Merge pull request #672 from fatedier/dev

bump version to v0.16.1
vhost: typo fix
2025-07-29 01:07:38 +00:00 · 2018-03-21 18:09:39 +08:00 · 2018-03-21 18:06:43 +08:00 · 2018-03-21 18:00:31 +08:00 · 2018-03-21 11:52:11 +08:00 · 2018-03-21 11:45:48 +08:00
1499 changed files with 337991 additions and 1145 deletions
--- a/.github/ISSUE_TEMPLATE
+++ b/.github/ISSUE_TEMPLATE
@@ -1,4 +1,5 @@
 Issue is only used for submiting bug report and documents typo. If there are same issues or answers can be found in documents, we will close it directly.
+(为了节约时间，提高处理问题的效率，不按照格式填写的 issue 将会直接关闭。)

 Use the commands below to provide key information from your environment:
 You do NOT have to include this information if this is a FEATURE REQUEST
@@ -9,6 +10,9 @@ You do NOT have to include this information if this is a FEATURE REQUEST
 **What operating system and processor architecture are you using (`go env`)?**


+**Configures you used:**
+
+
 **Steps to reproduce the issue:**
 1.
 2.
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,8 +2,7 @@ sudo: false
 language: go

 go:
-    - 1.7.5
-    - 1.8
+    - 1.10.x

 install:
    - make
--- a/6
+++ b/6
@@ -1,4 +1,4 @@
-FROM golang:1.6
+FROM golang:1.8

 COPY . /go/src/github.com/fatedier/frp

@@ -6,8 +6,8 @@ RUN cd /go/src/github.com/fatedier/frp \
 && make \
 && mv bin/frpc /frpc \
 && mv bin/frps /frps \
- && mv conf/frpc_min.ini /frpc.ini \
- && mv conf/frps_min.ini /frps.ini \
+ && mv conf/frpc.ini /frpc.ini \
+ && mv conf/frps.ini /frps.ini \
 && make clean

 WORKDIR /
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+FROM golang:1.8 as frpBuild
+
+COPY . /go/src/github.com/fatedier/frp
+
+ENV CGO_ENABLED=0
+
+RUN cd /go/src/github.com/fatedier/frp \
+ && make
+
+FROM alpine:3.6
+
+COPY --from=frpBuild /go/src/github.com/fatedier/frp/bin/frpc /
+COPY --from=frpBuild /go/src/github.com/fatedier/frp/conf/frpc.ini /
+COPY --from=frpBuild /go/src/github.com/fatedier/frp/bin/frps /
+COPY --from=frpBuild /go/src/github.com/fatedier/frp/conf/frps.ini /
+
+EXPOSE 80 443 6000 7000 7500
+
+WORKDIR /
+
+CMD ["/frps","-c","frps.ini"]
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -1,67 +0,0 @@
-{
-	"ImportPath": "github.com/fatedier/frp",
-	"GoVersion": "go1.8",
-	"GodepVersion": "v79",
-	"Packages": [
-		"./..."
-	],
-	"Deps": [
-		{
-			"ImportPath": "github.com/davecgh/go-spew/spew",
-			"Comment": "v1.1.0",
-			"Rev": "346938d642f2ec3594ed81d874461961cd0faa76"
-		},
-		{
-			"ImportPath": "github.com/docopt/docopt-go",
-			"Comment": "0.6.2",
-			"Rev": "784ddc588536785e7299f7272f39101f7faccc3f"
-		},
-		{
-			"ImportPath": "github.com/fatedier/beego/logs",
-			"Comment": "v1.7.2-72-gf73c369",
-			"Rev": "f73c3692bbd70a83728cb59b2c0423ff95e4ecea"
-		},
-		{
-			"ImportPath": "github.com/golang/snappy",
-			"Rev": "5979233c5d6225d4a8e438cdd0b411888449ddab"
-		},
-		{
-			"ImportPath": "github.com/julienschmidt/httprouter",
-			"Comment": "v1.1-41-g8a45e95",
-			"Rev": "8a45e95fc75cb77048068a62daed98cc22fdac7c"
-		},
-		{
-			"ImportPath": "github.com/pkg/errors",
-			"Comment": "v0.8.0-5-gc605e28",
-			"Rev": "c605e284fe17294bda444b34710735b29d1a9d90"
-		},
-		{
-			"ImportPath": "github.com/pmezard/go-difflib/difflib",
-			"Comment": "v1.0.0",
-			"Rev": "792786c7400a136282c1664665ae0a8db921c6c2"
-		},
-		{
-			"ImportPath": "github.com/rakyll/statik/fs",
-			"Comment": "v0.1.0",
-			"Rev": "274df120e9065bdd08eb1120e0375e3dc1ae8465"
-		},
-		{
-			"ImportPath": "github.com/stretchr/testify/assert",
-			"Comment": "v1.1.4-25-g2402e8e",
-			"Rev": "2402e8e7a02fc811447d11f881aa9746cdc57983"
-		},
-		{
-			"ImportPath": "github.com/vaughan0/go-ini",
-			"Rev": "a98ad7ee00ec53921f08832bc06ecf7fd600e6a1"
-		},
-		{
-			"ImportPath": "github.com/xtaci/smux",
-			"Comment": "v1.0.5-8-g2de5471",
-			"Rev": "2de5471dfcbc029f5fe1392b83fe784127c4943e"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/pbkdf2",
-			"Rev": "1f22c0103821b9390939b6776727195525381532"
-		}
-	]
-}
--- a/12
+++ b/12
@@ -34,15 +34,17 @@ gotest:
 	go test -v ./server/...
 	go test -v ./utils/...

-alltest: gotest
+ci:
 	cd ./tests && ./run_test.sh && cd -
 	go test -v ./tests/...
 	cd ./tests && ./clean_test.sh && cd -

+ciclean:
+	cd ./tests && ./clean_test.sh && cd -
+
+alltest: gotest ci
+	
 clean:
 	rm -f ./bin/frpc
 	rm -f ./bin/frps
-	cd ./test && ./clean_test.sh && cd -
-
-save:
-	godep save ./...
+	cd ./tests && ./clean_test.sh && cd -
--- a/Makefile.cross-compiles
+++ b/Makefile.cross-compiles
@@ -9,6 +9,10 @@ build: app
 app:
 	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_darwin_amd64 ./cmd/frpc
 	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_darwin_amd64 ./cmd/frps
+	env CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frpc_freebsd_386 ./cmd/frpc
+	env CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frps_freebsd_386 ./cmd/frps
+	env CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_freebsd_amd64 ./cmd/frpc
+	env CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_freebsd_amd64 ./cmd/frps
 	env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_386 ./cmd/frpc
 	env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_386 ./cmd/frps
 	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_amd64 ./cmd/frpc
@@ -23,10 +27,10 @@ app:
 	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips64 ./cmd/frps
 	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mips64le ./cmd/frpc
 	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips64le ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mips ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mipsle ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mipsle ./cmd/frps
+	env CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mips ./cmd/frpc
+	env CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips ./cmd/frps
+	env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mipsle ./cmd/frpc
+	env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mipsle ./cmd/frps

 temp:
 	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_amd64 ./cmd/frps
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ frp is a fast reverse proxy to help you expose a local server behind a NAT or fi
 ## Table of Contents

 <!-- vim-markdown-toc GFM -->
+
 * [What can I do with frp?](#what-can-i-do-with-frp)
 * [Status](#status)
 * [Architecture](#architecture)
@@ -18,24 +19,35 @@ frp is a fast reverse proxy to help you expose a local server behind a NAT or fi
    * [Access your computer in LAN by SSH](#access-your-computer-in-lan-by-ssh)
    * [Visit your web service in LAN by custom domains](#visit-your-web-service-in-lan-by-custom-domains)
    * [Forward DNS query request](#forward-dns-query-request)
+    * [Forward unix domain socket](#forward-unix-domain-socket)
+    * [Expose a simple http file server](#expose-a-simple-http-file-server)
+    * [Expose your service in security](#expose-your-service-in-security)
+    * [P2P Mode](#p2p-mode)
+    * [Connect website through frpc's network](#connect-website-through-frpcs-network)
 * [Features](#features)
+    * [Configuration File](#configuration-file)
    * [Dashboard](#dashboard)
    * [Authentication](#authentication)
    * [Encryption and Compression](#encryption-and-compression)
-    * [Reload configures without frps stopped](#reload-configures-without-frps-stopped)
+    * [Hot-Reload frpc configuration](#hot-reload-frpc-configuration)
+    * [Get proxy status from client](#get-proxy-status-from-client)
    * [Privilege Mode](#privilege-mode)
        * [Port White List](#port-white-list)
    * [TCP Stream Multiplexing](#tcp-stream-multiplexing)
+    * [Support KCP Protocol](#support-kcp-protocol)
    * [Connection Pool](#connection-pool)
    * [Rewriting the Host Header](#rewriting-the-host-header)
+    * [Get Real IP](#get-real-ip)
    * [Password protecting your web service](#password-protecting-your-web-service)
    * [Custom subdomain names](#custom-subdomain-names)
    * [URL routing](#url-routing)
    * [Connect frps by HTTP PROXY](#connect-frps-by-http-proxy)
+    * [Plugin](#plugin)
 * [Development Plan](#development-plan)
 * [Contributing](#contributing)
 * [Donation](#donation)
    * [AliPay](#alipay)
+    * [Wechat Pay](#wechat-pay)
    * [Paypal](#paypal)

 <!-- vim-markdown-toc -->
@@ -143,7 +155,7 @@ However, we can expose a http or https service using frp.

 ### Forward DNS query request

-1. Modify frps.ini, configure a reverse proxy named [dns]:
+1. Modify frps.ini:

  ```ini
  # frps.ini
@@ -176,10 +188,181 @@ However, we can expose a http or https service using frp.

 5. Send dns query request by dig:

-  `dig @x.x.x.x -p 6000 www.goolge.com`
+  `dig @x.x.x.x -p 6000 www.google.com`
+
+### Forward unix domain socket
+
+Using tcp port to connect unix domain socket like docker daemon.
+
+Configure frps same as above.
+
+1. Start frpc with configurations:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [unix_domain_socket]
+  type = tcp
+  remote_port = 6000
+  plugin = unix_domain_socket
+  plugin_unix_path = /var/run/docker.sock
+  ```
+
+2. Get docker version by curl command:
+
+  `curl http://x.x.x.x:6000/version`
+
+### Expose a simple http file server
+
+A simple way to visit files in the LAN.
+
+Configure frps same as above.
+
+1. Start frpc with configurations:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [test_static_file]
+  type = tcp
+  remote_port = 6000
+  plugin = static_file
+  plugin_local_path = /tmp/file
+  plugin_strip_prefix = static
+  plugin_http_user = abc
+  plugin_http_passwd = abc
+  ```
+
+2. Visit `http://x.x.x.x:6000/static/` by your browser, set correct user and password, so you can see files in `/tmp/file`.
+
+### Expose your service in security
+
+For some services, if expose them to the public network directly will be a security risk.
+
+**stcp(secret tcp)** help you create a proxy avoiding any one can access it.
+
+Configure frps same as above.
+
+1. Start frpc, forward ssh port and `remote_port` is useless:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [secret_ssh]
+  type = stcp
+  sk = abcdefg
+  local_ip = 127.0.0.1
+  local_port = 22
+  ```
+
+2. Start another frpc in which you want to connect this ssh server:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [secret_ssh_visitor]
+  type = stcp
+  role = visitor
+  server_name = secret_ssh
+  sk = abcdefg
+  bind_addr = 127.0.0.1
+  bind_port = 6000
+  ```
+
+3. Connect to server in LAN by ssh assuming that username is test:
+
+  `ssh -oPort=6000 test@127.0.0.1`
+
+### P2P Mode
+
+**xtcp** is designed for transmitting a large amount of data directly between two client.
+
+Now it can't penetrate all types of NAT devices. You can try **stcp** if **xtcp** doesn't work.
+
+1. Configure a udp port for xtcp:
+
+  ```ini
+  bind_udp_port = 7001
+  ```
+
+2. Start frpc, forward ssh port and `remote_port` is useless:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [p2p_ssh]
+  type = xtcp
+  sk = abcdefg
+  local_ip = 127.0.0.1
+  local_port = 22
+  ```
+
+3. Start another frpc in which you want to connect this ssh server:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [p2p_ssh_visitor]
+  type = xtcp
+  role = visitor
+  server_name = p2p_ssh
+  sk = abcdefg
+  bind_addr = 127.0.0.1
+  bind_port = 6000
+  ```
+
+4. Connect to server in LAN by ssh assuming that username is test:
+
+  `ssh -oPort=6000 test@127.0.0.1`
+
+### Connect website through frpc's network
+
+Configure frps same as above.
+
+1. Start frpc with configurations:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [http_proxy]
+  type = tcp
+  remote_port = 6000
+  plugin = http_proxy # or socks5
+  ```
+
+2. Set http proxy or socks5 proxy `x.x.x.x:6000` in your browser and visit website through frpc's network.

 ## Features

+### Configuration File
+
+You can find features which this document not metioned from full example configuration files.
+
+[frps full configuration file](./conf/frps_full.ini)
+
+[frpc full configuration file](./conf/frpc_full.ini)
+
 ### Dashboard

 Check frp's status and proxies's statistics information by Dashboard.
@@ -220,9 +403,24 @@ use_encryption = true
 use_compression = true
 ```

-### Reload configures without frps stopped
+### Hot-Reload frpc configuration

-This feature is removed since v0.10.0.
+First you need to set admin port in frpc's configure file to let it provide HTTP API for more features.
+
+```ini
+# frpc.ini
+[common]
+admin_addr = 127.0.0.1
+admin_port = 7400
+```
+
+Then run command `frpc reload -c ./frpc.ini` and wait for about 10 seconds to let frpc create or update or delete proxies.
+
+**Note that parameters in [common] section won't be modified except 'start' now.**
+
+### Get proxy status from client
+
+Use `frpc status -c ./frpc.ini` to get status of all proxies. You need to set admin port in frpc's configure file.

 ### Privilege Mode

@@ -252,6 +450,35 @@ You can disable this feature by modify frps.ini and frpc.ini:
 tcp_mux = false
 ```

