增加修改节点停用/启用状态API

版本号修改为1.3.3
查询集群列表API增加ID排序
2024-01-21 17:43:20 +08:00 · 2024-01-21 16:57:37 +08:00 · 2024-01-21 16:57:17 +08:00 · 2024-01-20 16:19:11 +08:00 · 2024-01-16 20:59:18 +08:00 · 2024-01-15 08:40:23 +08:00
698 changed files with 280110 additions and 22410 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *_plus.go
-*-plus.sh
+*-plus.sh
+*_plus_test.go
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,75 @@
+# https://golangci-lint.run/usage/configuration/
+
+linters:
+  enable-all: true
+  disable:
+    - ifshort
+    - exhaustivestruct
+    - golint
+    - nosnakecase
+    - scopelint
+    - varcheck
+    - structcheck
+    - interfacer
+    - maligned
+    - deadcode
+    - dogsled
+    - wrapcheck
+    - wastedassign
+    - varnamelen
+    - testpackage
+    - thelper
+    - nilerr
+    - sqlclosecheck
+    - paralleltest
+    - nonamedreturns
+    - nlreturn
+    - nakedret
+    - ireturn
+    - interfacebloat
+    - gosmopolitan
+    - gomnd
+    - goerr113
+    - gochecknoglobals
+    - exhaustruct
+    - errorlint
+    - depguard
+    - exhaustive
+    - containedctx
+    - wsl
+    - cyclop
+    - dupword
+    - errchkjson
+    - contextcheck
+    - tagalign
+    - dupl
+    - forbidigo
+    - funlen
+    - goconst
+    - godox
+    - gosec
+    - lll
+    - nestif
+    - revive
+    - unparam
+    - stylecheck
+    - gocritic
+    - gofumpt
+    - gomoddirectives
+    - godot
+    - gofmt
+    - gocognit
+    - mirror
+    - gocyclo
+    - gochecknoinits
+    - gci
+    - maintidx
+    - prealloc
+    - goimports
+    - errname
+    - musttag
+    - forcetypeassert
+    - whitespace
+    - noctx
+    - tagliatelle
+    - nilnil
--- a/build/build.sh
+++ b/build/build.sh
@@ -88,15 +88,13 @@ function build() {
 		mkdir "$DIST"/bin
 		mkdir "$DIST"/configs
 		mkdir "$DIST"/logs
+		mkdir "$DIST"/data
 	fi
 	cp "$ROOT"/configs/api.template.yaml "$DIST"/configs/
 	cp "$ROOT"/configs/db.template.yaml "$DIST"/configs/
 	cp -R "$ROOT"/deploy "$DIST/"
 	rm -f "$DIST"/deploy/.gitignore
 	cp -R "$ROOT"/installers "$DIST"/
-	cp -R "$ROOT"/resources "$DIST"/
-	rm -f "$DIST"/resources/ipdata/ip2region/global_region.csv
-	rm -f "$DIST"/resources/ipdata/ip2region/ip.merge.txt

 	# building edge installer
 	echo "building node installer ..."
@@ -107,12 +105,14 @@ function build() {
 	done

 	# building edge dns installer
-	echo "building dns node installer ..."
-	architects=("amd64" "arm64")
-	for arch in "${architects[@]}"; do
-		# TODO support arm, mips ...
-		env GOOS=linux GOARCH="${arch}" go build -trimpath -tags $TAG --ldflags="-s -w" -o "$ROOT"/installers/edge-installer-dns-helper-linux-"${arch}" "$ROOT"/../cmd/installer-dns-helper/main.go
-	done
+	if [ $TAG = "plus" ]; then
+		echo "building dns node installer ..."
+		architects=("amd64" "arm64")
+		for arch in "${architects[@]}"; do
+			# TODO support arm, mips ...
+			env GOOS=linux GOARCH="${arch}" go build -trimpath -tags $TAG --ldflags="-s -w" -o "$ROOT"/installers/edge-installer-dns-helper-linux-"${arch}" "$ROOT"/../cmd/installer-dns-helper/main.go
+		done
+	fi

 	# building api node
 	env GOOS="$OS" GOARCH="$ARCH" go build -trimpath -tags $TAG --ldflags="-s -w" -o "$DIST"/bin/edge-api "$ROOT"/../cmd/edge-api/main.go
--- a/build/configs/db.template.yaml
+++ b/build/configs/db.template.yaml
@@ -9,3 +9,8 @@ dbs:
    prefix: "edge"
    models:
      package: internal/web/models
+
+
+fields:
+  bool: [ "uamIsOn", "followPort", "requestHostExcludingPort", "autoRemoteStart", "autoInstallNftables", "enableIPLists", "detectAgents", "checkingPorts", "enableRecordHealthCheck", "offlineIsNotified", "http2Enabled", "http3Enabled", "enableHTTP2", "retry50X", "retry40X", "autoSystemTuning", "disableDefaultDB" ]
+
--- a/build/resources/ipdata/ip2region/global_region.csv
+++ b/build/resources/ipdata/ip2region/global_region.csv
--- a/build/resources/ipdata/ip2region/ip2region.db
+++ b/build/resources/ipdata/ip2region/ip2region.db
--- a/build/sql.sh
+++ b/build/sql.sh
@@ -1,3 +1,7 @@
 #!/usr/bin/env bash

-go run `dirname $0`/../cmd/sql-dump/main.go -dir=`dirname $0`
+# generate 'internal/setup/sql.json' file
+
+CWD="$(dirname "$0")"
+
+go run "${CWD}"/../cmd/sql-dump/main.go -dir="${CWD}"
--- a/cmd/edge-api/main.go
+++ b/cmd/edge-api/main.go
@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"github.com/TeaOSLab/EdgeAPI/internal/apps"
+	"github.com/TeaOSLab/EdgeAPI/internal/configs"
 	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
 	"github.com/TeaOSLab/EdgeAPI/internal/nodes"
 	"github.com/TeaOSLab/EdgeAPI/internal/setup"
@@ -14,9 +15,9 @@ import (
 	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/types"
 	"github.com/iwind/gosock/pkg/gosock"
-	"io/ioutil"
 	"log"
 	"os"
+	"strings"
 )

 func main() {
@@ -26,11 +27,16 @@ func main() {
 	var app = apps.NewAppCmd()
 	app.Version(teaconst.Version)
 	app.Product(teaconst.ProductName)
-	app.Usage(teaconst.ProcessName + " [start|stop|restart|setup|upgrade|service|daemon|issues]")
+	app.Usage(teaconst.ProcessName + " [-h|-v|start|stop|restart|setup|upgrade|service|daemon|issues]")
+
+	// 短版本号
+	app.On("-V", func() {
+		_, _ = os.Stdout.WriteString(teaconst.Version)
+	})
 	app.On("setup", func() {
 		var setupCmd = setup.NewSetupFromCmd()
 		err := setupCmd.Run()
-		result := maps.Map{}
+		var result = maps.Map{}
 		if err != nil {
 			result["isOk"] = false
 			result["error"] = err.Error()
@@ -72,6 +78,14 @@ func main() {
 		}
 		fmt.Println("done")
 	})
+	app.On("reset", func() {
+		err := configs.ResetAPIConfig()
+		if err != nil {
+			fmt.Println("[ERROR]reset failed: " + err.Error())
+			return
+		}
+		fmt.Println("done")
+	})
 	app.On("goman", func() {
 		var sock = gosock.NewTmpSock(teaconst.ProcessName)
 		reply, err := sock.Send(&gosock.Command{Code: "goman"})
@@ -130,7 +144,7 @@ func main() {
 		flagSet.BoolVar(&formatJSON, "json", false, "")
 		_ = flagSet.Parse(os.Args[2:])

-		data, err := ioutil.ReadFile(Tea.LogFile("issues.log"))
+		data, err := os.ReadFile(Tea.LogFile("issues.log"))
 		if err != nil {
 			if formatJSON {
 				fmt.Print("[]")
@@ -175,6 +189,38 @@ func main() {
 			}
 		}
 	})
+	app.On("token", func() {
+		var role = ""
+		if len(os.Args) <= 2 {
+			fmt.Println("require --role parameter")
+			return
+		}
+
+		var set = flag.NewFlagSet("", flag.ExitOnError)
+		set.StringVar(&role, "role", "", "edge-api token --role=[admin|user|api]")
+		_ = set.Parse(os.Args[2:])
+
+		var sock = gosock.NewTmpSock(teaconst.ProcessName)
+		reply, err := sock.Send(&gosock.Command{Code: "lookupToken", Params: map[string]any{
+			"role": role,
+		}})
+		if err != nil {
+			fmt.Println("[ERROR]" + err.Error())
+		} else {
+			var resultMap = maps.NewMap(reply.Params)
+			if resultMap.GetBool("isOk") {
+				var tokens = resultMap.GetSlice("tokens")
+				fmt.Printf("%-35s | %-35s\n", "nodeId", "secret")
+				fmt.Println(strings.Repeat("-", 70))
+				for _, tokenMap := range tokens {
+					var m = maps.NewMap(tokenMap)
+					fmt.Printf("%-35s | %-35s\n", m.GetString("nodeId"), m.GetString("secret"))
+				}
+			} else {
+				fmt.Println("[ERROR]" + resultMap.GetString("err"))
+			}
+		}
+	})

 	app.Run(func() {
 		nodes.NewAPINode().Start()
--- a/cmd/installer-dns-helper/main.go
+++ b/cmd/installer-dns-helper/main.go
@@ -2,7 +2,7 @@ package main

 import (
 	"flag"
-	"github.com/TeaOSLab/EdgeAPI/internal/utils"
+	"github.com/TeaOSLab/EdgeAPI/internal/installers/helpers"
 	"github.com/iwind/gosock/pkg/gosock"
 	"os"
 	"os/exec"
@@ -51,7 +51,7 @@ func main() {
 			return
 		}

-		unzip := utils.NewUnzip(zipPath, targetPath)
+		unzip := helpers.NewUnzip(zipPath, targetPath)
 		err := unzip.Run()
 		if err != nil {
 			stderr("ERROR: " + err.Error())
--- a/cmd/installer-helper/main.go
+++ b/cmd/installer-helper/main.go
@@ -1,8 +1,9 @@
 package main

+// 注意这里的依赖文件应该最小化，从而使编译后的文件最小化
 import (
 	"flag"
-	"github.com/TeaOSLab/EdgeAPI/internal/utils"
+	"github.com/TeaOSLab/EdgeAPI/internal/installers/helpers"
 	"github.com/iwind/gosock/pkg/gosock"
 	"os"
 	"os/exec"
@@ -51,7 +52,7 @@ func main() {
 			return
 		}

-		unzip := utils.NewUnzip(zipPath, targetPath)
+		var unzip = helpers.NewUnzip(zipPath, targetPath)
 		err := unzip.Run()
 		if err != nil {
 			stderr("ERROR: " + err.Error())
--- a/cmd/ip2region/main.go
+++ b/cmd/ip2region/main.go
@@ -1,193 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"github.com/TeaOSLab/EdgeAPI/internal/db/models/regions"
-	"github.com/iwind/TeaGo/Tea"
-	_ "github.com/iwind/TeaGo/bootstrap"
-	"github.com/iwind/TeaGo/dbs"
-	"github.com/iwind/TeaGo/lists"
-	"github.com/iwind/TeaGo/logs"
-	"io/ioutil"
-	"os"
-	"regexp"
-	"strings"
-)
-
-func main() {
-	// 导入数据
-	if lists.ContainsString(os.Args, "import") {
-		dbs.NotifyReady()
-
-		data, err := ioutil.ReadFile(Tea.Root + "/resources/ipdata/ip2region/global_region.csv")
-		if err != nil {
-			logs.Println("[ERROR]" + err.Error())
-			return
-		}
-		if len(data) == 0 {
-			logs.Println("[ERROR]file content should not be empty")
-			return
-		}
-		lines := bytes.Split(data, []byte{'\n'})
-		for _, line := range lines {
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 {
-				continue
-			}
-
-			s := string(line)
-			reg := regexp.MustCompile(`(?U)(\d+),(\d+),(.+),(\d+),`)
-			if !reg.MatchString(s) {
-				continue
-			}
-			result := reg.FindStringSubmatch(s)
-			dataId := result[1]
-			parentDataId := result[2]
-			name := result[3]
-			level := result[4]
-
-			switch level {
-			case "1": // 国家|地区
-				countryId, err := regions.SharedRegionCountryDAO.FindCountryIdWithDataId(nil, dataId)
-				if err != nil {
-					logs.Println("[ERROR]" + err.Error())
-					return
-				}
-				if countryId == 0 {
-					logs.Println("creating country or region ", name)
-					_, err = regions.SharedRegionCountryDAO.CreateCountry(nil, name, dataId)
-					if err != nil {
-						logs.Println("[ERROR]" + err.Error())
-						return
-					}
-				}
-			case "2": // 省份|地区
-				provinceId, err := regions.SharedRegionProvinceDAO.FindProvinceIdWithDataId(nil, dataId)
-				if err != nil {
-					logs.Println("[ERROR]" + err.Error())
-					return
-				}
-				if provinceId == 0 {
-					logs.Println("creating province", name)
-
-					countryId, err := regions.SharedRegionCountryDAO.FindCountryIdWithDataId(nil, parentDataId)
-					if err != nil {
-						logs.Println("[ERROR]" + err.Error())
-						return
-					}
-					if countryId == 0 {
-						logs.Println("[ERROR]can not find country from data id '" + parentDataId + "'")
-						return
-					}
-
-					_, err = regions.SharedRegionProvinceDAO.CreateProvince(nil, countryId, name, dataId)
-					if err != nil {
-						logs.Println("[ERROR]" + err.Error())
-						return
-					}
-				}
-			case "3": // 城市
-				cityId, err := regions.SharedRegionCityDAO.FindCityWithDataId(nil, dataId)
-				if err != nil {
-					logs.Println("[ERROR]" + err.Error())
-					return
-				}
-				if cityId == 0 {
-					logs.Println("creating city", name)
-
-					provinceId, err := regions.SharedRegionProvinceDAO.FindProvinceIdWithDataId(nil, parentDataId)
-					if err != nil {
-						logs.Println("[ERROR]" + err.Error())
-						return
-					}
-					_, err = regions.SharedRegionCityDAO.CreateCity(nil, provinceId, name, dataId)
-					if err != nil {
-						logs.Println("[ERROR]" + err.Error())
-						return
-					}
-				}
-			}
-		}
-
-		logs.Println("done")
-	}
-
-	// 检查数据
-	if lists.ContainsString(os.Args, "check") {
-		dbs.NotifyReady()
-
-		data, err := ioutil.ReadFile(Tea.Root + "/resources/ipdata/ip2region/ip.merge.txt")
-		if err != nil {
-			logs.Println("[ERROR]" + err.Error())
-			return
-		}
-		if len(data) == 0 {
-			logs.Println("[ERROR]file should not be empty")
-			return
-		}
-		lines := bytes.Split(data, []byte("\n"))
-		for index, line := range lines {
-			s := string(bytes.TrimSpace(line))
-			if len(s) == 0 {
-				continue
-			}
-			pieces := strings.Split(s, "|")
-			countryName := pieces[2]
-			provinceName := pieces[4]
-			providerName := pieces[6]
-
-			// 记录provider
-			if len(providerName) > 0 && providerName != "0" {
-				providerId, err := regions.SharedRegionProviderDAO.FindProviderIdWithNameCacheable(nil, providerName)
-				if err != nil {
-					logs.Println("[ERROR]find provider id failed: " + err.Error())
-					return
-				}
-				if providerId == 0 {
-					logs.Println("creating new provider '"+providerName+"' ... ", index, "line")
-					_, err = regions.SharedRegionProviderDAO.CreateProvider(nil, providerName)
-					if err != nil {
-						logs.Println("create new provider failed: " + providerName)
-						return
-					}
-					logs.Println("created new provider '" + providerName + "'")
-					return
-				}
-			}
-
-			if lists.ContainsString([]string{"0", "欧洲", "北美地区", "法国南部领地", "非洲地区", "亚太地区"}, countryName) {
-				continue
-			}
-
-			// 检查国家
-			countryId, err := regions.SharedRegionCountryDAO.FindCountryIdWithNameCacheable(nil, countryName)
-			if err != nil {
-				logs.Println("[ERROR]" + err.Error())
-				return
-			}
-			if countryId == 0 {
-				logs.Println("[ERROR]can not find country '"+countryName+"', index: ", index, "data: "+s)
-				return
-			}
-
-			// 检查省份
-			if countryName == "中国" {
-				if lists.ContainsString([]string{"0"}, provinceName) {
-					continue
-				}
-
-				provinceId, err := regions.SharedRegionProvinceDAO.FindProvinceIdWithNameCacheable(nil, countryId, provinceName)
-				if err != nil {
-					logs.Println("[ERROR]" + err.Error())
-					return
-				}
-				if provinceId == 0 {
-					logs.Println("[ERROR]can not find province '"+provinceName+"', index: ", index, "data: "+s)
-					return
-				}
-			}
-		}
-
-		logs.Println("done")
-	}
-}
--- a/cmd/sql-dump/main.go
+++ b/cmd/sql-dump/main.go
@@ -4,13 +4,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/TeaOSLab/EdgeAPI/internal/setup"
+	"github.com/iwind/TeaGo/Tea"
 	_ "github.com/iwind/TeaGo/bootstrap"
 	"github.com/iwind/TeaGo/dbs"
-	"go/format"
-	"io/ioutil"
 	"os"
 	"path/filepath"
-	"strconv"
 )

 func main() {
@@ -19,58 +17,25 @@ func main() {
 		fmt.Println("[ERROR]" + err.Error())
 		return
 	}
-	results, err := setup.NewSQLDump().Dump(db)
+	results, err := setup.NewSQLDump().Dump(db, true)
 	if err != nil {
 		fmt.Println("[ERROR]" + err.Error())
 		return
 	}
-	resultsJSON, err := json.Marshal(results)
+
+	prettyResultsJSON, err := json.MarshalIndent(results, "", "  ")
 	if err != nil {
 		fmt.Println("[ERROR]" + err.Error())
 		return
 	}
-	dir, _ := os.Getwd()
-	var sqlFile string
-	for i := 0; i < 5; i++ {
-		lookupFile := dir + "/internal/setup/sql.go"
-		_, err = os.Stat(lookupFile)
-		if err != nil {
-			dir = filepath.Dir(dir)
-			continue
-		}
-		sqlFile = lookupFile
-	}

-	if len(sqlFile) == 0 {
-		fmt.Println("[ERROR]can not find sql.go")
-		return
-	}
-	content := []byte(`package setup
-
-import (
-	"encoding/json"
-	"github.com/iwind/TeaGo/logs"
-)
-
-// 最新版本的数据库SQL语句，用来对比并升级已有的数据库
-// 由 sql-dump/main.go 自动生成
-func init() {
-	err := json.Unmarshal([]byte(` + strconv.Quote(string(resultsJSON)) + `), LatestSQLResult)
+	// 写入到 sql.json 中
+	var dir = filepath.Dir(Tea.Root)
+	err = os.WriteFile(dir+"/internal/setup/sql.json", prettyResultsJSON, 0666)
 	if err != nil {
-		logs.Println("[ERROR]load sql failed: " + err.Error())
-	}
-}
-`)
-	dst, err := format.Source(content)
-	if err != nil {
-		fmt.Println("[ERROR]format code failed: " + err.Error())
+		fmt.Println("[ERROR]" + err.Error())
 		return
 	}

