修复glibc版本过低无法启动的问题

修复手机下菜单太宽的问题
更新docker版本
2024-03-25 16:50:19 +08:00 · 2024-03-25 11:47:21 +08:00 · 2024-03-24 20:43:02 +08:00 · 2024-03-24 20:08:01 +08:00 · 2024-03-21 17:38:24 +08:00 · 2024-03-18 15:59:46 +08:00
1104 changed files with 66184 additions and 11005 deletions
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,74 @@
+# https://golangci-lint.run/usage/configuration/
+
+linters:
+  enable-all: true
+  disable:
+    - ifshort
+    - exhaustivestruct
+    - golint
+    - nosnakecase
+    - scopelint
+    - varcheck
+    - structcheck
+    - interfacer
+    - maligned
+    - deadcode
+    - dogsled
+    - wrapcheck
+    - wastedassign
+    - varnamelen
+    - testpackage
+    - thelper
+    - nilerr
+    - sqlclosecheck
+    - paralleltest
+    - nonamedreturns
+    - nlreturn
+    - nakedret
+    - ireturn
+    - interfacebloat
+    - gosmopolitan
+    - gomnd
+    - goerr113
+    - gochecknoglobals
+    - exhaustruct
+    - errorlint
+    - depguard
+    - exhaustive
+    - containedctx
+    - wsl
+    - cyclop
+    - dupword
+    - errchkjson
+    - contextcheck
+    - tagalign
+    - dupl
+    - forbidigo
+    - funlen
+    - goconst
+    - godox
+    - gosec
+    - lll
+    - nestif
+    - revive
+    - unparam
+    - stylecheck
+    - gocritic
+    - gofumpt
+    - gomoddirectives
+    - godot
+    - gofmt
+    - gocognit
+    - mirror
+    - gocyclo
+    - gochecknoinits
+    - gci
+    - maintidx
+    - prealloc
+    - goimports
+    - errname
+    - musttag
+    - forcetypeassert
+    - whitespace
+    - noctx
+    - reassign
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@
 * [开发者指南](https://goedge.cn/docs/Developer/Build.md)

 ## 架构
-![架构](doc/architect-zh.jpg)
+![架构图](doc/architect-zh.png)

 其中的组件源码地址如下：
 * [边缘节点](https://github.com/TeaOSLab/EdgeNode)
@@ -54,7 +54,10 @@
 * [管理平台](https://github.com/TeaOSLab/EdgeAdmin)

 ## 联系我们
-有什么问题和建议都可以加入QQ群 `659832182` 或者 [Telegram群](https://t.me/+5kVCMGxQhZxiODY9) 。
+有什么问题和建议都可以加入 [Telegram群](https://t.me/+5kVCMGxQhZxiODY9) 
+
+## 企业版
+* [GoEdge企业版](https://goedge.cn/commercial) - 功能更强大的CDN系统

 ## 感谢
 * 感谢 [Gitee](https://gitee.com/) 提供国内源代码托管平台
--- a/build/build.sh
+++ b/build/build.sh
@@ -53,13 +53,15 @@ function build() {

    # generate files
    echo "generating files ..."
-	go run -tags $TAG "$ROOT"/../cmd/edge-admin/main.go generate
+	env CGO_ENABLED=0 go run -tags $TAG "$ROOT"/../cmd/edge-admin/main.go generate
 	if [ "$(which uglifyjs)" ]; then
    	echo "compress to component.js ..."
    	uglifyjs --compress --mangle -- "${JS_ROOT}"/components.src.js > "${JS_ROOT}"/components.js
+    	uglifyjs --compress --mangle -- "${JS_ROOT}"/utils.js > "${JS_ROOT}"/utils.min.js
    else
    	echo "copy to component.js ..."
    	cp "${JS_ROOT}"/components.src.js "${JS_ROOT}"/components.js
+    	cp "${JS_ROOT}"/utils.js "${JS_ROOT}"/utils.min.js
    fi

 	# create dir & copy files
@@ -97,16 +99,43 @@ function build() {
 	rm -f "$(basename "$EDGE_API_ZIP_FILE")"
 	cd - || exit

+	# find gcc
+	GCC_DIR=""
+	CC_PATH=""
+	CXX_PATH=""
+	if [ "${ARCH}" == "amd64" ]; then
+		GCC_DIR="/usr/local/gcc/x86_64-unknown-linux-gnu/bin"
+		CC_PATH="x86_64-unknown-linux-gnu-gcc"
+		CXX_PATH="x86_64-unknown-linux-gnu-g++"
+	fi
+	if [ "${ARCH}" == "arm64" ]; then
+		GCC_DIR="/usr/local/gcc/aarch64-unknown-linux-gnu/bin"
+		CC_PATH="aarch64-unknown-linux-gnu-gcc"
+		CXX_PATH="aarch64-unknown-linux-gnu-g++"
+	fi
+
 	# build
 	echo "building ${NAME} ..."
-	env GOOS="$OS" GOARCH="$ARCH" go build -trimpath -tags $TAG -ldflags="-s -w" -o "$DIST"/bin/${NAME} "$ROOT"/../cmd/edge-admin/main.go
+	if [ -f "${GCC_DIR}/${CC_PATH}" ]; then
+		echo "  building ${NAME} with gcc ..."
+		env CC="${GCC_DIR}/${CC_PATH}" \
+			CXX="${GCC_DIR}/${CXX_PATH}" \
+			CGO_ENABLED=1 \
+			GOOS="$OS" GOARCH="$ARCH" go build -trimpath -tags "${TAG} gcc" -ldflags="-linkmode external -extldflags -static -s -w" -o "$DIST"/bin/${NAME} "$ROOT"/../cmd/edge-admin/main.go
+	else
+		GOOS="$OS" GOARCH="$ARCH" go build -trimpath -tags $TAG -ldflags="-s -w" -o "$DIST"/bin/${NAME} "$ROOT"/../cmd/edge-admin/main.go
+	fi
+	if [ ! -f "${DIST}/bin/${NAME}" ]; then
+		echo "build '${NAME}' failed!"
+		exit
+	fi

 	# delete hidden files
 	find "$DIST" -name ".DS_Store" -delete
 	find "$DIST" -name ".gitignore" -delete
 	find "$DIST" -name "*.less" -delete
-	find "$DIST" -name "*.css.map" -delete
-	find "$DIST" -name "*.js.map" -delete
+	#find "$DIST" -name "*.css.map" -delete
+	#find "$DIST" -name "*.js.map" -delete

 	# zip
 	echo "zip files ..."
--- a/build/configs/.gitignore
+++ b/build/configs/.gitignore
@@ -1,4 +1,5 @@
 api.yaml
+api_admin.yaml
 server.yaml
 api_db.yaml
 *.pem
--- a/build/configs/api.template.yaml
+++ b/build/configs/api.template.yaml
@@ -1,4 +0,0 @@
-rpc:
-  endpoints: [ "http://127.0.0.1:8003" ]
-nodeId: ""
-secret: ""
--- a/build/configs/api_admin.template.yaml
+++ b/build/configs/api_admin.template.yaml
@@ -0,0 +1,3 @@
+rpc.endpoints: [ "http://127.0.0.1:8003" ]
+nodeId: ""
+secret: ""
--- a/build/generate.sh
+++ b/build/generate.sh
@@ -2,15 +2,21 @@

 JS_ROOT=../web/public/js

-echo "generate component.src.js ..."
-go run -tags=community ../cmd/edge-admin/main.go  generate
+echo "generating component.src.js ..."
+env CGO_ENABLED=0 go run -tags=community ../cmd/edge-admin/main.go generate

-if [ `which uglifyjs` ]; then
+if [ "$(which uglifyjs)" ]; then
 	echo "compress to component.js ..."
 	uglifyjs --compress --mangle -- ${JS_ROOT}/components.src.js > ${JS_ROOT}/components.js
+
+	echo "compress to utils.min.js ..."
+	uglifyjs --compress --mangle -- ${JS_ROOT}/utils.js > ${JS_ROOT}/utils.min.js
 else
 	echo "copy to component.js ..."
 	cp ${JS_ROOT}/components.src.js ${JS_ROOT}/components.js
+
+	echo "copy to utils.min.js ..."
+	cp ${JS_ROOT}/utils.js ${JS_ROOT}/utils.min.js
 fi

 echo "ok"
--- a/build/licenses/README.md
+++ b/build/licenses/README.md
@@ -1 +1 @@
-这个目录下我们列举了所有需要公开声明的第三方License，如果有遗漏，烦请告知 iwind.liu@gmail.com。再次感谢这些开源软件项目和贡献人员！ 
+这个目录下我们列举了所有需要公开声明的第三方License，如果有遗漏，烦请告知 goedge.cdn@gmail.com。再次感谢这些开源软件项目和贡献人员！ 
--- a/cmd/edge-admin/main.go
+++ b/cmd/edge-admin/main.go
@@ -2,6 +2,7 @@ package main

 import (
 	"bytes"
+	"flag"
 	"fmt"
 	"github.com/TeaOSLab/EdgeAdmin/internal/apps"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
@@ -10,6 +11,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/nodes"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
 	_ "github.com/TeaOSLab/EdgeAdmin/internal/web"
+	_ "github.com/TeaOSLab/EdgeCommon/pkg/langs/messages"
 	"github.com/iwind/TeaGo/Tea"
 	_ "github.com/iwind/TeaGo/bootstrap"
 	"github.com/iwind/TeaGo/maps"
@@ -24,7 +26,7 @@ func main() {
 	var app = apps.NewAppCmd().
 		Version(teaconst.Version).
 		Product(teaconst.ProductName).
-		Usage(teaconst.ProcessName+" [-v|start|stop|restart|service|daemon|reset|recover|demo|upgrade]").
+		Usage(teaconst.ProcessName+" [-h|-v|start|stop|restart|service|daemon|reset|recover|demo|upgrade]").
 		Usage(teaconst.ProcessName+" [dev|prod]").
 		Option("-h", "show this help").
 		Option("-v", "show version").
@@ -38,7 +40,8 @@ func main() {
 		Option("demo", "switch to demo mode").
 		Option("dev", "switch to 'dev' mode").
 		Option("prod", "switch to 'prod' mode").
-		Option("upgrade", "upgrade from official site")
+		Option("upgrade [--url=URL]", "upgrade from official site or an url").
+		Option("install-local-node", "install a local node")

 	app.On("daemon", func() {
 		nodes.NewAdminNode().Daemon()
@@ -74,7 +77,7 @@ func main() {
 		fmt.Println("done")
 	})
 	app.On("recover", func() {
-		sock := gosock.NewTmpSock(teaconst.ProcessName)
+		var sock = gosock.NewTmpSock(teaconst.ProcessName)
 		if !sock.IsListening() {
 			fmt.Println("[ERROR]the service not started yet, you should start the service first")
 			return
@@ -87,7 +90,7 @@ func main() {
 		fmt.Println("enter recovery mode successfully")
 	})
 	app.On("demo", func() {
-		sock := gosock.NewTmpSock(teaconst.ProcessName)
+		var sock = gosock.NewTmpSock(teaconst.ProcessName)
 		if !sock.IsListening() {
 			fmt.Println("[ERROR]the service not started yet, you should start the service first")
 			return
@@ -138,7 +141,12 @@ func main() {
 		}
 	})
 	app.On("upgrade", func() {
-		var manager = utils.NewUpgradeManager("admin")
+		var downloadURL = ""
+		var flagSet = flag.NewFlagSet("", flag.ContinueOnError)
+		flagSet.StringVar(&downloadURL, "url", "", "new version download url")
+		_ = flagSet.Parse(os.Args[2:])
+
+		var manager = utils.NewUpgradeManager("admin", downloadURL)
 		log.Println("checking latest version ...")
 		var ticker = time.NewTicker(1 * time.Second)
 		go func() {
@@ -154,7 +162,7 @@ func main() {
 					if progress >= 0 {
 						if progress == 0 || progress == 1 || progress-lastProgress >= 0.1 {
 							lastProgress = progress
-							log.Println(fmt.Sprintf("%.2f%%", manager.Progress()*100))
+							log.Printf("%.2f%%", manager.Progress()*100)
 						}
 					}
 				} else {
--- a/doc/architect-zh.jpg
+++ b/doc/architect-zh.jpg
--- a/doc/architect-zh.png
+++ b/doc/architect-zh.png
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,11 +1,16 @@
-FROM alpine:latest
-LABEL maintainer="iwind.liu@gmail.com"
+FROM --platform=linux/amd64 alpine:latest
+LABEL maintainer="goedge.cdn@gmail.com"
 ENV TZ "Asia/Shanghai"
-ENV VERSION 0.5.7
+ENV VERSION 1.3.4
 ENV ROOT_DIR /usr/local/goedge
 ENV TAR_FILE edge-admin-linux-amd64-plus-v${VERSION}.zip
+
+# remote official repository
 ENV TAR_URL "https://dl.goedge.cn/edge/v${VERSION}/edge-admin-linux-amd64-plus-v${VERSION}.zip"

+# your local repository
+#ENV TAR_URL "http://192.168.2.61:8080/edge-admin-linux-amd64-plus-v${VERSION}.zip"
+
 RUN apk add --no-cache tzdata

 RUN apk add wget
--- a/go.mod
+++ b/go.mod
@@ -8,37 +8,47 @@ require (
 	github.com/TeaOSLab/EdgeCommon v0.0.0-00010101000000-000000000000
 	github.com/cespare/xxhash v1.1.0
 	github.com/go-sql-driver/mysql v1.5.0
-	github.com/iwind/TeaGo v0.0.0-20220304043459-0dd944a5b475
+	github.com/iwind/TeaGo v0.0.0-20231214114820-1bfb0013bcf6
 	github.com/iwind/gosock v0.0.0-20211103081026-ee4652210ca4
 	github.com/miekg/dns v1.1.43
+	github.com/quic-go/quic-go v0.40.0
 	github.com/shirou/gopsutil/v3 v3.22.5
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tealeg/xlsx/v3 v3.2.3
 	github.com/xlzd/gotp v0.0.0-20181030022105-c8557ba2c119
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
+	golang.org/x/crypto v0.16.0
+	golang.org/x/sys v0.15.0
 	google.golang.org/grpc v1.45.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+	gopkg.in/yaml.v3 v3.0.1
 )

 require (
 	github.com/frankban/quicktest v1.11.3 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.0.0 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/pprof v0.0.0-20231203200248-ad67f76aa53d // indirect
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
 	github.com/rogpeppe/fastuuid v1.2.0 // indirect
 	github.com/shabbyrobe/xmlwriter v0.0.0-20200208144257-9fca06d00ffa // indirect
+	github.com/tdewolff/minify/v2 v2.12.7 // indirect
+	github.com/tdewolff/parse/v2 v2.6.6 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
-	golang.org/x/text v0.3.7 // indirect
+	go.uber.org/mock v0.3.0 // indirect
+	golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 	google.golang.org/genproto v0.0.0-20220317150908-0efb43f6373e // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -12,6 +12,7 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cheekybits/is v0.0.0-20150225183255-68e9c0620927/go.mod h1:h/aW8ynjgkuj+NQRlZcDbAbM1ORAbXjXX77sX7T289U=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -24,6 +25,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200624174652-8d2f3be8b2d9/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/djherbis/atime v1.1.0/go.mod h1:28OF6Y8s3NQWwacXc5eZTsEsiMzp7LF8MbXE+XJPdBE=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -35,13 +38,17 @@ github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebP
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-redis/redis/v8 v8.0.0-beta.7/go.mod h1:FGJAWDWFht1sQ4qxyJHZZbVyvnVcKQN0E3u5/5lRz+g=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -56,8 +63,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -68,19 +76,23 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20231203200248-ad67f76aa53d h1:bM3Cipp7U7Sdn0DpYngVaLWFV9yonxQ1IB7ZPQ41OLw=
+github.com/google/pprof v0.0.0-20231203200248-ad67f76aa53d/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/iwind/TeaGo v0.0.0-20220304043459-0dd944a5b475 h1:EseyfFaQOjWanGiby9KMw7PjDBMg/95tLDgIw/ns0Cw=
-github.com/iwind/TeaGo v0.0.0-20220304043459-0dd944a5b475/go.mod h1:HRHK0zoC/og3c9/hKosD9yYVMTnnzm3PgXUdhRYHaLc=
+github.com/iwind/TeaGo v0.0.0-20210411134150-ddf57e240c2f/go.mod h1:KU4mS7QNiZ7QWEuDBk1zw0/Q2LrAPZv3tycEFBsuUwc=
+github.com/iwind/TeaGo v0.0.0-20230623080147-cd1e53b4915f h1:xo6XmXLtveKcwcZAXV6VMxkWNzy/2dStfHEnyowsGAE=
+github.com/iwind/TeaGo v0.0.0-20230623080147-cd1e53b4915f/go.mod h1:fi/Pq+/5m2HZoseM+39dMF57ANXRt6w4PkGu3NXPc5s=
+github.com/iwind/TeaGo v0.0.0-20231214114820-1bfb0013bcf6 h1:l8MW552d+gLzRd+MAtM/2X+80n/uS5nJAlBTYWHroRI=
+github.com/iwind/TeaGo v0.0.0-20231214114820-1bfb0013bcf6/go.mod h1:Ng3xWekHSVy0E/6/jYqJ7Htydm/H+mWIl0AS+Eg3H2M=
 github.com/iwind/gosock v0.0.0-20211103081026-ee4652210ca4 h1:VWGsCqTzObdlbf7UUE3oceIpcEKi4C/YBUszQXk118A=
 github.com/iwind/gosock v0.0.0-20211103081026-ee4652210ca4/go.mod h1:H5Q7SXwbx3a97ecJkaS2sD77gspzE7HFUafBO0peEyA=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -89,23 +101,23 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/matryer/try v0.0.0-20161228173917-9ac251b645a2/go.mod h1:0KeJpeMD6o+O4hW7qJOT7vyQPKrWmj26uf5wMc/IiIs=
 github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
+github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/opentracing/opentracing-go v1.1.1-0.20190913142402-a7454ce5950e/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -116,6 +128,12 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
+github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
+github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
+github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/quic-go v0.40.0 h1:GYd1iznlKm7dpHD7pOVpUvItgMPo/jrMgDWZhMCecqw=
+github.com/quic-go/quic-go v0.40.0/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c=
 github.com/rogpeppe/fastuuid v1.2.0 h1:Ppwyp6VYCF1nvBTXL3trRso7mXMlRrw9ooo375wvi2s=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/shabbyrobe/xmlwriter v0.0.0-20200208144257-9fca06d00ffa h1:2cO3RojjYl3hVTbEvJVqrMaFmORhL6O06qdW42toftk=
@@ -126,6 +144,7 @@ github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -133,6 +152,13 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/tdewolff/minify/v2 v2.12.7 h1:pBzz2tAfz5VghOXiQIsSta6srhmTeinQPjRDHWoumCA=
+github.com/tdewolff/minify/v2 v2.12.7/go.mod h1:ZRKTheiOGyLSK8hOZWWv+YoJAECzDivNgAlVYDHp/Ws=
+github.com/tdewolff/parse/v2 v2.6.6 h1:Yld+0CrKUJaCV78DL1G2nk3C9lKrxyRTux5aaK/AkDo=
+github.com/tdewolff/parse/v2 v2.6.6/go.mod h1:woz0cgbLwFdtbjJu8PIKxhW05KplTFQkOdX78o+Jgrs=
+github.com/tdewolff/test v1.0.7/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
+github.com/tdewolff/test v1.0.9 h1:SswqJCmeN4B+9gEAi/5uqT0qpi1y2/2O47V/1hhGZT0=
+github.com/tdewolff/test v1.0.9/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
 github.com/tealeg/xlsx/v3 v3.2.3 h1:MXnVh+9Y8cUglowItTy2HL3Kv6z+q/0aNjeKuTsVqZQ=
 github.com/tealeg/xlsx/v3 v3.2.3/go.mod h1:0hGmAEoZ48SS1ZAE6eqZJkJVXgOMY+8a33vjXa8S8HA=
 github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
@@ -143,12 +169,18 @@ github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPR
 github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opentelemetry.io/otel v0.7.0/go.mod h1:aZMyHG5TqDOXEgH2tyLiXSUKly1jT3yqE9PmrzIeCdo=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
+go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20200513190911-00229845015e/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
+golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
+golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -157,6 +189,8 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -170,16 +204,16 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -198,26 +232,27 @@ golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -250,8 +285,9 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -266,7 +302,7 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/internal/apps/app_cmd.go
+++ b/internal/apps/app_cmd.go
@@ -1,6 +1,7 @@
 package apps

 import (
+	"errors"
 	"fmt"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/iwind/TeaGo/logs"
@@ -9,8 +10,10 @@ import (
 	"github.com/iwind/gosock/pkg/gosock"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"runtime"
 	"strconv"
+	"strings"
 	"time"
 )

@@ -186,13 +189,16 @@ func (this *AppCmd) runStart() {
 		return
 	}

-	cmd := exec.Command(os.Args[0])
+	var cmd = exec.Command(this.exe())
 	err := cmd.Start()
 	if err != nil {
 		fmt.Println(this.product+"  start failed:", err.Error())
 		return
 	}

+	// create symbolic links
+	_ = this.createSymLinks()
+
 	fmt.Println(this.product+" started ok, pid:", cmd.Process.Pid)
 }

@@ -209,7 +215,7 @@ func (this *AppCmd) runStop() {
 	fmt.Println(this.product+" stopped ok, pid:", types.String(pid))
 }

-// 重启
+// RunRestart 重启
 func (this *AppCmd) RunRestart() {
 	this.runStop()
 	time.Sleep(1 * time.Second)
@@ -239,3 +245,58 @@ func (this *AppCmd) getPID() int {
 	}
 	return maps.NewMap(reply.Params).GetInt("pid")
 }
+
+func (this *AppCmd) exe() string {
+	var exe, _ = os.Executable()
+	if len(exe) == 0 {
+		exe = os.Args[0]
+	}
+	return exe
+}
+
+// 创建软链接
+func (this *AppCmd) createSymLinks() error {
+	if runtime.GOOS != "linux" {
+		return nil
+	}
+
+	var exe, _ = os.Executable()
+	if len(exe) == 0 {
+		return nil
+	}
+
+	var errorList = []string{}
+
+	// bin
+	{
+		var target = "/usr/bin/" + teaconst.ProcessName
+		old, _ := filepath.EvalSymlinks(target)
+		if old != exe {
+			_ = os.Remove(target)
+			err := os.Symlink(exe, target)
+			if err != nil {
+				errorList = append(errorList, err.Error())
+			}
+		}
+	}
+
+	// log
+	{
+		var realPath = filepath.Dir(filepath.Dir(exe)) + "/logs/run.log"
+		var target = "/var/log/" + teaconst.ProcessName + ".log"
+		old, _ := filepath.EvalSymlinks(target)
+		if old != realPath {
+			_ = os.Remove(target)
+			err := os.Symlink(realPath, target)
+			if err != nil {
+				errorList = append(errorList, err.Error())
+			}
+		}
+	}
+
+	if len(errorList) > 0 {
+		return errors.New(strings.Join(errorList, "\n"))
+	}
+
+	return nil
+}
--- a/internal/configloaders/admin_module.go
+++ b/internal/configloaders/admin_module.go
@@ -3,8 +3,11 @@ package configloaders
 import (
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
+	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/maps"
 )

@@ -47,6 +50,7 @@ func loadAdminModuleMapping() (map[int64]*AdminModuleList, error) {
 			IsSuper:  m.IsSuper,
 			Fullname: m.Fullname,
 			Theme:    m.Theme,
+			Lang:     m.Lang,
 		}

 		for _, pbModule := range m.Modules {
@@ -158,50 +162,91 @@ func UpdateAdminTheme(adminId int64, theme string) {
 	}
 }

+// FindAdminLang 查找某个管理员选择的语言
+func FindAdminLang(adminId int64) string {
+	locker.Lock()
+	defer locker.Unlock()
+
+	list, ok := sharedAdminModuleMapping[adminId]
+	if ok {
+		return list.Lang
+	}
+	return ""
+}
+
+// UpdateAdminLang 修改某个管理员选择的语言
+func UpdateAdminLang(adminId int64, langCode string) {
+	locker.Lock()
+	defer locker.Unlock()
+
+	list, ok := sharedAdminModuleMapping[adminId]
+	if ok {
+		list.Lang = langCode
+	}
+}
+
+func FindAdminLangForAction(actionPtr actions.ActionWrapper) (langCode langs.LangCode) {
+	locker.Lock()
+	defer locker.Unlock()
+
+	var adminId = actionPtr.Object().Session().GetInt64(teaconst.SessionAdminId)
+	list, ok := sharedAdminModuleMapping[adminId]
+	var result = ""
+	if ok {
+		result = list.Lang
+	}
+
+	if len(result) == 0 {
+		result = langs.ParseLangFromAction(actionPtr)
+	}
+
+	return result
+}
+
 // AllModuleMaps 所有权限列表
-func AllModuleMaps() []maps.Map {
+func AllModuleMaps(langCode string) []maps.Map {
 	var m = []maps.Map{
 		{
-			"name": "看板",
+			"name": langs.Message(langCode, codes.AdminMenu_Dashboard),
 			"code": AdminModuleCodeDashboard,
 			"url":  "/dashboard",
 		},
 		{
-			"name": "网站服务",
+			"name": langs.Message(langCode, codes.AdminMenu_Servers),
 			"code": AdminModuleCodeServer,
 			"url":  "/servers",
 		},
 		{
-			"name": "边缘节点",
+			"name": langs.Message(langCode, codes.AdminMenu_Nodes),
 			"code": AdminModuleCodeNode,
 			"url":  "/clusters",
 		},
 		{
-			"name": "域名解析",
+			"name": langs.Message(langCode, codes.AdminMenu_DNS),
 			"code": AdminModuleCodeDNS,
 			"url":  "/dns",
 		},
 	}
 	if teaconst.IsPlus {
 		m = append(m, maps.Map{
-			"name": "智能DNS",
+			"name": langs.Message(langCode, codes.AdminMenu_NS),
 			"code": AdminModuleCodeNS,
 			"url":  "/ns",
 		})
 	}
 	m = append(m, []maps.Map{
 		{
-			"name": "平台用户",
+			"name": langs.Message(langCode, codes.AdminMenu_Users),
 			"code": AdminModuleCodeUser,
 			"url":  "/users",
 		},
 		{
-			"name": "系统用户",
+			"name": langs.Message(langCode, codes.AdminMenu_Admins),
 			"code": AdminModuleCodeAdmin,
 			"url":  "/admins",
 		},
 		{
-			"name": "财务管理",
+			"name": langs.Message(langCode, codes.AdminMenu_Finance),
 			"code": AdminModuleCodeFinance,
 			"url":  "/finance",
 		},
@@ -210,12 +255,12 @@ func AllModuleMaps() []maps.Map {
 	if teaconst.IsPlus {
 		m = append(m, []maps.Map{
 			{
-				"name": "套餐管理",
+				"name": langs.Message(langCode, codes.AdminMenu_Plans),
 				"code": AdminModuleCodePlan,
 				"url":  "/plans",
 			},
 			{
-				"name": "工单系统",
+				"name": langs.Message(langCode, codes.AdminMenu_Tickets),
 				"code": AdminModuleCodeTicket,
 				"url":  "/tickets",
 			},
@@ -224,12 +269,12 @@ func AllModuleMaps() []maps.Map {

 	m = append(m, []maps.Map{
 		{
-			"name": "日志审计",
+			"name": langs.Message(langCode, codes.AdminMenu_Logs),
 			"code": AdminModuleCodeLog,
 			"url":  "/log",
 		},
 		{
-			"name": "系统设置",
+			"name": langs.Message(langCode, codes.AdminMenu_Settings),
 			"code": AdminModuleCodeSetting,
 			"url":  "/settings",
 		},
--- a/internal/configloaders/admin_module_list.go
+++ b/internal/configloaders/admin_module_list.go
@@ -7,6 +7,7 @@ type AdminModuleList struct {
 	Modules  []*systemconfigs.AdminModule
 	Fullname string
 	Theme    string
+	Lang     string
 }

 func (this *AdminModuleList) Allow(module string) bool {
--- a/internal/configloaders/admin_ui_config.go
+++ b/internal/configloaders/admin_ui_config.go
@@ -3,6 +3,8 @@ package configloaders
 import (
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
@@ -107,8 +109,8 @@ func loadAdminUIConfig() (*systemconfigs.AdminUIConfig, error) {

 func defaultAdminUIConfig() *systemconfigs.AdminUIConfig {
 	return &systemconfigs.AdminUIConfig{
-		ProductName:        "GoEdge",
-		AdminSystemName:    "GoEdge管理员系统",
+		ProductName:        langs.DefaultMessage(codes.AdminUI_DefaultProductName),
+		AdminSystemName:    langs.DefaultMessage(codes.AdminUI_DefaultSystemName),
 		ShowOpenSourceInfo: true,
 		ShowVersion:        true,
 		ShowFinance:        true,
--- a/internal/configloaders/security_config.go
+++ b/internal/configloaders/security_config.go
@@ -29,7 +29,7 @@ func LoadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 		return nil, err
 	}

-	v := reflect.Indirect(reflect.ValueOf(config)).Interface().(systemconfigs.SecurityConfig)
+	var v = reflect.Indirect(reflect.ValueOf(config)).Interface().(systemconfigs.SecurityConfig)
 	return &v, nil
 }

@@ -83,7 +83,14 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 		return sharedSecurityConfig, nil
 	}

-	config := &systemconfigs.SecurityConfig{}
+	var config = &systemconfigs.SecurityConfig{
+		Frame:                  FrameSameOrigin,
+		AllowLocal:             true,
+		CheckClientFingerprint: false,
+		CheckClientRegion:      true,
+		DenySearchEngines:      true,
+		DenySpiders:            true,
+	}
 	err = json.Unmarshal(resp.ValueJSON, config)
 	if err != nil {
 		logs.Println("[SECURITY_MANAGER]" + err.Error())
@@ -100,7 +107,11 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {

 func defaultSecurityConfig() *systemconfigs.SecurityConfig {
 	return &systemconfigs.SecurityConfig{
-		Frame:      FrameSameOrigin,
-		AllowLocal: true,
+		Frame:                  FrameSameOrigin,
+		AllowLocal:             true,
+		CheckClientFingerprint: false,
+		CheckClientRegion:      true,
+		DenySearchEngines:      true,
+		DenySpiders:            true,
 	}
 }
--- a/internal/configs/api_config.go
+++ b/internal/configs/api_config.go
@@ -1,6 +1,7 @@
 package configs

 import (
+	"errors"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/iwind/TeaGo/Tea"
 	"gopkg.in/yaml.v3"
@@ -8,12 +9,19 @@ import (
 	"path/filepath"
 )

+const ConfigFileName = "api_admin.yaml"
+const oldConfigFileName = "api.yaml"
+
 // APIConfig API配置
 type APIConfig struct {
-	RPC struct {
+	OldRPC struct {
 		Endpoints     []string `yaml:"endpoints"`
 		DisableUpdate bool     `yaml:"disableUpdate"`
-	} `yaml:"rpc"`
+	} `yaml:"rpc,omitempty"`
+
+	RPCEndpoints     []string `yaml:"rpc.endpoints,flow" json:"rpc.endpoints"`
+	RPCDisableUpdate bool     `yaml:"rpc.disableUpdate" json:"rpc.disableUpdate"`
+
 	NodeId string `yaml:"nodeId"`
 	Secret string `yaml:"secret"`
 }
@@ -21,23 +29,29 @@ type APIConfig struct {
 // LoadAPIConfig 加载API配置
 func LoadAPIConfig() (*APIConfig, error) {
 	// 候选文件
-	localFile := Tea.ConfigFile("api.yaml")
-	isFromLocal := false
-	paths := []string{localFile}
+	var realFile = Tea.ConfigFile(ConfigFileName)
+	var oldRealFile = Tea.ConfigFile(oldConfigFileName)
+	var isFromLocal = false
+	var paths = []string{realFile, oldRealFile}
 	homeDir, homeErr := os.UserHomeDir()
 	if homeErr == nil {
-		paths = append(paths, homeDir+"/."+teaconst.ProcessName+"/api.yaml")
+		paths = append(paths, homeDir+"/."+teaconst.ProcessName+"/"+ConfigFileName)
 	}
-	paths = append(paths, "/etc/"+teaconst.ProcessName+"/api.yaml")
+	paths = append(paths, "/etc/"+teaconst.ProcessName+"/"+ConfigFileName)

 	var data []byte
 	var err error
+	var isFromOld = false
 	for _, path := range paths {
 		data, err = os.ReadFile(path)
 		if err == nil {
-			if path == localFile {
+			if path == realFile || path == oldRealFile {
 				isFromLocal = true
 			}
+
+			// 自动生成新的配置文件
+			isFromOld = path == oldRealFile
+
 			break
 		}
 	}
@@ -45,15 +59,26 @@ func LoadAPIConfig() (*APIConfig, error) {
 		return nil, err
 	}

