chore(version): update version to 0.67.4

feat(plugin): add HTTP2HTTPS redirect plugin implementation
chore(version): update version to 0.67.3
2026-03-10 18:26:34 +08:00 · 2026-03-10 18:26:20 +08:00 · 2026-03-08 18:35:40 +08:00 · 2026-03-08 18:33:42 +08:00 · 2026-02-21 07:42:17 +08:00 · 2026-02-20 15:28:31 +08:00
199 changed files with 23251 additions and 8136 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,6 +6,14 @@ jobs:
    resource_class: large
    steps:
    - checkout
    - run:
        name: Build web assets (frps)
        command: make install build
        working_directory: web/frps
    - run:
        name: Build web assets (frpc)
        command: make install build
        working_directory: web/frpc
    - run: make
    - run: make alltest
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
 * text=auto eol=lf
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,4 +0,0 @@
 # These are supported funding model platforms
 github: [fatedier]
 custom: ["https://afdian.com/a/fatedier"]
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,3 +0,0 @@
 ### WHY
 <!-- author to complete -->
--- a/.github/workflows/build-all.yaml
+++ b/.github/workflows/build-all.yaml
@@ -0,0 +1,189 @@
 name: Build FRP Binaries
 on:
  push:
    branches:
      - '**'
  workflow_dispatch:
  workflow_call:
 permissions:
  contents: read
 jobs:
  build:
    name: Build FRP ${{ matrix.goos }}-${{ matrix.goarch }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        goos: [linux, windows, darwin, freebsd, openbsd, android]
        goarch: [amd64, 386, arm, arm64]
        exclude:
          - goos: darwin
            goarch: arm
          - goos: darwin
            goarch: 386
          - goos: freebsd
            goarch: arm
          - goos: openbsd
            goarch: arm
          - goos: android
            goarch: amd64
          - goos: android
            goarch: 386
          # 排除 Android ARM 32位,在单独的 job 中处理
          - goos: android
            goarch: arm
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Install dependencies
        run: |
          sudo apt-get update -y
          sudo apt-get install -y zip tar make gcc g++ upx
      - name: Build FRP for ${{ matrix.goos }}-${{ matrix.goarch }}
        run: |
          mkdir -p release/packages
          echo "Building for ${{ matrix.goos }}-${{ matrix.goarch }}"
          # 构建版本号
          make
          version=$(./bin/frps --version)
          echo "Detected version: $version"
          export GOOS=${{ matrix.goos }}
          export GOARCH=${{ matrix.goarch }}
          export CGO_ENABLED=0
          # 构建可执行文件
          make frpc frps
          if [ "${{ matrix.goos }}" = "windows" ]; then
            if [ -f "./bin/frpc" ]; then mv ./bin/frpc ./bin/frpc.exe; fi
            if [ -f "./bin/frps" ]; then mv ./bin/frps ./bin/frps.exe; fi
          fi
          out_dir="release/packages/frp_${version}_${{ matrix.goos }}_${{ matrix.goarch }}"
          mkdir -p "$out_dir"
          if [ "${{ matrix.goos }}" = "windows" ]; then
            mv ./bin/frpc.exe "$out_dir/frpc.exe"
            mv ./bin/frps.exe "$out_dir/frps.exe"
          else
            mv ./bin/frpc "$out_dir/frpc"
            mv ./bin/frps "$out_dir/frps"
          fi
          cp LICENSE "$out_dir"
          cp -f conf/frpc.toml "$out_dir"
          cp -f conf/frps.toml "$out_dir"
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: LoliaFrp_${{ matrix.goos }}_${{ matrix.goarch }}
          path: |
            release/packages/frp_*
          retention-days: 7
  build-android-arm:
    name: Build FRP android-arm
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Install dependencies and Android NDK
        run: |
          sudo apt-get update -y
          sudo apt-get install -y zip tar make gcc g++ upx wget unzip
          # 下载并安装 Android NDK
          echo "Downloading Android NDK..."
          wget -q https://dl.google.com/android/repository/android-ndk-r26c-linux.zip
          echo "Extracting Android NDK..."
          unzip -q android-ndk-r26c-linux.zip
          echo "NDK installed at: $PWD/android-ndk-r26c"
      - name: Build FRP for android-arm
        run: |
          mkdir -p release/packages
          mkdir -p bin
          echo "Building for android-arm with CGO"
          # 首先构建一次获取版本号
          CGO_ENABLED=0 make
          version=$(./bin/frps --version)
          echo "Detected version: $version"
          # 清理之前的构建
          rm -rf ./bin/*
          # 设置 Android ARM 交叉编译环境
          export GOOS=android
          export GOARCH=arm
          export GOARM=7
          export CGO_ENABLED=1
          export CC=$PWD/android-ndk-r26c/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang
          export CXX=$PWD/android-ndk-r26c/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang++
          echo "Environment:"
          echo "GOOS=$GOOS"
          echo "GOARCH=$GOARCH"
          echo "GOARM=$GOARM"
          echo "CGO_ENABLED=$CGO_ENABLED"
          echo "CC=$CC"
          # 直接使用 go build 命令，不通过 Makefile，防止 CGO_ENABLED 被覆盖
          echo "Building frps..."
          go build -trimpath -ldflags "-s -w" -tags frps -o bin/frps ./cmd/frps
          echo "Building frpc..."
          go build -trimpath -ldflags "-s -w" -tags frpc -o bin/frpc ./cmd/frpc
          # 验证文件已生成
          ls -lh ./bin/
          file ./bin/frpc
          file ./bin/frps
          out_dir="release/packages/frp_${version}_android_arm"
          mkdir -p "$out_dir"
          mv ./bin/frpc "$out_dir/frpc"
          mv ./bin/frps "$out_dir/frps"
          cp LICENSE "$out_dir"
          cp -f conf/frpc.toml "$out_dir"
          cp -f conf/frps.toml "$out_dir"
          echo "Build completed for android-arm"
          ls -lh "$out_dir"
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: LoliaFrp_android_arm
          path: |
            release/packages/frp_*
          retention-days: 7
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -1,83 +0,0 @@
 name: Build Image and Publish to Dockerhub & GPR
 on:
  release:
    types: [ published ]
  workflow_dispatch:
    inputs:
      tag:
        description: 'Image tag'
        required: true
        default: 'test'
 permissions:
  contents: read
 jobs:
  image:
    name: Build Image from Dockerfile and binaries
    runs-on: ubuntu-latest
    steps:
      # environment
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: '0'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # get image tag name
      - name: Get Image Tag Name
        run: |
          if [ x${{ github.event.inputs.tag }} == x"" ]; then
            echo "TAG_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
          else
            echo "TAG_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
          fi
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Login to the GPR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GPR_TOKEN }}
      # prepare image tags
      - name: Prepare Image Tags
        run: |
          echo "DOCKERFILE_FRPC_PATH=dockerfiles/Dockerfile-for-frpc" >> $GITHUB_ENV
          echo "DOCKERFILE_FRPS_PATH=dockerfiles/Dockerfile-for-frps" >> $GITHUB_ENV
          echo "TAG_FRPC=fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV
          echo "TAG_FRPS=fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV
          echo "TAG_FRPC_GPR=ghcr.io/fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV
          echo "TAG_FRPS_GPR=ghcr.io/fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV
      - name: Build and push frpc
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./dockerfiles/Dockerfile-for-frpc
          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
          push: true
          tags: |
            ${{ env.TAG_FRPC }}
            ${{ env.TAG_FRPC_GPR }}
      - name: Build and push frps
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./dockerfiles/Dockerfile-for-frps
          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
          push: true
          tags: |
            ${{ env.TAG_FRPS }}
            ${{ env.TAG_FRPS_GPR }}
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,82 @@
 name: Docker Build and Push
 on:
  push:
    branches:
      - main
      - dev
    tags:
      - 'v*'
  pull_request:
    branches:
      - main
      - dev
  workflow_dispatch:
 env:
  REGISTRY: ghcr.io
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      matrix:
        include:
          - name: frps
            dockerfile: dockerfiles/Dockerfile-for-frps
            image_name: ghcr.io/${{ github.repository_owner }}/loliacli-frps
          - name: frpc
            dockerfile: dockerfiles/Dockerfile-for-frpc
            image_name: ghcr.io/${{ github.repository_owner }}/loliacli-frpc
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ matrix.image_name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
      - name: Generate image digest
        if: github.event_name != 'pull_request'
        run: |
          echo "Image pushed to: ${{ matrix.image_name }}"
          echo "Tags: ${{ steps.meta.outputs.tags }}"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,8 +19,17 @@ jobs:
      with:
        go-version: '1.24'
        cache: false
    - uses: actions/setup-node@v4
      with:
        node-version: '22'
    - name: Build web assets (frps)
      run: make build
      working-directory: web/frps
    - name: Build web assets (frpc)
      run: make build
      working-directory: web/frpc
    - name: golangci-lint
      uses: golangci/golangci-lint-action@v8
      with:
        # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-        version: v2.3
+        version: v2.3
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -16,13 +16,21 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
-          
+      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Build web assets (frps)
        run: make build
        working-directory: web/frps
      - name: Build web assets (frpc)
        run: make build
        working-directory: web/frpc
      - name: Make All
        run: |
          ./package.sh
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: release --clean --release-notes=./Release.md
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,129 @@
 name: Release FRP Binaries
 on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to release (e.g., v1.0.0)"
        required: true
        type: string
 permissions:
  contents: write
 jobs:
  # 调用 build-all workflow
  build:
    uses: ./.github/workflows/build-all.yaml
    permissions:
      contents: read
  # 创建 release
  release:
    name: Create Release
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Get tag name
        id: tag
        run: |
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
          else
            echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
          fi
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: Display artifact structure
        run: |
          echo "Artifact structure:"
          ls -R artifacts/
      - name: Organize release files
        run: |
          mkdir -p release_files
          # 查找并复制所有压缩包
          find artifacts -type f \( -name "*.zip" -o -name "*.tar.gz" \) -exec cp {} release_files/ \;
          # 如果没有压缩包，尝试查找二进制文件并打包
          if [ -z "$(ls -A release_files/)" ]; then
            echo "No archives found, looking for directories to package..."
            for dir in artifacts/*/; do
              if [ -d "$dir" ]; then
                artifact_name=$(basename "$dir")
                echo "Packaging $artifact_name"
                # 检查是否是 Windows 构建
                if echo "$artifact_name" | grep -q "windows"; then
                  (cd "$dir" && zip -r "../../release_files/${artifact_name}.zip" .)
                else
                  tar -czf "release_files/${artifact_name}.tar.gz" -C "$dir" .
                fi
              fi
            done
          fi
          echo "Files in release_files:"
          ls -lh release_files/
      - name: Generate checksums
        run: |
          cd release_files
          if [ -n "$(ls -A .)" ]; then
            sha256sum * > sha256sum.txt
            cat sha256sum.txt
          else
            echo "No files to generate checksums for!"
            exit 1
          fi
      - name: Debug - Check tags and commits
        run: |
          echo "Current tag: ${{ steps.tag.outputs.tag }}"
          PREV_TAG=$(git describe --tags --abbrev=0 ${{ steps.tag.outputs.tag }}^ 2>/dev/null || echo "none")
          echo "Previous tag: $PREV_TAG"
          echo ""
          echo "Commits between tags:"
          if [ "$PREV_TAG" != "none" ]; then
            git log --oneline $PREV_TAG..${{ steps.tag.outputs.tag }}
          else
            echo "First tag, showing all commits:"
            git log --oneline ${{ steps.tag.outputs.tag }}
          fi
      - name: Build Changelog
        id: changelog
        uses: requarks/changelog-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.tag.outputs.tag }}
          writeToFile: false
          includeInvalidCommits: true
          useGitmojis: false
      - name: Create Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: ${{ steps.tag.outputs.tag }}
          name: Release ${{ steps.tag.outputs.tag }}
          body: ${{ steps.changelog.outputs.changes }}
          draft: false
          prerelease: false
          files: |
            release_files/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,6 @@ client.key
 # AI
 CLAUDE.md
 # TLS
 .autotls-cache
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -39,6 +39,7 @@ linters:
      - G404
      - G501
      - G115
      - G204
      severity: low
      confidence: low
    govet:
--- a/21
+++ b/21
@@ -2,19 +2,22 @@ export PATH := $(PATH):`go env GOPATH`/bin
 export GO111MODULE=on
 LDFLAGS := -s -w
-all: env fmt build
+.PHONY: web frps-web frpc-web frps frpc
 all: env fmt web build
 build: frps frpc
 env:
 	@go version
-# compile assets into binary file
+web: frps-web frpc-web
-file:
+
-	rm -rf ./assets/frps/static/*
+frps-web:
-	rm -rf ./assets/frpc/static/*
+	$(MAKE) -C web/frps build
-	cp -rf ./web/frps/dist/* ./assets/frps/static
+
-	cp -rf ./web/frpc/dist/* ./assets/frpc/static
+frpc-web:
 	$(MAKE) -C web/frpc build
 fmt:
 	go fmt ./...
@@ -25,7 +28,7 @@ fmt-more:
 gci:
 	gci write -s standard -s default -s "prefix(github.com/fatedier/frp/)" ./
-vet:
+vet: web
 	go vet ./...
 frps:
@@ -36,7 +39,7 @@ frpc:
 test: gotest
-gotest:
+gotest: web
 	go test -v --cover ./assets/...
 	go test -v --cover ./cmd/...
 	go test -v --cover ./client/...
--- a/README.md
+++ b/README.md
@@ -14,21 +14,15 @@ frp is an open source project with its ongoing development made possible entirel
 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
 <p align="center">
-  <a href="https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp" target="_blank">
+  <a href="https://requestly.com/?utm_source=github&utm_medium=partnered&utm_campaign=frp" target="_blank">
-    <b>Recall.ai - API for meeting recordings</b><br>
+    <img width="480px" src="https://github.com/user-attachments/assets/24670320-997d-4d62-9bca-955c59fe883d">
    <br>
-    <sup>If you're looking for a meeting recording API, consider checking out Recall.ai, an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.</sup>
+    <b>Requestly - Free & Open-Source alternative to Postman</b>
-  </a>
+    <br>
-</p>
+    <sub>All-in-one platform to Test, Mock and Intercept APIs.</sub>
 <p align="center">
  <a href="https://go.warp.dev/frp" target="_blank">
    <img width="360px" src="https://raw.githubusercontent.com/warpdotdev/brand-assets/refs/heads/main/Github/Sponsor/Warp-Github-LG-01.png">
    <br>
    <b>Warp, built for collaborating with AI Agents</b>
    <br>
 	<sub>Available for macOS, Linux and Windows</sub>
  </a>
 </p>
 <p align="center">
  <a href="https://jb.gg/frp" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
@@ -36,13 +30,7 @@ frp is an open source project with its ongoing development made possible entirel
 	<b>The complete IDE crafted for professional Go developers</b>
  </a>
 </p>
-<p align="center">
+
  <a href="https://github.com/daytonaio/daytona" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
 	<br>
 	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/beclab/Olares" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
@@ -52,6 +40,15 @@ frp is an open source project with its ongoing development made possible entirel
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
 <div align="center">
 ## Recall.ai - API for meeting recordings
 If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
 an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
 </div>
 <!--gold sponsors end-->
 ## What is frp?
--- a/README_zh.md
+++ b/README_zh.md
@@ -16,21 +16,15 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者
 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
 <p align="center">
-  <a href="https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp" target="_blank">
+  <a href="https://requestly.com/?utm_source=github&utm_medium=partnered&utm_campaign=frp" target="_blank">
-    <b>Recall.ai - API for meeting recordings</b><br>
+    <img width="480px" src="https://github.com/user-attachments/assets/24670320-997d-4d62-9bca-955c59fe883d">
    <br>
-    <sup>If you're looking for a meeting recording API, consider checking out Recall.ai, an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.</sup>
+    <b>Requestly - Free & Open-Source alternative to Postman</b>
-  </a>
+    <br>
-</p>
+    <sub>All-in-one platform to Test, Mock and Intercept APIs.</sub>
 <p align="center">
  <a href="https://go.warp.dev/frp" target="_blank">
    <img width="360px" src="https://raw.githubusercontent.com/warpdotdev/brand-assets/refs/heads/main/Github/Sponsor/Warp-Github-LG-01.png">
    <br>
    <b>Warp, built for collaborating with AI Agents</b>
    <br>
 	<sub>Available for macOS, Linux and Windows</sub>
  </a>
 </p>
 <p align="center">
  <a href="https://jb.gg/frp" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
@@ -38,13 +32,7 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者
 	<b>The complete IDE crafted for professional Go developers</b>
  </a>
 </p>
-<p align="center">
+
  <a href="https://github.com/daytonaio/daytona" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
 	<br>
 	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/beclab/Olares" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
@@ -54,6 +42,15 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
 <div align="center">
 ## Recall.ai - API for meeting recordings
 If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
 an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
 </div>
 <!--gold sponsors end-->
 ## 为什么使用 frp ？
@@ -126,9 +123,3 @@ frp 是一个免费且开源的项目，我们欢迎任何人为其开发和进
 国内用户可以通过 [爱发电](https://afdian.com/a/fatedier) 赞助我们。
 企业赞助者可以将贵公司的 Logo 以及链接放置在项目 README 文件中。
 ### 知识星球
 如果您想了解更多 frp 相关技术以及更新详解，或者寻求任何 frp 使用方面的帮助，都可以通过微信扫描下方的二维码付费加入知识星球的官方社群：
 ![zsxq](/doc/pic/zsxq.jpg)
--- a/Release.md
+++ b/Release.md
@@ -1,5 +1,8 @@
 ## Features
-* Add NAT traversal configuration options for XTCP proxies and visitors. Support disabling assisted addresses to avoid using slow VPN connections during NAT hole punching.
+* frpc now supports a `clientID` option to uniquely identify client instances. The server dashboard displays all connected clients with their online/offline status, connection history, and metadata, making it easier to monitor and manage multiple frpc deployments.
-* Enhanced OIDC client configuration with support for custom TLS certificate verification and proxy settings. Added `trustedCaFile`, `insecureSkipVerify`, and `proxyURL` options for OIDC token endpoint connections.
+* Redesigned the frp web dashboard with a modern UI, dark mode support, and improved navigation.
-* Added detailed Prometheus metrics with `proxy_counts_detailed` metric that includes both proxy type and proxy name labels, enabling monitoring of individual proxy connections instead of just aggregate counts.
+
 ## Fixes
 * Fixed UDP proxy protocol sending header on every packet instead of only the first packet of each session.
