版本号修改为1.0.4

缓存索引数据库加载失败时自动尝试重建数据库文件
环路（127.0.0.1）请求也统计带宽
2023-04-24 10:17:55 +08:00 · 2023-04-21 17:38:31 +08:00 · 2023-04-21 15:08:44 +08:00 · 2023-04-19 22:15:57 +08:00 · 2023-04-19 22:06:39 +08:00 · 2023-04-19 13:20:31 +08:00
172 changed files with 4926 additions and 1229 deletions
--- a/build/configs/README.md
+++ b/build/configs/README.md
@@ -1 +1,2 @@
-* `global.yaml` - 全局配置
+* `api.template.yaml` - API相关配置模板
+* `cluster.template.yaml` - 通过集群自动接入节点模板
--- a/cmd/edge-node/main.go
+++ b/cmd/edge-node/main.go
@@ -25,7 +25,7 @@ func main() {
 		Product(teaconst.ProductName).
 		Usage(teaconst.ProcessName + " [-v|start|stop|restart|status|quit|test|reload|service|daemon|pprof|accesslog]").
 		Usage(teaconst.ProcessName + " [trackers|goman|conns|gc]").
-		Usage(teaconst.ProcessName + " [ip.drop|ip.reject|ip.remove] IP")
+		Usage(teaconst.ProcessName + " [ip.drop|ip.reject|ip.remove|ip.close] IP")

 	app.On("test", func() {
 		err := nodes.NewNode().Test()
@@ -241,6 +241,38 @@ func main() {
 			}
 		}
 	})
+	app.On("ip.close", func() {
+		var args = os.Args[2:]
+		if len(args) == 0 {
+			fmt.Println("Usage: edge-node ip.close IP")
+			return
+		}
+		var ip = args[0]
+		if len(net.ParseIP(ip)) == 0 {
+			fmt.Println("IP '" + ip + "' is invalid")
+			return
+		}
+
+		fmt.Println("close ip '" + ip)
+
+		var sock = gosock.NewTmpSock(teaconst.ProcessName)
+		reply, err := sock.Send(&gosock.Command{
+			Code: "closeIP",
+			Params: map[string]any{
+				"ip": ip,
+			},
+		})
+		if err != nil {
+			fmt.Println("[ERROR]" + err.Error())
+		} else {
+			var errString = maps.NewMap(reply.Params).GetString("error")
+			if len(errString) > 0 {
+				fmt.Println("[ERROR]" + errString)
+			} else {
+				fmt.Println("ok")
+			}
+		}
+	})
 	app.On("ip.remove", func() {
 		var args = os.Args[2:]
 		if len(args) == 0 {
--- a/internal/apps/main.go
+++ b/internal/apps/main.go
@@ -0,0 +1,11 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package apps
+
+import teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
+
+func RunMain(f func()) {
+	if teaconst.IsMain {
+		f()
+	}
+}
--- a/internal/caches/item.go
+++ b/internal/caches/item.go
@@ -1,7 +1,7 @@
 package caches

 import (
-	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"strings"
 	"time"
 )
@@ -36,7 +36,7 @@ type Item struct {
 }

 func (this *Item) IsExpired() bool {
-	return this.ExpiredAt < utils.UnixTime()
+	return this.ExpiredAt < fasttime.Now().Unix()
 }

 func (this *Item) TotalSize() int64 {
--- a/internal/caches/list_file.go
+++ b/internal/caches/list_file.go
@@ -7,9 +7,9 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/ttlcache"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/dbs"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/fnv"
 	"github.com/iwind/TeaGo/types"
-	_ "github.com/mattn/go-sqlite3"
 	"os"
 	"sync/atomic"
 	"time"
@@ -450,7 +450,7 @@ func (this *FileList) UpgradeV3(oldDir string, brokenOnError bool) error {
 		remotelogs.Println("CACHE", "upgrading local database finished")
 	}()

-	db, err := sql.Open("sqlite3", "file:"+indexDBPath+"?cache=shared&mode=rwc&_journal_mode=WAL&_sync=OFF")
+	db, err := dbs.OpenWriter("file:" + indexDBPath + "?cache=shared&mode=rwc&_journal_mode=WAL&_sync=OFF&_locking_mode=EXCLUSIVE")
 	if err != nil {
 		return err
 	}
--- a/internal/caches/list_file_db.go
+++ b/internal/caches/list_file_db.go
@@ -3,13 +3,13 @@
 package caches

 import (
-	"database/sql"
 	"errors"
 	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/dbs"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"github.com/iwind/TeaGo/logs"
 	"github.com/iwind/TeaGo/types"
 	timeutil "github.com/iwind/TeaGo/utils/time"
@@ -82,14 +82,15 @@ func (this *FileListDB) Open(dbPath string) error {
 	}

 	// write db
-	writeDB, err := sql.Open("sqlite3", "file:"+dbPath+"?cache=private&mode=rwc&_journal_mode=WAL&_sync=OFF&_cache_size="+types.String(cacheSize)+"&_secure_delete=FAST")
+	// 这里不能加 EXCLUSIVE 锁，不然异步事务可能会失败
+	writeDB, err := dbs.OpenWriter("file:" + dbPath + "?cache=private&mode=rwc&_journal_mode=WAL&_sync=OFF&_cache_size=" + types.String(cacheSize) + "&_secure_delete=FAST")
 	if err != nil {
 		return errors.New("open write database failed: " + err.Error())
 	}

 	writeDB.SetMaxOpenConns(1)

-	this.writeDB = dbs.NewDB(writeDB)
+	this.writeDB = writeDB

 	// TODO 耗时过长，暂时不整理数据库
 	// TODO 需要根据行数来判断是否VACUUM
@@ -109,7 +110,7 @@ func (this *FileListDB) Open(dbPath string) error {
 		}
 	}

-	this.writeBatch = dbs.NewBatch(writeDB, 4)
+	this.writeBatch = dbs.NewBatch(writeDB.RawDB(), 4)
 	this.writeBatch.OnFail(func(err error) {
 		remotelogs.Warn("LIST_FILE_DB", "run batch failed: "+err.Error()+" ("+filepath.Base(this.dbPath)+")")
 	})
@@ -124,14 +125,14 @@ func (this *FileListDB) Open(dbPath string) error {
 	}

 	// read db
-	readDB, err := sql.Open("sqlite3", "file:"+dbPath+"?cache=private&mode=ro&_journal_mode=WAL&_sync=OFF&_cache_size="+types.String(cacheSize))
+	readDB, err := dbs.OpenReader("file:" + dbPath + "?cache=private&mode=ro&_journal_mode=WAL&_sync=OFF&_cache_size=" + types.String(cacheSize))
 	if err != nil {
 		return errors.New("open read database failed: " + err.Error())
 	}

 	readDB.SetMaxOpenConns(runtime.NumCPU())

-	this.readDB = dbs.NewDB(readDB)
+	this.readDB = readDB

 	if teaconst.EnableDBStat {
 		this.readDB.EnableStat(true)
@@ -180,6 +181,9 @@ func (this *FileListDB) Init() error {
 	}

 	this.selectHashListStmt, err = this.readDB.Prepare(`SELECT "id", "hash" FROM "` + this.itemsTableName + `" WHERE id>:id ORDER BY id ASC LIMIT 2000`)
+	if err != nil {
+		return err
+	}

 	this.deleteByHashSQL = `DELETE FROM "` + this.itemsTableName + `" WHERE "hash"=?`
 	this.deleteByHashStmt, err = this.writeDB.Prepare(this.deleteByHashSQL)
@@ -222,6 +226,20 @@ func (this *FileListDB) Init() error {
 		err := this.hashMap.Load(this)
 		if err != nil {
 			remotelogs.Error("LIST_FILE_DB", "load hash map failed: "+err.Error()+"(file: "+this.dbPath+")")
+
+			// 自动修复错误
+			// TODO 将来希望能尽可能恢复以往数据库中的内容
+			if strings.Contains(err.Error(), "database is closed") || strings.Contains(err.Error(), "database disk image is malformed") {
+				_ = this.Close()
+				this.deleteDB()
+				remotelogs.Println("LIST_FILE_DB", "recreating the database (file:"+this.dbPath+") ...")
+				err = this.Open(this.dbPath)
+				if err != nil {
+					remotelogs.Error("LIST_FILE_DB", "recreate the database failed: "+err.Error()+" (file:"+this.dbPath+")")
+				} else {
+					_ = this.Init()
+				}
+			}
 		}
 	}()

@@ -243,7 +261,7 @@ func (this *FileListDB) AddAsync(hash string, item *Item) error {
 		item.StaleAt = item.ExpiredAt
 	}

-	this.writeBatch.Add(this.insertSQL, hash, item.Key, item.HeaderSize, item.BodySize, item.MetaSize, item.ExpiredAt, item.StaleAt, item.Host, item.ServerId, utils.UnixTime(), timeutil.Format("YW"))
+	this.writeBatch.Add(this.insertSQL, hash, item.Key, item.HeaderSize, item.BodySize, item.MetaSize, item.ExpiredAt, item.StaleAt, item.Host, item.ServerId, fasttime.Now().Unix(), timeutil.Format("YW"))
 	return nil

 }
@@ -255,7 +273,7 @@ func (this *FileListDB) AddSync(hash string, item *Item) error {
 		item.StaleAt = item.ExpiredAt
 	}

-	_, err := this.insertStmt.Exec(hash, item.Key, item.HeaderSize, item.BodySize, item.MetaSize, item.ExpiredAt, item.StaleAt, item.Host, item.ServerId, utils.UnixTime(), timeutil.Format("YW"))
+	_, err := this.insertStmt.Exec(hash, item.Key, item.HeaderSize, item.BodySize, item.MetaSize, item.ExpiredAt, item.StaleAt, item.Host, item.ServerId, fasttime.Now().Unix(), timeutil.Format("YW"))
 	if err != nil {
 		return this.WrapError(err)
 	}
@@ -374,8 +392,8 @@ func (this *FileListDB) CleanPrefix(prefix string) error {
 		return nil
 	}
 	var count = int64(10000)
-	var staleLife = 600             // TODO 需要可以设置
-	var unixTime = utils.UnixTime() // 只删除当前的，不删除新的
+	var staleLife = 600                  // TODO 需要可以设置
+	var unixTime = fasttime.Now().Unix() // 只删除当前的，不删除新的
 	for {
 		result, err := this.writeDB.Exec(`UPDATE "`+this.itemsTableName+`" SET expiredAt=0,staleAt=? WHERE id IN (SELECT id FROM "`+this.itemsTableName+`" WHERE expiredAt>0 AND createdAt<=? AND INSTR("key", ?)=1 LIMIT `+types.String(count)+`)`, unixTime+int64(staleLife), unixTime, prefix)
 		if err != nil {
@@ -421,8 +439,8 @@ func (this *FileListDB) CleanMatchKey(key string) error {
 	queryKey = strings.Replace(queryKey, "*", "%", 1)

 	// TODO 检查大批量数据下的操作性能
-	var staleLife = 600             // TODO 需要可以设置
-	var unixTime = utils.UnixTime() // 只删除当前的，不删除新的
+	var staleLife = 600                  // TODO 需要可以设置
+	var unixTime = fasttime.Now().Unix() // 只删除当前的，不删除新的

 	_, err = this.writeDB.Exec(`UPDATE "`+this.itemsTableName+`" SET "expiredAt"=0, "staleAt"=? WHERE "host" GLOB ? AND "host" NOT GLOB ? AND "key" LIKE ? ESCAPE '\'`, unixTime+int64(staleLife), host, "*."+host, queryKey)
 	if err != nil {
@@ -463,8 +481,8 @@ func (this *FileListDB) CleanMatchPrefix(prefix string) error {
 	queryPrefix += "%"

 	// TODO 检查大批量数据下的操作性能
-	var staleLife = 600             // TODO 需要可以设置
-	var unixTime = utils.UnixTime() // 只删除当前的，不删除新的
+	var staleLife = 600                  // TODO 需要可以设置
+	var unixTime = fasttime.Now().Unix() // 只删除当前的，不删除新的

 	_, err = this.writeDB.Exec(`UPDATE "`+this.itemsTableName+`" SET "expiredAt"=0, "staleAt"=? WHERE "host" GLOB ? AND "host" NOT GLOB ? AND "key" LIKE ? ESCAPE '\'`, unixTime+int64(staleLife), host, "*."+host, queryPrefix)
 	return err
@@ -679,3 +697,10 @@ func (this *FileListDB) shouldRecover() bool {
 	_ = result.Close()
 	return shouldRecover
 }
+
+// 删除数据库文件
+func (this *FileListDB) deleteDB() {
+	_ = os.Remove(this.dbPath)
+	_ = os.Remove(this.dbPath + "-shm")
+	_ = os.Remove(this.dbPath + "-wal")
+}
--- a/internal/caches/manager.go
+++ b/internal/caches/manager.go
@@ -3,6 +3,7 @@ package caches
 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/iwind/TeaGo/lists"
@@ -14,6 +15,10 @@ import (
 var SharedManager = NewManager()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventQuit, func() {
 		remotelogs.Println("CACHE", "quiting cache manager")
 		SharedManager.UpdatePolicies([]*serverconfigs.HTTPCachePolicy{})
@@ -172,10 +177,15 @@ func (this *Manager) TotalDiskSize() int64 {
 	this.locker.RLock()
 	defer this.locker.RUnlock()

-	total := int64(0)
+	var total = int64(0)
 	for _, storage := range this.storageMap {
 		total += storage.TotalDiskSize()
 	}
+
+	if total < 0 {
+		total = 0
+	}
+
 	return total
 }

--- a/internal/caches/open_file_cache.go
+++ b/internal/caches/open_file_cache.go
@@ -129,6 +129,9 @@ func (this *OpenFileCache) Close(filename string) {

 	pool, ok := this.poolMap[filename]
 	if ok {
+		// 设置关闭状态
+		pool.SetClosing()
+
 		delete(this.poolMap, filename)
 		this.poolList.Remove(pool.linkItem)
 		_ = this.watcher.Remove(filename)
--- a/internal/caches/open_file_pool.go
+++ b/internal/caches/open_file_pool.go
@@ -3,7 +3,7 @@
 package caches

 import (
-	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/linkedlist"
 )

@@ -12,13 +12,14 @@ type OpenFilePool struct {
 	linkItem *linkedlist.Item
 	filename string
 	version  int64
+	isClosed bool
 }

 func NewOpenFilePool(filename string) *OpenFilePool {
 	var pool = &OpenFilePool{
 		filename: filename,
 		c:        make(chan *OpenFile, 1024),
-		version:  utils.UnixTimeMilli(),
+		version:  fasttime.Now().UnixMilli(),
 	}
 	pool.linkItem = linkedlist.NewItem(pool)
 	return pool
@@ -29,26 +30,43 @@ func (this *OpenFilePool) Filename() string {
 }

 func (this *OpenFilePool) Get() (*OpenFile, bool) {
+	// 如果已经关闭，直接返回
+	if this.isClosed {
+		return nil, false
+	}
+
 	select {
 	case file := <-this.c:
-		err := file.SeekStart()
-		if err != nil {
-			_ = file.Close()
-			return nil, true
-		}
-		file.version = this.version
+		if file != nil {
+			err := file.SeekStart()
+			if err != nil {
+				_ = file.Close()
+				return nil, true
+			}
+			file.version = this.version

-		return file, true
+			return file, true
+		}
+		return nil, false
 	default:
 		return nil, false
 	}
 }

 func (this *OpenFilePool) Put(file *OpenFile) bool {
+	// 如果已关闭，则不接受新的文件
+	if this.isClosed {
+		_ = file.Close()
+		return false
+	}
+
+	// 检查文件版本号
 	if this.version > 0 && file.version > 0 && file.version != this.version {
 		_ = file.Close()
 		return false
 	}
+
+	// 加入Pool
 	select {
 	case this.c <- file:
 		return true
@@ -63,14 +81,18 @@ func (this *OpenFilePool) Len() int {
 	return len(this.c)
 }

+func (this *OpenFilePool) SetClosing() {
+	this.isClosed = true
+}
+
 func (this *OpenFilePool) Close() {
-Loop:
+	this.isClosed = true
 	for {
 		select {
 		case file := <-this.c:
 			_ = file.Close()
 		default:
-			break Loop
+			return
 		}
 	}
 }
--- a/internal/caches/reader_file.go
+++ b/internal/caches/reader_file.go
@@ -215,6 +215,10 @@ func (this *FileReader) ReadHeader(buf []byte, callback ReaderFunc) error {
 }

 func (this *FileReader) ReadBody(buf []byte, callback ReaderFunc) error {
+	if this.bodySize == 0 {
+		return nil
+	}
+
 	var isOk = false

 	defer func() {
@@ -257,6 +261,12 @@ func (this *FileReader) ReadBody(buf []byte, callback ReaderFunc) error {
 }

 func (this *FileReader) Read(buf []byte) (n int, err error) {
+	if this.bodySize == 0 {
+		n = 0
+		err = io.EOF
+		return
+	}
+
 	n, err = this.fp.Read(buf)
 	if err != nil && err != io.EOF {
 		_ = this.discard()
--- a/internal/caches/storage_file.go
+++ b/internal/caches/storage_file.go
@@ -710,9 +710,6 @@ func (this *FileStorage) Delete(key string) error {
 		return nil
 	}

-	this.locker.Lock()
-	defer this.locker.Unlock()
-
 	// 先尝试内存缓存
 	this.runMemoryStorageSafety(func(memoryStorage *MemoryStorage) {
 		_ = memoryStorage.Delete(key)
@@ -733,9 +730,6 @@ func (this *FileStorage) Delete(key string) error {

 // Stat 统计
 func (this *FileStorage) Stat() (*Stat, error) {
-	this.locker.RLock()
-	defer this.locker.RUnlock()
-
 	return this.list.Stat(func(hash string) bool {
 		return true
 	})
@@ -767,57 +761,61 @@ func (this *FileStorage) CleanAll() error {
 		}
 	}

+	var dirNameReg = regexp.MustCompile(`^[0-9a-f]{2}$`)
 	for _, rootDir := range rootDirs {
 		var dir = rootDir + "/p" + types.String(this.policy.Id)
-		fp, err := os.Open(dir)
-		if err != nil {
-			return err
-		}
-		defer func() {
-			_ = fp.Close()
-		}()
+		err = func(dir string) error {
+			fp, err := os.Open(dir)
+			if err != nil {
+				return err
+			}
+			defer func() {
+				_ = fp.Close()
+			}()

-		stat, err := fp.Stat()
-		if err != nil {
-			return err
-		}
+			stat, err := fp.Stat()
+			if err != nil {
+				return err
+			}
+
+			if !stat.IsDir() {
+				return nil
+			}
+
+			// 改成待删除
+			subDirs, err := fp.Readdir(-1)
+			if err != nil {
+				return err
+			}
+			for _, info := range subDirs {
+				subDir := info.Name()
+
+				// 检查目录名
+				if !dirNameReg.MatchString(subDir) {
+					continue
+				}
+
+				// 修改目录名
+				tmpDir := dir + "/" + subDir + "-deleted"
+				err = os.Rename(dir+"/"+subDir, tmpDir)
+				if err != nil {
+					return err
+				}
+			}
+
+			// 重新遍历待删除
+			goman.New(func() {
+				err = this.cleanDeletedDirs(dir)
+				if err != nil {
+					remotelogs.Warn("CACHE", "delete '*-deleted' dirs failed: "+err.Error())
+				}
+			})

-		if !stat.IsDir() {
 			return nil
-		}
-
-		// 改成待删除
-		subDirs, err := fp.Readdir(-1)
+		}(dir)
 		if err != nil {
 			return err
 		}
-		for _, info := range subDirs {
-			subDir := info.Name()
-
-			// 检查目录名
-			ok, err := regexp.MatchString(`^[0-9a-f]{2}$`, subDir)
-			if err != nil {
-				return err
-			}
-			if !ok {
-				continue
-			}
-
-			// 修改目录名
-			tmpDir := dir + "/" + subDir + "-deleted"
-			err = os.Rename(dir+"/"+subDir, tmpDir)
-			if err != nil {
-				return err
-			}
-		}
-
-		// 重新遍历待删除
-		goman.New(func() {
-			err = this.cleanDeletedDirs(dir)
-			if err != nil {
-				remotelogs.Warn("CACHE", "delete '*-deleted' dirs failed: "+err.Error())
-			}
-		})
 	}

 	return nil
@@ -830,9 +828,6 @@ func (this *FileStorage) Purge(keys []string, urlType string) error {
 		return nil
 	}

-	this.locker.Lock()
-	defer this.locker.Unlock()
-
 	// 先尝试内存缓存
 	this.runMemoryStorageSafety(func(memoryStorage *MemoryStorage) {
 		_ = memoryStorage.Purge(keys, urlType)
@@ -1218,9 +1213,12 @@ func (this *FileStorage) hotLoop() {
 			}

 			err = reader.ReadBody(buf, func(n int) (goNext bool, err error) {
-				_, err = writer.Write(buf[:n])
-				if err == nil {
-					goNext = true
+				goNext = true
+				if n > 0 {
+					_, err = writer.Write(buf[:n])
+					if err != nil {
+						goNext = false
+					}
 				}
 				return
 			})
--- a/internal/caches/storage_memory.go
+++ b/internal/caches/storage_memory.go
@@ -6,6 +6,7 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/trackers"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	setutils "github.com/TeaOSLab/EdgeNode/internal/utils/sets"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/sizes"
 	"github.com/TeaOSLab/EdgeNode/internal/zero"
@@ -32,7 +33,7 @@ type MemoryItem struct {
 }

 func (this *MemoryItem) IsExpired() bool {
-	return this.ExpiresAt < utils.UnixTime()
+	return this.ExpiresAt < fasttime.Now().Unix()
 }

 type MemoryStorage struct {
@@ -119,7 +120,7 @@ func (this *MemoryStorage) OpenReader(key string, useStale bool, isPartial bool)
 		return nil, ErrNotFound
 	}

-	if useStale || (item.ExpiresAt > utils.UnixTime()) {
+	if useStale || (item.ExpiresAt > fasttime.Now().Unix()) {
 		reader := NewMemoryReader(item)
 		err := reader.Init()
 		if err != nil {
@@ -508,7 +509,11 @@ func (this *MemoryStorage) flushItem(key string) {
 	if !ok {
 		return
 	}
-	if !item.IsDone || item.IsExpired() {
+	if !item.IsDone {
+		remotelogs.Error("CACHE", "flush items failed: open writer failed: item has not been done")
+		return
+	}
+	if item.IsExpired() {
 		return
 	}

--- a/internal/caches/storage_memory_test.go
+++ b/internal/caches/storage_memory_test.go
@@ -14,15 +14,22 @@ import (
 )

 func TestMemoryStorage_OpenWriter(t *testing.T) {
-	storage := NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
+	var storage = NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)

 	writer, err := storage.OpenWriter("abc", time.Now().Unix()+60, 200, -1, -1, -1, false)
 	if err != nil {
 		t.Fatal(err)
 	}
+	if err != nil {
+		t.Fatal(err)
+	}
 	_, _ = writer.WriteHeader([]byte("Header"))
 	_, _ = writer.Write([]byte("Hello"))
 	_, _ = writer.Write([]byte(", World"))
+	err = writer.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
 	t.Log(storage.valuesMap)

 	{
@@ -30,6 +37,7 @@ func TestMemoryStorage_OpenWriter(t *testing.T) {
 		if err != nil {
 			if err == ErrNotFound {
 				t.Log("not found: abc")
+				return
 			} else {
 				t.Fatal(err)
 			}
@@ -102,13 +110,17 @@ func TestMemoryStorage_OpenReaderLock(t *testing.T) {
 }

 func TestMemoryStorage_Delete(t *testing.T) {
-	storage := NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
+	var storage = NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
 	{
 		writer, err := storage.OpenWriter("abc", time.Now().Unix()+60, 200, -1, -1, -1, false)
 		if err != nil {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		t.Log(len(storage.valuesMap))
 	}
 	{
@@ -117,6 +129,10 @@ func TestMemoryStorage_Delete(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		t.Log(len(storage.valuesMap))
 	}
 	_ = storage.Delete("abc1")
@@ -124,7 +140,7 @@ func TestMemoryStorage_Delete(t *testing.T) {
 }

 func TestMemoryStorage_Stat(t *testing.T) {
-	storage := NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
+	var storage = NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
 	expiredAt := time.Now().Unix() + 60
 	{
 		writer, err := storage.OpenWriter("abc", expiredAt, 200, -1, -1, -1, false)
@@ -132,6 +148,10 @@ func TestMemoryStorage_Stat(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		t.Log(len(storage.valuesMap))
 		storage.AddToList(&Item{
 			Key:       "abc",
@@ -145,6 +165,10 @@ func TestMemoryStorage_Stat(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		t.Log(len(storage.valuesMap))
 		storage.AddToList(&Item{
 			Key:       "abc1",
@@ -161,14 +185,18 @@ func TestMemoryStorage_Stat(t *testing.T) {
 }

 func TestMemoryStorage_CleanAll(t *testing.T) {
-	storage := NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
-	expiredAt := time.Now().Unix() + 60
+	var storage = NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
+	var expiredAt = time.Now().Unix() + 60
 	{
 		writer, err := storage.OpenWriter("abc", expiredAt, 200, -1, -1, -1, false)
 		if err != nil {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		storage.AddToList(&Item{
 			Key:       "abc",
 			BodySize:  5,
@@ -181,6 +209,10 @@ func TestMemoryStorage_CleanAll(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		storage.AddToList(&Item{
 			Key:       "abc1",
 			BodySize:  5,
@@ -204,6 +236,10 @@ func TestMemoryStorage_Purge(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		storage.AddToList(&Item{
 			Key:       "abc",
 			BodySize:  5,
@@ -216,6 +252,10 @@ func TestMemoryStorage_Purge(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		storage.AddToList(&Item{
 			Key:       "abc1",
 			BodySize:  5,
@@ -231,7 +271,7 @@ func TestMemoryStorage_Purge(t *testing.T) {
 }

 func TestMemoryStorage_Expire(t *testing.T) {
-	storage := NewMemoryStorage(&serverconfigs.HTTPCachePolicy{
+	var storage = NewMemoryStorage(&serverconfigs.HTTPCachePolicy{
 		MemoryAutoPurgeInterval: 5,
 	}, nil)
 	err := storage.Init()
@@ -247,6 +287,10 @@ func TestMemoryStorage_Expire(t *testing.T) {
 			t.Fatal(err)
 		}
 		_, _ = writer.Write([]byte("Hello"))
+		err = writer.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 		storage.AddToList(&Item{
 			Key:       key,
 			BodySize:  5,
@@ -257,7 +301,7 @@ func TestMemoryStorage_Expire(t *testing.T) {
 }

 func TestMemoryStorage_Locker(t *testing.T) {
-	storage := NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
+	var storage = NewMemoryStorage(&serverconfigs.HTTPCachePolicy{}, nil)
 	err := storage.Init()
 	if err != nil {
 		t.Fatal(err)
--- a/internal/compressions/reader_pool_brotli.go
+++ b/internal/compressions/reader_pool_brotli.go
@@ -11,7 +11,7 @@ import (
 var sharedBrotliReaderPool *ReaderPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/reader_pool_deflate.go
+++ b/internal/compressions/reader_pool_deflate.go
@@ -11,7 +11,7 @@ import (
 var sharedDeflateReaderPool *ReaderPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/reader_pool_gzip.go
+++ b/internal/compressions/reader_pool_gzip.go
@@ -11,7 +11,7 @@ import (
 var sharedGzipReaderPool *ReaderPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/reader_pool_zstd.go
+++ b/internal/compressions/reader_pool_zstd.go
@@ -11,7 +11,7 @@ import (
 var sharedZSTDReaderPool *ReaderPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/writer_pool_brotli.go
+++ b/internal/compressions/writer_pool_brotli.go
@@ -12,7 +12,7 @@ import (
 var sharedBrotliWriterPool *WriterPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/writer_pool_deflate.go
+++ b/internal/compressions/writer_pool_deflate.go
@@ -12,7 +12,7 @@ import (
 var sharedDeflateWriterPool *WriterPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/writer_pool_gzip.go
+++ b/internal/compressions/writer_pool_gzip.go
@@ -12,7 +12,7 @@ import (
 var sharedGzipWriterPool *WriterPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/compressions/writer_pool_zstd.go
+++ b/internal/compressions/writer_pool_zstd.go
@@ -12,7 +12,7 @@ import (
 var sharedZSTDWriterPool *WriterPool

