Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>

mux内网穿透切换smux到yamux
2018-06-06 15:06:56 +08:00 · 2018-06-06 14:44:04 +08:00 · 2018-05-31 16:26:40 +08:00 · 2018-05-31 11:39:50 +08:00 · 2018-05-31 11:39:29 +08:00 · 2018-05-24 11:22:35 +08:00
81 changed files with 7280 additions and 1544 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,10 @@
 proxy
+goproxy
 *.exe
 *.exe~
 .*
+*.prof
+!.gitignore
 release-*
 proxy.crt
 proxy.key
--- a/39
+++ b/39
@ -1,4 +1,43 @@
 proxy更新日志
+v4.9
+1.修复了HTTP Basic代理返回不合适的头部,导致浏览器不会弹框,个别代理插件无法认证的问题.
+2.内网穿透切换smux到yamux.
+3.优化了HTTP(S)\SOCKS5代理--always的处理逻辑.
+
+v4.8
+1.优化了SPS连接HTTP上级的指令,避免了某些代理不响应的问题.
+2.SPS功能增加了参数:
+  --disable-http:禁用http(s)代理
+  --disable-socks:禁用socks代理
+  默认都是false(开启).
+3.重构了部分代码的日志部分,保证了日志按着预期输出.
+4.修复了sps\http代理初始化服务的时机不正确,导致nil异常的bug.
+5.优化了sps日志输出.
+6.--debug参数增加了Profiling功能,可以保存cpu,内存等多种调试数据到文件.
+7.优化了服务注册,避免了不必要的内存开销.
+8.增加了Dockerfile和docker安装手册.
+9.优化了ioCopy避免了内存泄漏,大大提升了内存占用的稳定性.
+
+
+v4.7
+1.增加了基于gomobile的sdk,对android/ios/windows/linux/mac提供SDK支持.
+2.优化了bridge的日志,增加了client和server的掉线日志.
+3.优化了sps读取http(s)代理响应的缓冲大小,同时优化了CONNECT请求,
+ 避免了某些代理服务器返回过多数据导致不能正常通讯的问题.
+4.去除了鸡肋连接池功能.
+5.优化了所有服务代码,方便对sdk提供支持.
+6.增加了SDK手册.
+7.增加了GUI客户端(windows/web/android/ios)介绍主页.
+8.SPS\HTTP(s)\Socks代理增加了自定义加密传输,只需要通过参数-z和-Z设置一个密码即可.
+9.SPS\HTTP(s)\Socks代理增加了压缩传输,只需要通过参数-m和-M设置即可.
+10.手册增加了SPS\HTTP(s)\Socks自定义加密的使用示例.
+11.手册增加了SPS\HTTP(s)\Socks压缩传输的使用示例.
+12.优化了多链接版本的内网穿透,融合了多链接和smux的优点,即能够拥有大的吞吐量,
+ 同时又具备mux的心跳机制保证了链接的稳定性.
+13.手册增加了大量配图.
+14.优化了socks代理udp上级的设置逻辑,智能判断parent上级填充udp parent.
+15.优化了项目文件夹结构,使用源码可以直接go get.
+
 v4.6
 1.sps,http(s),socks5,内网穿透都做了大量的超时优化处理,更加稳定.
 2.sps增加了强大的树形级联认证支持,可以轻松构建你的认证代理网络.
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+FROM golang:1.8.5-alpine as builder
+ARG GOPROXY_VERSION=master
+RUN apk update && apk upgrade && \
+    apk add --no-cache git && cd /go/src/ && git clone https://github.com/snail007/goproxy && \
+	cd goproxy && git checkout ${GOPROXY_VERSION} && \
+    go get && CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o proxy
+FROM alpine:3.7
+COPY --from=builder /go/src/goproxy/proxy /
+CMD /proxy ${OPTS}
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -1,11 +1,27 @@
 {
-	"ImportPath": "snail007/proxy",
-	"GoVersion": "go1.9",
+	"ImportPath": "github.com/snail007/goproxy",
+	"GoVersion": "go1.8",
 	"GodepVersion": "v80",
 	"Packages": [
 		"./..."
 	],
 	"Deps": [
+		{
+			"ImportPath": "github.com/Yawning/chacha20",
+			"Rev": "e3b1f968fc6397b51d963fee8ec8711a47bc0ce8"
+		},
+		{
+			"ImportPath": "github.com/alecthomas/template",
+			"Rev": "a0175ee3bccc567396460bf5acd36800cb10c49c"
+		},
+		{
+			"ImportPath": "github.com/alecthomas/template/parse",
+			"Rev": "a0175ee3bccc567396460bf5acd36800cb10c49c"
+		},
+		{
+			"ImportPath": "github.com/alecthomas/units",
+			"Rev": "2efee857e7cfd4f3d0138cc3cbb1b4966962b93a"
+		},
 		{
 			"ImportPath": "github.com/golang/snappy",
 			"Rev": "553a641470496b2327abcac10b36396bd98e45c9"
@ -15,66 +31,15 @@
 			"Comment": "v1.0.4-1-g40b5202",
 			"Rev": "40b520211179dbf7eaafaa7fe1ffaa1b7d929ee0"
 		},
-		{
-			"ImportPath": "github.com/xtaci/kcp-go",
-			"Comment": "v3.19-6-g21da33a",
-			"Rev": "21da33a6696d67c1bffb3c954366499d613097a6"
-		},
-		{
-			"ImportPath": "github.com/xtaci/smux",
-			"Comment": "v1.0.6",
-			"Rev": "ebec7ef2574b42a7088cd7751176483e0a27d458"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/pbkdf2",
-			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/ssh",
-			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
-		},
-		{
-			"ImportPath": "golang.org/x/time/rate",
-			"Rev": "6dc17368e09b0e8634d71cac8168d853e869a0c7"
-		},
-		{
-			"ImportPath": "gopkg.in/alecthomas/kingpin.v2",
-			"Comment": "v2.2.5",
-			"Rev": "1087e65c9441605df944fb12c33f0fe7072d18ca"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/ed25519",
-			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
-		},
-		{
-			"ImportPath": "golang.org/x/net/ipv4",
-			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
-		},
-		{
-			"ImportPath": "golang.org/x/net/ipv6",
-			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/ed25519/internal/edwards25519",
-			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
-		},
-		{
-			"ImportPath": "golang.org/x/net/bpf",
-			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
-		},
-		{
-			"ImportPath": "golang.org/x/net/internal/iana",
-			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
-		},
-		{
-			"ImportPath": "golang.org/x/net/internal/socket",
-			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
-		},
 		{
 			"ImportPath": "github.com/pkg/errors",
 			"Comment": "v0.8.0-6-g602255c",
 			"Rev": "602255cdb6deaf1523ea53ac30eae5554ba7bee9"
 		},
+		{
+			"ImportPath": "github.com/templexxx/cpufeat",
+			"Rev": "3794dfbfb04749f896b521032f69383f24c3687e"
+		},
 		{
 			"ImportPath": "github.com/templexxx/reedsolomon",
 			"Comment": "0.1.1-4-g7092926",
@ -90,6 +55,16 @@
 			"Comment": "v1.0.1-3-g9d99fac",
 			"Rev": "9d99face20b0dd300b7db50b3f69758de41c096a"
 		},
+		{
+			"ImportPath": "github.com/xtaci/kcp-go",
+			"Comment": "v3.19-6-g21da33a",
+			"Rev": "21da33a6696d67c1bffb3c954366499d613097a6"
+		},
+		{
+			"ImportPath": "github.com/xtaci/smux",
+			"Comment": "v1.0.6",
+			"Rev": "ebec7ef2574b42a7088cd7751176483e0a27d458"
+		},
 		{
 			"ImportPath": "golang.org/x/crypto/blowfish",
 			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
@ -98,10 +73,34 @@
 			"ImportPath": "golang.org/x/crypto/cast5",
 			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
+		{
+			"ImportPath": "golang.org/x/crypto/curve25519",
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+		},
+		{
+			"ImportPath": "golang.org/x/crypto/ed25519",
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+		},
+		{
+			"ImportPath": "golang.org/x/crypto/ed25519/internal/edwards25519",
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+		},
+		{
+			"ImportPath": "golang.org/x/crypto/pbkdf2",
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+		},
 		{
 			"ImportPath": "golang.org/x/crypto/salsa20",
 			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
+		{
+			"ImportPath": "golang.org/x/crypto/salsa20/salsa",
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+		},
+		{
+			"ImportPath": "golang.org/x/crypto/ssh",
+			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+		},
 		{
 			"ImportPath": "golang.org/x/crypto/tea",
 			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
@ -115,28 +114,33 @@
 			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
 		},
 		{
-			"ImportPath": "github.com/templexxx/cpufeat",
-			"Rev": "3794dfbfb04749f896b521032f69383f24c3687e"
+			"ImportPath": "golang.org/x/net/bpf",
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
-			"ImportPath": "golang.org/x/crypto/salsa20/salsa",
-			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+			"ImportPath": "golang.org/x/net/internal/iana",
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
-			"ImportPath": "golang.org/x/crypto/curve25519",
-			"Rev": "0fcca4842a8d74bfddc2c96a073bd2a4d2a7a2e8"
+			"ImportPath": "golang.org/x/net/internal/socket",
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
-			"ImportPath": "github.com/alecthomas/template",
-			"Rev": "a0175ee3bccc567396460bf5acd36800cb10c49c"
+			"ImportPath": "golang.org/x/net/ipv4",
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
-			"ImportPath": "github.com/alecthomas/units",
-			"Rev": "2efee857e7cfd4f3d0138cc3cbb1b4966962b93a"
+			"ImportPath": "golang.org/x/net/ipv6",
+			"Rev": "5ccada7d0a7ba9aeb5d3aca8d3501b4c2a509fec"
 		},
 		{
-			"ImportPath": "github.com/alecthomas/template/parse",
-			"Rev": "a0175ee3bccc567396460bf5acd36800cb10c49c"
+			"ImportPath": "golang.org/x/time/rate",
+			"Rev": "6dc17368e09b0e8634d71cac8168d853e869a0c7"
+		},
+		{
+			"ImportPath": "gopkg.in/alecthomas/kingpin.v2",
+			"Comment": "v2.2.5",
+			"Rev": "1087e65c9441605df944fb12c33f0fe7072d18ca"
 		}
 	]
 }
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@ Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 prox
  
 [![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy/) [![license](https://img.shields.io/github/license/snail007/goproxy.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy/total.svg?style=plastic)](https://github.com/snail007/goproxy/releases) [![download](https://img.shields.io/github/release/snail007/goproxy.svg?style=plastic)](https://github.com/snail007/goproxy/releases)  
  
-[中文手册](/README_ZH.md)  
+[中文手册](/README_ZH.md)  **[全平台GUI版本](/gui/README.md)**  **[全平台SDK](/sdk/README.md)**   

 ### Features  
 - chain-style proxy: the program itself can be a primary proxy, and if a parent proxy is set, it can be used as a second level proxy or even a N level proxy.  
@ -23,6 +23,8 @@ Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 prox
 - Reverse proxy: goproxy supports directly parsing the domain to proxy monitor IP, and then proxy will help you to access the HTTP (S) site that you need to access.
 - Transparent proxy: with the iptables, goproxy can directly forward the 80 and 443 port's traffic to proxy in the gateway, and can realize the unaware intelligent router proxy.  
 - Protocol conversion: The existing HTTP (S) or SOCKS5 proxy can be converted to a proxy which support both HTTP (S) and SOCKS5 by one port, but the converted SOCKS5 proxy does not support the UDP function.Also support powerful cascading authentication.  
+- Custom underlying encrypted transmission, HTTP(s)\sps\socks proxy can encrypt TCP data through TLS standard encryption and KCP protocol encryption. In addition, it also supports custom encryption after TLS and KCP. That is to say, custom encryption and tls|kcp can be used together. The internal uses AES256 encryption, and it only needs to define one password by yourself when is used.   
+- Low level compression and efficient transmission，The HTTP(s)\sps\socks proxy can encrypt TCP data through a custom encryption and TLS standard encryption and KCP protocol encryption, and can also compress the data after encryption. That is to say, the compression and custom encryption and tls|kcp can be used together.
  
 ### Why need these?  
 - Because for some reason, we cannot access our services elsewhere. We can build a secure tunnel to access our services through multiple connected proxy nodes.  
@ -34,7 +36,10 @@ Proxy is a high performance HTTP, HTTPS, HTTPS, websocket, TCP, UDP, Socks5 prox
 - ...  

 
-This page is the v4.6 manual, and the other version of the manual can be checked by the following link.  
+This page is the v4.9 manual, and the other version of the manual can be checked by the following link.  
+- [v4.8 manual](https://github.com/snail007/goproxy/tree/v4.8)
+- [v4.7 manual](https://github.com/snail007/goproxy/tree/v4.7)
+- [v4.6 manual](https://github.com/snail007/goproxy/tree/v4.6)
 - [v4.5 manual](https://github.com/snail007/goproxy/tree/v4.5)
 - [v4.4 manual](https://github.com/snail007/goproxy/tree/v4.4)
 - [v4.3 manual](https://github.com/snail007/goproxy/tree/v4.3)
@ -59,6 +64,7 @@ This page is the v4.6 manual, and the other version of the manual can be checked
 ### Installation
 - [Quick installation](#quick-installation)
 - [Manual installation](#manual-installation)
+- [Docker installation](#docker-installation)

 ### First use must read
 - [Environmental Science](#environmental-science)
@ -85,7 +91,9 @@ This page is the v4.6 manual, and the other version of the manual can be checked
    - [1.9 HTTP(S) reverse proxy](#19http-reverse-proxy)
    - [1.10 HTTP(S) transparent proxy](#110http-transparent-proxy)
    - [1.11 Custom DNS](#111custom-dns)
-    - [1.12 View help](#112view-help)
+    - [1.12 Custom encryption](#112-custom-encryption)
+    - [1.13 Compressed transmission](#113-compressed-transmission)
+    - [1.14 View help](#114view-help)
 - [2.TCP proxy](#2tcp-proxy)
    - [2.1 Common TCP first level proxy](#21common-tcp-first-level-proxy)
    - [2.2 Common TCP second level proxy](#22common-tcp-second-level-proxy)
@ -121,7 +129,9 @@ This page is the v4.6 manual, and the other version of the manual can be checked
    - [5.7 Authentication](#57authentication)
    - [5.8 KCP protocol transmission](#58kcp-protocol-transmission)
    - [5.9 Custom DNS](#59custom-dns)
-    - [5.10 View help](#510view-help)
+    - [5.10 Custom encryption](#510custom-encryption)
+    - [5.11 Compressed transmission](#511compressed-transmission)
+    - [5.12 View help](#512view-help)
 - [6.Proxy protocol conversion](#6proxy-protocol-conversion)
    - [6.1 Functional introduction](#61functional-introduction)
    - [6.2 HTTP(S) to HTTP(S) + SOCKS5](#62http-to-http-socks5)
@ -129,7 +139,9 @@ This page is the v4.6 manual, and the other version of the manual can be checked
    - [6.4 Chain style connection](#64chain-style-connection)
    - [6.5 Listening on multiple ports](#65listening-on-multiple-ports)
    - [6.6 Authentication](#66authentication)
-    - [6.7 View Help](#67view-help)
+    - [6.7 Custom encryption](#67-custom-encryption)
+    - [6.8 Compressed transmission](#68-compressed-transmission)
+    - [6.9 View Help](#69view-help)
 - [7.KCP Configuration](#7kcp-configuration)
    - [7.1 Configuration introduction](#71configuration-introduction)
    - [7.2 Configuration details](#72configuration-details)
@ -151,7 +163,7 @@ If the installation fails or your VPS is not a linux64 system, please follow the
 Download address: https://github.com/snail007/goproxy/releases  
 ```shell  
 cd /root/proxy/  
-wget https://github.com/snail007/goproxy/releases/download/v4.6/proxy-linux-amd64.tar.gz  
+wget https://github.com/snail007/goproxy/releases/download/v4.9/proxy-linux-amd64.tar.gz  
 ```  
 #### **2.Download the automatic installation script**  
 ```shell  
@ -161,6 +173,36 @@ chmod +x install.sh
 ./install.sh  
 ```  

+#### Docker installation 
+
+Dockerfile root of project uses multistage build and alpine project to comply with best practices. Uses golang 1.8.5 for building as noted in the project README.md and will be pretty small image. total extracted size will be 17.3MB for goproxy version 4.7.
+
+The default build process builds the master branch (latest commits/ cutting edge), and it can be configured to build specific version, just edit Dockerfile before build, following builds release version 4.7:
+
+```
+ARG GOPROXY_VERSION=v4.7
+```
+
+To Run:
+1. Clone the repository and cd into it.
+```
+sudo docker build .
+```
+2. Tag the image:
+```
+sudo docker tag <id from previous step>  goproxy/goproxy:latest
+```
+3. Run! 
+Just put your arguments to proxy binary in the OPTS environmental variable (this is just a sample http proxy):
+```
+sudo docker run -d --restart=always --name goproxy -e OPTS="http -p :33080" -p 33080:33080 goproxy/goproxy:latest
+```
+4. View logs:
+```
+sudo docker logs -f goproxy
+```
+
+  
 ## **First use must be read**  
  
 ### **Environmental Science**  
@ -210,10 +252,11 @@ Assuming that your VPS outer external network IP is 23.23.23.23, the following c

 ### **1.HTTP proxy**  
 #### **1.1.common HTTP proxy**  
-![1.1](/docs/images/1.1.jpg)
+![1.1](/docs/images/http-1.png)  
 `./proxy http -t tcp -p "0.0.0.0:38080"`  
  
 #### **1.2.Common HTTP second level proxy**  
+![1.2](/docs/images/http-2.png)  
 Using local port 8090, assume the parent HTTP proxy is: `22.22.22.22:8080`  
 `./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
 The connection pool is closed by default. If you want to speed up access speed, -L can open the connection pool, the 10 is the size of the connection pool, and the 0 is closed.  
@ -223,6 +266,7 @@ We can also specify the black and white list files of the domain name, one line
 `./proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **1.3.HTTP second level encrypted proxy**  
+![1.3](/docs/images/http-tls-2.png)  
 HTTP first level proxy(VPS,IP:22.22.22.22)    
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -235,6 +279,7 @@ HTTP second level proxy(local windows)
 In your windos system, the mode of the program that needs to surf the Internet by proxy is setted up as HTTP mode, the address is 127.0.0.1, the port is: 8080, the program can go through the encrypted channel through VPS to surf on the internet.  
  
 #### **1.4.HTTP third level encrypted proxy**  
+![1.4](/docs/images/http-tls-3.png)  
 HTTP first level proxy VPS_01,IP:22.22.22.22    
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 HTTP second level proxy VPS_02,IP:33.33.33.33   
@ -271,6 +316,7 @@ Through --always, all HTTP proxy traffic can be coercion to the parent HTTP prox
 `./proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **1.7.Transfer through SSH**  
+![1.7](/docs/images/http-ssh-1.png)  
 Explanation: the principle of SSH transfer is to take advantage of SSH's forwarding function, which is, after you connect to SSH, you can access to the target address through the SSH proxy.  
 Suppose there is a vps  
 - IP is 2.2.2.2, ssh port is 22, ssh username is user, ssh password is demo  
@ -284,6 +330,7 @@ Local HTTP (S) proxy use 28080 port,excute:
 `./proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`  

 #### **1.8.KCP protocol transmission**  
+![1.8](/docs/images/http-kcp.png)  
 The KCP protocol requires a --kcp-key parameter to set a password which can encrypt and decrypt data.   

 Http first level proxy(VPS,IP:22.22.22.22)  
@ -293,6 +340,7 @@ Http second level proxy(os is Linux)
 `./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`  
 Then access to the local 8080 port is access to the proxy's port 38080 on the VPS, and the data is transmitted through the KCP protocol.  
 #### **1.9.HTTP reverse proxy** 
+![1.9](/docs/images/fxdl.png)  
 Proxy supports not only set up a proxy through in other software, to provide services for other software, but support the request directly to the website domain to proxy monitor IP when proxy monitors 80 and 443 ports, then proxy will automatically access to the HTTP proxy access website for you.  

 How to use:  
@ -358,19 +406,61 @@ they also can specify dns result cache time (--dns-ttl) which unit is second. th
 for example:  
 `./proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  

-#### **1.12.view help**  
+#### **1.12 Custom encryption**  
+HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.    
+Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -z demo_password -p :7777`  
+Local second level execution:  
+`proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -z demo_password -p :7777`  
+Second level VPS (ip:2.2.2.2) execution:  
+`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`    
+Local third level execution:  
+`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+#### **1.13 Compressed transmission**  
+HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.  
+That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.     
+The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -m -p :7777`  
+Local second level execution:  
+`proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy http -t tcp -m -p :7777`  
+Second level VPS (ip:3.3.3.3) execution:  
+`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+Local third level execution:  
+`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+#### **1.14.view help**  
 `./proxy help http`  
  
 ### **2.TCP proxy**  
  
 #### **2.1.Common TCP first level proxy**  
-![2.1](/docs/images/2.1.png)
+![2.1](/docs/images/tcp-1.png)  
 Local execution:  
 `./proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" -L 0`  
 Then access to the local 33080 port is the 22 port of access to 192.168.22.33.  
  
 #### **2.2.Common TCP second level proxy**  
-![2.2](/docs/images/2.2.png)
+![2.2](/docs/images/tcp-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0`  
 local execution:  
@ -378,6 +468,7 @@ local execution:
 Then access to the local 23080 port is the 8080 port of access to 22.22.22.33.  
  
 #### **2.3.Common TCP third level proxy**  
+![2.3](/docs/images/tcp-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080" -L 0`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -387,6 +478,7 @@ TCP third level proxy (local)
 Then access to the local 8080 port is to access the 8080 port of the 66.66.66.66 by encrypting the TCP tunnel.  
  
 #### **2.4.TCP second level encrypted proxy**  
+![2.4](/docs/images/tcp-tls-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp --tls -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0 -C proxy.crt -K proxy.key`  
 local execution:  
@ -394,6 +486,7 @@ local execution:
 Then access to the local 23080 port is to access the 8080 port of the 22.22.22.33 by encrypting the TCP tunnel.  
  
 #### **2.5.TCP third level encrypted proxy**  
+![2.5](/docs/images/tcp-tls-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp --tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -408,11 +501,13 @@ Then access to the local 8080 port is to access the 8080 port of the 66.66.66.66
 ### **3.UDP proxy**  
  
 #### **3.1.Common UDP first level proxy**  
+![3.1](/docs/images/udp-1.png)  
 local execution:  
 `./proxy udp -p ":5353" -T udp -P "8.8.8.8:53"`  
 Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8.8.  
  
 #### **3.2.Common UDP second level proxy**  
+![3.2](/docs/images/udp-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"`  
 local execution:  
@ -420,6 +515,7 @@ local execution:
 Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8.8 through the TCP tunnel.  
  
 #### **3.3.Common UDP third level proxy**  
+![3.3](/docs/images/udp-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -429,6 +525,7 @@ TCP third level proxy (local)
 Then access to the local 5353 port is access to the 53 port of the 8.8.8.8 through the TCP tunnel.  
  
 #### **3.4.UDP second level encrypted proxy**  
+![3.4](/docs/images/udp-tls-2.png)  
 VPS(IP:22.22.22.33) execute:  
 `./proxy tcp --tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 local execution:  
@ -436,6 +533,7 @@ local execution:
 Then access to the local UDP:5353 port is access to the UDP:53 port of the 8.8.8.8 by the encrypting TCP tunnel. 
  
 #### **3.5.UDP third level encrypted proxy**  
+![3.5](/docs/images/udp-tls-3.png)  
 TCP first level proxy VPS_01,IP:22.22.22.22  
 `./proxy tcp --tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 TCP second level proxy VPS_02,IP:33.33.33.33  
@ -592,6 +690,7 @@ Tips: SOCKS5 proxy, support CONNECT, UDP protocol and don't support BIND and sup
 `./proxy socks -t tcp -p "0.0.0.0:38080"`  
   
 #### **5.2.Common SOCKS5 second level proxy**  
+![5.2](/docs/images/socks-2.png)  
 ![5.2](/docs/images/5.2.png)
 Using local port 8090, assume that the parent SOCKS5 proxy is `22.22.22.22:8080`  
 `./proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
@ -599,6 +698,7 @@ We can also specify the black and white list files of the domain name, one line
 `./proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **5.3.SOCKS second level encrypted proxy**  
+![5.3](/docs/images/socks-tls-2.png)  
 SOCKS5 first level proxy(VPS,IP:22.22.22.22)  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -611,6 +711,7 @@ SOCKS5 second level proxy(local windows)
 Then set up your windows system, the proxy that needs to surf the Internet by proxy is Socks5 mode, the address is: 127.0.0.1, the port is: 8080. the program can surf the Internet through the encrypted channel which is running on VPS.  
  
 #### **5.4.SOCKS third level encrypted proxy**  
+![5.4](/docs/images/socks-tls-3.png)  
 SOCKS5 first level proxy VPS_01,IP:22.22.22.22  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 SOCKS5 second level proxy VPS_02,IP:33.33.33.33  
@ -624,6 +725,7 @@ By default, proxy will intelligently judge whether a domain name can be accessed
 `./proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **5.6.Transfer through SSH**  
+![5.6](/docs/images/socks-ssh.png)  
 Explanation: the principle of SSH transfer is to take advantage of SSH's forwarding function, which is, after you connect to SSH, you can access the target address by the SSH.  
 Suppose there is a vps  
 - IP is 2.2.2.2, SSH port is 22, SSH username is user, SSH password is Demo
@ -646,7 +748,7 @@ You can also be placed in a file, which is a line, a ‘username: password’, a
 `./proxy socks -t tcp -p ":33080" -F auth-file.txt`  

 In addition, socks5 proxy also integrates external HTTP API authentication, we can specify a http url interface address through the --auth-url parameter,  
-Then when the user is connected, the proxy request this url by get way, with the following four parameters, if the return HTTP status code 204, on behalf of the authentication is successful.  
+Then when the user is connected, the proxy request this url by get way, with the following three parameters, if the return HTTP status code 204, on behalf of the authentication is successful.  
 In other cases, the authentication fails.  
 for example:  
 `./proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`  
@ -675,8 +777,49 @@ they also can specify dns result cache time (--dns-ttl) which unit is second. th
 for example:  
 `./proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  

+#### **5.10.Custom encryption**  
+HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.
+Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:  

-#### **5.10.view help**  
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+Local second level execution:  
+`proxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+Second level VPS (ip:2.2.2.2) execution:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+Local third level execution:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+#### **5.11.Compressed transmission**  
+HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.
+That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.
+The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -m -p :7777`  
+Local second level execution:  
+`proxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy socks -t tcp -m -p :7777`  
+Second level VPS (ip:3.3.3.3) execution:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+Local third level execution:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+#### **5.12.view help**  
 `./proxy help socks`  

 ### **6.Proxy protocol conversion** 
@ -711,6 +854,7 @@ command：
 `./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123`  

 #### **6.4.Chain style connection** 
+![6.4](/docs/images/sps-tls.png)  
 It is mentioned above that multiple SPS nodes can be connected to build encrypted channels, assuming you have the following VPS and a PC.  
 vps01：2.2.2.2  
 vps02：3.3.3.3  
@ -775,7 +919,49 @@ target: if the client is the HTTP (s) proxy request, this represents the complet
 If there is no -a or -F or --auth-url parameters, local authentication is closed.  
 If there is no -A parameter, the connection to the father proxy does not use authentication.  

-#### **6.7.view help** 
+#### **6.7 Custom encryption**  
+HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.
+Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:  
+Suppose there is already a HTTP (s) proxy:`6.6.6.6:6666`  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+Local second level execution:  
+`proxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+Second level VPS (ip:2.2.2.2) execution:  
+`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+Local third level execution:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by encryption transmission with the parents proxy.  
+
+#### **6.8 Compressed transmission**  
+HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.
+That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.
+The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:  
+
+**two level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -t tcp -m -p :7777`  
+Local second level execution:  
+`proxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.  
+
+**three level example**  
+First level VPS (ip:2.2.2.2) execution:  
+`proxy sps -t tcp -m -p :7777`  
+Second level VPS (ip:3.3.3.3) execution::  
+`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+Local third level execution:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+through this way, When you visits the website by local proxy 8080, it visits the target website by compressed transmission with the parents proxy.
+
+#### **6.9.view help** 
 `./proxy help sps` 

