Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>

2018-05-22 11:32:31 +08:00 · 2018-05-22 11:30:19 +08:00 · 2018-05-22 11:26:34 +08:00 · 2018-05-22 11:21:58 +08:00 · 2018-05-21 16:04:40 +08:00 · 2018-05-20 22:46:51 +08:00
431 changed files with 35124 additions and 2009 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,10 @@
 proxy
+goproxy
 *.exe
 *.exe~
 .*
+*.prof
+!.gitignore
 release-*
 proxy.crt
 proxy.key
--- a/69
+++ b/69
@ -1,4 +1,73 @@
 proxy更新日志
+v4.8
+1.优化了SPS连接HTTP上级的指令,避免了某些代理不响应的问题.
+2.SPS功能增加了参数:
+  --disable-http:禁用http(s)代理
+  --disable-socks:禁用socks代理
+  默认都是false(开启).
+3.重构了部分代码的日志部分,保证了日志按着预期输出.
+4.修复了sps\http代理初始化服务的时机不正确,导致nil异常的bug.
+5.优化了sps日志输出.
+6.--debug参数增加了Profiling功能,可以保存cpu,内存等多种调试数据到文件.
+7.优化了服务注册,避免了不必要的内存开销.
+8.增加了Dockerfile和docker安装手册.
+9.优化了ioCopy避免了内存泄漏,大大提升了内存占用的稳定性.
+
+
+v4.7
+1.增加了基于gomobile的sdk,对android/ios/windows/linux/mac提供SDK支持.
+2.优化了bridge的日志,增加了client和server的掉线日志.
+3.优化了sps读取http(s)代理响应的缓冲大小,同时优化了CONNECT请求,
+ 避免了某些代理服务器返回过多数据导致不能正常通讯的问题.
+4.去除了鸡肋连接池功能.
+5.优化了所有服务代码,方便对sdk提供支持.
+6.增加了SDK手册.
+7.增加了GUI客户端(windows/web/android/ios)介绍主页.
+8.SPS\HTTP(s)\Socks代理增加了自定义加密传输,只需要通过参数-z和-Z设置一个密码即可.
+9.SPS\HTTP(s)\Socks代理增加了压缩传输,只需要通过参数-m和-M设置即可.
+10.手册增加了SPS\HTTP(s)\Socks自定义加密的使用示例.
+11.手册增加了SPS\HTTP(s)\Socks压缩传输的使用示例.
+12.优化了多链接版本的内网穿透,融合了多链接和smux的优点,即能够拥有大的吞吐量,
+ 同时又具备mux的心跳机制保证了链接的稳定性.
+13.手册增加了大量配图.
+14.优化了socks代理udp上级的设置逻辑,智能判断parent上级填充udp parent.
+15.优化了项目文件夹结构,使用源码可以直接go get.
+
+v4.6
+1.sps,http(s),socks5,内网穿透都做了大量的超时优化处理,更加稳定.
+2.sps增加了强大的树形级联认证支持,可以轻松构建你的认证代理网络.
+3.手册增加了6.6对sps认证功能的介绍.
+
+
+v4.5
+1.优化了mux内网穿透连接管理逻辑,增强了稳定性.  
+2.mux内网穿透增加了tcp和kcp协议支持,之前是tls,现在支持三种协议tcp,tls,kcp.  
+3.keygen参数增加了用法: proxy keygen usage.  
+4.http(s)/socks5代理,tls增加了自签名证书支持.  
+5.建议升级.   
+v4.4
+1.增加了协议转换sps功能，代理协议转换使用的是sps子命令(socks+https的缩写)，
+sps本身不提供代理功能，只是接受代理请求"转换并转发"给已经存在的http(s)代理
+或者socks5代理；sps可以把已经存在的http(s)代理或者socks5代理转换为一个端口
+同时支持http(s)和socks5代理，而且http(s)代理支持正向代理和反向代理(SNI)，转
+换后的SOCKS5代理不支持UDP功能；另外对于已经存在的http(s)代理或者socks5代理，
+支持tls、tcp、kcp三种模式，支持链式连接，也就是可以多个sps结点层级连接构建
+加密通道。
+2.增加了对KCP传输参数的配置，多达17个参数可以自由的配置对kcp传输效率调优。
+3.内网穿透功能，server和client增加了--session-count参数，可以设置server每个
+监听端口到bridge打开的session数量，可以设置client到bridge打开的session数量，
+之前都是1个，现在性能提升N倍，N就是你自己设置的--session-count，这个参数很大
+程度上解决了多路复用的拥塞问题，v4.4开始默认10个。
+
+v4.3
+1.优化了参数keygen生成证书逻辑，避免证书出现特征。
+2.http(s)和socks代理增加了--dns-address和--dns-ttl参数。
+ 用于自己指定proxy访问域名的时候使用的dns（--dns-address）以及解析结果缓存时间（--dns-ttl）秒数，
+ 避免系统dns对proxy的干扰，另外缓存功能还能减少dns解析时间提高访问速度。
+3.优化了http代理的basic认证逻辑。
+提示：
+v4.3生成的证书不适用于v4.2及以下版本。
+
 v4.2
 1.优化了内网穿透,避免了client意外下线,导致链接信息残留的问题.
 2.http代理增加了SNI支持,现在http(s)代理模式支持反向代理,支持http(s)透明代理.
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+FROM golang:1.8.5-alpine as builder
+ARG GOPROXY_VERSION=master
+RUN apk update && apk upgrade && \
+    apk add --no-cache git && cd /go/src/ && git clone https://github.com/snail007/goproxy && \
+	cd goproxy && git checkout ${GOPROXY_VERSION} && \
+    go get && CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o proxy
+FROM alpine:3.7
+COPY --from=builder /go/src/goproxy/proxy /
+CMD /proxy ${OPTS}
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -1,11 +1,15 @@
 {
-	"ImportPath": "proxy",
+	"ImportPath": "github.com/snail007/goproxy",
 	"GoVersion": "go1.8",
-	"GodepVersion": "v79",
+	"GodepVersion": "v80",
 	"Packages": [
 		"./..."
 	],
 	"Deps": [
+		{
+			"ImportPath": "github.com/Yawning/chacha20",
+			"Rev": "e3b1f968fc6397b51d963fee8ec8711a47bc0ce8"
+		},
 		{
 			"ImportPath": "github.com/alecthomas/template",
 			"Rev": "a0175ee3bccc567396460bf5acd36800cb10c49c"
@ -22,6 +26,11 @@
 			"ImportPath": "github.com/golang/snappy",
 			"Rev": "553a641470496b2327abcac10b36396bd98e45c9"
 		},
+		{
+			"ImportPath": "github.com/miekg/dns",
+			"Comment": "v1.0.4-1-g40b5202",
+			"Rev": "40b520211179dbf7eaafaa7fe1ffaa1b7d929ee0"
+		},
 		{
 			"ImportPath": "github.com/pkg/errors",
 			"Comment": "v0.8.0-6-g602255c",
@ -58,71 +67,75 @@
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/blowfish",
-			"Rev": "f899cbd3df85058aa20d1cf129473b18f2a2b49f"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/cast5",
-			"Rev": "86e16787bfd59cb4db9e278c51a95488c141a5d6"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/curve25519",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/ed25519",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/ed25519/internal/edwards25519",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/pbkdf2",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/salsa20",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/salsa20/salsa",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/ssh",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/tea",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/twofish",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/xtea",
-			"Rev": "1843fabd21d7180cf65e36759986d00c13dbb0fd"
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
 			"ImportPath": "golang.org/x/net/bpf",
-			"Rev": "114479435b31b5077a087cc5303a45cb5d355dc4"
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
 			"ImportPath": "golang.org/x/net/internal/iana",
-			"Rev": "114479435b31b5077a087cc5303a45cb5d355dc4"
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
 			"ImportPath": "golang.org/x/net/internal/socket",
-			"Rev": "114479435b31b5077a087cc5303a45cb5d355dc4"
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
 			"ImportPath": "golang.org/x/net/ipv4",
-			"Rev": "114479435b31b5077a087cc5303a45cb5d355dc4"
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
+		},
+		{
+			"ImportPath": "golang.org/x/net/ipv6",
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
 			"ImportPath": "golang.org/x/time/rate",
-			"Rev": "8be79e1e0910c292df4e79c241bb7e8f7e725959"
+			"Rev": "6dc17368e09b0e8634d71cac8168d853e869a0c7"
 		},
 		{
 			"ImportPath": "gopkg.in/alecthomas/kingpin.v2",
--- a/README.md
+++ b/README.md
@ -1,11 +1,12 @@
-<img src="https://github.com/snail007/goproxy/blob/master/docs/images/logo.jpg?raw=true" width="200"/>  
-Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 proxy server implemented by golang. It supports parent proxy,nat forward,TCP/UDP port forwarding, SSH transfer. you can expose a local server behind a NAT or firewall to the internet.  
+<img src="https://github.com/snail007/goproxy/blob/master/docs/images/logo.jpg?raw=true" width="200"/>
+Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 proxy server implemented by golang. It supports parent proxy,nat forward,TCP/UDP port forwarding, SSH transfer, TLS encrypted transmission, protocol conversion. you can expose a local server behind a NAT or firewall to the internet.  
+
  
 ---  
  
 [![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy/) [![license](https://img.shields.io/github/license/snail007/goproxy.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy/total.svg?style=plastic)](https://github.com/snail007/goproxy/releases) [![download](https://img.shields.io/github/release/snail007/goproxy.svg?style=plastic)](https://github.com/snail007/goproxy/releases)  
  
-[中文手册](/README_ZH.md)  
+[中文手册](/README_ZH.md)  **[全平台GUI版本](/gui/README.md)**  **[全平台SDK](/sdk/README.md)**   

 ### Features  
 - chain-style proxy: the program itself can be a primary proxy, and if a parent proxy is set, it can be used as a second level proxy or even a N level proxy.  
@ -19,6 +20,11 @@ Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 prox
 - SSH forwarding: HTTP (S), SOCKS5 proxy support SSH transfer, parent Linux server does not need any server, a local proxy can be happy to access the Internet.  
 - [KCP](https://github.com/xtaci/kcp-go) protocol is supported: HTTP (S), SOCKS5 proxy supports the KCP protocol which can transmit data, reduce latency, and improve the browsing experience.  
 - The integrated external API, HTTP (S): SOCKS5 proxy authentication can be integrated with the external HTTP API, which can easily control the user's access through the external system.  
+- Reverse proxy: goproxy supports directly parsing the domain to proxy monitor IP, and then proxy will help you to access the HTTP (S) site that you need to access.
+- Transparent proxy: with the iptables, goproxy can directly forward the 80 and 443 port's traffic to proxy in the gateway, and can realize the unaware intelligent router proxy.  
+- Protocol conversion: The existing HTTP (S) or SOCKS5 proxy can be converted to a proxy which support both HTTP (S) and SOCKS5 by one port, but the converted SOCKS5 proxy does not support the UDP function.Also support powerful cascading authentication.  
+- Custom underlying encrypted transmission, HTTP(s)\sps\socks proxy can encrypt TCP data through TLS standard encryption and KCP protocol encryption. In addition, it also supports custom encryption after TLS and KCP. That is to say, custom encryption and tls|kcp can be used together. The internal uses AES256 encryption, and it only needs to define one password by yourself when is used.   
+- Low level compression and efficient transmission，The HTTP(s)\sps\socks proxy can encrypt TCP data through a custom encryption and TLS standard encryption and KCP protocol encryption, and can also compress the data after encryption. That is to say, the compression and custom encryption and tls|kcp can be used together.
  
 ### Why need these?  
 - Because for some reason, we cannot access our services elsewhere. We can build a secure tunnel to access our services through multiple connected proxy nodes.  
@ -30,7 +36,13 @@ Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 prox
 - ...  

 
-This page is the v4.0-v4.1 manual, and the other version of the manual can be checked by the following link.  
+This page is the v4.7 manual, and the other version of the manual can be checked by the following link.  
+- [v4.6 manual](https://github.com/snail007/goproxy/tree/v4.6)
+- [v4.5 manual](https://github.com/snail007/goproxy/tree/v4.5)
+- [v4.4 manual](https://github.com/snail007/goproxy/tree/v4.4)
+- [v4.3 manual](https://github.com/snail007/goproxy/tree/v4.3)
+- [v4.2 manual](https://github.com/snail007/goproxy/tree/v4.2)
+- [v4.0-4.1 manual](https://github.com/snail007/goproxy/tree/v4.1)
 - [v3.9 manual](https://github.com/snail007/goproxy/tree/v3.9)
 - [v3.8 manual](https://github.com/snail007/goproxy/tree/v3.8)
 - [v3.6-v3.7 manual](https://github.com/snail007/goproxy/tree/v3.6)
@ -43,13 +55,16 @@ This page is the v4.0-v4.1 manual, and the other version of the manual can be ch
 - [v2.x manual](https://github.com/snail007/goproxy/tree/v2.2)  

 ### How to find the organization?  
-[Click to join the communication organization](https://gitter.im/go-proxy/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link)  
+[Click to join the proxy group of gitter](https://gitter.im/go-proxy/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link)  
+[Click to join the proxy group of telegram](https://t.me/joinchat/GYHXghCDSBmkKZrvu4wIdQ)    
+

 ### Installation
 - [Quick installation](#quick-installation)
 - [Manual installation](#manual-installation)
+- [Docker installation](#docker-installation)

-### First use must be read
+### First use must read
 - [Environmental Science](#environmental-science)
 - [Use configuration file](#use-configuration-file)
 - [Debug output](#debug-output)
@ -71,7 +86,12 @@ This page is the v4.0-v4.1 manual, and the other version of the manual can be ch
        - [1.7.1 The way of username and password](#171the-way-of-username-and-password)
        - [1.7.2 The way of username and key](#172the-way-of-username-and-key)
    - [1.8 KCP protocol transmission](#18kcp-protocol-transmission)
-    - [1.9 View help](#19view-help)
+    - [1.9 HTTP(S) reverse proxy](#19http-reverse-proxy)
+    - [1.10 HTTP(S) transparent proxy](#110http-transparent-proxy)
+    - [1.11 Custom DNS](#111custom-dns)
+    - [1.12 Custom encryption](#112-custom-encryption)
+    - [1.13 Compressed transmission](#113-compressed-transmission)
+    - [1.14 View help](#114view-help)
 - [2.TCP proxy](#2tcp-proxy)
    - [2.1 Common TCP first level proxy](#21common-tcp-first-level-proxy)
    - [2.2 Common TCP second level proxy](#22common-tcp-second-level-proxy)
@ -106,12 +126,29 @@ This page is the v4.0-v4.1 manual, and the other version of the manual can be ch
        - [5.6.2 The way of username and key](#562the-way-of-username-and-key)
    - [5.7 Authentication](#57authentication)
    - [5.8 KCP protocol transmission](#58kcp-protocol-transmission)
-    - [5.9 View help](#59view-help)
+    - [5.9 Custom DNS](#59custom-dns)
+    - [5.10 Custom encryption](#510custom-encryption)
+    - [5.11 Compressed transmission](#511compressed-transmission)
+    - [5.12 View help](#512view-help)
+- [6.Proxy protocol conversion](#6proxy-protocol-conversion)
+    - [6.1 Functional introduction](#61functional-introduction)
+    - [6.2 HTTP(S) to HTTP(S) + SOCKS5](#62http-to-http-socks5)
+    - [6.3 SOCKS5 to HTTP(S) + SOCKS5](#63socks5-to-http-socks5)
+    - [6.4 Chain style connection](#64chain-style-connection)
+    - [6.5 Listening on multiple ports](#65listening-on-multiple-ports)
+    - [6.6 Authentication](#66authentication)
+    - [6.7 Custom encryption](#67-custom-encryption)
+    - [6.8 Compressed transmission](#68-compressed-transmission)
+    - [6.9 View Help](#69view-help)
+- [7.KCP Configuration](#7kcp-configuration)
+    - [7.1 Configuration introduction](#71configuration-introduction)
+    - [7.2 Configuration details](#72configuration-details)
+

 ### Fast Start  
 tips:all operations require root permissions.   
 #### Quick installation
-#### **0. If your VPS is a linux64 system, you can complete the automatic installation and configuration by the following sentence.**  
+#### **0. If your VPS is linux64, you can complete the automatic installation and configuration by the following sentence.**  
 ```shell  
 curl -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto.sh | bash  
 ```  
@ -124,7 +161,7 @@ If the installation fails or your VPS is not a linux64 system, please follow the
 Download address: https://github.com/snail007/goproxy/releases  
 ```shell  
 cd /root/proxy/  
-wget https://github.com/snail007/goproxy/releases/download/v4.0/proxy-linux-amd64.tar.gz  
+wget https://github.com/snail007/goproxy/releases/download/v4.8/proxy-linux-amd64.tar.gz  
 ```  
 #### **2.Download the automatic installation script**  
 ```shell  
@ -133,18 +170,48 @@ wget https://raw.githubusercontent.com/snail007/goproxy/master/install.sh
 chmod +x install.sh  
 ./install.sh  
 ```  
+
+#### Docker installation 
+
+Dockerfile root of project uses multistage build and alpine project to comply with best practices. Uses golang 1.8.5 for building as noted in the project README.md and will be pretty small image. total extracted size will be 17.3MB for goproxy version 4.7.
+
+The default build process builds the master branch (latest commits/ cutting edge), and it can be configured to build specific version, just edit Dockerfile before build, following builds release version 4.7:
+
+```
+ARG GOPROXY_VERSION=v4.7
+```
+
+To Run:
+1. Clone the repository and cd into it.
+```
+sudo docker build .
+```
+2. Tag the image:
+```
+sudo docker tag <id from previous step>  goproxy/goproxy:latest
+```
+3. Run! 
+Just put your arguments to proxy binary in the OPTS environmental variable (this is just a sample http proxy):
+```
+sudo docker run -d --restart=always --name goproxy -e OPTS="http -p :33080" -p 33080:33080 goproxy/goproxy:latest
+```
+4. View logs:
+```
+sudo docker logs -f goproxy
+```
+
  
 ## **First use must be read**  
  
 ### **Environmental Science**  
-The following tutorial, the default system is Linux, the program is proxy; all operations require root permissions.   
+The following tutorial defaults system is Linux, the program is proxy and all operations require root permissions.   
 If the system are windows, please use proxy.exe.  
  
 ### **Use configuration file**  
-The following tutorial is to introduce the use method by the command line parameters, or by reading the configuration file to get the parameters.  
+The following tutorial is to introduce the useage by the command line parameters, or by reading the configuration file to get the parameters.  
 The specific format is to specify a configuration file by the @ symbol, for example, ./proxy @configfile.txt.   
-configfile.txt's format: The first line is the subcommand name, and the second line begins one line: the long format of the parameter = the parameter value, there is no space and double quotes before and after.  
-The long format of the parameter's beginning is always --, the short format of the parameter's beginning is always -. If you don't know which short form parameter corresponds to the long format parameter, please look at the help command.  
+configfile.txt's format: The first line is the subcommand name, and the second line begins a new line: the long format of the parameter = the parameter value, there is no space and double quotes before and after.  
+The long format of the parameter's beginning is --, the short format of the parameter's beginning is -. If you don't know which short form corresponds to the long format, please look at the help command.  
 For example, the contents of configfile.txt are as follows:
 ```shell
 http
@ -183,9 +250,11 @@ Assuming that your VPS outer external network IP is 23.23.23.23, the following c

 ### **1.HTTP proxy**  
 #### **1.1.common HTTP proxy**  
+![1.1](/docs/images/http-1.png)  
 `./proxy http -t tcp -p "0.0.0.0:38080"`  
  
 #### **1.2.Common HTTP second level proxy**  
+![1.2](/docs/images/http-2.png)  
 Using local port 8090, assume the parent HTTP proxy is: `22.22.22.22:8080`  
 `./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
 The connection pool is closed by default. If you want to speed up access speed, -L can open the connection pool, the 10 is the size of the connection pool, and the 0 is closed.  
@ -195,6 +264,7 @@ We can also specify the black and white list files of the domain name, one line
 `./proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **1.3.HTTP second level encrypted proxy**  
+![1.3](/docs/images/http-tls-2.png)  
 HTTP first level proxy(VPS,IP:22.22.22.22)    
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -207,6 +277,7 @@ HTTP second level proxy(local windows)
 In your windos system, the mode of the program that needs to surf the Internet by proxy is setted up as HTTP mode, the address is 127.0.0.1, the port is: 8080, the program can go through the encrypted channel through VPS to surf on the internet.  
  
 #### **1.4.HTTP third level encrypted proxy**  
+![1.4](/docs/images/http-tls-3.png)  
 HTTP first level proxy VPS_01,IP:22.22.22.22    
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 HTTP second level proxy VPS_02,IP:33.33.33.33   
@ -243,6 +314,7 @@ Through --always, all HTTP proxy traffic can be coercion to the parent HTTP prox
 `./proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **1.7.Transfer through SSH**  
+![1.7](/docs/images/http-ssh-1.png)  
 Explanation: the principle of SSH transfer is to take advantage of SSH's forwarding function, which is, after you connect to SSH, you can access to the target address through the SSH proxy.  
 Suppose there is a vps  
 - IP is 2.2.2.2, ssh port is 22, ssh username is user, ssh password is demo  
@ -256,26 +328,137 @@ Local HTTP (S) proxy use 28080 port,excute:
 `./proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`  

 #### **1.8.KCP protocol transmission**  
-The KCP protocol requires a -B parameter to set a password which can encrypt and decrypt data.  
+![1.8](/docs/images/http-kcp.png)  
+The KCP protocol requires a --kcp-key parameter to set a password which can encrypt and decrypt data.   

 Http first level proxy(VPS,IP:22.22.22.22)  
-`./proxy http -t kcp -p ":38080" -B mypassword`  
+`./proxy http -t kcp -p ":38080" --kcp-key mypassword`  
  
 Http second level proxy(os is Linux)  
-`./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" -B mypassword`  
+`./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`  
 Then access to the local 8080 port is access to the proxy's port 38080 on the VPS, and the data is transmitted through the KCP protocol.  
+#### **1.9.HTTP reverse proxy** 
+![1.9](/docs/images/fxdl.png)  
+Proxy supports not only set up a proxy through in other software, to provide services for other software, but support the request directly to the website domain to proxy monitor IP when proxy monitors 80 and 443 ports, then proxy will automatically access to the HTTP proxy access website for you.  

-#### **1.9.view help**  
+How to use:  
+On the last level proxy computer, because proxy is disguised as all websites and the default port of HTTP is 80, HTTPS is 443, the proxy listens to 80 and 443 port. Parameters -p multiple addresses are separated by commas.  
+`./proxy http -t tcp -p :80,:443`    
+
+This command starts a proxy on the computer, and listens to 80 and 443 ports. It can be used as a common proxy and it can directly resolve the domain that needs proxy to the IP of the computer. 
+
+If a parent proxy exist, you can refer to the above tutorial to set up a parent. The way of use is exactly the same.  
+`./proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key`   
+
+Notice:  
+The result of the DNS parsing of the server in which proxy is located can not affected by a custom parsing, if not, it is dead cycle.  
+  
+#### **1.10.HTTP transparent proxy** 
+The mode needs a certain network knowledge, if the related concepts don't understand, you must search it by yourself.  
+Assuming that proxy is now running on the router, the boot command is as follows:  
+`./proxy http -t tcp -p :33080 -T tls -P "2.2.2.2:33090" -C proxy.crt -K proxy.key`   
+
+Then the iptables rule is added, and the following rule is a reference rule:  
+```shell
+#IP of parent proxy:
+proxy_server_ip=2.2.2.2
+
+#Proxy that the router runs monitor the port:
+proxy_local_port=33080
+
+#The following don't need to be modified
+#create a new chain named PROXY
+iptables -t nat -N PROXY
+
+# Ignore your PROXY server's addresses
+# It's very IMPORTANT, just be careful.
+
+iptables -t nat -A PROXY -d $proxy_server_ip -j RETURN
+
+# Ignore LANs IP address
+iptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN
+iptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN
+iptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN
+iptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN
+iptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN
+iptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN
+iptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN
+iptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN
+
+# Anything to port 80 443 should be redirected to PROXY's local port
+iptables -t nat -A PROXY -p tcp --dport 80 -j REDIRECT --to-ports $proxy_local_port
+iptables -t nat -A PROXY -p tcp --dport 443 -j REDIRECT --to-ports $proxy_local_port
+
+# Apply the rules to nat client
+iptables -t nat -A PREROUTING -p tcp -j PROXY
+# Apply the rules to localhost
+iptables -t nat -A OUTPUT -p tcp -j PROXY
+```
+- Clearing the whole chain command is iptables -F chain name, such as iptables -t NAT -F PROXY
+- Deleting the specified chain that user defined command is iptables -X chain name, such as iptables -t NAT -X PROXY
+- Deleting the rules of the chain command is iptables -D chain name from the selected chain, such as  iptables -t nat -D PROXY -d 223.223.192.0/255.255.240.0 -j RETURN
+
+#### **1.11.Custom DNS** 
+--dns-address and --dns-ttl parameters can be used to specify DNS（--dns-address） when you use proxy to access to a domain.  
+they also can specify dns result cache time (--dns-ttl) which unit is second. they can avoid the interference of system DNS to proxy. cache can reduce DNS resolution time and increase access speed.  
+for example:  
+`./proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  
+
+#### **1.12 Custom encryption**  
+HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.    
+Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -z demo_password -p :7777`  
+Local second level execution:  
+`proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -z demo_password -p :7777`  
+Second level VPS (ip:2.2.2.2) execution:  
+`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`    
+Local third level execution:  
+`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+#### **1.13 Compressed transmission**  
+HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.  
+That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.     
+The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -m -p :7777`  
+Local second level execution:  
+`proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -m -p :7777`  
+Second level VPS (ip:3.3.3.3) execution:  
+`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+Local third level execution:  
+`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+#### **1.14.view help**  
 `./proxy help http`  
  
 ### **2.TCP proxy**  
  
 #### **2.1.Common TCP first level proxy**  
+![2.1](/docs/images/tcp-1.png)  
 Local execution:  
 `./proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" -L 0`  
 Then access to the local 33080 port is the 22 port of access to 192.168.22.33.  
  
 #### **2.2.Common TCP second level proxy**  
+![2.2](/docs/images/tcp-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0`  
 local execution:  
@ -283,6 +466,7 @@ local execution:
 Then access to the local 23080 port is the 8080 port of access to 22.22.22.33.  
  
 #### **2.3.Common TCP third level proxy**  
+![2.3](/docs/images/tcp-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080" -L 0`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -292,6 +476,7 @@ TCP third level proxy (local)
 Then access to the local 8080 port is to access the 8080 port of the 66.66.66.66 by encrypting the TCP tunnel.  
  
 #### **2.4.TCP second level encrypted proxy**  
+![2.4](/docs/images/tcp-tls-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp --tls -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0 -C proxy.crt -K proxy.key`  
 local execution:  
@ -299,6 +484,7 @@ local execution:
 Then access to the local 23080 port is to access the 8080 port of the 22.22.22.33 by encrypting the TCP tunnel.  
  
 #### **2.5.TCP third level encrypted proxy**  
+![2.5](/docs/images/tcp-tls-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp --tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -313,11 +499,13 @@ Then access to the local 8080 port is to access the 8080 port of the 66.66.66.66
 ### **3.UDP proxy**  
  
 #### **3.1.Common UDP first level proxy**  
+![3.1](/docs/images/udp-1.png)  
 local execution:  
 `./proxy udp -p ":5353" -T udp -P "8.8.8.8:53"`  
 Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8.8.  
  
 #### **3.2.Common UDP second level proxy**  
+![3.2](/docs/images/udp-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"`  
 local execution:  
@ -325,6 +513,7 @@ local execution:
 Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8.8 through the TCP tunnel.  
  
 #### **3.3.Common UDP third level proxy**  
+![3.3](/docs/images/udp-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -334,6 +523,7 @@ TCP third level proxy (local)
 Then access to the local 5353 port is access to the 53 port of the 8.8.8.8 through the TCP tunnel.  
  
 #### **3.4.UDP second level encrypted proxy**  
+![3.4](/docs/images/udp-tls-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp --tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 local execution:  
@ -341,6 +531,7 @@ local execution:
 Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8.8 by the encrypting TCP tunnel. 
  
 #### **3.5.UDP third level encrypted proxy**  
+![3.5](/docs/images/udp-tls-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp --tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -354,7 +545,7 @@ Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8
  
 ### **4.Nat forward**  
 #### **4.1、Principle explanation**  
-Nat forward, divided into two versions, "multi-link version" and "multiplexed version", generally like web services Which is not a long time to connect the service recommended "multi-link version", if you want to keep long Time connection, "multiplexed version" is recommended.
+Nat forward, is divided into two versions, "multi-link version" and "multiplexed version", generally like web services Which is not a long time to connect the service recommende "multi-link version", if you want to keep long Time connection, "multiplexed version" is recommended.
 1. Multilink version, the corresponding subcommand is tserver，tclient，tbridge。  
 1. Multiplexed version, the corresponding subcommand is server，client，bridge。  
 1. the parameters and use of Multilink version and multiplexed is exactly the same.  
@ -476,8 +667,8 @@ Procedure:
  
  4.7.1.PROTOCOL is tcp or udp.  
  for example: `-r "udp://:10053@:53" -r "tcp://:10800@:1080" -r ":8080@:80"`  
-  If the --udp parameter is specified, PROTOCOL is UDP by default, then `-r ": 8080@: 80"` is UDP.  
-  If the --udp parameter is not specified, PROTOCOL is TCP by default, then `-r ": 8080@: 80"` is TCP.  
+  If the --udp parameter is specified, PROTOCOL is UDP by default, then `-r ":8080@:80"` is UDP.  
+  If the --udp parameter is not specified, PROTOCOL is TCP by default, then `-r ":8080@:80"` is TCP.  
  
  4.7.2.CLIENT_KEY by default is 'default'.  
  for example: -r "udp://:10053@[test1]:53" -r "tcp://:10800@[test2]:1080" -r ":8080@:80"  
@ -489,7 +680,7 @@ Procedure:
 #### **4.8.view help**  
 `./proxy help bridge`  
 `./proxy help server`  
-`./proxy help server`  
+`./proxy help client`  
  
 ### **5.SOCKS5 proxy**  
 Tips: SOCKS5 proxy, support CONNECT, UDP protocol and don't support BIND and support username password authentication.  
@ -497,12 +688,15 @@ Tips: SOCKS5 proxy, support CONNECT, UDP protocol and don't support BIND and sup
 `./proxy socks -t tcp -p "0.0.0.0:38080"`  
   
 #### **5.2.Common SOCKS5 second level proxy**  
+![5.2](/docs/images/socks-2.png)  
+![5.2](/docs/images/5.2.png)
 Using local port 8090, assume that the parent SOCKS5 proxy is `22.22.22.22:8080`  
 `./proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
 We can also specify the black and white list files of the domain name, one line for one domain name. The matching rule is the most right-hand matching. For example, baidu.com is *.*.baidu.com, the domain name of the blacklist is directly accessed by the parent proxy, and the domain name of the white list does not access to the parent proxy.  
 `./proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **5.3.SOCKS second level encrypted proxy**  
+![5.3](/docs/images/socks-tls-2.png)  
 SOCKS5 first level proxy(VPS,IP:22.22.22.22)  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -515,6 +709,7 @@ SOCKS5 second level proxy(local windows)
 Then set up your windows system, the proxy that needs to surf the Internet by proxy is Socks5 mode, the address is: 127.0.0.1, the port is: 8080. the program can surf the Internet through the encrypted channel which is running on VPS.  
  
 #### **5.4.SOCKS third level encrypted proxy**  
+![5.4](/docs/images/socks-tls-3.png)  
 SOCKS5 first level proxy VPS_01,IP:22.22.22.22  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 SOCKS5 second level proxy VPS_02,IP:33.33.33.33  
@ -528,6 +723,7 @@ By default, proxy will intelligently judge whether a domain name can be accessed
 `./proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **5.6.Transfer through SSH**  
+![5.6](/docs/images/socks-ssh.png)  
 Explanation: the principle of SSH transfer is to take advantage of SSH's forwarding function, which is, after you connect to SSH, you can access the target address by the SSH.  
 Suppose there is a vps  
 - IP is 2.2.2.2, SSH port is 22, SSH username is user, SSH password is Demo
@ -550,7 +746,7 @@ You can also be placed in a file, which is a line, a ‘username: password’, a
 `./proxy socks -t tcp -p ":33080" -F auth-file.txt`  

 In addition, socks5 proxy also integrates external HTTP API authentication, we can specify a http url interface address through the --auth-url parameter,  
-Then when the user is connected, the proxy GET request this url, with the following four parameters, if the return HTTP status code 204, on behalf of the authentication is successful.  
+Then when the user is connected, the proxy request this url by get way, with the following three parameters, if the return HTTP status code 204, on behalf of the authentication is successful.  
 In other cases, the authentication fails.  
 for example:  
 `./proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`  
@ -564,26 +760,257 @@ ip: user's IP, for example: 192.168.1.200
 If there is no -a or -F or --auth-url parameters, it means to turn off the authentication.    

 #### **5.8.KCP protocol transmission**  
-The KCP protocol requires a -B parameter to set a password to encrypt and decrypt data.  
+The KCP protocol requires a --kcp-key parameter which can set a password to encrypt and decrypt data.  

 HTTP first level proxy(VPS,IP:22.22.22.22)  
-`./proxy socks -t kcp -p ":38080" -B mypassword`  
+`./proxy socks -t kcp -p ":38080" --kcp-key mypassword`  
  
 HTTP two level proxy(local os is Linux)  
-`./proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" -B mypassword`  
-Then access to the local 8080 port is access to the proxy port 38080 on the VPS, and the data is transmitted through the KCP protocol.  
+`./proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`  
+Then access to the local 8080 port is access to the proxy port 38080 on the VPS, and the data is transmitted through the KCP protocol.

-#### **5.9.view help**  
+#### **5.9.Custom DNS** 
+--dns-address and --dns-ttl parameters can be used to specify DNS（--dns-address） when you use proxy to access to a domain.  
+they also can specify dns result cache time (--dns-ttl) which unit is second. they can avoid the interference of system DNS to proxy. cache can reduce DNS resolution time and increase access speed.  
+for example:  
+`./proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  
+
+#### **5.10.Custom encryption**  
+HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.
+Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+Local second level execution:  
+`proxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+Second level VPS (ip:2.2.2.2) execution:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+Local third level execution:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+#### **5.11.Compressed transmission**  
+HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.
+That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.
+The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -m -p :7777`  
+Local second level execution:  
+`proxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -m -p :7777`  
+Second level VPS (ip:3.3.3.3) execution:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+Local third level execution:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+#### **5.12.view help**  
 `./proxy help socks`  

-### TODO  
- Welcome adding group feedback...
+### **6.Proxy protocol conversion** 

-### How to use the source code?   
-use command cd to enter your go SRC directory and then git clone https://github.com/snail007/goproxy.git and execute ./proxy.   
-Direct compilation: go build     
-execution: go run *.go    
-Utils is a toolkit, and service is a specific service class.  
+#### **6.1.Functional introduction** 
+The proxy protocol conversion use the SPS subcommand (abbreviation of socks+https), SPS itself does not provide the proxy function, just accept the proxy request and then converse protocol and forwarded to the existing HTTP (s) or Socks5 proxy. SPS can use existing HTTP (s) or Socks5 proxy converse to support HTTP (s) and Socks5 HTTP (s) proxy at the same time by one port, and proxy supports forward and reverse proxy (SNI), SOCKS5 proxy which is conversed does not support UDP. in addition to the existing HTTP or Socks5 proxy, which supports TLS, TCP, KCP three modes and chain-style connection. That is more than one SPS node connection can build encryption channel.
+
+#### **6.2.HTTP(S) to HTTP(S) + SOCKS5** 
+Suppose there is a common HTTP (s) proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP (s) and Socks5 at the same time. The local port after transformation is 18080.  
+command：  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p :18080`
+
+Suppose that there is a TLS HTTP (s) proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP (s) and Socks5 at the same time. The local port after transformation is 18080, TLS needs certificate file.  
+command：  
+`./proxy sps -S http -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key`   
+
+Suppose there is a KCP HTTP (s) proxy (password: demo123): 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP (s) and Socks5 at the same time. The local port after transformation is 18080.  
+command：  
+`./proxy sps -S http -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123`  
+
+#### **6.3.SOCKS5 to HTTP(S) + SOCKS5** 
+Suppose there is a common Socks5 proxy: 127.0.0.1:8080, now we turn it into a common proxy that supports HTTP (s) and Socks5 at the same time, and the local port after transformation is 18080.  
+command：  
+`./proxy sps -S socks -T tcp -P 127.0.0.1:8080 -t tcp -p :18080`
+
+Suppose there is a TLS Socks5 proxy: 127.0.0.1:8080. Now we turn it into a common proxy that support HTTP (s) and Socks5 at the same time. The local port after transformation is 18080, TLS needs certificate file.  
+command：  
+`./proxy sps -S socks -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key`   
+
+Suppose there is a KCP Socks5 proxy (password: demo123): 127.0.0.1:8080, now we turn it into a common proxy that support HTTP (s) and Socks5 at the same time, and the local port after transformation is 18080.  
+command：  
+`./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123`  
+
+#### **6.4.Chain style connection** 
+![6.4](/docs/images/sps-tls.png)  
+It is mentioned above that multiple SPS nodes can be connected to build encrypted channels, assuming you have the following VPS and a PC.  
+vps01：2.2.2.2  
+vps02：3.3.3.3  
+Now we want to use PC and vps01 and vps02 to build an encrypted channel. In this example, TLS is used. KCP also supports encryption in addition to TLS. and accessing to local 18080 port on PC is accessing to the local 8080 ports of vps01.  
+First, on vps01 (2.2.2.2), we run a HTTP (s) proxy that only can be accessed locally,excute：  
+`./proxy -t tcp -p 127.0.0.1:8080`  
+
+Then run a SPS node on vps01 (2.2.2.2)，excute：  
+`./proxy -S http -T tcp -P 127.0.0.1:8080 -t tls -p :8081 -C proxy.crt -K proxy.key`  
+
+Then run a SPS node on vps02 (3.3.3.3)，excute：  
+`./proxy -S http -T tls -P 2.2.2.2:8081 -t tls -p :8082 -C proxy.crt -K proxy.key`  
+
+Then run a SPS node on the PC，excute：  
+`./proxy -S http -T tls -P 3.3.3.3:8082 -t tcp -p :18080 -C proxy.crt -K proxy.key`  
+
+finish。  
+
+#### **6.5.Listening on multiple ports**   
+In general, listening one port is enough, but if you need to monitor 80 and 443 ports at the same time as a reverse proxy, the -p parameter can support it.  
+The format is：`-p 0.0.0.0:80,0.0.0.0:443`, Multiple bindings are separated by a comma.  
+
+#### **6.6.Authentication** 
+SPS supports HTTP(s)\socks5 proxy authentication, which can concatenate authentication, there are four important information:  
+1:Users send authentication information`user-auth`。   
+2:Local authentication information set up`local-auth`。  
+3:Set the authentication information accessing to the father proxy`parent-auth`。  
+4:The final authentication information sent to the father proxy`auth-info-to-parent`。  
+The relationship between them is as follows:   
+
+| user-auth | local-auth | parent-auth | auth-info-to-paren 
+| ------ | ------ | ------ | ------  
+| yes/no  | yes    | yes   |  come from parent-auth  
+| yes/no  | no    |    yes    |   come from parent-auth  
+| yes/no  | yes     |     no  |   no  
+| no   | no    |   no    |   no  
+| yes    | no    |   no    |   come from user-auth  
+
+For SPS proxy we can have username and password to authenticate, and the authentication username and password can be specified on the command line    
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`  
+if there are multiple users, repeat the -a parameters.  
+It can also be placed in a file, which is a line to a username: password, and then specified in -F parameter.  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -F auth-file.txt`  
+
+If the father proxy is authenticated, the lower level can set the authentication information through the -A parameters, such as:  
+father proxy:`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`  
+local proxy:`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -A "user1:pass1" -t tcp -p ":33080" `  
+
+In addition, SPS proxy, local authentication is integrated with external HTTP API authentication, and we can specify a HTTP URL interface address through the --auth-url parameter,    
+Then, when there is a user connection, proxy will request this URL by GET way, with the following four parameters, and if the HTTP state code 204 is returned, the authentication is successful.  
+Other cases consider authentication failure.  
+for example:  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`  
+When the user is connected, proxy will request this URL by GET way("http://test.com/auth.php"),  
+Four parameters with user, pass, IP, and target:  
+http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}&target={TARGET}  
+user:username   
+pass:password   
+ip:user's ip,for example:192.168.1.200   
+target: if the client is the HTTP (s) proxy request, this represents the complete URL of the request, and the other cases are empty.  
+
+If there is no -a or -F or --auth-url parameters, local authentication is closed.  
+If there is no -A parameter, the connection to the father proxy does not use authentication.  
+
+#### **6.7 Custom encryption**  
+HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.
+Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:  
+Suppose there is already a HTTP (s) proxy:`6.6.6.6:6666`  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+Local second level execution:  
+`proxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+Second level VPS (ip:2.2.2.2) execution:  
+`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+Local third level execution:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+#### **6.8 Compressed transmission**  
+HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.
+That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.
+The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -t tcp -m -p :7777`  
+Local second level execution:  
+`proxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -t tcp -m -p :7777`  
+Second level VPS (ip:3.3.3.3) execution::  
+`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+Local third level execution:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.
+
+#### **6.9.view help** 
+`./proxy help sps` 
+
+### **7.KCP Configuration**   
+
+#### **7.1.Configuration introduction**   
+Many functions of the proxy support the KCP protocol, and all the functions that can use the KCP protocol support the configuration parameters introduced here.  
+So here is a unified introduction to the KCP configuration parameters.  
+
+#### **7.2.Configuration details**   
+The number of KCP configuration parameters is 17, you don't have to set up them. they all have the default value, if for the best effect,  
+You need to configure the parameters according to your own network conditions. Due to the complexity of KCP configuration, a certain network basic knowledge is required,  
+If you want to get a more detailed configuration and explanation of the KCP parameters, search for yourself. The command line name for each parameter, as well as the default and simple functions, are described as follows：  
+```
+--kcp-key="secrect"        pre-shared secret between client and server
+--kcp-method="aes"         encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish, 
+                           twofish, cast5, 3des, tea, xtea, xor, sm4, none
+--kcp-mode="secrect"       profiles: fast3, fast2, fast, normal, manual
+--kcp-mtu=1350             set maximum transmission unit for UDP packets
+--kcp-sndwnd=1024          set send window size(num of packets)
+--kcp-rcvwnd=1024          set receive window size(num of packets)
+--kcp-ds=10                set reed-solomon erasure coding - datashard
+--kcp-ps=3                 set reed-solomon erasure coding - parityshard
+--kcp-dscp=0               set DSCP(6bit)
+--kcp-nocomp               disable compression
+--kcp-acknodelay           be carefull! flush ack immediately when a packet is received
+--kcp-nodelay=0            be carefull!
+--kcp-interval=50          be carefull!
+--kcp-resend=0             be carefull!
+--kcp-nc=0                 be carefull! no congestion
+--kcp-sockbuf=4194304      be carefull!
+--kcp-keepalive=10         be carefull!
+```
+
+### TODO  
+- HTTP, socks proxy which has multi parents proxy load balancing?
+- HTTP (s) proxy support PAC?
+- Welcome joining group feedback...   
+
+### How to contribute to the code (Pull Request)?  
+First, you need to clone the project to your account, and then modify the code on the dev branch.   
+Finally, Pull Request to dev branch of goproxy project, and contribute code for efficiency.   
+PR needs to explain what changes have been made and why you change them.  
+
+### How to use the source code?    
+Recommend go1.8.5, which does not guarantee that version >=1.9 can be used.   
+`go get github.com/snail007/goproxy`   
+use command cd to enter your go SRC directory   
+then cd to enter `github.com/snail007/goproxy`.    
+Direct compilation:`go build -o proxy`        
+execution: `go run *.go`       
+`utils` is a toolkit, and `service` is a specific service class.  

 ### License  
 Proxy is licensed under GPLv3 license.  
--- a/README_ZH.md
+++ b/README_ZH.md
@ -1,11 +1,13 @@
 <img src="https://github.com/snail007/goproxy/blob/master/docs/images/logo.jpg?raw=true" width="200"/>  
-Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务器,支持正向代理、反向代理、透明代理、内网穿透、TCP/UDP端口映射、SSH中转，TLS加密传输。下载地址:https://github.com/snail007/goproxy/releases 官方QQ交流群:189618940  
-  
+Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务器,支持正向代理、反向代理、透明代理、内网穿透、TCP/UDP端口映射、SSH中转，TLS加密传输，协议转换。
+
+[点击下载](https://github.com/snail007/goproxy/releases) 官方QQ交流群:189618940  
+
 ---  
  
 [![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy/) [![license](https://img.shields.io/github/license/snail007/goproxy.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy/total.svg?style=plastic)](https://github.com/snail007/goproxy/releases) [![download](https://img.shields.io/github/release/snail007/goproxy.svg?style=plastic)](https://github.com/snail007/goproxy/releases)  
  
-[English Manual](/README.md) 
+**[English Manual](/README.md)** **[全平台GUI版本](/gui/README.md)**  **[全平台SDK](/sdk/README.md)**

 ### Features  
 - 链式代理,程序本身可以作为一级代理,如果设置了上级代理那么可以作为二级代理,乃至N级代理.  
@ -21,6 +23,9 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
 - 集成外部API，HTTP(S),SOCKS5代理认证功能可以与外部HTTP API集成，可以方便的通过外部系统控制代理用户．  
 - 反向代理,支持直接把域名解析到proxy监听的ip,然后proxy就会帮你代理访问需要访问的HTTP(S)网站.
 - 透明HTTP(S)代理,配合iptables,在网关直接把出去的80,443方向的流量转发到proxy,就能实现无感知的智能路由器代理.  
+- 协议转换，可以把已经存在的HTTP(S)或SOCKS5代理转换为一个端口同时支持HTTP(S)和SOCKS5代理，转换后的SOCKS5代理不支持UDP功能,同时支持强大的级联认证功能。
+- 自定义底层加密传输，http(s)\sps\socks代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可。
+- 底层压缩高效传输，http(s)\sps\socks代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在加密之后还可以对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的。

 ### Why need these?  
 - 当由于某某原因,我们不能访问我们在其它地方的服务,我们可以通过多个相连的proxy节点建立起一个安全的隧道访问我们的服务.  
@ -32,7 +37,12 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
 - ...  

 
-本页是v4.2手册,其他版本手册请点击下面链接查看.  
+本页是v4.7手册,其他版本手册请点击下面链接查看. 
+- [v4.6手册](https://github.com/snail007/goproxy/tree/v4.6) 
+- [v4.5手册](https://github.com/snail007/goproxy/tree/v4.5) 
+- [v4.4手册](https://github.com/snail007/goproxy/tree/v4.4) 
+- [v4.3手册](https://github.com/snail007/goproxy/tree/v4.3) 
+- [v4.2手册](https://github.com/snail007/goproxy/tree/v4.2) 
 - [v4.0-v4.1手册](https://github.com/snail007/goproxy/tree/v4.1)
 - [v3.9手册](https://github.com/snail007/goproxy/tree/v3.9)
 - [v3.8手册](https://github.com/snail007/goproxy/tree/v3.8)
@ -46,11 +56,12 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
 - [v2.x手册](https://github.com/snail007/goproxy/tree/v2.2)  

 ### 怎么找到组织?  
-[点击加入交流组织](https://gitter.im/go-proxy/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link)  
-
+[点击加入交流组织gitter](https://gitter.im/go-proxy/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link)  
+[点击加入交流组织TG](https://t.me/joinchat/GYHXghCDSBmkKZrvu4wIdQ)  
 ### 安装 
 1. [快速安装](#自动安装)
 1. [手动安装](#手动安装)
+1. [Docker安装](#docker安装)

 ### 首次使用必看
 - [环境](#首次使用必看-1)
@ -76,7 +87,10 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
    - [1.8 KCP协议传输](#18kcp协议传输)
    - [1.9 HTTP(S)反向代理](#19-https反向代理)
    - [1.10 HTTP(S)透明代理](#110-https透明代理)
-    - [1.11 查看帮助](#111查看帮助)
+    - [1.11 自定义DNS](#111-自定义dns)
+    - [1.12 自定义加密](#112-自定义加密)
+    - [1.13 压缩传输](#113-压缩传输)
+    - [1.14 查看帮助](#114-查看帮助)
 - [2. TCP代理](#2tcp代理)
    - [2.1 普通一级TCP代理](#21普通一级tcp代理)
    - [2.2 普通二级TCP代理](#22普通二级tcp代理)
@ -111,7 +125,24 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
        - [5.6.2 用户名和密钥的方式](#562-ssh用户名和密钥的方式)
    - [5.7 认证](#57认证)
    - [5.8 KCP协议传输](#58kcp协议传输)
-    - [5.9 查看帮助](#59查看帮助)
+    - [5.9 自定义DNS](#59自定义dns)
+    - [5.10 自定义加密](#510-自定义加密)
+    - [5.11 压缩传输](#511-压缩传输)
+    - [5.12 查看帮助](#512查看帮助)
+- [6. 代理协议转换](#6代理协议转换)
+    - [6.1 功能介绍](#61-功能介绍)
+    - [6.2 HTTP(S)转HTTP(S)+SOCKS5](#62-https转httpssocks5)
+    - [6.3 SOCKS5转HTTP(S)+SOCKS5](#63-socks5转httpssocks5)
+    - [6.4 链式连接](#64-链式连接)
+    - [6.5 监听多个端口](#65-监听多个端口)
+    - [6.6 认证功能](#66-认证功能)
+    - [6.7 自定义加密](#67-自定义加密)
+    - [6.8 压缩传输](#68-压缩传输)
+    - [6.9 禁用协议](#69-禁用协议)
+    - [6.10 查看帮助](#610-查看帮助)
+- [7. KCP配置](#7kcp配置)
+    - [7.1 配置介绍](#71-配置介绍)
+    - [7.2 详细配置](#72-详细配置)

 ### Fast Start  
 提示:所有操作需要root权限.  
@ -129,7 +160,7 @@ curl -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto.s
 下载地址:https://github.com/snail007/goproxy/releases  
 ```shell  
 cd /root/proxy/  
-wget https://github.com/snail007/goproxy/releases/download/v4.2/proxy-linux-amd64.tar.gz  
+wget https://github.com/snail007/goproxy/releases/download/v4.8/proxy-linux-amd64.tar.gz  
 ```  
 #### **2.下载自动安装脚本**  
 ```shell  
@ -138,7 +169,36 @@ wget https://raw.githubusercontent.com/snail007/goproxy/master/install.sh
 chmod +x install.sh  
 ./install.sh  
 ```  
-  
+
+#### Docker安装 
+项目根目录的Dockerfile文件用来构建,使用golang 1.8.5,构建基于goproxy v4.7,
+全部大小17.3MB,默认情况下使用master分支,不过可以通过修改配置文件Dockerfile,指定构建的goproxy版本.
+
+```
+ARG GOPROXY_VERSION=v4.7
+```
+
+步骤:  
+1. 克隆仓库,然后cd进入仓库文件夹,执行:
+```
+sudo docker build .
+```
+2. 镜像打标签:
+```
+sudo docker tag <上一步的结果ID> goproxy/goproxy:latest
+```
+3. 运行 
+参数OPTS的值就是传递给proxy的所有参数
+比如下面的例子启动了一个http服务: 
+
+```
+sudo docker run -d --restart=always --name goproxy -e OPTS="http -p :33080" -p 33080:33080 goproxy/goproxy:latest
+```
+4. 查看日志:
+```
+sudo docker logs -f goproxy
+```
+
 ## **首次使用必看**  
  
 ### **环境**  
@ -170,7 +230,8 @@ http,tcp,udp代理过程会和上级通讯,为了安全我们采用加密通讯,
 在linux上并安装了openssl命令，可以直接通过下面的命令生成证书和key文件.  
 `./proxy keygen`  
 默认会在当前程序目录下面生成证书文件proxy.crt和key文件proxy.key。  
-  
+更多用法:`proxy keygen usage`。    
+
 ### **后台运行**
 默认执行proxy之后,如果要保持proxy运行,不能关闭命令行.  
 如果想在后台运行proxy,命令行可以关闭,只需要在命令最后加上--daemon参数即可.  
@ -190,20 +251,21 @@ proxy会fork子进程,然后监控子进程,如果子进程异常退出,5秒后
 `./proxy http -g "23.23.23.23"`  

 ### **1.HTTP代理**  
-#### **1.1.普通HTTP代理**  
-![1.1](/docs/images/1.1.jpg)  
+#### **1.1.普通一级HTTP代理**  
+![1.1](/docs/images/http-1.png)  
 `./proxy http -t tcp -p "0.0.0.0:38080"`  
  
 #### **1.2.普通二级HTTP代理**  
+![1.2](/docs/images/http-2.png)  
 使用本地端口8090,假设上级HTTP代理是`22.22.22.22:8080`  
 `./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
-默认关闭了连接池,如果要加快访问速度,-L可以开启连接池,10就是连接池大小,0为关闭,  
-开启连接池在网络不好的情况下,稳定不是很好.   
-`./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -L 10`  
-我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名域名直接走上级代理,白名单的域名不走上级代理.  
+我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名直接走上级代理,白名单的域名不走上级代理.  
 `./proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **1.3.HTTP二级代理(加密)**  
+> 注意: 后面二级代理使用的`proxy.crt`和`proxy.key`应与一级代理一致  
+
+![1.3](/docs/images/http-tls-2.png)  
 一级HTTP代理(VPS,IP:22.22.22.22)  
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -216,6 +278,7 @@ proxy会fork子进程,然后监控子进程,如果子进程异常退出,5秒后
 然后设置你的windos系统中，需要通过代理上网的程序的代理为http模式，地址为：127.0.0.1，端口为：8080,程序即可通过加密通道通过vps上网。  
  
 #### **1.4.HTTP三级代理(加密)**  
+![1.3](/docs/images/http-tls-3.png)  
 一级HTTP代理VPS_01,IP:22.22.22.22  
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 二级HTTP代理VPS_02,IP:33.33.33.33  
@ -251,6 +314,7 @@ target:用户访问的URL,比如:http://demo.com:80/1.html或https://www.baidu.c
 `./proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **1.7.HTTP(S)通过SSH中转**  
+![1.7](/docs/images/http-ssh-1.png)  
 说明:ssh中转的原理是利用了ssh的转发功能,就是你连接上ssh之后,可以通过ssh代理访问目标地址.  
 假设有:vps  
 - IP是2.2.2.2, ssh端口是22, ssh用户名是:user, ssh用户密码是:demo  
@ -264,16 +328,18 @@ target:用户访问的URL,比如:http://demo.com:80/1.html或https://www.baidu.c
 `./proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`  

 #### **1.8.KCP协议传输**  
-KCP协议需要-B参数设置一个密码用于加密解密数据  
+![1.8](/docs/images/http-kcp.png)  
+KCP协议需要--kcp-key参数设置一个密码用于加密解密数据  

 一级HTTP代理(VPS,IP:22.22.22.22)  
-`./proxy http -t kcp -p ":38080" -B mypassword`  
+`./proxy http -t kcp -p ":38080" --kcp-key mypassword`  
  
 二级HTTP代理(本地Linux)  
-`./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" -B mypassword`  
-那么访问本地的8080端口就是访问VPS上面的代理端口38080,数据通过kcp协议传输.  
+`./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`  
+那么访问本地的8080端口就是访问VPS上面的代理端口38080,数据通过kcp协议传输,注意kcp走的是udp协议协议,所以防火墙需放开38080的udp协议.   

-#### **1.9 HTTP(S)反向代理** 
+#### **1.9 HTTP(S)反向代理**   
+![1.9](/docs/images/fxdl.png)  
 proxy不仅支持在其他软件里面通过设置代理的方式,为其他软件提供代理服务,而且支持直接把请求的网站域名解析到proxy监听的ip上,然后proxy监听80和443端口,那么proxy就会自动为你代理访问需要访问的HTTP(S)网站.  

 使用方式:  
@ -286,7 +352,7 @@ proxy不仅支持在其他软件里面通过设置代理的方式,为其他软
 `./proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key`   

 注意:  
-proxy所在的服务器的DNS解析结果不能受到自定义的解析影响,不然就死循环了.  
+proxy所在的服务器的DNS解析结果不能受到自定义的解析影响,不然就死循环了,proxy代理最好指定`--dns 8.8.8.8`参数.  
  
 #### **1.10 HTTP(S)透明代理** 
 该模式需要具有一定的网络基础,相关概念不懂的请自行搜索解决.  
@ -333,19 +399,71 @@ iptables -t nat -A OUTPUT -p tcp -j PROXY
 - 删除指定的用户自定义链 iptables -X 链名 比如 iptables -t nat -X PROXY
 - 从所选链中删除规则 iptables -D 链名 规则详情 比如 iptables -t nat -D PROXY -d 223.223.192.0/255.255.240.0 -j RETURN

-#### **1.9.查看帮助**  
+#### **1.11 自定义DNS** 
+--dns-address和--dns-ttl参数,用于自己指定proxy访问域名的时候使用的dns（--dns-address）  
+以及解析结果缓存时间（--dns-ttl）秒数，避免系统dns对proxy的干扰，另外缓存功能还能减少dns解析时间提高访问速度.    
+比如：  
+`./proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  
+
+#### **1.12 自定义加密**  
+proxy的http(s)代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义  
+加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可,  
+加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密.    
+自定义加密要求两端都是proxy才可以,下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -z demo_password -p :7777`  
+本地二级执行:  
+`proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -z demo_password -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+本地三级执行:  
+`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+#### **1.13 压缩传输**  
+proxy的http(s)代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以对数据进行压缩,  
+也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,一部分是本地(-m)是否压缩传输,  
+一部分是与上级(-M)传输是否压缩.    
+压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据,下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -m -p :7777`  
+本地二级执行:  
+`proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -m -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+本地三级执行:  
+`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+#### **1.14 查看帮助**  
 `./proxy help http`  
  
 ### **2.TCP代理**  
  
 #### **2.1.普通一级TCP代理**  
-![2.1](/docs/images/2.1.png)  
+![2.1](/docs/images/tcp-1.png)  
 本地执行:  
 `./proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22"`  
 那么访问本地33080端口就是访问192.168.22.33的22端口.  
  
 #### **2.2.普通二级TCP代理**  
-![2.2](/docs/images/2.2.png)  
+![2.2](/docs/images/tcp-2.png)  
 VPS(IP:22.22.22.33)执行:  
 `./proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080"`  
 本地执行:  
@ -353,6 +471,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地23080端口就是访问22.22.22.33的8080端口.  
  
 #### **2.3.普通三级TCP代理**  
+![2.3](/docs/images/tcp-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080"`  
 二级TCP代理VPS_02,IP:33.33.33.33  
@ -362,17 +481,19 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地8080端口就是通过加密TCP隧道访问66.66.66.66的8080端口.  
  
 #### **2.4.加密二级TCP代理**  
+![2.4](/docs/images/tcp-tls-2.png)  
 VPS(IP:22.22.22.33)执行:  
-`./proxy tcp -t tcp -p ":33080" -T tcp -P "127.0.0.1:8080" -C proxy.crt -K proxy.key`  
+`./proxy tcp -t tls -p ":33080" -T tcp -P "127.0.0.1:8080" -C proxy.crt -K proxy.key`  
 本地执行:  
 `./proxy tcp -p ":23080" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key`  
 那么访问本地23080端口就是通过加密TCP隧道访问22.22.22.33的8080端口.  
  
 #### **2.5.加密三级TCP代理**  
+![2.5](/docs/images/tcp-tls-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
-`./proxy tcp -t tcp -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`  
+`./proxy tcp -t tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`  
 二级TCP代理VPS_02,IP:33.33.33.33  
-`./proxy tcp -t tcp -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
+`./proxy tcp -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
 三级TCP代理(本地)  
 `./proxy tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`  
 那么访问本地8080端口就是通过加密TCP隧道访问66.66.66.66的8080端口.  
@ -383,11 +504,13 @@ VPS(IP:22.22.22.33)执行:
 ### **3.UDP代理**  
  
 #### **3.1.普通一级UDP代理**  
+![3.1](/docs/images/udp-1.png)  
 本地执行:  
 `./proxy udp -p ":5353" -T udp -P "8.8.8.8:53"`  
 那么访问本地UDP:5353端口就是访问8.8.8.8的UDP:53端口.  
  
 #### **3.2.普通二级UDP代理**  
+![3.2](/docs/images/udp-2.png)  
 VPS(IP:22.22.22.33)执行:  
 `./proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"`  
 本地执行:  
@ -395,6 +518,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地UDP:5353端口就是通过TCP隧道,通过VPS访问8.8.8.8的UDP:53端口.  
  
 #### **3.3.普通三级UDP代理**  
+![3.3](/docs/images/udp-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"`  
 二级TCP代理VPS_02,IP:33.33.33.33  
@ -404,17 +528,19 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地5353端口就是通过TCP隧道,通过VPS访问8.8.8.8的53端口.  
  
 #### **3.4.加密二级UDP代理**  
+![3.4](/docs/images/udp-tls-2.png)  
 VPS(IP:22.22.22.33)执行:  
-`./proxy tcp -t tcp -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
+`./proxy tcp -t tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 本地执行:  
 `./proxy udp -p ":5353" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key`  
 那么访问本地UDP:5353端口就是通过加密TCP隧道,通过VPS访问8.8.8.8的UDP:53端口.  
  
 #### **3.5.加密三级UDP代理**  
+![3.5](/docs/images/udp-tls-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
-`./proxy tcp -t tcp -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
+`./proxy tcp -t tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 二级TCP代理VPS_02,IP:33.33.33.33  
-`./proxy tcp -t tcp -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
+`./proxy tcp -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
 三级TCP代理(本地)  
 `./proxy udp -p ":5353" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`  
 那么访问本地5353端口就是通过加密TCP隧道,通过VPS_01访问8.8.8.8的53端口.  
@ -562,7 +688,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 #### **4.8.查看帮助**  
 `./proxy help bridge`  
 `./proxy help server`  
-`./proxy help server`  
+`./proxy help client`  
  
 ### **5.SOCKS5代理**  
 提示:SOCKS5代理,支持CONNECT,UDP协议,不支持BIND,支持用户名密码认证.  
@ -570,13 +696,14 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 `./proxy socks -t tcp -p "0.0.0.0:38080"`  
  
 #### **5.2.普通二级SOCKS5代理**  
-![5.2](/docs/images/5.2.png)  
+![5.2](/docs/images/socks-2.png)  
 使用本地端口8090,假设上级SOCKS5代理是`22.22.22.22:8080`  
 `./proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
-我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名域名直接走上级代理,白名单的域名不走上级代理.  
+我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名域名直接走上级代理,白名单的域名不走上级代理;如果域名即在黑名单又在白名单中,那么黑名单起作用.  
 `./proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **5.3.SOCKS二级代理(加密)**  
+![5.3](/docs/images/socks-tls-2.png)  
 一级SOCKS代理(VPS,IP:22.22.22.22)  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -589,6 +716,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 然后设置你的windos系统中，需要通过代理上网的程序的代理为socks5模式，地址为：127.0.0.1，端口为：8080,程序即可通过加密通道通过vps上网。  
  
 #### **5.4.SOCKS三级代理(加密)**  
+![5.4](/docs/images/socks-tls-3.png)  
 一级SOCKS代理VPS_01,IP:22.22.22.22  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 二级SOCKS代理VPS_02,IP:33.33.33.33  
@ -602,6 +730,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 `./proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **5.6.SOCKS通过SSH中转**  
+![5.6](/docs/images/socks-ssh.png)  
 说明:ssh中转的原理是利用了ssh的转发功能,就是你连接上ssh之后,可以通过ssh代理访问目标地址.  
 假设有:vps  
 - IP是2.2.2.2, ssh端口是22, ssh用户名是:user, ssh用户密码是:demo
@ -624,7 +753,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 `./proxy socks -t tcp -p ":33080" -F auth-file.txt`  

 另外,socks5代理还集成了外部HTTP API认证,我们可以通过--auth-url参数指定一个http url接口地址,  
-然后有用户连接的时候,proxy会GET方式请求这url,带上下面四个参数,如果返回HTTP状态码204,代表认证成功  
+然后有用户连接的时候,proxy会GET方式请求这url,带上下面三个参数,如果返回HTTP状态码204,代表认证成功  
 其它情况认为认证失败.  
 比如:  
 `./proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`  
@ -638,29 +767,296 @@ ip:用户的IP,比如:192.168.1.200
 如果没有-a或-F或--auth-url参数,就是关闭认证.    

 #### **5.8.KCP协议传输**  
-KCP协议需要-B参数设置一个密码用于加密解密数据  
+KCP协议需要--kcp-key参数设置一个密码用于加密解密数据  

 一级HTTP代理(VPS,IP:22.22.22.22)  
-`./proxy socks -t kcp -p ":38080" -B mypassword`  
+`./proxy socks -t kcp -p ":38080" --kcp-key mypassword`  
  
 二级HTTP代理(本地Linux)  
-`./proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" -B mypassword`  
+`./proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`  
 那么访问本地的8080端口就是访问VPS上面的代理端口38080,数据通过kcp协议传输.  

-#### **5.9.查看帮助**  
+#### **5.9.自定义DNS** 
+--dns-address和--dns-ttl参数,用于自己指定proxy访问域名的时候使用的dns（--dns-address）  
+以及解析结果缓存时间（--dns-ttl）秒数，避免系统dns对proxy的干扰，另外缓存功能还能减少dns解析时间提高访问速度.    
+比如：  
+`./proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  
+
+#### **5.10 自定义加密**  
+proxy的socks代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可,  
+加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密.    
+
+自定义加密要求两端都是proxy才可以.  
+
+下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+本地二级执行:  
+`proxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+本地三级执行:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+#### **5.11 压缩传输**  
+proxy的socks代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以  
+对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,   
+一部分是本地(-m)是否压缩传输,一部分是与上级(-M)传输是否压缩.    
+
+压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据.  
+
+下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -m -p :7777`  
+本地二级执行:  
+`proxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -m -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+本地三级执行:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+#### **5.12.查看帮助**  
 `./proxy help socks`  

+### **6.代理协议转换** 
+
+#### **6.1 功能介绍** 
+代理协议转换使用的是sps子命令(socks+https的缩写)，sps本身不提供代理功能，只是接受代理请求"转换并转发"给已经存在的http(s)代理或者socks5代理；sps可以把已经存在的http(s)代理或者socks5代理转换为一个端口同时支持http(s)和socks5代理，而且http(s)代理支持正向代理和反向代理(SNI)，转换后的SOCKS5代理不支持UDP功能；另外对于已经存在的http(s)代理或者socks5代理，支持tls、tcp、kcp三种模式，支持链式连接，也就是可以多个sps结点层级连接构建加密通道。
+
+#### **6.2 HTTP(S)转HTTP(S)+SOCKS5** 
+假设已经存在一个普通的http(s)代理：127.0.0.1:8080,现在我们把它转为同时支持http(s)和socks5的普通代理,转换后的本地端口为18080。  
+命令如下：  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p :18080`
+
+假设已经存在一个tls的http(s)代理：127.0.0.1:8080,现在我们把它转为同时支持http(s)和socks5的普通代理,转换后的本地端口为18080，tls需要证书文件。  
+命令如下：  
+`./proxy sps -S http -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key`   
+
+假设已经存在一个kcp的http(s)代理（密码是：demo123）：127.0.0.1:8080,现在我们把它转为同时支持http(s)和socks5的普通代理,转换后的本地端口为18080。  
+命令如下：  
+`./proxy sps -S http -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123`  
+
+#### **6.3 SOCKS5转HTTP(S)+SOCKS5** 
+假设已经存在一个普通的socks5代理：127.0.0.1:8080,现在我们把它转为同时支持http(s)和socks5的普通代理,转换后的本地端口为18080。  
+命令如下：  
+`./proxy sps -S socks -T tcp -P 127.0.0.1:8080 -t tcp -p :18080`
+
+假设已经存在一个tls的socks5代理：127.0.0.1:8080,现在我们把它转为同时支持http(s)和socks5的普通代理,转换后的本地端口为18080，tls需要证书文件。  
+命令如下：  
+`./proxy sps -S socks -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key`   
+
+假设已经存在一个kcp的socks5代理（密码是：demo123）：127.0.0.1:8080,现在我们把它转为同时支持http(s)和socks5的普通代理,转换后的本地端口为18080。  
+命令如下：  
+`./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123`  
+
+#### **6.4 链式连接**   
+![6.4](/docs/images/sps-tls.png)  
+上面提过多个sps结点可以层级连接构建加密通道，假设有如下vps和家里的pc电脑。  
+vps01：2.2.2.2  
+vps02：3.3.3.3  
+现在我们想利用pc和vps01和vps02构建一个加密通道，本例子用tls加密也可以用kcp，在pc上访问本地18080端口就是访问vps01的本地8080端口。  
+首先在vps01(2.2.2.2)上我们运行一个只有本地可以访问的http(s)代理,执行：  
+`./proxy http -t tcp -p 127.0.0.1:8080`  
+
+然后在vps01(2.2.2.2)上运行一个sps结点，执行：  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tls -p :8081 -C proxy.crt -K proxy.key`  
+
+然后在vps02(3.3.3.3)上运行一个sps结点，执行：  
+`./proxy sps -S http -T tls -P 2.2.2.2:8081 -t tls -p :8082 -C proxy.crt -K proxy.key`  
+
+然后在pc上运行一个sps结点，执行：  
+`./proxy sps -S http -T tls -P 3.3.3.3:8082 -t tcp -p :18080 -C proxy.crt -K proxy.key`  
+
+完成。  
+
+#### **6.5 监听多个端口**   
+一般情况下监听一个端口就可以，不过如果作为反向代理需要同时监听80和443两个端口，那么-p参数是支持的，  
+格式是：`-p 0.0.0.0:80,0.0.0.0:443`，多个绑定用逗号分隔即可。  
+
+#### **6.6 认证功能**   
+sps支持http(s)\socks5代理认证,可以级联认证,有四个重要的信息:  
+1:用户发送认证信息`user-auth`。   
+2:设置的本地认证信息`local-auth`。  
+3:设置的连接上级使用的认证信息`parent-auth`。  
+4:最终发送给上级的认证信息`auth-info-to-parent`。  
+他们的情况关系如下:  
+
+| user-auth | local-auth | parent-auth | auth-info-to-paren 
+| ------ | ------ | ------ | ------  
+| 有/没有  | 有     |     有   |   来自parent-auth  
+| 有/没有  | 没有    |    有    |   来自parent-auth  
+| 有/没有  | 有     |     没有  |   无  
+| 没有   | 没有    |   没有    |   无  
+| 有    | 没有    |   没有    |   来自user-auth  
+
+对于sps代理我们可以进行用户名密码认证,认证的用户名和密码可以在命令行指定    
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`  
+多个用户,重复-a参数即可.  
