Merge commit from fork

Fixed web ssh security bug
2025-06-28 10:21:46 +02:00 · 2024-11-10 13:57:01 +08:00 · 2024-11-10 13:22:32 +08:00 · 2024-11-06 06:58:52 +08:00 · 2024-11-04 20:39:47 -05:00 · 2024-11-03 17:41:49 +08:00
574 changed files with 678082 additions and 75 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,39 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Browser (if it is a bug appears on the UI section of the system):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Host Environment (please complete the following information):**
+-  Arch: [e.g. arm64]
+ - Device: [e.g. Bananapi R2 PRO]
+ - OS: [e.g. Armbian]
+ - Version [e.g.  23.02 Bullseye ]
+ - Docker Version (if you are running Zoraxy in docker): [e.g. 3.0.4]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[ENHANCEMENTS]"
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/help-needed.md
+++ b/.github/ISSUE_TEMPLATE/help-needed.md
@ -0,0 +1,25 @@
+---
+name: Help Needed
+about: Something went wrong but I don't know why
+title: "[HELP]"
+labels: help wanted
+assignees: ''
+
+---
+
+**What happened?**
+A clear and concise description of what the problem is. Ex. I tried to create a proxy rule but it doesn't work. When I connects to my domain, I see [...]
+
+**Describe what have you tried**
+A clear and concise description of what you expect to see and what you have tried to debug it.
+
+**Describe the networking setup you are using**
+Here are some example, commonly asked questions from our maintainers: 
+- Are you using the docker build of Zoraxy? [yes (with docker setup & networking config attach) /no]
+- Your Zoraxy version? [e.g. 3.0.4]
+- Are you using Cloudflare? [yes/no]
+- Are your system hosted under a NAT router? [e.g. yes, with subnet is e.g. 192.168.0.0/24 and include port forwarding config if any]
+- DNS record (if any)
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -0,0 +1,43 @@
+name: Build and push Docker image
+
+on:
+  release:
+    types: [ published ]
+
+jobs:
+  setup-build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      
+      - name: Setup building file structure
+        run: |
+          cp -lr $GITHUB_WORKSPACE/src/ $GITHUB_WORKSPACE/docker/
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            zoraxydocker/zoraxy:latest
+            zoraxydocker/zoraxy:${{ github.event.release.tag_name }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
--- a/.gitignore
+++ b/.gitignore
@ -27,4 +27,16 @@ src/conf/*
 src/ReverseProxy_*_*
 src/Zoraxy_*_*
 src/certs/*
-src/rules/*
+src/rules/*
+src/README.md
+docker/ContainerTester.sh
+docker/ImagePublisher.sh
+src/mod/acme/test/stackoverflow.pem
+/tools/dns_challenge_update/code-gen/acmedns
+/tools/dns_challenge_update/code-gen/lego
+src/tmp/localhost.key
+src/tmp/localhost.pem
+src/www/html/index.html
+src/sys.uuid
+src/zoraxy
+src/log/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -0,0 +1,280 @@
+# v3.1.2 03 Nov 2024
+
+ Added auto start port 80 listener on acme certificate generator
+ Added polling interval and propagation timeout option in ACME module [#300](https://github.com/tobychui/zoraxy/issues/300)
+ Added support for custom header variables [#318](https://github.com/tobychui/zoraxy/issues/318)
+ Added support for X-Remote-User 
+ Added port scanner [#342](https://github.com/tobychui/zoraxy/issues/342)
+ Optimized code base for stream proxy and config file storage [#320](https://github.com/tobychui/zoraxy/issues/320)
+ Removed sorting on cert list
+ Fixed request certificate button bug 
+ Fixed cert auto renew logic [#316](https://github.com/tobychui/zoraxy/issues/316)
+ Fixed unable to remove new stream proxy bug
+ Fixed many other minor bugs  [#328](https://github.com/tobychui/zoraxy/issues/328) [#297](https://github.com/tobychui/zoraxy/issues/297)
+ Added more code to SSO system (disabled in release)
+
+
+# v3.1.1. 09 Sep 2024
+
+ Updated country name in access list [#287](https://github.com/tobychui/zoraxy/issues/287)
+ Added tour for basic operations
+ Updated acme log to system wide logger implementation
+ Fixed path traversal in file manager [#274](https://github.com/tobychui/zoraxy/issues/274)
+ Removed Proxmox debug code
+ Fixed trie tree implementations
+
+**Thanks to all contributors**
+
+ Fix existing containers list in docker popup [7brend7](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3A7brend7)
+ Fix network I/O chart not rendering [JokerQyou](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3AJokerQyou)
+ Fix typo remvoeClass to removeClass [Aahmadsyamim](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3Aahmadsyamim)
+ Updated weighted random upstream implementation [bouroo](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3Abouroo)
+
+# v3.1.0 31 Jul 2024
+
+ Updated log viewer with filter and auto refresh [#243](https://github.com/tobychui/zoraxy/issues/243)
+ Fixed csrf vulnerability [#267](https://github.com/tobychui/zoraxy/issues/267)
+ Fixed promox issue
+ Fixed status code bug in upstream log [#254](https://github.com/tobychui/zoraxy/issues/254)
+ Added host overwrite and hop-by-hop header remover
+ Added early renew days settings [#256](https://github.com/tobychui/zoraxy/issues/256)
+ Updated make file to force no CGO in cicd process
+ Fixed bug in updater
+ Fixed wildcard certificate renew bug [#249](https://github.com/tobychui/zoraxy/issues/249)
+ Added certificate download function [#227](https://github.com/tobychui/zoraxy/issues/227)
+
+# v3.0.9 16 Jul 2024
+
+ Added certificate download [#227](https://github.com/tobychui/zoraxy/issues/227)
+ Updated netcup timeout value [#231](https://github.com/tobychui/zoraxy/issues/231)
+ Updated geoip db
+ Removed debug print from log viewer
+ Upgraded netstat log printing to new log formatter
+ Improved update module implementation
+
+# v3.0.8 15 Jul 2024
+
+ Added apache style logging mechanism (and build-in log viewer) [#218](https://github.com/tobychui/zoraxy/issues/218)
+ Fixed keep alive flushing issues [#235](https://github.com/tobychui/zoraxy/issues/235)
+ Added multi-upstream supports [#100](https://github.com/tobychui/zoraxy/issues/100)
+ Added stick session load balancer
+ Added weighted random load balancer
+ Added domain cleaning logic to domain / IP input fields
+ Added HSTS "include subdomain" auto injector
+ Added work-in-progress SSO / Oauth Server UI
+ Fixed uptime monitor not updating on proxy rule change bug
+ Optimized UI for create new proxy rule
+ Removed service expose proxy feature
+
+# v3.0.7 20 Jun 2024
+
+ Fixed redirection enable bug [#199](https://github.com/tobychui/zoraxy/issues/199)
+ Fixed header tool user agent rewrite sequence
+ Optimized rate limit UI
+ Added HSTS and Permission Policy Editor [#163](https://github.com/tobychui/zoraxy/issues/163)
+ Docker UX optimization start parameter `-docker`
+ Docker container selector implementation for conditional compilations for Windows
+
+From contributors:
+
+ Add Rate Limits Limits to Zoraxy fixes [185](https://github.com/tobychui/zoraxy/issues/185) by [Kirari04](https://github.com/Kirari04)
+ Add docker containers list to set rule by [7brend7](https://github.com/7brend7) [PR202](https://github.com/tobychui/zoraxy/pull/202)
+
+# v3.0.6 10 Jun 2024
+
+ Added fastly_client_ip to X-Real-IP auto rewrite
+ Added atomic accumulator to TCP proxy
+ Added white logo for future dark theme
+ Added multi selection for white / blacklist [#176](https://github.com/tobychui/zoraxy/issues/176)
+ Moved custom header rewrite to dpcore
+ Restructure dpcore header rewrite sequence
+ Added advance custom header settings (zoraxy to upstream and zoraxy to downstream mode)
+ Added header remove feature
+ Removed password requirement for SMTP [#162](https://github.com/tobychui/zoraxy/issues/162) [#80](https://github.com/tobychui/zoraxy/issues/80) 
+ Restructured TCP proxy into Stream Proxy (Support both TCP and UDP) [#147](https://github.com/tobychui/zoraxy/issues/147)
+ Added stream proxy auto start [#169](https://github.com/tobychui/zoraxy/issues/169)
+ Optimized UX for reminding user to click Apply after port change
+ Added version number to footer [#160](https://github.com/tobychui/zoraxy/issues/160)
+
+From contributors:
+
+ Fixed missing / unnecessary error check [PR187](https://github.com/tobychui/zoraxy/pull/187) by [Kirari04](https://github.com/Kirari04)
+
+# v3.0.5 May 26 2024
+
+
+ Optimized uptime monitor error message [#121](https://github.com/tobychui/zoraxy/issues/121)
+ Optimized detection logic for internal proxy target and header rewrite condition for HTTP_HOST [#164](https://github.com/tobychui/zoraxy/issues/164)
+ Fixed ovh DNS challenge provider form generator bug [#161](https://github.com/tobychui/zoraxy/issues/161)
+ Added permission policy module (not enabled)
+ Added single-use cookiejar to uptime monitor request client to handle cookie issues on some poorly written back-end server [#149](https://github.com/tobychui/zoraxy/issues/149)
+
+
+# v3.0.4 May 18 2024
+
+## This release tidied up the contribution by [Teifun2](https://github.com/Teifun2) and added a new way to generate DNS challenge based certificate (e.g. wildcards) from Let's Encrypt without changing any environment variables. This also fixes a few previous ACME module EAB settings bug related to concurrent save.
+
+You can find the DNS challenge settings under TLS / SSL > ACME snippet > Generate New Certificate > (Check the "Use a DNS Challenge" checkbox)
+
+ Optimized DNS challenge implementation [thanks to Teifun2](https://github.com/Teifun2) / Issues [#49](https://github.com/tobychui/zoraxy/issues/49) [#79](https://github.com/tobychui/zoraxy/issues/79)
+ Removed dependencies on environment variable write and keep all data contained
+ Fixed panic on loading certificate generated by Zoraxy v2
+ Added automatic form generator for DNS challenge / providers
+ Added CA name default value
+ Added code generator for acmedns module (storing the DNS challenge provider contents extracted from lego)
+ Fixed ACME snippet "Obtain Certificate" concurrent issues in save EAB and DNS credentials
+
+
+# v3.0.3 Apr 30 2024
+## Breaking Change
+
+For users using SMTP with older versions, you might need to update the settings by moving the domains (the part after @ in the username and domain setup field) into the username field.
+
+ Updated SMTP UI for non email login username [#129](https://github.com/tobychui/zoraxy/issues/129)
+ Fixed ACME cert store reload after cert request [#126](https://github.com/tobychui/zoraxy/issues/126)
+ Fixed default rule not applying to default site when default site is set to proxy target [#130](https://github.com/tobychui/zoraxy/issues/130)
+ Fixed blacklist-ip not working with CIDR bug
+ Fixed minor vdir bug in tailing slash detection and redirect logic
+ Added custom mdns name support (-mdnsname flag)
+ Added LAN tag in statistic [#131](https://github.com/tobychui/zoraxy/issues/131)
+
+
+# v3.0.2 Apr 24 2024
+
+ Added alias for HTTP proxy host names [#76](https://github.com/tobychui/zoraxy/issues/76)
+ Added separator support for create new proxy rules (use "," to add alias when creating new proxy rule)
+ Added HTTP proxy host based access rules [#69](https://github.com/tobychui/zoraxy/issues/69)
+ Added EAD Configuration for ACME (by [yeungalan](https://github.com/yeungalan)) [#45](https://github.com/tobychui/zoraxy/issues/45)
+ Fixed bug for bypassGlobalTLS endpoint do not support basic-auth
+ Fixed panic due to empty domain field in json config [#120](https://github.com/tobychui/zoraxy/issues/120)
+ Removed dependencies on management panel css for online font files
+
+# v3.0.1 Apr 04 2024
+
+## Bugfixupdate for big release of V3, read update notes from V3 if you are still on V2
+
+ Added regex support for redirect (slow, don't use it unless you really needs it) [#42](https://github.com/tobychui/zoraxy/issues/42)
+ Added new dpcore implementations for faster proxy speed
+ Added support for CF-Connecting-IP to X-Real-IP auto rewrite [#114](https://github.com/tobychui/zoraxy/issues/114)
+ Added enable / disable of HTTP proxy rules in runtime via slider [#108](https://github.com/tobychui/zoraxy/issues/108)
+ Added better 404 page
+ Added option to bypass websocket origin check [#107](https://github.com/tobychui/zoraxy/issues/107)
+ Updated project homepage design
+ Fixed recursive port detection logic
+ Fixed UserAgent in resp bug
+ Updated minimum required Go version to v1.22 (Notes: Windows 7 support is dropped) [#112](https://github.com/tobychui/zoraxy/issues/112)
+
+
+# v3.0.0 Feb 18 2024
+
+## IMPORTANT: V3 is a big rewrite and it is incompatible with V2! There is NO migration, if you want to stay on V2, please use V2 branch!
+
+ Added comments for whitelist [#97](https://github.com/tobychui/zoraxy/issues/97)
+ Added force-renew for certificates [#92](https://github.com/tobychui/zoraxy/issues/92)
+ Added automatic cert pick for multi-host certs (SNI)
+ Renamed .crt to .pem for cert store
+ Added best-fit selection for wildcard matching rules
+ Added x-proxy-by header / Added X-real-Ip header [#93](https://github.com/tobychui/zoraxy/issues/93)
+ Added Development Mode (Cache-Control: no-store)
+ Updated utm timeout to 10 seconds instead of 90
+ Added "Add controller as member" feature to Global Area Network editor
+ Added custom header
+ Deprecated aroz subservice support
+ Updated visuals, improving logical structure, less depressing colors [#95](https://github.com/tobychui/zoraxy/issues/95)
+ Added virtual directory into host routing object (each host now got its own sets of virtual directories)
+ Added support for wildcard host names (e.g. *.example.com)
+ Added best-fit selection for wildcard matching rules (e.g. *.a.example.com > *.example.com in routing)
+ Generalized root and hosts routing struct (no more conversion between runtime & save record object
+ Added "Default Site" to replace "Proxy Root" interface
+ Added Redirect & 404 page for "Default Site"
+
+
+# v2.6.8 Nov 25 2023
+
+ Added opt-out for subdomains for global TLS settings: See [release notes](https://github.com/tobychui/zoraxy/releases/tag/2.6.8)
+ Optimized subdomain / vdir editing interface
+ Added system-wide logger (Work in progress)
+ Fixed issue for uptime monitor bug [#77](https://github.com/tobychui/zoraxy/issues/77)
+ Changed default static web port to 5487 (prevent already in use)
+ Added automatic HTTP/2 to TLS mode
+ Bug fix for webserver autostart [67](https://github.com/tobychui/zoraxy/issues/67)
+
+# v2.6.7 Sep 26 2023
+
+ Added Static Web Server function [#56](https://github.com/tobychui/zoraxy/issues/56)
+ Web Directory Manager (see static webserver tab)
+ Added static web server and black / whitelist template [#38](https://github.com/tobychui/zoraxy/issues/38)
+ Added default / preferred CA features for ACME [#47](https://github.com/tobychui/zoraxy/issues/47)
+ Optimized TLS/SSL page and added dedicated section for ACME related features
+ Bugfixes [#61](https://github.com/tobychui/zoraxy/issues/61) [#58](https://github.com/tobychui/zoraxy/issues/58)
+
+# v2.6.6 Aug 30 2023
+
+ Added basic auth editor custom exception rules 
+ Fixed redirection bug under another reverse proxy and Apache location headers [#39](https://github.com/tobychui/zoraxy/issues/39)
+ Optimized memory usage (from 1.2GB to 61MB for low speed geoip lookup) [#52](https://github.com/tobychui/zoraxy/issues/52)
+ Added unset subdomain custom redirection feature [#46](https://github.com/tobychui/zoraxy/issues/46)
+ Fixed potential security issue in satori/go.uuid [#55](https://github.com/tobychui/zoraxy/issues/55)
+ Added custom ACME feature in backend, thx [@daluntw](https://github.com/daluntw)
+ Added bypass TLS check for custom acme server, thx [@daluntw](https://github.com/daluntw)
+ Introduce new start parameter `-fastgeoip=true`: see [release notes](https://github.com/tobychui/zoraxy/releases/tag/2.6.6)
+
+# v2.6.5.1 Jul 26 2023
+
+ Patch on memory leaking for Windows netstat module (do not effect any of the previous non Windows builds)
+ Fixed potential memory leak in ACME handler logic
+ Added "Do you want to get a TLS certificate for this subdomain?" dialogue when a new subdomain proxy rule is created
+
+# v2.6.5 Jul 19 2023
+
+ Added Import / Export-Feature 
+ Moved configuration files to a separate folder [#26](https://github.com/tobychui/zoraxy/issues/26)
+ Added auto-renew with ACME [#6](https://github.com/tobychui/zoraxy/issues/6)
+ Fixed Whitelistbug [#18](https://github.com/tobychui/zoraxy/issues/18)
+ Added Whois
+
+# v2.6.4 Jun 15 2023
+
+ Added force TLS v1.2 above toggle
+ Added trace route
+ Added ICMP ping
+ Added special routing rules module for up-coming ACME integration
+ Fixed IPv6 check bug in black/whitelist
+ Optimized UI for TCP Proxy
+
+# v2.6.3 Jun 8 2023
+
+ Added X-Forwarded-Proto for automatic proxy detector
+ Split blacklist and whitelist from geodb script file
+ Optimized compile binary size
+ Added access control to TCP proxy
+ Added "invalid config detect" in up time monitor for issue [#7](https://github.com/tobychui/zoraxy/issues/7)
+ Fixed minor bugs in advance stats panel
+ Reduced file size of embedded materials
+
+# v2.6.2 Jun 4 2023
+
+ Added advance stats operation tab
+ Added statistic reset [#13](https://github.com/tobychui/zoraxy/issues/13)
+ Added statistic export to csv and json (please use json)
+ Make subdomain clickable (not vdir) [#12](https://github.com/tobychui/zoraxy/issues/12)
+ Added TCP Proxy
+ Updates SMTP setup UI to make it more straight forward to setup
+
+# v2.6.1 May 31 2023
+
+ Added reverse proxy TLS skip verification
+ Added basic auth
+ Edit proxy settings
+ Whitelist
+ TCP Proxy (experimental)
+ Info (Utilities page)
+
+# v2.6 May 27 2023
+
+ Basic auth
+ Support TLS verification skip (for self signed certs)
+ Added trend analysis
+ Added referrer and file type analysis
+ Added cert expire day display
+ Moved subdomain proxy logic to dpcore
--- a/661
+++ b/661
@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.
--- a/README.md
+++ b/README.md
@ -2,40 +2,73 @@

 # Zoraxy

-General purpose request (reverse) proxy and forwarding tool for low power devices. Now written in Go!
+A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!

 ### Features

 - Simple to use interface with detail in-system instructions
- Reverse Proxy
-  
-  - Subdomain Reverse Proxy
-  
-  - Virtual Directory Reverse Proxy
+- Reverse Proxy (HTTP/2)
+  - Virtual Directory
+  - WebSocket Proxy (automatic, no set-up needed) 
+  - Basic Auth
+  - Alias Hostnames
+  - Custom Headers
 - Redirection Rules
 - TLS / SSL setup and deploy
- Blacklist by country or IP address (single IP, CIDR or wildcard for beginners)
+  - ACME features like auto-renew to serve your sites in http**s**
+  - SNI support (and SAN certs)
+  - DNS Challenge for Let's Encrypt and [these DNS providers](https://go-acme.github.io/lego/dns/)
+- Blacklist / Whitelist by country or IP address (single IP, CIDR or wildcard for beginners)
 - Global Area Network Controller Web UI (ZeroTier not included)
+- Stream Proxy (TCP & UDP)
 - Integrated Up-time Monitor
 - Web-SSH Terminal
 - Utilities
-  
  - CIDR IP converters
  - mDNS Scanner
+  - Wake-On-Lan
+  - Debug Forward Proxy
  - IP Scanner
 - Others
  - Basic single-admin management mode
  - External permission management system for easy system integration
  - SMTP config for password reset
-  
+
+## Downloads
+
+[Windows](https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_windows_amd64.exe)
+/ [Linux (amd64)](https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_amd64)
+/ [Linux (arm64)](https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_arm64)
+
+For other systems or architectures, please see [Releases](https://github.com/tobychui/zoraxy/releases/latest/) 
+
+## Getting Started
+
+[Installing Zoraxy Reverse Proxy: Your Gateway to Efficient Web Routing](https://geekscircuit.com/installing-zoraxy-reverse-proxy-your-gateway-to-efficient-web-routing/)
+
+Thank you for the well written and easy to follow tutorial by Reddit user [itsvmn](https://www.reddit.com/user/itsvmn/)! 
+If you have no background in setting up reverse proxy or web routing, you should check this out before you start setting up your Zoraxy. 
+
+## Build from Source
+
+Requires Go 1.23 or higher
+
+```bash
+git clone https://github.com/tobychui/zoraxy
+cd ./zoraxy/src/
+go mod tidy
+go build
+
+sudo ./zoraxy -port=:8000
+```

 ## Usage

-Zoraxy provide basic authentication system for standalone mode. To use it in standalone mode, follow the instruction below for your desired deployment platform.
+Zoraxy provides basic authentication system for standalone mode. To use it in standalone mode, follow the instructions below for your desired deployment platform.

 ### Standalone Mode

-Standalone mode is the default mode for Zoraxy. This allow single account to manage your reverse proxy server just like a home router. This mode is suitable for new owners for homelab or makers start growing their web services into multiple servers.
+Standalone mode is the default mode for Zoraxy. This allows a single account to manage your reverse proxy server just like a basic home router. This mode is suitable for new owners to homelabs or makers starting growing their web services into multiple servers. A full "Getting Started" guide can be found [here](https://github.com/tobychui/zoraxy/wiki/Getting-Started).

 #### Linux

@ -49,111 +82,113 @@ Download the binary executable and double click the binary file to start it.

 #### Raspberry Pi

-The installation method is same as Linux. If you are using Raspberry Pi 4 or newer models, pick the arm64 release. For older version of Pis, use the arm (armv6) version instead.
+The installation method is same as Linux. If you are using a Raspberry Pi 4 or newer models, pick the arm64 release. For older version of Pis, use the arm (armv6) version instead.

 #### Other ARM SBCs or Android phone with Termux

 The installation method is same as Linux. For other ARM SBCs, please refer to your SBC's CPU architecture and pick the one that is suitable for your device. 

+#### Docker
+
+See the [/docker](https://github.com/tobychui/zoraxy/tree/main/docker) folder for more details.
+
+### Start Parameters
+
+```
+Usage of zoraxy:
+  -autorenew int
+        ACME auto TLS/SSL certificate renew check interval (seconds) (default 86400)
+  -cfgupgrade
+        Enable auto config upgrade if breaking change is detected (default true)
+  -docker
+        Run Zoraxy in docker compatibility mode
+  -fastgeoip
+        Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices)
+  -mdns
+        Enable mDNS scanner and transponder (default true)
+  -mdnsname string
+        mDNS name, leave empty to use default (zoraxy_{node-uuid}.local)
+  -noauth
+        Disable authentication for management interface
+  -port string
+        Management web interface listening port (default ":8000")
+  -sshlb
+        Allow loopback web ssh connection (DANGER)
+  -version
+        Show version of this server
+  -webfm
+        Enable web file manager for static web server root folder (default true)
+  -webroot string
+        Static web server root folder. Only allow change in start parameters (default "./www")
+  -ztauth string
+        ZeroTier authtoken for the local node
+  -ztport int
+        ZeroTier controller API port (default 9993)
+```
+
 ### External Permission Management Mode

-If you already have a up-stream reverse proxy server in place with permission management, you can use Zoraxy in noauth mode. To enable noauth mode, start Zoraxy with the following flag
+If you already have an upstream reverse proxy server in place with permission management, you can use Zoraxy in noauth mode. To enable noauth mode, start Zoraxy with the following flag:

 ```bash
 ./zoraxy -noauth=true
 ```

-*Note: For security reaons, you should only enable no-auth if you are running Zoraxy in a trusted environment or with another authentication management proxy in front.*
-
-#### Use with ArozOS
-
-[ArozOS ](https://arozos.com)subservice is a build in permission managed reverse proxy server. To use zoraxy with arozos, connect to your arozos host via ssh and use the following command to install zoraxy
-
-```bash
-# cd into your arozos subservice folder. Sometime it is under ~/arozos/src/subservice
-cd ~/arozos/subservices
-mkdir zoraxy
-cd ./zoraxy
-
-# Download the release binary from Github release
-wget {binary executable link from release page}
-
-# Set permission. Change this if required
-sudo chmod 775 -R ./
-
-# Start zoraxy to see if the downloaded arch is correct.
-./zoraxy
-
-# After the unzip done, press Ctrl + C to kill it
-# Rename it to valid arozos subservice binary format
-mv ./zoraxy zoraxy_linux_amd64
-
-# If you are using SBCs with different CPU arch, use the following names
-# mv ./zoraxy zoraxy_linux_arm
-# mv ./zoraxy zoraxy_linux_arm64
-
-# Restart arozos
-sudo systemctl restart arozos
-```
-
-To start the module, go to System Settings > Modules > Subservice and enable it in the menu. You should be able to see a new module named "Zoraxy" pop up in the start menu.
+*Note: For security reasons, you should only enable no-auth if you are running Zoraxy in a trusted environment or with another authentication management proxy in front.*

 ## Screenshots

-![](img/screenshots/0_1.png)
-
-![](img/screenshots/0_2.png)
-
 ![](img/screenshots/1.png)

 ![](img/screenshots/2.png)

-![](img/screenshots/3.png)
+More screenshots on the wikipage [Screenshots](https://github.com/tobychui/zoraxy/wiki/Screenshots)!

-![](img/screenshots/4.png)
+## FAQ

-![](img/screenshots/5.png)
-
-![](img/screenshots/7.png)
-
-![](img/screenshots/8.png)
-
-![](img/screenshots/9.png)
-
-![](img/screenshots/10_1.png)
-
-![](img/screenshots/10_2.png)
+There is a wikipage with [Frequently-Asked-Questions](https://github.com/tobychui/zoraxy/wiki/FAQ---Frequently-Asked-Questions)!

 ## Global Area Network Controller

 This project also compatible with [ZeroTier](https://www.zerotier.com/). However, due to licensing issues, ZeroTier is not included in the binary. 

-Assuming you already have a valid license, to use Zoraxy with ZeroTier, install ZeroTier on your host and then run Zoraxy in sudo mode (or Run As Administrator if you are on Windows). The program will automatically grab the authtoken at correct location in your host.
+To use Zoraxy with ZeroTier, assuming you already have a valid license, install ZeroTier on your host and then run Zoraxy in sudo mode (or Run As Administrator if you are on Windows). The program will automatically grab the authtoken in the correct location on your host.

-If you prefer not to run Zoraxy in sudo mode or you have some wierd installation profile, you can also pass in the ZeroTier auth token using the following flags
+If you prefer not to run Zoraxy in sudo mode or you have some weird installation profile, you can also pass in the ZeroTier auth token using the following flags::

-```
+```bash
 ./zoraxy -ztauth="your_zerotier_authtoken" -ztport=9993
 ```

 The ZeroTier auth token can usually be found at ```/var/lib/zerotier-one/authtoken.secret``` or ```C:\ProgramData\ZeroTier\One\authtoken.secret```. 

-This allows you to have infinite number of network members in your Global Area Network controller. For more technical details, see [here](https://docs.zerotier.com/self-hosting/network-controllers/).
+This allows you to have an infinite number of network members in your Global Area Network controller. For more technical details, see [here](https://docs.zerotier.com/self-hosting/network-controllers/).

-## Web.SSH
+## Web SSH

-Web SSH currently only support Linux based OS.
+Web SSH currently only supports Linux based OSes. The following platforms are supported:

-### Loopback Connection 
+- linux/amd64
+- linux/arm64
+- linux/armv6 (experimental)
+- linux/386 (experimental)

-Loopback web ssh connection, by default, is disabled. This means that if you are trying to connect to address like 127.0.0.1 or localhost, the system will reject your connection due to security issues. To enable loopback for testing or development purpose, use the following flags to override the loopback checking.
+### Loopback Connection

-```
+Loopback web SSH connection, by default, is disabled. This means that if you are trying to connect to an address like 127.0.0.1 or localhost, the system will reject your connection for security reasons. To enable loopback for testing or development purpose, use the following flags to override the loopback checking:
+
+```bash
 ./zoraxy -sshlb=true
 ```

+## Sponsor This Project

+If you like the project and want to support us, please consider a donation. You can use the links below
+
+- [tobychui (Primary author)](https://paypal.me/tobychui)
+- PassiveLemon (Docker compatibility maintainer)

