Merge commit from fork

Fixed web ssh security bug
2025-06-28 18:31:45 +02:00 · 2024-11-10 13:57:01 +08:00 · 2024-11-10 13:22:32 +08:00 · 2024-11-06 06:58:52 +08:00 · 2024-11-04 20:39:47 -05:00 · 2024-11-03 17:41:49 +08:00
574 changed files with 678082 additions and 75 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,39 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: "[BUG]"
 labels: bug
 assignees: ''
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screenshots**
 If applicable, add screenshots to help explain your problem.
 **Browser (if it is a bug appears on the UI section of the system):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Version [e.g. 22]
 **Host Environment (please complete the following information):**
 -  Arch: [e.g. arm64]
 - Device: [e.g. Bananapi R2 PRO]
 - OS: [e.g. Armbian]
 - Version [e.g.  23.02 Bullseye ]
 - Docker Version (if you are running Zoraxy in docker): [e.g. 3.0.4]
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,20 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: "[ENHANCEMENTS]"
 labels: enhancement
 assignees: ''
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/help-needed.md
+++ b/.github/ISSUE_TEMPLATE/help-needed.md
@ -0,0 +1,25 @@
 ---
 name: Help Needed
 about: Something went wrong but I don't know why
 title: "[HELP]"
 labels: help wanted
 assignees: ''
 ---
 **What happened?**
 A clear and concise description of what the problem is. Ex. I tried to create a proxy rule but it doesn't work. When I connects to my domain, I see [...]
 **Describe what have you tried**
 A clear and concise description of what you expect to see and what you have tried to debug it.
 **Describe the networking setup you are using**
 Here are some example, commonly asked questions from our maintainers: 
 - Are you using the docker build of Zoraxy? [yes (with docker setup & networking config attach) /no]
 - Your Zoraxy version? [e.g. 3.0.4]
 - Are you using Cloudflare? [yes/no]
 - Are your system hosted under a NAT router? [e.g. yes, with subnet is e.g. 192.168.0.0/24 and include port forwarding config if any]
 - DNS record (if any)
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -0,0 +1,43 @@
 name: Build and push Docker image
 on:
  release:
    types: [ published ]
 jobs:
  setup-build-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Setup building file structure
        run: |
          cp -lr $GITHUB_WORKSPACE/src/ $GITHUB_WORKSPACE/docker/
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./docker
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            zoraxydocker/zoraxy:latest
            zoraxydocker/zoraxy:${{ github.event.release.tag_name }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
--- a/.gitignore
+++ b/.gitignore
@ -27,4 +27,16 @@ src/conf/*
 src/ReverseProxy_*_*
 src/Zoraxy_*_*
 src/certs/*
-src/rules/*
+src/rules/*
 src/README.md
 docker/ContainerTester.sh
 docker/ImagePublisher.sh
 src/mod/acme/test/stackoverflow.pem
 /tools/dns_challenge_update/code-gen/acmedns
 /tools/dns_challenge_update/code-gen/lego
 src/tmp/localhost.key
 src/tmp/localhost.pem
 src/www/html/index.html
 src/sys.uuid
 src/zoraxy
 src/log/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -0,0 +1,280 @@
 # v3.1.2 03 Nov 2024
 + Added auto start port 80 listener on acme certificate generator
 + Added polling interval and propagation timeout option in ACME module [#300](https://github.com/tobychui/zoraxy/issues/300)
 + Added support for custom header variables [#318](https://github.com/tobychui/zoraxy/issues/318)
 + Added support for X-Remote-User 
 + Added port scanner [#342](https://github.com/tobychui/zoraxy/issues/342)
 + Optimized code base for stream proxy and config file storage [#320](https://github.com/tobychui/zoraxy/issues/320)
 + Removed sorting on cert list
 + Fixed request certificate button bug 
 + Fixed cert auto renew logic [#316](https://github.com/tobychui/zoraxy/issues/316)
 + Fixed unable to remove new stream proxy bug
 + Fixed many other minor bugs  [#328](https://github.com/tobychui/zoraxy/issues/328) [#297](https://github.com/tobychui/zoraxy/issues/297)
 + Added more code to SSO system (disabled in release)
 # v3.1.1. 09 Sep 2024
 + Updated country name in access list [#287](https://github.com/tobychui/zoraxy/issues/287)
 + Added tour for basic operations
 + Updated acme log to system wide logger implementation
 + Fixed path traversal in file manager [#274](https://github.com/tobychui/zoraxy/issues/274)
 + Removed Proxmox debug code
 + Fixed trie tree implementations
 **Thanks to all contributors**
 + Fix existing containers list in docker popup [7brend7](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3A7brend7)
 + Fix network I/O chart not rendering [JokerQyou](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3AJokerQyou)
 + Fix typo remvoeClass to removeClass [Aahmadsyamim](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3Aahmadsyamim)
 + Updated weighted random upstream implementation [bouroo](https://github.com/tobychui/zoraxy/issues?q=is%3Apr+author%3Abouroo)
 # v3.1.0 31 Jul 2024
 + Updated log viewer with filter and auto refresh [#243](https://github.com/tobychui/zoraxy/issues/243)
 + Fixed csrf vulnerability [#267](https://github.com/tobychui/zoraxy/issues/267)
 + Fixed promox issue
 + Fixed status code bug in upstream log [#254](https://github.com/tobychui/zoraxy/issues/254)
 + Added host overwrite and hop-by-hop header remover
 + Added early renew days settings [#256](https://github.com/tobychui/zoraxy/issues/256)
 + Updated make file to force no CGO in cicd process
 + Fixed bug in updater
 + Fixed wildcard certificate renew bug [#249](https://github.com/tobychui/zoraxy/issues/249)
 + Added certificate download function [#227](https://github.com/tobychui/zoraxy/issues/227)
 # v3.0.9 16 Jul 2024
 + Added certificate download [#227](https://github.com/tobychui/zoraxy/issues/227)
 + Updated netcup timeout value [#231](https://github.com/tobychui/zoraxy/issues/231)
 + Updated geoip db
 + Removed debug print from log viewer
 + Upgraded netstat log printing to new log formatter
 + Improved update module implementation
 # v3.0.8 15 Jul 2024
 + Added apache style logging mechanism (and build-in log viewer) [#218](https://github.com/tobychui/zoraxy/issues/218)
 + Fixed keep alive flushing issues [#235](https://github.com/tobychui/zoraxy/issues/235)
 + Added multi-upstream supports [#100](https://github.com/tobychui/zoraxy/issues/100)
 + Added stick session load balancer
 + Added weighted random load balancer
 + Added domain cleaning logic to domain / IP input fields
 + Added HSTS "include subdomain" auto injector
 + Added work-in-progress SSO / Oauth Server UI
 + Fixed uptime monitor not updating on proxy rule change bug
 + Optimized UI for create new proxy rule
 + Removed service expose proxy feature
 # v3.0.7 20 Jun 2024
 + Fixed redirection enable bug [#199](https://github.com/tobychui/zoraxy/issues/199)
 + Fixed header tool user agent rewrite sequence
 + Optimized rate limit UI
 + Added HSTS and Permission Policy Editor [#163](https://github.com/tobychui/zoraxy/issues/163)
 + Docker UX optimization start parameter `-docker`
 + Docker container selector implementation for conditional compilations for Windows
 From contributors:
 + Add Rate Limits Limits to Zoraxy fixes [185](https://github.com/tobychui/zoraxy/issues/185) by [Kirari04](https://github.com/Kirari04)
 + Add docker containers list to set rule by [7brend7](https://github.com/7brend7) [PR202](https://github.com/tobychui/zoraxy/pull/202)
 # v3.0.6 10 Jun 2024
 + Added fastly_client_ip to X-Real-IP auto rewrite
 + Added atomic accumulator to TCP proxy
 + Added white logo for future dark theme
 + Added multi selection for white / blacklist [#176](https://github.com/tobychui/zoraxy/issues/176)
 + Moved custom header rewrite to dpcore
 + Restructure dpcore header rewrite sequence
 + Added advance custom header settings (zoraxy to upstream and zoraxy to downstream mode)
 + Added header remove feature
 + Removed password requirement for SMTP [#162](https://github.com/tobychui/zoraxy/issues/162) [#80](https://github.com/tobychui/zoraxy/issues/80) 
 + Restructured TCP proxy into Stream Proxy (Support both TCP and UDP) [#147](https://github.com/tobychui/zoraxy/issues/147)
 + Added stream proxy auto start [#169](https://github.com/tobychui/zoraxy/issues/169)
 + Optimized UX for reminding user to click Apply after port change
 + Added version number to footer [#160](https://github.com/tobychui/zoraxy/issues/160)
 From contributors:
 + Fixed missing / unnecessary error check [PR187](https://github.com/tobychui/zoraxy/pull/187) by [Kirari04](https://github.com/Kirari04)
 # v3.0.5 May 26 2024
 + Optimized uptime monitor error message [#121](https://github.com/tobychui/zoraxy/issues/121)
 + Optimized detection logic for internal proxy target and header rewrite condition for HTTP_HOST [#164](https://github.com/tobychui/zoraxy/issues/164)
 + Fixed ovh DNS challenge provider form generator bug [#161](https://github.com/tobychui/zoraxy/issues/161)
 + Added permission policy module (not enabled)
 + Added single-use cookiejar to uptime monitor request client to handle cookie issues on some poorly written back-end server [#149](https://github.com/tobychui/zoraxy/issues/149)
 # v3.0.4 May 18 2024
 ## This release tidied up the contribution by [Teifun2](https://github.com/Teifun2) and added a new way to generate DNS challenge based certificate (e.g. wildcards) from Let's Encrypt without changing any environment variables. This also fixes a few previous ACME module EAB settings bug related to concurrent save.
 You can find the DNS challenge settings under TLS / SSL > ACME snippet > Generate New Certificate > (Check the "Use a DNS Challenge" checkbox)
 + Optimized DNS challenge implementation [thanks to Teifun2](https://github.com/Teifun2) / Issues [#49](https://github.com/tobychui/zoraxy/issues/49) [#79](https://github.com/tobychui/zoraxy/issues/79)
 + Removed dependencies on environment variable write and keep all data contained
 + Fixed panic on loading certificate generated by Zoraxy v2
 + Added automatic form generator for DNS challenge / providers
 + Added CA name default value
 + Added code generator for acmedns module (storing the DNS challenge provider contents extracted from lego)
 + Fixed ACME snippet "Obtain Certificate" concurrent issues in save EAB and DNS credentials
 # v3.0.3 Apr 30 2024
 ## Breaking Change
 For users using SMTP with older versions, you might need to update the settings by moving the domains (the part after @ in the username and domain setup field) into the username field.
 + Updated SMTP UI for non email login username [#129](https://github.com/tobychui/zoraxy/issues/129)
 + Fixed ACME cert store reload after cert request [#126](https://github.com/tobychui/zoraxy/issues/126)
 + Fixed default rule not applying to default site when default site is set to proxy target [#130](https://github.com/tobychui/zoraxy/issues/130)
 + Fixed blacklist-ip not working with CIDR bug
 + Fixed minor vdir bug in tailing slash detection and redirect logic
 + Added custom mdns name support (-mdnsname flag)
 + Added LAN tag in statistic [#131](https://github.com/tobychui/zoraxy/issues/131)
 # v3.0.2 Apr 24 2024
 + Added alias for HTTP proxy host names [#76](https://github.com/tobychui/zoraxy/issues/76)
 + Added separator support for create new proxy rules (use "," to add alias when creating new proxy rule)
 + Added HTTP proxy host based access rules [#69](https://github.com/tobychui/zoraxy/issues/69)
 + Added EAD Configuration for ACME (by [yeungalan](https://github.com/yeungalan)) [#45](https://github.com/tobychui/zoraxy/issues/45)
 + Fixed bug for bypassGlobalTLS endpoint do not support basic-auth
 + Fixed panic due to empty domain field in json config [#120](https://github.com/tobychui/zoraxy/issues/120)
 + Removed dependencies on management panel css for online font files
 # v3.0.1 Apr 04 2024
 ## Bugfixupdate for big release of V3, read update notes from V3 if you are still on V2
 + Added regex support for redirect (slow, don't use it unless you really needs it) [#42](https://github.com/tobychui/zoraxy/issues/42)
 + Added new dpcore implementations for faster proxy speed
 + Added support for CF-Connecting-IP to X-Real-IP auto rewrite [#114](https://github.com/tobychui/zoraxy/issues/114)
 + Added enable / disable of HTTP proxy rules in runtime via slider [#108](https://github.com/tobychui/zoraxy/issues/108)
 + Added better 404 page
 + Added option to bypass websocket origin check [#107](https://github.com/tobychui/zoraxy/issues/107)
 + Updated project homepage design
 + Fixed recursive port detection logic
 + Fixed UserAgent in resp bug
 + Updated minimum required Go version to v1.22 (Notes: Windows 7 support is dropped) [#112](https://github.com/tobychui/zoraxy/issues/112)
 # v3.0.0 Feb 18 2024
 ## IMPORTANT: V3 is a big rewrite and it is incompatible with V2! There is NO migration, if you want to stay on V2, please use V2 branch!
 + Added comments for whitelist [#97](https://github.com/tobychui/zoraxy/issues/97)
 + Added force-renew for certificates [#92](https://github.com/tobychui/zoraxy/issues/92)
 + Added automatic cert pick for multi-host certs (SNI)
 + Renamed .crt to .pem for cert store
 + Added best-fit selection for wildcard matching rules
 + Added x-proxy-by header / Added X-real-Ip header [#93](https://github.com/tobychui/zoraxy/issues/93)
 + Added Development Mode (Cache-Control: no-store)
 + Updated utm timeout to 10 seconds instead of 90
 + Added "Add controller as member" feature to Global Area Network editor
 + Added custom header
 + Deprecated aroz subservice support
 + Updated visuals, improving logical structure, less depressing colors [#95](https://github.com/tobychui/zoraxy/issues/95)
 + Added virtual directory into host routing object (each host now got its own sets of virtual directories)
 + Added support for wildcard host names (e.g. *.example.com)
 + Added best-fit selection for wildcard matching rules (e.g. *.a.example.com > *.example.com in routing)
 + Generalized root and hosts routing struct (no more conversion between runtime & save record object
 + Added "Default Site" to replace "Proxy Root" interface
 + Added Redirect & 404 page for "Default Site"
 # v2.6.8 Nov 25 2023
 + Added opt-out for subdomains for global TLS settings: See [release notes](https://github.com/tobychui/zoraxy/releases/tag/2.6.8)
 + Optimized subdomain / vdir editing interface
 + Added system-wide logger (Work in progress)
 + Fixed issue for uptime monitor bug [#77](https://github.com/tobychui/zoraxy/issues/77)
 + Changed default static web port to 5487 (prevent already in use)
 + Added automatic HTTP/2 to TLS mode
 + Bug fix for webserver autostart [67](https://github.com/tobychui/zoraxy/issues/67)
 # v2.6.7 Sep 26 2023
 + Added Static Web Server function [#56](https://github.com/tobychui/zoraxy/issues/56)
 + Web Directory Manager (see static webserver tab)
 + Added static web server and black / whitelist template [#38](https://github.com/tobychui/zoraxy/issues/38)
 + Added default / preferred CA features for ACME [#47](https://github.com/tobychui/zoraxy/issues/47)
 + Optimized TLS/SSL page and added dedicated section for ACME related features
 + Bugfixes [#61](https://github.com/tobychui/zoraxy/issues/61) [#58](https://github.com/tobychui/zoraxy/issues/58)
 # v2.6.6 Aug 30 2023
 + Added basic auth editor custom exception rules 
 + Fixed redirection bug under another reverse proxy and Apache location headers [#39](https://github.com/tobychui/zoraxy/issues/39)
 + Optimized memory usage (from 1.2GB to 61MB for low speed geoip lookup) [#52](https://github.com/tobychui/zoraxy/issues/52)
 + Added unset subdomain custom redirection feature [#46](https://github.com/tobychui/zoraxy/issues/46)
 + Fixed potential security issue in satori/go.uuid [#55](https://github.com/tobychui/zoraxy/issues/55)
 + Added custom ACME feature in backend, thx [@daluntw](https://github.com/daluntw)
 + Added bypass TLS check for custom acme server, thx [@daluntw](https://github.com/daluntw)
 + Introduce new start parameter `-fastgeoip=true`: see [release notes](https://github.com/tobychui/zoraxy/releases/tag/2.6.6)
 # v2.6.5.1 Jul 26 2023
 + Patch on memory leaking for Windows netstat module (do not effect any of the previous non Windows builds)
 + Fixed potential memory leak in ACME handler logic
 + Added "Do you want to get a TLS certificate for this subdomain?" dialogue when a new subdomain proxy rule is created
 # v2.6.5 Jul 19 2023
 + Added Import / Export-Feature 
 + Moved configuration files to a separate folder [#26](https://github.com/tobychui/zoraxy/issues/26)
 + Added auto-renew with ACME [#6](https://github.com/tobychui/zoraxy/issues/6)
 + Fixed Whitelistbug [#18](https://github.com/tobychui/zoraxy/issues/18)
 + Added Whois
 # v2.6.4 Jun 15 2023
 + Added force TLS v1.2 above toggle
 + Added trace route
 + Added ICMP ping
 + Added special routing rules module for up-coming ACME integration
 + Fixed IPv6 check bug in black/whitelist
 + Optimized UI for TCP Proxy
 # v2.6.3 Jun 8 2023
 + Added X-Forwarded-Proto for automatic proxy detector
 + Split blacklist and whitelist from geodb script file
 + Optimized compile binary size
 + Added access control to TCP proxy
 + Added "invalid config detect" in up time monitor for issue [#7](https://github.com/tobychui/zoraxy/issues/7)
 + Fixed minor bugs in advance stats panel
 + Reduced file size of embedded materials
 # v2.6.2 Jun 4 2023
 + Added advance stats operation tab
 + Added statistic reset [#13](https://github.com/tobychui/zoraxy/issues/13)
 + Added statistic export to csv and json (please use json)
 + Make subdomain clickable (not vdir) [#12](https://github.com/tobychui/zoraxy/issues/12)
 + Added TCP Proxy
 + Updates SMTP setup UI to make it more straight forward to setup
 # v2.6.1 May 31 2023
 + Added reverse proxy TLS skip verification
 + Added basic auth
 + Edit proxy settings
 + Whitelist
 + TCP Proxy (experimental)
 + Info (Utilities page)
 # v2.6 May 27 2023
 + Basic auth
 + Support TLS verification skip (for self signed certs)
 + Added trend analysis
 + Added referrer and file type analysis
 + Added cert expire day display
 + Moved subdomain proxy logic to dpcore
--- a/661
+++ b/661
@ -0,0 +1,661 @@
                    GNU AFFERO GENERAL PUBLIC LICENSE
                       Version 3, 19 November 2007
 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
                            Preamble
  The GNU Affero General Public License is a free, copyleft license for
 software and other kinds of works, specifically designed to ensure
 cooperation with the community in the case of network server software.
  The licenses for most software and other practical works are designed
 to take away your freedom to share and change the works.  By contrast,
 our General Public Licenses are intended to guarantee your freedom to
 share and change all versions of a program--to make sure it remains free
 software for all its users.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
  Developers that use our General Public Licenses protect your rights
 with two steps: (1) assert copyright on the software, and (2) offer
 you this License which gives you legal permission to copy, distribute
 and/or modify the software.
  A secondary benefit of defending all users' freedom is that
 improvements made in alternate versions of the program, if they
 receive widespread use, become available for other developers to
 incorporate.  Many developers of free software are heartened and
 encouraged by the resulting cooperation.  However, in the case of
 software used on network servers, this result may fail to come about.
 The GNU General Public License permits making a modified version and
 letting the public access it on a server without ever releasing its
 source code to the public.
  The GNU Affero General Public License is designed specifically to
 ensure that, in such cases, the modified source code becomes available
 to the community.  It requires the operator of a network server to
 provide the source code of the modified version running there to the
 users of that server.  Therefore, public use of a modified version, on
 a publicly accessible server, gives the public access to the source
 code of the modified version.
  An older license, called the Affero General Public License and
 published by Affero, was designed to accomplish similar goals.  This is
 a different license, not a version of the Affero GPL, but Affero has
 released a new version of the Affero GPL which permits relicensing under
 this license.
  The precise terms and conditions for copying, distribution and
 modification follow.
                       TERMS AND CONDITIONS
  0. Definitions.
  "This License" refers to version 3 of the GNU Affero General Public License.
  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
  "The Program" refers to any copyrightable work licensed under this
 License.  Each licensee is addressed as "you".  "Licensees" and
 "recipients" may be individuals or organizations.
  To "modify" a work means to copy from or adapt all or part of the work
 in a fashion requiring copyright permission, other than the making of an
 exact copy.  The resulting work is called a "modified version" of the
 earlier work or a work "based on" the earlier work.
  A "covered work" means either the unmodified Program or a work based
 on the Program.
  To "propagate" a work means to do anything with it that, without
 permission, would make you directly or secondarily liable for
 infringement under applicable copyright law, except executing it on a
 computer or modifying a private copy.  Propagation includes copying,
 distribution (with or without modification), making available to the
 public, and in some countries other activities as well.
  To "convey" a work means any kind of propagation that enables other
 parties to make or receive copies.  Mere interaction with a user through
 a computer network, with no transfer of a copy, is not conveying.
  An interactive user interface displays "Appropriate Legal Notices"
 to the extent that it includes a convenient and prominently visible
 feature that (1) displays an appropriate copyright notice, and (2)
 tells the user that there is no warranty for the work (except to the
 extent that warranties are provided), that licensees may convey the
 work under this License, and how to view a copy of this License.  If
 the interface presents a list of user commands or options, such as a
 menu, a prominent item in the list meets this criterion.
  1. Source Code.
  The "source code" for a work means the preferred form of the work
 for making modifications to it.  "Object code" means any non-source
 form of a work.
  A "Standard Interface" means an interface that either is an official
 standard defined by a recognized standards body, or, in the case of
 interfaces specified for a particular programming language, one that
 is widely used among developers working in that language.
  The "System Libraries" of an executable work include anything, other
 than the work as a whole, that (a) is included in the normal form of
 packaging a Major Component, but which is not part of that Major
 Component, and (b) serves only to enable use of the work with that
 Major Component, or to implement a Standard Interface for which an
 implementation is available to the public in source code form.  A
 "Major Component", in this context, means a major essential component
 (kernel, window system, and so on) of the specific operating system
 (if any) on which the executable work runs, or a compiler used to
 produce the work, or an object code interpreter used to run it.
  The "Corresponding Source" for a work in object code form means all
 the source code needed to generate, install, and (for an executable
 work) run the object code and to modify the work, including scripts to
 control those activities.  However, it does not include the work's
 System Libraries, or general-purpose tools or generally available free
 programs which are used unmodified in performing those activities but
 which are not part of the work.  For example, Corresponding Source
 includes interface definition files associated with source files for
 the work, and the source code for shared libraries and dynamically
 linked subprograms that the work is specifically designed to require,
 such as by intimate data communication or control flow between those
 subprograms and other parts of the work.
  The Corresponding Source need not include anything that users
 can regenerate automatically from other parts of the Corresponding
 Source.
  The Corresponding Source for a work in source code form is that
 same work.
  2. Basic Permissions.
  All rights granted under this License are granted for the term of
 copyright on the Program, and are irrevocable provided the stated
 conditions are met.  This License explicitly affirms your unlimited
 permission to run the unmodified Program.  The output from running a
 covered work is covered by this License only if the output, given its
 content, constitutes a covered work.  This License acknowledges your
 rights of fair use or other equivalent, as provided by copyright law.
  You may make, run and propagate covered works that you do not
 convey, without conditions so long as your license otherwise remains
 in force.  You may convey covered works to others for the sole purpose
 of having them make modifications exclusively for you, or provide you
 with facilities for running those works, provided that you comply with
 the terms of this License in conveying all material for which you do
 not control copyright.  Those thus making or running the covered works
 for you must do so exclusively on your behalf, under your direction
 and control, on terms that prohibit them from making any copies of
 your copyrighted material outside their relationship with you.
  Conveying under any other circumstances is permitted solely under
 the conditions stated below.  Sublicensing is not allowed; section 10
 makes it unnecessary.
  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
  No covered work shall be deemed part of an effective technological
 measure under any applicable law fulfilling obligations under article
 11 of the WIPO copyright treaty adopted on 20 December 1996, or
 similar laws prohibiting or restricting circumvention of such
 measures.
  When you convey a covered work, you waive any legal power to forbid
 circumvention of technological measures to the extent such circumvention
 is effected by exercising rights under this License with respect to
 the covered work, and you disclaim any intention to limit operation or
 modification of the work as a means of enforcing, against the work's
 users, your or third parties' legal rights to forbid circumvention of
 technological measures.
  4. Conveying Verbatim Copies.
  You may convey verbatim copies of the Program's source code as you
 receive it, in any medium, provided that you conspicuously and
 appropriately publish on each copy an appropriate copyright notice;
 keep intact all notices stating that this License and any
 non-permissive terms added in accord with section 7 apply to the code;
 keep intact all notices of the absence of any warranty; and give all
 recipients a copy of this License along with the Program.
  You may charge any price or no price for each copy that you convey,
 and you may offer support or warranty protection for a fee.
  5. Conveying Modified Source Versions.
  You may convey a work based on the Program, or the modifications to
 produce it from the Program, in the form of source code under the
 terms of section 4, provided that you also meet all of these conditions:
    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.
    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7.  This requirement modifies the requirement in section 4 to
    "keep intact all notices".
    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy.  This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged.  This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.
    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.
  A compilation of a covered work with other separate and independent
 works, which are not by their nature extensions of the covered work,
 and which are not combined with it such as to form a larger program,
 in or on a volume of a storage or distribution medium, is called an
 "aggregate" if the compilation and its resulting copyright are not
 used to limit the access or legal rights of the compilation's users
 beyond what the individual works permit.  Inclusion of a covered work
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.
  6. Conveying Non-Source Forms.
  You may convey a covered work in object code form under the terms
 of sections 4 and 5, provided that you also convey the
 machine-readable Corresponding Source under the terms of this License,
 in one of these ways:
    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.
    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.
    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source.  This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.
    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.
    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.
  A separable portion of the object code, whose source code is excluded
 from the Corresponding Source as a System Library, need not be
 included in conveying the object code work.
  A "User Product" is either (1) a "consumer product", which means any
 tangible personal property which is normally used for personal, family,
 or household purposes, or (2) anything designed or sold for incorporation
 into a dwelling.  In determining whether a product is a consumer product,
 doubtful cases shall be resolved in favor of coverage.  For a particular
 product received by a particular user, "normally used" refers to a
 typical or common use of that class of product, regardless of the status
 of the particular user or of the way in which the particular user
 actually uses, or expects or is expected to use, the product.  A product
 is a consumer product regardless of whether the product has substantial
 commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
  "Installation Information" for a User Product means any methods,
 procedures, authorization keys, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object
 code is in no case prevented or interfered with solely because
 modification has been made.
  If you convey an object code work under this section in, or with, or
 specifically for use in, a User Product, and the conveying occurs as
 part of a transaction in which the right of possession and use of the
 User Product is transferred to the recipient in perpetuity or for a
 fixed term (regardless of how the transaction is characterized), the
 Corresponding Source conveyed under this section must be accompanied
 by the Installation Information.  But this requirement does not apply
 if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has
 been installed in ROM).
  The requirement to provide Installation Information does not include a
 requirement to continue to provide support service, warranty, or updates
 for a work that has been modified or installed by the recipient, or for
 the User Product in which it has been modified or installed.  Access to a
 network may be denied when the modification itself materially and
 adversely affects the operation of the network or violates the rules and
 protocols for communication across the network.
  Corresponding Source conveyed, and Installation Information provided,
 in accord with this section must be in a format that is publicly
 documented (and with an implementation available to the public in
 source code form), and must require no special password or key for
 unpacking, reading or copying.
  7. Additional Terms.
  "Additional permissions" are terms that supplement the terms of this
 License by making exceptions from one or more of its conditions.
 Additional permissions that are applicable to the entire Program shall
 be treated as though they were included in this License, to the extent
 that they are valid under applicable law.  If additional permissions
 apply only to part of the Program, that part may be used separately
 under those permissions, but the entire Program remains governed by
 this License without regard to the additional permissions.
  When you convey a copy of a covered work, you may at your option
 remove any additional permissions from that copy, or from any part of
 it.  (Additional permissions may be written to require their own
 removal in certain cases when you modify the work.)  You may place
 additional permissions on material, added by you to a covered work,
 for which you have or can give appropriate copyright permission.
  Notwithstanding any other provision of this License, for material you
 add to a covered work, you may (if authorized by the copyright holders of
 that material) supplement the terms of this License with terms:
    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or
    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or
    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or
    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or
    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or
    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.
  All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
 governed by this License along with a term that is a further
 restriction, you may remove that term.  If a license document contains
 a further restriction but permits relicensing or conveying under this
 License, you may add to a covered work material governed by the terms
 of that license document, provided that the further restriction does
 not survive such relicensing or conveying.
  If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
 additional terms that apply to those files, or a notice indicating
 where to find the applicable terms.
  Additional terms, permissive or non-permissive, may be stated in the
 form of a separately written license, or stated as exceptions;
 the above requirements apply either way.
  8. Termination.
  You may not propagate or modify a covered work except as expressly
 provided under this License.  Any attempt otherwise to propagate or
 modify it is void, and will automatically terminate your rights under
 this License (including any patent licenses granted under the third
 paragraph of section 11).
  However, if you cease all violation of this License, then your
 license from a particular copyright holder is reinstated (a)
 provisionally, unless and until the copyright holder explicitly and
 finally terminates your license, and (b) permanently, if the copyright
 holder fails to notify you of the violation by some reasonable means
 prior to 60 days after the cessation.
  Moreover, your license from a particular copyright holder is
 reinstated permanently if the copyright holder notifies you of the
 violation by some reasonable means, this is the first time you have
 received notice of violation of this License (for any work) from that
 copyright holder, and you cure the violation prior to 30 days after
 your receipt of the notice.
  Termination of your rights under this section does not terminate the
 licenses of parties who have received copies or rights from you under
 this License.  If your rights have been terminated and not permanently
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.
  9. Acceptance Not Required for Having Copies.
  You are not required to accept this License in order to receive or
 run a copy of the Program.  Ancillary propagation of a covered work
 occurring solely as a consequence of using peer-to-peer transmission
 to receive a copy likewise does not require acceptance.  However,
 nothing other than this License grants you permission to propagate or
 modify any covered work.  These actions infringe copyright if you do
 not accept this License.  Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.
  10. Automatic Licensing of Downstream Recipients.
  Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
 propagate that work, subject to this License.  You are not responsible
 for enforcing compliance by third parties with this License.
  An "entity transaction" is a transaction transferring control of an
 organization, or substantially all assets of one, or subdividing an
 organization, or merging organizations.  If propagation of a covered
 work results from an entity transaction, each party to that
 transaction who receives a copy of the work also receives whatever
 licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the
 Corresponding Source of the work from the predecessor in interest, if
 the predecessor has it or can get it with reasonable efforts.
  You may not impose any further restrictions on the exercise of the
 rights granted or affirmed under this License.  For example, you may
 not impose a license fee, royalty, or other charge for exercise of
 rights granted under this License, and you may not initiate litigation
 (including a cross-claim or counterclaim in a lawsuit) alleging that
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.
  11. Patents.
  A "contributor" is a copyright holder who authorizes use under this
 License of the Program or a work on which the Program is based.  The
 work thus licensed is called the contributor's "contributor version".
  A contributor's "essential patent claims" are all patent claims
 owned or controlled by the contributor, whether already acquired or
 hereafter acquired, that would be infringed by some manner, permitted
 by this License, of making, using, or selling its contributor version,
 but do not include claims that would be infringed only as a
 consequence of further modification of the contributor version.  For
 purposes of this definition, "control" includes the right to grant
 patent sublicenses in a manner consistent with the requirements of
 this License.
  Each contributor grants you a non-exclusive, worldwide, royalty-free
 patent license under the contributor's essential patent claims, to
 make, use, sell, offer for sale, import and otherwise run, modify and
 propagate the contents of its contributor version.
  In the following three paragraphs, a "patent license" is any express
 agreement or commitment, however denominated, not to enforce a patent
 (such as an express permission to practice a patent or covenant not to
 sue for patent infringement).  To "grant" such a patent license to a
 party means to make such an agreement or commitment not to enforce a
 patent against the party.
  If you convey a covered work, knowingly relying on a patent license,
 and the Corresponding Source of the work is not available for anyone
 to copy, free of charge and under the terms of this License, through a
 publicly available network server or other readily accessible means,
 then you must either (1) cause the Corresponding Source to be so
 available, or (2) arrange to deprive yourself of the benefit of the
 patent license for this particular work, or (3) arrange, in a manner
 consistent with the requirements of this License, to extend the patent
 license to downstream recipients.  "Knowingly relying" means you have
 actual knowledge that, but for the patent license, your conveying the
 covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that
 country that you have reason to believe are valid.
  If, pursuant to or in connection with a single transaction or
 arrangement, you convey, or propagate by procuring conveyance of, a
 covered work, and grant a patent license to some of the parties
 receiving the covered work authorizing them to use, propagate, modify
 or convey a specific copy of the covered work, then the patent license
 you grant is automatically extended to all recipients of the covered
 work and works based on it.
  A patent license is "discriminatory" if it does not include within
 the scope of its coverage, prohibits the exercise of, or is
 conditioned on the non-exercise of one or more of the rights that are
 specifically granted under this License.  You may not convey a covered
 work if you are a party to an arrangement with a third party that is
 in the business of distributing software, under which you make payment
 to the third party based on the extent of your activity of conveying
 the work, and under which the third party grants, to any of the
 parties who would receive the covered work from you, a discriminatory
 patent license (a) in connection with copies of the covered work
 conveyed by you (or copies made from those copies), or (b) primarily
 for and in connection with specific products or compilations that
 contain the covered work, unless you entered into that arrangement,
 or that patent license was granted, prior to 28 March 2007.