--- a/assets/assets.go
+++ b/assets/assets.go
@@ -41,7 +41,7 @@ func Load(path string) {
 }
 func Register(fileSystem fs.FS) {
-	subFs, err := fs.Sub(fileSystem, "static")
+	subFs, err := fs.Sub(fileSystem, "dist")
 	if err == nil {
 		content = subFs
 	}
--- a/assets/frpc/embed.go
+++ b/assets/frpc/embed.go
@@ -1,14 +0,0 @@
 package frpc
 import (
 	"embed"
 	"github.com/fatedier/frp/assets"
 )
 //go:embed static/*
 var content embed.FS
 func init() {
 	assets.Register(content)
 }
--- a/assets/frpc/static/favicon.ico
+++ b/assets/frpc/static/favicon.ico
--- a/assets/frpc/static/index-bLBhaJo8.js
+++ b/assets/frpc/static/index-bLBhaJo8.js
--- a/assets/frpc/static/index-iuf46MlF.css
+++ b/assets/frpc/static/index-iuf46MlF.css
--- a/assets/frpc/static/index.html
+++ b/assets/frpc/static/index.html
@@ -1,15 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="utf-8">
    <title>frp client admin UI</title>
  <script type="module" crossorigin src="./index-bLBhaJo8.js"></script>
  <link rel="stylesheet" crossorigin href="./index-iuf46MlF.css">
 </head>
 <body>
    <div id="app"></div>
 </body>
 </html>
--- a/assets/frps/static/favicon.ico
+++ b/assets/frps/static/favicon.ico
--- a/assets/frps/static/index-82-40HIG.js
+++ b/assets/frps/static/index-82-40HIG.js
--- a/assets/frps/static/index-rzPDshRD.css
+++ b/assets/frps/static/index-rzPDshRD.css
--- a/assets/frps/static/index.html
+++ b/assets/frps/static/index.html
@@ -1,15 +0,0 @@
 <!DOCTYPE html>
 <html lang="en" class="dark">
 <head>
    <meta charset="utf-8">
    <title>frps dashboard</title>
  <script type="module" crossorigin src="./index-82-40HIG.js"></script>
  <link rel="stylesheet" crossorigin href="./index-rzPDshRD.css">
 </head>
 <body>
    <div id="app"></div>
 </body>
 </html>
--- a/client/admin_api.go
+++ b/client/admin_api.go
@@ -15,44 +15,29 @@
 package client
 import (
 	"cmp"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"os"
 	"slices"
 	"strconv"
 	"time"
 	"github.com/fatedier/frp/client/api"
 	"github.com/fatedier/frp/client/proxy"
 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )
 type GeneralResponse struct {
 	Code int
 	Msg  string
 }
 func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper) {
-	helper.Router.HandleFunc("/healthz", svr.healthz)
+	apiController := newAPIController(svr)
 	// Healthz endpoint without auth
 	helper.Router.HandleFunc("/healthz", healthz)
 	// API routes and static files with auth
 	subRouter := helper.Router.NewRoute().Subrouter()
-
+	subRouter.Use(helper.AuthMiddleware)
-	subRouter.Use(helper.AuthMiddleware.Middleware)
+	subRouter.Use(httppkg.NewRequestLogger)
-
+	subRouter.HandleFunc("/api/reload", httppkg.MakeHTTPHandlerFunc(apiController.Reload)).Methods(http.MethodGet)
-	// api, see admin_api.go
+	subRouter.HandleFunc("/api/stop", httppkg.MakeHTTPHandlerFunc(apiController.Stop)).Methods(http.MethodPost)
-	subRouter.HandleFunc("/api/reload", svr.apiReload).Methods("GET")
+	subRouter.HandleFunc("/api/status", httppkg.MakeHTTPHandlerFunc(apiController.Status)).Methods(http.MethodGet)
-	subRouter.HandleFunc("/api/stop", svr.apiStop).Methods("POST")
+	subRouter.HandleFunc("/api/config", httppkg.MakeHTTPHandlerFunc(apiController.GetConfig)).Methods(http.MethodGet)
-	subRouter.HandleFunc("/api/status", svr.apiStatus).Methods("GET")
+	subRouter.HandleFunc("/api/config", httppkg.MakeHTTPHandlerFunc(apiController.PutConfig)).Methods(http.MethodPut)
 	subRouter.HandleFunc("/api/config", svr.apiGetConfig).Methods("GET")
 	subRouter.HandleFunc("/api/config", svr.apiPutConfig).Methods("PUT")
 	// view
 	subRouter.Handle("/favicon.ico", http.FileServer(helper.AssetsFS)).Methods("GET")
 	subRouter.PathPrefix("/static/").Handler(
 		netpkg.MakeHTTPGzipHandler(http.StripPrefix("/static/", http.FileServer(helper.AssetsFS))),
@@ -62,201 +47,28 @@ func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper)
 	})
 }
-// /healthz
+func healthz(w http.ResponseWriter, _ *http.Request) {
-func (svr *Service) healthz(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusOK)
 	w.WriteHeader(200)
 }
-// GET /api/reload
+func newAPIController(svr *Service) *api.Controller {
-func (svr *Service) apiReload(w http.ResponseWriter, r *http.Request) {
+	return api.NewController(api.ControllerParams{
-	res := GeneralResponse{Code: 200}
+		GetProxyStatus: svr.getAllProxyStatus,
-	strictConfigMode := false
+		ServerAddr:     svr.common.ServerAddr,
-	strictStr := r.URL.Query().Get("strictConfig")
+		ConfigFilePath: svr.configFilePath,
-	if strictStr != "" {
+		UnsafeFeatures: svr.unsafeFeatures,
-		strictConfigMode, _ = strconv.ParseBool(strictStr)
+		UpdateConfig:   svr.UpdateAllConfigurer,
-	}
+		GracefulClose:  svr.GracefulClose,
-
+	})
 	log.Infof("api request [/api/reload]")
 	defer func() {
 		log.Infof("api response [/api/reload], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(svr.configFilePath, strictConfigMode)
 	if err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs); err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	if err := svr.UpdateAllConfigurer(proxyCfgs, visitorCfgs); err != nil {
 		res.Code = 500
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	log.Infof("success reload conf")
 }
-// POST /api/stop
+// getAllProxyStatus returns all proxy statuses.
-func (svr *Service) apiStop(w http.ResponseWriter, _ *http.Request) {
+func (svr *Service) getAllProxyStatus() []*proxy.WorkingStatus {
 	res := GeneralResponse{Code: 200}
 	log.Infof("api request [/api/stop]")
 	defer func() {
 		log.Infof("api response [/api/stop], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	go svr.GracefulClose(100 * time.Millisecond)
 }
 type StatusResp map[string][]ProxyStatusResp
 type ProxyStatusResp struct {
 	Name       string `json:"name"`
 	Type       string `json:"type"`
 	Status     string `json:"status"`
 	Err        string `json:"err"`
 	LocalAddr  string `json:"local_addr"`
 	Plugin     string `json:"plugin"`
 	RemoteAddr string `json:"remote_addr"`
 }
 func NewProxyStatusResp(status *proxy.WorkingStatus, serverAddr string) ProxyStatusResp {
 	psr := ProxyStatusResp{
 		Name:   status.Name,
 		Type:   status.Type,
 		Status: status.Phase,
 		Err:    status.Err,
 	}
 	baseCfg := status.Cfg.GetBaseConfig()
 	if baseCfg.LocalPort != 0 {
 		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
 	}
 	psr.Plugin = baseCfg.Plugin.Type
 	if status.Err == "" {
 		psr.RemoteAddr = status.RemoteAddr
 		if slices.Contains([]string{"tcp", "udp"}, status.Type) {
 			psr.RemoteAddr = serverAddr + psr.RemoteAddr
 		}
 	}
 	return psr
 }
 // GET /api/status
 func (svr *Service) apiStatus(w http.ResponseWriter, _ *http.Request) {
 	var (
 		buf []byte
 		res StatusResp = make(map[string][]ProxyStatusResp)
 	)
 	log.Infof("http request [/api/status]")
 	defer func() {
 		log.Infof("http response [/api/status]")
 		buf, _ = json.Marshal(&res)
 		_, _ = w.Write(buf)
 	}()
 	svr.ctlMu.RLock()
 	ctl := svr.ctl
 	svr.ctlMu.RUnlock()
 	if ctl == nil {
-		return
+		return nil
 	}
 	ps := ctl.pm.GetAllProxyStatus()
 	for _, status := range ps {
 		res[status.Type] = append(res[status.Type], NewProxyStatusResp(status, svr.common.ServerAddr))
 	}
 	for _, arrs := range res {
 		if len(arrs) <= 1 {
 			continue
 		}
 		slices.SortFunc(arrs, func(a, b ProxyStatusResp) int {
 			return cmp.Compare(a.Name, b.Name)
 		})
 	}
 }
 // GET /api/config
 func (svr *Service) apiGetConfig(w http.ResponseWriter, _ *http.Request) {
 	res := GeneralResponse{Code: 200}
 	log.Infof("http get request [/api/config]")
 	defer func() {
 		log.Infof("http get response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	if svr.configFilePath == "" {
 		res.Code = 400
 		res.Msg = "frpc has no config file path"
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	content, err := os.ReadFile(svr.configFilePath)
 	if err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("load frpc config file error: %s", res.Msg)
 		return
 	}
 	res.Msg = string(content)
 }
 // PUT /api/config
 func (svr *Service) apiPutConfig(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	log.Infof("http put request [/api/config]")
 	defer func() {
 		log.Infof("http put response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	// get new config content
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		res.Code = 400
 		res.Msg = fmt.Sprintf("read request body error: %v", err)
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	if len(body) == 0 {
 		res.Code = 400
 		res.Msg = "body can't be empty"
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	if err := os.WriteFile(svr.configFilePath, body, 0o600); err != nil {
 		res.Code = 500
 		res.Msg = fmt.Sprintf("write content to frpc config file error: %v", err)
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	return ctl.pm.GetAllProxyStatus()
 }
--- a/client/api/controller.go
+++ b/client/api/controller.go
@@ -0,0 +1,189 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package api
 import (
 	"cmp"
 	"fmt"
 	"net"
 	"net/http"
 	"os"
 	"slices"
 	"strconv"
 	"time"
 	"github.com/fatedier/frp/client/proxy"
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 // Controller handles HTTP API requests for frpc.
 type Controller struct {
 	// getProxyStatus returns the current proxy status.
 	// Returns nil if the control connection is not established.
 	getProxyStatus func() []*proxy.WorkingStatus
 	// serverAddr is the frps server address for display.
 	serverAddr string
 	// configFilePath is the path to the configuration file.
 	configFilePath string
 	// unsafeFeatures is used for validation.
 	unsafeFeatures *security.UnsafeFeatures
 	// updateConfig updates proxy and visitor configurations.
 	updateConfig func(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error
 	// gracefulClose gracefully stops the service.
 	gracefulClose func(d time.Duration)
 }
 // ControllerParams contains parameters for creating an APIController.
 type ControllerParams struct {
 	GetProxyStatus func() []*proxy.WorkingStatus
 	ServerAddr     string
 	ConfigFilePath string
 	UnsafeFeatures *security.UnsafeFeatures
 	UpdateConfig   func(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error
 	GracefulClose  func(d time.Duration)
 }
 // NewController creates a new Controller.
 func NewController(params ControllerParams) *Controller {
 	return &Controller{
 		getProxyStatus: params.GetProxyStatus,
 		serverAddr:     params.ServerAddr,
 		configFilePath: params.ConfigFilePath,
 		unsafeFeatures: params.UnsafeFeatures,
 		updateConfig:   params.UpdateConfig,
 		gracefulClose:  params.GracefulClose,
 	}
 }
 // Reload handles GET /api/reload
 func (c *Controller) Reload(ctx *httppkg.Context) (any, error) {
 	strictConfigMode := false
 	strictStr := ctx.Query("strictConfig")
 	if strictStr != "" {
 		strictConfigMode, _ = strconv.ParseBool(strictStr)
 	}
 	cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(c.configFilePath, strictConfigMode)
 	if err != nil {
 		log.Warnf("reload frpc proxy config error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
 	}
 	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, c.unsafeFeatures); err != nil {
 		log.Warnf("reload frpc proxy config error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
 	}
 	if err := c.updateConfig(proxyCfgs, visitorCfgs); err != nil {
 		log.Warnf("reload frpc proxy config error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
 	}
 	log.Infof("success reload conf")
 	return nil, nil
 }
 // Stop handles POST /api/stop
 func (c *Controller) Stop(ctx *httppkg.Context) (any, error) {
 	go c.gracefulClose(100 * time.Millisecond)
 	return nil, nil
 }
 // Status handles GET /api/status
 func (c *Controller) Status(ctx *httppkg.Context) (any, error) {
 	res := make(StatusResp)
 	ps := c.getProxyStatus()
 	if ps == nil {
 		return res, nil
 	}
 	for _, status := range ps {
 		res[status.Type] = append(res[status.Type], c.buildProxyStatusResp(status))
 	}
 	for _, arrs := range res {
 		if len(arrs) <= 1 {
 			continue
 		}
 		slices.SortFunc(arrs, func(a, b ProxyStatusResp) int {
 			return cmp.Compare(a.Name, b.Name)
 		})
 	}
 	return res, nil
 }
 // GetConfig handles GET /api/config
 func (c *Controller) GetConfig(ctx *httppkg.Context) (any, error) {
 	if c.configFilePath == "" {
 		return nil, httppkg.NewError(http.StatusBadRequest, "frpc has no config file path")
 	}
 	content, err := os.ReadFile(c.configFilePath)
 	if err != nil {
 		log.Warnf("load frpc config file error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
 	}
 	return string(content), nil
 }
 // PutConfig handles PUT /api/config
 func (c *Controller) PutConfig(ctx *httppkg.Context) (any, error) {
 	body, err := ctx.Body()
 	if err != nil {
 		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read request body error: %v", err))
 	}
 	if len(body) == 0 {
 		return nil, httppkg.NewError(http.StatusBadRequest, "body can't be empty")
 	}
 	if err := os.WriteFile(c.configFilePath, body, 0o600); err != nil {
 		return nil, httppkg.NewError(http.StatusInternalServerError, fmt.Sprintf("write content to frpc config file error: %v", err))
 	}
 	return nil, nil
 }
 // buildProxyStatusResp creates a ProxyStatusResp from proxy.WorkingStatus
 func (c *Controller) buildProxyStatusResp(status *proxy.WorkingStatus) ProxyStatusResp {
 	psr := ProxyStatusResp{
 		Name:   status.Name,
 		Type:   status.Type,
 		Status: status.Phase,
 		Err:    status.Err,
 	}
 	baseCfg := status.Cfg.GetBaseConfig()
 	if baseCfg.LocalPort != 0 {
 		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
 	}
 	psr.Plugin = baseCfg.Plugin.Type
 	if status.Err == "" {
 		psr.RemoteAddr = status.RemoteAddr
 		if slices.Contains([]string{"tcp", "udp"}, status.Type) {
 			psr.RemoteAddr = c.serverAddr + psr.RemoteAddr
 		}
 	}
 	return psr
 }
--- a/client/api/types.go
+++ b/client/api/types.go
@@ -0,0 +1,29 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package api
 // StatusResp is the response for GET /api/status
 type StatusResp map[string][]ProxyStatusResp
 // ProxyStatusResp contains proxy status information
 type ProxyStatusResp struct {
 	Name       string `json:"name"`
 	Type       string `json:"type"`
 	Status     string `json:"status"`
 	Err        string `json:"err"`
 	LocalAddr  string `json:"local_addr"`
 	Plugin     string `json:"plugin"`
 	RemoteAddr string `json:"remote_addr"`
 }
--- a/client/control.go
+++ b/client/control.go
@@ -16,7 +16,9 @@ package client
 import (
 	"context"
 	"fmt"
 	"net"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -43,8 +45,8 @@ type SessionContext struct {
 	Conn net.Conn
 	// Indicates whether the connection is encrypted.
 	ConnEncrypted bool
-	// Sets authentication based on selected method
+	// Auth runtime used for login, heartbeats, and encryption.
-	AuthSetter auth.Setter
+	Auth *auth.ClientAuth
 	// Connector is used to create new connections, which could be real TCP connections or virtual streams.
 	Connector Connector
 	// Virtual net controller
@@ -91,7 +93,7 @@ func NewControl(ctx context.Context, sessionCtx *SessionContext) (*Control, erro
 	ctl.lastPong.Store(time.Now())
 	if sessionCtx.ConnEncrypted {
-		cryptoRW, err := netpkg.NewCryptoReadWriter(sessionCtx.Conn, []byte(sessionCtx.Common.Auth.Token))
+		cryptoRW, err := netpkg.NewCryptoReadWriter(sessionCtx.Conn, sessionCtx.Auth.EncryptionKey())
 		if err != nil {
 			return nil, err
 		}
@@ -100,9 +102,9 @@ func NewControl(ctx context.Context, sessionCtx *SessionContext) (*Control, erro
 		ctl.msgDispatcher = msg.NewDispatcher(sessionCtx.Conn)
 	}
 	ctl.registerMsgHandlers()
-	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher.SendChannel())
+	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher)
-	ctl.pm = proxy.NewManager(ctl.ctx, sessionCtx.Common, ctl.msgTransporter, sessionCtx.VnetController)
+	ctl.pm = proxy.NewManager(ctl.ctx, sessionCtx.Common, sessionCtx.Auth.EncryptionKey(), ctl.msgTransporter, sessionCtx.VnetController)
 	ctl.vm = visitor.NewManager(ctl.ctx, sessionCtx.RunID, sessionCtx.Common,
 		ctl.connectServer, ctl.msgTransporter, sessionCtx.VnetController)
 	return ctl, nil
@@ -133,7 +135,7 @@ func (ctl *Control) handleReqWorkConn(_ msg.Message) {
 	m := &msg.NewWorkConn{
 		RunID: ctl.sessionCtx.RunID,
 	}
-	if err = ctl.sessionCtx.AuthSetter.SetNewWorkConn(m); err != nil {
+	if err = ctl.sessionCtx.Auth.Setter.SetNewWorkConn(m); err != nil {
 		xl.Warnf("error during NewWorkConn authentication: %v", err)
 		workConn.Close()
 		return
@@ -167,9 +169,44 @@ func (ctl *Control) handleNewProxyResp(m msg.Message) {
 	// Start a new proxy handler if no error got
 	err := ctl.pm.StartProxy(inMsg.ProxyName, inMsg.RemoteAddr, inMsg.Error)
 	if err != nil {
-		xl.Warnf("[%s] start error: %v", inMsg.ProxyName, err)
+		xl.Warnf("[%s] 启动失败: %v", inMsg.ProxyName, err)
 	} else {
-		xl.Infof("[%s] start proxy success", inMsg.ProxyName)
+		xl.Infof("[%s] 成功启动隧道", inMsg.ProxyName)
 		if inMsg.RemoteAddr != "" {
 			// Get proxy type to format access message
 			if status, ok := ctl.pm.GetProxyStatus(inMsg.ProxyName); ok {
 				proxyType := status.Type
 				remoteAddr := inMsg.RemoteAddr
 				var accessMsg string
 				switch proxyType {
 				case "tcp", "udp", "stcp", "xtcp", "sudp", "tcpmux":
 					// If remoteAddr only contains port (e.g., ":8080"), prepend server address
 					if strings.HasPrefix(remoteAddr, ":") {
 						serverAddr := ctl.sessionCtx.Common.ServerAddr
 						remoteAddr = serverAddr + remoteAddr
 					}
 					accessMsg = fmt.Sprintf("您可通过 %s 访问您的服务", remoteAddr)
 				case "http", "https":
 					// Format as URL with protocol
 					protocol := proxyType
 					addr := remoteAddr
 					// Remove standard ports for cleaner URL
 					if proxyType == "http" && strings.HasSuffix(addr, ":80") {
 						addr = strings.TrimSuffix(addr, ":80")
 					} else if proxyType == "https" && strings.HasSuffix(addr, ":443") {
 						addr = strings.TrimSuffix(addr, ":443")
 					}
 					accessMsg = fmt.Sprintf("您可通过 %s://%s 访问您的服务", protocol, addr)
 				default:
 					accessMsg = fmt.Sprintf("您可通过 %s 访问您的服务", remoteAddr)
 				}
 				xl.Infof("[%s] %s", inMsg.ProxyName, accessMsg)
 			} else {
 				xl.Infof("[%s] 您可通过 %s 访问您的服务", inMsg.ProxyName, inMsg.RemoteAddr)
 			}
 		}
 	}
 }
@@ -243,7 +280,7 @@ func (ctl *Control) heartbeatWorker() {
 		sendHeartBeat := func() (bool, error) {
 			xl.Debugf("send heartbeat to server")
 			pingMsg := &msg.Ping{}
-			if err := ctl.sessionCtx.AuthSetter.SetPing(pingMsg); err != nil {
+			if err := ctl.sessionCtx.Auth.Setter.SetPing(pingMsg); err != nil {
 				xl.Warnf("error during ping authentication: %v, skip sending ping message", err)
 				return false, err
 			}
--- a/client/proxy/proxy.go
+++ b/client/proxy/proxy.go
@@ -19,7 +19,9 @@ import (
 	"io"
 	"net"
 	"reflect"
 	"slices"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -57,6 +59,7 @@ func NewProxy(
 	ctx context.Context,
 	pxyConf v1.ProxyConfigurer,
 	clientCfg *v1.ClientCommonConfig,
 	encryptionKey []byte,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
 ) (pxy Proxy) {
@@ -68,7 +71,9 @@ func NewProxy(
 	baseProxy := BaseProxy{
 		baseCfg:        pxyConf.GetBaseConfig(),
 		configurer:     pxyConf,
 		clientCfg:      clientCfg,
 		encryptionKey:  encryptionKey,
 		limiter:        limiter,
 		msgTransporter: msgTransporter,
 		vnetController: vnetController,
@@ -85,7 +90,9 @@ func NewProxy(
 type BaseProxy struct {
 	baseCfg        *v1.ProxyBaseConfig
 	configurer     v1.ProxyConfigurer
 	clientCfg      *v1.ClientCommonConfig
 	encryptionKey  []byte
 	msgTransporter transport.MessageTransporter
 	vnetController *vnet.Controller
 	limiter        *rate.Limiter
@@ -103,6 +110,7 @@ func (pxy *BaseProxy) Run() error {
 	if pxy.baseCfg.Plugin.Type != "" {
 		p, err := plugin.Create(pxy.baseCfg.Plugin.Type, plugin.PluginContext{
 			Name:           pxy.baseCfg.Name,
 			HostAllowList:  pxy.getPluginHostAllowList(),
 			VnetController: pxy.vnetController,
 		}, pxy.baseCfg.Plugin.ClientPluginOptions)
 		if err != nil {
@@ -113,6 +121,39 @@ func (pxy *BaseProxy) Run() error {
 	return nil
 }
 func (pxy *BaseProxy) getPluginHostAllowList() []string {
 	dedupHosts := make([]string, 0)
 	addHost := func(host string) {
 		host = strings.TrimSpace(strings.ToLower(host))
 		if host == "" {
 			return
 		}
 		// autocert.HostWhitelist only supports exact host names.
 		if strings.Contains(host, "*") {
 			return
 		}
 		if !slices.Contains(dedupHosts, host) {
 			dedupHosts = append(dedupHosts, host)
 		}
 	}
 	switch cfg := pxy.configurer.(type) {
 	case *v1.HTTPProxyConfig:
 		for _, host := range cfg.CustomDomains {
 			addHost(host)
 		}
 	case *v1.HTTPSProxyConfig:
 		for _, host := range cfg.CustomDomains {
 			addHost(host)
 		}
 	case *v1.TCPMuxProxyConfig:
 		for _, host := range cfg.CustomDomains {
 			addHost(host)
 		}
 	}
 	return dedupHosts
 }
 func (pxy *BaseProxy) Close() {
 	if pxy.proxyPlugin != nil {
 		pxy.proxyPlugin.Close()
@@ -129,7 +170,7 @@ func (pxy *BaseProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
 			return
 		}
 	}
-	pxy.HandleTCPWorkConnection(conn, m, []byte(pxy.clientCfg.Auth.Token))
+	pxy.HandleTCPWorkConnection(conn, m, pxy.encryptionKey)
 }
 // Common handler for tcp work connections.