-	config := &APIConfig{}
+	var config = &APIConfig{}
 	err = yaml.Unmarshal(data, config)
 	if err != nil {
 		return nil, err
 	}

+	err = config.Init()
+	if err != nil {
+		return nil, errors.New("init error: " + err.Error())
+	}
+
 	if !isFromLocal {
 		// 恢复文件
-		_ = os.WriteFile(localFile, data, 0666)
+		_ = os.WriteFile(realFile, data, 0666)
+	}
+
+	// 自动生成新配置文件
+	if isFromOld {
+		config.OldRPC.Endpoints = nil
+		_ = config.WriteFile(Tea.ConfigFile(ConfigFileName))
 	}

 	return config, nil
@@ -61,9 +86,9 @@ func LoadAPIConfig() (*APIConfig, error) {

 // ResetAPIConfig 重置配置
 func ResetAPIConfig() error {
-	var filename = "api.yaml"
+	var filename = ConfigFileName

-	// 重置 configs/api.yaml
+	// 重置 configs/api_admin.yaml
 	{
 		var configFile = Tea.ConfigFile(filename)
 		stat, err := os.Stat(configFile)
@@ -75,7 +100,7 @@ func ResetAPIConfig() error {
 		}
 	}

-	// 重置 ~/.edge-admin/api.yaml
+	// 重置 ~/.edge-admin/api_admin.yaml
 	homeDir, homeErr := os.UserHomeDir()
 	if homeErr == nil {
 		var configFile = homeDir + "/." + teaconst.ProcessName + "/" + filename
@@ -88,7 +113,7 @@ func ResetAPIConfig() error {
 		}
 	}

-	// 重置 /etc/edge-admin/api.yaml
+	// 重置 /etc/edge-admin/api_admin.yaml
 	{
 		var configFile = "/etc/" + teaconst.ProcessName + "/" + filename
 		stat, err := os.Stat(configFile)
@@ -103,6 +128,22 @@ func ResetAPIConfig() error {
 	return nil
 }

+func IsNewInstalled() bool {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return false
+	}
+
+	for _, filename := range []string{ConfigFileName, oldConfigFileName} {
+		_, err = os.Stat(homeDir + "/." + teaconst.ProcessName + "/" + filename)
+		if err == nil {
+			return false
+		}
+	}
+
+	return true
+}
+
 // WriteFile 写入API配置
 func (this *APIConfig) WriteFile(path string) error {
 	data, err := yaml.Marshal(this)
@@ -155,3 +196,31 @@ func (this *APIConfig) WriteFile(path string) error {

 	return nil
 }
+
+// Clone 克隆当前配置
+func (this *APIConfig) Clone() *APIConfig {
+	return &APIConfig{
+		NodeId: this.NodeId,
+		Secret: this.Secret,
+	}
+}
+
+func (this *APIConfig) Init() error {
+	// compatible with old
+	if len(this.RPCEndpoints) == 0 && len(this.OldRPC.Endpoints) > 0 {
+		this.RPCEndpoints = this.OldRPC.Endpoints
+		this.RPCDisableUpdate = this.OldRPC.DisableUpdate
+	}
+
+	if len(this.RPCEndpoints) == 0 {
+		return errors.New("no valid 'rpc.endpoints'")
+	}
+
+	if len(this.NodeId) == 0 {
+		return errors.New("'nodeId' required")
+	}
+	if len(this.Secret) == 0 {
+		return errors.New("'secret' required")
+	}
+	return nil
+}
--- a/internal/configs/api_config_test.go
+++ b/internal/configs/api_config_test.go
@@ -2,6 +2,7 @@ package configs

 import (
 	_ "github.com/iwind/TeaGo/bootstrap"
+	"gopkg.in/yaml.v3"
 	"testing"
 )

@@ -11,10 +12,16 @@ func TestLoadAPIConfig(t *testing.T) {
 		t.Fatal(err)
 	}
 	t.Log(config)
+
+	configData, err := yaml.Marshal(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(string(configData))
 }

 func TestAPIConfig_WriteFile(t *testing.T) {
-	config := &APIConfig{}
+	var config = &APIConfig{}
 	err := config.WriteFile("/tmp/api_config.yaml")
 	if err != nil {
 		t.Fatal(err)
--- a/internal/configs/plus_config.go
+++ b/internal/configs/plus_config.go
@@ -1,42 +0,0 @@
-// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
-
-package configs
-
-import (
-	"encoding/json"
-	"github.com/iwind/TeaGo/Tea"
-	"os"
-)
-
-var plusConfigFile = "plus.cache.json"
-
-type PlusConfig struct {
-	IsPlus     bool     `json:"isPlus"`
-	Components []string `json:"components"`
-	DayTo      string   `json:"dayTo"`
-}
-
-func ReadPlusConfig() *PlusConfig {
-	data, err := os.ReadFile(Tea.ConfigFile(plusConfigFile))
-	if err != nil {
-		return &PlusConfig{IsPlus: false}
-	}
-	var config = &PlusConfig{IsPlus: false}
-	err = json.Unmarshal(data, config)
-	if err != nil {
-		return config
-	}
-	return config
-}
-
-func WritePlusConfig(config *PlusConfig) error {
-	configJSON, err := json.Marshal(config)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(Tea.ConfigFile(plusConfigFile), configJSON, 0777)
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/internal/const/const.go
+++ b/internal/const/const.go
@@ -1,9 +1,9 @@
 package teaconst

 const (
-	Version = "0.5.8"
+	Version = "1.3.4"

-	APINodeVersion = "0.5.8"
+	APINodeVersion = "1.3.4"

 	ProductName   = "Edge Admin"
 	ProcessName   = "edge-admin"
@@ -14,9 +14,9 @@ const (
 	EncryptKey    = "8f983f4d69b83aaa0d74b21a212f6967"
 	EncryptMethod = "aes-256-cfb"

-	ErrServer = "服务器出了点小问题，请联系技术人员处理。"
-	CookieSID = "edgesid"
+	CookieSID      = "geadsid"
+	SessionAdminId = "adminId"

 	SystemdServiceName = "edge-admin"
-	UpdatesURL         = "https://goedge.cn/api/boot/versions?os=${os}&arch=${arch}"
+	UpdatesURL         = "https://goedge.cn/api/boot/versions?os=${os}&arch=${arch}&version=${version}"
 )
--- a/internal/const/vars.go
+++ b/internal/const/vars.go
@@ -2,6 +2,11 @@

 package teaconst

+import (
+	"os"
+	"strings"
+)
+
 var (
 	IsRecoverMode = false

@@ -10,4 +15,18 @@ var (

 	NewVersionCode        = "" // 有新的版本
 	NewVersionDownloadURL = "" // 新版本下载地址
+
+	IsMain = checkMain()
 )
+
+// 检查是否为主程序
+func checkMain() bool {
+	if len(os.Args) == 1 ||
+		(len(os.Args) >= 2 && os.Args[1] == "pprof") {
+		return true
+	}
+	exe, _ := os.Executable()
+	return strings.HasSuffix(exe, ".test") ||
+		strings.HasSuffix(exe, ".test.exe") ||
+		strings.Contains(exe, "___")
+}
--- a/internal/encrypt/method_aes_128_cfb_test.go
+++ b/internal/encrypt/method_aes_128_cfb_test.go
@@ -19,7 +19,6 @@ func TestAES128CFBMethod_Encrypt(t *testing.T) {
 	dst = dst[:len(src)]
 	t.Log("dst:", string(dst))

-	src = make([]byte, len(src))
 	src, err = method.Decrypt(dst)
 	if err != nil {
 		t.Fatal(err)
@@ -64,7 +63,6 @@ func TestAES128CFBMethod_Encrypt2(t *testing.T) {

 	for _, dst := range sources {
 		dst2 := append([]byte{}, dst...)
-		src2 := make([]byte, len(dst2))
 		src2, err := method.Decrypt(dst2)
 		if err != nil {
 			t.Fatal(err)
--- a/internal/events/utils.go
+++ b/internal/events/utils.go
@@ -5,22 +5,22 @@ import "sync"
 var eventsMap = map[string][]func(){} // event => []callbacks
 var locker = sync.Mutex{}

-// 增加事件回调
+// On 增加事件回调
 func On(event string, callback func()) {
 	locker.Lock()
 	defer locker.Unlock()

-	callbacks, _ := eventsMap[event]
+	var callbacks = eventsMap[event]
 	callbacks = append(callbacks, callback)
 	eventsMap[event] = callbacks
 }

-// 通知事件
+// Notify 通知事件
 func Notify(event string) {
 	locker.Lock()
-	callbacks, _ := eventsMap[event]
+	var callbacks = eventsMap[event]
 	locker.Unlock()
-	
+
 	for _, callback := range callbacks {
 		callback()
 	}
--- a/internal/gen/generate.go
+++ b/internal/gen/generate.go
@@ -5,14 +5,16 @@ package gen
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
+	"fmt"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/servers/server/settings/conds/condutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/files"
 	"github.com/iwind/TeaGo/logs"
+	"github.com/iwind/TeaGo/maps"
 	"io"
 	"os"
 	"path/filepath"
@@ -21,7 +23,7 @@ import (
 func Generate() error {
 	err := generateComponentsJSFile()
 	if err != nil {
-		return errors.New("generate 'components.src.js' failed: " + err.Error())
+		return fmt.Errorf("generate 'components.src.js' failed: %w", err)
 	}

 	return nil
@@ -62,7 +64,7 @@ func generateComponentsJSFile() error {
 	} else {
 		buffer.WriteString("window.REQUEST_COND_COMPONENTS = ")
 		buffer.Write(typesJSON)
-		buffer.Write([]byte{'\n', '\n'})
+		buffer.Write([]byte{';', '\n', '\n'})
 	}

 	// 条件操作符
@@ -72,7 +74,7 @@ func generateComponentsJSFile() error {
 	} else {
 		buffer.WriteString("window.REQUEST_COND_OPERATORS = ")
 		buffer.Write(requestOperatorsJSON)
-		buffer.Write([]byte{'\n', '\n'})
+		buffer.Write([]byte{';', '\n', '\n'})
 	}

 	// 请求变量
@@ -82,7 +84,7 @@ func generateComponentsJSFile() error {
 	} else {
 		buffer.WriteString("window.REQUEST_VARIABLES = ")
 		buffer.Write(requestVariablesJSON)
-		buffer.Write([]byte{'\n', '\n'})
+		buffer.Write([]byte{';', '\n', '\n'})
 	}

 	// 指标
@@ -92,7 +94,7 @@ func generateComponentsJSFile() error {
 	} else {
 		buffer.WriteString("window.METRIC_HTTP_KEYS = ")
 		buffer.Write(metricHTTPKeysJSON)
-		buffer.Write([]byte{'\n', '\n'})
+		buffer.Write([]byte{';', '\n', '\n'})
 	}

 	// IP地址阈值项目
@@ -102,7 +104,7 @@ func generateComponentsJSFile() error {
 	} else {
 		buffer.WriteString("window.IP_ADDR_THRESHOLD_ITEMS = ")
 		buffer.Write(ipAddrThresholdItemsJSON)
-		buffer.Write([]byte{'\n', '\n'})
+		buffer.Write([]byte{';', '\n', '\n'})
 	}

 	// IP地址阈值动作
@@ -112,7 +114,45 @@ func generateComponentsJSFile() error {
 	} else {
 		buffer.WriteString("window.IP_ADDR_THRESHOLD_ACTIONS = ")
 		buffer.Write(ipAddrThresholdActionsJSON)
-		buffer.Write([]byte{'\n', '\n'})
+		buffer.Write([]byte{';', '\n', '\n'})
+	}
+
+	// WAF checkpoints
+	var wafCheckpointsMaps = []maps.Map{}
+	for _, checkpoint := range firewallconfigs.AllCheckpoints {
+		wafCheckpointsMaps = append(wafCheckpointsMaps, maps.Map{
+			"name":        checkpoint.Name,
+			"prefix":      checkpoint.Prefix,
+			"description": checkpoint.Description,
+		})
+	}
+	wafCheckpointsJSON, err := json.Marshal(wafCheckpointsMaps)
+	if err != nil {
+		logs.Println("ComponentsAction marshal waf rule checkpoints failed: " + err.Error())
+	} else {
+		buffer.WriteString("window.WAF_RULE_CHECKPOINTS = ")
+		buffer.Write(wafCheckpointsJSON)
+		buffer.Write([]byte{';', '\n', '\n'})
+	}
+
+	// WAF操作符
+	wafOperatorsJSON, err := json.Marshal(firewallconfigs.AllRuleOperators)
+	if err != nil {
+		logs.Println("ComponentsAction marshal waf rule operators failed: " + err.Error())
+	} else {
+		buffer.WriteString("window.WAF_RULE_OPERATORS = ")
+		buffer.Write(wafOperatorsJSON)
+		buffer.Write([]byte{';', '\n', '\n'})
+	}
+
+	// WAF验证码类型
+	captchaTypesJSON, err := json.Marshal(firewallconfigs.FindAllCaptchaTypes())
+	if err != nil {
+		logs.Println("ComponentsAction marshal captcha types failed: " + err.Error())
+	} else {
+		buffer.WriteString("window.WAF_CAPTCHA_TYPES = ")
+		buffer.Write(captchaTypesJSON)
+		buffer.Write([]byte{';', '\n', '\n'})
 	}

 	fp, err := os.OpenFile(filepath.Clean(Tea.PublicFile("/js/components.src.js")), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0777)
--- a/internal/nodes/admin_node.go
+++ b/internal/nodes/admin_node.go
@@ -2,6 +2,7 @@ package nodes

 import (
 	"errors"
+	"fmt"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/events"
@@ -12,7 +13,6 @@ import (
 	"github.com/iwind/TeaGo/logs"
 	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/rands"
-	"github.com/iwind/TeaGo/sessions"
 	"github.com/iwind/TeaGo/types"
 	"github.com/iwind/gosock/pkg/gosock"
 	"gopkg.in/yaml.v3"
@@ -21,6 +21,8 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
+	"path/filepath"
+	"strings"
 	"syscall"
 	"time"
 )
@@ -64,7 +66,7 @@ func (this *AdminNode) Run() {
 	this.addPortsToFirewall()

 	// 监听信号
-	sigQueue := make(chan os.Signal)
+	var sigQueue = make(chan os.Signal, 8)
 	signal.Notify(sigQueue, syscall.SIGTERM, syscall.SIGINT, syscall.SIGKILL, syscall.SIGQUIT)
 	go func() {
 		for range sigQueue {
@@ -84,11 +86,19 @@ func (this *AdminNode) Run() {
 	// 启动API节点
 	this.startAPINode()

+	// 启动IP库
+	this.startIPLibrary()
+
 	// 启动Web服务
+	sessionManager, err := NewSessionManager()
+	if err != nil {
+		log.Fatal("start session failed: " + err.Error())
+		return
+	}
 	TeaGo.NewServer(false).
 		AccessLog(false).
 		EndAll().
-		Session(sessions.NewFileSessionManager(86400, secret), teaconst.CookieSID).
+		Session(sessionManager, teaconst.CookieSID).
 		ReadHeaderTimeout(3 * time.Second).
 		ReadTimeout(1200 * time.Second).
 		Start()
@@ -97,8 +107,7 @@ func (this *AdminNode) Run() {
 // Daemon 实现守护进程
 func (this *AdminNode) Daemon() {
 	var sock = gosock.NewTmpSock(teaconst.ProcessName)
-	isDebug := lists.ContainsString(os.Args, "debug")
-	isDebug = true
+	var isDebug = lists.ContainsString(os.Args, "debug")
 	for {
 		conn, err := sock.Dial()
 		if err != nil {
@@ -176,7 +185,7 @@ func (this *AdminNode) checkServer() error {
 		if err == nil {
 			err = os.WriteFile(configFile, data, 0666)
 			if err != nil {
-				return errors.New("create config file failed: " + err.Error())
+				return fmt.Errorf("create config file failed: %w", err)
 			}
 		} else {
 			templateYAML := `# environment code
@@ -196,11 +205,11 @@ https:
 `
 			err = os.WriteFile(configFile, []byte(templateYAML), 0666)
 			if err != nil {
-				return errors.New("create config file failed: " + err.Error())
+				return fmt.Errorf("create config file failed: %w", err)
 			}
 		}
 	} else {
-		return errors.New("can not read config from 'configs/server.yaml': " + err.Error())
+		return fmt.Errorf("can not read config from 'configs/server.yaml': %w", err)
 	}

 	return nil
@@ -246,7 +255,7 @@ func (this *AdminNode) addPortsToFirewall() {

 // 启动API节点
 func (this *AdminNode) startAPINode() {
-	configPath := Tea.Root + "/edge-api/configs/api.yaml"
+	var configPath = Tea.Root + "/edge-api/configs/api.yaml"
 	_, err := os.Stat(configPath)
 	canStart := false
 	if err == nil {
@@ -360,6 +369,16 @@ func (this *AdminNode) listenSock() error {
 					}
 				}

+				// 停止当前目录下的API节点
+				var apiSock = gosock.NewTmpSock("edge-api")
+				apiReply, err := apiSock.Send(&gosock.Command{Code: "info"})
+				if err == nil {
+					adminExe, _ := os.Executable()
+					if len(adminExe) > 0 && apiReply != nil && strings.HasPrefix(maps.NewMap(apiReply.Params).GetString("path"), filepath.Dir(filepath.Dir(adminExe))) {
+						_, _ = apiSock.Send(&gosock.Command{Code: "stop"})
+					}
+				}
+
 				// 退出主进程
 				events.Notify(events.EventQuit)
 				os.Exit(0)
--- a/internal/nodes/admin_node_ext.go
+++ b/internal/nodes/admin_node_ext.go
@@ -0,0 +1,18 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package nodes
+
+import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
+	"github.com/iwind/TeaGo/logs"
+)
+
+// 启动IP库
+func (this *AdminNode) startIPLibrary() {
+	logs.Println("[NODE]initializing ip library ...")
+	err := iplibrary.InitDefault()
+	if err != nil {
+		logs.Println("[NODE]initialize ip library failed: "+err.Error())
+	}
+}
--- a/internal/nodes/session_manager.go
+++ b/internal/nodes/session_manager.go
@@ -0,0 +1,112 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package nodes
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeAdmin/internal/ttlcache"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/logs"
+	"strings"
+	"time"
+)
+
+// SessionManager SESSION管理
+type SessionManager struct {
+	life uint
+}
+
+func NewSessionManager() (*SessionManager, error) {
+	return &SessionManager{}, nil
+}
+
+func (this *SessionManager) Init(config *actions.SessionConfig) {
+	this.life = config.Life
+}
+
+func (this *SessionManager) Read(sid string) map[string]string {
+	// 忽略OTP
+	if strings.HasSuffix(sid, "_otp") {
+		return map[string]string{}
+	}
+
+	var result = map[string]string{}
+
+	var cacheKey = "SESSION@" + sid
+	var item = ttlcache.DefaultCache.Read(cacheKey)
+	if item != nil && item.Value != nil {
+		itemMap, ok := item.Value.(map[string]string)
+		if ok {
+			return itemMap
+		}
+	}
+
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		return map[string]string{}
+	}
+
+	resp, err := rpcClient.LoginSessionRPC().FindLoginSession(rpcClient.Context(0), &pb.FindLoginSessionRequest{Sid: sid})
+	if err != nil {
+		logs.Println("SESSION", "read '"+sid+"' failed: "+err.Error())
+		result["@error"] = err.Error()
+		return result
+	}
+
+	var session = resp.LoginSession
+	if session == nil || len(session.ValuesJSON) == 0 {
+		return result
+	}
+
+	err = json.Unmarshal(session.ValuesJSON, &result)
+	if err != nil {
+		logs.Println("SESSION", "decode '"+sid+"' values failed: "+err.Error())
+	}
+
+	// Write to cache
+	ttlcache.DefaultCache.Write(cacheKey, result, time.Now().Unix()+300 /** must not be too long **/)
+
+	return result
+}
+
+func (this *SessionManager) WriteItem(sid string, key string, value string) bool {
+	// 忽略OTP
+	if strings.HasSuffix(sid, "_otp") {
+		return false
+	}
+
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		return false
+	}
+
+	_, err = rpcClient.LoginSessionRPC().WriteLoginSessionValue(rpcClient.Context(0), &pb.WriteLoginSessionValueRequest{
+		Sid:   sid,
+		Key:   key,
+		Value: value,
+	})
+	if err != nil {
+		logs.Println("SESSION", "write sid:'"+sid+"' key:'"+key+"' failed: "+err.Error())
+	}
+
+	return true
+}
+
+func (this *SessionManager) Delete(sid string) bool {
+	// 忽略OTP
+	if strings.HasSuffix(sid, "_otp") {
+		return false
+	}
+
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		return false
+	}
+	_, err = rpcClient.LoginSessionRPC().DeleteLoginSession(rpcClient.Context(0), &pb.DeleteLoginSessionRequest{Sid: sid})
+	if err != nil {
+		logs.Println("SESSION", "delete '"+sid+"' failed: "+err.Error())
+	}
+	return true
+}
--- a/internal/rpc/rpc_client.go
+++ b/internal/rpc/rpc_client.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/encrypt"
@@ -19,6 +20,7 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/encoding/gzip"
+	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/metadata"
 	"net"
 	"net/url"
@@ -279,34 +281,6 @@ func (this *RPCClient) MessageRPC() pb.MessageServiceClient {
 	return pb.NewMessageServiceClient(this.pickConn())
 }

-func (this *RPCClient) MessageRecipientGroupRPC() pb.MessageRecipientGroupServiceClient {
-	return pb.NewMessageRecipientGroupServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) MessageRecipientRPC() pb.MessageRecipientServiceClient {
-	return pb.NewMessageRecipientServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) MessageMediaRPC() pb.MessageMediaServiceClient {
-	return pb.NewMessageMediaServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) MessageMediaInstanceRPC() pb.MessageMediaInstanceServiceClient {
-	return pb.NewMessageMediaInstanceServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) MessageTaskRPC() pb.MessageTaskServiceClient {
-	return pb.NewMessageTaskServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) MessageTaskLogRPC() pb.MessageTaskLogServiceClient {
-	return pb.NewMessageTaskLogServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) MessageReceiverRPC() pb.MessageReceiverServiceClient {
-	return pb.NewMessageReceiverServiceClient(this.pickConn())
-}
-
 func (this *RPCClient) IPLibraryRPC() pb.IPLibraryServiceClient {
 	return pb.NewIPLibraryServiceClient(this.pickConn())
 }
@@ -407,18 +381,14 @@ func (this *RPCClient) LoginRPC() pb.LoginServiceClient {
 	return pb.NewLoginServiceClient(this.pickConn())
 }

+func (this *RPCClient) LoginSessionRPC() pb.LoginSessionServiceClient {
+	return pb.NewLoginSessionServiceClient(this.pickConn())
+}
+
 func (this *RPCClient) NodeTaskRPC() pb.NodeTaskServiceClient {
 	return pb.NewNodeTaskServiceClient(this.pickConn())
 }

-func (this *RPCClient) AuthorityKeyRPC() pb.AuthorityKeyServiceClient {
-	return pb.NewAuthorityKeyServiceClient(this.pickConn())
-}
-
-func (this *RPCClient) AuthorityNodeRPC() pb.AuthorityNodeServiceClient {
-	return pb.NewAuthorityNodeServiceClient(this.pickConn())
-}
-
 func (this *RPCClient) LatestItemRPC() pb.LatestItemServiceClient {
 	return pb.NewLatestItemServiceClient(this.pickConn())
 }
@@ -518,10 +488,10 @@ func (this *RPCClient) init() error {

 	// 重新连接
 	var conns = []*grpc.ClientConn{}
-	for _, endpoint := range this.apiConfig.RPC.Endpoints {
+	for _, endpoint := range this.apiConfig.RPCEndpoints {
 		u, err := url.Parse(endpoint)
 		if err != nil {
-			return errors.New("parse endpoint failed: " + err.Error())
+			return fmt.Errorf("parse endpoint failed: %w", err)
 		}

 		var apiHost = u.Host
@@ -540,14 +510,20 @@ func (this *RPCClient) init() error {
 		}

 		var conn *grpc.ClientConn
-		var callOptions = grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(128*1024*1024),
-			grpc.UseCompressor(gzip.Name))
+		var callOptions = grpc.WithDefaultCallOptions(
+			grpc.MaxCallRecvMsgSize(128<<20),
+			grpc.MaxCallSendMsgSize(128<<20),
+			grpc.UseCompressor(gzip.Name),
+		)
+		var keepaliveParams = grpc.WithKeepaliveParams(keepalive.ClientParameters{
+			Time: 30 * time.Second,
+		})
 		if u.Scheme == "http" {
-			conn, err = grpc.Dial(apiHost, grpc.WithTransportCredentials(insecure.NewCredentials()), callOptions)
+			conn, err = grpc.Dial(apiHost, grpc.WithTransportCredentials(insecure.NewCredentials()), callOptions, keepaliveParams)
 		} else if u.Scheme == "https" {
 			conn, err = grpc.Dial(apiHost, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 				InsecureSkipVerify: true,
-			})), callOptions)
+			})), callOptions, keepaliveParams)
 		} else {
 			return errors.New("parse endpoint failed: invalid scheme '" + u.Scheme + "'")
 		}
--- a/internal/rpc/rpc_client_test.go
+++ b/internal/rpc/rpc_client_test.go
@@ -34,14 +34,9 @@ func TestRPCClient_NodeRPC(t *testing.T) {

 func TestRPC_Dial_HTTP(t *testing.T) {
 	client, err := NewRPCClient(&configs.APIConfig{
-		RPC: struct {
-			Endpoints     []string `yaml:"endpoints"`
-			DisableUpdate bool     `yaml:"disableUpdate"`
-		}{
-			Endpoints: []string{"http://127.0.0.1:8004"},
-		},
-		NodeId: "a7e55782dab39bce0901058a1e14a0e6",
-		Secret: "lvyPobI3BszkJopz5nPTocOs0OLkEJ7y",
+		RPCEndpoints: []string{"https://127.0.0.1:8003"},
+		NodeId:       "a7e55782dab39bce0901058a1e14a0e6",
+		Secret:       "lvyPobI3BszkJopz5nPTocOs0OLkEJ7y",
 	}, true)
 	if err != nil {
 		t.Fatal(err)
@@ -56,14 +51,9 @@ func TestRPC_Dial_HTTP(t *testing.T) {

 func TestRPC_Dial_HTTP_2(t *testing.T) {
 	client, err := NewRPCClient(&configs.APIConfig{
-		RPC: struct {
-			Endpoints     []string `yaml:"endpoints"`
-			DisableUpdate bool     `yaml:"disableUpdate"`
-		}{
-			Endpoints: []string{"https://127.0.0.1:8003"},
-		},
-		NodeId: "a7e55782dab39bce0901058a1e14a0e6",
-		Secret: "lvyPobI3BszkJopz5nPTocOs0OLkEJ7y",
+		RPCEndpoints: []string{"https://127.0.0.1:8003"},
+		NodeId:       "a7e55782dab39bce0901058a1e14a0e6",
+		Secret:       "lvyPobI3BszkJopz5nPTocOs0OLkEJ7y",
 	}, true)
 	if err != nil {
 		t.Fatal(err)
@@ -78,14 +68,9 @@ func TestRPC_Dial_HTTP_2(t *testing.T) {

 func TestRPC_Dial_HTTPS(t *testing.T) {
 	client, err := NewRPCClient(&configs.APIConfig{
-		RPC: struct {
-			Endpoints     []string `yaml:"endpoints"`
-			DisableUpdate bool     `yaml:"disableUpdate"`
-		}{
-			Endpoints: []string{"https://127.0.0.1:8004"},
-		},
-		NodeId: "a7e55782dab39bce0901058a1e14a0e6",
-		Secret: "lvyPobI3BszkJopz5nPTocOs0OLkEJ7y",
+		RPCEndpoints: []string{"https://127.0.0.1:8004"},
+		NodeId:       "a7e55782dab39bce0901058a1e14a0e6",
+		Secret:       "lvyPobI3BszkJopz5nPTocOs0OLkEJ7y",
 	}, true)
 	if err != nil {
 		t.Fatal(err)
--- a/internal/rpc/rpc_utils.go
+++ b/internal/rpc/rpc_utils.go
@@ -2,6 +2,9 @@ package rpc

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"strings"
 	"sync"
 )

@@ -28,3 +31,39 @@ func SharedRPC() (*RPCClient, error) {
 	sharedRPC = client
 	return sharedRPC, nil
 }
+
+// IsConnError 是否为连接错误
+func IsConnError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	// 检查是否为连接错误
+	statusErr, ok := status.FromError(err)
+	if ok {
+		var errorCode = statusErr.Code()
+		return errorCode == codes.Unavailable || errorCode == codes.Canceled
+	}
+
+	if strings.Contains(err.Error(), "code = Canceled") {
+		return true
+	}
+
+	return false
+}
+
+// IsUnimplementedError 检查是否为未实现错误
+func IsUnimplementedError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	statusErr, ok := status.FromError(err)
+	if ok {
+		if statusErr.Code() == codes.Unimplemented {
+			return true
+		}
+	}
+
+	return false
+}
--- a/internal/setup/utils.go
+++ b/internal/setup/utils.go
@@ -2,8 +2,6 @@ package setup

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
-	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
-	"os"
 )

 var isConfigured bool
@@ -21,13 +19,5 @@ func IsConfigured() bool {

 // IsNewInstalled IsNew 检查是否新安装
 func IsNewInstalled() bool {
-	homeDir, err := os.UserHomeDir()
-	if err != nil {
-		return false
-	}
-	_, err = os.Stat(homeDir + "/." + teaconst.ProcessName + "/api.yaml")
-	if err != nil {
-		return true
-	}
-	return false
+	return configs.IsNewInstalled()
 }
--- a/internal/tasks/task_check_updates.go
+++ b/internal/tasks/task_check_updates.go
@@ -5,6 +5,7 @@ package tasks
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/events"
 	"github.com/TeaOSLab/EdgeAdmin/internal/goman"
@@ -59,11 +60,11 @@ func (this *CheckUpdatesTask) Loop() error {
 		return err
 	}
 	var valueJSON = valueResp.ValueJSON
-	var config = &systemconfigs.CheckUpdatesConfig{AutoCheck: false}
+	var config = systemconfigs.NewCheckUpdatesConfig()
 	if len(valueJSON) > 0 {
 		err = json.Unmarshal(valueJSON, config)
 		if err != nil {
-			return errors.New("decode config failed: " + err.Error())
+			return fmt.Errorf("decode config failed: %w", err)
 		}
 		if !config.AutoCheck {
 			return nil
@@ -87,9 +88,10 @@ func (this *CheckUpdatesTask) Loop() error {
 	var apiURL = teaconst.UpdatesURL
 	apiURL = strings.ReplaceAll(apiURL, "${os}", runtime.GOOS)
 	apiURL = strings.ReplaceAll(apiURL, "${arch}", runtime.GOARCH)
+	apiURL = strings.ReplaceAll(apiURL, "${version}", teaconst.Version)
 	resp, err := http.Get(apiURL)
 	if err != nil {
-		return errors.New("read api failed: " + err.Error())
+		return fmt.Errorf("read api failed: %w", err)
 	}

 	defer func() {
@@ -97,13 +99,13 @@ func (this *CheckUpdatesTask) Loop() error {
 	}()
 	data, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return errors.New("read api failed: " + err.Error())
+		return fmt.Errorf("read api failed: %w", err)
 	}

 	var apiResponse = &Response{}
 	err = json.Unmarshal(data, apiResponse)
 	if err != nil {
-		return errors.New("decode version data failed: " + err.Error())
+		return fmt.Errorf("decode version data failed: %w", err)
 	}

 	if apiResponse.Code != 200 {
@@ -118,7 +120,7 @@ func (this *CheckUpdatesTask) Loop() error {
 			var vMap = maps.NewMap(version)
 			if vMap.GetString("code") == "admin" {
 				var latestVersion = vMap.GetString("version")
-				if stringutil.VersionCompare(teaconst.Version, latestVersion) < 0 {
+				if stringutil.VersionCompare(teaconst.Version, latestVersion) < 0 && (len(config.IgnoredVersion) == 0 || stringutil.VersionCompare(latestVersion, config.IgnoredVersion) > 0) {
 					teaconst.NewVersionCode = latestVersion
 					teaconst.NewVersionDownloadURL = dlHost + vMap.GetString("url")
 					return nil
--- a/internal/tasks/task_sync_api_nodes.go
+++ b/internal/tasks/task_sync_api_nodes.go
@@ -65,7 +65,7 @@ func (this *SyncAPINodesTask) Loop() error {
 	}