+也可以放在文件中,格式是一行一个"用户名:密码",然后用-F指定.  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -F auth-file.txt`  
+
+如果上级有认证,下级可以通过-A参数设置认证信息,比如:  
+上级:`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`  
+下级:`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -A "user1:pass1" -t tcp -p ":33080" `  
+
+另外,sps代理,本地认证集成了外部HTTP API认证,我们可以通过--auth-url参数指定一个http url接口地址,    
+然后有用户连接的时候,proxy会GET方式请求这url,带上下面四个参数,如果返回HTTP状态码204,代表认证成功  
+其它情况认为认证失败.  
+比如:  
+`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`  
+用户连接的时候,proxy会GET方式请求这url("http://test.com/auth.php"),  
+带上user,pass,ip,target四个参数:  
+http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}&target={TARGET}  
+user:用户名   
+pass:密码   
+ip:用户的IP,比如:192.168.1.200   
+target:如果客户端是http(s)代理请求,这里代表的是请求的完整url,其它情况为空.  
+
+如果没有-a或-F或--auth-url参数,就是关闭本地认证.  
+如果没有-A参数,连接上级不使用认证.  
+
+
+#### **6.7 自定义加密**  
+proxy的sps代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行  
+自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义  
+一个密码即可,加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密.      
+
+自定义加密要求两端都是proxy才可以.  
+
+下面分别用二级,三级为例:  
+
+假设已经存在一个http(s)代理:`6.6.6.6:6666`  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+本地二级执行:  
+`proxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+本地三级执行:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+#### **6.8 压缩传输**  
+proxy的sps代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以  
+对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,   
+一部分是本地(-m)是否压缩传输,一部分是与上级(-M)传输是否压缩.    
+
+压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据.  
+
+下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -t tcp -m -p :7777`  
+本地二级执行:  
+`proxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -t tcp -m -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+本地三级执行:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+#### **6.9 禁用协议** 
+SPS默认情况下一个端口支持http(s)和socks5两种代理协议,我们可以通过参数禁用某个协议  
+比如:  
+1.禁用HTTP(S)代理功能只保留SOCKS5代理功能,参数:`--disable-http`.   
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http`   
+
+1.禁用SOCKS5代理功能只保留HTTP(S)代理功能,参数:`--disable-socks`.   
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http`   
+
+#### **6.10 查看帮助** 
+`./proxy help sps`  
+
+### **7.KCP配置**   
+
+#### **7.1 配置介绍**   
+proxy的很多功能都支持kcp协议，凡是使用了kcp协议的功能都支持这里介绍的配置参数。  
+所以这里统一对KCP配置参数进行介绍。  
+
+#### **7.2 详细配置**   
+所有的KCP配置参数共有17个，你可以都不用设置，他们都有默认值，如果为了或者最好的效果，  
+就需要自己根据自己根据网络情况对参数进行配置。由于kcp配置很复杂需要一定的网络基础知识，  
+如果想获得kcp参数更详细的配置和解说，请自行搜索。每个参数的命令行名称以及默认值和简单的功能说明如下：  
+```
+--kcp-key="secrect"        pre-shared secret between client and server
+--kcp-method="aes"         encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish, 
+                           twofish, cast5, 3des, tea, xtea, xor, sm4, none
+--kcp-mode="fast"       profiles: fast3, fast2, fast, normal, manual
+--kcp-mtu=1350             set maximum transmission unit for UDP packets
+--kcp-sndwnd=1024          set send window size(num of packets)
+--kcp-rcvwnd=1024          set receive window size(num of packets)
+--kcp-ds=10                set reed-solomon erasure coding - datashard
+--kcp-ps=3                 set reed-solomon erasure coding - parityshard
+--kcp-dscp=0               set DSCP(6bit)
+--kcp-nocomp               disable compression
+--kcp-acknodelay           be carefull! flush ack immediately when a packet is received
+--kcp-nodelay=0            be carefull!
+--kcp-interval=50          be carefull!
+--kcp-resend=0             be carefull!
+--kcp-nc=0                 be carefull! no congestion
+--kcp-sockbuf=4194304      be carefull!
+--kcp-keepalive=10         be carefull!
+```
+提示：  
+参数：--kcp-mode中的四种fast3, fast2, fast, normal模式，  
+相当于设置了下面四个参数：  
+normal：`--nodelay=0 --interval=40 --resend=2 --nc=1`  
+fast ：`--nodelay=0 --interval=30 --resend=2 --nc=1`  
+fast2：`--nodelay=1 --interval=20 --resend=2 --nc=1`  
+fast3：`--nodelay=1 --interval=10 --resend=2 --nc=1`  
+
 ### TODO  
 - http,socks代理多个上级负载均衡?
 - http(s)代理增加pac支持?
 - 欢迎加群反馈...

-### 如何使用源码? 
-建议go1.8,不保证>=1.9能用.   
-cd进入你的go src目录,然后git clone https://github.com/snail007/goproxy.git ./proxy 即可.   
-编译直接:go build     
-运行: go run *.go    
-utils是工具包,service是具体的每个服务类.   
+### 如何贡献代码(Pull Request)?  
+首先需要clone本项目到自己的帐号下面,然后在dev分支上面修改代码,  
+最后发Pull Request到goproxy项目的dev分支即可,为了高效贡献代码,  
+pr的时候需要说明做了什么变更,原因是什么.  
+
+### 如何使用源码?   
+建议go1.8.5,不保证>=1.9能用.       
+`go get github.com/snail007/goproxy`   
+cd进入你的go src目录  
+cd进入`github.com/snail007/goproxy`即可.    
+编译直接:`go build -o proxy`        
+运行: `go run *.go`       
+utils是工具包,service是具体的每个服务类. 

 ### License  
 Proxy is licensed under GPLv3 license.  
@ -673,4 +1069,4 @@ QQ交流群:189618940
 <img src="https://github.com/snail007/goproxy/blob/master/docs/images/alipay.jpg?raw=true" width="200"/>  
 <img src="https://github.com/snail007/goproxy/blob/master/docs/images/wxpay.jpg?raw=true" width="200"/>  

-  
+  
--- a/config.go
+++ b/config.go
@ -2,21 +2,29 @@ package main

 import (
 	"bufio"
+	"crypto/sha1"
 	"fmt"
-	"log"
+	logger "log"
 	"os"
 	"os/exec"
-	"proxy/services"
-	"proxy/utils"
+	"runtime/pprof"
 	"time"

+	"github.com/snail007/goproxy/services"
+	"github.com/snail007/goproxy/services/kcpcfg"
+	"github.com/snail007/goproxy/utils"
+
+	kcp "github.com/xtaci/kcp-go"
+	"golang.org/x/crypto/pbkdf2"
 	kingpin "gopkg.in/alecthomas/kingpin.v2"
 )

 var (
-	app     *kingpin.Application
-	service *services.ServiceItem
-	cmd     *exec.Cmd
+	app                                                                                                       *kingpin.Application
+	service                                                                                                   *services.ServiceItem
+	cmd                                                                                                       *exec.Cmd
+	cpuProfilingFile, memProfilingFile, blockProfilingFile, goroutineProfilingFile, threadcreateProfilingFile *os.File
+	isDebug                                                                                                   bool
 )

 func initConfig() (err error) {
@ -39,6 +47,8 @@ func initConfig() (err error) {
 	muxBridgeArgs := services.MuxBridgeArgs{}
 	udpArgs := services.UDPArgs{}
 	socksArgs := services.SocksArgs{}
+	spsArgs := services.SPSArgs{}
+	kcpArgs := kcpcfg.KCPConfigArgs{}
 	//build srvice args
 	app = kingpin.New("proxy", "happy with proxy")
 	app.Author("snail").Version(APP_VERSION)
@ -46,10 +56,28 @@ func initConfig() (err error) {
 	daemon := app.Flag("daemon", "run proxy in background").Default("false").Bool()
 	forever := app.Flag("forever", "run proxy in forever,fail and retry").Default("false").Bool()
 	logfile := app.Flag("log", "log file path").Default("").String()
+	kcpArgs.Key = app.Flag("kcp-key", "pre-shared secret between client and server").Default("secrect").String()
+	kcpArgs.Crypt = app.Flag("kcp-method", "encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none").Default("aes").Enum("aes", "aes-128", "aes-192", "salsa20", "blowfish", "twofish", "cast5", "3des", "tea", "xtea", "xor", "sm4", "none")
+	kcpArgs.Mode = app.Flag("kcp-mode", "profiles: fast3, fast2, fast, normal, manual").Default("fast").Enum("fast3", "fast2", "fast", "normal", "manual")
+	kcpArgs.MTU = app.Flag("kcp-mtu", "set maximum transmission unit for UDP packets").Default("1350").Int()
+	kcpArgs.SndWnd = app.Flag("kcp-sndwnd", "set send window size(num of packets)").Default("1024").Int()
+	kcpArgs.RcvWnd = app.Flag("kcp-rcvwnd", "set receive window size(num of packets)").Default("1024").Int()
+	kcpArgs.DataShard = app.Flag("kcp-ds", "set reed-solomon erasure coding - datashard").Default("10").Int()
+	kcpArgs.ParityShard = app.Flag("kcp-ps", "set reed-solomon erasure coding - parityshard").Default("3").Int()
+	kcpArgs.DSCP = app.Flag("kcp-dscp", "set DSCP(6bit)").Default("0").Int()
+	kcpArgs.NoComp = app.Flag("kcp-nocomp", "disable compression").Default("false").Bool()
+	kcpArgs.AckNodelay = app.Flag("kcp-acknodelay", "be carefull! flush ack immediately when a packet is received").Default("true").Bool()
+	kcpArgs.NoDelay = app.Flag("kcp-nodelay", "be carefull!").Default("0").Int()
+	kcpArgs.Interval = app.Flag("kcp-interval", "be carefull!").Default("50").Int()
+	kcpArgs.Resend = app.Flag("kcp-resend", "be carefull!").Default("0").Int()
+	kcpArgs.NoCongestion = app.Flag("kcp-nc", "be carefull! no congestion").Default("0").Int()
+	kcpArgs.SockBuf = app.Flag("kcp-sockbuf", "be carefull!").Default("4194304").Int()
+	kcpArgs.KeepAlive = app.Flag("kcp-keepalive", "be carefull!").Default("10").Int()

 	//########http#########
 	http := app.Command("http", "proxy on http mode")
 	httpArgs.Parent = http.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	httpArgs.CaCertFile = http.Flag("ca", "ca cert file for tls").Default("").String()
 	httpArgs.CertFile = http.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
 	httpArgs.KeyFile = http.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
 	httpArgs.LocalType = http.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
@ -62,20 +90,23 @@ func initConfig() (err error) {
 	httpArgs.Direct = http.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
 	httpArgs.AuthFile = http.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
 	httpArgs.Auth = http.Flag("auth", "http basic auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
-	httpArgs.PoolSize = http.Flag("pool-size", "conn pool size , which connect to parent proxy, zero: means turn off pool").Short('L').Default("0").Int()
 	httpArgs.CheckParentInterval = http.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
 	httpArgs.Local = http.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
 	httpArgs.SSHUser = http.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
 	httpArgs.SSHKeyFile = http.Flag("ssh-key", "private key file for ssh").Short('S').Default("").String()
 	httpArgs.SSHKeyFileSalt = http.Flag("ssh-keysalt", "salt of ssh private key").Short('s').Default("").String()
 	httpArgs.SSHPassword = http.Flag("ssh-password", "password for ssh").Short('A').Default("").String()
-	httpArgs.KCPKey = http.Flag("kcp-key", "key for kcp encrypt/decrypt data").Short('B').Default("encrypt").String()
-	httpArgs.KCPMethod = http.Flag("kcp-method", "kcp encrypt/decrypt method").Short('M').Default("3des").String()
 	httpArgs.LocalIPS = http.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
 	httpArgs.AuthURL = http.Flag("auth-url", "http basic auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
 	httpArgs.AuthURLTimeout = http.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
 	httpArgs.AuthURLOkCode = http.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
 	httpArgs.AuthURLRetry = http.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("1").Int()
+	httpArgs.DNSAddress = http.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	httpArgs.DNSTTL = http.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	httpArgs.LocalKey = http.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	httpArgs.ParentKey = http.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	httpArgs.LocalCompress = http.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	httpArgs.ParentCompress = http.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()

 	//########tcp#########
 	tcp := app.Command("tcp", "proxy on tcp mode")
@ -85,11 +116,8 @@ func initConfig() (err error) {
 	tcpArgs.Timeout = tcp.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('e').Default("2000").Int()
 	tcpArgs.ParentType = tcp.Flag("parent-type", "parent protocol type <tls|tcp|kcp|udp>").Short('T').Enum("tls", "tcp", "udp", "kcp")
 	tcpArgs.LocalType = tcp.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
-	tcpArgs.PoolSize = tcp.Flag("pool-size", "conn pool size , which connect to parent proxy, zero: means turn off pool").Short('L').Default("0").Int()
 	tcpArgs.CheckParentInterval = tcp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
 	tcpArgs.Local = tcp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
-	tcpArgs.KCPKey = tcp.Flag("kcp-key", "key for kcp encrypt/decrypt data").Short('B').Default("encrypt").String()
-	tcpArgs.KCPMethod = tcp.Flag("kcp-method", "kcp encrypt/decrypt method").Short('M').Default("3des").String()

 	//########udp#########
 	udp := app.Command("udp", "proxy on udp mode")
@ -98,36 +126,40 @@ func initConfig() (err error) {
 	udpArgs.KeyFile = udp.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
 	udpArgs.Timeout = udp.Flag("timeout", "tcp timeout milliseconds when connect to parent proxy").Short('t').Default("2000").Int()
 	udpArgs.ParentType = udp.Flag("parent-type", "parent protocol type <tls|tcp|udp>").Short('T').Enum("tls", "tcp", "udp")
-	udpArgs.PoolSize = udp.Flag("pool-size", "conn pool size , which connect to parent proxy, zero: means turn off pool").Short('L').Default("0").Int()
 	udpArgs.CheckParentInterval = udp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
 	udpArgs.Local = udp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()

 	//########mux-server#########
 	muxServer := app.Command("server", "proxy on mux server mode")
 	muxServerArgs.Parent = muxServer.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	muxServerArgs.ParentType = muxServer.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Default("tls").Short('T').Enum("tls", "tcp", "kcp")
 	muxServerArgs.CertFile = muxServer.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
 	muxServerArgs.KeyFile = muxServer.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
-	muxServerArgs.Timeout = muxServer.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	muxServerArgs.Timeout = muxServer.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
 	muxServerArgs.IsUDP = muxServer.Flag("udp", "proxy on udp mux server mode").Default("false").Bool()
 	muxServerArgs.Key = muxServer.Flag("k", "client key").Default("default").String()
 	muxServerArgs.Route = muxServer.Flag("route", "local route to client's network, such as: PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT").Short('r').Default("").Strings()
-	muxServerArgs.IsCompress = muxServer.Flag("c", "compress data when tcp mode").Default("false").Bool()
+	muxServerArgs.IsCompress = muxServer.Flag("c", "compress data when tcp|tls mode").Default("false").Bool()
+	muxServerArgs.SessionCount = muxServer.Flag("session-count", "session count which connect to bridge").Short('n').Default("10").Int()

 	//########mux-client#########
 	muxClient := app.Command("client", "proxy on mux client mode")
 	muxClientArgs.Parent = muxClient.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	muxClientArgs.ParentType = muxClient.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Default("tls").Short('T').Enum("tls", "tcp", "kcp")
 	muxClientArgs.CertFile = muxClient.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
 	muxClientArgs.KeyFile = muxClient.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
-	muxClientArgs.Timeout = muxClient.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	muxClientArgs.Timeout = muxClient.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
 	muxClientArgs.Key = muxClient.Flag("k", "key same with server").Default("default").String()
-	muxClientArgs.IsCompress = muxClient.Flag("c", "compress data when tcp mode").Default("false").Bool()
+	muxClientArgs.IsCompress = muxClient.Flag("c", "compress data when tcp|tls mode").Default("false").Bool()
+	muxClientArgs.SessionCount = muxClient.Flag("session-count", "session count which connect to bridge").Short('n').Default("10").Int()

 	//########mux-bridge#########
 	muxBridge := app.Command("bridge", "proxy on mux bridge mode")
 	muxBridgeArgs.CertFile = muxBridge.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
 	muxBridgeArgs.KeyFile = muxBridge.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
-	muxBridgeArgs.Timeout = muxBridge.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	muxBridgeArgs.Timeout = muxBridge.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
 	muxBridgeArgs.Local = muxBridge.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+	muxBridgeArgs.LocalType = muxBridge.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tls").Short('t').Enum("tls", "tcp", "kcp")

 	//########tunnel-server#########
 	tunnelServer := app.Command("tserver", "proxy on tunnel server mode")
@ -163,6 +195,7 @@ func initConfig() (err error) {
 	socksArgs.UDPParent = socks.Flag("udp-parent", "udp parent address, such as: \"23.32.32.19:33090\"").Default("").Short('X').String()
 	socksArgs.UDPLocal = socks.Flag("udp-local", "udp local ip:port to listen").Short('x').Default(":33090").String()
 	socksArgs.CertFile = socks.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	socksArgs.CaCertFile = socks.Flag("ca", "ca cert file for tls").Default("").String()
 	socksArgs.KeyFile = socks.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
 	socksArgs.SSHUser = socks.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
 	socksArgs.SSHKeyFile = socks.Flag("ssh-key", "private key file for ssh").Short('S').Default("").String()
@ -175,21 +208,116 @@ func initConfig() (err error) {
 	socksArgs.Direct = socks.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
 	socksArgs.AuthFile = socks.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
 	socksArgs.Auth = socks.Flag("auth", "socks auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
-	socksArgs.KCPKey = socks.Flag("kcp-key", "key for kcp encrypt/decrypt data").Short('B').Default("encrypt").String()
-	socksArgs.KCPMethod = socks.Flag("kcp-method", "kcp encrypt/decrypt method").Short('M').Default("3des").String()
 	socksArgs.LocalIPS = socks.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
 	socksArgs.AuthURL = socks.Flag("auth-url", "auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
 	socksArgs.AuthURLTimeout = socks.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
 	socksArgs.AuthURLOkCode = socks.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
 	socksArgs.AuthURLRetry = socks.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
+	socksArgs.DNSAddress = socks.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	socksArgs.DNSTTL = socks.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	socksArgs.LocalKey = socks.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	socksArgs.ParentKey = socks.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	socksArgs.LocalCompress = socks.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	socksArgs.ParentCompress = socks.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+
+	//########socks+http(s)#########
+	sps := app.Command("sps", "proxy on socks+http(s) mode")
+	spsArgs.Parent = sps.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	spsArgs.CertFile = sps.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	spsArgs.KeyFile = sps.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	spsArgs.CaCertFile = sps.Flag("ca", "ca cert file for tls").Default("").String()
+	spsArgs.Timeout = sps.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('i').Default("2000").Int()
+	spsArgs.ParentType = sps.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Short('T').Enum("tls", "tcp", "kcp")
+	spsArgs.LocalType = sps.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	spsArgs.Local = sps.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
+	spsArgs.ParentServiceType = sps.Flag("parent-service-type", "parent service type <http|socks>").Short('S').Enum("http", "socks", "ss")
+	spsArgs.DNSAddress = sps.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	spsArgs.DNSTTL = sps.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	spsArgs.AuthFile = sps.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	spsArgs.Auth = sps.Flag("auth", "socks auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	spsArgs.LocalIPS = sps.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	spsArgs.AuthURL = sps.Flag("auth-url", "auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	spsArgs.AuthURLTimeout = sps.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	spsArgs.AuthURLOkCode = sps.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	spsArgs.AuthURLRetry = sps.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
+	spsArgs.ParentAuth = sps.Flag("parent-auth", "parent socks auth username and password, such as: -A user1:pass1").Short('A').String()
+	spsArgs.LocalKey = sps.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	spsArgs.ParentKey = sps.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	spsArgs.LocalCompress = sps.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	spsArgs.ParentCompress = sps.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+	spsArgs.DisableHTTP = sps.Flag("disable-http", "disable http(s) proxy").Default("false").Bool()
+	spsArgs.DisableSocks5 = sps.Flag("disable-socks", "disable socks proxy").Default("false").Bool()

 	//parse args
 	serviceName := kingpin.MustParse(app.Parse(os.Args[1:]))
-	flags := log.Ldate
+
+	isDebug = *debug
+
+	//set kcp config
+
+	switch *kcpArgs.Mode {
+	case "normal":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 0, 40, 2, 1
+	case "fast":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 0, 30, 2, 1
+	case "fast2":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 1, 20, 2, 1
+	case "fast3":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 1, 10, 2, 1
+	}
+	pass := pbkdf2.Key([]byte(*kcpArgs.Key), []byte("snail007-goproxy"), 4096, 32, sha1.New)
+
+	switch *kcpArgs.Crypt {
+	case "sm4":
+		kcpArgs.Block, _ = kcp.NewSM4BlockCrypt(pass[:16])
+	case "tea":
+		kcpArgs.Block, _ = kcp.NewTEABlockCrypt(pass[:16])
+	case "xor":
+		kcpArgs.Block, _ = kcp.NewSimpleXORBlockCrypt(pass)
+	case "none":
+		kcpArgs.Block, _ = kcp.NewNoneBlockCrypt(pass)
+	case "aes-128":
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass[:16])
+	case "aes-192":
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass[:24])
+	case "blowfish":
+		kcpArgs.Block, _ = kcp.NewBlowfishBlockCrypt(pass)
+	case "twofish":
+		kcpArgs.Block, _ = kcp.NewTwofishBlockCrypt(pass)
+	case "cast5":
+		kcpArgs.Block, _ = kcp.NewCast5BlockCrypt(pass[:16])
+	case "3des":
+		kcpArgs.Block, _ = kcp.NewTripleDESBlockCrypt(pass[:24])
+	case "xtea":
+		kcpArgs.Block, _ = kcp.NewXTEABlockCrypt(pass[:16])
+	case "salsa20":
+		kcpArgs.Block, _ = kcp.NewSalsa20BlockCrypt(pass)
+	default:
+		*kcpArgs.Crypt = "aes"
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass)
+	}
+	//attach kcp config
+	tcpArgs.KCP = kcpArgs
+	httpArgs.KCP = kcpArgs
+	socksArgs.KCP = kcpArgs
+	spsArgs.KCP = kcpArgs
+	muxBridgeArgs.KCP = kcpArgs
+	muxServerArgs.KCP = kcpArgs
+	muxClientArgs.KCP = kcpArgs
+
+	log := logger.New(os.Stderr, "", logger.Ldate|logger.Ltime)
+
+	flags := logger.Ldate
 	if *debug {
-		flags |= log.Lshortfile | log.Lmicroseconds
+		flags |= logger.Lshortfile | logger.Lmicroseconds
+		cpuProfilingFile, _ = os.Create("cpu.prof")
+		memProfilingFile, _ = os.Create("memory.prof")
+		blockProfilingFile, _ = os.Create("block.prof")
+		goroutineProfilingFile, _ = os.Create("goroutine.prof")
+		threadcreateProfilingFile, _ = os.Create("threadcreate.prof")
+		pprof.StartCPUProfile(cpuProfilingFile)
 	} else {
-		flags |= log.Ltime
+		flags |= logger.Ltime
 	}
 	log.SetFlags(flags)

@ -269,19 +397,41 @@ func initConfig() (err error) {
 	}
 	if *logfile == "" {
 		poster()
+		if *debug {
+			log.Println("[profiling] cpu profiling save to file : cpu.prof")
+			log.Println("[profiling] memory profiling save to file : memory.prof")
+			log.Println("[profiling] block profiling save to file : block.prof")
+			log.Println("[profiling] goroutine profiling save to file : goroutine.prof")
+			log.Println("[profiling] threadcreate profiling save to file : threadcreate.prof")
+		}
 	}
 	//regist services and run service
-	services.Regist("http", services.NewHTTP(), httpArgs)
-	services.Regist("tcp", services.NewTCP(), tcpArgs)
-	services.Regist("udp", services.NewUDP(), udpArgs)
-	services.Regist("tserver", services.NewTunnelServerManager(), tunnelServerArgs)
-	services.Regist("tclient", services.NewTunnelClient(), tunnelClientArgs)
-	services.Regist("tbridge", services.NewTunnelBridge(), tunnelBridgeArgs)
-	services.Regist("server", services.NewMuxServerManager(), muxServerArgs)
-	services.Regist("client", services.NewMuxClient(), muxClientArgs)
-	services.Regist("bridge", services.NewMuxBridge(), muxBridgeArgs)
-	services.Regist("socks", services.NewSocks(), socksArgs)
-	service, err = services.Run(serviceName)
+	//regist services and run service
+	switch serviceName {
+	case "http":
+		services.Regist(serviceName, services.NewHTTP(), httpArgs, log)
+	case "tcp":
+		services.Regist(serviceName, services.NewTCP(), tcpArgs, log)
+	case "udp":
+		services.Regist(serviceName, services.NewUDP(), udpArgs, log)
+	case "tserver":
+		services.Regist(serviceName, services.NewTunnelServerManager(), tunnelServerArgs, log)
+	case "tclient":
+		services.Regist(serviceName, services.NewTunnelClient(), tunnelClientArgs, log)
+	case "tbridge":
+		services.Regist(serviceName, services.NewTunnelBridge(), tunnelBridgeArgs, log)
+	case "server":
+		services.Regist(serviceName, services.NewMuxServerManager(), muxServerArgs, log)
+	case "client":
+		services.Regist(serviceName, services.NewMuxClient(), muxClientArgs, log)
+	case "bridge":
+		services.Regist(serviceName, services.NewMuxBridge(), muxBridgeArgs, log)
+	case "socks":
+		services.Regist(serviceName, services.NewSocks(), socksArgs, log)
+	case "sps":
+		services.Regist(serviceName, services.NewSPS(), spsArgs, log)
+	}
+	service, err = services.Run(serviceName, nil)
 	if err != nil {
 		log.Fatalf("run service [%s] fail, ERR:%s", serviceName, err)
 	}
@ -300,3 +450,14 @@ func poster() {
 		
 		v%s`+" by snail , blog : http://www.host900.com/\n\n", APP_VERSION)
 }
+func saveProfiling() {
+	goroutine := pprof.Lookup("goroutine")
+	goroutine.WriteTo(goroutineProfilingFile, 1)
+	heap := pprof.Lookup("heap")
+	heap.WriteTo(memProfilingFile, 1)
+	block := pprof.Lookup("block")
+	block.WriteTo(blockProfilingFile, 1)
+	threadcreate := pprof.Lookup("threadcreate")
+	threadcreate.WriteTo(threadcreateProfilingFile, 1)
+	pprof.StopCPUProfile()
+}
--- a/docs/images/fxdl.png
+++ b/docs/images/fxdl.png
--- a/docs/images/http-1.png
+++ b/docs/images/http-1.png
--- a/docs/images/http-2.png
+++ b/docs/images/http-2.png
--- a/docs/images/http-kcp.png
+++ b/docs/images/http-kcp.png
--- a/docs/images/http-ssh-1.png
+++ b/docs/images/http-ssh-1.png
--- a/docs/images/http-tls-2.png
+++ b/docs/images/http-tls-2.png
--- a/docs/images/http-tls-3.png
+++ b/docs/images/http-tls-3.png
--- a/docs/images/socks-2.png
+++ b/docs/images/socks-2.png
--- a/docs/images/socks-ssh.png
+++ b/docs/images/socks-ssh.png
--- a/docs/images/socks-tls-2.png
+++ b/docs/images/socks-tls-2.png
--- a/docs/images/socks-tls-3.png
+++ b/docs/images/socks-tls-3.png
--- a/docs/images/sps-tls.png
+++ b/docs/images/sps-tls.png
--- a/docs/images/tcp-1.png
+++ b/docs/images/tcp-1.png
--- a/docs/images/tcp-2.png
+++ b/docs/images/tcp-2.png
--- a/docs/images/tcp-3.png
+++ b/docs/images/tcp-3.png
--- a/docs/images/tcp-tls-2.png
+++ b/docs/images/tcp-tls-2.png
--- a/docs/images/tcp-tls-3.png
+++ b/docs/images/tcp-tls-3.png
--- a/docs/images/udp-1.png
+++ b/docs/images/udp-1.png
--- a/docs/images/udp-2.png
+++ b/docs/images/udp-2.png
--- a/docs/images/udp-3.png
+++ b/docs/images/udp-3.png
--- a/docs/images/udp-tls-2.png
+++ b/docs/images/udp-tls-2.png
--- a/docs/images/udp-tls-3.png
+++ b/docs/images/udp-tls-3.png
--- a/gui/README.md
+++ b/gui/README.md
@ -0,0 +1,27 @@
+# Proxy-GUI
+基于proxy的各平台SDK,作者和众多热心人士开发了各平台的GUI版本的proxy,下面分平台介绍.  
+
+## Windows
+
+- 官方java版本,项目主页:[goproxy-jui](https://github.com/snail007/goproxy-jui)
+
+## Linux
+
+- 官方java版本,项目主页:[goproxy-jui](https://github.com/snail007/goproxy-jui)
+
+## MacOS
+
+- Coming Soon ...
+
+## Android
+
+- proxy-go,一个非官方实现版本,界面比较简陋,但是够用.下载地址:[proxy-go](https://github.com/snail007/goproxy-gui-stuff/releases/tag/proxy-go-release)
+
+
+## IOS
+
+- Coming Soon ...
+
+## 跨平台
+
+- proxy-web,一个跨平台的web UI版本,项目主页:[proxy-web](https://github.com/yincongcyincong/proxy-web)
--- a/install_auto.sh
+++ b/install_auto.sh
@ -5,7 +5,7 @@ if [ -e /tmp/proxy ]; then
 fi
 mkdir /tmp/proxy
 cd /tmp/proxy
-wget https://github.com/snail007/goproxy/releases/download/v4.2/proxy-linux-amd64.tar.gz
+wget https://github.com/snail007/goproxy/releases/download/v4.8/proxy-linux-amd64.tar.gz

 # #install proxy
 tar zxvf proxy-linux-amd64.tar.gz
--- a/main.go
+++ b/main.go
@ -4,11 +4,12 @@ import (
 	"log"
 	"os"
 	"os/signal"
-	"proxy/services"
 	"syscall"
+
+	"github.com/snail007/goproxy/services"
 )

-const APP_VERSION = "4.2"
+const APP_VERSION = "4.8"

 func main() {
 	err := initConfig()
@ -40,6 +41,9 @@ func Clean(s *services.Service) {
 				log.Printf("clean process %d", cmd.Process.Pid)
 				cmd.Process.Kill()
 			}
+			if isDebug {
+				saveProfiling()
+			}
 			cleanupDone <- true
 		}
 	}()
--- a/release.sh
+++ b/release.sh
@ -1,72 +1,74 @@
 #!/bin/bash
-VER="4.2"
+VER="4.8"
 RELEASE="release-${VER}"
 rm -rf .cert
 mkdir .cert
-go build 
+go build -o proxy 
 cd .cert
 ../proxy keygen
 cd ..
 rm -rf ${RELEASE}
 mkdir ${RELEASE}
 #linux
-CGO_ENABLED=0 GOOS=linux GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-linux-386.tar.gz" proxy direct blocked
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-linux-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build && tar zcfv "${RELEASE}/proxy-linux-arm-v6.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=6 go build && tar zcfv "${RELEASE}/proxy-linux-arm64-v6.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build && tar zcfv "${RELEASE}/proxy-linux-arm-v7.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=7 go build && tar zcfv "${RELEASE}/proxy-linux-arm64-v7.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=5 go build && tar zcfv "${RELEASE}/proxy-linux-arm-v5.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=5 go build && tar zcfv "${RELEASE}/proxy-linux-arm64-v5.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mips go build && tar zcfv "${RELEASE}/proxy-linux-mips.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build && tar zcfv "${RELEASE}/proxy-linux-mips64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build && tar zcfv "${RELEASE}/proxy-linux-mips64le.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build && tar zcfv "${RELEASE}/proxy-linux-mipsle.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=ppc64 go build && tar zcfv "${RELEASE}/proxy-linux-ppc64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build && tar zcfv "${RELEASE}/proxy-linux-ppc64le.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build && tar zcfv "${RELEASE}/proxy-linux-s390x.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-386.tar.gz" proxy direct blocked
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm-v6.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=6 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm64-v6.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm-v7.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=7 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm64-v7.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=5 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm-v5.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=5 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm64-v5.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mips go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mips.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mips64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mips64le.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mipsle.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=ppc64 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-ppc64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-ppc64le.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-s390x.tar.gz" proxy direct blocked 
 #android
-CGO_ENABLED=0 GOOS=android GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-android-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=android GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-android-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=android GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-android-arm.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=android GOARCH=arm64 go build && tar zcfv "${RELEASE}/proxy-android-arm64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-android-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-android-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-android-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=arm64 go build -o proxy && tar zcfv "${RELEASE}/proxy-android-arm64.tar.gz" proxy direct blocked 
 #darwin
-CGO_ENABLED=0 GOOS=darwin GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-darwin-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-darwin-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=darwin GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-darwin-arm.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build && tar zcfv "${RELEASE}/proxy-darwin-arm64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-arm64.tar.gz" proxy direct blocked 
 #dragonfly
-CGO_ENABLED=0 GOOS=dragonfly GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-dragonfly-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=dragonfly GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-dragonfly-amd64.tar.gz" proxy direct blocked 
 #freebsd
-CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-freebsd-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-freebsd-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=freebsd GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-freebsd-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-freebsd-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-freebsd-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=freebsd GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-freebsd-arm.tar.gz" proxy direct blocked 
 #nacl
-CGO_ENABLED=0 GOOS=nacl GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-nacl-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=nacl GOARCH=amd64p32 go build && tar zcfv "${RELEASE}/proxy-nacl-amd64p32.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=nacl GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-nacl-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=nacl GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-nacl-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=nacl GOARCH=amd64p32 go build -o proxy && tar zcfv "${RELEASE}/proxy-nacl-amd64p32.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=nacl GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-nacl-arm.tar.gz" proxy direct blocked 
 #netbsd
-CGO_ENABLED=0 GOOS=netbsd GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-netbsd-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=netbsd GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-netbsd-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=netbsd GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-netbsd-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=netbsd GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-netbsd-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=netbsd GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-netbsd-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=netbsd GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-netbsd-arm.tar.gz" proxy direct blocked 
 #openbsd
-CGO_ENABLED=0 GOOS=openbsd GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-openbsd-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=openbsd GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-openbsd-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=openbsd GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-openbsd-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=openbsd GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-openbsd-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=openbsd GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-openbsd-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=openbsd GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-openbsd-arm.tar.gz" proxy direct blocked 
 #plan9
-CGO_ENABLED=0 GOOS=plan9 GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-plan9-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=plan9 GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-plan9-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=plan9 GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-plan9-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=plan9 GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-plan9-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=plan9 GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-plan9-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=plan9 GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-plan9-arm.tar.gz" proxy direct blocked 
 #solaris
-CGO_ENABLED=0 GOOS=solaris GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-solaris-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=solaris GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-solaris-amd64.tar.gz" proxy direct blocked 
 #windows
-CGO_ENABLED=0 GOOS=windows GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-windows-386.tar.gz" proxy.exe  direct blocked .cert/proxy.crt .cert/proxy.key
-CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-windows-amd64.tar.gz" proxy.exe  direct blocked .cert/proxy.crt .cert/proxy.key
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build  -ldflags="-H=windowsgui" -o proxy-wingui.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -o proxy.exe && tar zcfv "${RELEASE}/proxy-windows-386.tar.gz" proxy.exe proxy-wingui.exe direct blocked .cert/proxy.crt .cert/proxy.key
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-H=windowsgui" -o proxy-wingui.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o proxy.exe && tar zcfv "${RELEASE}/proxy-windows-amd64.tar.gz" proxy.exe proxy-wingui.exe direct blocked .cert/proxy.crt .cert/proxy.key

-rm -rf proxy proxy.exe .cert
+rm -rf proxy proxy.exe proxy-wingui.exe .cert

 #todo
 #1.release.sh        VER="xxx"
 #2.main.go           APP_VERSION="xxx"
 #3.install_auto.sh   goproxy/releases/download/vxxx
-#4.README            goproxy/releases/download/vxxx
+#4.README            goproxy/releases/download/vxxx
--- a/sdk/CHANGELOG
+++ b/sdk/CHANGELOG
@ -0,0 +1,3 @@
+v4.8
+1.修复了多个服务同时开启日志,只会输出到最后一个日志文件的bug.  
+2.增加了获取sdk版本的Version()方法.  
--- a/sdk/README.md
+++ b/sdk/README.md
@ -0,0 +1,259 @@
+
+# Proxy SDK 使用说明  
+
+支持以下平台:  
+- Android,`.arr`库
+- IOS,`.framework`库
+- Windows,`.dll`库
+- Linux,`.so`库
+- MacOS,`.dylib`库
+
+proxy使用gombile实现了一份go代码编译为android和ios平台下面可以直接调用的sdk类库, 
+另外还为linux和windows,MacOS提供sdk支持，基于这些类库,APP开发者可以轻松的开发出各种形式的代理工具。    
+
+# 下面分平台介绍SDK的用法  
+
+## Android SDK
+  
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-android/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-android.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-android/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-android/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-android.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-android/releases)  
+  
+[点击下载Android-SDK](https://github.com/snail007/goproxy-sdk-android/releases)  
+在Android系统提供的sdk形式是一个后缀为.aar的类库文件,开发的时候只需要把arr类库文件引入android项目即可.  
+
+### Android-SDK使用实例
+
+#### 1.导入包
+
+```java
+import snail007.proxy.Porxy
+```
+
+#### 2.启动一个服务
+
+```java
+String serviceID="http01";//这里serviceID是自定义的唯一标识字符串,保证每个启动的服务不一样即可
+String serviceArgs="http -p :8080";
+String err=Proxy.start(serviceID,serviceArgs);
+if (!err.isEmpty()){
+    //启动失败
+    System.out.println("start fail,error:"+err);
+}else{
+    //启动成功
+}
+```
+
+#### 3.停止一个服务
+
+```java
+String serviceID="http01";
+Proxy.stop(serviceID);
+//停止完毕
+
+```
+
+## IOS SDK
+  
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-ios/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-ios.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-ios/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-ios/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-ios.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-ios/releases)  
+  
+[点击下载IOS-SDK](https://github.com/snail007/goproxy-sdk-ios/releases)  
+在IOS系统提供的sdk形式是一个后缀为.framework的类库文件夹,开发的时候只需要把类库文件引入项目,然后调用方法即可.  
+
+### IOS-SDK使用实例
+
+#### 导入包
+
+```objc
+#import <Proxy/Proxy.objc.h>
+```
+
+#### 2.启动一个服务
+
+```objc
+-(IBAction)doStart:(id)sender
+{
+	//这里serviceID是自定义的唯一标识字符串,保证每个启动的服务不一样
+	NSString *serviceID = @"http01";
+    NSString *serviceArgs = @"http -p :8080";
+    NSString *error = ProxyStart(serviceID,serviceArgs);
+    
+    if (error != nil && error.length > 0)
+    {
+        NSLog(@"start error %@",error);
+    }else{
+        NSLog(@"启动成功");
+    }
+}
+```
+
+#### 3.停止一个服务
+
+```objc
+-(IBAction)doStop:(id)sender
+{
+    NSString *serviceID = @"http01";
+    ProxyStop(serviceID);
+    //停止完毕
+}
+```
+
+
+## Windows SDK
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-windows/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-windows.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-windows/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-windows/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-windows.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-windows/releases)  
+  
+[点击下载Windows-SDK](https://github.com/snail007/goproxy-sdk-windows/releases)  
+在Windows系统提供的sdk形式是一个后缀为.dll的类库文件,开发的时候只需要把dll类库文件加载,然后调用方法即可.  
+
+### Windows-SDK使用实例  
+C++示例，不需要包含头文件，只需要加载proxy-sdk.dll即可，ieshims.dll需要和proxy-sdk.dll在一起。  
+作者：[yjbdsky](https://github.com/yjbdsky)     
+
+```cpp
+#include <stdio.h>
+#include<stdlib.h>
+#include <string.h>
+#include<pthread.h>
+#include<Windows.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef char *(*GOSTART)(char *s);
+typedef char *(*GOSTOP)(char *s);
+typedef int(*GOISRUN)(char *s);
+HMODULE GODLL = LoadLibrary("proxy-sdk.dll");
+
+char * Start(char * p0,char * p1)
+{
+	if (GODLL != NULL)
+	{
+		GOSTART gostart = *(GOSTART)(GetProcAddress(GODLL, "Start"));
+		if (gostart != NULL){
+			printf("%s:%s\n",p0, p1);
+			char *ret = gostart(p0,p1);
+			return ret;
+		}
+	}
+	return "Cannot Find dll";
+}
+char * Stop(char * p)
+{
+	if (GODLL != NULL)
+	{
+		GOSTOP gostop = *(GOSTOP)(GetProcAddress(GODLL, "Stop"));
+		if (gostop != NULL){
+			printf("%s\n", p);
+			char *ret = gostop(p);
+			return ret;
+		}
+	}
+	return "Cannot Find dll";
+}
+
+int main()
+{
+	//这里p0是自定义的唯一标识字符串,保证每个启动的服务不一样
+	char *p0 = "http01";
+	char *p1 = "http -t tcp -p :38080";
+	printf("This is demo application.\n");
+	//启动服务,返回空字符串说明启动成功;返回非空字符串说明启动失败,返回的字符串是错误原因
+	printf("start result %s\n", Start(p0,p1));
+	//停止服务,没有返回值
+	Stop(p0);
+	return 0;
+}
+
+
+#ifdef __cplusplus
+}
+#endif
+```
+
+C++示例2，请移步：[GoProxyForC](https://github.com/SuperPowerLF2/GoProxyForC)   
+
+## Linux SDK
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-linux/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-linux.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-linux/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-linux/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-linux.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-linux/releases)  
+  
+[点击下载Linux-SDK](https://github.com/snail007/goproxy-sdk-linux/releases)  
+在Linux系统提供的sdk形式是一个后缀为.so的类库文件,开发的时候只需要把so类库加载,调用方法即可.  
+
+### Linux-SDK使用实例
+Linux下面使用的sdk是so文件即libproxy-sdk.so,下面写一个简单的C程序示例,调用so库里面的方法.  
+
+`vi test-proxy.c`  
+
+```c
+#include <stdio.h>
+#include "libproxy-sdk.h"
+
+int main() {
+     printf("This is demo application.\n");
+	 //这里p0是自定义的唯一标识字符串,保证每个启动的服务不一样
+	 char *p0 = "http01";
+     char *p1 = "http -t tcp -p :38080";
+     //启动服务,返回空字符串说明启动成功;返回非空字符串说明启动失败,返回的字符串是错误原因
+     printf("start result %s\n",Start(p0,p1));
+     //停止服务,没有返回值
+     Stop(p0);
+     return 0;
+}
+```
+
+#### 编译test-proxy.c ####  
+`export LD_LIBRARY_PATH=./ && gcc -o test-proxy test.c libproxy-sdk.so`  
+
+#### 执行 ####  
+`./test-proxy`  
+
+## MacOS SDK
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-mac/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-mac.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-mac/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-mac/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-mac.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-mac/releases)  
+  
+[点击下载MacOS-SDK](https://github.com/snail007/goproxy-sdk-mac/releases)  
+在MacOS系统提供的sdk形式是一个后缀为.dylib的类库文件,开发的时候只需要把so类库加载,调用方法即可.  
+
+### MacOS-SDK使用实例
+MacOS下面使用的sdk是dylib文件即libproxy-sdk.dylib,下面写一个简单的Obj-C程序示例,调用dylib库里面的方法.  
+
+```objc
+#import "libproxy-sdk.h"
+-(IBAction)doStart:(id)sender
+{
+    char *result =  Start("http01", "http -t tcp -p :38080");
+    
+    if (result)
+    {
+        printf("started");
+    }else{
+        printf("not started");
+    }
+  
+}
+-(IBAction)doStop:(id)sender
+{
+     Stop("http01");
+
+}
+```
+
+### 关于服务  
+proxy的服务有11种,分别是:  
+
+```shell
+http  
+socks  
+sps  
+tcp  
+udp  
+bridge  
+server  
+client  
+tbridge  
+tserver  
+tclient  
+```
+服务启动时,如果存在正在运行的相同ID的服务,那么之前的服务会被停掉,后面启动的服务覆盖之前的服务.  
+所以要保证每次启动服务的时候,第一个ID参数唯一.  
+上面这些服务的具体使用方式和具体参数,可以参考[proxy手册](https://github.com/snail007/goproxy/blob/master/README_ZH.md)  
+sdk里面的服务不支持手册里面的：--daemon和--forever参数.  
+
+
--- a/sdk/android-ios/.gitignore
+++ b/sdk/android-ios/.gitignore
@ -0,0 +1,7 @@
+*.jar
+*.aar
+*.tar.gz
+ios
+android
+Proxy.framework
+  
--- a/sdk/android-ios/release_android.sh
+++ b/sdk/android-ios/release_android.sh
@ -0,0 +1,24 @@
+#/bin/bash
+VER="v4.8"
+rm -rf sdk-android-*.tar.gz
+rm -rf android
+mkdir android
+
+#android ; jdk,android ndk & android sdk required, install gomobile go1.10 required
+#export GOPATH="$HOME/go"
+#export GOROOT="/usr/local/go"
+#export PATH="$GOROOT/bin:$GOPATH/bin:$PATH"
+#export ANDROID_HOME="$HOME/Android/Sdk"
+#export NDK_ROOT="$HOME/Android/Sdk/ndk-bundle"
+#export PATH="$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools:$NDK_ROOT:$PATH"
+#go get -v golang.org/x/mobile/cmd/gomobile
+#gomobile init
+
+gomobile bind -v -target=android -javapkg=snail007 -ldflags="-s -w"
+mv proxy.aar android/snail007.goproxy.sdk.aar
+mv proxy-sources.jar android/snail007.goproxy.sdk-sources.jar
+cp ../README.md android
+tar zcfv sdk-android-${VER}.tar.gz android
+rm -rf android
+
+echo "done."
--- a/sdk/android-ios/release_ios.sh
+++ b/sdk/android-ios/release_ios.sh
@ -0,0 +1,14 @@
+#/bin/bash
+VER="v4.8"
+rm -rf sdk-ios-*.tar.gz
+rm -rf ios
+mkdir ios
+
+#ios  XCode required
+gomobile bind -v -target=ios -ldflags="-s -w"
+mv Proxy.framework ios
+cp ../README.md ios
+tar zcfv sdk-ios-${VER}.tar.gz ios
+rm -rf ios
+
+echo "done."
--- a/sdk/android-ios/sdk.go
+++ b/sdk/android-ios/sdk.go
@ -0,0 +1,366 @@
+package proxy
+
+import (
+	"crypto/sha1"
+	"fmt"
+	logger "log"
+	"os"
+	"strings"
+
+	"github.com/snail007/goproxy/services"
+	"github.com/snail007/goproxy/services/kcpcfg"
+
+	kcp "github.com/xtaci/kcp-go"
+	"golang.org/x/crypto/pbkdf2"
+	kingpin "gopkg.in/alecthomas/kingpin.v2"
+)
+
+const SDK_VERSION = "4.8"
+
+var (
+	app *kingpin.Application
+)
+
+//Start
+//serviceID : is service identify id,different service's id should be difference
+//serviceArgsStr: is the whole command line args string
+//such as :
+//1."http -t tcp -p :8989"
+//2."socks -t tcp -p :8989"
+//and so on.
+//if an error occured , errStr will be the error reason
+//if start success, errStr is empty.
+func Start(serviceID, serviceArgsStr string) (errStr string) {
+	//define  args
+	tcpArgs := services.TCPArgs{}
+	httpArgs := services.HTTPArgs{}
+	tunnelServerArgs := services.TunnelServerArgs{}
+	tunnelClientArgs := services.TunnelClientArgs{}
+	tunnelBridgeArgs := services.TunnelBridgeArgs{}
+	muxServerArgs := services.MuxServerArgs{}
+	muxClientArgs := services.MuxClientArgs{}
+	muxBridgeArgs := services.MuxBridgeArgs{}
+	udpArgs := services.UDPArgs{}
+	socksArgs := services.SocksArgs{}
+	spsArgs := services.SPSArgs{}
+	kcpArgs := kcpcfg.KCPConfigArgs{}
+	//build srvice args
+	app = kingpin.New("proxy", "happy with proxy")
+	app.Author("snail").Version(SDK_VERSION)
+	debug := app.Flag("debug", "debug log output").Default("false").Bool()
+	logfile := app.Flag("log", "log file path").Default("").String()
+	kcpArgs.Key = app.Flag("kcp-key", "pre-shared secret between client and server").Default("secrect").String()
+	kcpArgs.Crypt = app.Flag("kcp-method", "encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none").Default("aes").Enum("aes", "aes-128", "aes-192", "salsa20", "blowfish", "twofish", "cast5", "3des", "tea", "xtea", "xor", "sm4", "none")
+	kcpArgs.Mode = app.Flag("kcp-mode", "profiles: fast3, fast2, fast, normal, manual").Default("fast3").Enum("fast3", "fast2", "fast", "normal", "manual")
+	kcpArgs.MTU = app.Flag("kcp-mtu", "set maximum transmission unit for UDP packets").Default("1350").Int()
+	kcpArgs.SndWnd = app.Flag("kcp-sndwnd", "set send window size(num of packets)").Default("1024").Int()
+	kcpArgs.RcvWnd = app.Flag("kcp-rcvwnd", "set receive window size(num of packets)").Default("1024").Int()
+	kcpArgs.DataShard = app.Flag("kcp-ds", "set reed-solomon erasure coding - datashard").Default("10").Int()
+	kcpArgs.ParityShard = app.Flag("kcp-ps", "set reed-solomon erasure coding - parityshard").Default("3").Int()
+	kcpArgs.DSCP = app.Flag("kcp-dscp", "set DSCP(6bit)").Default("0").Int()
+	kcpArgs.NoComp = app.Flag("kcp-nocomp", "disable compression").Default("false").Bool()
+	kcpArgs.AckNodelay = app.Flag("kcp-acknodelay", "be carefull! flush ack immediately when a packet is received").Default("true").Bool()
+	kcpArgs.NoDelay = app.Flag("kcp-nodelay", "be carefull!").Default("0").Int()
+	kcpArgs.Interval = app.Flag("kcp-interval", "be carefull!").Default("50").Int()
+	kcpArgs.Resend = app.Flag("kcp-resend", "be carefull!").Default("0").Int()
+	kcpArgs.NoCongestion = app.Flag("kcp-nc", "be carefull! no congestion").Default("0").Int()
+	kcpArgs.SockBuf = app.Flag("kcp-sockbuf", "be carefull!").Default("4194304").Int()
+	kcpArgs.KeepAlive = app.Flag("kcp-keepalive", "be carefull!").Default("10").Int()
+
+	//########http#########
+	http := app.Command("http", "proxy on http mode")
+	httpArgs.Parent = http.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	httpArgs.CaCertFile = http.Flag("ca", "ca cert file for tls").Default("").String()
+	httpArgs.CertFile = http.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	httpArgs.KeyFile = http.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	httpArgs.LocalType = http.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	httpArgs.ParentType = http.Flag("parent-type", "parent protocol type <tls|tcp|ssh|kcp>").Short('T').Enum("tls", "tcp", "ssh", "kcp")
+	httpArgs.Always = http.Flag("always", "always use parent proxy").Default("false").Bool()
+	httpArgs.Timeout = http.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Default("2000").Int()
+	httpArgs.HTTPTimeout = http.Flag("http-timeout", "check domain if blocked , http request timeout milliseconds when connect to host").Default("3000").Int()
+	httpArgs.Interval = http.Flag("interval", "check domain if blocked every interval seconds").Default("10").Int()
+	httpArgs.Blocked = http.Flag("blocked", "blocked domain file , one domain each line").Default("blocked").Short('b').String()
+	httpArgs.Direct = http.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
+	httpArgs.AuthFile = http.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	httpArgs.Auth = http.Flag("auth", "http basic auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	httpArgs.CheckParentInterval = http.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
+	httpArgs.Local = http.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
+	httpArgs.SSHUser = http.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
+	httpArgs.SSHKeyFile = http.Flag("ssh-key", "private key file for ssh").Short('S').Default("").String()
+	httpArgs.SSHKeyFileSalt = http.Flag("ssh-keysalt", "salt of ssh private key").Short('s').Default("").String()
+	httpArgs.SSHPassword = http.Flag("ssh-password", "password for ssh").Short('A').Default("").String()
+	httpArgs.LocalIPS = http.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	httpArgs.AuthURL = http.Flag("auth-url", "http basic auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	httpArgs.AuthURLTimeout = http.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	httpArgs.AuthURLOkCode = http.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	httpArgs.AuthURLRetry = http.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("1").Int()
+	httpArgs.DNSAddress = http.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	httpArgs.DNSTTL = http.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	httpArgs.LocalKey = http.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	httpArgs.ParentKey = http.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	httpArgs.LocalCompress = http.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	httpArgs.ParentCompress = http.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+
+	//########tcp#########
+	tcp := app.Command("tcp", "proxy on tcp mode")
+	tcpArgs.Parent = tcp.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	tcpArgs.CertFile = tcp.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tcpArgs.KeyFile = tcp.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tcpArgs.Timeout = tcp.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('e').Default("2000").Int()
+	tcpArgs.ParentType = tcp.Flag("parent-type", "parent protocol type <tls|tcp|kcp|udp>").Short('T').Enum("tls", "tcp", "udp", "kcp")
+	tcpArgs.LocalType = tcp.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	tcpArgs.CheckParentInterval = tcp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
+	tcpArgs.Local = tcp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+
+	//########udp#########
+	udp := app.Command("udp", "proxy on udp mode")
+	udpArgs.Parent = udp.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	udpArgs.CertFile = udp.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	udpArgs.KeyFile = udp.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	udpArgs.Timeout = udp.Flag("timeout", "tcp timeout milliseconds when connect to parent proxy").Short('t').Default("2000").Int()
+	udpArgs.ParentType = udp.Flag("parent-type", "parent protocol type <tls|tcp|udp>").Short('T').Enum("tls", "tcp", "udp")
+	udpArgs.CheckParentInterval = udp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
+	udpArgs.Local = udp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+
+	//########mux-server#########
+	muxServer := app.Command("server", "proxy on mux server mode")
+	muxServerArgs.Parent = muxServer.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	muxServerArgs.ParentType = muxServer.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Default("tls").Short('T').Enum("tls", "tcp", "kcp")
+	muxServerArgs.CertFile = muxServer.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	muxServerArgs.KeyFile = muxServer.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	muxServerArgs.Timeout = muxServer.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
+	muxServerArgs.IsUDP = muxServer.Flag("udp", "proxy on udp mux server mode").Default("false").Bool()
+	muxServerArgs.Key = muxServer.Flag("k", "client key").Default("default").String()
+	muxServerArgs.Route = muxServer.Flag("route", "local route to client's network, such as: PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT").Short('r').Default("").Strings()
+	muxServerArgs.IsCompress = muxServer.Flag("c", "compress data when tcp|tls mode").Default("false").Bool()
+	muxServerArgs.SessionCount = muxServer.Flag("session-count", "session count which connect to bridge").Short('n').Default("10").Int()
+
+	//########mux-client#########
+	muxClient := app.Command("client", "proxy on mux client mode")
+	muxClientArgs.Parent = muxClient.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	muxClientArgs.ParentType = muxClient.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Default("tls").Short('T').Enum("tls", "tcp", "kcp")
+	muxClientArgs.CertFile = muxClient.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	muxClientArgs.KeyFile = muxClient.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	muxClientArgs.Timeout = muxClient.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
+	muxClientArgs.Key = muxClient.Flag("k", "key same with server").Default("default").String()
+	muxClientArgs.IsCompress = muxClient.Flag("c", "compress data when tcp|tls mode").Default("false").Bool()
+	muxClientArgs.SessionCount = muxClient.Flag("session-count", "session count which connect to bridge").Short('n').Default("10").Int()
+
+	//########mux-bridge#########
+	muxBridge := app.Command("bridge", "proxy on mux bridge mode")
+	muxBridgeArgs.CertFile = muxBridge.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	muxBridgeArgs.KeyFile = muxBridge.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	muxBridgeArgs.Timeout = muxBridge.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
+	muxBridgeArgs.Local = muxBridge.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+	muxBridgeArgs.LocalType = muxBridge.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tls").Short('t').Enum("tls", "tcp", "kcp")
+
+	//########tunnel-server#########
+	tunnelServer := app.Command("tserver", "proxy on tunnel server mode")
+	tunnelServerArgs.Parent = tunnelServer.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	tunnelServerArgs.CertFile = tunnelServer.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tunnelServerArgs.KeyFile = tunnelServer.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tunnelServerArgs.Timeout = tunnelServer.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	tunnelServerArgs.IsUDP = tunnelServer.Flag("udp", "proxy on udp tunnel server mode").Default("false").Bool()
+	tunnelServerArgs.Key = tunnelServer.Flag("k", "client key").Default("default").String()
+	tunnelServerArgs.Route = tunnelServer.Flag("route", "local route to client's network, such as: PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT").Short('r').Default("").Strings()
+
+	//########tunnel-client#########
+	tunnelClient := app.Command("tclient", "proxy on tunnel client mode")
+	tunnelClientArgs.Parent = tunnelClient.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	tunnelClientArgs.CertFile = tunnelClient.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tunnelClientArgs.KeyFile = tunnelClient.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tunnelClientArgs.Timeout = tunnelClient.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	tunnelClientArgs.Key = tunnelClient.Flag("k", "key same with server").Default("default").String()
+
+	//########tunnel-bridge#########
+	tunnelBridge := app.Command("tbridge", "proxy on tunnel bridge mode")
+	tunnelBridgeArgs.CertFile = tunnelBridge.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tunnelBridgeArgs.KeyFile = tunnelBridge.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tunnelBridgeArgs.Timeout = tunnelBridge.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	tunnelBridgeArgs.Local = tunnelBridge.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+
+	//########ssh#########
+	socks := app.Command("socks", "proxy on ssh mode")
+	socksArgs.Parent = socks.Flag("parent", "parent ssh address, such as: \"23.32.32.19:22\"").Default("").Short('P').String()
+	socksArgs.ParentType = socks.Flag("parent-type", "parent protocol type <tls|tcp|kcp|ssh>").Default("tcp").Short('T').Enum("tls", "tcp", "kcp", "ssh")
+	socksArgs.LocalType = socks.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	socksArgs.Local = socks.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+	socksArgs.UDPParent = socks.Flag("udp-parent", "udp parent address, such as: \"23.32.32.19:33090\"").Default("").Short('X').String()
+	socksArgs.UDPLocal = socks.Flag("udp-local", "udp local ip:port to listen").Short('x').Default(":33090").String()
+	socksArgs.CertFile = socks.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	socksArgs.CaCertFile = socks.Flag("ca", "ca cert file for tls").Default("").String()
+	socksArgs.KeyFile = socks.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	socksArgs.SSHUser = socks.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
+	socksArgs.SSHKeyFile = socks.Flag("ssh-key", "private key file for ssh").Short('S').Default("").String()
+	socksArgs.SSHKeyFileSalt = socks.Flag("ssh-keysalt", "salt of ssh private key").Short('s').Default("").String()
+	socksArgs.SSHPassword = socks.Flag("ssh-password", "password for ssh").Short('A').Default("").String()
+	socksArgs.Always = socks.Flag("always", "always use parent proxy").Default("false").Bool()
+	socksArgs.Timeout = socks.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Default("5000").Int()
+	socksArgs.Interval = socks.Flag("interval", "check domain if blocked every interval seconds").Default("10").Int()
+	socksArgs.Blocked = socks.Flag("blocked", "blocked domain file , one domain each line").Default("blocked").Short('b').String()
+	socksArgs.Direct = socks.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
+	socksArgs.AuthFile = socks.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	socksArgs.Auth = socks.Flag("auth", "socks auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	socksArgs.LocalIPS = socks.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	socksArgs.AuthURL = socks.Flag("auth-url", "auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	socksArgs.AuthURLTimeout = socks.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	socksArgs.AuthURLOkCode = socks.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	socksArgs.AuthURLRetry = socks.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
+	socksArgs.DNSAddress = socks.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	socksArgs.DNSTTL = socks.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	socksArgs.LocalKey = socks.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	socksArgs.ParentKey = socks.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	socksArgs.LocalCompress = socks.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	socksArgs.ParentCompress = socks.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+
+	//########socks+http(s)#########
+	sps := app.Command("sps", "proxy on socks+http(s) mode")
+	spsArgs.Parent = sps.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	spsArgs.CertFile = sps.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	spsArgs.KeyFile = sps.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	spsArgs.CaCertFile = sps.Flag("ca", "ca cert file for tls").Default("").String()
+	spsArgs.Timeout = sps.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('i').Default("2000").Int()
+	spsArgs.ParentType = sps.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Short('T').Enum("tls", "tcp", "kcp")
+	spsArgs.LocalType = sps.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	spsArgs.Local = sps.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
+	spsArgs.ParentServiceType = sps.Flag("parent-service-type", "parent service type <http|socks>").Short('S').Enum("http", "socks")
+	spsArgs.DNSAddress = sps.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	spsArgs.DNSTTL = sps.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	spsArgs.AuthFile = sps.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	spsArgs.Auth = sps.Flag("auth", "socks auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	spsArgs.LocalIPS = sps.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	spsArgs.AuthURL = sps.Flag("auth-url", "auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	spsArgs.AuthURLTimeout = sps.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	spsArgs.AuthURLOkCode = sps.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	spsArgs.AuthURLRetry = sps.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
+	spsArgs.ParentAuth = sps.Flag("parent-auth", "parent socks auth username and password, such as: -A user1:pass1").Short('A').String()
+	spsArgs.LocalKey = sps.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	spsArgs.ParentKey = sps.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	spsArgs.LocalCompress = sps.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	spsArgs.ParentCompress = sps.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+	spsArgs.SSMethod = sps.Flag("ss-method", "").Hidden().Short('h').Default("aes-256-cfb").String()
+	spsArgs.SSKey = sps.Flag("ss-key", "").Hidden().Short('j').Default("sspassword").String()
+	spsArgs.ParentSSMethod = sps.Flag("parent-ss-method", "").Hidden().Short('H').Default("aes-256-cfb").String()
+	spsArgs.ParentSSKey = sps.Flag("parent-ss-key", "").Hidden().Short('J').Default("sspassword").String()
+	spsArgs.DisableHTTP = sps.Flag("disable-http", "disable http(s) proxy").Default("false").Bool()
+	spsArgs.DisableSocks5 = sps.Flag("disable-socks", "disable socks proxy").Default("false").Bool()
+	spsArgs.DisableSS = sps.Flag("disable-ss", "").Hidden().Default("false").Bool()
+
+	//parse args
+	_args := strings.Fields(strings.Trim(serviceArgsStr, " "))
+	args := []string{}
+	for _, a := range _args {
+		args = append(args, strings.Trim(a, "\""))
+	}
+	serviceName, err := app.Parse(args)
+	if err != nil {
+		return fmt.Sprintf("parse args fail,err: %s", err)
+	}
+	//set kcp config
+
+	switch *kcpArgs.Mode {
+	case "normal":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 0, 40, 2, 1
+	case "fast":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 0, 30, 2, 1
+	case "fast2":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 1, 20, 2, 1
+	case "fast3":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 1, 10, 2, 1
+	}
+	pass := pbkdf2.Key([]byte(*kcpArgs.Key), []byte("snail007-goproxy"), 4096, 32, sha1.New)
+
+	switch *kcpArgs.Crypt {
+	case "sm4":
+		kcpArgs.Block, _ = kcp.NewSM4BlockCrypt(pass[:16])
+	case "tea":
+		kcpArgs.Block, _ = kcp.NewTEABlockCrypt(pass[:16])
+	case "xor":
+		kcpArgs.Block, _ = kcp.NewSimpleXORBlockCrypt(pass)
+	case "none":
+		kcpArgs.Block, _ = kcp.NewNoneBlockCrypt(pass)
+	case "aes-128":
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass[:16])
+	case "aes-192":
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass[:24])
+	case "blowfish":
+		kcpArgs.Block, _ = kcp.NewBlowfishBlockCrypt(pass)
+	case "twofish":
+		kcpArgs.Block, _ = kcp.NewTwofishBlockCrypt(pass)
+	case "cast5":
+		kcpArgs.Block, _ = kcp.NewCast5BlockCrypt(pass[:16])
+	case "3des":
+		kcpArgs.Block, _ = kcp.NewTripleDESBlockCrypt(pass[:24])
+	case "xtea":
+		kcpArgs.Block, _ = kcp.NewXTEABlockCrypt(pass[:16])
+	case "salsa20":
+		kcpArgs.Block, _ = kcp.NewSalsa20BlockCrypt(pass)
+	default:
+		*kcpArgs.Crypt = "aes"
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass)
+	}
+	//attach kcp config
+	tcpArgs.KCP = kcpArgs
+	httpArgs.KCP = kcpArgs
+	socksArgs.KCP = kcpArgs
+	spsArgs.KCP = kcpArgs
+	muxBridgeArgs.KCP = kcpArgs
+	muxServerArgs.KCP = kcpArgs
+	muxClientArgs.KCP = kcpArgs
+
+	log := logger.New(os.Stderr, "", logger.Ldate|logger.Ltime)
+	flags := logger.Ldate
+	if *debug {
+		flags |= logger.Lshortfile | logger.Lmicroseconds
+	} else {
+		flags |= logger.Ltime
+	}
+	log.SetFlags(flags)
+
+	if *logfile != "" {
+		f, e := os.OpenFile(*logfile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
+		if e != nil {
+			log.Fatal(e)
+		}
+		log.SetOutput(f)
+	}
+
+	//regist services and run service
+	switch serviceName {
+	case "http":
+		services.Regist(serviceID, services.NewHTTP(), httpArgs, log)
+	case "tcp":
+		services.Regist(serviceID, services.NewTCP(), tcpArgs, log)
+	case "udp":
+		services.Regist(serviceID, services.NewUDP(), udpArgs, log)
+	case "tserver":
+		services.Regist(serviceID, services.NewTunnelServerManager(), tunnelServerArgs, log)
+	case "tclient":
+		services.Regist(serviceID, services.NewTunnelClient(), tunnelClientArgs, log)
+	case "tbridge":
+		services.Regist(serviceID, services.NewTunnelBridge(), tunnelBridgeArgs, log)
+	case "server":
+		services.Regist(serviceID, services.NewMuxServerManager(), muxServerArgs, log)
+	case "client":
+		services.Regist(serviceID, services.NewMuxClient(), muxClientArgs, log)
+	case "bridge":
+		services.Regist(serviceID, services.NewMuxBridge(), muxBridgeArgs, log)
+	case "socks":
+		services.Regist(serviceID, services.NewSocks(), socksArgs, log)
+	case "sps":
+		services.Regist(serviceID, services.NewSPS(), spsArgs, log)
+	}
+	_, err = services.Run(serviceID, nil)
+	if err != nil {
+		return fmt.Sprintf("run service [%s:%s] fail, ERR:%s", serviceID, serviceName, err)
+	}
+	return
+}
+
+func Stop(serviceID string) {
+	services.Stop(serviceID)
+}
+
+func Version() string {
+	return SDK_VERSION
+}
--- a/sdk/windows-linux/.gitignore
+++ b/sdk/windows-linux/.gitignore
@ -0,0 +1,6 @@
+proxy-sdk.dll
+proxy-sdk.h
+proxy-sdk.so
+proxy-sdk.a
+*.tar.gz
+test.c
--- a/sdk/windows-linux/ieshims.dll
+++ b/sdk/windows-linux/ieshims.dll
--- a/sdk/windows-linux/release_linux.sh
+++ b/sdk/windows-linux/release_linux.sh
@ -0,0 +1,24 @@
+#/bin/bash
+VER="v4.8"
+
+rm -rf sdk-linux-*.tar.gz
+rm -rf README.md libproxy-sdk.so libproxy-sdk.h libproxy-sdk.a
+
+#linux 32bit
+CGO_ENABLED=1 GOARCH=386 GOOS=linux go build -buildmode=c-archive -ldflags "-s -w" -o libproxy-sdk.a sdk.go
+CGO_ENABLED=1 GOARCH=386 GOOS=linux go build -buildmode=c-shared -ldflags "-s -w" -o libproxy-sdk.so sdk.go
+cp ../README.md .
+tar zcf sdk-linux-32bit-${VER}.tar.gz README.md libproxy-sdk.so libproxy-sdk.a libproxy-sdk.h
+rm -rf README.md libproxy-sdk.so libproxy-sdk.h libproxy-sdk.a
+
+#linux 64bit
+CGO_ENABLED=1 GOARCH=amd64 GOOS=linux go build -buildmode=c-archive -ldflags "-s -w" -o libproxy-sdk.a sdk.go
+CGO_ENABLED=1 GOARCH=amd64 GOOS=linux go build -buildmode=c-shared -ldflags "-s -w" -o libproxy-sdk.so sdk.go
+cp ../README.md .
+tar zcf sdk-linux-64bit-${VER}.tar.gz README.md libproxy-sdk.so libproxy-sdk.a libproxy-sdk.h
+rm -rf README.md libproxy-sdk.so libproxy-sdk.h libproxy-sdk.a
+
+echo "done."
+
+
+
--- a/sdk/windows-linux/release_mac.sh
+++ b/sdk/windows-linux/release_mac.sh
@ -0,0 +1,13 @@
+#/bin/bash
+VER="v4.8"
+
+rm -rf *.tar.gz
+rm -rf README.md libproxy-sdk.dylib libproxy-sdk.h
+
+#mac  , macos required
+CGO_ENABLED=1 GOARCH=amd64 GOOS=darwin go build -buildmode=c-shared -ldflags "-s -w" -o libproxy-sdk.dylib sdk.go
+cp ../README.md .
+tar zcf sdk-mac-${VER}.tar.gz README.md libproxy-sdk.dylib libproxy-sdk.h
+rm -rf README.md libproxy-sdk.dylib libproxy-sdk.h
+
+echo "done."