--- a/client/proxy/proxy_manager.go
+++ b/client/proxy/proxy_manager.go
@@ -40,7 +40,8 @@ type Manager struct {
 	closed bool
 	mu     sync.RWMutex
-	clientCfg *v1.ClientCommonConfig
+	encryptionKey []byte
 	clientCfg     *v1.ClientCommonConfig
 	ctx context.Context
 }
@@ -48,6 +49,7 @@ type Manager struct {
 func NewManager(
 	ctx context.Context,
 	clientCfg *v1.ClientCommonConfig,
 	encryptionKey []byte,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
 ) *Manager {
@@ -56,6 +58,7 @@ func NewManager(
 		msgTransporter: msgTransporter,
 		vnetController: vnetController,
 		closed:         false,
 		encryptionKey:  encryptionKey,
 		clientCfg:      clientCfg,
 		ctx:            ctx,
 	}
@@ -156,14 +159,14 @@ func (pm *Manager) UpdateAll(proxyCfgs []v1.ProxyConfigurer) {
 		}
 	}
 	if len(delPxyNames) > 0 {
-		xl.Infof("proxy removed: %s", delPxyNames)
+		xl.Infof("隧道移除: %s", delPxyNames)
 	}
 	addPxyNames := make([]string, 0)
 	for _, cfg := range proxyCfgs {
 		name := cfg.GetBaseConfig().Name
 		if _, ok := pm.proxies[name]; !ok {
-			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.HandleEvent, pm.msgTransporter, pm.vnetController)
+			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.encryptionKey, pm.HandleEvent, pm.msgTransporter, pm.vnetController)
 			if pm.inWorkConnCallback != nil {
 				pxy.SetInWorkConnCallback(pm.inWorkConnCallback)
 			}
@@ -174,6 +177,6 @@ func (pm *Manager) UpdateAll(proxyCfgs []v1.ProxyConfigurer) {
 		}
 	}
 	if len(addPxyNames) > 0 {
-		xl.Infof("proxy added: %s", addPxyNames)
+		xl.Infof("添加隧道: %s", addPxyNames)
 	}
 }
--- a/client/proxy/proxy_wrapper.go
+++ b/client/proxy/proxy_wrapper.go
@@ -92,6 +92,7 @@ func NewWrapper(
 	ctx context.Context,
 	cfg v1.ProxyConfigurer,
 	clientCfg *v1.ClientCommonConfig,
 	encryptionKey []byte,
 	eventHandler event.Handler,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
@@ -122,7 +123,7 @@ func NewWrapper(
 		xl.Tracef("enable health check monitor")
 	}
-	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, pw.msgTransporter, pw.vnetController)
+	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, encryptionKey, pw.msgTransporter, pw.vnetController)
 	return pw
 }
--- a/client/proxy/sudp.go
+++ b/client/proxy/sudp.go
@@ -91,7 +91,7 @@ func (pxy *SUDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		})
 	}
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Auth.Token))
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
 		if err != nil {
 			conn.Close()
 			xl.Errorf("create encryption stream error: %v", err)
--- a/client/proxy/udp.go
+++ b/client/proxy/udp.go
@@ -90,7 +90,7 @@ func (pxy *UDPProxy) Close() {
 func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 	xl := pxy.xl
-	xl.Infof("incoming a new work connection for udp proxy, %s", conn.RemoteAddr().String())
+	xl.Infof("收到一条新的 UDP 代理工作连接, %s", conn.RemoteAddr().String())
 	// close resources related with old workConn
 	pxy.Close()
@@ -102,7 +102,7 @@ func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		})
 	}
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Auth.Token))
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
 		if err != nil {
 			conn.Close()
 			xl.Errorf("create encryption stream error: %v", err)
--- a/client/service.go
+++ b/client/service.go
@@ -31,6 +31,7 @@ import (
 	"github.com/fatedier/frp/pkg/auth"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 	"github.com/fatedier/frp/pkg/policy/security"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
@@ -64,6 +65,8 @@ type ServiceOptions struct {
 	ProxyCfgs   []v1.ProxyConfigurer
 	VisitorCfgs []v1.VisitorConfigurer
 	UnsafeFeatures *security.UnsafeFeatures
 	// ConfigFilePath is the path to the configuration file used to initialize.
 	// If it is empty, it means that the configuration file is not used for initialization.
 	// It may be initialized using command line parameters or called directly.
@@ -108,8 +111,8 @@ type Service struct {
 	// Uniq id got from frps, it will be attached to loginMsg.
 	runID string
-	// Sets authentication based on selected method
+	// Auth runtime and encryption materials
-	authSetter auth.Setter
+	auth *auth.ClientAuth
 	// web server for admin UI and apis
 	webServer *httppkg.Server
@@ -122,6 +125,8 @@ type Service struct {
 	visitorCfgs []v1.VisitorConfigurer
 	clientSpec  *msg.ClientSpec
 	unsafeFeatures *security.UnsafeFeatures
 	// The configuration file used to initialize this client, or an empty
 	// string if no configuration file was used.
 	configFilePath string
@@ -150,17 +155,18 @@ func NewService(options ServiceOptions) (*Service, error) {
 		webServer = ws
 	}
-	authSetter, err := auth.NewAuthSetter(options.Common.Auth)
+	authRuntime, err := auth.BuildClientAuth(&options.Common.Auth)
 	if err != nil {
 		return nil, err
 	}
 	s := &Service{
 		ctx:              context.Background(),
-		authSetter:       authSetter,
+		auth:             authRuntime,
 		webServer:        webServer,
 		common:           options.Common,
 		configFilePath:   options.ConfigFilePath,
 		unsafeFeatures:   options.UnsafeFeatures,
 		proxyCfgs:        options.ProxyCfgs,
 		visitorCfgs:      options.VisitorCfgs,
 		clientSpec:       options.ClientSpec,
@@ -213,7 +219,7 @@ func (svr *Service) Run(ctx context.Context) error {
 	if svr.ctl == nil {
 		cancelCause := cancelErr{}
 		_ = errors.As(context.Cause(svr.ctx), &cancelCause)
-		return fmt.Errorf("login to the server failed: %v. With loginFailExit enabled, no additional retries will be attempted", cancelCause.Err)
+		return fmt.Errorf("登录服务器失败: %v. 启用 loginFailExit 后，将不再尝试重试", cancelCause.Err)
 	}
 	go svr.keepControllerWorking()
@@ -275,11 +281,15 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 		return
 	}
 	hostname, _ := os.Hostname()
 	loginMsg := &msg.Login{
 		Arch:      runtime.GOARCH,
 		Os:        runtime.GOOS,
 		Hostname:  hostname,
 		PoolCount: svr.common.Transport.PoolCount,
 		User:      svr.common.User,
 		ClientID:  svr.common.ClientID,
 		Version:   version.Full(),
 		Timestamp: time.Now().Unix(),
 		RunID:     svr.runID,
@@ -290,7 +300,7 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 	}
 	// Add auth
-	if err = svr.authSetter.SetLogin(loginMsg); err != nil {
+	if err = svr.auth.Setter.SetLogin(loginMsg); err != nil {
 		return
 	}
@@ -314,7 +324,7 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 	svr.runID = loginRespMsg.RunID
 	xl.AddPrefix(xlog.LogPrefix{Name: "runID", Value: svr.runID})
-	xl.Infof("login to server success, get run id [%s]", loginRespMsg.RunID)
+	xl.Infof("登录服务器成功, 获取 run id [%s]", loginRespMsg.RunID)
 	return
 }
@@ -322,10 +332,10 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 	xl := xlog.FromContextSafe(svr.ctx)
 	loginFunc := func() (bool, error) {
-		xl.Infof("try to connect to server...")
+		xl.Infof("尝试连接到服务器...")
 		conn, connector, err := svr.login()
 		if err != nil {
-			xl.Warnf("connect to server error: %v", err)
+			xl.Warnf("连接服务器错误: %v", err)
 			if firstLoginExit {
 				svr.cancel(cancelErr{Err: err})
 			}
@@ -344,7 +354,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 			RunID:          svr.runID,
 			Conn:           conn,
 			ConnEncrypted:  connEncrypted,
-			AuthSetter:     svr.authSetter,
+			Auth:           svr.auth,
 			Connector:      connector,
 			VnetController: svr.vnetController,
 		}
--- a/client/visitor/stcp.go
+++ b/client/visitor/stcp.go
@@ -15,6 +15,7 @@
 package visitor
 import (
 	"fmt"
 	"io"
 	"net"
 	"strconv"
@@ -81,11 +82,22 @@ func (sv *STCPVisitor) internalConnWorker() {
 func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	defer userConn.Close()
+	var tunnelErr error
 	defer func() {
 		// If there was an error and connection supports CloseWithError, use it
 		if tunnelErr != nil {
 			if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
 				_ = eConn.CloseWithError(tunnelErr)
 				return
 			}
 		}
 		userConn.Close()
 	}()
 	xl.Debugf("get a new stcp user connection")
 	visitorConn, err := sv.helper.ConnectServer()
 	if err != nil {
 		tunnelErr = err
 		return
 	}
 	defer visitorConn.Close()
@@ -102,6 +114,7 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
 	if err != nil {
 		xl.Warnf("send newVisitorConnMsg to server error: %v", err)
 		tunnelErr = err
 		return
 	}
@@ -110,12 +123,14 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
 	if err != nil {
 		xl.Warnf("get newVisitorConnRespMsg error: %v", err)
 		tunnelErr = err
 		return
 	}
 	_ = visitorConn.SetReadDeadline(time.Time{})
 	if newVisitorConnRespMsg.Error != "" {
 		xl.Warnf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
 		tunnelErr = fmt.Errorf("%s", newVisitorConnRespMsg.Error)
 		return
 	}
@@ -125,6 +140,7 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.SecretKey))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			tunnelErr = err
 			return
 		}
 	}
--- a/client/visitor/visitor.go
+++ b/client/visitor/visitor.go
@@ -71,7 +71,7 @@ func NewVisitor(
 				Name:           cfg.GetBaseConfig().Name,
 				Ctx:            ctx,
 				VnetController: helper.VNetController(),
-				HandleConn: func(conn net.Conn) {
+				SendConnToVisitor: func(conn net.Conn) {
 					_ = baseVisitor.AcceptConn(conn)
 				},
 			},
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@@ -162,8 +162,16 @@ func (sv *XTCPVisitor) keepTunnelOpenWorker() {
 func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
 	isConnTransferred := false
 	var tunnelErr error
 	defer func() {
 		if !isConnTransferred {
 			// If there was an error and connection supports CloseWithError, use it
 			if tunnelErr != nil {
 				if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
 					_ = eConn.CloseWithError(tunnelErr)
 					return
 				}
 			}
 			userConn.Close()
 		}
 	}()
@@ -181,6 +189,8 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	tunnelConn, err := sv.openTunnel(ctx)
 	if err != nil {
 		xl.Errorf("open tunnel error: %v", err)
 		tunnelErr = err
 		// no fallback, just return
 		if sv.cfg.FallbackTo == "" {
 			return
@@ -200,6 +210,7 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 		muxConnRWCloser, err = libio.WithEncryption(muxConnRWCloser, []byte(sv.cfg.SecretKey))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			tunnelErr = err
 			return
 		}
 	}
--- a/cmd/frpc/main.go
+++ b/cmd/frpc/main.go
@@ -15,9 +15,9 @@
 package main
 import (
 	_ "github.com/fatedier/frp/assets/frpc"
 	"github.com/fatedier/frp/cmd/frpc/sub"
 	"github.com/fatedier/frp/pkg/util/system"
 	_ "github.com/fatedier/frp/web/frpc"
 )
 func main() {
--- a/cmd/frpc/sub/admin.go
+++ b/cmd/frpc/sub/admin.go
@@ -54,7 +54,11 @@ func NewAdminCommand(name, short string, handler func(*v1.ClientCommonConfig) er
 		Use:   name,
 		Short: short,
 		Run: func(cmd *cobra.Command, args []string) {
-			cfg, _, _, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
+			if len(cfgFiles) == 0 || cfgFiles[0] == "" {
 				fmt.Println("frpc: the configuration file is not specified")
 				os.Exit(1)
 			}
 			cfg, _, _, _, err := config.LoadClientConfig(cfgFiles[0], strictConfigMode)
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
--- a/cmd/frpc/sub/nathole.go
+++ b/cmd/frpc/sub/nathole.go
@@ -48,8 +48,17 @@ var natholeDiscoveryCmd = &cobra.Command{
 	Short: "Discover nathole information from stun server",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		// ignore error here, because we can use command line pameters
-		cfg, _, _, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
+		var cfg *v1.ClientCommonConfig
-		if err != nil {
+		if len(cfgFiles) > 0 && cfgFiles[0] != "" {
 			_, _, _, _, err := config.LoadClientConfig(cfgFiles[0], strictConfigMode)
 			if err != nil {
 				cfg = &v1.ClientCommonConfig{}
 				if err := cfg.Complete(); err != nil {
 					fmt.Printf("failed to complete config: %v\n", err)
 					os.Exit(1)
 				}
 			}
 		} else {
 			cfg = &v1.ClientCommonConfig{}
 			if err := cfg.Complete(); err != nil {
 				fmt.Printf("failed to complete config: %v\n", err)
--- a/cmd/frpc/sub/proxy.go
+++ b/cmd/frpc/sub/proxy.go
@@ -24,6 +24,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 var proxyTypes = []v1.ProxyType{
@@ -77,7 +78,10 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
+
 			unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 			validator := validation.NewConfigValidator(unsafeFeatures)
 			if _, err := validator.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
@@ -88,7 +92,7 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, "")
+			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, unsafeFeatures, "", "", "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@@ -106,7 +110,9 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
+			unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 			validator := validation.NewConfigValidator(unsafeFeatures)
 			if _, err := validator.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
@@ -117,7 +123,7 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, "")
+			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, unsafeFeatures, "", "", "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
--- a/cmd/frpc/sub/root.go
+++ b/cmd/frpc/sub/root.go
@@ -16,11 +16,15 @@ package sub
 import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/fs"
 	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
@@ -31,23 +35,32 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/featuregate"
+	"github.com/fatedier/frp/pkg/policy/featuregate"
 	"github.com/fatedier/frp/pkg/policy/security"
 	"github.com/fatedier/frp/pkg/util/banner"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 )
 var (
-	cfgFile          string
+	cfgFiles         []string
 	cfgDir           string
 	showVersion      bool
 	strictConfigMode bool
 	allowUnsafe      []string
 	authTokens       []string
 	bannerDisplayed bool
 )
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "./frpc.ini", "config file of frpc")
+	rootCmd.PersistentFlags().StringSliceVarP(&cfgFiles, "config", "c", []string{"./frpc.ini"}, "config files of frpc (support multiple files)")
 	rootCmd.PersistentFlags().StringVarP(&cfgDir, "config_dir", "", "", "config directory, run one frpc service for each file in config directory")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause an errors")
 	rootCmd.PersistentFlags().StringSliceVarP(&authTokens, "token", "t", []string{}, "authentication tokens in format 'id:token' (LoliaFRP only)")
 	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
 		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ClientUnsafeFeatures, ", ")))
 }
 var rootCmd = &cobra.Command{
@@ -59,15 +72,32 @@ var rootCmd = &cobra.Command{
 			return nil
 		}
 		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		// If authTokens is provided, fetch config from API
 		if len(authTokens) > 0 {
 			err := runClientWithTokens(authTokens, unsafeFeatures)
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			return nil
 		}
 		// If cfgDir is not empty, run multiple frpc service for each config file in cfgDir.
 		// Note that it's only designed for testing. It's not guaranteed to be stable.
 		if cfgDir != "" {
-			_ = runMultipleClients(cfgDir)
+			_ = runMultipleClients(cfgDir, unsafeFeatures)
 			return nil
 		}
 		// If multiple config files are specified, run one frpc service for each file
 		if len(cfgFiles) > 1 {
 			runMultipleClientsFromFiles(cfgFiles, unsafeFeatures)
 			return nil
 		}
 		// Do not show command usage here.
