgyc/anylink)
+[![codecov](https://codecov.io/gh/bjdgyc/anylink/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/bjdgyc/anylink)
 ![GitHub release](https://img.shields.io/github/v/release/bjdgyc/anylink)
-![GitHub downloads)](https://img.shields.io/github/downloads/bjdgyc/anylink/total)
+![GitHub downloads total)](https://img.shields.io/github/downloads/bjdgyc/anylink/total)
+![GitHub Downloads (all assets, latest release)](https://img.shields.io/github/downloads/bjdgyc/anylink/latest/total)
 [![Docker pulls)](https://img.shields.io/docker/pulls/bjdgyc/anylink.svg)](https://hub.docker.com/r/bjdgyc/anylink)
 ![LICENSE](https://img.shields.io/github/license/bjdgyc/anylink)

 AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。

+使用 AnyLink，你可以随时随地安全的访问你的内部网络。
+
+With AnyLink, you can securely access your internal network anytime and anywhere.
+
 ## Repo

 > github: https://github.com/bjdgyc/anylink
@@ -22,9 +27,12 @@ AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同
 AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-02)
 协议开发，并且借鉴了 [ocserv](http://ocserv.gitlab.io/www/index.html) 的开发思路，使其可以同时兼容 AnyConnect 客户端。

-AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
+AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以使用私有自签证书，可以通过 Let's Encrypt 和 TrustAsia
+申请免费的 SSL 证书。

-AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap 功能、ip 设置命令。
+AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18、Ubuntu 20、Ubuntu 20、AnolisOS 8 测试通过，如需要安装在其他系统，需要服务端支持
+tun/tap
+功能、ip 设置命令、iptables命令。

 ## Screenshot

@@ -45,33 +53,56 @@ AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过，如需要安装
 > 没有编程基础的同学建议直接下载 release 包，从下面的地址下载 anylink-deploy.tar.gz
 >
 > https://github.com/bjdgyc/anylink/releases
+>
+> https://gitee.com/bjdgyc/anylink/releases
+>
+> 如果不会安装，可以提供有偿远程协助服务(200 CNY)。添加QQ(68492170)联系我
+>
+> 也可以添加QQ群 咨询群内大佬
+>
+> 添加QQ群①: 567510628
+>
+> <img src="doc/screenshot/qq2.jpg" width="400" />

 ### 使用问题

-> 对于测试环境，可以使用 vpn.test.vqilu.cn 绑定host进行测试
+> 对于测试环境，可以直接进行测试，需要客户端取消勾选【阻止不受信任的服务器(Block connections to untrusted servers)】
 >
-> 对于线上环境，必须申请安全的 https 证书，不支持私有证书连接
+> 对于线上环境，尽量申请安全的https证书(跟nginx使用的pem证书类型一致)
 >
-> 客户端请使用群共享文件的版本，其他版本没有测试过，不保证使用正常
-> 
-> 首次使用，请在浏览器访问 https://域名:443，浏览器提示安全后，在客户端输入 【域名:443】 即可
+> 群共享文件有相关客户端软件下载，其他版本没有测试过，不保证使用正常
+>
+> 其他问题 [前往查看](doc/question.md)
+>
+> 默认管理后台访问地址  https://host:8800 或 https://域名:8800 默认账号密码 admin 123456
+>
+> 首次使用，请在浏览器访问  https://域名:443   浏览器提示安全后，在客户端输入 【域名:443】 即可

 ### 自行编译安装

-> 需要提前安装好 golang >= 1.18 和 nodejs >= 14.x 和 yarn >= v1.22.x
+> 需要提前安装好 docker

 ```shell
 git clone https://github.com/bjdgyc/anylink.git

+# docker编译 参考软件版本(不需要安装)
+# go 1.20.12
+# node v16.20.2
+# yarn 1.22.19
+
+
 cd anylink
-sh build.sh
+
+# 编译前端
+bash build_web.sh
+# 编译 anylink-deploy 发布文件
+bash build.sh

 # 注意使用root权限运行
 cd anylink-deploy
 sudo ./anylink

 # 默认管理后台访问地址
-# 注意该host为anylink的内网ip,不能跟客户端请求的ip一样
 # https://host:8800
 # 默认账号 密码
 # admin 123456
@@ -87,10 +118,11 @@ sudo ./anylink
 - [x] 兼容 AnyConnect
 - [x] 兼容 OpenConnect
 - [x] 基于 tun 设备的 nat 访问模式
- [x] 基于 tap 设备的桥接访问模式
+- [x] 基于 tun 设备的桥接访问模式
 - [x] 基于 macvtap 设备的桥接访问模式
- [x] 支持 [proxy protocol v1](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
+- [x] 支持 [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
 - [x] 用户组支持
+- [x] 用户组策略支持
 - [x] 多用户支持
 - [x] 用户策略支持
 - [x] TOTP 令牌支持
@@ -98,10 +130,19 @@ sudo ./anylink
 - [x] 流量速率限制
 - [x] 后台管理界面
 - [x] 访问权限管理
- [x] IP 访问审计功能
+- [x] 用户活动审计功能
+- [x] IP 访问审计功能(支持多端口、连续端口)
 - [x] 域名动态拆分隧道（域名路由功能）
 - [x] radius认证支持
 - [x] LDAP认证支持
+- [x] 空闲链接超时自动断开
+- [x] 流量压缩功能
+- [x] 出口 IP 自动放行
+- [x] 支持多服务的配置区分
+- [x] 支持私有自签证书
+- [x] 支持内网域名解析(指定的域名走内网dns)
+- [x] 增加用户验证防爆功能(IP BAN)
+- [x] 支持 docker 非特权模式
 - [ ] 基于 ipvtap 设备的桥接访问模式

 ## Config
@@ -109,40 +150,71 @@ sudo ./anylink
 > 示例配置文件内有详细的注释，根据注释填写配置即可。

 ```shell
+# 查看帮助信息
+./anylink -h
+
 # 生成后台密码
 ./anylink tool -p 123456

 # 生成jwt密钥
 ./anylink tool -s
+
+# 查看所有配置项
+./anylink tool -d
 ```

 > 数据库配置示例
+>
+> 数据库表结构自动生成，无需手动导入(请赋予 DDL 权限)

-| db_type  | db_source                                              |
-| -------- | ------------------------------------------------------ |
-| sqlite3  | ./conf/anylink.db                                      |
-| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8 |
-| postgres | user:password@localhost/anylink?sslmode=verify-full    |
+| db_type  | db_source                                                                                                            |
+|----------|----------------------------------------------------------------------------------------------------------------------|
+| sqlite3  | ./conf/anylink.db                                                                                                    |
+| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8<br/>user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8mb4 |
+| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full                                                       |
+| mssql    | sqlserver://user:password@localhost?database=anylink&connection+timeout=30                                           |

 > 示例配置文件
 >
 > [conf/server-sample.toml](server/conf/server-sample.toml)

+## Upgrade
+
+> 升级前请备份配置文件`conf`目录 和 数据库，并停止服务
+>
+> 使用新版的 `anylink` 二进制文件替换旧版
+>
+> 重启服务后，即可完成升级
+
 ## Setting

+### 依赖设置
+
+> 服务端依赖安装:
+>
+> centos: yum install iptables iproute
+>
+> ubuntu: apt-get install iptables iproute2
+
+### link_mode 设置
+
 > 以下参数必须设置其中之一

-网络模式选择，需要配置 `link_mode` 参数，如 `link_mode="tun"`,`link_mode="macvtap"`,`link_mode="tap"(不推荐)` 等参数。 不同的参数需要对服务器做相应的设置。
+网络模式选择，需要配置 `link_mode` 参数，如 `link_mode="tun"`,`link_mode="macvtap"`,`link_mode="tap"(不推荐)` 等参数。
+不同的参数需要对服务器做相应的设置。

-建议优先选择 tun 模式，其次选择 macvtap 模式，因客户端传输的是 IP 层数据，无须进行数据转换。 tap 模式是在用户态做的链路层到 IP 层的数据互相转换，性能会有所下降。 如果需要在虚拟机内开启 tap
+建议优先选择 tun 模式，其次选择 macvtap 模式，因客户端传输的是 IP 层数据，无须进行数据转换。 tap 模式是在用户态做的链路层到
+IP 层的数据互相转换，性能会有所下降。 如果需要在虚拟机内开启 tap
 模式，请确认虚拟机的网卡开启混杂模式。

-### tun 设置
+#### tun 设置

 1. 开启服务器转发

 ```shell
-# flie: /etc/sysctl.conf
+# 新版本支持自动设置ip转发
+
+# file: /etc/sysctl.conf
 net.ipv4.ip_forward = 1

 #执行如下命令
@@ -158,173 +230,276 @@ cat /proc/sys/net/ipv4/ip_forward
 systemctl stop firewalld.service
 systemctl disable firewalld.service

+# 新版本支持自动设置nat转发，如有其他需求可以参考下面的命令配置
+
 # 请根据服务器内网网卡替换 eth0
-iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
+# iptables -t nat -A POSTROUTING -s 192.168.90.0/24 -o eth0 -j MASQUERADE
 # 如果执行第一个命令不生效，可以继续执行下面的命令
-# iptables -A FORWARD -i eth0 -s 192.168.10.0/24 -j ACCEPT
+# iptables -A FORWARD -i eth0 -s 192.168.90.0/24 -j ACCEPT
 # 查看设置是否生效
-iptables -nL -t nat
+# iptables -nL -t nat
 ```

 2.2 使用全局路由转发(二选一)

 ```shell
-# 假设anylink所在服务器的内网ip: 10.1.0.10
+# 假设anylink所在服务器的内网ip: 10.1.2.10
+
+# 首先关闭nat转发功能
+iptables_nat = false

 # 传统网络架构，在华三交换机添加以下静态路由规则
-ip route-static 192.168.10.0 255.255.255.0 10.1.0.10
+ip route-static 192.168.90.0 255.255.255.0 10.1.2.10
 # 其他品牌的交换机命令，请参考以下地址
 https://cloud.tencent.com/document/product/216/62007

 # 公有云环境下，需设置vpc下的路由表，添加以下路由策略
-目的端: 192.168.10.0/24
+目的端: 192.168.90.0/24
 下一跳类型: 云服务器
-下一跳: 10.1.0.10
+下一跳: 10.1.2.10

 ```

-
 3. 使用 AnyConnect 客户端连接即可

-### macvtap 设置
+#### 桥接设置

 1. 设置配置文件

-> macvtap 设置相对比较简单，只需要配置相应的参数即可。
+> arp_proxy 性能较高，设置相对比较简单，只需要配置相应的参数即可。
+>
+> 网络要求：需要网络支持 ARP 传输，可通过 ARP 宣告普通内网 IP。
+>
+> 网络限制：云环境下不能使用，网卡mac加白环境不能使用，802.1x认证网络不能使用
+>
 > 以下参数可以通过执行 `ip a` 查看

+
+1.1 arp_proxy
+
 ```
+
+# file: /etc/sysctl.conf
+net.ipv4.conf.all.proxy_arp = 1
+
+#执行如下命令
+sysctl -w net.ipv4.conf.all.proxy_arp=1
+
+
+配置文件修改:
+
+# 首先关闭nat转发功能
+iptables_nat = false
+
+
+link_mode = "tun"
 #内网主网卡名称
 ipv4_master = "eth0"
 #以下网段需要跟ipv4_master网卡设置成一样
-ipv4_cidr = "192.168.10.0/24"
-ipv4_gateway = "192.168.10.1"
-ipv4_start = "192.168.10.100"
-ipv4_end = "192.168.10.200"
-```
-
-<details>
-<summary>tap设置</summary>
-
-### ~~tap 设置~~
-
-1. 创建桥接网卡
+ipv4_cidr = "10.1.2.0/24"
+ipv4_gateway = "10.1.2.99"
+ipv4_start = "10.1.2.100"
+ipv4_end = "10.1.2.200"

-```
-注意 server.toml 的ip参数，需要与 bridge-init.sh 的配置参数一致
 ```

-2. 修改 bridge-init.sh 内的参数
-
-> 以下参数可以通过执行 `ip a` 查看
+1.2 macvtap

 ```
-eth="eth0"
-eth_ip="192.168.10.4/24"
-eth_broadcast="192.168.10.255"
-eth_gateway="192.168.10.1"
+
+# 命令行执行 master网卡需要打开混杂模式
+ip link set dev eth0 promisc on
+
+#=====================#
+
+# 配置文件修改
+# 首先关闭nat转发功能
+iptables_nat = false
+
+link_mode = "macvtap"
+#内网主网卡名称
+ipv4_master = "eth0"
+#以下网段需要跟ipv4_master网卡设置成一样
+ipv4_cidr = "10.1.2.0/24"
+ipv4_gateway = "10.1.2.1"
+ipv4_start = "10.1.2.100"
+ipv4_end = "10.1.2.200"
 ```

-3. 执行 bridge-init.sh 文件
+## Deploy

-```
-sh bridge-init.sh
-```
-</details>
+> 部署配置文件放在 `deploy` 目录下，请根据实际情况修改配置文件

-## Systemd
+### Systemd

 1. 添加 anylink 程序
-
-    - anylink 程序目录放入 `/usr/local/anylink-deploy`
-
-2. systemd/anylink.service 脚本放入：
-
+    - 首先把 `anylink-deploy` 文件夹放入 `/usr/local/anylink-deploy`
+    - 添加执行权限 `chmod +x /usr/local/anylink-deploy/anylink`
+2. 把 `anylink.service` 脚本放入：
    - centos: `/usr/lib/systemd/system/`
    - ubuntu: `/lib/systemd/system/`
-
 3. 操作命令:
-
+    - 加载配置: `systemctl daemon-reload`
    - 启动: `systemctl start anylink`
    - 停止: `systemctl stop anylink`
    - 开机自启: `systemctl enable anylink`

+### Docker Compose
+
+1. 进入 `deploy` 目录
+2. 执行脚本 `docker-compose up`
+
+### k8s
+
+1. 进入 `deploy` 目录
+2. 执行脚本 `kubectl apply -f deployment.yaml`
+
 ## Docker

-1. 获取镜像
+### anylink 镜像地址

+对于国内用户，为提高镜像拉取体验，可以考虑拉取存放于阿里云镜像仓库的镜像，镜像名称及标签如下表所示(
+具体版本号可以查看 `version` 文件):
+
+|    支持设备/平台    |       DockerHub       |                             阿里云镜像仓库                             |
+|:-------------:|:---------------------:|:---------------------------------------------------------------:|
+| x86_64/amd64  | bjdgyc/anylink:latest |     registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest     |
+| x86_64/amd64  | bjdgyc/anylink:0.13.1 |     registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:0.13.1     | 
+| armv8/aarch64 | bjdgyc/anylink:latest | registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-latest | 
+| armv8/aarch64 | bjdgyc/anylink:0.13.1 | registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-0.13.1 | 
+
+### docker 镜像源地址
+
+> docker.1ms.run/bjdgyc/anylink:latest
+>
+> dockerhub.yydy.link:2023/bjdgyc/anylink:latest
+
+
+### 操作步骤
+
+1. 获取镜像
   ```bash
+   # 具体tag可以从docker hub获取
+   # https://hub.docker.com/r/bjdgyc/anylink/tags
   docker pull bjdgyc/anylink:latest
+   docker pull registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest
   ```

 2. 查看命令信息
-
   ```bash
   docker run -it --rm bjdgyc/anylink -h
   ```

 3. 生成密码
-
   ```bash
   docker run -it --rm bjdgyc/anylink tool -p 123456
   #Passwd:$2a$10$lCWTCcGmQdE/4Kb1wabbLelu4vY/cUwBwN64xIzvXcihFgRzUvH2a
   ```

 4. 生成 jwt secret
-
   ```bash
   docker run -it --rm bjdgyc/anylink tool -s
   #Secret:9qXoIhY01jqhWIeIluGliOS4O_rhcXGGGu422uRZ1JjZxIZmh17WwzW36woEbA
   ```

-5. 启动容器
-
+5. 查看所有配置项
   ```bash
-   # -e IPV4_CIDR=192.168.10.0/24 这个参数要与配置文件内的网段一致
+   docker run -it --rm bjdgyc/anylink tool -d
+   ```
+
+6. iptables兼容设置
+   ```bash
+   # 默认 iptables 使用 nf_tables 设置转发规则,如果内核低于 4.19 版本,需要特殊配置
   docker run -itd --name anylink --privileged \
-       -e IPV4_CIDR=192.168.10.0/24
-       -p 443:443 -p 8800:8800 \
+      -e IPTABLES_LEGACY=on \
+      -p 443:443 -p 8800:8800 -p 443:443/udp \
+      --restart=always \
+      bjdgyc/anylink
+   ```
+
+7. 启动容器
+   ```bash
+   # 默认启动
+   docker run -itd --name anylink --privileged \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
+       --restart=always \
+       bjdgyc/anylink
+   
+   # 自定义配置目录
+   # 首次启动会自动创建配置文件
+   # 配置文件初始化完成后，容器会强制退出，请重新启动容器
+   docker run -itd --name anylink --privileged \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
+       -v /home/myconf:/app/conf \
+       --restart=always \
+       bjdgyc/anylink
+   
+   docker restart anylink
+   ```
+
+8. 使用自定义参数启动容器
+   ```bash
+   # 参数可以参考 ./anylink tool -d
+   # 可以使用命令行参数 或者 环境变量 配置
+   docker run -itd --name anylink --privileged \
+       -e LINK_LOG_LEVEL=info \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
+       -v /home/myconf:/app/conf \
+       --restart=always \
+       bjdgyc/anylink \
+       --ip_lease=1209600 # IP地址租约时长
+   ```
+
+9. 使用非特权模式启动容器
+   ```bash
+   # 参数可以参考 ./anylink tool -d
+   # 可以使用命令行参数 或者 环境变量 配置
+   docker run -itd --name anylink \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
+       -v /dev/net/tun:/dev/net/tun --cap-add=NET_ADMIN \
       --restart=always \
       bjdgyc/anylink
   ```

-6. 使用自定义参数启动容器
-   ```bash
-   # 参数可以参考 -h 命令
-   docker run -itd --name anylink --privileged \
-       -e IPV4_CIDR=192.168.10.0/24 \
-       -p 443:443 -p 8800:8800 \
-       --restart=always \
-       bjdgyc/anylink \
-       -c=/etc/server.toml --ip_lease=1209600 # IP地址租约时长
-   ```
-
-7. 构建镜像
-
+10. 构建镜像 (非必需)
   ```bash
   #获取仓库源码
   git clone https://github.com/bjdgyc/anylink.git
   # 构建镜像
-   docker build -t anylink .
+   sh build_docker.sh
+   或
+   docker build -t anylink -f docker/Dockerfile .
   ```

-
 ## 常见问题

 请前往 [问题地址](doc/question.md) 查看具体信息

+<!--
 ## Discussion

-添加QQ群: 567510628
-
 群共享文件有相关软件下载

-<!--
 添加微信群: 群共享文件有相关软件下载

 ![contact_me_qr](doc/screenshot/contact_me_qr.png)
 -->

+## Support Document
+
+- [三方文档-男孩的天职](https://note.youdao.com/s/X4AxyWfL)
+- [三方文档-issues](https://github.com/bjdgyc/anylink/issues)
+- [三方文档-思有云](https://www.ioiox.com/archives/128.html)
+- [三方文档-杨杨得亿](https://yangpin.link/archives/1897.html)  [Windows电脑连接步骤-杨杨得亿](https://yangpin.link/archives/1697.html)
+
+## Support Client
+
+- [AnyConnect Secure Client](https://www.cisco.com/) (可通过群文件下载: Windows/macOS/Linux/Android/iOS)
+- [OpenConnect](https://gitlab.com/openconnect/openconnect) (Windows/macOS/Linux)
+- [三方 AnyLink Secure Client](https://github.com/tlslink/anylink-client) (Windows/macOS/Linux)
+- [【推荐】三方客户端下载地址](https://cisco.yydy.link/) (
+  Windows/macOS/Linux/Android/iOS)
+- [客户端下载面板搭建](https://blog.yydy.link/archives/2018.html) (支持Docker、Linux二进制、Windwos系统直接运行)

 ## Contribution

@@ -347,7 +522,7 @@ sh bridge-init.sh

 ## License

-本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 LICENSE 文件中。
+本项目采用 AGPL-3.0 开源授权许可证，完整的授权说明已放置在 LICENSE 文件中。

 ## Thank

--- a/build.sh
+++ b/build.sh
@@ -1,56 +1,28 @@
 #!/bin/bash

-set -x
-function RETVAL() {
-  rt=$1
-  if [ $rt != 0 ]; then
-    echo $rt
-    exit 1
-  fi
-}
-
 #当前目录
 cpath=$(pwd)

-echo "编译前端项目"
-cd $cpath/web
-#国内可替换源加快速度
-#npx browserslist@latest --update-db
-#npm install --registry=https://registry.npm.taobao.org
-#npm install
-#npm run build
+ver=$(cat version)
+echo $ver

-yarn install
-yarn run build
+#前端编译 仅需要执行一次
+#bash ./build_web.sh

-RETVAL $?
+bash build_docker.sh

-echo "编译二进制文件"
-cd $cpath/server
-rm -rf ui
-cp -rf $cpath/web/ui .
-#国内可替换源加快速度
-export GOPROXY=https://goproxy.io
-go mod tidy
-go build -v -o anylink -ldflags "-X main.CommitId=$(git rev-parse HEAD)"
-RETVAL $?
+deploy="anylink-deploy-$ver"
+docker container rm $deploy
+docker container create --name $deploy bjdgyc/anylink:$ver
+rm -rf anylink-deploy anylink-deploy.tar.gz
+docker cp -a $deploy:/app ./anylink-deploy
+tar zcf ${deploy}.tar.gz anylink-deploy

-cd $cpath

-echo "整理部署文件"
-deploy="anylink-deploy"
-rm -rf $deploy ${deploy}.tar.gz
-mkdir $deploy
+./anylink-deploy/anylink -v

-cp -r server/anylink $deploy
-cp -r server/bridge-init.sh $deploy
-cp -r server/conf $deploy

-cp -r systemd $deploy
-cp -r LICENSE $deploy
+echo "anylink 编译完成，目录: anylink-deploy"
+ls -lh anylink-deploy

-tar zcvf ${deploy}.tar.gz $deploy

-#注意使用root权限运行
-#cd anylink-deploy
-#sudo ./anylink --conf="conf/server.toml"
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -1,14 +1,27 @@
 #!/bin/bash

-ver=`cat server/base/app_ver.go | grep APP_VER | awk '{print $3}' | sed 's/"//g'`
+action=$1
+
+ver=$(cat version)
 echo $ver

-#docker login -u bjdgyc
+# docker login -u bjdgyc

-docker build -t bjdgyc/anylink .
+# 生成时间 2024-01-30T21:41:27+08:00
+# date -Iseconds

+#bash ./build_web.sh
+
+# docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 本地不生成镜像
+docker build -t bjdgyc/anylink:latest --no-cache --progress=plain \
+  --build-arg CN="yes" --build-arg appVer=$ver --build-arg commitId=$(git rev-parse HEAD) \
+  -f docker/Dockerfile .
+
+echo "docker tag latest $ver"
 docker tag bjdgyc/anylink:latest bjdgyc/anylink:$ver

-docker push bjdgyc/anylink:$ver
-docker push bjdgyc/anylink:latest
-
+if [[ $action == "cntest" ]]; then
+  docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+  docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+  echo registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+fi
--- a/build_test.sh
+++ b/build_test.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+#github action release.sh
+
+set -x
+function RETVAL() {
+  rt=$1
+  if [ $rt != 0 ]; then
+    echo $rt
+    exit 1
+  fi
+}
+
+#当前目录
+cpath=$(pwd)
+
+ver=$(cat version)
+echo $ver
+
+#前端编译 仅需要执行一次
+#bash ./build_web.sh
+
+echo "copy二进制文件"
+
+# -tags osusergo,netgo,sqlite_omit_load_extension
+flags="-trimpath"
+ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
+#github action
+gopath=/go
+
+dockercmd=$(
+  cat <<EOF
+sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+apk add gcc g++ musl musl-dev tzdata
+export GOPROXY=https://goproxy.cn
+go mod tidy
+echo "build:"
+rm anylink
+export CGO_ENABLED=1
+go build -v -o anylink $flags -ldflags "$ldflags"
+./anylink -v
+EOF
+)
+
+# golang:1.20-alpine3.19
+#使用 musl-dev 编译
+docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/amd64 \
+  golang:1.22-alpine3.19 sh -c "$dockercmd"
+
+#arm64编译
+#docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/arm64 \
+#  golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
+#exit 0
+
+#cd $cpath
+
+echo "整理部署文件"
+rm -rf anylink-deploy anylink-deploy.tar.gz
+mkdir anylink-deploy
+mkdir anylink-deploy/log
+
+cp -r server/anylink anylink-deploy
+cp -r server/conf anylink-deploy
+
+cp -r index_template anylink-deploy
+cp -r deploy anylink-deploy
+cp -r LICENSE anylink-deploy
+
+tar zcvf anylink-deploy.tar.gz anylink-deploy
+
+#注意使用root权限运行
+#cd anylink-deploy
+#sudo ./anylink --conf="conf/server.toml"
--- a/build_web.sh
+++ b/build_web.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+rm -rf web/ui server/ui
+
+docker run -it --rm -v $PWD/web:/app -w /app node:16-alpine \
+  sh -c "yarn install --registry=https://registry.npmmirror.com && yarn run build"
+
+
+cp -r web/ui server/ui
--- a/deploy/anylink.service
+++ b/deploy/anylink.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=AnyLink Server Service
+Documentation=https://github.com/bjdgyc/anylink
+After=network-online.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/usr/local/anylink-deploy
+Restart=on-failure
+RestartSec=5s
+ExecStart=/usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml
+
+# systemctl --version
+
+# systemd older than v236
+# ExecStart=/bin/bash -c 'exec /usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml >> /usr/local/anylink-deploy/log/anylink.log 2>&1'
+
+# systemd new than v236
+# StandardOutput=file:/usr/local/anylink-deploy/log/anylink-systemd.log
+# StandardError=file:/usr/local/anylink-deploy/log/anylink-systemd.log
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: anylink
+  namespace: default
+  labels:
+    link-app: anylink
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      link-app: anylink
+  template:
+    metadata:
+      labels:
+        link-app: anylink
+    spec:
+      #hostNetwork: true
+      dnsPolicy: ClusterFirst
+      containers:
+        - name: anylink
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: POD_CPU_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: POD_MEMORY_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: TZ
+              value: "Asia/Shanghai"
+          image: bjdgyc/anylink:latest
+          imagePullPolicy: Always
+          args:
+            - --conf=/app/conf/server.toml
+          ports:
+            - name: https
+              containerPort: 443
+              protocol: TCP
+            - name: https-admin
+              containerPort: 8800
+              protocol: TCP
+            - name: dtls
+              containerPort: 443
+              protocol: UDP
+          # 设置资源
+          resources:
+            limits:
+              cpu: "2"
+              memory: 4Gi
+              ephemeral-storage: "2Gi"
+          securityContext:
+            privileged: true
+      # 禁用自动注入 service 信息到环境变量
+      enableServiceLinks: false
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext: { }
+      tolerations:
+        - operator: Exists
+      #设置优先级
+      priorityClassName: system-cluster-critical
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: anylink
+  namespace: default
+  labels:
+    link-app: anylink
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+    - name: https-admin
+      port: 8800
+      targetPort: 8800
+      protocol: TCP
+    - name: dtls
+      port: 443
+      targetPort: 443
+      protocol: UDP
+  selector:
+    link-app: anylink
+  sessionAffinity: ClientIP
+  type: ClusterIP
--- a/deploy/docker-compose.yaml
+++ b/deploy/docker-compose.yaml
@@ -0,0 +1,20 @@
+services:
+  anylink:
+    image: bjdgyc/anylink:latest
+    container_name: anylink
+    restart: always
+    privileged: true
+    #cpus: 2
+    #mem_limit: 4g
+    ports:
+      - 443:443
+      - 8800:8800
+      - 443:443/udp
+    environment:
+      LINK_LOG_LEVEL: info
+      #IPTABLES_LEGACY: "on"
+    command:
+      - --conf=/app/conf/server.toml
+    #volumes:
+    #  - /home/myconf:/app/conf
+    dns_search: .
--- a/deploy_docker_cn.sh
+++ b/deploy_docker_cn.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+ver=$(cat version)
+echo $ver
+
+echo "docker tag latest $ver"
+
+docker pull --platform=linux/amd64 bjdgyc/anylink:$ver
+
+docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest
+docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest
+
+docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:$ver
+docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:$ver
+
+docker rmi bjdgyc/anylink:$ver
+
+#arm64
+docker pull --platform=linux/arm64 bjdgyc/anylink:$ver
+
+docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-latest
+docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-latest
+
+docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-$ver
+docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-$ver
+
+docker rmi bjdgyc/anylink:$ver
--- a/doc/README.md
+++ b/doc/README.md
@@ -3,28 +3,59 @@
 > 如果您觉得 AnyLink 对你有帮助，欢迎给我们打赏，也是帮助 AnyLink 更好的发展。

 <p>
-    <img src="screenshot/wxpay2.png" width="500" />
+    <img src="screenshot/wxpay2.png" width="435" alt="anylink捐赠二维码" />
 </p>

 ## Donator

 > 感谢以下同学的打赏，AnyLink 有你更美好！
+>
+> 需要展示主页的同学，可以在QQ群 直接联系我添加。

-| 昵称           | 主页                         |
-| -------------- | ---------------------------- |
-| 代码 oo8       |                              |
-| 甘磊           | https://github.com/ganlei333 |
-| Oo@            | https://github.com/chooop    |
-| 虚极静笃       |                              |
-| 请喝可乐       |                              |
-| 加油加油       |                              |
-| 李建           |                              |
-| lanbin         |                              |
-| 乐在东途       |                              |
-| 孤鸿           |                              |
-| 刘国华         |                              |
-| 改名好无聊     |                              |
-| 全能互联网专家 |                              |
+| 昵称                 | 主页 / 联系方式                    |
+|--------------------|------------------------------|
+| 代码 oo8             |                              |
+| 甘磊                 | https://github.com/ganlei333 |
+| Oo@                | https://github.com/chooop    |
+| 虚极静笃               |                              |
+| 请喝可乐               |                              |
+| 加油加油               |                              |
+| 李建                 |                              |
+| lanbin             |                              |
+| 乐在东途               |                              |
+| 孤鸿                 |                              |
+| 刘国华                |                              |
+| 改名好无聊              |                              |
+| 全能互联网专家            |                              |
+| JCM                |                              |
+| Eh...              |                              |
+| 沉                  |                              |
+| 刘国华                |                              |
+| 忧郁的豚骨拉面            |                              |
+| 张小旋当爹地             |                              |
+| 对方正在输入             |                              |
+| Ronny              |                              |
+| 奔跑的少年              |                              |
+| ZBW                |                              |
+| 悲鸣                 |                              |
+| 谢谢                 |                              |
+| 云思科技               |                              |
+| 哆啦A伟(张佳伟)          |                              |
+| 人类的悲欢并不相通          |                              |
+| 做人要低调              |                              |
+| 洛洛                 |                              |
+| Dragon Liao        |                              |
+| 诸葛御风               |                              |
+| 杨杨得亿               |                              |
+| Thanataos          |                              |
+| 憨大叔                |                              |
+| 明月                 |                              |
+| Amis               |                              |
+| Blake              |                              |
+| 刘国华                |                              |
+| ZBW                |                              |
+| 全能互联网专家            |                              |
+| 广播.会议.音响.无纸化.物联网中控 |                              |



--- a/doc/question.md
+++ b/doc/question.md
@@ -1,34 +1,110 @@
-# 常见问题
+## 常见问题

 ### anyconnect 客户端问题
+
 > 客户端请使用群共享文件的版本，其他版本没有测试过，不保证使用正常
-> 
+>
 > 添加QQ群: 567510628

 ### OTP 动态码
+
 > 请使用手机安装 freeotp ，然后扫描otp二维码，生成的数字即是动态码

+### 用户策略问题
+
+> 只要有用户策略，组策略就不生效，相当于覆盖了组策略的配置
+
 ### 远程桌面连接
+
 > 本软件已经支持远程桌面里面连接anyconnect。

 ### 私有证书问题
+
 > anylink 默认不支持私有证书
-> 
+>
 > 其他使用私有证书的问题，请自行解决

+### 客户端连接名称
+
+> 客户端连接名称需要修改 [profile.xml](../server/conf/profile.xml) 文件
+
+```xml
+
+<HostEntry>
+    <HostName>VPN</HostName>
+    <HostAddress>localhost</HostAddress>
+</HostEntry>
+```
+
 ### dpd timeout 设置问题
-```
+
+```yaml
 #客户端失效检测时间(秒) dpd > keepalive
-cstp_keepalive = 20
-cstp_dpd = 30
-mobile_keepalive = 40
-mobile_dpd = 50
+cstp_keepalive = 4
+cstp_dpd = 9
+mobile_keepalive = 7
+mobile_dpd = 15
 ```
+
 > 以上dpd参数为客户端的超时检测时间, 如一段时间内，没有数据传输，防火墙会主动关闭连接
-> 
+>
 > 如经常出现 timeout 的错误信息，应根据当前防火墙的设置，适当减小dpd数值

+### 关于审计日志 audit_interval 参数
+
+> 默认值 `audit_interval = 600` 表示相同日志600秒内只记录一次，不同日志首次出现立即记录
+>
+> 去重key的格式: 16字节源IP地址 + 16字节目的IP地址 + 2字节目的端口 + 1字节协议类型 + 16字节域名MD5
+
+### 反向代理问题
+
+> anylink 仅支持四层反向代理，不支持七层反向代理
+>
+> 如Nginx请使用 stream模块
+
+```conf
+stream {
+    upstream anylink_server {
+        server 127.0.0.1:8443;
+    }
+    server {
+        listen 443 tcp;
+        proxy_timeout 30s;
+        proxy_pass anylink_server;
+    }
+}
+```
+
+> nginx实现 共用443端口 示例
+
+```conf
+stream {
+    map $ssl_preread_server_name $name {
+        vpn.xx.com        myvpn;
+        default     defaultpage;
+    }
+    
+    # upstream pool
+    upstream myvpn {
+        server 127.0.0.1:8443;
+    }
+    upstream defaultpage {
+        server 127.0.0.1:8080;
+    }
+    
+    server {
+        listen 443 so_keepalive=on;
+        ssl_preread on;
+        #接收端也需要设置 proxy_protocol
+        #proxy_protocol on;
+        proxy_pass $name;
+    }
+}
+
+```
+
 ### 性能问题
+
 ```
 内网环境测试数据
 虚拟服务器：  centos7 4C8G
@@ -37,6 +113,22 @@ anylink:    tun模式 tcp传输
 客户端网卡下载速度：270Mb/s
 服务端网卡上传速度：280Mb/s
 ```
+
 > 客户端tls加密协议、隧道header头都会占用一定带宽