--- a/sdk/windows-linux/release_windows.sh
+++ b/sdk/windows-linux/release_windows.sh
@ -0,0 +1,28 @@
+#/bin/bash
+VER="v4.8"
+
+sudo rm /usr/local/go
+sudo ln -s /usr/local/go1.10.1 /usr/local/go
+rm -rf sdk-windows-*.tar.gz
+rm -rf README.md proxy-sdk.h proxy-sdk.dll
+
+
+#apt-get install gcc-multilib 
+#apt-get install gcc-mingw-w64
+
+#windows 64bit
+CC=x86_64-w64-mingw32-gcc GOARCH=amd64 CGO_ENABLED=1 GOOS=windows go build -buildmode=c-shared -ldflags "-s -w" -o proxy-sdk.dll sdk.go
+cp ../README.md .
+tar zcf sdk-windows-64bit-${VER}.tar.gz README.md proxy-sdk.dll proxy-sdk.h ieshims.dll
+rm -rf README.md proxy-sdk.h proxy-sdk.dll
+
+#windows 32bit
+CC=i686-w64-mingw32-gcc-win32 GOARCH=386 CGO_ENABLED=1 GOOS=windows go build -buildmode=c-shared -ldflags "-s -w" -o proxy-sdk.dll sdk.go
+cp ../README.md .
+tar zcf sdk-windows-32bit-${VER}.tar.gz README.md proxy-sdk.dll proxy-sdk.h ieshims.dll
+rm -rf README.md proxy-sdk.h proxy-sdk.dll
+
+sudo rm /usr/local/go
+sudo ln -s /usr/local/go1.8.5 /usr/local/go
+
+echo "done."
--- a/sdk/windows-linux/sdk.go
+++ b/sdk/windows-linux/sdk.go
@ -0,0 +1,25 @@
+package main
+
+import (
+	"C"
+
+	sdk "github.com/snail007/goproxy/sdk/android-ios"
+)
+
+//export Start
+func Start(serviceID *C.char, serviceArgsStr *C.char) (errStr *C.char) {
+	return C.CString(sdk.Start(C.GoString(serviceID), C.GoString(serviceArgsStr)))
+}
+
+//export Stop
+func Stop(serviceID *C.char) {
+	sdk.Stop(C.GoString(serviceID))
+}
+
+//export Version
+func Version() (ver *C.char) {
+	return C.CString(sdk.Version())
+}
+
+func main() {
+}
--- a/services/args.go
+++ b/services/args.go
@ -1,6 +1,10 @@
 package services

-import "golang.org/x/crypto/ssh"
+import (
+	"github.com/snail007/goproxy/services/kcpcfg"
+
+	"golang.org/x/crypto/ssh"
+)

 // tcp := app.Command("tcp", "proxy on tcp mode")
 // t := tcp.Flag("tcp-timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Default("2000").Int()
@ -21,39 +25,46 @@ const (
 )

 type MuxServerArgs struct {
-	Parent     *string
-	CertFile   *string
-	KeyFile    *string
-	CertBytes  []byte
-	KeyBytes   []byte
-	Local      *string
-	IsUDP      *bool
-	Key        *string
-	Remote     *string
-	Timeout    *int
-	Route      *[]string
-	Mgr        *MuxServerManager
-	IsCompress *bool
+	Parent       *string
+	ParentType   *string
+	CertFile     *string
+	KeyFile      *string
+	CertBytes    []byte
+	KeyBytes     []byte
+	Local        *string
+	IsUDP        *bool
+	Key          *string
+	Remote       *string
+	Timeout      *int
+	Route        *[]string
+	Mgr          *MuxServerManager
+	IsCompress   *bool
+	SessionCount *int
+	KCP          kcpcfg.KCPConfigArgs
 }
 type MuxClientArgs struct {
-	Parent     *string
-	CertFile   *string
-	KeyFile    *string
-	CertBytes  []byte
-	KeyBytes   []byte
-	Key        *string
-	Timeout    *int
-	IsCompress *bool
+	Parent       *string
+	ParentType   *string
+	CertFile     *string
+	KeyFile      *string
+	CertBytes    []byte
+	KeyBytes     []byte
+	Key          *string
+	Timeout      *int
+	IsCompress   *bool
+	SessionCount *int
+	KCP          kcpcfg.KCPConfigArgs
 }
 type MuxBridgeArgs struct {
-	Parent     *string
 	CertFile   *string
 	KeyFile    *string
 	CertBytes  []byte
 	KeyBytes   []byte
 	Local      *string
+	LocalType  *string
 	Timeout    *int
 	IsCompress *bool
+	KCP        kcpcfg.KCPConfigArgs
 }
 type TunnelServerArgs struct {
 	Parent    *string
@ -100,16 +111,16 @@ type TCPArgs struct {
 	ParentType          *string
 	LocalType           *string
 	Timeout             *int
-	PoolSize            *int
 	CheckParentInterval *int
-	KCPMethod           *string
-	KCPKey              *string
+	KCP                 kcpcfg.KCPConfigArgs
 }

 type HTTPArgs struct {
 	Parent              *string
 	CertFile            *string
 	KeyFile             *string
+	CaCertFile          *string
+	CaCertBytes         []byte
 	CertBytes           []byte
 	KeyBytes            []byte
 	Local               *string
@ -127,7 +138,6 @@ type HTTPArgs struct {
 	ParentType          *string
 	LocalType           *string
 	Timeout             *int
-	PoolSize            *int
 	CheckParentInterval *int
 	SSHKeyFile          *string
 	SSHKeyFileSalt      *string
@ -135,9 +145,14 @@ type HTTPArgs struct {
 	SSHUser             *string
 	SSHKeyBytes         []byte
 	SSHAuthMethod       ssh.AuthMethod
-	KCPMethod           *string
-	KCPKey              *string
+	KCP                 kcpcfg.KCPConfigArgs
 	LocalIPS            *[]string
+	DNSAddress          *string
+	DNSTTL              *int
+	LocalKey            *string
+	ParentKey           *string
+	LocalCompress       *bool
+	ParentCompress      *bool
 }
 type UDPArgs struct {
 	Parent              *string
@ -148,7 +163,6 @@ type UDPArgs struct {
 	Local               *string
 	ParentType          *string
 	Timeout             *int
-	PoolSize            *int
 	CheckParentInterval *int
 }
 type SocksArgs struct {
@ -158,6 +172,8 @@ type SocksArgs struct {
 	LocalType      *string
 	CertFile       *string
 	KeyFile        *string
+	CaCertFile     *string
+	CaCertBytes    []byte
 	CertBytes      []byte
 	KeyBytes       []byte
 	SSHKeyFile     *string
@ -177,13 +193,60 @@ type SocksArgs struct {
 	AuthURLOkCode  *int
 	AuthURLTimeout *int
 	AuthURLRetry   *int
-	KCPMethod      *string
-	KCPKey         *string
+	KCP            kcpcfg.KCPConfigArgs
 	UDPParent      *string
 	UDPLocal       *string
 	LocalIPS       *[]string
+	DNSAddress     *string
+	DNSTTL         *int
+	LocalKey       *string
+	ParentKey      *string
+	LocalCompress  *bool
+	ParentCompress *bool
+}
+type SPSArgs struct {
+	Parent            *string
+	CertFile          *string
+	KeyFile           *string
+	CaCertFile        *string
+	CaCertBytes       []byte
+	CertBytes         []byte
+	KeyBytes          []byte
+	Local             *string
+	ParentType        *string
+	LocalType         *string
+	Timeout           *int
+	KCP               kcpcfg.KCPConfigArgs
+	ParentServiceType *string
+	DNSAddress        *string
+	DNSTTL            *int
+	AuthFile          *string
+	Auth              *[]string
+	AuthURL           *string
+	AuthURLOkCode     *int
+	AuthURLTimeout    *int
+	AuthURLRetry      *int
+	LocalIPS          *[]string
+	ParentAuth        *string
+	LocalKey          *string
+	ParentKey         *string
+	LocalCompress     *bool
+	ParentCompress    *bool
+	DisableHTTP       *bool
+	DisableSocks5     *bool
 }

+func (a *SPSArgs) Protocol() string {
+	switch *a.LocalType {
+	case TYPE_TLS:
+		return TYPE_TLS
+	case TYPE_TCP:
+		return TYPE_TCP
+	case TYPE_KCP:
+		return TYPE_KCP
+	}
+	return "unknown"
+}
 func (a *TCPArgs) Protocol() string {
 	switch *a.LocalType {
 	case TYPE_TLS:
--- a/services/http.go
+++ b/services/http.go
@ -4,49 +4,71 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils"
+	"github.com/snail007/goproxy/utils/conncrypt"
+
 	"golang.org/x/crypto/ssh"
 )

 type HTTP struct {
-	outPool   utils.OutPool
-	cfg       HTTPArgs
-	checker   utils.Checker
-	basicAuth utils.BasicAuth
-	sshClient *ssh.Client
-	lockChn   chan bool
+	outPool        utils.OutConn
+	cfg            HTTPArgs
+	checker        utils.Checker
+	basicAuth      utils.BasicAuth
+	sshClient      *ssh.Client
+	lockChn        chan bool
+	domainResolver utils.DomainResolver
+	isStop         bool
+	serverChannels []*utils.ServerChannel
+	userConns      utils.ConcurrentMap
+	log            *logger.Logger
 }

 func NewHTTP() Service {
 	return &HTTP{
-		outPool:   utils.OutPool{},
-		cfg:       HTTPArgs{},
-		checker:   utils.Checker{},
-		basicAuth: utils.BasicAuth{},
-		lockChn:   make(chan bool, 1),
+		outPool:        utils.OutConn{},
+		cfg:            HTTPArgs{},
+		checker:        utils.Checker{},
+		basicAuth:      utils.BasicAuth{},
+		lockChn:        make(chan bool, 1),
+		isStop:         false,
+		serverChannels: []*utils.ServerChannel{},
+		userConns:      utils.NewConcurrentMap(),
 	}
 }
-func (s *HTTP) CheckArgs() {
-	var err error
+func (s *HTTP) CheckArgs() (err error) {
 	if *s.cfg.Parent != "" && *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp|ssh>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp|ssh|kcp>")
+		return
 	}
 	if *s.cfg.ParentType == "tls" || *s.cfg.LocalType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
+		if *s.cfg.CaCertFile != "" {
+			s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
+			if err != nil {
+				err = fmt.Errorf("read ca file error,ERR:%s", err)
+				return
+			}
+		}
 	}
 	if *s.cfg.ParentType == "ssh" {
 		if *s.cfg.SSHUser == "" {
-			log.Fatalf("ssh user required")
+			err = fmt.Errorf("ssh user required")
+			return
 		}
 		if *s.cfg.SSHKeyFile == "" && *s.cfg.SSHPassword == "" {
-			log.Fatalf("ssh password or key required")
+			err = fmt.Errorf("ssh password or key required")
+			return
 		}

 		if *s.cfg.SSHPassword != "" {
@ -55,7 +77,8 @@ func (s *HTTP) CheckArgs() {
 			var SSHSigner ssh.Signer
 			s.cfg.SSHKeyBytes, err = ioutil.ReadFile(*s.cfg.SSHKeyFile)
 			if err != nil {
-				log.Fatalf("read key file ERR: %s", err)
+				err = fmt.Errorf("read key file ERR: %s", err)
+				return
 			}
 			if *s.cfg.SSHKeyFileSalt != "" {
 				SSHSigner, err = ssh.ParsePrivateKeyWithPassphrase(s.cfg.SSHKeyBytes, []byte(*s.cfg.SSHKeyFileSalt))
@ -63,28 +86,39 @@ func (s *HTTP) CheckArgs() {
 				SSHSigner, err = ssh.ParsePrivateKey(s.cfg.SSHKeyBytes)
 			}
 			if err != nil {
-				log.Fatalf("parse ssh private key fail,ERR: %s", err)
+				err = fmt.Errorf("parse ssh private key fail,ERR: %s", err)
+				return
 			}
 			s.cfg.SSHAuthMethod = ssh.PublicKeys(SSHSigner)
 		}
 	}
+	return
 }
-func (s *HTTP) InitService() {
+func (s *HTTP) InitService() (err error) {
 	s.InitBasicAuth()
 	if *s.cfg.Parent != "" {
-		s.checker = utils.NewChecker(*s.cfg.HTTPTimeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct)
+		s.checker = utils.NewChecker(*s.cfg.HTTPTimeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct, s.log)
+	}
+	if *s.cfg.DNSAddress != "" {
+		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL, s.log)
 	}
 	if *s.cfg.ParentType == "ssh" {
-		err := s.ConnectSSH()
+		err = s.ConnectSSH()
 		if err != nil {
-			log.Fatalf("init service fail, ERR: %s", err)
+			err = fmt.Errorf("init service fail, ERR: %s", err)
+			return
 		}
 		go func() {
 			//循环检查ssh网络连通性
 			for {
-				conn, err := utils.ConnectHost(*s.cfg.Parent, *s.cfg.Timeout*2)
+				if s.isStop {
+					return
+				}
+				conn, err := utils.ConnectHost(s.Resolve(*s.cfg.Parent), *s.cfg.Timeout*2)
 				if err == nil {
+					conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 					_, err = conn.Write([]byte{0})
+					conn.SetDeadline(time.Time{})
 				}
 				if err != nil {
 					if s.sshClient != nil {
@ -93,7 +127,7 @@ func (s *HTTP) InitService() {
 							s.sshClient.Conn.Close()
 						}
 					}
-					log.Printf("ssh offline, retrying...")
+					s.log.Printf("ssh offline, retrying...")
 					s.ConnectSSH()
 				} else {
 					conn.Close()
@ -102,36 +136,64 @@ func (s *HTTP) InitService() {
 			}
 		}()
 	}
+	return
 }
 func (s *HTTP) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop http(s) service crashed,%s", e)
+		} else {
+			s.log.Printf("service http(s) stoped")
+		}
+	}()
+	s.isStop = true
+	s.checker.Stop()
+	if s.sshClient != nil {
+		s.sshClient.Close()
+	}
+	for _, sc := range s.serverChannels {
+		if sc.Listener != nil && *sc.Listener != nil {
+			(*sc.Listener).Close()
+		}
+		if sc.UDPListener != nil {
+			(*sc.UDPListener).Close()
+		}
 	}
 }
-func (s *HTTP) Start(args interface{}) (err error) {
+func (s *HTTP) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(HTTPArgs)
-	s.CheckArgs()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+
+	if err = s.InitService(); err != nil {
+		return
+	}
+
 	if *s.cfg.Parent != "" {
-		log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+		s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
 		s.InitOutConnPool()
 	}
-	s.InitService()
+
 	for _, addr := range strings.Split(*s.cfg.Local, ",") {
 		if addr != "" {
 			host, port, _ := net.SplitHostPort(addr)
 			p, _ := strconv.Atoi(port)
-			sc := utils.NewServerChannel(host, p)
+			sc := utils.NewServerChannel(host, p, s.log)
 			if *s.cfg.LocalType == TYPE_TCP {
 				err = sc.ListenTCP(s.callback)
 			} else if *s.cfg.LocalType == TYPE_TLS {
-				err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.callback)
+				err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes, s.callback)
 			} else if *s.cfg.LocalType == TYPE_KCP {
-				err = sc.ListenKCP(*s.cfg.KCPMethod, *s.cfg.KCPKey, s.callback)
+				err = sc.ListenKCP(s.cfg.KCP, s.callback, s.log)
 			}
 			if err != nil {
 				return
 			}
-			log.Printf("%s http(s) proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+			s.log.Printf("%s http(s) proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+			s.serverChannels = append(s.serverChannels, &sc)
 		}
 	}
 	return
@ -143,15 +205,23 @@ func (s *HTTP) Clean() {
 func (s *HTTP) callback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("http(s) conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+			s.log.Printf("http(s) conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 		}
 	}()
+	if *s.cfg.LocalCompress {
+		inConn = utils.NewCompConn(inConn)
+	}
+	if *s.cfg.LocalKey != "" {
+		inConn = conncrypt.New(inConn, &conncrypt.Config{
+			Password: *s.cfg.LocalKey,
+		})
+	}
 	var err interface{}
 	var req utils.HTTPRequest
-	req, err = utils.NewHTTPRequest(&inConn, 4096, s.IsBasicAuth(), &s.basicAuth)
+	req, err = utils.NewHTTPRequest(&inConn, 4096, s.IsBasicAuth(), &s.basicAuth, s.log)
 	if err != nil {
 		if err != io.EOF {
-			log.Printf("decoder error , from %s, ERR:%s", inConn.RemoteAddr(), err)
+			s.log.Printf("decoder error , from %s, ERR:%s", inConn.RemoteAddr(), err)
 		}
 		utils.CloseConn(&inConn)
 		return
@ -166,22 +236,22 @@ func (s *HTTP) callback(inConn net.Conn) {
 		} else if *s.cfg.Always {
 			useProxy = true
 		} else {
-			s.checker.Add(address)
+			k := s.Resolve(address)
+			s.checker.Add(k)
 			//var n, m uint
-			useProxy, _, _ = s.checker.IsBlocked(req.Host)
-			//log.Printf("blocked ? : %v, %s , fail:%d ,success:%d", useProxy, address, n, m)
+			useProxy, _, _ = s.checker.IsBlocked(k)
+			//s.log.Printf("blocked ? : %v, %s , fail:%d ,success:%d", useProxy, address, n, m)
 		}
 	}

-	log.Printf("use proxy : %v, %s", useProxy, address)
+	s.log.Printf("use proxy : %v, %s", useProxy, address)

 	err = s.OutToTCP(useProxy, address, &inConn, &req)
-
 	if err != nil {
 		if *s.cfg.Parent == "" {
-			log.Printf("connect to %s fail, ERR:%s", address, err)
+			s.log.Printf("connect to %s fail, ERR:%s", address, err)
 		} else {
-			log.Printf("connect to %s parent %s fail", *s.cfg.ParentType, *s.cfg.Parent)
+			s.log.Printf("connect to %s parent %s fail", *s.cfg.ParentType, *s.cfg.Parent)
 		}
 		utils.CloseConn(&inConn)
 	}
@ -196,58 +266,75 @@ func (s *HTTP) OutToTCP(useProxy bool, address string, inConn *net.Conn, req *ut
 		return
 	}
 	var outConn net.Conn
-	var _outConn interface{}
 	tryCount := 0
 	maxTryCount := 5
 	for {
+		if s.isStop {
+			return
+		}
 		if useProxy {
 			if *s.cfg.ParentType == "ssh" {
 				outConn, err = s.getSSHConn(address)
 			} else {
-				//log.Printf("%v", s.outPool)
-				_outConn, err = s.outPool.Pool.Get()
-				if err == nil {
-					outConn = _outConn.(net.Conn)
-				}
+				// s.log.Printf("%v", s.outPool)
+				outConn, err = s.outPool.Get()
 			}
 		} else {
-			outConn, err = utils.ConnectHost(address, *s.cfg.Timeout)
+			outConn, err = utils.ConnectHost(s.Resolve(address), *s.cfg.Timeout)
 		}
 		tryCount++
 		if err == nil || tryCount > maxTryCount {
 			break
 		} else {
-			log.Printf("connect to %s , err:%s,retrying...", *s.cfg.Parent, err)
+			s.log.Printf("connect to %s , err:%s,retrying...", *s.cfg.Parent, err)
 			time.Sleep(time.Second * 2)
 		}
 	}
 	if err != nil {
-		log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
+		s.log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
 		utils.CloseConn(inConn)
 		return
 	}
+	if *s.cfg.ParentCompress {
+		outConn = utils.NewCompConn(outConn)
+	}
+	if *s.cfg.ParentKey != "" {
+		outConn = conncrypt.New(outConn, &conncrypt.Config{
+			Password: *s.cfg.ParentKey,
+		})
+	}

 	outAddr := outConn.RemoteAddr().String()
 	//outLocalAddr := outConn.LocalAddr().String()
-
 	if req.IsHTTPS() && (!useProxy || *s.cfg.ParentType == "ssh") {
 		//https无上级或者上级非代理,proxy需要响应connect请求,并直连目标
 		err = req.HTTPSReply()
 	} else {
 		//https或者http,上级是代理,proxy需要转发
-		_, err = outConn.Write(req.HeadBuf)
+		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+		//直连目标或上级非代理,清理HTTP头部的代理头信息
+		if !useProxy || *s.cfg.ParentType == "ssh" {
+			_, err = outConn.Write(utils.RemoveProxyHeaders(req.HeadBuf))
+		} else {
+			_, err = outConn.Write(req.HeadBuf)
+		}
+		outConn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("write to %s , err:%s", *s.cfg.Parent, err)
+			s.log.Printf("write to %s , err:%s", *s.cfg.Parent, err)
 			utils.CloseConn(inConn)
 			return
 		}
 	}

 	utils.IoBind((*inConn), outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released [%s]", inAddr, outAddr, req.Host)
-	})
-	log.Printf("conn %s - %s connected [%s]", inAddr, outAddr, req.Host)
-
+		s.log.Printf("conn %s - %s released [%s]", inAddr, outAddr, req.Host)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	s.log.Printf("conn %s - %s connected [%s]", inAddr, outAddr, req.Host)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, inConn)
 	return
 }

@ -255,7 +342,7 @@ func (s *HTTP) getSSHConn(host string) (outConn net.Conn, err interface{}) {
 	maxTryCount := 1
 	tryCount := 0
 RETRY:
-	if tryCount >= maxTryCount {
+	if tryCount >= maxTryCount || s.isStop {
 		return
 	}
 	wait := make(chan bool, 1)
@ -274,7 +361,7 @@ RETRY:
 		err = fmt.Errorf("ssh dial %s timeout", host)
 	}
 	if err != nil {
-		log.Printf("connect ssh fail, ERR: %s, retrying...", err)
+		s.log.Printf("connect ssh fail, ERR: %s, retrying...", err)
 		e := s.ConnectSSH()
 		if e == nil {
 			tryCount++
@ -304,7 +391,7 @@ func (s *HTTP) ConnectSSH() (err error) {
 	if s.sshClient != nil {
 		s.sshClient.Close()
 	}
-	s.sshClient, err = ssh.Dial("tcp", *s.cfg.Parent, &config)
+	s.sshClient, err = ssh.Dial("tcp", s.Resolve(*s.cfg.Parent), &config)
 	<-s.lockChn
 	return
 }
@ -312,24 +399,25 @@ func (s *HTTP) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP || *s.cfg.ParentType == TYPE_KCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			*s.cfg.CheckParentInterval,
 			*s.cfg.ParentType,
-			*s.cfg.KCPMethod,
-			*s.cfg.KCPKey,
-			s.cfg.CertBytes, s.cfg.KeyBytes,
-			*s.cfg.Parent,
+			s.cfg.KCP,
+			s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes,
+			s.Resolve(*s.cfg.Parent),
 			*s.cfg.Timeout,
-			*s.cfg.PoolSize,
-			*s.cfg.PoolSize*2,
 		)
 	}
 }
 func (s *HTTP) InitBasicAuth() (err error) {
-	s.basicAuth = utils.NewBasicAuth()
+	if *s.cfg.DNSAddress != "" {
+		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver, s.log)
+	} else {
+		s.basicAuth = utils.NewBasicAuth(nil, s.log)
+	}
 	if *s.cfg.AuthURL != "" {
 		s.basicAuth.SetAuthURL(*s.cfg.AuthURL, *s.cfg.AuthURLOkCode, *s.cfg.AuthURLTimeout, *s.cfg.AuthURLRetry)
-		log.Printf("auth from %s", *s.cfg.AuthURL)
+		s.log.Printf("auth from %s", *s.cfg.AuthURL)
 	}
 	if *s.cfg.AuthFile != "" {
 		var n = 0
@ -338,11 +426,11 @@ func (s *HTTP) InitBasicAuth() (err error) {
 			err = fmt.Errorf("auth-file ERR:%s", err)
 			return
 		}
-		log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
 	}
 	if len(*s.cfg.Auth) > 0 {
 		n := s.basicAuth.Add(*s.cfg.Auth)
-		log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
 	}
 	return
 }
@ -360,7 +448,11 @@ func (s *HTTP) IsDeadLoop(inLocalAddr string, host string) bool {
 	}
 	if inPort == outPort {
 		var outIPs []net.IP
-		outIPs, err = net.LookupIP(outDomain)
+		if *s.cfg.DNSAddress != "" {
+			outIPs = []net.IP{net.ParseIP(s.Resolve(outDomain))}
+		} else {
+			outIPs, err = net.LookupIP(outDomain)
+		}
 		if err == nil {
 			for _, ip := range outIPs {
 				if ip.String() == inIP {
@ -384,3 +476,13 @@ func (s *HTTP) IsDeadLoop(inLocalAddr string, host string) bool {
 	}
 	return false
 }
+func (s *HTTP) Resolve(address string) string {
+	if *s.cfg.DNSAddress == "" {
+		return address
+	}
+	ip, err := s.domainResolver.Resolve(address)
+	if err != nil {
+		s.log.Printf("dns error %s , ERR:%s", address, err)
+	}
+	return ip
+}
--- a/services/kcpcfg/args.go
+++ b/services/kcpcfg/args.go
@ -0,0 +1,24 @@
+package kcpcfg
+
+import kcp "github.com/xtaci/kcp-go"
+
+type KCPConfigArgs struct {
+	Key          *string
+	Crypt        *string
+	Mode         *string
+	MTU          *int
+	SndWnd       *int
+	RcvWnd       *int
+	DataShard    *int
+	ParityShard  *int
+	DSCP         *int
+	NoComp       *bool
+	AckNodelay   *bool
+	NoDelay      *int
+	Interval     *int
+	Resend       *int
+	NoCongestion *int
+	SockBuf      *int
+	KeepAlive    *int
+	Block        kcp.BlockCrypt
+}
--- a/services/mux_bridge.go
+++ b/services/mux_bridge.go
@ -2,135 +2,263 @@ package services

 import (
 	"bufio"
+	"fmt"
 	"io"
-	"log"
+	logger "log"
+	"math/rand"
 	"net"
-	"proxy/utils"
 	"strconv"
+	"strings"
+	"sync"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"github.com/xtaci/smux"
 )

 type MuxBridge struct {
 	cfg                MuxBridgeArgs
 	clientControlConns utils.ConcurrentMap
+	serverConns        utils.ConcurrentMap
+	router             utils.ClientKeyRouter
+	l                  *sync.Mutex
+	isStop             bool
+	sc                 *utils.ServerChannel
+	log                *logger.Logger
 }

 func NewMuxBridge() Service {
-	return &MuxBridge{
+	b := &MuxBridge{
 		cfg:                MuxBridgeArgs{},
 		clientControlConns: utils.NewConcurrentMap(),
+		serverConns:        utils.NewConcurrentMap(),
+		l:                  &sync.Mutex{},
+		isStop:             false,
 	}
+	b.router = utils.NewClientKeyRouter(&b.clientControlConns, 50000)
+	return b
 }

-func (s *MuxBridge) InitService() {
-
+func (s *MuxBridge) InitService() (err error) {
+	return
 }
-func (s *MuxBridge) CheckArgs() {
+func (s *MuxBridge) CheckArgs() (err error) {
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
-}
-func (s *MuxBridge) StopService() {
-
-}
-func (s *MuxBridge) Start(args interface{}) (err error) {
-	s.cfg = args.(MuxBridgeArgs)
-	s.CheckArgs()
-	s.InitService()
-	host, port, _ := net.SplitHostPort(*s.cfg.Local)
-	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
-
-	err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, func(inConn net.Conn) {
-		reader := bufio.NewReader(inConn)
-
-		var err error
-		var connType uint8
-		var key string
-		err = utils.ReadPacket(reader, &connType, &key)
+	if *s.cfg.LocalType == TYPE_TLS {
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
 		if err != nil {
-			log.Printf("read error,ERR:%s", err)
 			return
 		}
-		switch connType {
-		case CONN_SERVER:
-			var serverID string
-			err = utils.ReadPacketData(reader, &serverID)
-			if err != nil {
-				log.Printf("read error,ERR:%s", err)
-				return
-			}
-			log.Printf("server connection %s %s connected", serverID, key)
-			session, err := smux.Server(inConn, nil)
-			if err != nil {
-				utils.CloseConn(&inConn)
-				log.Printf("server session error,ERR:%s", err)
-				return
-			}
-			for {
-				stream, err := session.AcceptStream()
-				if err != nil {
-					session.Close()
-					utils.CloseConn(&inConn)
-					return
-				}
-				go s.callback(stream, serverID, key)
-			}
-		case CONN_CLIENT:
-
-			log.Printf("client connection %s connected", key)
-			session, err := smux.Client(inConn, nil)
-			if err != nil {
-				utils.CloseConn(&inConn)
-				log.Printf("client session error,ERR:%s", err)
-				return
-			}
-			s.clientControlConns.Set(key, session)
-			go func() {
-				for {
-					if session.IsClosed() {
-						s.clientControlConns.Remove(key)
-						break
-					}
-					time.Sleep(time.Second * 5)
-				}
-			}()
-			//log.Printf("set client session,key: %s", key)
+	}
+	return
+}
+func (s *MuxBridge) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop bridge service crashed,%s", e)
+		} else {
+			s.log.Printf("service bridge stoped")
 		}
+	}()
+	s.isStop = true
+	if s.sc != nil && (*s.sc).Listener != nil {
+		(*(*s.sc).Listener).Close()
+	}
+	for _, g := range s.clientControlConns.Items() {
+		for _, session := range g.(utils.ConcurrentMap).Items() {
+			(session.(*smux.Session)).Close()
+		}
+	}
+	for _, c := range s.serverConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
+}
+func (s *MuxBridge) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
+	s.cfg = args.(MuxBridgeArgs)
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}

-	})
+	host, port, _ := net.SplitHostPort(*s.cfg.Local)
+	p, _ := strconv.Atoi(port)
+	sc := utils.NewServerChannel(host, p, s.log)
+	if *s.cfg.LocalType == TYPE_TCP {
+		err = sc.ListenTCP(s.handler)
+	} else if *s.cfg.LocalType == TYPE_TLS {
+		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.handler)
+	} else if *s.cfg.LocalType == TYPE_KCP {
+		err = sc.ListenKCP(s.cfg.KCP, s.handler, s.log)
+	}
 	if err != nil {
 		return
 	}
-	log.Printf("proxy on mux bridge mode %s", (*sc.Listener).Addr())
+	s.sc = &sc
+	s.log.Printf("%s bridge on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
 	return
 }
 func (s *MuxBridge) Clean() {
 	s.StopService()
 }
+func (s *MuxBridge) handler(inConn net.Conn) {
+	reader := bufio.NewReader(inConn)
+
+	var err error
+	var connType uint8
+	var key string
+	inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+	err = utils.ReadPacket(reader, &connType, &key)
+	inConn.SetDeadline(time.Time{})
+	if err != nil {
+		s.log.Printf("read error,ERR:%s", err)
+		return
+	}
+	switch connType {
+	case CONN_SERVER:
+		var serverID string
+		inAddr := inConn.RemoteAddr().String()
+		inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+		err = utils.ReadPacketData(reader, &serverID)
+		inConn.SetDeadline(time.Time{})
+		if err != nil {
+			s.log.Printf("read error,ERR:%s", err)
+			return
+		}
+		s.log.Printf("server connection %s %s connected", serverID, key)
+		if c, ok := s.serverConns.Get(inAddr); ok {
+			(*c.(*net.Conn)).Close()
+		}
+		s.serverConns.Set(inAddr, &inConn)
+		session, err := smux.Server(inConn, nil)
+		if err != nil {
+			utils.CloseConn(&inConn)
+			s.log.Printf("server session error,ERR:%s", err)
+			return
+		}
+		for {
+			if s.isStop {
+				return
+			}
+			stream, err := session.AcceptStream()
+			if err != nil {
+				session.Close()
+				utils.CloseConn(&inConn)
+				s.serverConns.Remove(inAddr)
+				s.log.Printf("server connection %s %s released", serverID, key)
+				return
+			}
+			go func() {
+				defer func() {
+					if e := recover(); e != nil {
+						s.log.Printf("bridge callback crashed,err: %s", e)
+					}
+				}()
+				s.callback(stream, serverID, key)
+			}()
+		}
+	case CONN_CLIENT:
+		s.log.Printf("client connection %s connected", key)
+		session, err := smux.Client(inConn, nil)
+		if err != nil {
+			utils.CloseConn(&inConn)
+			s.log.Printf("client session error,ERR:%s", err)
+			return
+		}
+		keyInfo := strings.Split(key, "-")
+		if len(keyInfo) != 2 {
+			utils.CloseConn(&inConn)
+			s.log.Printf("client key format error,key:%s", key)
+			return
+		}
+		groupKey := keyInfo[0]
+		index := keyInfo[1]
+		s.l.Lock()
+		defer s.l.Unlock()
+		if !s.clientControlConns.Has(groupKey) {
+			item := utils.NewConcurrentMap()
+			s.clientControlConns.Set(groupKey, &item)
+		}
+		_group, _ := s.clientControlConns.Get(groupKey)
+		group := _group.(*utils.ConcurrentMap)
+		if v, ok := group.Get(index); ok {
+			v.(*smux.Session).Close()
+		}
+		group.Set(index, session)
+		// s.clientControlConns.Set(key, session)
+		go func() {
+			for {
+				if s.isStop {
+					return
+				}
+				if session.IsClosed() {
+					s.l.Lock()
+					defer s.l.Unlock()
+					if sess, ok := group.Get(index); ok && sess.(*smux.Session).IsClosed() {
+						group.Remove(index)
+						s.log.Printf("client connection %s released", key)
+					}
+					if group.IsEmpty() {
+						s.clientControlConns.Remove(groupKey)
+					}
+					break
+				}
+				time.Sleep(time.Second * 5)
+			}
+		}()
+		//s.log.Printf("set client session,key: %s", key)
+	}
+
+}
 func (s *MuxBridge) callback(inConn net.Conn, serverID, key string) {
 	try := 20
 	for {
+		if s.isStop {
+			return
+		}
 		try--
 		if try == 0 {
 			break
 		}
-		session, ok := s.clientControlConns.Get(key)
+		if key == "*" {
+			key = s.router.GetKey()
+		}
+		_group, ok := s.clientControlConns.Get(key)
 		if !ok {
-			log.Printf("client %s session not exists for server stream %s", key, serverID)
+			s.log.Printf("client %s session not exists for server stream %s, retrying...", key, serverID)
 			time.Sleep(time.Second * 3)
 			continue
 		}
+		group := _group.(*utils.ConcurrentMap)
+		keys := group.Keys()
+		keysLen := len(keys)
+		i := 0
+		if keysLen > 0 {
+			i = rand.Intn(keysLen)
+		} else {
+			s.log.Printf("client %s session empty for server stream %s, retrying...", key, serverID)
+			time.Sleep(time.Second * 3)
+			continue
+		}
+		index := keys[i]
+		s.log.Printf("select client : %s-%s", key, index)
+		session, _ := group.Get(index)
+		session.(*smux.Session).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		stream, err := session.(*smux.Session).OpenStream()
+		session.(*smux.Session).SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("%s client session open stream %s fail, err: %s, retrying...", key, serverID, err)
+			s.log.Printf("%s client session open stream %s fail, err: %s, retrying...", key, serverID, err)
 			time.Sleep(time.Second * 3)
 			continue
 		} else {
-			log.Printf("%s server %s stream created", key, serverID)
+			s.log.Printf("stream %s -> %s created", serverID, key)
 			die1 := make(chan bool, 1)
 			die2 := make(chan bool, 1)
 			go func() {
@ -147,7 +275,7 @@ func (s *MuxBridge) callback(inConn net.Conn, serverID, key string) {
 			}
 			stream.Close()
 			inConn.Close()
-			log.Printf("%s server %s stream released", key, serverID)
+			s.log.Printf("%s server %s stream released", key, serverID)
 			break
 		}
 	}
--- a/services/mux_client.go
+++ b/services/mux_client.go
@ -2,117 +2,208 @@ package services

 import (
 	"crypto/tls"
+	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"github.com/golang/snappy"
 	"github.com/xtaci/smux"
 )

 type MuxClient struct {
-	cfg MuxClientArgs
+	cfg      MuxClientArgs
+	isStop   bool
+	sessions utils.ConcurrentMap
+	log      *logger.Logger
 }

 func NewMuxClient() Service {
 	return &MuxClient{
-		cfg: MuxClientArgs{},
+		cfg:      MuxClientArgs{},
+		isStop:   false,
+		sessions: utils.NewConcurrentMap(),
 	}
 }

-func (s *MuxClient) InitService() {
-
+func (s *MuxClient) InitService() (err error) {
+	return
 }

-func (s *MuxClient) CheckArgs() {
+func (s *MuxClient) CheckArgs() (err error) {
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use tls parent %s", *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	if *s.cfg.ParentType == "tls" {
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
+	}
+	return
 }
 func (s *MuxClient) StopService() {
-
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop client service crashed,%s", e)
+		} else {
+			s.log.Printf("service client stoped")
+		}
+	}()
+	s.isStop = true
+	for _, sess := range s.sessions.Items() {
+		sess.(*smux.Session).Close()
+	}
 }
-func (s *MuxClient) Start(args interface{}) (err error) {
+func (s *MuxClient) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxClientArgs)
-	s.CheckArgs()
-	s.InitService()
-	log.Printf("proxy on mux client mode, compress %v", *s.cfg.IsCompress)
-	for {
-		var _conn tls.Conn
-		_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes)
-		if err != nil {
-			log.Printf("connection err: %s, retrying...", err)
-			time.Sleep(time.Second * 3)
-			continue
-		}
-		conn := net.Conn(&_conn)
-		_, err = conn.Write(utils.BuildPacket(CONN_CLIENT, *s.cfg.Key))
-		if err != nil {
-			conn.Close()
-			log.Printf("connection err: %s, retrying...", err)
-			time.Sleep(time.Second * 3)
-			continue
-		}
-		session, err := smux.Server(conn, nil)
-		if err != nil {
-			log.Printf("session err: %s, retrying...", err)
-			conn.Close()
-			time.Sleep(time.Second * 3)
-			continue
-		}
-		for {
-			stream, err := session.AcceptStream()
-			if err != nil {
-				log.Printf("accept stream err: %s, retrying...", err)
-				session.Close()
-				time.Sleep(time.Second * 3)
-				break
-			}
-			go func() {
-				var ID, clientLocalAddr, serverID string
-				err = utils.ReadPacketData(stream, &ID, &clientLocalAddr, &serverID)
-				if err != nil {
-					log.Printf("read stream signal err: %s", err)
-					stream.Close()
-					return
-				}
-				log.Printf("signal revecived,server %s stream %s %s", serverID, ID, clientLocalAddr)
-				protocol := clientLocalAddr[:3]
-				localAddr := clientLocalAddr[4:]
-				if protocol == "udp" {
-					s.ServeUDP(stream, localAddr, ID)
-				} else {
-					s.ServeConn(stream, localAddr, ID)
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("client started")
+	count := 1
+	if *s.cfg.SessionCount > 0 {
+		count = *s.cfg.SessionCount
+	}
+	for i := 1; i <= count; i++ {
+		key := fmt.Sprintf("worker[%d]", i)
+		s.log.Printf("session %s started", key)
+		go func(i int) {
+			defer func() {
+				e := recover()
+				if e != nil {
+					s.log.Printf("session worker crashed: %s", e)
 				}
 			}()
-		}
+			for {
+				if s.isStop {
+					return
+				}
+				conn, err := s.getParentConn()
+				if err != nil {
+					s.log.Printf("connection err: %s, retrying...", err)
+					time.Sleep(time.Second * 3)
+					continue
+				}
+				conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+				_, err = conn.Write(utils.BuildPacket(CONN_CLIENT, fmt.Sprintf("%s-%d", *s.cfg.Key, i)))
+				conn.SetDeadline(time.Time{})
+				if err != nil {
+					conn.Close()
+					s.log.Printf("connection err: %s, retrying...", err)
+					time.Sleep(time.Second * 3)
+					continue
+				}
+				session, err := smux.Server(conn, nil)
+				if err != nil {
+					s.log.Printf("session err: %s, retrying...", err)
+					conn.Close()
+					time.Sleep(time.Second * 3)
+					continue
+				}
+				if _sess, ok := s.sessions.Get(key); ok {
+					_sess.(*smux.Session).Close()
+				}
+				s.sessions.Set(key, session)
+				for {
+					if s.isStop {
+						return
+					}
+					stream, err := session.AcceptStream()
+					if err != nil {
+						s.log.Printf("accept stream err: %s, retrying...", err)
+						session.Close()
+						time.Sleep(time.Second * 3)
+						break
+					}
+					go func() {
+						defer func() {
+							e := recover()
+							if e != nil {
+								s.log.Printf("stream handler crashed: %s", e)
+							}
+						}()
+						var ID, clientLocalAddr, serverID string
+						stream.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+						err = utils.ReadPacketData(stream, &ID, &clientLocalAddr, &serverID)
+						stream.SetDeadline(time.Time{})
+						if err != nil {
+							s.log.Printf("read stream signal err: %s", err)
+							stream.Close()
+							return
+						}
+						s.log.Printf("worker[%d] signal revecived,server %s stream %s %s", i, serverID, ID, clientLocalAddr)
+						protocol := clientLocalAddr[:3]
+						localAddr := clientLocalAddr[4:]
+						if protocol == "udp" {
+							s.ServeUDP(stream, localAddr, ID)
+						} else {
+							s.ServeConn(stream, localAddr, ID)
+						}
+					}()
+				}
+			}
+		}(i)
 	}
-
+	return
 }
 func (s *MuxClient) Clean() {
 	s.StopService()
 }
-
+func (s *MuxClient) getParentConn() (conn net.Conn, err error) {
+	if *s.cfg.ParentType == "tls" {
+		var _conn tls.Conn
+		_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
+		if err == nil {
+			conn = net.Conn(&_conn)
+		}
+	} else if *s.cfg.ParentType == "kcp" {
+		conn, err = utils.ConnectKCPHost(*s.cfg.Parent, s.cfg.KCP)
+	} else {
+		conn, err = utils.ConnectHost(*s.cfg.Parent, *s.cfg.Timeout)
+	}
+	return
+}
 func (s *MuxClient) ServeUDP(inConn *smux.Stream, localAddr, ID string) {

 	for {
+		if s.isStop {
+			return
+		}
+		inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		srcAddr, body, err := utils.ReadUDPPacket(inConn)
+		inConn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("udp packet revecived fail, err: %s", err)
-			log.Printf("connection %s released", ID)
+			s.log.Printf("udp packet revecived fail, err: %s", err)
+			s.log.Printf("connection %s released", ID)
 			inConn.Close()
 			break
 		} else {
-			//log.Printf("udp packet revecived:%s,%v", srcAddr, body)
-			go s.processUDPPacket(inConn, srcAddr, localAddr, body)
+			//s.log.Printf("udp packet revecived:%s,%v", srcAddr, body)
+			go func() {
+				defer func() {
+					if e := recover(); e != nil {
+						s.log.Printf("client processUDPPacket crashed,err: %s", e)
+					}
+				}()
+				s.processUDPPacket(inConn, srcAddr, localAddr, body)
+			}()
+
 		}

 	}
@ -121,52 +212,60 @@ func (s *MuxClient) ServeUDP(inConn *smux.Stream, localAddr, ID string) {
 func (s *MuxClient) processUDPPacket(inConn *smux.Stream, srcAddr, localAddr string, body []byte) {
 	dstAddr, err := net.ResolveUDPAddr("udp", localAddr)
 	if err != nil {
-		log.Printf("can't resolve address: %s", err)
+		s.log.Printf("can't resolve address: %s", err)
 		inConn.Close()
 		return
 	}
 	clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 	if err != nil {
-		log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = conn.Write(body)
+	conn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("send udp packet to %s success", dstAddr.String())
+	//s.log.Printf("send udp packet to %s success", dstAddr.String())
 	buf := make([]byte, 1024)
+	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	length, _, err := conn.ReadFromUDP(buf)
+	conn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	respBody := buf[0:length]
-	//log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
+	//s.log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 	bs := utils.UDPPacket(srcAddr, respBody)
+	(*inConn).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = (*inConn).Write(bs)
+	(*inConn).SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("send udp response fail ,ERR:%s", err)
+		s.log.Printf("send udp response fail ,ERR:%s", err)
 		inConn.Close()
 		return
 	}
-	//log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
+	//s.log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
 }
 func (s *MuxClient) ServeConn(inConn *smux.Stream, localAddr, ID string) {
 	var err error
 	var outConn net.Conn
 	i := 0
 	for {
+		if s.isStop {
+			return
+		}
 		i++
 		outConn, err = utils.ConnectHost(localAddr, *s.cfg.Timeout)
 		if err == nil || i == 3 {
 			break
 		} else {
 			if i == 3 {
-				log.Printf("connect to %s err: %s, retrying...", localAddr, err)
+				s.log.Printf("connect to %s err: %s, retrying...", localAddr, err)
 				time.Sleep(2 * time.Second)
 				continue
 			}
@ -175,11 +274,11 @@ func (s *MuxClient) ServeConn(inConn *smux.Stream, localAddr, ID string) {
 	if err != nil {
 		inConn.Close()
 		utils.CloseConn(&outConn)
-		log.Printf("build connection error, err: %s", err)
+		s.log.Printf("build connection error, err: %s", err)
 		return
 	}

-	log.Printf("stream %s created", ID)
+	s.log.Printf("stream %s created", ID)
 	if *s.cfg.IsCompress {
 		die1 := make(chan bool, 1)
 		die2 := make(chan bool, 1)
@ -197,10 +296,10 @@ func (s *MuxClient) ServeConn(inConn *smux.Stream, localAddr, ID string) {
 		}
 		outConn.Close()
 		inConn.Close()
-		log.Printf("%s stream %s released", *s.cfg.Key, ID)
+		s.log.Printf("%s stream %s released", *s.cfg.Key, ID)
 	} else {
 		utils.IoBind(inConn, outConn, func(err interface{}) {
-			log.Printf("stream %s released", ID)
-		})
+			s.log.Printf("stream %s released", ID)
+		}, s.log)
 	}
 }
--- a/services/mux_server.go
+++ b/services/mux_server.go
@ -4,31 +4,37 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
+	"math/rand"
 	"net"
-	"proxy/utils"
 	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"github.com/golang/snappy"
 	"github.com/xtaci/smux"
 )

 type MuxServer struct {
-	cfg     MuxServerArgs
-	udpChn  chan MuxUDPItem
-	sc      utils.ServerChannel
-	session *smux.Session
-	lockChn chan bool
+	cfg      MuxServerArgs
+	udpChn   chan MuxUDPItem
+	sc       utils.ServerChannel
+	sessions utils.ConcurrentMap
+	lockChn  chan bool
+	isStop   bool
+	udpConn  *net.Conn
+	log      *logger.Logger
 }

 type MuxServerManager struct {
 	cfg      MuxServerArgs
 	udpChn   chan MuxUDPItem
-	sc       utils.ServerChannel
 	serverID string
+	servers  []*Service
+	log      *logger.Logger
 }

 func NewMuxServerManager() Service {
@ -36,21 +42,29 @@ func NewMuxServerManager() Service {
 		cfg:      MuxServerArgs{},
 		udpChn:   make(chan MuxUDPItem, 50000),
 		serverID: utils.Uniqueid(),
+		servers:  []*Service{},
 	}
 }
-func (s *MuxServerManager) Start(args interface{}) (err error) {
+
+func (s *MuxServerManager) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxServerArgs)
-	s.CheckArgs()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}

-	s.InitService()
+	if err = s.InitService(); err != nil {
+		return
+	}

-	log.Printf("server id: %s", s.serverID)
-	//log.Printf("route:%v", *s.cfg.Route)
+	s.log.Printf("server id: %s", s.serverID)
+	//s.log.Printf("route:%v", *s.cfg.Route)
 	for _, _info := range *s.cfg.Route {
 		if _info == "" {
 			continue
@ -63,6 +77,7 @@ func (s *MuxServerManager) Start(args interface{}) (err error) {
 		info = strings.TrimPrefix(info, "tcp://")
 		_routeInfo := strings.Split(info, "@")
 		server := NewMuxServer()
+
 		local := _routeInfo[0]
 		remote := _routeInfo[1]
 		KEY := *s.cfg.Key
@ -74,23 +89,27 @@ func (s *MuxServerManager) Start(args interface{}) (err error) {
 			remote = fmt.Sprintf("127.0.0.1%s", remote)
 		}
 		err = server.Start(MuxServerArgs{
-			CertBytes:  s.cfg.CertBytes,
-			KeyBytes:   s.cfg.KeyBytes,
-			Parent:     s.cfg.Parent,
-			CertFile:   s.cfg.CertFile,
-			KeyFile:    s.cfg.KeyFile,
-			Local:      &local,
-			IsUDP:      &IsUDP,
-			Remote:     &remote,
-			Key:        &KEY,
-			Timeout:    s.cfg.Timeout,
-			Mgr:        s,
-			IsCompress: s.cfg.IsCompress,
-		})
+			CertBytes:    s.cfg.CertBytes,
+			KeyBytes:     s.cfg.KeyBytes,
+			Parent:       s.cfg.Parent,
+			CertFile:     s.cfg.CertFile,
+			KeyFile:      s.cfg.KeyFile,
+			Local:        &local,
+			IsUDP:        &IsUDP,
+			Remote:       &remote,
+			Key:          &KEY,
+			Timeout:      s.cfg.Timeout,
+			Mgr:          s,
+			IsCompress:   s.cfg.IsCompress,
+			SessionCount: s.cfg.SessionCount,
+			KCP:          s.cfg.KCP,
+			ParentType:   s.cfg.ParentType,
+		}, log)

 		if err != nil {
 			return
 		}
+		s.servers = append(s.servers, &server)
 	}
 	return
 }
@ -98,21 +117,34 @@ func (s *MuxServerManager) Clean() {
 	s.StopService()
 }
 func (s *MuxServerManager) StopService() {
-}
-func (s *MuxServerManager) CheckArgs() {
-	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+	for _, server := range s.servers {
+		(*server).Clean()
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
 }
-func (s *MuxServerManager) InitService() {
+func (s *MuxServerManager) CheckArgs() (err error) {
+	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
+		err = fmt.Errorf("cert and key file required")
+		return
+	}
+	if *s.cfg.ParentType == "tls" {
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+func (s *MuxServerManager) InitService() (err error) {
+	return
 }

 func NewMuxServer() Service {
 	return &MuxServer{
-		cfg:     MuxServerArgs{},
-		udpChn:  make(chan MuxUDPItem, 50000),
-		lockChn: make(chan bool, 1),
+		cfg:      MuxServerArgs{},
+		udpChn:   make(chan MuxUDPItem, 50000),
+		lockChn:  make(chan bool, 1),
+		sessions: utils.NewConcurrentMap(),
+		isStop:   false,
 	}
 }

@ -122,22 +154,53 @@ type MuxUDPItem struct {
 	srcAddr   *net.UDPAddr
 }

-func (s *MuxServer) InitService() {
-	s.UDPConnDeamon()
-}
-func (s *MuxServer) CheckArgs() {
-	if *s.cfg.Remote == "" {
-		log.Fatalf("remote required")
+func (s *MuxServer) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop server service crashed,%s", e)
+		} else {
+			s.log.Printf("service server stoped")
+		}
+	}()
+	s.isStop = true
+	for _, sess := range s.sessions.Items() {
+		sess.(*smux.Session).Close()
+	}
+	if s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
+	}
+	if s.udpConn != nil {
+		(*s.udpConn).Close()
 	}
 }
+func (s *MuxServer) InitService() (err error) {
+	s.UDPConnDeamon()
+	return
+}
+func (s *MuxServer) CheckArgs() (err error) {
+	if *s.cfg.Remote == "" {
+		err = fmt.Errorf("remote required")
+		return
+	}
+	return
+}

-func (s *MuxServer) Start(args interface{}) (err error) {
+func (s *MuxServer) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxServerArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	s.sc = utils.NewServerChannel(host, p)
+	s.sc = utils.NewServerChannel(host, p, s.log)
 	if *s.cfg.IsUDP {
 		err = s.sc.ListenUDP(func(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 			s.udpChn <- MuxUDPItem{
@ -149,28 +212,31 @@ func (s *MuxServer) Start(args interface{}) (err error) {
 		if err != nil {
 			return
 		}
-		log.Printf("proxy on udp mux server mode %s", (*s.sc.UDPListener).LocalAddr())
+		s.log.Printf("server on %s", (*s.sc.UDPListener).LocalAddr())
 	} else {
 		err = s.sc.ListenTCP(func(inConn net.Conn) {
 			defer func() {
 				if err := recover(); err != nil {
-					log.Printf("connection handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+					s.log.Printf("connection handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 				}
 			}()
 			var outConn net.Conn
 			var ID string
 			for {
+				if s.isStop {
+					return
+				}
 				outConn, ID, err = s.GetOutConn()
 				if err != nil {
 					utils.CloseConn(&outConn)
-					log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+					s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 					time.Sleep(time.Second * 3)
 					continue
 				} else {
 					break
 				}
 			}
-			log.Printf("%s stream %s created", *s.cfg.Key, ID)
+			s.log.Printf("%s stream %s created", *s.cfg.Key, ID)
 			if *s.cfg.IsCompress {
 				die1 := make(chan bool, 1)
 				die2 := make(chan bool, 1)
@ -188,27 +254,31 @@ func (s *MuxServer) Start(args interface{}) (err error) {
 				}
 				outConn.Close()
 				inConn.Close()
-				log.Printf("%s stream %s released", *s.cfg.Key, ID)
+				s.log.Printf("%s stream %s released", *s.cfg.Key, ID)
 			} else {
 				utils.IoBind(inConn, outConn, func(err interface{}) {
-					log.Printf("%s stream %s released", *s.cfg.Key, ID)
-				})
+					s.log.Printf("%s stream %s released", *s.cfg.Key, ID)
+				}, s.log)
 			}
 		})
 		if err != nil {
 			return
 		}
-		log.Printf("proxy on mux server mode %s, compress %v", (*s.sc.Listener).Addr(), *s.cfg.IsCompress)
+		s.log.Printf("server on %s", (*s.sc.Listener).Addr())
 	}
 	return
 }
 func (s *MuxServer) Clean() {
-
+	s.StopService()
 }
 func (s *MuxServer) GetOutConn() (outConn net.Conn, ID string, err error) {
-	outConn, err = s.GetConn()
+	i := 1
+	if *s.cfg.SessionCount > 0 {
+		i = rand.Intn(*s.cfg.SessionCount)
+	}
+	outConn, err = s.GetConn(fmt.Sprintf("%d", i))
 	if err != nil {
-		log.Printf("connection err: %s", err)
+		s.log.Printf("connection err: %s", err)
 		return
 	}
 	remoteAddr := "tcp:" + *s.cfg.Remote
@ -216,15 +286,17 @@ func (s *MuxServer) GetOutConn() (outConn net.Conn, ID string, err error) {
 		remoteAddr = "udp:" + *s.cfg.Remote
 	}
 	ID = utils.Uniqueid()
+	outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = outConn.Write(utils.BuildPacketData(ID, remoteAddr, s.cfg.Mgr.serverID))
+	outConn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("write stream data err: %s ,retrying...", err)
+		s.log.Printf("write stream data err: %s ,retrying...", err)
 		utils.CloseConn(&outConn)
 		return
 	}
 	return
 }
-func (s *MuxServer) GetConn() (conn net.Conn, err error) {
+func (s *MuxServer) GetConn(index string) (conn net.Conn, err error) {
 	select {
 	case s.lockChn <- true:
 	default:
@ -234,84 +306,133 @@ func (s *MuxServer) GetConn() (conn net.Conn, err error) {
 	defer func() {
 		<-s.lockChn
 	}()
-	if s.session == nil {
-		var _conn tls.Conn
-		_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes)
+	var session *smux.Session
+	_session, ok := s.sessions.Get(index)
+	if !ok {
+		var c net.Conn
+		c, err = s.getParentConn()
 		if err != nil {
-			s.session = nil
 			return
 		}
-		c := net.Conn(&_conn)
+		c.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = c.Write(utils.BuildPacket(CONN_SERVER, *s.cfg.Key, s.cfg.Mgr.serverID))
+		c.SetDeadline(time.Time{})
 		if err != nil {
 			c.Close()
-			s.session = nil
 			return
 		}
 		if err == nil {
-			s.session, err = smux.Client(c, nil)
+			session, err = smux.Client(c, nil)
 			if err != nil {
-				s.session = nil
 				return
 			}
 		}
+		if _sess, ok := s.sessions.Get(index); ok {
+			_sess.(*smux.Session).Close()
+		}
+		s.sessions.Set(index, session)
+		s.log.Printf("session[%s] created", index)
+		go func() {
+			for {
+				if s.isStop {
+					return
+				}
+				if session.IsClosed() {
+					s.sessions.Remove(index)
+					break
+				}
+				time.Sleep(time.Second * 5)
+			}
+		}()
+	} else {
+		session = _session.(*smux.Session)
 	}
-	conn, err = s.session.OpenStream()
+	conn, err = session.OpenStream()
 	if err != nil {
-		s.session.Close()
-		s.session = nil
+		session.Close()
+		s.sessions.Remove(index)
+	}
+	return
+}
+func (s *MuxServer) getParentConn() (conn net.Conn, err error) {
+	if *s.cfg.ParentType == "tls" {
+		var _conn tls.Conn
+		_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
+		if err == nil {
+			conn = net.Conn(&_conn)
+		}
+	} else if *s.cfg.ParentType == "kcp" {
+		conn, err = utils.ConnectKCPHost(*s.cfg.Parent, s.cfg.KCP)
+	} else {
+		conn, err = utils.ConnectHost(*s.cfg.Parent, *s.cfg.Timeout)
 	}
-
 	return
 }
 func (s *MuxServer) UDPConnDeamon() {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
-				log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+				s.log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 			}
 		}()
 		var outConn net.Conn
 		var ID string
 		var err error
 		for {
+			if s.isStop {
+				return
+			}
 			item := <-s.udpChn
 		RETRY:
+			if s.isStop {
+				return
+			}
 			if outConn == nil {
 				for {
+					if s.isStop {
+						return
+					}
 					outConn, ID, err = s.GetOutConn()
 					if err != nil {
 						outConn = nil
 						utils.CloseConn(&outConn)
-						log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+						s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 						time.Sleep(time.Second * 3)
 						continue
 					} else {
 						go func(outConn net.Conn, ID string) {
-							go func() {
-								// outConn.Close()
-							}()
+							if s.udpConn != nil {
+								(*s.udpConn).Close()
+							}
+							s.udpConn = &outConn
 							for {
+								if s.isStop {
+									return
+								}
+								outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 								srcAddrFromConn, body, err := utils.ReadUDPPacket(outConn)
+								outConn.SetDeadline(time.Time{})
 								if err != nil {
-									log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
-									log.Printf("UDP deamon connection %s exited", ID)
+									s.log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
+									s.log.Printf("UDP deamon connection %s exited", ID)
 									break
 								}
-								//log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
+								//s.log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
 								_srcAddr := strings.Split(srcAddrFromConn, ":")
 								if len(_srcAddr) != 2 {
-									log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
+									s.log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
 									continue
 								}
 								port, _ := strconv.Atoi(_srcAddr[1])
 								dstAddr := &net.UDPAddr{IP: net.ParseIP(_srcAddr[0]), Port: port}
+								s.sc.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 								_, err = s.sc.UDPListener.WriteToUDP(body, dstAddr)
+								s.sc.UDPListener.SetDeadline(time.Time{})
 								if err != nil {
-									log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
+									s.log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
 									continue
 								}
-								//log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
+								//s.log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
 							}
 						}(outConn, ID)
 						break
@ -324,10 +445,10 @@ func (s *MuxServer) UDPConnDeamon() {
 			if err != nil {
 				utils.CloseConn(&outConn)
 				outConn = nil
-				log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
+				s.log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
 				goto RETRY
 			}
-			//log.Printf("write packet %v", *item.packet)
+			//s.log.Printf("write packet %v", *item.packet)
 		}
 	}()
 }
--- a/services/service.go
+++ b/services/service.go
@ -2,50 +2,62 @@ package services

 import (
 	"fmt"
-	"log"
+	logger "log"
 	"runtime/debug"
 )

 type Service interface {
-	Start(args interface{}) (err error)
+	Start(args interface{}, log *logger.Logger) (err error)
 	Clean()
 }
 type ServiceItem struct {
 	S    Service
 	Args interface{}
 	Name string
+	Log  *logger.Logger
 }

 var servicesMap = map[string]*ServiceItem{}

-func Regist(name string, s Service, args interface{}) {
+func Regist(name string, s Service, args interface{}, log *logger.Logger) {
+	Stop(name)
 	servicesMap[name] = &ServiceItem{
 		S:    s,
 		Args: args,
 		Name: name,
+		Log:  log,
 	}
 }
-func Run(name string, args ...interface{}) (service *ServiceItem, err error) {
+func GetService(name string) *ServiceItem {
+	if s, ok := servicesMap[name]; ok && s.S != nil {
+		return s
+	}
+	return nil
+
+}
+func Stop(name string) {
+	if s, ok := servicesMap[name]; ok && s.S != nil {
+		s.S.Clean()
+	}
+}
+func Run(name string, args interface{}) (service *ServiceItem, err error) {
 	service, ok := servicesMap[name]
 	if ok {
-		go func() {
-			defer func() {
-				err := recover()
-				if err != nil {
-					log.Fatalf("%s servcie crashed, ERR: %s\ntrace:%s", name, err, string(debug.Stack()))
-				}
-			}()
-			if len(args) == 1 {
-				err = service.S.Start(args[0])
-			} else {
-				err = service.S.Start(service.Args)
-			}
-			if err != nil {
-				log.Fatalf("%s servcie fail, ERR: %s", name, err)
+		defer func() {
+			e := recover()
+			if e != nil {
+				err = fmt.Errorf("%s servcie crashed, ERR: %s\ntrace:%s", name, e, string(debug.Stack()))
 			}
 		}()
-	}
-	if !ok {
+		if args != nil {
+			err = service.S.Start(args, service.Log)
+		} else {
+			err = service.S.Start(service.Args, service.Log)
+		}
+		if err != nil {
+			err = fmt.Errorf("%s servcie fail, ERR: %s", name, err)
+		}
+	} else {
 		err = fmt.Errorf("service %s not found", name)
 	}
 	return
--- a/services/socks.go
+++ b/services/socks.go
@ -4,25 +4,32 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
-	"proxy/utils/aes"
-	"proxy/utils/socks"
 	"runtime/debug"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils"
+	"github.com/snail007/goproxy/utils/aes"
+	"github.com/snail007/goproxy/utils/conncrypt"
+	"github.com/snail007/goproxy/utils/socks"
+
 	"golang.org/x/crypto/ssh"
 )

 type Socks struct {
-	cfg       SocksArgs
-	checker   utils.Checker
-	basicAuth utils.BasicAuth
-	sshClient *ssh.Client
-	lockChn   chan bool
-	udpSC     utils.ServerChannel
+	cfg            SocksArgs
+	checker        utils.Checker
+	basicAuth      utils.BasicAuth
+	sshClient      *ssh.Client
+	lockChn        chan bool
+	udpSC          utils.ServerChannel
+	sc             *utils.ServerChannel
+	domainResolver utils.DomainResolver
+	isStop         bool
+	userConns      utils.ConcurrentMap
+	log            *logger.Logger
 }

 func NewSocks() Service {
@ -31,27 +38,50 @@ func NewSocks() Service {
 		checker:   utils.Checker{},
 		basicAuth: utils.BasicAuth{},
 		lockChn:   make(chan bool, 1),
+		isStop:    false,
+		userConns: utils.NewConcurrentMap(),
 	}
 }

-func (s *Socks) CheckArgs() {
-	var err error
-	if *s.cfg.LocalType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+func (s *Socks) CheckArgs() (err error) {
+
+	if *s.cfg.LocalType == "tls" || (*s.cfg.Parent != "" && *s.cfg.ParentType == "tls") {
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
+		if *s.cfg.CaCertFile != "" {
+			s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
+			if err != nil {
+				err = fmt.Errorf("read ca file error,ERR:%s", err)
+				return
+			}
+		}
 	}
 	if *s.cfg.Parent != "" {
 		if *s.cfg.ParentType == "" {
-			log.Fatalf("parent type unkown,use -T <tls|tcp|ssh>")
+			err = fmt.Errorf("parent type unkown,use -T <tls|tcp|ssh|kcp>")
+			return
 		}
-		if *s.cfg.ParentType == "tls" {
-			s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		host, _, e := net.SplitHostPort(*s.cfg.Parent)
+		if e != nil {
+			err = fmt.Errorf("parent format error : %s", e)
+			return
+		}
+		if *s.cfg.UDPParent == "" {
+			*s.cfg.UDPParent = net.JoinHostPort(host, "33090")
+		}
+		if strings.HasPrefix(*s.cfg.UDPParent, ":") {
+			*s.cfg.UDPParent = net.JoinHostPort(host, strings.TrimLeft(*s.cfg.UDPParent, ":"))
 		}
 		if *s.cfg.ParentType == "ssh" {
 			if *s.cfg.SSHUser == "" {
-				log.Fatalf("ssh user required")
+				err = fmt.Errorf("ssh user required")
+				return
 			}
 			if *s.cfg.SSHKeyFile == "" && *s.cfg.SSHPassword == "" {
-				log.Fatalf("ssh password or key required")
+				err = fmt.Errorf("ssh password or key required")
+				return
 			}
 			if *s.cfg.SSHPassword != "" {
 				s.cfg.SSHAuthMethod = ssh.Password(*s.cfg.SSHPassword)
@ -59,7 +89,8 @@ func (s *Socks) CheckArgs() {
 				var SSHSigner ssh.Signer
 				s.cfg.SSHKeyBytes, err = ioutil.ReadFile(*s.cfg.SSHKeyFile)
 				if err != nil {
-					log.Fatalf("read key file ERR: %s", err)
+					err = fmt.Errorf("read key file ERR: %s", err)
+					return
 				}
 				if *s.cfg.SSHKeyFileSalt != "" {
 					SSHSigner, err = ssh.ParsePrivateKeyWithPassphrase(s.cfg.SSHKeyBytes, []byte(*s.cfg.SSHKeyFileSalt))
@ -67,34 +98,44 @@ func (s *Socks) CheckArgs() {
 					SSHSigner, err = ssh.ParsePrivateKey(s.cfg.SSHKeyBytes)
 				}
 				if err != nil {
-					log.Fatalf("parse ssh private key fail,ERR: %s", err)
+					err = fmt.Errorf("parse ssh private key fail,ERR: %s", err)
+					return
 				}
 				s.cfg.SSHAuthMethod = ssh.PublicKeys(SSHSigner)
 			}
 		}
 	}
-
+	return
 }
-func (s *Socks) InitService() {
+func (s *Socks) InitService() (err error) {
 	s.InitBasicAuth()
-	s.checker = utils.NewChecker(*s.cfg.Timeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct)
+	if *s.cfg.DNSAddress != "" {
+		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL, s.log)
+	}
+	s.checker = utils.NewChecker(*s.cfg.Timeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct, s.log)
 	if *s.cfg.ParentType == "ssh" {
-		err := s.ConnectSSH()
-		if err != nil {
-			log.Fatalf("init service fail, ERR: %s", err)
+		e := s.ConnectSSH()
+		if e != nil {
+			err = fmt.Errorf("init service fail, ERR: %s", e)
+			return
 		}
 		go func() {
 			//循环检查ssh网络连通性
 			for {
-				conn, err := utils.ConnectHost(*s.cfg.Parent, *s.cfg.Timeout*2)
+				if s.isStop {
+					return
+				}
+				conn, err := utils.ConnectHost(s.Resolve(*s.cfg.Parent), *s.cfg.Timeout*2)
 				if err == nil {
+					conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 					_, err = conn.Write([]byte{0})
+					conn.SetDeadline(time.Time{})
 				}
 				if err != nil {
 					if s.sshClient != nil {
 						s.sshClient.Close()
 					}
-					log.Printf("ssh offline, retrying...")