-	err = ioutil.WriteFile(sqlFile, dst, 0666)
-	if err != nil {
-		fmt.Println("[ERROR]write file failed: " + err.Error())
-		return
-	}
 	fmt.Println("ok")
 }
--- a/go.mod
+++ b/go.mod
@@ -5,43 +5,67 @@ go 1.18
 replace github.com/TeaOSLab/EdgeCommon => ../EdgeCommon

 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.1.0
 	github.com/TeaOSLab/EdgeCommon v0.0.0-00010101000000-000000000000
-	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1183
+	github.com/aliyun/alibaba-cloud-sdk-go v1.62.587
 	github.com/andybalholm/brotli v1.0.4
-	github.com/cespare/xxhash/v2 v2.1.1
-	github.com/go-acme/lego/v4 v4.5.2
-	github.com/go-sql-driver/mysql v1.5.0
-	github.com/golang/protobuf v1.5.2
-	github.com/iwind/TeaGo v0.0.0-20220408111647-f36b9bba3570
+	github.com/aws/aws-sdk-go v1.40.45
+	github.com/cespare/xxhash v1.1.0
+	github.com/cespare/xxhash/v2 v2.1.2
+	github.com/fsnotify/fsnotify v1.6.0
+	github.com/go-acme/lego/v4 v4.10.2
+	github.com/go-sql-driver/mysql v1.7.0
+	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
+	github.com/iwind/TeaGo v0.0.0-20230704135818-4a5646ab1f5b
 	github.com/iwind/gosock v0.0.0-20220505115348-f88412125a62
+	github.com/miekg/dns v1.1.50
 	github.com/mozillazg/go-pinyin v0.18.0
 	github.com/pkg/sftp v1.12.0
 	github.com/shirou/gopsutil/v3 v3.22.2
-	golang.org/x/crypto v0.0.0-20220214200702-86341886e292
-	golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8
+	github.com/smartwalle/alipay/v3 v3.1.7
+	github.com/volcengine/volc-sdk-golang v1.0.124
+	golang.org/x/crypto v0.14.0
+	golang.org/x/net v0.15.0
+	golang.org/x/sys v0.13.0
 	google.golang.org/grpc v1.45.0
-	google.golang.org/protobuf v1.27.1
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	github.com/cenkalti/backoff/v4 v4.1.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/uuid v1.3.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/fs v0.1.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/miekg/dns v1.1.43 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+	github.com/smartwalle/crypto4go v1.0.2 // indirect
+	github.com/tdewolff/minify/v2 v2.12.7 // indirect
+	github.com/tdewolff/parse/v2 v2.6.6 // indirect
+	github.com/technoweenie/multipartstreamer v1.0.1 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.801 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.801 // indirect
 	github.com/tklauser/go-sysconf v0.3.9 // indirect
 	github.com/tklauser/numcpus v0.3.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/genproto v0.0.0-20220317150908-0efb43f6373e // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/ini.v1 v1.66.6 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/accesslogs/storage_base.go
+++ b/internal/accesslogs/storage_base.go
@@ -1,71 +0,0 @@
-// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
-
-package accesslogs
-
-import (
-	"encoding/json"
-	"fmt"
-	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"strconv"
-	"time"
-)
-
-type BaseStorage struct {
-	isOk         bool
-	version      int
-	firewallOnly bool
-}
-
-func (this *BaseStorage) SetVersion(version int) {
-	this.version = version
-}
-
-func (this *BaseStorage) Version() int {
-	return this.version
-}
-
-func (this *BaseStorage) IsOk() bool {
-	return this.isOk
-}
-
-func (this *BaseStorage) SetOk(isOk bool) {
-	this.isOk = isOk
-}
-
-func (this *BaseStorage) SetFirewallOnly(firewallOnly bool) {
-	this.firewallOnly = firewallOnly
-}
-
-// Marshal 对日志进行编码
-func (this *BaseStorage) Marshal(accessLog *pb.HTTPAccessLog) ([]byte, error) {
-	return json.Marshal(accessLog)
-}
-
-// FormatVariables 格式化字符串中的变量
-func (this *BaseStorage) FormatVariables(s string) string {
-	var now = time.Now()
-	return configutils.ParseVariables(s, func(varName string) (value string) {
-		switch varName {
-		case "year":
-			return strconv.Itoa(now.Year())
-		case "month":
-			return fmt.Sprintf("%02d", now.Month())
-		case "week":
-			_, week := now.ISOWeek()
-			return fmt.Sprintf("%02d", week)
-		case "day":
-			return fmt.Sprintf("%02d", now.Day())
-		case "hour":
-			return fmt.Sprintf("%02d", now.Hour())
-		case "minute":
-			return fmt.Sprintf("%02d", now.Minute())
-		case "second":
-			return fmt.Sprintf("%02d", now.Second())
-		case "date":
-			return fmt.Sprintf("%d%02d%02d", now.Year(), now.Month(), now.Day())
-		}
-
-		return varName
-	})
-}
--- a/internal/accesslogs/storage_command.go
+++ b/internal/accesslogs/storage_command.go
@@ -1,99 +0,0 @@
-package accesslogs
-
-import (
-	"bytes"
-	"errors"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/iwind/TeaGo/logs"
-	"os/exec"
-	"sync"
-)
-
-// CommandStorage 通过命令行存储
-type CommandStorage struct {
-	BaseStorage
-
-	config *serverconfigs.AccessLogCommandStorageConfig
-
-	writeLocker sync.Mutex
-}
-
-func NewCommandStorage(config *serverconfigs.AccessLogCommandStorageConfig) *CommandStorage {
-	return &CommandStorage{config: config}
-}
-
-func (this *CommandStorage) Config() interface{} {
-	return this.config
-}
-
-// Start 启动
-func (this *CommandStorage) Start() error {
-	if len(this.config.Command) == 0 {
-		return errors.New("'command' should not be empty")
-	}
-	return nil
-}
-
-// 写入日志
-func (this *CommandStorage) Write(accessLogs []*pb.HTTPAccessLog) error {
-	if len(accessLogs) == 0 {
-		return nil
-	}
-
-	this.writeLocker.Lock()
-	defer this.writeLocker.Unlock()
-
-	cmd := exec.Command(this.config.Command, this.config.Args...)
-	if len(this.config.Dir) > 0 {
-		cmd.Dir = this.config.Dir
-	}
-
-	stdout := bytes.NewBuffer([]byte{})
-	cmd.Stdout = stdout
-
-	w, err := cmd.StdinPipe()
-	if err != nil {
-		return err
-	}
-	err = cmd.Start()
-	if err != nil {
-		return err
-	}
-	for _, accessLog := range accessLogs {
-		if this.firewallOnly && accessLog.FirewallPolicyId == 0 {
-			continue
-		}
-
-		data, err := this.Marshal(accessLog)
-		if err != nil {
-			logs.Error(err)
-			continue
-		}
-		_, err = w.Write(data)
-		if err != nil {
-			logs.Error(err)
-		}
-
-		_, err = w.Write([]byte("\n"))
-		if err != nil {
-			logs.Error(err)
-		}
-	}
-	_ = w.Close()
-	err = cmd.Wait()
-	if err != nil {
-		logs.Error(err)
-
-		if stdout.Len() > 0 {
-			logs.Error(errors.New(string(stdout.Bytes())))
-		}
-	}
-
-	return nil
-}
-
-// Close 关闭
-func (this *CommandStorage) Close() error {
-	return nil
-}
--- a/internal/accesslogs/storage_command_test.go
+++ b/internal/accesslogs/storage_command_test.go
@@ -1,63 +0,0 @@
-package accesslogs
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"os"
-	"os/exec"
-	"testing"
-	"time"
-)
-
-func TestCommandStorage_Write(t *testing.T) {
-	php, err := exec.LookPath("php")
-	if err != nil { // not found php, so we can not test
-		t.Log("php:", err)
-		return
-	}
-
-	cwd, err := os.Getwd()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	before := time.Now()
-
-	storage := NewCommandStorage(&serverconfigs.AccessLogCommandStorageConfig{
-		Command: php,
-		Args:    []string{cwd + "/tests/command_storage.php"},
-	})
-	err = storage.Start()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = storage.Write([]*pb.HTTPAccessLog{
-		{
-			RequestMethod: "GET",
-			RequestPath:   "/hello",
-		},
-		{
-			RequestMethod: "GET",
-			RequestPath:   "/world",
-		},
-		{
-			RequestMethod: "GET",
-			RequestPath:   "/lu",
-		},
-		{
-			RequestMethod: "GET",
-			RequestPath:   "/ping",
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = storage.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Log(time.Since(before).Seconds(), "seconds")
-}
--- a/internal/accesslogs/storage_es.go
+++ b/internal/accesslogs/storage_es.go
@@ -1,131 +0,0 @@
-package accesslogs
-
-import (
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
-	"github.com/TeaOSLab/EdgeAPI/internal/remotelogs"
-	"github.com/TeaOSLab/EdgeAPI/internal/utils"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"io/ioutil"
-	"net/http"
-	"regexp"
-	"strings"
-	"time"
-)
-
-// ESStorage ElasticSearch存储策略
-type ESStorage struct {
-	BaseStorage
-
-	config *serverconfigs.AccessLogESStorageConfig
-}
-
-func NewESStorage(config *serverconfigs.AccessLogESStorageConfig) *ESStorage {
-	return &ESStorage{config: config}
-}
-
-func (this *ESStorage) Config() interface{} {
-	return this.config
-}
-
-// Start 开启
-func (this *ESStorage) Start() error {
-	if len(this.config.Endpoint) == 0 {
-		return errors.New("'endpoint' should not be nil")
-	}
-	if !regexp.MustCompile(`(?i)^(http|https)://`).MatchString(this.config.Endpoint) {
-		this.config.Endpoint = "http://" + this.config.Endpoint
-	}
-	if len(this.config.Index) == 0 {
-		return errors.New("'index' should not be nil")
-	}
-	if len(this.config.MappingType) == 0 {
-		return errors.New("'mappingType' should not be nil")
-	}
-	return nil
-}
-
-// 写入日志
-func (this *ESStorage) Write(accessLogs []*pb.HTTPAccessLog) error {
-	if len(accessLogs) == 0 {
-		return nil
-	}
-
-	bulk := &strings.Builder{}
-	indexName := this.FormatVariables(this.config.Index)
-	typeName := this.FormatVariables(this.config.MappingType)
-	for _, accessLog := range accessLogs {
-		if this.firewallOnly && accessLog.FirewallPolicyId == 0 {
-			continue
-		}
-
-		if len(accessLog.RequestId) == 0 {
-			continue
-		}
-
-		opData, err := json.Marshal(map[string]interface{}{
-			"index": map[string]interface{}{
-				"_index": indexName,
-				"_type":  typeName,
-				"_id":    accessLog.RequestId,
-			},
-		})
-		if err != nil {
-			remotelogs.Error("ACCESS_LOG_ES_STORAGE", "write failed: "+err.Error())
-			continue
-		}
-
-		data, err := this.Marshal(accessLog)
-		if err != nil {
-			remotelogs.Error("ACCESS_LOG_ES_STORAGE", "marshal data failed: "+err.Error())
-			continue
-		}
-
-		bulk.Write(opData)
-		bulk.WriteString("\n")
-		bulk.Write(data)
-		bulk.WriteString("\n")
-	}
-
-	if bulk.Len() == 0 {
-		return nil
-	}
-
-	req, err := http.NewRequest(http.MethodPost, this.config.Endpoint+"/_bulk", strings.NewReader(bulk.String()))
-	if err != nil {
-		return err
-	}
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("User-Agent", strings.ReplaceAll(teaconst.ProductName, " ", "-")+"/"+teaconst.Version)
-	if len(this.config.Username) > 0 || len(this.config.Password) > 0 {
-		req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(this.config.Username+":"+this.config.Password)))
-	}
-	client := utils.SharedHttpClient(10 * time.Second)
-	defer func() {
-		_ = req.Body.Close()
-	}()
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		_ = resp.Body.Close()
-	}()
-
-	if resp.StatusCode != http.StatusOK {
-		bodyData, _ := ioutil.ReadAll(resp.Body)
-		return errors.New("ElasticSearch response status code: " + fmt.Sprintf("%d", resp.StatusCode) + " content: " + string(bodyData))
-	}
-
-	return nil
-}
-
-// Close 关闭
-func (this *ESStorage) Close() error {
-	return nil
-}
--- a/internal/accesslogs/storage_es_test.go
+++ b/internal/accesslogs/storage_es_test.go
@@ -1,53 +0,0 @@
-package accesslogs
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"testing"
-	"time"
-)
-
-func TestESStorage_Write(t *testing.T) {
-	storage := NewESStorage(&serverconfigs.AccessLogESStorageConfig{
-		Endpoint:    "http://127.0.0.1:9200",
-		Index:       "logs",
-		MappingType: "accessLogs",
-		Username:    "hello",
-		Password:    "world",
-	})
-	err := storage.Start()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	{
-		err = storage.Write([]*pb.HTTPAccessLog{
-			{
-				RequestMethod: "POST",
-				RequestPath:   "/1",
-				TimeLocal:     time.Now().Format("2/Jan/2006:15:04:05 -0700"),
-				TimeISO8601:   "2018-07-23T22:23:35+08:00",
-				Header: map[string]*pb.Strings{
-					"Content-Type": {Values: []string{"text/html"}},
-				},
-			},
-			{
-				RequestMethod: "GET",
-				RequestPath:   "/2",
-				TimeLocal:     time.Now().Format("2/Jan/2006:15:04:05 -0700"),
-				TimeISO8601:   "2018-07-23T22:23:35+08:00",
-				Header: map[string]*pb.Strings{
-					"Content-Type": {Values: []string{"text/css"}},
-				},
-			},
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	err = storage.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-}
--- a/internal/accesslogs/storage_file.go
+++ b/internal/accesslogs/storage_file.go
@@ -1,130 +0,0 @@
-package accesslogs
-
-import (
-	"errors"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/iwind/TeaGo/logs"
-	"os"
-	"path/filepath"
-	"sync"
-)
-
-// FileStorage 文件存储策略
-type FileStorage struct {
-	BaseStorage
-
-	config *serverconfigs.AccessLogFileStorageConfig
-
-	writeLocker sync.Mutex
-
-	files       map[string]*os.File // path => *File
-	filesLocker sync.Mutex
-}
-
-func NewFileStorage(config *serverconfigs.AccessLogFileStorageConfig) *FileStorage {
-	return &FileStorage{
-		config: config,
-	}
-}
-
-func (this *FileStorage) Config() interface{} {
-	return this.config
-}
-
-// Start 开启
-func (this *FileStorage) Start() error {
-	if len(this.config.Path) == 0 {
-		return errors.New("'path' should not be empty")
-	}
-
-	this.files = map[string]*os.File{}
-
-	return nil
-}
-
-// Write 写入日志
-func (this *FileStorage) Write(accessLogs []*pb.HTTPAccessLog) error {
-	if len(accessLogs) == 0 {
-		return nil
-	}
-
-	fp := this.fp()
-	if fp == nil {
-		return errors.New("file pointer should not be nil")
-	}
-	this.writeLocker.Lock()
-	defer this.writeLocker.Unlock()
-
-	for _, accessLog := range accessLogs {
-		if this.firewallOnly && accessLog.FirewallPolicyId == 0 {
-			continue
-		}
-		data, err := this.Marshal(accessLog)
-		if err != nil {
-			logs.Error(err)
-			continue
-		}
-		_, err = fp.Write(data)
-		if err != nil {
-			_ = this.Close()
-			break
-		}
-		_, _ = fp.WriteString("\n")
-	}
-	return nil
-}
-
-// Close 关闭
-func (this *FileStorage) Close() error {
-	this.filesLocker.Lock()
-	defer this.filesLocker.Unlock()
-
-	var resultErr error
-	for _, f := range this.files {
-		err := f.Close()
-		if err != nil {
-			resultErr = err
-		}
-	}
-	return resultErr
-}
-
-func (this *FileStorage) fp() *os.File {
-	path := this.FormatVariables(this.config.Path)
-
-	this.filesLocker.Lock()
-	defer this.filesLocker.Unlock()
-	fp, ok := this.files[path]
-	if ok {
-		return fp
-	}
-
-	// 关闭其他的文件
-	for _, f := range this.files {
-		_ = f.Close()
-	}
-
-	// 是否创建文件目录
-	if this.config.AutoCreate {
-		dir := filepath.Dir(path)
-		_, err := os.Stat(dir)
-		if os.IsNotExist(err) {
-			err = os.MkdirAll(dir, 0777)
-			if err != nil {
-				logs.Error(err)
-				return nil
-			}
-		}
-	}
-
-	// 打开新文件
-	fp, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
-	if err != nil {
-		logs.Error(err)
-		return nil
-	}
-	this.files[path] = fp
-
-	return fp
-}
--- a/internal/accesslogs/storage_file_test.go
+++ b/internal/accesslogs/storage_file_test.go
@@ -1,70 +0,0 @@
-package accesslogs
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/iwind/TeaGo/Tea"
-	"testing"
-	"time"
-)
-
-func TestFileStorage_Write(t *testing.T) {
-	storage := NewFileStorage(&serverconfigs.AccessLogFileStorageConfig{
-		Path: Tea.Root + "/logs/access-${date}.log",
-	})
-	err := storage.Start()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	{
-		err = storage.Write([]*pb.HTTPAccessLog{
-			{
-				RequestPath: "/hello",
-			},
-			{
-				RequestPath: "/world",
-			},
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	{
-		err = storage.Write([]*pb.HTTPAccessLog{
-			{
-				RequestPath: "/1",
-			},
-			{
-				RequestPath: "/2",
-			},
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	{
-		err = storage.Write([]*pb.HTTPAccessLog{
-			{
-				RequestMethod: "POST",
-				RequestPath:   "/1",
-				TimeLocal:     time.Now().Format("2/Jan/2006:15:04:05 -0700"),
-			},
-			{
-				RequestMethod: "GET",
-				RequestPath:   "/2",
-				TimeLocal:     time.Now().Format("2/Jan/2006:15:04:05 -0700"),
-			},
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	err = storage.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-}
--- a/internal/accesslogs/storage_interface.go
+++ b/internal/accesslogs/storage_interface.go
@@ -1,33 +0,0 @@
-// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
-
-package accesslogs
-
-import "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-
-// StorageInterface 日志存储接口
-type StorageInterface interface {
-	// Version 获取版本
-	Version() int
-
-	// SetVersion 设置版本
-	SetVersion(version int)
-
-	// SetFirewallOnly 设置是否只处理防火墙相关的访问日志
-	SetFirewallOnly(firewallOnly bool)
-
-	IsOk() bool
-
-	SetOk(ok bool)
-
-	// Config 获取配置
-	Config() interface{}
-
-	// Start 开启
-	Start() error
-
-	// Write 写入日志
-	Write(accessLogs []*pb.HTTPAccessLog) error
-
-	// Close 关闭
-	Close() error
-}
--- a/internal/accesslogs/storage_manager.go
+++ b/internal/accesslogs/storage_manager.go
@@ -1,185 +0,0 @@
-// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
-
-package accesslogs
-
-import (
-	"encoding/json"
-	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
-	"github.com/TeaOSLab/EdgeAPI/internal/errors"
-	"github.com/TeaOSLab/EdgeAPI/internal/remotelogs"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/iwind/TeaGo/Tea"
-	"github.com/iwind/TeaGo/lists"
-	"github.com/iwind/TeaGo/types"
-	"sync"
-	"time"
-)
-
-var SharedStorageManager = NewStorageManager()
-
-type StorageManager struct {
-	storageMap map[int64]StorageInterface // policyId => Storage
-
-	locker sync.Mutex
-}
-
-func NewStorageManager() *StorageManager {
-	return &StorageManager{
-		storageMap: map[int64]StorageInterface{},
-	}
-}
-
-func (this *StorageManager) Start() {
-	var ticker = time.NewTicker(1 * time.Minute)
-	if Tea.IsTesting() {
-		ticker = time.NewTicker(5 * time.Second)
-	}
-
-	// 启动时执行一次
-	var err = this.Loop()
-	if err != nil {
-		remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "update error: "+err.Error())
-	}
-
-	// 循环执行
-	for range ticker.C {
-		err := this.Loop()
-		if err != nil {
-			remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "update error: "+err.Error())
-		}
-	}
-}
-
-// Loop 更新
-func (this *StorageManager) Loop() error {
-	policies, err := models.SharedHTTPAccessLogPolicyDAO.FindAllEnabledAndOnPolicies(nil)
-	if err != nil {
-		return err
-	}
-	var policyIds = []int64{}
-	for _, policy := range policies {
-		if policy.IsOn {
-			policyIds = append(policyIds, int64(policy.Id))
-		}
-	}
-
-	this.locker.Lock()
-	defer this.locker.Unlock()
-
-	// 关闭不用的
-	for policyId, storage := range this.storageMap {
-		if !lists.ContainsInt64(policyIds, policyId) {
-			err := storage.Close()
-			if err != nil {
-				remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "close '"+types.String(policyId)+"' failed: "+err.Error())
-			}
-			delete(this.storageMap, policyId)
-			remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "remove '"+types.String(policyId)+"'")
-		}
-	}
-
-	for _, policy := range policies {
-		var policyId = int64(policy.Id)
-		storage, ok := this.storageMap[policyId]
-		if ok {
-			// 检查配置是否有变更
-			if types.Int(policy.Version) != storage.Version() {
-				err = storage.Close()
-				if err != nil {
-					remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "close policy '"+types.String(policyId)+"' failed: "+err.Error())
-
-					// 继续往下执行
-				}
-
-				if len(policy.Options) > 0 {
-					err = json.Unmarshal(policy.Options, storage.Config())
-					if err != nil {
-						remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "unmarshal policy '"+types.String(policyId)+"' config failed: "+err.Error())
-						storage.SetOk(false)
-						continue
-					}
-				}
-
-				storage.SetVersion(types.Int(policy.Version))
-				storage.SetFirewallOnly(policy.FirewallOnly == 1)
-				err := storage.Start()
-				if err != nil {
-					remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "start policy '"+types.String(policyId)+"' failed: "+err.Error())
-					continue
-				}
-				storage.SetOk(true)
-				remotelogs.Println("ACCESS_LOG_STORAGE_MANAGER", "restart policy '"+types.String(policyId)+"'")
-			}
-		} else {
-			storage, err := this.createStorage(policy.Type, policy.Options)
-			if err != nil {
-				remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "create policy '"+types.String(policyId)+"' failed: "+err.Error())
-				continue
-			}
-			storage.SetVersion(types.Int(policy.Version))
-			storage.SetFirewallOnly(policy.FirewallOnly == 1)
-			this.storageMap[policyId] = storage
-			err = storage.Start()
-			if err != nil {
-				remotelogs.Error("ACCESS_LOG_STORAGE_MANAGER", "start policy '"+types.String(policyId)+"' failed: "+err.Error())
-				continue
-			}
-			storage.SetOk(true)
-			remotelogs.Println("ACCESS_LOG_STORAGE_MANAGER", "start policy '"+types.String(policyId)+"'")
-		}
-	}
-
-	return nil
-}
-
-func (this *StorageManager) createStorage(storageType string, optionsJSON []byte) (StorageInterface, error) {
-	switch storageType {
-	case serverconfigs.AccessLogStorageTypeFile:
-		var config = &serverconfigs.AccessLogFileStorageConfig{}
-		if len(optionsJSON) > 0 {
-			err := json.Unmarshal(optionsJSON, config)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return NewFileStorage(config), nil
-	case serverconfigs.AccessLogStorageTypeES:
-		var config = &serverconfigs.AccessLogESStorageConfig{}
-		if len(optionsJSON) > 0 {
-			err := json.Unmarshal(optionsJSON, config)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return NewESStorage(config), nil
-	case serverconfigs.AccessLogStorageTypeTCP:
-		var config = &serverconfigs.AccessLogTCPStorageConfig{}
-		if len(optionsJSON) > 0 {
-			err := json.Unmarshal(optionsJSON, config)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return NewTCPStorage(config), nil
-	case serverconfigs.AccessLogStorageTypeSyslog:
-		var config = &serverconfigs.AccessLogSyslogStorageConfig{}
-		if len(optionsJSON) > 0 {
-			err := json.Unmarshal(optionsJSON, config)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return NewSyslogStorage(config), nil
-	case serverconfigs.AccessLogStorageTypeCommand:
-		var config = &serverconfigs.AccessLogCommandStorageConfig{}
-		if len(optionsJSON) > 0 {
-			err := json.Unmarshal(optionsJSON, config)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return NewCommandStorage(config), nil
-	}
-
-	return nil, errors.New("invalid policy type '" + storageType + "'")
-}
--- a/internal/accesslogs/storage_manager_test.go
+++ b/internal/accesslogs/storage_manager_test.go
@@ -1,17 +0,0 @@
-package accesslogs
-
-import (
-	"github.com/iwind/TeaGo/dbs"
-	"testing"
-)
-
-func TestStorageManager_Loop(t *testing.T) {
-	dbs.NotifyReady()
-
-	var storage = NewStorageManager()
-	err := storage.Loop()
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Log(storage.storageMap)
-}
--- a/internal/accesslogs/storage_manager_write.go
+++ b/internal/accesslogs/storage_manager_write.go
@@ -1,15 +0,0 @@
-// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
-
-//go:build !plus
-// +build !plus
-
-package accesslogs
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-)
-
-// 写入日志
-func (this *StorageManager) Write(policyId int64, accessLogs []*pb.HTTPAccessLog) error {
-	return nil
-}
--- a/internal/accesslogs/storage_syslog.go
+++ b/internal/accesslogs/storage_syslog.go
@@ -1,146 +0,0 @@
-package accesslogs
-
-import (
-	"bytes"
-	"errors"
-	"github.com/TeaOSLab/EdgeAPI/internal/remotelogs"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/iwind/TeaGo/logs"
-	"os/exec"
-	"runtime"
-	"strconv"
-)
-
-type SyslogStorageProtocol = string
-
-const (
-	SyslogStorageProtocolTCP    SyslogStorageProtocol = "tcp"
-	SyslogStorageProtocolUDP    SyslogStorageProtocol = "udp"
-	SyslogStorageProtocolNone   SyslogStorageProtocol = "none"
-	SyslogStorageProtocolSocket SyslogStorageProtocol = "socket"
-)
-
-type SyslogStoragePriority = int
-
-// SyslogStorage syslog存储策略
-type SyslogStorage struct {
-	BaseStorage
-
-	config *serverconfigs.AccessLogSyslogStorageConfig
-
-	exe string
-}
-
-func NewSyslogStorage(config *serverconfigs.AccessLogSyslogStorageConfig) *SyslogStorage {
-	return &SyslogStorage{config: config}
-}
-
-func (this *SyslogStorage) Config() interface{} {
-	return this.config
-}
-
-// Start 开启
-func (this *SyslogStorage) Start() error {
-	if runtime.GOOS != "linux" {
-		return errors.New("'syslog' storage only works on linux")
-	}
-
-	exe, err := exec.LookPath("logger")
-	if err != nil {
-		return err
-	}
-
-	this.exe = exe
-
-	return nil
-}
-
-// 写入日志
-func (this *SyslogStorage) Write(accessLogs []*pb.HTTPAccessLog) error {
-	if len(accessLogs) == 0 {
-		return nil
-	}
-
-	args := []string{}
-	if len(this.config.Tag) > 0 {
-		args = append(args, "-t", this.config.Tag)
-	}
-
-	if this.config.Priority >= 0 {
-		args = append(args, "-p", strconv.Itoa(this.config.Priority))
-	}
-
-	switch this.config.Protocol {
-	case SyslogStorageProtocolTCP:
-		args = append(args, "-T")
-		if len(this.config.ServerAddr) > 0 {
-			args = append(args, "-n", this.config.ServerAddr)
-		}
-		if this.config.ServerPort > 0 {
-			args = append(args, "-P", strconv.Itoa(this.config.ServerPort))
-		}
-	case SyslogStorageProtocolUDP:
-		args = append(args, "-d")
-		if len(this.config.ServerAddr) > 0 {
-			args = append(args, "-n", this.config.ServerAddr)
-		}
-		if this.config.ServerPort > 0 {
-			args = append(args, "-P", strconv.Itoa(this.config.ServerPort))
-		}
-	case SyslogStorageProtocolSocket:
-		args = append(args, "-u")
-		args = append(args, this.config.Socket)
-	case SyslogStorageProtocolNone:
-		// do nothing
-	}
-
-	args = append(args, "-S", "10240")
-
-	var cmd = exec.Command(this.exe, args...)
-	var stderrBuffer = &bytes.Buffer{}
-	cmd.Stderr = stderrBuffer
-
-	w, err := cmd.StdinPipe()
-	if err != nil {
-		return err
-	}
-	err = cmd.Start()
-	if err != nil {
-		return err
-	}
-
-	for _, accessLog := range accessLogs {
-		if this.firewallOnly && accessLog.FirewallPolicyId == 0 {
-			continue
-		}
-		data, err := this.Marshal(accessLog)
-		if err != nil {
-			remotelogs.Error("ACCESS_LOG_POLICY_SYSLOG", "marshal accesslog failed: "+err.Error())
-			continue
-		}
-		_, err = w.Write(data)
-		if err != nil {
-			logs.Error(err)
-		}
-
-		_, err = w.Write([]byte("\n"))
-		if err != nil {
-			remotelogs.Error("ACCESS_LOG_POLICY_SYSLOG", "write accesslog failed: "+err.Error())
-		}
-	}
-
-	_ = w.Close()
-
-	err = cmd.Wait()
-	if err != nil {
-		return errors.New("send syslog failed: " + err.Error() + ", stderr: " + stderrBuffer.String())
-	}
-
-	return nil
-}
-
-// Close 关闭
-func (this *SyslogStorage) Close() error {
-	return nil
-}
--- a/internal/accesslogs/storage_tcp.go
+++ b/internal/accesslogs/storage_tcp.go
@@ -1,114 +0,0 @@
-package accesslogs
-
-import (
-	"errors"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/iwind/TeaGo/logs"
-	"net"
-	"sync"
-)
-
-// TCPStorage TCP存储策略
-type TCPStorage struct {
-	BaseStorage
-
-	config *serverconfigs.AccessLogTCPStorageConfig
-
-	writeLocker sync.Mutex
-
-	connLocker sync.Mutex
-	conn       net.Conn
-}
-
-func NewTCPStorage(config *serverconfigs.AccessLogTCPStorageConfig) *TCPStorage {
-	return &TCPStorage{config: config}
-}
-
-func (this *TCPStorage) Config() interface{} {
-	return this.config
-}
-
-// Start 开启
-func (this *TCPStorage) Start() error {
-	if len(this.config.Network) == 0 {
-		return errors.New("'network' should not be empty")
-	}
-	if len(this.config.Addr) == 0 {
-		return errors.New("'addr' should not be empty")
-	}
-	return nil
-}
-
-// 写入日志
-func (this *TCPStorage) Write(accessLogs []*pb.HTTPAccessLog) error {
-	if len(accessLogs) == 0 {
-		return nil
-	}
-
-	err := this.connect()
-	if err != nil {
-		return err
-	}
-
-	conn := this.conn
-	if conn == nil {
-		return errors.New("connection should not be nil")
-	}
-
-	this.writeLocker.Lock()
-	defer this.writeLocker.Unlock()
-
-	for _, accessLog := range accessLogs {
-		if this.firewallOnly && accessLog.FirewallPolicyId == 0 {
-			continue
-		}
-		data, err := this.Marshal(accessLog)
-		if err != nil {
-			logs.Error(err)
-			continue
-		}
-		_, err = conn.Write(data)
-		if err != nil {
-			_ = this.Close()
-			break
-		}
-		_, err = conn.Write([]byte("\n"))
-		if err != nil {
-			_ = this.Close()
-			break
-		}
-	}
-
-	return nil
-}
-
-// Close 关闭
-func (this *TCPStorage) Close() error {
-	this.connLocker.Lock()
-	defer this.connLocker.Unlock()
-
-	if this.conn != nil {
-		err := this.conn.Close()
-		this.conn = nil
-		return err
-	}
-	return nil
-}
-
-func (this *TCPStorage) connect() error {
-	this.connLocker.Lock()
-	defer this.connLocker.Unlock()
-
-	if this.conn != nil {
-		return nil
-	}
-
-	conn, err := net.Dial(this.config.Network, this.config.Addr)
-	if err != nil {
-		return err
-	}
-	this.conn = conn
-
-	return nil
-}
--- a/internal/accesslogs/storage_tcp_test.go
+++ b/internal/accesslogs/storage_tcp_test.go
@@ -1,72 +0,0 @@
-package accesslogs
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"net"
-	"testing"
-	"time"
-)
-
-func TestTCPStorage_Write(t *testing.T) {
-	go func() {
-		server, err := net.Listen("tcp", "127.0.0.1:9981")
-		if err != nil {
-			t.Error(err)
-			return
-		}
-		for {
-			conn, err := server.Accept()
-			if err != nil {
-				break
-			}
-
-			buf := make([]byte, 1024)
-			for {
-				n, err := conn.Read(buf)
-				if n > 0 {
-					t.Log(string(buf[:n]))
-				}
-				if err != nil {
-					break
-				}
-			}
-			break
-		}
-		_ = server.Close()
-	}()
-
-	storage := NewTCPStorage(&serverconfigs.AccessLogTCPStorageConfig{
-		Network: "tcp",
-		Addr:    "127.0.0.1:9981",
-	})
-	err := storage.Start()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	{
-		err = storage.Write([]*pb.HTTPAccessLog{
-			{
-				RequestMethod: "POST",
-				RequestPath:   "/1",
-				TimeLocal:     time.Now().Format("2/Jan/2006:15:04:05 -0700"),
-			},
-			{
-				RequestMethod: "GET",
-				RequestPath:   "/2",
-				TimeLocal:     time.Now().Format("2/Jan/2006:15:04:05 -0700"),
-			},
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	time.Sleep(2 * time.Second)
-
-	err = storage.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-}
--- a/internal/accesslogs/tests/command_storage.php
+++ b/internal/accesslogs/tests/command_storage.php
@@ -1,24 +0,0 @@
-<?php
-
-// test command storage
-
-// open access log file
-$fp = fopen("/tmp/goedge-command-storage.log", "a+");
-
-// read access logs from stdin
-$stdin = fopen("php://stdin", "r");
-while(true) {
-    if (feof($stdin)) {
-        break;
-    }
-    $line = fgets($stdin);
-
-    // write to access log file
-    fwrite($fp, $line);
-}
-
-// close file pointers
-fclose($fp);
-fclose($stdin);
-
-?>
--- a/internal/acme/acme_test.go
+++ b/internal/acme/acme_test.go
@@ -10,7 +10,7 @@ import (
 	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/go-acme/lego/v4/lego"
 	acmelog "github.com/go-acme/lego/v4/log"
-	"io/ioutil"
+	"io"
 	"log"
 	"testing"