  Nothing in this License shall be construed as excluding or limiting
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.
  12. No Surrender of Others' Freedom.
  If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot convey a
 covered work so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you may
 not convey it at all.  For example, if you agree to terms that obligate you
 to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
  13. Remote Network Interaction; Use with the GNU General Public License.
  Notwithstanding any other provision of this License, if you modify the
 Program, your modified version must prominently offer all users
 interacting with it remotely through a computer network (if your version
 supports such interaction) an opportunity to receive the Corresponding
 Source of your version by providing access to the Corresponding Source
 from a network server at no charge, through some standard or customary
 means of facilitating copying of software.  This Corresponding Source
 shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
 under version 3 of the GNU General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
 but the work with which it is combined will remain governed by version
 3 of the GNU General Public License.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
 the GNU Affero General Public License from time to time.  Such new versions
 will be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
  Each version is given a distinguishing version number.  If the
 Program specifies that a certain numbered version of the GNU Affero General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
 GNU Affero General Public License, you may choose any version ever published
 by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
 versions of the GNU Affero General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
  Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
 author or copyright holder as a result of your choosing to follow a
 later version.
  15. Disclaimer of Warranty.
  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
 OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
 THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
 IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  16. Limitation of Liability.
  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
 THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
 GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
 USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
 DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
 EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGES.
  17. Interpretation of Sections 15 and 16.
  If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
 reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published
    by the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.
    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
  If your software can interact with users remotely through a computer
 network, you should also make sure that it provides a way for users to
 get its source.  For example, if your program is a web application, its
 interface could display a "Source" link that leads users to an archive
 of the code.  There are many ways you could offer source, and different
 solutions will be better for different programs; see section 13 for the
 specific requirements.
  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see
 <https://www.gnu.org/licenses/>.
--- a/README.md
+++ b/README.md
@ -2,40 +2,73 @@
 # Zoraxy
-General purpose request (reverse) proxy and forwarding tool for low power devices. Now written in Go!
+A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
 ### Features
 - Simple to use interface with detail in-system instructions
- Reverse Proxy
+- Reverse Proxy (HTTP/2)
-  
+  - Virtual Directory
-  - Subdomain Reverse Proxy
+  - WebSocket Proxy (automatic, no set-up needed) 
-  
+  - Basic Auth
-  - Virtual Directory Reverse Proxy
+  - Alias Hostnames
  - Custom Headers
 - Redirection Rules
 - TLS / SSL setup and deploy
- Blacklist by country or IP address (single IP, CIDR or wildcard for beginners)
+  - ACME features like auto-renew to serve your sites in http**s**
  - SNI support (and SAN certs)
  - DNS Challenge for Let's Encrypt and [these DNS providers](https://go-acme.github.io/lego/dns/)
 - Blacklist / Whitelist by country or IP address (single IP, CIDR or wildcard for beginners)
 - Global Area Network Controller Web UI (ZeroTier not included)
 - Stream Proxy (TCP & UDP)
 - Integrated Up-time Monitor
 - Web-SSH Terminal
 - Utilities
  - CIDR IP converters
  - mDNS Scanner
  - Wake-On-Lan
  - Debug Forward Proxy
  - IP Scanner
 - Others
  - Basic single-admin management mode
  - External permission management system for easy system integration
  - SMTP config for password reset
-  
+
 ## Downloads
 [Windows](https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_windows_amd64.exe)
 / [Linux (amd64)](https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_amd64)
 / [Linux (arm64)](https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_arm64)
 For other systems or architectures, please see [Releases](https://github.com/tobychui/zoraxy/releases/latest/) 
 ## Getting Started
 [Installing Zoraxy Reverse Proxy: Your Gateway to Efficient Web Routing](https://geekscircuit.com/installing-zoraxy-reverse-proxy-your-gateway-to-efficient-web-routing/)
 Thank you for the well written and easy to follow tutorial by Reddit user [itsvmn](https://www.reddit.com/user/itsvmn/)! 
 If you have no background in setting up reverse proxy or web routing, you should check this out before you start setting up your Zoraxy. 
 ## Build from Source
 Requires Go 1.23 or higher
 ```bash
 git clone https://github.com/tobychui/zoraxy
 cd ./zoraxy/src/
 go mod tidy
 go build
 sudo ./zoraxy -port=:8000
 ```
 ## Usage
-Zoraxy provide basic authentication system for standalone mode. To use it in standalone mode, follow the instruction below for your desired deployment platform.
+Zoraxy provides basic authentication system for standalone mode. To use it in standalone mode, follow the instructions below for your desired deployment platform.
 ### Standalone Mode
-Standalone mode is the default mode for Zoraxy. This allow single account to manage your reverse proxy server just like a home router. This mode is suitable for new owners for homelab or makers start growing their web services into multiple servers.
+Standalone mode is the default mode for Zoraxy. This allows a single account to manage your reverse proxy server just like a basic home router. This mode is suitable for new owners to homelabs or makers starting growing their web services into multiple servers. A full "Getting Started" guide can be found [here](https://github.com/tobychui/zoraxy/wiki/Getting-Started).
 #### Linux
@ -49,111 +82,113 @@ Download the binary executable and double click the binary file to start it.
 #### Raspberry Pi
-The installation method is same as Linux. If you are using Raspberry Pi 4 or newer models, pick the arm64 release. For older version of Pis, use the arm (armv6) version instead.
+The installation method is same as Linux. If you are using a Raspberry Pi 4 or newer models, pick the arm64 release. For older version of Pis, use the arm (armv6) version instead.
 #### Other ARM SBCs or Android phone with Termux
 The installation method is same as Linux. For other ARM SBCs, please refer to your SBC's CPU architecture and pick the one that is suitable for your device. 
 #### Docker
 See the [/docker](https://github.com/tobychui/zoraxy/tree/main/docker) folder for more details.
 ### Start Parameters
 ```
 Usage of zoraxy:
  -autorenew int
        ACME auto TLS/SSL certificate renew check interval (seconds) (default 86400)
  -cfgupgrade
        Enable auto config upgrade if breaking change is detected (default true)
  -docker
        Run Zoraxy in docker compatibility mode
  -fastgeoip
        Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices)
  -mdns
        Enable mDNS scanner and transponder (default true)
  -mdnsname string
        mDNS name, leave empty to use default (zoraxy_{node-uuid}.local)
  -noauth
        Disable authentication for management interface
  -port string
        Management web interface listening port (default ":8000")
  -sshlb
        Allow loopback web ssh connection (DANGER)
  -version
        Show version of this server
  -webfm
        Enable web file manager for static web server root folder (default true)
  -webroot string
        Static web server root folder. Only allow change in start parameters (default "./www")
  -ztauth string
        ZeroTier authtoken for the local node
  -ztport int
        ZeroTier controller API port (default 9993)
 ```
 ### External Permission Management Mode
-If you already have a up-stream reverse proxy server in place with permission management, you can use Zoraxy in noauth mode. To enable noauth mode, start Zoraxy with the following flag
+If you already have an upstream reverse proxy server in place with permission management, you can use Zoraxy in noauth mode. To enable noauth mode, start Zoraxy with the following flag:
 ```bash
 ./zoraxy -noauth=true
 ```
-*Note: For security reaons, you should only enable no-auth if you are running Zoraxy in a trusted environment or with another authentication management proxy in front.*
+*Note: For security reasons, you should only enable no-auth if you are running Zoraxy in a trusted environment or with another authentication management proxy in front.*
 #### Use with ArozOS
 [ArozOS ](https://arozos.com)subservice is a build in permission managed reverse proxy server. To use zoraxy with arozos, connect to your arozos host via ssh and use the following command to install zoraxy
 ```bash
 # cd into your arozos subservice folder. Sometime it is under ~/arozos/src/subservice
 cd ~/arozos/subservices
 mkdir zoraxy
 cd ./zoraxy
 # Download the release binary from Github release
 wget {binary executable link from release page}
 # Set permission. Change this if required
 sudo chmod 775 -R ./
 # Start zoraxy to see if the downloaded arch is correct.
 ./zoraxy
 # After the unzip done, press Ctrl + C to kill it
 # Rename it to valid arozos subservice binary format
 mv ./zoraxy zoraxy_linux_amd64
 # If you are using SBCs with different CPU arch, use the following names
 # mv ./zoraxy zoraxy_linux_arm
 # mv ./zoraxy zoraxy_linux_arm64
 # Restart arozos
 sudo systemctl restart arozos
 ```
 To start the module, go to System Settings > Modules > Subservice and enable it in the menu. You should be able to see a new module named "Zoraxy" pop up in the start menu.
 ## Screenshots
 ![](img/screenshots/0_1.png)
 ![](img/screenshots/0_2.png)
 ![](img/screenshots/1.png)
 ![](img/screenshots/2.png)
-![](img/screenshots/3.png)
+More screenshots on the wikipage [Screenshots](https://github.com/tobychui/zoraxy/wiki/Screenshots)!
-![](img/screenshots/4.png)
+## FAQ
-![](img/screenshots/5.png)
+There is a wikipage with [Frequently-Asked-Questions](https://github.com/tobychui/zoraxy/wiki/FAQ---Frequently-Asked-Questions)!
 ![](img/screenshots/7.png)
 ![](img/screenshots/8.png)
 ![](img/screenshots/9.png)
 ![](img/screenshots/10_1.png)
 ![](img/screenshots/10_2.png)
 ## Global Area Network Controller
 This project also compatible with [ZeroTier](https://www.zerotier.com/). However, due to licensing issues, ZeroTier is not included in the binary. 
-Assuming you already have a valid license, to use Zoraxy with ZeroTier, install ZeroTier on your host and then run Zoraxy in sudo mode (or Run As Administrator if you are on Windows). The program will automatically grab the authtoken at correct location in your host.
+To use Zoraxy with ZeroTier, assuming you already have a valid license, install ZeroTier on your host and then run Zoraxy in sudo mode (or Run As Administrator if you are on Windows). The program will automatically grab the authtoken in the correct location on your host.
-If you prefer not to run Zoraxy in sudo mode or you have some wierd installation profile, you can also pass in the ZeroTier auth token using the following flags
+If you prefer not to run Zoraxy in sudo mode or you have some weird installation profile, you can also pass in the ZeroTier auth token using the following flags::
-```
+```bash
 ./zoraxy -ztauth="your_zerotier_authtoken" -ztport=9993
 ```
 The ZeroTier auth token can usually be found at ```/var/lib/zerotier-one/authtoken.secret``` or ```C:\ProgramData\ZeroTier\One\authtoken.secret```. 
-This allows you to have infinite number of network members in your Global Area Network controller. For more technical details, see [here](https://docs.zerotier.com/self-hosting/network-controllers/).
+This allows you to have an infinite number of network members in your Global Area Network controller. For more technical details, see [here](https://docs.zerotier.com/self-hosting/network-controllers/).
-## Web.SSH
+## Web SSH
-Web SSH currently only support Linux based OS.
+Web SSH currently only supports Linux based OSes. The following platforms are supported:
-### Loopback Connection 
+- linux/amd64
 - linux/arm64
 - linux/armv6 (experimental)
 - linux/386 (experimental)
-Loopback web ssh connection, by default, is disabled. This means that if you are trying to connect to address like 127.0.0.1 or localhost, the system will reject your connection due to security issues. To enable loopback for testing or development purpose, use the following flags to override the loopback checking.
+### Loopback Connection
-```
+Loopback web SSH connection, by default, is disabled. This means that if you are trying to connect to an address like 127.0.0.1 or localhost, the system will reject your connection for security reasons. To enable loopback for testing or development purpose, use the following flags to override the loopback checking:
 ```bash
 ./zoraxy -sshlb=true
 ```
 ## Sponsor This Project
 If you like the project and want to support us, please consider a donation. You can use the links below
 - [tobychui (Primary author)](https://paypal.me/tobychui)
 - PassiveLemon (Docker compatibility maintainer)
 ## License
-This Github repo is for storing the release binary and collecting issue only. **This project is not open source and the provided binaries are for function review purpose only.** For business users, please contact toby@imuslab.com for commercial licensing details.
+This project is open-sourced under AGPL. I open-sourced this project so everyone can check for security issues and benefit all users. **This software is intended to be free of charge. If you have acquired this software from a third-party seller, the authors of this repository bears no responsibility for any technical difficulties assistance or support.**
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -0,0 +1,66 @@
 FROM docker.io/golang:alpine AS build-zoraxy
 RUN mkdir -p /opt/zoraxy/source/ &&\
    mkdir -p /usr/local/bin/
 # If you build it yourself, you will need to add the src directory into the docker directory.
 COPY ./src/ /opt/zoraxy/source/
 WORKDIR /opt/zoraxy/source/
 RUN go mod tidy &&\
    go build -o /usr/local/bin/zoraxy &&\
    chmod 755 /usr/local/bin/zoraxy
 FROM docker.io/ubuntu:latest AS build-zerotier
 RUN mkdir -p /opt/zerotier/source/ &&\
    mkdir -p /usr/local/bin/
 WORKDIR /opt/zerotier/source/
 RUN apt-get update -y &&\
    apt-get install -y curl jq build-essential pkg-config clang cargo libssl-dev
 RUN curl -Lo ZeroTierOne.tar.gz https://codeload.github.com/zerotier/ZeroTierOne/tar.gz/refs/tags/1.10.6 &&\
    tar -xzvf ZeroTierOne.tar.gz &&\
    cd ZeroTierOne-* &&\
    make &&\
    mv ./zerotier-one /usr/local/bin/zerotier-one &&\
    chmod 755 /usr/local/bin/zerotier-one
 FROM docker.io/ubuntu:latest
 RUN apt-get update -y &&\
    apt-get install -y bash sudo netcat-openbsd libssl-dev ca-certificates
 COPY --chmod=700 ./entrypoint.sh /opt/zoraxy/
 COPY --from=build-zoraxy /usr/local/bin/zoraxy /usr/local/bin/zoraxy
 COPY --from=build-zerotier /usr/local/bin/zerotier-one /usr/local/bin/zerotier-one
 WORKDIR /opt/zoraxy/config/
 ENV ZEROTIER="false"
 ENV AUTORENEW="86400"
 ENV CFGUPGRADE="true"
 ENV DOCKER="true"
 ENV EARLYRENEW="30"
 ENV FASTGEOIP="false"
 ENV MDNS="true"
 ENV MDNSNAME="''"
 ENV NOAUTH="false"
 ENV PORT="8000"
 ENV SSHLB="false"
 ENV VERSION="false"
 ENV WEBFM="true"
 ENV WEBROOT="./www"
 ENV ZTAUTH=""
 ENV ZTPORT="9993"
 VOLUME [ "/opt/zoraxy/config/", "/var/lib/zerotier-one/" ]
 ENTRYPOINT [ "/opt/zoraxy/entrypoint.sh" ]
 HEALTHCHECK --interval=15s --timeout=5s --start-period=10s --retries=3 CMD nc -vz 127.0.0.1 $PORT || exit 1
--- a/docker/README.md
+++ b/docker/README.md
@ -0,0 +1,98 @@
 # Zoraxy Docker
 [![Repo](https://img.shields.io/badge/Docker-Repo-007EC6?labelColor-555555&color-007EC6&logo=docker&logoColor=fff&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
 [![Version](https://img.shields.io/docker/v/zoraxydocker/zoraxy/latest?labelColor-555555&color-007EC6&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
 [![Size](https://img.shields.io/docker/image-size/zoraxydocker/zoraxy/latest?sort=semver&labelColor-555555&color-007EC6&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
 [![Pulls](https://img.shields.io/docker/pulls/zoraxydocker/zoraxy?labelColor-555555&color-007EC6&style=flat-square)](https://hub.docker.com/r/zoraxydocker/zoraxy)
 ## Usage
 If you are attempting to access your service from outside your network, make sure to forward ports 80 and 443 to the Zoraxy host to allow web traffic. If you know how to do this, great! If not, find the manufacturer of your router and search on how to do that. There are too many to be listed here. Read more about it from [whatismyip](https://www.whatismyip.com/port-forwarding/).
 In the examples below, make sure to update `/path/to/zoraxy/config/` with your actual path. If a path is not provided, a Docker volume will be created at the location but it is recommended to store the data at a defined host location.
 Once setup, access the webui at `http://<host-ip>:8000` to configure Zoraxy. Change the port in the URL if you changed the management port.
 ### Docker Run
 ```
 docker run -d \
  --name zoraxy \
  --restart unless-stopped \
  -p 80:80 \
  -p 443:443 \
  -p 8000:8000 \
  -v /path/to/zoraxy/config/:/opt/zoraxy/config/ \
  -v /path/to/zerotier/config/:/var/lib/zerotier-one/ \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /etc/localtime:/etc/localtime \
  -e FASTGEOIP="true" \
  -e ZEROTIER="true" \
  zoraxydocker/zoraxy:latest
 ```
 ### Docker Compose
 ```yml
 services:
  zoraxy:
    image: zoraxydocker/zoraxy:latest
    container_name: zoraxy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8000:8000
    volumes:
      - /path/to/zoraxy/config/:/opt/zoraxy/config/
      - /path/to/zerotier/config/:/var/lib/zerotier-one/
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime
    environment:
      FASTGEOIP: "true"
      ZEROTIER: "true"
 ```
 ### Ports
 | Port | Details |
 |:-|:-|
 | `80` | HTTP traffic. |
 | `443` | HTTPS traffic. |
 | `8000` | Management interface. Can be changed with the `PORT` env. |
 ### Volumes
 | Volume | Details |
 |:-|:-|
 | `/opt/zoraxy/config/` | Zoraxy configuration. |
 | `/var/lib/zerotier-one/` | ZeroTier configuration. Only required if you wish to use ZeroTier. |
 | `/var/run/docker.sock` | Docker socket. Used for additional functionality with Zoraxy. |
 | `/etc/localtime` | Localtime. Set to ensure the host and container are synchronized. |
 ### Environment
 Variables are the same as those in [Start Parameters](https://github.com/tobychui/zoraxy?tab=readme-ov-file#start-paramters).
 | Variable | Default | Details |
 |:-|:-|:-|
 | `AUTORENEW` | `86400` (Integer) | ACME auto TLS/SSL certificate renew check interval. |
 | `CFGUPGRADE` | `true` (Boolean) | Enable auto config upgrade if breaking change is detected. |
 | `DOCKER` | `true` (Boolean) | Run Zoraxy in docker compatibility mode. |
 | `EARLYRENEW` | `30` (Integer) | Number of days to early renew a soon expiring certificate. |
 | `FASTGEOIP` | `false`  (Boolean) | Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices). |
 | `MDNS` | `true` (Boolean) | Enable mDNS scanner and transponder. |
 | `MDNSNAME` | `''` (String) | mDNS name, leave empty to use default (zoraxy_{node-uuid}.local). |
 | `NOAUTH` | `false` (Boolean) | Disable authentication for management interface. |
 | `PORT` | `8000` (Integer) | Management web interface listening port |
 | `SSHLB` | `false` (Boolean) | Allow loopback web ssh connection (DANGER). |
 | `VERSION` | `false` (Boolean) | Show version of this server. |
 | `WEBFM` | `true` (Boolean) | Enable web file manager for static web server root folder. |
 | `WEBROOT` | `./www` (String) | Static web server root folder. Only allow change in start parameters. |
 | `ZEROTIER` | `false` (Boolean) | Enable ZeroTier functionality for GAN. |
 | `ZTAUTH` | `""` (String) | ZeroTier authtoken for the local node. |
 | `ZTPORT` | `9993` (Integer) | ZeroTier controller API port. |
 > [!IMPORTANT]
 > Contrary to the Zoraxy README, Docker usage of the port flag should NOT include the colon. Ex: `-e PORT="8000"` for Docker run and `PORT: "8000"` for Docker compose.
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -0,0 +1,28 @@
 #!/usr/bin/env bash
 update-ca-certificates
 echo "CA certificates updated"
 if [ "$ZEROTIER" = "true" ]; then
  zerotier-one -d
  echo "ZeroTier daemon started"
 fi
 echo "Starting Zoraxy..."
 exec zoraxy \
  -autorenew="$AUTORENEW" \
  -cfgupgrade="$CFGUPGRADE" \
  -docker="$DOCKER" \
  -earlyrenew="$EARLYRENEW" \
  -fastgeoip="$FASTGEOIP" \
  -mdns="$MDNS" \
  -mdnsname="$MDNSNAME" \
  -noauth="$NOAUTH" \
  -port=:"$PORT" \
  -sshlb="$SSHLB" \
  -version="$VERSION" \
  -webfm="$WEBFM" \
  -webroot="$WEBROOT" \
  -ztauth="$ZTAUTH" \
  -ztport="$ZTPORT"
--- a/docs/CNAME
+++ b/docs/CNAME
@ -0,0 +1 @@
 zoraxy.aroz.org
--- a/docs/favicon.png
+++ b/docs/favicon.png
--- a/docs/img/icon.png
+++ b/docs/img/icon.png
--- a/docs/img/icons/awesome.svg
+++ b/docs/img/icons/awesome.svg
@ -0,0 +1 @@
 <svg class="item-icon"  xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="m772-635-43-100-104-46 104-45 43-95 43 95 104 45-104 46-43 100Zm0 595-43-96-104-45 104-45 43-101 43 101 104 45-104 45-43 96ZM333-194l-92-197-201-90 201-90 92-196 93 196 200 90-200 90-93 197Zm0-148 48-96 98-43-98-43-48-96-47 96-99 43 99 43 47 96Zm0-139Z"/></svg>
--- a/docs/img/icons/blacklist.svg
+++ b/docs/img/icons/blacklist.svg
@ -0,0 +1 @@
 <svg fill="#ff7a7a" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M280-453h400v-60H280v60ZM480-80q-82 0-155-31.5t-127.5-86Q143-252 111.5-325T80-480q0-83 31.5-156t86-127Q252-817 325-848.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82-31.5 155T763-197.5q-54 54.5-127 86T480-80Zm0-60q142 0 241-99.5T820-480q0-142-99-241t-241-99q-141 0-240.5 99T140-480q0 141 99.5 240.5T480-140Zm0-340Z"/></svg>
--- a/docs/img/icons/code.svg
+++ b/docs/img/icons/code.svg
@ -0,0 +1 @@
 <svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M320-242 80-482l242-242 43 43-199 199 197 197-43 43Zm318 2-43-43 199-199-197-197 43-43 240 240-242 242Z"/></svg>
--- a/docs/img/icons/gan.svg
+++ b/docs/img/icons/gan.svg
@ -0,0 +1 @@
 <svg fill="#919191" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M120-80v-270h120v-160h210v-100H330v-270h300v270H510v100h210v160h120v270H540v-270h120v-100H300v100h120v270H120Zm270-590h180v-150H390v150ZM180-140h180v-150H180v150Zm420 0h180v-150H600v150ZM480-670ZM360-290Zm240 0Z"/></svg>
--- a/docs/img/icons/home.svg
+++ b/docs/img/icons/home.svg
@ -0,0 +1 @@
 <svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M220-180h150v-250h220v250h150v-390L480-765 220-570v390Zm-60 60v-480l320-240 320 240v480H530v-250H430v250H160Zm320-353Z"/></svg>
--- a/docs/img/icons/plugin.svg
+++ b/docs/img/icons/plugin.svg
@ -0,0 +1 @@
 <svg  class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M356-120H180q-24 0-42-18t-18-42v-176q44-5 75.5-34.5T227-463q0-43-31.5-72.5T120-570v-176q0-24 18-42t42-18h177q11-40 39.5-67t68.5-27q40 0 68.5 27t39.5 67h173q24 0 42 18t18 42v173q40 11 65.5 41.5T897-461q0 40-25.5 67T806-356v176q0 24-18 42t-42 18H570q-5-48-35.5-77.5T463-227q-41 0-71.5 29.5T356-120Zm-176-60h130q25-61 69.888-84 44.888-23 83-23T546-264q45 23 70 84h130v-235h45q20 0 33-13t13-33q0-20-13-33t-33-13h-45v-239H511v-48q0-20-13-33t-33-13q-20 0-33 13t-13 33v48H180v130q48.15 17.817 77.575 59.686Q287-514.445 287-462.777 287-412 257.5-370T180-310v130Zm329-330Z"/></svg>
--- a/docs/img/icons/proxy.svg
+++ b/docs/img/icons/proxy.svg
@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48" fill="#fcba03"><path d="M273-160 80-353l193-193 42 42-121 121h316v60H194l121 121-42 42Zm414-254-42-42 121-121H450v-60h316L645-758l42-42 193 193-193 193Z"/></svg>
--- a/docs/img/icons/redirect.svg
+++ b/docs/img/icons/redirect.svg
@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" fill="#0388fc" height="48" viewBox="0 -960 960 960" width="48"><path d="M700-160v-410H275l153 153-42 43-226-226 226-226 42 42-153 154h485v470h-60Z"/></svg>
--- a/docs/img/icons/scan.svg
+++ b/docs/img/icons/scan.svg
@ -0,0 +1 @@
 <svg fill="#83f2c4" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M197-197q-54-54-85.5-126.5T80-480q0-84 31.5-156.5T197-763l43 43q-46 46-73 107.5T140-480q0 71 26.5 132T240-240l-43 43Zm113-113q-32-32-51-75.5T240-480q0-51 19-94.5t51-75.5l43 43q-24 24-38.5 56.5T300-480q0 38 14 70t39 57l-43 43Zm170-90q-33 0-56.5-23.5T400-480q0-33 23.5-56.5T480-560q33 0 56.5 23.5T560-480q0 33-23.5 56.5T480-400Zm170 90-43-43q24-24 38.5-56.5T660-480q0-38-14-70t-39-57l43-43q32 32 51 75.5t19 94.5q0 50-19 93.5T650-310Zm113 113-43-43q46-46 73-107.5T820-480q0-71-26.5-132T720-720l43-43q54 55 85.5 127.5T880-480q0 83-31.5 155.5T763-197Z"/></svg>
--- a/docs/img/icons/screenshots.svg
+++ b/docs/img/icons/screenshots.svg
@ -0,0 +1 @@
 <svg class="item-icon"  xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M345-377h391L609-548 506-413l-68-87-93 123Zm-85 177q-24 0-42-18t-18-42v-560q0-24 18-42t42-18h560q24 0 42 18t18 42v560q0 24-18 42t-42 18H260Zm0-60h560v-560H260v560ZM140-80q-24 0-42-18t-18-42v-620h60v620h620v60H140Zm120-740v560-560Z"/></svg>
--- a/docs/img/icons/stats.svg
+++ b/docs/img/icons/stats.svg
@ -0,0 +1 @@
 <svg fill="#edf230" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M109.912-150Q81-150 60.5-170.589 40-191.177 40-220.089 40-249 60.494-269.5t49.273-20.5q5.233 0 10.233.5 5 .5 13 2.5l200-200q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q371.177-580 400.089-580 429-580 449.5-559.366t20.5 49.61Q470-508 467-487l110 110q8-2 13-2.5t10-.5q5 0 10 .5t13 2.5l160-160q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q821.177-630 850.089-630 879-630 899.5-609.411q20.5 20.588 20.5 49.5Q920-531 899.506-510.5T850.233-490Q845-490 840-490.5q-5-.5-13-2.5L667-333q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q628.823-240 599.911-240 571-240 550.5-260.494T530-309.767q0-5.233.5-10.233.5-5 2.5-13L423-443q-8 2-13 2.5t-10.25.5q-1.75 0-22.75-3L177-243q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q138.823-150 109.912-150ZM160-592l-20.253-43.747L96-656l43.747-20.253L160-720l20.253 43.747L224-656l-43.747 20.253L160-592Zm440-51-30.717-66.283L503-740l66.283-30.717L600-837l30.717 66.283L697-740l-66.283 30.717L600-643Z"/></svg>
--- a/docs/img/icons/terminal.svg
+++ b/docs/img/icons/terminal.svg
@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M140-160q-24 0-42-18t-18-42v-520q0-24 18-42t42-18h680q24 0 42 18t18 42v520q0 24-18 42t-42 18H140Zm0-60h680v-436H140v436Zm160-72-42-42 103-104-104-104 43-42 146 146-146 146Zm190 4v-60h220v60H490Z"/></svg>
--- a/docs/img/logo.png
+++ b/docs/img/logo.png
--- a/docs/img/og.png
+++ b/docs/img/og.png
--- a/docs/img/og.psd
+++ b/docs/img/og.psd
--- a/docs/img/screenshots/1.png
+++ b/docs/img/screenshots/1.png
--- a/docs/img/screenshots/10.png
+++ b/docs/img/screenshots/10.png
--- a/docs/img/screenshots/2.png
+++ b/docs/img/screenshots/2.png
--- a/docs/img/screenshots/3.png
+++ b/docs/img/screenshots/3.png
--- a/docs/img/screenshots/4.png
+++ b/docs/img/screenshots/4.png
--- a/docs/img/screenshots/5.png
+++ b/docs/img/screenshots/5.png
--- a/docs/img/screenshots/6.png
+++ b/docs/img/screenshots/6.png
--- a/docs/img/screenshots/7.png
+++ b/docs/img/screenshots/7.png
--- a/docs/img/screenshots/8.png
+++ b/docs/img/screenshots/8.png
--- a/docs/img/screenshots/9.png
+++ b/docs/img/screenshots/9.png
--- a/docs/img/title.png
+++ b/docs/img/title.png
--- a/docs/img/title.psd
+++ b/docs/img/title.psd
--- a/docs/index.html
+++ b/docs/index.html
@ -0,0 +1,386 @@
 <!DOCTYPE html>
 <html lang="en">
  <head>
    <meta charset="utf-8">
    <meta content="width=device-width, initial-scale=1.0" name="viewport">
    <meta content="Reverse Proxy, Cluster, Gateway, Go, Homelab, Network Tools" name="keywords">
    <meta content="A reverse proxy server and cluster network gateway for noobs" name="description">
    <meta name="author" content="tobychui">
    <!-- HTML Meta Tags -->
    <title>Reverse Proxy Server | Zoraxy</title>
    <meta name="description" content="A reverse proxy server and cluster network gateway for noobs">
    <!-- Facebook Meta Tags -->
    <meta property="og:url" content="https://zoraxy.aroz.org/">
    <meta property="og:type" content="website">
    <meta property="og:title" content="Cluster Proxy Gateway | Zoraxy">
    <meta property="og:description" content="A reverse proxy server and cluster network gateway for noobs">
    <meta property="og:image" content="https://zoraxy.aroz.org/img/og.png">
    <!-- Twitter Meta Tags -->
    <meta name="twitter:card" content="summary_large_image">
    <meta property="twitter:domain" content="aroz.org">
    <meta property="twitter:url" content="https://zoraxy.aroz.org/">
    <meta name="twitter:title" content="Cluster Proxy Gateway | Zoraxy">
    <meta name="twitter:description" content="A reverse proxy server and cluster network gateway for noobs">
    <meta name="twitter:image" content="https://zoraxy.aroz.org/img/og.png">
    <!-- Favicons -->
    <link href="favicon.png" rel="icon">
    <!-- Google Fonts -->
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Source+Sans+Pro:wght@100;300;400;600;700;900&display=swap" rel="stylesheet">
    <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@48,400,0,0" />
    <!-- Main Stylesheet File -->
    <link href="style.css" rel="stylesheet">
    <script
      src="https://code.jquery.com/jquery-3.7.0.min.js"
      integrity="sha256-2Pmvv0kuTBOenSvLm6bvfBSSHrUJ+3A7x6P5Ebd07/g="
      crossorigin="anonymous"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.js" integrity="sha512-5cguXwRllb+6bcc2pogwIeQmQPXEzn2ddsqAexIBhh7FO1z5Hkek1J9mrK2+rmZCTU6b6pERxI7acnp1MpAg4Q==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.css" integrity="sha512-n//BDM4vMPvyca4bJjZPDh7hlqsQ7hqbP9RH18GF2hTXBY5amBwM2501M0GPiwCU/v9Tor2m13GOTFjk00tkQA==" crossorigin="anonymous" referrerpolicy="no-referrer" />
    <style>
      p,a,div,span,h1,h2,h3,h4,h5,h6{
        font-family: 'Source Sans Pro', sans-serif !important;
        color: #404040;
      }
    </style>
  </head>
  <body>
    <div class="main section">
      <div class="left-menu">
        <div class="iconWrapper">
          <a href="index.html"><img class="ui fluid image" src="img/icon.png"></a>
        </div>
        <a href="#home" class="menu-item active" align="center">
          <img src="img/icons/home.svg">
        </a>
        <a href="#features" class="menu-item" align="center">
          <img src="img/icons/awesome.svg">
        </a>
        <a href="#screenshots" class="menu-item" align="center">
          <img src="img/icons/screenshots.svg">
        </a>
        <a href="#plugins" class="menu-item" align="center">
          <img src="img/icons/plugin.svg">
        </a>
        <a href="#source" class="menu-item" align="center">
          <img src="img/icons/code.svg">
        </a>
      </div>
      <div class="right-content">
        <!-- Hero Banner Section -->
        <div class="headbanner"></div>
        <div id="home" class="herotext">
          <div class="ui basic segment">
            <div class="bannerHeaderWrapper">
              <h1 class="bannerHeader">Zoraxy</h1>
 			  <div class="ui divider"></div><br>
              <p class="bannerSubheader">Beyond Reverse Proxy: Your Ultimate Homelab Network Tool</p>
            </div>
            <br><br>
            <a class="ui basic big button" style="background-color: white;" href="#features"><i class="ui blue arrow down icon"></i> Learn More</a>
            <br><br>
            <table class="ui very basic collapsing unstackable celled table">
              <thead>
                <tr><th colspan="2">Quick Access</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td>
                  <h4 class="ui image header">
                    <i class="ui download icon"></i>
                    <div class="content">
                      Download
                      <div class="sub header">Prebuild Binary
                    </div>
                  </div>
                </h4></td>
                <td>
                  <a href="https://github.com/tobychui/zoraxy/releases" target="_blank">Open <i class="ui external icon"></i></a>
                </td>
              </tr>
              <tr>
                <td>
                  <h4 class="ui image header">
                    <i class="ui github icon"></i>
                    <div class="content">
                      Github
                      <div class="sub header">Source Code
                    </div>
                  </div>
                </h4></td>
                <td>
                  <a href="https://github.com/tobychui/zoraxy" target="_blank">Open <i class="ui external icon"></i></a>
                </td>
              </tr>
            </table>
          </div>
 		  <div id="wavesWrapper">
            <!-- CSS waves-->
            <svg class="waves" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
            viewBox="0 24 150 28" preserveAspectRatio="none" shape-rendering="auto">
                <defs>
                <path id="gentle-wave" d="M-160 44c30 0 58-18 88-18s 58 18 88 18 58-18 88-18 58 18 88 18 v44h-352z" />
                </defs>
                <g class="parallax">
                <use xlink:href="#gentle-wave" x="48" y="0" fill="rgba(255,255,255,0.7" />
                <use xlink:href="#gentle-wave" x="48" y="3" fill="rgba(255,255,255,0.5)" />
                <use xlink:href="#gentle-wave" x="48" y="5" fill="rgba(255,255,255,0.3)" />
                <use xlink:href="#gentle-wave" x="48" y="7" fill="#fff" />
                </g>
            </svg>
        </div>
        </div>
        <!-- Features -->
        <div id="features" class="section">
          <div class="ui container">
            <div class="ui basic segment">
              <h1 class="ui header">
                <img class="ui small image" src="img/icons/awesome.svg">
                <div class="content">
                    Features
                    <div class="sub header">Highlighting a few important features of Zoraxy</div>
                </div>
              </h1>
              <br>
              <div class="ui stackable grid featureList">
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/proxy.svg">
                    <div class="content">
                      Reverse Proxy
                    </div>
                  </h3>
                  <p>Simple to use noob-friendly reverse proxy server that can be easily set up using a web form and a few toggle switches.</p>
                </div>
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/redirect.svg">
                    <div class="content">
                      Redirection
                    </div>
                  </h3>
                  <p>Direct and intuitive redirection rules with basic rewrite options. Suitable for most simple use cases.</p>
                </div>
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/blacklist.svg">
                    <div class="content">