 ## License

-This Github repo is for storing the release binary and collecting issue only. **This project is not open source and the provided binaries are for function review purpose only.** For business users, please contact toby@imuslab.com for commercial licensing details.
+This project is open-sourced under AGPL. I open-sourced this project so everyone can check for security issues and benefit all users. **This software is intended to be free of charge. If you have acquired this software from a third-party seller, the authors of this repository bears no responsibility for any technical difficulties assistance or support.**
+
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -0,0 +1,66 @@
+FROM docker.io/golang:alpine AS build-zoraxy
+
+RUN mkdir -p /opt/zoraxy/source/ &&\
+    mkdir -p /usr/local/bin/
+
+# If you build it yourself, you will need to add the src directory into the docker directory.
+COPY ./src/ /opt/zoraxy/source/
+
+WORKDIR /opt/zoraxy/source/
+
+RUN go mod tidy &&\
+    go build -o /usr/local/bin/zoraxy &&\
+    chmod 755 /usr/local/bin/zoraxy
+
+FROM docker.io/ubuntu:latest AS build-zerotier
+
+RUN mkdir -p /opt/zerotier/source/ &&\
+    mkdir -p /usr/local/bin/
+
+WORKDIR /opt/zerotier/source/
+
+RUN apt-get update -y &&\
+    apt-get install -y curl jq build-essential pkg-config clang cargo libssl-dev
+
+RUN curl -Lo ZeroTierOne.tar.gz https://codeload.github.com/zerotier/ZeroTierOne/tar.gz/refs/tags/1.10.6 &&\
+    tar -xzvf ZeroTierOne.tar.gz &&\
+    cd ZeroTierOne-* &&\
+    make &&\
+    mv ./zerotier-one /usr/local/bin/zerotier-one &&\
+    chmod 755 /usr/local/bin/zerotier-one
+
+FROM docker.io/ubuntu:latest
+
+RUN apt-get update -y &&\
+    apt-get install -y bash sudo netcat-openbsd libssl-dev ca-certificates
+
+COPY --chmod=700 ./entrypoint.sh /opt/zoraxy/
+COPY --from=build-zoraxy /usr/local/bin/zoraxy /usr/local/bin/zoraxy
+COPY --from=build-zerotier /usr/local/bin/zerotier-one /usr/local/bin/zerotier-one
+
+WORKDIR /opt/zoraxy/config/
+
+ENV ZEROTIER="false"
+
+ENV AUTORENEW="86400"
+ENV CFGUPGRADE="true"
+ENV DOCKER="true"
+ENV EARLYRENEW="30"
+ENV FASTGEOIP="false"
+ENV MDNS="true"
+ENV MDNSNAME="''"
+ENV NOAUTH="false"
+ENV PORT="8000"
+ENV SSHLB="false"
+ENV VERSION="false"
+ENV WEBFM="true"
+ENV WEBROOT="./www"
+ENV ZTAUTH=""
+ENV ZTPORT="9993"
+
+VOLUME [ "/opt/zoraxy/config/", "/var/lib/zerotier-one/" ]
+
+ENTRYPOINT [ "/opt/zoraxy/entrypoint.sh" ]
+
+HEALTHCHECK --interval=15s --timeout=5s --start-period=10s --retries=3 CMD nc -vz 127.0.0.1 $PORT || exit 1
+
--- a/docker/README.md
+++ b/docker/README.md
@ -0,0 +1,98 @@
+# Zoraxy Docker
+
+[![Repo](https://img.shields.io/badge/Docker-Repo-007EC6?labelColor-555555&color-007EC6&logo=docker&logoColor=fff&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
+[![Version](https://img.shields.io/docker/v/zoraxydocker/zoraxy/latest?labelColor-555555&color-007EC6&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
+[![Size](https://img.shields.io/docker/image-size/zoraxydocker/zoraxy/latest?sort=semver&labelColor-555555&color-007EC6&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
+[![Pulls](https://img.shields.io/docker/pulls/zoraxydocker/zoraxy?labelColor-555555&color-007EC6&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
+
+## Usage
+
+If you are attempting to access your service from outside your network, make sure to forward ports 80 and 443 to the Zoraxy host to allow web traffic. If you know how to do this, great! If not, find the manufacturer of your router and search on how to do that. There are too many to be listed here. Read more about it from [whatismyip](https://www.whatismyip.com/port-forwarding/).
+
+In the examples below, make sure to update `/path/to/zoraxy/config/` with your actual path. If a path is not provided, a Docker volume will be created at the location but it is recommended to store the data at a defined host location.
+
+Once setup, access the webui at `http://<host-ip>:8000` to configure Zoraxy. Change the port in the URL if you changed the management port.
+
+### Docker Run
+
+```
+docker run -d \
+  --name zoraxy \
+  --restart unless-stopped \
+  -p 80:80 \
+  -p 443:443 \
+  -p 8000:8000 \
+  -v /path/to/zoraxy/config/:/opt/zoraxy/config/ \
+  -v /path/to/zerotier/config/:/var/lib/zerotier-one/ \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v /etc/localtime:/etc/localtime \
+  -e FASTGEOIP="true" \
+  -e ZEROTIER="true" \
+  zoraxydocker/zoraxy:latest
+```
+
+### Docker Compose
+
+```yml
+services:
+  zoraxy:
+    image: zoraxydocker/zoraxy:latest
+    container_name: zoraxy
+    restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+      - 8000:8000
+    volumes:
+      - /path/to/zoraxy/config/:/opt/zoraxy/config/
+      - /path/to/zerotier/config/:/var/lib/zerotier-one/
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/localtime:/etc/localtime
+    environment:
+      FASTGEOIP: "true"
+      ZEROTIER: "true"
+```
+
+### Ports
+
+| Port | Details |
+|:-|:-|
+| `80` | HTTP traffic. |
+| `443` | HTTPS traffic. |
+| `8000` | Management interface. Can be changed with the `PORT` env. |
+
+### Volumes
+
+| Volume | Details |
+|:-|:-|
+| `/opt/zoraxy/config/` | Zoraxy configuration. |
+| `/var/lib/zerotier-one/` | ZeroTier configuration. Only required if you wish to use ZeroTier. |
+| `/var/run/docker.sock` | Docker socket. Used for additional functionality with Zoraxy. |
+| `/etc/localtime` | Localtime. Set to ensure the host and container are synchronized. |
+
+### Environment
+
+Variables are the same as those in [Start Parameters](https://github.com/tobychui/zoraxy?tab=readme-ov-file#start-paramters).
+
+| Variable | Default | Details |
+|:-|:-|:-|
+| `AUTORENEW` | `86400` (Integer) | ACME auto TLS/SSL certificate renew check interval. |
+| `CFGUPGRADE` | `true` (Boolean) | Enable auto config upgrade if breaking change is detected. |
+| `DOCKER` | `true` (Boolean) | Run Zoraxy in docker compatibility mode. |
+| `EARLYRENEW` | `30` (Integer) | Number of days to early renew a soon expiring certificate. |
+| `FASTGEOIP` | `false`  (Boolean) | Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices). |
+| `MDNS` | `true` (Boolean) | Enable mDNS scanner and transponder. |
+| `MDNSNAME` | `''` (String) | mDNS name, leave empty to use default (zoraxy_{node-uuid}.local). |
+| `NOAUTH` | `false` (Boolean) | Disable authentication for management interface. |
+| `PORT` | `8000` (Integer) | Management web interface listening port |
+| `SSHLB` | `false` (Boolean) | Allow loopback web ssh connection (DANGER). |
+| `VERSION` | `false` (Boolean) | Show version of this server. |
+| `WEBFM` | `true` (Boolean) | Enable web file manager for static web server root folder. |
+| `WEBROOT` | `./www` (String) | Static web server root folder. Only allow change in start parameters. |
+| `ZEROTIER` | `false` (Boolean) | Enable ZeroTier functionality for GAN. |
+| `ZTAUTH` | `""` (String) | ZeroTier authtoken for the local node. |
+| `ZTPORT` | `9993` (Integer) | ZeroTier controller API port. |
+
+> [!IMPORTANT]
+> Contrary to the Zoraxy README, Docker usage of the port flag should NOT include the colon. Ex: `-e PORT="8000"` for Docker run and `PORT: "8000"` for Docker compose.
+
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+update-ca-certificates
+echo "CA certificates updated"
+
+if [ "$ZEROTIER" = "true" ]; then
+  zerotier-one -d
+  echo "ZeroTier daemon started"
+fi
+
+echo "Starting Zoraxy..."
+exec zoraxy \
+  -autorenew="$AUTORENEW" \
+  -cfgupgrade="$CFGUPGRADE" \
+  -docker="$DOCKER" \
+  -earlyrenew="$EARLYRENEW" \
+  -fastgeoip="$FASTGEOIP" \
+  -mdns="$MDNS" \
+  -mdnsname="$MDNSNAME" \
+  -noauth="$NOAUTH" \
+  -port=:"$PORT" \
+  -sshlb="$SSHLB" \
+  -version="$VERSION" \
+  -webfm="$WEBFM" \
+  -webroot="$WEBROOT" \
+  -ztauth="$ZTAUTH" \
+  -ztport="$ZTPORT"
+
--- a/docs/CNAME
+++ b/docs/CNAME
@ -0,0 +1 @@
+zoraxy.aroz.org
--- a/docs/favicon.png
+++ b/docs/favicon.png
--- a/docs/img/icon.png
+++ b/docs/img/icon.png
--- a/docs/img/icons/awesome.svg
+++ b/docs/img/icons/awesome.svg
@ -0,0 +1 @@
+<svg class="item-icon"  xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="m772-635-43-100-104-46 104-45 43-95 43 95 104 45-104 46-43 100Zm0 595-43-96-104-45 104-45 43-101 43 101 104 45-104 45-43 96ZM333-194l-92-197-201-90 201-90 92-196 93 196 200 90-200 90-93 197Zm0-148 48-96 98-43-98-43-48-96-47 96-99 43 99 43 47 96Zm0-139Z"/></svg>
--- a/docs/img/icons/blacklist.svg
+++ b/docs/img/icons/blacklist.svg
@ -0,0 +1 @@
+<svg fill="#ff7a7a" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M280-453h400v-60H280v60ZM480-80q-82 0-155-31.5t-127.5-86Q143-252 111.5-325T80-480q0-83 31.5-156t86-127Q252-817 325-848.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82-31.5 155T763-197.5q-54 54.5-127 86T480-80Zm0-60q142 0 241-99.5T820-480q0-142-99-241t-241-99q-141 0-240.5 99T140-480q0 141 99.5 240.5T480-140Zm0-340Z"/></svg>
--- a/docs/img/icons/code.svg
+++ b/docs/img/icons/code.svg
@ -0,0 +1 @@
+<svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M320-242 80-482l242-242 43 43-199 199 197 197-43 43Zm318 2-43-43 199-199-197-197 43-43 240 240-242 242Z"/></svg>
--- a/docs/img/icons/gan.svg
+++ b/docs/img/icons/gan.svg
@ -0,0 +1 @@
+<svg fill="#919191" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M120-80v-270h120v-160h210v-100H330v-270h300v270H510v100h210v160h120v270H540v-270h120v-100H300v100h120v270H120Zm270-590h180v-150H390v150ZM180-140h180v-150H180v150Zm420 0h180v-150H600v150ZM480-670ZM360-290Zm240 0Z"/></svg>
--- a/docs/img/icons/home.svg
+++ b/docs/img/icons/home.svg
@ -0,0 +1 @@
+<svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M220-180h150v-250h220v250h150v-390L480-765 220-570v390Zm-60 60v-480l320-240 320 240v480H530v-250H430v250H160Zm320-353Z"/></svg>
--- a/docs/img/icons/plugin.svg
+++ b/docs/img/icons/plugin.svg
@ -0,0 +1 @@
+<svg  class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M356-120H180q-24 0-42-18t-18-42v-176q44-5 75.5-34.5T227-463q0-43-31.5-72.5T120-570v-176q0-24 18-42t42-18h177q11-40 39.5-67t68.5-27q40 0 68.5 27t39.5 67h173q24 0 42 18t18 42v173q40 11 65.5 41.5T897-461q0 40-25.5 67T806-356v176q0 24-18 42t-42 18H570q-5-48-35.5-77.5T463-227q-41 0-71.5 29.5T356-120Zm-176-60h130q25-61 69.888-84 44.888-23 83-23T546-264q45 23 70 84h130v-235h45q20 0 33-13t13-33q0-20-13-33t-33-13h-45v-239H511v-48q0-20-13-33t-33-13q-20 0-33 13t-13 33v48H180v130q48.15 17.817 77.575 59.686Q287-514.445 287-462.777 287-412 257.5-370T180-310v130Zm329-330Z"/></svg>
--- a/docs/img/icons/proxy.svg
+++ b/docs/img/icons/proxy.svg
@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48" fill="#fcba03"><path d="M273-160 80-353l193-193 42 42-121 121h316v60H194l121 121-42 42Zm414-254-42-42 121-121H450v-60h316L645-758l42-42 193 193-193 193Z"/></svg>
--- a/docs/img/icons/redirect.svg
+++ b/docs/img/icons/redirect.svg
@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" fill="#0388fc" height="48" viewBox="0 -960 960 960" width="48"><path d="M700-160v-410H275l153 153-42 43-226-226 226-226 42 42-153 154h485v470h-60Z"/></svg>
--- a/docs/img/icons/scan.svg
+++ b/docs/img/icons/scan.svg
@ -0,0 +1 @@
+<svg fill="#83f2c4" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M197-197q-54-54-85.5-126.5T80-480q0-84 31.5-156.5T197-763l43 43q-46 46-73 107.5T140-480q0 71 26.5 132T240-240l-43 43Zm113-113q-32-32-51-75.5T240-480q0-51 19-94.5t51-75.5l43 43q-24 24-38.5 56.5T300-480q0 38 14 70t39 57l-43 43Zm170-90q-33 0-56.5-23.5T400-480q0-33 23.5-56.5T480-560q33 0 56.5 23.5T560-480q0 33-23.5 56.5T480-400Zm170 90-43-43q24-24 38.5-56.5T660-480q0-38-14-70t-39-57l43-43q32 32 51 75.5t19 94.5q0 50-19 93.5T650-310Zm113 113-43-43q46-46 73-107.5T820-480q0-71-26.5-132T720-720l43-43q54 55 85.5 127.5T880-480q0 83-31.5 155.5T763-197Z"/></svg>
--- a/docs/img/icons/screenshots.svg
+++ b/docs/img/icons/screenshots.svg
@ -0,0 +1 @@
+<svg class="item-icon"  xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M345-377h391L609-548 506-413l-68-87-93 123Zm-85 177q-24 0-42-18t-18-42v-560q0-24 18-42t42-18h560q24 0 42 18t18 42v560q0 24-18 42t-42 18H260Zm0-60h560v-560H260v560ZM140-80q-24 0-42-18t-18-42v-620h60v620h620v60H140Zm120-740v560-560Z"/></svg>
--- a/docs/img/icons/stats.svg
+++ b/docs/img/icons/stats.svg
@ -0,0 +1 @@
+<svg fill="#edf230" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M109.912-150Q81-150 60.5-170.589 40-191.177 40-220.089 40-249 60.494-269.5t49.273-20.5q5.233 0 10.233.5 5 .5 13 2.5l200-200q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q371.177-580 400.089-580 429-580 449.5-559.366t20.5 49.61Q470-508 467-487l110 110q8-2 13-2.5t10-.5q5 0 10 .5t13 2.5l160-160q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q821.177-630 850.089-630 879-630 899.5-609.411q20.5 20.588 20.5 49.5Q920-531 899.506-510.5T850.233-490Q845-490 840-490.5q-5-.5-13-2.5L667-333q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q628.823-240 599.911-240 571-240 550.5-260.494T530-309.767q0-5.233.5-10.233.5-5 2.5-13L423-443q-8 2-13 2.5t-10.25.5q-1.75 0-22.75-3L177-243q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q138.823-150 109.912-150ZM160-592l-20.253-43.747L96-656l43.747-20.253L160-720l20.253 43.747L224-656l-43.747 20.253L160-592Zm440-51-30.717-66.283L503-740l66.283-30.717L600-837l30.717 66.283L697-740l-66.283 30.717L600-643Z"/></svg>
--- a/docs/img/icons/terminal.svg
+++ b/docs/img/icons/terminal.svg
@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M140-160q-24 0-42-18t-18-42v-520q0-24 18-42t42-18h680q24 0 42 18t18 42v520q0 24-18 42t-42 18H140Zm0-60h680v-436H140v436Zm160-72-42-42 103-104-104-104 43-42 146 146-146 146Zm190 4v-60h220v60H490Z"/></svg>
--- a/docs/img/logo.png
+++ b/docs/img/logo.png
--- a/docs/img/og.png
+++ b/docs/img/og.png
--- a/docs/img/og.psd
+++ b/docs/img/og.psd
--- a/docs/img/screenshots/1.png
+++ b/docs/img/screenshots/1.png
--- a/docs/img/screenshots/10.png
+++ b/docs/img/screenshots/10.png
--- a/docs/img/screenshots/2.png
+++ b/docs/img/screenshots/2.png
--- a/docs/img/screenshots/3.png
+++ b/docs/img/screenshots/3.png
--- a/docs/img/screenshots/4.png
+++ b/docs/img/screenshots/4.png
--- a/docs/img/screenshots/5.png
+++ b/docs/img/screenshots/5.png
--- a/docs/img/screenshots/6.png
+++ b/docs/img/screenshots/6.png
--- a/docs/img/screenshots/7.png
+++ b/docs/img/screenshots/7.png
--- a/docs/img/screenshots/8.png
+++ b/docs/img/screenshots/8.png
--- a/docs/img/screenshots/9.png
+++ b/docs/img/screenshots/9.png
--- a/docs/img/title.png
+++ b/docs/img/title.png
--- a/docs/img/title.psd
+++ b/docs/img/title.psd
--- a/docs/index.html
+++ b/docs/index.html
@ -0,0 +1,386 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta content="width=device-width, initial-scale=1.0" name="viewport">
+    <meta content="Reverse Proxy, Cluster, Gateway, Go, Homelab, Network Tools" name="keywords">
+    <meta content="A reverse proxy server and cluster network gateway for noobs" name="description">
+    <meta name="author" content="tobychui">
+
+    <!-- HTML Meta Tags -->
+    <title>Reverse Proxy Server | Zoraxy</title>
+    <meta name="description" content="A reverse proxy server and cluster network gateway for noobs">
+
+    <!-- Facebook Meta Tags -->
+    <meta property="og:url" content="https://zoraxy.aroz.org/">
+    <meta property="og:type" content="website">
+    <meta property="og:title" content="Cluster Proxy Gateway | Zoraxy">
+    <meta property="og:description" content="A reverse proxy server and cluster network gateway for noobs">
+    <meta property="og:image" content="https://zoraxy.aroz.org/img/og.png">
+
+    <!-- Twitter Meta Tags -->
+    <meta name="twitter:card" content="summary_large_image">
+    <meta property="twitter:domain" content="aroz.org">
+    <meta property="twitter:url" content="https://zoraxy.aroz.org/">
+    <meta name="twitter:title" content="Cluster Proxy Gateway | Zoraxy">
+    <meta name="twitter:description" content="A reverse proxy server and cluster network gateway for noobs">
+    <meta name="twitter:image" content="https://zoraxy.aroz.org/img/og.png">
+
+    <!-- Favicons -->
+    <link href="favicon.png" rel="icon">
+
+    <!-- Google Fonts -->
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Source+Sans+Pro:wght@100;300;400;600;700;900&display=swap" rel="stylesheet">
+    <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@48,400,0,0" />
+
+    <!-- Main Stylesheet File -->
+    <link href="style.css" rel="stylesheet">
+    <script
+      src="https://code.jquery.com/jquery-3.7.0.min.js"
+      integrity="sha256-2Pmvv0kuTBOenSvLm6bvfBSSHrUJ+3A7x6P5Ebd07/g="
+      crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.js" integrity="sha512-5cguXwRllb+6bcc2pogwIeQmQPXEzn2ddsqAexIBhh7FO1z5Hkek1J9mrK2+rmZCTU6b6pERxI7acnp1MpAg4Q==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.css" integrity="sha512-n//BDM4vMPvyca4bJjZPDh7hlqsQ7hqbP9RH18GF2hTXBY5amBwM2501M0GPiwCU/v9Tor2m13GOTFjk00tkQA==" crossorigin="anonymous" referrerpolicy="no-referrer" />
+    <style>
+      p,a,div,span,h1,h2,h3,h4,h5,h6{
+        font-family: 'Source Sans Pro', sans-serif !important;
+        color: #404040;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="main section">
+      <div class="left-menu">
+        <div class="iconWrapper">
+          <a href="index.html"><img class="ui fluid image" src="img/icon.png"></a>
+        </div>
+        <a href="#home" class="menu-item active" align="center">
+          <img src="img/icons/home.svg">
+        </a>
+        <a href="#features" class="menu-item" align="center">
+          <img src="img/icons/awesome.svg">
+        </a>
+        <a href="#screenshots" class="menu-item" align="center">
+          <img src="img/icons/screenshots.svg">
+        </a>
+        <a href="#plugins" class="menu-item" align="center">
+          <img src="img/icons/plugin.svg">
+        </a>
+        <a href="#source" class="menu-item" align="center">
+          <img src="img/icons/code.svg">
+        </a>
+      </div>
+      <div class="right-content">
+        <!-- Hero Banner Section -->
+        <div class="headbanner"></div>
+        <div id="home" class="herotext">
+          <div class="ui basic segment">
+            <div class="bannerHeaderWrapper">
+              <h1 class="bannerHeader">Zoraxy</h1>
+			  <div class="ui divider"></div><br>
+              <p class="bannerSubheader">Beyond Reverse Proxy: Your Ultimate Homelab Network Tool</p>
+            </div>
+            <br><br>
+            <a class="ui basic big button" style="background-color: white;" href="#features"><i class="ui blue arrow down icon"></i> Learn More</a>
+            <br><br>
+            <table class="ui very basic collapsing unstackable celled table">
+              <thead>
+                <tr><th colspan="2">Quick Access</th>
+              </tr>
+            </thead>
+            <tbody>
+              <tr>
+                <td>
+                  <h4 class="ui image header">
+                    <i class="ui download icon"></i>
+                    <div class="content">
+                      Download
+                      <div class="sub header">Prebuild Binary
+                    </div>
+                  </div>
+                </h4></td>
+                <td>
+                  <a href="https://github.com/tobychui/zoraxy/releases" target="_blank">Open <i class="ui external icon"></i></a>
+                </td>
+              </tr>
+              <tr>
+                <td>
+                  <h4 class="ui image header">
+                    <i class="ui github icon"></i>
+                    <div class="content">
+                      Github
+                      <div class="sub header">Source Code
+                    </div>
+                  </div>
+                </h4></td>
+                <td>
+                  <a href="https://github.com/tobychui/zoraxy" target="_blank">Open <i class="ui external icon"></i></a>
+                </td>
+              </tr>
+            </table>
+          </div>
+		  
+		  <div id="wavesWrapper">
+            <!-- CSS waves-->
+            <svg class="waves" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
+            viewBox="0 24 150 28" preserveAspectRatio="none" shape-rendering="auto">
+                <defs>
+                <path id="gentle-wave" d="M-160 44c30 0 58-18 88-18s 58 18 88 18 58-18 88-18 58 18 88 18 v44h-352z" />
+                </defs>
+                <g class="parallax">
+                <use xlink:href="#gentle-wave" x="48" y="0" fill="rgba(255,255,255,0.7" />
+                <use xlink:href="#gentle-wave" x="48" y="3" fill="rgba(255,255,255,0.5)" />
+                <use xlink:href="#gentle-wave" x="48" y="5" fill="rgba(255,255,255,0.3)" />
+                <use xlink:href="#gentle-wave" x="48" y="7" fill="#fff" />
+                </g>
+            </svg>
+        </div>
+        </div>
+
+        <!-- Features -->
+        <div id="features" class="section">
+          <div class="ui container">
+            <div class="ui basic segment">
+              <h1 class="ui header">
+                <img class="ui small image" src="img/icons/awesome.svg">
+                <div class="content">
+                    Features
+                    <div class="sub header">Highlighting a few important features of Zoraxy</div>
+                </div>
+              </h1>
+              <br>
+              <div class="ui stackable grid featureList">
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/proxy.svg">
+                    <div class="content">
+                      Reverse Proxy
+                    </div>
+                  </h3>
+                  <p>Simple to use noob-friendly reverse proxy server that can be easily set up using a web form and a few toggle switches.</p>
+                </div>
+
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/redirect.svg">
+                    <div class="content">
+                      Redirection
+                    </div>
+                  </h3>
+                  <p>Direct and intuitive redirection rules with basic rewrite options. Suitable for most simple use cases.</p>
+                </div>
+
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/blacklist.svg">
+                    <div class="content">
+                      Geo-IP & Blacklist
+                    </div>
+                  </h3>
+                  <p>Blacklist with GeoIP support. Allows easy setup for regional services.</p>
+                </div>
+
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/gan.svg">
+                    <div class="content">
+                      Global Area Network
+                    </div>
+                  </h3>
+                  <p>ZeroTier controller integrated GAN. Enable unlimited nodes in your network with a few clicks.</p>
+                </div>
+
+                <!-- Row 2-->
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/terminal.svg">
+                    <div class="content">
+                      Web SSH
+                    </div>
+                  </h3>
+                  <p>Integration with Gotty Web SSH terminal allows one-stop management of your nodes inside private LAN via gateway nodes.</p>
+                </div>
+
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/stats.svg">
+                    <div class="content">
+                      Real Time Statistics
+                    </div>
+                  </h3>
+                  <p>Traffic data collection and real-time analytic tools provide you the best insight of visitors data without cookies.</p>
+                </div>
+
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/scan.svg">
+                    <div class="content">
+                      Scanner & Utilities
+                    </div>
+                  </h3>
+                  <p>Build in IP scanner and mDNS discovery service to enable automatic service discovery within LAN.</p>
+                </div>
+
+                <div class="four wide column featureItem">
+                  <h3 class="ui header featureHeader">
+                    <img class="ui image" src="img/icons/code.svg">
+                    <div class="content">
+                      Open Source
+                    </div>
+                  </h3>
+                  <p>Project is open-source under AGPL on Github. Feel free to contribute on missing functions you need! </p>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- Screenshots -->
+        <div id="screenshots" class="ui container">
+          <div class="ui basic segment">
+            <br>
+            <h1 class="ui header">
+              <img class="ui small image" src="img/icons/screenshots.svg">
+              <div class="content">
+                  Screenshots
+                  <div class="sub header">A quick overview of the UI designs</div>
+              </div>
+            </h1>
+            
+            <div class="ui three column stackable grid">
+              <div class="column">
+                <a href="img/screenshots/1.png" target="_blank"><img src="img/screenshots/1.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/2.png" target="_blank"><img src="img/screenshots/2.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/3.png" target="_blank"><img src="img/screenshots/3.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/4.png" target="_blank"><img src="img/screenshots/4.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/5.png" target="_blank"><img src="img/screenshots/5.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/6.png" target="_blank"><img src="img/screenshots/6.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/7.png" target="_blank"><img src="img/screenshots/7.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/8.png" target="_blank"><img src="img/screenshots/8.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/9.png" target="_blank"><img src="img/screenshots/9.png" class="ui fluid image screenshot"></a>
+              </div>
+              <div class="column">
+                <a href="img/screenshots/10.png" target="_blank"><img src="img/screenshots/10.png" class="ui fluid image screenshot"></a>
+              </div>
+            </div> 
+          </div>
+        </div>
+
+        <!-- Plugin Developments -->
+        <div id="plugins" class="ui container">
+          <div class="ui basic segment">
+            <br>
+            <h1 class="ui header">
+              <img class="ui small image" src="img/icons/plugin.svg">
+              <div class="content">
+                  Plugins
+                  <div class="sub header">Add custom routing rules via simple scripts</div>
+              </div>
+            </h1>
+            <div style="width: 100%; text-align: center;">
+              <br>
+              <p>Documentation work in progress</p>
+            </div>
+          </div>
+        </div>
+
+        <!-- Source code -->
+        <div id="source" class="ui container">
+          <div class="ui basic segment">
+            <br>
+            <h1 class="ui header">
+              <img class="ui small image" src="img/icons/code.svg">
+              <div class="content">
+                  Source Code
+                  <div class="sub header">Feel free to give us a ⭐ star ⭐.</div>
+              </div>
+            </h1>
+            <br>
+            <div class="ui two column stackable grid">
+              <div class="column">
+                  <h3 class="ui header">
+                    <i class="grey github icon"></i>
+                    <div class="content" style="text-align: left;">
+                      <a href="https://github.com/tobychui/zoraxy">
+                        Github
+                        <div class="sub header">https://github.com/tobychui/zoraxy</div>
+                      </a>
+                    </div>
+                  </h3>
+              </div>
+              <div class="column">
+                <h3 class="ui header">
+                  <i class="blue mail icon"></i>
+                  <div class="content" style="text-align: left;">
+                    <a href="mailto:toby@imuslab.com">
+                      Email Contact
+                      <div class="sub header">toby@imuslab.com</div>
+                    </a>
+                  </div>
+                </h3>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <br><br>
+        <div class="ui container">
+          <p style="color: #3a3a3a">CopyRight Zoraxy Project and its authors © 2021 - <span class="year"></span></p>
+        </div>
+        <br><br><br>
+      </div>
+    </div>
+    <br>
+    <script>
+      $(".year").text(new Date().getFullYear()  );
+
+      $(".menu-item").on("click", function(){
+        $(".menu-item.active").removeClass("active");
+        $(this).addClass("active");
+      });
+
+      $(".right-content").on("scroll", function() {
+        var scrollPos = $(".right-content").scrollTop();
+        if (scrollPos < 10){
+          //Reaching the top
+          $('.menu-item.active').removeClass("active");
+          $($('.menu-item')[0]).addClass('active');
+          return;
+        }else if ($(".right-content")[0].scrollHeight  ==  $(".right-content").scrollTop() + window.innerHeight ){
+          //Reaching the bottom
+          $('.menu-item.active').removeClass("active");
+          $($('.menu-item').get().reverse()[0]).addClass('active');
+          return
+        }
+        $('.menu-item').each(function() {
+          var currLink = $(this);
+          var refElement = $(currLink.attr("href"));
+          if (refElement.offset().top <= (window.innerHeight / 2)) {
+            $('.menu-item.active').removeClass("active");