+### 登录防爆说明
+
+```
+1.用户 A 在 IP 1.2.3.4 上尝试登录:
+  用户 A 在 IP 1.2.3.4 上尝试登录失败 5 次，触发了该 IP 上的用户 A 锁定 5 分钟。
+  在这 5 分钟内，用户 A 从 IP 1.2.3.4 无法进行新的登录尝试。
+2.用户 A 更换 IP 到 1.2.3.5 继续尝试登录:
+  用户 A 在 IP 1.2.3.5 上继续尝试登录，并且累计失败 20 次，触发了全局用户 A 锁定 5 分钟。
+  在这 5 分钟内，用户 A 从任何 IP 地址都无法进行新的登录尝试。
+3.IP 1.2.3.4 上多个用户尝试登录:
+  如果从 IP 1.2.3.4 上累计有 40 次失败登录尝试（无论来自多少不同的用户），触发了该 IP 的全局锁定 5 分钟。
+  在这 5 分钟内，从 IP 1.2.3.4 的所有登录尝试都将被拒绝。
+
+如果在 N 分钟内没有新的失败尝试，失败计数会在 N 分钟后（*_reset_time）重置。
+```
--- a/doc/screenshot/contact_me_qr.png
+++ b/doc/screenshot/contact_me_qr.png
--- a/doc/screenshot/qq2.jpg
+++ b/doc/screenshot/qq2.jpg
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,6 +1,62 @@
-FROM ubuntu:18.04
-WORKDIR /
-COPY docker_entrypoint.sh docker_entrypoint.sh
-RUN mkdir /anylink && apt update && apt install -y wget iptables tar iproute2
-ENTRYPOINT ["/docker_entrypoint.sh"]
-#CMD ["/anylink/anylink","-conf=/anylink/conf/server.toml"]
+#node:16-bullseye
+#golang:1.20-bullseye
+#debian:bullseye-slim
+#bullseye
+# sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
+#bookworm
+# sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list.d/debian.sources
+
+# sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+
+
+# 配合 github action 使用
+# 需要先编译出ui文件后 再执行docker编译
+
+# server
+# golang:1.20-alpine3.19
+FROM golang:1.22-alpine3.19 as builder_golang
+
+ARG CN="no"
+ARG appVer="appVer"
+ARG commitId="commitId"
+
+ENV TZ=Asia/Shanghai
+
+WORKDIR /server
+COPY docker/init_build.sh /tmp/
+COPY server/ /server/
+COPY web/ui  /server/ui
+
+#RUN apk add gcc musl-dev bash
+RUN sh /tmp/init_build.sh
+
+
+# anylink
+FROM alpine:3.19
+LABEL maintainer="github.com/bjdgyc"
+
+ARG CN="no"
+
+ENV TZ=Asia/Shanghai
+#开关变量  on  off
+ENV ANYLINK_IN_CONTAINER="on"
+ENV IPTABLES_LEGACY="off"
+
+WORKDIR /app
+COPY docker/init_release.sh /tmp/
+
+COPY --from=builder_golang /server/anylink  /app/
+COPY docker/docker_entrypoint.sh server/bridge-init.sh ./README.md ./LICENSE version_info /app/
+COPY ./deploy /app/deploy
+COPY ./index_template  /app/index_template
+COPY ./server/conf  /app/conf
+
+#TODO 本地打包时使用镜像
+RUN sh /tmp/init_release.sh
+
+
+EXPOSE 443 8800 443/udp
+
+#CMD ["/app/anylink"]
+ENTRYPOINT ["/app/docker_entrypoint.sh"]
+
--- a/docker/docker_entrypoint.sh
+++ b/docker/docker_entrypoint.sh
@@ -1,41 +1,37 @@
-#!/bin/sh
-USER="admin"
-MM=$(pwgen -1s)
-CREATE_USER=1
-CONFIG_FILE='/app/conf/server.toml'
+#!/bin/bash
+var1=$1

-if [ $CREATE_USER -eq 1 ]; then
-  if [ ! -e $CREATE_USER ]; then
-	    MM=$(pwgen -1s)
-            touch $CREATE_USER
-	    bash /app/generate-certs.sh
-            cd /app/conf/ && cp *.crt  /usr/local/share/ca-certificates/
-	    update-ca-certificates --fresh
-            userpass=$(/app/anylink -passwd "${MM}"| cut -d : -f2)
-	    echo "${userpass}"
-            jwttoken=$(/app/anylink -secret | cut -d : -f2)
-            echo "-- First container startup --user:${USER} pwd:${MM}"
-            sed -i "s/admin/${USER}/g" /app/server-example.toml
-            sed -i "s/123456/${MM}/g" /app/server-example.toml
-            sed -i "s#usertoken#${userpass}#g" /app/server-example.toml
-            sed -i "s/jwttoken/${jwttoken}/g" /app/server-example.toml
-            else
-                        echo "-- Not first container startup --"
+#set -x
+
+case $var1 in
+"bash" | "sh")
+  echo $var1
+  exec "$@"
+  ;;
+
+"tool")
+  /app/anylink "$@"
+  ;;
+
+*)
+  #sysctl -w net.ipv4.ip_forward=1
+  #iptables -t nat -A POSTROUTING -s "${IPV4_CIDR}" -o eth0+ -j MASQUERADE
+  #iptables -nL -t nat
+
+  # 启动服务 先判断配置文件是否存在
+  if [[ ! -f /app/conf/profile.xml ]]; then
+    /bin/cp -r /home/conf-bak/* /app/conf/
+    echo "After the configuration file is initialized, the container will be forcibly exited. Restart the container."
+    echo "配置文件初始化完成后，容器会强制退出，请重新启动容器。"
+    exit 1
  fi

-else
-                echo "user switch not create"
+  # 兼容老版本 iptables
+  if [[ $IPTABLES_LEGACY == "on" ]]; then
+    rm /sbin/iptables
+    ln -s /sbin/iptables-legacy /sbin/iptables
+  fi

-fi
-
-if [ ! -f $CONFIG_FILE ]; then
-echo "#####Generating configuration file#####"
-cp /app/server-example.toml /app/conf/server.toml
-else
-        echo "#####Configuration file already exists#####"
-fi
-
-rtaddr=$(grep "cidr" /app/conf/server.toml |awk -F \" '{print $2}')
-sysctl -w net.ipv4.ip_forward=1
-iptables -t nat -A POSTROUTING -s "${rtaddr}" -o eth0+ -j MASQUERADE
-/app/anylink -conf="/app/conf/server.toml"
+  exec /app/anylink "$@"
+  ;;
+esac
--- a/docker/docker_entrypoint_fix.sh
+++ b/docker/docker_entrypoint_fix.sh
@@ -1,37 +0,0 @@
-#! /bin/bash
-version=(`wget -qO- -t1 -T2 "https://api.github.com/repos/bjdgyc/anylink/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g'`)
-count=(`ls anylink | wc -w `)
-wget https://github.com/bjdgyc/anylink/releases/download/${version}/anylink-deploy.tar.gz
-tar xf anylink-deploy.tar.gz
-rm -rf anylink-deploy.tar.gz
-if [ ${count} -eq 0 ]; then
-	echo "init anylink"
-	mv anylink-deploy/* anylink/
-else
-	if [ ! -d "/anylink/log" ]; then
-		mv anylink-deploy/log anylink/
-	fi
-	if [ ! -d "/anylink/conf" ]; then
-                mv anylink-deploy/conf anylink/
-        fi
-	echo "update anylink"
-	rm -rf anylink/ui anylink/anylink anylink/files
-	mv anylink-deploy/ui anylink/
-	mv anylink-deploy/anylink anylink/
-	mv anylink-deploy/files anylink/
-fi
-rm -rf anylink-deploy
-sysctl -w net.ipv4.ip_forward=1
-if [[ ${mode} == pro ]];then
-	iptables -t nat -A POSTROUTING -s ${iproute} -o eth0 -j MASQUERADE
-	iptables -L -n -t nat
-	/anylink/anylink -conf=/anylink/conf/server.toml
-elif [[ ${mode} == password ]];then
-	if [ -z ${password} ];then
-		echo "invalid password"
-	else
-		/anylink/anylink -passwd ${password}
-	fi
-elif [[ ${mode} -eq jwt ]];then
-	/anylink/anylink -secret
-fi
--- a/docker/init_build.sh
+++ b/docker/init_build.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -x
+
+#TODO 本地打包时使用镜像
+if [[ $CN == "yes" ]]; then
+  #sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+  sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+  export GOPROXY=https://goproxy.cn
+fi
+
+apk add build-base tzdata gcc g++ musl musl-dev upx
+
+uname -a
+env
+date
+
+cd /server
+
+go mod tidy
+
+echo "start build"
+
+ldflags="-s -w -X main.appVer=$appVer -X main.commitId=$commitId -X main.buildDate=$(date -Iseconds) -extldflags \"-static\" "
+
+export CGO_ENABLED=1
+go build -v -o anylink -trimpath -ldflags "$ldflags"
+
+ls -lh /server/
+
+# 压缩文件
+upx -9 -k anylink
+
+/server/anylink -v
--- a/docker/init_release.sh
+++ b/docker/init_release.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -x
+
+#TODO 本地打包时使用镜像
+if [[ $CN == "yes" ]]; then
+  #sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+  sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+  export GOPROXY=https://goproxy.cn
+fi
+
+
+# docker 启动使用 4.19 以上内核
+apk add --no-cache ca-certificates bash iproute2 tzdata iptables inetutils-telnet
+
+# alpine:3.19 兼容老版本 iptables
+apk add --no-cache iptables-legacy
+
+#rm /sbin/iptables
+#ln -s /sbin/iptables-legacy /sbin/iptables
+
+
+chmod +x /app/docker_entrypoint.sh
+mkdir /app/log
+
+#备份配置文件
+cp -r /app/conf /home/conf-bak
+
+tree /app
+
+uname -a
+date -Iseconds
--- a/docker_entrypoint.sh
+++ b/docker_entrypoint.sh
@@ -1,23 +0,0 @@
-#!/bin/sh
-var1=$1
-
-#set -x
-
-case $var1 in
-"bash" | "sh")
-  echo $var1
-  exec "$@"
-  ;;
-
-"tool")
-  /app/anylink "$@"
-  ;;
-
-*)
-  sysctl -w net.ipv4.ip_forward=1
-  iptables -t nat -A POSTROUTING -s "${IPV4_CIDR}" -o eth0+ -j MASQUERADE
-  iptables -nL -t nat
-
-  exec /app/anylink "$@"
-  ;;
-esac
--- a/index_template/自定义首页1.html
+++ b/index_template/自定义首页1.html
@@ -0,0 +1,101 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>AnyLink - 企业级远程办公 SSL VPN</title>
+  <style>
+    /* CSS样式表 */
+    body {
+      font-family: Arial, sans-serif;
+      margin: 0;
+      padding: 0;
+    }
+    
+    header {
+      background-color: #333;
+      color: #fff;
+      padding: 20px;
+      text-align: center;
+    }
+    
+    h1 {
+      margin: 0;
+      font-size: 32px;
+    }
+    
+    main {
+      max-width: 960px;
+      margin: 20px auto;
+      padding: 0 20px;
+	  margin-bottom: 100px;
+    }
+    
+    p {
+      line-height: 1.5;
+    }
+    
+	/* 设置页脚固定在底部，并且占满横向宽度 */
+	footer {
+		position: fixed;
+		bottom: 0;
+		left: 0;
+		width: 100%;
+	}
+	
+    footer {
+      background-color: #f2f2f2;
+      padding: 20px;
+      text-align: center;
+    }
+	
+    
+    .cta-button {
+      display: inline-block;
+      background-color: #007bff;
+      color: #fff;
+      padding: 10px 20px;
+      text-decoration: none;
+      border-radius: 4px;
+      font-weight: bold;
+      margin-right: 10px;
+    }
+  </style>
+</head>
+<body>
+  <header>
+    <h1>欢迎使用 AnyLink</h1>
+  </header>
+
+  <main>
+    <h2>什么是 AnyLink？</h2>
+    <p>AnyLink 是一款面向企业级的远程办公 SSL VPN 软件，支持多人同时在线使用。它提供安全、便捷的访问内部网络资源的方式，使远程工作者能够有效协作。</p>
+
+    <h2>核心功能</h2>
+    <ul>
+      <li>安全远程访问：AnyLink 使用 SSL/TLS 加密技术，确保远程用户与企业网络之间的连接安全可靠。</li>
+      <li>多用户支持：多个用户可以同时连接 VPN，实现不同地点团队的无缝协作。</li>
+      <li>灵活网络访问：AnyLink 能够安全地让远程工作者访问内部资源，如文件、应用程序和数据库。</li>
+      <li>集中化管理：该 VPN 解决方案提供集中化管理控制台，便于用户管理、访问控制和监控。</li>
+    </ul>
+
+    <h2>开始使用 AnyLink</h2>
+    <p>体验 AnyLink 为您的企业远程办公需求所带来的便利和安全。</p>
+
+    <h2>下载客户端</h2>
+    <a href="/files/anyconnect-win-4.10.05111.msi" class="cta-button">Windows 客户端</a>
+    <a href="/files/anyconnect-macos-4.10.05111.dmg" class="cta-button">Mac 客户端</a>
+
+    <a href="https://apps.apple.com/cn/app/cisco-secure-client/id1135064690" class="cta-button">iOS 客户端</a>
+    <a href="/files/CiscoSecureClientAnyConnect_v5.0.00247.apk" class="cta-button">Android 客户端</a>
+
+    <a href="/files/freeotp.apk" class="cta-button">Android FreeOTP客户端</a>
+    <a href="https://apps.apple.com/cn/app/freeotp-authenticator/id872559395" class="cta-button">iOS FreeOTP客户端</a>
+    <h2>使用手册</h2>
+    <a href="/files/anylink_doc.pdf" class="cta-button">使用手册(Windows)</a>
+  </main>
+
+  <footer>
+    &copy; 2023 AnyLink. 保留所有权利。
+  </footer>
+</body>
+</html>
--- a/index_template/自定义首页2.html
+++ b/index_template/自定义首页2.html
@@ -0,0 +1,165 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+
+<head>
+    <meta charset=UTF-8">
+    <title id="pageTitle">客户端下载</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <style type="text/css">
+        body {
+            background-color: #fff;
+            background-image: linear-gradient(0deg, transparent 24%, rgba(207, 207, 207, 0.2) 25%, rgba(207, 207, 207, 0.2) 26%, transparent 27%, transparent 74%, rgba(207, 207, 207, 0.2) 75%, rgba(207, 207, 207, 0.2) 76%, transparent 77%, transparent),
+            linear-gradient(90deg, transparent 24%, rgba(207, 207, 207, 0.2) 25%, rgba(207, 207, 207, 0.2) 26%, transparent 27%, transparent 74%, rgba(207, 207, 207, 0.2) 75%, rgba(207, 207, 207, 0.2) 76%, transparent 77%, transparent);
+            background-size: 50px 50px;
+            margin: 0;
+            padding: 0;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+        }
+
+        #box {
+            background-color: #ffffff;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            position: relative;
+            padding: 20px;
+            border-radius: 8px;
+            max-width: 550px;
+            width: 100%;
+            box-sizing: border-box;
+        }
+
+        h2 {
+            color: #333;
+            font-weight: 600;
+            font-size: 28px;
+            margin: 0 0 20px 0;
+        }
+
+        p {
+            color: #666;
+            font-size: 16px;
+            line-height: 1.6;
+            margin-top: 20px;
+        }
+
+        .button {
+            background-color: #ddd;
+            text-decoration: none;
+            line-height: 44px;
+            padding: 9px 42px;
+            font-weight: 500;
+            color: #fff;
+            font-size: 16px;
+            -webkit-transition: background-color 0.25s ease-out 0s;
+            -moz-transition: background-color 0.25s ease-out 0s;
+            transition: background-color 0.25s ease-out 0s;
+            -moz-border-radius: 4px;
+            -webkit-border-radius: 4px;
+            border-radius: 4px;
+        }
+
+        .button:hover {
+            background-color: #CCC;
+            color: #444;
+        }
+
+        .button:active {
+            background-color: #666;
+            color: #eee;
+        }
+
+        .blue {
+            background-color: #007BFF;
+        }
+
+        .deep-blue {
+            background-color: #0056B3;
+        }
+
+        .green {
+            background-color: #28A745;
+        }
+
+        .grey {
+            background-color: #6C757D;
+        }
+
+        .black {
+            background-color: #343A40;
+        }
+
+        .light-blue {
+            background-color: #17A2B8;
+        }
+
+        .dark-grey {
+            background-color: #495057;
+        }
+
+        @media (max-width: 768px) {
+            h2 {
+                font-size: 24px;
+            }
+
+            p {
+                font-size: 14px;
+            }
+
+            .button {
+                padding: 7px 35px;
+            }
+        }
+    </style>
+</head>
+
+<body>
+<div id="app">
+    <div id="box">
+        <h2 id="title">请选择对应平台下载</h2>
+        <p id="windowsTab">Windows 系统</p>
+        <a id="linkWindowsX86_64" class="button blue" href="#">Win X86_64</a>
+        <a id="linkWindowsARM64" class="button deep-blue" href="#">Win ARM64</a>
+
+        <p id="mobileTab">移动端</p>
+        <a id="linkAndroid" class="button green" href="#">Android</a>
+        <a id="linkIphone" class="button grey" href="#" target="_blank">iPhone</a>
+
+        <p id="macOSTab">MacOS 系统</p>
+        <a id="linkMacos" class="button black" href="#">Mac Intel</a>
+        <a id="linkMacosARM64" class="button blue" href="#">Mac ARM64</a>
+
+        <p id="totpTab">TOTP 移动客户端</p>
+        <a id="linkTotpAndroid" class="button light-blue" href="#">Android</a>
+        <a id="linkTotpIphone" class="button dark-grey" href="#" target="_blank">iPhone</a>
+    </div>
+</div>
+<script>
+    const data = {
+        links: {
+            windowsX86_64: '/files/anyconnect-win-4.10.05111.msi',
+            windowsARM64: '/files/anyconnect-win-4.10.05111.msi',
+            android: '/files/CiscoSecureClientAnyConnect_v5.0.00247.apk',
+            iphone: 'https://apps.apple.com/cn/app/cisco-anyconnect/id1135064690',
+            macosIntel: '/files/anyconnect-macos-4.10.05111.dmg',
+            macosARM64: '/files/anyconnect-macos-4.10.05111.dmg',
+            totpAndroid: '/files/Authenticator_v5.10_apkpure.com.apk',
+            totpIphone: 'https://apps.apple.com/cn/app/google-authenticator/id388497605',
+        }
+    };
+
+    window.onload = function () {
+        document.getElementById('linkWindowsX86_64').href = data.links.windowsX86_64;
+        document.getElementById('linkWindowsARM64').href = data.links.windowsARM64;
+        document.getElementById('linkAndroid').href = data.links.android;
+        document.getElementById('linkIphone').href = data.links.iphone;
+        document.getElementById('linkMacos').href = data.links.macosIntel;
+        document.getElementById('linkMacosARM64').href = data.links.macosARM64;
+        document.getElementById('linkTotpAndroid').href = data.links.totpAndroid;
+        document.getElementById('linkTotpIphone').href = data.links.totpIphone;
+    };
+</script>
+</body>
+
+</html>
--- a/release.sh
+++ b/release.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+#github action release.sh
+
+set -x
+function RETVAL() {
+  rt=$1
+  if [ $rt != 0 ]; then
+    echo $rt
+    exit 1
+  fi
+}
+
+#当前目录
+cpath=$(pwd)
+
+ver=$(cat version)
+echo "当前版本 $ver"
+
+rm -rf artifact-dist
+mkdir artifact-dist
+
+function archive() {
+  arch=$1
+  #echo "整理部署文件 $arch"
+  arch_name=${arch//\//-}
+  echo $arch_name
+
+  deploy="anylink-$ver-$arch_name"
+  docker container rm $deploy
+  docker container create --platform $arch --name $deploy bjdgyc/anylink:$ver
+  rm -rf anylink-deploy
+  docker cp -a $deploy:/app ./anylink-deploy
+
+  ls -lh anylink-deploy
+
+  tar zcf ${deploy}.tar.gz anylink-deploy
+  mv ${deploy}.tar.gz artifact-dist/
+}
+
+echo "copy二进制文件"
+
+archive "linux/amd64"
+archive "linux/arm64"
+
+ls -lh artifact-dist
+
+#注意使用root权限运行
+#cd anylink-deploy
+#sudo ./anylink --conf="conf/server.toml"
--- a/server/.gitignore
+++ b/server/.gitignore
@@ -18,4 +18,4 @@ ui/
 .idea/
 anylink
 data.db
-conf/*.db
+conf/*.db
--- a/server/admin/api_base.go
+++ b/server/admin/api_base.go
@@ -3,11 +3,13 @@ package admin
 import (
 	"fmt"
 	"net/http"
+	"runtime/debug"
 	"time"

 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/mux"
+	"github.com/xlzd/gotp"
 )

 // Login 登陆接口
@@ -20,10 +22,35 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	adminUser := r.PostFormValue("admin_user")
 	adminPass := r.PostFormValue("admin_pass")

+	// 启用otp验证
+	if base.Cfg.AdminOtp != "" {
+		pwd := adminPass
+		pl := len(pwd)
+		if pl < 6 {
+			RespError(w, RespUserOrPassErr)
+			base.Error(adminUser, "管理员otp错误")
+			return
+		}
+		// 判断otp信息
+		adminPass = pwd[:pl-6]
+		otp := pwd[pl-6:]
+
+		totp := gotp.NewDefaultTOTP(base.Cfg.AdminOtp)
+		unix := time.Now().Unix()
+		verify := totp.Verify(otp, unix)
+
+		if !verify {
+			RespError(w, RespUserOrPassErr)
+			base.Error(adminUser, "管理员otp错误")
+			return
+		}
+	}
+
 	// 认证错误
 	if !(adminUser == base.Cfg.AdminUser &&
 		utils.PasswordVerify(adminPass, base.Cfg.AdminPass)) {
 		RespError(w, RespUserOrPassErr)
+		base.Error(adminUser, "管理员用户名或密码错误")
 		return
 	}

@@ -41,6 +68,14 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	data["admin_user"] = adminUser
 	data["expires_at"] = expiresAt

+	ck := &http.Cookie{
+		Name:     "jwt",
+		Value:    tokenString,
+		Path:     "/",
+		HttpOnly: true,
+	}
+	http.SetCookie(w, ck)
+
 	RespSucess(w, data)
 }

@@ -50,13 +85,16 @@ func authMiddleware(next http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Methods", "GET,POST,OPTIONS")
 		w.Header().Set("Access-Control-Allow-Headers", "*")
 		if r.Method == http.MethodOptions {
+			// w.WriteHeader(http.StatusOK)
+			// 正式环境不支持 OPTIONS
+			w.WriteHeader(http.StatusForbidden)
 			return
 		}

 		route := mux.CurrentRoute(r)
 		name := route.GetName()
 		// fmt.Println("bb", r.URL.Path, name)
-		if utils.InArrStr([]string{"login", "index", "static", "debug"}, name) {
+		if utils.InArrStr([]string{"login", "index", "static"}, name) {
 			// 不进行鉴权
 			next.ServeHTTP(w, r)
 			return
@@ -67,6 +105,12 @@ func authMiddleware(next http.Handler) http.Handler {
 		if jwtToken == "" {
 			jwtToken = r.FormValue("jwt")
 		}
+		if jwtToken == "" {
+			cc, err := r.Cookie("jwt")
+			if err == nil {
+				jwtToken = cc.Value
+			}
+		}
 		data, err := GetJwtData(jwtToken)
 		if err != nil || base.Cfg.AdminUser != fmt.Sprint(data["admin_user"]) {
 			w.WriteHeader(http.StatusUnauthorized)
@@ -77,3 +121,17 @@ func authMiddleware(next http.Handler) http.Handler {

 	return http.HandlerFunc(fn)
 }
+
+func recoverHttp(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer func() {
+			if err := recover(); err != nil {
+				stack := debug.Stack()
+				base.Error(err, string(stack))
+				// http.Error(w, "Internal Server Error", 500)
+				RespError(w, 500, "Internal Server Error")
+			}
+		}()
+		next.ServeHTTP(w, r)
+	})
+}
--- a/server/admin/api_cert.go
+++ b/server/admin/api_cert.go
@@ -0,0 +1,99 @@
+package admin
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+func CustomCert(w http.ResponseWriter, r *http.Request) {
+	cert, _, err := r.FormFile("cert")
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	key, _, err := r.FormFile("key")
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	certFile, err := os.OpenFile(base.Cfg.CertFile, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer certFile.Close()
+	if _, err := io.Copy(certFile, cert); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	keyFile, err := os.OpenFile(base.Cfg.CertKey, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer keyFile.Close()
+	if _, err := io.Copy(keyFile, key); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	if tlscert, _, err := dbdata.ParseCert(); err != nil {
+		RespError(w, RespInternalErr, fmt.Sprintf("证书不合法，请重新上传:%v", err))
+		return
+	} else {
+		dbdata.LoadCertificate(tlscert)
+	}
+	RespSucess(w, "上传成功")
+}
+func GetCertSetting(w http.ResponseWriter, r *http.Request) {
+	sess := dbdata.GetXdb().NewSession()
+	defer sess.Close()
+	data := &dbdata.SettingLetsEncrypt{}
+	if err := dbdata.SettingGet(data); err != nil {
+		dbdata.SettingSessAdd(sess, data)
+		RespError(w, RespInternalErr, err)
+	}
+	userData := &dbdata.LegoUserData{}
+	if err := dbdata.SettingGet(userData); err != nil {
+		dbdata.SettingSessAdd(sess, userData)
+	}
+	RespSucess(w, data)
+}
+func CreatCert(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+	config := &dbdata.SettingLetsEncrypt{}
+	if err := json.Unmarshal(body, config); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	if err := dbdata.SettingSet(config); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	client := dbdata.LeGoClient{}
+	if err := client.NewClient(config); err != nil {
+		base.Error(err)
+		RespError(w, RespInternalErr, fmt.Sprintf("获取证书失败:%v", err))
+		return
+	}
+	if err := client.GetCert(config.Domain); err != nil {
+		base.Error(err)
+		RespError(w, RespInternalErr, fmt.Sprintf("获取证书失败:%v", err))
+		return
+	}
+	RespSucess(w, "生成证书成功")
+}
--- a/server/admin/api_group.go
+++ b/server/admin/api_group.go
@@ -2,7 +2,7 @@ package admin

 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"

@@ -75,11 +75,15 @@ func GroupDetail(w http.ResponseWriter, r *http.Request) {
 	if len(data.Auth) == 0 {
 		data.Auth["type"] = "local"
 	}
+	// 兼容旧数据
+	if data.SplitDns == nil {
+		data.SplitDns = []dbdata.ValData{}
+	}
 	RespSucess(w, data)
 }

 func GroupSet(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -118,3 +122,30 @@ func GroupDel(w http.ResponseWriter, r *http.Request) {
 	}
 	RespSucess(w, nil)
 }
+
+func GroupAuthLogin(w http.ResponseWriter, r *http.Request) {
+	type AuthLoginData struct {
+		Name string                 `json:"name"`
+		Pwd  string                 `json:"pwd"`
+		Auth map[string]interface{} `json:"auth"`
+	}
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+	v := &AuthLoginData{}
+	err = json.Unmarshal(body, &v)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	err = dbdata.GroupAuthLogin(v.Name, v.Pwd, v.Auth)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	RespSucess(w, "ok")
+}
--- a/server/admin/api_ip_map.go
+++ b/server/admin/api_ip_map.go
@@ -2,7 +2,7 @@ package admin

 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"

@@ -59,7 +59,7 @@ func UserIpMapDetail(w http.ResponseWriter, r *http.Request) {
 func UserIpMapSet(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()

-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -80,6 +80,8 @@ func UserIpMapSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// sessdata.IpAllSet(v)
+
 	RespSucess(w, nil)
 }

@@ -93,11 +95,20 @@ func UserIpMapDel(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	data := dbdata.IpMap{Id: id}
-	err := dbdata.Del(&data)
+	var data dbdata.IpMap
+	err := dbdata.One("Id", id, &data)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
+
+	err = dbdata.Del(&data)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	// sessdata.IpAllDel(&data)
+
 	RespSucess(w, nil)
 }
--- a/server/admin/api_other.go
+++ b/server/admin/api_other.go
@@ -3,10 +3,11 @@ package admin
 import (
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"regexp"

+	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 )

@@ -25,7 +26,7 @@ func setOtherGet(data interface{}, w http.ResponseWriter) {
 }

 func setOtherEdit(data interface{}, w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -82,11 +83,12 @@ func SetOtherAuditLog(w http.ResponseWriter, r *http.Request) {
 		RespError(w, RespInternalErr, err)
 		return
 	}
+	data.AuditInterval = base.Cfg.AuditInterval
 	RespSucess(w, data)
 }

 func SetOtherAuditLogEdit(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
--- a/server/admin/api_policy.go
+++ b/server/admin/api_policy.go
@@ -2,7 +2,7 @@ package admin

 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"

@@ -57,7 +57,7 @@ func PolicyDetail(w http.ResponseWriter, r *http.Request) {
 }

 func PolicySet(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
--- a/server/admin/api_set.go
+++ b/server/admin/api_set.go
@@ -66,12 +66,13 @@ func SetSystem(w http.ResponseWriter, r *http.Request) {
 	hi, _ := host.Info()
 	l, _ := load.Avg()
 	data["sys"] = map[string]interface{}{
-		"goOs":        runtime.GOOS,
-		"goArch":      runtime.GOARCH,
-		"goVersion":   runtime.Version(),
-		"goroutine":   runtime.NumGoroutine(),
-		"appVersion":  "v" + base.APP_VER,
-		"appCommitId": base.CommitId,
+		"goOs":         runtime.GOOS,
+		"goArch":       runtime.GOARCH,
+		"goVersion":    runtime.Version(),
+		"goroutine":    runtime.NumGoroutine(),
+		"appVersion":   "v" + base.APP_VER,
+		"appCommitId":  base.CommitId,
+		"appBuildDate": base.BuildDate,

 		"hostname": hi.Hostname,
 		"platform": fmt.Sprintf("%v %v %v", hi.Platform, hi.PlatformFamily, hi.PlatformVersion),
--- a/server/admin/api_set_audit.go
+++ b/server/admin/api_set_audit.go
@@ -51,3 +51,29 @@ func SetAuditExport(w http.ResponseWriter, r *http.Request) {
 	gocsv.Marshal(datas, w)

 }
+
+func UserActLogList(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	pageS := r.FormValue("page")
+	page, _ := strconv.Atoi(pageS)
+	if page < 1 {
+		page = 1
+	}
+	var datas []dbdata.UserActLog
+	session := dbdata.UserActLogIns.GetSession(r.Form)
+	count, err := dbdata.FindAndCount(session, &datas, dbdata.PageSize, page)
+	if err != nil && !dbdata.CheckErrNotFound(err) {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	data := map[string]interface{}{
+		"count":     count,
+		"page_size": dbdata.PageSize,
+		"datas":     datas,
+		"statusOps": dbdata.UserActLogIns.GetStatusOpsWithTag(),
+		"osOps":     dbdata.UserActLogIns.OsOps,
+		"clientOps": dbdata.UserActLogIns.ClientOps,
+	}
+
+	RespSucess(w, data)
+}
--- a/server/admin/api_uploaduser.go
+++ b/server/admin/api_uploaduser.go
@@ -0,0 +1,121 @@
+package admin
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
+	mapset "github.com/deckarep/golang-set"
+	"github.com/spf13/cast"
+	"github.com/xuri/excelize/v2"
+)
+
+func UserUpload(w http.ResponseWriter, r *http.Request) {
+	r.ParseMultipartForm(8 << 20)
+	file, header, err := r.FormFile("file")
+	if err != nil || !strings.Contains(header.Filename, ".xlsx") || !strings.Contains(header.Filename, ".xls") {
+		RespError(w, RespInternalErr, "文件解析失败:仅支持xlsx或xls文件")
+		return
+	}
+	defer file.Close()
+
+	// go/path-injection
+	// base.Cfg.FilesPath 可以直接对外访问，不能上传文件到此
+	fileName := path.Join(os.TempDir(), utils.RandomRunes(10))
+	newFile, err := os.Create(fileName)
+	if err != nil {
+		RespError(w, RespInternalErr, "创建文件失败:", err)
+		return
+	}
+	defer newFile.Close()
+
+	io.Copy(newFile, file)
+	if err = UploadUser(newFile.Name()); err != nil {
+		RespError(w, RespInternalErr, err)
+		os.Remove(fileName)
+		return
+	}
+	os.Remove(fileName)
+	RespSucess(w, "批量添加成功")
+}
+
+func UploadUser(file string) error {
+	f, err := excelize.OpenFile(file)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := f.Close(); err != nil {
+			return
+		}
+	}()
+	rows, err := f.GetRows("Sheet1")
+	if err != nil {
+		return err
+	}
+	if rows[0][0] != "id" || rows[0][1] != "username" || rows[0][2] != "nickname" || rows[0][3] != "email" || rows[0][4] != "pin_code" || rows[0][5] != "limittime" || rows[0][6] != "otp_secret" || rows[0][7] != "disable_otp" || rows[0][8] != "groups" || rows[0][9] != "status" || rows[0][10] != "send_email" {
+		return fmt.Errorf("批量添加失败，表格格式不正确")
+	}
+	var k []interface{}
+	for _, v := range dbdata.GetGroupNames() {
+		k = append(k, v)
+	}
+	for index, row := range rows {
+		if index == 0 {
+			continue
+		}
+		id, _ := strconv.Atoi(row[0])
+		if len(row[4]) < 6 {
+			row[4] = utils.RandomRunes(8)
+		}
+		limittime, _ := time.ParseInLocation("2006-01-02 15:04:05", row[5], time.Local)
+		disableOtp, _ := strconv.ParseBool(row[7])
+		var group []string
+		if row[8] == "" {
+			return fmt.Errorf("第%d行数据错误，用户组不允许为空", index)
+		}
+		for _, v := range strings.Split(row[8], ",") {
+			if s := mapset.NewSetFromSlice(k); s.Contains(v) {
+				group = append(group, v)
+			} else {
+				return fmt.Errorf("用户组【%s】不存在,请检查第%d行数据", v, index)
+			}
+		}
+		status := cast.ToInt8(row[9])
+		sendmail, _ := strconv.ParseBool(row[10])
+		// createdAt, _ := time.ParseInLocation("2006-01-02 15:04:05", row[11], time.Local)
+		// updatedAt, _ := time.ParseInLocation("2006-01-02 15:04:05", row[12], time.Local)
+		user := &dbdata.User{
+			Id:         id,
+			Username:   row[1],
+			Nickname:   row[2],
+			Email:      row[3],
+			PinCode:    row[4],
+			LimitTime:  &limittime,
+			OtpSecret:  row[6],
+			DisableOtp: disableOtp,
+			Groups:     group,
+			Status:     status,
+			SendEmail:  sendmail,
+			// CreatedAt:  createdAt,
+			// UpdatedAt:  updatedAt,
+		}
+		if err := dbdata.AddBatch(user); err != nil {
+			return fmt.Errorf("请检查第%d行数据是否导入有重复用户", index)
+		}
+		user.PinCode = row[4]
+		if user.SendEmail {
+			if err := userAccountMail(user); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
--- a/server/admin/api_user.go
+++ b/server/admin/api_user.go
@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -15,13 +15,16 @@ import (

 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/skip2/go-qrcode"
+	mail "github.com/xhit/go-simple-mail/v2"
 )

 func UserList(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 	prefix := r.FormValue("prefix")
+	prefix = strings.TrimSpace(prefix)
 	pageS := r.FormValue("page")
 	page, _ := strconv.Atoi(pageS)
 	if page < 1 {
@@ -37,8 +40,11 @@ func UserList(w http.ResponseWriter, r *http.Request) {