-		err := runClient(cfgFile)
+		err := runClient(cfgFiles[0], unsafeFeatures)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -76,7 +106,7 @@ var rootCmd = &cobra.Command{
 	},
 }
-func runMultipleClients(cfgDir string) error {
+func runMultipleClients(cfgDir string, unsafeFeatures *security.UnsafeFeatures) error {
 	var wg sync.WaitGroup
 	err := filepath.WalkDir(cfgDir, func(path string, d fs.DirEntry, err error) error {
 		if err != nil || d.IsDir() {
@@ -86,7 +116,7 @@ func runMultipleClients(cfgDir string) error {
 		time.Sleep(time.Millisecond)
 		go func() {
 			defer wg.Done()
-			err := runClient(path)
+			err := runClient(path, unsafeFeatures)
 			if err != nil {
 				fmt.Printf("frpc service error for config file [%s]\n", path)
 			}
@@ -97,6 +127,29 @@ func runMultipleClients(cfgDir string) error {
 	return err
 }
 func runMultipleClientsFromFiles(cfgFiles []string, unsafeFeatures *security.UnsafeFeatures) {
 	var wg sync.WaitGroup
 	// Display banner first
 	banner.DisplayBanner()
 	bannerDisplayed = true
 	log.Infof("检测到 %d 个配置文件，将启动多个 frpc 服务实例", len(cfgFiles))
 	for _, cfgFile := range cfgFiles {
 		wg.Add(1)
 		// Add a small delay to avoid log output mixing
 		time.Sleep(100 * time.Millisecond)
 		go func(path string) {
 			defer wg.Done()
 			err := runClient(path, unsafeFeatures)
 			if err != nil {
 				fmt.Printf("\n配置文件 [%s] 启动失败: %v\n", path, err)
 			}
 		}(cfgFile)
 	}
 	wg.Wait()
 }
 func Execute() {
 	rootCmd.SetGlobalNormalizationFunc(config.WordSepNormalizeFunc)
 	if err := rootCmd.Execute(); err != nil {
@@ -111,7 +164,7 @@ func handleTermSignal(svr *client.Service) {
 	svr.GracefulClose(500 * time.Millisecond)
 }
-func runClient(cfgFilePath string) error {
+func runClient(cfgFilePath string, unsafeFeatures *security.UnsafeFeatures) error {
 	cfg, proxyCfgs, visitorCfgs, isLegacyFormat, err := config.LoadClientConfig(cfgFilePath, strictConfigMode)
 	if err != nil {
 		return err
@@ -127,32 +180,48 @@ func runClient(cfgFilePath string) error {
 		}
 	}
-	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs)
+	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs, unsafeFeatures)
 	if warning != nil {
 		fmt.Printf("WARNING: %v\n", warning)
 	}
 	if err != nil {
 		return err
 	}
-	return startService(cfg, proxyCfgs, visitorCfgs, cfgFilePath)
+
 	return startService(cfg, proxyCfgs, visitorCfgs, unsafeFeatures, cfgFilePath, "", "")
 }
 func startService(
 	cfg *v1.ClientCommonConfig,
 	proxyCfgs []v1.ProxyConfigurer,
 	visitorCfgs []v1.VisitorConfigurer,
 	unsafeFeatures *security.UnsafeFeatures,
 	cfgFile string,
 	nodeName string,
 	tunnelRemark string,
 ) error {
 	log.InitLogger(cfg.Log.To, cfg.Log.Level, int(cfg.Log.MaxDays), cfg.Log.DisablePrintColor)
 	// Display banner only once before starting the first service
 	if !bannerDisplayed {
 		banner.DisplayBanner()
 		bannerDisplayed = true
 	}
 	// Display node information if available
 	if nodeName != "" {
 		log.Info("已获取到配置文件", "隧道名称", tunnelRemark, "使用节点", nodeName)
 	}
 	if cfgFile != "" {
-		log.Infof("start frpc service for config file [%s]", cfgFile)
+		log.Infof("启动 frpc 服务 [%s]", cfgFile)
-		defer log.Infof("frpc service for config file [%s] stopped", cfgFile)
+		defer log.Infof("frpc 服务 [%s] 已停止", cfgFile)
 	}
 	svr, err := client.NewService(client.ServiceOptions{
 		Common:         cfg,
 		ProxyCfgs:      proxyCfgs,
 		VisitorCfgs:    visitorCfgs,
 		UnsafeFeatures: unsafeFeatures,
 		ConfigFilePath: cfgFile,
 	})
 	if err != nil {
@@ -166,3 +235,187 @@ func startService(
 	}
 	return svr.Run(context.Background())
 }
 // APIResponse represents the response from LoliaFRP API
 type APIResponse struct {
 	Code int    `json:"code"`
 	Msg  string `json:"msg"`
 	Data struct {
 		Config       string `json:"config"`
 		NodeName     string `json:"node_name"`
 		TunnelRemark string `json:"tunnel_remark"`
 	} `json:"data"`
 }
 // TokenInfo stores parsed id and token from the -t parameter
 type TokenInfo struct {
 	ID    string
 	Token string
 }
 func runClientWithTokens(tokens []string, unsafeFeatures *security.UnsafeFeatures) error {
 	// Parse all tokens (format: id:token)
 	tokenInfos := make([]TokenInfo, 0, len(tokens))
 	for _, t := range tokens {
 		parts := strings.SplitN(t, ":", 2)
 		if len(parts) != 2 {
 			return fmt.Errorf("invalid token format '%s', expected 'id:token'", t)
 		}
 		tokenInfos = append(tokenInfos, TokenInfo{
 			ID:    strings.TrimSpace(parts[0]),
 			Token: strings.TrimSpace(parts[1]),
 		})
 	}
 	// Group tokens by token value (same token can have multiple IDs)
 	tokenToIDs := make(map[string][]string)
 	for _, ti := range tokenInfos {
 		tokenToIDs[ti.Token] = append(tokenToIDs[ti.Token], ti.ID)
 	}
 	// If we have multiple different tokens, start one service for each token group
 	if len(tokenToIDs) > 1 {
 		return runMultipleClientsWithTokens(tokenToIDs, unsafeFeatures)
 	}
 	// Get the single token and all its IDs
 	var token string
 	var ids []string
 	for t, idList := range tokenToIDs {
 		token = t
 		ids = idList
 		break
 	}
 	return runClientWithTokenAndIDs(token, ids, unsafeFeatures)
 }
 func runClientWithTokenAndIDs(token string, ids []string, unsafeFeatures *security.UnsafeFeatures) error {
 	// Get API server address from environment variable
 	apiServer := os.Getenv("LOLIA_API")
 	if apiServer == "" {
 		apiServer = "https://api.lolia.link"
 	}
 	// Build URL with query parameters
 	url := fmt.Sprintf("%s/api/v1/tunnel/frpc/config?token=%s&id=%s", apiServer, token, strings.Join(ids, ","))
 	// #nosec G107 -- URL is constructed from trusted source (environment variable or hardcoded)
 	resp, err := http.Get(url)
 	if err != nil {
 		return fmt.Errorf("failed to fetch config from API: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("API returned status code: %d", resp.StatusCode)
 	}
 	var apiResp APIResponse
 	if err := json.NewDecoder(resp.Body).Decode(&apiResp); err != nil {
 		return fmt.Errorf("failed to decode API response: %v", err)
 	}
 	if apiResp.Code != 200 {
 		return fmt.Errorf("API error: %s", apiResp.Msg)
 	}
 	// Decode base64 config
 	configBytes, err := base64.StdEncoding.DecodeString(apiResp.Data.Config)
 	if err != nil {
 		return fmt.Errorf("failed to decode base64 config: %v", err)
 	}
 	// Load config directly from bytes
 	return runClientWithConfig(configBytes, unsafeFeatures, apiResp.Data.NodeName, apiResp.Data.TunnelRemark)
 }
 func runMultipleClientsWithTokens(tokenToIDs map[string][]string, unsafeFeatures *security.UnsafeFeatures) error {
 	var wg sync.WaitGroup
 	// Display banner first
 	banner.DisplayBanner()
 	bannerDisplayed = true
 	log.Infof("检测到 %d 个不同的 token，将并行启动多个 frpc 服务实例", len(tokenToIDs))
 	index := 0
 	for token, ids := range tokenToIDs {
 		wg.Add(1)
 		currentIndex := index
 		currentToken := token
 		currentIDs := ids
 		totalCount := len(tokenToIDs)
 		// Add a small delay to avoid log output mixing
 		time.Sleep(100 * time.Millisecond)
 		go func() {
 			defer wg.Done()
 			maskedToken := currentToken
 			if len(maskedToken) > 6 {
 				maskedToken = maskedToken[:3] + "***" + maskedToken[len(maskedToken)-3:]
 			} else {
 				maskedToken = "***"
 			}
 			log.Infof("[%d/%d] 启动 token: %s (IDs: %v)", currentIndex+1, totalCount, maskedToken, currentIDs)
 			err := runClientWithTokenAndIDs(currentToken, currentIDs, unsafeFeatures)
 			if err != nil {
 				fmt.Printf("\nToken [%s] 启动失败: %v\n", maskedToken, err)
 			}
 		}()
 		index++
 	}
 	wg.Wait()
 	return nil
 }
 func runClientWithConfig(configBytes []byte, unsafeFeatures *security.UnsafeFeatures, nodeName, tunnelRemark string) error {
 	// Render template first
 	renderedBytes, err := config.RenderWithTemplate(configBytes, config.GetValues())
 	if err != nil {
 		return fmt.Errorf("failed to render template: %v", err)
 	}
 	var allCfg v1.ClientConfig
 	if err := config.LoadConfigure(renderedBytes, &allCfg, strictConfigMode); err != nil {
 		return fmt.Errorf("failed to parse config: %v", err)
 	}
 	cfg := &allCfg.ClientCommonConfig
 	proxyCfgs := make([]v1.ProxyConfigurer, 0, len(allCfg.Proxies))
 	for _, c := range allCfg.Proxies {
 		proxyCfgs = append(proxyCfgs, c.ProxyConfigurer)
 	}
 	visitorCfgs := make([]v1.VisitorConfigurer, 0, len(allCfg.Visitors))
 	for _, c := range allCfg.Visitors {
 		visitorCfgs = append(visitorCfgs, c.VisitorConfigurer)
 	}
 	// Call Complete to fill in default values
 	if err := cfg.Complete(); err != nil {
 		return fmt.Errorf("failed to complete config: %v", err)
 	}
 	// Call Complete for all proxies to add name prefix (e.g., user.tunnel_name)
 	for _, c := range proxyCfgs {
 		c.Complete(cfg.User)
 	}
 	for _, c := range visitorCfgs {
 		c.Complete(cfg)
 	}
 	if len(cfg.FeatureGates) > 0 {
 		if err := featuregate.SetFromMap(cfg.FeatureGates); err != nil {
 			return err
 		}
 	}
 	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs, unsafeFeatures)
 	if warning != nil {
 		fmt.Printf("WARNING: %v\n", warning)
 	}
 	if err != nil {
 		return err
 	}
 	return startService(cfg, proxyCfgs, visitorCfgs, unsafeFeatures, "", nodeName, tunnelRemark)
 }
--- a/cmd/frpc/sub/verify.go
+++ b/cmd/frpc/sub/verify.go
@@ -22,6 +22,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 func init() {
@@ -32,17 +33,19 @@ var verifyCmd = &cobra.Command{
 	Use:   "verify",
 	Short: "Verify that the configures is valid",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		if cfgFile == "" {
+		if len(cfgFiles) == 0 || cfgFiles[0] == "" {
 			fmt.Println("frpc: the configuration file is not specified")
 			return nil
 		}
 		cfgFile := cfgFiles[0]
 		cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}
-		warning, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs)
+		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		warning, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, unsafeFeatures)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/cmd/frps/main.go
+++ b/cmd/frps/main.go
@@ -15,9 +15,9 @@
 package main
 import (
 	_ "github.com/fatedier/frp/assets/frps"
 	_ "github.com/fatedier/frp/pkg/metrics"
 	"github.com/fatedier/frp/pkg/util/system"
 	_ "github.com/fatedier/frp/web/frps"
 )
 func main() {
--- a/cmd/frps/root.go
+++ b/cmd/frps/root.go
@@ -18,12 +18,14 @@ import (
 	"context"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 	"github.com/fatedier/frp/server"
@@ -33,6 +35,7 @@ var (
 	cfgFile          string
 	showVersion      bool
 	strictConfigMode bool
 	allowUnsafe      []string
 	serverCfg v1.ServerConfig
 )
@@ -41,6 +44,8 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "", "config file of frps")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frps")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause errors")
 	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
 		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ServerUnsafeFeatures, ", ")))
 	config.RegisterServerConfigFlags(rootCmd, &serverCfg)
 }
@@ -77,7 +82,9 @@ var rootCmd = &cobra.Command{
 			svrCfg = &serverCfg
 		}
-		warning, err := validation.ValidateServerConfig(svrCfg)
+		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		validator := validation.NewConfigValidator(unsafeFeatures)
 		warning, err := validator.ValidateServerConfig(svrCfg)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/cmd/frps/verify.go
+++ b/cmd/frps/verify.go
@@ -22,6 +22,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 func init() {
@@ -42,7 +43,9 @@ var verifyCmd = &cobra.Command{
 			os.Exit(1)
 		}
-		warning, err := validation.ValidateServerConfig(svrCfg)
+		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		validator := validation.NewConfigValidator(unsafeFeatures)
 		warning, err := validator.ValidateServerConfig(svrCfg)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/conf/frpc_full_example.toml
+++ b/conf/frpc_full_example.toml
@@ -1,5 +1,7 @@
 # This configuration file is for reference only. Please do not use this configuration directly to run the program as it may have various issues.
 # Optional unique identifier for this frpc instance.
 clientID = "your_client_id"
 # your proxy name will be changed to {user}.{proxy}
 user = "your_name"
@@ -143,6 +145,11 @@ transport.tls.enable = true
 # Default is empty, means all proxies.
 # start = ["ssh", "dns"]
 # Alternative to 'start': You can control each proxy individually using the 'enabled' field.
 # Set 'enabled = false' in a proxy configuration to disable it.
 # If 'enabled' is not set or set to true, the proxy is enabled by default.
 # The 'enabled' field provides more granular control and is recommended over 'start'.
 # Specify udp packet size, unit is byte. If not set, the default value is 1500.
 # This parameter should be same between client and server.
 # It affects the udp and sudp proxy.
@@ -169,6 +176,8 @@ metadatas.var2 = "123"
 # If global user is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
 name = "ssh"
 type = "tcp"
 # Enable or disable this proxy. true or omit this field to enable, false to disable.
 # enabled = true
 localIP = "127.0.0.1"
 localPort = 22
 # Limit bandwidth for this proxy, unit is KB and MB
@@ -253,6 +262,8 @@ healthCheck.httpHeaders=[
 [[proxies]]
 name = "web02"
 type = "https"
 # Disable this proxy by setting enabled to false
 # enabled = false
 localIP = "127.0.0.1"
 localPort = 8000
 subdomain = "web02"
@@ -318,6 +329,14 @@ type = "https2http"
 localAddr = "127.0.0.1:80"
 crtPath = "./server.crt"
 keyPath = "./server.key"
 # autoTLS can replace crtPath/keyPath and automatically apply/renew certificates.
 # [proxies.plugin.autoTLS]
 # enable = true
 # email = "admin@example.com"
 # cacheDir = "./.autotls-cache"
 # hostAllowList is optional. If omitted, frpc will use customDomains automatically.
 # hostAllowList = ["test.yourdomain.com"]
 # caDirURL = "https://acme-v02.api.letsencrypt.org/directory"
 hostHeaderRewrite = "127.0.0.1"
 requestHeaders.set.x-from-where = "frp"
@@ -330,6 +349,14 @@ type = "https2https"
 localAddr = "127.0.0.1:443"
 crtPath = "./server.crt"
 keyPath = "./server.key"
 # autoTLS can replace crtPath/keyPath and automatically apply/renew certificates.
 # [proxies.plugin.autoTLS]
 # enable = true
 # email = "admin@example.com"
 # cacheDir = "./.autotls-cache"
 # hostAllowList is optional. If omitted, frpc will use customDomains automatically.
 # hostAllowList = ["test.yourdomain.com"]
 # caDirURL = "https://acme-v02.api.letsencrypt.org/directory"
 hostHeaderRewrite = "127.0.0.1"
 requestHeaders.set.x-from-where = "frp"
@@ -343,6 +370,15 @@ localAddr = "127.0.0.1:443"
 hostHeaderRewrite = "127.0.0.1"
 requestHeaders.set.x-from-where = "frp"
 [[proxies]]
 name = "plugin_http2https_redirect"
 type = "http"
 customDomains = ["test.yourdomain.com"]
 [proxies.plugin]
 type = "http2https_redirect"
 # Optional. Defaults to 443. Set this if the HTTPS entry is exposed on a non-standard port.
 # httpsPort = 443
 [[proxies]]
 name = "plugin_http2http"
 type = "tcp"
@@ -362,6 +398,14 @@ type = "tls2raw"
 localAddr = "127.0.0.1:80"
 crtPath = "./server.crt"
 keyPath = "./server.key"
 # autoTLS can replace crtPath/keyPath and automatically apply/renew certificates.
 # [proxies.plugin.autoTLS]
 # enable = true
 # email = "admin@example.com"
 # cacheDir = "./.autotls-cache"
 # hostAllowList is optional. If omitted, frpc will use customDomains automatically.
 # hostAllowList = ["test.yourdomain.com"]
 # caDirURL = "https://acme-v02.api.letsencrypt.org/directory"
 [[proxies]]
 name = "secret_tcp"
--- a/doc/pic/sponsor_daytona.png
+++ b/doc/pic/sponsor_daytona.png
--- a/doc/pic/sponsor_lokal.png
+++ b/doc/pic/sponsor_lokal.png
--- a/doc/pic/sponsor_workos.png
+++ b/doc/pic/sponsor_workos.png
--- a/doc/pic/zsxq.jpg
+++ b/doc/pic/zsxq.jpg
--- a/dockerfiles/Dockerfile-for-frpc
+++ b/dockerfiles/Dockerfile-for-frpc
@@ -1,9 +1,17 @@
-FROM golang:1.24 AS building
+FROM node:22 AS web-builder
 WORKDIR /web/frpc
 COPY web/frpc/ ./
 RUN npm install
 RUN npm run build
 FROM golang:1.25 AS building
 COPY . /building
 COPY --from=web-builder /web/frpc/dist /building/web/frpc/dist
 WORKDIR /building
-RUN make frpc
+RUN env CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -tags frpc -o bin/frpc ./cmd/frpc
 FROM alpine:3
--- a/dockerfiles/Dockerfile-for-frps
+++ b/dockerfiles/Dockerfile-for-frps
@@ -1,9 +1,17 @@
-FROM golang:1.24 AS building
+FROM node:22 AS web-builder
 WORKDIR /web/frps
 COPY web/frps/ ./
 RUN npm install
 RUN npm run build
 FROM golang:1.25 AS building
 COPY . /building
 COPY --from=web-builder /web/frps/dist /building/web/frps/dist
 WORKDIR /building
-RUN make frps
+RUN env CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -tags frps -o bin/frps ./cmd/frps
 FROM alpine:3
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/pion/stun/v2 v2.0.0
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.19.1
-	github.com/quic-go/quic-go v0.53.0
+	github.com/quic-go/quic-go v0.55.0
 	github.com/rodaine/table v1.2.0
 	github.com/samber/lo v1.47.0
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
@@ -26,10 +26,10 @@ require (
 	github.com/tidwall/gjson v1.17.1
 	github.com/vishvananda/netlink v1.3.0
 	github.com/xtaci/kcp-go/v5 v5.6.13
-	golang.org/x/crypto v0.37.0
+	golang.org/x/crypto v0.41.0
-	golang.org/x/net v0.39.0
+	golang.org/x/net v0.43.0
 	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.13.0
+	golang.org/x/sync v0.16.0
 	golang.org/x/time v0.5.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	gopkg.in/ini.v1 v1.67.0
@@ -39,10 +39,18 @@ require (
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
 	github.com/charmbracelet/log v0.4.2 // indirect
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
@@ -51,6 +59,10 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/klauspost/reedsolomon v1.12.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/pion/dtls/v2 v2.2.7 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/transport/v2 v2.2.1 // indirect
@@ -60,18 +72,20 @@ require (
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/templexxx/cpu v0.1.1 // indirect
 	github.com/templexxx/xorsimd v0.4.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -4,11 +4,25 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzS
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/log v0.4.2 h1:hYt8Qj6a8yLnvR+h7MwsJv/XvmBJXiueUcI3cIxsyig=
 github.com/charmbracelet/log v0.4.2/go.mod h1:qifHGX/tc7eluv2R6pWIpyHDDrrb/AG71Pf2ysQu5nw=
 github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
 github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
 github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd h1:vy0GVL4jeHEwG5YOXDmi86oYw2yuYUGqz6a8sLwg0X8=
 github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
@@ -26,6 +40,8 @@ github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6 h1:u92UUy6FURPmNsMB
 github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6/go.mod h1:c5/tk6G0dSpXGzJN7Wk1OEie8grdSJAmeawId9Zvd34=
 github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
 github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
 github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -70,8 +86,16 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
@@ -105,10 +129,12 @@ github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSz
 github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/quic-go/quic-go v0.53.0 h1:QHX46sISpG2S03dPeZBgVIZp8dGagIaiu2FiVYvpCZI=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
-github.com/quic-go/quic-go v0.53.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rodaine/table v1.2.0 h1:38HEnwK4mKSHQJIkavVj+bst1TEY7j9zhLMWu4QJrMA=
 github.com/rodaine/table v1.2.0/go.mod h1:wejb/q/Yd4T/SVmBSRMr7GCq3KlcZp3gyNYdLSBhkaE=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
@@ -149,6 +175,8 @@ github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQ
 github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/xtaci/kcp-go/v5 v5.6.13 h1:FEjtz9+D4p8t2x4WjciGt/jsIuhlWjjgPCCWjrVR4Hk=
 github.com/xtaci/kcp-go/v5 v5.6.13/go.mod h1:75S1AKYYzNUSXIv30h+jPKJYZUwqpfvLshu63nCNSOM=
 github.com/xtaci/lossyconn v0.0.0-20200209145036-adba10fffc37 h1:EWU6Pktpas0n8lLQwDsRyZfmkPeRbdgPtW609es+/9E=
@@ -156,24 +184,26 @@ github.com/xtaci/lossyconn v0.0.0-20200209145036-adba10fffc37/go.mod h1:HpMP7DB2
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -187,8 +217,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
 golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
@@ -197,8 +227,8 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -209,28 +239,29 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -241,8 +272,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
--- a/package.sh
+++ b/package.sh
@@ -18,7 +18,7 @@ rm -rf ./release/packages
 mkdir -p ./release/packages
 os_all='linux windows darwin freebsd openbsd android'
-arch_all='386 amd64 arm arm64 mips64 mips64le mips mipsle riscv64 loong64'
+arch_all='amd64 arm arm64'
 extra_all='_ hf'
 cd ./release
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -15,6 +15,7 @@
 package auth
 import (
 	"context"
 	"fmt"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
@@ -27,14 +28,51 @@ type Setter interface {
 	SetNewWorkConn(*msg.NewWorkConn) error
 }
 type ClientAuth struct {
 	Setter Setter
 	key    []byte
 }
 func (a *ClientAuth) EncryptionKey() []byte {
 	return a.key
 }
 // BuildClientAuth resolves any dynamic auth values and returns a prepared auth runtime.
 // Caller must run validation before calling this function.
 func BuildClientAuth(cfg *v1.AuthClientConfig) (*ClientAuth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("auth config is nil")
 	}
 	resolved := *cfg
 	if resolved.Method == v1.AuthMethodToken && resolved.TokenSource != nil {
 		token, err := resolved.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return nil, fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		resolved.Token = token
 	}
 	setter, err := NewAuthSetter(resolved)
 	if err != nil {
 		return nil, err
 	}
 	return &ClientAuth{
 		Setter: setter,
 		key:    []byte(resolved.Token),
 	}, nil
 }
 func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter, err error) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
 		authProvider = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		authProvider, err = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
+		if cfg.OIDC.TokenSource != nil {
-		if err != nil {
+			authProvider = NewOidcTokenSourceAuthSetter(cfg.AdditionalScopes, cfg.OIDC.TokenSource)
-			return nil, err
+		} else {
 			authProvider, err = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
 			if err != nil {
 				return nil, err
 			}
 		}
 	default:
 		return nil, fmt.Errorf("unsupported auth method: %s", cfg.Method)
@@ -48,6 +86,35 @@ type Verifier interface {
 	VerifyNewWorkConn(*msg.NewWorkConn) error
 }
 type ServerAuth struct {
 	Verifier Verifier
 	key      []byte
 }
 func (a *ServerAuth) EncryptionKey() []byte {
 	return a.key
 }
 // BuildServerAuth resolves any dynamic auth values and returns a prepared auth runtime.