                      Geo-IP & Blacklist
                    </div>
                  </h3>
                  <p>Blacklist with GeoIP support. Allows easy setup for regional services.</p>
                </div>
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/gan.svg">
                    <div class="content">
                      Global Area Network
                    </div>
                  </h3>
                  <p>ZeroTier controller integrated GAN. Enable unlimited nodes in your network with a few clicks.</p>
                </div>
                <!-- Row 2-->
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/terminal.svg">
                    <div class="content">
                      Web SSH
                    </div>
                  </h3>
                  <p>Integration with Gotty Web SSH terminal allows one-stop management of your nodes inside private LAN via gateway nodes.</p>
                </div>
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/stats.svg">
                    <div class="content">
                      Real Time Statistics
                    </div>
                  </h3>
                  <p>Traffic data collection and real-time analytic tools provide you the best insight of visitors data without cookies.</p>
                </div>
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/scan.svg">
                    <div class="content">
                      Scanner & Utilities
                    </div>
                  </h3>
                  <p>Build in IP scanner and mDNS discovery service to enable automatic service discovery within LAN.</p>
                </div>
                <div class="four wide column featureItem">
                  <h3 class="ui header featureHeader">
                    <img class="ui image" src="img/icons/code.svg">
                    <div class="content">
                      Open Source
                    </div>
                  </h3>
                  <p>Project is open-source under AGPL on Github. Feel free to contribute on missing functions you need! </p>
                </div>
              </div>
            </div>
          </div>
        </div>
        <!-- Screenshots -->
        <div id="screenshots" class="ui container">
          <div class="ui basic segment">
            <br>
            <h1 class="ui header">
              <img class="ui small image" src="img/icons/screenshots.svg">
              <div class="content">
                  Screenshots
                  <div class="sub header">A quick overview of the UI designs</div>
              </div>
            </h1>
            <div class="ui three column stackable grid">
              <div class="column">
                <a href="img/screenshots/1.png" target="_blank"><img src="img/screenshots/1.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/2.png" target="_blank"><img src="img/screenshots/2.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/3.png" target="_blank"><img src="img/screenshots/3.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/4.png" target="_blank"><img src="img/screenshots/4.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/5.png" target="_blank"><img src="img/screenshots/5.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/6.png" target="_blank"><img src="img/screenshots/6.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/7.png" target="_blank"><img src="img/screenshots/7.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/8.png" target="_blank"><img src="img/screenshots/8.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/9.png" target="_blank"><img src="img/screenshots/9.png" class="ui fluid image screenshot"></a>
              </div>
              <div class="column">
                <a href="img/screenshots/10.png" target="_blank"><img src="img/screenshots/10.png" class="ui fluid image screenshot"></a>
              </div>
            </div> 
          </div>
        </div>
        <!-- Plugin Developments -->
        <div id="plugins" class="ui container">
          <div class="ui basic segment">
            <br>
            <h1 class="ui header">
              <img class="ui small image" src="img/icons/plugin.svg">
              <div class="content">
                  Plugins
                  <div class="sub header">Add custom routing rules via simple scripts</div>
              </div>
            </h1>
            <div style="width: 100%; text-align: center;">
              <br>
              <p>Documentation work in progress</p>
            </div>
          </div>
        </div>
        <!-- Source code -->
        <div id="source" class="ui container">
          <div class="ui basic segment">
            <br>
            <h1 class="ui header">
              <img class="ui small image" src="img/icons/code.svg">
              <div class="content">
                  Source Code
                  <div class="sub header">Feel free to give us a ⭐ star ⭐.</div>
              </div>
            </h1>
            <br>
            <div class="ui two column stackable grid">
              <div class="column">
                  <h3 class="ui header">
                    <i class="grey github icon"></i>
                    <div class="content" style="text-align: left;">
                      <a href="https://github.com/tobychui/zoraxy">
                        Github
                        <div class="sub header">https://github.com/tobychui/zoraxy</div>
                      </a>
                    </div>
                  </h3>
              </div>
              <div class="column">
                <h3 class="ui header">
                  <i class="blue mail icon"></i>
                  <div class="content" style="text-align: left;">
                    <a href="mailto:toby@imuslab.com">
                      Email Contact
                      <div class="sub header">toby@imuslab.com</div>
                    </a>
                  </div>
                </h3>
              </div>
            </div>
          </div>
        </div>
        <br><br>
        <div class="ui container">
          <p style="color: #3a3a3a">CopyRight Zoraxy Project and its authors © 2021 - <span class="year"></span></p>
        </div>
        <br><br><br>
      </div>
    </div>
    <br>
    <script>
      $(".year").text(new Date().getFullYear()  );
      $(".menu-item").on("click", function(){
        $(".menu-item.active").removeClass("active");
        $(this).addClass("active");
      });
      $(".right-content").on("scroll", function() {
        var scrollPos = $(".right-content").scrollTop();
        if (scrollPos < 10){
          //Reaching the top
          $('.menu-item.active').removeClass("active");
          $($('.menu-item')[0]).addClass('active');
          return;
        }else if ($(".right-content")[0].scrollHeight  ==  $(".right-content").scrollTop() + window.innerHeight ){
          //Reaching the bottom
          $('.menu-item.active').removeClass("active");
          $($('.menu-item').get().reverse()[0]).addClass('active');
          return
        }
        $('.menu-item').each(function() {
          var currLink = $(this);
          var refElement = $(currLink.attr("href"));
          if (refElement.offset().top <= (window.innerHeight / 2)) {
            $('.menu-item.active').removeClass("active");
            currLink.addClass("active");
            console.log(currLink.attr("href"));
          }
        });
      });
    </script>
  </body>
 </html>
--- a/docs/style.css
+++ b/docs/style.css
@ -0,0 +1,237 @@
 body{
    background: #ffffff !important;
    margin: 0;
    padding: 0;
    overflow-y: hidden;
 }
 :root{
    --themeTextColor: #404040;
    --themeSkyblueColor: #a9d1f3;
    --themeSkyblueColorDecondary: #8eb9df;
 }
 .main {
    display: flex;
    height: 100vh;
 }
 .left-menu {
    width: 80px;
    min-width: 80px;
    background-color: #fcfcfc;
    min-height: 100vh;
    padding-top: 1.5em;
 }
 .iconWrapper{
    padding: 1em;
    border-bottom: 1px solid #f6f6f6;
 }
 .right-content {
    flex-grow: 1;
    position: relative;
    max-height: 100%;
    overflow-y: auto;
 }
 .ui.black.button{
    background-color: var(--themeTextColor) !important;
 }
 /* Menu items */
 .menu-item{
    display: block;
    padding: 0.4em;
    padding-top: 1.2em;
    padding-bottom: 1.2em;
    text-align: center;
    border-bottom: 1px solid #f6f6f6;
    width: 100%;
    transition: border-left ease-in-out 0.1s, background-color ease-in-out 0.1s;
 }
 .menu-item.active{
    background: linear-gradient(60deg, rgba(84, 58, 183, 0.3) 0%, rgba(0, 172, 193, 0.3) 100%);
 }
 .menu-item .item-icon{
 	fill: #fcfcfc;
 }
 .menu-item:hover{
   background: rgba(35,35,35,0.1);
 }
 .menu-item img{
    width: 30px;
    display: inline-block;
    vertical-align: middle;
 }
 /* Head banner */
 .herotext{
    padding-top: 15em; 
    padding-left: 8vw;
    min-height: 100vh;
 }
 .bannerHeader{
    font-size: 8em; 
    font-weight: 600;
 	color: white;
 }
 .bannerSubheader{
    font-weight: 400; 
    font-size: 1.2em; 
 	color: #ebebeb;
    margin-top: -20px;
 }
 .bannerHeaderWrapper{
    text-align: center; 
    display: inline-block;
 }
 #home{
 	background: linear-gradient(60deg, rgba(84,58,183,1) 0%, rgba(0,172,193,1) 100%);
 }
 #home .table th, #home .table h4{
 	color: white;
 }
 #home .table h4 .content, #home .table h4 .sub.header{
 	color: white;
 }
 #home .table td a{
 	color: #d6ddff;
 }
 /* features */
 #features{
    padding-top: 4em;
    padding-bottom: 4em;
    background-color: white;
 }
 /* screenshots */
 .screenshot{
    transition: transform ease-in-out 0.1s;
    box-shadow: 3px 3px 5px 0px rgba(51,51,51,0.14);
    margin-bottom: 1em;
 }
 .screenshot:hover {
    transform: scale(1.1); /* (150% zoom - Note: if the zoom is too large, it will go outside of the viewport) */
 }
 /* RWD */
@media (max-width:960px) {
    /* Menu RWD */
    .left-menu {
        width: 50px;
        min-width: 50px;
    }
    .iconWrapper{
        padding: 0.2em;
        border-bottom: 1px solid #f6f6f6;
    }
    .menu-item{
        padding: 0.3em;
        padding-top: 0.5em;
        padding-bottom: 0.5em;
    }
    .menu-item img{
        width: 26px;
    }
    /* head banner RWD */
    .headbanner{
        opacity: 0.1;
    }
    .herotext{
        padding-left: 0;
        text-align: center;
    }
    .bannerSubheader{
        font-size: 1.2em; 
    }
    .bannerHeader{
        font-size: 5em; 
    }
    .bannerHeaderWrapper{
        display: inline;
        width: 100%;
    }
    .herotext .ui.collapsing.table{
        width: 100%;
    }
 }
 /* 
 	Waves CSS 
 */
 #wavesWrapper{
 	position: absolute;
 	bottom: 0;
 	width: 100%;
 	left: 0;
 }
 .waves {
 	position:relative;
 	width: 100%;
 	height:15vh;
 	margin-bottom:-7px; /*Fix for safari gap*/
 	min-height:100px;
 	max-height:150px;
 }
 .parallax > use {
 	animation: move-forever 25s cubic-bezier(.55,.5,.45,.5)     infinite;
 }
 .parallax > use:nth-child(1) {
 	animation-delay: -8s;
 	animation-duration: 28s;
 }
 .parallax > use:nth-child(2) {
 	animation-delay: -12s;
 	animation-duration: 40s;
 }
 .parallax > use:nth-child(3) {
 	animation-delay: -16s;
 	animation-duration: 52s;
 }
 .parallax > use:nth-child(4) {
 	animation-delay: -20s;
 	animation-duration: 80s;
 }
@keyframes move-forever {
 	0% {
 		transform: translate3d(-90px,0,0);
 	}
 	100% { 
 		transform: translate3d(85px,0,0);
 	}
 }
 /*Shrinking for mobile*/
@media (max-width: 768px) {
 	.waves {
 		height:40px;
 		min-height:40px;
 	}
 }
--- a/example/README.md
+++ b/example/README.md
@ -0,0 +1,26 @@
 # Example www Folder
 This is an example www folder that contains two sub-folders.
 - `html/`
 - `templates/`
 The html file contain static resources that will be served by Zoraxy build-in static web server. You can use it as a generic web server with a static site generator like [Hugo](https://gohugo.io/) or use it as a small CDN for serving your scripts / image that commonly use across many of your sites.
 The templates folder contains the template for overriding the build in error or access denied pages. The following templates are supported
 - notfound.html (Default site Not-Found error page)
 - whitelist.html (Error page when client being blocked by whitelist rule)
 - blacklist.html (Error page when client being blocked by blacklist rule)
 To use the template, copy and paste the `wwww` folder to the same directory as zoraxy executable (aka the src/ file if you `go build` with the current folder tree). 
 ### Other Templates
 There are a few pre-built templates that works with Zoraxy where you can find in the `other-templates` folder. Copy the folder into `www` and rename the folder to `templates` to active them. 
 It is worth mentioning that the uwu icons for not-found and access-denied are created by @SAWARATSUKI
--- a/example/other-templates/templates_cf/blacklist.html
+++ b/example/other-templates/templates_cf/blacklist.html
--- a/example/other-templates/templates_cf/notfound.html
+++ b/example/other-templates/templates_cf/notfound.html
@ -0,0 +1,154 @@
 <!DOCTYPE html>
 <html>
    <head>
        <meta name="apple-mobile-web-app-capable" content="yes" />
        <meta name="viewport" content="user-scalable=no, width=device-width, initial-scale=1, maximum-scale=1"/>
        <meta charset="UTF-8">
        <meta name="theme-color" content="#4b75ff">
        <link rel="icon" type="image/png" href="img/small_icon.png"/>
        <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.css">
        <link rel="preconnect" href="https://fonts.googleapis.com">
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link href="https://fonts.googleapis.com/css2?family=Noto+Sans+TC:wght@300;400;500;700;900&display=swap" rel="stylesheet">
        <script src="https://code.jquery.com/jquery-3.6.4.min.js"></script>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/fomantic-ui/2.9.2/semantic.min.js"></script>
        <title>404 - Host Not Found</title>
        <style>
            h1, h2, h3, h4, h5, p, a, span, .ui.list .item{
                font-family: 'Noto Sans TC', sans-serif;
                font-weight: 300;
                color: rgb(88, 88, 88)
            }
            .diagram{
                background-color: #ebebeb;
                padding-bottom: 2em;
            }
            .diagramHeader{
                margin-top: 0.2em;
            }
            @media (max-width:512px) { 
                .widescreenOnly{
                    display: none !important;
                }
                .four.wide.column:not(.widescreenOnly){
                    width: 50% !important;
                }
                .ui.grid{
                    justify-content: center !important;
                }
            }
        </style>
    </head>
    <body>
        <div>
            <br><br>
            <div class="ui container">
                <h1 style="font-size: 4rem;">Error 404</h1>
                <p style="font-size: 2rem; margin-bottom: 0.4em;">Target Host Not Found</p>
                <small id="timestamp"></small>
            </div>
            <br><br>
        </div>
        <div class="diagram">
            <div class="ui text container">
                <div class="ui grid">
                    <div class="four wide column widescreenOnly" align="center">
                        <svg version="1.1" id="client_svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
                            width="100%" viewBox="0 0 200 200" enable-background="new 0 0 200 200" xml:space="preserve">
                        <path fill="#C9CACA" d="M184.795,143.037c0,9.941-8.059,18-18,18H33.494c-9.941,0-18-8.059-18-18V44.952c0-9.941,8.059-18,18-18
                            h133.301c9.941,0,18,8.059,18,18V143.037z"/>
                        <circle fill="#FFFFFF" cx="37.39" cy="50.88" r="6.998"/>
                        <circle fill="#FFFFFF" cx="54.115" cy="50.88" r="6.998"/>
                        <path fill="#FFFFFF" d="M167.188,50.88c0,3.865-3.133,6.998-6.998,6.998H72.379c-3.865,0-6.998-3.133-6.998-6.998l0,0
                            c0-3.865,3.133-6.998,6.998-6.998h87.811C164.055,43.882,167.188,47.015,167.188,50.88L167.188,50.88z"/>
                        <rect x="31.296" y="66.907" fill="#FFFFFF" width="132.279" height="77.878"/>
                        <circle fill="#9BCA3E" cx="96.754" cy="144.785" r="37.574"/>
                        <polyline fill="none" stroke="#FFFFFF" stroke-width="8" stroke-miterlimit="10" points="108.497,133.047 93.373,153.814 
                            82.989,143.204 "/>
                        </svg>
                        <small>You</small>
                        <h2 class="diagramHeader">Browser</h2>
                        <p style="font-weight: 500; color: #9bca3e;">Working</p>
                    </div>  
                    <div class="two wide column widescreenOnly" style="margin-top: 8em; text-align: center;">
                        <i class="ui big grey exchange alternate icon" style="color:rgb(167, 167, 167) !important;"></i>
                    </div>
                    <div class="four wide column widescreenOnly" align="center">
                        <svg version="1.1" id="cloud_svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
                            width="100%" viewBox="0 0 200 200" enable-background="new 0 0 200 200" xml:space="preserve">
                            <ellipse fill="#9FA0A0" cx="46.979" cy="108.234" rx="25.399" ry="25.139"/>
                            <circle fill="#9FA0A0" cx="109.407" cy="100.066" r="50.314"/>
                            <circle fill="#9FA0A0" cx="22.733" cy="129.949" r="19.798"/>
                            <circle fill="#9FA0A0" cx="172.635" cy="125.337" r="24.785"/>
                            <path fill="#9FA0A0" d="M193.514,133.318c0,9.28-7.522,16.803-16.803,16.803H28.223c-9.281,0-16.803-7.522-16.803-16.803l0,0
                                c0-9.28,7.522-16.804,16.803-16.804h148.488C185.991,116.515,193.514,124.038,193.514,133.318L193.514,133.318z"/>
                            <circle fill="#9BCA3D" cx="100" cy="149.572" r="38.267"/>
                            <polyline fill="none" stroke="#FFFFFF" stroke-width="8" stroke-miterlimit="10" points="113.408,136.402 95.954,160.369 
                                83.971,148.123 "/>
                        </svg>
                        <small>Gateway Node</small>
                        <h2 class="diagramHeader">Reverse Proxy</h2>
                        <p style="font-weight: 500; color: #9bca3e;">Working</p>
                    </div>  
                    <div class="two wide column widescreenOnly" style="margin-top: 8em; text-align: center;">
                        <i class="ui big grey exchange alternate icon" style="color:rgb(167, 167, 167) !important;"></i>
                    </div>
                    <div class="four wide column" align="center">
                        <svg version="1.1" id="host_svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
                            width="100%" viewBox="0 0 200 200" enable-background="new 0 0 200 200" xml:space="preserve">
                        <path fill="#999999" d="M168.484,113.413c0,9.941,3.317,46.324-6.624,46.324H35.359c-9.941,0-5.873-39.118-5.715-46.324
                            l17.053-50.909c1.928-9.879,8.059-18,18-18h69.419c9.941,0,15.464,7.746,18,18L168.484,113.413z"/>
                        <rect x="38.068" y="118.152" fill="#FFFFFF" width="122.573" height="34.312"/>
                        <circle fill="#BD2426" cx="141.566" cy="135.873" r="8.014"/>
                        <circle fill="#BD2426" cx="99.354" cy="152.464" r="36.343"/>
                        <line fill="none" stroke="#FFFFFF" stroke-width="6" stroke-miterlimit="10" x1="90.5" y1="144.125" x2="107.594" y2="161.946"/>
                        <line fill="none" stroke="#FFFFFF" stroke-width="6" stroke-miterlimit="10" x1="90.5" y1="161.946" x2="107.594" y2="144.79"/>
                        </svg>
                        <small id="host"></small>
                        <h2 class="diagramHeader">Host</h2>
                        <p style="font-weight: 500; color: #bd2426;">Not Found</p>
                    </div>
                  </div>
            </div>
        </div>
        <div>
            <br>
            <div class="ui container">
                <div class="ui stackable grid">
                    <div class="eight wide column">
                        <h1>What happend?</h1>
                        <p>The reverse proxy target domain is not found.<br>For more information, see the error message on the reverse proxy terminal.</p>
                    </div>
                    <div class="eight wide column">
                        <h1>What can I do?</h1>
                        <h5 style="font-weight: 500;">If you are a visitor of this website: </h5>
                        <p>Please try again in a few minutes</p>
                        <h5 style="font-weight: 500;">If you are the owner of this website:</h5>
                        <div class="ui bulleted list">
                            <div class="item">Check if the proxy rules that match this hostname exists</div>
                            <div class="item">Visit the Reverse Proxy management interface to correct any setting errors</div>
                        </div>
                    </div>
                  </div>
            </div>
            <br>
        </div>
        <div class="ui divider"></div>
        <div class="ui container" style="color: grey; font-size: 90%">
            <p>Powered by Zoraxy</p>
        </div>
        <br><br>
        <script>
            $("#timestamp").text(new Date());
            $("#host").text(location.href);
        </script>
    </body>
 </html>
--- a/example/other-templates/templates_cf/whitelist.html
+++ b/example/other-templates/templates_cf/whitelist.html
--- a/example/other-templates/templates_uwu/blacklist.html
+++ b/example/other-templates/templates_uwu/blacklist.html
--- a/example/other-templates/templates_uwu/notfound.html
+++ b/example/other-templates/templates_uwu/notfound.html
--- a/example/other-templates/templates_uwu/whitelist.html
+++ b/example/other-templates/templates_uwu/whitelist.html
--- a/example/www/html/index.html
+++ b/example/www/html/index.html
@ -0,0 +1,229 @@
 <html>
    <head>
        <title>Zoraxy Firework!</title>
        <style>
            body{
                margin: 0 !important;
            }
            canvas {
                display: block;
                width: 100vw;
                height: 100vh;
            }
        </style>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.2/anime.min.js" integrity="sha512-aNMyYYxdIxIaot0Y1/PLuEu3eipGCmsEUBrUq+7aVyPGMFH8z0eTP0tkqAvv34fzN6z+201d3T8HPb1svWSKHQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
    </head>
    <body>
        <canvas id="c"></canvas>
        <script>
            var c = document.getElementById("c");
            var ctx = c.getContext("2d");
            var cH;
            var cW;
            var bgColor = "#FF6138";
            var animations = [];
            var circles = [];
            var colorPicker = (function() {
            var colors = ["#FF6138", "#FFBE53", "#2980B9", "#FCFCFC", "#282741"];
            var index = 0;
            function next() {
                index = index++ < colors.length-1 ? index : 0;
                return colors[index];
            }
            function current() {
                return colors[index]
            }
            return {
                next: next,
                current: current
            }
            })();
            function removeAnimation(animation) {
            var index = animations.indexOf(animation);
            if (index > -1) animations.splice(index, 1);
            }
            function calcPageFillRadius(x, y) {
            var l = Math.max(x - 0, cW - x);
            var h = Math.max(y - 0, cH - y);
            return Math.sqrt(Math.pow(l, 2) + Math.pow(h, 2));
            }
            function addClickListeners() {
            document.addEventListener("touchstart", handleEvent);
            document.addEventListener("mousedown", handleEvent);
            };
            function handleEvent(e) {
                if (e.touches) { 
                e.preventDefault();
                e = e.touches[0];
                }
                var currentColor = colorPicker.current();
                var nextColor = colorPicker.next();
                var targetR = calcPageFillRadius(e.pageX, e.pageY);
                var rippleSize = Math.min(200, (cW * .4));
                var minCoverDuration = 750;
                var pageFill = new Circle({
                x: e.pageX,
                y: e.pageY,
                r: 0,
                fill: nextColor
                });
                var fillAnimation = anime({
                targets: pageFill,
                r: targetR,
                duration:  Math.max(targetR / 2 , minCoverDuration ),
                easing: "easeOutQuart",
                complete: function(){
                    bgColor = pageFill.fill;
                    removeAnimation(fillAnimation);
                }
                });
                var ripple = new Circle({
                x: e.pageX,
                y: e.pageY,
                r: 0,
                fill: currentColor,
                stroke: {
                    width: 3,
                    color: currentColor
                },
                opacity: 1
                });
                var rippleAnimation = anime({
                targets: ripple,
                r: rippleSize,
                opacity: 0,
                easing: "easeOutExpo",
                duration: 900,
                complete: removeAnimation
                });
                var particles = [];
                for (var i=0; i<32; i++) {
                var particle = new Circle({
                    x: e.pageX,
                    y: e.pageY,
                    fill: currentColor,
                    r: anime.random(24, 48)
                })
                particles.push(particle);
                }
                var particlesAnimation = anime({
                targets: particles,
                x: function(particle){
                    return particle.x + anime.random(rippleSize, -rippleSize);
                },
                y: function(particle){
                    return particle.y + anime.random(rippleSize * 1.15, -rippleSize * 1.15);
                },
                r: 0,
                easing: "easeOutExpo",
                duration: anime.random(1000,1300),
                complete: removeAnimation
                });
                animations.push(fillAnimation, rippleAnimation, particlesAnimation);
            }
            function extend(a, b){
            for(var key in b) {
                if(b.hasOwnProperty(key)) {
                a[key] = b[key];
                }
            }
            return a;
            }
            var Circle = function(opts) {
            extend(this, opts);
            }
            Circle.prototype.draw = function() {
            ctx.globalAlpha = this.opacity || 1;
            ctx.beginPath();
            ctx.arc(this.x, this.y, this.r, 0, 2 * Math.PI, false);
            if (this.stroke) {
                ctx.strokeStyle = this.stroke.color;
                ctx.lineWidth = this.stroke.width;
                ctx.stroke();
            }
            if (this.fill) {
                ctx.fillStyle = this.fill;
                ctx.fill();
            }
            ctx.closePath();
            ctx.globalAlpha = 1;
            }
            var animate = anime({
            duration: Infinity,
            update: function() {
                ctx.fillStyle = bgColor;
                ctx.fillRect(0, 0, cW, cH);
                animations.forEach(function(anim) {
                anim.animatables.forEach(function(animatable) {
                    animatable.target.draw();
                });
                });
            }
            });
            var resizeCanvas = function() {
            cW = window.innerWidth;
            cH = window.innerHeight;
            c.width = cW * devicePixelRatio;
            c.height = cH * devicePixelRatio;
            ctx.scale(devicePixelRatio, devicePixelRatio);
            };
            (function init() {
            resizeCanvas();
            if (window.CP) {
                // CodePen's loop detection was causin' problems
                // and I have no idea why, so...
                window.CP.PenTimer.MAX_TIME_IN_LOOP_WO_EXIT = 6000; 
            }
            window.addEventListener("resize", resizeCanvas);
            addClickListeners();
            if (!!window.location.pathname.match(/fullcpgrid/)) {
                startFauxClicking();
            }
            handleInactiveUser();
            })();
            function handleInactiveUser() {
            var inactive = setTimeout(function(){
                fauxClick(cW/2, cH/2);
            }, 2000);
            function clearInactiveTimeout() {
                clearTimeout(inactive);
                document.removeEventListener("mousedown", clearInactiveTimeout);
                document.removeEventListener("touchstart", clearInactiveTimeout);
            }
            document.addEventListener("mousedown", clearInactiveTimeout);
            document.addEventListener("touchstart", clearInactiveTimeout);
            }
            function startFauxClicking() {
            setTimeout(function(){
                fauxClick(anime.random( cW * .2, cW * .8), anime.random(cH * .2, cH * .8));
                startFauxClicking();
            }, anime.random(200, 900));
            }
            function fauxClick(x, y) {
            var fauxClick = new Event("mousedown");
            fauxClick.pageX = x;
            fauxClick.pageY = y;
            document.dispatchEvent(fauxClick);
            }
        </script>
    </body>
 </html>
--- a/example/www/templates/blacklist.html
+++ b/example/www/templates/blacklist.html
--- a/example/www/templates/notfound.html
+++ b/example/www/templates/notfound.html
--- a/example/www/templates/whitelist.html
+++ b/example/www/templates/whitelist.html
--- a/img/screenshots/0_1.png
+++ b/img/screenshots/0_1.png
--- a/img/screenshots/0_2.png
+++ b/img/screenshots/0_2.png
--- a/img/screenshots/1.png
+++ b/img/screenshots/1.png
--- a/img/screenshots/10_1.png
+++ b/img/screenshots/10_1.png
--- a/img/screenshots/10_2.png
+++ b/img/screenshots/10_2.png
--- a/img/screenshots/2.png
+++ b/img/screenshots/2.png
--- a/img/screenshots/3.png
+++ b/img/screenshots/3.png
--- a/img/screenshots/4.png
+++ b/img/screenshots/4.png
--- a/img/screenshots/5.png
+++ b/img/screenshots/5.png
--- a/img/screenshots/7.png
+++ b/img/screenshots/7.png
--- a/img/screenshots/8.png
+++ b/img/screenshots/8.png
--- a/img/screenshots/9.png
+++ b/img/screenshots/9.png
--- a/img/social_banner.png
+++ b/img/social_banner.png
--- a/img/social_banner.psd
+++ b/img/social_banner.psd
--- a/img/title.png
+++ b/img/title.png
--- a/img/title.psd
+++ b/img/title.psd
--- a/src/Makefile
+++ b/src/Makefile
@ -0,0 +1,61 @@
 # PLATFORMS := darwin/amd64 darwin/arm64 freebsd/amd64 linux/386 linux/amd64 linux/arm linux/arm64 linux/mipsle windows/386 windows/amd64 windows/arm windows/arm64
 PLATFORMS := linux/amd64 linux/386 linux/arm linux/arm64 linux/mipsle linux/riscv64 windows/amd64
 temp = $(subst /, ,$@)
 os = $(word 1, $(temp))
 arch = $(word 2, $(temp))
 #all:  web.tar.gz $(PLATFORMS) fixwindows zoraxy_file_checksum.sha1
 all:  clear_old $(PLATFORMS) fixwindows
 binary: $(PLATFORMS)
 hash: zoraxy_file_checksum.sha1
 web: web.tar.gz
 clean: 
 	rm -f zoraxy_*_*
 	rm -f web.tar.gz
 $(PLATFORMS):
 	@echo "Building $(os)/$(arch)"
 	GOROOT_FINAL=Git/ GOOS=$(os) GOARCH=$(arch) $(if $(filter linux/arm,$(os)/$(arch)),GOARM=6,) CGO_ENABLED="0" go build -o './dist/zoraxy_$(os)_$(arch)'  -ldflags "-s -w" -trimpath
 #	GOROOT_FINAL=Git/ GOOS=$(os) GOARCH=$(arch) GOARM=6 go build -o './dist/zoraxy_$(os)_$(arch)'  -ldflags "-s -w" -trimpath
 fixwindows:
 	-mv ./dist/zoraxy_windows_amd64 ./dist/zoraxy_windows_amd64.exe
 #	-mv ./dist/zoraxy_windows_arm64 ./dist/zoraxy_windows_arm64.exe
 clear_old:
 	-rm -rf ./dist/
 	-mkdir ./dist/
 web.tar.gz:
 	@echo "Removing old build resources, if exists"
 	-rm -rf ./dist/
 	-mkdir ./dist/
 	@echo "Moving subfolders to build folder"
 	-cp -r ./web ./dist/web/
 	-cp -r ./system ./dist/system/
 	@ echo "Remove sensitive information"
 	-rm -rf ./dist/certs/
 	-rm -rf ./dist/conf/
 	-rm -rf ./dist/rules/
 	@echo "Creating tarball for all required files"
 	-rm ./dist/web.tar.gz
 	-cd ./dist/ && tar -czf ./web.tar.gz system/ web/
 	@echo "Clearing up unzipped folder structures"
 	-rm -rf "./dist/web"
 	-rm -rf "./dist/system"
 zoraxy_file_checksum.sha1:
 	@echo "Generating the checksum, if sha1sum installed"
 	-sha1sum ./dist/web.tar.gz > ./dist/zoraxy_file_checksum.sha1
--- a/src/accesslist.go
+++ b/src/accesslist.go
@ -0,0 +1,507 @@
 package main
 import (
 	"encoding/json"
 	"net/http"
 	"strings"
 	"github.com/google/uuid"
 	"github.com/microcosm-cc/bluemonday"
 	"imuslab.com/zoraxy/mod/access"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	accesslist.go
 	This script file is added to extend the
 	reverse proxy function to include
 	banning / whitelist a specific IP address or country code
 */
 /*
 	General Function
 */
 func handleListAccessRules(w http.ResponseWriter, r *http.Request) {
 	allAccessRules := accessController.ListAllAccessRules()
 	js, _ := json.Marshal(allAccessRules)
 	utils.SendJSONResponse(w, string(js))
 }
 func handleAttachRuleToHost(w http.ResponseWriter, r *http.Request) {
 	ruleid, err := utils.PostPara(r, "id")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid rule name")
 		return
 	}
 	host, err := utils.PostPara(r, "host")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid rule name")
 		return
 	}
 	//Check if access rule and proxy rule exists
 	targetProxyEndpoint, err := dynamicProxyRouter.LoadProxy(host)
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid host given")
 		return
 	}
 	if !accessController.AccessRuleExists(ruleid) {
 		utils.SendErrorResponse(w, "access rule not exists")
 		return
 	}
 	//Update the proxy host acess rule id
 	targetProxyEndpoint.AccessFilterUUID = ruleid
 	targetProxyEndpoint.UpdateToRuntime()
 	err = SaveReverseProxyConfig(targetProxyEndpoint)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	utils.SendOK(w)
 }
 // Create a new access rule, require name and desc only
 func handleCreateAccessRule(w http.ResponseWriter, r *http.Request) {
 	ruleName, err := utils.PostPara(r, "name")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid rule name")
 		return
 	}
 	ruleDesc, _ := utils.PostPara(r, "desc")
 	//Filter out injection if any
 	p := bluemonday.StripTagsPolicy()
 	ruleName = p.Sanitize(ruleName)
 	ruleDesc = p.Sanitize(ruleDesc)
 	ruleUUID := uuid.New().String()
 	newAccessRule := access.AccessRule{
 		ID:               ruleUUID,
 		Name:             ruleName,
 		Desc:             ruleDesc,
 		BlacklistEnabled: false,
 		WhitelistEnabled: false,
 	}
 	//Add it to runtime
 	err = accessController.AddNewAccessRule(&newAccessRule)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	utils.SendOK(w)
 }
 // Handle removing an access rule. All proxy endpoint using this rule will be
 // set to use the default rule
 func handleRemoveAccessRule(w http.ResponseWriter, r *http.Request) {
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid rule id given")
 		return
 	}
 	if ruleID == "default" {
 		utils.SendErrorResponse(w, "default access rule cannot be removed")
 		return
 	}
 	ruleID = strings.TrimSpace(ruleID)
 	//Set all proxy hosts that use this access rule back to using "default"
 	allProxyEndpoints := dynamicProxyRouter.GetProxyEndpointsAsMap()
 	for _, proxyEndpoint := range allProxyEndpoints {
 		if strings.EqualFold(proxyEndpoint.AccessFilterUUID, ruleID) {
 			//This proxy endpoint is using the current access filter.