+            currLink.addClass("active");
+            console.log(currLink.attr("href"));
+          }
+        });
+      });
+
+    </script>
+  </body>
+</html>
--- a/docs/style.css
+++ b/docs/style.css
@ -0,0 +1,237 @@
+body{
+    background: #ffffff !important;
+    margin: 0;
+    padding: 0;
+    overflow-y: hidden;
+}
+
+:root{
+    --themeTextColor: #404040;
+    --themeSkyblueColor: #a9d1f3;
+    --themeSkyblueColorDecondary: #8eb9df;
+}
+.main {
+    display: flex;
+    height: 100vh;
+}
+
+.left-menu {
+    width: 80px;
+    min-width: 80px;
+    background-color: #fcfcfc;
+    min-height: 100vh;
+    padding-top: 1.5em;
+}
+
+.iconWrapper{
+    padding: 1em;
+    border-bottom: 1px solid #f6f6f6;
+}
+
+.right-content {
+    flex-grow: 1;
+    position: relative;
+    max-height: 100%;
+    overflow-y: auto;
+}
+
+.ui.black.button{
+    background-color: var(--themeTextColor) !important;
+}
+
+/* Menu items */
+.menu-item{
+    display: block;
+    padding: 0.4em;
+    padding-top: 1.2em;
+    padding-bottom: 1.2em;
+    text-align: center;
+    border-bottom: 1px solid #f6f6f6;
+    width: 100%;
+    transition: border-left ease-in-out 0.1s, background-color ease-in-out 0.1s;
+}
+
+.menu-item.active{
+    background: linear-gradient(60deg, rgba(84, 58, 183, 0.3) 0%, rgba(0, 172, 193, 0.3) 100%);
+}
+
+.menu-item .item-icon{
+	fill: #fcfcfc;
+}
+
+.menu-item:hover{
+   background: rgba(35,35,35,0.1);
+}
+
+.menu-item img{
+    width: 30px;
+    display: inline-block;
+    vertical-align: middle;
+}
+
+
+/* Head banner */
+
+.herotext{
+    padding-top: 15em; 
+    padding-left: 8vw;
+    min-height: 100vh;
+}
+
+.bannerHeader{
+    font-size: 8em; 
+    font-weight: 600;
+	color: white;
+}
+
+.bannerSubheader{
+    font-weight: 400; 
+    font-size: 1.2em; 
+	color: #ebebeb;
+    margin-top: -20px;
+}
+
+.bannerHeaderWrapper{
+    text-align: center; 
+    display: inline-block;
+}
+
+#home{
+	background: linear-gradient(60deg, rgba(84,58,183,1) 0%, rgba(0,172,193,1) 100%);
+}
+
+#home .table th, #home .table h4{
+	color: white;
+}
+
+#home .table h4 .content, #home .table h4 .sub.header{
+	color: white;
+}
+#home .table td a{
+	color: #d6ddff;
+}
+
+/* features */
+#features{
+    padding-top: 4em;
+    padding-bottom: 4em;
+    background-color: white;
+}
+
+/* screenshots */
+.screenshot{
+    transition: transform ease-in-out 0.1s;
+    box-shadow: 3px 3px 5px 0px rgba(51,51,51,0.14);
+    margin-bottom: 1em;
+}
+
+.screenshot:hover {
+    transform: scale(1.1); /* (150% zoom - Note: if the zoom is too large, it will go outside of the viewport) */
+}
+
+
+/* RWD */
+@media (max-width:960px) {
+    /* Menu RWD */
+    .left-menu {
+        width: 50px;
+        min-width: 50px;
+    }
+    .iconWrapper{
+        padding: 0.2em;
+        border-bottom: 1px solid #f6f6f6;
+    }
+
+    .menu-item{
+        padding: 0.3em;
+        padding-top: 0.5em;
+        padding-bottom: 0.5em;
+    }
+
+    .menu-item img{
+        width: 26px;
+    }
+
+    /* head banner RWD */
+    .headbanner{
+        opacity: 0.1;
+    }
+
+    .herotext{
+        padding-left: 0;
+        text-align: center;
+    }
+
+    .bannerSubheader{
+        font-size: 1.2em; 
+    }
+
+    .bannerHeader{
+        font-size: 5em; 
+    }
+
+    .bannerHeaderWrapper{
+        display: inline;
+        width: 100%;
+    }
+    
+    .herotext .ui.collapsing.table{
+        width: 100%;
+    }
+}
+
+/* 
+	Waves CSS 
+*/
+
+#wavesWrapper{
+	position: absolute;
+	bottom: 0;
+	width: 100%;
+	left: 0;
+}
+
+.waves {
+	position:relative;
+	width: 100%;
+	height:15vh;
+	margin-bottom:-7px; /*Fix for safari gap*/
+	min-height:100px;
+	max-height:150px;
+}
+
+
+.parallax > use {
+	animation: move-forever 25s cubic-bezier(.55,.5,.45,.5)     infinite;
+}
+.parallax > use:nth-child(1) {
+	animation-delay: -8s;
+	animation-duration: 28s;
+}
+.parallax > use:nth-child(2) {
+	animation-delay: -12s;
+	animation-duration: 40s;
+}
+.parallax > use:nth-child(3) {
+	animation-delay: -16s;
+	animation-duration: 52s;
+}
+.parallax > use:nth-child(4) {
+	animation-delay: -20s;
+	animation-duration: 80s;
+}
+@keyframes move-forever {
+	0% {
+		transform: translate3d(-90px,0,0);
+	}
+	100% { 
+		transform: translate3d(85px,0,0);
+	}
+}
+/*Shrinking for mobile*/
+@media (max-width: 768px) {
+	.waves {
+		height:40px;
+		min-height:40px;
+	}
+}
--- a/example/README.md
+++ b/example/README.md
@ -0,0 +1,26 @@
+# Example www Folder
+
+This is an example www folder that contains two sub-folders.
+
+- `html/`
+- `templates/`
+
+The html file contain static resources that will be served by Zoraxy build-in static web server. You can use it as a generic web server with a static site generator like [Hugo](https://gohugo.io/) or use it as a small CDN for serving your scripts / image that commonly use across many of your sites.
+
+The templates folder contains the template for overriding the build in error or access denied pages. The following templates are supported
+
+- notfound.html (Default site Not-Found error page)
+- whitelist.html (Error page when client being blocked by whitelist rule)
+- blacklist.html (Error page when client being blocked by blacklist rule)
+
+To use the template, copy and paste the `wwww` folder to the same directory as zoraxy executable (aka the src/ file if you `go build` with the current folder tree). 
+
+
+
+### Other Templates
+
+There are a few pre-built templates that works with Zoraxy where you can find in the `other-templates` folder. Copy the folder into `www` and rename the folder to `templates` to active them. 
+
+
+
+It is worth mentioning that the uwu icons for not-found and access-denied are created by @SAWARATSUKI
--- a/example/other-templates/templates_cf/blacklist.html
+++ b/example/other-templates/templates_cf/blacklist.html
--- a/example/other-templates/templates_cf/notfound.html
+++ b/example/other-templates/templates_cf/notfound.html
@ -0,0 +1,154 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta name="apple-mobile-web-app-capable" content="yes" />
+        <meta name="viewport" content="user-scalable=no, width=device-width, initial-scale=1, maximum-scale=1"/>
+        <meta charset="UTF-8">
+        <meta name="theme-color" content="#4b75ff">
+        <link rel="icon" type="image/png" href="img/small_icon.png"/>
+        <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.css">
+        <link rel="preconnect" href="https://fonts.googleapis.com">
+        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+        <link href="https://fonts.googleapis.com/css2?family=Noto+Sans+TC:wght@300;400;500;700;900&display=swap" rel="stylesheet">
+        <script src="https://code.jquery.com/jquery-3.6.4.min.js"></script>
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.js"></script>
+        <title>404 - Host Not Found</title>
+        <style>
+            h1, h2, h3, h4, h5, p, a, span, .ui.list .item{
+                font-family: 'Noto Sans TC', sans-serif;
+                font-weight: 300;
+                color: rgb(88, 88, 88)
+            }
+
+            .diagram{
+                background-color: #ebebeb;
+                padding-bottom: 2em;
+            }
+
+            .diagramHeader{
+                margin-top: 0.2em;
+            }
+
+            @media (max-width:512px) { 
+                .widescreenOnly{
+                    display: none !important;
+                    
+                }
+
+                .four.wide.column:not(.widescreenOnly){
+                    width: 50% !important;
+                }
+
+                .ui.grid{
+                    justify-content: center !important;
+                }
+            }
+        </style>
+    </head>
+    <body>
+        <div>
+            <br><br>
+            <div class="ui container">
+                <h1 style="font-size: 4rem;">Error 404</h1>
+                <p style="font-size: 2rem; margin-bottom: 0.4em;">Target Host Not Found</p>
+                <small id="timestamp"></small>
+            </div>
+            <br><br>
+        </div>
+        <div class="diagram">
+            <div class="ui text container">
+                <div class="ui grid">
+                    <div class="four wide column widescreenOnly" align="center">
+                        <svg version="1.1" id="client_svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+                            width="100%" viewBox="0 0 200 200" enable-background="new 0 0 200 200" xml:space="preserve">
+                        <path fill="#C9CACA" d="M184.795,143.037c0,9.941-8.059,18-18,18H33.494c-9.941,0-18-8.059-18-18V44.952c0-9.941,8.059-18,18-18
+                            h133.301c9.941,0,18,8.059,18,18V143.037z"/>
+                        <circle fill="#FFFFFF" cx="37.39" cy="50.88" r="6.998"/>
+                        <circle fill="#FFFFFF" cx="54.115" cy="50.88" r="6.998"/>
+                        <path fill="#FFFFFF" d="M167.188,50.88c0,3.865-3.133,6.998-6.998,6.998H72.379c-3.865,0-6.998-3.133-6.998-6.998l0,0
+                            c0-3.865,3.133-6.998,6.998-6.998h87.811C164.055,43.882,167.188,47.015,167.188,50.88L167.188,50.88z"/>
+                        <rect x="31.296" y="66.907" fill="#FFFFFF" width="132.279" height="77.878"/>
+                        <circle fill="#9BCA3E" cx="96.754" cy="144.785" r="37.574"/>
+                        <polyline fill="none" stroke="#FFFFFF" stroke-width="8" stroke-miterlimit="10" points="108.497,133.047 93.373,153.814 
+                            82.989,143.204 "/>
+                        </svg>
+                        <small>You</small>
+                        <h2 class="diagramHeader">Browser</h2>
+                        <p style="font-weight: 500; color: #9bca3e;">Working</p>
+                    </div>  
+                    <div class="two wide column widescreenOnly" style="margin-top: 8em; text-align: center;">
+                        <i class="ui big grey exchange alternate icon" style="color:rgb(167, 167, 167) !important;"></i>
+                    </div>
+                    <div class="four wide column widescreenOnly" align="center">
+                        <svg version="1.1" id="cloud_svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+                            width="100%" viewBox="0 0 200 200" enable-background="new 0 0 200 200" xml:space="preserve">
+                            <ellipse fill="#9FA0A0" cx="46.979" cy="108.234" rx="25.399" ry="25.139"/>
+                            <circle fill="#9FA0A0" cx="109.407" cy="100.066" r="50.314"/>
+                            <circle fill="#9FA0A0" cx="22.733" cy="129.949" r="19.798"/>
+                            <circle fill="#9FA0A0" cx="172.635" cy="125.337" r="24.785"/>
+                            <path fill="#9FA0A0" d="M193.514,133.318c0,9.28-7.522,16.803-16.803,16.803H28.223c-9.281,0-16.803-7.522-16.803-16.803l0,0
+                                c0-9.28,7.522-16.804,16.803-16.804h148.488C185.991,116.515,193.514,124.038,193.514,133.318L193.514,133.318z"/>
+                            <circle fill="#9BCA3D" cx="100" cy="149.572" r="38.267"/>
+                            <polyline fill="none" stroke="#FFFFFF" stroke-width="8" stroke-miterlimit="10" points="113.408,136.402 95.954,160.369 
+                                83.971,148.123 "/>
+                        </svg>
+
+                        <small>Gateway Node</small>
+                        <h2 class="diagramHeader">Reverse Proxy</h2>
+                        <p style="font-weight: 500; color: #9bca3e;">Working</p>
+                    </div>  
+                    <div class="two wide column widescreenOnly" style="margin-top: 8em; text-align: center;">
+                        <i class="ui big grey exchange alternate icon" style="color:rgb(167, 167, 167) !important;"></i>
+                    </div>
+                    <div class="four wide column" align="center">
+                        <svg version="1.1" id="host_svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+                            width="100%" viewBox="0 0 200 200" enable-background="new 0 0 200 200" xml:space="preserve">
+                        <path fill="#999999" d="M168.484,113.413c0,9.941,3.317,46.324-6.624,46.324H35.359c-9.941,0-5.873-39.118-5.715-46.324
+                            l17.053-50.909c1.928-9.879,8.059-18,18-18h69.419c9.941,0,15.464,7.746,18,18L168.484,113.413z"/>
+                        <rect x="38.068" y="118.152" fill="#FFFFFF" width="122.573" height="34.312"/>
+                        <circle fill="#BD2426" cx="141.566" cy="135.873" r="8.014"/>
+                        <circle fill="#BD2426" cx="99.354" cy="152.464" r="36.343"/>
+                        <line fill="none" stroke="#FFFFFF" stroke-width="6" stroke-miterlimit="10" x1="90.5" y1="144.125" x2="107.594" y2="161.946"/>
+                        <line fill="none" stroke="#FFFFFF" stroke-width="6" stroke-miterlimit="10" x1="90.5" y1="161.946" x2="107.594" y2="144.79"/>
+                        </svg>
+                        <small id="host"></small>
+                        <h2 class="diagramHeader">Host</h2>
+                        <p style="font-weight: 500; color: #bd2426;">Not Found</p>
+                    </div>
+                  </div>
+            </div>
+        </div>
+        <div>
+            <br>
+            <div class="ui container">
+                <div class="ui stackable grid">
+                    <div class="eight wide column">
+                        <h1>What happend?</h1>
+                        <p>The reverse proxy target domain is not found.<br>For more information, see the error message on the reverse proxy terminal.</p>
+                    </div>
+                    <div class="eight wide column">
+                        <h1>What can I do?</h1>
+                        <h5 style="font-weight: 500;">If you are a visitor of this website: </h5>
+                        <p>Please try again in a few minutes</p>
+                        <h5 style="font-weight: 500;">If you are the owner of this website:</h5>
+                        <div class="ui bulleted list">
+                            <div class="item">Check if the proxy rules that match this hostname exists</div>
+                            <div class="item">Visit the Reverse Proxy management interface to correct any setting errors</div>
+                        </div>
+                    </div>
+                  </div>
+            </div>
+            <br>
+        </div>
+        <div class="ui divider"></div>
+        <div class="ui container" style="color: grey; font-size: 90%">
+            <p>Powered by Zoraxy</p>
+        </div>
+        <br><br>
+
+        <script>
+            $("#timestamp").text(new Date());
+            $("#host").text(location.href);
+        </script>
+    </body>
+</html>
--- a/example/other-templates/templates_cf/whitelist.html
+++ b/example/other-templates/templates_cf/whitelist.html
--- a/example/other-templates/templates_uwu/blacklist.html
+++ b/example/other-templates/templates_uwu/blacklist.html
--- a/example/other-templates/templates_uwu/notfound.html
+++ b/example/other-templates/templates_uwu/notfound.html
--- a/example/other-templates/templates_uwu/whitelist.html
+++ b/example/other-templates/templates_uwu/whitelist.html
--- a/example/www/html/index.html
+++ b/example/www/html/index.html
@ -0,0 +1,229 @@
+<html>
+    <head>
+        <title>Zoraxy Firework!</title>
+        <style>
+            body{
+                margin: 0 !important;
+            }
+            canvas {
+                display: block;
+                width: 100vw;
+                height: 100vh;
+            }
+        </style>
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.2/anime.min.js" integrity="sha512-aNMyYYxdIxIaot0Y1/PLuEu3eipGCmsEUBrUq+7aVyPGMFH8z0eTP0tkqAvv34fzN6z+201d3T8HPb1svWSKHQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+    </head>
+    <body>
+        <canvas id="c"></canvas>
+        <script>
+            var c = document.getElementById("c");
+            var ctx = c.getContext("2d");
+            var cH;
+            var cW;
+            var bgColor = "#FF6138";
+            var animations = [];
+            var circles = [];
+
+            var colorPicker = (function() {
+            var colors = ["#FF6138", "#FFBE53", "#2980B9", "#FCFCFC", "#282741"];
+            var index = 0;
+            function next() {
+                index = index++ < colors.length-1 ? index : 0;
+                return colors[index];
+            }
+            function current() {
+                return colors[index]
+            }
+            return {
+                next: next,
+                current: current
+            }
+            })();
+
+            function removeAnimation(animation) {
+            var index = animations.indexOf(animation);
+            if (index > -1) animations.splice(index, 1);
+            }
+
+            function calcPageFillRadius(x, y) {
+            var l = Math.max(x - 0, cW - x);
+            var h = Math.max(y - 0, cH - y);
+            return Math.sqrt(Math.pow(l, 2) + Math.pow(h, 2));
+            }
+
+            function addClickListeners() {
+            document.addEventListener("touchstart", handleEvent);
+            document.addEventListener("mousedown", handleEvent);
+            };
+
+            function handleEvent(e) {
+                if (e.touches) { 
+                e.preventDefault();
+                e = e.touches[0];
+                }
+                var currentColor = colorPicker.current();
+                var nextColor = colorPicker.next();
+                var targetR = calcPageFillRadius(e.pageX, e.pageY);
+                var rippleSize = Math.min(200, (cW * .4));
+                var minCoverDuration = 750;
+                
+                var pageFill = new Circle({
+                x: e.pageX,
+                y: e.pageY,
+                r: 0,
+                fill: nextColor
+                });
+                var fillAnimation = anime({
+                targets: pageFill,
+                r: targetR,
+                duration:  Math.max(targetR / 2 , minCoverDuration ),
+                easing: "easeOutQuart",
+                complete: function(){
+                    bgColor = pageFill.fill;
+                    removeAnimation(fillAnimation);
+                }
+                });
+                
+                var ripple = new Circle({
+                x: e.pageX,
+                y: e.pageY,
+                r: 0,
+                fill: currentColor,
+                stroke: {
+                    width: 3,
+                    color: currentColor
+                },
+                opacity: 1
+                });
+                var rippleAnimation = anime({
+                targets: ripple,
+                r: rippleSize,
+                opacity: 0,
+                easing: "easeOutExpo",
+                duration: 900,
+                complete: removeAnimation
+                });
+                
+                var particles = [];
+                for (var i=0; i<32; i++) {
+                var particle = new Circle({
+                    x: e.pageX,
+                    y: e.pageY,
+                    fill: currentColor,
+                    r: anime.random(24, 48)
+                })
+                particles.push(particle);
+                }
+                var particlesAnimation = anime({
+                targets: particles,
+                x: function(particle){
+                    return particle.x + anime.random(rippleSize, -rippleSize);
+                },
+                y: function(particle){
+                    return particle.y + anime.random(rippleSize * 1.15, -rippleSize * 1.15);
+                },
+                r: 0,
+                easing: "easeOutExpo",
+                duration: anime.random(1000,1300),
+                complete: removeAnimation
+                });
+                animations.push(fillAnimation, rippleAnimation, particlesAnimation);
+            }
+
+            function extend(a, b){
+            for(var key in b) {
+                if(b.hasOwnProperty(key)) {
+                a[key] = b[key];
+                }
+            }
+            return a;
+            }
+
+            var Circle = function(opts) {
+            extend(this, opts);
+            }
+
+            Circle.prototype.draw = function() {
+            ctx.globalAlpha = this.opacity || 1;
+            ctx.beginPath();
+            ctx.arc(this.x, this.y, this.r, 0, 2 * Math.PI, false);
+            if (this.stroke) {
+                ctx.strokeStyle = this.stroke.color;
+                ctx.lineWidth = this.stroke.width;
+                ctx.stroke();
+            }
+            if (this.fill) {
+                ctx.fillStyle = this.fill;
+                ctx.fill();
+            }
+            ctx.closePath();
+            ctx.globalAlpha = 1;
+            }
+
+            var animate = anime({
+            duration: Infinity,
+            update: function() {
+                ctx.fillStyle = bgColor;
+                ctx.fillRect(0, 0, cW, cH);
+                animations.forEach(function(anim) {
+                anim.animatables.forEach(function(animatable) {
+                    animatable.target.draw();
+                });
+                });
+            }
+            });
+
+            var resizeCanvas = function() {
+            cW = window.innerWidth;
+            cH = window.innerHeight;
+            c.width = cW * devicePixelRatio;
+            c.height = cH * devicePixelRatio;
+            ctx.scale(devicePixelRatio, devicePixelRatio);
+            };
+
+            (function init() {
+            resizeCanvas();
+            if (window.CP) {
+                // CodePen's loop detection was causin' problems
+                // and I have no idea why, so...
+                window.CP.PenTimer.MAX_TIME_IN_LOOP_WO_EXIT = 6000; 
+            }
+            window.addEventListener("resize", resizeCanvas);
+            addClickListeners();
+            if (!!window.location.pathname.match(/fullcpgrid/)) {
+                startFauxClicking();
+            }
+            handleInactiveUser();
+            })();
+
+            function handleInactiveUser() {
+            var inactive = setTimeout(function(){
+                fauxClick(cW/2, cH/2);
+            }, 2000);
+            
+            function clearInactiveTimeout() {
+                clearTimeout(inactive);
+                document.removeEventListener("mousedown", clearInactiveTimeout);
+                document.removeEventListener("touchstart", clearInactiveTimeout);
+            }
+            
+            document.addEventListener("mousedown", clearInactiveTimeout);
+            document.addEventListener("touchstart", clearInactiveTimeout);
+            }
+
+            function startFauxClicking() {
+            setTimeout(function(){
+                fauxClick(anime.random( cW * .2, cW * .8), anime.random(cH * .2, cH * .8));
+                startFauxClicking();
+            }, anime.random(200, 900));
+            }
+
+            function fauxClick(x, y) {
+            var fauxClick = new Event("mousedown");
+            fauxClick.pageX = x;
+            fauxClick.pageY = y;
+            document.dispatchEvent(fauxClick);
+            }
+        </script>
+    </body>
+</html>
--- a/example/www/templates/blacklist.html
+++ b/example/www/templates/blacklist.html
--- a/example/www/templates/notfound.html
+++ b/example/www/templates/notfound.html
--- a/example/www/templates/whitelist.html
+++ b/example/www/templates/whitelist.html
--- a/img/screenshots/0_1.png
+++ b/img/screenshots/0_1.png
--- a/img/screenshots/0_2.png
+++ b/img/screenshots/0_2.png
--- a/img/screenshots/1.png
+++ b/img/screenshots/1.png
--- a/img/screenshots/10_1.png
+++ b/img/screenshots/10_1.png
--- a/img/screenshots/10_2.png
+++ b/img/screenshots/10_2.png
--- a/img/screenshots/2.png
+++ b/img/screenshots/2.png
--- a/img/screenshots/3.png
+++ b/img/screenshots/3.png
--- a/img/screenshots/4.png
+++ b/img/screenshots/4.png
--- a/img/screenshots/5.png
+++ b/img/screenshots/5.png
--- a/img/screenshots/7.png
+++ b/img/screenshots/7.png
--- a/img/screenshots/8.png
+++ b/img/screenshots/8.png
--- a/img/screenshots/9.png
+++ b/img/screenshots/9.png
--- a/img/social_banner.png
+++ b/img/social_banner.png
--- a/img/social_banner.psd
+++ b/img/social_banner.psd
--- a/img/title.png
+++ b/img/title.png
--- a/img/title.psd
+++ b/img/title.psd
--- a/src/Makefile
+++ b/src/Makefile
@ -0,0 +1,61 @@
+# PLATFORMS := darwin/amd64 darwin/arm64 freebsd/amd64 linux/386 linux/amd64 linux/arm linux/arm64 linux/mipsle windows/386 windows/amd64 windows/arm windows/arm64
+PLATFORMS := linux/amd64 linux/386 linux/arm linux/arm64 linux/mipsle linux/riscv64 windows/amd64
+temp = $(subst /, ,$@)
+os = $(word 1, $(temp))
+arch = $(word 2, $(temp))
+
+#all:  web.tar.gz $(PLATFORMS) fixwindows zoraxy_file_checksum.sha1
+all:  clear_old $(PLATFORMS) fixwindows
+
+binary: $(PLATFORMS)
+
+hash: zoraxy_file_checksum.sha1
+
+web: web.tar.gz
+
+clean: 
+	rm -f zoraxy_*_*
+	rm -f web.tar.gz
+
+$(PLATFORMS):
+	@echo "Building $(os)/$(arch)"
+	GOROOT_FINAL=Git/ GOOS=$(os) GOARCH=$(arch) $(if $(filter linux/arm,$(os)/$(arch)),GOARM=6,) CGO_ENABLED="0" go build -o './dist/zoraxy_$(os)_$(arch)'  -ldflags "-s -w" -trimpath
+#	GOROOT_FINAL=Git/ GOOS=$(os) GOARCH=$(arch) GOARM=6 go build -o './dist/zoraxy_$(os)_$(arch)'  -ldflags "-s -w" -trimpath
+
+
+fixwindows:
+	-mv ./dist/zoraxy_windows_amd64 ./dist/zoraxy_windows_amd64.exe
+#	-mv ./dist/zoraxy_windows_arm64 ./dist/zoraxy_windows_arm64.exe
+
+
+clear_old:
+	-rm -rf ./dist/
+	-mkdir ./dist/
+
+web.tar.gz:
+	
+	@echo "Removing old build resources, if exists"
+	-rm -rf ./dist/
+	-mkdir ./dist/
+
+	@echo "Moving subfolders to build folder"
+	-cp -r ./web ./dist/web/
+	-cp -r ./system ./dist/system/
+
+	@ echo "Remove sensitive information"
+	-rm -rf ./dist/certs/
+	-rm -rf ./dist/conf/
+	-rm -rf ./dist/rules/
+
+
+	@echo "Creating tarball for all required files"
+	-rm ./dist/web.tar.gz
+	-cd ./dist/ && tar -czf ./web.tar.gz system/ web/
+
+	@echo "Clearing up unzipped folder structures"
+	-rm -rf "./dist/web"
+	-rm -rf "./dist/system"
+
+zoraxy_file_checksum.sha1:
+	@echo "Generating the checksum, if sha1sum installed"
+	-sha1sum ./dist/web.tar.gz > ./dist/zoraxy_file_checksum.sha1
--- a/src/accesslist.go
+++ b/src/accesslist.go
@ -0,0 +1,507 @@
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/microcosm-cc/bluemonday"
+
+	"imuslab.com/zoraxy/mod/access"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	accesslist.go
+
+	This script file is added to extend the
+	reverse proxy function to include
+	banning / whitelist a specific IP address or country code
+*/
+
+/*
+	General Function
+*/
+
+func handleListAccessRules(w http.ResponseWriter, r *http.Request) {
+	allAccessRules := accessController.ListAllAccessRules()
+	js, _ := json.Marshal(allAccessRules)
+	utils.SendJSONResponse(w, string(js))
+}
+
+func handleAttachRuleToHost(w http.ResponseWriter, r *http.Request) {
+	ruleid, err := utils.PostPara(r, "id")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid rule name")
+		return
+	}
+
+	host, err := utils.PostPara(r, "host")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid rule name")
+		return
+	}
+
+	//Check if access rule and proxy rule exists
+	targetProxyEndpoint, err := dynamicProxyRouter.LoadProxy(host)
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid host given")
+		return
+	}
+	if !accessController.AccessRuleExists(ruleid) {
+		utils.SendErrorResponse(w, "access rule not exists")
+		return
+	}
+
+	//Update the proxy host acess rule id
+	targetProxyEndpoint.AccessFilterUUID = ruleid
+	targetProxyEndpoint.UpdateToRuntime()
+	err = SaveReverseProxyConfig(targetProxyEndpoint)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	utils.SendOK(w)
+}
+
+// Create a new access rule, require name and desc only
+func handleCreateAccessRule(w http.ResponseWriter, r *http.Request) {
+	ruleName, err := utils.PostPara(r, "name")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid rule name")
+		return
+	}
+	ruleDesc, _ := utils.PostPara(r, "desc")
+
+	//Filter out injection if any
+	p := bluemonday.StripTagsPolicy()
+	ruleName = p.Sanitize(ruleName)
+	ruleDesc = p.Sanitize(ruleDesc)
+
+	ruleUUID := uuid.New().String()
+	newAccessRule := access.AccessRule{
+		ID:               ruleUUID,
+		Name:             ruleName,
+		Desc:             ruleDesc,
+		BlacklistEnabled: false,
+		WhitelistEnabled: false,
+	}
+
+	//Add it to runtime
+	err = accessController.AddNewAccessRule(&newAccessRule)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	utils.SendOK(w)
+}
+
+// Handle removing an access rule. All proxy endpoint using this rule will be
+// set to use the default rule
+func handleRemoveAccessRule(w http.ResponseWriter, r *http.Request) {
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid rule id given")
+		return
+	}
+
+	if ruleID == "default" {
+		utils.SendErrorResponse(w, "default access rule cannot be removed")
+		return
+	}
+
+	ruleID = strings.TrimSpace(ruleID)
+
+	//Set all proxy hosts that use this access rule back to using "default"
+	allProxyEndpoints := dynamicProxyRouter.GetProxyEndpointsAsMap()
+	for _, proxyEndpoint := range allProxyEndpoints {
+		if strings.EqualFold(proxyEndpoint.AccessFilterUUID, ruleID) {
+			//This proxy endpoint is using the current access filter.
+			//set it to default
+			proxyEndpoint.AccessFilterUUID = "default"
+			proxyEndpoint.UpdateToRuntime()