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/conns/linger.go
+++ b/internal/conns/linger.go
@@ -0,0 +1,7 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package conns
+
+type LingerConn interface {
+	SetLinger(sec int) error
+}
--- a/internal/conns/map.go
+++ b/internal/conns/map.go
@@ -10,7 +10,7 @@ import (
 var SharedMap = NewMap()

 type Map struct {
-	m map[string]map[int]net.Conn // ip => { port => Conn }
+	m map[string]map[int]net.Conn // ip => { port => Conn  }

 	locker sync.RWMutex
 }
@@ -37,9 +37,7 @@ func (this *Map) Add(conn net.Conn) {
 	defer this.locker.Unlock()
 	connMap, ok := this.m[ip]
 	if !ok {
-		this.m[ip] = map[int]net.Conn{
-			port: conn,
-		}
+		this.m[ip] = map[int]net.Conn{port: conn}
 	} else {
 		connMap[port] = conn
 	}
@@ -96,6 +94,13 @@ func (this *Map) CloseIPConns(ip string) {

 	if ok {
 		for _, conn := range conns {
+			// 设置Linger
+			lingerConn, isLingerConn := conn.(LingerConn)
+			if isLingerConn {
+				_ = lingerConn.SetLinger(0)
+			}
+
+			// 关闭
 			_ = conn.Close()
 		}

@@ -109,9 +114,10 @@ func (this *Map) AllConns() []net.Conn {

 	var result = []net.Conn{}
 	for _, m := range this.m {
-		for _, conn := range m {
-			result = append(result, conn)
+		for _, connInfo := range m {
+			result = append(result, connInfo)
 		}
 	}
+
 	return result
 }
--- a/internal/const/const.go
+++ b/internal/const/const.go
@@ -1,7 +1,7 @@
 package teaconst

 const (
-	Version = "0.5.8"
+	Version = "1.0.4"

 	ProductName = "Edge Node"
 	ProcessName = "edge-node"
--- a/internal/const/vars.go
+++ b/internal/const/vars.go
@@ -5,6 +5,7 @@ package teaconst
 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"os"
+	"strings"
 )

 var (
@@ -15,7 +16,7 @@ var (

 	NodeId       int64 = 0
 	NodeIdString       = ""
-	IsDaemon           = len(os.Args) > 1 && os.Args[1] == "daemon"
+	IsMain             = checkMain()

 	GlobalProductName = nodeconfigs.DefaultProductName

@@ -24,3 +25,15 @@ var (

 	DiskIsFast = false // 是否为高速硬盘
 )
+
+// 检查是否为主程序
+func checkMain() bool {
+	if len(os.Args) == 1 ||
+		(len(os.Args) >= 2 && os.Args[1] == "pprof") {
+		return true
+	}
+	exe, _ := os.Executable()
+	return strings.HasSuffix(exe, ".test") ||
+		strings.HasSuffix(exe, ".test.exe") ||
+		strings.Contains(exe, "___")
+}
--- a/internal/firewalls/ddos_protection.go
+++ b/internal/firewalls/ddos_protection.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/firewalls/nftables"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -19,14 +20,18 @@ import (
 	"github.com/iwind/TeaGo/types"
 	stringutil "github.com/iwind/TeaGo/utils/string"
 	"net"
-	"os/exec"
 	"strings"
+	"sync"
 	"time"
 )

 var SharedDDoSProtectionManager = NewDDoSProtectionManager()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventReload, func() {
 		if nftablesInstance == nil {
 			return
@@ -56,6 +61,8 @@ func init() {
 type DDoSProtectionManager struct {
 	lastAllowIPList []string
 	lastConfig      []byte
+
+	locker sync.Mutex
 }

 // NewDDoSProtectionManager 获取新对象
@@ -65,6 +72,12 @@ func NewDDoSProtectionManager() *DDoSProtectionManager {

 // Apply 应用配置
 func (this *DDoSProtectionManager) Apply(config *ddosconfigs.ProtectionConfig) error {
+	// 加锁防止并发更改
+	if !this.locker.TryLock() {
+		return nil
+	}
+	defer this.locker.Unlock()
+
 	// 同集群节点IP白名单
 	var allowIPListChanged = false
 	nodeConfig, _ := nodeconfigs.SharedNodeConfig()
@@ -86,7 +99,7 @@ func (this *DDoSProtectionManager) Apply(config *ddosconfigs.ProtectionConfig) e
 	}
 	remotelogs.Println("FIREWALL", "change DDoS protection config")

-	if len(this.nftExe()) == 0 {
+	if len(nftables.NftExePath()) == 0 {
 		return errors.New("can not find nft command")
 	}

@@ -152,7 +165,7 @@ func (this *DDoSProtectionManager) Apply(config *ddosconfigs.ProtectionConfig) e

 // 添加TCP规则
 func (this *DDoSProtectionManager) addTCPRules(tcpConfig *ddosconfigs.TCPConfig) error {
-	var nftExe = this.nftExe()
+	var nftExe = nftables.NftExePath()
 	if len(nftExe) == 0 {
 		return nil
 	}
@@ -541,7 +554,7 @@ func (this *DDoSProtectionManager) updateAllowIPList(allIPList []string) error {
 				_, ok := oldMap[ip]
 				if !ok {
 					// 不存在则添加
-					err = set.AddIPElement(ip, nil)
+					err = set.AddIPElement(ip, nil, false)
 					if err != nil {
 						return errors.New("add ip '" + ip + "' failed: " + err.Error())
 					}
@@ -552,8 +565,3 @@ func (this *DDoSProtectionManager) updateAllowIPList(allIPList []string) error {

 	return nil
 }
-
-func (this *DDoSProtectionManager) nftExe() string {
-	path, _ := exec.LookPath("nft")
-	return path
-}
--- a/internal/firewalls/firewall.go
+++ b/internal/firewalls/firewall.go
@@ -3,6 +3,7 @@
 package firewalls

 import (
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"runtime"
@@ -14,6 +15,10 @@ var firewallLocker = &sync.Mutex{}

 // 初始化
 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventLoaded, func() {
 		var firewall = Firewall()
 		if firewall.Name() != "mock" {
--- a/internal/firewalls/firewall_nftables.go
+++ b/internal/firewalls/firewall_nftables.go
@@ -1,11 +1,11 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build linux
-// +build linux

 package firewalls

 import (
 	"errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
 	"github.com/TeaOSLab/EdgeNode/internal/conns"
 	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
@@ -13,9 +13,9 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	executils "github.com/TeaOSLab/EdgeNode/internal/utils/exec"
+	"github.com/google/nftables/expr"
 	"github.com/iwind/TeaGo/types"
 	"net"
-	"os/exec"
 	"regexp"
 	"runtime"
 	"strings"
@@ -24,7 +24,7 @@ import (

 // check nft status, if being enabled we load it automatically
 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

@@ -37,8 +37,8 @@ func init() {
 					ticker.Stop()
 					break
 				}
-				_, err := exec.LookPath("nft")
-				if err == nil {
+				var nftExe = nftables.NftExePath()
+				if len(nftExe) > 0 {
 					nftablesFirewall, err := NewNFTablesFirewall()
 					if err != nil {
 						continue
@@ -88,11 +88,15 @@ type blockIPItem struct {
 }

 func NewNFTablesFirewall() (*NFTablesFirewall, error) {
+	conn, err := nftables.NewConn()
+	if err != nil {
+		return nil, err
+	}
 	var firewall = &NFTablesFirewall{
-		conn:        nftables.NewConn(),
+		conn:        conn,
 		dropIPQueue: make(chan *blockIPItem, 4096),
 	}
-	err := firewall.init()
+	err = firewall.init()
 	if err != nil {
 		return nil, err
 	}
@@ -110,8 +114,8 @@ type NFTablesFirewall struct {
 	allowIPv4Set *nftables.Set
 	allowIPv6Set *nftables.Set

-	denyIPv4Set *nftables.Set
-	denyIPv6Set *nftables.Set
+	denyIPv4Sets []*nftables.Set
+	denyIPv6Sets []*nftables.Set

 	firewalld *Firewalld

@@ -120,9 +124,9 @@ type NFTablesFirewall struct {

 func (this *NFTablesFirewall) init() error {
 	// check nft
-	nftPath, err := exec.LookPath("nft")
-	if err != nil {
-		return errors.New("nft not found")
+	var nftPath = nftables.NftExePath()
+	if len(nftPath) == 0 {
+		return errors.New("'nft' not found")
 	}
 	this.version = this.readVersion(nftPath)

@@ -186,7 +190,7 @@ func (this *NFTablesFirewall) init() error {

 		// allow set
 		// "allow" should be always first
-		for _, setAction := range []string{"allow", "deny"} {
+		for _, setAction := range []string{"allow", "deny", "deny1", "deny2", "deny3", "deny4"} {
 			var setName = setAction + "_set"

 			set, err := table.GetSet(setName)
@@ -216,32 +220,42 @@ func (this *NFTablesFirewall) init() error {
 				if setAction == "allow" {
 					this.allowIPv4Set = set
 				} else {
-					this.denyIPv4Set = set
+					this.denyIPv4Sets = append(this.denyIPv4Sets, set)
 				}
 			} else if tableDef.IsIPv6 {
 				if setAction == "allow" {
 					this.allowIPv6Set = set
 				} else {
-					this.denyIPv6Set = set
+					this.denyIPv6Sets = append(this.denyIPv6Sets, set)
 				}
 			}

 			// rule
 			var ruleName = []byte(setAction)
 			rule, err := chain.GetRuleWithUserData(ruleName)
+
+			// 将以前的drop规则删掉，替换成后面的reject
+			if err == nil && setAction != "allow" && rule != nil && rule.VerDict() == expr.VerdictDrop {
+				deleteErr := chain.DeleteRule(rule)
+				if deleteErr == nil {
+					err = nftables.ErrRuleNotFound
+					rule = nil
+				}
+			}
+
 			if err != nil {
 				if nftables.IsNotFound(err) {
 					if tableDef.IsIPv4 {
 						if setAction == "allow" {
 							rule, err = chain.AddAcceptIPv4SetRule(setName, ruleName)
 						} else {
-							rule, err = chain.AddDropIPv4SetRule(setName, ruleName)
+							rule, err = chain.AddRejectIPv4SetRule(setName, ruleName)
 						}
 					} else if tableDef.IsIPv6 {
 						if setAction == "allow" {
 							rule, err = chain.AddAcceptIPv6SetRule(setName, ruleName)
 						} else {
-							rule, err = chain.AddDropIPv6SetRule(setName, ruleName)
+							rule, err = chain.AddRejectIPv6SetRule(setName, ruleName)
 						}
 					}
 					if err != nil {
@@ -265,7 +279,7 @@ func (this *NFTablesFirewall) init() error {
 		for ipItem := range this.dropIPQueue {
 			switch ipItem.action {
 			case "drop":
-				err = this.DropSourceIP(ipItem.ip, ipItem.timeoutSeconds, false)
+				err := this.DropSourceIP(ipItem.ip, ipItem.timeoutSeconds, false)
 				if err != nil {
 					remotelogs.Warn("NFTABLES", "drop ip '"+ipItem.ip+"' failed: "+err.Error())
 				}
@@ -324,14 +338,14 @@ func (this *NFTablesFirewall) AllowSourceIP(ip string) error {
 		if this.allowIPv6Set == nil {
 			return errors.New("ipv6 ip set is nil")
 		}
-		return this.allowIPv6Set.AddElement(data.To16(), nil)
+		return this.allowIPv6Set.AddElement(data.To16(), nil, false)
 	}

 	// ipv4
 	if this.allowIPv4Set == nil {
 		return errors.New("ipv4 ip set is nil")
 	}
-	return this.allowIPv4Set.AddElement(data.To4(), nil)
+	return this.allowIPv4Set.AddElement(data.To4(), nil, false)
 }

 // RejectSourceIP 拒绝某个源IP连接
@@ -371,22 +385,23 @@ func (this *NFTablesFirewall) DropSourceIP(ip string, timeoutSeconds int, async
 	// 再次尝试关闭连接
 	defer conns.SharedMap.CloseIPConns(ip)

+	var ipLong = configutils.IPString2Long(ip)
 	if strings.Contains(ip, ":") { // ipv6
-		if this.denyIPv6Set == nil {
-			return errors.New("ipv6 ip set is nil")
+		if len(this.denyIPv6Sets) == 0 {
+			return errors.New("ipv6 ip set not found")
 		}
-		return this.denyIPv6Set.AddElement(data.To16(), &nftables.ElementOptions{
+		return this.denyIPv6Sets[ipLong%uint64(len(this.denyIPv6Sets))].AddElement(data.To16(), &nftables.ElementOptions{
 			Timeout: time.Duration(timeoutSeconds) * time.Second,
-		})
+		}, false)
 	}

 	// ipv4
-	if this.denyIPv4Set == nil {
-		return errors.New("ipv4 ip set is nil")
+	if len(this.denyIPv4Sets) == 0 {
+		return errors.New("ipv4 ip set not found")
 	}
-	return this.denyIPv4Set.AddElement(data.To4(), &nftables.ElementOptions{
+	return this.denyIPv4Sets[ipLong%uint64(len(this.denyIPv4Sets))].AddElement(data.To4(), &nftables.ElementOptions{
 		Timeout: time.Duration(timeoutSeconds) * time.Second,
-	})
+	}, false)
 }

 // RemoveSourceIP 删除某个源IP
@@ -396,9 +411,10 @@ func (this *NFTablesFirewall) RemoveSourceIP(ip string) error {
 		return errors.New("invalid ip '" + ip + "'")
 	}

+	var ipLong = configutils.IPString2Long(ip)
 	if strings.Contains(ip, ":") { // ipv6
-		if this.denyIPv6Set != nil {
-			err := this.denyIPv6Set.DeleteElement(data.To16())
+		if len(this.denyIPv6Sets) > 0 {
+			err := this.denyIPv6Sets[ipLong%uint64(len(this.denyIPv6Sets))].DeleteElement(data.To16())
 			if err != nil {
 				return err
 			}
@@ -415,13 +431,14 @@ func (this *NFTablesFirewall) RemoveSourceIP(ip string) error {
 	}

 	// ipv4
-	if this.allowIPv4Set != nil {
-		err := this.denyIPv4Set.DeleteElement(data.To4())
+	if len(this.denyIPv4Sets) > 0 {
+		err := this.denyIPv4Sets[ipLong%uint64(len(this.denyIPv4Sets))].DeleteElement(data.To4())
 		if err != nil {
 			return err
 		}
-
-		err = this.allowIPv4Set.DeleteElement(data.To4())
+	}
+	if this.allowIPv4Set != nil {
+		err := this.allowIPv4Set.DeleteElement(data.To4())
 		if err != nil {
 			return err
 		}
--- a/internal/firewalls/nftables/chain.go
+++ b/internal/firewalls/nftables/chain.go
@@ -1,6 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build linux
-// +build linux

 package nftables

--- a/internal/firewalls/nftables/chain_policy.go
+++ b/internal/firewalls/nftables/chain_policy.go
@@ -1,4 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+//go:build linux

 package nftables

--- a/internal/firewalls/nftables/chain_test.go
+++ b/internal/firewalls/nftables/chain_test.go
@@ -1,6 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build linux
-// +build linux

 package nftables_test

@@ -11,7 +10,10 @@ import (
 )

 func getIPv4Chain(t *testing.T) *nftables.Chain {
-	var conn = nftables.NewConn()
+	conn, err := nftables.NewConn()
+	if err != nil {
+		t.Fatal(err)
+	}
 	table, err := conn.GetTable("test_ipv4", nftables.TableFamilyIPv4)
 	if err != nil {
 		if err == nftables.ErrTableNotFound {
--- a/internal/firewalls/nftables/conn.go
+++ b/internal/firewalls/nftables/conn.go
@@ -15,10 +15,14 @@ type Conn struct {
 	rawConn *nft.Conn
 }

-func NewConn() *Conn {
-	return &Conn{
-		rawConn: &nft.Conn{},
+func NewConn() (*Conn, error) {
+	conn, err := nft.New()
+	if err != nil {
+		return nil, err
 	}
+	return &Conn{
+		rawConn: conn,
+	}, nil
 }

 func (this *Conn) Raw() *nft.Conn {
--- a/internal/firewalls/nftables/errors.go
+++ b/internal/firewalls/nftables/errors.go
@@ -4,7 +4,10 @@

 package nftables

-import "errors"
+import (
+	"errors"
+	"strings"
+)

 var ErrTableNotFound = errors.New("table not found")
 var ErrChainNotFound = errors.New("chain not found")
@@ -15,5 +18,5 @@ func IsNotFound(err error) bool {
 	if err == nil {
 		return false
 	}
-	return err == ErrTableNotFound || err == ErrChainNotFound || err == ErrSetNotFound || err == ErrRuleNotFound
+	return err == ErrTableNotFound || err == ErrChainNotFound || err == ErrSetNotFound || err == ErrRuleNotFound || strings.Contains(err.Error(), "no such file or directory")
 }
--- a/internal/firewalls/nftables/expration.go
+++ b/internal/firewalls/nftables/expration.go
@@ -0,0 +1,65 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package nftables
+
+import (
+	"sync"
+	"time"
+)
+
+type Expiration struct {
+	m map[string]time.Time // key => expires time
+
+	lastGCAt int64
+
+	locker sync.RWMutex
+}
+
+func NewExpiration() *Expiration {
+	return &Expiration{
+		m: map[string]time.Time{},
+	}
+}
+
+func (this *Expiration) AddUnsafe(key []byte, expires time.Time) {
+	this.m[string(key)] = expires
+}
+
+func (this *Expiration) Add(key []byte, expires time.Time) {
+	this.locker.Lock()
+	this.m[string(key)] = expires
+	this.gc()
+	this.locker.Unlock()
+}
+
+func (this *Expiration) Remove(key []byte) {
+	this.locker.Lock()
+	delete(this.m, string(key))
+	this.locker.Unlock()
+}
+
+func (this *Expiration) Contains(key []byte) bool {
+	this.locker.RLock()
+	expires, ok := this.m[string(key)]
+	if ok && expires.Year() > 2000 && time.Now().After(expires) {
+		ok = false
+	}
+	this.locker.RUnlock()
+	return ok
+}
+
+func (this *Expiration) gc() {
+	// we won't gc too frequently
+	var currentTime = time.Now().Unix()
+	if this.lastGCAt >= currentTime {
+		return
+	}
+	this.lastGCAt = currentTime
+
+	var now = time.Now().Add(-10 * time.Second) // gc elements expired before 10 seconds ago
+	for key, expires := range this.m {
+		if expires.Year() > 2000 && now.After(expires) {
+			delete(this.m, key)
+		}
+	}
+}
--- a/internal/firewalls/nftables/expration_test.go
+++ b/internal/firewalls/nftables/expration_test.go
@@ -0,0 +1,59 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package nftables_test
+
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/firewalls/nftables"
+	"github.com/iwind/TeaGo/rands"
+	"github.com/iwind/TeaGo/types"
+	"net"
+	"testing"
+	"time"
+)
+
+func TestExpiration_Add(t *testing.T) {
+	var expiration = nftables.NewExpiration()
+	{
+		expiration.Add([]byte{'a', 'b', 'c'}, time.Now())
+		t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+	}
+	{
+		expiration.Add([]byte{'a', 'b', 'c'}, time.Now().Add(1*time.Second))
+		t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+	}
+	{
+		expiration.Add([]byte{'a', 'b', 'c'}, time.Time{})
+		t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+	}
+	{
+		expiration.Add([]byte{'a', 'b', 'c'}, time.Now().Add(-1*time.Second))
+		t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+	}
+	{
+		expiration.Add([]byte{'a', 'b', 'c'}, time.Now().Add(-10*time.Second))
+		t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+	}
+	{
+		expiration.Add([]byte{'a', 'b', 'c'}, time.Now().Add(1*time.Second))
+		expiration.Remove([]byte{'a', 'b', 'c'})
+		t.Log(expiration.Contains([]byte{'a', 'b', 'c'}))
+	}
+	{
+		expiration.Add(net.ParseIP("10.254.0.75").To4(), time.Now())
+		t.Log(expiration.Contains(net.ParseIP("10.254.0.75").To4()))
+	}
+}
+
+func BenchmarkNewExpiration(b *testing.B) {
+	var expiration = nftables.NewExpiration()
+	for i := 0; i < 10_000; i++ {
+		expiration.Add([]byte(types.String(types.String(rands.Int(0, 255))+"."+types.String(rands.Int(0, 255))+"."+types.String(rands.Int(0, 255))+"."+types.String(rands.Int(0, 255)))), time.Now().Add(3600*time.Second))
+	}
+	b.ResetTimer()
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			expiration.Add([]byte(types.String(types.String(rands.Int(0, 255))+"."+types.String(rands.Int(0, 255))+"."+types.String(rands.Int(0, 255))+"."+types.String(rands.Int(0, 255)))), time.Now().Add(3600*time.Second))
+		}
+	})
+}
--- a/internal/firewalls/nftables/family.go
+++ b/internal/firewalls/nftables/family.go
@@ -1,4 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+//go:build linux

 package nftables

--- a/internal/firewalls/nftables/installer.go
+++ b/internal/firewalls/nftables/installer.go
@@ -1,10 +1,12 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build linux

 package nftables

 import (
 	"errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -17,6 +19,10 @@ import (
 )

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventReload, func() {
 		// linux only
 		if runtime.GOOS != "linux" {
@@ -33,8 +39,7 @@ func init() {
 		}

 		if os.Getgid() == 0 { // root user only
-			_, err := exec.LookPath("nft")
-			if err == nil {
+			if len(NftExePath()) > 0 {
 				return
 			}
 			goman.New(func() {
@@ -48,6 +53,25 @@ func init() {
 	})
 }

+// NftExePath 查找nftables可执行文件路径
+func NftExePath() string {
+	path, _ := exec.LookPath("nft")
+	if len(path) > 0 {
+		return path
+	}
+
+	for _, possiblePath := range []string{
+		"/usr/sbin/nft",
+	} {
+		_, err := os.Stat(possiblePath)
+		if err == nil {
+			return possiblePath
+		}
+	}
+
+	return ""
+}
+
 type Installer struct {
 }

@@ -62,8 +86,7 @@ func (this *Installer) Install() error {
 	}

 	// 检查是否已经存在
-	_, err := exec.LookPath("nft")
-	if err == nil {
+	if len(NftExePath()) > 0  {
 		return nil
 	}

--- a/internal/firewalls/nftables/rule.go
+++ b/internal/firewalls/nftables/rule.go
@@ -1,4 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+//go:build linux

 package nftables

--- a/internal/firewalls/nftables/set.go
+++ b/internal/firewalls/nftables/set.go
@@ -1,6 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build linux
-// +build linux

 package nftables

@@ -35,17 +34,25 @@ type Set struct {
 	conn   *Conn
 	rawSet *nft.Set
 	batch  *SetBatch
+
+	expiration *Expiration
 }

 func NewSet(conn *Conn, rawSet *nft.Set) *Set {
-	return &Set{
-		conn:   conn,
-		rawSet: rawSet,
+	var set = &Set{
+		conn:       conn,
+		rawSet:     rawSet,
+		expiration: nil,
 		batch: &SetBatch{
 			conn:   conn,
 			rawSet: rawSet,
 		},
 	}
+
+	// retrieve set elements to improve "delete" speed
+	set.initElements()
+
+	return set
 }

 func (this *Set) Raw() *nft.Set {
@@ -56,12 +63,22 @@ func (this *Set) Name() string {
 	return this.rawSet.Name
 }