@@ -50,7 +50,7 @@ func (this *MyProvider) CleanUp(domain, token, keyAuth string) error {

 // 参考  https://go-acme.github.io/lego/usage/library/
 func TestGenerate(t *testing.T) {
-	acmelog.Logger = log.New(ioutil.Discard, "", log.LstdFlags)
+	acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)

 	// 生成私钥
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
@@ -94,7 +94,7 @@ func TestGenerate(t *testing.T) {
 }

 func TestGenerate_EAB(t *testing.T) {
-	acmelog.Logger = log.New(ioutil.Discard, "", log.LstdFlags)
+	acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)

 	// 生成私钥
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
@@ -130,6 +130,9 @@ func TestGenerate_EAB(t *testing.T) {
 	} else {
 		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 	}
+	if err != nil {
+		t.Fatal(err)
+	}
 	myUser.Registration = reg

 	request := certificate.ObtainRequest{
--- a/internal/acme/dns_provider.go
+++ b/internal/acme/dns_provider.go
@@ -1,16 +1,23 @@
 package acme

 import (
+	"fmt"
 	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
 	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients/dnstypes"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/iwind/TeaGo/lists"
+	"os"
 	"strings"
+	"sync"
 )

 type DNSProvider struct {
 	raw       dnsclients.ProviderInterface
 	dnsDomain string
+
+	locker             sync.Mutex
+	deletedRecordNames []string
 }

 func NewDNSProvider(raw dnsclients.ProviderInterface, dnsDomain string) *DNSProvider {
@@ -21,39 +28,47 @@ func NewDNSProvider(raw dnsclients.ProviderInterface, dnsDomain string) *DNSProv
 }

 func (this *DNSProvider) Present(domain, token, keyAuth string) error {
+	_ = os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", "true")
 	fqdn, value := dns01.GetRecord(domain, keyAuth)

 	// 设置记录
-	index := strings.Index(fqdn, "."+this.dnsDomain)
+	var index = strings.Index(fqdn, "."+this.dnsDomain)
 	if index < 0 {
 		return errors.New("invalid fqdn value")
 	}
-	recordName := fqdn[:index]
-	record, err := this.raw.QueryRecord(this.dnsDomain, recordName, dnstypes.RecordTypeTXT)
-	if err != nil {
-		return errors.New("query DNS record failed: " + err.Error())
+	var recordName = fqdn[:index]
+
+	// 先删除老的
+	this.locker.Lock()
+	var wasDeleted = lists.ContainsString(this.deletedRecordNames, recordName)
+	this.locker.Unlock()
+
+	if !wasDeleted {
+		records, err := this.raw.QueryRecords(this.dnsDomain, recordName, dnstypes.RecordTypeTXT)
+		if err != nil {
+			return fmt.Errorf("query DNS record failed: %w", err)
+		}
+		for _, record := range records {
+			err = this.raw.DeleteRecord(this.dnsDomain, record)
+			if err != nil {
+				return err
+			}
+		}
+		this.locker.Lock()
+		this.deletedRecordNames = append(this.deletedRecordNames, recordName)
+		this.locker.Unlock()
 	}
-	if record == nil {
-		err = this.raw.AddRecord(this.dnsDomain, &dnstypes.Record{
-			Id:    "",
-			Name:  recordName,
-			Type:  dnstypes.RecordTypeTXT,
-			Value: value,
-			Route: this.raw.DefaultRoute(),
-		})
-		if err != nil {
-			return errors.New("create DNS record failed: " + err.Error())
-		}
-	} else {
-		err = this.raw.UpdateRecord(this.dnsDomain, record, &dnstypes.Record{
-			Name:  recordName,
-			Type:  dnstypes.RecordTypeTXT,
-			Value: value,
-			Route: this.raw.DefaultRoute(),
-		})
-		if err != nil {
-			return errors.New("update DNS record failed: " + err.Error())
-		}
+
+	// 添加新的
+	err := this.raw.AddRecord(this.dnsDomain, &dnstypes.Record{
+		Id:    "",
+		Name:  recordName,
+		Type:  dnstypes.RecordTypeTXT,
+		Value: value,
+		Route: this.raw.DefaultRoute(),
+	})
+	if err != nil {
+		return fmt.Errorf("create DNS record failed: %w", err)
 	}

 	return nil
--- a/internal/acme/providers.go
+++ b/internal/acme/providers.go
@@ -9,30 +9,11 @@ type Provider struct {
 	Code           string `json:"code"`
 	Description    string `json:"description"`
 	APIURL         string `json:"apiURL"`
+	TestAPIURL     string `json:"testAPIURL"`
 	RequireEAB     bool   `json:"requireEAB"`
 	EABDescription string `json:"eabDescription"`
 }