+### Support KCP Protocol
+
+frp support kcp protocol since v0.12.0.
+
+KCP is a fast and reliable protocol that can achieve the transmission effect of a reduction of the average latency by 30% to 40% and reduction of the maximum delay by a factor of three, at the cost of 10% to 20% more bandwidth wasted than TCP.
+
+Using kcp in frp:
+
+1. Enable kcp protocol in frps:
+
+  ```ini
+  # frps.ini
+  [common]
+  bind_port = 7000
+  # kcp needs to bind a udp port, it can be same with 'bind_port'
+  kcp_bind_port = 7000
+  ```
+
+2. Configure the protocol used in frpc to connect frps:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  # specify the 'kcp_bind_port' in frps
+  server_port = 7000
+  protocol = kcp
+  ```
+
 ### Connection Pool

 By default, frps send message to frpc for create a new connection to backward service when getting an user request.If a proxy's connection pool is enabled, there will be a specified number of connections pre-established.
@@ -289,6 +516,14 @@ host_header_rewrite = dev.yourdomain.com

 If `host_header_rewrite` is specified, the Host header will be rewritten to match the hostname portion of the forwarding address.

+### Get Real IP
+
+Features for http proxy only.
+
+You can get user's real IP from http request header `X-Forwarded-For` and `X-Real-IP`.
+
+**Note that now you can only get these two headers in first request of each user connection.**
+
 ### Password protecting your web service

 Anyone who can guess your tunnel URL can access your local web server unless you protect it with a password.
@@ -358,25 +593,60 @@ Http requests with url prefix `/news` and `/about` will be forwarded to **web02*

 frpc can connect frps using HTTP PROXY if you set os environment `HTTP_PROXY` or configure `http_proxy` param in frpc.ini file.

+It only works when protocol is tcp.
+
 ```ini
 # frpc.ini
+[common]
 server_addr = x.x.x.x
 server_port = 7000
 http_proxy = http://user:pwd@192.168.1.128:8080
 ```

+### Range ports mapping
+
+Proxy name has prefix `range:` will support mapping range ports.
+
+```ini
+# frpc.ini
+[range:test_tcp]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 6000-6006,6007
+remote_port = 6000-6006,6007
+```
+
+frpc will generate 6 proxies like `test_tcp_0, test_tcp_1 ... test_tcp_5`.
+
+### Plugin
+
+frpc only forward request to local tcp or udp port by default.
+
+Plugin is used for providing rich features. There are built-in plugins such as `unix_domain_socket`, `http_proxy`, `socks5`, `static_file` and you can see [example usage](#example-usage).
+
+Specify which plugin to use by `plugin` parameter. Configuration parameters of plugin should be started with `plugin_`. `local_ip` and `local_port` is useless for plugin.
+
+Using plugin **http_proxy**:
+
+```ini
+# frpc.ini
+[http_proxy]
+type = tcp
+remote_port = 6000
+plugin = http_proxy
+plugin_http_user = abc
+plugin_http_passwd = abc
+```
+
+`plugin_http_user` and `plugin_http_passwd` are configuration parameters used in `http_proxy` plugin.
+
 ## Development Plan

 * Log http request information in frps.
 * Direct reverse proxy, like haproxy.
 * Load balance to different service in frpc.
-* Frpc can directly be a webserver for static files.
-* Full control mode, dynamically modify frpc's configure with dashboard in frps.
-* P2p communicate by make udp hole to penetrate NAT.
-* Client Plugin (http proxy).
 * kubernetes ingress support.

-
 ## Contributing

 Interested in getting involved? We would like to help you!
@@ -384,7 +654,7 @@ Interested in getting involved? We would like to help you!
 * Take a look at our [issues list](https://github.com/fatedier/frp/issues) and consider sending a Pull Request to **dev branch**.
 * If you want to add a new feature, please create an issue first to describe the new feature, as well as the implementation approach. Once a proposal is accepted, create an implementation of the new features and submit it as a pull request.
 * Sorry for my poor english and improvement for this document is welcome even some typo fix.
-* If you have some wanderful ideas, send email to fatedier@gmail.com.
+* If you have some wonderful ideas, send email to fatedier@gmail.com.

 **Note: We prefer you to give your advise in [issues](https://github.com/fatedier/frp/issues), so others with a same question can search it quickly and we don't need to answer them repeatly.**

@@ -398,6 +668,10 @@ frp QQ group: 606194980

 ![donation-alipay](/doc/pic/donate-alipay.png)

+### Wechat Pay
+
+![donation-wechatpay](/doc/pic/donate-wechatpay.png)
+
 ### Paypal

 Donate money by [paypal](https://www.paypal.me/fatedier) to my account **fatedier@gmail.com**.
--- a/README_zh.md
+++ b/README_zh.md
@@ -9,6 +9,7 @@ frp 是一个可用于内网穿透的高性能的反向代理应用，支持 tcp
 ## 目录

 <!-- vim-markdown-toc GFM -->
+
 * [frp 的作用](#frp-的作用)
 * [开发状态](#开发状态)
 * [架构](#架构)
@@ -16,24 +17,36 @@ frp 是一个可用于内网穿透的高性能的反向代理应用，支持 tcp
    * [通过 ssh 访问公司内网机器](#通过-ssh-访问公司内网机器)
    * [通过自定义域名访问部署于内网的 web 服务](#通过自定义域名访问部署于内网的-web-服务)
    * [转发 DNS 查询请求](#转发-dns-查询请求)
+    * [转发 Unix域套接字](#转发-unix域套接字)
+    * [对外提供简单的文件访问服务](#对外提供简单的文件访问服务)
+    * [安全地暴露内网服务](#安全地暴露内网服务)
+    * [点对点内网穿透](#点对点内网穿透)
+    * [通过 frpc 所在机器访问外网](#通过-frpc-所在机器访问外网)
 * [功能说明](#功能说明)
+    * [配置文件](#配置文件)
    * [Dashboard](#dashboard)
    * [身份验证](#身份验证)
    * [加密与压缩](#加密与压缩)
-    * [服务器端热加载配置文件](#服务器端热加载配置文件)
+    * [客户端热加载配置文件](#客户端热加载配置文件)
+    * [客户端查看代理状态](#客户端查看代理状态)
    * [特权模式](#特权模式)
        * [端口白名单](#端口白名单)
    * [TCP 多路复用](#tcp-多路复用)
+    * [底层通信可选 kcp 协议](#底层通信可选-kcp-协议)
    * [连接池](#连接池)
    * [修改 Host Header](#修改-host-header)
+    * [获取用户真实 IP](#获取用户真实-ip)
    * [通过密码保护你的 web 服务](#通过密码保护你的-web-服务)
    * [自定义二级域名](#自定义二级域名)
    * [URL 路由](#url-路由)
    * [通过代理连接 frps](#通过代理连接-frps)
+    * [范围端口映射](#范围端口映射)
+    * [插件](#插件)
 * [开发计划](#开发计划)
 * [为 frp 做贡献](#为-frp-做贡献)
 * [捐助](#捐助)
    * [支付宝扫码捐赠](#支付宝扫码捐赠)
+    * [微信支付捐赠](#微信支付捐赠)
    * [Paypal 捐赠](#paypal-捐赠)

 <!-- vim-markdown-toc -->
@@ -177,10 +190,197 @@ DNS 查询请求通常使用 UDP 协议，frp 支持对内网 UDP 服务的穿

 5. 通过 dig 测试 UDP 包转发是否成功，预期会返回 `www.google.com` 域名的解析结果：

-  `dig @x.x.x.x -p 6000 www.goolge.com`
+  `dig @x.x.x.x -p 6000 www.google.com`
+
+### 转发 Unix域套接字
+
+通过 tcp 端口访问内网的 unix域套接字(例如和 docker daemon 通信)。
+
+frps 的部署步骤同上。
+
+1. 启动 frpc，启用 `unix_domain_socket` 插件，配置如下：
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+  
+  [unix_domain_socket]
+  type = tcp
+  remote_port = 6000
+  plugin = unix_domain_socket
+  plugin_unix_path = /var/run/docker.sock
+  ```
+
+2. 通过 curl 命令查看 docker 版本信息
+
+  `curl http://x.x.x.x:6000/version`
+
+### 对外提供简单的文件访问服务
+
+通过 `static_file` 插件可以对外提供一个简单的基于 HTTP 的文件访问服务。
+
+frps 的部署步骤同上。
+
+1. 启动 frpc，启用 `static_file` 插件，配置如下：
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [test_static_file]
+  type = tcp
+  remote_port = 6000
+  plugin = static_file
+  # 要对外暴露的文件目录
+  plugin_local_path = /tmp/file
+  # 访问 url 中会被去除的前缀，保留的内容即为要访问的文件路径
+  plugin_strip_prefix = static
+  plugin_http_user = abc
+  plugin_http_passwd = abc
+  ```
+
+2. 通过浏览器访问 `http://x.x.x.x:6000/static/` 来查看位于 `/tmp/file` 目录下的文件，会要求输入已设置好的用户名和密码。
+
+### 安全地暴露内网服务
+
+对于某些服务来说如果直接暴露于公网上将会存在安全隐患。
+
+使用 **stcp(secret tcp)** 类型的代理可以避免让任何人都能访问到要穿透的服务，但是访问者也需要运行另外一个 frpc。
+
+以下示例将会创建一个只有自己能访问到的 ssh 服务代理。
+
+frps 的部署步骤同上。
+
+1. 启动 frpc，转发内网的 ssh 服务，配置如下，不需要指定远程端口：
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [secret_ssh]
+  type = stcp
+  # 只有 sk 一致的用户才能访问到此服务
+  sk = abcdefg
+  local_ip = 127.0.0.1
+  local_port = 22
+  ```
+
+2. 在要访问这个服务的机器上启动另外一个 frpc，配置如下：
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [secret_ssh_visitor]
+  type = stcp
+  # stcp 的访问者
+  role = visitor
+  # 要访问的 stcp 代理的名字
+  server_name = secret_ssh
+  sk = abcdefg
+  # 绑定本地端口用于访问 ssh 服务
+  bind_addr = 127.0.0.1
+  bind_port = 6000
+  ```
+
+3. 通过 ssh 访问内网机器，假设用户名为 test：
+
+  `ssh -oPort=6000 test@127.0.0.1`
+
+### 点对点内网穿透
+
+frp 提供了一种新的代理类型 **xtcp** 用于应对在希望传输大量数据且流量不经过服务器的场景。
+
+使用方式同 **stcp** 类似，需要在两边都部署上 frpc 用于建立直接的连接。
+
+目前处于开发的初级阶段，并不能穿透所有类型的 NAT 设备，所以穿透成功率较低。穿透失败时可以尝试 **stcp** 的方式。
+
+1. frps 除正常配置外需要额外配置一个 udp 端口用于支持该类型的客户端:
+
+  ```ini
+  bind_udp_port = 7001
+  ```
+
+2. 启动 frpc，转发内网的 ssh 服务，配置如下，不需要指定远程端口:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [p2p_ssh]
+  type = xtcp
+  # 只有 sk 一致的用户才能访问到此服务
+  sk = abcdefg
+  local_ip = 127.0.0.1
+  local_port = 22
+  ```
+
+3. 在要访问这个服务的机器上启动另外一个 frpc，配置如下:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+
+  [p2p_ssh_visitor]
+  type = xtcp
+  # xtcp 的访问者
+  role = visitor
+  # 要访问的 xtcp 代理的名字
+  server_name = p2p_ssh
+  sk = abcdefg
+  # 绑定本地端口用于访问 ssh 服务
+  bind_addr = 127.0.0.1
+  bind_port = 6000
+  ```
+
+4. 通过 ssh 访问内网机器，假设用户名为 test:
+
+  `ssh -oPort=6000 test@127.0.0.1`
+
+### 通过 frpc 所在机器访问外网
+
+frpc 内置了 http proxy 和 socks5 插件，可以使其他机器通过 frpc 的网络访问互联网。
+
+frps 的部署步骤同上。
+
+1. 启动 frpc，启用 http_proxy 或 socks5 插件(plugin 换为 socks5 即可)， 配置如下：
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  server_port = 7000
+  
+  [http_proxy]
+  type = tcp
+  remote_port = 6000
+  plugin = http_proxy
+  ```
+
+2. 浏览器设置 http 或 socks5 代理地址为 `x.x.x.x:6000`，通过 frpc 机器的网络访问互联网。

 ## 功能说明

+### 配置文件
+
+由于 frp 目前支持的功能和配置项较多，未在文档中列出的功能可以从完整的示例配置文件中发现。
+
+[frps 完整配置文件](./conf/frps_full.ini)
+
+[frpc 完整配置文件](./conf/frpc_full.ini)
+
 ### Dashboard

 通过浏览器查看 frp 的状态以及代理统计信息展示。
@@ -225,9 +425,30 @@ use_compression = true

 如果传输的报文长度较长，通过设置 `use_compression = true` 对传输内容进行压缩，可以有效减小 frpc 与 frps 之间的网络流量，加快流量转发速度，但是会额外消耗一些 cpu 资源。

-### 服务器端热加载配置文件
+### 客户端热加载配置文件

-由于从 v0.10.0 版本开始，所有 proxy 都在客户端配置，这个功能暂时移除。
+当修改了 frpc 中的代理配置，可以通过 `frpc reload` 命令来动态加载配置文件，通常会在 10 秒内完成代理的更新。
+
+启用此功能需要在 frpc 中启用 admin 端口，用于提供 API 服务。配置如下：
+
+```ini
+# frpc.ini
+[common]
+admin_addr = 127.0.0.1
+admin_port = 7400
+```
+
+之后执行重启命令：
+
+`frpc reload -c ./frpc.ini`
+
+等待一段时间后客户端会根据新的配置文件创建、更新、删除代理。
+
+**需要注意的是，[common] 中的参数除了 start 外目前无法被修改。**
+
+### 客户端查看代理状态
+
+frpc 支持通过 `frpc status -c ./frpc.ini` 命令查看代理的状态信息，此功能需要在 frpc 中配置 admin 端口。

 ### 特权模式

@@ -257,6 +478,35 @@ privilege_allow_ports 可以配置允许使用的某个指定端口或者是一
 tcp_mux = false
 ```

+### 底层通信可选 kcp 协议
+
+从 v0.12.0 版本开始，底层通信协议支持选择 kcp 协议，在弱网环境下传输效率提升明显，但是会有一些额外的流量消耗。
+
+开启 kcp 协议支持：
+
+1. 在 frps.ini 中启用 kcp 协议支持，指定一个 udp 端口用于接收客户端请求：
+
+  ```ini
+  # frps.ini
+  [common]
+  bind_port = 7000
+  # kcp 绑定的是 udp 端口，可以和 bind_port 一样
+  kcp_bind_port = 7000
+  ```
+
+2. 在 frpc.ini 指定需要使用的协议类型，目前只支持 tcp 和 kcp。其他代理配置不需要变更：
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  # server_port 指定为 frps 的 kcp_bind_port
+  server_port = 7000
+  protocol = kcp
+  ```
+
+3. 像之前一样使用 frp，需要注意开放相关机器上的 udp 的端口的访问权限。
+
 ### 连接池

 默认情况下，当用户请求建立连接后，frps 才会请求 frpc 主动与后端服务建立一个连接。当为指定的代理启用连接池后，frp 会预先和后端服务建立起指定数量的连接，每次接收到用户请求后，会从连接池中取出一个连接和用户连接关联起来，避免了等待与后端服务建立连接以及 frpc 和 frps 之间传递控制信息的时间。
@@ -294,6 +544,12 @@ host_header_rewrite = dev.yourdomain.com

 原来 http 请求中的 host 字段 `test.yourdomain.com` 转发到后端服务时会被替换为 `dev.yourdomain.com`。

+### 获取用户真实 IP
+
+目前只有 **http** 类型的代理支持这一功能，可以通过用户请求的 header 中的 `X-Forwarded-For` 和 `X-Real-IP` 来获取用户真实 IP。
+
+**需要注意的是，目前只在每一个用户连接的第一个 HTTP 请求中添加了这两个 header。**
+
 ### 通过密码保护你的 web 服务

 由于所有客户端共用一个 frps 的 http 服务端口，任何知道你的域名和 url 的人都能访问到你部署在内网的 web 服务，但是在某些场景下需要确保只有限定的用户才能访问。
@@ -373,13 +629,57 @@ locations = /news,/about

 可以通过设置 `HTTP_PROXY` 系统环境变量或者通过在 frpc 的配置文件中设置 `http_proxy` 参数来使用此功能。

+仅在 `protocol = tcp` 时生效。
+
 ```ini
 # frpc.ini
+[common]
 server_addr = x.x.x.x
 server_port = 7000
 http_proxy = http://user:pwd@192.168.1.128:8080
 ```

+### 范围端口映射
+
+在 frpc 的配置文件中可以指定映射多个端口，目前只支持 tcp 和 udp 的类型。
+
+这一功能通过 `range:` 段落标记来实现，客户端会解析这个标记中的配置，将其拆分成多个 proxy，每一个 proxy 以数字为后缀命名。
+
+例如要映射本地 6000-6005, 6007 这6个端口，主要配置如下：
+
+```ini
+# frpc.ini
+[range:test_tcp]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 6000-6006,6007
+remote_port = 6000-6006,6007
+```
+
+实际连接成功后会创建 6 个 proxy，命名为 `test_tcp_0, test_tcp_1 ... test_tcp_5`。
+
+### 插件
+
+默认情况下，frpc 只会转发请求到本地 tcp 或 udp 端口。
+
+插件模式是为了在客户端提供更加丰富的功能，目前内置的插件有 `unix_domain_socket`、`http_proxy`、`socks5`、`static_file`。具体使用方式请查看[使用示例](#使用示例)。
+
+通过 `plugin` 指定需要使用的插件，插件的配置参数都以 `plugin_` 开头。使用插件后 `local_ip` 和 `local_port` 不再需要配置。
+
+使用 **http_proxy** 插件的示例:
+
+```ini
+# frpc.ini
+[http_proxy]
+type = tcp
+remote_port = 6000
+plugin = http_proxy
+plugin_http_user = abc
+plugin_http_passwd = abc
+```
+
+`plugin_http_user` 和 `plugin_http_passwd` 即为 `http_proxy` 插件可选的配置参数。
+
 ## 开发计划

 计划在后续版本中加入的功能与优化，排名不分先后，如果有其他功能建议欢迎在 [issues](https://github.com/fatedier/frp/issues) 中反馈。
@@ -387,10 +687,6 @@ http_proxy = http://user:pwd@192.168.1.128:8080
 * frps 记录 http 请求日志。
 * frps 支持直接反向代理，类似 haproxy。
 * frpc 支持负载均衡到后端不同服务。
-* frpc 支持直接作为 webserver 访问指定静态页面。
-* frpc 完全控制模式，通过 dashboard 对 frpc 进行在线操作。
-* 支持 udp 打洞的方式，提供两边内网机器直接通信，流量不经过服务器转发。
-* 支持 plugin，frpc 获取到的连接可以交给指定 plugin 处理，例如 http 代理，简单的 web server。
 * 集成对 k8s 等平台的支持。

 ## 为 frp 做贡献
@@ -416,6 +712,10 @@ frp 交流群：606194980 (QQ 群号)

 ![donate-alipay](/doc/pic/donate-alipay.png)

+### 微信支付捐赠
+
+![donate-wechatpay](/doc/pic/donate-wechatpay.png)
+
 ### Paypal 捐赠

