Update README.md

修改客户端下载地址
更新 README.md
2025-09-28 16:15:17 +08:00 · 2025-09-07 09:48:56 +08:00 · 2025-08-27 05:52:51 +08:00 · 2025-03-25 17:38:10 +08:00 · 2025-03-25 17:36:25 +08:00 · 2025-03-10 10:45:11 +08:00
105 changed files with 7346 additions and 4350 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -1,5 +1,7 @@
 ignore:
-  - "screenshot"
+  - "^doc"
-  - "web"
+  - "^home"
-  - "server/conf"
+  - "^web"
-  - "server/files"
+  - "^server/conf"
  - "^server/files"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -12,13 +12,15 @@
 name: "CodeQL"
 on:
-  push:
+  workflow_dispatch:
    branches: [ "main", "dev" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main", "dev" ]
  schedule:
-    - cron: '32 12 * * 5'
+    - cron: '32 5 * * 1'
 #  push:
 #    branches: [ "main", "dev" ]
 #  pull_request:
 #    branches: [ "main", "dev" ]
 jobs:
  analyze:
@@ -39,7 +41,7 @@ jobs:
    steps:
      - name: Checkout repository
-      uses: actions/checkout@v2
+        uses: actions/checkout@v4
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
--- a/.github/workflows/go-update.yml
+++ b/.github/workflows/go-update.yml
@@ -0,0 +1,48 @@
 name: go-update
 on:
  workflow_dispatch:
 #  schedule:
 #    - cron: "1 2 * * 5"
 jobs:
  go:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Go 1.x.y
        uses: actions/setup-go@main
        with:
          go-version: '1.20'
          stable: true
      - name: Checkout codebase
        uses: actions/checkout@main
      - name: go
        run: |
          cd ./server
          go mod tidy -compat=1.20
          #gofmt -w -r 'interface{} -> any' .
          go get -u
          go mod download
          go get -u
          go mod download
      - name: Git push
        run: |
          git init
          git config --local user.name "github-actions[bot]"
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git remote rm origin
          git remote add origin "https://${{ github.actor }}:${{ secrets.GITHUBTOKEN }}@github.com/${{ github.repository }}"
          git gc --aggressive
          git add --all
          git commit -m "update go.mod $(date +%Y.%m.%d.%H.%M)"
          #git push -f -u origin _autoaction
          git push -u origin _autoaction
      # 删除无用 workflow runs;
      - name: Delete workflow runs
        uses: GitRML/delete-workflow-runs@main
        with:
          retain_days: 0.1
          keep_minimum_runs: 1
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,6 +1,8 @@
 name: Go
 on:
  workflow_dispatch:
  push:
    branches: [ "main", "dev" ]
  pull_request:
@@ -12,15 +14,15 @@ jobs:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
      - name: Set up Go 1.x
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.18
+          go-version: '1.22'
-        id: go
+          go-version-file: 'server/go.mod'
-
+          cache-dependency-path: 'server/go.sum'
      - name: Check out code into the Go module directory
        uses: actions/checkout@v2
      - name: Get dependencies
        run: |
@@ -32,15 +34,16 @@ jobs:
          cd server
          mkdir ui
          touch ui/index.html
-          go build -v -o anylink -ldflags "-X main.CommitId=`git rev-parse HEAD`"
+          go build -v -o anylink -trimpath -ldflags "-X main.CommitId=`git rev-parse HEAD`"
          ./anylink tool -v
      - name: Test coverage
        run: |
          cd server
          go test ./...
          go test -race -coverprofile=coverage.txt -covermode=atomic -v ./...
-      - name: Upload coverage to Codecov
+      - name: Upload coverage reports to Codecov
-        run: |
+        uses: codecov/codecov-action@v3
-          cd server
+        env:
-          bash <(curl -s https://codecov.io/bash)
+          CODECOV_TOKEN: 28d52fb0-8fc9-460f-95b9-fb84f9138e58
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,98 @@
 name: release
 on:
  workflow_dispatch:
  push:
    tags:
      - "v0.*"
      - "v1.*"
 jobs:
  Build:
    name: build-binary
    runs-on: ubuntu-latest
    env:
      TZ: Asia/Shanghai
    steps:
      - name: Hello world
        run: uname -a
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '16'
          cache: 'yarn'
          cache-dependency-path: 'web/yarn.lock'
      - name: Build web
        working-directory: web
        run: |
          yarn install
          yarn run build
      #      - uses: actions/setup-go@v4
      #        with:
      #          go-version: '1.20'
      #          cache-dependency-path: 'server/go.sum'
      - name: Set up QEMU
        # https://github.com/docker/setup-qemu-action
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: bjdgyc
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          logout: true
      - name: Pre bash
        shell: bash
        run: |
          appVer=`cat version`
          commitId=`git rev-parse HEAD`
          echo "APP_VER=$appVer" >> $GITHUB_ENV
          echo "commitId=$commitId" >> $GITHUB_ENV
          echo $appVer > version_info
          echo $commitId >> version_info
          echo $GITHUB_REF >> version_info
          echo $GITHUB_REF_NAME >> version_info
          #cd server;go mod tidy
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          cache-from: type=gha,scope=anylink
          cache-to: type=gha,mode=max,scope=anylink
          context: .
          file: ./docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          #platforms: linux/amd64
          build-args: |
            appVer=${{ env.APP_VER }}
            commitId=${{ env.commitId }}
          tags: bjdgyc/anylink:${{ env.APP_VER }},bjdgyc/anylink:latest
          #tags: bjdgyc/anylink:${{ env.APP_VER }}
      - name: Build deploy binary
        shell: bash
        run: bash release.sh
      - name: Release
        # https://github.com/ncipollo/release-action
        # artifacts: bin/release/*
        # generateReleaseNotes: true
        # draft: true
        # https://github.com/softprops/action-gh-release
        uses: softprops/action-gh-release@v1
        #if: startsWith(github.ref, 'refs/tags/')
        with:
          tag_name: v${{ env.APP_VER }}
          files: artifact-dist/*
 #  Docker:
 #    name: build-docker
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,12 @@
 .idea/
 anylink-deploy
 anylink-deploy.tar.gz
 anylink-deploy-*
 anylink
 anylink.db
 dist
 artifact-dist
 anylink_amd64
 anylink_arm64
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,104 @@
 #https://goreleaser.com/static/schema.json
 # release --skip=publish
 # goreleaser build --skip=validate --clean --debug
 # GOPROXY=https://goproxy.cn
 # docker run -it --rm -v $PWD:/app -v /go:/go -w /app --platform=linux/arm64 golang:alpine3.19
 # docker run -it --rm -v $PWD:/app -v /go:/go -w /app goreleaser/goreleaser-cross build --skip=validate --clean --debug
 # docker run -it --rm -v $PWD:/app -v /go:/go -w /app bjdgyc/dcross goreleaser build --skip=validate --clean --debug
 version: 1
 dist: dist
 before:
  hooks:
    - pwd
 #    - cmd: go mod tidy
 #      dir:
 #        "{{ dir .Dist}}"
 #      output: true
 #    - cmd: go generate
 #      dir:
 #        "{{ dir .Dist}}"
 #      output: true
 builds:
  - id: "build"
    #main: .
    dir: ./server
    hooks:
      pre:
        - cmd: go mod tidy
          dir: ./server
          output: true
        - cmd: go generate
          dir: ./server
          output: true
    # {{- if eq .Arch "amd64" }}CC=x86_64-linux-gnu-gcc CXX=x86_64-linux-gnu-g++{{- end }}
    env:
      - CGO_ENABLED=1
      - >-
        {{- if eq .Os "linux" }}
          {{- if eq .Arch "amd64" }}CC=x86_64-linux-musl-gcc{{- end }}
          {{- if eq .Arch "arm64" }}CC=aarch64-linux-gnu-gcc{{- end }}
        {{- end }}
        {{- if eq .Os "darwin" }}
          {{- if eq .Arch "amd64"}}CC=o64-clang{{- end }}
          {{- if eq .Arch "arm64"}}CC=oa64-clang{{- end }}
        {{- end }}
        {{- if eq .Os "windows" }}
          {{- if eq .Arch "amd64"}}CC=x86_64-w64-mingw32-gcc{{- end }}
          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
        {{- end }}
    goos:
      - linux
      #- darwin
      #- windows
    goarch:
      - amd64
      #- arm64
    # https://go.dev/wiki/MinimumRequirements
    goamd64:
      - v1
    command: build
    flags:
      - -trimpath
      - -tags osusergo,netgo,sqlite_omit_load_extension
    ldflags:
      # go tool link -help
      # go tool compile -help
      # -linkmode external
      # -extld=$CC
      # -fpic 作为动态链接库的时候 需要添加
      - -s -w -extldflags '-static' -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.builtBy=dcross
 archives:
  - id: "archive1"
    format: tar.gz
    # this name template makes the OS and Arch compatible with the results of `uname`.
    name_template: >-
      {{ .ProjectName }}_
      {{- title .Os }}_
      {{- if eq .Arch "amd64" }}x86_64
      {{- else if eq .Arch "386" }}i386
      {{- else }}{{ .Arch }}{{ end }}
      {{- if .Arm }}v{{ .Arm }}{{ end }}
    # use zip for windows archives
    format_overrides:
      - goos: windows
        format: zip
 changelog:
  sort: asc
  filters:
    exclude:
      - "^docs:"
      - "^test:"
--- a/README.md
+++ b/README.md
@@ -3,14 +3,19 @@
 [![Go](https://github.com/bjdgyc/anylink/workflows/Go/badge.svg?branch=main)](https://github.com/bjdgyc/anylink/actions)
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/bjdgyc/anylink)](https://pkg.go.dev/github.com/bjdgyc/anylink)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bjdgyc/anylink)](https://goreportcard.com/report/github.com/bjdgyc/anylink)
-[![codecov](https://codecov.io/gh/bjdgyc/anylink/branch/master/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/bjdgyc/anylink)
+[![codecov](https://codecov.io/gh/bjdgyc/anylink/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/bjdgyc/anylink)
 ![GitHub release](https://img.shields.io/github/v/release/bjdgyc/anylink)
-![GitHub downloads)](https://img.shields.io/github/downloads/bjdgyc/anylink/total)
+![GitHub downloads total)](https://img.shields.io/github/downloads/bjdgyc/anylink/total)
 ![GitHub Downloads (all assets, latest release)](https://img.shields.io/github/downloads/bjdgyc/anylink/latest/total)
 [![Docker pulls)](https://img.shields.io/docker/pulls/bjdgyc/anylink.svg)](https://hub.docker.com/r/bjdgyc/anylink)
 ![LICENSE](https://img.shields.io/github/license/bjdgyc/anylink)
 AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。
 使用 AnyLink，你可以随时随地安全的访问你的内部网络。
 With AnyLink, you can securely access your internal network anytime and anywhere.
 ## Repo
 > github: https://github.com/bjdgyc/anylink
@@ -22,9 +27,12 @@ AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同
 AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-02)
 协议开发，并且借鉴了 [ocserv](http://ocserv.gitlab.io/www/index.html) 的开发思路，使其可以同时兼容 AnyConnect 客户端。
-AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
+AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以使用私有自签证书，可以通过 Let's Encrypt 和 TrustAsia
 申请免费的 SSL 证书。
-AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap 功能、ip 设置命令。
+AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18、Ubuntu 20、Ubuntu 20、AnolisOS 8 测试通过，如需要安装在其他系统，需要服务端支持
 tun/tap
 功能、ip 设置命令、iptables命令。
 ## Screenshot
@@ -45,35 +53,56 @@ AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试
 > 没有编程基础的同学建议直接下载 release 包，从下面的地址下载 anylink-deploy.tar.gz
 >
 > https://github.com/bjdgyc/anylink/releases
 >
 > https://gitee.com/bjdgyc/anylink/releases
 >
 > 如果不会安装，可以提供有偿远程协助服务(200 CNY)。添加QQ(68492170)联系我
 >
 > 也可以添加QQ群 咨询群内大佬
 >
 > 添加QQ群①: 567510628
 >
 > <img src="doc/screenshot/qq2.jpg" width="400" />
 ### 使用问题
-> 对于测试环境，可以使用 vpn.test.vqilu.cn 绑定host进行测试
+> 对于测试环境，可以直接进行测试，需要客户端取消勾选【阻止不受信任的服务器(Block connections to untrusted servers)】
 >
-> 对于线上环境，必须申请安全的 https 证书，不支持私有证书连接
+> 对于线上环境，尽量申请安全的https证书(跟nginx使用的pem证书类型一致)
 >
-> 客户端请使用群共享文件的版本，其他版本没有测试过，不保证使用正常
+> 群共享文件有相关客户端软件下载，其他版本没有测试过，不保证使用正常
 >
 > 其他问题 [前往查看](doc/question.md)
 >
-> 首次使用，请在浏览器访问 https://域名:443，浏览器提示安全后，在客户端输入 【域名:443】 即可
+> 默认管理后台访问地址  https://host:8800 或 https://域名:8800 默认账号密码 admin 123456
 >
 > 首次使用，请在浏览器访问  https://域名:443   浏览器提示安全后，在客户端输入 【域名:443】 即可
 ### 自行编译安装
-> 需要提前安装好 golang >= 1.19 和 nodejs >= 14.x 和 yarn >= v1.22.x
+> 需要提前安装好 docker
 ```shell
 git clone https://github.com/bjdgyc/anylink.git
 # docker编译 参考软件版本(不需要安装)
 # go 1.20.12
 # node v16.20.2
 # yarn 1.22.19
 cd anylink
-sh build.sh
+
 # 编译前端
 bash build_web.sh
 # 编译 anylink-deploy 发布文件
 bash build.sh
 # 注意使用root权限运行
 cd anylink-deploy
 sudo ./anylink
 # 默认管理后台访问地址
 # 注意该host为anylink的内网ip,不能跟客户端请求的ip一样
 # https://host:8800
 # 默认账号 密码
 # admin 123456
@@ -89,10 +118,11 @@ sudo ./anylink
 - [x] 兼容 AnyConnect
 - [x] 兼容 OpenConnect
 - [x] 基于 tun 设备的 nat 访问模式
- [x] 基于 tap 设备的桥接访问模式
+- [x] 基于 tun 设备的桥接访问模式
 - [x] 基于 macvtap 设备的桥接访问模式
 - [x] 支持 [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
 - [x] 用户组支持
 - [x] 用户组策略支持
 - [x] 多用户支持
 - [x] 用户策略支持
 - [x] TOTP 令牌支持
@@ -100,10 +130,19 @@ sudo ./anylink
 - [x] 流量速率限制
 - [x] 后台管理界面
 - [x] 访问权限管理
- [x] IP 访问审计功能
+- [x] 用户活动审计功能
 - [x] IP 访问审计功能(支持多端口、连续端口)
 - [x] 域名动态拆分隧道（域名路由功能）
 - [x] radius认证支持
 - [x] LDAP认证支持
 - [x] 空闲链接超时自动断开
 - [x] 流量压缩功能
 - [x] 出口 IP 自动放行
 - [x] 支持多服务的配置区分
 - [x] 支持私有自签证书
 - [x] 支持内网域名解析(指定的域名走内网dns)
 - [x] 增加用户验证防爆功能(IP BAN)
 - [x] 支持 docker 非特权模式
 - [ ] 基于 ipvtap 设备的桥接访问模式
 ## Config
@@ -111,39 +150,70 @@ sudo ./anylink
 > 示例配置文件内有详细的注释，根据注释填写配置即可。
 ```shell
 # 查看帮助信息
 ./anylink -h
 # 生成后台密码
 ./anylink tool -p 123456
 # 生成jwt密钥
 ./anylink tool -s
 # 查看所有配置项
 ./anylink tool -d
 ```
 > 数据库配置示例
 >
 > 数据库表结构自动生成，无需手动导入(请赋予 DDL 权限)
 | db_type  | db_source                                                                                                            |
-| -------- | ------------------------------------------------------ |
+|----------|----------------------------------------------------------------------------------------------------------------------|
 | sqlite3  | ./conf/anylink.db                                                                                                    |
-| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8 |
+| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8<br/>user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8mb4 |
-| postgres | user:password@localhost/anylink?sslmode=verify-full    |
+| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full                                                       |
 | mssql    | sqlserver://user:password@localhost?database=anylink&connection+timeout=30                                           |
 > 示例配置文件
 >
 > [conf/server-sample.toml](server/conf/server-sample.toml)
 ## Upgrade
 > 升级前请备份配置文件`conf`目录 和 数据库，并停止服务
 >
 > 使用新版的 `anylink` 二进制文件替换旧版
 >
 > 重启服务后，即可完成升级
 ## Setting
 ### 依赖设置
 > 服务端依赖安装:
 >
 > centos: yum install iptables iproute
 >
 > ubuntu: apt-get install iptables iproute2
 ### link_mode 设置
 > 以下参数必须设置其中之一
-网络模式选择，需要配置 `link_mode` 参数，如 `link_mode="tun"`,`link_mode="macvtap"`,`link_mode="tap"(不推荐)` 等参数。 不同的参数需要对服务器做相应的设置。
+网络模式选择，需要配置 `link_mode` 参数，如 `link_mode="tun"`,`link_mode="macvtap"`,`link_mode="tap"(不推荐)` 等参数。
 不同的参数需要对服务器做相应的设置。
-建议优先选择 tun 模式，其次选择 macvtap 模式，因客户端传输的是 IP 层数据，无须进行数据转换。 tap 模式是在用户态做的链路层到 IP 层的数据互相转换，性能会有所下降。 如果需要在虚拟机内开启 tap
+建议优先选择 tun 模式，其次选择 macvtap 模式，因客户端传输的是 IP 层数据，无须进行数据转换。 tap 模式是在用户态做的链路层到
 IP 层的数据互相转换，性能会有所下降。 如果需要在虚拟机内开启 tap
 模式，请确认虚拟机的网卡开启混杂模式。
-### tun 设置
+#### tun 设置
 1. 开启服务器转发
 ```shell
 # 新版本支持自动设置ip转发
 # file: /etc/sysctl.conf
 net.ipv4.ip_forward = 1
@@ -190,20 +260,63 @@ https://cloud.tencent.com/document/product/216/62007
 ```
 3. 使用 AnyConnect 客户端连接即可
-### macvtap 设置
+#### 桥接设置
 1. 设置配置文件
-> macvtap 设置相对比较简单，只需要配置相应的参数即可。
+> arp_proxy 性能较高，设置相对比较简单，只需要配置相应的参数即可。
 >
 > 网络要求：需要网络支持 ARP 传输，可通过 ARP 宣告普通内网 IP。
 >
 > 网络限制：云环境下不能使用，网卡mac加白环境不能使用，802.1x认证网络不能使用
 >
 > 以下参数可以通过执行 `ip a` 查看
 1.1 arp_proxy
 ```
 # file: /etc/sysctl.conf
 net.ipv4.conf.all.proxy_arp = 1
 #执行如下命令
 sysctl -w net.ipv4.conf.all.proxy_arp=1
 配置文件修改:
 # 首先关闭nat转发功能
 iptables_nat = false
 link_mode = "tun"
 #内网主网卡名称
 ipv4_master = "eth0"
 #以下网段需要跟ipv4_master网卡设置成一样
 ipv4_cidr = "10.1.2.0/24"
 ipv4_gateway = "10.1.2.99"
 ipv4_start = "10.1.2.100"
 ipv4_end = "10.1.2.200"
 ```
 1.2 macvtap
 ```
 # 命令行执行 master网卡需要打开混杂模式
 ip link set dev eth0 promisc on
 #=====================#
 # 配置文件修改
 # 首先关闭nat转发功能
 iptables_nat = false
 link_mode = "macvtap"
 #内网主网卡名称
 ipv4_master = "eth0"
 #以下网段需要跟ipv4_master网卡设置成一样
@@ -213,100 +326,180 @@ ipv4_start = "10.1.2.100"
 ipv4_end = "10.1.2.200"
 ```
 ## Deploy
-## Systemd
+> 部署配置文件放在 `deploy` 目录下，请根据实际情况修改配置文件
 ### Systemd
 1. 添加 anylink 程序
-
+    - 首先把 `anylink-deploy` 文件夹放入 `/usr/local/anylink-deploy`
    - anylink 程序目录放入 `/usr/local/anylink-deploy`
    - 添加执行权限 `chmod +x /usr/local/anylink-deploy/anylink`
-
+2. 把 `anylink.service` 脚本放入：
 2. systemd/anylink.service 脚本放入：
    - centos: `/usr/lib/systemd/system/`
    - ubuntu: `/lib/systemd/system/`
 3. 操作命令:
-
+    - 加载配置: `systemctl daemon-reload`
    - 启动: `systemctl start anylink`
    - 停止: `systemctl stop anylink`
    - 开机自启: `systemctl enable anylink`
 ### Docker Compose
 1. 进入 `deploy` 目录
 2. 执行脚本 `docker-compose up`
 ### k8s
 1. 进入 `deploy` 目录
 2. 执行脚本 `kubectl apply -f deployment.yaml`
 ## Docker
-1. 获取镜像
+### anylink 镜像地址
 对于国内用户，为提高镜像拉取体验，可以考虑拉取存放于阿里云镜像仓库的镜像，镜像名称及标签如下表所示(
 具体版本号可以查看 `version` 文件):
 |    支持设备/平台    |       DockerHub       |                             阿里云镜像仓库                             |
 |:-------------:|:---------------------:|:---------------------------------------------------------------:|
 | x86_64/amd64  | bjdgyc/anylink:latest |     registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest     |
 | x86_64/amd64  | bjdgyc/anylink:0.13.1 |     registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:0.13.1     | 
 | armv8/aarch64 | bjdgyc/anylink:latest | registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-latest | 
 | armv8/aarch64 | bjdgyc/anylink:0.13.1 | registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-0.13.1 | 
 ### docker 镜像源地址
 > docker.1ms.run/bjdgyc/anylink:latest
 >
 > dockerhub.yydy.link:2023/bjdgyc/anylink:latest
 ### 操作步骤
 1. 获取镜像
   ```bash
   # 具体tag可以从docker hub获取
   # https://hub.docker.com/r/bjdgyc/anylink/tags
   docker pull bjdgyc/anylink:latest
   docker pull registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest
   ```
 2. 查看命令信息
   ```bash
   docker run -it --rm bjdgyc/anylink -h
   ```
 3. 生成密码
   ```bash
   docker run -it --rm bjdgyc/anylink tool -p 123456
   #Passwd:$2a$10$lCWTCcGmQdE/4Kb1wabbLelu4vY/cUwBwN64xIzvXcihFgRzUvH2a
   ```
 4. 生成 jwt secret
   ```bash
   docker run -it --rm bjdgyc/anylink tool -s
   #Secret:9qXoIhY01jqhWIeIluGliOS4O_rhcXGGGu422uRZ1JjZxIZmh17WwzW36woEbA
   ```
-5. 启动容器
+5. 查看所有配置项
   ```bash
   docker run -it --rm bjdgyc/anylink tool -d
   ```
 6. iptables兼容设置
   ```bash
   # 默认 iptables 使用 nf_tables 设置转发规则,如果内核低于 4.19 版本,需要特殊配置
   docker run -itd --name anylink --privileged \
-       -p 443:443 -p 8800:8800 \
+      -e IPTABLES_LEGACY=on \
      -p 443:443 -p 8800:8800 -p 443:443/udp \
      --restart=always \
      bjdgyc/anylink
   ```
-6. 使用自定义参数启动容器
+7. 启动容器
   ```bash
-   # 参数可以参考 -h 命令
+   # 默认启动
   docker run -itd --name anylink --privileged \
-       -p 443:443 -p 8800:8800 \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
       --restart=always \
-       bjdgyc/anylink \
+       bjdgyc/anylink
-       -c=/etc/server.toml --ip_lease=1209600 # IP地址租约时长
+   
   # 自定义配置目录
   # 首次启动会自动创建配置文件
   # 配置文件初始化完成后，容器会强制退出，请重新启动容器
   docker run -itd --name anylink --privileged \
       -p 443:443 -p 8800:8800 -p 443:443/udp \
       -v /home/myconf:/app/conf \
       --restart=always \
       bjdgyc/anylink
   docker restart anylink
   ```
-7. 构建镜像
+8. 使用自定义参数启动容器
   ```bash
   # 参数可以参考 ./anylink tool -d
   # 可以使用命令行参数 或者 环境变量 配置
   docker run -itd --name anylink --privileged \
       -e LINK_LOG_LEVEL=info \
       -p 443:443 -p 8800:8800 -p 443:443/udp \
       -v /home/myconf:/app/conf \
       --restart=always \
       bjdgyc/anylink \
       --ip_lease=1209600 # IP地址租约时长
   ```
 9. 使用非特权模式启动容器
   ```bash
   # 参数可以参考 ./anylink tool -d
   # 可以使用命令行参数 或者 环境变量 配置
   docker run -itd --name anylink \
       -p 443:443 -p 8800:8800 -p 443:443/udp \
       -v /dev/net/tun:/dev/net/tun --cap-add=NET_ADMIN \
       --restart=always \
       bjdgyc/anylink
   ```
 10. 构建镜像 (非必需)
   ```bash
   #获取仓库源码
   git clone https://github.com/bjdgyc/anylink.git
   # 构建镜像
   sh build_docker.sh
   或
   docker build -t anylink -f docker/Dockerfile .
   ```
 ## 常见问题
 请前往 [问题地址](doc/question.md) 查看具体信息
 <!--
 ## Discussion
 添加QQ群: 567510628
 群共享文件有相关软件下载
 <!--
 添加微信群: 群共享文件有相关软件下载
 ![contact_me_qr](doc/screenshot/contact_me_qr.png)
 -->
 ## Support Document
 - [三方文档-男孩的天职](https://note.youdao.com/s/X4AxyWfL)
 - [三方文档-issues](https://github.com/bjdgyc/anylink/issues)
 - [三方文档-思有云](https://www.ioiox.com/archives/128.html)
 - [三方文档-杨杨得亿](https://yangpin.link/archives/1897.html)  [Windows电脑连接步骤-杨杨得亿](https://yangpin.link/archives/1697.html)
 ## Support Client
 - [AnyConnect Secure Client](https://www.cisco.com/) (可通过群文件下载: Windows/macOS/Linux/Android/iOS)
 - [OpenConnect](https://gitlab.com/openconnect/openconnect) (Windows/macOS/Linux)
 - [三方 AnyLink Secure Client](https://github.com/tlslink/anylink-client) (Windows/macOS/Linux)
 - [【推荐】三方客户端下载地址](https://cisco.yydy.link/) (
  Windows/macOS/Linux/Android/iOS)
 - [客户端下载面板搭建](https://blog.yydy.link/archives/2018.html) (支持Docker、Linux二进制、Windwos系统直接运行)
 ## Contribution
--- a/build.sh
+++ b/build.sh
@@ -1,57 +1,28 @@
 #!/bin/bash
 set -x
 function RETVAL() {
  rt=$1
  if [ $rt != 0 ]; then
    echo $rt
    exit 1
  fi
 }
 #当前目录
 cpath=$(pwd)
-echo "编译前端项目"
+ver=$(cat version)
-cd $cpath/web
+echo $ver
 #国内可替换源加快速度
 #npx browserslist@latest --update-db
 #npm install --registry=https://registry.npm.taobao.org
 #npm install
 #npm run build
-yarn install --registry=https://registry.npmmirror.com
+#前端编译 仅需要执行一次
-yarn run build
+#bash ./build_web.sh
 bash build_docker.sh
 deploy="anylink-deploy-$ver"
 docker container rm $deploy
 docker container create --name $deploy bjdgyc/anylink:$ver
 rm -rf anylink-deploy anylink-deploy.tar.gz
 docker cp -a $deploy:/app ./anylink-deploy
 tar zcf ${deploy}.tar.gz anylink-deploy
-RETVAL $?
+./anylink-deploy/anylink -v
 echo "编译二进制文件"
 cd $cpath/server
 rm -rf ui
 cp -rf $cpath/web/ui .
 #国内可替换源加快速度
 export GOPROXY=https://goproxy.io
 go mod tidy
 go build -v -o anylink -ldflags "-X main.CommitId=$(git rev-parse HEAD)"
 RETVAL $?
-cd $cpath
+echo "anylink 编译完成，目录: anylink-deploy"
 ls -lh anylink-deploy
 echo "整理部署文件"
 deploy="anylink-deploy"
 rm -rf $deploy ${deploy}.tar.gz
 mkdir $deploy
 cp -r server/anylink $deploy
 #cp -r server/bridge-init.sh $deploy
 cp -r server/conf $deploy
 cp -r systemd $deploy
 cp -r LICENSE $deploy
 tar zcvf ${deploy}.tar.gz $deploy
 #注意使用root权限运行
 #cd anylink-deploy
 #sudo ./anylink --conf="conf/server.toml"
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -1,15 +1,27 @@
 #!/bin/bash
-ver=`cat server/base/app_ver.go | grep APP_VER | awk '{print $3}' | sed 's/"//g'`
+action=$1
 ver=$(cat version)
 echo $ver
 # docker login -u bjdgyc
-#docker build -t bjdgyc/anylink .
+# 生成时间 2024-01-30T21:41:27+08:00
-docker build -t bjdgyc/anylink -f docker/Dockerfile .
+# date -Iseconds
 #bash ./build_web.sh
 # docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 本地不生成镜像
 docker build -t bjdgyc/anylink:latest --no-cache --progress=plain \
  --build-arg CN="yes" --build-arg appVer=$ver --build-arg commitId=$(git rev-parse HEAD) \
  -f docker/Dockerfile .
 echo "docker tag latest $ver"
 docker tag bjdgyc/anylink:latest bjdgyc/anylink:$ver
-docker push bjdgyc/anylink:$ver
+if [[ $action == "cntest" ]]; then
-docker push bjdgyc/anylink:latest
+  docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
-
+  docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
  echo registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
 fi
--- a/build_test.sh
+++ b/build_test.sh
@@ -0,0 +1,73 @@
 #!/bin/bash
 #github action release.sh
 set -x
 function RETVAL() {
  rt=$1
  if [ $rt != 0 ]; then
    echo $rt
    exit 1
  fi
 }
 #当前目录
 cpath=$(pwd)
 ver=$(cat version)
 echo $ver
 #前端编译 仅需要执行一次
 #bash ./build_web.sh
 echo "copy二进制文件"
 # -tags osusergo,netgo,sqlite_omit_load_extension
 flags="-trimpath"
 ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
 #github action
 gopath=/go
 dockercmd=$(
  cat <<EOF
 sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
 apk add gcc g++ musl musl-dev tzdata
 export GOPROXY=https://goproxy.cn
 go mod tidy
 echo "build:"
 rm anylink
 export CGO_ENABLED=1
 go build -v -o anylink $flags -ldflags "$ldflags"
 ./anylink -v
 EOF
 )
 # golang:1.20-alpine3.19
 #使用 musl-dev 编译
 docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/amd64 \
  golang:1.22-alpine3.19 sh -c "$dockercmd"
 #arm64编译
 #docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/arm64 \
 #  golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
 #exit 0
 #cd $cpath
 echo "整理部署文件"
 rm -rf anylink-deploy anylink-deploy.tar.gz
 mkdir anylink-deploy
 mkdir anylink-deploy/log
 cp -r server/anylink anylink-deploy
 cp -r server/conf anylink-deploy
 cp -r index_template anylink-deploy
 cp -r deploy anylink-deploy
 cp -r LICENSE anylink-deploy
 tar zcvf anylink-deploy.tar.gz anylink-deploy
 #注意使用root权限运行
 #cd anylink-deploy
 #sudo ./anylink --conf="conf/server.toml"
--- a/build_web.sh
+++ b/build_web.sh
@@ -0,0 +1,9 @@
 #!/bin/bash
 rm -rf web/ui server/ui
 docker run -it --rm -v $PWD/web:/app -w /app node:16-alpine \
  sh -c "yarn install --registry=https://registry.npmmirror.com && yarn run build"
 cp -r web/ui server/ui
--- a/systemd/anylink.service
+++ b/systemd/anylink.service
@@ -11,12 +11,14 @@ Restart=on-failure
 RestartSec=5s
 ExecStart=/usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml
 # systemctl --version
 # systemd older than v236
 # ExecStart=/bin/bash -c 'exec /usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml >> /usr/local/anylink-deploy/log/anylink.log 2>&1'
-
+# systemd new than v236
-StandardOutput=file:/usr/local/anylink-deploy/log/anylink.log
+# StandardOutput=file:/usr/local/anylink-deploy/log/anylink-systemd.log
-StandardError=file:/usr/local/anylink-deploy/log/anylink.log
+# StandardError=file:/usr/local/anylink-deploy/log/anylink-systemd.log
 [Install]
 WantedBy=multi-user.target
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -0,0 +1,101 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: anylink
  namespace: default
  labels:
    link-app: anylink
 spec:
  replicas: 1
  selector:
    matchLabels:
      link-app: anylink
  template:
    metadata:
      labels:
        link-app: anylink
    spec:
      #hostNetwork: true
      dnsPolicy: ClusterFirst
      containers:
        - name: anylink
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: GOMAXPROCS
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
            - name: POD_CPU_LIMIT
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
            - name: POD_MEMORY_LIMIT
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
            - name: TZ
              value: "Asia/Shanghai"
          image: bjdgyc/anylink:latest
          imagePullPolicy: Always
          args:
            - --conf=/app/conf/server.toml
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
            - name: https-admin
              containerPort: 8800
              protocol: TCP
            - name: dtls
              containerPort: 443
              protocol: UDP
          # 设置资源
          resources:
            limits:
              cpu: "2"
              memory: 4Gi
              ephemeral-storage: "2Gi"
          securityContext:
            privileged: true
      # 禁用自动注入 service 信息到环境变量
      enableServiceLinks: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      nodeSelector:
        kubernetes.io/os: linux
      securityContext: { }
      tolerations:
        - operator: Exists
      #设置优先级
      priorityClassName: system-cluster-critical
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: anylink
  namespace: default
  labels:
    link-app: anylink
 spec:
  ports:
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
    - name: https-admin
      port: 8800
      targetPort: 8800
      protocol: TCP
    - name: dtls
      port: 443
      targetPort: 443
      protocol: UDP
  selector:
    link-app: anylink
  sessionAffinity: ClientIP
  type: ClusterIP
--- a/deploy/docker-compose.yaml
+++ b/deploy/docker-compose.yaml
@@ -0,0 +1,20 @@
 services:
  anylink:
    image: bjdgyc/anylink:latest
    container_name: anylink
    restart: always
    privileged: true
    #cpus: 2
    #mem_limit: 4g
    ports:
      - 443:443
      - 8800:8800
      - 443:443/udp
    environment:
      LINK_LOG_LEVEL: info
      #IPTABLES_LEGACY: "on"
    command:
      - --conf=/app/conf/server.toml
    #volumes:
    #  - /home/myconf:/app/conf
    dns_search: .