 // Caller must run validation before calling this function.
 func BuildServerAuth(cfg *v1.AuthServerConfig) (*ServerAuth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("auth config is nil")
 	}
 	resolved := *cfg
 	if resolved.Method == v1.AuthMethodToken && resolved.TokenSource != nil {
 		token, err := resolved.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return nil, fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		resolved.Token = token
 	}
 	return &ServerAuth{
 		Verifier: NewAuthVerifier(resolved),
 		key:      []byte(resolved.Token),
 	}, nil
 }
 func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -152,6 +152,51 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e
 	return err
 }
 type OidcTokenSourceAuthProvider struct {
 	additionalAuthScopes []v1.AuthScope
 	valueSource *v1.ValueSource
 }
 func NewOidcTokenSourceAuthSetter(additionalAuthScopes []v1.AuthScope, valueSource *v1.ValueSource) *OidcTokenSourceAuthProvider {
 	return &OidcTokenSourceAuthProvider{
 		additionalAuthScopes: additionalAuthScopes,
 		valueSource:          valueSource,
 	}
 }
 func (auth *OidcTokenSourceAuthProvider) generateAccessToken() (accessToken string, err error) {
 	ctx := context.Background()
 	accessToken, err = auth.valueSource.Resolve(ctx)
 	if err != nil {
 		return "", fmt.Errorf("couldn't acquire OIDC token for login: %v", err)
 	}
 	return
 }
 func (auth *OidcTokenSourceAuthProvider) SetLogin(loginMsg *msg.Login) (err error) {
 	loginMsg.PrivilegeKey, err = auth.generateAccessToken()
 	return err
 }
 func (auth *OidcTokenSourceAuthProvider) SetPing(pingMsg *msg.Ping) (err error) {
 	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
 		return nil
 	}
 	pingMsg.PrivilegeKey, err = auth.generateAccessToken()
 	return err
 }
 func (auth *OidcTokenSourceAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (err error) {
 	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
 		return nil
 	}
 	newWorkConnMsg.PrivilegeKey, err = auth.generateAccessToken()
 	return err
 }
 type TokenVerifier interface {
 	Verify(context.Context, string) (*oidc.IDToken, error)
 }
--- a/pkg/config/flags.go
+++ b/pkg/config/flags.go
@@ -167,6 +167,7 @@ func RegisterClientCommonConfigFlags(cmd *cobra.Command, c *v1.ClientCommonConfi
 		c.Transport.TLS.Enable = cmd.PersistentFlags().BoolP("tls_enable", "", true, "enable frpc tls")
 	}
 	cmd.PersistentFlags().StringVarP(&c.User, "user", "u", "", "user")
 	cmd.PersistentFlags().StringVar(&c.ClientID, "client-id", "", "unique identifier for this frpc instance")
 	cmd.PersistentFlags().StringVarP(&c.Auth.Token, "token", "t", "", "auth token")
 }
--- a/pkg/config/load.go
+++ b/pkg/config/load.go
@@ -281,6 +281,17 @@ func LoadClientConfig(path string, strict bool) (
 		})
 	}
 	// Filter by enabled field in each proxy
 	// nil or true means enabled, false means disabled
 	proxyCfgs = lo.Filter(proxyCfgs, func(c v1.ProxyConfigurer, _ int) bool {
 		enabled := c.GetBaseConfig().Enabled
 		return enabled == nil || *enabled
 	})
 	visitorCfgs = lo.Filter(visitorCfgs, func(c v1.VisitorConfigurer, _ int) bool {
 		enabled := c.GetBaseConfig().Enabled
 		return enabled == nil || *enabled
 	})
 	if cliCfg != nil {
 		if err := cliCfg.Complete(); err != nil {
 			return nil, nil, nil, isLegacyFormat, err
--- a/pkg/config/v1/client.go
+++ b/pkg/config/v1/client.go
@@ -15,8 +15,6 @@
 package v1
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/samber/lo"
@@ -39,6 +37,8 @@ type ClientCommonConfig struct {
 	// clients. If this value is not "", proxy names will automatically be
 	// changed to "{user}.{proxy_name}".
 	User string `json:"user,omitempty"`
 	// ClientID uniquely identifies this frpc instance.
 	ClientID string `json:"clientID,omitempty"`
 	// ServerAddr specifies the address of the server to connect to. By
 	// default, this value is "0.0.0.0".
@@ -198,17 +198,6 @@ type AuthClientConfig struct {
 func (c *AuthClientConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
 	// Resolve tokenSource during configuration loading
 	if c.Method == AuthMethodToken && c.TokenSource != nil {
 		token, err := c.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		// Move the resolved token to the Token field and clear TokenSource
 		c.Token = token
 		c.TokenSource = nil
 	}
 	return nil
 }
@@ -239,6 +228,10 @@ type AuthOIDCClientConfig struct {
 	// Supports http, https, socks5, and socks5h proxy protocols.
 	// If empty, no proxy is used for OIDC connections.
 	ProxyURL string `json:"proxyURL,omitempty"`
 	// TokenSource specifies a custom dynamic source for the authorization token.
 	// This is mutually exclusive with every other field of this structure.
 	TokenSource *ValueSource `json:"tokenSource,omitempty"`
 }
 type VirtualNetConfig struct {
--- a/pkg/config/v1/client_test.go
+++ b/pkg/config/v1/client_test.go
@@ -15,8 +15,6 @@
 package v1
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/samber/lo"
@@ -38,68 +36,9 @@ func TestClientConfigComplete(t *testing.T) {
 }
 func TestAuthClientConfig_Complete(t *testing.T) {
-	// Create a temporary file for testing
+	require := require.New(t)
-	tmpDir := t.TempDir()
+	cfg := &AuthClientConfig{}
-	testFile := filepath.Join(tmpDir, "test_token")
+	err := cfg.Complete()
-	testContent := "client-token-value"
+	require.NoError(err)
-	err := os.WriteFile(testFile, []byte(testContent), 0o600)
+	require.EqualValues("token", cfg.Method)
 	require.NoError(t, err)
 	tests := []struct {
 		name        string
 		config      AuthClientConfig
 		expectToken string
 		expectPanic bool
 	}{
 		{
 			name: "tokenSource resolved to token",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: testFile,
 					},
 				},
 			},
 			expectToken: testContent,
 			expectPanic: false,
 		},
 		{
 			name: "direct token unchanged",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				Token:  "direct-token",
 			},
 			expectToken: "direct-token",
 			expectPanic: false,
 		},
 		{
 			name: "invalid tokenSource should panic",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: "/non/existent/file",
 					},
 				},
 			},
 			expectPanic: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.expectPanic {
 				err := tt.config.Complete()
 				require.Error(t, err)
 			} else {
 				err := tt.config.Complete()
 				require.NoError(t, err)
 				require.Equal(t, tt.expectToken, tt.config.Token)
 				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
 			}
 		})
 	}
 }
--- a/pkg/config/v1/proxy.go
+++ b/pkg/config/v1/proxy.go
@@ -108,8 +108,11 @@ type DomainConfig struct {
 }
 type ProxyBaseConfig struct {
-	Name        string            `json:"name"`
+	Name string `json:"name"`
-	Type        string            `json:"type"`
+	Type string `json:"type"`
 	// Enabled controls whether this proxy is enabled. nil or true means enabled, false means disabled.
 	// This allows individual control over each proxy, complementing the global "start" field.
 	Enabled     *bool             `json:"enabled,omitempty"`
 	Annotations map[string]string `json:"annotations,omitempty"`
 	Transport   ProxyTransport    `json:"transport,omitempty"`
 	// metadata info for each proxy
--- a/pkg/config/v1/proxy_plugin.go
+++ b/pkg/config/v1/proxy_plugin.go
@@ -27,29 +27,31 @@ import (
 )
 const (
-	PluginHTTP2HTTPS       = "http2https"
+	PluginHTTP2HTTPS         = "http2https"
-	PluginHTTPProxy        = "http_proxy"
+	PluginHTTP2HTTPSRedirect = "http2https_redirect"
-	PluginHTTPS2HTTP       = "https2http"
+	PluginHTTPProxy          = "http_proxy"
-	PluginHTTPS2HTTPS      = "https2https"
+	PluginHTTPS2HTTP         = "https2http"
-	PluginHTTP2HTTP        = "http2http"
+	PluginHTTPS2HTTPS        = "https2https"
-	PluginSocks5           = "socks5"
+	PluginHTTP2HTTP          = "http2http"
-	PluginStaticFile       = "static_file"
+	PluginSocks5             = "socks5"
-	PluginUnixDomainSocket = "unix_domain_socket"
+	PluginStaticFile         = "static_file"
-	PluginTLS2Raw          = "tls2raw"
+	PluginUnixDomainSocket   = "unix_domain_socket"
-	PluginVirtualNet       = "virtual_net"
+	PluginTLS2Raw            = "tls2raw"
 	PluginVirtualNet         = "virtual_net"
 )
 var clientPluginOptionsTypeMap = map[string]reflect.Type{
-	PluginHTTP2HTTPS:       reflect.TypeOf(HTTP2HTTPSPluginOptions{}),
+	PluginHTTP2HTTPS:         reflect.TypeOf(HTTP2HTTPSPluginOptions{}),
-	PluginHTTPProxy:        reflect.TypeOf(HTTPProxyPluginOptions{}),
+	PluginHTTP2HTTPSRedirect: reflect.TypeOf(HTTP2HTTPSRedirectPluginOptions{}),
-	PluginHTTPS2HTTP:       reflect.TypeOf(HTTPS2HTTPPluginOptions{}),
+	PluginHTTPProxy:          reflect.TypeOf(HTTPProxyPluginOptions{}),
-	PluginHTTPS2HTTPS:      reflect.TypeOf(HTTPS2HTTPSPluginOptions{}),
+	PluginHTTPS2HTTP:         reflect.TypeOf(HTTPS2HTTPPluginOptions{}),
-	PluginHTTP2HTTP:        reflect.TypeOf(HTTP2HTTPPluginOptions{}),
+	PluginHTTPS2HTTPS:        reflect.TypeOf(HTTPS2HTTPSPluginOptions{}),
-	PluginSocks5:           reflect.TypeOf(Socks5PluginOptions{}),
+	PluginHTTP2HTTP:          reflect.TypeOf(HTTP2HTTPPluginOptions{}),
-	PluginStaticFile:       reflect.TypeOf(StaticFilePluginOptions{}),
+	PluginSocks5:             reflect.TypeOf(Socks5PluginOptions{}),
-	PluginUnixDomainSocket: reflect.TypeOf(UnixDomainSocketPluginOptions{}),
+	PluginStaticFile:         reflect.TypeOf(StaticFilePluginOptions{}),
-	PluginTLS2Raw:          reflect.TypeOf(TLS2RawPluginOptions{}),
+	PluginUnixDomainSocket:   reflect.TypeOf(UnixDomainSocketPluginOptions{}),
-	PluginVirtualNet:       reflect.TypeOf(VirtualNetPluginOptions{}),
+	PluginTLS2Raw:            reflect.TypeOf(TLS2RawPluginOptions{}),
 	PluginVirtualNet:         reflect.TypeOf(VirtualNetPluginOptions{}),
 }
 type ClientPluginOptions interface {
@@ -109,6 +111,13 @@ type HTTP2HTTPSPluginOptions struct {
 func (o *HTTP2HTTPSPluginOptions) Complete() {}
 type HTTP2HTTPSRedirectPluginOptions struct {
 	Type      string `json:"type,omitempty"`
 	HTTPSPort int    `json:"httpsPort,omitempty"`
 }
 func (o *HTTP2HTTPSRedirectPluginOptions) Complete() {}
 type HTTPProxyPluginOptions struct {
 	Type         string `json:"type,omitempty"`
 	HTTPUser     string `json:"httpUser,omitempty"`
@@ -117,6 +126,18 @@ type HTTPProxyPluginOptions struct {
 func (o *HTTPProxyPluginOptions) Complete() {}
 type AutoTLSOptions struct {
 	Enable bool `json:"enable,omitempty"`
 	// Contact email for certificate expiration and important notices.
 	Email string `json:"email,omitempty"`
 	// Directory used to cache ACME account and certificates.
 	CacheDir string `json:"cacheDir,omitempty"`
 	// ACME directory URL, e.g. Let's Encrypt staging/prod endpoint.
 	CADirURL string `json:"caDirURL,omitempty"`
 	// Restrict certificate issuance to the listed domains.
 	HostAllowList []string `json:"hostAllowList,omitempty"`
 }
 type HTTPS2HTTPPluginOptions struct {
 	Type              string           `json:"type,omitempty"`
 	LocalAddr         string           `json:"localAddr,omitempty"`
@@ -125,6 +146,7 @@ type HTTPS2HTTPPluginOptions struct {
 	EnableHTTP2       *bool            `json:"enableHTTP2,omitempty"`
 	CrtPath           string           `json:"crtPath,omitempty"`
 	KeyPath           string           `json:"keyPath,omitempty"`
 	AutoTLS           *AutoTLSOptions  `json:"autoTLS,omitempty"`
 }
 func (o *HTTPS2HTTPPluginOptions) Complete() {
@@ -139,6 +161,7 @@ type HTTPS2HTTPSPluginOptions struct {
 	EnableHTTP2       *bool            `json:"enableHTTP2,omitempty"`
 	CrtPath           string           `json:"crtPath,omitempty"`
 	KeyPath           string           `json:"keyPath,omitempty"`
 	AutoTLS           *AutoTLSOptions  `json:"autoTLS,omitempty"`
 }
 func (o *HTTPS2HTTPSPluginOptions) Complete() {
@@ -180,10 +203,11 @@ type UnixDomainSocketPluginOptions struct {
 func (o *UnixDomainSocketPluginOptions) Complete() {}
 type TLS2RawPluginOptions struct {
-	Type      string `json:"type,omitempty"`
+	Type      string          `json:"type,omitempty"`
-	LocalAddr string `json:"localAddr,omitempty"`
+	LocalAddr string          `json:"localAddr,omitempty"`
-	CrtPath   string `json:"crtPath,omitempty"`
+	CrtPath   string          `json:"crtPath,omitempty"`
-	KeyPath   string `json:"keyPath,omitempty"`
+	KeyPath   string          `json:"keyPath,omitempty"`
 	AutoTLS   *AutoTLSOptions `json:"autoTLS,omitempty"`
 }
 func (o *TLS2RawPluginOptions) Complete() {}
--- a/pkg/config/v1/server.go
+++ b/pkg/config/v1/server.go
@@ -15,9 +15,6 @@
 package v1
 import (
 	"context"
 	"fmt"
 	"github.com/samber/lo"
 	"github.com/fatedier/frp/pkg/config/types"
@@ -138,17 +135,6 @@ type AuthServerConfig struct {
 func (c *AuthServerConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
 	// Resolve tokenSource during configuration loading
 	if c.Method == AuthMethodToken && c.TokenSource != nil {
 		token, err := c.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		// Move the resolved token to the Token field and clear TokenSource
 		c.Token = token
 		c.TokenSource = nil
 	}
 	return nil
 }
--- a/pkg/config/v1/server_test.go
+++ b/pkg/config/v1/server_test.go
@@ -15,8 +15,6 @@
 package v1
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/samber/lo"
@@ -35,68 +33,9 @@ func TestServerConfigComplete(t *testing.T) {
 }
 func TestAuthServerConfig_Complete(t *testing.T) {
-	// Create a temporary file for testing
+	require := require.New(t)
-	tmpDir := t.TempDir()
+	cfg := &AuthServerConfig{}
-	testFile := filepath.Join(tmpDir, "test_token")
+	err := cfg.Complete()
-	testContent := "file-token-value"
+	require.NoError(err)
-	err := os.WriteFile(testFile, []byte(testContent), 0o600)
+	require.EqualValues("token", cfg.Method)
 	require.NoError(t, err)
 	tests := []struct {
 		name        string
 		config      AuthServerConfig
 		expectToken string
 		expectPanic bool
 	}{
 		{
 			name: "tokenSource resolved to token",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: testFile,
 					},
 				},
 			},
 			expectToken: testContent,
 			expectPanic: false,
 		},
 		{
 			name: "direct token unchanged",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				Token:  "direct-token",
 			},
 			expectToken: "direct-token",
 			expectPanic: false,
 		},
 		{
 			name: "invalid tokenSource should panic",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: "/non/existent/file",
 					},
 				},
 			},
 			expectPanic: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.expectPanic {
 				err := tt.config.Complete()
 				require.Error(t, err)
 			} else {
 				err := tt.config.Complete()
 				require.NoError(t, err)
 				require.Equal(t, tt.expectToken, tt.config.Token)
 				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
 			}
 		})
 	}
 }
--- a/pkg/config/v1/validation/client.go
+++ b/pkg/config/v1/validation/client.go
@@ -23,55 +23,109 @@ import (
 	"github.com/samber/lo"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/featuregate"
+	"github.com/fatedier/frp/pkg/policy/featuregate"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
-func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
+func (v *ConfigValidator) ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 	var (
 		warnings Warning
 		errs     error
 	)
-	// validate feature gates
+
-	if c.VirtualNet.Address != "" {
+	validators := []func() (Warning, error){
-		if !featuregate.Enabled(featuregate.VirtualNet) {
+		func() (Warning, error) { return validateFeatureGates(c) },
-			return warnings, fmt.Errorf("VirtualNet feature is not enabled; enable it by setting the appropriate feature gate flag")
+		func() (Warning, error) { return v.validateAuthConfig(&c.Auth) },
-		}
+		func() (Warning, error) { return nil, validateLogConfig(&c.Log) },
 		func() (Warning, error) { return nil, validateWebServerConfig(&c.WebServer) },
 		func() (Warning, error) { return validateTransportConfig(&c.Transport) },
 		func() (Warning, error) { return validateIncludeFiles(c.IncludeConfigFiles) },
 	}
-	if !slices.Contains(SupportedAuthMethods, c.Auth.Method) {
+	for _, validator := range validators {
 		w, err := validator()
 		warnings = AppendError(warnings, w)
 		errs = AppendError(errs, err)
 	}
 	return warnings, errs
 }
 func validateFeatureGates(c *v1.ClientCommonConfig) (Warning, error) {
 	if c.VirtualNet.Address != "" {
 		if !featuregate.Enabled(featuregate.VirtualNet) {
 			return nil, fmt.Errorf("VirtualNet feature is not enabled; enable it by setting the appropriate feature gate flag")
 		}
 	}
 	return nil, nil
 }
 func (v *ConfigValidator) validateAuthConfig(c *v1.AuthClientConfig) (Warning, error) {
 	var errs error
 	if !slices.Contains(SupportedAuthMethods, c.Method) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth method, optional values are %v", SupportedAuthMethods))
 	}
-	if !lo.Every(SupportedAuthAdditionalScopes, c.Auth.AdditionalScopes) {
+	if !lo.Every(SupportedAuthAdditionalScopes, c.AdditionalScopes) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", SupportedAuthAdditionalScopes))
 	}
 	// Validate token/tokenSource mutual exclusivity
-	if c.Auth.Token != "" && c.Auth.TokenSource != nil {
+	if c.Token != "" && c.TokenSource != nil {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.token and auth.tokenSource"))
 	}
 	// Validate tokenSource if specified
-	if c.Auth.TokenSource != nil {
+	if c.TokenSource != nil {
-		if err := c.Auth.TokenSource.Validate(); err != nil {
+		if c.TokenSource.Type == "exec" {
 			if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
 				errs = AppendError(errs, err)
 			}
 		}
 		if err := c.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
 	}
-	if err := validateLogConfig(&c.Log); err != nil {
+	if err := v.validateOIDCConfig(&c.OIDC); err != nil {
 		errs = AppendError(errs, err)
 	}
 	return nil, errs
 }
-	if err := validateWebServerConfig(&c.WebServer); err != nil {
+func (v *ConfigValidator) validateOIDCConfig(c *v1.AuthOIDCClientConfig) error {
-		errs = AppendError(errs, err)
+	if c.TokenSource == nil {
 		return nil
 	}
 	var errs error
 	// Validate oidc.tokenSource mutual exclusivity with other fields of oidc
 	if c.ClientID != "" || c.ClientSecret != "" || c.Audience != "" ||
 		c.Scope != "" || c.TokenEndpointURL != "" || len(c.AdditionalEndpointParams) > 0 ||
 		c.TrustedCaFile != "" || c.InsecureSkipVerify || c.ProxyURL != "" {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.oidc.tokenSource and any other field of auth.oidc"))
 	}
 	if c.TokenSource.Type == "exec" {
 		if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
 			errs = AppendError(errs, err)
 		}
 	}
 	if err := c.TokenSource.Validate(); err != nil {
 		errs = AppendError(errs, fmt.Errorf("invalid auth.oidc.tokenSource: %v", err))
 	}
 	return errs
 }
-	if c.Transport.HeartbeatTimeout > 0 && c.Transport.HeartbeatInterval > 0 {
+func validateTransportConfig(c *v1.ClientTransportConfig) (Warning, error) {
-		if c.Transport.HeartbeatTimeout < c.Transport.HeartbeatInterval {
+	var (
 		warnings Warning
 		errs     error
 	)
 	if c.HeartbeatTimeout > 0 && c.HeartbeatInterval > 0 {
 		if c.HeartbeatTimeout < c.HeartbeatInterval {
 			errs = AppendError(errs, fmt.Errorf("invalid transport.heartbeatTimeout, heartbeat timeout should not less than heartbeat interval"))
 		}
 	}
-	if !lo.FromPtr(c.Transport.TLS.Enable) {
+	if !lo.FromPtr(c.TLS.Enable) {
 		checkTLSConfig := func(name string, value string) Warning {