 			//set it to default
 			proxyEndpoint.AccessFilterUUID = "default"
 			proxyEndpoint.UpdateToRuntime()
 			err = SaveReverseProxyConfig(proxyEndpoint)
 			if err != nil {
 				SystemWideLogger.PrintAndLog("Access", "Unable to save updated proxy endpoint "+proxyEndpoint.RootOrMatchingDomain, err)
 			} else {
 				SystemWideLogger.PrintAndLog("Access", "Updated "+proxyEndpoint.RootOrMatchingDomain+" access filter to \"default\"", nil)
 			}
 		}
 	}
 	//Remove the access rule by ID
 	err = accessController.RemoveAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	SystemWideLogger.PrintAndLog("Access", "Access Rule "+ruleID+" removed", nil)
 	utils.SendOK(w)
 }
 // Only the name and desc, for other properties use blacklist / whitelist api
 func handleUpadateAccessRule(w http.ResponseWriter, r *http.Request) {
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid rule id")
 		return
 	}
 	ruleName, err := utils.PostPara(r, "name")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid rule name")
 		return
 	}
 	ruleDesc, _ := utils.PostPara(r, "desc")
 	//Filter anything weird
 	p := bluemonday.StrictPolicy()
 	ruleName = p.Sanitize(ruleName)
 	ruleDesc = p.Sanitize(ruleDesc)
 	err = accessController.UpdateAccessRule(ruleID, ruleName, ruleDesc)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	utils.SendOK(w)
 }
 /*
 	Blacklist Related
 */
 // List a of blacklisted ip address or country code
 func handleListBlacklisted(w http.ResponseWriter, r *http.Request) {
 	bltype, err := utils.GetPara(r, "type")
 	if err != nil {
 		bltype = "country"
 	}
 	ruleID, err := utils.GetPara(r, "id")
 	if err != nil {
 		//Use default if not set
 		ruleID = "default"
 	}
 	//Load the target rule from access controller
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	resulst := []string{}
 	if bltype == "country" {
 		resulst = rule.GetAllBlacklistedCountryCode()
 	} else if bltype == "ip" {
 		resulst = rule.GetAllBlacklistedIp()
 	}
 	js, _ := json.Marshal(resulst)
 	utils.SendJSONResponse(w, string(js))
 }
 func handleCountryBlacklistAdd(w http.ResponseWriter, r *http.Request) {
 	countryCode, err := utils.PostPara(r, "cc")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty country code")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	comment, _ := utils.PostPara(r, "comment")
 	p := bluemonday.StripTagsPolicy()
 	comment = p.Sanitize(comment)
 	//Load the target rule from access controller
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	rule.AddCountryCodeToBlackList(countryCode, comment)
 	utils.SendOK(w)
 }
 func handleCountryBlacklistRemove(w http.ResponseWriter, r *http.Request) {
 	countryCode, err := utils.PostPara(r, "cc")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty country code")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	//Load the target rule from access controller
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	rule.RemoveCountryCodeFromBlackList(countryCode)
 	utils.SendOK(w)
 }
 func handleIpBlacklistAdd(w http.ResponseWriter, r *http.Request) {
 	ipAddr, err := utils.PostPara(r, "ip")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty ip address")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	//Load the target rule from access controller
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	comment, _ := utils.GetPara(r, "comment")
 	p := bluemonday.StripTagsPolicy()
 	comment = p.Sanitize(comment)
 	rule.AddIPToBlackList(ipAddr, comment)
 	utils.SendOK(w)
 }
 func handleIpBlacklistRemove(w http.ResponseWriter, r *http.Request) {
 	ipAddr, err := utils.PostPara(r, "ip")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty ip address")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	//Load the target rule from access controller
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	rule.RemoveIPFromBlackList(ipAddr)
 	utils.SendOK(w)
 }
 func handleBlacklistEnable(w http.ResponseWriter, r *http.Request) {
 	enable, _ := utils.PostPara(r, "enable")
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	if enable == "" {
 		//enable paramter not set
 		currentEnabled := rule.BlacklistEnabled
 		js, _ := json.Marshal(currentEnabled)
 		utils.SendJSONResponse(w, string(js))
 	} else {
 		if enable == "true" {
 			rule.ToggleBlacklist(true)
 		} else if enable == "false" {
 			rule.ToggleBlacklist(false)
 		} else {
 			utils.SendErrorResponse(w, "invalid enable state: only true and false is accepted")
 			return
 		}
 		utils.SendOK(w)
 	}
 }
 /*
 	Whitelist Related
 */
 func handleListWhitelisted(w http.ResponseWriter, r *http.Request) {
 	bltype, err := utils.GetPara(r, "type")
 	if err != nil {
 		bltype = "country"
 	}
 	ruleID, err := utils.GetPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	resulst := []*access.WhitelistEntry{}
 	if bltype == "country" {
 		resulst = rule.GetAllWhitelistedCountryCode()
 	} else if bltype == "ip" {
 		resulst = rule.GetAllWhitelistedIp()
 	}
 	js, _ := json.Marshal(resulst)
 	utils.SendJSONResponse(w, string(js))
 }
 func handleCountryWhitelistAdd(w http.ResponseWriter, r *http.Request) {
 	countryCode, err := utils.PostPara(r, "cc")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty country code")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	comment, _ := utils.PostPara(r, "comment")
 	p := bluemonday.StrictPolicy()
 	comment = p.Sanitize(comment)
 	rule.AddCountryCodeToWhitelist(countryCode, comment)
 	utils.SendOK(w)
 }
 func handleCountryWhitelistRemove(w http.ResponseWriter, r *http.Request) {
 	countryCode, err := utils.PostPara(r, "cc")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty country code")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	rule.RemoveCountryCodeFromWhitelist(countryCode)
 	utils.SendOK(w)
 }
 func handleIpWhitelistAdd(w http.ResponseWriter, r *http.Request) {
 	ipAddr, err := utils.PostPara(r, "ip")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty ip address")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	comment, _ := utils.PostPara(r, "comment")
 	p := bluemonday.StrictPolicy()
 	comment = p.Sanitize(comment)
 	rule.AddIPToWhiteList(ipAddr, comment)
 	utils.SendOK(w)
 }
 func handleIpWhitelistRemove(w http.ResponseWriter, r *http.Request) {
 	ipAddr, err := utils.PostPara(r, "ip")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid or empty ip address")
 		return
 	}
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	rule.RemoveIPFromWhiteList(ipAddr)
 	utils.SendOK(w)
 }
 func handleWhitelistEnable(w http.ResponseWriter, r *http.Request) {
 	enable, _ := utils.PostPara(r, "enable")
 	ruleID, err := utils.PostPara(r, "id")
 	if err != nil {
 		ruleID = "default"
 	}
 	rule, err := accessController.GetAccessRuleByID(ruleID)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	if enable == "" {
 		//Return the current enabled state
 		currentEnabled := rule.WhitelistEnabled
 		js, _ := json.Marshal(currentEnabled)
 		utils.SendJSONResponse(w, string(js))
 	} else {
 		if enable == "true" {
 			rule.ToggleWhitelist(true)
 		} else if enable == "false" {
 			rule.ToggleWhitelist(false)
 		} else {
 			utils.SendErrorResponse(w, "invalid enable state: only true and false is accepted")
 			return
 		}
 		utils.SendOK(w)
 	}
 }
--- a/src/acme.go
+++ b/src/acme.go
@ -0,0 +1,162 @@
 package main
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"math/rand"
 	"net/http"
 	"regexp"
 	"strconv"
 	"time"
 	"imuslab.com/zoraxy/mod/acme"
 	"imuslab.com/zoraxy/mod/dynamicproxy"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	acme.go
 	This script handle special routing required for acme auto cert renew functions
 */
 // Helper function to generate a random port above a specified value
 func getRandomPort(minPort int) int {
 	return rand.Intn(65535-minPort) + minPort
 }
 // init the new ACME instance
 func initACME() *acme.ACMEHandler {
 	SystemWideLogger.Println("Starting ACME handler")
 	rand.Seed(time.Now().UnixNano())
 	// Generate a random port above 30000
 	port := getRandomPort(30000)
 	// Check if the port is already in use
 	for acme.IsPortInUse(port) {
 		port = getRandomPort(30000)
 	}
 	return acme.NewACME("https://acme-v02.api.letsencrypt.org/directory", strconv.Itoa(port), sysdb, SystemWideLogger)
 }
 // create the special routing rule for ACME
 func acmeRegisterSpecialRoutingRule() {
 	SystemWideLogger.Println("Assigned temporary port:" + acmeHandler.Getport())
 	err := dynamicProxyRouter.AddRoutingRules(&dynamicproxy.RoutingRule{
 		ID: "acme-autorenew",
 		MatchRule: func(r *http.Request) bool {
 			found, _ := regexp.MatchString("/.well-known/acme-challenge/*", r.RequestURI)
 			return found
 		},
 		RoutingHandler: func(w http.ResponseWriter, r *http.Request) {
 			req, err := http.NewRequest(http.MethodGet, "http://localhost:"+acmeHandler.Getport()+r.RequestURI, nil)
 			req.Host = r.Host
 			if err != nil {
 				fmt.Printf("client: could not create request: %s\n", err)
 				return
 			}
 			res, err := http.DefaultClient.Do(req)
 			if err != nil {
 				fmt.Printf("client: error making http request: %s\n", err)
 				return
 			}
 			resBody, err := io.ReadAll(res.Body)
 			defer res.Body.Close()
 			if err != nil {
 				fmt.Printf("error reading: %s\n", err)
 				return
 			}
 			w.Write(resBody)
 		},
 		Enabled:                true,
 		UseSystemAccessControl: false,
 	})
 	if err != nil {
 		SystemWideLogger.PrintAndLog("ACME", "Unable register temp port for DNS resolver", err)
 	}
 }
 // This function check if the renew setup is satisfied. If not, toggle them automatically
 func AcmeCheckAndHandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
 	isForceHttpsRedirectEnabledOriginally := false
 	requireRestorePort80 := false
 	dnsPara, _ := utils.PostBool(r, "dns")
 	if !dnsPara {
 		if dynamicProxyRouter.Option.Port == 443 {
 			//Check if port 80 is enabled
 			if !dynamicProxyRouter.Option.ListenOnPort80 {
 				//Enable port 80 temporarily
 				SystemWideLogger.PrintAndLog("ACME", "Temporarily enabling port 80 listener to handle ACME request ", nil)
 				dynamicProxyRouter.UpdatePort80ListenerState(true)
 				requireRestorePort80 = true
 				time.Sleep(2 * time.Second)
 			}
 			//Enable port 80 to 443 redirect
 			if !dynamicProxyRouter.Option.ForceHttpsRedirect {
 				SystemWideLogger.Println("Temporary enabling HTTP to HTTPS redirect for ACME certificate renew requests")
 				dynamicProxyRouter.UpdateHttpToHttpsRedirectSetting(true)
 			} else {
 				//Set this to true, so after renew, do not turn it off
 				isForceHttpsRedirectEnabledOriginally = true
 			}
 		} else if dynamicProxyRouter.Option.Port == 80 {
 			//Go ahead
 		} else {
 			//This port do not support ACME
 			utils.SendErrorResponse(w, "ACME renew only support web server listening on port 80 (http) or 443 (https)")
 			return
 		}
 	}
 	//Add a 2 second delay to make sure everything is settle down
 	time.Sleep(2 * time.Second)
 	// Pass over to the acmeHandler to deal with the communication
 	acmeHandler.HandleRenewCertificate(w, r)
 	//Update the TLS cert store buffer
 	tlsCertManager.UpdateLoadedCertList()
 	//Restore original settings
 	if requireRestorePort80 {
 		//Restore port 80 listener
 		SystemWideLogger.PrintAndLog("ACME", "Restoring previous port 80 listener settings", nil)
 		dynamicProxyRouter.UpdatePort80ListenerState(false)
 	}
 	if !isForceHttpsRedirectEnabledOriginally {
 		//Default is off. Turn the redirection off
 		SystemWideLogger.PrintAndLog("ACME", "Restoring HTTP to HTTPS redirect settings", nil)
 		dynamicProxyRouter.UpdateHttpToHttpsRedirectSetting(false)
 	}
 }
 // HandleACMEPreferredCA return the user preferred / default CA for new subdomain auto creation
 func HandleACMEPreferredCA(w http.ResponseWriter, r *http.Request) {
 	ca, err := utils.PostPara(r, "set")
 	if err != nil {
 		//Return the current ca to user
 		prefCA := "Let's Encrypt"
 		sysdb.Read("acmepref", "prefca", &prefCA)
 		js, _ := json.Marshal(prefCA)
 		utils.SendJSONResponse(w, string(js))
 	} else {
 		//Check if the CA is supported
 		acme.IsSupportedCA(ca)
 		//Set the new config
 		sysdb.Write("acmepref", "prefca", ca)
 		SystemWideLogger.Println("Updating prefered ACME CA to " + ca)
 		utils.SendOK(w)
 	}
 }
--- a/src/api.go
+++ b/src/api.go
@ -0,0 +1,336 @@
 package main
 import (
 	"encoding/json"
 	"net/http"
 	"net/http/pprof"
 	"imuslab.com/zoraxy/mod/acme/acmedns"
 	"imuslab.com/zoraxy/mod/acme/acmewizard"
 	"imuslab.com/zoraxy/mod/auth"
 	"imuslab.com/zoraxy/mod/ipscan"
 	"imuslab.com/zoraxy/mod/netstat"
 	"imuslab.com/zoraxy/mod/netutils"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	API.go
 	This file contains all the API called by the web management interface
 */
 var requireAuth = true
 func initAPIs(targetMux *http.ServeMux) {
 	authRouter := auth.NewManagedHTTPRouter(auth.RouterOption{
 		AuthAgent:   authAgent,
 		RequireAuth: requireAuth,
 		TargetMux:   targetMux,
 		DeniedHandler: func(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "401 - Unauthorized", http.StatusUnauthorized)
 		},
 	})
 	//Register the standard web services urls
 	fs := http.FileServer(http.FS(webres))
 	if development {
 		fs = http.FileServer(http.Dir("web/"))
 	}
 	//Add a layer of middleware for advance control
 	advHandler := FSHandler(fs)
 	targetMux.Handle("/", advHandler)
 	//Authentication APIs
 	registerAuthAPIs(requireAuth, targetMux)
 	//Reverse proxy
 	authRouter.HandleFunc("/api/proxy/enable", ReverseProxyHandleOnOff)
 	authRouter.HandleFunc("/api/proxy/add", ReverseProxyHandleAddEndpoint)
 	authRouter.HandleFunc("/api/proxy/status", ReverseProxyStatus)
 	authRouter.HandleFunc("/api/proxy/toggle", ReverseProxyToggleRuleSet)
 	authRouter.HandleFunc("/api/proxy/list", ReverseProxyList)
 	authRouter.HandleFunc("/api/proxy/detail", ReverseProxyListDetail)
 	authRouter.HandleFunc("/api/proxy/edit", ReverseProxyHandleEditEndpoint)
 	authRouter.HandleFunc("/api/proxy/setAlias", ReverseProxyHandleAlias)
 	authRouter.HandleFunc("/api/proxy/del", DeleteProxyEndpoint)
 	authRouter.HandleFunc("/api/proxy/updateCredentials", UpdateProxyBasicAuthCredentials)
 	authRouter.HandleFunc("/api/proxy/tlscheck", HandleCheckSiteSupportTLS)
 	authRouter.HandleFunc("/api/proxy/setIncoming", HandleIncomingPortSet)
 	authRouter.HandleFunc("/api/proxy/useHttpsRedirect", HandleUpdateHttpsRedirect)
 	authRouter.HandleFunc("/api/proxy/listenPort80", HandleUpdatePort80Listener)
 	authRouter.HandleFunc("/api/proxy/requestIsProxied", HandleManagementProxyCheck)
 	authRouter.HandleFunc("/api/proxy/developmentMode", HandleDevelopmentModeChange)
 	//Reverse proxy upstream (load balance) APIs
 	authRouter.HandleFunc("/api/proxy/upstream/list", ReverseProxyUpstreamList)
 	authRouter.HandleFunc("/api/proxy/upstream/add", ReverseProxyUpstreamAdd)
 	authRouter.HandleFunc("/api/proxy/upstream/setPriority", ReverseProxyUpstreamSetPriority)
 	authRouter.HandleFunc("/api/proxy/upstream/update", ReverseProxyUpstreamUpdate)
 	authRouter.HandleFunc("/api/proxy/upstream/remove", ReverseProxyUpstreamDelete)
 	//Reverse proxy virtual directory APIs
 	authRouter.HandleFunc("/api/proxy/vdir/list", ReverseProxyListVdir)
 	authRouter.HandleFunc("/api/proxy/vdir/add", ReverseProxyAddVdir)
 	authRouter.HandleFunc("/api/proxy/vdir/del", ReverseProxyDeleteVdir)
 	authRouter.HandleFunc("/api/proxy/vdir/edit", ReverseProxyEditVdir)
 	//Reverse proxy user define header apis
 	authRouter.HandleFunc("/api/proxy/header/list", HandleCustomHeaderList)
 	authRouter.HandleFunc("/api/proxy/header/add", HandleCustomHeaderAdd)
 	authRouter.HandleFunc("/api/proxy/header/remove", HandleCustomHeaderRemove)
 	authRouter.HandleFunc("/api/proxy/header/handleHSTS", HandleHSTSState)
 	authRouter.HandleFunc("/api/proxy/header/handleHopByHop", HandleHopByHop)
 	authRouter.HandleFunc("/api/proxy/header/handleHostOverwrite", HandleHostOverwrite)
 	authRouter.HandleFunc("/api/proxy/header/handlePermissionPolicy", HandlePermissionPolicy)
 	//Reverse proxy auth related APIs
 	authRouter.HandleFunc("/api/proxy/auth/exceptions/list", ListProxyBasicAuthExceptionPaths)
 	authRouter.HandleFunc("/api/proxy/auth/exceptions/add", AddProxyBasicAuthExceptionPaths)
 	authRouter.HandleFunc("/api/proxy/auth/exceptions/delete", RemoveProxyBasicAuthExceptionPaths)
 	//TLS / SSL config
 	authRouter.HandleFunc("/api/cert/tls", handleToggleTLSProxy)
 	authRouter.HandleFunc("/api/cert/tlsRequireLatest", handleSetTlsRequireLatest)
 	authRouter.HandleFunc("/api/cert/upload", handleCertUpload)
 	authRouter.HandleFunc("/api/cert/download", handleCertDownload)
 	authRouter.HandleFunc("/api/cert/list", handleListCertificate)
 	authRouter.HandleFunc("/api/cert/listdomains", handleListDomains)
 	authRouter.HandleFunc("/api/cert/checkDefault", handleDefaultCertCheck)
 	authRouter.HandleFunc("/api/cert/delete", handleCertRemove)
 	//SSO and Oauth
 	authRouter.HandleFunc("/api/sso/status", ssoHandler.HandleSSOStatus)
 	authRouter.HandleFunc("/api/sso/enable", ssoHandler.HandleSSOEnable)
 	authRouter.HandleFunc("/api/sso/setPort", ssoHandler.HandlePortChange)
 	authRouter.HandleFunc("/api/sso/setAuthURL", ssoHandler.HandleSetAuthURL)
 	authRouter.HandleFunc("/api/sso/app/register", ssoHandler.HandleRegisterApp)
 	//authRouter.HandleFunc("/api/sso/app/list", ssoHandler.HandleListApp)
 	//authRouter.HandleFunc("/api/sso/app/remove", ssoHandler.HandleRemoveApp)
 	authRouter.HandleFunc("/api/sso/user/list", ssoHandler.HandleListUser)
 	authRouter.HandleFunc("/api/sso/user/add", ssoHandler.HandleAddUser)
 	authRouter.HandleFunc("/api/sso/user/edit", ssoHandler.HandleEditUser)
 	authRouter.HandleFunc("/api/sso/user/remove", ssoHandler.HandleRemoveUser)
 	//Redirection config
 	authRouter.HandleFunc("/api/redirect/list", handleListRedirectionRules)
 	authRouter.HandleFunc("/api/redirect/add", handleAddRedirectionRule)
 	authRouter.HandleFunc("/api/redirect/delete", handleDeleteRedirectionRule)
 	authRouter.HandleFunc("/api/redirect/regex", handleToggleRedirectRegexpSupport)
 	//Access Rules API
 	authRouter.HandleFunc("/api/access/list", handleListAccessRules)
 	authRouter.HandleFunc("/api/access/attach", handleAttachRuleToHost)
 	authRouter.HandleFunc("/api/access/create", handleCreateAccessRule)
 	authRouter.HandleFunc("/api/access/remove", handleRemoveAccessRule)
 	authRouter.HandleFunc("/api/access/update", handleUpadateAccessRule)
 	//Blacklist APIs
 	authRouter.HandleFunc("/api/blacklist/list", handleListBlacklisted)
 	authRouter.HandleFunc("/api/blacklist/country/add", handleCountryBlacklistAdd)
 	authRouter.HandleFunc("/api/blacklist/country/remove", handleCountryBlacklistRemove)
 	authRouter.HandleFunc("/api/blacklist/ip/add", handleIpBlacklistAdd)
 	authRouter.HandleFunc("/api/blacklist/ip/remove", handleIpBlacklistRemove)
 	authRouter.HandleFunc("/api/blacklist/enable", handleBlacklistEnable)
 	//Whitelist APIs
 	authRouter.HandleFunc("/api/whitelist/list", handleListWhitelisted)
 	authRouter.HandleFunc("/api/whitelist/country/add", handleCountryWhitelistAdd)
 	authRouter.HandleFunc("/api/whitelist/country/remove", handleCountryWhitelistRemove)
 	authRouter.HandleFunc("/api/whitelist/ip/add", handleIpWhitelistAdd)
 	authRouter.HandleFunc("/api/whitelist/ip/remove", handleIpWhitelistRemove)
 	authRouter.HandleFunc("/api/whitelist/enable", handleWhitelistEnable)
 	//Path Blocker APIs
 	authRouter.HandleFunc("/api/pathrule/add", pathRuleHandler.HandleAddBlockingPath)
 	authRouter.HandleFunc("/api/pathrule/list", pathRuleHandler.HandleListBlockingPath)
 	authRouter.HandleFunc("/api/pathrule/remove", pathRuleHandler.HandleRemoveBlockingPath)
 	//Statistic & uptime monitoring API
 	authRouter.HandleFunc("/api/stats/summary", statisticCollector.HandleTodayStatLoad)
 	authRouter.HandleFunc("/api/stats/countries", HandleCountryDistrSummary)
 	authRouter.HandleFunc("/api/stats/netstat", netstatBuffers.HandleGetNetworkInterfaceStats)
 	authRouter.HandleFunc("/api/stats/netstatgraph", netstatBuffers.HandleGetBufferedNetworkInterfaceStats)
 	authRouter.HandleFunc("/api/stats/listnic", netstat.HandleListNetworkInterfaces)
 	authRouter.HandleFunc("/api/utm/list", HandleUptimeMonitorListing)
 	//Global Area Network APIs
 	authRouter.HandleFunc("/api/gan/network/info", ganManager.HandleGetNodeID)
 	authRouter.HandleFunc("/api/gan/network/add", ganManager.HandleAddNetwork)
 	authRouter.HandleFunc("/api/gan/network/remove", ganManager.HandleRemoveNetwork)
 	authRouter.HandleFunc("/api/gan/network/list", ganManager.HandleListNetwork)
 	authRouter.HandleFunc("/api/gan/network/name", ganManager.HandleNetworkNaming)
 	//authRouter.HandleFunc("/api/gan/network/detail", ganManager.HandleNetworkDetails)
 	authRouter.HandleFunc("/api/gan/network/setRange", ganManager.HandleSetRanges)
 	authRouter.HandleFunc("/api/gan/network/join", ganManager.HandleServerJoinNetwork)
 	authRouter.HandleFunc("/api/gan/network/leave", ganManager.HandleServerLeaveNetwork)
 	authRouter.HandleFunc("/api/gan/members/list", ganManager.HandleMemberList)
 	authRouter.HandleFunc("/api/gan/members/ip", ganManager.HandleMemberIP)
 	authRouter.HandleFunc("/api/gan/members/name", ganManager.HandleMemberNaming)
 	authRouter.HandleFunc("/api/gan/members/authorize", ganManager.HandleMemberAuthorization)
 	authRouter.HandleFunc("/api/gan/members/delete", ganManager.HandleMemberDelete)
 	//Stream (TCP / UDP) Proxy
 	authRouter.HandleFunc("/api/streamprox/config/add", streamProxyManager.HandleAddProxyConfig)
 	authRouter.HandleFunc("/api/streamprox/config/edit", streamProxyManager.HandleEditProxyConfigs)
 	authRouter.HandleFunc("/api/streamprox/config/list", streamProxyManager.HandleListConfigs)
 	authRouter.HandleFunc("/api/streamprox/config/start", streamProxyManager.HandleStartProxy)
 	authRouter.HandleFunc("/api/streamprox/config/stop", streamProxyManager.HandleStopProxy)
 	authRouter.HandleFunc("/api/streamprox/config/delete", streamProxyManager.HandleRemoveProxy)
 	authRouter.HandleFunc("/api/streamprox/config/status", streamProxyManager.HandleGetProxyStatus)
 	//mDNS APIs
 	authRouter.HandleFunc("/api/mdns/list", HandleMdnsListing)
 	authRouter.HandleFunc("/api/mdns/discover", HandleMdnsScanning)
 	//Zoraxy Analytic
 	authRouter.HandleFunc("/api/analytic/list", AnalyticLoader.HandleSummaryList)
 	authRouter.HandleFunc("/api/analytic/load", AnalyticLoader.HandleLoadTargetDaySummary)
 	authRouter.HandleFunc("/api/analytic/loadRange", AnalyticLoader.HandleLoadTargetRangeSummary)
 	authRouter.HandleFunc("/api/analytic/exportRange", AnalyticLoader.HandleRangeExport)
 	authRouter.HandleFunc("/api/analytic/resetRange", AnalyticLoader.HandleRangeReset)
 	//Network utilities
 	authRouter.HandleFunc("/api/tools/ipscan", ipscan.HandleIpScan)
 	authRouter.HandleFunc("/api/tools/portscan", ipscan.HandleScanPort)
 	authRouter.HandleFunc("/api/tools/traceroute", netutils.HandleTraceRoute)
 	authRouter.HandleFunc("/api/tools/ping", netutils.HandlePing)
 	authRouter.HandleFunc("/api/tools/whois", netutils.HandleWhois)
 	authRouter.HandleFunc("/api/tools/webssh", HandleCreateProxySession)
 	authRouter.HandleFunc("/api/tools/websshSupported", HandleWebSshSupportCheck)
 	authRouter.HandleFunc("/api/tools/wol", HandleWakeOnLan)
 	authRouter.HandleFunc("/api/tools/smtp/get", HandleSMTPGet)
 	authRouter.HandleFunc("/api/tools/smtp/set", HandleSMTPSet)
 	authRouter.HandleFunc("/api/tools/smtp/admin", HandleAdminEmailGet)
 	authRouter.HandleFunc("/api/tools/smtp/test", HandleTestEmailSend)
 	authRouter.HandleFunc("/api/tools/fwdproxy/enable", forwardProxy.HandleToogle)
 	authRouter.HandleFunc("/api/tools/fwdproxy/port", forwardProxy.HandlePort)
 	//Account Reset
 	targetMux.HandleFunc("/api/account/reset", HandleAdminAccountResetEmail)
 	targetMux.HandleFunc("/api/account/new", HandleNewPasswordSetup)
 	//ACME & Auto Renewer
 	authRouter.HandleFunc("/api/acme/listExpiredDomains", acmeHandler.HandleGetExpiredDomains)
 	authRouter.HandleFunc("/api/acme/obtainCert", AcmeCheckAndHandleRenewCertificate)
 	authRouter.HandleFunc("/api/acme/autoRenew/enable", acmeAutoRenewer.HandleAutoRenewEnable)
 	authRouter.HandleFunc("/api/acme/autoRenew/ca", HandleACMEPreferredCA)
 	authRouter.HandleFunc("/api/acme/autoRenew/email", acmeAutoRenewer.HandleACMEEmail)
 	authRouter.HandleFunc("/api/acme/autoRenew/setDomains", acmeAutoRenewer.HandleSetAutoRenewDomains)
 	authRouter.HandleFunc("/api/acme/autoRenew/setEAB", acmeAutoRenewer.HanldeSetEAB)
 	authRouter.HandleFunc("/api/acme/autoRenew/setDNS", acmeAutoRenewer.HanldeSetDNS)
 	authRouter.HandleFunc("/api/acme/autoRenew/listDomains", acmeAutoRenewer.HandleLoadAutoRenewDomains)
 	authRouter.HandleFunc("/api/acme/autoRenew/renewPolicy", acmeAutoRenewer.HandleRenewPolicy)
 	authRouter.HandleFunc("/api/acme/autoRenew/renewNow", acmeAutoRenewer.HandleRenewNow)
 	authRouter.HandleFunc("/api/acme/dns/providers", acmedns.HandleServeProvidersJson)
 	authRouter.HandleFunc("/api/acme/wizard", acmewizard.HandleGuidedStepCheck) //ACME Wizard
 	//Static Web Server
 	authRouter.HandleFunc("/api/webserv/status", staticWebServer.HandleGetStatus)
 	authRouter.HandleFunc("/api/webserv/start", staticWebServer.HandleStartServer)
 	authRouter.HandleFunc("/api/webserv/stop", staticWebServer.HandleStopServer)
 	authRouter.HandleFunc("/api/webserv/setPort", HandleStaticWebServerPortChange)
 	authRouter.HandleFunc("/api/webserv/setDirList", staticWebServer.SetEnableDirectoryListing)
 	if *allowWebFileManager {
 		//Web Directory Manager file operation functions
 		authRouter.HandleFunc("/api/fs/list", staticWebServer.FileManager.HandleList)
 		authRouter.HandleFunc("/api/fs/upload", staticWebServer.FileManager.HandleUpload)
 		authRouter.HandleFunc("/api/fs/download", staticWebServer.FileManager.HandleDownload)
 		authRouter.HandleFunc("/api/fs/newFolder", staticWebServer.FileManager.HandleNewFolder)
 		authRouter.HandleFunc("/api/fs/copy", staticWebServer.FileManager.HandleFileCopy)
 		authRouter.HandleFunc("/api/fs/move", staticWebServer.FileManager.HandleFileMove)
 		authRouter.HandleFunc("/api/fs/properties", staticWebServer.FileManager.HandleFileProperties)
 		authRouter.HandleFunc("/api/fs/del", staticWebServer.FileManager.HandleFileDelete)
 	}
 	//Docker UX Optimizations
 	authRouter.HandleFunc("/api/docker/available", DockerUXOptimizer.HandleDockerAvailable)
 	authRouter.HandleFunc("/api/docker/containers", DockerUXOptimizer.HandleDockerContainersList)
 	//Others
 	targetMux.HandleFunc("/api/info/x", HandleZoraxyInfo)
 	authRouter.HandleFunc("/api/info/geoip", HandleGeoIpLookup)
 	authRouter.HandleFunc("/api/conf/export", ExportConfigAsZip)
 	authRouter.HandleFunc("/api/conf/import", ImportConfigFromZip)
 	authRouter.HandleFunc("/api/log/list", LogViewer.HandleListLog)
 	authRouter.HandleFunc("/api/log/read", LogViewer.HandleReadLog)
 	//Debug
 	authRouter.HandleFunc("/api/info/pprof", pprof.Index)
 	//If you got APIs to add, append them here
 }
 // Function to renders Auth related APIs
 func registerAuthAPIs(requireAuth bool, targetMux *http.ServeMux) {
 	//Auth APIs
 	targetMux.HandleFunc("/api/auth/login", authAgent.HandleLogin)
 	targetMux.HandleFunc("/api/auth/logout", authAgent.HandleLogout)
 	targetMux.HandleFunc("/api/auth/checkLogin", func(w http.ResponseWriter, r *http.Request) {
 		if requireAuth {
 			authAgent.CheckLogin(w, r)
 		} else {
 			utils.SendJSONResponse(w, "true")
 		}
 	})