+					s.log.Printf("ssh offline, retrying...")
 					s.ConnectSSH()
 				} else {
 					conn.Close()
@ -104,45 +145,71 @@ func (s *Socks) InitService() {
 		}()
 	}
 	if *s.cfg.ParentType == "ssh" {
-		log.Println("warn: socks udp not suppored for ssh")
+		s.log.Printf("warn: socks udp not suppored for ssh")
 	} else {
-
-		s.udpSC = utils.NewServerChannelHost(*s.cfg.UDPLocal)
-		err := s.udpSC.ListenUDP(s.udpCallback)
-		if err != nil {
-			log.Fatalf("init udp service fail, ERR: %s", err)
+		s.udpSC = utils.NewServerChannelHost(*s.cfg.UDPLocal, s.log)
+		e := s.udpSC.ListenUDP(s.udpCallback)
+		if e != nil {
+			err = fmt.Errorf("init udp service fail, ERR: %s", e)
+			return
 		}
-		log.Printf("udp socks proxy on %s", s.udpSC.UDPListener.LocalAddr())
+		s.log.Printf("udp socks proxy on %s", s.udpSC.UDPListener.LocalAddr())
 	}
+	return
 }
 func (s *Socks) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop socks service crashed,%s", e)
+		} else {
+			s.log.Printf("service socks stoped")
+		}
+	}()
+	s.isStop = true
+	s.checker.Stop()
 	if s.sshClient != nil {
 		s.sshClient.Close()
 	}
 	if s.udpSC.UDPListener != nil {
 		s.udpSC.UDPListener.Close()
 	}
+	if s.sc != nil && (*s.sc).Listener != nil {
+		(*(*s.sc).Listener).Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
 }
-func (s *Socks) Start(args interface{}) (err error) {
+func (s *Socks) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	//start()
 	s.cfg = args.(SocksArgs)
-	s.CheckArgs()
-	s.InitService()
-	if *s.cfg.Parent != "" {
-		log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+	if err = s.CheckArgs(); err != nil {
+		return
 	}
-	sc := utils.NewServerChannelHost(*s.cfg.Local)
+	if err = s.InitService(); err != nil {
+		s.InitService()
+	}
+	if *s.cfg.Parent != "" {
+		s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+	}
+	if *s.cfg.UDPParent != "" {
+		s.log.Printf("use socks udp parent %s", *s.cfg.UDPParent)
+	}
+	sc := utils.NewServerChannelHost(*s.cfg.Local, s.log)
 	if *s.cfg.LocalType == TYPE_TCP {
 		err = sc.ListenTCP(s.socksConnCallback)
 	} else if *s.cfg.LocalType == TYPE_TLS {
-		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.socksConnCallback)
+		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.socksConnCallback)
 	} else if *s.cfg.LocalType == TYPE_KCP {
-		err = sc.ListenKCP(*s.cfg.KCPMethod, *s.cfg.KCPKey, s.socksConnCallback)
+		err = sc.ListenKCP(s.cfg.KCP, s.socksConnCallback, s.log)
 	}
 	if err != nil {
 		return
 	}
-	log.Printf("%s socks proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+	s.sc = &sc
+	s.log.Printf("%s socks proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
 	return
 }
 func (s *Socks) Clean() {
@ -158,29 +225,29 @@ func (s *Socks) udpCallback(b []byte, localAddr, srcAddr *net.UDPAddr) {
 		//decode b
 		rawB, err = goaes.Decrypt(s.UDPKey(), b)
 		if err != nil {
-			log.Printf("decrypt udp packet fail from %s", srcAddr.String())
+			s.log.Printf("decrypt udp packet fail from %s", srcAddr.String())
 			return
 		}
 	}
 	p, err := socks.ParseUDPPacket(rawB)
-	log.Printf("udp revecived:%v", len(p.Data()))
+	s.log.Printf("udp revecived:%v", len(p.Data()))
 	if err != nil {
-		log.Printf("parse udp packet fail, ERR:%s", err)
+		s.log.Printf("parse udp packet fail, ERR:%s", err)
 		return
 	}
 	//防止死循环
 	if s.IsDeadLoop((*localAddr).String(), p.Host()) {
-		log.Printf("dead loop detected , %s", p.Host())
+		s.log.Printf("dead loop detected , %s", p.Host())
 		return
 	}
-	//log.Printf("##########udp to -> %s:%s###########", p.Host(), p.Port())
+	//s.log.Printf("##########udp to -> %s:%s###########", p.Host(), p.Port())
 	if *s.cfg.Parent != "" {
 		//有上级代理,转发给上级
 		if *s.cfg.ParentType == "tls" {
 			//encode b
 			rawB, err = goaes.Encrypt(s.UDPKey(), rawB)
 			if err != nil {
-				log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
+				s.log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
 				return
 			}
 		}
@ -188,42 +255,45 @@ func (s *Socks) udpCallback(b []byte, localAddr, srcAddr *net.UDPAddr) {
 		if parent == "" {
 			parent = *s.cfg.Parent
 		}
-		dstAddr, err := net.ResolveUDPAddr("udp", parent)
+		dstAddr, err := net.ResolveUDPAddr("udp", s.Resolve(parent))
 		if err != nil {
-			log.Printf("can't resolve address: %s", err)
+			s.log.Printf("can't resolve address: %s", err)
 			return
 		}
 		clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 		conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 		if err != nil {
-			log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 			return
 		}
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout*5)))
 		_, err = conn.Write(rawB)
-		log.Printf("udp request:%v", len(rawB))
+		conn.SetDeadline(time.Time{})
+		s.log.Printf("udp request:%v", len(rawB))
 		if err != nil {
-			log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}

-		//log.Printf("send udp packet to %s success", dstAddr.String())
+		//s.log.Printf("send udp packet to %s success", dstAddr.String())
 		buf := make([]byte, 10*1024)
+		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		length, _, err := conn.ReadFromUDP(buf)
+		conn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}
 		respBody := buf[0:length]
-		log.Printf("udp response:%v", len(respBody))
-		//log.Printf("revecived udp packet from %s", dstAddr.String())
+		s.log.Printf("udp response:%v", len(respBody))
+		//s.log.Printf("revecived udp packet from %s", dstAddr.String())
 		if *s.cfg.ParentType == "tls" {
 			//decode b
 			respBody, err = goaes.Decrypt(s.UDPKey(), respBody)
 			if err != nil {
-				log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
+				s.log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
 				conn.Close()
 				return
 			}
@ -231,72 +301,94 @@ func (s *Socks) udpCallback(b []byte, localAddr, srcAddr *net.UDPAddr) {
 		if *s.cfg.LocalType == "tls" {
 			d, err := goaes.Encrypt(s.UDPKey(), respBody)
 			if err != nil {
-				log.Printf("encrypt udp data fail from %s", dstAddr.String())
+				s.log.Printf("encrypt udp data fail from %s", dstAddr.String())
 				conn.Close()
 				return
 			}
+			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(d, srcAddr)
-			log.Printf("udp reply:%v", len(d))
+			s.udpSC.UDPListener.SetDeadline(time.Time{})
+			s.log.Printf("udp reply:%v", len(d))
+			d = nil
 		} else {
+			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(respBody, srcAddr)
-			log.Printf("udp reply:%v", len(respBody))
+			s.udpSC.UDPListener.SetDeadline(time.Time{})
+			s.log.Printf("udp reply:%v", len(respBody))
 		}

 	} else {
 		//本地代理
-		dstAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(p.Host(), p.Port()))
+		dstAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(s.Resolve(p.Host()), p.Port()))
 		if err != nil {
-			log.Printf("can't resolve address: %s", err)
+			s.log.Printf("can't resolve address: %s", err)
 			return
 		}
 		clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 		conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 		if err != nil {
-			log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 			return
 		}
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout*3)))
 		_, err = conn.Write(p.Data())
-		log.Printf("udp send:%v", len(p.Data()))
+		conn.SetDeadline(time.Time{})
+		s.log.Printf("udp send:%v", len(p.Data()))
 		if err != nil {
-			log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}
-		//log.Printf("send udp packet to %s success", dstAddr.String())
+		//s.log.Printf("send udp packet to %s success", dstAddr.String())
 		buf := make([]byte, 10*1024)
+		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		length, _, err := conn.ReadFromUDP(buf)
+		conn.SetDeadline(time.Time{})
+
 		if err != nil {
-			log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}
 		respBody := buf[0:length]
 		//封装来自真实服务器的数据,返回给访问者
 		respPacket := p.NewReply(respBody)
-		//log.Printf("revecived udp packet from %s", dstAddr.String())
+		//s.log.Printf("revecived udp packet from %s", dstAddr.String())
 		if *s.cfg.LocalType == "tls" {
 			d, err := goaes.Encrypt(s.UDPKey(), respPacket)
 			if err != nil {
-				log.Printf("encrypt udp data fail from %s", dstAddr.String())
+				s.log.Printf("encrypt udp data fail from %s", dstAddr.String())
 				conn.Close()
 				return
 			}
+			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(d, srcAddr)
+			s.udpSC.UDPListener.SetDeadline(time.Time{})
+			d = nil
 		} else {
+			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(respPacket, srcAddr)
+			s.udpSC.UDPListener.SetDeadline(time.Time{})
 		}
-		log.Printf("udp reply:%v", len(respPacket))
+		s.log.Printf("udp reply:%v", len(respPacket))
 	}

 }
 func (s *Socks) socksConnCallback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("socks conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+			s.log.Printf("socks conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 			inConn.Close()
 		}
 	}()
+	if *s.cfg.LocalCompress {
+		inConn = utils.NewCompConn(inConn)
+	}
+	if *s.cfg.LocalKey != "" {
+		inConn = conncrypt.New(inConn, &conncrypt.Config{
+			Password: *s.cfg.LocalKey,
+		})
+	}
 	//协商开始

 	//method select request
@ -306,7 +398,7 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 	if err != nil {
 		methodReq.Reply(socks.Method_NONE_ACCEPTABLE)
 		utils.CloseConn(&inConn)
-		log.Printf("new methods request fail,ERR: %s", err)
+		s.log.Printf("new methods request fail,ERR: %s", err)
 		return
 	}

@ -314,29 +406,29 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 		if !methodReq.Select(socks.Method_NO_AUTH) {
 			methodReq.Reply(socks.Method_NONE_ACCEPTABLE)
 			utils.CloseConn(&inConn)
-			log.Printf("none method found : Method_NO_AUTH")
+			s.log.Printf("none method found : Method_NO_AUTH")
 			return
 		}
 		//method select reply
 		err = methodReq.Reply(socks.Method_NO_AUTH)
 		if err != nil {
-			log.Printf("reply answer data fail,ERR: %s", err)
+			s.log.Printf("reply answer data fail,ERR: %s", err)
 			utils.CloseConn(&inConn)
 			return
 		}
-		// log.Printf("% x", methodReq.Bytes())
+		// s.log.Printf("% x", methodReq.Bytes())
 	} else {
 		//auth
 		if !methodReq.Select(socks.Method_USER_PASS) {
 			methodReq.Reply(socks.Method_NONE_ACCEPTABLE)
 			utils.CloseConn(&inConn)
-			log.Printf("none method found : Method_USER_PASS")
+			s.log.Printf("none method found : Method_USER_PASS")
 			return
 		}
 		//method reply need auth
 		err = methodReq.Reply(socks.Method_USER_PASS)
 		if err != nil {
-			log.Printf("reply answer data fail,ERR: %s", err)
+			s.log.Printf("reply answer data fail,ERR: %s", err)
 			utils.CloseConn(&inConn)
 			return
 		}
@ -352,13 +444,19 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 		r := buf[:n]
 		user := string(r[2 : r[1]+2])
 		pass := string(r[2+r[1]+1:])
-		//log.Printf("user:%s,pass:%s", user, pass)
+		//s.log.Printf("user:%s,pass:%s", user, pass)
 		//auth
 		_addr := strings.Split(inConn.RemoteAddr().String(), ":")
 		if s.basicAuth.CheckUserPass(user, pass, _addr[0], "") {
+			inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			inConn.Write([]byte{0x01, 0x00})
+			inConn.SetDeadline(time.Time{})
+
 		} else {
+			inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			inConn.Write([]byte{0x01, 0x01})
+			inConn.SetDeadline(time.Time{})
+
 			utils.CloseConn(&inConn)
 			return
 		}
@ -367,7 +465,7 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 	//request detail
 	request, err := socks.NewRequest(inConn)
 	if err != nil {
-		log.Printf("read request data fail,ERR: %s", err)
+		s.log.Printf("read request data fail,ERR: %s", err)
 		utils.CloseConn(&inConn)
 		return
 	}
@ -395,7 +493,7 @@ func (s *Socks) proxyUDP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 	}
 	host, _, _ := net.SplitHostPort((*inConn).LocalAddr().String())
 	_, port, _ := net.SplitHostPort(s.udpSC.UDPListener.LocalAddr().String())
-	log.Printf("proxy udp on %s", net.JoinHostPort(host, port))
+	s.log.Printf("proxy udp on %s", net.JoinHostPort(host, port))
 	request.UDPReply(socks.REP_SUCCESS, net.JoinHostPort(host, port))
 }
 func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, request socks.Request) {
@ -407,11 +505,14 @@ func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 	//防止死循环
 	if s.IsDeadLoop((*inConn).LocalAddr().String(), request.Host()) {
 		utils.CloseConn(inConn)
-		log.Printf("dead loop detected , %s", request.Host())
+		s.log.Printf("dead loop detected , %s", request.Host())
 		utils.CloseConn(inConn)
 		return
 	}
 	for {
+		if s.isStop {
+			return
+		}
 		if *s.cfg.Always {
 			outConn, err = s.getOutConn(methodReq.Bytes(), request.Bytes(), request.Addr())
 		} else {
@ -421,16 +522,17 @@ func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 				if utils.IsIternalIP(host) {
 					useProxy = false
 				} else {
-					s.checker.Add(request.Addr())
-					useProxy, _, _ = s.checker.IsBlocked(request.Addr())
+					k := s.Resolve(request.Addr())
+					s.checker.Add(k)
+					useProxy, _, _ = s.checker.IsBlocked(k)
 				}
 				if useProxy {
 					outConn, err = s.getOutConn(methodReq.Bytes(), request.Bytes(), request.Addr())
 				} else {
-					outConn, err = utils.ConnectHost(request.Addr(), *s.cfg.Timeout)
+					outConn, err = utils.ConnectHost(s.Resolve(request.Addr()), *s.cfg.Timeout)
 				}
 			} else {
-				outConn, err = utils.ConnectHost(request.Addr(), *s.cfg.Timeout)
+				outConn, err = utils.ConnectHost(s.Resolve(request.Addr()), *s.cfg.Timeout)
 				useProxy = false
 			}
 		}
@ -438,25 +540,31 @@ func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 		if err == nil || tryCount > maxTryCount || *s.cfg.Parent == "" {
 			break
 		} else {
-			log.Printf("get out conn fail,%s,retrying...", err)
+			s.log.Printf("get out conn fail,%s,retrying...", err)
 			time.Sleep(time.Second * 2)
 		}
 	}
 	if err != nil {
-		log.Printf("get out conn fail,%s", err)
+		s.log.Printf("get out conn fail,%s", err)
 		request.TCPReply(socks.REP_NETWOR_UNREACHABLE)
 		return
 	}
-	log.Printf("use proxy %v : %s", useProxy, request.Addr())
+
+	s.log.Printf("use proxy %v : %s", useProxy, request.Addr())

 	request.TCPReply(socks.REP_SUCCESS)
 	inAddr := (*inConn).RemoteAddr().String()
 	//inLocalAddr := (*inConn).LocalAddr().String()

-	log.Printf("conn %s - %s connected", inAddr, request.Addr())
+	s.log.Printf("conn %s - %s connected", inAddr, request.Addr())
 	utils.IoBind(*inConn, outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released", inAddr, request.Addr())
-	})
+		s.log.Printf("conn %s - %s released", inAddr, request.Addr())
+	}, s.log)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+		s.userConns.Remove(inAddr)
+	}
+	s.userConns.Set(inAddr, inConn)
 }
 func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn net.Conn, err interface{}) {
 	switch *s.cfg.ParentType {
@ -467,50 +575,65 @@ func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn n
 	case "tcp":
 		if *s.cfg.ParentType == "tls" {
 			var _outConn tls.Conn
-			_outConn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes)
+			_outConn, err = utils.TlsConnectHost(s.Resolve(*s.cfg.Parent), *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
 			outConn = net.Conn(&_outConn)
 		} else if *s.cfg.ParentType == "kcp" {
-			outConn, err = utils.ConnectKCPHost(*s.cfg.Parent, *s.cfg.KCPMethod, *s.cfg.KCPKey)
+			outConn, err = utils.ConnectKCPHost(s.Resolve(*s.cfg.Parent), s.cfg.KCP)
 		} else {
-			outConn, err = utils.ConnectHost(*s.cfg.Parent, *s.cfg.Timeout)
+			outConn, err = utils.ConnectHost(s.Resolve(*s.cfg.Parent), *s.cfg.Timeout)
 		}
 		if err != nil {
 			err = fmt.Errorf("connect fail,%s", err)
 			return
 		}
+		if *s.cfg.ParentCompress {
+			outConn = utils.NewCompConn(outConn)
+		}
+		if *s.cfg.ParentKey != "" {
+			outConn = conncrypt.New(outConn, &conncrypt.Config{
+				Password: *s.cfg.ParentKey,
+			})
+		}
 		var buf = make([]byte, 1024)
 		//var n int
+		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = outConn.Write(methodBytes)
+		outConn.SetDeadline(time.Time{})
 		if err != nil {
 			err = fmt.Errorf("write method fail,%s", err)
 			return
 		}
+		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = outConn.Read(buf)
+		outConn.SetDeadline(time.Time{})
 		if err != nil {
 			err = fmt.Errorf("read method reply fail,%s", err)
 			return
 		}
 		//resp := buf[:n]
-		//log.Printf("resp:%v", resp)
-
+		//s.log.Printf("resp:%v", resp)
+		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = outConn.Write(reqBytes)
+		outConn.SetDeadline(time.Time{})
 		if err != nil {
 			err = fmt.Errorf("write req detail fail,%s", err)
 			return
 		}
+		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = outConn.Read(buf)
+		outConn.SetDeadline(time.Time{})
 		if err != nil {
 			err = fmt.Errorf("read req reply fail,%s", err)
 			return
 		}
 		//result := buf[:n]
-		//log.Printf("result:%v", result)
+		//s.log.Printf("result:%v", result)

 	case "ssh":
 		maxTryCount := 1
 		tryCount := 0
 	RETRY:
-		if tryCount >= maxTryCount {
+		if tryCount >= maxTryCount || s.isStop {
 			return
 		}
 		wait := make(chan bool, 1)
@ -530,7 +653,7 @@ func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn n
 			s.sshClient.Close()
 		}
 		if err != nil {
-			log.Printf("connect ssh fail, ERR: %s, retrying...", err)
+			s.log.Printf("connect ssh fail, ERR: %s, retrying...", err)
 			e := s.ConnectSSH()
 			if e == nil {
 				tryCount++
@ -562,15 +685,19 @@ func (s *Socks) ConnectSSH() (err error) {
 	if s.sshClient != nil {
 		s.sshClient.Close()
 	}
-	s.sshClient, err = ssh.Dial("tcp", *s.cfg.Parent, &config)
+	s.sshClient, err = ssh.Dial("tcp", s.Resolve(*s.cfg.Parent), &config)
 	<-s.lockChn
 	return
 }
 func (s *Socks) InitBasicAuth() (err error) {
-	s.basicAuth = utils.NewBasicAuth()
+	if *s.cfg.DNSAddress != "" {
+		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver, s.log)
+	} else {
+		s.basicAuth = utils.NewBasicAuth(nil, s.log)
+	}
 	if *s.cfg.AuthURL != "" {
 		s.basicAuth.SetAuthURL(*s.cfg.AuthURL, *s.cfg.AuthURLOkCode, *s.cfg.AuthURLTimeout, *s.cfg.AuthURLRetry)
-		log.Printf("auth from %s", *s.cfg.AuthURL)
+		s.log.Printf("auth from %s", *s.cfg.AuthURL)
 	}
 	if *s.cfg.AuthFile != "" {
 		var n = 0
@ -579,11 +706,11 @@ func (s *Socks) InitBasicAuth() (err error) {
 			err = fmt.Errorf("auth-file ERR:%s", err)
 			return
 		}
-		log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
 	}
 	if len(*s.cfg.Auth) > 0 {
 		n := s.basicAuth.Add(*s.cfg.Auth)
-		log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
 	}
 	return
 }
@ -601,7 +728,11 @@ func (s *Socks) IsDeadLoop(inLocalAddr string, host string) bool {
 	}
 	if inPort == outPort {
 		var outIPs []net.IP
-		outIPs, err = net.LookupIP(outDomain)
+		if *s.cfg.DNSAddress != "" {
+			outIPs = []net.IP{net.ParseIP(s.Resolve(outDomain))}
+		} else {
+			outIPs, err = net.LookupIP(outDomain)
+		}
 		if err == nil {
 			for _, ip := range outIPs {
 				if ip.String() == inIP {
@ -625,3 +756,13 @@ func (s *Socks) IsDeadLoop(inLocalAddr string, host string) bool {
 	}
 	return false
 }
+func (s *Socks) Resolve(address string) string {
+	if *s.cfg.DNSAddress == "" {
+		return address
+	}
+	ip, err := s.domainResolver.Resolve(address)
+	if err != nil {
+		s.log.Printf("dns error %s , ERR:%s", address, err)
+	}
+	return ip
+}
--- a/services/sps.go
+++ b/services/sps.go
@ -0,0 +1,467 @@
+package services
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	logger "log"
+	"net"
+	"runtime/debug"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/snail007/goproxy/utils"
+	"github.com/snail007/goproxy/utils/conncrypt"
+	"github.com/snail007/goproxy/utils/socks"
+)
+
+type SPS struct {
+	outPool        utils.OutConn
+	cfg            SPSArgs
+	domainResolver utils.DomainResolver
+	basicAuth      utils.BasicAuth
+	serverChannels []*utils.ServerChannel
+	userConns      utils.ConcurrentMap
+	log            *logger.Logger
+}
+
+func NewSPS() Service {
+	return &SPS{
+		outPool:        utils.OutConn{},
+		cfg:            SPSArgs{},
+		basicAuth:      utils.BasicAuth{},
+		serverChannels: []*utils.ServerChannel{},
+		userConns:      utils.NewConcurrentMap(),
+	}
+}
+func (s *SPS) CheckArgs() (err error) {
+	if *s.cfg.Parent == "" {
+		err = fmt.Errorf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		return
+	}
+	if *s.cfg.ParentType == "" {
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp|kcp>")
+		return
+	}
+	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.LocalType == TYPE_TLS {
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
+		if *s.cfg.CaCertFile != "" {
+			s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
+			if err != nil {
+				err = fmt.Errorf("read ca file error,ERR:%s", err)
+				return
+			}
+		}
+	}
+	return
+}
+func (s *SPS) InitService() (err error) {
+	if *s.cfg.DNSAddress != "" {
+		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL, s.log)
+	}
+	s.InitOutConnPool()
+	err = s.InitBasicAuth()
+	return
+}
+func (s *SPS) InitOutConnPool() {
+	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP || *s.cfg.ParentType == TYPE_KCP {
+		//dur int, isTLS bool, certBytes, keyBytes []byte,
+		//parent string, timeout int, InitialCap int, MaxCap int
+		s.outPool = utils.NewOutConn(
+			0,
+			*s.cfg.ParentType,
+			s.cfg.KCP,
+			s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes,
+			*s.cfg.Parent,
+			*s.cfg.Timeout,
+		)
+	}
+}
+
+func (s *SPS) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop sps service crashed,%s", e)
+		} else {
+			s.log.Printf("service sps stoped")
+		}
+	}()
+	for _, sc := range s.serverChannels {
+		if sc.Listener != nil && *sc.Listener != nil {
+			(*sc.Listener).Close()
+		}
+		if sc.UDPListener != nil {
+			(*sc.UDPListener).Close()
+		}
+	}
+	for _, c := range s.userConns.Items() {
+		if _, ok := c.(*net.Conn); ok {
+			(*c.(*net.Conn)).Close()
+		}
+		if _, ok := c.(**net.Conn); ok {
+			(*(*c.(**net.Conn))).Close()
+		}
+	}
+}
+func (s *SPS) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
+	s.cfg = args.(SPSArgs)
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("use %s %s parent %s", *s.cfg.ParentType, *s.cfg.ParentServiceType, *s.cfg.Parent)
+	for _, addr := range strings.Split(*s.cfg.Local, ",") {
+		if addr != "" {
+			host, port, _ := net.SplitHostPort(*s.cfg.Local)
+			p, _ := strconv.Atoi(port)
+			sc := utils.NewServerChannel(host, p, s.log)
+			if *s.cfg.LocalType == TYPE_TCP {
+				err = sc.ListenTCP(s.callback)
+			} else if *s.cfg.LocalType == TYPE_TLS {
+				err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes, s.callback)
+			} else if *s.cfg.LocalType == TYPE_KCP {
+				err = sc.ListenKCP(s.cfg.KCP, s.callback, s.log)
+			}
+			if err != nil {
+				return
+			}
+			s.log.Printf("%s http(s)+socks proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+			s.serverChannels = append(s.serverChannels, &sc)
+		}
+	}
+	return
+}
+
+func (s *SPS) Clean() {
+	s.StopService()
+}
+func (s *SPS) callback(inConn net.Conn) {
+	defer func() {
+		if err := recover(); err != nil {
+			s.log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
+		}
+	}()
+	if *s.cfg.LocalCompress {
+		inConn = utils.NewCompConn(inConn)
+	}
+	if *s.cfg.LocalKey != "" {
+		inConn = conncrypt.New(inConn, &conncrypt.Config{
+			Password: *s.cfg.LocalKey,
+		})
+	}
+	var err error
+	switch *s.cfg.ParentType {
+	case TYPE_KCP:
+		fallthrough
+	case TYPE_TCP:
+		fallthrough
+	case TYPE_TLS:
+		err = s.OutToTCP(&inConn)
+	default:
+		err = fmt.Errorf("unkown parent type %s", *s.cfg.ParentType)
+	}
+	if err != nil {
+		s.log.Printf("connect to %s parent %s fail, ERR:%s from %s", *s.cfg.ParentType, *s.cfg.Parent, err, inConn.RemoteAddr())
+		utils.CloseConn(&inConn)
+	}
+}
+func (s *SPS) OutToTCP(inConn *net.Conn) (err error) {
+	bInConn := utils.NewBufferedConn(*inConn)
+	//important
+	//action read will regist read event to system,
+	//when data arrived , system call process
+	//so that we can get buffered bytes count
+	//otherwise Buffered() always return 0
+	bInConn.ReadByte()
+	bInConn.UnreadByte()
+
+	n := 8
+	if n > bInConn.Buffered() {
+		n = bInConn.Buffered()
+	}
+	h, err := bInConn.Peek(n)
+	if err != nil {
+		s.log.Printf("peek error %s ", err)
+		(*inConn).Close()
+		return
+	}
+
+	*inConn = bInConn
+	address := ""
+	var auth socks.Auth
+	var forwardBytes []byte
+	//fmt.Printf("%v", header)
+	if utils.IsSocks5(h) {
+		if *s.cfg.DisableSocks5 {
+			(*inConn).Close()
+			return
+		}
+		//socks5 server
+		var serverConn *socks.ServerConn
+		if s.IsBasicAuth() {
+			serverConn = socks.NewServerConn(inConn, time.Millisecond*time.Duration(*s.cfg.Timeout), &s.basicAuth, "", nil)
+		} else {
+			serverConn = socks.NewServerConn(inConn, time.Millisecond*time.Duration(*s.cfg.Timeout), nil, "", nil)
+		}
+		if err = serverConn.Handshake(); err != nil {
+			return
+		}
+		address = serverConn.Target()
+		auth = serverConn.AuthData()
+	} else if utils.IsHTTP(h) {
+		if *s.cfg.DisableHTTP {
+			(*inConn).Close()
+			return
+		}
+		//http
+		var request utils.HTTPRequest
+		(*inConn).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+		if s.IsBasicAuth() {
+			request, err = utils.NewHTTPRequest(inConn, 1024, true, &s.basicAuth, s.log)
+		} else {
+			request, err = utils.NewHTTPRequest(inConn, 1024, false, nil, s.log)
+		}
+		(*inConn).SetDeadline(time.Time{})
+		if err != nil {
+			s.log.Printf("new http request fail,ERR: %s", err)
+			utils.CloseConn(inConn)
+			return
+		}
+		if len(h) >= 7 && strings.ToLower(string(h[:7])) == "connect" {
+			//https
+			request.HTTPSReply()
+			//s.log.Printf("https reply: %s", request.Host)
+		} else {
+			//forwardBytes = bytes.TrimRight(request.HeadBuf,"\r\n")
+			forwardBytes = request.HeadBuf
+		}
+		address = request.Host
+		var userpass string
+		if s.IsBasicAuth() {
+			userpass, err = request.GetAuthDataStr()
+			if err != nil {
+				return
+			}
+			userpassA := strings.Split(userpass, ":")
+			if len(userpassA) == 2 {
+				auth = socks.Auth{User: userpassA[0], Password: userpassA[1]}
+			}
+		}
+	}
+	if err != nil || address == "" {
+		s.log.Printf("unknown request from: %s,%s", (*inConn).RemoteAddr(), string(h))
+		(*inConn).Close()
+		utils.CloseConn(inConn)
+		err = errors.New("unknown request")
+		return
+	}
+	//connect to parent
+	var outConn net.Conn
+	outConn, err = s.outPool.Get()
+	if err != nil {
+		s.log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
+		utils.CloseConn(inConn)
+		return
+	}
+	if *s.cfg.ParentCompress {
+		outConn = utils.NewCompConn(outConn)
+	}
+	if *s.cfg.ParentKey != "" {
+		outConn = conncrypt.New(outConn, &conncrypt.Config{
+			Password: *s.cfg.ParentKey,
+		})
+	}
+
+	if *s.cfg.ParentAuth != "" || s.IsBasicAuth() {
+		forwardBytes = utils.RemoveProxyHeaders(forwardBytes)
+	}
+
+	//ask parent for connect to target address
+	if *s.cfg.ParentServiceType == "http" {
+		//http parent
+		isHTTPS := false
+
+		pb := new(bytes.Buffer)
+		if len(forwardBytes) == 0 {
+			isHTTPS = true
+			pb.Write([]byte(fmt.Sprintf("CONNECT %s HTTP/1.1\r\n", address)))
+		}
+		pb.WriteString("Proxy-Connection: Keep-Alive\r\n")
+
+		u := ""
+		if *s.cfg.ParentAuth != "" {
+			a := strings.Split(*s.cfg.ParentAuth, ":")
+			if len(a) != 2 {
+				err = fmt.Errorf("parent auth data format error")
+				return
+			}
+			u = fmt.Sprintf("%s:%s", a[0], a[1])
+		} else {
+			if !s.IsBasicAuth() && auth.Password != "" && auth.User != "" {
+				u = fmt.Sprintf("%s:%s", auth.User, auth.Password)
+			}
+		}
+		if u != "" {
+			pb.Write([]byte(fmt.Sprintf("Proxy-Authorization: Basic %s\r\n", base64.StdEncoding.EncodeToString([]byte(u)))))
+		}
+
+		if isHTTPS {
+			pb.Write([]byte("\r\n"))
+		} else {
+			forwardBytes = utils.InsertProxyHeaders(forwardBytes, string(pb.Bytes()))
+			pb.Reset()
+			pb.Write(forwardBytes)
+			forwardBytes = nil
+		}
+
+		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+		_, err = outConn.Write(pb.Bytes())
+		outConn.SetDeadline(time.Time{})
+		if err != nil {
+			s.log.Printf("write CONNECT to %s , err:%s", *s.cfg.Parent, err)
+			utils.CloseConn(inConn)
+			utils.CloseConn(&outConn)
+			return
+		}
+
+		if isHTTPS {
+			reply := make([]byte, 1024)
+			outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+			_, err = outConn.Read(reply)
+			outConn.SetDeadline(time.Time{})
+			if err != nil {
+				s.log.Printf("read reply from %s , err:%s", *s.cfg.Parent, err)
+				utils.CloseConn(inConn)
+				utils.CloseConn(&outConn)
+				return
+			}
+			//s.log.Printf("reply: %s", string(reply[:n]))
+		}
+	} else if *s.cfg.ParentServiceType == "socks" {
+		s.log.Printf("connect %s", address)
+		//socks client
+		var clientConn *socks.ClientConn
+		if *s.cfg.ParentAuth != "" {
+			a := strings.Split(*s.cfg.ParentAuth, ":")
+			if len(a) != 2 {
+				err = fmt.Errorf("parent auth data format error")
+				return
+			}
+			clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), &socks.Auth{User: a[0], Password: a[1]}, nil)
+		} else {
+			if !s.IsBasicAuth() && auth.Password != "" && auth.User != "" {
+				clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), &auth, nil)
+			} else {
+				clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), nil, nil)
+			}
+		}
+		if err = clientConn.Handshake(); err != nil {
+			return
+		}
+	}
+
+	//forward client data to target,if necessary.
+	if len(forwardBytes) > 0 {
+		outConn.Write(forwardBytes)
+	}
+
+	//bind
+	inAddr := (*inConn).RemoteAddr().String()
+	outAddr := outConn.RemoteAddr().String()
+	utils.IoBind((*inConn), outConn, func(err interface{}) {
+		s.log.Printf("conn %s - %s released [%s]", inAddr, outAddr, address)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	s.log.Printf("conn %s - %s connected [%s]", inAddr, outAddr, address)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, inConn)
+	return
+}
+func (s *SPS) InitBasicAuth() (err error) {
+	if *s.cfg.DNSAddress != "" {
+		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver, s.log)
+	} else {
+		s.basicAuth = utils.NewBasicAuth(nil, s.log)
+	}
+	if *s.cfg.AuthURL != "" {
+		s.basicAuth.SetAuthURL(*s.cfg.AuthURL, *s.cfg.AuthURLOkCode, *s.cfg.AuthURLTimeout, *s.cfg.AuthURLRetry)
+		s.log.Printf("auth from %s", *s.cfg.AuthURL)
+	}
+	if *s.cfg.AuthFile != "" {
+		var n = 0
+		n, err = s.basicAuth.AddFromFile(*s.cfg.AuthFile)
+		if err != nil {
+			err = fmt.Errorf("auth-file ERR:%s", err)
+			return
+		}
+		s.log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
+	}
+	if len(*s.cfg.Auth) > 0 {
+		n := s.basicAuth.Add(*s.cfg.Auth)
+		s.log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
+	}
+	return
+}
+func (s *SPS) IsBasicAuth() bool {
+	return *s.cfg.AuthFile != "" || len(*s.cfg.Auth) > 0 || *s.cfg.AuthURL != ""
+}
+func (s *SPS) buildRequest(address string) (buf []byte, err error) {
+	host, portStr, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, err
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		err = errors.New("proxy: failed to parse port number: " + portStr)
+		return
+	}
+	if port < 1 || port > 0xffff {
+		err = errors.New("proxy: port number out of range: " + portStr)
+		return
+	}
+	buf = buf[:0]
+	buf = append(buf, 0x05, 0x01, 0 /* reserved */)
+
+	if ip := net.ParseIP(host); ip != nil {
+		if ip4 := ip.To4(); ip4 != nil {
+			buf = append(buf, 0x01)
+			ip = ip4
+		} else {
+			buf = append(buf, 0x04)
+		}
+		buf = append(buf, ip...)
+	} else {
+		if len(host) > 255 {
+			err = errors.New("proxy: destination host name too long: " + host)
+			return
+		}
+		buf = append(buf, 0x03)
+		buf = append(buf, byte(len(host)))
+		buf = append(buf, host...)
+	}
+	buf = append(buf, byte(port>>8), byte(port))
+	return
+}
+func (s *SPS) Resolve(address string) string {
+	if *s.cfg.DNSAddress == "" {
+		return address
+	}
+	ip, err := s.domainResolver.Resolve(address)
+	if err != nil {
+		s.log.Printf("dns error %s , ERR:%s", address, err)
+	}
+	return ip
+}
--- a/services/tcp.go
+++ b/services/tcp.go
@ -4,66 +4,100 @@ import (
 	"bufio"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"runtime/debug"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"strconv"
 )

 type TCP struct {
-	outPool utils.OutPool
-	cfg     TCPArgs
+	outPool   utils.OutConn
+	cfg       TCPArgs
+	sc        *utils.ServerChannel
+	isStop    bool
+	userConns utils.ConcurrentMap
+	log       *logger.Logger
 }

 func NewTCP() Service {
 	return &TCP{
-		outPool: utils.OutPool{},
-		cfg:     TCPArgs{},
+		outPool:   utils.OutConn{},
+		cfg:       TCPArgs{},
+		isStop:    false,
+		userConns: utils.NewConcurrentMap(),
 	}
 }
-func (s *TCP) CheckArgs() {
+func (s *TCP) CheckArgs() (err error) {
 	if *s.cfg.Parent == "" {
-		log.Fatalf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		err = fmt.Errorf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		return
 	}
 	if *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp|kcp|udp>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp|kcp|udp>")
+		return
 	}
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.LocalType == TYPE_TLS {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
 	}
+	return
 }
-func (s *TCP) InitService() {
+func (s *TCP) InitService() (err error) {
 	s.InitOutConnPool()
+	return
 }
 func (s *TCP) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop tcp service crashed,%s", e)
+		} else {
+			s.log.Printf("service tcp stoped")
+		}
+	}()
+	s.isStop = true
+	if s.sc.Listener != nil && *s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
 	}
 }
-func (s *TCP) Start(args interface{}) (err error) {
+func (s *TCP) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TCPArgs)
-	s.CheckArgs()
-	log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
-	s.InitService()
-
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)

 	if *s.cfg.LocalType == TYPE_TCP {
 		err = sc.ListenTCP(s.callback)
 	} else if *s.cfg.LocalType == TYPE_TLS {
-		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.callback)
+		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.callback)
 	} else if *s.cfg.LocalType == TYPE_KCP {
-		err = sc.ListenKCP(*s.cfg.KCPMethod, *s.cfg.KCPKey, s.callback)
+		err = sc.ListenKCP(s.cfg.KCP, s.callback, s.log)
 	}
 	if err != nil {
 		return
 	}
-	log.Printf("%s proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+	s.log.Printf("%s proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+	s.sc = &sc
 	return
 }

@ -73,7 +107,7 @@ func (s *TCP) Clean() {
 func (s *TCP) callback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
+			s.log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
 		}
 	}()
 	var err error
@ -90,19 +124,15 @@ func (s *TCP) callback(inConn net.Conn) {
 		err = fmt.Errorf("unkown parent type %s", *s.cfg.ParentType)
 	}
 	if err != nil {
-		log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
+		s.log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
 		utils.CloseConn(&inConn)
 	}
 }
 func (s *TCP) OutToTCP(inConn *net.Conn) (err error) {
 	var outConn net.Conn
-	var _outConn interface{}
-	_outConn, err = s.outPool.Pool.Get()
-	if err == nil {
-		outConn = _outConn.(net.Conn)
-	}
+	outConn, err = s.outPool.Get()
 	if err != nil {
-		log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
+		s.log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
 		utils.CloseConn(inConn)
 		return
 	}
@ -111,55 +141,64 @@ func (s *TCP) OutToTCP(inConn *net.Conn) (err error) {
 	outAddr := outConn.RemoteAddr().String()
 	//outLocalAddr := outConn.LocalAddr().String()
 	utils.IoBind((*inConn), outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released", inAddr, outAddr)
-	})
-	log.Printf("conn %s - %s connected", inAddr, outAddr)
+		s.log.Printf("conn %s - %s released", inAddr, outAddr)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	s.log.Printf("conn %s - %s connected", inAddr, outAddr)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, inConn)
 	return
 }
 func (s *TCP) OutToUDP(inConn *net.Conn) (err error) {
-	log.Printf("conn created , remote : %s ", (*inConn).RemoteAddr())
+	s.log.Printf("conn created , remote : %s ", (*inConn).RemoteAddr())
 	for {
+		if s.isStop {
+			(*inConn).Close()
+			return
+		}
 		srcAddr, body, err := utils.ReadUDPPacket(bufio.NewReader(*inConn))
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
-			//log.Printf("connection %s released", srcAddr)
+			//s.log.Printf("connection %s released", srcAddr)
 			utils.CloseConn(inConn)
 			break
 		}
 		//log.Debugf("udp packet revecived:%s,%v", srcAddr, body)
 		dstAddr, err := net.ResolveUDPAddr("udp", *s.cfg.Parent)
 		if err != nil {
-			log.Printf("can't resolve address: %s", err)
+			s.log.Printf("can't resolve address: %s", err)
 			utils.CloseConn(inConn)
 			break
 		}
 		clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 		conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 		if err != nil {
-			log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 			continue
 		}
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = conn.Write(body)
 		if err != nil {
-			log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 			continue
 		}
 		//log.Debugf("send udp packet to %s success", dstAddr.String())
 		buf := make([]byte, 512)
 		len, _, err := conn.ReadFromUDP(buf)
 		if err != nil {
-			log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 			continue
 		}
 		respBody := buf[0:len]
 		//log.Debugf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 		_, err = (*inConn).Write(utils.UDPPacket(srcAddr, respBody))
 		if err != nil {
-			log.Printf("send udp response fail ,ERR:%s", err)
+			s.log.Printf("send udp response fail ,ERR:%s", err)
 			utils.CloseConn(inConn)
 			break
 		}
-		//log.Printf("send udp response success ,from:%s", dstAddr.String())
+		//s.log.Printf("send udp response success ,from:%s", dstAddr.String())
 	}
 	return

@ -168,16 +207,13 @@ func (s *TCP) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP || *s.cfg.ParentType == TYPE_KCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			*s.cfg.CheckParentInterval,
 			*s.cfg.ParentType,
-			*s.cfg.KCPMethod,
-			*s.cfg.KCPKey,
-			s.cfg.CertBytes, s.cfg.KeyBytes,
+			s.cfg.KCP,
+			s.cfg.CertBytes, s.cfg.KeyBytes, nil,
 			*s.cfg.Parent,
 			*s.cfg.Timeout,
-			*s.cfg.PoolSize,
-			*s.cfg.PoolSize*2,
 		)
 	}
 }
--- a/services/tunnel_bridge.go
+++ b/services/tunnel_bridge.go
@ -1,12 +1,16 @@
 package services

 import (
-	"bufio"
-	"log"
+	"bytes"
+	"fmt"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"strconv"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+
+	"github.com/xtaci/smux"
 )

 type ServerConn struct {
@ -17,8 +21,8 @@ type TunnelBridge struct {
 	cfg                TunnelBridgeArgs
 	serverConns        utils.ConcurrentMap
 	clientControlConns utils.ConcurrentMap
-	// cmServer           utils.ConnManager
-	// cmClient           utils.ConnManager
+	isStop             bool
+	log                *logger.Logger
 }

 func NewTunnelBridge() Service {
@ -26,219 +30,166 @@ func NewTunnelBridge() Service {
 		cfg:                TunnelBridgeArgs{},
 		serverConns:        utils.NewConcurrentMap(),
 		clientControlConns: utils.NewConcurrentMap(),
-		// cmServer:           utils.NewConnManager(),
-		// cmClient:           utils.NewConnManager(),
+		isStop:             false,
 	}
 }

-func (s *TunnelBridge) InitService() {
-
+func (s *TunnelBridge) InitService() (err error) {
+	return
 }
-func (s *TunnelBridge) CheckArgs() {
+func (s *TunnelBridge) CheckArgs() (err error) {
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	return
 }
 func (s *TunnelBridge) StopService() {
-
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop tbridge service crashed,%s", e)
+		} else {
+			s.log.Printf("service tbridge stoped")
+		}
+	}()
+	s.isStop = true
+	for _, sess := range s.clientControlConns.Items() {
+		(*sess.(*net.Conn)).Close()
+	}
+	for _, sess := range s.serverConns.Items() {
+		(*sess.(ServerConn).Conn).Close()
+	}
 }
-func (s *TunnelBridge) Start(args interface{}) (err error) {
+func (s *TunnelBridge) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelBridgeArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)

-	err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, func(inConn net.Conn) {
-		//log.Printf("connection from %s ", inConn.RemoteAddr())
-
-		reader := bufio.NewReader(inConn)
-		var err error
-		var connType uint8
-		err = utils.ReadPacket(reader, &connType)
-		if err != nil {
-			log.Printf("read error,ERR:%s", err)
-			return
-		}
-		switch connType {
-		case CONN_SERVER:
-			var key, ID, clientLocalAddr, serverID string
-			err = utils.ReadPacketData(reader, &key, &ID, &clientLocalAddr, &serverID)
-			if err != nil {
-				log.Printf("read error,ERR:%s", err)
-				return
-			}
-			packet := utils.BuildPacketData(ID, clientLocalAddr, serverID)
-			log.Printf("server connection, key: %s , id: %s %s %s", key, ID, clientLocalAddr, serverID)
-
-			//addr := clientLocalAddr + "@" + ID
-			s.serverConns.Set(ID, ServerConn{
-				Conn: &inConn,
-			})
-			for {
-				item, ok := s.clientControlConns.Get(key)
-				if !ok {
-					log.Printf("client %s control conn not exists", key)
-					time.Sleep(time.Second * 3)
-					continue
-				}
-				(*item.(*net.Conn)).SetWriteDeadline(time.Now().Add(time.Second * 3))
-				_, err := (*item.(*net.Conn)).Write(packet)
-				(*item.(*net.Conn)).SetWriteDeadline(time.Time{})
-				if err != nil {
-					log.Printf("%s client control conn write signal fail, err: %s, retrying...", key, err)
-					time.Sleep(time.Second * 3)
-					continue
-				} else {
-					// s.cmServer.Add(serverID, ID, &inConn)
-					break
-				}
-			}
-		case CONN_CLIENT:
-			var key, ID, serverID string
-			err = utils.ReadPacketData(reader, &key, &ID, &serverID)
-			if err != nil {
-				log.Printf("read error,ERR:%s", err)
-				return
-			}
-			log.Printf("client connection , key: %s , id: %s, server id:%s", key, ID, serverID)
-
-			serverConnItem, ok := s.serverConns.Get(ID)
-			if !ok {
-				inConn.Close()
-				log.Printf("server conn %s exists", ID)
-				return
-			}
-			serverConn := serverConnItem.(ServerConn).Conn
-			utils.IoBind(*serverConn, inConn, func(err interface{}) {
-				s.serverConns.Remove(ID)
-				// s.cmClient.RemoveOne(key, ID)
-				// s.cmServer.RemoveOne(serverID, ID)
-				log.Printf("conn %s released", ID)
-			})
-			// s.cmClient.Add(key, ID, &inConn)
-			log.Printf("conn %s created", ID)
-
-		case CONN_CLIENT_CONTROL:
-			var key string
-			err = utils.ReadPacketData(reader, &key)
-			if err != nil {
-				log.Printf("read error,ERR:%s", err)
-				return
-			}
-			log.Printf("client control connection, key: %s", key)
-			if s.clientControlConns.Has(key) {
-				item, _ := s.clientControlConns.Get(key)
-				(*item.(*net.Conn)).Close()
-			}
-			s.clientControlConns.Set(key, &inConn)
-			log.Printf("set client %s control conn", key)
-
-			// case CONN_SERVER_HEARBEAT:
-			// 	var serverID string
-			// 	err = utils.ReadPacketData(reader, &serverID)
-			// 	if err != nil {
-			// 		log.Printf("read error,ERR:%s", err)
-			// 		return
-			// 	}
-			// 	log.Printf("server heartbeat connection, id: %s", serverID)
-			// 	writeDie := make(chan bool)
-			// 	readDie := make(chan bool)
-			// 	go func() {
-			// 		for {
-			// 			inConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-			// 			_, err = inConn.Write([]byte{0x00})
-			// 			inConn.SetWriteDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("server heartbeat connection write err %s", err)
-			// 				break
-			// 			}
-			// 			time.Sleep(time.Second * 3)
-			// 		}
-			// 		close(writeDie)
-			// 	}()
-			// 	go func() {
-			// 		for {
-			// 			signal := make([]byte, 1)
-			// 			inConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-			// 			_, err := inConn.Read(signal)
-			// 			inConn.SetReadDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("server heartbeat connection read err: %s", err)
-			// 				break
-			// 			} else {
-			// 				// log.Printf("heartbeat from server ,id:%s", serverID)
-			// 			}
-			// 		}
-			// 		close(readDie)
-			// 	}()
-			// 	select {
-			// 	case <-readDie:
-			// 	case <-writeDie:
-			// 	}
-			// 	utils.CloseConn(&inConn)
-			// 	s.cmServer.Remove(serverID)
-			// 	log.Printf("server heartbeat conn %s released", serverID)
-			// case CONN_CLIENT_HEARBEAT:
-			// 	var clientID string
-			// 	err = utils.ReadPacketData(reader, &clientID)
-			// 	if err != nil {
-			// 		log.Printf("read error,ERR:%s", err)
-			// 		return
-			// 	}
-			// 	log.Printf("client heartbeat connection, id: %s", clientID)
-			// 	writeDie := make(chan bool)
-			// 	readDie := make(chan bool)
-			// 	go func() {
-			// 		for {
-			// 			inConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-			// 			_, err = inConn.Write([]byte{0x00})
-			// 			inConn.SetWriteDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("client heartbeat connection write err %s", err)
-			// 				break
-			// 			}
-			// 			time.Sleep(time.Second * 3)
-			// 		}
-			// 		close(writeDie)
-			// 	}()
-			// 	go func() {
-			// 		for {
-			// 			signal := make([]byte, 1)
-			// 			inConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-			// 			_, err := inConn.Read(signal)
-			// 			inConn.SetReadDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("client control connection read err: %s", err)
-			// 				break
-			// 			} else {
-			// 				// log.Printf("heartbeat from client ,id:%s", clientID)
-			// 			}
-			// 		}
-			// 		close(readDie)
-			// 	}()
-			// 	select {
-			// 	case <-readDie:
-			// 	case <-writeDie:
-			// 	}
-			// 	utils.CloseConn(&inConn)
-			// 	s.cmClient.Remove(clientID)
-			// 	if s.clientControlConns.Has(clientID) {
-			// 		item, _ := s.clientControlConns.Get(clientID)
-			// 		(*item.(*net.Conn)).Close()
-			// 	}
-			// 	s.clientControlConns.Remove(clientID)
-			// 	log.Printf("client heartbeat conn %s released", clientID)
-		}
-	})
+	err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.callback)
 	if err != nil {
 		return
 	}
-	log.Printf("proxy on tunnel bridge mode %s", (*sc.Listener).Addr())
+	s.log.Printf("proxy on tunnel bridge mode %s", (*sc.Listener).Addr())
 	return
 }
 func (s *TunnelBridge) Clean() {
 	s.StopService()
 }
+func (s *TunnelBridge) callback(inConn net.Conn) {
+	var err error
+	//s.log.Printf("connection from %s ", inConn.RemoteAddr())
+	sess, err := smux.Server(inConn, &smux.Config{
+		KeepAliveInterval: 10 * time.Second,
+		KeepAliveTimeout:  time.Duration(*s.cfg.Timeout) * time.Second,
+		MaxFrameSize:      4096,
+		MaxReceiveBuffer:  4194304,
+	})
+	if err != nil {
+		s.log.Printf("new mux server conn error,ERR:%s", err)
+		return
+	}
+	inConn, err = sess.AcceptStream()
+	if err != nil {
+		s.log.Printf("mux server conn accept error,ERR:%s", err)
+		return
+	}
+
+	var buf = make([]byte, 1024)
+	n, _ := inConn.Read(buf)
+	reader := bytes.NewReader(buf[:n])
+	//reader := bufio.NewReader(inConn)
+
+	var connType uint8
+	err = utils.ReadPacket(reader, &connType)
+	if err != nil {
+		s.log.Printf("read error,ERR:%s", err)
+		return
+	}
+	switch connType {
+	case CONN_SERVER:
+		var key, ID, clientLocalAddr, serverID string
+		err = utils.ReadPacketData(reader, &key, &ID, &clientLocalAddr, &serverID)
+		if err != nil {
+			s.log.Printf("read error,ERR:%s", err)
+			return
+		}
+		packet := utils.BuildPacketData(ID, clientLocalAddr, serverID)
+		s.log.Printf("server connection, key: %s , id: %s %s %s", key, ID, clientLocalAddr, serverID)
+
+		//addr := clientLocalAddr + "@" + ID
+		s.serverConns.Set(ID, ServerConn{
+			Conn: &inConn,
+		})
+		for {
+			if s.isStop {
+				return
+			}
+			item, ok := s.clientControlConns.Get(key)
+			if !ok {
+				s.log.Printf("client %s control conn not exists", key)
+				time.Sleep(time.Second * 3)
+				continue
+			}
+			(*item.(*net.Conn)).SetWriteDeadline(time.Now().Add(time.Second * 3))
+			_, err := (*item.(*net.Conn)).Write(packet)
+			(*item.(*net.Conn)).SetWriteDeadline(time.Time{})
+			if err != nil {
+				s.log.Printf("%s client control conn write signal fail, err: %s, retrying...", key, err)
+				time.Sleep(time.Second * 3)
+				continue
+			} else {
+				// s.cmServer.Add(serverID, ID, &inConn)
+				break
+			}
+		}
+	case CONN_CLIENT:
+		var key, ID, serverID string
+		err = utils.ReadPacketData(reader, &key, &ID, &serverID)
+		if err != nil {
+			s.log.Printf("read error,ERR:%s", err)
+			return
+		}
+		s.log.Printf("client connection , key: %s , id: %s, server id:%s", key, ID, serverID)
+
+		serverConnItem, ok := s.serverConns.Get(ID)
+		if !ok {
+			inConn.Close()
+			s.log.Printf("server conn %s exists", ID)
+			return
+		}
+		serverConn := serverConnItem.(ServerConn).Conn
+		utils.IoBind(*serverConn, inConn, func(err interface{}) {
+			s.serverConns.Remove(ID)
+			// s.cmClient.RemoveOne(key, ID)
+			// s.cmServer.RemoveOne(serverID, ID)
+			s.log.Printf("conn %s released", ID)
+		}, s.log)
+		// s.cmClient.Add(key, ID, &inConn)
+		s.log.Printf("conn %s created", ID)
+
+	case CONN_CLIENT_CONTROL:
+		var key string
+		err = utils.ReadPacketData(reader, &key)
+		if err != nil {
+			s.log.Printf("read error,ERR:%s", err)
+			return
+		}
+		s.log.Printf("client control connection, key: %s", key)
+		if s.clientControlConns.Has(key) {
+			item, _ := s.clientControlConns.Get(key)
+			(*item.(*net.Conn)).Close()
+		}
+		s.clientControlConns.Set(key, &inConn)
+		s.log.Printf("set client %s control conn", key)
+	}
+}
--- a/services/tunnel_client.go
+++ b/services/tunnel_client.go
@ -4,117 +4,88 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+
+	"github.com/xtaci/smux"
 )

 type TunnelClient struct {
-	cfg TunnelClientArgs
-	// cm       utils.ConnManager
-	ctrlConn net.Conn
+	cfg       TunnelClientArgs
+	ctrlConn  net.Conn
+	isStop    bool
+	userConns utils.ConcurrentMap
+	log       *logger.Logger
 }

 func NewTunnelClient() Service {
 	return &TunnelClient{
-		cfg: TunnelClientArgs{},
-		// cm:  utils.NewConnManager(),
+		cfg:       TunnelClientArgs{},
+		userConns: utils.NewConcurrentMap(),
+		isStop:    false,
 	}
 }

-func (s *TunnelClient) InitService() {
-	// s.InitHeartbeatDeamon()
+func (s *TunnelClient) InitService() (err error) {
+	return
 }

-// func (s *TunnelClient) InitHeartbeatDeamon() {
-// 	log.Printf("heartbeat started")
-// 	go func() {
-// 		var heartbeatConn net.Conn
-// 		var ID = *s.cfg.Key
-// 		for {
-
-// 			//close all connection
-// 			s.cm.RemoveAll()
-// 			if s.ctrlConn != nil {
-// 				s.ctrlConn.Close()
-// 			}
-// 			utils.CloseConn(&heartbeatConn)
-// 			heartbeatConn, err := s.GetInConn(CONN_CLIENT_HEARBEAT, ID)
-// 			if err != nil {
-// 				log.Printf("heartbeat connection err: %s, retrying...", err)
-// 				time.Sleep(time.Second * 3)
-// 				utils.CloseConn(&heartbeatConn)
-// 				continue
-// 			}
-// 			log.Printf("heartbeat connection created,id:%s", ID)
-// 			writeDie := make(chan bool)
-// 			readDie := make(chan bool)
-// 			go func() {
-// 				for {
-// 					heartbeatConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-// 					_, err = heartbeatConn.Write([]byte{0x00})
-// 					heartbeatConn.SetWriteDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection write err %s", err)
-// 						break
-// 					}
-// 					time.Sleep(time.Second * 3)
-// 				}
-// 				close(writeDie)
-// 			}()
-// 			go func() {
-// 				for {
-// 					signal := make([]byte, 1)
-// 					heartbeatConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-// 					_, err := heartbeatConn.Read(signal)
-// 					heartbeatConn.SetReadDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection read err: %s", err)
-// 						break
-// 					} else {
-// 						//log.Printf("heartbeat from bridge")
-// 					}
-// 				}
-// 				close(readDie)
-// 			}()
-// 			select {
-// 			case <-readDie:
-// 			case <-writeDie:
-// 			}
-// 		}
-// 	}()
-// }
-func (s *TunnelClient) CheckArgs() {
+func (s *TunnelClient) CheckArgs() (err error) {
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use tls parent %s", *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	return
 }
 func (s *TunnelClient) StopService() {
-	// s.cm.RemoveAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop tclient service crashed,%s", e)
+		} else {
+			s.log.Printf("service tclient stoped")
+		}
+	}()
+	s.isStop = true
+	if s.ctrlConn != nil {
+		s.ctrlConn.Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
 }
-func (s *TunnelClient) Start(args interface{}) (err error) {
+func (s *TunnelClient) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelClientArgs)
-	s.CheckArgs()
-	s.InitService()
-	log.Printf("proxy on tunnel client mode")
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("proxy on tunnel client mode")

 	for {
-		//close all conn
-		// s.cm.Remove(*s.cfg.Key)
+		if s.isStop {
+			return
+		}
 		if s.ctrlConn != nil {
 			s.ctrlConn.Close()
 		}

 		s.ctrlConn, err = s.GetInConn(CONN_CLIENT_CONTROL, *s.cfg.Key)
 		if err != nil {
-			log.Printf("control connection err: %s, retrying...", err)
+			s.log.Printf("control connection err: %s, retrying...", err)
 			time.Sleep(time.Second * 3)
 			if s.ctrlConn != nil {
 				s.ctrlConn.Close()
@ -122,16 +93,19 @@ func (s *TunnelClient) Start(args interface{}) (err error) {
 			continue
 		}
 		for {
+			if s.isStop {
+				return
+			}
 			var ID, clientLocalAddr, serverID string
 			err = utils.ReadPacketData(s.ctrlConn, &ID, &clientLocalAddr, &serverID)
 			if err != nil {
 				if s.ctrlConn != nil {
 					s.ctrlConn.Close()
 				}
-				log.Printf("read connection signal err: %s, retrying...", err)
+				s.log.Printf("read connection signal err: %s, retrying...", err)
 				break
 			}
-			log.Printf("signal revecived:%s %s %s", serverID, ID, clientLocalAddr)
+			s.log.Printf("signal revecived:%s %s %s", serverID, ID, clientLocalAddr)
 			protocol := clientLocalAddr[:3]
 			localAddr := clientLocalAddr[4:]
 			if protocol == "udp" {
@ -161,9 +135,26 @@ func (s *TunnelClient) GetInConn(typ uint8, data ...string) (outConn net.Conn, e
 }
 func (s *TunnelClient) GetConn() (conn net.Conn, err error) {
 	var _conn tls.Conn
-	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes)
+	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
 	if err == nil {
 		conn = net.Conn(&_conn)
+		c, e := smux.Client(conn, &smux.Config{
+			KeepAliveInterval: 10 * time.Second,
+			KeepAliveTimeout:  time.Duration(*s.cfg.Timeout) * time.Second,
+			MaxFrameSize:      4096,
+			MaxReceiveBuffer:  4194304,
+		})
+		if e != nil {
+			s.log.Printf("new mux client conn error,ERR:%s", e)
+			err = e
+			return
+		}
+		conn, e = c.OpenStream()
+		if e != nil {
+			s.log.Printf("mux client conn open stream error,ERR:%s", e)
+			err = e
+			return
+		}
 	}
 	return
 }
@ -172,11 +163,17 @@ func (s *TunnelClient) ServeUDP(localAddr, ID, serverID string) {
 	var err error
 	// for {
 	for {
+		if s.isStop {
+			if inConn != nil {
+				inConn.Close()
+			}
+			return
+		}
 		// s.cm.RemoveOne(*s.cfg.Key, ID)
 		inConn, err = s.GetInConn(CONN_CLIENT, *s.cfg.Key, ID, serverID)
 		if err != nil {
 			utils.CloseConn(&inConn)
-			log.Printf("connection err: %s, retrying...", err)
+			s.log.Printf("connection err: %s, retrying...", err)
 			time.Sleep(time.Second * 3)
 			continue
 		} else {
@ -184,18 +181,21 @@ func (s *TunnelClient) ServeUDP(localAddr, ID, serverID string) {
 		}
 	}
 	// s.cm.Add(*s.cfg.Key, ID, &inConn)
-	log.Printf("conn %s created", ID)
+	s.log.Printf("conn %s created", ID)

 	for {
+		if s.isStop {
+			return
+		}
 		srcAddr, body, err := utils.ReadUDPPacket(inConn)
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
-			log.Printf("connection %s released", ID)
+			s.log.Printf("connection %s released", ID)
 			utils.CloseConn(&inConn)
 			break
 		} else if err != nil {
-			log.Printf("udp packet revecived fail, err: %s", err)
+			s.log.Printf("udp packet revecived fail, err: %s", err)
 		} else {
-			//log.Printf("udp packet revecived:%s,%v", srcAddr, body)
+			//s.log.Printf("udp packet revecived:%s,%v", srcAddr, body)
 			go s.processUDPPacket(&inConn, srcAddr, localAddr, body)
 		}

@ -205,48 +205,51 @@ func (s *TunnelClient) ServeUDP(localAddr, ID, serverID string) {
 func (s *TunnelClient) processUDPPacket(inConn *net.Conn, srcAddr, localAddr string, body []byte) {
 	dstAddr, err := net.ResolveUDPAddr("udp", localAddr)
 	if err != nil {
-		log.Printf("can't resolve address: %s", err)
+		s.log.Printf("can't resolve address: %s", err)
 		utils.CloseConn(inConn)
 		return
 	}
 	clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 	if err != nil {
-		log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = conn.Write(body)
 	if err != nil {
-		log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("send udp packet to %s success", dstAddr.String())
+	//s.log.Printf("send udp packet to %s success", dstAddr.String())
 	buf := make([]byte, 1024)
 	length, _, err := conn.ReadFromUDP(buf)
 	if err != nil {
-		log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	respBody := buf[0:length]
-	//log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
+	//s.log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 	bs := utils.UDPPacket(srcAddr, respBody)
 	_, err = (*inConn).Write(bs)
 	if err != nil {
-		log.Printf("send udp response fail ,ERR:%s", err)
+		s.log.Printf("send udp response fail ,ERR:%s", err)
 		utils.CloseConn(inConn)
 		return
 	}
-	//log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
+	//s.log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
 }
 func (s *TunnelClient) ServeConn(localAddr, ID, serverID string) {
 	var inConn, outConn net.Conn
 	var err error
 	for {
+		if s.isStop {
+			return
+		}
 		inConn, err = s.GetInConn(CONN_CLIENT, *s.cfg.Key, ID, serverID)
 		if err != nil {
 			utils.CloseConn(&inConn)
-			log.Printf("connection err: %s, retrying...", err)
+			s.log.Printf("connection err: %s, retrying...", err)
 			time.Sleep(time.Second * 3)
 			continue
 		} else {
@ -256,13 +259,16 @@ func (s *TunnelClient) ServeConn(localAddr, ID, serverID string) {

 	i := 0
 	for {
+		if s.isStop {
+			return
+		}
 		i++
 		outConn, err = utils.ConnectHost(localAddr, *s.cfg.Timeout)
 		if err == nil || i == 3 {
 			break
 		} else {
 			if i == 3 {
-				log.Printf("connect to %s err: %s, retrying...", localAddr, err)
+				s.log.Printf("connect to %s err: %s, retrying...", localAddr, err)
 				time.Sleep(2 * time.Second)
 				continue
 			}
@ -271,13 +277,17 @@ func (s *TunnelClient) ServeConn(localAddr, ID, serverID string) {
 	if err != nil {
 		utils.CloseConn(&inConn)
 		utils.CloseConn(&outConn)
-		log.Printf("build connection error, err: %s", err)
+		s.log.Printf("build connection error, err: %s", err)
 		return
 	}
+	inAddr := inConn.RemoteAddr().String()
 	utils.IoBind(inConn, outConn, func(err interface{}) {
-		log.Printf("conn %s released", ID)
-		// s.cm.RemoveOne(*s.cfg.Key, ID)
-	})
-	// s.cm.Add(*s.cfg.Key, ID, &inConn)
-	log.Printf("conn %s created", ID)
+		s.log.Printf("conn %s released", ID)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, &inConn)
+	s.log.Printf("conn %s created", ID)
 }
--- a/services/tunnel_server.go
+++ b/services/tunnel_server.go
@ -4,27 +4,34 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+
+	"github.com/xtaci/smux"
 )

 type TunnelServer struct {
-	cfg    TunnelServerArgs
-	udpChn chan UDPItem
-	sc     utils.ServerChannel
+	cfg       TunnelServerArgs
+	udpChn    chan UDPItem
+	sc        utils.ServerChannel
+	isStop    bool
+	udpConn   *net.Conn
+	userConns utils.ConcurrentMap
+	log       *logger.Logger
 }

 type TunnelServerManager struct {
 	cfg      TunnelServerArgs
 	udpChn   chan UDPItem
-	sc       utils.ServerChannel
 	serverID string
-	// cm       utils.ConnManager
+	servers  []*Service
+	log      *logger.Logger
 }

 func NewTunnelServerManager() Service {
@ -32,22 +39,28 @@ func NewTunnelServerManager() Service {
 		cfg:      TunnelServerArgs{},
 		udpChn:   make(chan UDPItem, 50000),
 		serverID: utils.Uniqueid(),
-		// cm:       utils.NewConnManager(),
+		servers:  []*Service{},
 	}
 }
-func (s *TunnelServerManager) Start(args interface{}) (err error) {
+func (s *TunnelServerManager) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelServerArgs)
-	s.CheckArgs()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use tls parent %s", *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}

-	s.InitService()
+	if err = s.InitService(); err != nil {
+		return
+	}

-	log.Printf("server id: %s", s.serverID)
-	//log.Printf("route:%v", *s.cfg.Route)
+	s.log.Printf("server id: %s", s.serverID)
+	//s.log.Printf("route:%v", *s.cfg.Route)
 	for _, _info := range *s.cfg.Route {
 		IsUDP := *s.cfg.IsUDP
 		if strings.HasPrefix(_info, "udp://") {
@ -79,11 +92,12 @@ func (s *TunnelServerManager) Start(args interface{}) (err error) {
 			Key:       &KEY,
 			Timeout:   s.cfg.Timeout,
 			Mgr:       s,
-		})
+		}, log)

 		if err != nil {
 			return
 		}
+		s.servers = append(s.servers, &server)
 	}
 	return
 }
@ -91,82 +105,32 @@ func (s *TunnelServerManager) Clean() {
 	s.StopService()
 }
 func (s *TunnelServerManager) StopService() {
-	// s.cm.RemoveAll()
-}
-func (s *TunnelServerManager) CheckArgs() {
-	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+	for _, server := range s.servers {
+		(*server).Clean()
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
 }
-func (s *TunnelServerManager) InitService() {
-	// s.InitHeartbeatDeamon()
+func (s *TunnelServerManager) CheckArgs() (err error) {
+	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
+		err = fmt.Errorf("cert and key file required")
+		return
+	}
+	s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	return
+}
+func (s *TunnelServerManager) InitService() (err error) {
+	return
 }

-// func (s *TunnelServerManager) InitHeartbeatDeamon() {
-// 	log.Printf("heartbeat started")
-// 	go func() {
-// 		var heartbeatConn net.Conn
-// 		var ID string
-// 		for {
-// 			//close all connection
-// 			s.cm.Remove(ID)
-// 			utils.CloseConn(&heartbeatConn)
-// 			heartbeatConn, ID, err := s.GetOutConn(CONN_SERVER_HEARBEAT)
-// 			if err != nil {
-// 				log.Printf("heartbeat connection err: %s, retrying...", err)
-// 				time.Sleep(time.Second * 3)
-// 				utils.CloseConn(&heartbeatConn)
-// 				continue
-// 			}
-// 			log.Printf("heartbeat connection created,id:%s", ID)
-// 			writeDie := make(chan bool)
-// 			readDie := make(chan bool)
-// 			go func() {
-// 				for {
-// 					heartbeatConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-// 					_, err = heartbeatConn.Write([]byte{0x00})
-// 					heartbeatConn.SetWriteDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection write err %s", err)
-// 						break
-// 					}
-// 					time.Sleep(time.Second * 3)
-// 				}
-// 				close(writeDie)
-// 			}()
-// 			go func() {
-// 				for {
-// 					signal := make([]byte, 1)
-// 					heartbeatConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-// 					_, err := heartbeatConn.Read(signal)
-// 					heartbeatConn.SetReadDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection read err: %s", err)
-// 						break
-// 					} else {
-// 						// log.Printf("heartbeat from bridge")
-// 					}
-// 				}
-// 				close(readDie)
-// 			}()
-// 			select {
-// 			case <-readDie:
-// 			case <-writeDie:
-// 			}
-// 		}
-// 	}()
-// }
 func (s *TunnelServerManager) GetOutConn(typ uint8) (outConn net.Conn, ID string, err error) {
 	outConn, err = s.GetConn()
 	if err != nil {
-		log.Printf("connection err: %s", err)
+		s.log.Printf("connection err: %s", err)
 		return
 	}
 	ID = s.serverID
 	_, err = outConn.Write(utils.BuildPacket(typ, s.serverID))
 	if err != nil {
-		log.Printf("write connection data err: %s ,retrying...", err)
+		s.log.Printf("write connection data err: %s ,retrying...", err)
 		utils.CloseConn(&outConn)
 		return
 	}
@ -174,7 +138,7 @@ func (s *TunnelServerManager) GetOutConn(typ uint8) (outConn net.Conn, ID string
 }
 func (s *TunnelServerManager) GetConn() (conn net.Conn, err error) {
 	var _conn tls.Conn
-	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes)
+	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
 	if err == nil {
 		conn = net.Conn(&_conn)
 	}
@ -182,8 +146,10 @@ func (s *TunnelServerManager) GetConn() (conn net.Conn, err error) {
 }
 func NewTunnelServer() Service {
 	return &TunnelServer{
-		cfg:    TunnelServerArgs{},
-		udpChn: make(chan UDPItem, 50000),
+		cfg:       TunnelServerArgs{},
+		udpChn:    make(chan UDPItem, 50000),
+		isStop:    false,
+		userConns: utils.NewConcurrentMap(),
 	}
 }

@ -193,22 +159,54 @@ type UDPItem struct {
 	srcAddr   *net.UDPAddr
 }

-func (s *TunnelServer) InitService() {
-	s.UDPConnDeamon()
-}
-func (s *TunnelServer) CheckArgs() {
-	if *s.cfg.Remote == "" {
-		log.Fatalf("remote required")
+func (s *TunnelServer) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop server service crashed,%s", e)
+		} else {
+			s.log.Printf("service server stoped")
+		}
+	}()
+	s.isStop = true
+
+	if s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
+	}
+	if s.udpConn != nil {
+		(*s.udpConn).Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
 	}
 }
+func (s *TunnelServer) InitService() (err error) {
+	s.UDPConnDeamon()
+	return
+}
+func (s *TunnelServer) CheckArgs() (err error) {
+	if *s.cfg.Remote == "" {
+		err = fmt.Errorf("remote required")
+		return
+	}
+	return
+}

-func (s *TunnelServer) Start(args interface{}) (err error) {
+func (s *TunnelServer) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelServerArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	s.sc = utils.NewServerChannel(host, p)
+	s.sc = utils.NewServerChannel(host, p, s.log)
 	if *s.cfg.IsUDP {
 		err = s.sc.ListenUDP(func(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 			s.udpChn <- UDPItem{
@ -220,39 +218,45 @@ func (s *TunnelServer) Start(args interface{}) (err error) {
 		if err != nil {
 			return
 		}
-		log.Printf("proxy on udp tunnel server mode %s", (*s.sc.UDPListener).LocalAddr())
+		s.log.Printf("proxy on udp tunnel server mode %s", (*s.sc.UDPListener).LocalAddr())
 	} else {
 		err = s.sc.ListenTCP(func(inConn net.Conn) {
 			defer func() {
 				if err := recover(); err != nil {
-					log.Printf("tserver conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+					s.log.Printf("tserver conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 				}
 			}()
 			var outConn net.Conn
 			var ID string
 			for {
+				if s.isStop {
+					return
+				}
 				outConn, ID, err = s.GetOutConn(CONN_SERVER)
 				if err != nil {
 					utils.CloseConn(&outConn)
-					log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+					s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 					time.Sleep(time.Second * 3)
 					continue
 				} else {
 					break
 				}
 			}
+			inAddr := inConn.RemoteAddr().String()
 			utils.IoBind(inConn, outConn, func(err interface{}) {
-				// s.cfg.Mgr.cm.RemoveOne(s.cfg.Mgr.serverID, ID)
-				log.Printf("%s conn %s released", *s.cfg.Key, ID)
-			})
-			//add conn
-			// s.cfg.Mgr.cm.Add(s.cfg.Mgr.serverID, ID, &inConn)
-			log.Printf("%s conn %s created", *s.cfg.Key, ID)
+				s.userConns.Remove(inAddr)
+				s.log.Printf("%s conn %s released", *s.cfg.Key, ID)
+			}, s.log)
+			if c, ok := s.userConns.Get(inAddr); ok {
+				(*c.(*net.Conn)).Close()
+			}
+			s.userConns.Set(inAddr, &inConn)
+			s.log.Printf("%s conn %s created", *s.cfg.Key, ID)
 		})
 		if err != nil {
 			return
 		}
-		log.Printf("proxy on tunnel server mode %s", (*s.sc.Listener).Addr())
+		s.log.Printf("proxy on tunnel server mode %s", (*s.sc.Listener).Addr())
 	}
 	return
 }
@ -262,7 +266,7 @@ func (s *TunnelServer) Clean() {
 func (s *TunnelServer) GetOutConn(typ uint8) (outConn net.Conn, ID string, err error) {
 	outConn, err = s.GetConn()
 	if err != nil {
-		log.Printf("connection err: %s", err)
+		s.log.Printf("connection err: %s", err)
 		return
 	}
 	remoteAddr := "tcp:" + *s.cfg.Remote
@ -272,7 +276,7 @@ func (s *TunnelServer) GetOutConn(typ uint8) (outConn net.Conn, ID string, err e
 	ID = utils.Uniqueid()
 	_, err = outConn.Write(utils.BuildPacket(typ, *s.cfg.Key, ID, remoteAddr, s.cfg.Mgr.serverID))
 	if err != nil {
-		log.Printf("write connection data err: %s ,retrying...", err)
+		s.log.Printf("write connection data err: %s ,retrying...", err)
 		utils.CloseConn(&outConn)
 		return
 	}
@ -280,9 +284,26 @@ func (s *TunnelServer) GetOutConn(typ uint8) (outConn net.Conn, ID string, err e
 }
 func (s *TunnelServer) GetConn() (conn net.Conn, err error) {
 	var _conn tls.Conn
-	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes)
+	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
 	if err == nil {
 		conn = net.Conn(&_conn)
+		c, e := smux.Client(conn, &smux.Config{
+			KeepAliveInterval: 10 * time.Second,
+			KeepAliveTimeout:  time.Duration(*s.cfg.Timeout) * time.Second,
+			MaxFrameSize:      4096,
+			MaxReceiveBuffer:  4194304,
+		})
+		if e != nil {
+			s.log.Printf("new mux client conn error,ERR:%s", e)
+			err = e
+			return
+		}
+		conn, e = c.OpenStream()
+		if e != nil {
+			s.log.Printf("mux client conn open stream error,ERR:%s", e)
+			err = e
+			return
+		}
 	}
 	return
 }
@ -290,7 +311,7 @@ func (s *TunnelServer) UDPConnDeamon() {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
-				log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+				s.log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 			}
 		}()
 		var outConn net.Conn
@ -299,48 +320,60 @@ func (s *TunnelServer) UDPConnDeamon() {
 		// var cmdChn = make(chan bool, 1000)
 		var err error
 		for {
+			if s.isStop {
+				return
+			}
 			item := <-s.udpChn
 		RETRY:
+			if s.isStop {
+				return
+			}
 			if outConn == nil {
 				for {
+					if s.isStop {
+						return
+					}
 					outConn, ID, err = s.GetOutConn(CONN_SERVER)
 					if err != nil {
 						// cmdChn <- true
 						outConn = nil
 						utils.CloseConn(&outConn)
-						log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+						s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 						time.Sleep(time.Second * 3)
 						continue
 					} else {
 						go func(outConn net.Conn, ID string) {
-							go func() {
-								// <-cmdChn
-								// outConn.Close()
-							}()
+							if s.udpConn != nil {
+								(*s.udpConn).Close()
+							}
+							s.udpConn = &outConn
 							for {
+								if s.isStop {
+									return
+								}
 								srcAddrFromConn, body, err := utils.ReadUDPPacket(outConn)
 								if err == io.EOF || err == io.ErrUnexpectedEOF {
-									log.Printf("UDP deamon connection %s exited", ID)
+									s.log.Printf("UDP deamon connection %s exited", ID)
 									break
 								}
 								if err != nil {
-									log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
+									s.log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
 									continue
 								}
-								//log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
+								//s.log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
 								_srcAddr := strings.Split(srcAddrFromConn, ":")
 								if len(_srcAddr) != 2 {
-									log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
+									s.log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
 									continue
 								}
 								port, _ := strconv.Atoi(_srcAddr[1])
 								dstAddr := &net.UDPAddr{IP: net.ParseIP(_srcAddr[0]), Port: port}
 								_, err = s.sc.UDPListener.WriteToUDP(body, dstAddr)
 								if err != nil {
-									log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
+									s.log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
 									continue
 								}
-								//log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
+								//s.log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
 							}
 						}(outConn, ID)
 						break
@ -353,10 +386,10 @@ func (s *TunnelServer) UDPConnDeamon() {
 			if err != nil {
 				utils.CloseConn(&outConn)
 				outConn = nil
-				log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
+				s.log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
 				goto RETRY
 			}
-			//log.Printf("write packet %v", *item.packet)
+			//s.log.Printf("write packet %v", *item.packet)
 		}
 	}()
 }
--- a/services/udp.go
+++ b/services/udp.go
@ -5,64 +5,92 @@ import (
 	"fmt"
 	"hash/crc32"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"proxy/utils"
 	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/snail007/goproxy/services/kcpcfg"
+	"github.com/snail007/goproxy/utils"
 )

 type UDP struct {
 	p       utils.ConcurrentMap
-	outPool utils.OutPool
+	outPool utils.OutConn
 	cfg     UDPArgs
 	sc      *utils.ServerChannel
+	isStop  bool
+	log     *logger.Logger
 }

 func NewUDP() Service {
 	return &UDP{
-		outPool: utils.OutPool{},
+		outPool: utils.OutConn{},
 		p:       utils.NewConcurrentMap(),
+		isStop:  false,
 	}
 }
-func (s *UDP) CheckArgs() {
+func (s *UDP) CheckArgs() (err error) {
 	if *s.cfg.Parent == "" {
-		log.Fatalf("parent required for udp %s", *s.cfg.Local)
+		err = fmt.Errorf("parent required for udp %s", *s.cfg.Local)
+		return
 	}
 	if *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp>")
+		return
 	}
 	if *s.cfg.ParentType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
 	}
+	return
 }
-func (s *UDP) InitService() {
+func (s *UDP) InitService() (err error) {
 	if *s.cfg.ParentType != TYPE_UDP {
 		s.InitOutConnPool()
 	}
+	return
 }
 func (s *UDP) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop udp service crashed,%s", e)
+		} else {
+			s.log.Printf("service udp stoped")
+		}
+	}()
+	s.isStop = true
+	if s.sc.Listener != nil && *s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
 	}
 }
-func (s *UDP) Start(args interface{}) (err error) {
+func (s *UDP) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(UDPArgs)
-	s.CheckArgs()
-	log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
-	s.InitService()
-
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)
 	s.sc = &sc
 	err = sc.ListenUDP(s.callback)
 	if err != nil {
 		return
 	}
-	log.Printf("udp proxy on %s", (*sc.UDPListener).LocalAddr())
+	s.log.Printf("udp proxy on %s", (*sc.UDPListener).LocalAddr())
 	return
 }

@ -72,7 +100,7 @@ func (s *UDP) Clean() {
 func (s *UDP) callback(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("udp conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+			s.log.Printf("udp conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 		}
 	}()
 	var err error
@ -87,14 +115,14 @@ func (s *UDP) callback(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 		err = fmt.Errorf("unkown parent type %s", *s.cfg.ParentType)
 	}
 	if err != nil {
-		log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
+		s.log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
 	}
 }
 func (s *UDP) GetConn(connKey string) (conn net.Conn, isNew bool, err error) {
 	isNew = !s.p.Has(connKey)
 	var _conn interface{}
 	if isNew {
-		_conn, err = s.outPool.Pool.Get()
+		_conn, err = s.outPool.Get()
 		if err != nil {
 			return nil, false, err
 		}
@ -108,112 +136,114 @@ func (s *UDP) GetConn(connKey string) (conn net.Conn, isNew bool, err error) {
 func (s *UDP) OutToTCP(packet []byte, localAddr, srcAddr *net.UDPAddr) (err error) {
 	numLocal := crc32.ChecksumIEEE([]byte(localAddr.String()))
 	numSrc := crc32.ChecksumIEEE([]byte(srcAddr.String()))
-	mod := uint32(*s.cfg.PoolSize)
+	mod := uint32(10)
 	if mod == 0 {
 		mod = 10
 	}
 	connKey := uint64((numLocal/10)*10 + numSrc%mod)
 	conn, isNew, err := s.GetConn(fmt.Sprintf("%d", connKey))
 	if err != nil {
-		log.Printf("upd get conn to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
+		s.log.Printf("upd get conn to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
 		return
 	}
 	if isNew {
 		go func() {
 			defer func() {
 				if err := recover(); err != nil {
-					log.Printf("udp conn handler out to tcp crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+					s.log.Printf("udp conn handler out to tcp crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 				}
 			}()
-			log.Printf("conn %d created , local: %s", connKey, srcAddr.String())
+			s.log.Printf("conn %d created , local: %s", connKey, srcAddr.String())
 			for {
+				if s.isStop {
+					conn.Close()
+					return
+				}
 				srcAddrFromConn, body, err := utils.ReadUDPPacket(bufio.NewReader(conn))
 				if err == io.EOF || err == io.ErrUnexpectedEOF {
-					//log.Printf("connection %d released", connKey)
+					//s.log.Printf("connection %d released", connKey)
 					s.p.Remove(fmt.Sprintf("%d", connKey))
 					break
 				}
 				if err != nil {
-					log.Printf("parse revecived udp packet fail, err: %s", err)
+					s.log.Printf("parse revecived udp packet fail, err: %s", err)
 					continue
 				}
-				//log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
+				//s.log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
 				_srcAddr := strings.Split(srcAddrFromConn, ":")
 				if len(_srcAddr) != 2 {
-					log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
+					s.log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
 					continue
 				}
 				port, _ := strconv.Atoi(_srcAddr[1])
 				dstAddr := &net.UDPAddr{IP: net.ParseIP(_srcAddr[0]), Port: port}
 				_, err = s.sc.UDPListener.WriteToUDP(body, dstAddr)
 				if err != nil {
-					log.Printf("udp response to local %s fail,ERR:%s", srcAddr, err)
+					s.log.Printf("udp response to local %s fail,ERR:%s", srcAddr, err)
 					continue
 				}
-				//log.Printf("udp response to local %s success", srcAddr)
+				//s.log.Printf("udp response to local %s success", srcAddr)
 			}
 		}()
 	}
-	//log.Printf("select conn %d , local: %s", connKey, srcAddr.String())
+	//s.log.Printf("select conn %d , local: %s", connKey, srcAddr.String())
 	writer := bufio.NewWriter(conn)
 	//fmt.Println(conn, writer)
 	writer.Write(utils.UDPPacket(srcAddr.String(), packet))
 	err = writer.Flush()
 	if err != nil {
-		log.Printf("write udp packet to %s fail ,flush err:%s", *s.cfg.Parent, err)
+		s.log.Printf("write udp packet to %s fail ,flush err:%s", *s.cfg.Parent, err)
 		return
 	}
-	//log.Printf("write packet %v", packet)
+	//s.log.Printf("write packet %v", packet)
 	return
 }
 func (s *UDP) OutToUDP(packet []byte, localAddr, srcAddr *net.UDPAddr) (err error) {
-	//log.Printf("udp packet revecived:%s,%v", srcAddr, packet)
+	//s.log.Printf("udp packet revecived:%s,%v", srcAddr, packet)
 	dstAddr, err := net.ResolveUDPAddr("udp", *s.cfg.Parent)
 	if err != nil {
-		log.Printf("resolve udp addr %s fail  fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("resolve udp addr %s fail  fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 	if err != nil {
-		log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = conn.Write(packet)
 	if err != nil {
-		log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("send udp packet to %s success", dstAddr.String())
+	//s.log.Printf("send udp packet to %s success", dstAddr.String())
 	buf := make([]byte, 512)
 	len, _, err := conn.ReadFromUDP(buf)
 	if err != nil {
-		log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
+	//s.log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 	_, err = s.sc.UDPListener.WriteToUDP(buf[0:len], srcAddr)
 	if err != nil {
-		log.Printf("send udp response to cluster fail ,ERR:%s", err)
+		s.log.Printf("send udp response to cluster fail ,ERR:%s", err)
 		return
 	}
-	//log.Printf("send udp response to cluster success ,from:%s", dstAddr.String())
+	//s.log.Printf("send udp response to cluster success ,from:%s", dstAddr.String())
 	return
 }
 func (s *UDP) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			*s.cfg.CheckParentInterval,
 			*s.cfg.ParentType,
-			"", "",
-			s.cfg.CertBytes, s.cfg.KeyBytes,
+			kcpcfg.KCPConfigArgs{},
+			s.cfg.CertBytes, s.cfg.KeyBytes, nil,
 			*s.cfg.Parent,
 			*s.cfg.Timeout,
-			*s.cfg.PoolSize,
-			*s.cfg.PoolSize*2,
 		)
 	}
 }
--- a/utils/conncrypt/conncrypt.go
+++ b/utils/conncrypt/conncrypt.go
@ -0,0 +1,95 @@
+package conncrypt
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"net"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+//Confg defaults
+const DefaultIterations = 2048
+const DefaultKeySize = 32 //256bits
+var DefaultHashFunc = sha256.New
+var DefaultSalt = []byte(`
+(;QUHj.BQ?RXzYSO]ifkXp/G!kFmWyXyEV6Nt!d|@bo+N$L9+<d$|g6e26T}
+Ao<:>SOd,6acYKY_ec+(x"R";\'4&fTAVu92GVA-wxBptOTM^2,iP5%)wnhW
+hwk=]Snsgymt!3gbP2pe=J//}1a?lp9ej=&TB!C_V(cT2?z8wyoL_-13fd[]
+`) //salt must be predefined in order to derive the same key
+
+//Config stores the PBKDF2 key generation parameters
+type Config struct {
+	Password   string
+	Salt       []byte
+	Iterations int
+	KeySize    int
+	HashFunc   func() hash.Hash
+}
+
+//New creates an AES encrypted net.Conn by generating
+//a key using PBKDF2 with the provided configuration
+func New(conn net.Conn, c *Config) net.Conn {
+	//set defaults
+	if len(c.Salt) == 0 {
+		c.Salt = DefaultSalt
+	}
+	if c.Iterations == 0 {
+		c.Iterations = DefaultIterations
+	}
+	if c.KeySize != 16 && c.KeySize != 24 && c.KeySize != 32 {
+		c.KeySize = DefaultKeySize
+	}
+	if c.HashFunc == nil {
+		c.HashFunc = DefaultHashFunc
+	}
+
+	//generate key
+	key := pbkdf2.Key([]byte(c.Password), c.Salt, c.Iterations, c.KeySize, c.HashFunc)
+
+	// could use scrypt, but it's a bit slow...
