将版本号修改为1.3.4

提升登录SESSION安全性
节点SSH密码和私钥均以掩码方式显示
2024-03-24 20:08:27 +08:00 · 2024-03-18 12:43:13 +08:00 · 2024-03-18 10:51:47 +08:00 · 2024-03-18 10:20:22 +08:00 · 2024-03-15 15:08:05 +08:00 · 2024-03-15 15:07:07 +08:00
72 changed files with 5336 additions and 495 deletions
--- a/build/build.sh
+++ b/build/build.sh
@@ -115,7 +115,11 @@ function build() {
 	fi

 	# building api node
-	env GOOS="$OS" GOARCH="$ARCH" go build -trimpath -tags $TAG --ldflags="-s -w" -o "$DIST"/bin/edge-api "$ROOT"/../cmd/edge-api/main.go
+	env GOOS="$OS" GOARCH="$ARCH" go build -trimpath -tags $TAG --ldflags="-s -w" -o "$DIST/bin/$NAME" "$ROOT"/../cmd/edge-api/main.go
+	if [ ! -f "${DIST}/bin/${NAME}" ]; then
+		echo "build failed!"
+		exit
+	fi

 	# delete hidden files
 	find "$DIST" -name ".DS_Store" -delete
--- a/cmd/edge-instance-installer/.gitignore
+++ b/cmd/edge-instance-installer/.gitignore
@@ -0,0 +1,2 @@
+edge-instance-installer*
+prepare.sh
--- a/cmd/edge-instance-installer/build.sh
+++ b/cmd/edge-instance-installer/build.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+function build() {
+	ROOT=$(dirname "$0")
+
+	OS="${1}"
+	ARCH="${2}"
+	TAG="${3}"
+
+	if [ -z "$OS" ]; then
+		echo "usage: build.sh OS ARCH"
+		exit
+	fi
+
+	if [ -z "$ARCH" ]; then
+		echo "usage: build.sh OS ARCH"
+		exit
+	fi
+
+	VERSION=$(lookup_version "${ROOT}/../../internal/const/const.go")
+	TARGET_NAME="edge-instance-installer-${OS}-${ARCH}-v${VERSION}"
+
+	env GOOS=linux GOARCH="${ARCH}" go build -tags="${TAG}" -trimpath -ldflags="-s -w" -o "${TARGET_NAME}" main.go
+
+	if [ -f "${TARGET_NAME}" ]; then
+		cp "${TARGET_NAME}" "${ROOT}/../../../EdgeAdmin/docker/instance/edge-instance/assets"
+	fi
+
+	echo "[done]"
+}
+
+function lookup_version() {
+	FILE=$1
+	VERSION_DATA=$(cat "$FILE")
+	re="Version[ ]+=[ ]+\"([0-9.]+)\""
+	if [[ $VERSION_DATA =~ $re ]]; then
+		VERSION=${BASH_REMATCH[1]}
+		echo "$VERSION"
+	else
+		echo "could not match version"
+		exit
+	fi
+}
+
+build "$1" "$2" "$3"
--- a/cmd/edge-instance-installer/main.go
+++ b/cmd/edge-instance-installer/main.go
@@ -0,0 +1,97 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package main
+
+import (
+	"fmt"
+	"github.com/TeaOSLab/EdgeAPI/internal/instances"
+	_ "github.com/iwind/TeaGo/bootstrap"
+	"github.com/iwind/TeaGo/lists"
+	"log"
+	"os"
+)
+
+func main() {
+	var verbose = lists.ContainsString(os.Args, "-v")
+
+	var dbHost = "127.0.0.1"
+	var dbPassword = "123456"
+	var dbName = "edges"
+
+	envDBHost, _ := os.LookupEnv("EDGE_DB_HOST")
+	if len(envDBHost) > 0 {
+		dbHost = envDBHost
+		if verbose {
+			log.Println("env EDGE_DB_HOST=" + envDBHost)
+		}
+	}
+
+	envDBPassword, _ := os.LookupEnv("EDGE_DB_PASSWORD")
+	if len(envDBPassword) > 0 {
+		dbPassword = envDBPassword
+		if verbose {
+			log.Println("env EDGE_DB_PASSWORD=" + envDBPassword)
+		}
+	}
+
+	envDBName, _ := os.LookupEnv("EDGE_DB_NAME")
+	if len(envDBName) > 0 {
+		dbName = envDBName
+		if verbose {
+			log.Println("env EDGE_DB_NAME=" + envDBName)
+		}
+	}
+
+	var isTesting = lists.ContainsString(os.Args, "-test") || lists.ContainsString(os.Args, "--test")
+	if isTesting {
+		fmt.Println("testing mode ...")
+	}
+
+	var instance = instances.NewInstance(instances.Options{
+		IsTesting: isTesting,
+		Verbose:   verbose,
+		Cacheable: false,
+		WorkDir:   "",
+		SrcDir:    "/usr/local/goedge/src",
+		DB: struct {
+			Host     string
+			Port     int
+			Username string
+			Password string
+			Name     string
+		}{
+			Host:     dbHost,
+			Port:     3306,
+			Username: "root",
+			Password: dbPassword,
+			Name:     dbName,
+		},
+		AdminNode: struct {
+			Port int
+		}{
+			Port: 7788,
+		},
+		APINode: struct {
+			HTTPPort     int
+			RestHTTPPort int
+		}{
+			HTTPPort:     8001,
+			RestHTTPPort: 8002,
+		},
+		Node: struct{ HTTPPort int }{
+			HTTPPort: 80,
+		},
+		UserNode: struct {
+			HTTPPort int
+		}{
+			HTTPPort: 7799,
+		},
+	})
+	err := instance.SetupAll()
+	if err != nil {
+		fmt.Println("[ERROR]setup failed: " + err.Error())
+		return
+	}
+
+	fmt.Println("ok")
+}
--- a/internal/const/const.go
+++ b/internal/const/const.go
@@ -1,7 +1,7 @@
 package teaconst

 const (
-	Version = "1.3.2"
+	Version = "1.3.4"

 	ProductName   = "Edge API"
 	ProcessName   = "edge-api"
@@ -20,7 +20,7 @@ const (

 	// 其他节点版本号，用来检测是否有需要升级的节点

-	NodeVersion = "1.3.2"
+	NodeVersion = "1.3.4"

 	// SQLVersion SQL版本号
 	SQLVersion = "11"
--- a/internal/db/models/admin_dao.go
+++ b/internal/db/models/admin_dao.go
@@ -130,6 +130,19 @@ func (this *AdminDAO) FindAdminIdWithUsername(tx *dbs.Tx, username string) (int6
 	return int64(one.(*Admin).Id), nil
 }

+// FindAdminWithUsername 根据用户名查询管理员信息
+func (this *AdminDAO) FindAdminWithUsername(tx *dbs.Tx, username string) (*Admin, error) {
+	one, err := this.Query(tx).
+		Attr("username", username).
+		State(AdminStateEnabled).
+		ResultPk().
+		Find()
+	if err != nil || one == nil {
+		return nil, err
+	}
+	return one.(*Admin), nil
+}
+
 // UpdateAdminPassword 更改管理员密码
 func (this *AdminDAO) UpdateAdminPassword(tx *dbs.Tx, adminId int64, password string) error {
 	if adminId <= 0 {
@@ -212,7 +225,7 @@ func (this *AdminDAO) UpdateAdmin(tx *dbs.Tx, adminId int64, username string, ca
 	return nil
 }

-// CheckAdminUsername 检查用户名是否存在
+// CheckAdminUsername 检查管理员用户名是否存在
 func (this *AdminDAO) CheckAdminUsername(tx *dbs.Tx, adminId int64, username string) (bool, error) {
 	query := this.Query(tx).
 		State(AdminStateEnabled).
--- a/internal/db/models/http_firewall_policy_dao.go
+++ b/internal/db/models/http_firewall_policy_dao.go
@@ -149,6 +149,14 @@ func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64
 		}
 		op.BlockOptions = blockOptionsJSON

+		// page options
+		var pageOptions = firewallconfigs.DefaultHTTPFirewallPageAction()
+		pageOptionsJSON, err := json.Marshal(pageOptions)
+		if err != nil {
+			return 0, err
+		}
+		op.PageOptions = pageOptionsJSON
+
 		// captcha options
 		var captchaOptions = firewallconfigs.DefaultHTTPFirewallCaptchaAction()
 		captchaOptionsJSON, err := json.Marshal(captchaOptions)
@@ -313,6 +321,7 @@ func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx,
 	inboundJSON []byte,
 	outboundJSON []byte,
 	blockOptionsJSON []byte,
+	pageOptionsJSON []byte,
 	captchaOptionsJSON []byte,
 	mode firewallconfigs.FirewallMode,
 	useLocalFirewall bool,
@@ -343,6 +352,9 @@ func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx,
 	if IsNotNull(blockOptionsJSON) {
 		op.BlockOptions = blockOptionsJSON
 	}
+	if IsNotNull(pageOptionsJSON) {
+		op.PageOptions = pageOptionsJSON
+	}
 	if IsNotNull(captchaOptionsJSON) {
 		op.CaptchaOptions = captchaOptionsJSON
 	}
@@ -524,6 +536,16 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId in
 		config.BlockOptions = blockAction
 	}

+	// Page动作配置
+	if IsNotNull(policy.PageOptions) {
+		var pageAction = firewallconfigs.DefaultHTTPFirewallPageAction()
+		err = json.Unmarshal(policy.PageOptions, pageAction)
+		if err != nil {
+			return config, err
+		}
+		config.PageOptions = pageAction
+	}
+
 	// Captcha动作配置
 	if IsNotNull(policy.CaptchaOptions) {
 		var captchaAction = &firewallconfigs.HTTPFirewallCaptchaAction{}
--- a/internal/db/models/http_firewall_policy_model.go
+++ b/internal/db/models/http_firewall_policy_model.go
@@ -16,8 +16,9 @@ const (
 	HTTPFirewallPolicyField_Description        dbs.FieldName = "description"        // 描述
 	HTTPFirewallPolicyField_Inbound            dbs.FieldName = "inbound"            // 入站规则
 	HTTPFirewallPolicyField_Outbound           dbs.FieldName = "outbound"           // 出站规则
-	HTTPFirewallPolicyField_BlockOptions       dbs.FieldName = "blockOptions"       // BLOCK选项
-	HTTPFirewallPolicyField_CaptchaOptions     dbs.FieldName = "captchaOptions"     // 验证码选项
+	HTTPFirewallPolicyField_BlockOptions       dbs.FieldName = "blockOptions"       // BLOCK动作选项
+	HTTPFirewallPolicyField_PageOptions        dbs.FieldName = "pageOptions"        // PAGE动作选项
+	HTTPFirewallPolicyField_CaptchaOptions     dbs.FieldName = "captchaOptions"     // 验证码动作选项
 	HTTPFirewallPolicyField_Mode               dbs.FieldName = "mode"               // 模式
 	HTTPFirewallPolicyField_UseLocalFirewall   dbs.FieldName = "useLocalFirewall"   // 是否自动使用本地防火墙
 	HTTPFirewallPolicyField_SynFlood           dbs.FieldName = "synFlood"           // SynFlood防御设置
@@ -42,8 +43,9 @@ type HTTPFirewallPolicy struct {
 	Description        string   `field:"description"`        // 描述
 	Inbound            dbs.JSON `field:"inbound"`            // 入站规则
 	Outbound           dbs.JSON `field:"outbound"`           // 出站规则
-	BlockOptions       dbs.JSON `field:"blockOptions"`       // BLOCK选项
-	CaptchaOptions     dbs.JSON `field:"captchaOptions"`     // 验证码选项
+	BlockOptions       dbs.JSON `field:"blockOptions"`       // BLOCK动作选项
+	PageOptions        dbs.JSON `field:"pageOptions"`        // PAGE动作选项
+	CaptchaOptions     dbs.JSON `field:"captchaOptions"`     // 验证码动作选项
 	Mode               string   `field:"mode"`               // 模式
 	UseLocalFirewall   uint8    `field:"useLocalFirewall"`   // 是否自动使用本地防火墙
 	SynFlood           dbs.JSON `field:"synFlood"`           // SynFlood防御设置
@@ -67,8 +69,9 @@ type HTTPFirewallPolicyOperator struct {
 	Description        any // 描述
 	Inbound            any // 入站规则
 	Outbound           any // 出站规则
-	BlockOptions       any // BLOCK选项
-	CaptchaOptions     any // 验证码选项
+	BlockOptions       any // BLOCK动作选项
+	PageOptions        any // PAGE动作选项
+	CaptchaOptions     any // 验证码动作选项
 	Mode               any // 模式
 	UseLocalFirewall   any // 是否自动使用本地防火墙
 	SynFlood           any // SynFlood防御设置
--- a/internal/db/models/http_web_dao.go
+++ b/internal/db/models/http_web_dao.go
@@ -554,6 +554,18 @@ func (this *HTTPWebDAO) ComposeWebConfig(tx *dbs.Tx, webId int64, isLocationOrGr
 		}
 	}

+	// hls
+	if IsNotNull(web.Hls) {
+		var hlsConfig = &serverconfigs.HLSConfig{}
+		err = json.Unmarshal(web.Hls, hlsConfig)
+		if err != nil {
+			return nil, err
+		}
+		if this.shouldCompose(isLocationOrGroup, forNode, hlsConfig.IsPrior, true) {
+			config.HLS = hlsConfig
+		}
+	}
+
 	if cacheMap != nil {
 		cacheMap.Put(cacheKey, config)
 	}
@@ -1454,7 +1466,7 @@ func (this *HTTPWebDAO) UpdateWebReferers(tx *dbs.Tx, webId int64, referersConfi
 	return this.NotifyUpdate(tx, webId)
 }

-// FindWebReferers 查找服务的防盗链配置
+// FindWebReferers 查找网站的防盗链配置
 func (this *HTTPWebDAO) FindWebReferers(tx *dbs.Tx, webId int64) ([]byte, error) {
 	return this.Query(tx).
 		Pk(webId).
@@ -1464,6 +1476,10 @@ func (this *HTTPWebDAO) FindWebReferers(tx *dbs.Tx, webId int64) ([]byte, error)