--- a/deploy_docker_cn.sh
+++ b/deploy_docker_cn.sh
@@ -0,0 +1,27 @@
 #!/bin/bash
 ver=$(cat version)
 echo $ver
 echo "docker tag latest $ver"
 docker pull --platform=linux/amd64 bjdgyc/anylink:$ver
 docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest
 docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:latest
 docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:$ver
 docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:$ver
 docker rmi bjdgyc/anylink:$ver
 #arm64
 docker pull --platform=linux/arm64 bjdgyc/anylink:$ver
 docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-latest
 docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-latest
 docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-$ver
 docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:arm64v8-$ver
 docker rmi bjdgyc/anylink:$ver
--- a/doc/README.md
+++ b/doc/README.md
@@ -10,10 +10,10 @@
 > 感谢以下同学的打赏，AnyLink 有你更美好！
 >
-> 需要展示主页的同学，可以在QQ群(567510628) 直接联系我添加。
+> 需要展示主页的同学，可以在QQ群 直接联系我添加。
-| 昵称      | 主页                         |
+| 昵称                 | 主页 / 联系方式                    |
-|---------| ---------------------------- |
+|--------------------|------------------------------|
 | 代码 oo8             |                              |
 | 甘磊                 | https://github.com/ganlei333 |
 | Oo@                | https://github.com/chooop    |
@@ -33,9 +33,29 @@
 | 刘国华                |                              |
 | 忧郁的豚骨拉面            |                              |
 | 张小旋当爹地             |                              |
 | 对方正在输入             |                              |
 | Ronny              |                              |
 | 奔跑的少年              |                              |
 | ZBW                |                              |
 | 悲鸣                 |                              |
 | 谢谢                 |                              |
 | 云思科技               |                              |
 | 哆啦A伟(张佳伟)          |                              |
 | 人类的悲欢并不相通          |                              |
 | 做人要低调              |                              |
 | 洛洛                 |                              |
 | Dragon Liao        |                              |
 | 诸葛御风               |                              |
 | 杨杨得亿               |                              |
 | Thanataos          |                              |
 | 憨大叔                |                              |
 | 明月                 |                              |
 | Amis               |                              |
 | Blake              |                              |
 | 刘国华                |                              |
 | ZBW                |                              |
 | 全能互联网专家            |                              |
 | 广播.会议.音响.无纸化.物联网中控 |                              |
--- a/doc/question.md
+++ b/doc/question.md
@@ -1,34 +1,63 @@
 ## 常见问题
 ### anyconnect 客户端问题
 > 客户端请使用群共享文件的版本，其他版本没有测试过，不保证使用正常
 >
 > 添加QQ群: 567510628
 ### OTP 动态码
 > 请使用手机安装 freeotp ，然后扫描otp二维码，生成的数字即是动态码
 ### 用户策略问题
 > 只要有用户策略，组策略就不生效，相当于覆盖了组策略的配置
 ### 远程桌面连接
 > 本软件已经支持远程桌面里面连接anyconnect。
 ### 私有证书问题
 > anylink 默认不支持私有证书
 >
 > 其他使用私有证书的问题，请自行解决
 ### 客户端连接名称
 > 客户端连接名称需要修改 [profile.xml](../server/conf/profile.xml) 文件
 ```xml
 <HostEntry>
    <HostName>VPN</HostName>
    <HostAddress>localhost</HostAddress>
 </HostEntry>
 ```
 ### dpd timeout 设置问题
-```
+
 ```yaml
 #客户端失效检测时间(秒) dpd > keepalive
-cstp_keepalive = 6
+cstp_keepalive = 4
-cstp_dpd = 10
+cstp_dpd = 9
-mobile_keepalive = 15
+mobile_keepalive = 7
-mobile_dpd = 20
+mobile_dpd = 15
 ```
 > 以上dpd参数为客户端的超时检测时间, 如一段时间内，没有数据传输，防火墙会主动关闭连接
 >
 > 如经常出现 timeout 的错误信息，应根据当前防火墙的设置，适当减小dpd数值
 ### 关于审计日志 audit_interval 参数
 > 默认值 `audit_interval = 600` 表示相同日志600秒内只记录一次，不同日志首次出现立即记录
 >
 > 去重key的格式: 16字节源IP地址 + 16字节目的IP地址 + 2字节目的端口 + 1字节协议类型 + 16字节域名MD5
 ### 反向代理问题
 > anylink 仅支持四层反向代理，不支持七层反向代理
 >
 > 如Nginx请使用 stream模块
@@ -46,7 +75,36 @@ stream {
 }
 ```
 > nginx实现 共用443端口 示例
 ```conf
 stream {
    map $ssl_preread_server_name $name {
        vpn.xx.com        myvpn;
        default     defaultpage;
    }
    # upstream pool
    upstream myvpn {
        server 127.0.0.1:8443;
    }
    upstream defaultpage {
        server 127.0.0.1:8080;
    }
    server {
        listen 443 so_keepalive=on;
        ssl_preread on;
        #接收端也需要设置 proxy_protocol
        #proxy_protocol on;
        proxy_pass $name;
    }
 }
 ```
 ### 性能问题
 ```
 内网环境测试数据
 虚拟服务器：  centos7 4C8G
@@ -55,6 +113,22 @@ anylink:    tun模式 tcp传输
 客户端网卡下载速度：270Mb/s
 服务端网卡上传速度：280Mb/s
 ```
 > 客户端tls加密协议、隧道header头都会占用一定带宽
 ### 登录防爆说明
 ```
 1.用户 A 在 IP 1.2.3.4 上尝试登录:
  用户 A 在 IP 1.2.3.4 上尝试登录失败 5 次，触发了该 IP 上的用户 A 锁定 5 分钟。
  在这 5 分钟内，用户 A 从 IP 1.2.3.4 无法进行新的登录尝试。
 2.用户 A 更换 IP 到 1.2.3.5 继续尝试登录:
  用户 A 在 IP 1.2.3.5 上继续尝试登录，并且累计失败 20 次，触发了全局用户 A 锁定 5 分钟。
  在这 5 分钟内，用户 A 从任何 IP 地址都无法进行新的登录尝试。
 3.IP 1.2.3.4 上多个用户尝试登录:
  如果从 IP 1.2.3.4 上累计有 40 次失败登录尝试（无论来自多少不同的用户），触发了该 IP 的全局锁定 5 分钟。
  在这 5 分钟内，从 IP 1.2.3.4 的所有登录尝试都将被拒绝。
 如果在 N 分钟内没有新的失败尝试，失败计数会在 N 分钟后（*_reset_time）重置。
 ```
--- a/doc/screenshot/qq2.jpg
+++ b/doc/screenshot/qq2.jpg
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,48 +1,61 @@
-# web
+#node:16-bullseye
-FROM node:16.17.1-alpine3.15 as builder_node
+#golang:1.20-bullseye
-WORKDIR /web
+#debian:bullseye-slim
-COPY ./web /web
+#bullseye
-RUN yarn install \
+# sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
-    && yarn run build \
+#bookworm
-    && ls /web/ui
+# sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list.d/debian.sources
 # sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
 # 配合 github action 使用
 # 需要先编译出ui文件后 再执行docker编译
 # server
-FROM golang:1.19-alpine as builder_golang
+# golang:1.20-alpine3.19
-#TODO 本地打包时使用镜像
+FROM golang:1.22-alpine3.19 as builder_golang
-ENV GOPROXY=https://goproxy.io
+
-ENV GOOS=linux
+ARG CN="no"
-WORKDIR /anylink
+ARG appVer="appVer"
-COPY . /anylink
+ARG commitId="commitId"
-COPY --from=builder_node /web/ui  /anylink/server/ui
+
 ENV TZ=Asia/Shanghai
 WORKDIR /server
 COPY docker/init_build.sh /tmp/
 COPY server/ /server/
 COPY web/ui  /server/ui
 #RUN apk add gcc musl-dev bash
 RUN sh /tmp/init_build.sh
 #TODO 本地打包时使用镜像
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
 RUN apk add --no-cache git gcc musl-dev
 RUN cd /anylink/server;go mod tidy;go build -o anylink -ldflags "-X main.CommitId=$(git rev-parse HEAD)" \
    && /anylink/server/anylink tool -v
 # anylink
-FROM alpine
+FROM alpine:3.19
 LABEL maintainer="github.com/bjdgyc"
-#ENV IPV4_CIDR="192.168.10.0/24"
+ARG CN="no"
 ENV TZ=Asia/Shanghai
 #开关变量  on  off
 ENV ANYLINK_IN_CONTAINER="on"
 ENV IPTABLES_LEGACY="off"
 WORKDIR /app
-COPY --from=builder_golang /anylink/server/anylink  /app/
+COPY docker/init_release.sh /tmp/
 COPY docker/docker_entrypoint.sh  /app/
-#COPY ./server/bridge-init.sh /app/
+COPY --from=builder_golang /server/anylink  /app/
 COPY docker/docker_entrypoint.sh server/bridge-init.sh ./README.md ./LICENSE version_info /app/
 COPY ./deploy /app/deploy
 COPY ./index_template  /app/index_template
 COPY ./server/conf  /app/conf
 COPY ./LICENSE  /app/LICENSE
 #TODO 本地打包时使用镜像
-RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+RUN sh /tmp/init_release.sh
 RUN apk add --no-cache bash iptables \
    && chmod +x /app/docker_entrypoint.sh \
    && ls /app
-EXPOSE 443 8800
+
 EXPOSE 443 8800 443/udp
 #CMD ["/app/anylink"]
 ENTRYPOINT ["/app/docker_entrypoint.sh"]
--- a/docker/docker_entrypoint.sh
+++ b/docker/docker_entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 var1=$1
 #set -x
@@ -14,10 +14,24 @@ case $var1 in
  ;;
 *)
-  sysctl -w net.ipv4.ip_forward=1
+  #sysctl -w net.ipv4.ip_forward=1
  #iptables -t nat -A POSTROUTING -s "${IPV4_CIDR}" -o eth0+ -j MASQUERADE
  #iptables -nL -t nat
  # 启动服务 先判断配置文件是否存在
  if [[ ! -f /app/conf/profile.xml ]]; then
    /bin/cp -r /home/conf-bak/* /app/conf/
    echo "After the configuration file is initialized, the container will be forcibly exited. Restart the container."
    echo "配置文件初始化完成后，容器会强制退出，请重新启动容器。"
    exit 1
  fi
  # 兼容老版本 iptables
  if [[ $IPTABLES_LEGACY == "on" ]]; then
    rm /sbin/iptables
    ln -s /sbin/iptables-legacy /sbin/iptables
  fi
  exec /app/anylink "$@"
  ;;
 esac
--- a/docker/init_build.sh
+++ b/docker/init_build.sh
@@ -0,0 +1,34 @@
 #!/bin/sh
 set -x
 #TODO 本地打包时使用镜像
 if [[ $CN == "yes" ]]; then
  #sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
  sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
  export GOPROXY=https://goproxy.cn
 fi
 apk add build-base tzdata gcc g++ musl musl-dev upx
 uname -a
 env
 date
 cd /server
 go mod tidy
 echo "start build"
 ldflags="-s -w -X main.appVer=$appVer -X main.commitId=$commitId -X main.buildDate=$(date -Iseconds) -extldflags \"-static\" "
 export CGO_ENABLED=1
 go build -v -o anylink -trimpath -ldflags "$ldflags"
 ls -lh /server/
 # 压缩文件
 upx -9 -k anylink
 /server/anylink -v
--- a/docker/init_release.sh
+++ b/docker/init_release.sh
@@ -0,0 +1,32 @@
 #!/bin/sh
 set -x
 #TODO 本地打包时使用镜像
 if [[ $CN == "yes" ]]; then
  #sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
  sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
  export GOPROXY=https://goproxy.cn
 fi
 # docker 启动使用 4.19 以上内核
 apk add --no-cache ca-certificates bash iproute2 tzdata iptables inetutils-telnet
 # alpine:3.19 兼容老版本 iptables
 apk add --no-cache iptables-legacy
 #rm /sbin/iptables
 #ln -s /sbin/iptables-legacy /sbin/iptables
 chmod +x /app/docker_entrypoint.sh
 mkdir /app/log
 #备份配置文件
 cp -r /app/conf /home/conf-bak
 tree /app
 uname -a
 date -Iseconds
--- a/index_template/自定义首页1.html
+++ b/index_template/自定义首页1.html
@@ -0,0 +1,101 @@
 <!DOCTYPE html>
 <html>
 <head>
  <meta charset="UTF-8">
  <title>AnyLink - 企业级远程办公 SSL VPN</title>
  <style>
    /* CSS样式表 */
    body {
      font-family: Arial, sans-serif;
      margin: 0;
      padding: 0;
    }
    header {
      background-color: #333;
      color: #fff;
      padding: 20px;
      text-align: center;
    }
    h1 {
      margin: 0;
      font-size: 32px;
    }
    main {
      max-width: 960px;
      margin: 20px auto;
      padding: 0 20px;
 	  margin-bottom: 100px;
    }
    p {
      line-height: 1.5;
    }
 	/* 设置页脚固定在底部，并且占满横向宽度 */
 	footer {
 		position: fixed;
 		bottom: 0;
 		left: 0;
 		width: 100%;
 	}
    footer {
      background-color: #f2f2f2;
      padding: 20px;
      text-align: center;
    }
    .cta-button {
      display: inline-block;
      background-color: #007bff;
      color: #fff;
      padding: 10px 20px;
      text-decoration: none;
      border-radius: 4px;
      font-weight: bold;
      margin-right: 10px;
    }
  </style>
 </head>
 <body>
  <header>
    <h1>欢迎使用 AnyLink</h1>
  </header>
  <main>
    <h2>什么是 AnyLink？</h2>
    <p>AnyLink 是一款面向企业级的远程办公 SSL VPN 软件，支持多人同时在线使用。它提供安全、便捷的访问内部网络资源的方式，使远程工作者能够有效协作。</p>
    <h2>核心功能</h2>
    <ul>
      <li>安全远程访问：AnyLink 使用 SSL/TLS 加密技术，确保远程用户与企业网络之间的连接安全可靠。</li>
      <li>多用户支持：多个用户可以同时连接 VPN，实现不同地点团队的无缝协作。</li>
      <li>灵活网络访问：AnyLink 能够安全地让远程工作者访问内部资源，如文件、应用程序和数据库。</li>
      <li>集中化管理：该 VPN 解决方案提供集中化管理控制台，便于用户管理、访问控制和监控。</li>
    </ul>
    <h2>开始使用 AnyLink</h2>
    <p>体验 AnyLink 为您的企业远程办公需求所带来的便利和安全。</p>
    <h2>下载客户端</h2>
    <a href="/files/anyconnect-win-4.10.05111.msi" class="cta-button">Windows 客户端</a>
    <a href="/files/anyconnect-macos-4.10.05111.dmg" class="cta-button">Mac 客户端</a>
    <a href="https://apps.apple.com/cn/app/cisco-secure-client/id1135064690" class="cta-button">iOS 客户端</a>
    <a href="/files/CiscoSecureClientAnyConnect_v5.0.00247.apk" class="cta-button">Android 客户端</a>
    <a href="/files/freeotp.apk" class="cta-button">Android FreeOTP客户端</a>
    <a href="https://apps.apple.com/cn/app/freeotp-authenticator/id872559395" class="cta-button">iOS FreeOTP客户端</a>
    <h2>使用手册</h2>
    <a href="/files/anylink_doc.pdf" class="cta-button">使用手册(Windows)</a>
  </main>
  <footer>
    &copy; 2023 AnyLink. 保留所有权利。
  </footer>
 </body>
 </html>
--- a/index_template/自定义首页2.html
+++ b/index_template/自定义首页2.html
@@ -0,0 +1,165 @@
 <!DOCTYPE html>
 <html lang="zh-CN">
 <head>
    <meta charset=UTF-8">
    <title id="pageTitle">客户端下载</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <style type="text/css">
        body {
            background-color: #fff;
            background-image: linear-gradient(0deg, transparent 24%, rgba(207, 207, 207, 0.2) 25%, rgba(207, 207, 207, 0.2) 26%, transparent 27%, transparent 74%, rgba(207, 207, 207, 0.2) 75%, rgba(207, 207, 207, 0.2) 76%, transparent 77%, transparent),
            linear-gradient(90deg, transparent 24%, rgba(207, 207, 207, 0.2) 25%, rgba(207, 207, 207, 0.2) 26%, transparent 27%, transparent 74%, rgba(207, 207, 207, 0.2) 75%, rgba(207, 207, 207, 0.2) 76%, transparent 77%, transparent);
            background-size: 50px 50px;
            margin: 0;
            padding: 0;
            display: flex;
            justify-content: center;
            align-items: center;
            height: 100vh;
        }
        #box {
            background-color: #ffffff;
            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
            position: relative;
            padding: 20px;
            border-radius: 8px;
            max-width: 550px;
            width: 100%;
            box-sizing: border-box;
        }
        h2 {
            color: #333;
            font-weight: 600;
            font-size: 28px;
            margin: 0 0 20px 0;
        }
        p {
            color: #666;
            font-size: 16px;
            line-height: 1.6;
            margin-top: 20px;
        }
        .button {
            background-color: #ddd;
            text-decoration: none;
            line-height: 44px;
            padding: 9px 42px;
            font-weight: 500;
            color: #fff;
            font-size: 16px;
            -webkit-transition: background-color 0.25s ease-out 0s;
            -moz-transition: background-color 0.25s ease-out 0s;
            transition: background-color 0.25s ease-out 0s;
            -moz-border-radius: 4px;
            -webkit-border-radius: 4px;
            border-radius: 4px;
        }
        .button:hover {
            background-color: #CCC;
            color: #444;
        }
        .button:active {
            background-color: #666;
            color: #eee;
        }
        .blue {
            background-color: #007BFF;
        }
        .deep-blue {
            background-color: #0056B3;
        }
        .green {
            background-color: #28A745;
        }
        .grey {
            background-color: #6C757D;
        }
        .black {
            background-color: #343A40;
        }
        .light-blue {
            background-color: #17A2B8;
        }
        .dark-grey {
            background-color: #495057;
        }
        @media (max-width: 768px) {
            h2 {
                font-size: 24px;
            }
            p {
                font-size: 14px;
            }
            .button {
                padding: 7px 35px;
            }
        }
    </style>
 </head>
 <body>
 <div id="app">
    <div id="box">
        <h2 id="title">请选择对应平台下载</h2>
        <p id="windowsTab">Windows 系统</p>
        <a id="linkWindowsX86_64" class="button blue" href="#">Win X86_64</a>
        <a id="linkWindowsARM64" class="button deep-blue" href="#">Win ARM64</a>
        <p id="mobileTab">移动端</p>
        <a id="linkAndroid" class="button green" href="#">Android</a>
        <a id="linkIphone" class="button grey" href="#" target="_blank">iPhone</a>
        <p id="macOSTab">MacOS 系统</p>
        <a id="linkMacos" class="button black" href="#">Mac Intel</a>
        <a id="linkMacosARM64" class="button blue" href="#">Mac ARM64</a>
        <p id="totpTab">TOTP 移动客户端</p>
        <a id="linkTotpAndroid" class="button light-blue" href="#">Android</a>
        <a id="linkTotpIphone" class="button dark-grey" href="#" target="_blank">iPhone</a>
    </div>
 </div>
 <script>
    const data = {
        links: {
            windowsX86_64: '/files/anyconnect-win-4.10.05111.msi',
            windowsARM64: '/files/anyconnect-win-4.10.05111.msi',
            android: '/files/CiscoSecureClientAnyConnect_v5.0.00247.apk',
            iphone: 'https://apps.apple.com/cn/app/cisco-anyconnect/id1135064690',
            macosIntel: '/files/anyconnect-macos-4.10.05111.dmg',
            macosARM64: '/files/anyconnect-macos-4.10.05111.dmg',
            totpAndroid: '/files/Authenticator_v5.10_apkpure.com.apk',
            totpIphone: 'https://apps.apple.com/cn/app/google-authenticator/id388497605',
        }
    };
    window.onload = function () {
        document.getElementById('linkWindowsX86_64').href = data.links.windowsX86_64;
        document.getElementById('linkWindowsARM64').href = data.links.windowsARM64;
        document.getElementById('linkAndroid').href = data.links.android;
        document.getElementById('linkIphone').href = data.links.iphone;
        document.getElementById('linkMacos').href = data.links.macosIntel;
        document.getElementById('linkMacosARM64').href = data.links.macosARM64;
        document.getElementById('linkTotpAndroid').href = data.links.totpAndroid;
        document.getElementById('linkTotpIphone').href = data.links.totpIphone;
    };
 </script>
 </body>
 </html>
--- a/release.sh
+++ b/release.sh
@@ -0,0 +1,50 @@
 #!/bin/bash
 #github action release.sh
 set -x
 function RETVAL() {
  rt=$1
  if [ $rt != 0 ]; then
    echo $rt
    exit 1
  fi
 }
 #当前目录
 cpath=$(pwd)
 ver=$(cat version)
 echo "当前版本 $ver"
 rm -rf artifact-dist
 mkdir artifact-dist
 function archive() {
  arch=$1
  #echo "整理部署文件 $arch"
  arch_name=${arch//\//-}
  echo $arch_name
  deploy="anylink-$ver-$arch_name"
  docker container rm $deploy
  docker container create --platform $arch --name $deploy bjdgyc/anylink:$ver
  rm -rf anylink-deploy
  docker cp -a $deploy:/app ./anylink-deploy
  ls -lh anylink-deploy
  tar zcf ${deploy}.tar.gz anylink-deploy
  mv ${deploy}.tar.gz artifact-dist/
 }
 echo "copy二进制文件"
 archive "linux/amd64"
 archive "linux/arm64"
 ls -lh artifact-dist
 #注意使用root权限运行
 #cd anylink-deploy
 #sudo ./anylink --conf="conf/server.toml"
--- a/server/admin/api_base.go
+++ b/server/admin/api_base.go
@@ -3,11 +3,13 @@ package admin
 import (
 	"fmt"
 	"net/http"
 	"runtime/debug"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/mux"
 	"github.com/xlzd/gotp"
 )
 // Login 登陆接口
@@ -20,10 +22,35 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	adminUser := r.PostFormValue("admin_user")
 	adminPass := r.PostFormValue("admin_pass")
 	// 启用otp验证
 	if base.Cfg.AdminOtp != "" {
 		pwd := adminPass
 		pl := len(pwd)
 		if pl < 6 {
 			RespError(w, RespUserOrPassErr)
 			base.Error(adminUser, "管理员otp错误")
 			return
 		}
 		// 判断otp信息
 		adminPass = pwd[:pl-6]
 		otp := pwd[pl-6:]
 		totp := gotp.NewDefaultTOTP(base.Cfg.AdminOtp)
 		unix := time.Now().Unix()
 		verify := totp.Verify(otp, unix)
 		if !verify {
 			RespError(w, RespUserOrPassErr)
 			base.Error(adminUser, "管理员otp错误")
 			return
 		}
 	}
 	// 认证错误
 	if !(adminUser == base.Cfg.AdminUser &&
 		utils.PasswordVerify(adminPass, base.Cfg.AdminPass)) {
 		RespError(w, RespUserOrPassErr)
 		base.Error(adminUser, "管理员用户名或密码错误")
 		return
 	}
@@ -41,6 +68,14 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	data["admin_user"] = adminUser
 	data["expires_at"] = expiresAt
 	ck := &http.Cookie{
 		Name:     "jwt",
 		Value:    tokenString,
 		Path:     "/",
 		HttpOnly: true,
 	}
 	http.SetCookie(w, ck)
 	RespSucess(w, data)
 }
@@ -50,13 +85,16 @@ func authMiddleware(next http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Methods", "GET,POST,OPTIONS")
 		w.Header().Set("Access-Control-Allow-Headers", "*")
 		if r.Method == http.MethodOptions {
 			// w.WriteHeader(http.StatusOK)
 			// 正式环境不支持 OPTIONS
 			w.WriteHeader(http.StatusForbidden)
 			return
 		}
 		route := mux.CurrentRoute(r)
 		name := route.GetName()
 		// fmt.Println("bb", r.URL.Path, name)
-		if utils.InArrStr([]string{"login", "index", "static", "debug"}, name) {
+		if utils.InArrStr([]string{"login", "index", "static"}, name) {
 			// 不进行鉴权
 			next.ServeHTTP(w, r)
 			return
@@ -67,6 +105,12 @@ func authMiddleware(next http.Handler) http.Handler {
 		if jwtToken == "" {
 			jwtToken = r.FormValue("jwt")
 		}
 		if jwtToken == "" {
 			cc, err := r.Cookie("jwt")
 			if err == nil {
 				jwtToken = cc.Value
 			}
 		}
 		data, err := GetJwtData(jwtToken)
 		if err != nil || base.Cfg.AdminUser != fmt.Sprint(data["admin_user"]) {
 			w.WriteHeader(http.StatusUnauthorized)
@@ -77,3 +121,17 @@ func authMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(fn)
 }
 func recoverHttp(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		defer func() {
 			if err := recover(); err != nil {
 				stack := debug.Stack()
 				base.Error(err, string(stack))
 				// http.Error(w, "Internal Server Error", 500)
 				RespError(w, 500, "Internal Server Error")
 			}
 		}()
 		next.ServeHTTP(w, r)
 	})
 }
--- a/server/admin/api_group.go
+++ b/server/admin/api_group.go
@@ -75,6 +75,10 @@ func GroupDetail(w http.ResponseWriter, r *http.Request) {
 	if len(data.Auth) == 0 {
 		data.Auth["type"] = "local"
 	}
 	// 兼容旧数据
 	if data.SplitDns == nil {
 		data.SplitDns = []dbdata.ValData{}
 	}
 	RespSucess(w, data)
 }
--- a/server/admin/api_set.go
+++ b/server/admin/api_set.go
@@ -72,6 +72,7 @@ func SetSystem(w http.ResponseWriter, r *http.Request) {
 		"goroutine":    runtime.NumGoroutine(),
 		"appVersion":   "v" + base.APP_VER,
 		"appCommitId":  base.CommitId,
 		"appBuildDate": base.BuildDate,
 		"hostname": hi.Hostname,
 		"platform": fmt.Sprintf("%v %v %v", hi.Platform, hi.PlatformFamily, hi.PlatformVersion),
--- a/server/admin/api_uploaduser.go
+++ b/server/admin/api_uploaduser.go
@@ -5,11 +5,11 @@ import (
 	"io"
 	"net/http"
 	"os"
 	"path"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	mapset "github.com/deckarep/golang-set"
@@ -25,21 +25,27 @@ func UserUpload(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	defer file.Close()
-	newFile, err := os.Create(base.Cfg.FilesPath + header.Filename)
+
 	// go/path-injection
 	// base.Cfg.FilesPath 可以直接对外访问，不能上传文件到此
 	fileName := path.Join(os.TempDir(), utils.RandomRunes(10))
 	newFile, err := os.Create(fileName)
 	if err != nil {
 		RespError(w, RespInternalErr, "创建文件失败:", err)
 		return
 	}
 	defer newFile.Close()
 	io.Copy(newFile, file)
 	if err = UploadUser(newFile.Name()); err != nil {
 		RespError(w, RespInternalErr, err)
-		os.Remove(base.Cfg.FilesPath + header.Filename)
+		os.Remove(fileName)
 		return
 	}
-	os.Remove(base.Cfg.FilesPath + header.Filename)
+	os.Remove(fileName)
 	RespSucess(w, "批量添加成功")
 }
 func UploadUser(file string) error {
 	f, err := excelize.OpenFile(file)
 	if err != nil {
@@ -104,6 +110,7 @@ func UploadUser(file string) error {
 		if err := dbdata.AddBatch(user); err != nil {
 			return fmt.Errorf("请检查第%d行数据是否导入有重复用户", index)
 		}
 		user.PinCode = row[4]
 		if user.SendEmail {
 			if err := userAccountMail(user); err != nil {
 				return err
--- a/server/admin/api_user.go
+++ b/server/admin/api_user.go
@@ -15,13 +15,16 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/skip2/go-qrcode"
 	mail "github.com/xhit/go-simple-mail/v2"
 )
 func UserList(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 	prefix := r.FormValue("prefix")
 	prefix = strings.TrimSpace(prefix)
 	pageS := r.FormValue("page")
 	page, _ := strconv.Atoi(pageS)
 	if page < 1 {
@@ -37,8 +40,11 @@ func UserList(w http.ResponseWriter, r *http.Request) {
 	// 查询前缀匹配
 	if len(prefix) > 0 {
-		count = dbdata.CountPrefix("username", prefix, &dbdata.User{})
+		fuzzy := "%" + prefix + "%"
-		err = dbdata.Prefix("username", prefix, &datas, pageSize, 1)
+		where := "username LIKE ? OR nickname LIKE ? OR email LIKE ?"
 		count = dbdata.FindWhereCount(&dbdata.User{}, where, fuzzy, fuzzy, fuzzy)
 		err = dbdata.FindWhere(&datas, pageSize, page, where, fuzzy, fuzzy, fuzzy)
 	} else {
 		count = dbdata.CountAll(&dbdata.User{})
 		err = dbdata.Find(&datas, pageSize, page)
@@ -93,11 +99,17 @@ func UserSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if len(data.PinCode) < 6 {
 		data.PinCode = utils.RandomRunes(8)
 		base.Info("用户", data.Username, "随机密码为:", data.PinCode)
 	}
 	plainpwd := data.PinCode
 	err = dbdata.SetUser(data)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
 	data.PinCode = plainpwd
 	// 发送邮件
 	if data.SendEmail {
@@ -175,7 +187,15 @@ func userOtpQr(uid int, b64 bool) (string, error) {
 // 在线用户
 func UserOnline(w http.ResponseWriter, r *http.Request) {
-	datas := sessdata.OnlineSess()
+	_ = r.ParseForm()
 	search_cate := r.FormValue("search_cate")
 	search_text := r.FormValue("search_text")
 	show_sleeper := r.FormValue("show_sleeper")
 	showSleeper, _ := strconv.ParseBool(show_sleeper)
 	// one_offline := r.FormValue("one_offline")
 	// datas := sessdata.OnlineSess()
 	datas := sessdata.GetOnlineSess(search_cate, search_text, showSleeper)
 	data := map[string]interface{}{
 		"count":     len(datas),
@@ -205,9 +225,12 @@ type userAccountMailData struct {
 	LinkAddr     string
 	Group        string
 	Username     string
 	Nickname     string
 	PinCode      string
 	LimitTime    string
 	OtpImg       string
 	OtpImgBase64 string
 	DisableOtp   bool
 }
 func userAccountMail(user *dbdata.User) error {
@@ -251,13 +274,23 @@ func userAccountMail(user *dbdata.User) error {
 	otpData, _ := userOtpQr(user.Id, true)
 	data := userAccountMailData{
 		Issuer:       base.Cfg.Issuer,
 		LinkAddr:     setting.LinkAddr,
 		Group:        strings.Join(user.Groups, ","),
 		Username:     user.Username,
 		Nickname:     user.Nickname,
 		PinCode:      user.PinCode,
 		OtpImg:       fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", setting.LinkAddr, user.Id, tokenString),
 		OtpImgBase64: "data:image/png;base64," + otpData,
 		DisableOtp:   user.DisableOtp,
 	}
 	if user.LimitTime == nil {
 		data.LimitTime = "无限制"
 	} else {
 		data.LimitTime = user.LimitTime.Local().Format("2006-01-02")
 	}
 	w := bytes.NewBufferString("")
 	t, _ := template.New("auth_complete").Parse(htmlBody)
 	err = t.Execute(w, data)
@@ -265,5 +298,19 @@ func userAccountMail(user *dbdata.User) error {
 		return err
 	}
 	// fmt.Println(w.String())
-	return SendMail(base.Cfg.Issuer+"平台通知", user.Email, w.String())
+
 	var attach *mail.File
 	if user.DisableOtp {
 		attach = nil
 	} else {
 		imgData, _ := userOtpQr(user.Id, false)
 		attach = &mail.File{
 			MimeType: "image/png",
 			Name:     "userOtpQr.png",
 			Data:     []byte(imgData),
 			Inline:   true,
 		}
 	}
 	return SendMail(base.Cfg.Issuer, user.Email, w.String(), attach)
 }
--- a/server/admin/common.go
+++ b/server/admin/common.go
@@ -43,7 +43,7 @@ func GetJwtData(jwtToken string) (map[string]interface{}, error) {
 	return claims, nil
 }
-func SendMail(subject, to, htmlBody string) error {
+func SendMail(subject, to, htmlBody string, attach *mail.File) error {
 	dataSmtp := &dbdata.SettingSmtp{}
 	err := dbdata.SettingGet(dataSmtp)
@@ -73,7 +73,7 @@ func SendMail(subject, to, htmlBody string) error {
 	// - PLAIN (default)
 	// - LOGIN
 	// - CRAM-MD5
-	server.Authentication = mail.AuthPlain
+	server.Authentication = mail.AuthAuto
 	// Variable to keep alive connection
 	server.KeepAlive = false
@@ -102,6 +102,10 @@ func SendMail(subject, to, htmlBody string) error {
 		AddTo(to).