+			err = SaveReverseProxyConfig(proxyEndpoint)
+			if err != nil {
+				SystemWideLogger.PrintAndLog("Access", "Unable to save updated proxy endpoint "+proxyEndpoint.RootOrMatchingDomain, err)
+			} else {
+				SystemWideLogger.PrintAndLog("Access", "Updated "+proxyEndpoint.RootOrMatchingDomain+" access filter to \"default\"", nil)
+			}
+		}
+	}
+
+	//Remove the access rule by ID
+	err = accessController.RemoveAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	SystemWideLogger.PrintAndLog("Access", "Access Rule "+ruleID+" removed", nil)
+	utils.SendOK(w)
+}
+
+// Only the name and desc, for other properties use blacklist / whitelist api
+func handleUpadateAccessRule(w http.ResponseWriter, r *http.Request) {
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid rule id")
+		return
+	}
+	ruleName, err := utils.PostPara(r, "name")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid rule name")
+		return
+	}
+	ruleDesc, _ := utils.PostPara(r, "desc")
+
+	//Filter anything weird
+	p := bluemonday.StrictPolicy()
+	ruleName = p.Sanitize(ruleName)
+	ruleDesc = p.Sanitize(ruleDesc)
+
+	err = accessController.UpdateAccessRule(ruleID, ruleName, ruleDesc)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	utils.SendOK(w)
+}
+
+/*
+	Blacklist Related
+*/
+
+// List a of blacklisted ip address or country code
+func handleListBlacklisted(w http.ResponseWriter, r *http.Request) {
+	bltype, err := utils.GetPara(r, "type")
+	if err != nil {
+		bltype = "country"
+	}
+
+	ruleID, err := utils.GetPara(r, "id")
+	if err != nil {
+		//Use default if not set
+		ruleID = "default"
+	}
+
+	//Load the target rule from access controller
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	resulst := []string{}
+	if bltype == "country" {
+		resulst = rule.GetAllBlacklistedCountryCode()
+	} else if bltype == "ip" {
+		resulst = rule.GetAllBlacklistedIp()
+	}
+
+	js, _ := json.Marshal(resulst)
+	utils.SendJSONResponse(w, string(js))
+
+}
+
+func handleCountryBlacklistAdd(w http.ResponseWriter, r *http.Request) {
+	countryCode, err := utils.PostPara(r, "cc")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty country code")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	comment, _ := utils.PostPara(r, "comment")
+	p := bluemonday.StripTagsPolicy()
+	comment = p.Sanitize(comment)
+
+	//Load the target rule from access controller
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	rule.AddCountryCodeToBlackList(countryCode, comment)
+
+	utils.SendOK(w)
+}
+
+func handleCountryBlacklistRemove(w http.ResponseWriter, r *http.Request) {
+	countryCode, err := utils.PostPara(r, "cc")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty country code")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	//Load the target rule from access controller
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	rule.RemoveCountryCodeFromBlackList(countryCode)
+
+	utils.SendOK(w)
+}
+
+func handleIpBlacklistAdd(w http.ResponseWriter, r *http.Request) {
+	ipAddr, err := utils.PostPara(r, "ip")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty ip address")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	//Load the target rule from access controller
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	comment, _ := utils.GetPara(r, "comment")
+	p := bluemonday.StripTagsPolicy()
+	comment = p.Sanitize(comment)
+
+	rule.AddIPToBlackList(ipAddr, comment)
+	utils.SendOK(w)
+}
+
+func handleIpBlacklistRemove(w http.ResponseWriter, r *http.Request) {
+	ipAddr, err := utils.PostPara(r, "ip")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty ip address")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	//Load the target rule from access controller
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	rule.RemoveIPFromBlackList(ipAddr)
+
+	utils.SendOK(w)
+}
+
+func handleBlacklistEnable(w http.ResponseWriter, r *http.Request) {
+	enable, _ := utils.PostPara(r, "enable")
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	if enable == "" {
+		//enable paramter not set
+		currentEnabled := rule.BlacklistEnabled
+		js, _ := json.Marshal(currentEnabled)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		if enable == "true" {
+			rule.ToggleBlacklist(true)
+		} else if enable == "false" {
+			rule.ToggleBlacklist(false)
+		} else {
+			utils.SendErrorResponse(w, "invalid enable state: only true and false is accepted")
+			return
+		}
+
+		utils.SendOK(w)
+	}
+}
+
+/*
+	Whitelist Related
+*/
+
+func handleListWhitelisted(w http.ResponseWriter, r *http.Request) {
+	bltype, err := utils.GetPara(r, "type")
+	if err != nil {
+		bltype = "country"
+	}
+
+	ruleID, err := utils.GetPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	resulst := []*access.WhitelistEntry{}
+	if bltype == "country" {
+		resulst = rule.GetAllWhitelistedCountryCode()
+	} else if bltype == "ip" {
+		resulst = rule.GetAllWhitelistedIp()
+	}
+
+	js, _ := json.Marshal(resulst)
+	utils.SendJSONResponse(w, string(js))
+
+}
+
+func handleCountryWhitelistAdd(w http.ResponseWriter, r *http.Request) {
+	countryCode, err := utils.PostPara(r, "cc")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty country code")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	comment, _ := utils.PostPara(r, "comment")
+	p := bluemonday.StrictPolicy()
+	comment = p.Sanitize(comment)
+
+	rule.AddCountryCodeToWhitelist(countryCode, comment)
+
+	utils.SendOK(w)
+}
+
+func handleCountryWhitelistRemove(w http.ResponseWriter, r *http.Request) {
+	countryCode, err := utils.PostPara(r, "cc")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty country code")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	rule.RemoveCountryCodeFromWhitelist(countryCode)
+
+	utils.SendOK(w)
+}
+
+func handleIpWhitelistAdd(w http.ResponseWriter, r *http.Request) {
+	ipAddr, err := utils.PostPara(r, "ip")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty ip address")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	comment, _ := utils.PostPara(r, "comment")
+	p := bluemonday.StrictPolicy()
+	comment = p.Sanitize(comment)
+
+	rule.AddIPToWhiteList(ipAddr, comment)
+	utils.SendOK(w)
+}
+
+func handleIpWhitelistRemove(w http.ResponseWriter, r *http.Request) {
+	ipAddr, err := utils.PostPara(r, "ip")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid or empty ip address")
+		return
+	}
+
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	rule.RemoveIPFromWhiteList(ipAddr)
+
+	utils.SendOK(w)
+}
+
+func handleWhitelistEnable(w http.ResponseWriter, r *http.Request) {
+	enable, _ := utils.PostPara(r, "enable")
+	ruleID, err := utils.PostPara(r, "id")
+	if err != nil {
+		ruleID = "default"
+	}
+
+	rule, err := accessController.GetAccessRuleByID(ruleID)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	if enable == "" {
+		//Return the current enabled state
+		currentEnabled := rule.WhitelistEnabled
+		js, _ := json.Marshal(currentEnabled)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		if enable == "true" {
+			rule.ToggleWhitelist(true)
+		} else if enable == "false" {
+			rule.ToggleWhitelist(false)
+		} else {
+			utils.SendErrorResponse(w, "invalid enable state: only true and false is accepted")
+			return
+		}
+
+		utils.SendOK(w)
+	}
+}
--- a/src/acme.go
+++ b/src/acme.go
@ -0,0 +1,162 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"math/rand"
+	"net/http"
+	"regexp"
+	"strconv"
+	"time"
+
+	"imuslab.com/zoraxy/mod/acme"
+	"imuslab.com/zoraxy/mod/dynamicproxy"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	acme.go
+
+	This script handle special routing required for acme auto cert renew functions
+*/
+
+// Helper function to generate a random port above a specified value
+func getRandomPort(minPort int) int {
+	return rand.Intn(65535-minPort) + minPort
+}
+
+// init the new ACME instance
+func initACME() *acme.ACMEHandler {
+	SystemWideLogger.Println("Starting ACME handler")
+	rand.Seed(time.Now().UnixNano())
+	// Generate a random port above 30000
+	port := getRandomPort(30000)
+
+	// Check if the port is already in use
+	for acme.IsPortInUse(port) {
+		port = getRandomPort(30000)
+	}
+
+	return acme.NewACME("https://acme-v02.api.letsencrypt.org/directory", strconv.Itoa(port), sysdb, SystemWideLogger)
+}
+
+// create the special routing rule for ACME
+func acmeRegisterSpecialRoutingRule() {
+	SystemWideLogger.Println("Assigned temporary port:" + acmeHandler.Getport())
+
+	err := dynamicProxyRouter.AddRoutingRules(&dynamicproxy.RoutingRule{
+		ID: "acme-autorenew",
+		MatchRule: func(r *http.Request) bool {
+			found, _ := regexp.MatchString("/.well-known/acme-challenge/*", r.RequestURI)
+			return found
+		},
+		RoutingHandler: func(w http.ResponseWriter, r *http.Request) {
+
+			req, err := http.NewRequest(http.MethodGet, "http://localhost:"+acmeHandler.Getport()+r.RequestURI, nil)
+			req.Host = r.Host
+			if err != nil {
+				fmt.Printf("client: could not create request: %s\n", err)
+				return
+			}
+			res, err := http.DefaultClient.Do(req)
+			if err != nil {
+				fmt.Printf("client: error making http request: %s\n", err)
+				return
+			}
+
+			resBody, err := io.ReadAll(res.Body)
+			defer res.Body.Close()
+			if err != nil {
+				fmt.Printf("error reading: %s\n", err)
+				return
+			}
+			w.Write(resBody)
+		},
+		Enabled:                true,
+		UseSystemAccessControl: false,
+	})
+
+	if err != nil {
+		SystemWideLogger.PrintAndLog("ACME", "Unable register temp port for DNS resolver", err)
+	}
+}
+
+// This function check if the renew setup is satisfied. If not, toggle them automatically
+func AcmeCheckAndHandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
+	isForceHttpsRedirectEnabledOriginally := false
+	requireRestorePort80 := false
+	dnsPara, _ := utils.PostBool(r, "dns")
+	if !dnsPara {
+
+		if dynamicProxyRouter.Option.Port == 443 {
+			//Check if port 80 is enabled
+			if !dynamicProxyRouter.Option.ListenOnPort80 {
+				//Enable port 80 temporarily
+				SystemWideLogger.PrintAndLog("ACME", "Temporarily enabling port 80 listener to handle ACME request ", nil)
+				dynamicProxyRouter.UpdatePort80ListenerState(true)
+				requireRestorePort80 = true
+				time.Sleep(2 * time.Second)
+			}
+
+			//Enable port 80 to 443 redirect
+			if !dynamicProxyRouter.Option.ForceHttpsRedirect {
+				SystemWideLogger.Println("Temporary enabling HTTP to HTTPS redirect for ACME certificate renew requests")
+				dynamicProxyRouter.UpdateHttpToHttpsRedirectSetting(true)
+			} else {
+				//Set this to true, so after renew, do not turn it off
+				isForceHttpsRedirectEnabledOriginally = true
+			}
+
+		} else if dynamicProxyRouter.Option.Port == 80 {
+			//Go ahead
+
+		} else {
+			//This port do not support ACME
+			utils.SendErrorResponse(w, "ACME renew only support web server listening on port 80 (http) or 443 (https)")
+			return
+		}
+	}
+
+	//Add a 2 second delay to make sure everything is settle down
+	time.Sleep(2 * time.Second)
+
+	// Pass over to the acmeHandler to deal with the communication
+	acmeHandler.HandleRenewCertificate(w, r)
+
+	//Update the TLS cert store buffer
+	tlsCertManager.UpdateLoadedCertList()
+
+	//Restore original settings
+	if requireRestorePort80 {
+		//Restore port 80 listener
+		SystemWideLogger.PrintAndLog("ACME", "Restoring previous port 80 listener settings", nil)
+		dynamicProxyRouter.UpdatePort80ListenerState(false)
+	}
+	if !isForceHttpsRedirectEnabledOriginally {
+		//Default is off. Turn the redirection off
+		SystemWideLogger.PrintAndLog("ACME", "Restoring HTTP to HTTPS redirect settings", nil)
+		dynamicProxyRouter.UpdateHttpToHttpsRedirectSetting(false)
+	}
+
+}
+
+// HandleACMEPreferredCA return the user preferred / default CA for new subdomain auto creation
+func HandleACMEPreferredCA(w http.ResponseWriter, r *http.Request) {
+	ca, err := utils.PostPara(r, "set")
+	if err != nil {
+		//Return the current ca to user
+		prefCA := "Let's Encrypt"
+		sysdb.Read("acmepref", "prefca", &prefCA)
+		js, _ := json.Marshal(prefCA)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		//Check if the CA is supported
+		acme.IsSupportedCA(ca)
+		//Set the new config
+		sysdb.Write("acmepref", "prefca", ca)
+		SystemWideLogger.Println("Updating prefered ACME CA to " + ca)
+		utils.SendOK(w)
+	}
+
+}
--- a/src/api.go
+++ b/src/api.go
@ -0,0 +1,336 @@
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/pprof"
+
+	"imuslab.com/zoraxy/mod/acme/acmedns"
+	"imuslab.com/zoraxy/mod/acme/acmewizard"
+	"imuslab.com/zoraxy/mod/auth"
+	"imuslab.com/zoraxy/mod/ipscan"
+	"imuslab.com/zoraxy/mod/netstat"
+	"imuslab.com/zoraxy/mod/netutils"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	API.go
+
+	This file contains all the API called by the web management interface
+
+*/
+
+var requireAuth = true
+
+func initAPIs(targetMux *http.ServeMux) {
+	authRouter := auth.NewManagedHTTPRouter(auth.RouterOption{
+		AuthAgent:   authAgent,
+		RequireAuth: requireAuth,
+		TargetMux:   targetMux,
+		DeniedHandler: func(w http.ResponseWriter, r *http.Request) {
+			http.Error(w, "401 - Unauthorized", http.StatusUnauthorized)
+		},
+	})
+
+	//Register the standard web services urls
+	fs := http.FileServer(http.FS(webres))
+	if development {
+		fs = http.FileServer(http.Dir("web/"))
+	}
+	//Add a layer of middleware for advance control
+	advHandler := FSHandler(fs)
+	targetMux.Handle("/", advHandler)
+
+	//Authentication APIs
+	registerAuthAPIs(requireAuth, targetMux)
+
+	//Reverse proxy
+	authRouter.HandleFunc("/api/proxy/enable", ReverseProxyHandleOnOff)
+	authRouter.HandleFunc("/api/proxy/add", ReverseProxyHandleAddEndpoint)
+	authRouter.HandleFunc("/api/proxy/status", ReverseProxyStatus)
+	authRouter.HandleFunc("/api/proxy/toggle", ReverseProxyToggleRuleSet)
+	authRouter.HandleFunc("/api/proxy/list", ReverseProxyList)
+	authRouter.HandleFunc("/api/proxy/detail", ReverseProxyListDetail)
+	authRouter.HandleFunc("/api/proxy/edit", ReverseProxyHandleEditEndpoint)
+	authRouter.HandleFunc("/api/proxy/setAlias", ReverseProxyHandleAlias)
+	authRouter.HandleFunc("/api/proxy/del", DeleteProxyEndpoint)
+	authRouter.HandleFunc("/api/proxy/updateCredentials", UpdateProxyBasicAuthCredentials)
+	authRouter.HandleFunc("/api/proxy/tlscheck", HandleCheckSiteSupportTLS)
+	authRouter.HandleFunc("/api/proxy/setIncoming", HandleIncomingPortSet)
+	authRouter.HandleFunc("/api/proxy/useHttpsRedirect", HandleUpdateHttpsRedirect)
+	authRouter.HandleFunc("/api/proxy/listenPort80", HandleUpdatePort80Listener)
+	authRouter.HandleFunc("/api/proxy/requestIsProxied", HandleManagementProxyCheck)
+	authRouter.HandleFunc("/api/proxy/developmentMode", HandleDevelopmentModeChange)
+	//Reverse proxy upstream (load balance) APIs
+	authRouter.HandleFunc("/api/proxy/upstream/list", ReverseProxyUpstreamList)
+	authRouter.HandleFunc("/api/proxy/upstream/add", ReverseProxyUpstreamAdd)
+	authRouter.HandleFunc("/api/proxy/upstream/setPriority", ReverseProxyUpstreamSetPriority)
+	authRouter.HandleFunc("/api/proxy/upstream/update", ReverseProxyUpstreamUpdate)
+	authRouter.HandleFunc("/api/proxy/upstream/remove", ReverseProxyUpstreamDelete)
+	//Reverse proxy virtual directory APIs
+	authRouter.HandleFunc("/api/proxy/vdir/list", ReverseProxyListVdir)
+	authRouter.HandleFunc("/api/proxy/vdir/add", ReverseProxyAddVdir)
+	authRouter.HandleFunc("/api/proxy/vdir/del", ReverseProxyDeleteVdir)
+	authRouter.HandleFunc("/api/proxy/vdir/edit", ReverseProxyEditVdir)
+	//Reverse proxy user define header apis
+	authRouter.HandleFunc("/api/proxy/header/list", HandleCustomHeaderList)
+	authRouter.HandleFunc("/api/proxy/header/add", HandleCustomHeaderAdd)
+	authRouter.HandleFunc("/api/proxy/header/remove", HandleCustomHeaderRemove)
+	authRouter.HandleFunc("/api/proxy/header/handleHSTS", HandleHSTSState)
+	authRouter.HandleFunc("/api/proxy/header/handleHopByHop", HandleHopByHop)
+	authRouter.HandleFunc("/api/proxy/header/handleHostOverwrite", HandleHostOverwrite)
+	authRouter.HandleFunc("/api/proxy/header/handlePermissionPolicy", HandlePermissionPolicy)
+	//Reverse proxy auth related APIs
+	authRouter.HandleFunc("/api/proxy/auth/exceptions/list", ListProxyBasicAuthExceptionPaths)
+	authRouter.HandleFunc("/api/proxy/auth/exceptions/add", AddProxyBasicAuthExceptionPaths)
+	authRouter.HandleFunc("/api/proxy/auth/exceptions/delete", RemoveProxyBasicAuthExceptionPaths)
+
+	//TLS / SSL config
+	authRouter.HandleFunc("/api/cert/tls", handleToggleTLSProxy)
+	authRouter.HandleFunc("/api/cert/tlsRequireLatest", handleSetTlsRequireLatest)
+	authRouter.HandleFunc("/api/cert/upload", handleCertUpload)
+	authRouter.HandleFunc("/api/cert/download", handleCertDownload)
+	authRouter.HandleFunc("/api/cert/list", handleListCertificate)
+	authRouter.HandleFunc("/api/cert/listdomains", handleListDomains)
+	authRouter.HandleFunc("/api/cert/checkDefault", handleDefaultCertCheck)
+	authRouter.HandleFunc("/api/cert/delete", handleCertRemove)
+
+	//SSO and Oauth
+	authRouter.HandleFunc("/api/sso/status", ssoHandler.HandleSSOStatus)
+	authRouter.HandleFunc("/api/sso/enable", ssoHandler.HandleSSOEnable)
+	authRouter.HandleFunc("/api/sso/setPort", ssoHandler.HandlePortChange)
+	authRouter.HandleFunc("/api/sso/setAuthURL", ssoHandler.HandleSetAuthURL)
+
+	authRouter.HandleFunc("/api/sso/app/register", ssoHandler.HandleRegisterApp)
+	//authRouter.HandleFunc("/api/sso/app/list", ssoHandler.HandleListApp)
+	//authRouter.HandleFunc("/api/sso/app/remove", ssoHandler.HandleRemoveApp)
+
+	authRouter.HandleFunc("/api/sso/user/list", ssoHandler.HandleListUser)
+	authRouter.HandleFunc("/api/sso/user/add", ssoHandler.HandleAddUser)
+	authRouter.HandleFunc("/api/sso/user/edit", ssoHandler.HandleEditUser)
+	authRouter.HandleFunc("/api/sso/user/remove", ssoHandler.HandleRemoveUser)
+
+	//Redirection config
+	authRouter.HandleFunc("/api/redirect/list", handleListRedirectionRules)
+	authRouter.HandleFunc("/api/redirect/add", handleAddRedirectionRule)
+	authRouter.HandleFunc("/api/redirect/delete", handleDeleteRedirectionRule)
+	authRouter.HandleFunc("/api/redirect/regex", handleToggleRedirectRegexpSupport)
+
+	//Access Rules API
+	authRouter.HandleFunc("/api/access/list", handleListAccessRules)
+	authRouter.HandleFunc("/api/access/attach", handleAttachRuleToHost)
+	authRouter.HandleFunc("/api/access/create", handleCreateAccessRule)
+	authRouter.HandleFunc("/api/access/remove", handleRemoveAccessRule)
+	authRouter.HandleFunc("/api/access/update", handleUpadateAccessRule)
+	//Blacklist APIs
+	authRouter.HandleFunc("/api/blacklist/list", handleListBlacklisted)
+	authRouter.HandleFunc("/api/blacklist/country/add", handleCountryBlacklistAdd)
+	authRouter.HandleFunc("/api/blacklist/country/remove", handleCountryBlacklistRemove)
+	authRouter.HandleFunc("/api/blacklist/ip/add", handleIpBlacklistAdd)
+	authRouter.HandleFunc("/api/blacklist/ip/remove", handleIpBlacklistRemove)
+	authRouter.HandleFunc("/api/blacklist/enable", handleBlacklistEnable)
+	//Whitelist APIs
+	authRouter.HandleFunc("/api/whitelist/list", handleListWhitelisted)
+	authRouter.HandleFunc("/api/whitelist/country/add", handleCountryWhitelistAdd)
+	authRouter.HandleFunc("/api/whitelist/country/remove", handleCountryWhitelistRemove)
+	authRouter.HandleFunc("/api/whitelist/ip/add", handleIpWhitelistAdd)
+	authRouter.HandleFunc("/api/whitelist/ip/remove", handleIpWhitelistRemove)
+	authRouter.HandleFunc("/api/whitelist/enable", handleWhitelistEnable)
+
+	//Path Blocker APIs
+	authRouter.HandleFunc("/api/pathrule/add", pathRuleHandler.HandleAddBlockingPath)
+	authRouter.HandleFunc("/api/pathrule/list", pathRuleHandler.HandleListBlockingPath)
+	authRouter.HandleFunc("/api/pathrule/remove", pathRuleHandler.HandleRemoveBlockingPath)
+
+	//Statistic & uptime monitoring API
+	authRouter.HandleFunc("/api/stats/summary", statisticCollector.HandleTodayStatLoad)
+	authRouter.HandleFunc("/api/stats/countries", HandleCountryDistrSummary)
+	authRouter.HandleFunc("/api/stats/netstat", netstatBuffers.HandleGetNetworkInterfaceStats)
+	authRouter.HandleFunc("/api/stats/netstatgraph", netstatBuffers.HandleGetBufferedNetworkInterfaceStats)
+	authRouter.HandleFunc("/api/stats/listnic", netstat.HandleListNetworkInterfaces)
+	authRouter.HandleFunc("/api/utm/list", HandleUptimeMonitorListing)
+
+	//Global Area Network APIs
+	authRouter.HandleFunc("/api/gan/network/info", ganManager.HandleGetNodeID)
+	authRouter.HandleFunc("/api/gan/network/add", ganManager.HandleAddNetwork)
+	authRouter.HandleFunc("/api/gan/network/remove", ganManager.HandleRemoveNetwork)
+	authRouter.HandleFunc("/api/gan/network/list", ganManager.HandleListNetwork)
+	authRouter.HandleFunc("/api/gan/network/name", ganManager.HandleNetworkNaming)
+	//authRouter.HandleFunc("/api/gan/network/detail", ganManager.HandleNetworkDetails)
+	authRouter.HandleFunc("/api/gan/network/setRange", ganManager.HandleSetRanges)
+	authRouter.HandleFunc("/api/gan/network/join", ganManager.HandleServerJoinNetwork)
+	authRouter.HandleFunc("/api/gan/network/leave", ganManager.HandleServerLeaveNetwork)
+	authRouter.HandleFunc("/api/gan/members/list", ganManager.HandleMemberList)
+	authRouter.HandleFunc("/api/gan/members/ip", ganManager.HandleMemberIP)
+	authRouter.HandleFunc("/api/gan/members/name", ganManager.HandleMemberNaming)
+	authRouter.HandleFunc("/api/gan/members/authorize", ganManager.HandleMemberAuthorization)
+	authRouter.HandleFunc("/api/gan/members/delete", ganManager.HandleMemberDelete)
+
+	//Stream (TCP / UDP) Proxy
+	authRouter.HandleFunc("/api/streamprox/config/add", streamProxyManager.HandleAddProxyConfig)
+	authRouter.HandleFunc("/api/streamprox/config/edit", streamProxyManager.HandleEditProxyConfigs)
+	authRouter.HandleFunc("/api/streamprox/config/list", streamProxyManager.HandleListConfigs)
+	authRouter.HandleFunc("/api/streamprox/config/start", streamProxyManager.HandleStartProxy)
+	authRouter.HandleFunc("/api/streamprox/config/stop", streamProxyManager.HandleStopProxy)
+	authRouter.HandleFunc("/api/streamprox/config/delete", streamProxyManager.HandleRemoveProxy)
+	authRouter.HandleFunc("/api/streamprox/config/status", streamProxyManager.HandleGetProxyStatus)
+
+	//mDNS APIs
+	authRouter.HandleFunc("/api/mdns/list", HandleMdnsListing)
+	authRouter.HandleFunc("/api/mdns/discover", HandleMdnsScanning)
+
+	//Zoraxy Analytic
+	authRouter.HandleFunc("/api/analytic/list", AnalyticLoader.HandleSummaryList)
+	authRouter.HandleFunc("/api/analytic/load", AnalyticLoader.HandleLoadTargetDaySummary)
+	authRouter.HandleFunc("/api/analytic/loadRange", AnalyticLoader.HandleLoadTargetRangeSummary)
+	authRouter.HandleFunc("/api/analytic/exportRange", AnalyticLoader.HandleRangeExport)
+	authRouter.HandleFunc("/api/analytic/resetRange", AnalyticLoader.HandleRangeReset)
+
+	//Network utilities
+	authRouter.HandleFunc("/api/tools/ipscan", ipscan.HandleIpScan)
+	authRouter.HandleFunc("/api/tools/portscan", ipscan.HandleScanPort)
+	authRouter.HandleFunc("/api/tools/traceroute", netutils.HandleTraceRoute)
+	authRouter.HandleFunc("/api/tools/ping", netutils.HandlePing)
+	authRouter.HandleFunc("/api/tools/whois", netutils.HandleWhois)
+	authRouter.HandleFunc("/api/tools/webssh", HandleCreateProxySession)
+	authRouter.HandleFunc("/api/tools/websshSupported", HandleWebSshSupportCheck)
+	authRouter.HandleFunc("/api/tools/wol", HandleWakeOnLan)
+	authRouter.HandleFunc("/api/tools/smtp/get", HandleSMTPGet)
+	authRouter.HandleFunc("/api/tools/smtp/set", HandleSMTPSet)
+	authRouter.HandleFunc("/api/tools/smtp/admin", HandleAdminEmailGet)
+	authRouter.HandleFunc("/api/tools/smtp/test", HandleTestEmailSend)
+	authRouter.HandleFunc("/api/tools/fwdproxy/enable", forwardProxy.HandleToogle)
+	authRouter.HandleFunc("/api/tools/fwdproxy/port", forwardProxy.HandlePort)
+
+	//Account Reset
+	targetMux.HandleFunc("/api/account/reset", HandleAdminAccountResetEmail)
+	targetMux.HandleFunc("/api/account/new", HandleNewPasswordSetup)
+
+	//ACME & Auto Renewer
+	authRouter.HandleFunc("/api/acme/listExpiredDomains", acmeHandler.HandleGetExpiredDomains)
+	authRouter.HandleFunc("/api/acme/obtainCert", AcmeCheckAndHandleRenewCertificate)
+	authRouter.HandleFunc("/api/acme/autoRenew/enable", acmeAutoRenewer.HandleAutoRenewEnable)
+	authRouter.HandleFunc("/api/acme/autoRenew/ca", HandleACMEPreferredCA)
+	authRouter.HandleFunc("/api/acme/autoRenew/email", acmeAutoRenewer.HandleACMEEmail)
+	authRouter.HandleFunc("/api/acme/autoRenew/setDomains", acmeAutoRenewer.HandleSetAutoRenewDomains)
+	authRouter.HandleFunc("/api/acme/autoRenew/setEAB", acmeAutoRenewer.HanldeSetEAB)
+	authRouter.HandleFunc("/api/acme/autoRenew/setDNS", acmeAutoRenewer.HanldeSetDNS)
+	authRouter.HandleFunc("/api/acme/autoRenew/listDomains", acmeAutoRenewer.HandleLoadAutoRenewDomains)
+	authRouter.HandleFunc("/api/acme/autoRenew/renewPolicy", acmeAutoRenewer.HandleRenewPolicy)
+	authRouter.HandleFunc("/api/acme/autoRenew/renewNow", acmeAutoRenewer.HandleRenewNow)
+	authRouter.HandleFunc("/api/acme/dns/providers", acmedns.HandleServeProvidersJson)
+	authRouter.HandleFunc("/api/acme/wizard", acmewizard.HandleGuidedStepCheck) //ACME Wizard
+
+	//Static Web Server
+	authRouter.HandleFunc("/api/webserv/status", staticWebServer.HandleGetStatus)
+	authRouter.HandleFunc("/api/webserv/start", staticWebServer.HandleStartServer)
+	authRouter.HandleFunc("/api/webserv/stop", staticWebServer.HandleStopServer)
+	authRouter.HandleFunc("/api/webserv/setPort", HandleStaticWebServerPortChange)
+	authRouter.HandleFunc("/api/webserv/setDirList", staticWebServer.SetEnableDirectoryListing)
+	if *allowWebFileManager {
+		//Web Directory Manager file operation functions
+		authRouter.HandleFunc("/api/fs/list", staticWebServer.FileManager.HandleList)
+		authRouter.HandleFunc("/api/fs/upload", staticWebServer.FileManager.HandleUpload)
+		authRouter.HandleFunc("/api/fs/download", staticWebServer.FileManager.HandleDownload)
+		authRouter.HandleFunc("/api/fs/newFolder", staticWebServer.FileManager.HandleNewFolder)
+		authRouter.HandleFunc("/api/fs/copy", staticWebServer.FileManager.HandleFileCopy)
+		authRouter.HandleFunc("/api/fs/move", staticWebServer.FileManager.HandleFileMove)
+		authRouter.HandleFunc("/api/fs/properties", staticWebServer.FileManager.HandleFileProperties)
+		authRouter.HandleFunc("/api/fs/del", staticWebServer.FileManager.HandleFileDelete)
+	}
+
+	//Docker UX Optimizations
+	authRouter.HandleFunc("/api/docker/available", DockerUXOptimizer.HandleDockerAvailable)
+	authRouter.HandleFunc("/api/docker/containers", DockerUXOptimizer.HandleDockerContainersList)
+
+	//Others
+	targetMux.HandleFunc("/api/info/x", HandleZoraxyInfo)
+	authRouter.HandleFunc("/api/info/geoip", HandleGeoIpLookup)
+	authRouter.HandleFunc("/api/conf/export", ExportConfigAsZip)
+	authRouter.HandleFunc("/api/conf/import", ImportConfigFromZip)
+	authRouter.HandleFunc("/api/log/list", LogViewer.HandleListLog)
+	authRouter.HandleFunc("/api/log/read", LogViewer.HandleReadLog)
+
+	//Debug
+	authRouter.HandleFunc("/api/info/pprof", pprof.Index)
+
+	//If you got APIs to add, append them here
+
+}
+
+// Function to renders Auth related APIs
+func registerAuthAPIs(requireAuth bool, targetMux *http.ServeMux) {
+	//Auth APIs
+	targetMux.HandleFunc("/api/auth/login", authAgent.HandleLogin)
+	targetMux.HandleFunc("/api/auth/logout", authAgent.HandleLogout)
+	targetMux.HandleFunc("/api/auth/checkLogin", func(w http.ResponseWriter, r *http.Request) {
+		if requireAuth {
+			authAgent.CheckLogin(w, r)
+		} else {
+			utils.SendJSONResponse(w, "true")
+		}
+	})
+	targetMux.HandleFunc("/api/auth/username", func(w http.ResponseWriter, r *http.Request) {
+		username, err := authAgent.GetUserName(w, r)
+		if err != nil {
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+			return
+		}
+
+		js, _ := json.Marshal(username)
+		utils.SendJSONResponse(w, string(js))
+	})
+	targetMux.HandleFunc("/api/auth/userCount", func(w http.ResponseWriter, r *http.Request) {
+		uc := authAgent.GetUserCounts()
+		js, _ := json.Marshal(uc)
+		utils.SendJSONResponse(w, string(js))
+	})
+	targetMux.HandleFunc("/api/auth/register", func(w http.ResponseWriter, r *http.Request) {
+		if authAgent.GetUserCounts() == 0 {
+			//Allow register root admin
+			authAgent.HandleRegisterWithoutEmail(w, r, func(username, reserved string) {
+
+			})
+		} else {
+			//This function is disabled
+			utils.SendErrorResponse(w, "Root management account already exists")
+		}
+	})
+	targetMux.HandleFunc("/api/auth/changePassword", func(w http.ResponseWriter, r *http.Request) {
+		username, err := authAgent.GetUserName(w, r)
+		if err != nil {
+			http.Error(w, "401 - Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		oldPassword, err := utils.PostPara(r, "oldPassword")
+		if err != nil {
+			utils.SendErrorResponse(w, "empty current password")
+			return
+		}
+		newPassword, err := utils.PostPara(r, "newPassword")
+		if err != nil {
+			utils.SendErrorResponse(w, "empty new password")
+			return
+		}
+		confirmPassword, _ := utils.PostPara(r, "confirmPassword")
+
+		if newPassword != confirmPassword {
+			utils.SendErrorResponse(w, "confirm password not match")
+			return
+		}
+
+		//Check if the old password correct
+		oldPasswordCorrect, _ := authAgent.ValidateUsernameAndPasswordWithReason(username, oldPassword)
+		if !oldPasswordCorrect {
+			utils.SendErrorResponse(w, "Invalid current password given")
+			return
+		}
+
+		//Change the password of the root user
+		authAgent.UnregisterUser(username)
+		authAgent.CreateUserAccount(username, newPassword, "")
+	})
+
+}
--- a/src/cert.go
+++ b/src/cert.go
@ -0,0 +1,363 @@
+package main
+
+import (
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"imuslab.com/zoraxy/mod/acme"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+// Check if the default certificates is correctly setup