 // UpdateWebUserAgent 修改User-Agent设置
 func (this *HTTPWebDAO) UpdateWebUserAgent(tx *dbs.Tx, webId int64, userAgentConfig *serverconfigs.UserAgentConfig) error {
+	if webId <= 0 {
+		return errors.New("require 'webId'")
+	}
+
 	if userAgentConfig == nil {
 		return nil
 	}
--- a/internal/db/models/http_web_model.go
+++ b/internal/db/models/http_web_model.go
@@ -41,6 +41,7 @@ const (
 	HTTPWebField_Referers           dbs.FieldName = "referers"           // 防盗链设置
 	HTTPWebField_UserAgent          dbs.FieldName = "userAgent"          // UserAgent设置
 	HTTPWebField_Optimization       dbs.FieldName = "optimization"       // 页面优化配置
+	HTTPWebField_Hls                dbs.FieldName = "hls"                // HLS设置
 )

 // HTTPWeb HTTP Web
@@ -83,6 +84,7 @@ type HTTPWeb struct {
 	Referers           dbs.JSON `field:"referers"`           // 防盗链设置
 	UserAgent          dbs.JSON `field:"userAgent"`          // UserAgent设置
 	Optimization       dbs.JSON `field:"optimization"`       // 页面优化配置
+	Hls                dbs.JSON `field:"hls"`                // HLS设置
 }

 type HTTPWebOperator struct {
@@ -124,6 +126,7 @@ type HTTPWebOperator struct {
 	Referers           any // 防盗链设置
 	UserAgent          any // UserAgent设置
 	Optimization       any // 页面优化配置
+	Hls                any // HLS设置
 }

 func NewHTTPWebOperator() *HTTPWebOperator {
--- a/internal/db/models/ip_library_file_dao.go
+++ b/internal/db/models/ip_library_file_dao.go
@@ -13,6 +13,7 @@ import (
 	"github.com/iwind/TeaGo/types"
 	"io"
 	"os"
+	"strings"
 	"time"
 )

@@ -449,6 +450,14 @@ func (this *IPLibraryFileDAO) GenerateIPLibrary(tx *dbs.Tx, libraryFileId int64)
 	for _, province := range dbProvinces {
 		for _, code := range province.AllCodes() {
 			provinceMap[types.String(province.CountryId)+"_"+code] = int64(province.ValueId)
+
+			for _, suffix := range regions.RegionProvinceSuffixes {
+				if strings.HasSuffix(code, suffix) {
+					provinceMap[types.String(province.CountryId)+"_"+strings.TrimSuffix(code, suffix)] = int64(province.ValueId)
+				} else {
+					provinceMap[types.String(province.CountryId)+"_"+(code+suffix)] = int64(province.ValueId)
+				}
+			}
 		}
 	}

--- a/internal/db/models/login_session_dao.go
+++ b/internal/db/models/login_session_dao.go
@@ -135,40 +135,16 @@ func (this *LoginSessionDAO) WriteSessionValue(tx *dbs.Tx, sid string, key strin
 		sessionOp.UserId = userId

 		if isNewSession {
-			// 删除此用户之前创建的SESSION，防止单个用户SESSION过多
-			// TODO 将来改成按照活跃时间排序
-			const maxSessionsPerUser = 10
-			oldOnes, err := this.Query(tx).
+			// 删除此用户之前创建的SESSION，不再保存以往的SESSION，避免安全问题
+			err = this.Query(tx).
 				ResultPk().
 				Attr("adminId", adminId).
 				Attr("userId", userId).
-				Asc("createdAt").
-				FindAll()
+				Neq("sid", sid).
+				DeleteQuickly()
 			if err != nil {
 				return err
 			}
-			var countOldOnes = len(oldOnes)
-			if countOldOnes > maxSessionsPerUser {
-				var countDeleted int
-				for _, oldOne := range oldOnes {
-					var oldSessionId = int64(oldOne.(*LoginSession).Id)
-					if oldSessionId == sessionId {
-						continue
-					}
-
-					if countDeleted < countOldOnes-maxSessionsPerUser {
-						err = this.Query(tx).
-							Pk(oldSessionId).
-							DeleteQuickly()
-						if err != nil {
-							return err
-						}
-						countDeleted++
-					} else {
-						break
-					}
-				}
-			}
 		}
 	}

--- a/internal/db/models/metric_stat_dao.go
+++ b/internal/db/models/metric_stat_dao.go
@@ -5,7 +5,6 @@ import (
 	"github.com/TeaOSLab/EdgeAPI/internal/goman"
 	"github.com/TeaOSLab/EdgeAPI/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/go-sql-driver/mysql"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/dbs"
@@ -759,10 +758,5 @@ func (this *MetricStatDAO) canIgnore(err error) bool {
 	}

 	// 忽略 Error 1213: Deadlock found 错误
-	mysqlErr, ok := err.(*mysql.MySQLError)
-	if ok && mysqlErr.Number == 1213 {
-		return true
-	}
-
-	return false
+	return CheckSQLErrCode(err, 1213)
 }
--- a/internal/db/models/metric_sum_stat_dao.go
+++ b/internal/db/models/metric_sum_stat_dao.go
@@ -4,7 +4,6 @@ import (
 	"github.com/TeaOSLab/EdgeAPI/internal/goman"
 	"github.com/TeaOSLab/EdgeAPI/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/go-sql-driver/mysql"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/dbs"
@@ -289,10 +288,5 @@ func (this *MetricSumStatDAO) canIgnore(err error) bool {
 	}

 	// 忽略 Error 1213: Deadlock found 错误
-	mysqlErr, ok := err.(*mysql.MySQLError)
-	if ok && mysqlErr.Number == 1213 {
-		return true
-	}
-
-	return false
+	return CheckSQLErrCode(err, 1213)
 }
--- a/internal/db/models/node_cluster_dao.go
+++ b/internal/db/models/node_cluster_dao.go
@@ -264,13 +264,22 @@ func (this *NodeClusterDAO) CountAllEnabledClusters(tx *dbs.Tx, keyword string)
 }

 // ListEnabledClusters 列出单页集群
-func (this *NodeClusterDAO) ListEnabledClusters(tx *dbs.Tx, keyword string, offset, size int64) (result []*NodeCluster, err error) {
+func (this *NodeClusterDAO) ListEnabledClusters(tx *dbs.Tx, keyword string, idDesc bool, idAsc bool, offset, size int64) (result []*NodeCluster, err error) {
 	var query = this.Query(tx).
 		State(NodeClusterStateEnabled)
 	if len(keyword) > 0 {
 		query.Where("(name LIKE :keyword OR dnsName like :keyword OR (dnsDomainId > 0 AND dnsDomainId IN (SELECT id FROM "+dns.SharedDNSDomainDAO.Table+" WHERE name LIKE :keyword AND state=1)))").
 			Param("keyword", dbutils.QuoteLike(keyword))
 	}
+
+	if idDesc {
+		query.DescPk()
+	} else if idAsc {
+		query.AscPk()
+	} else {
+		query.Desc("isPinned").DescPk()
+	}
+
 	_, err = query.
 		Result(
 			NodeClusterField_Id,
@@ -295,8 +304,6 @@ func (this *NodeClusterDAO) ListEnabledClusters(tx *dbs.Tx, keyword string, offs
 		Offset(offset).
 		Limit(size).
 		Slice(&result).
-		Desc("isPinned").
-		DescPk().
 		FindAll()

 	return
--- a/internal/db/models/node_dao.go
+++ b/internal/db/models/node_dao.go
@@ -882,9 +882,28 @@ func (this *NodeDAO) FindNodeStatus(tx *dbs.Tx, nodeId int64) (*nodeconfigs.Node
 	return status, nil
 }

+// UpdateNodeIsOn 修改节点启用状态
+func (this *NodeDAO) UpdateNodeIsOn(tx *dbs.Tx, nodeId int64, isOn bool) error {
+	if nodeId <= 0 {
+		return errors.New("invalid nodeId")
+	}
+	err := this.Query(tx).
+		Pk(nodeId).
+		Set("isOn", isOn).
+		UpdateQuickly()
+	if err != nil {
+		return err
+	}
+
+	return this.NotifyDNSUpdate(tx, nodeId)
+}
+
 // UpdateNodeIsActive 更改节点在线状态
 func (this *NodeDAO) UpdateNodeIsActive(tx *dbs.Tx, nodeId int64, isActive bool) error {
-	b := "true"
+	if nodeId <= 0 {
+		return errors.New("invalid nodeId")
+	}
+	var b = "true"
 	if !isActive {
 		b = "false"
 	}
@@ -898,6 +917,9 @@ func (this *NodeDAO) UpdateNodeIsActive(tx *dbs.Tx, nodeId int64, isActive bool)

 // UpdateNodeIsInstalled 设置节点安装状态
 func (this *NodeDAO) UpdateNodeIsInstalled(tx *dbs.Tx, nodeId int64, isInstalled bool) error {
+	if nodeId <= 0 {
+		return errors.New("invalid nodeId")
+	}
 	_, err := this.Query(tx).
 		Pk(nodeId).
 		Set("isInstalled", isInstalled).
--- a/internal/db/models/node_task_dao.go
+++ b/internal/db/models/node_task_dao.go
@@ -34,6 +34,7 @@ const (
 	NodeTaskTypeWebPPolicyChanged            NodeTaskType = "webPPolicyChanged"            // WebP策略变化
 	NodeTaskTypeUpdatingServers              NodeTaskType = "updatingServers"              // 更新一组服务
 	NodeTaskTypeTOAChanged                   NodeTaskType = "toaChanged"                   // TOA配置变化
+	NodeTaskTypePlanChanged                  NodeTaskType = "planChanged"                  // 套餐变化

 	// NS相关

--- a/internal/db/models/origin_dao.go
+++ b/internal/db/models/origin_dao.go
@@ -538,6 +538,17 @@ func (this *OriginDAO) CheckUserOrigin(tx *dbs.Tx, userId int64, originId int64)
 	return SharedReverseProxyDAO.CheckUserReverseProxy(tx, userId, reverseProxyId)
 }

+// ExistsOrigin 检查源站是否存在
+func (this *OriginDAO) ExistsOrigin(tx *dbs.Tx, originId int64) (bool, error) {
+	if originId <= 0 {
+		return false, nil
+	}
+	return this.Query(tx).
+		Pk(originId).
+		State(OriginStateEnabled).
+		Exist()
+}
+
 // NotifyUpdate 通知更新
 func (this *OriginDAO) NotifyUpdate(tx *dbs.Tx, originId int64) error {
 	reverseProxyId, err := SharedReverseProxyDAO.FindReverseProxyContainsOriginId(tx, originId)
--- a/internal/db/models/plan_dao.go
+++ b/internal/db/models/plan_dao.go
@@ -49,7 +49,12 @@ func (this *PlanDAO) EnablePlan(tx *dbs.Tx, id uint32) error {

 // DisablePlan 禁用条目
 func (this *PlanDAO) DisablePlan(tx *dbs.Tx, id int64) error {
-	_, err := this.Query(tx).
+	clusterId, err := this.FindPlanClusterId(tx, id)
+	if err != nil {
+		return err
+	}
+
+	_, err = this.Query(tx).
 		Pk(id).
 		Set("state", PlanStateDisabled).
 		Update()
@@ -57,7 +62,7 @@ func (this *PlanDAO) DisablePlan(tx *dbs.Tx, id int64) error {
 		return err
 	}

-	return this.NotifyUpdate(tx, id)
+	return this.NotifyUpdate(tx, id, clusterId)
 }

 // FindEnabledPlan 查找启用中的条目
@@ -175,18 +180,18 @@ func (this *PlanDAO) FindEnabledPlanTrafficLimit(tx *dbs.Tx, planId int64, cache
 	return config, nil
 }

-// NotifyUpdate 通知变更
-func (this *PlanDAO) NotifyUpdate(tx *dbs.Tx, planId int64) error {
-	// 这里不要加入状态参数，因为需要适应删除后的更新
-	clusterId, err := this.Query(tx).
+// FindPlanClusterId 查找套餐所属集群
+func (this *PlanDAO) FindPlanClusterId(tx *dbs.Tx, planId int64) (clusterId int64, err error) {
+	return this.Query(tx).
 		Pk(planId).
 		Result("clusterId").
 		FindInt64Col(0)
-	if err != nil {
-		return err
-	}
-	if clusterId > 0 {
-		return SharedNodeClusterDAO.NotifyUpdate(tx, clusterId)
-	}
-	return nil
+}
+
+// NotifyUpdate 通知变更
+func (this *PlanDAO) NotifyUpdate(tx *dbs.Tx, planId int64, clusterId int64) error {
+	if clusterId <= 0 {
+		return nil
+	}
+	return SharedNodeClusterDAO.NotifyUpdate(tx, clusterId)
 }
--- a/internal/db/models/plan_model.go
+++ b/internal/db/models/plan_model.go
@@ -6,9 +6,10 @@ const (
 	PlanField_Id                          dbs.FieldName = "id"                          // ID
 	PlanField_IsOn                        dbs.FieldName = "isOn"                        // 是否启用
 	PlanField_Name                        dbs.FieldName = "name"                        // 套餐名
-	PlanField_Description                 dbs.FieldName = "description"                 // 描述
+	PlanField_Description                 dbs.FieldName = "description"                 // 套餐简介
 	PlanField_ClusterId                   dbs.FieldName = "clusterId"                   // 集群ID
 	PlanField_TrafficLimit                dbs.FieldName = "trafficLimit"                // 流量限制
+	PlanField_BandwidthLimitPerNode       dbs.FieldName = "bandwidthLimitPerNode"       // 单节点带宽限制
 	PlanField_Features                    dbs.FieldName = "features"                    // 允许的功能
 	PlanField_HasFullFeatures             dbs.FieldName = "hasFullFeatures"             // 是否有完整的功能
 	PlanField_TrafficPrice                dbs.FieldName = "trafficPrice"                // 流量价格设定
@@ -26,6 +27,7 @@ const (
 	PlanField_DailyRequests               dbs.FieldName = "dailyRequests"               // 每日访问量额度
 	PlanField_DailyWebsocketConnections   dbs.FieldName = "dailyWebsocketConnections"   // 每日Websocket连接数
 	PlanField_MonthlyWebsocketConnections dbs.FieldName = "monthlyWebsocketConnections" // 每月Websocket连接数
+	PlanField_MaxUploadSize               dbs.FieldName = "maxUploadSize"               // 最大上传
 )