 海外用户推荐通过 [Paypal](https://www.paypal.me/fatedier) 向我的账户 **fatedier@gmail.com** 进行捐赠。
--- a/assets/static/index.html
+++ b/assets/static/index.html
@@ -1 +1 @@
-<!DOCTYPE html> <html lang=en> <head> <meta charset=utf-8> <title>frps dashboard</title> <link rel="shortcut icon" href="favicon.ico"></head> <body> <div id=app></div> <script type="text/javascript" src="manifest.js?b52826060da73c6b5a10"></script><script type="text/javascript" src="vendor.js?66dfcf2d1c500e900413"></script><script type="text/javascript" src="index.js?ceb589f1be7a87112dbd"></script></body> </html> 
+<!DOCTYPE html> <html lang=en> <head> <meta charset=utf-8> <title>frps dashboard</title> <link rel="shortcut icon" href="favicon.ico"></head> <body> <div id=app></div> <script type="text/javascript" src="manifest.js?facf06d98c7e1aea259d"></script><script type="text/javascript" src="vendor.js?a05a344be2b42183469b"></script><script type="text/javascript" src="index.js?a914c2dc7a5bb16ad443"></script></body> </html> 
--- a/assets/static/index.js
+++ b/assets/static/index.js
--- a/assets/static/manifest.js
+++ b/assets/static/manifest.js
@@ -1 +1 @@
-!function(e){function r(n){if(t[n])return t[n].exports;var o=t[n]={i:n,l:!1,exports:{}};return e[n].call(o.exports,o,o.exports,r),o.l=!0,o.exports}var n=window.webpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length;l++)a=t[l],o[a]&&s.push(o[a][0]),o[a]=0;for(i in c)Object.prototype.hasOwnProperty.call(c,i)&&(e[i]=c[i]);for(n&&n(t,c,u);s.length;)s.shift()();if(u)for(l=0;l<u.length;l++)f=r(r.s=u[l]);return f};var t={},o={2:0};r.e=function(e){function n(){u.onerror=u.onload=null,clearTimeout(i);var r=o[e];0!==r&&(r&&r[1](new Error("Loading chunk "+e+" failed.")),o[e]=void 0)}if(0===o[e])return Promise.resolve();if(o[e])return o[e][2];var t=new Promise(function(r,n){o[e]=[r,n]});o[e][2]=t;var c=document.getElementsByTagName("head")[0],u=document.createElement("script");u.type="text/javascript",u.charset="utf-8",u.async=!0,u.timeout=12e4,r.nc&&u.setAttribute("nonce",r.nc),u.src=r.p+""+e+".js?"+{0:"ceb589f1be7a87112dbd",1:"66dfcf2d1c500e900413"}[e];var i=setTimeout(n,12e4);return u.onerror=u.onload=n,c.appendChild(u),t},r.m=e,r.c=t,r.i=function(e){return e},r.d=function(e,n,t){r.o(e,n)||Object.defineProperty(e,n,{configurable:!1,enumerable:!0,get:t})},r.n=function(e){var n=e&&e.__esModule?function(){return e.default}:function(){return e};return r.d(n,"a",n),n},r.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},r.p="",r.oe=function(e){throw console.error(e),e}}([]);
+!function(e){function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}var r=window.webpackJsonp;window.webpackJsonp=function(t,a,c){for(var u,i,f,l=0,s=[];l<t.length;l++)i=t[l],o[i]&&s.push(o[i][0]),o[i]=0;for(u in a)Object.prototype.hasOwnProperty.call(a,u)&&(e[u]=a[u]);for(r&&r(t,a,c);s.length;)s.shift()();if(c)for(l=0;l<c.length;l++)f=n(n.s=c[l]);return f};var t={},o={2:0};n.e=function(e){function r(){u.onerror=u.onload=null,clearTimeout(i);var n=o[e];0!==n&&(n&&n[1](new Error("Loading chunk "+e+" failed.")),o[e]=void 0)}var t=o[e];if(0===t)return new Promise(function(e){e()});if(t)return t[2];var a=new Promise(function(n,r){t=o[e]=[n,r]});t[2]=a;var c=document.getElementsByTagName("head")[0],u=document.createElement("script");u.type="text/javascript",u.charset="utf-8",u.async=!0,u.timeout=12e4,n.nc&&u.setAttribute("nonce",n.nc),u.src=n.p+""+e+".js?"+{0:"a914c2dc7a5bb16ad443",1:"a05a344be2b42183469b"}[e];var i=setTimeout(r,12e4);return u.onerror=u.onload=r,c.appendChild(u),a},n.m=e,n.c=t,n.i=function(e){return e},n.d=function(e,r,t){n.o(e,r)||Object.defineProperty(e,r,{configurable:!1,enumerable:!0,get:t})},n.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(r,"a",r),r},n.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},n.p="",n.oe=function(e){throw console.error(e),e}}([]);
--- a/assets/static/vendor.js
+++ b/assets/static/vendor.js
--- a/assets/statik/statik.go
+++ b/assets/statik/statik.go
--- a/client/admin.go
+++ b/client/admin.go
@@ -0,0 +1,61 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/fatedier/frp/models/config"
+	frpNet "github.com/fatedier/frp/utils/net"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+var (
+	httpServerReadTimeout  = 10 * time.Second
+	httpServerWriteTimeout = 10 * time.Second
+)
+
+func (svr *Service) RunAdminServer(addr string, port int) (err error) {
+	// url router
+	router := httprouter.New()
+
+	user, passwd := config.ClientCommonCfg.AdminUser, config.ClientCommonCfg.AdminPwd
+
+	// api, see dashboard_api.go
+	router.GET("/api/reload", frpNet.HttprouterBasicAuth(svr.apiReload, user, passwd))
+	router.GET("/api/status", frpNet.HttprouterBasicAuth(svr.apiStatus, user, passwd))
+
+	address := fmt.Sprintf("%s:%d", addr, port)
+	server := &http.Server{
+		Addr:         address,
+		Handler:      router,
+		ReadTimeout:  httpServerReadTimeout,
+		WriteTimeout: httpServerWriteTimeout,
+	}
+	if address == "" {
+		address = ":http"
+	}
+	ln, err := net.Listen("tcp", address)
+	if err != nil {
+		return err
+	}
+
+	go server.Serve(ln)
+	return
+}
--- a/client/admin_api.go
+++ b/client/admin_api.go
@@ -0,0 +1,211 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"sort"
+	"strings"
+
+	"github.com/julienschmidt/httprouter"
+	ini "github.com/vaughan0/go-ini"
+
+	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/utils/log"
+)
+
+type GeneralResponse struct {
+	Code int64  `json:"code"`
+	Msg  string `json:"msg"`
+}
+
+// api/reload
+type ReloadResp struct {
+	GeneralResponse
+}
+
+func (svr *Service) apiReload(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var (
+		buf []byte
+		res ReloadResp
+	)
+	defer func() {
+		log.Info("Http response [/api/reload]: code [%d]", res.Code)
+		buf, _ = json.Marshal(&res)
+		w.Write(buf)
+	}()
+
+	log.Info("Http request: [/api/reload]")
+
+	conf, err := ini.LoadFile(config.ClientCommonCfg.ConfigFile)
+	if err != nil {
+		res.Code = 1
+		res.Msg = err.Error()
+		log.Error("reload frpc config file error: %v", err)
+		return
+	}
+
+	newCommonCfg, err := config.LoadClientCommonConf(conf)
+	if err != nil {
+		res.Code = 2
+		res.Msg = err.Error()
+		log.Error("reload frpc common section error: %v", err)
+		return
+	}
+
+	pxyCfgs, visitorCfgs, err := config.LoadProxyConfFromFile(config.ClientCommonCfg.User, conf, newCommonCfg.Start)
+	if err != nil {
+		res.Code = 3
+		res.Msg = err.Error()
+		log.Error("reload frpc proxy config error: %v", err)
+		return
+	}
+
+	err = svr.ctl.reloadConf(pxyCfgs, visitorCfgs)
+	if err != nil {
+		res.Code = 4
+		res.Msg = err.Error()
+		log.Error("reload frpc proxy config error: %v", err)
+		return
+	}
+	log.Info("success reload conf")
+	return
+}
+
+type StatusResp struct {
+	Tcp   []ProxyStatusResp `json:"tcp"`
+	Udp   []ProxyStatusResp `json:"udp"`
+	Http  []ProxyStatusResp `json:"http"`
+	Https []ProxyStatusResp `json:"https"`
+	Stcp  []ProxyStatusResp `json:"stcp"`
+	Xtcp  []ProxyStatusResp `json:"xtcp"`
+}
+
+type ProxyStatusResp struct {
+	Name       string `json:"name"`
+	Type       string `json:"type"`
+	Status     string `json:"status"`
+	Err        string `json:"err"`
+	LocalAddr  string `json:"local_addr"`
+	Plugin     string `json:"plugin"`
+	RemoteAddr string `json:"remote_addr"`
+}
+
+type ByProxyStatusResp []ProxyStatusResp
+
+func (a ByProxyStatusResp) Len() int           { return len(a) }
+func (a ByProxyStatusResp) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a ByProxyStatusResp) Less(i, j int) bool { return strings.Compare(a[i].Name, a[j].Name) < 0 }
+
+func NewProxyStatusResp(status *ProxyStatus) ProxyStatusResp {
+	psr := ProxyStatusResp{
+		Name:   status.Name,
+		Type:   status.Type,
+		Status: status.Status,
+		Err:    status.Err,
+	}
+	switch cfg := status.Cfg.(type) {
+	case *config.TcpProxyConf:
+		if cfg.LocalPort != 0 {
+			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		}
+		psr.Plugin = cfg.Plugin
+		if status.Err != "" {
+			psr.RemoteAddr = fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, cfg.RemotePort)
+		} else {
+			psr.RemoteAddr = config.ClientCommonCfg.ServerAddr + status.RemoteAddr
+		}
+	case *config.UdpProxyConf:
+		if cfg.LocalPort != 0 {
+			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		}
+		if status.Err != "" {
+			psr.RemoteAddr = fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, cfg.RemotePort)
+		} else {
+			psr.RemoteAddr = config.ClientCommonCfg.ServerAddr + status.RemoteAddr
+		}
+	case *config.HttpProxyConf:
+		if cfg.LocalPort != 0 {
+			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		}
+		psr.Plugin = cfg.Plugin
+		psr.RemoteAddr = status.RemoteAddr
+	case *config.HttpsProxyConf:
+		if cfg.LocalPort != 0 {
+			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		}
+		psr.Plugin = cfg.Plugin
+		psr.RemoteAddr = status.RemoteAddr
+	case *config.StcpProxyConf:
+		if cfg.LocalPort != 0 {
+			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		}
+		psr.Plugin = cfg.Plugin
+	case *config.XtcpProxyConf:
+		if cfg.LocalPort != 0 {
+			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		}
+		psr.Plugin = cfg.Plugin
+	}
+	return psr
+}
+
+// api/status
+func (svr *Service) apiStatus(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var (
+		buf []byte
+		res StatusResp
+	)
+	res.Tcp = make([]ProxyStatusResp, 0)
+	res.Udp = make([]ProxyStatusResp, 0)
+	res.Http = make([]ProxyStatusResp, 0)
+	res.Https = make([]ProxyStatusResp, 0)
+	res.Stcp = make([]ProxyStatusResp, 0)
+	res.Xtcp = make([]ProxyStatusResp, 0)
+	defer func() {
+		log.Info("Http response [/api/status]")
+		buf, _ = json.Marshal(&res)
+		w.Write(buf)
+	}()
+
+	log.Info("Http request: [/api/status]")
+
+	ps := svr.ctl.pm.GetAllProxyStatus()
+	for _, status := range ps {
+		switch status.Type {
+		case "tcp":
+			res.Tcp = append(res.Tcp, NewProxyStatusResp(status))
+		case "udp":
+			res.Udp = append(res.Udp, NewProxyStatusResp(status))
+		case "http":
+			res.Http = append(res.Http, NewProxyStatusResp(status))
+		case "https":
+			res.Https = append(res.Https, NewProxyStatusResp(status))
+		case "stcp":
+			res.Stcp = append(res.Stcp, NewProxyStatusResp(status))
+		case "xtcp":
+			res.Xtcp = append(res.Xtcp, NewProxyStatusResp(status))
+		}
+	}
+	sort.Sort(ByProxyStatusResp(res.Tcp))
+	sort.Sort(ByProxyStatusResp(res.Udp))
+	sort.Sort(ByProxyStatusResp(res.Http))
+	sort.Sort(ByProxyStatusResp(res.Https))
+	sort.Sort(ByProxyStatusResp(res.Stcp))
+	sort.Sort(ByProxyStatusResp(res.Xtcp))
+	return
+}
--- a/client/control.go
+++ b/client/control.go
@@ -25,7 +25,8 @@ import (
 	"github.com/fatedier/frp/models/msg"
 	"github.com/fatedier/frp/utils/crypto"
 	"github.com/fatedier/frp/utils/log"
-	"github.com/fatedier/frp/utils/net"
+	frpNet "github.com/fatedier/frp/utils/net"
+	"github.com/fatedier/frp/utils/shutdown"
 	"github.com/fatedier/frp/utils/util"
 	"github.com/fatedier/frp/utils/version"
 	"github.com/xtaci/smux"
@@ -39,17 +40,13 @@ type Control struct {
 	// frpc service
 	svr *Service

-	// login message to server
+	// login message to server, only used
 	loginMsg *msg.Login

-	// proxy configures
-	pxyCfgs map[string]config.ProxyConf
-
-	// proxies
-	proxies map[string]Proxy
+	pm *ProxyManager

 	// control connection
-	conn net.Conn
+	conn frpNet.Conn

 	// tcp stream multiplexing, if enabled
 	session *smux.Session
@@ -63,8 +60,8 @@ type Control struct {
 	// run id got from server
 	runId string

-	// connection or other error happens , control will try to reconnect to server
-	closed int32
+	// if we call close() in control, do not reconnect to server
+	exit bool

 	// goroutines can block by reading from this channel, it will be closed only in reader() when control connection is closed
 	closedCh chan int
@@ -72,12 +69,16 @@ type Control struct {
 	// last time got the Pong message
 	lastPong time.Time

+	readerShutdown     *shutdown.Shutdown
+	writerShutdown     *shutdown.Shutdown
+	msgHandlerShutdown *shutdown.Shutdown
+
 	mu sync.RWMutex

 	log.Logger
 }

-func NewControl(svr *Service, pxyCfgs map[string]config.ProxyConf) *Control {
+func NewControl(svr *Service, pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.ProxyConf) *Control {
 	loginMsg := &msg.Login{
 		Arch:      runtime.GOARCH,
 		Os:        runtime.GOOS,
@@ -85,66 +86,52 @@ func NewControl(svr *Service, pxyCfgs map[string]config.ProxyConf) *Control {
 		User:      config.ClientCommonCfg.User,
 		Version:   version.Full(),
 	}
-	return &Control{
-		svr:      svr,
-		loginMsg: loginMsg,
-		pxyCfgs:  pxyCfgs,
-		proxies:  make(map[string]Proxy),
-		sendCh:   make(chan msg.Message, 10),
-		readCh:   make(chan msg.Message, 10),
-		closedCh: make(chan int),
-		Logger:   log.NewPrefixLogger(""),
+	ctl := &Control{
+		svr:                svr,
+		loginMsg:           loginMsg,
+		sendCh:             make(chan msg.Message, 100),
+		readCh:             make(chan msg.Message, 100),
+		closedCh:           make(chan int),
+		readerShutdown:     shutdown.New(),
+		writerShutdown:     shutdown.New(),
+		msgHandlerShutdown: shutdown.New(),
+		Logger:             log.NewPrefixLogger(""),
 	}
+	ctl.pm = NewProxyManager(ctl, ctl.sendCh, "")
+	ctl.pm.Reload(pxyCfgs, visitorCfgs, false)
+	return ctl
 }

-// 1. login
-// 2. start reader() writer() manager()
-// 3. connection closed
-// 4. In reader(): close closedCh and exit, controler() get it
-// 5. In controler(): close readCh and sendCh, manager() and writer() will exit
-// 6. In controler(): ini readCh, sendCh, closedCh
-// 7. In controler(): start new reader(), writer(), manager()
-// controler() will keep running
-func (ctl *Control) Run() error {
-	err := ctl.login()
-	if err != nil {
-		return err
+func (ctl *Control) Run() (err error) {
+	for {
+		err = ctl.login()
+		if err != nil {
+			ctl.Warn("login to server failed: %v", err)
+
+			// if login_fail_exit is true, just exit this program
+			// otherwise sleep a while and continues relogin to server
+			if config.ClientCommonCfg.LoginFailExit {
+				return
+			} else {
+				time.Sleep(10 * time.Second)
+			}
+		} else {
+			break
+		}
 	}

-	go ctl.controler()
-	go ctl.manager()
-	go ctl.writer()
-	go ctl.reader()
+	go ctl.worker()

-	// send NewProxy message for all configured proxies
-	for _, cfg := range ctl.pxyCfgs {
-		var newProxyMsg msg.NewProxy
-		cfg.UnMarshalToMsg(&newProxyMsg)
-		ctl.sendCh <- &newProxyMsg
-	}
+	// start all local visitors and send NewProxy message for all configured proxies
+	ctl.pm.Reset(ctl.sendCh, ctl.runId)
+	ctl.pm.CheckAndStartProxy([]string{ProxyStatusNew})
 	return nil
 }

-func (ctl *Control) NewWorkConn() {
-	var (
-		workConn net.Conn
-		err      error
-	)
-	if config.ClientCommonCfg.TcpMux {
-		stream, err := ctl.session.OpenStream()
-		if err != nil {
-			ctl.Warn("start new work connection error: %v", err)
-			return
-		}
-		workConn = net.WrapConn(stream)
-
-	} else {
-		workConn, err = net.ConnectTcpServerByHttpProxy(config.ClientCommonCfg.HttpProxy,
-			fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, config.ClientCommonCfg.ServerPort))
-		if err != nil {
-			ctl.Warn("start new work connection error: %v", err)
-			return
-		}
+func (ctl *Control) HandleReqWorkConn(inMsg *msg.ReqWorkConn) {
+	workConn, err := ctl.connectServer()
+	if err != nil {
+		return
 	}

 	m := &msg.NewWorkConn{
@@ -165,18 +152,26 @@ func (ctl *Control) NewWorkConn() {
 	workConn.AddLogPrefix(startMsg.ProxyName)

 	// dispatch this work connection to related proxy
-	if pxy, ok := ctl.proxies[startMsg.ProxyName]; ok {
-		workConn.Info("start a new work connection, localAddr: %s remoteAddr: %s", workConn.LocalAddr().String(), workConn.RemoteAddr().String())
-		go pxy.InWorkConn(workConn)
+	ctl.pm.HandleWorkConn(startMsg.ProxyName, workConn)
+}
+
+func (ctl *Control) HandleNewProxyResp(inMsg *msg.NewProxyResp) {
+	// Server will return NewProxyResp message to each NewProxy message.
+	// Start a new proxy handler if no error got
+	err := ctl.pm.StartProxy(inMsg.ProxyName, inMsg.RemoteAddr, inMsg.Error)
+	if err != nil {
+		ctl.Warn("[%s] start error: %v", inMsg.ProxyName, err)
 	} else {
-		workConn.Close()
+		ctl.Info("[%s] start proxy success", inMsg.ProxyName)
 	}
 }

-func (ctl *Control) init() {
-	ctl.sendCh = make(chan msg.Message, 10)
-	ctl.readCh = make(chan msg.Message, 10)
-	ctl.closedCh = make(chan int)
+func (ctl *Control) Close() error {
+	ctl.mu.Lock()
+	defer ctl.mu.Unlock()
+	ctl.exit = true
+	ctl.pm.CloseProxies()
+	return nil
 }

 // login send a login message to server and wait for a loginResp message.
@@ -188,7 +183,7 @@ func (ctl *Control) login() (err error) {
 		ctl.session.Close()
 	}

-	conn, err := net.ConnectTcpServerByHttpProxy(config.ClientCommonCfg.HttpProxy,
+	conn, err := frpNet.ConnectServerByHttpProxy(config.ClientCommonCfg.HttpProxy, config.ClientCommonCfg.Protocol,
 		fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, config.ClientCommonCfg.ServerPort))
 	if err != nil {
 		return err
@@ -210,7 +205,7 @@ func (ctl *Control) login() (err error) {
 			session.Close()
 			return errRet
 		}
-		conn = net.WrapConn(stream)
+		conn = frpNet.WrapConn(stream)
 		ctl.session = session
 	}

@@ -239,23 +234,41 @@ func (ctl *Control) login() (err error) {
 	ctl.conn = conn
 	// update runId got from server
 	ctl.runId = loginRespMsg.RunId
+	config.ClientCommonCfg.ServerUdpPort = loginRespMsg.ServerUdpPort
 	ctl.ClearLogPrefix()
 	ctl.AddLogPrefix(loginRespMsg.RunId)
-	ctl.Info("login to server success, get run id [%s]", loginRespMsg.RunId)
-
-	// login success, so we let closedCh available again
-	ctl.closedCh = make(chan int)
-	ctl.lastPong = time.Now()
-
+	ctl.Info("login to server success, get run id [%s], server udp port [%d]", loginRespMsg.RunId, loginRespMsg.ServerUdpPort)
 	return nil
 }

+func (ctl *Control) connectServer() (conn frpNet.Conn, err error) {
+	if config.ClientCommonCfg.TcpMux {
+		stream, errRet := ctl.session.OpenStream()
+		if errRet != nil {
+			err = errRet
+			ctl.Warn("start new connection to server error: %v", err)
+			return
+		}
+		conn = frpNet.WrapConn(stream)
+	} else {
+		conn, err = frpNet.ConnectServerByHttpProxy(config.ClientCommonCfg.HttpProxy, config.ClientCommonCfg.Protocol,
+			fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, config.ClientCommonCfg.ServerPort))
+		if err != nil {
+			ctl.Warn("start new connection to server error: %v", err)
+			return
+		}
+	}
+	return
+}
+
+// reader read all messages from frps and send to readCh
 func (ctl *Control) reader() {
 	defer func() {
 		if err := recover(); err != nil {
 			ctl.Error("panic error: %v", err)
 		}
 	}()
+	defer ctl.readerShutdown.Done()
 	defer close(ctl.closedCh)

 	encReader := crypto.NewReader(ctl.conn, []byte(config.ClientCommonCfg.PrivilegeToken))
@@ -274,7 +287,9 @@ func (ctl *Control) reader() {
 	}
 }