 		SetSubject(subject)
 	if attach != nil {
 		email.Attach(attach)
 	}
 	email.SetBody(mail.TextHTML, htmlBody)
 	// Call Send and pass the client
--- a/server/admin/lockmanager.go
+++ b/server/admin/lockmanager.go
@@ -0,0 +1,465 @@
 package admin
 import (
 	"encoding/json"
 	"io"
 	"net"
 	"net/http"
 	"strings"
 	"sync"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 )
 type LockInfo struct {
 	Description string     `json:"description"` // 锁定原因
 	Username    string     `json:"username"`    // 用户名
 	IP          string     `json:"ip"`          // IP 地址
 	State       *LockState `json:"state"`       // 锁定状态信息
 }
 type LockState struct {
 	Locked       bool      `json:"locked"`      // 是否锁定
 	FailureCount int       `json:"attempts"`    // 失败次数
 	LockTime     time.Time `json:"lock_time"`   // 锁定截止时间
 	LastAttempt  time.Time `json:"lastAttempt"` // 最后一次尝试的时间
 }
 type IPWhitelists struct {
 	IP   net.IP
 	CIDR *net.IPNet
 }
 type LockManager struct {
 	mu sync.Mutex
 	// LoginStatus   sync.Map                         // 登录状态
 	ipLocks       map[string]*LockState            // 全局IP锁定状态
 	userLocks     map[string]*LockState            // 全局用户锁定状态
 	ipUserLocks   map[string]map[string]*LockState // 单用户IP锁定状态
 	ipWhitelists  []IPWhitelists                   // 全局IP白名单，包含IP地址和CIDR范围
 	cleanupTicker *time.Ticker
 }
 var lockmanager *LockManager
 var once sync.Once
 func GetLockManager() *LockManager {
 	once.Do(func() {
 		lockmanager = &LockManager{
 			// LoginStatus:  sync.Map{},
 			ipLocks:      make(map[string]*LockState),
 			userLocks:    make(map[string]*LockState),
 			ipUserLocks:  make(map[string]map[string]*LockState),
 			ipWhitelists: make([]IPWhitelists, 0),
 		}
 	})
 	return lockmanager
 }
 const defaultGlobalLockStateExpirationTime = 3600
 func InitLockManager() {
 	lm := GetLockManager()
 	if base.Cfg.AntiBruteForce {
 		if base.Cfg.GlobalLockStateExpirationTime <= 0 {
 			base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
 		}
 		lm.StartCleanupTicker()
 		lm.InitIPWhitelist()
 	}
 }
 func GetLocksInfo(w http.ResponseWriter, r *http.Request) {
 	lm := GetLockManager()
 	locksInfo := lm.GetLocksInfo()
 	RespSucess(w, locksInfo)
 }
 func UnlockUser(w http.ResponseWriter, r *http.Request) {
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
 	lockinfo := LockInfo{}
 	if err := json.Unmarshal(body, &lockinfo); err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
 	if lockinfo.State == nil {
 		RespError(w, RespInternalErr, "未找到锁定用户！")
 		return
 	}
 	lm := GetLockManager()
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	// 根据用户名和IP查找锁定状态
 	var state *LockState
 	switch {
 	case lockinfo.IP == "" && lockinfo.Username != "":
 		state = lm.userLocks[lockinfo.Username] // 全局用户锁定
 	case lockinfo.Username != "" && lockinfo.IP != "":
 		if userIPMap, exists := lm.ipUserLocks[lockinfo.Username]; exists {
 			state = userIPMap[lockinfo.IP] // 单用户 IP 锁定
 		}
 	default:
 		state = lm.ipLocks[lockinfo.IP] // 全局 IP 锁定
 	}
 	if state == nil || !state.Locked {
 		RespError(w, RespInternalErr, "锁定状态未找到或已解锁")
 		return
 	}
 	lm.Unlock(state)
 	base.Info("解锁成功:", lockinfo.Description, lockinfo.Username, lockinfo.IP)
 	RespSucess(w, "解锁成功！")
 }
 func (lm *LockManager) GetLocksInfo() []LockInfo {
 	var locksInfo []LockInfo
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	for ip, state := range lm.ipLocks {
 		if base.Cfg.MaxGlobalIPBanCount > 0 && state.Locked {
 			info := LockInfo{
 				Description: "全局IP锁定",
 				Username:    "",
 				IP:          ip,
 				State: &LockState{
 					Locked:       state.Locked,
 					FailureCount: state.FailureCount,
 					LockTime:     state.LockTime,
 					LastAttempt:  state.LastAttempt,
 				},
 			}
 			locksInfo = append(locksInfo, info)
 		}
 	}
 	for username, state := range lm.userLocks {
 		if base.Cfg.MaxGlobalUserBanCount > 0 && state.Locked {
 			info := LockInfo{
 				Description: "全局用户锁定",
 				Username:    username,
 				IP:          "",
 				State: &LockState{
 					Locked:       state.Locked,
 					FailureCount: state.FailureCount,
 					LockTime:     state.LockTime,
 					LastAttempt:  state.LastAttempt,
 				},
 			}
 			locksInfo = append(locksInfo, info)
 		}
 	}
 	for username, ipStates := range lm.ipUserLocks {
 		for ip, state := range ipStates {
 			if base.Cfg.MaxBanCount > 0 && state.Locked {
 				info := LockInfo{
 					Description: "单用户IP锁定",
 					Username:    username,
 					IP:          ip,
 					State: &LockState{
 						Locked:       state.Locked,
 						FailureCount: state.FailureCount,
 						LockTime:     state.LockTime,
 						LastAttempt:  state.LastAttempt,
 					},
 				}
 				locksInfo = append(locksInfo, info)
 			}
 		}
 	}
 	return locksInfo
 }
 // 初始化IP白名单
 func (lm *LockManager) InitIPWhitelist() {
 	ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
 	for _, ipWhitelist := range ipWhitelist {
 		ipWhitelist = strings.TrimSpace(ipWhitelist)
 		if ipWhitelist == "" {
 			continue
 		}
 		_, ipNet, err := net.ParseCIDR(ipWhitelist)
 		if err == nil {
 			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
 			continue
 		}
 		ip := net.ParseIP(ipWhitelist)
 		if ip != nil {
 			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
 			continue
 		}
 	}
 }
 // 检查 IP 是否在白名单中
 func (lm *LockManager) IsWhitelisted(ip string) bool {
 	clientIP := net.ParseIP(ip)
 	if clientIP == nil {
 		return false
 	}
 	for _, ipWhitelist := range lm.ipWhitelists {
 		if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
 			return true
 		}
 		if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
 			return true
 		}
 	}
 	return false
 }
 func (lm *LockManager) StartCleanupTicker() {
 	lm.cleanupTicker = time.NewTicker(1 * time.Minute)
 	go func() {
 		for range lm.cleanupTicker.C {
 			lm.CleanupExpiredLocks()
 		}
 	}()
 }
 // 定期清理过期的锁定
 func (lm *LockManager) CleanupExpiredLocks() {
 	now := time.Now()
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	for ip, state := range lm.ipLocks {
 		if !lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime) ||
 			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 			delete(lm.ipLocks, ip)
 		}
 	}
 	for user, state := range lm.userLocks {
 		if !lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime) ||
 			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 			delete(lm.userLocks, user)
 		}
 	}
 	for user, ipMap := range lm.ipUserLocks {
 		for ip, state := range ipMap {
 			if !lm.CheckLockState(state, now, base.Cfg.BanResetTime) ||
 				now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 				delete(ipMap, ip)
 				if len(ipMap) == 0 {
 					delete(lm.ipUserLocks, user)
 				}
 			}
 		}
 	}
 }
 // 检查全局 IP 锁定
 func (lm *LockManager) CheckGlobalIPLock(ip string, now time.Time) bool {
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	state, exists := lm.ipLocks[ip]
 	if !exists {
 		return false
 	}
 	return lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime)
 }
 // 检查全局用户锁定
 func (lm *LockManager) CheckGlobalUserLock(username string, now time.Time) bool {
 	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
 	if username == "" {
 		return false
 	}
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	state, exists := lm.userLocks[username]
 	if !exists {
 		return false
 	}
 	return lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime)
 }
 // 检查单个用户的 IP 锁定
 func (lm *LockManager) CheckUserIPLock(username, ip string, now time.Time) bool {
 	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
 	if username == "" {
 		return false
 	}
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	userIPMap, userExists := lm.ipUserLocks[username]
 	if !userExists {
 		return false
 	}
 	state, ipExists := userIPMap[ip]
 	if !ipExists {
 		return false
 	}
 	return lm.CheckLockState(state, now, base.Cfg.BanResetTime)
 }
 // 更新全局 IP 锁定状态
 func (lm *LockManager) UpdateGlobalIPLock(ip string, now time.Time, success bool) {
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	state, exists := lm.ipLocks[ip]
 	if !exists {
 		state = &LockState{}
 		lm.ipLocks[ip] = state
 	}
 	lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
 }
 // 更新全局用户锁定状态
 func (lm *LockManager) UpdateGlobalUserLock(username string, now time.Time, success bool) {
 	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
 	if username == "" {
 		return
 	}
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	state, exists := lm.userLocks[username]
 	if !exists {
 		state = &LockState{}
 		lm.userLocks[username] = state
 	}
 	lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
 }
 // 更新单个用户的 IP 锁定状态
 func (lm *LockManager) UpdateUserIPLock(username, ip string, now time.Time, success bool) {
 	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
 	if username == "" {
 		return
 	}
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 	userIPMap, userExists := lm.ipUserLocks[username]
 	if !userExists {
 		userIPMap = make(map[string]*LockState)
 		lm.ipUserLocks[username] = userIPMap
 	}
 	state, ipExists := userIPMap[ip]
 	if !ipExists {
 		state = &LockState{}
 		userIPMap[ip] = state
 	}
 	lm.UpdateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
 }
 // 更新锁定状态
 func (lm *LockManager) UpdateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
 	if success {
 		lm.Unlock(state) // 成功登录后解锁
 	} else {
 		state.FailureCount++
 		if state.FailureCount >= maxBanCount {
 			state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
 			state.Locked = true // 超过阈值时锁定
 		}
 	}
 	state.LastAttempt = now
 }
 // 检查锁定状态
 func (lm *LockManager) CheckLockState(state *LockState, now time.Time, resetTime int) bool {
 	if state == nil || state.LastAttempt.IsZero() {
 		return false
 	}
 	// 如果超过锁定时间，重置锁定状态
 	if !state.LockTime.IsZero() && now.After(state.LockTime) {
 		lm.Unlock(state) // 锁定期过后解锁
 		return false
 	}
 	// 如果超过窗口时间，重置失败计数
 	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
 		state.FailureCount = 0
 		return false
 	}
 	return state.Locked
 }
 // 解锁
 func (lm *LockManager) Unlock(state *LockState) {
 	state.FailureCount = 0
 	state.LockTime = time.Time{}
 	state.Locked = false
 }
 // 检查锁定状态
 func (lm *LockManager) CheckLocked(username, ipaddr string) bool {
 	if !base.Cfg.AntiBruteForce {
 		return true
 	}
 	ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址，去掉端口号
 	if err != nil {
 		base.Error("检查锁定状态失败,提取IP地址错误:", ipaddr)
 		return true
 	}
 	now := time.Now()
 	// 检查IP是否在白名单中
 	if lm.IsWhitelisted(ip) {
 		return true
 	}
 	// 检查全局 IP 锁定
 	if base.Cfg.MaxGlobalIPBanCount > 0 && lm.CheckGlobalIPLock(ip, now) {
 		base.Warn("IP", ip, "is globally locked. Try again later.")
 		return false
 	}
 	// 检查全局用户锁定
 	if base.Cfg.MaxGlobalUserBanCount > 0 && lm.CheckGlobalUserLock(username, now) {
 		base.Warn("User", username, "is globally locked. Try again later.")
 		return false
 	}
 	// 检查单个用户的 IP 锁定
 	if base.Cfg.MaxBanCount > 0 && lm.CheckUserIPLock(username, ip, now) {
 		base.Warn("IP", ip, "is locked for user", username, "Try again later.")
 		return false
 	}
 	return true
 }
 // 更新用户登录状态
 func (lm *LockManager) UpdateLoginStatus(username, ipaddr string, loginStatus bool) {
 	ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址，去掉端口号
 	if err != nil {
 		base.Error("更新登录状态失败,提取IP地址错误:", ipaddr)
 		return
 	}
 	now := time.Now()
 	// 更新用户登录状态
 	lm.UpdateGlobalIPLock(ip, now, loginStatus)
 	lm.UpdateGlobalUserLock(username, now, loginStatus)
 	lm.UpdateUserIPLock(username, ip, now, loginStatus)
 }
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -10,6 +10,7 @@ import (
 	"github.com/arl/statsviz"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 )
@@ -20,8 +21,15 @@ var UiData embed.FS
 func StartAdmin() {
 	r := mux.NewRouter()
-	r.Use(authMiddleware)
+	r.Use(recoverHttp, authMiddleware, handlers.CompressHandler)
-	r.Use(handlers.CompressHandler)
+	// 所有路由添加安全头
 	r.Use(func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			utils.SetSecureHeader(w)
 			w.Header().Set("Server", "AnyLinkAdminOpenSource")
 			next.ServeHTTP(w, req)
 		})
 	})
 	// 监控检测
 	r.HandleFunc("/status.html", func(w http.ResponseWriter, r *http.Request) {
@@ -78,6 +86,8 @@ func StartAdmin() {
 	r.HandleFunc("/group/auth_login", GroupAuthLogin)
 	r.HandleFunc("/statsinfo/list", StatsInfoList)
 	r.HandleFunc("/locksinfo/list", GetLocksInfo)
 	r.HandleFunc("/locksinfo/unlok", UnlockUser)
 	// pprof
 	if base.Cfg.Pprof {
@@ -88,8 +98,9 @@ func StartAdmin() {
 		r.HandleFunc("/debug/pprof", location("/debug/pprof/")).Name("debug")
 		r.PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index).Name("debug")
 		// statsviz
-		r.Path("/debug/statsviz/ws").Name("debug").HandlerFunc(statsviz.Ws)
+		srv, _ := statsviz.NewServer() // Create server or handle error
-		r.PathPrefix("/debug/statsviz/").Name("debug").Handler(statsviz.Index)
+		r.Path("/debug/statsviz/ws").Name("debug").HandlerFunc(srv.Ws())
 		r.PathPrefix("/debug/statsviz/").Name("debug").Handler(srv.Index())
 	}
 	base.Info("Listen admin", base.Cfg.AdminAddr)
@@ -101,12 +112,6 @@ func StartAdmin() {
 		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}
 	if tlscert, _, err := dbdata.ParseCert(); err != nil {
 		base.Fatal("证书加载失败", err)
 	} else {
 		dbdata.LoadCertificate(tlscert)
 	}
 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
@@ -120,6 +125,7 @@ func StartAdmin() {
 		Addr:      base.Cfg.AdminAddr,
 		Handler:   r,
 		TLSConfig: tlsConfig,
 		ErrorLog:  base.GetServerLog(),
 	}
 	err := srv.ListenAndServeTLS("", "")
 	if err != nil {
--- a/server/base/app_ver.go
+++ b/server/base/app_ver.go
@@ -2,6 +2,12 @@ package base
 const (
 	APP_NAME = "AnyLink"
-	// app版本号
+)
-	APP_VER = "0.9.3"
+
 var (
 	// APP_VER app版本号
 	APP_VER = "0.0.1"
 	// 提交id
 	CommitId  string
 	BuildDate string
 )
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -5,6 +5,9 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
 	"strings"
 	"github.com/bjdgyc/anylink/pkg/utils"
 )
 const (
@@ -33,9 +36,11 @@ type ServerConfig struct {
 	// LinkAddr      string `json:"link_addr"`
 	Conf              string `json:"conf"`
 	Profile           string `json:"profile"`
 	ProfileName       string `json:"profile_name"`
 	ServerAddr        string `json:"server_addr"`
 	ServerDTLSAddr string `json:"server_dtls_addr"`
 	ServerDTLS        bool   `json:"server_dtls"`
 	ServerDTLSAddr    string `json:"server_dtls_addr"`
 	AdvertiseDTLSAddr string `json:"advertise_dtls_addr"`
 	AdminAddr         string `json:"admin_addr"`
 	ProxyProtocol     bool   `json:"proxy_protocol"`
 	DbType            string `json:"db_type"`
@@ -45,10 +50,12 @@ type ServerConfig struct {
 	FilesPath         string `json:"files_path"`
 	LogPath           string `json:"log_path"`
 	LogLevel          string `json:"log_level"`
 	HttpServerLog     bool   `json:"http_server_log"`
 	Pprof             bool   `json:"pprof"`
 	Issuer            string `json:"issuer"`
 	AdminUser         string `json:"admin_user"`
 	AdminPass         string `json:"admin_pass"`
 	AdminOtp          string `json:"admin_otp"`
 	JwtSecret         string `json:"jwt_secret"`
 	LinkMode    string `json:"link_mode"`    // tun tap macvtap ipvtap
@@ -69,6 +76,7 @@ type ServerConfig struct {
 	Mtu             int    `json:"mtu"`
 	DefaultDomain   string `json:"default_domain"`
 	IdleTimeout    int `json:"idle_timeout"`    // in seconds
 	SessionTimeout int `json:"session_timeout"` // in seconds
 	// AuthTimeout    int `json:"auth_timeout"`    // in seconds
 	AuditInterval int `json:"audit_interval"` // in seconds
@@ -79,6 +87,26 @@ type ServerConfig struct {
 	NoCompressLimit int  `json:"no_compress_limit"` // int
 	DisplayError       bool `json:"display_error"`
 	ExcludeExportIp    bool `json:"exclude_export_ip"`
 	AuthAloneOtp       bool `json:"auth_alone_otp"`
 	EncryptionPassword bool `json:"encryption_password"`
 	AntiBruteForce bool   `json:"anti_brute_force"`
 	IPWhitelist    string `json:"ip_whitelist"`
 	MaxBanCount  int `json:"max_ban_score"`
 	BanResetTime int `json:"ban_reset_time"`
 	LockTime     int `json:"lock_time"`
 	MaxGlobalUserBanCount  int `json:"max_global_user_ban_count"`
 	GlobalUserBanResetTime int `json:"global_user_ban_reset_time"`
 	GlobalUserLockTime     int `json:"global_user_lock_time"`
 	MaxGlobalIPBanCount  int `json:"max_global_ip_ban_count"`
 	GlobalIPBanResetTime int `json:"global_ip_ban_reset_time"`
 	GlobalIPLockTime     int `json:"global_ip_lock_time"`
 	GlobalLockStateExpirationTime int `json:"global_lock_state_expiration_time"`
 }
 func initServerCfg() {
@@ -101,6 +129,15 @@ func initServerCfg() {
 	if Cfg.JwtSecret == defaultJwt {
 		fmt.Fprintln(os.Stderr, "=== 使用默认的jwt_secret有安全风险，请设置新的jwt_secret ===")
 		// 安全问题，自动生成新的密钥
 		jwtSecret, _ := utils.RandSecret(40, 60)
 		jwtSecret = strings.Trim(jwtSecret, "=")
 		Cfg.JwtSecret = jwtSecret
 	}
 	if Cfg.AdvertiseDTLSAddr == "" {
 		Cfg.AdvertiseDTLSAddr = Cfg.ServerDTLSAddr
 	}
 	fmt.Printf("ServerCfg: %+v \n", Cfg)
@@ -152,6 +189,7 @@ type SCfg struct {
 	Env  string      `json:"env"`
 	Info string      `json:"info"`
 	Data interface{} `json:"data"`
 	Val  interface{} `json:"default"`
 }
 func ServerCfg2Slice() []SCfg {
@@ -166,18 +204,27 @@ func ServerCfg2Slice() []SCfg {
 		field := typ.Field(i)
 		value := s.Field(i)
 		tag := field.Tag.Get("json")
-		usage, env := getUsageEnv(tag)
+		usage, env, val := getUsageEnv(tag)
-		datas = append(datas, SCfg{Name: tag, Env: env, Info: usage, Data: value.Interface()})
+		datas = append(datas, SCfg{Name: tag, Env: env, Info: usage, Data: value.Interface(), Val: val})
 	}
 	return datas
 }
-func getUsageEnv(name string) (usage, env string) {
+func getUsageEnv(name string) (usage, env string, val interface{}) {
 	for _, v := range configs {
 		if v.Name == name {
 			usage = v.Usage
 			if v.Typ == cfgStr {
 				val = v.ValStr
 			}
 			if v.Typ == cfgInt {
 				val = v.ValInt
 			}
 			if v.Typ == cfgBool {
 				val = v.ValBool
 			}
 		}
 	}
--- a/server/base/cmd.go
+++ b/server/base/cmd.go
@@ -1,23 +1,25 @@
 package base
 import (
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"reflect"
 	"runtime"
 	"strings"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/skip2/go-qrcode"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/xlzd/gotp"
 )
 var (
 	// 提交id
 	CommitId string
 	// pass明文
 	passwd string
 	// 生成otp
 	otp bool
 	// 生成密钥
 	secret bool
 	// 显示版本信息
@@ -56,8 +58,28 @@ func execute() {
 	}
 	if !runSrv {
 		if debug {
 			scfgData := ServerCfg2Slice()
 			fmtStr := "%-18v %-23v %-20v %v\n"
 			fmt.Printf(fmtStr, "Name", "Env", "Value", "Info")
 			for _, v := range scfgData {
 				if v.Name == "admin_pass" || v.Name == "jwt_secret" {
 					v.Val = "******"
 				}
 				fmt.Printf(fmtStr, v.Name, v.Env, v.Val, v.Info)
 			}
 		}
 		os.Exit(0)
 	}
 	// 移动配置解析代码
 	conf := linkViper.GetString("conf")
 	linkViper.SetConfigFile(conf)
 	err = linkViper.ReadInConfig()
 	if err != nil {
 		// 没有配置文件，直接报错
 		panic("config file err:" + err.Error())
 	}
 }
 func initCmd() {
@@ -80,7 +102,6 @@ func initCmd() {
 	linkViper.SetEnvPrefix("link")
 	// 基础配置
 	for _, v := range configs {
 		if v.Typ == cfgStr {
 			rootCmd.Flags().StringP(v.Name, v.Short, v.ValStr, v.Usage)
@@ -102,19 +123,6 @@ func initCmd() {
 	cobra.OnInitialize(func() {
 		linkViper.AutomaticEnv()
 		conf := linkViper.GetString("conf")
 		_, err := os.Stat(conf)
 		if errors.Is(err, os.ErrNotExist) {
 			// 没有配置文件，不做处理
 			panic(err)
 		}
 		linkViper.SetConfigFile(conf)
 		err = linkViper.ReadInConfig()
 		if err != nil {
 			fmt.Println("Using config file:", err)
 		}
 	})
 }
@@ -128,9 +136,12 @@ func initToolCmd() *cobra.Command {
 	toolCmd.Flags().BoolVarP(&rev, "version", "v", false, "display version info")
 	toolCmd.Flags().BoolVarP(&secret, "secret", "s", false, "generate a random jwt secret")
 	toolCmd.Flags().StringVarP(&passwd, "passwd", "p", "", "convert the password plaintext")
 	toolCmd.Flags().BoolVarP(&otp, "otp", "o", false, "generate a random otp secret")
 	toolCmd.Flags().BoolVarP(&debug, "debug", "d", false, "list the config viper.Debug() info")
 	toolCmd.Run = func(cmd *cobra.Command, args []string) {
 		runSrv = false
 		switch {
 		case rev:
 			printVersion()
@@ -138,11 +149,18 @@ func initToolCmd() *cobra.Command {
 			s, _ := utils.RandSecret(40, 60)
 			s = strings.Trim(s, "=")
 			fmt.Printf("Secret:%s\n", s)
 		case otp:
 			s := gotp.RandomSecret(32)
 			fmt.Printf("Otp:%s\n\n", s)
 			qrstr := fmt.Sprintf("otpauth://totp/%s:%s?issuer=%s&secret=%s", "anylink_admin", "admin@anylink", "anylink_admin", s)
 			qr, _ := qrcode.New(qrstr, qrcode.High)
 			ss := qr.ToSmallString(false)
 			io.WriteString(os.Stderr, ss)
 		case passwd != "":
 			pass, _ := utils.PasswordHash(passwd)
 			fmt.Printf("Passwd:%s\n", pass)
 		case debug:
-			linkViper.Debug()
+			// linkViper.Debug()
 		default:
 			fmt.Println("Using [anylink tool -h] for help")
 		}
@@ -152,6 +170,6 @@ func initToolCmd() *cobra.Command {
 }
 func printVersion() {
-	fmt.Printf("%s v%s build on %s [%s, %s] commit_id(%s) \n",
+	fmt.Printf("%s v%s build on %s [%s, %s] date:%s commit_id(%s)\n",
-		APP_NAME, APP_VER, runtime.Version(), runtime.GOOS, runtime.GOARCH, CommitId)
+		APP_NAME, APP_VER, runtime.Version(), runtime.GOOS, runtime.GOARCH, BuildDate, CommitId)
 }
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -22,9 +22,11 @@ type config struct {
 var configs = []config{
 	{Typ: cfgStr, Name: "conf", Usage: "config file", ValStr: "./conf/server.toml", Short: "c"},
 	{Typ: cfgStr, Name: "profile", Usage: "profile.xml file", ValStr: "./conf/profile.xml"},
-	{Typ: cfgStr, Name: "server_addr", Usage: "服务监听地址", ValStr: ":443"},
+	{Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同服务端的配置)", ValStr: "anylink"},
 	{Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"},
 	{Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false},
-	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址", ValStr: ":443"},
+	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"},
 	{Typ: cfgStr, Name: "advertise_dtls_addr", Usage: "DTLS对外映射端口(为空则与server_dtls_addr相同)", ValStr: ""},
 	{Typ: cfgStr, Name: "admin_addr", Usage: "后台服务监听地址", ValStr: ":8800"},
 	{Typ: cfgBool, Name: "proxy_protocol", Usage: "TCP代理协议", ValBool: false},
 	{Typ: cfgStr, Name: "db_type", Usage: "数据库类型 [sqlite3 mysql postgres]", ValStr: "sqlite3"},
@@ -34,10 +36,12 @@ var configs = []config{
 	{Typ: cfgStr, Name: "files_path", Usage: "外部下载文件路径", ValStr: "./conf/files"},
 	{Typ: cfgStr, Name: "log_path", Usage: "日志文件路径,默认标准输出", ValStr: ""},
 	{Typ: cfgStr, Name: "log_level", Usage: "日志等级 [debug info warn error]", ValStr: "debug"},
-	{Typ: cfgBool, Name: "pprof", Usage: "开启pprof", ValBool: false},
+	{Typ: cfgBool, Name: "http_server_log", Usage: "开启go标准库http.Server的日志", ValBool: false},
 	{Typ: cfgBool, Name: "pprof", Usage: "开启pprof", ValBool: true},
 	{Typ: cfgStr, Name: "issuer", Usage: "系统名称", ValStr: "XX公司VPN"},
 	{Typ: cfgStr, Name: "admin_user", Usage: "管理用户名", ValStr: "admin"},
 	{Typ: cfgStr, Name: "admin_pass", Usage: "管理用户密码", ValStr: defaultPwd},
 	{Typ: cfgStr, Name: "admin_otp", Usage: "管理用户otp,生成命令 ./anylink tool -o", ValStr: ""},
 	{Typ: cfgStr, Name: "jwt_secret", Usage: "JWT密钥", ValStr: defaultJwt},
 	{Typ: cfgStr, Name: "link_mode", Usage: "虚拟网络类型[tun tap macvtap ipvtap]", ValStr: "tun"},
 	{Typ: cfgStr, Name: "ipv4_master", Usage: "ipv4主网卡名称", ValStr: "eth0"},
@@ -46,19 +50,20 @@ var configs = []config{
 	{Typ: cfgStr, Name: "ipv4_start", Usage: "IPV4开始地址", ValStr: "192.168.90.100"},
 	{Typ: cfgStr, Name: "ipv4_end", Usage: "IPV4结束", ValStr: "192.168.90.200"},
 	{Typ: cfgStr, Name: "default_group", Usage: "默认用户组", ValStr: "one"},
-	{Typ: cfgStr, Name: "default_domain", Usage: "要发布的默认域", ValStr: ""},
+	{Typ: cfgStr, Name: "default_domain", Usage: "客户端dns的默认搜索域", ValStr: ""},
 	{Typ: cfgInt, Name: "ip_lease", Usage: "IP租期(秒)", ValInt: 86400},
 	{Typ: cfgInt, Name: "max_client", Usage: "最大用户连接", ValInt: 200},
 	{Typ: cfgInt, Name: "max_user_client", Usage: "最大单用户连接", ValInt: 3},
-	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 4},
+	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 3},
-	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 10},
+	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 20},
-	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 7},
+	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 4},
-	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 15},
+	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60},
 	{Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460},
 	{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接，0关闭此功能", ValInt: 0},
 	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连，0永不过期", ValInt: 3600},
 	// {Typ: cfgInt, Name: "auth_timeout", Usage: "auth_timeout", ValInt: 0},
-	{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: -1},
+	{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: 600},
 	{Typ: cfgBool, Name: "show_sql", Usage: "显示sql语句，用于调试", ValBool: false},
 	{Typ: cfgBool, Name: "iptables_nat", Usage: "是否自动添加NAT", ValBool: true},
@@ -66,6 +71,26 @@ var configs = []config{
 	{Typ: cfgInt, Name: "no_compress_limit", Usage: "低于及等于多少字节不压缩", ValInt: 256},
 	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
 	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
 	{Typ: cfgBool, Name: "auth_alone_otp", Usage: "登录单独验证OTP窗口", ValBool: false},
 	{Typ: cfgBool, Name: "encryption_password", Usage: "用户密码是否加密保存", ValBool: false},
 	{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
 	{Typ: cfgStr, Name: "ip_whitelist", Usage: "全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围", ValStr: "192.168.90.1,172.16.0.0/24"},
 	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭该功能", ValInt: 5},
 	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 10},
 	{Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
 	{Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数，0为关闭该功能", ValInt: 20},
 	{Typ: cfgInt, Name: "global_user_ban_reset_time", Usage: "全局用户设置单位时间(秒)", ValInt: 600},
 	{Typ: cfgInt, Name: "global_user_lock_time", Usage: "全局用户锁定时间(秒)", ValInt: 300},
 	{Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数，0为关闭该功能", ValInt: 40},
 	{Typ: cfgInt, Name: "global_ip_ban_reset_time", Usage: "全局IP设置单位时间(秒)", ValInt: 1200},
 	{Typ: cfgInt, Name: "global_ip_lock_time", Usage: "全局IP锁定时间(秒)", ValInt: 300},
 	{Typ: cfgInt, Name: "global_lock_state_expiration_time", Usage: "全局锁定状态的保存生命周期(秒),超过则删除记录", ValInt: 3600},
 }
 var envs = map[string]string{}
--- a/server/base/log.go
+++ b/server/base/log.go
@@ -28,6 +28,10 @@ var (
 	logName    = "anylink.log"
 )
 func init() {
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
 }
 // 实现 os.Writer 接口
 type logWriter struct {
 	UseStdout bool
@@ -77,15 +81,28 @@ func initLog() {
 	baseLw.newFile()
 	baseLevel = logLevel2Int(Cfg.LogLevel)
 	baseLog = log.New(baseLw, "", log.LstdFlags|log.Lshortfile)
 	serverLog = log.New(&sLogWriter{}, "[http_server]", log.LstdFlags|log.Lshortfile)
 }
 func GetBaseLw() *logWriter {
 	return baseLw
 }
 var serverLog *log.Logger
 type sLogWriter struct{}
 func (w *sLogWriter) Write(p []byte) (n int, err error) {
 	if Cfg.HttpServerLog {
 		return os.Stderr.Write(p)
 	}
 	return 0, nil
 }
 // 获取 log.Logger
-func GetBaseLog() *log.Logger {
+func GetServerLog() *log.Logger {
-	return baseLog
+	return serverLog
 }
 func GetLogLevel() int {
@@ -103,7 +120,7 @@ func logLevel2Int(l string) int {
 	}
 	lvl := LogLevelInfo
 	for k, v := range levels {
-		if strings.EqualFold(strings.ToLower(l), strings.ToLower(v)) {
+		if strings.ToLower(l) == strings.ToLower(v) {
 			lvl = k
 		}
 	}
--- a/server/base/mod.go
+++ b/server/base/mod.go
@@ -0,0 +1,81 @@
 package base
 import (
 	"bufio"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
 	"strings"
 )
 const (
 	procModulesPath = "/proc/modules"
 	inContainerKey  = "ANYLINK_IN_CONTAINER"
 	tunPath         = "/dev/net/tun"
 )
 var (
 	InContainer = false
 	modMap      = map[string]struct{}{}
 )
 func initMod() {
 	container := os.Getenv(inContainerKey)
 	if container == "on" {
 		InContainer = true