 	// 查询前缀匹配
 	if len(prefix) > 0 {
-		count = dbdata.CountPrefix("username", prefix, &dbdata.User{})
-		err = dbdata.Prefix("username", prefix, &datas, pageSize, 1)
+		fuzzy := "%" + prefix + "%"
+		where := "username LIKE ? OR nickname LIKE ? OR email LIKE ?"
+
+		count = dbdata.FindWhereCount(&dbdata.User{}, where, fuzzy, fuzzy, fuzzy)
+		err = dbdata.FindWhere(&datas, pageSize, page, where, fuzzy, fuzzy, fuzzy)
 	} else {
 		count = dbdata.CountAll(&dbdata.User{})
 		err = dbdata.Find(&datas, pageSize, page)
@@ -80,7 +86,7 @@ func UserDetail(w http.ResponseWriter, r *http.Request) {
 func UserSet(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()

-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -93,11 +99,17 @@ func UserSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if len(data.PinCode) < 6 {
+		data.PinCode = utils.RandomRunes(8)
+		base.Info("用户", data.Username, "随机密码为:", data.PinCode)
+	}
+	plainpwd := data.PinCode
 	err = dbdata.SetUser(data)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
+	data.PinCode = plainpwd

 	// 发送邮件
 	if data.SendEmail {
@@ -107,7 +119,8 @@ func UserSet(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-
+	// 修改用户资料后执行过期用户检测
+	sessdata.CloseUserLimittimeSession()
 	RespSucess(w, nil)
 }

@@ -132,38 +145,57 @@ func UserDel(w http.ResponseWriter, r *http.Request) {

 func UserOtpQr(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
-	b64 := r.FormValue("b64")
+	b64S := r.FormValue("b64")
 	idS := r.FormValue("id")
 	id, _ := strconv.Atoi(idS)
-	var user dbdata.User
-	err := dbdata.One("Id", id, &user)
+
+	var b64 bool
+	if b64S == "1" {
+		b64 = true
+	}
+	data, err := userOtpQr(id, b64)
 	if err != nil {
-		RespError(w, RespInternalErr, err)
-		return
+		base.Error(err)
+	}
+	io.WriteString(w, data)
+}
+
+func userOtpQr(uid int, b64 bool) (string, error) {
+	var user dbdata.User
+	err := dbdata.One("Id", uid, &user)
+	if err != nil {
+		return "", err
 	}

 	issuer := url.QueryEscape(base.Cfg.Issuer)
 	qrstr := fmt.Sprintf("otpauth://totp/%s:%s?issuer=%s&secret=%s", issuer, user.Email, issuer, user.OtpSecret)
 	qr, _ := qrcode.New(qrstr, qrcode.High)

-	if b64 == "1" {
-		data, _ := qr.PNG(300)
-		s := base64.StdEncoding.EncodeToString(data)
-		_, err = fmt.Fprint(w, s)
+	if b64 {
+		data, err := qr.PNG(300)
 		if err != nil {
-			base.Error(err)
+			return "", err
 		}
-		return
-	}
-	err = qr.Write(300, w)
-	if err != nil {
-		base.Error(err)
+		s := base64.StdEncoding.EncodeToString(data)
+		return s, nil
 	}
+
+	buf := bytes.NewBuffer(nil)
+	err = qr.Write(300, buf)
+	return buf.String(), err
 }

 // 在线用户
 func UserOnline(w http.ResponseWriter, r *http.Request) {
-	datas := sessdata.OnlineSess()
+	_ = r.ParseForm()
+	search_cate := r.FormValue("search_cate")
+	search_text := r.FormValue("search_text")
+	show_sleeper := r.FormValue("show_sleeper")
+	showSleeper, _ := strconv.ParseBool(show_sleeper)
+	// one_offline := r.FormValue("one_offline")
+
+	// datas := sessdata.OnlineSess()
+	datas := sessdata.GetOnlineSess(search_cate, search_text, showSleeper)

 	data := map[string]interface{}{
 		"count":     len(datas),
@@ -177,7 +209,7 @@ func UserOnline(w http.ResponseWriter, r *http.Request) {
 func UserOffline(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 	token := r.FormValue("token")
-	sessdata.CloseSess(token)
+	sessdata.CloseSess(token, dbdata.UserLogoutAdmin)
 	RespSucess(w, nil)
 }

@@ -189,12 +221,16 @@ func UserReline(w http.ResponseWriter, r *http.Request) {
 }

 type userAccountMailData struct {
-	Issuer   string
-	LinkAddr string
-	Group    string
-	Username string
-	PinCode  string
-	OtpImg   string
+	Issuer       string
+	LinkAddr     string
+	Group        string
+	Username     string
+	Nickname     string
+	PinCode      string
+	LimitTime    string
+	OtpImg       string
+	OtpImgBase64 string
+	DisableOtp   bool
 }

 func userAccountMail(user *dbdata.User) error {
@@ -235,13 +271,26 @@ func userAccountMail(user *dbdata.User) error {
 		return err
 	}

+	otpData, _ := userOtpQr(user.Id, true)
+
 	data := userAccountMailData{
-		LinkAddr: setting.LinkAddr,
-		Group:    strings.Join(user.Groups, ","),
-		Username: user.Username,
-		PinCode:  user.PinCode,
-		OtpImg:   fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", setting.LinkAddr, user.Id, tokenString),
+		Issuer:       base.Cfg.Issuer,
+		LinkAddr:     setting.LinkAddr,
+		Group:        strings.Join(user.Groups, ","),
+		Username:     user.Username,
+		Nickname:     user.Nickname,
+		PinCode:      user.PinCode,
+		OtpImg:       fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", setting.LinkAddr, user.Id, tokenString),
+		OtpImgBase64: "data:image/png;base64," + otpData,
+		DisableOtp:   user.DisableOtp,
 	}
+
+	if user.LimitTime == nil {
+		data.LimitTime = "无限制"
+	} else {
+		data.LimitTime = user.LimitTime.Local().Format("2006-01-02")
+	}
+
 	w := bytes.NewBufferString("")
 	t, _ := template.New("auth_complete").Parse(htmlBody)
 	err = t.Execute(w, data)
@@ -249,5 +298,19 @@ func userAccountMail(user *dbdata.User) error {
 		return err
 	}
 	// fmt.Println(w.String())
-	return SendMail(base.Cfg.Issuer+"平台通知", user.Email, w.String())
+
+	var attach *mail.File
+	if user.DisableOtp {
+		attach = nil
+	} else {
+		imgData, _ := userOtpQr(user.Id, false)
+		attach = &mail.File{
+			MimeType: "image/png",
+			Name:     "userOtpQr.png",
+			Data:     []byte(imgData),
+			Inline:   true,
+		}
+	}
+
+	return SendMail(base.Cfg.Issuer, user.Email, w.String(), attach)
 }
--- a/server/admin/common.go
+++ b/server/admin/common.go
@@ -43,7 +43,7 @@ func GetJwtData(jwtToken string) (map[string]interface{}, error) {
 	return claims, nil
 }

-func SendMail(subject, to, htmlBody string) error {
+func SendMail(subject, to, htmlBody string, attach *mail.File) error {

 	dataSmtp := &dbdata.SettingSmtp{}
 	err := dbdata.SettingGet(dataSmtp)
@@ -73,7 +73,7 @@ func SendMail(subject, to, htmlBody string) error {
 	// - PLAIN (default)
 	// - LOGIN
 	// - CRAM-MD5
-	server.Authentication = mail.AuthPlain
+	server.Authentication = mail.AuthAuto

 	// Variable to keep alive connection
 	server.KeepAlive = false
@@ -102,6 +102,10 @@ func SendMail(subject, to, htmlBody string) error {
 		AddTo(to).
 		SetSubject(subject)

+	if attach != nil {
+		email.Attach(attach)
+	}
+
 	email.SetBody(mail.TextHTML, htmlBody)

 	// Call Send and pass the client
--- a/server/admin/lockmanager.go
+++ b/server/admin/lockmanager.go
@@ -0,0 +1,465 @@
+package admin
+
+import (
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/bjdgyc/anylink/base"
+)
+
+type LockInfo struct {
+	Description string     `json:"description"` // 锁定原因
+	Username    string     `json:"username"`    // 用户名
+	IP          string     `json:"ip"`          // IP 地址
+	State       *LockState `json:"state"`       // 锁定状态信息
+}
+type LockState struct {
+	Locked       bool      `json:"locked"`      // 是否锁定
+	FailureCount int       `json:"attempts"`    // 失败次数
+	LockTime     time.Time `json:"lock_time"`   // 锁定截止时间
+	LastAttempt  time.Time `json:"lastAttempt"` // 最后一次尝试的时间
+}
+type IPWhitelists struct {
+	IP   net.IP
+	CIDR *net.IPNet
+}
+
+type LockManager struct {
+	mu sync.Mutex
+	// LoginStatus   sync.Map                         // 登录状态
+	ipLocks       map[string]*LockState            // 全局IP锁定状态
+	userLocks     map[string]*LockState            // 全局用户锁定状态
+	ipUserLocks   map[string]map[string]*LockState // 单用户IP锁定状态
+	ipWhitelists  []IPWhitelists                   // 全局IP白名单，包含IP地址和CIDR范围
+	cleanupTicker *time.Ticker
+}
+
+var lockmanager *LockManager
+var once sync.Once
+
+func GetLockManager() *LockManager {
+	once.Do(func() {
+		lockmanager = &LockManager{
+			// LoginStatus:  sync.Map{},
+			ipLocks:      make(map[string]*LockState),
+			userLocks:    make(map[string]*LockState),
+			ipUserLocks:  make(map[string]map[string]*LockState),
+			ipWhitelists: make([]IPWhitelists, 0),
+		}
+	})
+	return lockmanager
+}
+
+const defaultGlobalLockStateExpirationTime = 3600
+
+func InitLockManager() {
+	lm := GetLockManager()
+	if base.Cfg.AntiBruteForce {
+		if base.Cfg.GlobalLockStateExpirationTime <= 0 {
+			base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
+		}
+		lm.StartCleanupTicker()
+		lm.InitIPWhitelist()
+	}
+}
+
+func GetLocksInfo(w http.ResponseWriter, r *http.Request) {
+	lm := GetLockManager()
+	locksInfo := lm.GetLocksInfo()
+
+	RespSucess(w, locksInfo)
+}
+
+func UnlockUser(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	lockinfo := LockInfo{}
+	if err := json.Unmarshal(body, &lockinfo); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	if lockinfo.State == nil {
+		RespError(w, RespInternalErr, "未找到锁定用户！")
+		return
+	}
+	lm := GetLockManager()
+
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	// 根据用户名和IP查找锁定状态
+	var state *LockState
+	switch {
+	case lockinfo.IP == "" && lockinfo.Username != "":
+		state = lm.userLocks[lockinfo.Username] // 全局用户锁定
+	case lockinfo.Username != "" && lockinfo.IP != "":
+		if userIPMap, exists := lm.ipUserLocks[lockinfo.Username]; exists {
+			state = userIPMap[lockinfo.IP] // 单用户 IP 锁定
+		}
+	default:
+		state = lm.ipLocks[lockinfo.IP] // 全局 IP 锁定
+	}
+
+	if state == nil || !state.Locked {
+		RespError(w, RespInternalErr, "锁定状态未找到或已解锁")
+		return
+	}
+
+	lm.Unlock(state)
+	base.Info("解锁成功:", lockinfo.Description, lockinfo.Username, lockinfo.IP)
+
+	RespSucess(w, "解锁成功！")
+}
+
+func (lm *LockManager) GetLocksInfo() []LockInfo {
+	var locksInfo []LockInfo
+
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	for ip, state := range lm.ipLocks {
+		if base.Cfg.MaxGlobalIPBanCount > 0 && state.Locked {
+			info := LockInfo{
+				Description: "全局IP锁定",
+				Username:    "",
+				IP:          ip,
+				State: &LockState{
+					Locked:       state.Locked,
+					FailureCount: state.FailureCount,
+					LockTime:     state.LockTime,
+					LastAttempt:  state.LastAttempt,
+				},
+			}
+			locksInfo = append(locksInfo, info)
+		}
+	}
+
+	for username, state := range lm.userLocks {
+		if base.Cfg.MaxGlobalUserBanCount > 0 && state.Locked {
+			info := LockInfo{
+				Description: "全局用户锁定",
+				Username:    username,
+				IP:          "",
+				State: &LockState{
+					Locked:       state.Locked,
+					FailureCount: state.FailureCount,
+					LockTime:     state.LockTime,
+					LastAttempt:  state.LastAttempt,
+				},
+			}
+			locksInfo = append(locksInfo, info)
+		}
+	}
+
+	for username, ipStates := range lm.ipUserLocks {
+		for ip, state := range ipStates {
+			if base.Cfg.MaxBanCount > 0 && state.Locked {
+				info := LockInfo{
+					Description: "单用户IP锁定",
+					Username:    username,
+					IP:          ip,
+					State: &LockState{
+						Locked:       state.Locked,
+						FailureCount: state.FailureCount,
+						LockTime:     state.LockTime,
+						LastAttempt:  state.LastAttempt,
+					},
+				}
+				locksInfo = append(locksInfo, info)
+			}
+		}
+	}
+	return locksInfo
+}
+
+// 初始化IP白名单
+func (lm *LockManager) InitIPWhitelist() {
+	ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
+	for _, ipWhitelist := range ipWhitelist {
+		ipWhitelist = strings.TrimSpace(ipWhitelist)
+		if ipWhitelist == "" {
+			continue
+		}
+
+		_, ipNet, err := net.ParseCIDR(ipWhitelist)
+		if err == nil {
+			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
+			continue
+		}
+
+		ip := net.ParseIP(ipWhitelist)
+		if ip != nil {
+			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
+			continue
+		}
+	}
+}
+
+// 检查 IP 是否在白名单中
+func (lm *LockManager) IsWhitelisted(ip string) bool {
+	clientIP := net.ParseIP(ip)
+	if clientIP == nil {
+		return false
+	}
+	for _, ipWhitelist := range lm.ipWhitelists {
+		if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
+			return true
+		}
+		if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
+			return true
+		}
+	}
+	return false
+}
+
+func (lm *LockManager) StartCleanupTicker() {
+	lm.cleanupTicker = time.NewTicker(1 * time.Minute)
+	go func() {
+		for range lm.cleanupTicker.C {
+			lm.CleanupExpiredLocks()
+		}
+	}()
+}
+
+// 定期清理过期的锁定
+func (lm *LockManager) CleanupExpiredLocks() {
+	now := time.Now()
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	for ip, state := range lm.ipLocks {
+		if !lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime) ||
+			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			delete(lm.ipLocks, ip)
+		}
+	}
+
+	for user, state := range lm.userLocks {
+		if !lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime) ||
+			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			delete(lm.userLocks, user)
+		}
+	}
+
+	for user, ipMap := range lm.ipUserLocks {
+		for ip, state := range ipMap {
+			if !lm.CheckLockState(state, now, base.Cfg.BanResetTime) ||
+				now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+				delete(ipMap, ip)
+				if len(ipMap) == 0 {
+					delete(lm.ipUserLocks, user)
+				}
+			}
+		}
+	}
+}
+
+// 检查全局 IP 锁定
+func (lm *LockManager) CheckGlobalIPLock(ip string, now time.Time) bool {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.ipLocks[ip]
+	if !exists {
+		return false
+	}
+
+	return lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime)
+}
+
+// 检查全局用户锁定
+func (lm *LockManager) CheckGlobalUserLock(username string, now time.Time) bool {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return false
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.userLocks[username]
+	if !exists {
+		return false
+	}
+	return lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime)
+}
+
+// 检查单个用户的 IP 锁定
+func (lm *LockManager) CheckUserIPLock(username, ip string, now time.Time) bool {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return false
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	userIPMap, userExists := lm.ipUserLocks[username]
+	if !userExists {
+		return false
+	}
+
+	state, ipExists := userIPMap[ip]
+	if !ipExists {
+		return false
+	}
+
+	return lm.CheckLockState(state, now, base.Cfg.BanResetTime)
+}
+
+// 更新全局 IP 锁定状态
+func (lm *LockManager) UpdateGlobalIPLock(ip string, now time.Time, success bool) {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.ipLocks[ip]
+	if !exists {
+		state = &LockState{}
+		lm.ipLocks[ip] = state
+	}
+
+	lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
+}
+
+// 更新全局用户锁定状态
+func (lm *LockManager) UpdateGlobalUserLock(username string, now time.Time, success bool) {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.userLocks[username]
+	if !exists {
+		state = &LockState{}
+		lm.userLocks[username] = state
+	}
+
+	lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
+}
+
+// 更新单个用户的 IP 锁定状态
+func (lm *LockManager) UpdateUserIPLock(username, ip string, now time.Time, success bool) {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	userIPMap, userExists := lm.ipUserLocks[username]
+	if !userExists {
+		userIPMap = make(map[string]*LockState)
+		lm.ipUserLocks[username] = userIPMap
+	}
+
+	state, ipExists := userIPMap[ip]
+	if !ipExists {
+		state = &LockState{}
+		userIPMap[ip] = state
+	}
+
+	lm.UpdateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
+}
+
+// 更新锁定状态
+func (lm *LockManager) UpdateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
+	if success {
+		lm.Unlock(state) // 成功登录后解锁
+	} else {
+		state.FailureCount++
+		if state.FailureCount >= maxBanCount {
+			state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
+			state.Locked = true // 超过阈值时锁定
+		}
+	}
+	state.LastAttempt = now
+}
+
+// 检查锁定状态
+func (lm *LockManager) CheckLockState(state *LockState, now time.Time, resetTime int) bool {
+	if state == nil || state.LastAttempt.IsZero() {
+		return false
+	}
+
+	// 如果超过锁定时间，重置锁定状态
+	if !state.LockTime.IsZero() && now.After(state.LockTime) {
+		lm.Unlock(state) // 锁定期过后解锁
+		return false
+	}
+	// 如果超过窗口时间，重置失败计数
+	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
+		state.FailureCount = 0
+		return false
+	}
+	return state.Locked
+}
+
+// 解锁
+func (lm *LockManager) Unlock(state *LockState) {
+	state.FailureCount = 0
+	state.LockTime = time.Time{}
+	state.Locked = false
+}
+
+// 检查锁定状态
+func (lm *LockManager) CheckLocked(username, ipaddr string) bool {
+	if !base.Cfg.AntiBruteForce {
+		return true
+	}
+
+	ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址，去掉端口号
+	if err != nil {
+		base.Error("检查锁定状态失败,提取IP地址错误:", ipaddr)
+		return true
+	}
+	now := time.Now()
+
+	// 检查IP是否在白名单中
+	if lm.IsWhitelisted(ip) {
+		return true
+	}
+
+	// 检查全局 IP 锁定
+	if base.Cfg.MaxGlobalIPBanCount > 0 && lm.CheckGlobalIPLock(ip, now) {
+		base.Warn("IP", ip, "is globally locked. Try again later.")
+		return false
+	}
+
+	// 检查全局用户锁定
+	if base.Cfg.MaxGlobalUserBanCount > 0 && lm.CheckGlobalUserLock(username, now) {
+		base.Warn("User", username, "is globally locked. Try again later.")
+		return false
+	}
+
+	// 检查单个用户的 IP 锁定
+	if base.Cfg.MaxBanCount > 0 && lm.CheckUserIPLock(username, ip, now) {
+		base.Warn("IP", ip, "is locked for user", username, "Try again later.")
+		return false
+	}
+
+	return true
+}
+
+// 更新用户登录状态
+func (lm *LockManager) UpdateLoginStatus(username, ipaddr string, loginStatus bool) {
+	ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址，去掉端口号
+	if err != nil {
+		base.Error("更新登录状态失败,提取IP地址错误:", ipaddr)
+		return
+	}
+	now := time.Now()
+
+	// 更新用户登录状态
+	lm.UpdateGlobalIPLock(ip, now, loginStatus)
+	lm.UpdateGlobalUserLock(username, now, loginStatus)
+	lm.UpdateUserIPLock(username, ip, now, loginStatus)
+}
--- a/server/admin/resp_test.go
+++ b/server/admin/resp_test.go
@@ -2,7 +2,7 @@ package admin

 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http/httptest"
 	"testing"

@@ -15,7 +15,7 @@ func TestRespSucess(t *testing.T) {
 	RespSucess(w, "data")
 	// fmt.Println(w)
 	assert.Equal(w.Code, 200)
-	body, _ := ioutil.ReadAll(w.Body)
+	body, _ := io.ReadAll(w.Body)
 	res := Resp{}
 	err := json.Unmarshal(body, &res)
 	assert.Nil(err)
@@ -30,7 +30,7 @@ func TestRespError(t *testing.T) {
 	RespError(w, 10, "err-msg")
 	// fmt.Println(w)
 	assert.Equal(w.Code, 200)
-	body, _ := ioutil.ReadAll(w.Body)
+	body, _ := io.ReadAll(w.Body)
 	res := Resp{}
 	err := json.Unmarshal(body, &res)
 	assert.Nil(err)
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -9,6 +9,8 @@ import (

 	"github.com/arl/statsviz"
 	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 )
@@ -19,8 +21,15 @@ var UiData embed.FS
 func StartAdmin() {

 	r := mux.NewRouter()
-	r.Use(authMiddleware)
-	r.Use(handlers.CompressHandler)
+	r.Use(recoverHttp, authMiddleware, handlers.CompressHandler)
+	// 所有路由添加安全头
+	r.Use(func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			utils.SetSecureHeader(w)
+			w.Header().Set("Server", "AnyLinkAdminOpenSource")
+			next.ServeHTTP(w, req)
+		})
+	})

 	// 监控检测
 	r.HandleFunc("/status.html", func(w http.ResponseWriter, r *http.Request) {
@@ -45,10 +54,15 @@ func StartAdmin() {
 	r.HandleFunc("/set/other/audit_log/edit", SetOtherAuditLogEdit)
 	r.HandleFunc("/set/audit/list", SetAuditList)
 	r.HandleFunc("/set/audit/export", SetAuditExport)
+	r.HandleFunc("/set/audit/act_log_list", UserActLogList)
+	r.HandleFunc("/set/other/createcert", CreatCert)
+	r.HandleFunc("/set/other/getcertset", GetCertSetting)
+	r.HandleFunc("/set/other/customcert", CustomCert)

 	r.HandleFunc("/user/list", UserList)
 	r.HandleFunc("/user/detail", UserDetail)
 	r.HandleFunc("/user/set", UserSet)
+	r.HandleFunc("/user/uploaduser", UserUpload).Methods(http.MethodPost)
 	r.HandleFunc("/user/del", UserDel)
 	r.HandleFunc("/user/online", UserOnline)
 	r.HandleFunc("/user/offline", UserOffline)
@@ -69,8 +83,11 @@ func StartAdmin() {
 	r.HandleFunc("/group/detail", GroupDetail)
 	r.HandleFunc("/group/set", GroupSet)
 	r.HandleFunc("/group/del", GroupDel)
+	r.HandleFunc("/group/auth_login", GroupAuthLogin)

 	r.HandleFunc("/statsinfo/list", StatsInfoList)
+	r.HandleFunc("/locksinfo/list", GetLocksInfo)
+	r.HandleFunc("/locksinfo/unlok", UnlockUser)

 	// pprof
 	if base.Cfg.Pprof {
@@ -81,8 +98,9 @@ func StartAdmin() {
 		r.HandleFunc("/debug/pprof", location("/debug/pprof/")).Name("debug")
 		r.PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index).Name("debug")
 		// statsviz
-		r.Path("/debug/statsviz/ws").Name("debug").HandlerFunc(statsviz.Ws)
-		r.PathPrefix("/debug/statsviz/").Name("debug").Handler(statsviz.Index)
+		srv, _ := statsviz.NewServer() // Create server or handle error
+		r.Path("/debug/statsviz/ws").Name("debug").HandlerFunc(srv.Ws())
+		r.PathPrefix("/debug/statsviz/").Name("debug").Handler(srv.Index())
 	}

 	base.Info("Listen admin", base.Cfg.AdminAddr)
@@ -93,18 +111,23 @@ func StartAdmin() {
 	for _, s := range cipherSuites {
 		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}
+
 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: selectedCipherSuites,
+		GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return dbdata.GetCertificateBySNI(chi.ServerName)
+		},
 	}
 	srv := &http.Server{
 		Addr:      base.Cfg.AdminAddr,
 		Handler:   r,
 		TLSConfig: tlsConfig,
+		ErrorLog:  base.GetServerLog(),
 	}
-	err := srv.ListenAndServeTLS(base.Cfg.CertFile, base.Cfg.CertKey)
+	err := srv.ListenAndServeTLS("", "")
 	if err != nil {
 		base.Fatal(err)
 	}
--- a/server/base/app_ver.go
+++ b/server/base/app_ver.go
@@ -2,6 +2,12 @@ package base

 const (
 	APP_NAME = "AnyLink"
-	// app版本号
-	APP_VER = "0.9.1-beta1"
+)
+
+var (
+	// APP_VER app版本号
+	APP_VER = "0.0.1"
+	// 提交id
+	CommitId  string
+	BuildDate string
 )
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -5,6 +5,9 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strings"
+
+	"github.com/bjdgyc/anylink/pkg/utils"
 )

 const (
@@ -31,25 +34,29 @@ var (

 type ServerConfig struct {
 	// LinkAddr      string `json:"link_addr"`
-	Conf           string `json:"conf"`
-	Profile        string `json:"profile"`
-	ServerAddr     string `json:"server_addr"`
-	ServerDTLSAddr string `json:"server_dtls_addr"`
-	ServerDTLS     bool   `json:"server_dtls"`
-	AdminAddr      string `json:"admin_addr"`
-	ProxyProtocol  bool   `json:"proxy_protocol"`
-	DbType         string `json:"db_type"`
-	DbSource       string `json:"db_source"`
-	CertFile       string `json:"cert_file"`
-	CertKey        string `json:"cert_key"`
-	FilesPath      string `json:"files_path"`
-	LogPath        string `json:"log_path"`
-	LogLevel       string `json:"log_level"`
-	Pprof          bool   `json:"pprof"`
-	Issuer         string `json:"issuer"`
-	AdminUser      string `json:"admin_user"`
-	AdminPass      string `json:"admin_pass"`
-	JwtSecret      string `json:"jwt_secret"`
+	Conf              string `json:"conf"`
+	Profile           string `json:"profile"`
+	ProfileName       string `json:"profile_name"`
+	ServerAddr        string `json:"server_addr"`
+	ServerDTLS        bool   `json:"server_dtls"`
+	ServerDTLSAddr    string `json:"server_dtls_addr"`
+	AdvertiseDTLSAddr string `json:"advertise_dtls_addr"`
+	AdminAddr         string `json:"admin_addr"`
+	ProxyProtocol     bool   `json:"proxy_protocol"`
+	DbType            string `json:"db_type"`
+	DbSource          string `json:"db_source"`
+	CertFile          string `json:"cert_file"`
+	CertKey           string `json:"cert_key"`
+	FilesPath         string `json:"files_path"`
+	LogPath           string `json:"log_path"`
+	LogLevel          string `json:"log_level"`
+	HttpServerLog     bool   `json:"http_server_log"`
+	Pprof             bool   `json:"pprof"`
+	Issuer            string `json:"issuer"`
+	AdminUser         string `json:"admin_user"`
+	AdminPass         string `json:"admin_pass"`
+	AdminOtp          string `json:"admin_otp"`
+	JwtSecret         string `json:"jwt_secret"`

 	LinkMode    string `json:"link_mode"`    // tun tap macvtap ipvtap
 	Ipv4Master  string `json:"ipv4_master"`  // eth0
@@ -69,11 +76,37 @@ type ServerConfig struct {
 	Mtu             int    `json:"mtu"`
 	DefaultDomain   string `json:"default_domain"`

+	IdleTimeout    int `json:"idle_timeout"`    // in seconds
 	SessionTimeout int `json:"session_timeout"` // in seconds
 	// AuthTimeout    int `json:"auth_timeout"`    // in seconds
 	AuditInterval int `json:"audit_interval"` // in seconds

-	ShowSQL bool `json:"show_sql"` // bool
+	ShowSQL         bool `json:"show_sql"` // bool
+	IptablesNat     bool `json:"iptables_nat"`
+	Compression     bool `json:"compression"`       // bool
+	NoCompressLimit int  `json:"no_compress_limit"` // int
+
+	DisplayError       bool `json:"display_error"`
+	ExcludeExportIp    bool `json:"exclude_export_ip"`
+	AuthAloneOtp       bool `json:"auth_alone_otp"`
+	EncryptionPassword bool `json:"encryption_password"`
+
+	AntiBruteForce bool   `json:"anti_brute_force"`
+	IPWhitelist    string `json:"ip_whitelist"`
+
+	MaxBanCount  int `json:"max_ban_score"`
+	BanResetTime int `json:"ban_reset_time"`
+	LockTime     int `json:"lock_time"`
+
+	MaxGlobalUserBanCount  int `json:"max_global_user_ban_count"`
+	GlobalUserBanResetTime int `json:"global_user_ban_reset_time"`
+	GlobalUserLockTime     int `json:"global_user_lock_time"`
+
+	MaxGlobalIPBanCount  int `json:"max_global_ip_ban_count"`
+	GlobalIPBanResetTime int `json:"global_ip_ban_reset_time"`
+	GlobalIPLockTime     int `json:"global_ip_lock_time"`
+
+	GlobalLockStateExpirationTime int `json:"global_lock_state_expiration_time"`
 }

 func initServerCfg() {
@@ -96,6 +129,15 @@ func initServerCfg() {

 	if Cfg.JwtSecret == defaultJwt {
 		fmt.Fprintln(os.Stderr, "=== 使用默认的jwt_secret有安全风险，请设置新的jwt_secret ===")
+
+		// 安全问题，自动生成新的密钥
+		jwtSecret, _ := utils.RandSecret(40, 60)
+		jwtSecret = strings.Trim(jwtSecret, "=")
+		Cfg.JwtSecret = jwtSecret
+	}
+
+	if Cfg.AdvertiseDTLSAddr == "" {
+		Cfg.AdvertiseDTLSAddr = Cfg.ServerDTLSAddr
 	}

 	fmt.Printf("ServerCfg: %+v \n", Cfg)
@@ -147,6 +189,7 @@ type SCfg struct {
 	Env  string      `json:"env"`
 	Info string      `json:"info"`
 	Data interface{} `json:"data"`
+	Val  interface{} `json:"default"`
 }

 func ServerCfg2Slice() []SCfg {
@@ -161,18 +204,27 @@ func ServerCfg2Slice() []SCfg {
 		field := typ.Field(i)
 		value := s.Field(i)
 		tag := field.Tag.Get("json")
-		usage, env := getUsageEnv(tag)
+		usage, env, val := getUsageEnv(tag)

-		datas = append(datas, SCfg{Name: tag, Env: env, Info: usage, Data: value.Interface()})
+		datas = append(datas, SCfg{Name: tag, Env: env, Info: usage, Data: value.Interface(), Val: val})
 	}

 	return datas
 }

-func getUsageEnv(name string) (usage, env string) {
+func getUsageEnv(name string) (usage, env string, val interface{}) {
 	for _, v := range configs {
 		if v.Name == name {
 			usage = v.Usage
+			if v.Typ == cfgStr {
+				val = v.ValStr
+			}
+			if v.Typ == cfgInt {
+				val = v.ValInt
+			}
+			if v.Typ == cfgBool {
+				val = v.ValBool
+			}
 		}
 	}

--- a/server/base/cmd.go
+++ b/server/base/cmd.go
@@ -1,23 +1,25 @@
 package base

 import (
-	"errors"
 	"fmt"
+	"io"
 	"os"
 	"reflect"
 	"runtime"
 	"strings"

 	"github.com/bjdgyc/anylink/pkg/utils"
+	"github.com/skip2/go-qrcode"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"github.com/xlzd/gotp"
 )

 var (
-	// 提交id
-	CommitId string
 	// pass明文
 	passwd string
+	// 生成otp
+	otp bool
 	// 生成密钥
 	secret bool
 	// 显示版本信息
@@ -56,8 +58,28 @@ func execute() {
 	}

 	if !runSrv {
+		if debug {
+			scfgData := ServerCfg2Slice()
+			fmtStr := "%-18v %-23v %-20v %v\n"
+			fmt.Printf(fmtStr, "Name", "Env", "Value", "Info")
+			for _, v := range scfgData {
+				if v.Name == "admin_pass" || v.Name == "jwt_secret" {
+					v.Val = "******"
+				}
+				fmt.Printf(fmtStr, v.Name, v.Env, v.Val, v.Info)
+			}
+		}
 		os.Exit(0)
 	}
+
+	// 移动配置解析代码
+	conf := linkViper.GetString("conf")
+	linkViper.SetConfigFile(conf)
+	err = linkViper.ReadInConfig()
+	if err != nil {
+		// 没有配置文件，直接报错
+		panic("config file err:" + err.Error())
+	}
 }

 func initCmd() {
@@ -69,13 +91,17 @@ func initCmd() {
 		Run: func(cmd *cobra.Command, args []string) {
 			// fmt.Println("cmd：", cmd.Use, args)
 			runSrv = true
+
+			if rev {
+				printVersion()
+				os.Exit(0)
+			}
 		},
 	}

 	linkViper.SetEnvPrefix("link")

 	// 基础配置
-
 	for _, v := range configs {
 		if v.Typ == cfgStr {
 			rootCmd.Flags().StringP(v.Name, v.Short, v.ValStr, v.Usage)
@@ -92,23 +118,11 @@ func initCmd() {
 		// viper.SetDefault(v.Name, v.Value)
 	}

+	rootCmd.Flags().BoolVarP(&rev, "version", "v", false, "display version info")
 	rootCmd.AddCommand(initToolCmd())

 	cobra.OnInitialize(func() {
 		linkViper.AutomaticEnv()
-		conf := linkViper.GetString("conf")
-
-		_, err := os.Stat(conf)
-		if errors.Is(err, os.ErrNotExist) {
-			// 没有配置文件，不做处理
-			panic(err)
-		}
-
-		linkViper.SetConfigFile(conf)
-		err = linkViper.ReadInConfig()
-		if err != nil {
-			fmt.Println("Using config file:", err)
-		}
 	})
 }