 			if value != "" {
 				return fmt.Errorf("%s is invalid when transport.tls.enable is false", name)
@@ -79,16 +133,20 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 			return nil
 		}
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.certFile", c.Transport.TLS.CertFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.certFile", c.TLS.CertFile))
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.keyFile", c.Transport.TLS.KeyFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.keyFile", c.TLS.KeyFile))
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.Transport.TLS.TrustedCaFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.TLS.TrustedCaFile))
 	}
-	if !slices.Contains(SupportedTransportProtocols, c.Transport.Protocol) {
+	if !slices.Contains(SupportedTransportProtocols, c.Protocol) {
 		errs = AppendError(errs, fmt.Errorf("invalid transport.protocol, optional values are %v", SupportedTransportProtocols))
 	}
 	return warnings, errs
 }
-	for _, f := range c.IncludeConfigFiles {
+func validateIncludeFiles(files []string) (Warning, error) {
 	var errs error
 	for _, f := range files {
 		absDir, err := filepath.Abs(filepath.Dir(f))
 		if err != nil {
 			errs = AppendError(errs, fmt.Errorf("include: parse directory of %s failed: %v", f, err))
@@ -98,13 +156,19 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 			errs = AppendError(errs, fmt.Errorf("include: directory of %s not exist", f))
 		}
 	}
-	return warnings, errs
+	return nil, errs
 }
-func ValidateAllClientConfig(c *v1.ClientCommonConfig, proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) (Warning, error) {
+func ValidateAllClientConfig(
 	c *v1.ClientCommonConfig,
 	proxyCfgs []v1.ProxyConfigurer,
 	visitorCfgs []v1.VisitorConfigurer,
 	unsafeFeatures *security.UnsafeFeatures,
 ) (Warning, error) {
 	validator := NewConfigValidator(unsafeFeatures)
 	var warnings Warning
 	if c != nil {
-		warning, err := ValidateClientCommonConfig(c)
+		warning, err := validator.ValidateClientCommonConfig(c)
 		warnings = AppendError(warnings, warning)
 		if err != nil {
 			return warnings, err
--- a/pkg/config/v1/validation/plugin.go
+++ b/pkg/config/v1/validation/plugin.go
@@ -16,6 +16,8 @@ package validation
 import (
 	"errors"
 	"fmt"
 	"strings"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 )
@@ -24,6 +26,8 @@ func ValidateClientPluginOptions(c v1.ClientPluginOptions) error {
 	switch v := c.(type) {
 	case *v1.HTTP2HTTPSPluginOptions:
 		return validateHTTP2HTTPSPluginOptions(v)
 	case *v1.HTTP2HTTPSRedirectPluginOptions:
 		return validateHTTP2HTTPSRedirectPluginOptions(v)
 	case *v1.HTTPS2HTTPPluginOptions:
 		return validateHTTPS2HTTPPluginOptions(v)
 	case *v1.HTTPS2HTTPSPluginOptions:
@@ -45,10 +49,17 @@ func validateHTTP2HTTPSPluginOptions(c *v1.HTTP2HTTPSPluginOptions) error {
 	return nil
 }
 func validateHTTP2HTTPSRedirectPluginOptions(c *v1.HTTP2HTTPSRedirectPluginOptions) error {
 	return ValidatePort(c.HTTPSPort, "httpsPort")
 }
 func validateHTTPS2HTTPPluginOptions(c *v1.HTTPS2HTTPPluginOptions) error {
 	if c.LocalAddr == "" {
 		return errors.New("localAddr is required")
 	}
 	if err := validateAutoTLSOptions(c.AutoTLS, c.CrtPath, c.KeyPath); err != nil {
 		return fmt.Errorf("invalid autoTLS options: %w", err)
 	}
 	return nil
 }
@@ -56,6 +67,9 @@ func validateHTTPS2HTTPSPluginOptions(c *v1.HTTPS2HTTPSPluginOptions) error {
 	if c.LocalAddr == "" {
 		return errors.New("localAddr is required")
 	}
 	if err := validateAutoTLSOptions(c.AutoTLS, c.CrtPath, c.KeyPath); err != nil {
 		return fmt.Errorf("invalid autoTLS options: %w", err)
 	}
 	return nil
 }
@@ -77,5 +91,29 @@ func validateTLS2RawPluginOptions(c *v1.TLS2RawPluginOptions) error {
 	if c.LocalAddr == "" {
 		return errors.New("localAddr is required")
 	}
 	if err := validateAutoTLSOptions(c.AutoTLS, c.CrtPath, c.KeyPath); err != nil {
 		return fmt.Errorf("invalid autoTLS options: %w", err)
 	}
 	return nil
 }
 func validateAutoTLSOptions(c *v1.AutoTLSOptions, crtPath, keyPath string) error {
 	if c == nil || !c.Enable {
 		return nil
 	}
 	if crtPath != "" || keyPath != "" {
 		return errors.New("crtPath and keyPath must be empty when autoTLS.enable is true")
 	}
 	if strings.TrimSpace(c.CacheDir) == "" {
 		return errors.New("autoTLS.cacheDir is required when autoTLS.enable is true")
 	}
 	if len(c.HostAllowList) > 0 {
 		for _, host := range c.HostAllowList {
 			if strings.TrimSpace(host) == "" {
 				return errors.New("autoTLS.hostAllowList cannot contain empty domain")
 			}
 		}
 	}
 	return nil
 }
--- a/pkg/config/v1/validation/server.go
+++ b/pkg/config/v1/validation/server.go
@@ -21,9 +21,10 @@ import (
 	"github.com/samber/lo"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
-func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
+func (v *ConfigValidator) ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 	var (
 		warnings Warning
 		errs     error
@@ -42,6 +43,11 @@ func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 	// Validate tokenSource if specified
 	if c.Auth.TokenSource != nil {
 		if c.Auth.TokenSource.Type == "exec" {
 			if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
 				errs = AppendError(errs, err)
 			}
 		}
 		if err := c.Auth.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
--- a/pkg/config/v1/validation/validator.go
+++ b/pkg/config/v1/validation/validator.go
@@ -0,0 +1,28 @@
 package validation
 import (
 	"fmt"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 // ConfigValidator holds the context dependencies for configuration validation.
 type ConfigValidator struct {
 	unsafeFeatures *security.UnsafeFeatures
 }
 // NewConfigValidator creates a new ConfigValidator instance.
 func NewConfigValidator(unsafeFeatures *security.UnsafeFeatures) *ConfigValidator {
 	return &ConfigValidator{
 		unsafeFeatures: unsafeFeatures,
 	}
 }
 // ValidateUnsafeFeature checks if a specific unsafe feature is enabled.
 func (v *ConfigValidator) ValidateUnsafeFeature(feature string) error {
 	if !v.unsafeFeatures.IsEnabled(feature) {
 		return fmt.Errorf("unsafe feature %q is not enabled. "+
 			"To enable it, ensure it is allowed in the configuration or command line flags", feature)
 	}
 	return nil
 }
--- a/pkg/config/v1/value_source.go
+++ b/pkg/config/v1/value_source.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"strings"
 )
@@ -27,6 +28,7 @@ import (
 type ValueSource struct {
 	Type string      `json:"type"`
 	File *FileSource `json:"file,omitempty"`
 	Exec *ExecSource `json:"exec,omitempty"`
 }
 // FileSource specifies how to load a value from a file.
@@ -34,6 +36,18 @@ type FileSource struct {
 	Path string `json:"path"`
 }
 // ExecSource specifies how to get a value from another program launched as subprocess.
 type ExecSource struct {
 	Command string       `json:"command"`
 	Args    []string     `json:"args,omitempty"`
 	Env     []ExecEnvVar `json:"env,omitempty"`
 }
 type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
 // Validate validates the ValueSource configuration.
 func (v *ValueSource) Validate() error {
 	if v == nil {
@@ -46,8 +60,13 @@ func (v *ValueSource) Validate() error {
 			return errors.New("file configuration is required when type is 'file'")
 		}
 		return v.File.Validate()
 	case "exec":
 		if v.Exec == nil {
 			return errors.New("exec configuration is required when type is 'exec'")
 		}
 		return v.Exec.Validate()
 	default:
-		return fmt.Errorf("unsupported value source type: %s (only 'file' is supported)", v.Type)
+		return fmt.Errorf("unsupported value source type: %s (only 'file' and 'exec' are supported)", v.Type)
 	}
 }
@@ -60,6 +79,8 @@ func (v *ValueSource) Resolve(ctx context.Context) (string, error) {
 	switch v.Type {
 	case "file":
 		return v.File.Resolve(ctx)
 	case "exec":
 		return v.Exec.Resolve(ctx)
 	default:
 		return "", fmt.Errorf("unsupported value source type: %s", v.Type)
 	}
@@ -91,3 +112,47 @@ func (f *FileSource) Resolve(_ context.Context) (string, error) {
 	// Trim whitespace, which is important for file-based tokens
 	return strings.TrimSpace(string(content)), nil
 }
 // Validate validates the ExecSource configuration.
 func (e *ExecSource) Validate() error {
 	if e == nil {
 		return errors.New("execSource cannot be nil")
 	}
 	if e.Command == "" {
 		return errors.New("exec command cannot be empty")
 	}
 	for _, env := range e.Env {
 		if env.Name == "" {
 			return errors.New("exec env name cannot be empty")
 		}
 		if strings.Contains(env.Name, "=") {
 			return errors.New("exec env name cannot contain '='")
 		}
 	}
 	return nil
 }
 // Resolve reads and returns the content captured from stdout of launched subprocess.
 func (e *ExecSource) Resolve(ctx context.Context) (string, error) {
 	if err := e.Validate(); err != nil {
 		return "", err
 	}
 	cmd := exec.CommandContext(ctx, e.Command, e.Args...)
 	if len(e.Env) != 0 {
 		cmd.Env = os.Environ()
 		for _, env := range e.Env {
 			cmd.Env = append(cmd.Env, env.Name+"="+env.Value)
 		}
 	}
 	content, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to execute command %v: %v", e.Command, err)
 	}
 	// Trim whitespace, which is important for exec-based tokens
 	return strings.TrimSpace(string(content)), nil
 }
--- a/pkg/config/v1/visitor.go
+++ b/pkg/config/v1/visitor.go
@@ -32,8 +32,11 @@ type VisitorTransport struct {
 }
 type VisitorBaseConfig struct {
-	Name      string           `json:"name"`
+	Name string `json:"name"`
-	Type      string           `json:"type"`
+	Type string `json:"type"`
 	// Enabled controls whether this visitor is enabled. nil or true means enabled, false means disabled.
 	// This allows individual control over each visitor, complementing the global "start" field.
 	Enabled   *bool            `json:"enabled,omitempty"`
 	Transport VisitorTransport `json:"transport,omitempty"`
 	SecretKey string           `json:"secretKey,omitempty"`
 	// if the server user is not set, it defaults to the current user
--- a/pkg/metrics/aggregate/server.go
+++ b/pkg/metrics/aggregate/server.go
@@ -56,9 +56,9 @@ func (m *serverMetrics) CloseClient() {
 	}
 }
-func (m *serverMetrics) NewProxy(name string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string, user string, clientID string) {
 	for _, v := range m.ms {
-		v.NewProxy(name, proxyType)
+		v.NewProxy(name, proxyType, user, clientID)
 	}
 }
--- a/pkg/metrics/mem/server.go
+++ b/pkg/metrics/mem/server.go
@@ -98,7 +98,7 @@ func (m *serverMetrics) CloseClient() {
 	m.info.ClientCounts.Dec(1)
 }
-func (m *serverMetrics) NewProxy(name string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string, user string, clientID string) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	counter, ok := m.info.ProxyTypeCounts[proxyType]
@@ -119,6 +119,8 @@ func (m *serverMetrics) NewProxy(name string, proxyType string) {
 		}
 		m.info.ProxyStatistics[name] = proxyStats
 	}
 	proxyStats.User = user
 	proxyStats.ClientID = clientID
 	proxyStats.LastStartTime = time.Now()
 }
@@ -206,14 +208,17 @@ func (m *serverMetrics) GetProxiesByType(proxyType string) []*ProxyStats {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	filterAll := proxyType == "" || proxyType == "all"
 	for name, proxyStats := range m.info.ProxyStatistics {
-		if proxyStats.ProxyType != proxyType {
+		if !filterAll && proxyStats.ProxyType != proxyType {
 			continue
 		}
 		ps := &ProxyStats{
 			Name:            name,
 			Type:            proxyStats.ProxyType,
 			User:            proxyStats.User,
 			ClientID:        proxyStats.ClientID,
 			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        int64(proxyStats.CurConns.Count()),
@@ -233,8 +238,9 @@ func (m *serverMetrics) GetProxiesByTypeAndName(proxyType string, proxyName stri
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	filterAll := proxyType == "" || proxyType == "all"
 	for name, proxyStats := range m.info.ProxyStatistics {
-		if proxyStats.ProxyType != proxyType {
+		if !filterAll && proxyStats.ProxyType != proxyType {
 			continue
 		}
@@ -245,6 +251,8 @@ func (m *serverMetrics) GetProxiesByTypeAndName(proxyType string, proxyName stri
 		res = &ProxyStats{
 			Name:            name,
 			Type:            proxyStats.ProxyType,
 			User:            proxyStats.User,
 			ClientID:        proxyStats.ClientID,
 			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        int64(proxyStats.CurConns.Count()),
@@ -260,6 +268,31 @@ func (m *serverMetrics) GetProxiesByTypeAndName(proxyType string, proxyName stri
 	return
 }
 func (m *serverMetrics) GetProxyByName(proxyName string) (res *ProxyStats) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	proxyStats, ok := m.info.ProxyStatistics[proxyName]
 	if ok {
 		res = &ProxyStats{
 			Name:            proxyName,
 			Type:            proxyStats.ProxyType,
 			User:            proxyStats.User,
 			ClientID:        proxyStats.ClientID,
 			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        int64(proxyStats.CurConns.Count()),
 		}
 		if !proxyStats.LastStartTime.IsZero() {
 			res.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
 		}
 		if !proxyStats.LastCloseTime.IsZero() {
 			res.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
 		}
 	}
 	return
 }
 func (m *serverMetrics) GetProxyTraffic(name string) (res *ProxyTrafficInfo) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
--- a/pkg/metrics/mem/types.go
+++ b/pkg/metrics/mem/types.go
@@ -35,6 +35,8 @@ type ServerStats struct {
 type ProxyStats struct {
 	Name            string
 	Type            string
 	User            string
 	ClientID        string
 	TodayTrafficIn  int64
 	TodayTrafficOut int64
 	LastStartTime   string
@@ -51,6 +53,8 @@ type ProxyTrafficInfo struct {
 type ProxyStatistics struct {
 	Name          string
 	ProxyType     string
 	User          string
 	ClientID      string
 	TrafficIn     metric.DateCounter
 	TrafficOut    metric.DateCounter
 	CurConns      metric.Counter
@@ -78,6 +82,7 @@ type Collector interface {
 	GetServer() *ServerStats
 	GetProxiesByType(proxyType string) []*ProxyStats
 	GetProxiesByTypeAndName(proxyType string, proxyName string) *ProxyStats
 	GetProxyByName(proxyName string) *ProxyStats
 	GetProxyTraffic(name string) *ProxyTrafficInfo
 	ClearOfflineProxies() (int, int)
 }
--- a/pkg/metrics/prometheus/server.go
+++ b/pkg/metrics/prometheus/server.go
@@ -30,7 +30,7 @@ func (m *serverMetrics) CloseClient() {
 	m.clientCount.Dec()
 }
-func (m *serverMetrics) NewProxy(name string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string, _ string, _ string) {
 	m.proxyCount.WithLabelValues(proxyType).Inc()
 	m.proxyCountDetailed.WithLabelValues(proxyType, name).Inc()
 }
--- a/pkg/msg/handler.go
+++ b/pkg/msg/handler.go
@@ -86,10 +86,6 @@ func (d *Dispatcher) Send(m Message) error {
 	}
 }
 func (d *Dispatcher) SendChannel() chan Message {
 	return d.sendCh
 }
 func (d *Dispatcher) RegisterHandler(msg Message, handler func(Message)) {
 	d.msgHandlers[reflect.TypeOf(msg)] = handler
 }
--- a/pkg/msg/msg.go
+++ b/pkg/msg/msg.go
@@ -82,6 +82,7 @@ type Login struct {
 	PrivilegeKey string            `json:"privilege_key,omitempty"`
 	Timestamp    int64             `json:"timestamp,omitempty"`
 	RunID        string            `json:"run_id,omitempty"`
 	ClientID     string            `json:"client_id,omitempty"`
 	Metas        map[string]string `json:"metas,omitempty"`
 	// Currently only effective for VirtualClient.
--- a/pkg/nathole/controller.go
+++ b/pkg/nathole/controller.go
@@ -220,7 +220,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
 	// Make hole-punching decisions based on the NAT information of the client and visitor.
 	vResp, cResp, err := c.analysis(session)
 	if err != nil {
-		log.Debugf("sid [%s] analysis error: %v", err)
+		log.Debugf("sid [%s] analysis error: %v", sid, err)
 		vResp = c.GenNatHoleResponse(session.visitorMsg.TransactionID, nil, err.Error())
 		cResp = c.GenNatHoleResponse(session.clientMsg.TransactionID, nil, err.Error())
 	}
--- a/pkg/plugin/client/autotls.go
+++ b/pkg/plugin/client/autotls.go
@@ -0,0 +1,212 @@
 // Copyright 2026 The LoliaTeam Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //go:build !frps
 package client
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"os"
 	"strings"
 	"sync"
 	"time"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 func buildAutoTLSServerConfigWithHosts(pluginName string, auto *v1.AutoTLSOptions, fallbackHosts []string) (*tls.Config, error) {
 	if auto == nil || !auto.Enable {
 		return nil, fmt.Errorf("插件 %s 未启用 autoTLS", pluginName)
 	}
 	if err := os.MkdirAll(auto.CacheDir, 0o700); err != nil {
 		return nil, fmt.Errorf("插件 %s 创建 autoTLS 缓存目录失败: %w", pluginName, err)
 	}
 	hostSet := make(map[string]struct{})
 	hosts := make([]string, 0, len(auto.HostAllowList))
 	addHost := func(host string) {
 		host = strings.TrimSpace(strings.ToLower(host))
 		if host == "" {
 			return
 		}
 		if strings.Contains(host, "*") {
 			log.Warnf("[autoTLS][%s] 域名 [%s] 含通配符，自动申请不支持，已忽略", pluginName, host)
 			return
 		}
 		if _, ok := hostSet[host]; ok {
 			return
 		}
 		hostSet[host] = struct{}{}
 		hosts = append(hosts, host)
 	}
 	for _, host := range auto.HostAllowList {
 		addHost(host)
 	}
 	if len(hosts) == 0 {
 		for _, host := range fallbackHosts {
 			addHost(host)
 		}
 	}
 	if len(hosts) == 0 {
 		return nil, fmt.Errorf("插件 %s 的 hostAllowList 为空；请设置 autoTLS.hostAllowList 或 customDomains", pluginName)
 	}
 	manager := &autocert.Manager{
 		Prompt:     autocert.AcceptTOS,
 		Email:      strings.TrimSpace(auto.Email),
 		HostPolicy: autocert.HostWhitelist(hosts...),
 	}
 	caDirURL := strings.TrimSpace(auto.CADirURL)
 	if caDirURL != "" {
 		manager.Client = &acme.Client{DirectoryURL: caDirURL}
 	} else {
 		caDirURL = autocert.DefaultACMEDirectory
 	}
 	managedHosts := make(map[string]struct{}, len(hosts))
 	for _, host := range hosts {
 		managedHosts[host] = struct{}{}
 	}
 	var warmupInProgress sync.Map
 	var warmupMissLogged sync.Map
 	manager.Cache = &autoTLSCache{
 		inner:            autocert.DirCache(auto.CacheDir),
 		managedHosts:     managedHosts,
 		pluginName:       pluginName,
 		caDirURL:         caDirURL,
 		warmupInProgress: &warmupInProgress,
 		warmupMissLogged: &warmupMissLogged,
 	}
 	cfg := manager.TLSConfig()
 	log.Infof("[autoTLS][%s] 已启用 autoTLS，管理域名=%v，缓存目录=%s", pluginName, hosts, auto.CacheDir)
 	var readySeen sync.Map
 	handleCertReady := func(host string, cert *tls.Certificate) {
 		var (
 			notAfter  time.Time
 			hasExpiry bool
 		)
 		if t, ok := getCertificateNotAfter(cert); ok {
 			notAfter = t
 			hasExpiry = true
 		}
 		_, readyLogged := readySeen.LoadOrStore(host, struct{}{})
 		if hasExpiry {
 			if !readyLogged {
 				log.Infof("[autoTLS][%s] 域名 [%s] 证书已就绪，过期时间 %s", pluginName, host, notAfter.Format(time.RFC3339))
 			}
 		} else if !readyLogged {
 			log.Infof("[autoTLS][%s] 域名 [%s] 证书已就绪", pluginName, host)
 		}
 	}
 	cfg.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 		host := strings.TrimSpace(strings.ToLower(hello.ServerName))
 		if host == "" {
 			host = "<空SNI>"
 		}
 		cert, err := manager.GetCertificate(hello)
 		if err != nil {
 			log.Warnf("[autoTLS][%s] 获取域名 [%s] 证书失败: %v", pluginName, host, err)
 			return nil, err
 		}
 		handleCertReady(host, cert)
 		return cert, nil
 	}
 	// Warm up certificates in background after startup.