 	}
 	log.Println("InContainer", InContainer)
 	file, err := os.Open(procModulesPath)
 	if err != nil {
 		err = fmt.Errorf("[ERROR] Problem with open file: %s", err)
 		panic(err)
 	}
 	defer file.Close()
 	scanner := bufio.NewScanner(file)
 	scanner.Split(bufio.ScanLines)
 	for scanner.Scan() {
 		splited := strings.Split(scanner.Text(), " ")
 		if len(splited[0]) > 0 {
 			modMap[splited[0]] = struct{}{}
 		}
 	}
 }
 func CheckModOrLoad(mod string) {
 	log.Println("CheckModOrLoad", mod)
 	if _, ok := modMap[mod]; ok {
 		return
 	}
 	var err error
 	if mod == "tun" || mod == "tap" {
 		_, err = os.Stat(tunPath)
 		if err == nil {
 			// 文件存在
 			return
 		}
 		// err = fmt.Errorf("[error] Linux tunFile is null %s", tunPath)
 		// log.Println(err)
 		// return
 	}
 	if InContainer {
 		err = fmt.Errorf("[error] Linux module %s is not loaded, please run `modprobe %s`", mod, mod)
 		log.Println(err)
 		return
 		// panic(err)
 	}
 	cmdstr := fmt.Sprintln("modprobe", mod)
 	cmd := exec.Command("sh", "-c", cmdstr)
 	b, err := cmd.CombinedOutput()
 	if err != nil {
 		log.Println(mod, string(b))
 		panic(err)
 	}
 }
--- a/server/base/start.go
+++ b/server/base/start.go
@@ -4,6 +4,7 @@ func Start() {
 	execute()
 	initCfg()
 	initLog()
 	initMod()
 }
 func Test() {
--- a/server/conf/files/info.txt
+++ b/server/conf/files/info.txt
@@ -1,2 +1,2 @@
 客户端软件需放置在files目录内，
-如需要帮助请加QQ群：567510628
+如需要帮助请加QQ群：567510628 、739072205
--- a/server/conf/profile.xml
+++ b/server/conf/profile.xml
@@ -8,6 +8,8 @@
        <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
        <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
        <BypassDownloader>true</BypassDownloader>
        <AutoUpdate UserControllable="false">false</AutoUpdate>
        <LocalLanAccess UserControllable="true">true</LocalLanAccess>
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
        <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
@@ -20,15 +22,19 @@
            </ExtendedKeyUsage>
        </CertificateMatch>
        <BackupServerList>
            <HostAddress>localhost</HostAddress>
        </BackupServerList>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
-            <HostName>VPN Server</HostName>
+            <HostName>VPN</HostName>
            <HostAddress>localhost</HostAddress>
        </HostEntry>
        <HostEntry>
            <HostName>VPN2</HostName>
            <HostAddress>localhost2</HostAddress>
        </HostEntry>
    </ServerList>
 </AnyConnectProfile>
--- a/server/conf/server-sample.toml
+++ b/server/conf/server-sample.toml
@@ -7,15 +7,24 @@
 db_type = "sqlite3"
 db_source = "./conf/anylink.db"
 #证书文件 使用跟nginx一样的证书即可
-cert_file = "./conf/vpn_cert.crt"
+cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
 profile = "./conf/profile.xml"
-#日志目录,为空写入标准输出
+#profile name(用于区分不同服务端的配置)
 #客户端存放位置
 #Windows 10
 #%ProgramData%Cisco\Cisco AnyConnect Secure Mobility Client\Profile
 #Mac Os X
 #/opt/cisco/anyconnect/profile
 #Linux
 #/opt/cisco/anyconnect/profile
 profile_name = "anylink"
 #日志目录,默认为空写入标准输出
 #log_path = "./log"
 log_path = ""
 log_level = "debug"
-pprof = false
+pprof = true
 #系统名称
 issuer = "XX公司VPN"
@@ -23,22 +32,33 @@ issuer = "XX公司VPN"
 admin_user = "admin"
 #pass 123456
 admin_pass = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
 # 留空表示不开启 otp, 开启otp后密码为  pass + 6位otp
 # 生成 ./anylink tool -o
 admin_otp = ""
 jwt_secret = "abcdef.0123456789.abcdef"
-#服务监听地址
+#TCP服务监听地址(任意端口)
 server_addr = ":443"
-#开启 DTLS, 默认关闭
+#开启 DTLS
 server_dtls = false
 #UDP监听地址(任意端口)
 server_dtls_addr = ":443"
 #DTLS对外映射端口(为空则与server_dtls_addr相同)
 advertise_dtls_addr = ""
 #后台服务监听地址
 admin_addr = ":8800"
 #开启tcp proxy protocol协议
 proxy_protocol = false
 #开启go标准库http.Server的日志
 http_server_log=false
 #虚拟网络类型[tun macvtap tap]
 link_mode = "tun"
 #客户端分配的ip地址池
 #docker环境一般默认 eth0，其他情况根据实际网卡信息填写
 ipv4_master = "eth0"
 ipv4_cidr = "192.168.90.0/24"
 ipv4_gateway = "192.168.90.1"
@@ -46,7 +66,7 @@ ipv4_start = "192.168.90.100"
 ipv4_end = "192.168.90.200"
 #最大客户端数量
-max_client = 100
+max_client = 200
 #单个用户同时在线数量
 max_user_client = 3
 #IP租期(秒)
@@ -56,22 +76,30 @@ ip_lease = 86400
 default_group = "one"
 #客户端失效检测时间(秒) dpd > keepalive
-cstp_keepalive = 6
+cstp_keepalive = 3
-cstp_dpd = 10
+cstp_dpd = 20
-mobile_keepalive = 15
+mobile_keepalive = 4
-mobile_dpd = 20
+mobile_dpd = 60
 # 根据实际情况修改
 #cstp_keepalive = 20
 #cstp_dpd = 30
 #mobile_keepalive = 40
 #mobile_dpd = 60
 #设置最大传输单元
 mtu = 1460
-# 要发布的默认域
+# 客户端dns的默认搜索域
 default_domain = "example.com"
 #default_domain = "example.com abc.example.com"
 #空闲链接超时时间(秒)-超时后断开链接，0关闭此功能
 idle_timeout = 0
 #session过期时间，用于断线重连，0永不过期
 session_timeout = 3600
-auth_timeout = 0
+#auth_timeout = 0
-audit_interval = -1
+audit_interval = 600
 show_sql = false
@@ -86,4 +114,41 @@ no_compress_limit = 256
 #客户端显示详细错误信息(线上环境慎开启)
 display_error = false
 #排除出口ip路由(出口ip不加密传输)
 exclude_export_ip = true
 #登录单独验证OTP窗口
 auth_alone_otp = false
 #加密保存用户密码
 encryption_password = false
 #防爆破全局开关
 anti_brute_force = true
 #全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围
 ip_whitelist = "192.168.90.1,172.16.0.0/24"
 #锁定时间最好不要超过单位时间
 #单位时间内最大尝试次数，0为关闭该功能
 max_ban_score = 5
 #设置单位时间(秒)，超过则重置计数
 ban_reset_time = 600
 #超过最大尝试次数后的锁定时长(秒)
 lock_time = 300
 #全局用户单位时间内最大尝试次数,0为关闭该功能
 max_global_user_ban_count = 20
 #全局用户设置单位时间(秒)
 global_user_ban_reset_time = 600
 #全局用户锁定时间(秒)
 global_user_lock_time = 300
 #全局IP单位时间内最大尝试次数，0为关闭该功能
 max_global_ip_ban_count = 40
 #全局IP设置单位时间(秒)
 global_ip_ban_reset_time = 1200
 #全局IP锁定时间(秒)
 global_ip_lock_time = 300
 #全局锁定状态的保存生命周期(秒),超过则删除记录
 global_lock_state_expiration_time = 3600
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -7,9 +7,12 @@
 db_type = "sqlite3"
 db_source = "./conf/anylink.db"
 #证书文件
-cert_file = "./conf/vpn_cert.crt"
+cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
 #日志目录,默认为空写入标准输出
 #log_path = "./log"
 log_level = "debug"
 #系统名称
@@ -18,15 +21,29 @@ issuer = "XX公司VPN"
 admin_user = "admin"
 #pass 123456
 admin_pass = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
 # 留空表示不开启 otp, 开启otp后密码为  pass + 6位otp
 # 生成 ./anylink tool -o
 admin_otp = ""
 jwt_secret = "abcdef.0123456789.abcdef"
-#服务监听地址
+#TCP服务监听地址(任意端口)
 server_addr = ":443"
 #开启 DTLS
 server_dtls = false
 #UDP监听地址(任意端口)
 server_dtls_addr = ":443"
 #后台服务监听地址
 admin_addr = ":8800"
 #最大客户端数量
 max_client = 200
 #单个用户同时在线数量
 max_user_client = 3
 #虚拟网络类型[tun macvtap]
 link_mode = "tun"
 #客户端分配的ip地址池
 #docker环境一般默认 eth0，其他情况根据实际网卡信息填写
 ipv4_master = "eth0"
 ipv4_cidr = "192.168.90.0/24"
 ipv4_gateway = "192.168.90.1"
@@ -36,8 +53,5 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
 #客户端显示详细错误信息(线上环境慎开启)
-display_error = false
+display_error = true
--- a/server/conf/vpn_cert.crt
+++ b/server/conf/vpn_cert.crt
@@ -1,61 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIF9jCCBN6gAwIBAgIQAuUy6Rv6Bo3nDXn5FackbDANBgkqhkiG9w0BAQsFADBu
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
 RFYgVExTIENBIC0gRzEwHhcNMjMwMTAzMDAwMDAwWhcNMjQwMTAzMjM1OTU5WjAc
 MRowGAYDVQQDExF2cG4udGVzdC52cWlsdS5jbjCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBANJAJPYBvOP/7v8SgMIkVLIulN/ziPALvFcEwVnQDImUIky8
 4udy0fmvJ2E3E3NL6Qv14ZHDGtH7CafukimNWTT2BVmQBYiO1ZlUkHcHUX4IoYEh
 egdy2xw0WwknJWTOyvkRkeDhtT9QUpA/zeemS4q1TG95zRDf5htUR4OMZXsZpkQ2
 bkSgnLtdyUmw2nhfSWgsD9fbwr6WnOx/swsUe52N3sIDZ6JTgn3N7xeT3/lVJKVN
 wyYkZldialmRzrs6btr3mmnqpWObcc4FvKr/CLmoOSXl0I1wWsr+HnQ4X9hHsJUk
 jk3EZKfhH3mM37HF8apqztb6WjC3R96Zam6Z8bMCAwEAAaOCAuAwggLcMB8GA1Ud
 IwQYMBaAFFV0T7JyT/VgulDR1+ZRXJoBhxrXMB0GA1UdDgQWBBSUpPcW3emC2l0o
 q6qRBOBDMjQ2rDAcBgNVHREEFTATghF2cG4udGVzdC52cWlsdS5jbjAOBgNVHQ8B
 Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD4GA1UdIAQ3
 MDUwMwYGZ4EMAQIBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQu
 Y29tL0NQUzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
 cC5kaWdpY2VydC5jb20wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jYWNlcnRzLmRpZ2lj
 ZXJ0LmNvbS9FbmNyeXB0aW9uRXZlcnl3aGVyZURWVExTQ0EtRzEuY3J0MAkGA1Ud
 EwQCMAAwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2AO7N0GTV2xrOxVy3nbTN
 E6Iyh0Z8vOzew1FIWUZxH7WbAAABhXXkyXMAAAQDAEcwRQIgVhLvLOPcW0V1xhBv
 5KSeqGHbAnRVhew3kutV3Bu1x+ICIQCbYjRtmkDo1hx6p0YNdNfkZ3N5u+syVjwH
 Al3a9NpVxgB1AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABhXXk
 yY4AAAQDAEYwRAIgcuscG2kkSGNvAsVH9CAtXjNUwk9UJriY0+3OtQ4WVrMCIAsC
 CkqEI1Ek5M26yrWt0Q7+u+UZ8rXhfYu3kcMMq7PVAHYAO1N3dT4tuYBOizBbBv5A
 O2fYT8P0x70ADS1yb+H61BcAAAGFdeTJkAAABAMARzBFAiAEJbJTN8hrRUZ6UaaD
 2TlyDQfzUvTkex0XGT6PGKHkagIhAJ+Kg6tdt/csKde2vdweu+dT01fzg/fq4q3o
 mjfPhFm1MA0GCSqGSIb3DQEBCwUAA4IBAQAKFTUHbpgKsXARCBIIfEZGqkOvaafm
 QaoNodc6cj0+LJCbuMzrTlkzmII0X/U52MBG8JCEIO8BPe5R4NIFqqaE066zQANq
 HOsROOJi2A+WTTZcSEHbH3uhdVwcEQHvDzaOEEJc9Ilz6pdYsrv+trOmeR5PeIxv
 t1jQacSwN1z6z0N4CRjBpePV/9nwETkEaKjQuXSoYlN+pczK/4nX2W9+E/OnwtZs
 ScyFffPtTLHf1u4eSYuBT/AdwaKHXetxWzh98GP9LRfQhm63Gs+/WcloYl489dG/
 FOFjch2TdmrPcUwxxGEbbPt3zXRxSVlzvIaf4gTUl2+PsKwbKy/w4OLS
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
 QTAeFw0xNzExMjcxMjQ2MTBaFw0yNzExMjcxMjQ2MTBaMG4xCzAJBgNVBAYTAlVT
 MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
 b20xLTArBgNVBAMTJEVuY3J5cHRpb24gRXZlcnl3aGVyZSBEViBUTFMgQ0EgLSBH
 MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPeP6wkab41dyQh6mKc
 oHqt3jRIxW5MDvf9QyiOR7VfFwK656es0UFiIb74N9pRntzF1UgYzDGu3ppZVMdo
 lbxhm6dWS9OK/lFehKNT0OYI9aqk6F+U7cA6jxSC+iDBPXwdF4rs3KRyp3aQn6pj
 pp1yr7IB6Y4zv72Ee/PlZ/6rK6InC6WpK0nPVOYR7n9iDuPe1E4IxUMBH/T33+3h
 yuH3dvfgiWUOUkjdpMbyxX+XNle5uEIiyBsi4IvbcTCh8ruifCIi5mDXkZrnMT8n
 wfYCV6v6kDdXkbgGRLKsR4pucbJtbKqIkUGxuZI2t7pfewKRc5nWecvDBZf3+p1M
 pA8CAwEAAaOCAU8wggFLMB0GA1UdDgQWBBRVdE+yck/1YLpQ0dfmUVyaAYca1zAf
 BgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYw
 HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8C
 AQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
 Y2VydC5jb20wQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQu
 Y29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
 /WwBAjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
 MAgGBmeBDAECATANBgkqhkiG9w0BAQsFAAOCAQEAK3Gp6/aGq7aBZsxf/oQ+TD/B
 SwW3AU4ETK+GQf2kFzYZkby5SFrHdPomunx2HBzViUchGoofGgg7gHW0W3MlQAXW
 M0r5LUvStcr82QDWYNPaUy4taCQmyaJ+VB+6wxHstSigOlSNF2a6vg4rgexixeiV
 4YSB03Yqp2t3TeZHM9ESfkus74nQyW7pRGezj+TC44xCagCQQOzzNmzEAP2SnCrJ
 sNE2DpRVMnL8J6xBRdjmOsC3N6cQuKuRXbzByVBjCqAA8t1L0I+9wXJerLPyErjy
 rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
 -----END CERTIFICATE-----
--- a/server/conf/vpn_cert.key
+++ b/server/conf/vpn_cert.key
@@ -1,27 +1,28 @@
-----BEGIN RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
-MIIEpQIBAAKCAQEA0kAk9gG84//u/xKAwiRUsi6U3/OI8Au8VwTBWdAMiZQiTLzi
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDRVjwa+YPKcvKD
-53LR+a8nYTcTc0vpC/XhkcMa0fsJp+6SKY1ZNPYFWZAFiI7VmVSQdwdRfgihgSF6
+2YZJUMPcwXCL32hF9gFTyMFuojpvo/L9C710xkJBNW2ceEcAdYyohBhtylbCFKUy
-B3LbHDRbCSclZM7K+RGR4OG1P1BSkD/N56ZLirVMb3nNEN/mG1RHg4xlexmmRDZu
+QpDRJsAmRiWL5zSjfeds4bVEInmXvF+Ga9FuN/o/R27/kyrejBVd7u9AKzg9k5vI
-RKCcu13JSbDaeF9JaCwP19vCvpac7H+zCxR7nY3ewgNnolOCfc3vF5Pf+VUkpU3D
+/4FhXFMivZgwghaSiJkVHJG6ehmCVGR11A5LUIjrub+iYJfaS2dl4WVxn9kyYRuO
-JiRmV2JqWZHOuzpu2veaaeqlY5txzgW8qv8Iuag5JeXQjXBayv4edDhf2EewlSSO
+NU0nDMInWE6F+dVa57HEUEOolDEmr9R+N5XIXYfXwE4W4Xj/5CL+mBLME+OaADK8
-TcRkp+EfeYzfscXxqmrO1vpaMLdH3plqbpnxswIDAQABAoIBAGKKzugAi4Q/Vch2
+RE9dPomgk3Vqc/s8thllyztqR/TfQIwCwmQNf+UB5DIWr5iYDsX4rU3hswJQUCTQ
-ZyPXPF0hCQToE3QSxAzy/R53rRCkfekClMTO44xHpEjjs/mTiCBjd3xGeiEVrIJp
+CLNEcdStAgMBAAECgf97UHp7u8+x4lz6BQB8/c0xHWdAw1clIveZbEVl0hNoVUN/
-hlb0WW3Bq2M9ZeKJs6JAaM9o/jB4oh2wT44DLqALB+oDz3puk+Jl8j34++a3YmMa
+EKku+q/1Sf+CuhnbgLjT1bkVnnotmVcGeWH2DeCnkMJqHVMOBRb/dso2fw+pCTzY
-jIq4veo+rBsJduwkTKjdeQE2ge/ODZEQ6bUmSjYo1P9LNGEyO2wmcVk+jHx0zBi7
+VofQpmbPy1xCXb6chqrpT3MTaJdI7IrBCNEQ54cOxsojwzp0MfejS/NI41q8iuCS
-8fR3oY03Io+byuN0494Di1m3IpIdj3ma0MV5zJf31urLXqqYtOApouWL/yhZOIuo
+hVry+VEbmtA22vjwMvsF6NsRKlfc1DUyC/ZoHB91gzKmvLdXBREwBXtdiJfMlu9G
-YW+mcuS7ZgK5FsqrUm0vGBcf24GcKhhlBlUu0mfLrCRrWLDsqJDQ/8alvuNP0IVm
+EKH3ORxbcanmdsXWIG84t5M9Sf9L5FZe6tlL4FdoKv25Vxv2z+PVM8Y/0B3IBTCb
-gqz0H5UCgYEA8yaKzMfkeRXSTERt6NZHo/8ShIn26Yf+pMDpVdYKfVBL254vGTeq
+yqMK8579PTlHl40WRjSgzpijGvMxuIpgm5KaXQECgYEA7U6lBhRWmPsJRaK0jyAv
-B+LQhDpxZV1iMr1FNvkhHtNGQ74ZbWOj4+5Xjsllaw1ao2iGp1w/chuJ6FG/Go4q
+qnaC5AbnM8OjIbsDtnQxn0BWvx7aZznxOE4jL0QejUD/gov6yYkNhIu797LzO8Mq
-9FaY3eGiCqRJOQNivBxU/D7sN0y4b48HAEQdmp516pItlGtG+C8TY38CgYEA3VyD
+fEqEX7Bp23PfLvybqkyhJWFz26v0erU5q8Rlt648bK7Ul1j8FkmsEN3qu+64c8Fu
-6EczHdAmPO7bdbYn/irfe78so1lHT04P0FiVg2W77ZKuQINTNDK9w/alYyZ2tH1b
+pzN081bqOGjEcaCjsHswvkMCgYEA4dOPvYYu8wBfrH3Gn94XHWWVvFMnWErXEOzK
-N2JznulJ6UDcl4xw43xJixxhme2jWPaYzmQUuQHviZ0D0tCgmOkN8bUnc9LSvEGA
+eL0dFg3Ae+y8Sg5x9YTz3XjwyzwcTbrD0zg4huWwmD64BgPcliG7XKA093ea2JIs
-SnaiKbOtUfP8Z3c/mF997wuFNfdmhww8LBpbO80CgYEAmdRKf9/+5bQuhd3NAz99
+Mah5/KTQmltcIut7qUvzwwbQVfN3xTwWzd7eDtEIAeFZ8r/HzJM6X21b/LaQIXUY
-t31KQ9vdAEXvjmAVvx5ZKIrCU0EyXuvegHq4nM80qoJ3+83Omkbm80+K5pTAFXqy
+Gb7dik8CgYAaaUxYlt7ke9wWUfuCinSDplj/A/2rdzSqxmOtZNU5AjIlZ0urfXlp
-VyOU9Vro9N9P9o3MktlDsndFulrtYmmLN2YJ9GYpVD43rQA9WPE7uxI784hwLvP3
+aNjlo9E6q2dEokuxLn3AqMSs1s/XcOtDlg+RjtLZR9YpJpg0pf6xaF06r7KwDYdz
-4+00JXwW8b5lY76y+ZUe2RUCgYEAt6BQN/YgPCH4JmHKIWp64If2HbQntlWQJwRN
+pJIllVDIT9T9WzwDRwPNhMVhUTpaN8cW+NUlWCENUiu68cQGGk/cfQKBgEmvRk+I
-b/qcBIT3EQu1iwSll85jxtSqu4YjwHOgoGAGI5PIYTsSApFY8AyhAUoI2OTdtSXS
+4PjZPl6CC7VOOiyVYO46E7RzdwlGuin7SupPQmctL6LaY8TAxPGW7LrjujiCoDLj
-+prg6dvmNhTPICk6n73seE5bLOR9NfdsEdk5ijhnlW09OyMb2S2VzR+UYIEbRvnq
+PU6G08BZdqI/0FIMX54xiBbXJ+dSiqkJWARfotE6zi12uLrc1YTlTEU/U+0/VhGG
-THeMqR0CgYEAwQ9aAIGD4t4DXjHHtz6Wqpbq6jj6mmYBsL9jqRgu8ASj1/THgWWn
+jt42xm4WocrbWM4fnARXIpSq3QyNsHd2F8NxAoGBAMEcT0mFQ0J7HCQ+zL36ogGv
-iUrlCbFIXWu2vnP1h0SBV56GA7MSTqAt0ZdTzpI1PRkMOIO9z1dN4Q2R1SEya1eF
+Bc/N6WR0xSEBQVG9D4iysxX4XyJukCuUCvMIbsBj5IVAVBlMNxfDtL/kD6tgy0L7
-7/LPLqJIoLbILGvy6U3DLYdMckPZaoTPf5BNKD52paZcNbjkXTlVLSY=
+tdN7nOaYgnqTyZfQItz92cQ6oiIqW7GPJA5ATJe1fxXINjcP6EkRDAfACBW7/l85
-----END RSA PRIVATE KEY-----
+Cd/yRpaOSMPbqKO1OOSn
 -----END PRIVATE KEY-----
--- a/server/conf/vpn_cert.pem
+++ b/server/conf/vpn_cert.pem
@@ -0,0 +1,67 @@
 -----BEGIN CERTIFICATE-----
 MIIGbTCCBNWgAwIBAgIQIodwqN03+Y3aYpdvfq2qKTANBgkqhkiG9w0BAQwFADBZ
 MQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywg
 SW5jLjEjMCEGA1UEAxMaVHJ1c3RBc2lhIFJTQSBEViBUTFMgQ0EgRzIwHhcNMjQw
 MTIyMDAwMDAwWhcNMjUwMTIxMjM1OTU5WjAcMRowGAYDVQQDExF2cG4udGVzdC52
 cWlsdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFWPBr5g8py
 8oPZhklQw9zBcIvfaEX2AVPIwW6iOm+j8v0LvXTGQkE1bZx4RwB1jKiEGG3KVsIU
 pTJCkNEmwCZGJYvnNKN952zhtUQieZe8X4Zr0W43+j9Hbv+TKt6MFV3u70ArOD2T
 m8j/gWFcUyK9mDCCFpKImRUckbp6GYJUZHXUDktQiOu5v6Jgl9pLZ2XhZXGf2TJh
 G441TScMwidYToX51VrnscRQQ6iUMSav1H43lchdh9fAThbheP/kIv6YEswT45oA
 MrxET10+iaCTdWpz+zy2GWXLO2pH9N9AjALCZA1/5QHkMhavmJgOxfitTeGzAlBQ
 JNAIs0Rx1K0CAwEAAaOCAuwwggLoMB8GA1UdIwQYMBaAFF86fBEQfgxncWHci6O1
 AANn9VccMB0GA1UdDgQWBBRDRfNBNYRlLb4V1MRTnU+bUVnvnDAOBgNVHQ8BAf8E
 BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
 AwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICMTAlMCMGCCsGAQUFBwIBFhdodHRw
 czovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwfQYIKwYBBQUHAQEEcTBvMEIG
 CCsGAQUFBzAChjZodHRwOi8vY3J0LnRydXN0LXByb3ZpZGVyLmNuL1RydXN0QXNp
 YVJTQURWVExTQ0FHMi5jcnQwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnRydXN0
 LXByb3ZpZGVyLmNuMBwGA1UdEQQVMBOCEXZwbi50ZXN0LnZxaWx1LmNuMIIBfwYK
 KwYBBAHWeQIEAgSCAW8EggFrAWkAdgDPEVbu1S58r/OHW9lpLpvpGnFnSrAX7KwB
 0lt3zsw7CAAAAY0v95Z6AAAEAwBHMEUCIDbFVgzV1DDvqTq6UnYisMqAEJn1cR+d
 mc+agwaOuRbrAiEAz3W2HooNcKqADX9QyK8xQQ8r9BQKVCQzF76g9AZKeDoAdwCi
 4wrkRe+9rZt+OO1HZ3dT14JbhJTXK14bLMS5UKRH5wAAAY0v95ZkAAAEAwBIMEYC
 IQCWVxDjciJ/KMbwbqMbEZdsDq0nCrotlPhIBb5wFBurVgIhAOgnw3nqSqFYRm8y
 OL3nz8rop0V5IEtgiNarOqMfLf33AHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnA
 sfpksWKaOd8AAAGNL/eWFwAABAMARzBFAiBB+V0NBebuCniZVuin5OaMYvWyNvRd
 NJ6hRmLbSKQAwwIhAKrPRrAP3An/9HSrFN/70eEK5DHT8+q8m0L5tc0+TckmMA0G
 CSqGSIb3DQEBDAUAA4IBgQCB65Q0V6Mewca0iVCxLJxczu6XYCCwsUzJiTWYjao3
 XZVe8yB4RhAimsUY+U3nXIL3RivkJydqfOO9N5APWndDgbtS4r55TFdscDUDmzsR
 S5kYCoEudbDWT89U+tHMOxzUKkb3nDA0WvJEN52CAanYO3blihnX3eX7enQMGtsM
 gfDrArcQyS+WMKUkyOlNysqGtj3XWYKssBPrX/0GqMimoeYkg+B4daBTbOVB6sKs
 +USnmhI2MF3QUxn0+fC207HbSDj7s4a6npjg5KsL0zUsFrNZlMH30Tx2L0WuI1T7
 65lKHaKt8CyuL/YTjD5lAGYtJ+K9ypl5sBUFCXeW1lazTocjDa2CKv3WV+kVBhyO
 2nA2Lo4e643YXwXw98+ufU2U9yUjn1OrhsUXo3qaxETGVMumRwubtX4O2dUKnYGF
 xBxfHzXJKhZjX+U2ENIwsrm7pp3dcpIZqKxPCeowU5Ma9tvYpM7kgDhploMfsVic
 H7pWcFY99X5nMwJoDDBYomY=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFBzCCA++gAwIBAgIRALIM7VUuMaC/NDp1KHQ76aswDQYJKoZIhvcNAQELBQAw
 ezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
 A1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNV
 BAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczAeFw0yMjAxMTAwMDAwMDBaFw0y
 ODEyMzEyMzU5NTlaMFkxCzAJBgNVBAYTAkNOMSUwIwYDVQQKExxUcnVzdEFzaWEg
 VGVjaG5vbG9naWVzLCBJbmMuMSMwIQYDVQQDExpUcnVzdEFzaWEgUlNBIERWIFRM
 UyBDQSBHMjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKjGDe0GSaBs
 Yl/VhMaTM6GhfR1TAt4mrhN8zfAMwEfLZth+N2ie5ULbW8YvSGzhqkDhGgSBlafm
 qq05oeESrIJQyz24j7icGeGyIZ/jIChOOvjt4M8EVi3O0Se7E6RAgVYcX+QWVp5c
 Sy+l7XrrtL/pDDL9Bngnq/DVfjCzm5ZYUb1PpyvYTP7trsV+yYOCNmmwQvB4yVjf
 IIpHC1OcsPBntMUGeH1Eja4D+qJYhGOxX9kpa+2wTCW06L8T6OhkpJWYn5JYiht5
 8exjAR7b8Zi3DeG9oZO5o6Qvhl3f8uGU8lK1j9jCUN/18mI/5vZJ76i+hsgdlfZB
 Rh5lmAQjD80M9TY+oD4MYUqB5XrigPfFAUwXFGehhlwCVw7y6+5kpbq/NpvM5Ba8
 SeQYUUuMA8RXpTtGlrrTPqJryfa55hTuX/ThhX4gcCVkbyujo0CYr+Uuc14IOyNY
 1fD0/qORbllbgV41wiy/2ZUWZQUodqHWkjT1CwIMbQOY5jmrSYGBwwIDAQABo4IB
 JjCCASIwHwYDVR0jBBgwFoAUoBEKIz6W8Qfs4q8p74Klf9AwpLQwHQYDVR0OBBYE
 FF86fBEQfgxncWHci6O1AANn9VccMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E
 CDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAiBgNVHSAE
 GzAZMA0GCysGAQQBsjEBAgIxMAgGBmeBDAECATBDBgNVHR8EPDA6MDigNqA0hjJo
 dHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNy
 bDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9k
 b2NhLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAHMUom5cxIje2IiFU7mOCsBr2F6CY
 eU5cyfQ/Aep9kAXYUDuWsaT85721JxeXFYkf4D/cgNd9+hxT8ZeDOJrn+ysqR7NO
 2K9AdqTdIY2uZPKmvgHOkvH2gQD6jc05eSPOwdY/10IPvmpgUKaGOa/tyygL8Og4
 3tYyoHipMMnS4OiYKakDJny0XVuchIP7ZMKiP07Q3FIuSS4omzR77kmc75/6Q9dP
 v4wa90UCOn1j6r7WhMmX3eT3Gsdj3WMe9bYD0AFuqa6MDyjIeXq08mVGraXiw73s
 Zale8OMckn/BU3O/3aFNLHLfET2H2hT6Wb3nwxjpLIfXmSVcVd8A58XH0g==
 -----END CERTIFICATE-----
--- a/server/dbdata/cert.go
+++ b/server/dbdata/cert.go
@@ -64,8 +64,7 @@ type DNSProvider struct {
 		SecretKey string `json:"secretKey"`
 	} `json:"txcloud"`
 	CfCloud struct {
-		AuthEmail string `json:"authEmail"`
+		AuthToken string `json:"authToken"`
 		AuthKey   string `json:"authKey"`
 	} `json:"cfcloud"`
 }
 type LegoUserData struct {
@@ -89,15 +88,15 @@ type LeGoClient struct {
 func GetDNSProvider(l *SettingLetsEncrypt) (Provider challenge.Provider, err error) {
 	switch l.Name {
 	case "aliyun":
-		if Provider, err = alidns.NewDNSProviderConfig(&alidns.Config{APIKey: l.DNSProvider.AliYun.APIKey, SecretKey: l.DNSProvider.AliYun.SecretKey, TTL: 600}); err != nil {
+		if Provider, err = alidns.NewDNSProviderConfig(&alidns.Config{APIKey: l.DNSProvider.AliYun.APIKey, SecretKey: l.DNSProvider.AliYun.SecretKey, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
 			return
 		}
 	case "txcloud":
-		if Provider, err = tencentcloud.NewDNSProviderConfig(&tencentcloud.Config{SecretID: l.DNSProvider.TXCloud.SecretID, SecretKey: l.DNSProvider.TXCloud.SecretKey, TTL: 600}); err != nil {
+		if Provider, err = tencentcloud.NewDNSProviderConfig(&tencentcloud.Config{SecretID: l.DNSProvider.TXCloud.SecretID, SecretKey: l.DNSProvider.TXCloud.SecretKey, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
 			return
 		}
-	case "cloudflare":
+	case "cfcloud":
-		if Provider, err = cloudflare.NewDNSProviderConfig(&cloudflare.Config{AuthEmail: l.DNSProvider.CfCloud.AuthEmail, AuthKey: l.DNSProvider.CfCloud.AuthKey, TTL: 600}); err != nil {
+		if Provider, err = cloudflare.NewDNSProviderConfig(&cloudflare.Config{AuthToken: l.DNSProvider.CfCloud.AuthToken, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
 			return
 		}
 	}
@@ -199,7 +198,7 @@ func (c *LeGoClient) NewClient(l *SettingLetsEncrypt) error {
 	if err != nil {
 		return err
 	}
-	if err := client.Challenge.SetDNS01Provider(Provider, dns01.AddRecursiveNameservers([]string{"114.114.114.114", "114.114.115.115"})); err != nil {
+	if err := client.Challenge.SetDNS01Provider(Provider, dns01.AddRecursiveNameservers([]string{"223.6.6.6", "223.5.5.5"})); err != nil {
 		return err
 	}
 	if legouser.Registration == nil {
@@ -401,12 +400,3 @@ func buildNameToCertificate(cert *tls.Certificate) {
 		nameToCertificate[san] = cert
 	}
 }
 // func Scrypt(passwd string) string {
 // 	salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}
 // 	hashPasswd, err := scrypt.Key([]byte(passwd), salt, 1<<15, 8, 1, 32)
 // 	if err != nil {
 // 		return err.Error()
 // 	}
 // 	return base64.StdEncoding.EncodeToString(hashPasswd)
 // }
--- a/server/dbdata/db.go
+++ b/server/dbdata/db.go
@@ -1,9 +1,11 @@
 package dbdata
 import (
 	"net/http"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	_ "github.com/denisenkom/go-mssqldb"
 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/lib/pq"
 	_ "github.com/mattn/go-sqlite3"
@@ -21,13 +23,14 @@ func GetXdb() *xorm.Engine {
 func initDb() {
 	var err error
 	xdb, err = xorm.NewEngine(base.Cfg.DbType, base.Cfg.DbSource)
 	// 初始化xorm时区
 	xdb.DatabaseTZ = time.Local
 	xdb.TZLocation = time.Local
 	if err != nil {
 		base.Fatal(err)
 	}
 	// 初始化xorm时区
 	xdb.DatabaseTZ = time.Local
 	xdb.TZLocation = time.Local
 	if base.Cfg.ShowSQL {
 		xdb.ShowSQL(true)
 	}
@@ -105,19 +108,7 @@ func addInitData() error {
 		Legomail:    "legomail",
 		Name:        "aliyun",
 		Renew:       false,
-		DNSProvider: DNSProvider{
+		DNSProvider: DNSProvider{},
 			AliYun: struct {
 				APIKey    string `json:"apiKey"`
 				SecretKey string `json:"secretKey"`
 			}{APIKey: "", SecretKey: ""},
 			TXCloud: struct {
 				SecretID  string `json:"secretId"`
 				SecretKey string `json:"secretKey"`
 			}{SecretID: "", SecretKey: ""},
 			CfCloud: struct {
 				AuthEmail string `json:"authEmail"`
 				AuthKey   string `json:"authKey"`
 			}{AuthEmail: "", AuthKey: ""}},
 	}
 	err = SettingSessAdd(sess, provider)
 	if err != nil {
@@ -133,6 +124,7 @@ func addInitData() error {
 	other := &SettingOther{
 		LinkAddr:    "vpn.xx.com",
 		Banner:      "您已接入公司网络，请按照公司规定使用。\n请勿进行非工作下载及视频行为！",
 		Homecode:    http.StatusOK,
 		Homeindex:   "AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。",
 		AccountMail: accountMail,
 	}
@@ -154,10 +146,10 @@ func addInitData() error {
 	}
 	g1 := Group{
-		Name:         "ops",
+		Name:         "all",
 		AllowLan:     true,
 		ClientDns:    []ValData{{Val: "114.114.114.114"}},
-		RouteInclude: []ValData{{Val: All}},
+		RouteInclude: []ValData{{Val: ALL}},
 		Status:       1,
 	}
 	err = SetGroup(&g1)
@@ -165,6 +157,18 @@ func addInitData() error {
 		return err
 	}
 	g2 := Group{
 		Name:         "ops",
 		AllowLan:     true,
 		ClientDns:    []ValData{{Val: "114.114.114.114"}},
 		RouteInclude: []ValData{{Val: "10.0.0.0/8"}},
 		Status:       1,
 	}
 	err = SetGroup(&g2)
 	if err != nil {
 		return err
 	}
 	return nil
 }
@@ -172,6 +176,9 @@ func CheckErrNotFound(err error) bool {
 	return err == ErrNotFound
 }
 // base64 图片
 // 用户动态码(请妥善保存):<br/>
 // <img src="{{.OtpImgBase64}}"/><br/>
 const accountMail = `<p>您好:</p>
 <p>&nbsp;&nbsp;您的{{.Issuer}}账号已经审核开通。</p>
 <p>
@@ -179,19 +186,27 @@ const accountMail = `<p>您好:</p>
    用户组: <b>{{.Group}}</b> <br/>
    用户名: <b>{{.Username}}</b> <br/>
    用户PIN码: <b>{{.PinCode}}</b> <br/>
    用户过期时间: <b>{{.LimitTime}}</b> <br/>
    {{if .DisableOtp}}
    <!-- nothing -->
    {{else}}
    <!-- 
    用户动态码(3天后失效):<br/>
-    <img src="{{.OtpImg}}"/>
+    <img src="{{.OtpImg}}"/><br/>
    -->
    用户动态码(请妥善保存):<br/>
-    <img src="{{.OtpImgBase64}}"/>
+    <img src="cid:userOtpQr.png" alt="userOtpQr" /><br/>
    {{end}}
 </p>
 <div>
    使用说明:
    <ul>
        <li>请使用OTP软件扫描动态码二维码</li>
        <li>然后使用anyconnect客户端进行登陆</li>
-        <li>登陆密码为 【PIN码+动态码】</li>
+        <li>登陆密码为 PIN 码</li>
 		<li>OTP密码为扫码后生成的动态码</li>
    </ul>
 </div>
 <p>
--- a/server/dbdata/db_orm.go
+++ b/server/dbdata/db_orm.go
@@ -75,6 +75,11 @@ func Find(data interface{}, limit, page int) error {
 	return xdb.Limit(limit, start).Find(data)
 }
 func FindWhereCount(data interface{}, where string, args ...interface{}) int {
 	n, _ := xdb.Where(where, args...).Count(data)
 	return int(n)
 }
 func FindWhere(data interface{}, limit int, page int, where string, args ...interface{}) error {
 	if limit == 0 {
 		return xdb.Where(where, args...).Find(data)
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -5,10 +5,12 @@ import (
 	"fmt"
 	"net"
 	"regexp"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/songgao/water/waterutil"
 	"golang.org/x/text/language"
 	"golang.org/x/text/message"
 )
@@ -16,7 +18,10 @@ import (
 const (
 	Allow = "allow"
 	Deny  = "deny"
-	All   = "all"
+	ALL   = "all"
 	TCP   = "tcp"
 	UDP   = "udp"
 	ICMP  = "icmp"
 )
 // 域名分流最大字符2万
@@ -25,8 +30,11 @@ const DsMaxLen = 20000
 type GroupLinkAcl struct {
 	// 自上而下匹配 默认 allow * *
 	Action   string               `json:"action"`      // allow、deny
 	Protocol string               `json:"protocol"`    // 支持 ALL、TCP、UDP、ICMP 协议
 	IpProto  waterutil.IPProtocol `json:"ip_protocol"` // 判断协议使用
 	Val      string               `json:"val"`
-	Port   uint16     `json:"port"`
+	Port     string               `json:"port"` // 兼容单端口历史数据类型uint16
 	Ports    map[uint16]int8      `json:"ports"`
 	IpNet    *net.IPNet           `json:"ip_net"`
 	Note     string               `json:"note"`
 }
@@ -112,16 +120,23 @@ func SetGroup(g *Group) error {
 	routeInclude := []ValData{}
 	for _, v := range g.RouteInclude {
 		if v.Val != "" {
-			if v.Val == All {
+			if v.Val == ALL {
 				routeInclude = append(routeInclude, v)
 				continue
 			}
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteInclude 错误" + err.Error())
 			}
 			// 给Mac系统下发路由时，必须是标准的网络地址
 			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
 				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
 				return errors.New(errMsg)
 			}
 			v.IpMask = ipMask
 			routeInclude = append(routeInclude, v)
 		}
@@ -130,10 +145,16 @@ func SetGroup(g *Group) error {
 	routeExclude := []ValData{}
 	for _, v := range g.RouteExclude {
 		if v.Val != "" {
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteExclude 错误" + err.Error())
 			}
 			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
 				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
 				return errors.New(errMsg)
 			}
 			v.IpMask = ipMask
 			routeExclude = append(routeExclude, v)
 		}
@@ -148,14 +169,74 @@ func SetGroup(g *Group) error {
 				return errors.New("GroupLinkAcl 错误" + err.Error())
 			}
 			v.IpNet = ipNet
 			// 设置协议数据
 			switch v.Protocol {
 			case TCP:
 				v.IpProto = waterutil.TCP
 			case UDP:
 				v.IpProto = waterutil.UDP
 			case ICMP:
 				v.IpProto = waterutil.ICMP
 			default:
 				// 其他类型都是 all
 				v.Protocol = ALL
 			}
 			portsStr := v.Port
 			v.Port = strings.TrimSpace(portsStr)
 			// switch vp := v.Port.(type) {
 			// case float64:
 			// 	portsStr = strconv.Itoa(int(vp))
 			// case string:
 			// 	portsStr = vp
 			// }
 			if regexp.MustCompile(`^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$`).MatchString(portsStr) {
 				ports := map[uint16]int8{}
 				for _, p := range strings.Split(portsStr, ",") {
 					if p == "" {
 						continue
 					}
 					if regexp.MustCompile(`^\d{1,5}-\d{1,5}$`).MatchString(p) {
 						rp := strings.Split(p, "-")
 						// portfrom, err := strconv.Atoi(rp[0])
 						portfrom, err := strconv.ParseUint(rp[0], 10, 16)
 						if err != nil {
 							return errors.New("端口:" + rp[0] + " 格式错误, " + err.Error())
 						}
 						// portto, err := strconv.Atoi(rp[1])
 						portto, err := strconv.ParseUint(rp[1], 10, 16)
 						if err != nil {
 							return errors.New("端口:" + rp[1] + " 格式错误, " + err.Error())
 						}
 						for i := portfrom; i <= portto; i++ {
 							ports[uint16(i)] = 1