 	// 是否禁止自动升级
-	if config.RPC.DisableUpdate {
+	if config.RPCDisableUpdate {
 		return nil
 	}

@@ -88,7 +88,7 @@ func (this *SyncAPINodesTask) Loop() error {
 	}

 	// 和现有的对比
-	if this.isSame(newEndpoints, config.RPC.Endpoints) {
+	if this.isSame(newEndpoints, config.RPCEndpoints) {
 		return nil
 	}

@@ -99,14 +99,14 @@ func (this *SyncAPINodesTask) Loop() error {
 	}

 	// 修改RPC对象配置
-	config.RPC.Endpoints = newEndpoints
+	config.RPCEndpoints = newEndpoints
 	err = rpcClient.UpdateConfig(config)
 	if err != nil {
 		return err
 	}

 	// 保存到文件
-	err = config.WriteFile(Tea.ConfigFile("api.yaml"))
+	err = config.WriteFile(Tea.ConfigFile(configs.ConfigFileName))
 	if err != nil {
 		return err
 	}
--- a/internal/ttlcache/cache.go
+++ b/internal/ttlcache/cache.go
@@ -10,8 +10,10 @@ var DefaultCache = NewCache()
 // TTL缓存
 // 最大的缓存时间为30 * 86400
 // Piece数据结构：
-//      Piece1          |  Piece2 | Piece3 | ...
-//  [ Item1, Item2, ... |   ...
+//
+//	    Piece1          |  Piece2 | Piece3 | ...
+//	[ Item1, Item2, ... |   ...
+//
 // KeyMap列表数据结构
 // { timestamp1 => [key1, key2, ...] }, ...
 type Cache struct {
@@ -109,19 +111,11 @@ func (this *Cache) Read(key string) (item *Item) {
 	return this.pieces[uint64Key%this.countPieces].Read(uint64Key)
 }

-func (this *Cache) readIntKey(key uint64) (value *Item) {
-	return this.pieces[key%this.countPieces].Read(key)
-}
-
 func (this *Cache) Delete(key string) {
 	uint64Key := HashKey([]byte(key))
 	this.pieces[uint64Key%this.countPieces].Delete(uint64Key)
 }

-func (this *Cache) deleteIntKey(key uint64) {
-	this.pieces[key%this.countPieces].Delete(key)
-}
-
 func (this *Cache) Count() (count int) {
 	for _, piece := range this.pieces {
 		count += piece.Count()
--- a/internal/ttlcache/utils.go
+++ b/internal/ttlcache/utils.go
@@ -1,6 +1,6 @@
 package ttlcache

-import "github.com/cespare/xxhash"
+import "github.com/cespare/xxhash/v2"

 func HashKey(key []byte) uint64 {
 	return xxhash.Sum64(key)
--- a/internal/utils/apinodeutils/deploy_file.go
+++ b/internal/utils/apinodeutils/deploy_file.go
@@ -0,0 +1,79 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package apinodeutils
+
+import (
+	"crypto/md5"
+	"fmt"
+	"io"
+	"os"
+)
+
+// DeployFile 部署文件描述
+type DeployFile struct {
+	OS      string
+	Arch    string
+	Version string
+	Path    string
+}
+
+// Sum 计算概要
+func (this *DeployFile) Sum() (string, error) {
+	fp, err := os.Open(this.Path)
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		_ = fp.Close()
+	}()
+
+	m := md5.New()
+	buffer := make([]byte, 128*1024)
+	for {
+		n, err := fp.Read(buffer)
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return "", err
+		}
+		_, err = m.Write(buffer[:n])
+		if err != nil {
+			return "", err
+		}
+	}
+	sum := m.Sum(nil)
+	return fmt.Sprintf("%x", sum), nil
+}
+
+// Read 读取一个片段数据
+func (this *DeployFile) Read(offset int64) (data []byte, newOffset int64, err error) {
+	fp, err := os.Open(this.Path)
+	if err != nil {
+		return nil, offset, err
+	}
+	defer func() {
+		_ = fp.Close()
+	}()
+
+	stat, err := fp.Stat()
+	if err != nil {
+		return nil, offset, err
+	}
+	if offset >= stat.Size() {
+		return nil, offset, io.EOF
+	}
+
+	_, err = fp.Seek(offset, io.SeekStart)
+	if err != nil {
+		return nil, offset, err
+	}
+
+	buffer := make([]byte, 128*1024)
+	n, err := fp.Read(buffer)
+	if err != nil {
+		return nil, offset, err
+	}
+
+	return buffer[:n], offset + int64(n), nil
+}
--- a/internal/utils/apinodeutils/deploy_manager.go
+++ b/internal/utils/apinodeutils/deploy_manager.go
@@ -0,0 +1,96 @@
+package apinodeutils
+
+import (
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/files"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"regexp"
+)
+
+// DeployManager 节点部署文件管理器
+// 如果节点部署文件有变化，需要重启API节点以便于生效
+type DeployManager struct {
+	dir string
+}
+
+// NewDeployManager 获取新节点部署文件管理器
+func NewDeployManager() *DeployManager {
+	var manager = &DeployManager{
+		dir: Tea.Root + "/edge-api/deploy",
+	}
+	manager.LoadNodeFiles()
+	manager.LoadNSNodeFiles()
+	return manager
+}
+
+// LoadNodeFiles 加载所有边缘节点文件
+func (this *DeployManager) LoadNodeFiles() []*DeployFile {
+	var keyMap = map[string]*DeployFile{} // key => File
+
+	var reg = regexp.MustCompile(`^edge-node-(\w+)-(\w+)-v([0-9.]+)\.zip$`)
+	for _, file := range files.NewFile(this.dir).List() {
+		var name = file.Name()
+		if !reg.MatchString(name) {
+			continue
+		}
+		var matches = reg.FindStringSubmatch(name)
+		var osName = matches[1]
+		var arch = matches[2]
+		var version = matches[3]
+
+		var key = osName + "_" + arch
+		oldFile, ok := keyMap[key]
+		if ok && stringutil.VersionCompare(oldFile.Version, version) > 0 {
+			continue
+		}
+		keyMap[key] = &DeployFile{
+			OS:      osName,
+			Arch:    arch,
+			Version: version,
+			Path:    file.Path(),
+		}
+	}
+
+	var result = []*DeployFile{}
+	for _, v := range keyMap {
+		result = append(result, v)
+	}
+
+	return result
+}
+
+// LoadNSNodeFiles 加载所有NS节点安装文件
+func (this *DeployManager) LoadNSNodeFiles() []*DeployFile {
+	var keyMap = map[string]*DeployFile{} // key => File
+
+	var reg = regexp.MustCompile(`^edge-dns-(\w+)-(\w+)-v([0-9.]+)\.zip$`)
+	for _, file := range files.NewFile(this.dir).List() {
+		var name = file.Name()
+		if !reg.MatchString(name) {
+			continue
+		}
+		var matches = reg.FindStringSubmatch(name)
+		var osName = matches[1]
+		var arch = matches[2]
+		var version = matches[3]
+
+		var key = osName + "_" + arch
+		oldFile, ok := keyMap[key]
+		if ok && stringutil.VersionCompare(oldFile.Version, version) > 0 {
+			continue
+		}
+		keyMap[key] = &DeployFile{
+			OS:      osName,
+			Arch:    arch,
+			Version: version,
+			Path:    file.Path(),
+		}
+	}
+
+	var result = []*DeployFile{}
+	for _, v := range keyMap {
+		result = append(result, v)
+	}
+
+	return result
+}
--- a/internal/utils/apinodeutils/manager.go
+++ b/internal/utils/apinodeutils/manager.go
@@ -0,0 +1,30 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package apinodeutils
+
+var SharedManager = NewManager()
+
+type Manager struct {
+	upgraderMap map[int64]*Upgrader
+}
+
+func NewManager() *Manager {
+	return &Manager{
+		upgraderMap: map[int64]*Upgrader{},
+	}
+}
+
+func (this *Manager) AddUpgrader(upgrader *Upgrader) {
+	this.upgraderMap[upgrader.apiNodeId] = upgrader
+}
+
+func (this *Manager) FindUpgrader(apiNodeId int64) *Upgrader {
+	return this.upgraderMap[apiNodeId]
+}
+
+func (this *Manager) RemoveUpgrader(upgrader *Upgrader) {
+	if upgrader == nil {
+		return
+	}
+	delete(this.upgraderMap, upgrader.apiNodeId)
+}
--- a/internal/utils/apinodeutils/upgrader.go
+++ b/internal/utils/apinodeutils/upgrader.go
@@ -0,0 +1,349 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package apinodeutils
+
+import (
+	"compress/gzip"
+	"context"
+	"crypto/md5"
+	"errors"
+	"fmt"
+	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/types"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+)
+
+type Progress struct {
+	Percent float64
+}
+
+type Upgrader struct {
+	progress  *Progress
+	apiExe    string
+	apiNodeId int64
+}
+
+func NewUpgrader(apiNodeId int64) *Upgrader {
+	return &Upgrader{
+		apiExe:    apiExe(),
+		progress:  &Progress{Percent: 0},
+		apiNodeId: apiNodeId,
+	}
+}
+
+func (this *Upgrader) Upgrade() error {
+	sharedClient, err := rpc.SharedRPC()
+	if err != nil {
+		return err
+	}
+	apiNodeResp, err := sharedClient.APINodeRPC().FindEnabledAPINode(sharedClient.Context(0), &pb.FindEnabledAPINodeRequest{ApiNodeId: this.apiNodeId})
+	if err != nil {
+		return err
+	}
+	var apiNode = apiNodeResp.ApiNode
+	if apiNode == nil {
+		return errors.New("could not find api node with id '" + types.String(this.apiNodeId) + "'")
+	}
+
+	apiConfig, err := configs.LoadAPIConfig()
+	if err != nil {
+		return err
+	}
+	var newAPIConfig = apiConfig.Clone()
+	newAPIConfig.RPCEndpoints = apiNode.AccessAddrs
+
+	rpcClient, err := rpc.NewRPCClient(newAPIConfig, false)
+	if err != nil {
+		return err
+	}
+
+	// 升级边缘节点
+	err = this.upgradeNodes(sharedClient.Context(0), rpcClient)
+	if err != nil {
+		return err
+	}
+
+	// 升级NS节点
+	err = this.upgradeNSNodes(sharedClient.Context(0), rpcClient)
+	if err != nil {
+		return err
+	}
+
+	// 升级API节点
+	err = this.upgradeAPINode(sharedClient.Context(0), rpcClient)
+	if err != nil {
+		return fmt.Errorf("upgrade api node failed: %w", err)
+	}
+
+	return nil
+}
+
+// Progress 查看升级进程
+func (this *Upgrader) Progress() *Progress {
+	return this.progress
+}
+
+// 升级API节点
+func (this *Upgrader) upgradeAPINode(ctx context.Context, rpcClient *rpc.RPCClient) error {
+	versionResp, err := rpcClient.APINodeRPC().FindCurrentAPINodeVersion(ctx, &pb.FindCurrentAPINodeVersionRequest{})
+	if err != nil {
+		return err
+	}
+	if !Tea.IsTesting() /** 开发环境下允许突破此限制方便测试 **/ &&
+		(stringutil.VersionCompare(versionResp.Version, "0.6.4" /** 从0.6.4开始支持 **/) < 0 || versionResp.Os != runtime.GOOS || versionResp.Arch != runtime.GOARCH) {
+		return errors.New("could not upgrade api node v" + versionResp.Version + "/" + versionResp.Os + "/" + versionResp.Arch)
+	}
+
+	// 检查本地文件版本
+	canUpgrade, reason := CanUpgrade(versionResp.Version, versionResp.Os, versionResp.Arch)
+	if !canUpgrade {
+		return errors.New(reason)
+	}
+
+	localVersion, err := lookupLocalVersion()
+	if err != nil {
+		return fmt.Errorf("lookup version failed: %w", err)
+	}
+
+	// 检查要升级的文件
+	var gzFile = this.apiExe + "." + localVersion + ".gz"
+
+	gzReader, err := os.Open(gzFile)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return err
+		}
+		err = func() error {
+			// 压缩文件
+			exeReader, err := os.Open(this.apiExe)
+			if err != nil {
+				return err
+			}
+			defer func() {
+				_ = exeReader.Close()
+			}()
+			var tmpGzFile = gzFile + ".tmp"
+			gzFileWriter, err := os.OpenFile(tmpGzFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0666)
+			if err != nil {
+				return err
+			}
+			var gzWriter = gzip.NewWriter(gzFileWriter)
+			defer func() {
+				_ = gzWriter.Close()
+				_ = gzFileWriter.Close()
+
+				_ = os.Rename(tmpGzFile, gzFile)
+			}()
+			_, err = io.Copy(gzWriter, exeReader)
+			if err != nil {
+				return err
+			}
+
+			return nil
+		}()
+		if err != nil {
+			return err
+		}
+		gzReader, err = os.Open(gzFile)
+		if err != nil {
+			return err
+		}
+	}
+
+	defer func() {
+		_ = gzReader.Close()
+	}()
+
+	// 开始上传
+	var hash = md5.New()
+	var buf = make([]byte, 128*4096)
+	var isFirst = true
+	stat, err := gzReader.Stat()
+	if err != nil {
+		return err
+	}
+	var totalSize = stat.Size()
+	if totalSize == 0 {
+		_ = gzReader.Close()
+		_ = os.Remove(gzFile)
+		return errors.New("invalid gz file")
+	}
+
+	var uploadedSize int64 = 0
+	for {
+		n, err := gzReader.Read(buf)
+		if n > 0 {
+			// 计算Hash
+			hash.Write(buf[:n])
+
+			// 上传
+			_, uploadErr := rpcClient.APINodeRPC().UploadAPINodeFile(rpcClient.Context(0), &pb.UploadAPINodeFileRequest{
+				Filename:     filepath.Base(this.apiExe),
+				Sum:          "",
+				ChunkData:    buf[:n],
+				IsFirstChunk: isFirst,
+				IsLastChunk:  false,
+			})
+			if uploadErr != nil {
+				return uploadErr
+			}
+
+			// 进度
+			uploadedSize += int64(n)
+			this.progress = &Progress{Percent: float64(uploadedSize*100) / float64(totalSize)}
+		}
+		if isFirst {
+			isFirst = false
+		}
+		if err != nil {
+			if err != io.EOF {
+				return err
+			}
+			if err == io.EOF {
+				_, uploadErr := rpcClient.APINodeRPC().UploadAPINodeFile(rpcClient.Context(0), &pb.UploadAPINodeFileRequest{
+					Filename:     filepath.Base(this.apiExe),
+					Sum:          fmt.Sprintf("%x", hash.Sum(nil)),
+					ChunkData:    buf[:n],
+					IsFirstChunk: isFirst,
+					IsLastChunk:  true,
+				})
+				if uploadErr != nil {
+					return uploadErr
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+// 升级边缘节点
+func (this *Upgrader) upgradeNodes(ctx context.Context, rpcClient *rpc.RPCClient) error {
+	// 本地的
+	var manager = NewDeployManager()
+	var localFileMap = map[string]*DeployFile{} // os_arch => *DeployFile
+	for _, deployFile := range manager.LoadNodeFiles() {
+		localFileMap[deployFile.OS+"_"+deployFile.Arch] = deployFile
+	}
+
+	remoteFilesResp, err := rpcClient.APINodeRPC().FindLatestDeployFiles(ctx, &pb.FindLatestDeployFilesRequest{})
+	if err != nil {
+		return err
+	}
+
+	var remoteFileMap = map[string]*pb.FindLatestDeployFilesResponse_DeployFile{} // os_arch => *DeployFile
+	for _, nodeFile := range remoteFilesResp.NodeDeployFiles {
+		remoteFileMap[nodeFile.Os+"_"+nodeFile.Arch] = nodeFile
+	}
+
+	// 对比版本
+	for key, deployFile := range localFileMap {
+		remoteDeployFile, ok := remoteFileMap[key]
+		if !ok || stringutil.VersionCompare(remoteDeployFile.Version, deployFile.Version) < 0 {
+			err = this.uploadNodeDeployFile(ctx, rpcClient, deployFile.Path)
+			if err != nil {
+				return fmt.Errorf("upload deploy file '%s' failed: %w", filepath.Base(deployFile.Path), err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// 升级NS节点
+func (this *Upgrader) upgradeNSNodes(ctx context.Context, rpcClient *rpc.RPCClient) error {
+	// 本地的
+	var manager = NewDeployManager()
+	var localFileMap = map[string]*DeployFile{} // os_arch => *DeployFile
+	for _, deployFile := range manager.LoadNSNodeFiles() {
+		localFileMap[deployFile.OS+"_"+deployFile.Arch] = deployFile
+	}
+
+	remoteFilesResp, err := rpcClient.APINodeRPC().FindLatestDeployFiles(ctx, &pb.FindLatestDeployFilesRequest{})
+	if err != nil {
+		return err
+	}
+
+	var remoteFileMap = map[string]*pb.FindLatestDeployFilesResponse_DeployFile{} // os_arch => *DeployFile
+	for _, nodeFile := range remoteFilesResp.NsNodeDeployFiles {
+		remoteFileMap[nodeFile.Os+"_"+nodeFile.Arch] = nodeFile
+	}
+
+	// 对比版本
+	for key, deployFile := range localFileMap {
+		remoteDeployFile, ok := remoteFileMap[key]
+		if !ok || stringutil.VersionCompare(remoteDeployFile.Version, deployFile.Version) < 0 {
+			err = this.uploadNodeDeployFile(ctx, rpcClient, deployFile.Path)
+			if err != nil {
+				return fmt.Errorf("upload deploy file '%s' failed: %w", filepath.Base(deployFile.Path), err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// 上传节点文件
+func (this *Upgrader) uploadNodeDeployFile(ctx context.Context, rpcClient *rpc.RPCClient, path string) error {
+	fp, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		_ = fp.Close()
+	}()
+
+	var buf = make([]byte, 128*4096)
+	var isFirst = true
+
+	var hash = md5.New()
+
+	for {
+		n, err := fp.Read(buf)
+		if n > 0 {
+			hash.Write(buf[:n])
+
+			_, uploadErr := rpcClient.APINodeRPC().UploadDeployFileToAPINode(ctx, &pb.UploadDeployFileToAPINodeRequest{
+				Filename:     filepath.Base(path),
+				Sum:          "",
+				ChunkData:    buf[:n],
+				IsFirstChunk: isFirst,
+				IsLastChunk:  false,
+			})
+			if uploadErr != nil {
+				return uploadErr
+			}
+			isFirst = false
+		}
+		if err != nil {
+			if err == io.EOF {
+				err = nil
+
+				_, uploadErr := rpcClient.APINodeRPC().UploadDeployFileToAPINode(ctx, &pb.UploadDeployFileToAPINodeRequest{
+					Filename:     filepath.Base(path),
+					Sum:          fmt.Sprintf("%x", hash.Sum(nil)),
+					ChunkData:    nil,
+					IsFirstChunk: false,
+					IsLastChunk:  true,
+				})
+				if uploadErr != nil {
+					return uploadErr
+				}
+
+				break
+			}
+			return err
+		}
+	}
+
+	return nil
+}
--- a/internal/utils/apinodeutils/upgrader_test.go
+++ b/internal/utils/apinodeutils/upgrader_test.go
@@ -0,0 +1,22 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package apinodeutils_test
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils/apinodeutils"
+	_ "github.com/iwind/TeaGo/bootstrap"
+	"runtime"
+	"testing"
+)
+
+func TestUpgrader_CanUpgrade(t *testing.T) {
+	t.Log(apinodeutils.CanUpgrade("0.6.3", runtime.GOOS, runtime.GOARCH))
+}
+
+func TestUpgrader_Upgrade(t *testing.T) {
+	var upgrader = apinodeutils.NewUpgrader(1)
+	err := upgrader.Upgrade()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
--- a/internal/utils/apinodeutils/utils.go
+++ b/internal/utils/apinodeutils/utils.go
@@ -0,0 +1,77 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package apinodeutils
+
+import (
+	"bytes"
+	"errors"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/iwind/TeaGo/Tea"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"os"
+	"os/exec"
+	"regexp"
+	"runtime"
+	"strings"
+)
+
+func CanUpgrade(apiVersion string, osName string, arch string) (canUpgrade bool, reason string) {
+	if len(apiVersion) == 0 {
+		return false, "current api version should not be empty"
+	}
+
+	if stringutil.VersionCompare(apiVersion, "0.6.4") < 0 {
+		return false, "api node version must greater than or equal to 0.6.4"
+	}
+
+	if osName != runtime.GOOS {
+		return false, "os not match: " + osName
+	}
+	if arch != runtime.GOARCH {
+		return false, "arch not match: " + arch
+	}
+
+	stat, err := os.Stat(apiExe())
+	if err != nil {
+		return false, "stat error: " + err.Error()
+	}
+	if stat.IsDir() {
+		return false, "is directory"
+	}
+
+	localVersion, err := lookupLocalVersion()
+	if err != nil {
+		return false, "lookup version failed: " + err.Error()
+	}
+	if localVersion != teaconst.APINodeVersion {
+		return false, "not newest api node"
+	}
+	if stringutil.VersionCompare(localVersion, apiVersion) <= 0 {
+		return false, "need not upgrade, local '" + localVersion + "' vs remote '" + apiVersion + "'"
+	}
+
+	return true, ""
+}
+
+func lookupLocalVersion() (string, error) {
+	var cmd = exec.Command(apiExe(), "-V")
+	var output = &bytes.Buffer{}
+	cmd.Stdout = output
+	err := cmd.Run()
+	if err != nil {
+		return "", err
+	}
+	var localVersion = strings.TrimSpace(output.String())
+
+	// 检查版本号
+	var reg = regexp.MustCompile(`^[\d.]+$`)
+	if !reg.MatchString(localVersion) {
+		return "", errors.New("lookup version failed: " + localVersion)
+	}
+
+	return localVersion, nil
+}
+
+func apiExe() string {
+	return Tea.Root + "/edge-api/bin/edge-api"
+}
--- a/internal/utils/dateutils/utils.go
+++ b/internal/utils/dateutils/utils.go
@@ -0,0 +1,12 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package dateutils
+
+// SplitYmd 分隔Ymd格式的日期
+// Ymd => Y-m-d
+func SplitYmd(day string) string {
+	if len(day) != 8 {
+		return day
+	}
+	return day[:4] + "-" + day[4:6] + "-" + day[6:]
+}
--- a/internal/utils/email_test.go
+++ b/internal/utils/email_test.go
@@ -3,7 +3,7 @@
 package utils_test

 import (
-	"github.com/TeaOSLab/EdgeAPI/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
 	"github.com/iwind/TeaGo/assert"
 	"testing"
 )
--- a/internal/utils/exec/cmd.go
+++ b/internal/utils/exec/cmd.go
@@ -0,0 +1,162 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package executils
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+type Cmd struct {
+	name string
+	args []string
+	env  []string
+	dir  string
+
+	ctx        context.Context
+	timeout    time.Duration
+	cancelFunc func()
+
+	captureStdout bool
+	captureStderr bool
+
+	stdout *bytes.Buffer
+	stderr *bytes.Buffer
+
+	rawCmd *exec.Cmd
+}
+
+func NewCmd(name string, args ...string) *Cmd {
+	return &Cmd{
+		name: name,
+		args: args,
+	}
+}
+
+func NewTimeoutCmd(timeout time.Duration, name string, args ...string) *Cmd {
+	return (&Cmd{
+		name: name,
+		args: args,
+	}).WithTimeout(timeout)
+}
+
+func (this *Cmd) WithTimeout(timeout time.Duration) *Cmd {
+	this.timeout = timeout
+
+	ctx, cancelFunc := context.WithTimeout(context.Background(), timeout)
+	this.ctx = ctx
+	this.cancelFunc = cancelFunc
+
+	return this
+}
+
+func (this *Cmd) WithStdout() *Cmd {
+	this.captureStdout = true
+	return this
+}
+
+func (this *Cmd) WithStderr() *Cmd {
+	this.captureStderr = true
+	return this
+}
+
+func (this *Cmd) WithEnv(env []string) *Cmd {
+	this.env = env
+	return this
+}
+
+func (this *Cmd) WithDir(dir string) *Cmd {
+	this.dir = dir
+	return this
+}
+
+func (this *Cmd) Start() error {
+	var cmd = this.compose()
+	return cmd.Start()
+}
+
+func (this *Cmd) Wait() error {
+	var cmd = this.compose()
+	return cmd.Wait()
+}
+
+func (this *Cmd) Run() error {
+	if this.cancelFunc != nil {
+		defer this.cancelFunc()
+	}
+
+	var cmd = this.compose()
+	return cmd.Run()
+}
+
+func (this *Cmd) RawStdout() string {
+	if this.stdout != nil {
+		return this.stdout.String()
+	}
+	return ""
+}
+
+func (this *Cmd) Stdout() string {
+	return strings.TrimSpace(this.RawStdout())
+}
+
+func (this *Cmd) RawStderr() string {
+	if this.stderr != nil {
+		return this.stderr.String()
+	}
+	return ""
+}
+
+func (this *Cmd) Stderr() string {
+	return strings.TrimSpace(this.RawStderr())
+}
+
+func (this *Cmd) String() string {
+	if this.rawCmd != nil {
+		return this.rawCmd.String()
+	}
+	var newCmd = exec.Command(this.name, this.args...)
+	return newCmd.String()
+}
+
+func (this *Cmd) Process() *os.Process {
+	if this.rawCmd != nil {
+		return this.rawCmd.Process
+	}
+	return nil
+}
+
+func (this *Cmd) compose() *exec.Cmd {
+	if this.rawCmd != nil {
+		return this.rawCmd
+	}
+
+	if this.ctx != nil {
+		this.rawCmd = exec.CommandContext(this.ctx, this.name, this.args...)
+	} else {
+		this.rawCmd = exec.Command(this.name, this.args...)
+	}
+
+	if this.env != nil {
+		this.rawCmd.Env = this.env
+	}
+
+	if len(this.dir) > 0 {
+		this.rawCmd.Dir = this.dir
+	}
+
+	if this.captureStdout {
+		this.stdout = &bytes.Buffer{}
+		this.rawCmd.Stdout = this.stdout
+	}
+	if this.captureStderr {
+		this.stderr = &bytes.Buffer{}
+		this.rawCmd.Stderr = this.stderr
+	}
+
+	return this.rawCmd
+}
--- a/internal/utils/exec/cmd_test.go
+++ b/internal/utils/exec/cmd_test.go
@@ -0,0 +1,61 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package executils_test
+
+import (
+	executils "github.com/TeaOSLab/EdgeAdmin/internal/utils/exec"
+	"testing"
+	"time"
+)
+
+func TestNewTimeoutCmd_Sleep(t *testing.T) {
+	var cmd = executils.NewTimeoutCmd(1*time.Second, "sleep", "3")
+	cmd.WithStdout()
+	cmd.WithStderr()
+	err := cmd.Run()
+	t.Log("error:", err)
+	t.Log("stdout:", cmd.Stdout())
+	t.Log("stderr:", cmd.Stderr())
+}
+
+func TestNewTimeoutCmd_Echo(t *testing.T) {
+	var cmd = executils.NewTimeoutCmd(10*time.Second, "echo", "-n", "hello")
+	cmd.WithStdout()
+	cmd.WithStderr()
+	err := cmd.Run()
+	t.Log("error:", err)
+	t.Log("stdout:", cmd.Stdout())
+	t.Log("stderr:", cmd.Stderr())
+}
+
+func TestNewTimeoutCmd_Echo2(t *testing.T) {
+	var cmd = executils.NewCmd("echo", "hello")
+	cmd.WithStdout()
+	cmd.WithStderr()
+	err := cmd.Run()
+	t.Log("error:", err)
+	t.Log("stdout:", cmd.Stdout())
+	t.Log("raw stdout:", cmd.RawStdout())
+	t.Log("stderr:", cmd.Stderr())
+	t.Log("raw stderr:", cmd.RawStderr())
+}
+
+func TestNewTimeoutCmd_Echo3(t *testing.T) {
+	var cmd = executils.NewCmd("echo", "-n", "hello")
+	err := cmd.Run()
+	t.Log("error:", err)
+	t.Log("stdout:", cmd.Stdout())
+	t.Log("stderr:", cmd.Stderr())
+}
+
+func TestCmd_Process(t *testing.T) {
+	var cmd = executils.NewCmd("echo", "-n", "hello")
+	err := cmd.Run()
+	t.Log("error:", err)
+	t.Log(cmd.Process())
+}
+
+func TestNewTimeoutCmd_String(t *testing.T) {
+	var cmd = executils.NewCmd("echo", "-n", "hello")
+	t.Log("stdout:", cmd.String())
+}
--- a/internal/utils/exec/look_linux.go
+++ b/internal/utils/exec/look_linux.go
@@ -0,0 +1,58 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build linux
+
+package executils
+
+import (
+	"golang.org/x/sys/unix"
+	"io/fs"
+	"os"
+	"os/exec"
+	"syscall"
+)
+
+// LookPath customize our LookPath() function, to work in broken $PATH environment variable
+func LookPath(file string) (string, error) {
+	result, err := exec.LookPath(file)
+	if err == nil && len(result) > 0 {
+		return result, nil
+	}
+
+	// add common dirs contains executable files these may be excluded in $PATH environment variable
+	var binPaths = []string{
+		"/usr/sbin",
+		"/usr/bin",
+		"/usr/local/sbin",
+		"/usr/local/bin",
+	}
+
+	for _, binPath := range binPaths {
+		var fullPath = binPath + string(os.PathSeparator) + file
+
+		stat, err := os.Stat(fullPath)
+		if err != nil {
+			continue
+		}
+		if stat.IsDir() {
+			return "", syscall.EISDIR
+		}
+
+		var mode = stat.Mode()
+		if mode.IsDir() {
+			return "", syscall.EISDIR
+		}
+		err = syscall.Faccessat(unix.AT_FDCWD, fullPath, unix.X_OK, unix.AT_EACCESS)
+		if err == nil || (err != syscall.ENOSYS && err != syscall.EPERM) {
+			return fullPath, err
+		}
+		if mode&0111 != 0 {
+			return fullPath, nil
+		}
+		return "", fs.ErrPermission
+	}
+
+	return "", &exec.Error{
+		Name: file,
+		Err:  exec.ErrNotFound,
+	}
+}
--- a/internal/utils/exec/look_others.go
+++ b/internal/utils/exec/look_others.go
@@ -0,0 +1,10 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !linux
+
+package executils
+
+import "os/exec"
+
+func LookPath(file string) (string, error) {
+	return exec.LookPath(file)
+}
--- a/internal/utils/firewall.go
+++ b/internal/utils/firewall.go
@@ -3,6 +3,7 @@
 package utils

 import (
+	executils "github.com/TeaOSLab/EdgeAdmin/internal/utils/exec"
 	"github.com/iwind/TeaGo/logs"
 	"github.com/iwind/TeaGo/types"
 	"os/exec"
@@ -14,7 +15,7 @@ func AddPortsToFirewall(ports []int) {
 		// Linux
 		if runtime.GOOS == "linux" {
 			// firewalld
-			firewallCmd, _ := exec.LookPath("firewall-cmd")
+			firewallCmd, _ := executils.LookPath("firewall-cmd")
 			if len(firewallCmd) > 0 {
 				err := exec.Command(firewallCmd, "--add-port="+types.String(port)+"/tcp").Run()
 				if err == nil {
--- a/internal/utils/json.go
+++ b/internal/utils/json.go
@@ -3,7 +3,9 @@
 package utils

 import (
+	"bytes"
 	"encoding/json"
+	"errors"
 	"reflect"
 )