 ### **7.KCP Configuration**   
@ -810,14 +996,21 @@ If you want to get a more detailed configuration and explanation of the KCP para
 ```

 ### TODO  
+- HTTP, socks proxy which has multi parents proxy load balancing?
+- HTTP (s) proxy support PAC?
 - Welcome joining group feedback...   

+### How to contribute to the code (Pull Request)?  
+First, you need to clone the project to your account, and then modify the code on the dev branch.   
+Finally, Pull Request to dev branch of goproxy project, and contribute code for efficiency.   
+PR needs to explain what changes have been made and why you change them.  
+
 ### How to use the source code?    
-use command cd to enter your go SRC directory and then  
-mkdir snail007  
-cd snail007   
-execute `git clone https://github.com/snail007/goproxy.git ./proxy`     
-Direct compilation: `go build`    
+Recommend go1.8.5, which does not guarantee that version >=1.9 can be used.   
+`go get github.com/snail007/goproxy`   
+use command cd to enter your go SRC directory   
+then cd to enter `github.com/snail007/goproxy`.    
+Direct compilation:`go build -o proxy`        
 execution: `go run *.go`       
 `utils` is a toolkit, and `service` is a specific service class.  

--- a/README_ZH.md
+++ b/README_ZH.md
@ -7,7 +7,7 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
  
 [![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy/) [![license](https://img.shields.io/github/license/snail007/goproxy.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy/total.svg?style=plastic)](https://github.com/snail007/goproxy/releases) [![download](https://img.shields.io/github/release/snail007/goproxy.svg?style=plastic)](https://github.com/snail007/goproxy/releases)  
  
-[English Manual](/README.md) 
+**[English Manual](/README.md)** **[全平台GUI版本](/gui/README.md)**  **[全平台SDK](/sdk/README.md)**

 ### Features  
 - 链式代理,程序本身可以作为一级代理,如果设置了上级代理那么可以作为二级代理,乃至N级代理.  
@ -24,6 +24,8 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
 - 反向代理,支持直接把域名解析到proxy监听的ip,然后proxy就会帮你代理访问需要访问的HTTP(S)网站.
 - 透明HTTP(S)代理,配合iptables,在网关直接把出去的80,443方向的流量转发到proxy,就能实现无感知的智能路由器代理.  
 - 协议转换，可以把已经存在的HTTP(S)或SOCKS5代理转换为一个端口同时支持HTTP(S)和SOCKS5代理，转换后的SOCKS5代理不支持UDP功能,同时支持强大的级联认证功能。
+- 自定义底层加密传输，http(s)\sps\socks代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可。
+- 底层压缩高效传输，http(s)\sps\socks代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在加密之后还可以对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的。

 ### Why need these?  
 - 当由于某某原因,我们不能访问我们在其它地方的服务,我们可以通过多个相连的proxy节点建立起一个安全的隧道访问我们的服务.  
@ -35,7 +37,10 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
 - ...  

 
-本页是v4.6手册,其他版本手册请点击下面链接查看. 
+本页是v4.9手册,其他版本手册请点击下面链接查看. 
+- [v4.8手册](https://github.com/snail007/goproxy/tree/v4.8) 
+- [v4.7手册](https://github.com/snail007/goproxy/tree/v4.7) 
+- [v4.6手册](https://github.com/snail007/goproxy/tree/v4.6) 
 - [v4.5手册](https://github.com/snail007/goproxy/tree/v4.5) 
 - [v4.4手册](https://github.com/snail007/goproxy/tree/v4.4) 
 - [v4.3手册](https://github.com/snail007/goproxy/tree/v4.3) 
@ -58,6 +63,7 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
 ### 安装 
 1. [快速安装](#自动安装)
 1. [手动安装](#手动安装)
+1. [Docker安装](#docker安装)

 ### 首次使用必看
 - [环境](#首次使用必看-1)
@ -84,7 +90,9 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
    - [1.9 HTTP(S)反向代理](#19-https反向代理)
    - [1.10 HTTP(S)透明代理](#110-https透明代理)
    - [1.11 自定义DNS](#111-自定义dns)
-    - [1.12 查看帮助](#112-查看帮助)
+    - [1.12 自定义加密](#112-自定义加密)
+    - [1.13 压缩传输](#113-压缩传输)
+    - [1.14 查看帮助](#114-查看帮助)
 - [2. TCP代理](#2tcp代理)
    - [2.1 普通一级TCP代理](#21普通一级tcp代理)
    - [2.2 普通二级TCP代理](#22普通二级tcp代理)
@ -120,7 +128,9 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
    - [5.7 认证](#57认证)
    - [5.8 KCP协议传输](#58kcp协议传输)
    - [5.9 自定义DNS](#59自定义dns)
-    - [5.10 查看帮助](#510查看帮助)
+    - [5.10 自定义加密](#510-自定义加密)
+    - [5.11 压缩传输](#511-压缩传输)
+    - [5.12 查看帮助](#512查看帮助)
 - [6. 代理协议转换](#6代理协议转换)
    - [6.1 功能介绍](#61-功能介绍)
    - [6.2 HTTP(S)转HTTP(S)+SOCKS5](#62-https转httpssocks5)
@ -128,7 +138,10 @@ Proxy是golang实现的高性能http,https,websocket,tcp,udp,socks5代理服务
    - [6.4 链式连接](#64-链式连接)
    - [6.5 监听多个端口](#65-监听多个端口)
    - [6.6 认证功能](#66-认证功能)
-    - [6.7 查看帮助](#67-查看帮助)
+    - [6.7 自定义加密](#67-自定义加密)
+    - [6.8 压缩传输](#68-压缩传输)
+    - [6.9 禁用协议](#69-禁用协议)
+    - [6.10 查看帮助](#610-查看帮助)
 - [7. KCP配置](#7kcp配置)
    - [7.1 配置介绍](#71-配置介绍)
    - [7.2 详细配置](#72-详细配置)
@ -149,7 +162,7 @@ curl -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto.s
 下载地址:https://github.com/snail007/goproxy/releases  
 ```shell  
 cd /root/proxy/  
-wget https://github.com/snail007/goproxy/releases/download/v4.6/proxy-linux-amd64.tar.gz  
+wget https://github.com/snail007/goproxy/releases/download/v4.9/proxy-linux-amd64.tar.gz  
 ```  
 #### **2.下载自动安装脚本**  
 ```shell  
@ -159,6 +172,35 @@ chmod +x install.sh
 ./install.sh  
 ```  

+#### Docker安装 
+项目根目录的Dockerfile文件用来构建,使用golang 1.8.5,构建基于goproxy v4.7,
+全部大小17.3MB,默认情况下使用master分支,不过可以通过修改配置文件Dockerfile,指定构建的goproxy版本.
+
+```
+ARG GOPROXY_VERSION=v4.7
+```
+
+步骤:  
+1. 克隆仓库,然后cd进入仓库文件夹,执行:
+```
+sudo docker build .
+```
+2. 镜像打标签:
+```
+sudo docker tag <上一步的结果ID> goproxy/goproxy:latest
+```
+3. 运行 
+参数OPTS的值就是传递给proxy的所有参数
+比如下面的例子启动了一个http服务: 
+
+```
+sudo docker run -d --restart=always --name goproxy -e OPTS="http -p :33080" -p 33080:33080 goproxy/goproxy:latest
+```
+4. 查看日志:
+```
+sudo docker logs -f goproxy
+```
+
 ## **首次使用必看**  
  
 ### **环境**  
@ -211,20 +253,21 @@ proxy会fork子进程,然后监控子进程,如果子进程异常退出,5秒后
 `./proxy http -g "23.23.23.23"`  

 ### **1.HTTP代理**  
-#### **1.1.普通HTTP代理**  
-![1.1](/docs/images/1.1.jpg)  
+#### **1.1.普通一级HTTP代理**  
+![1.1](/docs/images/http-1.png)  
 `./proxy http -t tcp -p "0.0.0.0:38080"`  
  
 #### **1.2.普通二级HTTP代理**  
+![1.2](/docs/images/http-2.png)  
 使用本地端口8090,假设上级HTTP代理是`22.22.22.22:8080`  
 `./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
-默认关闭了连接池,如果要加快访问速度,-L可以开启连接池,10就是连接池大小,0为关闭,  
-开启连接池在网络不好的情况下,稳定不是很好.   
-`./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -L 10`  
-我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名域名直接走上级代理,白名单的域名不走上级代理.  
+我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名直接走上级代理,白名单的域名不走上级代理.  
 `./proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **1.3.HTTP二级代理(加密)**  
+> 注意: 后面二级代理使用的`proxy.crt`和`proxy.key`应与一级代理一致  
+
+![1.3](/docs/images/http-tls-2.png)  
 一级HTTP代理(VPS,IP:22.22.22.22)  
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -237,6 +280,7 @@ proxy会fork子进程,然后监控子进程,如果子进程异常退出,5秒后
 然后设置你的windos系统中，需要通过代理上网的程序的代理为http模式，地址为：127.0.0.1，端口为：8080,程序即可通过加密通道通过vps上网。  
  
 #### **1.4.HTTP三级代理(加密)**  
+![1.3](/docs/images/http-tls-3.png)  
 一级HTTP代理VPS_01,IP:22.22.22.22  
 `./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 二级HTTP代理VPS_02,IP:33.33.33.33  
@ -272,6 +316,7 @@ target:用户访问的URL,比如:http://demo.com:80/1.html或https://www.baidu.c
 `./proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **1.7.HTTP(S)通过SSH中转**  
+![1.7](/docs/images/http-ssh-1.png)  
 说明:ssh中转的原理是利用了ssh的转发功能,就是你连接上ssh之后,可以通过ssh代理访问目标地址.  
 假设有:vps  
 - IP是2.2.2.2, ssh端口是22, ssh用户名是:user, ssh用户密码是:demo  
@ -285,6 +330,7 @@ target:用户访问的URL,比如:http://demo.com:80/1.html或https://www.baidu.c
 `./proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`  

 #### **1.8.KCP协议传输**  
+![1.8](/docs/images/http-kcp.png)  
 KCP协议需要--kcp-key参数设置一个密码用于加密解密数据  

 一级HTTP代理(VPS,IP:22.22.22.22)  
@ -292,9 +338,10 @@ KCP协议需要--kcp-key参数设置一个密码用于加密解密数据
  
 二级HTTP代理(本地Linux)  
 `./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`  
-那么访问本地的8080端口就是访问VPS上面的代理端口38080,数据通过kcp协议传输.  
+那么访问本地的8080端口就是访问VPS上面的代理端口38080,数据通过kcp协议传输,注意kcp走的是udp协议协议,所以防火墙需放开38080的udp协议.   

 #### **1.9 HTTP(S)反向代理**   
+![1.9](/docs/images/fxdl.png)  
 proxy不仅支持在其他软件里面通过设置代理的方式,为其他软件提供代理服务,而且支持直接把请求的网站域名解析到proxy监听的ip上,然后proxy监听80和443端口,那么proxy就会自动为你代理访问需要访问的HTTP(S)网站.  

 使用方式:  
@ -307,7 +354,7 @@ proxy不仅支持在其他软件里面通过设置代理的方式,为其他软
 `./proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key`   

 注意:  
-proxy所在的服务器的DNS解析结果不能受到自定义的解析影响,不然就死循环了.  
+proxy所在的服务器的DNS解析结果不能受到自定义的解析影响,不然就死循环了,proxy代理最好指定`--dns 8.8.8.8`参数.  
  
 #### **1.10 HTTP(S)透明代理** 
 该模式需要具有一定的网络基础,相关概念不懂的请自行搜索解决.  
@ -360,19 +407,65 @@ iptables -t nat -A OUTPUT -p tcp -j PROXY
 比如：  
 `./proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  

-#### **1.12 查看帮助**  
+#### **1.12 自定义加密**  
+proxy的http(s)代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义  
+加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可,  
+加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密.    
+自定义加密要求两端都是proxy才可以,下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -z demo_password -p :7777`  
+本地二级执行:  
+`proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -z demo_password -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+本地三级执行:  
+`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+#### **1.13 压缩传输**  
+proxy的http(s)代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以对数据进行压缩,  
+也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,一部分是本地(-m)是否压缩传输,  
+一部分是与上级(-M)传输是否压缩.    
+压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据,下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -m -p :7777`  
+本地二级执行:  
+`proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy http -t tcp -m -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+本地三级执行:  
+`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+#### **1.14 查看帮助**  
 `./proxy help http`  
  
 ### **2.TCP代理**  
  
 #### **2.1.普通一级TCP代理**  
-![2.1](/docs/images/2.1.png)  
+![2.1](/docs/images/tcp-1.png)  
 本地执行:  
 `./proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22"`  
 那么访问本地33080端口就是访问192.168.22.33的22端口.  
  
 #### **2.2.普通二级TCP代理**  
-![2.2](/docs/images/2.2.png)  
+![2.2](/docs/images/tcp-2.png)  
 VPS(IP:22.22.22.33)执行:  
 `./proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080"`  
 本地执行:  
@ -380,6 +473,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地23080端口就是访问22.22.22.33的8080端口.  
  
 #### **2.3.普通三级TCP代理**  
+![2.3](/docs/images/tcp-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080"`  
 二级TCP代理VPS_02,IP:33.33.33.33  
@ -389,6 +483,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地8080端口就是通过加密TCP隧道访问66.66.66.66的8080端口.  
  
 #### **2.4.加密二级TCP代理**  
+![2.4](/docs/images/tcp-tls-2.png)  
 VPS(IP:22.22.22.33)执行:  
 `./proxy tcp -t tls -p ":33080" -T tcp -P "127.0.0.1:8080" -C proxy.crt -K proxy.key`  
 本地执行:  
@ -396,6 +491,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地23080端口就是通过加密TCP隧道访问22.22.22.33的8080端口.  
  
 #### **2.5.加密三级TCP代理**  
+![2.5](/docs/images/tcp-tls-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
 `./proxy tcp -t tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`  
 二级TCP代理VPS_02,IP:33.33.33.33  
@ -410,11 +506,13 @@ VPS(IP:22.22.22.33)执行:
 ### **3.UDP代理**  
  
 #### **3.1.普通一级UDP代理**  
+![3.1](/docs/images/udp-1.png)  
 本地执行:  
 `./proxy udp -p ":5353" -T udp -P "8.8.8.8:53"`  
 那么访问本地UDP:5353端口就是访问8.8.8.8的UDP:53端口.  
  
 #### **3.2.普通二级UDP代理**  
+![3.2](/docs/images/udp-2.png)  
 VPS(IP:22.22.22.33)执行:  
 `./proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"`  
 本地执行:  
@ -422,6 +520,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地UDP:5353端口就是通过TCP隧道,通过VPS访问8.8.8.8的UDP:53端口.  
  
 #### **3.3.普通三级UDP代理**  
+![3.3](/docs/images/udp-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
 `./proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"`  
 二级TCP代理VPS_02,IP:33.33.33.33  
@ -431,6 +530,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地5353端口就是通过TCP隧道,通过VPS访问8.8.8.8的53端口.  
  
 #### **3.4.加密二级UDP代理**  
+![3.4](/docs/images/udp-tls-2.png)  
 VPS(IP:22.22.22.33)执行:  
 `./proxy tcp -t tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 本地执行:  
@ -438,6 +538,7 @@ VPS(IP:22.22.22.33)执行:
 那么访问本地UDP:5353端口就是通过加密TCP隧道,通过VPS访问8.8.8.8的UDP:53端口.  
  
 #### **3.5.加密三级UDP代理**  
+![3.5](/docs/images/udp-tls-3.png)  
 一级TCP代理VPS_01,IP:22.22.22.22  
 `./proxy tcp -t tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`  
 二级TCP代理VPS_02,IP:33.33.33.33  
@ -597,13 +698,14 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 `./proxy socks -t tcp -p "0.0.0.0:38080"`  
  
 #### **5.2.普通二级SOCKS5代理**  
-![5.2](/docs/images/5.2.png)  
+![5.2](/docs/images/socks-2.png)  
 使用本地端口8090,假设上级SOCKS5代理是`22.22.22.22:8080`  
 `./proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `  
 我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名域名直接走上级代理,白名单的域名不走上级代理;如果域名即在黑名单又在白名单中,那么黑名单起作用.  
 `./proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"  -b blocked.txt -d direct.txt`  
  
 #### **5.3.SOCKS二级代理(加密)**  
+![5.3](/docs/images/socks-tls-2.png)  
 一级SOCKS代理(VPS,IP:22.22.22.22)  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
  
@ -616,6 +718,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 然后设置你的windos系统中，需要通过代理上网的程序的代理为socks5模式，地址为：127.0.0.1，端口为：8080,程序即可通过加密通道通过vps上网。  
  
 #### **5.4.SOCKS三级代理(加密)**  
+![5.4](/docs/images/socks-tls-3.png)  
 一级SOCKS代理VPS_01,IP:22.22.22.22  
 `./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`  
 二级SOCKS代理VPS_02,IP:33.33.33.33  
@ -629,6 +732,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 `./proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`  
  
 #### **5.6.SOCKS通过SSH中转**  
+![5.6](/docs/images/socks-ssh.png)  
 说明:ssh中转的原理是利用了ssh的转发功能,就是你连接上ssh之后,可以通过ssh代理访问目标地址.  
 假设有:vps  
 - IP是2.2.2.2, ssh端口是22, ssh用户名是:user, ssh用户密码是:demo
@ -651,7 +755,7 @@ server连接到bridge的时候,如果同时有多个client连接到同一个brid
 `./proxy socks -t tcp -p ":33080" -F auth-file.txt`  

 另外,socks5代理还集成了外部HTTP API认证,我们可以通过--auth-url参数指定一个http url接口地址,  
-然后有用户连接的时候,proxy会GET方式请求这url,带上下面四个参数,如果返回HTTP状态码204,代表认证成功  
+然后有用户连接的时候,proxy会GET方式请求这url,带上下面三个参数,如果返回HTTP状态码204,代表认证成功  
 其它情况认为认证失败.  
 比如:  
 `./proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`  
@ -680,7 +784,58 @@ KCP协议需要--kcp-key参数设置一个密码用于加密解密数据
 比如：  
 `./proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`  

-#### **5.10.查看帮助**  
+#### **5.10 自定义加密**  
+proxy的socks代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可,  
+加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密.    
+
+自定义加密要求两端都是proxy才可以.  
+
+下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+本地二级执行:  
+`proxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -z demo_password -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+本地三级执行:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+#### **5.11 压缩传输**  
+proxy的socks代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以  
+对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,   
+一部分是本地(-m)是否压缩传输,一部分是与上级(-M)传输是否压缩.    
+
+压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据.  
+
+下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -m -p :7777`  
+本地二级执行:  
+`proxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy socks -t tcp -m -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+本地三级执行:  
+`proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+#### **5.12.查看帮助**  
 `./proxy help socks`  

 ### **6.代理协议转换** 
@ -715,6 +870,7 @@ KCP协议需要--kcp-key参数设置一个密码用于加密解密数据
 `./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123`  

 #### **6.4 链式连接**   
+![6.4](/docs/images/sps-tls.png)  
 上面提过多个sps结点可以层级连接构建加密通道，假设有如下vps和家里的pc电脑。  
 vps01：2.2.2.2  
 vps02：3.3.3.3  
@ -779,7 +935,72 @@ target:如果客户端是http(s)代理请求,这里代表的是请求的完整ur
 如果没有-a或-F或--auth-url参数,就是关闭本地认证.  
 如果没有-A参数,连接上级不使用认证.  

-#### **6.7 查看帮助** 
+
+#### **6.7 自定义加密**  
+proxy的sps代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行  
+自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义  
+一个密码即可,加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密.      
+
+自定义加密要求两端都是proxy才可以.  
+
+下面分别用二级,三级为例:  
+
+假设已经存在一个http(s)代理:`6.6.6.6:6666`  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+本地二级执行:  
+`proxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888` 
+本地三级执行:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站.  
+
+#### **6.8 压缩传输**  
+proxy的sps代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以  
+对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,   
+一部分是本地(-m)是否压缩传输,一部分是与上级(-M)传输是否压缩.    
+
+压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据.  
+
+下面分别用二级,三级为例:  
+
+**二级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -t tcp -m -p :7777`  
+本地二级执行:  
+`proxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+**三级实例**  
+一级vps(ip:2.2.2.2)上执行:  
+`proxy sps -t tcp -m -p :7777`  
+二级vps(ip:3.3.3.3)上执行:  
+`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888` 
+本地三级执行:  
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`  
+这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站.  
+
+
+#### **6.9 禁用协议** 
+SPS默认情况下一个端口支持http(s)和socks5两种代理协议,我们可以通过参数禁用某个协议  
+比如:  
+1.禁用HTTP(S)代理功能只保留SOCKS5代理功能,参数:`--disable-http`.   
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http`   
+
+1.禁用SOCKS5代理功能只保留HTTP(S)代理功能,参数:`--disable-socks`.   
+`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http`   
+
+#### **6.10 查看帮助** 
 `./proxy help sps`  

 ### **7.KCP配置**   
@ -825,12 +1046,18 @@ fast3：`--nodelay=1 --interval=10 --resend=2 --nc=1`
 - http(s)代理增加pac支持?
 - 欢迎加群反馈...

+### 如何贡献代码(Pull Request)?  
+首先需要clone本项目到自己的帐号下面,然后在dev分支上面修改代码,  
+最后发Pull Request到goproxy项目的dev分支即可,为了高效贡献代码,  
+pr的时候需要说明做了什么变更,原因是什么.  
+
 ### 如何使用源码?   
 建议go1.8.5,不保证>=1.9能用.       
-cd进入你的go src目录,新建文件夹snail007,   
-cd进入snail007,然后git clone https://github.com/snail007/goproxy.git ./proxy 即可.     
-编译直接:go build       
-运行: go run *.go      
+`go get github.com/snail007/goproxy`   
+cd进入你的go src目录  
+cd进入`github.com/snail007/goproxy`即可.    
+编译直接:`go build -o proxy`        
+运行: `go run *.go`       
 utils是工具包,service是具体的每个服务类. 

 ### License  
--- a/config.go
+++ b/config.go
@ -4,14 +4,16 @@ import (
 	"bufio"
 	"crypto/sha1"
 	"fmt"
-	"log"
+	logger "log"
 	"os"
 	"os/exec"
-	"snail007/proxy/services"
-	"snail007/proxy/services/kcpcfg"
-	"snail007/proxy/utils"
+	"runtime/pprof"
 	"time"

+	"github.com/snail007/goproxy/services"
+	"github.com/snail007/goproxy/services/kcpcfg"
+	"github.com/snail007/goproxy/utils"
+
 	kcp "github.com/xtaci/kcp-go"
 	"golang.org/x/crypto/pbkdf2"
 	kingpin "gopkg.in/alecthomas/kingpin.v2"
@ -21,6 +23,8 @@ var (
 	app                                                                                                       *kingpin.Application
 	service                                                                                                   *services.ServiceItem
 	cmd                                                                                                       *exec.Cmd
+	cpuProfilingFile, memProfilingFile, blockProfilingFile, goroutineProfilingFile, threadcreateProfilingFile *os.File
+	isDebug                                                                                                   bool
 )

 func initConfig() (err error) {
@ -86,7 +90,6 @@ func initConfig() (err error) {
 	httpArgs.Direct = http.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
 	httpArgs.AuthFile = http.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
 	httpArgs.Auth = http.Flag("auth", "http basic auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
-	httpArgs.PoolSize = http.Flag("pool-size", "conn pool size , which connect to parent proxy, zero: means turn off pool").Short('L').Default("0").Int()
 	httpArgs.CheckParentInterval = http.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
 	httpArgs.Local = http.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
 	httpArgs.SSHUser = http.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
@ -100,6 +103,10 @@ func initConfig() (err error) {
 	httpArgs.AuthURLRetry = http.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("1").Int()
 	httpArgs.DNSAddress = http.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
 	httpArgs.DNSTTL = http.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	httpArgs.LocalKey = http.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	httpArgs.ParentKey = http.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	httpArgs.LocalCompress = http.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	httpArgs.ParentCompress = http.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()

 	//########tcp#########
 	tcp := app.Command("tcp", "proxy on tcp mode")
@ -109,7 +116,6 @@ func initConfig() (err error) {
 	tcpArgs.Timeout = tcp.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('e').Default("2000").Int()
 	tcpArgs.ParentType = tcp.Flag("parent-type", "parent protocol type <tls|tcp|kcp|udp>").Short('T').Enum("tls", "tcp", "udp", "kcp")
 	tcpArgs.LocalType = tcp.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
-	tcpArgs.PoolSize = tcp.Flag("pool-size", "conn pool size , which connect to parent proxy, zero: means turn off pool").Short('L').Default("0").Int()
 	tcpArgs.CheckParentInterval = tcp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
 	tcpArgs.Local = tcp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()

@ -120,7 +126,6 @@ func initConfig() (err error) {
 	udpArgs.KeyFile = udp.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
 	udpArgs.Timeout = udp.Flag("timeout", "tcp timeout milliseconds when connect to parent proxy").Short('t').Default("2000").Int()
 	udpArgs.ParentType = udp.Flag("parent-type", "parent protocol type <tls|tcp|udp>").Short('T').Enum("tls", "tcp", "udp")
-	udpArgs.PoolSize = udp.Flag("pool-size", "conn pool size , which connect to parent proxy, zero: means turn off pool").Short('L').Default("0").Int()
 	udpArgs.CheckParentInterval = udp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
 	udpArgs.Local = udp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()

@ -210,6 +215,11 @@ func initConfig() (err error) {
 	socksArgs.AuthURLRetry = socks.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
 	socksArgs.DNSAddress = socks.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
 	socksArgs.DNSTTL = socks.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	socksArgs.LocalKey = socks.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	socksArgs.ParentKey = socks.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	socksArgs.LocalCompress = socks.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	socksArgs.ParentCompress = socks.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+
 	//########socks+http(s)#########
 	sps := app.Command("sps", "proxy on socks+http(s) mode")
 	spsArgs.Parent = sps.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
@ -220,7 +230,7 @@ func initConfig() (err error) {
 	spsArgs.ParentType = sps.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Short('T').Enum("tls", "tcp", "kcp")
 	spsArgs.LocalType = sps.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
 	spsArgs.Local = sps.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
-	spsArgs.ParentServiceType = sps.Flag("parent-service-type", "parent service type <http|socks>").Short('S').Enum("http", "socks")
+	spsArgs.ParentServiceType = sps.Flag("parent-service-type", "parent service type <http|socks>").Short('S').Enum("http", "socks", "ss")
 	spsArgs.DNSAddress = sps.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
 	spsArgs.DNSTTL = sps.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
 	spsArgs.AuthFile = sps.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
@ -231,9 +241,18 @@ func initConfig() (err error) {
 	spsArgs.AuthURLOkCode = sps.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
 	spsArgs.AuthURLRetry = sps.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
 	spsArgs.ParentAuth = sps.Flag("parent-auth", "parent socks auth username and password, such as: -A user1:pass1").Short('A').String()
+	spsArgs.LocalKey = sps.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	spsArgs.ParentKey = sps.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	spsArgs.LocalCompress = sps.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	spsArgs.ParentCompress = sps.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+	spsArgs.DisableHTTP = sps.Flag("disable-http", "disable http(s) proxy").Default("false").Bool()
+	spsArgs.DisableSocks5 = sps.Flag("disable-socks", "disable socks proxy").Default("false").Bool()
+
 	//parse args
 	serviceName := kingpin.MustParse(app.Parse(os.Args[1:]))

+	isDebug = *debug
+
 	//set kcp config

 	switch *kcpArgs.Mode {
@ -286,11 +305,19 @@ func initConfig() (err error) {
 	muxServerArgs.KCP = kcpArgs
 	muxClientArgs.KCP = kcpArgs

-	flags := log.Ldate
+	log := logger.New(os.Stderr, "", logger.Ldate|logger.Ltime)
+
+	flags := logger.Ldate
 	if *debug {
-		flags |= log.Lshortfile | log.Lmicroseconds
+		flags |= logger.Lshortfile | logger.Lmicroseconds
+		cpuProfilingFile, _ = os.Create("cpu.prof")
+		memProfilingFile, _ = os.Create("memory.prof")
+		blockProfilingFile, _ = os.Create("block.prof")
+		goroutineProfilingFile, _ = os.Create("goroutine.prof")
+		threadcreateProfilingFile, _ = os.Create("threadcreate.prof")
+		pprof.StartCPUProfile(cpuProfilingFile)
 	} else {
-		flags |= log.Ltime
+		flags |= logger.Ltime
 	}
 	log.SetFlags(flags)

@ -370,20 +397,41 @@ func initConfig() (err error) {
 	}
 	if *logfile == "" {
 		poster()
+		if *debug {
+			log.Println("[profiling] cpu profiling save to file : cpu.prof")
+			log.Println("[profiling] memory profiling save to file : memory.prof")
+			log.Println("[profiling] block profiling save to file : block.prof")
+			log.Println("[profiling] goroutine profiling save to file : goroutine.prof")
+			log.Println("[profiling] threadcreate profiling save to file : threadcreate.prof")
+		}
 	}
 	//regist services and run service
-	services.Regist("http", services.NewHTTP(), httpArgs)
-	services.Regist("tcp", services.NewTCP(), tcpArgs)
-	services.Regist("udp", services.NewUDP(), udpArgs)
-	services.Regist("tserver", services.NewTunnelServerManager(), tunnelServerArgs)
-	services.Regist("tclient", services.NewTunnelClient(), tunnelClientArgs)
-	services.Regist("tbridge", services.NewTunnelBridge(), tunnelBridgeArgs)
-	services.Regist("server", services.NewMuxServerManager(), muxServerArgs)
-	services.Regist("client", services.NewMuxClient(), muxClientArgs)
-	services.Regist("bridge", services.NewMuxBridge(), muxBridgeArgs)
-	services.Regist("socks", services.NewSocks(), socksArgs)
-	services.Regist("sps", services.NewSPS(), spsArgs)
-	service, err = services.Run(serviceName)
+	//regist services and run service
+	switch serviceName {
+	case "http":
+		services.Regist(serviceName, services.NewHTTP(), httpArgs, log)
+	case "tcp":
+		services.Regist(serviceName, services.NewTCP(), tcpArgs, log)
+	case "udp":
+		services.Regist(serviceName, services.NewUDP(), udpArgs, log)
+	case "tserver":
+		services.Regist(serviceName, services.NewTunnelServerManager(), tunnelServerArgs, log)
+	case "tclient":
+		services.Regist(serviceName, services.NewTunnelClient(), tunnelClientArgs, log)
+	case "tbridge":
+		services.Regist(serviceName, services.NewTunnelBridge(), tunnelBridgeArgs, log)
+	case "server":
+		services.Regist(serviceName, services.NewMuxServerManager(), muxServerArgs, log)
+	case "client":
+		services.Regist(serviceName, services.NewMuxClient(), muxClientArgs, log)
+	case "bridge":
+		services.Regist(serviceName, services.NewMuxBridge(), muxBridgeArgs, log)
+	case "socks":
+		services.Regist(serviceName, services.NewSocks(), socksArgs, log)
+	case "sps":
+		services.Regist(serviceName, services.NewSPS(), spsArgs, log)
+	}
+	service, err = services.Run(serviceName, nil)
 	if err != nil {
 		log.Fatalf("run service [%s] fail, ERR:%s", serviceName, err)
 	}
@ -402,3 +450,14 @@ func poster() {
 		
 		v%s`+" by snail , blog : http://www.host900.com/\n\n", APP_VERSION)
 }
+func saveProfiling() {
+	goroutine := pprof.Lookup("goroutine")
+	goroutine.WriteTo(goroutineProfilingFile, 1)
+	heap := pprof.Lookup("heap")
+	heap.WriteTo(memProfilingFile, 1)
+	block := pprof.Lookup("block")
+	block.WriteTo(blockProfilingFile, 1)
+	threadcreate := pprof.Lookup("threadcreate")
+	threadcreate.WriteTo(threadcreateProfilingFile, 1)
+	pprof.StopCPUProfile()
+}
--- a/docs/images/fxdl.png
+++ b/docs/images/fxdl.png
--- a/docs/images/http-1.png
+++ b/docs/images/http-1.png
--- a/docs/images/http-2.png
+++ b/docs/images/http-2.png
--- a/docs/images/http-kcp.png
+++ b/docs/images/http-kcp.png
--- a/docs/images/http-ssh-1.png
+++ b/docs/images/http-ssh-1.png
--- a/docs/images/http-tls-2.png
+++ b/docs/images/http-tls-2.png
--- a/docs/images/http-tls-3.png
+++ b/docs/images/http-tls-3.png
--- a/docs/images/socks-2.png
+++ b/docs/images/socks-2.png
--- a/docs/images/socks-ssh.png
+++ b/docs/images/socks-ssh.png
--- a/docs/images/socks-tls-2.png
+++ b/docs/images/socks-tls-2.png
--- a/docs/images/socks-tls-3.png
+++ b/docs/images/socks-tls-3.png
--- a/docs/images/sps-tls.png
+++ b/docs/images/sps-tls.png
--- a/docs/images/tcp-1.png
+++ b/docs/images/tcp-1.png
--- a/docs/images/tcp-2.png
+++ b/docs/images/tcp-2.png
--- a/docs/images/tcp-3.png
+++ b/docs/images/tcp-3.png
--- a/docs/images/tcp-tls-2.png
+++ b/docs/images/tcp-tls-2.png
--- a/docs/images/tcp-tls-3.png
+++ b/docs/images/tcp-tls-3.png
--- a/docs/images/udp-1.png
+++ b/docs/images/udp-1.png
--- a/docs/images/udp-2.png
+++ b/docs/images/udp-2.png
--- a/docs/images/udp-3.png
+++ b/docs/images/udp-3.png
--- a/docs/images/udp-tls-2.png
+++ b/docs/images/udp-tls-2.png
--- a/docs/images/udp-tls-3.png
+++ b/docs/images/udp-tls-3.png
--- a/gui/README.md
+++ b/gui/README.md
@ -0,0 +1,27 @@
+# Proxy-GUI
+基于proxy的各平台SDK,作者和众多热心人士开发了各平台的GUI版本的proxy,下面分平台介绍.  
+
+## Windows
+
+- 官方java版本,项目主页:[goproxy-jui](https://github.com/snail007/goproxy-jui)
+
+## Linux
+
+- 官方java版本,项目主页:[goproxy-jui](https://github.com/snail007/goproxy-jui)
+
+## MacOS
+
+- Coming Soon ...
+
+## Android
+
+- proxy-go,一个非官方实现版本,界面比较简陋,但是够用.下载地址:[proxy-go](https://github.com/snail007/goproxy-gui-stuff/releases/tag/proxy-go-release)
+
+
+## IOS
+
+- Coming Soon ...
+
+## 跨平台
+
+- proxy-web,一个跨平台的web UI版本,项目主页:[proxy-web](https://github.com/yincongcyincong/proxy-web)
--- a/install_auto.sh
+++ b/install_auto.sh
@ -5,7 +5,7 @@ if [ -e /tmp/proxy ]; then
 fi
 mkdir /tmp/proxy
 cd /tmp/proxy
-wget https://github.com/snail007/goproxy/releases/download/v4.6/proxy-linux-amd64.tar.gz
+wget https://github.com/snail007/goproxy/releases/download/v4.9/proxy-linux-amd64.tar.gz

 # #install proxy
 tar zxvf proxy-linux-amd64.tar.gz
--- a/main.go
+++ b/main.go
@ -4,11 +4,12 @@ import (
 	"log"
 	"os"
 	"os/signal"
-	"snail007/proxy/services"
 	"syscall"
+
+	"github.com/snail007/goproxy/services"
 )

-const APP_VERSION = "4.6"
+const APP_VERSION = "4.9"

 func main() {
 	err := initConfig()
@ -40,6 +41,9 @@ func Clean(s *services.Service) {
 				log.Printf("clean process %d", cmd.Process.Pid)
 				cmd.Process.Kill()
 			}
+			if isDebug {
+				saveProfiling()
+			}
 			cleanupDone <- true
 		}
 	}()
--- a/release.sh
+++ b/release.sh
@ -1,69 +1,71 @@
 #!/bin/bash
-VER="4.6"
+VER="4.9"
 RELEASE="release-${VER}"
 rm -rf .cert
 mkdir .cert
-go build 
+go build -o proxy 
 cd .cert
 ../proxy keygen
 cd ..
 rm -rf ${RELEASE}
 mkdir ${RELEASE}
 #linux
-CGO_ENABLED=0 GOOS=linux GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-linux-386.tar.gz" proxy direct blocked
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-linux-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build && tar zcfv "${RELEASE}/proxy-linux-arm-v6.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=6 go build && tar zcfv "${RELEASE}/proxy-linux-arm64-v6.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build && tar zcfv "${RELEASE}/proxy-linux-arm-v7.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=7 go build && tar zcfv "${RELEASE}/proxy-linux-arm64-v7.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=5 go build && tar zcfv "${RELEASE}/proxy-linux-arm-v5.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=5 go build && tar zcfv "${RELEASE}/proxy-linux-arm64-v5.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mips go build && tar zcfv "${RELEASE}/proxy-linux-mips.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build && tar zcfv "${RELEASE}/proxy-linux-mips64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build && tar zcfv "${RELEASE}/proxy-linux-mips64le.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build && tar zcfv "${RELEASE}/proxy-linux-mipsle.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=ppc64 go build && tar zcfv "${RELEASE}/proxy-linux-ppc64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build && tar zcfv "${RELEASE}/proxy-linux-ppc64le.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build && tar zcfv "${RELEASE}/proxy-linux-s390x.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-386.tar.gz" proxy direct blocked
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm-v6.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=6 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm64-v6.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm-v7.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=7 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm64-v7.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=5 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm-v5.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=5 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-arm64-v5.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mips go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mips.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mips64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mips64le.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-mipsle.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=ppc64 go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-ppc64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-ppc64le.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -o proxy && tar zcfv "${RELEASE}/proxy-linux-s390x.tar.gz" proxy direct blocked 
 #android
-CGO_ENABLED=0 GOOS=android GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-android-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=android GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-android-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=android GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-android-arm.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=android GOARCH=arm64 go build && tar zcfv "${RELEASE}/proxy-android-arm64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-android-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-android-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-android-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=android GOARCH=arm64 go build -o proxy && tar zcfv "${RELEASE}/proxy-android-arm64.tar.gz" proxy direct blocked 
 #darwin
-CGO_ENABLED=0 GOOS=darwin GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-darwin-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-darwin-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=darwin GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-darwin-arm.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build && tar zcfv "${RELEASE}/proxy-darwin-arm64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o proxy && tar zcfv "${RELEASE}/proxy-darwin-arm64.tar.gz" proxy direct blocked 
 #dragonfly
-CGO_ENABLED=0 GOOS=dragonfly GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-dragonfly-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=dragonfly GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-dragonfly-amd64.tar.gz" proxy direct blocked 
 #freebsd
-CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-freebsd-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-freebsd-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=freebsd GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-freebsd-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-freebsd-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-freebsd-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=freebsd GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-freebsd-arm.tar.gz" proxy direct blocked 
 #nacl
-CGO_ENABLED=0 GOOS=nacl GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-nacl-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=nacl GOARCH=amd64p32 go build && tar zcfv "${RELEASE}/proxy-nacl-amd64p32.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=nacl GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-nacl-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=nacl GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-nacl-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=nacl GOARCH=amd64p32 go build -o proxy && tar zcfv "${RELEASE}/proxy-nacl-amd64p32.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=nacl GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-nacl-arm.tar.gz" proxy direct blocked 
 #netbsd
-CGO_ENABLED=0 GOOS=netbsd GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-netbsd-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=netbsd GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-netbsd-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=netbsd GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-netbsd-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=netbsd GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-netbsd-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=netbsd GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-netbsd-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=netbsd GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-netbsd-arm.tar.gz" proxy direct blocked 
 #openbsd
-CGO_ENABLED=0 GOOS=openbsd GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-openbsd-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=openbsd GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-openbsd-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=openbsd GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-openbsd-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=openbsd GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-openbsd-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=openbsd GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-openbsd-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=openbsd GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-openbsd-arm.tar.gz" proxy direct blocked 
 #plan9
-CGO_ENABLED=0 GOOS=plan9 GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-plan9-386.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=plan9 GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-plan9-amd64.tar.gz" proxy direct blocked 
-CGO_ENABLED=0 GOOS=plan9 GOARCH=arm go build && tar zcfv "${RELEASE}/proxy-plan9-arm.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=plan9 GOARCH=386 go build -o proxy && tar zcfv "${RELEASE}/proxy-plan9-386.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=plan9 GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-plan9-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=plan9 GOARCH=arm go build -o proxy && tar zcfv "${RELEASE}/proxy-plan9-arm.tar.gz" proxy direct blocked 
 #solaris
-CGO_ENABLED=0 GOOS=solaris GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-solaris-amd64.tar.gz" proxy direct blocked 
+CGO_ENABLED=0 GOOS=solaris GOARCH=amd64 go build -o proxy && tar zcfv "${RELEASE}/proxy-solaris-amd64.tar.gz" proxy direct blocked 
 #windows
-CGO_ENABLED=0 GOOS=windows GOARCH=386 go build && tar zcfv "${RELEASE}/proxy-windows-386.tar.gz" proxy.exe  direct blocked .cert/proxy.crt .cert/proxy.key
-CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build && tar zcfv "${RELEASE}/proxy-windows-amd64.tar.gz" proxy.exe  direct blocked .cert/proxy.crt .cert/proxy.key
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build  -ldflags="-H=windowsgui" -o proxy-wingui.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -o proxy.exe && tar zcfv "${RELEASE}/proxy-windows-386.tar.gz" proxy.exe proxy-wingui.exe direct blocked .cert/proxy.crt .cert/proxy.key
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-H=windowsgui" -o proxy-wingui.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o proxy.exe && tar zcfv "${RELEASE}/proxy-windows-amd64.tar.gz" proxy.exe proxy-wingui.exe direct blocked .cert/proxy.crt .cert/proxy.key