-func FindAllProviders() []*Provider {
-	return []*Provider{
-		{
-			Name:        "Let's Encrypt",
-			Code:        DefaultProviderCode,
-			Description: "非盈利组织Let's Encrypt提供的免费证书。",
-			APIURL:      "https://acme-v02.api.letsencrypt.org/directory",
-			RequireEAB:  false,
-		},
-		{
-			Name:           "ZeroSSL",
-			Code:           "zerossl",
-			Description:    "相关文档 <a href=\"https://zerossl.com/documentation/acme/\" target=\"_blank\">https://zerossl.com/documentation/acme/</a>。",
-			APIURL:         "https://acme.zerossl.com/v2/DV90",
-			RequireEAB:     true,
-			EABDescription: "在官网<a href=\"https://app.zerossl.com/developer\" target=\"_blank\">[Developer]</a>页面底部点击\"Generate\"按钮生成。",
-		},
-	}
-}
-
 func FindProviderWithCode(code string) *Provider {
 	for _, provider := range FindAllProviders() {
 		if provider.Code == code {
--- a/internal/acme/providers_ext.go
+++ b/internal/acme/providers_ext.go
@@ -0,0 +1,24 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package acme
+
+func FindAllProviders() []*Provider {
+	return []*Provider{
+		{
+			Name:        "Let's Encrypt",
+			Code:        DefaultProviderCode,
+			Description: "非盈利组织Let's Encrypt提供的免费证书。",
+			APIURL:      "https://acme-v02.api.letsencrypt.org/directory",
+			RequireEAB:  false,
+		},
+		{
+			Name:           "ZeroSSL",
+			Code:           "zerossl",
+			Description:    "相关文档 <a href=\"https://zerossl.com/documentation/acme/\" target=\"_blank\">https://zerossl.com/documentation/acme/</a>。",
+			APIURL:         "https://acme.zerossl.com/v2/DV90",
+			RequireEAB:     true,
+			EABDescription: "在官网<a href=\"https://app.zerossl.com/developer\" target=\"_blank\">[Developer]</a>页面底部点击\"Generate\"按钮生成。",
+		},
+	}
+}
--- a/internal/acme/request.go
+++ b/internal/acme/request.go
@@ -1,6 +1,7 @@
 package acme

 import (
+	"fmt"
 	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	"github.com/go-acme/lego/v4/certcrypto"
@@ -8,7 +9,8 @@ import (
 	"github.com/go-acme/lego/v4/lego"
 	acmelog "github.com/go-acme/lego/v4/log"
 	"github.com/go-acme/lego/v4/registration"
-	"io/ioutil"
+	"github.com/iwind/TeaGo/Tea"
+	"io"
 	"log"
 )

@@ -40,6 +42,7 @@ func (this *Request) Run() (certData []byte, keyData []byte, err error) {
 	}
 	if this.task.Provider.RequireEAB && this.task.Account == nil {
 		err = errors.New("account should not be nil when provider require EAB")
+		return
 	}

 	switch this.task.AuthType {
@@ -55,7 +58,9 @@ func (this *Request) Run() (certData []byte, keyData []byte, err error) {

 func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {
 	if !this.debug {
-		acmelog.Logger = log.New(ioutil.Discard, "", log.LstdFlags)
+		if !Tea.IsTesting() {
+			acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)
+		}
 	}

 	if this.task.User == nil {
@@ -75,7 +80,7 @@ func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {
 		return
 	}

-	config := lego.NewConfig(this.task.User)
+	var config = lego.NewConfig(this.task.User)
 	config.Certificate.KeyType = certcrypto.RSA2048
 	config.CADirURL = this.task.Provider.APIURL
 	config.UserAgent = teaconst.ProductName + "/" + teaconst.Version
@@ -86,28 +91,28 @@ func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {
 	}

 	// 注册用户
-	resource := this.task.User.GetRegistration()
+	var resource = this.task.User.GetRegistration()
 	if resource != nil {
-		resource, err = client.Registration.QueryRegistration()
+		_, err = client.Registration.QueryRegistration()
 		if err != nil {
 			return nil, nil, err
 		}
 	} else {
 		if this.task.Provider.RequireEAB {
-			resource, err := client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			resource, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
 				TermsOfServiceAgreed: true,
 				Kid:                  this.task.Account.EABKid,
 				HmacEncoded:          this.task.Account.EABKey,
 			})
 			if err != nil {
-				return nil, nil, errors.New("register user failed: " + err.Error())
+				return nil, nil, fmt.Errorf("register user failed: %w", err)
 			}
 			err = this.task.User.Register(resource)
 			if err != nil {
 				return nil, nil, err
 			}
 		} else {
-			resource, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+			resource, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 			if err != nil {
 				return nil, nil, err
 			}
@@ -124,13 +129,13 @@ func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {
 	}

 	// 申请证书
-	request := certificate.ObtainRequest{
+	var request = certificate.ObtainRequest{
 		Domains: this.task.Domains,
 		Bundle:  true,
 	}
 	certResource, err := client.Certificate.Obtain(request)
 	if err != nil {
-		return nil, nil, errors.New("obtain cert failed: " + err.Error())
+		return nil, nil, fmt.Errorf("obtain cert failed: %w", err)
 	}

 	return certResource.Certificate, certResource.PrivateKey, nil
@@ -138,7 +143,9 @@ func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {

 func (this *Request) runHTTP() (certData []byte, keyData []byte, err error) {
 	if !this.debug {
-		acmelog.Logger = log.New(ioutil.Discard, "", log.LstdFlags)
+		if !Tea.IsTesting() {
+			acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)
+		}
 	}

 	if this.task.User == nil {
@@ -146,7 +153,7 @@ func (this *Request) runHTTP() (certData []byte, keyData []byte, err error) {
 		return
 	}

-	config := lego.NewConfig(this.task.User)
+	var config = lego.NewConfig(this.task.User)
 	config.Certificate.KeyType = certcrypto.RSA2048
 	config.CADirURL = this.task.Provider.APIURL
 	config.UserAgent = teaconst.ProductName + "/" + teaconst.Version
@@ -157,28 +164,28 @@ func (this *Request) runHTTP() (certData []byte, keyData []byte, err error) {
 	}

 	// 注册用户
-	resource := this.task.User.GetRegistration()
+	var resource = this.task.User.GetRegistration()
 	if resource != nil {
-		resource, err = client.Registration.QueryRegistration()
+		_, err = client.Registration.QueryRegistration()
 		if err != nil {
 			return nil, nil, err
 		}
 	} else {
 		if this.task.Provider.RequireEAB {
-			resource, err := client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			resource, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
 				TermsOfServiceAgreed: true,
 				Kid:                  this.task.Account.EABKid,
 				HmacEncoded:          this.task.Account.EABKey,
 			})
 			if err != nil {
-				return nil, nil, errors.New("register user failed: " + err.Error())
+				return nil, nil, fmt.Errorf("register user failed: %w", err)
 			}
 			err = this.task.User.Register(resource)
 			if err != nil {
 				return nil, nil, err
 			}
 		} else {
-			resource, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+			resource, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 			if err != nil {
 				return nil, nil, err
 			}
@@ -195,7 +202,7 @@ func (this *Request) runHTTP() (certData []byte, keyData []byte, err error) {
 	}

 	// 申请证书
-	request := certificate.ObtainRequest{
+	var request = certificate.ObtainRequest{
 		Domains: this.task.Domains,
 		Bundle:  true,
 	}
--- a/internal/apps/app_cmd.go
+++ b/internal/apps/app_cmd.go
@@ -1,6 +1,7 @@
 package apps

 import (
+	"errors"
 	"fmt"
 	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
 	"github.com/iwind/TeaGo/logs"
@@ -9,8 +10,10 @@ import (
 	"github.com/iwind/gosock/pkg/gosock"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"runtime"
 	"strconv"
+	"strings"
 	"time"
 )

@@ -184,13 +187,16 @@ func (this *AppCmd) runStart() {
 		return
 	}

-	cmd := exec.Command(os.Args[0])
+	var cmd = exec.Command(this.exe())
 	err := cmd.Start()
 	if err != nil {
 		fmt.Println(this.product+"  start failed:", err.Error())
 		return
 	}

+	// create symbolic links
+	_ = this.createSymLinks()
+
 	fmt.Println(this.product+" started ok, pid:", cmd.Process.Pid)
 }

@@ -237,3 +243,58 @@ func (this *AppCmd) getPID() int {
 	}
 	return maps.NewMap(reply.Params).GetInt("pid")
 }
+
+func (this *AppCmd) exe() string {
+	var exe, _ = os.Executable()
+	if len(exe) == 0 {
+		exe = os.Args[0]
+	}
+	return exe
+}
+
+// 创建软链接
+func (this *AppCmd) createSymLinks() error {
+	if runtime.GOOS != "linux" {
+		return nil
+	}
+
+	var exe, _ = os.Executable()
+	if len(exe) == 0 {
+		return nil
+	}
+
+	var errorList = []string{}
+
+	// bin
+	{
+		var target = "/usr/bin/" + teaconst.ProcessName
+		old, _ := filepath.EvalSymlinks(target)
+		if old != exe {
+			_ = os.Remove(target)
+			err := os.Symlink(exe, target)
+			if err != nil {
+				errorList = append(errorList, err.Error())
+			}
+		}
+	}
+
+	// log
+	{
+		var realPath = filepath.Dir(filepath.Dir(exe)) + "/logs/run.log"
+		var target = "/var/log/" + teaconst.ProcessName + ".log"
+		old, _ := filepath.EvalSymlinks(target)
+		if old != realPath {
+			_ = os.Remove(target)
+			err := os.Symlink(realPath, target)
+			if err != nil {
+				errorList = append(errorList, err.Error())
+			}
+		}
+	}
+
+	if len(errorList) > 0 {
+		return errors.New(strings.Join(errorList, "\n"))
+	}
+
+	return nil
+}
--- a/internal/configs/api_config.go
+++ b/internal/configs/api_config.go
@@ -4,7 +4,6 @@ import (
 	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
 	"github.com/iwind/TeaGo/Tea"
 	"gopkg.in/yaml.v3"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 )
@@ -42,7 +41,7 @@ func SharedAPIConfig() (*APIConfig, error) {
 	var data []byte
 	var err error
 	for _, path := range paths {
-		data, err = ioutil.ReadFile(path)
+		data, err = os.ReadFile(path)
 		if err == nil {
 			if path == localFile {
 				isFromLocal = true
@@ -63,7 +62,7 @@ func SharedAPIConfig() (*APIConfig, error) {

 	if !isFromLocal {
 		// 恢复文件
-		_ = ioutil.WriteFile(localFile, data, 0666)
+		_ = os.WriteFile(localFile, data, 0666)
 	}

 	// 恢复数据库文件
@@ -80,9 +79,9 @@ func SharedAPIConfig() (*APIConfig, error) {
 			for _, path := range paths {
 				_, err := os.Stat(path)
 				if err == nil {
-					data, err := ioutil.ReadFile(path)
+					data, err := os.ReadFile(path)
 					if err == nil {
-						_ = ioutil.WriteFile(dbConfigFile, data, 0666)
+						_ = os.WriteFile(dbConfigFile, data, 0666)
 						break
 					}
 				}
@@ -122,14 +121,58 @@ func (this *APIConfig) WriteFile(path string) error {
 	for _, backupDir := range backupDirs {
 		stat, err := os.Stat(backupDir)
 		if err == nil && stat.IsDir() {
-			_ = ioutil.WriteFile(backupDir+"/"+filename, data, 0666)
+			_ = os.WriteFile(backupDir+"/"+filename, data, 0666)
 		} else if err != nil && os.IsNotExist(err) {
 			err = os.Mkdir(backupDir, 0777)
 			if err == nil {
-				_ = ioutil.WriteFile(backupDir+"/"+filename, data, 0666)
+				_ = os.WriteFile(backupDir+"/"+filename, data, 0666)
 			}
 		}
 	}

-	return ioutil.WriteFile(path, data, 0666)
+	return os.WriteFile(path, data, 0666)
+}
+
+// ResetAPIConfig 重置配置
+func ResetAPIConfig() error {
+	for _, filename := range []string{"api.yaml", "db.yaml"} {
+		// 重置 configs/api.yaml
+		{
+			var configFile = Tea.ConfigFile(filename)
+			stat, err := os.Stat(configFile)
+			if err == nil && !stat.IsDir() {
+				err = os.Remove(configFile)
+				if err != nil {
+					return err
+				}
+			}
+		}
+
+		// 重置 ~/.edge-api/api.yaml
+		homeDir, homeErr := os.UserHomeDir()
+		if homeErr == nil {
+			var configFile = homeDir + "/." + teaconst.ProcessName + "/" + filename
+			stat, err := os.Stat(configFile)
+			if err == nil && !stat.IsDir() {
+				err = os.Remove(configFile)
+				if err != nil {
+					return err
+				}
+			}
+		}
+
+		// 重置 /etc/edge-api/api.yaml
+		{
+			var configFile = "/etc/" + teaconst.ProcessName + "/" + filename
+			stat, err := os.Stat(configFile)
+			if err == nil && !stat.IsDir() {
+				err = os.Remove(configFile)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
 }
--- a/internal/const/const.go
+++ b/internal/const/const.go
@@ -1,12 +1,14 @@
 package teaconst

 const (
-	Version = "0.4.10"
+	Version = "1.3.3"

 	ProductName   = "Edge API"
 	ProcessName   = "edge-api"
 	ProductNameZH = "Edge"

+	GlobalProductName = "GoEdge"
+
 	Role = "api"

 	EncryptKey    = "8f983f4d69b83aaa0d74b21a212f6967"
@@ -18,13 +20,8 @@ const (

 	// 其他节点版本号，用来检测是否有需要升级的节点

-	NodeVersion          = "0.4.10"
-	UserNodeVersion      = "0.3.6"
-	AuthorityNodeVersion = "0.0.2"
-	MonitorNodeVersion   = "0.0.4"
-	DNSNodeVersion       = "0.2.4"
-	ReportNodeVersion    = "0.1.1"
+	NodeVersion = "1.3.3"

 	// SQLVersion SQL版本号
-	SQLVersion = "2"
+	SQLVersion = "11"
 )
--- a/internal/const/const_community.go
+++ b/internal/const/const_community.go
@@ -0,0 +1,9 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package teaconst
+
+const (
+	// DefaultMaxNodes 节点数限制
+	DefaultMaxNodes int32 = 50
+)
--- a/internal/const/vars.go
+++ b/internal/const/vars.go
@@ -7,13 +7,29 @@ import (
 	"fmt"
 	"github.com/iwind/TeaGo/rands"
 	"github.com/iwind/TeaGo/types"
+	"os"
+	"strings"
 	"time"
 )