@@ -22,3 +24,37 @@ func JSONClone(v interface{}) (interface{}, error) {

 	return nv, nil
 }
+
+// JSONIsNull 判断JSON数据是否为null
+func JSONIsNull(jsonData []byte) bool {
+	return len(jsonData) == 0 || bytes.Equal(jsonData, []byte("null"))
+}
+
+// JSONDecodeConfig 解码并重新编码
+// 是为了去除原有JSON中不需要的数据
+func JSONDecodeConfig(data []byte, ptr any) (encodeJSON []byte, err error) {
+	err = json.Unmarshal(data, ptr)
+	if err != nil {
+		return
+	}
+
+	encodeJSON, err = json.Marshal(ptr)
+	if err != nil {
+		return
+	}
+
+	// validate config
+	if ptr != nil {
+		config, ok := ptr.(interface {
+			Init() error
+		})
+		if ok {
+			initErr := config.Init()
+			if initErr != nil {
+				err = errors.New("validate config failed: " + initErr.Error())
+			}
+		}
+	}
+
+	return
+}
--- a/internal/utils/json_test.go
+++ b/internal/utils/json_test.go
@@ -4,6 +4,7 @@ package utils_test

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/iwind/TeaGo/assert"
 	"testing"
 )

@@ -23,3 +24,12 @@ func TestJSONClone(t *testing.T) {
 		t.Logf("%p, %#v", c, c)
 	}
 }
+
+
+func TestJSONIsNull(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsTrue(utils.JSONIsNull(nil))
+	a.IsTrue(utils.JSONIsNull([]byte{}))
+	a.IsTrue(utils.JSONIsNull([]byte("null")))
+	a.IsFalse(utils.JSONIsNull([]byte{1, 2, 3}))
+}
--- a/internal/utils/lookup.go
+++ b/internal/utils/lookup.go
@@ -1,35 +1,81 @@
 package utils

 import (
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/logs"
 	"github.com/miekg/dns"
+	"sync"
 )

+var sharedDNSClient *dns.Client
+var sharedDNSConfig *dns.ClientConfig
+
+func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
+	config, err := dns.ClientConfigFromFile("/etc/resolv.conf")
+	if err != nil {
+		logs.Println("ERROR: configure dns client failed: " + err.Error())
+		return
+	}
+
+	sharedDNSConfig = config
+	sharedDNSClient = &dns.Client{}
+}
+
 // LookupCNAME 获取CNAME
 func LookupCNAME(host string) (string, error) {
-	config, err := dns.ClientConfigFromFile("/etc/resolv.conf")
-	if err != nil {
-		return "", err
-	}
-
-	c := new(dns.Client)
-	m := new(dns.Msg)
+	var m = new(dns.Msg)

 	m.SetQuestion(host+".", dns.TypeCNAME)
 	m.RecursionDesired = true

 	var lastErr error
-	for _, serverAddr := range config.Servers {
-		r, _, err := c.Exchange(m, configutils.QuoteIP(serverAddr)+":"+config.Port)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		if len(r.Answer) == 0 {
-			continue
-		}
+	var success = false
+	var result = ""

-		return r.Answer[0].(*dns.CNAME).Target, nil
+	var serverAddrs = sharedDNSConfig.Servers
+
+	{
+		var publicDNSHosts = []string{"8.8.8.8" /** Google **/, "8.8.4.4" /** Google **/}
+		for _, publicDNSHost := range publicDNSHosts {
+			if !lists.ContainsString(serverAddrs, publicDNSHost) {
+				serverAddrs = append(serverAddrs, publicDNSHost)
+			}
+		}
 	}
+
+	var wg = &sync.WaitGroup{}
+
+	for _, serverAddr := range serverAddrs {
+		wg.Add(1)
+
+		go func(serverAddr string) {
+			defer wg.Done()
+			r, _, err := sharedDNSClient.Exchange(m, configutils.QuoteIP(serverAddr)+":"+sharedDNSConfig.Port)
+			if err != nil {
+				lastErr = err
+				return
+			}
+
+			success = true
+
+			if len(r.Answer) == 0 {
+				return
+			}
+
+			result = r.Answer[0].(*dns.CNAME).Target
+		}(serverAddr)
+	}
+	wg.Wait()
+
+	if success {
+		return result, nil
+	}
+
 	return "", lastErr
 }
--- a/internal/utils/lookup_test.go
+++ b/internal/utils/lookup_test.go
@@ -0,0 +1,15 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package utils_test
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"testing"
+)
+
+func TestLookupCNAME(t *testing.T) {
+	for _, domain := range []string{"www.yun4s.cn", "example.com"} {
+		result, err := utils.LookupCNAME(domain)
+		t.Log(domain, "=>", result, err)
+	}
+}
--- a/internal/utils/nodelogutils/utils.go
+++ b/internal/utils/nodelogutils/utils.go
@@ -4,22 +4,24 @@
 package nodelogutils

 import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/iwind/TeaGo/maps"
 )

 // FindCommonTags 查找常用的标签
-func FindNodeCommonTags() []maps.Map {
+func FindNodeCommonTags(langCode langs.LangCode) []maps.Map {
 	return []maps.Map{
 		{
-			"name": "端口监听",
+			"name": langs.Message(langCode, codes.Log_TagListener),
 			"code": "LISTENER",
 		},
 		{
-			"name": "WAF",
+			"name": langs.Message(langCode, codes.Log_TagWAF),
 			"code": "WAF",
 		},
 		{
-			"name": "访问日志",
+			"name": langs.Message(langCode, codes.Log_TagAccessLog),
 			"code": "ACCESS_LOG",
 		},
 	}
--- a/internal/utils/numberutils/utils.go
+++ b/internal/utils/numberutils/utils.go
@@ -30,17 +30,17 @@ func FormatBytes(bytes int64) string {
 	if bytes < Pow1024(1) {
 		return FormatInt64(bytes) + "B"
 	} else if bytes < Pow1024(2) {
-		return TrimZeroSuffix(fmt.Sprintf("%.2fKB", float64(bytes)/float64(Pow1024(1))))
+		return TrimZeroSuffix(fmt.Sprintf("%.2fKiB", float64(bytes)/float64(Pow1024(1))))
 	} else if bytes < Pow1024(3) {
-		return TrimZeroSuffix(fmt.Sprintf("%.2fMB", float64(bytes)/float64(Pow1024(2))))
+		return TrimZeroSuffix(fmt.Sprintf("%.2fMiB", float64(bytes)/float64(Pow1024(2))))
 	} else if bytes < Pow1024(4) {
-		return TrimZeroSuffix(fmt.Sprintf("%.2fGB", float64(bytes)/float64(Pow1024(3))))
+		return TrimZeroSuffix(fmt.Sprintf("%.2fGiB", float64(bytes)/float64(Pow1024(3))))
 	} else if bytes < Pow1024(5) {
-		return TrimZeroSuffix(fmt.Sprintf("%.2fTB", float64(bytes)/float64(Pow1024(4))))
+		return TrimZeroSuffix(fmt.Sprintf("%.2fTiB", float64(bytes)/float64(Pow1024(4))))
 	} else if bytes < Pow1024(6) {
-		return TrimZeroSuffix(fmt.Sprintf("%.2fPB", float64(bytes)/float64(Pow1024(5))))
+		return TrimZeroSuffix(fmt.Sprintf("%.2fPiB", float64(bytes)/float64(Pow1024(5))))
 	} else {
-		return TrimZeroSuffix(fmt.Sprintf("%.2fEB", float64(bytes)/float64(Pow1024(6))))
+		return TrimZeroSuffix(fmt.Sprintf("%.2fEiB", float64(bytes)/float64(Pow1024(6))))
 	}
 }

@@ -75,7 +75,7 @@ func FormatCount(count int64) string {
 	return fmt.Sprintf("%.1fB", float32(count)/1000/1000/1000)
 }

-func FormatFloat(f interface{}, decimal int) string {
+func FormatFloat(f any, decimal int) string {
 	if f == nil {
 		return ""
 	}
@@ -101,10 +101,29 @@ func FormatFloat(f interface{}, decimal int) string {
 	return ""
 }

-func FormatFloat2(f interface{}) string {
+func FormatFloat2(f any) string {
 	return FormatFloat(f, 2)
 }

+// PadFloatZero 为浮点型数字字符串填充足够的0
+func PadFloatZero(s string, countZero int) string {
+	if countZero <= 0 {
+		return s
+	}
+	if len(s) == 0 {
+		s = "0"
+	}
+	var index = strings.Index(s, ".")
+	if index < 0 {
+		return s + "." + strings.Repeat("0", countZero)
+	}
+	var decimalLen = len(s) - 1 - index
+	if decimalLen < countZero {
+		return s + strings.Repeat("0", countZero-decimalLen)
+	}
+	return s
+}
+
 var decimalReg = regexp.MustCompile(`^(\d+\.\d+)([a-zA-Z]+)?$`)

 // TrimZeroSuffix 去除小数数字尾部多余的0
--- a/internal/utils/numberutils/utils_test.go
+++ b/internal/utils/numberutils/utils_test.go
@@ -4,6 +4,7 @@ package numberutils_test

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils/numberutils"
+	"github.com/iwind/TeaGo/assert"
 	"testing"
 )

@@ -49,6 +50,24 @@ func TestFormatFloat(t *testing.T) {
 	t.Log(numberutils.FormatFloat(-221745.12, 2))
 }

+func TestFormatFloat2(t *testing.T) {
+	t.Log(numberutils.FormatFloat2(0))
+	t.Log(numberutils.FormatFloat2(0.0))
+	t.Log(numberutils.FormatFloat2(1.23456))
+	t.Log(numberutils.FormatFloat2(1.0))
+}
+
+func TestPadFloatZero(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsTrue(numberutils.PadFloatZero("1", 0) == "1")
+	a.IsTrue(numberutils.PadFloatZero("1", 2) == "1.00")
+	a.IsTrue(numberutils.PadFloatZero("1.1", 2) == "1.10")
+	a.IsTrue(numberutils.PadFloatZero("1.12", 2) == "1.12")
+	a.IsTrue(numberutils.PadFloatZero("1.123", 2) == "1.123")
+	a.IsTrue(numberutils.PadFloatZero("10000.123", 2) == "10000.123")
+	a.IsTrue(numberutils.PadFloatZero("", 2) == "0.00")
+}
+
 func TestTrimZeroSuffix(t *testing.T) {
 	for _, s := range []string{
 		"1",
--- a/internal/utils/service.go
+++ b/internal/utils/service.go
@@ -39,7 +39,7 @@ func (this *ServiceManager) setup() {
 	this.onceLocker.Do(func() {
 		logFile := files.NewFile(Tea.Root + "/logs/service.log")
 		if logFile.Exists() {
-			logFile.Delete()
+			_ = logFile.Delete()
 		}

 		//logger
--- a/internal/utils/service_linux.go
+++ b/internal/utils/service_linux.go
@@ -5,6 +5,7 @@ package utils
 import (
 	"errors"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	executils "github.com/TeaOSLab/EdgeAdmin/internal/utils/exec"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/files"
 	"os"
@@ -21,7 +22,7 @@ func (this *ServiceManager) Install(exePath string, args []string) error {
 		return errors.New("only root users can install the service")
 	}

-	systemd, err := exec.LookPath("systemctl")
+	systemd, err := executils.LookPath("systemctl")
 	if err != nil {
 		return this.installInitService(exePath, args)
 	}
@@ -36,7 +37,7 @@ func (this *ServiceManager) Start() error {
 	}

 	if files.NewFile(systemdServiceFile).Exists() {
-		systemd, err := exec.LookPath("systemctl")
+		systemd, err := executils.LookPath("systemctl")
 		if err != nil {
 			return err
 		}
@@ -53,16 +54,16 @@ func (this *ServiceManager) Uninstall() error {
 	}

 	if files.NewFile(systemdServiceFile).Exists() {
-		systemd, err := exec.LookPath("systemctl")
+		systemd, err := executils.LookPath("systemctl")
 		if err != nil {
 			return err
 		}

 		// disable service
-		exec.Command(systemd, "disable", teaconst.SystemdServiceName+".service").Start()
+		_ = exec.Command(systemd, "disable", teaconst.SystemdServiceName+".service").Start()

 		// reload
-		exec.Command(systemd, "daemon-reload")
+		_ = exec.Command(systemd, "daemon-reload").Start()

 		return files.NewFile(systemdServiceFile).Delete()
 	}
@@ -93,7 +94,7 @@ func (this *ServiceManager) installInitService(exePath string, args []string) er
 		return err
 	}

-	chkCmd, err := exec.LookPath("chkconfig")
+	chkCmd, err := executils.LookPath("chkconfig")
 	if err != nil {
 		return err
 	}
@@ -111,6 +112,12 @@ func (this *ServiceManager) installSystemdService(systemd, exePath string, args
 	shortName := teaconst.SystemdServiceName
 	longName := "GoEdge Admin" // TODO 将来可以修改

+	var startCmd = exePath + " daemon"
+	bashPath, _ := executils.LookPath("bash")
+	if len(bashPath) > 0 {
+		startCmd = bashPath + " -c \"" + startCmd + "\""
+	}
+
 	desc := `### BEGIN INIT INFO
 # Provides:          ` + shortName + `
 # Required-Start:    $all
@@ -128,8 +135,8 @@ After=network-online.target
 [Service]
 Type=simple
 Restart=always
-RestartSec=1s
-ExecStart=` + exePath + ` daemon
+RestartSec=5s
+ExecStart=` + startCmd + `
 ExecStop=` + exePath + ` stop
 ExecReload=` + exePath + ` reload

@@ -143,10 +150,10 @@ WantedBy=multi-user.target`
 	}

 	// stop current systemd service if running
-	exec.Command(systemd, "stop", shortName+".service")
+	_ = exec.Command(systemd, "stop", shortName+".service").Start()

 	// reload
-	exec.Command(systemd, "daemon-reload")
+	_ = exec.Command(systemd, "daemon-reload").Start()

 	// enable
 	cmd := exec.Command(systemd, "enable", shortName+".service")
--- a/internal/utils/service_windows.go
+++ b/internal/utils/service_windows.go
@@ -4,6 +4,7 @@ package utils

 import (
 	"fmt"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/iwind/TeaGo/Tea"
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
@@ -15,7 +16,7 @@ import (
 func (this *ServiceManager) Install(exePath string, args []string) error {
 	m, err := mgr.Connect()
 	if err != nil {
-		return fmt.Errorf("connecting: %s please 'Run as administrator' again", err.Error())
+		return fmt.Errorf("connecting: %w please 'Run as administrator' again", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(this.Name)
@@ -30,7 +31,7 @@ func (this *ServiceManager) Install(exePath string, args []string) error {
 		StartType:   windows.SERVICE_AUTO_START,
 	}, args...)
 	if err != nil {
-		return fmt.Errorf("creating: %s", err.Error())
+		return fmt.Errorf("creating: %w", err)
 	}
 	defer s.Close()

@@ -46,12 +47,12 @@ func (this *ServiceManager) Start() error {
 	defer m.Disconnect()
 	s, err := m.OpenService(this.Name)
 	if err != nil {
-		return fmt.Errorf("could not access service: %v", err)
+		return fmt.Errorf("could not access service: %w", err)
 	}
 	defer s.Close()
 	err = s.Start("service")
 	if err != nil {
-		return fmt.Errorf("could not start service: %v", err)
+		return fmt.Errorf("could not start service: %w", err)
 	}

 	return nil
@@ -61,12 +62,12 @@ func (this *ServiceManager) Start() error {
 func (this *ServiceManager) Uninstall() error {
 	m, err := mgr.Connect()
 	if err != nil {
-		return fmt.Errorf("connecting: %s please 'Run as administrator' again", err.Error())
+		return fmt.Errorf("connecting: %w please 'Run as administrator' again", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(this.Name)
 	if err != nil {
-		return fmt.Errorf("open service: %s", err.Error())
+		return fmt.Errorf("open service: %w", err)
 	}

 	// shutdown service
@@ -78,7 +79,7 @@ func (this *ServiceManager) Uninstall() error {
 	defer s.Close()
 	err = s.Delete()
 	if err != nil {
-		return fmt.Errorf("deleting: %s", err.Error())
+		return fmt.Errorf("deleting: %w", err)
 	}
 	return nil
 }
--- a/internal/utils/taskutils/concurrent.go
+++ b/internal/utils/taskutils/concurrent.go
@@ -0,0 +1,56 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package taskutils
+
+import (
+	"errors"
+	"reflect"
+	"sync"
+)
+
+func RunConcurrent(tasks any, concurrent int, f func(task any)) error {
+	if tasks == nil {
+		return nil
+	}
+	var tasksValue = reflect.ValueOf(tasks)
+	if tasksValue.Type().Kind() != reflect.Slice {
+		return errors.New("ony works for slice")
+	}
+
+	var countTasks = tasksValue.Len()
+	if countTasks == 0 {
+		return nil
+	}
+
+	if concurrent <= 0 {
+		concurrent = 8
+	}
+	if concurrent > countTasks {
+		concurrent = countTasks
+	}
+
+	var taskChan = make(chan any, countTasks)
+	for i := 0; i < countTasks; i++ {
+		taskChan <- tasksValue.Index(i).Interface()
+	}
+
+	var wg = &sync.WaitGroup{}
+	wg.Add(concurrent)
+	for i := 0; i < concurrent; i++ {
+		go func() {
+			defer wg.Done()
+
+			for {
+				select {
+				case task := <-taskChan:
+					f(task)
+				default:
+					return
+				}
+			}
+		}()
+	}
+	wg.Wait()
+
+	return nil
+}
--- a/internal/utils/taskutils/concurrent_test.go
+++ b/internal/utils/taskutils/concurrent_test.go
@@ -0,0 +1,17 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package taskutils_test
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils/taskutils"
+	"testing"
+)
+
+func TestRunConcurrent(t *testing.T) {
+	err := taskutils.RunConcurrent([]string{"a", "b", "c", "d", "e"}, 3, func(task any) {
+		t.Log("run", task)
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
--- a/internal/utils/unzip.go
+++ b/internal/utils/unzip.go
@@ -0,0 +1,95 @@
+package utils
+
+import (
+	"archive/zip"
+	"errors"
+	"io"
+	"os"
+)
+
+type Unzip struct {
+	zipFile   string
+	targetDir string
+}
+
+func NewUnzip(zipFile string, targetDir string) *Unzip {
+	return &Unzip{
+		zipFile:   zipFile,
+		targetDir: targetDir,
+	}
+}
+
+func (this *Unzip) Run() error {
+	if len(this.zipFile) == 0 {
+		return errors.New("zip file should not be empty")
+	}
+	if len(this.targetDir) == 0 {
+		return errors.New("target dir should not be empty")
+	}
+
+	reader, err := zip.OpenReader(this.zipFile)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = reader.Close()
+	}()
+
+	for _, file := range reader.File {
+		var info = file.FileInfo()
+		var target = this.targetDir + "/" + file.Name
+
+		// 目录
+		if info.IsDir() {
+			stat, err := os.Stat(target)
+			if err != nil {
+				if !os.IsNotExist(err) {
+					return err
+				} else {
+					err = os.MkdirAll(target, info.Mode())
+					if err != nil {
+						return err
+					}
+				}
+			} else if !stat.IsDir() {
+				err = os.MkdirAll(target, info.Mode())
+				if err != nil {
+					return err
+				}
+			}
+			continue
+		}
+
+		// 文件
+		err = func(file *zip.File, target string) error {
+			fileReader, err := file.Open()
+			if err != nil {
+				return err
+			}
+			defer func() {
+				_ = fileReader.Close()
+			}()
+
+			// remove old
+			_ = os.Remove(target)
+
+			// create new
+			fileWriter, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, file.FileInfo().Mode())
+			if err != nil {
+				return err
+			}
+			defer func() {
+				_ = fileWriter.Close()
+			}()
+
+			_, err = io.Copy(fileWriter, fileReader)
+			return err
+		}(file, target)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/internal/utils/upgrade_manager.go
+++ b/internal/utils/upgrade_manager.go
@@ -7,7 +7,9 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
+	"fmt"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	executils "github.com/TeaOSLab/EdgeAdmin/internal/utils/exec"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/types"
@@ -52,11 +54,14 @@ type UpgradeManager struct {
 	writer        *UpgradeFileWriter
 	body          io.ReadCloser
 	isCancelled   bool
+
+	downloadURL string
 }

-func NewUpgradeManager(component string) *UpgradeManager {
+func NewUpgradeManager(component string, downloadURL string) *UpgradeManager {
 	return &UpgradeManager{
-		component: component,
+		component:   component,
+		downloadURL: downloadURL,
 		client: &http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
@@ -83,21 +88,17 @@ func (this *UpgradeManager) Start() error {
 	}()

 	// 检查unzip
-	unzipExe, _ := exec.LookPath("unzip")
-	if len(unzipExe) == 0 {
-		// TODO install unzip automatically or pack with a static 'unzip' file
-		return errors.New("can not find 'unzip' command")
-	}
+	unzipExe, _ := executils.LookPath("unzip")

 	// 检查cp
-	cpExe, _ := exec.LookPath("cp")
+	cpExe, _ := executils.LookPath("cp")
 	if len(cpExe) == 0 {
 		return errors.New("can not find 'cp' command")
 	}

 	// 检查新版本
-	var downloadURL = ""
-	{
+	var downloadURL = this.downloadURL
+	if len(downloadURL) == 0 {
 		var url = teaconst.UpdatesURL
 		var osName = runtime.GOOS
 		if Tea.IsTesting() && osName == "darwin" {
@@ -105,14 +106,16 @@ func (this *UpgradeManager) Start() error {
 		}
 		url = strings.ReplaceAll(url, "${os}", osName)
 		url = strings.ReplaceAll(url, "${arch}", runtime.GOARCH)
+		url = strings.ReplaceAll(url, "${version}", teaconst.Version)
 		req, err := http.NewRequest(http.MethodGet, url, nil)
 		if err != nil {
-			return errors.New("create url request failed: " + err.Error())
+			return fmt.Errorf("create url request failed: %w", err)
 		}
+		req.Header.Set("User-Agent", "Edge-Admin/"+teaconst.Version)

 		resp, err := this.client.Do(req)
 		if err != nil {
-			return errors.New("read latest version failed: " + err.Error())
+			return fmt.Errorf("read latest version failed: %w", err)
 		}

 		defer func() {
@@ -125,13 +128,13 @@ func (this *UpgradeManager) Start() error {

 		data, err := io.ReadAll(resp.Body)
 		if err != nil {
-			return errors.New("read latest version failed: " + err.Error())
+			return fmt.Errorf("read latest version failed: %w", err)
 		}

 		var m = maps.Map{}
 		err = json.Unmarshal(data, &m)
 		if err != nil {
-			return errors.New("invalid response data: " + err.Error() + ", origin data: " + string(data))
+			return fmt.Errorf("invalid response data: %w, origin data: %s", err, string(data))
 		}

 		var code = m.GetInt("code")
@@ -167,12 +170,13 @@ func (this *UpgradeManager) Start() error {
 	{
 		req, err := http.NewRequest(http.MethodGet, downloadURL, nil)
 		if err != nil {
-			return errors.New("create download request failed: " + err.Error())
+			return fmt.Errorf("create download request failed: %w", err)
 		}
+		req.Header.Set("User-Agent", "Edge-Admin/"+teaconst.Version)

 		resp, err := this.client.Do(req)
 		if err != nil {
-			return errors.New("download failed: " + downloadURL + ": " + err.Error())
+			return fmt.Errorf("download failed: '%s': %w", downloadURL, err)
 		}

 		defer func() {
@@ -195,7 +199,7 @@ func (this *UpgradeManager) Start() error {

 		fp, err := os.Create(destFile)
 		if err != nil {
-			return errors.New("create file failed: " + err.Error())
+			return fmt.Errorf("create file failed: %w", err)
 		}

 		defer func() {
@@ -211,7 +215,7 @@ func (this *UpgradeManager) Start() error {
 			if this.isCancelled {
 				return nil
 			}
-			return errors.New("download failed: " + err.Error())
+			return fmt.Errorf("download failed: %w", err)
 		}

 		_ = fp.Close()
@@ -222,26 +226,38 @@ func (this *UpgradeManager) Start() error {
 		if err == nil && stat.IsDir() {
 			err = os.RemoveAll(unzipDir)
 			if err != nil {
-				return errors.New("remove old dir '" + unzipDir + "' failed: " + err.Error())
+				return fmt.Errorf("remove old dir '%s' failed: %w", unzipDir, err)
 			}
 		}
-		var unzipCmd = exec.Command(unzipExe, "-q", "-o", destFile, "-d", unzipDir)
-		var unzipStderr = &bytes.Buffer{}
-		unzipCmd.Stderr = unzipStderr
-		err = unzipCmd.Run()
-		if err != nil {
-			return errors.New("unzip installation file failed: " + err.Error() + ": " + unzipStderr.String())
+
+		if len(unzipExe) > 0 {
+			var unzipCmd = exec.Command(unzipExe, "-q", "-o", destFile, "-d", unzipDir)
+			var unzipStderr = &bytes.Buffer{}
+			unzipCmd.Stderr = unzipStderr
+			err = unzipCmd.Run()
+			if err != nil {
+				return fmt.Errorf("unzip installation file failed: %w: %s", err, unzipStderr.String())
+			}
+		} else {
+			var unzipCmd = &Unzip{
+				zipFile:   destFile,
+				targetDir: unzipDir,
+			}
+			err = unzipCmd.Run()
+			if err != nil {
+				return fmt.Errorf("unzip installation file failed: %w", err)
+			}
 		}

 		installationFiles, err := filepath.Glob(unzipDir + "/edge-" + this.component + "/*")
 		if err != nil {
-			return errors.New("lookup installation files failed: " + err.Error())
+			return fmt.Errorf("lookup installation files failed: %w", err)
 		}

 		// cp to target dir
 		currentExe, err := os.Executable()
 		if err != nil {
-			return errors.New("reveal current executable file path failed: " + err.Error())
+			return fmt.Errorf("reveal current executable file path failed: %w", err)
 		}
 		var targetDir = filepath.Dir(filepath.Dir(currentExe))
 		if !Tea.IsTesting() {
--- a/internal/utils/upgrade_manager_test.go
+++ b/internal/utils/upgrade_manager_test.go
@@ -9,7 +9,7 @@ import (
 )

 func TestNewUpgradeManager(t *testing.T) {
-	var manager = utils.NewUpgradeManager("admin")
+	var manager = utils.NewUpgradeManager("admin", "")