+func handleDefaultCertCheck(w http.ResponseWriter, r *http.Request) {
+	type CheckResult struct {
+		DefaultPubExists bool
+		DefaultPriExists bool
+	}
+
+	pub, pri := tlsCertManager.DefaultCertExistsSep()
+	js, _ := json.Marshal(CheckResult{
+		pub,
+		pri,
+	})
+
+	utils.SendJSONResponse(w, string(js))
+}
+
+// Return a list of domains where the certificates covers
+func handleListCertificate(w http.ResponseWriter, r *http.Request) {
+	filenames, err := tlsCertManager.ListCertDomains()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	showDate, _ := utils.GetPara(r, "date")
+	if showDate == "true" {
+		type CertInfo struct {
+			Domain           string
+			LastModifiedDate string
+			ExpireDate       string
+			RemainingDays    int
+			UseDNS           bool
+		}
+
+		results := []*CertInfo{}
+
+		for _, filename := range filenames {
+			certFilepath := filepath.Join(tlsCertManager.CertStore, filename+".pem")
+			//keyFilepath := filepath.Join(tlsCertManager.CertStore, filename+".key")
+			fileInfo, err := os.Stat(certFilepath)
+			if err != nil {
+				utils.SendErrorResponse(w, "invalid domain certificate discovered: "+filename)
+				return
+			}
+			modifiedTime := fileInfo.ModTime().Format("2006-01-02 15:04:05")
+
+			certExpireTime := "Unknown"
+			certBtyes, err := os.ReadFile(certFilepath)
+			expiredIn := 0
+			if err != nil {
+				//Unable to load this file
+				continue
+			} else {
+				//Cert loaded. Check its expire time
+				block, _ := pem.Decode(certBtyes)
+				if block != nil {
+					cert, err := x509.ParseCertificate(block.Bytes)
+					if err == nil {
+						certExpireTime = cert.NotAfter.Format("2006-01-02 15:04:05")
+
+						duration := cert.NotAfter.Sub(time.Now())
+
+						// Convert the duration to days
+						expiredIn = int(duration.Hours() / 24)
+					}
+				}
+			}
+			certInfoFilename := filepath.Join(tlsCertManager.CertStore, filename+".json")
+			useDNSValidation := false                                //Default to false for HTTP TLS certificates
+			certInfo, err := acme.LoadCertInfoJSON(certInfoFilename) //Note: Not all certs have info json
+			if err == nil {
+				useDNSValidation = certInfo.UseDNS
+			}
+
+			thisCertInfo := CertInfo{
+				Domain:           filename,
+				LastModifiedDate: modifiedTime,
+				ExpireDate:       certExpireTime,
+				RemainingDays:    expiredIn,
+				UseDNS:           useDNSValidation,
+			}
+
+			results = append(results, &thisCertInfo)
+		}
+
+		js, _ := json.Marshal(results)
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(js)
+	} else {
+		response, err := json.Marshal(filenames)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(response)
+	}
+
+}
+
+// List all certificates and map all their domains to the cert filename
+func handleListDomains(w http.ResponseWriter, r *http.Request) {
+	filenames, err := os.ReadDir("./conf/certs/")
+
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	certnameToDomainMap := map[string]string{}
+	for _, filename := range filenames {
+		if filename.IsDir() {
+			continue
+		}
+		certFilepath := filepath.Join("./conf/certs/", filename.Name())
+
+		certBtyes, err := os.ReadFile(certFilepath)
+		if err != nil {
+			// Unable to load this file
+			SystemWideLogger.PrintAndLog("TLS", "Unable to load certificate: "+certFilepath, err)
+			continue
+		} else {
+			// Cert loaded. Check its expiry time
+			block, _ := pem.Decode(certBtyes)
+			if block != nil {
+				cert, err := x509.ParseCertificate(block.Bytes)
+				if err == nil {
+					certname := strings.TrimSuffix(filepath.Base(certFilepath), filepath.Ext(certFilepath))
+					for _, dnsName := range cert.DNSNames {
+						certnameToDomainMap[dnsName] = certname
+					}
+					certnameToDomainMap[cert.Subject.CommonName] = certname
+				}
+			}
+		}
+	}
+
+	requireCompact, _ := utils.GetPara(r, "compact")
+	if requireCompact == "true" {
+		result := make(map[string][]string)
+
+		for key, value := range certnameToDomainMap {
+			if _, ok := result[value]; !ok {
+				result[value] = make([]string, 0)
+			}
+
+			result[value] = append(result[value], key)
+		}
+
+		js, _ := json.Marshal(result)
+		utils.SendJSONResponse(w, string(js))
+		return
+	}
+
+	js, _ := json.Marshal(certnameToDomainMap)
+	utils.SendJSONResponse(w, string(js))
+}
+
+// Handle front-end toggling TLS mode
+func handleToggleTLSProxy(w http.ResponseWriter, r *http.Request) {
+	currentTlsSetting := false
+	if sysdb.KeyExists("settings", "usetls") {
+		sysdb.Read("settings", "usetls", &currentTlsSetting)
+	}
+
+	if r.Method == http.MethodGet {
+		//Get the current status
+		js, _ := json.Marshal(currentTlsSetting)
+		utils.SendJSONResponse(w, string(js))
+	} else if r.Method == http.MethodPost {
+		newState, err := utils.PostBool(r, "set")
+		if err != nil {
+			utils.SendErrorResponse(w, "new state not set or invalid")
+			return
+		}
+		if newState {
+			sysdb.Write("settings", "usetls", true)
+			SystemWideLogger.Println("Enabling TLS mode on reverse proxy")
+			dynamicProxyRouter.UpdateTLSSetting(true)
+		} else {
+			sysdb.Write("settings", "usetls", false)
+			SystemWideLogger.Println("Disabling TLS mode on reverse proxy")
+			dynamicProxyRouter.UpdateTLSSetting(false)
+		}
+		utils.SendOK(w)
+	} else {
+		http.Error(w, "405 - Method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+// Handle the GET and SET of reverse proxy TLS versions
+func handleSetTlsRequireLatest(w http.ResponseWriter, r *http.Request) {
+	newState, err := utils.PostPara(r, "set")
+	if err != nil {
+		//GET
+		var reqLatestTLS bool = false
+		if sysdb.KeyExists("settings", "forceLatestTLS") {
+			sysdb.Read("settings", "forceLatestTLS", &reqLatestTLS)
+		}
+
+		js, _ := json.Marshal(reqLatestTLS)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		if newState == "true" {
+			sysdb.Write("settings", "forceLatestTLS", true)
+			SystemWideLogger.Println("Updating minimum TLS version to v1.2 or above")
+			dynamicProxyRouter.UpdateTLSVersion(true)
+		} else if newState == "false" {
+			sysdb.Write("settings", "forceLatestTLS", false)
+			SystemWideLogger.Println("Updating minimum TLS version to v1.0 or above")
+			dynamicProxyRouter.UpdateTLSVersion(false)
+		} else {
+			utils.SendErrorResponse(w, "invalid state given")
+		}
+	}
+}
+
+// Handle download of the selected certificate
+func handleCertDownload(w http.ResponseWriter, r *http.Request) {
+	// get the certificate name
+	certname, err := utils.GetPara(r, "certname")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid certname given")
+		return
+	}
+	certname = filepath.Base(certname) //prevent path escape
+
+	// check if the cert exists
+	pubKey := filepath.Join(filepath.Join("./conf/certs"), certname+".key")
+	priKey := filepath.Join(filepath.Join("./conf/certs"), certname+".pem")
+
+	if utils.FileExists(pubKey) && utils.FileExists(priKey) {
+		//Zip them and serve them via http download
+		seeking, _ := utils.GetBool(r, "seek")
+		if seeking {
+			//This request only check if the key exists. Do not provide download
+			utils.SendOK(w)
+			return
+		}
+
+		//Serve both file in zip
+		zipTmpFolder := "./tmp/download"
+		os.MkdirAll(zipTmpFolder, 0775)
+		zipFileName := filepath.Join(zipTmpFolder, certname+".zip")
+		err := utils.ZipFiles(zipFileName, pubKey, priKey)
+		if err != nil {
+			http.Error(w, "Failed to create zip file", http.StatusInternalServerError)
+			return
+		}
+		defer os.Remove(zipFileName) // Clean up the zip file after serving
+
+		// Serve the zip file
+		w.Header().Set("Content-Disposition", "attachment; filename=\""+certname+"_export.zip\"")
+		w.Header().Set("Content-Type", "application/zip")
+		http.ServeFile(w, r, zipFileName)
+	} else {
+		//Not both key exists
+		utils.SendErrorResponse(w, "invalid key-pairs: private key or public key not found in key store")
+		return
+	}
+}
+
+// Handle upload of the certificate
+func handleCertUpload(w http.ResponseWriter, r *http.Request) {
+	// check if request method is POST
+	if r.Method != "POST" {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// get the key type
+	keytype, err := utils.GetPara(r, "ktype")
+	overWriteFilename := ""
+	if err != nil {
+		http.Error(w, "Not defined key type (pub / pri)", http.StatusBadRequest)
+		return
+	}
+
+	// get the domain
+	domain, err := utils.GetPara(r, "domain")
+	if err != nil {
+		//Assume localhost
+		domain = "default"
+	}
+
+	if keytype == "pub" {
+		overWriteFilename = domain + ".pem"
+	} else if keytype == "pri" {
+		overWriteFilename = domain + ".key"
+	} else {
+		http.Error(w, "Not supported keytype: "+keytype, http.StatusBadRequest)
+		return
+	}
+
+	// parse multipart form data
+	err = r.ParseMultipartForm(10 << 20) // 10 MB
+	if err != nil {
+		http.Error(w, "Failed to parse form data", http.StatusBadRequest)
+		return
+	}
+
+	// get file from form data
+	file, _, err := r.FormFile("file")
+	if err != nil {
+		http.Error(w, "Failed to get file", http.StatusBadRequest)
+		return
+	}
+	defer file.Close()
+
+	// create file in upload directory
+	os.MkdirAll("./conf/certs", 0775)
+	f, err := os.Create(filepath.Join("./conf/certs", overWriteFilename))
+	if err != nil {
+		http.Error(w, "Failed to create file", http.StatusInternalServerError)
+		return
+	}
+	defer f.Close()
+
+	// copy file contents to destination file
+	_, err = io.Copy(f, file)
+	if err != nil {
+		http.Error(w, "Failed to save file", http.StatusInternalServerError)
+		return
+	}
+
+	//Update cert list
+	tlsCertManager.UpdateLoadedCertList()
+
+	// send response
+	fmt.Fprintln(w, "File upload successful!")
+}
+
+// Handle cert remove
+func handleCertRemove(w http.ResponseWriter, r *http.Request) {
+	domain, err := utils.PostPara(r, "domain")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid domain given")
+		return
+	}
+	err = tlsCertManager.RemoveCert(domain)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+	}
+}
--- a/src/config.go
+++ b/src/config.go
@ -0,0 +1,357 @@
+package main
+
+import (
+	"archive/zip"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"imuslab.com/zoraxy/mod/dynamicproxy"
+	"imuslab.com/zoraxy/mod/dynamicproxy/loadbalance"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	Reverse Proxy Configs
+
+	The following section handle
+	the reverse proxy configs
+*/
+
+type Record struct {
+	ProxyType               string
+	Rootname                string
+	ProxyTarget             string
+	UseTLS                  bool
+	BypassGlobalTLS         bool
+	SkipTlsValidation       bool
+	RequireBasicAuth        bool
+	BasicAuthCredentials    []*dynamicproxy.BasicAuthCredentials
+	BasicAuthExceptionRules []*dynamicproxy.BasicAuthExceptionRule
+}
+
+/*
+Load Reverse Proxy Config from file and append it to current runtime proxy router
+*/
+func LoadReverseProxyConfig(configFilepath string) error {
+	//Load the config file from disk
+	endpointConfig, err := os.ReadFile(configFilepath)
+	if err != nil {
+		return err
+	}
+
+	//Parse it into dynamic proxy endpoint
+	thisConfigEndpoint := dynamicproxy.ProxyEndpoint{}
+	err = json.Unmarshal(endpointConfig, &thisConfigEndpoint)
+	if err != nil {
+		return err
+	}
+
+	//Matching domain not set. Assume root
+	if thisConfigEndpoint.RootOrMatchingDomain == "" {
+		thisConfigEndpoint.RootOrMatchingDomain = "/"
+	}
+
+	if thisConfigEndpoint.ProxyType == dynamicproxy.ProxyType_Root {
+		//This is a root config file
+		rootProxyEndpoint, err := dynamicProxyRouter.PrepareProxyRoute(&thisConfigEndpoint)
+		if err != nil {
+			return err
+		}
+
+		dynamicProxyRouter.SetProxyRouteAsRoot(rootProxyEndpoint)
+
+	} else if thisConfigEndpoint.ProxyType == dynamicproxy.ProxyType_Host {
+		//This is a host config file
+		readyProxyEndpoint, err := dynamicProxyRouter.PrepareProxyRoute(&thisConfigEndpoint)
+		if err != nil {
+			return err
+		}
+
+		dynamicProxyRouter.AddProxyRouteToRuntime(readyProxyEndpoint)
+	} else {
+		return errors.New("not supported proxy type")
+	}
+
+	SystemWideLogger.PrintAndLog("proxy-config", thisConfigEndpoint.RootOrMatchingDomain+" -> "+loadbalance.GetUpstreamsAsString(thisConfigEndpoint.ActiveOrigins)+" routing rule loaded", nil)
+	return nil
+}
+
+func filterProxyConfigFilename(filename string) string {
+	//Filter out wildcard characters
+	filename = strings.ReplaceAll(filename, "*", "(ST)")
+	filename = strings.ReplaceAll(filename, "?", "(QM)")
+	filename = strings.ReplaceAll(filename, "[", "(OB)")
+	filename = strings.ReplaceAll(filename, "]", "(CB)")
+	filename = strings.ReplaceAll(filename, "#", "(HT)")
+	return filepath.ToSlash(filename)
+}
+
+func SaveReverseProxyConfig(endpoint *dynamicproxy.ProxyEndpoint) error {
+	//Get filename for saving
+	filename := filepath.Join("./conf/proxy/", endpoint.RootOrMatchingDomain+".config")
+	if endpoint.ProxyType == dynamicproxy.ProxyType_Root {
+		filename = "./conf/proxy/root.config"
+	}
+
+	filename = filterProxyConfigFilename(filename)
+
+	//Save config to file
+	js, err := json.MarshalIndent(endpoint, "", " ")
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(filename, js, 0775)
+}
+
+func RemoveReverseProxyConfig(endpoint string) error {
+	filename := filepath.Join("./conf/proxy/", endpoint+".config")
+	if endpoint == "/" {
+		filename = "./conf/proxy/root.config"
+	}
+
+	filename = filterProxyConfigFilename(filename)
+
+	if !utils.FileExists(filename) {
+		return errors.New("target endpoint not exists")
+	}
+	return os.Remove(filename)
+}
+
+// Get the default root config that point to the internal static web server
+// this will be used if root config is not found (new deployment / missing root.config file)
+func GetDefaultRootConfig() (*dynamicproxy.ProxyEndpoint, error) {
+	//Default settings
+	rootProxyEndpoint, err := dynamicProxyRouter.PrepareProxyRoute(&dynamicproxy.ProxyEndpoint{
+		ProxyType:            dynamicproxy.ProxyType_Root,
+		RootOrMatchingDomain: "/",
+		ActiveOrigins: []*loadbalance.Upstream{
+			{
+				OriginIpOrDomain:    "127.0.0.1:" + staticWebServer.GetListeningPort(),
+				RequireTLS:          false,
+				SkipCertValidations: false,
+				Weight:              0,
+			},
+		},
+		InactiveOrigins:         []*loadbalance.Upstream{},
+		BypassGlobalTLS:         false,
+		VirtualDirectories:      []*dynamicproxy.VirtualDirectoryEndpoint{},
+		RequireBasicAuth:        false,
+		BasicAuthCredentials:    []*dynamicproxy.BasicAuthCredentials{},
+		BasicAuthExceptionRules: []*dynamicproxy.BasicAuthExceptionRule{},
+		DefaultSiteOption:       dynamicproxy.DefaultSite_InternalStaticWebServer,
+		DefaultSiteValue:        "",
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return rootProxyEndpoint, nil
+}
+
+/*
+	Importer and Exporter of Zoraxy proxy config
+*/
+
+func ExportConfigAsZip(w http.ResponseWriter, r *http.Request) {
+	includeSysDBRaw, _ := utils.GetPara(r, "includeDB")
+	includeSysDB := false
+	if includeSysDBRaw == "true" {
+		//Include the system database in backup snapshot
+		//Temporary set it to read only
+		sysdb.ReadOnly = true
+		includeSysDB = true
+	}
+
+	// Specify the folder path to be zipped
+	folderPath := "./conf/"
+
+	// Set the Content-Type header to indicate it's a zip file
+	w.Header().Set("Content-Type", "application/zip")
+	// Set the Content-Disposition header to specify the file name
+	w.Header().Set("Content-Disposition", "attachment; filename=\"config.zip\"")
+
+	// Create a zip writer
+	zipWriter := zip.NewWriter(w)
+	defer zipWriter.Close()
+
+	// Walk through the folder and add files to the zip
+	err := filepath.Walk(folderPath, func(filePath string, fileInfo os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if folderPath == filePath {
+			//Skip root folder
+			return nil
+		}
+
+		// Create a new file in the zip
+		if !utils.IsDir(filePath) {
+			zipFile, err := zipWriter.Create(filePath)
+			if err != nil {
+				return err
+			}
+
+			// Open the file on disk
+			file, err := os.Open(filePath)
+			if err != nil {
+				return err
+			}
+			defer file.Close()
+
+			// Copy the file contents to the zip file
+			_, err = io.Copy(zipFile, file)
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+
+	if includeSysDB {
+		//Also zip in the sysdb
+		zipFile, err := zipWriter.Create("sys.db")
+		if err != nil {
+			SystemWideLogger.PrintAndLog("Backup", "Unable to zip sysdb", err)
+			return
+		}
+
+		// Open the file on disk
+		file, err := os.Open("sys.db")
+		if err != nil {
+			SystemWideLogger.PrintAndLog("Backup", "Unable to open sysdb", err)
+			return
+		}
+		defer file.Close()
+
+		// Copy the file contents to the zip file
+		_, err = io.Copy(zipFile, file)
+		if err != nil {
+			SystemWideLogger.Println(err)
+			return
+		}
+
+		//Restore sysdb state
+		sysdb.ReadOnly = false
+	}
+
+	if err != nil {
+		// Handle the error and send an HTTP response with the error message
+		http.Error(w, fmt.Sprintf("Failed to zip folder: %v", err), http.StatusInternalServerError)
+		return
+	}
+}
+
+func ImportConfigFromZip(w http.ResponseWriter, r *http.Request) {
+	// Check if the request is a POST with a file upload
+	if r.Method != http.MethodPost {
+		http.Error(w, "Invalid request method", http.StatusBadRequest)
+		return
+	}
+
+	// Max file size limit (10 MB in this example)
+	r.ParseMultipartForm(10 << 20)
+
+	// Get the uploaded file
+	file, handler, err := r.FormFile("file")
+	if err != nil {
+		http.Error(w, "Failed to retrieve uploaded file", http.StatusInternalServerError)
+		return
+	}
+	defer file.Close()
+
+	if filepath.Ext(handler.Filename) != ".zip" {
+		http.Error(w, "Upload file is not a zip file", http.StatusInternalServerError)
+		return
+	}
+	// Create the target directory to unzip the files
+	targetDir := "./conf"
+	if utils.FileExists(targetDir) {
+		//Backup the old config to old
+		os.Rename("./conf", "./conf.old_"+strconv.Itoa(int(time.Now().Unix())))
+	}
+
+	err = os.MkdirAll(targetDir, os.ModePerm)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed to create target directory: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	// Open the zip file
+	zipReader, err := zip.NewReader(file, handler.Size)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed to open zip file: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	restoreDatabase := false
+
+	// Extract each file from the zip archive
+	for _, zipFile := range zipReader.File {
+		// Open the file in the zip archive
+		rc, err := zipFile.Open()
+		if err != nil {
+			http.Error(w, fmt.Sprintf("Failed to open file in zip: %v", err), http.StatusInternalServerError)
+			return
+		}
+		defer rc.Close()
+
+		// Create the corresponding file on disk
+		zipFile.Name = strings.ReplaceAll(zipFile.Name, "../", "")
+		fmt.Println("Restoring: " + strings.ReplaceAll(zipFile.Name, "\\", "/"))
+		if zipFile.Name == "sys.db" {
+			//Sysdb replacement. Close the database and restore
+			sysdb.Close()
+			restoreDatabase = true
+		} else if !strings.HasPrefix(strings.ReplaceAll(zipFile.Name, "\\", "/"), "conf/") {
+			//Malformed zip file.
+			http.Error(w, fmt.Sprintf("Invalid zip file structure or version too old"), http.StatusInternalServerError)
+			return
+		}
+
+		//Check if parent dir exists
+		if !utils.FileExists(filepath.Dir(zipFile.Name)) {
+			os.MkdirAll(filepath.Dir(zipFile.Name), 0775)
+		}
+
+		//Create the file
+		newFile, err := os.Create(zipFile.Name)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("Failed to create file: %v", err), http.StatusInternalServerError)
+			return
+		}
+		defer newFile.Close()
+
+		// Copy the file contents from the zip to the new file
+		_, err = io.Copy(newFile, rc)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("Failed to extract file from zip: %v", err), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	// Send a success response
+	w.WriteHeader(http.StatusOK)
+	SystemWideLogger.Println("Configuration restored")
+	fmt.Fprintln(w, "Configuration restored")
+
+	if restoreDatabase {
+		go func() {
+			SystemWideLogger.Println("Database altered. Restarting in 3 seconds...")
+			time.Sleep(3 * time.Second)
+			os.Exit(0)
+		}()
+
+	}
+
+}
--- a/src/emails.go
+++ b/src/emails.go
@ -0,0 +1,288 @@
+package main
+
+import (
+	"bytes"
+	"encoding/gob"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"imuslab.com/zoraxy/mod/email"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	SMTP Settings and Test Email Handlers
+*/
+
+func HandleSMTPSet(w http.ResponseWriter, r *http.Request) {
+	hostname, err := utils.PostPara(r, "hostname")
+	if err != nil {
+		utils.SendErrorResponse(w, "hostname cannot be empty")
+		return
+	}
+
+	portString, err := utils.PostPara(r, "port")
+	if err != nil {
+		utils.SendErrorResponse(w, "port must be a valid integer")
+		return
+	}
+
+	port, err := strconv.Atoi(portString)
+	if err != nil {
+		utils.SendErrorResponse(w, "port must be a valid integer")
+		return
+	}
+
+	username, err := utils.PostPara(r, "username")
+	if err != nil {
+		utils.SendErrorResponse(w, "username cannot be empty")
+		return
+	}
+
+	password, err := utils.PostPara(r, "password")
+	if err != nil {
+		//Empty password. Use old one if exists
+		oldConfig := loadSMTPConfig()
+		if oldConfig.Password == "" {
+			utils.SendErrorResponse(w, "password cannot be empty")
+			return
+		} else {
+			password = oldConfig.Password
+		}
+	}
+
+	senderAddr, err := utils.PostPara(r, "senderAddr")
+	if err != nil {
+		utils.SendErrorResponse(w, "senderAddr cannot be empty")
+		return
+	}
+
+	adminAddr, err := utils.PostPara(r, "adminAddr")
+	if err != nil {
+		utils.SendErrorResponse(w, "adminAddr cannot be empty")
+		return
+	}
+
+	//Set the email sender properties
+	thisEmailSender := email.Sender{
+		Hostname:   strings.TrimSpace(hostname),
+		Port:       port,
+		Username:   strings.TrimSpace(username),
+		Password:   strings.TrimSpace(password),
+		SenderAddr: strings.TrimSpace(senderAddr),
+	}
+
+	//Write this into database
+	setSMTPConfig(&thisEmailSender)
+
+	//Update the current EmailSender
+	EmailSender = &thisEmailSender
+
+	//Set the admin address of password reset
+	setSMTPAdminAddress(adminAddr)
+
+	//Reply ok
+	utils.SendOK(w)
+}
+
+func HandleSMTPGet(w http.ResponseWriter, r *http.Request) {
+	// Create a buffer to store the encoded value
+	var buf bytes.Buffer
+
+	// Encode the original object into the buffer
+	encoder := gob.NewEncoder(&buf)
+	err := encoder.Encode(*EmailSender)
+	if err != nil {
+		utils.SendErrorResponse(w, "Internal encode error")
+		return
+	}
+
+	// Decode the buffer into a new object
+	var copied email.Sender
+	decoder := gob.NewDecoder(&buf)
+	err = decoder.Decode(&copied)
+	if err != nil {
+		utils.SendErrorResponse(w, "Internal decode error")
+		return
+	}
+
+	copied.Password = ""
+
+	js, _ := json.Marshal(copied)
+	utils.SendJSONResponse(w, string(js))
+}
+
+func HandleAdminEmailGet(w http.ResponseWriter, r *http.Request) {
+	js, _ := json.Marshal(loadSMTPAdminAddr())
+	utils.SendJSONResponse(w, string(js))
+}
+
+func HandleTestEmailSend(w http.ResponseWriter, r *http.Request) {
+	adminEmailAccount := loadSMTPAdminAddr()
+	if adminEmailAccount == "" {
+		utils.SendErrorResponse(w, "Management account not set")
+		return
+	}
+
+	err := EmailSender.SendEmail(adminEmailAccount,
+		"SMTP Testing Email | Zoraxy", "This is a test email sent by Zoraxy. Please do not reply to this email.<br>Zoraxy からのテストメールです。このメールには返信しないでください。<br>這是由 Zoraxy 發送的測試電子郵件。請勿回覆此郵件。<br>Ceci est un email de test envoyé par Zoraxy. Merci de ne pas répondre à cet email.<br>Dies ist eine Test-E-Mail, die von Zoraxy gesendet wurde. Bitte antworten Sie nicht auf diese E-Mail.")
+
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	utils.SendOK(w)
+}
+
+/*
+	SMTP config
+
+	The following handle SMTP configs
+*/
+
+func setSMTPConfig(config *email.Sender) error {
+	return sysdb.Write("smtp", "config", config)
+}
+
+func loadSMTPConfig() *email.Sender {
+	if sysdb.KeyExists("smtp", "config") {
+		thisEmailSender := email.Sender{
+			Port: 587,
+		}
+		err := sysdb.Read("smtp", "config", &thisEmailSender)
+		if err != nil {
+			return &email.Sender{
+				Port: 587,
+			}
+		}
+		return &thisEmailSender
+	} else {
+		//Not set. Return an empty one
+		return &email.Sender{
+			Port: 587,
+		}
+	}
+}
+
+func setSMTPAdminAddress(adminAddr string) error {
+	return sysdb.Write("smtp", "admin", adminAddr)
+}
+
+// Load SMTP admin address. Return empty string if not set
+func loadSMTPAdminAddr() string {
+	adminAddr := ""
+	if sysdb.KeyExists("smtp", "admin") {
+		err := sysdb.Read("smtp", "admin", &adminAddr)
+		if err != nil {
+			return ""
+		}
+		return adminAddr
+	} else {
+		return ""
+	}
+}
+
+/*
+	Admin Account Reset
+*/
+
+var (
+	accountResetEmailDelay   int64  = 30      //Delay between each account reset email, default 30s
+	tokenValidDuration       int64  = 15 * 60 //Duration of the token, default 15 minutes
+	lastAccountResetEmail    int64  = 0       //Timestamp for last sent account reset email
+	passwordResetAccessToken string = ""      //Access token for resetting password
+)
+
+func HandleAdminAccountResetEmail(w http.ResponseWriter, r *http.Request) {
+	if EmailSender.Username == "" {
+		//Reset account not setup
+		utils.SendErrorResponse(w, "Reset account not setup.")
+		return
+	}
+
+	if loadSMTPAdminAddr() == "" {
+		utils.SendErrorResponse(w, "Reset account not setup.")
+	}
+
+	//Check if the delay expired
+	if lastAccountResetEmail+accountResetEmailDelay > time.Now().Unix() {
+		//Too frequent
+		utils.SendErrorResponse(w, "You cannot send another account reset email in cooldown time")
+		return
+	}
+
+	passwordResetAccessToken = uuid.New().String()
+
+	//SMTP info exists. Send reset account email
+	lastAccountResetEmail = time.Now().Unix()
+	EmailSender.SendEmail(loadSMTPAdminAddr(), "Management Account Reset | Zoraxy",
+		"Enter the following reset token to reset your password on your Zoraxy router.<br>"+passwordResetAccessToken+"<br><br> This is an automated generated email. DO NOT REPLY TO THIS EMAIL.")
+
+	utils.SendOK(w)
+}
+
+func HandleNewPasswordSetup(w http.ResponseWriter, r *http.Request) {
+	if passwordResetAccessToken == "" {
+		//Not initiated
+		utils.SendErrorResponse(w, "Invalid usage")
+		return
+	}
+
+	username, err := utils.PostPara(r, "username")
+	if err != nil {
+		utils.SendErrorResponse(w, "Invalid username given")
+		return
+	}
+	token, err := utils.PostPara(r, "token")
+	if err != nil {
+		utils.SendErrorResponse(w, "Invalid token given")
+		return
+	}
+	newPassword, err := utils.PostPara(r, "newpw")
+	if err != nil {
+		utils.SendErrorResponse(w, "Invalid new password given")
+		return
+	}
+
+	token = strings.TrimSpace(token)
+	username = strings.TrimSpace(username)
+
+	//Validate the token
+	if token != passwordResetAccessToken {
+		utils.SendErrorResponse(w, "Invalid Token")
+		return
+	}
+
+	//Check if time expired
+	if lastAccountResetEmail+tokenValidDuration < time.Now().Unix() {
+		//Expired
+		utils.SendErrorResponse(w, "Token expired")
+		return
+	}
+
+	//Check if user exists
+	if !authAgent.UserExists(username) {
+		//Invalid admin account name
+		utils.SendErrorResponse(w, "Invalid Username")
+		return
+	}
+
+	// Un register the user account
+	if err := authAgent.UnregisterUser(username); err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	//Ok. Set the new password
+	if err := authAgent.CreateUserAccount(username, newPassword, ""); err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	utils.SendOK(w)
+}
--- a/src/go.mod
+++ b/src/go.mod
@ -0,0 +1,210 @@
+module imuslab.com/zoraxy
+
+go 1.22.0
+
+toolchain go1.22.2
+
+require (
+	github.com/boltdb/bolt v1.3.1
+	github.com/docker/docker v27.0.0+incompatible
+	github.com/go-acme/lego/v4 v4.19.2
+	github.com/go-ping/ping v1.1.0
+	github.com/go-session/session v3.1.2+incompatible
+	github.com/google/uuid v1.6.0
+	github.com/gorilla/sessions v1.2.2
+	github.com/gorilla/websocket v1.5.1
+	github.com/grandcat/zeroconf v1.0.0
+	github.com/likexian/whois v1.15.1
+	github.com/microcosm-cc/bluemonday v1.0.26
+	golang.org/x/net v0.29.0
+	golang.org/x/sys v0.25.0
+	golang.org/x/text v0.18.0
+)
+
+require (
+	cloud.google.com/go/auth v0.9.3 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/benbjohnson/clock v1.3.0 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.114 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/tidwall/btree v0.0.0-20191029221954-400434d76274 // indirect
+	github.com/tidwall/buntdb v1.1.2 // indirect
+	github.com/tidwall/gjson v1.12.1 // indirect
+	github.com/tidwall/grect v0.0.0-20161006141115-ba9a043346eb // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/tidwall/rtree v0.0.0-20180113144539-6cd427091e0e // indirect
+	github.com/tidwall/tinyqueue v0.0.0-20180302190814-1e39f5511563 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/vultr/govultr/v3 v3.9.1 // indirect
+	go.mongodb.org/mongo-driver v1.12.0 // indirect
+)
+
+require (
+	cloud.google.com/go/compute/metadata v0.5.1 // indirect
+	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.2.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/Microsoft/go-winio v0.4.14 // indirect
+	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.15 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.33 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.40.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.43.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect
+	github.com/aws/smithy-go v1.20.4 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
+	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/civo/civogo v0.3.11 // indirect
+	github.com/cloudflare/cloudflare-go v0.104.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-oauth2/oauth2/v4 v4.5.2