+// writer writes messages got from sendCh to frps
 func (ctl *Control) writer() {
+	defer ctl.writerShutdown.Done()
 	encWriter, err := crypto.NewWriter(ctl.conn, []byte(config.ClientCommonCfg.PrivilegeToken))
 	if err != nil {
 		ctl.conn.Error("crypto new writer error: %v", err)
@@ -294,18 +309,22 @@ func (ctl *Control) writer() {
 	}
 }

-func (ctl *Control) manager() {
+// msgHandler handles all channel events and do corresponding operations.
+func (ctl *Control) msgHandler() {
 	defer func() {
 		if err := recover(); err != nil {
 			ctl.Error("panic error: %v", err)
 		}
 	}()
+	defer ctl.msgHandlerShutdown.Done()

 	hbSend := time.NewTicker(time.Duration(config.ClientCommonCfg.HeartBeatInterval) * time.Second)
 	defer hbSend.Stop()
 	hbCheck := time.NewTicker(time.Second)
 	defer hbCheck.Stop()

+	ctl.lastPong = time.Now()
+
 	for {
 		select {
 		case <-hbSend.C:
@@ -326,31 +345,9 @@ func (ctl *Control) manager() {

 			switch m := rawMsg.(type) {
 			case *msg.ReqWorkConn:
-				go ctl.NewWorkConn()
+				go ctl.HandleReqWorkConn(m)
 			case *msg.NewProxyResp:
-				// Server will return NewProxyResp message to each NewProxy message.
-				// Start a new proxy handler if no error got
-				if m.Error != "" {
-					ctl.Warn("[%s] start error: %s", m.ProxyName, m.Error)
-					continue
-				}
-				cfg, ok := ctl.pxyCfgs[m.ProxyName]
-				if !ok {
-					// it will never go to this branch now
-					ctl.Warn("[%s] no proxy conf found", m.ProxyName)
-					continue
-				}
-				oldPxy, ok := ctl.proxies[m.ProxyName]
-				if ok {
-					oldPxy.Close()
-				}
-				pxy := NewProxy(ctl, cfg)
-				if err := pxy.Run(); err != nil {
-					ctl.Warn("[%s] proxy start running error: %v", m.ProxyName, err)
-					continue
-				}
-				ctl.proxies[m.ProxyName] = pxy
-				ctl.Info("[%s] start proxy success", m.ProxyName)
+				ctl.HandleNewProxyResp(m)
 			case *msg.Pong:
 				ctl.lastPong = time.Now()
 				ctl.Debug("receive heartbeat from server")
@@ -359,39 +356,45 @@ func (ctl *Control) manager() {
 	}
 }

-// control keep watching closedCh, start a new connection if previous control connection is closed
-func (ctl *Control) controler() {
+// controler keep watching closedCh, start a new connection if previous control connection is closed.
+// If controler is notified by closedCh, reader and writer and handler will exit, then recall these functions.
+func (ctl *Control) worker() {
+	go ctl.msgHandler()
+	go ctl.reader()
+	go ctl.writer()
+
 	var err error
-	maxDelayTime := 30 * time.Second
+	maxDelayTime := 20 * time.Second
 	delayTime := time.Second

-	checkInterval := 30 * time.Second
+	checkInterval := 60 * time.Second
 	checkProxyTicker := time.NewTicker(checkInterval)
 	for {
 		select {
 		case <-checkProxyTicker.C:
-			// Every 30 seconds, check which proxy registered failed and reregister it to server.
-			for _, cfg := range ctl.pxyCfgs {
-				if _, exist := ctl.proxies[cfg.GetName()]; !exist {
-					ctl.Info("try to reregister proxy [%s]", cfg.GetName())
-					var newProxyMsg msg.NewProxy
-					cfg.UnMarshalToMsg(&newProxyMsg)
-					ctl.sendCh <- &newProxyMsg
-				}
-			}
+			// check which proxy registered failed and reregister it to server
+			ctl.pm.CheckAndStartProxy([]string{ProxyStatusStartErr, ProxyStatusClosed})
 		case _, ok := <-ctl.closedCh:
 			// we won't get any variable from this channel
 			if !ok {
-				// close related channels
+				// close related channels and wait until other goroutines done
 				close(ctl.readCh)
+				ctl.readerShutdown.WaitDone()
+				ctl.msgHandlerShutdown.WaitDone()
+
 				close(ctl.sendCh)
+				ctl.writerShutdown.WaitDone()

-				for _, pxy := range ctl.proxies {
-					pxy.Close()
+				ctl.pm.CloseProxies()
+				// if ctl.exit is true, just exit
+				ctl.mu.RLock()
+				exit := ctl.exit
+				ctl.mu.RUnlock()
+				if exit {
+					return
 				}
-				time.Sleep(time.Second)

-				// loop util reconnect to server success
+				// loop util reconnecting to server success
 				for {
 					ctl.Info("try to reconnect to server...")
 					err = ctl.login()
@@ -404,25 +407,27 @@ func (ctl *Control) controler() {
 						}
 						continue
 					}
-					// reconnect success, init the delayTime
+					// reconnect success, init delayTime
 					delayTime = time.Second
 					break
 				}

 				// init related channels and variables
-				ctl.init()
+				ctl.sendCh = make(chan msg.Message, 100)
+				ctl.readCh = make(chan msg.Message, 100)
+				ctl.closedCh = make(chan int)
+				ctl.readerShutdown = shutdown.New()
+				ctl.writerShutdown = shutdown.New()
+				ctl.msgHandlerShutdown = shutdown.New()
+				ctl.pm.Reset(ctl.sendCh, ctl.runId)

 				// previous work goroutines should be closed and start them here
-				go ctl.manager()
+				go ctl.msgHandler()
 				go ctl.writer()
 				go ctl.reader()

-				// send NewProxy message for all configured proxies
-				for _, cfg := range ctl.pxyCfgs {
-					var newProxyMsg msg.NewProxy
-					cfg.UnMarshalToMsg(&newProxyMsg)
-					ctl.sendCh <- &newProxyMsg
-				}
+				// start all configured proxies
+				ctl.pm.CheckAndStartProxy([]string{ProxyStatusNew, ProxyStatusClosed})

 				checkProxyTicker.Stop()
 				checkProxyTicker = time.NewTicker(checkInterval)
@@ -430,3 +435,8 @@ func (ctl *Control) controler() {
 		}
 	}
 }
+
+func (ctl *Control) reloadConf(pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.ProxyConf) error {
+	err := ctl.pm.Reload(pxyCfgs, visitorCfgs, true)
+	return err
+}
--- a/client/proxy.go
+++ b/client/proxy.go
@@ -15,6 +15,7 @@
 package client

 import (
+	"bytes"
 	"fmt"
 	"io"
 	"net"
@@ -23,26 +24,28 @@ import (

 	"github.com/fatedier/frp/models/config"
 	"github.com/fatedier/frp/models/msg"
-	"github.com/fatedier/frp/models/proto/tcp"
+	"github.com/fatedier/frp/models/plugin"
 	"github.com/fatedier/frp/models/proto/udp"
 	"github.com/fatedier/frp/utils/errors"
+	frpIo "github.com/fatedier/frp/utils/io"
 	"github.com/fatedier/frp/utils/log"
 	frpNet "github.com/fatedier/frp/utils/net"
+	"github.com/fatedier/frp/utils/pool"
 )

-// Proxy defines how to work for different proxy type.
+// Proxy defines how to deal with work connections for different proxy type.
 type Proxy interface {
 	Run() error

 	// InWorkConn accept work connections registered to server.
 	InWorkConn(conn frpNet.Conn)
+
 	Close()
 	log.Logger
 }

-func NewProxy(ctl *Control, pxyConf config.ProxyConf) (pxy Proxy) {
+func NewProxy(pxyConf config.ProxyConf) (pxy Proxy) {
 	baseProxy := BaseProxy{
-		ctl:    ctl,
 		Logger: log.NewPrefixLogger(pxyConf.GetName()),
 	}
 	switch cfg := pxyConf.(type) {
@@ -66,12 +69,21 @@ func NewProxy(ctl *Control, pxyConf config.ProxyConf) (pxy Proxy) {
 			BaseProxy: baseProxy,
 			cfg:       cfg,
 		}
+	case *config.StcpProxyConf:
+		pxy = &StcpProxy{
+			BaseProxy: baseProxy,
+			cfg:       cfg,
+		}
+	case *config.XtcpProxyConf:
+		pxy = &XtcpProxy{
+			BaseProxy: baseProxy,
+			cfg:       cfg,
+		}
 	}
 	return
 }

 type BaseProxy struct {
-	ctl    *Control
 	closed bool
 	mu     sync.RWMutex
 	log.Logger
@@ -81,57 +93,209 @@ type BaseProxy struct {
 type TcpProxy struct {
 	BaseProxy

-	cfg *config.TcpProxyConf
+	cfg         *config.TcpProxyConf
+	proxyPlugin plugin.Plugin
 }

 func (pxy *TcpProxy) Run() (err error) {
+	if pxy.cfg.Plugin != "" {
+		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
+		if err != nil {
+			return
+		}
+	}
 	return
 }

 func (pxy *TcpProxy) Close() {
+	if pxy.proxyPlugin != nil {
+		pxy.proxyPlugin.Close()
+	}
 }

 func (pxy *TcpProxy) InWorkConn(conn frpNet.Conn) {
-	defer conn.Close()
-	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, &pxy.cfg.BaseProxyConf, conn)
+	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, conn,
+		[]byte(config.ClientCommonCfg.PrivilegeToken))
 }

 // HTTP
 type HttpProxy struct {
 	BaseProxy

-	cfg *config.HttpProxyConf
+	cfg         *config.HttpProxyConf
+	proxyPlugin plugin.Plugin
 }

 func (pxy *HttpProxy) Run() (err error) {
+	if pxy.cfg.Plugin != "" {
+		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
+		if err != nil {
+			return
+		}
+	}
 	return
 }

 func (pxy *HttpProxy) Close() {
+	if pxy.proxyPlugin != nil {
+		pxy.proxyPlugin.Close()
+	}
 }

 func (pxy *HttpProxy) InWorkConn(conn frpNet.Conn) {
-	defer conn.Close()
-	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, &pxy.cfg.BaseProxyConf, conn)
+	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, conn,
+		[]byte(config.ClientCommonCfg.PrivilegeToken))
 }

 // HTTPS
 type HttpsProxy struct {
 	BaseProxy

-	cfg *config.HttpsProxyConf
+	cfg         *config.HttpsProxyConf
+	proxyPlugin plugin.Plugin
 }

 func (pxy *HttpsProxy) Run() (err error) {
+	if pxy.cfg.Plugin != "" {
+		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
+		if err != nil {
+			return
+		}
+	}
 	return
 }

 func (pxy *HttpsProxy) Close() {
+	if pxy.proxyPlugin != nil {
+		pxy.proxyPlugin.Close()
+	}
 }

 func (pxy *HttpsProxy) InWorkConn(conn frpNet.Conn) {
+	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, conn,
+		[]byte(config.ClientCommonCfg.PrivilegeToken))
+}
+
+// STCP
+type StcpProxy struct {
+	BaseProxy
+
+	cfg         *config.StcpProxyConf
+	proxyPlugin plugin.Plugin
+}
+
+func (pxy *StcpProxy) Run() (err error) {
+	if pxy.cfg.Plugin != "" {
+		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+
+func (pxy *StcpProxy) Close() {
+	if pxy.proxyPlugin != nil {
+		pxy.proxyPlugin.Close()
+	}
+}
+
+func (pxy *StcpProxy) InWorkConn(conn frpNet.Conn) {
+	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, conn,
+		[]byte(config.ClientCommonCfg.PrivilegeToken))
+}
+
+// XTCP
+type XtcpProxy struct {
+	BaseProxy
+
+	cfg         *config.XtcpProxyConf
+	proxyPlugin plugin.Plugin
+}
+
+func (pxy *XtcpProxy) Run() (err error) {
+	if pxy.cfg.Plugin != "" {
+		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+
+func (pxy *XtcpProxy) Close() {
+	if pxy.proxyPlugin != nil {
+		pxy.proxyPlugin.Close()
+	}
+}
+
+func (pxy *XtcpProxy) InWorkConn(conn frpNet.Conn) {
 	defer conn.Close()
-	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, &pxy.cfg.BaseProxyConf, conn)
+	var natHoleSidMsg msg.NatHoleSid
+	err := msg.ReadMsgInto(conn, &natHoleSidMsg)
+	if err != nil {
+		pxy.Error("xtcp read from workConn error: %v", err)
+		return
+	}
+
+	natHoleClientMsg := &msg.NatHoleClient{
+		ProxyName: pxy.cfg.ProxyName,
+		Sid:       natHoleSidMsg.Sid,
+	}
+	raddr, _ := net.ResolveUDPAddr("udp",
+		fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, config.ClientCommonCfg.ServerUdpPort))
+	clientConn, err := net.DialUDP("udp", nil, raddr)
+	defer clientConn.Close()
+
+	err = msg.WriteMsg(clientConn, natHoleClientMsg)
+	if err != nil {
+		pxy.Error("send natHoleClientMsg to server error: %v", err)
+		return
+	}
+
+	// Wait for client address at most 5 seconds.
+	var natHoleRespMsg msg.NatHoleResp
+	clientConn.SetReadDeadline(time.Now().Add(5 * time.Second))
+
+	buf := pool.GetBuf(1024)
+	n, err := clientConn.Read(buf)
+	if err != nil {
+		pxy.Error("get natHoleRespMsg error: %v", err)
+		return
+	}
+	err = msg.ReadMsgInto(bytes.NewReader(buf[:n]), &natHoleRespMsg)
+	if err != nil {
+		pxy.Error("get natHoleRespMsg error: %v", err)
+		return
+	}
+	clientConn.SetReadDeadline(time.Time{})
+	clientConn.Close()
+	pxy.Trace("get natHoleRespMsg, sid [%s], client address [%s]", natHoleRespMsg.Sid, natHoleRespMsg.ClientAddr)
+
+	// Send sid to visitor udp address.
+	time.Sleep(time.Second)
+	laddr, _ := net.ResolveUDPAddr("udp", clientConn.LocalAddr().String())
+	daddr, err := net.ResolveUDPAddr("udp", natHoleRespMsg.VisitorAddr)
+	if err != nil {
+		pxy.Error("resolve visitor udp address error: %v", err)
+		return
+	}
+
+	lConn, err := net.DialUDP("udp", laddr, daddr)
+	if err != nil {
+		pxy.Error("dial visitor udp address error: %v", err)
+		return
+	}
+	lConn.Write([]byte(natHoleRespMsg.Sid))
+
+	kcpConn, err := frpNet.NewKcpConnFromUdp(lConn, true, natHoleRespMsg.VisitorAddr)
+	if err != nil {
+		pxy.Error("create kcp connection from udp connection error: %v", err)
+		return
+	}
+
+	HandleTcpWorkConnection(&pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf,
+		frpNet.WrapConn(kcpConn), []byte(pxy.cfg.Sk))
 }

 // UDP
@@ -240,27 +404,44 @@ func (pxy *UdpProxy) InWorkConn(conn frpNet.Conn) {
 }

 // Common handler for tcp work connections.
-func HandleTcpWorkConnection(localInfo *config.LocalSvrConf, baseInfo *config.BaseProxyConf, workConn frpNet.Conn) {
-	localConn, err := frpNet.ConnectTcpServer(fmt.Sprintf("%s:%d", localInfo.LocalIp, localInfo.LocalPort))
-	if err != nil {
-		workConn.Error("connect to local service [%s:%d] error: %v", localInfo.LocalIp, localInfo.LocalPort, err)
-		return
-	}
+func HandleTcpWorkConnection(localInfo *config.LocalSvrConf, proxyPlugin plugin.Plugin,
+	baseInfo *config.BaseProxyConf, workConn frpNet.Conn, encKey []byte) {