+	// dk, err := scrypt.Key([]byte(c.Password), c.Salt, 16384, 8, 1, 32)
+
+	//key will be always be the correct size so this will never error
+	conn, _ = NewFromKey(conn, key)
+	return conn
+}
+
+//NewFromKey creates an AES encrypted net.Conn using the provided key
+func NewFromKey(conn net.Conn, key []byte) (net.Conn, error) {
+	block, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return nil, err
+	}
+	//hash(key) -> read IV
+	riv := DefaultHashFunc().Sum(key)
+	rstream := cipher.NewCFBDecrypter(block, riv[:aes.BlockSize])
+	reader := &cipher.StreamReader{S: rstream, R: conn}
+	//hash(read IV) -> write IV
+	wiv := DefaultHashFunc().Sum(riv)
+	wstream := cipher.NewCFBEncrypter(block, wiv[:aes.BlockSize])
+	writer := &cipher.StreamWriter{S: wstream, W: conn}
+
+	return &cryptoConn{
+		Conn: conn,
+		r:    reader,
+		w:    writer,
+	}, nil
+}
+
+type cryptoConn struct {
+	net.Conn
+	r io.Reader
+	w io.Writer
+}
+
+//replace read and write methods
+func (c *cryptoConn) Read(p []byte) (int, error) {
+	return c.r.Read(p)
+}
+func (c *cryptoConn) Write(p []byte) (int, error) {
+	return c.w.Write(p)
+}
--- a/utils/functions.go
+++ b/utils/functions.go
@ -7,27 +7,32 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/binary"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
+	logger "log"
+	"math/rand"
 	"net"
 	"net/http"
 	"os"
 	"os/exec"

+	"github.com/snail007/goproxy/services/kcpcfg"
+
 	"golang.org/x/crypto/pbkdf2"

-	"proxy/utils/id"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils/id"
+
 	kcp "github.com/xtaci/kcp-go"
 )

-func IoBind(dst io.ReadWriteCloser, src io.ReadWriteCloser, fn func(err interface{})) {
+func IoBind(dst io.ReadWriteCloser, src io.ReadWriteCloser, fn func(err interface{}), log *logger.Logger) {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
@ -65,11 +70,14 @@ func IoBind(dst io.ReadWriteCloser, src io.ReadWriteCloser, fn func(err interfac
 		}
 		src.Close()
 		dst.Close()
-		fn(err)
+		if fn != nil {
+			fn(err)
+		}
 	}()
 }
 func ioCopy(dst io.ReadWriter, src io.ReadWriter) (err error) {
-	buf := make([]byte, 32*1024)
+	buf := LeakyBuffer.Get()
+	defer LeakyBuffer.Put(buf)
 	n := 0
 	for {
 		n, err = src.Read(buf)
@ -83,14 +91,14 @@ func ioCopy(dst io.ReadWriter, src io.ReadWriter) (err error) {
 		}
 	}
 }
-func TlsConnectHost(host string, timeout int, certBytes, keyBytes []byte) (conn tls.Conn, err error) {
+func TlsConnectHost(host string, timeout int, certBytes, keyBytes, caCertBytes []byte) (conn tls.Conn, err error) {
 	h := strings.Split(host, ":")
 	port, _ := strconv.Atoi(h[1])
-	return TlsConnect(h[0], port, timeout, certBytes, keyBytes)
+	return TlsConnect(h[0], port, timeout, certBytes, keyBytes, caCertBytes)
 }

-func TlsConnect(host string, port, timeout int, certBytes, keyBytes []byte) (conn tls.Conn, err error) {
-	conf, err := getRequestTlsConfig(certBytes, keyBytes)
+func TlsConnect(host string, port, timeout int, certBytes, keyBytes, caCertBytes []byte) (conn tls.Conn, err error) {
+	conf, err := getRequestTlsConfig(certBytes, keyBytes, caCertBytes)
 	if err != nil {
 		return
 	}
@ -100,22 +108,49 @@ func TlsConnect(host string, port, timeout int, certBytes, keyBytes []byte) (con
 	}
 	return *tls.Client(_conn, conf), err
 }
-func getRequestTlsConfig(certBytes, keyBytes []byte) (conf *tls.Config, err error) {
+func getRequestTlsConfig(certBytes, keyBytes, caCertBytes []byte) (conf *tls.Config, err error) {
+
 	var cert tls.Certificate
 	cert, err = tls.X509KeyPair(certBytes, keyBytes)
 	if err != nil {
 		return
 	}
 	serverCertPool := x509.NewCertPool()
-	ok := serverCertPool.AppendCertsFromPEM(certBytes)
+	caBytes := certBytes
+	if caCertBytes != nil {
+		caBytes = caCertBytes
+
+	}
+	ok := serverCertPool.AppendCertsFromPEM(caBytes)
 	if !ok {
 		err = errors.New("failed to parse root certificate")
 	}
+	block, _ := pem.Decode(caBytes)
+	if block == nil {
+		panic("failed to parse certificate PEM")
+	}
+	x509Cert, _ := x509.ParseCertificate(block.Bytes)
+	if x509Cert == nil {
+		panic("failed to parse block")
+	}
 	conf = &tls.Config{
 		RootCAs:            serverCertPool,
 		Certificates:       []tls.Certificate{cert},
-		ServerName:         "proxy",
-		InsecureSkipVerify: false,
+		InsecureSkipVerify: true,
+		ServerName:         x509Cert.Subject.CommonName,
+		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			opts := x509.VerifyOptions{
+				Roots: serverCertPool,
+			}
+			for _, rawCert := range rawCerts {
+				cert, _ := x509.ParseCertificate(rawCert)
+				_, err := cert.Verify(opts)
+				if err != nil {
+					return err
+				}
+			}
+			return nil
+		},
 	}
 	return
 }
@ -124,40 +159,23 @@ func ConnectHost(hostAndPort string, timeout int) (conn net.Conn, err error) {
 	conn, err = net.DialTimeout("tcp", hostAndPort, time.Duration(timeout)*time.Millisecond)
 	return
 }
-func ConnectKCPHost(hostAndPort, method, key string) (conn net.Conn, err error) {
-	kcpconn, err := kcp.DialWithOptions(hostAndPort, GetKCPBlock(method, key), 10, 3)
+func ConnectKCPHost(hostAndPort string, config kcpcfg.KCPConfigArgs) (conn net.Conn, err error) {
+	kcpconn, err := kcp.DialWithOptions(hostAndPort, config.Block, *config.DataShard, *config.ParityShard)
 	if err != nil {
 		return
 	}
-	kcpconn.SetNoDelay(1, 10, 2, 1)
-	kcpconn.SetWindowSize(1024, 1024)
-	kcpconn.SetMtu(1400)
-	kcpconn.SetACKNoDelay(false)
-	return kcpconn, err
-}
-func ListenTls(ip string, port int, certBytes, keyBytes []byte) (ln *net.Listener, err error) {
-	var cert tls.Certificate
-	cert, err = tls.X509KeyPair(certBytes, keyBytes)
-	if err != nil {
-		return
-	}
-	clientCertPool := x509.NewCertPool()
-	ok := clientCertPool.AppendCertsFromPEM(certBytes)
-	if !ok {
-		err = errors.New("failed to parse root certificate")
-	}
-	config := &tls.Config{
-		ClientCAs:    clientCertPool,
-		ServerName:   "proxy",
-		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-	_ln, err := tls.Listen("tcp", fmt.Sprintf("%s:%d", ip, port), config)
-	if err == nil {
-		ln = &_ln
-	}
-	return
+	kcpconn.SetStreamMode(true)
+	kcpconn.SetWriteDelay(true)
+	kcpconn.SetNoDelay(*config.NoDelay, *config.Interval, *config.Resend, *config.NoCongestion)
+	kcpconn.SetMtu(*config.MTU)
+	kcpconn.SetWindowSize(*config.SndWnd, *config.RcvWnd)
+	kcpconn.SetACKNoDelay(*config.AckNodelay)
+	if *config.NoComp {
+		return kcpconn, err
+	}
+	return NewCompStream(kcpconn), err
 }
+
 func PathExists(_path string) bool {
 	_, err := os.Stat(_path)
 	if err != nil && os.IsNotExist(err) {
@ -193,20 +211,95 @@ func CloseConn(conn *net.Conn) {
 	}
 }
 func Keygen() (err error) {
-	cmd := exec.Command("sh", "-c", "openssl genrsa -out proxy.key 2048")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		log.Printf("err:%s", err)
-		return
+	CList := []string{"AD", "AE", "AF", "AG", "AI", "AL", "AM", "AO", "AR", "AT", "AU", "AZ", "BB", "BD", "BE", "BF", "BG", "BH", "BI", "BJ", "BL", "BM", "BN", "BO", "BR", "BS", "BW", "BY", "BZ", "CA", "CF", "CG", "CH", "CK", "CL", "CM", "CN", "CO", "CR", "CS", "CU", "CY", "CZ", "DE", "DJ", "DK", "DO", "DZ", "EC", "EE", "EG", "ES", "ET", "FI", "FJ", "FR", "GA", "GB", "GD", "GE", "GF", "GH", "GI", "GM", "GN", "GR", "GT", "GU", "GY", "HK", "HN", "HT", "HU", "ID", "IE", "IL", "IN", "IQ", "IR", "IS", "IT", "JM", "JO", "JP", "KE", "KG", "KH", "KP", "KR", "KT", "KW", "KZ", "LA", "LB", "LC", "LI", "LK", "LR", "LS", "LT", "LU", "LV", "LY", "MA", "MC", "MD", "MG", "ML", "MM", "MN", "MO", "MS", "MT", "MU", "MV", "MW", "MX", "MY", "MZ", "NA", "NE", "NG", "NI", "NL", "NO", "NP", "NR", "NZ", "OM", "PA", "PE", "PF", "PG", "PH", "PK", "PL", "PR", "PT", "PY", "QA", "RO", "RU", "SA", "SB", "SC", "SD", "SE", "SG", "SI", "SK", "SL", "SM", "SN", "SO", "SR", "ST", "SV", "SY", "SZ", "TD", "TG", "TH", "TJ", "TM", "TN", "TO", "TR", "TT", "TW", "TZ", "UA", "UG", "US", "UY", "UZ", "VC", "VE", "VN", "YE", "YU", "ZA", "ZM", "ZR", "ZW"}
+	domainSubfixList := []string{".com", ".edu", ".gov", ".int", ".mil", ".net", ".org", ".biz", ".info", ".pro", ".name", ".museum", ".coop", ".aero", ".xxx", ".idv", ".ac", ".ad", ".ae", ".af", ".ag", ".ai", ".al", ".am", ".an", ".ao", ".aq", ".ar", ".as", ".at", ".au", ".aw", ".az", ".ba", ".bb", ".bd", ".be", ".bf", ".bg", ".bh", ".bi", ".bj", ".bm", ".bn", ".bo", ".br", ".bs", ".bt", ".bv", ".bw", ".by", ".bz", ".ca", ".cc", ".cd", ".cf", ".cg", ".ch", ".ci", ".ck", ".cl", ".cm", ".cn", ".co", ".cr", ".cu", ".cv", ".cx", ".cy", ".cz", ".de", ".dj", ".dk", ".dm", ".do", ".dz", ".ec", ".ee", ".eg", ".eh", ".er", ".es", ".et", ".eu", ".fi", ".fj", ".fk", ".fm", ".fo", ".fr", ".ga", ".gd", ".ge", ".gf", ".gg", ".gh", ".gi", ".gl", ".gm", ".gn", ".gp", ".gq", ".gr", ".gs", ".gt", ".gu", ".gw", ".gy", ".hk", ".hm", ".hn", ".hr", ".ht", ".hu", ".id", ".ie", ".il", ".im", ".in", ".io", ".iq", ".ir", ".is", ".it", ".je", ".jm", ".jo", ".jp", ".ke", ".kg", ".kh", ".ki", ".km", ".kn", ".kp", ".kr", ".kw", ".ky", ".kz", ".la", ".lb", ".lc", ".li", ".lk", ".lr", ".ls", ".lt", ".lu", ".lv", ".ly", ".ma", ".mc", ".md", ".mg", ".mh", ".mk", ".ml", ".mm", ".mn", ".mo", ".mp", ".mq", ".mr", ".ms", ".mt", ".mu", ".mv", ".mw", ".mx", ".my", ".mz", ".na", ".nc", ".ne", ".nf", ".ng", ".ni", ".nl", ".no", ".np", ".nr", ".nu", ".nz", ".om", ".pa", ".pe", ".pf", ".pg", ".ph", ".pk", ".pl", ".pm", ".pn", ".pr", ".ps", ".pt", ".pw", ".py", ".qa", ".re", ".ro", ".ru", ".rw", ".sa", ".sb", ".sc", ".sd", ".se", ".sg", ".sh", ".si", ".sj", ".sk", ".sl", ".sm", ".sn", ".so", ".sr", ".st", ".sv", ".sy", ".sz", ".tc", ".td", ".tf", ".tg", ".th", ".tj", ".tk", ".tl", ".tm", ".tn", ".to", ".tp", ".tr", ".tt", ".tv", ".tw", ".tz", ".ua", ".ug", ".uk", ".um", ".us", ".uy", ".uz", ".va", ".vc", ".ve", ".vg", ".vi", ".vn", ".vu", ".wf", ".ws", ".ye", ".yt", ".yu", ".yr", ".za", ".zm", ".zw"}
+	C := CList[int(RandInt(4))%len(CList)]
+	ST := RandString(int(RandInt(4) % 10))
+	O := RandString(int(RandInt(4) % 10))
+	CN := strings.ToLower(RandString(int(RandInt(4)%10)) + domainSubfixList[int(RandInt(4))%len(domainSubfixList)])
+	//log.Printf("C: %s, ST: %s, O: %s, CN: %s", C, ST, O, CN)
+	var out []byte
+	if len(os.Args) == 3 && os.Args[2] == "ca" {
+		cmd := exec.Command("sh", "-c", "openssl genrsa -out ca.key 2048")
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+		fmt.Println(string(out))
+
+		cmdStr := fmt.Sprintf("openssl req -new -key ca.key -x509 -days 36500 -out ca.crt -subj /C=%s/ST=%s/O=%s/CN=%s", C, ST, O, "*."+CN)
+		cmd = exec.Command("sh", "-c", cmdStr)
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+		fmt.Println(string(out))
+	} else if len(os.Args) == 5 && os.Args[2] == "ca" && os.Args[3] != "" && os.Args[4] != "" {
+		certBytes, _ := ioutil.ReadFile("ca.crt")
+		block, _ := pem.Decode(certBytes)
+		if block == nil || certBytes == nil {
+			panic("failed to parse ca certificate PEM")
+		}
+		x509Cert, _ := x509.ParseCertificate(block.Bytes)
+		if x509Cert == nil {
+			panic("failed to parse block")
+		}
+		name := os.Args[3]
+		days := os.Args[4]
+		cmd := exec.Command("sh", "-c", "openssl genrsa -out "+name+".key 2048")
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+		fmt.Println(string(out))
+
+		cmdStr := fmt.Sprintf("openssl req -new -key %s.key -out %s.csr -subj /C=%s/ST=%s/O=%s/CN=%s", name, name, C, ST, O, CN)
+		fmt.Printf("%s", cmdStr)
+		cmd = exec.Command("sh", "-c", cmdStr)
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+		fmt.Println(string(out))
+
+		cmdStr = fmt.Sprintf("openssl x509 -req -days %s -in %s.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out %s.crt", days, name, name)
+		fmt.Printf("%s", cmdStr)
+		cmd = exec.Command("sh", "-c", cmdStr)
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+
+		fmt.Println(string(out))
+	} else if len(os.Args) == 3 && os.Args[2] == "usage" {
+		fmt.Println(`proxy keygen //generate proxy.crt and proxy.key
+proxy keygen ca //generate ca.crt and ca.key
+proxy keygen ca client0 30 //generate client0.crt client0.key and use ca.crt sign it with 30 days
+	`)
+	} else if len(os.Args) == 2 {
+		cmd := exec.Command("sh", "-c", "openssl genrsa -out proxy.key 2048")
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+		fmt.Println(string(out))
+
+		cmdStr := fmt.Sprintf("openssl req -new -key proxy.key -x509 -days 36500 -out proxy.crt -subj /C=%s/ST=%s/O=%s/CN=%s", C, ST, O, CN)
+		cmd = exec.Command("sh", "-c", cmdStr)
+		out, err = cmd.CombinedOutput()
+		if err != nil {
+			logger.Printf("err:%s", err)
+			return
+		}
+		fmt.Println(string(out))
 	}
-	fmt.Println(string(out))
-	cmd = exec.Command("sh", "-c", `openssl req -new -key proxy.key -x509 -days 3650 -out proxy.crt -subj /C=CN/ST=BJ/O="Localhost Ltd"/CN=proxy`)
-	out, err = cmd.CombinedOutput()
-	if err != nil {
-		log.Printf("err:%s", err)
-		return
-	}
-	fmt.Println(string(out))
+
 	return
 }
 func GetAllInterfaceAddr() ([]net.IP, error) {
@ -306,6 +399,29 @@ func Uniqueid() string {
 	// s := fmt.Sprintf("%d", src.Int63())
 	// return s[len(s)-5:len(s)-1] + fmt.Sprintf("%d", uint64(time.Now().UnixNano()))[8:]
 }
+func RandString(strlen int) string {
+	codes := "QWERTYUIOPLKJHGFDSAZXCVBNMabcdefghijklmnopqrstuvwxyz0123456789"
+	codeLen := len(codes)
+	data := make([]byte, strlen)
+	rand.Seed(time.Now().UnixNano() + rand.Int63() + rand.Int63() + rand.Int63() + rand.Int63())
+	for i := 0; i < strlen; i++ {
+		idx := rand.Intn(codeLen)
+		data[i] = byte(codes[idx])
+	}
+	return string(data)
+}
+func RandInt(strLen int) int64 {
+	codes := "123456789"
+	codeLen := len(codes)
+	data := make([]byte, strLen)
+	rand.Seed(time.Now().UnixNano() + rand.Int63() + rand.Int63() + rand.Int63() + rand.Int63())
+	for i := 0; i < strLen; i++ {
+		idx := rand.Intn(codeLen)
+		data[i] = byte(codes[idx])
+	}
+	i, _ := strconv.ParseInt(string(data), 10, 64)
+	return i
+}
 func ReadData(r io.Reader) (data string, err error) {
 	var len uint16
 	err = binary.Read(r, binary.LittleEndian, &len)
@ -386,15 +502,15 @@ func SubBytes(bytes []byte, start, end int) []byte {
 	}
 	return bytes[start:end]
 }
-func TlsBytes(cert, key string) (certBytes, keyBytes []byte) {
-	certBytes, err := ioutil.ReadFile(cert)
+func TlsBytes(cert, key string) (certBytes, keyBytes []byte, err error) {
+	certBytes, err = ioutil.ReadFile(cert)
 	if err != nil {
-		log.Fatalf("err : %s", err)
+		err = fmt.Errorf("err : %s", err)
 		return
 	}
 	keyBytes, err = ioutil.ReadFile(key)
 	if err != nil {
-		log.Fatalf("err : %s", err)
+		err = fmt.Errorf("err : %s", err)
 		return
 	}
 	return
@ -431,7 +547,7 @@ func GetKCPBlock(method, key string) (block kcp.BlockCrypt) {
 	}
 	return
 }
-func HttpGet(URL string, timeout int) (body []byte, code int, err error) {
+func HttpGet(URL string, timeout int, host ...string) (body []byte, code int, err error) {
 	var tr *http.Transport
 	var client *http.Client
 	conf := &tls.Config{
@ -445,7 +561,16 @@ func HttpGet(URL string, timeout int) (body []byte, code int, err error) {
 		client = &http.Client{Timeout: time.Millisecond * time.Duration(timeout), Transport: tr}
 	}
 	defer tr.CloseIdleConnections()
-	resp, err := client.Get(URL)
+
+	//resp, err := client.Get(URL)
+	req, err := http.NewRequest("GET", URL, nil)
+	if err != nil {
+		return
+	}
+	if len(host) == 1 && host[0] != "" {
+		req.Host = host[0]
+	}
+	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}
@ -477,6 +602,53 @@ func IsIternalIP(domainOrIP string) bool {
 	}
 	return false
 }
+func IsHTTP(head []byte) bool {
+	keys := []string{"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
+	for _, key := range keys {
+		if bytes.HasPrefix(head, []byte(key)) || bytes.HasPrefix(head, []byte(strings.ToLower(key))) {
+			return true
+		}
+	}
+	return false
+}
+func IsSocks5(head []byte) bool {
+	if len(head) < 3 {
+		return false
+	}
+	if head[0] == uint8(0x05) && 0 < int(head[1]) && int(head[1]) < 255 {
+		if len(head) == 2+int(head[1]) {
+			return true
+		}
+	}
+	return false
+}
+func RemoveProxyHeaders(head []byte) []byte {
+	newLines := [][]byte{}
+	var keys = map[string]bool{}
+	lines := bytes.Split(head, []byte("\r\n"))
+	IsBody := false
+	for _, line := range lines {
+		if len(line) == 0 || IsBody {
+			newLines = append(newLines, line)
+			IsBody = true
+		} else {
+			hline := bytes.SplitN(line, []byte(":"), 2)
+			if len(hline) != 2 {
+				continue
+			}
+			k := strings.ToUpper(string(hline[0]))
+			if _, ok := keys[k]; ok || strings.HasPrefix(k, "PROXY-") {
+				continue
+			}
+			keys[k] = true
+			newLines = append(newLines, line)
+		}
+	}
+	return bytes.Join(newLines, []byte("\r\n"))
+}
+func InsertProxyHeaders(head []byte, headers string) []byte {
+	return bytes.Replace(head, []byte("\r\n"), []byte("\r\n"+headers), 1)
+}

 // type sockaddr struct {
 // 	family uint16
--- a/utils/leakybuf.go
+++ b/utils/leakybuf.go
@ -0,0 +1,45 @@
+// Provides leaky buffer, based on the example in Effective Go.
+package utils
+
+type LeakyBuf struct {
+	bufSize  int // size of each buffer
+	freeList chan []byte
+}
+
+const LeakyBufSize = 2048 // data.len(2) + hmacsha1(10) + data(4096)
+const maxNBuf = 2048
+
+var LeakyBuffer = NewLeakyBuf(maxNBuf, LeakyBufSize)
+
+// NewLeakyBuf creates a leaky buffer which can hold at most n buffer, each
+// with bufSize bytes.
+func NewLeakyBuf(n, bufSize int) *LeakyBuf {
+	return &LeakyBuf{
+		bufSize:  bufSize,
+		freeList: make(chan []byte, n),
+	}
+}
+
+// Get returns a buffer from the leaky buffer or create a new buffer.
+func (lb *LeakyBuf) Get() (b []byte) {
+	select {
+	case b = <-lb.freeList:
+	default:
+		b = make([]byte, lb.bufSize)
+	}
+	return
+}
+
+// Put add the buffer into the free buffer pool for reuse. Panic if the buffer
+// size is not the same with the leaky buffer's. This is intended to expose
+// error usage of leaky buffer.
+func (lb *LeakyBuf) Put(b []byte) {
+	if len(b) != lb.bufSize {
+		panic("invalid buffer size that's put into leaky buffer")
+	}
+	select {
+	case lb.freeList <- b:
+	default:
+	}
+	return
+}
--- a/utils/pool.go
+++ b/utils/pool.go
@ -1,145 +0,0 @@
-package utils
-
-import (
-	"log"
-	"sync"
-	"time"
-)
-
-//ConnPool to use
-type ConnPool interface {
-	Get() (conn interface{}, err error)
-	Put(conn interface{})
-	ReleaseAll()
-	Len() (length int)
-}
-type poolConfig struct {
-	Factory    func() (interface{}, error)
-	IsActive   func(interface{}) bool
-	Release    func(interface{})
-	InitialCap int
-	MaxCap     int
-}
-
-func NewConnPool(poolConfig poolConfig) (pool ConnPool, err error) {
-	p := netPool{
-		config: poolConfig,
-		conns:  make(chan interface{}, poolConfig.MaxCap),
-		lock:   &sync.Mutex{},
-	}
-	//log.Printf("pool MaxCap:%d", poolConfig.MaxCap)
-	if poolConfig.MaxCap > 0 {
-		err = p.initAutoFill(false)
-		if err == nil {
-			p.initAutoFill(true)
-		}
-	}
-	return &p, nil
-}
-
-type netPool struct {
-	conns  chan interface{}
-	lock   *sync.Mutex
-	config poolConfig
-}
-
-func (p *netPool) initAutoFill(async bool) (err error) {
-	var worker = func() (err error) {
-		for {
-			//log.Printf("pool fill: %v , len: %d", p.Len() <= p.config.InitialCap/2, p.Len())
-			if p.Len() <= p.config.InitialCap/2 {
-				p.lock.Lock()
-				errN := 0
-				for i := 0; i < p.config.InitialCap; i++ {
-					c, err := p.config.Factory()
-					if err != nil {
-						errN++
-						if async {
-							continue
-						} else {
-							p.lock.Unlock()
-							return err
-						}
-					}
-					select {
-					case p.conns <- c:
-					default:
-						p.config.Release(c)
-						break
-					}
-					if p.Len() >= p.config.InitialCap {
-						break
-					}
-				}
-				if errN > 0 {
-					log.Printf("fill conn pool fail , ERRN:%d", errN)
-				}
-				p.lock.Unlock()
-			}
-			if !async {
-				return
-			}
-			time.Sleep(time.Second * 2)
-		}
-	}
-	if async {
-		go worker()
-	} else {
-		err = worker()
-	}
-	return
-
-}
-
-func (p *netPool) Get() (conn interface{}, err error) {
-	// defer func() {
-	// 	log.Printf("pool len : %d", p.Len())
-	// }()
-	p.lock.Lock()
-	defer p.lock.Unlock()
-	// for {
-	select {
-	case conn = <-p.conns:
-		if p.config.IsActive(conn) {
-			return
-		}
-		p.config.Release(conn)
-	default:
-		conn, err = p.config.Factory()
-		if err != nil {
-			return nil, err
-		}
-		return conn, nil
-	}
-	// }
-	return
-}
-
-func (p *netPool) Put(conn interface{}) {
-	if conn == nil {
-		return
-	}
-	p.lock.Lock()
-	defer p.lock.Unlock()
-	if !p.config.IsActive(conn) {
-		p.config.Release(conn)
-	}
-	select {
-	case p.conns <- conn:
-	default:
-		p.config.Release(conn)
-	}
-}
-func (p *netPool) ReleaseAll() {
-	p.lock.Lock()
-	defer p.lock.Unlock()
-	close(p.conns)
-	for c := range p.conns {
-		p.config.Release(c)
-	}
-	p.conns = make(chan interface{}, p.config.InitialCap)
-
-}
-func (p *netPool) Len() (length int) {
-	return len(p.conns)
-}
--- a/utils/serve-channel.go
+++ b/utils/serve-channel.go
@ -1,12 +1,17 @@
 package utils

 import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"fmt"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
 	"strconv"

+	"github.com/snail007/goproxy/services/kcpcfg"
+
 	kcp "github.com/xtaci/kcp-go"
 )

@ -16,23 +21,26 @@ type ServerChannel struct {
 	Listener         *net.Listener
 	UDPListener      *net.UDPConn
 	errAcceptHandler func(err error)
+	log              *logger.Logger
 }

-func NewServerChannel(ip string, port int) ServerChannel {
+func NewServerChannel(ip string, port int, log *logger.Logger) ServerChannel {
 	return ServerChannel{
 		ip:   ip,
 		port: port,
+		log:  log,
 		errAcceptHandler: func(err error) {
-			fmt.Printf("accept error , ERR:%s", err)
+			log.Printf("accept error , ERR:%s", err)
 		},
 	}
 }
-func NewServerChannelHost(host string) ServerChannel {
+func NewServerChannelHost(host string, log *logger.Logger) ServerChannel {
 	h, port, _ := net.SplitHostPort(host)
 	p, _ := strconv.Atoi(port)
 	return ServerChannel{
 		ip:   h,
 		port: p,
+		log:  log,
 		errAcceptHandler: func(err error) {
 			log.Printf("accept error , ERR:%s", err)
 		},
@ -41,13 +49,13 @@ func NewServerChannelHost(host string) ServerChannel {
 func (sc *ServerChannel) SetErrAcceptHandler(fn func(err error)) {
 	sc.errAcceptHandler = fn
 }
-func (sc *ServerChannel) ListenTls(certBytes, keyBytes []byte, fn func(conn net.Conn)) (err error) {
-	sc.Listener, err = ListenTls(sc.ip, sc.port, certBytes, keyBytes)
+func (sc *ServerChannel) ListenTls(certBytes, keyBytes, caCertBytes []byte, fn func(conn net.Conn)) (err error) {
+	sc.Listener, err = sc.listenTls(sc.ip, sc.port, certBytes, keyBytes, caCertBytes)
 	if err == nil {
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenTls crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenTls crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -57,7 +65,7 @@ func (sc *ServerChannel) ListenTls(certBytes, keyBytes []byte, fn func(conn net.
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("tls connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("tls connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						fn(conn)
@ -72,7 +80,33 @@ func (sc *ServerChannel) ListenTls(certBytes, keyBytes []byte, fn func(conn net.
 	}
 	return
 }
+func (sc *ServerChannel) listenTls(ip string, port int, certBytes, keyBytes, caCertBytes []byte) (ln *net.Listener, err error) {

+	var cert tls.Certificate
+	cert, err = tls.X509KeyPair(certBytes, keyBytes)
+	if err != nil {
+		return
+	}
+	clientCertPool := x509.NewCertPool()
+	caBytes := certBytes
+	if caCertBytes != nil {
+		caBytes = caCertBytes
+	}
+	ok := clientCertPool.AppendCertsFromPEM(caBytes)
+	if !ok {
+		err = errors.New("failed to parse root certificate")
+	}
+	config := &tls.Config{
+		ClientCAs:    clientCertPool,
+		Certificates: []tls.Certificate{cert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+	_ln, err := tls.Listen("tcp", fmt.Sprintf("%s:%d", ip, port), config)
+	if err == nil {
+		ln = &_ln
+	}
+	return
+}
 func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
 	var l net.Listener
 	l, err = net.Listen("tcp", fmt.Sprintf("%s:%d", sc.ip, sc.port))
@ -81,7 +115,7 @@ func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenTCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenTCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -91,7 +125,7 @@ func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("tcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("tcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						fn(conn)
@ -113,7 +147,7 @@ func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, srcAddr *ne
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenUDP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenUDP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -124,7 +158,7 @@ func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, srcAddr *ne
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("udp data handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("udp data handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						fn(packet, addr, srcAddr)
@ -138,28 +172,51 @@ func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, srcAddr *ne
 	}
 	return
 }
-func (sc *ServerChannel) ListenKCP(method, key string, fn func(conn net.Conn)) (err error) {
-	var l net.Listener
-	l, err = kcp.ListenWithOptions(fmt.Sprintf("%s:%d", sc.ip, sc.port), GetKCPBlock(method, key), 10, 3)
+func (sc *ServerChannel) ListenKCP(config kcpcfg.KCPConfigArgs, fn func(conn net.Conn), log *logger.Logger) (err error) {
+	lis, err := kcp.ListenWithOptions(fmt.Sprintf("%s:%d", sc.ip, sc.port), config.Block, *config.DataShard, *config.ParityShard)
 	if err == nil {
-		sc.Listener = &l
+		if err = lis.SetDSCP(*config.DSCP); err != nil {
+			log.Println("SetDSCP:", err)
+			return
+		}
+		if err = lis.SetReadBuffer(*config.SockBuf); err != nil {
+			log.Println("SetReadBuffer:", err)
+			return
+		}
+		if err = lis.SetWriteBuffer(*config.SockBuf); err != nil {
+			log.Println("SetWriteBuffer:", err)
+			return
+		}
+		sc.Listener = new(net.Listener)
+		*sc.Listener = lis
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenKCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenKCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
-				var conn net.Conn
-				conn, err = (*sc.Listener).Accept()
+				//var conn net.Conn
+				conn, err := lis.AcceptKCP()
 				if err == nil {
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("kcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("kcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
-						fn(conn)
+						conn.SetStreamMode(true)
+						conn.SetWriteDelay(true)
+						conn.SetNoDelay(*config.NoDelay, *config.Interval, *config.Resend, *config.NoCongestion)
+						conn.SetMtu(*config.MTU)
+						conn.SetWindowSize(*config.SndWnd, *config.RcvWnd)
+						conn.SetACKNoDelay(*config.AckNodelay)
+						if *config.NoComp {
+							fn(conn)
+						} else {
+							cconn := NewCompStream(conn)
+							fn(cconn)
+						}
 					}()
 				} else {
 					sc.errAcceptHandler(err)
--- a/utils/socks/client.go
+++ b/utils/socks/client.go
@ -0,0 +1,253 @@
+package socks
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"time"
+)
+
+var socks5Errors = []string{
+	"",
+	"general failure",
+	"connection forbidden",
+	"network unreachable",
+	"host unreachable",
+	"connection refused",
+	"TTL expired",
+	"command not supported",
+	"address type not supported",
+}
+
+type Auth struct {
+	User, Password string
+}
+type ClientConn struct {
+	user     string
+	password string
+	conn     *net.Conn
+	header   []byte
+	timeout  time.Duration
+	addr     string
+	network  string
+	udpAddr  string
+}
+
+// SOCKS5 returns a Dialer that makes SOCKSv5 connections to the given address
+// with an optional username and password. See RFC 1928 and RFC 1929.
+// target must be a canonical address with a host and port.
+// network : tcp udp
+func NewClientConn(conn *net.Conn, network, target string, timeout time.Duration, auth *Auth, header []byte) *ClientConn {
+	s := &ClientConn{
+		conn:    conn,
+		network: network,
+		timeout: timeout,
+	}
+	if auth != nil {
+		s.user = auth.User
+		s.password = auth.Password
+	}
+	if header != nil && len(header) > 0 {
+		s.header = header
+	}
+	if network == "udp" && target == "" {
+		target = "0.0.0.0:1"
+	}
+	s.addr = target
+	return s
+}
+
+// connect takes an existing connection to a socks5 proxy server,
+// and commands the server to extend that connection to target,
+// which must be a canonical address with a host and port.
+func (s *ClientConn) Handshake() error {
+	host, portStr, err := net.SplitHostPort(s.addr)
+	if err != nil {
+		return err
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return errors.New("proxy: failed to parse port number: " + portStr)
+	}
+	if port < 1 || port > 0xffff {
+		return errors.New("proxy: port number out of range: " + portStr)
+	}
+
+	if err := s.handshake(host); err != nil {
+		return err
+	}
+	buf := []byte{}
+	if s.network == "tcp" {
+		buf = append(buf, VERSION_V5, CMD_CONNECT, 0 /* reserved */)
+
+	} else {
+		buf = append(buf, VERSION_V5, CMD_ASSOCIATE, 0 /* reserved */)
+	}
+	if ip := net.ParseIP(host); ip != nil {
+		if ip4 := ip.To4(); ip4 != nil {
+			buf = append(buf, ATYP_IPV4)
+			ip = ip4
+		} else {
+			buf = append(buf, ATYP_IPV6)
+		}
+		buf = append(buf, ip...)
+	} else {
+		if len(host) > 255 {
+			return errors.New("proxy: destination host name too long: " + host)
+		}
+		buf = append(buf, ATYP_DOMAIN)
+		buf = append(buf, byte(len(host)))
+		buf = append(buf, host...)
+	}
+	buf = append(buf, byte(port>>8), byte(port))
+	(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+	if _, err := (*s.conn).Write(buf); err != nil {
+		return errors.New("proxy: failed to write connect request to SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	(*s.conn).SetDeadline(time.Time{})
+	(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+	if _, err := io.ReadFull((*s.conn), buf[:4]); err != nil {
+		return errors.New("proxy: failed to read connect reply from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	(*s.conn).SetDeadline(time.Time{})
+	failure := "unknown error"
+	if int(buf[1]) < len(socks5Errors) {
+		failure = socks5Errors[buf[1]]
+	}
+
+	if len(failure) > 0 {
+		return errors.New("proxy: SOCKS5 proxy at " + s.addr + " failed to connect: " + failure)
+	}
+
+	bytesToDiscard := 0
+	switch buf[3] {
+	case ATYP_IPV4:
+		bytesToDiscard = net.IPv4len
+	case ATYP_IPV6:
+		bytesToDiscard = net.IPv6len
+	case ATYP_DOMAIN:
+		(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+		_, err := io.ReadFull((*s.conn), buf[:1])
+		(*s.conn).SetDeadline(time.Time{})
+		if err != nil {
+			return errors.New("proxy: failed to read domain length from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+		}
+		bytesToDiscard = int(buf[0])
+	default:
+		return errors.New("proxy: got unknown address type " + strconv.Itoa(int(buf[3])) + " from SOCKS5 proxy at " + s.addr)
+	}
+
+	if cap(buf) < bytesToDiscard {
+		buf = make([]byte, bytesToDiscard)
+	} else {
+		buf = buf[:bytesToDiscard]
+	}
+	(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+	if _, err := io.ReadFull((*s.conn), buf); err != nil {
+		return errors.New("proxy: failed to read address from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	(*s.conn).SetDeadline(time.Time{})
+	var ip net.IP
+	ip = buf
+	ipStr := ""
+	if bytesToDiscard == net.IPv4len || bytesToDiscard == net.IPv6len {
+		if ipv4 := ip.To4(); ipv4 != nil {
+			ipStr = ipv4.String()
+		} else {
+			ipStr = ip.To16().String()
+		}
+	}
+	//log.Printf("%v", ipStr)
+	// Also need to discard the port number
+	(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+	if _, err := io.ReadFull((*s.conn), buf[:2]); err != nil {
+		return errors.New("proxy: failed to read port from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	p := binary.BigEndian.Uint16([]byte{buf[0], buf[1]})
+	//log.Printf("%v", p)
+	s.udpAddr = net.JoinHostPort(ipStr, fmt.Sprintf("%d", p))
+	//log.Printf("%v", s.udpAddr)
+	(*s.conn).SetDeadline(time.Time{})
+	return nil
+}
+func (s *ClientConn) SendUDP(data []byte, addr string) (respData []byte, err error) {
+
+	c, err := net.DialTimeout("udp", s.udpAddr, s.timeout)
+	if err != nil {
+		return
+	}
+	conn := c.(*net.UDPConn)
+
+	p := NewPacketUDP()
+	p.Build(addr, data)
+	conn.SetDeadline(time.Now().Add(s.timeout))
+	conn.Write(p.Bytes())
+	conn.SetDeadline(time.Time{})
+
+	buf := make([]byte, 1024)
+	conn.SetDeadline(time.Now().Add(s.timeout))
+	n, _, err := conn.ReadFrom(buf)
+	conn.SetDeadline(time.Time{})
+	if err != nil {
+		return
+	}
+	respData = buf[:n]
+	return
+}
+func (s *ClientConn) handshake(host string) error {
+
+	// the size here is just an estimate
+	buf := make([]byte, 0, 6+len(host))
+
+	buf = append(buf, VERSION_V5)
+	if len(s.user) > 0 && len(s.user) < 256 && len(s.password) < 256 {
+		buf = append(buf, 2 /* num auth methods */, Method_NO_AUTH, Method_USER_PASS)
+	} else {
+		buf = append(buf, 1 /* num auth methods */, Method_NO_AUTH)
+	}
+	(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+	if _, err := (*s.conn).Write(buf); err != nil {
+		return errors.New("proxy: failed to write greeting to SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	(*s.conn).SetDeadline(time.Time{})
+
+	(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+	if _, err := io.ReadFull((*s.conn), buf[:2]); err != nil {
+		return errors.New("proxy: failed to read greeting from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+	}
+	(*s.conn).SetDeadline(time.Time{})
+
+	if buf[0] != 5 {
+		return errors.New("proxy: SOCKS5 proxy at " + s.addr + " has unexpected version " + strconv.Itoa(int(buf[0])))
+	}
+	if buf[1] == 0xff {
+		return errors.New("proxy: SOCKS5 proxy at " + s.addr + " requires authentication")
+	}
+
+	// See RFC 1929
+	if buf[1] == Method_USER_PASS {
+		buf = buf[:0]
+		buf = append(buf, 1 /* password protocol version */)
+		buf = append(buf, uint8(len(s.user)))
+		buf = append(buf, s.user...)
+		buf = append(buf, uint8(len(s.password)))
+		buf = append(buf, s.password...)
+		(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+		if _, err := (*s.conn).Write(buf); err != nil {
+			return errors.New("proxy: failed to write authentication request to SOCKS5 proxy at " + s.addr + ": " + err.Error())
+		}
+		(*s.conn).SetDeadline(time.Time{})
+		(*s.conn).SetDeadline(time.Now().Add(s.timeout))
+		if _, err := io.ReadFull((*s.conn), buf[:2]); err != nil {
+			return errors.New("proxy: failed to read authentication reply from SOCKS5 proxy at " + s.addr + ": " + err.Error())
+		}
+		(*s.conn).SetDeadline(time.Time{})
+		if buf[1] != 0 {
+			return errors.New("proxy: SOCKS5 proxy at " + s.addr + " rejected username/password")
+		}
+	}
+	return nil
+}
--- a/utils/socks/server.go
+++ b/utils/socks/server.go
@ -0,0 +1,226 @@
+package socks
+
+import (
+	"fmt"
+	"github.com/snail007/goproxy/utils"
+	"net"
+	"strings"
+	"time"
+)
+
+const (
+	Method_NO_AUTH         = uint8(0x00)
+	Method_GSSAPI          = uint8(0x01)
+	Method_USER_PASS       = uint8(0x02)
+	Method_IANA            = uint8(0x7F)
+	Method_RESVERVE        = uint8(0x80)
+	Method_NONE_ACCEPTABLE = uint8(0xFF)
+	VERSION_V5             = uint8(0x05)
+	CMD_CONNECT            = uint8(0x01)
+	CMD_BIND               = uint8(0x02)
+	CMD_ASSOCIATE          = uint8(0x03)
+	ATYP_IPV4              = uint8(0x01)
+	ATYP_DOMAIN            = uint8(0x03)
+	ATYP_IPV6              = uint8(0x04)
+	REP_SUCCESS            = uint8(0x00)
+	REP_REQ_FAIL           = uint8(0x01)
+	REP_RULE_FORBIDDEN     = uint8(0x02)
+	REP_NETWOR_UNREACHABLE = uint8(0x03)
+	REP_HOST_UNREACHABLE   = uint8(0x04)
+	REP_CONNECTION_REFUSED = uint8(0x05)
+	REP_TTL_TIMEOUT        = uint8(0x06)
+	REP_CMD_UNSUPPORTED    = uint8(0x07)
+	REP_ATYP_UNSUPPORTED   = uint8(0x08)
+	REP_UNKNOWN            = uint8(0x09)
+	RSV                    = uint8(0x00)
+)
+
+var (
+	ZERO_IP   = []byte{0x00, 0x00, 0x00, 0x00}
+	ZERO_PORT = []byte{0x00, 0x00}
+)
+
+type ServerConn struct {
+	target   string
+	user     string
+	password string
+	conn     *net.Conn
+	timeout  time.Duration
+	auth     *utils.BasicAuth
+	header   []byte
+	ver      uint8
+	//method
+	methodsCount uint8
+	methods      []uint8
+	method       uint8
+	//request
+	cmd         uint8
+	reserve     uint8
+	addressType uint8
+	dstAddr     string
+	dstPort     string
+	dstHost     string
+	udpAddress  string
+}
+
+func NewServerConn(conn *net.Conn, timeout time.Duration, auth *utils.BasicAuth, udpAddress string, header []byte) *ServerConn {
+	if udpAddress == "" {
+		udpAddress = "0.0.0.0:16666"
+	}
+	s := &ServerConn{
+		conn:       conn,
+		timeout:    timeout,
+		auth:       auth,
+		header:     header,
+		ver:        VERSION_V5,
+		udpAddress: udpAddress,
+	}
+	return s
+
+}
+func (s *ServerConn) Close() {
+	utils.CloseConn(s.conn)
+}
+func (s *ServerConn) AuthData() Auth {
+	return Auth{s.user, s.password}
+}
+func (s *ServerConn) Method() uint8 {
+	return s.method
+}
+func (s *ServerConn) Target() string {
+	return s.target
+}
+func (s *ServerConn) Handshake() (err error) {
+	remoteAddr := (*s.conn).RemoteAddr()
+	//协商开始
+	//method select request
+	var methodReq MethodsRequest
+	(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+
+	methodReq, e := NewMethodsRequest((*s.conn), s.header)
+	(*s.conn).SetReadDeadline(time.Time{})
+	if e != nil {
+		(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+		methodReq.Reply(Method_NONE_ACCEPTABLE)
+		(*s.conn).SetReadDeadline(time.Time{})
+		err = fmt.Errorf("new methods request fail,ERR: %s", e)
+		return
+	}
+	//log.Printf("%v,s.auth == %v && methodReq.Select(Method_NO_AUTH) %v", methodReq.methods, s.auth, methodReq.Select(Method_NO_AUTH))
+	if s.auth == nil && methodReq.Select(Method_NO_AUTH) && !methodReq.Select(Method_USER_PASS) {
+		// if !methodReq.Select(Method_NO_AUTH) {
+		// 	(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+		// 	methodReq.Reply(Method_NONE_ACCEPTABLE)
+		// 	(*s.conn).SetReadDeadline(time.Time{})
+		// 	err = fmt.Errorf("none method found : Method_NO_AUTH")
+		// 	return
+		// }
+		s.method = Method_NO_AUTH
+		//method select reply
+		(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+		err = methodReq.Reply(Method_NO_AUTH)
+		(*s.conn).SetReadDeadline(time.Time{})
+		if err != nil {
+			err = fmt.Errorf("reply answer data fail,ERR: %s", err)
+			return
+		}
+		// err = fmt.Errorf("% x", methodReq.Bytes())
+	} else {
+		//auth
+		if !methodReq.Select(Method_USER_PASS) {
+			(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+			methodReq.Reply(Method_NONE_ACCEPTABLE)
+			(*s.conn).SetReadDeadline(time.Time{})
+			err = fmt.Errorf("none method found : Method_USER_PASS")
+			return
+		}
+		s.method = Method_USER_PASS
+		//method reply need auth
+		(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+		err = methodReq.Reply(Method_USER_PASS)
+		(*s.conn).SetReadDeadline(time.Time{})
+		if err != nil {
+			err = fmt.Errorf("reply answer data fail,ERR: %s", err)
+			return
+		}
+		//read auth
+		buf := make([]byte, 500)
+		var n int
+		(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+		n, err = (*s.conn).Read(buf)
+		(*s.conn).SetReadDeadline(time.Time{})
+		if err != nil {
+			err = fmt.Errorf("read auth info fail,ERR: %s", err)
+			return
+		}
+		r := buf[:n]
+		s.user = string(r[2 : r[1]+2])
+		s.password = string(r[2+r[1]+1:])
+		//err = fmt.Errorf("user:%s,pass:%s", user, pass)
+		//auth
+		_addr := strings.Split(remoteAddr.String(), ":")
+		if s.auth == nil || s.auth.CheckUserPass(s.user, s.password, _addr[0], "") {
+			(*s.conn).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(s.timeout)))
+			_, err = (*s.conn).Write([]byte{0x01, 0x00})
+			(*s.conn).SetDeadline(time.Time{})
+			if err != nil {
+				err = fmt.Errorf("answer auth success to %s fail,ERR: %s", remoteAddr, err)
+				return
+			}
+		} else {
+			(*s.conn).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(s.timeout)))
+			_, err = (*s.conn).Write([]byte{0x01, 0x01})
+			(*s.conn).SetDeadline(time.Time{})
+			if err != nil {
+				err = fmt.Errorf("answer auth fail to %s fail,ERR: %s", remoteAddr, err)
+				return
+			}
+			err = fmt.Errorf("auth fail from %s", remoteAddr)
+			return
+		}
+	}
+	//request detail
+	(*s.conn).SetReadDeadline(time.Now().Add(time.Second * s.timeout))
+	request, e := NewRequest(*s.conn)
+	(*s.conn).SetReadDeadline(time.Time{})
+	if e != nil {
+		err = fmt.Errorf("read request data fail,ERR: %s", e)
+		return
+	}
+	//协商结束
+
+	switch request.CMD() {
+	case CMD_BIND:
+		err = request.TCPReply(REP_UNKNOWN)
+		if err != nil {
+			err = fmt.Errorf("TCPReply REP_UNKNOWN to %s fail,ERR: %s", remoteAddr, err)
+			return
+		}
+		err = fmt.Errorf("cmd bind not supported, form: %s", remoteAddr)
+		return
+	case CMD_CONNECT:
+		err = request.TCPReply(REP_SUCCESS)
+		if err != nil {
+			err = fmt.Errorf("TCPReply REP_SUCCESS to %s fail,ERR: %s", remoteAddr, err)
+			return
+		}
+	case CMD_ASSOCIATE:
+		err = request.UDPReply(REP_SUCCESS, s.udpAddress)
+		if err != nil {
+			err = fmt.Errorf("UDPReply REP_SUCCESS to %s fail,ERR: %s", remoteAddr, err)
+			return
+		}
+	}
+
+	//fill socks info
+	s.target = request.Addr()
+	s.methodsCount = methodReq.MethodsCount()
+	s.methods = methodReq.Methods()
+	s.cmd = request.CMD()
+	s.reserve = request.reserve
+	s.addressType = request.addressType
+	s.dstAddr = request.dstAddr
+	s.dstHost = request.dstHost
+	s.dstPort = request.dstPort
+	return
+}
--- a/utils/socks/structs.go
+++ b/utils/socks/structs.go
@ -3,44 +3,13 @@ package socks
 import (
 	"bytes"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"net"
 	"strconv"
 )

-const (
-	Method_NO_AUTH         = uint8(0x00)
-	Method_GSSAPI          = uint8(0x01)
-	Method_USER_PASS       = uint8(0x02)
-	Method_IANA            = uint8(0x7F)
-	Method_RESVERVE        = uint8(0x80)
-	Method_NONE_ACCEPTABLE = uint8(0xFF)
-	VERSION_V5             = uint8(0x05)
-	CMD_CONNECT            = uint8(0x01)
-	CMD_BIND               = uint8(0x02)
-	CMD_ASSOCIATE          = uint8(0x03)
-	ATYP_IPV4              = uint8(0x01)
-	ATYP_DOMAIN            = uint8(0x03)
-	ATYP_IPV6              = uint8(0x04)
-	REP_SUCCESS            = uint8(0x00)
-	REP_REQ_FAIL           = uint8(0x01)
-	REP_RULE_FORBIDDEN     = uint8(0x02)
-	REP_NETWOR_UNREACHABLE = uint8(0x03)
-	REP_HOST_UNREACHABLE   = uint8(0x04)
-	REP_CONNECTION_REFUSED = uint8(0x05)
-	REP_TTL_TIMEOUT        = uint8(0x06)
-	REP_CMD_UNSUPPORTED    = uint8(0x07)
-	REP_ATYP_UNSUPPORTED   = uint8(0x08)
-	REP_UNKNOWN            = uint8(0x09)
-	RSV                    = uint8(0x00)
-)
-
-var (
-	ZERO_IP   = []byte{0x00, 0x00, 0x00, 0x00}
-	ZERO_PORT = []byte{0x00, 0x00}
-)
-
 type Request struct {
 	ver         uint8
 	cmd         uint8
@ -53,20 +22,24 @@ type Request struct {
 	rw          io.ReadWriter
 }

-func NewRequest(rw io.ReadWriter) (req Request, err interface{}) {
-	var b [1024]byte
+func NewRequest(rw io.ReadWriter, header ...[]byte) (req Request, err interface{}) {
+	var b = make([]byte, 1024)
 	var n int
 	req = Request{rw: rw}
-	n, err = rw.Read(b[:])
-	if err != nil {
-		err = fmt.Errorf("read req data fail,ERR: %s", err)
-		return
+	if header != nil && len(header) == 1 && len(header[0]) > 1 {
+		b = header[0]
+		n = len(header[0])
+	} else {
+		n, err = rw.Read(b[:])
+		if err != nil {
+			err = fmt.Errorf("read req data fail,ERR: %s", err)
+			return
+		}
 	}
 	req.ver = uint8(b[0])
 	req.cmd = uint8(b[1])
 	req.reserve = uint8(b[2])
 	req.addressType = uint8(b[3])
-
 	if b[0] != 0x5 {
 		err = fmt.Errorf("sosck version supported")
 		req.TCPReply(REP_REQ_FAIL)
@ -124,7 +97,7 @@ func (s *Request) NewReply(rep uint8, addr string) []byte {
 		ipv6[4], ipv6[5], ipv6[6], ipv6[7],
 		ipv6[8], ipv6[9], ipv6[10], ipv6[11],
 	)
-	if ipv6 != nil && "0000000000255255" != zeroiIPv6 {
+	if ipb == nil && ipv6 != nil && "0000000000255255" != zeroiIPv6 {
 		atyp = ATYP_IPV6
 		ipb = ip.To16()
 	}
@ -150,7 +123,7 @@ type MethodsRequest struct {
 	rw           *io.ReadWriter
 }

-func NewMethodsRequest(r io.ReadWriter) (s MethodsRequest, err interface{}) {
+func NewMethodsRequest(r io.ReadWriter, header ...[]byte) (s MethodsRequest, err interface{}) {
 	defer func() {
 		if err == nil {
 			err = recover()
@ -160,9 +133,14 @@ func NewMethodsRequest(r io.ReadWriter) (s MethodsRequest, err interface{}) {
 	s.rw = &r
 	var buf = make([]byte, 300)
 	var n int
-	n, err = r.Read(buf)
-	if err != nil {
-		return
+	if header != nil && len(header) == 1 && len(header[0]) > 1 {
+		buf = header[0]
+		n = len(header[0])
+	} else {
+		n, err = r.Read(buf)
+		if err != nil {
+			return
+		}
 	}
 	if buf[0] != 0x05 {
 		err = fmt.Errorf("socks version not supported")
@ -172,7 +150,6 @@ func NewMethodsRequest(r io.ReadWriter) (s MethodsRequest, err interface{}) {
 		err = fmt.Errorf("socks methods data length error")
 		return
 	}
-
 	s.ver = buf[0]
 	s.methodsCount = buf[1]
 	s.methods = buf[2:n]
@ -185,6 +162,9 @@ func (s *MethodsRequest) Version() uint8 {
 func (s *MethodsRequest) MethodsCount() uint8 {
 	return s.methodsCount
 }
+func (s *MethodsRequest) Methods() []uint8 {
+	return s.methods
+}
 func (s *MethodsRequest) Select(method uint8) bool {
 	for _, m := range s.methods {
 		if m == method {
@ -201,17 +181,6 @@ func (s *MethodsRequest) Bytes() []byte {
 	return s.bytes
 }

-type UDPPacket struct {
-	rsv     uint16
-	frag    uint8
-	atype   uint8
-	dstHost string
-	dstPort string
-	data    []byte
-	header  []byte
-	bytes   []byte
-}
-
 func ParseUDPPacket(b []byte) (p UDPPacket, err error) {
 	p = UDPPacket{}
 	p.frag = uint8(b[2])
@ -239,6 +208,18 @@ func ParseUDPPacket(b []byte) (p UDPPacket, err error) {
 	p.header = b[:portIndex+2]
 	return
 }
+
+type UDPPacket struct {
+	rsv     uint16
+	frag    uint8
+	atype   uint8
+	dstHost string
+	dstPort string
+	data    []byte
+	header  []byte
+	bytes   []byte
+}
+
 func (s *UDPPacket) Header() []byte {
 	return s.header
 }
@ -258,3 +239,104 @@ func (s *UDPPacket) Port() string {
 func (s *UDPPacket) Data() []byte {
 	return s.data
 }
+
+type PacketUDP struct {
+	rsv     uint16
+	frag    uint8
+	atype   uint8
+	dstHost string
+	dstPort string
+	data    []byte
+}
+
+func NewPacketUDP() (p PacketUDP) {
+	return PacketUDP{}
+}
+func (p *PacketUDP) Build(destAddr string, data []byte) (err error) {
+	host, port, err := net.SplitHostPort(destAddr)
+	if err != nil {
+		return
+	}
+	p.rsv = 0
+	p.frag = 0
+	p.dstHost = host
+	p.dstPort = port
+	p.atype = ATYP_IPV4
+	if ip := net.ParseIP(host); ip != nil {
+		if ip4 := ip.To4(); ip4 != nil {
+			p.atype = ATYP_IPV4
+			ip = ip4
+		} else {
+			p.atype = ATYP_IPV6
+		}
+	} else {
+		if len(host) > 255 {
+			err = errors.New("proxy: destination host name too long: " + host)
+			return
+		}
+		p.atype = ATYP_DOMAIN
+	}
+	p.data = data
+
+	return
+}
+func (p *PacketUDP) Parse(b []byte) (err error) {
+	p.frag = uint8(b[2])
+	if p.frag != 0 {
+		err = fmt.Errorf("FRAG only support for 0 , %v ,%v", p.frag, b[:4])
+		return
+	}
+	portIndex := 0
+	p.atype = b[3]
+	switch p.atype {
+	case ATYP_IPV4: //IP V4
+		p.dstHost = net.IPv4(b[4], b[5], b[6], b[7]).String()
+		portIndex = 8
+	case ATYP_DOMAIN: //域名
+		domainLen := uint8(b[4])
+		p.dstHost = string(b[5 : 5+domainLen]) //b[4]表示域名的长度
+		portIndex = int(5 + domainLen)
+	case ATYP_IPV6: //IP V6
+		p.dstHost = net.IP{b[4], b[5], b[6], b[7], b[8], b[9], b[10], b[11], b[12], b[13], b[14], b[15], b[16], b[17], b[18], b[19]}.String()
+		portIndex = 20
+	}
+	p.dstPort = strconv.Itoa(int(b[portIndex])<<8 | int(b[portIndex+1]))
+	p.data = b[portIndex+2:]
+	return
+}
+func (p *PacketUDP) Header() []byte {
+	header := new(bytes.Buffer)
+	header.Write([]byte{0x00, 0x00, p.frag, p.atype})
+	if p.atype == ATYP_IPV4 {
+		ip := net.ParseIP(p.dstHost)
+		header.Write(ip.To4())
+	} else if p.atype == ATYP_IPV6 {
+		ip := net.ParseIP(p.dstHost)
+		header.Write(ip.To16())
+	} else if p.atype == ATYP_DOMAIN {
+		hBytes := []byte(p.dstHost)
+		header.WriteByte(byte(len(hBytes)))
+		header.Write(hBytes)
+	}
+	port, _ := strconv.ParseUint(p.dstPort, 10, 64)
+	portBytes := new(bytes.Buffer)
+	binary.Write(portBytes, binary.BigEndian, port)
+	header.Write(portBytes.Bytes()[portBytes.Len()-2:])
+	return header.Bytes()
+}
+func (p *PacketUDP) Bytes() []byte {
+	packBytes := new(bytes.Buffer)
+	packBytes.Write(p.Header())
+	packBytes.Write(p.data)
+	return packBytes.Bytes()
+}
+func (p *PacketUDP) Host() string {
+	return p.dstHost
+}
+
+func (p *PacketUDP) Port() string {
+	return p.dstPort
+}
+func (p *PacketUDP) Data() []byte {
+	return p.data
+}
--- a/utils/structs.go
+++ b/utils/structs.go
@ -1,20 +1,26 @@
 package utils

 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
 	"encoding/base64"
-	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
 	"net/url"
-	"proxy/utils/sni"
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/snail007/goproxy/services/kcpcfg"
+	"github.com/snail007/goproxy/utils/sni"
+
+	"github.com/golang/snappy"
+	"github.com/miekg/dns"
 )

 type Checker struct {
@ -23,6 +29,8 @@ type Checker struct {
 	directMap  ConcurrentMap
 	interval   int64
 	timeout    int
+	isStop     bool
+	log        *logger.Logger
 }
 type CheckerItem struct {
 	IsHTTPS      bool
@ -38,11 +46,13 @@ type CheckerItem struct {
 //NewChecker args:
 //timeout : tcp timeout milliseconds ,connect to host
 //interval: recheck domain interval seconds
-func NewChecker(timeout int, interval int64, blockedFile, directFile string) Checker {
+func NewChecker(timeout int, interval int64, blockedFile, directFile string, log *logger.Logger) Checker {
 	ch := Checker{
 		data:     NewConcurrentMap(),
 		interval: interval,
 		timeout:  timeout,
+		isStop:   false,
+		log:      log,
 	}
 	ch.blockedMap = ch.loadMap(blockedFile)
 	ch.directMap = ch.loadMap(directFile)
@ -52,7 +62,10 @@ func NewChecker(timeout int, interval int64, blockedFile, directFile string) Che
 	if !ch.directMap.IsEmpty() {
 		log.Printf("direct file loaded , domains : %d", ch.directMap.Count())
 	}
-	ch.start()
+	if interval > 0 {
+		ch.start()
+	}
+
 	return ch
 }

@ -61,7 +74,7 @@ func (c *Checker) loadMap(f string) (dataMap ConcurrentMap) {
 	if PathExists(f) {
 		_contents, err := ioutil.ReadFile(f)
 		if err != nil {
-			log.Printf("load file err:%s", err)
+			c.log.Printf("load file err:%s", err)
 			return
 		}
 		for _, line := range strings.Split(string(_contents), "\n") {
@ -73,6 +86,9 @@ func (c *Checker) loadMap(f string) (dataMap ConcurrentMap) {
 	}
 	return
 }
+func (c *Checker) Stop() {
+	c.isStop = true
+}
 func (c *Checker) start() {
 	go func() {
 		//log.Printf("checker started")
@ -99,6 +115,9 @@ func (c *Checker) start() {
 				}(v.(CheckerItem))
 			}
 			time.Sleep(time.Second * time.Duration(c.interval))
+			if c.isStop {
+				return
+			}
 		}
 	}()
 }
@ -134,7 +153,7 @@ func (c *Checker) IsBlocked(address string) (blocked bool, failN, successN uint)
 func (c *Checker) domainIsInMap(address string, blockedMap bool) bool {
 	u, err := url.Parse("http://" + address)
 	if err != nil {
-		log.Printf("blocked check , url parse err:%s", err)
+		c.log.Printf("blocked check , url parse err:%s", err)
 		return true
 	}
 	domainSlice := strings.Split(u.Hostname(), ".")