 	var ticker = time.NewTicker(2 * time.Second)
 	go func() {
--- a/internal/waf/injectionutils/libinjection/COPYING
+++ b/internal/waf/injectionutils/libinjection/COPYING
@@ -0,0 +1,32 @@
+Copyright (c) 2012-2016, Nick Galbreath
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+https://github.com/client9/libinjection
+http://opensource.org/licenses/BSD-3-Clause
--- a/internal/waf/injectionutils/libinjection/README.md
+++ b/internal/waf/injectionutils/libinjection/README.md
@@ -0,0 +1 @@
+copy from https://github.com/libinjection/libinjection
--- a/internal/waf/injectionutils/libinjection/src/libinjection.h
+++ b/internal/waf/injectionutils/libinjection/src/libinjection.h
@@ -0,0 +1,65 @@
+/**
+ * Copyright 2012-2016 Nick Galbreath
+ * nickg@client9.com
+ * BSD License -- see COPYING.txt for details
+ *
+ * https://libinjection.client9.com/
+ *
+ */
+
+#ifndef LIBINJECTION_H
+#define LIBINJECTION_H
+
+#ifdef __cplusplus
+# define LIBINJECTION_BEGIN_DECLS    extern "C" {
+# define LIBINJECTION_END_DECLS      }
+#else
+# define LIBINJECTION_BEGIN_DECLS
+# define LIBINJECTION_END_DECLS
+#endif
+
+LIBINJECTION_BEGIN_DECLS
+
+/*
+ * Pull in size_t
+ */
+#include <string.h>
+
+/*
+ * Version info.
+ *
+ * This is moved into a function to allow SWIG and other auto-generated
+ * binding to not be modified during minor release changes.  We change
+ * change the version number in the c source file, and not regenerated
+ * the binding
+ *
+ * See python's normalized version
+ * http://www.python.org/dev/peps/pep-0386/#normalizedversion
+ */
+const char* libinjection_version(void);
+
+/**
+ * Simple API for SQLi detection - returns a SQLi fingerprint or NULL
+ * is benign input
+ *
+ * \param[in] s  input string, may contain nulls, does not need to be null-terminated
+ * \param[in] slen input string length
+ * \param[out] fingerprint buffer of 8+ characters.  c-string,
+ * \return 1 if SQLi, 0 if benign.  fingerprint will be set or set to empty string.
+ */
+int libinjection_sqli(const char* s, size_t slen, char fingerprint[]);
+
+/** ALPHA version of xss detector.
+ *
+ * NOT DONE.
+ *
+ * \param[in] s  input string, may contain nulls, does not need to be null-terminated
+ * \param[in] slen input string length
+ * \return 1 if XSS found, 0 if benign
+ *
+ */
+int libinjection_xss(const char* s, size_t slen, int strictMode);
+
+LIBINJECTION_END_DECLS
+
+#endif /* LIBINJECTION_H */
--- a/internal/waf/injectionutils/libinjection/src/libinjection_html5.c
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_html5.c
@@ -0,0 +1,868 @@
+#include "libinjection_html5.h"
+
+#include <string.h>
+#include <assert.h>
+
+#ifdef DEBUG
+#include <stdio.h>
+#define TRACE() printf("%s:%d\n", __FUNCTION__, __LINE__)
+#else
+#define TRACE()
+#endif
+
+
+#define CHAR_EOF -1
+#define CHAR_NULL 0
+#define CHAR_BANG 33
+#define CHAR_DOUBLE 34
+#define CHAR_PERCENT 37
+#define CHAR_SINGLE 39
+#define CHAR_DASH 45
+#define CHAR_SLASH 47
+#define CHAR_LT 60
+#define CHAR_EQUALS 61
+#define CHAR_GT 62
+#define CHAR_QUESTION 63
+#define CHAR_RIGHTB 93
+#define CHAR_TICK 96
+
+/* prototypes */
+
+static int h5_skip_white(h5_state_t* hs);
+static int h5_is_white(char ch);
+static int h5_state_eof(h5_state_t* hs);
+static int h5_state_data(h5_state_t* hs);
+static int h5_state_tag_open(h5_state_t* hs);
+static int h5_state_tag_name(h5_state_t* hs);
+static int h5_state_tag_name_close(h5_state_t* hs);
+static int h5_state_end_tag_open(h5_state_t* hs);
+static int h5_state_self_closing_start_tag(h5_state_t* hs);
+static int h5_state_attribute_name(h5_state_t* hs);
+static int h5_state_after_attribute_name(h5_state_t* hs);
+static int h5_state_before_attribute_name(h5_state_t* hs);
+static int h5_state_before_attribute_value(h5_state_t* hs);
+static int h5_state_attribute_value_double_quote(h5_state_t* hs);
+static int h5_state_attribute_value_single_quote(h5_state_t* hs);
+static int h5_state_attribute_value_back_quote(h5_state_t* hs);
+static int h5_state_attribute_value_no_quote(h5_state_t* hs);
+static int h5_state_after_attribute_value_quoted_state(h5_state_t* hs);
+static int h5_state_comment(h5_state_t* hs);
+static int h5_state_cdata(h5_state_t* hs);
+
+
+/* 12.2.4.44 */
+static int h5_state_bogus_comment(h5_state_t* hs);
+static int h5_state_bogus_comment2(h5_state_t* hs);
+
+/* 12.2.4.45 */
+static int h5_state_markup_declaration_open(h5_state_t* hs);
+
+/* 8.2.4.52 */
+static int h5_state_doctype(h5_state_t* hs);
+
+/**
+ * public function
+ */
+void libinjection_h5_init(h5_state_t* hs, const char* s, size_t len, enum html5_flags flags)
+{
+    memset(hs, 0, sizeof(h5_state_t));
+    hs->s = s;
+    hs->len = len;
+
+    switch (flags) {
+    case DATA_STATE:
+        hs->state = h5_state_data;
+        break;
+    case VALUE_NO_QUOTE:
+        hs->state = h5_state_before_attribute_name;
+        break;
+    case VALUE_SINGLE_QUOTE:
+        hs->state = h5_state_attribute_value_single_quote;
+        break;
+    case VALUE_DOUBLE_QUOTE:
+        hs->state = h5_state_attribute_value_double_quote;
+        break;
+    case VALUE_BACK_QUOTE:
+        hs->state = h5_state_attribute_value_back_quote;
+        break;
+    }
+}
+
+/**
+ * public function
+ */
+int libinjection_h5_next(h5_state_t* hs)
+{
+    assert(hs->state != NULL);
+    return (*hs->state)(hs);
+}
+
+/**
+ * Everything below here is private
+ *
+ */
+
+
+static int h5_is_white(char ch)
+{
+    /*
+     * \t = horizontal tab = 0x09
+     * \n = newline = 0x0A
+     * \v = vertical tab = 0x0B
+     * \f = form feed = 0x0C
+     * \r = cr  = 0x0D
+     */
+    return strchr(" \t\n\v\f\r", ch) != NULL;
+}
+
+static int h5_skip_white(h5_state_t* hs)
+{
+    char ch;
+    while (hs->pos < hs->len) {
+        ch = hs->s[hs->pos];
+        switch (ch) {
+        case 0x00: /* IE only */
+        case 0x20:
+        case 0x09:
+        case 0x0A:
+        case 0x0B: /* IE only */
+        case 0x0C:
+        case 0x0D: /* IE only */
+            hs->pos += 1;
+            break;
+        default:
+            return ch;
+        }
+    }
+    return CHAR_EOF;
+}
+
+static int h5_state_eof(h5_state_t* hs)
+{
+    /* eliminate unused function argument warning */
+    (void)hs;
+    return 0;
+}
+
+static int h5_state_data(h5_state_t* hs)
+{
+    const char* idx;
+
+    TRACE();
+    assert(hs->len >= hs->pos);
+    idx = (const char*) memchr(hs->s + hs->pos, CHAR_LT, hs->len - hs->pos);
+    if (idx == NULL) {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = hs->len - hs->pos;
+        hs->token_type = DATA_TEXT;
+        hs->state = h5_state_eof;
+        if (hs->token_len == 0) {
+            return 0;
+        }
+    } else {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_type = DATA_TEXT;
+        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+        hs->pos = (size_t)(idx - hs->s) + 1;
+        hs->state = h5_state_tag_open;
+        if (hs->token_len == 0) {
+            return h5_state_tag_open(hs);
+        }
+    }
+    return 1;
+}
+
+/**
+ * 12 2.4.8
+ */
+static int h5_state_tag_open(h5_state_t* hs)
+{
+    char ch;
+
+    TRACE();
+    if (hs->pos >= hs->len) {
+        return 0;
+    }
+    ch = hs->s[hs->pos];
+    if (ch == CHAR_BANG) {
+        hs->pos += 1;
+        return h5_state_markup_declaration_open(hs);
+    } else if (ch == CHAR_SLASH) {
+        hs->pos += 1;
+        hs->is_close = 1;
+        return h5_state_end_tag_open(hs);
+    } else if (ch == CHAR_QUESTION) {
+        hs->pos += 1;
+        return h5_state_bogus_comment(hs);
+    } else if (ch == CHAR_PERCENT) {
+        /* this is not in spec.. alternative comment format used
+           by IE <= 9 and Safari < 4.0.3 */
+        hs->pos += 1;
+        return h5_state_bogus_comment2(hs);
+    } else if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z')) {
+        return h5_state_tag_name(hs);
+    } else if (ch == CHAR_NULL) {
+        /* IE-ism  NULL characters are ignored */
+        return h5_state_tag_name(hs);
+    } else {
+        /* user input mistake in configuring state */
+        if (hs->pos == 0) {
+            return h5_state_data(hs);
+        }
+        hs->token_start = hs->s + hs->pos - 1;
+        hs->token_len = 1;
+        hs->token_type = DATA_TEXT;
+        hs->state = h5_state_data;
+        return 1;
+    }
+}
+/**
+ * 12.2.4.9
+ */
+static int h5_state_end_tag_open(h5_state_t* hs)
+{
+    char ch;
+
+    TRACE();
+
+    if (hs->pos >= hs->len) {
+        return 0;
+    }
+    ch = hs->s[hs->pos];
+    if (ch == CHAR_GT) {
+        return h5_state_data(hs);
+    } else if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z')) {
+        return h5_state_tag_name(hs);
+    }
+
+    hs->is_close = 0;
+    return h5_state_bogus_comment(hs);
+}
+/*
+ *
+ */
+static int h5_state_tag_name_close(h5_state_t* hs)
+{
+    TRACE();
+    hs->is_close = 0;
+    hs->token_start = hs->s + hs->pos;
+    hs->token_len = 1;
+    hs->token_type = TAG_NAME_CLOSE;
+    hs->pos += 1;
+    if (hs->pos < hs->len) {
+        hs->state = h5_state_data;
+    } else {
+        hs->state = h5_state_eof;
+    }
+
+    return 1;
+}
+
+/**
+ * 12.2.4.10
+ */
+static int h5_state_tag_name(h5_state_t* hs)
+{
+    char ch;
+    size_t pos;
+
+    TRACE();
+    pos = hs->pos;
+    while (pos < hs->len) {
+        ch = hs->s[pos];
+        if (ch == 0) {
+            /* special non-standard case */
+            /* allow nulls in tag name   */
+            /* some old browsers apparently allow and ignore them */
+            pos += 1;
+        } else if (h5_is_white(ch)) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = pos - hs->pos;
+            hs->token_type = TAG_NAME_OPEN;
+            hs->pos = pos + 1;
+            hs->state = h5_state_before_attribute_name;
+            return 1;
+        } else if (ch == CHAR_SLASH) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = pos - hs->pos;
+            hs->token_type = TAG_NAME_OPEN;
+            hs->pos = pos + 1;
+            hs->state = h5_state_self_closing_start_tag;
+            return 1;
+        } else if (ch == CHAR_GT) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = pos - hs->pos;
+            if (hs->is_close) {
+                hs->pos = pos + 1;
+                hs->is_close = 0;
+                hs->token_type = TAG_CLOSE;
+                hs->state = h5_state_data;
+            } else {
+                hs->pos = pos;
+                hs->token_type = TAG_NAME_OPEN;
+                hs->state = h5_state_tag_name_close;
+            }
+            return 1;
+        } else {
+            pos += 1;
+        }
+    }
+
+    hs->token_start = hs->s + hs->pos;
+    hs->token_len = hs->len - hs->pos;
+    hs->token_type = TAG_NAME_OPEN;
+    hs->state = h5_state_eof;
+    return 1;
+}
+
+/**
+ * 12.2.4.34
+ */
+static int h5_state_before_attribute_name(h5_state_t* hs)
+{
+    int ch;
+
+    TRACE();
+
+    /* for manual tail call optimization, see comment below */
+    tail_call:;
+
+    ch = h5_skip_white(hs);
+    switch (ch) {
+    case CHAR_EOF: {
+        return 0;
+    }
+    case CHAR_SLASH: {
+        hs->pos += 1;
+        /* Logically, We want to call h5_state_self_closing_start_tag(hs) here.
+
+           As this function may call us back and the compiler
+           might not implement automatic tail call optimization,
+           this might result in a deep recursion.
+
+           We detect this case here and start over with the current state.
+        */
+
+        if (hs->pos < hs->len && hs->s[hs->pos] != CHAR_GT) {
+            goto tail_call;
+        }
+        return h5_state_self_closing_start_tag(hs);
+    }
+    case CHAR_GT: {
+        hs->state = h5_state_data;
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = 1;
+        hs->token_type = TAG_NAME_CLOSE;
+        hs->pos += 1;
+        return 1;
+    }
+    default: {
+        return h5_state_attribute_name(hs);
+    }
+    }
+}
+
+static int h5_state_attribute_name(h5_state_t* hs)
+{
+    char ch;
+    size_t pos;
+
+    TRACE();
+    pos = hs->pos + 1;
+    while (pos < hs->len) {
+        ch = hs->s[pos];
+        if (h5_is_white(ch)) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len   = pos - hs->pos;
+            hs->token_type  = ATTR_NAME;
+            hs->state = h5_state_after_attribute_name;
+            hs->pos = pos + 1;
+            return 1;
+        } else if (ch == CHAR_SLASH) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len   = pos - hs->pos;
+            hs->token_type  = ATTR_NAME;
+            hs->state = h5_state_self_closing_start_tag;
+            hs->pos = pos + 1;
+            return 1;
+        } else if (ch == CHAR_EQUALS) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len   = pos - hs->pos;
+            hs->token_type  = ATTR_NAME;
+            hs->state = h5_state_before_attribute_value;
+            hs->pos = pos + 1;
+            return 1;
+        } else if (ch == CHAR_GT) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len   = pos - hs->pos;
+            hs->token_type  = ATTR_NAME;
+            hs->state = h5_state_tag_name_close;
+            hs->pos = pos;
+            return 1;
+        } else {
+            pos += 1;
+        }
+    }
+    /* EOF */
+    hs->token_start = hs->s + hs->pos;
+    hs->token_len   = hs->len - hs->pos;
+    hs->token_type  = ATTR_NAME;
+    hs->state = h5_state_eof;
+    hs->pos = hs->len;
+    return 1;
+}
+
+/**
+ * 12.2.4.36
+ */
+static int h5_state_after_attribute_name(h5_state_t* hs)
+{
+    int c;
+
+    TRACE();
+    c = h5_skip_white(hs);
+    switch (c) {
+    case CHAR_EOF: {
+        return 0;
+    }
+    case CHAR_SLASH: {
+        hs->pos += 1;
+        return h5_state_self_closing_start_tag(hs);
+    }
+    case CHAR_EQUALS: {
+        hs->pos += 1;
+        return h5_state_before_attribute_value(hs);
+    }
+    case CHAR_GT: {
+        return h5_state_tag_name_close(hs);
+    }
+    default: {
+        return h5_state_attribute_name(hs);
+    }
+    }
+}
+
+/**
+ * 12.2.4.37
+ */
+static int h5_state_before_attribute_value(h5_state_t* hs)
+{
+    int c;
+    TRACE();
+
+    c = h5_skip_white(hs);
+
+    if (c == CHAR_EOF) {
+        hs->state = h5_state_eof;
+        return 0;
+    }
+
+    if (c == CHAR_DOUBLE) {
+        return h5_state_attribute_value_double_quote(hs);
+    } else if (c == CHAR_SINGLE) {
+        return h5_state_attribute_value_single_quote(hs);
+    } else if (c == CHAR_TICK) {
+        /* NON STANDARD IE */
+        return h5_state_attribute_value_back_quote(hs);
+    } else {
+        return h5_state_attribute_value_no_quote(hs);
+    }
+}
+
+
+static int h5_state_attribute_value_quote(h5_state_t* hs, char qchar)
+{
+    const char* idx;
+
+    TRACE();
+
+    /* skip initial quote in normal case.
+     * don't do this "if (pos == 0)" since it means we have started
+     * in a non-data state.  given an input of '><foo
+     * we want to make 0-length attribute name
+     */
+    if (hs->pos > 0) {
+        hs->pos += 1;
+    }
+
+
+    idx = (const char*) memchr(hs->s + hs->pos, qchar, hs->len - hs->pos);
+    if (idx == NULL) {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = hs->len - hs->pos;
+        hs->token_type = ATTR_VALUE;
+        hs->state = h5_state_eof;
+    } else {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+        hs->token_type = ATTR_VALUE;
+        hs->state = h5_state_after_attribute_value_quoted_state;
+        hs->pos += hs->token_len + 1;
+    }
+    return 1;
+}
+
+static
+int h5_state_attribute_value_double_quote(h5_state_t* hs)
+{
+    TRACE();
+    return h5_state_attribute_value_quote(hs, CHAR_DOUBLE);
+}
+
+static
+int h5_state_attribute_value_single_quote(h5_state_t* hs)
+{
+    TRACE();
+    return h5_state_attribute_value_quote(hs, CHAR_SINGLE);
+}
+
+static
+int h5_state_attribute_value_back_quote(h5_state_t* hs)
+{
+    TRACE();
+    return h5_state_attribute_value_quote(hs, CHAR_TICK);
+}
+
+static int h5_state_attribute_value_no_quote(h5_state_t* hs)
+{
+    char ch;
+    size_t pos;
+
+    TRACE();
+    pos = hs->pos;
+    while (pos < hs->len) {
+        ch = hs->s[pos];
+        if (h5_is_white(ch)) {
+            hs->token_type = ATTR_VALUE;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = pos - hs->pos;
+            hs->pos = pos + 1;
+            hs->state = h5_state_before_attribute_name;
+            return 1;
+        } else if (ch == CHAR_GT) {
+            hs->token_type = ATTR_VALUE;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = pos - hs->pos;
+            hs->pos = pos;
+            hs->state = h5_state_tag_name_close;
+            return 1;
+        }
+        pos += 1;
+    }
+    TRACE();
+    /* EOF */
+    hs->state = h5_state_eof;
+    hs->token_start = hs->s + hs->pos;
+    hs->token_len = hs->len - hs->pos;
+    hs->token_type = ATTR_VALUE;
+    return 1;
+}
+
+/**
+ * 12.2.4.41
+ */
+static int h5_state_after_attribute_value_quoted_state(h5_state_t* hs)
+{
+    char ch;
+
+    TRACE();
+    if (hs->pos >= hs->len) {
+        return 0;
+    }
+    ch = hs->s[hs->pos];
+    if (h5_is_white(ch)) {
+        hs->pos += 1;
+        return h5_state_before_attribute_name(hs);
+    } else if (ch == CHAR_SLASH) {
+        hs->pos += 1;
+        return h5_state_self_closing_start_tag(hs);
+    } else if (ch == CHAR_GT) {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = 1;
+        hs->token_type = TAG_NAME_CLOSE;
+        hs->pos += 1;
+        hs->state = h5_state_data;
+        return 1;
+    } else {
+        return h5_state_before_attribute_name(hs);
+    }
+}
+
+/**
+ * 12.2.4.43
+ *
+ *  WARNING: This function is partially inlined into h5_state_before_attribute_name()
+ */
+static int h5_state_self_closing_start_tag(h5_state_t* hs)
+{
+    char ch;
+
+    TRACE();
+    if (hs->pos >= hs->len) {
+        return 0;
+    }
+    ch = hs->s[hs->pos];
+    if (ch == CHAR_GT) {
+        assert(hs->pos > 0);
+        hs->token_start = hs->s + hs->pos -1;
+        hs->token_len = 2;
+        hs->token_type = TAG_NAME_SELFCLOSE;
+        hs->state = h5_state_data;
+        hs->pos += 1;
+        return 1;
+    } else {
+        return h5_state_before_attribute_name(hs);
+    }
+}
+
+/**
+ * 12.2.4.44
+ */
+static int h5_state_bogus_comment(h5_state_t* hs)
+{
+    const char* idx;
+
+    TRACE();
+    idx = (const char*) memchr(hs->s + hs->pos, CHAR_GT, hs->len - hs->pos);
+    if (idx == NULL) {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = hs->len - hs->pos;
+        hs->pos = hs->len;
+        hs->state = h5_state_eof;
+    } else {
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+        hs->pos =  (size_t)(idx - hs->s) + 1;
+        hs->state = h5_state_data;
+    }
+
+    hs->token_type = TAG_COMMENT;
+    return 1;
+}
+
+/**
+ * 12.2.4.44 ALT
+ */
+static int h5_state_bogus_comment2(h5_state_t* hs)
+{
+    const char* idx;
+    size_t pos;
+
+    TRACE();
+    pos = hs->pos;
+    while (1) {
+        idx = (const char*) memchr(hs->s + pos, CHAR_PERCENT, hs->len - pos);
+        if (idx == NULL || (idx + 1 >= hs->s + hs->len)) {
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->pos = hs->len;
+            hs->token_type = TAG_COMMENT;
+            hs->state = h5_state_eof;
+            return 1;
+        }
+
+        if (*(idx +1) != CHAR_GT) {
+            pos = (size_t)(idx - hs->s) + 1;
+            continue;
+        }
+
+        /* ends in %> */
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+        hs->pos = (size_t)(idx - hs->s) + 2;
+        hs->state = h5_state_data;
+        hs->token_type = TAG_COMMENT;
+        return 1;
+    }
+}
+
+/**
+ * 8.2.4.45
+ */
+static int h5_state_markup_declaration_open(h5_state_t* hs)
+{
+    size_t remaining;
+
+    TRACE();
+    remaining = hs->len - hs->pos;
+    if (remaining >= 7 &&
+        /* case insensitive */
+        (hs->s[hs->pos + 0] == 'D' || hs->s[hs->pos + 0] == 'd') &&
+        (hs->s[hs->pos + 1] == 'O' || hs->s[hs->pos + 1] == 'o') &&
+        (hs->s[hs->pos + 2] == 'C' || hs->s[hs->pos + 2] == 'c') &&
+        (hs->s[hs->pos + 3] == 'T' || hs->s[hs->pos + 3] == 't') &&
+        (hs->s[hs->pos + 4] == 'Y' || hs->s[hs->pos + 4] == 'y') &&
+        (hs->s[hs->pos + 5] == 'P' || hs->s[hs->pos + 5] == 'p') &&
+        (hs->s[hs->pos + 6] == 'E' || hs->s[hs->pos + 6] == 'e')
+        ) {
+        return h5_state_doctype(hs);
+    } else if (remaining >= 7 &&
+               /* upper case required */
+               hs->s[hs->pos + 0] == '[' &&
+               hs->s[hs->pos + 1] == 'C' &&
+               hs->s[hs->pos + 2] == 'D' &&
+               hs->s[hs->pos + 3] == 'A' &&
+               hs->s[hs->pos + 4] == 'T' &&
+               hs->s[hs->pos + 5] == 'A' &&
+               hs->s[hs->pos + 6] == '['
+        ) {
+        hs->pos += 7;
+        return h5_state_cdata(hs);
+    } else if (remaining >= 2 &&
+               hs->s[hs->pos + 0] == '-' &&
+               hs->s[hs->pos + 1] == '-') {
+        hs->pos += 2;
+        return h5_state_comment(hs);
+    }
+
+    return h5_state_bogus_comment(hs);
+}
+
+/**
+ * 12.2.4.48
+ * 12.2.4.49
+ * 12.2.4.50
+ * 12.2.4.51
+ *   state machine spec is confusing since it can only look
+ *   at one character at a time but simply it's comments end by:
+ *   1) EOF
+ *   2) ending in -->
+ *   3) ending in -!>
+ */
+static int h5_state_comment(h5_state_t* hs)
+{
+    char ch;
+    const char* idx;
+    size_t pos;
+    size_t offset;
+    const char* end = hs->s + hs->len;
+
+    TRACE();
+    pos = hs->pos;
+    while (1) {
+
+        idx = (const char*) memchr(hs->s + pos, CHAR_DASH, hs->len - pos);
+
+        /* did not find anything or has less than 3 chars left */
+        if (idx == NULL || idx > hs->s + hs->len - 3) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+        offset = 1;
+
+        /* skip all nulls */
+        while (idx + offset < end && *(idx + offset) == 0) {
+            offset += 1;
+        }
+        if (idx + offset == end) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+
+        ch = *(idx + offset);
+        if (ch != CHAR_DASH && ch != CHAR_BANG) {
+            pos = (size_t)(idx - hs->s) + 1;
+            continue;
+        }
+
+        /* need to test */
+#if 0
+        /* skip all nulls */
+        while (idx + offset < end && *(idx + offset) == 0) {
+            offset += 1;
+        }
+        if (idx + offset == end) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+#endif
+
+        offset += 1;
+        if (idx + offset == end) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+
+
+        ch = *(idx + offset);
+        if (ch != CHAR_GT) {
+            pos = (size_t)(idx - hs->s) + 1;
+            continue;
+        }
+        offset += 1;
+
+        /* ends in --> or -!> */
+        hs->token_start = hs->s + hs->pos;
+        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+        hs->pos = (size_t)(idx + offset - hs->s);
+        hs->state = h5_state_data;
+        hs->token_type = TAG_COMMENT;
+        return 1;
+    }
+}
+
+static int h5_state_cdata(h5_state_t* hs)
+{
+    const char* idx;
+    size_t pos;
+
+    TRACE();
+    pos = hs->pos;
+    while (1) {
+        idx = (const char*) memchr(hs->s + pos, CHAR_RIGHTB, hs->len - pos);
+
+        /* did not find anything or has less than 3 chars left */
+        if (idx == NULL || idx > hs->s + hs->len - 3) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = DATA_TEXT;
+            return 1;
+        } else if ( *(idx+1) == CHAR_RIGHTB && *(idx+2) == CHAR_GT) {
+            hs->state = h5_state_data;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+            hs->pos = (size_t)(idx - hs->s) + 3;
+            hs->token_type = DATA_TEXT;
+            return 1;
+        } else {
+            pos = (size_t)(idx - hs->s) + 1;
+        }
+    }
+}
+
+/**
+ * 8.2.4.52
+ * http://www.w3.org/html/wg/drafts/html/master/syntax.html#doctype-state
+ */
+static int h5_state_doctype(h5_state_t* hs)
+{
+    const char* idx;
+
+    TRACE();
+    hs->token_start = hs->s + hs->pos;
+    hs->token_type = DOCTYPE;
+
+    idx = (const char*) memchr(hs->s + hs->pos, CHAR_GT, hs->len - hs->pos);
+    if (idx == NULL) {
+        hs->state = h5_state_eof;
+        hs->token_len = hs->len - hs->pos;
+    } else {
+        hs->state = h5_state_data;
+        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
+        hs->pos = (size_t)(idx - hs->s) + 1;
+    }
+    return 1;
+}
--- a/internal/waf/injectionutils/libinjection/src/libinjection_html5.h
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_html5.h
@@ -0,0 +1,54 @@
+#ifndef LIBINJECTION_HTML5
+#define LIBINJECTION_HTML5
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* pull in size_t */
+
+#include <stddef.h>
+
+enum html5_type {
+    DATA_TEXT
+    , TAG_NAME_OPEN
+    , TAG_NAME_CLOSE
+    , TAG_NAME_SELFCLOSE
+    , TAG_DATA
+    , TAG_CLOSE
+    , ATTR_NAME
+    , ATTR_VALUE
+    , TAG_COMMENT
+    , DOCTYPE
+};
+
+enum html5_flags {
+  DATA_STATE
+  , VALUE_NO_QUOTE
+  , VALUE_SINGLE_QUOTE
+  , VALUE_DOUBLE_QUOTE
+  , VALUE_BACK_QUOTE
+};
+
+struct h5_state;
+typedef int (*ptr_html5_state)(struct h5_state*);
+
+typedef struct h5_state {
+    const char* s;
+    size_t len;
+    size_t pos;
+    int is_close;
+    ptr_html5_state state;
+    const char* token_start;
+    size_t token_len;
+    enum html5_type token_type;
+} h5_state_t;
+
+
+void libinjection_h5_init(h5_state_t* hs, const char* s, size_t len, enum html5_flags);
+int libinjection_h5_next(h5_state_t* hs);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
--- a/internal/waf/injectionutils/libinjection/src/libinjection_sqli.c
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_sqli.c
--- a/internal/waf/injectionutils/libinjection/src/libinjection_sqli.h
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_sqli.h
@@ -0,0 +1,294 @@
+/**
+ * Copyright 2012-2016 Nick Galbreath
+ * nickg@client9.com
+ * BSD License -- see `COPYING.txt` for details
+ *
+ * https://libinjection.client9.com/
+ *
+ */
+
+#ifndef LIBINJECTION_SQLI_H
+#define LIBINJECTION_SQLI_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Pull in size_t
+ */
+#include <string.h>
+
+enum sqli_flags {
+    FLAG_NONE            = 0
+    , FLAG_QUOTE_NONE    = 1   /* 1 << 0 */
+    , FLAG_QUOTE_SINGLE  = 2   /* 1 << 1 */
+    , FLAG_QUOTE_DOUBLE  = 4   /* 1 << 2 */
+
+    , FLAG_SQL_ANSI      = 8   /* 1 << 3 */
+    , FLAG_SQL_MYSQL     = 16  /* 1 << 4 */
+};
+
+enum lookup_type {
+    LOOKUP_WORD        = 1
+    , LOOKUP_TYPE        = 2
+    , LOOKUP_OPERATOR    = 3
+    , LOOKUP_FINGERPRINT = 4
+};
+
+struct libinjection_sqli_token {
+#ifdef SWIG
+%immutable;
+#endif
+    /*
+     * position and length of token
+     * in original string
+     */
+    size_t pos;
+    size_t len;
+
+    /*  count:
+     *  in type 'v', used for number of opening '@'
+     *  but maybe used in other contexts
+     */
+    int  count;
+
+    char type;
+    char str_open;
+    char str_close;
+    char val[32];
+};
+
+typedef struct libinjection_sqli_token stoken_t;
+
+/**
+ * Pointer to function, takes c-string input,
+ *  returns '\0' for no match, else a char
+ */
+struct libinjection_sqli_state;
+typedef char (*ptr_lookup_fn)(struct libinjection_sqli_state*, int lookuptype, const char* word, size_t len);
+
+struct libinjection_sqli_state {
+#ifdef SWIG
+%immutable;
+#endif
+
+    /*
+     * input, does not need to be null terminated.
+     * it is also not modified.
+     */
+    const char *s;
+
+    /*
+     * input length
+     */
+    size_t slen;
+
+    /*
+     * How to lookup a word or fingerprint
+     */
+    ptr_lookup_fn lookup;
+    void*         userdata;
+
+    /*
+     *
+     */
+    int flags;
+
+    /*
+     * pos is the index in the string during tokenization
+     */
+    size_t pos;
+
+#ifndef SWIG
+    /* for SWIG.. don't use this.. use functional API instead */
+
+    /* MAX TOKENS + 1 since we use one extra token
+     * to determine the type of the previous token
+     */
+    struct libinjection_sqli_token tokenvec[8];
+#endif
+
+    /*
+     * Pointer to token position in tokenvec, above
+     */
+    struct libinjection_sqli_token *current;
+
+    /*
+     * fingerprint pattern c-string
+     * +1 for ending null
+     * Minimum of 8 bytes to add gcc's -fstack-protector to work
+     */
+    char fingerprint[8];
+
+    /*
+     * Line number of code that said decided if the input was SQLi or
+     * not.  Most of the time it's line that said "it's not a matching
+     * fingerprint" but there is other logic that sometimes approves
+     * an input. This is only useful for debugging.
+     *
+     */
+    int reason;
+
+    /* Number of ddw (dash-dash-white) comments
+     * These comments are in the form of
+     *   '--[whitespace]' or '--[EOF]'
+     *
+     * All databases treat this as a comment.
+     */
+     int stats_comment_ddw;
+
+    /* Number of ddx (dash-dash-[notwhite]) comments
+     *
+     * ANSI SQL treats these are comments, MySQL treats this as
+     * two unary operators '-' '-'
+     *
+     * If you are parsing result returns FALSE and
+     * stats_comment_dd > 0, you should reparse with
+     * COMMENT_MYSQL
+     *
+     */
+    int stats_comment_ddx;
+
+    /*
+     * c-style comments found  /x .. x/
+     */
+    int stats_comment_c;
+
+    /* '#' operators or MySQL EOL comments found
+     *
+     */
+    int stats_comment_hash;
+
+    /*
+     * number of tokens folded away
+     */
+    int stats_folds;
+
+    /*
+     * total tokens processed
+     */
+    int stats_tokens;
+
+};
+
+typedef struct libinjection_sqli_state sfilter;
+
+struct libinjection_sqli_token* libinjection_sqli_get_token(
+    struct libinjection_sqli_state* sql_state, int i);
+
+/*
+ * Version info.
+ *
+ * This is moved into a function to allow SWIG and other auto-generated
+ * binding to not be modified during minor release changes.  We change
+ * change the version number in the c source file, and not regenerated
+ * the binding
+ *
+ * See python's normalized version
+ * http://www.python.org/dev/peps/pep-0386/#normalizedversion
+ */
+const char* libinjection_version(void);
+
+/**
+ *
+ */
+void libinjection_sqli_init(struct libinjection_sqli_state *sf,
+                            const char* s, size_t len,