-func (this *Set) AddElement(key []byte, options *ElementOptions) error {
+func (this *Set) AddElement(key []byte, options *ElementOptions, overwrite bool) error {
+	// check if already exists
+	if this.expiration != nil && !overwrite && this.expiration.Contains(key) {
+		return nil
+	}
+
+	var expiresTime = time.Time{}
 	var rawElement = nft.SetElement{
 		Key: key,
 	}
 	if options != nil {
 		rawElement.Timeout = options.Timeout
+
+		if options.Timeout > 0 {
+			expiresTime = time.UnixMilli(time.Now().UnixMilli() + options.Timeout.Milliseconds())
+		}
 	}
 	err := this.conn.Raw().SetAddElements(this.rawSet, []nft.SetElement{
 		rawElement,
@@ -71,9 +88,19 @@ func (this *Set) AddElement(key []byte, options *ElementOptions) error {
 	}

 	err = this.conn.Commit()
-	if err != nil {
+	if err == nil {
+		if this.expiration != nil {
+			this.expiration.Add(key, expiresTime)
+		}
+	} else {
+		var isFileExistsErr = strings.Contains(err.Error(), "file exists")
+		if !overwrite && isFileExistsErr {
+			// ignore file exists error
+			return nil
+		}
+
 		// retry if exists
-		if strings.Contains(err.Error(), "file exists") {
+		if overwrite && isFileExistsErr {
 			deleteErr := this.conn.Raw().SetDeleteElements(this.rawSet, []nft.SetElement{
 				{
 					Key: key,
@@ -85,6 +112,11 @@ func (this *Set) AddElement(key []byte, options *ElementOptions) error {
 				})
 				if err == nil {
 					err = this.conn.Commit()
+					if err == nil {
+						if this.expiration != nil {
+							this.expiration.Add(key, expiresTime)
+						}
+					}
 				}
 			}
 		}
@@ -93,20 +125,25 @@ func (this *Set) AddElement(key []byte, options *ElementOptions) error {
 	return err
 }

-func (this *Set) AddIPElement(ip string, options *ElementOptions) error {
+func (this *Set) AddIPElement(ip string, options *ElementOptions, overwrite bool) error {
 	var ipObj = net.ParseIP(ip)
 	if ipObj == nil {
 		return errors.New("invalid ip '" + ip + "'")
 	}

 	if utils.IsIPv4(ip) {
-		return this.AddElement(ipObj.To4(), options)
+		return this.AddElement(ipObj.To4(), options, overwrite)
 	} else {
-		return this.AddElement(ipObj.To16(), options)
+		return this.AddElement(ipObj.To16(), options, overwrite)
 	}
 }

 func (this *Set) DeleteElement(key []byte) error {
+	// if set element does not exist, we return immediately
+	if this.expiration != nil && !this.expiration.Contains(key) {
+		return nil
+	}
+
 	err := this.conn.Raw().SetDeleteElements(this.rawSet, []nft.SetElement{
 		{
 			Key: key,
@@ -116,9 +153,17 @@ func (this *Set) DeleteElement(key []byte) error {
 		return err
 	}
 	err = this.conn.Commit()
-	if err != nil {
+	if err == nil {
+		if this.expiration != nil {
+			this.expiration.Remove(key)
+		}
+	} else {
 		if strings.Contains(err.Error(), "no such file or directory") {
 			err = nil
+
+			if this.expiration != nil {
+				this.expiration.Remove(key)
+			}
 		}
 	}
 	return err
--- a/internal/firewalls/nftables/set_data_type.go
+++ b/internal/firewalls/nftables/set_data_type.go
@@ -1,4 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+//go:build linux

 package nftables

--- a/internal/firewalls/nftables/set_ext.go
+++ b/internal/firewalls/nftables/set_ext.go
@@ -0,0 +1,8 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build linux && !plus
+
+package nftables
+
+func (this *Set) initElements() {
+	// NOT IMPLEMENTED
+}
--- a/internal/firewalls/nftables/set_test.go
+++ b/internal/firewalls/nftables/set_test.go
@@ -34,7 +34,7 @@ func getIPv4Set(t *testing.T) *nftables.Set {

 func TestSet_AddElement(t *testing.T) {
 	var set = getIPv4Set(t)
-	err := set.AddElement(net.ParseIP("192.168.2.31").To4(), &nftables.ElementOptions{Timeout: 86400 * time.Second})
+	err := set.AddElement(net.ParseIP("192.168.2.31").To4(), &nftables.ElementOptions{Timeout: 86400 * time.Second}, false)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/internal/firewalls/nftables/table.go
+++ b/internal/firewalls/nftables/table.go
@@ -1,6 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build linux
-// +build linux

 package nftables

--- a/internal/firewalls/nftables/table_test.go
+++ b/internal/firewalls/nftables/table_test.go
@@ -1,6 +1,5 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 //go:build linux
-// +build linux

 package nftables_test

@@ -10,7 +9,10 @@ import (
 )

 func getIPv4Table(t *testing.T) *nftables.Table {
-	var conn = nftables.NewConn()
+	conn, err := nftables.NewConn()
+	if err != nil {
+		t.Fatal(err)
+	}
 	table, err := conn.GetTable("test_ipv4", nftables.TableFamilyIPv4)
 	if err != nil {
 		if err == nftables.ErrTableNotFound {
--- a/internal/firewalls/utils.go
+++ b/internal/firewalls/utils.go
@@ -0,0 +1,30 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package firewalls
+
+import (
+	"time"
+)
+
+// DropTemporaryTo 使用本地防火墙临时拦截IP数据包
+func DropTemporaryTo(ip string, expiresAt int64) {
+	// 如果为0，则表示是长期有效
+	if expiresAt <= 0 {
+		expiresAt = time.Now().Unix() + 3600
+	}
+
+	var timeout = expiresAt - time.Now().Unix()
+	if timeout < 1 {
+		return
+	}
+	if timeout > 3600 {
+		timeout = 3600
+	}
+
+	// 使用本地防火墙延长封禁
+	var fw = Firewall()
+	if fw != nil && !fw.IsMock() {
+		// 这里 int(int64) 转换的前提是限制了 timeout <= 3600，否则将有整型溢出的风险
+		_ = fw.DropSourceIP(ip, int(timeout), true)
+	}
+}
--- a/internal/goman/lib.go
+++ b/internal/goman/lib.go
@@ -15,7 +15,7 @@ var instanceId = uint64(0)

 // New 新创建goroutine
 func New(f func()) {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

@@ -47,7 +47,7 @@ func New(f func()) {

 // NewWithArgs 创建带有参数的goroutine
 func NewWithArgs(f func(args ...interface{}), args ...interface{}) {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

--- a/internal/iplibrary/ip_item.go
+++ b/internal/iplibrary/ip_item.go
@@ -1,6 +1,8 @@
 package iplibrary

-import "github.com/TeaOSLab/EdgeNode/internal/utils"
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
+)

 type IPItemType = string

@@ -45,7 +47,7 @@ func (this *IPItem) containsIPv4(ip uint64) bool {
 			return false
 		}
 	}
-	if this.ExpiredAt > 0 && this.ExpiredAt < utils.UnixTime() {
+	if this.ExpiredAt > 0 && this.ExpiredAt < fasttime.Now().Unix() {
 		return false
 	}
 	return true
@@ -56,7 +58,7 @@ func (this *IPItem) containsIPv6(ip uint64) bool {
 	if this.IPFrom != ip {
 		return false
 	}
-	if this.ExpiredAt > 0 && this.ExpiredAt < utils.UnixTime() {
+	if this.ExpiredAt > 0 && this.ExpiredAt < fasttime.Now().Unix() {
 		return false
 	}
 	return true
@@ -64,7 +66,7 @@ func (this *IPItem) containsIPv6(ip uint64) bool {

 // 检查是否包所有IP
 func (this *IPItem) containsAll() bool {
-	if this.ExpiredAt > 0 && this.ExpiredAt < utils.UnixTime() {
+	if this.ExpiredAt > 0 && this.ExpiredAt < fasttime.Now().Unix() {
 		return false
 	}
 	return true
--- a/internal/iplibrary/ip_list.go
+++ b/internal/iplibrary/ip_list.go
@@ -3,6 +3,7 @@ package iplibrary
 import (
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/expires"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"sort"
 	"sync"
 )
@@ -72,6 +73,25 @@ func (this *IPList) Contains(ip uint64) bool {
 	return item != nil
 }

+// ContainsExpires 判断是否包含某个IP
+func (this *IPList) ContainsExpires(ip uint64) (expiresAt int64, ok bool) {
+	this.locker.RLock()
+	if len(this.allItemsMap) > 0 {
+		this.locker.RUnlock()
+		return 0, true
+	}
+
+	var item = this.lookupIP(ip)
+
+	this.locker.RUnlock()
+
+	if item == nil {
+		return
+	}
+
+	return item.ExpiredAt, true
+}
+
 // ContainsIPStrings 是否包含一组IP中的任意一个，并返回匹配的第一个Item
 func (this *IPList) ContainsIPStrings(ipStrings []string) (item *IPItem, found bool) {
 	if len(ipStrings) == 0 {
@@ -110,7 +130,7 @@ func (this *IPList) addItem(item *IPItem, sortable bool) {
 		return
 	}

-	if item.ExpiredAt > 0 && item.ExpiredAt < utils.UnixTime() {
+	if item.ExpiredAt > 0 && item.ExpiredAt < fasttime.Now().Unix() {
 		return
 	}

@@ -155,7 +175,7 @@ func (this *IPList) addItem(item *IPItem, sortable bool) {
 	this.locker.Unlock()
 }

-//  对列表进行排序
+// 对列表进行排序
 func (this *IPList) sortItems() {
 	sort.Slice(this.sortedItems, func(i, j int) bool {
 		var item1 = this.sortedItems[i]
--- a/internal/iplibrary/ip_list_db.go
+++ b/internal/iplibrary/ip_list_db.go
@@ -3,28 +3,31 @@
 package iplibrary

 import (
-	"database/sql"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/dbs"
 	"github.com/iwind/TeaGo/Tea"
-	_ "github.com/mattn/go-sqlite3"
 	"os"
 	"path/filepath"
 	"time"
 )

 type IPListDB struct {
-	db *sql.DB
+	db *dbs.DB

-	itemTableName string
+	itemTableName    string
+	versionTableName string

-	deleteExpiredItemsStmt *sql.Stmt
-	deleteItemStmt         *sql.Stmt
-	insertItemStmt         *sql.Stmt
-	selectItemsStmt        *sql.Stmt
-	selectMaxVersionStmt   *sql.Stmt
+	deleteExpiredItemsStmt   *dbs.Stmt
+	deleteItemStmt           *dbs.Stmt
+	insertItemStmt           *dbs.Stmt
+	selectItemsStmt          *dbs.Stmt
+	selectMaxItemVersionStmt *dbs.Stmt
+
+	selectVersionStmt *dbs.Stmt
+	updateVersionStmt *dbs.Stmt

 	cleanTicker *time.Ticker

@@ -35,9 +38,10 @@ type IPListDB struct {

 func NewIPListDB() (*IPListDB, error) {
 	var db = &IPListDB{
-		itemTableName: "ipItems",
-		dir:           filepath.Clean(Tea.Root + "/data"),
-		cleanTicker:   time.NewTicker(24 * time.Hour),
+		itemTableName:    "ipItems",
+		versionTableName: "versions",
+		dir:              filepath.Clean(Tea.Root + "/data"),
+		cleanTicker:      time.NewTicker(24 * time.Hour),
 	}
 	err := db.init()
 	return db, err
@@ -56,7 +60,7 @@ func (this *IPListDB) init() error {

 	var path = this.dir + "/ip_list.db"

-	db, err := sql.Open("sqlite3", "file:"+path+"?cache=shared&mode=rwc&_journal_mode=WAL&_sync=OFF")
+	db, err := dbs.OpenWriter("file:" + path + "?cache=shared&mode=rwc&_journal_mode=WAL&_sync=OFF&_locking_mode=EXCLUSIVE")
 	if err != nil {
 		return err
 	}
@@ -109,6 +113,15 @@ ON "` + this.itemTableName + `" (
 		return err
 	}

+	_, err = db.Exec(`CREATE TABLE IF NOT EXISTS "` + this.versionTableName + `" (
+  "id" integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+  "version" integer DEFAULT 0
+);
+`)
+	if err != nil {
+		return err
+	}
+
 	// 初始化SQL语句
 	this.deleteExpiredItemsStmt, err = this.db.Prepare(`DELETE FROM "` + this.itemTableName + `" WHERE  "expiredAt">0 AND "expiredAt"<?`)
 	if err != nil {
@@ -130,7 +143,20 @@ ON "` + this.itemTableName + `" (
 		return err
 	}

-	this.selectMaxVersionStmt, err = this.db.Prepare(`SELECT "version" FROM "` + this.itemTableName + `" ORDER BY "id" DESC LIMIT 1`)
+	this.selectMaxItemVersionStmt, err = this.db.Prepare(`SELECT "version" FROM "` + this.itemTableName + `" ORDER BY "id" DESC LIMIT 1`)
+	if err != nil {
+		return err
+	}
+
+	this.selectVersionStmt, err = this.db.Prepare(`SELECT "version" FROM "` + this.versionTableName + `" LIMIT 1`)
+	if err != nil {
+		return err
+	}
+
+	this.updateVersionStmt, err = this.db.Prepare(`REPLACE INTO "` + this.versionTableName + `" ("id", "version") VALUES (1, ?)`)
+	if err != nil {
+		return err
+	}

 	this.db = db

@@ -173,11 +199,15 @@ func (this *IPListDB) AddItem(item *pb.IPItem) error {

 	// 如果是删除，则不再创建新记录
 	if item.IsDeleted {
-		return nil
+		return this.UpdateMaxVersion(item.Version)
 	}

 	_, err = this.insertItemStmt.Exec(item.ListId, item.ListType, item.IsGlobal, item.Type, item.Id, item.IpFrom, item.IpTo, item.ExpiredAt, item.EventLevel, item.IsDeleted, item.Version, item.NodeId, item.ServerId)
-	return err
+	if err != nil {
+		return err
+	}
+
+	return this.UpdateMaxVersion(item.Version)
 }

 func (this *IPListDB) ReadItems(offset int64, size int64) (items []*pb.IPItem, err error) {
@@ -211,27 +241,63 @@ func (this *IPListDB) ReadMaxVersion() int64 {
 		return 0
 	}

-	var row = this.selectMaxVersionStmt.QueryRow()
-	if row == nil {
-		return 0
+	// from version table
+	{
+		var row = this.selectVersionStmt.QueryRow()
+		if row == nil {
+			return 0
+		}
+		var version int64
+		err := row.Scan(&version)
+		if err == nil {
+			return version
+		}
 	}
-	var version int64
-	err := row.Scan(&version)
-	if err != nil {
-		return 0
+
+	// from items table
+	{
+		var row = this.selectMaxItemVersionStmt.QueryRow()
+		if row == nil {
+			return 0
+		}
+		var version int64
+		err := row.Scan(&version)
+		if err != nil {
+			return 0
+		}
+
+		return version
 	}
-	return version
+}
+
+// UpdateMaxVersion 修改版本号
+func (this *IPListDB) UpdateMaxVersion(version int64) error {
+	if this.isClosed {
+		return nil
+	}
+
+	_, err := this.updateVersionStmt.Exec(version)
+	return err
 }

 func (this *IPListDB) Close() error {
 	this.isClosed = true

 	if this.db != nil {
-		_ = this.deleteExpiredItemsStmt.Close()
-		_ = this.deleteItemStmt.Close()
-		_ = this.insertItemStmt.Close()
-		_ = this.selectItemsStmt.Close()
-		_ = this.selectMaxVersionStmt.Close()
+		for _, stmt := range []*dbs.Stmt{
+			this.deleteExpiredItemsStmt,
+			this.deleteItemStmt,
+			this.insertItemStmt,
+			this.selectItemsStmt,
+			this.selectMaxItemVersionStmt, // ipItems table
+
+			this.selectVersionStmt, // versions table
+			this.updateVersionStmt,
+		} {
+			if stmt != nil {
+				_ = stmt.Close()
+			}
+		}

 		return this.db.Close()
 	}
--- a/internal/iplibrary/ip_list_db_test.go
+++ b/internal/iplibrary/ip_list_db_test.go
@@ -79,3 +79,15 @@ func TestIPListDB_ReadMaxVersion(t *testing.T) {
 	}
 	t.Log(db.ReadMaxVersion())
 }
+
+func TestIPListDB_UpdateMaxVersion(t *testing.T) {
+	db, err := iplibrary.NewIPListDB()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = db.UpdateMaxVersion(1027)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(db.ReadMaxVersion())
+}
--- a/internal/iplibrary/list_utils.go
+++ b/internal/iplibrary/list_utils.go
@@ -10,50 +10,54 @@ import (

 // AllowIP 检查IP是否被允许访问
 // 如果一个IP不在任何名单中，则允许访问
-func AllowIP(ip string, serverId int64) (canGoNext bool, inAllowList bool) {
+func AllowIP(ip string, serverId int64) (canGoNext bool, inAllowList bool, expiresAt int64) {
 	if !Tea.IsTesting() { // 如果在测试环境，我们不加入一些白名单，以便于可以在本地和局域网正常测试
 		// 放行lo
 		if ip == "127.0.0.1" || ip == "::1" {
-			return true, true
+			return true, true, 0
 		}

 		// check node
 		nodeConfig, err := nodeconfigs.SharedNodeConfig()
 		if err == nil && nodeConfig.IPIsAutoAllowed(ip) {
-			return true, true
+			return true, true, 0
 		}
 	}

 	var ipLong = utils.IP2Long(ip)
 	if ipLong == 0 {
-		return false, false
+		return false, false, 0
 	}

 	// check white lists
 	if GlobalWhiteIPList.Contains(ipLong) {
-		return true, true
+		return true, true, 0
 	}

 	if serverId > 0 {
 		var list = SharedServerListManager.FindWhiteList(serverId, false)
 		if list != nil && list.Contains(ipLong) {
-			return true, true
+			return true, true, 0
 		}
 	}

 	// check black lists
-	if GlobalBlackIPList.Contains(ipLong) {
-		return false, false
+	expiresAt, ok := GlobalBlackIPList.ContainsExpires(ipLong)
+	if ok {
+		return false, false, expiresAt
 	}

 	if serverId > 0 {
 		var list = SharedServerListManager.FindBlackList(serverId, false)
-		if list != nil && list.Contains(ipLong) {
-			return false, false
+		if list != nil {
+			expiresAt, ok = list.ContainsExpires(ipLong)
+			if ok {
+				return false, false, expiresAt
+			}
 		}
 	}

-	return true, false
+	return true, false, 0
 }

 // IsInWhiteList 检查IP是否在白名单中
@@ -73,7 +77,7 @@ func AllowIPStrings(ipStrings []string, serverId int64) bool {
 		return true
 	}
 	for _, ip := range ipStrings {
-		isAllowed, _ := AllowIP(ip, serverId)
+		isAllowed, _, _ := AllowIP(ip, serverId)
 		if !isAllowed {
 			return false
 		}
--- a/internal/iplibrary/manager_ip_list.go
+++ b/internal/iplibrary/manager_ip_list.go
@@ -20,7 +20,7 @@ var SharedIPListManager = NewIPListManager()
 var IPListUpdateNotify = make(chan bool, 1)

 func init() {
-	if teaconst.IsDaemon {
+	if !teaconst.IsMain {
 		return
 	}

@@ -47,17 +47,20 @@ type IPListManager struct {

 	db *IPListDB

-	version  int64
-	pageSize int64
+	lastVersion   int64
+	fetchPageSize int64

 	listMap map[int64]*IPList
 	locker  sync.Mutex
+
+	isFirstTime bool
 }

 func NewIPListManager() *IPListManager {
 	return &IPListManager{
-		pageSize: 1000,
-		listMap:  map[int64]*IPList{},
+		fetchPageSize: 5_000,
+		listMap:       map[int64]*IPList{},
+		isFirstTime:   true,
 	}
 }

@@ -117,11 +120,11 @@ func (this *IPListManager) init() {
 		_ = db.DeleteExpiredItems()

 		// 本地数据库中最大版本号
-		this.version = db.ReadMaxVersion()
+		this.lastVersion = db.ReadMaxVersion()

 		// 从本地数据库中加载
 		var offset int64 = 0
-		var size int64 = 1000
+		var size int64 = 2_000
 		for {
 			items, err := db.ReadItems(offset, size)
 			var l = len(items)
@@ -148,6 +151,11 @@ func (this *IPListManager) loop() error {
 		return nil
 	}

+	// 第一次同步则打印信息
+	if this.isFirstTime {
+		remotelogs.Println("IP_LIST_MANAGER", "initializing ip items ...")
+	}
+
 	for {
 		hasNext, err := this.fetch()
 		if err != nil {
@@ -159,6 +167,12 @@ func (this *IPListManager) loop() error {
 		time.Sleep(1 * time.Second)
 	}

+	// 第一次同步则打印信息
+	if this.isFirstTime {
+		this.isFirstTime = false
+		remotelogs.Println("IP_LIST_MANAGER", "finished initializing ip items")
+	}
+
 	return nil
 }

@@ -168,8 +182,8 @@ func (this *IPListManager) fetch() (hasNext bool, err error) {
 		return false, err
 	}
 	itemsResp, err := rpcClient.IPItemRPC.ListIPItemsAfterVersion(rpcClient.Context(), &pb.ListIPItemsAfterVersionRequest{
-		Version: this.version,
-		Size:    this.pageSize,
+		Version: this.lastVersion,
+		Size:    this.fetchPageSize,
 	})
 	if err != nil {
 		if rpc.IsConnError(err) {
@@ -211,6 +225,7 @@ func (this *IPListManager) DeleteExpiredItems() {
 	}
 }

+// 处理IP条目
 func (this *IPListManager) processItems(items []*pb.IPItem, fromRemote bool) {
 	var changedLists = map[*IPList]zero.Zero{}
 	for _, item := range items {
@@ -280,8 +295,8 @@ func (this *IPListManager) processItems(items []*pb.IPItem, fromRemote bool) {

 	if fromRemote {
 		var latestVersion = items[len(items)-1].Version
-		if latestVersion > this.version {
-			this.version = latestVersion
+		if latestVersion > this.lastVersion {
+			this.lastVersion = latestVersion
 		}
 	}
 }
--- a/internal/metrics/manager.go
+++ b/internal/metrics/manager.go
@@ -4,6 +4,7 @@ package metrics

 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"strconv"
@@ -13,6 +14,10 @@ import (
 var SharedManager = NewManager()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventQuit, func() {
 		SharedManager.Quit()
 	})
--- a/internal/metrics/task.go
+++ b/internal/metrics/task.go
@@ -3,7 +3,6 @@
 package metrics

 import (
-	"database/sql"
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
@@ -17,7 +16,6 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/zero"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/types"
-	_ "github.com/mattn/go-sqlite3"
 	"os"
 	"strconv"
 	"sync"
@@ -50,11 +48,11 @@ type Task struct {

 	cleanVersion int32

-	insertStatStmt          *sql.Stmt
-	deleteByVersionStmt     *sql.Stmt
-	deleteByExpiresTimeStmt *sql.Stmt
-	selectTopStmt           *sql.Stmt
-	sumStmt                 *sql.Stmt
+	insertStatStmt          *dbs.Stmt
+	deleteByVersionStmt     *dbs.Stmt
+	deleteByExpiresTimeStmt *dbs.Stmt
+	selectTopStmt           *dbs.Stmt
+	sumStmt                 *dbs.Stmt

 	serverIdMap       map[int64]zero.Zero  // 所有的服务Ids
 	timeMap           map[string]zero.Zero // time => bool
@@ -92,12 +90,12 @@ func (this *Task) Init() error {

 	var path = dir + "/metric." + types.String(this.item.Id) + ".db"

-	db, err := sql.Open("sqlite3", "file:"+path+"?cache=shared&mode=rwc&_journal_mode=WAL&_sync=OFF")
+	db, err := dbs.OpenWriter("file:" + path + "?cache=shared&mode=rwc&_journal_mode=WAL&_sync=OFF&_locking_mode=EXCLUSIVE")
 	if err != nil {
 		return err
 	}
 	db.SetMaxOpenConns(1)
-	this.db = dbs.NewDB(db)
+	this.db = db

 	// 恢复数据库
 	var recoverEnv, _ = os.LookupEnv("EdgeRecover")
--- a/internal/monitor/value_queue.go
+++ b/internal/monitor/value_queue.go
@@ -5,6 +5,7 @@ package monitor
 import (
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -16,6 +17,10 @@ import (
 var SharedValueQueue = NewValueQueue()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventLoaded, func() {
 		goman.New(func() {
 			SharedValueQueue.Start()
--- a/internal/nodes/client_conn.go
+++ b/internal/nodes/client_conn.go
@@ -3,6 +3,7 @@
 package nodes

 import (
+	"errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeNode/internal/conns"
@@ -11,6 +12,8 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/stats"
 	"github.com/TeaOSLab/EdgeNode/internal/ttlcache"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	connutils "github.com/TeaOSLab/EdgeNode/internal/utils/conns"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"github.com/TeaOSLab/EdgeNode/internal/waf"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/types"
@@ -25,29 +28,53 @@ import (
 type ClientConn struct {
 	BaseClientConn

-	isTLS       bool
-	hasDeadline bool
-	hasRead     bool
+	createdAt int64
+
+	isTLS   bool
+	isHTTP  bool
+	hasRead bool

 	isLO          bool // 是否为环路
+	isNoStat      bool // 是否不统计带宽
 	isInAllowList bool

 	hasResetSYNFlood bool
+
+	lastReadAt  int64
+	lastWriteAt int64
+	lastErr     error
+
+	readDeadlineTime int64
+	isShortReading   bool // reading header or tls handshake
+
+	isDebugging      bool
+	autoReadTimeout  bool
+	autoWriteTimeout bool
 }

-func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool, isInAllowList bool) net.Conn {
+func NewClientConn(rawConn net.Conn, isHTTP bool, isTLS bool, isInAllowList bool) net.Conn {
 	// 是否为环路
 	var remoteAddr = rawConn.RemoteAddr().String()
-	var isLO = strings.HasPrefix(remoteAddr, "127.0.0.1:") || strings.HasPrefix(remoteAddr, "[::1]:")

 	var conn = &ClientConn{
 		BaseClientConn: BaseClientConn{rawConn: rawConn},
 		isTLS:          isTLS,
-		isLO:           isLO,
+		isHTTP:         isHTTP,
+		isLO:           strings.HasPrefix(remoteAddr, "127.0.0.1:") || strings.HasPrefix(remoteAddr, "[::1]:"),
+		isNoStat:       connutils.IsNoStatConn(rawConn.RemoteAddr().String()),
 		isInAllowList:  isInAllowList,
+		createdAt:      fasttime.Now().Unix(),
 	}