@ -171,11 +190,15 @@ type BasicAuth struct {
 	authOkCode  int
 	authTimeout int
 	authRetry   int
+	dns         *DomainResolver
+	log         *logger.Logger
 }

-func NewBasicAuth() BasicAuth {
+func NewBasicAuth(dns *DomainResolver, log *logger.Logger) BasicAuth {
 	return BasicAuth{
 		data: NewConcurrentMap(),
+		dns:  dns,
+		log:  log,
 	}
 }
 func (ba *BasicAuth) SetAuthURL(URL string, code, timeout, retry int) {
@ -228,7 +251,7 @@ func (ba *BasicAuth) Check(userpass string, ip, target string) (ok bool) {
 			if err == nil {
 				return true
 			}
-			log.Printf("%s", err)
+			ba.log.Printf("%s", err)
 		}
 		return false
 	}
@ -239,18 +262,27 @@ func (ba *BasicAuth) checkFromURL(userpass, ip, target string) (err error) {
 	if len(u) != 2 {
 		return
 	}
+
 	URL := ba.authURL
 	if strings.Contains(URL, "?") {
 		URL += "&"
 	} else {
 		URL += "?"
 	}
-	URL += fmt.Sprintf("user=%s&pass=%s&ip=%s&target=%s", u[0], u[1], ip, target)
+	URL += fmt.Sprintf("user=%s&pass=%s&ip=%s&target=%s", u[0], u[1], ip, url.QueryEscape(target))
+	getURL := URL
+	var domain string
+	if ba.dns != nil {
+		_url, _ := url.Parse(ba.authURL)
+		domain = _url.Host
+		domainIP := ba.dns.MustResolve(domain)
+		getURL = strings.Replace(URL, domain, domainIP, 1)
+	}
 	var code int
 	var tryCount = 0
 	var body []byte
 	for tryCount <= ba.authRetry {
-		body, code, err = HttpGet(URL, ba.authTimeout)
+		body, code, err = HttpGet(getURL, ba.authTimeout, domain)
 		if err == nil && code == ba.authOkCode {
 			break
 		} else if err != nil {
@ -261,10 +293,14 @@ func (ba *BasicAuth) checkFromURL(userpass, ip, target string) (err error) {
 			} else {
 				err = fmt.Errorf("token error")
 			}
-			err = fmt.Errorf("auth fail from url %s,resonse code: %d, except: %d , %s , %s", URL, code, ba.authOkCode, ip, string(body))
+			b := string(body)
+			if len(b) > 50 {
+				b = b[:50]
+			}
+			err = fmt.Errorf("auth fail from url %s,resonse code: %d, except: %d , %s , %s", URL, code, ba.authOkCode, ip, b)
 		}
 		if err != nil && tryCount < ba.authRetry {
-			log.Print(err)
+			ba.log.Print(err)
 			time.Sleep(time.Second * 2)
 		}
 		tryCount++
@ -290,23 +326,31 @@ type HTTPRequest struct {
 	hostOrURL   string
 	isBasicAuth bool
 	basicAuth   *BasicAuth
+	log         *logger.Logger
 }

-func NewHTTPRequest(inConn *net.Conn, bufSize int, isBasicAuth bool, basicAuth *BasicAuth) (req HTTPRequest, err error) {
+func NewHTTPRequest(inConn *net.Conn, bufSize int, isBasicAuth bool, basicAuth *BasicAuth, log *logger.Logger, header ...[]byte) (req HTTPRequest, err error) {
 	buf := make([]byte, bufSize)
-	len := 0
+	n := 0
 	req = HTTPRequest{
 		conn: inConn,
+		log:  log,
 	}
-	len, err = (*inConn).Read(buf[:])
-	if err != nil {
-		if err != io.EOF {
-			err = fmt.Errorf("http decoder read err:%s", err)
+	if header != nil && len(header) == 1 && len(header[0]) > 1 {
+		buf = header[0]
+		n = len(header[0])
+	} else {
+		n, err = (*inConn).Read(buf[:])
+		if err != nil {
+			if err != io.EOF {
+				err = fmt.Errorf("http decoder read err:%s", err)
+			}
+			CloseConn(inConn)
+			return
 		}
-		CloseConn(inConn)
-		return
 	}
-	req.HeadBuf = buf[:len]
+
+	req.HeadBuf = buf[:n]
 	//fmt.Println(string(req.HeadBuf))
 	//try sni
 	serverName, err0 := sni.ServerNameFromBytes(req.HeadBuf)
@ -348,16 +392,14 @@ func (req *HTTPRequest) HTTP() (err error) {
 			return
 		}
 	}
-	req.URL, err = req.getHTTPURL()
-	if err == nil {
-		var u *url.URL
-		u, err = url.Parse(req.URL)
-		if err != nil {
-			return
-		}
-		req.Host = u.Host
-		req.addPortIfNot()
+	req.URL = req.getHTTPURL()
+	var u *url.URL
+	u, err = url.Parse(req.URL)
+	if err != nil {
+		return
 	}
+	req.Host = u.Host
+	req.addPortIfNot()
 	return
 }
 func (req *HTTPRequest) HTTPS() (err error) {
@ -369,7 +411,6 @@ func (req *HTTPRequest) HTTPS() (err error) {
 	}
 	req.Host = req.hostOrURL
 	req.addPortIfNot()
-	//_, err = fmt.Fprint(*req.conn, "HTTP/1.1 200 Connection established\r\n\r\n")
 	return
 }
 func (req *HTTPRequest) HTTPSReply() (err error) {
@ -380,26 +421,18 @@ func (req *HTTPRequest) IsHTTPS() bool {
 	return req.Method == "CONNECT"
 }

-func (req *HTTPRequest) BasicAuth() (err error) {
+func (req *HTTPRequest) GetAuthDataStr() (basicInfo string, err error) {
+	// log.Printf("request :%s", string(req.HeadBuf))
+	authorization := req.getHeader("Proxy-Authorization")

-	//log.Printf("request :%s", string(b[:n]))authorization
-	isProxyAuthorization := false
-	authorization, err := req.getHeader("Authorization")
-	if err != nil {
-		fmt.Fprint((*req.conn), "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"\"\r\n\r\nUnauthorized")
+	authorization = strings.Trim(authorization, " \r\n\t")
+	if authorization == "" {
+		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Unauthorized\r\nWWW-Authenticate: Basic realm=\"\"\r\n\r\nUnauthorized", "407")
 		CloseConn(req.conn)
+		err = errors.New("require auth header data")
 		return
 	}
-	if authorization == "" {
-		authorization, err = req.getHeader("Proxy-Authorization")
-		if err != nil {
-			fmt.Fprint((*req.conn), "HTTP/1.1 407 Unauthorized\r\nWWW-Authenticate: Basic realm=\"\"\r\n\r\nUnauthorized")
-			CloseConn(req.conn)
-			return
-		}
-		isProxyAuthorization = true
-	}
-	//log.Printf("Authorization:%s", authorization)
+	//log.Printf("Authorization:%authorization = req.getHeader("Authorization")
 	basic := strings.Fields(authorization)
 	if len(basic) != 2 {
 		err = fmt.Errorf("authorization data error,ERR:%s", authorization)
@ -412,47 +445,51 @@ func (req *HTTPRequest) BasicAuth() (err error) {
 		CloseConn(req.conn)
 		return
 	}
+	basicInfo = string(user)
+	return
+}
+func (req *HTTPRequest) BasicAuth() (err error) {
 	addr := strings.Split((*req.conn).RemoteAddr().String(), ":")
 	URL := ""
 	if req.IsHTTPS() {
 		URL = "https://" + req.Host
 	} else {
-		URL, _ = req.getHTTPURL()
+		URL = req.getHTTPURL()
+	}
+	user, err := req.GetAuthDataStr()
+	if err != nil {
+		return
 	}
 	authOk := (*req.basicAuth).Check(string(user), addr[0], URL)
 	//log.Printf("auth %s,%v", string(user), authOk)
 	if !authOk {
-		code := "401"
-		if isProxyAuthorization {
-			code = "407"
-		}
-		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Unauthorized\r\n\r\nUnauthorized", code)
+		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Unauthorized\r\n\r\nUnauthorized", "407")
 		CloseConn(req.conn)
 		err = fmt.Errorf("basic auth fail")
 		return
 	}
 	return
 }
-func (req *HTTPRequest) getHTTPURL() (URL string, err error) {
+func (req *HTTPRequest) getHTTPURL() (URL string) {
 	if !strings.HasPrefix(req.hostOrURL, "/") {
-		return req.hostOrURL, nil
+		return req.hostOrURL
 	}
-	_host, err := req.getHeader("host")
-	if err != nil {
+	_host := req.getHeader("host")
+	if _host == "" {
 		return
 	}
 	URL = fmt.Sprintf("http://%s%s", _host, req.hostOrURL)
 	return
 }
-func (req *HTTPRequest) getHeader(key string) (val string, err error) {
+func (req *HTTPRequest) getHeader(key string) (val string) {
 	key = strings.ToUpper(key)
 	lines := strings.Split(string(req.HeadBuf), "\r\n")
 	//log.Println(lines)
 	for _, line := range lines {
-		line := strings.SplitN(strings.Trim(line, "\r\n "), ":", 2)
-		if len(line) == 2 {
-			k := strings.ToUpper(strings.Trim(line[0], " "))
-			v := strings.Trim(line[1], " ")
+		hline := strings.SplitN(strings.Trim(line, "\r\n "), ":", 2)
+		if len(hline) == 2 {
+			k := strings.ToUpper(strings.Trim(hline[0], " "))
+			v := strings.Trim(hline[1], " ")
 			if key == k {
 				val = v
 				return
@ -476,252 +513,55 @@ func (req *HTTPRequest) addPortIfNot() (newHost string) {
 	return
 }

-type OutPool struct {
-	Pool      ConnPool
-	dur       int
-	typ       string
-	certBytes []byte
-	keyBytes  []byte
-	kcpMethod string
-	kcpKey    string
-	address   string
-	timeout   int
+type OutConn struct {
+	dur         int
+	typ         string
+	certBytes   []byte
+	keyBytes    []byte
+	caCertBytes []byte
+	kcp         kcpcfg.KCPConfigArgs
+	address     string
+	timeout     int
 }

-func NewOutPool(dur int, typ, kcpMethod, kcpKey string, certBytes, keyBytes []byte, address string, timeout int, InitialCap int, MaxCap int) (op OutPool) {
-	op = OutPool{
-		dur:       dur,
-		typ:       typ,
-		certBytes: certBytes,
-		keyBytes:  keyBytes,
-		kcpMethod: kcpMethod,
-		kcpKey:    kcpKey,
-		address:   address,
-		timeout:   timeout,
+func NewOutConn(dur int, typ string, kcp kcpcfg.KCPConfigArgs, certBytes, keyBytes, caCertBytes []byte, address string, timeout int) (op OutConn) {
+	return OutConn{
+		dur:         dur,
+		typ:         typ,
+		certBytes:   certBytes,
+		keyBytes:    keyBytes,
+		caCertBytes: caCertBytes,
+		kcp:         kcp,
+		address:     address,
+		timeout:     timeout,
 	}
-	var err error
-	op.Pool, err = NewConnPool(poolConfig{
-		IsActive: func(conn interface{}) bool { return true },
-		Release: func(conn interface{}) {
-			if conn != nil {
-				conn.(net.Conn).SetDeadline(time.Now().Add(time.Millisecond))
-				conn.(net.Conn).Close()
-				// log.Println("conn released")
-			}
-		},
-		InitialCap: InitialCap,
-		MaxCap:     MaxCap,
-		Factory: func() (conn interface{}, err error) {
-			conn, err = op.getConn()
-			return
-		},
-	})
-	if err != nil {
-		log.Fatalf("init conn pool fail ,%s", err)
-	} else {
-		if InitialCap > 0 {
-			log.Printf("init conn pool success")
-			op.initPoolDeamon()
-		} else {
-			log.Printf("conn pool closed")
-		}
-	}
-	return
 }
-func (op *OutPool) getConn() (conn interface{}, err error) {
+func (op *OutConn) Get() (conn net.Conn, err error) {
 	if op.typ == "tls" {
 		var _conn tls.Conn
-		_conn, err = TlsConnectHost(op.address, op.timeout, op.certBytes, op.keyBytes)
+		_conn, err = TlsConnectHost(op.address, op.timeout, op.certBytes, op.keyBytes, op.caCertBytes)
 		if err == nil {
 			conn = net.Conn(&_conn)
 		}
 	} else if op.typ == "kcp" {
-		conn, err = ConnectKCPHost(op.address, op.kcpMethod, op.kcpKey)
+		conn, err = ConnectKCPHost(op.address, op.kcp)
 	} else {
 		conn, err = ConnectHost(op.address, op.timeout)
 	}
 	return
 }

-func (op *OutPool) initPoolDeamon() {
-	go func() {
-		if op.dur <= 0 {
-			return
-		}
-		log.Printf("pool deamon started")
-		for {
-			time.Sleep(time.Second * time.Duration(op.dur))
-			conn, err := op.getConn()
-			if err != nil {
-				log.Printf("pool deamon err %s , release pool", err)
-				op.Pool.ReleaseAll()
-			} else {
-				conn.(net.Conn).SetDeadline(time.Now().Add(time.Millisecond))
-				conn.(net.Conn).Close()
-			}
-		}
-	}()
-}
-
-type HeartbeatData struct {
-	Data  []byte
-	N     int
-	Error error
-}
-type HeartbeatReadWriter struct {
-	conn *net.Conn
-	// rchn       chan HeartbeatData
-	l          *sync.Mutex
-	dur        int
-	errHandler func(err error, hb *HeartbeatReadWriter)
-	once       *sync.Once
-	datachn    chan byte
-	// rbuf       bytes.Buffer
-	// signal     chan bool
-	rerrchn chan error
-}
-
-func NewHeartbeatReadWriter(conn *net.Conn, dur int, fn func(err error, hb *HeartbeatReadWriter)) (hrw HeartbeatReadWriter) {
-	hrw = HeartbeatReadWriter{
-		conn: conn,
-		l:    &sync.Mutex{},
-		dur:  dur,
-		// rchn:       make(chan HeartbeatData, 10000),
-		// signal:     make(chan bool, 1),
-		errHandler: fn,
-		datachn:    make(chan byte, 4*1024),
-		once:       &sync.Once{},
-		rerrchn:    make(chan error, 1),
-		// rbuf:       bytes.Buffer{},
-	}
-	hrw.heartbeat()
-	hrw.reader()
-	return
-}
-
-func (rw *HeartbeatReadWriter) Close() {
-	CloseConn(rw.conn)
-}
-func (rw *HeartbeatReadWriter) reader() {
-	go func() {
-		//log.Printf("heartbeat read started")
-		for {
-			n, data, err := rw.read()
-			if n == -1 {
-				continue
-			}
-			//log.Printf("n:%d , data:%s ,err:%s", n, string(data), err)
-			if err == nil {
-				//fmt.Printf("write data %s\n", string(data))
-				for _, b := range data {
-					rw.datachn <- b
-				}
-			}
-			if err != nil {
-				//log.Printf("heartbeat reader err: %s", err)
-				select {
-				case rw.rerrchn <- err:
-				default:
-				}
-				rw.once.Do(func() {
-					rw.errHandler(err, rw)
-				})
-				break
-			}
-		}
-		//log.Printf("heartbeat read exited")
-	}()
-}
-func (rw *HeartbeatReadWriter) read() (n int, data []byte, err error) {
-	var typ uint8
-	err = binary.Read((*rw.conn), binary.LittleEndian, &typ)
-	if err != nil {
-		return
-	}
-	if typ == 0 {
-		// log.Printf("heartbeat revecived")
-		n = -1
-		return
-	}
-	var dataLength uint32
-	binary.Read((*rw.conn), binary.LittleEndian, &dataLength)
-	_data := make([]byte, dataLength)
-	// log.Printf("dataLength:%d , data:%s", dataLength, string(data))
-	n, err = (*rw.conn).Read(_data)
-	//log.Printf("n:%d , data:%s ,err:%s", n, string(data), err)
-	if err != nil {
-		return
-	}
-	if uint32(n) != dataLength {
-		err = fmt.Errorf("read short data body")
-		return
-	}
-	data = _data[:n]
-	return
-}
-func (rw *HeartbeatReadWriter) heartbeat() {
-	go func() {
-		//log.Printf("heartbeat started")
-		for {
-			if rw.conn == nil || *rw.conn == nil {
-				//log.Printf("heartbeat err: conn nil")
-				break
-			}
-			rw.l.Lock()
-			_, err := (*rw.conn).Write([]byte{0})
-			rw.l.Unlock()
-			if err != nil {
-				//log.Printf("heartbeat err: %s", err)
-				rw.once.Do(func() {
-					rw.errHandler(err, rw)
-				})
-				break
-			} else {
-				// log.Printf("heartbeat send ok")
-			}
-			time.Sleep(time.Second * time.Duration(rw.dur))
-		}
-		//log.Printf("heartbeat exited")
-	}()
-}
-func (rw *HeartbeatReadWriter) Read(p []byte) (n int, err error) {
-	data := make([]byte, cap(p))
-	for i := 0; i < cap(p); i++ {
-		data[i] = <-rw.datachn
-		n++
-		//fmt.Printf("read  %d %v\n", i, data[:n])
-		if len(rw.datachn) == 0 {
-			n = i + 1
-			copy(p, data[:n])
-			return
-		}
-	}
-	return
-}
-func (rw *HeartbeatReadWriter) Write(p []byte) (n int, err error) {
-	defer rw.l.Unlock()
-	rw.l.Lock()
-	pkg := new(bytes.Buffer)
-	binary.Write(pkg, binary.LittleEndian, uint8(1))
-	binary.Write(pkg, binary.LittleEndian, uint32(len(p)))
-	binary.Write(pkg, binary.LittleEndian, p)
-	bs := pkg.Bytes()
-	n, err = (*rw.conn).Write(bs)
-	if err == nil {
-		n = len(p)
-	}
-	return
-}
-
 type ConnManager struct {
 	pool ConcurrentMap
 	l    *sync.Mutex
+	log  *logger.Logger
 }

-func NewConnManager() ConnManager {
+func NewConnManager(log *logger.Logger) ConnManager {
 	cm := ConnManager{
 		pool: NewConcurrentMap(),
 		l:    &sync.Mutex{},
+		log:  log,
 	}
 	return cm
 }
@ -738,7 +578,7 @@ func (cm *ConnManager) Add(key, ID string, conn *net.Conn) {
 			(*v.(*net.Conn)).Close()
 		}
 		conns.Set(ID, conn)
-		log.Printf("%s conn added", key)
+		cm.log.Printf("%s conn added", key)
 		return conns
 	})
 }
@ -749,7 +589,7 @@ func (cm *ConnManager) Remove(key string) {
 		conns.IterCb(func(key string, v interface{}) {
 			CloseConn(v.(*net.Conn))
 		})
-		log.Printf("%s conns closed", key)
+		cm.log.Printf("%s conns closed", key)
 	}
 	cm.pool.Remove(key)
 }
@ -764,7 +604,7 @@ func (cm *ConnManager) RemoveOne(key string, ID string) {
 			(*v.(*net.Conn)).Close()
 			conns.Remove(ID)
 			cm.pool.Set(key, conns)
-			log.Printf("%s %s conn closed", key, ID)
+			cm.log.Printf("%s %s conn closed", key, ID)
 		}
 	}
 }
@ -773,3 +613,223 @@ func (cm *ConnManager) RemoveAll() {
 		cm.Remove(k)
 	}
 }
+
+type ClientKeyRouter struct {
+	keyChan chan string
+	ctrl    *ConcurrentMap
+	lock    *sync.Mutex
+}
+
+func NewClientKeyRouter(ctrl *ConcurrentMap, size int) ClientKeyRouter {
+	return ClientKeyRouter{
+		keyChan: make(chan string, size),
+		ctrl:    ctrl,
+		lock:    &sync.Mutex{},
+	}
+}
+func (c *ClientKeyRouter) GetKey() string {
+	defer c.lock.Unlock()
+	c.lock.Lock()
+	if len(c.keyChan) == 0 {
+	EXIT:
+		for _, k := range c.ctrl.Keys() {
+			select {
+			case c.keyChan <- k:
+			default:
+				goto EXIT
+			}
+		}
+	}
+	for {
+		if len(c.keyChan) == 0 {
+			return "*"
+		}
+		select {
+		case key := <-c.keyChan:
+			if c.ctrl.Has(key) {
+				return key
+			}
+		default:
+			return "*"
+		}
+	}
+
+}
+
+type DomainResolver struct {
+	ttl         int
+	dnsAddrress string
+	data        ConcurrentMap
+	log         *logger.Logger
+}
+type DomainResolverItem struct {
+	ip        string
+	domain    string
+	expiredAt int64
+}
+
+func NewDomainResolver(dnsAddrress string, ttl int, log *logger.Logger) DomainResolver {
+	return DomainResolver{
+		ttl:         ttl,
+		dnsAddrress: dnsAddrress,
+		data:        NewConcurrentMap(),
+		log:         log,
+	}
+}
+func (a *DomainResolver) MustResolve(address string) (ip string) {
+	ip, _ = a.Resolve(address)
+	return
+}
+func (a *DomainResolver) Resolve(address string) (ip string, err error) {
+	domain := address
+	port := ""
+	fromCache := "false"
+	defer func() {
+		if port != "" {
+			ip = net.JoinHostPort(ip, port)
+		}
+		a.log.Printf("dns:%s->%s,cache:%s", address, ip, fromCache)
+		//a.PrintData()
+	}()
+	if strings.Contains(domain, ":") {
+		domain, port, err = net.SplitHostPort(domain)
+		if err != nil {
+			return
+		}
+	}
+	if net.ParseIP(domain) != nil {
+		ip = domain
+		fromCache = "ip ignore"
+		return
+	}
+	item, ok := a.data.Get(domain)
+	if ok {
+		//log.Println("find ", domain)
+		if (*item.(*DomainResolverItem)).expiredAt > time.Now().Unix() {
+			ip = (*item.(*DomainResolverItem)).ip
+			fromCache = "true"
+			//log.Println("from cache ", domain)
+			return
+		}
+	} else {
+		item = &DomainResolverItem{
+			domain: domain,
+		}
+
+	}
+	c := new(dns.Client)
+	c.DialTimeout = time.Millisecond * 5000
+	c.ReadTimeout = time.Millisecond * 5000
+	c.WriteTimeout = time.Millisecond * 5000
+	m := new(dns.Msg)
+	m.SetQuestion(dns.Fqdn(domain), dns.TypeA)
+	m.RecursionDesired = true
+	r, _, err := c.Exchange(m, a.dnsAddrress)
+	if r == nil {
+		return
+	}
+	if r.Rcode != dns.RcodeSuccess {
+		err = fmt.Errorf(" *** invalid answer name %s after A query for %s", domain, a.dnsAddrress)
+		return
+	}
+	for _, answer := range r.Answer {
+		if answer.Header().Rrtype == dns.TypeA {
+			info := strings.Fields(answer.String())
+			if len(info) >= 5 {
+				ip = info[4]
+				_item := item.(*DomainResolverItem)
+				(*_item).expiredAt = time.Now().Unix() + int64(a.ttl)
+				(*_item).ip = ip
+				a.data.Set(domain, item)
+				return
+			}
+		}
+	}
+	return
+}
+func (a *DomainResolver) PrintData() {
+	for k, item := range a.data.Items() {
+		d := item.(*DomainResolverItem)
+		a.log.Printf("%s:ip[%s],domain[%s],expired at[%d]\n", k, (*d).ip, (*d).domain, (*d).expiredAt)
+	}
+}
+func NewCompStream(conn net.Conn) *CompStream {
+	c := new(CompStream)
+	c.conn = conn
+	c.w = snappy.NewBufferedWriter(conn)
+	c.r = snappy.NewReader(conn)
+	return c
+}
+func NewCompConn(conn net.Conn) net.Conn {
+	c := CompStream{}
+	c.conn = conn
+	c.w = snappy.NewBufferedWriter(conn)
+	c.r = snappy.NewReader(conn)
+	return &c
+}
+
+type CompStream struct {
+	net.Conn
+	conn net.Conn
+	w    *snappy.Writer
+	r    *snappy.Reader
+}
+
+func (c *CompStream) Read(p []byte) (n int, err error) {
+	return c.r.Read(p)
+}
+
+func (c *CompStream) Write(p []byte) (n int, err error) {
+	n, err = c.w.Write(p)
+	err = c.w.Flush()
+	return n, err
+}
+
+func (c *CompStream) Close() error {
+	return c.conn.Close()
+}
+func (c *CompStream) LocalAddr() net.Addr {
+	return c.conn.LocalAddr()
+}
+func (c *CompStream) RemoteAddr() net.Addr {
+	return c.conn.RemoteAddr()
+}
+func (c *CompStream) SetDeadline(t time.Time) error {
+	return c.conn.SetDeadline(t)
+}
+func (c *CompStream) SetReadDeadline(t time.Time) error {
+	return c.conn.SetReadDeadline(t)
+}
+func (c *CompStream) SetWriteDeadline(t time.Time) error {
+	return c.conn.SetWriteDeadline(t)
+}
+
+type BufferedConn struct {
+	r        *bufio.Reader
+	net.Conn // So that most methods are embedded
+}
+
+func NewBufferedConn(c net.Conn) BufferedConn {
+	return BufferedConn{bufio.NewReader(c), c}
+}
+
+func NewBufferedConnSize(c net.Conn, n int) BufferedConn {
+	return BufferedConn{bufio.NewReaderSize(c, n), c}
+}
+
+func (b BufferedConn) Peek(n int) ([]byte, error) {
+	return b.r.Peek(n)
+}
+
+func (b BufferedConn) Read(p []byte) (int, error) {
+	return b.r.Read(p)
+}
+func (b BufferedConn) ReadByte() (byte, error) {
+	return b.r.ReadByte()
+}
+func (b BufferedConn) UnreadByte() error {
+	return b.r.UnreadByte()
+}
+func (b BufferedConn) Buffered() int {
+	return b.r.Buffered()
+}
--- a/vendor/github.com/Yawning/chacha20/LICENSE
+++ b/vendor/github.com/Yawning/chacha20/LICENSE
@ -0,0 +1,122 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
+
--- a/vendor/github.com/Yawning/chacha20/README.md
+++ b/vendor/github.com/Yawning/chacha20/README.md
@ -0,0 +1,14 @@
+### chacha20 - ChaCha20
+#### Yawning Angel (yawning at schwanenlied dot me)
+
+Yet another Go ChaCha20 implementation.  Everything else I found  was slow,
+didn't support all the variants I need to use, or relied on cgo to go fast.
+
+Features:
+
+ * 20 round, 256 bit key only.  Everything else is pointless and stupid.
+ * IETF 96 bit nonce variant.
+ * XChaCha 24 byte nonce variant.
+ * SSE2 and AVX2 support on amd64 targets.
+ * Incremental encrypt/decrypt support, unlike golang.org/x/crypto/salsa20.
+
--- a/vendor/github.com/Yawning/chacha20/chacha20.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20.go
@ -0,0 +1,273 @@
+// chacha20.go - A ChaCha stream cipher implementation.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+package chacha20
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+	"math"
+	"runtime"
+)
+
+const (
+	// KeySize is the ChaCha20 key size in bytes.
+	KeySize = 32
+
+	// NonceSize is the ChaCha20 nonce size in bytes.
+	NonceSize = 8
+
+	// INonceSize is the IETF ChaCha20 nonce size in bytes.
+	INonceSize = 12
+
+	// XNonceSize is the XChaCha20 nonce size in bytes.
+	XNonceSize = 24
+
+	// HNonceSize is the HChaCha20 nonce size in bytes.
+	HNonceSize = 16
+
+	// BlockSize is the ChaCha20 block size in bytes.
+	BlockSize = 64
+
+	stateSize    = 16
+	chachaRounds = 20
+
+	// The constant "expand 32-byte k" as little endian uint32s.
+	sigma0 = uint32(0x61707865)
+	sigma1 = uint32(0x3320646e)
+	sigma2 = uint32(0x79622d32)
+	sigma3 = uint32(0x6b206574)
+)
+
+var (
+	// ErrInvalidKey is the error returned when the key is invalid.
+	ErrInvalidKey = errors.New("key length must be KeySize bytes")
+
+	// ErrInvalidNonce is the error returned when the nonce is invalid.
+	ErrInvalidNonce = errors.New("nonce length must be NonceSize/INonceSize/XNonceSize bytes")
+
+	// ErrInvalidCounter is the error returned when the counter is invalid.
+	ErrInvalidCounter = errors.New("block counter is invalid (out of range)")
+
+	useUnsafe    = false
+	usingVectors = false
+	blocksFn     = blocksRef
+)
+
+// A Cipher is an instance of ChaCha20/XChaCha20 using a particular key and
+// nonce.
+type Cipher struct {
+	state [stateSize]uint32
+
+	buf  [BlockSize]byte
+	off  int
+	ietf bool
+}
+
+// Reset zeros the key data so that it will no longer appear in the process's
+// memory.
+func (c *Cipher) Reset() {
+	for i := range c.state {
+		c.state[i] = 0
+	}
+	for i := range c.buf {
+		c.buf[i] = 0
+	}
+}
+
+// XORKeyStream sets dst to the result of XORing src with the key stream.  Dst
+// and src may be the same slice but otherwise should not overlap.
+func (c *Cipher) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		src = src[:len(dst)]
+	}
+
+	for remaining := len(src); remaining > 0; {
+		// Process multiple blocks at once.
+		if c.off == BlockSize {
+			nrBlocks := remaining / BlockSize
+			directBytes := nrBlocks * BlockSize
+			if nrBlocks > 0 {
+				blocksFn(&c.state, src, dst, nrBlocks, c.ietf)
+				remaining -= directBytes
+				if remaining == 0 {
+					return
+				}
+				dst = dst[directBytes:]
+				src = src[directBytes:]
+			}
+
+			// If there's a partial block, generate 1 block of keystream into
+			// the internal buffer.
+			blocksFn(&c.state, nil, c.buf[:], 1, c.ietf)
+			c.off = 0
+		}
+
+		// Process partial blocks from the buffered keystream.
+		toXor := BlockSize - c.off
+		if remaining < toXor {
+			toXor = remaining
+		}
+		if toXor > 0 {
+			for i, v := range src[:toXor] {
+				dst[i] = v ^ c.buf[c.off+i]
+			}
+			dst = dst[toXor:]
+			src = src[toXor:]
+
+			remaining -= toXor
+			c.off += toXor
+		}
+	}
+}
+
+// KeyStream sets dst to the raw keystream.
+func (c *Cipher) KeyStream(dst []byte) {
+	for remaining := len(dst); remaining > 0; {
+		// Process multiple blocks at once.
+		if c.off == BlockSize {
+			nrBlocks := remaining / BlockSize
+			directBytes := nrBlocks * BlockSize
+			if nrBlocks > 0 {
+				blocksFn(&c.state, nil, dst, nrBlocks, c.ietf)
+				remaining -= directBytes
+				if remaining == 0 {
+					return
+				}
+				dst = dst[directBytes:]
+			}
+
+			// If there's a partial block, generate 1 block of keystream into
+			// the internal buffer.
+			blocksFn(&c.state, nil, c.buf[:], 1, c.ietf)
+			c.off = 0
+		}
+
+		// Process partial blocks from the buffered keystream.
+		toCopy := BlockSize - c.off
+		if remaining < toCopy {
+			toCopy = remaining
+		}
+		if toCopy > 0 {
+			copy(dst[:toCopy], c.buf[c.off:c.off+toCopy])
+			dst = dst[toCopy:]
+			remaining -= toCopy
+			c.off += toCopy
+		}
+	}
+}
+
+// ReKey reinitializes the ChaCha20/XChaCha20 instance with the provided key
+// and nonce.
+func (c *Cipher) ReKey(key, nonce []byte) error {
+	if len(key) != KeySize {
+		return ErrInvalidKey
+	}
+
+	switch len(nonce) {
+	case NonceSize:
+	case INonceSize:
+	case XNonceSize:
+		var subkey [KeySize]byte
+		var subnonce [HNonceSize]byte
+		copy(subnonce[:], nonce[0:16])
+		HChaCha(key, &subnonce, &subkey)
+		key = subkey[:]
+		nonce = nonce[16:24]
+		defer func() {
+			for i := range subkey {
+				subkey[i] = 0
+			}
+		}()
+	default:
+		return ErrInvalidNonce
+	}
+
+	c.Reset()
+	c.state[0] = sigma0
+	c.state[1] = sigma1
+	c.state[2] = sigma2
+	c.state[3] = sigma3
+	c.state[4] = binary.LittleEndian.Uint32(key[0:4])
+	c.state[5] = binary.LittleEndian.Uint32(key[4:8])
+	c.state[6] = binary.LittleEndian.Uint32(key[8:12])
+	c.state[7] = binary.LittleEndian.Uint32(key[12:16])
+	c.state[8] = binary.LittleEndian.Uint32(key[16:20])
+	c.state[9] = binary.LittleEndian.Uint32(key[20:24])
+	c.state[10] = binary.LittleEndian.Uint32(key[24:28])
+	c.state[11] = binary.LittleEndian.Uint32(key[28:32])
+	c.state[12] = 0
+	if len(nonce) == INonceSize {
+		c.state[13] = binary.LittleEndian.Uint32(nonce[0:4])
+		c.state[14] = binary.LittleEndian.Uint32(nonce[4:8])
+		c.state[15] = binary.LittleEndian.Uint32(nonce[8:12])
+		c.ietf = true
+	} else {
+		c.state[13] = 0
+		c.state[14] = binary.LittleEndian.Uint32(nonce[0:4])
+		c.state[15] = binary.LittleEndian.Uint32(nonce[4:8])
+		c.ietf = false
+	}
+	c.off = BlockSize
+	return nil
+
+}
+
+// Seek sets the block counter to a given offset.
+func (c *Cipher) Seek(blockCounter uint64) error {
+	if c.ietf {
+		if blockCounter > math.MaxUint32 {
+			return ErrInvalidCounter
+		}
+		c.state[12] = uint32(blockCounter)
+	} else {
+		c.state[12] = uint32(blockCounter)
+		c.state[13] = uint32(blockCounter >> 32)
+	}
+	c.off = BlockSize
+	return nil
+}
+
+// NewCipher returns a new ChaCha20/XChaCha20 instance.
+func NewCipher(key, nonce []byte) (*Cipher, error) {
+	c := new(Cipher)
+	if err := c.ReKey(key, nonce); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+// HChaCha is the HChaCha20 hash function used to make XChaCha.
+func HChaCha(key []byte, nonce *[HNonceSize]byte, out *[32]byte) {
+	var x [stateSize]uint32 // Last 4 slots unused, sigma hardcoded.
+	x[0] = binary.LittleEndian.Uint32(key[0:4])
+	x[1] = binary.LittleEndian.Uint32(key[4:8])
+	x[2] = binary.LittleEndian.Uint32(key[8:12])
+	x[3] = binary.LittleEndian.Uint32(key[12:16])
+	x[4] = binary.LittleEndian.Uint32(key[16:20])
+	x[5] = binary.LittleEndian.Uint32(key[20:24])
+	x[6] = binary.LittleEndian.Uint32(key[24:28])
+	x[7] = binary.LittleEndian.Uint32(key[28:32])
+	x[8] = binary.LittleEndian.Uint32(nonce[0:4])
+	x[9] = binary.LittleEndian.Uint32(nonce[4:8])
+	x[10] = binary.LittleEndian.Uint32(nonce[8:12])
+	x[11] = binary.LittleEndian.Uint32(nonce[12:16])
+	hChaChaRef(&x, out)
+}
+
+func init() {
+	switch runtime.GOARCH {
+	case "386", "amd64":
+		// Abuse unsafe to skip calling binary.LittleEndian.PutUint32
+		// in the critical path.  This is a big boost on systems that are
+		// little endian and not overly picky about alignment.
+		useUnsafe = true
+	}
+}
+
+var _ cipher.Stream = (*Cipher)(nil)
--- a/vendor/github.com/Yawning/chacha20/chacha20_amd64.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20_amd64.go
@ -0,0 +1,95 @@
+// chacha20_amd64.go - AMD64 optimized chacha20.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+// +build amd64,!gccgo,!appengine
+
+package chacha20
+
+import (
+	"math"
+)
+
+var usingAVX2 = false
+
+func blocksAmd64SSE2(x *uint32, inp, outp *byte, nrBlocks uint)
+
+func blocksAmd64AVX2(x *uint32, inp, outp *byte, nrBlocks uint)
+
+func cpuidAmd64(cpuidParams *uint32)
+
+func xgetbv0Amd64(xcrVec *uint32)
+
+func blocksAmd64(x *[stateSize]uint32, in []byte, out []byte, nrBlocks int, isIetf bool) {
+	// Probably unneeded, but stating this explicitly simplifies the assembly.
+	if nrBlocks == 0 {
+		return
+	}
+
+	if isIetf {
+		var totalBlocks uint64
+		totalBlocks = uint64(x[12]) + uint64(nrBlocks)
+		if totalBlocks > math.MaxUint32 {
+			panic("chacha20: Exceeded keystream per nonce limit")
+		}
+	}
+
+	if in == nil {
+		for i := range out {
+			out[i] = 0
+		}
+		in = out
+	}
+
+	// Pointless to call the AVX2 code for just a single block, since half of
+	// the output gets discarded...
+	if usingAVX2 && nrBlocks > 1 {
+		blocksAmd64AVX2(&x[0], &in[0], &out[0], uint(nrBlocks))
+	} else {
+		blocksAmd64SSE2(&x[0], &in[0], &out[0], uint(nrBlocks))
+	}
+}
+
+func supportsAVX2() bool {
+	// https://software.intel.com/en-us/articles/how-to-detect-new-instruction-support-in-the-4th-generation-intel-core-processor-family
+	const (
+		osXsaveBit = 1 << 27
+		avx2Bit    = 1 << 5
+	)
+
+	// Check to see if CPUID actually supports the leaf that indicates AVX2.
+	// CPUID.(EAX=0H, ECX=0H) >= 7
+	regs := [4]uint32{0x00}
+	cpuidAmd64(&regs[0])
+	if regs[0] < 7 {
+		return false
+	}
+
+	// Check to see if the OS knows how to save/restore XMM/YMM state.
+	// CPUID.(EAX=01H, ECX=0H):ECX.OSXSAVE[bit 27]==1
+	regs = [4]uint32{0x01}
+	cpuidAmd64(&regs[0])
+	if regs[2]&osXsaveBit == 0 {
+		return false
+	}
+	xcrRegs := [2]uint32{}
+	xgetbv0Amd64(&xcrRegs[0])
+	if xcrRegs[0]&6 != 6 {
+		return false
+	}
+
+	// Check for AVX2 support.
+	// CPUID.(EAX=07H, ECX=0H):EBX.AVX2[bit 5]==1
+	regs = [4]uint32{0x07}
+	cpuidAmd64(&regs[0])
+	return regs[1]&avx2Bit != 0
+}
+
+func init() {
+	blocksFn = blocksAmd64
+	usingVectors = true
+	usingAVX2 = supportsAVX2()
+}
--- a/vendor/github.com/Yawning/chacha20/chacha20_amd64.py
+++ b/vendor/github.com/Yawning/chacha20/chacha20_amd64.py
--- a/vendor/github.com/Yawning/chacha20/chacha20_amd64.s
+++ b/vendor/github.com/Yawning/chacha20/chacha20_amd64.s
--- a/vendor/github.com/Yawning/chacha20/chacha20_ref.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20_ref.go
@ -0,0 +1,394 @@
+// chacha20_ref.go - Reference ChaCha20.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+// +build !go1.9
+
+package chacha20
+
+import (
+	"encoding/binary"
+	"math"
+	"unsafe"
+)
+
+func blocksRef(x *[stateSize]uint32, in []byte, out []byte, nrBlocks int, isIetf bool) {
+	if isIetf {
+		var totalBlocks uint64
+		totalBlocks = uint64(x[12]) + uint64(nrBlocks)
+		if totalBlocks > math.MaxUint32 {
+			panic("chacha20: Exceeded keystream per nonce limit")
+		}
+	}
+
+	// This routine ignores x[0]...x[4] in favor the const values since it's
+	// ever so slightly faster.
+
+	for n := 0; n < nrBlocks; n++ {
+		x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+		x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11], x[12], x[13], x[14], x[15]
+
+		for i := chachaRounds; i > 0; i -= 2 {
+			// quarterround(x, 0, 4, 8, 12)
+			x0 += x4
+			x12 ^= x0
+			x12 = (x12 << 16) | (x12 >> 16)
+			x8 += x12
+			x4 ^= x8
+			x4 = (x4 << 12) | (x4 >> 20)
+			x0 += x4
+			x12 ^= x0
+			x12 = (x12 << 8) | (x12 >> 24)
+			x8 += x12
+			x4 ^= x8
+			x4 = (x4 << 7) | (x4 >> 25)
+
+			// quarterround(x, 1, 5, 9, 13)
+			x1 += x5
+			x13 ^= x1
+			x13 = (x13 << 16) | (x13 >> 16)
+			x9 += x13
+			x5 ^= x9
+			x5 = (x5 << 12) | (x5 >> 20)
+			x1 += x5
+			x13 ^= x1
+			x13 = (x13 << 8) | (x13 >> 24)
+			x9 += x13
+			x5 ^= x9
+			x5 = (x5 << 7) | (x5 >> 25)
+
+			// quarterround(x, 2, 6, 10, 14)
+			x2 += x6
+			x14 ^= x2
+			x14 = (x14 << 16) | (x14 >> 16)
+			x10 += x14
+			x6 ^= x10
+			x6 = (x6 << 12) | (x6 >> 20)
+			x2 += x6
+			x14 ^= x2
+			x14 = (x14 << 8) | (x14 >> 24)
+			x10 += x14
+			x6 ^= x10
+			x6 = (x6 << 7) | (x6 >> 25)
+
+			// quarterround(x, 3, 7, 11, 15)
+			x3 += x7
+			x15 ^= x3
+			x15 = (x15 << 16) | (x15 >> 16)
+			x11 += x15
+			x7 ^= x11
+			x7 = (x7 << 12) | (x7 >> 20)
+			x3 += x7
+			x15 ^= x3
+			x15 = (x15 << 8) | (x15 >> 24)
+			x11 += x15
+			x7 ^= x11
+			x7 = (x7 << 7) | (x7 >> 25)
+
+			// quarterround(x, 0, 5, 10, 15)
+			x0 += x5
+			x15 ^= x0
+			x15 = (x15 << 16) | (x15 >> 16)
+			x10 += x15
+			x5 ^= x10
+			x5 = (x5 << 12) | (x5 >> 20)
+			x0 += x5
+			x15 ^= x0
+			x15 = (x15 << 8) | (x15 >> 24)
+			x10 += x15
+			x5 ^= x10
+			x5 = (x5 << 7) | (x5 >> 25)
+
+			// quarterround(x, 1, 6, 11, 12)
+			x1 += x6
+			x12 ^= x1
+			x12 = (x12 << 16) | (x12 >> 16)
+			x11 += x12
+			x6 ^= x11
+			x6 = (x6 << 12) | (x6 >> 20)
+			x1 += x6
+			x12 ^= x1
+			x12 = (x12 << 8) | (x12 >> 24)
+			x11 += x12
+			x6 ^= x11
+			x6 = (x6 << 7) | (x6 >> 25)
+
+			// quarterround(x, 2, 7, 8, 13)
+			x2 += x7
+			x13 ^= x2
+			x13 = (x13 << 16) | (x13 >> 16)
+			x8 += x13
+			x7 ^= x8
+			x7 = (x7 << 12) | (x7 >> 20)
+			x2 += x7
+			x13 ^= x2
+			x13 = (x13 << 8) | (x13 >> 24)
+			x8 += x13
+			x7 ^= x8
+			x7 = (x7 << 7) | (x7 >> 25)
+
+			// quarterround(x, 3, 4, 9, 14)
+			x3 += x4
+			x14 ^= x3
+			x14 = (x14 << 16) | (x14 >> 16)
+			x9 += x14
+			x4 ^= x9
+			x4 = (x4 << 12) | (x4 >> 20)
+			x3 += x4
+			x14 ^= x3
+			x14 = (x14 << 8) | (x14 >> 24)
+			x9 += x14
+			x4 ^= x9
+			x4 = (x4 << 7) | (x4 >> 25)
+		}
+
+		// On amd64 at least, this is a rather big boost.
+		if useUnsafe {
+			if in != nil {
+				inArr := (*[16]uint32)(unsafe.Pointer(&in[n*BlockSize]))
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = inArr[0] ^ (x0 + sigma0)
+				outArr[1] = inArr[1] ^ (x1 + sigma1)
+				outArr[2] = inArr[2] ^ (x2 + sigma2)
+				outArr[3] = inArr[3] ^ (x3 + sigma3)
+				outArr[4] = inArr[4] ^ (x4 + x[4])
+				outArr[5] = inArr[5] ^ (x5 + x[5])
+				outArr[6] = inArr[6] ^ (x6 + x[6])
+				outArr[7] = inArr[7] ^ (x7 + x[7])
+				outArr[8] = inArr[8] ^ (x8 + x[8])
+				outArr[9] = inArr[9] ^ (x9 + x[9])
+				outArr[10] = inArr[10] ^ (x10 + x[10])
+				outArr[11] = inArr[11] ^ (x11 + x[11])
+				outArr[12] = inArr[12] ^ (x12 + x[12])
+				outArr[13] = inArr[13] ^ (x13 + x[13])
+				outArr[14] = inArr[14] ^ (x14 + x[14])
+				outArr[15] = inArr[15] ^ (x15 + x[15])
+			} else {
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = x0 + sigma0
+				outArr[1] = x1 + sigma1
+				outArr[2] = x2 + sigma2
+				outArr[3] = x3 + sigma3
+				outArr[4] = x4 + x[4]
+				outArr[5] = x5 + x[5]
+				outArr[6] = x6 + x[6]
+				outArr[7] = x7 + x[7]
+				outArr[8] = x8 + x[8]
+				outArr[9] = x9 + x[9]
+				outArr[10] = x10 + x[10]
+				outArr[11] = x11 + x[11]
+				outArr[12] = x12 + x[12]
+				outArr[13] = x13 + x[13]
+				outArr[14] = x14 + x[14]
+				outArr[15] = x15 + x[15]
+			}
+		} else {
+			// Slow path, either the architecture cares about alignment, or is not little endian.
+			x0 += sigma0
+			x1 += sigma1
+			x2 += sigma2
+			x3 += sigma3
+			x4 += x[4]
+			x5 += x[5]
+			x6 += x[6]
+			x7 += x[7]
+			x8 += x[8]
+			x9 += x[9]
+			x10 += x[10]
+			x11 += x[11]
+			x12 += x[12]
+			x13 += x[13]
+			x14 += x[14]
+			x15 += x[15]
+			if in != nil {
+				binary.LittleEndian.PutUint32(out[0:4], binary.LittleEndian.Uint32(in[0:4])^x0)
+				binary.LittleEndian.PutUint32(out[4:8], binary.LittleEndian.Uint32(in[4:8])^x1)
+				binary.LittleEndian.PutUint32(out[8:12], binary.LittleEndian.Uint32(in[8:12])^x2)
+				binary.LittleEndian.PutUint32(out[12:16], binary.LittleEndian.Uint32(in[12:16])^x3)
+				binary.LittleEndian.PutUint32(out[16:20], binary.LittleEndian.Uint32(in[16:20])^x4)
+				binary.LittleEndian.PutUint32(out[20:24], binary.LittleEndian.Uint32(in[20:24])^x5)
+				binary.LittleEndian.PutUint32(out[24:28], binary.LittleEndian.Uint32(in[24:28])^x6)
+				binary.LittleEndian.PutUint32(out[28:32], binary.LittleEndian.Uint32(in[28:32])^x7)
+				binary.LittleEndian.PutUint32(out[32:36], binary.LittleEndian.Uint32(in[32:36])^x8)
+				binary.LittleEndian.PutUint32(out[36:40], binary.LittleEndian.Uint32(in[36:40])^x9)
+				binary.LittleEndian.PutUint32(out[40:44], binary.LittleEndian.Uint32(in[40:44])^x10)
+				binary.LittleEndian.PutUint32(out[44:48], binary.LittleEndian.Uint32(in[44:48])^x11)
+				binary.LittleEndian.PutUint32(out[48:52], binary.LittleEndian.Uint32(in[48:52])^x12)
+				binary.LittleEndian.PutUint32(out[52:56], binary.LittleEndian.Uint32(in[52:56])^x13)
+				binary.LittleEndian.PutUint32(out[56:60], binary.LittleEndian.Uint32(in[56:60])^x14)
+				binary.LittleEndian.PutUint32(out[60:64], binary.LittleEndian.Uint32(in[60:64])^x15)
+				in = in[BlockSize:]
+			} else {
+				binary.LittleEndian.PutUint32(out[0:4], x0)
+				binary.LittleEndian.PutUint32(out[4:8], x1)
+				binary.LittleEndian.PutUint32(out[8:12], x2)
+				binary.LittleEndian.PutUint32(out[12:16], x3)
+				binary.LittleEndian.PutUint32(out[16:20], x4)
+				binary.LittleEndian.PutUint32(out[20:24], x5)
+				binary.LittleEndian.PutUint32(out[24:28], x6)
+				binary.LittleEndian.PutUint32(out[28:32], x7)
+				binary.LittleEndian.PutUint32(out[32:36], x8)
+				binary.LittleEndian.PutUint32(out[36:40], x9)
+				binary.LittleEndian.PutUint32(out[40:44], x10)
+				binary.LittleEndian.PutUint32(out[44:48], x11)
+				binary.LittleEndian.PutUint32(out[48:52], x12)
+				binary.LittleEndian.PutUint32(out[52:56], x13)
+				binary.LittleEndian.PutUint32(out[56:60], x14)
+				binary.LittleEndian.PutUint32(out[60:64], x15)
+			}
+			out = out[BlockSize:]
+		}
+
+		// Stoping at 2^70 bytes per nonce is the user's responsibility.
+		ctr := uint64(x[13])<<32 | uint64(x[12])
+		ctr++
+		x[12] = uint32(ctr)
+		x[13] = uint32(ctr >> 32)
+	}
+}
+
+func hChaChaRef(x *[stateSize]uint32, out *[32]byte) {
+	x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+	x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11]
+
+	for i := chachaRounds; i > 0; i -= 2 {
+		// quarterround(x, 0, 4, 8, 12)
+		x0 += x4
+		x12 ^= x0
+		x12 = (x12 << 16) | (x12 >> 16)
+		x8 += x12
+		x4 ^= x8
+		x4 = (x4 << 12) | (x4 >> 20)
+		x0 += x4
+		x12 ^= x0
+		x12 = (x12 << 8) | (x12 >> 24)
+		x8 += x12
+		x4 ^= x8
+		x4 = (x4 << 7) | (x4 >> 25)
+
+		// quarterround(x, 1, 5, 9, 13)
+		x1 += x5
+		x13 ^= x1
+		x13 = (x13 << 16) | (x13 >> 16)
+		x9 += x13
+		x5 ^= x9
+		x5 = (x5 << 12) | (x5 >> 20)
+		x1 += x5
+		x13 ^= x1
+		x13 = (x13 << 8) | (x13 >> 24)
+		x9 += x13
+		x5 ^= x9
+		x5 = (x5 << 7) | (x5 >> 25)
+
+		// quarterround(x, 2, 6, 10, 14)
+		x2 += x6
+		x14 ^= x2
+		x14 = (x14 << 16) | (x14 >> 16)
+		x10 += x14
+		x6 ^= x10
+		x6 = (x6 << 12) | (x6 >> 20)
+		x2 += x6
+		x14 ^= x2
+		x14 = (x14 << 8) | (x14 >> 24)
+		x10 += x14
+		x6 ^= x10
+		x6 = (x6 << 7) | (x6 >> 25)
+
+		// quarterround(x, 3, 7, 11, 15)
+		x3 += x7
+		x15 ^= x3
+		x15 = (x15 << 16) | (x15 >> 16)
+		x11 += x15
+		x7 ^= x11
+		x7 = (x7 << 12) | (x7 >> 20)
+		x3 += x7
+		x15 ^= x3
+		x15 = (x15 << 8) | (x15 >> 24)
+		x11 += x15
+		x7 ^= x11
+		x7 = (x7 << 7) | (x7 >> 25)
+
+		// quarterround(x, 0, 5, 10, 15)
+		x0 += x5
+		x15 ^= x0
+		x15 = (x15 << 16) | (x15 >> 16)
+		x10 += x15
+		x5 ^= x10
+		x5 = (x5 << 12) | (x5 >> 20)
+		x0 += x5
+		x15 ^= x0
+		x15 = (x15 << 8) | (x15 >> 24)
+		x10 += x15
+		x5 ^= x10
+		x5 = (x5 << 7) | (x5 >> 25)
+
+		// quarterround(x, 1, 6, 11, 12)
+		x1 += x6
+		x12 ^= x1
+		x12 = (x12 << 16) | (x12 >> 16)
+		x11 += x12
+		x6 ^= x11
+		x6 = (x6 << 12) | (x6 >> 20)
+		x1 += x6
+		x12 ^= x1
+		x12 = (x12 << 8) | (x12 >> 24)
+		x11 += x12
+		x6 ^= x11
+		x6 = (x6 << 7) | (x6 >> 25)
+
+		// quarterround(x, 2, 7, 8, 13)
+		x2 += x7
+		x13 ^= x2
+		x13 = (x13 << 16) | (x13 >> 16)
+		x8 += x13
+		x7 ^= x8
+		x7 = (x7 << 12) | (x7 >> 20)
+		x2 += x7
+		x13 ^= x2
+		x13 = (x13 << 8) | (x13 >> 24)
+		x8 += x13
+		x7 ^= x8
+		x7 = (x7 << 7) | (x7 >> 25)
+
+		// quarterround(x, 3, 4, 9, 14)
+		x3 += x4
+		x14 ^= x3
+		x14 = (x14 << 16) | (x14 >> 16)
+		x9 += x14
+		x4 ^= x9
+		x4 = (x4 << 12) | (x4 >> 20)
+		x3 += x4
+		x14 ^= x3
+		x14 = (x14 << 8) | (x14 >> 24)
+		x9 += x14
+		x4 ^= x9
+		x4 = (x4 << 7) | (x4 >> 25)
+	}
+
+	// HChaCha returns x0...x3 | x12...x15, which corresponds to the
+	// indexes of the ChaCha constant and the indexes of the IV.
+	if useUnsafe {
+		outArr := (*[16]uint32)(unsafe.Pointer(&out[0]))
+		outArr[0] = x0
+		outArr[1] = x1
+		outArr[2] = x2
+		outArr[3] = x3
+		outArr[4] = x12
+		outArr[5] = x13
+		outArr[6] = x14
+		outArr[7] = x15
+	} else {
+		binary.LittleEndian.PutUint32(out[0:4], x0)
+		binary.LittleEndian.PutUint32(out[4:8], x1)
+		binary.LittleEndian.PutUint32(out[8:12], x2)
+		binary.LittleEndian.PutUint32(out[12:16], x3)
+		binary.LittleEndian.PutUint32(out[16:20], x12)
+		binary.LittleEndian.PutUint32(out[20:24], x13)
+		binary.LittleEndian.PutUint32(out[24:28], x14)
+		binary.LittleEndian.PutUint32(out[28:32], x15)
+	}
+	return
+}
--- a/vendor/github.com/Yawning/chacha20/chacha20_ref_go19.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20_ref_go19.go
@ -0,0 +1,395 @@
+// chacha20_ref.go - Reference ChaCha20.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+// +build go1.9
+
+package chacha20
+
+import (
+	"encoding/binary"
+	"math"
+	"math/bits"
+	"unsafe"
+)
+
+func blocksRef(x *[stateSize]uint32, in []byte, out []byte, nrBlocks int, isIetf bool) {
+	if isIetf {
+		var totalBlocks uint64
+		totalBlocks = uint64(x[12]) + uint64(nrBlocks)
+		if totalBlocks > math.MaxUint32 {
+			panic("chacha20: Exceeded keystream per nonce limit")
+		}
+	}
+
+	// This routine ignores x[0]...x[4] in favor the const values since it's
+	// ever so slightly faster.
+
+	for n := 0; n < nrBlocks; n++ {
+		x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+		x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11], x[12], x[13], x[14], x[15]
+
+		for i := chachaRounds; i > 0; i -= 2 {
+			// quarterround(x, 0, 4, 8, 12)
+			x0 += x4
+			x12 ^= x0
+			x12 = bits.RotateLeft32(x12, 16)
+			x8 += x12
+			x4 ^= x8
+			x4 = bits.RotateLeft32(x4, 12)
+			x0 += x4
+			x12 ^= x0
+			x12 = bits.RotateLeft32(x12, 8)
+			x8 += x12
+			x4 ^= x8
+			x4 = bits.RotateLeft32(x4, 7)
+
+			// quarterround(x, 1, 5, 9, 13)
+			x1 += x5
+			x13 ^= x1
+			x13 = bits.RotateLeft32(x13, 16)
+			x9 += x13
+			x5 ^= x9
+			x5 = bits.RotateLeft32(x5, 12)
+			x1 += x5
+			x13 ^= x1
+			x13 = bits.RotateLeft32(x13, 8)
+			x9 += x13
+			x5 ^= x9
+			x5 = bits.RotateLeft32(x5, 7)
+
+			// quarterround(x, 2, 6, 10, 14)
+			x2 += x6
+			x14 ^= x2
+			x14 = bits.RotateLeft32(x14, 16)
+			x10 += x14
+			x6 ^= x10
+			x6 = bits.RotateLeft32(x6, 12)
+			x2 += x6
+			x14 ^= x2
+			x14 = bits.RotateLeft32(x14, 8)
+			x10 += x14
+			x6 ^= x10
+			x6 = bits.RotateLeft32(x6, 7)
+
+			// quarterround(x, 3, 7, 11, 15)
+			x3 += x7
+			x15 ^= x3
+			x15 = bits.RotateLeft32(x15, 16)
+			x11 += x15
+			x7 ^= x11
+			x7 = bits.RotateLeft32(x7, 12)
+			x3 += x7
+			x15 ^= x3
+			x15 = bits.RotateLeft32(x15, 8)
+			x11 += x15
+			x7 ^= x11
+			x7 = bits.RotateLeft32(x7, 7)
+
+			// quarterround(x, 0, 5, 10, 15)
+			x0 += x5
+			x15 ^= x0
+			x15 = bits.RotateLeft32(x15, 16)
+			x10 += x15
+			x5 ^= x10
+			x5 = bits.RotateLeft32(x5, 12)
+			x0 += x5
+			x15 ^= x0
+			x15 = bits.RotateLeft32(x15, 8)
+			x10 += x15
+			x5 ^= x10
+			x5 = bits.RotateLeft32(x5, 7)
+
+			// quarterround(x, 1, 6, 11, 12)
+			x1 += x6
+			x12 ^= x1
+			x12 = bits.RotateLeft32(x12, 16)
+			x11 += x12
+			x6 ^= x11
+			x6 = bits.RotateLeft32(x6, 12)
+			x1 += x6
+			x12 ^= x1
+			x12 = bits.RotateLeft32(x12, 8)
+			x11 += x12
+			x6 ^= x11
+			x6 = bits.RotateLeft32(x6, 7)
+
+			// quarterround(x, 2, 7, 8, 13)
+			x2 += x7
+			x13 ^= x2
+			x13 = bits.RotateLeft32(x13, 16)
+			x8 += x13
+			x7 ^= x8
+			x7 = bits.RotateLeft32(x7, 12)
+			x2 += x7
+			x13 ^= x2
+			x13 = bits.RotateLeft32(x13, 8)
+			x8 += x13
+			x7 ^= x8
+			x7 = bits.RotateLeft32(x7, 7)
+
+			// quarterround(x, 3, 4, 9, 14)
+			x3 += x4
+			x14 ^= x3
+			x14 = bits.RotateLeft32(x14, 16)
+			x9 += x14
+			x4 ^= x9
+			x4 = bits.RotateLeft32(x4, 12)
+			x3 += x4
+			x14 ^= x3
+			x14 = bits.RotateLeft32(x14, 8)
+			x9 += x14
+			x4 ^= x9
+			x4 = bits.RotateLeft32(x4, 7)
+		}
+
+		// On amd64 at least, this is a rather big boost.
+		if useUnsafe {
+			if in != nil {
+				inArr := (*[16]uint32)(unsafe.Pointer(&in[n*BlockSize]))
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = inArr[0] ^ (x0 + sigma0)
+				outArr[1] = inArr[1] ^ (x1 + sigma1)
+				outArr[2] = inArr[2] ^ (x2 + sigma2)
+				outArr[3] = inArr[3] ^ (x3 + sigma3)
+				outArr[4] = inArr[4] ^ (x4 + x[4])
+				outArr[5] = inArr[5] ^ (x5 + x[5])
+				outArr[6] = inArr[6] ^ (x6 + x[6])
+				outArr[7] = inArr[7] ^ (x7 + x[7])
+				outArr[8] = inArr[8] ^ (x8 + x[8])
+				outArr[9] = inArr[9] ^ (x9 + x[9])
+				outArr[10] = inArr[10] ^ (x10 + x[10])
+				outArr[11] = inArr[11] ^ (x11 + x[11])
+				outArr[12] = inArr[12] ^ (x12 + x[12])
+				outArr[13] = inArr[13] ^ (x13 + x[13])
+				outArr[14] = inArr[14] ^ (x14 + x[14])
+				outArr[15] = inArr[15] ^ (x15 + x[15])
+			} else {
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = x0 + sigma0
+				outArr[1] = x1 + sigma1
+				outArr[2] = x2 + sigma2
+				outArr[3] = x3 + sigma3
+				outArr[4] = x4 + x[4]
+				outArr[5] = x5 + x[5]
+				outArr[6] = x6 + x[6]
+				outArr[7] = x7 + x[7]
+				outArr[8] = x8 + x[8]
+				outArr[9] = x9 + x[9]
+				outArr[10] = x10 + x[10]
+				outArr[11] = x11 + x[11]
+				outArr[12] = x12 + x[12]
+				outArr[13] = x13 + x[13]
+				outArr[14] = x14 + x[14]
+				outArr[15] = x15 + x[15]
+			}
+		} else {
+			// Slow path, either the architecture cares about alignment, or is not little endian.