-rm -rf proxy proxy.exe .cert
+rm -rf proxy proxy.exe proxy-wingui.exe .cert

 #todo
 #1.release.sh        VER="xxx"
--- a/sdk/CHANGELOG
+++ b/sdk/CHANGELOG
@ -0,0 +1,3 @@
+v4.8
+1.修复了多个服务同时开启日志,只会输出到最后一个日志文件的bug.  
+2.增加了获取sdk版本的Version()方法.  
--- a/sdk/README.md
+++ b/sdk/README.md
@ -0,0 +1,259 @@
+
+# Proxy SDK 使用说明  
+
+支持以下平台:  
+- Android,`.arr`库
+- IOS,`.framework`库
+- Windows,`.dll`库
+- Linux,`.so`库
+- MacOS,`.dylib`库
+
+proxy使用gombile实现了一份go代码编译为android和ios平台下面可以直接调用的sdk类库, 
+另外还为linux和windows,MacOS提供sdk支持，基于这些类库,APP开发者可以轻松的开发出各种形式的代理工具。    
+
+# 下面分平台介绍SDK的用法  
+
+## Android SDK
+  
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-android/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-android.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-android/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-android/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-android.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-android/releases)  
+  
+[点击下载Android-SDK](https://github.com/snail007/goproxy-sdk-android/releases)  
+在Android系统提供的sdk形式是一个后缀为.aar的类库文件,开发的时候只需要把arr类库文件引入android项目即可.  
+
+### Android-SDK使用实例
+
+#### 1.导入包
+
+```java
+import snail007.proxy.Porxy
+```
+
+#### 2.启动一个服务
+
+```java
+String serviceID="http01";//这里serviceID是自定义的唯一标识字符串,保证每个启动的服务不一样即可
+String serviceArgs="http -p :8080";
+String err=Proxy.start(serviceID,serviceArgs);
+if (!err.isEmpty()){
+    //启动失败
+    System.out.println("start fail,error:"+err);
+}else{
+    //启动成功
+}
+```
+
+#### 3.停止一个服务
+
+```java
+String serviceID="http01";
+Proxy.stop(serviceID);
+//停止完毕
+
+```
+
+## IOS SDK
+  
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-ios/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-ios.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-ios/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-ios/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-ios.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-ios/releases)  
+  
+[点击下载IOS-SDK](https://github.com/snail007/goproxy-sdk-ios/releases)  
+在IOS系统提供的sdk形式是一个后缀为.framework的类库文件夹,开发的时候只需要把类库文件引入项目,然后调用方法即可.  
+
+### IOS-SDK使用实例
+
+#### 导入包
+
+```objc
+#import <Proxy/Proxy.objc.h>
+```
+
+#### 2.启动一个服务
+
+```objc
+-(IBAction)doStart:(id)sender
+{
+	//这里serviceID是自定义的唯一标识字符串,保证每个启动的服务不一样
+	NSString *serviceID = @"http01";
+    NSString *serviceArgs = @"http -p :8080";
+    NSString *error = ProxyStart(serviceID,serviceArgs);
+    
+    if (error != nil && error.length > 0)
+    {
+        NSLog(@"start error %@",error);
+    }else{
+        NSLog(@"启动成功");
+    }
+}
+```
+
+#### 3.停止一个服务
+
+```objc
+-(IBAction)doStop:(id)sender
+{
+    NSString *serviceID = @"http01";
+    ProxyStop(serviceID);
+    //停止完毕
+}
+```
+
+
+## Windows SDK
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-windows/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-windows.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-windows/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-windows/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-windows.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-windows/releases)  
+  
+[点击下载Windows-SDK](https://github.com/snail007/goproxy-sdk-windows/releases)  
+在Windows系统提供的sdk形式是一个后缀为.dll的类库文件,开发的时候只需要把dll类库文件加载,然后调用方法即可.  
+
+### Windows-SDK使用实例  
+C++示例，不需要包含头文件，只需要加载proxy-sdk.dll即可，ieshims.dll需要和proxy-sdk.dll在一起。  
+作者：[yjbdsky](https://github.com/yjbdsky)     
+
+```cpp
+#include <stdio.h>
+#include<stdlib.h>
+#include <string.h>
+#include<pthread.h>
+#include<Windows.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef char *(*GOSTART)(char *s);
+typedef char *(*GOSTOP)(char *s);
+typedef int(*GOISRUN)(char *s);
+HMODULE GODLL = LoadLibrary("proxy-sdk.dll");
+
+char * Start(char * p0,char * p1)
+{
+	if (GODLL != NULL)
+	{
+		GOSTART gostart = *(GOSTART)(GetProcAddress(GODLL, "Start"));
+		if (gostart != NULL){
+			printf("%s:%s\n",p0, p1);
+			char *ret = gostart(p0,p1);
+			return ret;
+		}
+	}
+	return "Cannot Find dll";
+}
+char * Stop(char * p)
+{
+	if (GODLL != NULL)
+	{
+		GOSTOP gostop = *(GOSTOP)(GetProcAddress(GODLL, "Stop"));
+		if (gostop != NULL){
+			printf("%s\n", p);
+			char *ret = gostop(p);
+			return ret;
+		}
+	}
+	return "Cannot Find dll";
+}
+
+int main()
+{
+	//这里p0是自定义的唯一标识字符串,保证每个启动的服务不一样
+	char *p0 = "http01";
+	char *p1 = "http -t tcp -p :38080";
+	printf("This is demo application.\n");
+	//启动服务,返回空字符串说明启动成功;返回非空字符串说明启动失败,返回的字符串是错误原因
+	printf("start result %s\n", Start(p0,p1));
+	//停止服务,没有返回值
+	Stop(p0);
+	return 0;
+}
+
+
+#ifdef __cplusplus
+}
+#endif
+```
+
+C++示例2，请移步：[GoProxyForC](https://github.com/SuperPowerLF2/GoProxyForC)   
+
+## Linux SDK
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-linux/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-linux.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-linux/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-linux/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-linux.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-linux/releases)  
+  
+[点击下载Linux-SDK](https://github.com/snail007/goproxy-sdk-linux/releases)  
+在Linux系统提供的sdk形式是一个后缀为.so的类库文件,开发的时候只需要把so类库加载,调用方法即可.  
+
+### Linux-SDK使用实例
+Linux下面使用的sdk是so文件即libproxy-sdk.so,下面写一个简单的C程序示例,调用so库里面的方法.  
+
+`vi test-proxy.c`  
+
+```c
+#include <stdio.h>
+#include "libproxy-sdk.h"
+
+int main() {
+     printf("This is demo application.\n");
+	 //这里p0是自定义的唯一标识字符串,保证每个启动的服务不一样
+	 char *p0 = "http01";
+     char *p1 = "http -t tcp -p :38080";
+     //启动服务,返回空字符串说明启动成功;返回非空字符串说明启动失败,返回的字符串是错误原因
+     printf("start result %s\n",Start(p0,p1));
+     //停止服务,没有返回值
+     Stop(p0);
+     return 0;
+}
+```
+
+#### 编译test-proxy.c ####  
+`export LD_LIBRARY_PATH=./ && gcc -o test-proxy test.c libproxy-sdk.so`  
+
+#### 执行 ####  
+`./test-proxy`  
+
+## MacOS SDK
+[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/snail007/goproxy-sdk-mac/) [![license](https://img.shields.io/github/license/snail007/goproxy-sdk-mac.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/snail007/goproxy-sdk-mac/total.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-mac/releases) [![download](https://img.shields.io/github/release/snail007/goproxy-sdk-mac.svg?style=plastic)](https://github.com/snail007/goproxy-sdk-mac/releases)  
+  
+[点击下载MacOS-SDK](https://github.com/snail007/goproxy-sdk-mac/releases)  
+在MacOS系统提供的sdk形式是一个后缀为.dylib的类库文件,开发的时候只需要把so类库加载,调用方法即可.  
+
+### MacOS-SDK使用实例
+MacOS下面使用的sdk是dylib文件即libproxy-sdk.dylib,下面写一个简单的Obj-C程序示例,调用dylib库里面的方法.  
+
+```objc
+#import "libproxy-sdk.h"
+-(IBAction)doStart:(id)sender
+{
+    char *result =  Start("http01", "http -t tcp -p :38080");
+    
+    if (result)
+    {
+        printf("started");
+    }else{
+        printf("not started");
+    }
+  
+}
+-(IBAction)doStop:(id)sender
+{
+     Stop("http01");
+
+}
+```
+
+### 关于服务  
+proxy的服务有11种,分别是:  
+
+```shell
+http  
+socks  
+sps  
+tcp  
+udp  
+bridge  
+server  
+client  
+tbridge  
+tserver  
+tclient  
+```
+服务启动时,如果存在正在运行的相同ID的服务,那么之前的服务会被停掉,后面启动的服务覆盖之前的服务.  
+所以要保证每次启动服务的时候,第一个ID参数唯一.  
+上面这些服务的具体使用方式和具体参数,可以参考[proxy手册](https://github.com/snail007/goproxy/blob/master/README_ZH.md)  
+sdk里面的服务不支持手册里面的：--daemon和--forever参数.  
+
+
--- a/sdk/android-ios/.gitignore
+++ b/sdk/android-ios/.gitignore
@ -0,0 +1,7 @@
+*.jar
+*.aar
+*.tar.gz
+ios
+android
+Proxy.framework
+  
--- a/sdk/android-ios/release_android.sh
+++ b/sdk/android-ios/release_android.sh
@ -0,0 +1,24 @@
+#/bin/bash
+VER="v4.8"
+rm -rf sdk-android-*.tar.gz
+rm -rf android
+mkdir android
+
+#android ; jdk,android ndk & android sdk required, install gomobile go1.10 required
+#export GOPATH="$HOME/go"
+#export GOROOT="/usr/local/go"
+#export PATH="$GOROOT/bin:$GOPATH/bin:$PATH"
+#export ANDROID_HOME="$HOME/Android/Sdk"
+#export NDK_ROOT="$HOME/Android/Sdk/ndk-bundle"
+#export PATH="$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools:$NDK_ROOT:$PATH"
+#go get -v golang.org/x/mobile/cmd/gomobile
+#gomobile init
+
+gomobile bind -v -target=android -javapkg=snail007 -ldflags="-s -w"
+mv proxy.aar android/snail007.goproxy.sdk.aar
+mv proxy-sources.jar android/snail007.goproxy.sdk-sources.jar
+cp ../README.md android
+tar zcfv sdk-android-${VER}.tar.gz android
+rm -rf android
+
+echo "done."
--- a/sdk/android-ios/release_ios.sh
+++ b/sdk/android-ios/release_ios.sh
@ -0,0 +1,14 @@
+#/bin/bash
+VER="v4.8"
+rm -rf sdk-ios-*.tar.gz
+rm -rf ios
+mkdir ios
+
+#ios  XCode required
+gomobile bind -v -target=ios -ldflags="-s -w"
+mv Proxy.framework ios
+cp ../README.md ios
+tar zcfv sdk-ios-${VER}.tar.gz ios
+rm -rf ios
+
+echo "done."
--- a/sdk/android-ios/sdk.go
+++ b/sdk/android-ios/sdk.go
@ -0,0 +1,361 @@
+package proxy
+
+import (
+	"crypto/sha1"
+	"fmt"
+	logger "log"
+	"os"
+	"strings"
+
+	"github.com/snail007/goproxy/services"
+	"github.com/snail007/goproxy/services/kcpcfg"
+
+	kcp "github.com/xtaci/kcp-go"
+	"golang.org/x/crypto/pbkdf2"
+	kingpin "gopkg.in/alecthomas/kingpin.v2"
+)
+
+const SDK_VERSION = "4.8"
+
+var (
+	app *kingpin.Application
+)
+
+//Start
+//serviceID : is service identify id,different service's id should be difference
+//serviceArgsStr: is the whole command line args string
+//such as :
+//1."http -t tcp -p :8989"
+//2."socks -t tcp -p :8989"
+//and so on.
+//if an error occured , errStr will be the error reason
+//if start success, errStr is empty.
+func Start(serviceID, serviceArgsStr string) (errStr string) {
+	//define  args
+	tcpArgs := services.TCPArgs{}
+	httpArgs := services.HTTPArgs{}
+	tunnelServerArgs := services.TunnelServerArgs{}
+	tunnelClientArgs := services.TunnelClientArgs{}
+	tunnelBridgeArgs := services.TunnelBridgeArgs{}
+	muxServerArgs := services.MuxServerArgs{}
+	muxClientArgs := services.MuxClientArgs{}
+	muxBridgeArgs := services.MuxBridgeArgs{}
+	udpArgs := services.UDPArgs{}
+	socksArgs := services.SocksArgs{}
+	spsArgs := services.SPSArgs{}
+	kcpArgs := kcpcfg.KCPConfigArgs{}
+	//build srvice args
+	app = kingpin.New("proxy", "happy with proxy")
+	app.Author("snail").Version(SDK_VERSION)
+	debug := app.Flag("debug", "debug log output").Default("false").Bool()
+	logfile := app.Flag("log", "log file path").Default("").String()
+	kcpArgs.Key = app.Flag("kcp-key", "pre-shared secret between client and server").Default("secrect").String()
+	kcpArgs.Crypt = app.Flag("kcp-method", "encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none").Default("aes").Enum("aes", "aes-128", "aes-192", "salsa20", "blowfish", "twofish", "cast5", "3des", "tea", "xtea", "xor", "sm4", "none")
+	kcpArgs.Mode = app.Flag("kcp-mode", "profiles: fast3, fast2, fast, normal, manual").Default("fast3").Enum("fast3", "fast2", "fast", "normal", "manual")
+	kcpArgs.MTU = app.Flag("kcp-mtu", "set maximum transmission unit for UDP packets").Default("1350").Int()
+	kcpArgs.SndWnd = app.Flag("kcp-sndwnd", "set send window size(num of packets)").Default("1024").Int()
+	kcpArgs.RcvWnd = app.Flag("kcp-rcvwnd", "set receive window size(num of packets)").Default("1024").Int()
+	kcpArgs.DataShard = app.Flag("kcp-ds", "set reed-solomon erasure coding - datashard").Default("10").Int()
+	kcpArgs.ParityShard = app.Flag("kcp-ps", "set reed-solomon erasure coding - parityshard").Default("3").Int()
+	kcpArgs.DSCP = app.Flag("kcp-dscp", "set DSCP(6bit)").Default("0").Int()
+	kcpArgs.NoComp = app.Flag("kcp-nocomp", "disable compression").Default("false").Bool()
+	kcpArgs.AckNodelay = app.Flag("kcp-acknodelay", "be carefull! flush ack immediately when a packet is received").Default("true").Bool()
+	kcpArgs.NoDelay = app.Flag("kcp-nodelay", "be carefull!").Default("0").Int()
+	kcpArgs.Interval = app.Flag("kcp-interval", "be carefull!").Default("50").Int()
+	kcpArgs.Resend = app.Flag("kcp-resend", "be carefull!").Default("0").Int()
+	kcpArgs.NoCongestion = app.Flag("kcp-nc", "be carefull! no congestion").Default("0").Int()
+	kcpArgs.SockBuf = app.Flag("kcp-sockbuf", "be carefull!").Default("4194304").Int()
+	kcpArgs.KeepAlive = app.Flag("kcp-keepalive", "be carefull!").Default("10").Int()
+
+	//########http#########
+	http := app.Command("http", "proxy on http mode")
+	httpArgs.Parent = http.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	httpArgs.CaCertFile = http.Flag("ca", "ca cert file for tls").Default("").String()
+	httpArgs.CertFile = http.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	httpArgs.KeyFile = http.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	httpArgs.LocalType = http.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	httpArgs.ParentType = http.Flag("parent-type", "parent protocol type <tls|tcp|ssh|kcp>").Short('T').Enum("tls", "tcp", "ssh", "kcp")
+	httpArgs.Always = http.Flag("always", "always use parent proxy").Default("false").Bool()
+	httpArgs.Timeout = http.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Default("2000").Int()
+	httpArgs.HTTPTimeout = http.Flag("http-timeout", "check domain if blocked , http request timeout milliseconds when connect to host").Default("3000").Int()
+	httpArgs.Interval = http.Flag("interval", "check domain if blocked every interval seconds").Default("10").Int()
+	httpArgs.Blocked = http.Flag("blocked", "blocked domain file , one domain each line").Default("blocked").Short('b').String()
+	httpArgs.Direct = http.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
+	httpArgs.AuthFile = http.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	httpArgs.Auth = http.Flag("auth", "http basic auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	httpArgs.CheckParentInterval = http.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
+	httpArgs.Local = http.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
+	httpArgs.SSHUser = http.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
+	httpArgs.SSHKeyFile = http.Flag("ssh-key", "private key file for ssh").Short('S').Default("").String()
+	httpArgs.SSHKeyFileSalt = http.Flag("ssh-keysalt", "salt of ssh private key").Short('s').Default("").String()
+	httpArgs.SSHPassword = http.Flag("ssh-password", "password for ssh").Short('A').Default("").String()
+	httpArgs.LocalIPS = http.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	httpArgs.AuthURL = http.Flag("auth-url", "http basic auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	httpArgs.AuthURLTimeout = http.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	httpArgs.AuthURLOkCode = http.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	httpArgs.AuthURLRetry = http.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("1").Int()
+	httpArgs.DNSAddress = http.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	httpArgs.DNSTTL = http.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	httpArgs.LocalKey = http.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	httpArgs.ParentKey = http.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	httpArgs.LocalCompress = http.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	httpArgs.ParentCompress = http.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+
+	//########tcp#########
+	tcp := app.Command("tcp", "proxy on tcp mode")
+	tcpArgs.Parent = tcp.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	tcpArgs.CertFile = tcp.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tcpArgs.KeyFile = tcp.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tcpArgs.Timeout = tcp.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('e').Default("2000").Int()
+	tcpArgs.ParentType = tcp.Flag("parent-type", "parent protocol type <tls|tcp|kcp|udp>").Short('T').Enum("tls", "tcp", "udp", "kcp")
+	tcpArgs.LocalType = tcp.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	tcpArgs.CheckParentInterval = tcp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
+	tcpArgs.Local = tcp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+
+	//########udp#########
+	udp := app.Command("udp", "proxy on udp mode")
+	udpArgs.Parent = udp.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	udpArgs.CertFile = udp.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	udpArgs.KeyFile = udp.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	udpArgs.Timeout = udp.Flag("timeout", "tcp timeout milliseconds when connect to parent proxy").Short('t').Default("2000").Int()
+	udpArgs.ParentType = udp.Flag("parent-type", "parent protocol type <tls|tcp|udp>").Short('T').Enum("tls", "tcp", "udp")
+	udpArgs.CheckParentInterval = udp.Flag("check-parent-interval", "check if proxy is okay every interval seconds,zero: means no check").Short('I').Default("3").Int()
+	udpArgs.Local = udp.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+
+	//########mux-server#########
+	muxServer := app.Command("server", "proxy on mux server mode")
+	muxServerArgs.Parent = muxServer.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	muxServerArgs.ParentType = muxServer.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Default("tls").Short('T').Enum("tls", "tcp", "kcp")
+	muxServerArgs.CertFile = muxServer.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	muxServerArgs.KeyFile = muxServer.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	muxServerArgs.Timeout = muxServer.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
+	muxServerArgs.IsUDP = muxServer.Flag("udp", "proxy on udp mux server mode").Default("false").Bool()
+	muxServerArgs.Key = muxServer.Flag("k", "client key").Default("default").String()
+	muxServerArgs.Route = muxServer.Flag("route", "local route to client's network, such as: PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT").Short('r').Default("").Strings()
+	muxServerArgs.IsCompress = muxServer.Flag("c", "compress data when tcp|tls mode").Default("false").Bool()
+	muxServerArgs.SessionCount = muxServer.Flag("session-count", "session count which connect to bridge").Short('n').Default("10").Int()
+
+	//########mux-client#########
+	muxClient := app.Command("client", "proxy on mux client mode")
+	muxClientArgs.Parent = muxClient.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	muxClientArgs.ParentType = muxClient.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Default("tls").Short('T').Enum("tls", "tcp", "kcp")
+	muxClientArgs.CertFile = muxClient.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	muxClientArgs.KeyFile = muxClient.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	muxClientArgs.Timeout = muxClient.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
+	muxClientArgs.Key = muxClient.Flag("k", "key same with server").Default("default").String()
+	muxClientArgs.IsCompress = muxClient.Flag("c", "compress data when tcp|tls mode").Default("false").Bool()
+	muxClientArgs.SessionCount = muxClient.Flag("session-count", "session count which connect to bridge").Short('n').Default("10").Int()
+
+	//########mux-bridge#########
+	muxBridge := app.Command("bridge", "proxy on mux bridge mode")
+	muxBridgeArgs.CertFile = muxBridge.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	muxBridgeArgs.KeyFile = muxBridge.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	muxBridgeArgs.Timeout = muxBridge.Flag("timeout", "tcp timeout with milliseconds").Short('i').Default("2000").Int()
+	muxBridgeArgs.Local = muxBridge.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+	muxBridgeArgs.LocalType = muxBridge.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tls").Short('t').Enum("tls", "tcp", "kcp")
+
+	//########tunnel-server#########
+	tunnelServer := app.Command("tserver", "proxy on tunnel server mode")
+	tunnelServerArgs.Parent = tunnelServer.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	tunnelServerArgs.CertFile = tunnelServer.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tunnelServerArgs.KeyFile = tunnelServer.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tunnelServerArgs.Timeout = tunnelServer.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	tunnelServerArgs.IsUDP = tunnelServer.Flag("udp", "proxy on udp tunnel server mode").Default("false").Bool()
+	tunnelServerArgs.Key = tunnelServer.Flag("k", "client key").Default("default").String()
+	tunnelServerArgs.Route = tunnelServer.Flag("route", "local route to client's network, such as: PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT").Short('r').Default("").Strings()
+
+	//########tunnel-client#########
+	tunnelClient := app.Command("tclient", "proxy on tunnel client mode")
+	tunnelClientArgs.Parent = tunnelClient.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	tunnelClientArgs.CertFile = tunnelClient.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tunnelClientArgs.KeyFile = tunnelClient.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tunnelClientArgs.Timeout = tunnelClient.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	tunnelClientArgs.Key = tunnelClient.Flag("k", "key same with server").Default("default").String()
+
+	//########tunnel-bridge#########
+	tunnelBridge := app.Command("tbridge", "proxy on tunnel bridge mode")
+	tunnelBridgeArgs.CertFile = tunnelBridge.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	tunnelBridgeArgs.KeyFile = tunnelBridge.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	tunnelBridgeArgs.Timeout = tunnelBridge.Flag("timeout", "tcp timeout with milliseconds").Short('t').Default("2000").Int()
+	tunnelBridgeArgs.Local = tunnelBridge.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+
+	//########ssh#########
+	socks := app.Command("socks", "proxy on ssh mode")
+	socksArgs.Parent = socks.Flag("parent", "parent ssh address, such as: \"23.32.32.19:22\"").Default("").Short('P').String()
+	socksArgs.ParentType = socks.Flag("parent-type", "parent protocol type <tls|tcp|kcp|ssh>").Default("tcp").Short('T').Enum("tls", "tcp", "kcp", "ssh")
+	socksArgs.LocalType = socks.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	socksArgs.Local = socks.Flag("local", "local ip:port to listen").Short('p').Default(":33080").String()
+	socksArgs.UDPParent = socks.Flag("udp-parent", "udp parent address, such as: \"23.32.32.19:33090\"").Default("").Short('X').String()
+	socksArgs.UDPLocal = socks.Flag("udp-local", "udp local ip:port to listen").Short('x').Default(":33090").String()
+	socksArgs.CertFile = socks.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	socksArgs.CaCertFile = socks.Flag("ca", "ca cert file for tls").Default("").String()
+	socksArgs.KeyFile = socks.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	socksArgs.SSHUser = socks.Flag("ssh-user", "user for ssh").Short('u').Default("").String()
+	socksArgs.SSHKeyFile = socks.Flag("ssh-key", "private key file for ssh").Short('S').Default("").String()
+	socksArgs.SSHKeyFileSalt = socks.Flag("ssh-keysalt", "salt of ssh private key").Short('s').Default("").String()
+	socksArgs.SSHPassword = socks.Flag("ssh-password", "password for ssh").Short('A').Default("").String()
+	socksArgs.Always = socks.Flag("always", "always use parent proxy").Default("false").Bool()
+	socksArgs.Timeout = socks.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Default("5000").Int()
+	socksArgs.Interval = socks.Flag("interval", "check domain if blocked every interval seconds").Default("10").Int()
+	socksArgs.Blocked = socks.Flag("blocked", "blocked domain file , one domain each line").Default("blocked").Short('b').String()
+	socksArgs.Direct = socks.Flag("direct", "direct domain file , one domain each line").Default("direct").Short('d').String()
+	socksArgs.AuthFile = socks.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	socksArgs.Auth = socks.Flag("auth", "socks auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	socksArgs.LocalIPS = socks.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	socksArgs.AuthURL = socks.Flag("auth-url", "auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	socksArgs.AuthURLTimeout = socks.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	socksArgs.AuthURLOkCode = socks.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	socksArgs.AuthURLRetry = socks.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
+	socksArgs.DNSAddress = socks.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	socksArgs.DNSTTL = socks.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	socksArgs.LocalKey = socks.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	socksArgs.ParentKey = socks.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	socksArgs.LocalCompress = socks.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	socksArgs.ParentCompress = socks.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+
+	//########socks+http(s)#########
+	sps := app.Command("sps", "proxy on socks+http(s) mode")
+	spsArgs.Parent = sps.Flag("parent", "parent address, such as: \"23.32.32.19:28008\"").Default("").Short('P').String()
+	spsArgs.CertFile = sps.Flag("cert", "cert file for tls").Short('C').Default("proxy.crt").String()
+	spsArgs.KeyFile = sps.Flag("key", "key file for tls").Short('K').Default("proxy.key").String()
+	spsArgs.CaCertFile = sps.Flag("ca", "ca cert file for tls").Default("").String()
+	spsArgs.Timeout = sps.Flag("timeout", "tcp timeout milliseconds when connect to real server or parent proxy").Short('i').Default("2000").Int()
+	spsArgs.ParentType = sps.Flag("parent-type", "parent protocol type <tls|tcp|kcp>").Short('T').Enum("tls", "tcp", "kcp")
+	spsArgs.LocalType = sps.Flag("local-type", "local protocol type <tls|tcp|kcp>").Default("tcp").Short('t').Enum("tls", "tcp", "kcp")
+	spsArgs.Local = sps.Flag("local", "local ip:port to listen,multiple address use comma split,such as: 0.0.0.0:80,0.0.0.0:443").Short('p').Default(":33080").String()
+	spsArgs.ParentServiceType = sps.Flag("parent-service-type", "parent service type <http|socks>").Short('S').Enum("http", "socks")
+	spsArgs.DNSAddress = sps.Flag("dns-address", "if set this, proxy will use this dns for resolve doamin").Short('q').Default("").String()
+	spsArgs.DNSTTL = sps.Flag("dns-ttl", "caching seconds of dns query result").Short('e').Default("300").Int()
+	spsArgs.AuthFile = sps.Flag("auth-file", "http basic auth file,\"username:password\" each line in file").Short('F').String()
+	spsArgs.Auth = sps.Flag("auth", "socks auth username and password, mutiple user repeat -a ,such as: -a user1:pass1 -a user2:pass2").Short('a').Strings()
+	spsArgs.LocalIPS = sps.Flag("local bind ips", "if your host behind a nat,set your public ip here avoid dead loop").Short('g').Strings()
+	spsArgs.AuthURL = sps.Flag("auth-url", "auth username and password will send to this url,response http code equal to 'auth-code' means ok,others means fail.").Default("").String()
+	spsArgs.AuthURLTimeout = sps.Flag("auth-timeout", "access 'auth-url' timeout milliseconds").Default("3000").Int()
+	spsArgs.AuthURLOkCode = sps.Flag("auth-code", "access 'auth-url' success http code").Default("204").Int()
+	spsArgs.AuthURLRetry = sps.Flag("auth-retry", "access 'auth-url' fail and retry count").Default("0").Int()
+	spsArgs.ParentAuth = sps.Flag("parent-auth", "parent socks auth username and password, such as: -A user1:pass1").Short('A').String()
+	spsArgs.LocalKey = sps.Flag("local-key", "the password for auto encrypt/decrypt local connection data").Short('z').Default("").String()
+	spsArgs.ParentKey = sps.Flag("parent-key", "the password for auto encrypt/decrypt parent connection data").Short('Z').Default("").String()
+	spsArgs.LocalCompress = sps.Flag("local-compress", "auto compress/decompress data on local connection").Short('m').Default("false").Bool()
+	spsArgs.ParentCompress = sps.Flag("parent-compress", "auto compress/decompress data on parent connection").Short('M').Default("false").Bool()
+	spsArgs.DisableHTTP = sps.Flag("disable-http", "disable http(s) proxy").Default("false").Bool()
+	spsArgs.DisableSocks5 = sps.Flag("disable-socks", "disable socks proxy").Default("false").Bool()
+
+	//parse args
+	_args := strings.Fields(strings.Trim(serviceArgsStr, " "))
+	args := []string{}
+	for _, a := range _args {
+		args = append(args, strings.Trim(a, "\""))
+	}
+	serviceName, err := app.Parse(args)
+	if err != nil {
+		return fmt.Sprintf("parse args fail,err: %s", err)
+	}
+	//set kcp config
+
+	switch *kcpArgs.Mode {
+	case "normal":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 0, 40, 2, 1
+	case "fast":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 0, 30, 2, 1
+	case "fast2":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 1, 20, 2, 1
+	case "fast3":
+		*kcpArgs.NoDelay, *kcpArgs.Interval, *kcpArgs.Resend, *kcpArgs.NoCongestion = 1, 10, 2, 1
+	}
+	pass := pbkdf2.Key([]byte(*kcpArgs.Key), []byte("snail007-goproxy"), 4096, 32, sha1.New)
+
+	switch *kcpArgs.Crypt {
+	case "sm4":
+		kcpArgs.Block, _ = kcp.NewSM4BlockCrypt(pass[:16])
+	case "tea":
+		kcpArgs.Block, _ = kcp.NewTEABlockCrypt(pass[:16])
+	case "xor":
+		kcpArgs.Block, _ = kcp.NewSimpleXORBlockCrypt(pass)
+	case "none":
+		kcpArgs.Block, _ = kcp.NewNoneBlockCrypt(pass)
+	case "aes-128":
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass[:16])
+	case "aes-192":
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass[:24])
+	case "blowfish":
+		kcpArgs.Block, _ = kcp.NewBlowfishBlockCrypt(pass)
+	case "twofish":
+		kcpArgs.Block, _ = kcp.NewTwofishBlockCrypt(pass)
+	case "cast5":
+		kcpArgs.Block, _ = kcp.NewCast5BlockCrypt(pass[:16])
+	case "3des":
+		kcpArgs.Block, _ = kcp.NewTripleDESBlockCrypt(pass[:24])
+	case "xtea":
+		kcpArgs.Block, _ = kcp.NewXTEABlockCrypt(pass[:16])
+	case "salsa20":
+		kcpArgs.Block, _ = kcp.NewSalsa20BlockCrypt(pass)
+	default:
+		*kcpArgs.Crypt = "aes"
+		kcpArgs.Block, _ = kcp.NewAESBlockCrypt(pass)
+	}
+	//attach kcp config
+	tcpArgs.KCP = kcpArgs
+	httpArgs.KCP = kcpArgs
+	socksArgs.KCP = kcpArgs
+	spsArgs.KCP = kcpArgs
+	muxBridgeArgs.KCP = kcpArgs
+	muxServerArgs.KCP = kcpArgs
+	muxClientArgs.KCP = kcpArgs
+
+	log := logger.New(os.Stderr, "", logger.Ldate|logger.Ltime)
+	flags := logger.Ldate
+	if *debug {
+		flags |= logger.Lshortfile | logger.Lmicroseconds
+	} else {
+		flags |= logger.Ltime
+	}
+	log.SetFlags(flags)
+
+	if *logfile != "" {
+		f, e := os.OpenFile(*logfile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
+		if e != nil {
+			log.Fatal(e)
+		}
+		log.SetOutput(f)
+	}
+
+	//regist services and run service
+	switch serviceName {
+	case "http":
+		services.Regist(serviceID, services.NewHTTP(), httpArgs, log)
+	case "tcp":
+		services.Regist(serviceID, services.NewTCP(), tcpArgs, log)
+	case "udp":
+		services.Regist(serviceID, services.NewUDP(), udpArgs, log)
+	case "tserver":
+		services.Regist(serviceID, services.NewTunnelServerManager(), tunnelServerArgs, log)
+	case "tclient":
+		services.Regist(serviceID, services.NewTunnelClient(), tunnelClientArgs, log)
+	case "tbridge":
+		services.Regist(serviceID, services.NewTunnelBridge(), tunnelBridgeArgs, log)
+	case "server":
+		services.Regist(serviceID, services.NewMuxServerManager(), muxServerArgs, log)
+	case "client":
+		services.Regist(serviceID, services.NewMuxClient(), muxClientArgs, log)
+	case "bridge":
+		services.Regist(serviceID, services.NewMuxBridge(), muxBridgeArgs, log)
+	case "socks":
+		services.Regist(serviceID, services.NewSocks(), socksArgs, log)
+	case "sps":
+		services.Regist(serviceID, services.NewSPS(), spsArgs, log)
+	}
+	_, err = services.Run(serviceID, nil)
+	if err != nil {
+		return fmt.Sprintf("run service [%s:%s] fail, ERR:%s", serviceID, serviceName, err)
+	}
+	return
+}
+
+func Stop(serviceID string) {
+	services.Stop(serviceID)
+}
+
+func Version() string {
+	return SDK_VERSION
+}
--- a/sdk/windows-linux/.gitignore
+++ b/sdk/windows-linux/.gitignore
@ -0,0 +1,6 @@
+proxy-sdk.dll
+proxy-sdk.h
+proxy-sdk.so
+proxy-sdk.a
+*.tar.gz
+test.c
--- a/sdk/windows-linux/ieshims.dll
+++ b/sdk/windows-linux/ieshims.dll
--- a/sdk/windows-linux/release_linux.sh
+++ b/sdk/windows-linux/release_linux.sh
@ -0,0 +1,24 @@
+#/bin/bash
+VER="v4.8"
+
+rm -rf sdk-linux-*.tar.gz
+rm -rf README.md libproxy-sdk.so libproxy-sdk.h libproxy-sdk.a
+
+#linux 32bit
+CGO_ENABLED=1 GOARCH=386 GOOS=linux go build -buildmode=c-archive -ldflags "-s -w" -o libproxy-sdk.a sdk.go
+CGO_ENABLED=1 GOARCH=386 GOOS=linux go build -buildmode=c-shared -ldflags "-s -w" -o libproxy-sdk.so sdk.go
+cp ../README.md .
+tar zcf sdk-linux-32bit-${VER}.tar.gz README.md libproxy-sdk.so libproxy-sdk.a libproxy-sdk.h
+rm -rf README.md libproxy-sdk.so libproxy-sdk.h libproxy-sdk.a
+
+#linux 64bit
+CGO_ENABLED=1 GOARCH=amd64 GOOS=linux go build -buildmode=c-archive -ldflags "-s -w" -o libproxy-sdk.a sdk.go
+CGO_ENABLED=1 GOARCH=amd64 GOOS=linux go build -buildmode=c-shared -ldflags "-s -w" -o libproxy-sdk.so sdk.go
+cp ../README.md .
+tar zcf sdk-linux-64bit-${VER}.tar.gz README.md libproxy-sdk.so libproxy-sdk.a libproxy-sdk.h
+rm -rf README.md libproxy-sdk.so libproxy-sdk.h libproxy-sdk.a
+
+echo "done."
+
+
+
--- a/sdk/windows-linux/release_mac.sh
+++ b/sdk/windows-linux/release_mac.sh
@ -0,0 +1,13 @@
+#/bin/bash
+VER="v4.8"
+
+rm -rf *.tar.gz
+rm -rf README.md libproxy-sdk.dylib libproxy-sdk.h
+
+#mac  , macos required
+CGO_ENABLED=1 GOARCH=amd64 GOOS=darwin go build -buildmode=c-shared -ldflags "-s -w" -o libproxy-sdk.dylib sdk.go
+cp ../README.md .
+tar zcf sdk-mac-${VER}.tar.gz README.md libproxy-sdk.dylib libproxy-sdk.h
+rm -rf README.md libproxy-sdk.dylib libproxy-sdk.h
+
+echo "done."
--- a/sdk/windows-linux/release_windows.sh
+++ b/sdk/windows-linux/release_windows.sh
@ -0,0 +1,28 @@
+#/bin/bash
+VER="v4.8"
+
+sudo rm /usr/local/go
+sudo ln -s /usr/local/go1.10.1 /usr/local/go
+rm -rf sdk-windows-*.tar.gz
+rm -rf README.md proxy-sdk.h proxy-sdk.dll
+
+
+#apt-get install gcc-multilib 
+#apt-get install gcc-mingw-w64
+
+#windows 64bit
+CC=x86_64-w64-mingw32-gcc GOARCH=amd64 CGO_ENABLED=1 GOOS=windows go build -buildmode=c-shared -ldflags "-s -w" -o proxy-sdk.dll sdk.go
+cp ../README.md .
+tar zcf sdk-windows-64bit-${VER}.tar.gz README.md proxy-sdk.dll proxy-sdk.h ieshims.dll
+rm -rf README.md proxy-sdk.h proxy-sdk.dll
+
+#windows 32bit
+CC=i686-w64-mingw32-gcc-win32 GOARCH=386 CGO_ENABLED=1 GOOS=windows go build -buildmode=c-shared -ldflags "-s -w" -o proxy-sdk.dll sdk.go
+cp ../README.md .
+tar zcf sdk-windows-32bit-${VER}.tar.gz README.md proxy-sdk.dll proxy-sdk.h ieshims.dll
+rm -rf README.md proxy-sdk.h proxy-sdk.dll
+
+sudo rm /usr/local/go
+sudo ln -s /usr/local/go1.8.5 /usr/local/go
+
+echo "done."
--- a/sdk/windows-linux/sdk.go
+++ b/sdk/windows-linux/sdk.go
@ -0,0 +1,25 @@
+package main
+
+import (
+	"C"
+
+	sdk "github.com/snail007/goproxy/sdk/android-ios"
+)
+
+//export Start
+func Start(serviceID *C.char, serviceArgsStr *C.char) (errStr *C.char) {
+	return C.CString(sdk.Start(C.GoString(serviceID), C.GoString(serviceArgsStr)))
+}
+
+//export Stop
+func Stop(serviceID *C.char) {
+	sdk.Stop(C.GoString(serviceID))
+}
+
+//export Version
+func Version() (ver *C.char) {
+	return C.CString(sdk.Version())
+}
+
+func main() {
+}
--- a/services/args.go
+++ b/services/args.go
@ -1,7 +1,7 @@
 package services

 import (
-	"snail007/proxy/services/kcpcfg"
+	"github.com/snail007/goproxy/services/kcpcfg"

 	"golang.org/x/crypto/ssh"
 )
@ -111,7 +111,6 @@ type TCPArgs struct {
 	ParentType          *string
 	LocalType           *string
 	Timeout             *int
-	PoolSize            *int
 	CheckParentInterval *int
 	KCP                 kcpcfg.KCPConfigArgs
 }
@ -139,7 +138,6 @@ type HTTPArgs struct {
 	ParentType          *string
 	LocalType           *string
 	Timeout             *int
-	PoolSize            *int
 	CheckParentInterval *int
 	SSHKeyFile          *string
 	SSHKeyFileSalt      *string
@ -151,6 +149,10 @@ type HTTPArgs struct {
 	LocalIPS            *[]string
 	DNSAddress          *string
 	DNSTTL              *int
+	LocalKey            *string
+	ParentKey           *string
+	LocalCompress       *bool
+	ParentCompress      *bool
 }
 type UDPArgs struct {
 	Parent              *string
@ -161,7 +163,6 @@ type UDPArgs struct {
 	Local               *string
 	ParentType          *string
 	Timeout             *int
-	PoolSize            *int
 	CheckParentInterval *int
 }
 type SocksArgs struct {
@ -198,6 +199,10 @@ type SocksArgs struct {
 	LocalIPS       *[]string
 	DNSAddress     *string
 	DNSTTL         *int
+	LocalKey       *string
+	ParentKey      *string
+	LocalCompress  *bool
+	ParentCompress *bool
 }
 type SPSArgs struct {
 	Parent            *string
@ -223,6 +228,12 @@ type SPSArgs struct {
 	AuthURLRetry      *int
 	LocalIPS          *[]string
 	ParentAuth        *string
+	LocalKey          *string
+	ParentKey         *string
+	LocalCompress     *bool
+	ParentCompress    *bool
+	DisableHTTP       *bool
+	DisableSocks5     *bool
 }

 func (a *SPSArgs) Protocol() string {
--- a/services/http.go
+++ b/services/http.go
@ -4,56 +4,71 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/utils"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils"
+	"github.com/snail007/goproxy/utils/conncrypt"
+
 	"golang.org/x/crypto/ssh"
 )

 type HTTP struct {
-	outPool        utils.OutPool
+	outPool        utils.OutConn
 	cfg            HTTPArgs
 	checker        utils.Checker
 	basicAuth      utils.BasicAuth
 	sshClient      *ssh.Client
 	lockChn        chan bool
 	domainResolver utils.DomainResolver
+	isStop         bool
+	serverChannels []*utils.ServerChannel
+	userConns      utils.ConcurrentMap
+	log            *logger.Logger
 }

 func NewHTTP() Service {
 	return &HTTP{
-		outPool:   utils.OutPool{},
+		outPool:        utils.OutConn{},
 		cfg:            HTTPArgs{},
 		checker:        utils.Checker{},
 		basicAuth:      utils.BasicAuth{},
 		lockChn:        make(chan bool, 1),
+		isStop:         false,
+		serverChannels: []*utils.ServerChannel{},
+		userConns:      utils.NewConcurrentMap(),
 	}
 }
-func (s *HTTP) CheckArgs() {
-	var err error
+func (s *HTTP) CheckArgs() (err error) {
 	if *s.cfg.Parent != "" && *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp|ssh|kcp>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp|ssh|kcp>")
+		return
 	}
 	if *s.cfg.ParentType == "tls" || *s.cfg.LocalType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
 		if *s.cfg.CaCertFile != "" {
 			s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
 			if err != nil {
-				log.Fatalf("read ca file error,ERR:%s", err)
+				err = fmt.Errorf("read ca file error,ERR:%s", err)
+				return
 			}
 		}
 	}
 	if *s.cfg.ParentType == "ssh" {
 		if *s.cfg.SSHUser == "" {
-			log.Fatalf("ssh user required")
+			err = fmt.Errorf("ssh user required")
+			return
 		}
 		if *s.cfg.SSHKeyFile == "" && *s.cfg.SSHPassword == "" {
-			log.Fatalf("ssh password or key required")
+			err = fmt.Errorf("ssh password or key required")
+			return
 		}

 		if *s.cfg.SSHPassword != "" {
@ -62,7 +77,8 @@ func (s *HTTP) CheckArgs() {
 			var SSHSigner ssh.Signer
 			s.cfg.SSHKeyBytes, err = ioutil.ReadFile(*s.cfg.SSHKeyFile)
 			if err != nil {
-				log.Fatalf("read key file ERR: %s", err)
+				err = fmt.Errorf("read key file ERR: %s", err)
+				return
 			}
 			if *s.cfg.SSHKeyFileSalt != "" {
 				SSHSigner, err = ssh.ParsePrivateKeyWithPassphrase(s.cfg.SSHKeyBytes, []byte(*s.cfg.SSHKeyFileSalt))
@ -70,28 +86,34 @@ func (s *HTTP) CheckArgs() {
 				SSHSigner, err = ssh.ParsePrivateKey(s.cfg.SSHKeyBytes)
 			}
 			if err != nil {
-				log.Fatalf("parse ssh private key fail,ERR: %s", err)
+				err = fmt.Errorf("parse ssh private key fail,ERR: %s", err)
+				return
 			}
 			s.cfg.SSHAuthMethod = ssh.PublicKeys(SSHSigner)
 		}
 	}
+	return
 }
-func (s *HTTP) InitService() {
+func (s *HTTP) InitService() (err error) {
 	s.InitBasicAuth()
 	if *s.cfg.Parent != "" {
-		s.checker = utils.NewChecker(*s.cfg.HTTPTimeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct)
+		s.checker = utils.NewChecker(*s.cfg.HTTPTimeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct, s.log)
 	}
 	if *s.cfg.DNSAddress != "" {
-		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL)
+		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL, s.log)
 	}
 	if *s.cfg.ParentType == "ssh" {
-		err := s.ConnectSSH()
+		err = s.ConnectSSH()
 		if err != nil {
-			log.Fatalf("init service fail, ERR: %s", err)