+	github.com/go-resty/resty/v2 v2.13.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.1.0 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
+	github.com/gophercloud/gophercloud v1.14.0 // indirect
+	github.com/gorilla/csrf v1.7.2
+	github.com/gorilla/css v1.0.1 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/infobloxopen/infoblox-go-client v1.1.1 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
+	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
+	github.com/labbsr0x/goh v1.0.1 // indirect
+	github.com/linode/linodego v1.40.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
+	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/term v0.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20240207213615-dde5bf4577a3 // indirect
+	github.com/nrdcg/desec v0.8.0 // indirect
+	github.com/nrdcg/dnspod-go v0.4.0 // indirect
+	github.com/nrdcg/freemyip v0.2.0 // indirect
+	github.com/nrdcg/goinwx v0.10.0 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/namesilo v0.2.1 // indirect
+	github.com/nrdcg/nodion v0.1.0 // indirect
+	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/nzdjb/go-metaname v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/ovh/go-ovh v1.6.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.8 // indirect
+	github.com/sacloud/iaas-api-go v1.12.0 // indirect
+	github.com/sacloud/packages-go v0.0.10 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.30 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
+	github.com/softlayer/softlayer-go v1.1.5 // indirect
+	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1002 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1002 // indirect
+	github.com/transip/gotransip/v6 v6.26.0 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.7.0-20240913052650-970ca9a // indirect
+	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
+	github.com/xlzd/gotp v0.1.0
+	github.com/yandex-cloud/go-genproto v0.0.0-20240911120709-1fa0cb6f47c2 // indirect
+	github.com/yandex-cloud/go-sdk v0.0.0-20240911121212-e4e74d0d02f5 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	go.uber.org/ratelimit v0.3.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.25.0 // indirect
+	google.golang.org/api v0.197.0 // indirect
+	google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/grpc v1.66.1 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.12.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
+)
--- a/src/go.sum
+++ b/src/go.sum
--- a/src/main.go
+++ b/src/main.go
@ -0,0 +1,218 @@
+package main
+
+import (
+	"embed"
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/gorilla/csrf"
+	"imuslab.com/zoraxy/mod/access"
+	"imuslab.com/zoraxy/mod/acme"
+	"imuslab.com/zoraxy/mod/auth"
+	"imuslab.com/zoraxy/mod/auth/sso"
+	"imuslab.com/zoraxy/mod/database"
+	"imuslab.com/zoraxy/mod/dockerux"
+	"imuslab.com/zoraxy/mod/dynamicproxy/loadbalance"
+	"imuslab.com/zoraxy/mod/dynamicproxy/redirection"
+	"imuslab.com/zoraxy/mod/email"
+	"imuslab.com/zoraxy/mod/forwardproxy"
+	"imuslab.com/zoraxy/mod/ganserv"
+	"imuslab.com/zoraxy/mod/geodb"
+	"imuslab.com/zoraxy/mod/info/logger"
+	"imuslab.com/zoraxy/mod/info/logviewer"
+	"imuslab.com/zoraxy/mod/mdns"
+	"imuslab.com/zoraxy/mod/netstat"
+	"imuslab.com/zoraxy/mod/pathrule"
+	"imuslab.com/zoraxy/mod/sshprox"
+	"imuslab.com/zoraxy/mod/statistic"
+	"imuslab.com/zoraxy/mod/statistic/analytic"
+	"imuslab.com/zoraxy/mod/streamproxy"
+	"imuslab.com/zoraxy/mod/tlscert"
+	"imuslab.com/zoraxy/mod/update"
+	"imuslab.com/zoraxy/mod/uptime"
+	"imuslab.com/zoraxy/mod/utils"
+	"imuslab.com/zoraxy/mod/webserv"
+)
+
+// General flags
+var webUIPort = flag.String("port", ":8000", "Management web interface listening port")
+var noauth = flag.Bool("noauth", false, "Disable authentication for management interface")
+var showver = flag.Bool("version", false, "Show version of this server")
+var allowSshLoopback = flag.Bool("sshlb", false, "Allow loopback web ssh connection (DANGER)")
+var allowMdnsScanning = flag.Bool("mdns", true, "Enable mDNS scanner and transponder")
+var mdnsName = flag.String("mdnsname", "", "mDNS name, leave empty to use default (zoraxy_{node-uuid}.local)")
+var ztAuthToken = flag.String("ztauth", "", "ZeroTier authtoken for the local node")
+var ztAPIPort = flag.Int("ztport", 9993, "ZeroTier controller API port")
+var runningInDocker = flag.Bool("docker", false, "Run Zoraxy in docker compatibility mode")
+var acmeAutoRenewInterval = flag.Int("autorenew", 86400, "ACME auto TLS/SSL certificate renew check interval (seconds)")
+var acmeCertAutoRenewDays = flag.Int("earlyrenew", 30, "Number of days to early renew a soon expiring certificate (days)")
+var enableHighSpeedGeoIPLookup = flag.Bool("fastgeoip", false, "Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices)")
+var staticWebServerRoot = flag.String("webroot", "./www", "Static web server root folder. Only allow chnage in start paramters")
+var allowWebFileManager = flag.Bool("webfm", true, "Enable web file manager for static web server root folder")
+var enableAutoUpdate = flag.Bool("cfgupgrade", true, "Enable auto config upgrade if breaking change is detected")
+
+var (
+	name        = "Zoraxy"
+	version     = "3.1.2"
+	nodeUUID    = "generic" //System uuid, in uuidv4 format
+	development = false     //Set this to false to use embedded web fs
+	bootTime    = time.Now().Unix()
+
+	/*
+		Binary Embedding File System
+	*/
+	//go:embed web/*
+	webres embed.FS
+
+	/*
+		Handler Modules
+	*/
+	sysdb          *database.Database              //System database
+	authAgent      *auth.AuthAgent                 //Authentication agent
+	tlsCertManager *tlscert.Manager                //TLS / SSL management
+	redirectTable  *redirection.RuleTable          //Handle special redirection rule sets
+	webminPanelMux *http.ServeMux                  //Server mux for handling webmin panel APIs
+	csrfMiddleware func(http.Handler) http.Handler //CSRF protection middleware
+
+	pathRuleHandler    *pathrule.Handler         //Handle specific path blocking or custom headers
+	geodbStore         *geodb.Store              //GeoIP database, for resolving IP into country code
+	accessController   *access.Controller        //Access controller, handle black list and white list
+	netstatBuffers     *netstat.NetStatBuffers   //Realtime graph buffers
+	statisticCollector *statistic.Collector      //Collecting statistic from visitors
+	uptimeMonitor      *uptime.Monitor           //Uptime monitor service worker
+	mdnsScanner        *mdns.MDNSHost            //mDNS discovery services
+	ganManager         *ganserv.NetworkManager   //Global Area Network Manager
+	webSshManager      *sshprox.Manager          //Web SSH connection service
+	streamProxyManager *streamproxy.Manager      //Stream Proxy Manager for TCP / UDP forwarding
+	acmeHandler        *acme.ACMEHandler         //Handler for ACME Certificate renew
+	acmeAutoRenewer    *acme.AutoRenewer         //Handler for ACME auto renew ticking
+	staticWebServer    *webserv.WebServer        //Static web server for hosting simple stuffs
+	forwardProxy       *forwardproxy.Handler     //HTTP Forward proxy, basically VPN for web browser
+	loadBalancer       *loadbalance.RouteManager //Global scope loadbalancer, store the state of the lb routing
+	ssoHandler         *sso.SSOHandler           //Single Sign On handler
+
+	//Helper modules
+	EmailSender       *email.Sender         //Email sender that handle email sending
+	AnalyticLoader    *analytic.DataLoader  //Data loader for Zoraxy Analytic
+	DockerUXOptimizer *dockerux.UXOptimizer //Docker user experience optimizer, community contribution only
+	SystemWideLogger  *logger.Logger        //Logger for Zoraxy
+	LogViewer         *logviewer.Viewer
+)
+
+// Kill signal handler. Do something before the system the core terminate.
+func SetupCloseHandler() {
+	c := make(chan os.Signal, 2)
+	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-c
+		ShutdownSeq()
+		os.Exit(0)
+	}()
+}
+
+func ShutdownSeq() {
+	SystemWideLogger.Println("Shutting down " + name)
+	//SystemWideLogger.Println("Closing GeoDB")
+	//geodbStore.Close()
+	SystemWideLogger.Println("Closing Netstats Listener")
+	netstatBuffers.Close()
+	SystemWideLogger.Println("Closing Statistic Collector")
+	statisticCollector.Close()
+	if mdnsTickerStop != nil {
+		SystemWideLogger.Println("Stopping mDNS Discoverer (might take a few minutes)")
+		// Stop the mdns service
+		mdnsTickerStop <- true
+	}
+	mdnsScanner.Close()
+	SystemWideLogger.Println("Shutting down load balancer")
+	loadBalancer.Close()
+	SystemWideLogger.Println("Closing Certificates Auto Renewer")
+	acmeAutoRenewer.Close()
+	//Remove the tmp folder
+	SystemWideLogger.Println("Cleaning up tmp files")
+	os.RemoveAll("./tmp")
+
+	//Close database
+	SystemWideLogger.Println("Stopping system database")
+	sysdb.Close()
+
+	//Close logger
+	SystemWideLogger.Println("Closing system wide logger")
+	SystemWideLogger.Close()
+}
+
+func main() {
+	//Parse startup flags
+	flag.Parse()
+	if *showver {
+		fmt.Println(name + " - Version " + version)
+		os.Exit(0)
+	}
+
+	if !utils.ValidateListeningAddress(*webUIPort) {
+		fmt.Println("Malformed -port (listening address) paramter. Do you mean -port=:" + *webUIPort + "?")
+		os.Exit(0)
+	}
+
+	if *enableAutoUpdate {
+		fmt.Println("Checking required config update")
+		update.RunConfigUpdate(0, update.GetVersionIntFromVersionNumber(version))
+	}
+
+	SetupCloseHandler()
+
+	//Read or create the system uuid
+	uuidRecord := "./sys.uuid"
+	if !utils.FileExists(uuidRecord) {
+		newSystemUUID := uuid.New().String()
+		os.WriteFile(uuidRecord, []byte(newSystemUUID), 0775)
+	}
+	uuidBytes, err := os.ReadFile(uuidRecord)
+	if err != nil {
+		SystemWideLogger.PrintAndLog("ZeroTier", "Unable to read system uuid from file system", nil)
+		panic(err)
+	}
+	nodeUUID = string(uuidBytes)
+
+	//Create a new webmin mux and csrf middleware layer
+	webminPanelMux = http.NewServeMux()
+	csrfMiddleware = csrf.Protect(
+		[]byte(nodeUUID),
+		csrf.CookieName("zoraxy-csrf"),
+		csrf.Secure(false),
+		csrf.Path("/"),
+		csrf.SameSite(csrf.SameSiteLaxMode),
+	)
+
+	//Startup all modules
+	startupSequence()
+
+	//Initiate management interface APIs
+	requireAuth = !(*noauth)
+	initAPIs(webminPanelMux)
+
+	//Start the reverse proxy server in go routine
+	go func() {
+		ReverseProxtInit()
+	}()
+
+	time.Sleep(500 * time.Millisecond)
+
+	//Start the finalize sequences
+	finalSequence()
+
+	SystemWideLogger.Println("Zoraxy started. Visit control panel at http://localhost" + *webUIPort)
+	err = http.ListenAndServe(*webUIPort, csrfMiddleware(webminPanelMux))
+
+	if err != nil {
+		log.Fatal(err)
+	}
+
+}
--- a/src/mod/access/access.go
+++ b/src/mod/access/access.go
@ -0,0 +1,221 @@
+package access
+
+import (
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	Access.go
+
+	This module is the new version of access control system
+	where now the blacklist / whitelist are seperated from
+	geodb module
+*/
+
+// Create a new access controller to handle blacklist / whitelist
+func NewAccessController(options *Options) (*Controller, error) {
+	sysdb := options.Database
+	if sysdb == nil {
+		return nil, errors.New("missing database access")
+	}
+
+	//Create the config folder if not exists
+	confFolder := options.ConfigFolder
+	if !utils.FileExists(confFolder) {
+		err := os.MkdirAll(confFolder, 0775)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Create the global access rule if not exists
+	var defaultAccessRule = AccessRule{
+		ID:                   "default",
+		Name:                 "Default",
+		Desc:                 "Default access rule for all HTTP proxy hosts",
+		BlacklistEnabled:     false,
+		WhitelistEnabled:     false,
+		WhiteListCountryCode: &map[string]string{},
+		WhiteListIP:          &map[string]string{},
+		BlackListContryCode:  &map[string]string{},
+		BlackListIP:          &map[string]string{},
+	}
+	defaultRuleSettingFile := filepath.Join(confFolder, "default.json")
+	if utils.FileExists(defaultRuleSettingFile) {
+		//Load from file
+		defaultRuleBytes, err := os.ReadFile(defaultRuleSettingFile)
+		if err == nil {
+			err = json.Unmarshal(defaultRuleBytes, &defaultAccessRule)
+			if err != nil {
+				options.Logger.PrintAndLog("Access", "Unable to parse default routing rule config file. Using default", err)
+			}
+		}
+	} else {
+		//Create one
+		js, _ := json.MarshalIndent(defaultAccessRule, "", " ")
+		os.WriteFile(defaultRuleSettingFile, js, 0775)
+	}
+
+	//Generate a controller object
+	thisController := Controller{
+		DefaultAccessRule: &defaultAccessRule,
+		ProxyAccessRule:   &sync.Map{},
+		Options:           options,
+	}
+
+	//Assign default access rule parent
+	thisController.DefaultAccessRule.parent = &thisController
+
+	//Load all acccess rules from file
+	configFiles, err := filepath.Glob(options.ConfigFolder + "/*.json")
+	if err != nil {
+		return nil, err
+	}
+	ProxyAccessRules := sync.Map{}
+	for _, configFile := range configFiles {
+		if filepath.Base(configFile) == "default.json" {
+			//Skip this, as this was already loaded as default
+			continue
+		}
+
+		configContent, err := os.ReadFile(configFile)
+		if err != nil {
+			options.Logger.PrintAndLog("Access", "Unable to load config "+filepath.Base(configFile), err)
+			continue
+		}
+
+		//Parse the config file into AccessRule
+		thisAccessRule := AccessRule{}
+		err = json.Unmarshal(configContent, &thisAccessRule)
+		if err != nil {
+			options.Logger.PrintAndLog("Access", "Unable to parse config "+filepath.Base(configFile), err)
+			continue
+		}
+		thisAccessRule.parent = &thisController
+		ProxyAccessRules.Store(thisAccessRule.ID, &thisAccessRule)
+	}
+	thisController.ProxyAccessRule = &ProxyAccessRules
+
+	return &thisController, nil
+}
+
+// Get the global access rule
+func (c *Controller) GetGlobalAccessRule() (*AccessRule, error) {
+	if c.DefaultAccessRule == nil {
+		return nil, errors.New("global access rule is not set")
+	}
+	return c.DefaultAccessRule, nil
+}
+
+// Load access rules to runtime, require rule ID
+func (c *Controller) GetAccessRuleByID(accessRuleID string) (*AccessRule, error) {
+	if accessRuleID == "default" || accessRuleID == "" {
+
+		return c.DefaultAccessRule, nil
+	}
+	//Load from sync.Map, should be O(1)
+	targetRule, ok := c.ProxyAccessRule.Load(accessRuleID)
+
+	if !ok {
+		return nil, errors.New("target access rule not exists")
+	}
+
+	ar, ok := targetRule.(*AccessRule)
+	if !ok {
+		return nil, errors.New("assertion of access rule failed, version too old?")
+	}
+	return ar, nil
+}
+
+// Return all the access rules currently in runtime, including default
+func (c *Controller) ListAllAccessRules() []*AccessRule {
+	results := []*AccessRule{c.DefaultAccessRule}
+	c.ProxyAccessRule.Range(func(key, value interface{}) bool {
+		results = append(results, value.(*AccessRule))
+		return true
+	})
+
+	return results
+}
+
+// Check if an access rule exists given the rule id
+func (c *Controller) AccessRuleExists(ruleID string) bool {
+	r, _ := c.GetAccessRuleByID(ruleID)
+	if r != nil {
+		//An access rule with identical ID exists
+		return true
+	}
+	return false
+}
+
+// Add a new access rule to runtime and save it to file
+func (c *Controller) AddNewAccessRule(newRule *AccessRule) error {
+	r, _ := c.GetAccessRuleByID(newRule.ID)
+	if r != nil {
+		//An access rule with identical ID exists
+		return errors.New("access rule already exists")
+	}
+
+	//Check if the blacklist and whitelist are populated with empty map
+	if newRule.BlackListContryCode == nil {
+		newRule.BlackListContryCode = &map[string]string{}
+	}
+	if newRule.BlackListIP == nil {
+		newRule.BlackListIP = &map[string]string{}
+	}
+	if newRule.WhiteListCountryCode == nil {
+		newRule.WhiteListCountryCode = &map[string]string{}
+	}
+	if newRule.WhiteListIP == nil {
+		newRule.WhiteListIP = &map[string]string{}
+	}
+
+	//Add access rule to runtime
+	newRule.parent = c
+	c.ProxyAccessRule.Store(newRule.ID, newRule)
+
+	//Save rule to file
+	newRule.SaveChanges()
+	return nil
+}
+
+// Update the access rule meta info.
+func (c *Controller) UpdateAccessRule(ruleID string, name string, desc string) error {
+	targetAccessRule, err := c.GetAccessRuleByID(ruleID)
+	if err != nil {
+		return err
+	}
+
+	///Update the name and desc
+	targetAccessRule.Name = name
+	targetAccessRule.Desc = desc
+
+	//Overwrite the rule currently in sync map
+	if ruleID == "default" {
+		c.DefaultAccessRule = targetAccessRule
+	} else {
+		c.ProxyAccessRule.Store(ruleID, targetAccessRule)
+	}
+	return targetAccessRule.SaveChanges()
+}
+
+// Remove the access rule by its id
+func (c *Controller) RemoveAccessRuleByID(ruleID string) error {
+	if !c.AccessRuleExists(ruleID) {
+		return errors.New("access rule not exists")
+	}
+
+	//Default cannot be removed
+	if ruleID == "default" {
+		return errors.New("default access rule cannot be removed")
+	}
+
+	//Remove it
+	return c.DeleteAccessRuleByID(ruleID)
+}
--- a/src/mod/access/accessRule.go
+++ b/src/mod/access/accessRule.go
@ -0,0 +1,153 @@
+package access
+
+import (
+	"encoding/json"
+	"errors"
+	"net"
+	"os"
+	"path/filepath"
+)
+
+// Check both blacklist and whitelist for access for both geoIP and ip / CIDR ranges
+func (s *AccessRule) AllowIpAccess(ipaddr string) bool {
+	if s.IsBlacklisted(ipaddr) {
+		return false
+	}
+
+	return s.IsWhitelisted(ipaddr)
+}
+
+// Check both blacklist and whitelist for access using net.Conn
+func (s *AccessRule) AllowConnectionAccess(conn net.Conn) bool {
+	if addr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
+		return s.AllowIpAccess(addr.IP.String())
+	}
+	return true
+}
+
+// Toggle black list
+func (s *AccessRule) ToggleBlacklist(enabled bool) {
+	s.BlacklistEnabled = enabled
+	s.SaveChanges()
+}
+
+// Toggel white list
+func (s *AccessRule) ToggleWhitelist(enabled bool) {
+	s.WhitelistEnabled = enabled
+	s.SaveChanges()
+}
+
+/*
+Check if a IP address is blacklisted, in either country or IP blacklist
+IsBlacklisted default return is false (allow access)
+*/
+func (s *AccessRule) IsBlacklisted(ipAddr string) bool {
+	if !s.BlacklistEnabled {
+		//Blacklist not enabled. Always return false
+		return false
+	}
+
+	if ipAddr == "" {
+		//Unable to get the target IP address
+		return false
+	}
+
+	countryCode, err := s.parent.Options.GeoDB.ResolveCountryCodeFromIP(ipAddr)
+	if err != nil {
+		return false
+	}
+
+	if s.IsCountryCodeBlacklisted(countryCode.CountryIsoCode) {
+		return true
+	}
+
+	if s.IsIPBlacklisted(ipAddr) {
+		return true
+	}
+
+	return false
+}
+
+/*
+IsWhitelisted check if a given IP address is in the current
+server's white list.
+
+Note that the Whitelist default result is true even
+when encountered error
+*/
+func (s *AccessRule) IsWhitelisted(ipAddr string) bool {
+	if !s.WhitelistEnabled {
+		//Whitelist not enabled. Always return true (allow access)
+		return true
+	}
+
+	if ipAddr == "" {
+		//Unable to get the target IP address, assume ok
+		return true
+	}
+
+	countryCode, err := s.parent.Options.GeoDB.ResolveCountryCodeFromIP(ipAddr)
+	if err != nil {
+		return true
+	}
+
+	if s.IsCountryCodeWhitelisted(countryCode.CountryIsoCode) {
+		return true
+	}
+
+	if s.IsIPWhitelisted(ipAddr) {
+		return true
+	}
+
+	return false
+}
+
+/* Utilities function */
+
+// Update the current access rule to json file
+func (s *AccessRule) SaveChanges() error {
+	if s.parent == nil {
+		return errors.New("save failed: access rule detached from controller")
+	}
+	saveTarget := filepath.Join(s.parent.Options.ConfigFolder, s.ID+".json")
+	js, err := json.MarshalIndent(s, "", " ")
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(saveTarget, js, 0775)
+	return err
+}
+
+// Delete this access rule, this will only delete the config file.
+// for runtime delete, use DeleteAccessRuleByID from parent Controller
+func (s *AccessRule) DeleteConfigFile() error {
+	saveTarget := filepath.Join(s.parent.Options.ConfigFolder, s.ID+".json")
+	return os.Remove(saveTarget)
+}
+
+// Delete the access rule by given ID
+func (c *Controller) DeleteAccessRuleByID(accessRuleID string) error {
+	targetAccessRule, err := c.GetAccessRuleByID(accessRuleID)
+	if err != nil {
+		return err
+	}
+
+	//Delete config file associated with this access rule
+	err = targetAccessRule.DeleteConfigFile()
+	if err != nil {
+		return err
+	}
+
+	//Delete the access rule in runtime
+	c.ProxyAccessRule.Delete(accessRuleID)
+	return nil
+}
+
+// Create a deep copy object of the access rule list
+func deepCopy(valueList map[string]string) map[string]string {
+	result := map[string]string{}
+	js, _ := json.Marshal(valueList)
+	json.Unmarshal(js, &result)
+	return result
+}
--- a/src/mod/access/blacklist.go
+++ b/src/mod/access/blacklist.go
@ -0,0 +1,94 @@
+package access
+
+import (
+	"strings"
+
+	"imuslab.com/zoraxy/mod/netutils"
+)
+
+/*
+	Blacklist.go
+
+	This script store the blacklist related functions
+*/
+
+// Geo Blacklist
+func (s *AccessRule) AddCountryCodeToBlackList(countryCode string, comment string) {
+	countryCode = strings.ToLower(countryCode)
+	newBlacklistCountryCode := deepCopy(*s.BlackListContryCode)
+	newBlacklistCountryCode[countryCode] = comment
+	s.BlackListContryCode = &newBlacklistCountryCode
+	s.SaveChanges()
+}
+
+func (s *AccessRule) RemoveCountryCodeFromBlackList(countryCode string) {
+	countryCode = strings.ToLower(countryCode)
+	newBlacklistCountryCode := deepCopy(*s.BlackListContryCode)
+	delete(newBlacklistCountryCode, countryCode)
+	s.BlackListContryCode = &newBlacklistCountryCode
+	s.SaveChanges()
+}
+
+func (s *AccessRule) IsCountryCodeBlacklisted(countryCode string) bool {
+	countryCode = strings.ToLower(countryCode)
+	blacklistMap := *s.BlackListContryCode
+	_, ok := blacklistMap[countryCode]
+	return ok
+}
+
+func (s *AccessRule) GetAllBlacklistedCountryCode() []string {
+	bannedCountryCodes := []string{}
+	blacklistMap := *s.BlackListContryCode
+	for cc, _ := range blacklistMap {
+		bannedCountryCodes = append(bannedCountryCodes, cc)
+	}
+	return bannedCountryCodes
+}
+
+// IP Blacklsits
+func (s *AccessRule) AddIPToBlackList(ipAddr string, comment string) {
+	newBlackListIP := deepCopy(*s.BlackListIP)
+	newBlackListIP[ipAddr] = comment
+	s.BlackListIP = &newBlackListIP
+	s.SaveChanges()
+}
+
+func (s *AccessRule) RemoveIPFromBlackList(ipAddr string) {
+	newBlackListIP := deepCopy(*s.BlackListIP)
+	delete(newBlackListIP, ipAddr)
+	s.BlackListIP = &newBlackListIP
+	s.SaveChanges()
+}
+
+func (s *AccessRule) GetAllBlacklistedIp() []string {
+	bannedIps := []string{}
+	blacklistMap := *s.BlackListIP
+	for ip, _ := range blacklistMap {
+		bannedIps = append(bannedIps, ip)
+	}
+
+	return bannedIps
+}
+
+func (s *AccessRule) IsIPBlacklisted(ipAddr string) bool {
+	IPBlacklist := *s.BlackListIP
+	_, ok := IPBlacklist[ipAddr]
+	if ok {
+		return true
+	}
+
+	//Check for CIDR
+	for ipOrCIDR, _ := range IPBlacklist {
+		wildcardMatch := netutils.MatchIpWildcard(ipAddr, ipOrCIDR)
+		if wildcardMatch {
+			return true
+		}
+
+		cidrMatch := netutils.MatchIpCIDR(ipAddr, ipOrCIDR)
+		if cidrMatch {
+			return true
+		}
+	}
+
+	return false
+}
--- a/src/mod/access/typedef.go
+++ b/src/mod/access/typedef.go
@ -0,0 +1,38 @@
+package access
+
+import (
+	"sync"
+
+	"imuslab.com/zoraxy/mod/database"
+	"imuslab.com/zoraxy/mod/geodb"
+	"imuslab.com/zoraxy/mod/info/logger"
+)
+
+type Options struct {
+	Logger       logger.Logger
+	ConfigFolder string             //Path for storing config files
+	GeoDB        *geodb.Store       //For resolving country code
+	Database     *database.Database //System key-value database
+}
+
+type AccessRule struct {
+	ID               string
+	Name             string
+	Desc             string
+	BlacklistEnabled bool
+	WhitelistEnabled bool
+
+	/* Whitelist Blacklist Table, value is comment if supported */
+	WhiteListCountryCode *map[string]string
+	WhiteListIP          *map[string]string
+	BlackListContryCode  *map[string]string
+	BlackListIP          *map[string]string
+
+	parent *Controller
+}
+
+type Controller struct {
+	DefaultAccessRule *AccessRule
+	ProxyAccessRule   *sync.Map
+	Options           *Options
+}
--- a/src/mod/access/whitelist.go
+++ b/src/mod/access/whitelist.go
@ -0,0 +1,112 @@
+package access
+
+import (
+	"strings"
+
+	"imuslab.com/zoraxy/mod/netutils"
+)
+
+/*
+	Whitelist.go
+
+	This script handles whitelist related functions
+*/
+
+const (
+	EntryType_CountryCode int = 0
+	EntryType_IP          int = 1
+)
+
+type WhitelistEntry struct {
+	EntryType int    //Entry type of whitelist, Country Code or IP
+	CC        string //ISO Country Code
+	IP        string //IP address or range
+	Comment   string //Comment for this entry
+}
+
+//Geo Whitelist
+
+func (s *AccessRule) AddCountryCodeToWhitelist(countryCode string, comment string) {
+	countryCode = strings.ToLower(countryCode)
+	newWhitelistCC := deepCopy(*s.WhiteListCountryCode)
+	newWhitelistCC[countryCode] = comment
+	s.WhiteListCountryCode = &newWhitelistCC
+	s.SaveChanges()
+}
+
+func (s *AccessRule) RemoveCountryCodeFromWhitelist(countryCode string) {
+	countryCode = strings.ToLower(countryCode)
+	newWhitelistCC := deepCopy(*s.WhiteListCountryCode)
+	delete(newWhitelistCC, countryCode)
+	s.WhiteListCountryCode = &newWhitelistCC
+	s.SaveChanges()
+}
+
+func (s *AccessRule) IsCountryCodeWhitelisted(countryCode string) bool {
+	countryCode = strings.ToLower(countryCode)
+	whitelistCC := *s.WhiteListCountryCode
+	_, ok := whitelistCC[countryCode]
+	return ok
+}
+
+func (s *AccessRule) GetAllWhitelistedCountryCode() []*WhitelistEntry {
+	whitelistedCountryCode := []*WhitelistEntry{}
+	whitelistCC := *s.WhiteListCountryCode
+	for cc, comment := range whitelistCC {
+		whitelistedCountryCode = append(whitelistedCountryCode, &WhitelistEntry{
+			EntryType: EntryType_CountryCode,
+			CC:        cc,
+			Comment:   comment,
+		})
+	}
+	return whitelistedCountryCode
+}
+
+//IP Whitelist
+
+func (s *AccessRule) AddIPToWhiteList(ipAddr string, comment string) {
+	newWhitelistIP := deepCopy(*s.WhiteListIP)
+	newWhitelistIP[ipAddr] = comment
+	s.WhiteListIP = &newWhitelistIP
+	s.SaveChanges()
+}
+
+func (s *AccessRule) RemoveIPFromWhiteList(ipAddr string) {
+	newWhitelistIP := deepCopy(*s.WhiteListIP)
+	delete(newWhitelistIP, ipAddr)
+	s.WhiteListIP = &newWhitelistIP
+	s.SaveChanges()
+}
+
+func (s *AccessRule) IsIPWhitelisted(ipAddr string) bool {
+	//Check for IP wildcard and CIRD rules
+	WhitelistedIP := *s.WhiteListIP
+	for ipOrCIDR, _ := range WhitelistedIP {
+		wildcardMatch := netutils.MatchIpWildcard(ipAddr, ipOrCIDR)
+		if wildcardMatch {
+			return true
+		}
+
+		cidrMatch := netutils.MatchIpCIDR(ipAddr, ipOrCIDR)
+		if cidrMatch {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (s *AccessRule) GetAllWhitelistedIp() []*WhitelistEntry {
+	whitelistedIp := []*WhitelistEntry{}
+	currentWhitelistedIP := *s.WhiteListIP
+	for ipOrCIDR, comment := range currentWhitelistedIP {
+		thisEntry := WhitelistEntry{
+			EntryType: EntryType_IP,
+			IP:        ipOrCIDR,
+			Comment:   comment,
+		}
+		whitelistedIp = append(whitelistedIp, &thisEntry)
+	}
+
+	return whitelistedIp
+}
--- a/src/mod/acme/acme.go
+++ b/src/mod/acme/acme.go
@ -0,0 +1,524 @@
+package acme
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge/http01"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
+	"imuslab.com/zoraxy/mod/database"
+	"imuslab.com/zoraxy/mod/info/logger"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+type CertificateInfoJSON struct {
+	AcmeName    string `json:"acme_name"` //ACME provider name
+	AcmeUrl     string `json:"acme_url"`  //Custom ACME URL (if any)
+	SkipTLS     bool   `json:"skip_tls"`  //Skip TLS verification of upstream
+	UseDNS      bool   `json:"dns"`       //Use DNS challenge
+	PropTimeout int    `json:"prop_time"` //Propagation timeout
+}
+
+// ACMEUser represents a user in the ACME system.
+type ACMEUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+type EABConfig struct {
+	Kid     string `json:"kid"`
+	HmacKey string `json:"HmacKey"`
+}
+
+// GetEmail returns the email of the ACMEUser.
+func (u *ACMEUser) GetEmail() string {
+	return u.Email
+}
+
+// GetRegistration returns the registration resource of the ACMEUser.
+func (u ACMEUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+
+// GetPrivateKey returns the private key of the ACMEUser.
+func (u *ACMEUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+// ACMEHandler handles ACME-related operations.
+type ACMEHandler struct {
+	DefaultAcmeServer string
+	Port              string
+	Database          *database.Database
+	Logger            *logger.Logger
+}
+
+// NewACME creates a new ACMEHandler instance.
+func NewACME(defaultAcmeServer string, port string, database *database.Database, logger *logger.Logger) *ACMEHandler {
+	return &ACMEHandler{
+		DefaultAcmeServer: defaultAcmeServer,
+		Port:              port,
+		Database:          database,
+		Logger:            logger,
+	}
+}
+
+func (a *ACMEHandler) Logf(message string, err error) {
+	a.Logger.PrintAndLog("ACME", message, err)
+}
+
+// ObtainCert obtains a certificate for the specified domains.
+func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, caName string, caUrl string, skipTLS bool, useDNS bool, propagationTimeout int) (bool, error) {
+	a.Logf("Obtaining certificate for: "+strings.Join(domains, ", "), nil)
+
+	// generate private key
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		a.Logf("Private key generation failed", err)
+		return false, err
+	}
+
+	// create a admin user for our new generation
+	adminUser := ACMEUser{
+		Email: email,
+		key:   privateKey,
+	}
+
+	// create config
+	config := lego.NewConfig(&adminUser)
+
+	// skip TLS verify if need
+	// Ref: https://github.com/go-acme/lego/blob/6af2c756ac73a9cb401621afca722d0f4112b1b8/lego/client_config.go#L74