+			x0 += sigma0
+			x1 += sigma1
+			x2 += sigma2
+			x3 += sigma3
+			x4 += x[4]
+			x5 += x[5]
+			x6 += x[6]
+			x7 += x[7]
+			x8 += x[8]
+			x9 += x[9]
+			x10 += x[10]
+			x11 += x[11]
+			x12 += x[12]
+			x13 += x[13]
+			x14 += x[14]
+			x15 += x[15]
+			if in != nil {
+				binary.LittleEndian.PutUint32(out[0:4], binary.LittleEndian.Uint32(in[0:4])^x0)
+				binary.LittleEndian.PutUint32(out[4:8], binary.LittleEndian.Uint32(in[4:8])^x1)
+				binary.LittleEndian.PutUint32(out[8:12], binary.LittleEndian.Uint32(in[8:12])^x2)
+				binary.LittleEndian.PutUint32(out[12:16], binary.LittleEndian.Uint32(in[12:16])^x3)
+				binary.LittleEndian.PutUint32(out[16:20], binary.LittleEndian.Uint32(in[16:20])^x4)
+				binary.LittleEndian.PutUint32(out[20:24], binary.LittleEndian.Uint32(in[20:24])^x5)
+				binary.LittleEndian.PutUint32(out[24:28], binary.LittleEndian.Uint32(in[24:28])^x6)
+				binary.LittleEndian.PutUint32(out[28:32], binary.LittleEndian.Uint32(in[28:32])^x7)
+				binary.LittleEndian.PutUint32(out[32:36], binary.LittleEndian.Uint32(in[32:36])^x8)
+				binary.LittleEndian.PutUint32(out[36:40], binary.LittleEndian.Uint32(in[36:40])^x9)
+				binary.LittleEndian.PutUint32(out[40:44], binary.LittleEndian.Uint32(in[40:44])^x10)
+				binary.LittleEndian.PutUint32(out[44:48], binary.LittleEndian.Uint32(in[44:48])^x11)
+				binary.LittleEndian.PutUint32(out[48:52], binary.LittleEndian.Uint32(in[48:52])^x12)
+				binary.LittleEndian.PutUint32(out[52:56], binary.LittleEndian.Uint32(in[52:56])^x13)
+				binary.LittleEndian.PutUint32(out[56:60], binary.LittleEndian.Uint32(in[56:60])^x14)
+				binary.LittleEndian.PutUint32(out[60:64], binary.LittleEndian.Uint32(in[60:64])^x15)
+				in = in[BlockSize:]
+			} else {
+				binary.LittleEndian.PutUint32(out[0:4], x0)
+				binary.LittleEndian.PutUint32(out[4:8], x1)
+				binary.LittleEndian.PutUint32(out[8:12], x2)
+				binary.LittleEndian.PutUint32(out[12:16], x3)
+				binary.LittleEndian.PutUint32(out[16:20], x4)
+				binary.LittleEndian.PutUint32(out[20:24], x5)
+				binary.LittleEndian.PutUint32(out[24:28], x6)
+				binary.LittleEndian.PutUint32(out[28:32], x7)
+				binary.LittleEndian.PutUint32(out[32:36], x8)
+				binary.LittleEndian.PutUint32(out[36:40], x9)
+				binary.LittleEndian.PutUint32(out[40:44], x10)
+				binary.LittleEndian.PutUint32(out[44:48], x11)
+				binary.LittleEndian.PutUint32(out[48:52], x12)
+				binary.LittleEndian.PutUint32(out[52:56], x13)
+				binary.LittleEndian.PutUint32(out[56:60], x14)
+				binary.LittleEndian.PutUint32(out[60:64], x15)
+			}
+			out = out[BlockSize:]
+		}
+
+		// Stoping at 2^70 bytes per nonce is the user's responsibility.
+		ctr := uint64(x[13])<<32 | uint64(x[12])
+		ctr++
+		x[12] = uint32(ctr)
+		x[13] = uint32(ctr >> 32)
+	}
+}
+
+func hChaChaRef(x *[stateSize]uint32, out *[32]byte) {
+	x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+	x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11]
+
+	for i := chachaRounds; i > 0; i -= 2 {
+		// quarterround(x, 0, 4, 8, 12)
+		x0 += x4
+		x12 ^= x0
+		x12 = bits.RotateLeft32(x12, 16)
+		x8 += x12
+		x4 ^= x8
+		x4 = bits.RotateLeft32(x4, 12)
+		x0 += x4
+		x12 ^= x0
+		x12 = bits.RotateLeft32(x12, 8)
+		x8 += x12
+		x4 ^= x8
+		x4 = bits.RotateLeft32(x4, 7)
+
+		// quarterround(x, 1, 5, 9, 13)
+		x1 += x5
+		x13 ^= x1
+		x13 = bits.RotateLeft32(x13, 16)
+		x9 += x13
+		x5 ^= x9
+		x5 = bits.RotateLeft32(x5, 12)
+		x1 += x5
+		x13 ^= x1
+		x13 = bits.RotateLeft32(x13, 8)
+		x9 += x13
+		x5 ^= x9
+		x5 = bits.RotateLeft32(x5, 7)
+
+		// quarterround(x, 2, 6, 10, 14)
+		x2 += x6
+		x14 ^= x2
+		x14 = bits.RotateLeft32(x14, 16)
+		x10 += x14
+		x6 ^= x10
+		x6 = bits.RotateLeft32(x6, 12)
+		x2 += x6
+		x14 ^= x2
+		x14 = bits.RotateLeft32(x14, 8)
+		x10 += x14
+		x6 ^= x10
+		x6 = bits.RotateLeft32(x6, 7)
+
+		// quarterround(x, 3, 7, 11, 15)
+		x3 += x7
+		x15 ^= x3
+		x15 = bits.RotateLeft32(x15, 16)
+		x11 += x15
+		x7 ^= x11
+		x7 = bits.RotateLeft32(x7, 12)
+		x3 += x7
+		x15 ^= x3
+		x15 = bits.RotateLeft32(x15, 8)
+		x11 += x15
+		x7 ^= x11
+		x7 = bits.RotateLeft32(x7, 7)
+
+		// quarterround(x, 0, 5, 10, 15)
+		x0 += x5
+		x15 ^= x0
+		x15 = bits.RotateLeft32(x15, 16)
+		x10 += x15
+		x5 ^= x10
+		x5 = bits.RotateLeft32(x5, 12)
+		x0 += x5
+		x15 ^= x0
+		x15 = bits.RotateLeft32(x15, 8)
+		x10 += x15
+		x5 ^= x10
+		x5 = bits.RotateLeft32(x5, 7)
+
+		// quarterround(x, 1, 6, 11, 12)
+		x1 += x6
+		x12 ^= x1
+		x12 = bits.RotateLeft32(x12, 16)
+		x11 += x12
+		x6 ^= x11
+		x6 = bits.RotateLeft32(x6, 12)
+		x1 += x6
+		x12 ^= x1
+		x12 = bits.RotateLeft32(x12, 8)
+		x11 += x12
+		x6 ^= x11
+		x6 = bits.RotateLeft32(x6, 7)
+
+		// quarterround(x, 2, 7, 8, 13)
+		x2 += x7
+		x13 ^= x2
+		x13 = bits.RotateLeft32(x13, 16)
+		x8 += x13
+		x7 ^= x8
+		x7 = bits.RotateLeft32(x7, 12)
+		x2 += x7
+		x13 ^= x2
+		x13 = bits.RotateLeft32(x13, 8)
+		x8 += x13
+		x7 ^= x8
+		x7 = bits.RotateLeft32(x7, 7)
+
+		// quarterround(x, 3, 4, 9, 14)
+		x3 += x4
+		x14 ^= x3
+		x14 = bits.RotateLeft32(x14, 16)
+		x9 += x14
+		x4 ^= x9
+		x4 = bits.RotateLeft32(x4, 12)
+		x3 += x4
+		x14 ^= x3
+		x14 = bits.RotateLeft32(x14, 8)
+		x9 += x14
+		x4 ^= x9
+		x4 = bits.RotateLeft32(x4, 7)
+	}
+
+	// HChaCha returns x0...x3 | x12...x15, which corresponds to the
+	// indexes of the ChaCha constant and the indexes of the IV.
+	if useUnsafe {
+		outArr := (*[16]uint32)(unsafe.Pointer(&out[0]))
+		outArr[0] = x0
+		outArr[1] = x1
+		outArr[2] = x2
+		outArr[3] = x3
+		outArr[4] = x12
+		outArr[5] = x13
+		outArr[6] = x14
+		outArr[7] = x15
+	} else {
+		binary.LittleEndian.PutUint32(out[0:4], x0)
+		binary.LittleEndian.PutUint32(out[4:8], x1)
+		binary.LittleEndian.PutUint32(out[8:12], x2)
+		binary.LittleEndian.PutUint32(out[12:16], x3)
+		binary.LittleEndian.PutUint32(out[16:20], x12)
+		binary.LittleEndian.PutUint32(out[20:24], x13)
+		binary.LittleEndian.PutUint32(out[24:28], x14)
+		binary.LittleEndian.PutUint32(out[28:32], x15)
+	}
+	return
+}
--- a/vendor/github.com/golang/snappy/.gitignore
+++ b/vendor/github.com/golang/snappy/.gitignore
@ -0,0 +1,16 @@
+cmd/snappytool/snappytool
+testdata/bench
+
+# These explicitly listed benchmark data files are for an obsolete version of
+# snappy_test.go.
+testdata/alice29.txt
+testdata/asyoulik.txt
+testdata/fireworks.jpeg
+testdata/geo.protodata
+testdata/html
+testdata/html_x_4
+testdata/kppkn.gtb
+testdata/lcet10.txt
+testdata/paper-100k.pdf
+testdata/plrabn12.txt
+testdata/urls.10K
--- a/vendor/github.com/miekg/dns/.gitignore
+++ b/vendor/github.com/miekg/dns/.gitignore
@ -0,0 +1,4 @@
+*.6
+tags
+test.out
+a.out
--- a/vendor/github.com/miekg/dns/AUTHORS
+++ b/vendor/github.com/miekg/dns/AUTHORS
@ -0,0 +1 @@
+Miek Gieben <miek@miek.nl>
--- a/vendor/github.com/miekg/dns/CONTRIBUTORS
+++ b/vendor/github.com/miekg/dns/CONTRIBUTORS
@ -0,0 +1,10 @@
+Alex A. Skinner
+Andrew Tunnell-Jones
+Ask Bjørn Hansen
+Dave Cheney
+Dusty Wilson
+Marek Majkowski
+Peter van Dijk
+Omri Bahumi
+Alex Sergeyev
+James Hartig
--- a/vendor/github.com/miekg/dns/COPYRIGHT
+++ b/vendor/github.com/miekg/dns/COPYRIGHT
@ -0,0 +1,9 @@
+Copyright 2009 The Go Authors. All rights reserved. Use of this source code
+is governed by a BSD-style license that can be found in the LICENSE file.
+Extensions of the original work are copyright (c) 2011 Miek Gieben
+
+Copyright 2011 Miek Gieben. All rights reserved. Use of this source code is
+governed by a BSD-style license that can be found in the LICENSE file.
+
+Copyright 2014 CloudFlare. All rights reserved. Use of this source code is
+governed by a BSD-style license that can be found in the LICENSE file.
--- a/vendor/github.com/miekg/dns/Gopkg.lock
+++ b/vendor/github.com/miekg/dns/Gopkg.lock
@ -0,0 +1,21 @@
+# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
+
+
+[[projects]]
+  branch = "master"
+  name = "golang.org/x/crypto"
+  packages = ["ed25519","ed25519/internal/edwards25519"]
+  revision = "b080dc9a8c480b08e698fb1219160d598526310f"
+
+[[projects]]
+  branch = "master"
+  name = "golang.org/x/net"
+  packages = ["bpf","internal/iana","internal/socket","ipv4","ipv6"]
+  revision = "894f8ed5849b15b810ae41e9590a0d05395bba27"
+
+[solve-meta]
+  analyzer-name = "dep"
+  analyzer-version = 1
+  inputs-digest = "c4abc38abaeeeeb9be92455c9c02cae32841122b8982aaa067ef25bb8e86ff9d"
+  solver-name = "gps-cdcl"
+  solver-version = 1
--- a/vendor/github.com/miekg/dns/Gopkg.toml
+++ b/vendor/github.com/miekg/dns/Gopkg.toml
@ -0,0 +1,26 @@
+
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+
+[[constraint]]
+  branch = "master"
+  name = "golang.org/x/crypto"
--- a/vendor/github.com/miekg/dns/LICENSE
+++ b/vendor/github.com/miekg/dns/LICENSE
@ -0,0 +1,32 @@
+Extensions of the original work are copyright (c) 2011 Miek Gieben
+
+As this is fork of the official Go code the same license applies:
+
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
--- a/vendor/github.com/miekg/dns/Makefile.fuzz
+++ b/vendor/github.com/miekg/dns/Makefile.fuzz
@ -0,0 +1,33 @@
+# Makefile for fuzzing
+#
+# Use go-fuzz and needs the tools installed.
+# See https://blog.cloudflare.com/dns-parser-meet-go-fuzzer/
+#
+# Installing go-fuzz:
+# $ make -f Makefile.fuzz get
+# Installs:
+# * github.com/dvyukov/go-fuzz/go-fuzz
+# * get github.com/dvyukov/go-fuzz/go-fuzz-build
+
+all: build
+
+.PHONY: build
+build:
+	go-fuzz-build -tags fuzz github.com/miekg/dns
+
+.PHONY: build-newrr
+build-newrr:
+	go-fuzz-build -func FuzzNewRR -tags fuzz github.com/miekg/dns
+
+.PHONY: fuzz
+fuzz:
+	go-fuzz -bin=dns-fuzz.zip -workdir=fuzz
+
+.PHONY: get
+get:
+	go get github.com/dvyukov/go-fuzz/go-fuzz
+	go get github.com/dvyukov/go-fuzz/go-fuzz-build
+
+.PHONY: clean
+clean:
+	rm *-fuzz.zip
--- a/vendor/github.com/miekg/dns/Makefile.release
+++ b/vendor/github.com/miekg/dns/Makefile.release
@ -0,0 +1,52 @@
+# Makefile for releasing.
+#
+# The release is controlled from version.go. The version found there is
+# used to tag the git repo, we're not building any artifects so there is nothing
+# to upload to github.
+#
+# * Up the version in version.go
+# * Run: make -f Makefile.release release
+#   * will *commit* your change with 'Release $VERSION'
+#   * push to github
+#
+
+define GO
+//+build ignore
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/miekg/dns"
+)
+
+func main() {
+	fmt.Println(dns.Version.String())
+}
+endef
+
+$(file > version_release.go,$(GO))
+VERSION:=$(shell go run version_release.go)
+TAG="v$(VERSION)"
+
+all:
+	@echo Use the \'release\' target to start a release $(VERSION)
+	rm -f version_release.go
+
+.PHONY: release
+release: commit push
+	@echo Released $(VERSION)
+	rm -f version_release.go
+
+.PHONY: commit
+commit:
+	@echo Committing release $(VERSION)
+	git commit -am"Release $(VERSION)"
+	git tag $(TAG)
+
+.PHONY: push
+push:
+	@echo Pushing release $(VERSION) to master
+	git push --tags
+	git push
--- a/vendor/github.com/miekg/dns/README.md
+++ b/vendor/github.com/miekg/dns/README.md
@ -0,0 +1,168 @@
+[![Build Status](https://travis-ci.org/miekg/dns.svg?branch=master)](https://travis-ci.org/miekg/dns)
+[![Code Coverage](https://img.shields.io/codecov/c/github/miekg/dns/master.svg)](https://codecov.io/github/miekg/dns?branch=master)
+[![Go Report Card](https://goreportcard.com/badge/github.com/miekg/dns)](https://goreportcard.com/report/miekg/dns)
+[![](https://godoc.org/github.com/miekg/dns?status.svg)](https://godoc.org/github.com/miekg/dns)
+
+# Alternative (more granular) approach to a DNS library
+
+> Less is more.
+
+Complete and usable DNS library. All widely used Resource Records are supported, including the
+DNSSEC types. It follows a lean and mean philosophy. If there is stuff you should know as a DNS
+programmer there isn't a convenience function for it. Server side and client side programming is
+supported, i.e. you can build servers and resolvers with it.
+
+We try to keep the "master" branch as sane as possible and at the bleeding edge of standards,
+avoiding breaking changes wherever reasonable. We support the last two versions of Go.
+
+# Goals
+
+* KISS;
+* Fast;
+* Small API. If it's easy to code in Go, don't make a function for it.
+
+# Users
+
+A not-so-up-to-date-list-that-may-be-actually-current:
+
+* https://github.com/coredns/coredns
+* https://cloudflare.com
+* https://github.com/abh/geodns
+* http://www.statdns.com/
+* http://www.dnsinspect.com/
+* https://github.com/chuangbo/jianbing-dictionary-dns
+* http://www.dns-lg.com/
+* https://github.com/fcambus/rrda
+* https://github.com/kenshinx/godns
+* https://github.com/skynetservices/skydns
+* https://github.com/hashicorp/consul
+* https://github.com/DevelopersPL/godnsagent
+* https://github.com/duedil-ltd/discodns
+* https://github.com/StalkR/dns-reverse-proxy
+* https://github.com/tianon/rawdns
+* https://mesosphere.github.io/mesos-dns/
+* https://pulse.turbobytes.com/
+* https://play.google.com/store/apps/details?id=com.turbobytes.dig
+* https://github.com/fcambus/statzone
+* https://github.com/benschw/dns-clb-go
+* https://github.com/corny/dnscheck for http://public-dns.info/
+* https://namesmith.io
+* https://github.com/miekg/unbound
+* https://github.com/miekg/exdns
+* https://dnslookup.org
+* https://github.com/looterz/grimd
+* https://github.com/phamhongviet/serf-dns
+* https://github.com/mehrdadrad/mylg
+* https://github.com/bamarni/dockness
+* https://github.com/fffaraz/microdns
+* http://kelda.io
+* https://github.com/ipdcode/hades (JD.COM)
+* https://github.com/StackExchange/dnscontrol/
+* https://www.dnsperf.com/
+* https://dnssectest.net/
+* https://dns.apebits.com
+* https://github.com/oif/apex
+* https://github.com/jedisct1/dnscrypt-proxy
+* https://github.com/jedisct1/rpdns
+
+Send pull request if you want to be listed here.
+
+# Features
+
+* UDP/TCP queries, IPv4 and IPv6;
+* RFC 1035 zone file parsing ($INCLUDE, $ORIGIN, $TTL and $GENERATE (for all record types) are supported;
+* Fast:
+    * Reply speed around ~ 80K qps (faster hardware results in more qps);
+    * Parsing RRs ~ 100K RR/s, that's 5M records in about 50 seconds;
+* Server side programming (mimicking the net/http package);
+* Client side programming;
+* DNSSEC: signing, validating and key generation for DSA, RSA, ECDSA and Ed25519;
+* EDNS0, NSID, Cookies;
+* AXFR/IXFR;
+* TSIG, SIG(0);
+* DNS over TLS: optional encrypted connection between client and server;
+* DNS name compression;
+* Depends only on the standard library.
+
+Have fun!
+
+Miek Gieben  -  2010-2012  -  <miek@miek.nl>
+
+# Building
+
+Building is done with the `go` tool. If you have setup your GOPATH correctly, the following should
+work:
+
+    go get github.com/miekg/dns
+    go build github.com/miekg/dns
+
+## Examples
+
+A short "how to use the API" is at the beginning of doc.go (this also will show
+when you call `godoc github.com/miekg/dns`).
+
+Example programs can be found in the `github.com/miekg/exdns` repository.
+
+## Supported RFCs
+
+*all of them*
+
+* 103{4,5} - DNS standard
+* 1348 - NSAP record (removed the record)
+* 1982 - Serial Arithmetic
+* 1876 - LOC record
+* 1995 - IXFR
+* 1996 - DNS notify
+* 2136 - DNS Update (dynamic updates)
+* 2181 - RRset definition - there is no RRset type though, just []RR
+* 2537 - RSAMD5 DNS keys
+* 2065 - DNSSEC (updated in later RFCs)
+* 2671 - EDNS record
+* 2782 - SRV record
+* 2845 - TSIG record
+* 2915 - NAPTR record
+* 2929 - DNS IANA Considerations
+* 3110 - RSASHA1 DNS keys
+* 3225 - DO bit (DNSSEC OK)
+* 340{1,2,3} - NAPTR record
+* 3445 - Limiting the scope of (DNS)KEY
+* 3597 - Unknown RRs
+* 403{3,4,5} - DNSSEC + validation functions
+* 4255 - SSHFP record
+* 4343 - Case insensitivity
+* 4408 - SPF record
+* 4509 - SHA256 Hash in DS
+* 4592 - Wildcards in the DNS
+* 4635 - HMAC SHA TSIG
+* 4701 - DHCID
+* 4892 - id.server
+* 5001 - NSID
+* 5155 - NSEC3 record
+* 5205 - HIP record
+* 5702 - SHA2 in the DNS
+* 5936 - AXFR
+* 5966 - TCP implementation recommendations
+* 6605 - ECDSA
+* 6725 - IANA Registry Update
+* 6742 - ILNP DNS
+* 6840 - Clarifications and Implementation Notes for DNS Security
+* 6844 - CAA record
+* 6891 - EDNS0 update
+* 6895 - DNS IANA considerations
+* 6975 - Algorithm Understanding in DNSSEC
+* 7043 - EUI48/EUI64 records
+* 7314 - DNS (EDNS) EXPIRE Option
+* 7477 - CSYNC RR
+* 7828 - edns-tcp-keepalive EDNS0 Option
+* 7553 - URI record
+* 7858 - DNS over TLS: Initiation and Performance Considerations
+* 7871 - EDNS0 Client Subnet
+* 7873 - Domain Name System (DNS) Cookies (draft-ietf-dnsop-cookies)
+* 8080 - EdDSA for DNSSEC
+
+## Loosely based upon
+
+* `ldns`
+* `NSD`
+* `Net::DNS`
+* `GRONG`
--- a/vendor/github.com/miekg/dns/client.go
+++ b/vendor/github.com/miekg/dns/client.go
@ -0,0 +1,506 @@
+package dns
+
+// A client implementation.
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/binary"
+	"io"
+	"net"
+	"strings"
+	"time"
+)
+
+const dnsTimeout time.Duration = 2 * time.Second
+const tcpIdleTimeout time.Duration = 8 * time.Second
+
+// A Conn represents a connection to a DNS server.
+type Conn struct {
+	net.Conn                         // a net.Conn holding the connection
+	UDPSize        uint16            // minimum receive buffer for UDP messages
+	TsigSecret     map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
+	rtt            time.Duration
+	t              time.Time
+	tsigRequestMAC string
+}
+
+// A Client defines parameters for a DNS client.
+type Client struct {
+	Net       string      // if "tcp" or "tcp-tls" (DNS over TLS) a TCP query will be initiated, otherwise an UDP one (default is "" for UDP)
+	UDPSize   uint16      // minimum receive buffer for UDP messages
+	TLSConfig *tls.Config // TLS connection configuration
+	Dialer    *net.Dialer // a net.Dialer used to set local address, timeouts and more
+	// Timeout is a cumulative timeout for dial, write and read, defaults to 0 (disabled) - overrides DialTimeout, ReadTimeout,
+	// WriteTimeout when non-zero. Can be overridden with net.Dialer.Timeout (see Client.ExchangeWithDialer and
+	// Client.Dialer) or context.Context.Deadline (see the deprecated ExchangeContext)
+	Timeout        time.Duration
+	DialTimeout    time.Duration     // net.DialTimeout, defaults to 2 seconds, or net.Dialer.Timeout if expiring earlier - overridden by Timeout when that value is non-zero
+	ReadTimeout    time.Duration     // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero
+	WriteTimeout   time.Duration     // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero
+	TsigSecret     map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
+	SingleInflight bool              // if true suppress multiple outstanding queries for the same Qname, Qtype and Qclass
+	group          singleflight
+}
+
+// Exchange performs a synchronous UDP query. It sends the message m to the address
+// contained in a and waits for a reply. Exchange does not retry a failed query, nor
+// will it fall back to TCP in case of truncation.
+// See client.Exchange for more information on setting larger buffer sizes.
+func Exchange(m *Msg, a string) (r *Msg, err error) {
+	client := Client{Net: "udp"}
+	r, _, err = client.Exchange(m, a)
+	return r, err
+}
+
+func (c *Client) dialTimeout() time.Duration {
+	if c.Timeout != 0 {
+		return c.Timeout
+	}
+	if c.DialTimeout != 0 {
+		return c.DialTimeout
+	}
+	return dnsTimeout
+}
+
+func (c *Client) readTimeout() time.Duration {
+	if c.ReadTimeout != 0 {
+		return c.ReadTimeout
+	}
+	return dnsTimeout
+}
+
+func (c *Client) writeTimeout() time.Duration {
+	if c.WriteTimeout != 0 {
+		return c.WriteTimeout
+	}
+	return dnsTimeout
+}
+
+// Dial connects to the address on the named network.
+func (c *Client) Dial(address string) (conn *Conn, err error) {
+	// create a new dialer with the appropriate timeout
+	var d net.Dialer
+	if c.Dialer == nil {
+		d = net.Dialer{}
+	} else {
+		d = net.Dialer(*c.Dialer)
+	}
+	d.Timeout = c.getTimeoutForRequest(c.writeTimeout())
+
+	network := "udp"
+	useTLS := false
+
+	switch c.Net {
+	case "tcp-tls":
+		network = "tcp"
+		useTLS = true
+	case "tcp4-tls":
+		network = "tcp4"
+		useTLS = true
+	case "tcp6-tls":
+		network = "tcp6"
+		useTLS = true
+	default:
+		if c.Net != "" {
+			network = c.Net
+		}
+	}
+
+	conn = new(Conn)
+	if useTLS {
+		conn.Conn, err = tls.DialWithDialer(&d, network, address, c.TLSConfig)
+	} else {
+		conn.Conn, err = d.Dial(network, address)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// Exchange performs a synchronous query. It sends the message m to the address
+// contained in a and waits for a reply. Basic use pattern with a *dns.Client:
+//
+//	c := new(dns.Client)
+//	in, rtt, err := c.Exchange(message, "127.0.0.1:53")
+//
+// Exchange does not retry a failed query, nor will it fall back to TCP in
+// case of truncation.
+// It is up to the caller to create a message that allows for larger responses to be
+// returned. Specifically this means adding an EDNS0 OPT RR that will advertise a larger
+// buffer, see SetEdns0. Messages without an OPT RR will fallback to the historic limit
+// of 512 bytes
+// To specify a local address or a timeout, the caller has to set the `Client.Dialer`
+// attribute appropriately
+func (c *Client) Exchange(m *Msg, address string) (r *Msg, rtt time.Duration, err error) {
+	if !c.SingleInflight {
+		return c.exchange(m, address)
+	}
+
+	t := "nop"
+	if t1, ok := TypeToString[m.Question[0].Qtype]; ok {
+		t = t1
+	}
+	cl := "nop"
+	if cl1, ok := ClassToString[m.Question[0].Qclass]; ok {
+		cl = cl1
+	}
+	r, rtt, err, shared := c.group.Do(m.Question[0].Name+t+cl, func() (*Msg, time.Duration, error) {
+		return c.exchange(m, address)
+	})
+	if r != nil && shared {
+		r = r.Copy()
+	}
+	return r, rtt, err
+}
+
+func (c *Client) exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
+	var co *Conn
+
+	co, err = c.Dial(a)
+
+	if err != nil {
+		return nil, 0, err
+	}
+	defer co.Close()
+
+	opt := m.IsEdns0()
+	// If EDNS0 is used use that for size.
+	if opt != nil && opt.UDPSize() >= MinMsgSize {
+		co.UDPSize = opt.UDPSize()
+	}
+	// Otherwise use the client's configured UDP size.
+	if opt == nil && c.UDPSize >= MinMsgSize {
+		co.UDPSize = c.UDPSize
+	}
+
+	co.TsigSecret = c.TsigSecret
+	// write with the appropriate write timeout
+	co.SetWriteDeadline(time.Now().Add(c.getTimeoutForRequest(c.writeTimeout())))
+	if err = co.WriteMsg(m); err != nil {
+		return nil, 0, err
+	}
+
+	co.SetReadDeadline(time.Now().Add(c.getTimeoutForRequest(c.readTimeout())))
+	r, err = co.ReadMsg()
+	if err == nil && r.Id != m.Id {
+		err = ErrId
+	}
+	return r, co.rtt, err
+}
+
+// ReadMsg reads a message from the connection co.
+// If the received message contains a TSIG record the transaction signature
+// is verified. This method always tries to return the message, however if an
+// error is returned there are no guarantees that the returned message is a
+// valid representation of the packet read.
+func (co *Conn) ReadMsg() (*Msg, error) {
+	p, err := co.ReadMsgHeader(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	m := new(Msg)
+	if err := m.Unpack(p); err != nil {
+		// If an error was returned, we still want to allow the user to use
+		// the message, but naively they can just check err if they don't want
+		// to use an erroneous message
+		return m, err
+	}
+	if t := m.IsTsig(); t != nil {
+		if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
+			return m, ErrSecret
+		}
+		// Need to work on the original message p, as that was used to calculate the tsig.
+		err = TsigVerify(p, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
+	}
+	return m, err
+}
+
+// ReadMsgHeader reads a DNS message, parses and populates hdr (when hdr is not nil).
+// Returns message as a byte slice to be parsed with Msg.Unpack later on.
+// Note that error handling on the message body is not possible as only the header is parsed.
+func (co *Conn) ReadMsgHeader(hdr *Header) ([]byte, error) {
+	var (
+		p   []byte
+		n   int
+		err error
+	)
+
+	switch t := co.Conn.(type) {
+	case *net.TCPConn, *tls.Conn:
+		r := t.(io.Reader)
+
+		// First two bytes specify the length of the entire message.
+		l, err := tcpMsgLen(r)
+		if err != nil {
+			return nil, err
+		}
+		p = make([]byte, l)
+		n, err = tcpRead(r, p)
+		co.rtt = time.Since(co.t)
+	default:
+		if co.UDPSize > MinMsgSize {
+			p = make([]byte, co.UDPSize)
+		} else {
+			p = make([]byte, MinMsgSize)
+		}
+		n, err = co.Read(p)
+		co.rtt = time.Since(co.t)
+	}
+
+	if err != nil {
+		return nil, err
+	} else if n < headerSize {
+		return nil, ErrShortRead
+	}
+
+	p = p[:n]
+	if hdr != nil {
+		dh, _, err := unpackMsgHdr(p, 0)
+		if err != nil {
+			return nil, err
+		}
+		*hdr = dh
+	}
+	return p, err
+}
+
+// tcpMsgLen is a helper func to read first two bytes of stream as uint16 packet length.
+func tcpMsgLen(t io.Reader) (int, error) {
+	p := []byte{0, 0}
+	n, err := t.Read(p)
+	if err != nil {
+		return 0, err
+	}
+
+	// As seen with my local router/switch, returns 1 byte on the above read,
+	// resulting a a ShortRead. Just write it out (instead of loop) and read the
+	// other byte.
+	if n == 1 {
+		n1, err := t.Read(p[1:])
+		if err != nil {
+			return 0, err
+		}
+		n += n1
+	}
+
+	if n != 2 {
+		return 0, ErrShortRead
+	}
+	l := binary.BigEndian.Uint16(p)
+	if l == 0 {
+		return 0, ErrShortRead
+	}
+	return int(l), nil
+}
+
+// tcpRead calls TCPConn.Read enough times to fill allocated buffer.
+func tcpRead(t io.Reader, p []byte) (int, error) {
+	n, err := t.Read(p)
+	if err != nil {
+		return n, err
+	}
+	for n < len(p) {
+		j, err := t.Read(p[n:])
+		if err != nil {
+			return n, err
+		}
+		n += j
+	}
+	return n, err
+}
+
+// Read implements the net.Conn read method.
+func (co *Conn) Read(p []byte) (n int, err error) {
+	if co.Conn == nil {
+		return 0, ErrConnEmpty
+	}
+	if len(p) < 2 {
+		return 0, io.ErrShortBuffer
+	}
+	switch t := co.Conn.(type) {
+	case *net.TCPConn, *tls.Conn:
+		r := t.(io.Reader)
+
+		l, err := tcpMsgLen(r)
+		if err != nil {
+			return 0, err
+		}
+		if l > len(p) {
+			return int(l), io.ErrShortBuffer
+		}
+		return tcpRead(r, p[:l])
+	}
+	// UDP connection
+	n, err = co.Conn.Read(p)
+	if err != nil {
+		return n, err
+	}
+	return n, err
+}
+
+// WriteMsg sends a message through the connection co.
+// If the message m contains a TSIG record the transaction
+// signature is calculated.
+func (co *Conn) WriteMsg(m *Msg) (err error) {
+	var out []byte
+	if t := m.IsTsig(); t != nil {
+		mac := ""
+		if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
+			return ErrSecret
+		}
+		out, mac, err = TsigGenerate(m, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
+		// Set for the next read, although only used in zone transfers
+		co.tsigRequestMAC = mac
+	} else {
+		out, err = m.Pack()
+	}
+	if err != nil {
+		return err
+	}
+	co.t = time.Now()
+	if _, err = co.Write(out); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Write implements the net.Conn Write method.
+func (co *Conn) Write(p []byte) (n int, err error) {
+	switch t := co.Conn.(type) {
+	case *net.TCPConn, *tls.Conn:
+		w := t.(io.Writer)
+
+		lp := len(p)
+		if lp < 2 {
+			return 0, io.ErrShortBuffer
+		}
+		if lp > MaxMsgSize {
+			return 0, &Error{err: "message too large"}
+		}
+		l := make([]byte, 2, lp+2)
+		binary.BigEndian.PutUint16(l, uint16(lp))
+		p = append(l, p...)
+		n, err := io.Copy(w, bytes.NewReader(p))
+		return int(n), err
+	}
+	n, err = co.Conn.Write(p)
+	return n, err
+}
+
+// Return the appropriate timeout for a specific request
+func (c *Client) getTimeoutForRequest(timeout time.Duration) time.Duration {
+	var requestTimeout time.Duration
+	if c.Timeout != 0 {
+		requestTimeout = c.Timeout
+	} else {
+		requestTimeout = timeout
+	}
+	// net.Dialer.Timeout has priority if smaller than the timeouts computed so
+	// far
+	if c.Dialer != nil && c.Dialer.Timeout != 0 {
+		if c.Dialer.Timeout < requestTimeout {
+			requestTimeout = c.Dialer.Timeout
+		}
+	}
+	return requestTimeout
+}
+
+// Dial connects to the address on the named network.
+func Dial(network, address string) (conn *Conn, err error) {
+	conn = new(Conn)
+	conn.Conn, err = net.Dial(network, address)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// ExchangeContext performs a synchronous UDP query, like Exchange. It
+// additionally obeys deadlines from the passed Context.
+func ExchangeContext(ctx context.Context, m *Msg, a string) (r *Msg, err error) {
+	client := Client{Net: "udp"}
+	r, _, err = client.ExchangeContext(ctx, m, a)
+	// ignorint rtt to leave the original ExchangeContext API unchanged, but
+	// this function will go away
+	return r, err
+}
+
+// ExchangeConn performs a synchronous query. It sends the message m via the connection
+// c and waits for a reply. The connection c is not closed by ExchangeConn.
+// This function is going away, but can easily be mimicked:
+//
+//	co := &dns.Conn{Conn: c} // c is your net.Conn
+//	co.WriteMsg(m)
+//	in, _  := co.ReadMsg()
+//	co.Close()
+//
+func ExchangeConn(c net.Conn, m *Msg) (r *Msg, err error) {
+	println("dns: ExchangeConn: this function is deprecated")
+	co := new(Conn)
+	co.Conn = c
+	if err = co.WriteMsg(m); err != nil {
+		return nil, err
+	}
+	r, err = co.ReadMsg()
+	if err == nil && r.Id != m.Id {
+		err = ErrId
+	}
+	return r, err
+}
+
+// DialTimeout acts like Dial but takes a timeout.
+func DialTimeout(network, address string, timeout time.Duration) (conn *Conn, err error) {
+	client := Client{Net: network, Dialer: &net.Dialer{Timeout: timeout}}
+	conn, err = client.Dial(address)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// DialWithTLS connects to the address on the named network with TLS.
+func DialWithTLS(network, address string, tlsConfig *tls.Config) (conn *Conn, err error) {
+	if !strings.HasSuffix(network, "-tls") {
+		network += "-tls"
+	}
+	client := Client{Net: network, TLSConfig: tlsConfig}
+	conn, err = client.Dial(address)
+
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// DialTimeoutWithTLS acts like DialWithTLS but takes a timeout.
+func DialTimeoutWithTLS(network, address string, tlsConfig *tls.Config, timeout time.Duration) (conn *Conn, err error) {
+	if !strings.HasSuffix(network, "-tls") {
+		network += "-tls"
+	}
+	client := Client{Net: network, Dialer: &net.Dialer{Timeout: timeout}, TLSConfig: tlsConfig}
+	conn, err = client.Dial(address)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// ExchangeContext acts like Exchange, but honors the deadline on the provided
+// context, if present. If there is both a context deadline and a configured
+// timeout on the client, the earliest of the two takes effect.
+func (c *Client) ExchangeContext(ctx context.Context, m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
+	var timeout time.Duration
+	if deadline, ok := ctx.Deadline(); !ok {
+		timeout = 0
+	} else {
+		timeout = deadline.Sub(time.Now())
+	}
+	// not passing the context to the underlying calls, as the API does not support
+	// context. For timeouts you should set up Client.Dialer and call Client.Exchange.
+	c.Dialer = &net.Dialer{Timeout: timeout}
+	return c.Exchange(m, a)
+}
--- a/vendor/github.com/miekg/dns/clientconfig.go
+++ b/vendor/github.com/miekg/dns/clientconfig.go
@ -0,0 +1,139 @@
+package dns
+
+import (
+	"bufio"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// ClientConfig wraps the contents of the /etc/resolv.conf file.
+type ClientConfig struct {
+	Servers  []string // servers to use
+	Search   []string // suffixes to append to local name
+	Port     string   // what port to use
+	Ndots    int      // number of dots in name to trigger absolute lookup
+	Timeout  int      // seconds before giving up on packet
+	Attempts int      // lost packets before giving up on server, not used in the package dns
+}
+
+// ClientConfigFromFile parses a resolv.conf(5) like file and returns
+// a *ClientConfig.
+func ClientConfigFromFile(resolvconf string) (*ClientConfig, error) {
+	file, err := os.Open(resolvconf)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+	return ClientConfigFromReader(file)
+}
+
+// ClientConfigFromReader works like ClientConfigFromFile but takes an io.Reader as argument
+func ClientConfigFromReader(resolvconf io.Reader) (*ClientConfig, error) {
+	c := new(ClientConfig)
+	scanner := bufio.NewScanner(resolvconf)
+	c.Servers = make([]string, 0)
+	c.Search = make([]string, 0)
+	c.Port = "53"
+	c.Ndots = 1
+	c.Timeout = 5
+	c.Attempts = 2
+
+	for scanner.Scan() {
+		if err := scanner.Err(); err != nil {
+			return nil, err
+		}
+		line := scanner.Text()
+		f := strings.Fields(line)
+		if len(f) < 1 {
+			continue
+		}
+		switch f[0] {
+		case "nameserver": // add one name server
+			if len(f) > 1 {
+				// One more check: make sure server name is
+				// just an IP address.  Otherwise we need DNS
+				// to look it up.
+				name := f[1]
+				c.Servers = append(c.Servers, name)
+			}
+
+		case "domain": // set search path to just this domain
+			if len(f) > 1 {
+				c.Search = make([]string, 1)
+				c.Search[0] = f[1]
+			} else {
+				c.Search = make([]string, 0)
+			}
+
+		case "search": // set search path to given servers
+			c.Search = make([]string, len(f)-1)
+			for i := 0; i < len(c.Search); i++ {
+				c.Search[i] = f[i+1]
+			}
+
+		case "options": // magic options
+			for i := 1; i < len(f); i++ {
+				s := f[i]
+				switch {
+				case len(s) >= 6 && s[:6] == "ndots:":
+					n, _ := strconv.Atoi(s[6:])
+					if n < 0 {
+						n = 0
+					} else if n > 15 {
+						n = 15
+					}
+					c.Ndots = n
+				case len(s) >= 8 && s[:8] == "timeout:":
+					n, _ := strconv.Atoi(s[8:])
+					if n < 1 {
+						n = 1
+					}
+					c.Timeout = n
+				case len(s) >= 8 && s[:9] == "attempts:":
+					n, _ := strconv.Atoi(s[9:])
+					if n < 1 {
+						n = 1
+					}
+					c.Attempts = n
+				case s == "rotate":
+					/* not imp */
+				}
+			}
+		}
+	}
+	return c, nil
+}
+
+// NameList returns all of the names that should be queried based on the
+// config. It is based off of go's net/dns name building, but it does not
+// check the length of the resulting names.
+func (c *ClientConfig) NameList(name string) []string {
+	// if this domain is already fully qualified, no append needed.
+	if IsFqdn(name) {
+		return []string{name}
+	}
+
+	// Check to see if the name has more labels than Ndots. Do this before making
+	// the domain fully qualified.
+	hasNdots := CountLabel(name) > c.Ndots
+	// Make the domain fully qualified.
+	name = Fqdn(name)
+
+	// Make a list of names based off search.
+	names := []string{}
+
+	// If name has enough dots, try that first.
+	if hasNdots {
+		names = append(names, name)
+	}
+	for _, s := range c.Search {
+		names = append(names, Fqdn(name+s))
+	}
+	// If we didn't have enough dots, try after suffixes.
+	if !hasNdots {
+		names = append(names, name)
+	}
+	return names
+}
--- a/vendor/github.com/miekg/dns/compress_generate.go
+++ b/vendor/github.com/miekg/dns/compress_generate.go
@ -0,0 +1,188 @@
+//+build ignore
+
+// compression_generate.go is meant to run with go generate. It will use
+// go/{importer,types} to track down all the RR struct types. Then for each type
+// it will look to see if there are (compressible) names, if so it will add that
+// type to compressionLenHelperType and comressionLenSearchType which "fake" the
+// compression so that Len() is fast.
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/types"
+	"log"
+	"os"
+)
+
+var packageHdr = `
+// Code generated by "go run compress_generate.go"; DO NOT EDIT.
+
+package dns
+
+`
+
+// getTypeStruct will take a type and the package scope, and return the
+// (innermost) struct if the type is considered a RR type (currently defined as
+// those structs beginning with a RR_Header, could be redefined as implementing
+// the RR interface). The bool return value indicates if embedded structs were
+// resolved.
+func getTypeStruct(t types.Type, scope *types.Scope) (*types.Struct, bool) {
+	st, ok := t.Underlying().(*types.Struct)
+	if !ok {
+		return nil, false
+	}
+	if st.Field(0).Type() == scope.Lookup("RR_Header").Type() {
+		return st, false
+	}
+	if st.Field(0).Anonymous() {
+		st, _ := getTypeStruct(st.Field(0).Type(), scope)
+		return st, true
+	}
+	return nil, false
+}
+
+func main() {
+	// Import and type-check the package
+	pkg, err := importer.Default().Import("github.com/miekg/dns")
+	fatalIfErr(err)
+	scope := pkg.Scope()
+
+	var domainTypes []string  // Types that have a domain name in them (either compressible or not).
+	var cdomainTypes []string // Types that have a compressible domain name in them (subset of domainType)
+Names:
+	for _, name := range scope.Names() {
+		o := scope.Lookup(name)
+		if o == nil || !o.Exported() {
+			continue
+		}
+		st, _ := getTypeStruct(o.Type(), scope)
+		if st == nil {
+			continue
+		}
+		if name == "PrivateRR" {
+			continue
+		}
+
+		if scope.Lookup("Type"+o.Name()) == nil && o.Name() != "RFC3597" {
+			log.Fatalf("Constant Type%s does not exist.", o.Name())
+		}
+
+		for i := 1; i < st.NumFields(); i++ {
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				if st.Tag(i) == `dns:"domain-name"` {
+					domainTypes = append(domainTypes, o.Name())
+					continue Names
+				}
+				if st.Tag(i) == `dns:"cdomain-name"` {
+					cdomainTypes = append(cdomainTypes, o.Name())
+					domainTypes = append(domainTypes, o.Name())
+					continue Names
+				}
+				continue
+			}
+
+			switch {
+			case st.Tag(i) == `dns:"domain-name"`:
+				domainTypes = append(domainTypes, o.Name())
+				continue Names
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				cdomainTypes = append(cdomainTypes, o.Name())
+				domainTypes = append(domainTypes, o.Name())
+				continue Names
+			}
+		}
+	}
+
+	b := &bytes.Buffer{}
+	b.WriteString(packageHdr)
+
+	// compressionLenHelperType - all types that have domain-name/cdomain-name can be used for compressing names
+
+	fmt.Fprint(b, "func compressionLenHelperType(c map[string]int, r RR) {\n")
+	fmt.Fprint(b, "switch x := r.(type) {\n")
+	for _, name := range domainTypes {
+		o := scope.Lookup(name)
+		st, _ := getTypeStruct(o.Type(), scope)
+
+		fmt.Fprintf(b, "case *%s:\n", name)
+		for i := 1; i < st.NumFields(); i++ {
+			out := func(s string) { fmt.Fprintf(b, "compressionLenHelper(c, x.%s)\n", st.Field(i).Name()) }
+
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				switch st.Tag(i) {
+				case `dns:"domain-name"`:
+					fallthrough
+				case `dns:"cdomain-name"`:
+					// For HIP we need to slice over the elements in this slice.
+					fmt.Fprintf(b, `for i := range x.%s {
+						compressionLenHelper(c, x.%s[i])
+					}
+`, st.Field(i).Name(), st.Field(i).Name())
+				}
+				continue
+			}
+
+			switch {
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				fallthrough
+			case st.Tag(i) == `dns:"domain-name"`:
+				out(st.Field(i).Name())
+			}
+		}
+	}
+	fmt.Fprintln(b, "}\n}\n\n")
+
+	// compressionLenSearchType - search cdomain-tags types for compressible names.
+
+	fmt.Fprint(b, "func compressionLenSearchType(c map[string]int, r RR) (int, bool) {\n")
+	fmt.Fprint(b, "switch x := r.(type) {\n")
+	for _, name := range cdomainTypes {
+		o := scope.Lookup(name)
+		st, _ := getTypeStruct(o.Type(), scope)
+
+		fmt.Fprintf(b, "case *%s:\n", name)
+		j := 1
+		for i := 1; i < st.NumFields(); i++ {
+			out := func(s string, j int) {
+				fmt.Fprintf(b, "k%d, ok%d := compressionLenSearch(c, x.%s)\n", j, j, st.Field(i).Name())
+			}
+
+			// There are no slice types with names that can be compressed.
+
+			switch {
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				out(st.Field(i).Name(), j)
+				j++
+			}
+		}
+		k := "k1"
+		ok := "ok1"
+		for i := 2; i < j; i++ {
+			k += fmt.Sprintf(" + k%d", i)
+			ok += fmt.Sprintf(" && ok%d", i)
+		}
+		fmt.Fprintf(b, "return %s, %s\n", k, ok)
+	}
+	fmt.Fprintln(b, "}\nreturn 0, false\n}\n\n")
+
+	// gofmt
+	res, err := format.Source(b.Bytes())
+	if err != nil {
+		b.WriteTo(os.Stderr)
+		log.Fatal(err)
+	}
+
+	f, err := os.Create("zcompress.go")
+	fatalIfErr(err)
+	defer f.Close()
+	f.Write(res)
+}
+
+func fatalIfErr(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}
--- a/vendor/github.com/miekg/dns/dane.go
+++ b/vendor/github.com/miekg/dns/dane.go
@ -0,0 +1,43 @@
+package dns
+
+import (
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/x509"
+	"encoding/hex"
+	"errors"
+)
+
+// CertificateToDANE converts a certificate to a hex string as used in the TLSA or SMIMEA records.
+func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
+	switch matchingType {
+	case 0:
+		switch selector {
+		case 0:
+			return hex.EncodeToString(cert.Raw), nil
+		case 1:
+			return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
+		}
+	case 1:
+		h := sha256.New()
+		switch selector {
+		case 0:
+			h.Write(cert.Raw)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		case 1:
+			h.Write(cert.RawSubjectPublicKeyInfo)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		}
+	case 2:
+		h := sha512.New()
+		switch selector {
+		case 0:
+			h.Write(cert.Raw)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		case 1:
+			h.Write(cert.RawSubjectPublicKeyInfo)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		}
+	}
+	return "", errors.New("dns: bad MatchingType or Selector")
+}
--- a/vendor/github.com/miekg/dns/defaults.go
+++ b/vendor/github.com/miekg/dns/defaults.go
@ -0,0 +1,288 @@
+package dns
+
+import (
+	"errors"
+	"net"
+	"strconv"
+)
+
+const hexDigit = "0123456789abcdef"
+
+// Everything is assumed in ClassINET.
+
+// SetReply creates a reply message from a request message.
+func (dns *Msg) SetReply(request *Msg) *Msg {
+	dns.Id = request.Id
+	dns.Response = true
+	dns.Opcode = request.Opcode
+	if dns.Opcode == OpcodeQuery {
+		dns.RecursionDesired = request.RecursionDesired // Copy rd bit
+		dns.CheckingDisabled = request.CheckingDisabled // Copy cd bit
+	}
+	dns.Rcode = RcodeSuccess
+	if len(request.Question) > 0 {
+		dns.Question = make([]Question, 1)
+		dns.Question[0] = request.Question[0]
+	}
+	return dns
+}
+
+// SetQuestion creates a question message, it sets the Question
+// section, generates an Id and sets the RecursionDesired (RD)
+// bit to true.
+func (dns *Msg) SetQuestion(z string, t uint16) *Msg {
+	dns.Id = Id()
+	dns.RecursionDesired = true
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, t, ClassINET}
+	return dns
+}
+
+// SetNotify creates a notify message, it sets the Question
+// section, generates an Id and sets the Authoritative (AA)
+// bit to true.
+func (dns *Msg) SetNotify(z string) *Msg {
+	dns.Opcode = OpcodeNotify
+	dns.Authoritative = true
+	dns.Id = Id()
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, TypeSOA, ClassINET}
+	return dns
+}
+
+// SetRcode creates an error message suitable for the request.
+func (dns *Msg) SetRcode(request *Msg, rcode int) *Msg {
+	dns.SetReply(request)
+	dns.Rcode = rcode
+	return dns
+}
+
+// SetRcodeFormatError creates a message with FormError set.
+func (dns *Msg) SetRcodeFormatError(request *Msg) *Msg {
+	dns.Rcode = RcodeFormatError
+	dns.Opcode = OpcodeQuery
+	dns.Response = true
+	dns.Authoritative = false
+	dns.Id = request.Id
+	return dns
+}
+
+// SetUpdate makes the message a dynamic update message. It
+// sets the ZONE section to: z, TypeSOA, ClassINET.
+func (dns *Msg) SetUpdate(z string) *Msg {
+	dns.Id = Id()
+	dns.Response = false
+	dns.Opcode = OpcodeUpdate
+	dns.Compress = false // BIND9 cannot handle compression
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, TypeSOA, ClassINET}
+	return dns
+}
+
+// SetIxfr creates message for requesting an IXFR.
+func (dns *Msg) SetIxfr(z string, serial uint32, ns, mbox string) *Msg {
+	dns.Id = Id()
+	dns.Question = make([]Question, 1)
+	dns.Ns = make([]RR, 1)
+	s := new(SOA)
+	s.Hdr = RR_Header{z, TypeSOA, ClassINET, defaultTtl, 0}
+	s.Serial = serial
+	s.Ns = ns
+	s.Mbox = mbox
+	dns.Question[0] = Question{z, TypeIXFR, ClassINET}
+	dns.Ns[0] = s
+	return dns
+}
+
+// SetAxfr creates message for requesting an AXFR.
+func (dns *Msg) SetAxfr(z string) *Msg {
+	dns.Id = Id()
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, TypeAXFR, ClassINET}
+	return dns
+}
+
+// SetTsig appends a TSIG RR to the message.
+// This is only a skeleton TSIG RR that is added as the last RR in the
+// additional section. The Tsig is calculated when the message is being send.
+func (dns *Msg) SetTsig(z, algo string, fudge uint16, timesigned int64) *Msg {
+	t := new(TSIG)
+	t.Hdr = RR_Header{z, TypeTSIG, ClassANY, 0, 0}
+	t.Algorithm = algo
+	t.Fudge = fudge
+	t.TimeSigned = uint64(timesigned)
+	t.OrigId = dns.Id
+	dns.Extra = append(dns.Extra, t)
+	return dns
+}
+
+// SetEdns0 appends a EDNS0 OPT RR to the message.
+// TSIG should always the last RR in a message.
+func (dns *Msg) SetEdns0(udpsize uint16, do bool) *Msg {
+	e := new(OPT)
+	e.Hdr.Name = "."
+	e.Hdr.Rrtype = TypeOPT
+	e.SetUDPSize(udpsize)
+	if do {
+		e.SetDo()
+	}
+	dns.Extra = append(dns.Extra, e)
+	return dns
+}
+
+// IsTsig checks if the message has a TSIG record as the last record
+// in the additional section. It returns the TSIG record found or nil.
+func (dns *Msg) IsTsig() *TSIG {
+	if len(dns.Extra) > 0 {
+		if dns.Extra[len(dns.Extra)-1].Header().Rrtype == TypeTSIG {
+			return dns.Extra[len(dns.Extra)-1].(*TSIG)
+		}
+	}
+	return nil
+}
+
+// IsEdns0 checks if the message has a EDNS0 (OPT) record, any EDNS0
+// record in the additional section will do. It returns the OPT record
+// found or nil.
+func (dns *Msg) IsEdns0() *OPT {
+	// EDNS0 is at the end of the additional section, start there.
+	// We might want to change this to *only* look at the last two
+	// records. So we see TSIG and/or OPT - this a slightly bigger
+	// change though.
+	for i := len(dns.Extra) - 1; i >= 0; i-- {
+		if dns.Extra[i].Header().Rrtype == TypeOPT {
+			return dns.Extra[i].(*OPT)
+		}
+	}
+	return nil
+}
+
+// IsDomainName checks if s is a valid domain name, it returns the number of
+// labels and true, when a domain name is valid.  Note that non fully qualified
+// domain name is considered valid, in this case the last label is counted in
+// the number of labels.  When false is returned the number of labels is not
+// defined.  Also note that this function is extremely liberal; almost any
+// string is a valid domain name as the DNS is 8 bit protocol. It checks if each
+// label fits in 63 characters, but there is no length check for the entire
+// string s. I.e.  a domain name longer than 255 characters is considered valid.
+func IsDomainName(s string) (labels int, ok bool) {
+	_, labels, err := packDomainName(s, nil, 0, nil, false)
+	return labels, err == nil
+}
+
+// IsSubDomain checks if child is indeed a child of the parent. If child and parent
+// are the same domain true is returned as well.
+func IsSubDomain(parent, child string) bool {
+	// Entire child is contained in parent
+	return CompareDomainName(parent, child) == CountLabel(parent)
+}
+
+// IsMsg sanity checks buf and returns an error if it isn't a valid DNS packet.
+// The checking is performed on the binary payload.
+func IsMsg(buf []byte) error {
+	// Header
+	if len(buf) < 12 {
+		return errors.New("dns: bad message header")
+	}
+	// Header: Opcode
+	// TODO(miek): more checks here, e.g. check all header bits.
+	return nil
+}
+
+// IsFqdn checks if a domain name is fully qualified.
+func IsFqdn(s string) bool {
+	l := len(s)
+	if l == 0 {
+		return false
+	}
+	return s[l-1] == '.'
+}
+
+// IsRRset checks if a set of RRs is a valid RRset as defined by RFC 2181.
+// This means the RRs need to have the same type, name, and class. Returns true
+// if the RR set is valid, otherwise false.
+func IsRRset(rrset []RR) bool {
+	if len(rrset) == 0 {
+		return false
+	}
+	if len(rrset) == 1 {
+		return true
+	}
+	rrHeader := rrset[0].Header()
+	rrType := rrHeader.Rrtype
+	rrClass := rrHeader.Class
+	rrName := rrHeader.Name
+
+	for _, rr := range rrset[1:] {
+		curRRHeader := rr.Header()
+		if curRRHeader.Rrtype != rrType || curRRHeader.Class != rrClass || curRRHeader.Name != rrName {
+			// Mismatch between the records, so this is not a valid rrset for
+			//signing/verifying
+			return false
+		}
+	}
+
+	return true
+}
+
+// Fqdn return the fully qualified domain name from s.
+// If s is already fully qualified, it behaves as the identity function.
+func Fqdn(s string) string {
+	if IsFqdn(s) {
+		return s
+	}
+	return s + "."
+}
+
+// Copied from the official Go code.
+
+// ReverseAddr returns the in-addr.arpa. or ip6.arpa. hostname of the IP
+// address suitable for reverse DNS (PTR) record lookups or an error if it fails
+// to parse the IP address.
+func ReverseAddr(addr string) (arpa string, err error) {
+	ip := net.ParseIP(addr)
+	if ip == nil {
+		return "", &Error{err: "unrecognized address: " + addr}
+	}
+	if ip.To4() != nil {
+		return strconv.Itoa(int(ip[15])) + "." + strconv.Itoa(int(ip[14])) + "." + strconv.Itoa(int(ip[13])) + "." +
+			strconv.Itoa(int(ip[12])) + ".in-addr.arpa.", nil
+	}
+	// Must be IPv6
+	buf := make([]byte, 0, len(ip)*4+len("ip6.arpa."))
+	// Add it, in reverse, to the buffer
+	for i := len(ip) - 1; i >= 0; i-- {
+		v := ip[i]
+		buf = append(buf, hexDigit[v&0xF])
+		buf = append(buf, '.')
+		buf = append(buf, hexDigit[v>>4])
+		buf = append(buf, '.')
+	}
+	// Append "ip6.arpa." and return (buf already has the final .)
+	buf = append(buf, "ip6.arpa."...)
+	return string(buf), nil
+}
+
+// String returns the string representation for the type t.
+func (t Type) String() string {
+	if t1, ok := TypeToString[uint16(t)]; ok {
+		return t1
+	}
+	return "TYPE" + strconv.Itoa(int(t))
+}
+
+// String returns the string representation for the class c.
+func (c Class) String() string {
+	if s, ok := ClassToString[uint16(c)]; ok {
+		// Only emit mnemonics when they are unambiguous, specically ANY is in both.
+		if _, ok := StringToType[s]; !ok {
+			return s
+		}
+	}
+	return "CLASS" + strconv.Itoa(int(c))
+}
+
+// String returns the string representation for the name n.
+func (n Name) String() string {
+	return sprintName(string(n))
+}
--- a/vendor/github.com/miekg/dns/dns.go
+++ b/vendor/github.com/miekg/dns/dns.go
@ -0,0 +1,107 @@
+package dns
+
+import "strconv"
+
+const (
+	year68     = 1 << 31 // For RFC1982 (Serial Arithmetic) calculations in 32 bits.
+	defaultTtl = 3600    // Default internal TTL.
+
+	// DefaultMsgSize is the standard default for messages larger than 512 bytes.
+	DefaultMsgSize = 4096
+	// MinMsgSize is the minimal size of a DNS packet.
+	MinMsgSize = 512
+	// MaxMsgSize is the largest possible DNS packet.
+	MaxMsgSize = 65535
+)
+
+// Error represents a DNS error.
+type Error struct{ err string }
+
+func (e *Error) Error() string {
+	if e == nil {
+		return "dns: <nil>"
+	}
+	return "dns: " + e.err
+}
+
+// An RR represents a resource record.
+type RR interface {
+	// Header returns the header of an resource record. The header contains
+	// everything up to the rdata.
+	Header() *RR_Header
+	// String returns the text representation of the resource record.
+	String() string
+
+	// copy returns a copy of the RR
+	copy() RR
+	// len returns the length (in octets) of the uncompressed RR in wire format.
+	len() int
+	// pack packs an RR into wire format.
+	pack([]byte, int, map[string]int, bool) (int, error)
+}
+
+// RR_Header is the header all DNS resource records share.
+type RR_Header struct {
+	Name     string `dns:"cdomain-name"`
+	Rrtype   uint16
+	Class    uint16
+	Ttl      uint32
+	Rdlength uint16 // Length of data after header.
+}
+
+// Header returns itself. This is here to make RR_Header implements the RR interface.
+func (h *RR_Header) Header() *RR_Header { return h }
+
+// Just to implement the RR interface.
+func (h *RR_Header) copy() RR { return nil }
+
+func (h *RR_Header) copyHeader() *RR_Header {
+	r := new(RR_Header)
+	r.Name = h.Name
+	r.Rrtype = h.Rrtype
+	r.Class = h.Class
+	r.Ttl = h.Ttl
+	r.Rdlength = h.Rdlength
+	return r
+}
+
+func (h *RR_Header) String() string {
+	var s string
+
+	if h.Rrtype == TypeOPT {
+		s = ";"
+		// and maybe other things
+	}
+
+	s += sprintName(h.Name) + "\t"
+	s += strconv.FormatInt(int64(h.Ttl), 10) + "\t"
+	s += Class(h.Class).String() + "\t"
+	s += Type(h.Rrtype).String() + "\t"
+	return s
+}
+
+func (h *RR_Header) len() int {
+	l := len(h.Name) + 1
+	l += 10 // rrtype(2) + class(2) + ttl(4) + rdlength(2)
+	return l
+}
+
+// ToRFC3597 converts a known RR to the unknown RR representation from RFC 3597.
+func (rr *RFC3597) ToRFC3597(r RR) error {
+	buf := make([]byte, r.len()*2)
+	off, err := PackRR(r, buf, 0, nil, false)
+	if err != nil {
+		return err
+	}
+	buf = buf[:off]
+	if int(r.Header().Rdlength) > off {
+		return ErrBuf
+	}
+
+	rfc3597, _, err := unpackRFC3597(*r.Header(), buf, off-int(r.Header().Rdlength))
+	if err != nil {
+		return err
+	}
+	*rr = *rfc3597.(*RFC3597)
+	return nil
+}
--- a/vendor/github.com/miekg/dns/dnssec.go
+++ b/vendor/github.com/miekg/dns/dnssec.go
@ -0,0 +1,784 @@
+package dns
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	_ "crypto/md5"
+	"crypto/rand"
+	"crypto/rsa"
+	_ "crypto/sha1"
+	_ "crypto/sha256"
+	_ "crypto/sha512"
+	"encoding/asn1"
+	"encoding/binary"
+	"encoding/hex"
+	"math/big"
+	"sort"
+	"strings"
+	"time"
+
+	"golang.org/x/crypto/ed25519"
+)
+
+// DNSSEC encryption algorithm codes.
+const (
+	_ uint8 = iota
+	RSAMD5
+	DH
+	DSA
+	_ // Skip 4, RFC 6725, section 2.1
+	RSASHA1
+	DSANSEC3SHA1
+	RSASHA1NSEC3SHA1
+	RSASHA256
+	_ // Skip 9, RFC 6725, section 2.1
+	RSASHA512
+	_ // Skip 11, RFC 6725, section 2.1
+	ECCGOST
+	ECDSAP256SHA256
+	ECDSAP384SHA384
+	ED25519
+	ED448
+	INDIRECT   uint8 = 252
+	PRIVATEDNS uint8 = 253 // Private (experimental keys)
+	PRIVATEOID uint8 = 254
+)
+
+// AlgorithmToString is a map of algorithm IDs to algorithm names.
+var AlgorithmToString = map[uint8]string{
+	RSAMD5:           "RSAMD5",
+	DH:               "DH",
+	DSA:              "DSA",
+	RSASHA1:          "RSASHA1",
+	DSANSEC3SHA1:     "DSA-NSEC3-SHA1",
+	RSASHA1NSEC3SHA1: "RSASHA1-NSEC3-SHA1",
+	RSASHA256:        "RSASHA256",
+	RSASHA512:        "RSASHA512",
+	ECCGOST:          "ECC-GOST",
+	ECDSAP256SHA256:  "ECDSAP256SHA256",
+	ECDSAP384SHA384:  "ECDSAP384SHA384",
+	ED25519:          "ED25519",
+	ED448:            "ED448",
+	INDIRECT:         "INDIRECT",
+	PRIVATEDNS:       "PRIVATEDNS",
+	PRIVATEOID:       "PRIVATEOID",
+}
+
+// StringToAlgorithm is the reverse of AlgorithmToString.
+var StringToAlgorithm = reverseInt8(AlgorithmToString)
+
+// AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's.
+var AlgorithmToHash = map[uint8]crypto.Hash{
+	RSAMD5:           crypto.MD5, // Deprecated in RFC 6725
+	RSASHA1:          crypto.SHA1,
+	RSASHA1NSEC3SHA1: crypto.SHA1,
+	RSASHA256:        crypto.SHA256,
+	ECDSAP256SHA256:  crypto.SHA256,
+	ECDSAP384SHA384:  crypto.SHA384,
+	RSASHA512:        crypto.SHA512,
+	ED25519:          crypto.Hash(0),
+}
+
+// DNSSEC hashing algorithm codes.
+const (
+	_      uint8 = iota
+	SHA1         // RFC 4034
+	SHA256       // RFC 4509
+	GOST94       // RFC 5933
+	SHA384       // Experimental
+	SHA512       // Experimental
+)
+
+// HashToString is a map of hash IDs to names.
+var HashToString = map[uint8]string{
+	SHA1:   "SHA1",
+	SHA256: "SHA256",
+	GOST94: "GOST94",
+	SHA384: "SHA384",
+	SHA512: "SHA512",
+}
+
+// StringToHash is a map of names to hash IDs.
+var StringToHash = reverseInt8(HashToString)
+
+// DNSKEY flag values.
+const (
+	SEP    = 1
+	REVOKE = 1 << 7
+	ZONE   = 1 << 8
+)
+
+// The RRSIG needs to be converted to wireformat with some of the rdata (the signature) missing.
+type rrsigWireFmt struct {
+	TypeCovered uint16
+	Algorithm   uint8
+	Labels      uint8
+	OrigTtl     uint32
+	Expiration  uint32
+	Inception   uint32
+	KeyTag      uint16
+	SignerName  string `dns:"domain-name"`
+	/* No Signature */
+}
+
+// Used for converting DNSKEY's rdata to wirefmt.
+type dnskeyWireFmt struct {
+	Flags     uint16
+	Protocol  uint8
+	Algorithm uint8
+	PublicKey string `dns:"base64"`
+	/* Nothing is left out */
+}
+
+func divRoundUp(a, b int) int {
+	return (a + b - 1) / b
+}
+
+// KeyTag calculates the keytag (or key-id) of the DNSKEY.
+func (k *DNSKEY) KeyTag() uint16 {
+	if k == nil {
+		return 0
+	}
+	var keytag int
+	switch k.Algorithm {
+	case RSAMD5:
+		// Look at the bottom two bytes of the modules, which the last
+		// item in the pubkey. We could do this faster by looking directly
+		// at the base64 values. But I'm lazy.
+		modulus, _ := fromBase64([]byte(k.PublicKey))
+		if len(modulus) > 1 {
+			x := binary.BigEndian.Uint16(modulus[len(modulus)-2:])
+			keytag = int(x)
+		}
+	default:
+		keywire := new(dnskeyWireFmt)
+		keywire.Flags = k.Flags
+		keywire.Protocol = k.Protocol
+		keywire.Algorithm = k.Algorithm
+		keywire.PublicKey = k.PublicKey
+		wire := make([]byte, DefaultMsgSize)
+		n, err := packKeyWire(keywire, wire)
+		if err != nil {
+			return 0
+		}
+		wire = wire[:n]
+		for i, v := range wire {
+			if i&1 != 0 {
+				keytag += int(v) // must be larger than uint32
+			} else {
+				keytag += int(v) << 8
+			}
+		}
+		keytag += (keytag >> 16) & 0xFFFF
+		keytag &= 0xFFFF
+	}
+	return uint16(keytag)
+}
+
+// ToDS converts a DNSKEY record to a DS record.
+func (k *DNSKEY) ToDS(h uint8) *DS {
+	if k == nil {
+		return nil
+	}
+	ds := new(DS)
+	ds.Hdr.Name = k.Hdr.Name
+	ds.Hdr.Class = k.Hdr.Class
+	ds.Hdr.Rrtype = TypeDS
+	ds.Hdr.Ttl = k.Hdr.Ttl
+	ds.Algorithm = k.Algorithm
+	ds.DigestType = h
+	ds.KeyTag = k.KeyTag()
+
+	keywire := new(dnskeyWireFmt)
+	keywire.Flags = k.Flags
+	keywire.Protocol = k.Protocol
+	keywire.Algorithm = k.Algorithm
+	keywire.PublicKey = k.PublicKey
+	wire := make([]byte, DefaultMsgSize)
+	n, err := packKeyWire(keywire, wire)
+	if err != nil {
+		return nil
+	}
+	wire = wire[:n]
+
+	owner := make([]byte, 255)
+	off, err1 := PackDomainName(strings.ToLower(k.Hdr.Name), owner, 0, nil, false)
+	if err1 != nil {
+		return nil
+	}
+	owner = owner[:off]
+	// RFC4034:
+	// digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
+	// "|" denotes concatenation
+	// DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
+
+	var hash crypto.Hash
+	switch h {
+	case SHA1:
+		hash = crypto.SHA1
+	case SHA256:
+		hash = crypto.SHA256
+	case SHA384:
+		hash = crypto.SHA384
+	case SHA512:
+		hash = crypto.SHA512
+	default:
+		return nil
+	}
+
+	s := hash.New()
+	s.Write(owner)
+	s.Write(wire)
+	ds.Digest = hex.EncodeToString(s.Sum(nil))
+	return ds
+}
+
+// ToCDNSKEY converts a DNSKEY record to a CDNSKEY record.
+func (k *DNSKEY) ToCDNSKEY() *CDNSKEY {
+	c := &CDNSKEY{DNSKEY: *k}
+	c.Hdr = *k.Hdr.copyHeader()
+	c.Hdr.Rrtype = TypeCDNSKEY
+	return c
+}
+
+// ToCDS converts a DS record to a CDS record.
+func (d *DS) ToCDS() *CDS {
+	c := &CDS{DS: *d}
+	c.Hdr = *d.Hdr.copyHeader()
+	c.Hdr.Rrtype = TypeCDS
+	return c
+}
+
+// Sign signs an RRSet. The signature needs to be filled in with the values:
+// Inception, Expiration, KeyTag, SignerName and Algorithm.  The rest is copied
+// from the RRset. Sign returns a non-nill error when the signing went OK.
+// There is no check if RRSet is a proper (RFC 2181) RRSet.  If OrigTTL is non
+// zero, it is used as-is, otherwise the TTL of the RRset is used as the
+// OrigTTL.