+                            int flags);
+
+/**
+ * Main API: tests for SQLi in three possible contexts, no quotes,
+ * single quote and double quote
+ *
+ * \param sql_state core data structure
+ *
+ * \return 1 (true) if SQLi, 0 (false) if benign
+ */
+int libinjection_is_sqli(struct libinjection_sqli_state* sql_state);
+
+/*  FOR HACKERS ONLY
+ *   provides deep hooks into the decision making process
+ */
+void libinjection_sqli_callback(struct libinjection_sqli_state *sf,
+                                ptr_lookup_fn fn,
+                                void* userdata);
+
+
+/*
+ * Resets state, but keeps initial string and callbacks
+ */
+void libinjection_sqli_reset(struct libinjection_sqli_state *sf,
+                             int flags);
+
+/**
+ *
+ */
+
+/**
+ * This detects SQLi in a single context, mostly useful for custom
+ * logic and debugging.
+ *
+ * \param sql_state  Main data structure
+ * \param flags flags to adjust parsing
+ *
+ * \returns a pointer to sfilter.fingerprint as convenience
+ *          do not free!
+ *
+ */
+const char* libinjection_sqli_fingerprint(struct libinjection_sqli_state *sql_state,
+                                          int flags);
+
+/**
+ * The default "word" to token-type or fingerprint function.  This
+ * uses a ASCII case-insensitive binary tree.
+ */
+char libinjection_sqli_lookup_word(struct libinjection_sqli_state *sql_state,
+                                   int lookup_type,
+                                   const char* str,
+                                   size_t len);
+
+/* Streaming tokenization interface.
+ *
+ * sql_state->current is updated with the current token.
+ *
+ * \returns 1, has a token, keep going, or 0 no tokens
+ *
+ */
+int  libinjection_sqli_tokenize(struct libinjection_sqli_state *sf);
+
+/**
+ * parses and folds input, up to 5 tokens
+ *
+ */
+int libinjection_sqli_fold(struct libinjection_sqli_state *sf);
+
+/** The built-in default function to match fingerprints
+ *  and do false negative/positive analysis.  This calls the following
+ *  two functions.  With this, you over-ride one part or the other.
+ *
+ *     return libinjection_sqli_blacklist(sql_state) &&
+ *        libinjection_sqli_not_whitelist(sql_state);
+ *
+ * \param sql_state should be filled out after libinjection_sqli_fingerprint is called
+ */
+int libinjection_sqli_check_fingerprint(struct libinjection_sqli_state * sql_state);
+
+/* Given a pattern determine if it's a SQLi pattern.
+ *
+ * \return TRUE if sqli, false otherwise
+ */
+int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state);
+
+/* Given a positive match for a pattern (i.e. pattern is SQLi), this function
+ * does additional analysis to reduce false positives.
+ *
+ * \return TRUE if SQLi, false otherwise
+ */
+int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* LIBINJECTION_SQLI_H */
--- a/internal/waf/injectionutils/libinjection/src/libinjection_sqli_data.h
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_sqli_data.h
--- a/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
@@ -0,0 +1,918 @@
+
+#include "libinjection.h"
+#include "libinjection_xss.h"
+#include "libinjection_html5.h"
+
+#include <assert.h>
+#include <stdio.h>
+
+typedef enum attribute {
+    TYPE_NONE
+    , TYPE_BLACK     /* ban always */
+    , TYPE_ATTR_URL   /* attribute value takes a URL-like object */
+    , TYPE_STYLE
+    , TYPE_ATTR_INDIRECT  /* attribute *name* is given in *value* */
+} attribute_t;
+
+
+static attribute_t is_black_attr(const char* s, size_t len, int strictMode);
+static int is_black_tag(const char* s, size_t len, int strictMode);
+static int is_black_url(const char* s, size_t len);
+static int cstrcasecmp_with_null(const char *a, const char *b, size_t n);
+static int html_decode_char_at(const char* src, size_t len, size_t* consumed);
+static int htmlencode_startswith(const char *a/* prefix */, const char *b /* src */, size_t n);
+
+
+typedef struct stringtype {
+    const char* name;
+    attribute_t atype;
+} stringtype_t;
+
+
+static const int gsHexDecodeMap[256] = {
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 256, 256,
+    256, 256, 256, 256, 256,  10,  11,  12,  13,  14,  15, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256,  10,  11,  12,  13,  14,  15, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+    256, 256, 256, 256
+};
+
+static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
+{
+    int val = 0;
+    size_t i;
+    int ch;
+
+    if (len == 0 || src == NULL) {
+        *consumed = 0;
+        return -1;
+    }
+
+    *consumed = 1;
+    if (*src != '&' || len < 2) {
+        return (unsigned char)(*src);
+    }
+
+
+    if (*(src+1) != '#') {
+        /* normally this would be for named entities
+         * but for this case we don't actually care
+         */
+        return '&';
+    }
+
+    if (*(src+2) == 'x' || *(src+2) == 'X') {
+        ch = (unsigned char) (*(src+3));
+        ch = gsHexDecodeMap[ch];
+        if (ch == 256) {
+            /* degenerate case  '&#[?]' */
+            return '&';
+        }
+        val = ch;
+        i = 4;
+        while (i < len) {
+            ch = (unsigned char) src[i];
+            if (ch == ';') {
+                *consumed = i + 1;
+                return val;
+            }
+            ch = gsHexDecodeMap[ch];
+            if (ch == 256) {
+                *consumed = i;
+                return val;
+            }
+            val = (val * 16) + ch;
+            if (val > 0x1000FF) {
+                return '&';
+            }
+            ++i;
+        }
+        *consumed = i;
+        return val;
+    } else {
+        i = 2;
+        ch = (unsigned char) src[i];
+        if (ch < '0' || ch > '9') {
+            return '&';
+        }
+        val = ch - '0';
+        i += 1;
+        while (i < len) {
+            ch = (unsigned char) src[i];
+            if (ch == ';') {
+                *consumed = i + 1;
+                return val;
+            }
+            if (ch < '0' || ch > '9') {
+                *consumed = i;
+                return val;
+            }
+            val = (val * 10) + (ch - '0');
+            if (val > 0x1000FF) {
+                return '&';
+            }
+            ++i;
+        }
+        *consumed = i;
+        return val;
+    }
+}
+
+/*
+ * These were mostly extracted from: https://raw.githubusercontent.com/WebKit/WebKit/main/Source/WebCore/dom/EventNames.h
+ *
+ * view-source:
+ * data:
+ * javascript:
+ * events:
+ */
+static stringtype_t BLACKATTREVENT[] = {
+   { "ABORT", TYPE_BLACK }
+ , { "ACTIVATE", TYPE_BLACK }
+ , { "ACTIVE", TYPE_BLACK }
+ , { "ADDSOURCEBUFFER", TYPE_BLACK }
+ , { "ADDSTREAM", TYPE_BLACK }
+ , { "ADDTRACK", TYPE_BLACK }
+ , { "AFTERPRINT", TYPE_BLACK }
+ , { "ANIMATIONCANCEL", TYPE_BLACK }
+ , { "ANIMATIONEND", TYPE_BLACK }
+ , { "ANIMATIONITERATION", TYPE_BLACK }
+ , { "ANIMATIONSTART", TYPE_BLACK }
+ , { "AUDIOEND", TYPE_BLACK }
+ , { "AUDIOPROCESS", TYPE_BLACK }
+ , { "AUDIOSTART", TYPE_BLACK }
+ , { "AUTOCOMPLETEERROR", TYPE_BLACK }
+ , { "AUTOCOMPLETE", TYPE_BLACK }
+ , { "BEFOREACTIVATE", TYPE_BLACK }
+ , { "BEFORECOPY", TYPE_BLACK }
+ , { "BEFORECUT", TYPE_BLACK }
+ , { "BEFOREINPUT", TYPE_BLACK }
+ , { "BEFORELOAD", TYPE_BLACK }
+ , { "BEFOREPASTE", TYPE_BLACK }
+ , { "BEFOREPRINT", TYPE_BLACK }
+ , { "BEFOREUNLOAD", TYPE_BLACK }
+ , { "BEGINEVENT", TYPE_BLACK }
+ , { "BLOCKED", TYPE_BLACK }
+ , { "BLUR", TYPE_BLACK }
+ , { "BOUNDARY", TYPE_BLACK }
+ , { "BUFFEREDAMOUNTLOW", TYPE_BLACK }
+ , { "CACHED", TYPE_BLACK }
+ , { "CANCEL", TYPE_BLACK }
+ , { "CANPLAYTHROUGH", TYPE_BLACK }
+ , { "CANPLAY", TYPE_BLACK }
+ , { "CHANGE", TYPE_BLACK }
+ , { "CHARGINGCHANGE", TYPE_BLACK }
+ , { "CHARGINGTIMECHANGE", TYPE_BLACK }
+ , { "CHECKING", TYPE_BLACK }
+ , { "CLICK", TYPE_BLACK }
+ , { "CLOSE", TYPE_BLACK }
+ , { "COMPLETE", TYPE_BLACK }
+ , { "COMPOSITIONEND", TYPE_BLACK }
+ , { "COMPOSITIONSTART", TYPE_BLACK }
+ , { "COMPOSITIONUPDATE", TYPE_BLACK }
+ , { "CONNECTING", TYPE_BLACK }
+ , { "CONNECTIONSTATECHANGE", TYPE_BLACK }
+ , { "CONNECT", TYPE_BLACK }
+ , { "CONTEXTMENU", TYPE_BLACK }
+ , { "CONTROLLERCHANGE", TYPE_BLACK }
+ , { "COPY", TYPE_BLACK }
+ , { "CUECHANGE", TYPE_BLACK }
+ , { "CUT", TYPE_BLACK }
+ , { "DATAAVAILABLE", TYPE_BLACK }
+ , { "DATACHANNEL", TYPE_BLACK }
+ , { "DBLCLICK", TYPE_BLACK }
+ , { "DEVICECHANGE", TYPE_BLACK }
+ , { "DEVICEMOTION", TYPE_BLACK }
+ , { "DEVICEORIENTATION", TYPE_BLACK }
+ , { "DISCHARGINGTIMECHANGE", TYPE_BLACK }
+ , { "DISCONNECT", TYPE_BLACK }
+ , { "DOMACTIVATE", TYPE_BLACK }
+ , { "DOMCHARACTERDATAMODIFIED", TYPE_BLACK }
+ , { "DOMCONTENTLOADED", TYPE_BLACK }
+ , { "DOMFOCUSIN", TYPE_BLACK }
+ , { "DOMFOCUSOUT", TYPE_BLACK }
+ , { "DOMNODEINSERTEDINTODOCUMENT", TYPE_BLACK }
+ , { "DOMNODEINSERTED", TYPE_BLACK }
+ , { "DOMNODEREMOVEDFROMDOCUMENT", TYPE_BLACK }
+ , { "DOMNODEREMOVED", TYPE_BLACK }
+ , { "DOMSUBTREEMODIFIED", TYPE_BLACK }
+ , { "DOWNLOADING", TYPE_BLACK }
+ , { "DRAGEND", TYPE_BLACK }
+ , { "DRAGENTER", TYPE_BLACK }
+ , { "DRAGLEAVE", TYPE_BLACK }
+ , { "DRAGOVER", TYPE_BLACK }
+ , { "DRAGSTART", TYPE_BLACK }
+ , { "DRAG", TYPE_BLACK }
+ , { "DROP", TYPE_BLACK }
+ , { "DURATIONCHANGE", TYPE_BLACK }
+ , { "EMPTIED", TYPE_BLACK }
+ , { "ENCRYPTED", TYPE_BLACK }
+ , { "ENDED", TYPE_BLACK }
+ , { "ENDEVENT", TYPE_BLACK }
+ , { "END", TYPE_BLACK }
+ , { "ENTERPICTUREINPICTURE", TYPE_BLACK }
+ , { "ENTER", TYPE_BLACK }
+ , { "ERROR", TYPE_BLACK }
+ , { "EXIT", TYPE_BLACK }
+ , { "FETCH", TYPE_BLACK }
+ , { "FINISH", TYPE_BLACK }
+ , { "FOCUSIN", TYPE_BLACK }
+ , { "FOCUSOUT", TYPE_BLACK }
+ , { "FOCUS", TYPE_BLACK }
+ , { "FORMCHANGE", TYPE_BLACK }
+ , { "FORMINPUT", TYPE_BLACK }
+ , { "GAMEPADCONNECTED", TYPE_BLACK }
+ , { "GAMEPADDISCONNECTED", TYPE_BLACK }
+ , { "GESTURECHANGE", TYPE_BLACK }
+ , { "GESTUREEND", TYPE_BLACK }
+ , { "GESTURESCROLLEND", TYPE_BLACK }
+ , { "GESTURESCROLLSTART", TYPE_BLACK }
+ , { "GESTURESCROLLUPDATE", TYPE_BLACK }
+ , { "GESTURESTART", TYPE_BLACK }
+ , { "GESTURETAPDOWN", TYPE_BLACK }
+ , { "GESTURETAP", TYPE_BLACK }
+ , { "GOTPOINTERCAPTURE", TYPE_BLACK }
+ , { "HASHCHANGE", TYPE_BLACK }
+ , { "ICECANDIDATEERROR", TYPE_BLACK }
+ , { "ICECANDIDATE", TYPE_BLACK }
+ , { "ICECONNECTIONSTATECHANGE", TYPE_BLACK }
+ , { "ICEGATHERINGSTATECHANGE", TYPE_BLACK }
+ , { "INACTIVE", TYPE_BLACK }
+ , { "INPUTSOURCESCHANGE", TYPE_BLACK }
+ , { "INPUT", TYPE_BLACK }
+ , { "INSTALL", TYPE_BLACK }
+ , { "INVALID", TYPE_BLACK }
+ , { "KEYDOWN", TYPE_BLACK }
+ , { "KEYPRESS", TYPE_BLACK }
+ , { "KEYSTATUSESCHANGE", TYPE_BLACK }
+ , { "KEYUP", TYPE_BLACK }
+ , { "LANGUAGECHANGE", TYPE_BLACK }
+ , { "LEAVEPICTUREINPICTURE", TYPE_BLACK }
+ , { "LEVELCHANGE", TYPE_BLACK }
+ , { "LOADEDDATA", TYPE_BLACK }
+ , { "LOADEDMETADATA", TYPE_BLACK }
+ , { "LOADEND", TYPE_BLACK }
+ , { "LOADINGDONE", TYPE_BLACK }
+ , { "LOADINGERROR", TYPE_BLACK }
+ , { "LOADING", TYPE_BLACK }
+ , { "LOADSTART", TYPE_BLACK }
+ , { "LOAD", TYPE_BLACK }
+ , { "LOSTPOINTERCAPTURE", TYPE_BLACK }
+ , { "MARK", TYPE_BLACK }
+ , { "MERCHANTVALIDATION", TYPE_BLACK }
+ , { "MESSAGEERROR", TYPE_BLACK }
+ , { "MESSAGE", TYPE_BLACK }
+ , { "MOUSEDOWN", TYPE_BLACK }
+ , { "MOUSEENTER", TYPE_BLACK }
+ , { "MOUSELEAVE", TYPE_BLACK }
+ , { "MOUSEMOVE", TYPE_BLACK }
+ , { "MOUSEOUT", TYPE_BLACK }
+ , { "MOUSEOVER", TYPE_BLACK }
+ , { "MOUSEUP", TYPE_BLACK }
+ , { "MOUSEWHEEL", TYPE_BLACK }
+ , { "MUTE", TYPE_BLACK }
+ , { "NEGOTIATIONNEEDED", TYPE_BLACK }
+ , { "NEXTTRACK", TYPE_BLACK }
+ , { "NOMATCH", TYPE_BLACK }
+ , { "NOUPDATE", TYPE_BLACK }
+ , { "OBSOLETE", TYPE_BLACK }
+ , { "OFFLINE", TYPE_BLACK }
+ , { "ONLINE", TYPE_BLACK }
+ , { "OPEN", TYPE_BLACK }
+ , { "ORIENTATIONCHANGE", TYPE_BLACK }
+ , { "OVERCONSTRAINED", TYPE_BLACK }
+ , { "OVERFLOWCHANGED", TYPE_BLACK }
+ , { "PAGEHIDE", TYPE_BLACK }
+ , { "PAGESHOW", TYPE_BLACK }
+ , { "PASTE", TYPE_BLACK }
+ , { "PAUSE", TYPE_BLACK }
+ , { "PAYERDETAILCHANGE", TYPE_BLACK }
+ , { "PAYMENTAUTHORIZED", TYPE_BLACK }
+ , { "PAYMENTMETHODCHANGE", TYPE_BLACK }
+ , { "PAYMENTMETHODSELECTED", TYPE_BLACK }
+ , { "PLAYING", TYPE_BLACK }
+ , { "PLAY", TYPE_BLACK }
+ , { "POINTERCANCEL", TYPE_BLACK }
+ , { "POINTERDOWN", TYPE_BLACK }
+ , { "POINTERENTER", TYPE_BLACK }
+ , { "POINTERLEAVE", TYPE_BLACK }
+ , { "POINTERLOCKCHANGE", TYPE_BLACK }
+ , { "POINTERLOCKERROR", TYPE_BLACK }
+ , { "POINTERMOVE", TYPE_BLACK }
+ , { "POINTEROUT", TYPE_BLACK }
+ , { "POINTEROVER", TYPE_BLACK }
+ , { "POINTERUP", TYPE_BLACK }
+ , { "POPSTATE", TYPE_BLACK }
+ , { "PREVIOUSTRACK", TYPE_BLACK }
+ , { "PROCESSORERROR", TYPE_BLACK }
+ , { "PROGRESS", TYPE_BLACK }
+ , { "PROPERTYCHANGE", TYPE_BLACK }
+ , { "RATECHANGE", TYPE_BLACK }
+ , { "READYSTATECHANGE", TYPE_BLACK }
+ , { "REJECTIONHANDLED", TYPE_BLACK }
+ , { "REMOVESOURCEBUFFER", TYPE_BLACK }
+ , { "REMOVESTREAM", TYPE_BLACK }
+ , { "REMOVETRACK", TYPE_BLACK }
+ , { "REMOVE", TYPE_BLACK }
+ , { "RESET", TYPE_BLACK }
+ , { "RESIZE", TYPE_BLACK }
+ , { "RESOURCETIMINGBUFFERFULL", TYPE_BLACK }
+ , { "RESULT", TYPE_BLACK }
+ , { "RESUME", TYPE_BLACK }
+ , { "SCROLL", TYPE_BLACK }
+ , { "SEARCH", TYPE_BLACK }
+ , { "SECURITYPOLICYVIOLATION", TYPE_BLACK }
+ , { "SEEKED", TYPE_BLACK }
+ , { "SEEKING", TYPE_BLACK }
+ , { "SELECTEND", TYPE_BLACK }
+ , { "SELECTIONCHANGE", TYPE_BLACK }
+ , { "SELECTSTART", TYPE_BLACK }
+ , { "SELECT", TYPE_BLACK }
+ , { "SHIPPINGADDRESSCHANGE", TYPE_BLACK }
+ , { "SHIPPINGCONTACTSELECTED", TYPE_BLACK }
+ , { "SHIPPINGMETHODSELECTED", TYPE_BLACK }
+ , { "SHIPPINGOPTIONCHANGE", TYPE_BLACK }
+ , { "SHOW", TYPE_BLACK }
+ , { "SIGNALINGSTATECHANGE", TYPE_BLACK }
+ , { "SLOTCHANGE", TYPE_BLACK }
+ , { "SOUNDEND", TYPE_BLACK }
+ , { "SOUNDSTART", TYPE_BLACK }
+ , { "SOURCECLOSE", TYPE_BLACK }
+ , { "SOURCEENDED", TYPE_BLACK }
+ , { "SOURCEOPEN", TYPE_BLACK }
+ , { "SPEECHEND", TYPE_BLACK }
+ , { "SPEECHSTART", TYPE_BLACK }
+ , { "SQUEEZEEND", TYPE_BLACK }
+ , { "SQUEEZESTART", TYPE_BLACK }
+ , { "SQUEEZE", TYPE_BLACK }
+ , { "STALLED", TYPE_BLACK }
+ , { "STARTED", TYPE_BLACK }
+ , { "START", TYPE_BLACK }
+ , { "STATECHANGE", TYPE_BLACK }
+ , { "STOP", TYPE_BLACK }
+ , { "STORAGE", TYPE_BLACK }
+ , { "SUBMIT", TYPE_BLACK }
+ , { "SUCCESS", TYPE_BLACK }
+ , { "SUSPEND", TYPE_BLACK }
+ , { "TEXTINPUT", TYPE_BLACK }
+ , { "TIMEOUT", TYPE_BLACK }
+ , { "TIMEUPDATE", TYPE_BLACK }
+ , { "TOGGLE", TYPE_BLACK }
+ , { "TOGGLE", TYPE_BLACK }	
+ , { "TONECHANGE", TYPE_BLACK }
+ , { "TOUCHCANCEL", TYPE_BLACK }
+ , { "TOUCHEND", TYPE_BLACK }
+ , { "TOUCHFORCECHANGE", TYPE_BLACK }
+ , { "TOUCHMOVE", TYPE_BLACK }
+ , { "TOUCHSTART", TYPE_BLACK }
+ , { "TRACK", TYPE_BLACK }
+ , { "TRANSITIONCANCEL", TYPE_BLACK }
+ , { "TRANSITIONEND", TYPE_BLACK }
+ , { "TRANSITIONRUN", TYPE_BLACK }
+ , { "TRANSITIONSTART", TYPE_BLACK }
+ , { "UNCAPTUREDERROR", TYPE_BLACK }
+ , { "UNHANDLEDREJECTION", TYPE_BLACK }
+ , { "UNLOAD", TYPE_BLACK }
+ , { "UNMUTE", TYPE_BLACK }
+ , { "UPDATEEND", TYPE_BLACK }
+ , { "UPDATEFOUND", TYPE_BLACK }
+ , { "UPDATEREADY", TYPE_BLACK }
+ , { "UPDATESTART", TYPE_BLACK }
+ , { "UPDATE", TYPE_BLACK }
+ , { "UPGRADENEEDED", TYPE_BLACK }
+ , { "VALIDATEMERCHANT", TYPE_BLACK }
+ , { "VERSIONCHANGE", TYPE_BLACK }
+ , { "VISIBILITYCHANGE", TYPE_BLACK }
+ , { "VOLUMECHANGE", TYPE_BLACK }
+ , { "WAITINGFORKEY", TYPE_BLACK }
+ , { "WAITING", TYPE_BLACK }
+ , { "WEBGLCONTEXTCHANGED", TYPE_BLACK }
+ , { "WEBGLCONTEXTCREATIONERROR", TYPE_BLACK }
+ , { "WEBGLCONTEXTLOST", TYPE_BLACK }
+ , { "WEBGLCONTEXTRESTORED", TYPE_BLACK }
+ , { "WEBKITANIMATIONEND", TYPE_BLACK }
+ , { "WEBKITANIMATIONITERATION", TYPE_BLACK }
+ , { "WEBKITANIMATIONSTART", TYPE_BLACK }
+ , { "WEBKITBEFORETEXTINSERTED", TYPE_BLACK }
+ , { "WEBKITBEGINFULLSCREEN", TYPE_BLACK }
+ , { "WEBKITCURRENTPLAYBACKTARGETISWIRELESSCHANGED", TYPE_BLACK }
+ , { "WEBKITENDFULLSCREEN", TYPE_BLACK }
+ , { "WEBKITFULLSCREENCHANGE", TYPE_BLACK }
+ , { "WEBKITFULLSCREENERROR", TYPE_BLACK }
+ , { "WEBKITKEYADDED", TYPE_BLACK }
+ , { "WEBKITKEYERROR", TYPE_BLACK }
+ , { "WEBKITKEYMESSAGE", TYPE_BLACK }
+ , { "WEBKITMOUSEFORCECHANGED", TYPE_BLACK }
+ , { "WEBKITMOUSEFORCEDOWN", TYPE_BLACK }
+ , { "WEBKITMOUSEFORCEUP", TYPE_BLACK }
+ , { "WEBKITMOUSEFORCEWILLBEGIN", TYPE_BLACK }
+ , { "WEBKITNEEDKEY", TYPE_BLACK }
+ , { "WEBKITNETWORKINFOCHANGE", TYPE_BLACK }
+ , { "WEBKITPLAYBACKTARGETAVAILABILITYCHANGED", TYPE_BLACK }
+ , { "WEBKITPRESENTATIONMODECHANGED", TYPE_BLACK }
+ , { "WEBKITREGIONOVERSETCHANGE", TYPE_BLACK }
+ , { "WEBKITREMOVESOURCEBUFFER", TYPE_BLACK }
+ , { "WEBKITSOURCECLOSE", TYPE_BLACK }
+ , { "WEBKITSOURCEENDED", TYPE_BLACK }
+ , { "WEBKITSOURCEOPEN", TYPE_BLACK }
+ , { "WEBKITSPEECHCHANGE", TYPE_BLACK }
+ , { "WEBKITTRANSITIONEND", TYPE_BLACK }
+ , { "WEBKITWILLREVEALBOTTOM", TYPE_BLACK }
+ , { "WEBKITWILLREVEALLEFT", TYPE_BLACK }
+ , { "WEBKITWILLREVEALRIGHT", TYPE_BLACK }
+ , { "WEBKITWILLREVEALTOP", TYPE_BLACK }
+ , { "WHEEL", TYPE_BLACK }
+ , { "WRITEEND", TYPE_BLACK }
+ , { "WRITESTART", TYPE_BLACK }
+ , { "WRITE", TYPE_BLACK }
+ , { "ZOOM", TYPE_BLACK }
+ , { NULL, TYPE_NONE }
+};
+
+/*
+ * view-source:
+ * data:
+ * javascript:
+ */
+static stringtype_t STRICT_BLACKATTR[] = {
+    { "ACTION", TYPE_ATTR_URL }     /* form */
+    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
+    , { "BY", TYPE_ATTR_URL }         /* SVG */
+    , { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
+    , { "DATAFORMATAS", TYPE_BLACK }  /* IE */
+    , { "DATASRC", TYPE_BLACK }       /* IE */
+    , { "DYNSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "FILTER", TYPE_STYLE }        /* Opera, SVG inline style */
+    , { "FORMACTION", TYPE_ATTR_URL } /* HTML 5 */
+    , { "FOLDER", TYPE_ATTR_URL }     /* Only on A tags, IE-only */
+    , { "FROM", TYPE_ATTR_URL }       /* SVG */
+    , { "HANDLER", TYPE_ATTR_URL }    /* SVG Tiny, Opera */
+    , { "HREF", TYPE_ATTR_URL }
+    , { "LOWSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "POSTER", TYPE_ATTR_URL }     /* Opera 10,11 */
+    , { "SRC", TYPE_ATTR_URL }
+    , { "STYLE", TYPE_STYLE }
+    , { "TO", TYPE_ATTR_URL }         /* SVG */
+    , { "VALUES", TYPE_ATTR_URL }     /* SVG */
+    , { "XLINK:HREF", TYPE_ATTR_URL }
+    , { NULL, TYPE_NONE }
+};
+
+static stringtype_t BLACKATTR[] = {
+    { "ACTION", TYPE_ATTR_URL }     /* form */
+    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
+    , { "BY", TYPE_ATTR_URL }         /* SVG */
+    , { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
+    , { "DATAFORMATAS", TYPE_BLACK }  /* IE */
+    , { "DATASRC", TYPE_BLACK }       /* IE */
+    , { "DYNSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "FILTER", TYPE_STYLE }        /* Opera, SVG inline style */
+    , { "FORMACTION", TYPE_ATTR_URL } /* HTML 5 */
+    , { "FOLDER", TYPE_ATTR_URL }     /* Only on A tags, IE-only */
+    , { "FROM", TYPE_ATTR_URL }       /* SVG */
+    , { "HANDLER", TYPE_ATTR_URL }    /* SVG Tiny, Opera */
+    , { "HREF", TYPE_ATTR_URL }
+    , { "LOWSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "POSTER", TYPE_ATTR_URL }     /* Opera 10,11 */
+    , { "SRC", TYPE_ATTR_URL }
+    , { "TO", TYPE_ATTR_URL }         /* SVG */
+    , { "VALUES", TYPE_ATTR_URL }     /* SVG */
+    , { "XLINK:HREF", TYPE_ATTR_URL }
+    , { NULL, TYPE_NONE }
+};
+
+
+
+/* xmlns */
+/* `xml-stylesheet` > <eval>, <if expr=> */
+
+/*
+  static const char* BLACKATTR[] = {
+  "ATTRIBUTENAME",
+  "BACKGROUND",
+  "DATAFORMATAS",
+  "HREF",
+  "SCROLL",
+  "SRC",
+  "STYLE",
+  "SRCDOC",
+  NULL
+  };
+*/
+
+// GoEdge: change BLACKTAG to STRICT_BLACKTAG
+static const char* STRICT_BLACKTAG[] = {
+    "APPLET"
+    , "AUDIO"
+    , "BASE"
+    , "COMMENT"  /* IE http://html5sec.org/#38 */
+    , "EMBED"
+    , "FORM"
+    , "FRAME"
+    , "FRAMESET"
+    , "HANDLER" /* Opera SVG, effectively a script tag */
+    , "IFRAME"
+    , "IMPORT"
+    , "ISINDEX"
+    , "LINK"
+    , "LISTENER"
+    /*    , "MARQUEE" */
+    , "META"
+    , "NOSCRIPT"
+    , "OBJECT"
+    , "SCRIPT"
+    , "STYLE"
+    , "VIDEO"
+    , "VMLFRAME"
+    , "XML"
+    , "XSS"
+    , NULL
+};
+
+static const char* BLACKTAG[] = {
+    "APPLET"
+    /*    , "AUDIO" */
+    , "BASE"
+    , "COMMENT"  /* IE http://html5sec.org/#38 */
+    , "EMBED"
+    /*   ,  "FORM" */
+    , "FRAME"
+    , "FRAMESET"
+    , "HANDLER" /* Opera SVG, effectively a script tag */
+    , "IFRAME"
+    , "IMPORT"
+    , "ISINDEX"
+    , "LINK"
+    , "LISTENER"
+    /*    , "MARQUEE" */
+    , "META"
+    , "NOSCRIPT"
+    , "OBJECT"
+    , "SCRIPT"
+    , "STYLE"
+    /*    , "VIDEO" */
+    , "VMLFRAME"
+    , "XSS"
+    , NULL
+};
+
+
+static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
+{
+    char ca;
+    char cb;
+    /* printf("Comparing to %s %.*s\n", a, (int)n, b); */
+    while (n-- > 0) {
+        cb = *b++;
+        if (cb == '\0') continue;
+
+        ca = *a++;
+
+        if (cb >= 'a' && cb <= 'z') {
+            cb -= 0x20;
+        }
+        /* printf("Comparing %c vs %c with %d left\n", ca, cb, (int)n); */
+        if (ca != cb) {
+            return 1;
+        }
+    }
+
+    if (*a == 0) {
+        /* printf(" MATCH \n"); */
+        return 0;
+    } else {
+        return 1;
+    }
+}
+
+/*
+ * Does an HTML encoded  binary string (const char*, length) start with
+ * a all uppercase c-string (null terminated), case insensitive!
+ *
+ * also ignore any embedded nulls in the HTML string!
+ *
+ * return 1 if match / starts with
+ * return 0 if not
+ */
+static int htmlencode_startswith(const char *a, const char *b, size_t n)
+{
+    size_t consumed;
+    int cb;
+    int first = 1;
+    /* printf("Comparing %s with %.*s\n", a,(int)n,b); */
+    while (n > 0) {
+        if (*a == 0) {
+            /* printf("Match EOL!\n"); */
+            return 1;
+        }
+        cb = html_decode_char_at(b, n, &consumed);
+        b += consumed;
+        n -= consumed;
+
+        if (first && cb <= 32) {
+            /* ignore all leading whitespace and control characters */
+            continue;
+        }
+        first = 0;
+
+        if (cb == 0) {
+            /* always ignore null characters in user input */
+            continue;
+        }
+
+        if (cb == 10) {
+            /* always ignore vertical tab characters in user input */
+            /* who allows this?? */
+            continue;
+        }
+
+        if (cb >= 'a' && cb <= 'z') {
+            /* upcase */
+            cb -= 0x20;
+        }
+
+        if (*a != (char) cb) {
+            /* printf("    %c != %c\n", *a, cb); */
+            /* mismatch */
+            return 0;
+        }
+        a++;
+    }
+
+    return (*a == 0) ? 1 : 0;
+}
+
+static int is_black_tag(const char* s, size_t len, int strictMode)
+{
+    const char** black;
+
+    if (len < 3) {
+        return 0;
+    }
+
+	if (strictMode == 1) {
+    	black = STRICT_BLACKTAG;
+    } else {
+    	black = BLACKTAG;
+    }
+    while (*black != NULL) {
+        if (cstrcasecmp_with_null(*black, s, len) == 0) {
+            /* printf("Got black tag %s\n", *black); */
+            return 1;
+        }
+        black += 1;
+    }
+
+    /* anything SVG related */
+    if ((s[0] == 's' || s[0] == 'S') &&
+        (s[1] == 'v' || s[1] == 'V') &&
+        (s[2] == 'g' || s[2] == 'G')) {
+        /*        printf("Got SVG tag \n"); */
+        return 1;
+    }
+
+    /* Anything XSL(t) related */
+    if ((s[0] == 'x' || s[0] == 'X') &&
+        (s[1] == 's' || s[1] == 'S') &&
+        (s[2] == 'l' || s[2] == 'L')) {
+        /*      printf("Got XSL tag\n"); */
+        return 1;
+    }
+
+    return 0;
+}
+
+static attribute_t is_black_attr(const char* s, size_t len, int strictMode)
+{
+    stringtype_t* black;
+
+    if (len < 2) {
+        return TYPE_NONE;
+    }
+
+    if (len >= 5) {
+
+	/* JavaScript on.* event handlers */
+        if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
+            black = BLACKATTREVENT;
+            const char *s_without_on = &s[2]; // start comparing from the third char
+            while (black->name != NULL) {
+                if (cstrcasecmp_with_null(black->name, s_without_on, strlen(black->name)) == 0) {
+                    /* printf("Got banned attribute name %s\n", black->name); */
+                    return black->atype;
+                }
+                black += 1;
+            }
+        }
+
+
+        /* XMLNS can be used to create arbitrary tags */
+        // goedge: commented for photo uploading
+        //if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
+            /*      printf("Got XMLNS and XLINK tags\n"); */
+        //    return TYPE_BLACK;
+        //}
+    }
+
+	if (strictMode == 1) {
+    	black = STRICT_BLACKATTR;
+    } else {
+    	black = BLACKATTR;
+    }
+    while (black->name != NULL) {
+        if (cstrcasecmp_with_null(black->name, s, len) == 0) {
+            /*      printf("Got banned attribute name %s\n", black->name); */
+            return black->atype;
+        }
+        black += 1;
+    }
+
+    return TYPE_NONE;
+}
+
+static int is_black_url(const char* s, size_t len)
+{
+
+    static const char* data_url = "DATA";
+    static const char* viewsource_url = "VIEW-SOURCE";
+
+    /* obsolete but interesting signal */
+    static const char* vbscript_url = "VBSCRIPT";
+
+    /* covers JAVA, JAVASCRIPT, + colon */
+    static const char* javascript_url = "JAVA";
+
+    /* skip whitespace */
+    while (len > 0 && (*s <= 32 || *s >= 127)) {
+        /*
+         * HEY: this is a signed character.
+         *  We are intentionally skipping high-bit characters too
+         *  since they are not ASCII, and Opera sometimes uses UTF-8 whitespace.
+         *
+         * Also in EUC-JP some of the high bytes are just ignored.
+         */
+        ++s;
+        --len;
+    }
+
+    if (htmlencode_startswith(data_url, s, len)) {
+        return 1;
+    }
+
+    if (htmlencode_startswith(viewsource_url, s, len)) {
+        return 1;
+    }
+
+    if (htmlencode_startswith(javascript_url, s, len)) {
+        return 1;
+    }
+
+    if (htmlencode_startswith(vbscript_url, s, len)) {
+        return 1;
+    }
+    return 0;
+}
+
+int libinjection_is_xss(const char* s, size_t len, int flags, int strictMode)
+{
+    h5_state_t h5;
+    attribute_t attr = TYPE_NONE;
+
+    libinjection_h5_init(&h5, s, len, (enum html5_flags) flags);
+    while (libinjection_h5_next(&h5)) {
+        if (h5.token_type != ATTR_VALUE) {
+            attr = TYPE_NONE;
+        }
+
+        if (h5.token_type == DOCTYPE) {
+            return 1;
+        } else if (h5.token_type == TAG_NAME_OPEN) {
+            if (is_black_tag(h5.token_start, h5.token_len, strictMode)) {
+                return 1;
+            }
+        } else if (h5.token_type == ATTR_NAME) {
+            attr = is_black_attr(h5.token_start, h5.token_len, strictMode);
+        } else if (h5.token_type == ATTR_VALUE) {
+            /*
+             * IE6,7,8 parsing works a bit differently so
+             * a whole <script> or other black tag might be hiding
+             * inside an attribute value under HTML 5 parsing
+             * See http://html5sec.org/#102
+             * to avoid doing a full reparse of the value, just
+             * look for "<".  This probably need adjusting to
+             * handle escaped characters
+             */
+            /*
+              if (memchr(h5.token_start, '<', h5.token_len) != NULL) {
+              return 1;
+              }
+            */
+
+            switch (attr) {
+            case TYPE_NONE:
+                break;
+            case TYPE_BLACK:
+                return 1;
+            case TYPE_ATTR_URL:
+                if (is_black_url(h5.token_start, h5.token_len)) {
+                    return 1;
+                }
+                break;
+            case TYPE_STYLE:
+                return 1;
+            case TYPE_ATTR_INDIRECT:
+                /* an attribute name is specified in a _value_ */
+                if (is_black_attr(h5.token_start, h5.token_len, strictMode)) {
+                    return 1;
+                }
+                break;
+/*
+  default:
+  assert(0);
+*/
+            }
+            attr = TYPE_NONE;
+        } else if (h5.token_type == TAG_COMMENT) {
+            /* IE uses a "`" as a tag ending char */
+            // goedge: commented for photo uploading
+            /**if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
+                return 1;
+            }**/
+
+            /* IE conditional comment */
+            if (h5.token_len > 3) {
+                if (h5.token_start[0] == '[' &&
+                    (h5.token_start[1] == 'i' || h5.token_start[1] == 'I') &&
+                    (h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) {
+                    return 1;
+                }
+                if ((h5.token_start[0] == 'x' || h5.token_start[0] == 'X') &&
+                    (h5.token_start[1] == 'm' || h5.token_start[1] == 'M') &&
+                    (h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) {
+                    return 1;
+                }
+            }
+
+            if (h5.token_len > 5) {
+                /*  IE <?import pseudo-tag */
+                if (cstrcasecmp_with_null("IMPORT", h5.token_start, 6) == 0) {
+                    return 1;
+                }
+
+                /*  XML Entity definition */
+                if (cstrcasecmp_with_null("ENTITY", h5.token_start, 6) == 0) {
+                    return 1;
+                }
+            }
+        }
+    }
+    return 0;
+}
+
+
+/*
+ * wrapper
+ *
+ *
+ * const char* s: input string, may contain nulls, does not need to be null-terminated.
+ * size_t len: input string length.
+ * 
+ *
+ */
+int libinjection_xss(const char* s, size_t slen, int strictMode)
+{
+    if (libinjection_is_xss(s, slen, DATA_STATE, strictMode)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, slen, VALUE_NO_QUOTE, strictMode)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, slen, VALUE_SINGLE_QUOTE, strictMode)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, slen, VALUE_DOUBLE_QUOTE, strictMode)) {
+        return 1;
+    }
+    if (libinjection_is_xss(s, slen, VALUE_BACK_QUOTE, strictMode)) {
+        return 1;
+    }
+
+    return 0;
+}