-	var remote io.ReadWriteCloser
+	var (
+		remote io.ReadWriteCloser
+		err    error
+	)
 	remote = workConn
+
 	if baseInfo.UseEncryption {
-		remote, err = tcp.WithEncryption(remote, []byte(config.ClientCommonCfg.PrivilegeToken))
+		remote, err = frpIo.WithEncryption(remote, encKey)
 		if err != nil {
+			workConn.Close()
 			workConn.Error("create encryption stream error: %v", err)
 			return
 		}
 	}
 	if baseInfo.UseCompression {
-		remote = tcp.WithCompression(remote)
+		remote = frpIo.WithCompression(remote)
+	}
+
+	if proxyPlugin != nil {
+		// if plugin is set, let plugin handle connections first
+		workConn.Debug("handle by plugin: %s", proxyPlugin.Name())
+		proxyPlugin.Handle(remote, workConn)
+		workConn.Debug("handle by plugin finished")
+		return
+	} else {
+		localConn, err := frpNet.ConnectServer("tcp", fmt.Sprintf("%s:%d", localInfo.LocalIp, localInfo.LocalPort))
+		if err != nil {
+			workConn.Close()
+			workConn.Error("connect to local service [%s:%d] error: %v", localInfo.LocalIp, localInfo.LocalPort, err)
+			return
+		}
+
+		workConn.Debug("join connections, localConn(l[%s] r[%s]) workConn(l[%s] r[%s])", localConn.LocalAddr().String(),
+			localConn.RemoteAddr().String(), workConn.LocalAddr().String(), workConn.RemoteAddr().String())
+		frpIo.Join(localConn, remote)
+		workConn.Debug("join connections closed")
 	}
-	workConn.Debug("join connections, localConn(l[%s] r[%s]) workConn(l[%s] r[%s])", localConn.LocalAddr().String(),
-		localConn.RemoteAddr().String(), workConn.LocalAddr().String(), workConn.RemoteAddr().String())
-	tcp.Join(localConn, remote)
-	workConn.Debug("join connections closed")
 }
--- a/client/proxy_manager.go
+++ b/client/proxy_manager.go
@@ -0,0 +1,363 @@
+package client
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/models/msg"
+	"github.com/fatedier/frp/utils/errors"
+	"github.com/fatedier/frp/utils/log"
+	frpNet "github.com/fatedier/frp/utils/net"
+)
+
+const (
+	ProxyStatusNew       = "new"
+	ProxyStatusStartErr  = "start error"
+	ProxyStatusWaitStart = "wait start"
+	ProxyStatusRunning   = "running"
+	ProxyStatusClosed    = "closed"
+)
+
+type ProxyManager struct {
+	ctl *Control
+
+	proxies map[string]*ProxyWrapper
+
+	visitorCfgs map[string]config.ProxyConf
+	visitors    map[string]Visitor
+
+	sendCh chan (msg.Message)
+
+	closed bool
+	mu     sync.RWMutex
+
+	log.Logger
+}
+
+type ProxyWrapper struct {
+	Name   string
+	Type   string
+	Status string
+	Err    string
+	Cfg    config.ProxyConf
+
+	RemoteAddr string
+
+	pxy Proxy
+
+	mu sync.RWMutex
+}
+
+type ProxyStatus struct {
+	Name   string           `json:"name"`
+	Type   string           `json:"type"`
+	Status string           `json:"status"`
+	Err    string           `json:"err"`
+	Cfg    config.ProxyConf `json:"cfg"`
+
+	// Got from server.
+	RemoteAddr string `json:"remote_addr"`
+}
+
+func NewProxyWrapper(cfg config.ProxyConf) *ProxyWrapper {
+	return &ProxyWrapper{
+		Name:   cfg.GetName(),
+		Type:   cfg.GetType(),
+		Status: ProxyStatusNew,
+		Cfg:    cfg,
+		pxy:    nil,
+	}
+}
+
+func (pw *ProxyWrapper) GetStatusStr() string {
+	pw.mu.RLock()
+	defer pw.mu.RUnlock()
+	return pw.Status
+}
+
+func (pw *ProxyWrapper) GetStatus() *ProxyStatus {
+	pw.mu.RLock()
+	defer pw.mu.RUnlock()
+	ps := &ProxyStatus{
+		Name:       pw.Name,
+		Type:       pw.Type,
+		Status:     pw.Status,
+		Err:        pw.Err,
+		Cfg:        pw.Cfg,
+		RemoteAddr: pw.RemoteAddr,
+	}
+	return ps
+}
+
+func (pw *ProxyWrapper) WaitStart() {
+	pw.mu.Lock()
+	defer pw.mu.Unlock()
+	pw.Status = ProxyStatusWaitStart
+}
+
+func (pw *ProxyWrapper) Start(remoteAddr string, serverRespErr string) error {
+	if pw.pxy != nil {
+		pw.pxy.Close()
+		pw.pxy = nil
+	}
+
+	if serverRespErr != "" {
+		pw.mu.Lock()
+		pw.Status = ProxyStatusStartErr
+		pw.RemoteAddr = remoteAddr
+		pw.Err = serverRespErr
+		pw.mu.Unlock()
+		return fmt.Errorf(serverRespErr)
+	}
+
+	pxy := NewProxy(pw.Cfg)
+	pw.mu.Lock()
+	defer pw.mu.Unlock()
+	pw.RemoteAddr = remoteAddr
+	if err := pxy.Run(); err != nil {
+		pw.Status = ProxyStatusStartErr
+		pw.Err = err.Error()
+		return err
+	}
+	pw.Status = ProxyStatusRunning
+	pw.Err = ""
+	pw.pxy = pxy
+	return nil
+}
+
+func (pw *ProxyWrapper) InWorkConn(workConn frpNet.Conn) {
+	pw.mu.RLock()
+	pxy := pw.pxy
+	pw.mu.RUnlock()
+	if pxy != nil {
+		workConn.Debug("start a new work connection, localAddr: %s remoteAddr: %s", workConn.LocalAddr().String(), workConn.RemoteAddr().String())
+		go pxy.InWorkConn(workConn)
+	} else {
+		workConn.Close()
+	}
+}
+
+func (pw *ProxyWrapper) Close() {
+	pw.mu.Lock()
+	defer pw.mu.Unlock()
+	if pw.pxy != nil {
+		pw.pxy.Close()
+		pw.pxy = nil
+	}
+	pw.Status = ProxyStatusClosed
+}
+
+func NewProxyManager(ctl *Control, msgSendCh chan (msg.Message), logPrefix string) *ProxyManager {
+	return &ProxyManager{
+		ctl:         ctl,
+		proxies:     make(map[string]*ProxyWrapper),
+		visitorCfgs: make(map[string]config.ProxyConf),
+		visitors:    make(map[string]Visitor),
+		sendCh:      msgSendCh,
+		closed:      false,
+		Logger:      log.NewPrefixLogger(logPrefix),
+	}
+}
+
+func (pm *ProxyManager) Reset(msgSendCh chan (msg.Message), logPrefix string) {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+	pm.closed = false
+	pm.sendCh = msgSendCh
+	pm.ClearLogPrefix()
+	pm.AddLogPrefix(logPrefix)
+}
+
+// Must hold the lock before calling this function.
+func (pm *ProxyManager) sendMsg(m msg.Message) error {
+	err := errors.PanicToError(func() {
+		pm.sendCh <- m
+	})
+	if err != nil {
+		pm.closed = true
+	}
+	return err
+}
+
+func (pm *ProxyManager) StartProxy(name string, remoteAddr string, serverRespErr string) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+	if pm.closed {
+		return fmt.Errorf("ProxyManager is closed now")
+	}
+
+	pxy, ok := pm.proxies[name]
+	if !ok {
+		return fmt.Errorf("no proxy found")
+	}
+
+	if err := pxy.Start(remoteAddr, serverRespErr); err != nil {
+		errRet := err
+		err = pm.sendMsg(&msg.CloseProxy{
+			ProxyName: name,
+		})
+		if err != nil {
+			errRet = fmt.Errorf("send CloseProxy message error")
+		}
+		return errRet
+	}
+	return nil
+}
+
+func (pm *ProxyManager) CloseProxies() {
+	pm.mu.RLock()
+	defer pm.mu.RUnlock()
+	for _, pxy := range pm.proxies {
+		pxy.Close()
+	}
+}
+
+// pxyStatus: check and start proxies in which status
+func (pm *ProxyManager) CheckAndStartProxy(pxyStatus []string) {
+	pm.mu.RLock()
+	defer pm.mu.RUnlock()
+	if pm.closed {
+		pm.Warn("CheckAndStartProxy error: ProxyManager is closed now")
+		return
+	}
+
+	for _, pxy := range pm.proxies {
+		status := pxy.GetStatusStr()
+		for _, s := range pxyStatus {
+			if status == s {
+				var newProxyMsg msg.NewProxy
+				pxy.Cfg.UnMarshalToMsg(&newProxyMsg)
+				err := pm.sendMsg(&newProxyMsg)
+				if err != nil {
+					pm.Warn("[%s] proxy send NewProxy message error")
+					return
+				}
+				pxy.WaitStart()
+				break
+			}
+		}
+	}
+
+	for _, cfg := range pm.visitorCfgs {
+		if _, exist := pm.visitors[cfg.GetName()]; !exist {
+			pm.Info("try to start visitor [%s]", cfg.GetName())
+			visitor := NewVisitor(pm.ctl, cfg)
+			err := visitor.Run()
+			if err != nil {
+				visitor.Warn("start error: %v", err)
+				continue
+			}
+			pm.visitors[cfg.GetName()] = visitor
+			visitor.Info("start visitor success")
+		}
+	}
+}
+
+func (pm *ProxyManager) Reload(pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.ProxyConf, startNow bool) error {
+	pm.mu.Lock()
+	defer func() {
+		pm.mu.Unlock()
+		if startNow {
+			go pm.CheckAndStartProxy([]string{ProxyStatusNew})
+		}
+	}()
+	if pm.closed {
+		err := fmt.Errorf("Reload error: ProxyManager is closed now")
+		pm.Warn(err.Error())
+		return err
+	}
+
+	delPxyNames := make([]string, 0)
+	for name, pxy := range pm.proxies {
+		del := false
+		cfg, ok := pxyCfgs[name]
+		if !ok {
+			del = true
+		} else {
+			if !pxy.Cfg.Compare(cfg) {
+				del = true
+			}
+		}
+
+		if del {
+			delPxyNames = append(delPxyNames, name)
+			delete(pm.proxies, name)
+
+			pxy.Close()
+			err := pm.sendMsg(&msg.CloseProxy{
+				ProxyName: name,
+			})
+			if err != nil {
+				err = fmt.Errorf("Reload error: ProxyManager is closed now")
+				pm.Warn(err.Error())
+				return err
+			}
+		}
+	}
+	pm.Info("proxy removed: %v", delPxyNames)
+
+	addPxyNames := make([]string, 0)
+	for name, cfg := range pxyCfgs {
+		if _, ok := pm.proxies[name]; !ok {
+			pxy := NewProxyWrapper(cfg)
+			pm.proxies[name] = pxy
+			addPxyNames = append(addPxyNames, name)
+		}
+	}
+	pm.Info("proxy added: %v", addPxyNames)
+
+	delVisitorName := make([]string, 0)
+	for name, oldVisitorCfg := range pm.visitorCfgs {
+		del := false
+		cfg, ok := visitorCfgs[name]
+		if !ok {
+			del = true
+		} else {
+			if !oldVisitorCfg.Compare(cfg) {
+				del = true
+			}
+		}
+
+		if del {
+			delVisitorName = append(delVisitorName, name)
+			delete(pm.visitorCfgs, name)
+			if visitor, ok := pm.visitors[name]; ok {
+				visitor.Close()
+			}
+			delete(pm.visitors, name)
+		}
+	}
+	pm.Info("visitor removed: %v", delVisitorName)
+
+	addVisitorName := make([]string, 0)
+	for name, visitorCfg := range visitorCfgs {
+		if _, ok := pm.visitorCfgs[name]; !ok {
+			pm.visitorCfgs[name] = visitorCfg
+			addVisitorName = append(addVisitorName, name)
+		}
+	}
+	pm.Info("visitor added: %v", addVisitorName)
+	return nil
+}
+
+func (pm *ProxyManager) HandleWorkConn(name string, workConn frpNet.Conn) {
+	pm.mu.RLock()
+	pw, ok := pm.proxies[name]
+	pm.mu.RUnlock()
+	if ok {
+		pw.InWorkConn(workConn)
+	} else {
+		workConn.Close()
+	}
+}
+
+func (pm *ProxyManager) GetAllProxyStatus() []*ProxyStatus {
+	ps := make([]*ProxyStatus, 0)
+	pm.mu.RLock()
+	defer pm.mu.RUnlock()
+	for _, pxy := range pm.proxies {
+		ps = append(ps, pxy.GetStatus())
+	}
+	return ps
+}
--- a/client/service.go
+++ b/client/service.go
@@ -14,7 +14,10 @@

 package client

-import "github.com/fatedier/frp/models/config"
+import (
+	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/utils/log"
+)

 type Service struct {
 	// manager control connection with server
@@ -23,11 +26,11 @@ type Service struct {
 	closedCh chan int
 }

-func NewService(pxyCfgs map[string]config.ProxyConf) (svr *Service) {
+func NewService(pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.ProxyConf) (svr *Service) {
 	svr = &Service{
 		closedCh: make(chan int),
 	}
-	ctl := NewControl(svr, pxyCfgs)
+	ctl := NewControl(svr, pxyCfgs, visitorCfgs)
 	svr.ctl = ctl
 	return
 }
@@ -38,6 +41,18 @@ func (svr *Service) Run() error {
 		return err
 	}

+	if config.ClientCommonCfg.AdminPort != 0 {
+		err = svr.RunAdminServer(config.ClientCommonCfg.AdminAddr, config.ClientCommonCfg.AdminPort)
+		if err != nil {
+			log.Warn("run admin server error: %v", err)
+		}
+		log.Info("admin server listen on %s:%d", config.ClientCommonCfg.AdminAddr, config.ClientCommonCfg.AdminPort)
+	}
+
 	<-svr.closedCh
 	return nil
 }
+
+func (svr *Service) Close() {
+	svr.ctl.Close()
+}
--- a/client/visitor.go
+++ b/client/visitor.go
@@ -0,0 +1,322 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/net/ipv4"
+
+	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/models/msg"
+	frpIo "github.com/fatedier/frp/utils/io"
+	"github.com/fatedier/frp/utils/log"
+	frpNet "github.com/fatedier/frp/utils/net"
+	"github.com/fatedier/frp/utils/pool"
+	"github.com/fatedier/frp/utils/util"
+)
+
+// Visitor is used for forward traffics from local port tot remote service.
+type Visitor interface {
+	Run() error
+	Close()
+	log.Logger
+}
+
+func NewVisitor(ctl *Control, pxyConf config.ProxyConf) (visitor Visitor) {
+	baseVisitor := BaseVisitor{
+		ctl:    ctl,
+		Logger: log.NewPrefixLogger(pxyConf.GetName()),
+	}
+	switch cfg := pxyConf.(type) {
+	case *config.StcpProxyConf:
+		visitor = &StcpVisitor{
+			BaseVisitor: baseVisitor,
+			cfg:         cfg,
+		}
+	case *config.XtcpProxyConf:
+		visitor = &XtcpVisitor{
+			BaseVisitor: baseVisitor,
+			cfg:         cfg,
+		}
+	}
+	return
+}
+
+type BaseVisitor struct {
+	ctl    *Control
+	l      frpNet.Listener
+	closed bool
+	mu     sync.RWMutex
+	log.Logger
+}
+
+type StcpVisitor struct {
+	BaseVisitor
+
+	cfg *config.StcpProxyConf
+}
+
+func (sv *StcpVisitor) Run() (err error) {
+	sv.l, err = frpNet.ListenTcp(sv.cfg.BindAddr, sv.cfg.BindPort)
+	if err != nil {
+		return
+	}
+
+	go sv.worker()
+	return
+}
+
+func (sv *StcpVisitor) Close() {
+	sv.l.Close()
+}
+
+func (sv *StcpVisitor) worker() {
+	for {
+		conn, err := sv.l.Accept()
+		if err != nil {
+			sv.Warn("stcp local listener closed")
+			return
+		}
+
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *StcpVisitor) handleConn(userConn frpNet.Conn) {
+	defer userConn.Close()
+
+	sv.Debug("get a new stcp user connection")
+	visitorConn, err := sv.ctl.connectServer()
+	if err != nil {
+		return
+	}
+	defer visitorConn.Close()
+
+	now := time.Now().Unix()
+	newVisitorConnMsg := &msg.NewVisitorConn{
+		ProxyName:      sv.cfg.ServerName,
+		SignKey:        util.GetAuthKey(sv.cfg.Sk, now),
+		Timestamp:      now,
+		UseEncryption:  sv.cfg.UseEncryption,
+		UseCompression: sv.cfg.UseCompression,
+	}
+	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
+	if err != nil {
+		sv.Warn("send newVisitorConnMsg to server error: %v", err)
+		return
+	}
+
+	var newVisitorConnRespMsg msg.NewVisitorConnResp
+	visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
+	if err != nil {
+		sv.Warn("get newVisitorConnRespMsg error: %v", err)
+		return
+	}
+	visitorConn.SetReadDeadline(time.Time{})
+
+	if newVisitorConnRespMsg.Error != "" {
+		sv.Warn("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
+		return
+	}
+
+	var remote io.ReadWriteCloser
+	remote = visitorConn
+	if sv.cfg.UseEncryption {
+		remote, err = frpIo.WithEncryption(remote, []byte(sv.cfg.Sk))
+		if err != nil {
+			sv.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+
+	if sv.cfg.UseCompression {
+		remote = frpIo.WithCompression(remote)
+	}
+
+	frpIo.Join(userConn, remote)
+}
+
+type XtcpVisitor struct {
+	BaseVisitor
+
+	cfg *config.XtcpProxyConf
+}
+
+func (sv *XtcpVisitor) Run() (err error) {
+	sv.l, err = frpNet.ListenTcp(sv.cfg.BindAddr, sv.cfg.BindPort)
+	if err != nil {
+		return
+	}
+
+	go sv.worker()
+	return
+}
+
+func (sv *XtcpVisitor) Close() {
+	sv.l.Close()
+}
+
+func (sv *XtcpVisitor) worker() {
+	for {
+		conn, err := sv.l.Accept()
+		if err != nil {
+			sv.Warn("stcp local listener closed")
+			return
+		}
+
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *XtcpVisitor) handleConn(userConn frpNet.Conn) {
+	defer userConn.Close()
+
+	sv.Debug("get a new xtcp user connection")
+	if config.ClientCommonCfg.ServerUdpPort == 0 {
+		sv.Error("xtcp is not supported by server")
+		return
+	}
+
+	raddr, err := net.ResolveUDPAddr("udp",
+		fmt.Sprintf("%s:%d", config.ClientCommonCfg.ServerAddr, config.ClientCommonCfg.ServerUdpPort))
+	visitorConn, err := net.DialUDP("udp", nil, raddr)
+	defer visitorConn.Close()
+
+	now := time.Now().Unix()
+	natHoleVisitorMsg := &msg.NatHoleVisitor{
+		ProxyName: sv.cfg.ServerName,
+		SignKey:   util.GetAuthKey(sv.cfg.Sk, now),
+		Timestamp: now,
+	}
+	err = msg.WriteMsg(visitorConn, natHoleVisitorMsg)
+	if err != nil {
+		sv.Warn("send natHoleVisitorMsg to server error: %v", err)
+		return
+	}
+
+	// Wait for client address at most 10 seconds.
+	var natHoleRespMsg msg.NatHoleResp
+	visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	buf := pool.GetBuf(1024)
+	n, err := visitorConn.Read(buf)
+	if err != nil {
+		sv.Warn("get natHoleRespMsg error: %v", err)
+		return
+	}
+
+	err = msg.ReadMsgInto(bytes.NewReader(buf[:n]), &natHoleRespMsg)
+	if err != nil {
+		sv.Warn("get natHoleRespMsg error: %v", err)
+		return
+	}
+	visitorConn.SetReadDeadline(time.Time{})
+	pool.PutBuf(buf)
+
+	sv.Trace("get natHoleRespMsg, sid [%s], client address [%s]", natHoleRespMsg.Sid, natHoleRespMsg.ClientAddr)
+
+	// Close visitorConn, so we can use it's local address.
+	visitorConn.Close()
+
+	// Send detect message.
+	array := strings.Split(natHoleRespMsg.ClientAddr, ":")
+	if len(array) <= 1 {
+		sv.Error("get natHoleResp client address error: %s", natHoleRespMsg.ClientAddr)
+		return
+	}
+	laddr, _ := net.ResolveUDPAddr("udp", visitorConn.LocalAddr().String())
+	/*
+		for i := 1000; i < 65000; i++ {
+			sv.sendDetectMsg(array[0], int64(i), laddr, "a")
+		}
+	*/
+	port, err := strconv.ParseInt(array[1], 10, 64)
+	if err != nil {
+		sv.Error("get natHoleResp client address error: %s", natHoleRespMsg.ClientAddr)
+		return
+	}
+	sv.sendDetectMsg(array[0], int(port), laddr, []byte(natHoleRespMsg.Sid))
+	sv.Trace("send all detect msg done")
+
+	// Listen for visitorConn's address and wait for client connection.
+	lConn, err := net.ListenUDP("udp", laddr)
+	if err != nil {
+		sv.Error("listen on visitorConn's local adress error: %v", err)
+		return
+	}
+	lConn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	sidBuf := pool.GetBuf(1024)
+	n, _, err = lConn.ReadFromUDP(sidBuf)
+	if err != nil {
+		sv.Warn("get sid from client error: %v", err)
+		return
+	}
+	lConn.SetReadDeadline(time.Time{})
+	if string(sidBuf[:n]) != natHoleRespMsg.Sid {
+		sv.Warn("incorrect sid from client")
+		return
+	}
+	sv.Info("nat hole connection make success, sid [%s]", string(sidBuf[:n]))
+	pool.PutBuf(sidBuf)
+
+	var remote io.ReadWriteCloser
+	remote, err = frpNet.NewKcpConnFromUdp(lConn, false, natHoleRespMsg.ClientAddr)
+	if err != nil {
+		sv.Error("create kcp connection from udp connection error: %v", err)
+		return
+	}
+
+	if sv.cfg.UseEncryption {
+		remote, err = frpIo.WithEncryption(remote, []byte(sv.cfg.Sk))
+		if err != nil {
+			sv.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+
+	if sv.cfg.UseCompression {
+		remote = frpIo.WithCompression(remote)
+	}
+
+	frpIo.Join(userConn, remote)
+	sv.Debug("join connections closed")
+}
+
+func (sv *XtcpVisitor) sendDetectMsg(addr string, port int, laddr *net.UDPAddr, content []byte) (err error) {
+	daddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", addr, port))
+	if err != nil {
+		return err
+	}
+
+	tConn, err := net.DialUDP("udp", laddr, daddr)
+	if err != nil {
+		return err
+	}
+
+	uConn := ipv4.NewConn(tConn)
+	uConn.SetTTL(3)
+
+	tConn.Write(content)
+	tConn.Close()
+	return nil
+}
--- a/cmd/frpc/main.go
+++ b/cmd/frpc/main.go
@@ -15,12 +15,20 @@
 package main