 						}
 					} else {
 						port, err := strconv.ParseUint(p, 10, 16)
 						if err != nil {
 							return errors.New("端口:" + p + " 格式错误, " + err.Error())
 						}
 						ports[uint16(port)] = 1
 					}
 				}
 				v.Ports = ports
 				linkAcl = append(linkAcl, v)
 			} else {
 				return errors.New("端口: " + portsStr + " 格式错误,请用逗号分隔的端口,比如: 22,80,443 连续端口用-,比如:1234-5678")
 			}
 		}
 	}
 	g.LinkAcl = linkAcl
 	// DNS 判断
 	clientDns := []ValData{}
 	for _, v := range g.ClientDns {
 		v.Val = strings.TrimSpace(v.Val)
 		if v.Val != "" {
 			ip := net.ParseIP(v.Val)
 			if ip.String() != v.Val {
@@ -170,6 +251,20 @@ func SetGroup(g *Group) error {
 		return errors.New("默认路由，必须设置一个DNS")
 	}
 	g.ClientDns = clientDns
 	splitDns := []ValData{}
 	for _, v := range g.SplitDns {
 		v.Val = strings.TrimSpace(v.Val)
 		if v.Val != "" {
 			ValidateDomainName(v.Val)
 			if !ValidateDomainName(v.Val) {
 				return errors.New("域名 错误")
 			}
 			splitDns = append(splitDns, v)
 		}
 	}
 	g.SplitDns = splitDns
 	// 域名拆分隧道，不能同时填写
 	g.DsIncludeDomains = strings.TrimSpace(g.DsIncludeDomains)
 	g.DsExcludeDomains = strings.TrimSpace(g.DsExcludeDomains)
@@ -225,6 +320,15 @@ func SetGroup(g *Group) error {
 	return err
 }
 func ContainsInPorts(ports map[uint16]int8, port uint16) bool {
 	_, ok := ports[port]
 	if ok {
 		return true
 	} else {
 		return false
 	}
 }
 func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
 	g := &Group{Auth: authData}
 	authType := g.Auth["type"].(string)
@@ -236,7 +340,8 @@ func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
 	if err != nil {
 		return err
 	}
-	err = auth.checkUser(name, pwd, g)
+	ext := map[string]interface{}{}
 	err = auth.checkUser(name, pwd, g, ext)
 	return err
 }
--- a/server/dbdata/policy.go
+++ b/server/dbdata/policy.go
@@ -2,6 +2,7 @@ package dbdata
 import (
 	"errors"
 	"fmt"
 	"net"
 	"strings"
 	"time"
@@ -26,16 +27,21 @@ func SetPolicy(p *Policy) error {
 	routeInclude := []ValData{}
 	for _, v := range p.RouteInclude {
 		if v.Val != "" {
-			if v.Val == All {
+			if v.Val == ALL {
 				routeInclude = append(routeInclude, v)
 				continue
 			}
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteInclude 错误" + err.Error())
 			}
 			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
 				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
 				return errors.New(errMsg)
 			}
 			v.IpMask = ipMask
 			routeInclude = append(routeInclude, v)
 		}
@@ -45,10 +51,15 @@ func SetPolicy(p *Policy) error {
 	routeExclude := []ValData{}
 	for _, v := range p.RouteExclude {
 		if v.Val != "" {
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteExclude 错误" + err.Error())
 			}
 			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
 				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
 				return errors.New(errMsg)
 			}
 			v.IpMask = ipMask
 			routeExclude = append(routeExclude, v)
 		}
--- a/server/dbdata/policy_test.go
+++ b/server/dbdata/policy_test.go
@@ -21,19 +21,19 @@ func TestGetPolicy(t *testing.T) {
 	err = SetPolicy(&p2)
 	ast.Nil(err)
-	route := []ValData{{Val: "192.168.1.1/24"}}
+	route := []ValData{{Val: "192.168.1.0/24"}}
 	p3 := Policy{Username: "a3", ClientDns: []ValData{{Val: "114.114.114.114"}}, RouteInclude: route, DsExcludeDomains: "com.cn,qq.com"}
 	err = SetPolicy(&p3)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(p3.RouteInclude[0].IpMask, "192.168.1.1/255.255.255.0")
+	ast.Equal(p3.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")
-	route2 := []ValData{{Val: "192.168.2.1/24"}}
+	route2 := []ValData{{Val: "192.168.2.0/24"}}
 	p4 := Policy{Username: "a4", ClientDns: []ValData{{Val: "114.114.114.114"}}, RouteExclude: route2, DsIncludeDomains: "com.cn,qq.com"}
 	err = SetPolicy(&p4)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(p4.RouteExclude[0].IpMask, "192.168.2.1/255.255.255.0")
+	ast.Equal(p4.RouteExclude[0].IpMask, "192.168.2.0/255.255.255.0")
 	// 判断所有数据
 	var userPolicy *Policy
--- a/server/dbdata/setting.go
+++ b/server/dbdata/setting.go
@@ -29,6 +29,7 @@ type SettingAuditLog struct {
 type SettingOther struct {
 	LinkAddr    string `json:"link_addr"`
 	Banner      string `json:"banner"`
 	Homecode    int    `json:"homecode"`
 	Homeindex   string `json:"homeindex"`
 	AccountMail string `json:"account_mail"`
 }
@@ -62,7 +63,7 @@ func SettingSet(data interface{}) error {
 func SettingGet(data interface{}) error {
 	name := StructName(data)
-	s := &Setting{Name: name}
+	s := &Setting{}
 	err := One("name", name, s)
 	if err != nil {
 		return err
--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -11,6 +11,7 @@ type Group struct {
 	Note             string                 `json:"note" xorm:"varchar(255)"`
 	AllowLan         bool                   `json:"allow_lan" xorm:"Bool"`
 	ClientDns        []ValData              `json:"client_dns" xorm:"Text"`
 	SplitDns         []ValData              `json:"split_dns" xorm:"Text"`
 	RouteInclude     []ValData              `json:"route_include" xorm:"Text"`
 	RouteExclude     []ValData              `json:"route_exclude" xorm:"Text"`
 	DsExcludeDomains string                 `json:"ds_exclude_domains" xorm:"Text"`
@@ -29,7 +30,7 @@ type User struct {
 	Nickname string `json:"nickname" xorm:"varchar(255)"`
 	Email    string `json:"email" xorm:"varchar(255)"`
 	// Password  string    `json:"password"`
-	PinCode    string     `json:"pin_code" xorm:"varchar(32)"`
+	PinCode    string     `json:"pin_code" xorm:"varchar(64)"`
 	LimitTime  *time.Time `json:"limittime,omitempty" xorm:"Datetime limittime"` // 值为null时，前端不显示
 	OtpSecret  string     `json:"otp_secret" xorm:"varchar(255)"`
 	DisableOtp bool       `json:"disable_otp" xorm:"Bool"` // 禁用otp
@@ -45,7 +46,7 @@ type UserActLog struct {
 	Username        string    `json:"username" xorm:"varchar(60)"`
 	GroupName       string    `json:"group_name" xorm:"varchar(60)"`
 	IpAddr          string    `json:"ip_addr" xorm:"varchar(32)"`
-	RemoteAddr      string    `json:"remote_addr" xorm:"varchar(32)"`
+	RemoteAddr      string    `json:"remote_addr" xorm:"varchar(42)"`
 	Os              uint8     `json:"os" xorm:"not null default 0 Int"`
 	Client          uint8     `json:"client" xorm:"not null default 0 Int"`
 	Version         string    `json:"version" xorm:"varchar(15)"`
@@ -66,12 +67,12 @@ type Setting struct {
 type AccessAudit struct {
 	Id          int       `json:"id" xorm:"pk autoincr not null"`
 	Username    string    `json:"username" xorm:"varchar(60) not null"`
-	Protocol    uint8     `json:"protocol" xorm:"not null"`
+	Protocol    uint8     `json:"protocol" xorm:"Int not null"`
 	Src         string    `json:"src" xorm:"varchar(60) not null"`
-	SrcPort     uint16    `json:"src_port" xorm:"not null"`
+	SrcPort     uint16    `json:"src_port" xorm:"Int not null"`
 	Dst         string    `json:"dst" xorm:"varchar(60) not null"`
-	DstPort     uint16    `json:"dst_port" xorm:"not null"`
+	DstPort     uint16    `json:"dst_port" xorm:"Int not null"`
-	AccessProto uint8     `json:"access_proto" xorm:"default 0"`                // 访问协议
+	AccessProto uint8     `json:"access_proto" xorm:"Int default 0"`            // 访问协议
 	Info        string    `json:"info" xorm:"varchar(255) not null default ''"` // 详情
 	CreatedAt   time.Time `json:"created_at" xorm:"DateTime"`
 }
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -6,6 +6,7 @@ import (
 	"sync"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/xlzd/gotp"
 )
@@ -67,7 +68,9 @@ func SetUser(v *User) error {
 }
 // 验证用户登录信息
-func CheckUser(name, pwd, group string) error {
+func CheckUser(name, pwd, group string, ext map[string]interface{}) error {
 	base.Trace("CheckUser", name, pwd, group, ext)
 	// 获取登入的group数据
 	groupData := &Group{}
 	err := One("Name", group, groupData)
@@ -81,7 +84,7 @@ func CheckUser(name, pwd, group string) error {
 	authType := groupData.Auth["type"].(string)
 	// 本地认证方式
 	if authType == "local" {
-		return checkLocalUser(name, pwd, group)
+		return checkLocalUser(name, pwd, group, ext)
 	}
 	// 其它认证方式, 支持自定义
 	_, ok := authRegistry[authType]
@@ -89,11 +92,11 @@ func CheckUser(name, pwd, group string) error {
 		return fmt.Errorf("%s %s", "未知的认证方式: ", authType)
 	}
 	auth := makeInstance(authType).(IUserAuth)
-	return auth.checkUser(name, pwd, groupData)
+	return auth.checkUser(name, pwd, groupData, ext)
 }
 // 验证本地用户登录信息
-func checkLocalUser(name, pwd, group string) error {
+func checkLocalUser(name, pwd, group string, ext map[string]interface{}) error {
 	// TODO 严重问题
 	// return nil
@@ -115,20 +118,31 @@ func checkLocalUser(name, pwd, group string) error {
 	if !utils.InArrStr(v.Groups, group) {
 		return fmt.Errorf("%s %s", name, "用户组错误")
 	}
-	// 判断otp信息
+
 	pinCode := pwd
 	if !base.Cfg.AuthAloneOtp {
 		// 判断otp信息
 		if !v.DisableOtp {
 			pinCode = pwd[:pl-6]
 			otp := pwd[pl-6:]
-		if !checkOtp(name, otp, v.OtpSecret) {
+			if !CheckOtp(name, otp, v.OtpSecret) {
 				return fmt.Errorf("%s %s", name, "动态码错误")
 			}
 		}
 	}
 	// 判断用户密码
 	// 兼容明文密码
 	if len(v.PinCode) != 60 {
 		if pinCode != v.PinCode {
 			return fmt.Errorf("%s %s", name, "密码错误")
 		}
 		return nil
 	}
 	// 密文密码
 	if !utils.PasswordVerify(pinCode, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}
 	return nil
 }
@@ -171,7 +185,7 @@ func init() {
 }
 // 判断令牌信息
-func checkOtp(name, otp, secret string) bool {
+func CheckOtp(name, otp, secret string) bool {
 	key := fmt.Sprintf("%s:%s", name, otp)
 	userOtpMux.Lock()
@@ -186,7 +200,29 @@ func checkOtp(name, otp, secret string) bool {
 	totp := gotp.NewDefaultTOTP(secret)
 	unix := time.Now().Unix()
-	verify := totp.Verify(otp, int(unix))
+	verify := totp.Verify(otp, unix)
 	return verify
 }
 // 插入数据库前加密密码
 func (u *User) BeforeInsert() {
 	if base.Cfg.EncryptionPassword {
 		hashedPassword, err := utils.PasswordHash(u.PinCode)
 		if err != nil {
 			base.Error(err)
 		}
 		u.PinCode = hashedPassword
 	}
 }
 // 更新数据库前加密密码
 func (u *User) BeforeUpdate() {
 	if len(u.PinCode) != 60 && base.Cfg.EncryptionPassword {
 		hashedPassword, err := utils.PasswordHash(u.PinCode)
 		if err != nil {
 			base.Error(err)
 		}
 		u.PinCode = hashedPassword
 	}
 }
--- a/server/dbdata/user_act_log.go
+++ b/server/dbdata/user_act_log.go
@@ -1,6 +1,7 @@
 package dbdata
 import (
 	"net"
 	"net/url"
 	"regexp"
 	"strings"
@@ -22,6 +23,9 @@ const (
 	UserLogoutTimeout  = 3 // 用户超时登出
 	UserLogoutAdmin    = 4 // 账号被管理员踢下线
 	UserLogoutExpire   = 5 // 账号过期被踢下线
 	UserIdleTimeout    = 6 // 用户空闲链接超时
 	UserLogoutOneAdmin = 7 // 账号被管理员一键下线
 )
 type UserActLogProcess struct {
@@ -62,6 +66,8 @@ var (
 			UserLogoutTimeout:  "Session过期被踢下线",
 			UserLogoutAdmin:    "账号被管理员踢下线",
 			UserLogoutExpire:   "账号过期被踢下线",
 			UserIdleTimeout:    "用户空闲链接超时",
 			UserLogoutOneAdmin: "账号被管理员一键下线",
 		},
 	}
 )
@@ -73,7 +79,8 @@ func (ua *UserActLogProcess) Add(u UserActLog, userAgent string) {
 	u.Os = os_idx
 	u.Client = client_idx
 	u.Version = ver
-	u.RemoteAddr = strings.Split(u.RemoteAddr, ":")[0]
+	// u.RemoteAddr = strings.Split(u.RemoteAddr, ":")[0]
 	u.RemoteAddr, _, _ = net.SplitHostPort(u.RemoteAddr)
 	// remove extra characters
 	infoSlice := strings.Split(u.Info, " ")
 	infoLen := len(infoSlice)
@@ -124,6 +131,9 @@ func (ua *UserActLogProcess) GetStatusOpsWithTag() interface{} {
 }
 func (ua *UserActLogProcess) GetInfoOpsById(id uint8) string {
 	if int(id) >= len(ua.InfoOps) {
 		return "未知的信息类型"
 	}
 	return ua.InfoOps[id]
 }
@@ -137,7 +147,7 @@ func (ua *UserActLogProcess) ParseUserAgent(userAgent string) (os_idx, client_id
 	os_idx = 0
 	if strings.Contains(userAgent, "windows") {
 		os_idx = 1
-	} else if strings.Contains(userAgent, "mac os") || strings.Contains(userAgent, "darwin_i386") {
+	} else if strings.Contains(userAgent, "mac os") || strings.Contains(userAgent, "darwin_i386") || strings.Contains(userAgent, "darwin_amd64") || strings.Contains(userAgent, "darwin_arm64") {
 		os_idx = 2
 	} else if strings.Contains(userAgent, "darwin_arm") || strings.Contains(userAgent, "apple") {
 		os_idx = 5
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -3,11 +3,12 @@ package dbdata
 import (
 	"testing"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/stretchr/testify/assert"
 	"github.com/xlzd/gotp"
 )
 func TestCheckUser(t *testing.T) {
 	base.Test()
 	ast := assert.New(t)
 	preIpData()
@@ -17,28 +18,32 @@ func TestCheckUser(t *testing.T) {
 	// 添加一个组
 	dns := []ValData{{Val: "114.114.114.114"}}
-	route := []ValData{{Val: "192.168.1.1/24"}}
+	route := []ValData{{Val: "192.168.1.0/24"}}
 	g := Group{Name: group, Status: 1, ClientDns: dns, RouteInclude: route}
 	err := SetGroup(&g)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.1/255.255.255.0")
+	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")
 	// 添加一个用户
-	u := User{Username: "aaa", Groups: []string{group}, Status: 1}
+	pincode := "a123456"
 	u := User{Username: "aaa", PinCode: pincode, Groups: []string{group}, Status: 1}
 	err = SetUser(&u)
 	ast.Nil(err)
 	// 验证 PinCode + OtpSecret
-	totp := gotp.NewDefaultTOTP(u.OtpSecret)
+	// totp := gotp.NewDefaultTOTP(u.OtpSecret)
-	secret := totp.Now()
+	// secret := totp.Now()
-	err = CheckUser("aaa", u.PinCode+secret, group)
+	// err = CheckUser("aaa", u.PinCode+secret, group)
-	ast.Nil(err)
+	// ast.Nil(err)
 	// 单独验证密码
 	u.DisableOtp = true
 	_ = SetUser(&u)
-	err = CheckUser("aaa", u.PinCode, group)
+	ext := map[string]any{
 		"mac_addr": "",
 	}
 	err = CheckUser("aaa", pincode, group, ext)
 	ast.Nil(err)
 	// 添加一个radius组
@@ -53,17 +58,17 @@ func TestCheckUser(t *testing.T) {
 	g2 := Group{Name: group2, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
 	err = SetGroup(&g2)
 	ast.Nil(err)
-	err = CheckUser("aaa", "bbbbbbb", group2)
+	err = CheckUser("aaa", "bbbbbbb", group2, ext)
 	if ast.NotNil(err) {
-		ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
+		ast.Contains(err.Error(), "aaa Radius服务器连接异常")
 	}
 	// 添加用户策略
 	dns2 := []ValData{{Val: "8.8.8.8"}}
-	route2 := []ValData{{Val: "192.168.2.1/24"}}
+	route2 := []ValData{{Val: "192.168.2.0/24"}}
 	p1 := Policy{Username: "aaa", Status: 1, ClientDns: dns2, RouteInclude: route2}
 	err = SetPolicy(&p1)
 	ast.Nil(err)
-	err = CheckUser("aaa", u.PinCode, group)
+	err = CheckUser("aaa", pincode, group, ext)
 	ast.Nil(err)
 	// 添加一个ldap组
 	group3 := "group3"
@@ -83,7 +88,7 @@ func TestCheckUser(t *testing.T) {
 	g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
 	err = SetGroup(&g3)
 	ast.Nil(err)
-	err = CheckUser("aaa", "bbbbbbb", group3)
+	err = CheckUser("aaa", "bbbbbbb", group3, ext)
 	if ast.NotNil(err) {
 		ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
 	}
--- a/server/dbdata/userauth.go
+++ b/server/dbdata/userauth.go
@@ -9,7 +9,7 @@ var authRegistry = make(map[string]reflect.Type)
 type IUserAuth interface {
 	checkData(authData map[string]interface{}) error
-	checkUser(name, pwd string, g *Group) error
+	checkUser(name, pwd string, g *Group, ext map[string]interface{}) error
 }
 func makeInstance(name string) interface{} {
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -61,7 +61,7 @@ func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 	return nil
 }
-func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+func (auth AuthLdap) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
 	pl := len(pwd)
 	if name == "" || pl < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
--- a/server/dbdata/userauth_radius.go
+++ b/server/dbdata/userauth_radius.go
@@ -5,9 +5,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
 	"reflect"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	"layeh.com/radius"
 	"layeh.com/radius/rfc2865"
 )
@@ -15,6 +17,7 @@ import (
 type AuthRadius struct {
 	Addr   string `json:"addr"`
 	Secret string `json:"secret"`
 	Nasip  string `json:"nasip"`
 }
 func init() {
@@ -38,7 +41,7 @@ func (auth AuthRadius) checkData(authData map[string]interface{}) error {
 	return nil
 }
-func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
+func (auth AuthRadius) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
 	pl := len(pwd)
 	if name == "" || pl < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
@@ -57,13 +60,38 @@ func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
 	}
 	// radius认证时，设置超时3秒
 	packet := radius.New(radius.CodeAccessRequest, []byte(auth.Secret))
-	rfc2865.UserName_SetString(packet, name)
+	err = rfc2865.UserName_SetString(packet, name)
-	rfc2865.UserPassword_SetString(packet, pwd)
+	if err != nil {
 		return fmt.Errorf("%s %s", name, "Radius set name 出现错误")
 	}
 	err = rfc2865.UserPassword_SetString(packet, pwd)
 	if err != nil {
 		return fmt.Errorf("%s %s", name, "Radius set pwd 出现错误")
 	}
 	if auth.Nasip != "" {
 		nasip := net.ParseIP(auth.Nasip)
 		err = rfc2865.NASIPAddress_Set(packet, nasip)
 		if err != nil {
 			return fmt.Errorf("%s %s", name, "Radius set nasip 出现错误")
 		}
 	}
 	macAddr := ""
 	if ext["mac_addr"] != nil {
 		macAddr = ext["mac_addr"].(string)
 		base.Trace("AuthRadius", ext, macAddr)
 	}
 	if macAddr != "" {
 		err = rfc2865.CallingStationID_AddString(packet, macAddr)
 		if err != nil {
 			return fmt.Errorf("%s %s", name, "Radius set CallingStationID 出现错误")
 		}
 	}
 	ctx, done := context.WithTimeout(context.Background(), 3*time.Second)
 	defer done()
 	response, err := radius.Exchange(ctx, packet, auth.Addr)
 	if err != nil {
-		return fmt.Errorf("%s %s", name, "Radius服务器连接异常, 请检测服务器和端口")
+		return fmt.Errorf("%s %s %s", name, "Radius服务器连接异常, 请检测服务器和端口", err)
 	}
 	if response.Code != radius.CodeAccessAccept {
 		return fmt.Errorf("%s %s", name, "Radius：用户名或密码错误")
--- a/server/go.mod
+++ b/server/go.mod
@@ -1,104 +1,118 @@
 module github.com/bjdgyc/anylink
-go 1.19
+go 1.22.0
 toolchain go1.22.12
 require (
-	github.com/arl/statsviz v0.5.1
+	github.com/arl/statsviz v0.6.0
 	github.com/deckarep/golang-set v1.8.0
-	github.com/go-acme/lego/v4 v4.10.2
+	github.com/denisenkom/go-mssqldb v0.12.3
-	github.com/go-co-op/gocron v1.17.0
+	github.com/go-acme/lego/v4 v4.19.2
 	github.com/go-co-op/gocron v1.37.0
 	github.com/go-ldap/ldap v3.0.3+incompatible
-	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-sql-driver/mysql v1.8.1
-	github.com/gocarina/gocsv v0.0.0-20220712153207-8b2118da4570
+	github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1
-	github.com/golang-jwt/jwt/v4 v4.2.0
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/google/gopacket v1.1.19
-	github.com/gorilla/handlers v1.5.1
+	github.com/gorilla/handlers v1.5.2
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
 	github.com/ivpusic/grpool v1.0.0
 	github.com/lanrenwo/lzsgo v0.0.2
-	github.com/lib/pq v1.10.2
+	github.com/lib/pq v1.10.9
-	github.com/mattn/go-sqlite3 v1.14.9
+	github.com/lorenzosaino/go-sysctl v0.3.1
 	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/orcaman/concurrent-map v1.0.0
-	github.com/pion/dtls/v2 v2.2.6
+	github.com/pion/dtls/v2 v2.2.12
 	github.com/pion/logging v0.2.2
-	github.com/pires/go-proxyproto v0.6.2
+	github.com/pires/go-proxyproto v0.8.0
-	github.com/shirou/gopsutil v3.21.7+incompatible
+	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-	github.com/spf13/cast v1.3.1
+	github.com/spf13/cast v1.7.0
-	github.com/spf13/cobra v1.2.1
+	github.com/spf13/cobra v1.8.1
-	github.com/spf13/viper v1.8.1
+	github.com/spf13/viper v1.19.0
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.10.0
-	github.com/xhit/go-simple-mail/v2 v2.10.0
+	github.com/xhit/go-simple-mail/v2 v2.16.0
-	github.com/xlzd/gotp v0.0.0-20181030022105-c8557ba2c119
+	github.com/xlzd/gotp v0.1.0
-	github.com/xuri/excelize/v2 v2.6.1
+	github.com/xuri/excelize/v2 v2.9.0
-	go.uber.org/atomic v1.10.0
+	golang.org/x/crypto v0.32.0
-	golang.org/x/crypto v0.5.0
+	golang.org/x/net v0.33.0
-	golang.org/x/net v0.7.0
+	golang.org/x/text v0.21.0
-	golang.org/x/text v0.7.0
+	golang.org/x/time v0.7.0
-	golang.org/x/time v0.3.0
+	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
-	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
+	xorm.io/xorm v1.3.9
 	xorm.io/xorm v1.3.2
 )
 require (
-	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1755 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.49.0 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.48 // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.109.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
-	github.com/miekg/dns v1.1.50 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/pion/transport/v2 v2.0.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/pion/udp/v2 v2.0.1 // indirect
+	github.com/pion/transport/v2 v2.2.10 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pion/transport/v3 v3.0.7 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.490 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.490 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
-	golang.org/x/tools v0.1.12 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1036 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1036 // indirect
 	github.com/toorop/go-dkim v0.0.0-20240103092955-90b7d1423f92 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220613132600-b0d781184e0d // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	honnef.co/go/tools v0.3.2 // indirect
 )
 require (
-	github.com/StackExchange/wmi v1.2.1 // indirect
+	github.com/coreos/go-iptables v0.8.0
-	github.com/coreos/go-iptables v0.6.0
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-ole/go-ole v1.2.5 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/goccy/go-json v0.8.1 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/richardlehane/mscfb v1.0.4 // indirect
-	github.com/richardlehane/msoleps v1.0.3 // indirect
+	github.com/richardlehane/msoleps v1.0.4 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.7 // indirect
+	github.com/tklauser/go-sysconf v0.3.14 // indirect
-	github.com/tklauser/numcpus v0.2.3 // indirect
+	github.com/tklauser/numcpus v0.9.0 // indirect
-	github.com/xuri/efp v0.0.0-20220603152613-6918739fd470 // indirect
+	github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d // indirect
-	github.com/xuri/nfp v0.0.0-20220409054826-5e722a1d9e22 // indirect
+	github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7 // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/sys v0.5.0 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
-	gopkg.in/ini.v1 v1.66.6 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	xorm.io/builder v0.3.11-0.20220531020008-1bd24a7dc978 // indirect
+	xorm.io/builder v0.3.13 // indirect
 )
--- a/server/go.sum
+++ b/server/go.sum
--- a/server/handler/dtls.go
+++ b/server/handler/dtls.go
@@ -2,10 +2,13 @@ package handler
 import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"encoding/hex"
 	"errors"
 	"net"
 	"strings"
 	"time"
 	"github.com/bjdgyc/anylink/base"
@@ -20,23 +23,33 @@ func startDtls() {
 		return
 	}
-	certificate, err := selfsign.GenerateSelfSigned()
+	// rsa 兼容 open connect
 	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
 	certificate, err := selfsign.SelfSign(priv)
 	if err != nil {
 		panic(err)
 	}
 	logf := logging.NewDefaultLoggerFactory()
 	logf.Writer = base.GetBaseLw()
 	// logf.DefaultLogLevel = logging.LogLevelTrace
 	logf.DefaultLogLevel = logging.LogLevelInfo
 	if base.GetLogLevel() == base.LogLevelTrace {
 		// logf.DefaultLogLevel = logging.LogLevelTrace
 	}
 	// https://github.com/pion/dtls/pull/369
 	sessStore := &sessionStore{}
 	config := &dtls.Config{
 		Certificates:         []tls.Certificate{certificate},
 		InsecureSkipVerify:   true,
 		ExtendedMasterSecret: dtls.DisableExtendedMasterSecret,
-		CipherSuites:         []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
+		CipherSuites: func() []dtls.CipherSuiteID {
 			var cs = []dtls.CipherSuiteID{}
 			for _, vv := range dtlsCipherSuites {
 				cs = append(cs, vv)
 			}
 			return cs
 		}(),
 		LoggerFactory: logf,
 		MTU:           BufferSize,
 		SessionStore:  sessStore,
@@ -98,3 +111,23 @@ func (ms *sessionStore) Get(key []byte) (dtls.Session, error) {
 func (ms *sessionStore) Del(key []byte) error {
 	return nil
 }
 // 客户端和服务端映射 X-DTLS12-CipherSuite
 var dtlsCipherSuites = map[string]dtls.CipherSuiteID{
 	// "ECDHE-ECDSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	// "ECDHE-ECDSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	"ECDHE-RSA-AES256-GCM-SHA384": dtls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	"ECDHE-RSA-AES128-GCM-SHA256": dtls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 }
 func checkDtls12Ciphersuite(ciphersuite string) string {
 	csArr := strings.Split(ciphersuite, ":")
 	for _, v := range csArr {
 		if _, ok := dtlsCipherSuites[v]; ok {
 			return v
 		}
 	}
 	// 返回默认值
 	return "ECDHE-RSA-AES128-GCM-SHA256"
 }
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -1,11 +1,10 @@
 package handler
 import (
-	"crypto/md5"
+	"bytes"
 	"encoding/xml"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"strings"
@@ -16,7 +15,10 @@ import (
 	"github.com/bjdgyc/anylink/sessdata"
 )
-var profileHash = ""
+var (
 	profileHash = ""
 	certHash    = ""
 )
 func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 调试信息输出
@@ -42,14 +44,18 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	}
 	defer r.Body.Close()
-	cr := ClientRequest{}
+	cr := &ClientRequest{
 		RemoteAddr: r.RemoteAddr,
 		UserAgent:  userAgent,
 	}
 	err = xml.Unmarshal(body, &cr)
 	if err != nil {
 		base.Error(err)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
-	// fmt.Printf("%+v \n", cr)
+	base.Trace(fmt.Sprintf("%+v \n", cr))
-	setCommonHeader(w)
+	// setCommonHeader(w)
 	if cr.Type == "logout" {
 		// 退出删除session信息
 		if cr.SessionToken != "" {
@@ -71,8 +77,15 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
 	// 锁定状态判断
 	if !lockManager.CheckLocked(cr.Auth.Username, r.RemoteAddr) {
 		w.WriteHeader(http.StatusTooManyRequests)
 		return
 	}
 	// 用户活动日志
-	ua := dbdata.UserActLog{
+	ua := &dbdata.UserActLog{
 		Username:        cr.Auth.Username,
 		GroupName:       cr.GroupSelect,
 		RemoteAddr:      r.RemoteAddr,
@@ -80,13 +93,21 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		DeviceType:      cr.DeviceId.DeviceType,
 		PlatformVersion: cr.DeviceId.PlatformVersion,
 	}
 	sessionData := &AuthSession{
 		ClientRequest: cr,
 		UserActLog:    ua,
 	}
 	// TODO 用户密码校验
-	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
+	ext := map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress}
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect, ext)
 	if err != nil {
-		base.Warn(err)
+		lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, false) // 记录登录失败状态
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
 		ua.Status = dbdata.UserAuthFail
-		dbdata.UserActLogIns.Add(ua, userAgent)
+		dbdata.UserActLogIns.Add(*ua, userAgent)
 		w.WriteHeader(http.StatusOK)
 		data := RequestData{Group: cr.GroupSelect, Groups: dbdata.GetGroupNamesNormal(), Error: "用户名或密码错误"}
@@ -96,70 +117,63 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		tplRequest(tpl_request, w, data)
 		return
 	}
-	dbdata.UserActLogIns.Add(ua, userAgent)
+	dbdata.UserActLogIns.Add(*ua, userAgent)
 	// if !ok {
 	//	w.WriteHeader(http.StatusOK)
 	//	data := RequestData{Group: cr.GroupSelect, Groups: base.Cfg.UserGroups, Error: "请先激活用户"}
 	//	tplRequest(tpl_request, w, data)
 	//	return
 	// }
-	// 创建新的session信息
+	v := &dbdata.User{}
-	sess := sessdata.NewSession("")
+	err = dbdata.One("Username", cr.Auth.Username, v)
 	sess.Username = cr.Auth.Username
 	sess.Group = cr.GroupSelect
 	oriMac := cr.MacAddressList.MacAddress
 	sess.UniqueIdGlobal = cr.DeviceId.UniqueIdGlobal
 	sess.UserAgent = userAgent
 	sess.DeviceType = ua.DeviceType
 	sess.PlatformVersion = ua.PlatformVersion
 	sess.RemoteAddr = r.RemoteAddr
 	// 获取客户端mac地址
 	sess.UniqueMac = true
 	macHw, err := net.ParseMAC(oriMac)
 	if err != nil {
-		var sum [16]byte
+		base.Info("正在使用第三方认证方式登录")
-		if sess.UniqueIdGlobal != "" {
+		CreateSession(w, r, sessionData)
-			sum = md5.Sum([]byte(sess.UniqueIdGlobal))
+		return
 		} else {
 			sum = md5.Sum([]byte(sess.Token))
 			sess.UniqueMac = false
 	}
-		macHw = sum[0:5] // 5个byte
+	// 用户otp验证
-		macHw = append([]byte{0x02}, macHw...)