+func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
+	if k == nil {
+		return ErrPrivKey
+	}
+	// s.Inception and s.Expiration may be 0 (rollover etc.), the rest must be set
+	if rr.KeyTag == 0 || len(rr.SignerName) == 0 || rr.Algorithm == 0 {
+		return ErrKey
+	}
+
+	rr.Hdr.Rrtype = TypeRRSIG
+	rr.Hdr.Name = rrset[0].Header().Name
+	rr.Hdr.Class = rrset[0].Header().Class
+	if rr.OrigTtl == 0 { // If set don't override
+		rr.OrigTtl = rrset[0].Header().Ttl
+	}
+	rr.TypeCovered = rrset[0].Header().Rrtype
+	rr.Labels = uint8(CountLabel(rrset[0].Header().Name))
+
+	if strings.HasPrefix(rrset[0].Header().Name, "*") {
+		rr.Labels-- // wildcard, remove from label count
+	}
+
+	sigwire := new(rrsigWireFmt)
+	sigwire.TypeCovered = rr.TypeCovered
+	sigwire.Algorithm = rr.Algorithm
+	sigwire.Labels = rr.Labels
+	sigwire.OrigTtl = rr.OrigTtl
+	sigwire.Expiration = rr.Expiration
+	sigwire.Inception = rr.Inception
+	sigwire.KeyTag = rr.KeyTag
+	// For signing, lowercase this name
+	sigwire.SignerName = strings.ToLower(rr.SignerName)
+
+	// Create the desired binary blob
+	signdata := make([]byte, DefaultMsgSize)
+	n, err := packSigWire(sigwire, signdata)
+	if err != nil {
+		return err
+	}
+	signdata = signdata[:n]
+	wire, err := rawSignatureData(rrset, rr)
+	if err != nil {
+		return err
+	}
+
+	hash, ok := AlgorithmToHash[rr.Algorithm]
+	if !ok {
+		return ErrAlg
+	}
+
+	switch rr.Algorithm {
+	case ED25519:
+		// ed25519 signs the raw message and performs hashing internally.
+		// All other supported signature schemes operate over the pre-hashed
+		// message, and thus ed25519 must be handled separately here.
+		//
+		// The raw message is passed directly into sign and crypto.Hash(0) is
+		// used to signal to the crypto.Signer that the data has not been hashed.
+		signature, err := sign(k, append(signdata, wire...), crypto.Hash(0), rr.Algorithm)
+		if err != nil {
+			return err
+		}
+
+		rr.Signature = toBase64(signature)
+	default:
+		h := hash.New()
+		h.Write(signdata)
+		h.Write(wire)
+
+		signature, err := sign(k, h.Sum(nil), hash, rr.Algorithm)
+		if err != nil {
+			return err
+		}
+
+		rr.Signature = toBase64(signature)
+	}
+
+	return nil
+}
+
+func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, error) {
+	signature, err := k.Sign(rand.Reader, hashed, hash)
+	if err != nil {
+		return nil, err
+	}
+
+	switch alg {
+	case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512:
+		return signature, nil
+
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		ecdsaSignature := &struct {
+			R, S *big.Int
+		}{}
+		if _, err := asn1.Unmarshal(signature, ecdsaSignature); err != nil {
+			return nil, err
+		}
+
+		var intlen int
+		switch alg {
+		case ECDSAP256SHA256:
+			intlen = 32
+		case ECDSAP384SHA384:
+			intlen = 48
+		}
+
+		signature := intToBytes(ecdsaSignature.R, intlen)
+		signature = append(signature, intToBytes(ecdsaSignature.S, intlen)...)
+		return signature, nil
+
+	// There is no defined interface for what a DSA backed crypto.Signer returns
+	case DSA, DSANSEC3SHA1:
+		// 	t := divRoundUp(divRoundUp(p.PublicKey.Y.BitLen(), 8)-64, 8)
+		// 	signature := []byte{byte(t)}
+		// 	signature = append(signature, intToBytes(r1, 20)...)
+		// 	signature = append(signature, intToBytes(s1, 20)...)
+		// 	rr.Signature = signature
+
+	case ED25519:
+		return signature, nil
+	}
+
+	return nil, ErrAlg
+}
+
+// Verify validates an RRSet with the signature and key. This is only the
+// cryptographic test, the signature validity period must be checked separately.
+// This function copies the rdata of some RRs (to lowercase domain names) for the validation to work.
+func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
+	// First the easy checks
+	if !IsRRset(rrset) {
+		return ErrRRset
+	}
+	if rr.KeyTag != k.KeyTag() {
+		return ErrKey
+	}
+	if rr.Hdr.Class != k.Hdr.Class {
+		return ErrKey
+	}
+	if rr.Algorithm != k.Algorithm {
+		return ErrKey
+	}
+	if strings.ToLower(rr.SignerName) != strings.ToLower(k.Hdr.Name) {
+		return ErrKey
+	}
+	if k.Protocol != 3 {
+		return ErrKey
+	}
+
+	// IsRRset checked that we have at least one RR and that the RRs in
+	// the set have consistent type, class, and name. Also check that type and
+	// class matches the RRSIG record.
+	if rrset[0].Header().Class != rr.Hdr.Class {
+		return ErrRRset
+	}
+	if rrset[0].Header().Rrtype != rr.TypeCovered {
+		return ErrRRset
+	}
+
+	// RFC 4035 5.3.2.  Reconstructing the Signed Data
+	// Copy the sig, except the rrsig data
+	sigwire := new(rrsigWireFmt)
+	sigwire.TypeCovered = rr.TypeCovered
+	sigwire.Algorithm = rr.Algorithm
+	sigwire.Labels = rr.Labels
+	sigwire.OrigTtl = rr.OrigTtl
+	sigwire.Expiration = rr.Expiration
+	sigwire.Inception = rr.Inception
+	sigwire.KeyTag = rr.KeyTag
+	sigwire.SignerName = strings.ToLower(rr.SignerName)
+	// Create the desired binary blob
+	signeddata := make([]byte, DefaultMsgSize)
+	n, err := packSigWire(sigwire, signeddata)
+	if err != nil {
+		return err
+	}
+	signeddata = signeddata[:n]
+	wire, err := rawSignatureData(rrset, rr)
+	if err != nil {
+		return err
+	}
+
+	sigbuf := rr.sigBuf()           // Get the binary signature data
+	if rr.Algorithm == PRIVATEDNS { // PRIVATEOID
+		// TODO(miek)
+		// remove the domain name and assume its ours?
+	}
+
+	hash, ok := AlgorithmToHash[rr.Algorithm]
+	if !ok {
+		return ErrAlg
+	}
+
+	switch rr.Algorithm {
+	case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, RSAMD5:
+		// TODO(mg): this can be done quicker, ie. cache the pubkey data somewhere??
+		pubkey := k.publicKeyRSA() // Get the key
+		if pubkey == nil {
+			return ErrKey
+		}
+
+		h := hash.New()
+		h.Write(signeddata)
+		h.Write(wire)
+		return rsa.VerifyPKCS1v15(pubkey, hash, h.Sum(nil), sigbuf)
+
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		pubkey := k.publicKeyECDSA()
+		if pubkey == nil {
+			return ErrKey
+		}
+
+		// Split sigbuf into the r and s coordinates
+		r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2])
+		s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:])
+
+		h := hash.New()
+		h.Write(signeddata)
+		h.Write(wire)
+		if ecdsa.Verify(pubkey, h.Sum(nil), r, s) {
+			return nil
+		}
+		return ErrSig
+
+	case ED25519:
+		pubkey := k.publicKeyED25519()
+		if pubkey == nil {
+			return ErrKey
+		}
+
+		if ed25519.Verify(pubkey, append(signeddata, wire...), sigbuf) {
+			return nil
+		}
+		return ErrSig
+
+	default:
+		return ErrAlg
+	}
+}
+
+// ValidityPeriod uses RFC1982 serial arithmetic to calculate
+// if a signature period is valid. If t is the zero time, the
+// current time is taken other t is. Returns true if the signature
+// is valid at the given time, otherwise returns false.
+func (rr *RRSIG) ValidityPeriod(t time.Time) bool {
+	var utc int64
+	if t.IsZero() {
+		utc = time.Now().UTC().Unix()
+	} else {
+		utc = t.UTC().Unix()
+	}
+	modi := (int64(rr.Inception) - utc) / year68
+	mode := (int64(rr.Expiration) - utc) / year68
+	ti := int64(rr.Inception) + (modi * year68)
+	te := int64(rr.Expiration) + (mode * year68)
+	return ti <= utc && utc <= te
+}
+
+// Return the signatures base64 encodedig sigdata as a byte slice.
+func (rr *RRSIG) sigBuf() []byte {
+	sigbuf, err := fromBase64([]byte(rr.Signature))
+	if err != nil {
+		return nil
+	}
+	return sigbuf
+}
+
+// publicKeyRSA returns the RSA public key from a DNSKEY record.
+func (k *DNSKEY) publicKeyRSA() *rsa.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+
+	// RFC 2537/3110, section 2. RSA Public KEY Resource Records
+	// Length is in the 0th byte, unless its zero, then it
+	// it in bytes 1 and 2 and its a 16 bit number
+	explen := uint16(keybuf[0])
+	keyoff := 1
+	if explen == 0 {
+		explen = uint16(keybuf[1])<<8 | uint16(keybuf[2])
+		keyoff = 3
+	}
+	pubkey := new(rsa.PublicKey)
+
+	pubkey.N = big.NewInt(0)
+	shift := uint64((explen - 1) * 8)
+	expo := uint64(0)
+	for i := int(explen - 1); i > 0; i-- {
+		expo += uint64(keybuf[keyoff+i]) << shift
+		shift -= 8
+	}
+	// Remainder
+	expo += uint64(keybuf[keyoff])
+	if expo > (2<<31)+1 {
+		// Larger expo than supported.
+		// println("dns: F5 primes (or larger) are not supported")
+		return nil
+	}
+	pubkey.E = int(expo)
+
+	pubkey.N.SetBytes(keybuf[keyoff+int(explen):])
+	return pubkey
+}
+
+// publicKeyECDSA returns the Curve public key from the DNSKEY record.
+func (k *DNSKEY) publicKeyECDSA() *ecdsa.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+	pubkey := new(ecdsa.PublicKey)
+	switch k.Algorithm {
+	case ECDSAP256SHA256:
+		pubkey.Curve = elliptic.P256()
+		if len(keybuf) != 64 {
+			// wrongly encoded key
+			return nil
+		}
+	case ECDSAP384SHA384:
+		pubkey.Curve = elliptic.P384()
+		if len(keybuf) != 96 {
+			// Wrongly encoded key
+			return nil
+		}
+	}
+	pubkey.X = big.NewInt(0)
+	pubkey.X.SetBytes(keybuf[:len(keybuf)/2])
+	pubkey.Y = big.NewInt(0)
+	pubkey.Y.SetBytes(keybuf[len(keybuf)/2:])
+	return pubkey
+}
+
+func (k *DNSKEY) publicKeyDSA() *dsa.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+	if len(keybuf) < 22 {
+		return nil
+	}
+	t, keybuf := int(keybuf[0]), keybuf[1:]
+	size := 64 + t*8
+	q, keybuf := keybuf[:20], keybuf[20:]
+	if len(keybuf) != 3*size {
+		return nil
+	}
+	p, keybuf := keybuf[:size], keybuf[size:]
+	g, y := keybuf[:size], keybuf[size:]
+	pubkey := new(dsa.PublicKey)
+	pubkey.Parameters.Q = big.NewInt(0).SetBytes(q)
+	pubkey.Parameters.P = big.NewInt(0).SetBytes(p)
+	pubkey.Parameters.G = big.NewInt(0).SetBytes(g)
+	pubkey.Y = big.NewInt(0).SetBytes(y)
+	return pubkey
+}
+
+func (k *DNSKEY) publicKeyED25519() ed25519.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+	if len(keybuf) != ed25519.PublicKeySize {
+		return nil
+	}
+	return keybuf
+}
+
+type wireSlice [][]byte
+
+func (p wireSlice) Len() int      { return len(p) }
+func (p wireSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
+func (p wireSlice) Less(i, j int) bool {
+	_, ioff, _ := UnpackDomainName(p[i], 0)
+	_, joff, _ := UnpackDomainName(p[j], 0)
+	return bytes.Compare(p[i][ioff+10:], p[j][joff+10:]) < 0
+}
+
+// Return the raw signature data.
+func rawSignatureData(rrset []RR, s *RRSIG) (buf []byte, err error) {
+	wires := make(wireSlice, len(rrset))
+	for i, r := range rrset {
+		r1 := r.copy()
+		r1.Header().Ttl = s.OrigTtl
+		labels := SplitDomainName(r1.Header().Name)
+		// 6.2. Canonical RR Form. (4) - wildcards
+		if len(labels) > int(s.Labels) {
+			// Wildcard
+			r1.Header().Name = "*." + strings.Join(labels[len(labels)-int(s.Labels):], ".") + "."
+		}
+		// RFC 4034: 6.2.  Canonical RR Form. (2) - domain name to lowercase
+		r1.Header().Name = strings.ToLower(r1.Header().Name)
+		// 6.2. Canonical RR Form. (3) - domain rdata to lowercase.
+		//   NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
+		//   HINFO, MINFO, MX, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
+		//   SRV, DNAME, A6
+		//
+		// RFC 6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC):
+		//	Section 6.2 of [RFC4034] also erroneously lists HINFO as a record
+		//	that needs conversion to lowercase, and twice at that.  Since HINFO
+		//	records contain no domain names, they are not subject to case
+		//	conversion.
+		switch x := r1.(type) {
+		case *NS:
+			x.Ns = strings.ToLower(x.Ns)
+		case *MD:
+			x.Md = strings.ToLower(x.Md)
+		case *MF:
+			x.Mf = strings.ToLower(x.Mf)
+		case *CNAME:
+			x.Target = strings.ToLower(x.Target)
+		case *SOA:
+			x.Ns = strings.ToLower(x.Ns)
+			x.Mbox = strings.ToLower(x.Mbox)
+		case *MB:
+			x.Mb = strings.ToLower(x.Mb)
+		case *MG:
+			x.Mg = strings.ToLower(x.Mg)
+		case *MR:
+			x.Mr = strings.ToLower(x.Mr)
+		case *PTR:
+			x.Ptr = strings.ToLower(x.Ptr)
+		case *MINFO:
+			x.Rmail = strings.ToLower(x.Rmail)
+			x.Email = strings.ToLower(x.Email)
+		case *MX:
+			x.Mx = strings.ToLower(x.Mx)
+		case *RP:
+			x.Mbox = strings.ToLower(x.Mbox)
+			x.Txt = strings.ToLower(x.Txt)
+		case *AFSDB:
+			x.Hostname = strings.ToLower(x.Hostname)
+		case *RT:
+			x.Host = strings.ToLower(x.Host)
+		case *SIG:
+			x.SignerName = strings.ToLower(x.SignerName)
+		case *PX:
+			x.Map822 = strings.ToLower(x.Map822)
+			x.Mapx400 = strings.ToLower(x.Mapx400)
+		case *NAPTR:
+			x.Replacement = strings.ToLower(x.Replacement)
+		case *KX:
+			x.Exchanger = strings.ToLower(x.Exchanger)
+		case *SRV:
+			x.Target = strings.ToLower(x.Target)
+		case *DNAME:
+			x.Target = strings.ToLower(x.Target)
+		}
+		// 6.2. Canonical RR Form. (5) - origTTL
+		wire := make([]byte, r1.len()+1) // +1 to be safe(r)
+		off, err1 := PackRR(r1, wire, 0, nil, false)
+		if err1 != nil {
+			return nil, err1
+		}
+		wire = wire[:off]
+		wires[i] = wire
+	}
+	sort.Sort(wires)
+	for i, wire := range wires {
+		if i > 0 && bytes.Equal(wire, wires[i-1]) {
+			continue
+		}
+		buf = append(buf, wire...)
+	}
+	return buf, nil
+}
+
+func packSigWire(sw *rrsigWireFmt, msg []byte) (int, error) {
+	// copied from zmsg.go RRSIG packing
+	off, err := packUint16(sw.TypeCovered, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(sw.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(sw.Labels, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(sw.OrigTtl, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(sw.Expiration, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(sw.Inception, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(sw.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(sw.SignerName, msg, off, nil, false)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
+
+func packKeyWire(dw *dnskeyWireFmt, msg []byte) (int, error) {
+	// copied from zmsg.go DNSKEY packing
+	off, err := packUint16(dw.Flags, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(dw.Protocol, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(dw.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(dw.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
--- a/vendor/github.com/miekg/dns/dnssec_keygen.go
+++ b/vendor/github.com/miekg/dns/dnssec_keygen.go
@ -0,0 +1,178 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"math/big"
+
+	"golang.org/x/crypto/ed25519"
+)
+
+// Generate generates a DNSKEY of the given bit size.
+// The public part is put inside the DNSKEY record.
+// The Algorithm in the key must be set as this will define
+// what kind of DNSKEY will be generated.
+// The ECDSA algorithms imply a fixed keysize, in that case
+// bits should be set to the size of the algorithm.
+func (k *DNSKEY) Generate(bits int) (crypto.PrivateKey, error) {
+	switch k.Algorithm {
+	case DSA, DSANSEC3SHA1:
+		if bits != 1024 {
+			return nil, ErrKeySize
+		}
+	case RSAMD5, RSASHA1, RSASHA256, RSASHA1NSEC3SHA1:
+		if bits < 512 || bits > 4096 {
+			return nil, ErrKeySize
+		}
+	case RSASHA512:
+		if bits < 1024 || bits > 4096 {
+			return nil, ErrKeySize
+		}
+	case ECDSAP256SHA256:
+		if bits != 256 {
+			return nil, ErrKeySize
+		}
+	case ECDSAP384SHA384:
+		if bits != 384 {
+			return nil, ErrKeySize
+		}
+	case ED25519:
+		if bits != 256 {
+			return nil, ErrKeySize
+		}
+	}
+
+	switch k.Algorithm {
+	case DSA, DSANSEC3SHA1:
+		params := new(dsa.Parameters)
+		if err := dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160); err != nil {
+			return nil, err
+		}
+		priv := new(dsa.PrivateKey)
+		priv.PublicKey.Parameters = *params
+		err := dsa.GenerateKey(priv, rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyDSA(params.Q, params.P, params.G, priv.PublicKey.Y)
+		return priv, nil
+	case RSAMD5, RSASHA1, RSASHA256, RSASHA512, RSASHA1NSEC3SHA1:
+		priv, err := rsa.GenerateKey(rand.Reader, bits)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyRSA(priv.PublicKey.E, priv.PublicKey.N)
+		return priv, nil
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		var c elliptic.Curve
+		switch k.Algorithm {
+		case ECDSAP256SHA256:
+			c = elliptic.P256()
+		case ECDSAP384SHA384:
+			c = elliptic.P384()
+		}
+		priv, err := ecdsa.GenerateKey(c, rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyECDSA(priv.PublicKey.X, priv.PublicKey.Y)
+		return priv, nil
+	case ED25519:
+		pub, priv, err := ed25519.GenerateKey(rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyED25519(pub)
+		return priv, nil
+	default:
+		return nil, ErrAlg
+	}
+}
+
+// Set the public key (the value E and N)
+func (k *DNSKEY) setPublicKeyRSA(_E int, _N *big.Int) bool {
+	if _E == 0 || _N == nil {
+		return false
+	}
+	buf := exponentToBuf(_E)
+	buf = append(buf, _N.Bytes()...)
+	k.PublicKey = toBase64(buf)
+	return true
+}
+
+// Set the public key for Elliptic Curves
+func (k *DNSKEY) setPublicKeyECDSA(_X, _Y *big.Int) bool {
+	if _X == nil || _Y == nil {
+		return false
+	}
+	var intlen int
+	switch k.Algorithm {
+	case ECDSAP256SHA256:
+		intlen = 32
+	case ECDSAP384SHA384:
+		intlen = 48
+	}
+	k.PublicKey = toBase64(curveToBuf(_X, _Y, intlen))
+	return true
+}
+
+// Set the public key for DSA
+func (k *DNSKEY) setPublicKeyDSA(_Q, _P, _G, _Y *big.Int) bool {
+	if _Q == nil || _P == nil || _G == nil || _Y == nil {
+		return false
+	}
+	buf := dsaToBuf(_Q, _P, _G, _Y)
+	k.PublicKey = toBase64(buf)
+	return true
+}
+
+// Set the public key for Ed25519
+func (k *DNSKEY) setPublicKeyED25519(_K ed25519.PublicKey) bool {
+	if _K == nil {
+		return false
+	}
+	k.PublicKey = toBase64(_K)
+	return true
+}
+
+// Set the public key (the values E and N) for RSA
+// RFC 3110: Section 2. RSA Public KEY Resource Records
+func exponentToBuf(_E int) []byte {
+	var buf []byte
+	i := big.NewInt(int64(_E)).Bytes()
+	if len(i) < 256 {
+		buf = make([]byte, 1, 1+len(i))
+		buf[0] = uint8(len(i))
+	} else {
+		buf = make([]byte, 3, 3+len(i))
+		buf[0] = 0
+		buf[1] = uint8(len(i) >> 8)
+		buf[2] = uint8(len(i))
+	}
+	buf = append(buf, i...)
+	return buf
+}
+
+// Set the public key for X and Y for Curve. The two
+// values are just concatenated.
+func curveToBuf(_X, _Y *big.Int, intlen int) []byte {
+	buf := intToBytes(_X, intlen)
+	buf = append(buf, intToBytes(_Y, intlen)...)
+	return buf
+}
+
+// Set the public key for X and Y for Curve. The two
+// values are just concatenated.
+func dsaToBuf(_Q, _P, _G, _Y *big.Int) []byte {
+	t := divRoundUp(divRoundUp(_G.BitLen(), 8)-64, 8)
+	buf := []byte{byte(t)}
+	buf = append(buf, intToBytes(_Q, 20)...)
+	buf = append(buf, intToBytes(_P, 64+t*8)...)
+	buf = append(buf, intToBytes(_G, 64+t*8)...)
+	buf = append(buf, intToBytes(_Y, 64+t*8)...)
+	return buf
+}
--- a/vendor/github.com/miekg/dns/dnssec_keyscan.go
+++ b/vendor/github.com/miekg/dns/dnssec_keyscan.go
@ -0,0 +1,297 @@
+package dns
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"io"
+	"math/big"
+	"strconv"
+	"strings"
+
+	"golang.org/x/crypto/ed25519"
+)
+
+// NewPrivateKey returns a PrivateKey by parsing the string s.
+// s should be in the same form of the BIND private key files.
+func (k *DNSKEY) NewPrivateKey(s string) (crypto.PrivateKey, error) {
+	if s == "" || s[len(s)-1] != '\n' { // We need a closing newline
+		return k.ReadPrivateKey(strings.NewReader(s+"\n"), "")
+	}
+	return k.ReadPrivateKey(strings.NewReader(s), "")
+}
+
+// ReadPrivateKey reads a private key from the io.Reader q. The string file is
+// only used in error reporting.
+// The public key must be known, because some cryptographic algorithms embed
+// the public inside the privatekey.
+func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (crypto.PrivateKey, error) {
+	m, err := parseKey(q, file)
+	if m == nil {
+		return nil, err
+	}
+	if _, ok := m["private-key-format"]; !ok {
+		return nil, ErrPrivKey
+	}
+	if m["private-key-format"] != "v1.2" && m["private-key-format"] != "v1.3" {
+		return nil, ErrPrivKey
+	}
+	// TODO(mg): check if the pubkey matches the private key
+	algo, err := strconv.ParseUint(strings.SplitN(m["algorithm"], " ", 2)[0], 10, 8)
+	if err != nil {
+		return nil, ErrPrivKey
+	}
+	switch uint8(algo) {
+	case DSA:
+		priv, err := readPrivateKeyDSA(m)
+		if err != nil {
+			return nil, err
+		}
+		pub := k.publicKeyDSA()
+		if pub == nil {
+			return nil, ErrKey
+		}
+		priv.PublicKey = *pub
+		return priv, nil
+	case RSAMD5:
+		fallthrough
+	case RSASHA1:
+		fallthrough
+	case RSASHA1NSEC3SHA1:
+		fallthrough
+	case RSASHA256:
+		fallthrough
+	case RSASHA512:
+		priv, err := readPrivateKeyRSA(m)
+		if err != nil {
+			return nil, err
+		}
+		pub := k.publicKeyRSA()
+		if pub == nil {
+			return nil, ErrKey
+		}
+		priv.PublicKey = *pub
+		return priv, nil
+	case ECCGOST:
+		return nil, ErrPrivKey
+	case ECDSAP256SHA256:
+		fallthrough
+	case ECDSAP384SHA384:
+		priv, err := readPrivateKeyECDSA(m)
+		if err != nil {
+			return nil, err
+		}
+		pub := k.publicKeyECDSA()
+		if pub == nil {
+			return nil, ErrKey
+		}
+		priv.PublicKey = *pub
+		return priv, nil
+	case ED25519:
+		return readPrivateKeyED25519(m)
+	default:
+		return nil, ErrPrivKey
+	}
+}
+
+// Read a private key (file) string and create a public key. Return the private key.
+func readPrivateKeyRSA(m map[string]string) (*rsa.PrivateKey, error) {
+	p := new(rsa.PrivateKey)
+	p.Primes = []*big.Int{nil, nil}
+	for k, v := range m {
+		switch k {
+		case "modulus", "publicexponent", "privateexponent", "prime1", "prime2":
+			v1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			switch k {
+			case "modulus":
+				p.PublicKey.N = big.NewInt(0)
+				p.PublicKey.N.SetBytes(v1)
+			case "publicexponent":
+				i := big.NewInt(0)
+				i.SetBytes(v1)
+				p.PublicKey.E = int(i.Int64()) // int64 should be large enough
+			case "privateexponent":
+				p.D = big.NewInt(0)
+				p.D.SetBytes(v1)
+			case "prime1":
+				p.Primes[0] = big.NewInt(0)
+				p.Primes[0].SetBytes(v1)
+			case "prime2":
+				p.Primes[1] = big.NewInt(0)
+				p.Primes[1].SetBytes(v1)
+			}
+		case "exponent1", "exponent2", "coefficient":
+			// not used in Go (yet)
+		case "created", "publish", "activate":
+			// not used in Go (yet)
+		}
+	}
+	return p, nil
+}
+
+func readPrivateKeyDSA(m map[string]string) (*dsa.PrivateKey, error) {
+	p := new(dsa.PrivateKey)
+	p.X = big.NewInt(0)
+	for k, v := range m {
+		switch k {
+		case "private_value(x)":
+			v1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			p.X.SetBytes(v1)
+		case "created", "publish", "activate":
+			/* not used in Go (yet) */
+		}
+	}
+	return p, nil
+}
+
+func readPrivateKeyECDSA(m map[string]string) (*ecdsa.PrivateKey, error) {
+	p := new(ecdsa.PrivateKey)
+	p.D = big.NewInt(0)
+	// TODO: validate that the required flags are present
+	for k, v := range m {
+		switch k {
+		case "privatekey":
+			v1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			p.D.SetBytes(v1)
+		case "created", "publish", "activate":
+			/* not used in Go (yet) */
+		}
+	}
+	return p, nil
+}
+
+func readPrivateKeyED25519(m map[string]string) (ed25519.PrivateKey, error) {
+	var p ed25519.PrivateKey
+	// TODO: validate that the required flags are present
+	for k, v := range m {
+		switch k {
+		case "privatekey":
+			p1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			if len(p1) != 32 {
+				return nil, ErrPrivKey
+			}
+			// RFC 8080 and Golang's x/crypto/ed25519 differ as to how the
+			// private keys are represented. RFC 8080 specifies that private
+			// keys be stored solely as the seed value (p1 above) while the
+			// ed25519 package represents them as the seed value concatenated
+			// to the public key, which is derived from the seed value.
+			//
+			// ed25519.GenerateKey reads exactly 32 bytes from the passed in
+			// io.Reader and uses them as the seed. It also derives the
+			// public key and produces a compatible private key.
+			_, p, err = ed25519.GenerateKey(bytes.NewReader(p1))
+			if err != nil {
+				return nil, err
+			}
+		case "created", "publish", "activate":
+			/* not used in Go (yet) */
+		}
+	}
+	return p, nil
+}
+
+// parseKey reads a private key from r. It returns a map[string]string,
+// with the key-value pairs, or an error when the file is not correct.
+func parseKey(r io.Reader, file string) (map[string]string, error) {
+	s, cancel := scanInit(r)
+	m := make(map[string]string)
+	c := make(chan lex)
+	k := ""
+	defer func() {
+		cancel()
+		// zlexer can send up to two tokens, the next one and possibly 1 remainders.
+		// Do a non-blocking read.
+		_, ok := <-c
+		_, ok = <-c
+		if !ok {
+			// too bad
+		}
+	}()
+	// Start the lexer
+	go klexer(s, c)
+	for l := range c {
+		// It should alternate
+		switch l.value {
+		case zKey:
+			k = l.token
+		case zValue:
+			if k == "" {
+				return nil, &ParseError{file, "no private key seen", l}
+			}
+			//println("Setting", strings.ToLower(k), "to", l.token, "b")
+			m[strings.ToLower(k)] = l.token
+			k = ""
+		}
+	}
+	return m, nil
+}
+
+// klexer scans the sourcefile and returns tokens on the channel c.
+func klexer(s *scan, c chan lex) {
+	var l lex
+	str := "" // Hold the current read text
+	commt := false
+	key := true
+	x, err := s.tokenText()
+	defer close(c)
+	for err == nil {
+		l.column = s.position.Column
+		l.line = s.position.Line
+		switch x {
+		case ':':
+			if commt {
+				break
+			}
+			l.token = str
+			if key {
+				l.value = zKey
+				c <- l
+				// Next token is a space, eat it
+				s.tokenText()
+				key = false
+				str = ""
+			} else {
+				l.value = zValue
+			}
+		case ';':
+			commt = true
+		case '\n':
+			if commt {
+				// Reset a comment
+				commt = false
+			}
+			l.value = zValue
+			l.token = str
+			c <- l
+			str = ""
+			commt = false
+			key = true
+		default:
+			if commt {
+				break
+			}
+			str += string(x)
+		}
+		x, err = s.tokenText()
+	}
+	if len(str) > 0 {
+		// Send remainder
+		l.token = str
+		l.value = zValue
+		c <- l
+	}
+}
--- a/vendor/github.com/miekg/dns/dnssec_privkey.go
+++ b/vendor/github.com/miekg/dns/dnssec_privkey.go
@ -0,0 +1,93 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"math/big"
+	"strconv"
+
+	"golang.org/x/crypto/ed25519"
+)
+
+const format = "Private-key-format: v1.3\n"
+
+// PrivateKeyString converts a PrivateKey to a string. This string has the same
+// format as the private-key-file of BIND9 (Private-key-format: v1.3).
+// It needs some info from the key (the algorithm), so its a method of the DNSKEY
+// It supports rsa.PrivateKey, ecdsa.PrivateKey and dsa.PrivateKey
+func (r *DNSKEY) PrivateKeyString(p crypto.PrivateKey) string {
+	algorithm := strconv.Itoa(int(r.Algorithm))
+	algorithm += " (" + AlgorithmToString[r.Algorithm] + ")"
+
+	switch p := p.(type) {
+	case *rsa.PrivateKey:
+		modulus := toBase64(p.PublicKey.N.Bytes())
+		e := big.NewInt(int64(p.PublicKey.E))
+		publicExponent := toBase64(e.Bytes())
+		privateExponent := toBase64(p.D.Bytes())
+		prime1 := toBase64(p.Primes[0].Bytes())
+		prime2 := toBase64(p.Primes[1].Bytes())
+		// Calculate Exponent1/2 and Coefficient as per: http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm
+		// and from: http://code.google.com/p/go/issues/detail?id=987
+		one := big.NewInt(1)
+		p1 := big.NewInt(0).Sub(p.Primes[0], one)
+		q1 := big.NewInt(0).Sub(p.Primes[1], one)
+		exp1 := big.NewInt(0).Mod(p.D, p1)
+		exp2 := big.NewInt(0).Mod(p.D, q1)
+		coeff := big.NewInt(0).ModInverse(p.Primes[1], p.Primes[0])
+
+		exponent1 := toBase64(exp1.Bytes())
+		exponent2 := toBase64(exp2.Bytes())
+		coefficient := toBase64(coeff.Bytes())
+
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"Modulus: " + modulus + "\n" +
+			"PublicExponent: " + publicExponent + "\n" +
+			"PrivateExponent: " + privateExponent + "\n" +
+			"Prime1: " + prime1 + "\n" +
+			"Prime2: " + prime2 + "\n" +
+			"Exponent1: " + exponent1 + "\n" +
+			"Exponent2: " + exponent2 + "\n" +
+			"Coefficient: " + coefficient + "\n"
+
+	case *ecdsa.PrivateKey:
+		var intlen int
+		switch r.Algorithm {
+		case ECDSAP256SHA256:
+			intlen = 32
+		case ECDSAP384SHA384:
+			intlen = 48
+		}
+		private := toBase64(intToBytes(p.D, intlen))
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"PrivateKey: " + private + "\n"
+
+	case *dsa.PrivateKey:
+		T := divRoundUp(divRoundUp(p.PublicKey.Parameters.G.BitLen(), 8)-64, 8)
+		prime := toBase64(intToBytes(p.PublicKey.Parameters.P, 64+T*8))
+		subprime := toBase64(intToBytes(p.PublicKey.Parameters.Q, 20))
+		base := toBase64(intToBytes(p.PublicKey.Parameters.G, 64+T*8))
+		priv := toBase64(intToBytes(p.X, 20))
+		pub := toBase64(intToBytes(p.PublicKey.Y, 64+T*8))
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"Prime(p): " + prime + "\n" +
+			"Subprime(q): " + subprime + "\n" +
+			"Base(g): " + base + "\n" +
+			"Private_value(x): " + priv + "\n" +
+			"Public_value(y): " + pub + "\n"
+
+	case ed25519.PrivateKey:
+		private := toBase64(p[:32])
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"PrivateKey: " + private + "\n"
+
+	default:
+		return ""
+	}
+}
--- a/vendor/github.com/miekg/dns/doc.go
+++ b/vendor/github.com/miekg/dns/doc.go
@ -0,0 +1,272 @@
+/*
+Package dns implements a full featured interface to the Domain Name System.
+Server- and client-side programming is supported.
+The package allows complete control over what is sent out to the DNS. The package
+API follows the less-is-more principle, by presenting a small, clean interface.
+
+The package dns supports (asynchronous) querying/replying, incoming/outgoing zone transfers,
+TSIG, EDNS0, dynamic updates, notifies and DNSSEC validation/signing.
+Note that domain names MUST be fully qualified, before sending them, unqualified
+names in a message will result in a packing failure.
+
+Resource records are native types. They are not stored in wire format.
+Basic usage pattern for creating a new resource record:
+
+     r := new(dns.MX)
+     r.Hdr = dns.RR_Header{Name: "miek.nl.", Rrtype: dns.TypeMX,
+     Class: dns.ClassINET, Ttl: 3600}
+     r.Preference = 10
+     r.Mx = "mx.miek.nl."
+
+Or directly from a string:
+
+     mx, err := dns.NewRR("miek.nl. 3600 IN MX 10 mx.miek.nl.")
+
+Or when the default origin (.) and TTL (3600) and class (IN) suit you:
+
+     mx, err := dns.NewRR("miek.nl MX 10 mx.miek.nl")
+
+Or even:
+
+     mx, err := dns.NewRR("$ORIGIN nl.\nmiek 1H IN MX 10 mx.miek")
+
+In the DNS messages are exchanged, these messages contain resource
+records (sets). Use pattern for creating a message:
+
+     m := new(dns.Msg)
+     m.SetQuestion("miek.nl.", dns.TypeMX)
+
+Or when not certain if the domain name is fully qualified:
+
+	m.SetQuestion(dns.Fqdn("miek.nl"), dns.TypeMX)
+
+The message m is now a message with the question section set to ask
+the MX records for the miek.nl. zone.
+
+The following is slightly more verbose, but more flexible:
+
+     m1 := new(dns.Msg)
+     m1.Id = dns.Id()
+     m1.RecursionDesired = true
+     m1.Question = make([]dns.Question, 1)
+     m1.Question[0] = dns.Question{"miek.nl.", dns.TypeMX, dns.ClassINET}
+
+After creating a message it can be sent.
+Basic use pattern for synchronous querying the DNS at a
+server configured on 127.0.0.1 and port 53:
+
+     c := new(dns.Client)
+     in, rtt, err := c.Exchange(m1, "127.0.0.1:53")
+
+Suppressing multiple outstanding queries (with the same question, type and
+class) is as easy as setting:
+
+	c.SingleInflight = true
+
+More advanced options are available using a net.Dialer and the corresponding API.
+For example it is possible to set a timeout, or to specify a source IP address
+and port to use for the connection:
+
+	c := new(dns.Client)
+	laddr := net.UDPAddr{
+		IP: net.ParseIP("[::1]"),
+		Port: 12345,
+		Zone: "",
+	}
+	d := net.Dialer{
+		Timeout: 200 * time.Millisecond,
+		LocalAddr: &laddr,
+	}
+	in, rtt, err := c.ExchangeWithDialer(&d, m1, "8.8.8.8:53")
+
+If these "advanced" features are not needed, a simple UDP query can be sent,
+with:
+
+	in, err := dns.Exchange(m1, "127.0.0.1:53")
+
+When this functions returns you will get dns message. A dns message consists
+out of four sections.
+The question section: in.Question, the answer section: in.Answer,
+the authority section: in.Ns and the additional section: in.Extra.
+
+Each of these sections (except the Question section) contain a []RR. Basic
+use pattern for accessing the rdata of a TXT RR as the first RR in
+the Answer section:
+
+	if t, ok := in.Answer[0].(*dns.TXT); ok {
+		// do something with t.Txt
+	}
+
+Domain Name and TXT Character String Representations
+
+Both domain names and TXT character strings are converted to presentation
+form both when unpacked and when converted to strings.
+
+For TXT character strings, tabs, carriage returns and line feeds will be
+converted to \t, \r and \n respectively. Back slashes and quotations marks
+will be escaped. Bytes below 32 and above 127 will be converted to \DDD
+form.
+
+For domain names, in addition to the above rules brackets, periods,
+spaces, semicolons and the at symbol are escaped.
+
+DNSSEC
+
+DNSSEC (DNS Security Extension) adds a layer of security to the DNS. It
+uses public key cryptography to sign resource records. The
+public keys are stored in DNSKEY records and the signatures in RRSIG records.
+
+Requesting DNSSEC information for a zone is done by adding the DO (DNSSEC OK) bit
+to a request.
+
+     m := new(dns.Msg)
+     m.SetEdns0(4096, true)
+
+Signature generation, signature verification and key generation are all supported.
+
+DYNAMIC UPDATES
+
+Dynamic updates reuses the DNS message format, but renames three of
+the sections. Question is Zone, Answer is Prerequisite, Authority is
+Update, only the Additional is not renamed. See RFC 2136 for the gory details.
+
+You can set a rather complex set of rules for the existence of absence of
+certain resource records or names in a zone to specify if resource records
+should be added or removed. The table from RFC 2136 supplemented with the Go
+DNS function shows which functions exist to specify the prerequisites.
+
+ 3.2.4 - Table Of Metavalues Used In Prerequisite Section
+
+  CLASS    TYPE     RDATA    Meaning                    Function
+  --------------------------------------------------------------
+  ANY      ANY      empty    Name is in use             dns.NameUsed
+  ANY      rrset    empty    RRset exists (value indep) dns.RRsetUsed
+  NONE     ANY      empty    Name is not in use         dns.NameNotUsed
+  NONE     rrset    empty    RRset does not exist       dns.RRsetNotUsed
+  zone     rrset    rr       RRset exists (value dep)   dns.Used
+
+The prerequisite section can also be left empty.
+If you have decided on the prerequisites you can tell what RRs should
+be added or deleted. The next table shows the options you have and
+what functions to call.
+
+ 3.4.2.6 - Table Of Metavalues Used In Update Section
+
+  CLASS    TYPE     RDATA    Meaning                     Function
+  ---------------------------------------------------------------
+  ANY      ANY      empty    Delete all RRsets from name dns.RemoveName
+  ANY      rrset    empty    Delete an RRset             dns.RemoveRRset
+  NONE     rrset    rr       Delete an RR from RRset     dns.Remove
+  zone     rrset    rr       Add to an RRset             dns.Insert
+
+TRANSACTION SIGNATURE
+
+An TSIG or transaction signature adds a HMAC TSIG record to each message sent.
+The supported algorithms include: HmacMD5, HmacSHA1, HmacSHA256 and HmacSHA512.
+
+Basic use pattern when querying with a TSIG name "axfr." (note that these key names
+must be fully qualified - as they are domain names) and the base64 secret
+"so6ZGir4GPAqINNh9U5c3A==":
+
+If an incoming message contains a TSIG record it MUST be the last record in
+the additional section (RFC2845 3.2).  This means that you should make the
+call to SetTsig last, right before executing the query.  If you make any
+changes to the RRset after calling SetTsig() the signature will be incorrect.
+
+	c := new(dns.Client)
+	c.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+	m := new(dns.Msg)
+	m.SetQuestion("miek.nl.", dns.TypeMX)
+	m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
+	...
+	// When sending the TSIG RR is calculated and filled in before sending
+
+When requesting an zone transfer (almost all TSIG usage is when requesting zone transfers), with
+TSIG, this is the basic use pattern. In this example we request an AXFR for
+miek.nl. with TSIG key named "axfr." and secret "so6ZGir4GPAqINNh9U5c3A=="
+and using the server 176.58.119.54:
+
+	t := new(dns.Transfer)
+	m := new(dns.Msg)
+	t.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+	m.SetAxfr("miek.nl.")
+	m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
+	c, err := t.In(m, "176.58.119.54:53")
+	for r := range c { ... }
+
+You can now read the records from the transfer as they come in. Each envelope is checked with TSIG.
+If something is not correct an error is returned.
+
+Basic use pattern validating and replying to a message that has TSIG set.
+
+	server := &dns.Server{Addr: ":53", Net: "udp"}
+	server.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+	go server.ListenAndServe()
+	dns.HandleFunc(".", handleRequest)
+
+	func handleRequest(w dns.ResponseWriter, r *dns.Msg) {
+		m := new(dns.Msg)
+		m.SetReply(r)
+		if r.IsTsig() != nil {
+			if w.TsigStatus() == nil {
+				// *Msg r has an TSIG record and it was validated
+				m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
+			} else {
+				// *Msg r has an TSIG records and it was not valided
+			}
+		}
+		w.WriteMsg(m)
+	}
+
+PRIVATE RRS
+
+RFC 6895 sets aside a range of type codes for private use. This range
+is 65,280 - 65,534 (0xFF00 - 0xFFFE). When experimenting with new Resource Records these
+can be used, before requesting an official type code from IANA.
+
+see http://miek.nl/2014/September/21/idn-and-private-rr-in-go-dns/ for more
+information.
+
+EDNS0
+
+EDNS0 is an extension mechanism for the DNS defined in RFC 2671 and updated
+by RFC 6891. It defines an new RR type, the OPT RR, which is then completely
+abused.
+Basic use pattern for creating an (empty) OPT RR:
+
+	o := new(dns.OPT)
+	o.Hdr.Name = "." // MUST be the root zone, per definition.
+	o.Hdr.Rrtype = dns.TypeOPT
+
+The rdata of an OPT RR consists out of a slice of EDNS0 (RFC 6891)
+interfaces. Currently only a few have been standardized: EDNS0_NSID
+(RFC 5001) and EDNS0_SUBNET (draft-vandergaast-edns-client-subnet-02). Note
+that these options may be combined in an OPT RR.
+Basic use pattern for a server to check if (and which) options are set:
+
+	// o is a dns.OPT
+	for _, s := range o.Option {
+		switch e := s.(type) {
+		case *dns.EDNS0_NSID:
+			// do stuff with e.Nsid
+		case *dns.EDNS0_SUBNET:
+			// access e.Family, e.Address, etc.
+		}
+	}
+
+SIG(0)
+
+From RFC 2931:
+
+    SIG(0) provides protection for DNS transactions and requests ....
+    ... protection for glue records, DNS requests, protection for message headers
+    on requests and responses, and protection of the overall integrity of a response.
+
+It works like TSIG, except that SIG(0) uses public key cryptography, instead of the shared
+secret approach in TSIG.
+Supported algorithms: DSA, ECDSAP256SHA256, ECDSAP384SHA384, RSASHA1, RSASHA256 and
+RSASHA512.
+
+Signing subsequent messages in multi-message sessions is not implemented.
+*/
+package dns
--- a/vendor/github.com/miekg/dns/edns.go
+++ b/vendor/github.com/miekg/dns/edns.go
@ -0,0 +1,627 @@
+package dns
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+)
+
+// EDNS0 Option codes.
+const (
+	EDNS0LLQ          = 0x1     // long lived queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01
+	EDNS0UL           = 0x2     // update lease draft: http://files.dns-sd.org/draft-sekar-dns-ul.txt
+	EDNS0NSID         = 0x3     // nsid (See RFC 5001)
+	EDNS0DAU          = 0x5     // DNSSEC Algorithm Understood
+	EDNS0DHU          = 0x6     // DS Hash Understood
+	EDNS0N3U          = 0x7     // NSEC3 Hash Understood
+	EDNS0SUBNET       = 0x8     // client-subnet (See RFC 7871)
+	EDNS0EXPIRE       = 0x9     // EDNS0 expire
+	EDNS0COOKIE       = 0xa     // EDNS0 Cookie
+	EDNS0TCPKEEPALIVE = 0xb     // EDNS0 tcp keep alive (See RFC 7828)
+	EDNS0PADDING      = 0xc     // EDNS0 padding (See RFC 7830)
+	EDNS0LOCALSTART   = 0xFDE9  // Beginning of range reserved for local/experimental use (See RFC 6891)
+	EDNS0LOCALEND     = 0xFFFE  // End of range reserved for local/experimental use (See RFC 6891)
+	_DO               = 1 << 15 // DNSSEC OK
+)
+
+// OPT is the EDNS0 RR appended to messages to convey extra (meta) information.
+// See RFC 6891.
+type OPT struct {
+	Hdr    RR_Header
+	Option []EDNS0 `dns:"opt"`
+}
+
+func (rr *OPT) String() string {
+	s := "\n;; OPT PSEUDOSECTION:\n; EDNS: version " + strconv.Itoa(int(rr.Version())) + "; "
+	if rr.Do() {
+		s += "flags: do; "
+	} else {
+		s += "flags: ; "
+	}
+	s += "udp: " + strconv.Itoa(int(rr.UDPSize()))
+
+	for _, o := range rr.Option {
+		switch o.(type) {
+		case *EDNS0_NSID:
+			s += "\n; NSID: " + o.String()
+			h, e := o.pack()
+			var r string
+			if e == nil {
+				for _, c := range h {
+					r += "(" + string(c) + ")"
+				}
+				s += "  " + r
+			}
+		case *EDNS0_SUBNET:
+			s += "\n; SUBNET: " + o.String()
+		case *EDNS0_COOKIE:
+			s += "\n; COOKIE: " + o.String()
+		case *EDNS0_UL:
+			s += "\n; UPDATE LEASE: " + o.String()
+		case *EDNS0_LLQ:
+			s += "\n; LONG LIVED QUERIES: " + o.String()
+		case *EDNS0_DAU:
+			s += "\n; DNSSEC ALGORITHM UNDERSTOOD: " + o.String()
+		case *EDNS0_DHU:
+			s += "\n; DS HASH UNDERSTOOD: " + o.String()
+		case *EDNS0_N3U:
+			s += "\n; NSEC3 HASH UNDERSTOOD: " + o.String()
+		case *EDNS0_LOCAL:
+			s += "\n; LOCAL OPT: " + o.String()
+		case *EDNS0_PADDING:
+			s += "\n; PADDING: " + o.String()
+		}
+	}
+	return s
+}
+
+func (rr *OPT) len() int {
+	l := rr.Hdr.len()
+	for i := 0; i < len(rr.Option); i++ {
+		l += 4 // Account for 2-byte option code and 2-byte option length.
+		lo, _ := rr.Option[i].pack()
+		l += len(lo)
+	}
+	return l
+}
+
+// return the old value -> delete SetVersion?
+
+// Version returns the EDNS version used. Only zero is defined.
+func (rr *OPT) Version() uint8 {
+	return uint8((rr.Hdr.Ttl & 0x00FF0000) >> 16)
+}
+
+// SetVersion sets the version of EDNS. This is usually zero.
+func (rr *OPT) SetVersion(v uint8) {
+	rr.Hdr.Ttl = rr.Hdr.Ttl&0xFF00FFFF | (uint32(v) << 16)
+}
+
+// ExtendedRcode returns the EDNS extended RCODE field (the upper 8 bits of the TTL).
+func (rr *OPT) ExtendedRcode() int {
+	return int((rr.Hdr.Ttl & 0xFF000000) >> 24)
+}
+
+// SetExtendedRcode sets the EDNS extended RCODE field.
+func (rr *OPT) SetExtendedRcode(v uint8) {
+	rr.Hdr.Ttl = rr.Hdr.Ttl&0x00FFFFFF | (uint32(v) << 24)
+}
+
+// UDPSize returns the UDP buffer size.
+func (rr *OPT) UDPSize() uint16 {
+	return rr.Hdr.Class
+}
+
+// SetUDPSize sets the UDP buffer size.
+func (rr *OPT) SetUDPSize(size uint16) {
+	rr.Hdr.Class = size
+}
+
+// Do returns the value of the DO (DNSSEC OK) bit.
+func (rr *OPT) Do() bool {
+	return rr.Hdr.Ttl&_DO == _DO
+}
+
+// SetDo sets the DO (DNSSEC OK) bit.
+// If we pass an argument, set the DO bit to that value.
+// It is possible to pass 2 or more arguments. Any arguments after the 1st is silently ignored.
+func (rr *OPT) SetDo(do ...bool) {
+	if len(do) == 1 {
+		if do[0] {
+			rr.Hdr.Ttl |= _DO
+		} else {
+			rr.Hdr.Ttl &^= _DO
+		}
+	} else {
+		rr.Hdr.Ttl |= _DO
+	}
+}
+
+// EDNS0 defines an EDNS0 Option. An OPT RR can have multiple options appended to it.
+type EDNS0 interface {
+	// Option returns the option code for the option.
+	Option() uint16
+	// pack returns the bytes of the option data.
+	pack() ([]byte, error)
+	// unpack sets the data as found in the buffer. Is also sets
+	// the length of the slice as the length of the option data.
+	unpack([]byte) error
+	// String returns the string representation of the option.
+	String() string
+}
+
+// EDNS0_NSID option is used to retrieve a nameserver
+// identifier. When sending a request Nsid must be set to the empty string
+// The identifier is an opaque string encoded as hex.
+// Basic use pattern for creating an nsid option:
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_NSID)
+//	e.Code = dns.EDNS0NSID
+//	e.Nsid = "AA"
+//	o.Option = append(o.Option, e)
+type EDNS0_NSID struct {
+	Code uint16 // Always EDNS0NSID
+	Nsid string // This string needs to be hex encoded
+}
+
+func (e *EDNS0_NSID) pack() ([]byte, error) {
+	h, err := hex.DecodeString(e.Nsid)
+	if err != nil {
+		return nil, err
+	}
+	return h, nil
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_NSID) Option() uint16        { return EDNS0NSID } // Option returns the option code.
+func (e *EDNS0_NSID) unpack(b []byte) error { e.Nsid = hex.EncodeToString(b); return nil }
+func (e *EDNS0_NSID) String() string        { return string(e.Nsid) }
+
+// EDNS0_SUBNET is the subnet option that is used to give the remote nameserver
+// an idea of where the client lives. See RFC 7871. It can then give back a different
+// answer depending on the location or network topology.
+// Basic use pattern for creating an subnet option:
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_SUBNET)
+//	e.Code = dns.EDNS0SUBNET
+//	e.Family = 1	// 1 for IPv4 source address, 2 for IPv6
+//	e.SourceNetmask = 32	// 32 for IPV4, 128 for IPv6
+//	e.SourceScope = 0
+//	e.Address = net.ParseIP("127.0.0.1").To4()	// for IPv4
+//	// e.Address = net.ParseIP("2001:7b8:32a::2")	// for IPV6
+//	o.Option = append(o.Option, e)
+//
+// This code will parse all the available bits when unpacking (up to optlen).
+// When packing it will apply SourceNetmask. If you need more advanced logic,
+// patches welcome and good luck.
+type EDNS0_SUBNET struct {
+	Code          uint16 // Always EDNS0SUBNET
+	Family        uint16 // 1 for IP, 2 for IP6
+	SourceNetmask uint8
+	SourceScope   uint8
+	Address       net.IP
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_SUBNET) Option() uint16 { return EDNS0SUBNET }
+
+func (e *EDNS0_SUBNET) pack() ([]byte, error) {
+	b := make([]byte, 4)
+	binary.BigEndian.PutUint16(b[0:], e.Family)
+	b[2] = e.SourceNetmask
+	b[3] = e.SourceScope
+	switch e.Family {
+	case 0:
+		// "dig" sets AddressFamily to 0 if SourceNetmask is also 0
+		// We might don't need to complain either
+		if e.SourceNetmask != 0 {
+			return nil, errors.New("dns: bad address family")
+		}
+	case 1:
+		if e.SourceNetmask > net.IPv4len*8 {
+			return nil, errors.New("dns: bad netmask")
+		}
+		if len(e.Address.To4()) != net.IPv4len {
+			return nil, errors.New("dns: bad address")
+		}
+		ip := e.Address.To4().Mask(net.CIDRMask(int(e.SourceNetmask), net.IPv4len*8))
+		needLength := (e.SourceNetmask + 8 - 1) / 8 // division rounding up
+		b = append(b, ip[:needLength]...)
+	case 2:
+		if e.SourceNetmask > net.IPv6len*8 {
+			return nil, errors.New("dns: bad netmask")
+		}
+		if len(e.Address) != net.IPv6len {
+			return nil, errors.New("dns: bad address")
+		}
+		ip := e.Address.Mask(net.CIDRMask(int(e.SourceNetmask), net.IPv6len*8))
+		needLength := (e.SourceNetmask + 8 - 1) / 8 // division rounding up
+		b = append(b, ip[:needLength]...)
+	default:
+		return nil, errors.New("dns: bad address family")
+	}
+	return b, nil
+}
+
+func (e *EDNS0_SUBNET) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Family = binary.BigEndian.Uint16(b)
+	e.SourceNetmask = b[2]
+	e.SourceScope = b[3]
+	switch e.Family {
+	case 0:
+		// "dig" sets AddressFamily to 0 if SourceNetmask is also 0
+		// It's okay to accept such a packet
+		if e.SourceNetmask != 0 {
+			return errors.New("dns: bad address family")
+		}
+		e.Address = net.IPv4(0, 0, 0, 0)
+	case 1:
+		if e.SourceNetmask > net.IPv4len*8 || e.SourceScope > net.IPv4len*8 {
+			return errors.New("dns: bad netmask")
+		}
+		addr := make([]byte, net.IPv4len)
+		for i := 0; i < net.IPv4len && 4+i < len(b); i++ {
+			addr[i] = b[4+i]
+		}
+		e.Address = net.IPv4(addr[0], addr[1], addr[2], addr[3])
+	case 2:
+		if e.SourceNetmask > net.IPv6len*8 || e.SourceScope > net.IPv6len*8 {
+			return errors.New("dns: bad netmask")
+		}
+		addr := make([]byte, net.IPv6len)
+		for i := 0; i < net.IPv6len && 4+i < len(b); i++ {
+			addr[i] = b[4+i]
+		}
+		e.Address = net.IP{addr[0], addr[1], addr[2], addr[3], addr[4],
+			addr[5], addr[6], addr[7], addr[8], addr[9], addr[10],
+			addr[11], addr[12], addr[13], addr[14], addr[15]}
+	default:
+		return errors.New("dns: bad address family")
+	}
+	return nil
+}
+
+func (e *EDNS0_SUBNET) String() (s string) {
+	if e.Address == nil {
+		s = "<nil>"
+	} else if e.Address.To4() != nil {
+		s = e.Address.String()
+	} else {
+		s = "[" + e.Address.String() + "]"
+	}
+	s += "/" + strconv.Itoa(int(e.SourceNetmask)) + "/" + strconv.Itoa(int(e.SourceScope))
+	return
+}
+
+// The EDNS0_COOKIE option is used to add a DNS Cookie to a message.
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_COOKIE)
+//	e.Code = dns.EDNS0COOKIE
+//	e.Cookie = "24a5ac.."
+//	o.Option = append(o.Option, e)
+//
+// The Cookie field consists out of a client cookie (RFC 7873 Section 4), that is
+// always 8 bytes. It may then optionally be followed by the server cookie. The server
+// cookie is of variable length, 8 to a maximum of 32 bytes. In other words:
+//
+//	cCookie := o.Cookie[:16]
+//	sCookie := o.Cookie[16:]
+//
+// There is no guarantee that the Cookie string has a specific length.
+type EDNS0_COOKIE struct {
+	Code   uint16 // Always EDNS0COOKIE
+	Cookie string // Hex-encoded cookie data
+}
+
+func (e *EDNS0_COOKIE) pack() ([]byte, error) {
+	h, err := hex.DecodeString(e.Cookie)
+	if err != nil {
+		return nil, err
+	}
+	return h, nil
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_COOKIE) Option() uint16        { return EDNS0COOKIE }
+func (e *EDNS0_COOKIE) unpack(b []byte) error { e.Cookie = hex.EncodeToString(b); return nil }
+func (e *EDNS0_COOKIE) String() string        { return e.Cookie }
+
+// The EDNS0_UL (Update Lease) (draft RFC) option is used to tell the server to set
+// an expiration on an update RR. This is helpful for clients that cannot clean
+// up after themselves. This is a draft RFC and more information can be found at
+// http://files.dns-sd.org/draft-sekar-dns-ul.txt
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_UL)
+//	e.Code = dns.EDNS0UL
+//	e.Lease = 120 // in seconds
+//	o.Option = append(o.Option, e)
+type EDNS0_UL struct {
+	Code  uint16 // Always EDNS0UL
+	Lease uint32
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_UL) Option() uint16 { return EDNS0UL }
+func (e *EDNS0_UL) String() string { return strconv.FormatUint(uint64(e.Lease), 10) }
+
+// Copied: http://golang.org/src/pkg/net/dnsmsg.go
+func (e *EDNS0_UL) pack() ([]byte, error) {
+	b := make([]byte, 4)
+	binary.BigEndian.PutUint32(b, e.Lease)
+	return b, nil
+}
+
+func (e *EDNS0_UL) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Lease = binary.BigEndian.Uint32(b)
+	return nil
+}
+
+// EDNS0_LLQ stands for Long Lived Queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01
+// Implemented for completeness, as the EDNS0 type code is assigned.
+type EDNS0_LLQ struct {
+	Code      uint16 // Always EDNS0LLQ
+	Version   uint16
+	Opcode    uint16
+	Error     uint16
+	Id        uint64
+	LeaseLife uint32
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_LLQ) Option() uint16 { return EDNS0LLQ }
+
+func (e *EDNS0_LLQ) pack() ([]byte, error) {
+	b := make([]byte, 18)
+	binary.BigEndian.PutUint16(b[0:], e.Version)
+	binary.BigEndian.PutUint16(b[2:], e.Opcode)
+	binary.BigEndian.PutUint16(b[4:], e.Error)
+	binary.BigEndian.PutUint64(b[6:], e.Id)
+	binary.BigEndian.PutUint32(b[14:], e.LeaseLife)
+	return b, nil
+}
+
+func (e *EDNS0_LLQ) unpack(b []byte) error {
+	if len(b) < 18 {
+		return ErrBuf
+	}
+	e.Version = binary.BigEndian.Uint16(b[0:])
+	e.Opcode = binary.BigEndian.Uint16(b[2:])
+	e.Error = binary.BigEndian.Uint16(b[4:])
+	e.Id = binary.BigEndian.Uint64(b[6:])
+	e.LeaseLife = binary.BigEndian.Uint32(b[14:])
+	return nil
+}
+
+func (e *EDNS0_LLQ) String() string {
+	s := strconv.FormatUint(uint64(e.Version), 10) + " " + strconv.FormatUint(uint64(e.Opcode), 10) +
+		" " + strconv.FormatUint(uint64(e.Error), 10) + " " + strconv.FormatUint(uint64(e.Id), 10) +
+		" " + strconv.FormatUint(uint64(e.LeaseLife), 10)
+	return s
+}
+
+// EDNS0_DUA implements the EDNS0 "DNSSEC Algorithm Understood" option. See RFC 6975.
+type EDNS0_DAU struct {
+	Code    uint16 // Always EDNS0DAU
+	AlgCode []uint8
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_DAU) Option() uint16        { return EDNS0DAU }
+func (e *EDNS0_DAU) pack() ([]byte, error) { return e.AlgCode, nil }
+func (e *EDNS0_DAU) unpack(b []byte) error { e.AlgCode = b; return nil }
+
+func (e *EDNS0_DAU) String() string {
+	s := ""
+	for i := 0; i < len(e.AlgCode); i++ {
+		if a, ok := AlgorithmToString[e.AlgCode[i]]; ok {
+			s += " " + a
+		} else {
+			s += " " + strconv.Itoa(int(e.AlgCode[i]))
+		}
+	}
+	return s
+}
+
+// EDNS0_DHU implements the EDNS0 "DS Hash Understood" option. See RFC 6975.
+type EDNS0_DHU struct {
+	Code    uint16 // Always EDNS0DHU
+	AlgCode []uint8
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_DHU) Option() uint16        { return EDNS0DHU }
+func (e *EDNS0_DHU) pack() ([]byte, error) { return e.AlgCode, nil }
+func (e *EDNS0_DHU) unpack(b []byte) error { e.AlgCode = b; return nil }
+
+func (e *EDNS0_DHU) String() string {
+	s := ""
+	for i := 0; i < len(e.AlgCode); i++ {
+		if a, ok := HashToString[e.AlgCode[i]]; ok {
+			s += " " + a
+		} else {
+			s += " " + strconv.Itoa(int(e.AlgCode[i]))
+		}
+	}
+	return s
+}
+
+// EDNS0_N3U implements the EDNS0 "NSEC3 Hash Understood" option. See RFC 6975.
+type EDNS0_N3U struct {
+	Code    uint16 // Always EDNS0N3U
+	AlgCode []uint8
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_N3U) Option() uint16        { return EDNS0N3U }
+func (e *EDNS0_N3U) pack() ([]byte, error) { return e.AlgCode, nil }
+func (e *EDNS0_N3U) unpack(b []byte) error { e.AlgCode = b; return nil }
+
+func (e *EDNS0_N3U) String() string {
+	// Re-use the hash map
+	s := ""
+	for i := 0; i < len(e.AlgCode); i++ {
+		if a, ok := HashToString[e.AlgCode[i]]; ok {
+			s += " " + a
+		} else {
+			s += " " + strconv.Itoa(int(e.AlgCode[i]))
+		}
+	}
+	return s
+}
+
+// EDNS0_EXPIRE implementes the EDNS0 option as described in RFC 7314.
+type EDNS0_EXPIRE struct {
+	Code   uint16 // Always EDNS0EXPIRE
+	Expire uint32
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_EXPIRE) Option() uint16 { return EDNS0EXPIRE }
+func (e *EDNS0_EXPIRE) String() string { return strconv.FormatUint(uint64(e.Expire), 10) }
+
+func (e *EDNS0_EXPIRE) pack() ([]byte, error) {
+	b := make([]byte, 4)
+	b[0] = byte(e.Expire >> 24)
+	b[1] = byte(e.Expire >> 16)
+	b[2] = byte(e.Expire >> 8)
+	b[3] = byte(e.Expire)
+	return b, nil
+}
+
+func (e *EDNS0_EXPIRE) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Expire = binary.BigEndian.Uint32(b)
+	return nil
+}
+
+// The EDNS0_LOCAL option is used for local/experimental purposes. The option
+// code is recommended to be within the range [EDNS0LOCALSTART, EDNS0LOCALEND]
+// (RFC6891), although any unassigned code can actually be used.  The content of
+// the option is made available in Data, unaltered.
+// Basic use pattern for creating a local option:
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_LOCAL)
+//	e.Code = dns.EDNS0LOCALSTART
+//	e.Data = []byte{72, 82, 74}
+//	o.Option = append(o.Option, e)
+type EDNS0_LOCAL struct {
+	Code uint16
+	Data []byte
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_LOCAL) Option() uint16 { return e.Code }
+func (e *EDNS0_LOCAL) String() string {
+	return strconv.FormatInt(int64(e.Code), 10) + ":0x" + hex.EncodeToString(e.Data)
+}
+
+func (e *EDNS0_LOCAL) pack() ([]byte, error) {
+	b := make([]byte, len(e.Data))
+	copied := copy(b, e.Data)
+	if copied != len(e.Data) {
+		return nil, ErrBuf
+	}
+	return b, nil
+}
+
+func (e *EDNS0_LOCAL) unpack(b []byte) error {
+	e.Data = make([]byte, len(b))
+	copied := copy(e.Data, b)
+	if copied != len(b) {
+		return ErrBuf
+	}
+	return nil
+}
+
+// EDNS0_TCP_KEEPALIVE is an EDNS0 option that instructs the server to keep
+// the TCP connection alive. See RFC 7828.
+type EDNS0_TCP_KEEPALIVE struct {
+	Code    uint16 // Always EDNSTCPKEEPALIVE
+	Length  uint16 // the value 0 if the TIMEOUT is omitted, the value 2 if it is present;
+	Timeout uint16 // an idle timeout value for the TCP connection, specified in units of 100 milliseconds, encoded in network byte order.
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_TCP_KEEPALIVE) Option() uint16 { return EDNS0TCPKEEPALIVE }
+
+func (e *EDNS0_TCP_KEEPALIVE) pack() ([]byte, error) {
+	if e.Timeout != 0 && e.Length != 2 {
+		return nil, errors.New("dns: timeout specified but length is not 2")
+	}
+	if e.Timeout == 0 && e.Length != 0 {
+		return nil, errors.New("dns: timeout not specified but length is not 0")
+	}
+	b := make([]byte, 4+e.Length)
+	binary.BigEndian.PutUint16(b[0:], e.Code)
+	binary.BigEndian.PutUint16(b[2:], e.Length)
+	if e.Length == 2 {
+		binary.BigEndian.PutUint16(b[4:], e.Timeout)
+	}
+	return b, nil
+}
+
+func (e *EDNS0_TCP_KEEPALIVE) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Length = binary.BigEndian.Uint16(b[2:4])
+	if e.Length != 0 && e.Length != 2 {
+		return errors.New("dns: length mismatch, want 0/2 but got " + strconv.FormatUint(uint64(e.Length), 10))
+	}
+	if e.Length == 2 {
+		if len(b) < 6 {
+			return ErrBuf
+		}
+		e.Timeout = binary.BigEndian.Uint16(b[4:6])
+	}
+	return nil
+}
+
+func (e *EDNS0_TCP_KEEPALIVE) String() (s string) {
+	s = "use tcp keep-alive"
+	if e.Length == 0 {
+		s += ", timeout omitted"
+	} else {
+		s += fmt.Sprintf(", timeout %dms", e.Timeout*100)
+	}
+	return
+}
+
+// EDNS0_PADDING option is used to add padding to a request/response. The default
+// value of padding SHOULD be 0x0 but other values MAY be used, for instance if
+// compression is applied before encryption which may break signatures.
+type EDNS0_PADDING struct {
+	Padding []byte
+}
+
+// Option implements the EDNS0 interface.
+func (e *EDNS0_PADDING) Option() uint16        { return EDNS0PADDING }
+func (e *EDNS0_PADDING) pack() ([]byte, error) { return e.Padding, nil }
+func (e *EDNS0_PADDING) unpack(b []byte) error { e.Padding = b; return nil }
+func (e *EDNS0_PADDING) String() string        { return fmt.Sprintf("%0X", e.Padding) }
--- a/vendor/github.com/miekg/dns/format.go
+++ b/vendor/github.com/miekg/dns/format.go
@ -0,0 +1,87 @@
+package dns
+
+import (
+	"net"
+	"reflect"
+	"strconv"
+)
+
+// NumField returns the number of rdata fields r has.
+func NumField(r RR) int {
+	return reflect.ValueOf(r).Elem().NumField() - 1 // Remove RR_Header
+}
+
+// Field returns the rdata field i as a string. Fields are indexed starting from 1.
+// RR types that holds slice data, for instance the NSEC type bitmap will return a single
+// string where the types are concatenated using a space.
+// Accessing non existing fields will cause a panic.
+func Field(r RR, i int) string {
+	if i == 0 {
+		return ""
+	}
+	d := reflect.ValueOf(r).Elem().Field(i)
+	switch k := d.Kind(); k {
+	case reflect.String:
+		return d.String()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return strconv.FormatInt(d.Int(), 10)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return strconv.FormatUint(d.Uint(), 10)
+	case reflect.Slice:
+		switch reflect.ValueOf(r).Elem().Type().Field(i).Tag {
+		case `dns:"a"`:
+			// TODO(miek): Hmm store this as 16 bytes
+			if d.Len() < net.IPv6len {
+				return net.IPv4(byte(d.Index(0).Uint()),
+					byte(d.Index(1).Uint()),
+					byte(d.Index(2).Uint()),
+					byte(d.Index(3).Uint())).String()
+			}
+			return net.IPv4(byte(d.Index(12).Uint()),
+				byte(d.Index(13).Uint()),
+				byte(d.Index(14).Uint()),
+				byte(d.Index(15).Uint())).String()
+		case `dns:"aaaa"`:
+			return net.IP{
+				byte(d.Index(0).Uint()),
+				byte(d.Index(1).Uint()),
+				byte(d.Index(2).Uint()),
+				byte(d.Index(3).Uint()),
+				byte(d.Index(4).Uint()),
+				byte(d.Index(5).Uint()),
+				byte(d.Index(6).Uint()),
+				byte(d.Index(7).Uint()),
+				byte(d.Index(8).Uint()),
+				byte(d.Index(9).Uint()),
+				byte(d.Index(10).Uint()),
+				byte(d.Index(11).Uint()),
+				byte(d.Index(12).Uint()),
+				byte(d.Index(13).Uint()),
+				byte(d.Index(14).Uint()),
+				byte(d.Index(15).Uint()),
+			}.String()
+		case `dns:"nsec"`:
+			if d.Len() == 0 {
+				return ""
+			}
+			s := Type(d.Index(0).Uint()).String()
+			for i := 1; i < d.Len(); i++ {
+				s += " " + Type(d.Index(i).Uint()).String()
+			}
+			return s
+		default:
+			// if it does not have a tag its a string slice
+			fallthrough
+		case `dns:"txt"`:
+			if d.Len() == 0 {
+				return ""
+			}
+			s := d.Index(0).String()
+			for i := 1; i < d.Len(); i++ {
+				s += " " + d.Index(i).String()
+			}
+			return s
+		}
+	}
+	return ""
+}
--- a/Show More
+++ b/Show More