 // Plan 用户套餐
@@ -33,9 +35,10 @@ type Plan struct {
 	Id                          uint32   `field:"id"`                          // ID
 	IsOn                        bool     `field:"isOn"`                        // 是否启用
 	Name                        string   `field:"name"`                        // 套餐名
-	Description                 string   `field:"description"`                 // 描述
+	Description                 string   `field:"description"`                 // 套餐简介
 	ClusterId                   uint32   `field:"clusterId"`                   // 集群ID
 	TrafficLimit                dbs.JSON `field:"trafficLimit"`                // 流量限制
+	BandwidthLimitPerNode       dbs.JSON `field:"bandwidthLimitPerNode"`       // 单节点带宽限制
 	Features                    dbs.JSON `field:"features"`                    // 允许的功能
 	HasFullFeatures             bool     `field:"hasFullFeatures"`             // 是否有完整的功能
 	TrafficPrice                dbs.JSON `field:"trafficPrice"`                // 流量价格设定
@@ -53,15 +56,17 @@ type Plan struct {
 	DailyRequests               uint64   `field:"dailyRequests"`               // 每日访问量额度
 	DailyWebsocketConnections   uint64   `field:"dailyWebsocketConnections"`   // 每日Websocket连接数
 	MonthlyWebsocketConnections uint64   `field:"monthlyWebsocketConnections"` // 每月Websocket连接数
+	MaxUploadSize               dbs.JSON `field:"maxUploadSize"`               // 最大上传
 }

 type PlanOperator struct {
 	Id                          any // ID
 	IsOn                        any // 是否启用
 	Name                        any // 套餐名
-	Description                 any // 描述
+	Description                 any // 套餐简介
 	ClusterId                   any // 集群ID
 	TrafficLimit                any // 流量限制
+	BandwidthLimitPerNode       any // 单节点带宽限制
 	Features                    any // 允许的功能
 	HasFullFeatures             any // 是否有完整的功能
 	TrafficPrice                any // 流量价格设定
@@ -79,6 +84,7 @@ type PlanOperator struct {
 	DailyRequests               any // 每日访问量额度
 	DailyWebsocketConnections   any // 每日Websocket连接数
 	MonthlyWebsocketConnections any // 每月Websocket连接数
+	MaxUploadSize               any // 最大上传
 }

 func NewPlanOperator() *PlanOperator {
--- a/internal/db/models/posts/post_category_dao.go
+++ b/internal/db/models/posts/post_category_dao.go
@@ -0,0 +1,71 @@
+package posts
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	PostCategoryStateEnabled  = 1 // 已启用
+	PostCategoryStateDisabled = 0 // 已禁用
+)
+
+type PostCategoryDAO dbs.DAO
+
+func NewPostCategoryDAO() *PostCategoryDAO {
+	return dbs.NewDAO(&PostCategoryDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgePostCategories",
+			Model:  new(PostCategory),
+			PkName: "id",
+		},
+	}).(*PostCategoryDAO)
+}
+
+var SharedPostCategoryDAO *PostCategoryDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedPostCategoryDAO = NewPostCategoryDAO()
+	})
+}
+
+// EnablePostCategory 启用条目
+func (this *PostCategoryDAO) EnablePostCategory(tx *dbs.Tx, categoryId int64) error {
+	_, err := this.Query(tx).
+		Pk(categoryId).
+		Set("state", PostCategoryStateEnabled).
+		Update()
+	return err
+}
+
+// DisablePostCategory 禁用条目
+func (this *PostCategoryDAO) DisablePostCategory(tx *dbs.Tx, categoryId int64) error {
+	_, err := this.Query(tx).
+		Pk(categoryId).
+		Set("state", PostCategoryStateDisabled).
+		Update()
+	return err
+}
+
+// FindEnabledPostCategory 查找启用中的条目
+func (this *PostCategoryDAO) FindEnabledPostCategory(tx *dbs.Tx, categoryId int64) (*PostCategory, error) {
+	result, err := this.Query(tx).
+		Pk(categoryId).
+		State(PostCategoryStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*PostCategory), err
+}
+
+// FindPostCategoryName 根据主键查找名称
+func (this *PostCategoryDAO) FindPostCategoryName(tx *dbs.Tx, categoryId int64) (string, error) {
+	return this.Query(tx).
+		Pk(categoryId).
+		Result("name").
+		FindStringCol("")
+}
--- a/internal/db/models/posts/post_category_dao_test.go
+++ b/internal/db/models/posts/post_category_dao_test.go
@@ -0,0 +1,6 @@
+package posts_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/posts/post_category_model.go
+++ b/internal/db/models/posts/post_category_model.go
@@ -0,0 +1,35 @@
+package posts
+
+import "github.com/iwind/TeaGo/dbs"
+
+const (
+	PostCategoryField_Id    dbs.FieldName = "id"    // ID
+	PostCategoryField_Name  dbs.FieldName = "name"  // 分类名称
+	PostCategoryField_IsOn  dbs.FieldName = "isOn"  // 是否启用
+	PostCategoryField_Code  dbs.FieldName = "code"  // 代号
+	PostCategoryField_Order dbs.FieldName = "order" // 排序
+	PostCategoryField_State dbs.FieldName = "state" // 分类状态
+)
+
+// PostCategory 文章分类
+type PostCategory struct {
+	Id    uint32 `field:"id"`    // ID
+	Name  string `field:"name"`  // 分类名称
+	IsOn  bool   `field:"isOn"`  // 是否启用
+	Code  string `field:"code"`  // 代号
+	Order uint32 `field:"order"` // 排序
+	State uint8  `field:"state"` // 分类状态
+}
+
+type PostCategoryOperator struct {
+	Id    any // ID
+	Name  any // 分类名称
+	IsOn  any // 是否启用
+	Code  any // 代号
+	Order any // 排序
+	State any // 分类状态
+}
+
+func NewPostCategoryOperator() *PostCategoryOperator {
+	return &PostCategoryOperator{}
+}
--- a/internal/db/models/posts/post_category_model_ext.go
+++ b/internal/db/models/posts/post_category_model_ext.go
@@ -0,0 +1 @@
+package posts
--- a/internal/db/models/posts/post_dao.go
+++ b/internal/db/models/posts/post_dao.go
@@ -0,0 +1,63 @@
+package posts
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	PostStateEnabled  = 1 // 已启用
+	PostStateDisabled = 0 // 已禁用
+)
+
+type PostDAO dbs.DAO
+
+func NewPostDAO() *PostDAO {
+	return dbs.NewDAO(&PostDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgePosts",
+			Model:  new(Post),
+			PkName: "id",
+		},
+	}).(*PostDAO)
+}
+
+var SharedPostDAO *PostDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedPostDAO = NewPostDAO()
+	})
+}
+
+// EnablePost 启用条目
+func (this *PostDAO) EnablePost(tx *dbs.Tx, postId int64) error {
+	_, err := this.Query(tx).
+		Pk(postId).
+		Set("state", PostStateEnabled).
+		Update()
+	return err
+}
+
+// DisablePost 禁用条目
+func (this *PostDAO) DisablePost(tx *dbs.Tx, postId int64) error {
+	_, err := this.Query(tx).
+		Pk(postId).
+		Set("state", PostStateDisabled).
+		Update()
+	return err
+}
+
+// FindEnabledPost 查找启用中的条目
+func (this *PostDAO) FindEnabledPost(tx *dbs.Tx, postId int64) (*Post, error) {
+	result, err := this.Query(tx).
+		Pk(postId).
+		State(PostStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*Post), err
+}
--- a/internal/db/models/posts/post_dao_test.go
+++ b/internal/db/models/posts/post_dao_test.go
@@ -0,0 +1,6 @@
+package posts_test
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/posts/post_model.go
+++ b/internal/db/models/posts/post_model.go
@@ -0,0 +1,50 @@
+package posts
+
+import "github.com/iwind/TeaGo/dbs"
+
+const (
+	PostField_Id          dbs.FieldName = "id"          // ID
+	PostField_CategoryId  dbs.FieldName = "categoryId"  // 文章分类
+	PostField_Type        dbs.FieldName = "type"        // 类型：normal, url
+	PostField_Url         dbs.FieldName = "url"         // URL
+	PostField_Subject     dbs.FieldName = "subject"     // 标题
+	PostField_Body        dbs.FieldName = "body"        // 内容
+	PostField_CreatedAt   dbs.FieldName = "createdAt"   // 创建时间
+	PostField_IsPublished dbs.FieldName = "isPublished" // 是否已发布
+	PostField_PublishedAt dbs.FieldName = "publishedAt" // 发布时间
+	PostField_ProductCode dbs.FieldName = "productCode" // 产品代号
+	PostField_State       dbs.FieldName = "state"       // 状态
+)
+
+// Post 文章管理
+type Post struct {
+	Id          uint32 `field:"id"`          // ID
+	CategoryId  uint32 `field:"categoryId"`  // 文章分类
+	Type        string `field:"type"`        // 类型：normal, url
+	Url         string `field:"url"`         // URL
+	Subject     string `field:"subject"`     // 标题
+	Body        string `field:"body"`        // 内容
+	CreatedAt   uint64 `field:"createdAt"`   // 创建时间
+	IsPublished bool   `field:"isPublished"` // 是否已发布
+	PublishedAt uint64 `field:"publishedAt"` // 发布时间
+	ProductCode string `field:"productCode"` // 产品代号
+	State       uint8  `field:"state"`       // 状态
+}
+
+type PostOperator struct {
+	Id          any // ID
+	CategoryId  any // 文章分类
+	Type        any // 类型：normal, url
+	Url         any // URL
+	Subject     any // 标题
+	Body        any // 内容
+	CreatedAt   any // 创建时间
+	IsPublished any // 是否已发布
+	PublishedAt any // 发布时间
+	ProductCode any // 产品代号
+	State       any // 状态
+}
+
+func NewPostOperator() *PostOperator {
+	return &PostOperator{}
+}
--- a/internal/db/models/posts/post_model_ext.go
+++ b/internal/db/models/posts/post_model_ext.go
@@ -0,0 +1 @@
+package posts
--- a/internal/db/models/regions/region_country_dao.go
+++ b/internal/db/models/regions/region_country_dao.go
@@ -98,6 +98,14 @@ func (this *RegionCountryDAO) FindRegionCountryName(tx *dbs.Tx, id int64) (strin
 	return name, nil
 }

+// FindRegionCountryRouteCode 查找国家｜地区线路代号
+func (this *RegionCountryDAO) FindRegionCountryRouteCode(tx *dbs.Tx, countryId int64) (string, error) {
+	return this.Query(tx).
+		Attr("valueId", countryId).
+		Result("routeCode").
+		FindStringCol("")
+}
+
 // FindCountryIdWithDataId 根据数据ID查找国家
 func (this *RegionCountryDAO) FindCountryIdWithDataId(tx *dbs.Tx, dataId string) (int64, error) {
 	return this.Query(tx).
--- a/internal/db/models/regions/region_country_model.go
+++ b/internal/db/models/regions/region_country_model.go
@@ -14,11 +14,12 @@ const (
 	RegionCountryField_DataId      dbs.FieldName = "dataId"      // 原始数据ID
 	RegionCountryField_Pinyin      dbs.FieldName = "pinyin"      // 拼音
 	RegionCountryField_IsCommon    dbs.FieldName = "isCommon"    // 是否常用
+	RegionCountryField_RouteCode   dbs.FieldName = "routeCode"   // 线路代号
 )

 // RegionCountry 区域-国家/地区
 type RegionCountry struct {
-	Id1          uint32   `field:"id"`          // ID
+	Id          uint32   `field:"id"`          // ID
 	ValueId     uint32   `field:"valueId"`     // 实际ID
 	ValueCode   string   `field:"valueCode"`   // 值代号
 	Name        string   `field:"name"`        // 名称
@@ -29,6 +30,7 @@ type RegionCountry struct {
 	DataId      string   `field:"dataId"`      // 原始数据ID
 	Pinyin      dbs.JSON `field:"pinyin"`      // 拼音
 	IsCommon    bool     `field:"isCommon"`    // 是否常用
+	RouteCode   string   `field:"routeCode"`   // 线路代号
 }

 type RegionCountryOperator struct {
@@ -43,6 +45,7 @@ type RegionCountryOperator struct {
 	DataId      any // 原始数据ID
 	Pinyin      any // 拼音
 	IsCommon    any // 是否常用
+	RouteCode   any // 线路代号
 }

 func NewRegionCountryOperator() *RegionCountryOperator {
--- a/internal/db/models/regions/region_province_dao.go
+++ b/internal/db/models/regions/region_province_dao.go
@@ -11,6 +11,7 @@ import (
 	"github.com/iwind/TeaGo/types"
 	"sort"
 	"strconv"
+	"strings"
 )

 const (
@@ -18,6 +19,8 @@ const (
 	RegionProvinceStateDisabled = 0 // 已禁用
 )

+var RegionProvinceSuffixes = []string{"省", "州", "区", "大区", "特区", "港", "岛", "环礁", "谷地", "山", "口岸", "郡", "县", "城", "河", "河畔", "市"}
+
 type RegionProvinceDAO dbs.DAO

 func NewRegionProvinceDAO() *RegionProvinceDAO {
@@ -77,6 +80,14 @@ func (this *RegionProvinceDAO) FindRegionProvinceName(tx *dbs.Tx, id int64) (str
 		FindStringCol("")
 }

+// FindRegionCountryId 获取省份对应的国家|地区
+func (this *RegionProvinceDAO) FindRegionCountryId(tx *dbs.Tx, provinceId int64) (int64, error) {
+	return this.Query(tx).
+		Attr("valueId", provinceId).
+		Result("countryId").
+		FindInt64Col(0)
+}
+
 // FindProvinceIdWithDataId 根据数据ID查找省份
 func (this *RegionProvinceDAO) FindProvinceIdWithDataId(tx *dbs.Tx, dataId string) (int64, error) {
 	return this.Query(tx).
@@ -87,6 +98,37 @@ func (this *RegionProvinceDAO) FindProvinceIdWithDataId(tx *dbs.Tx, dataId strin

 // FindProvinceIdWithName 根据省份名查找省份ID
 func (this *RegionProvinceDAO) FindProvinceIdWithName(tx *dbs.Tx, countryId int64, provinceName string) (int64, error) {
+	{
+		provinceId, err := this.findProvinceIdWithExactName(tx, countryId, provinceName)
+		if err != nil {
+			return 0, err
+		}
+		if provinceId > 0 {
+			return provinceId, nil
+		}
+	}
+
+	// 候选词
+	for _, suffix := range RegionProvinceSuffixes {
+		var name string
+		if strings.HasSuffix(provinceName, suffix) {
+			name = strings.TrimSuffix(provinceName, suffix)
+		} else {
+			name = provinceName + suffix
+		}
+		provinceId, err := this.findProvinceIdWithExactName(tx, countryId, name)
+		if err != nil {
+			return 0, err
+		}
+		if provinceId > 0 {
+			return provinceId, nil
+		}
+	}
+
+	return 0, nil
+}
+
+func (this *RegionProvinceDAO) findProvinceIdWithExactName(tx *dbs.Tx, countryId int64, provinceName string) (int64, error) {
 	return this.Query(tx).
 		Attr("countryId", countryId).
 		Where("(name=:provinceName OR customName=:provinceName OR JSON_CONTAINS(codes, :provinceNameJSON) OR JSON_CONTAINS(customCodes, :provinceNameJSON))").
--- a/internal/db/models/regions/region_province_dao_test.go
+++ b/internal/db/models/regions/region_province_dao_test.go
@@ -26,6 +26,25 @@ func TestRegionProvinceDAO_FindProvinceIdWithName(t *testing.T) {
 	}
 }