+			err = fmt.Errorf("init service fail, ERR: %s", err)
+			return
 		}
 		go func() {
 			//循环检查ssh网络连通性
 			for {
+				if s.isStop {
+					return
+				}
 				conn, err := utils.ConnectHost(s.Resolve(*s.cfg.Parent), *s.cfg.Timeout*2)
 				if err == nil {
 					conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
@ -105,7 +127,7 @@ func (s *HTTP) InitService() {
 							s.sshClient.Conn.Close()
 						}
 					}
-					log.Printf("ssh offline, retrying...")
+					s.log.Printf("ssh offline, retrying...")
 					s.ConnectSSH()
 				} else {
 					conn.Close()
@ -114,36 +136,64 @@ func (s *HTTP) InitService() {
 			}
 		}()
 	}
+	return
 }
 func (s *HTTP) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop http(s) service crashed,%s", e)
+		} else {
+			s.log.Printf("service http(s) stoped")
+		}
+	}()
+	s.isStop = true
+	s.checker.Stop()
+	if s.sshClient != nil {
+		s.sshClient.Close()
+	}
+	for _, sc := range s.serverChannels {
+		if sc.Listener != nil && *sc.Listener != nil {
+			(*sc.Listener).Close()
+		}
+		if sc.UDPListener != nil {
+			(*sc.UDPListener).Close()
 		}
 	}
-func (s *HTTP) Start(args interface{}) (err error) {
+}
+func (s *HTTP) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(HTTPArgs)
-	s.CheckArgs()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+
+	if err = s.InitService(); err != nil {
+		return
+	}
+
 	if *s.cfg.Parent != "" {
-		log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+		s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
 		s.InitOutConnPool()
 	}
-	s.InitService()
+
 	for _, addr := range strings.Split(*s.cfg.Local, ",") {
 		if addr != "" {
 			host, port, _ := net.SplitHostPort(addr)
 			p, _ := strconv.Atoi(port)
-			sc := utils.NewServerChannel(host, p)
+			sc := utils.NewServerChannel(host, p, s.log)
 			if *s.cfg.LocalType == TYPE_TCP {
 				err = sc.ListenTCP(s.callback)
 			} else if *s.cfg.LocalType == TYPE_TLS {
 				err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes, s.callback)
 			} else if *s.cfg.LocalType == TYPE_KCP {
-				err = sc.ListenKCP(s.cfg.KCP, s.callback)
+				err = sc.ListenKCP(s.cfg.KCP, s.callback, s.log)
 			}
 			if err != nil {
 				return
 			}
-			log.Printf("%s http(s) proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+			s.log.Printf("%s http(s) proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+			s.serverChannels = append(s.serverChannels, &sc)
 		}
 	}
 	return
@ -155,15 +205,23 @@ func (s *HTTP) Clean() {
 func (s *HTTP) callback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("http(s) conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+			s.log.Printf("http(s) conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 		}
 	}()
+	if *s.cfg.LocalCompress {
+		inConn = utils.NewCompConn(inConn)
+	}
+	if *s.cfg.LocalKey != "" {
+		inConn = conncrypt.New(inConn, &conncrypt.Config{
+			Password: *s.cfg.LocalKey,
+		})
+	}
 	var err interface{}
 	var req utils.HTTPRequest
-	req, err = utils.NewHTTPRequest(&inConn, 4096, s.IsBasicAuth(), &s.basicAuth)
+	req, err = utils.NewHTTPRequest(&inConn, 4096, s.IsBasicAuth(), &s.basicAuth, s.log)
 	if err != nil {
 		if err != io.EOF {
-			log.Printf("decoder error , from %s, ERR:%s", inConn.RemoteAddr(), err)
+			s.log.Printf("decoder error , from %s, ERR:%s", inConn.RemoteAddr(), err)
 		}
 		utils.CloseConn(&inConn)
 		return
@ -171,7 +229,7 @@ func (s *HTTP) callback(inConn net.Conn) {
 	address := req.Host
 	host, _, _ := net.SplitHostPort(address)
 	useProxy := false
-	if !utils.IsIternalIP(host) {
+	if !utils.IsIternalIP(host, *s.cfg.Always) {
 		useProxy = true
 		if *s.cfg.Parent == "" {
 			useProxy = false
@ -182,19 +240,18 @@ func (s *HTTP) callback(inConn net.Conn) {
 			s.checker.Add(k)
 			//var n, m uint
 			useProxy, _, _ = s.checker.IsBlocked(k)
-			//log.Printf("blocked ? : %v, %s , fail:%d ,success:%d", useProxy, address, n, m)
+			//s.log.Printf("blocked ? : %v, %s , fail:%d ,success:%d", useProxy, address, n, m)
 		}
 	}

-	log.Printf("use proxy : %v, %s", useProxy, address)
+	s.log.Printf("use proxy : %v, %s", useProxy, address)

 	err = s.OutToTCP(useProxy, address, &inConn, &req)
-
 	if err != nil {
 		if *s.cfg.Parent == "" {
-			log.Printf("connect to %s fail, ERR:%s", address, err)
+			s.log.Printf("connect to %s fail, ERR:%s", address, err)
 		} else {
-			log.Printf("connect to %s parent %s fail", *s.cfg.ParentType, *s.cfg.Parent)
+			s.log.Printf("connect to %s parent %s fail", *s.cfg.ParentType, *s.cfg.Parent)
 		}
 		utils.CloseConn(&inConn)
 	}
@ -209,19 +266,18 @@ func (s *HTTP) OutToTCP(useProxy bool, address string, inConn *net.Conn, req *ut
 		return
 	}
 	var outConn net.Conn
-	var _outConn interface{}
 	tryCount := 0
 	maxTryCount := 5
 	for {
+		if s.isStop {
+			return
+		}
 		if useProxy {
 			if *s.cfg.ParentType == "ssh" {
 				outConn, err = s.getSSHConn(address)
 			} else {
-				// log.Printf("%v", s.outPool)
-				_outConn, err = s.outPool.Pool.Get()
-				if err == nil {
-					outConn = _outConn.(net.Conn)
-				}
+				// s.log.Printf("%v", s.outPool)
+				outConn, err = s.outPool.Get()
 			}
 		} else {
 			outConn, err = utils.ConnectHost(s.Resolve(address), *s.cfg.Timeout)
@ -230,15 +286,24 @@ func (s *HTTP) OutToTCP(useProxy bool, address string, inConn *net.Conn, req *ut
 		if err == nil || tryCount > maxTryCount {
 			break
 		} else {
-			log.Printf("connect to %s , err:%s,retrying...", *s.cfg.Parent, err)
+			s.log.Printf("connect to %s , err:%s,retrying...", *s.cfg.Parent, err)
 			time.Sleep(time.Second * 2)
 		}
 	}
 	if err != nil {
-		log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
+		s.log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
 		utils.CloseConn(inConn)
 		return
 	}
+	if *s.cfg.ParentCompress {
+		outConn = utils.NewCompConn(outConn)
+	}
+	if *s.cfg.ParentKey != "" {
+		outConn = conncrypt.New(outConn, &conncrypt.Config{
+			Password: *s.cfg.ParentKey,
+		})
+	}
+
 	outAddr := outConn.RemoteAddr().String()
 	//outLocalAddr := outConn.LocalAddr().String()
 	if req.IsHTTPS() && (!useProxy || *s.cfg.ParentType == "ssh") {
@ -247,20 +312,29 @@ func (s *HTTP) OutToTCP(useProxy bool, address string, inConn *net.Conn, req *ut
 	} else {
 		//https或者http,上级是代理,proxy需要转发
 		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+		//直连目标或上级非代理,清理HTTP头部的代理头信息
+		if !useProxy || *s.cfg.ParentType == "ssh" {
+			_, err = outConn.Write(utils.RemoveProxyHeaders(req.HeadBuf))
+		} else {
 			_, err = outConn.Write(req.HeadBuf)
+		}
 		outConn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("write to %s , err:%s", *s.cfg.Parent, err)
+			s.log.Printf("write to %s , err:%s", *s.cfg.Parent, err)
 			utils.CloseConn(inConn)
 			return
 		}
 	}

 	utils.IoBind((*inConn), outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released [%s]", inAddr, outAddr, req.Host)
-	})
-	log.Printf("conn %s - %s connected [%s]", inAddr, outAddr, req.Host)
-
+		s.log.Printf("conn %s - %s released [%s]", inAddr, outAddr, req.Host)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	s.log.Printf("conn %s - %s connected [%s]", inAddr, outAddr, req.Host)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, inConn)
 	return
 }

@ -268,7 +342,7 @@ func (s *HTTP) getSSHConn(host string) (outConn net.Conn, err interface{}) {
 	maxTryCount := 1
 	tryCount := 0
 RETRY:
-	if tryCount >= maxTryCount {
+	if tryCount >= maxTryCount || s.isStop {
 		return
 	}
 	wait := make(chan bool, 1)
@ -287,7 +361,7 @@ RETRY:
 		err = fmt.Errorf("ssh dial %s timeout", host)
 	}
 	if err != nil {
-		log.Printf("connect ssh fail, ERR: %s, retrying...", err)
+		s.log.Printf("connect ssh fail, ERR: %s, retrying...", err)
 		e := s.ConnectSSH()
 		if e == nil {
 			tryCount++
@ -325,27 +399,25 @@ func (s *HTTP) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP || *s.cfg.ParentType == TYPE_KCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			*s.cfg.CheckParentInterval,
 			*s.cfg.ParentType,
 			s.cfg.KCP,
 			s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes,
 			s.Resolve(*s.cfg.Parent),
 			*s.cfg.Timeout,
-			*s.cfg.PoolSize,
-			*s.cfg.PoolSize*2,
 		)
 	}
 }
 func (s *HTTP) InitBasicAuth() (err error) {
 	if *s.cfg.DNSAddress != "" {
-		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver)
+		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver, s.log)
 	} else {
-		s.basicAuth = utils.NewBasicAuth(nil)
+		s.basicAuth = utils.NewBasicAuth(nil, s.log)
 	}
 	if *s.cfg.AuthURL != "" {
 		s.basicAuth.SetAuthURL(*s.cfg.AuthURL, *s.cfg.AuthURLOkCode, *s.cfg.AuthURLTimeout, *s.cfg.AuthURLRetry)
-		log.Printf("auth from %s", *s.cfg.AuthURL)
+		s.log.Printf("auth from %s", *s.cfg.AuthURL)
 	}
 	if *s.cfg.AuthFile != "" {
 		var n = 0
@ -354,11 +426,11 @@ func (s *HTTP) InitBasicAuth() (err error) {
 			err = fmt.Errorf("auth-file ERR:%s", err)
 			return
 		}
-		log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
 	}
 	if len(*s.cfg.Auth) > 0 {
 		n := s.basicAuth.Add(*s.cfg.Auth)
-		log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
 	}
 	return
 }
@ -410,7 +482,7 @@ func (s *HTTP) Resolve(address string) string {
 	}
 	ip, err := s.domainResolver.Resolve(address)
 	if err != nil {
-		log.Printf("dns error %s , ERR:%s", address, err)
+		s.log.Printf("dns error %s , ERR:%s", address, err)
 	}
 	return ip
 }
--- a/services/mux_bridge.go
+++ b/services/mux_bridge.go
@ -2,68 +2,108 @@ package services

 import (
 	"bufio"
+	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"math/rand"
 	"net"
-	"snail007/proxy/utils"
 	"strconv"
 	"strings"
 	"sync"
 	"time"

-	"github.com/xtaci/smux"
+	"github.com/snail007/goproxy/utils"
+
+	//"github.com/xtaci/smux"
+	smux "github.com/hashicorp/yamux"
 )

 type MuxBridge struct {
 	cfg                MuxBridgeArgs
 	clientControlConns utils.ConcurrentMap
+	serverConns        utils.ConcurrentMap
 	router             utils.ClientKeyRouter
 	l                  *sync.Mutex
+	isStop             bool
+	sc                 *utils.ServerChannel
+	log                *logger.Logger
 }

 func NewMuxBridge() Service {
 	b := &MuxBridge{
 		cfg:                MuxBridgeArgs{},
 		clientControlConns: utils.NewConcurrentMap(),
+		serverConns:        utils.NewConcurrentMap(),
 		l:                  &sync.Mutex{},
+		isStop:             false,
 	}
 	b.router = utils.NewClientKeyRouter(&b.clientControlConns, 50000)
 	return b
 }

-func (s *MuxBridge) InitService() {
-
+func (s *MuxBridge) InitService() (err error) {
+	return
 }
-func (s *MuxBridge) CheckArgs() {
+func (s *MuxBridge) CheckArgs() (err error) {
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
 	if *s.cfg.LocalType == TYPE_TLS {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
 		}
 	}
+	return
+}
 func (s *MuxBridge) StopService() {
-
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop bridge service crashed,%s", e)
+		} else {
+			s.log.Printf("service bridge stoped")
 		}
-func (s *MuxBridge) Start(args interface{}) (err error) {
+	}()
+	s.isStop = true
+	if s.sc != nil && (*s.sc).Listener != nil {
+		(*(*s.sc).Listener).Close()
+	}
+	for _, g := range s.clientControlConns.Items() {
+		for _, session := range g.(utils.ConcurrentMap).Items() {
+			(session.(*smux.Session)).Close()
+		}
+	}
+	for _, c := range s.serverConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
+}
+func (s *MuxBridge) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxBridgeArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)
 	if *s.cfg.LocalType == TYPE_TCP {
 		err = sc.ListenTCP(s.handler)
 	} else if *s.cfg.LocalType == TYPE_TLS {
 		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.handler)
 	} else if *s.cfg.LocalType == TYPE_KCP {
-		err = sc.ListenKCP(s.cfg.KCP, s.handler)
+		err = sc.ListenKCP(s.cfg.KCP, s.handler, s.log)
 	}
 	if err != nil {
 		return
 	}
-	log.Printf("%s bridge on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+	s.sc = &sc
+	s.log.Printf("%s bridge on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
 	return
 }
 func (s *MuxBridge) Clean() {
@ -79,47 +119,64 @@ func (s *MuxBridge) handler(inConn net.Conn) {
 	err = utils.ReadPacket(reader, &connType, &key)
 	inConn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("read error,ERR:%s", err)
+		s.log.Printf("read error,ERR:%s", err)
 		return
 	}
 	switch connType {
 	case CONN_SERVER:
 		var serverID string
+		inAddr := inConn.RemoteAddr().String()
 		inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		err = utils.ReadPacketData(reader, &serverID)
 		inConn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("read error,ERR:%s", err)
+			s.log.Printf("read error,ERR:%s", err)
 			return
 		}
-		log.Printf("server connection %s %s connected", serverID, key)
+		s.log.Printf("server connection %s %s connected", serverID, key)
+		if c, ok := s.serverConns.Get(inAddr); ok {
+			(*c.(*net.Conn)).Close()
+		}
+		s.serverConns.Set(inAddr, &inConn)
 		session, err := smux.Server(inConn, nil)
 		if err != nil {
 			utils.CloseConn(&inConn)
-			log.Printf("server session error,ERR:%s", err)
+			s.log.Printf("server session error,ERR:%s", err)
 			return
 		}
 		for {
+			if s.isStop {
+				return
+			}
 			stream, err := session.AcceptStream()
 			if err != nil {
 				session.Close()
 				utils.CloseConn(&inConn)
+				s.serverConns.Remove(inAddr)
+				s.log.Printf("server connection %s %s released", serverID, key)
 				return
 			}
-			go s.callback(stream, serverID, key)
+			go func() {
+				defer func() {
+					if e := recover(); e != nil {
+						s.log.Printf("bridge callback crashed,err: %s", e)
+					}
+				}()
+				s.callback(stream, serverID, key)
+			}()
 		}
 	case CONN_CLIENT:
-		log.Printf("client connection %s connected", key)
+		s.log.Printf("client connection %s connected", key)
 		session, err := smux.Client(inConn, nil)
 		if err != nil {
 			utils.CloseConn(&inConn)
-			log.Printf("client session error,ERR:%s", err)
+			s.log.Printf("client session error,ERR:%s", err)
 			return
 		}
 		keyInfo := strings.Split(key, "-")
 		if len(keyInfo) != 2 {
 			utils.CloseConn(&inConn)
-			log.Printf("client key format error,key:%s", key)
+			s.log.Printf("client key format error,key:%s", key)
 			return
 		}
 		groupKey := keyInfo[0]
@ -139,11 +196,15 @@ func (s *MuxBridge) handler(inConn net.Conn) {
 		// s.clientControlConns.Set(key, session)
 		go func() {
 			for {
+				if s.isStop {
+					return
+				}
 				if session.IsClosed() {
 					s.l.Lock()
 					defer s.l.Unlock()
 					if sess, ok := group.Get(index); ok && sess.(*smux.Session).IsClosed() {
 						group.Remove(index)
+						s.log.Printf("client connection %s released", key)
 					}
 					if group.IsEmpty() {
 						s.clientControlConns.Remove(groupKey)
@ -153,13 +214,16 @@ func (s *MuxBridge) handler(inConn net.Conn) {
 				time.Sleep(time.Second * 5)
 			}
 		}()
-		//log.Printf("set client session,key: %s", key)
+		//s.log.Printf("set client session,key: %s", key)
 	}

 }
 func (s *MuxBridge) callback(inConn net.Conn, serverID, key string) {
 	try := 20
 	for {
+		if s.isStop {
+			return
+		}
 		try--
 		if try == 0 {
 			break
@ -169,7 +233,7 @@ func (s *MuxBridge) callback(inConn net.Conn, serverID, key string) {
 		}
 		_group, ok := s.clientControlConns.Get(key)
 		if !ok {
-			log.Printf("client %s session not exists for server stream %s, retrying...", key, serverID)
+			s.log.Printf("client %s session not exists for server stream %s, retrying...", key, serverID)
 			time.Sleep(time.Second * 3)
 			continue
 		}
@ -180,22 +244,22 @@ func (s *MuxBridge) callback(inConn net.Conn, serverID, key string) {
 		if keysLen > 0 {
 			i = rand.Intn(keysLen)
 		} else {
-			log.Printf("client %s session empty for server stream %s, retrying...", key, serverID)
+			s.log.Printf("client %s session empty for server stream %s, retrying...", key, serverID)
 			time.Sleep(time.Second * 3)
 			continue
 		}
 		index := keys[i]
-		log.Printf("select client : %s-%s", key, index)
+		s.log.Printf("select client : %s-%s", key, index)
 		session, _ := group.Get(index)
-		session.(*smux.Session).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
+		//session.(*smux.Session).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		stream, err := session.(*smux.Session).OpenStream()
-		session.(*smux.Session).SetDeadline(time.Time{})
+		//session.(*smux.Session).SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("%s client session open stream %s fail, err: %s, retrying...", key, serverID, err)
+			s.log.Printf("%s client session open stream %s fail, err: %s, retrying...", key, serverID, err)
 			time.Sleep(time.Second * 3)
 			continue
 		} else {
-			log.Printf("stream %s -> %s created", serverID, key)
+			s.log.Printf("stream %s -> %s created", serverID, key)
 			die1 := make(chan bool, 1)
 			die2 := make(chan bool, 1)
 			go func() {
@ -212,7 +276,7 @@ func (s *MuxBridge) callback(inConn net.Conn, serverID, key string) {
 			}
 			stream.Close()
 			inConn.Close()
-			log.Printf("%s server %s stream released", key, serverID)
+			s.log.Printf("%s server %s stream released", key, serverID)
 			break
 		}
 	}
--- a/services/mux_client.go
+++ b/services/mux_client.go
@ -4,67 +4,100 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"snail007/proxy/utils"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"github.com/golang/snappy"
-	"github.com/xtaci/smux"
+	//"github.com/xtaci/smux"
+	smux "github.com/hashicorp/yamux"
 )

 type MuxClient struct {
 	cfg      MuxClientArgs
+	isStop   bool
+	sessions utils.ConcurrentMap
+	log      *logger.Logger
 }

 func NewMuxClient() Service {
 	return &MuxClient{
 		cfg:      MuxClientArgs{},
+		isStop:   false,
+		sessions: utils.NewConcurrentMap(),
 	}
 }

-func (s *MuxClient) InitService() {
-
+func (s *MuxClient) InitService() (err error) {
+	return
 }

-func (s *MuxClient) CheckArgs() {
+func (s *MuxClient) CheckArgs() (err error) {
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use tls parent %s", *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
 	if *s.cfg.ParentType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
 		}
 	}
+	return
+}
 func (s *MuxClient) StopService() {
-
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop client service crashed,%s", e)
+		} else {
+			s.log.Printf("service client stoped")
 		}
-func (s *MuxClient) Start(args interface{}) (err error) {
+	}()
+	s.isStop = true
+	for _, sess := range s.sessions.Items() {
+		sess.(*smux.Session).Close()
+	}
+}
+func (s *MuxClient) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxClientArgs)
-	s.CheckArgs()
-	s.InitService()
-	log.Printf("client started")
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("client started")
 	count := 1
 	if *s.cfg.SessionCount > 0 {
 		count = *s.cfg.SessionCount
 	}
 	for i := 1; i <= count; i++ {
-		log.Printf("session worker[%d] started", i)
+		key := fmt.Sprintf("worker[%d]", i)
+		s.log.Printf("session %s started", key)
 		go func(i int) {
 			defer func() {
 				e := recover()
 				if e != nil {
-					log.Printf("session worker crashed: %s", e)
+					s.log.Printf("session worker crashed: %s", e)
 				}
 			}()
 			for {
+				if s.isStop {
+					return
+				}
 				conn, err := s.getParentConn()
 				if err != nil {
-					log.Printf("connection err: %s, retrying...", err)
+					s.log.Printf("connection err: %s, retrying...", err)
 					time.Sleep(time.Second * 3)
 					continue
 				}
@ -73,21 +106,28 @@ func (s *MuxClient) Start(args interface{}) (err error) {
 				conn.SetDeadline(time.Time{})
 				if err != nil {
 					conn.Close()
-					log.Printf("connection err: %s, retrying...", err)
+					s.log.Printf("connection err: %s, retrying...", err)
 					time.Sleep(time.Second * 3)
 					continue
 				}
 				session, err := smux.Server(conn, nil)
 				if err != nil {
-					log.Printf("session err: %s, retrying...", err)
+					s.log.Printf("session err: %s, retrying...", err)
 					conn.Close()
 					time.Sleep(time.Second * 3)
 					continue
 				}
+				if _sess, ok := s.sessions.Get(key); ok {
+					_sess.(*smux.Session).Close()
+				}
+				s.sessions.Set(key, session)
 				for {
+					if s.isStop {
+						return
+					}
 					stream, err := session.AcceptStream()
 					if err != nil {
-						log.Printf("accept stream err: %s, retrying...", err)
+						s.log.Printf("accept stream err: %s, retrying...", err)
 						session.Close()
 						time.Sleep(time.Second * 3)
 						break
@ -96,7 +136,7 @@ func (s *MuxClient) Start(args interface{}) (err error) {
 						defer func() {
 							e := recover()
 							if e != nil {
-								log.Printf("stream handler crashed: %s", e)
+								s.log.Printf("stream handler crashed: %s", e)
 							}
 						}()
 						var ID, clientLocalAddr, serverID string
@ -104,11 +144,11 @@ func (s *MuxClient) Start(args interface{}) (err error) {
 						err = utils.ReadPacketData(stream, &ID, &clientLocalAddr, &serverID)
 						stream.SetDeadline(time.Time{})
 						if err != nil {
-							log.Printf("read stream signal err: %s", err)
+							s.log.Printf("read stream signal err: %s", err)
 							stream.Close()
 							return
 						}
-						log.Printf("worker[%d] signal revecived,server %s stream %s %s", i, serverID, ID, clientLocalAddr)
+						s.log.Printf("worker[%d] signal revecived,server %s stream %s %s", i, serverID, ID, clientLocalAddr)
 						protocol := clientLocalAddr[:3]
 						localAddr := clientLocalAddr[4:]
 						if protocol == "udp" {
@ -119,7 +159,6 @@ func (s *MuxClient) Start(args interface{}) (err error) {
 					}()
 				}
 			}
-
 		}(i)
 	}
 	return
@ -144,17 +183,28 @@ func (s *MuxClient) getParentConn() (conn net.Conn, err error) {
 func (s *MuxClient) ServeUDP(inConn *smux.Stream, localAddr, ID string) {

 	for {
+		if s.isStop {
+			return
+		}
 		inConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		srcAddr, body, err := utils.ReadUDPPacket(inConn)
 		inConn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("udp packet revecived fail, err: %s", err)
-			log.Printf("connection %s released", ID)
+			s.log.Printf("udp packet revecived fail, err: %s", err)
+			s.log.Printf("connection %s released", ID)
 			inConn.Close()
 			break
 		} else {
-			//log.Printf("udp packet revecived:%s,%v", srcAddr, body)
-			go s.processUDPPacket(inConn, srcAddr, localAddr, body)
+			//s.log.Printf("udp packet revecived:%s,%v", srcAddr, body)
+			go func() {
+				defer func() {
+					if e := recover(); e != nil {
+						s.log.Printf("client processUDPPacket crashed,err: %s", e)
+					}
+				}()
+				s.processUDPPacket(inConn, srcAddr, localAddr, body)
+			}()
+
 		}

 	}
@ -163,57 +213,60 @@ func (s *MuxClient) ServeUDP(inConn *smux.Stream, localAddr, ID string) {
 func (s *MuxClient) processUDPPacket(inConn *smux.Stream, srcAddr, localAddr string, body []byte) {
 	dstAddr, err := net.ResolveUDPAddr("udp", localAddr)
 	if err != nil {
-		log.Printf("can't resolve address: %s", err)
+		s.log.Printf("can't resolve address: %s", err)
 		inConn.Close()
 		return
 	}
 	clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 	if err != nil {
-		log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = conn.Write(body)
 	conn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("send udp packet to %s success", dstAddr.String())
+	//s.log.Printf("send udp packet to %s success", dstAddr.String())
 	buf := make([]byte, 1024)
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	length, _, err := conn.ReadFromUDP(buf)
 	conn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	respBody := buf[0:length]
-	//log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
+	//s.log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 	bs := utils.UDPPacket(srcAddr, respBody)
 	(*inConn).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = (*inConn).Write(bs)
 	(*inConn).SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("send udp response fail ,ERR:%s", err)
+		s.log.Printf("send udp response fail ,ERR:%s", err)
 		inConn.Close()
 		return
 	}
-	//log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
+	//s.log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
 }
 func (s *MuxClient) ServeConn(inConn *smux.Stream, localAddr, ID string) {
 	var err error
 	var outConn net.Conn
 	i := 0
 	for {
+		if s.isStop {
+			return
+		}
 		i++
 		outConn, err = utils.ConnectHost(localAddr, *s.cfg.Timeout)
 		if err == nil || i == 3 {
 			break
 		} else {
 			if i == 3 {
-				log.Printf("connect to %s err: %s, retrying...", localAddr, err)
+				s.log.Printf("connect to %s err: %s, retrying...", localAddr, err)
 				time.Sleep(2 * time.Second)
 				continue
 			}
@ -222,11 +275,11 @@ func (s *MuxClient) ServeConn(inConn *smux.Stream, localAddr, ID string) {
 	if err != nil {
 		inConn.Close()
 		utils.CloseConn(&outConn)
-		log.Printf("build connection error, err: %s", err)
+		s.log.Printf("build connection error, err: %s", err)
 		return
 	}

-	log.Printf("stream %s created", ID)
+	s.log.Printf("stream %s created", ID)
 	if *s.cfg.IsCompress {
 		die1 := make(chan bool, 1)
 		die2 := make(chan bool, 1)
@ -244,10 +297,10 @@ func (s *MuxClient) ServeConn(inConn *smux.Stream, localAddr, ID string) {
 		}
 		outConn.Close()
 		inConn.Close()
-		log.Printf("%s stream %s released", *s.cfg.Key, ID)
+		s.log.Printf("%s stream %s released", *s.cfg.Key, ID)
 	} else {
 		utils.IoBind(inConn, outConn, func(err interface{}) {
-			log.Printf("stream %s released", ID)
-		})
+			s.log.Printf("stream %s released", ID)
+		}, s.log)
 	}
 }
--- a/services/mux_server.go
+++ b/services/mux_server.go
@ -4,17 +4,19 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"math/rand"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/utils"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"github.com/golang/snappy"
-	"github.com/xtaci/smux"
+	//"github.com/xtaci/smux"
+	smux "github.com/hashicorp/yamux"
 )

 type MuxServer struct {
@ -23,13 +25,17 @@ type MuxServer struct {
 	sc       utils.ServerChannel
 	sessions utils.ConcurrentMap
 	lockChn  chan bool
+	isStop   bool
+	udpConn  *net.Conn
+	log      *logger.Logger
 }

 type MuxServerManager struct {
 	cfg      MuxServerArgs
 	udpChn   chan MuxUDPItem
-	sc       utils.ServerChannel
 	serverID string
+	servers  []*Service
+	log      *logger.Logger
 }

 func NewMuxServerManager() Service {
@ -37,21 +43,29 @@ func NewMuxServerManager() Service {
 		cfg:      MuxServerArgs{},
 		udpChn:   make(chan MuxUDPItem, 50000),
 		serverID: utils.Uniqueid(),
+		servers:  []*Service{},
 	}
 }
-func (s *MuxServerManager) Start(args interface{}) (err error) {
+
+func (s *MuxServerManager) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxServerArgs)
-	s.CheckArgs()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
 	if *s.cfg.Parent != "" {
-		log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+		s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}

-	s.InitService()
+	if err = s.InitService(); err != nil {
+		return
+	}

-	log.Printf("server id: %s", s.serverID)
-	//log.Printf("route:%v", *s.cfg.Route)
+	s.log.Printf("server id: %s", s.serverID)
+	//s.log.Printf("route:%v", *s.cfg.Route)
 	for _, _info := range *s.cfg.Route {
 		if _info == "" {
 			continue
@ -64,6 +78,7 @@ func (s *MuxServerManager) Start(args interface{}) (err error) {
 		info = strings.TrimPrefix(info, "tcp://")
 		_routeInfo := strings.Split(info, "@")
 		server := NewMuxServer()
+
 		local := _routeInfo[0]
 		remote := _routeInfo[1]
 		KEY := *s.cfg.Key
@ -90,11 +105,12 @@ func (s *MuxServerManager) Start(args interface{}) (err error) {
 			SessionCount: s.cfg.SessionCount,
 			KCP:          s.cfg.KCP,
 			ParentType:   s.cfg.ParentType,
-		})
+		}, log)

 		if err != nil {
 			return
 		}
+		s.servers = append(s.servers, &server)
 	}
 	return
 }
@ -102,16 +118,25 @@ func (s *MuxServerManager) Clean() {
 	s.StopService()
 }
 func (s *MuxServerManager) StopService() {
+	for _, server := range s.servers {
+		(*server).Clean()
 	}
-func (s *MuxServerManager) CheckArgs() {
+}
+func (s *MuxServerManager) CheckArgs() (err error) {
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
 	if *s.cfg.ParentType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
 		}
 	}
-func (s *MuxServerManager) InitService() {
+	return
+}
+func (s *MuxServerManager) InitService() (err error) {
+	return
 }

 func NewMuxServer() Service {
@ -120,6 +145,7 @@ func NewMuxServer() Service {
 		udpChn:   make(chan MuxUDPItem, 50000),
 		lockChn:  make(chan bool, 1),
 		sessions: utils.NewConcurrentMap(),
+		isStop:   false,
 	}
 }

@ -129,22 +155,53 @@ type MuxUDPItem struct {
 	srcAddr   *net.UDPAddr
 }

-func (s *MuxServer) InitService() {
+func (s *MuxServer) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop server service crashed,%s", e)
+		} else {
+			s.log.Printf("service server stoped")
+		}
+	}()
+	s.isStop = true
+	for _, sess := range s.sessions.Items() {
+		sess.(*smux.Session).Close()
+	}
+	if s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
+	}
+	if s.udpConn != nil {
+		(*s.udpConn).Close()
+	}
+}
+func (s *MuxServer) InitService() (err error) {
 	s.UDPConnDeamon()
+	return
 }
-func (s *MuxServer) CheckArgs() {
+func (s *MuxServer) CheckArgs() (err error) {
 	if *s.cfg.Remote == "" {
-		log.Fatalf("remote required")
+		err = fmt.Errorf("remote required")
+		return
 	}
+	return
 }

-func (s *MuxServer) Start(args interface{}) (err error) {
+func (s *MuxServer) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(MuxServerArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	s.sc = utils.NewServerChannel(host, p)
+	s.sc = utils.NewServerChannel(host, p, s.log)
 	if *s.cfg.IsUDP {
 		err = s.sc.ListenUDP(func(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 			s.udpChn <- MuxUDPItem{
@ -156,28 +213,31 @@ func (s *MuxServer) Start(args interface{}) (err error) {
 		if err != nil {
 			return
 		}
-		log.Printf("server on %s", (*s.sc.UDPListener).LocalAddr())
+		s.log.Printf("server on %s", (*s.sc.UDPListener).LocalAddr())
 	} else {
 		err = s.sc.ListenTCP(func(inConn net.Conn) {
 			defer func() {
 				if err := recover(); err != nil {
-					log.Printf("connection handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+					s.log.Printf("connection handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 				}
 			}()
 			var outConn net.Conn
 			var ID string
 			for {
+				if s.isStop {
+					return
+				}
 				outConn, ID, err = s.GetOutConn()
 				if err != nil {
 					utils.CloseConn(&outConn)
-					log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+					s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 					time.Sleep(time.Second * 3)
 					continue
 				} else {
 					break
 				}
 			}
-			log.Printf("%s stream %s created", *s.cfg.Key, ID)
+			s.log.Printf("%s stream %s created", *s.cfg.Key, ID)
 			if *s.cfg.IsCompress {
 				die1 := make(chan bool, 1)
 				die2 := make(chan bool, 1)
@ -195,22 +255,22 @@ func (s *MuxServer) Start(args interface{}) (err error) {
 				}
 				outConn.Close()
 				inConn.Close()
-				log.Printf("%s stream %s released", *s.cfg.Key, ID)
+				s.log.Printf("%s stream %s released", *s.cfg.Key, ID)
 			} else {
 				utils.IoBind(inConn, outConn, func(err interface{}) {
-					log.Printf("%s stream %s released", *s.cfg.Key, ID)
-				})
+					s.log.Printf("%s stream %s released", *s.cfg.Key, ID)
+				}, s.log)
 			}
 		})
 		if err != nil {
 			return
 		}
-		log.Printf("server on %s", (*s.sc.Listener).Addr())
+		s.log.Printf("server on %s", (*s.sc.Listener).Addr())
 	}
 	return
 }
 func (s *MuxServer) Clean() {
-
+	s.StopService()
 }
 func (s *MuxServer) GetOutConn() (outConn net.Conn, ID string, err error) {
 	i := 1
@ -219,7 +279,7 @@ func (s *MuxServer) GetOutConn() (outConn net.Conn, ID string, err error) {
 	}
 	outConn, err = s.GetConn(fmt.Sprintf("%d", i))
 	if err != nil {
-		log.Printf("connection err: %s", err)
+		s.log.Printf("connection err: %s", err)
 		return
 	}
 	remoteAddr := "tcp:" + *s.cfg.Remote
@ -231,7 +291,7 @@ func (s *MuxServer) GetOutConn() (outConn net.Conn, ID string, err error) {
 	_, err = outConn.Write(utils.BuildPacketData(ID, remoteAddr, s.cfg.Mgr.serverID))
 	outConn.SetDeadline(time.Time{})
 	if err != nil {
-		log.Printf("write stream data err: %s ,retrying...", err)
+		s.log.Printf("write stream data err: %s ,retrying...", err)
 		utils.CloseConn(&outConn)
 		return
 	}
@ -268,10 +328,16 @@ func (s *MuxServer) GetConn(index string) (conn net.Conn, err error) {
 				return
 			}
 		}
+		if _sess, ok := s.sessions.Get(index); ok {
+			_sess.(*smux.Session).Close()
+		}
 		s.sessions.Set(index, session)
-		log.Printf("session[%s] created", index)
+		s.log.Printf("session[%s] created", index)
 		go func() {
 			for {
+				if s.isStop {
+					return
+				}
 				if session.IsClosed() {
 					s.sessions.Remove(index)
 					break
@ -307,42 +373,55 @@ func (s *MuxServer) UDPConnDeamon() {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
-				log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+				s.log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 			}
 		}()
 		var outConn net.Conn
 		var ID string
 		var err error
 		for {
+			if s.isStop {
+				return
+			}
 			item := <-s.udpChn
 		RETRY:
+			if s.isStop {
+				return
+			}
 			if outConn == nil {
 				for {
+					if s.isStop {
+						return
+					}
 					outConn, ID, err = s.GetOutConn()
 					if err != nil {
 						outConn = nil
 						utils.CloseConn(&outConn)
-						log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+						s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 						time.Sleep(time.Second * 3)
 						continue
 					} else {
 						go func(outConn net.Conn, ID string) {
-							go func() {
-								// outConn.Close()
-							}()
+							if s.udpConn != nil {
+								(*s.udpConn).Close()
+							}
+							s.udpConn = &outConn
 							for {
+								if s.isStop {
+									return
+								}
 								outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 								srcAddrFromConn, body, err := utils.ReadUDPPacket(outConn)
 								outConn.SetDeadline(time.Time{})
 								if err != nil {
-									log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
-									log.Printf("UDP deamon connection %s exited", ID)
+									s.log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
+									s.log.Printf("UDP deamon connection %s exited", ID)
 									break
 								}
-								//log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
+								//s.log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
 								_srcAddr := strings.Split(srcAddrFromConn, ":")
 								if len(_srcAddr) != 2 {
-									log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
+									s.log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
 									continue
 								}
 								port, _ := strconv.Atoi(_srcAddr[1])
@ -351,10 +430,10 @@ func (s *MuxServer) UDPConnDeamon() {
 								_, err = s.sc.UDPListener.WriteToUDP(body, dstAddr)
 								s.sc.UDPListener.SetDeadline(time.Time{})
 								if err != nil {
-									log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
+									s.log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
 									continue
 								}
-								//log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
+								//s.log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
 							}
 						}(outConn, ID)
 						break
@ -367,10 +446,10 @@ func (s *MuxServer) UDPConnDeamon() {
 			if err != nil {
 				utils.CloseConn(&outConn)
 				outConn = nil
-				log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
+				s.log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
 				goto RETRY
 			}
-			//log.Printf("write packet %v", *item.packet)
+			//s.log.Printf("write packet %v", *item.packet)
 		}
 	}()
 }
--- a/services/service.go
+++ b/services/service.go
@ -2,50 +2,62 @@ package services

 import (
 	"fmt"
-	"log"
+	logger "log"
 	"runtime/debug"
 )

 type Service interface {
-	Start(args interface{}) (err error)
+	Start(args interface{}, log *logger.Logger) (err error)
 	Clean()
 }
 type ServiceItem struct {
 	S    Service
 	Args interface{}
 	Name string
+	Log  *logger.Logger
 }

 var servicesMap = map[string]*ServiceItem{}

-func Regist(name string, s Service, args interface{}) {
+func Regist(name string, s Service, args interface{}, log *logger.Logger) {
+	Stop(name)
 	servicesMap[name] = &ServiceItem{
 		S:    s,
 		Args: args,
 		Name: name,
+		Log:  log,
 	}
 }
-func Run(name string, args ...interface{}) (service *ServiceItem, err error) {
+func GetService(name string) *ServiceItem {
+	if s, ok := servicesMap[name]; ok && s.S != nil {
+		return s
+	}
+	return nil
+
+}
+func Stop(name string) {
+	if s, ok := servicesMap[name]; ok && s.S != nil {
+		s.S.Clean()
+	}
+}
+func Run(name string, args interface{}) (service *ServiceItem, err error) {
 	service, ok := servicesMap[name]
 	if ok {
-		go func() {
 		defer func() {
-				err := recover()
-				if err != nil {
-					log.Fatalf("%s servcie crashed, ERR: %s\ntrace:%s", name, err, string(debug.Stack()))
+			e := recover()
+			if e != nil {
+				err = fmt.Errorf("%s servcie crashed, ERR: %s\ntrace:%s", name, e, string(debug.Stack()))
 			}
 		}()
-			if len(args) == 1 {
-				err = service.S.Start(args[0])
+		if args != nil {
+			err = service.S.Start(args, service.Log)
 		} else {
-				err = service.S.Start(service.Args)
+			err = service.S.Start(service.Args, service.Log)
 		}
 		if err != nil {
-				log.Fatalf("%s servcie fail, ERR: %s", name, err)
+			err = fmt.Errorf("%s servcie fail, ERR: %s", name, err)
 		}
-		}()
-	}
-	if !ok {
+	} else {
 		err = fmt.Errorf("service %s not found", name)
 	}
 	return
--- a/services/socks.go
+++ b/services/socks.go
@ -4,15 +4,17 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/utils"
-	"snail007/proxy/utils/aes"
-	"snail007/proxy/utils/socks"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils"
+	"github.com/snail007/goproxy/utils/aes"
+	"github.com/snail007/goproxy/utils/conncrypt"
+	"github.com/snail007/goproxy/utils/socks"
+
 	"golang.org/x/crypto/ssh"
 )

@ -23,7 +25,11 @@ type Socks struct {
 	sshClient      *ssh.Client
 	lockChn        chan bool
 	udpSC          utils.ServerChannel
+	sc             *utils.ServerChannel
 	domainResolver utils.DomainResolver
+	isStop         bool
+	userConns      utils.ConcurrentMap
+	log            *logger.Logger
 }

 func NewSocks() Service {
@ -32,39 +38,50 @@ func NewSocks() Service {
 		checker:   utils.Checker{},
 		basicAuth: utils.BasicAuth{},
 		lockChn:   make(chan bool, 1),
+		isStop:    false,
+		userConns: utils.NewConcurrentMap(),
 	}
 }

-func (s *Socks) CheckArgs() {
-	var err error
+func (s *Socks) CheckArgs() (err error) {
+
 	if *s.cfg.LocalType == "tls" || (*s.cfg.Parent != "" && *s.cfg.ParentType == "tls") {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
 		if *s.cfg.CaCertFile != "" {
 			s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
 			if err != nil {
-				log.Fatalf("read ca file error,ERR:%s", err)
+				err = fmt.Errorf("read ca file error,ERR:%s", err)
+				return
 			}
 		}
 	}
 	if *s.cfg.Parent != "" {
 		if *s.cfg.ParentType == "" {
-			log.Fatalf("parent type unkown,use -T <tls|tcp|ssh|kcp>")
+			err = fmt.Errorf("parent type unkown,use -T <tls|tcp|ssh|kcp>")
+			return
+		}
+		host, _, e := net.SplitHostPort(*s.cfg.Parent)
+		if e != nil {
+			err = fmt.Errorf("parent format error : %s", e)
+			return
+		}
+		if *s.cfg.UDPParent == "" {
+			*s.cfg.UDPParent = net.JoinHostPort(host, "33090")
+		}
+		if strings.HasPrefix(*s.cfg.UDPParent, ":") {
+			*s.cfg.UDPParent = net.JoinHostPort(host, strings.TrimLeft(*s.cfg.UDPParent, ":"))
 		}
-		// if *s.cfg.ParentType == "tls" {
-		// 	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
-		// 	if *s.cfg.CaCertFile != "" {
-		// 		s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
-		// 		if err != nil {
-		// 			log.Fatalf("read ca file error,ERR:%s", err)
-		// 		}
-		// 	}
-		// }
 		if *s.cfg.ParentType == "ssh" {
 			if *s.cfg.SSHUser == "" {
-				log.Fatalf("ssh user required")
+				err = fmt.Errorf("ssh user required")
+				return
 			}