-	if quickClose {
+	var globalServerConfig = sharedNodeConfig.GlobalServerConfig
+	if globalServerConfig != nil {
+		var performanceConfig = globalServerConfig.Performance
+		conn.isDebugging = performanceConfig.Debug
+		conn.autoReadTimeout = performanceConfig.AutoReadTimeout
+		conn.autoWriteTimeout = performanceConfig.AutoWriteTimeout
+	}
+
+	if isHTTP {
 		// TODO 可以在配置中设置此值
 		_ = conn.SetLinger(nodeconfigs.DefaultTCPLinger)
 	}
@@ -59,6 +86,18 @@ func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool, isInAllowList
 }

 func (this *ClientConn) Read(b []byte) (n int, err error) {
+	if this.isDebugging {
+		this.lastReadAt = fasttime.Now().Unix()
+
+		defer func() {
+			if err != nil {
+				this.lastErr = errors.New("read error: " + err.Error())
+			} else {
+				this.lastErr = nil
+			}
+		}()
+	}
+
 	// 环路直接读取
 	if this.isLO {
 		n, err = this.rawConn.Read(b)
@@ -68,34 +107,29 @@ func (this *ClientConn) Read(b []byte) (n int, err error) {
 		return
 	}

-	// TLS
-	if this.isTLS {
-		if !this.hasDeadline {
-			_ = this.rawConn.SetReadDeadline(time.Now().Add(time.Duration(nodeconfigs.DefaultTLSHandshakeTimeout) * time.Second)) // TODO 握手超时时间可以设置
-			this.hasDeadline = true
-			defer func() {
-				_ = this.rawConn.SetReadDeadline(time.Time{})
-			}()
-		}
+	// 设置读超时时间
+	if this.isHTTP && !this.isPersistent && !this.isShortReading && this.autoReadTimeout {
+		this.setHTTPReadTimeout()
 	}

 	// 开始读取
 	n, err = this.rawConn.Read(b)
 	if n > 0 {
 		atomic.AddUint64(&teaconst.InTrafficBytes, uint64(n))
-		if !this.hasRead {
-			this.hasRead = true
-		}
+		this.hasRead = true
 	}

-	// 检测是否为握手错误
-	var isHandshakeError = err != nil && os.IsTimeout(err) && !this.hasRead
-	if isHandshakeError {
+	// 检测是否为超时错误
+	var isTimeout = err != nil && os.IsTimeout(err)
+	var isHandshakeError = isTimeout && !this.hasRead
+	if isTimeout {
 		_ = this.SetLinger(0)
+	} else {
+		_ = this.SetLinger(nodeconfigs.DefaultTCPLinger)
 	}

 	// 忽略白名单和局域网
-	if !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) {
+	if this.isHTTP && !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) {
 		// SYN Flood检测
 		if this.serverId == 0 || !this.hasResetSYNFlood {
 			var synFloodConfig = sharedNodeConfig.SYNFloodConfig()
@@ -114,17 +148,68 @@ func (this *ClientConn) Read(b []byte) (n int, err error) {
 }

 func (this *ClientConn) Write(b []byte) (n int, err error) {
+	if len(b) == 0 {
+		return 0, nil
+	}
+
+	if this.isDebugging {
+		this.lastWriteAt = fasttime.Now().Unix()
+
+		defer func() {
+			if err != nil {
+				this.lastErr = errors.New("write error: " + err.Error())
+			} else {
+				this.lastErr = nil
+			}
+		}()
+	}
+
+	// 设置写超时时间
+	if this.autoWriteTimeout {
+		// TODO L2 -> L1 写入时不限制时间
+		var timeoutSeconds = len(b) / 1024
+		if timeoutSeconds < 3 {
+			timeoutSeconds = 3
+		}
+		_ = this.rawConn.SetWriteDeadline(time.Now().Add(time.Duration(timeoutSeconds) * time.Second)) // TODO 时间可以设置
+	}
+
+	// 延长读超时时间
+	if this.isHTTP && !this.isPersistent && this.autoReadTimeout {
+		this.setHTTPReadTimeout()
+	}
+
+	// 开始写入
+	var before = time.Now()
 	n, err = this.rawConn.Write(b)
 	if n > 0 {
 		// 统计当前服务带宽
 		if this.serverId > 0 {
-			if !this.isLO || Tea.IsTesting() { // 环路不统计带宽，避免缓存预热等行为产生带宽
+			// TODO 需要加入在serverId绑定之前的带宽
+			if !this.isNoStat || Tea.IsTesting() { // 环路不统计带宽，避免缓存预热等行为产生带宽
 				atomic.AddUint64(&teaconst.OutTrafficBytes, uint64(n))
-				stats.SharedBandwidthStatManager.Add(this.userId, this.serverId, int64(n))
+
+				var cost = time.Since(before).Seconds()
+				if cost > 1 {
+					stats.SharedBandwidthStatManager.AddBandwidth(this.userId, this.serverId, int64(float64(n)/cost), int64(n))
+				} else {
+					stats.SharedBandwidthStatManager.AddBandwidth(this.userId, this.serverId, int64(n), int64(n))
+				}
 			}
 		}
 	}

+	// 如果是写入超时，则立即关闭连接
+	if err != nil && os.IsTimeout(err) {
+		// TODO 考虑对多次慢连接的IP做出惩罚
+		conn, ok := this.rawConn.(LingerConn)
+		if ok {
+			_ = conn.SetLinger(0)
+		}
+
+		_ = this.Close()
+	}
+
 	return
 }

@@ -156,6 +241,26 @@ func (this *ClientConn) SetDeadline(t time.Time) error {
 }

 func (this *ClientConn) SetReadDeadline(t time.Time) error {
+	// 如果开启了HTTP自动读超时选项，则自动控制超时时间
+	if this.isHTTP && !this.isPersistent && this.autoReadTimeout {
+		this.isShortReading = false
+
+		var unixTime = t.Unix()
+		if unixTime < 10 {
+			return nil
+		}
+		if unixTime == this.readDeadlineTime {
+			return nil
+		}
+		this.readDeadlineTime = unixTime
+		var seconds = -time.Since(t)
+		if seconds <= 0 || seconds > HTTPIdleTimeout {
+			return nil
+		}
+		if seconds < HTTPIdleTimeout-1*time.Second {
+			this.isShortReading = true
+		}
+	}
 	return this.rawConn.SetReadDeadline(t)
 }

@@ -163,6 +268,22 @@ func (this *ClientConn) SetWriteDeadline(t time.Time) error {
 	return this.rawConn.SetWriteDeadline(t)
 }

+func (this *ClientConn) CreatedAt() int64 {
+	return this.createdAt
+}
+
+func (this *ClientConn) LastReadAt() int64 {
+	return this.lastReadAt
+}
+
+func (this *ClientConn) LastWriteAt() int64 {
+	return this.lastWriteAt
+}
+
+func (this *ClientConn) LastErr() error {
+	return this.lastErr
+}
+
 func (this *ClientConn) resetSYNFlood() {
 	ttlcache.SharedCache.Delete("SYN_FLOOD:" + this.RawIP())
 }
@@ -170,7 +291,7 @@ func (this *ClientConn) resetSYNFlood() {
 func (this *ClientConn) increaseSYNFlood(synFloodConfig *firewallconfigs.SYNFloodConfig) {
 	var ip = this.RawIP()
 	if len(ip) > 0 && !iplibrary.IsInWhiteList(ip) && (!synFloodConfig.IgnoreLocal || !utils.IsLocalIP(ip)) {
-		var timestamp = utils.NextMinuteUnixTime()
+		var timestamp = fasttime.Now().UnixNextMinute()
 		var result = ttlcache.SharedCache.IncreaseInt64("SYN_FLOOD:"+ip, 1, timestamp, true)
 		var minAttempts = synFloodConfig.MinAttempts
 		if minAttempts < 5 {
@@ -190,7 +311,12 @@ func (this *ClientConn) increaseSYNFlood(synFloodConfig *firewallconfigs.SYNFloo
 			_ = this.SetLinger(0)
 			_ = this.Close()

-			waf.SharedIPBlackList.RecordIP(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip, time.Now().Unix()+int64(timeout), 0, true, 0, 0, "疑似SYN Flood攻击，当前1分钟"+types.String(result)+"次空连接")
+			waf.SharedIPBlackList.RecordIP(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip, fasttime.Now().Unix()+int64(timeout), 0, true, 0, 0, "疑似SYN Flood攻击，当前1分钟"+types.String(result)+"次空连接")
 		}
 	}
 }
+
+// 设置读超时时间
+func (this *ClientConn) setHTTPReadTimeout() {
+	_ = this.SetReadDeadline(time.Now().Add(HTTPIdleTimeout))
+}
--- a/internal/nodes/client_conn_base.go
+++ b/internal/nodes/client_conn_base.go
@@ -4,6 +4,8 @@ package nodes

 import (
 	"crypto/tls"
+	"github.com/TeaOSLab/EdgeNode/internal/firewalls"
+	"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
 	"net"
 )

@@ -16,6 +18,9 @@ type BaseClientConn struct {
 	remoteAddr string
 	hasLimit   bool

+	isPersistent bool // 是否为持久化连接
+	fingerprint  []byte
+
 	isClosed bool

 	rawIP string
@@ -45,7 +50,20 @@ func (this *BaseClientConn) Bind(serverId int64, remoteAddr string, maxConnsPerS
 }

 // SetServerId 设置服务ID
-func (this *BaseClientConn) SetServerId(serverId int64) {
+func (this *BaseClientConn) SetServerId(serverId int64) (goNext bool) {
+	goNext = true
+
+	// 检查服务相关IP黑名单
+	if serverId > 0 && len(this.rawIP) > 0 {
+		// 是否在白名单中
+		ok, _, expiresAt := iplibrary.AllowIP(this.rawIP, serverId)
+		if !ok {
+			_ = this.rawConn.Close()
+			firewalls.DropTemporaryTo(this.rawIP, expiresAt)
+			return false
+		}
+	}
+
 	this.serverId = serverId

 	// 设置包装前连接
@@ -58,6 +76,8 @@ func (this *BaseClientConn) SetServerId(serverId int64) {
 	case *ClientConn:
 		conn.SetServerId(serverId)
 	}
+
+	return true
 }

 // ServerId 读取当前连接绑定的服务ID
@@ -122,3 +142,17 @@ func (this *BaseClientConn) SetLinger(seconds int) error {
 	}
 	return nil
 }
+
+func (this *BaseClientConn) SetIsPersistent(isPersistent bool) {
+	this.isPersistent = isPersistent
+}
+
+// SetFingerprint 设置指纹信息
+func (this *BaseClientConn) SetFingerprint(fingerprint []byte) {
+	this.fingerprint = fingerprint
+}
+
+// Fingerprint 读取指纹信息
+func (this *BaseClientConn) Fingerprint() []byte {
+	return this.fingerprint
+}
--- a/internal/nodes/client_conn_interface.go
+++ b/internal/nodes/client_conn_interface.go
@@ -16,11 +16,20 @@ type ClientConnInterface interface {
 	ServerId() int64

 	// SetServerId 设置服务ID
-	SetServerId(serverId int64)
+	SetServerId(serverId int64) (goNext bool)

 	// SetUserId 设置所属服务的用户ID
 	SetUserId(userId int64)

 	// UserId 获取当前连接所属服务的用户ID
 	UserId() int64
+
+	// SetIsPersistent 设置是否为持久化
+	SetIsPersistent(isPersistent bool)
+
+	// SetFingerprint 设置指纹信息
+	SetFingerprint(fingerprint []byte)
+
+	// Fingerprint 读取指纹信息
+	Fingerprint() []byte
 }
--- a/internal/nodes/client_conn_traffic.go
+++ b/internal/nodes/client_conn_traffic.go
@@ -15,6 +15,10 @@ import (

 // 发送监控流量
 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventStart, func() {
 		var ticker = time.NewTicker(1 * time.Minute)
 		goman.New(func() {
--- a/internal/nodes/client_listener.go
+++ b/internal/nodes/client_listener.go
@@ -8,20 +8,19 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
 	"github.com/TeaOSLab/EdgeNode/internal/waf"
 	"net"
-	"time"
 )

 // ClientListener 客户端网络监听
 type ClientListener struct {
 	rawListener net.Listener
+	isHTTP      bool
 	isTLS       bool
-	quickClose  bool
 }

-func NewClientListener(listener net.Listener, quickClose bool) *ClientListener {
+func NewClientListener(listener net.Listener, isHTTP bool) *ClientListener {
 	return &ClientListener{
 		rawListener: listener,
-		quickClose:  quickClose,
+		isHTTP:      isHTTP,
 	}
 }

@@ -43,25 +42,17 @@ func (this *ClientListener) Accept() (net.Conn, error) {
 	ip, _, err := net.SplitHostPort(conn.RemoteAddr().String())
 	var isInAllowList = false
 	if err == nil {
-		canGoNext, inAllowList := iplibrary.AllowIP(ip, 0)
+		canGoNext, inAllowList, expiresAt := iplibrary.AllowIP(ip, 0)
 		isInAllowList = inAllowList
-		if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip) {
-			expiresAt, ok := waf.SharedIPBlackList.ContainsExpires(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip)
-			if ok {
-				var timeout = expiresAt - time.Now().Unix()
-				if timeout > 0 {
+		if !canGoNext {
+			firewalls.DropTemporaryTo(ip, expiresAt)
+		} else {
+			if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip) {
+				var ok = false
+				expiresAt, ok = waf.SharedIPBlackList.ContainsExpires(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip)
+				if ok {
 					canGoNext = false
-
-					if timeout > 3600 {
-						timeout = 3600
-					}
-
-					// 使用本地防火墙延长封禁
-					var fw = firewalls.Firewall()
-					if fw != nil && !fw.IsMock() {
-						// 这里 int(int64) 转换的前提是限制了 timeout <= 3600，否则将有整型溢出的风险
-						_ = fw.DropSourceIP(ip, int(timeout), true)
-					}
+					firewalls.DropTemporaryTo(ip, expiresAt)
 				}
 			}
 		}
@@ -78,7 +69,7 @@ func (this *ClientListener) Accept() (net.Conn, error) {
 		}
 	}

-	return NewClientConn(conn, this.isTLS, this.quickClose, isInAllowList), nil
+	return NewClientConn(conn, this.isHTTP, this.isTLS, isInAllowList), nil
 }

 func (this *ClientListener) Close() error {
--- a/internal/nodes/client_tls_conn.go
+++ b/internal/nodes/client_tls_conn.go
@@ -55,3 +55,30 @@ func (this *ClientTLSConn) SetReadDeadline(t time.Time) error {
 func (this *ClientTLSConn) SetWriteDeadline(t time.Time) error {
 	return this.rawConn.SetWriteDeadline(t)
 }
+
+func (this *ClientTLSConn) SetIsPersistent(isPersistent bool) {
+	tlsConn, ok := this.rawConn.(*tls.Conn)
+	if ok {
+		var rawConn = tlsConn.NetConn()
+		if rawConn != nil {
+			clientConn, ok := rawConn.(*ClientConn)
+			if ok {
+				clientConn.SetIsPersistent(isPersistent)
+			}
+		}
+	}
+}
+
+func (this *ClientTLSConn) Fingerprint() []byte {
+	tlsConn, ok := this.rawConn.(*tls.Conn)
+	if ok {
+		var rawConn = tlsConn.NetConn()
+		if rawConn != nil {
+			clientConn, ok := rawConn.(*ClientConn)
+			if ok {
+				return clientConn.fingerprint
+			}
+		}
+	}
+	return nil
+}
--- a/internal/nodes/http_access_log_queue.go
+++ b/internal/nodes/http_access_log_queue.go
@@ -11,6 +11,7 @@ import (
 	"google.golang.org/grpc/status"
 	"strings"
 	"time"
+	"unicode/utf8"
 )

 var sharedHTTPAccessLogQueue = NewHTTPAccessLogQueue()
@@ -25,9 +26,12 @@ type HTTPAccessLogQueue struct {
 // NewHTTPAccessLogQueue 获取新对象
 func NewHTTPAccessLogQueue() *HTTPAccessLogQueue {
 	// 队列中最大的值，超出此数量的访问日志会被丢弃
-	// TODO 需要可以在界面中设置
-	maxSize := 20000
-	queue := &HTTPAccessLogQueue{
+	var maxSize = 2_000 * (1 + utils.SystemMemoryGB()/2)
+	if maxSize > 20_000 {
+		maxSize = 20_000
+	}
+
+	var queue = &HTTPAccessLogQueue{
 		queue: make(chan *pb.HTTPAccessLog, maxSize),
 	}
 	goman.New(func() {
@@ -134,14 +138,23 @@ Loop:
 	return nil
 }

+// ToValidUTF8 处理访问日志中的非UTF-8字节
 func (this *HTTPAccessLogQueue) ToValidUTF8(accessLog *pb.HTTPAccessLog) {
+	accessLog.RemoteAddr = utils.ToValidUTF8string(accessLog.RemoteAddr)
 	accessLog.RemoteUser = utils.ToValidUTF8string(accessLog.RemoteUser)
 	accessLog.RequestURI = utils.ToValidUTF8string(accessLog.RequestURI)
 	accessLog.RequestPath = utils.ToValidUTF8string(accessLog.RequestPath)
 	accessLog.RequestFilename = utils.ToValidUTF8string(accessLog.RequestFilename)
 	accessLog.RequestBody = bytes.ToValidUTF8(accessLog.RequestBody, []byte{})
+	accessLog.Host = utils.ToValidUTF8string(accessLog.Host)
+	accessLog.Hostname = utils.ToValidUTF8string(accessLog.Hostname)
+
+	for k, v := range accessLog.SentHeader {
+		if !utf8.ValidString(k) {
+			delete(accessLog.SentHeader, k)
+			continue
+		}

-	for _, v := range accessLog.SentHeader {
 		for index, s := range v.Values {
 			v.Values[index] = utils.ToValidUTF8string(s)
 		}
@@ -153,15 +166,27 @@ func (this *HTTPAccessLogQueue) ToValidUTF8(accessLog *pb.HTTPAccessLog) {
 	accessLog.ContentType = utils.ToValidUTF8string(accessLog.ContentType)

 	for k, c := range accessLog.Cookie {
+		if !utf8.ValidString(k) {
+			delete(accessLog.Cookie, k)
+			continue
+		}
 		accessLog.Cookie[k] = utils.ToValidUTF8string(c)
 	}

 	accessLog.Args = utils.ToValidUTF8string(accessLog.Args)
 	accessLog.QueryString = utils.ToValidUTF8string(accessLog.QueryString)

-	for _, v := range accessLog.Header {
+	for k, v := range accessLog.Header {
+		if !utf8.ValidString(k) {
+			delete(accessLog.Header, k)
+			continue
+		}
 		for index, s := range v.Values {
 			v.Values[index] = utils.ToValidUTF8string(s)
 		}
 	}
+
+	for k, v := range accessLog.Errors {
+		accessLog.Errors[k] = utils.ToValidUTF8string(v)
+	}
 }
--- a/internal/nodes/http_access_log_queue_test.go
+++ b/internal/nodes/http_access_log_queue_test.go
@@ -17,6 +17,7 @@ import (
 	"strings"
 	"testing"
 	"time"
+	"unicode/utf8"
 )

 func TestHTTPAccessLogQueue_Push(t *testing.T) {
@@ -135,6 +136,16 @@ func TestHTTPAccessLogQueue_Memory(t *testing.T) {
 	time.Sleep(5 * time.Second)
 }

+func TestUTF8_IsValid(t *testing.T) {
+	t.Log(utf8.ValidString("abc"))
+
+	var noneUTF8Bytes = []byte{}
+	for i := 0; i < 254; i++ {
+		noneUTF8Bytes = append(noneUTF8Bytes, uint8(i))
+	}
+	t.Log(utf8.ValidString(string(noneUTF8Bytes)))
+}
+
 func BenchmarkHTTPAccessLogQueue_ToValidUTF8(b *testing.B) {
 	runtime.GOMAXPROCS(1)

--- a/internal/nodes/http_cache_task_manager.go
+++ b/internal/nodes/http_cache_task_manager.go
@@ -9,10 +9,12 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeNode/internal/caches"
 	"github.com/TeaOSLab/EdgeNode/internal/compressions"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/rpc"
+	connutils "github.com/TeaOSLab/EdgeNode/internal/utils/conns"
 	"github.com/iwind/TeaGo/Tea"
 	"io"
 	"net"
@@ -23,6 +25,10 @@ import (
 )

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventStart, func() {
 		goman.New(func() {
 			SharedHTTPCacheTaskManager.Start()
@@ -56,7 +62,12 @@ func NewHTTPCacheTaskManager() *HTTPCacheTaskManager {
 					if err != nil {
 						return nil, err
 					}
-					return net.Dial(network, "127.0.0.1:"+port)
+					conn, err := net.Dial(network, "127.0.0.1:"+port)
+					if err != nil {
+						return nil, err
+					}
+
+					return connutils.NewNoStat(conn), nil
 				},
 				MaxIdleConns:          128,
 				MaxIdleConnsPerHost:   32,
--- a/internal/nodes/http_client.go
+++ b/internal/nodes/http_client.go
@@ -1,7 +1,7 @@
 package nodes

 import (
-	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"net/http"
 )

@@ -15,7 +15,7 @@ type HTTPClient struct {
 func NewHTTPClient(rawClient *http.Client) *HTTPClient {
 	return &HTTPClient{
 		rawClient: rawClient,
-		accessAt:  utils.UnixTime(),
+		accessAt:  fasttime.Now().Unix(),
 	}
 }

@@ -26,7 +26,7 @@ func (this *HTTPClient) RawClient() *http.Client {

 // UpdateAccessTime 更新访问时间
 func (this *HTTPClient) UpdateAccessTime() {
-	this.accessAt = utils.UnixTime()
+	this.accessAt = fasttime.Now().Unix()
 }

 // AccessTime 获取访问时间
--- a/internal/nodes/http_client_pool.go
+++ b/internal/nodes/http_client_pool.go
@@ -95,11 +95,11 @@ func (this *HTTPClientPool) Client(req *HTTPRequest,
 		numberCPU = 8
 	}
 	if maxConnections <= 0 {
-		maxConnections = numberCPU * 32
+		maxConnections = numberCPU * 64
 	}

 	if idleConns <= 0 {
-		idleConns = numberCPU * 8
+		idleConns = numberCPU * 16
 	}

 	// 可以判断为Ln节点请求
--- a/internal/nodes/http_client_pool_test.go
+++ b/internal/nodes/http_client_pool_test.go
@@ -11,12 +11,12 @@ func TestHTTPClientPool_Client(t *testing.T) {
 	pool := NewHTTPClientPool()

 	{
-		origin := &serverconfigs.OriginConfig{
+		var origin = &serverconfigs.OriginConfig{
 			Id:      1,
 			Version: 2,
 			Addr:    &serverconfigs.NetworkAddressConfig{Host: "127.0.0.1", PortRange: "1234"},
 		}
-		err := origin.Init()
+		err := origin.Init(nil)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -43,7 +43,7 @@ func TestHTTPClientPool_cleanClients(t *testing.T) {
 		Version: 2,
 		Addr:    &serverconfigs.NetworkAddressConfig{Host: "127.0.0.1", PortRange: "1234"},
 	}
-	err := origin.Init()
+	err := origin.Init(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -60,17 +60,19 @@ func TestHTTPClientPool_cleanClients(t *testing.T) {
 func BenchmarkHTTPClientPool_Client(b *testing.B) {
 	runtime.GOMAXPROCS(1)

-	origin := &serverconfigs.OriginConfig{
+	var origin = &serverconfigs.OriginConfig{
 		Id:      1,
 		Version: 2,
 		Addr:    &serverconfigs.NetworkAddressConfig{Host: "127.0.0.1", PortRange: "1234"},
 	}
-	err := origin.Init()
+	err := origin.Init(nil)
 	if err != nil {
 		b.Fatal(err)
 	}

-	pool := NewHTTPClientPool()
+	b.ResetTimer()
+
+	var pool = NewHTTPClientPool()
 	for i := 0; i < b.N; i++ {
 		_, _ = pool.Client(nil, origin, origin.Addr.PickAddress(), nil, false)
 	}
--- a/internal/nodes/http_request.go
+++ b/internal/nodes/http_request.go
@@ -221,6 +221,18 @@ func (this *HTTPRequest) Do() {
 			}
 		}

+		// CC
+		if !isHealthCheck {
+			if this.web.CC != nil {
+				if this.web.CC.IsOn {
+					if this.doCC() {
+						this.doEnd()
+						return
+					}
+				}
+			}
+		}
+
 		// WAF
 		if this.web.FirewallRef != nil && this.web.FirewallRef.IsOn {
 			if this.doWAFRequest() {
@@ -237,6 +249,14 @@ func (this *HTTPRequest) Do() {
 			}
 		}

+		// UA名单
+		if !this.isSubRequest && this.web.UserAgent != nil && this.web.UserAgent.IsOn {
+			if this.doCheckUserAgent() {
+				this.doEnd()
+				return
+			}
+		}
+
 		// 访问控制
 		if !this.isSubRequest && this.web.Auth != nil && this.web.Auth.IsOn {
 			if this.doAuth() {
@@ -383,7 +403,7 @@ func (this *HTTPRequest) doEnd() {
 			attackBytes = this.CalculateSize()
 		}

-		stats.SharedTrafficStatManager.Add(this.ReqServer.Id, this.ReqHost, this.writer.SentBodyBytes()+this.writer.SentHeaderBytes(), cachedBytes, 1, countCached, countAttacks, attackBytes, this.ReqServer.ShouldCheckTrafficLimit(), this.ReqServer.PlanId())
+		stats.SharedTrafficStatManager.Add(this.ReqServer.UserId, this.ReqServer.Id, this.ReqHost, this.writer.SentBodyBytes()+this.writer.SentHeaderBytes(), cachedBytes, 1, countCached, countAttacks, attackBytes, this.ReqServer.ShouldCheckTrafficLimit(), this.ReqServer.PlanId())

 		// 指标
 		if metrics.SharedManager.HasHTTPMetrics() {
@@ -526,6 +546,11 @@ func (this *HTTPRequest) configureWeb(web *serverconfigs.HTTPWebConfig, isTop bo
 		this.web.Referers = web.Referers
 	}

+	// user agent
+	if web.UserAgent != nil && (web.UserAgent.IsPrior || isTop) {
+		this.web.UserAgent = web.UserAgent
+	}
+
 	// request limit
 	if web.RequestLimit != nil && (web.RequestLimit.IsPrior || isTop) {
 		this.web.RequestLimit = web.RequestLimit
@@ -559,6 +584,11 @@ func (this *HTTPRequest) configureWeb(web *serverconfigs.HTTPWebConfig, isTop bo
 		this.web.UAM = web.UAM
 	}