 import (
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"net/http"
 	"os"
+	"os/signal"
 	"strconv"
 	"strings"
+	"syscall"
+	"time"

 	docopt "github.com/docopt/docopt-go"
+	"github.com/rodaine/table"
 	ini "github.com/vaughan0/go-ini"

 	"github.com/fatedier/frp/client"
@@ -37,6 +45,8 @@ var usage string = `frpc is the client of frp

 Usage: 
    frpc [-c config_file] [-L log_file] [--log-level=<log_level>] [--server-addr=<server_addr>]
+    frpc reload [-c config_file]
+    frpc status [-c config_file]
    frpc -h | --help
    frpc -v | --version

@@ -46,7 +56,7 @@ Options:
    --log-level=<log_level>     set log level: debug, info, warn, error
    --server-addr=<server_addr> addr which frps is listening for, example: 0.0.0.0:7000
    -h --help                   show this screen
-    --version                   show version
+    -v --version                show version
 `

 func main() {
@@ -70,6 +80,32 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
+	config.ClientCommonCfg.ConfigFile = confFile
+
+	// check if reload command
+	if args["reload"] != nil {
+		if args["reload"].(bool) {
+			if err = CmdReload(); err != nil {
+				fmt.Printf("frpc reload error: %v\n", err)
+				os.Exit(1)
+			} else {
+				fmt.Printf("reload success\n")
+				os.Exit(0)
+			}
+		}
+	}
+
+	// check if status command
+	if args["status"] != nil {
+		if args["status"].(bool) {
+			if err = CmdStatus(); err != nil {
+				fmt.Printf("frpc get status error: %v\n", err)
+				os.Exit(1)
+			} else {
+				os.Exit(0)
+			}
+		}
+	}

 	if args["-L"] != nil {
 		if args["-L"].(string) == "console" {
@@ -96,7 +132,7 @@ func main() {
 			os.Exit(1)
 		}
 		config.ClientCommonCfg.ServerAddr = addr[0]
-		config.ClientCommonCfg.ServerPort = serverPort
+		config.ClientCommonCfg.ServerPort = int(serverPort)
 	}

 	if args["-v"] != nil {
@@ -106,7 +142,7 @@ func main() {
 		}
 	}

-	pxyCfgs, err := config.LoadProxyConfFromFile(conf)
+	pxyCfgs, visitorCfgs, err := config.LoadProxyConfFromFile(config.ClientCommonCfg.User, conf, config.ClientCommonCfg.Start)
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
@@ -115,10 +151,155 @@ func main() {
 	log.InitLog(config.ClientCommonCfg.LogWay, config.ClientCommonCfg.LogFile,
 		config.ClientCommonCfg.LogLevel, config.ClientCommonCfg.LogMaxDays)

-	svr := client.NewService(pxyCfgs)
+	svr := client.NewService(pxyCfgs, visitorCfgs)
+
+	// Capture the exit signal if we use kcp.
+	if config.ClientCommonCfg.Protocol == "kcp" {
+		go HandleSignal(svr)
+	}
+
 	err = svr.Run()
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
 	}
 }
+
+func HandleSignal(svr *client.Service) {
+	ch := make(chan os.Signal)
+	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
+	<-ch
+	svr.Close()
+	time.Sleep(250 * time.Millisecond)
+	os.Exit(0)
+}
+
+func CmdReload() error {
+	if config.ClientCommonCfg.AdminPort == 0 {
+		return fmt.Errorf("admin_port shoud be set if you want to use reload feature")
+	}
+
+	req, err := http.NewRequest("GET", "http://"+
+		config.ClientCommonCfg.AdminAddr+":"+fmt.Sprintf("%d", config.ClientCommonCfg.AdminPort)+"/api/reload", nil)
+	if err != nil {
+		return err
+	}
+
+	authStr := "Basic " + base64.StdEncoding.EncodeToString([]byte(config.ClientCommonCfg.AdminUser+":"+
+		config.ClientCommonCfg.AdminPwd))
+
+	req.Header.Add("Authorization", authStr)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	} else {
+		if resp.StatusCode != 200 {
+			return fmt.Errorf("admin api status code [%d]", resp.StatusCode)
+		}
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return err
+		}
+		res := &client.GeneralResponse{}
+		err = json.Unmarshal(body, &res)
+		if err != nil {
+			return fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(string(body)))
+		} else if res.Code != 0 {
+			return fmt.Errorf(res.Msg)
+		}
+	}
+	return nil
+}
+
+func CmdStatus() error {
+	if config.ClientCommonCfg.AdminPort == 0 {
+		return fmt.Errorf("admin_port shoud be set if you want to get proxy status")
+	}
+
+	req, err := http.NewRequest("GET", "http://"+
+		config.ClientCommonCfg.AdminAddr+":"+fmt.Sprintf("%d", config.ClientCommonCfg.AdminPort)+"/api/status", nil)
+	if err != nil {
+		return err
+	}
+
+	authStr := "Basic " + base64.StdEncoding.EncodeToString([]byte(config.ClientCommonCfg.AdminUser+":"+
+		config.ClientCommonCfg.AdminPwd))
+
+	req.Header.Add("Authorization", authStr)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	} else {
+		if resp.StatusCode != 200 {
+			return fmt.Errorf("admin api status code [%d]", resp.StatusCode)
+		}
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return err
+		}
+		res := &client.StatusResp{}
+		err = json.Unmarshal(body, &res)
+		if err != nil {
+			return fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(string(body)))
+		}
+
+		fmt.Println("Proxy Status...")
+		if len(res.Tcp) > 0 {
+			fmt.Printf("TCP")
+			tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+			for _, ps := range res.Tcp {
+				tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+			}
+			tbl.Print()
+			fmt.Println("")
+		}
+		if len(res.Udp) > 0 {
+			fmt.Printf("UDP")
+			tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+			for _, ps := range res.Udp {
+				tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+			}
+			tbl.Print()
+			fmt.Println("")
+		}
+		if len(res.Http) > 0 {
+			fmt.Printf("HTTP")
+			tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+			for _, ps := range res.Http {
+				tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+			}
+			tbl.Print()
+			fmt.Println("")
+		}
+		if len(res.Https) > 0 {
+			fmt.Printf("HTTPS")
+			tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+			for _, ps := range res.Https {
+				tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+			}
+			tbl.Print()
+			fmt.Println("")
+		}
+		if len(res.Stcp) > 0 {
+			fmt.Printf("STCP")
+			tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+			for _, ps := range res.Stcp {
+				tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+			}
+			tbl.Print()
+			fmt.Println("")
+		}
+		if len(res.Xtcp) > 0 {
+			fmt.Printf("XTCP")
+			tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+			for _, ps := range res.Xtcp {
+				tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+			}
+			tbl.Print()
+			fmt.Println("")
+		}
+	}
+	return nil
+}
--- a/cmd/frps/main.go
+++ b/cmd/frps/main.go
@@ -91,7 +91,7 @@ func main() {
 			os.Exit(1)
 		}
 		config.ServerCommonCfg.BindAddr = addr[0]
-		config.ServerCommonCfg.BindPort = bindPort
+		config.ServerCommonCfg.BindPort = int(bindPort)
 	}

 	if args["-v"] != nil {
--- a/conf/frpc.ini
+++ b/conf/frpc.ini
@@ -1,83 +1,9 @@
-# [common] is integral section
 [common]
-# A literal address or host name for IPv6 must be enclosed
-# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
-server_addr = 0.0.0.0
+server_addr = 127.0.0.1
 server_port = 7000