@@ -122,22 +136,31 @@ func initToolCmd() *cobra.Command {
 	toolCmd.Flags().BoolVarP(&rev, "version", "v", false, "display version info")
 	toolCmd.Flags().BoolVarP(&secret, "secret", "s", false, "generate a random jwt secret")
 	toolCmd.Flags().StringVarP(&passwd, "passwd", "p", "", "convert the password plaintext")
+	toolCmd.Flags().BoolVarP(&otp, "otp", "o", false, "generate a random otp secret")
 	toolCmd.Flags().BoolVarP(&debug, "debug", "d", false, "list the config viper.Debug() info")

 	toolCmd.Run = func(cmd *cobra.Command, args []string) {
+		runSrv = false
+
 		switch {
 		case rev:
-			fmt.Printf("%s v%s build on %s [%s, %s] commit_id(%s) \n",
-				APP_NAME, APP_VER, runtime.Version(), runtime.GOOS, runtime.GOARCH, CommitId)
+			printVersion()
 		case secret:
 			s, _ := utils.RandSecret(40, 60)
 			s = strings.Trim(s, "=")
 			fmt.Printf("Secret:%s\n", s)
+		case otp:
+			s := gotp.RandomSecret(32)
+			fmt.Printf("Otp:%s\n\n", s)
+			qrstr := fmt.Sprintf("otpauth://totp/%s:%s?issuer=%s&secret=%s", "anylink_admin", "admin@anylink", "anylink_admin", s)
+			qr, _ := qrcode.New(qrstr, qrcode.High)
+			ss := qr.ToSmallString(false)
+			io.WriteString(os.Stderr, ss)
 		case passwd != "":
 			pass, _ := utils.PasswordHash(passwd)
 			fmt.Printf("Passwd:%s\n", pass)
 		case debug:
-			linkViper.Debug()
+			// linkViper.Debug()
 		default:
 			fmt.Println("Using [anylink tool -h] for help")
 		}
@@ -145,3 +168,8 @@ func initToolCmd() *cobra.Command {

 	return toolCmd
 }
+
+func printVersion() {
+	fmt.Printf("%s v%s build on %s [%s, %s] date:%s commit_id(%s)\n",
+		APP_NAME, APP_VER, runtime.Version(), runtime.GOOS, runtime.GOARCH, BuildDate, CommitId)
+}
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -22,9 +22,11 @@ type config struct {
 var configs = []config{
 	{Typ: cfgStr, Name: "conf", Usage: "config file", ValStr: "./conf/server.toml", Short: "c"},
 	{Typ: cfgStr, Name: "profile", Usage: "profile.xml file", ValStr: "./conf/profile.xml"},
-	{Typ: cfgStr, Name: "server_addr", Usage: "服务监听地址", ValStr: ":443"},
+	{Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同服务端的配置)", ValStr: "anylink"},
+	{Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"},
 	{Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false},
-	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址", ValStr: ":4433"},
+	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"},
+	{Typ: cfgStr, Name: "advertise_dtls_addr", Usage: "DTLS对外映射端口(为空则与server_dtls_addr相同)", ValStr: ""},
 	{Typ: cfgStr, Name: "admin_addr", Usage: "后台服务监听地址", ValStr: ":8800"},
 	{Typ: cfgBool, Name: "proxy_protocol", Usage: "TCP代理协议", ValBool: false},
 	{Typ: cfgStr, Name: "db_type", Usage: "数据库类型 [sqlite3 mysql postgres]", ValStr: "sqlite3"},
@@ -33,34 +35,62 @@ var configs = []config{
 	{Typ: cfgStr, Name: "cert_key", Usage: "证书密钥", ValStr: "./conf/vpn_cert.key"},
 	{Typ: cfgStr, Name: "files_path", Usage: "外部下载文件路径", ValStr: "./conf/files"},
 	{Typ: cfgStr, Name: "log_path", Usage: "日志文件路径,默认标准输出", ValStr: ""},
-	{Typ: cfgStr, Name: "log_level", Usage: "日志等级 [debug info warn error]", ValStr: "info"},
-	{Typ: cfgBool, Name: "pprof", Usage: "开启pprof", ValBool: false},
+	{Typ: cfgStr, Name: "log_level", Usage: "日志等级 [debug info warn error]", ValStr: "debug"},
+	{Typ: cfgBool, Name: "http_server_log", Usage: "开启go标准库http.Server的日志", ValBool: false},
+	{Typ: cfgBool, Name: "pprof", Usage: "开启pprof", ValBool: true},
 	{Typ: cfgStr, Name: "issuer", Usage: "系统名称", ValStr: "XX公司VPN"},
 	{Typ: cfgStr, Name: "admin_user", Usage: "管理用户名", ValStr: "admin"},
 	{Typ: cfgStr, Name: "admin_pass", Usage: "管理用户密码", ValStr: defaultPwd},
+	{Typ: cfgStr, Name: "admin_otp", Usage: "管理用户otp,生成命令 ./anylink tool -o", ValStr: ""},
 	{Typ: cfgStr, Name: "jwt_secret", Usage: "JWT密钥", ValStr: defaultJwt},
 	{Typ: cfgStr, Name: "link_mode", Usage: "虚拟网络类型[tun tap macvtap ipvtap]", ValStr: "tun"},
 	{Typ: cfgStr, Name: "ipv4_master", Usage: "ipv4主网卡名称", ValStr: "eth0"},
-	{Typ: cfgStr, Name: "ipv4_cidr", Usage: "ip地址网段", ValStr: "192.168.10.0/24"},
-	{Typ: cfgStr, Name: "ipv4_gateway", Usage: "ipv4_gateway", ValStr: "192.168.10.1"},
-	{Typ: cfgStr, Name: "ipv4_start", Usage: "IPV4开始地址", ValStr: "192.168.10.100"},
-	{Typ: cfgStr, Name: "ipv4_end", Usage: "IPV4结束", ValStr: "192.168.10.200"},
+	{Typ: cfgStr, Name: "ipv4_cidr", Usage: "ip地址网段", ValStr: "192.168.90.0/24"},
+	{Typ: cfgStr, Name: "ipv4_gateway", Usage: "ipv4_gateway", ValStr: "192.168.90.1"},
+	{Typ: cfgStr, Name: "ipv4_start", Usage: "IPV4开始地址", ValStr: "192.168.90.100"},
+	{Typ: cfgStr, Name: "ipv4_end", Usage: "IPV4结束", ValStr: "192.168.90.200"},
 	{Typ: cfgStr, Name: "default_group", Usage: "默认用户组", ValStr: "one"},
-	{Typ: cfgStr, Name: "default_domain", Usage: "要发布的默认域", ValStr: ""},
+	{Typ: cfgStr, Name: "default_domain", Usage: "客户端dns的默认搜索域", ValStr: ""},

-	{Typ: cfgInt, Name: "ip_lease", Usage: "IP租期(秒)", ValInt: 1209600},
-	{Typ: cfgInt, Name: "max_client", Usage: "最大用户连接", ValInt: 100},
+	{Typ: cfgInt, Name: "ip_lease", Usage: "IP租期(秒)", ValInt: 86400},
+	{Typ: cfgInt, Name: "max_client", Usage: "最大用户连接", ValInt: 200},
 	{Typ: cfgInt, Name: "max_user_client", Usage: "最大单用户连接", ValInt: 3},
-	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 20},
-	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 30},
-	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 50},
+	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 3},
+	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 20},
+	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 4},
 	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60},
 	{Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460},
-	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)", ValInt: 3600},
+	{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接，0关闭此功能", ValInt: 0},
+	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连，0永不过期", ValInt: 3600},
 	// {Typ: cfgInt, Name: "auth_timeout", Usage: "auth_timeout", ValInt: 0},
-	{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: -1},
+	{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: 600},

 	{Typ: cfgBool, Name: "show_sql", Usage: "显示sql语句，用于调试", ValBool: false},
+	{Typ: cfgBool, Name: "iptables_nat", Usage: "是否自动添加NAT", ValBool: true},
+	{Typ: cfgBool, Name: "compression", Usage: "启用压缩", ValBool: false},
+	{Typ: cfgInt, Name: "no_compress_limit", Usage: "低于及等于多少字节不压缩", ValInt: 256},
+
+	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
+	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
+	{Typ: cfgBool, Name: "auth_alone_otp", Usage: "登录单独验证OTP窗口", ValBool: false},
+	{Typ: cfgBool, Name: "encryption_password", Usage: "用户密码是否加密保存", ValBool: false},
+
+	{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
+	{Typ: cfgStr, Name: "ip_whitelist", Usage: "全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围", ValStr: "192.168.90.1,172.16.0.0/24"},
+
+	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭该功能", ValInt: 5},
+	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 10},
+	{Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
+
+	{Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数，0为关闭该功能", ValInt: 20},
+	{Typ: cfgInt, Name: "global_user_ban_reset_time", Usage: "全局用户设置单位时间(秒)", ValInt: 600},
+	{Typ: cfgInt, Name: "global_user_lock_time", Usage: "全局用户锁定时间(秒)", ValInt: 300},
+
+	{Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数，0为关闭该功能", ValInt: 40},
+	{Typ: cfgInt, Name: "global_ip_ban_reset_time", Usage: "全局IP设置单位时间(秒)", ValInt: 1200},
+	{Typ: cfgInt, Name: "global_ip_lock_time", Usage: "全局IP锁定时间(秒)", ValInt: 300},
+
+	{Typ: cfgInt, Name: "global_lock_state_expiration_time", Usage: "全局锁定状态的保存生命周期(秒),超过则删除记录", ValInt: 3600},
 }

 var envs = map[string]string{}
--- a/server/base/log.go
+++ b/server/base/log.go
@@ -10,11 +10,12 @@ import (
 )

 const (
-	_Debug = iota
-	_Info
-	_Warn
-	_Error
-	_Fatal
+	LogLevelTrace = iota
+	LogLevelDebug
+	LogLevelInfo
+	LogLevelWarn
+	LogLevelError
+	LogLevelFatal
 )

 var (
@@ -27,6 +28,10 @@ var (
 	logName    = "anylink.log"
 )

+func init() {
+	log.SetFlags(log.LstdFlags | log.Lshortfile)
+}
+
 // 实现 os.Writer 接口
 type logWriter struct {
 	UseStdout bool
@@ -76,28 +81,46 @@ func initLog() {
 	baseLw.newFile()
 	baseLevel = logLevel2Int(Cfg.LogLevel)
 	baseLog = log.New(baseLw, "", log.LstdFlags|log.Lshortfile)
+
+	serverLog = log.New(&sLogWriter{}, "[http_server]", log.LstdFlags|log.Lshortfile)
 }

 func GetBaseLw() *logWriter {
 	return baseLw
 }

+var serverLog *log.Logger
+
+type sLogWriter struct{}
+
+func (w *sLogWriter) Write(p []byte) (n int, err error) {
+	if Cfg.HttpServerLog {
+		return os.Stderr.Write(p)
+	}
+	return 0, nil
+}
+
 // 获取 log.Logger
-func GetBaseLog() *log.Logger {
-	return baseLog
+func GetServerLog() *log.Logger {
+	return serverLog
+}
+
+func GetLogLevel() int {
+	return baseLevel
 }

 func logLevel2Int(l string) int {
 	levels = map[int]string{
-		_Debug: "Debug",
-		_Info:  "Info",
-		_Warn:  "Warn",
-		_Error: "Error",
-		_Fatal: "Fatal",
+		LogLevelTrace: "Trace",
+		LogLevelDebug: "Debug",
+		LogLevelInfo:  "Info",
+		LogLevelWarn:  "Warn",
+		LogLevelError: "Error",
+		LogLevelFatal: "Fatal",
 	}
-	lvl := _Info
+	lvl := LogLevelInfo
 	for k, v := range levels {
-		if strings.EqualFold(strings.ToLower(l), strings.ToLower(v)) {
+		if strings.ToLower(l) == strings.ToLower(v) {
 			lvl = k
 		}
 	}
@@ -109,8 +132,16 @@ func output(l int, s ...interface{}) {
 	_ = baseLog.Output(3, lvl+fmt.Sprintln(s...))
 }

+func Trace(v ...interface{}) {
+	l := LogLevelTrace
+	if baseLevel > l {
+		return
+	}
+	output(l, v...)
+}
+
 func Debug(v ...interface{}) {
-	l := _Debug
+	l := LogLevelDebug
 	if baseLevel > l {
 		return
 	}
@@ -118,7 +149,7 @@ func Debug(v ...interface{}) {
 }

 func Info(v ...interface{}) {
-	l := _Info
+	l := LogLevelInfo
 	if baseLevel > l {
 		return
 	}
@@ -126,7 +157,7 @@ func Info(v ...interface{}) {
 }

 func Warn(v ...interface{}) {
-	l := _Warn
+	l := LogLevelWarn
 	if baseLevel > l {
 		return
 	}
@@ -134,7 +165,7 @@ func Warn(v ...interface{}) {
 }

 func Error(v ...interface{}) {
-	l := _Error
+	l := LogLevelError
 	if baseLevel > l {
 		return
 	}
@@ -142,7 +173,7 @@ func Error(v ...interface{}) {
 }

 func Fatal(v ...interface{}) {
-	l := _Fatal
+	l := LogLevelFatal
 	if baseLevel > l {
 		return
 	}
--- a/server/base/mod.go
+++ b/server/base/mod.go
@@ -0,0 +1,81 @@
+package base
+
+import (
+	"bufio"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+const (
+	procModulesPath = "/proc/modules"
+	inContainerKey  = "ANYLINK_IN_CONTAINER"
+	tunPath         = "/dev/net/tun"
+)
+
+var (
+	InContainer = false
+	modMap      = map[string]struct{}{}
+)
+
+func initMod() {
+	container := os.Getenv(inContainerKey)
+	if container == "on" {
+		InContainer = true
+	}
+	log.Println("InContainer", InContainer)
+
+	file, err := os.Open(procModulesPath)
+	if err != nil {
+		err = fmt.Errorf("[ERROR] Problem with open file: %s", err)
+		panic(err)
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(file)
+	scanner.Split(bufio.ScanLines)
+	for scanner.Scan() {
+		splited := strings.Split(scanner.Text(), " ")
+		if len(splited[0]) > 0 {
+			modMap[splited[0]] = struct{}{}
+		}
+	}
+}
+
+func CheckModOrLoad(mod string) {
+	log.Println("CheckModOrLoad", mod)
+
+	if _, ok := modMap[mod]; ok {
+		return
+	}
+
+	var err error
+
+	if mod == "tun" || mod == "tap" {
+		_, err = os.Stat(tunPath)
+		if err == nil {
+			// 文件存在
+			return
+		}
+		// err = fmt.Errorf("[error] Linux tunFile is null %s", tunPath)
+		// log.Println(err)
+		// return
+	}
+
+	if InContainer {
+		err = fmt.Errorf("[error] Linux module %s is not loaded, please run `modprobe %s`", mod, mod)
+		log.Println(err)
+		return
+		// panic(err)
+	}
+
+	cmdstr := fmt.Sprintln("modprobe", mod)
+
+	cmd := exec.Command("sh", "-c", cmdstr)
+	b, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Println(mod, string(b))
+		panic(err)
+	}
+}
--- a/server/base/start.go
+++ b/server/base/start.go
@@ -4,6 +4,7 @@ func Start() {
 	execute()
 	initCfg()
 	initLog()
+	initMod()
 }

 func Test() {
--- a/server/conf/files/info.txt
+++ b/server/conf/files/info.txt
@@ -1,2 +1,2 @@
 客户端软件需放置在files目录内，
-如需要帮助请加QQ群：567510628
+如需要帮助请加QQ群：567510628 、739072205
--- a/server/conf/profile.xml
+++ b/server/conf/profile.xml
@@ -8,6 +8,8 @@
        <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
        <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
        <BypassDownloader>true</BypassDownloader>
+        <AutoUpdate UserControllable="false">false</AutoUpdate>
+        <LocalLanAccess UserControllable="true">true</LocalLanAccess>
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
        <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
@@ -20,15 +22,19 @@
            </ExtendedKeyUsage>
        </CertificateMatch>

-        <BackupServerList>
-            <HostAddress>localhost</HostAddress>
-        </BackupServerList>
    </ClientInitialization>

    <ServerList>
+
        <HostEntry>
-            <HostName>VPN Server</HostName>
+            <HostName>VPN</HostName>
            <HostAddress>localhost</HostAddress>
        </HostEntry>
+
+        <HostEntry>
+            <HostName>VPN2</HostName>
+            <HostAddress>localhost2</HostAddress>
+        </HostEntry>
+
    </ServerList>
 </AnyConnectProfile>
--- a/server/conf/server-sample.toml
+++ b/server/conf/server-sample.toml
@@ -7,15 +7,24 @@
 db_type = "sqlite3"
 db_source = "./conf/anylink.db"
 #证书文件 使用跟nginx一样的证书即可
-cert_file = "./conf/vpn_cert.crt"
+cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
 profile = "./conf/profile.xml"
-#日志目录,为空写入标准输出
+#profile name(用于区分不同服务端的配置)
+#客户端存放位置
+#Windows 10
+#%ProgramData%Cisco\Cisco AnyConnect Secure Mobility Client\Profile
+#Mac Os X
+#/opt/cisco/anyconnect/profile
+#Linux
+#/opt/cisco/anyconnect/profile
+profile_name = "anylink"
+#日志目录,默认为空写入标准输出
 #log_path = "./log"
 log_path = ""
 log_level = "debug"
-pprof = false
+pprof = true

 #系统名称
 issuer = "XX公司VPN"
@@ -23,57 +32,123 @@ issuer = "XX公司VPN"
 admin_user = "admin"
 #pass 123456
 admin_pass = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
+# 留空表示不开启 otp, 开启otp后密码为  pass + 6位otp
+# 生成 ./anylink tool -o
+admin_otp = ""
 jwt_secret = "abcdef.0123456789.abcdef"


-#服务监听地址
+#TCP服务监听地址(任意端口)
 server_addr = ":443"
-#开启 DTLS, 默认关闭
+#开启 DTLS
 server_dtls = false
-server_dtls_addr = ":4433"
+#UDP监听地址(任意端口)
+server_dtls_addr = ":443"
+#DTLS对外映射端口(为空则与server_dtls_addr相同)
+advertise_dtls_addr = ""
 #后台服务监听地址
 admin_addr = ":8800"
 #开启tcp proxy protocol协议
 proxy_protocol = false

+#开启go标准库http.Server的日志
+http_server_log=false
+
+#虚拟网络类型[tun macvtap tap]
 link_mode = "tun"

 #客户端分配的ip地址池
+#docker环境一般默认 eth0，其他情况根据实际网卡信息填写
 ipv4_master = "eth0"
-ipv4_cidr = "192.168.10.0/24"
-ipv4_gateway = "192.168.10.1"
-ipv4_start = "192.168.10.100"
-ipv4_end = "192.168.10.200"
+ipv4_cidr = "192.168.90.0/24"
+ipv4_gateway = "192.168.90.1"
+ipv4_start = "192.168.90.100"
+ipv4_end = "192.168.90.200"

 #最大客户端数量
-max_client = 100
+max_client = 200
 #单个用户同时在线数量
 max_user_client = 3
 #IP租期(秒)
-ip_lease = 1209600
+ip_lease = 86400

 #默认选择的组
 default_group = "one"

 #客户端失效检测时间(秒) dpd > keepalive
-cstp_keepalive = 20
-cstp_dpd = 30
-mobile_keepalive = 40
-mobile_dpd = 50
+cstp_keepalive = 3
+cstp_dpd = 20
+mobile_keepalive = 4
+mobile_dpd = 60
+
+# 根据实际情况修改
+#cstp_keepalive = 20
+#cstp_dpd = 30
+#mobile_keepalive = 40
+#mobile_dpd = 60

 #设置最大传输单元
 mtu = 1460

-# 要发布的默认域
+# 客户端dns的默认搜索域
 default_domain = "example.com"
 #default_domain = "example.com abc.example.com"

+#空闲链接超时时间(秒)-超时后断开链接，0关闭此功能
+idle_timeout = 0
 #session过期时间，用于断线重连，0永不过期
 session_timeout = 3600
-auth_timeout = 0
-audit_interval = -1
+#auth_timeout = 0
+audit_interval = 600

 show_sql = false

+#是否自动添加nat
+iptables_nat = true

+#启用压缩
+compression = false
+#低于及等于多少字节不压缩
+no_compress_limit = 256

+#客户端显示详细错误信息(线上环境慎开启)
+display_error = false
+
+#排除出口ip路由(出口ip不加密传输)
+exclude_export_ip = true
+
+#登录单独验证OTP窗口
+auth_alone_otp = false
+
+#加密保存用户密码
+encryption_password = false
+
+#防爆破全局开关
+anti_brute_force = true
+#全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围
+ip_whitelist = "192.168.90.1,172.16.0.0/24"
+
+#锁定时间最好不要超过单位时间
+#单位时间内最大尝试次数，0为关闭该功能
+max_ban_score = 5
+#设置单位时间(秒)，超过则重置计数
+ban_reset_time = 600
+#超过最大尝试次数后的锁定时长(秒)
+lock_time = 300
+
+#全局用户单位时间内最大尝试次数,0为关闭该功能
+max_global_user_ban_count = 20
+#全局用户设置单位时间(秒)
+global_user_ban_reset_time = 600
+#全局用户锁定时间(秒)
+global_user_lock_time = 300
+
+#全局IP单位时间内最大尝试次数，0为关闭该功能
+max_global_ip_ban_count = 40
+#全局IP设置单位时间(秒)
+global_ip_ban_reset_time = 1200
+#全局IP锁定时间(秒)
+global_ip_lock_time = 300
+
+#全局锁定状态的保存生命周期(秒),超过则删除记录
+global_lock_state_expiration_time = 3600
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -7,9 +7,12 @@
 db_type = "sqlite3"
 db_source = "./conf/anylink.db"
 #证书文件
-cert_file = "./conf/vpn_cert.crt"
+cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
+
+#日志目录,默认为空写入标准输出
+#log_path = "./log"
 log_level = "debug"

 #系统名称
@@ -18,13 +21,37 @@ issuer = "XX公司VPN"
 admin_user = "admin"
 #pass 123456
 admin_pass = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
+# 留空表示不开启 otp, 开启otp后密码为  pass + 6位otp
+# 生成 ./anylink tool -o
+admin_otp = ""
 jwt_secret = "abcdef.0123456789.abcdef"

-#服务监听地址
+#TCP服务监听地址(任意端口)
 server_addr = ":443"
+#开启 DTLS
+server_dtls = false
+#UDP监听地址(任意端口)
+server_dtls_addr = ":443"
 #后台服务监听地址
 admin_addr = ":8800"

+#最大客户端数量
+max_client = 200
+#单个用户同时在线数量
+max_user_client = 3

+#虚拟网络类型[tun macvtap]
+link_mode = "tun"
+#客户端分配的ip地址池
+#docker环境一般默认 eth0，其他情况根据实际网卡信息填写
+ipv4_master = "eth0"
+ipv4_cidr = "192.168.90.0/24"
+ipv4_gateway = "192.168.90.1"
+ipv4_start = "192.168.90.100"
+ipv4_end = "192.168.90.200"

+#是否自动添加nat
+iptables_nat = true

+#客户端显示详细错误信息(线上环境慎开启)
+display_error = true
--- a/server/conf/vpn_cert.crt
+++ b/server/conf/vpn_cert.crt
@@ -1,61 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF9zCCBN+gAwIBAgIQBNH+cm5YH1O2NhfT+zB+ATANBgkqhkiG9w0BAQsFADBu
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
-RFYgVExTIENBIC0gRzEwHhcNMjExMjEyMDAwMDAwWhcNMjIxMjEzMjM1OTU5WjAc
-MRowGAYDVQQDExF2cG4udGVzdC52cWlsdS5jbjCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAK2XO6Na//i0sMiV0nF+aDTbDibGiTLr+LFlhTIi1KX9IAU2
-Xboz1B8cxDro3g+CzgrGg0YMI4CxBiY56UT3jUTsLYBNpWPkbhlH+mpf0J7fgH29
-V1LAZKm2qR28y/krKHIbcGrfMAbXi6iVkVHhc+edvGCdAiDSyJgVSZbYV/s0LXLF
-0B0BokagwtvGIx7ik5uG4exuRCUKE3z0n6RXdN0eWBvKKHFhWEeaBIGzHjoDgAx/
-4VJ8XsW0tcwByiVRqpMFa1eG3HLMvi34M1qLzNv7dGPIkr1zjvlvTqhDpimXOi9C
-4N5ZOfZfNAyR8zU5+tBqSCvByavxLJwC//F7VQcCAwEAAaOCAuEwggLdMB8GA1Ud
-IwQYMBaAFFV0T7JyT/VgulDR1+ZRXJoBhxrXMB0GA1UdDgQWBBQKyNOGPzBPyqY9
-nxahHC+B6xT83TAcBgNVHREEFTATghF2cG4udGVzdC52cWlsdS5jbjAOBgNVHQ8B
-Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD4GA1UdIAQ3
-MDUwMwYGZ4EMAQIBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQu
-Y29tL0NQUzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
-cC5kaWdpY2VydC5jb20wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jYWNlcnRzLmRpZ2lj
-ZXJ0LmNvbS9FbmNyeXB0aW9uRXZlcnl3aGVyZURWVExTQ0EtRzEuY3J0MAkGA1Ud
-EwQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2ACl5vvCeOTkh8FZzn2Ol
-d+W+V32cYAr4+U1dJlwlXceEAAABfa0lBgAAAAQDAEcwRQIgEQ4wS5gyLMK30aeD
-xF3kWvsUhkd94HKIl13ckYnukGMCIQD1/6fFUAPjdw2k8f/ctJ7STUHeA1WoBy5H
-O/iXBRCkWgB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXlAAABfa0l
-BmYAAAQDAEcwRQIgOoguGrrlpwoxGiJHJNcEWbuH2AOJCDSDiun80DX9hUwCIQCJ
-cFCOe5E5VbgHrTWbQ0OUFS0epDgUiG8y9kjfkN1M5QB2AEHIyrHfIkZKEMahOglC
-h15OMYsbA+vrS8do8JBilgb2AAABfa0lBfoAAAQDAEcwRQIhAIHCUjXv+M3/jFOU
-AzjjMCISczShjqQ5FKqsIYNTUN46AiAom+II914ifwdFiS2xWI0ncSj8cxH6f+WZ
-UUQj9RczMDANBgkqhkiG9w0BAQsFAAOCAQEALj5oEwyU+gxVKhLFrBBtkoi9F0HQ
-jjSQZvOcKApSXjKS11VdmLGKuy85FSocw7VvDtZ4o43OhO79GMAMiPXroTnPIS5O
-ZNxfuusF6HpS+2Dq9UidnlxQmIaJ4A7PkX+NqAI4V6yr839SXKyHJROfXf9hNoJZ
-PJeZ94oMwXdeNjFkOismFpvaZcYq7t51xi5tkH/NaJHV5FEU8Or4zk/OoaPe3r+b
-2hpltIIaapoNVYLWLW7YS7hlvhjfwPypsR3ev4bTRWvT1tu9+AE+TG0OZqeWGucP
-6MjZI5gecOnkQVmBovkRi2lr26PDWrwnAlyoMI3ioU1XaTftIrBL2YalfQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0xNzExMjcxMjQ2MTBaFw0yNzExMjcxMjQ2MTBaMG4xCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xLTArBgNVBAMTJEVuY3J5cHRpb24gRXZlcnl3aGVyZSBEViBUTFMgQ0EgLSBH
-MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPeP6wkab41dyQh6mKc
-oHqt3jRIxW5MDvf9QyiOR7VfFwK656es0UFiIb74N9pRntzF1UgYzDGu3ppZVMdo
-lbxhm6dWS9OK/lFehKNT0OYI9aqk6F+U7cA6jxSC+iDBPXwdF4rs3KRyp3aQn6pj
-pp1yr7IB6Y4zv72Ee/PlZ/6rK6InC6WpK0nPVOYR7n9iDuPe1E4IxUMBH/T33+3h
-yuH3dvfgiWUOUkjdpMbyxX+XNle5uEIiyBsi4IvbcTCh8ruifCIi5mDXkZrnMT8n
-wfYCV6v6kDdXkbgGRLKsR4pucbJtbKqIkUGxuZI2t7pfewKRc5nWecvDBZf3+p1M
-pA8CAwEAAaOCAU8wggFLMB0GA1UdDgQWBBRVdE+yck/1YLpQ0dfmUVyaAYca1zAf
-BgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYw
-HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8C
-AQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
-Y2VydC5jb20wQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQu
-Y29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
-/WwBAjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
-MAgGBmeBDAECATANBgkqhkiG9w0BAQsFAAOCAQEAK3Gp6/aGq7aBZsxf/oQ+TD/B
-SwW3AU4ETK+GQf2kFzYZkby5SFrHdPomunx2HBzViUchGoofGgg7gHW0W3MlQAXW
-M0r5LUvStcr82QDWYNPaUy4taCQmyaJ+VB+6wxHstSigOlSNF2a6vg4rgexixeiV
-4YSB03Yqp2t3TeZHM9ESfkus74nQyW7pRGezj+TC44xCagCQQOzzNmzEAP2SnCrJ
-sNE2DpRVMnL8J6xBRdjmOsC3N6cQuKuRXbzByVBjCqAA8t1L0I+9wXJerLPyErjy
-rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----
--- a/server/conf/vpn_cert.key
+++ b/server/conf/vpn_cert.key
@@ -1,27 +1,28 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEArZc7o1r/+LSwyJXScX5oNNsOJsaJMuv4sWWFMiLUpf0gBTZd
-ujPUHxzEOujeD4LOCsaDRgwjgLEGJjnpRPeNROwtgE2lY+RuGUf6al/Qnt+Afb1X
-UsBkqbapHbzL+Ssochtwat8wBteLqJWRUeFz5528YJ0CINLImBVJlthX+zQtcsXQ
-HQGiRqDC28YjHuKTm4bh7G5EJQoTfPSfpFd03R5YG8oocWFYR5oEgbMeOgOADH/h
-UnxexbS1zAHKJVGqkwVrV4bccsy+LfgzWovM2/t0Y8iSvXOO+W9OqEOmKZc6L0Lg
-3lk59l80DJHzNTn60GpIK8HJq/EsnAL/8XtVBwIDAQABAoIBACXjPEELO5Ms3Ojq
-ymO7E0N2DECqVIeouT7+yXOH5qHT/YkltI9PgJzJyoqRCOaZxh7T9RL000rjWFQ/
-j4pd/ZdtdQDr8Y077kvWSfGtt/r1DTZkfQqys0XXeFHlQx+/K7S8CG1LCVB0+yZw
-fqdAbeu/ob30huJjHyUSgF1MGufYvuII6x0CGORwzruWWFniXkg2z+9SP4x4RSfm
-exMUE4T4tlzR63QaW02xWEDTWCSQw/FgjpCWwryDVCmnLf63UhI+4hITqZLL+ROd
-sG/8Yp284q7BYBKk4/N1HD4W1vU+dls3glxZ22NCQKx+2RVtqTrRUd/d4AnxOmMR
-dnfh4AECgYEA7cl9NIRrtQdW+KFcoSdyP2F+SU74nSAh6Uolzwr9lHB+NbMJ5g79
-eU1zp3RAvSFg249L4cnceaFL1LTPcNN0xhpaJ7v5FQWk5tkddSmy2T3CAh8VwLXF
-487pgakO1SpS6uz+BtwsAFOS8k/GjYeSbPR4e9F/FbYAvGYwOLNj2ocCgYEAuuL8
-xnFnt95TwWptu4T97YXTeZRB17jiH1BhX+QawsSafagsWlSKihKMxYhfCHiwztS/
-KsCnkS6cH9slU3y4gvCiT1S4z1Qkw93ljUQXCzRIVEd9SxXoQMeRi+/5c239Fhnu
-aoxESAFWNXJZ5r9Jp3qukHvEtYn2FoE1Zkmu0YECgYApULgDdvqr4pGW85p/mbX9
-Ezh5DlKeImYh/bMiDTvQHdegBvKyWWprOCzfLJDPC8yjeXtqyMMZExB07dGZPfRt
-M0j03HFD2M41GgZHRC6CFnvuGG6UJEE0+s+Rqskb+pWbof/lOz4d9Gd02K2cC7FC
-YxvID7dwE0Z/dZXtVCYGYwKBgQCjckPKtoIUcBBmV1NzLiP66REEAuL27Q5ufpk7
-CT9SWioXfc6Ujd3AVeriE5uxyAQyUCSFGosy0UXgIoRpmOmyMwxxP1KGmTuyRc4u
-l39j4Czl8MQmuBkxFpk3fwB2sJopCzLV4qkRJIImKkVwJpofLI+hc22dq/QayJRQ
-Sl7ngQKBgQCkfcbQDvhkL6QKUC/K7MDGw9JMICLUpRyp6D3ibeL7i6WO6dkKde2t
-O/oLz2XvG0NR0nulhThpWUdyUWco3FZ038jiuY8ZZum5wdVBDOcDcnuBisE3Kzh8
-p7WycoWItAVxmyTKzHJIZ7pFQULYjap7gFSUPE9uBQZu09VKBtGPHA==
-----END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDRVjwa+YPKcvKD
+2YZJUMPcwXCL32hF9gFTyMFuojpvo/L9C710xkJBNW2ceEcAdYyohBhtylbCFKUy
+QpDRJsAmRiWL5zSjfeds4bVEInmXvF+Ga9FuN/o/R27/kyrejBVd7u9AKzg9k5vI
+/4FhXFMivZgwghaSiJkVHJG6ehmCVGR11A5LUIjrub+iYJfaS2dl4WVxn9kyYRuO
+NU0nDMInWE6F+dVa57HEUEOolDEmr9R+N5XIXYfXwE4W4Xj/5CL+mBLME+OaADK8
+RE9dPomgk3Vqc/s8thllyztqR/TfQIwCwmQNf+UB5DIWr5iYDsX4rU3hswJQUCTQ
+CLNEcdStAgMBAAECgf97UHp7u8+x4lz6BQB8/c0xHWdAw1clIveZbEVl0hNoVUN/
+EKku+q/1Sf+CuhnbgLjT1bkVnnotmVcGeWH2DeCnkMJqHVMOBRb/dso2fw+pCTzY
+VofQpmbPy1xCXb6chqrpT3MTaJdI7IrBCNEQ54cOxsojwzp0MfejS/NI41q8iuCS
+hVry+VEbmtA22vjwMvsF6NsRKlfc1DUyC/ZoHB91gzKmvLdXBREwBXtdiJfMlu9G
+EKH3ORxbcanmdsXWIG84t5M9Sf9L5FZe6tlL4FdoKv25Vxv2z+PVM8Y/0B3IBTCb
+yqMK8579PTlHl40WRjSgzpijGvMxuIpgm5KaXQECgYEA7U6lBhRWmPsJRaK0jyAv
+qnaC5AbnM8OjIbsDtnQxn0BWvx7aZznxOE4jL0QejUD/gov6yYkNhIu797LzO8Mq
+fEqEX7Bp23PfLvybqkyhJWFz26v0erU5q8Rlt648bK7Ul1j8FkmsEN3qu+64c8Fu
+pzN081bqOGjEcaCjsHswvkMCgYEA4dOPvYYu8wBfrH3Gn94XHWWVvFMnWErXEOzK
+eL0dFg3Ae+y8Sg5x9YTz3XjwyzwcTbrD0zg4huWwmD64BgPcliG7XKA093ea2JIs
+Mah5/KTQmltcIut7qUvzwwbQVfN3xTwWzd7eDtEIAeFZ8r/HzJM6X21b/LaQIXUY
+Gb7dik8CgYAaaUxYlt7ke9wWUfuCinSDplj/A/2rdzSqxmOtZNU5AjIlZ0urfXlp
+aNjlo9E6q2dEokuxLn3AqMSs1s/XcOtDlg+RjtLZR9YpJpg0pf6xaF06r7KwDYdz
+pJIllVDIT9T9WzwDRwPNhMVhUTpaN8cW+NUlWCENUiu68cQGGk/cfQKBgEmvRk+I
+4PjZPl6CC7VOOiyVYO46E7RzdwlGuin7SupPQmctL6LaY8TAxPGW7LrjujiCoDLj
+PU6G08BZdqI/0FIMX54xiBbXJ+dSiqkJWARfotE6zi12uLrc1YTlTEU/U+0/VhGG
+jt42xm4WocrbWM4fnARXIpSq3QyNsHd2F8NxAoGBAMEcT0mFQ0J7HCQ+zL36ogGv
+Bc/N6WR0xSEBQVG9D4iysxX4XyJukCuUCvMIbsBj5IVAVBlMNxfDtL/kD6tgy0L7
+tdN7nOaYgnqTyZfQItz92cQ6oiIqW7GPJA5ATJe1fxXINjcP6EkRDAfACBW7/l85
+Cd/yRpaOSMPbqKO1OOSn
+-----END PRIVATE KEY-----
--- a/server/conf/vpn_cert.pem
+++ b/server/conf/vpn_cert.pem
@@ -0,0 +1,67 @@
+-----BEGIN CERTIFICATE-----
+MIIGbTCCBNWgAwIBAgIQIodwqN03+Y3aYpdvfq2qKTANBgkqhkiG9w0BAQwFADBZ
+MQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywg
+SW5jLjEjMCEGA1UEAxMaVHJ1c3RBc2lhIFJTQSBEViBUTFMgQ0EgRzIwHhcNMjQw
+MTIyMDAwMDAwWhcNMjUwMTIxMjM1OTU5WjAcMRowGAYDVQQDExF2cG4udGVzdC52
+cWlsdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFWPBr5g8py
+8oPZhklQw9zBcIvfaEX2AVPIwW6iOm+j8v0LvXTGQkE1bZx4RwB1jKiEGG3KVsIU
+pTJCkNEmwCZGJYvnNKN952zhtUQieZe8X4Zr0W43+j9Hbv+TKt6MFV3u70ArOD2T
+m8j/gWFcUyK9mDCCFpKImRUckbp6GYJUZHXUDktQiOu5v6Jgl9pLZ2XhZXGf2TJh
+G441TScMwidYToX51VrnscRQQ6iUMSav1H43lchdh9fAThbheP/kIv6YEswT45oA
+MrxET10+iaCTdWpz+zy2GWXLO2pH9N9AjALCZA1/5QHkMhavmJgOxfitTeGzAlBQ
+JNAIs0Rx1K0CAwEAAaOCAuwwggLoMB8GA1UdIwQYMBaAFF86fBEQfgxncWHci6O1
+AANn9VccMB0GA1UdDgQWBBRDRfNBNYRlLb4V1MRTnU+bUVnvnDAOBgNVHQ8BAf8E
+BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICMTAlMCMGCCsGAQUFBwIBFhdodHRw
+czovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwfQYIKwYBBQUHAQEEcTBvMEIG
+CCsGAQUFBzAChjZodHRwOi8vY3J0LnRydXN0LXByb3ZpZGVyLmNuL1RydXN0QXNp
+YVJTQURWVExTQ0FHMi5jcnQwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnRydXN0
+LXByb3ZpZGVyLmNuMBwGA1UdEQQVMBOCEXZwbi50ZXN0LnZxaWx1LmNuMIIBfwYK
+KwYBBAHWeQIEAgSCAW8EggFrAWkAdgDPEVbu1S58r/OHW9lpLpvpGnFnSrAX7KwB
+0lt3zsw7CAAAAY0v95Z6AAAEAwBHMEUCIDbFVgzV1DDvqTq6UnYisMqAEJn1cR+d
+mc+agwaOuRbrAiEAz3W2HooNcKqADX9QyK8xQQ8r9BQKVCQzF76g9AZKeDoAdwCi
+4wrkRe+9rZt+OO1HZ3dT14JbhJTXK14bLMS5UKRH5wAAAY0v95ZkAAAEAwBIMEYC
+IQCWVxDjciJ/KMbwbqMbEZdsDq0nCrotlPhIBb5wFBurVgIhAOgnw3nqSqFYRm8y
+OL3nz8rop0V5IEtgiNarOqMfLf33AHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnA
+sfpksWKaOd8AAAGNL/eWFwAABAMARzBFAiBB+V0NBebuCniZVuin5OaMYvWyNvRd
+NJ6hRmLbSKQAwwIhAKrPRrAP3An/9HSrFN/70eEK5DHT8+q8m0L5tc0+TckmMA0G
+CSqGSIb3DQEBDAUAA4IBgQCB65Q0V6Mewca0iVCxLJxczu6XYCCwsUzJiTWYjao3
+XZVe8yB4RhAimsUY+U3nXIL3RivkJydqfOO9N5APWndDgbtS4r55TFdscDUDmzsR
+S5kYCoEudbDWT89U+tHMOxzUKkb3nDA0WvJEN52CAanYO3blihnX3eX7enQMGtsM
+gfDrArcQyS+WMKUkyOlNysqGtj3XWYKssBPrX/0GqMimoeYkg+B4daBTbOVB6sKs
+USnmhI2MF3QUxn0+fC207HbSDj7s4a6npjg5KsL0zUsFrNZlMH30Tx2L0WuI1T7
+65lKHaKt8CyuL/YTjD5lAGYtJ+K9ypl5sBUFCXeW1lazTocjDa2CKv3WV+kVBhyO
+2nA2Lo4e643YXwXw98+ufU2U9yUjn1OrhsUXo3qaxETGVMumRwubtX4O2dUKnYGF
+xBxfHzXJKhZjX+U2ENIwsrm7pp3dcpIZqKxPCeowU5Ma9tvYpM7kgDhploMfsVic
+H7pWcFY99X5nMwJoDDBYomY=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFBzCCA++gAwIBAgIRALIM7VUuMaC/NDp1KHQ76aswDQYJKoZIhvcNAQELBQAw
+ezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNV
+BAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczAeFw0yMjAxMTAwMDAwMDBaFw0y
+ODEyMzEyMzU5NTlaMFkxCzAJBgNVBAYTAkNOMSUwIwYDVQQKExxUcnVzdEFzaWEg
+VGVjaG5vbG9naWVzLCBJbmMuMSMwIQYDVQQDExpUcnVzdEFzaWEgUlNBIERWIFRM
+UyBDQSBHMjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKjGDe0GSaBs
+Yl/VhMaTM6GhfR1TAt4mrhN8zfAMwEfLZth+N2ie5ULbW8YvSGzhqkDhGgSBlafm
+qq05oeESrIJQyz24j7icGeGyIZ/jIChOOvjt4M8EVi3O0Se7E6RAgVYcX+QWVp5c
+Sy+l7XrrtL/pDDL9Bngnq/DVfjCzm5ZYUb1PpyvYTP7trsV+yYOCNmmwQvB4yVjf
+IIpHC1OcsPBntMUGeH1Eja4D+qJYhGOxX9kpa+2wTCW06L8T6OhkpJWYn5JYiht5
+8exjAR7b8Zi3DeG9oZO5o6Qvhl3f8uGU8lK1j9jCUN/18mI/5vZJ76i+hsgdlfZB
+Rh5lmAQjD80M9TY+oD4MYUqB5XrigPfFAUwXFGehhlwCVw7y6+5kpbq/NpvM5Ba8
+SeQYUUuMA8RXpTtGlrrTPqJryfa55hTuX/ThhX4gcCVkbyujo0CYr+Uuc14IOyNY
+1fD0/qORbllbgV41wiy/2ZUWZQUodqHWkjT1CwIMbQOY5jmrSYGBwwIDAQABo4IB
+JjCCASIwHwYDVR0jBBgwFoAUoBEKIz6W8Qfs4q8p74Klf9AwpLQwHQYDVR0OBBYE
+FF86fBEQfgxncWHci6O1AANn9VccMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E
+CDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAiBgNVHSAE
+GzAZMA0GCysGAQQBsjEBAgIxMAgGBmeBDAECATBDBgNVHR8EPDA6MDigNqA0hjJo
+dHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNy
+bDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9k
+b2NhLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAHMUom5cxIje2IiFU7mOCsBr2F6CY
+eU5cyfQ/Aep9kAXYUDuWsaT85721JxeXFYkf4D/cgNd9+hxT8ZeDOJrn+ysqR7NO
+2K9AdqTdIY2uZPKmvgHOkvH2gQD6jc05eSPOwdY/10IPvmpgUKaGOa/tyygL8Og4
+3tYyoHipMMnS4OiYKakDJny0XVuchIP7ZMKiP07Q3FIuSS4omzR77kmc75/6Q9dP
+v4wa90UCOn1j6r7WhMmX3eT3Gsdj3WMe9bYD0AFuqa6MDyjIeXq08mVGraXiw73s
+Zale8OMckn/BU3O/3aFNLHLfET2H2hT6Wb3nwxjpLIfXmSVcVd8A58XH0g==
+-----END CERTIFICATE-----
--- a/server/cron/clear_statsinfo.go
+++ b/server/cron/clear_statsinfo.go
@@ -43,10 +43,5 @@ func getTimeAgo(days int) string {
 	ts := time.Now().AddDate(0, 0, -days)
 	tsZero := time.Date(ts.Year(), ts.Month(), ts.Day(), 0, 0, 0, 0, time.Local)
 	timeS = tsZero.Format(dbdata.LayoutTimeFormat)
-	// UTC
-	switch base.Cfg.DbType {
-	case "sqlite3", "postgres":
-		timeS = tsZero.UTC().Format(dbdata.LayoutTimeFormat)
-	}
 	return timeS
 }
--- a/server/cron/clear_user_act_log.go
+++ b/server/cron/clear_user_act_log.go
@@ -0,0 +1,20 @@
+package cron
+
+import (
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+// 清除用户活动日志
+func ClearUserActLog() {
+	lifeDay, timesUp := isClearTime()
+	if !timesUp {
+		return
+	}
+	// 当审计日志永久保存时，则退出
+	if lifeDay <= 0 {
+		return
+	}
+	affected, err := dbdata.UserActLogIns.ClearUserActLog(getTimeAgo(lifeDay))
+	base.Info("Cron ClearUserActLog: ", affected, err)
+}
--- a/server/cron/start.go
+++ b/server/cron/start.go
@@ -3,6 +3,8 @@ package cron
 import (
 	"time"