+	// CC
+	if web.CC != nil && (web.CC.IsPrior || isTop) {
+		this.web.CC = web.CC
+	}
+
 	// 重写规则
 	if len(web.RewriteRefs) > 0 {
 		for index, ref := range web.RewriteRefs {
@@ -715,6 +745,8 @@ func (this *HTTPRequest) Format(source string) string {
 			return this.Path()
 		case "requestPathExtension":
 			return filepath.Ext(this.Path())
+		case "requestPathLowerExtension":
+			return strings.ToLower(filepath.Ext(this.Path()))
 		case "requestLength":
 			return strconv.FormatInt(this.requestLength(), 10)
 		case "requestTime":
@@ -828,7 +860,7 @@ func (this *HTTPRequest) Format(source string) string {
 			}

 			// response.xxx.xxx
-			dotIndex := strings.Index(suffix, ".")
+			dotIndex = strings.Index(suffix, ".")
 			if dotIndex < 0 {
 				return "${" + varName + "}"
 			}
@@ -1133,6 +1165,8 @@ func (this *HTTPRequest) requestRemoteAddr(supportVar bool) string {

 // 获取请求的客户端地址列表
 func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
+	result = append(result, this.requestRemoteAddr(true))
+
 	// X-Forwarded-For
 	var forwardedFor = this.RawReq.Header.Get("X-Forwarded-For")
 	if len(forwardedFor) > 0 {
@@ -1554,7 +1588,7 @@ func (this *HTTPRequest) processRequestHeaders(reqHeader http.Header) {
 			}

 			// 是否已删除
-			if this.web.ResponseHeaderPolicy.ContainsDeletedHeader(header.Name) {
+			if this.web.RequestHeaderPolicy.ContainsDeletedHeader(header.Name) {
 				continue
 			}

@@ -1692,6 +1726,36 @@ func (this *HTTPRequest) processResponseHeaders(responseHeader http.Header, stat
 				responseHeader[header.Name] = []string{headerValue}
 			}
 		}
+
+		// CORS
+		if this.web.ResponseHeaderPolicy.CORS != nil && this.web.ResponseHeaderPolicy.CORS.IsOn {
+			var corsConfig = this.web.ResponseHeaderPolicy.CORS
+
+			// Allow-Origin
+			if len(corsConfig.AllowOrigin) == 0 {
+				var origin = this.RawReq.Header.Get("Origin")
+				if len(origin) > 0 {
+					responseHeader.Set("Access-Control-Allow-Origin", origin)
+				}
+			} else {
+				responseHeader.Set("Access-Control-Allow-Origin", corsConfig.AllowOrigin)
+			}
+
+			// Allow-Methods
+			if len(corsConfig.AllowMethods) == 0 {
+				responseHeader.Set("Access-Control-Allow-Methods", "PUT, GET, POST, DELETE, HEAD, OPTIONS")
+			} else {
+				responseHeader.Set("Access-Control-Allow-Methods", strings.Join(corsConfig.AllowMethods, ", "))
+			}
+
+			// Max-Age
+			if corsConfig.MaxAge > 0 {
+				responseHeader.Set("Access-Control-Max-Age", types.String(corsConfig.MaxAge))
+			}
+
+			// Allow-Credentials
+			responseHeader.Set("Access-Control-Allow-Credentials", "true")
+		}
 	}

 	// HSTS
--- a/internal/nodes/http_request_cache.go
+++ b/internal/nodes/http_request_cache.go
@@ -7,6 +7,7 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/compressions"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	rangeutils "github.com/TeaOSLab/EdgeNode/internal/utils/ranges"
 	"github.com/iwind/TeaGo/types"
 	"io"
@@ -328,7 +329,7 @@ func (this *HTTPRequest) doCacheRead(useStale bool) (shouldStop bool) {
 	}

 	// 设置cache.age变量
-	var age = strconv.FormatInt(utils.UnixTime()-reader.LastModified(), 10)
+	var age = strconv.FormatInt(fasttime.Now().Unix()-reader.LastModified(), 10)
 	this.varMapping["cache.age"] = age

 	if addStatusHeader {
--- a/internal/nodes/http_request_cc.go
+++ b/internal/nodes/http_request_cc.go
@@ -0,0 +1,8 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package nodes
+
+func (this *HTTPRequest) doCC() (block bool) {
+	return
+}
--- a/internal/nodes/http_request_fastcgi.go
+++ b/internal/nodes/http_request_fastcgi.go
@@ -73,6 +73,16 @@ func (this *HTTPRequest) doFastcgi() (shouldStop bool) {
 		}
 	}

+	// 设置为持久化连接
+	var requestConn = this.RawReq.Context().Value(HTTPConnContextKey)
+	if requestConn == nil {
+		return
+	}
+	requestClientConn, ok := requestConn.(ClientConnInterface)
+	if ok {
+		requestClientConn.SetIsPersistent(true)
+	}
+
 	// 连接池配置
 	poolSize := fastcgi.PoolSize
 	if poolSize <= 0 {
--- a/internal/nodes/http_request_health_check.go
+++ b/internal/nodes/http_request_health_check.go
@@ -21,6 +21,8 @@ func (this *HTTPRequest) doHealthCheck(key string, isHealthCheck *bool) (stop bo
 	}
 	*isHealthCheck = true

+	this.web.StatRef = nil
+
 	if !data.GetBool("accessLogIsOn") {
 		this.disableLog = true
 	}
--- a/internal/nodes/http_request_host_redirect.go
+++ b/internal/nodes/http_request_host_redirect.go
@@ -25,6 +25,16 @@ func (this *HTTPRequest) doHostRedirect() (blocked bool) {
 		if !u.MatchRequest(this.Format) {
 			continue
 		}
+
+		var status = u.Status
+		if status <= 0 {
+			if searchEngineRegex.MatchString(this.RawReq.UserAgent()) {
+				status = http.StatusMovedPermanently
+			} else {
+				status = http.StatusTemporaryRedirect
+			}
+		}
+
 		if len(u.Type) == 0 || u.Type == serverconfigs.HTTPHostRedirectTypeURL {
 			if u.MatchPrefix { // 匹配前缀
 				if strings.HasPrefix(fullURL, u.BeforeURL) {
@@ -38,11 +48,8 @@ func (this *HTTPRequest) doHostRedirect() (blocked bool) {
 						return false
 					}

-					if u.Status <= 0 {
-						u.Status = http.StatusTemporaryRedirect
-					}
-					this.processResponseHeaders(this.writer.Header(), u.Status)
-					http.Redirect(this.RawWriter, this.RawReq, afterURL, u.Status)
+					this.processResponseHeaders(this.writer.Header(), status)
+					http.Redirect(this.RawWriter, this.RawReq, afterURL, status)
 					return true
 				}
 			} else if u.MatchRegexp { // 正则匹配
@@ -83,11 +90,8 @@ func (this *HTTPRequest) doHostRedirect() (blocked bool) {
 					}
 				}

-				if u.Status <= 0 {
-					u.Status = http.StatusTemporaryRedirect
-				}
-				this.processResponseHeaders(this.writer.Header(), u.Status)
-				http.Redirect(this.RawWriter, this.RawReq, afterURL, u.Status)
+				this.processResponseHeaders(this.writer.Header(), status)
+				http.Redirect(this.RawWriter, this.RawReq, afterURL, status)
 				return true
 			} else { // 精准匹配
 				if fullURL == u.RealBeforeURL() {
@@ -104,11 +108,8 @@ func (this *HTTPRequest) doHostRedirect() (blocked bool) {
 						}
 					}

-					if u.Status <= 0 {
-						u.Status = http.StatusTemporaryRedirect
-					}
-					this.processResponseHeaders(this.writer.Header(), u.Status)
-					http.Redirect(this.RawWriter, this.RawReq, afterURL, u.Status)
+					this.processResponseHeaders(this.writer.Header(), status)
+					http.Redirect(this.RawWriter, this.RawReq, afterURL, status)
 					return true
 				}
 			}
@@ -142,11 +143,16 @@ func (this *HTTPRequest) doHostRedirect() (blocked bool) {
 					// 终止匹配
 					return false
 				}
-				if u.Status <= 0 {
-					u.Status = http.StatusTemporaryRedirect
+
+				this.processResponseHeaders(this.writer.Header(), status)
+
+				// 参数
+				var qIndex = strings.Index(this.uri, "?")
+				if qIndex >= 0 {
+					afterURL += this.uri[qIndex:]
 				}
-				this.processResponseHeaders(this.writer.Header(), u.Status)
-				http.Redirect(this.RawWriter, this.RawReq, afterURL, u.Status)
+
+				http.Redirect(this.RawWriter, this.RawReq, afterURL, status)
 				return true
 			}
 		} else if u.Type == serverconfigs.HTTPHostRedirectTypePort {
@@ -193,11 +199,9 @@ func (this *HTTPRequest) doHostRedirect() (blocked bool) {
 					// 终止匹配
 					return false
 				}
-				if u.Status <= 0 {
-					u.Status = http.StatusTemporaryRedirect
-				}
-				this.processResponseHeaders(this.writer.Header(), u.Status)
-				http.Redirect(this.RawWriter, this.RawReq, afterURL, u.Status)
+
+				this.processResponseHeaders(this.writer.Header(), status)
+				http.Redirect(this.RawWriter, this.RawReq, afterURL, status)
 				return true
 			}
 		}
--- a/internal/nodes/http_request_limit.go
+++ b/internal/nodes/http_request_limit.go
@@ -9,7 +9,7 @@ import (

 func (this *HTTPRequest) doRequestLimit() (shouldStop bool) {
 	// 是否在全局名单中
-	_, isInAllowedList := iplibrary.AllowIP(this.RemoteAddr(), this.ReqServer.Id)
+	_, isInAllowedList, _ := iplibrary.AllowIP(this.RemoteAddr(), this.ReqServer.Id)
 	if isInAllowedList {
 		return false
 	}
--- a/internal/nodes/http_request_mismatch.go
+++ b/internal/nodes/http_request_mismatch.go
@@ -35,12 +35,13 @@ func (this *HTTPRequest) doMismatch() {
 	if sharedNodeConfig.GlobalServerConfig != nil && sharedNodeConfig.GlobalServerConfig.HTTPAll.MatchDomainStrictly {
 		// 检查cc
 		// TODO 可以在管理端配置是否开启以及最多尝试次数
+		// 要考虑到服务在切换集群时，域名未生效状态时，用户访问的仍然是老集群中的节点，就会产生找不到域名的情况
 		if len(remoteIP) > 0 {
 			const maxAttempts = 100
 			if ttlcache.SharedCache.IncreaseInt64("MISMATCH_DOMAIN:"+remoteIP, int64(1), time.Now().Unix()+60, false) > maxAttempts {
 				// 在加入之前再次检查黑名单
 				if !waf.SharedIPBlackList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, remoteIP) {
-					waf.SharedIPBlackList.RecordIP(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, remoteIP, time.Now().Unix()+int64(3600), 0, true, 0, 0, "access mismatch domain '"+this.RawReq.Host+"' too frequently")
+					waf.SharedIPBlackList.Add(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, remoteIP, time.Now().Unix()+3600)
 				}
 			}
 		}
--- a/internal/nodes/http_request_redirect_https.go
+++ b/internal/nodes/http_request_redirect_https.go
@@ -8,7 +8,7 @@ import (
 )

 func (this *HTTPRequest) doRedirectToHTTPS(redirectToHTTPSConfig *serverconfigs.HTTPRedirectToHTTPSConfig) (shouldBreak bool) {
-	host := this.RawReq.Host
+	var host = this.RawReq.Host

 	// 检查域名是否匹配
 	if !redirectToHTTPSConfig.MatchDomain(host) {
@@ -22,7 +22,7 @@ func (this *HTTPRequest) doRedirectToHTTPS(redirectToHTTPSConfig *serverconfigs.
 			host = redirectToHTTPSConfig.Host
 		}
 	} else if redirectToHTTPSConfig.Port > 0 {
-		lastIndex := strings.LastIndex(host, ":")
+		var lastIndex = strings.LastIndex(host, ":")
 		if lastIndex > 0 {
 			host = host[:lastIndex]
 		}
@@ -30,18 +30,18 @@ func (this *HTTPRequest) doRedirectToHTTPS(redirectToHTTPSConfig *serverconfigs.
 			host = host + ":" + strconv.Itoa(redirectToHTTPSConfig.Port)
 		}
 	} else {
-		lastIndex := strings.LastIndex(host, ":")
+		var lastIndex = strings.LastIndex(host, ":")
 		if lastIndex > 0 {
 			host = host[:lastIndex]
 		}
 	}

-	statusCode := http.StatusMovedPermanently
+	var statusCode = http.StatusMovedPermanently
 	if redirectToHTTPSConfig.Status > 0 {
 		statusCode = redirectToHTTPSConfig.Status
 	}

-	newURL := "https://" + host + this.RawReq.RequestURI
+	var newURL = "https://" + host + this.RawReq.RequestURI
 	this.processResponseHeaders(this.writer.Header(), statusCode)
 	http.Redirect(this.writer, this.RawReq, newURL, statusCode)

--- a/internal/nodes/http_request_reverse_proxy.go
+++ b/internal/nodes/http_request_reverse_proxy.go
@@ -21,13 +21,15 @@ func (this *HTTPRequest) doReverseProxy() {
 		return
 	}

+	var isLowVersionHTTP = this.RawReq.ProtoMajor < 1 /** 0.x **/ || (this.RawReq.ProtoMajor == 1 && this.RawReq.ProtoMinor == 0 /** 1.0 **/)
+
 	var retries = 3

 	var failedOriginIds []int64
 	var failedLnNodeIds []int64

 	for i := 0; i < retries; i++ {
-		originId, lnNodeId, shouldRetry := this.doOriginRequest(failedOriginIds, failedLnNodeIds, i == 0, i == retries-1)
+		originId, lnNodeId, shouldRetry := this.doOriginRequest(failedOriginIds, failedLnNodeIds, i == 0, i == retries-1, isLowVersionHTTP)
 		if !shouldRetry {
 			break
 		}
@@ -41,7 +43,7 @@ func (this *HTTPRequest) doReverseProxy() {
 }

 // 请求源站
-func (this *HTTPRequest) doOriginRequest(failedOriginIds []int64, failedLnNodeIds []int64, isFirstTry bool, isLastRetry bool) (originId int64, lnNodeId int64, shouldRetry bool) {
+func (this *HTTPRequest) doOriginRequest(failedOriginIds []int64, failedLnNodeIds []int64, isFirstTry bool, isLastRetry bool, isLowVersionHTTP bool) (originId int64, lnNodeId int64, shouldRetry bool) {
 	// 对URL的处理
 	var stripPrefix = this.reverseProxy.StripPrefix
 	var requestURI = this.reverseProxy.RequestURI
@@ -321,6 +323,16 @@ func (this *HTTPRequest) doOriginRequest(failedOriginIds []int64, failedLnNodeId
 		return
 	}

+	// 是否为1.1以下
+	if isLowVersionHTTP && resp.ContentLength < 0 {
+		this.writer.WriteHeader(http.StatusBadRequest)
+		_, _ = this.writer.WriteString("The content does not support " + this.RawReq.Proto + " request.")
+		if resp.Body != nil {
+			_ = resp.Body.Close()
+		}
+		return
+	}
+
 	// 记录相关数据
 	this.originStatus = int32(resp.StatusCode)

--- a/internal/nodes/http_request_stat.go
+++ b/internal/nodes/http_request_stat.go
@@ -6,11 +6,11 @@ import (

 // 统计
 func (this *HTTPRequest) doStat() {
-	if this.ReqServer == nil {
+	if this.ReqServer == nil || this.web == nil || this.web.StatRef == nil {
 		return
 	}

 	// 内置的统计
 	stats.SharedHTTPRequestStatManager.AddRemoteAddr(this.ReqServer.Id, this.requestRemoteAddr(true), this.writer.SentBodyBytes(), this.isAttack)
-	stats.SharedHTTPRequestStatManager.AddUserAgent(this.ReqServer.Id, this.requestHeader("User-Agent"))
+	stats.SharedHTTPRequestStatManager.AddUserAgent(this.ReqServer.Id, this.requestHeader("User-Agent"), this.remoteAddr)
 }
--- a/internal/nodes/http_request_user_agent.go
+++ b/internal/nodes/http_request_user_agent.go
@@ -0,0 +1,24 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package nodes
+
+import (
+	"net/http"
+)
+
+func (this *HTTPRequest) doCheckUserAgent() (shouldStop bool) {
+	if this.web.UserAgent == nil {
+		return
+	}
+
+	const cacheSeconds = "3600" // 时间不能过长，防止修改设置后长期无法生效
+
+	if !this.web.UserAgent.AllowRequest(this.RawReq) {
+		this.tags = append(this.tags, "userAgentCheck")
+		this.writer.Header().Set("Cache-Control", "max-age="+cacheSeconds)
+		this.writeCode(http.StatusForbidden, "The User-Agent has been blocked.", "当前访问已被UA名单拦截。")
+		return true
+	}
+
+	return
+}
--- a/internal/nodes/http_request_utils.go
+++ b/internal/nodes/http_request_utils.go
@@ -4,7 +4,7 @@ import (
 	"crypto/rand"
 	"fmt"
 	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
-	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/ranges"
 	"github.com/iwind/TeaGo/types"
 	"io"
@@ -15,7 +15,11 @@ import (
 	"sync/atomic"
 )

-// 其中的每个括号里的内容都在被引用，不能轻易修改
+// 搜索引擎和爬虫正则
+var searchEngineRegex = regexp.MustCompile(`(?i)(60spider|adldxbot|adsbot-google|applebot|admantx|alexa|baidu|bingbot|bingpreview|facebookexternalhit|googlebot|proximic|slurp|sogou|twitterbot|yandex)`)
+var spiderRegexp = regexp.MustCompile(`(?i)(python|pycurl|http-client|httpclient|apachebench|nethttp|http_request|java|perl|ruby|scrapy|php|rust)`)
+
+// 内容范围正则，其中的每个括号里的内容都在被引用，不能轻易修改
 var contentRangeRegexp = regexp.MustCompile(`^bytes (\d+)-(\d+)/(\d+|\*)`)

 // 分解Range
@@ -180,7 +184,7 @@ var httpRequestTimestamp int64
 var httpRequestId int32 = 1_000_000

 func httpRequestNextId() string {
-	unixTime, unixTimeString := utils.UnixTimeMilliString()
+	unixTime, unixTimeString := fasttime.Now().UnixMilliString()
 	if unixTime > httpRequestTimestamp {
 		atomic.StoreInt32(&httpRequestId, 1_000_000)
 		httpRequestTimestamp = unixTime
@@ -208,3 +212,13 @@ func httpAcceptEncoding(acceptEncodings string, encoding string) bool {
 	}
 	return false
 }
+
+// 跳转到某个URL
+func httpRedirect(writer http.ResponseWriter, req *http.Request, url string, code int) {
+	if len(writer.Header().Get("Content-Type")) == 0 {
+		// 设置Content-Type，是为了让页面不输出链接
+		writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	}
+
+	http.Redirect(writer, req, url, code)
+}
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -35,7 +35,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 	}

 	// 是否在全局名单中
-	canGoNext, isInAllowedList := iplibrary.AllowIP(remoteAddr, this.ReqServer.Id)
+	canGoNext, isInAllowedList, _ := iplibrary.AllowIP(remoteAddr, this.ReqServer.Id)
 	if !canGoNext {
 		this.disableLog = true
 		this.Close()
@@ -67,7 +67,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {

 	// 当前服务的独立设置
 	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
+		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying, false)
 		if blocked {
 			return true
 		}
@@ -78,7 +78,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {

 	// 公用的防火墙设置
 	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
-		blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
+		blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying, this.web.FirewallRef.IgnoreGlobalRules)
 		if blocked {
 			return true
 		}
@@ -90,7 +90,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 	return
 }

-func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool) (blocked bool, breakChecking bool) {
+func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool) (blocked bool, breakChecking bool) {
 	// 检查配置是否为空
 	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
 		return
@@ -211,8 +211,13 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 		}
 	}

+	// 是否执行规则
+	if ignoreRules {
+		return
+	}
+
 	// 规则测试
-	w := waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
+	var w = waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
 	if w == nil {
 		return
 	}
@@ -267,7 +272,7 @@ func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
 	}

 	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-		blocked := this.checkWAFResponse(this.web.FirewallPolicy, resp, forceLog, forceLogRequestBody)
+		blocked := this.checkWAFResponse(this.web.FirewallPolicy, resp, forceLog, forceLogRequestBody, false)
 		if blocked {
 			return true
 		}
@@ -275,7 +280,7 @@ func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {

 	// 公用的防火墙设置
 	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
-		blocked := this.checkWAFResponse(this.ReqServer.HTTPFirewallPolicy, resp, forceLog, forceLogRequestBody)
+		blocked := this.checkWAFResponse(this.ReqServer.HTTPFirewallPolicy, resp, forceLog, forceLogRequestBody, this.web.FirewallRef.IgnoreGlobalRules)
 		if blocked {
 			return true
 		}
@@ -283,12 +288,17 @@ func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
 	return
 }

-func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response, forceLog bool, logRequestBody bool) (blocked bool) {
+func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response, forceLog bool, logRequestBody bool, ignoreRules bool) (blocked bool) {
 	if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
 		return
 	}

-	w := waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
+	// 是否执行规则
+	if ignoreRules {
+		return
+	}
+
+	var w = waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
 	if w == nil {
 		return
 	}
@@ -392,3 +402,27 @@ func (this *HTTPRequest) WAFOnAction(action interface{}) (goNext bool) {
 	}
 	return true
 }
+
+func (this *HTTPRequest) WAFFingerprint() []byte {
+	// 目前只有HTTPS请求才有指纹
+	if !this.IsHTTPS {
+		return nil
+	}
+
+	var requestConn = this.RawReq.Context().Value(HTTPConnContextKey)
+	if requestConn == nil {
+		return nil
+	}
+
+	clientConn, ok := requestConn.(ClientConnInterface)
+	if ok {
+		return clientConn.Fingerprint()
+	}
+
+	return nil
+}
+
+// DisableAccessLog 在当前请求中不使用访问日志
+func (this *HTTPRequest) DisableAccessLog() {
+	this.disableLog = true
+}
--- a/internal/nodes/http_request_websocket.go
+++ b/internal/nodes/http_request_websocket.go
@@ -70,6 +70,13 @@ func (this *HTTPRequest) doWebsocket(requestHost string, isLastRetry bool) (shou
 		this.RawReq.Header.Set("Origin", newRequestOrigin)
 	}

+	// 获取当前连接
+	var requestConn = this.RawReq.Context().Value(HTTPConnContextKey)
+	if requestConn == nil {
+		return
+	}
+
+	// 连接源站
 	// TODO 增加N次错误重试，重试的时候需要尝试不同的源站
 	originConn, _, err := OriginConnect(this.origin, this.requestServerPort(), this.RawReq.RemoteAddr, requestHost)
 	if err != nil {
@@ -102,6 +109,11 @@ func (this *HTTPRequest) doWebsocket(requestHost string, isLastRetry bool) (shou
 		return
 	}

+	requestClientConn, ok := requestConn.(ClientConnInterface)
+	if ok {
+		requestClientConn.SetIsPersistent(true)
+	}
+
 	clientConn, _, err := this.writer.Hijack()
 	if err != nil || clientConn == nil {
 		this.write50x(err, http.StatusInternalServerError, "Failed to get origin site connection", "获取源站连接失败", false)
--- a/internal/nodes/http_writer.go
+++ b/internal/nodes/http_writer.go
@@ -10,8 +10,10 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
 	"github.com/TeaOSLab/EdgeNode/internal/caches"
 	"github.com/TeaOSLab/EdgeNode/internal/compressions"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/readers"
 	"github.com/TeaOSLab/EdgeNode/internal/utils/writers"
 	_ "github.com/biessek/golang-ico"
@@ -39,6 +41,10 @@ var webpMaxBufferSize int64 = 1_000_000_000
 var webpTotalBufferSize int64 = 0

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	var systemMemory = utils.SystemMemoryGB() / 8
 	if systemMemory > 0 {
 		webpMaxBufferSize = int64(systemMemory) * 1024 * 1024 * 1024
@@ -99,6 +105,18 @@ func NewHTTPWriter(req *HTTPRequest, httpResponseWriter http.ResponseWriter) *HT

 // Prepare 准备输出
 func (this *HTTPWriter) Prepare(resp *http.Response, size int64, status int, enableCache bool) (delayHeaders bool) {
+	// 清理以前数据，防止重试时发生异常错误
+	if this.compressionCacheWriter != nil {
+		_ = this.compressionCacheWriter.Discard()
+		this.compressionCacheWriter = nil
+	}
+
+	if this.cacheWriter != nil {
+		_ = this.cacheWriter.Discard()
+		this.cacheWriter = nil
+	}
+
+	// 新的请求相关数据
 	this.size = size
 	this.statusCode = status

@@ -132,7 +150,7 @@ func (this *HTTPWriter) Prepare(resp *http.Response, size int64, status int, ena
 		this.req.web.RequestLimit != nil &&
 		this.req.web.RequestLimit.IsOn &&
 		this.req.web.RequestLimit.OutBandwidthPerConnBytes() > 0 {
-		this.writer = writers.NewRateLimitWriter(this.writer, this.req.web.RequestLimit.OutBandwidthPerConnBytes())
+		this.writer = writers.NewRateLimitWriter(this.req.RawReq.Context(), this.writer, this.req.web.RequestLimit.OutBandwidthPerConnBytes())
 	}

 	return
@@ -282,7 +300,7 @@ func (this *HTTPWriter) PrepareCache(resp *http.Response, size int64) {
 		}
 	}

-	var expiresAt = utils.UnixTime() + life
+	var expiresAt = fasttime.Now().Unix() + life

 	if this.req.isLnRequest {
 		// 返回上级节点过期时间
@@ -315,6 +333,12 @@ func (this *HTTPWriter) PrepareCache(resp *http.Response, size int64) {
 			}
 		}
 	}
+
+	// 先清理以前的
+	if this.cacheWriter != nil {
+		_ = this.cacheWriter.Discard()
+	}
+
 	cacheWriter, err := storage.OpenWriter(cacheKey, expiresAt, this.StatusCode(), this.calculateHeaderLength(), totalSize, cacheRef.MaxSizeBytes(), this.isPartial)
 	if err != nil {
 		if err == caches.ErrEntityTooLarge && addStatusHeader {
@@ -584,6 +608,11 @@ func (this *HTTPWriter) PrepareCompression(resp *http.Response, size int64) {
 		return
 	}