+	if skipTLS {
+		a.Logf("Ignoring TLS/SSL Verification Error for ACME Server", nil)
+		config.HTTPClient.Transport = &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			TLSHandshakeTimeout:   30 * time.Second,
+			ResponseHeaderTimeout: 30 * time.Second,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+	}
+
+	//Fallback to Let's Encrypt if it is not set
+	if caName == "" {
+		caName = "Let's Encrypt"
+	}
+
+	// setup the custom ACME url endpoint.
+	if caUrl != "" {
+		config.CADirURL = caUrl
+	}
+
+	// if not custom ACME url, load it from ca.json
+	if caName == "custom" {
+		a.Logf("Using Custom ACME "+caUrl+" for CA Directory URL", nil)
+	} else {
+		caLinkOverwrite, err := loadCAApiServerFromName(caName)
+		if err == nil {
+			config.CADirURL = caLinkOverwrite
+			a.Logf("Using "+caLinkOverwrite+" for CA Directory URL", nil)
+		} else {
+			// (caName == "" || caUrl == "") will use default acme
+			config.CADirURL = a.DefaultAcmeServer
+			a.Logf("Using Default ACME "+a.DefaultAcmeServer+" for CA Directory URL", nil)
+		}
+	}
+
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		a.Logf("Failed to spawn new ACME client from current config", err)
+		return false, err
+	}
+
+	// setup how to receive challenge
+	if useDNS {
+		if !a.Database.TableExists("acme") {
+			a.Database.NewTable("acme")
+			return false, errors.New("DNS Provider and DNS Credenital configuration required for ACME Provider (Error -1)")
+		}
+
+		if !a.Database.KeyExists("acme", certificateName+"_dns_provider") || !a.Database.KeyExists("acme", certificateName+"_dns_credentials") {
+			return false, errors.New("DNS Provider and DNS Credenital configuration required for ACME Provider (Error -2)")
+		}
+
+		var dnsCredentials string
+		err := a.Database.Read("acme", certificateName+"_dns_credentials", &dnsCredentials)
+		if err != nil {
+			a.Logf("Read DNS credential failed", err)
+			return false, err
+		}
+
+		var dnsProvider string
+		err = a.Database.Read("acme", certificateName+"_dns_provider", &dnsProvider)
+		if err != nil {
+			a.Logf("Read DNS Provider failed", err)
+			return false, err
+		}
+
+		provider, err := GetDnsChallengeProviderByName(dnsProvider, dnsCredentials, propagationTimeout)
+		if err != nil {
+			a.Logf("Unable to resolve DNS challenge provider", err)
+			return false, err
+		}
+
+		err = client.Challenge.SetDNS01Provider(provider)
+		if err != nil {
+			a.Logf("Failed to resolve DNS01 Provider", err)
+			return false, err
+		}
+	} else {
+		err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", a.Port))
+		if err != nil {
+			a.Logf("Failed to resolve HTTP01 Provider", err)
+			return false, err
+		}
+	}
+
+	// New users will need to register
+	/*
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			log.Println(err)
+			return false, err
+		}
+	*/
+	var reg *registration.Resource
+	// New users will need to register
+	if client.GetExternalAccountRequired() {
+		a.Logf("External Account Required for this ACME Provider", nil)
+		// IF KID and HmacEncoded is overidden
+
+		if !a.Database.TableExists("acme") {
+			a.Database.NewTable("acme")
+			return false, errors.New("kid and HmacEncoded configuration required for ACME Provider (Error -1)")
+		}
+
+		if !a.Database.KeyExists("acme", config.CADirURL+"_kid") || !a.Database.KeyExists("acme", config.CADirURL+"_hmacEncoded") {
+			return false, errors.New("kid and HmacEncoded configuration required for ACME Provider (Error -2)")
+		}
+
+		var kid string
+		var hmacEncoded string
+		err := a.Database.Read("acme", config.CADirURL+"_kid", &kid)
+		if err != nil {
+			a.Logf("Failed to read kid from database", err)
+			return false, err
+		}
+
+		err = a.Database.Read("acme", config.CADirURL+"_hmacEncoded", &hmacEncoded)
+		if err != nil {
+			a.Logf("Failed to read HMAC from database", err)
+			return false, err
+		}
+
+		a.Logf("EAB Credential retrieved: "+kid+" / "+hmacEncoded, nil)
+		if kid != "" && hmacEncoded != "" {
+			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  kid,
+				HmacEncoded:          hmacEncoded,
+			})
+		}
+		if err != nil {
+			a.Logf("Register with external account binder failed", err)
+			return false, err
+		}
+		//return false, errors.New("External Account Required for this ACME Provider.")
+	} else {
+		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			a.Logf("Unable to register client", err)
+			return false, err
+		}
+	}
+	adminUser.Registration = reg
+
+	// obtain the certificate
+	request := certificate.ObtainRequest{
+		Domains: domains,
+		Bundle:  true,
+	}
+	certificates, err := client.Certificate.Obtain(request)
+	if err != nil {
+		a.Logf("Obtain certificate failed", err)
+		return false, err
+	}
+
+	// Each certificate comes back with the cert bytes, the bytes of the client's
+	// private key, and a certificate URL.
+	err = os.WriteFile("./conf/certs/"+certificateName+".pem", certificates.Certificate, 0777)
+	if err != nil {
+		a.Logf("Failed to write public key to disk", err)
+		return false, err
+	}
+	err = os.WriteFile("./conf/certs/"+certificateName+".key", certificates.PrivateKey, 0777)
+	if err != nil {
+		a.Logf("Failed to write private key to disk", err)
+		return false, err
+	}
+
+	// Save certificate's ACME info for renew usage
+	certInfo := &CertificateInfoJSON{
+		AcmeName:    caName,
+		AcmeUrl:     caUrl,
+		SkipTLS:     skipTLS,
+		UseDNS:      useDNS,
+		PropTimeout: propagationTimeout,
+	}
+
+	certInfoBytes, err := json.Marshal(certInfo)
+	if err != nil {
+		a.Logf("Marshal certificate renew config failed", err)
+		return false, err
+	}
+
+	err = os.WriteFile("./conf/certs/"+certificateName+".json", certInfoBytes, 0777)
+	if err != nil {
+		a.Logf("Failed to write certificate renew config to file", err)
+		return false, err
+	}
+
+	return true, nil
+}
+
+// CheckCertificate returns a list of domains that are in expired certificates.
+// It will return all domains that is in expired certificates
+// *** if there is a vaild certificate contains the domain and there is a expired certificate contains the same domain
+// it will said expired as well!
+func (a *ACMEHandler) CheckCertificate() []string {
+	// read from dir
+	filenames, err := os.ReadDir("./conf/certs/")
+
+	expiredCerts := []string{}
+
+	if err != nil {
+		a.Logf("Failed to load certificate folder", err)
+		return []string{}
+	}
+
+	for _, filename := range filenames {
+		certFilepath := filepath.Join("./conf/certs/", filename.Name())
+
+		certBytes, err := os.ReadFile(certFilepath)
+		if err != nil {
+			// Unable to load this file
+			continue
+		} else {
+			// Cert loaded. Check its expiry time
+			block, _ := pem.Decode(certBytes)
+			if block != nil {
+				cert, err := x509.ParseCertificate(block.Bytes)
+				if err == nil {
+					elapsed := time.Since(cert.NotAfter)
+					if elapsed > 0 {
+						// if it is expired then add it in
+						// make sure it's uniqueless
+						for _, dnsName := range cert.DNSNames {
+							if !contains(expiredCerts, dnsName) {
+								expiredCerts = append(expiredCerts, dnsName)
+							}
+						}
+						if !contains(expiredCerts, cert.Subject.CommonName) {
+							expiredCerts = append(expiredCerts, cert.Subject.CommonName)
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return expiredCerts
+}
+
+// return the current port number
+func (a *ACMEHandler) Getport() string {
+	return a.Port
+}
+
+// contains checks if a string is present in a slice.
+func contains(slice []string, str string) bool {
+	for _, s := range slice {
+		if s == str {
+			return true
+		}
+	}
+	return false
+}
+
+// HandleGetExpiredDomains handles the HTTP GET request to retrieve the list of expired domains.
+// It calls the CheckCertificate method to obtain the expired domains and sends a JSON response
+// containing the list of expired domains.
+func (a *ACMEHandler) HandleGetExpiredDomains(w http.ResponseWriter, r *http.Request) {
+	type ExpiredDomains struct {
+		Domain []string `json:"domain"`
+	}
+
+	info := ExpiredDomains{
+		Domain: a.CheckCertificate(),
+	}
+
+	js, _ := json.MarshalIndent(info, "", " ")
+	utils.SendJSONResponse(w, string(js))
+}
+
+// HandleRenewCertificate handles the HTTP GET request to renew a certificate for the provided domains.
+// It retrieves the domains and filename parameters from the request, calls the ObtainCert method
+// to renew the certificate, and sends a JSON response indicating the result of the renewal process.
+func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
+	domainPara, err := utils.PostPara(r, "domains")
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+
+	filename, err := utils.PostPara(r, "filename")
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+	//Make sure the wildcard * do not goes into the filename
+	filename = strings.ReplaceAll(filename, "*", "_")
+
+	email, err := utils.PostPara(r, "email")
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+
+	var caUrl string
+
+	ca, err := utils.PostPara(r, "ca")
+	if err != nil {
+		a.Logf("CA not set. Using default", nil)
+		ca, caUrl = "", ""
+	}
+
+	if ca == "custom" {
+		caUrl, err = utils.PostPara(r, "caURL")
+		if err != nil {
+			a.Logf("Custom CA set but no URL provide, Using default", nil)
+			ca, caUrl = "", ""
+		}
+	}
+
+	if ca == "" {
+		//default. Use Let's Encrypt
+		ca = "Let's Encrypt"
+	}
+
+	var skipTLS bool
+
+	if skipTLSString, err := utils.PostPara(r, "skipTLS"); err != nil {
+		skipTLS = false
+	} else if skipTLSString != "true" {
+		skipTLS = false
+	} else {
+		skipTLS = true
+	}
+
+	var dns bool
+
+	if dnsString, err := utils.PostPara(r, "dns"); err != nil {
+		dns = false
+	} else if dnsString != "true" {
+		dns = false
+	} else {
+		dns = true
+	}
+
+	domains := strings.Split(domainPara, ",")
+
+	// Default propagation timeout is 300 seconds
+	propagationTimeout := 300
+	if dns {
+		ppgTimeout, err := utils.PostPara(r, "ppgTimeout")
+		if err == nil {
+			propagationTimeout, err = strconv.Atoi(ppgTimeout)
+			if err != nil {
+				utils.SendErrorResponse(w, "Invalid propagation timeout value")
+				return
+			}
+			if propagationTimeout < 60 {
+				//Minimum propagation timeout is 60 seconds
+				propagationTimeout = 60
+			}
+		}
+	}
+
+	//Clean spaces in front or behind each domain
+	cleanedDomains := []string{}
+	for _, domain := range domains {
+		cleanedDomains = append(cleanedDomains, strings.TrimSpace(domain))
+	}
+	result, err := a.ObtainCert(cleanedDomains, filename, email, ca, caUrl, skipTLS, dns, propagationTimeout)
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+	utils.SendJSONResponse(w, strconv.FormatBool(result))
+}
+
+// Escape JSON string
+func jsonEscape(i string) string {
+	b, err := json.Marshal(i)
+	if err != nil {
+		//log.Println("Unable to escape json data: " + err.Error())
+		return i
+	}
+	s := string(b)
+	return s[1 : len(s)-1]
+}
+
+// Helper function to check if a port is in use
+func IsPortInUse(port int) bool {
+	address := fmt.Sprintf(":%d", port)
+	listener, err := net.Listen("tcp", address)
+	if err != nil {
+		return true // Port is in use
+	}
+	defer listener.Close()
+	return false // Port is not in use
+
+}
+
+// Load cert information from json file
+func LoadCertInfoJSON(filename string) (*CertificateInfoJSON, error) {
+	certInfoBytes, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	certInfo := &CertificateInfoJSON{}
+	if err = json.Unmarshal(certInfoBytes, certInfo); err != nil {
+		return nil, err
+	}
+
+	return certInfo, nil
+}
--- a/src/mod/acme/acme_dns.go
+++ b/src/mod/acme/acme_dns.go
@ -0,0 +1,56 @@
+package acme
+
+import (
+	"encoding/json"
+	"strconv"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"imuslab.com/zoraxy/mod/acme/acmedns"
+)
+
+// Preprocessor function to get DNS challenge provider by name
+func GetDnsChallengeProviderByName(dnsProvider string, dnsCredentials string, ppgTimeout int) (challenge.Provider, error) {
+	//Unpack the dnsCredentials (json string) to map
+	var dnsCredentialsMap map[string]interface{}
+	err := json.Unmarshal([]byte(dnsCredentials), &dnsCredentialsMap)
+	if err != nil {
+		return nil, err
+	}
+
+	//Clear the PollingInterval and PropagationTimeout field and conert to int
+	userDefinedPollingInterval := 2
+	if dnsCredentialsMap["PollingInterval"] != nil {
+		userDefinedPollingIntervalRaw := dnsCredentialsMap["PollingInterval"].(string)
+		delete(dnsCredentialsMap, "PollingInterval")
+		convertedPollingInterval, err := strconv.Atoi(userDefinedPollingIntervalRaw)
+		if err == nil {
+			userDefinedPollingInterval = convertedPollingInterval
+		}
+	}
+
+	userDefinedPropagationTimeout := ppgTimeout
+	if dnsCredentialsMap["PropagationTimeout"] != nil {
+		userDefinedPropagationTimeoutRaw := dnsCredentialsMap["PropagationTimeout"].(string)
+		delete(dnsCredentialsMap, "PropagationTimeout")
+		convertedPropagationTimeout, err := strconv.Atoi(userDefinedPropagationTimeoutRaw)
+		if err == nil {
+			//Overwrite the default propagation timeout if it is requeted from UI
+			userDefinedPropagationTimeout = convertedPropagationTimeout
+		}
+	}
+
+	//Restructure dnsCredentials string from map
+	dnsCredentialsBytes, err := json.Marshal(dnsCredentialsMap)
+	if err != nil {
+		return nil, err
+	}
+	dnsCredentials = string(dnsCredentialsBytes)
+
+	//Using acmedns CICD pipeline generated datatype to optain the DNS provider
+	return acmedns.GetDNSProviderByJsonConfig(
+		dnsProvider,
+		dnsCredentials,
+		int64(userDefinedPropagationTimeout),
+		int64(userDefinedPollingInterval),
+	)
+}
--- a/src/mod/acme/acme_test.go
+++ b/src/mod/acme/acme_test.go
@ -0,0 +1,24 @@
+package acme_test
+
+import (
+	"fmt"
+	"testing"
+
+	"imuslab.com/zoraxy/mod/acme"
+)
+
+// Test if the issuer extraction is working
+func TestExtractIssuerNameFromPEM(t *testing.T) {
+	pemFilePath := "test/stackoverflow.pem"
+	expectedIssuer := "Let's Encrypt"
+
+	issuerName, err := acme.ExtractIssuerNameFromPEM(pemFilePath)
+	fmt.Println(issuerName)
+	if err != nil {
+		t.Errorf("Error extracting issuer name: %v", err)
+	}
+
+	if issuerName != expectedIssuer {
+		t.Errorf("Unexpected issuer name. Expected: %s, Got: %s", expectedIssuer, issuerName)
+	}
+}
--- a/src/mod/acme/acmedns/acmedns.go
+++ b/src/mod/acme/acmedns/acmedns.go
--- a/src/mod/acme/acmedns/acmedns_test.go
+++ b/src/mod/acme/acmedns/acmedns_test.go
@ -0,0 +1,27 @@
+package acmedns_test
+
+import (
+	"fmt"
+	"testing"
+
+	"imuslab.com/zoraxy/mod/acme/acmedns"
+)
+
+// Test if the structure of ACME DNS config can be reflected from lego source code definations
+func TestACMEDNSConfigStructureReflector(t *testing.T) {
+	providers := []string{
+		"gandi",
+		"cloudflare",
+		"azure",
+	}
+
+	for _, provider := range providers {
+		strcture, err := acmedns.GetProviderConfigStructure(provider)
+		if err != nil {
+			panic(err)
+		}
+
+		fmt.Println(strcture)
+	}
+
+}
--- a/src/mod/acme/acmedns/providers.json
+++ b/src/mod/acme/acmedns/providers.json
--- a/src/mod/acme/acmedns/providerutils.go
+++ b/src/mod/acme/acmedns/providerutils.go
@ -0,0 +1,80 @@
+package acmedns
+
+import (
+	_ "embed"
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+//go:embed providers.json
+var providers []byte //A list of providers generated by acmedns code-generator
+
+type ConfigTemplate struct {
+	Name             string `json:"Name"`
+	ConfigableFields []struct {
+		Title    string `json:"Title"`
+		Datatype string `json:"Datatype"`
+	} `json:"ConfigableFields"`
+	HiddenFields []struct {
+		Title    string `json:"Title"`
+		Datatype string `json:"Datatype"`
+	} `json:"HiddenFields"`
+}
+
+// Return a map of string => datatype
+func GetProviderConfigStructure(providerName string) (map[string]string, error) {
+	//Load the target config template from embedded providers.json
+	configTemplateMap := map[string]ConfigTemplate{}
+	err := json.Unmarshal(providers, &configTemplateMap)
+	if err != nil {
+		return map[string]string{}, err
+	}
+
+	targetConfigTemplate, ok := configTemplateMap[providerName]
+	if !ok {
+		return map[string]string{}, errors.New("provider not supported")
+	}
+
+	results := map[string]string{}
+	for _, field := range targetConfigTemplate.ConfigableFields {
+		results[field.Title] = field.Datatype
+	}
+
+	return results, nil
+}
+
+// HandleServeProvidersJson return the list of supported providers as json
+func HandleServeProvidersJson(w http.ResponseWriter, r *http.Request) {
+	providerName, _ := utils.GetPara(r, "name")
+	if providerName == "" {
+		//Send the current list of providers
+		configTemplateMap := map[string]ConfigTemplate{}
+		err := json.Unmarshal(providers, &configTemplateMap)
+		if err != nil {
+			utils.SendErrorResponse(w, "failed to load DNS provider")
+			return
+		}
+
+		//Parse the provider names into an array
+		providers := []string{}
+		for providerName, _ := range configTemplateMap {
+			providers = append(providers, providerName)
+		}
+
+		js, _ := json.Marshal(providers)
+		utils.SendJSONResponse(w, string(js))
+		return
+	}
+	//Get the config for that provider
+	confTemplate, err := GetProviderConfigStructure(providerName)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	js, _ := json.Marshal(confTemplate)
+	utils.SendJSONResponse(w, string(js))
+}
--- a/src/mod/acme/acmewizard/acmewizard.go
+++ b/src/mod/acme/acmewizard/acmewizard.go
@ -0,0 +1,172 @@
+package acmewizard
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	ACME Wizard
+
+	This wizard help validate the acme settings and configurations
+*/
+
+func HandleGuidedStepCheck(w http.ResponseWriter, r *http.Request) {
+	stepNoStr, err := utils.GetPara(r, "step")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid step number given")
+		return
+	}
+
+	stepNo, err := strconv.Atoi(stepNoStr)
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid step number given")
+		return
+	}
+
+	if stepNo == 1 {
+		isListening, err := isLocalhostListening()
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+
+		js, _ := json.Marshal(isListening)
+		utils.SendJSONResponse(w, string(js))
+	} else if stepNo == 2 {
+		publicIp, err := getPublicIPAddress()
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+
+		publicIp = strings.TrimSpace(publicIp)
+
+		httpServerReachable := isHTTPServerAvailable(publicIp)
+
+		js, _ := json.Marshal(httpServerReachable)
+		utils.SendJSONResponse(w, string(js))
+	} else if stepNo == 3 {
+		domain, err := utils.GetPara(r, "domain")
+		if err != nil {
+			utils.SendErrorResponse(w, "domain cannot be empty")
+			return
+		}
+
+		domain = strings.TrimSpace(domain)
+
+		//Check if the domain is reachable
+		reachable := isDomainReachable(domain)
+		if !reachable {
+			utils.SendErrorResponse(w, "domain is not reachable")
+			return
+		}
+
+		//Check http is setup correctly
+		httpServerReachable := isHTTPServerAvailable(domain)
+		js, _ := json.Marshal(httpServerReachable)
+		utils.SendJSONResponse(w, string(js))
+	} else if stepNo == 10 {
+		//Resolve public Ip address for tour
+		publicIp, err := getPublicIPAddress()
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+		js, _ := json.Marshal(publicIp)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		utils.SendErrorResponse(w, "invalid step number")
+	}
+}
+
+// Step 1
+func isLocalhostListening() (isListening bool, err error) {
+	timeout := 2 * time.Second
+	isListening = false
+	// Check if localhost is listening on port 80 (HTTP)
+	conn, err := net.DialTimeout("tcp", "localhost:80", timeout)
+	if err == nil {
+		isListening = true
+		conn.Close()
+	}
+
+	// Check if localhost is listening on port 443 (HTTPS)
+	conn, err = net.DialTimeout("tcp", "localhost:443", timeout)
+	if err == nil {
+		isListening = true
+		conn.Close()
+	}
+
+	if isListening {
+		return true, nil
+	}
+
+	return isListening, err
+}
+
+// Step 2
+func getPublicIPAddress() (string, error) {
+	resp, err := http.Get("http://checkip.amazonaws.com/")
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	ip, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	return string(ip), nil
+}
+
+func isHTTPServerAvailable(ipAddress string) bool {
+	client := http.Client{
+		Timeout: 5 * time.Second, // Timeout for the HTTP request
+	}
+
+	urls := []string{
+		"http://" + ipAddress + ":80",
+		"https://" + ipAddress + ":443",
+	}
+
+	for _, url := range urls {
+		req, err := http.NewRequest("GET", url, nil)
+		if err != nil {
+			fmt.Println(err, url)
+			continue // Ignore invalid URLs
+		}
+
+		// Disable TLS verification to handle invalid certificates
+		client.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+
+		resp, err := client.Do(req)
+		if err == nil {
+			resp.Body.Close()
+			return true // HTTP server is available
+		}
+	}
+
+	return false // HTTP server is not available
+}
+
+// Step 3
+func isDomainReachable(domain string) bool {
+	_, err := net.LookupHost(domain)
+	if err != nil {
+		return false // Domain is not reachable
+	}
+	return true // Domain is reachable
+}
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@ -0,0 +1,471 @@
+package acme
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/mail"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"imuslab.com/zoraxy/mod/info/logger"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	autorenew.go
+
+	This script handle auto renew
+*/
+
+type AutoRenewConfig struct {
+	Enabled      bool     //Automatic renew is enabled
+	Email        string   //Email for acme
+	RenewAll     bool     //Renew all or selective renew with the slice below
+	FilesToRenew []string //If RenewAll is false, renew these certificate files
+}
+
+type AutoRenewer struct {
+	ConfigFilePath    string
+	CertFolder        string
+	AcmeHandler       *ACMEHandler
+	RenewerConfig     *AutoRenewConfig
+	RenewTickInterval int64
+	EarlyRenewDays    int //How many days before cert expire to renew certificate
+	TickerstopChan    chan bool
+	Logger            *logger.Logger //System wide logger
+}
+
+type ExpiredCerts struct {
+	Domains  []string
+	Filepath string
+}
+
+// Create an auto renew agent, require config filepath and auto scan & renew interval (seconds)
+// Set renew check interval to 0 for auto (1 day)
+func NewAutoRenewer(config string, certFolder string, renewCheckInterval int64, earlyRenewDays int, AcmeHandler *ACMEHandler, logger *logger.Logger) (*AutoRenewer, error) {
+	if renewCheckInterval == 0 {
+		renewCheckInterval = 86400 //1 day
+	}
+
+	if earlyRenewDays == 0 {
+		earlyRenewDays = 30
+	}
+
+	//Load the config file. If not found, create one
+	if !utils.FileExists(config) {
+		//Create one
+		os.MkdirAll(filepath.Dir(config), 0775)
+		newConfig := AutoRenewConfig{
+			RenewAll:     true,
+			FilesToRenew: []string{},
+		}
+		js, _ := json.MarshalIndent(newConfig, "", " ")
+		err := os.WriteFile(config, js, 0775)
+		if err != nil {
+			return nil, errors.New("Failed to create acme auto renewer config: " + err.Error())
+		}
+	}
+
+	renewerConfig := AutoRenewConfig{}
+	content, err := os.ReadFile(config)
+	if err != nil {
+		return nil, errors.New("Failed to open acme auto renewer config: " + err.Error())
+	}
+
+	err = json.Unmarshal(content, &renewerConfig)
+	if err != nil {
+		return nil, errors.New("Malformed acme config file: " + err.Error())
+	}
+
+	//Create an Auto renew object
+	thisRenewer := AutoRenewer{
+		ConfigFilePath:    config,
+		CertFolder:        certFolder,
+		AcmeHandler:       AcmeHandler,
+		RenewerConfig:     &renewerConfig,
+		RenewTickInterval: renewCheckInterval,
+		EarlyRenewDays:    earlyRenewDays,
+		Logger:            logger,
+	}
+
+	thisRenewer.Logf("ACME early renew set to "+fmt.Sprint(earlyRenewDays)+" days and check interval set to "+fmt.Sprint(renewCheckInterval)+" seconds", nil)
+
+	if thisRenewer.RenewerConfig.Enabled {
+		//Start the renew ticker
+		thisRenewer.StartAutoRenewTicker()
+
+		//Check and renew certificate on startup
+		go thisRenewer.CheckAndRenewCertificates()
+	}
+
+	return &thisRenewer, nil
+}
+
+func (a *AutoRenewer) Logf(message string, err error) {
+	a.Logger.PrintAndLog("cert-renew", message, err)
+}
+
+func (a *AutoRenewer) StartAutoRenewTicker() {
+	//Stop the previous ticker if still running
+	if a.TickerstopChan != nil {
+		a.TickerstopChan <- true
+	}
+
+	time.Sleep(1 * time.Second)
+
+	ticker := time.NewTicker(time.Duration(a.RenewTickInterval) * time.Second)
+	done := make(chan bool)
+
+	//Start the ticker to check and renew every x seconds
+	go func(a *AutoRenewer) {
+		for {
+			select {
+			case <-done:
+				return
+			case <-ticker.C:
+				a.Logf("Check and renew certificates in progress", nil)
+				a.CheckAndRenewCertificates()
+			}
+		}
+	}(a)
+
+	a.TickerstopChan = done
+}
+
+func (a *AutoRenewer) StopAutoRenewTicker() {
+	if a.TickerstopChan != nil {
+		a.TickerstopChan <- true
+	}
+
+	a.TickerstopChan = nil
+}
+
+// Handle update auto renew domains
+// Set opr for different mode of operations
+// opr = setSelected -> Enter a list of file names (or matching rules) for auto renew
+// opr = setAuto -> Set to use auto detect certificates and renew
+func (a *AutoRenewer) HandleSetAutoRenewDomains(w http.ResponseWriter, r *http.Request) {
+	opr, err := utils.PostPara(r, "opr")
+	if err != nil {
+		utils.SendErrorResponse(w, "Operation not set")
+		return
+	}
+
+	if opr == "setSelected" {
+		files, err := utils.PostPara(r, "domains")
+		if err != nil {
+			utils.SendErrorResponse(w, "Domains is not defined")
+			return
+		}
+
+		//Parse it int array of string
+		matchingRuleFiles := []string{}
+		err = json.Unmarshal([]byte(files), &matchingRuleFiles)
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+
+		//Update the configs
+		a.RenewerConfig.RenewAll = false
+		a.RenewerConfig.FilesToRenew = matchingRuleFiles
+		a.saveRenewConfigToFile()
+		utils.SendOK(w)
+	} else if opr == "setAuto" {
+		a.RenewerConfig.RenewAll = true
+		a.saveRenewConfigToFile()
+		utils.SendOK(w)
+	} else {
+		utils.SendErrorResponse(w, "invalid operation given")
+	}
+
+}
+
+// if auto renew all is true (aka auto scan), it will return []string{"*"}
+func (a *AutoRenewer) HandleLoadAutoRenewDomains(w http.ResponseWriter, r *http.Request) {
+	results := []string{}
+	if a.RenewerConfig.RenewAll {
+		//Auto pick which cert to renew.
+		results = append(results, "*")
+	} else {
+		//Manually set the files to renew
+		results = a.RenewerConfig.FilesToRenew
+	}
+
+	js, _ := json.Marshal(results)
+	utils.SendJSONResponse(w, string(js))
+}
+
+func (a *AutoRenewer) HandleRenewPolicy(w http.ResponseWriter, r *http.Request) {
+	//Load the current value
+	js, _ := json.Marshal(a.RenewerConfig.RenewAll)
+	utils.SendJSONResponse(w, string(js))
+}
+
+func (a *AutoRenewer) HandleRenewNow(w http.ResponseWriter, r *http.Request) {
+	renewedDomains, err := a.CheckAndRenewCertificates()
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	message := "Domains renewed"
+	if len(renewedDomains) == 0 {
+		message = ("All certificates are up-to-date!")
+	} else {
+		message = ("The following domains have been renewed: " + strings.Join(renewedDomains, ","))
+	}
+
+	js, _ := json.Marshal(message)
+	utils.SendJSONResponse(w, string(js))
+}
+
+// HandleAutoRenewEnable get and set the auto renew enable state
+func (a *AutoRenewer) HandleAutoRenewEnable(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		js, _ := json.Marshal(a.RenewerConfig.Enabled)
+		utils.SendJSONResponse(w, string(js))
+	} else if r.Method == http.MethodPost {
+		val, err := utils.PostBool(r, "enable")
+		if err != nil {
+			utils.SendErrorResponse(w, "invalid or empty enable state")
+		}
+		if val {
+			//Check if the email is not empty
+			if a.RenewerConfig.Email == "" {
+				utils.SendErrorResponse(w, "Email is not set")
+				return
+			}
+			a.RenewerConfig.Enabled = true
+			a.saveRenewConfigToFile()
+			a.Logf("ACME auto renew enabled", nil)
+			a.StartAutoRenewTicker()
+		} else {
+			a.RenewerConfig.Enabled = false
+			a.saveRenewConfigToFile()
+			a.Logf("ACME auto renew disabled", nil)
+			a.StopAutoRenewTicker()
+		}
+	} else {
+		http.Error(w, "405 - Method not allowed", http.StatusMethodNotAllowed)
+	}
+
+}
+
+func (a *AutoRenewer) HandleACMEEmail(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		//Return the current email to user
+		js, _ := json.Marshal(a.RenewerConfig.Email)
+		utils.SendJSONResponse(w, string(js))
+	} else if r.Method == http.MethodPost {
+		email, err := utils.PostPara(r, "set")
+		if err != nil {
+			utils.SendErrorResponse(w, "invalid or empty email given")
+			return
+		}
+
+		//Check if the email is valid
+		_, err = mail.ParseAddress(email)
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+
+		//Set the new config
+		a.RenewerConfig.Email = email
+		a.saveRenewConfigToFile()
+
+		utils.SendOK(w)
+	} else {
+		http.Error(w, "405 - Method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+// Check and renew certificates. This check all the certificates in the
+// certificate folder and return a list of certs that is renewed in this call
+// Return string array with length 0 when no cert is expired
+func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
+	certFolder := a.CertFolder
+	files, err := os.ReadDir(certFolder)
+	if err != nil {
+		a.Logf("Read certificate store failed", err)
+		return []string{}, err
+	}
+
+	expiredCertList := []*ExpiredCerts{}
+	if a.RenewerConfig.RenewAll {
+		//Scan and renew all
+		for _, file := range files {
+			if filepath.Ext(file.Name()) == ".crt" || filepath.Ext(file.Name()) == ".pem" {
+				//This is a public key file
+				certBytes, err := os.ReadFile(filepath.Join(certFolder, file.Name()))
+				if err != nil {
+					continue
+				}
+				if CertExpireSoon(certBytes, a.EarlyRenewDays) || CertIsExpired(certBytes) {
+					//This cert is expired