+	if base.Cfg.AuthAloneOtp && !v.DisableOtp {
-		sess.MacAddr = macHw.String()
+		lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 重置OTP验证计数
 	}
 	sess.MacHw = macHw
 	// 统一macAddr的格式
 	sess.MacAddr = macHw.String()
-	other := &dbdata.SettingOther{}
+		sessionID, err := GenerateSessionID()
-	_ = dbdata.SettingGet(other)
+		if err != nil {
-	rd := RequestData{SessionId: sess.Sid, SessionToken: sess.Sid + "@" + sess.Token,
+			base.Error("Failed to generate session ID: ", err)
-		Banner: other.Banner, ProfileHash: profileHash}
+			http.Error(w, "Failed to generate session ID", http.StatusInternalServerError)
 			return
 		}
 		sessionData.ClientRequest.Auth.OtpSecret = v.OtpSecret
 		SessStore.SaveAuthSession(sessionID, sessionData)
 		SetCookie(w, "auth-session-id", sessionID, 0)
 		data := RequestData{}
 		w.WriteHeader(http.StatusOK)
-	tplRequest(tpl_complete, w, rd)
+		tplRequest(tpl_otp, w, data)
-	base.Debug("login", cr.Auth.Username, userAgent)
+		return
 	}
 	CreateSession(w, r, sessionData)
 }
 const (
 	tpl_request = iota
 	tpl_complete
 	tpl_otp
 )
 func tplRequest(typ int, w io.Writer, data RequestData) {
-	if typ == tpl_request {
+	switch typ {
 	case tpl_request:
 		t, _ := template.New("auth_request").Parse(auth_request)
 		_ = t.Execute(w, data)
-		return
+	case tpl_complete:
-	}
+		if data.Banner != "" {
-
+			buf := new(bytes.Buffer)
-	if strings.Contains(data.Banner, "\n") {
+			_ = xml.EscapeText(buf, []byte(data.Banner))
-		// 替换xml文件的换行符
+			data.Banner = buf.String()
 		data.Banner = strings.ReplaceAll(data.Banner, "\n", "&#x0A;")
 		}
 		t, _ := template.New("auth_complete").Parse(auth_complete)
 		_ = t.Execute(w, data)
 	case tpl_otp:
 		t, _ := template.New("auth_otp").Parse(auth_otp)
 		_ = t.Execute(w, data)
 	}
 }
 // 设置输出信息
@@ -172,7 +186,9 @@ type RequestData struct {
 	SessionId    string
 	SessionToken string
 	Banner       string
 	ProfileName  string
 	ProfileHash  string
 	CertHash     string
 }
 var auth_request = `<?xml version="1.0" encoding="UTF-8"?>
@@ -218,13 +234,13 @@ var auth_complete = `<?xml version="1.0" encoding="UTF-8"?>
    </capabilities>
    <config client="vpn" type="private">
        <vpn-base-config>
-            <server-cert-hash>240B97A685B2BFA66AD699B90AAC49EA66495D69</server-cert-hash>
+            <server-cert-hash>{{.CertHash}}</server-cert-hash>
        </vpn-base-config>
        <opaque is-for="vpn-client"></opaque>
        <vpn-profile-manifest>
            <vpn rev="1.0">
                <file type="profile" service-type="user">
-                    <uri>/profile.xml</uri>
+                    <uri>/profile_{{.ProfileName}}.xml</uri>
                    <hash type="sha1">{{.ProfileHash}}</hash>
                </file>
            </vpn>
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -0,0 +1,242 @@
 package handler
 import (
 	"crypto/md5"
 	"encoding/xml"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"sync"
 	"github.com/bjdgyc/anylink/admin"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 )
 var SessStore = NewSessionStore()
 var lockManager = admin.GetLockManager()
 // const maxOtpErrCount = 3
 type AuthSession struct {
 	ClientRequest *ClientRequest
 	UserActLog    *dbdata.UserActLog
 	// OtpErrCount   atomic.Uint32 // otp错误次数
 }
 // 存储临时会话信息
 type SessionStore struct {
 	session map[string]*AuthSession
 	mu      sync.Mutex
 }
 func NewSessionStore() *SessionStore {
 	return &SessionStore{
 		session: make(map[string]*AuthSession),
 	}
 }
 func (s *SessionStore) SaveAuthSession(sessionID string, session *AuthSession) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.session[sessionID] = session
 }
 func (s *SessionStore) GetAuthSession(sessionID string) (*AuthSession, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	session, exists := s.session[sessionID]
 	if !exists {
 		return nil, fmt.Errorf("auth session not found")
 	}
 	return session, nil
 }
 func (s *SessionStore) DeleteAuthSession(sessionID string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.session, sessionID)
 }
 // func (a *AuthSession) AddOtpErrCount(i int) int {
 // 	newI := a.OtpErrCount.Add(uint32(i))
 // 	return int(newI)
 // }
 func GenerateSessionID() (string, error) {
 	sessionID := utils.RandomRunes(32)
 	if sessionID == "" {
 		return "", fmt.Errorf("failed to generate session ID")
 	}
 	return sessionID, nil
 }
 func SetCookie(w http.ResponseWriter, name, value string, maxAge int) {
 	cookie := &http.Cookie{
 		Name:     name,
 		Value:    value,
 		MaxAge:   maxAge,
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   true,
 		SameSite: http.SameSiteLaxMode,
 	}
 	http.SetCookie(w, cookie)
 }
 func GetCookie(r *http.Request, name string) (string, error) {
 	cookie, err := r.Cookie(name)
 	if err != nil {
 		return "", fmt.Errorf("failed to get cookie: %v", err)
 	}
 	return cookie.Value, nil
 }
 func DeleteCookie(w http.ResponseWriter, name string) {
 	cookie := &http.Cookie{
 		Name:     name,
 		Value:    "",
 		MaxAge:   -1,
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 	}
 	http.SetCookie(w, cookie)
 }
 func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
 	cr := authSession.ClientRequest
 	ua := authSession.UserActLog
 	lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 更新登录成功状态
 	sess := sessdata.NewSession("")
 	sess.Username = cr.Auth.Username
 	sess.Group = cr.GroupSelect
 	oriMac := cr.MacAddressList.MacAddress
 	sess.UniqueIdGlobal = cr.DeviceId.UniqueIdGlobal
 	sess.UserAgent = cr.UserAgent
 	sess.DeviceType = ua.DeviceType
 	sess.PlatformVersion = ua.PlatformVersion
 	sess.RemoteAddr = cr.RemoteAddr
 	// 获取客户端mac地址
 	sess.UniqueMac = true
 	macHw, err := net.ParseMAC(oriMac)
 	if err != nil {
 		var sum [16]byte
 		if sess.UniqueIdGlobal != "" {
 			sum = md5.Sum([]byte(sess.UniqueIdGlobal))
 		} else {
 			sum = md5.Sum([]byte(sess.Token))
 			sess.UniqueMac = false
 		}
 		macHw = sum[0:5] // 5个byte
 		macHw = append([]byte{0x02}, macHw...)
 		sess.MacAddr = macHw.String()
 	}
 	sess.MacHw = macHw
 	// 统一macAddr的格式
 	sess.MacAddr = macHw.String()
 	other := &dbdata.SettingOther{}
 	dbdata.SettingGet(other)
 	rd := RequestData{
 		SessionId:    sess.Sid,
 		SessionToken: sess.Sid + "@" + sess.Token,
 		Banner:       other.Banner,
 		ProfileName:  base.Cfg.ProfileName,
 		ProfileHash:  profileHash,
 		CertHash:     certHash,
 	}
 	w.WriteHeader(http.StatusOK)
 	tplRequest(tpl_complete, w, rd)
 	base.Info("login", cr.Auth.Username, cr.UserAgent)
 }
 func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 	sessionID, err := GetCookie(r, "auth-session-id")
 	if err != nil {
 		http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
 		return
 	}
 	sessionData, err := SessStore.GetAuthSession(sessionID)
 	if err != nil {
 		http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
 		return
 	}
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		base.Error(err)
 		SessStore.DeleteAuthSession(sessionID)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
 	defer r.Body.Close()
 	cr := ClientRequest{}
 	err = xml.Unmarshal(body, &cr)
 	if err != nil {
 		base.Error(err)
 		SessStore.DeleteAuthSession(sessionID)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
 	ua := sessionData.UserActLog
 	username := sessionData.ClientRequest.Auth.Username
 	otpSecret := sessionData.ClientRequest.Auth.OtpSecret
 	otp := cr.Auth.SecondaryPassword
 	// 锁定状态判断
 	if !lockManager.CheckLocked(username, r.RemoteAddr) {
 		w.WriteHeader(http.StatusTooManyRequests)
 		SessStore.DeleteAuthSession(sessionID)
 		return
 	}
 	// 动态码错误
 	if !dbdata.CheckOtp(username, otp, otpSecret) {
 		lockManager.UpdateLoginStatus(username, r.RemoteAddr, false) // 记录登录失败状态
 		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
 		ua.Info = "OTP 动态码错误"
 		ua.Status = dbdata.UserAuthFail
 		dbdata.UserActLogIns.Add(*ua, sessionData.ClientRequest.UserAgent)
 		w.WriteHeader(http.StatusOK)
 		data := RequestData{Error: "请求错误"}
 		if base.Cfg.DisplayError {
 			data.Error = "OTP 动态码错误"
 		}
 		tplRequest(tpl_otp, w, data)
 		return
 	}
 	CreateSession(w, r, sessionData)
 	// 删除临时会话信息
 	SessStore.DeleteAuthSession(sessionID)
 	// DeleteCookie(w, "auth-session-id")
 }
 var auth_otp = `<?xml version="1.0" encoding="UTF-8"?>
 <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
    <auth id="otp-verification">
        <title>OTP 动态码验证</title>
        <message>请输入您的 OTP 动态码</message>
        {{if .Error}}
        <error id="otp-verification" param1="{{.Error}}" param2="">验证失败:  %s</error>
        {{end}}		
        <form method="post" action="/otp-verification">
            <input type="password" name="secondary_password" label="OTPCode:"/>
        </form>
    </auth>
 </config-auth>`
--- a/server/handler/link_base.go
+++ b/server/handler/link_base.go
@@ -2,9 +2,9 @@ package handler
 import (
 	"encoding/xml"
 	"log"
 	"net/http"
 	"os/exec"
 	"github.com/bjdgyc/anylink/base"
 )
 const BufferSize = 2048
@@ -17,6 +17,8 @@ type ClientRequest struct {
 	Version              string         `xml:"version"`                     // 客户端版本号
 	GroupAccess          string         `xml:"group-access"`                // 请求的地址
 	GroupSelect          string         `xml:"group-select"`                // 选择的组名
 	RemoteAddr           string         `xml:"remote_addr"`
 	UserAgent            string         `xml:"user_agent"`
 	SessionId            string         `xml:"session-id"`
 	SessionToken         string         `xml:"session-token"`
 	Auth                 auth           `xml:"auth"`
@@ -27,6 +29,7 @@ type ClientRequest struct {
 type auth struct {
 	Username          string `xml:"username"`
 	Password          string `xml:"password"`
 	OtpSecret         string `xml:"otp_secret"`
 	SecondaryPassword string `xml:"secondary_password"`
 }
@@ -42,34 +45,12 @@ type macAddressList struct {
 	MacAddress string `xml:"mac-address"`
 }
 func setCommonHeader(w http.ResponseWriter) {
 	// Content-Length Date 默认已经存在
 	w.Header().Set("Server", "AnyLink")
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Set("Cache-Control", "no-store,no-cache")
 	w.Header().Set("Pragma", "no-cache")
 	w.Header().Set("Transfer-Encoding", "chunked")
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("X-Frame-Options", "deny")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Security-Policy", "default-src 'none'")
 	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
 	w.Header().Set("Referrer-Policy", "no-referrer")
 	w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
 	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 	w.Header().Set("X-XSS-Protection", "0")
 	w.Header().Set("X-Aggregate-Auth", "1")
 	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 }
 func execCmd(cmdStrs []string) error {
 	for _, cmdStr := range cmdStrs {
 		cmd := exec.Command("sh", "-c", cmdStr)
 		b, err := cmd.CombinedOutput()
 		if err != nil {
-			log.Println(string(b))
+			base.Error(cmdStr, string(b))
 			return err
 		}
 	}
--- a/server/handler/link_cstp.go
+++ b/server/handler/link_cstp.go
@@ -24,7 +24,10 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 		err       error
 		n         int
 		dataLen   uint16
-		dead    = time.Duration(cSess.CstpDpd+5) * time.Second
+		dead      = time.Second * time.Duration(cSess.CstpDpd+5)
 		idle      = int64(base.Cfg.IdleTimeout)
 		checkIdle = base.Cfg.IdleTimeout > 0
 		lastTime  int64
 	)
 	go cstpWrite(conn, bufRW, cSess)
@@ -34,14 +37,14 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 		// 设置超时限制
 		err = conn.SetReadDeadline(utils.NowSec().Add(dead))
 		if err != nil {
-			base.Error("SetDeadline: ", cSess.Username, err)
+			base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 		// hdata := make([]byte, BufferSize)
 		pl := getPayload()
 		n, err = bufRW.Read(pl.Data)
 		if err != nil {
-			base.Error("read hdata: ", cSess.Username, err)
+			base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
@@ -54,19 +57,30 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 		switch pl.Data[6] {
 		case 0x07: // KEEPALIVE
 			// do nothing
-			// base.Debug("recv keepalive", cSess.IpAddr)
+			base.Trace("recv LinkCstp Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 			// 判断超时时间
 			if checkIdle {
 				lastTime = cSess.LastDataTime.Load()
 				if lastTime < (utils.NowSec().Unix() - idle) {
 					base.Warn("IdleTimeout", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), "lastTime", lastTime)
 					sessdata.CloseSess(cSess.Sess.Token, dbdata.UserIdleTimeout)
 					return
 				}
 			}
 		case 0x05: // DISCONNECT
 			cSess.UserLogoutCode = dbdata.UserLogoutClient
-			base.Debug("DISCONNECT", cSess.Username, cSess.IpAddr)
+			base.Info("DISCONNECT", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, string(pl.Data[9:n]))
 			sessdata.CloseSess(cSess.Sess.Token, dbdata.UserLogoutClient)
 			return
 		case 0x03: // DPD-REQ
-			// base.Debug("recv DPD-REQ", cSess.IpAddr)
+			base.Trace("recv LinkCstp DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, pl.Data[:n])
 			pl.PType = 0x04
 			// pl.Data = pl.Data[:n]
 			if payloadOutCstp(cSess, pl) {
 				return
 			}
 		case 0x04:
-		// log.Println("recv DPD-RESP")
+			base.Trace("recv LinkCstp DPD-RESP", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 		case 0x08: // decompress
 			if cSess.CstpPickCmp == nil {
 				continue
@@ -98,6 +112,8 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 			if payloadIn(cSess, pl) {
 				return
 			}
 			// 只记录返回正确的数据时间
 			cSess.LastDataTime.Store(utils.NowSec().Unix())
 		}
 	}
 }
@@ -160,7 +176,7 @@ func cstpWrite(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessi
 		n, err = conn.Write(pl.Data)
 		if err != nil {
-			base.Error("write err", cSess.Username, err)
+			base.Warn("write err", cSess.Username, cSess.IpAddr, err)
 			return
 		}
--- a/server/handler/link_dtls.go
+++ b/server/handler/link_dtls.go
@@ -36,14 +36,14 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 	for {
 		err = conn.SetReadDeadline(utils.NowSec().Add(dead))
 		if err != nil {
-			base.Error("SetDeadline: ", cSess.Username, err)
+			base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 		pl := getPayload()
 		n, err = conn.Read(pl.Data)
 		if err != nil {
-			base.Error("read hdata: ", cSess.Username, err)
+			base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
@@ -56,19 +56,21 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 		switch pl.Data[0] {
 		case 0x07: // KEEPALIVE
 			// do nothing
-			// base.Debug("recv keepalive", cSess.IpAddr)
+			base.Trace("recv LinkDtls Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 		case 0x05: // DISCONNECT
 			cSess.UserLogoutCode = dbdata.UserLogoutClient
-			base.Debug("DISCONNECT DTLS", cSess.Username, cSess.IpAddr)
+			base.Info("DISCONNECT DTLS", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 			return
 		case 0x03: // DPD-REQ
-			// base.Debug("recv DPD-REQ", cSess.IpAddr)
+			base.Trace("recv LinkDtls DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n)
 			pl.PType = 0x04
 			// 从零开始 可以直接赋值
 			pl.Data = pl.Data[:n]
 			if payloadOutDtls(cSess, dSess, pl) {
 				return
 			}
 		case 0x04:
-		// base.Debug("recv DPD-RESP", cSess.IpAddr)
+			base.Trace("recv LinkDtls DPD-RESP", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 		case 0x08: // decompress
 			if cSess.DtlsPickCmp == nil {
 				continue
@@ -93,6 +95,8 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 			if payloadIn(cSess, pl) {
 				return
 			}
 			// 只记录返回正确的数据时间
 			cSess.LastDataTime.Store(utils.NowSec().Unix())
 		}
 	}
@@ -147,11 +151,15 @@ func dtlsWrite(conn net.Conn, dSess *sessdata.DtlsSession, cSess *sessdata.ConnS
 			}
 		} else {
 			// 设置头类型
 			if pl.PType == 0x04 {
 				pl.Data[0] = pl.PType
 			} else {
 				pl.Data = append(pl.Data[:0], pl.PType)
 			}
 		}
 		n, err := conn.Write(pl.Data)
 		if err != nil {
-			base.Error("write err", cSess.Username, err)
+			base.Warn("write err", cSess.Username, cSess.IpAddr, err)
 			return
 		}
--- a/server/handler/link_home.go
+++ b/server/handler/link_home.go
@@ -13,7 +13,9 @@ func LinkHome(w http.ResponseWriter, r *http.Request) {
 	// fmt.Println(r.RemoteAddr)
 	// hu, _ := httputil.DumpRequest(r, true)
 	// fmt.Println("DumpHome: ", string(hu))
-	w.Header().Set("Server", "AnyLinkOpenSource")
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Del("X-Aggregate-Auth")
 	connection := strings.ToLower(r.Header.Get("Connection"))
 	userAgent := strings.ToLower(r.UserAgent())
 	if connection == "close" && (strings.Contains(userAgent, "anyconnect") || strings.Contains(userAgent, "openconnect")) {
@@ -25,14 +27,22 @@ func LinkHome(w http.ResponseWriter, r *http.Request) {
 	if err := dbdata.SettingGet(index); err != nil {
 		return
 	}
-	w.WriteHeader(http.StatusOK)
+
-	if index.Homeindex == "" {
+	if index.Homecode != http.StatusOK {
-		index.Homeindex = "AnyLink 是一个企业级远程办公 SSL VPN 软件，可以支持多人同时在线使用。"
+		w.WriteHeader(index.Homecode)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 	// if index.Homeindex == "" {
 	// 	index.Homeindex = "AnyLink 是一个企业级远程办公 SSL VPN 软件，可以支持多人同时在线使用。"
 	// }
 	fmt.Fprintln(w, index.Homeindex)
 }
 func LinkOtpQr(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Cross-Origin-Resource-Policy", "cross-origin")
 	_ = r.ParseForm()
 	idS := r.FormValue("id")
 	jwtToken := r.FormValue("jwt")
--- a/server/handler/link_tap.go
+++ b/server/handler/link_tap.go
@@ -10,6 +10,7 @@ import (
 	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	gosysctl "github.com/lorenzosaino/go-sysctl"
 	"github.com/songgao/packets/ethernet"
 	"github.com/songgao/water"
 	"github.com/songgao/water/waterutil"
@@ -88,8 +89,12 @@ func LinkTap(cSess *sessdata.ConnSession) error {
 		return err
 	}
-	cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
+	// cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
-	execCmd([]string{cmdstr3})
+	// execCmd([]string{cmdstr3})
 	err = gosysctl.Set(fmt.Sprintf("net.ipv6.conf.%s.disable_ipv6", ifce.Name()), "1")
 	if err != nil {
 		base.Warn(err)
 	}
 	go allTapRead(ifce, cSess)
 	go allTapWrite(ifce, cSess)
--- a/server/handler/link_tun.go
+++ b/server/handler/link_tun.go
@@ -4,12 +4,17 @@ import (
 	"fmt"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/coreos/go-iptables/iptables"
 	gosysctl "github.com/lorenzosaino/go-sysctl"
 	"github.com/songgao/water"
 )
 func checkTun() {
 	// 测试ip命令
 	base.CheckModOrLoad("tun")
 	// 测试tun
 	cfg := water.Config{
 		DeviceType: water.TUN,
@@ -21,31 +26,50 @@ func checkTun() {
 	}
 	defer ifce.Close()
-	// 测试ip命令
+	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
-	cmdstr := fmt.Sprintf("ip link set dev %s up mtu %s multicast off", ifce.Name(), "1399")
+	err = execCmd([]string{cmdstr1})
 	err = execCmd([]string{cmdstr})
 	if err != nil {
 		base.Fatal("testTun err: ", err)
 	}
 	// 开启服务器转发
-	if err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"}); err != nil {
+	// err = execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})
-		base.Error(err)
+	// if err != nil {
-	}
+	// 	base.Fatal(err)
 	// }
 	if base.Cfg.IptablesNat {
 		// 添加NAT转发规则
 		ipt, err := iptables.New()
 		if err != nil {
-			base.Error(err)
+			base.Fatal(err)
 			return
 		}
-		natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-j", "MASQUERADE"}
+
-		forwardRule := []string{"-j", "ACCEPT"}
+		// 修复 rockyos nat 不生效
-		if natExists, _ := ipt.Exists("nat", "POSTROUTING", natRule...); !natExists {
+		base.CheckModOrLoad("iptable_filter")
-			ipt.Insert("nat", "POSTROUTING", 1, natRule...)
+		base.CheckModOrLoad("iptable_nat")
 		// base.CheckModOrLoad("xt_comment")
 		// 添加注释
 		natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-m", "comment",
 			"--comment", "AnyLink", "-j", "MASQUERADE"}
 		if base.InContainer {
 			natRule = []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-j", "MASQUERADE"}
 		}
-		if forwardExists, _ := ipt.Exists("filter", "FORWARD", forwardRule...); !forwardExists {
+		err = ipt.InsertUnique("nat", "POSTROUTING", 1, natRule...)
-			ipt.Insert("filter", "FORWARD", 1, forwardRule...)
+		if err != nil {
 			base.Error(err)
 		}
 		// 添加注释
 		forwardRule := []string{"-m", "comment", "--comment", "AnyLink", "-j", "ACCEPT"}
 		if base.InContainer {
 			forwardRule = []string{"-j", "ACCEPT"}
 		}
 		err = ipt.InsertUnique("filter", "FORWARD", 1, forwardRule...)
 		if err != nil {
 			base.Error(err)
 		}
 		base.Info(ipt.List("nat", "POSTROUTING"))
 		base.Info(ipt.List("filter", "FORWARD"))
 	}
@@ -65,7 +89,9 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 	// log.Printf("Interface Name: %s\n", ifce.Name())
 	cSess.SetIfName(ifce.Name())
-	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off", ifce.Name(), cSess.Mtu)
+	// 通过 ip link show  查看 alias 信息
 	alias := utils.ParseName(cSess.Group.Name + "." + cSess.Username)
 	cmdstr1 := fmt.Sprintf("ip link set dev %s up mtu %d multicast off alias %s", ifce.Name(), cSess.Mtu, alias)
 	cmdstr2 := fmt.Sprintf("ip addr add dev %s local %s peer %s/32",
 		ifce.Name(), base.Cfg.Ipv4Gateway, cSess.IpAddr)
 	err = execCmd([]string{cmdstr1, cmdstr2})
@@ -75,8 +101,12 @@ func LinkTun(cSess *sessdata.ConnSession) error {
 		return err
 	}
-	cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
+	// cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifce.Name())
-	execCmd([]string{cmdstr3})
+	// execCmd([]string{cmdstr3})
 	err = gosysctl.Set(fmt.Sprintf("net.ipv6.conf.%s.disable_ipv6", ifce.Name()), "1")
 	if err != nil {
 		base.Warn(err)
 	}
 	go tunRead(ifce, cSess)
 	go tunWrite(ifce, cSess)
--- a/server/handler/link_tunnel.go
+++ b/server/handler/link_tunnel.go
@@ -43,13 +43,13 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	// 判断session-token的值
 	cookie, err := r.Cookie("webvpn")
 	if err != nil || cookie.Value == "" {
-		w.WriteHeader(http.StatusBadRequest)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
 	sess := sessdata.SToken2Sess(cookie.Value)
 	if sess == nil {
-		w.WriteHeader(http.StatusBadRequest)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
@@ -57,7 +57,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	cSess := sess.NewConn()
 	if cSess == nil {
 		log.Println(err)
-		w.WriteHeader(http.StatusBadRequest)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
@@ -66,6 +66,8 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	cstpBaseMtu := r.Header.Get("X-CSTP-Base-MTU")
 	masterSecret := r.Header.Get("X-DTLS-Master-Secret")
 	localIp := r.Header.Get("X-Cstp-Local-Address-Ip4")
 	// 出口ip
 	exportIp4 := r.Header.Get("X-Cstp-Remote-Address-Ip4")
 	mobile := r.Header.Get("X-Cstp-License")
 	cSess.SetMtu(cstpMtu)
@@ -84,21 +86,17 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	}
 	cSess.CstpDpd = cstpDpd
-	dtlsPort := "4433"
+	dtlsPort := "443"
-	if strings.Contains(base.Cfg.ServerDTLSAddr, ":") {
+	if strings.Contains(base.Cfg.AdvertiseDTLSAddr, ":") {
-		ss := strings.Split(base.Cfg.ServerDTLSAddr, ":")
+		ss := strings.Split(base.Cfg.AdvertiseDTLSAddr, ":")
 		dtlsPort = ss[1]
 	}
-	base.Debug(cSess.IpAddr, cSess.MacHw, sess.Username, mobile)
+	base.Info(sess.Username, cSess.IpAddr, cSess.MacHw, cSess.Client, mobile)
-	// 压缩
+	// 检测密码套件
-	if cmpName, ok := cSess.SetPickCmp("cstp", r.Header.Get("X-Cstp-Accept-Encoding")); ok {
+	dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite"))
-		HttpSetHeader(w, "X-CSTP-Content-Encoding", cmpName)
+	base.Trace("dtlsCiphersuite", dtlsCiphersuite)
 	}
 	if cmpName, ok := cSess.SetPickCmp("dtls", r.Header.Get("X-Dtls-Accept-Encoding")); ok {
 		HttpSetHeader(w, "X-DTLS-Content-Encoding", cmpName)
 	}
 	// 返回客户端数据
 	HttpSetHeader(w, "Server", fmt.Sprintf("%s %s", base.APP_NAME, base.APP_VER))
@@ -109,11 +107,19 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-CSTP-Netmask", sessdata.IpPool.Ipv4Mask.String()) // 子网掩码
 	HttpSetHeader(w, "X-CSTP-Hostname", hn)                               // 机器名称
 	HttpSetHeader(w, "X-CSTP-Base-MTU", cstpBaseMtu)
-	// 要发布的默认域
+	// 客户端dns的默认搜索域
 	if base.Cfg.DefaultDomain != "" {
 		HttpSetHeader(w, "X-CSTP-Default-Domain", base.Cfg.DefaultDomain)
 	}
 	// 压缩
 	if cmpName, ok := cSess.SetPickCmp("cstp", r.Header.Get("X-Cstp-Accept-Encoding")); ok {
 		HttpSetHeader(w, "X-CSTP-Content-Encoding", cmpName)
 	}
 	if cmpName, ok := cSess.SetPickCmp("dtls", r.Header.Get("X-Dtls-Accept-Encoding")); ok {
 		HttpSetHeader(w, "X-DTLS-Content-Encoding", cmpName)
 	}
 	// 设置用户策略
 	SetUserPolicy(cSess.Username, cSess.Group)
@@ -125,9 +131,14 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	for _, v := range cSess.Group.ClientDns {
 		HttpAddHeader(w, "X-CSTP-DNS", v.Val)
 	}
 	// 分割dns
 	for _, v := range cSess.Group.SplitDns {
 		HttpAddHeader(w, "X-CSTP-Split-DNS", v.Val)
 	}
 	// 允许的路由
 	for _, v := range cSess.Group.RouteInclude {
-		if v.Val == dbdata.All {
+		if strings.ToLower(v.Val) == dbdata.ALL {
 			continue
 		}
 		HttpAddHeader(w, "X-CSTP-Split-Include", v.IpMask)
@@ -136,6 +147,10 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	for _, v := range cSess.Group.RouteExclude {
 		HttpAddHeader(w, "X-CSTP-Split-Exclude", v.IpMask)
 	}
 	// 排除出口ip路由(出口ip不加密传输)
 	if base.Cfg.ExcludeExportIp && exportIp4 != "" {
 		HttpAddHeader(w, "X-CSTP-Split-Exclude", exportIp4+"/255.255.255.255")
 	}
 	HttpSetHeader(w, "X-CSTP-Lease-Duration", "1209600") // ip地址租期
 	HttpSetHeader(w, "X-CSTP-Session-Timeout", "none")
@@ -146,9 +161,9 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-CSTP-Keep", "true")
 	HttpSetHeader(w, "X-CSTP-Tunnel-All-DNS", "false")
-	HttpSetHeader(w, "X-CSTP-Rekey-Time", "43200") // 172800
+	HttpSetHeader(w, "X-CSTP-Rekey-Time", "86400") // 172800
 	HttpSetHeader(w, "X-CSTP-Rekey-Method", "new-tunnel")
-	HttpSetHeader(w, "X-DTLS-Rekey-Time", "43200")
+	HttpSetHeader(w, "X-DTLS-Rekey-Time", "86400")
 	HttpSetHeader(w, "X-DTLS-Rekey-Method", "new-tunnel")
 	HttpSetHeader(w, "X-CSTP-DPD", fmt.Sprintf("%d", cstpDpd))
@@ -164,13 +179,13 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-DTLS-Port", dtlsPort)
 	HttpSetHeader(w, "X-DTLS-DPD", fmt.Sprintf("%d", cstpDpd))
 	HttpSetHeader(w, "X-DTLS-Keepalive", fmt.Sprintf("%d", cstpKeepalive))
-	HttpSetHeader(w, "X-DTLS12-CipherSuite", "ECDHE-ECDSA-AES128-GCM-SHA256")
+	HttpSetHeader(w, "X-DTLS12-CipherSuite", dtlsCiphersuite)
 	HttpSetHeader(w, "X-CSTP-License", "accept")
 	HttpSetHeader(w, "X-CSTP-Routing-Filtering-Ignore", "false")
 	HttpSetHeader(w, "X-CSTP-Quarantine", "false")
 	HttpSetHeader(w, "X-CSTP-Disable-Always-On-VPN", "false")
-	HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "false")
+	HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "true")
 	HttpSetHeader(w, "X-CSTP-TCP-Keepalive", "false")
 	// 设置域名拆分隧道（移动端不支持）
 	if mobile != "mobile" {
@@ -180,10 +195,9 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 	hClone := w.Header().Clone()
-	headers := make([]byte, 0)
+	buf := &bytes.Buffer{}
 	buf := bytes.NewBuffer(headers)
 	_ = hClone.Write(buf)
-	base.Debug(buf.String())
+	base.Debug("LinkTunnel Response Header:", buf.String())
 	hj := w.(http.Hijacker)
 	conn, bufRW, err := hj.Hijack()
@@ -234,7 +248,11 @@ func SetPostAuthXml(g *dbdata.Group, w http.ResponseWriter) error {
 	if err != nil {
 		return err
 	}
-	HttpSetHeader(w, "X-CSTP-Post-Auth-XML", result.String())
+	xmlAuth := ""
 	for _, v := range strings.Split(result.String(), "\n") {
 		xmlAuth += strings.TrimSpace(v)
 	}
 	HttpSetHeader(w, "X-CSTP-Post-Auth-XML", xmlAuth)
 	return nil
 }
--- a/server/handler/link_vtap.go
+++ b/server/handler/link_vtap.go
@@ -11,6 +11,7 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 	gosysctl "github.com/lorenzosaino/go-sysctl"
 )
 // link vtap
@@ -28,18 +29,20 @@ func (v *Vtap) Close() error {
 }
 func checkMacvtap() {
 	// 加载 macvtap
 	base.CheckModOrLoad("macvtap")
 	_setGateway()
 	_checkTapIp(base.Cfg.Ipv4Master)
 	ifName := "anylinkMacvtap"
-	// 加载 macvtap
+
 	cmdstr0 := fmt.Sprintln("modprobe -i macvtap")
 	// 开启主网卡混杂模式
 	cmdstr1 := fmt.Sprintf("ip link set dev %s promisc on", base.Cfg.Ipv4Master)
 	// 测试 macvtap 功能
 	cmdstr2 := fmt.Sprintf("ip link add link %s name %s type macvtap mode bridge", base.Cfg.Ipv4Master, ifName)
 	cmdstr3 := fmt.Sprintf("ip link del %s", ifName)
-	err := execCmd([]string{cmdstr0, cmdstr1, cmdstr2, cmdstr3})
+	err := execCmd([]string{cmdstr1, cmdstr2, cmdstr3})
 	if err != nil {
 		base.Fatal(err)
 	}
@@ -54,14 +57,20 @@ func LinkMacvtap(cSess *sessdata.ConnSession) error {
 	cSess.SetIfName(ifName)
 	cmdstr1 := fmt.Sprintf("ip link add link %s name %s type macvtap mode bridge", base.Cfg.Ipv4Master, ifName)
-	cmdstr2 := fmt.Sprintf("ip link set dev %s up mtu %d address %s", ifName, cSess.Mtu, cSess.MacHw)
+	alias := utils.ParseName(cSess.Group.Name + "." + cSess.Username)
 	cmdstr2 := fmt.Sprintf("ip link set dev %s up mtu %d address %s alias %s", ifName, cSess.Mtu, cSess.MacHw, alias)
 	err := execCmd([]string{cmdstr1, cmdstr2})
 	if err != nil {
 		base.Error(err)
 		return err
 	}
-	cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifName)
+	// cmdstr3 := fmt.Sprintf("sysctl -w net.ipv6.conf.%s.disable_ipv6=1", ifName)
-	execCmd([]string{cmdstr3})
+	// execCmd([]string{cmdstr3})
 	err = gosysctl.Set(fmt.Sprintf("net.ipv6.conf.%s.disable_ipv6", ifName), "1")
 	if err != nil {
 		base.Warn(err)
 	}
 	return createVtap(cSess, ifName)
 }
--- a/server/handler/payload.go
+++ b/server/handler/payload.go
@@ -86,16 +86,43 @@ func checkLinkAcl(group *dbdata.Group, pl *sessdata.Payload) bool {
 	}
 	for _, v := range group.LinkAcl {
 		// 放行允许ip的ping
 		// if v.Ports == nil || len(v.Ports) == 0 {
 		// 	//单端口历史数据兼容
 		// 	port := uint16(v.Port.(float64))
 		// 	if port == ipPort || port == 0 || ipProto == waterutil.ICMP {
 		// 		if v.Action == dbdata.Allow {
 		// 			return true
 		// 		} else {
 		// 			return false
 		// 		}
 		// 	}
 		// } else {
 		// 先判断协议
 		// 兼容旧数据 v.Protocol == ""
 		if v.Protocol == "" || v.Protocol == dbdata.ALL || v.IpProto == ipProto {
 			// 循环判断ip和端口
 			if v.IpNet.Contains(ipDst) {
-			// 放行允许ip的ping
+				// icmp 不判断端口
-			if v.Port == ipPort || v.Port == 0 || ipProto == waterutil.ICMP {
+				if ipProto == waterutil.ICMP {
 					if v.Action == dbdata.Allow {
 						return true
 					} else {
 						return false
 					}
 				}
 				if dbdata.ContainsInPorts(v.Ports, ipPort) || dbdata.ContainsInPorts(v.Ports, 0) {
 					if v.Action == dbdata.Allow {
 						// log.Println(dbdata.Allow, v.Ports)
 						return true
 					} else {
 						// log.Println(dbdata.Deny, v.Ports)
 						return false
 					}
 				}
 			}
 		}
 	}
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"crypto/md5"
 	"encoding/binary"
 	"runtime/debug"
 	"time"
 	"github.com/bjdgyc/anylink/base"
@@ -101,11 +102,20 @@ func logAuditBatch() {
 // 解析IP包的数据
 func logAudit(userName string, pl *sessdata.Payload) {
-	defer putPayload(pl)
+	defer func() {
 		if err := recover(); err != nil {
 			base.Error("logAudit is panic: ", err, "\n", string(debug.Stack()), "\n", pl.Data)
 		}
 	}()
 	defer func() {
 		putPayload(pl)
 	}()
 	if !(pl.LType == sessdata.LTypeIPData && pl.PType == 0x00) {
 		return
 	}
 	ipProto := waterutil.IPv4Protocol(pl.Data)
 	// 访问协议
 	var accessProto uint8
@@ -118,12 +128,17 @@ func logAudit(userName string, pl *sessdata.Payload) {
 	default:
 		return
 	}
-
+	// IP报文只包含头部信息时, 则打印LOG，并退出
 	ipPl := waterutil.IPv4Payload(pl.Data)
 	if len(ipPl) < 4 {
 		base.Error("ipPl len < 4", ipPl, pl.Data)
 		return
 	}
 	ipPort := (uint16(ipPl[2]) << 8) | uint16(ipPl[3])
 	ipSrc := waterutil.IPv4Source(pl.Data)
 	ipDst := waterutil.IPv4Destination(pl.Data)
 	ipPort := waterutil.IPv4DestinationPort(pl.Data)
 	b := getByte51()
 	// key格式 16字节源IP地址 + 16字节目的IP地址 + 2字节目的端口 + 1字节协议类型 + 16字节域名MD5
 	key := *b
 	copy(key[:16], ipSrc)
 	copy(key[16:32], ipDst)
@@ -178,7 +193,6 @@ func logAudit(userName string, pl *sessdata.Payload) {
 		AccessProto: accessProto,
 		Info:        info,
 	}
 	select {
 	case logBatch.LogChan <- audit:
 	default:
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -29,7 +29,7 @@ func onTCP(payload []byte) (uint8, string) {
 }
 func sniNewParser(b []byte) (uint8, string) {
-	if len(b) < 2 || b[0] != 0x16 || b[1] != 0x03 {
+	if len(b) < 6 || b[0] != 0x16 || b[1] != 0x03 {
 		return acc_proto_tcp, ""
 	}
 	rest := b[5:]
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -1,17 +1,21 @@
 package handler
 import (
 	"crypto/sha1"
 	"crypto/tls"
 	"encoding/hex"
 	"fmt"
 	"io"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"os"
 	"strings"
 	"time"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/mux"
 	"github.com/pires/go-proxyproto"
 )
@@ -35,6 +39,19 @@ func startTls() {
 	//	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 	// }
 	tlscert, _, err := dbdata.ParseCert()
 	if err != nil {
 		base.Fatal("证书加载失败", err)
 	}
 	dbdata.LoadCertificate(tlscert)
 	// 计算证书hash值
 	s1 := sha1.New()
 	s1.Write(tlscert.Certificate[0])
 	h2s := hex.EncodeToString(s1.Sum(nil))
 	certHash = strings.ToUpper(h2s)
 	base.Info("certHash", certHash)
 	// 修复 CVE-2016-2183
 	// https://segmentfault.com/a/1190000038486901
 	// nmap -sV --script ssl-enum-ciphers -p 443 www.example.com
@@ -50,23 +67,22 @@ func startTls() {
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: selectedCipherSuites,
 		GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			base.Trace("GetCertificate", chi.ServerName)
+			base.Trace("GetCertificate ServerName", chi.ServerName)
 			return dbdata.GetCertificateBySNI(chi.ServerName)
 		},
 		// InsecureSkipVerify: true,
 	}
 	srv := &http.Server{
 		Addr:         addr,
 		Handler:      initRoute(),
 		TLSConfig:    tlsConfig,
-		ErrorLog:     base.GetBaseLog(),
+		ErrorLog:     base.GetServerLog(),
-		ReadTimeout:  60 * time.Second,
+		ReadTimeout:  100 * time.Second,
-		WriteTimeout: 60 * time.Second,
+		WriteTimeout: 100 * time.Second,
 	}
 	ln, err = net.Listen("tcp", addr)
 	if err != nil {
-		log.Fatal(err)
+		base.Fatal(err)
 	}
 	defer ln.Close()
@@ -86,11 +102,22 @@ func startTls() {
 func initRoute() http.Handler {
 	r := mux.NewRouter()
 	// 所有路由添加安全头
 	r.Use(func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			utils.SetSecureHeader(w)
 			next.ServeHTTP(w, req)
 		})
 	})
 	r.HandleFunc("/", LinkHome).Methods(http.MethodGet)
 	r.HandleFunc("/", LinkAuth).Methods(http.MethodPost)
 	// r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
 	r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
 	r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
-	r.HandleFunc("/profile.xml", func(w http.ResponseWriter, r *http.Request) {
+	r.HandleFunc("/otp-verification", LinkAuth_otp).Methods(http.MethodPost)
 	// r.Handle("/otp-verification", antiBruteForce(http.HandlerFunc(LinkAuth_otp))).Methods(http.MethodPost)
 	r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {
 		b, _ := os.ReadFile(base.Cfg.Profile)
 		w.Write(b)
 	}).Methods(http.MethodGet)
@@ -109,8 +136,10 @@ func initRoute() http.Handler {
 func notFound(w http.ResponseWriter, r *http.Request) {
 	// fmt.Println(r.RemoteAddr)
-	// hu, _ := httputil.DumpRequest(r, true)
+	if base.GetLogLevel() == base.LogLevelTrace {
-	// fmt.Println("NotFound: ", string(hu))
+		hd, _ := httputil.DumpRequest(r, true)
 		base.Trace("NotFound: ", r.RemoteAddr, string(hd))
 	}
 	w.WriteHeader(http.StatusNotFound)
 	fmt.Fprintln(w, "404 page not found")
--- a/server/handler/start.go
+++ b/server/handler/start.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"crypto/sha1"
 	"encoding/hex"
 	"log"
 	"os"
 	"github.com/bjdgyc/anylink/admin"
@@ -10,6 +11,7 @@ import (
 	"github.com/bjdgyc/anylink/cron"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/sessdata"
 	gosysctl "github.com/lorenzosaino/go-sysctl"
 )
 func Start() {
@@ -17,6 +19,21 @@ func Start() {
 	sessdata.Start()
 	cron.Start()
 	admin.InitLockManager() // 初始化防爆破定时器和IP白名单
 	// 开启服务器转发
 	err := gosysctl.Set("net.ipv4.ip_forward", "1")
 	if err != nil {
 		base.Warn(err)
 	}
 	val, err := gosysctl.Get("net.ipv4.ip_forward")
 	if val != "1" {
 		log.Fatal("Please exec 'sysctl -w net.ipv4.ip_forward=1' ")
 	}
 	// os.Exit(0)
 	// execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})
 	switch base.Cfg.LinkMode {
 	case base.LinkModeTUN:
 		checkTun()
--- a/server/main.go
+++ b/server/main.go
@@ -20,14 +20,21 @@ import (
 var uiData embed.FS
 // 程序版本
-var CommitId string
+var (
 	appVer    string
 	commitId  string
 	buildDate string
 )
 func main() {
 	base.CommitId = CommitId
 	admin.UiData = uiData
 	base.APP_VER = appVer
 	base.CommitId = commitId
 	base.BuildDate = buildDate
 	base.Start()
 	handler.Start()
 	signalWatch()
 }
@@ -35,7 +42,7 @@ func signalWatch() {
 	base.Info("Server pid: ", os.Getpid())
 	sigs := make(chan os.Signal, 1)
-	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM, syscall.SIGALRM)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM, syscall.SIGALRM, syscall.SIGUSR2)
 	for {
 		sig := <-sigs
 		base.Info("Get signal:", sig)
--- a/server/pkg/utils/password_hash.go
+++ b/server/pkg/utils/password_hash.go
@@ -14,6 +14,10 @@ func PasswordHash(password string) (string, error) {
 }
 func PasswordVerify(password, hash string) bool {
 	// 保留老用户明文验证
 	if len(hash) != 60 {
 		return password == hash
 	}
 	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
 	return err == nil
 }
--- a/server/pkg/utils/secure_header.go
+++ b/server/pkg/utils/secure_header.go
@@ -0,0 +1,32 @@
 package utils
 import "net/http"
 // SetSecureHeader 设置安全的header头
 // https://blog.csdn.net/liwan09/article/details/130248003
 // https://zhuanlan.zhihu.com/p/335165168
 func SetSecureHeader(w http.ResponseWriter) {
 	// Content-Length Date 默认已经存在
 	w.Header().Set("Server", "AnyLinkOpenSource")
 	// w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	// w.Header().Set("Transfer-Encoding", "chunked")
 	w.Header().Set("X-Aggregate-Auth", "1")
 	w.Header().Set("Cache-Control", "no-store,no-cache")
 	w.Header().Set("Pragma", "no-cache")
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Download-Options", "noopen")
 	w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content")
 	w.Header().Set("X-Permitted-Cross-Domain-Policies", "none")
 	w.Header().Set("Referrer-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 	w.Header().Set("X-XSS-Protection", "1;mode=block")
 	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 	// w.Header().Set("Clear-Site-Data", "cache,cookies,storage")
 }
--- a/server/pkg/utils/util.go
+++ b/server/pkg/utils/util.go
@@ -1,8 +1,12 @@
 package utils
 import (
 	crand "crypto/rand"
 	"encoding/hex"
 	"fmt"
 	"log"
 	"math/rand"
 	"strings"
 	"sync/atomic"
 	"time"
 )
@@ -82,12 +86,29 @@ func HumanByte(bf interface{}) string {
 func RandomRunes(length int) string {
 	letterRunes := []rune("abcdefghijklmnpqrstuvwxy1234567890")
 	bytes := make([]rune, length)
 	for i := range bytes {
 		bytes[i] = letterRunes[rand.Intn(len(letterRunes))]
 	}
 	return string(bytes)
 }
 func RandomHex(length int) string {
 	b := make([]byte, length)
 	_, err := crand.Read(b)
 	if err != nil {
 		log.Println(err)
 		return ""
 	}
 	return hex.EncodeToString(b)
 }
 func ParseName(name string) string {
 	name = strings.ReplaceAll(name, " ", "-")
 	name = strings.ReplaceAll(name, "'", "-")
 	name = strings.ReplaceAll(name, "\"", "-")
 	name = strings.ReplaceAll(name, ";", "-")
 	return name
 }
--- a/server/sessdata/ip_pool.go
+++ b/server/sessdata/ip_pool.go
@@ -13,11 +13,9 @@ import (
 var (
 	IpPool   = &ipPoolConfig{}
 	ipActive = map[string]bool{}
-	// ipKeep and ipLease  ipAddr => type
+	// ipKeep and ipLease  ipAddr => macAddr
-	// ipLease   = map[string]bool{}
+	// ipKeep    = map[string]string{}
 	ipPoolMux sync.Mutex
 	// 记录循环点
 	loopCurIp uint32
 )
 type ipPoolConfig struct {
@@ -73,32 +71,43 @@ func initIpPool() {
 // func getIpLease() {
 // 	xdb := dbdata.GetXdb()
 // 	keepIpMaps := []dbdata.IpMap{}
-// 	sNow := time.Now().Add(-1 * time.Duration(base.Cfg.IpLease) * time.Second)
+// 	// sNow := time.Now().Add(-1 * time.Duration(base.Cfg.IpLease) * time.Second)
-// 	err := xdb.Cols("ip_addr").Where("keep=?", true).