 	for _, host := range hosts {
 		h := host
 		go func() {
 			// Leave time for listener setup and route registration.
 			time.Sleep(1 * time.Second)
 			warmupMissLogged.Delete(h)
 			warmupInProgress.Store(h, struct{}{})
 			cert, err := manager.GetCertificate(&tls.ClientHelloInfo{ServerName: h})
 			warmupInProgress.Delete(h)
 			if err != nil {
 				log.Warnf("[autoTLS][%s] 域名 [%s] 预申请失败: %v", pluginName, h, err)
 				return
 			}
 			handleCertReady(h, cert)
 		}()
 	}
 	return cfg, nil
 }
 func getCertificateNotAfter(cert *tls.Certificate) (time.Time, bool) {
 	if cert == nil {
 		return time.Time{}, false
 	}
 	if cert.Leaf != nil {
 		return cert.Leaf.NotAfter, true
 	}
 	if len(cert.Certificate) == 0 {
 		return time.Time{}, false
 	}
 	leaf, err := x509.ParseCertificate(cert.Certificate[0])
 	if err != nil {
 		return time.Time{}, false
 	}
 	return leaf.NotAfter, true
 }
 type autoTLSCache struct {
 	inner            autocert.Cache
 	managedHosts     map[string]struct{}
 	pluginName       string
 	caDirURL         string
 	warmupInProgress *sync.Map
 	warmupMissLogged *sync.Map
 }
 func (c *autoTLSCache) Get(ctx context.Context, key string) ([]byte, error) {
 	data, err := c.inner.Get(ctx, key)
 	if err != autocert.ErrCacheMiss {
 		return data, err
 	}
 	host := strings.TrimSuffix(key, "+rsa")
 	if _, ok := c.managedHosts[host]; !ok {
 		return data, err
 	}
 	if _, warming := c.warmupInProgress.Load(host); !warming {
 		return data, err
 	}
 	if _, loaded := c.warmupMissLogged.LoadOrStore(host, struct{}{}); !loaded {
 		log.Infof("[autoTLS][%s] 开始预申请域名 [%s] 证书，申请方式=TLS-ALPN-01，caDirURL=%s", c.pluginName, host, c.caDirURL)
 	}
 	return data, err
 }
 func (c *autoTLSCache) Put(ctx context.Context, key string, data []byte) error {
 	return c.inner.Put(ctx, key, data)
 }
 func (c *autoTLSCache) Delete(ctx context.Context, key string) error {
 	return c.inner.Delete(ctx, key)
 }
--- a/pkg/plugin/client/http2https_redirect.go
+++ b/pkg/plugin/client/http2https_redirect.go
@@ -0,0 +1,107 @@
 // Copyright 2026 The LoliaTeam Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //go:build !frps
 package client
 import (
 	"context"
 	"net"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )
 func init() {
 	Register(v1.PluginHTTP2HTTPSRedirect, NewHTTP2HTTPSRedirectPlugin)
 }
 type HTTP2HTTPSRedirectPlugin struct {
 	opts *v1.HTTP2HTTPSRedirectPluginOptions
 	l *Listener
 	s *http.Server
 }
 func NewHTTP2HTTPSRedirectPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.HTTP2HTTPSRedirectPluginOptions)
 	listener := NewProxyListener()
 	p := &HTTP2HTTPSRedirectPlugin{
 		opts: opts,
 		l:    listener,
 	}
 	p.s = &http.Server{
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			http.Redirect(w, req, buildHTTPSRedirectURL(req, opts.HTTPSPort), http.StatusFound)
 		}),
 	}
 	go func() {
 		_ = p.s.Serve(listener)
 	}()
 	return p, nil
 }
 func buildHTTPSRedirectURL(req *http.Request, httpsPort int) string {
 	host := strings.TrimSpace(req.Host)
 	if host == "" {
 		host = strings.TrimSpace(req.URL.Host)
 	}
 	targetHost := host
 	if parsedHost, parsedPort, err := net.SplitHostPort(host); err == nil {
 		targetHost = parsedHost
 		if httpsPort == 0 && parsedPort == "443" {
 			httpsPort = 443
 		}
 	} else if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
 		targetHost = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
 	}
 	if httpsPort != 0 && httpsPort != 443 {
 		targetHost = net.JoinHostPort(targetHost, strconv.Itoa(httpsPort))
 	}
 	return (&url.URL{
 		Scheme:   "https",
 		Host:     targetHost,
 		Path:     req.URL.Path,
 		RawPath:  req.URL.RawPath,
 		RawQuery: req.URL.RawQuery,
 	}).String()
 }
 func (p *HTTP2HTTPSRedirectPlugin) Handle(_ context.Context, connInfo *ConnectionInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(connInfo.Conn, connInfo.UnderlyingConn)
 	if connInfo.SrcAddr != nil {
 		wrapConn.SetRemoteAddr(connInfo.SrcAddr)
 	}
 	_ = p.l.PutConn(wrapConn)
 }
 func (p *HTTP2HTTPSRedirectPlugin) Name() string {
 	return v1.PluginHTTP2HTTPSRedirect
 }
 func (p *HTTP2HTTPSRedirectPlugin) Close() error {
 	return p.s.Close()
 }
--- a/pkg/plugin/client/https2http.go
+++ b/pkg/plugin/client/https2http.go
@@ -46,7 +46,7 @@ type HTTPS2HTTPPlugin struct {
 	s *http.Server
 }
-func NewHTTPS2HTTPPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
+func NewHTTPS2HTTPPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.HTTPS2HTTPPluginOptions)
 	listener := NewProxyListener()
@@ -84,9 +84,18 @@ func NewHTTPS2HTTPPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugi
 		rp.ServeHTTP(w, r)
 	})
-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+	var tlsConfig *tls.Config
-	if err != nil {
+	var err error
-		return nil, fmt.Errorf("gen TLS config error: %v", err)
+	if p.opts.AutoTLS != nil && p.opts.AutoTLS.Enable {
 		tlsConfig, err = buildAutoTLSServerConfigWithHosts(pluginCtx.Name, p.opts.AutoTLS, pluginCtx.HostAllowList)
 		if err != nil {
 			return nil, fmt.Errorf("build autoTLS config error: %v", err)
 		}
 	} else {
 		tlsConfig, err = transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
 		if err != nil {
 			return nil, fmt.Errorf("gen TLS config error: %v", err)
 		}
 	}
 	p.s = &http.Server{
--- a/pkg/plugin/client/https2https.go
+++ b/pkg/plugin/client/https2https.go
@@ -46,7 +46,7 @@ type HTTPS2HTTPSPlugin struct {
 	s *http.Server
 }
-func NewHTTPS2HTTPSPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
+func NewHTTPS2HTTPSPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.HTTPS2HTTPSPluginOptions)
 	listener := NewProxyListener()
@@ -90,9 +90,18 @@ func NewHTTPS2HTTPSPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plug
 		rp.ServeHTTP(w, r)
 	})
-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+	var tlsConfig *tls.Config
-	if err != nil {
+	var err error
-		return nil, fmt.Errorf("gen TLS config error: %v", err)
+	if p.opts.AutoTLS != nil && p.opts.AutoTLS.Enable {
 		tlsConfig, err = buildAutoTLSServerConfigWithHosts(pluginCtx.Name, p.opts.AutoTLS, pluginCtx.HostAllowList)
 		if err != nil {
 			return nil, fmt.Errorf("build autoTLS config error: %v", err)
 		}
 	} else {
 		tlsConfig, err = transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
 		if err != nil {
 			return nil, fmt.Errorf("gen TLS config error: %v", err)
 		}
 	}
 	p.s = &http.Server{
--- a/pkg/plugin/client/plugin.go
+++ b/pkg/plugin/client/plugin.go
@@ -30,6 +30,7 @@ import (
 type PluginContext struct {
 	Name           string
 	HostAllowList  []string
 	VnetController *vnet.Controller
 }
--- a/pkg/plugin/client/tls2raw.go
+++ b/pkg/plugin/client/tls2raw.go
@@ -39,16 +39,25 @@ type TLS2RawPlugin struct {
 	tlsConfig *tls.Config
 }
-func NewTLS2RawPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
+func NewTLS2RawPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.TLS2RawPluginOptions)
 	p := &TLS2RawPlugin{
 		opts: opts,
 	}
-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+	var tlsConfig *tls.Config
-	if err != nil {
+	var err error
-		return nil, err
+	if p.opts.AutoTLS != nil && p.opts.AutoTLS.Enable {
 		tlsConfig, err = buildAutoTLSServerConfigWithHosts(pluginCtx.Name, p.opts.AutoTLS, pluginCtx.HostAllowList)
 		if err != nil {
 			return nil, err
 		}
 	} else {
 		tlsConfig, err = transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
 		if err != nil {
 			return nil, err
 		}
 	}
 	p.tlsConfig = tlsConfig
 	return p, nil
--- a/pkg/plugin/visitor/plugin.go
+++ b/pkg/plugin/visitor/plugin.go
@@ -23,11 +23,20 @@ import (
 	"github.com/fatedier/frp/pkg/vnet"
 )
 // PluginContext provides the necessary context and callbacks for visitor plugins.
 type PluginContext struct {
-	Name           string
+	// Name is the unique identifier for this visitor, used for logging and routing.
-	Ctx            context.Context
+	Name string
 	// Ctx manages the plugin's lifecycle and carries the logger for structured logging.
 	Ctx context.Context
 	// VnetController manages TUN device routing. May be nil if virtual networking is disabled.
 	VnetController *vnet.Controller
-	HandleConn     func(net.Conn)
+
 	// SendConnToVisitor sends a connection to the visitor's internal processing queue.
 	// Does not return error; failures are handled by closing the connection.
 	SendConnToVisitor func(net.Conn)
 }
 // Creators is used for create plugins to handle connections.
--- a/pkg/plugin/visitor/virtual_net.go
+++ b/pkg/plugin/visitor/virtual_net.go
@@ -42,6 +42,8 @@ type VirtualNetPlugin struct {
 	controllerConn net.Conn
 	closeSignal    chan struct{}
 	consecutiveErrors int // Tracks consecutive connection errors for exponential backoff
 	ctx    context.Context
 	cancel context.CancelFunc
 }
@@ -98,7 +100,6 @@ func (p *VirtualNetPlugin) Start() {
 func (p *VirtualNetPlugin) run() {
 	xl := xlog.FromContextSafe(p.ctx)
 	reconnectDelay := 10 * time.Second
 	for {
 		currentCloseSignal := make(chan struct{})
@@ -121,7 +122,10 @@ func (p *VirtualNetPlugin) run() {
 		p.controllerConn = controllerConn
 		p.mu.Unlock()
-		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func() {
+		// Wrap with CloseNotifyConn which supports both close notification and error recording
 		var closeErr error
 		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func(err error) {
 			closeErr = err
 			close(currentCloseSignal) // Signal the run loop on close.
 		})
@@ -129,9 +133,9 @@ func (p *VirtualNetPlugin) run() {
 		p.pluginCtx.VnetController.RegisterClientRoute(p.ctx, p.pluginCtx.Name, p.routes, controllerConn)
 		xl.Infof("successfully registered client route for visitor [%s]. Starting connection handler with CloseNotifyConn.", p.pluginCtx.Name)
-		// Pass the CloseNotifyConn to HandleConn.
+		// Pass the CloseNotifyConn to the visitor for handling.
-		// HandleConn is responsible for calling Close() on pluginNotifyConn.
+		// The visitor can call CloseWithError to record the failure reason.
-		p.pluginCtx.HandleConn(pluginNotifyConn)
+		p.pluginCtx.SendConnToVisitor(pluginNotifyConn)
 		// Wait for context cancellation or connection close.
 		select {
@@ -140,8 +144,32 @@ func (p *VirtualNetPlugin) run() {
 			p.cleanupControllerConn(xl)
 			return
 		case <-currentCloseSignal:
-			xl.Infof("detected connection closed via CloseNotifyConn for visitor [%s].", p.pluginCtx.Name)
+			// Determine reconnect delay based on error with exponential backoff
-			// HandleConn closed the plugin side. Close the controller side.
+			var reconnectDelay time.Duration
 			if closeErr != nil {
 				p.consecutiveErrors++
 				xl.Warnf("connection closed with error for visitor [%s] (consecutive errors: %d): %v",
 					p.pluginCtx.Name, p.consecutiveErrors, closeErr)
 				// Exponential backoff: 60s, 120s, 240s, 300s (capped)
 				baseDelay := 60 * time.Second
 				reconnectDelay = baseDelay * time.Duration(1<<uint(p.consecutiveErrors-1))
 				if reconnectDelay > 300*time.Second {
 					reconnectDelay = 300 * time.Second
 				}
 			} else {
 				// Reset consecutive errors on successful connection
 				if p.consecutiveErrors > 0 {
 					xl.Infof("connection closed normally for visitor [%s], resetting error counter (was %d)",
 						p.pluginCtx.Name, p.consecutiveErrors)
 					p.consecutiveErrors = 0
 				} else {
 					xl.Infof("connection closed normally for visitor [%s]", p.pluginCtx.Name)
 				}
 				reconnectDelay = 10 * time.Second
 			}
 			// The visitor closed the plugin side. Close the controller side.
 			p.cleanupControllerConn(xl)
 			xl.Infof("waiting %v before attempting reconnection for visitor [%s]...", reconnectDelay, p.pluginCtx.Name)
@@ -184,7 +212,7 @@ func (p *VirtualNetPlugin) Close() error {
 	}
 	// Explicitly close the controller side of the pipe.
-	// This ensures the pipe is broken even if the run loop is stuck or HandleConn hasn't closed its end.
+	// This ensures the pipe is broken even if the run loop is stuck or the visitor hasn't closed its end.
 	p.cleanupControllerConn(xl)
 	xl.Infof("finished cleaning up connections during close for visitor [%s]", p.pluginCtx.Name)
--- a/pkg/policy/featuregate/feature_gate.go
+++ b/pkg/policy/featuregate/feature_gate.go
--- a/pkg/policy/security/unsafe.go
+++ b/pkg/policy/security/unsafe.go
@@ -0,0 +1,34 @@
 package security
 const (
 	TokenSourceExec = "TokenSourceExec"
 )
 var (
 	ClientUnsafeFeatures = []string{
 		TokenSourceExec,
 	}
 	ServerUnsafeFeatures = []string{
 		TokenSourceExec,
 	}
 )
 type UnsafeFeatures struct {
 	features map[string]bool
 }
 func NewUnsafeFeatures(allowed []string) *UnsafeFeatures {
 	features := make(map[string]bool)
 	for _, f := range allowed {
 		features[f] = true
 	}
 	return &UnsafeFeatures{features: features}
 }
 func (u *UnsafeFeatures) IsEnabled(feature string) bool {
 	if u == nil {
 		return false
 	}
 	return u.features[feature]
 }
--- a/pkg/proto/udp/udp.go
+++ b/pkg/proto/udp/udp.go
@@ -124,8 +124,8 @@ func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UDPPacket, sendCh chan<-
 			}
 			mu.Unlock()
-			// Add proxy protocol header if configured
+			// Add proxy protocol header if configured (only for the first packet of a new connection)
-			if proxyProtocolVersion != "" && udpMsg.RemoteAddr != nil {
+			if !ok && proxyProtocolVersion != "" && udpMsg.RemoteAddr != nil {
 				ppBuf, err := netpkg.BuildProxyProtocolHeader(udpMsg.RemoteAddr, dstAddr, proxyProtocolVersion)
 				if err == nil {
 					// Prepend proxy protocol header to the UDP payload
--- a/pkg/sdk/client/client.go
+++ b/pkg/sdk/client/client.go
@@ -11,7 +11,7 @@ import (
 	"strconv"
 	"strings"
-	"github.com/fatedier/frp/client"
+	"github.com/fatedier/frp/client/api"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 )
@@ -32,7 +32,7 @@ func (c *Client) SetAuth(user, pwd string) {
 	c.authPwd = pwd
 }
-func (c *Client) GetProxyStatus(ctx context.Context, name string) (*client.ProxyStatusResp, error) {
+func (c *Client) GetProxyStatus(ctx context.Context, name string) (*api.ProxyStatusResp, error) {
 	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+c.address+"/api/status", nil)
 	if err != nil {
 		return nil, err
@@ -41,7 +41,7 @@ func (c *Client) GetProxyStatus(ctx context.Context, name string) (*client.Proxy
 	if err != nil {
 		return nil, err
 	}
-	allStatus := make(client.StatusResp)
+	allStatus := make(api.StatusResp)
 	if err = json.Unmarshal([]byte(content), &allStatus); err != nil {
 		return nil, fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(content))
 	}
@@ -55,7 +55,7 @@ func (c *Client) GetProxyStatus(ctx context.Context, name string) (*client.Proxy
 	return nil, fmt.Errorf("no proxy status found")
 }
-func (c *Client) GetAllProxyStatus(ctx context.Context) (client.StatusResp, error) {
+func (c *Client) GetAllProxyStatus(ctx context.Context) (api.StatusResp, error) {
 	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+c.address+"/api/status", nil)
 	if err != nil {
 		return nil, err
@@ -64,7 +64,7 @@ func (c *Client) GetAllProxyStatus(ctx context.Context) (client.StatusResp, erro
 	if err != nil {
 		return nil, err
 	}
-	allStatus := make(client.StatusResp)
+	allStatus := make(api.StatusResp)
 	if err = json.Unmarshal([]byte(content), &allStatus); err != nil {
 		return nil, fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(content))
 	}
--- a/pkg/transport/message.go
+++ b/pkg/transport/message.go
@@ -35,15 +35,19 @@ type MessageTransporter interface {
 	DispatchWithType(m msg.Message, msgType, laneKey string) bool
 }
-func NewMessageTransporter(sendCh chan msg.Message) MessageTransporter {
+type MessageSender interface {
 	Send(msg.Message) error
 }
 func NewMessageTransporter(sender MessageSender) MessageTransporter {
 	return &transporterImpl{
-		sendCh:   sendCh,
+		sender:   sender,
 		registry: make(map[string]map[string]chan msg.Message),
 	}
 }
 type transporterImpl struct {
-	sendCh chan msg.Message
+	sender MessageSender
 	// First key is message type and second key is lane key.