+	// 分区内容不压缩，防止读取失败
+	if !this.compressionConfig.EnablePartialContent && this.StatusCode() == http.StatusPartialContent {
+		return
+	}
+
 	if this.compressionConfig.Level <= 0 {
 		return
 	}
@@ -686,6 +715,9 @@ func (this *HTTPWriter) PrepareCompression(resp *http.Response, size int64) {
 		}

 		if compressionCacheWriter != nil {
+			if this.compressionCacheWriter != nil {
+				_ = this.compressionCacheWriter.Close()
+			}
 			this.compressionCacheWriter = compressionCacheWriter
 			var teeWriter = writers.NewTeeWriterCloser(this.writer, compressionCacheWriter)
 			teeWriter.OnFail(func(err error) {
--- a/internal/nodes/listener_base.go
+++ b/internal/nodes/listener_base.go
@@ -36,7 +36,16 @@ func (this *BaseListener) buildTLSConfig() *tls.Config {
 	return &tls.Config{
 		Certificates: nil,
 		GetConfigForClient: func(clientInfo *tls.ClientHelloInfo) (config *tls.Config, e error) {
-			tlsPolicy, _, err := this.matchSSL(clientInfo.ServerName)
+			// 指纹信息
+			var fingerprint = this.calculateFingerprint(clientInfo)
+			if len(fingerprint) > 0 {
+				clientConn, ok := clientInfo.Conn.(ClientConnInterface)
+				if ok {
+					clientConn.SetFingerprint(fingerprint)
+				}
+			}
+
+			tlsPolicy, _, err := this.matchSSL(this.helloServerName(clientInfo))
 			if err != nil {
 				return nil, err
 			}
@@ -50,7 +59,16 @@ func (this *BaseListener) buildTLSConfig() *tls.Config {
 			return tlsPolicy.TLSConfig(), nil
 		},
 		GetCertificate: func(clientInfo *tls.ClientHelloInfo) (certificate *tls.Certificate, e error) {
-			tlsPolicy, cert, err := this.matchSSL(clientInfo.ServerName)
+			// 指纹信息
+			var fingerprint = this.calculateFingerprint(clientInfo)
+			if len(fingerprint) > 0 {
+				clientConn, ok := clientInfo.Conn.(ClientConnInterface)
+				if ok {
+					clientConn.SetFingerprint(fingerprint)
+				}
+			}
+
+			tlsPolicy, cert, err := this.matchSSL(this.helloServerName(clientInfo))
 			if err != nil {
 				return nil, err
 			}
@@ -182,3 +200,18 @@ func (this *BaseListener) findNamedServerMatched(name string) (serverConfig *ser

 	return nil, name
 }
+
+// 从Hello信息中获取服务名称
+func (this *BaseListener) helloServerName(clientInfo *tls.ClientHelloInfo) string {
+	var serverName = clientInfo.ServerName
+	if len(serverName) == 0 {
+		var localAddr = clientInfo.Conn.LocalAddr()
+		if localAddr != nil {
+			tcpAddr, ok := localAddr.(*net.TCPAddr)
+			if ok {
+				serverName = tcpAddr.IP.String()
+			}
+		}
+	}
+	return serverName
+}
--- a/internal/nodes/listener_base_ext.go
+++ b/internal/nodes/listener_base_ext.go
@@ -0,0 +1,10 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package nodes
+
+import "crypto/tls"
+
+func (this *BaseListener) calculateFingerprint(clientInfo *tls.ClientHelloInfo) []byte {
+	return nil
+}
--- a/internal/nodes/listener_base_test.go
+++ b/internal/nodes/listener_base_test.go
@@ -14,7 +14,7 @@ func TestBaseListener_FindServer(t *testing.T) {
 	sharedNodeConfig = &nodeconfigs.NodeConfig{}

 	var listener = &BaseListener{}
-	listener.Group = &serverconfigs.ServerAddressGroup{}
+	listener.Group = serverconfigs.NewServerAddressGroup("https://*:443")
 	for i := 0; i < 1_000_000; i++ {
 		var server = &serverconfigs.ServerConfig{
 			IsOn: true,
@@ -23,7 +23,7 @@ func TestBaseListener_FindServer(t *testing.T) {
 				{Name: types.String(i) + ".hello.com"},
 			},
 		}
-		_ = server.Init()
+		_ = server.Init(nil)
 		listener.Group.Add(server)
 	}

--- a/internal/nodes/listener_http.go
+++ b/internal/nodes/listener_http.go
@@ -4,9 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/iwind/TeaGo/Tea"
-	"golang.org/x/net/http2"
 	"io"
 	"log"
 	"net"
@@ -18,6 +16,8 @@ import (

 var httpErrorLogger = log.New(io.Discard, "", 0)

+const HTTPIdleTimeout = 75 * time.Second
+
 type contextKey struct {
 	key string
 }
@@ -43,16 +43,12 @@ func (this *HTTPListener) Serve() error {
 	this.httpServer = &http.Server{
 		Addr:              this.addr,
 		Handler:           this,
-		ReadTimeout:       1 * time.Hour,    // TODO 改成可以配置
-		ReadHeaderTimeout: 3 * time.Second,  // TODO 改成可以配置
-		WriteTimeout:      2 * time.Hour,    // TODO 改成可以配置
-		IdleTimeout:       75 * time.Second, // TODO 改成可以配置
+		ReadHeaderTimeout: 3 * time.Second, // TODO 改成可以配置
+		IdleTimeout:       HTTPIdleTimeout, // TODO 改成可以配置
 		ConnState: func(conn net.Conn, state http.ConnState) {
 			switch state {
 			case http.StateNew:
 				atomic.AddInt64(&this.countActiveConnections, 1)
-			case http.StateActive, http.StateIdle, http.StateHijacked:
-				// Nothing to do
 			case http.StateClosed:
 				atomic.AddInt64(&this.countActiveConnections, -1)
 			}
@@ -86,13 +82,7 @@ func (this *HTTPListener) Serve() error {
 	if this.isHTTPS {
 		this.httpServer.TLSConfig = this.buildTLSConfig()

-		// support http/2
-		err := http2.ConfigureServer(this.httpServer, nil)
-		if err != nil {
-			remotelogs.Error("HTTP_LISTENER", "configure http2 error: "+err.Error())
-		}
-
-		err = this.httpServer.ServeTLS(this.Listener, "", "")
+		err := this.httpServer.ServeTLS(this.Listener, "", "")
 		if err != nil && err != http.ErrServerClosed {
 			return err
 		}
@@ -116,8 +106,20 @@ func (this *HTTPListener) Reload(group *serverconfigs.ServerAddressGroup) {

 // ServerHTTP 处理HTTP请求
 func (this *HTTPListener) ServeHTTP(rawWriter http.ResponseWriter, rawReq *http.Request) {
+	var globalServerConfig = sharedNodeConfig.GlobalServerConfig
+	if globalServerConfig != nil && !globalServerConfig.HTTPAll.SupportsLowVersionHTTP && (rawReq.ProtoMajor < 1 /** 0.x **/ || (rawReq.ProtoMajor == 1 && rawReq.ProtoMinor == 0 /** 1.0 **/)) {
+		http.Error(rawWriter, rawReq.Proto+" request is not supported.", http.StatusBadRequest)
+		return
+	}
+
+	// 不支持Connect
+	if rawReq.Method == http.MethodConnect {
+		http.Error(rawWriter, "Method Not Allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
 	// 域名
-	var reqHost = strings.TrimRight(rawReq.Host, ".")
+	var reqHost = strings.ToLower(strings.TrimRight(rawReq.Host, "."))

 	// TLS域名
 	if this.isIP(reqHost) {
@@ -169,7 +171,10 @@ func (this *HTTPListener) ServeHTTP(rawWriter http.ResponseWriter, rawReq *http.
 		if requestConn != nil {
 			clientConn, ok := requestConn.(ClientConnInterface)
 			if ok {
-				clientConn.SetServerId(server.Id)
+				var goNext = clientConn.SetServerId(server.Id)
+				if !goNext {
+					return
+				}
 				clientConn.SetUserId(server.UserId)
 			}
 		}
@@ -222,14 +227,21 @@ func (this *HTTPListener) emptyServer() *serverconfigs.ServerConfig {
 		Type: serverconfigs.ServerTypeHTTPProxy,
 	}

-	var accessLogRef = serverconfigs.NewHTTPAccessLogRef()
-	// TODO 需要配置是否记录日志
-	accessLogRef.IsOn = true
-	accessLogRef.Fields = append([]int{}, serverconfigs.HTTPAccessLogDefaultFieldsCodes...)
-	server.Web = &serverconfigs.HTTPWebConfig{
-		IsOn:         true,
-		AccessLogRef: accessLogRef,
+	// 检查是否开启访问日志
+	if sharedNodeConfig != nil {
+		var globalServerConfig = sharedNodeConfig.GlobalServerConfig
+		if globalServerConfig != nil && globalServerConfig.HTTPAccessLog.EnableServerNotFound {
+			var accessLogRef = serverconfigs.NewHTTPAccessLogRef()
+			accessLogRef.IsOn = true
+			accessLogRef.Fields = append([]int{}, serverconfigs.HTTPAccessLogDefaultFieldsCodes...)
+			server.Web = &serverconfigs.HTTPWebConfig{
+				IsOn:         true,
+				AccessLogRef: accessLogRef,
+			}
+		}
 	}

+	// TODO 需要对访问频率过多的IP进行惩罚
+
 	return server
 }
--- a/internal/nodes/listener_manager.go
+++ b/internal/nodes/listener_manager.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/firewalls"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -23,7 +24,15 @@ import (
 	"time"
 )

-var sharedListenerManager = NewListenerManager()
+var sharedListenerManager *ListenerManager
+
+func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
+	sharedListenerManager = NewListenerManager()
+}

 // ListenerManager 端口监听管理器
 type ListenerManager struct {
@@ -77,12 +86,6 @@ func (this *ListenerManager) Start(node *nodeconfigs.NodeConfig) error {
 	}**/
 	this.lastConfig = node

-	// 初始化
-	err, _ := node.Init()
-	if err != nil {
-		return err
-	}
-
 	// 所有的新地址
 	groupAddrs := []string{}
 	availableServerGroups := node.AvailableGroups()
@@ -115,7 +118,7 @@ func (this *ListenerManager) Start(node *nodeconfigs.NodeConfig) error {
 		addr := group.FullAddr()
 		listener, ok := this.listenersMap[addr]
 		if ok {
-			remotelogs.Println("LISTENER_MANAGER", "reload '"+this.prettyAddress(addr)+"'")
+			// 不需要打印reload信息，防止日志数量过多
 			listener.Reload(group)
 		} else {
 			remotelogs.Println("LISTENER_MANAGER", "listen '"+this.prettyAddress(addr)+"'")
--- a/internal/nodes/listener_tcp.go
+++ b/internal/nodes/listener_tcp.go
@@ -75,7 +75,10 @@ func (this *TCPListener) handleConn(conn net.Conn) error {
 	// 绑定连接和服务
 	clientConn, ok := conn.(ClientConnInterface)
 	if ok {
-		clientConn.SetServerId(server.Id)
+		var goNext = clientConn.SetServerId(server.Id)
+		if !goNext {
+			return nil
+		}
 		clientConn.SetUserId(server.UserId)
 	} else {
 		tlsConn, ok := conn.(*tls.Conn)
@@ -84,7 +87,10 @@ func (this *TCPListener) handleConn(conn net.Conn) error {
 			if internalConn != nil {
 				clientConn, ok = internalConn.(ClientConnInterface)
 				if ok {
-					clientConn.SetServerId(server.Id)
+					var goNext = clientConn.SetServerId(server.Id)
+					if !goNext {
+						return nil
+					}
 					clientConn.SetUserId(server.UserId)
 				}
 			}
@@ -114,14 +120,14 @@ func (this *TCPListener) handleConn(conn net.Conn) error {
 		serverName = tlsConn.ConnectionState().ServerName
 		if len(serverName) > 0 {
 			// 统计
-			stats.SharedTrafficStatManager.Add(server.Id, serverName, 0, 0, 1, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
+			stats.SharedTrafficStatManager.Add(server.UserId, server.Id, serverName, 0, 0, 1, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
 			recordStat = true
 		}
 	}

 	// 统计
 	if !recordStat {
-		stats.SharedTrafficStatManager.Add(server.Id, "", 0, 0, 1, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
+		stats.SharedTrafficStatManager.Add(server.UserId, server.Id, "", 0, 0, 1, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
 	}

 	originConn, err := this.connectOrigin(server.Id, serverName, server.ReverseProxy, conn.RemoteAddr().String())
@@ -176,7 +182,7 @@ func (this *TCPListener) handleConn(conn net.Conn) error {

 				// 记录流量
 				if server != nil {
-					stats.SharedTrafficStatManager.Add(server.Id, "", int64(n), 0, 0, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
+					stats.SharedTrafficStatManager.Add(server.UserId, server.Id, "", int64(n), 0, 0, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
 				}
 			}
 			if err != nil {
--- a/internal/nodes/listener_udp.go
+++ b/internal/nodes/listener_udp.go
@@ -370,7 +370,7 @@ func NewUDPConn(server *serverconfigs.ServerConfig, addr net.Addr, proxyListener

 	// 统计
 	if server != nil {
-		stats.SharedTrafficStatManager.Add(server.Id, "", 0, 0, 1, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
+		stats.SharedTrafficStatManager.Add(server.UserId, server.Id, "", 0, 0, 1, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
 	}

 	// 处理ControlMessage
@@ -401,10 +401,10 @@ func NewUDPConn(server *serverconfigs.ServerConfig, addr net.Addr, proxyListener
 				// 记录流量和带宽
 				if server != nil {
 					// 流量
-					stats.SharedTrafficStatManager.Add(server.Id, "", int64(n), 0, 0, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())
+					stats.SharedTrafficStatManager.Add(server.UserId, server.Id, "", int64(n), 0, 0, 0, 0, 0, server.ShouldCheckTrafficLimit(), server.PlanId())

 					// 带宽
-					stats.SharedBandwidthStatManager.Add(server.UserId, server.Id, int64(n))
+					stats.SharedBandwidthStatManager.AddBandwidth(server.UserId, server.Id, int64(n), int64(n))
 				}
 			}
 			if err != nil {
--- a/internal/nodes/node.go
+++ b/internal/nodes/node.go
@@ -9,7 +9,6 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeNode/internal/caches"
 	"github.com/TeaOSLab/EdgeNode/internal/configs"
@@ -25,7 +24,8 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/stats"
 	"github.com/TeaOSLab/EdgeNode/internal/trackers"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
-	_ "github.com/TeaOSLab/EdgeNode/internal/utils/clock" // 触发时钟更新
+	_ "github.com/TeaOSLab/EdgeNode/internal/utils/agents" // 引入Agent管理器
+	_ "github.com/TeaOSLab/EdgeNode/internal/utils/clock"  // 触发时钟更新
 	"github.com/TeaOSLab/EdgeNode/internal/utils/jsonutils"
 	"github.com/TeaOSLab/EdgeNode/internal/waf"
 	"github.com/andybalholm/brotli"
@@ -43,6 +43,7 @@ import (
 	"runtime"
 	"runtime/debug"
 	"sort"
+	"strings"
 	"sync"
 	"syscall"
 	"time"
@@ -54,6 +55,7 @@ var nodeConfigChangedNotify = make(chan bool, 8)
 var nodeConfigUpdatedAt int64
 var DaemonIsOn = false
 var DaemonPid = 0
+var nodeInstance *Node

 // Node 节点
 type Node struct {
@@ -74,16 +76,18 @@ type Node struct {
 	lastAPINodeVersion int64
 	lastAPINodeAddrs   []string // 以前的API节点地址

-	lastTaskVersion int64
+	lastTaskVersion          int64
+	lastUpdatingServerListId int64
 }

 func NewNode() *Node {
-	return &Node{
+	nodeInstance = &Node{
 		sock:              gosock.NewTmpSock(teaconst.ProcessName),
 		oldMaxThreads:     -1,
 		oldMaxCPU:         -1,
 		updatingServerMap: map[int64]*serverconfigs.ServerConfig{},
 	}
+	return nodeInstance
 }

 // Test 检查配置
@@ -134,6 +138,9 @@ func (this *Node) Start() {
 		remotelogs.Error("NODE", "initialize ip library failed: "+err.Error())
 	}

+	// 调整系统参数
+	this.checkSystem()
+
 	// 检查硬盘类型
 	this.checkDisk()

@@ -190,7 +197,7 @@ func (this *Node) Start() {
 	}
 	teaconst.NodeId = nodeConfig.Id
 	teaconst.NodeIdString = types.String(teaconst.NodeId)
-	err, serverErrors := nodeConfig.Init()
+	err, serverErrors := nodeConfig.Init(nil)
 	if err != nil {
 		remotelogs.Error("NODE", "init node config failed: "+err.Error())
 		return
@@ -235,8 +242,6 @@ func (this *Node) Start() {

 // Daemon 实现守护进程
 func (this *Node) Daemon() {
-	teaconst.IsDaemon = true
-
 	var isDebug = lists.ContainsString(os.Args, "debug")
 	for {
 		conn, err := this.sock.Dial()
@@ -305,208 +310,6 @@ func (this *Node) InstallSystemService() error {
 	return nil
 }

-// 循环
-func (this *Node) loop() error {
-	var tr = trackers.Begin("CHECK_NODE_CONFIG_CHANGES")
-	defer tr.End()
-
-	// 检查api.yaml是否存在
-	var apiConfigFile = Tea.ConfigFile("api.yaml")
-	_, err := os.Stat(apiConfigFile)
-	if err != nil {
-		return nil
-	}
-
-	rpcClient, err := rpc.SharedRPC()
-	if err != nil {
-		return errors.New("create rpc client failed: " + err.Error())
-	}
-
-	tasksResp, err := rpcClient.NodeTaskRPC.FindNodeTasks(rpcClient.Context(), &pb.FindNodeTasksRequest{
-		Version: this.lastTaskVersion,
-	})
-	if err != nil {
-		if rpc.IsConnError(err) && !Tea.IsTesting() {
-			return nil
-		}
-		return errors.New("read node tasks failed: " + err.Error())
-	}
-	for _, task := range tasksResp.NodeTasks {
-		err := this.execTask(rpcClient, task)
-		if !this.finishTask(task.Id, task.Version, err) {
-			// 防止失败的任务无法重试
-			break
-		}
-	}
-
-	return nil
-}
-
-// 执行任务
-func (this *Node) execTask(rpcClient *rpc.RPCClient, task *pb.NodeTask) error {
-	switch task.Type {
-	case "ipItemChanged":
-		// 防止阻塞
-		select {
-		case iplibrary.IPListUpdateNotify <- true:
-		default:
-
-		}
-	case "configChanged":
-		if task.ServerId > 0 {
-			return this.syncServerConfig(task.ServerId)
-		}
-		if !task.IsPrimary {
-			// 我们等等主节点配置准备完毕
-			time.Sleep(2 * time.Second)
-		}
-		return this.syncConfig(task.Version)
-	case "nodeVersionChanged":
-		if !sharedUpgradeManager.IsInstalling() {
-			goman.New(func() {
-				sharedUpgradeManager.Start()
-			})
-		}
-	case "scriptsChanged":
-		err := this.reloadCommonScripts()
-		if err != nil {
-			return errors.New("reload common scripts failed: " + err.Error())
-		}
-	case "nodeLevelChanged":
-		levelInfoResp, err := rpcClient.NodeRPC.FindNodeLevelInfo(rpcClient.Context(), &pb.FindNodeLevelInfoRequest{})
-		if err != nil {
-			return err
-		}
-
-		if sharedNodeConfig != nil {
-			sharedNodeConfig.Level = levelInfoResp.Level
-		}
-
-		var parentNodes = map[int64][]*nodeconfigs.ParentNodeConfig{}
-		if len(levelInfoResp.ParentNodesMapJSON) > 0 {
-			err = json.Unmarshal(levelInfoResp.ParentNodesMapJSON, &parentNodes)
-			if err != nil {
-				return errors.New("decode level info failed: " + err.Error())
-			}
-		}
-
-		if sharedNodeConfig != nil {
-			sharedNodeConfig.ParentNodes = parentNodes
-		}
-	case "ddosProtectionChanged":
-		resp, err := rpcClient.NodeRPC.FindNodeDDoSProtection(rpcClient.Context(), &pb.FindNodeDDoSProtectionRequest{})
-		if err != nil {
-			return err
-		}
-		if len(resp.DdosProtectionJSON) == 0 {
-			if sharedNodeConfig != nil {
-				sharedNodeConfig.DDoSProtection = nil
-			}
-			return nil
-		}
-
-		var ddosProtectionConfig = &ddosconfigs.ProtectionConfig{}
-		err = json.Unmarshal(resp.DdosProtectionJSON, ddosProtectionConfig)
-		if err != nil {
-			return errors.New("decode DDoS protection config failed: " + err.Error())
-		}
-
-		if ddosProtectionConfig != nil && sharedNodeConfig != nil {
-			sharedNodeConfig.DDoSProtection = ddosProtectionConfig
-		}
-
-		err = firewalls.SharedDDoSProtectionManager.Apply(ddosProtectionConfig)
-		if err != nil {
-			// 不阻塞
-			remotelogs.Warn("NODE", "apply DDoS protection failed: "+err.Error())
-			return nil
-		}
-	case "globalServerConfigChanged":
-		resp, err := rpcClient.NodeRPC.FindNodeGlobalServerConfig(rpcClient.Context(), &pb.FindNodeGlobalServerConfigRequest{})
-		if err != nil {
-			return err
-		}
-		if len(resp.GlobalServerConfigJSON) > 0 {
-			var globalServerConfig = serverconfigs.DefaultGlobalServerConfig()
-			err = json.Unmarshal(resp.GlobalServerConfigJSON, globalServerConfig)
-			if err != nil {
-				return errors.New("decode global server config failed: " + err.Error())
-			}
-
-			if globalServerConfig != nil {
-				err = globalServerConfig.Init()
-				if err != nil {
-					return errors.New("validate global server config failed: " + err.Error())
-				}
-				if sharedNodeConfig != nil {
-					sharedNodeConfig.GlobalServerConfig = globalServerConfig
-				}
-			}
-		}
-	case "userServersStateChanged":
-		if task.UserId > 0 {
-			resp, err := rpcClient.UserRPC.CheckUserServersState(rpcClient.Context(), &pb.CheckUserServersStateRequest{UserId: task.UserId})
-			if err != nil {
-				return err
-			}
-
-			SharedUserManager.UpdateUserServersIsEnabled(task.UserId, resp.IsEnabled)
-
-			if resp.IsEnabled {
-				err = this.syncUserServersConfig(task.UserId)
-				if err != nil {
-					return err
-				}
-			}
-		}
-	default:
-		remotelogs.Error("NODE", "task '"+types.String(task.Id)+"', type '"+task.Type+"' has not been handled")
-	}
-
-	return nil
-}
-
-// 标记任务完成
-func (this *Node) finishTask(taskId int64, taskVersion int64, taskErr error) (success bool) {
-	if taskId <= 0 {
-		return true
-	}
-
-	rpcClient, err := rpc.SharedRPC()
-	if err != nil {
-		remotelogs.Debug("NODE", "create rpc client failed: "+err.Error())
-		return false
-	}
-
-	var isOk = taskErr == nil
-	if isOk && taskVersion > this.lastTaskVersion {
-		this.lastTaskVersion = taskVersion
-	}
-
-	var errMsg = ""
-	if taskErr != nil {
-		errMsg = taskErr.Error()
-	}
-
-	_, err = rpcClient.NodeTaskRPC.ReportNodeTaskDone(rpcClient.Context(), &pb.ReportNodeTaskDoneRequest{
-		NodeTaskId: taskId,
-		IsOk:       isOk,
-		Error:      errMsg,
-	})
-	success = err == nil
-
-	if err != nil {
-		// 连接错误不需要上报到服务中心
-		if rpc.IsConnError(err) {
-			remotelogs.Debug("NODE", "report task done failed: "+err.Error())
-		} else {
-			remotelogs.Error("NODE", "report task done failed: "+err.Error())
-		}
-	}
-
-	return success
-}
-
 // 读取API配置
 func (this *Node) syncConfig(taskVersion int64) error {
 	this.locker.Lock()
@@ -540,6 +343,7 @@ func (this *Node) syncConfig(taskVersion int64) error {
 		Version:         -1, // 更新所有版本
 		Compress:        true,
 		NodeTaskVersion: taskVersion,
+		UseDataMap:      true,
 	})
 	if err != nil {
 		return errors.New("read config from rpc failed: " + err.Error())
@@ -590,7 +394,7 @@ func (this *Node) syncConfig(taskVersion int64) error {
 		return err
 	}

-	err, serverErrors := nodeConfig.Init()
+	err, serverErrors := nodeConfig.Init(nil)
 	if err != nil {
 		return err
 	}
@@ -602,9 +406,9 @@ func (this *Node) syncConfig(taskVersion int64) error {

 	// 刷新配置
 	if this.isLoaded {
-		remotelogs.Println("NODE", "reloading config ...")
+		remotelogs.Println("NODE", "reloading node config ...")
 	} else {
-		remotelogs.Println("NODE", "loading config ...")
+		remotelogs.Println("NODE", "loading node config ...")
 	}

 	this.onReload(nodeConfig, true)
@@ -618,6 +422,9 @@ func (this *Node) syncConfig(taskVersion int64) error {

 	this.isLoaded = true

+	// 整体更新不需要再更新单个服务
+	this.updatingServerMap = map[int64]*serverconfigs.ServerConfig{}
+
 	return nil
 }