+// 	err := xdb.Cols("ip_addr", "mac_addr").Where("keep=?", true).Find(&keepIpMaps)
 // 		Or("unique_mac=? and last_login>?", true, sNow).Find(&keepIpMaps)
 // 	if err != nil {
 // 		base.Error(err)
 // 	}
-// 	// fmt.Println(keepIpMaps)
+// 	log.Println(keepIpMaps)
 // 	ipPoolMux.Lock()
-// 	ipLease = map[string]bool{}
+// 	ipKeep = map[string]string{}
 // 	for _, v := range keepIpMaps {
-// 		ipLease[v.IpAddr] = true
+// 		ipKeep[v.IpAddr] = v.MacAddr
 // 	}
 // 	ipPoolMux.Unlock()
 // }
 func ipInPool(ip net.IP) bool {
 	if utils.Ip2long(ip) >= IpPool.IpLongMin && utils.Ip2long(ip) <= IpPool.IpLongMax {
 		return true
 	}
 	return false
 }
 // AcquireIp 获取动态ip
-func AcquireIp(username, macAddr string, uniqueMac bool) net.IP {
+func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
-	base.Trace("AcquireIp:", username, macAddr, uniqueMac)
+	base.Trace("AcquireIp start:", username, macAddr, uniqueMac)
 	ipPoolMux.Lock()
-	defer ipPoolMux.Unlock()
+	defer func() {
 		ipPoolMux.Unlock()
 		base.Trace("AcquireIp end:", username, macAddr, uniqueMac, newIp)
 		base.Info("AcquireIp ip:", username, macAddr, uniqueMac, newIp)
 	}()
 	var (
 		err  error
 		tNow = time.Now()
 	)
 	// 获取到客户端 macAddr 的情况
 	if uniqueMac {
 		// 判断是否已经分配过
 		mi := &dbdata.IpMap{}
@@ -121,9 +130,9 @@ func AcquireIp(username, macAddr string, uniqueMac bool) net.IP {
 		_, ok := ipActive[ipStr]
 		// 检测原有ip是否在新的ip池内
 		// IpPool.Ipv4IPNet.Contains(ip) &&
-		if !ok &&
+		// ip符合规范
-			utils.Ip2long(ip) >= IpPool.IpLongMin &&
+		// 检测原有ip是否在新的ip池内
-			utils.Ip2long(ip) <= IpPool.IpLongMax {
+		if !ok && ipInPool(ip) {
 			mi.Username = username
 			mi.LastLogin = tNow
 			mi.UniqueMac = uniqueMac
@@ -132,14 +141,22 @@ func AcquireIp(username, macAddr string, uniqueMac bool) net.IP {
 			ipActive[ipStr] = true
 			return ip
 		}
 		// ip保留
 		if mi.Keep {
 			base.Error(username, macAddr, ipStr, "保留ip不匹配CIDR")
 			return nil
 		}
 		// 删除当前macAddr
 		mi = &dbdata.IpMap{MacAddr: macAddr}
 		_ = dbdata.Del(mi)
 		return loopIp(username, macAddr, uniqueMac)
 	}
 	} else {
 	// 没有获取到mac的情况
 	ipMaps := []dbdata.IpMap{}
-		err = dbdata.FindWhere(&ipMaps, 50, 1, "username=? and unique_mac=?", username, false)
+	err = dbdata.FindWhere(&ipMaps, 30, 1, "username=?", username)
 	if err != nil {
 		// 没有查询到数据
 		if dbdata.CheckErrNotFound(err) {
@@ -163,10 +180,14 @@ func AcquireIp(username, macAddr string, uniqueMac bool) net.IP {
 		if mi.Keep {
 			continue
 		}
 		if mi.UniqueMac {
 			continue
 		}
 		// 没有mac的 不需要验证租期
 		// mi.LastLogin.Before(leaseTime) &&
-			if utils.Ip2long(ip) >= IpPool.IpLongMin &&
+		if ipInPool(ip) {
-				utils.Ip2long(ip) <= IpPool.IpLongMax {
+			mi.Username = username
 			mi.LastLogin = tNow
 			mi.MacAddr = macAddr
 			mi.UniqueMac = uniqueMac
@@ -176,17 +197,25 @@ func AcquireIp(username, macAddr string, uniqueMac bool) net.IP {
 			return ip
 		}
 	}
 	}
 	return loopIp(username, macAddr, uniqueMac)
 }
 var (
 	// 记录循环点
 	loopCurIp uint32
 	loopFarIp *dbdata.IpMap
 )
 func loopIp(username, macAddr string, uniqueMac bool) net.IP {
 	var (
 		i  uint32
 		ip net.IP
 	)
 	// 重新赋值
 	loopFarIp = &dbdata.IpMap{LastLogin: time.Now()}
 	i, ip = loopLong(loopCurIp, IpPool.IpLongMax, username, macAddr, uniqueMac)
 	if ip != nil {
 		loopCurIp = i
@@ -199,6 +228,22 @@ func loopIp(username, macAddr string, uniqueMac bool) net.IP {
 		return ip
 	}
 	// ip分配完,从头开始
 	loopCurIp = IpPool.IpLongMin
 	if loopFarIp.Id > 0 {
 		// 使用最早登陆的 ip
 		ipStr := loopFarIp.IpAddr
 		ip = net.ParseIP(ipStr)
 		mi := &dbdata.IpMap{IpAddr: ipStr, MacAddr: macAddr, UniqueMac: uniqueMac, Username: username, LastLogin: time.Now()}
 		// 回写db数据
 		_ = dbdata.Set(mi)
 		ipActive[ipStr] = true
 		return ip
 	}
 	// 全都在线，没有数据可用
 	base.Warn("no ip available, please see ip_map table row", username, macAddr)
 	return nil
 }
@@ -244,6 +289,7 @@ func loopLong(start, end uint32, username, macAddr string, uniqueMac bool) (uint
 		// 判断租期
 		if mi.LastLogin.Before(leaseTime) {
 			// 存在记录，说明已经超过租期，可以直接使用
 			mi.Username = username
 			mi.LastLogin = tNow
 			mi.MacAddr = macAddr
 			mi.UniqueMac = uniqueMac
@@ -252,6 +298,10 @@ func loopLong(start, end uint32, username, macAddr string, uniqueMac bool) (uint
 			ipActive[ipStr] = true
 			return i, ip
 		}
 		// 其他情况判断最早登陆
 		if mi.LastLogin.Before(loopFarIp.LastLogin) {
 			loopFarIp = mi
 		}
 	}
 	return 0, nil
--- a/server/sessdata/online.go
+++ b/server/sessdata/online.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"net"
 	"sort"
 	"strings"
 	"time"
 	"github.com/bjdgyc/anylink/pkg/utils"
@@ -17,6 +18,7 @@ type Online struct {
 	UniqueMac         bool      `json:"unique_mac"`
 	Ip                net.IP    `json:"ip"`
 	RemoteAddr        string    `json:"remote_addr"`
 	TransportProtocol string    `json:"transport_protocol"`
 	TunName           string    `json:"tun_name"`
 	Mtu               int       `json:"mtu"`
 	Client            string    `json:"client"`
@@ -42,33 +44,80 @@ func (o Onlines) Swap(i, j int) {
 }
 func OnlineSess() []Online {
 	return GetOnlineSess("", "", false)
 }
 /**
 * @Description: GetOnlineSess
 * @param search_cate 分类：用户名、登录组、MAC地址、IP地址、远端地址
 * @param search_text 关键字，模糊搜索
 * @param show_sleeper 是否显示休眠用户
 * @return []Online
 */
 func GetOnlineSess(search_cate string, search_text string, show_sleeper bool) []Online {
 	var datas Onlines
 	if strings.TrimSpace(search_text) == "" {
 		search_cate = ""
 	}
 	sessMux.Lock()
 	defer sessMux.Unlock()
 	for _, v := range sessions {
 		v.mux.Lock()
-		if v.IsActive {
+		cSess := v.CSess
 		if cSess == nil {
 			cSess = &ConnSession{}
 		}
 		// 选择需要比较的字符串
 		var compareText string
 		switch search_cate {
 		case "username":
 			compareText = v.Username
 		case "group":
 			compareText = v.Group
 		case "mac_addr":
 			compareText = v.MacAddr
 		case "ip":
 			if cSess != nil {
 				compareText = cSess.IpAddr.String()
 			}
 		case "remote_addr":
 			if cSess != nil {
 				compareText = cSess.RemoteAddr
 			}
 		}
 		if search_cate != "" && !strings.Contains(compareText, search_text) {
 			v.mux.Unlock()
 			continue
 		}
 		if show_sleeper || v.IsActive {
 			transportProtocol := "TCP"
 			dSess := cSess.GetDtlsSession()
 			if dSess != nil {
 				transportProtocol = "UDP"
 			}
 			val := Online{
 				Token:             v.Token,
-				Ip:               v.CSess.IpAddr,
+				Ip:                cSess.IpAddr,
 				Username:          v.Username,
 				Group:             v.Group,
 				MacAddr:           v.MacAddr,
 				UniqueMac:         v.UniqueMac,
-				RemoteAddr:       v.CSess.RemoteAddr,
+				RemoteAddr:        cSess.RemoteAddr,
-				TunName:          v.CSess.IfName,
+				TransportProtocol: transportProtocol,
-				Mtu:              v.CSess.Mtu,
+				TunName:           cSess.IfName,
-				Client:           v.CSess.Client,
+				Mtu:               cSess.Mtu,
-				BandwidthUp:      utils.HumanByte(v.CSess.BandwidthUpPeriod.Load()) + "/s",
+				Client:            cSess.Client,
-				BandwidthDown:    utils.HumanByte(v.CSess.BandwidthDownPeriod.Load()) + "/s",
+				BandwidthUp:       utils.HumanByte(cSess.BandwidthUpPeriod.Load()) + "/s",
-				BandwidthUpAll:   utils.HumanByte(v.CSess.BandwidthUpAll.Load()),
+				BandwidthDown:     utils.HumanByte(cSess.BandwidthDownPeriod.Load()) + "/s",
-				BandwidthDownAll: utils.HumanByte(v.CSess.BandwidthDownAll.Load()),
+				BandwidthUpAll:    utils.HumanByte(cSess.BandwidthUpAll.Load()),
 				BandwidthDownAll:  utils.HumanByte(cSess.BandwidthDownAll.Load()),
 				LastLogin:         v.LastLogin,
 			}
 			datas = append(datas, val)
 		}
 		v.mux.Unlock()
 	}
 	sessMux.Unlock()
 	sort.Sort(&datas)
 	return datas
 }
--- a/server/sessdata/session.go
+++ b/server/sessdata/session.go
@@ -2,7 +2,6 @@ package sessdata
 import (
 	"fmt"
 	"math/rand"
 	"net"
 	"strconv"
 	"strings"
@@ -12,8 +11,8 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	mapset "github.com/deckarep/golang-set"
 	atomic2 "go.uber.org/atomic"
 )
 var (
@@ -41,14 +40,15 @@ type ConnSession struct {
 	CstpDpd             int
 	Group               *dbdata.Group
 	Limit               *LimitRater
-	BandwidthUp         atomic2.Uint32 // 使用上行带宽 Byte
+	BandwidthUp         atomic.Uint32 // 使用上行带宽 Byte
-	BandwidthDown       atomic2.Uint32 // 使用下行带宽 Byte
+	BandwidthDown       atomic.Uint32 // 使用下行带宽 Byte
-	BandwidthUpPeriod   atomic2.Uint32 // 前一周期的总量
+	BandwidthUpPeriod   atomic.Uint32 // 前一周期的总量
-	BandwidthDownPeriod atomic2.Uint32
+	BandwidthDownPeriod atomic.Uint32
-	BandwidthUpAll      atomic2.Uint64 // 使用上行带宽总量
+	BandwidthUpAll      atomic.Uint64 // 使用上行带宽总量
-	BandwidthDownAll    atomic2.Uint64 // 使用下行带宽总量
+	BandwidthDownAll    atomic.Uint64 // 使用下行带宽总量
 	closeOnce           sync.Once
 	CloseChan           chan struct{}
 	LastDataTime        atomic.Int64 // 最后数据传输时间
 	PayloadIn           chan *Payload
 	PayloadOutCstp      chan *Payload // Cstp的数据
 	PayloadOutDtls      chan *Payload // Dtls的数据
@@ -91,10 +91,6 @@ type Session struct {
 	CSess *ConnSession
 }
 func init() {
 	rand.Seed(time.Now().UnixNano())
 }
 func checkSession() {
 	// 检测过期的session
 	go func() {
@@ -144,28 +140,16 @@ func CloseUserLimittimeSession() {
 	}
 }
 func GenToken() string {
 	// 生成32位的 token
 	bToken := make([]byte, 32)
 	rand.Read(bToken)
 	return fmt.Sprintf("%x", bToken)
 }
 func NewSession(token string) *Session {
 	if token == "" {
-		btoken := make([]byte, 32)
+		token = utils.RandomHex(32)
 		rand.Read(btoken)
 		token = fmt.Sprintf("%x", btoken)
 	}
 	// 生成 dtlsn session_id
 	dtlsid := make([]byte, 32)
 	rand.Read(dtlsid)
 	sess := &Session{
 		Sid:       fmt.Sprintf("%d", time.Now().Unix()),
 		Token:     token,
-		DtlsSid:   fmt.Sprintf("%x", dtlsid),
+		DtlsSid:   utils.RandomHex(32),
 		LastLogin: time.Now(),
 	}
@@ -219,6 +203,7 @@ func (s *Session) NewConn() *ConnSession {
 		PayloadOutDtls: make(chan *Payload, 64),
 		dSess:          &atomic.Value{},
 	}
 	cSess.LastDataTime.Store(time.Now().Unix())
 	dSess := &DtlsSession{
 		isActive: -1,
@@ -462,7 +447,7 @@ func CloseSess(token string, code ...uint8) {
 		sess.CSess.Close()
 		return
 	}
-	AddUserActLogBySess(sess)
+	AddUserActLogBySess(sess, code...)
 }
 func CloseCSess(token string) {
@@ -499,7 +484,7 @@ func AddUserActLog(cs *ConnSession) {
 	dbdata.UserActLogIns.Add(ua, cs.UserAgent)
 }
-func AddUserActLogBySess(sess *Session) {
+func AddUserActLogBySess(sess *Session, code ...uint8) {
 	ua := dbdata.UserActLog{
 		Username:        sess.Username,
 		GroupName:       sess.Group,
@@ -510,5 +495,8 @@ func AddUserActLogBySess(sess *Session) {
 		Status:          dbdata.UserLogout,
 	}
 	ua.Info = dbdata.UserActLogIns.GetInfoOpsById(dbdata.UserLogoutBanner)
 	if len(code) > 0 {
 		ua.Info = dbdata.UserActLogIns.GetInfoOpsById(code[0])
 	}
 	dbdata.UserActLogIns.Add(ua, sess.UserAgent)
 }
--- a/server/sessdata/session_test.go
+++ b/server/sessdata/session_test.go
@@ -33,7 +33,7 @@ func TestConnSession(t *testing.T) {
 	sess.MacAddr = "00:15:5d:50:14:43"
 	cSess := sess.NewConn()
-	base.Info("cSess", cSess)
+	// base.Info("cSess", cSess)
 	err := cSess.RateLimit(100, true)
 	ast.Nil(err)
@@ -60,4 +60,7 @@ func TestConnSession(t *testing.T) {
 	ast.Equal(cmpName, "")
 	cSess.Close()
 	// 等待日志执行完成
 	time.Sleep(time.Second * 10)
 }
--- a/1
+++ b/1
@@ -0,0 +1 @@
 0.13.1
--- a/1
+++ b/1
@@ -0,0 +1 @@
 version_info
--- a/web/package.json
+++ b/web/package.json
@@ -15,7 +15,8 @@
    "qs": "^6.11.1",
    "vue": "^2.6.11",
    "vue-count-to": "^1.0.13",
-    "vue-router": "^3.5.2"
+    "vue-router": "^3.5.2",
    "vuedraggable": "^2.24.3"
  },
  "devDependencies": {
    "@vue/cli-plugin-babel": "~4.5.0",
--- a/web/src/layout/Layout.vue
+++ b/web/src/layout/Layout.vue
@@ -18,6 +18,14 @@
        <!--子组件上报route信息-->
        <router-view :route_path.sync="route_path" :route_name.sync="route_name"></router-view>
      </el-main>
      <el-footer>
        <div>
          <el-button size="mini" @click="goUrl('https://gitee.com/bjdgyc/anylink')">
            Powered by AnyLink
          </el-button>
          企业级远程办公系统 AGPL-3.0 ⓒ 2020-present
        </div>
      </el-footer>
    </el-container>
  </el-container>
 </template>
@@ -36,6 +44,11 @@ export default {
      route_name: ['首页'],
    }
  },
  methods: {
    goUrl(url) {
      window.open(url, "_blank")
    },
  },
  watch: {
    route_path: function (val) {
      // var w = document.getElementById('layout-menu').clientWidth;
@@ -60,4 +73,16 @@ export default {
  box-shadow: 0 1px 3px 0 rgba(0, 0, 0, .12), 0 0 3px 0 rgba(0, 0, 0, .04);
 }
 .el-footer {
  display: flex;
  align-items: center;
  justify-content: center;
  text-align: center;
  font-size: 12px;
  line-height: 12px;
  margin: 0 12px;
  color: rgb(134, 144, 156);
 }
 </style>
--- a/web/src/layout/LayoutAside.vue
+++ b/web/src/layout/LayoutAside.vue
@@ -7,17 +7,9 @@
  <!--<div class="layout-aside" :style="aside_style">-->
-  <el-menu :collapse="!is_active"
+  <el-menu :collapse="!is_active" :default-active="route_path" :style="is_active ? 'width:200px' : ''" router
-           :default-active="route_path"
+    class="layout-menu" :collapse-transition="false" background-color="#545c64" text-color="#fff"
-           :style="is_active?'width:200px':''"
+    active-text-color="#ffd04b">
           router
           class="layout-menu"
           :collapse-transition="false"
           background-color="#545c64"
           text-color="#fff"
           active-text-color="#ffd04b"
  >
    <el-menu-item index="/admin/home">
      <i class="el-icon-s-home"></i>
      <span slot="title">首页</span>
@@ -44,6 +36,7 @@
      <el-menu-item index="/admin/user/list">用户列表</el-menu-item>
      <el-menu-item index="/admin/user/policy">用户策略</el-menu-item>
      <el-menu-item index="/admin/user/online">在线用户</el-menu-item>
      <el-menu-item index="/admin/user/lockmanager">锁定管理</el-menu-item>
      <el-menu-item index="/admin/user/ip_map">IP映射</el-menu-item>
    </el-submenu>
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -47,7 +47,13 @@
        <el-table-column
            prop="bandwidth"
-            label="带宽限制">
+            label="带宽限制"
            width="90">
          <template slot-scope="scope">
            <el-row v-if="scope.row.bandwidth > 0">{{ convertBandwidth(scope.row.bandwidth, 'BYTE', 'Mbps') }} Mbps
            </el-row>
            <el-row v-else>不限</el-row>
          </template>
        </el-table-column>
        <el-table-column
@@ -62,14 +68,22 @@
        <el-table-column
            prop="route_include"
            label="路由包含"
-            width="200">
+            width="180">
          <template slot-scope="scope">
-            <el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
+            <el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{
                item.val
              }}
            </el-row>
            <div v-if="scope.row.route_include.length > readMinRows">
              <div v-if="readMore[`ri_${ scope.row.id }`]">
-                <el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>              
+                <el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{
                    item.val
                  }}
                </el-row>
              </div>
-              <el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">{{ readMore[`ri_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">
                {{ readMore[`ri_${scope.row.id}`] ? "▲ 收起" : "▼ 更多" }}
              </el-button>
            </div>
          </template>
        </el-table-column>
@@ -77,14 +91,22 @@
        <el-table-column
            prop="route_exclude"
            label="路由排除"
-            width="200">
+            width="180">
          <template slot-scope="scope">
-            <el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
+            <el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{
                item.val
              }}
            </el-row>
            <div v-if="scope.row.route_exclude.length > readMinRows">
              <div v-if="readMore[`re_${ scope.row.id }`]">
-                <el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>              
+                <el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{
                    item.val
                  }}
                </el-row>
              </div>
-              <el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">{{ readMore[`re_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">
                {{ readMore[`re_${scope.row.id}`] ? "▲ 收起" : "▼ 更多" }}
              </el-button>
            </div>
          </template>
        </el-table-column>
@@ -92,7 +114,7 @@
        <el-table-column
            prop="link_acl"
            label="LINK-ACL"
-            min-width="200">
+            min-width="180">
          <template slot-scope="scope">
            <el-row v-for="(item,inx) in scope.row.link_acl.slice(0, readMinRows)" :key="inx">
              {{ item.action }} => {{ item.val }} : {{ item.port }}
@@ -103,7 +125,9 @@
                  {{ item.action }} => {{ item.val }} : {{ item.port }}
                </el-row>
              </div>
-              <el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">{{ readMore[`la_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">
                {{ readMore[`la_${scope.row.id}`] ? "▲ 收起" : "▼ 更多" }}
              </el-button>
            </div>
          </template>
        </el-table-column>
@@ -167,7 +191,7 @@
        :close-on-click-modal="false"
        title="用户组"
        :visible.sync="user_edit_dialog"
-        width="750px"
+        width="850px"
        @close='closeDialog'
        center>
@@ -186,16 +210,21 @@
              <el-input v-model="ruleForm.note"></el-input>
            </el-form-item>
-                <el-form-item label="带宽限制" prop="bandwidth">
+            <el-form-item label="带宽限制" prop="bandwidth_format" style="width:260px;">
-                <el-input v-model.number="ruleForm.bandwidth">
+              <el-input v-model="ruleForm.bandwidth_format"
-                    <template slot="append">BYTE/S</template>
+                        oninput="value= value.match(/\d+(\.\d{0,2})?/) ? value.match(/\d+(\.\d{0,2})?/)[0] : ''">
                <template slot="append">Mbps</template>
              </el-input>
            </el-form-item>
            <el-form-item label="排除本地网络" prop="allow_lan">
-                <el-switch
+              <!--  active-text="开启后 用户本地所在网段将不通过anylink加密传输" -->
-                    v-model="ruleForm.allow_lan"
+              <el-switch v-model="ruleForm.allow_lan"></el-switch>
-                    active-text="开启后 用户本地所在网段将不通过anylink加密传输">
+              <div class="msg-info">
-                </el-switch>
+                注：本地网络 指的是：
                运行 anyconnect 客户端的PC 所在的的网络，即本地路由网段。
                开启后，PC本地路由网段的数据就不会走隧道链路转发数据了。
                同时 anyconnect 客户端需要勾选本地网络(Allow Local Lan)的开关，功能才能生效。
              </div>
            </el-form-item>
            <el-form-item label="客户端DNS" prop="client_dns">
@@ -220,6 +249,30 @@
                </el-col>
              </el-row>
            </el-form-item>
            <el-form-item label="内网域名" prop="split_dns">
              <el-row class="msg-info">
                <el-col :span="20">(分割DNS)一般留空。如果输入域名，只有配置的域名(包含子域名)走配置的dns</el-col>
                <el-col :span="4">
                  <el-button size="mini" type="success" icon="el-icon-plus" circle
                             @click.prevent="addDomain(ruleForm.split_dns)"></el-button>
                </el-col>
              </el-row>
              <el-row v-for="(item,index) in ruleForm.split_dns"
                      :key="index" style="margin-bottom: 5px" :gutter="10">
                <el-col :span="10">
                  <el-input v-model="item.val"></el-input>
                </el-col>
                <el-col :span="12">
                  <el-input v-model="item.note" placeholder="备注"></el-input>
                </el-col>
                <el-col :span="2">
                  <el-button size="mini" type="danger" icon="el-icon-minus" circle
                             @click.prevent="removeDomain(ruleForm.split_dns,index)"></el-button>
                </el-col>
              </el-row>
            </el-form-item>
            <el-form-item label="状态" prop="status">
              <el-radio-group v-model="ruleForm.status">
                <el-radio :label="1" border>启用</el-radio>
@@ -237,38 +290,53 @@
              </el-radio-group>
            </el-form-item>
            <template v-if="ruleForm.auth.type == 'radius'">
-                  <el-form-item label="服务器地址" prop="auth.radius.addr" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
+              <el-form-item label="服务器地址" prop="auth.radius.addr"
                            :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.radius.addr" placeholder="例如 ip:1812"></el-input>
              </el-form-item>
-                  <el-form-item label="密钥" prop="auth.radius.secret" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
+              <el-form-item label="密钥" prop="auth.radius.secret"
                            :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.radius.secret" placeholder=""></el-input>
              </el-form-item>
              <el-form-item label="Nasip" prop="auth.radius.nasip">
                <el-input v-model="ruleForm.auth.radius.nasip" placeholder=""></el-input>
              </el-form-item>
            </template>
            <template v-if="ruleForm.auth.type == 'ldap'">
-                  <el-form-item label="服务器地址" prop="auth.ldap.addr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
+              <el-form-item label="服务器地址" prop="auth.ldap.addr"
                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 ip:389 / 域名:389"></el-input>
              </el-form-item>
              <el-form-item label="开启TLS" prop="auth.ldap.tls">
                <el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>
              </el-form-item>
-                  <el-form-item label="管理员 DN" prop="auth.ldap.bind_name" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
+              <el-form-item label="管理员 DN" prop="auth.ldap.bind_name"
-                    <el-input v-model="ruleForm.auth.ldap.bind_name" placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.ldap.bind_name"
                          placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
              </el-form-item>
-                  <el-form-item label="管理员密码" prop="auth.ldap.bind_pwd" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
+              <el-form-item label="管理员密码" prop="auth.ldap.bind_pwd"
                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
                <el-input type="password" v-model="ruleForm.auth.ldap.bind_pwd" placeholder=""></el-input>
              </el-form-item>
-                  <el-form-item label="Base DN" prop="auth.ldap.base_dn" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
+              <el-form-item label="Base DN" prop="auth.ldap.base_dn"
                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.ldap.base_dn" placeholder="例如 DC=abc,DC=com"></el-input>
              </el-form-item>
-                  <el-form-item label="用户对象类" prop="auth.ldap.object_class" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
+              <el-form-item label="用户对象类" prop="auth.ldap.object_class"
-                    <el-input v-model="ruleForm.auth.ldap.object_class" placeholder="例如 person / user / posixAccount"></el-input>
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.ldap.object_class"
                          placeholder="例如 person / user / posixAccount"></el-input>
              </el-form-item>
-                  <el-form-item label="用户唯一ID" prop="auth.ldap.search_attr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
+              <el-form-item label="用户唯一ID" prop="auth.ldap.search_attr"
-                    <el-input v-model="ruleForm.auth.ldap.search_attr" placeholder="例如 sAMAccountName / uid / cn"></el-input>
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
                <el-input v-model="ruleForm.auth.ldap.search_attr"
                          placeholder="例如 sAMAccountName / uid / cn"></el-input>
              </el-form-item>
              <el-form-item label="受限用户组" prop="auth.ldap.member_of">
-                    <el-input v-model="ruleForm.auth.ldap.member_of" placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
+                <el-input v-model="ruleForm.auth.ldap.member_of"
                          placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
              </el-form-item>
            </template>
          </el-tab-pane>
@@ -276,12 +344,17 @@
          <el-tab-pane label="路由设置" name="route">
            <el-form-item label="包含路由" prop="route_include">
              <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.1.0/24</el-col>
+                <el-col :span="18">输入CIDR格式如: 192.168.1.0/24</el-col>
-                    <el-col :span="4">
+                <el-col :span="2">
                  <el-button size="mini" type="success" icon="el-icon-plus" circle
                             @click.prevent="addDomain(ruleForm.route_include)"></el-button>
                </el-col>
                <el-col :span="4">
                  <el-button size="mini" type="info" icon="el-icon-edit" circle
                             @click.prevent="openIpListDialog('route_include')"></el-button>
                </el-col>
              </el-row>
              <templete v-if="activeTab == 'route'">
                <el-row v-for="(item,index) in ruleForm.route_include"
                        :key="index" style="margin-bottom: 5px" :gutter="10">
                  <el-col :span="10">
@@ -295,16 +368,22 @@
                               @click.prevent="removeDomain(ruleForm.route_include,index)"></el-button>
                  </el-col>
                </el-row>
              </templete>
            </el-form-item>
            <el-form-item label="排除路由" prop="route_exclude">
              <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.2.0/24</el-col>
+                <el-col :span="18">输入CIDR格式如: 192.168.2.0/24</el-col>
-                    <el-col :span="4">
+                <el-col :span="2">
                  <el-button size="mini" type="success" icon="el-icon-plus" circle
                             @click.prevent="addDomain(ruleForm.route_exclude)"></el-button>
                </el-col>
                <el-col :span="4">
                  <el-button size="mini" type="info" icon="el-icon-edit" circle
                             @click.prevent="openIpListDialog('route_exclude')"></el-button>
                </el-col>
              </el-row>
              <templete v-if="activeTab == 'route'">
                <el-row v-for="(item,index) in ruleForm.route_exclude"
                        :key="index" style="margin-bottom: 5px" :gutter="10">
                  <el-col :span="10">
@@ -318,21 +397,33 @@
                               @click.prevent="removeDomain(ruleForm.route_exclude,index)"></el-button>
                  </el-col>
                </el-row>
              </templete>
            </el-form-item>
          </el-tab-pane>
          <el-tab-pane label="权限控制" name="link_acl">
            <el-form-item label="权限控制" prop="link_acl">
              <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.3.0/24 端口0表示所有端口</el-col>
+                <el-col :span="22">输入CIDR格式如: 192.168.3.0/24
-                    <el-col :span="4">
+                  协议支持 all,tcp,udp,icmp
                  端口0表示所有端口,多个端口:80,443,连续端口:1234-5678
                </el-col>
                <el-col :span="2">
                  <el-button size="mini" type="success" icon="el-icon-plus" circle
                             @click.prevent="addDomain(ruleForm.link_acl)"></el-button>
                </el-col>
              </el-row>
              <!--  添加拖拽功能  -->
              <draggable v-model="ruleForm.link_acl" handle=".drag-handle" @end="onEnd">
              <el-row v-for="(item,index) in ruleForm.link_acl"
-                        :key="index" style="margin-bottom: 5px" :gutter="5">
+                      :key="index" style="margin-bottom: 5px" :gutter="1">
-                    <el-col :span="11">
+
                <el-col :span="1" class="drag-handle">
                <i class="el-icon-rank"></i>
                </el-col>
                <el-col :span="9">
                  <el-input placeholder="请输入CIDR地址" v-model="item.val">
                    <el-select v-model="item.action" slot="prepend">
                      <el-option label="允许" value="allow"></el-option>
@@ -340,26 +431,38 @@
                    </el-select>
                  </el-input>
                </el-col>
                <el-col :span="3">
-                    <el-input v-model.number="item.port" placeholder="端口"></el-input>
+                    <el-input placeholder="协议" v-model="item.protocol">
                </el-col>
-                    <el-col :span="8">
+
                <el-col :span="6">
                  <!--  type="textarea" :autosize="{ minRows: 1, maxRows: 2}"  -->
                  <el-input v-model="item.port" placeholder="多端口,号分隔"></el-input>
                </el-col>
                <el-col :span="3">
                  <el-input v-model="item.note" placeholder="备注"></el-input>
                </el-col>
                <el-col :span="2">
                  <el-button size="mini" type="danger" icon="el-icon-minus" circle
                             @click.prevent="removeDomain(ruleForm.link_acl,index)"></el-button>
                </el-col>
              </el-row>
              </draggable>
            </el-form-item>
          </el-tab-pane>
          <el-tab-pane label="域名拆分隧道" name="ds_domains">
            <el-form-item label="包含域名" prop="ds_include_domains">
-                    <el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
+              <el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains"
                        placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
            </el-form-item>
            <el-form-item label="排除域名" prop="ds_exclude_domains">
-                    <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
+              <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains"
                        placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
              <div class="msg-info">注：域名拆分隧道，仅支持AnyConnect的windows和MacOS桌面客户端，不支持移动端.</div>
            </el-form-item>
          </el-tab-pane>
          <el-form-item>
@@ -382,7 +485,8 @@
        center>
      <el-form :model="authLoginForm" :rules="authLoginRules" ref="authLoginForm" label-width="100px">
        <el-form-item label="账号" prop="name">
-                <el-input v-model="authLoginForm.name" ref="authLoginFormName" @keydown.enter.native="testAuthLogin"></el-input>
+          <el-input v-model="authLoginForm.name" ref="authLoginFormName"
                    @keydown.enter.native="testAuthLogin"></el-input>
        </el-form-item>
        <el-form-item label="密码" prop="pwd">
          <el-input type="password" v-model="authLoginForm.pwd" @keydown.enter.native="testAuthLogin"></el-input>
@@ -393,15 +497,39 @@
        </el-form-item>
      </el-form>
    </el-dialog>
    <!--编辑模式弹窗-->
    <el-dialog
        :close-on-click-modal="false"
        title="编辑模式"
        :visible.sync="ipListDialog"
        width="650px"
        custom-class="valgin-dialog"
        center>
      <el-form ref="ipEditForm" label-width="80px">
        <el-form-item label="路由表" prop="ip_list">