+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/go-co-op/gocron"
 )

@@ -10,5 +12,8 @@ func Start() {
 	s := gocron.NewScheduler(time.Local)
 	s.Cron("0 * * * *").Do(ClearAudit)
 	s.Cron("0 * * * *").Do(ClearStatsInfo)
+	s.Cron("0 * * * *").Do(ClearUserActLog)
+	s.Every(1).Day().At("00:00").Do(sessdata.CloseUserLimittimeSession)
+	s.Every(1).Day().At("00:00").Do(dbdata.ReNewCert)
 	s.StartAsync()
 }
--- a/server/dbdata/audit.go
+++ b/server/dbdata/audit.go
@@ -14,6 +14,7 @@ type SearchCon struct {
 	AccessProto string   `json:"access_proto"`
 	Date        []string `json:"date"`
 	Info        string   `json:"info"`
+	Sort        int      `json:"sort"`
 }

 func GetAuditSession(search string) *xorm.Session {
@@ -47,6 +48,11 @@ func GetAuditSession(search string) *xorm.Session {
 	if searchData.Info != "" {
 		session.And("info LIKE ?", "%"+searchData.Info+"%")
 	}
+	if searchData.Sort == 1 {
+		session.OrderBy("id desc")
+	} else {
+		session.OrderBy("id asc")
+	}
 	return session
 }

--- a/server/dbdata/audit_test.go
+++ b/server/dbdata/audit_test.go
@@ -15,7 +15,7 @@ func TestSearchAudit(t *testing.T) {
 	defer closeIpdata()

 	currDateVal := "2022-07-24 00:00:00"
-	CreatedAt, _ := time.Parse("2006-01-02 15:04:05", currDateVal)
+	CreatedAt, _ := time.ParseInLocation("2006-01-02 15:04:05", currDateVal, time.Local)

 	dataTest := AccessAudit{
 		Username:    "Test",
--- a/server/dbdata/cert.go
+++ b/server/dbdata/cert.go
@@ -0,0 +1,402 @@
+package dbdata
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math/big"
+	"net"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/pion/dtls/v2/pkg/crypto/selfsign"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/dns/alidns"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/providers/dns/tencentcloud"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+var (
+	// nameToCertificate mutex
+	ntcMux            sync.RWMutex
+	nameToCertificate = make(map[string]*tls.Certificate)
+	tempCert          *tls.Certificate
+)
+
+func init() {
+	c, _ := selfsign.GenerateSelfSignedWithDNS("localhost")
+	tempCert = &c
+}
+
+type SettingLetsEncrypt struct {
+	Domain   string `json:"domain"`
+	Legomail string `json:"legomail"`
+	Name     string `json:"name"`
+	Renew    bool   `json:"renew"`
+	DNSProvider
+}
+
+type DNSProvider struct {
+	AliYun struct {
+		APIKey    string `json:"apiKey"`
+		SecretKey string `json:"secretKey"`
+	} `json:"aliyun"`
+
+	TXCloud struct {
+		SecretID  string `json:"secretId"`
+		SecretKey string `json:"secretKey"`
+	} `json:"txcloud"`
+	CfCloud struct {
+		AuthToken string `json:"authToken"`
+	} `json:"cfcloud"`
+}
+type LegoUserData struct {
+	Email        string                 `json:"email"`
+	Registration *registration.Resource `json:"registration"`
+	Key          []byte                 `json:"key"`
+}
+type LegoUser struct {
+	Email        string
+	Registration *registration.Resource
+	Key          *ecdsa.PrivateKey
+}
+
+type LeGoClient struct {
+	mutex  sync.Mutex
+	Client *lego.Client
+	Cert   *certificate.Resource
+	LegoUserData
+}
+
+func GetDNSProvider(l *SettingLetsEncrypt) (Provider challenge.Provider, err error) {
+	switch l.Name {
+	case "aliyun":
+		if Provider, err = alidns.NewDNSProviderConfig(&alidns.Config{APIKey: l.DNSProvider.AliYun.APIKey, SecretKey: l.DNSProvider.AliYun.SecretKey, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
+			return
+		}
+	case "txcloud":
+		if Provider, err = tencentcloud.NewDNSProviderConfig(&tencentcloud.Config{SecretID: l.DNSProvider.TXCloud.SecretID, SecretKey: l.DNSProvider.TXCloud.SecretKey, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
+			return
+		}
+	case "cfcloud":
+		if Provider, err = cloudflare.NewDNSProviderConfig(&cloudflare.Config{AuthToken: l.DNSProvider.CfCloud.AuthToken, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
+			return
+		}
+	}
+	return
+}
+func (u *LegoUser) GetEmail() string {
+	return u.Email
+}
+func (u LegoUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *LegoUser) GetPrivateKey() crypto.PrivateKey {
+	return u.Key
+}
+
+func (l *LegoUserData) SaveUserData(u *LegoUser) error {
+	key, err := x509.MarshalECPrivateKey(u.Key)
+	if err != nil {
+		return err
+	}
+	l.Email = u.Email
+	l.Registration = u.Registration
+	l.Key = key
+	if err := SettingSet(l); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (l *LegoUserData) GetUserData(d *SettingLetsEncrypt) (*LegoUser, error) {
+	if err := SettingGet(l); err != nil {
+		return nil, err
+	}
+	if l.Email != "" {
+		key, err := x509.ParseECPrivateKey(l.Key)
+		if err != nil {
+			return nil, err
+		}
+		return &LegoUser{
+			Email:        l.Email,
+			Registration: l.Registration,
+			Key:          key,
+		}, nil
+	}
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return &LegoUser{
+		Email: d.Legomail,
+		Key:   privateKey,
+	}, nil
+}
+func ReNewCert() {
+	_, certtime, err := ParseCert()
+	if err != nil {
+		base.Error(err)
+		return
+	}
+	if certtime.AddDate(0, 0, -7).Before(time.Now()) {
+		config := &SettingLetsEncrypt{}
+		if err := SettingGet(config); err != nil {
+			base.Error(err)
+			return
+		}
+		if config.Renew {
+			client := &LeGoClient{}
+			if err := client.NewClient(config); err != nil {
+				base.Error(err)
+				return
+			}
+			if err := client.RenewCert(base.Cfg.CertFile, base.Cfg.CertKey); err != nil {
+				base.Error(err)
+				return
+			}
+			base.Info("证书续期成功")
+		}
+	} else {
+		base.Info(fmt.Sprintf("证书过期时间：%s", certtime.Local().Format("2006-1-2 15:04:05")))
+	}
+}
+
+func (c *LeGoClient) NewClient(l *SettingLetsEncrypt) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+	legouser, err := c.GetUserData(l)
+	if err != nil {
+		return err
+	}
+	config := lego.NewConfig(legouser)
+	config.CADirURL = lego.LEDirectoryProduction
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return err
+	}
+	Provider, err := GetDNSProvider(l)
+	if err != nil {
+		return err
+	}
+	if err := client.Challenge.SetDNS01Provider(Provider, dns01.AddRecursiveNameservers([]string{"223.6.6.6", "223.5.5.5"})); err != nil {
+		return err
+	}
+	if legouser.Registration == nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return err
+		}
+		legouser.Registration = reg
+		c.SaveUserData(legouser)
+	}
+	c.Client = client
+	return nil
+}
+
+func (c *LeGoClient) GetCert(domain string) error {
+	// 申请证书
+	certificates, err := c.Client.Certificate.Obtain(
+		certificate.ObtainRequest{
+			Domains: []string{domain},
+			Bundle:  true,
+		})
+	if err != nil {
+		return err
+	}
+	c.Cert = certificates
+	// 保存证书
+	if err := c.SaveCert(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *LeGoClient) RenewCert(certFile, keyFile string) error {
+	cert, err := os.ReadFile(certFile)
+	if err != nil {
+		return err
+	}
+	key, err := os.ReadFile(keyFile)
+	if err != nil {
+		return err
+	}
+	// 续期证书
+	renewcert, err := c.Client.Certificate.Renew(certificate.Resource{
+		Certificate: cert,
+		PrivateKey:  key,
+	}, true, false, "")
+	if err != nil {
+		return err
+	}
+	c.Cert = renewcert
+	// 保存更新证书
+	if err := c.SaveCert(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *LeGoClient) SaveCert() error {
+	err := os.WriteFile(base.Cfg.CertFile, c.Cert.Certificate, 0600)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(base.Cfg.CertKey, c.Cert.PrivateKey, 0600)
+	if err != nil {
+		return err
+	}
+	if tlscert, _, err := ParseCert(); err != nil {
+		return err
+	} else {
+		LoadCertificate(tlscert)
+	}
+	return nil
+}
+
+func ParseCert() (*tls.Certificate, *time.Time, error) {
+	_, errCert := os.Stat(base.Cfg.CertFile)
+	_, errKey := os.Stat(base.Cfg.CertKey)
+	if os.IsNotExist(errCert) || os.IsNotExist(errKey) {
+		err := PrivateCert()
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+	cert, err := tls.LoadX509KeyPair(base.Cfg.CertFile, base.Cfg.CertKey)
+	if err != nil || errors.Is(err, os.ErrNotExist) {
+		PrivateCert()
+		return nil, nil, err
+	}
+	parseCert, err := x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return nil, nil, err
+	}
+	return &cert, &parseCert.NotAfter, nil
+}
+
+func PrivateCert() error {
+	// 创建一个RSA密钥对
+	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
+	pub := &priv.PublicKey
+
+	// 生成一个自签名证书
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(1658),
+		Subject:               pkix.Name{CommonName: "localhost"},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return err
+	}
+
+	// 将证书编码为PEM格式并将其写入文件
+	certOut, _ := os.OpenFile(base.Cfg.CertFile, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
+	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	certOut.Close()
+
+	// 将私钥编码为PEM格式并将其写入文件
+	keyOut, _ := os.OpenFile(base.Cfg.CertKey, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+	keyOut.Close()
+	cert, err := tls.LoadX509KeyPair(base.Cfg.CertFile, base.Cfg.CertKey)
+	if err != nil {
+		return err
+	}
+	LoadCertificate(&cert)
+	return nil
+}
+
+func getTempCertificate() (*tls.Certificate, error) {
+	var err error
+	var cert tls.Certificate
+	if tempCert == nil {
+		cert, err = selfsign.GenerateSelfSignedWithDNS("localhost")
+		tempCert = &cert
+	}
+	return tempCert, err
+}
+
+func GetCertificateBySNI(commonName string) (*tls.Certificate, error) {
+	ntcMux.RLock()
+	defer ntcMux.RUnlock()
+
+	// Copy from tls.Config getCertificate()
+	name := strings.ToLower(commonName)
+	if cert, ok := nameToCertificate[name]; ok {
+		return cert, nil
+	}
+	if len(name) > 0 {
+		labels := strings.Split(name, ".")
+		labels[0] = "*"
+		wildcardName := strings.Join(labels, ".")
+		if cert, ok := nameToCertificate[wildcardName]; ok {
+			return cert, nil
+		}
+	}
+	// TODO 默认证书 兼容不支持 SNI 的客户端
+	if cert, ok := nameToCertificate["default"]; ok {
+		return cert, nil
+	}
+
+	return getTempCertificate()
+}
+
+func LoadCertificate(cert *tls.Certificate) {
+	buildNameToCertificate(cert)
+}
+
+// Copy from tls.Config BuildNameToCertificate()
+func buildNameToCertificate(cert *tls.Certificate) {
+	ntcMux.Lock()
+	defer ntcMux.Unlock()
+
+	// TODO 设置默认证书
+	nameToCertificate["default"] = cert
+
+	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return
+	}
+	startTime := x509Cert.NotBefore.String()
+	expiredTime := x509Cert.NotAfter.String()
+	if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 {
+		commonName := x509Cert.Subject.CommonName
+		fmt.Printf("┏ Load Certificate: %s\n", commonName)
+		fmt.Printf("┠╌╌ Start Time:     %s\n", startTime)
+		fmt.Printf("┖╌╌ Expired Time:   %s\n", expiredTime)
+		nameToCertificate[commonName] = cert
+	}
+	for _, san := range x509Cert.DNSNames {
+		fmt.Printf("┏ Load Certificate: %s\n", san)
+		fmt.Printf("┠╌╌ Start Time:     %s\n", startTime)
+		fmt.Printf("┖╌╌ Expired Time:   %s\n", expiredTime)
+		nameToCertificate[san] = cert
+	}
+}
--- a/server/dbdata/db.go
+++ b/server/dbdata/db.go
@@ -1,7 +1,11 @@
 package dbdata

 import (
+	"net/http"
+	"time"
+
 	"github.com/bjdgyc/anylink/base"
+	_ "github.com/denisenkom/go-mssqldb"
 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/lib/pq"
 	_ "github.com/mattn/go-sqlite3"
@@ -23,12 +27,16 @@ func initDb() {
 		base.Fatal(err)
 	}

+	// 初始化xorm时区
+	xdb.DatabaseTZ = time.Local
+	xdb.TZLocation = time.Local
+
 	if base.Cfg.ShowSQL {
 		xdb.ShowSQL(true)
 	}

 	// 初始化数据库
-	err = xdb.Sync2(&User{}, &Setting{}, &Group{}, &IpMap{}, &AccessAudit{}, &Policy{}, &StatsNetwork{}, &StatsCpu{}, &StatsMem{}, &StatsOnline{})
+	err = xdb.Sync2(&User{}, &Setting{}, &Group{}, &IpMap{}, &AccessAudit{}, &Policy{}, &StatsNetwork{}, &StatsCpu{}, &StatsMem{}, &StatsOnline{}, &UserActLog{})
 	if err != nil {
 		base.Fatal(err)
 	}
@@ -94,10 +102,29 @@ func addInitData() error {
 		return err
 	}

+	// SettingDnsProvider
+	provider := &SettingLetsEncrypt{
+		Domain:      "vpn.xxx.com",
+		Legomail:    "legomail",
+		Name:        "aliyun",
+		Renew:       false,
+		DNSProvider: DNSProvider{},
+	}
+	err = SettingSessAdd(sess, provider)
+	if err != nil {
+		return err
+	}
+	// LegoUser
+	legouser := &LegoUserData{}
+	err = SettingSessAdd(sess, legouser)
+	if err != nil {
+		return err
+	}
 	// SettingOther
 	other := &SettingOther{
 		LinkAddr:    "vpn.xx.com",
 		Banner:      "您已接入公司网络，请按照公司规定使用。\n请勿进行非工作下载及视频行为！",
+		Homecode:    http.StatusOK,
 		Homeindex:   "AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。",
 		AccountMail: accountMail,
 	}
@@ -119,12 +146,25 @@ func addInitData() error {
 	}

 	g1 := Group{
+		Name:         "all",
+		AllowLan:     true,
+		ClientDns:    []ValData{{Val: "114.114.114.114"}},
+		RouteInclude: []ValData{{Val: ALL}},
+		Status:       1,
+	}
+	err = SetGroup(&g1)
+	if err != nil {
+		return err
+	}
+
+	g2 := Group{
 		Name:         "ops",
 		AllowLan:     true,
 		ClientDns:    []ValData{{Val: "114.114.114.114"}},
-		RouteInclude: []ValData{{Val: All}},
+		RouteInclude: []ValData{{Val: "10.0.0.0/8"}},
+		Status:       1,
 	}
-	err = SetGroup(&g1)
+	err = SetGroup(&g2)
 	if err != nil {
 		return err
 	}
@@ -136,6 +176,9 @@ func CheckErrNotFound(err error) bool {
 	return err == ErrNotFound
 }

+// base64 图片
+// 用户动态码(请妥善保存):<br/>
+// <img src="{{.OtpImgBase64}}"/><br/>
 const accountMail = `<p>您好:</p>
 <p>&nbsp;&nbsp;您的{{.Issuer}}账号已经审核开通。</p>
 <p>
@@ -143,15 +186,27 @@ const accountMail = `<p>您好:</p>
    用户组: <b>{{.Group}}</b> <br/>
    用户名: <b>{{.Username}}</b> <br/>
    用户PIN码: <b>{{.PinCode}}</b> <br/>
+    用户过期时间: <b>{{.LimitTime}}</b> <br/>
+    {{if .DisableOtp}}
+    <!-- nothing -->
+    {{else}}
+	
+    <!-- 
    用户动态码(3天后失效):<br/>
-    <img src="{{.OtpImg}}"/>
+    <img src="{{.OtpImg}}"/><br/>
+    -->
+    用户动态码(请妥善保存):<br/>
+    <img src="cid:userOtpQr.png" alt="userOtpQr" /><br/>
+
+    {{end}}
 </p>
 <div>
    使用说明:
    <ul>
        <li>请使用OTP软件扫描动态码二维码</li>
        <li>然后使用anyconnect客户端进行登陆</li>
-        <li>登陆密码为 【PIN码+动态码】</li>
+        <li>登陆密码为 PIN 码</li>
+		<li>OTP密码为扫码后生成的动态码</li>
    </ul>
 </div>
 <p>
--- a/server/dbdata/db_orm.go
+++ b/server/dbdata/db_orm.go
@@ -75,6 +75,11 @@ func Find(data interface{}, limit, page int) error {
 	return xdb.Limit(limit, start).Find(data)
 }

+func FindWhereCount(data interface{}, where string, args ...interface{}) int {
+	n, _ := xdb.Where(where, args...).Count(data)
+	return int(n)
+}
+
 func FindWhere(data interface{}, limit int, page int, where string, args ...interface{}) error {
 	if limit == 0 {
 		return xdb.Where(where, args...).Find(data)
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -5,10 +5,12 @@ import (
 	"fmt"
 	"net"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"

 	"github.com/bjdgyc/anylink/base"
+	"github.com/songgao/water/waterutil"
 	"golang.org/x/text/language"
 	"golang.org/x/text/message"
 )
@@ -16,7 +18,10 @@ import (
 const (
 	Allow = "allow"
 	Deny  = "deny"
-	All   = "all"
+	ALL   = "all"
+	TCP   = "tcp"
+	UDP   = "udp"
+	ICMP  = "icmp"
 )

 // 域名分流最大字符2万
@@ -24,11 +29,14 @@ const DsMaxLen = 20000

 type GroupLinkAcl struct {
 	// 自上而下匹配 默认 allow * *
-	Action string     `json:"action"` // allow、deny
-	Val    string     `json:"val"`
-	Port   uint16     `json:"port"`
-	IpNet  *net.IPNet `json:"ip_net"`
-	Note   string     `json:"note"`
+	Action   string               `json:"action"`      // allow、deny
+	Protocol string               `json:"protocol"`    // 支持 ALL、TCP、UDP、ICMP 协议
+	IpProto  waterutil.IPProtocol `json:"ip_protocol"` // 判断协议使用
+	Val      string               `json:"val"`
+	Port     string               `json:"port"` // 兼容单端口历史数据类型uint16
+	Ports    map[uint16]int8      `json:"ports"`
+	IpNet    *net.IPNet           `json:"ip_net"`
+	Note     string               `json:"note"`
 }

 type ValData struct {
@@ -74,6 +82,20 @@ func GetGroupNames() []string {
 	return names
 }

+func GetGroupNamesNormal() []string {
+	var datas []Group
+	err := FindWhere(&datas, 0, 0, "status=1")
+	if err != nil {
+		base.Error(err)
+		return nil
+	}
+	var names []string
+	for _, v := range datas {
+		names = append(names, v.Name)
+	}
+	return names
+}
+
 func GetGroupNamesIds() []GroupNameId {
 	var datas []Group
 	err := Find(&datas, 0, 0)
@@ -98,16 +120,23 @@ func SetGroup(g *Group) error {
 	routeInclude := []ValData{}
 	for _, v := range g.RouteInclude {
 		if v.Val != "" {
-			if v.Val == All {
+			if v.Val == ALL {
 				routeInclude = append(routeInclude, v)
 				continue
 			}

-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
+
 			if err != nil {
 				return errors.New("RouteInclude 错误" + err.Error())
 			}

+			// 给Mac系统下发路由时，必须是标准的网络地址
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+
 			v.IpMask = ipMask
 			routeInclude = append(routeInclude, v)
 		}
@@ -116,10 +145,16 @@ func SetGroup(g *Group) error {
 	routeExclude := []ValData{}
 	for _, v := range g.RouteExclude {
 		if v.Val != "" {
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteExclude 错误" + err.Error())
 			}
+
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+
 			v.IpMask = ipMask
 			routeExclude = append(routeExclude, v)
 		}
@@ -134,14 +169,74 @@ func SetGroup(g *Group) error {
 				return errors.New("GroupLinkAcl 错误" + err.Error())
 			}
 			v.IpNet = ipNet
-			linkAcl = append(linkAcl, v)
+
+			// 设置协议数据
+			switch v.Protocol {
+			case TCP:
+				v.IpProto = waterutil.TCP
+			case UDP:
+				v.IpProto = waterutil.UDP
+			case ICMP:
+				v.IpProto = waterutil.ICMP
+			default:
+				// 其他类型都是 all
+				v.Protocol = ALL
+			}
+
+			portsStr := v.Port
+			v.Port = strings.TrimSpace(portsStr)
+			// switch vp := v.Port.(type) {
+			// case float64:
+			// 	portsStr = strconv.Itoa(int(vp))
+			// case string:
+			// 	portsStr = vp
+			// }
+
+			if regexp.MustCompile(`^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$`).MatchString(portsStr) {
+				ports := map[uint16]int8{}
+				for _, p := range strings.Split(portsStr, ",") {
+					if p == "" {
+						continue
+					}
+					if regexp.MustCompile(`^\d{1,5}-\d{1,5}$`).MatchString(p) {
+						rp := strings.Split(p, "-")
+						// portfrom, err := strconv.Atoi(rp[0])
+						portfrom, err := strconv.ParseUint(rp[0], 10, 16)
+						if err != nil {
+							return errors.New("端口:" + rp[0] + " 格式错误, " + err.Error())
+						}
+						// portto, err := strconv.Atoi(rp[1])
+						portto, err := strconv.ParseUint(rp[1], 10, 16)
+						if err != nil {
+							return errors.New("端口:" + rp[1] + " 格式错误, " + err.Error())
+						}
+						for i := portfrom; i <= portto; i++ {
+							ports[uint16(i)] = 1
+						}
+
+					} else {
+						port, err := strconv.ParseUint(p, 10, 16)
+						if err != nil {
+							return errors.New("端口:" + p + " 格式错误, " + err.Error())
+						}
+						ports[uint16(port)] = 1
+					}
+				}
+				v.Ports = ports
+				linkAcl = append(linkAcl, v)
+			} else {
+				return errors.New("端口: " + portsStr + " 格式错误,请用逗号分隔的端口,比如: 22,80,443 连续端口用-,比如:1234-5678")
+			}
+
 		}
 	}
+
 	g.LinkAcl = linkAcl

 	// DNS 判断
 	clientDns := []ValData{}
 	for _, v := range g.ClientDns {
+		v.Val = strings.TrimSpace(v.Val)
 		if v.Val != "" {
 			ip := net.ParseIP(v.Val)
 			if ip.String() != v.Val {
@@ -156,6 +251,20 @@ func SetGroup(g *Group) error {
 		return errors.New("默认路由，必须设置一个DNS")
 	}
 	g.ClientDns = clientDns
+
+	splitDns := []ValData{}
+	for _, v := range g.SplitDns {
+		v.Val = strings.TrimSpace(v.Val)
+		if v.Val != "" {
+			ValidateDomainName(v.Val)
+			if !ValidateDomainName(v.Val) {
+				return errors.New("域名 错误")
+			}
+			splitDns = append(splitDns, v)
+		}
+	}
+	g.SplitDns = splitDns
+
 	// 域名拆分隧道，不能同时填写
 	g.DsIncludeDomains = strings.TrimSpace(g.DsIncludeDomains)
 	g.DsExcludeDomains = strings.TrimSpace(g.DsExcludeDomains)
@@ -211,6 +320,31 @@ func SetGroup(g *Group) error {
 	return err
 }

+func ContainsInPorts(ports map[uint16]int8, port uint16) bool {
+	_, ok := ports[port]
+	if ok {
+		return true
+	} else {
+		return false
+	}
+}
+
+func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
+	g := &Group{Auth: authData}
+	authType := g.Auth["type"].(string)
+	if _, ok := authRegistry[authType]; !ok {
+		return errors.New("未知的认证方式: " + authType)
+	}
+	auth := makeInstance(authType).(IUserAuth)
+	err := auth.checkData(g.Auth)
+	if err != nil {
+		return err
+	}
+	ext := map[string]interface{}{}
+	err = auth.checkUser(name, pwd, g, ext)
+	return err
+}
+
 func parseIpNet(s string) (string, *net.IPNet, error) {
 	ip, ipNet, err := net.ParseCIDR(s)
 	if err != nil {
--- a/server/dbdata/group_test.go
+++ b/server/dbdata/group_test.go
@@ -46,13 +46,14 @@ func TestGetGroupNames(t *testing.T) {
 	authData = map[string]interface{}{
 		"type": "ldap",
 		"ldap": map[string]interface{}{
-			"addr":        "192.168.8.12:389",
-			"tls":         true,
-			"bind_name":   "userfind@abc.com",
-			"bind_pwd":    "afdbfdsafds",
-			"base_dn":     "dc=abc,dc=com",
-			"search_attr": "sAMAccountName",
-			"member_of":   "cn=vpn,cn=user,dc=abc,dc=com",
+			"addr":         "192.168.8.12:389",
+			"tls":          true,
+			"bind_name":    "userfind@abc.com",
+			"bind_pwd":     "afdbfdsafds",
+			"base_dn":      "dc=abc,dc=com",
+			"object_class": "person",
+			"search_attr":  "sAMAccountName",
+			"member_of":    "cn=vpn,cn=user,dc=abc,dc=com",
 		},
 	}
 	g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
--- a/server/dbdata/ip_map.go
+++ b/server/dbdata/ip_map.go
@@ -2,20 +2,22 @@ package dbdata

 import (
 	"errors"
+	"net"
 	"time"
 )

-// type IpMap struct {
-// 	Id        int       `json:"id" xorm:"pk autoincr not null"`
-// 	IpAddr    string    `json:"ip_addr" xorm:"not null unique"`
-// 	MacAddr   string    `json:"mac_addr" xorm:"not null unique"`
-// 	Username  string    `json:"username"`
-// 	Keep      bool      `json:"keep"` // 保留 ip-mac 绑定
-// 	KeepTime  time.Time `json:"keep_time"`
-// 	Note      string    `json:"note"` // 备注
-// 	LastLogin time.Time `json:"last_login"`
-// 	UpdatedAt time.Time `json:"updated_at"`
-// }
+type IpMap struct {
+	Id        int       `json:"id" xorm:"pk autoincr not null"`
+	IpAddr    string    `json:"ip_addr" xorm:"varchar(32) not null unique"`
+	MacAddr   string    `json:"mac_addr" xorm:"varchar(32) not null unique"`
+	UniqueMac bool      `json:"unique_mac" xorm:"Bool index"`
+	Username  string    `json:"username" xorm:"varchar(60)"`
+	Keep      bool      `json:"keep" xorm:"Bool"` // 保留 ip-mac 绑定
+	KeepTime  time.Time `json:"keep_time" xorm:"DateTime"`
+	Note      string    `json:"note" xorm:"varchar(255)"` // 备注
+	LastLogin time.Time `json:"last_login" xorm:"DateTime"`
+	UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`
+}

 func SetIpMap(v *IpMap) error {
 	var err error
@@ -24,6 +26,13 @@ func SetIpMap(v *IpMap) error {
 		return errors.New("IP或MAC错误")
 	}