@@ -692,7 +499,7 @@ func (this *Node) startSyncTimer() {
 		for {
 			select {
 			case <-taskTicker.C: // 定期执行
-				err := this.loop()
+				err := this.loopTasks()
 				if err != nil {
 					remotelogs.Error("NODE", "sync config error: "+err.Error())
 					continue
@@ -700,7 +507,7 @@ func (this *Node) startSyncTimer() {
 			case <-serverChangeTicker.C: // 服务变化
 				this.reloadServer()
 			case <-nodeTaskNotify: // 有新的更新任务
-				err := this.loop()
+				err := this.loopTasks()
 				if err != nil {
 					remotelogs.Error("NODE", "sync config error: "+err.Error())
 					continue
@@ -879,16 +686,56 @@ func (this *Node) listenSock() error {
 					},
 				})
 			case "conns":
-				var addrs = []string{}
+				var connMaps = []maps.Map{}
 				var connMap = conns.SharedMap.AllConns()
 				for _, conn := range connMap {
-					addrs = append(addrs, conn.RemoteAddr().String())
+					var createdAt int64
+					var lastReadAt int64
+					var lastWriteAt int64
+					var lastErrString = ""
+					clientConn, ok := conn.(*ClientConn)
+					if ok {
+						createdAt = clientConn.CreatedAt()
+						lastReadAt = clientConn.LastReadAt()
+						lastWriteAt = clientConn.LastWriteAt()
+
+						var lastErr = clientConn.LastErr()
+						if lastErr != nil {
+							lastErrString = lastErr.Error()
+						}
+					}
+					var age int64 = -1
+					var lastReadAge int64 = -1
+					var lastWriteAge int64 = -1
+					var currentTime = time.Now().Unix()
+					if createdAt > 0 {
+						age = currentTime - createdAt
+					}
+					if lastReadAt > 0 {
+						lastReadAge = currentTime - lastReadAt
+					}
+					if lastWriteAt > 0 {
+						lastWriteAge = currentTime - lastWriteAt
+					}
+
+					connMaps = append(connMaps, maps.Map{
+						"addr":     conn.RemoteAddr().String(),
+						"age":      age,
+						"readAge":  lastReadAge,
+						"writeAge": lastWriteAge,
+						"lastErr":  lastErrString,
+					})
 				}
+				sort.Slice(connMaps, func(i, j int) bool {
+					var m1 = connMaps[i]
+					var m2 = connMaps[j]
+					return m1.GetInt64("age") < m2.GetInt64("age")
+				})

 				_ = cmd.Reply(&gosock.Command{
 					Params: map[string]interface{}{
-						"addrs": addrs,
-						"total": len(addrs),
+						"conns": connMaps,
+						"total": len(connMaps),
 					},
 				})
 			case "dropIP":
@@ -920,6 +767,11 @@ func (this *Node) listenSock() error {
 				} else {
 					_ = cmd.ReplyOk()
 				}
+			case "closeIP":
+				var m = maps.NewMap(cmd.Params)
+				var ip = m.GetString("ip")
+				conns.SharedMap.CloseIPConns(ip)
+				_ = cmd.ReplyOk()
 			case "removeIP":
 				var m = maps.NewMap(cmd.Params)
 				var ip = m.GetString("ip")
@@ -987,50 +839,48 @@ func (this *Node) onReload(config *nodeconfigs.NodeConfig, reloadAll bool) {
 	nodeconfigs.ResetNodeConfig(config)
 	sharedNodeConfig = config

-	// 不需要每次都全部重新加载
-	if !reloadAll {
-		return
-	}
-
-	// 缓存策略
-	var subDirs = config.CacheDiskSubDirs
-	for _, subDir := range subDirs {
-		subDir.Path = filepath.Clean(subDir.Path)
-	}
-	if len(subDirs) > 0 {
-		sort.Slice(subDirs, func(i, j int) bool {
-			return subDirs[i].Path < subDirs[j].Path
-		})
-	}
-
-	var cachePoliciesChanged = !jsonutils.Equal(caches.SharedManager.MaxDiskCapacity, config.MaxCacheDiskCapacity) ||
-		!jsonutils.Equal(caches.SharedManager.MaxMemoryCapacity, config.MaxCacheMemoryCapacity) ||
-		!jsonutils.Equal(caches.SharedManager.MainDiskDir, config.CacheDiskDir) ||
-		!jsonutils.Equal(caches.SharedManager.SubDiskDirs, subDirs) ||
-		!jsonutils.Equal(this.oldHTTPCachePolicies, config.HTTPCachePolicies)
-
-	caches.SharedManager.MaxDiskCapacity = config.MaxCacheDiskCapacity
-	caches.SharedManager.MaxMemoryCapacity = config.MaxCacheMemoryCapacity
-	caches.SharedManager.MainDiskDir = config.CacheDiskDir
-	caches.SharedManager.SubDiskDirs = subDirs
-
-	if cachePoliciesChanged {
-		// copy
-		this.oldHTTPCachePolicies = []*serverconfigs.HTTPCachePolicy{}
-		err := jsonutils.Copy(&this.oldHTTPCachePolicies, config.HTTPCachePolicies)
-		if err != nil {
-			remotelogs.Error("NODE", "onReload: copy HTTPCachePolicies failed: "+err.Error())
+	if reloadAll {
+		// 缓存策略
+		var subDirs = config.CacheDiskSubDirs
+		for _, subDir := range subDirs {
+			subDir.Path = filepath.Clean(subDir.Path)
+		}
+		if len(subDirs) > 0 {
+			sort.Slice(subDirs, func(i, j int) bool {
+				return subDirs[i].Path < subDirs[j].Path
+			})
 		}

-		// update
-		if len(config.HTTPCachePolicies) > 0 {
-			caches.SharedManager.UpdatePolicies(config.HTTPCachePolicies)
-		} else {
-			caches.SharedManager.UpdatePolicies([]*serverconfigs.HTTPCachePolicy{})
+		var cachePoliciesChanged = !jsonutils.Equal(caches.SharedManager.MaxDiskCapacity, config.MaxCacheDiskCapacity) ||
+			!jsonutils.Equal(caches.SharedManager.MaxMemoryCapacity, config.MaxCacheMemoryCapacity) ||
+			!jsonutils.Equal(caches.SharedManager.MainDiskDir, config.CacheDiskDir) ||
+			!jsonutils.Equal(caches.SharedManager.SubDiskDirs, subDirs) ||
+			!jsonutils.Equal(this.oldHTTPCachePolicies, config.HTTPCachePolicies)
+
+		caches.SharedManager.MaxDiskCapacity = config.MaxCacheDiskCapacity
+		caches.SharedManager.MaxMemoryCapacity = config.MaxCacheMemoryCapacity
+		caches.SharedManager.MainDiskDir = config.CacheDiskDir
+		caches.SharedManager.SubDiskDirs = subDirs
+
+		if cachePoliciesChanged {
+			// copy
+			this.oldHTTPCachePolicies = []*serverconfigs.HTTPCachePolicy{}
+			err := jsonutils.Copy(&this.oldHTTPCachePolicies, config.HTTPCachePolicies)
+			if err != nil {
+				remotelogs.Error("NODE", "onReload: copy HTTPCachePolicies failed: "+err.Error())
+			}
+
+			// update
+			if len(config.HTTPCachePolicies) > 0 {
+				caches.SharedManager.UpdatePolicies(config.HTTPCachePolicies)
+			} else {
+				caches.SharedManager.UpdatePolicies([]*serverconfigs.HTTPCachePolicy{})
+			}
 		}
 	}

 	// WAF策略
+	// 包含了服务里的WAF策略，所以需要整体更新
 	var allFirewallPolicies = config.FindAllFirewallPolicies()
 	if !jsonutils.Equal(allFirewallPolicies, this.oldHTTPFirewallPolicies) {
 		// copy
@@ -1044,105 +894,110 @@ func (this *Node) onReload(config *nodeconfigs.NodeConfig, reloadAll bool) {
 		waf.SharedWAFManager.UpdatePolicies(allFirewallPolicies)
 	}

-	if !jsonutils.Equal(config.FirewallActions, this.oldFirewallActions) {
-		// copy
-		this.oldFirewallActions = []*firewallconfigs.FirewallActionConfig{}
-		err := jsonutils.Copy(&this.oldFirewallActions, config.FirewallActions)
-		if err != nil {
-			remotelogs.Error("NODE", "onReload: copy FirewallActionConfigs failed: "+err.Error())
+	if reloadAll {
+		if !jsonutils.Equal(config.FirewallActions, this.oldFirewallActions) {
+			// copy
+			this.oldFirewallActions = []*firewallconfigs.FirewallActionConfig{}
+			err := jsonutils.Copy(&this.oldFirewallActions, config.FirewallActions)
+			if err != nil {
+				remotelogs.Error("NODE", "onReload: copy FirewallActionConfigs failed: "+err.Error())
+			}
+
+			// update
+			iplibrary.SharedActionManager.UpdateActions(config.FirewallActions)
 		}

-		// update
-		iplibrary.SharedActionManager.UpdateActions(config.FirewallActions)
-	}
+		// 统计指标
+		if !jsonutils.Equal(this.oldMetricItems, config.MetricItems) {
+			// copy
+			this.oldMetricItems = []*serverconfigs.MetricItemConfig{}
+			err := jsonutils.Copy(&this.oldMetricItems, config.MetricItems)
+			if err != nil {
+				remotelogs.Error("NODE", "onReload: copy MetricItemConfigs failed: "+err.Error())
+			}

-	// 统计指标
-	if !jsonutils.Equal(this.oldMetricItems, config.MetricItems) {
-		// copy
-		this.oldMetricItems = []*serverconfigs.MetricItemConfig{}
-		err := jsonutils.Copy(&this.oldMetricItems, config.MetricItems)
-		if err != nil {
-			remotelogs.Error("NODE", "onReload: copy MetricItemConfigs failed: "+err.Error())
+			// update
+			metrics.SharedManager.Update(config.MetricItems)
 		}

-		// update
-		metrics.SharedManager.Update(config.MetricItems)
-	}
+		// max cpu
+		if config.MaxCPU != this.oldMaxCPU {
+			if config.MaxCPU > 0 && config.MaxCPU < int32(runtime.NumCPU()) {
+				runtime.GOMAXPROCS(int(config.MaxCPU))
+				remotelogs.Println("NODE", "[CPU]set max cpu to '"+types.String(config.MaxCPU)+"'")
+			} else {
+				var threads = runtime.NumCPU() * 4
+				runtime.GOMAXPROCS(threads)
+				remotelogs.Println("NODE", "[CPU]set max cpu to '"+types.String(threads)+"'")
+			}

-	// max cpu
-	if config.MaxCPU != this.oldMaxCPU {
-		if config.MaxCPU > 0 && config.MaxCPU < int32(runtime.NumCPU()) {
-			runtime.GOMAXPROCS(int(config.MaxCPU))
-			remotelogs.Println("NODE", "[CPU]set max cpu to '"+types.String(config.MaxCPU)+"'")
+			this.oldMaxCPU = config.MaxCPU
+		}
+
+		// max threads
+		if config.MaxThreads != this.oldMaxThreads {
+			if config.MaxThreads > 0 {
+				debug.SetMaxThreads(config.MaxThreads)
+				remotelogs.Println("NODE", "[THREADS]set max threads to '"+types.String(config.MaxThreads)+"'")
+			} else {
+				debug.SetMaxThreads(nodeconfigs.DefaultMaxThreads)
+				remotelogs.Println("NODE", "[THREADS]set max threads to '"+types.String(nodeconfigs.DefaultMaxThreads)+"'")
+			}
+			this.oldMaxThreads = config.MaxThreads
+		}
+
+		// timezone
+		var timeZone = config.TimeZone
+		if len(timeZone) == 0 {
+			timeZone = "Asia/Shanghai"
+		}
+
+		if this.oldTimezone != timeZone {
+			location, err := time.LoadLocation(timeZone)
+			if err != nil {
+				remotelogs.Error("NODE", "[TIMEZONE]change time zone failed: "+err.Error())
+				return
+			}
+
+			remotelogs.Println("NODE", "[TIMEZONE]change time zone to '"+timeZone+"'")
+			time.Local = location
+			this.oldTimezone = timeZone
+		}
+
+		// product information
+		if config.ProductConfig != nil {
+			teaconst.GlobalProductName = config.ProductConfig.Name
+		}
+
+		// DNS resolver
+		if config.DNSResolver != nil {
+			var err error
+			switch config.DNSResolver.Type {
+			case nodeconfigs.DNSResolverTypeGoNative:
+				err = os.Setenv("GODEBUG", "netdns=go")
+			case nodeconfigs.DNSResolverTypeCGO:
+				err = os.Setenv("GODEBUG", "netdns=cgo")
+			default:
+				// 默认使用go原生
+				err = os.Setenv("GODEBUG", "netdns=go")
+			}
+			if err != nil {
+				remotelogs.Error("NODE", "[DNS_RESOLVER]set env failed: "+err.Error())
+			}
 		} else {
-			var threads = runtime.NumCPU() * 4
-			runtime.GOMAXPROCS(threads)
-			remotelogs.Println("NODE", "[CPU]set max cpu to '"+types.String(threads)+"'")
-		}
-
-		this.oldMaxCPU = config.MaxCPU
-	}
-
-	// max threads
-	if config.MaxThreads != this.oldMaxThreads {
-		if config.MaxThreads > 0 {
-			debug.SetMaxThreads(config.MaxThreads)
-			remotelogs.Println("NODE", "[THREADS]set max threads to '"+types.String(config.MaxThreads)+"'")
-		} else {
-			debug.SetMaxThreads(nodeconfigs.DefaultMaxThreads)
-			remotelogs.Println("NODE", "[THREADS]set max threads to '"+types.String(nodeconfigs.DefaultMaxThreads)+"'")
-		}
-		this.oldMaxThreads = config.MaxThreads
-	}
-
-	// timezone
-	var timeZone = config.TimeZone
-	if len(timeZone) == 0 {
-		timeZone = "Asia/Shanghai"
-	}
-
-	if this.oldTimezone != timeZone {
-		location, err := time.LoadLocation(timeZone)
-		if err != nil {
-			remotelogs.Error("NODE", "[TIMEZONE]change time zone failed: "+err.Error())
-			return
-		}
-
-		remotelogs.Println("NODE", "[TIMEZONE]change time zone to '"+timeZone+"'")
-		time.Local = location
-		this.oldTimezone = timeZone
-	}
-
-	// product information
-	if config.ProductConfig != nil {
-		teaconst.GlobalProductName = config.ProductConfig.Name
-	}
-
-	// DNS resolver
-	if config.DNSResolver != nil {
-		var err error
-		switch config.DNSResolver.Type {
-		case nodeconfigs.DNSResolverTypeGoNative:
-			err = os.Setenv("GODEBUG", "netdns=go")
-		case nodeconfigs.DNSResolverTypeCGO:
-			err = os.Setenv("GODEBUG", "netdns=cgo")
-		default:
 			// 默认使用go原生
-			err = os.Setenv("GODEBUG", "netdns=go")
-		}
-		if err != nil {
-			remotelogs.Error("NODE", "[DNS_RESOLVER]set env failed: "+err.Error())
-		}
-	} else {
-		// 默认使用go原生
-		err := os.Setenv("GODEBUG", "netdns=go")
-		if err != nil {
-			remotelogs.Error("NODE", "[DNS_RESOLVER]set env failed: "+err.Error())
+			err := os.Setenv("GODEBUG", "netdns=go")
+			if err != nil {
+				remotelogs.Error("NODE", "[DNS_RESOLVER]set env failed: "+err.Error())
+			}
 		}
+
+		// API Node地址，这里不限制是否为空，因为在为空时仍然要有对应的处理
+		this.changeAPINodeAddrs(config.APINodeAddrs)
 	}

-	// API Node地址，这里不限制是否为空，因为在为空时仍然要有对应的处理
-	this.changeAPINodeAddrs(config.APINodeAddrs)
+	// 刷新IP库
+	this.reloadIPLibrary()
 }

 // reload server config
@@ -1150,7 +1005,9 @@ func (this *Node) reloadServer() {
 	this.locker.Lock()
 	defer this.locker.Unlock()

-	if len(this.updatingServerMap) > 0 {
+	var countUpdatingServers = len(this.updatingServerMap)
+	const maxPrintServers = 10
+	if countUpdatingServers > 0 {
 		var updatingServerMap = this.updatingServerMap
 		this.updatingServerMap = map[int64]*serverconfigs.ServerConfig{}
 		newNodeConfig, err := nodeconfigs.CloneNodeConfig(sharedNodeConfig)
@@ -1160,13 +1017,23 @@ func (this *Node) reloadServer() {
 		}
 		for serverId, serverConfig := range updatingServerMap {
 			if serverConfig != nil {
+				if countUpdatingServers < maxPrintServers {
+					remotelogs.Debug("NODE", "load server '"+types.String(serverId)+"'")
+				}
 				newNodeConfig.AddServer(serverConfig)
 			} else {
+				if countUpdatingServers < maxPrintServers {
+					remotelogs.Debug("NODE", "remove server '"+types.String(serverId)+"'")
+				}
 				newNodeConfig.RemoveServer(serverId)
 			}
 		}

-		err, serverErrors := newNodeConfig.Init()
+		if countUpdatingServers >= maxPrintServers {
+			remotelogs.Debug("NODE", "reload "+types.String(countUpdatingServers)+" servers")
+		}
+
+		err, serverErrors := newNodeConfig.Init(nil)
 		if err != nil {
 			remotelogs.Error("NODE", "apply server config error: "+err.Error())
 			return
@@ -1186,6 +1053,56 @@ func (this *Node) reloadServer() {
 	}
 }

+// 检查系统
+func (this *Node) checkSystem() {
+	if runtime.GOOS != "linux" || os.Getgid() != 0 {
+		return
+	}
+
+	type variable struct {
+		name     string
+		minValue int
+		maxValue int
+	}
+
+	const dir = "/proc/sys"
+
+	for _, v := range []variable{
+		{name: "net.core.somaxconn", minValue: 2048},
+		{name: "net.ipv4.tcp_max_syn_backlog", minValue: 2048},
+		{name: "net.core.netdev_max_backlog", minValue: 4096},
+		{name: "net.ipv4.tcp_fin_timeout", maxValue: 10},
+		{name: "net.ipv4.tcp_max_tw_buckets", minValue: 65535},
+		{name: "net.core.rmem_default", minValue: 4 << 20},
+		{name: "net.core.wmem_default", minValue: 4 << 20},
+		{name: "net.core.rmem_max", minValue: 32 << 20},
+		{name: "net.core.wmem_max", minValue: 32 << 20},
+	} {
+		var path = dir + "/" + strings.Replace(v.name, ".", "/", -1)
+		data, err := os.ReadFile(path)
+		if err != nil {
+			continue
+		}
+		data = bytes.TrimSpace(data)
+		if len(data) == 0 {
+			continue
+		}
+
+		var oldValue = types.Int(string(data))
+		if v.minValue > 0 && oldValue < v.minValue {
+			err = os.WriteFile(path, []byte(types.String(v.minValue)), 0666)
+			if err == nil {
+				remotelogs.Println("NODE", "change kernel parameter '"+v.name+"' from '"+types.String(oldValue)+"' to '"+types.String(v.minValue)+"'")
+			}
+		} else if v.maxValue > 0 && oldValue > v.maxValue {
+			err = os.WriteFile(path, []byte(types.String(v.maxValue)), 0666)
+			if err == nil {
+				remotelogs.Println("NODE", "change kernel parameter '"+v.name+"' from '"+types.String(oldValue)+"' to '"+types.String(v.maxValue)+"'")
+			}
+		}
+	}
+}
+
 // 检查硬盘
 func (this *Node) checkDisk() {
 	if runtime.GOOS != "linux" {
--- a/internal/nodes/node_ext.go
+++ b/internal/nodes/node_ext.go
@@ -7,3 +7,11 @@ package nodes
 func (this *Node) reloadCommonScripts() error {
 	return nil
 }
+
+func (this *Node) reloadIPLibrary() {
+
+}
+
+func (this *Node) notifyPlusChange() error {
+	return nil
+}
--- a/internal/nodes/node_status_executor_unix.go
+++ b/internal/nodes/node_status_executor_unix.go
@@ -8,6 +8,8 @@ import (
 	"github.com/iwind/TeaGo/maps"
 	"github.com/shirou/gopsutil/v3/load"
 	"github.com/shirou/gopsutil/v3/mem"
+	"runtime"
+	"runtime/debug"
 )

 // 更新内存
@@ -31,6 +33,18 @@ func (this *NodeStatusExecutor) updateMem(status *nodeconfigs.NodeStatus) {
 		"total": status.MemoryTotal,
 		"used":  stat.Used,
 	})
+
+	// 内存严重不足时自动释放内存
+	if stat.Total > 0 {
+		var minFreeMemory = stat.Total / 8
+		if minFreeMemory > 1<<30 {
+			minFreeMemory = 1 << 30
+		}
+		if stat.Available > 0 && stat.Available < minFreeMemory {
+			runtime.GC()
+			debug.FreeOSMemory()
+		}
+	}
 }