 	targetMux.HandleFunc("/api/auth/username", func(w http.ResponseWriter, r *http.Request) {
 		username, err := authAgent.GetUserName(w, r)
 		if err != nil {
 			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 			return
 		}
 		js, _ := json.Marshal(username)
 		utils.SendJSONResponse(w, string(js))
 	})
 	targetMux.HandleFunc("/api/auth/userCount", func(w http.ResponseWriter, r *http.Request) {
 		uc := authAgent.GetUserCounts()
 		js, _ := json.Marshal(uc)
 		utils.SendJSONResponse(w, string(js))
 	})
 	targetMux.HandleFunc("/api/auth/register", func(w http.ResponseWriter, r *http.Request) {
 		if authAgent.GetUserCounts() == 0 {
 			//Allow register root admin
 			authAgent.HandleRegisterWithoutEmail(w, r, func(username, reserved string) {
 			})
 		} else {
 			//This function is disabled
 			utils.SendErrorResponse(w, "Root management account already exists")
 		}
 	})
 	targetMux.HandleFunc("/api/auth/changePassword", func(w http.ResponseWriter, r *http.Request) {
 		username, err := authAgent.GetUserName(w, r)
 		if err != nil {
 			http.Error(w, "401 - Unauthorized", http.StatusUnauthorized)
 			return
 		}
 		oldPassword, err := utils.PostPara(r, "oldPassword")
 		if err != nil {
 			utils.SendErrorResponse(w, "empty current password")
 			return
 		}
 		newPassword, err := utils.PostPara(r, "newPassword")
 		if err != nil {
 			utils.SendErrorResponse(w, "empty new password")
 			return
 		}
 		confirmPassword, _ := utils.PostPara(r, "confirmPassword")
 		if newPassword != confirmPassword {
 			utils.SendErrorResponse(w, "confirm password not match")
 			return
 		}
 		//Check if the old password correct
 		oldPasswordCorrect, _ := authAgent.ValidateUsernameAndPasswordWithReason(username, oldPassword)
 		if !oldPasswordCorrect {
 			utils.SendErrorResponse(w, "Invalid current password given")
 			return
 		}
 		//Change the password of the root user
 		authAgent.UnregisterUser(username)
 		authAgent.CreateUserAccount(username, newPassword, "")
 	})
 }
--- a/src/cert.go
+++ b/src/cert.go
@ -0,0 +1,363 @@
 package main
 import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"imuslab.com/zoraxy/mod/acme"
 	"imuslab.com/zoraxy/mod/utils"
 )
 // Check if the default certificates is correctly setup
 func handleDefaultCertCheck(w http.ResponseWriter, r *http.Request) {
 	type CheckResult struct {
 		DefaultPubExists bool
 		DefaultPriExists bool
 	}
 	pub, pri := tlsCertManager.DefaultCertExistsSep()
 	js, _ := json.Marshal(CheckResult{
 		pub,
 		pri,
 	})
 	utils.SendJSONResponse(w, string(js))
 }
 // Return a list of domains where the certificates covers
 func handleListCertificate(w http.ResponseWriter, r *http.Request) {
 	filenames, err := tlsCertManager.ListCertDomains()
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	showDate, _ := utils.GetPara(r, "date")
 	if showDate == "true" {
 		type CertInfo struct {
 			Domain           string
 			LastModifiedDate string
 			ExpireDate       string
 			RemainingDays    int
 			UseDNS           bool
 		}
 		results := []*CertInfo{}
 		for _, filename := range filenames {
 			certFilepath := filepath.Join(tlsCertManager.CertStore, filename+".pem")
 			//keyFilepath := filepath.Join(tlsCertManager.CertStore, filename+".key")
 			fileInfo, err := os.Stat(certFilepath)
 			if err != nil {
 				utils.SendErrorResponse(w, "invalid domain certificate discovered: "+filename)
 				return
 			}
 			modifiedTime := fileInfo.ModTime().Format("2006-01-02 15:04:05")
 			certExpireTime := "Unknown"
 			certBtyes, err := os.ReadFile(certFilepath)
 			expiredIn := 0
 			if err != nil {
 				//Unable to load this file
 				continue
 			} else {
 				//Cert loaded. Check its expire time
 				block, _ := pem.Decode(certBtyes)
 				if block != nil {
 					cert, err := x509.ParseCertificate(block.Bytes)
 					if err == nil {
 						certExpireTime = cert.NotAfter.Format("2006-01-02 15:04:05")
 						duration := cert.NotAfter.Sub(time.Now())
 						// Convert the duration to days
 						expiredIn = int(duration.Hours() / 24)
 					}
 				}
 			}
 			certInfoFilename := filepath.Join(tlsCertManager.CertStore, filename+".json")
 			useDNSValidation := false                                //Default to false for HTTP TLS certificates
 			certInfo, err := acme.LoadCertInfoJSON(certInfoFilename) //Note: Not all certs have info json
 			if err == nil {
 				useDNSValidation = certInfo.UseDNS
 			}
 			thisCertInfo := CertInfo{
 				Domain:           filename,
 				LastModifiedDate: modifiedTime,
 				ExpireDate:       certExpireTime,
 				RemainingDays:    expiredIn,
 				UseDNS:           useDNSValidation,
 			}
 			results = append(results, &thisCertInfo)
 		}
 		js, _ := json.Marshal(results)
 		w.Header().Set("Content-Type", "application/json")
 		w.Write(js)
 	} else {
 		response, err := json.Marshal(filenames)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
 		w.Header().Set("Content-Type", "application/json")
 		w.Write(response)
 	}
 }
 // List all certificates and map all their domains to the cert filename
 func handleListDomains(w http.ResponseWriter, r *http.Request) {
 	filenames, err := os.ReadDir("./conf/certs/")
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	certnameToDomainMap := map[string]string{}
 	for _, filename := range filenames {
 		if filename.IsDir() {
 			continue
 		}
 		certFilepath := filepath.Join("./conf/certs/", filename.Name())
 		certBtyes, err := os.ReadFile(certFilepath)
 		if err != nil {
 			// Unable to load this file
 			SystemWideLogger.PrintAndLog("TLS", "Unable to load certificate: "+certFilepath, err)
 			continue
 		} else {
 			// Cert loaded. Check its expiry time
 			block, _ := pem.Decode(certBtyes)
 			if block != nil {
 				cert, err := x509.ParseCertificate(block.Bytes)
 				if err == nil {
 					certname := strings.TrimSuffix(filepath.Base(certFilepath), filepath.Ext(certFilepath))
 					for _, dnsName := range cert.DNSNames {
 						certnameToDomainMap[dnsName] = certname
 					}
 					certnameToDomainMap[cert.Subject.CommonName] = certname
 				}
 			}
 		}
 	}
 	requireCompact, _ := utils.GetPara(r, "compact")
 	if requireCompact == "true" {
 		result := make(map[string][]string)
 		for key, value := range certnameToDomainMap {
 			if _, ok := result[value]; !ok {
 				result[value] = make([]string, 0)
 			}
 			result[value] = append(result[value], key)
 		}
 		js, _ := json.Marshal(result)
 		utils.SendJSONResponse(w, string(js))
 		return
 	}
 	js, _ := json.Marshal(certnameToDomainMap)
 	utils.SendJSONResponse(w, string(js))
 }
 // Handle front-end toggling TLS mode
 func handleToggleTLSProxy(w http.ResponseWriter, r *http.Request) {
 	currentTlsSetting := false
 	if sysdb.KeyExists("settings", "usetls") {
 		sysdb.Read("settings", "usetls", &currentTlsSetting)
 	}
 	if r.Method == http.MethodGet {
 		//Get the current status
 		js, _ := json.Marshal(currentTlsSetting)
 		utils.SendJSONResponse(w, string(js))
 	} else if r.Method == http.MethodPost {
 		newState, err := utils.PostBool(r, "set")
 		if err != nil {
 			utils.SendErrorResponse(w, "new state not set or invalid")
 			return
 		}
 		if newState {
 			sysdb.Write("settings", "usetls", true)
 			SystemWideLogger.Println("Enabling TLS mode on reverse proxy")
 			dynamicProxyRouter.UpdateTLSSetting(true)
 		} else {
 			sysdb.Write("settings", "usetls", false)
 			SystemWideLogger.Println("Disabling TLS mode on reverse proxy")
 			dynamicProxyRouter.UpdateTLSSetting(false)
 		}
 		utils.SendOK(w)
 	} else {
 		http.Error(w, "405 - Method not allowed", http.StatusMethodNotAllowed)
 	}
 }
 // Handle the GET and SET of reverse proxy TLS versions
 func handleSetTlsRequireLatest(w http.ResponseWriter, r *http.Request) {
 	newState, err := utils.PostPara(r, "set")
 	if err != nil {
 		//GET
 		var reqLatestTLS bool = false
 		if sysdb.KeyExists("settings", "forceLatestTLS") {
 			sysdb.Read("settings", "forceLatestTLS", &reqLatestTLS)
 		}
 		js, _ := json.Marshal(reqLatestTLS)
 		utils.SendJSONResponse(w, string(js))
 	} else {
 		if newState == "true" {
 			sysdb.Write("settings", "forceLatestTLS", true)
 			SystemWideLogger.Println("Updating minimum TLS version to v1.2 or above")
 			dynamicProxyRouter.UpdateTLSVersion(true)
 		} else if newState == "false" {
 			sysdb.Write("settings", "forceLatestTLS", false)
 			SystemWideLogger.Println("Updating minimum TLS version to v1.0 or above")
 			dynamicProxyRouter.UpdateTLSVersion(false)
 		} else {
 			utils.SendErrorResponse(w, "invalid state given")
 		}
 	}
 }
 // Handle download of the selected certificate
 func handleCertDownload(w http.ResponseWriter, r *http.Request) {
 	// get the certificate name
 	certname, err := utils.GetPara(r, "certname")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid certname given")
 		return
 	}
 	certname = filepath.Base(certname) //prevent path escape
 	// check if the cert exists
 	pubKey := filepath.Join(filepath.Join("./conf/certs"), certname+".key")
 	priKey := filepath.Join(filepath.Join("./conf/certs"), certname+".pem")
 	if utils.FileExists(pubKey) && utils.FileExists(priKey) {
 		//Zip them and serve them via http download
 		seeking, _ := utils.GetBool(r, "seek")
 		if seeking {
 			//This request only check if the key exists. Do not provide download
 			utils.SendOK(w)
 			return
 		}
 		//Serve both file in zip
 		zipTmpFolder := "./tmp/download"
 		os.MkdirAll(zipTmpFolder, 0775)
 		zipFileName := filepath.Join(zipTmpFolder, certname+".zip")
 		err := utils.ZipFiles(zipFileName, pubKey, priKey)
 		if err != nil {
 			http.Error(w, "Failed to create zip file", http.StatusInternalServerError)
 			return
 		}
 		defer os.Remove(zipFileName) // Clean up the zip file after serving
 		// Serve the zip file
 		w.Header().Set("Content-Disposition", "attachment; filename=\""+certname+"_export.zip\"")
 		w.Header().Set("Content-Type", "application/zip")
 		http.ServeFile(w, r, zipFileName)
 	} else {
 		//Not both key exists
 		utils.SendErrorResponse(w, "invalid key-pairs: private key or public key not found in key store")
 		return
 	}
 }
 // Handle upload of the certificate
 func handleCertUpload(w http.ResponseWriter, r *http.Request) {
 	// check if request method is POST
 	if r.Method != "POST" {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 	// get the key type
 	keytype, err := utils.GetPara(r, "ktype")
 	overWriteFilename := ""
 	if err != nil {
 		http.Error(w, "Not defined key type (pub / pri)", http.StatusBadRequest)
 		return
 	}
 	// get the domain
 	domain, err := utils.GetPara(r, "domain")
 	if err != nil {
 		//Assume localhost
 		domain = "default"
 	}
 	if keytype == "pub" {
 		overWriteFilename = domain + ".pem"
 	} else if keytype == "pri" {
 		overWriteFilename = domain + ".key"
 	} else {
 		http.Error(w, "Not supported keytype: "+keytype, http.StatusBadRequest)
 		return
 	}
 	// parse multipart form data
 	err = r.ParseMultipartForm(10 << 20) // 10 MB
 	if err != nil {
 		http.Error(w, "Failed to parse form data", http.StatusBadRequest)
 		return
 	}
 	// get file from form data
 	file, _, err := r.FormFile("file")
 	if err != nil {
 		http.Error(w, "Failed to get file", http.StatusBadRequest)
 		return
 	}
 	defer file.Close()
 	// create file in upload directory
 	os.MkdirAll("./conf/certs", 0775)
 	f, err := os.Create(filepath.Join("./conf/certs", overWriteFilename))
 	if err != nil {
 		http.Error(w, "Failed to create file", http.StatusInternalServerError)
 		return
 	}
 	defer f.Close()
 	// copy file contents to destination file
 	_, err = io.Copy(f, file)
 	if err != nil {
 		http.Error(w, "Failed to save file", http.StatusInternalServerError)
 		return
 	}
 	//Update cert list
 	tlsCertManager.UpdateLoadedCertList()
 	// send response
 	fmt.Fprintln(w, "File upload successful!")
 }
 // Handle cert remove
 func handleCertRemove(w http.ResponseWriter, r *http.Request) {
 	domain, err := utils.PostPara(r, "domain")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid domain given")
 		return
 	}
 	err = tlsCertManager.RemoveCert(domain)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 	}
 }
--- a/src/config.go
+++ b/src/config.go
@ -0,0 +1,357 @@
 package main
 import (
 	"archive/zip"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
 	"imuslab.com/zoraxy/mod/dynamicproxy"
 	"imuslab.com/zoraxy/mod/dynamicproxy/loadbalance"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	Reverse Proxy Configs
 	The following section handle
 	the reverse proxy configs
 */
 type Record struct {
 	ProxyType               string
 	Rootname                string
 	ProxyTarget             string
 	UseTLS                  bool
 	BypassGlobalTLS         bool
 	SkipTlsValidation       bool
 	RequireBasicAuth        bool
 	BasicAuthCredentials    []*dynamicproxy.BasicAuthCredentials
 	BasicAuthExceptionRules []*dynamicproxy.BasicAuthExceptionRule
 }
 /*
 Load Reverse Proxy Config from file and append it to current runtime proxy router
 */
 func LoadReverseProxyConfig(configFilepath string) error {
 	//Load the config file from disk
 	endpointConfig, err := os.ReadFile(configFilepath)
 	if err != nil {
 		return err
 	}
 	//Parse it into dynamic proxy endpoint
 	thisConfigEndpoint := dynamicproxy.ProxyEndpoint{}
 	err = json.Unmarshal(endpointConfig, &thisConfigEndpoint)
 	if err != nil {
 		return err
 	}
 	//Matching domain not set. Assume root
 	if thisConfigEndpoint.RootOrMatchingDomain == "" {
 		thisConfigEndpoint.RootOrMatchingDomain = "/"
 	}
 	if thisConfigEndpoint.ProxyType == dynamicproxy.ProxyType_Root {
 		//This is a root config file
 		rootProxyEndpoint, err := dynamicProxyRouter.PrepareProxyRoute(&thisConfigEndpoint)
 		if err != nil {
 			return err
 		}
 		dynamicProxyRouter.SetProxyRouteAsRoot(rootProxyEndpoint)
 	} else if thisConfigEndpoint.ProxyType == dynamicproxy.ProxyType_Host {
 		//This is a host config file
 		readyProxyEndpoint, err := dynamicProxyRouter.PrepareProxyRoute(&thisConfigEndpoint)
 		if err != nil {
 			return err
 		}
 		dynamicProxyRouter.AddProxyRouteToRuntime(readyProxyEndpoint)
 	} else {
 		return errors.New("not supported proxy type")
 	}
 	SystemWideLogger.PrintAndLog("proxy-config", thisConfigEndpoint.RootOrMatchingDomain+" -> "+loadbalance.GetUpstreamsAsString(thisConfigEndpoint.ActiveOrigins)+" routing rule loaded", nil)
 	return nil
 }
 func filterProxyConfigFilename(filename string) string {
 	//Filter out wildcard characters
 	filename = strings.ReplaceAll(filename, "*", "(ST)")
 	filename = strings.ReplaceAll(filename, "?", "(QM)")
 	filename = strings.ReplaceAll(filename, "[", "(OB)")
 	filename = strings.ReplaceAll(filename, "]", "(CB)")
 	filename = strings.ReplaceAll(filename, "#", "(HT)")
 	return filepath.ToSlash(filename)
 }
 func SaveReverseProxyConfig(endpoint *dynamicproxy.ProxyEndpoint) error {
 	//Get filename for saving
 	filename := filepath.Join("./conf/proxy/", endpoint.RootOrMatchingDomain+".config")
 	if endpoint.ProxyType == dynamicproxy.ProxyType_Root {
 		filename = "./conf/proxy/root.config"
 	}
 	filename = filterProxyConfigFilename(filename)
 	//Save config to file
 	js, err := json.MarshalIndent(endpoint, "", " ")
 	if err != nil {
 		return err
 	}
 	return os.WriteFile(filename, js, 0775)
 }
 func RemoveReverseProxyConfig(endpoint string) error {
 	filename := filepath.Join("./conf/proxy/", endpoint+".config")
 	if endpoint == "/" {
 		filename = "./conf/proxy/root.config"
 	}
 	filename = filterProxyConfigFilename(filename)
 	if !utils.FileExists(filename) {
 		return errors.New("target endpoint not exists")
 	}
 	return os.Remove(filename)
 }
 // Get the default root config that point to the internal static web server
 // this will be used if root config is not found (new deployment / missing root.config file)
 func GetDefaultRootConfig() (*dynamicproxy.ProxyEndpoint, error) {
 	//Default settings
 	rootProxyEndpoint, err := dynamicProxyRouter.PrepareProxyRoute(&dynamicproxy.ProxyEndpoint{
 		ProxyType:            dynamicproxy.ProxyType_Root,
 		RootOrMatchingDomain: "/",
 		ActiveOrigins: []*loadbalance.Upstream{
 			{
 				OriginIpOrDomain:    "127.0.0.1:" + staticWebServer.GetListeningPort(),
 				RequireTLS:          false,
 				SkipCertValidations: false,
 				Weight:              0,
 			},
 		},
 		InactiveOrigins:         []*loadbalance.Upstream{},
 		BypassGlobalTLS:         false,
 		VirtualDirectories:      []*dynamicproxy.VirtualDirectoryEndpoint{},
 		RequireBasicAuth:        false,
 		BasicAuthCredentials:    []*dynamicproxy.BasicAuthCredentials{},
 		BasicAuthExceptionRules: []*dynamicproxy.BasicAuthExceptionRule{},
 		DefaultSiteOption:       dynamicproxy.DefaultSite_InternalStaticWebServer,
 		DefaultSiteValue:        "",
 	})
 	if err != nil {
 		return nil, err
 	}
 	return rootProxyEndpoint, nil
 }
 /*
 	Importer and Exporter of Zoraxy proxy config
 */
 func ExportConfigAsZip(w http.ResponseWriter, r *http.Request) {
 	includeSysDBRaw, _ := utils.GetPara(r, "includeDB")
 	includeSysDB := false
 	if includeSysDBRaw == "true" {
 		//Include the system database in backup snapshot
 		//Temporary set it to read only
 		sysdb.ReadOnly = true
 		includeSysDB = true
 	}
 	// Specify the folder path to be zipped
 	folderPath := "./conf/"
 	// Set the Content-Type header to indicate it's a zip file
 	w.Header().Set("Content-Type", "application/zip")
 	// Set the Content-Disposition header to specify the file name
 	w.Header().Set("Content-Disposition", "attachment; filename=\"config.zip\"")
 	// Create a zip writer
 	zipWriter := zip.NewWriter(w)
 	defer zipWriter.Close()
 	// Walk through the folder and add files to the zip
 	err := filepath.Walk(folderPath, func(filePath string, fileInfo os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
 		if folderPath == filePath {
 			//Skip root folder
 			return nil
 		}
 		// Create a new file in the zip
 		if !utils.IsDir(filePath) {
 			zipFile, err := zipWriter.Create(filePath)
 			if err != nil {
 				return err
 			}
 			// Open the file on disk
 			file, err := os.Open(filePath)
 			if err != nil {
 				return err
 			}
 			defer file.Close()
 			// Copy the file contents to the zip file
 			_, err = io.Copy(zipFile, file)
 			if err != nil {
 				return err
 			}
 		}
 		return nil
 	})
 	if includeSysDB {
 		//Also zip in the sysdb
 		zipFile, err := zipWriter.Create("sys.db")
 		if err != nil {
 			SystemWideLogger.PrintAndLog("Backup", "Unable to zip sysdb", err)
 			return
 		}
 		// Open the file on disk
 		file, err := os.Open("sys.db")
 		if err != nil {
 			SystemWideLogger.PrintAndLog("Backup", "Unable to open sysdb", err)
 			return
 		}
 		defer file.Close()
 		// Copy the file contents to the zip file
 		_, err = io.Copy(zipFile, file)
 		if err != nil {
 			SystemWideLogger.Println(err)
 			return
 		}
 		//Restore sysdb state
 		sysdb.ReadOnly = false
 	}
 	if err != nil {
 		// Handle the error and send an HTTP response with the error message
 		http.Error(w, fmt.Sprintf("Failed to zip folder: %v", err), http.StatusInternalServerError)
 		return
 	}
 }
 func ImportConfigFromZip(w http.ResponseWriter, r *http.Request) {
 	// Check if the request is a POST with a file upload
 	if r.Method != http.MethodPost {
 		http.Error(w, "Invalid request method", http.StatusBadRequest)
 		return
 	}
 	// Max file size limit (10 MB in this example)
 	r.ParseMultipartForm(10 << 20)
 	// Get the uploaded file
 	file, handler, err := r.FormFile("file")
 	if err != nil {
 		http.Error(w, "Failed to retrieve uploaded file", http.StatusInternalServerError)
 		return
 	}
 	defer file.Close()
 	if filepath.Ext(handler.Filename) != ".zip" {
 		http.Error(w, "Upload file is not a zip file", http.StatusInternalServerError)
 		return
 	}
 	// Create the target directory to unzip the files
 	targetDir := "./conf"
 	if utils.FileExists(targetDir) {
 		//Backup the old config to old
 		os.Rename("./conf", "./conf.old_"+strconv.Itoa(int(time.Now().Unix())))
 	}
 	err = os.MkdirAll(targetDir, os.ModePerm)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("Failed to create target directory: %v", err), http.StatusInternalServerError)
 		return
 	}
 	// Open the zip file
 	zipReader, err := zip.NewReader(file, handler.Size)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("Failed to open zip file: %v", err), http.StatusInternalServerError)
 		return
 	}
 	restoreDatabase := false
 	// Extract each file from the zip archive
 	for _, zipFile := range zipReader.File {
 		// Open the file in the zip archive
 		rc, err := zipFile.Open()
 		if err != nil {
 			http.Error(w, fmt.Sprintf("Failed to open file in zip: %v", err), http.StatusInternalServerError)
 			return
 		}
 		defer rc.Close()
 		// Create the corresponding file on disk
 		zipFile.Name = strings.ReplaceAll(zipFile.Name, "../", "")
 		fmt.Println("Restoring: " + strings.ReplaceAll(zipFile.Name, "\\", "/"))
 		if zipFile.Name == "sys.db" {
 			//Sysdb replacement. Close the database and restore
 			sysdb.Close()
 			restoreDatabase = true
 		} else if !strings.HasPrefix(strings.ReplaceAll(zipFile.Name, "\\", "/"), "conf/") {
 			//Malformed zip file.
 			http.Error(w, fmt.Sprintf("Invalid zip file structure or version too old"), http.StatusInternalServerError)
 			return
 		}
 		//Check if parent dir exists
 		if !utils.FileExists(filepath.Dir(zipFile.Name)) {
 			os.MkdirAll(filepath.Dir(zipFile.Name), 0775)
 		}
 		//Create the file
 		newFile, err := os.Create(zipFile.Name)
 		if err != nil {
 			http.Error(w, fmt.Sprintf("Failed to create file: %v", err), http.StatusInternalServerError)
 			return
 		}
 		defer newFile.Close()
 		// Copy the file contents from the zip to the new file
 		_, err = io.Copy(newFile, rc)
 		if err != nil {
 			http.Error(w, fmt.Sprintf("Failed to extract file from zip: %v", err), http.StatusInternalServerError)
 			return
 		}
 	}
 	// Send a success response
 	w.WriteHeader(http.StatusOK)
 	SystemWideLogger.Println("Configuration restored")
 	fmt.Fprintln(w, "Configuration restored")
 	if restoreDatabase {
 		go func() {
 			SystemWideLogger.Println("Database altered. Restarting in 3 seconds...")
 			time.Sleep(3 * time.Second)
 			os.Exit(0)
 		}()
 	}
 }
--- a/src/emails.go
+++ b/src/emails.go
@ -0,0 +1,288 @@
 package main
 import (
 	"bytes"
 	"encoding/gob"
 	"encoding/json"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"imuslab.com/zoraxy/mod/email"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	SMTP Settings and Test Email Handlers
 */
 func HandleSMTPSet(w http.ResponseWriter, r *http.Request) {
 	hostname, err := utils.PostPara(r, "hostname")
 	if err != nil {
 		utils.SendErrorResponse(w, "hostname cannot be empty")
 		return
 	}
 	portString, err := utils.PostPara(r, "port")
 	if err != nil {
 		utils.SendErrorResponse(w, "port must be a valid integer")
 		return
 	}
 	port, err := strconv.Atoi(portString)
 	if err != nil {
 		utils.SendErrorResponse(w, "port must be a valid integer")
 		return
 	}
 	username, err := utils.PostPara(r, "username")
 	if err != nil {
 		utils.SendErrorResponse(w, "username cannot be empty")
 		return
 	}
 	password, err := utils.PostPara(r, "password")
 	if err != nil {
 		//Empty password. Use old one if exists
 		oldConfig := loadSMTPConfig()
 		if oldConfig.Password == "" {
 			utils.SendErrorResponse(w, "password cannot be empty")
 			return
 		} else {
 			password = oldConfig.Password
 		}
 	}
 	senderAddr, err := utils.PostPara(r, "senderAddr")
 	if err != nil {
 		utils.SendErrorResponse(w, "senderAddr cannot be empty")
 		return
 	}
 	adminAddr, err := utils.PostPara(r, "adminAddr")
 	if err != nil {
 		utils.SendErrorResponse(w, "adminAddr cannot be empty")
 		return
 	}
 	//Set the email sender properties
 	thisEmailSender := email.Sender{
 		Hostname:   strings.TrimSpace(hostname),
 		Port:       port,
 		Username:   strings.TrimSpace(username),
 		Password:   strings.TrimSpace(password),
 		SenderAddr: strings.TrimSpace(senderAddr),
 	}
 	//Write this into database
 	setSMTPConfig(&thisEmailSender)
 	//Update the current EmailSender
 	EmailSender = &thisEmailSender
 	//Set the admin address of password reset
 	setSMTPAdminAddress(adminAddr)
 	//Reply ok
 	utils.SendOK(w)
 }
 func HandleSMTPGet(w http.ResponseWriter, r *http.Request) {
 	// Create a buffer to store the encoded value
 	var buf bytes.Buffer
 	// Encode the original object into the buffer
 	encoder := gob.NewEncoder(&buf)
 	err := encoder.Encode(*EmailSender)
 	if err != nil {
 		utils.SendErrorResponse(w, "Internal encode error")
 		return
 	}
 	// Decode the buffer into a new object
 	var copied email.Sender
 	decoder := gob.NewDecoder(&buf)
 	err = decoder.Decode(&copied)
 	if err != nil {
 		utils.SendErrorResponse(w, "Internal decode error")
 		return
 	}
 	copied.Password = ""
 	js, _ := json.Marshal(copied)
 	utils.SendJSONResponse(w, string(js))
 }
 func HandleAdminEmailGet(w http.ResponseWriter, r *http.Request) {
 	js, _ := json.Marshal(loadSMTPAdminAddr())
 	utils.SendJSONResponse(w, string(js))
 }
 func HandleTestEmailSend(w http.ResponseWriter, r *http.Request) {
 	adminEmailAccount := loadSMTPAdminAddr()
 	if adminEmailAccount == "" {
 		utils.SendErrorResponse(w, "Management account not set")
 		return
 	}
 	err := EmailSender.SendEmail(adminEmailAccount,
 		"SMTP Testing Email | Zoraxy", "This is a test email sent by Zoraxy. Please do not reply to this email.<br>Zoraxy からのテストメールです。このメールには返信しないでください。<br>這是由 Zoraxy 發送的測試電子郵件。請勿回覆此郵件。<br>Ceci est un email de test envoyé par Zoraxy. Merci de ne pas répondre à cet email.<br>Dies ist eine Test-E-Mail, die von Zoraxy gesendet wurde. Bitte antworten Sie nicht auf diese E-Mail.")
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	utils.SendOK(w)
 }
 /*
 	SMTP config
 	The following handle SMTP configs
 */
 func setSMTPConfig(config *email.Sender) error {
 	return sysdb.Write("smtp", "config", config)
 }
 func loadSMTPConfig() *email.Sender {
 	if sysdb.KeyExists("smtp", "config") {
 		thisEmailSender := email.Sender{
 			Port: 587,
 		}
 		err := sysdb.Read("smtp", "config", &thisEmailSender)
 		if err != nil {
 			return &email.Sender{
 				Port: 587,
 			}
 		}
 		return &thisEmailSender
 	} else {
 		//Not set. Return an empty one
 		return &email.Sender{
 			Port: 587,
 		}
 	}
 }
 func setSMTPAdminAddress(adminAddr string) error {
 	return sysdb.Write("smtp", "admin", adminAddr)
 }
 // Load SMTP admin address. Return empty string if not set
 func loadSMTPAdminAddr() string {
 	adminAddr := ""
 	if sysdb.KeyExists("smtp", "admin") {
 		err := sysdb.Read("smtp", "admin", &adminAddr)
 		if err != nil {
 			return ""
 		}
 		return adminAddr
 	} else {
 		return ""
 	}
 }
 /*
 	Admin Account Reset
 */
 var (
 	accountResetEmailDelay   int64  = 30      //Delay between each account reset email, default 30s
 	tokenValidDuration       int64  = 15 * 60 //Duration of the token, default 15 minutes
 	lastAccountResetEmail    int64  = 0       //Timestamp for last sent account reset email
 	passwordResetAccessToken string = ""      //Access token for resetting password
 )
 func HandleAdminAccountResetEmail(w http.ResponseWriter, r *http.Request) {
 	if EmailSender.Username == "" {
 		//Reset account not setup
 		utils.SendErrorResponse(w, "Reset account not setup.")
 		return
 	}
 	if loadSMTPAdminAddr() == "" {
 		utils.SendErrorResponse(w, "Reset account not setup.")