--- a/internal/waf/injectionutils/libinjection/src/libinjection_xss.h
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_xss.h
@@ -0,0 +1,21 @@
+#ifndef LIBINJECTION_XSS
+#define LIBINJECTION_XSS
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * HEY THIS ISN'T DONE
+ */
+
+/* pull in size_t */
+
+#include <string.h>
+
+  int libinjection_is_xss(const char* s, size_t len, int flags, int strictMode);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
--- a/internal/waf/injectionutils/libinjection/src/reader.c
+++ b/internal/waf/injectionutils/libinjection/src/reader.c
@@ -0,0 +1,313 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include "libinjection.h"
+#include "libinjection_sqli.h"
+#include "libinjection_xss.h"
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+static int g_test_ok = 0;
+static int g_test_fail = 0;
+
+typedef enum {
+    MODE_SQLI,
+    MODE_XSS
+} detect_mode_t;
+
+static void usage(const char* program_name);
+size_t modp_rtrim(char* str, size_t len);
+void modp_toprint(char* str, size_t len);
+void test_positive(FILE * fd, const char *fname, detect_mode_t mode,
+                   int flag_invert, int flag_true, int flag_quiet);
+
+int urlcharmap(char ch);
+size_t modp_url_decode(char* dest, const char* s, size_t len);
+
+int urlcharmap(char ch) {
+    switch (ch) {
+    case '0': return 0;
+    case '1': return 1;
+    case '2': return 2;
+    case '3': return 3;
+    case '4': return 4;
+    case '5': return 5;
+    case '6': return 6;
+    case '7': return 7;
+    case '8': return 8;
+    case '9': return 9;
+    case 'a': case 'A': return 10;
+    case 'b': case 'B': return 11;
+    case 'c': case 'C': return 12;
+    case 'd': case 'D': return 13;
+    case 'e': case 'E': return 14;
+    case 'f': case 'F': return 15;
+    default:
+        return 256;
+    }
+}
+
+size_t modp_url_decode(char* dest, const char* s, size_t len)
+{
+    const char* deststart = dest;
+
+    size_t i = 0;
+    int d = 0;
+    while (i < len) {
+        switch (s[i]) {
+        case '+':
+            *dest++ = ' ';
+            i += 1;
+            break;
+        case '%':
+            if (i+2 < len) {
+                d = (urlcharmap(s[i+1]) << 4) | urlcharmap(s[i+2]);
+                if ( d < 256) {
+                    *dest = (char) d;
+                    dest++;
+                    i += 3; /* loop will increment one time */
+                } else {
+                    *dest++ = '%';
+                    i += 1;
+                }
+            } else {
+                *dest++ = '%';
+                i += 1;
+            }
+            break;
+        default:
+            *dest++ = s[i];
+            i += 1;
+        }
+    }
+    *dest = '\0';
+    return (size_t)(dest - deststart); /* compute "strlen" of dest */
+}
+
+void modp_toprint(char* str, size_t len)
+{
+    size_t i;
+    for (i = 0; i < len; ++i) {
+        if (str[i] < 32 || str[i] > 126) {
+            str[i] = '?';
+        }
+    }
+}
+size_t modp_rtrim(char* str, size_t len)
+{
+    while (len) {
+        char c = str[len -1];
+        if (c == ' ' || c == '\n' || c == '\t' || c == '\r') {
+            str[len -1] = '\0';
+            len -= 1;
+        } else {
+            break;
+        }
+    }
+    return len;
+}
+
+void test_positive(FILE * fd, const char *fname, detect_mode_t mode,
+                   int flag_invert, int flag_true, int flag_quiet)
+{
+    char linebuf[8192];
+    int issqli = 0;
+    int linenum = 0;
+    size_t len;
+    sfilter sf;
+
+    while (fgets(linebuf, sizeof(linebuf), fd)) {
+        linenum += 1;
+        len = modp_rtrim(linebuf, strlen(linebuf));
+        if (len == 0) {
+            continue;
+        }
+        if (linebuf[0] == '#') {
+            continue;
+        }
+
+        len =  modp_url_decode(linebuf, linebuf, len);
+        switch (mode) {
+        case MODE_SQLI: {
+            libinjection_sqli_init(&sf, linebuf, len, 0);
+            issqli = libinjection_is_sqli(&sf);
+            break;
+        }
+        case MODE_XSS: {
+            issqli = libinjection_xss(linebuf, len);
+            break;
+        }
+        default:
+            assert(0);
+       }
+
+        if (issqli) {
+            g_test_ok += 1;
+        } else {
+            g_test_fail += 1;
+        }
+
+        if (!flag_quiet) {
+            if ((issqli && flag_true && ! flag_invert) ||
+                (!issqli && flag_true && flag_invert) ||
+                !flag_true) {
+
+                modp_toprint(linebuf, len);
+
+                switch (mode) {
+                case MODE_SQLI: {
+		    /*
+		     * if we didn't find a SQLi and fingerprint from
+                     * sqlstats is is 'sns' or 'snsns' then redo using
+                     * plain context
+		     */
+                    if (!issqli && (strcmp(sf.fingerprint, "sns") == 0 ||
+				    strcmp(sf.fingerprint, "snsns") == 0)) {
+                        libinjection_sqli_fingerprint(&sf, 0);
+                    }
+
+                    fprintf(stdout, "%s\t%d\t%s\t%s\t%s\n",
+                            fname, linenum,
+                            (issqli ? "True" : "False"), sf.fingerprint, linebuf);
+                    break;
+                }
+                case MODE_XSS: {
+                    fprintf(stdout, "%s\t%d\t%s\t%s\n",
+                            fname, linenum,
+                            (issqli ? "True" : "False"), linebuf);
+                    break;
+                }
+                default:
+                    assert(0);
+                }
+            }
+        }
+    }
+}
+
+static void usage(const char* program_name)
+{
+  fprintf(stdout, "usage: %s [flags] [files...]\n", program_name);
+  fprintf(stdout, "%s\n", "");
+  fprintf(stdout, "%s\n", "-q --quiet     : quiet mode");
+  fprintf(stdout, "%s\n", "-m --max-fails : number of failed cases need to fail entire test");
+  fprintf(stdout, "%s\n", "-s INTEGER     : repeat each test N time "
+	  "(for performance testing)");
+  fprintf(stdout, "%s\n", "-t             : only print positive matches");
+  fprintf(stdout, "%s\n", "-x --mode-xss  : test input for XSS");
+  fprintf(stdout, "%s\n", "-i --invert    : invert test logic "
+	  "(input is tested for being safe)");
+
+  fprintf(stdout, "%s\n", "");
+  fprintf(stdout, "%s\n", "-? -h -help --help : this page");
+  fprintf(stdout, "%s\n", "");
+}
+
+int main(int argc, const char *argv[])
+{
+    /*
+     * invert output, by
+     */
+    int flag_invert = FALSE;
+
+    /*
+     * don't print anything.. useful for
+     * performance monitors, gprof.
+     */
+    int flag_quiet = FALSE;
+
+    /*
+     * only print positive results
+     * with invert, only print negative results
+     */
+    int flag_true = FALSE;
+    detect_mode_t mode = MODE_SQLI;
+
+    int flag_slow = 1;
+    int count = 0;
+    int max = -1;
+
+    int i, j;
+    int offset = 1;
+
+    while (offset < argc) {
+        if (strcmp(argv[offset], "-?") == 0 ||
+            strcmp(argv[offset], "-h") == 0 ||
+	    strcmp(argv[offset], "-help") == 0 ||
+	    strcmp(argv[offset], "--help") == 0) {
+	  usage(argv[0]);
+	  exit(0);
+	}
+	  
+        if (strcmp(argv[offset], "-i") == 0) {
+            offset += 1;
+            flag_invert = TRUE;
+        } else if (strcmp(argv[offset], "-q") == 0 ||
+		   strcmp(argv[offset], "--quiet") == 0) {
+            offset += 1;
+            flag_quiet = TRUE;
+        } else if (strcmp(argv[offset], "-t") == 0) {
+            offset += 1;
+            flag_true = TRUE;
+        } else if (strcmp(argv[offset], "-s") == 0) {
+            offset += 1;
+            flag_slow = 100;
+        } else if (strcmp(argv[offset], "-m") == 0 ||
+		   strcmp(argv[offset], "--max-fails") == 0) {
+		     offset += 1;
+            max = atoi(argv[offset]);
+            offset += 1;
+        } else if (strcmp(argv[offset], "-x") == 0 ||
+		   strcmp(argv[offset], "--mode-xss") == 0) {
+            mode = MODE_XSS;
+            offset += 1;
+        } else {
+            break;
+        }
+    }
+
+    if (offset == argc) {
+        test_positive(stdin, "stdin", mode, flag_invert, flag_true, flag_quiet);
+    } else {
+        for (j = 0; j < flag_slow; ++j) {
+            for (i = offset; i < argc; ++i) {
+                FILE* fd = fopen(argv[i], "r");
+                if (fd) {
+                    test_positive(fd, argv[i], mode, flag_invert, flag_true, flag_quiet);
+                    fclose(fd);
+                }
+            }
+        }
+    }
+
+    if (!flag_quiet) {
+        fprintf(stdout, "%s", "\n");
+        fprintf(stdout, "SQLI  : %d\n", g_test_ok);
+        fprintf(stdout, "SAFE  : %d\n", g_test_fail);
+        fprintf(stdout, "TOTAL : %d\n", g_test_ok + g_test_fail);
+    }
+
+    if (max == -1) {
+        return 0;
+    }
+
+    count = g_test_ok;
+    if (flag_invert) {
+        count = g_test_fail;
+    }
+
+    if (count > max) {
+        printf("\nThreshold is %d, got %d, failing.\n", max, count);
+        return 1;
+    } else {
+        printf("\nThreshold is %d, got %d, passing.\n", max, count);
+        return 0;
+    }
+}
--- a/internal/waf/injectionutils/libinjection/src/sqli_cli.c
+++ b/internal/waf/injectionutils/libinjection/src/sqli_cli.c
@@ -0,0 +1,165 @@
+/**
+ * Copyright 2012, 2013 Nick Galbreath
+ * nickg@client9.com
+ * BSD License -- see COPYING.txt for details
+ *
+ * This is for testing against files in ../data/ *.txt
+ * Reads from stdin or a list of files, and emits if a line
+ * is a SQLi attack or not, and does basic statistics
+ *
+ */
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "libinjection.h"
+#include "libinjection_sqli.h"
+
+void print_string(stoken_t* t);
+void print_var(stoken_t* t);
+void print_token(stoken_t *t);
+void usage(void);
+
+void print_string(stoken_t* t)
+{
+    /* print opening quote */
+    if (t->str_open != '\0') {
+        printf("%c", t->str_open);
+    }
+
+    /* print content */
+    printf("%s", t->val);
+
+    /* print closing quote */
+    if (t->str_close != '\0') {
+        printf("%c", t->str_close);
+    }
+}
+
+void print_var(stoken_t* t)
+{
+    if (t->count >= 1) {
+        printf("%c", '@');
+    }
+    if (t->count == 2) {
+        printf("%c", '@');
+    }
+    print_string(t);
+}
+
+void print_token(stoken_t *t) {
+    printf("%c ", t->type);
+    switch (t->type) {
+    case 's':
+        print_string(t);
+        break;
+    case 'v':
+        print_var(t);
+        break;
+    default:
+        printf("%s", t->val);
+    }
+    printf("%s", "\n");
+}
+
+void usage(void) {
+    printf("\n");
+    printf("libinjection sqli tester\n");
+    printf("\n");
+    printf(" -ca  parse as ANSI SQL\n");
+    printf(" -cm  parse as MySQL SQL\n");
+    printf(" -q0  parse as is\n");
+    printf(" -q1  parse in single-quote mode\n");
+    printf(" -q2  parse in doiuble-quote mode\n");
+    printf("\n");
+    printf(" -f --fold  fold results\n");
+    printf("\n");
+    printf(" -d --detect  detect SQLI.  empty reply = not detected\n");
+    printf("\n");
+}
+
+int main(int argc, const char* argv[])
+{
+    size_t slen;
+    char* copy;
+
+    int flags = 0;
+    int fold = 0;
+    int detect = 0;
+
+    int i;
+    int count;
+    int offset = 1;
+    int issqli;
+
+    sfilter sf;
+
+    if (argc < 2) {
+        usage();
+        return 1;
+    }
+    while (1) {
+	if (strcmp(argv[offset], "-h") == 0 || strcmp(argv[offset], "-?") == 0 || strcmp(argv[offset], "--help") == 0) {
+	    usage();
+            return 1;
+	}
+        if (strcmp(argv[offset], "-m") == 0) {
+            flags |= FLAG_SQL_MYSQL;
+            offset += 1;
+        }
+        else if (strcmp(argv[offset], "-f") == 0 || strcmp(argv[offset], "--fold") == 0) {
+            fold = 1;
+            offset += 1;
+        } else if (strcmp(argv[offset], "-d") == 0 || strcmp(argv[offset], "--detect") == 0) {
+            detect = 1;
+            offset += 1;
+        } else if (strcmp(argv[offset], "-ca") == 0) {
+            flags |= FLAG_SQL_ANSI;
+            offset += 1;
+        } else if (strcmp(argv[offset], "-cm") == 0) {
+            flags |= FLAG_SQL_MYSQL;
+            offset += 1;
+        } else if (strcmp(argv[offset], "-q0") == 0) {
+            flags |= FLAG_QUOTE_NONE;
+            offset += 1;
+        } else if (strcmp(argv[offset], "-q1") == 0) {
+            flags |= FLAG_QUOTE_SINGLE;
+            offset += 1;
+        } else if (strcmp(argv[offset], "-q2") == 0) {
+            flags |= FLAG_QUOTE_DOUBLE;
+            offset += 1;
+        } else {
+            break;
+        }
+    }
+
+    /* ATTENTION: argv is a C-string, null terminated.  We copy this
+     * to it's own location, WITHOUT null byte.  This way, valgrind
+     * can see if we run past the buffer.
+     */
+
+    slen = strlen(argv[offset]);
+    copy = (char* ) malloc(slen);
+    memcpy(copy, argv[offset], slen);
+    libinjection_sqli_init(&sf, copy, slen, flags);
+
+    if (detect == 1) {
+        issqli = libinjection_is_sqli(&sf);
+        if (issqli) {
+            printf("%s\n", sf.fingerprint);
+        }
+    } else if (fold == 1) {
+        count = libinjection_sqli_fold(&sf);
+        for (i = 0; i < count; ++i) {
+            print_token(&(sf.tokenvec[i]));
+        }
+    } else {
+        while (libinjection_sqli_tokenize(&sf)) {
+            print_token(sf.current);
+        }
+    }
+
+    free(copy);
+
+    return 0;
+}
--- a/internal/waf/injectionutils/libinjection/src/sqlparse2c.py
+++ b/internal/waf/injectionutils/libinjection/src/sqlparse2c.py
@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+#
+#  Copyright 2012, 2013 Nick Galbreath
+#  nickg@client9.com
+#  BSD License -- see COPYING.txt for details
+#
+
+"""
+Converts a libinjection JSON data file to a C header (.h) file
+"""
+
+import sys
+
+def toc(obj):
+    """ main routine """
+
+    print("""
+#ifndef LIBINJECTION_SQLI_DATA_H
+#define LIBINJECTION_SQLI_DATA_H
+
+#include "libinjection.h"
+#include "libinjection_sqli.h"
+
+typedef struct {
+    const char *word;
+    char type;
+} keyword_t;
+
+static size_t parse_money(sfilter * sf);
+static size_t parse_other(sfilter * sf);
+static size_t parse_white(sfilter * sf);
+static size_t parse_operator1(sfilter *sf);
+static size_t parse_char(sfilter *sf);
+static size_t parse_hash(sfilter *sf);
+static size_t parse_dash(sfilter *sf);
+static size_t parse_slash(sfilter *sf);
+static size_t parse_backslash(sfilter * sf);
+static size_t parse_operator2(sfilter *sf);
+static size_t parse_string(sfilter *sf);
+static size_t parse_word(sfilter * sf);
+static size_t parse_var(sfilter * sf);
+static size_t parse_number(sfilter * sf);
+static size_t parse_tick(sfilter * sf);
+static size_t parse_ustring(sfilter * sf);
+static size_t parse_qstring(sfilter * sf);
+static size_t parse_nqstring(sfilter * sf);
+static size_t parse_xstring(sfilter * sf);
+static size_t parse_bstring(sfilter * sf);
+static size_t parse_estring(sfilter * sf);
+static size_t parse_bword(sfilter * sf);
+""")
+
+    #
+    # Mapping of character to function
+    #
+    fnmap = {
+        'CHAR_WORD' : 'parse_word',
+        'CHAR_WHITE': 'parse_white',
+        'CHAR_OP1'  : 'parse_operator1',
+	'CHAR_UNARY': 'parse_operator1',
+        'CHAR_OP2'  : 'parse_operator2',
+	'CHAR_BANG' : 'parse_operator2',
+        'CHAR_BACK' : 'parse_backslash',
+        'CHAR_DASH' : 'parse_dash',
+        'CHAR_STR'  : 'parse_string',
+        'CHAR_HASH' : 'parse_hash',
+        'CHAR_NUM'  : 'parse_number',
+        'CHAR_SLASH': 'parse_slash',
+        'CHAR_SEMICOLON' : 'parse_char',
+	'CHAR_COMMA': 'parse_char',
+	'CHAR_LEFTPARENS': 'parse_char',
+	'CHAR_RIGHTPARENS': 'parse_char',
+	'CHAR_LEFTBRACE': 'parse_char',
+	'CHAR_RIGHTBRACE': 'parse_char',
+        'CHAR_VAR'  : 'parse_var',
+        'CHAR_OTHER': 'parse_other',
+        'CHAR_MONEY': 'parse_money',
+        'CHAR_TICK' : 'parse_tick',
+        'CHAR_UNDERSCORE': 'parse_underscore',
+        'CHAR_USTRING'   : 'parse_ustring',
+        'CHAR_QSTRING'   : 'parse_qstring',
+        'CHAR_NQSTRING'  : 'parse_nqstring',
+        'CHAR_XSTRING'   : 'parse_xstring',
+        'CHAR_BSTRING'   : 'parse_bstring',
+        'CHAR_ESTRING'   : 'parse_estring',
+        'CHAR_BWORD'     : 'parse_bword'
+        }
+    print()
+    print("typedef size_t (*pt2Function)(sfilter *sf);")
+    print("static const pt2Function char_parse_map[] = {")
+    pos = 0
+    for character in obj['charmap']:
+        print("   &%s, /* %d */" % (fnmap[character], pos))
+        pos += 1
+    print("};")
+    print()
+
+    # keywords
+    #  load them
+    keywords = obj['keywords']
+
+    for  fingerprint in list(obj['fingerprints']):
+        fingerprint = '0' + fingerprint.upper()
+        keywords[fingerprint] = 'F'
+
+    needhelp = []
+    for key  in keywords.keys():
+        if key != key.upper():
+            needhelp.append(key)
+
+    for key in needhelp:
+        tmpv = keywords[key]
+        del keywords[key]
+        keywords[key.upper()] = tmpv
+
+    print("static const keyword_t sql_keywords[] = {")
+    for k in sorted(keywords.keys()):
+        if len(k) > 31:
+            sys.stderr.write("ERROR: keyword greater than 32 chars\n")
+            sys.exit(1)
+
+        print("    {\"%s\", '%s'}," % (k, keywords[k]))
+    print("};")
+    print("static const size_t sql_keywords_sz = %d;" % (len(keywords), ))
+
+    print("#endif")
+    return 0
+
+if __name__ == '__main__':
+    import json
+    sys.exit(toc(json.load(sys.stdin)))
+
--- a/internal/waf/injectionutils/libinjection_sqli.c
+++ b/internal/waf/injectionutils/libinjection_sqli.c
@@ -0,0 +1,3 @@
+#define LIBINJECTION_VERSION "3.9.1"
+
+#include "libinjection/src/libinjection_sqli.c"
--- a/internal/waf/injectionutils/libinjection_xss.c
+++ b/internal/waf/injectionutils/libinjection_xss.c
@@ -0,0 +1,6 @@
+#define LIBINJECTION_VERSION "3.9.1"
+
+#include "libinjection/src/libinjection_xss.c"
+#include "libinjection/src/libinjection_html5.c"
+
+#define GOEDGE_VERSION "25" // last version is for GoEdge change
--- a/internal/waf/injectionutils/utils_sqli.go
+++ b/internal/waf/injectionutils/utils_sqli.go
@@ -0,0 +1,91 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build gcc
+
+package injectionutils
+
+/*
+#cgo CFLAGS: -O2 -I./libinjection/src
+
+#include <libinjection.h>
+#include <stdlib.h>
+*/
+import "C"
+import (
+	"net/url"
+	"strings"
+	"unicode/utf8"
+	"unsafe"
+)
+
+// DetectSQLInjectionCache detect sql injection in string with cache
+func DetectSQLInjectionCache(input string, isStrict bool, cacheLife int) bool {
+	var l = len(input)
+
+	if l == 0 {
+		return false
+	}
+
+	if cacheLife <= 0 || l < 128 || l > MaxCacheDataSize {
+		return DetectSQLInjection(input, isStrict)
+	}
+
+	var result = DetectSQLInjection(input, isStrict)
+	return result
+}
+
+// DetectSQLInjection detect sql injection in string
+func DetectSQLInjection(input string, isStrict bool) bool {
+	if len(input) == 0 {
+		return false
+	}
+
+	if !isStrict {
+		if len(input) > 1024 {
+			if !utf8.ValidString(input[:1024]) && !utf8.ValidString(input[:1023]) && !utf8.ValidString(input[:1022]) {
+				return false
+			}
+		} else {
+			if !utf8.ValidString(input) {
+				return false
+			}
+		}
+	}
+
+	if detectSQLInjectionOne(input) {
+		return true
+	}
+
+	// 兼容 /PATH?URI
+	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 1024 {
+		var argsIndex = strings.Index(input, "?")
+		if argsIndex > 0 {
+			var args = input[argsIndex+1:]
+			unescapeArgs, err := url.QueryUnescape(args)
+			if err == nil && args != unescapeArgs {
+				return detectSQLInjectionOne(args) || detectSQLInjectionOne(unescapeArgs)
+			} else {
+				return detectSQLInjectionOne(args)
+			}
+		}
+	} else {
+		unescapedInput, err := url.QueryUnescape(input)
+		if err == nil && input != unescapedInput {
+			return detectSQLInjectionOne(unescapedInput)
+		}
+	}
+
+	return false
+}
+
+func detectSQLInjectionOne(input string) bool {
+	if len(input) == 0 {
+		return false
+	}
+
+	var fingerprint [8]C.char
+	var fingerprintPtr = (*C.char)(unsafe.Pointer(&fingerprint[0]))
+	var cInput = C.CString(input)
+	defer C.free(unsafe.Pointer(cInput))
+
+	return C.libinjection_sqli(cInput, C.size_t(len(input)), fingerprintPtr) == 1
+}
--- a/internal/waf/injectionutils/utils_sqli_stub.go
+++ b/internal/waf/injectionutils/utils_sqli_stub.go
@@ -0,0 +1,21 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !gcc
+
+package injectionutils
+
+// DetectSQLInjectionCache detect sql injection in string with cache
+func DetectSQLInjectionCache(input string, isStrict bool, cacheLife int) bool {
+	// stub
+	return false
+}
+
+// DetectSQLInjection detect sql injection in string
+func DetectSQLInjection(input string, isStrict bool) bool {
+	// stub
+	return false
+}
+
+func detectSQLInjectionOne(input string) bool {
+	// stub
+	return false
+}
--- a/internal/waf/injectionutils/utils_sqli_test.go
+++ b/internal/waf/injectionutils/utils_sqli_test.go
@@ -0,0 +1,130 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build gcc
+
+package injectionutils_test
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/waf/injectionutils"
+	"github.com/iwind/TeaGo/assert"
+	"github.com/iwind/TeaGo/rands"
+	"github.com/iwind/TeaGo/types"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+func TestDetectSQLInjection(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	for _, isStrict := range []bool{true, false} {
+		a.IsTrue(injectionutils.DetectSQLInjection("' UNION SELECT * FROM myTable", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("id=1 ' UNION  select * from a", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--", isStrict))
+		a.IsFalse(injectionutils.DetectSQLInjection("' UNION SELECT1 * FROM myTable", isStrict))
+		a.IsFalse(injectionutils.DetectSQLInjection("1234", isStrict))
+		a.IsFalse(injectionutils.DetectSQLInjection("", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("id=123 OR 1=1&b=2", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("id=123&b=456&c=1' or 2=2", isStrict))
+		a.IsFalse(injectionutils.DetectSQLInjection("?", isStrict))
+		a.IsFalse(injectionutils.DetectSQLInjection("/hello?age=22", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("id=123%20or%201=1", isStrict))
+		a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/' or 1=1", isStrict))
+	}
+}
+
+func BenchmarkDetectSQLInjection(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--", false)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1", false)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_Normal_Small(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("a/sql/injection?id=1234", false)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Normal_Small(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("/sql/injection?id="+types.String(rands.Int64()%10000), false)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Normal_Middle(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("/search?q=libinjection+fingerprint&newwindow=1&sca_esv=589290862&sxsrf=AMwHvKnxuLoejn2XlNniffC12E_xc35M7Q%3A1702090118361&ei=htvzzebfFZfo1e8PvLGggAk&ved=0ahUKEwjTsYmnq4GDAxUWdPOHHbwkCJAQ4ddDCBA&uact=5&oq=libinjection+fingerprint&gs_lp=Egxnd3Mtd2l6LXNlcnAiGIxpYmluamVjdGlvbmBmaW5nKXJwcmludTIEEAAYHjIGVAAYCBgeSiEaUPkRWKFZcAJ4AZABAJgBHgGgAfoEqgwDMC40uAEGyAEA-AEBwgIKEAFYTxjWMuiwA-IDBBgAVteIBgGQBgI&sclient=gws-wiz-serp#ip=1", false)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Normal_Small_Cache(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjectionCache("/sql/injection?id="+types.String(rands.Int64()%10000), false, 1800)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	var s = strings.Repeat("A", 512)
+	b.ResetTimer()
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s+"&v=%20", false)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_Normal_Large_Cache(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	var s = strings.Repeat("A", 512)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjectionCache("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s, false, 1800)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Unescape(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1", false)
+		}
+	})
+}
--- a/internal/waf/injectionutils/utils_xss.go
+++ b/internal/waf/injectionutils/utils_xss.go
@@ -0,0 +1,89 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build gcc
+
+package injectionutils
+
+/*
+#cgo CFLAGS: -O2 -I./libinjection/src
+
+#include <libinjection.h>
+#include <stdlib.h>
+*/
+import "C"
+import (
+	"github.com/cespare/xxhash/v2"
+	"net/url"
+	"strconv"
+	"strings"
+	"unsafe"
+)
+
+const MaxCacheDataSize = 1 << 20
+
+func DetectXSSCache(input string, isStrict bool, cacheLife int) bool {
+	var l = len(input)
+
+	if l == 0 {
+		return false
+	}
+
+	if cacheLife <= 0 || l < 512 || l > MaxCacheDataSize {
+		return DetectXSS(input, isStrict)
+	}
+
+	var hash = xxhash.Sum64String(input)
+	var key = "WAF@XSS@" + strconv.FormatUint(hash, 10)
+	if isStrict {
+		key += "@1"
+	}
+
+	var result = DetectXSS(input, isStrict)
+	return result
+}
+
+// DetectXSS detect XSS in string
+func DetectXSS(input string, isStrict bool) bool {
+	if len(input) == 0 {
+		return false
+	}
+
+	if detectXSSOne(input, isStrict) {
+		return true
+	}
+
+	// 兼容 /PATH?URI
+	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 1024 {
+		var argsIndex = strings.Index(input, "?")
+		if argsIndex > 0 {
+			var args = input[argsIndex+1:]
+			unescapeArgs, err := url.QueryUnescape(args)
+			if err == nil && args != unescapeArgs {
+				return detectXSSOne(args, isStrict) || detectXSSOne(unescapeArgs, isStrict)
+			} else {
+				return detectXSSOne(args, isStrict)
+			}
+		}
+	} else {
+		unescapedInput, err := url.QueryUnescape(input)
+		if err == nil && input != unescapedInput {
+			return detectXSSOne(unescapedInput, isStrict)
+		}
+	}
+
+	return false
+}
+
+func detectXSSOne(input string, isStrict bool) bool {
+	if len(input) == 0 {
+		return false
+	}
+
+	var cInput = C.CString(input)
+	defer C.free(unsafe.Pointer(cInput))
+
+	var isStrictInt = 0
+	if isStrict {
+		isStrictInt = 1
+	}
+	return C.libinjection_xss(cInput, C.size_t(len(input)), C.int(isStrictInt)) == 1
+}
--- a/internal/waf/injectionutils/utils_xss_stub.go
+++ b/internal/waf/injectionutils/utils_xss_stub.go
@@ -0,0 +1,22 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !gcc
+
+package injectionutils
+
+const MaxCacheDataSize = 1 << 20
+
+func DetectXSSCache(input string, isStrict bool, cacheLife int) bool {
+	// stub
+	return false
+}
+
+// DetectXSS detect XSS in string
+func DetectXSS(input string, isStrict bool) bool {
+	// stub
+	return false
+}
+
+func detectXSSOne(input string, isStrict bool) bool {
+	// stub
+	return false
+}
--- a/internal/waf/injectionutils/utils_xss_test.go
+++ b/internal/waf/injectionutils/utils_xss_test.go
@@ -0,0 +1,94 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build gcc
+
+package injectionutils_test
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/waf/injectionutils"
+	"github.com/iwind/TeaGo/assert"
+	"runtime"
+	"testing"
+)
+
+func TestDetectXSS(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsFalse(injectionutils.DetectXSS("", true))
+	a.IsFalse(injectionutils.DetectXSS("abc", true))
+	a.IsTrue(injectionutils.DetectXSS("<script>", true))
+	a.IsTrue(injectionutils.DetectXSS("<link>", true))
+	a.IsFalse(injectionutils.DetectXSS("<html><span>", true))
+	a.IsFalse(injectionutils.DetectXSS("&lt;script&gt;", true))
+	a.IsTrue(injectionutils.DetectXSS("/path?onmousedown=a", true))
+	a.IsTrue(injectionutils.DetectXSS("/path?onkeyup=a", true))
+	a.IsTrue(injectionutils.DetectXSS("onkeyup=a", true))
+	a.IsTrue(injectionutils.DetectXSS("<iframe scrolling='no'>", true))
+	a.IsFalse(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>", true))
+	a.IsTrue(injectionutils.DetectXSS("name=s&description=%3Cscript+src%3D%22a.js%22%3Edddd%3C%2Fscript%3E", true))
+	a.IsFalse(injectionutils.DetectXSS(`<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 6.0.0">
+   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+      <rdf:Description rdf:about=""
+            xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
+         <tiff:Orientation>1</tiff:Orientation>
+      </rdf:Description>
+   </rdf:RDF>
+</x:xmpmeta>`, true)) // included in some photo files
+	a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
+}
+
+func TestDetectXSS_Strict(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
+	a.IsTrue(injectionutils.DetectXSS(`<xml></xml>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<img src=\"\"/>`, false))
+	a.IsFalse(injectionutils.DetectXSS(`<img src=\"test.jpg\"/>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<a href="aaaa"></a>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<span style="color: red"></span>`, false))
+	a.IsTrue(injectionutils.DetectXSS(`<span style="color: red"></span>`, true))
+	a.IsFalse(injectionutils.DetectXSS("https://example.com?style=list", false))
+	a.IsTrue(injectionutils.DetectXSS("https://example.com?style=list", true))
+}
+
+func BenchmarkDetectXSS_MISS(b *testing.B) {
+	var result = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>", false)
+	if result {
+		b.Fatal("'result' should not be 'true'")
+	}
+
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>", false)
+		}
+	})
+}
+
+func BenchmarkDetectXSS_MISS_Cache(b *testing.B) {
+	var result = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>", false)
+	if result {
+		b.Fatal("'result' should not be 'true'")
+	}
+
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectXSSCache("<html><body><span>RequestId: 1234567890</span></body></html>", false, 1800)
+		}
+	})
+}
+
+func BenchmarkDetectXSS_HIT(b *testing.B) {
+	var result = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>", false)
+	if !result {
+		b.Fatal("'result' should not be 'false'")
+	}
+
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>", false)
+		}
+	})
+}
--- a/internal/web/actions/actionutils/parent_action.go
+++ b/internal/web/actions/actionutils/parent_action.go
@@ -5,9 +5,13 @@ import (
 	"errors"
 	"fmt"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
 	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/logs"
@@ -35,7 +39,7 @@ func (this *ParentAction) ErrorPage(err error) {
 	}