 // 更新负载
--- a/internal/nodes/node_tasks.go
+++ b/internal/nodes/node_tasks.go
@@ -0,0 +1,355 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package nodes
+
+import (
+	"encoding/json"
+	"errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
+	"github.com/TeaOSLab/EdgeNode/internal/firewalls"
+	"github.com/TeaOSLab/EdgeNode/internal/goman"
+	"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
+	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
+	"github.com/TeaOSLab/EdgeNode/internal/rpc"
+	"github.com/TeaOSLab/EdgeNode/internal/trackers"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/types"
+	"os"
+	"time"
+)
+
+// 循环
+func (this *Node) loopTasks() error {
+	var tr = trackers.Begin("CHECK_NODE_CONFIG_CHANGES")
+	defer tr.End()
+
+	// 检查api.yaml是否存在
+	var apiConfigFile = Tea.ConfigFile("api.yaml")
+	_, err := os.Stat(apiConfigFile)
+	if err != nil {
+		return nil
+	}
+
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		return errors.New("create rpc client failed: " + err.Error())
+	}
+
+	tasksResp, err := rpcClient.NodeTaskRPC.FindNodeTasks(rpcClient.Context(), &pb.FindNodeTasksRequest{
+		Version: this.lastTaskVersion,
+	})
+	if err != nil {
+		if rpc.IsConnError(err) && !Tea.IsTesting() {
+			return nil
+		}
+		return errors.New("read node tasks failed: " + err.Error())
+	}
+	for _, task := range tasksResp.NodeTasks {
+		err := this.execTask(rpcClient, task)
+		if !this.finishTask(task.Id, task.Version, err) {
+			// 防止失败的任务无法重试
+			break
+		}
+	}
+
+	return nil
+}
+
+// 执行任务
+func (this *Node) execTask(rpcClient *rpc.RPCClient, task *pb.NodeTask) error {
+	var err error
+	switch task.Type {
+	case "ipItemChanged":
+		err = this.execIPItemChangedTask()
+	case "configChanged":
+		err = this.execConfigChangedTask(task)
+	case "nodeVersionChanged":
+		err = this.execNodeVersionChangedTask()
+	case "scriptsChanged":
+		err = this.execScriptsChangedTask()
+	case "nodeLevelChanged":
+		err = this.execNodeLevelChangedTask(rpcClient)
+	case "ddosProtectionChanged":
+		err = this.execDDoSProtectionChangedTask(rpcClient)
+	case "globalServerConfigChanged":
+		err = this.execGlobalServerConfigChangedTask(rpcClient)
+	case "userServersStateChanged":
+		err = this.execUserServersStateChangedTask(rpcClient, task)
+	case "uamPolicyChanged":
+		err = this.execUAMPolicyChangedTask(rpcClient)
+	case "updatingServers":
+		err = this.execUpdatingServersTask(rpcClient)
+	case "plusChanged":
+		err = this.notifyPlusChange()
+	default:
+		remotelogs.Error("NODE", "task '"+types.String(task.Id)+"', type '"+task.Type+"' has not been handled")
+	}
+
+	return err
+}
+
+// 更新IP条目变更
+func (this *Node) execIPItemChangedTask() error {
+	// 防止阻塞
+	select {
+	case iplibrary.IPListUpdateNotify <- true:
+	default:
+
+	}
+	return nil
+}
+
+// 更新节点配置变更
+func (this *Node) execConfigChangedTask(task *pb.NodeTask) error {
+	if task.ServerId > 0 {
+		return this.syncServerConfig(task.ServerId)
+	}
+	if !task.IsPrimary {
+		// 我们等等主节点配置准备完毕
+		time.Sleep(2 * time.Second)
+	}
+	return this.syncConfig(task.Version)
+}
+
+// 节点程序版本号变更
+func (this *Node) execNodeVersionChangedTask() error {
+	if !sharedUpgradeManager.IsInstalling() {
+		goman.New(func() {
+			sharedUpgradeManager.Start()
+		})
+	}
+	return nil
+}
+
+// 脚本库变更
+func (this *Node) execScriptsChangedTask() error {
+	err := this.reloadCommonScripts()
+	if err != nil {
+		return errors.New("reload common scripts failed: " + err.Error())
+	}
+	return nil
+}
+
+// 节点级别变更
+func (this *Node) execNodeLevelChangedTask(rpcClient *rpc.RPCClient) error {
+	levelInfoResp, err := rpcClient.NodeRPC.FindNodeLevelInfo(rpcClient.Context(), &pb.FindNodeLevelInfoRequest{})
+	if err != nil {
+		return err
+	}
+
+	if sharedNodeConfig != nil {
+		sharedNodeConfig.Level = levelInfoResp.Level
+	}
+
+	var parentNodes = map[int64][]*nodeconfigs.ParentNodeConfig{}
+	if len(levelInfoResp.ParentNodesMapJSON) > 0 {
+		err = json.Unmarshal(levelInfoResp.ParentNodesMapJSON, &parentNodes)
+		if err != nil {
+			return errors.New("decode level info failed: " + err.Error())
+		}
+	}
+
+	if sharedNodeConfig != nil {
+		sharedNodeConfig.ParentNodes = parentNodes
+	}
+
+	return nil
+}
+
+// UAM策略变更
+func (this *Node) execUAMPolicyChangedTask(rpcClient *rpc.RPCClient) error {
+	remotelogs.Println("NODE", "updating uam policies ...")
+	resp, err := rpcClient.NodeRPC.FindNodeUAMPolicies(rpcClient.Context(), &pb.FindNodeUAMPoliciesRequest{})
+	if err != nil {
+		return err
+	}
+	var uamPolicyMap = map[int64]*nodeconfigs.UAMPolicy{}
+	for _, policy := range resp.UamPolicies {
+		if len(policy.UamPolicyJSON) > 0 {
+			var uamPolicy = &nodeconfigs.UAMPolicy{}
+			err = json.Unmarshal(policy.UamPolicyJSON, uamPolicy)
+			if err != nil {
+				remotelogs.Error("NODE", "decode uam policy failed: "+err.Error())
+				continue
+			}
+			err = uamPolicy.Init()
+			if err != nil {
+				remotelogs.Error("NODE", "initialize uam policy failed: "+err.Error())
+				continue
+			}
+			uamPolicyMap[policy.NodeClusterId] = uamPolicy
+		}
+	}
+	sharedNodeConfig.UpdateUAMPolicies(uamPolicyMap)
+	return nil
+}
+
+// DDoS配置变更
+func (this *Node) execDDoSProtectionChangedTask(rpcClient *rpc.RPCClient) error {
+	resp, err := rpcClient.NodeRPC.FindNodeDDoSProtection(rpcClient.Context(), &pb.FindNodeDDoSProtectionRequest{})
+	if err != nil {
+		return err
+	}
+	if len(resp.DdosProtectionJSON) == 0 {
+		if sharedNodeConfig != nil {
+			sharedNodeConfig.DDoSProtection = nil
+		}
+		return nil
+	}
+
+	var ddosProtectionConfig = &ddosconfigs.ProtectionConfig{}
+	err = json.Unmarshal(resp.DdosProtectionJSON, ddosProtectionConfig)
+	if err != nil {
+		return errors.New("decode DDoS protection config failed: " + err.Error())
+	}
+
+	if ddosProtectionConfig != nil && sharedNodeConfig != nil {
+		sharedNodeConfig.DDoSProtection = ddosProtectionConfig
+	}
+
+	go func() {
+		err = firewalls.SharedDDoSProtectionManager.Apply(ddosProtectionConfig)
+		if err != nil {
+			// 不阻塞
+			remotelogs.Warn("NODE", "apply DDoS protection failed: "+err.Error())
+		}
+	}()
+
+	return nil
+}
+
+// 服务全局配置变更
+func (this *Node) execGlobalServerConfigChangedTask(rpcClient *rpc.RPCClient) error {
+	resp, err := rpcClient.NodeRPC.FindNodeGlobalServerConfig(rpcClient.Context(), &pb.FindNodeGlobalServerConfigRequest{})
+	if err != nil {
+		return err
+	}
+	if len(resp.GlobalServerConfigJSON) > 0 {
+		var globalServerConfig = serverconfigs.DefaultGlobalServerConfig()
+		err = json.Unmarshal(resp.GlobalServerConfigJSON, globalServerConfig)
+		if err != nil {
+			return errors.New("decode global server config failed: " + err.Error())
+		}
+
+		if globalServerConfig != nil {
+			err = globalServerConfig.Init()
+			if err != nil {
+				return errors.New("validate global server config failed: " + err.Error())
+			}
+			if sharedNodeConfig != nil {
+				sharedNodeConfig.GlobalServerConfig = globalServerConfig
+			}
+		}
+	}
+	return nil
+}
+
+// 单个用户服务状态变更
+func (this *Node) execUserServersStateChangedTask(rpcClient *rpc.RPCClient, task *pb.NodeTask) error {
+	if task.UserId > 0 {
+		resp, err := rpcClient.UserRPC.CheckUserServersState(rpcClient.Context(), &pb.CheckUserServersStateRequest{UserId: task.UserId})
+		if err != nil {
+			return err
+		}
+
+		SharedUserManager.UpdateUserServersIsEnabled(task.UserId, resp.IsEnabled)
+
+		if resp.IsEnabled {
+			err = this.syncUserServersConfig(task.UserId)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// 更新一组服务列表
+func (this *Node) execUpdatingServersTask(rpcClient *rpc.RPCClient) error {
+	if this.lastUpdatingServerListId <= 0 {
+		this.lastUpdatingServerListId = sharedNodeConfig.UpdatingServerListId
+	}
+
+	resp, err := rpcClient.UpdatingServerListRPC.FindUpdatingServerLists(rpcClient.Context(), &pb.FindUpdatingServerListsRequest{LastId: this.lastUpdatingServerListId})
+	if err != nil {
+		return err
+	}
+
+	if resp.MaxId <= 0 || len(resp.ServersJSON) == 0 {
+		return nil
+	}
+
+	var serverConfigs = []*serverconfigs.ServerConfig{}
+	err = json.Unmarshal(resp.ServersJSON, &serverConfigs)
+	if err != nil {
+		return errors.New("decode server configs failed: " + err.Error())
+	}
+
+	if resp.MaxId > this.lastUpdatingServerListId {
+		this.lastUpdatingServerListId = resp.MaxId
+	}
+
+	if len(serverConfigs) == 0 {
+		return nil
+	}
+
+	this.locker.Lock()
+	defer this.locker.Unlock()
+	for _, serverConfig := range serverConfigs {
+		if serverConfig == nil {
+			continue
+		}
+
+		if serverConfig.IsOn {
+			this.updatingServerMap[serverConfig.Id] = serverConfig
+		} else {
+			this.updatingServerMap[serverConfig.Id] = nil
+		}
+	}
+
+	return nil
+}
+
+// 标记任务完成
+func (this *Node) finishTask(taskId int64, taskVersion int64, taskErr error) (success bool) {
+	if taskId <= 0 {
+		return true
+	}
+
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		remotelogs.Debug("NODE", "create rpc client failed: "+err.Error())
+		return false
+	}
+
+	var isOk = taskErr == nil
+	if isOk && taskVersion > this.lastTaskVersion {
+		this.lastTaskVersion = taskVersion
+	}
+
+	var errMsg = ""
+	if taskErr != nil {
+		errMsg = taskErr.Error()
+	}
+
+	_, err = rpcClient.NodeTaskRPC.ReportNodeTaskDone(rpcClient.Context(), &pb.ReportNodeTaskDoneRequest{
+		NodeTaskId: taskId,
+		IsOk:       isOk,
+		Error:      errMsg,
+	})
+	success = err == nil
+
+	if err != nil {
+		// 连接错误不需要上报到服务中心
+		if rpc.IsConnError(err) {
+			remotelogs.Debug("NODE", "report task done failed: "+err.Error())
+		} else {
+			remotelogs.Error("NODE", "report task done failed: "+err.Error())
+		}
+	}
+
+	return success
+}
--- a/internal/nodes/origin_state_manager.go
+++ b/internal/nodes/origin_state_manager.go
@@ -4,6 +4,7 @@ package nodes

 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -16,6 +17,10 @@ import (
 var SharedOriginStateManager = NewOriginStateManager()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventLoaded, func() {
 		goman.New(func() {
 			SharedOriginStateManager.Start()
--- a/internal/nodes/system_services.go
+++ b/internal/nodes/system_services.go
@@ -19,6 +19,10 @@ import (
 )

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	var manager = NewSystemServiceManager()
 	events.On(events.EventReload, func() {
 		goman.New(func() {
--- a/internal/nodes/task_ocsp_update.go
+++ b/internal/nodes/task_ocsp_update.go
@@ -4,6 +4,7 @@ package nodes

 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -15,6 +16,10 @@ import (
 var sharedOCSPTask = NewOCSPUpdateTask()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventLoaded, func() {
 		sharedOCSPTask.version = sharedNodeConfig.OCSPVersion

--- a/internal/nodes/task_sync_api_nodes.go
+++ b/internal/nodes/task_sync_api_nodes.go
@@ -3,6 +3,7 @@ package nodes
 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeNode/internal/configs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/rpc"
@@ -16,6 +17,10 @@ import (
 var sharedSyncAPINodesTask = NewSyncAPINodesTask()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventStart, func() {
 		goman.New(func() {
 			sharedSyncAPINodesTask.Start()
--- a/internal/nodes/toa_manager.go
+++ b/internal/nodes/toa_manager.go
@@ -3,6 +3,7 @@ package nodes
 import (
 	"errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
+	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 	"github.com/TeaOSLab/EdgeNode/internal/events"
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
@@ -17,6 +18,10 @@ import (
 var sharedTOAManager = NewTOAManager()

 func init() {
+	if !teaconst.IsMain {
+		return
+	}
+
 	events.On(events.EventReload, func() {
 		err := sharedTOAManager.Run(sharedNodeConfig.TOA)
 		if err != nil {
--- a/internal/re/regexp_test.go
+++ b/internal/re/regexp_test.go
@@ -57,6 +57,79 @@ func TestRegexp_ParseKeywords(t *testing.T) {
 	}
 }

+func TestRegexp_Special(t *testing.T) {
+	var unescape = func(v string) string {
+		//replace urlencoded characters
+
+		var chars = [][2]string{
+			{`\s`, `(\s|%09|%0A|\+)`},
+			{`\(`, `(\(|%28)`},
+			{`=`, `(=|%3D)`},
+			{`<`, `(<|%3C)`},
+			{`\*`, `(\*|%2A)`},
+			{`\\`, `(\\|%2F)`},
+			{`!`, `(!|%21)`},
+			{`/`, `(/|%2F)`},
+			{`;`, `(;|%3B)`},
+			{`\+`, `(\+|%20)`},
+		}
+
+		for _, c := range chars {
+			if !strings.Contains(v, c[0]) {
+				continue
+			}
+			var pieces = strings.Split(v, c[0])
+
+			// 修复piece中错误的\
+			for pieceIndex, piece := range pieces {
+				var l = len(piece)
+				if l == 0 {
+					continue
+				}
+				if piece[l-1] != '\\' {
+					continue
+				}
+
+				// 计算\的数量
+				var countBackSlashes = 0
+				for i := l - 1; i >= 0; i-- {
+					if piece[i] == '\\' {
+						countBackSlashes++
+					} else {
+						break
+					}
+				}
+				if countBackSlashes%2 == 1 {
+					// 去掉最后一个
+					pieces[pieceIndex] = piece[:len(piece)-1]
+				}
+			}
+
+			v = strings.Join(pieces, c[1])
+		}
+
+		return v
+	}
+
+	for _, s := range []string{
+		`\\s`,
+		`\s\W`,
+		`aaaa/\W`,
+		`aaaa\/\W`,
+		`aaaa\=\W`,
+		`aaaa\\=\W`,
+		`aaaa\\\=\W`,
+		`aaaa\\\\=\W`,
+	} {
+		var es = unescape(s)
+		t.Log(s, "=>", es)
+		_, err := re.Compile(es)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
 func TestRegexp_ParseKeywords2(t *testing.T) {
 	var a = assert.NewAssertion(t)

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
刘祥超	20bee16d28	版本号修改为1.0.4	2023-04-24 10:17:55 +08:00
刘祥超	b1cd971a21	缓存索引数据库加载失败时自动尝试重建数据库文件	2023-04-21 17:38:31 +08:00
刘祥超	d976a39711	环路（127.0.0.1）请求也统计带宽	2023-04-21 15:08:44 +08:00
刘祥超	accd0236ea	优化统计相关代码	2023-04-19 22:15:57 +08:00
刘祥超	fc401a1426	限制单次处理的服务城市数量	2023-04-19 22:06:39 +08:00
刘祥超	7e8c09a684	优化nftables集合元素过期时间判断	2023-04-19 13:20:31 +08:00
刘祥超	37ddff86f1	优化IP名单同步速度	2023-04-19 12:01:02 +08:00
刘祥超	4dc25fb71e	优化请求统计	2023-04-18 15:07:22 +08:00
刘祥超	42883fbe22	优化可用内存检查	2023-04-11 18:51:56 +08:00
刘祥超	a88d9a07be	版本号改为1.1.0	2023-04-11 18:51:47 +08:00
刘祥超	544f1e482a	版本号修改为1.0.1	2023-04-10 09:18:45 +08:00
刘祥超	f53d4c8951	更好地从访问日志中删除非UTF-8字符内容	2023-04-09 17:50:54 +08:00
刘祥超	70d8aa5b33	版本号改为1.0.0	2023-04-09 17:17:49 +08:00
刘祥超	1aa4be9000	优化代码	2023-04-08 13:49:41 +08:00
刘祥超	a7c7c73f70	优化代码：使用fasttime取代以往的utils.UnixTime	2023-04-08 12:47:04 +08:00
刘祥超	0b441021d8	URL跳转时默认对搜索引擎访问使用301，以提升SEO效果	2023-04-07 19:19:53 +08:00
刘祥超	7db0c8cf62	优化HTTP2、HTTP跳转	2023-04-07 15:09:06 +08:00
刘祥超	6da9cb6dcf	从文件恢复带宽数据时跳过非今天的数据	2023-04-07 11:32:40 +08:00
刘祥超	0af580eb26	优化统计性能	2023-04-07 11:23:37 +08:00
刘祥超	52085bdc1c	增加测试用例	2023-04-07 10:52:09 +08:00
刘祥超	72f1eea721	提供批量更新服务配置API（阶段性提交）	2023-04-06 20:50:34 +08:00
刘祥超	6d52b022b2	访问不存在的域名加入到黑名单时，只对当前节点有效	2023-04-05 19:42:14 +08:00
刘祥超	ea41c9b0b3	健康检查时不记录统计	2023-04-05 16:44:26 +08:00
刘祥超	ed6127c2bb	更好地处理访问日志中的非UTF-8字节	2023-04-05 15:54:07 +08:00
刘祥超	b6d95a84fc	进程退出时停止上传带宽数据	2023-04-05 11:34:15 +08:00
刘祥超	c71e68bdea	优化nftables查找程序	2023-04-05 09:33:03 +08:00
刘祥超	c44583f249	优化IP黑名单检测	2023-04-05 09:25:33 +08:00
刘祥超	c53773c2db	可以只更新UAM策略变化	2023-04-03 16:12:14 +08:00
刘祥超	793994a3fe	在节点启动时自动调整系统内核参数	2023-04-02 21:30:03 +08:00
刘祥超	4c3deb1156	将nftables黑名单扩展到5个	2023-04-02 20:32:36 +08:00
刘祥超	24ca5a5ace	优化nftables可执行文件查找方法	2023-04-02 18:37:24 +08:00
刘祥超	8bbbf57827	重启服务前先将带宽统计数据缓存，以便于在重启后继续使用	2023-04-02 17:24:55 +08:00
刘祥超	888df02d0c	优化IP名单上传程序	2023-04-01 20:51:49 +08:00
刘祥超	8988765cef	修复在高并发下修改服务配置可能导致服务崩溃（panic）的问题	2023-04-01 18:41:50 +08:00
刘祥超	f675b88761	nftables：自动升级以前的drop规则为reject规则	2023-04-01 17:09:53 +08:00
刘祥超	9bd4975478	创建nftables规则时，使用REJECT代替DROP	2023-04-01 15:55:24 +08:00
刘祥超	95abb7bfae	集群服务设置增加“支持低版本HTTP”选项/分片内容提示不支持低版本HTTP协议	2023-04-01 09:57:24 +08:00
刘祥超	d9fa3dcc3b	优化WAF黑名单处理	2023-03-31 21:37:15 +08:00
刘祥超	964524816f	支持商业版本状态查询	2023-03-31 14:06:01 +08:00
刘祥超	d124c9be18	增加注释	2023-03-29 20:09:19 +08:00
刘祥超	1a05402076	增加固定Map定义	2023-03-23 10:52:52 +08:00
刘祥超	c4b1790102	上传流量统计数据时同时上传用户ID	2023-03-22 19:51:36 +08:00
刘祥超	613acbff95	限制单个服务每次上传的域名统计数不超过20个	2023-03-22 19:05:10 +08:00
刘祥超	e6ab98ad11	上传带宽信息时同时缓存流量、统计流量、请求数等参数，为将来的流量和带宽合并做准备	2023-03-22 18:00:35 +08:00
刘祥超	1121869f14	增加网站服务加载和删除调试日志	2023-03-19 11:05:03 +08:00
刘祥超	91efe57e1b	不提示单个端口Reload信息，防止不重要的日志过多	2023-03-19 11:00:27 +08:00
刘祥超	95f2573263	增加RPC消息最大尺寸到512MB	2023-03-18 22:43:48 +08:00
刘祥超	09aa85f51c	节点组合配置时服务间可以共用证书数据	2023-03-18 22:18:48 +08:00
刘祥超	c6279a1076	版本号更改为0.6.5	2023-03-17 15:54:44 +08:00
刘祥超	47ccb64cfb	优化日志提示	2023-03-16 17:24:55 +08:00
刘祥超	5c218567e1	在GET302和CAPTCHA验证中不记录特殊URL的访问日志	2023-03-16 10:38:40 +08:00
刘祥超	c161d84fdf	版本号变更为0.6.4.2	2023-03-16 08:59:46 +08:00
刘祥超	495b553285	修复存储空间统计可能为负值的问题	2023-03-16 08:59:35 +08:00
刘祥超	21b770ba8b	修复运行测试用例时init()无法起作用的Bug	2023-03-13 21:49:41 +08:00
刘祥超	e9f94e0767	改进README.md	2023-03-13 08:56:18 +08:00
刘祥超	644ada1da9	优化代码	2023-03-12 20:32:15 +08:00
刘祥超	0c40250849	优化代码	2023-03-12 16:36:59 +08:00
刘祥超	1d1134a86d	优化代码	2023-03-12 16:18:16 +08:00
刘祥超	28e7664eb7	修复源站重试时可能产生的file is writing错误	2023-03-12 16:09:06 +08:00
刘祥超	50f3ad641c	优化统计相关程序	2023-03-12 12:19:25 +08:00
刘祥超	cc7cf5f8c5	限制统计系统和浏览器的最大长度，减少随机UserAgent攻击影响	2023-03-11 11:58:05 +08:00
刘祥超	339f0f6e94	上传统计数据时增加单次上传数量限制	2023-03-11 11:21:03 +08:00
刘祥超	f558e43342	根据系统内存调整访问日志队列长度	2023-03-10 22:31:40 +08:00
刘祥超	e374e5c90c	优化命令识别	2023-03-10 22:05:40 +08:00
刘祥超	563b775e49	优化命令执行速度	2023-03-10 22:01:39 +08:00
刘祥超	de9e1a4515	执行一般命令时不运行init()中内容	2023-03-10 15:14:14 +08:00
刘祥超	f64b36f17a	WAF cc防护增加“检查请求来源指纹”选项	2023-03-10 10:41:16 +08:00
刘祥超	f0e8c82d31	增加CC防护（开源用户需要自己实现）	2023-03-09 15:15:22 +08:00
刘祥超	5770d43230	WAF cc2尝试使用指纹统计方法	2023-03-08 16:59:44 +08:00
刘祥超	d4944c236f	修复几处测试用例	2023-03-08 10:13:41 +08:00
刘祥超	33c761a187	修复本地数据库无法异步提交事务的Bug	2023-03-07 16:48:03 +08:00
刘祥超	d7e6da8d2c	对本地数据库文件进行加锁	2023-03-07 16:22:32 +08:00
刘祥超	44d1a2415c	集群服务设置增加“记录找不到网站日志”选项	2023-03-07 10:30:55 +08:00
刘祥超	c98ff50f06	暂时取消GET302和POST307的迟滞	2023-03-07 08:51:39 +08:00
刘祥超	8835fcb09e	GET302/POST307增加访问迟滞	2023-03-06 16:28:54 +08:00
刘祥超	77c56e58c0	GET302/POST307兼容safari浏览器	2023-03-06 16:27:06 +08:00
刘祥超	72c65ca4ee	修复GET302和POST307关闭连接后无法响应的问题	2023-03-06 16:10:58 +08:00
刘祥超	ab019b0bdc	修复在连接读写优化模式下fastcgi无法正常工作的Bug	2023-03-06 10:33:54 +08:00
刘祥超	9709e45ad2	修改软内存限制设置错误	2023-03-05 21:19:10 +08:00
刘祥超	be1f80003c	增加软内存最大值限制	2023-03-05 12:34:46 +08:00
刘祥超	252fcca383	增加测试用例	2023-03-03 14:28:58 +08:00
刘祥超	04ae8fa4a0	系统内存不足时，尝试自动回收内存	2023-03-02 10:54:25 +08:00
刘祥超	c95bd7776a	WAF拦截动作可以设置最大封禁时间，从而实现封禁时间随机	2023-03-01 19:00:08 +08:00
刘祥超	8219167d05	WAF支持忽略全局WAF规则	2023-03-01 16:46:43 +08:00
刘祥超	e0a6881343	上传带宽数据时同时上传流量数据	2023-02-27 10:48:16 +08:00
刘祥超	6e985d7f06	修复GET302和POST307无限循环的问题	2023-02-24 17:02:59 +08:00
刘祥超	66719b05dd	修复WAF验证码不能输入超出6位数字的Bug	2023-02-16 14:44:56 +08:00
刘祥超	7197583fea	增加变量${requestPathLowerExtension}	2023-02-10 10:43:30 +08:00
刘祥超	ce29024eef	写入Agent IP时，不提示id重复错误	2023-02-01 10:18:08 +08:00
刘祥超	e1ac67f7fa	版本更改为0.6.4	2023-02-01 10:07:30 +08:00
刘祥超	01812144dd	优化带宽统计	2023-01-12 19:09:57 +08:00
刘祥超	1c34e49629	优化代码	2023-01-12 19:02:38 +08:00
刘祥超	f233fbfb25	版本号修改为0.6.3	2023-01-11 15:44:53 +08:00
刘祥超	5387115e4a	优化代码	2023-01-11 15:24:48 +08:00
刘祥超	d82c03db23	修复在HTTPS下无法连接Websocket的问题	2023-01-10 21:20:27 +08:00
刘祥超	230c5c3766	版本号修改为0.6.2	2023-01-10 21:18:53 +08:00
刘祥超	927425149e	优化代码	2023-01-10 09:47:56 +08:00
刘祥超	5ce1aab92c	修复域名跳转时没有携带参数的Bug	2023-01-09 20:06:09 +08:00
刘祥超	195742bb26	修复读超时时间（ReadDeadline）导致WAFGET302、POST307延时关闭连接的问题	2023-01-09 15:56:59 +08:00
刘祥超	006cc2912d	版本修改为0.6.1	2023-01-09 15:49:16 +08:00
刘祥超	2d4ba90c3b	改进在自动读超时模式下的Websocket连接	2023-01-09 12:36:33 +08:00
刘祥超	a2e6aaaa18	WAF增加“在IP列表内”操作符/优化部分操作符代号	2023-01-08 10:15:46 +08:00
刘祥超	8e68da7725	集群服务设置增加自动读超时选项	2023-01-07 20:04:05 +08:00
刘祥超	7abb84c880	优化网络连接关闭速度	2023-01-07 10:03:32 +08:00
刘祥超	a17878f5b2	WAF增加包含任一字符串、包含所有字符串操作符	2023-01-06 20:07:15 +08:00
刘祥超	8a8881ac47	IP范围支持多行	2023-01-06 19:14:09 +08:00
刘祥超	c567404b7a	优化连接相关代码	2023-01-05 11:13:35 +08:00
刘祥超	b220b0f48e	优化读取HTTP请求Header和握手超时时间	2023-01-05 00:40:49 +08:00
刘祥超	9609c90d75	边缘节点增加数据读超时，以改进客户端上传数据过慢的问题	2023-01-04 20:43:10 +08:00
刘祥超	2c3c32af5b	优化代码	2023-01-02 10:44:10 +08:00
刘祥超	b4a4b2e9b1	集群服务设置中增加性能设置	2023-01-01 19:27:38 +08:00
刘祥超	c42ff1e1e9	实现UA名单功能	2022-12-30 20:49:43 +08:00
刘祥超	9fed1141c2	默认情况下内容压缩不支持Partial Content	2022-12-30 11:44:07 +08:00
刘祥超	e87f031293	增加CORS自适应跨域	2022-12-29 17:16:42 +08:00
刘祥超	c4bac7f43c	优化代码	2022-12-27 18:58:29 +08:00
刘祥超	47818f972e	自动转换访问域名中的大写字母	2022-12-25 15:23:56 +08:00
刘祥超	218a0300c5	修复测试用例	2022-12-23 18:53:49 +08:00
刘祥超	63f6c4177f	修复测试用例	2022-12-23 18:17:32 +08:00
刘祥超	1830c22a31	增加自动Agent识别	2022-12-22 11:38:59 +08:00
刘祥超	18611e8a7c	写数据超时时断开同客户端连接	2022-12-21 16:11:55 +08:00
刘祥超	c45f7adf04	优化连接相关代码	2022-12-21 15:59:07 +08:00
刘祥超	1a200918a8	不支持CONNECT方法	2022-12-19 16:27:58 +08:00
刘祥超	b942bb776e	国家/地区封禁、省份封禁时支持IP变量	2022-12-18 16:04:12 +08:00
刘祥超	5cf84efccd	优化内容为空的缓存	2022-12-14 15:26:18 +08:00
刘祥超	ebb6ebd10c	修复WAF中反斜杠符号（\）有可能解析错误的Bug	2022-12-14 12:27:07 +08:00
刘祥超	42d0d63cf4	优化代码	2022-12-13 18:08:50 +08:00
刘祥超	96f8f7e925	增加edge-node ip.close IP命令	2022-12-12 19:23:58 +08:00
刘祥超	e7e7214d58	调整慢连接超时算法	2022-12-12 10:04:36 +08:00
刘祥超	ade979a725	向客户端写入数据超时时立即关闭连接	2022-12-10 19:51:05 +08:00
刘祥超	60a8de13e7	TCP单次向客户端写入数据时超过30秒即认为超时	2022-12-10 18:22:00 +08:00
刘祥超	9fa24bed0a	修复WAF记录IP动作时无法不超时的Bug	2022-12-06 11:01:34 +08:00
刘祥超	87bc1a7e03	优化OpenFileCache	2022-12-05 11:16:04 +08:00
刘祥超	1a05f56149	优化缓存相关代码	2022-12-05 10:46:44 +08:00
刘祥超	f88db576e1	优化代码	2022-12-05 09:57:01 +08:00
刘祥超	dc3f26ea1a	减少WAF预读尺寸	2022-12-02 21:08:03 +08:00
刘祥超	6fc30144f7	在edge-node conns命令中显示连接时长	2022-12-02 17:03:16 +08:00
刘祥超	25b0b98bd4	增加默认的源站连接数	2022-12-02 10:39:07 +08:00
刘祥超	27b5817d5e	优化请求限制逻辑，连接关闭时自动终止内容发送	2022-11-29 19:14:46 +08:00
刘祥超	dcb61dfd33	版本号更改为0.6.0	2022-11-29 15:42:21 +08:00
刘祥超	bbcfdbbf5e	优化代码	2022-11-29 15:33:12 +08:00
刘祥超	b2a1bef08f	修复服务WAF配置无法更新的Bug	2022-11-28 18:13:08 +08:00
刘祥超	2b18b5c2ca	修改版本号为0.5.9	2022-11-28 18:08:19 +08:00