          <el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list"
                    placeholder="每行一条路由，例：192.168.1.0/24,备注 或 192.168.1.0/24"></el-input>
          <div class="msg-info">当前共
            {{ ipEditForm.ip_list.trim() === '' ? 0 : ipEditForm.ip_list.trim().split("\n").length }}
            条（注：AnyConnect客户端最多支持{{ this.maxRouteRows }}条路由）
          </div>
        </el-form-item>
        <el-form-item>
          <el-button type="primary" @click="ipEdit()" :loading="ipEditLoading">更新</el-button>
          <el-button @click="ipListDialog = false">取 消</el-button>
        </el-form-item>
      </el-form>
    </el-dialog>
  </div>
 </template>
 <script>
 import axios from "axios";
 import draggable from 'vuedraggable'
 export default {
  name: "List",
-  components: {},
+  components: {draggable},
  mixins: [],
  created() {
    this.$emit('update:route_path', this.$route.path)
@@ -419,9 +547,10 @@ export default {
      activeTab: "general",
      readMore: {},
      readMinRows: 5,
      maxRouteRows: 2500,
      defAuth: {
        type: 'local',
-                radius:{addr:"", secret:""},
+        radius: {addr: "", secret: "", nasip: ""},
        ldap: {
          addr: "",
          tls: false,
@@ -435,20 +564,28 @@ export default {
      },
      ruleForm: {
        bandwidth: 0,
        bandwidth_format: '0',
        status: 1,
        allow_lan: true,
-        client_dns: [{val: '114.114.114.114'}],
+        client_dns: [{val: '114.114.114.114', note: '默认dns'}],
        split_dns: [],
        route_include: [{val: 'all', note: '默认全局代理'}],
        route_exclude: [],
        link_acl: [],
        auth: {},
      },
      authLoginDialog: false,
      ipListDialog: false,
      authLoginLoading: false,
      authLoginForm: {
        name: "",
        pwd: "",
      },
      ipEditForm: {
        ip_list: "",
        type: "",
      },
      ipEditLoading: false,
      authLoginRules: {
        name: [
          {required: true, message: '请输入账号', trigger: 'blur'},
@@ -463,9 +600,9 @@ export default {
          {required: true, message: '请输入组名', trigger: 'blur'},
          {max: 30, message: '长度小于 30 个字符', trigger: 'blur'}
        ],
-        bandwidth: [
+        bandwidth_format: [
          {required: true, message: '请输入带宽限制', trigger: 'blur'},
-          {type: 'number', message: '带宽限制必须为数字值'}
+          {type: 'string', message: '带宽限制必须为数字值'}
        ],
        status: [
          {required: true}
@@ -498,6 +635,9 @@ export default {
    }
  },
  methods: {
    onEnd: function() {
       window.console.log("onEnd", this.ruleForm.link_acl);
    },
    setAuthData(row) {
      if (!row) {
        this.ruleForm.auth = JSON.parse(JSON.stringify(this.defAuth));
@@ -536,6 +676,7 @@ export default {
          id: row.id,
        }
      }).then(resp => {
        resp.data.data.bandwidth_format = this.convertBandwidth(resp.data.data.bandwidth, 'BYTE', 'Mbps').toString();
        this.ruleForm = resp.data.data;
        this.setAuthData(resp.data.data);
      }).catch(error => {
@@ -574,7 +715,8 @@ export default {
      // arr.pop()
    },
    addDomain(arr) {
-      arr.push({val: "", action: "allow", port: 0});
+      console.log("arr", arr)
      arr.push({protocol:"all", val: "", action: "allow", port: "0", note: ""});
    },
    submitForm(formName) {
      this.$refs[formName].validate((valid) => {
@@ -582,6 +724,7 @@ export default {
          console.log('error submit!!');
          return false;
        }
        this.ruleForm.bandwidth = this.convertBandwidth(this.ruleForm.bandwidth_format, 'Mbps', 'BYTE');
        axios.post('/group/set', this.ruleForm).then(resp => {
          const rdata = resp.data;
          if (rdata.code === 0) {
@@ -605,9 +748,11 @@ export default {
          return false;
        }
        this.authLoginLoading = true;
-            axios.post('/group/auth_login', {name:this.authLoginForm.name,
+        axios.post('/group/auth_login', {
          name: this.authLoginForm.name,
          pwd: this.authLoginForm.pwd,
-                                            auth:this.ruleForm.auth}).then(resp => {
+          auth: this.ruleForm.auth
        }).then(resp => {
          const rdata = resp.data;
          if (rdata.code === 0) {
            this.$message.success("登录成功");
@@ -636,6 +781,70 @@ export default {
        });
      });
    },
    openIpListDialog(type) {
      this.ipListDialog = true;
      this.ipEditForm.type = type;
      this.ipEditForm.ip_list = this.ruleForm[type].map(item => item.val + (item.note ? "," + item.note : "")).join("\n");
    },
    ipEdit() {
      this.ipEditLoading = true;
      let ipList = [];
      if (this.ipEditForm.ip_list.trim() !== "") {
        ipList = this.ipEditForm.ip_list.trim().split("\n");
      }
      let arr = [];
      for (let i = 0; i < ipList.length; i++) {
        let item = ipList[i];
        if (item.trim() === "") {
          continue;
        }
        let ip = item.split(",");
        if (ip.length > 2) {
          ip[1] = ip.slice(1).join(",");
        }
        let note = ip[1] ? ip[1] : "";
        const pushToArr = () => {
          arr.push({val: ip[0], note: note});
        };
        if (this.ipEditForm.type == "route_include" && ip[0] == "all") {
          pushToArr();
          continue;
        }
        let valid = this.isValidCIDR(ip[0]);
        if (!valid.valid) {
          this.$message.error("错误：CIDR格式错误，建议 " + ip[0] + " 改为 " + valid.suggestion);
          this.ipEditLoading = false;
          return;
        }
        pushToArr();
      }
      this.ruleForm[this.ipEditForm.type] = arr;
      this.ipEditLoading = false;
      this.ipListDialog = false;
    },
    isValidCIDR(input) {
      const cidrRegex = /^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)\/([12]?\d|3[0-2])$/;
      if (!cidrRegex.test(input)) {
        return {valid: false, suggestion: null};
      }
      const [ip, mask] = input.split('/');
      const maskNum = parseInt(mask);
      const ipParts = ip.split('.').map(part => parseInt(part));
      const binaryIP = ipParts.map(part => part.toString(2).padStart(8, '0')).join('');
      for (let i = maskNum; i < 32; i++) {
        if (binaryIP[i] === '1') {
          const binaryNetworkPart = binaryIP.substring(0, maskNum).padEnd(32, '0');
          const networkIPParts = [];
          for (let j = 0; j < 4; j++) {
            const octet = binaryNetworkPart.substring(j * 8, (j + 1) * 8);
            networkIPParts.push(parseInt(octet, 2));
          }
          const suggestedIP = networkIPParts.join('.');
          return {valid: false, suggestion: `${suggestedIP}/${mask}`};
        }
      }
      return {valid: true, suggestion: null};
    },
    resetForm(formName) {
      this.$refs[formName].resetFields();
    },
@@ -666,6 +875,18 @@ export default {
    closeDialog() {
      this.user_edit_dialog = false;
      this.activeTab = "general";
    },
    convertBandwidth(bandwidth, fromUnit, toUnit) {
      const units = {
        bps: 1,
        Kbps: 1000,
        Mbps: 1000000,
        Gbps: 1000000000,
        BYTE: 8,
      };
      const result = bandwidth * units[fromUnit] / units[toUnit];
      const fixedResult = result.toFixed(2);
      return parseFloat(fixedResult);
    }
  },
 }
@@ -697,8 +918,14 @@ export default {
  max-height: calc(100% - 30px);
  max-width: calc(100% - 30px);
 }
 ::v-deep .valgin-dialog .el-dialog__body {
  flex: 1;
  overflow: auto;
 }
 .drag-handle {
  cursor: move;
 }
 </style>
--- a/web/src/pages/set/Other.vue
+++ b/web/src/pages/set/Other.vue
@@ -37,7 +37,8 @@
          </el-form-item>
          <el-form-item>
            <el-button type="primary" @click="submitForm('dataSmtp')"
-              >保存</el-button
+            >保存
            </el-button
            >
            <el-button @click="resetForm('dataSmtp')">重置</el-button>
          </el-form-item>
@@ -88,7 +89,7 @@
                step: '01:00',
                end: '23:00',
              }"
-              editable="false,"
+                :editable="false"
                size="small"
                placeholder="请选择"
                style="width: 130px"
@@ -97,7 +98,8 @@
          </el-form-item>
          <el-form-item>
            <el-button type="primary" @click="submitForm('dataAuditLog')"
-              >保存</el-button
+            >保存
            </el-button
            >
            <el-button @click="resetForm('dataAuditLog')">重置</el-button>
          </el-form-item>
@@ -125,7 +127,8 @@
                    :limit="1"
                >
                  <el-button size="mini" icon="el-icon-plus" slot="trigger"
-                    >证书文件</el-button
+                  >证书文件
                  </el-button
                  >
                  <el-tooltip
                      class="item"
@@ -145,7 +148,8 @@
                    :limit="1"
                >
                  <el-button size="mini" icon="el-icon-plus" slot="trigger"
-                    >私钥文件</el-button
+                  >私钥文件
                  </el-button
                  >
                  <el-tooltip
                      class="item"
@@ -163,7 +167,8 @@
                    icon="el-icon-upload"
                    type="primary"
                    @click="submitForm('customCert')"
-                  >上传</el-button
+                >上传
                </el-button
                >
              </el-form-item>
            </el-form>
@@ -214,7 +219,8 @@
              </el-form-item>
              <el-form-item>
                <el-button type="primary" @click="submitForm('letsCert')"
-                  >申请</el-button
+                >申请
                </el-button
                >
                <el-button @click="resetForm('letsCert')">重置</el-button>
              </el-form-item>
@@ -227,7 +233,7 @@
            :model="dataOther"
            ref="dataOther"
            :rules="rules"
-          label-width="100px"
+            label-width="130px"
            class="tab-one"
        >
          <el-form-item label="vpn对外地址" prop="link_addr">
@@ -245,17 +251,28 @@
            </el-input>
          </el-form-item>
          <el-form-item label="自定义首页状态码" prop="homecode">
            <el-input-number
                v-model="dataOther.homecode"
                :min="0"
                :max="1000"
            ></el-input-number>
          </el-form-item>
          <el-form-item label="自定义首页" prop="homeindex">
            <el-input
                type="textarea"
-              :rows="5"
+                :rows="10"
                placeholder="请输入内容"
                v-model="dataOther.homeindex"
            >
            </el-input>
            <el-tooltip content="自定义内容可以参考 index_template 目录下的文件" placement="top">
              <i class="el-icon-question"></i>
            </el-tooltip>
          </el-form-item>
-          <el-form-item label="账户开通邮件" prop="account_mail">
+          <el-form-item label="账户开通邮件模板" prop="account_mail">
            <el-input
                type="textarea"
                :rows="10"
@@ -276,7 +293,8 @@
          <el-form-item>
            <el-button type="primary" @click="submitForm('dataOther')"
-              >保存</el-button
+            >保存
            </el-button
            >
            <el-button @click="resetForm('dataOther')">重置</el-button>
          </el-form-item>
@@ -318,8 +336,7 @@ export default {
          secretKey: "",
        },
        cfcloud: {
-          authEmail: "",
+          authToken: "",
          authKey: "",
        },
      },
      customCert: {cert: "", key: ""},
@@ -399,19 +416,13 @@ export default {
        ],
        cfcloud: [
          {
-            label: "Email",
+            label: "AuthToken",
-            prop: "email",
+            prop: "authToken",
            component: "el-input",
            type: "text",
          },
          {
            label: "AuthKey",
            prop: "authKey",
            component: "el-input",
            type: "password",
            rules: {
              required: true,
-              message: "请输入正确的APIKey",
+              message: "请输入正确的AuthToken",
              trigger: "blur",
            },
          },
@@ -551,12 +562,20 @@ export default {
                });
            break;
          case "letsCert":
            var loading = this.$loading({
              lock: true,
              text: "证书申请中...",
              spinner: "el-icon-loading",
              background: "rgba(0, 0, 0, 0.7)",
            });
            axios.post("/set/other/createcert", this.letsCert).then((resp) => {
              var rdata = resp.data;
              console.log(rdata);
              if (rdata.code === 0) {
                loading.close();
                this.$message.success(rdata.msg);
              } else {
                loading.close();
                this.$message.error(rdata.msg);
              }
            });
--- a/web/src/pages/set/System.vue
+++ b/web/src/pages/set/System.vue
@@ -50,6 +50,7 @@
      </div>
      <Cell left="软件版本" :right="system.sys.appVersion" divider/>
      <Cell left="软件CommitId" :right="system.sys.appCommitId" divider/>
      <Cell left="软件BuildDate" :right="system.sys.appBuildDate" divider/>
      <Cell left="GO系统" :right="system.sys.goOs" divider/>
      <Cell left="GoArch" :right="system.sys.goArch" divider/>
      <Cell left="GO版本" :right="system.sys.goVersion" divider/>
--- a/web/src/pages/user/IpMap.vue
+++ b/web/src/pages/user/IpMap.vue
@@ -48,6 +48,7 @@
                        label="唯一MAC">
                    <template slot-scope="scope">
                        <el-tag v-if="scope.row.unique_mac" type="success">是</el-tag>
                        <el-tag v-else type="info">否</el-tag>
                    </template>
                </el-table-column>
--- a/web/src/pages/user/List.vue
+++ b/web/src/pages/user/List.vue
@@ -3,105 +3,65 @@
    <el-card>
      <el-form :inline="true">
        <el-form-item>
-          <el-button
+          <el-button size="small" type="primary" icon="el-icon-plus" @click="handleEdit('')">添加
              size="small"
              type="primary"
              icon="el-icon-plus"
              @click="handleEdit('')">添加
          </el-button>
        </el-form-item>
        <el-form-item>
          <el-dropdown size="small" placement="bottom">
-            <el-upload
+            <el-upload class="uploaduser" action="uploaduser" accept=".xlsx, .xls" :http-request="upLoadUser" :limit="1"
              class="uploaduser"
              action="uploaduser"
              accept=".xlsx, .xls"
              :http-request="upLoadUser"
              :limit="1"
              :show-file-list="false">
              <el-button size="small" icon="el-icon-upload2" type="primary">批量添加</el-button>
            </el-upload>
            <el-dropdown-menu slot="dropdown">
              <el-dropdown-item>
-              <el-link style="font-size:12px;" type="success" href="批量添加用户模版.xlsx"><i class="el-icon-download"></i>下载模版</el-link>
+                <el-link style="font-size:12px;" type="success" href="批量添加用户模版.xlsx"><i
                    class="el-icon-download"></i>下载模版
                </el-link>
              </el-dropdown-item>
            </el-dropdown-menu>
          </el-dropdown>
        </el-form-item>
-        <el-form-item label="用户名:">
+        <el-form-item label="用户名或姓名或邮箱:">
-          <el-input size="small" v-model="searchData" placeholder="请输入内容" @keydown.enter.native="searchEnterFun"></el-input>
+          <el-input size="small" v-model="searchData" placeholder="请输入内容"
            @keydown.enter.native="searchEnterFun"></el-input>
        </el-form-item>
        <el-form-item>
-          <el-button
+          <el-button size="small" type="primary" icon="el-icon-search" @click="handleSearch()">搜索
              size="small"
              type="primary"
              icon="el-icon-search"
              @click="handleSearch()">搜索
          </el-button>
-          <el-button
+          <el-button size="small" icon="el-icon-refresh" @click="reset">重置搜索
              size="small"
              icon="el-icon-refresh"
              @click="reset">重置搜索
          </el-button>
        </el-form-item>
      </el-form>
-      <el-table
+      <el-table ref="multipleTable" :data="tableData" border>
          ref="multipleTable"
          :data="tableData"
          border>
-        <el-table-column
+        <el-table-column sortable="true" prop="id" label="ID" width="60">
            sortable="true"
            prop="id"
            label="ID"
            width="60">
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="username" label="用户名" width="150">
            prop="username"
            label="用户名"
            width="150">
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="nickname" label="姓名" width="100">
            prop="nickname"
            label="姓名"
            width="100">
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="email" label="邮箱">
            prop="email"
            label="邮箱">
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="otp_secret" label="OTP密钥" width="110">
            prop="otp_secret"
            label="OTP密钥"
            width="110">
          <template slot-scope="scope">
-            <el-button
+            <el-button v-if="!scope.row.disable_otp" type="text" icon="el-icon-view" @click="getOtpImg(scope.row)">
                v-if="!scope.row.disable_otp"
                type="text"
                icon="el-icon-view"
                @click="getOtpImg(scope.row)">
              {{ scope.row.otp_secret.substring(0, 6) }}
            </el-button>
          </template>
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="groups" label="用户组">
            prop="groups"
            label="用户组">
          <template slot-scope="scope">
            <el-row v-for="item in scope.row.groups" :key="item">{{ item }}</el-row>
          </template>
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="status" label="状态" width="70">
            prop="status"
            label="状态"
            width="70">
          <template slot-scope="scope">
            <el-tag v-if="scope.row.status === 1" type="success">可用</el-tag>
            <el-tag v-if="scope.row.status === 0" type="danger">停用</el-tag>
@@ -109,20 +69,12 @@
          </template>
        </el-table-column>
-        <el-table-column
+        <el-table-column prop="updated_at" label="更新时间" :formatter="tableDateFormat">
            prop="updated_at"
            label="更新时间"
            :formatter="tableDateFormat">
        </el-table-column>
-        <el-table-column
+        <el-table-column label="操作" width="210">
            label="操作"
            width="210">
          <template slot-scope="scope">
-            <el-button
+            <el-button size="mini" type="primary" @click="handleEdit(scope.row)">编辑
                size="mini"
                type="primary"
                @click="handleEdit(scope.row)">编辑
            </el-button>
            <!--            <el-popconfirm
@@ -136,14 +88,8 @@
                          </el-button>
                        </el-popconfirm>-->
-            <el-popconfirm
+            <el-popconfirm class="m-left-10" @confirm="handleDel(scope.row)" title="确定要删除用户吗？">
-                class="m-left-10"
+              <el-button slot="reference" size="mini" type="danger">删除
                @confirm="handleDel(scope.row)"
                title="确定要删除用户吗？">
              <el-button
                  slot="reference"
                  size="mini"
                  type="danger">删除
              </el-button>
            </el-popconfirm>
@@ -153,33 +99,19 @@
      <div class="sh-20"></div>
-      <el-pagination
+      <el-pagination background layout="prev, pager, next" :pager-count="11" @current-change="pageChange"
-          background
+        :current-page="page" :total="count">
          layout="prev, pager, next"
          :pager-count="11"
          @current-change="pageChange"
          :current-page="page"
          :total="count">
      </el-pagination>
    </el-card>
-    <el-dialog
+    <el-dialog title="OTP密钥" :visible.sync="otpImgData.visible" width="350px" center>
        title="OTP密钥"
        :visible.sync="otpImgData.visible"
        width="350px"
        center>
      <div style="text-align: center">{{ otpImgData.username }} : {{ otpImgData.nickname }}</div>
      <img :src="otpImgData.base64Img" alt="otp-img" />
    </el-dialog>
    <!--新增、修改弹出框-->
-    <el-dialog
+    <el-dialog :close-on-click-modal="false" title="用户" :visible="user_edit_dialog" @close="disVisible" width="650px"
        :close-on-click-modal="false"
        title="用户"
        :visible="user_edit_dialog"
        @close="disVisible"
        width="650px"
      center>
      <el-form :model="ruleForm" :rules="rules" ref="ruleForm" label-width="100px" class="ruleForm">
@@ -201,20 +133,13 @@
        </el-form-item>
        <el-form-item label="过期时间" prop="limittime">
-          <el-date-picker
+          <el-date-picker v-model="ruleForm.limittime" type="date" size="small" align="center" style="width:130px"
-            v-model="ruleForm.limittime"
+            :picker-options="pickerOptions" placeholder="选择日期">
            type="date"
            size="small"
            align="center"
            style="width:130px"
            :picker-options="pickerOptions"
            placeholder="选择日期">
          </el-date-picker>
        </el-form-item>
        <el-form-item label="禁用OTP" prop="disable_otp">
-          <el-switch
+          <el-switch v-model="ruleForm.disable_otp" active-text="开启OTP后，用户密码为PIN码,OTP密码为扫码后生成的动态码">
              v-model="ruleForm.disable_otp">
          </el-switch>
        </el-form-item>
@@ -229,8 +154,7 @@
        </el-form-item>
        <el-form-item label="发送邮件" prop="send_email">
-          <el-switch
+          <el-switch v-model="ruleForm.send_email">
              v-model="ruleForm.send_email">
          </el-switch>
        </el-form-item>
@@ -469,6 +393,4 @@ export default {
 }
 </script>
-<style scoped>
+<style scoped></style>
 </style>
--- a/web/src/pages/user/LockManager.vue
+++ b/web/src/pages/user/LockManager.vue
@@ -0,0 +1,109 @@
 <template>
    <div id="lock-manager">
        <el-card>
            <div slot="header">
                <el-button type="primary" @click="getLocks">刷新信息</el-button>
            </div>
            <el-table :data="locksInfo" style="width: 100%" border>
                <el-table-column type="index" label="序号" width="60"></el-table-column>
                <el-table-column prop="description" label="描述"></el-table-column>
                <el-table-column prop="username" label="用户名"></el-table-column>
                <el-table-column prop="ip" label="IP地址"></el-table-column>
                <el-table-column prop="state.locked" label="状态" width="100">
                    <template slot-scope="scope">
                        <el-tag :type="scope.row.state.locked ? 'danger' : 'success'">
                            {{ scope.row.state.locked ? '已锁定' : '未锁定' }}
                        </el-tag>
                    </template>
                </el-table-column>
                <el-table-column prop="state.attempts" label="失败次数"></el-table-column>
                <el-table-column prop="state.lock_time" label="锁定截止时间">
                    <template slot-scope="scope">
                        {{ formatDate(scope.row.state.lock_time) }}
                    </template>
                </el-table-column>
                <el-table-column prop="state.lastAttempt" label="最后尝试时间">
                    <template slot-scope="scope">
                        {{ formatDate(scope.row.state.lastAttempt) }}
                    </template>
                </el-table-column>
                <el-table-column label="操作">
                    <template slot-scope="scope">
                        <div class="button">
                            <el-button size="small" type="danger" @click="unlock(scope.row)">
                                解锁
                            </el-button>
                        </div>
                    </template>
                </el-table-column>
            </el-table>
        </el-card>
    </div>
 </template>
 <script>
 import axios from 'axios';
 export default {
    name: 'LockManager',
    data() {
        return {
            locksInfo: []
        };
    },
    methods: {
        getLocks() {
            axios.get('/locksinfo/list')
                .then(response => {
                    this.locksInfo = response.data.data;
                })
                .catch(error => {
                    console.error('Failed to get locks info:', error);
                    this.$message.error('无法获取锁信息，请稍后再试。');
                });
        },
        unlock(lock) {
            const lockInfo = {
                state: { locked: false },
                username: lock.username,
                ip: lock.ip,
                description: lock.description
            };
            axios.post('/locksinfo/unlok', lockInfo)
                .then(() => {
                    this.$message.success('解锁成功！');
                    this.getLocks();
                })
                .catch(error => {
                    console.error('Failed to unlock:', error);
                    this.$message.error('解锁失败，请稍后再试。');
                });
        },
        formatDate(dateString) {
            if (!dateString) return '';
            const date = new Date(dateString);
            return new Intl.DateTimeFormat('zh-CN', {
                year: 'numeric',
                month: '2-digit',
                day: '2-digit',
                hour: '2-digit',
                minute: '2-digit',
                second: '2-digit',
                hour12: false
            }).format(date);
        }
    },
    created() {
        this.getLocks();
    }
 };
 </script>
 <style scoped>
 .button {
    display: flex;
    justify-content: center;
    align-items: center;
 }
 </style>
--- a/web/src/pages/user/Online.vue
+++ b/web/src/pages/user/Online.vue
@@ -1,6 +1,59 @@
 <template>
  <div>
    <el-card>
      <el-form :inline="true">
        <el-form-item>
          <el-select
              v-model="searchCate"
              style="width: 86px;"                      
              @change="handleSearch">
            <el-option
                label="用户名"
                value="username">
            </el-option>
            <el-option
                label="登录组"
                value="group">
            </el-option>            
            <el-option
                label="MAC地址"
                value="mac_addr">
            </el-option>
            <el-option
                label="IP地址"
                value="ip">
            </el-option>
            <el-option
                label="远端地址"
                value="remote_addr">
            </el-option>
          </el-select>
        </el-form-item>
        <el-form-item>
          <el-input
              v-model="searchText"
              placeholder="请输入搜索内容"
              @input="handleSearch">
          </el-input>
        </el-form-item>        
        <el-form-item>
          显示休眠用户：
            <el-switch
                v-model="showSleeper"
                @change="handleSearch">
            </el-switch>
        </el-form-item>
        <el-form-item>
          <el-button
              class="extra-small-button"
              type="danger"
              size="mini"
              :loading="loadingOneOffline"
              @click="handleOneOffline">
            一键下线
          </el-button>
      </el-form>
      <el-table
          ref="multipleTable"
          :data="tableData"
@@ -20,7 +73,7 @@
        <el-table-column
            prop="group"
-            label="登陆组">
+            label="登录组">
        </el-table-column>
        <el-table-column
@@ -33,6 +86,7 @@
            label="唯一MAC">
            <template slot-scope="scope">
                <el-tag v-if="scope.row.unique_mac" type="success">是</el-tag>
                <el-tag v-else type="info">否</el-tag>
            </template>
        </el-table-column>
@@ -46,7 +100,10 @@
            prop="remote_addr"
            label="远端地址">
        </el-table-column>
-
+        <el-table-column
            prop="transport_protocol"
            label="传输协议">
        </el-table-column>
        <el-table-column
            prop="tun_name"
            label="虚拟网卡">
@@ -67,7 +124,6 @@
        </el-table-column>
        <el-table-column
            prop="status"
            label="实时 上行/下行"
            width="220">
          <template slot-scope="scope">
@@ -77,7 +133,6 @@
        </el-table-column>
        <el-table-column
            prop="status"
            label="总量 上行/下行"
            width="200">
          <template slot-scope="scope">
@@ -88,7 +143,7 @@
        <el-table-column
            prop="last_login"
-            label="登陆时间"
+            label="登录时间"
            :formatter="tableDateFormat">
        </el-table-column>
@@ -99,6 +154,7 @@
            <el-button
                size="mini"
                type="primary"
                v-if="scope.row.remote_addr !== ''"
                @click="handleReline(scope.row)">重连
            </el-button>
@@ -123,6 +179,7 @@
 <script>
 import axios from "axios";
 import { MessageBox } from 'element-ui';
 export default {
  name: "Online",
@@ -147,6 +204,10 @@ export default {
  data() {
    return {
      tableData: [],
      searchCate: 'username',
      searchText: '',
      showSleeper: false,
      loadingOneOffline: false,
    }
  },
  methods: {
@@ -185,8 +246,43 @@ export default {
    handleEdit(a, row) {
      console.log(a, row)
    },
    handleOneOffline() {
        if (this.tableData === null || this.tableData.length === 0) {
            this.$message.error('错误：当前在线用户表为空，无法执行一键下线操作！');
            return;
        }
        MessageBox.confirm('当前搜索条件下的所有用户将会“下线”，你确定执行吗?', '危险', {
            confirmButtonText: '确定',
            cancelButtonText: '取消',
            type: 'danger'
        }).then(() => {   
            try {
                this.loadingOneOffline = true;
                this.getData();        
                this.$message.success('操作成功');
                this.loadingOneOffline = false;
                // 清空当前表格
                this.tableData = [];
            } catch (error) {
                this.loadingOneOffline = false;
                this.$message.error('操作失败');
            }
        });        
    },
    handleSearch() {
        this.getData();
    },
    getData() {
-      axios.get('/user/online').then(resp => {
+      axios.get('/user/online', 
        {
          params: {            
            search_cate: this.searchCate,
            search_text: this.searchText,
            show_sleeper: this.showSleeper,
            one_offline: this.loadingOneOffline
          }
        }
      ).then(resp => {
        var data = resp.data.data
        console.log(data);
        this.tableData = data.datas;
@@ -201,5 +297,23 @@ export default {
 </script>
 <style scoped>
-
+/deep/ .el-form .el-form-item__label,
 /deep/ .el-form .el-form-item__content,
 /deep/ .el-form .el-input,
 /deep/ .el-form .el-select,
 /deep/ .el-form .el-button,
 /deep/ .el-form .el-select-dropdown__item {
  font-size: 11px;
 }
 .el-select-dropdown .el-select-dropdown__item {
    font-size: 11px;
    padding: 0 10px;
 }
 /deep/ .el-input__inner{
    height: 30px;
    padding: 0 10px;
 }
 .extra-small-button {
  padding: 5px 10px;
 }
 </style>
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`客户端软件需放置在files目录内，`	`客户端软件需放置在files目录内，`
	`如需要帮助请加QQ群：567510628`	`如需要帮助请加QQ群：567510628 、739072205`