 			if *s.cfg.SSHKeyFile == "" && *s.cfg.SSHPassword == "" {
-				log.Fatalf("ssh password or key required")
+				err = fmt.Errorf("ssh password or key required")
+				return
 			}
 			if *s.cfg.SSHPassword != "" {
 				s.cfg.SSHAuthMethod = ssh.Password(*s.cfg.SSHPassword)
@ -72,7 +89,8 @@ func (s *Socks) CheckArgs() {
 				var SSHSigner ssh.Signer
 				s.cfg.SSHKeyBytes, err = ioutil.ReadFile(*s.cfg.SSHKeyFile)
 				if err != nil {
-					log.Fatalf("read key file ERR: %s", err)
+					err = fmt.Errorf("read key file ERR: %s", err)
+					return
 				}
 				if *s.cfg.SSHKeyFileSalt != "" {
 					SSHSigner, err = ssh.ParsePrivateKeyWithPassphrase(s.cfg.SSHKeyBytes, []byte(*s.cfg.SSHKeyFileSalt))
@ -80,28 +98,33 @@ func (s *Socks) CheckArgs() {
 					SSHSigner, err = ssh.ParsePrivateKey(s.cfg.SSHKeyBytes)
 				}
 				if err != nil {
-					log.Fatalf("parse ssh private key fail,ERR: %s", err)
+					err = fmt.Errorf("parse ssh private key fail,ERR: %s", err)
+					return
 				}
 				s.cfg.SSHAuthMethod = ssh.PublicKeys(SSHSigner)
 			}
 		}
 	}
-
+	return
 }
-func (s *Socks) InitService() {
+func (s *Socks) InitService() (err error) {
 	s.InitBasicAuth()
 	if *s.cfg.DNSAddress != "" {
-		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL)
+		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL, s.log)
 	}
-	s.checker = utils.NewChecker(*s.cfg.Timeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct)
+	s.checker = utils.NewChecker(*s.cfg.Timeout, int64(*s.cfg.Interval), *s.cfg.Blocked, *s.cfg.Direct, s.log)
 	if *s.cfg.ParentType == "ssh" {
-		err := s.ConnectSSH()
-		if err != nil {
-			log.Fatalf("init service fail, ERR: %s", err)
+		e := s.ConnectSSH()
+		if e != nil {
+			err = fmt.Errorf("init service fail, ERR: %s", e)
+			return
 		}
 		go func() {
 			//循环检查ssh网络连通性
 			for {
+				if s.isStop {
+					return
+				}
 				conn, err := utils.ConnectHost(s.Resolve(*s.cfg.Parent), *s.cfg.Timeout*2)
 				if err == nil {
 					conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
@ -112,7 +135,7 @@ func (s *Socks) InitService() {
 					if s.sshClient != nil {
 						s.sshClient.Close()
 					}
-					log.Printf("ssh offline, retrying...")
+					s.log.Printf("ssh offline, retrying...")
 					s.ConnectSSH()
 				} else {
 					conn.Close()
@ -122,44 +145,71 @@ func (s *Socks) InitService() {
 		}()
 	}
 	if *s.cfg.ParentType == "ssh" {
-		log.Println("warn: socks udp not suppored for ssh")
+		s.log.Printf("warn: socks udp not suppored for ssh")
 	} else {
-		s.udpSC = utils.NewServerChannelHost(*s.cfg.UDPLocal)
-		err := s.udpSC.ListenUDP(s.udpCallback)
-		if err != nil {
-			log.Fatalf("init udp service fail, ERR: %s", err)
+		s.udpSC = utils.NewServerChannelHost(*s.cfg.UDPLocal, s.log)
+		e := s.udpSC.ListenUDP(s.udpCallback)
+		if e != nil {
+			err = fmt.Errorf("init udp service fail, ERR: %s", e)
+			return
 		}
-		log.Printf("udp socks proxy on %s", s.udpSC.UDPListener.LocalAddr())
+		s.log.Printf("udp socks proxy on %s", s.udpSC.UDPListener.LocalAddr())
 	}
+	return
 }
 func (s *Socks) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop socks service crashed,%s", e)
+		} else {
+			s.log.Printf("service socks stoped")
+		}
+	}()
+	s.isStop = true
+	s.checker.Stop()
 	if s.sshClient != nil {
 		s.sshClient.Close()
 	}
 	if s.udpSC.UDPListener != nil {
 		s.udpSC.UDPListener.Close()
 	}
+	if s.sc != nil && (*s.sc).Listener != nil {
+		(*(*s.sc).Listener).Close()
 	}
-func (s *Socks) Start(args interface{}) (err error) {
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
+}
+func (s *Socks) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	//start()
 	s.cfg = args.(SocksArgs)
-	s.CheckArgs()
-	s.InitService()
-	if *s.cfg.Parent != "" {
-		log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+	if err = s.CheckArgs(); err != nil {
+		return
 	}
-	sc := utils.NewServerChannelHost(*s.cfg.Local)
+	if err = s.InitService(); err != nil {
+		s.InitService()
+	}
+	if *s.cfg.Parent != "" {
+		s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+	}
+	if *s.cfg.UDPParent != "" {
+		s.log.Printf("use socks udp parent %s", *s.cfg.UDPParent)
+	}
+	sc := utils.NewServerChannelHost(*s.cfg.Local, s.log)
 	if *s.cfg.LocalType == TYPE_TCP {
 		err = sc.ListenTCP(s.socksConnCallback)
 	} else if *s.cfg.LocalType == TYPE_TLS {
 		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.socksConnCallback)
 	} else if *s.cfg.LocalType == TYPE_KCP {
-		err = sc.ListenKCP(s.cfg.KCP, s.socksConnCallback)
+		err = sc.ListenKCP(s.cfg.KCP, s.socksConnCallback, s.log)
 	}
 	if err != nil {
 		return
 	}
-	log.Printf("%s socks proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
+	s.sc = &sc
+	s.log.Printf("%s socks proxy on %s", *s.cfg.LocalType, (*sc.Listener).Addr())
 	return
 }
 func (s *Socks) Clean() {
@ -175,29 +225,29 @@ func (s *Socks) udpCallback(b []byte, localAddr, srcAddr *net.UDPAddr) {
 		//decode b
 		rawB, err = goaes.Decrypt(s.UDPKey(), b)
 		if err != nil {
-			log.Printf("decrypt udp packet fail from %s", srcAddr.String())
+			s.log.Printf("decrypt udp packet fail from %s", srcAddr.String())
 			return
 		}
 	}
 	p, err := socks.ParseUDPPacket(rawB)
-	log.Printf("udp revecived:%v", len(p.Data()))
+	s.log.Printf("udp revecived:%v", len(p.Data()))
 	if err != nil {
-		log.Printf("parse udp packet fail, ERR:%s", err)
+		s.log.Printf("parse udp packet fail, ERR:%s", err)
 		return
 	}
 	//防止死循环
 	if s.IsDeadLoop((*localAddr).String(), p.Host()) {
-		log.Printf("dead loop detected , %s", p.Host())
+		s.log.Printf("dead loop detected , %s", p.Host())
 		return
 	}
-	//log.Printf("##########udp to -> %s:%s###########", p.Host(), p.Port())
+	//s.log.Printf("##########udp to -> %s:%s###########", p.Host(), p.Port())
 	if *s.cfg.Parent != "" {
 		//有上级代理,转发给上级
 		if *s.cfg.ParentType == "tls" {
 			//encode b
 			rawB, err = goaes.Encrypt(s.UDPKey(), rawB)
 			if err != nil {
-				log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
+				s.log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
 				return
 			}
 		}
@ -207,43 +257,43 @@ func (s *Socks) udpCallback(b []byte, localAddr, srcAddr *net.UDPAddr) {
 		}
 		dstAddr, err := net.ResolveUDPAddr("udp", s.Resolve(parent))
 		if err != nil {
-			log.Printf("can't resolve address: %s", err)
+			s.log.Printf("can't resolve address: %s", err)
 			return
 		}
 		clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 		conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 		if err != nil {
-			log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 			return
 		}
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout*5)))
 		_, err = conn.Write(rawB)
 		conn.SetDeadline(time.Time{})
-		log.Printf("udp request:%v", len(rawB))
+		s.log.Printf("udp request:%v", len(rawB))
 		if err != nil {
-			log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}

-		//log.Printf("send udp packet to %s success", dstAddr.String())
+		//s.log.Printf("send udp packet to %s success", dstAddr.String())
 		buf := make([]byte, 10*1024)
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		length, _, err := conn.ReadFromUDP(buf)
 		conn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}
 		respBody := buf[0:length]
-		log.Printf("udp response:%v", len(respBody))
-		//log.Printf("revecived udp packet from %s", dstAddr.String())
+		s.log.Printf("udp response:%v", len(respBody))
+		//s.log.Printf("revecived udp packet from %s", dstAddr.String())
 		if *s.cfg.ParentType == "tls" {
 			//decode b
 			respBody, err = goaes.Decrypt(s.UDPKey(), respBody)
 			if err != nil {
-				log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
+				s.log.Printf("encrypt udp data fail to %s", *s.cfg.Parent)
 				conn.Close()
 				return
 			}
@ -251,84 +301,94 @@ func (s *Socks) udpCallback(b []byte, localAddr, srcAddr *net.UDPAddr) {
 		if *s.cfg.LocalType == "tls" {
 			d, err := goaes.Encrypt(s.UDPKey(), respBody)
 			if err != nil {
-				log.Printf("encrypt udp data fail from %s", dstAddr.String())
+				s.log.Printf("encrypt udp data fail from %s", dstAddr.String())
 				conn.Close()
 				return
 			}
 			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(d, srcAddr)
 			s.udpSC.UDPListener.SetDeadline(time.Time{})
-			log.Printf("udp reply:%v", len(d))
+			s.log.Printf("udp reply:%v", len(d))
+			d = nil
 		} else {
 			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(respBody, srcAddr)
 			s.udpSC.UDPListener.SetDeadline(time.Time{})
-			log.Printf("udp reply:%v", len(respBody))
+			s.log.Printf("udp reply:%v", len(respBody))
 		}

 	} else {
 		//本地代理
 		dstAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(s.Resolve(p.Host()), p.Port()))
 		if err != nil {
-			log.Printf("can't resolve address: %s", err)
+			s.log.Printf("can't resolve address: %s", err)
 			return
 		}
 		clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 		conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 		if err != nil {
-			log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 			return
 		}
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout*3)))
 		_, err = conn.Write(p.Data())
 		conn.SetDeadline(time.Time{})
-		log.Printf("udp send:%v", len(p.Data()))
+		s.log.Printf("udp send:%v", len(p.Data()))
 		if err != nil {
-			log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}
-		//log.Printf("send udp packet to %s success", dstAddr.String())
+		//s.log.Printf("send udp packet to %s success", dstAddr.String())
 		buf := make([]byte, 10*1024)
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		length, _, err := conn.ReadFromUDP(buf)
 		conn.SetDeadline(time.Time{})

 		if err != nil {
-			log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 			conn.Close()
 			return
 		}
 		respBody := buf[0:length]
 		//封装来自真实服务器的数据,返回给访问者
 		respPacket := p.NewReply(respBody)
-		//log.Printf("revecived udp packet from %s", dstAddr.String())
+		//s.log.Printf("revecived udp packet from %s", dstAddr.String())
 		if *s.cfg.LocalType == "tls" {
 			d, err := goaes.Encrypt(s.UDPKey(), respPacket)
 			if err != nil {
-				log.Printf("encrypt udp data fail from %s", dstAddr.String())
+				s.log.Printf("encrypt udp data fail from %s", dstAddr.String())
 				conn.Close()
 				return
 			}
 			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(d, srcAddr)
 			s.udpSC.UDPListener.SetDeadline(time.Time{})
+			d = nil
 		} else {
 			s.udpSC.UDPListener.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			s.udpSC.UDPListener.WriteToUDP(respPacket, srcAddr)
 			s.udpSC.UDPListener.SetDeadline(time.Time{})
 		}
-		log.Printf("udp reply:%v", len(respPacket))
+		s.log.Printf("udp reply:%v", len(respPacket))
 	}

 }
 func (s *Socks) socksConnCallback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("socks conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+			s.log.Printf("socks conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 			inConn.Close()
 		}
 	}()
+	if *s.cfg.LocalCompress {
+		inConn = utils.NewCompConn(inConn)
+	}
+	if *s.cfg.LocalKey != "" {
+		inConn = conncrypt.New(inConn, &conncrypt.Config{
+			Password: *s.cfg.LocalKey,
+		})
+	}
 	//协商开始

 	//method select request
@ -338,7 +398,7 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 	if err != nil {
 		methodReq.Reply(socks.Method_NONE_ACCEPTABLE)
 		utils.CloseConn(&inConn)
-		log.Printf("new methods request fail,ERR: %s", err)
+		s.log.Printf("new methods request fail,ERR: %s", err)
 		return
 	}

@ -346,29 +406,29 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 		if !methodReq.Select(socks.Method_NO_AUTH) {
 			methodReq.Reply(socks.Method_NONE_ACCEPTABLE)
 			utils.CloseConn(&inConn)
-			log.Printf("none method found : Method_NO_AUTH")
+			s.log.Printf("none method found : Method_NO_AUTH")
 			return
 		}
 		//method select reply
 		err = methodReq.Reply(socks.Method_NO_AUTH)
 		if err != nil {
-			log.Printf("reply answer data fail,ERR: %s", err)
+			s.log.Printf("reply answer data fail,ERR: %s", err)
 			utils.CloseConn(&inConn)
 			return
 		}
-		// log.Printf("% x", methodReq.Bytes())
+		// s.log.Printf("% x", methodReq.Bytes())
 	} else {
 		//auth
 		if !methodReq.Select(socks.Method_USER_PASS) {
 			methodReq.Reply(socks.Method_NONE_ACCEPTABLE)
 			utils.CloseConn(&inConn)
-			log.Printf("none method found : Method_USER_PASS")
+			s.log.Printf("none method found : Method_USER_PASS")
 			return
 		}
 		//method reply need auth
 		err = methodReq.Reply(socks.Method_USER_PASS)
 		if err != nil {
-			log.Printf("reply answer data fail,ERR: %s", err)
+			s.log.Printf("reply answer data fail,ERR: %s", err)
 			utils.CloseConn(&inConn)
 			return
 		}
@ -384,7 +444,7 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 		r := buf[:n]
 		user := string(r[2 : r[1]+2])
 		pass := string(r[2+r[1]+1:])
-		//log.Printf("user:%s,pass:%s", user, pass)
+		//s.log.Printf("user:%s,pass:%s", user, pass)
 		//auth
 		_addr := strings.Split(inConn.RemoteAddr().String(), ":")
 		if s.basicAuth.CheckUserPass(user, pass, _addr[0], "") {
@ -405,7 +465,7 @@ func (s *Socks) socksConnCallback(inConn net.Conn) {
 	//request detail
 	request, err := socks.NewRequest(inConn)
 	if err != nil {
-		log.Printf("read request data fail,ERR: %s", err)
+		s.log.Printf("read request data fail,ERR: %s", err)
 		utils.CloseConn(&inConn)
 		return
 	}
@ -433,7 +493,7 @@ func (s *Socks) proxyUDP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 	}
 	host, _, _ := net.SplitHostPort((*inConn).LocalAddr().String())
 	_, port, _ := net.SplitHostPort(s.udpSC.UDPListener.LocalAddr().String())
-	log.Printf("proxy udp on %s", net.JoinHostPort(host, port))
+	s.log.Printf("proxy udp on %s", net.JoinHostPort(host, port))
 	request.UDPReply(socks.REP_SUCCESS, net.JoinHostPort(host, port))
 }
 func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, request socks.Request) {
@ -445,18 +505,21 @@ func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 	//防止死循环
 	if s.IsDeadLoop((*inConn).LocalAddr().String(), request.Host()) {
 		utils.CloseConn(inConn)
-		log.Printf("dead loop detected , %s", request.Host())
+		s.log.Printf("dead loop detected , %s", request.Host())
 		utils.CloseConn(inConn)
 		return
 	}
 	for {
+		if s.isStop {
+			return
+		}
 		if *s.cfg.Always {
 			outConn, err = s.getOutConn(methodReq.Bytes(), request.Bytes(), request.Addr())
 		} else {
 			if *s.cfg.Parent != "" {
 				host, _, _ := net.SplitHostPort(request.Addr())
 				useProxy := false
-				if utils.IsIternalIP(host) {
+				if utils.IsIternalIP(host, *s.cfg.Always) {
 					useProxy = false
 				} else {
 					k := s.Resolve(request.Addr())
@ -477,25 +540,32 @@ func (s *Socks) proxyTCP(inConn *net.Conn, methodReq socks.MethodsRequest, reque
 		if err == nil || tryCount > maxTryCount || *s.cfg.Parent == "" {
 			break
 		} else {
-			log.Printf("get out conn fail,%s,retrying...", err)
+			s.log.Printf("get out conn fail,%s,retrying...", err)
 			time.Sleep(time.Second * 2)
 		}
 	}
 	if err != nil {
-		log.Printf("get out conn fail,%s", err)
+		s.log.Printf("get out conn fail,%s", err)
 		request.TCPReply(socks.REP_NETWOR_UNREACHABLE)
 		return
 	}
-	log.Printf("use proxy %v : %s", useProxy, request.Addr())
+
+	s.log.Printf("use proxy %v : %s", useProxy, request.Addr())

 	request.TCPReply(socks.REP_SUCCESS)
 	inAddr := (*inConn).RemoteAddr().String()
 	//inLocalAddr := (*inConn).LocalAddr().String()

-	log.Printf("conn %s - %s connected", inAddr, request.Addr())
+	s.log.Printf("conn %s - %s connected", inAddr, request.Addr())
 	utils.IoBind(*inConn, outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released", inAddr, request.Addr())
-	})
+		s.log.Printf("conn %s - %s released", inAddr, request.Addr())
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+		s.userConns.Remove(inAddr)
+	}
+	s.userConns.Set(inAddr, inConn)
 }
 func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn net.Conn, err interface{}) {
 	switch *s.cfg.ParentType {
@ -517,6 +587,14 @@ func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn n
 			err = fmt.Errorf("connect fail,%s", err)
 			return
 		}
+		if *s.cfg.ParentCompress {
+			outConn = utils.NewCompConn(outConn)
+		}
+		if *s.cfg.ParentKey != "" {
+			outConn = conncrypt.New(outConn, &conncrypt.Config{
+				Password: *s.cfg.ParentKey,
+			})
+		}
 		var buf = make([]byte, 1024)
 		//var n int
 		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
@ -534,7 +612,7 @@ func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn n
 			return
 		}
 		//resp := buf[:n]
-		//log.Printf("resp:%v", resp)
+		//s.log.Printf("resp:%v", resp)
 		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = outConn.Write(reqBytes)
 		outConn.SetDeadline(time.Time{})
@ -550,13 +628,13 @@ func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn n
 			return
 		}
 		//result := buf[:n]
-		//log.Printf("result:%v", result)
+		//s.log.Printf("result:%v", result)

 	case "ssh":
 		maxTryCount := 1
 		tryCount := 0
 	RETRY:
-		if tryCount >= maxTryCount {
+		if tryCount >= maxTryCount || s.isStop {
 			return
 		}
 		wait := make(chan bool, 1)
@ -576,7 +654,7 @@ func (s *Socks) getOutConn(methodBytes, reqBytes []byte, host string) (outConn n
 			s.sshClient.Close()
 		}
 		if err != nil {
-			log.Printf("connect ssh fail, ERR: %s, retrying...", err)
+			s.log.Printf("connect ssh fail, ERR: %s, retrying...", err)
 			e := s.ConnectSSH()
 			if e == nil {
 				tryCount++
@ -614,13 +692,13 @@ func (s *Socks) ConnectSSH() (err error) {
 }
 func (s *Socks) InitBasicAuth() (err error) {
 	if *s.cfg.DNSAddress != "" {
-		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver)
+		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver, s.log)
 	} else {
-		s.basicAuth = utils.NewBasicAuth(nil)
+		s.basicAuth = utils.NewBasicAuth(nil, s.log)
 	}
 	if *s.cfg.AuthURL != "" {
 		s.basicAuth.SetAuthURL(*s.cfg.AuthURL, *s.cfg.AuthURLOkCode, *s.cfg.AuthURLTimeout, *s.cfg.AuthURLRetry)
-		log.Printf("auth from %s", *s.cfg.AuthURL)
+		s.log.Printf("auth from %s", *s.cfg.AuthURL)
 	}
 	if *s.cfg.AuthFile != "" {
 		var n = 0
@ -629,11 +707,11 @@ func (s *Socks) InitBasicAuth() (err error) {
 			err = fmt.Errorf("auth-file ERR:%s", err)
 			return
 		}
-		log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
 	}
 	if len(*s.cfg.Auth) > 0 {
 		n := s.basicAuth.Add(*s.cfg.Auth)
-		log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
 	}
 	return
 }
@ -685,7 +763,7 @@ func (s *Socks) Resolve(address string) string {
 	}
 	ip, err := s.domainResolver.Resolve(address)
 	if err != nil {
-		log.Printf("dns error %s , ERR:%s", address, err)
+		s.log.Printf("dns error %s , ERR:%s", address, err)
 	}
 	return ip
 }
--- a/services/sps.go
+++ b/services/sps.go
@ -6,99 +6,137 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/utils"
-	"snail007/proxy/utils/socks"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+	"github.com/snail007/goproxy/utils/conncrypt"
+	"github.com/snail007/goproxy/utils/socks"
 )

 type SPS struct {
-	outPool        utils.OutPool
+	outPool        utils.OutConn
 	cfg            SPSArgs
 	domainResolver utils.DomainResolver
 	basicAuth      utils.BasicAuth
+	serverChannels []*utils.ServerChannel
+	userConns      utils.ConcurrentMap
+	log            *logger.Logger
 }

 func NewSPS() Service {
 	return &SPS{
-		outPool:   utils.OutPool{},
+		outPool:        utils.OutConn{},
 		cfg:            SPSArgs{},
 		basicAuth:      utils.BasicAuth{},
+		serverChannels: []*utils.ServerChannel{},
+		userConns:      utils.NewConcurrentMap(),
 	}
 }
-func (s *SPS) CheckArgs() {
+func (s *SPS) CheckArgs() (err error) {
 	if *s.cfg.Parent == "" {
-		log.Fatalf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		err = fmt.Errorf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		return
 	}
 	if *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp|kcp>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp|kcp>")
+		return
 	}
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.LocalType == TYPE_TLS {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
+		}
 		if *s.cfg.CaCertFile != "" {
-			var err error
 			s.cfg.CaCertBytes, err = ioutil.ReadFile(*s.cfg.CaCertFile)
 			if err != nil {
-				log.Fatalf("read ca file error,ERR:%s", err)
+				err = fmt.Errorf("read ca file error,ERR:%s", err)
+				return
 			}
 		}
 	}
+	return
 }
-func (s *SPS) InitService() {
-	s.InitOutConnPool()
+func (s *SPS) InitService() (err error) {
 	if *s.cfg.DNSAddress != "" {
-		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL)
+		(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL, s.log)
 	}
-	s.InitBasicAuth()
+	s.InitOutConnPool()
+	err = s.InitBasicAuth()
+	return
 }
 func (s *SPS) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP || *s.cfg.ParentType == TYPE_KCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			0,
 			*s.cfg.ParentType,
 			s.cfg.KCP,
-			s.cfg.CertBytes, s.cfg.KeyBytes, nil,
+			s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes,
 			*s.cfg.Parent,
 			*s.cfg.Timeout,
-			0,
-			0,
 		)
 	}
 }

 func (s *SPS) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop sps service crashed,%s", e)
+		} else {
+			s.log.Printf("service sps stoped")
+		}
+	}()
+	for _, sc := range s.serverChannels {
+		if sc.Listener != nil && *sc.Listener != nil {
+			(*sc.Listener).Close()
+		}
+		if sc.UDPListener != nil {
+			(*sc.UDPListener).Close()
 		}
 	}
-func (s *SPS) Start(args interface{}) (err error) {
+	for _, c := range s.userConns.Items() {
+		if _, ok := c.(*net.Conn); ok {
+			(*c.(*net.Conn)).Close()
+		}
+		if _, ok := c.(**net.Conn); ok {
+			(*(*c.(**net.Conn))).Close()
+		}
+	}
+}
+func (s *SPS) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(SPSArgs)
-	s.CheckArgs()
-	log.Printf("use %s %s parent %s", *s.cfg.ParentType, *s.cfg.ParentServiceType, *s.cfg.Parent)
-	s.InitService()
-
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("use %s %s parent %s", *s.cfg.ParentType, *s.cfg.ParentServiceType, *s.cfg.Parent)
 	for _, addr := range strings.Split(*s.cfg.Local, ",") {
 		if addr != "" {
 			host, port, _ := net.SplitHostPort(*s.cfg.Local)
 			p, _ := strconv.Atoi(port)
-			sc := utils.NewServerChannel(host, p)
+			sc := utils.NewServerChannel(host, p, s.log)
 			if *s.cfg.LocalType == TYPE_TCP {
 				err = sc.ListenTCP(s.callback)
 			} else if *s.cfg.LocalType == TYPE_TLS {
-				err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.callback)
+				err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, s.cfg.CaCertBytes, s.callback)
 			} else if *s.cfg.LocalType == TYPE_KCP {
-				err = sc.ListenKCP(s.cfg.KCP, s.callback)
+				err = sc.ListenKCP(s.cfg.KCP, s.callback, s.log)
 			}
 			if err != nil {
 				return
 			}
-			log.Printf("%s http(s)+socks proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+			s.log.Printf("%s http(s)+socks proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+			s.serverChannels = append(s.serverChannels, &sc)
 		}
 	}
 	return
@ -110,9 +148,17 @@ func (s *SPS) Clean() {
 func (s *SPS) callback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
+			s.log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
 		}
 	}()
+	if *s.cfg.LocalCompress {
+		inConn = utils.NewCompConn(inConn)
+	}
+	if *s.cfg.LocalKey != "" {
+		inConn = conncrypt.New(inConn, &conncrypt.Config{
+			Password: *s.cfg.LocalKey,
+		})
+	}
 	var err error
 	switch *s.cfg.ParentType {
 	case TYPE_KCP:
@ -125,56 +171,78 @@ func (s *SPS) callback(inConn net.Conn) {
 		err = fmt.Errorf("unkown parent type %s", *s.cfg.ParentType)
 	}
 	if err != nil {
-		log.Printf("connect to %s parent %s fail, ERR:%s from %s", *s.cfg.ParentType, *s.cfg.Parent, err, inConn.RemoteAddr())
+		s.log.Printf("connect to %s parent %s fail, ERR:%s from %s", *s.cfg.ParentType, *s.cfg.Parent, err, inConn.RemoteAddr())
 		utils.CloseConn(&inConn)
 	}
 }
 func (s *SPS) OutToTCP(inConn *net.Conn) (err error) {
-	buf := make([]byte, 1024)
-	n, err := (*inConn).Read(buf)
-	header := buf[:n]
+	bInConn := utils.NewBufferedConn(*inConn)
+	//important
+	//action read will regist read event to system,
+	//when data arrived , system call process
+	//so that we can get buffered bytes count
+	//otherwise Buffered() always return 0
+	bInConn.ReadByte()
+	bInConn.UnreadByte()
+
+	n := 8
+	if n > bInConn.Buffered() {
+		n = bInConn.Buffered()
+	}
+	h, err := bInConn.Peek(n)
 	if err != nil {
-		log.Printf("ERR:%s", err)
-		utils.CloseConn(inConn)
+		s.log.Printf("peek error %s ", err)
+		(*inConn).Close()
 		return
 	}
+
+	*inConn = bInConn
 	address := ""
 	var auth socks.Auth
 	var forwardBytes []byte
 	//fmt.Printf("%v", header)
-	if header[0] == socks.VERSION_V5 {
+	if utils.IsSocks5(h) {
+		if *s.cfg.DisableSocks5 {
+			(*inConn).Close()
+			return
+		}
 		//socks5 server
 		var serverConn *socks.ServerConn
 		if s.IsBasicAuth() {
-			serverConn = socks.NewServerConn(inConn, time.Millisecond*time.Duration(*s.cfg.Timeout), &s.basicAuth, "", header)
+			serverConn = socks.NewServerConn(inConn, time.Millisecond*time.Duration(*s.cfg.Timeout), &s.basicAuth, "", nil)
 		} else {
-			serverConn = socks.NewServerConn(inConn, time.Millisecond*time.Duration(*s.cfg.Timeout), nil, "", header)
+			serverConn = socks.NewServerConn(inConn, time.Millisecond*time.Duration(*s.cfg.Timeout), nil, "", nil)
 		}
 		if err = serverConn.Handshake(); err != nil {
 			return
 		}
 		address = serverConn.Target()
 		auth = serverConn.AuthData()
-	} else if bytes.IndexByte(header, '\n') != -1 {
+	} else if utils.IsHTTP(h) {
+		if *s.cfg.DisableHTTP {
+			(*inConn).Close()
+			return
+		}
 		//http
 		var request utils.HTTPRequest
 		(*inConn).SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		if s.IsBasicAuth() {
-			request, err = utils.NewHTTPRequest(inConn, 1024, true, &s.basicAuth, header)
+			request, err = utils.NewHTTPRequest(inConn, 1024, true, &s.basicAuth, s.log)
 		} else {
-			request, err = utils.NewHTTPRequest(inConn, 1024, false, nil, header)
+			request, err = utils.NewHTTPRequest(inConn, 1024, false, nil, s.log)
 		}
 		(*inConn).SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("new http request fail,ERR: %s", err)
+			s.log.Printf("new http request fail,ERR: %s", err)
 			utils.CloseConn(inConn)
 			return
 		}
-		if len(header) >= 7 && strings.ToLower(string(header[:7])) == "connect" {
+		if len(h) >= 7 && strings.ToLower(string(h[:7])) == "connect" {
 			//https
 			request.HTTPSReply()
-			//log.Printf("https reply: %s", request.Host)
+			//s.log.Printf("https reply: %s", request.Host)
 		} else {
+			//forwardBytes = bytes.TrimRight(request.HeadBuf,"\r\n")
 			forwardBytes = request.HeadBuf
 		}
 		address = request.Host
@ -189,31 +257,47 @@ func (s *SPS) OutToTCP(inConn *net.Conn) (err error) {
 				auth = socks.Auth{User: userpassA[0], Password: userpassA[1]}
 			}
 		}
-	} else {
-		log.Printf("unknown request from: %s,%s", (*inConn).RemoteAddr(), string(header))
+	}
+	if err != nil || address == "" {
+		s.log.Printf("unknown request from: %s,%s", (*inConn).RemoteAddr(), string(h))
+		(*inConn).Close()
 		utils.CloseConn(inConn)
 		err = errors.New("unknown request")
 		return
 	}
 	//connect to parent
 	var outConn net.Conn
-	var _outConn interface{}
-	_outConn, err = s.outPool.Pool.Get()
-	if err == nil {
-		outConn = _outConn.(net.Conn)
-	}
+	outConn, err = s.outPool.Get()
 	if err != nil {
-		log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
+		s.log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
 		utils.CloseConn(inConn)
 		return
 	}
+	if *s.cfg.ParentCompress {
+		outConn = utils.NewCompConn(outConn)
+	}
+	if *s.cfg.ParentKey != "" {
+		outConn = conncrypt.New(outConn, &conncrypt.Config{
+			Password: *s.cfg.ParentKey,
+		})
+	}
+
+	if *s.cfg.ParentAuth != "" || s.IsBasicAuth() {
+		forwardBytes = utils.RemoveProxyHeaders(forwardBytes)
+	}

 	//ask parent for connect to target address
 	if *s.cfg.ParentServiceType == "http" {
 		//http parent
+		isHTTPS := false
+
 		pb := new(bytes.Buffer)
-		pb.Write([]byte(fmt.Sprintf("CONNECT %s HTTP/1.1\r\nProxy-Connection: Keep-Alive\r\n", address)))
-		//Proxy-Authorization:\r\n
+		if len(forwardBytes) == 0 {
+			isHTTPS = true
+			pb.Write([]byte(fmt.Sprintf("CONNECT %s HTTP/1.1\r\n", address)))
+		}
+		pb.WriteString("Proxy-Connection: Keep-Alive\r\n")
+
 		u := ""
 		if *s.cfg.ParentAuth != "" {
 			a := strings.Split(*s.cfg.ParentAuth, ":")
@ -230,28 +314,41 @@ func (s *SPS) OutToTCP(inConn *net.Conn) (err error) {
 		if u != "" {
 			pb.Write([]byte(fmt.Sprintf("Proxy-Authorization: Basic %s\r\n", base64.StdEncoding.EncodeToString([]byte(u)))))
 		}
+
+		if isHTTPS {
+			pb.Write([]byte("\r\n"))
+		} else {
+			forwardBytes = utils.InsertProxyHeaders(forwardBytes, string(pb.Bytes()))
+			pb.Reset()
+			pb.Write(forwardBytes)
+			forwardBytes = nil
+		}
+
 		outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = outConn.Write(pb.Bytes())
 		outConn.SetDeadline(time.Time{})
 		if err != nil {
-			log.Printf("write CONNECT to %s , err:%s", *s.cfg.Parent, err)
+			s.log.Printf("write CONNECT to %s , err:%s", *s.cfg.Parent, err)
 			utils.CloseConn(inConn)
 			utils.CloseConn(&outConn)
 			return
 		}
-		reply := make([]byte, 100)
+
+		if isHTTPS {
+			reply := make([]byte, 1024)
 			outConn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 			_, err = outConn.Read(reply)
 			outConn.SetDeadline(time.Time{})
 			if err != nil {
-			log.Printf("read reply from %s , err:%s", *s.cfg.Parent, err)
+				s.log.Printf("read reply from %s , err:%s", *s.cfg.Parent, err)
 				utils.CloseConn(inConn)
 				utils.CloseConn(&outConn)
 				return
 			}
-		//log.Printf("reply: %s", string(reply[:n]))
-	} else {
-		log.Printf("connect %s", address)
+			//s.log.Printf("reply: %s", string(reply[:n]))
+		}
+	} else if *s.cfg.ParentServiceType == "socks" {
+		s.log.Printf("connect %s", address)
 		//socks client
 		var clientConn *socks.ClientConn
 		if *s.cfg.ParentAuth != "" {
@ -260,40 +357,47 @@ func (s *SPS) OutToTCP(inConn *net.Conn) (err error) {
 				err = fmt.Errorf("parent auth data format error")
 				return
 			}
-			clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), &socks.Auth{User: a[0], Password: a[1]}, header)
+			clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), &socks.Auth{User: a[0], Password: a[1]}, nil)
 		} else {
 			if !s.IsBasicAuth() && auth.Password != "" && auth.User != "" {
-				clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), &auth, header)
+				clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), &auth, nil)
 			} else {
-				clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), nil, header)
+				clientConn = socks.NewClientConn(&outConn, "tcp", address, time.Millisecond*time.Duration(*s.cfg.Timeout), nil, nil)
 			}
 		}
 		if err = clientConn.Handshake(); err != nil {
 			return
 		}
 	}
+
 	//forward client data to target,if necessary.
 	if len(forwardBytes) > 0 {
 		outConn.Write(forwardBytes)
 	}
+
 	//bind
 	inAddr := (*inConn).RemoteAddr().String()
 	outAddr := outConn.RemoteAddr().String()
 	utils.IoBind((*inConn), outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released", inAddr, outAddr)
-	})
-	log.Printf("conn %s - %s connected", inAddr, outAddr)
+		s.log.Printf("conn %s - %s released [%s]", inAddr, outAddr, address)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	s.log.Printf("conn %s - %s connected [%s]", inAddr, outAddr, address)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, inConn)
 	return
 }
 func (s *SPS) InitBasicAuth() (err error) {
 	if *s.cfg.DNSAddress != "" {
-		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver)
+		s.basicAuth = utils.NewBasicAuth(&(*s).domainResolver, s.log)
 	} else {
-		s.basicAuth = utils.NewBasicAuth(nil)
+		s.basicAuth = utils.NewBasicAuth(nil, s.log)
 	}
 	if *s.cfg.AuthURL != "" {
 		s.basicAuth.SetAuthURL(*s.cfg.AuthURL, *s.cfg.AuthURLOkCode, *s.cfg.AuthURLTimeout, *s.cfg.AuthURLRetry)
-		log.Printf("auth from %s", *s.cfg.AuthURL)
+		s.log.Printf("auth from %s", *s.cfg.AuthURL)
 	}
 	if *s.cfg.AuthFile != "" {
 		var n = 0
@ -302,11 +406,11 @@ func (s *SPS) InitBasicAuth() (err error) {
 			err = fmt.Errorf("auth-file ERR:%s", err)
 			return
 		}
-		log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added from file %d , total:%d", n, s.basicAuth.Total())
 	}
 	if len(*s.cfg.Auth) > 0 {
 		n := s.basicAuth.Add(*s.cfg.Auth)
-		log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
+		s.log.Printf("auth data added %d, total:%d", n, s.basicAuth.Total())
 	}
 	return
 }
@ -357,7 +461,7 @@ func (s *SPS) Resolve(address string) string {
 	}
 	ip, err := s.domainResolver.Resolve(address)
 	if err != nil {
-		log.Printf("dns error %s , ERR:%s", address, err)
+		s.log.Printf("dns error %s , ERR:%s", address, err)
 	}
 	return ip
 }
--- a/services/tcp.go
+++ b/services/tcp.go
@ -4,66 +4,100 @@ import (
 	"bufio"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/utils"
 	"time"

+	"github.com/snail007/goproxy/utils"
+
 	"strconv"
 )

 type TCP struct {
-	outPool utils.OutPool
+	outPool   utils.OutConn
 	cfg       TCPArgs
+	sc        *utils.ServerChannel
+	isStop    bool
+	userConns utils.ConcurrentMap
+	log       *logger.Logger
 }

 func NewTCP() Service {
 	return &TCP{
-		outPool: utils.OutPool{},
+		outPool:   utils.OutConn{},
 		cfg:       TCPArgs{},
+		isStop:    false,
+		userConns: utils.NewConcurrentMap(),
 	}
 }
-func (s *TCP) CheckArgs() {
+func (s *TCP) CheckArgs() (err error) {
 	if *s.cfg.Parent == "" {
-		log.Fatalf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		err = fmt.Errorf("parent required for %s %s", s.cfg.Protocol(), *s.cfg.Local)
+		return
 	}
 	if *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp|kcp|udp>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp|kcp|udp>")
+		return
 	}
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.LocalType == TYPE_TLS {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
 		}
 	}
-func (s *TCP) InitService() {
+	return
+}
+func (s *TCP) InitService() (err error) {
 	s.InitOutConnPool()
+	return
 }
 func (s *TCP) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop tcp service crashed,%s", e)
+		} else {
+			s.log.Printf("service tcp stoped")
+		}
+	}()
+	s.isStop = true
+	if s.sc.Listener != nil && *s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
 	}
 }
-func (s *TCP) Start(args interface{}) (err error) {
+func (s *TCP) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TCPArgs)
-	s.CheckArgs()
-	log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
-	s.InitService()
-
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)

 	if *s.cfg.LocalType == TYPE_TCP {
 		err = sc.ListenTCP(s.callback)
 	} else if *s.cfg.LocalType == TYPE_TLS {
 		err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.callback)
 	} else if *s.cfg.LocalType == TYPE_KCP {
-		err = sc.ListenKCP(s.cfg.KCP, s.callback)
+		err = sc.ListenKCP(s.cfg.KCP, s.callback, s.log)
 	}
 	if err != nil {
 		return
 	}
-	log.Printf("%s proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+	s.log.Printf("%s proxy on %s", s.cfg.Protocol(), (*sc.Listener).Addr())
+	s.sc = &sc
 	return
 }

@ -73,7 +107,7 @@ func (s *TCP) Clean() {
 func (s *TCP) callback(inConn net.Conn) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
+			s.log.Printf("%s conn handler crashed with err : %s \nstack: %s", s.cfg.Protocol(), err, string(debug.Stack()))
 		}
 	}()
 	var err error
@ -90,19 +124,15 @@ func (s *TCP) callback(inConn net.Conn) {
 		err = fmt.Errorf("unkown parent type %s", *s.cfg.ParentType)
 	}
 	if err != nil {
-		log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
+		s.log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
 		utils.CloseConn(&inConn)
 	}
 }
 func (s *TCP) OutToTCP(inConn *net.Conn) (err error) {
 	var outConn net.Conn
-	var _outConn interface{}
-	_outConn, err = s.outPool.Pool.Get()
-	if err == nil {
-		outConn = _outConn.(net.Conn)
-	}
+	outConn, err = s.outPool.Get()
 	if err != nil {
-		log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
+		s.log.Printf("connect to %s , err:%s", *s.cfg.Parent, err)
 		utils.CloseConn(inConn)
 		return
 	}
@ -111,55 +141,64 @@ func (s *TCP) OutToTCP(inConn *net.Conn) (err error) {
 	outAddr := outConn.RemoteAddr().String()
 	//outLocalAddr := outConn.LocalAddr().String()
 	utils.IoBind((*inConn), outConn, func(err interface{}) {
-		log.Printf("conn %s - %s released", inAddr, outAddr)
-	})
-	log.Printf("conn %s - %s connected", inAddr, outAddr)
+		s.log.Printf("conn %s - %s released", inAddr, outAddr)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	s.log.Printf("conn %s - %s connected", inAddr, outAddr)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, inConn)
 	return
 }
 func (s *TCP) OutToUDP(inConn *net.Conn) (err error) {
-	log.Printf("conn created , remote : %s ", (*inConn).RemoteAddr())
+	s.log.Printf("conn created , remote : %s ", (*inConn).RemoteAddr())
 	for {
+		if s.isStop {
+			(*inConn).Close()
+			return
+		}
 		srcAddr, body, err := utils.ReadUDPPacket(bufio.NewReader(*inConn))
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
-			//log.Printf("connection %s released", srcAddr)
+			//s.log.Printf("connection %s released", srcAddr)
 			utils.CloseConn(inConn)
 			break
 		}
 		//log.Debugf("udp packet revecived:%s,%v", srcAddr, body)
 		dstAddr, err := net.ResolveUDPAddr("udp", *s.cfg.Parent)
 		if err != nil {
-			log.Printf("can't resolve address: %s", err)
+			s.log.Printf("can't resolve address: %s", err)
 			utils.CloseConn(inConn)
 			break
 		}
 		clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 		conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 		if err != nil {
-			log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 			continue
 		}
 		conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 		_, err = conn.Write(body)
 		if err != nil {
-			log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 			continue
 		}
 		//log.Debugf("send udp packet to %s success", dstAddr.String())
 		buf := make([]byte, 512)
 		len, _, err := conn.ReadFromUDP(buf)
 		if err != nil {
-			log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+			s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 			continue
 		}
 		respBody := buf[0:len]
 		//log.Debugf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 		_, err = (*inConn).Write(utils.UDPPacket(srcAddr, respBody))
 		if err != nil {
-			log.Printf("send udp response fail ,ERR:%s", err)
+			s.log.Printf("send udp response fail ,ERR:%s", err)
 			utils.CloseConn(inConn)
 			break
 		}
-		//log.Printf("send udp response success ,from:%s", dstAddr.String())
+		//s.log.Printf("send udp response success ,from:%s", dstAddr.String())
 	}
 	return

@ -168,15 +207,13 @@ func (s *TCP) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP || *s.cfg.ParentType == TYPE_KCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			*s.cfg.CheckParentInterval,
 			*s.cfg.ParentType,
 			s.cfg.KCP,
 			s.cfg.CertBytes, s.cfg.KeyBytes, nil,
 			*s.cfg.Parent,
 			*s.cfg.Timeout,
-			*s.cfg.PoolSize,
-			*s.cfg.PoolSize*2,
 		)
 	}
 }
--- a/services/tunnel_bridge.go
+++ b/services/tunnel_bridge.go
@ -1,12 +1,18 @@
 package services

 import (
-	"bufio"
-	"log"
+	"bytes"
+	"fmt"
+	logger "log"
 	"net"
-	"snail007/proxy/utils"
+	"os"
 	"strconv"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+
+	//"github.com/xtaci/smux"
+	smux "github.com/hashicorp/yamux"
 )

 type ServerConn struct {
@ -17,8 +23,8 @@ type TunnelBridge struct {
 	cfg                TunnelBridgeArgs
 	serverConns        utils.ConcurrentMap
 	clientControlConns utils.ConcurrentMap
-	// cmServer           utils.ConnManager
-	// cmClient           utils.ConnManager
+	isStop             bool
+	log                *logger.Logger
 }

 func NewTunnelBridge() Service {
@ -26,40 +32,91 @@ func NewTunnelBridge() Service {
 		cfg:                TunnelBridgeArgs{},
 		serverConns:        utils.NewConcurrentMap(),
 		clientControlConns: utils.NewConcurrentMap(),
-		// cmServer:           utils.NewConnManager(),
-		// cmClient:           utils.NewConnManager(),
+		isStop:             false,
 	}
 }