 	}
 	//Check if the delay expired
 	if lastAccountResetEmail+accountResetEmailDelay > time.Now().Unix() {
 		//Too frequent
 		utils.SendErrorResponse(w, "You cannot send another account reset email in cooldown time")
 		return
 	}
 	passwordResetAccessToken = uuid.New().String()
 	//SMTP info exists. Send reset account email
 	lastAccountResetEmail = time.Now().Unix()
 	EmailSender.SendEmail(loadSMTPAdminAddr(), "Management Account Reset | Zoraxy",
 		"Enter the following reset token to reset your password on your Zoraxy router.<br>"+passwordResetAccessToken+"<br><br> This is an automated generated email. DO NOT REPLY TO THIS EMAIL.")
 	utils.SendOK(w)
 }
 func HandleNewPasswordSetup(w http.ResponseWriter, r *http.Request) {
 	if passwordResetAccessToken == "" {
 		//Not initiated
 		utils.SendErrorResponse(w, "Invalid usage")
 		return
 	}
 	username, err := utils.PostPara(r, "username")
 	if err != nil {
 		utils.SendErrorResponse(w, "Invalid username given")
 		return
 	}
 	token, err := utils.PostPara(r, "token")
 	if err != nil {
 		utils.SendErrorResponse(w, "Invalid token given")
 		return
 	}
 	newPassword, err := utils.PostPara(r, "newpw")
 	if err != nil {
 		utils.SendErrorResponse(w, "Invalid new password given")
 		return
 	}
 	token = strings.TrimSpace(token)
 	username = strings.TrimSpace(username)
 	//Validate the token
 	if token != passwordResetAccessToken {
 		utils.SendErrorResponse(w, "Invalid Token")
 		return
 	}
 	//Check if time expired
 	if lastAccountResetEmail+tokenValidDuration < time.Now().Unix() {
 		//Expired
 		utils.SendErrorResponse(w, "Token expired")
 		return
 	}
 	//Check if user exists
 	if !authAgent.UserExists(username) {
 		//Invalid admin account name
 		utils.SendErrorResponse(w, "Invalid Username")
 		return
 	}
 	// Un register the user account
 	if err := authAgent.UnregisterUser(username); err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	//Ok. Set the new password
 	if err := authAgent.CreateUserAccount(username, newPassword, ""); err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	utils.SendOK(w)
 }
--- a/src/go.mod
+++ b/src/go.mod
@ -0,0 +1,210 @@
 module imuslab.com/zoraxy
 go 1.22.0
 toolchain go1.22.2
 require (
 	github.com/boltdb/bolt v1.3.1
 	github.com/docker/docker v27.0.0+incompatible
 	github.com/go-acme/lego/v4 v4.19.2
 	github.com/go-ping/ping v1.1.0
 	github.com/go-session/session v3.1.2+incompatible
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/sessions v1.2.2
 	github.com/gorilla/websocket v1.5.1
 	github.com/grandcat/zeroconf v1.0.0
 	github.com/likexian/whois v1.15.1
 	github.com/microcosm-cc/bluemonday v1.0.26
 	golang.org/x/net v0.29.0
 	golang.org/x/sys v0.25.0
 	golang.org/x/text v0.18.0
 )
 require (
 	cloud.google.com/go/auth v0.9.3 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.114 // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/tidwall/btree v0.0.0-20191029221954-400434d76274 // indirect
 	github.com/tidwall/buntdb v1.1.2 // indirect
 	github.com/tidwall/gjson v1.12.1 // indirect
 	github.com/tidwall/grect v0.0.0-20161006141115-ba9a043346eb // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tidwall/rtree v0.0.0-20180113144539-6cd427091e0e // indirect
 	github.com/tidwall/tinyqueue v0.0.0-20180302190814-1e39f5511563 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/vultr/govultr/v3 v3.9.1 // indirect
 	go.mongodb.org/mongo-driver v1.12.0 // indirect
 )
 require (
 	cloud.google.com/go/compute/metadata v0.5.1 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.2.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/Microsoft/go-winio v0.4.14 // indirect
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.63.15 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.27.33 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
 	github.com/aws/aws-sdk-go-v2/service/lightsail v1.40.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.43.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect
 	github.com/aws/smithy-go v1.20.4 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/civo/civogo v0.3.11 // indirect
 	github.com/cloudflare/cloudflare-go v0.104.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-oauth2/oauth2/v4 v4.5.2
 	github.com/go-resty/resty/v2 v2.13.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.1.0 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gophercloud/gophercloud v1.14.0 // indirect
 	github.com/gorilla/csrf v1.7.2
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/infobloxopen/infoblox-go-client v1.1.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/linode/linodego v1.40.0 // indirect
 	github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.62 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
 	github.com/nrdcg/bunny-go v0.0.0-20240207213615-dde5bf4577a3 // indirect
 	github.com/nrdcg/desec v0.8.0 // indirect
 	github.com/nrdcg/dnspod-go v0.4.0 // indirect
 	github.com/nrdcg/freemyip v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.10.0 // indirect
 	github.com/nrdcg/mailinabox v0.2.0 // indirect
 	github.com/nrdcg/namesilo v0.2.1 // indirect
 	github.com/nrdcg/nodion v0.1.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/ovh/go-ovh v1.6.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/otp v1.4.0 // indirect
 	github.com/sacloud/api-client-go v0.2.10 // indirect
 	github.com/sacloud/go-http v0.1.8 // indirect
 	github.com/sacloud/iaas-api-go v1.12.0 // indirect
 	github.com/sacloud/packages-go v0.0.10 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.30 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
 	github.com/softlayer/softlayer-go v1.1.5 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1002 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1002 // indirect
 	github.com/transip/gotransip/v6 v6.26.0 // indirect
 	github.com/ultradns/ultradns-go-sdk v1.7.0-20240913052650-970ca9a // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
 	github.com/xlzd/gotp v0.1.0
 	github.com/yandex-cloud/go-genproto v0.0.0-20240911120709-1fa0cb6f47c2 // indirect
 	github.com/yandex-cloud/go-sdk v0.0.0-20240911121212-e4e74d0d02f5 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
 	go.opentelemetry.io/otel v1.29.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.uber.org/ratelimit v0.3.0 // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.25.0 // indirect
 	google.golang.org/api v0.197.0 // indirect
 	google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/grpc v1.66.1 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/ns1/ns1-go.v2 v2.12.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )
--- a/src/go.sum
+++ b/src/go.sum
--- a/src/main.go
+++ b/src/main.go
@ -0,0 +1,218 @@
 package main
 import (
 	"embed"
 	"flag"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 	"github.com/google/uuid"
 	"github.com/gorilla/csrf"
 	"imuslab.com/zoraxy/mod/access"
 	"imuslab.com/zoraxy/mod/acme"
 	"imuslab.com/zoraxy/mod/auth"
 	"imuslab.com/zoraxy/mod/auth/sso"
 	"imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/dockerux"
 	"imuslab.com/zoraxy/mod/dynamicproxy/loadbalance"
 	"imuslab.com/zoraxy/mod/dynamicproxy/redirection"
 	"imuslab.com/zoraxy/mod/email"
 	"imuslab.com/zoraxy/mod/forwardproxy"
 	"imuslab.com/zoraxy/mod/ganserv"
 	"imuslab.com/zoraxy/mod/geodb"
 	"imuslab.com/zoraxy/mod/info/logger"
 	"imuslab.com/zoraxy/mod/info/logviewer"
 	"imuslab.com/zoraxy/mod/mdns"
 	"imuslab.com/zoraxy/mod/netstat"
 	"imuslab.com/zoraxy/mod/pathrule"
 	"imuslab.com/zoraxy/mod/sshprox"
 	"imuslab.com/zoraxy/mod/statistic"
 	"imuslab.com/zoraxy/mod/statistic/analytic"
 	"imuslab.com/zoraxy/mod/streamproxy"
 	"imuslab.com/zoraxy/mod/tlscert"
 	"imuslab.com/zoraxy/mod/update"
 	"imuslab.com/zoraxy/mod/uptime"
 	"imuslab.com/zoraxy/mod/utils"
 	"imuslab.com/zoraxy/mod/webserv"
 )
 // General flags
 var webUIPort = flag.String("port", ":8000", "Management web interface listening port")
 var noauth = flag.Bool("noauth", false, "Disable authentication for management interface")
 var showver = flag.Bool("version", false, "Show version of this server")
 var allowSshLoopback = flag.Bool("sshlb", false, "Allow loopback web ssh connection (DANGER)")
 var allowMdnsScanning = flag.Bool("mdns", true, "Enable mDNS scanner and transponder")
 var mdnsName = flag.String("mdnsname", "", "mDNS name, leave empty to use default (zoraxy_{node-uuid}.local)")
 var ztAuthToken = flag.String("ztauth", "", "ZeroTier authtoken for the local node")
 var ztAPIPort = flag.Int("ztport", 9993, "ZeroTier controller API port")
 var runningInDocker = flag.Bool("docker", false, "Run Zoraxy in docker compatibility mode")
 var acmeAutoRenewInterval = flag.Int("autorenew", 86400, "ACME auto TLS/SSL certificate renew check interval (seconds)")
 var acmeCertAutoRenewDays = flag.Int("earlyrenew", 30, "Number of days to early renew a soon expiring certificate (days)")
 var enableHighSpeedGeoIPLookup = flag.Bool("fastgeoip", false, "Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices)")
 var staticWebServerRoot = flag.String("webroot", "./www", "Static web server root folder. Only allow chnage in start paramters")
 var allowWebFileManager = flag.Bool("webfm", true, "Enable web file manager for static web server root folder")
 var enableAutoUpdate = flag.Bool("cfgupgrade", true, "Enable auto config upgrade if breaking change is detected")
 var (
 	name        = "Zoraxy"
 	version     = "3.1.2"
 	nodeUUID    = "generic" //System uuid, in uuidv4 format
 	development = false     //Set this to false to use embedded web fs
 	bootTime    = time.Now().Unix()
 	/*
 		Binary Embedding File System
 	*/
 	//go:embed web/*
 	webres embed.FS
 	/*
 		Handler Modules
 	*/
 	sysdb          *database.Database              //System database
 	authAgent      *auth.AuthAgent                 //Authentication agent
 	tlsCertManager *tlscert.Manager                //TLS / SSL management
 	redirectTable  *redirection.RuleTable          //Handle special redirection rule sets
 	webminPanelMux *http.ServeMux                  //Server mux for handling webmin panel APIs
 	csrfMiddleware func(http.Handler) http.Handler //CSRF protection middleware
 	pathRuleHandler    *pathrule.Handler         //Handle specific path blocking or custom headers
 	geodbStore         *geodb.Store              //GeoIP database, for resolving IP into country code
 	accessController   *access.Controller        //Access controller, handle black list and white list
 	netstatBuffers     *netstat.NetStatBuffers   //Realtime graph buffers
 	statisticCollector *statistic.Collector      //Collecting statistic from visitors
 	uptimeMonitor      *uptime.Monitor           //Uptime monitor service worker
 	mdnsScanner        *mdns.MDNSHost            //mDNS discovery services
 	ganManager         *ganserv.NetworkManager   //Global Area Network Manager
 	webSshManager      *sshprox.Manager          //Web SSH connection service
 	streamProxyManager *streamproxy.Manager      //Stream Proxy Manager for TCP / UDP forwarding
 	acmeHandler        *acme.ACMEHandler         //Handler for ACME Certificate renew
 	acmeAutoRenewer    *acme.AutoRenewer         //Handler for ACME auto renew ticking
 	staticWebServer    *webserv.WebServer        //Static web server for hosting simple stuffs
 	forwardProxy       *forwardproxy.Handler     //HTTP Forward proxy, basically VPN for web browser
 	loadBalancer       *loadbalance.RouteManager //Global scope loadbalancer, store the state of the lb routing
 	ssoHandler         *sso.SSOHandler           //Single Sign On handler
 	//Helper modules
 	EmailSender       *email.Sender         //Email sender that handle email sending
 	AnalyticLoader    *analytic.DataLoader  //Data loader for Zoraxy Analytic
 	DockerUXOptimizer *dockerux.UXOptimizer //Docker user experience optimizer, community contribution only
 	SystemWideLogger  *logger.Logger        //Logger for Zoraxy
 	LogViewer         *logviewer.Viewer
 )
 // Kill signal handler. Do something before the system the core terminate.
 func SetupCloseHandler() {
 	c := make(chan os.Signal, 2)
 	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
 	go func() {
 		<-c
 		ShutdownSeq()
 		os.Exit(0)
 	}()
 }
 func ShutdownSeq() {
 	SystemWideLogger.Println("Shutting down " + name)
 	//SystemWideLogger.Println("Closing GeoDB")
 	//geodbStore.Close()
 	SystemWideLogger.Println("Closing Netstats Listener")
 	netstatBuffers.Close()
 	SystemWideLogger.Println("Closing Statistic Collector")
 	statisticCollector.Close()
 	if mdnsTickerStop != nil {
 		SystemWideLogger.Println("Stopping mDNS Discoverer (might take a few minutes)")
 		// Stop the mdns service
 		mdnsTickerStop <- true
 	}
 	mdnsScanner.Close()
 	SystemWideLogger.Println("Shutting down load balancer")
 	loadBalancer.Close()
 	SystemWideLogger.Println("Closing Certificates Auto Renewer")
 	acmeAutoRenewer.Close()
 	//Remove the tmp folder
 	SystemWideLogger.Println("Cleaning up tmp files")
 	os.RemoveAll("./tmp")
 	//Close database
 	SystemWideLogger.Println("Stopping system database")
 	sysdb.Close()
 	//Close logger
 	SystemWideLogger.Println("Closing system wide logger")
 	SystemWideLogger.Close()
 }
 func main() {
 	//Parse startup flags
 	flag.Parse()
 	if *showver {
 		fmt.Println(name + " - Version " + version)
 		os.Exit(0)
 	}
 	if !utils.ValidateListeningAddress(*webUIPort) {
 		fmt.Println("Malformed -port (listening address) paramter. Do you mean -port=:" + *webUIPort + "?")
 		os.Exit(0)
 	}
 	if *enableAutoUpdate {
 		fmt.Println("Checking required config update")
 		update.RunConfigUpdate(0, update.GetVersionIntFromVersionNumber(version))
 	}
 	SetupCloseHandler()
 	//Read or create the system uuid
 	uuidRecord := "./sys.uuid"
 	if !utils.FileExists(uuidRecord) {
 		newSystemUUID := uuid.New().String()
 		os.WriteFile(uuidRecord, []byte(newSystemUUID), 0775)
 	}
 	uuidBytes, err := os.ReadFile(uuidRecord)
 	if err != nil {
 		SystemWideLogger.PrintAndLog("ZeroTier", "Unable to read system uuid from file system", nil)
 		panic(err)
 	}
 	nodeUUID = string(uuidBytes)
 	//Create a new webmin mux and csrf middleware layer
 	webminPanelMux = http.NewServeMux()
 	csrfMiddleware = csrf.Protect(
 		[]byte(nodeUUID),
 		csrf.CookieName("zoraxy-csrf"),
 		csrf.Secure(false),
 		csrf.Path("/"),
 		csrf.SameSite(csrf.SameSiteLaxMode),
 	)
 	//Startup all modules
 	startupSequence()
 	//Initiate management interface APIs
 	requireAuth = !(*noauth)
 	initAPIs(webminPanelMux)
 	//Start the reverse proxy server in go routine
 	go func() {
 		ReverseProxtInit()
 	}()
 	time.Sleep(500 * time.Millisecond)
 	//Start the finalize sequences
 	finalSequence()
 	SystemWideLogger.Println("Zoraxy started. Visit control panel at http://localhost" + *webUIPort)
 	err = http.ListenAndServe(*webUIPort, csrfMiddleware(webminPanelMux))
 	if err != nil {
 		log.Fatal(err)
 	}
 }
--- a/src/mod/access/access.go
+++ b/src/mod/access/access.go
@ -0,0 +1,221 @@
 package access
 import (
 	"encoding/json"
 	"errors"
 	"os"
 	"path/filepath"
 	"sync"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	Access.go
 	This module is the new version of access control system
 	where now the blacklist / whitelist are seperated from
 	geodb module
 */
 // Create a new access controller to handle blacklist / whitelist
 func NewAccessController(options *Options) (*Controller, error) {
 	sysdb := options.Database
 	if sysdb == nil {
 		return nil, errors.New("missing database access")
 	}
 	//Create the config folder if not exists
 	confFolder := options.ConfigFolder
 	if !utils.FileExists(confFolder) {
 		err := os.MkdirAll(confFolder, 0775)
 		if err != nil {
 			return nil, err
 		}
 	}
 	// Create the global access rule if not exists
 	var defaultAccessRule = AccessRule{
 		ID:                   "default",
 		Name:                 "Default",
 		Desc:                 "Default access rule for all HTTP proxy hosts",
 		BlacklistEnabled:     false,
 		WhitelistEnabled:     false,
 		WhiteListCountryCode: &map[string]string{},
 		WhiteListIP:          &map[string]string{},
 		BlackListContryCode:  &map[string]string{},
 		BlackListIP:          &map[string]string{},
 	}
 	defaultRuleSettingFile := filepath.Join(confFolder, "default.json")
 	if utils.FileExists(defaultRuleSettingFile) {
 		//Load from file
 		defaultRuleBytes, err := os.ReadFile(defaultRuleSettingFile)
 		if err == nil {
 			err = json.Unmarshal(defaultRuleBytes, &defaultAccessRule)
 			if err != nil {
 				options.Logger.PrintAndLog("Access", "Unable to parse default routing rule config file. Using default", err)
 			}
 		}
 	} else {
 		//Create one
 		js, _ := json.MarshalIndent(defaultAccessRule, "", " ")
 		os.WriteFile(defaultRuleSettingFile, js, 0775)
 	}
 	//Generate a controller object
 	thisController := Controller{
 		DefaultAccessRule: &defaultAccessRule,
 		ProxyAccessRule:   &sync.Map{},
 		Options:           options,
 	}
 	//Assign default access rule parent
 	thisController.DefaultAccessRule.parent = &thisController
 	//Load all acccess rules from file
 	configFiles, err := filepath.Glob(options.ConfigFolder + "/*.json")
 	if err != nil {
 		return nil, err
 	}
 	ProxyAccessRules := sync.Map{}
 	for _, configFile := range configFiles {
 		if filepath.Base(configFile) == "default.json" {
 			//Skip this, as this was already loaded as default
 			continue
 		}
 		configContent, err := os.ReadFile(configFile)
 		if err != nil {
 			options.Logger.PrintAndLog("Access", "Unable to load config "+filepath.Base(configFile), err)
 			continue
 		}
 		//Parse the config file into AccessRule
 		thisAccessRule := AccessRule{}
 		err = json.Unmarshal(configContent, &thisAccessRule)
 		if err != nil {
 			options.Logger.PrintAndLog("Access", "Unable to parse config "+filepath.Base(configFile), err)
 			continue
 		}
 		thisAccessRule.parent = &thisController
 		ProxyAccessRules.Store(thisAccessRule.ID, &thisAccessRule)
 	}
 	thisController.ProxyAccessRule = &ProxyAccessRules
 	return &thisController, nil
 }
 // Get the global access rule
 func (c *Controller) GetGlobalAccessRule() (*AccessRule, error) {
 	if c.DefaultAccessRule == nil {
 		return nil, errors.New("global access rule is not set")
 	}
 	return c.DefaultAccessRule, nil
 }
 // Load access rules to runtime, require rule ID
 func (c *Controller) GetAccessRuleByID(accessRuleID string) (*AccessRule, error) {
 	if accessRuleID == "default" || accessRuleID == "" {
 		return c.DefaultAccessRule, nil
 	}
 	//Load from sync.Map, should be O(1)
 	targetRule, ok := c.ProxyAccessRule.Load(accessRuleID)
 	if !ok {
 		return nil, errors.New("target access rule not exists")
 	}
 	ar, ok := targetRule.(*AccessRule)
 	if !ok {
 		return nil, errors.New("assertion of access rule failed, version too old?")
 	}
 	return ar, nil
 }
 // Return all the access rules currently in runtime, including default
 func (c *Controller) ListAllAccessRules() []*AccessRule {
 	results := []*AccessRule{c.DefaultAccessRule}
 	c.ProxyAccessRule.Range(func(key, value interface{}) bool {
 		results = append(results, value.(*AccessRule))
 		return true
 	})
 	return results
 }
 // Check if an access rule exists given the rule id
 func (c *Controller) AccessRuleExists(ruleID string) bool {
 	r, _ := c.GetAccessRuleByID(ruleID)
 	if r != nil {
 		//An access rule with identical ID exists
 		return true
 	}
 	return false
 }
 // Add a new access rule to runtime and save it to file
 func (c *Controller) AddNewAccessRule(newRule *AccessRule) error {
 	r, _ := c.GetAccessRuleByID(newRule.ID)
 	if r != nil {
 		//An access rule with identical ID exists
 		return errors.New("access rule already exists")
 	}
 	//Check if the blacklist and whitelist are populated with empty map
 	if newRule.BlackListContryCode == nil {
 		newRule.BlackListContryCode = &map[string]string{}
 	}
 	if newRule.BlackListIP == nil {
 		newRule.BlackListIP = &map[string]string{}
 	}
 	if newRule.WhiteListCountryCode == nil {
 		newRule.WhiteListCountryCode = &map[string]string{}
 	}
 	if newRule.WhiteListIP == nil {
 		newRule.WhiteListIP = &map[string]string{}
 	}
 	//Add access rule to runtime
 	newRule.parent = c
 	c.ProxyAccessRule.Store(newRule.ID, newRule)
 	//Save rule to file
 	newRule.SaveChanges()
 	return nil
 }
 // Update the access rule meta info.
 func (c *Controller) UpdateAccessRule(ruleID string, name string, desc string) error {
 	targetAccessRule, err := c.GetAccessRuleByID(ruleID)
 	if err != nil {
 		return err
 	}
 	///Update the name and desc
 	targetAccessRule.Name = name
 	targetAccessRule.Desc = desc
 	//Overwrite the rule currently in sync map
 	if ruleID == "default" {
 		c.DefaultAccessRule = targetAccessRule
 	} else {
 		c.ProxyAccessRule.Store(ruleID, targetAccessRule)
 	}
 	return targetAccessRule.SaveChanges()
 }
 // Remove the access rule by its id
 func (c *Controller) RemoveAccessRuleByID(ruleID string) error {
 	if !c.AccessRuleExists(ruleID) {
 		return errors.New("access rule not exists")
 	}
 	//Default cannot be removed
 	if ruleID == "default" {
 		return errors.New("default access rule cannot be removed")
 	}
 	//Remove it
 	return c.DeleteAccessRuleByID(ruleID)
 }
--- a/src/mod/access/accessRule.go
+++ b/src/mod/access/accessRule.go
@ -0,0 +1,153 @@
 package access
 import (
 	"encoding/json"
 	"errors"
 	"net"
 	"os"
 	"path/filepath"
 )
 // Check both blacklist and whitelist for access for both geoIP and ip / CIDR ranges
 func (s *AccessRule) AllowIpAccess(ipaddr string) bool {
 	if s.IsBlacklisted(ipaddr) {
 		return false
 	}
 	return s.IsWhitelisted(ipaddr)
 }
 // Check both blacklist and whitelist for access using net.Conn
 func (s *AccessRule) AllowConnectionAccess(conn net.Conn) bool {
 	if addr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
 		return s.AllowIpAccess(addr.IP.String())
 	}
 	return true
 }
 // Toggle black list
 func (s *AccessRule) ToggleBlacklist(enabled bool) {
 	s.BlacklistEnabled = enabled
 	s.SaveChanges()
 }
 // Toggel white list
 func (s *AccessRule) ToggleWhitelist(enabled bool) {
 	s.WhitelistEnabled = enabled
 	s.SaveChanges()
 }
 /*
 Check if a IP address is blacklisted, in either country or IP blacklist
 IsBlacklisted default return is false (allow access)
 */
 func (s *AccessRule) IsBlacklisted(ipAddr string) bool {
 	if !s.BlacklistEnabled {
 		//Blacklist not enabled. Always return false
 		return false
 	}
 	if ipAddr == "" {
 		//Unable to get the target IP address
 		return false
 	}
 	countryCode, err := s.parent.Options.GeoDB.ResolveCountryCodeFromIP(ipAddr)
 	if err != nil {
 		return false
 	}
 	if s.IsCountryCodeBlacklisted(countryCode.CountryIsoCode) {
 		return true
 	}
 	if s.IsIPBlacklisted(ipAddr) {
 		return true
 	}
 	return false
 }
 /*
 IsWhitelisted check if a given IP address is in the current
 server's white list.
 Note that the Whitelist default result is true even
 when encountered error
 */
 func (s *AccessRule) IsWhitelisted(ipAddr string) bool {
 	if !s.WhitelistEnabled {
 		//Whitelist not enabled. Always return true (allow access)
 		return true
 	}
 	if ipAddr == "" {
 		//Unable to get the target IP address, assume ok
 		return true
 	}
 	countryCode, err := s.parent.Options.GeoDB.ResolveCountryCodeFromIP(ipAddr)
 	if err != nil {
 		return true
 	}
 	if s.IsCountryCodeWhitelisted(countryCode.CountryIsoCode) {
 		return true
 	}
 	if s.IsIPWhitelisted(ipAddr) {
 		return true
 	}
 	return false
 }
 /* Utilities function */
 // Update the current access rule to json file
 func (s *AccessRule) SaveChanges() error {
 	if s.parent == nil {
 		return errors.New("save failed: access rule detached from controller")
 	}
 	saveTarget := filepath.Join(s.parent.Options.ConfigFolder, s.ID+".json")
 	js, err := json.MarshalIndent(s, "", " ")
 	if err != nil {
 		return err
 	}
 	err = os.WriteFile(saveTarget, js, 0775)
 	return err
 }
 // Delete this access rule, this will only delete the config file.
 // for runtime delete, use DeleteAccessRuleByID from parent Controller
 func (s *AccessRule) DeleteConfigFile() error {
 	saveTarget := filepath.Join(s.parent.Options.ConfigFolder, s.ID+".json")
 	return os.Remove(saveTarget)
 }
 // Delete the access rule by given ID
 func (c *Controller) DeleteAccessRuleByID(accessRuleID string) error {
 	targetAccessRule, err := c.GetAccessRuleByID(accessRuleID)
 	if err != nil {
 		return err
 	}
 	//Delete config file associated with this access rule
 	err = targetAccessRule.DeleteConfigFile()
 	if err != nil {
 		return err
 	}
 	//Delete the access rule in runtime
 	c.ProxyAccessRule.Delete(accessRuleID)
 	return nil
 }
 // Create a deep copy object of the access rule list
 func deepCopy(valueList map[string]string) map[string]string {
 	result := map[string]string{}
 	js, _ := json.Marshal(valueList)
 	json.Unmarshal(js, &result)
 	return result
 }
--- a/src/mod/access/blacklist.go
+++ b/src/mod/access/blacklist.go
@ -0,0 +1,94 @@
 package access
 import (
 	"strings"
 	"imuslab.com/zoraxy/mod/netutils"
 )
 /*
 	Blacklist.go
 	This script store the blacklist related functions
 */
 // Geo Blacklist
 func (s *AccessRule) AddCountryCodeToBlackList(countryCode string, comment string) {
 	countryCode = strings.ToLower(countryCode)
 	newBlacklistCountryCode := deepCopy(*s.BlackListContryCode)
 	newBlacklistCountryCode[countryCode] = comment
 	s.BlackListContryCode = &newBlacklistCountryCode
 	s.SaveChanges()
 }
 func (s *AccessRule) RemoveCountryCodeFromBlackList(countryCode string) {
 	countryCode = strings.ToLower(countryCode)
 	newBlacklistCountryCode := deepCopy(*s.BlackListContryCode)
 	delete(newBlacklistCountryCode, countryCode)
 	s.BlackListContryCode = &newBlacklistCountryCode
 	s.SaveChanges()
 }
 func (s *AccessRule) IsCountryCodeBlacklisted(countryCode string) bool {
 	countryCode = strings.ToLower(countryCode)
 	blacklistMap := *s.BlackListContryCode
 	_, ok := blacklistMap[countryCode]
 	return ok
 }
 func (s *AccessRule) GetAllBlacklistedCountryCode() []string {
 	bannedCountryCodes := []string{}
 	blacklistMap := *s.BlackListContryCode
 	for cc, _ := range blacklistMap {
 		bannedCountryCodes = append(bannedCountryCodes, cc)
 	}
 	return bannedCountryCodes
 }
 // IP Blacklsits
 func (s *AccessRule) AddIPToBlackList(ipAddr string, comment string) {
 	newBlackListIP := deepCopy(*s.BlackListIP)
 	newBlackListIP[ipAddr] = comment
 	s.BlackListIP = &newBlackListIP
 	s.SaveChanges()
 }
 func (s *AccessRule) RemoveIPFromBlackList(ipAddr string) {
 	newBlackListIP := deepCopy(*s.BlackListIP)
 	delete(newBlackListIP, ipAddr)
 	s.BlackListIP = &newBlackListIP
 	s.SaveChanges()
 }
 func (s *AccessRule) GetAllBlacklistedIp() []string {
 	bannedIps := []string{}
 	blacklistMap := *s.BlackListIP
 	for ip, _ := range blacklistMap {
 		bannedIps = append(bannedIps, ip)
 	}
 	return bannedIps
 }
 func (s *AccessRule) IsIPBlacklisted(ipAddr string) bool {
 	IPBlacklist := *s.BlackListIP
 	_, ok := IPBlacklist[ipAddr]
 	if ok {
 		return true
 	}
 	//Check for CIDR
 	for ipOrCIDR, _ := range IPBlacklist {
 		wildcardMatch := netutils.MatchIpWildcard(ipAddr, ipOrCIDR)
 		if wildcardMatch {
 			return true
 		}
 		cidrMatch := netutils.MatchIpCIDR(ipAddr, ipOrCIDR)
 		if cidrMatch {
 			return true
 		}
 	}
 	return false
 }
--- a/src/mod/access/typedef.go
+++ b/src/mod/access/typedef.go
@ -0,0 +1,38 @@
 package access
 import (
 	"sync"
 	"imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/geodb"
 	"imuslab.com/zoraxy/mod/info/logger"
 )
 type Options struct {
 	Logger       logger.Logger
 	ConfigFolder string             //Path for storing config files
 	GeoDB        *geodb.Store       //For resolving country code
 	Database     *database.Database //System key-value database
 }
 type AccessRule struct {
 	ID               string
 	Name             string
 	Desc             string
 	BlacklistEnabled bool
 	WhitelistEnabled bool
 	/* Whitelist Blacklist Table, value is comment if supported */
 	WhiteListCountryCode *map[string]string
 	WhiteListIP          *map[string]string
 	BlackListContryCode  *map[string]string
 	BlackListIP          *map[string]string
 	parent *Controller
 }
 type Controller struct {
 	DefaultAccessRule *AccessRule
 	ProxyAccessRule   *sync.Map
 	Options           *Options
 }
--- a/src/mod/access/whitelist.go
+++ b/src/mod/access/whitelist.go
@ -0,0 +1,112 @@
 package access
 import (
 	"strings"
 	"imuslab.com/zoraxy/mod/netutils"
 )
 /*
 	Whitelist.go
 	This script handles whitelist related functions
 */
 const (
 	EntryType_CountryCode int = 0
 	EntryType_IP          int = 1
 )
 type WhitelistEntry struct {
 	EntryType int    //Entry type of whitelist, Country Code or IP
 	CC        string //ISO Country Code
 	IP        string //IP address or range
 	Comment   string //Comment for this entry
 }
 //Geo Whitelist
 func (s *AccessRule) AddCountryCodeToWhitelist(countryCode string, comment string) {
 	countryCode = strings.ToLower(countryCode)
 	newWhitelistCC := deepCopy(*s.WhiteListCountryCode)
 	newWhitelistCC[countryCode] = comment
 	s.WhiteListCountryCode = &newWhitelistCC
 	s.SaveChanges()
 }
 func (s *AccessRule) RemoveCountryCodeFromWhitelist(countryCode string) {
 	countryCode = strings.ToLower(countryCode)
 	newWhitelistCC := deepCopy(*s.WhiteListCountryCode)
 	delete(newWhitelistCC, countryCode)
 	s.WhiteListCountryCode = &newWhitelistCC
 	s.SaveChanges()
 }
 func (s *AccessRule) IsCountryCodeWhitelisted(countryCode string) bool {
 	countryCode = strings.ToLower(countryCode)
 	whitelistCC := *s.WhiteListCountryCode
 	_, ok := whitelistCC[countryCode]
 	return ok
 }
 func (s *AccessRule) GetAllWhitelistedCountryCode() []*WhitelistEntry {
 	whitelistedCountryCode := []*WhitelistEntry{}
 	whitelistCC := *s.WhiteListCountryCode
 	for cc, comment := range whitelistCC {
 		whitelistedCountryCode = append(whitelistedCountryCode, &WhitelistEntry{
 			EntryType: EntryType_CountryCode,
 			CC:        cc,
 			Comment:   comment,
 		})
 	}
 	return whitelistedCountryCode
 }
 //IP Whitelist
 func (s *AccessRule) AddIPToWhiteList(ipAddr string, comment string) {
 	newWhitelistIP := deepCopy(*s.WhiteListIP)
 	newWhitelistIP[ipAddr] = comment
 	s.WhiteListIP = &newWhitelistIP
 	s.SaveChanges()
 }
 func (s *AccessRule) RemoveIPFromWhiteList(ipAddr string) {
 	newWhitelistIP := deepCopy(*s.WhiteListIP)
 	delete(newWhitelistIP, ipAddr)
 	s.WhiteListIP = &newWhitelistIP
 	s.SaveChanges()
 }
 func (s *AccessRule) IsIPWhitelisted(ipAddr string) bool {
 	//Check for IP wildcard and CIRD rules
 	WhitelistedIP := *s.WhiteListIP
 	for ipOrCIDR, _ := range WhitelistedIP {
 		wildcardMatch := netutils.MatchIpWildcard(ipAddr, ipOrCIDR)
 		if wildcardMatch {
 			return true
 		}
 		cidrMatch := netutils.MatchIpCIDR(ipAddr, ipOrCIDR)
 		if cidrMatch {
 			return true
 		}
 	}
 	return false
 }
 func (s *AccessRule) GetAllWhitelistedIp() []*WhitelistEntry {
 	whitelistedIp := []*WhitelistEntry{}
 	currentWhitelistedIP := *s.WhiteListIP
 	for ipOrCIDR, comment := range currentWhitelistedIP {
 		thisEntry := WhitelistEntry{
 			EntryType: EntryType_IP,
 			IP:        ipOrCIDR,
 			Comment:   comment,
 		}
 		whitelistedIp = append(whitelistedIp, &thisEntry)
 	}
 	return whitelistedIp
 }
--- a/src/mod/acme/acme.go
+++ b/src/mod/acme/acme.go
@ -0,0 +1,524 @@
 package acme
 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/challenge/http01"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
 	"imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/info/logger"
 	"imuslab.com/zoraxy/mod/utils"
 )
 type CertificateInfoJSON struct {
 	AcmeName    string `json:"acme_name"` //ACME provider name
 	AcmeUrl     string `json:"acme_url"`  //Custom ACME URL (if any)
 	SkipTLS     bool   `json:"skip_tls"`  //Skip TLS verification of upstream
 	UseDNS      bool   `json:"dns"`       //Use DNS challenge
 	PropTimeout int    `json:"prop_time"` //Propagation timeout
 }
 // ACMEUser represents a user in the ACME system.
 type ACMEUser struct {
 	Email        string
 	Registration *registration.Resource
 	key          crypto.PrivateKey
 }
 type EABConfig struct {
 	Kid     string `json:"kid"`
 	HmacKey string `json:"HmacKey"`
 }
 // GetEmail returns the email of the ACMEUser.
 func (u *ACMEUser) GetEmail() string {
 	return u.Email
 }
 // GetRegistration returns the registration resource of the ACMEUser.
 func (u ACMEUser) GetRegistration() *registration.Resource {
 	return u.Registration
 }
 // GetPrivateKey returns the private key of the ACMEUser.