-# if you want to connect frps by http proxy, you can set http_proxy here or in global environment variables
-# http_proxy = http://user:pwd@192.168.1.128:8080
-
-# console or real logFile path like ./frpc.log
-log_file = ./frpc.log
-
-# trace, debug, info, warn, error
-log_level = info
-
-log_max_days = 3
-
-# for authentication
-privilege_token = 12345678
-
-# connections will be established in advance, default value is zero
-pool_count = 5
-
-# if tcp stream multiplexing is used, default is true, it must be same with frps
-tcp_mux = true
-
-# your proxy name will be changed to {user}.{proxy}
-user = your_name
-
-# heartbeat configure, it's not recommended to modify the default value
-# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
-# heartbeat_interval = 30
-# heartbeat_timeout = 90
-
-# ssh is the proxy name same as server's configuration
-# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as your_name.ssh
 [ssh]
-# tcp | udp | http | https, default is tcp
 type = tcp
 local_ip = 127.0.0.1
 local_port = 22
-# true or false, if true, messages between frps and frpc will be encrypted, default is false
-use_encryption = false
-# if true, message will be compressed
-use_compression = false
-# remote port listen by frps
-remote_port = 6001
-
-[dns]
-type = udp
-local_ip = 114.114.114.114
-local_port = 53
-remote_port = 6002
-use_encryption = false
-use_compression = false
-
-# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
-[web01]
-type = http
-local_ip = 127.0.0.1
-local_port = 80
-use_encryption = false
-use_compression = true
-# http username and password are safety certification for http protocol
-# if not set, you can access this custom_domains without certification
-http_user = admin
-http_pwd = admin
-# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
-subdomain = web01
-custom_domains = web02.yourdomain.com
-# locations is only useful for http type
-locations = /,/pic
-host_header_rewrite = example.com
-
-[web02]
-type = https
-local_ip = 127.0.0.1
-local_port = 8000
-use_encryption = false
-use_compression = false 
-subdomain = web01
-custom_domains = web02.yourdomain.com
+remote_port = 6000
--- a/conf/frpc_full.ini
+++ b/conf/frpc_full.ini
@@ -0,0 +1,202 @@
+# [common] is integral section
+[common]
+# A literal address or host name for IPv6 must be enclosed
+# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
+server_addr = 0.0.0.0
+server_port = 7000
+
+# if you want to connect frps by http proxy, you can set http_proxy here or in global environment variables
+# it only works when protocol is tcp
+# http_proxy = http://user:pwd@192.168.1.128:8080
+
+# console or real logFile path like ./frpc.log
+log_file = ./frpc.log
+
+# trace, debug, info, warn, error
+log_level = info
+
+log_max_days = 3
+
+# for authentication
+privilege_token = 12345678
+
+# set admin address for control frpc's action by http api such as reload
+admin_addr = 127.0.0.1
+admin_port = 7400
+admin_user = admin
+admin_pwd = admin
+
+# connections will be established in advance, default value is zero
+pool_count = 5
+
+# if tcp stream multiplexing is used, default is true, it must be same with frps
+tcp_mux = true
+
+# your proxy name will be changed to {user}.{proxy}
+user = your_name
+
+# decide if exit program when first login failed, otherwise continuous relogin to frps
+# default is true
+login_fail_exit = true
+
+# communication protocol used to connect to server
+# now it supports tcp and kcp, default is tcp
+protocol = tcp
+
+# proxy names you want to start divided by ','
+# default is empty, means all proxies
+# start = ssh,dns
+
+# heartbeat configure, it's not recommended to modify the default value
+# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
+# heartbeat_interval = 30
+# heartbeat_timeout = 90
+
+# ssh is the proxy name same as server's configuration
+# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as your_name.ssh
+[ssh]
+# tcp | udp | http | https, default is tcp
+type = tcp
+local_ip = 127.0.0.1
+local_port = 22
+# true or false, if true, messages between frps and frpc will be encrypted, default is false
+use_encryption = false
+# if true, message will be compressed
+use_compression = false
+# remote port listen by frps
+remote_port = 6001
+
+[ssh_random]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 22
+# if remote_port is 0, frps will assgin a random port for you
+remote_port = 0
+
+# if you want to expose multiple ports, add 'range:' prefix to the section name
+# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
+[range:tcp_port]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 6010-6020,6022,6024-6028
+remote_port = 6010-6020,6022,6024-6028
+use_encryption = false
+use_compression = false
+
+[dns]
+type = udp
+local_ip = 114.114.114.114
+local_port = 53
+remote_port = 6002
+use_encryption = false
+use_compression = false
+
+[range:udp_port]
+type = udp
+local_ip = 127.0.0.1
+local_port = 6010-6020
+remote_port = 6010-6020
+use_encryption = false
+use_compression = false
+
+# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
+[web01]
+type = http
+local_ip = 127.0.0.1
+local_port = 80
+use_encryption = false
+use_compression = true
+# http username and password are safety certification for http protocol
+# if not set, you can access this custom_domains without certification
+http_user = admin
+http_pwd = admin
+# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
+subdomain = web01
+custom_domains = web02.yourdomain.com
+# locations is only available for http type
+locations = /,/pic
+host_header_rewrite = example.com
+
+[web02]
+type = https
+local_ip = 127.0.0.1
+local_port = 8000
+use_encryption = false
+use_compression = false 
+subdomain = web01
+custom_domains = web02.yourdomain.com
+
+[plugin_unix_domain_socket]
+type = tcp
+remote_port = 6003
+# if plugin is defined, local_ip and local_port is useless
+# plugin will handle connections got from frps
+plugin = unix_domain_socket
+# params set with prefix "plugin_" that plugin needed
+plugin_unix_path = /var/run/docker.sock
+
+[plugin_http_proxy]
+type = tcp
+remote_port = 6004
+plugin = http_proxy
+plugin_http_user = abc
+plugin_http_passwd = abc
+
+[plugin_socks5]
+type = tcp
+remote_port = 6005
+plugin = socks5
+plugin_user = abc
+plugin_passwd = abc
+
+[plugin_static_file]
+type = tcp
+remote_port = 6006
+plugin = static_file
+plugin_local_path = /var/www/blog
+plugin_strip_prefix = static
+plugin_http_user = abc
+plugin_http_passwd = abc
+
+[secret_tcp]
+# If the type is secret tcp, remote_port is useless
+# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
+type = stcp
+# sk used for authentication for visitors
+sk = abcdefg
+local_ip = 127.0.0.1
+local_port = 22
+use_encryption = false
+use_compression = false
+
+# user of frpc should be same in both stcp server and stcp visitor
+[secret_tcp_visitor]
+# frpc role visitor -> frps -> frpc role server
+role = visitor
+type = stcp
+# the server name you want to visitor
+server_name = secret_tcp
+sk = abcdefg
+# connect this address to visitor stcp server
+bind_addr = 127.0.0.1
+bind_port = 9000
+use_encryption = false
+use_compression = false
+
+[p2p_tcp]
+type = xtcp
+sk = abcdefg
+local_ip = 127.0.0.1
+local_port = 22
+use_encryption = false
+use_compression = false
+
+[p2p_tcp_visitor]
+role = visitor
+type = xtcp
+server_name = p2p_tcp
+sk = abcdefg
+bind_addr = 127.0.0.1
+bind_port = 9001
+use_encryption = false
+use_compression = false
--- a/conf/frpc_min.ini
+++ b/conf/frpc_min.ini
@@ -1,10 +0,0 @@
-[common]
-server_addr = 0.0.0.0
-server_port = 7000
-#privilege_token = 12345678
-
-[ssh]
-type = tcp
-local_ip = 127.0.0.1
-local_port = 22
-remote_port = 6000
--- a/conf/frps.ini
+++ b/conf/frps.ini
@@ -1,51 +1,2 @@
-# [common] is integral section
 [common]
-# A literal address or host name for IPv6 must be enclosed
-# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
-bind_addr = 0.0.0.0
 bind_port = 7000
-
-# if you want to support virtual host, you must set the http port for listening (optional)
-vhost_http_port = 80
-vhost_https_port = 443
-
-# if you want to configure or reload frps by dashboard, dashboard_port must be set
-dashboard_port = 7500
-
-# dashboard user and pwd for basic auth protect, if not set, both default value is admin
-dashboard_user = admin
-dashboard_pwd = admin
-
-# dashboard assets directory(only for debug mode)
-# assets_dir = ./static
-# console or real logFile path like ./frps.log
-log_file = ./frps.log
-
-# trace, debug, info, warn, error
-log_level = info
-
-log_max_days = 3
-
-# privilege mode is the only supported mode since v0.10.0
-privilege_token = 12345678
-
-# heartbeat configure, it's not recommended to modify the default value
-# the default value of heartbeat_timeout is 90
-# heartbeat_timeout = 90
-
-# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
-privilege_allow_ports = 2000-3000,3001,3003,4000-50000
-
-# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
-max_pool_count = 5
-
-# authentication_timeout means the timeout interval (seconds) when the frpc connects frps
-# if authentication_timeout is zero, the time is not verified, default is 900s
-authentication_timeout = 900
-
-# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
-# when subdomain is test, the host used by routing is test.frps.com
-subdomain_host = frps.com
-
-# if tcp stream multiplexing is used, default is true
-tcp_mux = true
--- a/conf/frps_full.ini
+++ b/conf/frps_full.ini
@@ -0,0 +1,67 @@
+# [common] is integral section
+[common]
+# A literal address or host name for IPv6 must be enclosed
+# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
+bind_addr = 0.0.0.0
+bind_port = 7000
+
+# udp port to help make udp hole to penetrate nat
+bind_udp_port = 7001
+
+# udp port used for kcp protocol, it can be same with 'bind_port'
+# if not set, kcp is disabled in frps
+kcp_bind_port = 7000
+
+# specify which address proxy will listen for, default value is same with bind_addr
+# proxy_bind_addr = 127.0.0.1
+
+# if you want to support virtual host, you must set the http port for listening (optional)
+vhost_http_port = 80
+vhost_https_port = 443
+
+# set dashboard_addr and dashboard_port to view dashboard of frps
+# dashboard_addr's default value is same with bind_addr
+# dashboard is available only if dashboard_port is set
+dashboard_addr = 0.0.0.0
+dashboard_port = 7500
+
+# dashboard user and pwd for basic auth protect, if not set, both default value is admin
+dashboard_user = admin
+dashboard_pwd = admin
+
+# dashboard assets directory(only for debug mode)
+# assets_dir = ./static
+# console or real logFile path like ./frps.log
+log_file = ./frps.log
+
+# trace, debug, info, warn, error
+log_level = info
+
+log_max_days = 3
+
+# privilege mode is the only supported mode since v0.10.0
+privilege_token = 12345678
+
+# heartbeat configure, it's not recommended to modify the default value
+# the default value of heartbeat_timeout is 90
+# heartbeat_timeout = 90
+
+# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
+privilege_allow_ports = 2000-3000,3001,3003,4000-50000
+
+# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
+max_pool_count = 5
+
+# max ports can be used for each client, default value is 0 means no limit
+max_ports_per_client = 0
+
+# authentication_timeout means the timeout interval (seconds) when the frpc connects frps
+# if authentication_timeout is zero, the time is not verified, default is 900s
+authentication_timeout = 900
+
+# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
+# when subdomain is test, the host used by routing is test.frps.com
+subdomain_host = frps.com
+
+# if tcp stream multiplexing is used, default is true
+tcp_mux = true
--- a/conf/frps_min.ini
+++ b/conf/frps_min.ini
@@ -1,7 +0,0 @@
-[common]
-bind_addr = 0.0.0.0
-bind_port = 7000
-vhost_http_port = 80
-vhost_https_port = 443
-dashboard_port = 7500
-#privilege_token = 12345678
--- a/doc/pic/donate-wechatpay.png
+++ b/doc/pic/donate-wechatpay.png
--- a/glide.lock
+++ b/glide.lock
@@ -0,0 +1,79 @@
+hash: 4095d78a15bf0e7ffdd63331ce75d7199d663cc8710dcd08b9dcd09ba3183eac
+updated: 2018-01-23T14:48:38.764359+08:00
+imports:
+- name: github.com/armon/go-socks5
+  version: e75332964ef517daa070d7c38a9466a0d687e0a5
+- name: github.com/davecgh/go-spew
+  version: 346938d642f2ec3594ed81d874461961cd0faa76
+  subpackages:
+  - spew
+- name: github.com/docopt/docopt-go
+  version: 784ddc588536785e7299f7272f39101f7faccc3f
+- name: github.com/fatedier/beego
+  version: 6c6a4f5bd5eb5a39f7e289b8f345b55f75e7e3e8
+  subpackages:
+  - logs
+- name: github.com/fatedier/kcp-go
+  version: cd167d2f15f451b0f33780ce862fca97adc0331e
+- name: github.com/golang/snappy
+  version: 5979233c5d6225d4a8e438cdd0b411888449ddab
+- name: github.com/gorilla/websocket
+  version: 292fd08b2560ad524ee37396253d71570339a821
+- name: github.com/julienschmidt/httprouter
+  version: 8a45e95fc75cb77048068a62daed98cc22fdac7c
+- name: github.com/klauspost/cpuid
+  version: 09cded8978dc9e80714c4d85b0322337b0a1e5e0
+- name: github.com/klauspost/reedsolomon
+  version: dde6ad55c5e5a6379a4e82dcca32ee407346eb6d
+- name: github.com/pkg/errors
+  version: c605e284fe17294bda444b34710735b29d1a9d90
+- name: github.com/pmezard/go-difflib
+  version: 792786c7400a136282c1664665ae0a8db921c6c2
+  subpackages:
+  - difflib
+- name: github.com/rakyll/statik
+  version: 274df120e9065bdd08eb1120e0375e3dc1ae8465
+  subpackages:
+  - fs
+- name: github.com/rodaine/table
+  version: 212a2ad1c462ed4d5b5511ea2b480a573281dbbd
+- name: github.com/stretchr/testify
+  version: 2402e8e7a02fc811447d11f881aa9746cdc57983
+  subpackages:
+  - assert
+- name: github.com/templexxx/cpufeat
+  version: 3794dfbfb04749f896b521032f69383f24c3687e
+- name: github.com/templexxx/reedsolomon
+  version: 7092926d7d05c415fabb892b1464a03f8228ab80
+- name: github.com/templexxx/xor
+  version: 0af8e873c554da75f37f2049cdffda804533d44c
+- name: github.com/tjfoc/gmsm
+  version: 21d76dee237dbbc8dfe1510000b9bf2733635aa1
+  subpackages:
+  - sm4
+- name: github.com/vaughan0/go-ini
+  version: a98ad7ee00ec53921f08832bc06ecf7fd600e6a1
+- name: github.com/xtaci/kcp-go
+  version: df437e2b8ec365a336200f9d9da53441cf72ed47
+- name: github.com/xtaci/smux
+  version: 2de5471dfcbc029f5fe1392b83fe784127c4943e
+- name: golang.org/x/crypto
+  version: e1a4589e7d3ea14a3352255d04b6f1a418845e5e
+  subpackages:
+  - blowfish
+  - cast5
+  - pbkdf2
+  - salsa20
+  - salsa20/salsa
+  - tea
+  - twofish
+  - xtea
+- name: golang.org/x/net
+  version: e4fa1c5465ad6111f206fc92186b8c83d64adbe1
+  subpackages:
+  - bpf
+  - context
+  - internal/iana
+  - internal/socket
+  - ipv4
+testImports: []
--- a/glide.yaml
+++ b/glide.yaml
@@ -0,0 +1,76 @@
+package: github.com/fatedier/frp
+import:
+- package: github.com/armon/go-socks5
+  version: e75332964ef517daa070d7c38a9466a0d687e0a5
+- package: github.com/davecgh/go-spew
+  version: v1.1.0
+  subpackages:
+  - spew
+- package: github.com/docopt/docopt-go
+  version: 0.6.2
+- package: github.com/fatedier/beego
+  version: 6c6a4f5bd5eb5a39f7e289b8f345b55f75e7e3e8
+  subpackages:
+  - logs
+- package: github.com/fatedier/kcp-go
+  version: cd167d2f15f451b0f33780ce862fca97adc0331e
+- package: github.com/golang/snappy
+  version: 5979233c5d6225d4a8e438cdd0b411888449ddab
+- package: github.com/julienschmidt/httprouter
+  version: 8a45e95fc75cb77048068a62daed98cc22fdac7c
+- package: github.com/klauspost/cpuid
+  version: v1.0
+- package: github.com/klauspost/reedsolomon
+  version: dde6ad55c5e5a6379a4e82dcca32ee407346eb6d
+- package: github.com/pkg/errors
+  version: c605e284fe17294bda444b34710735b29d1a9d90
+- package: github.com/pmezard/go-difflib
+  version: v1.0.0
+  subpackages:
+  - difflib
+- package: github.com/rakyll/statik
+  version: v0.1.0
+  subpackages:
+  - fs
+- package: github.com/stretchr/testify
+  version: 2402e8e7a02fc811447d11f881aa9746cdc57983
+  subpackages:
+  - assert
+- package: github.com/templexxx/cpufeat
+  version: 3794dfbfb04749f896b521032f69383f24c3687e
+- package: github.com/templexxx/reedsolomon
+  version: 7092926d7d05c415fabb892b1464a03f8228ab80
+- package: github.com/templexxx/xor
+  version: 0.1.2
+- package: github.com/tjfoc/gmsm
+  version: 21d76dee237dbbc8dfe1510000b9bf2733635aa1
+  subpackages:
+  - sm4
+- package: github.com/vaughan0/go-ini
+  version: a98ad7ee00ec53921f08832bc06ecf7fd600e6a1
+- package: github.com/xtaci/kcp-go
+  version: v3.17
+- package: github.com/xtaci/smux
+  version: 2de5471dfcbc029f5fe1392b83fe784127c4943e
+- package: golang.org/x/crypto
+  version: e1a4589e7d3ea14a3352255d04b6f1a418845e5e
+  subpackages:
+  - blowfish
+  - cast5
+  - pbkdf2
+  - salsa20
+  - salsa20/salsa
+  - tea
+  - twofish
+  - xtea
+- package: golang.org/x/net
+  version: e4fa1c5465ad6111f206fc92186b8c83d64adbe1
+  subpackages:
+  - bpf
+  - context
+  - internal/iana
+  - internal/socket
+  - ipv4
+- package: github.com/rodaine/table
+  version: v1.0.0
+- package: github.com/gorilla/websocket
--- a/models/config/client_common.go
+++ b/models/config/client_common.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"os"
 	"strconv"
+	"strings"

 	ini "github.com/vaughan0/go-ini"
 )
@@ -28,16 +29,24 @@ var ClientCommonCfg *ClientCommonConf
 type ClientCommonConf struct {
 	ConfigFile        string
 	ServerAddr        string
-	ServerPort        int64
+	ServerPort        int
+	ServerUdpPort     int // this is specified by login response message from frps
 	HttpProxy         string
 	LogFile           string
 	LogWay            string
 	LogLevel          string
 	LogMaxDays        int64
 	PrivilegeToken    string
+	AdminAddr         string
+	AdminPort         int
+	AdminUser         string
+	AdminPwd          string
 	PoolCount         int
 	TcpMux            bool
 	User              string
+	LoginFailExit     bool
+	Start             map[string]struct{}
+	Protocol          string
 	HeartBeatInterval int64
 	HeartBeatTimeout  int64
 }
@@ -47,15 +56,23 @@ func GetDeaultClientCommonConf() *ClientCommonConf {
 		ConfigFile:        "./frpc.ini",
 		ServerAddr:        "0.0.0.0",
 		ServerPort:        7000,
+		ServerUdpPort:     0,
 		HttpProxy:         "",
 		LogFile:           "console",
 		LogWay:            "console",
 		LogLevel:          "info",
 		LogMaxDays:        3,
 		PrivilegeToken:    "",
+		AdminAddr:         "127.0.0.1",
+		AdminPort:         0,
+		AdminUser:         "",
+		AdminPwd:          "",
 		PoolCount:         1,
 		TcpMux:            true,
 		User:              "",
+		LoginFailExit:     true,
+		Start:             make(map[string]struct{}),
+		Protocol:          "tcp",
 		HeartBeatInterval: 30,
 		HeartBeatTimeout:  90,
 	}
@@ -76,7 +93,12 @@ func LoadClientCommonConf(conf ini.File) (cfg *ClientCommonConf, err error) {

 	tmpStr, ok = conf.Get("common", "server_port")
 	if ok {
-		cfg.ServerPort, _ = strconv.ParseInt(tmpStr, 10, 64)
+		v, err = strconv.ParseInt(tmpStr, 10, 64)
+		if err != nil {
+			err = fmt.Errorf("Parse conf error: invalid server_port")
+			return
+		}
+		cfg.ServerPort = int(v)
 	}

 	tmpStr, ok = conf.Get("common", "http_proxy")
@@ -104,7 +126,9 @@ func LoadClientCommonConf(conf ini.File) (cfg *ClientCommonConf, err error) {

 	tmpStr, ok = conf.Get("common", "log_max_days")
 	if ok {
-		cfg.LogMaxDays, _ = strconv.ParseInt(tmpStr, 10, 64)
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err == nil {
+			cfg.LogMaxDays = v
+		}
 	}

 	tmpStr, ok = conf.Get("common", "privilege_token")
@@ -112,6 +136,31 @@ func LoadClientCommonConf(conf ini.File) (cfg *ClientCommonConf, err error) {
 		cfg.PrivilegeToken = tmpStr
 	}

+	tmpStr, ok = conf.Get("common", "admin_addr")
+	if ok {
+		cfg.AdminAddr = tmpStr
+	}
+
+	tmpStr, ok = conf.Get("common", "admin_port")
+	if ok {
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err == nil {
+			cfg.AdminPort = int(v)
+		} else {
+			err = fmt.Errorf("Parse conf error: invalid admin_port")
+			return
+		}
+	}
+
+	tmpStr, ok = conf.Get("common", "admin_user")
+	if ok {
+		cfg.AdminUser = tmpStr
+	}
+
+	tmpStr, ok = conf.Get("common", "admin_pwd")
+	if ok {
+		cfg.AdminPwd = tmpStr
+	}
+
 	tmpStr, ok = conf.Get("common", "pool_count")
 	if ok {
 		v, err = strconv.ParseInt(tmpStr, 10, 64)
@@ -134,11 +183,35 @@ func LoadClientCommonConf(conf ini.File) (cfg *ClientCommonConf, err error) {
 		cfg.User = tmpStr
 	}

+	tmpStr, ok = conf.Get("common", "start")
+	if ok {
+		proxyNames := strings.Split(tmpStr, ",")
+		for _, name := range proxyNames {
+			cfg.Start[strings.TrimSpace(name)] = struct{}{}
+		}
+	}
+
+	tmpStr, ok = conf.Get("common", "login_fail_exit")
+	if ok && tmpStr == "false" {
+		cfg.LoginFailExit = false
+	} else {
+		cfg.LoginFailExit = true
+	}
+
+	tmpStr, ok = conf.Get("common", "protocol")
+	if ok {
+		// Now it only support tcp and kcp.
+		if tmpStr != "kcp" {
+			tmpStr = "tcp"
+		}
+		cfg.Protocol = tmpStr
+	}
+
 	tmpStr, ok = conf.Get("common", "heartbeat_timeout")
 	if ok {
 		v, err = strconv.ParseInt(tmpStr, 10, 64)
 		if err != nil {
-			err = fmt.Errorf("Parse conf error: heartbeat_timeout is incorrect")
+			err = fmt.Errorf("Parse conf error: invalid heartbeat_timeout")
 			return
 		} else {
 			cfg.HeartBeatTimeout = v
@@ -149,7 +222,7 @@ func LoadClientCommonConf(conf ini.File) (cfg *ClientCommonConf, err error) {
 	if ok {
 		v, err = strconv.ParseInt(tmpStr, 10, 64)
 		if err != nil {
-			err = fmt.Errorf("Parse conf error: heartbeat_interval is incorrect")
+			err = fmt.Errorf("Parse conf error: invalid heartbeat_interval")
 			return
 		} else {
 			cfg.HeartBeatInterval = v
@@ -157,12 +230,12 @@ func LoadClientCommonConf(conf ini.File) (cfg *ClientCommonConf, err error) {
 	}

 	if cfg.HeartBeatInterval <= 0 {
-		err = fmt.Errorf("Parse conf error: heartbeat_interval is incorrect")
+		err = fmt.Errorf("Parse conf error: invalid heartbeat_interval")
 		return
 	}

 	if cfg.HeartBeatTimeout < cfg.HeartBeatInterval {
-		err = fmt.Errorf("Parse conf error: heartbeat_timeout is incorrect, heartbeat_timeout is less than heartbeat_interval")
+		err = fmt.Errorf("Parse conf error: invalid heartbeat_timeout, heartbeat_timeout is less than heartbeat_interval")
 		return
 	}
 	return
--- a/models/config/proxy.go
+++ b/models/config/proxy.go
@@ -22,8 +22,8 @@ import (

 	"github.com/fatedier/frp/models/consts"
 	"github.com/fatedier/frp/models/msg"
-
 	"github.com/fatedier/frp/utils/util"
+
 	ini "github.com/vaughan0/go-ini"
 )

@@ -35,6 +35,8 @@ func init() {
 	proxyConfTypeMap[consts.UdpProxy] = reflect.TypeOf(UdpProxyConf{})
 	proxyConfTypeMap[consts.HttpProxy] = reflect.TypeOf(HttpProxyConf{})
 	proxyConfTypeMap[consts.HttpsProxy] = reflect.TypeOf(HttpsProxyConf{})
+	proxyConfTypeMap[consts.StcpProxy] = reflect.TypeOf(StcpProxyConf{})
+	proxyConfTypeMap[consts.XtcpProxy] = reflect.TypeOf(XtcpProxyConf{})
 }

 // NewConfByType creates a empty ProxyConf object by proxyType.
@@ -50,11 +52,13 @@ func NewConfByType(proxyType string) ProxyConf {

 type ProxyConf interface {
 	GetName() string
+	GetType() string
 	GetBaseInfo() *BaseProxyConf
 	LoadFromMsg(pMsg *msg.NewProxy)
 	LoadFromFile(name string, conf ini.Section) error
 	UnMarshalToMsg(pMsg *msg.NewProxy)
 	Check() error
+	Compare(conf ProxyConf) bool
 }

 func NewProxyConf(pMsg *msg.NewProxy) (cfg ProxyConf, err error) {
@@ -100,10 +104,24 @@ func (cfg *BaseProxyConf) GetName() string {
 	return cfg.ProxyName
 }

+func (cfg *BaseProxyConf) GetType() string {
+	return cfg.ProxyType
+}
+
 func (cfg *BaseProxyConf) GetBaseInfo() *BaseProxyConf {
 	return cfg
 }