+func TestRegionProvinceDAO_FindProvinceIdWithName_Suffix(t *testing.T) {
+	dbs.NotifyReady()
+
+	var tx *dbs.Tx
+	for _, name := range []string{
+		"维埃纳",
+		"维埃纳省",
+		"维埃纳大区",
+		"维埃纳市",
+		"维埃纳小区", // expect 0
+	} {
+		provinceId, err := SharedRegionProvinceDAO.FindProvinceIdWithName(tx, 74, name)
+		if err != nil {
+			t.Fatal(err)
+		}
+		t.Log(name, "=>", provinceId)
+	}
+}
+
 func TestRegionProvinceDAO_FindSimilarProvinces(t *testing.T) {
 	dbs.NotifyReady()

--- a/internal/db/models/regions/region_province_model.go
+++ b/internal/db/models/regions/region_province_model.go
@@ -12,11 +12,12 @@ const (
 	RegionProvinceField_CustomCodes dbs.FieldName = "customCodes" // 自定义代号
 	RegionProvinceField_State       dbs.FieldName = "state"       // 状态
 	RegionProvinceField_DataId      dbs.FieldName = "dataId"      // 原始数据ID
+	RegionProvinceField_RouteCode   dbs.FieldName = "routeCode"   // 线路代号
 )

 // RegionProvince 区域-省份
 type RegionProvince struct {
-	Id1          uint32   `field:"id"`          // ID
+	Id          uint32   `field:"id"`          // ID
 	ValueId     uint32   `field:"valueId"`     // 实际ID
 	CountryId   uint32   `field:"countryId"`   // 国家ID
 	Name        string   `field:"name"`        // 名称
@@ -25,6 +26,7 @@ type RegionProvince struct {
 	CustomCodes dbs.JSON `field:"customCodes"` // 自定义代号
 	State       uint8    `field:"state"`       // 状态
 	DataId      string   `field:"dataId"`      // 原始数据ID
+	RouteCode   string   `field:"routeCode"`   // 线路代号
 }

 type RegionProvinceOperator struct {
@@ -37,6 +39,7 @@ type RegionProvinceOperator struct {
 	CustomCodes any // 自定义代号
 	State       any // 状态
 	DataId      any // 原始数据ID
+	RouteCode   any // 线路代号
 }

 func NewRegionProvinceOperator() *RegionProvinceOperator {
--- a/internal/db/models/reverse_proxy_dao.go
+++ b/internal/db/models/reverse_proxy_dao.go
@@ -376,14 +376,14 @@ func (this *ReverseProxyDAO) UpdateReverseProxyScheduling(tx *dbs.Tx, reversePro
 }

 // UpdateReverseProxyPrimaryOrigins 修改主要源站
-func (this *ReverseProxyDAO) UpdateReverseProxyPrimaryOrigins(tx *dbs.Tx, reverseProxyId int64, origins []byte) error {
+func (this *ReverseProxyDAO) UpdateReverseProxyPrimaryOrigins(tx *dbs.Tx, reverseProxyId int64, originRefs []byte) error {
 	if reverseProxyId <= 0 {
 		return errors.New("invalid reverseProxyId")
 	}
 	var op = NewReverseProxyOperator()
 	op.Id = reverseProxyId
-	if len(origins) > 0 {
-		op.PrimaryOrigins = origins
+	if len(originRefs) > 0 {
+		op.PrimaryOrigins = originRefs
 	} else {
 		op.PrimaryOrigins = "[]"
 	}
--- a/internal/db/models/reverse_proxy_model_ext.go
+++ b/internal/db/models/reverse_proxy_model_ext.go
@@ -1 +1,31 @@
 package models
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/iwind/TeaGo/logs"
+)
+
+// DecodePrimaryOrigins 解析主要源站
+func (this *ReverseProxy) DecodePrimaryOrigins() []*serverconfigs.OriginRef {
+	var refs = []*serverconfigs.OriginRef{}
+	if IsNotNull(this.PrimaryOrigins) {
+		err := json.Unmarshal(this.PrimaryOrigins, &refs)
+		if err != nil {
+			logs.Error(err)
+		}
+	}
+	return refs
+}
+
+// DecodeBackupOrigins 解析备用源站
+func (this *ReverseProxy) DecodeBackupOrigins() []*serverconfigs.OriginRef {
+	var refs = []*serverconfigs.OriginRef{}
+	if IsNotNull(this.BackupOrigins) {
+		err := json.Unmarshal(this.BackupOrigins, &refs)
+		if err != nil {
+			logs.Error(err)
+		}
+	}
+	return refs
+}
--- a/internal/db/models/server_dao.go
+++ b/internal/db/models/server_dao.go
@@ -757,14 +757,14 @@ func (this *ServerDAO) UpdateServerAuditing(tx *dbs.Tx, serverId int64, result *
 	return this.NotifyDNSUpdate(tx, serverId)
 }

-// UpdateServerReverseProxy 修改反向代理配置
-func (this *ServerDAO) UpdateServerReverseProxy(tx *dbs.Tx, serverId int64, config []byte) error {
+// UpdateServerReverseProxyRef 修改反向代理配置
+func (this *ServerDAO) UpdateServerReverseProxyRef(tx *dbs.Tx, serverId int64, reverseProxyRefJSON []byte) error {
 	if serverId <= 0 {
 		return errors.New("serverId should not be smaller than 0")
 	}
 	var op = NewServerOperator()
 	op.Id = serverId
-	op.ReverseProxy = JSONBytes(config)
+	op.ReverseProxy = JSONBytes(reverseProxyRefJSON)
 	err := this.Save(tx, op)
 	if err != nil {
 		return err
@@ -773,6 +773,28 @@ func (this *ServerDAO) UpdateServerReverseProxy(tx *dbs.Tx, serverId int64, conf
 	return this.NotifyUpdate(tx, serverId)
 }

+// CreateServerReverseProxyRef 创建反向代理配置
+func (this *ServerDAO) CreateServerReverseProxyRef(tx *dbs.Tx, userId int64, serverId int64) (reverseProxyId int64, err error) {
+	reverseProxyId, err = SharedReverseProxyDAO.CreateReverseProxy(tx, 0, userId, nil, []byte("[]"), []byte("[]"))
+	if err != nil {
+		return 0, err
+	}
+	var reverseProxyRef = &serverconfigs.ReverseProxyRef{
+		IsPrior:        false,
+		IsOn:           true,
+		ReverseProxyId: reverseProxyId,
+	}
+	reverseProxyRefJSON, err := json.Marshal(reverseProxyRef)
+	if err != nil {
+		return 0, err
+	}
+	err = this.UpdateServerReverseProxyRef(tx, serverId, reverseProxyRefJSON)
+	if err != nil {
+		return 0, err
+	}
+	return reverseProxyId, nil
+}
+
 // CountAllEnabledServers 计算所有可用服务数量
 func (this *ServerDAO) CountAllEnabledServers(tx *dbs.Tx) (int64, error) {
 	return this.Query(tx).
@@ -1322,28 +1344,10 @@ func (this *ServerDAO) ComposeServerConfig(tx *dbs.Tx, server *Server, ignoreCer
 			}

 			// 套餐是否依然有效
-			plan, err := SharedPlanDAO.FindEnabledPlan(tx, int64(userPlan.PlanId), cacheMap)
-			if err != nil {
-				return nil, err
-			}
-			if plan != nil {
-				config.UserPlan = &serverconfigs.UserPlanConfig{
-					Id:    int64(userPlan.Id),
-					DayTo: userPlan.DayTo,
-					Plan: &serverconfigs.PlanConfig{
-						Id:   int64(plan.Id),
-						Name: plan.Name,
-					},
-				}
-
-				if len(plan.TrafficLimit) > 0 && (config.TrafficLimit == nil || !config.TrafficLimit.IsOn) {
-					var trafficLimitConfig = &serverconfigs.TrafficLimitConfig{}
-					err = json.Unmarshal(plan.TrafficLimit, trafficLimitConfig)
-					if err != nil {
-						return nil, err
-					}
-					config.TrafficLimit = trafficLimitConfig
-				}
+			config.UserPlan = &serverconfigs.UserPlanConfig{
+				Id:     int64(userPlan.Id),
+				DayTo:  userPlan.DayTo,
+				PlanId: int64(userPlan.PlanId),
 			}
 		}
 	}
@@ -1380,8 +1384,8 @@ func (this *ServerDAO) ComposeServerConfig(tx *dbs.Tx, server *Server, ignoreCer
 	return config, nil
 }

-// FindReverseProxyRef 根据条件获取反向代理配置
-func (this *ServerDAO) FindReverseProxyRef(tx *dbs.Tx, serverId int64) (*serverconfigs.ReverseProxyRef, error) {
+// FindServerReverseProxyRef 根据条件获取反向代理配置
+func (this *ServerDAO) FindServerReverseProxyRef(tx *dbs.Tx, serverId int64) (*serverconfigs.ReverseProxyRef, error) {
 	reverseProxy, err := this.Query(tx).
 		Pk(serverId).
 		Result("reverseProxy").
@@ -1392,7 +1396,7 @@ func (this *ServerDAO) FindReverseProxyRef(tx *dbs.Tx, serverId int64) (*serverc
 	if len(reverseProxy) == 0 || reverseProxy == "null" {
 		return nil, nil
 	}
-	config := &serverconfigs.ReverseProxyRef{}
+	var config = &serverconfigs.ReverseProxyRef{}
 	err = json.Unmarshal([]byte(reverseProxy), config)
 	return config, err
 }
@@ -2358,8 +2362,36 @@ func (this *ServerDAO) UpdateServerTrafficLimitConfig(tx *dbs.Tx, serverId int64

 // RenewServerTrafficLimitStatus 根据限流配置更新网站的流量限制状态
 func (this *ServerDAO) RenewServerTrafficLimitStatus(tx *dbs.Tx, trafficLimitConfig *serverconfigs.TrafficLimitConfig, serverId int64, isUpdatingConfig bool) error {
+	if serverId <= 0 {
+		return nil
+	}
+
 	if !trafficLimitConfig.IsOn {
 		if isUpdatingConfig {
+			var oldStatus = &serverconfigs.TrafficLimitStatus{}
+			trafficLimitStatus, err := this.Query(tx).
+				Pk(serverId).
+				Result("trafficLimitStatus").
+				FindJSONCol()
+			if err != nil {
+				return err
+			}
+			if IsNotNull(trafficLimitStatus) {
+				err = json.Unmarshal(trafficLimitStatus, oldStatus)
+				if err != nil {
+					return err
+				}
+				if oldStatus.PlanId == 0 /** 说明是网站自行设置的限制 **/ {
+					err = this.Query(tx).
+						Pk(serverId).
+						Set("trafficLimitStatus", dbs.SQL("NULL")).
+						UpdateQuickly()
+					if err != nil {
+						return err
+					}
+				}
+			}
+
 			return this.NotifyUpdate(tx, serverId)
 		}
 		return nil
@@ -2470,7 +2502,9 @@ func (this *ServerDAO) UpdateServerTrafficLimitStatus(tx *dbs.Tx, serverId int64
 		if err != nil {
 			return err
 		}
-		if len(oldStatus.UntilDay) > 0 && oldStatus.UntilDay >= day /** 如果已经限制，且比当前日期长，则无需重复 **/ {
+		if len(oldStatus.UntilDay) > 0 &&
+			oldStatus.UntilDay >= day /** 如果已经限制，且比当前日期长，则无需重复 **/ &&
+			oldStatus.PlanId == planId /** 套餐无变化 **/ {
 			// no need to change
 			return nil
 		}
@@ -2986,6 +3020,17 @@ func (this *ServerDAO) CheckServerPlanQuota(tx *dbs.Tx, serverId int64, countSer
 	return nil
 }

+// ExistsServer 检查网站是否存在
+func (this *ServerDAO) ExistsServer(tx *dbs.Tx, serverId int64) (bool, error) {
+	if serverId <= 0 {
+		return false, nil
+	}
+	return this.Query(tx).
+		Pk(serverId).
+		State(ServerStateEnabled).
+		Exist()
+}
+
 // NotifyUpdate 同步服务所在的集群
 func (this *ServerDAO) NotifyUpdate(tx *dbs.Tx, serverId int64) error {
 	if serverId <= 0 {
--- a/internal/db/models/sys_setting_dao.go
+++ b/internal/db/models/sys_setting_dao.go
@@ -177,10 +177,10 @@ func (this *SysSettingDAO) ReadUserUIConfig(tx *dbs.Tx) (*systemconfigs.UserUICo
 		return nil, err
 	}
 	if len(valueJSON) == 0 {
-		return systemconfigs.DefaultUserUIConfig(), nil
+		return systemconfigs.NewUserUIConfig(), nil
 	}

-	var config = systemconfigs.DefaultUserUIConfig()
+	var config = systemconfigs.NewUserUIConfig()
 	err = json.Unmarshal(valueJSON, config)
 	if err != nil {
 		return nil, err
--- a/internal/db/models/utils.go
+++ b/internal/db/models/utils.go
@@ -1,6 +1,7 @@
 package models

 import (
+	"errors"
 	"github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/dbs"
 	"github.com/iwind/TeaGo/types"
@@ -60,8 +61,8 @@ func CheckSQLErrCode(err error, code uint16) bool {
 	}

 	// 快速判断错误方法
-	mysqlErr, ok := err.(*mysql.MySQLError)
-	if ok && mysqlErr.Number == code { // Error 1050: Table 'xxx' already exists
+	var mysqlErr *mysql.MySQLError
+	if errors.As(err, &mysqlErr) && mysqlErr.Number == code { // Error 1050: Table 'xxx' already exists
 		return true
 	}