 var (
 	IsPlus             = false
+	Edition            = ""
 	MaxNodes     int32 = 0
 	NodeId       int64 = 0
 	Debug              = false
 	InstanceCode       = fmt.Sprintf("%x", sha1.Sum([]byte("INSTANCE"+types.String(time.Now().UnixNano())+"@"+types.String(rands.Int64()))))
+	IsMain             = checkMain()
 )
+
+// 检查是否为主程序
+func checkMain() bool {
+	if len(os.Args) == 1 ||
+		(len(os.Args) >= 2 && os.Args[1] == "pprof") {
+		return true
+	}
+	exe, _ := os.Executable()
+	return strings.HasSuffix(exe, ".test") ||
+		strings.HasSuffix(exe, ".test.exe") ||
+		strings.Contains(exe, "___")
+}
--- a/internal/db/models/accounts/order_method_dao.go
+++ b/internal/db/models/accounts/order_method_dao.go
@@ -0,0 +1,33 @@
+package accounts
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	OrderMethodStateEnabled  = 1 // 已启用
+	OrderMethodStateDisabled = 0 // 已禁用
+)
+
+type OrderMethodDAO dbs.DAO
+
+func NewOrderMethodDAO() *OrderMethodDAO {
+	return dbs.NewDAO(&OrderMethodDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeOrderMethods",
+			Model:  new(OrderMethod),
+			PkName: "id",
+		},
+	}).(*OrderMethodDAO)
+}
+
+var SharedOrderMethodDAO *OrderMethodDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedOrderMethodDAO = NewOrderMethodDAO()
+	})
+}
--- a/internal/db/models/accounts/order_method_dao_test.go
+++ b/internal/db/models/accounts/order_method_dao_test.go
@@ -0,0 +1,6 @@
+package accounts_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/accounts/order_method_model.go
+++ b/internal/db/models/accounts/order_method_model.go
@@ -0,0 +1,40 @@
+package accounts
+
+import "github.com/iwind/TeaGo/dbs"
+
+// OrderMethod 订单支付方式
+type OrderMethod struct {
+	Id          uint32   `field:"id"`          // ID
+	Name        string   `field:"name"`        // 名称
+	IsOn        bool     `field:"isOn"`        // 是否启用
+	Description string   `field:"description"` // 描述
+	ParentCode  string   `field:"parentCode"`  // 内置的父级代号
+	Code        string   `field:"code"`        // 代号
+	Url         string   `field:"url"`         // URL
+	Secret      string   `field:"secret"`      // 密钥
+	Params      dbs.JSON `field:"params"`      // 参数
+	ClientType  string   `field:"clientType"`  // 客户端类型
+	QrcodeTitle string   `field:"qrcodeTitle"` // 二维码标题
+	Order       uint32   `field:"order"`       // 排序
+	State       uint8    `field:"state"`       // 状态
+}
+
+type OrderMethodOperator struct {
+	Id          any // ID
+	Name        any // 名称
+	IsOn        any // 是否启用
+	Description any // 描述
+	ParentCode  any // 内置的父级代号
+	Code        any // 代号
+	Url         any // URL
+	Secret      any // 密钥
+	Params      any // 参数
+	ClientType  any // 客户端类型
+	QrcodeTitle any // 二维码标题
+	Order       any // 排序
+	State       any // 状态
+}
+
+func NewOrderMethodOperator() *OrderMethodOperator {
+	return &OrderMethodOperator{}
+}
--- a/internal/db/models/accounts/order_method_model_ext.go
+++ b/internal/db/models/accounts/order_method_model_ext.go
@@ -0,0 +1 @@
+package accounts
--- a/internal/db/models/accounts/user_account_daily_stat_dao.go
+++ b/internal/db/models/accounts/user_account_daily_stat_dao.go
@@ -1,80 +0,0 @@
-package accounts
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/userconfigs"
-	_ "github.com/go-sql-driver/mysql"
-	"github.com/iwind/TeaGo/Tea"
-	"github.com/iwind/TeaGo/dbs"
-	"github.com/iwind/TeaGo/maps"
-	timeutil "github.com/iwind/TeaGo/utils/time"
-)
-
-type UserAccountDailyStatDAO dbs.DAO
-
-func NewUserAccountDailyStatDAO() *UserAccountDailyStatDAO {
-	return dbs.NewDAO(&UserAccountDailyStatDAO{
-		DAOObject: dbs.DAOObject{
-			DB:     Tea.Env,
-			Table:  "edgeUserAccountDailyStats",
-			Model:  new(UserAccountDailyStat),
-			PkName: "id",
-		},
-	}).(*UserAccountDailyStatDAO)
-}
-
-var SharedUserAccountDailyStatDAO *UserAccountDailyStatDAO
-
-func init() {
-	dbs.OnReady(func() {
-		SharedUserAccountDailyStatDAO = NewUserAccountDailyStatDAO()
-	})
-}
-
-// UpdateDailyStat 更新当天统计数据
-func (this *UserAccountDailyStatDAO) UpdateDailyStat(tx *dbs.Tx) error {
-	var day = timeutil.Format("Ymd")
-	var month = timeutil.Format("Ym")
-	income, err := SharedUserAccountLogDAO.SumDailyEventTypes(tx, day, userconfigs.AccountIncomeEventTypes)
-	if err != nil {
-		return err
-	}
-
-	expense, err := SharedUserAccountLogDAO.SumDailyEventTypes(tx, day, userconfigs.AccountExpenseEventTypes)
-	if err != nil {
-		return err
-	}
-	if expense < 0 {
-		expense = -expense
-	}
-
-	return this.Query(tx).
-		InsertOrUpdateQuickly(maps.Map{
-			"day":     day,
-			"month":   month,
-			"income":  income,
-			"expense": expense,
-		}, maps.Map{
-			"income":  income,
-			"expense": expense,
-		})
-}
-
-// FindDailyStats 查看按天统计
-func (this *UserAccountDailyStatDAO) FindDailyStats(tx *dbs.Tx, dayFrom string, dayTo string) (result []*UserAccountDailyStat, err error) {
-	_, err = this.Query(tx).
-		Between("day", dayFrom, dayTo).
-		Slice(&result).
-		FindAll()
-	return
-}
-
-// FindMonthlyStats 查看某月统计
-func (this *UserAccountDailyStatDAO) FindMonthlyStats(tx *dbs.Tx, dayFrom string, dayTo string) (result []*UserAccountDailyStat, err error) {
-	_, err = this.Query(tx).
-		Result("SUM(income) AS income", "SUM(expense) AS expense", "month").
-		Between("day", dayFrom, dayTo).
-		Group("month").
-		Slice(&result).
-		FindAll()
-	return
-}
--- a/internal/db/models/accounts/user_account_dao.go
+++ b/internal/db/models/accounts/user_account_dao.go
@@ -1,253 +0,0 @@
-package accounts
-
-import (
-	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
-	"github.com/TeaOSLab/EdgeAPI/internal/errors"
-	"github.com/TeaOSLab/EdgeAPI/internal/goman"
-	"github.com/TeaOSLab/EdgeAPI/internal/remotelogs"
-	"github.com/TeaOSLab/EdgeCommon/pkg/userconfigs"
-	_ "github.com/go-sql-driver/mysql"
-	"github.com/iwind/TeaGo/Tea"
-	"github.com/iwind/TeaGo/dbs"
-	"github.com/iwind/TeaGo/lists"
-	"github.com/iwind/TeaGo/maps"
-	"github.com/iwind/TeaGo/types"
-	"time"
-)
-
-func init() {
-	dbs.OnReadyDone(func() {
-		goman.New(func() {
-			// 自动支付账单任务
-			var ticker = time.NewTicker(12 * time.Hour)
-			for range ticker.C {
-				if SharedUserAccountDAO.Instance != nil {
-					err := SharedUserAccountDAO.Instance.RunTx(func(tx *dbs.Tx) error {
-						return SharedUserAccountDAO.PayBills(tx)
-					})
-					if err != nil {
-						remotelogs.Error("USER_ACCOUNT_DAO", "pay bills task failed: "+err.Error())
-					}
-				}
-			}
-		})
-	})
-}
-
-type UserAccountDAO dbs.DAO
-
-func NewUserAccountDAO() *UserAccountDAO {
-	return dbs.NewDAO(&UserAccountDAO{
-		DAOObject: dbs.DAOObject{
-			DB:     Tea.Env,
-			Table:  "edgeUserAccounts",
-			Model:  new(UserAccount),
-			PkName: "id",
-		},
-	}).(*UserAccountDAO)
-}
-
-var SharedUserAccountDAO *UserAccountDAO
-
-func init() {
-	dbs.OnReady(func() {
-		SharedUserAccountDAO = NewUserAccountDAO()
-	})
-}
-
-// FindUserAccountWithUserId 根据用户ID查找用户账户
-func (this *UserAccountDAO) FindUserAccountWithUserId(tx *dbs.Tx, userId int64) (*UserAccount, error) {
-	if userId <= 0 {
-		return nil, errors.New("invalid userId '" + types.String(userId) + "'")
-	}
-
-	// 用户是否存在
-	user, err := models.SharedUserDAO.FindEnabledUser(tx, userId, nil)
-	if err != nil {
-		return nil, err
-	}
-	if user == nil {
-		return nil, errors.New("invalid userId '" + types.String(userId) + "'")
-	}
-
-	account, err := this.Query(tx).
-		Attr("userId", userId).
-		Find()
-	if err != nil {
-		return nil, err
-	}
-	if account != nil {
-		return account.(*UserAccount), nil
-	}
-
-	var op = NewUserAccountOperator()
-	op.UserId = userId
-	_, err = this.SaveInt64(tx, op)
-	if err != nil {
-		return nil, err
-	}
-	return this.FindUserAccountWithUserId(tx, userId)
-}
-
-// FindUserAccountWithAccountId 根据ID查找用户账户
-func (this *UserAccountDAO) FindUserAccountWithAccountId(tx *dbs.Tx, accountId int64) (*UserAccount, error) {
-	one, err := this.Query(tx).
-		Pk(accountId).
-		Find()
-	if one != nil {
-		return one.(*UserAccount), nil
-	}
-	return nil, err
-}
-
-// UpdateUserAccount 操作用户账户
-func (this *UserAccountDAO) UpdateUserAccount(tx *dbs.Tx, accountId int64, delta float32, eventType userconfigs.AccountEventType, description string, params maps.Map) error {
-	account, err := this.FindUserAccountWithAccountId(tx, accountId)
-	if err != nil {
-		return err
-	}
-	if account == nil {
-		return errors.New("invalid account id '" + types.String(accountId) + "'")
-	}
-	var userId = int64(account.UserId)
-	var deltaFloat64 = float64(delta)
-	if deltaFloat64 < 0 && account.Total < -deltaFloat64 {
-		return errors.New("not enough account quota to decrease")
-	}
-
-	// 操作账户
-	err = this.Query(tx).
-		Pk(account.Id).
-		Set("total", dbs.SQL("total+:delta")).
-		Param("delta", delta).
-		UpdateQuickly()
-	if err != nil {
-		return err
-	}
-
-	// 生成日志
-	err = SharedUserAccountLogDAO.CreateAccountLog(tx, userId, accountId, delta, 0, eventType, description, params)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// UpdateUserAccountFrozen 操作用户账户冻结余额
-func (this *UserAccountDAO) UpdateUserAccountFrozen(tx *dbs.Tx, userId int64, delta float32, eventType userconfigs.AccountEventType, description string, params maps.Map) error {
-	account, err := this.FindUserAccountWithUserId(tx, userId)
-	if err != nil {
-		return err
-	}
-	var deltaFloat64 = float64(delta)
-	if deltaFloat64 < 0 && account.TotalFrozen < -deltaFloat64 {
-		return errors.New("not enough account frozen quota to decrease")
-	}
-
-	// 操作账户
-	err = this.Query(tx).
-		Pk(account.Id).
-		Set("totalFrozen", dbs.SQL("total+:delta")).
-		Param("delta", delta).
-		UpdateQuickly()
-	if err != nil {
-		return err
-	}
-
-	// 生成日志
-	err = SharedUserAccountLogDAO.CreateAccountLog(tx, userId, int64(account.Id), 0, delta, eventType, description, params)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// CountAllAccounts 计算所有账户数量
-func (this *UserAccountDAO) CountAllAccounts(tx *dbs.Tx, keyword string) (int64, error) {
-	var query = this.Query(tx)
-	if len(keyword) > 0 {
-		query.Where("userId IN (SELECT id FROM " + models.SharedUserDAO.Table + " WHERE state=1 AND (username LIKE :keyword OR fullname LIKE :keyword))")
-		query.Param("keyword", keyword)
-	} else {
-		query.Where("userId IN (SELECT id FROM " + models.SharedUserDAO.Table + " WHERE state=1)")
-	}
-	return query.Count()
-}
-
-// ListAccounts 列出单页账户
-func (this *UserAccountDAO) ListAccounts(tx *dbs.Tx, keyword string, offset int64, size int64) (result []*UserAccount, err error) {
-	var query = this.Query(tx)
-	if len(keyword) > 0 {
-		query.Where("userId IN (SELECT id FROM " + models.SharedUserDAO.Table + " WHERE state=1 AND (username LIKE :keyword OR fullname LIKE :keyword))")
-		query.Param("keyword", keyword)
-	} else {
-		query.Where("userId IN (SELECT id FROM " + models.SharedUserDAO.Table + " WHERE state=1)")
-	}
-	_, err = query.
-		DescPk().
-		Offset(offset).
-		Limit(size).
-		Slice(&result).
-		FindAll()
-	return
-}
-
-// PayBills 尝试自动支付账单
-func (this *UserAccountDAO) PayBills(tx *dbs.Tx) error {
-	bills, err := models.SharedUserBillDAO.FindUnpaidBills(tx, 10000)
-	if err != nil {
-		return err
-	}
-
-	// 先支付久远的
-	lists.Reverse(bills)
-
-	for _, bill := range bills {
-		if bill.Amount <= 0 {
-			err = models.SharedUserBillDAO.UpdateUserBillIsPaid(tx, int64(bill.Id), true)
-			if err != nil {
-				return err
-			}
-			continue
-		}
-
-		account, err := SharedUserAccountDAO.FindUserAccountWithUserId(tx, int64(bill.UserId))
-		if err != nil {
-			return err
-		}
-		if account == nil || account.Total < bill.Amount {
-			continue
-		}
-
-		// 扣款
-		err = SharedUserAccountDAO.UpdateUserAccount(tx, int64(account.Id), -float32(bill.Amount), userconfigs.AccountEventTypePayBill, "支付账单"+bill.Code, maps.Map{"billId": bill.Id})
-		if err != nil {
-			return err
-		}
-
-		// 改为已支付
-		err = models.SharedUserBillDAO.UpdateUserBillIsPaid(tx, int64(bill.Id), true)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// CheckUserAccount 检查用户账户
-func (this *UserAccountDAO) CheckUserAccount(tx *dbs.Tx, userId int64, accountId int64) error {
-	exists, err := this.Query(tx).
-		Pk(accountId).
-		Attr("userId", userId).
-		Exist()
-	if err != nil {
-		return err
-	}
-	if !exists {
-		return models.ErrNotFound
-	}
-	return nil
-}
--- a/internal/db/models/accounts/user_account_dao_test.go
+++ b/internal/db/models/accounts/user_account_dao_test.go
@@ -1,18 +0,0 @@
-package accounts
-
-import (
-	_ "github.com/go-sql-driver/mysql"
-	_ "github.com/iwind/TeaGo/bootstrap"
-	"github.com/iwind/TeaGo/dbs"
-	"testing"
-)
-
-func TestUserAccountDAO_PayBills(t *testing.T) {
-	dbs.NotifyReady()
-
-	err := NewUserAccountDAO().PayBills(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Log("ok")
-}
--- a/internal/db/models/accounts/user_account_log_dao.go
+++ b/internal/db/models/accounts/user_account_log_dao.go
@@ -1,129 +0,0 @@
-package accounts
-
-import (
-	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
-	dbutils "github.com/TeaOSLab/EdgeAPI/internal/db/utils"
-	"github.com/TeaOSLab/EdgeAPI/internal/errors"
-	"github.com/TeaOSLab/EdgeCommon/pkg/userconfigs"
-	_ "github.com/go-sql-driver/mysql"
-	"github.com/iwind/TeaGo/Tea"
-	"github.com/iwind/TeaGo/dbs"
-	"github.com/iwind/TeaGo/maps"
-	"github.com/iwind/TeaGo/types"
-	timeutil "github.com/iwind/TeaGo/utils/time"
-)
-
-type UserAccountLogDAO dbs.DAO
-
-func NewUserAccountLogDAO() *UserAccountLogDAO {
-	return dbs.NewDAO(&UserAccountLogDAO{
-		DAOObject: dbs.DAOObject{
-			DB:     Tea.Env,
-			Table:  "edgeUserAccountLogs",
-			Model:  new(UserAccountLog),
-			PkName: "id",
-		},
-	}).(*UserAccountLogDAO)
-}
-
-var SharedUserAccountLogDAO *UserAccountLogDAO
-
-func init() {
-	dbs.OnReady(func() {
-		SharedUserAccountLogDAO = NewUserAccountLogDAO()
-	})
-}
-
-// CreateAccountLog 生成用户账户日志
-func (this *UserAccountLogDAO) CreateAccountLog(tx *dbs.Tx, userId int64, accountId int64, delta float32, deltaFrozen float32, eventType userconfigs.AccountEventType, description string, params maps.Map) error {
-	var op = NewUserAccountLogOperator()
-	op.UserId = userId
-	op.AccountId = accountId
-	op.Delta = delta
-	op.DeltaFrozen = deltaFrozen
-
-	account, err := SharedUserAccountDAO.FindUserAccountWithAccountId(tx, accountId)
-	if err != nil {
-		return err
-	}
-	if account == nil {
-		return errors.New("invalid account id '" + types.String(accountId) + "'")
-	}
-	op.Total = account.Total
-	op.TotalFrozen = account.TotalFrozen
-
-	op.EventType = eventType
-	op.Description = description
-
-	if params == nil {
-		params = maps.Map{}
-	}
-	op.Params = params.AsJSON()
-
-	op.Day = timeutil.Format("Ymd")
-	err = this.Save(tx, op)
-	if err != nil {
-		return err
-	}
-
-	return SharedUserAccountDailyStatDAO.UpdateDailyStat(tx)
-}
-
-// CountAccountLogs 计算日志数量
-func (this *UserAccountLogDAO) CountAccountLogs(tx *dbs.Tx, userId int64, accountId int64, keyword string, eventType string) (int64, error) {
-	var query = this.Query(tx)
-	if userId > 0 {
-		query.Attr("userId", userId)
-	}
-	if accountId > 0 {
-		query.Attr("accountId", accountId)
-	}
-	if len(keyword) > 0 {
-		query.Where("(userId IN (SELECT id FROM " + models.SharedUserDAO.Table + " WHERE state=1 AND (username LIKE :keyword OR fullname LIKE :keyword)) OR description LIKE :keyword)")
-		query.Param("keyword", dbutils.QuoteLike(keyword))
-	}
-	if len(eventType) > 0 {
-		query.Attr("eventType", eventType)
-	}
-	return query.Count()
-}
-
-// ListAccountLogs 列出单页日志
-func (this *UserAccountLogDAO) ListAccountLogs(tx *dbs.Tx, userId int64, accountId int64, keyword string, eventType string, offset int64, size int64) (result []*UserAccountLog, err error) {
-	var query = this.Query(tx)
-	if userId > 0 {
-		query.Attr("userId", userId)
-	}
-	if accountId > 0 {
-		query.Attr("accountId", accountId)
-	}
-	if len(keyword) > 0 {
-		query.Where("(userId IN (SELECT id FROM " + models.SharedUserDAO.Table + " WHERE state=1 AND (username LIKE :keyword OR fullname LIKE :keyword)) OR description LIKE :keyword)")
-		query.Param("keyword", dbutils.QuoteLike(keyword))
-	}
-	if len(eventType) > 0 {
-		query.Attr("eventType", eventType)
-	}
-	_, err = query.
-		DescPk().
-		Offset(offset).
-		Limit(size).
-		Slice(&result).
-		FindAll()
-	return
-}
-
-// SumDailyEventTypes 统计某天数据总和
-func (this *UserAccountLogDAO) SumDailyEventTypes(tx *dbs.Tx, day string, eventTypes []userconfigs.AccountEventType) (float32, error) {
-	if len(eventTypes) == 0 {
-		return 0, nil
-	}
-	result, err := this.Query(tx).
-		Attr("day", day).
-		Attr("eventType", eventTypes).
-		Sum("delta", 0)
-	if err != nil {
-		return 0, err
-	}
-	return types.Float32(result), nil
-}
--- a/internal/db/models/accounts/user_order_dao.go
+++ b/internal/db/models/accounts/user_order_dao.go
@@ -0,0 +1,33 @@
+package accounts
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	UserOrderStateEnabled  = 1 // 已启用
+	UserOrderStateDisabled = 0 // 已禁用
+)
+
+type UserOrderDAO dbs.DAO
+
+func NewUserOrderDAO() *UserOrderDAO {
+	return dbs.NewDAO(&UserOrderDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeUserOrders",
+			Model:  new(UserOrder),
+			PkName: "id",
+		},
+	}).(*UserOrderDAO)
+}
+
+var SharedUserOrderDAO *UserOrderDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedUserOrderDAO = NewUserOrderDAO()
+	})
+}
--- a/internal/db/models/accounts/user_order_dao_test.go
+++ b/internal/db/models/accounts/user_order_dao_test.go
@@ -0,0 +1,6 @@
+package accounts_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/accounts/user_order_log_dao.go
+++ b/internal/db/models/accounts/user_order_log_dao.go
@@ -0,0 +1,28 @@
+package accounts
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+type UserOrderLogDAO dbs.DAO
+
+func NewUserOrderLogDAO() *UserOrderLogDAO {
+	return dbs.NewDAO(&UserOrderLogDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeUserOrderLogs",
+			Model:  new(UserOrderLog),
+			PkName: "id",
+		},
+	}).(*UserOrderLogDAO)
+}
+
+var SharedUserOrderLogDAO *UserOrderLogDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedUserOrderLogDAO = NewUserOrderLogDAO()
+	})
+}
--- a/internal/db/models/accounts/user_order_log_dao_test.go
+++ b/internal/db/models/accounts/user_order_log_dao_test.go
@@ -0,0 +1,6 @@
+package accounts_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/accounts/user_order_log_model.go
+++ b/internal/db/models/accounts/user_order_log_model.go
@@ -0,0 +1,28 @@
+package accounts
+
+import "github.com/iwind/TeaGo/dbs"
+
+// UserOrderLog 订单日志
+type UserOrderLog struct {
+	Id        uint64   `field:"id"`        // ID
+	AdminId   uint64   `field:"adminId"`   // 管理员ID
+	UserId    uint64   `field:"userId"`    // 用户ID
+	OrderId   uint64   `field:"orderId"`   // 订单ID
+	Status    string   `field:"status"`    // 状态
+	Snapshot  dbs.JSON `field:"snapshot"`  // 状态快照
+	CreatedAt uint64   `field:"createdAt"` // 创建时间
+}
+
+type UserOrderLogOperator struct {
+	Id        interface{} // ID
+	AdminId   interface{} // 管理员ID
+	UserId    interface{} // 用户ID
+	OrderId   interface{} // 订单ID
+	Status    interface{} // 状态
+	Snapshot  interface{} // 状态快照
+	CreatedAt interface{} // 创建时间
+}
+
+func NewUserOrderLogOperator() *UserOrderLogOperator {
+	return &UserOrderLogOperator{}
+}
--- a/internal/db/models/accounts/user_order_log_model_ext.go
+++ b/internal/db/models/accounts/user_order_log_model_ext.go
@@ -0,0 +1 @@
+package accounts
--- a/internal/db/models/accounts/user_order_model.go
+++ b/internal/db/models/accounts/user_order_model.go
@@ -0,0 +1,40 @@
+package accounts
+
+import "github.com/iwind/TeaGo/dbs"
+
+// UserOrder 用户订单
+type UserOrder struct {
+	Id          uint64   `field:"id"`          // 用户订单
+	UserId      uint64   `field:"userId"`      // 用户ID
+	Code        string   `field:"code"`        // 订单号
+	Type        string   `field:"type"`        // 订单类型
+	MethodId    uint32   `field:"methodId"`    // 支付方式
+	Status      string   `field:"status"`      // 订单状态
+	Amount      float64  `field:"amount"`      // 金额
+	Params      dbs.JSON `field:"params"`      // 附加参数
+	ExpiredAt   uint64   `field:"expiredAt"`   // 过期时间
+	CreatedAt   uint64   `field:"createdAt"`   // 创建时间
+	CancelledAt uint64   `field:"cancelledAt"` // 取消时间
+	FinishedAt  uint64   `field:"finishedAt"`  // 结束时间
+	State       uint8    `field:"state"`       // 状态
+}
+
+type UserOrderOperator struct {
+	Id          interface{} // 用户订单
+	UserId      interface{} // 用户ID
+	Code        interface{} // 订单号
+	Type        interface{} // 订单类型
+	MethodId    interface{} // 支付方式
+	Status      interface{} // 订单状态
+	Amount      interface{} // 金额
+	Params      interface{} // 附加参数
+	ExpiredAt   interface{} // 过期时间
+	CreatedAt   interface{} // 创建时间
+	CancelledAt interface{} // 取消时间
+	FinishedAt  interface{} // 结束时间
+	State       interface{} // 状态
+}
+
+func NewUserOrderOperator() *UserOrderOperator {
+	return &UserOrderOperator{}
+}
--- a/internal/db/models/accounts/user_order_model_ext.go
+++ b/internal/db/models/accounts/user_order_model_ext.go
@@ -0,0 +1 @@
+package accounts
--- a/internal/db/models/acme/acme_provider_account_dao.go
+++ b/internal/db/models/acme/acme_provider_account_dao.go
@@ -1,6 +1,7 @@
 package acme

 import (
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
@@ -72,8 +73,9 @@ func (this *ACMEProviderAccountDAO) FindACMEProviderAccountName(tx *dbs.Tx, id i
 }