-func (s *TunnelBridge) InitService() {
-
+func (s *TunnelBridge) InitService() (err error) {
+	return
 }
-func (s *TunnelBridge) CheckArgs() {
+func (s *TunnelBridge) CheckArgs() (err error) {
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	return
 }
 func (s *TunnelBridge) StopService() {
-
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop tbridge service crashed,%s", e)
+		} else {
+			s.log.Printf("service tbridge stoped")
 		}
-func (s *TunnelBridge) Start(args interface{}) (err error) {
+	}()
+	s.isStop = true
+	for _, sess := range s.clientControlConns.Items() {
+		(*sess.(*net.Conn)).Close()
+	}
+	for _, sess := range s.serverConns.Items() {
+		(*sess.(ServerConn).Conn).Close()
+	}
+}
+func (s *TunnelBridge) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelBridgeArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)

-	err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, func(inConn net.Conn) {
-		//log.Printf("connection from %s ", inConn.RemoteAddr())
-
-		reader := bufio.NewReader(inConn)
+	err = sc.ListenTls(s.cfg.CertBytes, s.cfg.KeyBytes, nil, s.callback)
+	if err != nil {
+		return
+	}
+	s.log.Printf("proxy on tunnel bridge mode %s", (*sc.Listener).Addr())
+	return
+}
+func (s *TunnelBridge) Clean() {
+	s.StopService()
+}
+func (s *TunnelBridge) callback(inConn net.Conn) {
 	var err error
+	//s.log.Printf("connection from %s ", inConn.RemoteAddr())
+	sess, err := smux.Server(inConn, &smux.Config{
+		AcceptBacklog:          256,
+		EnableKeepAlive:        true,
+		KeepAliveInterval:      9 * time.Second,
+		ConnectionWriteTimeout: 3 * time.Second,
+		MaxStreamWindowSize:    512 * 1024,
+		LogOutput:              os.Stderr,
+	})
+	if err != nil {
+		s.log.Printf("new mux server conn error,ERR:%s", err)
+		return
+	}
+	inConn, err = sess.AcceptStream()
+	if err != nil {
+		s.log.Printf("mux server conn accept error,ERR:%s", err)
+		return
+	}
+
+	var buf = make([]byte, 1024)
+	n, _ := inConn.Read(buf)
+	reader := bytes.NewReader(buf[:n])
+	//reader := bufio.NewReader(inConn)
+
 	var connType uint8
 	err = utils.ReadPacket(reader, &connType)
 	if err != nil {
-			log.Printf("read error,ERR:%s", err)
+		s.log.Printf("read error,ERR:%s", err)
 		return
 	}
 	switch connType {
@ -67,20 +124,23 @@ func (s *TunnelBridge) Start(args interface{}) (err error) {
 		var key, ID, clientLocalAddr, serverID string
 		err = utils.ReadPacketData(reader, &key, &ID, &clientLocalAddr, &serverID)
 		if err != nil {
-				log.Printf("read error,ERR:%s", err)
+			s.log.Printf("read error,ERR:%s", err)
 			return
 		}
 		packet := utils.BuildPacketData(ID, clientLocalAddr, serverID)
-			log.Printf("server connection, key: %s , id: %s %s %s", key, ID, clientLocalAddr, serverID)
+		s.log.Printf("server connection, key: %s , id: %s %s %s", key, ID, clientLocalAddr, serverID)

 		//addr := clientLocalAddr + "@" + ID
 		s.serverConns.Set(ID, ServerConn{
 			Conn: &inConn,
 		})
 		for {
+			if s.isStop {
+				return
+			}
 			item, ok := s.clientControlConns.Get(key)
 			if !ok {
-					log.Printf("client %s control conn not exists", key)
+				s.log.Printf("client %s control conn not exists", key)
 				time.Sleep(time.Second * 3)
 				continue
 			}
@ -88,7 +148,7 @@ func (s *TunnelBridge) Start(args interface{}) (err error) {
 			_, err := (*item.(*net.Conn)).Write(packet)
 			(*item.(*net.Conn)).SetWriteDeadline(time.Time{})
 			if err != nil {
-					log.Printf("%s client control conn write signal fail, err: %s, retrying...", key, err)
+				s.log.Printf("%s client control conn write signal fail, err: %s, retrying...", key, err)
 				time.Sleep(time.Second * 3)
 				continue
 			} else {
@ -100,15 +160,15 @@ func (s *TunnelBridge) Start(args interface{}) (err error) {
 		var key, ID, serverID string
 		err = utils.ReadPacketData(reader, &key, &ID, &serverID)
 		if err != nil {
-				log.Printf("read error,ERR:%s", err)
+			s.log.Printf("read error,ERR:%s", err)
 			return
 		}
-			log.Printf("client connection , key: %s , id: %s, server id:%s", key, ID, serverID)
+		s.log.Printf("client connection , key: %s , id: %s, server id:%s", key, ID, serverID)

 		serverConnItem, ok := s.serverConns.Get(ID)
 		if !ok {
 			inConn.Close()
-				log.Printf("server conn %s exists", ID)
+			s.log.Printf("server conn %s exists", ID)
 			return
 		}
 		serverConn := serverConnItem.(ServerConn).Conn
@ -116,129 +176,24 @@ func (s *TunnelBridge) Start(args interface{}) (err error) {
 			s.serverConns.Remove(ID)
 			// s.cmClient.RemoveOne(key, ID)
 			// s.cmServer.RemoveOne(serverID, ID)
-				log.Printf("conn %s released", ID)
-			})
+			s.log.Printf("conn %s released", ID)
+		}, s.log)
 		// s.cmClient.Add(key, ID, &inConn)
-			log.Printf("conn %s created", ID)
+		s.log.Printf("conn %s created", ID)

 	case CONN_CLIENT_CONTROL:
 		var key string
 		err = utils.ReadPacketData(reader, &key)
 		if err != nil {
-				log.Printf("read error,ERR:%s", err)
+			s.log.Printf("read error,ERR:%s", err)
 			return
 		}
-			log.Printf("client control connection, key: %s", key)
+		s.log.Printf("client control connection, key: %s", key)
 		if s.clientControlConns.Has(key) {
 			item, _ := s.clientControlConns.Get(key)
 			(*item.(*net.Conn)).Close()
 		}
 		s.clientControlConns.Set(key, &inConn)
-			log.Printf("set client %s control conn", key)
-
-			// case CONN_SERVER_HEARBEAT:
-			// 	var serverID string
-			// 	err = utils.ReadPacketData(reader, &serverID)
-			// 	if err != nil {
-			// 		log.Printf("read error,ERR:%s", err)
-			// 		return
-			// 	}
-			// 	log.Printf("server heartbeat connection, id: %s", serverID)
-			// 	writeDie := make(chan bool)
-			// 	readDie := make(chan bool)
-			// 	go func() {
-			// 		for {
-			// 			inConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-			// 			_, err = inConn.Write([]byte{0x00})
-			// 			inConn.SetWriteDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("server heartbeat connection write err %s", err)
-			// 				break
-			// 			}
-			// 			time.Sleep(time.Second * 3)
-			// 		}
-			// 		close(writeDie)
-			// 	}()
-			// 	go func() {
-			// 		for {
-			// 			signal := make([]byte, 1)
-			// 			inConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-			// 			_, err := inConn.Read(signal)
-			// 			inConn.SetReadDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("server heartbeat connection read err: %s", err)
-			// 				break
-			// 			} else {
-			// 				// log.Printf("heartbeat from server ,id:%s", serverID)
-			// 			}
-			// 		}
-			// 		close(readDie)
-			// 	}()
-			// 	select {
-			// 	case <-readDie:
-			// 	case <-writeDie:
-			// 	}
-			// 	utils.CloseConn(&inConn)
-			// 	s.cmServer.Remove(serverID)
-			// 	log.Printf("server heartbeat conn %s released", serverID)
-			// case CONN_CLIENT_HEARBEAT:
-			// 	var clientID string
-			// 	err = utils.ReadPacketData(reader, &clientID)
-			// 	if err != nil {
-			// 		log.Printf("read error,ERR:%s", err)
-			// 		return
-			// 	}
-			// 	log.Printf("client heartbeat connection, id: %s", clientID)
-			// 	writeDie := make(chan bool)
-			// 	readDie := make(chan bool)
-			// 	go func() {
-			// 		for {
-			// 			inConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-			// 			_, err = inConn.Write([]byte{0x00})
-			// 			inConn.SetWriteDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("client heartbeat connection write err %s", err)
-			// 				break
-			// 			}
-			// 			time.Sleep(time.Second * 3)
-			// 		}
-			// 		close(writeDie)
-			// 	}()
-			// 	go func() {
-			// 		for {
-			// 			signal := make([]byte, 1)
-			// 			inConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-			// 			_, err := inConn.Read(signal)
-			// 			inConn.SetReadDeadline(time.Time{})
-			// 			if err != nil {
-			// 				log.Printf("client control connection read err: %s", err)
-			// 				break
-			// 			} else {
-			// 				// log.Printf("heartbeat from client ,id:%s", clientID)
-			// 			}
-			// 		}
-			// 		close(readDie)
-			// 	}()
-			// 	select {
-			// 	case <-readDie:
-			// 	case <-writeDie:
-			// 	}
-			// 	utils.CloseConn(&inConn)
-			// 	s.cmClient.Remove(clientID)
-			// 	if s.clientControlConns.Has(clientID) {
-			// 		item, _ := s.clientControlConns.Get(clientID)
-			// 		(*item.(*net.Conn)).Close()
-			// 	}
-			// 	s.clientControlConns.Remove(clientID)
-			// 	log.Printf("client heartbeat conn %s released", clientID)
+		s.log.Printf("set client %s control conn", key)
 	}
-	})
-	if err != nil {
-		return
-	}
-	log.Printf("proxy on tunnel bridge mode %s", (*sc.Listener).Addr())
-	return
-}
-func (s *TunnelBridge) Clean() {
-	s.StopService()
 }
--- a/services/tunnel_client.go
+++ b/services/tunnel_client.go
@ -4,117 +4,90 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
-	"snail007/proxy/utils"
+	"os"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+
+	//"github.com/xtaci/smux"
+	smux "github.com/hashicorp/yamux"
 )

 type TunnelClient struct {
 	cfg       TunnelClientArgs
-	// cm       utils.ConnManager
 	ctrlConn  net.Conn
+	isStop    bool
+	userConns utils.ConcurrentMap
+	log       *logger.Logger
 }

 func NewTunnelClient() Service {
 	return &TunnelClient{
 		cfg:       TunnelClientArgs{},
-		// cm:  utils.NewConnManager(),
+		userConns: utils.NewConcurrentMap(),
+		isStop:    false,
 	}
 }

-func (s *TunnelClient) InitService() {
-	// s.InitHeartbeatDeamon()
+func (s *TunnelClient) InitService() (err error) {
+	return
 }

-// func (s *TunnelClient) InitHeartbeatDeamon() {
-// 	log.Printf("heartbeat started")
-// 	go func() {
-// 		var heartbeatConn net.Conn
-// 		var ID = *s.cfg.Key
-// 		for {
-
-// 			//close all connection
-// 			s.cm.RemoveAll()
-// 			if s.ctrlConn != nil {
-// 				s.ctrlConn.Close()
-// 			}
-// 			utils.CloseConn(&heartbeatConn)
-// 			heartbeatConn, err := s.GetInConn(CONN_CLIENT_HEARBEAT, ID)
-// 			if err != nil {
-// 				log.Printf("heartbeat connection err: %s, retrying...", err)
-// 				time.Sleep(time.Second * 3)
-// 				utils.CloseConn(&heartbeatConn)
-// 				continue
-// 			}
-// 			log.Printf("heartbeat connection created,id:%s", ID)
-// 			writeDie := make(chan bool)
-// 			readDie := make(chan bool)
-// 			go func() {
-// 				for {
-// 					heartbeatConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-// 					_, err = heartbeatConn.Write([]byte{0x00})
-// 					heartbeatConn.SetWriteDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection write err %s", err)
-// 						break
-// 					}
-// 					time.Sleep(time.Second * 3)
-// 				}
-// 				close(writeDie)
-// 			}()
-// 			go func() {
-// 				for {
-// 					signal := make([]byte, 1)
-// 					heartbeatConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-// 					_, err := heartbeatConn.Read(signal)
-// 					heartbeatConn.SetReadDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection read err: %s", err)
-// 						break
-// 					} else {
-// 						//log.Printf("heartbeat from bridge")
-// 					}
-// 				}
-// 				close(readDie)
-// 			}()
-// 			select {
-// 			case <-readDie:
-// 			case <-writeDie:
-// 			}
-// 		}
-// 	}()
-// }
-func (s *TunnelClient) CheckArgs() {
+func (s *TunnelClient) CheckArgs() (err error) {
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use tls parent %s", *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	return
 }
 func (s *TunnelClient) StopService() {
-	// s.cm.RemoveAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop tclient service crashed,%s", e)
+		} else {
+			s.log.Printf("service tclient stoped")
 		}
-func (s *TunnelClient) Start(args interface{}) (err error) {
+	}()
+	s.isStop = true
+	if s.ctrlConn != nil {
+		s.ctrlConn.Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
+}
+func (s *TunnelClient) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelClientArgs)
-	s.CheckArgs()
-	s.InitService()
-	log.Printf("proxy on tunnel client mode")
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
+	s.log.Printf("proxy on tunnel client mode")

 	for {
-		//close all conn
-		// s.cm.Remove(*s.cfg.Key)
+		if s.isStop {
+			return
+		}
 		if s.ctrlConn != nil {
 			s.ctrlConn.Close()
 		}

 		s.ctrlConn, err = s.GetInConn(CONN_CLIENT_CONTROL, *s.cfg.Key)
 		if err != nil {
-			log.Printf("control connection err: %s, retrying...", err)
+			s.log.Printf("control connection err: %s, retrying...", err)
 			time.Sleep(time.Second * 3)
 			if s.ctrlConn != nil {
 				s.ctrlConn.Close()
@ -122,16 +95,19 @@ func (s *TunnelClient) Start(args interface{}) (err error) {
 			continue
 		}
 		for {
+			if s.isStop {
+				return
+			}
 			var ID, clientLocalAddr, serverID string
 			err = utils.ReadPacketData(s.ctrlConn, &ID, &clientLocalAddr, &serverID)
 			if err != nil {
 				if s.ctrlConn != nil {
 					s.ctrlConn.Close()
 				}
-				log.Printf("read connection signal err: %s, retrying...", err)
+				s.log.Printf("read connection signal err: %s, retrying...", err)
 				break
 			}
-			log.Printf("signal revecived:%s %s %s", serverID, ID, clientLocalAddr)
+			s.log.Printf("signal revecived:%s %s %s", serverID, ID, clientLocalAddr)
 			protocol := clientLocalAddr[:3]
 			localAddr := clientLocalAddr[4:]
 			if protocol == "udp" {
@ -164,6 +140,25 @@ func (s *TunnelClient) GetConn() (conn net.Conn, err error) {
 	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
 	if err == nil {
 		conn = net.Conn(&_conn)
+		c, e := smux.Client(conn, &smux.Config{
+			AcceptBacklog:          256,
+			EnableKeepAlive:        true,
+			KeepAliveInterval:      9 * time.Second,
+			ConnectionWriteTimeout: 3 * time.Second,
+			MaxStreamWindowSize:    512 * 1024,
+			LogOutput:              os.Stderr,
+		})
+		if e != nil {
+			s.log.Printf("new mux client conn error,ERR:%s", e)
+			err = e
+			return
+		}
+		conn, e = c.OpenStream()
+		if e != nil {
+			s.log.Printf("mux client conn open stream error,ERR:%s", e)
+			err = e
+			return
+		}
 	}
 	return
 }
@ -172,11 +167,17 @@ func (s *TunnelClient) ServeUDP(localAddr, ID, serverID string) {
 	var err error
 	// for {
 	for {
+		if s.isStop {
+			if inConn != nil {
+				inConn.Close()
+			}
+			return
+		}
 		// s.cm.RemoveOne(*s.cfg.Key, ID)
 		inConn, err = s.GetInConn(CONN_CLIENT, *s.cfg.Key, ID, serverID)
 		if err != nil {
 			utils.CloseConn(&inConn)
-			log.Printf("connection err: %s, retrying...", err)
+			s.log.Printf("connection err: %s, retrying...", err)
 			time.Sleep(time.Second * 3)
 			continue
 		} else {
@ -184,18 +185,21 @@ func (s *TunnelClient) ServeUDP(localAddr, ID, serverID string) {
 		}
 	}
 	// s.cm.Add(*s.cfg.Key, ID, &inConn)
-	log.Printf("conn %s created", ID)
+	s.log.Printf("conn %s created", ID)

 	for {
+		if s.isStop {
+			return
+		}
 		srcAddr, body, err := utils.ReadUDPPacket(inConn)
 		if err == io.EOF || err == io.ErrUnexpectedEOF {
-			log.Printf("connection %s released", ID)
+			s.log.Printf("connection %s released", ID)
 			utils.CloseConn(&inConn)
 			break
 		} else if err != nil {
-			log.Printf("udp packet revecived fail, err: %s", err)
+			s.log.Printf("udp packet revecived fail, err: %s", err)
 		} else {
-			//log.Printf("udp packet revecived:%s,%v", srcAddr, body)
+			//s.log.Printf("udp packet revecived:%s,%v", srcAddr, body)
 			go s.processUDPPacket(&inConn, srcAddr, localAddr, body)
 		}

@ -205,48 +209,51 @@ func (s *TunnelClient) ServeUDP(localAddr, ID, serverID string) {
 func (s *TunnelClient) processUDPPacket(inConn *net.Conn, srcAddr, localAddr string, body []byte) {
 	dstAddr, err := net.ResolveUDPAddr("udp", localAddr)
 	if err != nil {
-		log.Printf("can't resolve address: %s", err)
+		s.log.Printf("can't resolve address: %s", err)
 		utils.CloseConn(inConn)
 		return
 	}
 	clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 	if err != nil {
-		log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = conn.Write(body)
 	if err != nil {
-		log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("send udp packet to %s success", dstAddr.String())
+	//s.log.Printf("send udp packet to %s success", dstAddr.String())
 	buf := make([]byte, 1024)
 	length, _, err := conn.ReadFromUDP(buf)
 	if err != nil {
-		log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	respBody := buf[0:length]
-	//log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
+	//s.log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 	bs := utils.UDPPacket(srcAddr, respBody)
 	_, err = (*inConn).Write(bs)
 	if err != nil {
-		log.Printf("send udp response fail ,ERR:%s", err)
+		s.log.Printf("send udp response fail ,ERR:%s", err)
 		utils.CloseConn(inConn)
 		return
 	}
-	//log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
+	//s.log.Printf("send udp response success ,from:%s ,%d ,%v", dstAddr.String(), len(bs), bs)
 }
 func (s *TunnelClient) ServeConn(localAddr, ID, serverID string) {
 	var inConn, outConn net.Conn
 	var err error
 	for {
+		if s.isStop {
+			return
+		}
 		inConn, err = s.GetInConn(CONN_CLIENT, *s.cfg.Key, ID, serverID)
 		if err != nil {
 			utils.CloseConn(&inConn)
-			log.Printf("connection err: %s, retrying...", err)
+			s.log.Printf("connection err: %s, retrying...", err)
 			time.Sleep(time.Second * 3)
 			continue
 		} else {
@ -256,13 +263,16 @@ func (s *TunnelClient) ServeConn(localAddr, ID, serverID string) {

 	i := 0
 	for {
+		if s.isStop {
+			return
+		}
 		i++
 		outConn, err = utils.ConnectHost(localAddr, *s.cfg.Timeout)
 		if err == nil || i == 3 {
 			break
 		} else {
 			if i == 3 {
-				log.Printf("connect to %s err: %s, retrying...", localAddr, err)
+				s.log.Printf("connect to %s err: %s, retrying...", localAddr, err)
 				time.Sleep(2 * time.Second)
 				continue
 			}
@ -271,13 +281,17 @@ func (s *TunnelClient) ServeConn(localAddr, ID, serverID string) {
 	if err != nil {
 		utils.CloseConn(&inConn)
 		utils.CloseConn(&outConn)
-		log.Printf("build connection error, err: %s", err)
+		s.log.Printf("build connection error, err: %s", err)
 		return
 	}
+	inAddr := inConn.RemoteAddr().String()
 	utils.IoBind(inConn, outConn, func(err interface{}) {
-		log.Printf("conn %s released", ID)
-		// s.cm.RemoveOne(*s.cfg.Key, ID)
-	})
-	// s.cm.Add(*s.cfg.Key, ID, &inConn)
-	log.Printf("conn %s created", ID)
+		s.log.Printf("conn %s released", ID)
+		s.userConns.Remove(inAddr)
+	}, s.log)
+	if c, ok := s.userConns.Get(inAddr); ok {
+		(*c.(*net.Conn)).Close()
+	}
+	s.userConns.Set(inAddr, &inConn)
+	s.log.Printf("conn %s created", ID)
 }
--- a/services/tunnel_server.go
+++ b/services/tunnel_server.go
@ -4,27 +4,36 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
-	"log"
+	logger "log"
 	"net"
+	"os"
 	"runtime/debug"
-	"snail007/proxy/utils"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/snail007/goproxy/utils"
+
+	//"github.com/xtaci/smux"
+	smux "github.com/hashicorp/yamux"
 )

 type TunnelServer struct {
 	cfg       TunnelServerArgs
 	udpChn    chan UDPItem
 	sc        utils.ServerChannel
+	isStop    bool
+	udpConn   *net.Conn
+	userConns utils.ConcurrentMap
+	log       *logger.Logger
 }

 type TunnelServerManager struct {
 	cfg      TunnelServerArgs
 	udpChn   chan UDPItem
-	sc       utils.ServerChannel
 	serverID string
-	// cm       utils.ConnManager
+	servers  []*Service
+	log      *logger.Logger
 }

 func NewTunnelServerManager() Service {
@ -32,22 +41,28 @@ func NewTunnelServerManager() Service {
 		cfg:      TunnelServerArgs{},
 		udpChn:   make(chan UDPItem, 50000),
 		serverID: utils.Uniqueid(),
-		// cm:       utils.NewConnManager(),
+		servers:  []*Service{},
 	}
 }
-func (s *TunnelServerManager) Start(args interface{}) (err error) {
+func (s *TunnelServerManager) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelServerArgs)
-	s.CheckArgs()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
 	if *s.cfg.Parent != "" {
-		log.Printf("use tls parent %s", *s.cfg.Parent)
+		s.log.Printf("use tls parent %s", *s.cfg.Parent)
 	} else {
-		log.Fatalf("parent required")
+		err = fmt.Errorf("parent required")
+		return
 	}

-	s.InitService()
+	if err = s.InitService(); err != nil {
+		return
+	}

-	log.Printf("server id: %s", s.serverID)
-	//log.Printf("route:%v", *s.cfg.Route)
+	s.log.Printf("server id: %s", s.serverID)
+	//s.log.Printf("route:%v", *s.cfg.Route)
 	for _, _info := range *s.cfg.Route {
 		IsUDP := *s.cfg.IsUDP
 		if strings.HasPrefix(_info, "udp://") {
@ -79,11 +94,12 @@ func (s *TunnelServerManager) Start(args interface{}) (err error) {
 			Key:       &KEY,
 			Timeout:   s.cfg.Timeout,
 			Mgr:       s,
-		})
+		}, log)

 		if err != nil {
 			return
 		}
+		s.servers = append(s.servers, &server)
 	}
 	return
 }
@ -91,82 +107,32 @@ func (s *TunnelServerManager) Clean() {
 	s.StopService()
 }
 func (s *TunnelServerManager) StopService() {
-	// s.cm.RemoveAll()
+	for _, server := range s.servers {
+		(*server).Clean()
 	}
-func (s *TunnelServerManager) CheckArgs() {
+}
+func (s *TunnelServerManager) CheckArgs() (err error) {
 	if *s.cfg.CertFile == "" || *s.cfg.KeyFile == "" {
-		log.Fatalf("cert and key file required")
+		err = fmt.Errorf("cert and key file required")
+		return
 	}
-	s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+	return
 }
-func (s *TunnelServerManager) InitService() {
-	// s.InitHeartbeatDeamon()
+func (s *TunnelServerManager) InitService() (err error) {
+	return
 }

-// func (s *TunnelServerManager) InitHeartbeatDeamon() {
-// 	log.Printf("heartbeat started")
-// 	go func() {
-// 		var heartbeatConn net.Conn
-// 		var ID string
-// 		for {
-// 			//close all connection
-// 			s.cm.Remove(ID)
-// 			utils.CloseConn(&heartbeatConn)
-// 			heartbeatConn, ID, err := s.GetOutConn(CONN_SERVER_HEARBEAT)
-// 			if err != nil {
-// 				log.Printf("heartbeat connection err: %s, retrying...", err)
-// 				time.Sleep(time.Second * 3)
-// 				utils.CloseConn(&heartbeatConn)
-// 				continue
-// 			}
-// 			log.Printf("heartbeat connection created,id:%s", ID)
-// 			writeDie := make(chan bool)
-// 			readDie := make(chan bool)
-// 			go func() {
-// 				for {
-// 					heartbeatConn.SetWriteDeadline(time.Now().Add(time.Second * 3))
-// 					_, err = heartbeatConn.Write([]byte{0x00})
-// 					heartbeatConn.SetWriteDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection write err %s", err)
-// 						break
-// 					}
-// 					time.Sleep(time.Second * 3)
-// 				}
-// 				close(writeDie)
-// 			}()
-// 			go func() {
-// 				for {
-// 					signal := make([]byte, 1)
-// 					heartbeatConn.SetReadDeadline(time.Now().Add(time.Second * 6))
-// 					_, err := heartbeatConn.Read(signal)
-// 					heartbeatConn.SetReadDeadline(time.Time{})
-// 					if err != nil {
-// 						log.Printf("heartbeat connection read err: %s", err)
-// 						break
-// 					} else {
-// 						// log.Printf("heartbeat from bridge")
-// 					}
-// 				}
-// 				close(readDie)
-// 			}()
-// 			select {
-// 			case <-readDie:
-// 			case <-writeDie:
-// 			}
-// 		}
-// 	}()
-// }
 func (s *TunnelServerManager) GetOutConn(typ uint8) (outConn net.Conn, ID string, err error) {
 	outConn, err = s.GetConn()
 	if err != nil {
-		log.Printf("connection err: %s", err)
+		s.log.Printf("connection err: %s", err)
 		return
 	}
 	ID = s.serverID
 	_, err = outConn.Write(utils.BuildPacket(typ, s.serverID))
 	if err != nil {
-		log.Printf("write connection data err: %s ,retrying...", err)
+		s.log.Printf("write connection data err: %s ,retrying...", err)
 		utils.CloseConn(&outConn)
 		return
 	}
@ -184,6 +150,8 @@ func NewTunnelServer() Service {
 	return &TunnelServer{
 		cfg:       TunnelServerArgs{},
 		udpChn:    make(chan UDPItem, 50000),
+		isStop:    false,
+		userConns: utils.NewConcurrentMap(),
 	}
 }

@ -193,22 +161,54 @@ type UDPItem struct {
 	srcAddr   *net.UDPAddr
 }

-func (s *TunnelServer) InitService() {
+func (s *TunnelServer) StopService() {
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop server service crashed,%s", e)
+		} else {
+			s.log.Printf("service server stoped")
+		}
+	}()
+	s.isStop = true
+
+	if s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
+	}
+	if s.udpConn != nil {
+		(*s.udpConn).Close()
+	}
+	for _, c := range s.userConns.Items() {
+		(*c.(*net.Conn)).Close()
+	}
+}
+func (s *TunnelServer) InitService() (err error) {
 	s.UDPConnDeamon()
+	return
 }
-func (s *TunnelServer) CheckArgs() {
+func (s *TunnelServer) CheckArgs() (err error) {
 	if *s.cfg.Remote == "" {
-		log.Fatalf("remote required")
+		err = fmt.Errorf("remote required")
+		return
 	}
+	return
 }

-func (s *TunnelServer) Start(args interface{}) (err error) {
+func (s *TunnelServer) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(TunnelServerArgs)
-	s.CheckArgs()
-	s.InitService()
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	s.sc = utils.NewServerChannel(host, p)
+	s.sc = utils.NewServerChannel(host, p, s.log)
 	if *s.cfg.IsUDP {
 		err = s.sc.ListenUDP(func(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 			s.udpChn <- UDPItem{
@ -220,39 +220,45 @@ func (s *TunnelServer) Start(args interface{}) (err error) {
 		if err != nil {
 			return
 		}
-		log.Printf("proxy on udp tunnel server mode %s", (*s.sc.UDPListener).LocalAddr())
+		s.log.Printf("proxy on udp tunnel server mode %s", (*s.sc.UDPListener).LocalAddr())
 	} else {
 		err = s.sc.ListenTCP(func(inConn net.Conn) {
 			defer func() {
 				if err := recover(); err != nil {
-					log.Printf("tserver conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+					s.log.Printf("tserver conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 				}
 			}()
 			var outConn net.Conn
 			var ID string
 			for {
+				if s.isStop {
+					return
+				}
 				outConn, ID, err = s.GetOutConn(CONN_SERVER)
 				if err != nil {
 					utils.CloseConn(&outConn)
-					log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+					s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 					time.Sleep(time.Second * 3)
 					continue
 				} else {
 					break
 				}
 			}
+			inAddr := inConn.RemoteAddr().String()
 			utils.IoBind(inConn, outConn, func(err interface{}) {
-				// s.cfg.Mgr.cm.RemoveOne(s.cfg.Mgr.serverID, ID)
-				log.Printf("%s conn %s released", *s.cfg.Key, ID)
-			})
-			//add conn
-			// s.cfg.Mgr.cm.Add(s.cfg.Mgr.serverID, ID, &inConn)
-			log.Printf("%s conn %s created", *s.cfg.Key, ID)
+				s.userConns.Remove(inAddr)
+				s.log.Printf("%s conn %s released", *s.cfg.Key, ID)
+			}, s.log)
+			if c, ok := s.userConns.Get(inAddr); ok {
+				(*c.(*net.Conn)).Close()
+			}
+			s.userConns.Set(inAddr, &inConn)
+			s.log.Printf("%s conn %s created", *s.cfg.Key, ID)
 		})
 		if err != nil {
 			return
 		}
-		log.Printf("proxy on tunnel server mode %s", (*s.sc.Listener).Addr())
+		s.log.Printf("proxy on tunnel server mode %s", (*s.sc.Listener).Addr())
 	}
 	return
 }
@ -262,7 +268,7 @@ func (s *TunnelServer) Clean() {
 func (s *TunnelServer) GetOutConn(typ uint8) (outConn net.Conn, ID string, err error) {
 	outConn, err = s.GetConn()
 	if err != nil {
-		log.Printf("connection err: %s", err)
+		s.log.Printf("connection err: %s", err)
 		return
 	}
 	remoteAddr := "tcp:" + *s.cfg.Remote
@ -272,7 +278,7 @@ func (s *TunnelServer) GetOutConn(typ uint8) (outConn net.Conn, ID string, err e
 	ID = utils.Uniqueid()
 	_, err = outConn.Write(utils.BuildPacket(typ, *s.cfg.Key, ID, remoteAddr, s.cfg.Mgr.serverID))
 	if err != nil {
-		log.Printf("write connection data err: %s ,retrying...", err)
+		s.log.Printf("write connection data err: %s ,retrying...", err)
 		utils.CloseConn(&outConn)
 		return
 	}
@ -283,6 +289,25 @@ func (s *TunnelServer) GetConn() (conn net.Conn, err error) {
 	_conn, err = utils.TlsConnectHost(*s.cfg.Parent, *s.cfg.Timeout, s.cfg.CertBytes, s.cfg.KeyBytes, nil)
 	if err == nil {
 		conn = net.Conn(&_conn)
+		c, e := smux.Client(conn, &smux.Config{
+			AcceptBacklog:          256,
+			EnableKeepAlive:        true,
+			KeepAliveInterval:      9 * time.Second,
+			ConnectionWriteTimeout: 3 * time.Second,
+			MaxStreamWindowSize:    512 * 1024,
+			LogOutput:              os.Stderr,
+		})
+		if e != nil {
+			s.log.Printf("new mux client conn error,ERR:%s", e)
+			err = e
+			return
+		}
+		conn, e = c.OpenStream()
+		if e != nil {
+			s.log.Printf("mux client conn open stream error,ERR:%s", e)
+			err = e
+			return
+		}
 	}
 	return
 }
@ -290,7 +315,7 @@ func (s *TunnelServer) UDPConnDeamon() {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
-				log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+				s.log.Printf("udp conn deamon crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 			}
 		}()
 		var outConn net.Conn
@ -299,48 +324,60 @@ func (s *TunnelServer) UDPConnDeamon() {
 		// var cmdChn = make(chan bool, 1000)
 		var err error
 		for {
+			if s.isStop {
+				return
+			}
 			item := <-s.udpChn
 		RETRY:
+			if s.isStop {
+				return
+			}
 			if outConn == nil {
 				for {
+					if s.isStop {
+						return
+					}
 					outConn, ID, err = s.GetOutConn(CONN_SERVER)
 					if err != nil {
 						// cmdChn <- true
 						outConn = nil
 						utils.CloseConn(&outConn)
-						log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
+						s.log.Printf("connect to %s fail, err: %s, retrying...", *s.cfg.Parent, err)
 						time.Sleep(time.Second * 3)
 						continue
 					} else {
 						go func(outConn net.Conn, ID string) {
-							go func() {
-								// <-cmdChn
-								// outConn.Close()
-							}()
+							if s.udpConn != nil {
+								(*s.udpConn).Close()
+							}
+							s.udpConn = &outConn
 							for {
+								if s.isStop {
+									return
+								}
 								srcAddrFromConn, body, err := utils.ReadUDPPacket(outConn)
 								if err == io.EOF || err == io.ErrUnexpectedEOF {
-									log.Printf("UDP deamon connection %s exited", ID)
+									s.log.Printf("UDP deamon connection %s exited", ID)
 									break
 								}
 								if err != nil {
-									log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
+									s.log.Printf("parse revecived udp packet fail, err: %s ,%v", err, body)
 									continue
 								}
-								//log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
+								//s.log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
 								_srcAddr := strings.Split(srcAddrFromConn, ":")
 								if len(_srcAddr) != 2 {
-									log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
+									s.log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
 									continue
 								}
 								port, _ := strconv.Atoi(_srcAddr[1])
 								dstAddr := &net.UDPAddr{IP: net.ParseIP(_srcAddr[0]), Port: port}
 								_, err = s.sc.UDPListener.WriteToUDP(body, dstAddr)
 								if err != nil {
-									log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
+									s.log.Printf("udp response to local %s fail,ERR:%s", srcAddrFromConn, err)
 									continue
 								}
-								//log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
+								//s.log.Printf("udp response to local %s success , %v", srcAddrFromConn, body)
 							}
 						}(outConn, ID)
 						break
@ -353,10 +390,10 @@ func (s *TunnelServer) UDPConnDeamon() {
 			if err != nil {
 				utils.CloseConn(&outConn)
 				outConn = nil
-				log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
+				s.log.Printf("write udp packet to %s fail ,flush err:%s ,retrying...", *s.cfg.Parent, err)
 				goto RETRY
 			}
-			//log.Printf("write packet %v", *item.packet)
+			//s.log.Printf("write packet %v", *item.packet)
 		}
 	}()
 }
--- a/services/udp.go
+++ b/services/udp.go
@ -5,65 +5,92 @@ import (
 	"fmt"
 	"hash/crc32"
 	"io"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/services/kcpcfg"
-	"snail007/proxy/utils"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/snail007/goproxy/services/kcpcfg"
+	"github.com/snail007/goproxy/utils"
 )

 type UDP struct {
 	p       utils.ConcurrentMap
-	outPool utils.OutPool
+	outPool utils.OutConn
 	cfg     UDPArgs
 	sc      *utils.ServerChannel
+	isStop  bool
+	log     *logger.Logger
 }

 func NewUDP() Service {
 	return &UDP{
-		outPool: utils.OutPool{},
+		outPool: utils.OutConn{},
 		p:       utils.NewConcurrentMap(),
+		isStop:  false,
 	}
 }
-func (s *UDP) CheckArgs() {
+func (s *UDP) CheckArgs() (err error) {
 	if *s.cfg.Parent == "" {
-		log.Fatalf("parent required for udp %s", *s.cfg.Local)
+		err = fmt.Errorf("parent required for udp %s", *s.cfg.Local)
+		return
 	}
 	if *s.cfg.ParentType == "" {
-		log.Fatalf("parent type unkown,use -T <tls|tcp>")
+		err = fmt.Errorf("parent type unkown,use -T <tls|tcp>")
+		return
 	}
 	if *s.cfg.ParentType == "tls" {
-		s.cfg.CertBytes, s.cfg.KeyBytes = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		s.cfg.CertBytes, s.cfg.KeyBytes, err = utils.TlsBytes(*s.cfg.CertFile, *s.cfg.KeyFile)
+		if err != nil {
+			return
 		}
 	}
-func (s *UDP) InitService() {
+	return
+}
+func (s *UDP) InitService() (err error) {
 	if *s.cfg.ParentType != TYPE_UDP {
 		s.InitOutConnPool()
 	}
+	return
 }
 func (s *UDP) StopService() {
-	if s.outPool.Pool != nil {
-		s.outPool.Pool.ReleaseAll()
+	defer func() {
+		e := recover()
+		if e != nil {
+			s.log.Printf("stop udp service crashed,%s", e)
+		} else {
+			s.log.Printf("service udp stoped")
+		}
+	}()
+	s.isStop = true
+	if s.sc.Listener != nil && *s.sc.Listener != nil {
+		(*s.sc.Listener).Close()
+	}
+	if s.sc.UDPListener != nil {
+		(*s.sc.UDPListener).Close()
 	}
 }
-func (s *UDP) Start(args interface{}) (err error) {
+func (s *UDP) Start(args interface{}, log *logger.Logger) (err error) {
+	s.log = log
 	s.cfg = args.(UDPArgs)
-	s.CheckArgs()
-	log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
-	s.InitService()
-
+	if err = s.CheckArgs(); err != nil {
+		return
+	}
+	s.log.Printf("use %s parent %s", *s.cfg.ParentType, *s.cfg.Parent)
+	if err = s.InitService(); err != nil {
+		return
+	}
 	host, port, _ := net.SplitHostPort(*s.cfg.Local)
 	p, _ := strconv.Atoi(port)
-	sc := utils.NewServerChannel(host, p)
+	sc := utils.NewServerChannel(host, p, s.log)
 	s.sc = &sc
 	err = sc.ListenUDP(s.callback)
 	if err != nil {
 		return
 	}
-	log.Printf("udp proxy on %s", (*sc.UDPListener).LocalAddr())
+	s.log.Printf("udp proxy on %s", (*sc.UDPListener).LocalAddr())
 	return
 }

@ -73,7 +100,7 @@ func (s *UDP) Clean() {
 func (s *UDP) callback(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 	defer func() {
 		if err := recover(); err != nil {
-			log.Printf("udp conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+			s.log.Printf("udp conn handler crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 		}
 	}()
 	var err error
@ -88,14 +115,14 @@ func (s *UDP) callback(packet []byte, localAddr, srcAddr *net.UDPAddr) {
 		err = fmt.Errorf("unkown parent type %s", *s.cfg.ParentType)
 	}
 	if err != nil {
-		log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
+		s.log.Printf("connect to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
 	}
 }
 func (s *UDP) GetConn(connKey string) (conn net.Conn, isNew bool, err error) {
 	isNew = !s.p.Has(connKey)
 	var _conn interface{}
 	if isNew {
-		_conn, err = s.outPool.Pool.Get()
+		_conn, err = s.outPool.Get()
 		if err != nil {
 			return nil, false, err
 		}
@ -109,112 +136,114 @@ func (s *UDP) GetConn(connKey string) (conn net.Conn, isNew bool, err error) {
 func (s *UDP) OutToTCP(packet []byte, localAddr, srcAddr *net.UDPAddr) (err error) {
 	numLocal := crc32.ChecksumIEEE([]byte(localAddr.String()))
 	numSrc := crc32.ChecksumIEEE([]byte(srcAddr.String()))
-	mod := uint32(*s.cfg.PoolSize)
+	mod := uint32(10)
 	if mod == 0 {
 		mod = 10
 	}
 	connKey := uint64((numLocal/10)*10 + numSrc%mod)
 	conn, isNew, err := s.GetConn(fmt.Sprintf("%d", connKey))
 	if err != nil {
-		log.Printf("upd get conn to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
+		s.log.Printf("upd get conn to %s parent %s fail, ERR:%s", *s.cfg.ParentType, *s.cfg.Parent, err)
 		return
 	}
 	if isNew {
 		go func() {
 			defer func() {
 				if err := recover(); err != nil {
-					log.Printf("udp conn handler out to tcp crashed with err : %s \nstack: %s", err, string(debug.Stack()))
+					s.log.Printf("udp conn handler out to tcp crashed with err : %s \nstack: %s", err, string(debug.Stack()))
 				}
 			}()
-			log.Printf("conn %d created , local: %s", connKey, srcAddr.String())
+			s.log.Printf("conn %d created , local: %s", connKey, srcAddr.String())
 			for {
+				if s.isStop {
+					conn.Close()
+					return
+				}
 				srcAddrFromConn, body, err := utils.ReadUDPPacket(bufio.NewReader(conn))
 				if err == io.EOF || err == io.ErrUnexpectedEOF {
-					//log.Printf("connection %d released", connKey)
+					//s.log.Printf("connection %d released", connKey)
 					s.p.Remove(fmt.Sprintf("%d", connKey))
 					break
 				}
 				if err != nil {
-					log.Printf("parse revecived udp packet fail, err: %s", err)
+					s.log.Printf("parse revecived udp packet fail, err: %s", err)
 					continue
 				}
-				//log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
+				//s.log.Printf("udp packet revecived over parent , local:%s", srcAddrFromConn)
 				_srcAddr := strings.Split(srcAddrFromConn, ":")
 				if len(_srcAddr) != 2 {
-					log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
+					s.log.Printf("parse revecived udp packet fail, addr error : %s", srcAddrFromConn)
 					continue
 				}
 				port, _ := strconv.Atoi(_srcAddr[1])
 				dstAddr := &net.UDPAddr{IP: net.ParseIP(_srcAddr[0]), Port: port}
 				_, err = s.sc.UDPListener.WriteToUDP(body, dstAddr)
 				if err != nil {
-					log.Printf("udp response to local %s fail,ERR:%s", srcAddr, err)
+					s.log.Printf("udp response to local %s fail,ERR:%s", srcAddr, err)
 					continue
 				}
-				//log.Printf("udp response to local %s success", srcAddr)
+				//s.log.Printf("udp response to local %s success", srcAddr)
 			}
 		}()
 	}
-	//log.Printf("select conn %d , local: %s", connKey, srcAddr.String())
+	//s.log.Printf("select conn %d , local: %s", connKey, srcAddr.String())
 	writer := bufio.NewWriter(conn)
 	//fmt.Println(conn, writer)
 	writer.Write(utils.UDPPacket(srcAddr.String(), packet))
 	err = writer.Flush()
 	if err != nil {
-		log.Printf("write udp packet to %s fail ,flush err:%s", *s.cfg.Parent, err)
+		s.log.Printf("write udp packet to %s fail ,flush err:%s", *s.cfg.Parent, err)
 		return
 	}
-	//log.Printf("write packet %v", packet)
+	//s.log.Printf("write packet %v", packet)
 	return
 }
 func (s *UDP) OutToUDP(packet []byte, localAddr, srcAddr *net.UDPAddr) (err error) {
-	//log.Printf("udp packet revecived:%s,%v", srcAddr, packet)
+	//s.log.Printf("udp packet revecived:%s,%v", srcAddr, packet)
 	dstAddr, err := net.ResolveUDPAddr("udp", *s.cfg.Parent)
 	if err != nil {
-		log.Printf("resolve udp addr %s fail  fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("resolve udp addr %s fail  fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	clientSrcAddr := &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	conn, err := net.DialUDP("udp", clientSrcAddr, dstAddr)
 	if err != nil {
-		log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("connect to udp %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
 	conn.SetDeadline(time.Now().Add(time.Millisecond * time.Duration(*s.cfg.Timeout)))
 	_, err = conn.Write(packet)
 	if err != nil {
-		log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("send udp packet to %s fail,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("send udp packet to %s success", dstAddr.String())
+	//s.log.Printf("send udp packet to %s success", dstAddr.String())
 	buf := make([]byte, 512)
 	len, _, err := conn.ReadFromUDP(buf)
 	if err != nil {
-		log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
+		s.log.Printf("read udp response from %s fail ,ERR:%s", dstAddr.String(), err)
 		return
 	}
-	//log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
+	//s.log.Printf("revecived udp packet from %s , %v", dstAddr.String(), respBody)
 	_, err = s.sc.UDPListener.WriteToUDP(buf[0:len], srcAddr)
 	if err != nil {
-		log.Printf("send udp response to cluster fail ,ERR:%s", err)
+		s.log.Printf("send udp response to cluster fail ,ERR:%s", err)
 		return
 	}
-	//log.Printf("send udp response to cluster success ,from:%s", dstAddr.String())
+	//s.log.Printf("send udp response to cluster success ,from:%s", dstAddr.String())