@@ -86,6 +87,6 @@ func IsMySQLError(err error) bool {
 	if err == nil {
 		return false
 	}
-	_, ok := err.(*mysql.MySQLError)
-	return ok
+	var mysqlErr *mysql.MySQLError
+	return errors.As(err, &mysqlErr)
 }
--- a/internal/db/models/utils_test.go
+++ b/internal/db/models/utils_test.go
@@ -0,0 +1,39 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package models_test
+
+import (
+	"errors"
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
+	"github.com/iwind/TeaGo/assert"
+	"github.com/iwind/TeaGo/dbs"
+	"testing"
+)
+
+func TestIsMySQLError(t *testing.T) {
+	var a = assert.NewAssertion(t)
+
+	{
+		var err error
+		a.IsFalse(models.IsMySQLError(err))
+	}
+
+	{
+		var err = errors.New("hello")
+		a.IsFalse(models.IsMySQLError(err))
+	}
+
+	{
+		db, err := dbs.Default()
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer func() {
+			_ = db.Close()
+		}()
+		_, err = db.Exec("SELECT abc")
+		a.IsTrue(models.IsMySQLError(err))
+		a.IsTrue(models.CheckSQLErrCode(err, 1054))
+		a.IsFalse(models.CheckSQLErrCode(err, 1000))
+	}
+}
--- a/internal/dnsclients/provider_alidns.go
+++ b/internal/dnsclients/provider_alidns.go
@@ -42,6 +42,14 @@ func (this *AliDNSProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *AliDNSProvider) MaskParams(params maps.Map) {
+	if params == nil {
+		return
+	}
+	params["accessKeySecret"] = MaskString(params.GetString("accessKeySecret"))
+}
+
 // GetDomains 获取所有域名列表
 func (this *AliDNSProvider) GetDomains() (domains []string, err error) {
 	var pageNumber = 1
--- a/internal/dnsclients/provider_cloud_flare.go
+++ b/internal/dnsclients/provider_cloud_flare.go
@@ -66,6 +66,14 @@ func (this *CloudFlareProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *CloudFlareProvider) MaskParams(params maps.Map) {
+	if params == nil {
+		return
+	}
+	params["apiKey"] = MaskString(params.GetString("apiKey"))
+}
+
 // GetDomains 获取所有域名列表
 func (this *CloudFlareProvider) GetDomains() (domains []string, err error) {
 	for page := 1; page <= 500; page++ {
--- a/internal/dnsclients/provider_custom_http.go
+++ b/internal/dnsclients/provider_custom_http.go
@@ -53,6 +53,11 @@ func (this *CustomHTTPProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *CustomHTTPProvider) MaskParams(params maps.Map) {
+	// 这里暂时不要掩码，避免用户忘记
+}
+
 // GetDomains 获取所有域名列表
 func (this *CustomHTTPProvider) GetDomains() (domains []string, err error) {
 	resp, err := this.post(maps.Map{
--- a/internal/dnsclients/provider_dnspod.go
+++ b/internal/dnsclients/provider_dnspod.go
@@ -69,6 +69,19 @@ func (this *DNSPodProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *DNSPodProvider) MaskParams(params maps.Map) {
+	if params == nil {
+		return
+	}
+
+	if params.GetString("apiType") == "tencentDNS" {
+		params["accessKeySecret"] = MaskString(params.GetString("accessKeySecret"))
+	} else {
+		params["token"] = MaskString(params.GetString("token"))
+	}
+}
+
 // GetDomains 获取所有域名列表
 func (this *DNSPodProvider) GetDomains() (domains []string, err error) {
 	if this.tencentDNSProvider != nil {
--- a/internal/dnsclients/provider_edge_dns_api.go
+++ b/internal/dnsclients/provider_edge_dns_api.go
@@ -71,6 +71,14 @@ func (this *EdgeDNSAPIProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *EdgeDNSAPIProvider) MaskParams(params maps.Map) {
+	if params == nil {
+		return
+	}
+	params["accessKeySecret"] = MaskString(params.GetString("accessKeySecret"))
+}
+
 // GetDomains 获取所有域名列表
 func (this *EdgeDNSAPIProvider) GetDomains() (domains []string, err error) {
 	var offset = 0
--- a/internal/dnsclients/provider_huawei_dns.go
+++ b/internal/dnsclients/provider_huawei_dns.go
@@ -71,6 +71,14 @@ func (this *HuaweiDNSProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *HuaweiDNSProvider) MaskParams(params maps.Map) {
+	if params == nil {
+		return
+	}
+	params["accessKeySecret"] = MaskString(params.GetString("accessKeySecret"))
+}
+
 // GetDomains 获取所有域名列表
 func (this *HuaweiDNSProvider) GetDomains() (domains []string, err error) {
 	var resp = new(huaweidns.ZonesResponse)
--- a/internal/dnsclients/provider_interface.go
+++ b/internal/dnsclients/provider_interface.go
@@ -10,6 +10,9 @@ type ProviderInterface interface {
 	// Auth 认证
 	Auth(params maps.Map) error

+	// MaskParams 对参数进行掩码
+	MaskParams(params maps.Map)
+
 	// GetDomains 获取所有域名列表
 	GetDomains() (domains []string, err error)

--- a/internal/dnsclients/provider_tencent_dns.go
+++ b/internal/dnsclients/provider_tencent_dns.go
@@ -47,6 +47,14 @@ func (this *TencentDNSProvider) Auth(params maps.Map) error {
 	return nil
 }

+// MaskParams 对参数进行掩码
+func (this *TencentDNSProvider) MaskParams(params maps.Map) {
+	if params == nil {
+		return
+	}
+	params["accessKeySecret"] = MaskString(params.GetString("accessKeySecret"))
+}
+
 // GetDomains 获取所有域名列表
 func (this *TencentDNSProvider) GetDomains() (domains []string, err error) {
 	var offset int64 = 0
--- a/internal/dnsclients/utils.go
+++ b/internal/dnsclients/utils.go
@@ -0,0 +1,67 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package dnsclients
+
+import (
+	"encoding/json"
+	"github.com/iwind/TeaGo/maps"
+	"strings"
+)
+
+// MaskString 对字符串进行掩码
+func MaskString(s string) string {
+	var l = len(s)
+	if l == 0 {
+		return ""
+	}
+	if l < 8 {
+		return strings.Repeat("*", l)
+	}
+	return s[:4] + strings.Repeat("*", l-4)
+}
+
+// IsMasked 判断字符串是否被掩码
+func IsMasked(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	return s == strings.Repeat("*", len(s)) || strings.HasSuffix(s, "**")
+}
+
+// UnmaskAPIParams 恢复API参数
+func UnmaskAPIParams(oldParamsJSON []byte, newParamsJSON []byte) (resultJSON []byte, err error) {
+	var oldParams maps.Map
+	var newParams maps.Map
+
+	if len(oldParamsJSON) == 0 || len(newParamsJSON) == 0 {
+		return newParamsJSON, nil
+	}
+	err = json.Unmarshal(oldParamsJSON, &oldParams)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(newParamsJSON, &newParams)
+	if err != nil {
+		return nil, err
+	}
+
+	if oldParams == nil || newParams == nil {
+		return newParamsJSON, nil
+	}
+
+	for k, v := range newParams {
+		if v != nil {
+			s, ok := v.(string)
+			if ok && IsMasked(s) {
+				var oldV = oldParams.GetString(k)
+				if len(oldV) > 0 {
+					newParams[k] = oldV
+				}
+			}
+		}
+	}
+
+	resultJSON, err = json.Marshal(newParams)
+	return
+}
--- a/internal/dnsclients/utils_test.go
+++ b/internal/dnsclients/utils_test.go
@@ -0,0 +1,35 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package dnsclients_test
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
+	"github.com/iwind/TeaGo/assert"
+	"testing"
+)
+
+func TestIsMasked(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsFalse(dnsclients.IsMasked(""))
+	a.IsFalse(dnsclients.IsMasked("abc"))
+	a.IsFalse(dnsclients.IsMasked("abc*"))
+	a.IsTrue(dnsclients.IsMasked("*"))
+	a.IsTrue(dnsclients.IsMasked("**"))
+	a.IsTrue(dnsclients.IsMasked("***"))
+	a.IsTrue(dnsclients.IsMasked("*******"))
+	a.IsTrue(dnsclients.IsMasked("abc**"))
+	a.IsTrue(dnsclients.IsMasked("abcd*********"))
+}
+
+func TestUnmaskAPIParams(t *testing.T) {
+	data, err := dnsclients.UnmaskAPIParams([]byte(`{
+	"key": "a",
+	"secret": "abc12"
+}`), []byte(`{
+	"secret": "abc**"
+}`))
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(string(data))
+}
--- a/internal/instances/README.md
+++ b/internal/instances/README.md
@@ -0,0 +1,39 @@
+# 实例
+
+## 目录结构：
+~~~
+/opt/cache
+/usr/local/goedge/
+	edge-admin/
+	   configs/
+	      api_admin.yaml
+	      api_db.yaml
+	      server.yaml
+	edge-api/
+	   configs/api.yaml
+	   configs/db.yaml
+	api-node/
+	   configs/api_node.yaml
+	api-user/
+	   configs/api_user.yaml
+    src/	   
+/usr/bin/
+  edge-admin -> ...
+  edge-api -> ...
+  edge-node -> ...
+  edge-user -> ...
+/usr/local/mysql
+~~~
+
+* 其中 `->` 表示软链接。
+* `src/` 目录下放置zip格式的待安装压缩包
+
+## 端口
+* Admin：7788
+* API：8001
+* API HTTP：8002
+* User: 7799
+* Server: 8080
+
+## 数据库
+数据库名称为 `edges`
--- a/internal/instances/api_config.go
+++ b/internal/instances/api_config.go
@@ -0,0 +1,16 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package instances
+
+import "gopkg.in/yaml.v3"
+
+type APIConfig struct {
+	RPCEndpoints     []string `yaml:"rpc.endpoints,flow,omitempty" json:"rpc.endpoints"`
+	RPCDisableUpdate bool     `yaml:"rpc.disableUpdate,omitempty" json:"rpc.disableUpdate"`
+	NodeId           string   `yaml:"nodeId" json:"nodeId"`
+	Secret           string   `yaml:"secret" json:"secret"`
+}
+
+func (this *APIConfig) AsYAML() ([]byte, error) {
+	return yaml.Marshal(this)
+}
--- a/internal/instances/instance.go
+++ b/internal/instances/instance.go
--- a/internal/instances/instance_test.go
+++ b/internal/instances/instance_test.go
@@ -0,0 +1,98 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package instances_test
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/instances"
+	"github.com/iwind/TeaGo/Tea"
+	_ "github.com/iwind/TeaGo/bootstrap"
+	"testing"
+)
+
+var instance = instances.NewInstance(instances.Options{
+	Cacheable: true,
+	WorkDir:   Tea.Root + "/standalone-instance",
+	SrcDir:    Tea.Root + "/standalone-instance/src",
+	DB: struct {
+		Host     string
+		Port     int
+		Username string
+		Password string
+		Name     string
+	}{
+		Host:     "127.0.0.1",
+		Port:     3306,
+		Username: "root",
+		Password: "123456",
+		Name:     "edges2",
+	},
+	AdminNode: struct {
+		Port int
+	}{
+		Port: 7788,
+	},
+	APINode: struct {
+		HTTPPort     int
+		RestHTTPPort int
+	}{
+		HTTPPort:     8001,
+		RestHTTPPort: 8002,
+	},
+	Node: struct{ HTTPPort int }{
+		HTTPPort: 8080,
+	},
+	UserNode: struct {
+		HTTPPort int
+	}{
+		HTTPPort: 7799,
+	},
+})
+
+func TestInstanceSetupAll(t *testing.T) {
+	err := instance.SetupAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestInstance_SetupDB(t *testing.T) {
+	err := instance.SetupDB()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestInstance_SetupAdminNode(t *testing.T) {
+	err := instance.SetupAdminNode()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestInstance_SetupAPINode(t *testing.T) {
+	err := instance.SetupAPINode()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestInstance_SetupUserNode(t *testing.T) {
+	err := instance.SetupUserNode()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestInstance_SetupNode(t *testing.T) {
+	err := instance.SetupNode()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestInstance_Clean(t *testing.T) {
+	err := instance.Clean()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
--- a/internal/instances/options.go
+++ b/internal/instances/options.go
@@ -0,0 +1,32 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package instances
+
+type Options struct {
+	IsTesting bool
+	Verbose   bool
+	Cacheable bool
+
+	WorkDir string
+	SrcDir  string
+	DB      struct {
+		Host     string
+		Port     int
+		Username string
+		Password string
+		Name     string
+	}
+	AdminNode struct {
+		Port int
+	}
+	APINode struct {
+		HTTPPort     int
+		RestHTTPPort int
+	}
+	Node struct {
+		HTTPPort int
+	}
+	UserNode struct {
+		HTTPPort int
+	}
+}
--- a/internal/nodes/rest_server.go
+++ b/internal/nodes/rest_server.go
@@ -67,6 +67,11 @@ func (this *RestServer) handle(writer http.ResponseWriter, req *http.Request) {
 	var matches = servicePathReg.FindStringSubmatch(path)
 	if len(matches) != 3 {
 		writer.WriteHeader(http.StatusNotFound)
+		this.writeJSON(writer, maps.Map{
+			"code":    "404",
+			"message": "invalid api path '" + path + "'",
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}

@@ -76,11 +81,21 @@ func (this *RestServer) handle(writer http.ResponseWriter, req *http.Request) {
 	serviceType, ok := restServicesMap[serviceName]
 	if !ok {
 		writer.WriteHeader(http.StatusNotFound)
+		this.writeJSON(writer, maps.Map{
+			"code":    "404",
+			"message": "service '" + serviceName + "' not found",
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}

 	if len(methodName) == 0 {
 		writer.WriteHeader(http.StatusNotFound)
+		this.writeJSON(writer, maps.Map{
+			"code":    "404",
+			"message": "method '" + methodName + "' not found",
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}