+	macHw, err := net.ParseMAC(v.MacAddr)
+	if err != nil {
+		return errors.New("MAC错误")
+	}
+	// 统一macAddr的格式
+	v.MacAddr = macHw.String()
+
 	v.UpdatedAt = time.Now()
 	if v.Id > 0 {
 		err = Set(v)
--- a/server/dbdata/policy.go
+++ b/server/dbdata/policy.go
@@ -2,6 +2,7 @@ package dbdata

 import (
 	"errors"
+	"fmt"
 	"net"
 	"strings"
 	"time"
@@ -26,16 +27,21 @@ func SetPolicy(p *Policy) error {
 	routeInclude := []ValData{}
 	for _, v := range p.RouteInclude {
 		if v.Val != "" {
-			if v.Val == All {
+			if v.Val == ALL {
 				routeInclude = append(routeInclude, v)
 				continue
 			}

-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteInclude 错误" + err.Error())
 			}

+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+
 			v.IpMask = ipMask
 			routeInclude = append(routeInclude, v)
 		}
@@ -45,10 +51,15 @@ func SetPolicy(p *Policy) error {
 	routeExclude := []ValData{}
 	for _, v := range p.RouteExclude {
 		if v.Val != "" {
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteExclude 错误" + err.Error())
 			}
+
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
 			v.IpMask = ipMask
 			routeExclude = append(routeExclude, v)
 		}
--- a/server/dbdata/policy_test.go
+++ b/server/dbdata/policy_test.go
@@ -21,19 +21,19 @@ func TestGetPolicy(t *testing.T) {
 	err = SetPolicy(&p2)
 	ast.Nil(err)

-	route := []ValData{{Val: "192.168.1.1/24"}}
+	route := []ValData{{Val: "192.168.1.0/24"}}
 	p3 := Policy{Username: "a3", ClientDns: []ValData{{Val: "114.114.114.114"}}, RouteInclude: route, DsExcludeDomains: "com.cn,qq.com"}
 	err = SetPolicy(&p3)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(p3.RouteInclude[0].IpMask, "192.168.1.1/255.255.255.0")
+	ast.Equal(p3.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")

-	route2 := []ValData{{Val: "192.168.2.1/24"}}
+	route2 := []ValData{{Val: "192.168.2.0/24"}}
 	p4 := Policy{Username: "a4", ClientDns: []ValData{{Val: "114.114.114.114"}}, RouteExclude: route2, DsIncludeDomains: "com.cn,qq.com"}
 	err = SetPolicy(&p4)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(p4.RouteExclude[0].IpMask, "192.168.2.1/255.255.255.0")
+	ast.Equal(p4.RouteExclude[0].IpMask, "192.168.2.0/255.255.255.0")

 	// 判断所有数据
 	var userPolicy *Policy
--- a/server/dbdata/setting.go
+++ b/server/dbdata/setting.go
@@ -21,13 +21,15 @@ type SettingSmtp struct {
 }

 type SettingAuditLog struct {
-	LifeDay   int    `json:"life_day"`
-	ClearTime string `json:"clear_time"`
+	AuditInterval int    `json:"audit_interval"`
+	LifeDay       int    `json:"life_day"`
+	ClearTime     string `json:"clear_time"`
 }

 type SettingOther struct {
 	LinkAddr    string `json:"link_addr"`
 	Banner      string `json:"banner"`
+	Homecode    int    `json:"homecode"`
 	Homeindex   string `json:"homeindex"`
 	AccountMail string `json:"account_mail"`
 }
@@ -48,7 +50,6 @@ func SettingSessAdd(sess *xorm.Session, data interface{}) error {
 	v, _ := json.Marshal(data)
 	s := &Setting{Name: name, Data: v}
 	_, err := sess.InsertOne(s)
-
 	return err
 }

@@ -62,7 +63,7 @@ func SettingSet(data interface{}) error {

 func SettingGet(data interface{}) error {
 	name := StructName(data)
-	s := &Setting{Name: name}
+	s := &Setting{}
 	err := One("name", name, s)
 	if err != nil {
 		return err
--- a/server/dbdata/statsinfo.go
+++ b/server/dbdata/statsinfo.go
@@ -199,12 +199,6 @@ func (s *StatsInfo) getScopeDetail(scope string) (sd *ScopeDetail) {
 	}
 	sd.fsTime = sd.sTime.Format(LayoutTimeFormat)
 	sd.feTime = sd.eTime.Format(LayoutTimeFormat)
-	// UTC
-	switch base.Cfg.DbType {
-	case "sqlite3", "postgres":
-		sd.fsTime = sd.sTime.UTC().Format(LayoutTimeFormat)
-		sd.feTime = sd.eTime.UTC().Format(LayoutTimeFormat)
-	}
 	return
 }

--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -11,6 +11,7 @@ type Group struct {
 	Note             string                 `json:"note" xorm:"varchar(255)"`
 	AllowLan         bool                   `json:"allow_lan" xorm:"Bool"`
 	ClientDns        []ValData              `json:"client_dns" xorm:"Text"`
+	SplitDns         []ValData              `json:"split_dns" xorm:"Text"`
 	RouteInclude     []ValData              `json:"route_include" xorm:"Text"`
 	RouteExclude     []ValData              `json:"route_exclude" xorm:"Text"`
 	DsExcludeDomains string                 `json:"ds_exclude_domains" xorm:"Text"`
@@ -29,26 +30,31 @@ type User struct {
 	Nickname string `json:"nickname" xorm:"varchar(255)"`
 	Email    string `json:"email" xorm:"varchar(255)"`
 	// Password  string    `json:"password"`
-	PinCode    string    `json:"pin_code" xorm:"varchar(32)"`
-	OtpSecret  string    `json:"otp_secret" xorm:"varchar(255)"`
-	DisableOtp bool      `json:"disable_otp" xorm:"Bool"` // 禁用otp
-	Groups     []string  `json:"groups" xorm:"Text"`
-	Status     int8      `json:"status" xorm:"Int"` // 1正常
-	SendEmail  bool      `json:"send_email" xorm:"Bool"`
-	CreatedAt  time.Time `json:"created_at" xorm:"DateTime created"`
-	UpdatedAt  time.Time `json:"updated_at" xorm:"DateTime updated"`
+	PinCode    string     `json:"pin_code" xorm:"varchar(64)"`
+	LimitTime  *time.Time `json:"limittime,omitempty" xorm:"Datetime limittime"` // 值为null时，前端不显示
+	OtpSecret  string     `json:"otp_secret" xorm:"varchar(255)"`
+	DisableOtp bool       `json:"disable_otp" xorm:"Bool"` // 禁用otp
+	Groups     []string   `json:"groups" xorm:"Text"`
+	Status     int8       `json:"status" xorm:"Int"` // 1正常
+	SendEmail  bool       `json:"send_email" xorm:"Bool"`
+	CreatedAt  time.Time  `json:"created_at" xorm:"DateTime created"`
+	UpdatedAt  time.Time  `json:"updated_at" xorm:"DateTime updated"`
 }

-type IpMap struct {
-	Id        int       `json:"id" xorm:"pk autoincr not null"`
-	IpAddr    string    `json:"ip_addr" xorm:"varchar(32) not null unique"`
-	MacAddr   string    `json:"mac_addr" xorm:"varchar(32) not null unique"`
-	Username  string    `json:"username" xorm:"varchar(60)"`
-	Keep      bool      `json:"keep" xorm:"Bool"` // 保留 ip-mac 绑定
-	KeepTime  time.Time `json:"keep_time" xorm:"DateTime"`
-	Note      string    `json:"note" xorm:"varchar(255)"` // 备注
-	LastLogin time.Time `json:"last_login" xorm:"DateTime"`
-	UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`
+type UserActLog struct {
+	Id              int       `json:"id" xorm:"pk autoincr not null"`
+	Username        string    `json:"username" xorm:"varchar(60)"`
+	GroupName       string    `json:"group_name" xorm:"varchar(60)"`
+	IpAddr          string    `json:"ip_addr" xorm:"varchar(32)"`
+	RemoteAddr      string    `json:"remote_addr" xorm:"varchar(42)"`
+	Os              uint8     `json:"os" xorm:"not null default 0 Int"`
+	Client          uint8     `json:"client" xorm:"not null default 0 Int"`
+	Version         string    `json:"version" xorm:"varchar(15)"`
+	DeviceType      string    `json:"device_type" xorm:"varchar(128) not null default ''"`
+	PlatformVersion string    `json:"platform_version" xorm:"varchar(128) not null default ''"`
+	Status          uint8     `json:"status" xorm:"not null default 0 Int"`
+	Info            string    `json:"info" xorm:"varchar(255) not null default ''"` // 详情
+	CreatedAt       time.Time `json:"created_at" xorm:"DateTime created"`
 }

 type Setting struct {
@@ -61,12 +67,12 @@ type Setting struct {
 type AccessAudit struct {
 	Id          int       `json:"id" xorm:"pk autoincr not null"`
 	Username    string    `json:"username" xorm:"varchar(60) not null"`
-	Protocol    uint8     `json:"protocol" xorm:"not null"`
+	Protocol    uint8     `json:"protocol" xorm:"Int not null"`
 	Src         string    `json:"src" xorm:"varchar(60) not null"`
-	SrcPort     uint16    `json:"src_port" xorm:"not null"`
+	SrcPort     uint16    `json:"src_port" xorm:"Int not null"`
 	Dst         string    `json:"dst" xorm:"varchar(60) not null"`
-	DstPort     uint16    `json:"dst_port" xorm:"not null"`
-	AccessProto uint8     `json:"access_proto" xorm:"default 0"`                // 访问协议
+	DstPort     uint16    `json:"dst_port" xorm:"Int not null"`
+	AccessProto uint8     `json:"access_proto" xorm:"Int default 0"`            // 访问协议
 	Info        string    `json:"info" xorm:"varchar(255) not null default ''"` // 详情
 	CreatedAt   time.Time `json:"created_at" xorm:"DateTime"`
 }
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -6,6 +6,7 @@ import (
 	"sync"
 	"time"

+	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/xlzd/gotp"
 )
@@ -67,7 +68,9 @@ func SetUser(v *User) error {
 }

 // 验证用户登录信息
-func CheckUser(name, pwd, group string) error {
+func CheckUser(name, pwd, group string, ext map[string]interface{}) error {
+	base.Trace("CheckUser", name, pwd, group, ext)
+
 	// 获取登入的group数据
 	groupData := &Group{}
 	err := One("Name", group, groupData)
@@ -81,7 +84,7 @@ func CheckUser(name, pwd, group string) error {
 	authType := groupData.Auth["type"].(string)
 	// 本地认证方式
 	if authType == "local" {
-		return checkLocalUser(name, pwd, group)
+		return checkLocalUser(name, pwd, group, ext)
 	}
 	// 其它认证方式, 支持自定义
 	_, ok := authRegistry[authType]
@@ -89,11 +92,11 @@ func CheckUser(name, pwd, group string) error {
 		return fmt.Errorf("%s %s", "未知的认证方式: ", authType)
 	}
 	auth := makeInstance(authType).(IUserAuth)
-	return auth.checkUser(name, pwd, groupData)
+	return auth.checkUser(name, pwd, groupData, ext)
 }

 // 验证本地用户登录信息
-func checkLocalUser(name, pwd, group string) error {
+func checkLocalUser(name, pwd, group string, ext map[string]interface{}) error {
 	// TODO 严重问题
 	// return nil

@@ -104,30 +107,61 @@ func checkLocalUser(name, pwd, group string) error {
 	v := &User{}
 	err := One("Username", name, v)
 	if err != nil || v.Status != 1 {
-		return fmt.Errorf("%s %s", name, "用户名错误")
+		switch v.Status {
+		case 0:
+			return fmt.Errorf("%s %s", name, "用户不存在或用户已停用")
+		case 2:
+			return fmt.Errorf("%s %s", name, "用户已过期")
+		}
 	}
 	// 判断用户组信息
 	if !utils.InArrStr(v.Groups, group) {
 		return fmt.Errorf("%s %s", name, "用户组错误")
 	}
-	// 判断otp信息
+
 	pinCode := pwd
-	if !v.DisableOtp {
-		pinCode = pwd[:pl-6]
-		otp := pwd[pl-6:]
-		if !checkOtp(name, otp, v.OtpSecret) {
-			return fmt.Errorf("%s %s", name, "动态码错误")
+	if !base.Cfg.AuthAloneOtp {
+		// 判断otp信息
+		if !v.DisableOtp {
+			pinCode = pwd[:pl-6]
+			otp := pwd[pl-6:]
+			if !CheckOtp(name, otp, v.OtpSecret) {
+				return fmt.Errorf("%s %s", name, "动态码错误")
+			}
 		}
 	}

 	// 判断用户密码
-	if pinCode != v.PinCode {
+	// 兼容明文密码
+	if len(v.PinCode) != 60 {
+		if pinCode != v.PinCode {
+			return fmt.Errorf("%s %s", name, "密码错误")
+		}
+		return nil
+	}
+	// 密文密码
+	if !utils.PasswordVerify(pinCode, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}

 	return nil
 }

+// 用户过期时间到达后，更新用户状态，并返回一个状态为过期的用户切片
+func CheckUserlimittime() (limitUser []interface{}) {
+	if _, err := xdb.Where("limittime <= ?", time.Now()).And("status = ?", 1).Update(&User{Status: 2}); err != nil {
+		return
+	}
+	user := make(map[int64]User)
+	if err := xdb.Where("status != ?", 1).Find(user); err != nil {
+		return
+	}
+	for _, v := range user {
+		limitUser = append(limitUser, v.Username)
+	}
+	return
+}
+
 var (
 	userOtpMux = sync.Mutex{}
 	userOtp    = map[string]time.Time{}
@@ -151,7 +185,7 @@ func init() {
 }

 // 判断令牌信息
-func checkOtp(name, otp, secret string) bool {
+func CheckOtp(name, otp, secret string) bool {
 	key := fmt.Sprintf("%s:%s", name, otp)

 	userOtpMux.Lock()
@@ -166,7 +200,29 @@ func checkOtp(name, otp, secret string) bool {

 	totp := gotp.NewDefaultTOTP(secret)
 	unix := time.Now().Unix()
-	verify := totp.Verify(otp, int(unix))
+	verify := totp.Verify(otp, unix)

 	return verify
 }
+
+// 插入数据库前加密密码
+func (u *User) BeforeInsert() {
+	if base.Cfg.EncryptionPassword {
+		hashedPassword, err := utils.PasswordHash(u.PinCode)
+		if err != nil {
+			base.Error(err)
+		}
+		u.PinCode = hashedPassword
+	}
+}
+
+// 更新数据库前加密密码
+func (u *User) BeforeUpdate() {
+	if len(u.PinCode) != 60 && base.Cfg.EncryptionPassword {
+		hashedPassword, err := utils.PasswordHash(u.PinCode)
+		if err != nil {
+			base.Error(err)
+		}
+		u.PinCode = hashedPassword
+	}
+}
--- a/server/dbdata/user_act_log.go
+++ b/server/dbdata/user_act_log.go
@@ -0,0 +1,220 @@
+package dbdata
+
+import (
+	"net"
+	"net/url"
+	"regexp"
+	"strings"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/ivpusic/grpool"
+	"github.com/spf13/cast"
+	"xorm.io/xorm"
+)
+
+const (
+	UserAuthFail       = 0 // 认证失败
+	UserAuthSuccess    = 1 // 认证成功
+	UserConnected      = 2 // 连线成功
+	UserLogout         = 3 // 用户登出
+	UserLogoutLose     = 0 // 用户掉线
+	UserLogoutBanner   = 1 // 用户banner弹窗取消
+	UserLogoutClient   = 2 // 用户主动登出
+	UserLogoutTimeout  = 3 // 用户超时登出
+	UserLogoutAdmin    = 4 // 账号被管理员踢下线
+	UserLogoutExpire   = 5 // 账号过期被踢下线
+	UserIdleTimeout    = 6 // 用户空闲链接超时
+	UserLogoutOneAdmin = 7 // 账号被管理员一键下线
+
+)
+
+type UserActLogProcess struct {
+	Pool      *grpool.Pool
+	StatusOps []string
+	OsOps     []string
+	ClientOps []string
+	InfoOps   []string
+}
+
+var (
+	UserActLogIns = &UserActLogProcess{
+		Pool: grpool.NewPool(1, 100),
+		StatusOps: []string{ // 操作类型
+			UserAuthFail:    "认证失败",
+			UserAuthSuccess: "认证成功",
+			UserConnected:   "连接成功",
+			UserLogout:      "用户登出",
+		},
+		OsOps: []string{ // 操作系统
+			0: "Unknown",
+			1: "Windows",
+			2: "macOS",
+			3: "Linux",
+			4: "Android",
+			5: "iOS",
+		},
+		ClientOps: []string{ // 客户端
+			0: "Unknown",
+			1: "AnyConnect",
+			2: "OpenConnect",
+			3: "AnyLink",
+		},
+		InfoOps: []string{ // 信息
+			UserLogoutLose:     "用户掉线",
+			UserLogoutBanner:   "用户取消弹窗/客户端发起的logout",
+			UserLogoutClient:   "用户/客户端主动断开",
+			UserLogoutTimeout:  "Session过期被踢下线",
+			UserLogoutAdmin:    "账号被管理员踢下线",
+			UserLogoutExpire:   "账号过期被踢下线",
+			UserIdleTimeout:    "用户空闲链接超时",
+			UserLogoutOneAdmin: "账号被管理员一键下线",
+		},
+	}
+)
+
+// 异步写入用户操作日志
+func (ua *UserActLogProcess) Add(u UserActLog, userAgent string) {
+	// os, client, ver
+	os_idx, client_idx, ver := ua.ParseUserAgent(userAgent)
+	u.Os = os_idx
+	u.Client = client_idx
+	u.Version = ver
+	// u.RemoteAddr = strings.Split(u.RemoteAddr, ":")[0]
+	u.RemoteAddr, _, _ = net.SplitHostPort(u.RemoteAddr)
+	// remove extra characters
+	infoSlice := strings.Split(u.Info, " ")
+	infoLen := len(infoSlice)
+	if infoLen > 1 {
+		if u.Username == infoSlice[0] {
+			u.Info = strings.Join(infoSlice[1:], " ")
+		}
+		// delete - char
+		if infoLen > 2 && infoSlice[1] == "-" {
+			u.Info = u.Info[2:]
+		}
+	}
+	// limit the max length of char
+	u.Version = substr(u.Version, 0, 15)
+	u.DeviceType = substr(u.DeviceType, 0, 128)
+	u.PlatformVersion = substr(u.PlatformVersion, 0, 128)
+	u.Info = substr(u.Info, 0, 255)
+
+	UserActLogIns.Pool.JobQueue <- func() {
+		err := Add(u)
+		if err != nil {
+			base.Error("Add UserActLog error: ", err)
+		}
+	}
+}
+
+// 转义操作类型, 方便vue显示
+func (ua *UserActLogProcess) GetStatusOpsWithTag() interface{} {
+	type StatusTag struct {
+		Key   int    `json:"key"`
+		Value string `json:"value"`
+		Tag   string `json:"tag"`
+	}
+	var res []StatusTag
+	for k, v := range ua.StatusOps {
+		tag := "info"
+		switch k {
+		case UserAuthFail:
+			tag = "danger"
+		case UserAuthSuccess:
+			tag = "success"
+		case UserConnected:
+			tag = ""
+		}
+		res = append(res, StatusTag{k, v, tag})
+	}
+	return res
+}
+
+func (ua *UserActLogProcess) GetInfoOpsById(id uint8) string {
+	if int(id) >= len(ua.InfoOps) {
+		return "未知的信息类型"
+	}
+	return ua.InfoOps[id]
+}
+
+// 解析user agent
+func (ua *UserActLogProcess) ParseUserAgent(userAgent string) (os_idx, client_idx uint8, ver string) {
+	// Unknown
+	if len(userAgent) == 0 {
+		return 0, 0, ""
+	}
+	// OS
+	os_idx = 0
+	if strings.Contains(userAgent, "windows") {
+		os_idx = 1
+	} else if strings.Contains(userAgent, "mac os") || strings.Contains(userAgent, "darwin_i386") || strings.Contains(userAgent, "darwin_amd64") || strings.Contains(userAgent, "darwin_arm64") {
+		os_idx = 2
+	} else if strings.Contains(userAgent, "darwin_arm") || strings.Contains(userAgent, "apple") {
+		os_idx = 5
+	} else if strings.Contains(userAgent, "android") {
+		os_idx = 4
+	} else if strings.Contains(userAgent, "linux") {
+		os_idx = 3
+	}
+	// Client
+	client_idx = 0
+	if strings.Contains(userAgent, "anyconnect") {
+		client_idx = 1
+	} else if strings.Contains(userAgent, "openconnect") {
+		client_idx = 2
+	} else if strings.Contains(userAgent, "anylink") {
+		client_idx = 3
+	}
+	// Version
+	uaSlice := strings.Split(userAgent, " ")
+	ver = uaSlice[len(uaSlice)-1]
+	if ver[0] == 'v' {
+		ver = ver[1:]
+	}
+	if !regexp.MustCompile(`^(\d+\.?)+$`).MatchString(ver) {
+		ver = ""
+	}
+	return
+}
+
+// 清除用户操作日志
+func (ua *UserActLogProcess) ClearUserActLog(ts string) (int64, error) {
+	affected, err := xdb.Where("created_at < '" + ts + "'").Delete(&UserActLog{})
+	return affected, err
+}
+
+// 后台筛选用户操作日志
+func (ua *UserActLogProcess) GetSession(values url.Values) *xorm.Session {
+	session := xdb.Where("1=1")
+	if values.Get("username") != "" {
+		session.And("username = ?", values.Get("username"))
+	}
+	if values.Get("sdate") != "" {
+		session.And("created_at >= ?", values.Get("sdate")+" 00:00:00'")
+	}
+	if values.Get("edate") != "" {
+		session.And("created_at <= ?", values.Get("edate")+" 23:59:59'")
+	}
+	if values.Get("status") != "" {
+		session.And("status = ?", cast.ToUint8(values.Get("status"))-1)
+	}
+	if values.Get("os") != "" {
+		session.And("os = ?", cast.ToUint8(values.Get("os"))-1)
+	}
+	if values.Get("sort") == "1" {
+		session.OrderBy("id desc")
+	} else {
+		session.OrderBy("id asc")
+	}
+	return session
+}
+
+// 截取字符串
+func substr(s string, pos, length int) string {
+	runes := []rune(s)
+	l := pos + length
+	if l > len(runes) {
+		l = len(runes)
+	}
+	return string(runes[pos:l])
+}
--- a/server/dbdata/user_act_log_test.go
+++ b/server/dbdata/user_act_log_test.go
@@ -0,0 +1,82 @@
+package dbdata
+
+import "testing"
+
+func TestParseUserAgent(t *testing.T) {
+	type args struct {
+		userAgent string
+	}
+	type res struct {
+		os_idx     uint8
+		client_idx uint8
+		ver        string
+	}
+	tests := []struct {
+		name string
+		args args
+		want res
+	}{
+		{
+			name: "mac os 1",
+			args: args{userAgent: "cisco anyconnect vpn agent for mac os x 4.10.05085"},
+			want: res{os_idx: 2, client_idx: 1, ver: "4.10.05085"},
+		},
+		{
+			name: "mac os 2",
+			args: args{userAgent: "anyconnect darwin_i386 4.10.05085"},
+			want: res{os_idx: 2, client_idx: 1, ver: "4.10.05085"},
+		},
+		{
+			name: "windows",
+			args: args{userAgent: "cisco anyconnect vpn agent for windows 4.8.02042"},
+			want: res{os_idx: 1, client_idx: 1, ver: "4.8.02042"},
+		},
+		{
+			name: "iPad",
+			args: args{userAgent: "anyconnect applesslvpn_darwin_arm (ipad) 4.10.04060"},
+			want: res{os_idx: 5, client_idx: 1, ver: "4.10.04060"},
+		},
+		{
+			name: "iPhone",
+			args: args{userAgent: "cisco anyconnect vpn agent for apple iphone 4.10.04060"},
+			want: res{os_idx: 5, client_idx: 1, ver: "4.10.04060"},
+		},
+		{
+			name: "android",
+			args: args{userAgent: "anyconnect android 4.10.05096"},
+			want: res{os_idx: 4, client_idx: 1, ver: "4.10.05096"},
+		},
+		{
+			name: "linux",
+			args: args{userAgent: "cisco anyconnect vpn agent for linux v7.08"},
+			want: res{os_idx: 3, client_idx: 1, ver: "7.08"},
+		},
+		{
+			name: "openconnect",
+			args: args{userAgent: "openconnect-gui 1.5.3 v7.08"},
+			want: res{os_idx: 0, client_idx: 2, ver: "7.08"},
+		},
+		{
+			name: "unknown",
+			args: args{userAgent: "unknown 1.4.3 aabcd"},
+			want: res{os_idx: 0, client_idx: 0, ver: ""},
+		},
+		{
+			name: "unknown 2",
+			args: args{userAgent: ""},
+			want: res{os_idx: 0, client_idx: 0, ver: ""},
+		},
+		{
+			name: "anylink",
+			args: args{userAgent: "anylink vpn agent for linux v1.0"},
+			want: res{os_idx: 3, client_idx: 3, ver: "1.0"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if os_idx, client_idx, ver := UserActLogIns.ParseUserAgent(tt.args.userAgent); os_idx != tt.want.os_idx || client_idx != tt.want.client_idx || ver != tt.want.ver {
+				t.Errorf("ParseUserAgent() = %v, %v, %v, want %v, %v, %v", os_idx, client_idx, ver, tt.want.os_idx, tt.want.client_idx, tt.want.ver)
+			}
+		})
+	}
+}
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -3,11 +3,12 @@ package dbdata
 import (
 	"testing"

+	"github.com/bjdgyc/anylink/base"
 	"github.com/stretchr/testify/assert"
-	"github.com/xlzd/gotp"
 )

 func TestCheckUser(t *testing.T) {
+	base.Test()
 	ast := assert.New(t)

 	preIpData()
@@ -17,28 +18,32 @@ func TestCheckUser(t *testing.T) {

 	// 添加一个组
 	dns := []ValData{{Val: "114.114.114.114"}}
-	route := []ValData{{Val: "192.168.1.1/24"}}
+	route := []ValData{{Val: "192.168.1.0/24"}}
 	g := Group{Name: group, Status: 1, ClientDns: dns, RouteInclude: route}
 	err := SetGroup(&g)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.1/255.255.255.0")
+	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")

 	// 添加一个用户
-	u := User{Username: "aaa", Groups: []string{group}, Status: 1}
+	pincode := "a123456"
+	u := User{Username: "aaa", PinCode: pincode, Groups: []string{group}, Status: 1}
 	err = SetUser(&u)
 	ast.Nil(err)

 	// 验证 PinCode + OtpSecret
-	totp := gotp.NewDefaultTOTP(u.OtpSecret)
-	secret := totp.Now()
-	err = CheckUser("aaa", u.PinCode+secret, group)
-	ast.Nil(err)
+	// totp := gotp.NewDefaultTOTP(u.OtpSecret)
+	// secret := totp.Now()
+	// err = CheckUser("aaa", u.PinCode+secret, group)
+	// ast.Nil(err)

 	// 单独验证密码
 	u.DisableOtp = true
 	_ = SetUser(&u)
-	err = CheckUser("aaa", u.PinCode, group)
+	ext := map[string]any{
+		"mac_addr": "",
+	}
+	err = CheckUser("aaa", pincode, group, ext)
 	ast.Nil(err)

 	// 添加一个radius组
@@ -53,36 +58,37 @@ func TestCheckUser(t *testing.T) {
 	g2 := Group{Name: group2, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
 	err = SetGroup(&g2)
 	ast.Nil(err)
-	err = CheckUser("aaa", "bbbbbbb", group2)
+	err = CheckUser("aaa", "bbbbbbb", group2, ext)
 	if ast.NotNil(err) {
-		ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
+		ast.Contains(err.Error(), "aaa Radius服务器连接异常")
 	}
 	// 添加用户策略
 	dns2 := []ValData{{Val: "8.8.8.8"}}
-	route2 := []ValData{{Val: "192.168.2.1/24"}}
+	route2 := []ValData{{Val: "192.168.2.0/24"}}
 	p1 := Policy{Username: "aaa", Status: 1, ClientDns: dns2, RouteInclude: route2}
 	err = SetPolicy(&p1)
 	ast.Nil(err)
-	err = CheckUser("aaa", u.PinCode, group)
+	err = CheckUser("aaa", pincode, group, ext)
 	ast.Nil(err)
 	// 添加一个ldap组
 	group3 := "group3"
 	authData = map[string]interface{}{
 		"type": "ldap",
 		"ldap": map[string]interface{}{
-			"addr":        "192.168.8.12:389",
-			"tls":         true,
-			"bind_name":   "userfind@abc.com",
-			"bind_pwd":    "afdbfdsafds",
-			"base_dn":     "dc=abc,dc=com",
-			"search_attr": "sAMAccountName",
-			"member_of":   "cn=vpn,cn=user,dc=abc,dc=com",
+			"addr":         "192.168.8.12:389",
+			"tls":          true,
+			"bind_name":    "userfind@abc.com",
+			"bind_pwd":     "afdbfdsafds",
+			"base_dn":      "dc=abc,dc=com",
+			"object_class": "person",
+			"search_attr":  "sAMAccountName",
+			"member_of":    "cn=vpn,cn=user,dc=abc,dc=com",
 		},
 	}
 	g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
 	err = SetGroup(&g3)
 	ast.Nil(err)
-	err = CheckUser("aaa", "bbbbbbb", group3)
+	err = CheckUser("aaa", "bbbbbbb", group3, ext)
 	if ast.NotNil(err) {
 		ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
 	}
--- a/server/dbdata/userauth.go
+++ b/server/dbdata/userauth.go
@@ -9,7 +9,7 @@ var authRegistry = make(map[string]reflect.Type)

 type IUserAuth interface {
 	checkData(authData map[string]interface{}) error
-	checkUser(name, pwd string, g *Group) error
+	checkUser(name, pwd string, g *Group, ext map[string]interface{}) error
 }

 func makeInstance(name string) interface{} {
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -8,19 +8,21 @@ import (
 	"net"
 	"reflect"
 	"regexp"
+	"strconv"
 	"time"

 	"github.com/go-ldap/ldap"
 )

 type AuthLdap struct {
-	Addr       string `json:"addr"`
-	Tls        bool   `json:"tls"`
-	BindName   string `json:"bind_name"`
-	BindPwd    string `json:"bind_pwd"`
-	BaseDn     string `json:"base_dn"`
-	SearchAttr string `json:"search_attr"`
-	MemberOf   string `json:"member_of"`
+	Addr        string `json:"addr"`
+	Tls         bool   `json:"tls"`
+	BindName    string `json:"bind_name"`
+	BindPwd     string `json:"bind_pwd"`
+	BaseDn      string `json:"base_dn"`
+	ObjectClass string `json:"object_class"`
+	SearchAttr  string `json:"search_attr"`
+	MemberOf    string `json:"member_of"`
 }

 func init() {
@@ -39,7 +41,7 @@ func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 		return errors.New("LDAP的服务器地址(含端口)填写有误")
 	}
 	if auth.BindName == "" {
-		return errors.New("LDAP的管理员账号不能为空")
+		return errors.New("LDAP的管理员 DN不能为空")
 	}
 	if auth.BindPwd == "" {
 		return errors.New("LDAP的管理员密码不能为空")
@@ -47,6 +49,9 @@ func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 	if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
 		return errors.New("LDAP的Base DN填写有误")
 	}
+	if auth.ObjectClass == "" {
+		return errors.New("LDAP的用户对象类填写有误")
+	}
 	if auth.SearchAttr == "" {
 		return errors.New("LDAP的用户唯一ID不能为空")
 	}
@@ -56,7 +61,7 @@ func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 	return nil
 }

-func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+func (auth AuthLdap) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
 	pl := len(pwd)
 	if name == "" || pl < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
@@ -93,9 +98,12 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 	}
 	err = l.Bind(auth.BindName, auth.BindPwd)
 	if err != nil {
-		return fmt.Errorf("%s LDAP 管理员账号或密码填写有误 %s", name, err.Error())
+		return fmt.Errorf("%s LDAP 管理员 DN或密码填写有误 %s", name, err.Error())
 	}
-	filterAttr := "(objectClass=person)"
+	if auth.ObjectClass == "" {
+		auth.ObjectClass = "person"
+	}
+	filterAttr := "(objectClass=" + auth.ObjectClass + ")"
 	filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
 	if auth.MemberOf != "" {
 		filterAttr += "(memberOf:=" + auth.MemberOf + ")"
@@ -117,6 +125,10 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 		}
 		return fmt.Errorf("LDAP发现 %s 用户，存在多个账号", name)
 	}
+	err = parseEntries(sr)
+	if err != nil {
+		return fmt.Errorf("LDAP %s 用户 %s", name, err.Error())
+	}
 	userDN := sr.Entries[0].DN
 	err = l.Bind(userDN, pwd)
 	if err != nil {
@@ -125,6 +137,32 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 	return nil
 }

+func parseEntries(sr *ldap.SearchResult) error {
+	for _, attr := range sr.Entries[0].Attributes {
+		switch attr.Name {
+		case "shadowExpire":
+			// -1 启用, 1 停用, >1 从1970-01-01至到期日的天数
+			val, _ := strconv.ParseInt(attr.Values[0], 10, 64)
+			if val == -1 {
+				return nil
+			}
+			if val == 1 {
+				return fmt.Errorf("账号已停用")
+			}
+			if val > 1 {
+				expireTime := time.Unix(val*86400, 0)
+				t := time.Date(expireTime.Year(), expireTime.Month(), expireTime.Day(), 23, 59, 59, 0, time.Local)
+				if t.Before(time.Now()) {
+					return fmt.Errorf("账号已过期(过期日期: %s)", t.Format("2006-01-02"))
+				}
+				return nil
+			}
+			return fmt.Errorf("账号shadowExpire值异常: %d", val)
+		}
+	}
+	return nil
+}
+
 func ValidateDomainPort(addr string) bool {
 	re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
 	return re.MatchString(addr)
--- a/server/dbdata/userauth_radius.go
+++ b/server/dbdata/userauth_radius.go
@@ -5,9 +5,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"reflect"
 	"time"

+	"github.com/bjdgyc/anylink/base"
 	"layeh.com/radius"
 	"layeh.com/radius/rfc2865"
 )
@@ -15,6 +17,7 @@ import (
 type AuthRadius struct {
 	Addr   string `json:"addr"`
 	Secret string `json:"secret"`
+	Nasip  string `json:"nasip"`
 }

 func init() {
@@ -38,7 +41,7 @@ func (auth AuthRadius) checkData(authData map[string]interface{}) error {
 	return nil
 }