 	return
 }
 func (s *UDP) InitOutConnPool() {
 	if *s.cfg.ParentType == TYPE_TLS || *s.cfg.ParentType == TYPE_TCP {
 		//dur int, isTLS bool, certBytes, keyBytes []byte,
 		//parent string, timeout int, InitialCap int, MaxCap int
-		s.outPool = utils.NewOutPool(
+		s.outPool = utils.NewOutConn(
 			*s.cfg.CheckParentInterval,
 			*s.cfg.ParentType,
 			kcpcfg.KCPConfigArgs{},
 			s.cfg.CertBytes, s.cfg.KeyBytes, nil,
 			*s.cfg.Parent,
 			*s.cfg.Timeout,
-			*s.cfg.PoolSize,
-			*s.cfg.PoolSize*2,
 		)
 	}
 }
--- a/utils/conncrypt/conncrypt.go
+++ b/utils/conncrypt/conncrypt.go
@ -0,0 +1,95 @@
+package conncrypt
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"hash"
+	"io"
+	"net"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+//Confg defaults
+const DefaultIterations = 2048
+const DefaultKeySize = 32 //256bits
+var DefaultHashFunc = sha256.New
+var DefaultSalt = []byte(`
+(;QUHj.BQ?RXzYSO]ifkXp/G!kFmWyXyEV6Nt!d|@bo+N$L9+<d$|g6e26T}
+Ao<:>SOd,6acYKY_ec+(x"R";\'4&fTAVu92GVA-wxBptOTM^2,iP5%)wnhW
+hwk=]Snsgymt!3gbP2pe=J//}1a?lp9ej=&TB!C_V(cT2?z8wyoL_-13fd[]
+`) //salt must be predefined in order to derive the same key
+
+//Config stores the PBKDF2 key generation parameters
+type Config struct {
+	Password   string
+	Salt       []byte
+	Iterations int
+	KeySize    int
+	HashFunc   func() hash.Hash
+}
+
+//New creates an AES encrypted net.Conn by generating
+//a key using PBKDF2 with the provided configuration
+func New(conn net.Conn, c *Config) net.Conn {
+	//set defaults
+	if len(c.Salt) == 0 {
+		c.Salt = DefaultSalt
+	}
+	if c.Iterations == 0 {
+		c.Iterations = DefaultIterations
+	}
+	if c.KeySize != 16 && c.KeySize != 24 && c.KeySize != 32 {
+		c.KeySize = DefaultKeySize
+	}
+	if c.HashFunc == nil {
+		c.HashFunc = DefaultHashFunc
+	}
+
+	//generate key
+	key := pbkdf2.Key([]byte(c.Password), c.Salt, c.Iterations, c.KeySize, c.HashFunc)
+
+	// could use scrypt, but it's a bit slow...
+	// dk, err := scrypt.Key([]byte(c.Password), c.Salt, 16384, 8, 1, 32)
+
+	//key will be always be the correct size so this will never error
+	conn, _ = NewFromKey(conn, key)
+	return conn
+}
+
+//NewFromKey creates an AES encrypted net.Conn using the provided key
+func NewFromKey(conn net.Conn, key []byte) (net.Conn, error) {
+	block, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return nil, err
+	}
+	//hash(key) -> read IV
+	riv := DefaultHashFunc().Sum(key)
+	rstream := cipher.NewCFBDecrypter(block, riv[:aes.BlockSize])
+	reader := &cipher.StreamReader{S: rstream, R: conn}
+	//hash(read IV) -> write IV
+	wiv := DefaultHashFunc().Sum(riv)
+	wstream := cipher.NewCFBEncrypter(block, wiv[:aes.BlockSize])
+	writer := &cipher.StreamWriter{S: wstream, W: conn}
+
+	return &cryptoConn{
+		Conn: conn,
+		r:    reader,
+		w:    writer,
+	}, nil
+}
+
+type cryptoConn struct {
+	net.Conn
+	r io.Reader
+	w io.Writer
+}
+
+//replace read and write methods
+func (c *cryptoConn) Read(p []byte) (int, error) {
+	return c.r.Read(p)
+}
+func (c *cryptoConn) Write(p []byte) (int, error) {
+	return c.w.Write(p)
+}
--- a/utils/functions.go
+++ b/utils/functions.go
@ -12,25 +12,27 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"math/rand"
 	"net"
 	"net/http"
 	"os"
 	"os/exec"
-	"snail007/proxy/services/kcpcfg"
+
+	"github.com/snail007/goproxy/services/kcpcfg"

 	"golang.org/x/crypto/pbkdf2"

-	"snail007/proxy/utils/id"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/snail007/goproxy/utils/id"
+
 	kcp "github.com/xtaci/kcp-go"
 )

-func IoBind(dst io.ReadWriteCloser, src io.ReadWriteCloser, fn func(err interface{})) {
+func IoBind(dst io.ReadWriteCloser, src io.ReadWriteCloser, fn func(err interface{}), log *logger.Logger) {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
@ -68,11 +70,14 @@ func IoBind(dst io.ReadWriteCloser, src io.ReadWriteCloser, fn func(err interfac
 		}
 		src.Close()
 		dst.Close()
+		if fn != nil {
 			fn(err)
+		}
 	}()
 }
 func ioCopy(dst io.ReadWriter, src io.ReadWriter) (err error) {
-	buf := make([]byte, 32*1024)
+	buf := LeakyBuffer.Get()
+	defer LeakyBuffer.Put(buf)
 	n := 0
 	for {
 		n, err = src.Read(buf)
@ -171,33 +176,6 @@ func ConnectKCPHost(hostAndPort string, config kcpcfg.KCPConfigArgs) (conn net.C
 	return NewCompStream(kcpconn), err
 }

-func ListenTls(ip string, port int, certBytes, keyBytes, caCertBytes []byte) (ln *net.Listener, err error) {
-
-	var cert tls.Certificate
-	cert, err = tls.X509KeyPair(certBytes, keyBytes)
-	if err != nil {
-		return
-	}
-	clientCertPool := x509.NewCertPool()
-	caBytes := certBytes
-	if caCertBytes != nil {
-		caBytes = caCertBytes
-	}
-	ok := clientCertPool.AppendCertsFromPEM(caBytes)
-	if !ok {
-		err = errors.New("failed to parse root certificate")
-	}
-	config := &tls.Config{
-		ClientCAs:    clientCertPool,
-		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-	_ln, err := tls.Listen("tcp", fmt.Sprintf("%s:%d", ip, port), config)
-	if err == nil {
-		ln = &_ln
-	}
-	return
-}
 func PathExists(_path string) bool {
 	_, err := os.Stat(_path)
 	if err != nil && os.IsNotExist(err) {
@ -245,7 +223,7 @@ func Keygen() (err error) {
 		cmd := exec.Command("sh", "-c", "openssl genrsa -out ca.key 2048")
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}
 		fmt.Println(string(out))
@ -254,7 +232,7 @@ func Keygen() (err error) {
 		cmd = exec.Command("sh", "-c", cmdStr)
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}
 		fmt.Println(string(out))
@ -273,7 +251,7 @@ func Keygen() (err error) {
 		cmd := exec.Command("sh", "-c", "openssl genrsa -out "+name+".key 2048")
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}
 		fmt.Println(string(out))
@ -283,7 +261,7 @@ func Keygen() (err error) {
 		cmd = exec.Command("sh", "-c", cmdStr)
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}
 		fmt.Println(string(out))
@ -293,7 +271,7 @@ func Keygen() (err error) {
 		cmd = exec.Command("sh", "-c", cmdStr)
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}

@ -307,7 +285,7 @@ proxy keygen ca client0 30 //generate client0.crt client0.key and use ca.crt sig
 		cmd := exec.Command("sh", "-c", "openssl genrsa -out proxy.key 2048")
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}
 		fmt.Println(string(out))
@ -316,7 +294,7 @@ proxy keygen ca client0 30 //generate client0.crt client0.key and use ca.crt sig
 		cmd = exec.Command("sh", "-c", cmdStr)
 		out, err = cmd.CombinedOutput()
 		if err != nil {
-			log.Printf("err:%s", err)
+			logger.Printf("err:%s", err)
 			return
 		}
 		fmt.Println(string(out))
@ -524,15 +502,15 @@ func SubBytes(bytes []byte, start, end int) []byte {
 	}
 	return bytes[start:end]
 }
-func TlsBytes(cert, key string) (certBytes, keyBytes []byte) {
-	certBytes, err := ioutil.ReadFile(cert)
+func TlsBytes(cert, key string) (certBytes, keyBytes []byte, err error) {
+	certBytes, err = ioutil.ReadFile(cert)
 	if err != nil {
-		log.Fatalf("err : %s", err)
+		err = fmt.Errorf("err : %s", err)
 		return
 	}
 	keyBytes, err = ioutil.ReadFile(key)
 	if err != nil {
-		log.Fatalf("err : %s", err)
+		err = fmt.Errorf("err : %s", err)
 		return
 	}
 	return
@ -601,9 +579,23 @@ func HttpGet(URL string, timeout int, host ...string) (body []byte, code int, er
 	body, err = ioutil.ReadAll(resp.Body)
 	return
 }
-func IsIternalIP(domainOrIP string) bool {
+func IsIternalIP(domainOrIP string, always bool) bool {
 	var outIPs []net.IP
-	outIPs, err := net.LookupIP(domainOrIP)
+	var err error
+	var isDomain bool
+	if net.ParseIP(domainOrIP) == nil {
+		isDomain = true
+	}
+	if always && isDomain {
+		return false
+	}
+
+	if isDomain {
+		outIPs, err = net.LookupIP(domainOrIP)
+	} else {
+		outIPs = []net.IP{net.ParseIP(domainOrIP)}
+	}
+
 	if err != nil {
 		return false
 	}
@ -624,6 +616,53 @@ func IsIternalIP(domainOrIP string) bool {
 	}
 	return false
 }
+func IsHTTP(head []byte) bool {
+	keys := []string{"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
+	for _, key := range keys {
+		if bytes.HasPrefix(head, []byte(key)) || bytes.HasPrefix(head, []byte(strings.ToLower(key))) {
+			return true
+		}
+	}
+	return false
+}
+func IsSocks5(head []byte) bool {
+	if len(head) < 3 {
+		return false
+	}
+	if head[0] == uint8(0x05) && 0 < int(head[1]) && int(head[1]) < 255 {
+		if len(head) == 2+int(head[1]) {
+			return true
+		}
+	}
+	return false
+}
+func RemoveProxyHeaders(head []byte) []byte {
+	newLines := [][]byte{}
+	var keys = map[string]bool{}
+	lines := bytes.Split(head, []byte("\r\n"))
+	IsBody := false
+	for _, line := range lines {
+		if len(line) == 0 || IsBody {
+			newLines = append(newLines, line)
+			IsBody = true
+		} else {
+			hline := bytes.SplitN(line, []byte(":"), 2)
+			if len(hline) != 2 {
+				continue
+			}
+			k := strings.ToUpper(string(hline[0]))
+			if _, ok := keys[k]; ok || strings.HasPrefix(k, "PROXY-") {
+				continue
+			}
+			keys[k] = true
+			newLines = append(newLines, line)
+		}
+	}
+	return bytes.Join(newLines, []byte("\r\n"))
+}
+func InsertProxyHeaders(head []byte, headers string) []byte {
+	return bytes.Replace(head, []byte("\r\n"), []byte("\r\n"+headers), 1)
+}

 // type sockaddr struct {
 // 	family uint16
--- a/utils/leakybuf.go
+++ b/utils/leakybuf.go
@ -0,0 +1,45 @@
+// Provides leaky buffer, based on the example in Effective Go.
+package utils
+
+type LeakyBuf struct {
+	bufSize  int // size of each buffer
+	freeList chan []byte
+}
+
+const LeakyBufSize = 2048 // data.len(2) + hmacsha1(10) + data(4096)
+const maxNBuf = 2048
+
+var LeakyBuffer = NewLeakyBuf(maxNBuf, LeakyBufSize)
+
+// NewLeakyBuf creates a leaky buffer which can hold at most n buffer, each
+// with bufSize bytes.
+func NewLeakyBuf(n, bufSize int) *LeakyBuf {
+	return &LeakyBuf{
+		bufSize:  bufSize,
+		freeList: make(chan []byte, n),
+	}
+}
+
+// Get returns a buffer from the leaky buffer or create a new buffer.
+func (lb *LeakyBuf) Get() (b []byte) {
+	select {
+	case b = <-lb.freeList:
+	default:
+		b = make([]byte, lb.bufSize)
+	}
+	return
+}
+
+// Put add the buffer into the free buffer pool for reuse. Panic if the buffer
+// size is not the same with the leaky buffer's. This is intended to expose
+// error usage of leaky buffer.
+func (lb *LeakyBuf) Put(b []byte) {
+	if len(b) != lb.bufSize {
+		panic("invalid buffer size that's put into leaky buffer")
+	}
+	select {
+	case lb.freeList <- b:
+	default:
+	}
+	return
+}
--- a/utils/pool.go
+++ b/utils/pool.go
@ -1,145 +0,0 @@
-package utils
-
-import (
-	"log"
-	"sync"
-	"time"
-)
-
-//ConnPool to use
-type ConnPool interface {
-	Get() (conn interface{}, err error)
-	Put(conn interface{})
-	ReleaseAll()
-	Len() (length int)
-}
-type poolConfig struct {
-	Factory    func() (interface{}, error)
-	IsActive   func(interface{}) bool
-	Release    func(interface{})
-	InitialCap int
-	MaxCap     int
-}
-
-func NewConnPool(poolConfig poolConfig) (pool ConnPool, err error) {
-	p := netPool{
-		config: poolConfig,
-		conns:  make(chan interface{}, poolConfig.MaxCap),
-		lock:   &sync.Mutex{},
-	}
-	//log.Printf("pool MaxCap:%d", poolConfig.MaxCap)
-	if poolConfig.MaxCap > 0 {
-		err = p.initAutoFill(false)
-		if err == nil {
-			p.initAutoFill(true)
-		}
-	}
-	return &p, nil
-}
-
-type netPool struct {
-	conns  chan interface{}
-	lock   *sync.Mutex
-	config poolConfig
-}
-
-func (p *netPool) initAutoFill(async bool) (err error) {
-	var worker = func() (err error) {
-		for {
-			//log.Printf("pool fill: %v , len: %d", p.Len() <= p.config.InitialCap/2, p.Len())
-			if p.Len() <= p.config.InitialCap/2 {
-				p.lock.Lock()
-				errN := 0
-				for i := 0; i < p.config.InitialCap; i++ {
-					c, err := p.config.Factory()
-					if err != nil {
-						errN++
-						if async {
-							continue
-						} else {
-							p.lock.Unlock()
-							return err
-						}
-					}
-					select {
-					case p.conns <- c:
-					default:
-						p.config.Release(c)
-						break
-					}
-					if p.Len() >= p.config.InitialCap {
-						break
-					}
-				}
-				if errN > 0 {
-					log.Printf("fill conn pool fail , ERRN:%d", errN)
-				}
-				p.lock.Unlock()
-			}
-			if !async {
-				return
-			}
-			time.Sleep(time.Second * 2)
-		}
-	}
-	if async {
-		go worker()
-	} else {
-		err = worker()
-	}
-	return
-
-}
-
-func (p *netPool) Get() (conn interface{}, err error) {
-	// defer func() {
-	// 	log.Printf("pool len : %d", p.Len())
-	// }()
-	p.lock.Lock()
-	defer p.lock.Unlock()
-	// for {
-	select {
-	case conn = <-p.conns:
-		if p.config.IsActive(conn) {
-			return
-		}
-		p.config.Release(conn)
-	default:
-		conn, err = p.config.Factory()
-		if err != nil {
-			return nil, err
-		}
-		return conn, nil
-	}
-	// }
-	return
-}
-
-func (p *netPool) Put(conn interface{}) {
-	if conn == nil {
-		return
-	}
-	p.lock.Lock()
-	defer p.lock.Unlock()
-	if !p.config.IsActive(conn) {
-		p.config.Release(conn)
-	}
-	select {
-	case p.conns <- conn:
-	default:
-		p.config.Release(conn)
-	}
-}
-func (p *netPool) ReleaseAll() {
-	p.lock.Lock()
-	defer p.lock.Unlock()
-	close(p.conns)
-	for c := range p.conns {
-		p.config.Release(c)
-	}
-	p.conns = make(chan interface{}, p.config.InitialCap)
-
-}
-func (p *netPool) Len() (length int) {
-	return len(p.conns)
-}
--- a/utils/serve-channel.go
+++ b/utils/serve-channel.go
@ -1,13 +1,17 @@
 package utils

 import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"fmt"
-	"log"
+	logger "log"
 	"net"
 	"runtime/debug"
-	"snail007/proxy/services/kcpcfg"
 	"strconv"

+	"github.com/snail007/goproxy/services/kcpcfg"
+
 	kcp "github.com/xtaci/kcp-go"
 )

@ -17,23 +21,26 @@ type ServerChannel struct {
 	Listener         *net.Listener
 	UDPListener      *net.UDPConn
 	errAcceptHandler func(err error)
+	log              *logger.Logger
 }

-func NewServerChannel(ip string, port int) ServerChannel {
+func NewServerChannel(ip string, port int, log *logger.Logger) ServerChannel {
 	return ServerChannel{
 		ip:   ip,
 		port: port,
+		log:  log,
 		errAcceptHandler: func(err error) {
-			fmt.Printf("accept error , ERR:%s", err)
+			log.Printf("accept error , ERR:%s", err)
 		},
 	}
 }
-func NewServerChannelHost(host string) ServerChannel {
+func NewServerChannelHost(host string, log *logger.Logger) ServerChannel {
 	h, port, _ := net.SplitHostPort(host)
 	p, _ := strconv.Atoi(port)
 	return ServerChannel{
 		ip:   h,
 		port: p,
+		log:  log,
 		errAcceptHandler: func(err error) {
 			log.Printf("accept error , ERR:%s", err)
 		},
@ -43,12 +50,12 @@ func (sc *ServerChannel) SetErrAcceptHandler(fn func(err error)) {
 	sc.errAcceptHandler = fn
 }
 func (sc *ServerChannel) ListenTls(certBytes, keyBytes, caCertBytes []byte, fn func(conn net.Conn)) (err error) {
-	sc.Listener, err = ListenTls(sc.ip, sc.port, certBytes, keyBytes, caCertBytes)
+	sc.Listener, err = sc.listenTls(sc.ip, sc.port, certBytes, keyBytes, caCertBytes)
 	if err == nil {
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenTls crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenTls crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -58,7 +65,7 @@ func (sc *ServerChannel) ListenTls(certBytes, keyBytes, caCertBytes []byte, fn f
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("tls connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("tls connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						fn(conn)
@ -73,7 +80,33 @@ func (sc *ServerChannel) ListenTls(certBytes, keyBytes, caCertBytes []byte, fn f
 	}
 	return
 }
+func (sc *ServerChannel) listenTls(ip string, port int, certBytes, keyBytes, caCertBytes []byte) (ln *net.Listener, err error) {

+	var cert tls.Certificate
+	cert, err = tls.X509KeyPair(certBytes, keyBytes)
+	if err != nil {
+		return
+	}
+	clientCertPool := x509.NewCertPool()
+	caBytes := certBytes
+	if caCertBytes != nil {
+		caBytes = caCertBytes
+	}
+	ok := clientCertPool.AppendCertsFromPEM(caBytes)
+	if !ok {
+		err = errors.New("failed to parse root certificate")
+	}
+	config := &tls.Config{
+		ClientCAs:    clientCertPool,
+		Certificates: []tls.Certificate{cert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+	_ln, err := tls.Listen("tcp", fmt.Sprintf("%s:%d", ip, port), config)
+	if err == nil {
+		ln = &_ln
+	}
+	return
+}
 func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
 	var l net.Listener
 	l, err = net.Listen("tcp", fmt.Sprintf("%s:%d", sc.ip, sc.port))
@ -82,7 +115,7 @@ func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenTCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenTCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -92,7 +125,7 @@ func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("tcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("tcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						fn(conn)
@ -114,7 +147,7 @@ func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, srcAddr *ne
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenUDP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenUDP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -125,7 +158,7 @@ func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, srcAddr *ne
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("udp data handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("udp data handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						fn(packet, addr, srcAddr)
@ -139,7 +172,7 @@ func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, srcAddr *ne
 	}
 	return
 }
-func (sc *ServerChannel) ListenKCP(config kcpcfg.KCPConfigArgs, fn func(conn net.Conn)) (err error) {
+func (sc *ServerChannel) ListenKCP(config kcpcfg.KCPConfigArgs, fn func(conn net.Conn), log *logger.Logger) (err error) {
 	lis, err := kcp.ListenWithOptions(fmt.Sprintf("%s:%d", sc.ip, sc.port), config.Block, *config.DataShard, *config.ParityShard)
 	if err == nil {
 		if err = lis.SetDSCP(*config.DSCP); err != nil {
@ -159,7 +192,7 @@ func (sc *ServerChannel) ListenKCP(config kcpcfg.KCPConfigArgs, fn func(conn net
 		go func() {
 			defer func() {
 				if e := recover(); e != nil {
-					log.Printf("ListenKCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+					sc.log.Printf("ListenKCP crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 				}
 			}()
 			for {
@ -169,7 +202,7 @@ func (sc *ServerChannel) ListenKCP(config kcpcfg.KCPConfigArgs, fn func(conn net
 					go func() {
 						defer func() {
 							if e := recover(); e != nil {
-								log.Printf("kcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
+								sc.log.Printf("kcp connection handler crashed , err : %s , \ntrace:%s", e, string(debug.Stack()))
 							}
 						}()
 						conn.SetStreamMode(true)
--- a/utils/socks/server.go
+++ b/utils/socks/server.go
@ -2,8 +2,8 @@ package socks

 import (
 	"fmt"
+	"github.com/snail007/goproxy/utils"
 	"net"
-	"snail007/proxy/utils"
 	"strings"
 	"time"
 )
--- a/utils/structs.go
+++ b/utils/structs.go
@ -1,23 +1,24 @@
 package utils

 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
 	"encoding/base64"
-	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
+	logger "log"
 	"net"
 	"net/url"
-	"snail007/proxy/services/kcpcfg"
-	"snail007/proxy/utils/sni"
 	"strings"
 	"sync"
 	"time"

+	"github.com/snail007/goproxy/services/kcpcfg"
+	"github.com/snail007/goproxy/utils/sni"
+
 	"github.com/golang/snappy"
 	"github.com/miekg/dns"
 )
@ -28,6 +29,8 @@ type Checker struct {
 	directMap  ConcurrentMap
 	interval   int64
 	timeout    int
+	isStop     bool
+	log        *logger.Logger
 }
 type CheckerItem struct {
 	IsHTTPS      bool
@ -43,11 +46,13 @@ type CheckerItem struct {
 //NewChecker args:
 //timeout : tcp timeout milliseconds ,connect to host
 //interval: recheck domain interval seconds
-func NewChecker(timeout int, interval int64, blockedFile, directFile string) Checker {
+func NewChecker(timeout int, interval int64, blockedFile, directFile string, log *logger.Logger) Checker {
 	ch := Checker{
 		data:     NewConcurrentMap(),
 		interval: interval,
 		timeout:  timeout,
+		isStop:   false,
+		log:      log,
 	}
 	ch.blockedMap = ch.loadMap(blockedFile)
 	ch.directMap = ch.loadMap(directFile)
@ -69,7 +74,7 @@ func (c *Checker) loadMap(f string) (dataMap ConcurrentMap) {
 	if PathExists(f) {
 		_contents, err := ioutil.ReadFile(f)
 		if err != nil {
-			log.Printf("load file err:%s", err)
+			c.log.Printf("load file err:%s", err)
 			return
 		}
 		for _, line := range strings.Split(string(_contents), "\n") {
@ -81,6 +86,9 @@ func (c *Checker) loadMap(f string) (dataMap ConcurrentMap) {
 	}
 	return
 }
+func (c *Checker) Stop() {
+	c.isStop = true
+}
 func (c *Checker) start() {
 	go func() {
 		//log.Printf("checker started")
@ -107,6 +115,9 @@ func (c *Checker) start() {
 				}(v.(CheckerItem))
 			}
 			time.Sleep(time.Second * time.Duration(c.interval))
+			if c.isStop {
+				return
+			}
 		}
 	}()
 }
@ -142,7 +153,7 @@ func (c *Checker) IsBlocked(address string) (blocked bool, failN, successN uint)
 func (c *Checker) domainIsInMap(address string, blockedMap bool) bool {
 	u, err := url.Parse("http://" + address)
 	if err != nil {
-		log.Printf("blocked check , url parse err:%s", err)
+		c.log.Printf("blocked check , url parse err:%s", err)
 		return true
 	}
 	domainSlice := strings.Split(u.Hostname(), ".")
@ -180,12 +191,14 @@ type BasicAuth struct {
 	authTimeout int
 	authRetry   int
 	dns         *DomainResolver
+	log         *logger.Logger
 }

-func NewBasicAuth(dns *DomainResolver) BasicAuth {
+func NewBasicAuth(dns *DomainResolver, log *logger.Logger) BasicAuth {
 	return BasicAuth{
 		data: NewConcurrentMap(),
 		dns:  dns,
+		log:  log,
 	}
 }
 func (ba *BasicAuth) SetAuthURL(URL string, code, timeout, retry int) {
@ -238,7 +251,7 @@ func (ba *BasicAuth) Check(userpass string, ip, target string) (ok bool) {
 			if err == nil {
 				return true
 			}
-			log.Printf("%s", err)
+			ba.log.Printf("%s", err)
 		}
 		return false
 	}
@ -280,10 +293,14 @@ func (ba *BasicAuth) checkFromURL(userpass, ip, target string) (err error) {
 			} else {
 				err = fmt.Errorf("token error")
 			}
-			err = fmt.Errorf("auth fail from url %s,resonse code: %d, except: %d , %s , %s", URL, code, ba.authOkCode, ip, string(body))
+			b := string(body)
+			if len(b) > 50 {
+				b = b[:50]
+			}
+			err = fmt.Errorf("auth fail from url %s,resonse code: %d, except: %d , %s , %s", URL, code, ba.authOkCode, ip, b)
 		}
 		if err != nil && tryCount < ba.authRetry {
-			log.Print(err)
+			ba.log.Print(err)
 			time.Sleep(time.Second * 2)
 		}
 		tryCount++
@ -309,13 +326,15 @@ type HTTPRequest struct {
 	hostOrURL   string
 	isBasicAuth bool
 	basicAuth   *BasicAuth
+	log         *logger.Logger
 }

-func NewHTTPRequest(inConn *net.Conn, bufSize int, isBasicAuth bool, basicAuth *BasicAuth, header ...[]byte) (req HTTPRequest, err error) {
+func NewHTTPRequest(inConn *net.Conn, bufSize int, isBasicAuth bool, basicAuth *BasicAuth, log *logger.Logger, header ...[]byte) (req HTTPRequest, err error) {
 	buf := make([]byte, bufSize)
 	n := 0
 	req = HTTPRequest{
 		conn: inConn,
+		log:  log,
 	}
 	if header != nil && len(header) == 1 && len(header[0]) > 1 {
 		buf = header[0]
@ -408,7 +427,7 @@ func (req *HTTPRequest) GetAuthDataStr() (basicInfo string, err error) {

 	authorization = strings.Trim(authorization, " \r\n\t")
 	if authorization == "" {
-		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Unauthorized\r\nWWW-Authenticate: Basic realm=\"\"\r\n\r\nUnauthorized", "407")
+		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"\"\r\n\r\nProxy Authentication Required", "407")
 		CloseConn(req.conn)
 		err = errors.New("require auth header data")
 		return
@ -444,7 +463,7 @@ func (req *HTTPRequest) BasicAuth() (err error) {
 	authOk := (*req.basicAuth).Check(string(user), addr[0], URL)
 	//log.Printf("auth %s,%v", string(user), authOk)
 	if !authOk {
-		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Unauthorized\r\n\r\nUnauthorized", "407")
+		fmt.Fprintf((*req.conn), "HTTP/1.1 %s Proxy Authentication Required\r\n\r\nProxy Authentication Required", "407")
 		CloseConn(req.conn)
 		err = fmt.Errorf("basic auth fail")
 		return
@ -467,10 +486,10 @@ func (req *HTTPRequest) getHeader(key string) (val string) {
 	lines := strings.Split(string(req.HeadBuf), "\r\n")
 	//log.Println(lines)
 	for _, line := range lines {
-		line := strings.SplitN(strings.Trim(line, "\r\n "), ":", 2)
-		if len(line) == 2 {
-			k := strings.ToUpper(strings.Trim(line[0], " "))
-			v := strings.Trim(line[1], " ")
+		hline := strings.SplitN(strings.Trim(line, "\r\n "), ":", 2)
+		if len(hline) == 2 {
+			k := strings.ToUpper(strings.Trim(hline[0], " "))
+			v := strings.Trim(hline[1], " ")
 			if key == k {
 				val = v
 				return
@ -494,8 +513,7 @@ func (req *HTTPRequest) addPortIfNot() (newHost string) {
 	return
 }

-type OutPool struct {
-	Pool        ConnPool
+type OutConn struct {
 	dur         int
 	typ         string
 	certBytes   []byte
@ -506,8 +524,8 @@ type OutPool struct {
 	timeout     int
 }

-func NewOutPool(dur int, typ string, kcp kcpcfg.KCPConfigArgs, certBytes, keyBytes, caCertBytes []byte, address string, timeout int, InitialCap int, MaxCap int) (op OutPool) {
-	op = OutPool{
+func NewOutConn(dur int, typ string, kcp kcpcfg.KCPConfigArgs, certBytes, keyBytes, caCertBytes []byte, address string, timeout int) (op OutConn) {
+	return OutConn{
 		dur:         dur,
 		typ:         typ,
 		certBytes:   certBytes,
@ -517,36 +535,8 @@ func NewOutPool(dur int, typ string, kcp kcpcfg.KCPConfigArgs, certBytes, keyByt
 		address:     address,
 		timeout:     timeout,
 	}
-	var err error
-	op.Pool, err = NewConnPool(poolConfig{
-		IsActive: func(conn interface{}) bool { return true },
-		Release: func(conn interface{}) {
-			if conn != nil {
-				conn.(net.Conn).SetDeadline(time.Now().Add(time.Millisecond))
-				conn.(net.Conn).Close()
-				// log.Println("conn released")
 }
-		},
-		InitialCap: InitialCap,
-		MaxCap:     MaxCap,
-		Factory: func() (conn interface{}, err error) {
-			conn, err = op.getConn()
-			return
-		},
-	})
-	if err != nil {
-		log.Fatalf("init conn pool fail ,%s", err)
-	} else {
-		if InitialCap > 0 {
-			log.Printf("init conn pool success")
-			op.initPoolDeamon()
-		} else {
-			log.Printf("conn pool closed")
-		}
-	}
-	return
-}
-func (op *OutPool) getConn() (conn interface{}, err error) {
+func (op *OutConn) Get() (conn net.Conn, err error) {
 	if op.typ == "tls" {
 		var _conn tls.Conn
 		_conn, err = TlsConnectHost(op.address, op.timeout, op.certBytes, op.keyBytes, op.caCertBytes)
@ -561,185 +551,17 @@ func (op *OutPool) getConn() (conn interface{}, err error) {
 	return
 }

-func (op *OutPool) initPoolDeamon() {
-	go func() {
-		if op.dur <= 0 {
-			return
-		}
-		log.Printf("pool deamon started")
-		for {
-			time.Sleep(time.Second * time.Duration(op.dur))
-			conn, err := op.getConn()
-			if err != nil {
-				log.Printf("pool deamon err %s , release pool", err)
-				op.Pool.ReleaseAll()
-			} else {
-				conn.(net.Conn).SetDeadline(time.Now().Add(time.Millisecond))
-				conn.(net.Conn).Close()
-			}
-		}
-	}()
-}
-
-type HeartbeatData struct {
-	Data  []byte
-	N     int
-	Error error
-}
-type HeartbeatReadWriter struct {
-	conn *net.Conn
-	// rchn       chan HeartbeatData
-	l          *sync.Mutex
-	dur        int
-	errHandler func(err error, hb *HeartbeatReadWriter)
-	once       *sync.Once
-	datachn    chan byte
-	// rbuf       bytes.Buffer
-	// signal     chan bool
-	rerrchn chan error
-}
-
-func NewHeartbeatReadWriter(conn *net.Conn, dur int, fn func(err error, hb *HeartbeatReadWriter)) (hrw HeartbeatReadWriter) {
-	hrw = HeartbeatReadWriter{
-		conn: conn,
-		l:    &sync.Mutex{},
-		dur:  dur,
-		// rchn:       make(chan HeartbeatData, 10000),
-		// signal:     make(chan bool, 1),
-		errHandler: fn,
-		datachn:    make(chan byte, 4*1024),
-		once:       &sync.Once{},
-		rerrchn:    make(chan error, 1),
-		// rbuf:       bytes.Buffer{},
-	}
-	hrw.heartbeat()
-	hrw.reader()
-	return
-}
-
-func (rw *HeartbeatReadWriter) Close() {
-	CloseConn(rw.conn)
-}
-func (rw *HeartbeatReadWriter) reader() {
-	go func() {
-		//log.Printf("heartbeat read started")
-		for {
-			n, data, err := rw.read()
-			if n == -1 {
-				continue
-			}
-			//log.Printf("n:%d , data:%s ,err:%s", n, string(data), err)
-			if err == nil {
-				//fmt.Printf("write data %s\n", string(data))
-				for _, b := range data {
-					rw.datachn <- b
-				}
-			}
-			if err != nil {
-				//log.Printf("heartbeat reader err: %s", err)
-				select {
-				case rw.rerrchn <- err:
-				default:
-				}
-				rw.once.Do(func() {
-					rw.errHandler(err, rw)
-				})
-				break
-			}
-		}
-		//log.Printf("heartbeat read exited")
-	}()
-}
-func (rw *HeartbeatReadWriter) read() (n int, data []byte, err error) {
-	var typ uint8
-	err = binary.Read((*rw.conn), binary.LittleEndian, &typ)
-	if err != nil {
-		return
-	}
-	if typ == 0 {
-		// log.Printf("heartbeat revecived")
-		n = -1
-		return
-	}
-	var dataLength uint32
-	binary.Read((*rw.conn), binary.LittleEndian, &dataLength)
-	_data := make([]byte, dataLength)
-	// log.Printf("dataLength:%d , data:%s", dataLength, string(data))
-	n, err = (*rw.conn).Read(_data)
-	//log.Printf("n:%d , data:%s ,err:%s", n, string(data), err)
-	if err != nil {
-		return
-	}
-	if uint32(n) != dataLength {
-		err = fmt.Errorf("read short data body")
-		return
-	}
-	data = _data[:n]
-	return
-}
-func (rw *HeartbeatReadWriter) heartbeat() {
-	go func() {
-		//log.Printf("heartbeat started")
-		for {
-			if rw.conn == nil || *rw.conn == nil {
-				//log.Printf("heartbeat err: conn nil")
-				break
-			}
-			rw.l.Lock()
-			_, err := (*rw.conn).Write([]byte{0})
-			rw.l.Unlock()
-			if err != nil {
-				//log.Printf("heartbeat err: %s", err)
-				rw.once.Do(func() {
-					rw.errHandler(err, rw)
-				})
-				break
-			} else {
-				// log.Printf("heartbeat send ok")
-			}
-			time.Sleep(time.Second * time.Duration(rw.dur))
-		}
-		//log.Printf("heartbeat exited")
-	}()
-}
-func (rw *HeartbeatReadWriter) Read(p []byte) (n int, err error) {
-	data := make([]byte, cap(p))
-	for i := 0; i < cap(p); i++ {
-		data[i] = <-rw.datachn
-		n++
-		//fmt.Printf("read  %d %v\n", i, data[:n])
-		if len(rw.datachn) == 0 {
-			n = i + 1
-			copy(p, data[:n])
-			return
-		}
-	}
-	return
-}
-func (rw *HeartbeatReadWriter) Write(p []byte) (n int, err error) {
-	defer rw.l.Unlock()
-	rw.l.Lock()
-	pkg := new(bytes.Buffer)
-	binary.Write(pkg, binary.LittleEndian, uint8(1))
-	binary.Write(pkg, binary.LittleEndian, uint32(len(p)))
-	binary.Write(pkg, binary.LittleEndian, p)
-	bs := pkg.Bytes()
-	n, err = (*rw.conn).Write(bs)
-	if err == nil {
-		n = len(p)
-	}
-	return
-}
-
 type ConnManager struct {
 	pool ConcurrentMap
 	l    *sync.Mutex
+	log  *logger.Logger
 }

-func NewConnManager() ConnManager {
+func NewConnManager(log *logger.Logger) ConnManager {
 	cm := ConnManager{
 		pool: NewConcurrentMap(),
 		l:    &sync.Mutex{},
+		log:  log,
 	}
 	return cm
 }
@ -756,7 +578,7 @@ func (cm *ConnManager) Add(key, ID string, conn *net.Conn) {
 			(*v.(*net.Conn)).Close()
 		}
 		conns.Set(ID, conn)
-		log.Printf("%s conn added", key)
+		cm.log.Printf("%s conn added", key)
 		return conns
 	})
 }
@ -767,7 +589,7 @@ func (cm *ConnManager) Remove(key string) {
 		conns.IterCb(func(key string, v interface{}) {
 			CloseConn(v.(*net.Conn))
 		})
-		log.Printf("%s conns closed", key)
+		cm.log.Printf("%s conns closed", key)
 	}
 	cm.pool.Remove(key)
 }
@ -782,7 +604,7 @@ func (cm *ConnManager) RemoveOne(key string, ID string) {
 			(*v.(*net.Conn)).Close()
 			conns.Remove(ID)
 			cm.pool.Set(key, conns)
-			log.Printf("%s %s conn closed", key, ID)
+			cm.log.Printf("%s %s conn closed", key, ID)
 		}
 	}
 }
@ -838,6 +660,7 @@ type DomainResolver struct {
 	ttl         int
 	dnsAddrress string
 	data        ConcurrentMap
+	log         *logger.Logger
 }
 type DomainResolverItem struct {
 	ip        string
@ -845,12 +668,12 @@ type DomainResolverItem struct {
 	expiredAt int64
 }

-func NewDomainResolver(dnsAddrress string, ttl int) DomainResolver {
-
+func NewDomainResolver(dnsAddrress string, ttl int, log *logger.Logger) DomainResolver {
 	return DomainResolver{
 		ttl:         ttl,
 		dnsAddrress: dnsAddrress,
 		data:        NewConcurrentMap(),
+		log:         log,
 	}
 }
 func (a *DomainResolver) MustResolve(address string) (ip string) {
@ -865,7 +688,7 @@ func (a *DomainResolver) Resolve(address string) (ip string, err error) {
 		if port != "" {
 			ip = net.JoinHostPort(ip, port)
 		}
-		log.Printf("dns:%s->%s,cache:%s", address, ip, fromCache)
+		a.log.Printf("dns:%s->%s,cache:%s", address, ip, fromCache)
 		//a.PrintData()
 	}()
 	if strings.Contains(domain, ":") {
@ -927,7 +750,7 @@ func (a *DomainResolver) Resolve(address string) (ip string, err error) {
 func (a *DomainResolver) PrintData() {
 	for k, item := range a.data.Items() {
 		d := item.(*DomainResolverItem)
-		fmt.Printf("%s:ip[%s],domain[%s],expired at[%d]\n", k, (*d).ip, (*d).domain, (*d).expiredAt)
+		a.log.Printf("%s:ip[%s],domain[%s],expired at[%d]\n", k, (*d).ip, (*d).domain, (*d).expiredAt)
 	}
 }
 func NewCompStream(conn net.Conn) *CompStream {
@ -937,8 +760,16 @@ func NewCompStream(conn net.Conn) *CompStream {
 	c.r = snappy.NewReader(conn)
 	return c
 }
+func NewCompConn(conn net.Conn) net.Conn {
+	c := CompStream{}
+	c.conn = conn
+	c.w = snappy.NewBufferedWriter(conn)
+	c.r = snappy.NewReader(conn)
+	return &c
+}

 type CompStream struct {
+	net.Conn
 	conn net.Conn
 	w    *snappy.Writer
 	r    *snappy.Reader
@ -972,3 +803,33 @@ func (c *CompStream) SetReadDeadline(t time.Time) error {
 func (c *CompStream) SetWriteDeadline(t time.Time) error {
 	return c.conn.SetWriteDeadline(t)
 }
+
+type BufferedConn struct {
+	r        *bufio.Reader
+	net.Conn // So that most methods are embedded
+}
+
+func NewBufferedConn(c net.Conn) BufferedConn {
+	return BufferedConn{bufio.NewReader(c), c}
+}
+
+func NewBufferedConnSize(c net.Conn, n int) BufferedConn {
+	return BufferedConn{bufio.NewReaderSize(c, n), c}
+}
+
+func (b BufferedConn) Peek(n int) ([]byte, error) {
+	return b.r.Peek(n)
+}
+
+func (b BufferedConn) Read(p []byte) (int, error) {
+	return b.r.Read(p)
+}
+func (b BufferedConn) ReadByte() (byte, error) {
+	return b.r.ReadByte()
+}
+func (b BufferedConn) UnreadByte() error {
+	return b.r.UnreadByte()
+}
+func (b BufferedConn) Buffered() int {
+	return b.r.Buffered()
+}
--- a/vendor/github.com/Yawning/chacha20/LICENSE
+++ b/vendor/github.com/Yawning/chacha20/LICENSE
@ -0,0 +1,122 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
+
--- a/vendor/github.com/Yawning/chacha20/README.md
+++ b/vendor/github.com/Yawning/chacha20/README.md
@ -0,0 +1,14 @@
+### chacha20 - ChaCha20
+#### Yawning Angel (yawning at schwanenlied dot me)
+
+Yet another Go ChaCha20 implementation.  Everything else I found  was slow,
+didn't support all the variants I need to use, or relied on cgo to go fast.
+
+Features:
+
+ * 20 round, 256 bit key only.  Everything else is pointless and stupid.
+ * IETF 96 bit nonce variant.
+ * XChaCha 24 byte nonce variant.
+ * SSE2 and AVX2 support on amd64 targets.
+ * Incremental encrypt/decrypt support, unlike golang.org/x/crypto/salsa20.
+
--- a/vendor/github.com/Yawning/chacha20/chacha20.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20.go
@ -0,0 +1,273 @@
+// chacha20.go - A ChaCha stream cipher implementation.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+package chacha20
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+	"math"
+	"runtime"
+)
+
+const (
+	// KeySize is the ChaCha20 key size in bytes.
+	KeySize = 32
+
+	// NonceSize is the ChaCha20 nonce size in bytes.
+	NonceSize = 8
+
+	// INonceSize is the IETF ChaCha20 nonce size in bytes.
+	INonceSize = 12
+
+	// XNonceSize is the XChaCha20 nonce size in bytes.
+	XNonceSize = 24
+
+	// HNonceSize is the HChaCha20 nonce size in bytes.
+	HNonceSize = 16
+
+	// BlockSize is the ChaCha20 block size in bytes.
+	BlockSize = 64
+
+	stateSize    = 16
+	chachaRounds = 20
+
+	// The constant "expand 32-byte k" as little endian uint32s.
+	sigma0 = uint32(0x61707865)
+	sigma1 = uint32(0x3320646e)
+	sigma2 = uint32(0x79622d32)
+	sigma3 = uint32(0x6b206574)
+)
+
+var (
+	// ErrInvalidKey is the error returned when the key is invalid.
+	ErrInvalidKey = errors.New("key length must be KeySize bytes")
+
+	// ErrInvalidNonce is the error returned when the nonce is invalid.
+	ErrInvalidNonce = errors.New("nonce length must be NonceSize/INonceSize/XNonceSize bytes")
+
+	// ErrInvalidCounter is the error returned when the counter is invalid.
+	ErrInvalidCounter = errors.New("block counter is invalid (out of range)")
+
+	useUnsafe    = false
+	usingVectors = false
+	blocksFn     = blocksRef
+)
+
+// A Cipher is an instance of ChaCha20/XChaCha20 using a particular key and
+// nonce.
+type Cipher struct {
+	state [stateSize]uint32
+
+	buf  [BlockSize]byte
+	off  int
+	ietf bool
+}
+
+// Reset zeros the key data so that it will no longer appear in the process's
+// memory.
+func (c *Cipher) Reset() {
+	for i := range c.state {
+		c.state[i] = 0
+	}
+	for i := range c.buf {
+		c.buf[i] = 0
+	}
+}
+
+// XORKeyStream sets dst to the result of XORing src with the key stream.  Dst
+// and src may be the same slice but otherwise should not overlap.
+func (c *Cipher) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		src = src[:len(dst)]
+	}
+
+	for remaining := len(src); remaining > 0; {
+		// Process multiple blocks at once.
+		if c.off == BlockSize {
+			nrBlocks := remaining / BlockSize
+			directBytes := nrBlocks * BlockSize
+			if nrBlocks > 0 {
+				blocksFn(&c.state, src, dst, nrBlocks, c.ietf)
+				remaining -= directBytes
+				if remaining == 0 {
+					return
+				}
+				dst = dst[directBytes:]
+				src = src[directBytes:]
+			}
+
+			// If there's a partial block, generate 1 block of keystream into
+			// the internal buffer.
+			blocksFn(&c.state, nil, c.buf[:], 1, c.ietf)
+			c.off = 0
+		}
+
+		// Process partial blocks from the buffered keystream.
+		toXor := BlockSize - c.off
+		if remaining < toXor {
+			toXor = remaining
+		}
+		if toXor > 0 {
+			for i, v := range src[:toXor] {
+				dst[i] = v ^ c.buf[c.off+i]
+			}
+			dst = dst[toXor:]
+			src = src[toXor:]
+
+			remaining -= toXor
+			c.off += toXor
+		}
+	}
+}
+
+// KeyStream sets dst to the raw keystream.
+func (c *Cipher) KeyStream(dst []byte) {
+	for remaining := len(dst); remaining > 0; {
+		// Process multiple blocks at once.
+		if c.off == BlockSize {
+			nrBlocks := remaining / BlockSize
+			directBytes := nrBlocks * BlockSize
+			if nrBlocks > 0 {
+				blocksFn(&c.state, nil, dst, nrBlocks, c.ietf)
+				remaining -= directBytes
+				if remaining == 0 {
+					return
+				}
+				dst = dst[directBytes:]
+			}
+
+			// If there's a partial block, generate 1 block of keystream into
+			// the internal buffer.
+			blocksFn(&c.state, nil, c.buf[:], 1, c.ietf)
+			c.off = 0
+		}
+
+		// Process partial blocks from the buffered keystream.
+		toCopy := BlockSize - c.off
+		if remaining < toCopy {
+			toCopy = remaining
+		}
+		if toCopy > 0 {
+			copy(dst[:toCopy], c.buf[c.off:c.off+toCopy])
+			dst = dst[toCopy:]
+			remaining -= toCopy
+			c.off += toCopy
+		}
+	}
+}
+
+// ReKey reinitializes the ChaCha20/XChaCha20 instance with the provided key
+// and nonce.
+func (c *Cipher) ReKey(key, nonce []byte) error {
+	if len(key) != KeySize {
+		return ErrInvalidKey
+	}
+
+	switch len(nonce) {
+	case NonceSize:
+	case INonceSize:
+	case XNonceSize:
+		var subkey [KeySize]byte
+		var subnonce [HNonceSize]byte
+		copy(subnonce[:], nonce[0:16])
+		HChaCha(key, &subnonce, &subkey)
+		key = subkey[:]
+		nonce = nonce[16:24]
+		defer func() {
+			for i := range subkey {
+				subkey[i] = 0
+			}
+		}()
+	default:
+		return ErrInvalidNonce
+	}
+
+	c.Reset()
+	c.state[0] = sigma0
+	c.state[1] = sigma1
+	c.state[2] = sigma2
+	c.state[3] = sigma3
+	c.state[4] = binary.LittleEndian.Uint32(key[0:4])
+	c.state[5] = binary.LittleEndian.Uint32(key[4:8])
+	c.state[6] = binary.LittleEndian.Uint32(key[8:12])
+	c.state[7] = binary.LittleEndian.Uint32(key[12:16])
+	c.state[8] = binary.LittleEndian.Uint32(key[16:20])
+	c.state[9] = binary.LittleEndian.Uint32(key[20:24])
+	c.state[10] = binary.LittleEndian.Uint32(key[24:28])