 // CreateAccount 创建账号
-func (this *ACMEProviderAccountDAO) CreateAccount(tx *dbs.Tx, name string, providerCode string, eabKid string, eabKey string) (int64, error) {
+func (this *ACMEProviderAccountDAO) CreateAccount(tx *dbs.Tx, userId int64, name string, providerCode string, eabKid string, eabKey string) (int64, error) {
 	var op = NewACMEProviderAccountOperator()
+	op.UserId = userId
 	op.Name = name
 	op.ProviderCode = providerCode
 	op.EabKid = eabKid
@@ -98,15 +100,18 @@ func (this *ACMEProviderAccountDAO) UpdateAccount(tx *dbs.Tx, accountId int64, n
 }

 // CountAllEnabledAccounts 计算账号数量
-func (this *ACMEProviderAccountDAO) CountAllEnabledAccounts(tx *dbs.Tx) (int64, error) {
+func (this *ACMEProviderAccountDAO) CountAllEnabledAccounts(tx *dbs.Tx, userId int64) (int64, error) {
 	return this.Query(tx).
+		State(ACMEProviderAccountStateEnabled).
+		Attr("userId", userId).
 		Count()
 }

 // ListEnabledAccounts 查找单页账号
-func (this *ACMEProviderAccountDAO) ListEnabledAccounts(tx *dbs.Tx, offset int64, size int64) (result []*ACMEProviderAccount, err error) {
+func (this *ACMEProviderAccountDAO) ListEnabledAccounts(tx *dbs.Tx, userId int64, offset int64, size int64) (result []*ACMEProviderAccount, err error) {
 	_, err = this.Query(tx).
 		State(ACMEProviderAccountStateEnabled).
+		Attr("userId", userId).
 		Offset(offset).
 		Limit(size).
 		DescPk().
@@ -116,12 +121,34 @@ func (this *ACMEProviderAccountDAO) ListEnabledAccounts(tx *dbs.Tx, offset int64
 }

 // FindAllEnabledAccountsWithProviderCode 根据服务商代号查找账号
-func (this *ACMEProviderAccountDAO) FindAllEnabledAccountsWithProviderCode(tx *dbs.Tx, providerCode string) (result []*ACMEProviderAccount, err error) {
+func (this *ACMEProviderAccountDAO) FindAllEnabledAccountsWithProviderCode(tx *dbs.Tx, userId int64, providerCode string) (result []*ACMEProviderAccount, err error) {
 	_, err = this.Query(tx).
 		State(ACMEProviderAccountStateEnabled).
 		Attr("providerCode", providerCode).
+		Attr("userId", userId).
 		DescPk().
 		Slice(&result).
 		FindAll()
 	return
 }
+
+// CheckUserAccount 检查是否为用户的服务商账号
+func (this *ACMEProviderAccountDAO) CheckUserAccount(tx *dbs.Tx, userId int64, accountId int64) error {
+	if userId <= 0 || accountId <= 0 {
+		return models.ErrNotFound
+	}
+
+	b, err := this.Query(tx).
+		Pk(accountId).
+		State(ACMEProviderAccountStateEnabled).
+		Attr("userId", userId).
+		Exist()
+	if err != nil {
+		return err
+	}
+	if !b {
+		return models.ErrNotFound
+	}
+
+	return nil
+}
--- a/internal/db/models/acme/acme_provider_account_model.go
+++ b/internal/db/models/acme/acme_provider_account_model.go
@@ -3,24 +3,26 @@ package acme
 // ACMEProviderAccount ACME提供商
 type ACMEProviderAccount struct {
 	Id           uint64 `field:"id"`           // ID
+	UserId       uint64 `field:"userId"`       // 用户ID
 	IsOn         bool   `field:"isOn"`         // 是否启用
 	Name         string `field:"name"`         // 名称
 	ProviderCode string `field:"providerCode"` // 代号
-	Error        string `field:"error"`        // 最后一条错误信息
 	EabKid       string `field:"eabKid"`       // KID
 	EabKey       string `field:"eabKey"`       // Key
+	Error        string `field:"error"`        // 最后一条错误信息
 	State        uint8  `field:"state"`        // 状态
 }

 type ACMEProviderAccountOperator struct {
-	Id           interface{} // ID
-	IsOn         interface{} // 是否启用
-	Name         interface{} // 名称
-	ProviderCode interface{} // 代号
-	Error        interface{} // 最后一条错误信息
-	EabKid       interface{} // KID
-	EabKey       interface{} // Key
-	State        interface{} // 状态
+	Id           any // ID
+	UserId       any // 用户ID
+	IsOn         any // 是否启用
+	Name         any // 名称
+	ProviderCode any // 代号
+	EabKid       any // KID
+	EabKey       any // Key
+	Error        any // 最后一条错误信息
+	State        any // 状态
 }

 func NewACMEProviderAccountOperator() *ACMEProviderAccountOperator {
--- a/internal/db/models/acme/acme_task_dao.go
+++ b/internal/db/models/acme/acme_task_dao.go
@@ -2,6 +2,7 @@ package acme

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	acmeutils "github.com/TeaOSLab/EdgeAPI/internal/acme"
 	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
@@ -106,8 +107,17 @@ func (this *ACMETaskDAO) DisableAllTasksWithCertId(tx *dbs.Tx, certId int64) err
 }

 // CountAllEnabledACMETasks 计算所有任务数量
-func (this *ACMETaskDAO) CountAllEnabledACMETasks(tx *dbs.Tx, adminId int64, userId int64, isAvailable bool, isExpired bool, expiringDays int64, keyword string) (int64, error) {
-	query := dbutils.NewQuery(tx, this, adminId, userId)
+func (this *ACMETaskDAO) CountAllEnabledACMETasks(tx *dbs.Tx, userId int64, isAvailable bool, isExpired bool, expiringDays int64, keyword string, userOnly bool) (int64, error) {
+	var query = this.Query(tx)
+	if userId > 0 {
+		query.Attr("userId", userId)
+	} else {
+		if userOnly {
+			query.Gt("userId", 0)
+		} else {
+			query.Attr("userId", 0)
+		}
+	}
 	if isAvailable || isExpired || expiringDays > 0 {
 		query.Gt("certId", 0)

@@ -137,8 +147,17 @@ func (this *ACMETaskDAO) CountAllEnabledACMETasks(tx *dbs.Tx, adminId int64, use
 }

 // ListEnabledACMETasks 列出单页任务
-func (this *ACMETaskDAO) ListEnabledACMETasks(tx *dbs.Tx, adminId int64, userId int64, isAvailable bool, isExpired bool, expiringDays int64, keyword string, offset int64, size int64) (result []*ACMETask, err error) {
-	query := dbutils.NewQuery(tx, this, adminId, userId)
+func (this *ACMETaskDAO) ListEnabledACMETasks(tx *dbs.Tx, userId int64, isAvailable bool, isExpired bool, expiringDays int64, keyword string, userOnly bool, offset int64, size int64) (result []*ACMETask, err error) {
+	var query = this.Query(tx)
+	if userId > 0 {
+		query.Attr("userId", userId)
+	} else {
+		if userOnly {
+			query.Gt("userId", 0)
+		} else {
+			query.Attr("userId", 0)
+		}
+	}
 	if isAvailable || isExpired || expiringDays > 0 {
 		query.Gt("certId", 0)

@@ -226,14 +245,28 @@ func (this *ACMETaskDAO) UpdateACMETask(tx *dbs.Tx, acmeTaskId int64, acmeUserId
 	return err
 }

-// CheckACMETask 检查权限
-func (this *ACMETaskDAO) CheckACMETask(tx *dbs.Tx, adminId int64, userId int64, acmeTaskId int64) (bool, error) {
-	return dbutils.NewQuery(tx, this, adminId, userId).
+// CheckUserACMETask 检查用户权限
+func (this *ACMETaskDAO) CheckUserACMETask(tx *dbs.Tx, userId int64, acmeTaskId int64) (bool, error) {
+	var query = this.Query(tx)
+	if userId > 0 {
+		query.Attr("userId", userId)
+	}
+
+	return query.
 		State(ACMETaskStateEnabled).
 		Pk(acmeTaskId).
 		Exist()
 }

+// FindACMETaskUserId 查找任务所属用户ID
+func (this *ACMETaskDAO) FindACMETaskUserId(tx *dbs.Tx, taskId int64) (userId int64, err error) {
+	return this.Query(tx).
+		Pk(taskId).
+		Result("userId").
+		FindInt64Col(0)
+}
+
+
 // UpdateACMETaskCert 设置任务关联的证书
 func (this *ACMETaskDAO) UpdateACMETaskCert(tx *dbs.Tx, taskId int64, certId int64) error {
 	if taskId <= 0 {
@@ -319,7 +352,7 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 		return
 	}

-	remoteUser := acmeutils.NewUser(user.Email, privateKey, func(resource *registration.Resource) error {
+	var remoteUser = acmeutils.NewUser(user.Email, privateKey, func(resource *registration.Resource) error {
 		resourceJSON, err := json.Marshal(resource)
 		if err != nil {
 			return err
@@ -349,7 +382,7 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 			errMsg = "找不到DNS服务商账号"
 			return
 		}
-		providerInterface := dnsclients.FindProvider(dnsProvider.Type)
+		providerInterface := dnsclients.FindProvider(dnsProvider.Type, int64(dnsProvider.Id))
 		if providerInterface == nil {
 			errMsg = "暂不支持此类型的DNS服务商 '" + dnsProvider.Type + "'"
 			return
@@ -382,7 +415,7 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 	acmeTask.Provider = acmeProvider
 	acmeTask.Account = acmeAccount

-	acmeRequest := acmeutils.NewRequest(acmeTask)
+	var acmeRequest = acmeutils.NewRequest(acmeTask)
 	acmeRequest.OnAuth(func(domain, token, keyAuth string) {
 		err := SharedACMEAuthenticationDAO.CreateAuth(tx, taskId, domain, token, keyAuth)
 		if err != nil {
@@ -398,7 +431,7 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 				if err != nil {
 					remotelogs.Error("ACME", "encode auth data failed: '"+task.AuthURL+"'")
 				} else {
-					client := utils.SharedHttpClient(5 * time.Second)
+					var client = utils.SharedHttpClient(10 * time.Second)
 					req, err := http.NewRequest(http.MethodPost, task.AuthURL, bytes.NewReader(authJSON))
 					req.Header.Set("Content-Type", "application/json")
 					req.Header.Set("User-Agent", teaconst.ProductName+"/"+teaconst.Version)
@@ -423,11 +456,11 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 	}

 	// 分析证书
-	sslConfig := &sslconfigs.SSLCertConfig{
+	var sslConfig = &sslconfigs.SSLCertConfig{
 		CertData: certData,
 		KeyData:  keyData,
 	}
-	err = sslConfig.Init()
+	err = sslConfig.Init(context.Background())
 	if err != nil {
 		errMsg = "证书生成成功，但是分析证书信息时发生错误：" + err.Error()
 		return
--- a/internal/db/models/acme/acme_task_log_dao.go
+++ b/internal/db/models/acme/acme_task_log_dao.go
@@ -1,6 +1,7 @@
 package acme

 import (
+	"github.com/TeaOSLab/EdgeAPI/internal/utils"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/dbs"
@@ -27,17 +28,17 @@ func init() {
 	})
 }

-// 生成日志
+// CreateACMETaskLog 生成日志
 func (this *ACMETaskLogDAO) CreateACMETaskLog(tx *dbs.Tx, taskId int64, isOk bool, errMsg string) error {
 	var op = NewACMETaskLogOperator()
 	op.TaskId = taskId
-	op.Error = errMsg
+	op.Error = utils.LimitString(errMsg, 1024)
 	op.IsOk = isOk
 	err := this.Save(tx, op)
 	return err
 }

-// 取得任务的最后一条执行日志
+// FindLatestACMETasKLog 取得任务的最后一条执行日志
 func (this *ACMETaskLogDAO) FindLatestACMETasKLog(tx *dbs.Tx, taskId int64) (*ACMETaskLog, error) {
 	one, err := this.Query(tx).
 		Attr("taskId", taskId).
--- a/internal/db/models/acme/acme_user_dao.go
+++ b/internal/db/models/acme/acme_user_dao.go
@@ -131,6 +131,8 @@ func (this *ACMEUserDAO) CountACMEUsersWithAdminId(tx *dbs.Tx, adminId int64, us
 	}
 	if userId > 0 {
 		query.Attr("userId", userId)
+	} else {
+		query.Attr("userId", 0)
 	}
 	if accountId > 0 {
 		query.Attr("accountId", accountId)
@@ -149,6 +151,8 @@ func (this *ACMEUserDAO) ListACMEUsers(tx *dbs.Tx, adminId int64, userId int64,
 	}
 	if userId > 0 {
 		query.Attr("userId", userId)
+	} else {
+		query.Attr("userId", 0)
 	}

 	_, err = query.
--- a/internal/db/models/ad_network_dao.go
+++ b/internal/db/models/ad_network_dao.go
@@ -0,0 +1,71 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	ADNetworkStateEnabled  = 1 // 已启用
+	ADNetworkStateDisabled = 0 // 已禁用
+)
+
+type ADNetworkDAO dbs.DAO
+
+func NewADNetworkDAO() *ADNetworkDAO {
+	return dbs.NewDAO(&ADNetworkDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeADNetworks",
+			Model:  new(ADNetwork),
+			PkName: "id",
+		},
+	}).(*ADNetworkDAO)
+}
+
+var SharedADNetworkDAO *ADNetworkDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedADNetworkDAO = NewADNetworkDAO()
+	})
+}
+
+// EnableADNetwork 启用条目
+func (this *ADNetworkDAO) EnableADNetwork(tx *dbs.Tx, id uint32) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADNetworkStateEnabled).
+		Update()
+	return err
+}
+
+// DisableADNetwork 禁用条目
+func (this *ADNetworkDAO) DisableADNetwork(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADNetworkStateDisabled).
+		Update()
+	return err
+}
+
+// FindEnabledADNetwork 查找启用中的条目
+func (this *ADNetworkDAO) FindEnabledADNetwork(tx *dbs.Tx, id int64) (*ADNetwork, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		State(ADNetworkStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ADNetwork), err
+}
+
+// FindADNetworkName 根据主键查找名称
+func (this *ADNetworkDAO) FindADNetworkName(tx *dbs.Tx, id uint32) (string, error) {
+	return this.Query(tx).
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
--- a/internal/db/models/nameservers/ns_key_dao_test.go
+++ b/internal/db/models/nameservers/ns_key_dao_test.go
@@ -1,4 +1,4 @@
-package nameservers
+package models_test

 import (
 	_ "github.com/go-sql-driver/mysql"
--- a/internal/db/models/ad_network_model.go
+++ b/internal/db/models/ad_network_model.go
@@ -0,0 +1,24 @@
+package models
+
+// ADNetwork 高防线路
+type ADNetwork struct {
+	Id          uint32 `field:"id"`          // ID
+	IsOn        bool   `field:"isOn"`        // 是否启用
+	Name        string `field:"name"`        // 名称
+	Description string `field:"description"` // 描述
+	Order       uint32 `field:"order"`       // 排序
+	State       uint8  `field:"state"`       // 状态
+}
+
+type ADNetworkOperator struct {
+	Id          any // ID
+	IsOn        any // 是否启用
+	Name        any // 名称
+	Description any // 描述
+	Order       any // 排序
+	State       any // 状态
+}
+
+func NewADNetworkOperator() *ADNetworkOperator {
+	return &ADNetworkOperator{}
+}
--- a/internal/db/models/client_browser_model_ext.go
+++ b/internal/db/models/client_browser_model_ext.go
--- a/internal/db/models/ad_package_dao.go
+++ b/internal/db/models/ad_package_dao.go
@@ -0,0 +1,71 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	ADPackageStateEnabled  = 1 // 已启用
+	ADPackageStateDisabled = 0 // 已禁用
+)
+
+type ADPackageDAO dbs.DAO
+
+func NewADPackageDAO() *ADPackageDAO {
+	return dbs.NewDAO(&ADPackageDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeADPackages",
+			Model:  new(ADPackage),
+			PkName: "id",
+		},
+	}).(*ADPackageDAO)
+}
+
+var SharedADPackageDAO *ADPackageDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedADPackageDAO = NewADPackageDAO()
+	})
+}
+
+// EnableADPackage 启用条目
+func (this *ADPackageDAO) EnableADPackage(tx *dbs.Tx, id uint32) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADPackageStateEnabled).
+		Update()
+	return err
+}
+
+// DisableADPackage 禁用条目
+func (this *ADPackageDAO) DisableADPackage(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADPackageStateDisabled).
+		Update()
+	return err
+}
+
+// FindEnabledADPackage 查找启用中的条目
+func (this *ADPackageDAO) FindEnabledADPackage(tx *dbs.Tx, id int64) (*ADPackage, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		State(ADPackageStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ADPackage), err
+}
+
+// FindADPackageName 根据主键查找名称
+func (this *ADPackageDAO) FindADPackageName(tx *dbs.Tx, id uint32) (string, error) {
+	return this.Query(tx).
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
--- a/internal/db/models/monitor_node_dao_test.go
+++ b/internal/db/models/monitor_node_dao_test.go
@@ -1,4 +1,4 @@
-package models
+package models_test