-func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
+func (auth AuthRadius) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
 	pl := len(pwd)
 	if name == "" || pl < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
@@ -57,13 +60,38 @@ func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
 	}
 	// radius认证时，设置超时3秒
 	packet := radius.New(radius.CodeAccessRequest, []byte(auth.Secret))
-	rfc2865.UserName_SetString(packet, name)
-	rfc2865.UserPassword_SetString(packet, pwd)
+	err = rfc2865.UserName_SetString(packet, name)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "Radius set name 出现错误")
+	}
+	err = rfc2865.UserPassword_SetString(packet, pwd)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "Radius set pwd 出现错误")
+	}
+	if auth.Nasip != "" {
+		nasip := net.ParseIP(auth.Nasip)
+		err = rfc2865.NASIPAddress_Set(packet, nasip)
+		if err != nil {
+			return fmt.Errorf("%s %s", name, "Radius set nasip 出现错误")
+		}
+	}
+	macAddr := ""
+	if ext["mac_addr"] != nil {
+		macAddr = ext["mac_addr"].(string)
+		base.Trace("AuthRadius", ext, macAddr)
+	}
+	if macAddr != "" {
+		err = rfc2865.CallingStationID_AddString(packet, macAddr)
+		if err != nil {
+			return fmt.Errorf("%s %s", name, "Radius set CallingStationID 出现错误")
+		}
+	}
+
 	ctx, done := context.WithTimeout(context.Background(), 3*time.Second)
 	defer done()
 	response, err := radius.Exchange(ctx, packet, auth.Addr)
 	if err != nil {
-		return fmt.Errorf("%s %s", name, "Radius服务器连接异常, 请检测服务器和端口")
+		return fmt.Errorf("%s %s %s", name, "Radius服务器连接异常, 请检测服务器和端口", err)
 	}
 	if response.Code != radius.CodeAccessAccept {
 		return fmt.Errorf("%s %s", name, "Radius：用户名或密码错误")
--- a/server/go.mod
+++ b/server/go.mod
@@ -1,75 +1,118 @@
 module github.com/bjdgyc/anylink

-go 1.18
+go 1.22.0
+
+toolchain go1.22.12

 require (
-	github.com/arl/statsviz v0.5.1
-	github.com/go-co-op/gocron v1.17.0
+	github.com/arl/statsviz v0.6.0
+	github.com/deckarep/golang-set v1.8.0
+	github.com/denisenkom/go-mssqldb v0.12.3
+	github.com/go-acme/lego/v4 v4.19.2
+	github.com/go-co-op/gocron v1.37.0
 	github.com/go-ldap/ldap v3.0.3+incompatible
-	github.com/go-sql-driver/mysql v1.6.0
-	github.com/gocarina/gocsv v0.0.0-20220712153207-8b2118da4570
-	github.com/golang-jwt/jwt/v4 v4.0.0
+	github.com/go-sql-driver/mysql v1.8.1
+	github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/google/gopacket v1.1.19
-	github.com/gorilla/handlers v1.5.1
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
 	github.com/ivpusic/grpool v1.0.0
-	github.com/lib/pq v1.10.2
-	github.com/mattn/go-sqlite3 v1.14.8
+	github.com/lanrenwo/lzsgo v0.0.2
+	github.com/lib/pq v1.10.9
+	github.com/lorenzosaino/go-sysctl v0.3.1
+	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/orcaman/concurrent-map v1.0.0
-	github.com/pion/dtls/v2 v2.1.5
+	github.com/pion/dtls/v2 v2.2.12
 	github.com/pion/logging v0.2.2
-	github.com/shirou/gopsutil v3.21.7+incompatible
+	github.com/pires/go-proxyproto v0.8.0
+	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-	github.com/spf13/cobra v1.2.1
-	github.com/spf13/viper v1.8.1
-	github.com/stretchr/testify v1.8.0
-	github.com/xhit/go-simple-mail/v2 v2.10.0
-	github.com/xlzd/gotp v0.0.0-20181030022105-c8557ba2c119
-	go.uber.org/atomic v1.10.0
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
-	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
-	golang.org/x/text v0.3.7
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
-	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
-	xorm.io/xorm v1.2.2
+	github.com/spf13/cast v1.7.0
+	github.com/spf13/cobra v1.8.1
+	github.com/spf13/viper v1.19.0
+	github.com/stretchr/testify v1.10.0
+	github.com/xhit/go-simple-mail/v2 v2.16.0
+	github.com/xlzd/gotp v0.1.0
+	github.com/xuri/excelize/v2 v2.9.0
+	golang.org/x/crypto v0.32.0
+	golang.org/x/net v0.33.0
+	golang.org/x/text v0.21.0
+	golang.org/x/time v0.7.0
+	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
+	xorm.io/xorm v1.3.9
 )

 require (
-	github.com/StackExchange/wmi v1.2.1 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/go-ole/go-ole v1.2.5 // indirect
-	github.com/goccy/go-json v0.7.4 // indirect
-	github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.11 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
-	github.com/pion/transport v0.13.0 // indirect
-	github.com/pion/udp v0.1.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/syndtr/goleveldb v1.0.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.7 // indirect
-	github.com/tklauser/numcpus v0.2.3 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
-	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	xorm.io/builder v0.3.9 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.48 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.109.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-test/deep v1.1.0 // indirect
+	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
+	github.com/golang-sql/sqlexp v0.1.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pion/transport/v2 v2.2.10 // indirect
+	github.com/pion/transport/v3 v3.0.7 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1036 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1036 // indirect
+	github.com/toorop/go-dkim v0.0.0-20240103092955-90b7d1423f92 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
+	golang.org/x/exp/typeparams v0.0.0-20220613132600-b0d781184e0d // indirect
+	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
+	honnef.co/go/tools v0.3.2 // indirect
+)
+
+require (
+	github.com/coreos/go-iptables v0.8.0
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/richardlehane/mscfb v1.0.4 // indirect
+	github.com/richardlehane/msoleps v1.0.4 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.14 // indirect
+	github.com/tklauser/numcpus v0.9.0 // indirect
+	github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d // indirect
+	github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	xorm.io/builder v0.3.13 // indirect
 )
--- a/server/go.sum
+++ b/server/go.sum
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -2,10 +2,13 @@ package handler

 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
 	"encoding/hex"
 	"errors"
 	"net"
+	"strings"
 	"time"

 	"github.com/bjdgyc/anylink/base"
@@ -20,26 +23,36 @@ func startDtls() {
 		return
 	}

-	certificate, err := selfsign.GenerateSelfSigned()
+	// rsa 兼容 open connect
+	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
+	certificate, err := selfsign.SelfSign(priv)
 	if err != nil {
 		panic(err)
 	}
+
 	logf := logging.NewDefaultLoggerFactory()
 	logf.Writer = base.GetBaseLw()
-	// logf.DefaultLogLevel = logging.LogLevelTrace
 	logf.DefaultLogLevel = logging.LogLevelInfo
+	if base.GetLogLevel() == base.LogLevelTrace {
+		// logf.DefaultLogLevel = logging.LogLevelTrace
+	}

 	// https://github.com/pion/dtls/pull/369
 	sessStore := &sessionStore{}

 	config := &dtls.Config{
 		Certificates:         []tls.Certificate{certificate},
-		InsecureSkipVerify:   true,
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
-		CipherSuites:         []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
-		LoggerFactory:        logf,
-		MTU:                  BufferSize,
-		SessionStore:         sessStore,
+		CipherSuites: func() []dtls.CipherSuiteID {
+			var cs = []dtls.CipherSuiteID{}
+			for _, vv := range dtlsCipherSuites {
+				cs = append(cs, vv)
+			}
+			return cs
+		}(),
+		LoggerFactory: logf,
+		MTU:           BufferSize,
+		SessionStore:  sessStore,
 		ConnectContextMaker: func() (context.Context, func()) {
 			return context.WithTimeout(context.Background(), 5*time.Second)
 		},
@@ -66,9 +79,13 @@ func startDtls() {
 		go func() {
 			// time.Sleep(1 * time.Second)
 			cc := conn.(*dtls.Conn)
-			sessid := hex.EncodeToString(cc.ConnectionState().SessionID)
-			sess := sessdata.Dtls2Sess(sessid)
-			LinkDtls(conn, sess.CSess)
+			did := hex.EncodeToString(cc.ConnectionState().SessionID)
+			cSess := sessdata.Dtls2CSess(did)
+			if cSess == nil {
+				conn.Close()
+				return
+			}
+			LinkDtls(conn, cSess)
 		}()
 	}
 }
@@ -94,3 +111,23 @@ func (ms *sessionStore) Get(key []byte) (dtls.Session, error) {
 func (ms *sessionStore) Del(key []byte) error {
 	return nil
 }
+
+// 客户端和服务端映射 X-DTLS12-CipherSuite
+var dtlsCipherSuites = map[string]dtls.CipherSuiteID{
+	// "ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	// "ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+}
+
+func checkDtls12Ciphersuite(ciphersuite string) string {
+	csArr := strings.Split(ciphersuite, ":")
+
+	for _, v := range csArr {
+		if _, ok := dtlsCipherSuites[v]; ok {
+			return v
+		}
+	}
+	// 返回默认值
+	return "ECDHE-RSA-AES128-GCM-SHA256"
+}
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -1,12 +1,12 @@
 package handler

 import (
-	"crypto/md5"
+	"bytes"
 	"encoding/xml"
 	"fmt"
 	"io"
-	"net"
 	"net/http"
+	"net/http/httputil"
 	"strings"
 	"text/template"

@@ -15,14 +15,22 @@ import (
 	"github.com/bjdgyc/anylink/sessdata"
 )

-var profileHash = ""
+var (
+	profileHash = ""
+	certHash    = ""
+)

 func LinkAuth(w http.ResponseWriter, r *http.Request) {
+	// TODO 调试信息输出
+	if base.GetLogLevel() == base.LogLevelTrace {
+		hd, _ := httputil.DumpRequest(r, true)
+		base.Trace("LinkAuth: ", string(hd))
+	}
 	// 判断anyconnect客户端
 	userAgent := strings.ToLower(r.UserAgent())
 	xAggregateAuth := r.Header.Get("X-Aggregate-Auth")
 	xTranscendVersion := r.Header.Get("X-Transcend-Version")
-	if !((strings.Contains(userAgent, "anyconnect") || strings.Contains(userAgent, "openconnect")) &&
+	if !((strings.Contains(userAgent, "anyconnect") || strings.Contains(userAgent, "openconnect") || strings.Contains(userAgent, "anylink")) &&
 		xAggregateAuth == "1" && xTranscendVersion == "1") {
 		w.WriteHeader(http.StatusForbidden)
 		fmt.Fprintf(w, "error request")
@@ -36,15 +44,18 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	}
 	defer r.Body.Close()

-	cr := ClientRequest{}
+	cr := &ClientRequest{
+		RemoteAddr: r.RemoteAddr,
+		UserAgent:  userAgent,
+	}
 	err = xml.Unmarshal(body, &cr)
 	if err != nil {
+		base.Error(err)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
-	// fmt.Printf("%+v \n", cr)
-
-	setCommonHeader(w)
+	base.Trace(fmt.Sprintf("%+v \n", cr))
+	// setCommonHeader(w)
 	if cr.Type == "logout" {
 		// 退出删除session信息
 		if cr.SessionToken != "" {
@@ -56,7 +67,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {

 	if cr.Type == "init" {
 		w.WriteHeader(http.StatusOK)
-		data := RequestData{Group: cr.GroupSelect, Groups: dbdata.GetGroupNames()}
+		data := RequestData{Group: cr.GroupSelect, Groups: dbdata.GetGroupNamesNormal()}
 		tplRequest(tpl_request, w, data)
 		return
 	}
@@ -67,69 +78,102 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// 锁定状态判断
+	if !lockManager.CheckLocked(cr.Auth.Username, r.RemoteAddr) {
+		w.WriteHeader(http.StatusTooManyRequests)
+		return
+	}
+
+	// 用户活动日志
+	ua := &dbdata.UserActLog{
+		Username:        cr.Auth.Username,
+		GroupName:       cr.GroupSelect,
+		RemoteAddr:      r.RemoteAddr,
+		Status:          dbdata.UserAuthSuccess,
+		DeviceType:      cr.DeviceId.DeviceType,
+		PlatformVersion: cr.DeviceId.PlatformVersion,
+	}
+
+	sessionData := &AuthSession{
+		ClientRequest: cr,
+		UserActLog:    ua,
+	}
 	// TODO 用户密码校验
-	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
+	ext := map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress}
+	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect, ext)
 	if err != nil {
-		base.Warn(err)
+		lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, false) // 记录登录失败状态
+
+		base.Warn(err, r.RemoteAddr)
+		ua.Info = err.Error()
+		ua.Status = dbdata.UserAuthFail
+		dbdata.UserActLogIns.Add(*ua, userAgent)
+
 		w.WriteHeader(http.StatusOK)
-		data := RequestData{Group: cr.GroupSelect, Groups: dbdata.GetGroupNames(), Error: "用户名或密码错误"}
+		data := RequestData{Group: cr.GroupSelect, Groups: dbdata.GetGroupNamesNormal(), Error: "用户名或密码错误"}
+		if base.Cfg.DisplayError {
+			data.Error = err.Error()
+		}
 		tplRequest(tpl_request, w, data)
 		return
 	}
-	// if !ok {
-	//	w.WriteHeader(http.StatusOK)
-	//	data := RequestData{Group: cr.GroupSelect, Groups: base.Cfg.UserGroups, Error: "请先激活用户"}
-	//	tplRequest(tpl_request, w, data)
-	//	return
-	// }
+	dbdata.UserActLogIns.Add(*ua, userAgent)

-	// 创建新的session信息
-	sess := sessdata.NewSession("")
-	sess.Username = cr.Auth.Username
-	sess.Group = cr.GroupSelect
-	sess.MacAddr = strings.ToLower(cr.MacAddressList.MacAddress)
-	sess.UniqueIdGlobal = cr.DeviceId.UniqueIdGlobal
-	// 获取客户端mac地址
-	macHw, err := net.ParseMAC(sess.MacAddr)
+	v := &dbdata.User{}
+	err = dbdata.One("Username", cr.Auth.Username, v)
 	if err != nil {
-		var sum [16]byte
-		if sess.UniqueIdGlobal != "" {
-			sum = md5.Sum([]byte(sess.UniqueIdGlobal))
-		} else {
-			sum = md5.Sum([]byte(sess.Token))
-		}
-		macHw = sum[0:5] // 5个byte
-		macHw = append([]byte{0x02}, macHw...)
-		sess.MacAddr = macHw.String()
+		base.Info("正在使用第三方认证方式登录")
+		CreateSession(w, r, sessionData)
+		return
 	}
-	sess.MacHw = macHw
-	other := &dbdata.SettingOther{}
-	_ = dbdata.SettingGet(other)
-	rd := RequestData{SessionId: sess.Sid, SessionToken: sess.Sid + "@" + sess.Token,
-		Banner: other.Banner, ProfileHash: profileHash}
-	w.WriteHeader(http.StatusOK)
-	tplRequest(tpl_complete, w, rd)
-	base.Debug("login", cr.Auth.Username)
+	// 用户otp验证
+	if base.Cfg.AuthAloneOtp && !v.DisableOtp {
+		lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 重置OTP验证计数
+
+		sessionID, err := GenerateSessionID()
+		if err != nil {
+			base.Error("Failed to generate session ID: ", err)
+			http.Error(w, "Failed to generate session ID", http.StatusInternalServerError)
+			return
+		}
+
+		sessionData.ClientRequest.Auth.OtpSecret = v.OtpSecret
+		SessStore.SaveAuthSession(sessionID, sessionData)
+
+		SetCookie(w, "auth-session-id", sessionID, 0)
+
+		data := RequestData{}
+		w.WriteHeader(http.StatusOK)
+		tplRequest(tpl_otp, w, data)
+		return
+	}
+
+	CreateSession(w, r, sessionData)
 }

 const (
 	tpl_request = iota
 	tpl_complete
+	tpl_otp
 )

 func tplRequest(typ int, w io.Writer, data RequestData) {
-	if typ == tpl_request {
+	switch typ {
+	case tpl_request:
 		t, _ := template.New("auth_request").Parse(auth_request)
 		_ = t.Execute(w, data)
-		return
+	case tpl_complete:
+		if data.Banner != "" {
+			buf := new(bytes.Buffer)
+			_ = xml.EscapeText(buf, []byte(data.Banner))
+			data.Banner = buf.String()
+		}
+		t, _ := template.New("auth_complete").Parse(auth_complete)
+		_ = t.Execute(w, data)
+	case tpl_otp:
+		t, _ := template.New("auth_otp").Parse(auth_otp)
+		_ = t.Execute(w, data)
 	}
-
-	if strings.Contains(data.Banner, "\n") {
-		// 替换xml文件的换行符
-		data.Banner = strings.ReplaceAll(data.Banner, "\n", "&#x0A;")
-	}
-	t, _ := template.New("auth_complete").Parse(auth_complete)
-	_ = t.Execute(w, data)
 }

 // 设置输出信息
@@ -142,7 +186,9 @@ type RequestData struct {
 	SessionId    string
 	SessionToken string
 	Banner       string
+	ProfileName  string
 	ProfileHash  string
+	CertHash     string
 }

 var auth_request = `<?xml version="1.0" encoding="UTF-8"?>
@@ -188,13 +234,13 @@ var auth_complete = `<?xml version="1.0" encoding="UTF-8"?>
    </capabilities>
    <config client="vpn" type="private">
        <vpn-base-config>
-            <server-cert-hash>240B97A685B2BFA66AD699B90AAC49EA66495D69</server-cert-hash>
+            <server-cert-hash>{{.CertHash}}</server-cert-hash>
        </vpn-base-config>
        <opaque is-for="vpn-client"></opaque>
        <vpn-profile-manifest>
            <vpn rev="1.0">
                <file type="profile" service-type="user">
-                    <uri>/profile.xml</uri>
+                    <uri>/profile_{{.ProfileName}}.xml</uri>
                    <hash type="sha1">{{.ProfileHash}}</hash>
                </file>
            </vpn>
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -0,0 +1,242 @@
+package handler
+
+import (
+	"crypto/md5"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"sync"
+
+	"github.com/bjdgyc/anylink/admin"
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
+	"github.com/bjdgyc/anylink/sessdata"
+)
+
+var SessStore = NewSessionStore()
+var lockManager = admin.GetLockManager()
+
+// const maxOtpErrCount = 3
+
+type AuthSession struct {
+	ClientRequest *ClientRequest
+	UserActLog    *dbdata.UserActLog
+	// OtpErrCount   atomic.Uint32 // otp错误次数
+}
+
+// 存储临时会话信息
+type SessionStore struct {
+	session map[string]*AuthSession
+	mu      sync.Mutex
+}
+
+func NewSessionStore() *SessionStore {
+	return &SessionStore{
+		session: make(map[string]*AuthSession),
+	}
+}
+
+func (s *SessionStore) SaveAuthSession(sessionID string, session *AuthSession) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.session[sessionID] = session
+}
+
+func (s *SessionStore) GetAuthSession(sessionID string) (*AuthSession, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	session, exists := s.session[sessionID]
+	if !exists {
+		return nil, fmt.Errorf("auth session not found")
+	}
+
+	return session, nil
+}
+
+func (s *SessionStore) DeleteAuthSession(sessionID string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.session, sessionID)
+}
+
+// func (a *AuthSession) AddOtpErrCount(i int) int {
+// 	newI := a.OtpErrCount.Add(uint32(i))
+// 	return int(newI)
+// }
+
+func GenerateSessionID() (string, error) {
+	sessionID := utils.RandomRunes(32)
+	if sessionID == "" {
+		return "", fmt.Errorf("failed to generate session ID")
+	}
+
+	return sessionID, nil
+}
+
+func SetCookie(w http.ResponseWriter, name, value string, maxAge int) {
+	cookie := &http.Cookie{
+		Name:     name,
+		Value:    value,
+		MaxAge:   maxAge,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	}
+	http.SetCookie(w, cookie)
+}
+
+func GetCookie(r *http.Request, name string) (string, error) {
+	cookie, err := r.Cookie(name)
+	if err != nil {
+		return "", fmt.Errorf("failed to get cookie: %v", err)
+	}
+	return cookie.Value, nil
+}
+
+func DeleteCookie(w http.ResponseWriter, name string) {
+	cookie := &http.Cookie{
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	}
+	http.SetCookie(w, cookie)
+}
+func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
+	cr := authSession.ClientRequest
+	ua := authSession.UserActLog
+
+	lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 更新登录成功状态
+
+	sess := sessdata.NewSession("")
+	sess.Username = cr.Auth.Username
+	sess.Group = cr.GroupSelect
+	oriMac := cr.MacAddressList.MacAddress
+	sess.UniqueIdGlobal = cr.DeviceId.UniqueIdGlobal
+	sess.UserAgent = cr.UserAgent
+	sess.DeviceType = ua.DeviceType
+	sess.PlatformVersion = ua.PlatformVersion
+	sess.RemoteAddr = cr.RemoteAddr
+	// 获取客户端mac地址
+	sess.UniqueMac = true
+	macHw, err := net.ParseMAC(oriMac)
+	if err != nil {
+		var sum [16]byte
+		if sess.UniqueIdGlobal != "" {
+			sum = md5.Sum([]byte(sess.UniqueIdGlobal))
+		} else {
+			sum = md5.Sum([]byte(sess.Token))
+			sess.UniqueMac = false
+		}
+		macHw = sum[0:5] // 5个byte
+		macHw = append([]byte{0x02}, macHw...)
+		sess.MacAddr = macHw.String()
+	}
+	sess.MacHw = macHw
+	// 统一macAddr的格式
+	sess.MacAddr = macHw.String()
+
+	other := &dbdata.SettingOther{}
+	dbdata.SettingGet(other)
+	rd := RequestData{
+		SessionId:    sess.Sid,
+		SessionToken: sess.Sid + "@" + sess.Token,
+		Banner:       other.Banner,
+		ProfileName:  base.Cfg.ProfileName,
+		ProfileHash:  profileHash,
+		CertHash:     certHash,
+	}
+
+	w.WriteHeader(http.StatusOK)
+	tplRequest(tpl_complete, w, rd)
+	base.Info("login", cr.Auth.Username, cr.UserAgent)
+}
+
+func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
+	sessionID, err := GetCookie(r, "auth-session-id")
+	if err != nil {
+		http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
+		return
+	}
+
+	sessionData, err := SessStore.GetAuthSession(sessionID)
+	if err != nil {
+		http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
+		return
+	}
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		base.Error(err)
+		SessStore.DeleteAuthSession(sessionID)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	cr := ClientRequest{}
+	err = xml.Unmarshal(body, &cr)
+	if err != nil {
+		base.Error(err)
+		SessStore.DeleteAuthSession(sessionID)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	ua := sessionData.UserActLog
+	username := sessionData.ClientRequest.Auth.Username
+	otpSecret := sessionData.ClientRequest.Auth.OtpSecret
+	otp := cr.Auth.SecondaryPassword
+
+	// 锁定状态判断
+	if !lockManager.CheckLocked(username, r.RemoteAddr) {
+		w.WriteHeader(http.StatusTooManyRequests)
+		SessStore.DeleteAuthSession(sessionID)
+		return
+	}
+
+	// 动态码错误
+	if !dbdata.CheckOtp(username, otp, otpSecret) {
+		lockManager.UpdateLoginStatus(username, r.RemoteAddr, false) // 记录登录失败状态
+
+		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
+		ua.Info = "OTP 动态码错误"
+		ua.Status = dbdata.UserAuthFail
+		dbdata.UserActLogIns.Add(*ua, sessionData.ClientRequest.UserAgent)
+
+		w.WriteHeader(http.StatusOK)
+		data := RequestData{Error: "请求错误"}
+		if base.Cfg.DisplayError {
+			data.Error = "OTP 动态码错误"
+		}
+		tplRequest(tpl_otp, w, data)
+		return
+	}
+	CreateSession(w, r, sessionData)
+
+	// 删除临时会话信息
+	SessStore.DeleteAuthSession(sessionID)
+	// DeleteCookie(w, "auth-session-id")
+}
+
+var auth_otp = `<?xml version="1.0" encoding="UTF-8"?>
+<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
+    <auth id="otp-verification">
+        <title>OTP 动态码验证</title>
+        <message>请输入您的 OTP 动态码</message>
+        {{if .Error}}
+        <error id="otp-verification" param1="{{.Error}}" param2="">验证失败:  %s</error>
+        {{end}}		
+        <form method="post" action="/otp-verification">
+            <input type="password" name="secondary_password" label="OTPCode:"/>
+        </form>
+    </auth>
+</config-auth>`
--- a/server/handler/link_base.go
+++ b/server/handler/link_base.go
@@ -2,9 +2,9 @@ package handler

 import (
 	"encoding/xml"
-	"log"
-	"net/http"
 	"os/exec"
+
+	"github.com/bjdgyc/anylink/base"
 )

 const BufferSize = 2048
@@ -17,6 +17,8 @@ type ClientRequest struct {
 	Version              string         `xml:"version"`                     // 客户端版本号
 	GroupAccess          string         `xml:"group-access"`                // 请求的地址
 	GroupSelect          string         `xml:"group-select"`                // 选择的组名
+	RemoteAddr           string         `xml:"remote_addr"`
+	UserAgent            string         `xml:"user_agent"`
 	SessionId            string         `xml:"session-id"`
 	SessionToken         string         `xml:"session-token"`
 	Auth                 auth           `xml:"auth"`
@@ -27,6 +29,7 @@ type ClientRequest struct {
 type auth struct {
 	Username          string `xml:"username"`
 	Password          string `xml:"password"`
+	OtpSecret         string `xml:"otp_secret"`
 	SecondaryPassword string `xml:"secondary_password"`
 }

@@ -42,33 +45,12 @@ type macAddressList struct {
 	MacAddress string `xml:"mac-address"`
 }

-func setCommonHeader(w http.ResponseWriter) {
-	// Content-Length Date 默认已经存在
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	w.Header().Set("Cache-Control", "no-store,no-cache")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Transfer-Encoding", "chunked")
-	w.Header().Set("Connection", "keep-alive")
-	w.Header().Set("X-Frame-Options", "deny")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("Content-Security-Policy", "default-src 'none'")
-	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
-	w.Header().Set("Referrer-Policy", "no-referrer")
-	w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
-	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
-	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
-	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
-	w.Header().Set("X-XSS-Protection", "0")
-	w.Header().Set("X-Aggregate-Auth", "1")
-	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
-}
-
 func execCmd(cmdStrs []string) error {
 	for _, cmdStr := range cmdStrs {
 		cmd := exec.Command("sh", "-c", cmdStr)
 		b, err := cmd.CombinedOutput()
 		if err != nil {
-			log.Println(string(b))
+			base.Error(cmdStr, string(b))
 			return err
 		}
 	}
--- a/server/handler/link_cstp.go
+++ b/server/handler/link_cstp.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 )
@@ -14,16 +15,19 @@ import (
 func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSession) {
 	base.Debug("LinkCstp connect ip:", cSess.IpAddr, "user:", cSess.Username, "rip:", conn.RemoteAddr())
 	defer func() {
-		base.Debug("LinkCstp return", cSess.IpAddr)
+		base.Debug("LinkCstp return", cSess.Username, cSess.IpAddr)
 		_ = conn.Close()
 		cSess.Close()
 	}()

 	var (
-		err     error
-		n       int
-		dataLen uint16
-		dead    = time.Duration(cSess.CstpDpd+5) * time.Second
+		err       error
+		n         int
+		dataLen   uint16
+		dead      = time.Second * time.Duration(cSess.CstpDpd+5)
+		idle      = int64(base.Cfg.IdleTimeout)
+		checkIdle = base.Cfg.IdleTimeout > 0
+		lastTime  int64
 	)

 	go cstpWrite(conn, bufRW, cSess)
@@ -33,14 +37,14 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 		// 设置超时限制
 		err = conn.SetReadDeadline(utils.NowSec().Add(dead))
 		if err != nil {
-			base.Error("SetDeadline: ", err)
+			base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 		// hdata := make([]byte, BufferSize)
 		pl := getPayload()
 		n, err = bufRW.Read(pl.Data)
 		if err != nil {
-			base.Error("read hdata: ", err)
+			base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}

@@ -53,24 +57,51 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 		switch pl.Data[6] {
 		case 0x07: // KEEPALIVE
 			// do nothing
-			// base.Debug("recv keepalive", cSess.IpAddr)
+			base.Trace("recv LinkCstp Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
+			// 判断超时时间
+			if checkIdle {
+				lastTime = cSess.LastDataTime.Load()
+				if lastTime < (utils.NowSec().Unix() - idle) {
+					base.Warn("IdleTimeout", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), "lastTime", lastTime)
+					sessdata.CloseSess(cSess.Sess.Token, dbdata.UserIdleTimeout)
+					return
+				}
+			}
 		case 0x05: // DISCONNECT
-			base.Debug("DISCONNECT", cSess.IpAddr)
+			cSess.UserLogoutCode = dbdata.UserLogoutClient
+			base.Info("DISCONNECT", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, string(pl.Data[9:n]))
+			sessdata.CloseSess(cSess.Sess.Token, dbdata.UserLogoutClient)
 			return
 		case 0x03: // DPD-REQ
-			// base.Debug("recv DPD-REQ", cSess.IpAddr)
+			base.Trace("recv LinkCstp DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, pl.Data[:n])
 			pl.PType = 0x04
+			// pl.Data = pl.Data[:n]
 			if payloadOutCstp(cSess, pl) {
 				return
 			}
 		case 0x04:
-			// log.Println("recv DPD-RESP")
+			base.Trace("recv LinkCstp DPD-RESP", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
+		case 0x08: // decompress
+			if cSess.CstpPickCmp == nil {
+				continue
+			}
+			dst := getByteFull()
+			nn, err := cSess.CstpPickCmp.Uncompress(pl.Data[8:], *dst)
+			if err != nil {
+				putByte(dst)
+				base.Error("cstp decompress error", err, nn)
+				continue
+			}
+			binary.BigEndian.PutUint16(pl.Data[4:6], uint16(nn))
+			pl.Data = append(pl.Data[:8], (*dst)[:nn]...)
+			putByte(dst)
+			fallthrough
 		case 0x00: // DATA
 			// 获取数据长度
 			dataLen = binary.BigEndian.Uint16(pl.Data[4:6]) // 4,5
 			// 修复 cstp 数据长度溢出报错
 			if 8+dataLen > BufferSize {
-				base.Error("recv error dataLen", dataLen)
+				base.Error("recv error dataLen", cSess.Username, dataLen)
 				continue
 			}
 			// 去除数据头
@@ -81,13 +112,15 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 			if payloadIn(cSess, pl) {
 				return
 			}
+			// 只记录返回正确的数据时间
+			cSess.LastDataTime.Store(utils.NowSec().Unix())
 		}
 	}
 }

 func cstpWrite(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSession) {
 	defer func() {
-		base.Debug("cstpWrite return", cSess.IpAddr)
+		base.Debug("cstpWrite return", cSess.Username, cSess.IpAddr)
 		_ = conn.Close()
 		cSess.Close()
 	}()
@@ -110,16 +143,31 @@ func cstpWrite(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessi
 		}

 		if pl.PType == 0x00 {
-			// 获取数据长度
-			l := len(pl.Data)
-			// 先扩容 +8
-			pl.Data = pl.Data[:l+8]
-			// 数据后移
-			copy(pl.Data[8:], pl.Data)
-			// 添加头信息
-			copy(pl.Data[:8], plHeader)
-			// 更新头长度
-			binary.BigEndian.PutUint16(pl.Data[4:6], uint16(l))
+			isCompress := false
+			if cSess.CstpPickCmp != nil && len(pl.Data) > base.Cfg.NoCompressLimit {
+				dst := getByteFull()
+				size, err := cSess.CstpPickCmp.Compress(pl.Data, (*dst)[8:])
+				if err == nil && size < len(pl.Data) {
+					copy((*dst)[:8], plHeader)
+					binary.BigEndian.PutUint16((*dst)[4:6], uint16(size))
+					(*dst)[6] = 0x08
+					pl.Data = append(pl.Data[:0], (*dst)[:size+8]...)
+					isCompress = true
+				}
+				putByte(dst)
+			}
+			if !isCompress {
+				// 获取数据长度
+				l := len(pl.Data)
+				// 先扩容 +8
+				pl.Data = pl.Data[:l+8]
+				// 数据后移
+				copy(pl.Data[8:], pl.Data)
+				// 添加头信息
+				copy(pl.Data[:8], plHeader)
+				// 更新头长度
+				binary.BigEndian.PutUint16(pl.Data[4:6], uint16(l))
+			}
 		} else {
 			pl.Data = append(pl.Data[:0], plHeader...)
 			// 设置头类型
@@ -128,7 +176,7 @@ func cstpWrite(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessi

 		n, err = conn.Write(pl.Data)
 		if err != nil {
-			base.Error("write err", err)
+			base.Warn("write err", cSess.Username, cSess.IpAddr, err)
 			return
 		}

--- a/server/handler/link_dtls.go
+++ b/server/handler/link_dtls.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 )
@@ -19,7 +20,7 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 	}

 	defer func() {
-		base.Debug("LinkDtls return", cSess.IpAddr)
+		base.Debug("LinkDtls return", cSess.Username, cSess.IpAddr)
 		_ = conn.Close()
 		dSess.Close()
 	}()
@@ -35,14 +36,14 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 	for {
 		err = conn.SetReadDeadline(utils.NowSec().Add(dead))
 		if err != nil {
-			base.Error("SetDeadline: ", err)
+			base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}

 		pl := getPayload()
 		n, err = conn.Read(pl.Data)
 		if err != nil {
-			base.Error("read hdata: ", err)
+			base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}

@@ -55,18 +56,36 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 		switch pl.Data[0] {
 		case 0x07: // KEEPALIVE
 			// do nothing
-			// base.Debug("recv keepalive", cSess.IpAddr)
+			base.Trace("recv LinkDtls Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 		case 0x05: // DISCONNECT
-			base.Debug("DISCONNECT DTLS", cSess.IpAddr)
+			cSess.UserLogoutCode = dbdata.UserLogoutClient
+			base.Info("DISCONNECT DTLS", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 			return
 		case 0x03: // DPD-REQ
-			// base.Debug("recv DPD-REQ", cSess.IpAddr)
+			base.Trace("recv LinkDtls DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n)
 			pl.PType = 0x04
+			// 从零开始 可以直接赋值
+			pl.Data = pl.Data[:n]
 			if payloadOutDtls(cSess, dSess, pl) {
 				return
 			}
 		case 0x04:
-			// base.Debug("recv DPD-RESP", cSess.IpAddr)
+			base.Trace("recv LinkDtls DPD-RESP", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
+		case 0x08: // decompress
+			if cSess.DtlsPickCmp == nil {
+				continue
+			}
+			dst := getByteFull()
+			nn, err := cSess.DtlsPickCmp.Uncompress(pl.Data[1:], *dst)
+			if err != nil {
+				putByte(dst)
+				base.Error("dtls decompress error", err, n)
+				continue
+			}
+			pl.Data = append(pl.Data[:1], (*dst)[:nn]...)
+			putByte(dst)
+			n = nn + 1
+			fallthrough
 		case 0x00: // DATA
 			// 去除数据头
 			// copy(pl.Data, pl.Data[1:n])
@@ -76,6 +95,8 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 			if payloadIn(cSess, pl) {
 				return
 			}
+			// 只记录返回正确的数据时间
+			cSess.LastDataTime.Store(utils.NowSec().Unix())
 		}

 	}
@@ -83,7 +104,7 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {

 func dtlsWrite(conn net.Conn, dSess *sessdata.DtlsSession, cSess *sessdata.ConnSession) {
 	defer func() {
-		base.Debug("dtlsWrite return", cSess.IpAddr)
+		base.Debug("dtlsWrite return", cSess.Username, cSess.IpAddr)
 		_ = conn.Close()
 		dSess.Close()
 	}()
@@ -106,21 +127,39 @@ func dtlsWrite(conn net.Conn, dSess *sessdata.DtlsSession, cSess *sessdata.ConnS