+	c.state[11] = binary.LittleEndian.Uint32(key[28:32])
+	c.state[12] = 0
+	if len(nonce) == INonceSize {
+		c.state[13] = binary.LittleEndian.Uint32(nonce[0:4])
+		c.state[14] = binary.LittleEndian.Uint32(nonce[4:8])
+		c.state[15] = binary.LittleEndian.Uint32(nonce[8:12])
+		c.ietf = true
+	} else {
+		c.state[13] = 0
+		c.state[14] = binary.LittleEndian.Uint32(nonce[0:4])
+		c.state[15] = binary.LittleEndian.Uint32(nonce[4:8])
+		c.ietf = false
+	}
+	c.off = BlockSize
+	return nil
+
+}
+
+// Seek sets the block counter to a given offset.
+func (c *Cipher) Seek(blockCounter uint64) error {
+	if c.ietf {
+		if blockCounter > math.MaxUint32 {
+			return ErrInvalidCounter
+		}
+		c.state[12] = uint32(blockCounter)
+	} else {
+		c.state[12] = uint32(blockCounter)
+		c.state[13] = uint32(blockCounter >> 32)
+	}
+	c.off = BlockSize
+	return nil
+}
+
+// NewCipher returns a new ChaCha20/XChaCha20 instance.
+func NewCipher(key, nonce []byte) (*Cipher, error) {
+	c := new(Cipher)
+	if err := c.ReKey(key, nonce); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+// HChaCha is the HChaCha20 hash function used to make XChaCha.
+func HChaCha(key []byte, nonce *[HNonceSize]byte, out *[32]byte) {
+	var x [stateSize]uint32 // Last 4 slots unused, sigma hardcoded.
+	x[0] = binary.LittleEndian.Uint32(key[0:4])
+	x[1] = binary.LittleEndian.Uint32(key[4:8])
+	x[2] = binary.LittleEndian.Uint32(key[8:12])
+	x[3] = binary.LittleEndian.Uint32(key[12:16])
+	x[4] = binary.LittleEndian.Uint32(key[16:20])
+	x[5] = binary.LittleEndian.Uint32(key[20:24])
+	x[6] = binary.LittleEndian.Uint32(key[24:28])
+	x[7] = binary.LittleEndian.Uint32(key[28:32])
+	x[8] = binary.LittleEndian.Uint32(nonce[0:4])
+	x[9] = binary.LittleEndian.Uint32(nonce[4:8])
+	x[10] = binary.LittleEndian.Uint32(nonce[8:12])
+	x[11] = binary.LittleEndian.Uint32(nonce[12:16])
+	hChaChaRef(&x, out)
+}
+
+func init() {
+	switch runtime.GOARCH {
+	case "386", "amd64":
+		// Abuse unsafe to skip calling binary.LittleEndian.PutUint32
+		// in the critical path.  This is a big boost on systems that are
+		// little endian and not overly picky about alignment.
+		useUnsafe = true
+	}
+}
+
+var _ cipher.Stream = (*Cipher)(nil)
--- a/vendor/github.com/Yawning/chacha20/chacha20_amd64.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20_amd64.go
@ -0,0 +1,95 @@
+// chacha20_amd64.go - AMD64 optimized chacha20.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+// +build amd64,!gccgo,!appengine
+
+package chacha20
+
+import (
+	"math"
+)
+
+var usingAVX2 = false
+
+func blocksAmd64SSE2(x *uint32, inp, outp *byte, nrBlocks uint)
+
+func blocksAmd64AVX2(x *uint32, inp, outp *byte, nrBlocks uint)
+
+func cpuidAmd64(cpuidParams *uint32)
+
+func xgetbv0Amd64(xcrVec *uint32)
+
+func blocksAmd64(x *[stateSize]uint32, in []byte, out []byte, nrBlocks int, isIetf bool) {
+	// Probably unneeded, but stating this explicitly simplifies the assembly.
+	if nrBlocks == 0 {
+		return
+	}
+
+	if isIetf {
+		var totalBlocks uint64
+		totalBlocks = uint64(x[12]) + uint64(nrBlocks)
+		if totalBlocks > math.MaxUint32 {
+			panic("chacha20: Exceeded keystream per nonce limit")
+		}
+	}
+
+	if in == nil {
+		for i := range out {
+			out[i] = 0
+		}
+		in = out
+	}
+
+	// Pointless to call the AVX2 code for just a single block, since half of
+	// the output gets discarded...
+	if usingAVX2 && nrBlocks > 1 {
+		blocksAmd64AVX2(&x[0], &in[0], &out[0], uint(nrBlocks))
+	} else {
+		blocksAmd64SSE2(&x[0], &in[0], &out[0], uint(nrBlocks))
+	}
+}
+
+func supportsAVX2() bool {
+	// https://software.intel.com/en-us/articles/how-to-detect-new-instruction-support-in-the-4th-generation-intel-core-processor-family
+	const (
+		osXsaveBit = 1 << 27
+		avx2Bit    = 1 << 5
+	)
+
+	// Check to see if CPUID actually supports the leaf that indicates AVX2.
+	// CPUID.(EAX=0H, ECX=0H) >= 7
+	regs := [4]uint32{0x00}
+	cpuidAmd64(&regs[0])
+	if regs[0] < 7 {
+		return false
+	}
+
+	// Check to see if the OS knows how to save/restore XMM/YMM state.
+	// CPUID.(EAX=01H, ECX=0H):ECX.OSXSAVE[bit 27]==1
+	regs = [4]uint32{0x01}
+	cpuidAmd64(&regs[0])
+	if regs[2]&osXsaveBit == 0 {
+		return false
+	}
+	xcrRegs := [2]uint32{}
+	xgetbv0Amd64(&xcrRegs[0])
+	if xcrRegs[0]&6 != 6 {
+		return false
+	}
+
+	// Check for AVX2 support.
+	// CPUID.(EAX=07H, ECX=0H):EBX.AVX2[bit 5]==1
+	regs = [4]uint32{0x07}
+	cpuidAmd64(&regs[0])
+	return regs[1]&avx2Bit != 0
+}
+
+func init() {
+	blocksFn = blocksAmd64
+	usingVectors = true
+	usingAVX2 = supportsAVX2()
+}
--- a/vendor/github.com/Yawning/chacha20/chacha20_amd64.py
+++ b/vendor/github.com/Yawning/chacha20/chacha20_amd64.py
--- a/vendor/github.com/Yawning/chacha20/chacha20_amd64.s
+++ b/vendor/github.com/Yawning/chacha20/chacha20_amd64.s
--- a/vendor/github.com/Yawning/chacha20/chacha20_ref.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20_ref.go
@ -0,0 +1,394 @@
+// chacha20_ref.go - Reference ChaCha20.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+// +build !go1.9
+
+package chacha20
+
+import (
+	"encoding/binary"
+	"math"
+	"unsafe"
+)
+
+func blocksRef(x *[stateSize]uint32, in []byte, out []byte, nrBlocks int, isIetf bool) {
+	if isIetf {
+		var totalBlocks uint64
+		totalBlocks = uint64(x[12]) + uint64(nrBlocks)
+		if totalBlocks > math.MaxUint32 {
+			panic("chacha20: Exceeded keystream per nonce limit")
+		}
+	}
+
+	// This routine ignores x[0]...x[4] in favor the const values since it's
+	// ever so slightly faster.
+
+	for n := 0; n < nrBlocks; n++ {
+		x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+		x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11], x[12], x[13], x[14], x[15]
+
+		for i := chachaRounds; i > 0; i -= 2 {
+			// quarterround(x, 0, 4, 8, 12)
+			x0 += x4
+			x12 ^= x0
+			x12 = (x12 << 16) | (x12 >> 16)
+			x8 += x12
+			x4 ^= x8
+			x4 = (x4 << 12) | (x4 >> 20)
+			x0 += x4
+			x12 ^= x0
+			x12 = (x12 << 8) | (x12 >> 24)
+			x8 += x12
+			x4 ^= x8
+			x4 = (x4 << 7) | (x4 >> 25)
+
+			// quarterround(x, 1, 5, 9, 13)
+			x1 += x5
+			x13 ^= x1
+			x13 = (x13 << 16) | (x13 >> 16)
+			x9 += x13
+			x5 ^= x9
+			x5 = (x5 << 12) | (x5 >> 20)
+			x1 += x5
+			x13 ^= x1
+			x13 = (x13 << 8) | (x13 >> 24)
+			x9 += x13
+			x5 ^= x9
+			x5 = (x5 << 7) | (x5 >> 25)
+
+			// quarterround(x, 2, 6, 10, 14)
+			x2 += x6
+			x14 ^= x2
+			x14 = (x14 << 16) | (x14 >> 16)
+			x10 += x14
+			x6 ^= x10
+			x6 = (x6 << 12) | (x6 >> 20)
+			x2 += x6
+			x14 ^= x2
+			x14 = (x14 << 8) | (x14 >> 24)
+			x10 += x14
+			x6 ^= x10
+			x6 = (x6 << 7) | (x6 >> 25)
+
+			// quarterround(x, 3, 7, 11, 15)
+			x3 += x7
+			x15 ^= x3
+			x15 = (x15 << 16) | (x15 >> 16)
+			x11 += x15
+			x7 ^= x11
+			x7 = (x7 << 12) | (x7 >> 20)
+			x3 += x7
+			x15 ^= x3
+			x15 = (x15 << 8) | (x15 >> 24)
+			x11 += x15
+			x7 ^= x11
+			x7 = (x7 << 7) | (x7 >> 25)
+
+			// quarterround(x, 0, 5, 10, 15)
+			x0 += x5
+			x15 ^= x0
+			x15 = (x15 << 16) | (x15 >> 16)
+			x10 += x15
+			x5 ^= x10
+			x5 = (x5 << 12) | (x5 >> 20)
+			x0 += x5
+			x15 ^= x0
+			x15 = (x15 << 8) | (x15 >> 24)
+			x10 += x15
+			x5 ^= x10
+			x5 = (x5 << 7) | (x5 >> 25)
+
+			// quarterround(x, 1, 6, 11, 12)
+			x1 += x6
+			x12 ^= x1
+			x12 = (x12 << 16) | (x12 >> 16)
+			x11 += x12
+			x6 ^= x11
+			x6 = (x6 << 12) | (x6 >> 20)
+			x1 += x6
+			x12 ^= x1
+			x12 = (x12 << 8) | (x12 >> 24)
+			x11 += x12
+			x6 ^= x11
+			x6 = (x6 << 7) | (x6 >> 25)
+
+			// quarterround(x, 2, 7, 8, 13)
+			x2 += x7
+			x13 ^= x2
+			x13 = (x13 << 16) | (x13 >> 16)
+			x8 += x13
+			x7 ^= x8
+			x7 = (x7 << 12) | (x7 >> 20)
+			x2 += x7
+			x13 ^= x2
+			x13 = (x13 << 8) | (x13 >> 24)
+			x8 += x13
+			x7 ^= x8
+			x7 = (x7 << 7) | (x7 >> 25)
+
+			// quarterround(x, 3, 4, 9, 14)
+			x3 += x4
+			x14 ^= x3
+			x14 = (x14 << 16) | (x14 >> 16)
+			x9 += x14
+			x4 ^= x9
+			x4 = (x4 << 12) | (x4 >> 20)
+			x3 += x4
+			x14 ^= x3
+			x14 = (x14 << 8) | (x14 >> 24)
+			x9 += x14
+			x4 ^= x9
+			x4 = (x4 << 7) | (x4 >> 25)
+		}
+
+		// On amd64 at least, this is a rather big boost.
+		if useUnsafe {
+			if in != nil {
+				inArr := (*[16]uint32)(unsafe.Pointer(&in[n*BlockSize]))
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = inArr[0] ^ (x0 + sigma0)
+				outArr[1] = inArr[1] ^ (x1 + sigma1)
+				outArr[2] = inArr[2] ^ (x2 + sigma2)
+				outArr[3] = inArr[3] ^ (x3 + sigma3)
+				outArr[4] = inArr[4] ^ (x4 + x[4])
+				outArr[5] = inArr[5] ^ (x5 + x[5])
+				outArr[6] = inArr[6] ^ (x6 + x[6])
+				outArr[7] = inArr[7] ^ (x7 + x[7])
+				outArr[8] = inArr[8] ^ (x8 + x[8])
+				outArr[9] = inArr[9] ^ (x9 + x[9])
+				outArr[10] = inArr[10] ^ (x10 + x[10])
+				outArr[11] = inArr[11] ^ (x11 + x[11])
+				outArr[12] = inArr[12] ^ (x12 + x[12])
+				outArr[13] = inArr[13] ^ (x13 + x[13])
+				outArr[14] = inArr[14] ^ (x14 + x[14])
+				outArr[15] = inArr[15] ^ (x15 + x[15])
+			} else {
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = x0 + sigma0
+				outArr[1] = x1 + sigma1
+				outArr[2] = x2 + sigma2
+				outArr[3] = x3 + sigma3
+				outArr[4] = x4 + x[4]
+				outArr[5] = x5 + x[5]
+				outArr[6] = x6 + x[6]
+				outArr[7] = x7 + x[7]
+				outArr[8] = x8 + x[8]
+				outArr[9] = x9 + x[9]
+				outArr[10] = x10 + x[10]
+				outArr[11] = x11 + x[11]
+				outArr[12] = x12 + x[12]
+				outArr[13] = x13 + x[13]
+				outArr[14] = x14 + x[14]
+				outArr[15] = x15 + x[15]
+			}
+		} else {
+			// Slow path, either the architecture cares about alignment, or is not little endian.
+			x0 += sigma0
+			x1 += sigma1
+			x2 += sigma2
+			x3 += sigma3
+			x4 += x[4]
+			x5 += x[5]
+			x6 += x[6]
+			x7 += x[7]
+			x8 += x[8]
+			x9 += x[9]
+			x10 += x[10]
+			x11 += x[11]
+			x12 += x[12]
+			x13 += x[13]
+			x14 += x[14]
+			x15 += x[15]
+			if in != nil {
+				binary.LittleEndian.PutUint32(out[0:4], binary.LittleEndian.Uint32(in[0:4])^x0)
+				binary.LittleEndian.PutUint32(out[4:8], binary.LittleEndian.Uint32(in[4:8])^x1)
+				binary.LittleEndian.PutUint32(out[8:12], binary.LittleEndian.Uint32(in[8:12])^x2)
+				binary.LittleEndian.PutUint32(out[12:16], binary.LittleEndian.Uint32(in[12:16])^x3)
+				binary.LittleEndian.PutUint32(out[16:20], binary.LittleEndian.Uint32(in[16:20])^x4)
+				binary.LittleEndian.PutUint32(out[20:24], binary.LittleEndian.Uint32(in[20:24])^x5)
+				binary.LittleEndian.PutUint32(out[24:28], binary.LittleEndian.Uint32(in[24:28])^x6)
+				binary.LittleEndian.PutUint32(out[28:32], binary.LittleEndian.Uint32(in[28:32])^x7)
+				binary.LittleEndian.PutUint32(out[32:36], binary.LittleEndian.Uint32(in[32:36])^x8)
+				binary.LittleEndian.PutUint32(out[36:40], binary.LittleEndian.Uint32(in[36:40])^x9)
+				binary.LittleEndian.PutUint32(out[40:44], binary.LittleEndian.Uint32(in[40:44])^x10)
+				binary.LittleEndian.PutUint32(out[44:48], binary.LittleEndian.Uint32(in[44:48])^x11)
+				binary.LittleEndian.PutUint32(out[48:52], binary.LittleEndian.Uint32(in[48:52])^x12)
+				binary.LittleEndian.PutUint32(out[52:56], binary.LittleEndian.Uint32(in[52:56])^x13)
+				binary.LittleEndian.PutUint32(out[56:60], binary.LittleEndian.Uint32(in[56:60])^x14)
+				binary.LittleEndian.PutUint32(out[60:64], binary.LittleEndian.Uint32(in[60:64])^x15)
+				in = in[BlockSize:]
+			} else {
+				binary.LittleEndian.PutUint32(out[0:4], x0)
+				binary.LittleEndian.PutUint32(out[4:8], x1)
+				binary.LittleEndian.PutUint32(out[8:12], x2)
+				binary.LittleEndian.PutUint32(out[12:16], x3)
+				binary.LittleEndian.PutUint32(out[16:20], x4)
+				binary.LittleEndian.PutUint32(out[20:24], x5)
+				binary.LittleEndian.PutUint32(out[24:28], x6)
+				binary.LittleEndian.PutUint32(out[28:32], x7)
+				binary.LittleEndian.PutUint32(out[32:36], x8)
+				binary.LittleEndian.PutUint32(out[36:40], x9)
+				binary.LittleEndian.PutUint32(out[40:44], x10)
+				binary.LittleEndian.PutUint32(out[44:48], x11)
+				binary.LittleEndian.PutUint32(out[48:52], x12)
+				binary.LittleEndian.PutUint32(out[52:56], x13)
+				binary.LittleEndian.PutUint32(out[56:60], x14)
+				binary.LittleEndian.PutUint32(out[60:64], x15)
+			}
+			out = out[BlockSize:]
+		}
+
+		// Stoping at 2^70 bytes per nonce is the user's responsibility.
+		ctr := uint64(x[13])<<32 | uint64(x[12])
+		ctr++
+		x[12] = uint32(ctr)
+		x[13] = uint32(ctr >> 32)
+	}
+}
+
+func hChaChaRef(x *[stateSize]uint32, out *[32]byte) {
+	x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+	x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11]
+
+	for i := chachaRounds; i > 0; i -= 2 {
+		// quarterround(x, 0, 4, 8, 12)
+		x0 += x4
+		x12 ^= x0
+		x12 = (x12 << 16) | (x12 >> 16)
+		x8 += x12
+		x4 ^= x8
+		x4 = (x4 << 12) | (x4 >> 20)
+		x0 += x4
+		x12 ^= x0
+		x12 = (x12 << 8) | (x12 >> 24)
+		x8 += x12
+		x4 ^= x8
+		x4 = (x4 << 7) | (x4 >> 25)
+
+		// quarterround(x, 1, 5, 9, 13)
+		x1 += x5
+		x13 ^= x1
+		x13 = (x13 << 16) | (x13 >> 16)
+		x9 += x13
+		x5 ^= x9
+		x5 = (x5 << 12) | (x5 >> 20)
+		x1 += x5
+		x13 ^= x1
+		x13 = (x13 << 8) | (x13 >> 24)
+		x9 += x13
+		x5 ^= x9
+		x5 = (x5 << 7) | (x5 >> 25)
+
+		// quarterround(x, 2, 6, 10, 14)
+		x2 += x6
+		x14 ^= x2
+		x14 = (x14 << 16) | (x14 >> 16)
+		x10 += x14
+		x6 ^= x10
+		x6 = (x6 << 12) | (x6 >> 20)
+		x2 += x6
+		x14 ^= x2
+		x14 = (x14 << 8) | (x14 >> 24)
+		x10 += x14
+		x6 ^= x10
+		x6 = (x6 << 7) | (x6 >> 25)
+
+		// quarterround(x, 3, 7, 11, 15)
+		x3 += x7
+		x15 ^= x3
+		x15 = (x15 << 16) | (x15 >> 16)
+		x11 += x15
+		x7 ^= x11
+		x7 = (x7 << 12) | (x7 >> 20)
+		x3 += x7
+		x15 ^= x3
+		x15 = (x15 << 8) | (x15 >> 24)
+		x11 += x15
+		x7 ^= x11
+		x7 = (x7 << 7) | (x7 >> 25)
+
+		// quarterround(x, 0, 5, 10, 15)
+		x0 += x5
+		x15 ^= x0
+		x15 = (x15 << 16) | (x15 >> 16)
+		x10 += x15
+		x5 ^= x10
+		x5 = (x5 << 12) | (x5 >> 20)
+		x0 += x5
+		x15 ^= x0
+		x15 = (x15 << 8) | (x15 >> 24)
+		x10 += x15
+		x5 ^= x10
+		x5 = (x5 << 7) | (x5 >> 25)
+
+		// quarterround(x, 1, 6, 11, 12)
+		x1 += x6
+		x12 ^= x1
+		x12 = (x12 << 16) | (x12 >> 16)
+		x11 += x12
+		x6 ^= x11
+		x6 = (x6 << 12) | (x6 >> 20)
+		x1 += x6
+		x12 ^= x1
+		x12 = (x12 << 8) | (x12 >> 24)
+		x11 += x12
+		x6 ^= x11
+		x6 = (x6 << 7) | (x6 >> 25)
+
+		// quarterround(x, 2, 7, 8, 13)
+		x2 += x7
+		x13 ^= x2
+		x13 = (x13 << 16) | (x13 >> 16)
+		x8 += x13
+		x7 ^= x8
+		x7 = (x7 << 12) | (x7 >> 20)
+		x2 += x7
+		x13 ^= x2
+		x13 = (x13 << 8) | (x13 >> 24)
+		x8 += x13
+		x7 ^= x8
+		x7 = (x7 << 7) | (x7 >> 25)
+
+		// quarterround(x, 3, 4, 9, 14)
+		x3 += x4
+		x14 ^= x3
+		x14 = (x14 << 16) | (x14 >> 16)
+		x9 += x14
+		x4 ^= x9
+		x4 = (x4 << 12) | (x4 >> 20)
+		x3 += x4
+		x14 ^= x3
+		x14 = (x14 << 8) | (x14 >> 24)
+		x9 += x14
+		x4 ^= x9
+		x4 = (x4 << 7) | (x4 >> 25)
+	}
+
+	// HChaCha returns x0...x3 | x12...x15, which corresponds to the
+	// indexes of the ChaCha constant and the indexes of the IV.
+	if useUnsafe {
+		outArr := (*[16]uint32)(unsafe.Pointer(&out[0]))
+		outArr[0] = x0
+		outArr[1] = x1
+		outArr[2] = x2
+		outArr[3] = x3
+		outArr[4] = x12
+		outArr[5] = x13
+		outArr[6] = x14
+		outArr[7] = x15
+	} else {
+		binary.LittleEndian.PutUint32(out[0:4], x0)
+		binary.LittleEndian.PutUint32(out[4:8], x1)
+		binary.LittleEndian.PutUint32(out[8:12], x2)
+		binary.LittleEndian.PutUint32(out[12:16], x3)
+		binary.LittleEndian.PutUint32(out[16:20], x12)
+		binary.LittleEndian.PutUint32(out[20:24], x13)
+		binary.LittleEndian.PutUint32(out[24:28], x14)
+		binary.LittleEndian.PutUint32(out[28:32], x15)
+	}
+	return
+}
--- a/vendor/github.com/Yawning/chacha20/chacha20_ref_go19.go
+++ b/vendor/github.com/Yawning/chacha20/chacha20_ref_go19.go
@ -0,0 +1,395 @@
+// chacha20_ref.go - Reference ChaCha20.
+//
+// To the extent possible under law, Yawning Angel has waived all copyright
+// and related or neighboring rights to chacha20, using the Creative
+// Commons "CC0" public domain dedication. See LICENSE or
+// <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
+
+// +build go1.9
+
+package chacha20
+
+import (
+	"encoding/binary"
+	"math"
+	"math/bits"
+	"unsafe"
+)
+
+func blocksRef(x *[stateSize]uint32, in []byte, out []byte, nrBlocks int, isIetf bool) {
+	if isIetf {
+		var totalBlocks uint64
+		totalBlocks = uint64(x[12]) + uint64(nrBlocks)
+		if totalBlocks > math.MaxUint32 {
+			panic("chacha20: Exceeded keystream per nonce limit")
+		}
+	}
+
+	// This routine ignores x[0]...x[4] in favor the const values since it's
+	// ever so slightly faster.
+
+	for n := 0; n < nrBlocks; n++ {
+		x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+		x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11], x[12], x[13], x[14], x[15]
+
+		for i := chachaRounds; i > 0; i -= 2 {
+			// quarterround(x, 0, 4, 8, 12)
+			x0 += x4
+			x12 ^= x0
+			x12 = bits.RotateLeft32(x12, 16)
+			x8 += x12
+			x4 ^= x8
+			x4 = bits.RotateLeft32(x4, 12)
+			x0 += x4
+			x12 ^= x0
+			x12 = bits.RotateLeft32(x12, 8)
+			x8 += x12
+			x4 ^= x8
+			x4 = bits.RotateLeft32(x4, 7)
+
+			// quarterround(x, 1, 5, 9, 13)
+			x1 += x5
+			x13 ^= x1
+			x13 = bits.RotateLeft32(x13, 16)
+			x9 += x13
+			x5 ^= x9
+			x5 = bits.RotateLeft32(x5, 12)
+			x1 += x5
+			x13 ^= x1
+			x13 = bits.RotateLeft32(x13, 8)
+			x9 += x13
+			x5 ^= x9
+			x5 = bits.RotateLeft32(x5, 7)
+
+			// quarterround(x, 2, 6, 10, 14)
+			x2 += x6
+			x14 ^= x2
+			x14 = bits.RotateLeft32(x14, 16)
+			x10 += x14
+			x6 ^= x10
+			x6 = bits.RotateLeft32(x6, 12)
+			x2 += x6
+			x14 ^= x2
+			x14 = bits.RotateLeft32(x14, 8)
+			x10 += x14
+			x6 ^= x10
+			x6 = bits.RotateLeft32(x6, 7)
+
+			// quarterround(x, 3, 7, 11, 15)
+			x3 += x7
+			x15 ^= x3
+			x15 = bits.RotateLeft32(x15, 16)
+			x11 += x15
+			x7 ^= x11
+			x7 = bits.RotateLeft32(x7, 12)
+			x3 += x7
+			x15 ^= x3
+			x15 = bits.RotateLeft32(x15, 8)
+			x11 += x15
+			x7 ^= x11
+			x7 = bits.RotateLeft32(x7, 7)
+
+			// quarterround(x, 0, 5, 10, 15)
+			x0 += x5
+			x15 ^= x0
+			x15 = bits.RotateLeft32(x15, 16)
+			x10 += x15
+			x5 ^= x10
+			x5 = bits.RotateLeft32(x5, 12)
+			x0 += x5
+			x15 ^= x0
+			x15 = bits.RotateLeft32(x15, 8)
+			x10 += x15
+			x5 ^= x10
+			x5 = bits.RotateLeft32(x5, 7)
+
+			// quarterround(x, 1, 6, 11, 12)
+			x1 += x6
+			x12 ^= x1
+			x12 = bits.RotateLeft32(x12, 16)
+			x11 += x12
+			x6 ^= x11
+			x6 = bits.RotateLeft32(x6, 12)
+			x1 += x6
+			x12 ^= x1
+			x12 = bits.RotateLeft32(x12, 8)
+			x11 += x12
+			x6 ^= x11
+			x6 = bits.RotateLeft32(x6, 7)
+
+			// quarterround(x, 2, 7, 8, 13)
+			x2 += x7
+			x13 ^= x2
+			x13 = bits.RotateLeft32(x13, 16)
+			x8 += x13
+			x7 ^= x8
+			x7 = bits.RotateLeft32(x7, 12)
+			x2 += x7
+			x13 ^= x2
+			x13 = bits.RotateLeft32(x13, 8)
+			x8 += x13
+			x7 ^= x8
+			x7 = bits.RotateLeft32(x7, 7)
+
+			// quarterround(x, 3, 4, 9, 14)
+			x3 += x4
+			x14 ^= x3
+			x14 = bits.RotateLeft32(x14, 16)
+			x9 += x14
+			x4 ^= x9
+			x4 = bits.RotateLeft32(x4, 12)
+			x3 += x4
+			x14 ^= x3
+			x14 = bits.RotateLeft32(x14, 8)
+			x9 += x14
+			x4 ^= x9
+			x4 = bits.RotateLeft32(x4, 7)
+		}
+
+		// On amd64 at least, this is a rather big boost.
+		if useUnsafe {
+			if in != nil {
+				inArr := (*[16]uint32)(unsafe.Pointer(&in[n*BlockSize]))
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = inArr[0] ^ (x0 + sigma0)
+				outArr[1] = inArr[1] ^ (x1 + sigma1)
+				outArr[2] = inArr[2] ^ (x2 + sigma2)
+				outArr[3] = inArr[3] ^ (x3 + sigma3)
+				outArr[4] = inArr[4] ^ (x4 + x[4])
+				outArr[5] = inArr[5] ^ (x5 + x[5])
+				outArr[6] = inArr[6] ^ (x6 + x[6])
+				outArr[7] = inArr[7] ^ (x7 + x[7])
+				outArr[8] = inArr[8] ^ (x8 + x[8])
+				outArr[9] = inArr[9] ^ (x9 + x[9])
+				outArr[10] = inArr[10] ^ (x10 + x[10])
+				outArr[11] = inArr[11] ^ (x11 + x[11])
+				outArr[12] = inArr[12] ^ (x12 + x[12])
+				outArr[13] = inArr[13] ^ (x13 + x[13])
+				outArr[14] = inArr[14] ^ (x14 + x[14])
+				outArr[15] = inArr[15] ^ (x15 + x[15])
+			} else {
+				outArr := (*[16]uint32)(unsafe.Pointer(&out[n*BlockSize]))
+				outArr[0] = x0 + sigma0
+				outArr[1] = x1 + sigma1
+				outArr[2] = x2 + sigma2
+				outArr[3] = x3 + sigma3
+				outArr[4] = x4 + x[4]
+				outArr[5] = x5 + x[5]
+				outArr[6] = x6 + x[6]
+				outArr[7] = x7 + x[7]
+				outArr[8] = x8 + x[8]
+				outArr[9] = x9 + x[9]
+				outArr[10] = x10 + x[10]
+				outArr[11] = x11 + x[11]
+				outArr[12] = x12 + x[12]
+				outArr[13] = x13 + x[13]
+				outArr[14] = x14 + x[14]
+				outArr[15] = x15 + x[15]
+			}
+		} else {
+			// Slow path, either the architecture cares about alignment, or is not little endian.
+			x0 += sigma0
+			x1 += sigma1
+			x2 += sigma2
+			x3 += sigma3
+			x4 += x[4]
+			x5 += x[5]
+			x6 += x[6]
+			x7 += x[7]
+			x8 += x[8]
+			x9 += x[9]
+			x10 += x[10]
+			x11 += x[11]
+			x12 += x[12]
+			x13 += x[13]
+			x14 += x[14]
+			x15 += x[15]
+			if in != nil {
+				binary.LittleEndian.PutUint32(out[0:4], binary.LittleEndian.Uint32(in[0:4])^x0)
+				binary.LittleEndian.PutUint32(out[4:8], binary.LittleEndian.Uint32(in[4:8])^x1)
+				binary.LittleEndian.PutUint32(out[8:12], binary.LittleEndian.Uint32(in[8:12])^x2)
+				binary.LittleEndian.PutUint32(out[12:16], binary.LittleEndian.Uint32(in[12:16])^x3)
+				binary.LittleEndian.PutUint32(out[16:20], binary.LittleEndian.Uint32(in[16:20])^x4)
+				binary.LittleEndian.PutUint32(out[20:24], binary.LittleEndian.Uint32(in[20:24])^x5)
+				binary.LittleEndian.PutUint32(out[24:28], binary.LittleEndian.Uint32(in[24:28])^x6)
+				binary.LittleEndian.PutUint32(out[28:32], binary.LittleEndian.Uint32(in[28:32])^x7)
+				binary.LittleEndian.PutUint32(out[32:36], binary.LittleEndian.Uint32(in[32:36])^x8)
+				binary.LittleEndian.PutUint32(out[36:40], binary.LittleEndian.Uint32(in[36:40])^x9)
+				binary.LittleEndian.PutUint32(out[40:44], binary.LittleEndian.Uint32(in[40:44])^x10)
+				binary.LittleEndian.PutUint32(out[44:48], binary.LittleEndian.Uint32(in[44:48])^x11)
+				binary.LittleEndian.PutUint32(out[48:52], binary.LittleEndian.Uint32(in[48:52])^x12)
+				binary.LittleEndian.PutUint32(out[52:56], binary.LittleEndian.Uint32(in[52:56])^x13)
+				binary.LittleEndian.PutUint32(out[56:60], binary.LittleEndian.Uint32(in[56:60])^x14)
+				binary.LittleEndian.PutUint32(out[60:64], binary.LittleEndian.Uint32(in[60:64])^x15)
+				in = in[BlockSize:]
+			} else {
+				binary.LittleEndian.PutUint32(out[0:4], x0)
+				binary.LittleEndian.PutUint32(out[4:8], x1)
+				binary.LittleEndian.PutUint32(out[8:12], x2)
+				binary.LittleEndian.PutUint32(out[12:16], x3)
+				binary.LittleEndian.PutUint32(out[16:20], x4)
+				binary.LittleEndian.PutUint32(out[20:24], x5)
+				binary.LittleEndian.PutUint32(out[24:28], x6)
+				binary.LittleEndian.PutUint32(out[28:32], x7)
+				binary.LittleEndian.PutUint32(out[32:36], x8)
+				binary.LittleEndian.PutUint32(out[36:40], x9)
+				binary.LittleEndian.PutUint32(out[40:44], x10)
+				binary.LittleEndian.PutUint32(out[44:48], x11)
+				binary.LittleEndian.PutUint32(out[48:52], x12)
+				binary.LittleEndian.PutUint32(out[52:56], x13)
+				binary.LittleEndian.PutUint32(out[56:60], x14)
+				binary.LittleEndian.PutUint32(out[60:64], x15)
+			}
+			out = out[BlockSize:]
+		}
+
+		// Stoping at 2^70 bytes per nonce is the user's responsibility.
+		ctr := uint64(x[13])<<32 | uint64(x[12])
+		ctr++
+		x[12] = uint32(ctr)
+		x[13] = uint32(ctr >> 32)
+	}
+}
+
+func hChaChaRef(x *[stateSize]uint32, out *[32]byte) {
+	x0, x1, x2, x3 := sigma0, sigma1, sigma2, sigma3
+	x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 := x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11]
+
+	for i := chachaRounds; i > 0; i -= 2 {
+		// quarterround(x, 0, 4, 8, 12)
+		x0 += x4
+		x12 ^= x0
+		x12 = bits.RotateLeft32(x12, 16)
+		x8 += x12
+		x4 ^= x8
+		x4 = bits.RotateLeft32(x4, 12)
+		x0 += x4
+		x12 ^= x0
+		x12 = bits.RotateLeft32(x12, 8)
+		x8 += x12
+		x4 ^= x8
+		x4 = bits.RotateLeft32(x4, 7)
+
+		// quarterround(x, 1, 5, 9, 13)
+		x1 += x5
+		x13 ^= x1
+		x13 = bits.RotateLeft32(x13, 16)
+		x9 += x13
+		x5 ^= x9
+		x5 = bits.RotateLeft32(x5, 12)
+		x1 += x5
+		x13 ^= x1
+		x13 = bits.RotateLeft32(x13, 8)
+		x9 += x13
+		x5 ^= x9
+		x5 = bits.RotateLeft32(x5, 7)
+
+		// quarterround(x, 2, 6, 10, 14)
+		x2 += x6
+		x14 ^= x2
+		x14 = bits.RotateLeft32(x14, 16)
+		x10 += x14
+		x6 ^= x10
+		x6 = bits.RotateLeft32(x6, 12)
+		x2 += x6
+		x14 ^= x2
+		x14 = bits.RotateLeft32(x14, 8)
+		x10 += x14
+		x6 ^= x10
+		x6 = bits.RotateLeft32(x6, 7)
+
+		// quarterround(x, 3, 7, 11, 15)
+		x3 += x7
+		x15 ^= x3
+		x15 = bits.RotateLeft32(x15, 16)
+		x11 += x15
+		x7 ^= x11
+		x7 = bits.RotateLeft32(x7, 12)
+		x3 += x7
+		x15 ^= x3
+		x15 = bits.RotateLeft32(x15, 8)
+		x11 += x15
+		x7 ^= x11
+		x7 = bits.RotateLeft32(x7, 7)
+
+		// quarterround(x, 0, 5, 10, 15)
+		x0 += x5
+		x15 ^= x0
+		x15 = bits.RotateLeft32(x15, 16)
+		x10 += x15
+		x5 ^= x10
+		x5 = bits.RotateLeft32(x5, 12)
+		x0 += x5
+		x15 ^= x0
+		x15 = bits.RotateLeft32(x15, 8)
+		x10 += x15
+		x5 ^= x10
+		x5 = bits.RotateLeft32(x5, 7)
+
+		// quarterround(x, 1, 6, 11, 12)
+		x1 += x6
+		x12 ^= x1
+		x12 = bits.RotateLeft32(x12, 16)
+		x11 += x12
+		x6 ^= x11
+		x6 = bits.RotateLeft32(x6, 12)
+		x1 += x6
+		x12 ^= x1
+		x12 = bits.RotateLeft32(x12, 8)
+		x11 += x12
+		x6 ^= x11
+		x6 = bits.RotateLeft32(x6, 7)
+
+		// quarterround(x, 2, 7, 8, 13)
+		x2 += x7
+		x13 ^= x2
+		x13 = bits.RotateLeft32(x13, 16)
+		x8 += x13
+		x7 ^= x8
+		x7 = bits.RotateLeft32(x7, 12)
+		x2 += x7
+		x13 ^= x2
+		x13 = bits.RotateLeft32(x13, 8)
+		x8 += x13
+		x7 ^= x8
+		x7 = bits.RotateLeft32(x7, 7)
+
+		// quarterround(x, 3, 4, 9, 14)
+		x3 += x4
+		x14 ^= x3
+		x14 = bits.RotateLeft32(x14, 16)
+		x9 += x14
+		x4 ^= x9
+		x4 = bits.RotateLeft32(x4, 12)
+		x3 += x4
+		x14 ^= x3
+		x14 = bits.RotateLeft32(x14, 8)
+		x9 += x14
+		x4 ^= x9
+		x4 = bits.RotateLeft32(x4, 7)
+	}
+
+	// HChaCha returns x0...x3 | x12...x15, which corresponds to the
+	// indexes of the ChaCha constant and the indexes of the IV.
+	if useUnsafe {
+		outArr := (*[16]uint32)(unsafe.Pointer(&out[0]))
+		outArr[0] = x0
+		outArr[1] = x1
+		outArr[2] = x2
+		outArr[3] = x3
+		outArr[4] = x12
+		outArr[5] = x13
+		outArr[6] = x14
+		outArr[7] = x15
+	} else {
+		binary.LittleEndian.PutUint32(out[0:4], x0)
+		binary.LittleEndian.PutUint32(out[4:8], x1)
+		binary.LittleEndian.PutUint32(out[8:12], x2)
+		binary.LittleEndian.PutUint32(out[12:16], x3)
+		binary.LittleEndian.PutUint32(out[16:20], x12)
+		binary.LittleEndian.PutUint32(out[20:24], x13)
+		binary.LittleEndian.PutUint32(out[24:28], x14)
+		binary.LittleEndian.PutUint32(out[28:32], x15)
+	}
+	return
+}
--- a/vendor/github.com/golang/snappy/.gitignore
+++ b/vendor/github.com/golang/snappy/.gitignore
@ -0,0 +1,16 @@
+cmd/snappytool/snappytool
+testdata/bench
+
+# These explicitly listed benchmark data files are for an obsolete version of
+# snappy_test.go.
+testdata/alice29.txt
+testdata/asyoulik.txt
+testdata/fireworks.jpeg
+testdata/geo.protodata
+testdata/html
+testdata/html_x_4
+testdata/kppkn.gtb
+testdata/lcet10.txt
+testdata/paper-100k.pdf
+testdata/plrabn12.txt
+testdata/urls.10K
--- a/vendor/github.com/miekg/dns/.gitignore
+++ b/vendor/github.com/miekg/dns/.gitignore
@ -0,0 +1,4 @@
+*.6
+tags
+test.out
+a.out
--- a/vendor/github.com/pkg/errors/.gitignore
+++ b/vendor/github.com/pkg/errors/.gitignore
@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
--- a/vendor/github.com/templexxx/cpufeat/.gitignore
+++ b/vendor/github.com/templexxx/cpufeat/.gitignore
@ -0,0 +1,14 @@
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
--- a/vendor/github.com/templexxx/reedsolomon/.gitignore
+++ b/vendor/github.com/templexxx/reedsolomon/.gitignore
@ -0,0 +1,40 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+/.idea
+/backup
+/loopunroll/
+cpu.out
+mathtool/galois/
+mathtool/matrix/
+mem.out
+/examples/
+/.DS_Store
+/mathtool/cntinverse
+/invert
+/bakcup
+/buf.svg
+*.svg
+*.out
+/escape
--- a/vendor/github.com/templexxx/xor/.gitignore
+++ b/vendor/github.com/templexxx/xor/.gitignore
@ -0,0 +1,18 @@
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
+/backup/
+/backup2/
+/.idea
+/backup3/
--- a/vendor/github.com/xtaci/kcp-go/.gitignore
+++ b/vendor/github.com/xtaci/kcp-go/.gitignore
@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
--- a/vendor/github.com/xtaci/smux/.gitignore
+++ b/vendor/github.com/xtaci/smux/.gitignore
@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
Author	SHA1	Message	Date
arraykeys@gmail.com	4214ec4239	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-06-06 15:06:56 +08:00
arraykeys@gmail.com	504de47999	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-06-06 14:44:04 +08:00
arraykeys@gmail.com	e185d734d0	mux内网穿透切换smux到yamux Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-31 16:26:40 +08:00
arraykeys@gmail.com	9b1ef52649	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-05-31 11:39:50 +08:00
arraykeys@gmail.com	5c9fc850d8	fix #84 fix #81 Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-31 11:39:29 +08:00
snail007	ff96e52a33	Merge pull request #89 from moonfruit/dev HTTP Basic 认证失败返回的 WWW-Authenticate 更正为 Proxy-Authenticate	2018-05-24 11:22:35 +08:00
MoonFruit	78004bcd39	HTTP Basic 认证失败返回的 WWW-Authenticate 更正为 Proxy-Authenticate	2018-05-24 09:58:04 +08:00
arraykeys@gmail.com	b16decf976	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-23 14:38:19 +08:00
arraykeys@gmail.com	828636553d	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-23 14:23:43 +08:00
arraykeys@gmail.com	bfcc27e70f	fix #85 Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-22 12:34:18 +08:00
arraykeys@gmail.com	7cb7d34d42	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-22 12:01:55 +08:00
arraykeys@gmail.com	5276154401	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-22 11:32:31 +08:00
arraykeys@gmail.com	dad091441e	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-22 11:30:19 +08:00
arraykeys@gmail.com	81ff3dadd5	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-22 11:26:34 +08:00
arraykeys@gmail.com	f559fb1cae	fix #58 fix #80 Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-22 11:21:58 +08:00
arraykeys@gmail.com	8649bbc191	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-21 16:04:40 +08:00
snail007	d775339948	Merge pull request #83 from yelongyu/dev Update README_ZH.md	2018-05-20 22:46:51 +08:00
yelongyu	69a5b906e0	Update README_ZH.md 删除多余的"域名"	2018-05-20 17:33:49 +08:00
yelongyu	2d66cc6215	Update README_ZH.md 添加多级加密HTTP代理设置注意事项	2018-05-20 17:26:46 +08:00
arraykeys@gmail.com	8d74baf48c	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-16 15:59:53 +08:00
arraykeys@gmail.com	d7641c4483	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-16 11:23:54 +08:00
arraykeys@gmail.com	ffe54c3af7	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-05-15 10:58:17 +08:00
arraykeys@gmail.com	53df3b5578	add docker support Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-15 10:56:57 +08:00
snail007	54c22f1410	Merge pull request #77 from FarhadF/dev Added Dockerfile	2018-05-15 08:58:30 +08:00
FarhadF	366b7e04f3	Added Dockerfile	2018-05-14 17:33:00 +04:30
snail007	a33a4d2bd3	Merge pull request #74 from whgfu/dev Dev-更新说明文件中socks5 http api认证中的 url参数为三个	2018-05-14 20:53:01 +08:00
粥冰涅槃	eb00d570a8	更新说明文件中socks5 http api认证中的 url参数为三个	2018-05-14 18:42:01 +08:00
whgfu	500142f4c8	Merge pull request #1 from snail007/dev Dev	2018-05-14 18:31:11 +08:00
arraykeys	bffd5891cc	no message	2018-05-08 08:45:29 +08:00
arraykeys	cf2e6f9ff0	no message	2018-05-08 07:28:05 +08:00
arraykeys	ed4b8d11e3	no message	2018-05-07 20:58:59 +08:00
arraykeys	905c1eac63	no message	2018-05-07 20:48:32 +08:00
arraykeys@gmail.com	61872133b1	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-07 17:46:23 +08:00
arraykeys@gmail.com	e18f53a5bb	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-07 17:32:38 +08:00
arraykeys@gmail.com	947fb51963	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-07 17:25:47 +08:00
arraykeys@gmail.com	7aeef3f8ba	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-07 17:14:20 +08:00
arraykeys@gmail.com	b42f6a6364	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-07 16:23:47 +08:00
arraykeys@gmail.com	92f4d31dfc	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-05-07 16:23:01 +08:00
arraykeys@gmail.com	4f11593f26	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-07 16:21:58 +08:00
arraykeys	795d63879f	no message	2018-05-04 18:24:52 +08:00
arraykeys	1c46eeaf43	no message	2018-05-04 18:10:09 +08:00
arraykeys	6f47d12498	no message	2018-05-04 17:49:56 +08:00
arraykeys	e6c56675ca	no message	2018-05-04 17:42:59 +08:00
snail007	ff92c96d8d	Merge pull request #70 from yincongcyincong/dev Update README.md	2018-05-03 23:15:19 +08:00
yincongcyincong	fed2afb964	Update README.md	2018-05-03 18:42:42 +08:00
arraykeys@gmail.com	b3feff7843	1.修复了多个服务同时开启日志,只会输出到最后一个日志文件的bug. 2.增加了获取sdk版本的Version()方法. Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-05-03 17:59:06 +08:00
arraykeys@gmail.com	edb2fb3458	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-28 14:18:03 +08:00
arraykeys@gmail.com	dc51a0bd9d	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-28 14:15:47 +08:00
arraykeys@gmail.com	34b30ac8c9	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-04-28 14:13:50 +08:00
arraykeys@gmail.com	8122af9096	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-28 14:13:20 +08:00
snail007	2b267fe4bb	Merge pull request #66 from shoaly/patch-4 good job	2018-04-28 13:54:32 +08:00
shoaly	90bf483976	Update README_ZH.md	2018-04-28 13:45:41 +08:00
arraykeys@gmail.com	b109f273a5	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-27 16:28:14 +08:00
arraykeys@gmail.com	482977a4ac	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-27 15:27:13 +08:00
arraykeys@gmail.com	515dcdbf1f	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-27 14:59:02 +08:00
arraykeys@gmail.com	0e033c1d85	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-27 12:22:37 +08:00
arraykeys@gmail.com	ad2441de3b	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-27 12:08:31 +08:00
arraykeys@gmail.com	7a881b3625	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-04-27 11:58:50 +08:00
arraykeys@gmail.com	faf61fdd60	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-27 11:58:27 +08:00
snail007	2b3d23f77c	Merge pull request #63 from yincongcyincong/dev Update README.md	2018-04-26 21:42:48 +08:00
yincongcyincong	06e1247706	Update README.md	2018-04-26 18:56:57 +08:00
arraykeys@gmail.com	6b5fdef8c7	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-26 17:43:53 +08:00
arraykeys@gmail.com	48b1621ee4	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-04-26 17:37:56 +08:00
snail007	c2ce973f61	Merge pull request #61 from onetwotrip/dev Fix imports path	2018-04-26 17:37:35 +08:00
arraykeys@gmail.com	cac648cc32	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-26 17:37:03 +08:00
Maxim Pogozhiy	b9bffcdf4b	Fix imports path	2018-04-25 11:28:20 +03:00
snail007	7a1e5c5de7	Merge pull request #62 from yincongcyincong/dev en doc	2018-04-25 15:54:41 +08:00
yc	e24dfc856a	Merge branch 'snail007-dev' into dev	2018-04-24 19:53:43 +08:00
yc	66a115c764	update readme	2018-04-24 19:53:27 +08:00
yincongcyincong	a6e80a30dc	Update README.md	2018-04-24 19:36:30 +08:00
arraykeys@gmail.com	52a2771382	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-24 18:25:04 +08:00
arraykeys@gmail.com	6b2b75bc50	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-24 18:18:49 +08:00
arraykeys@gmail.com	893baff6c6	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev # Conflicts: # sdk/windows-linux/release_linux.sh Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-24 18:17:25 +08:00
arraykeys@gmail.com	de62d956dd	Merge branch 'master' of https://github.com/snail007/goproxy.git into dev	2018-04-24 18:13:28 +08:00
arraykeys@gmail.com	b59cf1f144	增加了大量插图,优化了多链接版本内网穿透,实现了心跳机制. Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-24 18:09:33 +08:00
arraykeys	8b5cc3fb89	no message	2018-04-21 11:21:04 +08:00
arraykeys@gmail.com	fbd8c67649	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-20 13:35:05 +08:00
arraykeys	c6f6266592	no message	2018-04-20 13:31:58 +08:00
arraykeys	ab72640ffd	Merge branch 'dev' of github.com:snail007/goproxy into dev * 'dev' of github.com:snail007/goproxy: fix #56 Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-20 13:23:31 +08:00
arraykeys	905bfff92b	no message	2018-04-20 13:23:08 +08:00
arraykeys@gmail.com	4ef33d0ffd	fix #56 Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-19 14:55:56 +08:00
arraykeys@gmail.com	1597363dd1	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-18 15:27:32 +08:00
arraykeys	27896a0563	no message	2018-04-18 13:22:44 +08:00
arraykeys	bef385cfd1	no message	2018-04-18 13:11:43 +08:00
arraykeys@gmail.com	98e0154baa	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-18 11:19:51 +08:00
arraykeys@gmail.com	01961a798a	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-04-18 10:57:06 +08:00
arraykeys	d5a460bd09	no message	2018-04-18 10:55:54 +08:00
arraykeys@gmail.com	e94605644f	Merge branch 'dev' of https://github.com/snail007/goproxy.git into dev	2018-04-18 10:53:39 +08:00
arraykeys@gmail.com	8dc206e2d6	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-18 10:53:14 +08:00
arraykeys	e8acbbfabf	mac sdk	2018-04-18 10:52:57 +08:00
arraykeys	17335eb92b	no message	2018-04-17 22:25:10 +08:00
arraykeys	d2051e6e37	no message	2018-04-17 18:24:01 +08:00
arraykeys	0aa0e7c550	add windows sdk demo	2018-04-17 17:44:16 +08:00
arraykeys	57935c2296	no message	2018-04-17 13:57:52 +08:00
arraykeys@gmail.com	9d4930b29d	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-17 13:45:31 +08:00
arraykeys@gmail.com	66206e63b3	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-17 13:36:19 +08:00
arraykeys@gmail.com	19baccb91a	add linux .so and windows .dll sdk support, Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-16 18:33:10 +08:00
yincongcyincong	98bbd68448	Update README.md	2018-04-14 11:37:09 +08:00
yincongcyincong	45dee58203	Update README.md	2018-04-14 11:30:29 +08:00
yincongcyincong	e2557c44c4	Update README.md	2018-04-14 10:29:21 +08:00
arraykeys@gmail.com	f0ed6d73e4	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-13 18:31:12 +08:00
arraykeys@gmail.com	47790d1d58	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-13 18:23:26 +08:00
arraykeys@gmail.com	9aff5eda38	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-13 18:21:26 +08:00
arraykeys@gmail.com	eb2f055e07	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-13 18:14:32 +08:00
arraykeys@gmail.com	0998c06195	Add compress and encryt support on (tcp\|tls\|kcp) transport layer Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-13 17:23:42 +08:00
arraykeys@gmail.com	cf22866b2a	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-13 14:12:05 +08:00
arraykeys@gmail.com	16bb452640	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-12 17:03:16 +08:00
arraykeys@gmail.com	6f1d826ef5	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-12 16:45:39 +08:00
arraykeys@gmail.com	5a68fb3c3d	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-12 16:42:28 +08:00
arraykeys@gmail.com	350eb5b6ed	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-12 16:41:03 +08:00
arraykeys@gmail.com	d48f3b3323	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-12 16:36:36 +08:00
arraykeys@gmail.com	7a1491c7b3	android sdk Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-12 16:32:56 +08:00
arraykeys@gmail.com	68deae6bf8	优化服务stop方法,方便sdk开发. Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-10 18:32:17 +08:00
arraykeys@gmail.com	2086966a89	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-09 16:21:27 +08:00
arraykeys@gmail.com	3aba428b76	增加gomobile sdk对android/ios进行支持. 优化错误控制 Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-09 16:16:55 +08:00
arraykeys@gmail.com	a11ce38747	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-04-03 17:34:33 +08:00
arraykeys@gmail.com	f7b363ec73	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-03-29 17:31:38 +08:00
arraykeys@gmail.com	4c33a1e9b2	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-03-29 17:25:32 +08:00
arraykeys@gmail.com	c4d9382ac7	Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>	2018-03-29 16:59:52 +08:00