 import (
 	_ "github.com/go-sql-driver/mysql"
--- a/internal/db/models/ad_package_instance_dao.go
+++ b/internal/db/models/ad_package_instance_dao.go
@@ -0,0 +1,54 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	ADPackageInstanceStateEnabled  = 1 // 已启用
+	ADPackageInstanceStateDisabled = 0 // 已禁用
+)
+
+type ADPackageInstanceDAO dbs.DAO
+
+func NewADPackageInstanceDAO() *ADPackageInstanceDAO {
+	return dbs.NewDAO(&ADPackageInstanceDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeADPackageInstances",
+			Model:  new(ADPackageInstance),
+			PkName: "id",
+		},
+	}).(*ADPackageInstanceDAO)
+}
+
+var SharedADPackageInstanceDAO *ADPackageInstanceDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedADPackageInstanceDAO = NewADPackageInstanceDAO()
+	})
+}
+
+// EnableADPackageInstance 启用条目
+func (this *ADPackageInstanceDAO) EnableADPackageInstance(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADPackageInstanceStateEnabled).
+		Update()
+	return err
+}
+
+// FindEnabledADPackageInstance 查找启用中的条目
+func (this *ADPackageInstanceDAO) FindEnabledADPackageInstance(tx *dbs.Tx, id int64) (*ADPackageInstance, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		State(ADPackageInstanceStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ADPackageInstance), err
+}
--- a/internal/db/models/ad_package_instance_dao_test.go
+++ b/internal/db/models/ad_package_instance_dao_test.go
@@ -0,0 +1,6 @@
+package models_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/ad_package_instance_model.go
+++ b/internal/db/models/ad_package_instance_model.go
@@ -0,0 +1,36 @@
+package models
+
+import "github.com/iwind/TeaGo/dbs"
+
+// ADPackageInstance 高防实例
+type ADPackageInstance struct {
+	Id             uint32   `field:"id"`             // ID
+	IsOn           bool     `field:"isOn"`           // 是否启用
+	PackageId      uint32   `field:"packageId"`      // 规格ID
+	ClusterId      uint32   `field:"clusterId"`      // 集群ID
+	NodeIds        dbs.JSON `field:"nodeIds"`        // 节点ID
+	IpAddresses    dbs.JSON `field:"ipAddresses"`    // IP地址
+	UserId         uint64   `field:"userId"`         // 用户ID
+	UserDayTo      string   `field:"userDayTo"`      // 用户有效期YYYYMMDD
+	UserInstanceId uint64   `field:"userInstanceId"` // 用户实例ID
+	State          uint8    `field:"state"`          // 状态
+	ObjectCodes    dbs.JSON `field:"objectCodes"`    // 防护对象
+}
+
+type ADPackageInstanceOperator struct {
+	Id             any // ID
+	IsOn           any // 是否启用
+	PackageId      any // 规格ID
+	ClusterId      any // 集群ID
+	NodeIds        any // 节点ID
+	IpAddresses    any // IP地址
+	UserId         any // 用户ID
+	UserDayTo      any // 用户有效期YYYYMMDD
+	UserInstanceId any // 用户实例ID
+	State          any // 状态
+	ObjectCodes    any // 防护对象
+}
+
+func NewADPackageInstanceOperator() *ADPackageInstanceOperator {
+	return &ADPackageInstanceOperator{}
+}
--- a/internal/db/models/ad_package_instance_model_ext.go
+++ b/internal/db/models/ad_package_instance_model_ext.go
--- a/internal/db/models/ad_package_model.go
+++ b/internal/db/models/ad_package_model.go
@@ -0,0 +1,32 @@
+package models
+
+// ADPackage 高防产品规格
+type ADPackage struct {
+	Id                      uint32 `field:"id"`                      // ID
+	IsOn                    bool   `field:"isOn"`                    // 是否启用
+	NetworkId               uint32 `field:"networkId"`               // 线路ID
+	ProtectionBandwidthSize uint32 `field:"protectionBandwidthSize"` // 防护带宽尺寸
+	ProtectionBandwidthUnit string `field:"protectionBandwidthUnit"` // 防护带宽单位
+	ProtectionBandwidthBits uint64 `field:"protectionBandwidthBits"` // 防护带宽比特
+	ServerBandwidthSize     uint32 `field:"serverBandwidthSize"`     // 业务带宽尺寸
+	ServerBandwidthUnit     string `field:"serverBandwidthUnit"`     // 业务带宽单位
+	ServerBandwidthBits     uint64 `field:"serverBandwidthBits"`     // 业务带宽比特
+	State                   uint8  `field:"state"`                   // 状态
+}
+
+type ADPackageOperator struct {
+	Id                      any // ID
+	IsOn                    any // 是否启用
+	NetworkId               any // 线路ID
+	ProtectionBandwidthSize any // 防护带宽尺寸
+	ProtectionBandwidthUnit any // 防护带宽单位
+	ProtectionBandwidthBits any // 防护带宽比特
+	ServerBandwidthSize     any // 业务带宽尺寸
+	ServerBandwidthUnit     any // 业务带宽单位
+	ServerBandwidthBits     any // 业务带宽比特
+	State                   any // 状态
+}
+
+func NewADPackageOperator() *ADPackageOperator {
+	return &ADPackageOperator{}
+}
--- a/internal/db/models/monitor_node_model_ext.go
+++ b/internal/db/models/monitor_node_model_ext.go
--- a/internal/db/models/ad_package_period_dao.go
+++ b/internal/db/models/ad_package_period_dao.go
@@ -0,0 +1,63 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	ADPackagePeriodStateEnabled  = 1 // 已启用
+	ADPackagePeriodStateDisabled = 0 // 已禁用
+)
+
+type ADPackagePeriodDAO dbs.DAO
+
+func NewADPackagePeriodDAO() *ADPackagePeriodDAO {
+	return dbs.NewDAO(&ADPackagePeriodDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeADPackagePeriods",
+			Model:  new(ADPackagePeriod),
+			PkName: "id",
+		},
+	}).(*ADPackagePeriodDAO)
+}
+
+var SharedADPackagePeriodDAO *ADPackagePeriodDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedADPackagePeriodDAO = NewADPackagePeriodDAO()
+	})
+}
+
+// EnableADPackagePeriod 启用条目
+func (this *ADPackagePeriodDAO) EnableADPackagePeriod(tx *dbs.Tx, id uint32) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADPackagePeriodStateEnabled).
+		Update()
+	return err
+}
+
+// DisableADPackagePeriod 禁用条目
+func (this *ADPackagePeriodDAO) DisableADPackagePeriod(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ADPackagePeriodStateDisabled).
+		Update()
+	return err
+}
+
+// FindEnabledADPackagePeriod 查找启用中的条目
+func (this *ADPackagePeriodDAO) FindEnabledADPackagePeriod(tx *dbs.Tx, id int64) (*ADPackagePeriod, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		State(ADPackagePeriodStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ADPackagePeriod), err
+}
--- a/internal/db/models/ad_package_period_dao_test.go
+++ b/internal/db/models/ad_package_period_dao_test.go
@@ -0,0 +1,6 @@
+package models_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/ad_package_period_model.go
+++ b/internal/db/models/ad_package_period_model.go
@@ -0,0 +1,24 @@
+package models
+
+// ADPackagePeriod 高防产品有效期
+type ADPackagePeriod struct {
+	Id     uint32 `field:"id"`     // ID
+	IsOn   bool   `field:"isOn"`   // 是否启用
+	Count  uint32 `field:"count"`  // 数量
+	Unit   string `field:"unit"`   // 单位：month, year
+	Months uint32 `field:"months"` // 月数
+	State  uint8  `field:"state"`  // 状态
+}
+
+type ADPackagePeriodOperator struct {
+	Id     any // ID
+	IsOn   any // 是否启用
+	Count  any // 数量
+	Unit   any // 单位：month, year
+	Months any // 月数
+	State  any // 状态
+}
+
+func NewADPackagePeriodOperator() *ADPackagePeriodOperator {
+	return &ADPackagePeriodOperator{}
+}
--- a/internal/db/models/ad_package_period_model_ext.go
+++ b/internal/db/models/ad_package_period_model_ext.go
@@ -0,0 +1 @@
+package models
--- a/internal/db/models/ad_package_price_dao.go
+++ b/internal/db/models/ad_package_price_dao.go
@@ -0,0 +1,28 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+type ADPackagePriceDAO dbs.DAO
+
+func NewADPackagePriceDAO() *ADPackagePriceDAO {
+	return dbs.NewDAO(&ADPackagePriceDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeADPackagePrices",
+			Model:  new(ADPackagePrice),
+			PkName: "id",
+		},
+	}).(*ADPackagePriceDAO)
+}
+
+var SharedADPackagePriceDAO *ADPackagePriceDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedADPackagePriceDAO = NewADPackagePriceDAO()
+	})
+}
--- a/internal/db/models/ad_package_price_dao_test.go
+++ b/internal/db/models/ad_package_price_dao_test.go
@@ -0,0 +1,6 @@
+package models_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/ad_package_price_model.go
+++ b/internal/db/models/ad_package_price_model.go
@@ -0,0 +1,22 @@
+package models
+
+// ADPackagePrice 流量包价格
+type ADPackagePrice struct {
+	Id            uint32  `field:"id"`            // ID
+	PackageId     uint32  `field:"packageId"`     // 高防产品ID
+	PeriodId      uint32  `field:"periodId"`      // 有效期ID
+	Price         float64 `field:"price"`         // 价格
+	DiscountPrice float64 `field:"discountPrice"` // 折后价格
+}
+
+type ADPackagePriceOperator struct {
+	Id            any // ID
+	PackageId     any // 高防产品ID
+	PeriodId      any // 有效期ID
+	Price         any // 价格
+	DiscountPrice any // 折后价格
+}
+
+func NewADPackagePriceOperator() *ADPackagePriceOperator {
+	return &ADPackagePriceOperator{}
+}
--- a/internal/db/models/ad_package_price_model_ext.go
+++ b/internal/db/models/ad_package_price_model_ext.go
@@ -0,0 +1 @@
+package models
--- a/internal/db/models/admin_dao.go
+++ b/internal/db/models/admin_dao.go
@@ -1,6 +1,7 @@
 package models

 import (
+	dbutils "github.com/TeaOSLab/EdgeAPI/internal/db/utils"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
@@ -44,11 +45,17 @@ func (this *AdminDAO) EnableAdmin(tx *dbs.Tx, id int64) (rowsAffected int64, err
 }

 // DisableAdmin 禁用条目
-func (this *AdminDAO) DisableAdmin(tx *dbs.Tx, id int64) (rowsAffected int64, err error) {
-	return this.Query(tx).
-		Pk(id).
+func (this *AdminDAO) DisableAdmin(tx *dbs.Tx, adminId int64) error {
+	err := this.Query(tx).
+		Pk(adminId).
 		Set("state", AdminStateDisabled).
-		Update()
+		UpdateQuickly()
+	if err != nil {
+		return err
+	}
+
+	// 删除AccessTokens
+	return SharedAPIAccessTokenDAO.DeleteAccessTokens(tx, adminId, 0)
 }

 // FindEnabledAdmin 查找启用中的条目
@@ -63,6 +70,19 @@ func (this *AdminDAO) FindEnabledAdmin(tx *dbs.Tx, id int64) (*Admin, error) {
 	return result.(*Admin), err
 }

+// FindBasicAdmin 查找管理员基本信息
+func (this *AdminDAO) FindBasicAdmin(tx *dbs.Tx, id int64) (*Admin, error) {
+	result, err := this.Query(tx).
+		Result("id", "username", "fullname").
+		Pk(id).
+		Attr("state", AdminStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*Admin), err
+}
+
 // ExistEnabledAdmin 检查管理员是否存在
 func (this *AdminDAO) ExistEnabledAdmin(tx *dbs.Tx, adminId int64) (bool, error) {
 	return this.Query(tx).
@@ -177,7 +197,19 @@ func (this *AdminDAO) UpdateAdmin(tx *dbs.Tx, adminId int64, username string, ca
 	}
 	op.IsOn = isOn
 	err := this.Save(tx, op)
-	return err
+	if err != nil {
+		return err
+	}
+
+	if !isOn {
+		// 删除AccessTokens
+		err = SharedAPIAccessTokenDAO.DeleteAccessTokens(tx, adminId, 0)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

 // CheckAdminUsername 检查用户名是否存在
@@ -228,24 +260,43 @@ func (this *AdminDAO) FindAllAdminModules(tx *dbs.Tx) (result []*Admin, err erro
 	_, err = this.Query(tx).
 		State(AdminStateEnabled).
 		Attr("isOn", true).
-		Result("id", "modules", "isSuper", "fullname", "theme").
+		Result("id", "modules", "isSuper", "fullname", "theme", "lang").
 		Slice(&result).
 		FindAll()
 	return
 }

 // CountAllEnabledAdmins 计算所有管理员数量
-func (this *AdminDAO) CountAllEnabledAdmins(tx *dbs.Tx) (int64, error) {
-	return this.Query(tx).
+func (this *AdminDAO) CountAllEnabledAdmins(tx *dbs.Tx, keyword string, hasWeakPasswords bool) (int64, error) {
+	var query = this.Query(tx)
+	if len(keyword) > 0 {
+		query.Where("(username LIKE :keyword OR fullname LIKE :keyword)")
+		query.Param("keyword", dbutils.QuoteLike(keyword))
+	}
+	if hasWeakPasswords {
+		query.Attr("password", weakPasswords)
+		query.Attr("isOn", true)
+	}
+	return query.
 		State(AdminStateEnabled).
 		Count()
 }

 // ListEnabledAdmins 列出单页的管理员
-func (this *AdminDAO) ListEnabledAdmins(tx *dbs.Tx, offset int64, size int64) (result []*Admin, err error) {
-	_, err = this.Query(tx).
+func (this *AdminDAO) ListEnabledAdmins(tx *dbs.Tx, keyword string, hasWeakPasswords bool, offset int64, size int64) (result []*Admin, err error) {
+	var query = this.Query(tx)
+	if len(keyword) > 0 {
+		query.Where("(username LIKE :keyword OR fullname LIKE :keyword)")
+		query.Param("keyword", dbutils.QuoteLike(keyword))
+	}
+	if hasWeakPasswords {
+		query.Attr("password", weakPasswords)
+		query.Attr("isOn", true)
+	}
+
+	_, err = query.
 		State(AdminStateEnabled).
-		Result("id", "isOn", "username", "fullname", "isSuper", "createdAt", "canLogin").
+		Result("id", "isOn", "username", "fullname", "isSuper", "createdAt", "canLogin", "password").
 		Offset(offset).
 		Limit(size).
 		DescPk().
@@ -261,3 +312,23 @@ func (this *AdminDAO) UpdateAdminTheme(tx *dbs.Tx, adminId int64, theme string)
 		Set("theme", theme).
 		UpdateQuickly()
 }
+
+// UpdateAdminLang 设置管理员语言
+func (this *AdminDAO) UpdateAdminLang(tx *dbs.Tx, adminId int64, langCode string) error {
+	return this.Query(tx).
+		Pk(adminId).
+		Set("lang", langCode).
+		UpdateQuickly()
+}
+
+// CheckSuperAdmin 检查管理员是否为超级管理员
+func (this *AdminDAO) CheckSuperAdmin(tx *dbs.Tx, adminId int64) (bool, error) {
+	if adminId <= 0 {
+		return false, nil
+	}
+	return this.Query(tx).
+		Pk(adminId).
+		State(AdminStateEnabled).
+		Attr("isSuper", true).
+		Exist()
+}
--- a/internal/db/models/admin_model.go
+++ b/internal/db/models/admin_model.go
@@ -2,6 +2,22 @@ package models

 import "github.com/iwind/TeaGo/dbs"

+const (
+	AdminField_Id        dbs.FieldName = "id"        // ID
+	AdminField_IsOn      dbs.FieldName = "isOn"      // 是否启用
+	AdminField_Username  dbs.FieldName = "username"  // 用户名
+	AdminField_Password  dbs.FieldName = "password"  // 密码
+	AdminField_Fullname  dbs.FieldName = "fullname"  // 全名
+	AdminField_IsSuper   dbs.FieldName = "isSuper"   // 是否为超级管理员
+	AdminField_CreatedAt dbs.FieldName = "createdAt" // 创建时间
+	AdminField_UpdatedAt dbs.FieldName = "updatedAt" // 修改时间
+	AdminField_State     dbs.FieldName = "state"     // 状态
+	AdminField_Modules   dbs.FieldName = "modules"   // 允许的模块
+	AdminField_CanLogin  dbs.FieldName = "canLogin"  // 是否可以登录
+	AdminField_Theme     dbs.FieldName = "theme"     // 模板设置
+	AdminField_Lang      dbs.FieldName = "lang"      // 语言代号
+)
+
 // Admin 管理员
 type Admin struct {
 	Id        uint32   `field:"id"`        // ID
@@ -14,23 +30,25 @@ type Admin struct {
 	UpdatedAt uint64   `field:"updatedAt"` // 修改时间
 	State     uint8    `field:"state"`     // 状态
 	Modules   dbs.JSON `field:"modules"`   // 允许的模块
-	CanLogin  uint8    `field:"canLogin"`  // 是否可以登录
+	CanLogin  bool     `field:"canLogin"`  // 是否可以登录
 	Theme     string   `field:"theme"`     // 模板设置
+	Lang      string   `field:"lang"`      // 语言代号
 }

 type AdminOperator struct {
-	Id        interface{} // ID
-	IsOn      interface{} // 是否启用
-	Username  interface{} // 用户名
-	Password  interface{} // 密码
-	Fullname  interface{} // 全名
-	IsSuper   interface{} // 是否为超级管理员
-	CreatedAt interface{} // 创建时间
-	UpdatedAt interface{} // 修改时间
-	State     interface{} // 状态
-	Modules   interface{} // 允许的模块
-	CanLogin  interface{} // 是否可以登录
-	Theme     interface{} // 模板设置
+	Id        any // ID
+	IsOn      any // 是否启用
+	Username  any // 用户名
+	Password  any // 密码
+	Fullname  any // 全名
+	IsSuper   any // 是否为超级管理员
+	CreatedAt any // 创建时间
+	UpdatedAt any // 修改时间
+	State     any // 状态
+	Modules   any // 允许的模块
+	CanLogin  any // 是否可以登录
+	Theme     any // 模板设置
+	Lang      any // 语言代号
 }

 func NewAdminOperator() *AdminOperator {
--- a/internal/db/models/admin_model_ext.go
+++ b/internal/db/models/admin_model_ext.go
@@ -1 +1,42 @@
 package models
+
+import stringutil "github.com/iwind/TeaGo/utils/string"
+
+// 弱密码集合
+var weakPasswords = []string{}
+
+func init() {
+	// 初始化弱密码集合
+	for _, password := range []string{
+		"123",
+		"1234",
+		"12345",
+		"123456",
+		"12345678",
+		"123456789",
+		"000000",
+		"111111",
+		"666666",
+		"888888",
+		"654321",
+		"123456789",
+		"password",
+		"qwerty",
+		"admin",
+	} {
+		weakPasswords = append(weakPasswords, stringutil.Md5(password))
+	}
+}
+
+func (this *Admin) HasWeakPassword() bool {
+	if len(this.Password) == 0 {
+		return false
+	}
+
+	for _, weakPassword := range weakPasswords {
+		if weakPassword == this.Password {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/db/models/api_access_token_dao.go
+++ b/internal/db/models/api_access_token_dao.go
@@ -81,3 +81,16 @@ func (this *APIAccessTokenDAO) FindAccessToken(tx *dbs.Tx, token string) (*APIAc
 	}
 	return one.(*APIAccessToken), nil
 }
+
+// DeleteAccessTokens 删除用户的令牌
+func (this *APIAccessTokenDAO) DeleteAccessTokens(tx *dbs.Tx, adminId int64, userId int64) error {
+	var query = this.Query(tx)
+	if adminId > 0 {
+		query.Attr("adminId", adminId)
+	} else if userId > 0 {
+		query.Attr("userId", userId)
+	} else {
+		return nil
+	}
+	return query.DeleteQuickly()
+}
--- a/internal/db/models/api_node_dao.go
+++ b/internal/db/models/api_node_dao.go
@@ -335,6 +335,7 @@ func (this *APINodeDAO) UpdateAPINodeStatus(tx *dbs.Tx, apiNodeId int64, statusJ
 func (this *APINodeDAO) CountAllLowerVersionNodes(tx *dbs.Tx, version string) (int64, error) {
 	return this.Query(tx).
 		State(APINodeStateEnabled).
+		Attr("isOn", true).
 		Where("status IS NOT NULL").
 		Where("(JSON_EXTRACT(status, '$.buildVersionCode') IS NULL OR JSON_EXTRACT(status, '$.buildVersionCode')<:version)").
 		Param("version", utils.VersionToLong(version)).
--- a/internal/db/models/api_node_model_ext.go
+++ b/internal/db/models/api_node_model_ext.go
@@ -1,6 +1,7 @@
 package models

 import (
+	"context"
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeAPI/internal/utils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
@@ -37,15 +38,15 @@ func (this *APINode) DecodeHTTPS(tx *dbs.Tx, cacheMap *utils.CacheMap) (*serverc
 		return nil, err
 	}