 	// 日志
-	this.CreateLog(oplogs.LevelError, "系统发生错误：%s", err.Error())
+	this.CreateLog(oplogs.LevelError, codes.AdminCommon_LogSystemError, err.Error())

 	if this.Request.Method == http.MethodGet {
 		FailPage(this, err)
@@ -89,11 +93,12 @@ func (this *ParentAction) TinyMenu(menuItem string) {
 }

 func (this *ParentAction) AdminId() int64 {
-	return this.Context.GetInt64("adminId")
+	return this.Context.GetInt64(teaconst.SessionAdminId)
 }

-func (this *ParentAction) CreateLog(level string, description string, args ...interface{}) {
-	desc := fmt.Sprintf(description, args...)
+func (this *ParentAction) CreateLog(level string, messageCode langs.MessageCode, args ...any) {
+	var description = messageCode.For(this.LangCode())
+	var desc = fmt.Sprintf(description, args...)
 	if level == oplogs.LevelInfo {
 		if this.Code != 200 {
 			level = oplogs.LevelWarn
@@ -102,14 +107,14 @@ func (this *ParentAction) CreateLog(level string, description string, args ...in
 			}
 		}
 	}
-	err := dao.SharedLogDAO.CreateAdminLog(this.AdminContext(), level, this.Request.URL.Path, desc, this.RequestRemoteIP())
+	err := dao.SharedLogDAO.CreateAdminLog(this.AdminContext(), level, this.Request.URL.Path, desc, loginutils.RemoteIP(&this.ActionObject), messageCode, args)
 	if err != nil {
 		utils.PrintError(err)
 	}
 }

-func (this *ParentAction) CreateLogInfo(description string, args ...interface{}) {
-	this.CreateLog(oplogs.LevelInfo, description, args...)
+func (this *ParentAction) CreateLogInfo(messageCode langs.MessageCode, args ...any) {
+	this.CreateLog(oplogs.LevelInfo, messageCode, args...)
 }

 // RPC 获取RPC
@@ -148,3 +153,19 @@ func (this *ParentAction) AdminContext() context.Context {
 func (this *ParentAction) ViewData() maps.Map {
 	return this.Data
 }
+
+func (this *ParentAction) LangCode() string {
+	return configloaders.FindAdminLangForAction(this)
+}
+
+func (this *ParentAction) Lang(messageCode langs.MessageCode, args ...any) string {
+	return langs.Message(this.LangCode(), messageCode, args...)
+}
+
+func (this *ParentAction) FailLang(messageCode langs.MessageCode, args ...any) {
+	this.Fail(langs.Message(this.LangCode(), messageCode, args...))
+}
+
+func (this *ParentAction) FailFieldLang(field string, messageCode langs.MessageCode, args ...any) {
+	this.FailField(field, langs.Message(this.LangCode(), messageCode, args...))
+}
--- a/internal/web/actions/actionutils/tabbar.go
+++ b/internal/web/actions/actionutils/tabbar.go
@@ -2,37 +2,49 @@ package actionutils

 import (
 	"github.com/iwind/TeaGo/actions"
-	"github.com/iwind/TeaGo/maps"
 )

+type TabItem struct {
+	Name       string `json:"name"`
+	SubName    string `json:"subName"`
+	URL        string `json:"url"`
+	Icon       string `json:"icon"`
+	IsActive   bool   `json:"isActive"`
+	IsRight    bool   `json:"isRight"`
+	IsTitle    bool   `json:"isTitle"`
+	IsDisabled bool   `json:"isDisabled"`
+}
+
 // Tabbar Tabbar定义
 type Tabbar struct {
-	items []maps.Map
+	items []*TabItem
 }

 // NewTabbar 获取新对象
 func NewTabbar() *Tabbar {
 	return &Tabbar{
-		items: []maps.Map{},
+		items: []*TabItem{},
 	}
 }

 // Add 添加菜单项
-func (this *Tabbar) Add(name string, subName string, url string, icon string, active bool) maps.Map {
-	m := maps.Map{
-		"name":    name,
-		"subName": subName,
-		"url":     url,
-		"icon":    icon,
-		"active":  active,
-		"right":   false,
+func (this *Tabbar) Add(name string, subName string, url string, icon string, active bool) *TabItem {
+	var m = &TabItem{
+		Name:       name,
+		SubName:    subName,
+		URL:        url,
+		Icon:       icon,
+		IsActive:   active,
+		IsRight:    false,
+		IsTitle:    false,
+		IsDisabled: false,
 	}
 	this.items = append(this.items, m)
 	return m
 }

 // Items 取得所有的Items
-func (this *Tabbar) Items() []maps.Map {
+func (this *Tabbar) Items() []*TabItem {
 	return this.items
 }

--- a/internal/web/actions/actionutils/utils.go
+++ b/internal/web/actions/actionutils/utils.go
@@ -4,8 +4,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
-	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	rpcerrors "github.com/TeaOSLab/EdgeCommon/pkg/rpc/errors"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/actions"
@@ -23,86 +24,46 @@ import (
 )

 // Fail 提示服务器错误信息
-func Fail(action actions.ActionWrapper, err error) {
-	if err != nil {
-		logs.Println("[" + reflect.TypeOf(action).String() + "]" + findStack(err.Error()))
-	}
-	action.Object().Fail(teaconst.ErrServer + "（" + err.Error() + "）")
-}
-
-// FailPage 提示页面错误信息
-func FailPage(action actions.ActionWrapper, err error) {
+func Fail(actionPtr actions.ActionWrapper, err error) {
 	if err == nil {
 		err = errors.New("unknown error")
 	}

-	logs.Println("[" + reflect.TypeOf(action).String() + "]" + findStack(err.Error()))
+	var langCode = configloaders.FindAdminLangForAction(actionPtr)
+	var serverErrString = codes.AdminCommon_ServerError.For(langCode)

-	// 当前API终端地址
-	var apiEndpoints = []string{}
-	apiConfig, apiConfigErr := configs.LoadAPIConfig()
-	if apiConfigErr == nil && apiConfig != nil {
-		apiEndpoints = append(apiEndpoints, apiConfig.RPC.Endpoints...)
-	}
+	logs.Println("[" + reflect.TypeOf(actionPtr).String() + "]" + findStack(err.Error()))

-	var isRPCConnError bool
-	err, isRPCConnError = rpcerrors.HumanError(err, apiEndpoints, Tea.ConfigFile("api.yaml"))
-	var apiNodeIsStarting = false
-	var apiNodeProgress = ""
-	if isRPCConnError {
-		// API节点是否正在启动
-		var sock = gosock.NewTmpSock("edge-api")
-		reply, err := sock.SendTimeout(&gosock.Command{
-			Code:   "starting",
-			Params: nil,
-		}, 1*time.Second)
-		if err == nil && reply != nil {
-			var params = maps.NewMap(reply.Params)
-			if params.GetBool("isStarting") {
-				apiNodeIsStarting = true
-
-				var progressMap = params.GetMap("progress")
-				apiNodeProgress = progressMap.GetString("description")
-			}
-		}
-	}
-
-	action.Object().ResponseWriter.WriteHeader(http.StatusInternalServerError)
-	if len(action.Object().Request.Header.Get("X-Requested-With")) > 0 {
-		action.Object().WriteString(teaconst.ErrServer)
+	_, _, isLocalAPI, issuesHTML := parseAPIErr(actionPtr, err)
+	if isLocalAPI && len(issuesHTML) > 0 {
+		actionPtr.Object().Fail(serverErrString + "（" + err.Error() + "；最近一次错误提示：" + issuesHTML + "）")
 	} else {
-		// 本地的一些错误提示
-		var isLocalAPI = false
-		if isRPCConnError {
-			host, _, hostErr := net.SplitHostPort(action.Object().Request.Host)
-			if hostErr == nil {
-				for _, endpoint := range apiEndpoints {
-					if strings.HasPrefix(endpoint, "http://"+host) || strings.HasPrefix(endpoint, "https://"+host) || strings.HasPrefix(endpoint, host) {
-						isLocalAPI = true
-						break
-					}
-				}
-			}
-		}
+		actionPtr.Object().Fail(serverErrString + "（" + err.Error() + "）")
+	}

-		var issuesHTML = ""
-		if isLocalAPI {
-			// 读取本地API节点的issues
-			issuesData, issuesErr := os.ReadFile(Tea.Root + "/edge-api/logs/issues.log")
-			if issuesErr == nil {
-				var issueMaps = []maps.Map{}
-				issuesErr = json.Unmarshal(issuesData, &issueMaps)
-				if issuesErr == nil && len(issueMaps) > 0 {
-					var issueMap = issueMaps[0]
-					issuesHTML = "本地API节点启动错误：" + issueMap.GetString("message") + "，处理建议：" + issueMap.GetString("suggestion")
-				}
-			}
-		}
+}

+// FailPage 提示页面错误信息
+func FailPage(actionPtr actions.ActionWrapper, err error) {
+	if err == nil {
+		err = errors.New("unknown error")
+	}
+
+	var langCode = configloaders.FindAdminLangForAction(actionPtr)
+	var serverErrString = codes.AdminCommon_ServerError.For(langCode)
+
+	logs.Println("[" + reflect.TypeOf(actionPtr).String() + "]" + findStack(err.Error()))
+
+	actionPtr.Object().ResponseWriter.WriteHeader(http.StatusInternalServerError)
+
+	if len(actionPtr.Object().Request.Header.Get("X-Requested-With")) > 0 {
+		actionPtr.Object().WriteString(serverErrString)
+	} else {
+		apiNodeIsStarting, apiNodeProgress, _, issuesHTML := parseAPIErr(actionPtr, err)
 		var html = `<!DOCTYPE html>
 <html>
 	<head>
-		<title>有系统错误需要处理</title>
+		<title>正在处理...</title>
 		<meta charset="UTF-8"/>
 		<style type="text/css">
 		hr { border-top: 1px #ccc solid; }
@@ -116,12 +77,12 @@ func FailPage(action actions.ActionWrapper, err error) {
 			html += "<div class=\"red\">API节点正在启动，请耐心等待完成"

 			if len(apiNodeProgress) > 0 {
-				html += "：" + apiNodeProgress
+				html += "：" + apiNodeProgress + "（刷新当前页面查看最新状态）"
 			}

 			html += "</div>"
 		} else {
-			html += teaconst.ErrServer + `
+			html += serverErrString + `
 		<div>可以通过查看 <strong><em>$安装目录/logs/run.log</em></strong> 日志文件查看具体的错误提示。</div>
 		<hr/>
 		<div class="red">Error: ` + err.Error() + `</div>`
@@ -132,7 +93,7 @@ func FailPage(action actions.ActionWrapper, err error) {
 			}
 		}

-		action.Object().WriteString(html + `
+		actionPtr.Object().WriteString(html + `
 		</div>
 	</body>
 </html>`)
@@ -146,13 +107,13 @@ func MatchPath(action *actions.ActionObject, path string) bool {

 // FindParentAction 查找父级Action
 func FindParentAction(actionPtr actions.ActionWrapper) *ParentAction {
-	parentActionValue := reflect.ValueOf(actionPtr).Elem().FieldByName("ParentAction")
-	if parentActionValue.IsValid() {
-		parentAction, isOk := parentActionValue.Interface().(ParentAction)
-		if isOk {
-			return &parentAction
-		}
+	action, ok := actionPtr.(interface {
+		Parent() *ParentAction
+	})
+	if ok {
+		return action.Parent()
 	}
+
 	return nil
 }

@@ -179,7 +140,7 @@ func findStack(err string) string {
 				filename = filename[strings.Index(filename, "src"):]
 			}

-			err += "\n\t\t" + string(filename) + ":" + fmt.Sprintf("%d", lineNo)
+			err += "\n\t\t" + filename + ":" + fmt.Sprintf("%d", lineNo)

 			break
 		}
@@ -187,3 +148,61 @@ func findStack(err string) string {

 	return err
 }
+
+// 分析API节点的错误信息
+func parseAPIErr(action actions.ActionWrapper, err error) (apiNodeIsStarting bool, apiNodeProgress string, isLocalAPI bool, issuesHTML string) {
+	// 当前API终端地址
+	var apiEndpoints = []string{}
+	apiConfig, apiConfigErr := configs.LoadAPIConfig()
+	if apiConfigErr == nil && apiConfig != nil {
+		apiEndpoints = append(apiEndpoints, apiConfig.RPCEndpoints...)
+	}
+
+	var isRPCConnError bool
+	_, isRPCConnError = rpcerrors.HumanError(err, apiEndpoints, Tea.ConfigFile(configs.ConfigFileName))
+	if isRPCConnError {
+		// API节点是否正在启动
+		var sock = gosock.NewTmpSock("edge-api")
+		reply, err := sock.SendTimeout(&gosock.Command{
+			Code:   "starting",
+			Params: nil,
+		}, 1*time.Second)
+		if err == nil && reply != nil {
+			var params = maps.NewMap(reply.Params)
+			if params.GetBool("isStarting") {
+				apiNodeIsStarting = true
+
+				var progressMap = params.GetMap("progress")
+				apiNodeProgress = progressMap.GetString("description")
+			}
+		}
+	}
+
+	// 本地的一些错误提示
+	if isRPCConnError {
+		host, _, hostErr := net.SplitHostPort(action.Object().Request.Host)
+		if hostErr == nil {
+			for _, endpoint := range apiEndpoints {
+				if strings.HasPrefix(endpoint, "http://"+host) || strings.HasPrefix(endpoint, "https://"+host) || strings.HasPrefix(endpoint, host) {
+					isLocalAPI = true
+					break
+				}
+			}
+		}
+	}
+
+	if isLocalAPI {
+		// 读取本地API节点的issues
+		issuesData, issuesErr := os.ReadFile(Tea.Root + "/edge-api/logs/issues.log")
+		if issuesErr == nil {
+			var issueMaps = []maps.Map{}
+			issuesErr = json.Unmarshal(issuesData, &issueMaps)
+			if issuesErr == nil && len(issueMaps) > 0 {
+				var issueMap = issueMaps[0]
+				issuesHTML = "本地API节点启动错误：" + issueMap.GetString("message") + "，处理建议：" + issueMap.GetString("suggestion")
+			}
+		}
+	}
+
+	return
+}
--- a/internal/web/actions/default/admins/accesskeys/createPopup.go
+++ b/internal/web/actions/default/admins/accesskeys/createPopup.go
@@ -4,6 +4,7 @@ package accesskeys

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/actions"
 )
@@ -43,7 +44,7 @@ func (this *CreatePopupAction) RunPost(params struct {
 		return
 	}

-	defer this.CreateLogInfo("创建AccessKey %d", accessKeyIdResp.UserAccessKeyId)
+	defer this.CreateLogInfo(codes.UserAccessKey_LogCreateUserAccessKey, accessKeyIdResp.UserAccessKeyId)

 	this.Success()
 }
--- a/internal/web/actions/default/admins/accesskeys/delete.go
+++ b/internal/web/actions/default/admins/accesskeys/delete.go
@@ -2,6 +2,7 @@ package accesskeys

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 )

@@ -12,7 +13,7 @@ type DeleteAction struct {
 func (this *DeleteAction) RunPost(params struct {
 	AccessKeyId int64
 }) {
-	defer this.CreateLogInfo("删除AccessKey %d", params.AccessKeyId)
+	defer this.CreateLogInfo(codes.UserAccessKey_LogDeleteUserAccessKey, params.AccessKeyId)

 	_, err := this.RPC().UserAccessKeyRPC().DeleteUserAccessKey(this.AdminContext(), &pb.DeleteUserAccessKeyRequest{UserAccessKeyId: params.AccessKeyId})
 	if err != nil {
--- a/internal/web/actions/default/admins/accesskeys/updateIsOn.go
+++ b/internal/web/actions/default/admins/accesskeys/updateIsOn.go
@@ -2,6 +2,7 @@ package accesskeys

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 )

@@ -13,7 +14,7 @@ func (this *UpdateIsOnAction) RunPost(params struct {
 	AccessKeyId int64
 	IsOn        bool
 }) {
-	defer this.CreateLogInfo("设置AccessKey %d 启用状态", params.AccessKeyId)
+	defer this.CreateLogInfo(codes.UserAccessKey_LogUpdateUserAccessKeyIsOn, params.AccessKeyId)

 	_, err := this.RPC().UserAccessKeyRPC().UpdateUserAccessKeyIsOn(this.AdminContext(), &pb.UpdateUserAccessKeyIsOnRequest{
 		UserAccessKeyId: params.AccessKeyId,
--- a/internal/web/actions/default/admins/admin.go
+++ b/internal/web/actions/default/admins/admin.go
@@ -45,12 +45,13 @@ func (this *AdminAction) RunGet(params struct {
 		"isOn":            admin.IsOn,
 		"isSuper":         admin.IsSuper,
 		"canLogin":        admin.CanLogin,
+		"hasWeakPassword": admin.HasWeakPassword,
 		"countAccessKeys": countAccessKeys,
 	}

 	// 权限
 	moduleMaps := []maps.Map{}
-	for _, m := range configloaders.AllModuleMaps() {
+	for _, m := range configloaders.AllModuleMaps(this.LangCode()) {
 		code := m.GetString("code")
 		isChecked := false
 		for _, module := range admin.Modules {
--- a/internal/web/actions/default/admins/createPopup.go
+++ b/internal/web/actions/default/admins/createPopup.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
 	"github.com/iwind/TeaGo/actions"
@@ -20,7 +21,7 @@ func (this *CreatePopupAction) Init() {
 }

 func (this *CreatePopupAction) RunGet(params struct{}) {
-	this.Data["modules"] = configloaders.AllModuleMaps()
+	this.Data["modules"] = configloaders.AllModuleMaps(this.LangCode())
 	this.Show()
 }

@@ -114,7 +115,7 @@ func (this *CreatePopupAction) RunPost(params struct {
 		}
 	}

-	defer this.CreateLogInfo("创建系统用户 %d", createResp.AdminId)
+	defer this.CreateLogInfo(codes.Admin_LogCreateAdmin, createResp.AdminId)

 	// 通知更改
 	err = configloaders.NotifyAdminModuleMappingChange()
--- a/internal/web/actions/default/admins/delete.go
+++ b/internal/web/actions/default/admins/delete.go
@@ -3,6 +3,7 @@ package admins
 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 )

@@ -13,7 +14,7 @@ type DeleteAction struct {
 func (this *DeleteAction) RunPost(params struct {
 	AdminId int64
 }) {
-	defer this.CreateLogInfo("删除系统用户 %d", params.AdminId)
+	defer this.CreateLogInfo(codes.Admin_LogDeleteAdmin, params.AdminId)

 	_, err := this.RPC().AdminRPC().DeleteAdmin(this.AdminContext(), &pb.DeleteAdminRequest{AdminId: params.AdminId})
 	if err != nil {
--- a/internal/web/actions/default/admins/index.go
+++ b/internal/web/actions/default/admins/index.go
@@ -15,34 +15,46 @@ func (this *IndexAction) Init() {
 	this.Nav("", "", "")
 }

-func (this *IndexAction) RunGet(params struct{}) {
-	countResp, err := this.RPC().AdminRPC().CountAllEnabledAdmins(this.AdminContext(), &pb.CountAllEnabledAdminsRequest{})
-	if err != nil {
-		this.ErrorPage(err)
-		return
-	}
-	page := this.NewPage(countResp.Count)
-	this.Data["page"] = page.AsHTML()
+func (this *IndexAction) RunGet(params struct {
+	Keyword         string
+	HasWeakPassword bool
+}) {
+	this.Data["keyword"] = params.Keyword
+	this.Data["hasWeakPassword"] = params.HasWeakPassword

-	adminsResp, err := this.RPC().AdminRPC().ListEnabledAdmins(this.AdminContext(), &pb.ListEnabledAdminsRequest{
-		Offset: page.Offset,
-		Size:   page.Size,
+	countResp, err := this.RPC().AdminRPC().CountAllEnabledAdmins(this.AdminContext(), &pb.CountAllEnabledAdminsRequest{
+		Keyword:         params.Keyword,
+		HasWeakPassword: params.HasWeakPassword,
 	})
 	if err != nil {
 		this.ErrorPage(err)
 		return
 	}
-	adminMaps := []maps.Map{}
+	var page = this.NewPage(countResp.Count)
+	this.Data["page"] = page.AsHTML()
+
+	adminsResp, err := this.RPC().AdminRPC().ListEnabledAdmins(this.AdminContext(), &pb.ListEnabledAdminsRequest{
+		Keyword:         params.Keyword,
+		HasWeakPassword: params.HasWeakPassword,
+		Offset:          page.Offset,
+		Size:            page.Size,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var adminMaps = []maps.Map{}
 	for _, admin := range adminsResp.Admins {
 		adminMaps = append(adminMaps, maps.Map{
-			"id":           admin.Id,
-			"isOn":         admin.IsOn,
-			"isSuper":      admin.IsSuper,
-			"username":     admin.Username,
-			"fullname":     admin.Fullname,
-			"createdTime":  timeutil.FormatTime("Y-m-d H:i:s", admin.CreatedAt),
-			"otpLoginIsOn": admin.OtpLogin != nil && admin.OtpLogin.IsOn,
-			"canLogin":     admin.CanLogin,
+			"id":              admin.Id,
+			"isOn":            admin.IsOn,
+			"isSuper":         admin.IsSuper,
+			"username":        admin.Username,
+			"fullname":        admin.Fullname,
+			"createdTime":     timeutil.FormatTime("Y-m-d H:i:s", admin.CreatedAt),
+			"otpLoginIsOn":    admin.OtpLogin != nil && admin.OtpLogin.IsOn,
+			"canLogin":        admin.CanLogin,
+			"hasWeakPassword": admin.HasWeakPassword,
 		})
 	}
 	this.Data["admins"] = adminMaps
--- a/internal/web/actions/default/admins/otpQrcode.go
+++ b/internal/web/actions/default/admins/otpQrcode.go
@@ -67,5 +67,5 @@ func (this *OtpQrcodeAction) RunGet(params struct {
 		return
 	}
 	this.AddHeader("Content-Type", "image/png")
-	this.Write(data)
+	_, _ = this.Write(data)
 }
--- a/internal/web/actions/default/admins/recipients/createPopup.go
+++ b/internal/web/actions/default/admins/recipients/createPopup.go
@@ -1,81 +0,0 @@
-package recipients
-
-import (
-	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
-	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/iwind/TeaGo/actions"
-	"regexp"
-)
-
-type CreatePopupAction struct {
-	actionutils.ParentAction
-}
-
-func (this *CreatePopupAction) Init() {
-	this.Nav("", "", "")
-}
-
-func (this *CreatePopupAction) RunGet(params struct{}) {
-	this.Show()
-}
-
-func (this *CreatePopupAction) RunPost(params struct {
-	AdminId    int64
-	InstanceId int64
-	User       string
-
-	TelegramToken string
-
-	GroupIds    string
-	Description string
-
-	TimeFromHour   string
-	TimeFromMinute string
-	TimeFromSecond string
-
-	TimeToHour   string
-	TimeToMinute string
-	TimeToSecond string
-
-	Must *actions.Must
-	CSRF *actionutils.CSRF
-}) {
-	params.Must.
-		Field("adminId", params.AdminId).
-		Gt(0, "请选择系统用户").
-		Field("instanceId", params.InstanceId).
-		Gt(0, "请选择媒介")
-
-	groupIds := utils.SplitNumbers(params.GroupIds)
-
-	var digitReg = regexp.MustCompile(`^\d+$`)
-
-	var timeFrom = ""
-	if digitReg.MatchString(params.TimeFromHour) && digitReg.MatchString(params.TimeFromMinute) && digitReg.MatchString(params.TimeFromSecond) {
-		timeFrom = params.TimeFromHour + ":" + params.TimeFromMinute + ":" + params.TimeFromSecond
-	}
-
-	var timeTo = ""
-	if digitReg.MatchString(params.TimeToHour) && digitReg.MatchString(params.TimeToMinute) && digitReg.MatchString(params.TimeToSecond) {
-		timeTo = params.TimeToHour + ":" + params.TimeToMinute + ":" + params.TimeToSecond
-	}
-
-	resp, err := this.RPC().MessageRecipientRPC().CreateMessageRecipient(this.AdminContext(), &pb.CreateMessageRecipientRequest{
-		AdminId:                  params.AdminId,
-		MessageMediaInstanceId:   params.InstanceId,
-		User:                     params.User,
-		MessageRecipientGroupIds: groupIds,
-		Description:              params.Description,
-		TimeFrom:                 timeFrom,
-		TimeTo:                   timeTo,
-	})
-	if err != nil {
-		this.ErrorPage(err)
-		return
-	}
-
-	defer this.CreateLogInfo("创建媒介接收人 %d", resp.MessageRecipientId)
-
-	this.Success()
-}
--- a/internal/web/actions/default/admins/recipients/delete.go
+++ b/internal/web/actions/default/admins/recipients/delete.go
@@ -1,24 +0,0 @@
-package recipients
-
-import (
-	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-)
-
-type DeleteAction struct {
-	actionutils.ParentAction
-}
-
-func (this *DeleteAction) RunPost(params struct {
-	RecipientId int64
-}) {
-	defer this.CreateLogInfo("删除媒介接收人 %d", params.RecipientId)
-
-	_, err := this.RPC().MessageRecipientRPC().DeleteMessageRecipient(this.AdminContext(), &pb.DeleteMessageRecipientRequest{MessageRecipientId: params.RecipientId})
-	if err != nil {
-		this.ErrorPage(err)
-		return
-	}
-
-	this.Success()
-}
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`copy from https://github.com/libinjection/libinjection`