@@ -94,19 +109,39 @@ func (this *RestServer) handle(writer http.ResponseWriter, req *http.Request) {
 			method = serviceType.MethodByName(methodName)
 			if !method.IsValid() {
 				writer.WriteHeader(http.StatusNotFound)
+				this.writeJSON(writer, maps.Map{
+					"code":    "404",
+					"message": "method '" + methodName + "' not found",
+					"data":    maps.Map{},
+				}, shouldPretty)
 				return
 			}
 		} else {
 			writer.WriteHeader(http.StatusNotFound)
+			this.writeJSON(writer, maps.Map{
+				"code":    "404",
+				"message": "method '" + methodName + "' not found",
+				"data":    maps.Map{},
+			}, shouldPretty)
 			return
 		}
 	}
 	if method.Type().NumIn() != 2 || method.Type().NumOut() != 2 {
 		writer.WriteHeader(http.StatusNotFound)
+		this.writeJSON(writer, maps.Map{
+			"code":    "404",
+			"message": "method '" + methodName + "' not found",
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}
 	if method.Type().In(0).Name() != "Context" {
 		writer.WriteHeader(http.StatusNotFound)
+		this.writeJSON(writer, maps.Map{
+			"code":    "404",
+			"message": "method '" + methodName + "' not found (or invalid context)",
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}

@@ -166,7 +201,11 @@ func (this *RestServer) handle(writer http.ResponseWriter, req *http.Request) {
 	body, err := io.ReadAll(io.LimitReader(req.Body, 32*sizes.M))
 	if err != nil {
 		writer.WriteHeader(http.StatusBadRequest)
-		_, _ = writer.Write([]byte(err.Error()))
+		this.writeJSON(writer, maps.Map{
+			"code":    400,
+			"message": err.Error(),
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}

@@ -180,7 +219,11 @@ func (this *RestServer) handle(writer http.ResponseWriter, req *http.Request) {
 	err = json.Unmarshal(body, reqValue)
 	if err != nil {
 		writer.WriteHeader(http.StatusBadRequest)
-		_, _ = writer.Write([]byte("Decode request failed: " + err.Error() + ". Request body should be a valid JSON data"))
+		this.writeJSON(writer, maps.Map{
+			"code":    400,
+			"message": "Decode request failed: " + err.Error() + ". Request body should be a valid JSON data",
+			"data":    maps.Map{},
+		}, shouldPretty)
 		return
 	}

--- a/internal/rpc/services/service_admin.go
+++ b/internal/rpc/services/service_admin.go
@@ -104,6 +104,39 @@ func (this *AdminService) CheckAdminUsername(ctx context.Context, req *pb.CheckA
 	return &pb.CheckAdminUsernameResponse{Exists: exists}, nil
 }

+// FindAdminWithUsername 使用用管理员户名查找管理员信息
+func (this *AdminService) FindAdminWithUsername(ctx context.Context, req *pb.FindAdminWithUsernameRequest) (*pb.FindAdminWithUsernameResponse, error) {
+	// 校验请求
+	_, err := this.ValidateAdmin(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+
+	if len(req.Username) == 0 {
+		return nil, errors.New("require 'username'")
+	}
+	admin, err := models.SharedAdminDAO.FindAdminWithUsername(tx, req.Username)
+	if err != nil {
+		return nil, err
+	}
+	if admin == nil {
+		return &pb.FindAdminWithUsernameResponse{Admin: nil}, nil
+	}
+
+	return &pb.FindAdminWithUsernameResponse{
+		Admin: &pb.Admin{
+			Id:       int64(admin.Id),
+			Fullname: admin.Fullname,
+			Username: admin.Username,
+			IsOn:     admin.IsOn,
+			IsSuper:  admin.IsSuper,
+			CanLogin: admin.CanLogin,
+		},
+	}, nil
+}
+
 // FindAdminFullname 获取管理员名称
 func (this *AdminService) FindAdminFullname(ctx context.Context, req *pb.FindAdminFullnameRequest) (*pb.FindAdminFullnameResponse, error) {
 	// 校验请求
@@ -503,7 +536,7 @@ func (this *AdminService) ComposeAdminDashboard(ctx context.Context, req *pb.Com

 	// 默认集群
 	this.BeginTag(ctx, "SharedNodeClusterDAO.ListEnabledClusters")
-	nodeClusters, err := models.SharedNodeClusterDAO.ListEnabledClusters(tx, "", 0, 1)
+	nodeClusters, err := models.SharedNodeClusterDAO.ListEnabledClusters(tx, "", true, false, 0, 1)
 	this.EndTag(ctx, "SharedNodeClusterDAO.ListEnabledClusters")
 	if err != nil {
 		return nil, err
--- a/internal/rpc/services/service_dns_provider.go
+++ b/internal/rpc/services/service_dns_provider.go
@@ -2,9 +2,11 @@ package services

 import (
 	"context"
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAPI/internal/db/models/dns"
 	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/maps"
 )

 // DNSProviderService DNS服务商相关服务
@@ -42,6 +44,21 @@ func (this *DNSProviderService) UpdateDNSProvider(ctx context.Context, req *pb.U

 	var tx = this.NullTx()

+	provider, err := dns.SharedDNSProviderDAO.FindEnabledDNSProvider(tx, req.DnsProviderId)
+	if err != nil {
+		return nil, err
+	}
+	if provider == nil {
+		// do nothing here
+		return this.Success()
+	}
+
+	// 恢复被掩码的数据
+	req.ApiParamsJSON, err = dnsclients.UnmaskAPIParams(provider.ApiParams, req.ApiParamsJSON)
+	if err != nil {
+		return nil, err
+	}
+
 	err = dns.SharedDNSProviderDAO.UpdateDNSProvider(tx, req.DnsProviderId, req.Name, req.ApiParamsJSON)
 	if err != nil {
 		return nil, err
@@ -175,14 +192,34 @@ func (this *DNSProviderService) FindEnabledDNSProvider(ctx context.Context, req
 		return &pb.FindEnabledDNSProviderResponse{DnsProvider: nil}, nil
 	}

-	return &pb.FindEnabledDNSProviderResponse{DnsProvider: &pb.DNSProvider{
-		Id:            int64(provider.Id),
-		Name:          provider.Name,
-		Type:          provider.Type,
-		TypeName:      dnsclients.FindProviderTypeName(provider.Type),
-		ApiParamsJSON: provider.ApiParams,
-		DataUpdatedAt: int64(provider.DataUpdatedAt),
-	}}, nil
+	if req.MaskParams {
+		var providerObj = dnsclients.FindProvider(provider.Type, int64(provider.Id))
+		if providerObj != nil {
+			var paramsMap = maps.Map{}
+			if len(provider.ApiParams) > 0 {
+				err = json.Unmarshal(provider.ApiParams, &paramsMap)
+				if err != nil {
+					return nil, err
+				}
+				providerObj.MaskParams(paramsMap)
+				provider.ApiParams, err = json.Marshal(paramsMap)
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+
+	return &pb.FindEnabledDNSProviderResponse{
+		DnsProvider: &pb.DNSProvider{
+			Id:            int64(provider.Id),
+			Name:          provider.Name,
+			Type:          provider.Type,
+			TypeName:      dnsclients.FindProviderTypeName(provider.Type),
+			ApiParamsJSON: provider.ApiParams,
+			DataUpdatedAt: int64(provider.DataUpdatedAt),
+		},
+	}, nil
 }

 // FindAllDNSProviderTypes 取得所有服务商类型
--- a/internal/rpc/services/service_http_cache_task.go
+++ b/internal/rpc/services/service_http_cache_task.go
@@ -353,14 +353,28 @@ func (this *HTTPCacheTaskService) FindEnabledHTTPCacheTask(ctx context.Context,
 			key.Errors = nil
 		}

+		// 集群信息
+		var pbNodeCluster *pb.NodeCluster
+		if !isFromUser && key.ClusterId > 0 {
+			clusterName, findClusterErr := models.SharedNodeClusterDAO.FindNodeClusterName(tx, int64(key.ClusterId))
+			if findClusterErr != nil {
+				return nil, findClusterErr
+			}
+			pbNodeCluster = &pb.NodeCluster{
+				Id:   int64(key.ClusterId),
+				Name: clusterName,
+			}
+		}
+
 		pbKeys = append(pbKeys, &pb.HTTPCacheTaskKey{
-			Id:         int64(key.Id),
-			TaskId:     int64(key.TaskId),
-			Key:        key.Key,
-			KeyType:    key.KeyType,
-			IsDone:     key.IsDone,
-			IsDoing:    !key.IsDone && len(key.DecodeNodes()) > 0,
-			ErrorsJSON: key.Errors,
+			Id:          int64(key.Id),
+			TaskId:      int64(key.TaskId),
+			Key:         key.Key,
+			KeyType:     key.KeyType,
+			IsDone:      key.IsDone,
+			IsDoing:     !key.IsDone && len(key.DecodeNodes()) > 0,
+			ErrorsJSON:  key.Errors,
+			NodeCluster: pbNodeCluster,
 		})
 	}

--- a/internal/rpc/services/service_http_firewall_policy.go
+++ b/internal/rpc/services/service_http_firewall_policy.go
@@ -305,7 +305,7 @@ func (this *HTTPFirewallPolicyService) UpdateHTTPFirewallPolicy(ctx context.Cont
 		req.MaxRequestBodySize = 0
 	}

-	err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicy(tx, req.HttpFirewallPolicyId, req.IsOn, req.Name, req.Description, inboundConfigJSON, outboundConfigJSON, req.BlockOptionsJSON, req.CaptchaOptionsJSON, req.Mode, req.UseLocalFirewall, synFloodConfig, logConfig, req.MaxRequestBodySize, req.DenyCountryHTML, req.DenyProvinceHTML)
+	err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicy(tx, req.HttpFirewallPolicyId, req.IsOn, req.Name, req.Description, inboundConfigJSON, outboundConfigJSON, req.BlockOptionsJSON, req.PageOptionsJSON, req.CaptchaOptionsJSON, req.Mode, req.UseLocalFirewall, synFloodConfig, logConfig, req.MaxRequestBodySize, req.DenyCountryHTML, req.DenyProvinceHTML)
 	if err != nil {
 		return nil, err
 	}
@@ -500,6 +500,7 @@ func (this *HTTPFirewallPolicyService) FindEnabledHTTPFirewallPolicy(ctx context
 			Mode:               policy.Mode,
 			SynFloodJSON:       policy.SynFlood,
 			BlockOptionsJSON:   policy.BlockOptions,
+			PageOptionsJSON:    policy.PageOptions,
 			CaptchaOptionsJSON: policy.CaptchaOptions,
 		},
 	}, nil
--- a/internal/rpc/services/service_http_web.go
+++ b/internal/rpc/services/service_http_web.go
@@ -972,18 +972,13 @@ func (this *HTTPWebService) FindHTTPWebReferers(ctx context.Context, req *pb.Fin
 		}
 	}

-	config, err := models.SharedHTTPWebDAO.FindWebReferers(tx, req.HttpWebId)
-	if err != nil {
-		return nil, err
-	}
-
-	configJSON, err := json.Marshal(config)
+	referersJSON, err := models.SharedHTTPWebDAO.FindWebReferers(tx, req.HttpWebId)
 	if err != nil {
 		return nil, err
 	}

 	return &pb.FindHTTPWebReferersResponse{
-		ReferersJSON: configJSON,
+		ReferersJSON: referersJSON,
 	}, nil
 }

@@ -1040,18 +1035,13 @@ func (this *HTTPWebService) FindHTTPWebUserAgent(ctx context.Context, req *pb.Fi
 		}
 	}

-	config, err := models.SharedHTTPWebDAO.FindWebUserAgent(tx, req.HttpWebId)
-	if err != nil {
-		return nil, err
-	}
-
-	configJSON, err := json.Marshal(config)
+	userAgentJSON, err := models.SharedHTTPWebDAO.FindWebUserAgent(tx, req.HttpWebId)
 	if err != nil {
 		return nil, err
 	}

 	return &pb.FindHTTPWebUserAgentResponse{
-		UserAgentJSON: configJSON,
+		UserAgentJSON: userAgentJSON,
 	}, nil
 }

--- a/internal/rpc/services/service_http_web_community.go
+++ b/internal/rpc/services/service_http_web_community.go
@@ -32,3 +32,13 @@ func (this *HTTPWebService) FindHTTPWebCC(ctx context.Context, req *pb.FindHTTPW
 func (this *HTTPWebService) UpdateHTTPWebRequestScripts(ctx context.Context, req *pb.UpdateHTTPWebRequestScriptsRequest) (*pb.RPCSuccess, error) {
 	return nil, this.NotImplementedYet()
 }
+
+// UpdateHTTPWebHLS 修改HLS设置
+func (this *HTTPWebService) UpdateHTTPWebHLS(ctx context.Context, req *pb.UpdateHTTPWebHLSRequest) (*pb.RPCSuccess, error) {
+	return nil, this.NotImplementedYet()
+}
+
+// FindHTTPWebHLS 查找HLS设置
+func (this *HTTPWebService) FindHTTPWebHLS(ctx context.Context, req *pb.FindHTTPWebHLSRequest) (*pb.FindHTTPWebHLSResponse, error) {
+	return nil, this.NotImplementedYet()
+}
--- a/internal/rpc/services/service_node.go
+++ b/internal/rpc/services/service_node.go
@@ -2293,3 +2293,19 @@ func (this *NodeService) FindNodeWebPPolicies(ctx context.Context, req *pb.FindN
 		WebPPolicies: pbPolicies,
 	}, nil
 }
+
+// UpdateNodeIsOn 修改节点的启用状态
+func (this *NodeService) UpdateNodeIsOn(ctx context.Context, req *pb.UpdateNodeIsOnRequest) (*pb.RPCSuccess, error) {
+	_, err := this.ValidateAdmin(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	err = models.SharedNodeDAO.UpdateNodeIsOn(tx, req.NodeId, req.IsOn)
+	if err != nil {
+		return nil, err
+	}
+
+	return this.Success()
+}
--- a/internal/rpc/services/service_node_cluster.go
+++ b/internal/rpc/services/service_node_cluster.go
@@ -349,12 +349,12 @@ func (this *NodeClusterService) ListEnabledNodeClusters(ctx context.Context, req

 	var tx = this.NullTx()

-	clusters, err := models.SharedNodeClusterDAO.ListEnabledClusters(tx, req.Keyword, req.Offset, req.Size)
+	clusters, err := models.SharedNodeClusterDAO.ListEnabledClusters(tx, req.Keyword, req.IdDesc, req.IdAsc, req.Offset, req.Size)
 	if err != nil {
 		return nil, err
 	}

-	result := []*pb.NodeCluster{}
+	var result = []*pb.NodeCluster{}
 	for _, cluster := range clusters {
 		result = append(result, &pb.NodeCluster{
 			Id:          int64(cluster.Id),
--- a/internal/rpc/services/service_node_grant.go
+++ b/internal/rpc/services/service_node_grant.go
@@ -10,6 +10,8 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"golang.org/x/crypto/ssh"
 	"net"
+	"regexp"
+	"strings"
 	"time"
 )