-	err = config.Init()
+	err = config.Init(context.TODO())
 	if err != nil {
 		return nil, err
 	}

 	if config.SSLPolicyRef != nil {
-		policyId := config.SSLPolicyRef.SSLPolicyId
+		var policyId = config.SSLPolicyRef.SSLPolicyId
 		if policyId > 0 {
-			sslPolicy, err := SharedSSLPolicyDAO.ComposePolicyConfig(tx, policyId, cacheMap)
+			sslPolicy, err := SharedSSLPolicyDAO.ComposePolicyConfig(tx, policyId, false, nil, cacheMap)
 			if err != nil {
 				return nil, err
 			}
@@ -55,7 +56,7 @@ func (this *APINode) DecodeHTTPS(tx *dbs.Tx, cacheMap *utils.CacheMap) (*serverc
 		}
 	}

-	err = config.Init()
+	err = config.Init(context.TODO())
 	if err != nil {
 		return nil, err
 	}
@@ -129,13 +130,13 @@ func (this *APINode) DecodeRestHTTPS(tx *dbs.Tx, cacheMap *utils.CacheMap) (*ser
 	if !IsNotNull(this.RestHTTPS) {
 		return nil, nil
 	}
-	config := &serverconfigs.HTTPSProtocolConfig{}
+	var config = &serverconfigs.HTTPSProtocolConfig{}
 	err := json.Unmarshal(this.RestHTTPS, config)
 	if err != nil {
 		return nil, err
 	}

-	err = config.Init()
+	err = config.Init(context.TODO())
 	if err != nil {
 		return nil, err
 	}
@@ -143,7 +144,7 @@ func (this *APINode) DecodeRestHTTPS(tx *dbs.Tx, cacheMap *utils.CacheMap) (*ser
 	if config.SSLPolicyRef != nil {
 		policyId := config.SSLPolicyRef.SSLPolicyId
 		if policyId > 0 {
-			sslPolicy, err := SharedSSLPolicyDAO.ComposePolicyConfig(tx, policyId, cacheMap)
+			sslPolicy, err := SharedSSLPolicyDAO.ComposePolicyConfig(tx, policyId, false, nil, cacheMap)
 			if err != nil {
 				return nil, err
 			}
@@ -153,7 +154,7 @@ func (this *APINode) DecodeRestHTTPS(tx *dbs.Tx, cacheMap *utils.CacheMap) (*ser
 		}
 	}

-	err = config.Init()
+	err = config.Init(context.TODO())
 	if err != nil {
 		return nil, err
 	}
--- a/internal/db/models/api_token_dao.go
+++ b/internal/db/models/api_token_dao.go
@@ -77,7 +77,7 @@ func (this *ApiTokenDAO) FindEnabledTokenWithNodeCacheable(tx *dbs.Tx, nodeId st
 		State(ApiTokenStateEnabled).
 		Find()
 	if one != nil {
-		token := one.(*ApiToken)
+		token = one.(*ApiToken)
 		SharedCacheLocker.Lock()
 		apiTokenCacheMap[nodeId] = token
 		SharedCacheLocker.Unlock()
--- a/internal/db/models/authority/authority_key_dao.go
+++ b/internal/db/models/authority/authority_key_dao.go
@@ -1,13 +1,9 @@
 package authority

 import (
-	"encoding/json"
-	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/dbs"
-	timeutil "github.com/iwind/TeaGo/utils/time"
-	"time"
 )

 type AuthorityKeyDAO dbs.DAO
@@ -33,63 +29,3 @@ func init() {
 		_, _ = SharedAuthorityKeyDAO.IsPlus(nil)
 	})
 }
-
-// UpdateKey 设置Key
-func (this *AuthorityKeyDAO) UpdateKey(tx *dbs.Tx, value string, dayFrom string, dayTo string, hostname string, macAddresses []string, company string) error {
-	one, err := this.Query(tx).
-		AscPk().
-		Find()
-	if err != nil {
-		return err
-	}
-	var op = NewAuthorityKeyOperator()
-	if one != nil {
-		op.Id = one.(*AuthorityKey).Id
-	}
-	op.Value = value
-	op.DayFrom = dayFrom
-	op.DayTo = dayTo
-	op.Hostname = hostname
-
-	if len(macAddresses) == 0 {
-		macAddresses = []string{}
-	}
-	macAddressesJSON, err := json.Marshal(macAddresses)
-	if err != nil {
-		return err
-	}
-
-	op.MacAddresses = macAddressesJSON
-	op.Company = company
-	op.UpdatedAt = time.Now().Unix()
-
-	return this.Save(tx, op)
-}
-
-// ReadKey 读取Key
-func (this *AuthorityKeyDAO) ReadKey(tx *dbs.Tx) (key *AuthorityKey, err error) {
-	one, err := this.Query(tx).
-		AscPk().
-		Find()
-	if err != nil {
-		return nil, err
-	}
-	if one == nil {
-		return nil, nil
-	}
-	key = one.(*AuthorityKey)
-
-	// 顺便更新相关变量
-	if key.DayTo >= timeutil.Format("Y-m-d") {
-		teaconst.IsPlus = true
-	}
-
-	return
-}
-
-// ResetKey 重置Key
-func (this *AuthorityKeyDAO) ResetKey(tx *dbs.Tx) error {
-	_, err := this.Query(tx).
-		Delete()
-	return err
-}
--- a/internal/db/models/authority/authority_key_dao_test.go
+++ b/internal/db/models/authority/authority_key_dao_test.go
@@ -1,23 +1,6 @@
-package authority
+package authority_test

 import (
 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/iwind/TeaGo/bootstrap"
-	"testing"
 )
-
-func TestAuthorityKeyDAO_UpdateValue(t *testing.T) {
-	err := NewAuthorityKeyDAO().UpdateKey(nil, "12345678", "", "", "", []string{}, "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Log("ok")
-}
-
-func TestAuthorityKeyDAO_ReadValue(t *testing.T) {
-	value, err := NewAuthorityKeyDAO().ReadKey(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Log(value)
-}
--- a/internal/db/models/authority/authority_key_model.go
+++ b/internal/db/models/authority/authority_key_model.go
@@ -2,6 +2,18 @@ package authority

 import "github.com/iwind/TeaGo/dbs"

+const (
+	AuthorityKeyField_Id           dbs.FieldName = "id"           // ID
+	AuthorityKeyField_Value        dbs.FieldName = "value"        // Key值
+	AuthorityKeyField_DayFrom      dbs.FieldName = "dayFrom"      // 开始日期
+	AuthorityKeyField_DayTo        dbs.FieldName = "dayTo"        // 结束日期
+	AuthorityKeyField_Hostname     dbs.FieldName = "hostname"     // Hostname
+	AuthorityKeyField_MacAddresses dbs.FieldName = "macAddresses" // MAC地址
+	AuthorityKeyField_UpdatedAt    dbs.FieldName = "updatedAt"    // 创建/修改时间
+	AuthorityKeyField_Company      dbs.FieldName = "company"      // 公司组织
+	AuthorityKeyField_RequestCode  dbs.FieldName = "requestCode"  // 申请码
+)
+
 // AuthorityKey 企业版认证信息
 type AuthorityKey struct {
 	Id           uint32   `field:"id"`           // ID
@@ -12,17 +24,19 @@ type AuthorityKey struct {
 	MacAddresses dbs.JSON `field:"macAddresses"` // MAC地址
 	UpdatedAt    uint64   `field:"updatedAt"`    // 创建/修改时间
 	Company      string   `field:"company"`      // 公司组织
+	RequestCode  string   `field:"requestCode"`  // 申请码
 }

 type AuthorityKeyOperator struct {
-	Id           interface{} // ID
-	Value        interface{} // Key值
-	DayFrom      interface{} // 开始日期
-	DayTo        interface{} // 结束日期
-	Hostname     interface{} // Hostname
-	MacAddresses interface{} // MAC地址
-	UpdatedAt    interface{} // 创建/修改时间
-	Company      interface{} // 公司组织
+	Id           any // ID
+	Value        any // Key值
+	DayFrom      any // 开始日期
+	DayTo        any // 结束日期
+	Hostname     any // Hostname
+	MacAddresses any // MAC地址
+	UpdatedAt    any // 创建/修改时间
+	Company      any // 公司组织
+	RequestCode  any // 申请码
 }

 func NewAuthorityKeyOperator() *AuthorityKeyOperator {
--- a/internal/db/models/authority/authority_node_dao.go
+++ b/internal/db/models/authority/authority_node_dao.go
@@ -210,6 +210,7 @@ func (this *AuthorityNodeDAO) UpdateNodeStatus(tx *dbs.Tx, nodeId int64, nodeSta
 func (this *AuthorityNodeDAO) CountAllLowerVersionNodes(tx *dbs.Tx, version string) (int64, error) {
 	return this.Query(tx).
 		State(AuthorityNodeStateEnabled).
+		Attr("isOn", true).
 		Where("status IS NOT NULL").
 		Where("(JSON_EXTRACT(status, '$.buildVersionCode') IS NULL OR JSON_EXTRACT(status, '$.buildVersionCode')<:version)").
 		Param("version", utils.VersionToLong(version)).
--- a/internal/db/models/client_browser_model.go
+++ b/internal/db/models/client_browser_model.go
@@ -1,22 +0,0 @@
-package models
-
-import "github.com/iwind/TeaGo/dbs"
-
-// ClientBrowser 终端浏览器信息
-type ClientBrowser struct {
-	Id    uint32   `field:"id"`    // ID
-	Name  string   `field:"name"`  // 浏览器名称
-	Codes dbs.JSON `field:"codes"` // 代号
-	State uint8    `field:"state"` // 状态
-}
-
-type ClientBrowserOperator struct {
-	Id    interface{} // ID
-	Name  interface{} // 浏览器名称
-	Codes interface{} // 代号
-	State interface{} // 状态
-}
-
-func NewClientBrowserOperator() *ClientBrowserOperator {
-	return &ClientBrowserOperator{}
-}
--- a/internal/db/models/client_system_dao_test.go
+++ b/internal/db/models/client_system_dao_test.go
@@ -1,5 +0,0 @@
-package models
-
-import (
-	_ "github.com/go-sql-driver/mysql"
-)
--- a/internal/db/models/client_system_model.go
+++ b/internal/db/models/client_system_model.go
@@ -1,22 +0,0 @@
-package models
-
-import "github.com/iwind/TeaGo/dbs"
-
-// ClientSystem 终端操作系统信息
-type ClientSystem struct {
-	Id    uint32   `field:"id"`    // ID
-	Name  string   `field:"name"`  // 系统名称
-	Codes dbs.JSON `field:"codes"` // 代号
-	State uint8    `field:"state"` //
-}
-
-type ClientSystemOperator struct {
-	Id    interface{} // ID
-	Name  interface{} // 系统名称
-	Codes interface{} // 代号
-	State interface{} //
-}
-
-func NewClientSystemOperator() *ClientSystemOperator {
-	return &ClientSystemOperator{}
-}
--- a/internal/db/models/clients/client_agent_dao.go
+++ b/internal/db/models/clients/client_agent_dao.go
@@ -0,0 +1,98 @@
+package clients
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+type ClientAgentDAO dbs.DAO
+
+func NewClientAgentDAO() *ClientAgentDAO {
+	return dbs.NewDAO(&ClientAgentDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeClientAgents",
+			Model:  new(ClientAgent),
+			PkName: "id",
+		},
+	}).(*ClientAgentDAO)
+}
+
+var SharedClientAgentDAO *ClientAgentDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedClientAgentDAO = NewClientAgentDAO()
+	})
+}
+
+// FindClientAgentName 根据主键查找名称
+func (this *ClientAgentDAO) FindClientAgentName(tx *dbs.Tx, id int64) (string, error) {
+	return this.Query(tx).
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
+
+// FindAgent 查找Agent
+func (this *ClientAgentDAO) FindAgent(tx *dbs.Tx, agentId int64) (*ClientAgent, error) {
+	if agentId <= 0 {
+		return nil, nil
+	}
+
+	one, err := this.Query(tx).
+		Pk(agentId).
+		Find()
+	if err != nil || one == nil {
+		return nil, err
+	}
+
+	return one.(*ClientAgent), nil
+}
+
+// FindAgentIdWithCode 根据代号查找ID
+func (this *ClientAgentDAO) FindAgentIdWithCode(tx *dbs.Tx, code string) (int64, error) {
+	return this.Query(tx).
+		ResultPk().
+		Attr("code", code).
+		FindInt64Col(0)
+}
+
+// FindAgentNameWithCode 根据代号查找Agent名称
+func (this *ClientAgentDAO) FindAgentNameWithCode(tx *dbs.Tx, code string) (string, error) {
+	return this.Query(tx).
+		Result("name").
+		Attr("code", code).
+		FindStringCol("")
+}
+
+// UpdateAgentCountIPs 修改Agent拥有的IP数量
+func (this *ClientAgentDAO) UpdateAgentCountIPs(tx *dbs.Tx, agentId int64, countIPs int64) error {
+	return this.Query(tx).
+		Pk(agentId).
+		Set("countIPs", countIPs).
+		UpdateQuickly()
+}
+
+// FindAllAgents 查找所有Agents
+func (this *ClientAgentDAO) FindAllAgents(tx *dbs.Tx) (result []*ClientAgent, err error) {
+	_, err = this.Query(tx).
+		Desc("order").
+		AscPk().
+		Slice(&result).
+		FindAll()
+	return
+}
+
+// FindAllNSAgents 查找所有DNS可以使用的Agents
+func (this *ClientAgentDAO) FindAllNSAgents(tx *dbs.Tx) (result []*ClientAgent, err error) {
+	// 注意：允许NS使用所有的Agent，不管有没有IP数据
+	_, err = this.Query(tx).
+		Result("id", "name", "code").
+		Desc("order").
+		AscPk().
+		Slice(&result).
+		FindAll()
+	return
+}
--- a/internal/db/models/clients/client_agent_dao_test.go
+++ b/internal/db/models/clients/client_agent_dao_test.go
@@ -0,0 +1,6 @@
+package clients_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/clients/client_agent_ip_dao.go
+++ b/internal/db/models/clients/client_agent_ip_dao.go
@@ -0,0 +1,105 @@
+package clients
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+// TODO 需要定时对所有IP的PTR进行检查，剔除已经变更的IP
+
+type ClientAgentIPDAO dbs.DAO
+
+func NewClientAgentIPDAO() *ClientAgentIPDAO {
+	return dbs.NewDAO(&ClientAgentIPDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeClientAgentIPs",
+			Model:  new(ClientAgentIP),
+			PkName: "id",
+		},
+	}).(*ClientAgentIPDAO)
+}
+
+var SharedClientAgentIPDAO *ClientAgentIPDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedClientAgentIPDAO = NewClientAgentIPDAO()
+	})
+}
+
+// CreateIP 写入IP
+func (this *ClientAgentIPDAO) CreateIP(tx *dbs.Tx, agentId int64, ip string, ptr string) error {
+	// 检查数据有效性
+	if agentId <= 0 || len(ip) == 0 {
+		return nil
+	}
+
+	// 限制ptr长度
+	if len(ptr) > 100 {
+		ptr = ptr[:100]
+	}
+
+	// 检查是否存在
+	exists, err := this.Query(tx).
+		Attr("agentId", agentId).
+		Attr("ip", ip).
+		Exist()
+
+	if err != nil {
+		return err
+	}
+	if exists {
+		return nil
+	}
+
+	var op = NewClientAgentIPOperator()
+	op.AgentId = agentId
+	op.IP = ip
+	op.Ptr = ptr
+	err = this.Save(tx, op)
+	if err != nil {
+		// 忽略duplicate错误
+		if models.CheckSQLDuplicateErr(err) {
+			return nil
+		}
+		return err
+	}
+
+	// 更新Agent IP数量
+	countIPs, err := this.CountAgentIPs(tx, agentId)
+	if err != nil {
+		return err
+	}
+	err = SharedClientAgentDAO.UpdateAgentCountIPs(tx, agentId, countIPs)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ListIPsAfterId 列出某个ID之后的IP
+func (this *ClientAgentIPDAO) ListIPsAfterId(tx *dbs.Tx, id int64, size int64) (result []*ClientAgentIP, err error) {
+	if id < 0 {
+		id = 0
+	}
+
+	_, err = this.Query(tx).
+		Result("id", "ip", "ptr", "agentId").
+		Gt("id", id).
+		AscPk().
+		Limit(size). // 限制单次读取个数
+		Slice(&result).
+		FindAll()
+	return
+}
+
+// CountAgentIPs 计算Agent IP数量
+func (this *ClientAgentIPDAO) CountAgentIPs(tx *dbs.Tx, agentId int64) (int64, error) {
+	return this.Query(tx).
+		Attr("agentId", agentId).
+		Count()
+}
--- a/internal/db/models/clients/client_agent_ip_dao_test.go
+++ b/internal/db/models/clients/client_agent_ip_dao_test.go
@@ -0,0 +1,16 @@
+package clients_test
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models/clients"
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+	"testing"
+)
+
+func TestClientAgentIPDAO_CreateIP(t *testing.T) {
+	var dao = clients.NewClientAgentIPDAO()
+	err := dao.CreateIP(nil, 1, "127.0.0.1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
--- a/internal/db/models/clients/client_agent_ip_model.go
+++ b/internal/db/models/clients/client_agent_ip_model.go
@@ -0,0 +1,20 @@
+package clients
+
+// ClientAgentIP Agent IP
+type ClientAgentIP struct {
+	Id      uint64 `field:"id"`      // ID
+	AgentId uint32 `field:"agentId"` // Agent ID
+	IP      string `field:"ip"`      // IP地址
+	Ptr     string `field:"ptr"`     // PTR值
+}
+
+type ClientAgentIPOperator struct {
+	Id      any // ID
+	AgentId any // Agent ID
+	IP      any // IP地址
+	Ptr     any // PTR值
+}
+
+func NewClientAgentIPOperator() *ClientAgentIPOperator {
+	return &ClientAgentIPOperator{}
+}
--- a/internal/db/models/clients/client_agent_ip_model_ext.go
+++ b/internal/db/models/clients/client_agent_ip_model_ext.go
@@ -0,0 +1 @@
+package clients
--- a/Show More
+++ b/Show More