+
+					DNSName, err := ExtractDomains(certBytes)
+					if err != nil {
+						//Maybe self signed. Ignore this
+						a.Logf("Encounted error when trying to resolve DNS name for cert "+file.Name(), err)
+						continue
+					}
+
+					expiredCertList = append(expiredCertList, &ExpiredCerts{
+						Filepath: filepath.Join(certFolder, file.Name()),
+						Domains:  DNSName,
+					})
+				}
+			}
+		}
+	} else {
+		//Only renew those in the list
+		for _, file := range files {
+			fileName := file.Name()
+			certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
+			if contains(a.RenewerConfig.FilesToRenew, certName) {
+				//This is the one to auto renew
+				certBytes, err := os.ReadFile(filepath.Join(certFolder, file.Name()))
+				if err != nil {
+					continue
+				}
+				if CertExpireSoon(certBytes, a.EarlyRenewDays) || CertIsExpired(certBytes) {
+					//This cert is expired
+					DNSName, err := ExtractDomains(certBytes)
+					if err != nil {
+						//Maybe self signed. Ignore this
+						a.Logf("Encounted error when trying to resolve DNS name for cert "+file.Name(), err)
+						continue
+					}
+
+					expiredCertList = append(expiredCertList, &ExpiredCerts{
+						Filepath: filepath.Join(certFolder, file.Name()),
+						Domains:  DNSName,
+					})
+				}
+			}
+		}
+	}
+
+	return a.renewExpiredDomains(expiredCertList)
+}
+
+func (a *AutoRenewer) Close() {
+	if a.TickerstopChan != nil {
+		a.TickerstopChan <- true
+	}
+}
+
+// Renew the certificate by filename extract all DNS name from the
+// certificate and renew them one by one by calling to the acmeHandler
+func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, error) {
+	renewedCertFiles := []string{}
+	for _, expiredCert := range certs {
+		a.Logf("Renewing "+expiredCert.Filepath+" (Might take a few minutes)", nil)
+		fileName := filepath.Base(expiredCert.Filepath)
+		certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
+
+		// Load certificate info for ACME detail
+		certInfoFilename := fmt.Sprintf("%s/%s.json", filepath.Dir(expiredCert.Filepath), certName)
+		certInfo, err := LoadCertInfoJSON(certInfoFilename)
+		if err != nil {
+			a.Logf("Renew "+certName+"certificate error, can't get the ACME detail for certificate, trying org section as ca", err)
+
+			if CAName, extractErr := ExtractIssuerNameFromPEM(expiredCert.Filepath); extractErr != nil {
+				a.Logf("Extract issuer name for cert error, using default ca", err)
+				certInfo = &CertificateInfoJSON{}
+			} else {
+				certInfo = &CertificateInfoJSON{AcmeName: CAName}
+			}
+		}
+
+		//For upgrading config from older version of Zoraxy which don't have timeout
+		if certInfo.PropTimeout == 0 {
+			//Set default timeout
+			certInfo.PropTimeout = 300
+		}
+
+		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS, certInfo.UseDNS, certInfo.PropTimeout)
+		if err != nil {
+			a.Logf("Renew "+fileName+"("+strings.Join(expiredCert.Domains, ",")+") failed", err)
+		} else {
+			a.Logf("Successfully renewed "+filepath.Base(expiredCert.Filepath), nil)
+			renewedCertFiles = append(renewedCertFiles, filepath.Base(expiredCert.Filepath))
+		}
+	}
+
+	return renewedCertFiles, nil
+}
+
+// Write the current renewer config to file
+func (a *AutoRenewer) saveRenewConfigToFile() error {
+	js, _ := json.MarshalIndent(a.RenewerConfig, "", " ")
+	return os.WriteFile(a.ConfigFilePath, js, 0775)
+}
+
+// Handle update auto renew EAD configuration
+func (a *AutoRenewer) HanldeSetEAB(w http.ResponseWriter, r *http.Request) {
+	kid, err := utils.GetPara(r, "kid")
+	if err != nil {
+		utils.SendErrorResponse(w, "kid not set")
+		return
+	}
+
+	hmacEncoded, err := utils.GetPara(r, "hmacEncoded")
+	if err != nil {
+		utils.SendErrorResponse(w, "hmacEncoded not set")
+		return
+	}
+
+	acmeDirectoryURL, err := utils.GetPara(r, "acmeDirectoryURL")
+	if err != nil {
+		utils.SendErrorResponse(w, "acmeDirectoryURL not set")
+		return
+	}
+
+	if !a.AcmeHandler.Database.TableExists("acme") {
+		a.AcmeHandler.Database.NewTable("acme")
+	}
+
+	a.AcmeHandler.Database.Write("acme", acmeDirectoryURL+"_kid", kid)
+	a.AcmeHandler.Database.Write("acme", acmeDirectoryURL+"_hmacEncoded", hmacEncoded)
+
+	utils.SendOK(w)
+
+}
+
+// Handle update auto renew DNS configuration
+func (a *AutoRenewer) HanldeSetDNS(w http.ResponseWriter, r *http.Request) {
+	dnsProvider, err := utils.PostPara(r, "dnsProvider")
+	if err != nil {
+		utils.SendErrorResponse(w, "dnsProvider not set")
+		return
+	}
+
+	dnsCredentials, err := utils.PostPara(r, "dnsCredentials")
+	if err != nil {
+		utils.SendErrorResponse(w, "dnsCredentials not set")
+		return
+	}
+
+	filename, err := utils.PostPara(r, "filename")
+	if err != nil {
+		utils.SendErrorResponse(w, "filename not set")
+		return
+	}
+
+	if !a.AcmeHandler.Database.TableExists("acme") {
+		a.AcmeHandler.Database.NewTable("acme")
+	}
+
+	a.AcmeHandler.Database.Write("acme", filename+"_dns_provider", dnsProvider)
+	a.AcmeHandler.Database.Write("acme", filename+"_dns_credentials", dnsCredentials)
+
+	utils.SendOK(w)
+
+}
--- a/src/mod/acme/ca.go
+++ b/src/mod/acme/ca.go
@ -0,0 +1,56 @@
+package acme
+
+/*
+	CA.go
+
+	This script load CA defination from embedded ca.json
+*/
+import (
+	_ "embed"
+	"encoding/json"
+	"errors"
+	"log"
+	"strings"
+)
+
+// CA Defination, load from embeded json when startup
+type CaDef struct {
+	Production map[string]string
+	Test       map[string]string
+}
+
+//go:embed ca.json
+var caJson []byte
+
+var caDef CaDef = CaDef{}
+
+func init() {
+	runtimeCaDef := CaDef{}
+	err := json.Unmarshal(caJson, &runtimeCaDef)
+	if err != nil {
+		log.Println("[ERR] Unable to unmarshal CA def from embedded file. You sure your ca.json is valid?")
+		return
+	}
+
+	caDef = runtimeCaDef
+}
+
+// Get the CA ACME server endpoint and error if not found
+func loadCAApiServerFromName(caName string) (string, error) {
+	// handle BuyPass cert org section (Buypass AS-983163327)
+	if strings.HasPrefix(caName, "Buypass AS") {
+		caName = "Buypass"
+	}
+
+	val, ok := caDef.Production[caName]
+	if !ok {
+		return "", errors.New("This CA is not supported")
+	}
+
+	return val, nil
+}
+
+func IsSupportedCA(caName string) bool {
+	_, err := loadCAApiServerFromName(caName)
+	return err == nil
+}
--- a/src/mod/acme/ca.json
+++ b/src/mod/acme/ca.json
@ -0,0 +1,15 @@
+{
+    "production": {
+        "Let's Encrypt": "https://acme-v02.api.letsencrypt.org/directory",
+        "Buypass": "https://api.buypass.com/acme/directory",
+        "ZeroSSL": "https://acme.zerossl.com/v2/DV90",
+        "Google": "https://dv.acme-v02.api.pki.goog/directory"
+    },
+    "test":{
+        "Let's Encrypt": "https://acme-staging-v02.api.letsencrypt.org/directory",
+        "Buypass": "https://api.test4.buypass.no/acme/directory",
+        "Google": "https://dv.acme-v02.test-api.pki.goog/directory"
+    }
+  }
+  
+  
--- a/src/mod/acme/utils.go
+++ b/src/mod/acme/utils.go
@ -0,0 +1,100 @@
+package acme
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+	"time"
+)
+
+// Get the issuer name from pem file
+func ExtractIssuerNameFromPEM(pemFilePath string) (string, error) {
+	// Read the PEM file
+	pemData, err := os.ReadFile(pemFilePath)
+	if err != nil {
+		return "", err
+	}
+
+	return ExtractIssuerName(pemData)
+}
+
+// Get the DNSName in the cert
+func ExtractDomains(certBytes []byte) ([]string, error) {
+	domains := []string{}
+	block, _ := pem.Decode(certBytes)
+	if block != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return []string{}, err
+		}
+		for _, dnsName := range cert.DNSNames {
+			if !contains(domains, dnsName) {
+				domains = append(domains, dnsName)
+			}
+		}
+
+		return domains, nil
+	}
+	return []string{}, errors.New("decode cert bytes failed")
+}
+
+func ExtractIssuerName(certBytes []byte) (string, error) {
+	// Parse the PEM block
+	block, _ := pem.Decode(certBytes)
+	if block == nil || block.Type != "CERTIFICATE" {
+		return "", fmt.Errorf("failed to decode PEM block containing certificate")
+	}
+
+	// Parse the certificate
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse certificate: %v", err)
+	}
+
+	// Check if exist incase some acme server didn't have org section
+	if len(cert.Issuer.Organization) == 0 {
+		return "", fmt.Errorf("cert didn't have org section exist")
+	}
+
+	// Extract the issuer name
+	issuer := cert.Issuer.Organization[0]
+
+	return issuer, nil
+}
+
+// Check if a cert is expired by public key
+func CertIsExpired(certBytes []byte) bool {
+	block, _ := pem.Decode(certBytes)
+	if block != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err == nil {
+			elapsed := time.Since(cert.NotAfter)
+			if elapsed > 0 {
+				// if it is expired then add it in
+				// make sure it's uniqueless
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// CertExpireSoon check if the given cert bytes will expires within the given number of days from now
+func CertExpireSoon(certBytes []byte, numberOfDays int) bool {
+	block, _ := pem.Decode(certBytes)
+	if block != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err == nil {
+			expirationDate := cert.NotAfter
+			threshold := time.Duration(numberOfDays) * 24 * time.Hour
+
+			timeRemaining := time.Until(expirationDate)
+			if timeRemaining <= threshold {
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/src/mod/auth/auth.go
+++ b/src/mod/auth/auth.go
@ -0,0 +1,484 @@
+package auth
+
+/*
+
+	author: tobychui
+*/
+
+import (
+	"crypto/rand"
+	"crypto/sha512"
+	"errors"
+	"net/http"
+	"net/mail"
+	"strings"
+
+	"encoding/hex"
+
+	"github.com/gorilla/sessions"
+	db "imuslab.com/zoraxy/mod/database"
+	"imuslab.com/zoraxy/mod/info/logger"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+type AuthAgent struct {
+	//Session related
+	SessionName             string
+	SessionStore            *sessions.CookieStore
+	Database                *db.Database
+	LoginRedirectionHandler func(http.ResponseWriter, *http.Request)
+	Logger                  *logger.Logger
+}
+
+type AuthEndpoints struct {
+	Login         string
+	Logout        string
+	Register      string
+	CheckLoggedIn string
+	Autologin     string
+}
+
+// Constructor
+func NewAuthenticationAgent(sessionName string, key []byte, sysdb *db.Database, allowReg bool, systemLogger *logger.Logger, loginRedirectionHandler func(http.ResponseWriter, *http.Request)) *AuthAgent {
+	store := sessions.NewCookieStore(key)
+	err := sysdb.NewTable("auth")
+	if err != nil {
+		systemLogger.Println("Failed to create auth database. Terminating.")
+		panic(err)
+	}
+
+	//Create a new AuthAgent object
+	newAuthAgent := AuthAgent{
+		SessionName:             sessionName,
+		SessionStore:            store,
+		Database:                sysdb,
+		LoginRedirectionHandler: loginRedirectionHandler,
+		Logger:                  systemLogger,
+	}
+
+	//Return the authAgent
+	return &newAuthAgent
+}
+
+func GetSessionKey(sysdb *db.Database, logger *logger.Logger) (string, error) {
+	sysdb.NewTable("auth")
+	sessionKey := ""
+	if !sysdb.KeyExists("auth", "sessionkey") {
+		key := make([]byte, 32)
+		rand.Read(key)
+		sessionKey = string(key)
+		sysdb.Write("auth", "sessionkey", sessionKey)
+		logger.PrintAndLog("auth", "New authentication session key generated", nil)
+	} else {
+		logger.PrintAndLog("auth", "Authentication session key loaded from database", nil)
+		err := sysdb.Read("auth", "sessionkey", &sessionKey)
+		if err != nil {
+			return "", errors.New("database read error. Is the database file corrupted?")
+		}
+	}
+	return sessionKey, nil
+}
+
+// This function will handle an http request and redirect to the given login address if not logged in
+func (a *AuthAgent) HandleCheckAuth(w http.ResponseWriter, r *http.Request, handler func(http.ResponseWriter, *http.Request)) {
+	if a.CheckAuth(r) {
+		//User already logged in
+		handler(w, r)
+	} else {
+		//User not logged in
+		a.LoginRedirectionHandler(w, r)
+	}
+}
+
+// Handle login request, require POST username and password
+func (a *AuthAgent) HandleLogin(w http.ResponseWriter, r *http.Request) {
+
+	//Get username from request using POST mode
+	username, err := utils.PostPara(r, "username")
+	if err != nil {
+		//Username not defined
+		a.Logger.PrintAndLog("auth", r.RemoteAddr+" trying to login with username: "+username, nil)
+		utils.SendErrorResponse(w, "Username not defined or empty.")
+		return
+	}
+
+	//Get password from request using POST mode
+	password, err := utils.PostPara(r, "password")
+	if err != nil {
+		//Password not defined
+		utils.SendErrorResponse(w, "Password not defined or empty.")
+		return
+	}
+
+	//Get rememberme settings
+	rememberme := false
+	rmbme, _ := utils.PostPara(r, "rmbme")
+	if rmbme == "true" {
+		rememberme = true
+	}
+
+	//Check the database and see if this user is in the database
+	passwordCorrect, rejectionReason := a.ValidateUsernameAndPasswordWithReason(username, password)
+	//The database contain this user information. Check its password if it is correct
+	if passwordCorrect {
+		//Password correct
+		// Set user as authenticated
+		a.LoginUserByRequest(w, r, username, rememberme)
+
+		//Print the login message to console
+		a.Logger.PrintAndLog("auth", username+" logged in.", nil)
+		utils.SendOK(w)
+	} else {
+		//Password incorrect
+		a.Logger.PrintAndLog("auth", username+" login request rejected: "+rejectionReason, nil)
+
+		utils.SendErrorResponse(w, rejectionReason)
+		return
+	}
+}
+
+func (a *AuthAgent) ValidateUsernameAndPassword(username string, password string) bool {
+	succ, _ := a.ValidateUsernameAndPasswordWithReason(username, password)
+	return succ
+}
+
+// validate the username and password, return reasons if the auth failed
+func (a *AuthAgent) ValidateUsernameAndPasswordWithReason(username string, password string) (bool, string) {
+	hashedPassword := Hash(password)
+	var passwordInDB string
+	err := a.Database.Read("auth", "passhash/"+username, &passwordInDB)
+	if err != nil {
+		//User not found or db exception
+		a.Logger.PrintAndLog("auth", username+" login with incorrect password", nil)
+		return false, "Invalid username or password"
+	}
+
+	if passwordInDB == hashedPassword {
+		return true, ""
+	} else {
+		return false, "Invalid username or password"
+	}
+}
+
+// Login the user by creating a valid session for this user
+func (a *AuthAgent) LoginUserByRequest(w http.ResponseWriter, r *http.Request, username string, rememberme bool) {
+	session, _ := a.SessionStore.Get(r, a.SessionName)
+
+	session.Values["authenticated"] = true
+	session.Values["username"] = username
+	session.Values["rememberMe"] = rememberme
+
+	//Check if remember me is clicked. If yes, set the maxage to 1 week.
+	if rememberme {
+		session.Options = &sessions.Options{
+			MaxAge: 3600 * 24 * 7, //One week
+			Path:   "/",
+		}
+	} else {
+		session.Options = &sessions.Options{
+			MaxAge: 3600 * 1, //One hour
+			Path:   "/",
+		}
+	}
+	session.Save(r, w)
+}
+
+// Handle logout, reply OK after logged out. WILL NOT DO REDIRECTION
+func (a *AuthAgent) HandleLogout(w http.ResponseWriter, r *http.Request) {
+	username, err := a.GetUserName(w, r)
+	if err != nil {
+		utils.SendErrorResponse(w, "user not logged in")
+		return
+	}
+	if username != "" {
+		a.Logger.PrintAndLog("auth", username+" logged out", nil)
+	}
+	// Revoke users authentication
+	err = a.Logout(w, r)
+	if err != nil {
+		utils.SendErrorResponse(w, "Logout failed")
+		return
+	}
+
+	utils.SendOK(w)
+}
+
+func (a *AuthAgent) Logout(w http.ResponseWriter, r *http.Request) error {
+	session, err := a.SessionStore.Get(r, a.SessionName)
+	if err != nil {
+		return err
+	}
+	session.Values["authenticated"] = false
+	session.Values["username"] = nil
+	session.Save(r, w)
+	return nil
+}
+
+// Get the current session username from request
+func (a *AuthAgent) GetUserName(w http.ResponseWriter, r *http.Request) (string, error) {
+	if a.CheckAuth(r) {
+		//This user has logged in.
+		session, _ := a.SessionStore.Get(r, a.SessionName)
+		return session.Values["username"].(string), nil
+	} else {
+		//This user has not logged in.
+		return "", errors.New("user not logged in")
+	}
+}
+
+// Get the current session user email from request
+func (a *AuthAgent) GetUserEmail(w http.ResponseWriter, r *http.Request) (string, error) {
+	if a.CheckAuth(r) {
+		//This user has logged in.
+		session, _ := a.SessionStore.Get(r, a.SessionName)
+		username := session.Values["username"].(string)
+		userEmail := ""
+		err := a.Database.Read("auth", "email/"+username, &userEmail)
+		if err != nil {
+			return "", err
+		}
+
+		return userEmail, nil
+	} else {
+		//This user has not logged in.
+		return "", errors.New("user not logged in")
+	}
+}
+
+// Check if the user has logged in, return true / false in JSON
+func (a *AuthAgent) CheckLogin(w http.ResponseWriter, r *http.Request) {
+	if a.CheckAuth(r) {
+		utils.SendJSONResponse(w, "true")
+	} else {
+		utils.SendJSONResponse(w, "false")
+	}
+}
+
+// Handle new user register. Require POST username, password, group.
+func (a *AuthAgent) HandleRegister(w http.ResponseWriter, r *http.Request, callback func(string, string)) {
+	//Get username from request
+	newusername, err := utils.PostPara(r, "username")
+	if err != nil {
+		utils.SendErrorResponse(w, "Missing 'username' paramter")
+		return
+	}
+
+	//Get password from request
+	password, err := utils.PostPara(r, "password")
+	if err != nil {
+		utils.SendErrorResponse(w, "Missing 'password' paramter")
+		return
+	}
+
+	//Get email from request
+	email, err := utils.PostPara(r, "email")
+	if err != nil {
+		utils.SendErrorResponse(w, "Missing 'email' paramter")
+		return
+	}
+
+	_, err = mail.ParseAddress(email)
+	if err != nil {
+		utils.SendErrorResponse(w, "Invalid or malformed email")
+		return
+	}
+
+	//Ok to proceed create this user
+	err = a.CreateUserAccount(newusername, password, email)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	//Do callback if exists
+	if callback != nil {
+		callback(newusername, email)
+	}
+
+	//Return to the client with OK
+	utils.SendOK(w)
+	a.Logger.PrintAndLog("auth", "New user "+newusername+" added to system.", nil)
+}
+
+// Handle new user register without confirmation email. Require POST username, password, group.
+func (a *AuthAgent) HandleRegisterWithoutEmail(w http.ResponseWriter, r *http.Request, callback func(string, string)) {
+	//Get username from request
+	newusername, err := utils.PostPara(r, "username")
+	if err != nil {
+		utils.SendErrorResponse(w, "Missing 'username' paramter")
+		return
+	}
+
+	//Get password from request
+	password, err := utils.PostPara(r, "password")
+	if err != nil {
+		utils.SendErrorResponse(w, "Missing 'password' paramter")
+		return
+	}
+
+	//Ok to proceed create this user
+	err = a.CreateUserAccount(newusername, password, "")
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	//Do callback if exists
+	if callback != nil {
+		callback(newusername, "")
+	}
+
+	//Return to the client with OK
+	utils.SendOK(w)
+	a.Logger.PrintAndLog("auth", "Admin account created: "+newusername, nil)
+}
+
+// Check authentication from request header's session value
+func (a *AuthAgent) CheckAuth(r *http.Request) bool {
+	session, err := a.SessionStore.Get(r, a.SessionName)
+	if err != nil {
+		return false
+	}
+	// Check if user is authenticated
+	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
+		return false
+	}
+	return true
+}
+
+// Handle de-register of users. Require POST username.
+// THIS FUNCTION WILL NOT CHECK FOR PERMISSION. PLEASE USE WITH PERMISSION HANDLER
+func (a *AuthAgent) HandleUnregister(w http.ResponseWriter, r *http.Request) {
+	//Check if the user is logged in
+	if !a.CheckAuth(r) {
+		//This user has not logged in
+		utils.SendErrorResponse(w, "Login required to remove user from the system.")
+		return
+	}
+
+	//Get username from request
+	username, err := utils.PostPara(r, "username")
+	if err != nil {
+		utils.SendErrorResponse(w, "Missing 'username' paramter")
+		return
+	}
+
+	err = a.UnregisterUser(username)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	//Return to the client with OK
+	utils.SendOK(w)
+	a.Logger.PrintAndLog("auth", "User "+username+" has been removed from the system", nil)
+}
+
+func (a *AuthAgent) UnregisterUser(username string) error {
+	//Check if the user exists in the system database.
+	if !a.Database.KeyExists("auth", "passhash/"+username) {
+		//This user do not exists.
+		return errors.New("this user does not exists")
+	}
+
+	//OK! Remove the user from the database
+	a.Database.Delete("auth", "passhash/"+username)
+	a.Database.Delete("auth", "email/"+username)
+	return nil
+}
+
+// Get the number of users in the system
+func (a *AuthAgent) GetUserCounts() int {
+	entries, _ := a.Database.ListTable("auth")
+	usercount := 0
+	for _, keypairs := range entries {
+		if strings.Contains(string(keypairs[0]), "passhash/") {
+			//This is a user registry
+			usercount++
+		}
+	}
+
+	if usercount == 0 {
+		a.Logger.PrintAndLog("auth", "There are no user in the database", nil)
+	}
+	return usercount
+}
+
+// List all username within the system
+func (a *AuthAgent) ListUsers() []string {
+	entries, _ := a.Database.ListTable("auth")
+	results := []string{}
+	for _, keypairs := range entries {
+		if strings.Contains(string(keypairs[0]), "passhash/") {
+			username := strings.Split(string(keypairs[0]), "/")[1]
+			results = append(results, username)
+		}
+	}
+	return results
+}
+
+// Check if the given username exists
+func (a *AuthAgent) UserExists(username string) bool {
+	userpasswordhash := ""
+	err := a.Database.Read("auth", "passhash/"+username, &userpasswordhash)
+	if err != nil || userpasswordhash == "" {
+		return false
+	}
+	return true
+}
+
+// Update the session expire time given the request header.
+func (a *AuthAgent) UpdateSessionExpireTime(w http.ResponseWriter, r *http.Request) bool {
+	session, _ := a.SessionStore.Get(r, a.SessionName)
+	if session.Values["authenticated"].(bool) {
+		//User authenticated. Extend its expire time
+		rememberme := session.Values["rememberMe"].(bool)
+		//Extend the session expire time
+		if rememberme {
+			session.Options = &sessions.Options{
+				MaxAge: 3600 * 24 * 7, //One week
+				Path:   "/",
+			}
+		} else {
+			session.Options = &sessions.Options{
+				MaxAge: 3600 * 1, //One hour
+				Path:   "/",
+			}
+		}
+		session.Save(r, w)
+		return true
+	} else {
+		return false
+	}
+}
+
+// Create user account
+func (a *AuthAgent) CreateUserAccount(newusername string, password string, email string) error {
+	//Check user already exists
+	if a.UserExists(newusername) {
+		return errors.New("user with same name already exists")
+	}
+
+	key := newusername
+	hashedPassword := Hash(password)
+	err := a.Database.Write("auth", "passhash/"+key, hashedPassword)
+	if err != nil {
+		return err
+	}
+
+	if email != "" {
+		err = a.Database.Write("auth", "email/"+key, email)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Hash the given raw string into sha512 hash
+func Hash(raw string) string {
+	h := sha512.New()
+	h.Write([]byte(raw))
+	return hex.EncodeToString(h.Sum(nil))
+}
--- a/src/mod/auth/router.go
+++ b/src/mod/auth/router.go
@ -0,0 +1,67 @@
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+)
+
+type RouterOption struct {
+	AuthAgent     *AuthAgent
+	RequireAuth   bool                                     //This router require authentication
+	DeniedHandler func(http.ResponseWriter, *http.Request) //Things to do when request is rejected
+	TargetMux     *http.ServeMux
+}
+
+type RouterDef struct {
+	option    RouterOption
+	endpoints map[string]func(http.ResponseWriter, *http.Request)
+}
+
+func NewManagedHTTPRouter(option RouterOption) *RouterDef {
+	return &RouterDef{
+		option:    option,
+		endpoints: map[string]func(http.ResponseWriter, *http.Request){},
+	}
+}
+
+func (router *RouterDef) HandleFunc(endpoint string, handler func(http.ResponseWriter, *http.Request)) error {
+	//Check if the endpoint already registered
+	if _, exist := router.endpoints[endpoint]; exist {
+		fmt.Println("WARNING! Duplicated registering of web endpoint: " + endpoint)
+		return errors.New("endpoint register duplicated")
+	}
+
+	authAgent := router.option.AuthAgent
+
+	//OK. Register handler
+	if router.option.TargetMux == nil {
+		http.HandleFunc(endpoint, func(w http.ResponseWriter, r *http.Request) {
+			//Check authentication of the user
+			if router.option.RequireAuth {
+				authAgent.HandleCheckAuth(w, r, func(w http.ResponseWriter, r *http.Request) {
+					handler(w, r)
+				})
+			} else {
+				handler(w, r)
+			}
+
+		})
+	} else {
+		router.option.TargetMux.HandleFunc(endpoint, func(w http.ResponseWriter, r *http.Request) {
+			//Check authentication of the user
+			if router.option.RequireAuth {
+				authAgent.HandleCheckAuth(w, r, func(w http.ResponseWriter, r *http.Request) {
+					handler(w, r)
+				})
+			} else {
+				handler(w, r)
+			}
+
+		})
+	}
+
+	router.endpoints[endpoint] = handler
+
+	return nil
+}
--- a/src/mod/auth/sso/app.go
+++ b/src/mod/auth/sso/app.go
@ -0,0 +1,34 @@
+package sso
+
+/*
+	app.go
+
+	This file contains the app structure and app management
+	functions for the SSO module.
+
+*/
+
+// RegisteredUpstreamApp is a structure that contains the information of an
+// upstream app that is registered with the SSO server
+type RegisteredUpstreamApp struct {
+	ID              string
+	Secret          string
+	Domain          []string
+	Scopes          []string
+	SessionDuration int //in seconds, default to 1 hour
+}
+
+// RegisterUpstreamApp registers an upstream app with the SSO server
+func (s *SSOHandler) ListRegisteredApps() []*RegisteredUpstreamApp {
+	apps := make([]*RegisteredUpstreamApp, 0)
+	for _, app := range s.Apps {
+		apps = append(apps, &app)
+	}
+	return apps
+}
+
+// RegisterUpstreamApp registers an upstream app with the SSO server
+func (s *SSOHandler) GetAppByID(appID string) (*RegisteredUpstreamApp, bool) {
+	app, ok := s.Apps[appID]
+	return &app, ok
+}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`<svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="m772-635-43-100-104-46 104-45 43-95 43 95 104 45-104 46-43 100Zm0 595-43-96-104-45 104-45 43-101 43 101 104 45-104 45-43 96ZM333-194l-92-197-201-90 201-90 92-196 93 196 200 90-200 90-93 197Zm0-148 48-96 98-43-98-43-48-96-47 96-99 43 99 43 47 96Zm0-139Z"/></svg>`
				`@ -0,0 +1 @@`
				`<svg fill="#ff7a7a" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M280-453h400v-60H280v60ZM480-80q-82 0-155-31.5t-127.5-86Q143-252 111.5-325T80-480q0-83 31.5-156t86-127Q252-817 325-848.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82-31.5 155T763-197.5q-54 54.5-127 86T480-80Zm0-60q142 0 241-99.5T820-480q0-142-99-241t-241-99q-141 0-240.5 99T140-480q0 141 99.5 240.5T480-140Zm0-340Z"/></svg>`
				`@ -0,0 +1 @@`
				`<svg fill="#919191" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M120-80v-270h120v-160h210v-100H330v-270h300v270H510v100h210v160h120v270H540v-270h120v-100H300v100h120v270H120Zm270-590h180v-150H390v150ZM180-140h180v-150H180v150Zm420 0h180v-150H600v150ZM480-670ZM360-290Zm240 0Z"/></svg>`
				`@ -0,0 +1 @@`
				<svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M356-120H180q-24 0-42-18t-18-42v-176q44-5 75.5-34.5T227-463q0-43-31.5-72.5T120-570v-176q0-24 18-42t42-18h177q11-40 39.5-67t68.5-27q40 0 68.5 27t39.5 67h173q24 0 42 18t18 42v173q40 11 65.5 41.5T897-461q0 40-25.5 67T806-356v176q0 24-18 42t-42 18H570q-5-48-35.5-77.5T463-227q-41 0-71.5 29.5T356-120Zm-176-60h130q25-61 69.888-84 44.888-23 83-23T546-264q45 23 70 84h130v-235h45q20 0 33-13t13-33q0-20-13-33t-33-13h-45v-239H511v-48q0-20-13-33t-33-13q-20 0-33 13t-13 33v48H180v130q48.15 17.817 77.575 59.686Q287-514.445 287-462.777 287-412 257.5-370T180-310v130Zm329-330Z"/></svg>
				`@ -0,0 +1 @@`
				`<svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48" fill="#fcba03"><path d="M273-160 80-353l193-193 42 42-121 121h316v60H194l121 121-42 42Zm414-254-42-42 121-121H450v-60h316L645-758l42-42 193 193-193 193Z"/></svg>`
				`@ -0,0 +1 @@`
				<svg fill="#83f2c4" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M197-197q-54-54-85.5-126.5T80-480q0-84 31.5-156.5T197-763l43 43q-46 46-73 107.5T140-480q0 71 26.5 132T240-240l-43 43Zm113-113q-32-32-51-75.5T240-480q0-51 19-94.5t51-75.5l43 43q-24 24-38.5 56.5T300-480q0 38 14 70t39 57l-43 43Zm170-90q-33 0-56.5-23.5T400-480q0-33 23.5-56.5T480-560q33 0 56.5 23.5T560-480q0 33-23.5 56.5T480-400Zm170 90-43-43q24-24 38.5-56.5T660-480q0-38-14-70t-39-57l43-43q32 32 51 75.5t19 94.5q0 50-19 93.5T650-310Zm113 113-43-43q46-46 73-107.5T820-480q0-71-26.5-132T720-720l43-43q54 55 85.5 127.5T880-480q0 83-31.5 155.5T763-197Z"/></svg>
				`@ -0,0 +1 @@`
				<svg fill="#edf230" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M109.912-150Q81-150 60.5-170.589 40-191.177 40-220.089 40-249 60.494-269.5t49.273-20.5q5.233 0 10.233.5 5 .5 13 2.5l200-200q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q371.177-580 400.089-580 429-580 449.5-559.366t20.5 49.61Q470-508 467-487l110 110q8-2 13-2.5t10-.5q5 0 10 .5t13 2.5l160-160q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q821.177-630 850.089-630 879-630 899.5-609.411q20.5 20.588 20.5 49.5Q920-531 899.506-510.5T850.233-490Q845-490 840-490.5q-5-.5-13-2.5L667-333q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q628.823-240 599.911-240 571-240 550.5-260.494T530-309.767q0-5.233.5-10.233.5-5 2.5-13L423-443q-8 2-13 2.5t-10.25.5q-1.75 0-22.75-3L177-243q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q138.823-150 109.912-150ZM160-592l-20.253-43.747L96-656l43.747-20.253L160-720l20.253 43.747L224-656l-43.747 20.253L160-592Zm440-51-30.717-66.283L503-740l66.283-30.717L600-837l30.717 66.283L697-740l-66.283 30.717L600-643Z"/></svg>