 func (u *ACMEUser) GetPrivateKey() crypto.PrivateKey {
 	return u.key
 }
 // ACMEHandler handles ACME-related operations.
 type ACMEHandler struct {
 	DefaultAcmeServer string
 	Port              string
 	Database          *database.Database
 	Logger            *logger.Logger
 }
 // NewACME creates a new ACMEHandler instance.
 func NewACME(defaultAcmeServer string, port string, database *database.Database, logger *logger.Logger) *ACMEHandler {
 	return &ACMEHandler{
 		DefaultAcmeServer: defaultAcmeServer,
 		Port:              port,
 		Database:          database,
 		Logger:            logger,
 	}
 }
 func (a *ACMEHandler) Logf(message string, err error) {
 	a.Logger.PrintAndLog("ACME", message, err)
 }
 // ObtainCert obtains a certificate for the specified domains.
 func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, caName string, caUrl string, skipTLS bool, useDNS bool, propagationTimeout int) (bool, error) {
 	a.Logf("Obtaining certificate for: "+strings.Join(domains, ", "), nil)
 	// generate private key
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		a.Logf("Private key generation failed", err)
 		return false, err
 	}
 	// create a admin user for our new generation
 	adminUser := ACMEUser{
 		Email: email,
 		key:   privateKey,
 	}
 	// create config
 	config := lego.NewConfig(&adminUser)
 	// skip TLS verify if need
 	// Ref: https://github.com/go-acme/lego/blob/6af2c756ac73a9cb401621afca722d0f4112b1b8/lego/client_config.go#L74
 	if skipTLS {
 		a.Logf("Ignoring TLS/SSL Verification Error for ACME Server", nil)
 		config.HTTPClient.Transport = &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
 			DialContext: (&net.Dialer{
 				Timeout:   30 * time.Second,
 				KeepAlive: 30 * time.Second,
 			}).DialContext,
 			TLSHandshakeTimeout:   30 * time.Second,
 			ResponseHeaderTimeout: 30 * time.Second,
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,
 			},
 		}
 	}
 	//Fallback to Let's Encrypt if it is not set
 	if caName == "" {
 		caName = "Let's Encrypt"
 	}
 	// setup the custom ACME url endpoint.
 	if caUrl != "" {
 		config.CADirURL = caUrl
 	}
 	// if not custom ACME url, load it from ca.json
 	if caName == "custom" {
 		a.Logf("Using Custom ACME "+caUrl+" for CA Directory URL", nil)
 	} else {
 		caLinkOverwrite, err := loadCAApiServerFromName(caName)
 		if err == nil {
 			config.CADirURL = caLinkOverwrite
 			a.Logf("Using "+caLinkOverwrite+" for CA Directory URL", nil)
 		} else {
 			// (caName == "" || caUrl == "") will use default acme
 			config.CADirURL = a.DefaultAcmeServer
 			a.Logf("Using Default ACME "+a.DefaultAcmeServer+" for CA Directory URL", nil)
 		}
 	}
 	config.Certificate.KeyType = certcrypto.RSA2048
 	client, err := lego.NewClient(config)
 	if err != nil {
 		a.Logf("Failed to spawn new ACME client from current config", err)
 		return false, err
 	}
 	// setup how to receive challenge
 	if useDNS {
 		if !a.Database.TableExists("acme") {
 			a.Database.NewTable("acme")
 			return false, errors.New("DNS Provider and DNS Credenital configuration required for ACME Provider (Error -1)")
 		}
 		if !a.Database.KeyExists("acme", certificateName+"_dns_provider") || !a.Database.KeyExists("acme", certificateName+"_dns_credentials") {
 			return false, errors.New("DNS Provider and DNS Credenital configuration required for ACME Provider (Error -2)")
 		}
 		var dnsCredentials string
 		err := a.Database.Read("acme", certificateName+"_dns_credentials", &dnsCredentials)
 		if err != nil {
 			a.Logf("Read DNS credential failed", err)
 			return false, err
 		}
 		var dnsProvider string
 		err = a.Database.Read("acme", certificateName+"_dns_provider", &dnsProvider)
 		if err != nil {
 			a.Logf("Read DNS Provider failed", err)
 			return false, err
 		}
 		provider, err := GetDnsChallengeProviderByName(dnsProvider, dnsCredentials, propagationTimeout)
 		if err != nil {
 			a.Logf("Unable to resolve DNS challenge provider", err)
 			return false, err
 		}
 		err = client.Challenge.SetDNS01Provider(provider)
 		if err != nil {
 			a.Logf("Failed to resolve DNS01 Provider", err)
 			return false, err
 		}
 	} else {
 		err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", a.Port))
 		if err != nil {
 			a.Logf("Failed to resolve HTTP01 Provider", err)
 			return false, err
 		}
 	}
 	// New users will need to register
 	/*
 		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 		if err != nil {
 			log.Println(err)
 			return false, err
 		}
 	*/
 	var reg *registration.Resource
 	// New users will need to register
 	if client.GetExternalAccountRequired() {
 		a.Logf("External Account Required for this ACME Provider", nil)
 		// IF KID and HmacEncoded is overidden
 		if !a.Database.TableExists("acme") {
 			a.Database.NewTable("acme")
 			return false, errors.New("kid and HmacEncoded configuration required for ACME Provider (Error -1)")
 		}
 		if !a.Database.KeyExists("acme", config.CADirURL+"_kid") || !a.Database.KeyExists("acme", config.CADirURL+"_hmacEncoded") {
 			return false, errors.New("kid and HmacEncoded configuration required for ACME Provider (Error -2)")
 		}
 		var kid string
 		var hmacEncoded string
 		err := a.Database.Read("acme", config.CADirURL+"_kid", &kid)
 		if err != nil {
 			a.Logf("Failed to read kid from database", err)
 			return false, err
 		}
 		err = a.Database.Read("acme", config.CADirURL+"_hmacEncoded", &hmacEncoded)
 		if err != nil {
 			a.Logf("Failed to read HMAC from database", err)
 			return false, err
 		}
 		a.Logf("EAB Credential retrieved: "+kid+" / "+hmacEncoded, nil)
 		if kid != "" && hmacEncoded != "" {
 			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
 				TermsOfServiceAgreed: true,
 				Kid:                  kid,
 				HmacEncoded:          hmacEncoded,
 			})
 		}
 		if err != nil {
 			a.Logf("Register with external account binder failed", err)
 			return false, err
 		}
 		//return false, errors.New("External Account Required for this ACME Provider.")
 	} else {
 		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 		if err != nil {
 			a.Logf("Unable to register client", err)
 			return false, err
 		}
 	}
 	adminUser.Registration = reg
 	// obtain the certificate
 	request := certificate.ObtainRequest{
 		Domains: domains,
 		Bundle:  true,
 	}
 	certificates, err := client.Certificate.Obtain(request)
 	if err != nil {
 		a.Logf("Obtain certificate failed", err)
 		return false, err
 	}
 	// Each certificate comes back with the cert bytes, the bytes of the client's
 	// private key, and a certificate URL.
 	err = os.WriteFile("./conf/certs/"+certificateName+".pem", certificates.Certificate, 0777)
 	if err != nil {
 		a.Logf("Failed to write public key to disk", err)
 		return false, err
 	}
 	err = os.WriteFile("./conf/certs/"+certificateName+".key", certificates.PrivateKey, 0777)
 	if err != nil {
 		a.Logf("Failed to write private key to disk", err)
 		return false, err
 	}
 	// Save certificate's ACME info for renew usage
 	certInfo := &CertificateInfoJSON{
 		AcmeName:    caName,
 		AcmeUrl:     caUrl,
 		SkipTLS:     skipTLS,
 		UseDNS:      useDNS,
 		PropTimeout: propagationTimeout,
 	}
 	certInfoBytes, err := json.Marshal(certInfo)
 	if err != nil {
 		a.Logf("Marshal certificate renew config failed", err)
 		return false, err
 	}
 	err = os.WriteFile("./conf/certs/"+certificateName+".json", certInfoBytes, 0777)
 	if err != nil {
 		a.Logf("Failed to write certificate renew config to file", err)
 		return false, err
 	}
 	return true, nil
 }
 // CheckCertificate returns a list of domains that are in expired certificates.
 // It will return all domains that is in expired certificates
 // *** if there is a vaild certificate contains the domain and there is a expired certificate contains the same domain
 // it will said expired as well!
 func (a *ACMEHandler) CheckCertificate() []string {
 	// read from dir
 	filenames, err := os.ReadDir("./conf/certs/")
 	expiredCerts := []string{}
 	if err != nil {
 		a.Logf("Failed to load certificate folder", err)
 		return []string{}
 	}
 	for _, filename := range filenames {
 		certFilepath := filepath.Join("./conf/certs/", filename.Name())
 		certBytes, err := os.ReadFile(certFilepath)
 		if err != nil {
 			// Unable to load this file
 			continue
 		} else {
 			// Cert loaded. Check its expiry time
 			block, _ := pem.Decode(certBytes)
 			if block != nil {
 				cert, err := x509.ParseCertificate(block.Bytes)
 				if err == nil {
 					elapsed := time.Since(cert.NotAfter)
 					if elapsed > 0 {
 						// if it is expired then add it in
 						// make sure it's uniqueless
 						for _, dnsName := range cert.DNSNames {
 							if !contains(expiredCerts, dnsName) {
 								expiredCerts = append(expiredCerts, dnsName)
 							}
 						}
 						if !contains(expiredCerts, cert.Subject.CommonName) {
 							expiredCerts = append(expiredCerts, cert.Subject.CommonName)
 						}
 					}
 				}
 			}
 		}
 	}
 	return expiredCerts
 }
 // return the current port number
 func (a *ACMEHandler) Getport() string {
 	return a.Port
 }
 // contains checks if a string is present in a slice.
 func contains(slice []string, str string) bool {
 	for _, s := range slice {
 		if s == str {
 			return true
 		}
 	}
 	return false
 }
 // HandleGetExpiredDomains handles the HTTP GET request to retrieve the list of expired domains.
 // It calls the CheckCertificate method to obtain the expired domains and sends a JSON response
 // containing the list of expired domains.
 func (a *ACMEHandler) HandleGetExpiredDomains(w http.ResponseWriter, r *http.Request) {
 	type ExpiredDomains struct {
 		Domain []string `json:"domain"`
 	}
 	info := ExpiredDomains{
 		Domain: a.CheckCertificate(),
 	}
 	js, _ := json.MarshalIndent(info, "", " ")
 	utils.SendJSONResponse(w, string(js))
 }
 // HandleRenewCertificate handles the HTTP GET request to renew a certificate for the provided domains.
 // It retrieves the domains and filename parameters from the request, calls the ObtainCert method
 // to renew the certificate, and sends a JSON response indicating the result of the renewal process.
 func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
 	domainPara, err := utils.PostPara(r, "domains")
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
 	}
 	filename, err := utils.PostPara(r, "filename")
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
 	}
 	//Make sure the wildcard * do not goes into the filename
 	filename = strings.ReplaceAll(filename, "*", "_")
 	email, err := utils.PostPara(r, "email")
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
 	}
 	var caUrl string
 	ca, err := utils.PostPara(r, "ca")
 	if err != nil {
 		a.Logf("CA not set. Using default", nil)
 		ca, caUrl = "", ""
 	}
 	if ca == "custom" {
 		caUrl, err = utils.PostPara(r, "caURL")
 		if err != nil {
 			a.Logf("Custom CA set but no URL provide, Using default", nil)
 			ca, caUrl = "", ""
 		}
 	}
 	if ca == "" {
 		//default. Use Let's Encrypt
 		ca = "Let's Encrypt"
 	}
 	var skipTLS bool
 	if skipTLSString, err := utils.PostPara(r, "skipTLS"); err != nil {
 		skipTLS = false
 	} else if skipTLSString != "true" {
 		skipTLS = false
 	} else {
 		skipTLS = true
 	}
 	var dns bool
 	if dnsString, err := utils.PostPara(r, "dns"); err != nil {
 		dns = false
 	} else if dnsString != "true" {
 		dns = false
 	} else {
 		dns = true
 	}
 	domains := strings.Split(domainPara, ",")
 	// Default propagation timeout is 300 seconds
 	propagationTimeout := 300
 	if dns {
 		ppgTimeout, err := utils.PostPara(r, "ppgTimeout")
 		if err == nil {
 			propagationTimeout, err = strconv.Atoi(ppgTimeout)
 			if err != nil {
 				utils.SendErrorResponse(w, "Invalid propagation timeout value")
 				return
 			}
 			if propagationTimeout < 60 {
 				//Minimum propagation timeout is 60 seconds
 				propagationTimeout = 60
 			}
 		}
 	}
 	//Clean spaces in front or behind each domain
 	cleanedDomains := []string{}
 	for _, domain := range domains {
 		cleanedDomains = append(cleanedDomains, strings.TrimSpace(domain))
 	}
 	result, err := a.ObtainCert(cleanedDomains, filename, email, ca, caUrl, skipTLS, dns, propagationTimeout)
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
 	}
 	utils.SendJSONResponse(w, strconv.FormatBool(result))
 }
 // Escape JSON string
 func jsonEscape(i string) string {
 	b, err := json.Marshal(i)
 	if err != nil {
 		//log.Println("Unable to escape json data: " + err.Error())
 		return i
 	}
 	s := string(b)
 	return s[1 : len(s)-1]
 }
 // Helper function to check if a port is in use
 func IsPortInUse(port int) bool {
 	address := fmt.Sprintf(":%d", port)
 	listener, err := net.Listen("tcp", address)
 	if err != nil {
 		return true // Port is in use
 	}
 	defer listener.Close()
 	return false // Port is not in use
 }
 // Load cert information from json file
 func LoadCertInfoJSON(filename string) (*CertificateInfoJSON, error) {
 	certInfoBytes, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
 	certInfo := &CertificateInfoJSON{}
 	if err = json.Unmarshal(certInfoBytes, certInfo); err != nil {
 		return nil, err
 	}
 	return certInfo, nil
 }
--- a/src/mod/acme/acme_dns.go
+++ b/src/mod/acme/acme_dns.go
@ -0,0 +1,56 @@
 package acme
 import (
 	"encoding/json"
 	"strconv"
 	"github.com/go-acme/lego/v4/challenge"
 	"imuslab.com/zoraxy/mod/acme/acmedns"
 )
 // Preprocessor function to get DNS challenge provider by name
 func GetDnsChallengeProviderByName(dnsProvider string, dnsCredentials string, ppgTimeout int) (challenge.Provider, error) {
 	//Unpack the dnsCredentials (json string) to map
 	var dnsCredentialsMap map[string]interface{}
 	err := json.Unmarshal([]byte(dnsCredentials), &dnsCredentialsMap)
 	if err != nil {
 		return nil, err
 	}
 	//Clear the PollingInterval and PropagationTimeout field and conert to int
 	userDefinedPollingInterval := 2
 	if dnsCredentialsMap["PollingInterval"] != nil {
 		userDefinedPollingIntervalRaw := dnsCredentialsMap["PollingInterval"].(string)
 		delete(dnsCredentialsMap, "PollingInterval")
 		convertedPollingInterval, err := strconv.Atoi(userDefinedPollingIntervalRaw)
 		if err == nil {
 			userDefinedPollingInterval = convertedPollingInterval
 		}
 	}
 	userDefinedPropagationTimeout := ppgTimeout
 	if dnsCredentialsMap["PropagationTimeout"] != nil {
 		userDefinedPropagationTimeoutRaw := dnsCredentialsMap["PropagationTimeout"].(string)
 		delete(dnsCredentialsMap, "PropagationTimeout")
 		convertedPropagationTimeout, err := strconv.Atoi(userDefinedPropagationTimeoutRaw)
 		if err == nil {
 			//Overwrite the default propagation timeout if it is requeted from UI
 			userDefinedPropagationTimeout = convertedPropagationTimeout
 		}
 	}
 	//Restructure dnsCredentials string from map
 	dnsCredentialsBytes, err := json.Marshal(dnsCredentialsMap)
 	if err != nil {
 		return nil, err
 	}
 	dnsCredentials = string(dnsCredentialsBytes)
 	//Using acmedns CICD pipeline generated datatype to optain the DNS provider
 	return acmedns.GetDNSProviderByJsonConfig(
 		dnsProvider,
 		dnsCredentials,
 		int64(userDefinedPropagationTimeout),
 		int64(userDefinedPollingInterval),
 	)
 }
--- a/src/mod/acme/acme_test.go
+++ b/src/mod/acme/acme_test.go
@ -0,0 +1,24 @@
 package acme_test
 import (
 	"fmt"
 	"testing"
 	"imuslab.com/zoraxy/mod/acme"
 )
 // Test if the issuer extraction is working
 func TestExtractIssuerNameFromPEM(t *testing.T) {
 	pemFilePath := "test/stackoverflow.pem"
 	expectedIssuer := "Let's Encrypt"
 	issuerName, err := acme.ExtractIssuerNameFromPEM(pemFilePath)
 	fmt.Println(issuerName)
 	if err != nil {
 		t.Errorf("Error extracting issuer name: %v", err)
 	}
 	if issuerName != expectedIssuer {
 		t.Errorf("Unexpected issuer name. Expected: %s, Got: %s", expectedIssuer, issuerName)
 	}
 }
--- a/src/mod/acme/acmedns/acmedns.go
+++ b/src/mod/acme/acmedns/acmedns.go
--- a/src/mod/acme/acmedns/acmedns_test.go
+++ b/src/mod/acme/acmedns/acmedns_test.go
@ -0,0 +1,27 @@
 package acmedns_test
 import (
 	"fmt"
 	"testing"
 	"imuslab.com/zoraxy/mod/acme/acmedns"
 )
 // Test if the structure of ACME DNS config can be reflected from lego source code definations
 func TestACMEDNSConfigStructureReflector(t *testing.T) {
 	providers := []string{
 		"gandi",
 		"cloudflare",
 		"azure",
 	}
 	for _, provider := range providers {
 		strcture, err := acmedns.GetProviderConfigStructure(provider)
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println(strcture)
 	}
 }
--- a/src/mod/acme/acmedns/providers.json
+++ b/src/mod/acme/acmedns/providers.json
--- a/src/mod/acme/acmedns/providerutils.go
+++ b/src/mod/acme/acmedns/providerutils.go
@ -0,0 +1,80 @@
 package acmedns
 import (
 	_ "embed"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"imuslab.com/zoraxy/mod/utils"
 )
 //go:embed providers.json
 var providers []byte //A list of providers generated by acmedns code-generator
 type ConfigTemplate struct {
 	Name             string `json:"Name"`
 	ConfigableFields []struct {
 		Title    string `json:"Title"`
 		Datatype string `json:"Datatype"`
 	} `json:"ConfigableFields"`
 	HiddenFields []struct {
 		Title    string `json:"Title"`
 		Datatype string `json:"Datatype"`
 	} `json:"HiddenFields"`
 }
 // Return a map of string => datatype
 func GetProviderConfigStructure(providerName string) (map[string]string, error) {
 	//Load the target config template from embedded providers.json
 	configTemplateMap := map[string]ConfigTemplate{}
 	err := json.Unmarshal(providers, &configTemplateMap)
 	if err != nil {
 		return map[string]string{}, err
 	}
 	targetConfigTemplate, ok := configTemplateMap[providerName]
 	if !ok {
 		return map[string]string{}, errors.New("provider not supported")
 	}
 	results := map[string]string{}
 	for _, field := range targetConfigTemplate.ConfigableFields {
 		results[field.Title] = field.Datatype
 	}
 	return results, nil
 }
 // HandleServeProvidersJson return the list of supported providers as json
 func HandleServeProvidersJson(w http.ResponseWriter, r *http.Request) {
 	providerName, _ := utils.GetPara(r, "name")
 	if providerName == "" {
 		//Send the current list of providers
 		configTemplateMap := map[string]ConfigTemplate{}
 		err := json.Unmarshal(providers, &configTemplateMap)
 		if err != nil {
 			utils.SendErrorResponse(w, "failed to load DNS provider")
 			return
 		}
 		//Parse the provider names into an array
 		providers := []string{}
 		for providerName, _ := range configTemplateMap {
 			providers = append(providers, providerName)
 		}
 		js, _ := json.Marshal(providers)
 		utils.SendJSONResponse(w, string(js))
 		return
 	}
 	//Get the config for that provider
 	confTemplate, err := GetProviderConfigStructure(providerName)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	js, _ := json.Marshal(confTemplate)
 	utils.SendJSONResponse(w, string(js))
 }
--- a/src/mod/acme/acmewizard/acmewizard.go
+++ b/src/mod/acme/acmewizard/acmewizard.go
@ -0,0 +1,172 @@
 package acmewizard
 import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	ACME Wizard
 	This wizard help validate the acme settings and configurations
 */
 func HandleGuidedStepCheck(w http.ResponseWriter, r *http.Request) {
 	stepNoStr, err := utils.GetPara(r, "step")
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid step number given")
 		return
 	}
 	stepNo, err := strconv.Atoi(stepNoStr)
 	if err != nil {
 		utils.SendErrorResponse(w, "invalid step number given")
 		return
 	}
 	if stepNo == 1 {
 		isListening, err := isLocalhostListening()
 		if err != nil {
 			utils.SendErrorResponse(w, err.Error())
 			return
 		}
 		js, _ := json.Marshal(isListening)
 		utils.SendJSONResponse(w, string(js))
 	} else if stepNo == 2 {
 		publicIp, err := getPublicIPAddress()
 		if err != nil {
 			utils.SendErrorResponse(w, err.Error())
 			return
 		}
 		publicIp = strings.TrimSpace(publicIp)
 		httpServerReachable := isHTTPServerAvailable(publicIp)
 		js, _ := json.Marshal(httpServerReachable)
 		utils.SendJSONResponse(w, string(js))
 	} else if stepNo == 3 {
 		domain, err := utils.GetPara(r, "domain")
 		if err != nil {
 			utils.SendErrorResponse(w, "domain cannot be empty")
 			return
 		}
 		domain = strings.TrimSpace(domain)
 		//Check if the domain is reachable
 		reachable := isDomainReachable(domain)
 		if !reachable {
 			utils.SendErrorResponse(w, "domain is not reachable")
 			return
 		}
 		//Check http is setup correctly
 		httpServerReachable := isHTTPServerAvailable(domain)
 		js, _ := json.Marshal(httpServerReachable)
 		utils.SendJSONResponse(w, string(js))
 	} else if stepNo == 10 {
 		//Resolve public Ip address for tour
 		publicIp, err := getPublicIPAddress()
 		if err != nil {
 			utils.SendErrorResponse(w, err.Error())
 			return
 		}
 		js, _ := json.Marshal(publicIp)
 		utils.SendJSONResponse(w, string(js))
 	} else {
 		utils.SendErrorResponse(w, "invalid step number")
 	}
 }
 // Step 1
 func isLocalhostListening() (isListening bool, err error) {
 	timeout := 2 * time.Second
 	isListening = false
 	// Check if localhost is listening on port 80 (HTTP)
 	conn, err := net.DialTimeout("tcp", "localhost:80", timeout)
 	if err == nil {
 		isListening = true
 		conn.Close()
 	}
 	// Check if localhost is listening on port 443 (HTTPS)
 	conn, err = net.DialTimeout("tcp", "localhost:443", timeout)
 	if err == nil {
 		isListening = true
 		conn.Close()
 	}
 	if isListening {
 		return true, nil
 	}
 	return isListening, err
 }
 // Step 2
 func getPublicIPAddress() (string, error) {
 	resp, err := http.Get("http://checkip.amazonaws.com/")
 	if err != nil {
 		return "", err
 	}
 	defer resp.Body.Close()
 	ip, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
 	return string(ip), nil
 }
 func isHTTPServerAvailable(ipAddress string) bool {
 	client := http.Client{
 		Timeout: 5 * time.Second, // Timeout for the HTTP request
 	}
 	urls := []string{
 		"http://" + ipAddress + ":80",
 		"https://" + ipAddress + ":443",
 	}
 	for _, url := range urls {
 		req, err := http.NewRequest("GET", url, nil)
 		if err != nil {
 			fmt.Println(err, url)
 			continue // Ignore invalid URLs
 		}
 		// Disable TLS verification to handle invalid certificates
 		client.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
 		resp, err := client.Do(req)
 		if err == nil {
 			resp.Body.Close()
 			return true // HTTP server is available
 		}
 	}
 	return false // HTTP server is not available
 }
 // Step 3
 func isDomainReachable(domain string) bool {
 	_, err := net.LookupHost(domain)
 	if err != nil {
 		return false // Domain is not reachable
 	}
 	return true // Domain is reachable
 }
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@ -0,0 +1,471 @@
 package acme
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/mail"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"imuslab.com/zoraxy/mod/info/logger"
 	"imuslab.com/zoraxy/mod/utils"
 )
 /*
 	autorenew.go
 	This script handle auto renew
 */
 type AutoRenewConfig struct {
 	Enabled      bool     //Automatic renew is enabled
 	Email        string   //Email for acme
 	RenewAll     bool     //Renew all or selective renew with the slice below
 	FilesToRenew []string //If RenewAll is false, renew these certificate files
 }
 type AutoRenewer struct {
 	ConfigFilePath    string
 	CertFolder        string
 	AcmeHandler       *ACMEHandler
 	RenewerConfig     *AutoRenewConfig
 	RenewTickInterval int64
 	EarlyRenewDays    int //How many days before cert expire to renew certificate
 	TickerstopChan    chan bool
 	Logger            *logger.Logger //System wide logger
 }
 type ExpiredCerts struct {
 	Domains  []string
 	Filepath string
 }
 // Create an auto renew agent, require config filepath and auto scan & renew interval (seconds)
 // Set renew check interval to 0 for auto (1 day)
 func NewAutoRenewer(config string, certFolder string, renewCheckInterval int64, earlyRenewDays int, AcmeHandler *ACMEHandler, logger *logger.Logger) (*AutoRenewer, error) {
 	if renewCheckInterval == 0 {
 		renewCheckInterval = 86400 //1 day
 	}
 	if earlyRenewDays == 0 {
 		earlyRenewDays = 30
 	}
 	//Load the config file. If not found, create one
 	if !utils.FileExists(config) {
 		//Create one
 		os.MkdirAll(filepath.Dir(config), 0775)
 		newConfig := AutoRenewConfig{
 			RenewAll:     true,
 			FilesToRenew: []string{},
 		}
 		js, _ := json.MarshalIndent(newConfig, "", " ")
 		err := os.WriteFile(config, js, 0775)
 		if err != nil {
 			return nil, errors.New("Failed to create acme auto renewer config: " + err.Error())
 		}
 	}
 	renewerConfig := AutoRenewConfig{}
 	content, err := os.ReadFile(config)
 	if err != nil {
 		return nil, errors.New("Failed to open acme auto renewer config: " + err.Error())
 	}
 	err = json.Unmarshal(content, &renewerConfig)
 	if err != nil {
 		return nil, errors.New("Malformed acme config file: " + err.Error())
 	}
 	//Create an Auto renew object
 	thisRenewer := AutoRenewer{
 		ConfigFilePath:    config,
 		CertFolder:        certFolder,
 		AcmeHandler:       AcmeHandler,
 		RenewerConfig:     &renewerConfig,
 		RenewTickInterval: renewCheckInterval,
 		EarlyRenewDays:    earlyRenewDays,
 		Logger:            logger,
 	}
 	thisRenewer.Logf("ACME early renew set to "+fmt.Sprint(earlyRenewDays)+" days and check interval set to "+fmt.Sprint(renewCheckInterval)+" seconds", nil)
 	if thisRenewer.RenewerConfig.Enabled {
 		//Start the renew ticker
 		thisRenewer.StartAutoRenewTicker()
 		//Check and renew certificate on startup
 		go thisRenewer.CheckAndRenewCertificates()
 	}
 	return &thisRenewer, nil
 }
 func (a *AutoRenewer) Logf(message string, err error) {
 	a.Logger.PrintAndLog("cert-renew", message, err)
 }
 func (a *AutoRenewer) StartAutoRenewTicker() {
 	//Stop the previous ticker if still running
 	if a.TickerstopChan != nil {
 		a.TickerstopChan <- true
 	}
 	time.Sleep(1 * time.Second)
 	ticker := time.NewTicker(time.Duration(a.RenewTickInterval) * time.Second)
 	done := make(chan bool)
 	//Start the ticker to check and renew every x seconds
 	go func(a *AutoRenewer) {
 		for {
 			select {
 			case <-done:
 				return
 			case <-ticker.C:
 				a.Logf("Check and renew certificates in progress", nil)
 				a.CheckAndRenewCertificates()
 			}
 		}
 	}(a)
 	a.TickerstopChan = done
 }
 func (a *AutoRenewer) StopAutoRenewTicker() {
 	if a.TickerstopChan != nil {
 		a.TickerstopChan <- true
 	}
 	a.TickerstopChan = nil
 }
 // Handle update auto renew domains
 // Set opr for different mode of operations
 // opr = setSelected -> Enter a list of file names (or matching rules) for auto renew
 // opr = setAuto -> Set to use auto detect certificates and renew
 func (a *AutoRenewer) HandleSetAutoRenewDomains(w http.ResponseWriter, r *http.Request) {
 	opr, err := utils.PostPara(r, "opr")
 	if err != nil {
 		utils.SendErrorResponse(w, "Operation not set")
 		return
 	}
 	if opr == "setSelected" {
 		files, err := utils.PostPara(r, "domains")
 		if err != nil {
 			utils.SendErrorResponse(w, "Domains is not defined")
 			return
 		}
 		//Parse it int array of string
 		matchingRuleFiles := []string{}
 		err = json.Unmarshal([]byte(files), &matchingRuleFiles)
 		if err != nil {
 			utils.SendErrorResponse(w, err.Error())
 			return
 		}
 		//Update the configs
 		a.RenewerConfig.RenewAll = false
 		a.RenewerConfig.FilesToRenew = matchingRuleFiles
 		a.saveRenewConfigToFile()
 		utils.SendOK(w)
 	} else if opr == "setAuto" {
 		a.RenewerConfig.RenewAll = true
 		a.saveRenewConfigToFile()
 		utils.SendOK(w)
 	} else {
 		utils.SendErrorResponse(w, "invalid operation given")
 	}
 }
 // if auto renew all is true (aka auto scan), it will return []string{"*"}
 func (a *AutoRenewer) HandleLoadAutoRenewDomains(w http.ResponseWriter, r *http.Request) {
 	results := []string{}
 	if a.RenewerConfig.RenewAll {
 		//Auto pick which cert to renew.
 		results = append(results, "*")
 	} else {
 		//Manually set the files to renew
 		results = a.RenewerConfig.FilesToRenew
 	}
 	js, _ := json.Marshal(results)
 	utils.SendJSONResponse(w, string(js))
 }
 func (a *AutoRenewer) HandleRenewPolicy(w http.ResponseWriter, r *http.Request) {
 	//Load the current value
 	js, _ := json.Marshal(a.RenewerConfig.RenewAll)
 	utils.SendJSONResponse(w, string(js))
 }
 func (a *AutoRenewer) HandleRenewNow(w http.ResponseWriter, r *http.Request) {
 	renewedDomains, err := a.CheckAndRenewCertificates()
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	message := "Domains renewed"
 	if len(renewedDomains) == 0 {
 		message = ("All certificates are up-to-date!")