 		// header = []byte{payload.PType}
 		if pl.PType == 0x00 { // data
-			// 获取数据长度
-			l := len(pl.Data)
-			// 先扩容 +1
-			pl.Data = pl.Data[:l+1]
-			// 数据后移
-			copy(pl.Data[1:], pl.Data)
-			// 添加头信息
-			pl.Data[0] = pl.PType
+			isCompress := false
+			if cSess.DtlsPickCmp != nil && len(pl.Data) > base.Cfg.NoCompressLimit {
+				dst := getByteFull()
+				size, err := cSess.DtlsPickCmp.Compress(pl.Data, (*dst)[1:])
+				if err == nil && size < len(pl.Data) {
+					(*dst)[0] = 0x08
+					pl.Data = append(pl.Data[:0], (*dst)[:size+1]...)
+					isCompress = true
+				}
+				putByte(dst)
+			}
+			// 未压缩
+			if !isCompress {
+				// 获取数据长度
+				l := len(pl.Data)
+				// 先扩容 +1
+				pl.Data = pl.Data[:l+1]
+				// 数据后移
+				copy(pl.Data[1:], pl.Data)
+				// 添加头信息
+				pl.Data[0] = pl.PType
+			}
 		} else {
 			// 设置头类型
-			pl.Data = append(pl.Data[:0], pl.PType)
+			if pl.PType == 0x04 {
+				pl.Data[0] = pl.PType
+			} else {
+				pl.Data = append(pl.Data[:0], pl.PType)
+			}
 		}
 		n, err := conn.Write(pl.Data)
 		if err != nil {
-			base.Error("write err", err)
+			base.Warn("write err", cSess.Username, cSess.IpAddr, err)
 			return
 		}

--- a/server/handler/link_home.go
+++ b/server/handler/link_home.go
@@ -13,6 +13,9 @@ func LinkHome(w http.ResponseWriter, r *http.Request) {
 	// fmt.Println(r.RemoteAddr)
 	// hu, _ := httputil.DumpRequest(r, true)
 	// fmt.Println("DumpHome: ", string(hu))
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Del("X-Aggregate-Auth")
+
 	connection := strings.ToLower(r.Header.Get("Connection"))
 	userAgent := strings.ToLower(r.UserAgent())
 	if connection == "close" && (strings.Contains(userAgent, "anyconnect") || strings.Contains(userAgent, "openconnect")) {
@@ -21,15 +24,25 @@ func LinkHome(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	index := &dbdata.SettingOther{}
-	dbdata.SettingGet(index)
+	if err := dbdata.SettingGet(index); err != nil {
+		return
+	}
+
+	if index.Homecode != http.StatusOK {
+		w.WriteHeader(index.Homecode)
+		return
+	}
 	w.WriteHeader(http.StatusOK)
-	if index.Homeindex == "" {
-		index.Homeindex = "AnyLink 是一个企业级远程办公 SSL VPN 软件，可以支持多人同时在线使用。"
-	}	
+
+	// if index.Homeindex == "" {
+	// 	index.Homeindex = "AnyLink 是一个企业级远程办公 SSL VPN 软件，可以支持多人同时在线使用。"
+	// }
 	fmt.Fprintln(w, index.Homeindex)
 }

 func LinkOtpQr(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Cross-Origin-Resource-Policy", "cross-origin")
+
 	_ = r.ParseForm()
 	idS := r.FormValue("id")
 	jwtToken := r.FormValue("jwt")
--- a/server/handler/link_tap.go
+++ b/server/handler/link_tap.go
@@ -10,6 +10,7 @@ import (
 	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
+	gosysctl "github.com/lorenzosaino/go-sysctl"
 	"github.com/songgao/packets/ethernet"
 	"github.com/songgao/water"
 	"github.com/songgao/water/waterutil"
@@ -88,8 +89,12 @@ func LinkTap(cSess *sessdata.ConnSession) error {
 		return err
 	}

-	cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
-	execCmd([]string{cmdstr3})
+	// cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
+	// execCmd([]string{cmdstr3})
+	err = gosysctl.Set(fmt.Sprintf("net.ipv6.conf.%s.disable_ipv6", ifce.Name()), "1")
+	if err != nil {
+		base.Warn(err)
+	}

 	go allTapRead(ifce, cSess)
 	go allTapWrite(ifce, cSess)
@@ -175,7 +180,7 @@ func allTapWrite(ifce LinkDriver, cSess *sessdata.ConnSession) {
 			return
 		}

-		putPayload(pl)
+		putPayloadInBefore(cSess, pl)
 	}
 }

--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -4,11 +4,17 @@ import (
 	"fmt"

 	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
+	"github.com/coreos/go-iptables/iptables"
+	gosysctl "github.com/lorenzosaino/go-sysctl"
 	"github.com/songgao/water"
 )

 func checkTun() {
+	// 测试ip命令
+	base.CheckModOrLoad("tun")
+
 	// 测试tun
 	cfg := water.Config{
 		DeviceType: water.TUN,
@@ -20,12 +26,53 @@ func checkTun() {
 	}
 	defer ifce.Close()

-	// 测试ip命令
-	cmdstr := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
-	err = execCmd([]string{cmdstr})
+	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
+	err = execCmd([]string{cmdstr1})
 	if err != nil {
 		base.Fatal("testTun err: ", err)
 	}
+	// 开启服务器转发
+	// err = execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})
+	// if err != nil {
+	// 	base.Fatal(err)
+	// }
+	if base.Cfg.IptablesNat {
+		// 添加NAT转发规则
+		ipt, err := iptables.New()
+		if err != nil {
+			base.Fatal(err)
+			return
+		}
+
+		// 修复 rockyos nat 不生效
+		base.CheckModOrLoad("iptable_filter")
+		base.CheckModOrLoad("iptable_nat")
+		// base.CheckModOrLoad("xt_comment")
+
+		// 添加注释
+		natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-m", "comment",
+			"--comment", "AnyLink", "-j", "MASQUERADE"}
+		if base.InContainer {
+			natRule = []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-j", "MASQUERADE"}
+		}
+		err = ipt.InsertUnique("nat", "POSTROUTING", 1, natRule...)
+		if err != nil {
+			base.Error(err)
+		}
+
+		// 添加注释
+		forwardRule := []string{"-m", "comment", "--comment", "AnyLink", "-j", "ACCEPT"}
+		if base.InContainer {
+			forwardRule = []string{"-j", "ACCEPT"}
+		}
+		err = ipt.InsertUnique("filter", "FORWARD", 1, forwardRule...)
+		if err != nil {
+			base.Error(err)
+		}
+
+		base.Info(ipt.List("nat", "POSTROUTING"))
+		base.Info(ipt.List("filter", "FORWARD"))
+	}
 }

 // 创建tun网卡
@@ -42,7 +89,9 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 	// log.Printf("Interface Name: %s\n", ifce.Name())
 	cSess.SetIfName(ifce.Name())

-	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off", ifce.Name(), cSess.Mtu)
+	// 通过 ip link show  查看 alias 信息
+	alias := utils.ParseName(cSess.Group.Name + "." + cSess.Username)
+	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off alias %s", ifce.Name(), cSess.Mtu, alias)
 	cmdstr2 := fmt.Sprintf("ip addr add dev %s local %s peer %s/32",
 		ifce.Name(), base.Cfg.Ipv4Gateway, cSess.IpAddr)
 	err = execCmd([]string{cmdstr1, cmdstr2})
@@ -52,8 +101,12 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 		return err
 	}

-	cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
-	execCmd([]string{cmdstr3})
+	// cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
+	// execCmd([]string{cmdstr3})
+	err = gosysctl.Set(fmt.Sprintf("net.ipv6.conf.%s.disable_ipv6", ifce.Name()), "1")
+	if err != nil {
+		base.Warn(err)
+	}

 	go tunRead(ifce, cSess)
 	go tunWrite(ifce, cSess)
@@ -85,7 +138,7 @@ func tunWrite(ifce *water.Interface, cSess *sessdata.ConnSession) {
 			return
 		}

-		putPayload(pl)
+		putPayloadInBefore(cSess, pl)
 	}
 }

--- a/server/handler/link_tunnel.go
+++ b/server/handler/link_tunnel.go
@@ -6,6 +6,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"net/http/httputil"
 	"os"
 	"strings"
 	"text/template"
@@ -34,20 +35,21 @@ func HttpAddHeader(w http.ResponseWriter, key string, value string) {

 func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	// TODO 调试信息输出
-	// hd, _ := httputil.DumpRequest(r, true)
-	// fmt.Println("DumpRequest: ", string(hd))
-	// fmt.Println("LinkTunnel", r.RemoteAddr)
+	if base.GetLogLevel() == base.LogLevelTrace {
+		hd, _ := httputil.DumpRequest(r, true)
+		base.Trace("LinkTunnel: ", string(hd))
+	}

 	// 判断session-token的值
 	cookie, err := r.Cookie("webvpn")
 	if err != nil || cookie.Value == "" {
-		w.WriteHeader(http.StatusBadRequest)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}

 	sess := sessdata.SToken2Sess(cookie.Value)
 	if sess == nil {
-		w.WriteHeader(http.StatusBadRequest)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}

@@ -55,7 +57,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	cSess := sess.NewConn()
 	if cSess == nil {
 		log.Println(err)
-		w.WriteHeader(http.StatusBadRequest)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}

@@ -64,11 +66,14 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	cstpBaseMtu := r.Header.Get("X-CSTP-Base-MTU")
 	masterSecret := r.Header.Get("X-DTLS-Master-Secret")
 	localIp := r.Header.Get("X-Cstp-Local-Address-Ip4")
+	// 出口ip
+	exportIp4 := r.Header.Get("X-Cstp-Remote-Address-Ip4")
 	mobile := r.Header.Get("X-Cstp-License")

 	cSess.SetMtu(cstpMtu)
 	cSess.MasterSecret = masterSecret
 	cSess.RemoteAddr = r.RemoteAddr
+	cSess.UserAgent = strings.ToLower(r.UserAgent())
 	cSess.LocalIp = net.ParseIP(localIp)
 	cstpKeepalive := base.Cfg.CstpKeepalive
 	cstpDpd := base.Cfg.CstpDpd
@@ -81,13 +86,17 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	}
 	cSess.CstpDpd = cstpDpd

-	dtlsPort := "4433"
-	if strings.Contains(base.Cfg.ServerDTLSAddr, ":") {
-		ss := strings.Split(base.Cfg.ServerDTLSAddr, ":")
+	dtlsPort := "443"
+	if strings.Contains(base.Cfg.AdvertiseDTLSAddr, ":") {
+		ss := strings.Split(base.Cfg.AdvertiseDTLSAddr, ":")
 		dtlsPort = ss[1]
 	}

-	base.Debug(cSess.IpAddr, cSess.MacHw, sess.Username, mobile)
+	base.Info(sess.Username, cSess.IpAddr, cSess.MacHw, cSess.Client, mobile)
+
+	// 检测密码套件
+	dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite"))
+	base.Trace("dtlsCiphersuite", dtlsCiphersuite)

 	// 返回客户端数据
 	HttpSetHeader(w, "Server", fmt.Sprintf("%s %s", base.APP_NAME, base.APP_VER))
@@ -98,11 +107,19 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-CSTP-Netmask", sessdata.IpPool.Ipv4Mask.String()) // 子网掩码
 	HttpSetHeader(w, "X-CSTP-Hostname", hn)                               // 机器名称
 	HttpSetHeader(w, "X-CSTP-Base-MTU", cstpBaseMtu)
-	// 要发布的默认域
+	// 客户端dns的默认搜索域
 	if base.Cfg.DefaultDomain != "" {
 		HttpSetHeader(w, "X-CSTP-Default-Domain", base.Cfg.DefaultDomain)
 	}

+	// 压缩
+	if cmpName, ok := cSess.SetPickCmp("cstp", r.Header.Get("X-Cstp-Accept-Encoding")); ok {
+		HttpSetHeader(w, "X-CSTP-Content-Encoding", cmpName)
+	}
+	if cmpName, ok := cSess.SetPickCmp("dtls", r.Header.Get("X-Dtls-Accept-Encoding")); ok {
+		HttpSetHeader(w, "X-DTLS-Content-Encoding", cmpName)
+	}
+
 	// 设置用户策略
 	SetUserPolicy(cSess.Username, cSess.Group)

@@ -114,9 +131,14 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	for _, v := range cSess.Group.ClientDns {
 		HttpAddHeader(w, "X-CSTP-DNS", v.Val)
 	}
+	// 分割dns
+	for _, v := range cSess.Group.SplitDns {
+		HttpAddHeader(w, "X-CSTP-Split-DNS", v.Val)
+	}
+
 	// 允许的路由
 	for _, v := range cSess.Group.RouteInclude {
-		if v.Val == dbdata.All {
+		if strings.ToLower(v.Val) == dbdata.ALL {
 			continue
 		}
 		HttpAddHeader(w, "X-CSTP-Split-Include", v.IpMask)
@@ -125,7 +147,12 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	for _, v := range cSess.Group.RouteExclude {
 		HttpAddHeader(w, "X-CSTP-Split-Exclude", v.IpMask)
 	}
-	HttpSetHeader(w, "X-CSTP-Lease-Duration", fmt.Sprintf("%d", base.Cfg.IpLease)) // ip地址租期
+	// 排除出口ip路由(出口ip不加密传输)
+	if base.Cfg.ExcludeExportIp && exportIp4 != "" {
+		HttpAddHeader(w, "X-CSTP-Split-Exclude", exportIp4+"/255.255.255.255")
+	}
+
+	HttpSetHeader(w, "X-CSTP-Lease-Duration", "1209600") // ip地址租期
 	HttpSetHeader(w, "X-CSTP-Session-Timeout", "none")
 	HttpSetHeader(w, "X-CSTP-Session-Timeout-Alert-Interval", "60")
 	HttpSetHeader(w, "X-CSTP-Session-Timeout-Remaining", "none")
@@ -134,8 +161,10 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-CSTP-Keep", "true")
 	HttpSetHeader(w, "X-CSTP-Tunnel-All-DNS", "false")

-	HttpSetHeader(w, "X-CSTP-Rekey-Time", "172800")
+	HttpSetHeader(w, "X-CSTP-Rekey-Time", "86400") // 172800
 	HttpSetHeader(w, "X-CSTP-Rekey-Method", "new-tunnel")
+	HttpSetHeader(w, "X-DTLS-Rekey-Time", "86400")
+	HttpSetHeader(w, "X-DTLS-Rekey-Method", "new-tunnel")

 	HttpSetHeader(w, "X-CSTP-DPD", fmt.Sprintf("%d", cstpDpd))
 	HttpSetHeader(w, "X-CSTP-Keepalive", fmt.Sprintf("%d", cstpKeepalive))
@@ -150,14 +179,13 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-DTLS-Port", dtlsPort)
 	HttpSetHeader(w, "X-DTLS-DPD", fmt.Sprintf("%d", cstpDpd))
 	HttpSetHeader(w, "X-DTLS-Keepalive", fmt.Sprintf("%d", cstpKeepalive))
-	HttpSetHeader(w, "X-DTLS-Rekey-Time", "5400")
-	HttpSetHeader(w, "X-DTLS12-CipherSuite", "ECDHE-ECDSA-AES128-GCM-SHA256")
+	HttpSetHeader(w, "X-DTLS12-CipherSuite", dtlsCiphersuite)

 	HttpSetHeader(w, "X-CSTP-License", "accept")
 	HttpSetHeader(w, "X-CSTP-Routing-Filtering-Ignore", "false")
 	HttpSetHeader(w, "X-CSTP-Quarantine", "false")
 	HttpSetHeader(w, "X-CSTP-Disable-Always-On-VPN", "false")
-	HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "false")
+	HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "true")
 	HttpSetHeader(w, "X-CSTP-TCP-Keepalive", "false")
 	// 设置域名拆分隧道（移动端不支持）
 	if mobile != "mobile" {
@@ -167,10 +195,9 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)

 	hClone := w.Header().Clone()
-	headers := make([]byte, 0)
-	buf := bytes.NewBuffer(headers)
+	buf := &bytes.Buffer{}
 	_ = hClone.Write(buf)
-	base.Debug(buf.String())
+	base.Debug("LinkTunnel Response Header:", buf.String())

 	hj := w.(http.Hijacker)
 	conn, bufRW, err := hj.Hijack()
@@ -194,6 +221,15 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 		base.Error(err)
 		return
 	}
+	dbdata.UserActLogIns.Add(dbdata.UserActLog{
+		Username:        sess.Username,
+		GroupName:       sess.Group,
+		IpAddr:          cSess.IpAddr.String(),
+		RemoteAddr:      cSess.RemoteAddr,
+		DeviceType:      sess.DeviceType,
+		PlatformVersion: sess.PlatformVersion,
+		Status:          dbdata.UserConnected,
+	}, cSess.UserAgent)

 	go LinkCstp(conn, bufRW, cSess)
 }
@@ -212,7 +248,11 @@ func SetPostAuthXml(g *dbdata.Group, w http.ResponseWriter) error {
 	if err != nil {
 		return err
 	}
-	HttpSetHeader(w, "X-CSTP-Post-Auth-XML", result.String())
+	xmlAuth := ""
+	for _, v := range strings.Split(result.String(), "\n") {
+		xmlAuth += strings.TrimSpace(v)
+	}
+	HttpSetHeader(w, "X-CSTP-Post-Auth-XML", xmlAuth)
 	return nil
 }

--- a/server/handler/link_vtap.go
+++ b/server/handler/link_vtap.go
@@ -11,6 +11,7 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
+	gosysctl "github.com/lorenzosaino/go-sysctl"
 )

 // link vtap
@@ -28,18 +29,20 @@ func (v *Vtap) Close() error {
 }

 func checkMacvtap() {
+	// 加载 macvtap
+	base.CheckModOrLoad("macvtap")
+
 	_setGateway()
 	_checkTapIp(base.Cfg.Ipv4Master)

 	ifName := "anylinkMacvtap"
-	// 加载 macvtap
-	cmdstr0 := fmt.Sprintln("modprobe -i macvtap")
+
 	// 开启主网卡混杂模式
 	cmdstr1 := fmt.Sprintf("ip link set dev %s promisc on", base.Cfg.Ipv4Master)
 	// 测试 macvtap 功能
 	cmdstr2 := fmt.Sprintf("ip link add link %s name %s type macvtap mode bridge", base.Cfg.Ipv4Master, ifName)
 	cmdstr3 := fmt.Sprintf("ip link del %s", ifName)
-	err := execCmd([]string{cmdstr0, cmdstr1, cmdstr2, cmdstr3})
+	err := execCmd([]string{cmdstr1, cmdstr2, cmdstr3})
 	if err != nil {
 		base.Fatal(err)
 	}
@@ -54,14 +57,20 @@ func LinkMacvtap(cSess *sessdata.ConnSession) error {
 	cSess.SetIfName(ifName)

 	cmdstr1 := fmt.Sprintf("ip link add link %s name %s type macvtap mode bridge", base.Cfg.Ipv4Master, ifName)
-	cmdstr2 := fmt.Sprintf("ip link set dev %s up mtu %d address %s", ifName, cSess.Mtu, cSess.MacHw)
+	alias := utils.ParseName(cSess.Group.Name + "." + cSess.Username)
+	cmdstr2 := fmt.Sprintf("ip link set dev %s up mtu %d address %s alias %s", ifName, cSess.Mtu, cSess.MacHw, alias)
+
 	err := execCmd([]string{cmdstr1, cmdstr2})
 	if err != nil {
 		base.Error(err)
 		return err
 	}
-	cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifName)
-	execCmd([]string{cmdstr3})
+	// cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifName)
+	// execCmd([]string{cmdstr3})
+	err = gosysctl.Set(fmt.Sprintf("net.ipv6.conf.%s.disable_ipv6", ifName), "1")
+	if err != nil {
+		base.Warn(err)
+	}

 	return createVtap(cSess, ifName)
 }
--- a/server/handler/payload.go
+++ b/server/handler/payload.go
@@ -15,11 +15,6 @@ func payloadIn(cSess *sessdata.ConnSession, pl *sessdata.Payload) bool {
 			// 校验不通过直接丢弃
 			return false
 		}
-		if base.Cfg.AuditInterval >= 0 {
-			cSess.IpAuditPool.JobQueue <- func() {
-				logAudit(cSess, pl)
-			}
-		}
 	}

 	closed := false
@@ -32,6 +27,15 @@ func payloadIn(cSess *sessdata.ConnSession, pl *sessdata.Payload) bool {
 	return closed
 }

+func putPayloadInBefore(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
+	// 异步审计日志
+	if base.Cfg.AuditInterval >= 0 {
+		auditPayload.Add(cSess.Username, pl)
+		return
+	}
+	putPayload(pl)
+}
+
 func payloadOut(cSess *sessdata.ConnSession, pl *sessdata.Payload) bool {
 	dSess := cSess.GetDtlsSession()
 	if dSess == nil {
@@ -82,14 +86,41 @@ func checkLinkAcl(group *dbdata.Group, pl *sessdata.Payload) bool {
 	}

 	for _, v := range group.LinkAcl {
-		// 循环判断ip和端口
-		if v.IpNet.Contains(ipDst) {
-			// 放行允许ip的ping
-			if v.Port == ipPort || v.Port == 0 || ipProto == waterutil.ICMP {
-				if v.Action == dbdata.Allow {
-					return true
-				} else {
-					return false
+		// 放行允许ip的ping
+		// if v.Ports == nil || len(v.Ports) == 0 {
+		// 	//单端口历史数据兼容
+		// 	port := uint16(v.Port.(float64))
+		// 	if port == ipPort || port == 0 || ipProto == waterutil.ICMP {
+		// 		if v.Action == dbdata.Allow {
+		// 			return true
+		// 		} else {
+		// 			return false
+		// 		}
+		// 	}
+		// } else {
+
+		// 先判断协议
+		// 兼容旧数据 v.Protocol == ""
+		if v.Protocol == "" || v.Protocol == dbdata.ALL || v.IpProto == ipProto {
+			// 循环判断ip和端口
+			if v.IpNet.Contains(ipDst) {
+				// icmp 不判断端口
+				if ipProto == waterutil.ICMP {
+					if v.Action == dbdata.Allow {
+						return true
+					} else {
+						return false
+					}
+				}
+
+				if dbdata.ContainsInPorts(v.Ports, ipPort) || dbdata.ContainsInPorts(v.Ports, 0) {
+					if v.Action == dbdata.Allow {
+						// log.Println(dbdata.Allow, v.Ports)
+						return true
+					} else {
+						// log.Println(dbdata.Deny, v.Ports)
+						return false
+					}
 				}
 			}
 		}
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -3,13 +3,14 @@ package handler
 import (
 	"crypto/md5"
 	"encoding/binary"
-	"encoding/hex"
+	"runtime/debug"
 	"time"

 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
+	"github.com/ivpusic/grpool"
 	"github.com/songgao/water/waterutil"
 )

@@ -20,73 +21,101 @@ const (
 	acc_proto_http
 )

-// 保存批量的审计日志
+var (
+	auditPayload *AuditPayload
+	logBatch     *LogBatch
+)
+
+// 分析审计日志
+type AuditPayload struct {
+	Pool       *grpool.Pool
+	IpAuditMap utils.IMaps
+}
+
+// 保存审计日志
 type LogBatch struct {
-	Logs []dbdata.AccessAudit
+	Logs    []dbdata.AccessAudit
+	LogChan chan dbdata.AccessAudit
 }

-// 日志池
-type LogSink struct {
-	logChan        chan dbdata.AccessAudit
-	autoCommitChan chan *LogBatch // 超时通知
+// 异步写入pool
+func (p *AuditPayload) Add(userName string, pl *sessdata.Payload) {
+	select {
+	case p.Pool.JobQueue <- func() {
+		logAudit(userName, pl)
+	}:
+	default:
+		putPayload(pl)
+		base.Error("AccessAudit: AuditPayload channel is full")
+	}
 }

-var logAuditSink *LogSink
-
-// 写入日志通道
-func logAuditWrite(aa dbdata.AccessAudit) {
-	logAuditSink.logChan <- aa
+// 数据落盘
+func (l *LogBatch) Write() {
+	if len(l.Logs) == 0 {
+		return
+	}
+	_ = dbdata.AddBatch(l.Logs)
+	l.Reset()
 }

-// 批量写入数据表
+// 清空数据
+func (l *LogBatch) Reset() {
+	l.Logs = []dbdata.AccessAudit{}
+}
+
+// 开启批量写入数据功能
 func logAuditBatch() {
 	if base.Cfg.AuditInterval < 0 {
 		return
 	}
-	logAuditSink = &LogSink{
-		logChan:        make(chan dbdata.AccessAudit, 1000),
-		autoCommitChan: make(chan *LogBatch, 10),
+	auditPayload = &AuditPayload{
+		Pool:       grpool.NewPool(10, 10240),
+		IpAuditMap: utils.NewMap("cmap", 0),
+	}
+	logBatch = &LogBatch{
+		LogChan: make(chan dbdata.AccessAudit, 10240),
 	}
 	var (
-		limit        = 100 // 超过上限批量写入数据表
-		logAudit     dbdata.AccessAudit
-		logBatch     *LogBatch
-		commitTimer  *time.Timer // 超时自动提交
-		timeOutBatch *LogBatch
+		limit       = 100 // 超过上限批量写入数据表
+		outTime     = time.NewTimer(time.Second)
+		accessAudit = dbdata.AccessAudit{}
 	)
+
 	for {
+		// 重置超时 时间
+		outTime.Reset(time.Second * 1)
 		select {
-		case logAudit = <-logAuditSink.logChan:
-			if logBatch == nil {
-				logBatch = &LogBatch{}
-				commitTimer = time.AfterFunc(
-					1*time.Second, func(logBatch *LogBatch) func() {
-						return func() {
-							logAuditSink.autoCommitChan <- logBatch
-						}
-					}(logBatch),
-				)
-			}
-			logBatch.Logs = append(logBatch.Logs, logAudit)
+		case accessAudit = <-logBatch.LogChan:
+			logBatch.Logs = append(logBatch.Logs, accessAudit)
 			if len(logBatch.Logs) >= limit {
-				commitTimer.Stop()
-				_ = dbdata.AddBatch(logBatch.Logs)
-				logBatch = nil
+				if !outTime.Stop() {
+					<-outTime.C
+				}
+				logBatch.Write()
 			}
-		case timeOutBatch = <-logAuditSink.autoCommitChan:
-			if timeOutBatch != logBatch {
-				continue
-			}
-			if logBatch != nil {
-				_ = dbdata.AddBatch(logBatch.Logs)
-			}
-			logBatch = nil
+		case <-outTime.C:
+			logBatch.Write()
 		}
 	}
 }

 // 解析IP包的数据
-func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
+func logAudit(userName string, pl *sessdata.Payload) {
+	defer func() {
+		if err := recover(); err != nil {
+			base.Error("logAudit is panic: ", err, "\n", string(debug.Stack()), "\n", pl.Data)
+		}
+	}()
+
+	defer func() {
+		putPayload(pl)
+	}()
+
+	if !(pl.LType == sessdata.LTypeIPData && pl.PType == 0x00) {
+		return
+	}
+
 	ipProto := waterutil.IPv4Protocol(pl.Data)
 	// 访问协议
 	var accessProto uint8
@@ -99,89 +128,63 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
 	default:
 		return
 	}
-
+	// IP报文只包含头部信息时, 则打印LOG，并退出
+	ipPl := waterutil.IPv4Payload(pl.Data)
+	if len(ipPl) < 4 {
+		base.Error("ipPl len < 4", ipPl, pl.Data)
+		return
+	}
+	ipPort := (uint16(ipPl[2]) << 8) | uint16(ipPl[3])
 	ipSrc := waterutil.IPv4Source(pl.Data)
 	ipDst := waterutil.IPv4Destination(pl.Data)
-	ipPort := waterutil.IPv4DestinationPort(pl.Data)
-
 	b := getByte51()
+	// key格式 16字节源IP地址 + 16字节目的IP地址 + 2字节目的端口 + 1字节协议类型 + 16字节域名MD5
 	key := *b
 	copy(key[:16], ipSrc)
 	copy(key[16:32], ipDst)
 	binary.BigEndian.PutUint16(key[32:34], ipPort)
+	key[34] = byte(accessProto)
+	copy(key[35:51], []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})

 	info := ""
 	nu := utils.NowSec().Unix()
 	if ipProto == waterutil.TCP {
-		plData := waterutil.IPv4Payload(pl.Data)
-		if len(plData) < 14 {
+		tcpPlData := waterutil.IPv4Payload(pl.Data)
+		// 24 (ACK PSH)
+		if len(tcpPlData) < 14 || tcpPlData[13] != 24 {
 			return
 		}
-		flags := plData[13]
-		switch flags {
-		case flags & 0x20:
-			// URG
-			return
-		case flags & 0x14:
-			// RST ACK
-			return
-		case flags & 0x12:
-			// SYN ACK
-			return
-		case flags & 0x11:
-			// Client FIN
-			return
-		case flags & 0x10:
-			// ACK
-			return
-		case flags & 0x08:
-			// PSH
-			return
-		case flags & 0x04:
-			// RST
-			return
-		case flags & 0x02:
-			// SYN
-			return
-		case flags & 0x01:
-			// FIN
-			return
-		case flags & 0x18:
-			// PSH ACK
-			accessProto, info = onTCP(plData)
+		accessProto, info = onTCP(tcpPlData)
+		// HTTPS or HTTP
+		if accessProto != acc_proto_tcp {
+			// 提前存储只含ip数据的key, 避免即记录域名又记录一笔IP数据的记录
+			ipKey := make([]byte, 51)
+			copy(ipKey, key)
+			ipS := utils.BytesToString(ipKey)
+			auditPayload.IpAuditMap.Set(ipS, nu)
+
+			key[34] = byte(accessProto)
+			// 存储含域名的key
 			if info != "" {
-				// 提前存储只含ip数据的key, 避免即记录域名又记录一笔IP数据的记录
-				ipKey := make([]byte, 51)
-				copy(ipKey, key)
-				ipS := utils.BytesToString(ipKey)
-				cSess.IpAuditMap.Set(ipS, nu)
-				// 存储含域名的key
-				key[34] = byte(accessProto)
 				md5Sum := md5.Sum([]byte(info))
-				copy(key[35:51], hex.EncodeToString(md5Sum[:]))
+				copy(key[35:51], md5Sum[:])
 			}
-		case flags & 0x19:
-			// URG
-			return
-		case flags & 0xC2:
-			// SYN-ECE-CWR
-			return
 		}
 	}
 	s := utils.BytesToString(key)

 	// 判断已经存在，并且没有过期
-	v, ok := cSess.IpAuditMap.Get(s)
+	v, ok := auditPayload.IpAuditMap.Get(s)
 	if ok && nu-v.(int64) < int64(base.Cfg.AuditInterval) {
 		// 回收byte对象
 		putByte51(b)
 		return
 	}

-	cSess.IpAuditMap.Set(s, nu)
+	auditPayload.IpAuditMap.Set(s, nu)

 	audit := dbdata.AccessAudit{
-		Username:    cSess.Username,
+		Username:    userName,
 		Protocol:    uint8(ipProto),
 		Src:         ipSrc.String(),
 		Dst:         ipDst.String(),
@@ -190,5 +193,10 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
 		AccessProto: accessProto,
 		Info:        info,
 	}
-	logAuditWrite(audit)
+	select {
+	case logBatch.LogChan <- audit:
+	default:
+		base.Error("AccessAudit: LogChan channel is full")
+		return
+	}
 }
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -21,7 +21,7 @@ func onTCP(payload []byte) (uint8, string) {
 	}
 	data := payload[ihl:]
 	for _, parser := range tcpParsers {
-		if proto, info := parser(data); info != "" {
+		if proto, info := parser(data); proto != acc_proto_tcp {
 			return proto, info
 		}
 	}
@@ -29,8 +29,7 @@ func onTCP(payload []byte) (uint8, string) {
 }

 func sniNewParser(b []byte) (uint8, string) {
-	dataSize := len(b)
-	if dataSize < 2 || b[0] != 0x16 || b[1] != 0x03 {
+	if len(b) < 6 || b[0] != 0x16 || b[1] != 0x03 {
 		return acc_proto_tcp, ""
 	}
 	rest := b[5:]
@@ -51,27 +50,27 @@ func sniNewParser(b []byte) (uint8, string) {
 	// Skip over random number
 	current += 4 + 28
 	if current >= restLen {
-		return acc_proto_tcp, ""
+		return acc_proto_https, ""
 	}
 	// Skip over session ID
 	sessionIDLength := int(rest[current])
 	current += 1
 	current += sessionIDLength
-	if current >= restLen {
-		return acc_proto_tcp, ""
+	if current+1 >= restLen {
+		return acc_proto_https, ""
 	}
 	cipherSuiteLength := (int(rest[current]) << 8) + int(rest[current+1])
 	current += 2
 	current += cipherSuiteLength
 	if current >= restLen {
-		return acc_proto_tcp, ""
+		return acc_proto_https, ""
 	}
 	compressionMethodLength := int(rest[current])
 	current += 1
 	current += compressionMethodLength

 	if current >= restLen {
-		return acc_proto_tcp, ""
+		return acc_proto_https, ""
 	}
 	current += 2
 	hostname := ""
@@ -84,27 +83,30 @@ func sniNewParser(b []byte) (uint8, string) {
 			// Skip over number of names as we're assuming there's just one
 			current += 2
 			if current >= restLen {
-				return acc_proto_tcp, ""
+				return acc_proto_https, ""
 			}
 			nameType := rest[current]
 			current += 1
 			if nameType != 0 {
-				return acc_proto_tcp, ""
+				return acc_proto_https, ""
 			}
 			if current+1 >= restLen {
-				return acc_proto_tcp, ""
+				return acc_proto_https, ""
 			}
 			nameLen := (int(rest[current]) << 8) + int(rest[current+1])
 			current += 2
 			if current+nameLen >= restLen {
-				return acc_proto_tcp, ""
+				return acc_proto_https, ""
 			}
 			hostname = string(rest[current : current+nameLen])
 		}
 		current += extensionDataLength
 	}
 	if hostname == "" {
-		return acc_proto_tcp, ""
+		return acc_proto_https, ""
+	}
+	if !validDomainChar(hostname) {
+		return acc_proto_https, ""
 	}
 	return acc_proto_https, hostname
 }
@@ -150,8 +152,7 @@ func httpNewParser(data []byte) (uint8, string) {
 }

 func sniParser(data []byte) (uint8, string) {
-	dataSize := len(data)
-	if dataSize < 2 || data[0] != 0x16 || data[1] != 0x03 {
+	if len(data) < 2 || data[0] != 0x16 || data[1] != 0x03 {
 		return acc_proto_tcp, ""
 	}
 	sniRe := regexp.MustCompile("\x00\x00.{4}\x00.{2}([a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,6})\x00")
@@ -169,3 +170,15 @@ func httpParser(data []byte) (uint8, string) {
 	}
 	return acc_proto_tcp, ""
 }
+
+// 校验域名的合法字符, 处理乱码问题
+func validDomainChar(addr string) bool {
+	// Allow a-z A-Z . - 0-9
+	for i := 0; i < len(addr); i++ {
+		c := addr[i]
+		if !((c >= 97 && c <= 122) || (c >= 65 && c <= 90) || (c >= 45 && c <= 46) || (c >= 48 && c <= 57)) {
+			return false
+		}
+	}
+	return true
+}
--- a/Show More
+++ b/Show More