@@ -48,6 +50,25 @@ func (this *NodeGrantService) UpdateNodeGrant(ctx context.Context, req *pb.Updat

 	var tx = this.NullTx()

+	// 从掩码中恢复密码和私钥
+	grant, err := models.SharedNodeGrantDAO.FindEnabledNodeGrant(tx, req.NodeGrantId)
+	if err != nil {
+		return nil, err
+	}
+	if grant == nil {
+		// do nothing here
+		return this.Success()
+	}
+
+	var maskReg = regexp.MustCompile(`^\*+$`)
+	if len(req.Password) > 0 && maskReg.MatchString(req.Password) {
+		req.Password = grant.Password
+	}
+
+	if len(req.PrivateKey) > 0 && strings.HasSuffix(req.PrivateKey, "********") {
+		req.PrivateKey = grant.PrivateKey
+	}
+
 	err = models.SharedNodeGrantDAO.UpdateGrant(tx, req.NodeGrantId, req.Name, req.Method, req.Username, req.Password, req.PrivateKey, req.Passphrase, req.Description, req.NodeId, req.Su)
 	return this.Success()
 }
--- a/internal/rpc/services/service_plan_community.go
+++ b/internal/rpc/services/service_plan_community.go
@@ -1,6 +1,5 @@
 // Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build !plus
-// +build !plus

 package services

@@ -34,6 +33,11 @@ func (this *PlanService) FindEnabledPlan(ctx context.Context, req *pb.FindEnable
 	return &pb.FindEnabledPlanResponse{Plan: nil}, nil
 }

+// FindBasicPlan 查找套餐基本信息
+func (this *PlanService) FindBasicPlan(ctx context.Context, req *pb.FindBasicPlanRequest) (*pb.FindBasicPlanResponse, error) {
+	return nil, this.NotImplementedYet()
+}
+
 // CountAllEnabledPlans 计算套餐数量
 func (this *PlanService) CountAllEnabledPlans(ctx context.Context, req *pb.CountAllEnabledPlansRequest) (*pb.RPCCountResponse, error) {
 	return this.SuccessCount(0)
@@ -53,3 +57,8 @@ func (this *PlanService) SortPlans(ctx context.Context, req *pb.SortPlansRequest
 func (this *PlanService) FindAllAvailablePlans(ctx context.Context, req *pb.FindAllAvailablePlansRequest) (*pb.FindAllAvailablePlansResponse, error) {
 	return nil, this.NotImplementedYet()
 }
+
+// FindAllAvailableBasicPlans 列出所有可用的套餐的基本信息
+func (this *PlanService) FindAllAvailableBasicPlans(ctx context.Context, req *pb.FindAllAvailableBasicPlansRequest) (*pb.FindAllAvailableBasicPlansResponse, error) {
+	return nil, this.NotImplementedYet()
+}
--- a/internal/rpc/services/service_region_province.go
+++ b/internal/rpc/services/service_region_province.go
@@ -88,9 +88,9 @@ func (this *RegionProvinceService) FindAllRegionProvincesWithRegionCountryId(ctx
 	if err != nil {
 		return nil, err
 	}
-	var result = []*pb.RegionProvince{}
+	var pbProvinces = []*pb.RegionProvince{}
 	for _, province := range provinces {
-		result = append(result, &pb.RegionProvince{
+		pbProvinces = append(pbProvinces, &pb.RegionProvince{
 			Id:          int64(province.ValueId),
 			Name:        province.Name,
 			Codes:       province.DecodeCodes(),
@@ -101,7 +101,61 @@ func (this *RegionProvinceService) FindAllRegionProvincesWithRegionCountryId(ctx
 	}

 	return &pb.FindAllRegionProvincesWithRegionCountryIdResponse{
-		RegionProvinces: result,
+		RegionProvinces: pbProvinces,
+	}, nil
+}
+
+// FindAllRegionProvinces 查找所有国家|地区的所有省份
+func (this *RegionProvinceService) FindAllRegionProvinces(ctx context.Context, req *pb.FindAllRegionProvincesRequest) (*pb.FindAllRegionProvincesResponse, error) {
+	_, _, err := this.ValidateAdminAndUser(ctx, true)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	provinces, err := regions.SharedRegionProvinceDAO.FindAllEnabledProvinces(tx)
+	if err != nil {
+		return nil, err
+	}
+
+	var pbProvinces = []*pb.RegionProvince{}
+	var countryRouteCodeCache = map[int64]string{} // countryId => routeCode
+	for _, province := range provinces {
+		// 国家|地区ID
+		var countryId = int64(province.CountryId)
+		if countryId <= 0 {
+			continue
+		}
+
+		// 国家|地区线路
+		countryRouteCode, ok := countryRouteCodeCache[countryId]
+		if !ok {
+			countryRouteCode, err = regions.SharedRegionCountryDAO.FindRegionCountryRouteCode(tx, countryId)
+			if err != nil {
+				return nil, err
+			}
+			countryRouteCodeCache[countryId] = countryRouteCode
+		}
+		if len(countryRouteCode) == 0 {
+			continue
+		}
+
+		pbProvinces = append(pbProvinces, &pb.RegionProvince{
+			Id:              int64(province.ValueId),
+			Name:            province.Name,
+			Codes:           province.DecodeCodes(),
+			CustomName:      province.CustomName,
+			CustomCodes:     province.DecodeCustomCodes(),
+			DisplayName:     province.DisplayName(),
+			RegionCountryId: countryId,
+			RegionCountry: &pb.RegionCountry{
+				Id:        countryId,
+				RouteCode: countryRouteCode,
+			},
+		})
+	}
+	return &pb.FindAllRegionProvincesResponse{
+		RegionProvinces: pbProvinces,
 	}, nil
 }

--- a/internal/rpc/services/service_server.go
+++ b/internal/rpc/services/service_server.go
@@ -695,6 +695,218 @@ func (this *ServerService) CreateBasicTCPServer(ctx context.Context, req *pb.Cre
 	return &pb.CreateBasicTCPServerResponse{ServerId: serverId}, nil
 }

+// AddServerOrigin 为网站添加源站
+func (this *ServerService) AddServerOrigin(ctx context.Context, req *pb.AddServerOriginRequest) (*pb.RPCSuccess, error) {
+	_, userId, err := this.ValidateAdminAndUser(ctx, true)
+	if err != nil {
+		return nil, err
+	}
+
+	if req.ServerId <= 0 {
+		return nil, errors.New("require 'serverId'")
+	}
+	if req.OriginId <= 0 {
+		return nil, errors.New("require 'originId'")
+	}
+
+	var tx = this.NullTx()
+
+	// check user
+	if userId > 0 {
+		err = models.SharedServerDAO.CheckUserServer(tx, userId, req.ServerId)
+		if err != nil {
+			return nil, err
+		}
+
+		err = models.SharedOriginDAO.CheckUserOrigin(tx, userId, req.OriginId)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// check server
+		existsServer, err := models.SharedServerDAO.ExistsServer(tx, req.ServerId)
+		if err != nil {
+			return nil, err
+		}
+		if !existsServer {
+			return nil, errors.New("server '" + types.String(req.ServerId) + "' not found")
+		}
+
+		// check origin
+		existsOrigin, err := models.SharedOriginDAO.ExistsOrigin(tx, req.OriginId)
+		if err != nil {
+			return nil, err
+		}
+		if !existsOrigin {
+			return nil, errors.New("origin '" + types.String(req.OriginId) + "' not found")
+		}
+	}
+
+	reverseProxyRef, err := models.SharedServerDAO.FindServerReverseProxyRef(tx, req.ServerId)
+	if err != nil {
+		return nil, err
+	}
+	if reverseProxyRef == nil || reverseProxyRef.ReverseProxyId <= 0 {
+		reverseProxyId, err := models.SharedServerDAO.CreateServerReverseProxyRef(tx, userId, req.ServerId)
+		if err != nil {
+			return nil, err
+		}
+		reverseProxyRef = &serverconfigs.ReverseProxyRef{
+			IsPrior:        false,
+			IsOn:           true,
+			ReverseProxyId: reverseProxyId,
+		}
+	}
+
+	reverseProxy, err := models.SharedReverseProxyDAO.FindEnabledReverseProxy(tx, reverseProxyRef.ReverseProxyId)
+	if err != nil {
+		return nil, err
+	}
+	if reverseProxy == nil {
+		return nil, errors.New("can not found reverse proxy")
+	}
+
+	if req.IsPrimary {
+		var refs = reverseProxy.DecodePrimaryOrigins()
+		refs = append(refs, &serverconfigs.OriginRef{
+			IsOn:     true,
+			OriginId: req.OriginId,
+		})
+		refsJSON, err := json.Marshal(refs)
+		if err != nil {
+			return nil, err
+		}
+		err = models.SharedReverseProxyDAO.UpdateReverseProxyPrimaryOrigins(tx, int64(reverseProxy.Id), refsJSON)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		var refs = reverseProxy.DecodeBackupOrigins()
+		refs = append(refs, &serverconfigs.OriginRef{
+			IsOn:     true,
+			OriginId: req.OriginId,
+		})
+		refsJSON, err := json.Marshal(refs)
+		if err != nil {
+			return nil, err
+		}
+		err = models.SharedReverseProxyDAO.UpdateReverseProxyBackupOrigins(tx, int64(reverseProxy.Id), refsJSON)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return this.Success()
+}
+
+// DeleteServerOrigin 从网站中删除某个源站
+func (this *ServerService) DeleteServerOrigin(ctx context.Context, req *pb.DeleteServerOriginRequest) (*pb.RPCSuccess, error) {
+	_, userId, err := this.ValidateAdminAndUser(ctx, true)
+	if err != nil {
+		return nil, err
+	}
+
+	if req.ServerId <= 0 {
+		return nil, errors.New("require 'serverId'")
+	}
+	if req.OriginId <= 0 {
+		return nil, errors.New("require 'originId'")
+	}
+
+	var tx = this.NullTx()
+
+	// check user
+	if userId > 0 {
+		err = models.SharedServerDAO.CheckUserServer(tx, userId, req.ServerId)
+		if err != nil {
+			return nil, err
+		}
+
+		err = models.SharedOriginDAO.CheckUserOrigin(tx, userId, req.OriginId)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// check server
+		existsServer, err := models.SharedServerDAO.ExistsServer(tx, req.ServerId)
+		if err != nil {
+			return nil, err
+		}
+		if !existsServer {
+			return nil, errors.New("server '" + types.String(req.ServerId) + "' not found")
+		}
+
+		// check origin
+		existsOrigin, err := models.SharedOriginDAO.ExistsOrigin(tx, req.OriginId)
+		if err != nil {
+			return nil, err
+		}
+		if !existsOrigin {
+			return nil, errors.New("origin '" + types.String(req.OriginId) + "' not found")
+		}
+	}
+
+	reverseProxyRef, err := models.SharedServerDAO.FindServerReverseProxyRef(tx, req.ServerId)
+	if err != nil {
+		return nil, err
+	}
+	if reverseProxyRef == nil || reverseProxyRef.ReverseProxyId <= 0 {
+		return this.Success()
+	}
+
+	reverseProxy, err := models.SharedReverseProxyDAO.FindEnabledReverseProxy(tx, reverseProxyRef.ReverseProxyId)
+	if err != nil {
+		return nil, err
+	}
+	if reverseProxy == nil {
+		return this.Success()
+	}
+
+	var primaryOrigins = reverseProxy.DecodePrimaryOrigins()
+	var newPrimaryOrigins = []*serverconfigs.OriginRef{}
+	var found = false
+	for _, origin := range primaryOrigins {
+		if origin.OriginId == req.OriginId {
+			found = true
+			continue
+		}
+		newPrimaryOrigins = append(newPrimaryOrigins, origin)
+	}
+	if found {
+		newPrimaryOriginsJSON, err := json.Marshal(newPrimaryOrigins)
+		if err != nil {
+			return nil, err
+		}
+		err = models.SharedReverseProxyDAO.UpdateReverseProxyPrimaryOrigins(tx, int64(reverseProxy.Id), newPrimaryOriginsJSON)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var backupOrigins = reverseProxy.DecodeBackupOrigins()
+	var newBackupOrigins = []*serverconfigs.OriginRef{}
+	found = false
+	for _, origin := range backupOrigins {
+		if origin.OriginId == req.OriginId {
+			found = true
+			continue
+		}
+		newBackupOrigins = append(newBackupOrigins, origin)
+	}
+	if found {
+		newBackupOriginsJSON, err := json.Marshal(newBackupOrigins)
+		if err != nil {
+			return nil, err
+		}
+		err = models.SharedReverseProxyDAO.UpdateReverseProxyBackupOrigins(tx, int64(reverseProxy.Id), newBackupOriginsJSON)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return this.Success()
+}
+
 // UpdateServerBasic 修改服务基本信息
 func (this *ServerService) UpdateServerBasic(ctx context.Context, req *pb.UpdateServerBasicRequest) (*pb.RPCSuccess, error) {
 	// 校验请求
@@ -1001,7 +1213,7 @@ func (this *ServerService) UpdateServerReverseProxy(ctx context.Context, req *pb
 	}

 	// 修改配置
-	err = models.SharedServerDAO.UpdateServerReverseProxy(tx, req.ServerId, req.ReverseProxyJSON)
+	err = models.SharedServerDAO.UpdateServerReverseProxyRef(tx, req.ServerId, req.ReverseProxyJSON)
 	if err != nil {
 		return nil, err
 	}
@@ -1462,7 +1674,7 @@ func (this *ServerService) ListEnabledServersMatch(ctx context.Context, req *pb.
 	return &pb.ListEnabledServersMatchResponse{Servers: result}, nil
 }

-// DeleteServer 禁用某服务
+// DeleteServer 删除某网站
 func (this *ServerService) DeleteServer(ctx context.Context, req *pb.DeleteServerRequest) (*pb.RPCSuccess, error) {
 	// 校验请求
 	_, userId, err := this.ValidateAdminAndUser(ctx, true)
@@ -1479,7 +1691,7 @@ func (this *ServerService) DeleteServer(ctx context.Context, req *pb.DeleteServe
 		}
 	}

-	// 禁用服务
+	// 禁用网站
 	err = models.SharedServerDAO.DisableServer(tx, req.ServerId)
 	if err != nil {
 		return nil, err
@@ -1488,6 +1700,37 @@ func (this *ServerService) DeleteServer(ctx context.Context, req *pb.DeleteServe
 	return this.Success()
 }