 	// Dispatch will dispatch message to related channel by its message type
@@ -53,9 +57,7 @@ type transporterImpl struct {
 }
 func (impl *transporterImpl) Send(m msg.Message) error {
-	return errors.PanicToError(func() {
+	return impl.sender.Send(m)
 		impl.sendCh <- m
 	})
 }
 func (impl *transporterImpl) Do(ctx context.Context, req msg.Message, laneKey, recvMsgType string) (msg.Message, error) {
--- a/pkg/util/banner/banner.go
+++ b/pkg/util/banner/banner.go
@@ -0,0 +1,18 @@
 package banner
 import (
 	"fmt"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 )
 func DisplayBanner() {
 	fmt.Println("    __          ___       __________  ____        ________    ____")
 	fmt.Println("   / /   ____  / (_)___ _/ ____/ __ \\/ __ \\      / ____/ /   /  _/")
 	fmt.Println("  / /   / __ \\/ / / __ `/ /_  / /_/ / /_/ /_____/ /   / /    / /  ")
 	fmt.Println(" / /___/ /_/ / / / /_/ / __/ / _, _/ ____/_____/ /___/ /____/ /   ")
 	fmt.Println("/_____/\\____/_/_/\\__,_/_/   /_/ |_/_/          \\____/_____/___/   ")
 	fmt.Println("                                                                  ")
 	log.Infof("Nya! %s 启动中", version.Full())
 }
--- a/pkg/util/http/context.go
+++ b/pkg/util/http/context.go
@@ -0,0 +1,57 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import (
 	"encoding/json"
 	"io"
 	"net/http"
 	"github.com/gorilla/mux"
 )
 type Context struct {
 	Req  *http.Request
 	Resp http.ResponseWriter
 	vars map[string]string
 }
 func NewContext(w http.ResponseWriter, r *http.Request) *Context {
 	return &Context{
 		Req:  r,
 		Resp: w,
 		vars: mux.Vars(r),
 	}
 }
 func (c *Context) Param(key string) string {
 	return c.vars[key]
 }
 func (c *Context) Query(key string) string {
 	return c.Req.URL.Query().Get(key)
 }
 func (c *Context) BindJSON(obj any) error {
 	body, err := io.ReadAll(c.Req.Body)
 	if err != nil {
 		return err
 	}
 	return json.Unmarshal(body, obj)
 }
 func (c *Context) Body() ([]byte, error) {
 	return io.ReadAll(c.Req.Body)
 }
--- a/pkg/util/http/error.go
+++ b/pkg/util/http/error.go
@@ -0,0 +1,33 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import "fmt"
 type Error struct {
 	Code int
 	Err  error
 }
 func (e *Error) Error() string {
 	return e.Err.Error()
 }
 func NewError(code int, msg string) *Error {
 	return &Error{
 		Code: code,
 		Err:  fmt.Errorf("%s", msg),
 	}
 }
--- a/pkg/util/http/handler.go
+++ b/pkg/util/http/handler.go
@@ -0,0 +1,66 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import (
 	"encoding/json"
 	"net/http"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 type GeneralResponse struct {
 	Code int
 	Msg  string
 }
 // APIHandler is a handler function that returns a response object or an error.
 type APIHandler func(ctx *Context) (any, error)
 // MakeHTTPHandlerFunc turns a normal APIHandler into a http.HandlerFunc.
 func MakeHTTPHandlerFunc(handler APIHandler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := NewContext(w, r)
 		res, err := handler(ctx)
 		if err != nil {
 			log.Warnf("http response [%s]: error: %v", r.URL.Path, err)
 			code := http.StatusInternalServerError
 			if e, ok := err.(*Error); ok {
 				code = e.Code
 			}
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(code)
 			_ = json.NewEncoder(w).Encode(GeneralResponse{Code: code, Msg: err.Error()})
 			return
 		}
 		if res == nil {
 			w.WriteHeader(http.StatusOK)
 			return
 		}
 		switch v := res.(type) {
 		case []byte:
 			_, _ = w.Write(v)
 		case string:
 			_, _ = w.Write([]byte(v))
 		default:
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(http.StatusOK)
 			_ = json.NewEncoder(w).Encode(v)
 		}
 	}
 }
--- a/pkg/util/http/middleware.go
+++ b/pkg/util/http/middleware.go
@@ -0,0 +1,40 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import (
 	"net/http"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 type responseWriter struct {
 	http.ResponseWriter
 	code int
 }
 func (rw *responseWriter) WriteHeader(code int) {
 	rw.code = code
 	rw.ResponseWriter.WriteHeader(code)
 }
 func NewRequestLogger(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		log.Infof("http request: [%s]", r.URL.Path)
 		rw := &responseWriter{ResponseWriter: w, code: http.StatusOK}
 		next.ServeHTTP(rw, r)
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, rw.code)
 	})
 }
--- a/pkg/util/log/log.go
+++ b/pkg/util/log/log.go
@@ -16,13 +16,18 @@ package log
 import (
 	"bytes"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
-	"github.com/fatedier/golib/log"
+	"github.com/charmbracelet/lipgloss"
 	"github.com/charmbracelet/log"
 )
 var (
-	TraceLevel = log.TraceLevel
+	TraceLevel = log.DebugLevel
 	DebugLevel = log.DebugLevel
 	InfoLevel  = log.InfoLevel
 	WarnLevel  = log.WarnLevel
@@ -32,39 +37,158 @@ var (
 var Logger *log.Logger
 func init() {
-	Logger = log.New(
+	Logger = log.NewWithOptions(os.Stderr, log.Options{
-		log.WithCaller(true),
+		ReportCaller:    true,
-		log.AddCallerSkip(1),
+		ReportTimestamp: true,
-		log.WithLevel(log.InfoLevel),
+		TimeFormat:      time.Kitchen,
-	)
+		Prefix:          "LoliaFRP-CLI",
 		CallerOffset:    1,
 	})
 	// 设置自定义样式以支持 Trace 级别
 	styles := log.DefaultStyles()
 	styles.Levels[TraceLevel] = lipgloss.NewStyle().
 		SetString("TRACE").
 		Bold(true).
 		MaxWidth(5).
 		Foreground(lipgloss.Color("61"))
 	Logger.SetStyles(styles)
 }
 func InitLogger(logPath string, levelStr string, maxDays int, disableLogColor bool) {
-	options := []log.Option{}
+	var output io.Writer
 	var err error
 	if logPath == "console" {
-		if !disableLogColor {
+		output = os.Stdout
 			options = append(options,
 				log.WithOutput(log.NewConsoleWriter(log.ConsoleConfig{
 					Colorful: true,
 				}, os.Stdout)),
 			)
 		}
 	} else {
-		writer := log.NewRotateFileWriter(log.RotateFileConfig{
+		// Use rotating file writer
-			FileName: logPath,
+		output, err = NewRotateFileWriter(logPath, maxDays)
-			Mode:     log.RotateFileModeDaily,
+		if err != nil {
-			MaxDays:  maxDays,
+			// Fallback to console if file creation fails
-		})
+			output = os.Stdout
-		writer.Init()
+		}
 		options = append(options, log.WithOutput(writer))
 	}
 	level, err := log.ParseLevel(levelStr)
 	if err != nil {
 		level = log.InfoLevel
 	}
-	options = append(options, log.WithLevel(level))
+
-	Logger = Logger.WithOptions(options...)
+	Logger = log.NewWithOptions(output, log.Options{
 		ReportCaller:    true,
 		ReportTimestamp: true,
 		TimeFormat:      time.Kitchen,
 		Prefix:          "LoliaFRP-CLI",
 		CallerOffset:    1,
 		Level:           level,
 	})
 }
 // NewRotateFileWriter creates a rotating file writer
 func NewRotateFileWriter(filePath string, maxDays int) (*RotateFileWriter, error) {
 	w := &RotateFileWriter{
 		filePath:    filePath,
 		maxDays:     maxDays,
 		lastRotate:  time.Now(),
 		currentDate: time.Now().Format("2006-01-02"),
 	}
 	if err := w.openFile(); err != nil {
 		return nil, err
 	}
 	return w, nil
 }
 // RotateFileWriter implements io.Writer with daily rotation
 type RotateFileWriter struct {
 	filePath    string
 	maxDays     int
 	file        *os.File
 	lastRotate  time.Time
 	currentDate string
 }
 func (w *RotateFileWriter) openFile() error {
 	var err error
 	w.file, err = os.OpenFile(w.filePath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
 	return err
 }
 func (w *RotateFileWriter) checkRotate() error {
 	now := time.Now()
 	currentDate := now.Format("2006-01-02")
 	if currentDate != w.currentDate {
 		// Close current file
 		if w.file != nil {
 			w.file.Close()
 		}
 		// Rename current file with date suffix
 		oldPath := w.filePath
 		newPath := w.filePath + "." + w.currentDate
 		if _, err := os.Stat(oldPath); err == nil {
 			if err := os.Rename(oldPath, newPath); err != nil {
 				return err
 			}
 		}
 		// Clean up old log files
 		w.cleanupOldLogs(now)
 		// Update current date and open new file
 		w.currentDate = currentDate
 		w.lastRotate = now
 		return w.openFile()
 	}
 	return nil
 }
 func (w *RotateFileWriter) cleanupOldLogs(now time.Time) {
 	if w.maxDays <= 0 {
 		return
 	}
 	cutoffDate := now.AddDate(0, 0, -w.maxDays)
 	// Find and remove old log files
 	dir := filepath.Dir(w.filePath)
 	base := filepath.Base(w.filePath)
 	files, _ := os.ReadDir(dir)
 	for _, f := range files {
 		if f.IsDir() {
 			continue
 		}
 		name := f.Name()
 		if strings.HasPrefix(name, base+".") {
 			// Extract date from filename (base.YYYY-MM-DD)
 			dateStr := strings.TrimPrefix(name, base+".")
 			if len(dateStr) == 10 {
 				fileDate, err := time.Parse("2006-01-02", dateStr)
 				if err == nil && fileDate.Before(cutoffDate) {
 					os.Remove(filepath.Join(dir, name))
 				}
 			}
 		}
 	}
 }
 func (w *RotateFileWriter) Write(p []byte) (n int, err error) {
 	if err := w.checkRotate(); err != nil {
 		return 0, err
 	}
 	return w.file.Write(p)
 }
 func (w *RotateFileWriter) Close() error {
 	if w.file != nil {
 		return w.file.Close()
 	}
 	return nil
 }
 func Errorf(format string, v ...any) {
@@ -75,6 +199,10 @@ func Warnf(format string, v ...any) {
 	Logger.Warnf(format, v...)
 }
 func Info(format string, v ...any) {
 	Logger.Info(format, v...)
 }
 func Infof(format string, v ...any) {
 	Logger.Infof(format, v...)
 }
@@ -84,11 +212,12 @@ func Debugf(format string, v ...any) {
 }
 func Tracef(format string, v ...any) {
-	Logger.Tracef(format, v...)
+	Logger.Logf(TraceLevel, format, v...)
 }
 func Logf(level log.Level, offset int, format string, v ...any) {
-	Logger.Logf(level, offset, format, v...)
+	// charmbracelet/log doesn't support offset, so we ignore it
 	Logger.Logf(level, format, v...)
 }
 type WriteLogger struct {
@@ -104,6 +233,8 @@ func NewWriteLogger(level log.Level, offset int) *WriteLogger {
 }
 func (w *WriteLogger) Write(p []byte) (n int, err error) {
-	Logger.Log(w.level, w.offset, string(bytes.TrimRight(p, "\n")))
+	// charmbracelet/log doesn't support offset in Log
 	msg := string(bytes.TrimRight(p, "\n"))
 	Logger.Log(w.level, msg)
 	return len(p), nil
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mxmilu666	cc0b8d0f94	chore(version): update version to 0.67.4	2026-03-10 18:26:34 +08:00
Mxmilu666	27237542c8	feat(plugin): add HTTP2HTTPS redirect plugin implementation	2026-03-10 18:26:20 +08:00
Mxmilu666	406ea5ebee	chore(version): update version to 0.67.3	2026-03-08 18:35:40 +08:00
Mxmilu666	81a92d19d5	feat(proxy): add traffic counting wrapper for connections	2026-03-08 18:33:42 +08:00
Mxmilu666	83847f32ed	feat(controller): add API to close proxy by name	2026-02-21 07:42:17 +08:00
Mxmilu666	1f2c26761d	refactor(release): update changelog generation process	2026-02-20 15:28:31 +08:00
Mxmilu666	c836e276a7	style(plugin): reorder import statements for clarity	2026-02-20 15:15:16 +08:00
Mxmilu	d16f07d3e8	Merge pull request 'feat(proxy): add AutoTLS support for HTTPS plugins' (#1 ) from https-acme into dev Reviewed-on: #1	2026-02-20 15:07:59 +08:00
Mxmilu666	6bd5eb92c3	feat(proxy): add AutoTLS support for HTTPS plugins	2026-02-19 09:01:07 +08:00
Mxmilu666	09602f5d74	chore(gitattributes): add .gitattributes for line endings	2026-02-19 06:37:58 +08:00
Mxmilu666	d7559b39e2	Merge remote-tracking branch 'upstream/dev' into dev	2026-02-08 00:57:08 +08:00
fatedier	519368b1fd	server/api: fix DeleteProxies endpoint returning empty response instead of JSON (#5163 )	2026-02-06 11:22:34 +08:00
Mxmilu666	72d147dfa5	fix(workflows): add missing architectures for build matrix	2026-02-04 19:32:24 +08:00
fatedier	9634fd99d1	web: ensure npm install runs before build (#5154 )	2026-02-04 12:55:24 +08:00
fatedier	7a1c248b67	bump version to 0.67.0 (#5146 )	2026-01-31 13:49:29 +08:00
fatedier	886c9c2fdb	web/frpc: redesign dashboard (#5145 )	2026-01-31 12:43:31 +08:00
fatedier	266c492b5d	web/frps: add detailed client and proxy views with enhanced tracking (#5144 )	2026-01-31 02:18:35 +08:00
fatedier	5dd70ace6b	refactor: move web embeds to web/ directory (#5139 )	2026-01-27 02:56:57 +08:00
fatedier	fb2c98e87b	rotate gold sponsor	2026-01-27 02:45:57 +08:00
Mxmilu666	481121a6c2	refactor(workflows): inline image name definitions in docker-build.yml	2026-01-16 00:20:37 +08:00
Mxmilu666	be252de683	chore(workflows): remove old build and push workflow file fix(dockerfiles): update base image to golang:1.25 for frpc and frps	2026-01-16 00:19:10 +08:00
fatedier	ed13141c56	refactor: separate API handlers into dedicated packages with improved HTTP utilities (#5127 )	2026-01-14 19:50:55 +08:00
Mxmilu666	0a99c1071b	feat(release): add debug step to check tags and commits[skip ci]	2026-01-14 00:30:05 +08:00
Mxmilu666	dd37b2e199	fix(frpc): fix goroutine closure in runMultipleClientsFromFiles	2026-01-14 00:11:41 +08:00
Mxmilu666	803e548f42	fix(version): update version to LoliaFRP-CLI 0.66.3	2026-01-14 00:03:50 +08:00
Mxmilu666	2dac44ac2e	fix(config): support multiple configuration files for frpc	2026-01-14 00:03:18 +08:00
Mxmilu666	655dc3cb2a	fix(version): update version to LoliaFRP-CLI 0.66.2	2026-01-13 00:10:24 +08:00
Mxmilu666	9894342f46	fix(auth): support multiple authentication tokens for frpc	2026-01-13 00:04:50 +08:00
Mxmilu666	e7cc706c86	fix(vhost): correct heading text for unbound domain page	2026-01-11 14:37:17 +08:00
Mxmilu666	92ac2b9153	fix(workflow): enhance artifact handling in release process [skip ci]	2026-01-11 14:08:20 +08:00
Mxmilu666	1ed369e962	fix(workflow): remove tags specification from push event [skip ci]	2026-01-11 14:04:37 +08:00
Mxmilu666	b74a8d0232	fix(workflow): remove branch specification from build-all workflow	2026-01-11 14:01:35 +08:00
Mxmilu666	d2180081a0	fix(workflow): correct path to build-all workflow	2026-01-11 13:58:22 +08:00
Mxmilu666	51f4e065b5	fix(workflow): correct path to build-all workflow	2026-01-11 13:55:26 +08:00
Mxmilu666	e58f774086	fix(workflow): specify branch for build-all workflow	2026-01-11 13:54:26 +08:00
Mxmilu666	178e381a26	fix(workflow): update build-all workflow path to absolute	2026-01-11 13:53:33 +08:00
Mxmilu666	26b93ae3a3	chore(version): update version to LoliaFRP-CLI 0.66.1	2026-01-11 13:52:10 +08:00
Mxmilu666	a2aeee28e4	feat(vhost): enhance Not Found page with Chinese localization	2026-01-11 13:51:37 +08:00
Mxmilu666	0416caef71	feat(workflow): enable workflow_call for build-all workflow [skip ci]	2026-01-11 13:36:14 +08:00
Mxmilu666	1004473e42	feat(workflow): add release workflow for FRP binaries	2026-01-11 13:30:40 +08:00
Mxmilu666	f386996928	fix(api): update comment for URL construction security	2026-01-11 04:05:27 +08:00
Mxmilu666	4eb4b202c5	fix(controller): include session ID in analysis error log style(log): use octal notation for file permissions	2026-01-11 04:00:52 +08:00
Mxmilu666	ac5bdad507	feat(client): add access messages for proxy services feat(client): translate log messages to Chinese feat(cmd): add authentication token support for API config feat(log): implement rotating file logger with custom styles feat(banner): add banner display function fix(version): update version string for CLI	2026-01-11 03:53:52 +08:00
Mxmilu666	42f4ea7f87	feat(build): enhance android-arm build process and output	2026-01-11 02:00:52 +08:00
Mxmilu666	36e5ac094b	feat(build): add android-arm build process and dependencies	2026-01-11 01:56:30 +08:00
fatedier	3370bd53f5	udp: fix proxy protocol header sent on every packet instead of first packet only (#5119 )	2026-01-09 11:33:00 +08:00
fatedier	1245f8804e	server: replace client metadata with IP address in registry (#5118 )	2026-01-09 11:07:19 +08:00
fatedier	479e9f50c2	web/frpc: refactor dashboard with improved structure and API layer (#5117 )	2026-01-09 00:40:51 +08:00
fatedier	a4175a2595	update release notes (#5116 )	2026-01-08 20:25:03 +08:00
fatedier	36718d88e4	server: add client registry with dashboard support (#5115 )	2026-01-08 20:07:14 +08:00
fatedier	bc378bcbec	rotate gold sponsor order periodically (#5114 )	2026-01-08 19:54:13 +08:00
fatedier	33428ab538	add e2e tests for exec-based token source (#5111 )	2026-01-04 14:45:51 +08:00
Mxmilu666	72f79d3357	feat(api): add endpoint to close proxy by name	2025-12-26 01:10:43 +08:00
Mxmilu666	e1f905f63f	chore: remove obsolete build-all workflow and update architectures in package script	2025-12-25 22:19:53 +08:00
Mxmilu666	eb58f09268	chore: remove funding and pull request template files	2025-12-25 22:19:50 +08:00
Mxmilu666	46955ffc80	feat(api): update kick proxy endpoint to use name only	2025-12-25 22:19:00 +08:00
Mxmilu666	2d63296576	feat(api): add endpoint to retrieve all proxies	2025-12-25 22:18:38 +08:00
Mxmilu666	a76ba823ee	feat(api): add endpoint to kick proxy by name	2025-12-25 22:16:41 +08:00
fatedier	ef96481f58	update version and release notes (#5106 )	2025-12-25 10:15:40 +08:00
fatedier	7526d7a69a	refactor: separate auth config from runtime and defer token resolution (#5105 )	2025-12-25 00:53:08 +08:00
fatedier	2bdf25bae6	rotate gold sponsor order periodically (#5094 )	2025-12-11 12:48:08 +08:00
fatedier	0fe8f7a0b6	refactor: reorganize security policy into dedicated packag (#5088 )	2025-12-05 16:26:09 +08:00
fatedier	2e2802ea13	refactor: use MessageSender interface for message transporter (#5083 )	2025-12-02 11:22:48 +08:00
fatedier	c3821202b1	docs: remove zsxq section (#5077 )	2025-11-26 23:55:54 +08:00
fatedier	15fd19a16d	fix lint (#5068 )	2025-11-18 01:11:44 +08:00
Krzysztof Bogacki	66973a03db	Add `exec` value source type (#5050 ) * config: introduce ExecSource value source * auth: introduce OidcTokenSourceAuthProvider * auth: use OidcTokenSourceAuthProvider if tokenSource config is present on the client * cmd: allow exec token source only if CLI flag was passed	2025-11-18 00:20:21 +08:00
fatedier	f736d171ac	rotate gold sponsor order periodically (#5067 )	2025-11-18 00:09:37 +08:00
fatedier	b27b846971	config: add enabled field for individual proxy and visitor (#5048 )	2025-11-06 14:05:03 +08:00
fatedier	e025843d3c	vnet: add exponential backoff for failed reconnections (#5035 )	2025-10-29 01:08:48 +08:00
fatedier	a75320ef2f	update quic-go dependency from v0.53.0 to v0.55.0 (#5033 )	2025-10-28 17:52:34 +08:00
fatedier	1cf325bb0c	https: add load balancing group support (#5032 )	2025-10-28 17:37:18 +08:00
fatedier	469097a549	update sponsor pic (#5031 )	2025-10-28 16:08:29 +08:00
fatedier	2def23bb0b	update sponsor (#5030 )	2025-10-28 15:44:03 +08:00
Zachary Whaley	ee3cc4b14e	Fix CloseNotifyConn.Close function (#5022 ) The CloseNotifyConn.Close() function calls itself if the closeFlag is equal to 0 which would mean it would immediately swap the closeFlag value to 1 and never call closeFn. It is unclear what the intent of this call to cc.Close() was but I assume it was meant to be a call to close the Conn object instead.	2025-10-17 10:53:43 +08:00
fatedier	e382676659	update README (#5001 )	2025-09-26 12:26:08 +08:00