 	} else {
 		message = ("The following domains have been renewed: " + strings.Join(renewedDomains, ","))
 	}
 	js, _ := json.Marshal(message)
 	utils.SendJSONResponse(w, string(js))
 }
 // HandleAutoRenewEnable get and set the auto renew enable state
 func (a *AutoRenewer) HandleAutoRenewEnable(w http.ResponseWriter, r *http.Request) {
 	if r.Method == http.MethodGet {
 		js, _ := json.Marshal(a.RenewerConfig.Enabled)
 		utils.SendJSONResponse(w, string(js))
 	} else if r.Method == http.MethodPost {
 		val, err := utils.PostBool(r, "enable")
 		if err != nil {
 			utils.SendErrorResponse(w, "invalid or empty enable state")
 		}
 		if val {
 			//Check if the email is not empty
 			if a.RenewerConfig.Email == "" {
 				utils.SendErrorResponse(w, "Email is not set")
 				return
 			}
 			a.RenewerConfig.Enabled = true
 			a.saveRenewConfigToFile()
 			a.Logf("ACME auto renew enabled", nil)
 			a.StartAutoRenewTicker()
 		} else {
 			a.RenewerConfig.Enabled = false
 			a.saveRenewConfigToFile()
 			a.Logf("ACME auto renew disabled", nil)
 			a.StopAutoRenewTicker()
 		}
 	} else {
 		http.Error(w, "405 - Method not allowed", http.StatusMethodNotAllowed)
 	}
 }
 func (a *AutoRenewer) HandleACMEEmail(w http.ResponseWriter, r *http.Request) {
 	if r.Method == http.MethodGet {
 		//Return the current email to user
 		js, _ := json.Marshal(a.RenewerConfig.Email)
 		utils.SendJSONResponse(w, string(js))
 	} else if r.Method == http.MethodPost {
 		email, err := utils.PostPara(r, "set")
 		if err != nil {
 			utils.SendErrorResponse(w, "invalid or empty email given")
 			return
 		}
 		//Check if the email is valid
 		_, err = mail.ParseAddress(email)
 		if err != nil {
 			utils.SendErrorResponse(w, err.Error())
 			return
 		}
 		//Set the new config
 		a.RenewerConfig.Email = email
 		a.saveRenewConfigToFile()
 		utils.SendOK(w)
 	} else {
 		http.Error(w, "405 - Method not allowed", http.StatusMethodNotAllowed)
 	}
 }
 // Check and renew certificates. This check all the certificates in the
 // certificate folder and return a list of certs that is renewed in this call
 // Return string array with length 0 when no cert is expired
 func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
 	certFolder := a.CertFolder
 	files, err := os.ReadDir(certFolder)
 	if err != nil {
 		a.Logf("Read certificate store failed", err)
 		return []string{}, err
 	}
 	expiredCertList := []*ExpiredCerts{}
 	if a.RenewerConfig.RenewAll {
 		//Scan and renew all
 		for _, file := range files {
 			if filepath.Ext(file.Name()) == ".crt" || filepath.Ext(file.Name()) == ".pem" {
 				//This is a public key file
 				certBytes, err := os.ReadFile(filepath.Join(certFolder, file.Name()))
 				if err != nil {
 					continue
 				}
 				if CertExpireSoon(certBytes, a.EarlyRenewDays) || CertIsExpired(certBytes) {
 					//This cert is expired
 					DNSName, err := ExtractDomains(certBytes)
 					if err != nil {
 						//Maybe self signed. Ignore this
 						a.Logf("Encounted error when trying to resolve DNS name for cert "+file.Name(), err)
 						continue
 					}
 					expiredCertList = append(expiredCertList, &ExpiredCerts{
 						Filepath: filepath.Join(certFolder, file.Name()),
 						Domains:  DNSName,
 					})
 				}
 			}
 		}
 	} else {
 		//Only renew those in the list
 		for _, file := range files {
 			fileName := file.Name()
 			certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
 			if contains(a.RenewerConfig.FilesToRenew, certName) {
 				//This is the one to auto renew
 				certBytes, err := os.ReadFile(filepath.Join(certFolder, file.Name()))
 				if err != nil {
 					continue
 				}
 				if CertExpireSoon(certBytes, a.EarlyRenewDays) || CertIsExpired(certBytes) {
 					//This cert is expired
 					DNSName, err := ExtractDomains(certBytes)
 					if err != nil {
 						//Maybe self signed. Ignore this
 						a.Logf("Encounted error when trying to resolve DNS name for cert "+file.Name(), err)
 						continue
 					}
 					expiredCertList = append(expiredCertList, &ExpiredCerts{
 						Filepath: filepath.Join(certFolder, file.Name()),
 						Domains:  DNSName,
 					})
 				}
 			}
 		}
 	}
 	return a.renewExpiredDomains(expiredCertList)
 }
 func (a *AutoRenewer) Close() {
 	if a.TickerstopChan != nil {
 		a.TickerstopChan <- true
 	}
 }
 // Renew the certificate by filename extract all DNS name from the
 // certificate and renew them one by one by calling to the acmeHandler
 func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, error) {
 	renewedCertFiles := []string{}
 	for _, expiredCert := range certs {
 		a.Logf("Renewing "+expiredCert.Filepath+" (Might take a few minutes)", nil)
 		fileName := filepath.Base(expiredCert.Filepath)
 		certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
 		// Load certificate info for ACME detail
 		certInfoFilename := fmt.Sprintf("%s/%s.json", filepath.Dir(expiredCert.Filepath), certName)
 		certInfo, err := LoadCertInfoJSON(certInfoFilename)
 		if err != nil {
 			a.Logf("Renew "+certName+"certificate error, can't get the ACME detail for certificate, trying org section as ca", err)
 			if CAName, extractErr := ExtractIssuerNameFromPEM(expiredCert.Filepath); extractErr != nil {
 				a.Logf("Extract issuer name for cert error, using default ca", err)
 				certInfo = &CertificateInfoJSON{}
 			} else {
 				certInfo = &CertificateInfoJSON{AcmeName: CAName}
 			}
 		}
 		//For upgrading config from older version of Zoraxy which don't have timeout
 		if certInfo.PropTimeout == 0 {
 			//Set default timeout
 			certInfo.PropTimeout = 300
 		}
 		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS, certInfo.UseDNS, certInfo.PropTimeout)
 		if err != nil {
 			a.Logf("Renew "+fileName+"("+strings.Join(expiredCert.Domains, ",")+") failed", err)
 		} else {
 			a.Logf("Successfully renewed "+filepath.Base(expiredCert.Filepath), nil)
 			renewedCertFiles = append(renewedCertFiles, filepath.Base(expiredCert.Filepath))
 		}
 	}
 	return renewedCertFiles, nil
 }
 // Write the current renewer config to file
 func (a *AutoRenewer) saveRenewConfigToFile() error {
 	js, _ := json.MarshalIndent(a.RenewerConfig, "", " ")
 	return os.WriteFile(a.ConfigFilePath, js, 0775)
 }
 // Handle update auto renew EAD configuration
 func (a *AutoRenewer) HanldeSetEAB(w http.ResponseWriter, r *http.Request) {
 	kid, err := utils.GetPara(r, "kid")
 	if err != nil {
 		utils.SendErrorResponse(w, "kid not set")
 		return
 	}
 	hmacEncoded, err := utils.GetPara(r, "hmacEncoded")
 	if err != nil {
 		utils.SendErrorResponse(w, "hmacEncoded not set")
 		return
 	}
 	acmeDirectoryURL, err := utils.GetPara(r, "acmeDirectoryURL")
 	if err != nil {
 		utils.SendErrorResponse(w, "acmeDirectoryURL not set")
 		return
 	}
 	if !a.AcmeHandler.Database.TableExists("acme") {
 		a.AcmeHandler.Database.NewTable("acme")
 	}
 	a.AcmeHandler.Database.Write("acme", acmeDirectoryURL+"_kid", kid)
 	a.AcmeHandler.Database.Write("acme", acmeDirectoryURL+"_hmacEncoded", hmacEncoded)
 	utils.SendOK(w)
 }
 // Handle update auto renew DNS configuration
 func (a *AutoRenewer) HanldeSetDNS(w http.ResponseWriter, r *http.Request) {
 	dnsProvider, err := utils.PostPara(r, "dnsProvider")
 	if err != nil {
 		utils.SendErrorResponse(w, "dnsProvider not set")
 		return
 	}
 	dnsCredentials, err := utils.PostPara(r, "dnsCredentials")
 	if err != nil {
 		utils.SendErrorResponse(w, "dnsCredentials not set")
 		return
 	}
 	filename, err := utils.PostPara(r, "filename")
 	if err != nil {
 		utils.SendErrorResponse(w, "filename not set")
 		return
 	}
 	if !a.AcmeHandler.Database.TableExists("acme") {
 		a.AcmeHandler.Database.NewTable("acme")
 	}
 	a.AcmeHandler.Database.Write("acme", filename+"_dns_provider", dnsProvider)
 	a.AcmeHandler.Database.Write("acme", filename+"_dns_credentials", dnsCredentials)
 	utils.SendOK(w)
 }
--- a/src/mod/acme/ca.go
+++ b/src/mod/acme/ca.go
@ -0,0 +1,56 @@
 package acme
 /*
 	CA.go
 	This script load CA defination from embedded ca.json
 */
 import (
 	_ "embed"
 	"encoding/json"
 	"errors"
 	"log"
 	"strings"
 )
 // CA Defination, load from embeded json when startup
 type CaDef struct {
 	Production map[string]string
 	Test       map[string]string
 }
 //go:embed ca.json
 var caJson []byte
 var caDef CaDef = CaDef{}
 func init() {
 	runtimeCaDef := CaDef{}
 	err := json.Unmarshal(caJson, &runtimeCaDef)
 	if err != nil {
 		log.Println("[ERR] Unable to unmarshal CA def from embedded file. You sure your ca.json is valid?")
 		return
 	}
 	caDef = runtimeCaDef
 }
 // Get the CA ACME server endpoint and error if not found
 func loadCAApiServerFromName(caName string) (string, error) {
 	// handle BuyPass cert org section (Buypass AS-983163327)
 	if strings.HasPrefix(caName, "Buypass AS") {
 		caName = "Buypass"
 	}
 	val, ok := caDef.Production[caName]
 	if !ok {
 		return "", errors.New("This CA is not supported")
 	}
 	return val, nil
 }
 func IsSupportedCA(caName string) bool {
 	_, err := loadCAApiServerFromName(caName)
 	return err == nil
 }
--- a/src/mod/acme/ca.json
+++ b/src/mod/acme/ca.json
@ -0,0 +1,15 @@
 {
    "production": {
        "Let's Encrypt": "https://acme-v02.api.letsencrypt.org/directory",
        "Buypass": "https://api.buypass.com/acme/directory",
        "ZeroSSL": "https://acme.zerossl.com/v2/DV90",
        "Google": "https://dv.acme-v02.api.pki.goog/directory"
    },
    "test":{
        "Let's Encrypt": "https://acme-staging-v02.api.letsencrypt.org/directory",
        "Buypass": "https://api.test4.buypass.no/acme/directory",
        "Google": "https://dv.acme-v02.test-api.pki.goog/directory"
    }
  }
--- a/src/mod/acme/utils.go
+++ b/src/mod/acme/utils.go
@ -0,0 +1,100 @@
 package acme
 import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
 	"time"
 )
 // Get the issuer name from pem file
 func ExtractIssuerNameFromPEM(pemFilePath string) (string, error) {
 	// Read the PEM file
 	pemData, err := os.ReadFile(pemFilePath)
 	if err != nil {
 		return "", err
 	}
 	return ExtractIssuerName(pemData)
 }
 // Get the DNSName in the cert
 func ExtractDomains(certBytes []byte) ([]string, error) {
 	domains := []string{}
 	block, _ := pem.Decode(certBytes)
 	if block != nil {
 		cert, err := x509.ParseCertificate(block.Bytes)
 		if err != nil {
 			return []string{}, err
 		}
 		for _, dnsName := range cert.DNSNames {
 			if !contains(domains, dnsName) {
 				domains = append(domains, dnsName)
 			}
 		}
 		return domains, nil
 	}
 	return []string{}, errors.New("decode cert bytes failed")
 }
 func ExtractIssuerName(certBytes []byte) (string, error) {
 	// Parse the PEM block
 	block, _ := pem.Decode(certBytes)
 	if block == nil || block.Type != "CERTIFICATE" {
 		return "", fmt.Errorf("failed to decode PEM block containing certificate")
 	}
 	// Parse the certificate
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse certificate: %v", err)
 	}
 	// Check if exist incase some acme server didn't have org section
 	if len(cert.Issuer.Organization) == 0 {
 		return "", fmt.Errorf("cert didn't have org section exist")
 	}
 	// Extract the issuer name
 	issuer := cert.Issuer.Organization[0]
 	return issuer, nil
 }
 // Check if a cert is expired by public key
 func CertIsExpired(certBytes []byte) bool {
 	block, _ := pem.Decode(certBytes)
 	if block != nil {
 		cert, err := x509.ParseCertificate(block.Bytes)
 		if err == nil {
 			elapsed := time.Since(cert.NotAfter)
 			if elapsed > 0 {
 				// if it is expired then add it in
 				// make sure it's uniqueless
 				return true
 			}
 		}
 	}
 	return false
 }
 // CertExpireSoon check if the given cert bytes will expires within the given number of days from now
 func CertExpireSoon(certBytes []byte, numberOfDays int) bool {
 	block, _ := pem.Decode(certBytes)
 	if block != nil {
 		cert, err := x509.ParseCertificate(block.Bytes)
 		if err == nil {
 			expirationDate := cert.NotAfter
 			threshold := time.Duration(numberOfDays) * 24 * time.Hour
 			timeRemaining := time.Until(expirationDate)
 			if timeRemaining <= threshold {
 				return true
 			}
 		}
 	}
 	return false
 }
--- a/src/mod/auth/auth.go
+++ b/src/mod/auth/auth.go
@ -0,0 +1,484 @@
 package auth
 /*
 	author: tobychui
 */
 import (
 	"crypto/rand"
 	"crypto/sha512"
 	"errors"
 	"net/http"
 	"net/mail"
 	"strings"
 	"encoding/hex"
 	"github.com/gorilla/sessions"
 	db "imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/info/logger"
 	"imuslab.com/zoraxy/mod/utils"
 )
 type AuthAgent struct {
 	//Session related
 	SessionName             string
 	SessionStore            *sessions.CookieStore
 	Database                *db.Database
 	LoginRedirectionHandler func(http.ResponseWriter, *http.Request)
 	Logger                  *logger.Logger
 }
 type AuthEndpoints struct {
 	Login         string
 	Logout        string
 	Register      string
 	CheckLoggedIn string
 	Autologin     string
 }
 // Constructor
 func NewAuthenticationAgent(sessionName string, key []byte, sysdb *db.Database, allowReg bool, systemLogger *logger.Logger, loginRedirectionHandler func(http.ResponseWriter, *http.Request)) *AuthAgent {
 	store := sessions.NewCookieStore(key)
 	err := sysdb.NewTable("auth")
 	if err != nil {
 		systemLogger.Println("Failed to create auth database. Terminating.")
 		panic(err)
 	}
 	//Create a new AuthAgent object
 	newAuthAgent := AuthAgent{
 		SessionName:             sessionName,
 		SessionStore:            store,
 		Database:                sysdb,
 		LoginRedirectionHandler: loginRedirectionHandler,
 		Logger:                  systemLogger,
 	}
 	//Return the authAgent
 	return &newAuthAgent
 }
 func GetSessionKey(sysdb *db.Database, logger *logger.Logger) (string, error) {
 	sysdb.NewTable("auth")
 	sessionKey := ""
 	if !sysdb.KeyExists("auth", "sessionkey") {
 		key := make([]byte, 32)
 		rand.Read(key)
 		sessionKey = string(key)
 		sysdb.Write("auth", "sessionkey", sessionKey)
 		logger.PrintAndLog("auth", "New authentication session key generated", nil)
 	} else {
 		logger.PrintAndLog("auth", "Authentication session key loaded from database", nil)
 		err := sysdb.Read("auth", "sessionkey", &sessionKey)
 		if err != nil {
 			return "", errors.New("database read error. Is the database file corrupted?")
 		}
 	}
 	return sessionKey, nil
 }
 // This function will handle an http request and redirect to the given login address if not logged in
 func (a *AuthAgent) HandleCheckAuth(w http.ResponseWriter, r *http.Request, handler func(http.ResponseWriter, *http.Request)) {
 	if a.CheckAuth(r) {
 		//User already logged in
 		handler(w, r)
 	} else {
 		//User not logged in
 		a.LoginRedirectionHandler(w, r)
 	}
 }
 // Handle login request, require POST username and password
 func (a *AuthAgent) HandleLogin(w http.ResponseWriter, r *http.Request) {
 	//Get username from request using POST mode
 	username, err := utils.PostPara(r, "username")
 	if err != nil {
 		//Username not defined
 		a.Logger.PrintAndLog("auth", r.RemoteAddr+" trying to login with username: "+username, nil)
 		utils.SendErrorResponse(w, "Username not defined or empty.")
 		return
 	}
 	//Get password from request using POST mode
 	password, err := utils.PostPara(r, "password")
 	if err != nil {
 		//Password not defined
 		utils.SendErrorResponse(w, "Password not defined or empty.")
 		return
 	}
 	//Get rememberme settings
 	rememberme := false
 	rmbme, _ := utils.PostPara(r, "rmbme")
 	if rmbme == "true" {
 		rememberme = true
 	}
 	//Check the database and see if this user is in the database
 	passwordCorrect, rejectionReason := a.ValidateUsernameAndPasswordWithReason(username, password)
 	//The database contain this user information. Check its password if it is correct
 	if passwordCorrect {
 		//Password correct
 		// Set user as authenticated
 		a.LoginUserByRequest(w, r, username, rememberme)
 		//Print the login message to console
 		a.Logger.PrintAndLog("auth", username+" logged in.", nil)
 		utils.SendOK(w)
 	} else {
 		//Password incorrect
 		a.Logger.PrintAndLog("auth", username+" login request rejected: "+rejectionReason, nil)
 		utils.SendErrorResponse(w, rejectionReason)
 		return
 	}
 }
 func (a *AuthAgent) ValidateUsernameAndPassword(username string, password string) bool {
 	succ, _ := a.ValidateUsernameAndPasswordWithReason(username, password)
 	return succ
 }
 // validate the username and password, return reasons if the auth failed
 func (a *AuthAgent) ValidateUsernameAndPasswordWithReason(username string, password string) (bool, string) {
 	hashedPassword := Hash(password)
 	var passwordInDB string
 	err := a.Database.Read("auth", "passhash/"+username, &passwordInDB)
 	if err != nil {
 		//User not found or db exception
 		a.Logger.PrintAndLog("auth", username+" login with incorrect password", nil)
 		return false, "Invalid username or password"
 	}
 	if passwordInDB == hashedPassword {
 		return true, ""
 	} else {
 		return false, "Invalid username or password"
 	}
 }
 // Login the user by creating a valid session for this user
 func (a *AuthAgent) LoginUserByRequest(w http.ResponseWriter, r *http.Request, username string, rememberme bool) {
 	session, _ := a.SessionStore.Get(r, a.SessionName)
 	session.Values["authenticated"] = true
 	session.Values["username"] = username
 	session.Values["rememberMe"] = rememberme
 	//Check if remember me is clicked. If yes, set the maxage to 1 week.
 	if rememberme {
 		session.Options = &sessions.Options{
 			MaxAge: 3600 * 24 * 7, //One week
 			Path:   "/",
 		}
 	} else {
 		session.Options = &sessions.Options{
 			MaxAge: 3600 * 1, //One hour
 			Path:   "/",
 		}
 	}
 	session.Save(r, w)
 }
 // Handle logout, reply OK after logged out. WILL NOT DO REDIRECTION
 func (a *AuthAgent) HandleLogout(w http.ResponseWriter, r *http.Request) {
 	username, err := a.GetUserName(w, r)
 	if err != nil {
 		utils.SendErrorResponse(w, "user not logged in")
 		return
 	}
 	if username != "" {
 		a.Logger.PrintAndLog("auth", username+" logged out", nil)
 	}
 	// Revoke users authentication
 	err = a.Logout(w, r)
 	if err != nil {
 		utils.SendErrorResponse(w, "Logout failed")
 		return
 	}
 	utils.SendOK(w)
 }
 func (a *AuthAgent) Logout(w http.ResponseWriter, r *http.Request) error {
 	session, err := a.SessionStore.Get(r, a.SessionName)
 	if err != nil {
 		return err
 	}
 	session.Values["authenticated"] = false
 	session.Values["username"] = nil
 	session.Save(r, w)
 	return nil
 }
 // Get the current session username from request
 func (a *AuthAgent) GetUserName(w http.ResponseWriter, r *http.Request) (string, error) {
 	if a.CheckAuth(r) {
 		//This user has logged in.
 		session, _ := a.SessionStore.Get(r, a.SessionName)
 		return session.Values["username"].(string), nil
 	} else {
 		//This user has not logged in.
 		return "", errors.New("user not logged in")
 	}
 }
 // Get the current session user email from request
 func (a *AuthAgent) GetUserEmail(w http.ResponseWriter, r *http.Request) (string, error) {
 	if a.CheckAuth(r) {
 		//This user has logged in.
 		session, _ := a.SessionStore.Get(r, a.SessionName)
 		username := session.Values["username"].(string)
 		userEmail := ""
 		err := a.Database.Read("auth", "email/"+username, &userEmail)
 		if err != nil {
 			return "", err
 		}
 		return userEmail, nil
 	} else {
 		//This user has not logged in.
 		return "", errors.New("user not logged in")
 	}
 }
 // Check if the user has logged in, return true / false in JSON
 func (a *AuthAgent) CheckLogin(w http.ResponseWriter, r *http.Request) {
 	if a.CheckAuth(r) {
 		utils.SendJSONResponse(w, "true")
 	} else {
 		utils.SendJSONResponse(w, "false")
 	}
 }
 // Handle new user register. Require POST username, password, group.
 func (a *AuthAgent) HandleRegister(w http.ResponseWriter, r *http.Request, callback func(string, string)) {
 	//Get username from request
 	newusername, err := utils.PostPara(r, "username")
 	if err != nil {
 		utils.SendErrorResponse(w, "Missing 'username' paramter")
 		return
 	}
 	//Get password from request
 	password, err := utils.PostPara(r, "password")
 	if err != nil {
 		utils.SendErrorResponse(w, "Missing 'password' paramter")
 		return
 	}
 	//Get email from request
 	email, err := utils.PostPara(r, "email")
 	if err != nil {
 		utils.SendErrorResponse(w, "Missing 'email' paramter")
 		return
 	}
 	_, err = mail.ParseAddress(email)
 	if err != nil {
 		utils.SendErrorResponse(w, "Invalid or malformed email")
 		return
 	}
 	//Ok to proceed create this user
 	err = a.CreateUserAccount(newusername, password, email)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	//Do callback if exists
 	if callback != nil {
 		callback(newusername, email)
 	}
 	//Return to the client with OK
 	utils.SendOK(w)
 	a.Logger.PrintAndLog("auth", "New user "+newusername+" added to system.", nil)
 }
 // Handle new user register without confirmation email. Require POST username, password, group.
 func (a *AuthAgent) HandleRegisterWithoutEmail(w http.ResponseWriter, r *http.Request, callback func(string, string)) {
 	//Get username from request
 	newusername, err := utils.PostPara(r, "username")
 	if err != nil {
 		utils.SendErrorResponse(w, "Missing 'username' paramter")
 		return
 	}
 	//Get password from request
 	password, err := utils.PostPara(r, "password")
 	if err != nil {
 		utils.SendErrorResponse(w, "Missing 'password' paramter")
 		return
 	}
 	//Ok to proceed create this user
 	err = a.CreateUserAccount(newusername, password, "")
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	//Do callback if exists
 	if callback != nil {
 		callback(newusername, "")
 	}
 	//Return to the client with OK
 	utils.SendOK(w)
 	a.Logger.PrintAndLog("auth", "Admin account created: "+newusername, nil)
 }
 // Check authentication from request header's session value
 func (a *AuthAgent) CheckAuth(r *http.Request) bool {
 	session, err := a.SessionStore.Get(r, a.SessionName)
 	if err != nil {
 		return false
 	}
 	// Check if user is authenticated
 	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
 		return false
 	}
 	return true
 }
 // Handle de-register of users. Require POST username.
 // THIS FUNCTION WILL NOT CHECK FOR PERMISSION. PLEASE USE WITH PERMISSION HANDLER
 func (a *AuthAgent) HandleUnregister(w http.ResponseWriter, r *http.Request) {
 	//Check if the user is logged in
 	if !a.CheckAuth(r) {
 		//This user has not logged in
 		utils.SendErrorResponse(w, "Login required to remove user from the system.")
 		return
 	}
 	//Get username from request
 	username, err := utils.PostPara(r, "username")
 	if err != nil {
 		utils.SendErrorResponse(w, "Missing 'username' paramter")
 		return
 	}
 	err = a.UnregisterUser(username)
 	if err != nil {
 		utils.SendErrorResponse(w, err.Error())
 		return
 	}
 	//Return to the client with OK
 	utils.SendOK(w)
 	a.Logger.PrintAndLog("auth", "User "+username+" has been removed from the system", nil)
 }
 func (a *AuthAgent) UnregisterUser(username string) error {
 	//Check if the user exists in the system database.
 	if !a.Database.KeyExists("auth", "passhash/"+username) {
 		//This user do not exists.
 		return errors.New("this user does not exists")
 	}
 	//OK! Remove the user from the database
 	a.Database.Delete("auth", "passhash/"+username)
 	a.Database.Delete("auth", "email/"+username)
 	return nil
 }
 // Get the number of users in the system
 func (a *AuthAgent) GetUserCounts() int {
 	entries, _ := a.Database.ListTable("auth")
 	usercount := 0
 	for _, keypairs := range entries {
 		if strings.Contains(string(keypairs[0]), "passhash/") {
 			//This is a user registry
 			usercount++
 		}
 	}
 	if usercount == 0 {
 		a.Logger.PrintAndLog("auth", "There are no user in the database", nil)
 	}
 	return usercount
 }
 // List all username within the system
 func (a *AuthAgent) ListUsers() []string {
 	entries, _ := a.Database.ListTable("auth")
 	results := []string{}
 	for _, keypairs := range entries {
 		if strings.Contains(string(keypairs[0]), "passhash/") {
 			username := strings.Split(string(keypairs[0]), "/")[1]
 			results = append(results, username)
 		}
 	}
 	return results
 }
 // Check if the given username exists
 func (a *AuthAgent) UserExists(username string) bool {
 	userpasswordhash := ""
 	err := a.Database.Read("auth", "passhash/"+username, &userpasswordhash)
 	if err != nil || userpasswordhash == "" {
 		return false
 	}
 	return true
 }
 // Update the session expire time given the request header.
 func (a *AuthAgent) UpdateSessionExpireTime(w http.ResponseWriter, r *http.Request) bool {
 	session, _ := a.SessionStore.Get(r, a.SessionName)
 	if session.Values["authenticated"].(bool) {
 		//User authenticated. Extend its expire time
 		rememberme := session.Values["rememberMe"].(bool)
 		//Extend the session expire time
 		if rememberme {
 			session.Options = &sessions.Options{
 				MaxAge: 3600 * 24 * 7, //One week
 				Path:   "/",
 			}
 		} else {
 			session.Options = &sessions.Options{
 				MaxAge: 3600 * 1, //One hour
 				Path:   "/",
 			}
 		}
 		session.Save(r, w)
 		return true
 	} else {
 		return false
 	}
 }
 // Create user account
 func (a *AuthAgent) CreateUserAccount(newusername string, password string, email string) error {
 	//Check user already exists
 	if a.UserExists(newusername) {
 		return errors.New("user with same name already exists")
 	}
 	key := newusername
 	hashedPassword := Hash(password)
 	err := a.Database.Write("auth", "passhash/"+key, hashedPassword)
 	if err != nil {
 		return err
 	}
 	if email != "" {
 		err = a.Database.Write("auth", "email/"+key, email)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Hash the given raw string into sha512 hash
 func Hash(raw string) string {
 	h := sha512.New()
 	h.Write([]byte(raw))
 	return hex.EncodeToString(h.Sum(nil))
 }
--- a/src/mod/auth/router.go
+++ b/src/mod/auth/router.go
@ -0,0 +1,67 @@
 package auth
 import (
 	"errors"
 	"fmt"
 	"net/http"
 )
 type RouterOption struct {
 	AuthAgent     *AuthAgent
 	RequireAuth   bool                                     //This router require authentication
 	DeniedHandler func(http.ResponseWriter, *http.Request) //Things to do when request is rejected
 	TargetMux     *http.ServeMux
 }
 type RouterDef struct {
 	option    RouterOption
 	endpoints map[string]func(http.ResponseWriter, *http.Request)
 }
 func NewManagedHTTPRouter(option RouterOption) *RouterDef {
 	return &RouterDef{
 		option:    option,
 		endpoints: map[string]func(http.ResponseWriter, *http.Request){},
 	}
 }
 func (router *RouterDef) HandleFunc(endpoint string, handler func(http.ResponseWriter, *http.Request)) error {
 	//Check if the endpoint already registered
 	if _, exist := router.endpoints[endpoint]; exist {
 		fmt.Println("WARNING! Duplicated registering of web endpoint: " + endpoint)
 		return errors.New("endpoint register duplicated")
 	}
 	authAgent := router.option.AuthAgent
 	//OK. Register handler
 	if router.option.TargetMux == nil {
 		http.HandleFunc(endpoint, func(w http.ResponseWriter, r *http.Request) {
 			//Check authentication of the user
 			if router.option.RequireAuth {
 				authAgent.HandleCheckAuth(w, r, func(w http.ResponseWriter, r *http.Request) {
 					handler(w, r)
 				})
 			} else {
 				handler(w, r)
 			}
 		})
 	} else {
 		router.option.TargetMux.HandleFunc(endpoint, func(w http.ResponseWriter, r *http.Request) {
 			//Check authentication of the user
 			if router.option.RequireAuth {
 				authAgent.HandleCheckAuth(w, r, func(w http.ResponseWriter, r *http.Request) {
 					handler(w, r)
 				})
 			} else {
 				handler(w, r)
 			}
 		})
 	}
 	router.endpoints[endpoint] = handler
 	return nil
 }
--- a/src/mod/auth/sso/app.go
+++ b/src/mod/auth/sso/app.go
@ -0,0 +1,34 @@
 package sso
 /*
 	app.go
 	This file contains the app structure and app management
 	functions for the SSO module.
 */
 // RegisteredUpstreamApp is a structure that contains the information of an
 // upstream app that is registered with the SSO server
 type RegisteredUpstreamApp struct {
 	ID              string
 	Secret          string
 	Domain          []string
 	Scopes          []string
 	SessionDuration int //in seconds, default to 1 hour
 }
 // RegisterUpstreamApp registers an upstream app with the SSO server
 func (s *SSOHandler) ListRegisteredApps() []*RegisteredUpstreamApp {
 	apps := make([]*RegisteredUpstreamApp, 0)
 	for _, app := range s.Apps {
 		apps = append(apps, &app)
 	}
 	return apps
 }
 // RegisterUpstreamApp registers an upstream app with the SSO server
 func (s *SSOHandler) GetAppByID(appID string) (*RegisteredUpstreamApp, bool) {
 	app, ok := s.Apps[appID]
 	return &app, ok
 }
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`<svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="m772-635-43-100-104-46 104-45 43-95 43 95 104 45-104 46-43 100Zm0 595-43-96-104-45 104-45 43-101 43 101 104 45-104 45-43 96ZM333-194l-92-197-201-90 201-90 92-196 93 196 200 90-200 90-93 197Zm0-148 48-96 98-43-98-43-48-96-47 96-99 43 99 43 47 96Zm0-139Z"/></svg>`
		`@ -0,0 +1 @@`
							`<svg fill="#ff7a7a" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M280-453h400v-60H280v60ZM480-80q-82 0-155-31.5t-127.5-86Q143-252 111.5-325T80-480q0-83 31.5-156t86-127Q252-817 325-848.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82-31.5 155T763-197.5q-54 54.5-127 86T480-80Zm0-60q142 0 241-99.5T820-480q0-142-99-241t-241-99q-141 0-240.5 99T140-480q0 141 99.5 240.5T480-140Zm0-340Z"/></svg>`
		`@ -0,0 +1 @@`
							`<svg fill="#919191" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M120-80v-270h120v-160h210v-100H330v-270h300v270H510v100h210v160h120v270H540v-270h120v-100H300v100h120v270H120Zm270-590h180v-150H390v150ZM180-140h180v-150H180v150Zm420 0h180v-150H600v150ZM480-670ZM360-290Zm240 0Z"/></svg>`
		`@ -0,0 +1 @@`
							<svg class="item-icon" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M356-120H180q-24 0-42-18t-18-42v-176q44-5 75.5-34.5T227-463q0-43-31.5-72.5T120-570v-176q0-24 18-42t42-18h177q11-40 39.5-67t68.5-27q40 0 68.5 27t39.5 67h173q24 0 42 18t18 42v173q40 11 65.5 41.5T897-461q0 40-25.5 67T806-356v176q0 24-18 42t-42 18H570q-5-48-35.5-77.5T463-227q-41 0-71.5 29.5T356-120Zm-176-60h130q25-61 69.888-84 44.888-23 83-23T546-264q45 23 70 84h130v-235h45q20 0 33-13t13-33q0-20-13-33t-33-13h-45v-239H511v-48q0-20-13-33t-33-13q-20 0-33 13t-13 33v48H180v130q48.15 17.817 77.575 59.686Q287-514.445 287-462.777 287-412 257.5-370T180-310v130Zm329-330Z"/></svg>
		`@ -0,0 +1 @@`
							`<svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48" fill="#fcba03"><path d="M273-160 80-353l193-193 42 42-121 121h316v60H194l121 121-42 42Zm414-254-42-42 121-121H450v-60h316L645-758l42-42 193 193-193 193Z"/></svg>`
		`@ -0,0 +1 @@`
							<svg fill="#83f2c4" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M197-197q-54-54-85.5-126.5T80-480q0-84 31.5-156.5T197-763l43 43q-46 46-73 107.5T140-480q0 71 26.5 132T240-240l-43 43Zm113-113q-32-32-51-75.5T240-480q0-51 19-94.5t51-75.5l43 43q-24 24-38.5 56.5T300-480q0 38 14 70t39 57l-43 43Zm170-90q-33 0-56.5-23.5T400-480q0-33 23.5-56.5T480-560q33 0 56.5 23.5T560-480q0 33-23.5 56.5T480-400Zm170 90-43-43q24-24 38.5-56.5T660-480q0-38-14-70t-39-57l43-43q32 32 51 75.5t19 94.5q0 50-19 93.5T650-310Zm113 113-43-43q46-46 73-107.5T820-480q0-71-26.5-132T720-720l43-43q54 55 85.5 127.5T880-480q0 83-31.5 155.5T763-197Z"/></svg>
		`@ -0,0 +1 @@`
							<svg fill="#edf230" xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 -960 960 960" width="48"><path d="M109.912-150Q81-150 60.5-170.589 40-191.177 40-220.089 40-249 60.494-269.5t49.273-20.5q5.233 0 10.233.5 5 .5 13 2.5l200-200q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q371.177-580 400.089-580 429-580 449.5-559.366t20.5 49.61Q470-508 467-487l110 110q8-2 13-2.5t10-.5q5 0 10 .5t13 2.5l160-160q-2-8-2.5-13t-.5-10.233q0-28.779 20.589-49.273Q821.177-630 850.089-630 879-630 899.5-609.411q20.5 20.588 20.5 49.5Q920-531 899.506-510.5T850.233-490Q845-490 840-490.5q-5-.5-13-2.5L667-333q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q628.823-240 599.911-240 571-240 550.5-260.494T530-309.767q0-5.233.5-10.233.5-5 2.5-13L423-443q-8 2-13 2.5t-10.25.5q-1.75 0-22.75-3L177-243q2 8 2.5 13t.5 10.233q0 28.779-20.589 49.273Q138.823-150 109.912-150ZM160-592l-20.253-43.747L96-656l43.747-20.253L160-720l20.253 43.747L224-656l-43.747 20.253L160-592Zm440-51-30.717-66.283L503-740l66.283-30.717L600-837l30.717 66.283L697-740l-66.283 30.717L600-643Z"/></svg>