+// DeleteServers 删除一组网站
+func (this *ServerService) DeleteServers(ctx context.Context, req *pb.DeleteServersRequest) (*pb.RPCSuccess, error) {
+	// 校验请求
+	_, userId, err := this.ValidateAdminAndUser(ctx, true)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	for _, serverId := range req.ServerIds {
+		if serverId <= 0 {
+			continue
+		}
+
+		// 检查权限
+		if userId > 0 {
+			err = models.SharedServerDAO.CheckUserServer(tx, userId, serverId)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// 禁用网站
+		err = models.SharedServerDAO.DisableServer(tx, serverId)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return this.Success()
+}
+
 // FindEnabledServer 查找单个服务
 func (this *ServerService) FindEnabledServer(ctx context.Context, req *pb.FindEnabledServerRequest) (*pb.FindEnabledServerResponse, error) {
 	// 校验请求
@@ -1674,7 +1917,7 @@ func (this *ServerService) FindAndInitServerReverseProxyConfig(ctx context.Conte

 	var tx = this.NullTx()

-	reverseProxyRef, err := models.SharedServerDAO.FindReverseProxyRef(tx, req.ServerId)
+	reverseProxyRef, err := models.SharedServerDAO.FindServerReverseProxyRef(tx, req.ServerId)
 	if err != nil {
 		return nil, err
 	}
@@ -1693,7 +1936,7 @@ func (this *ServerService) FindAndInitServerReverseProxyConfig(ctx context.Conte
 		if err != nil {
 			return nil, err
 		}
-		err = models.SharedServerDAO.UpdateServerReverseProxy(tx, req.ServerId, refJSON)
+		err = models.SharedServerDAO.UpdateServerReverseProxyRef(tx, req.ServerId, refJSON)
 		if err != nil {
 			return nil, err
 		}
--- a/internal/setup/sql.json
+++ b/internal/setup/sql.json
--- a/internal/setup/sql_executor.go
+++ b/internal/setup/sql_executor.go
@@ -56,6 +56,12 @@ func (this *SQLExecutor) Run(showLog bool) error {
 		return err
 	}

+	// prevent default configure loading
+	var globalConfig = dbs.GlobalConfig()
+	if globalConfig != nil && len(globalConfig.DBs) == 0 {
+		globalConfig.DBs = map[string]*dbs.DBConfig{"prod": this.dbConfig}
+	}
+
 	defer func() {
 		_ = db.Close()
 	}()
@@ -91,56 +97,56 @@ func (this *SQLExecutor) checkData(db *dbs.DB) error {
 	// 检查管理员平台节点
 	err := this.checkAdminNode(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check admin node failed: %w", err)
 	}

 	// 检查用户平台节点
 	err = this.checkUserNode(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check user node failed: %w", err)
 	}

 	// 检查集群配置
 	err = this.checkCluster(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check cluster failed: %w", err)
 	}

 	// 检查初始化用户
 	// 需要放在检查集群后面
 	err = this.checkUser(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check user failed: %w", err)
 	}

 	// 检查IP名单
 	err = this.checkIPList(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check ip list failed: %w", err)
 	}

 	// 检查指标设置
 	err = this.checkMetricItems(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check metric items failed: %w", err)
 	}

 	// 检查自建DNS全局设置
 	err = this.checkNS(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check ns failed: %w", err)
 	}

 	// 更新Agents
 	err = this.checkClientAgents(db)
 	if err != nil {
-		return err
+		return fmt.Errorf("check client agents failed: %w", err)
 	}

 	// 更新版本号
 	err = this.updateVersion(db, ComposeSQLVersion())
 	if err != nil {
-		return err
+		return fmt.Errorf("update version failed: %w", err)
 	}

 	return nil
@@ -180,13 +186,13 @@ func (this *SQLExecutor) checkAdminNode(db *dbs.DB) error {
 	if err != nil {
 		return err
 	}
-	count := types.Int(col)
+	var count = types.Int(col)
 	if count > 0 {
 		return nil
 	}

-	nodeId := rands.HexString(32)
-	secret := rands.String(32)
+	var nodeId = rands.HexString(32)
+	var secret = rands.String(32)
 	_, err = db.Exec("INSERT INTO edgeAPITokens (nodeId, secret, role) VALUES (?, ?, ?)", nodeId, secret, "admin")
 	if err != nil {
 		return err
@@ -208,13 +214,13 @@ func (this *SQLExecutor) checkUserNode(db *dbs.DB) error {
 	if err != nil {
 		return err
 	}
-	count := types.Int(col)
+	var count = types.Int(col)
 	if count > 0 {
 		return nil
 	}

-	nodeId := rands.HexString(32)
-	secret := rands.String(32)
+	var nodeId = rands.HexString(32)
+	var secret = rands.String(32)
 	_, err = db.Exec("INSERT INTO edgeAPITokens (nodeId, secret, role) VALUES (?, ?, ?)", nodeId, secret, "user")
 	if err != nil {
 		return err
@@ -225,7 +231,7 @@ func (this *SQLExecutor) checkUserNode(db *dbs.DB) error {

 // 检查集群配置
 func (this *SQLExecutor) checkCluster(db *dbs.DB) error {
-	/// 检查是否有集群数字
+	/// 检查是否有集群数据
 	stmt, err := db.Prepare("SELECT COUNT(*) FROM edgeNodeClusters")
 	if err != nil {
 		return fmt.Errorf("query clusters failed: %w", err)
@@ -238,7 +244,7 @@ func (this *SQLExecutor) checkCluster(db *dbs.DB) error {
 	if err != nil {
 		return fmt.Errorf("query clusters failed: %w", err)
 	}
-	count := types.Int(col)
+	var count = types.Int(col)
 	if count > 0 {
 		return nil
 	}
@@ -281,6 +287,7 @@ func (this *SQLExecutor) checkCluster(db *dbs.DB) error {
 	}

 	// 默认缓存策略
+
 	models.SharedHTTPCachePolicyDAO = models.NewHTTPCachePolicyDAO()
 	models.SharedHTTPCachePolicyDAO.Instance = db
 	policyId, err := models.SharedHTTPCachePolicyDAO.CreateDefaultCachePolicy(nil, "默认集群")
@@ -305,6 +312,15 @@ func (this *SQLExecutor) checkCluster(db *dbs.DB) error {
 	models.SharedHTTPFirewallRuleDAO = models.NewHTTPFirewallRuleDAO()
 	models.SharedHTTPFirewallRuleDAO.Instance = db

+	models.SharedHTTPWebDAO = models.NewHTTPWebDAO()
+	models.SharedHTTPWebDAO.Instance = db
+
+	models.SharedServerDAO = models.NewServerDAO()
+	models.SharedServerDAO.Instance = db
+
+	models.SharedNodeClusterDAO = models.NewNodeClusterDAO()
+	models.SharedNodeClusterDAO.Instance = db
+
 	policyId, err = models.SharedHTTPFirewallPolicyDAO.CreateDefaultFirewallPolicy(nil, "默认集群")
 	if err != nil {
 		return err
@@ -331,7 +347,7 @@ func (this *SQLExecutor) checkIPList(db *dbs.DB) error {
 	if err != nil {
 		return fmt.Errorf("query ip lists failed: %w", err)
 	}
-	count := types.Int(col)
+	var count = types.Int(col)
 	if count > 0 {
 		return nil
 	}
@@ -388,7 +404,7 @@ func (this *SQLExecutor) checkMetricItems(db *dbs.DB) error {

 		// chart
 		for _, chartMap := range chartMaps {
-			chartCode := chartMap.GetString("code")
+			var chartCode = chartMap.GetString("code")
 			one, err := db.FindOne("SELECT id FROM edgeMetricCharts WHERE itemId=? AND code=? LIMIT 1", itemId, chartCode)
 			if err != nil {
 				return err
@@ -528,7 +544,7 @@ func (this *SQLExecutor) updateVersion(db *dbs.DB, version string) error {
 	if err != nil {
 		return fmt.Errorf("query version failed: %w", err)
 	}
-	count := types.Int(col)
+	var count = types.Int(col)
 	if count > 0 {
 		_, err = db.Exec("UPDATE edgeVersions SET version=?", version)
 		if err != nil {
--- a/internal/setup/sql_upgrade.go
+++ b/internal/setup/sql_upgrade.go
@@ -106,6 +106,9 @@ var upgradeFuncs = []*upgradeVersion{
 	{
 		"1.3.2", upgradeV1_3_2,
 	},
+	{
+		"1.3.4", upgradeV1_3_4,
+	},
 }

 // UpgradeSQLData 升级SQL数据
@@ -1230,3 +1233,13 @@ func upgradeV1_3_2(db *dbs.DB) error {

 	return nil
 }
+
+// 1.3.4
+func upgradeV1_3_4(db *dbs.DB) error {
+	_, err := db.Exec("DELETE FROM edgeLoginSessions WHERE adminId>0")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/internal/setup/sql_upgrade_ext_test.go
+++ b/internal/setup/sql_upgrade_ext_test.go
@@ -27,3 +27,26 @@ func TestUpgradeSQLData_v0_5_6(t *testing.T) {
 	}
 	t.Log("ok")
 }
+
+
+func TestUpgradeSQLData_v1_3_4(t *testing.T) {
+	db, err := dbs.NewInstanceFromConfig(&dbs.DBConfig{
+		Driver: "mysql",
+		Dsn:    "root:123456@tcp(127.0.0.1:3306)/db_edge?charset=utf8mb4&timeout=30s",
+		Prefix: "edge",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		_ = db.Close()
+	}()
+
+	err = upgradeV1_3_4(db)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log("ok")
+}
+
+
--- a/internal/utils/service_linux.go
+++ b/internal/utils/service_linux.go
@@ -113,6 +113,12 @@ func (this *ServiceManager) installSystemdService(systemd, exePath string, args
 	shortName := teaconst.SystemdServiceName
 	longName := "GoEdge API" // TODO 将来可以修改

+	var startCmd = exePath + " daemon"
+	bashPath, _ := executils.LookPath("bash")
+	if len(bashPath) > 0 {
+		startCmd = bashPath + " -c \"" + startCmd + "\""
+	}
+
 	desc := `### BEGIN INIT INFO
 # Provides:          ` + shortName + `
 # Required-Start:    $all
@@ -131,7 +137,7 @@ After=network-online.target
 Type=simple
 Restart=always
 RestartSec=1s
-ExecStart=` + exePath + ` daemon
+ExecStart=` + startCmd + `
 ExecStop=` + exePath + ` stop
 ExecReload=` + exePath + ` reload
Author	SHA1	Message	Date
刘祥超	d03455e3b0	将版本号修改为1.3.4	2024-03-24 20:08:27 +08:00
刘祥超	af1cb14110	提升登录SESSION安全性	2024-03-18 12:43:13 +08:00
刘祥超	0feffa755e	节点SSH密码和私钥均以掩码方式显示	2024-03-18 10:51:47 +08:00
刘祥超	7cfbe2e473	DNS服务商中的密钥数据以掩码方式显示	2024-03-18 10:20:22 +08:00
刘祥超	7f63dc4565	查找省份对应ID时，自动尝试省略省、区之类的后缀	2024-03-15 15:08:05 +08:00
刘祥超	e90424f80a	翻译部分英文地名	2024-03-15 15:07:07 +08:00
刘祥超	6271125296	省份表增加线路字段	2024-03-14 20:42:13 +08:00
刘祥超	44ac4b83c5	智能DNS中国家/地区线路下支持省/州的细分	2024-03-14 20:12:04 +08:00
刘祥超	c75e2c55c6	优化代码	2024-03-10 16:26:03 +08:00
刘祥超	51a3029c09	在缓存任务键值中增加集群信息，以便于调试问题	2024-03-10 11:26:28 +08:00
刘祥超	580341d397	优化systemd服务配置	2024-03-08 19:00:27 +08:00
刘祥超	fb4bad0731	单例应用设置数据库自动清理	2024-03-04 11:32:47 +08:00
刘祥超	70efff2e6b	优化实例安装脚本	2024-03-03 17:14:29 +08:00
刘祥超	97c76ef22f	优化单例应用安装程序	2024-03-02 20:51:13 +08:00
刘祥超	e763095756	修复部分API返回格式错误	2024-02-24 09:52:47 +08:00
刘祥超	b7dc2738e2	增加单体应用初始化标识	2024-01-29 18:56:37 +08:00
刘祥超	3db826b578	增加通过管理员用户名查找管理员信息的API	2024-01-29 18:55:04 +08:00
刘祥超	dc8975e374	版本号修改为1.3.3.1	2024-01-29 17:58:36 +08:00
刘祥超	c0cbd7c607	实现单体实例安装工具	2024-01-29 17:57:01 +08:00
刘祥超	4d9f404bb0	优化SQL升级代码	2024-01-29 10:22:27 +08:00
刘祥超	06bb61804b	优化编译脚本	2024-01-22 18:51:22 +08:00
刘祥超	32c1442878	增加修改节点停用/启用状态API	2024-01-21 17:43:20 +08:00
刘祥超	b99652801d	版本号修改为1.3.3	2024-01-21 16:57:37 +08:00
刘祥超	be565a98b9	查询集群列表API增加ID排序	2024-01-21 16:57:17 +08:00
刘祥超	5195a380db	WAF策略增加显示页面动作默认设置	2024-01-20 16:19:11 +08:00
刘祥超	8dbbabb0e8	修改版本号为1.3.2.2	2024-01-16 20:59:18 +08:00
刘祥超	bec4500746	版本号修改为1.3.2.1	2024-01-15 08:40:23 +08:00
刘祥超	66a31f599d	网站设置增加HLS加密功能（商业版本	2024-01-14 20:36:47 +08:00
刘祥超	534cfb2180	套餐增加文件最大上传尺寸设置	2024-01-13 19:32:48 +08:00
刘祥超	a9dc20ffbd	优化API错误提示	2024-01-12 12:11:13 +08:00
刘祥超	7f20ad32b6	调用API时找不到服务或方法时也提示JSON，防止小白开发者不知道如何获取响应状态	2024-01-12 11:51:06 +08:00
刘祥超	a3c0b43bc4	添加快捷添加和删除网站源站API	2024-01-12 11:50:10 +08:00
刘祥超	1f2c9a6b3a	增加删除一组网站API	2024-01-11 19:06:25 +08:00
刘祥超	194b0ec184	套餐可以设置带宽限制	2024-01-11 15:21:00 +08:00
刘祥超	c94895a7c4	增加用户系统文章相关管理	2024-01-09 10:20:52 +08:00