diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 60d7b5d..e7a972d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,60 +1,62 @@
+---
 name: Build and push Docker image
 
-on:
+"on":
   release:
-    types: [ released, prereleased ]
+    types: [released, prereleased]
+
+env:
+  DOCKER_ACCOUNT: zoraxydocker
+  DOCKER_REPO: zoraxy
+  DOCKER_REPO_TAG_CACHE_NAME: buildcache
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
+
+permissions:
+  contents: read
 
 jobs:
   setup-build-push:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
         with:
           ref: ${{ github.event.release.tag_name }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  # v3.5.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Pull last image for layer reuse
-        run: |
-          docker pull docker.io/zoraxydocker/zoraxy:latest
-      
       - name: Setup building file structure
         run: |
           cp -lr $GITHUB_WORKSPACE/src/ $GITHUB_WORKSPACE/docker/src/
 
-      - name: Build and push Docker image (Release)
-        if: "!github.event.release.prerelease"
-        uses: docker/build-push-action@v6
+      - name: Create tag list for docker image
+        id: tags
+        run: |
+          if [ "${{ github.event.release.prerelease }}" = true ]; then
+            echo "docker=${{ env.DOCKER_ACCOUNT }}/${{ env.DOCKER_REPO }}:${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event.release.tag_name }}" == *"-rc"* ]]; then
+            echo "docker=${{ env.DOCKER_ACCOUNT }}/${{ env.DOCKER_REPO }}:${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "docker=${{ env.DOCKER_ACCOUNT }}/${{ env.DOCKER_REPO }}:latest, ${{ env.DOCKER_ACCOUNT }}/${{ env.DOCKER_REPO }}:${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
         with:
           context: ./docker
           push: true
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            zoraxydocker/zoraxy:latest
-            zoraxydocker/zoraxy:${{ github.event.release.tag_name }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Build and push Docker image (Prerelease)
-        if: "github.event.release.prerelease"
-        uses: docker/build-push-action@v6
-        with:
-          context: ./docker
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            zoraxydocker/zoraxy:${{ github.event.release.tag_name }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          platforms: ${{ env.DOCKER_PLATFORMS }}
+          tags: ${{ steps.tags.outputs.docker }}
+          cache-from: type=registry,ref=${{ env.DOCKER_ACCOUNT }}/${{ env.DOCKER_REPO }}:${{ env.DOCKER_REPO_TAG_CACHE_NAME }}
+          cache-to: type=registry,ref=${{ env.DOCKER_ACCOUNT }}/${{ env.DOCKER_REPO }}:${{ env.DOCKER_REPO_TAG_CACHE_NAME }},mode=max
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 283db3c..387b198 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,13 @@
+# v3.2.9 2 Nov 2025
+
++ Add PKCE support with SHA256 challenge method for OAuth2 by [kjagosz](https://github.com/kjagosz) fixes [#852](https://github.com/tobychui/zoraxy/issues/852)
++ Update lego to v4.28.0 by [zen8841](https://github.com/zen8841) fixes [778](https://github.com/tobychui/zoraxy/issues/778)
++ Typo in plugins.html by [mlbarrow](mlbarrow)
++ Moved log rotation options to webmin panel
++ Supported opening tar.gz in the new log viewer
++ Added disable logging function to HTTP proxy rule for high traffic sites
++ Fixed other bugs / improvements [#855](https://github.com/tobychui/zoraxy/issues/855) [#866](https://github.com/tobychui/zoraxy/issues/866) [#867](https://github.com/tobychui/zoraxy/issues/867) [#855](https://github.com/tobychui/zoraxy/issues/856)
+
 # v3.2.8 16 Oct 2025
 
 + Fixed wildcard certificate bug [#845](https://github.com/tobychui/zoraxy/issues/845) by [zen8841](https://github.com/zen8841)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 1ad1cd3..f8008f6 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -37,7 +37,7 @@ RUN curl -Lo ZeroTierOne.tar.gz https://codeload.github.com/zerotier/ZeroTierOne
 ## Main
 FROM docker.io/alpine:latest
 
-RUN apk add --update --no-cache python3 sudo netcat-openbsd libressl-dev openssh ca-certificates libc6-compat libstdc++ &&\
+RUN apk add --update --no-cache tzdata python3 sudo netcat-openbsd libressl-dev openssh ca-certificates libc6-compat libstdc++ &&\
     rm -rf /var/cache/apk/* /tmp/*
 
 COPY --chmod=700 ./entrypoint.py /opt/zoraxy/
@@ -50,6 +50,7 @@ RUN mkdir -p /opt/zoraxy/plugin/ &&\
 
 WORKDIR /opt/zoraxy/config/
 
+ENV TZ="Etc/UTC"
 ENV ZEROTIER="false"
 
 ENV AUTORENEW="86400"
diff --git a/docker/README.md b/docker/README.md
index aaf0bbb..65402ec 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -26,8 +26,8 @@ docker run -d \
   -v /path/to/zoraxy/config/:/opt/zoraxy/config/ \
   -v /path/to/zoraxy/plugin/:/opt/zoraxy/plugin/ \
   -v /var/run/docker.sock:/var/run/docker.sock \
-  -v /etc/localtime:/etc/localtime \
   -e FASTGEOIP="true" \
+  -e TZ="America/New_York" \
   zoraxydocker/zoraxy:latest
 ```
 
@@ -47,11 +47,11 @@ services:
       - /path/to/zoraxy/config/:/opt/zoraxy/config/
       - /path/to/zoraxy/plugin/:/opt/zoraxy/plugin/
       - /var/run/docker.sock:/var/run/docker.sock
-      - /etc/localtime:/etc/localtime
     extra_hosts:
       - "host.docker.internal:host-gateway"
     environment:
       FASTGEOIP: "true"
+      TZ: "Europe/London"
 ```
 
 ### Ports
@@ -95,6 +95,7 @@ Variables are the same as those in [Start Parameters](https://github.com/tobychu
 | `PLUGIN` | `/opt/zoraxy/plugin/` (String) | Set the path for Zoraxy plugins. Only change this if you know what you are doing. |
 | `PORT` | `8000` (Integer) | Management web interface listening port |
 | `SSHLB` | `false` (Boolean) | Allow loopback web ssh connection (DANGER). |
+| `TZ` | `Etc/UTC` (String) | Define timezone using [standard tzdata values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). |
 | `UPDATE_GEOIP` | `false` (Boolean) | Download the latest GeoIP data and exit. |
 | `VERSION` | `false` (Boolean) | Show version of this server. |
 | `WEBFM` | `true` (Boolean) | Enable web file manager for static web server root folder. |