+func (cfg *BaseProxyConf) compare(cmp *BaseProxyConf) bool {
+	if cfg.ProxyName != cmp.ProxyName ||
+		cfg.ProxyType != cmp.ProxyType ||
+		cfg.UseEncryption != cmp.UseEncryption ||
+		cfg.UseCompression != cmp.UseCompression {
+		return false
+	}
+	return true
+}
+
 func (cfg *BaseProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
 	cfg.ProxyName = pMsg.ProxyName
 	cfg.ProxyType = pMsg.ProxyType
@@ -145,11 +163,19 @@ func (cfg *BaseProxyConf) UnMarshalToMsg(pMsg *msg.NewProxy) {
 // Bind info
 type BindInfoConf struct {
 	BindAddr   string `json:"bind_addr"`
-	RemotePort int64  `json:"remote_port"`
+	RemotePort int    `json:"remote_port"`
+}
+
+func (cfg *BindInfoConf) compare(cmp *BindInfoConf) bool {
+	if cfg.BindAddr != cmp.BindAddr ||
+		cfg.RemotePort != cmp.RemotePort {
+		return false
+	}
+	return true
 }

 func (cfg *BindInfoConf) LoadFromMsg(pMsg *msg.NewProxy) {
-	cfg.BindAddr = ServerCommonCfg.BindAddr
+	cfg.BindAddr = ServerCommonCfg.ProxyBindAddr
 	cfg.RemotePort = pMsg.RemotePort
 }

@@ -157,10 +183,13 @@ func (cfg *BindInfoConf) LoadFromFile(name string, section ini.Section) (err err
 	var (
 		tmpStr string
 		ok     bool
+		v      int64
 	)
 	if tmpStr, ok = section["remote_port"]; ok {
-		if cfg.RemotePort, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
 			return fmt.Errorf("Parse conf error: proxy [%s] remote_port error", name)
+		} else {
+			cfg.RemotePort = int(v)
 		}
 	} else {
 		return fmt.Errorf("Parse conf error: proxy [%s] remote_port not found", name)
@@ -173,11 +202,6 @@ func (cfg *BindInfoConf) UnMarshalToMsg(pMsg *msg.NewProxy) {
 }

 func (cfg *BindInfoConf) check() (err error) {
-	if len(ServerCommonCfg.PrivilegeAllowPorts) != 0 {
-		if ok := util.ContainsPort(ServerCommonCfg.PrivilegeAllowPorts, cfg.RemotePort); !ok {
-			return fmt.Errorf("remote port [%d] isn't allowed", cfg.RemotePort)
-		}
-	}
 	return nil
 }

@@ -187,6 +211,14 @@ type DomainConf struct {
 	SubDomain     string   `json:"sub_domain"`
 }

+func (cfg *DomainConf) compare(cmp *DomainConf) bool {
+	if strings.Join(cfg.CustomDomains, " ") != strings.Join(cmp.CustomDomains, " ") ||
+		cfg.SubDomain != cmp.SubDomain {
+		return false
+	}
+	return true
+}
+
 func (cfg *DomainConf) LoadFromMsg(pMsg *msg.NewProxy) {
 	cfg.CustomDomains = pMsg.CustomDomains
 	cfg.SubDomain = pMsg.SubDomain
@@ -239,11 +271,20 @@ func (cfg *DomainConf) check() (err error) {
 	return nil
 }

+// Local service info
 type LocalSvrConf struct {
 	LocalIp   string `json:"-"`
 	LocalPort int    `json:"-"`
 }

+func (cfg *LocalSvrConf) compare(cmp *LocalSvrConf) bool {
+	if cfg.LocalIp != cmp.LocalIp ||
+		cfg.LocalPort != cmp.LocalPort {
+		return false
+	}
+	return true
+}
+
 func (cfg *LocalSvrConf) LoadFromFile(name string, section ini.Section) (err error) {
 	if cfg.LocalIp = section["local_ip"]; cfg.LocalIp == "" {
 		cfg.LocalIp = "127.0.0.1"
@@ -259,12 +300,63 @@ func (cfg *LocalSvrConf) LoadFromFile(name string, section ini.Section) (err err
 	return nil
 }

+type PluginConf struct {
+	Plugin       string            `json:"-"`
+	PluginParams map[string]string `json:"-"`
+}
+
+func (cfg *PluginConf) compare(cmp *PluginConf) bool {
+	if cfg.Plugin != cmp.Plugin ||
+		len(cfg.PluginParams) != len(cmp.PluginParams) {
+		return false
+	}
+	for k, v := range cfg.PluginParams {
+		value, ok := cmp.PluginParams[k]
+		if !ok || v != value {
+			return false
+		}
+	}
+	return true
+}
+
+func (cfg *PluginConf) LoadFromFile(name string, section ini.Section) (err error) {
+	cfg.Plugin = section["plugin"]
+	cfg.PluginParams = make(map[string]string)
+	if cfg.Plugin != "" {
+		// get params begin with "plugin_"
+		for k, v := range section {
+			if strings.HasPrefix(k, "plugin_") {
+				cfg.PluginParams[k] = v
+			}
+		}
+	} else {
+		return fmt.Errorf("Parse conf error: proxy [%s] no plugin info found", name)
+	}
+	return
+}
+
 // TCP
 type TcpProxyConf struct {
 	BaseProxyConf
 	BindInfoConf

 	LocalSvrConf
+	PluginConf
+}
+
+func (cfg *TcpProxyConf) Compare(cmp ProxyConf) bool {
+	cmpConf, ok := cmp.(*TcpProxyConf)
+	if !ok {
+		return false
+	}
+
+	if !cfg.BaseProxyConf.compare(&cmpConf.BaseProxyConf) ||
+		!cfg.BindInfoConf.compare(&cmpConf.BindInfoConf) ||
+		!cfg.LocalSvrConf.compare(&cmpConf.LocalSvrConf) ||
+		!cfg.PluginConf.compare(&cmpConf.PluginConf) {
+		return false
+	}
+	return true
 }

 func (cfg *TcpProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
@@ -279,8 +371,11 @@ func (cfg *TcpProxyConf) LoadFromFile(name string, section ini.Section) (err err
 	if err = cfg.BindInfoConf.LoadFromFile(name, section); err != nil {
 		return
 	}
-	if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
-		return
+
+	if err = cfg.PluginConf.LoadFromFile(name, section); err != nil {
+		if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
+			return
+		}
 	}
 	return
 }
@@ -303,6 +398,20 @@ type UdpProxyConf struct {
 	LocalSvrConf
 }

+func (cfg *UdpProxyConf) Compare(cmp ProxyConf) bool {
+	cmpConf, ok := cmp.(*UdpProxyConf)
+	if !ok {
+		return false
+	}
+
+	if !cfg.BaseProxyConf.compare(&cmpConf.BaseProxyConf) ||
+		!cfg.BindInfoConf.compare(&cmpConf.BindInfoConf) ||
+		!cfg.LocalSvrConf.compare(&cmpConf.LocalSvrConf) {
+		return false
+	}
+	return true
+}
+
 func (cfg *UdpProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
 	cfg.BaseProxyConf.LoadFromMsg(pMsg)
 	cfg.BindInfoConf.LoadFromMsg(pMsg)
@@ -337,6 +446,7 @@ type HttpProxyConf struct {
 	DomainConf

 	LocalSvrConf
+	PluginConf

 	Locations         []string `json:"locations"`
 	HostHeaderRewrite string   `json:"host_header_rewrite"`
@@ -344,6 +454,25 @@ type HttpProxyConf struct {
 	HttpPwd           string   `json:"-"`
 }

+func (cfg *HttpProxyConf) Compare(cmp ProxyConf) bool {
+	cmpConf, ok := cmp.(*HttpProxyConf)
+	if !ok {
+		return false
+	}
+
+	if !cfg.BaseProxyConf.compare(&cmpConf.BaseProxyConf) ||
+		!cfg.DomainConf.compare(&cmpConf.DomainConf) ||
+		!cfg.LocalSvrConf.compare(&cmpConf.LocalSvrConf) ||
+		!cfg.PluginConf.compare(&cmpConf.PluginConf) ||
+		strings.Join(cfg.Locations, " ") != strings.Join(cmpConf.Locations, " ") ||
+		cfg.HostHeaderRewrite != cmpConf.HostHeaderRewrite ||
+		cfg.HttpUser != cmpConf.HttpUser ||
+		cfg.HttpPwd != cmpConf.HttpPwd {
+		return false
+	}
+	return true
+}
+
 func (cfg *HttpProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
 	cfg.BaseProxyConf.LoadFromMsg(pMsg)
 	cfg.DomainConf.LoadFromMsg(pMsg)
@@ -361,8 +490,10 @@ func (cfg *HttpProxyConf) LoadFromFile(name string, section ini.Section) (err er
 	if err = cfg.DomainConf.LoadFromFile(name, section); err != nil {
 		return
 	}
-	if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
-		return
+	if err = cfg.PluginConf.LoadFromFile(name, section); err != nil {
+		if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
+			return
+		}
 	}

 	var (
@@ -405,6 +536,22 @@ type HttpsProxyConf struct {
 	DomainConf

 	LocalSvrConf
+	PluginConf
+}
+
+func (cfg *HttpsProxyConf) Compare(cmp ProxyConf) bool {
+	cmpConf, ok := cmp.(*HttpsProxyConf)
+	if !ok {
+		return false
+	}
+
+	if !cfg.BaseProxyConf.compare(&cmpConf.BaseProxyConf) ||
+		!cfg.DomainConf.compare(&cmpConf.DomainConf) ||
+		!cfg.LocalSvrConf.compare(&cmpConf.LocalSvrConf) ||
+		!cfg.PluginConf.compare(&cmpConf.PluginConf) {
+		return false
+	}
+	return true
 }

 func (cfg *HttpsProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
@@ -419,8 +566,10 @@ func (cfg *HttpsProxyConf) LoadFromFile(name string, section ini.Section) (err e
 	if err = cfg.DomainConf.LoadFromFile(name, section); err != nil {
 		return
 	}
-	if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
-		return
+	if err = cfg.PluginConf.LoadFromFile(name, section); err != nil {
+		if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
+			return
+		}
 	}
 	return
 }
@@ -438,20 +587,283 @@ func (cfg *HttpsProxyConf) Check() (err error) {
 	return
 }

-func LoadProxyConfFromFile(conf ini.File) (proxyConfs map[string]ProxyConf, err error) {
-	var prefix string
-	if ClientCommonCfg.User != "" {
-		prefix = ClientCommonCfg.User + "."
+// STCP
+type StcpProxyConf struct {
+	BaseProxyConf
+
+	Role string `json:"role"`
+	Sk   string `json:"sk"`
+
+	// used in role server
+	LocalSvrConf
+	PluginConf
+
+	// used in role visitor
+	ServerName string `json:"server_name"`
+	BindAddr   string `json:"bind_addr"`
+	BindPort   int    `json:"bind_port"`
+}
+
+func (cfg *StcpProxyConf) Compare(cmp ProxyConf) bool {
+	cmpConf, ok := cmp.(*StcpProxyConf)
+	if !ok {
+		return false
 	}
-	proxyConfs = make(map[string]ProxyConf)
-	for name, section := range conf {
-		if name != "common" {
-			cfg, err := NewProxyConfFromFile(name, section)
-			if err != nil {
-				return proxyConfs, err
+
+	if !cfg.BaseProxyConf.compare(&cmpConf.BaseProxyConf) ||
+		!cfg.LocalSvrConf.compare(&cmpConf.LocalSvrConf) ||
+		!cfg.PluginConf.compare(&cmpConf.PluginConf) ||
+		cfg.Role != cmpConf.Role ||
+		cfg.Sk != cmpConf.Sk ||
+		cfg.ServerName != cmpConf.ServerName ||
+		cfg.BindAddr != cmpConf.BindAddr ||
+		cfg.BindPort != cmpConf.BindPort {
+		return false
+	}
+	return true
+}
+
+// Only for role server.
+func (cfg *StcpProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
+	cfg.BaseProxyConf.LoadFromMsg(pMsg)
+	cfg.Sk = pMsg.Sk
+}
+
+func (cfg *StcpProxyConf) LoadFromFile(name string, section ini.Section) (err error) {
+	if err = cfg.BaseProxyConf.LoadFromFile(name, section); err != nil {
+		return
+	}
+
+	tmpStr := section["role"]
+	if tmpStr == "" {
+		tmpStr = "server"
+	}
+	if tmpStr == "server" || tmpStr == "visitor" {
+		cfg.Role = tmpStr
+	} else {
+		return fmt.Errorf("Parse conf error: proxy [%s] incorrect role [%s]", name, tmpStr)
+	}
+
+	cfg.Sk = section["sk"]
+
+	if tmpStr == "visitor" {
+		prefix := section["prefix"]
+		cfg.ServerName = prefix + section["server_name"]
+		if cfg.BindAddr = section["bind_addr"]; cfg.BindAddr == "" {
+			cfg.BindAddr = "127.0.0.1"
+		}
+
+		if tmpStr, ok := section["bind_port"]; ok {
+			if cfg.BindPort, err = strconv.Atoi(tmpStr); err != nil {
+				return fmt.Errorf("Parse conf error: proxy [%s] bind_port error", name)
+			}
+		} else {
+			return fmt.Errorf("Parse conf error: proxy [%s] bind_port not found", name)
+		}
+	} else {
+		if err = cfg.PluginConf.LoadFromFile(name, section); err != nil {
+			if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
+				return
 			}
-			proxyConfs[prefix+name] = cfg
 		}
 	}
 	return
 }
+
+func (cfg *StcpProxyConf) UnMarshalToMsg(pMsg *msg.NewProxy) {
+	cfg.BaseProxyConf.UnMarshalToMsg(pMsg)
+	pMsg.Sk = cfg.Sk
+}
+
+func (cfg *StcpProxyConf) Check() (err error) {
+	return
+}
+
+// XTCP
+type XtcpProxyConf struct {
+	BaseProxyConf
+
+	Role string `json:"role"`
+	Sk   string `json:"sk"`
+
+	// used in role server
+	LocalSvrConf
+	PluginConf
+
+	// used in role visitor
+	ServerName string `json:"server_name"`
+	BindAddr   string `json:"bind_addr"`
+	BindPort   int    `json:"bind_port"`
+}
+
+func (cfg *XtcpProxyConf) Compare(cmp ProxyConf) bool {
+	cmpConf, ok := cmp.(*XtcpProxyConf)
+	if !ok {
+		return false
+	}
+
+	if !cfg.BaseProxyConf.compare(&cmpConf.BaseProxyConf) ||
+		!cfg.LocalSvrConf.compare(&cmpConf.LocalSvrConf) ||
+		!cfg.PluginConf.compare(&cmpConf.PluginConf) ||
+		cfg.Role != cmpConf.Role ||
+		cfg.Sk != cmpConf.Sk ||
+		cfg.ServerName != cmpConf.ServerName ||
+		cfg.BindAddr != cmpConf.BindAddr ||
+		cfg.BindPort != cmpConf.BindPort {
+		return false
+	}
+	return true
+}
+
+// Only for role server.
+func (cfg *XtcpProxyConf) LoadFromMsg(pMsg *msg.NewProxy) {
+	cfg.BaseProxyConf.LoadFromMsg(pMsg)
+	cfg.Sk = pMsg.Sk
+}
+
+func (cfg *XtcpProxyConf) LoadFromFile(name string, section ini.Section) (err error) {
+	if err = cfg.BaseProxyConf.LoadFromFile(name, section); err != nil {
+		return
+	}
+
+	tmpStr := section["role"]
+	if tmpStr == "" {
+		tmpStr = "server"
+	}
+	if tmpStr == "server" || tmpStr == "visitor" {
+		cfg.Role = tmpStr
+	} else {
+		return fmt.Errorf("Parse conf error: proxy [%s] incorrect role [%s]", name, tmpStr)
+	}
+
+	cfg.Sk = section["sk"]
+
+	if tmpStr == "visitor" {
+		prefix := section["prefix"]
+		cfg.ServerName = prefix + section["server_name"]
+		if cfg.BindAddr = section["bind_addr"]; cfg.BindAddr == "" {
+			cfg.BindAddr = "127.0.0.1"
+		}
+
+		if tmpStr, ok := section["bind_port"]; ok {
+			if cfg.BindPort, err = strconv.Atoi(tmpStr); err != nil {
+				return fmt.Errorf("Parse conf error: proxy [%s] bind_port error", name)
+			}
+		} else {
+			return fmt.Errorf("Parse conf error: proxy [%s] bind_port not found", name)
+		}
+	} else {
+		if err = cfg.PluginConf.LoadFromFile(name, section); err != nil {
+			if err = cfg.LocalSvrConf.LoadFromFile(name, section); err != nil {
+				return
+			}
+		}
+	}
+	return
+}
+
+func (cfg *XtcpProxyConf) UnMarshalToMsg(pMsg *msg.NewProxy) {
+	cfg.BaseProxyConf.UnMarshalToMsg(pMsg)
+	pMsg.Sk = cfg.Sk
+}
+
+func (cfg *XtcpProxyConf) Check() (err error) {
+	return
+}
+
+func ParseRangeSection(name string, section ini.Section) (sections map[string]ini.Section, err error) {
+	localPorts, errRet := util.ParseRangeNumbers(section["local_port"])
+	if errRet != nil {
+		err = fmt.Errorf("Parse conf error: range section [%s] local_port invalid, %v", name, errRet)
+		return
+	}
+
+	remotePorts, errRet := util.ParseRangeNumbers(section["remote_port"])
+	if errRet != nil {
+		err = fmt.Errorf("Parse conf error: range section [%s] remote_port invalid, %v", name, errRet)
+		return
+	}
+	if len(localPorts) != len(remotePorts) {
+		err = fmt.Errorf("Parse conf error: range section [%s] local ports number should be same with remote ports number", name)
+		return
+	}
+	if len(localPorts) == 0 {
+		err = fmt.Errorf("Parse conf error: range section [%s] local_port and remote_port is necessary", name)
+		return
+	}
+
+	sections = make(map[string]ini.Section)
+	for i, port := range localPorts {
+		subName := fmt.Sprintf("%s_%d", name, i)
+		subSection := copySection(section)
+		subSection["local_port"] = fmt.Sprintf("%d", port)
+		subSection["remote_port"] = fmt.Sprintf("%d", remotePorts[i])
+		sections[subName] = subSection
+	}
+	return
+}
+
+// if len(startProxy) is 0, start all
+// otherwise just start proxies in startProxy map
+func LoadProxyConfFromFile(prefix string, conf ini.File, startProxy map[string]struct{}) (
+	proxyConfs map[string]ProxyConf, visitorConfs map[string]ProxyConf, err error) {
+
+	if prefix != "" {
+		prefix += "."
+	}
+
+	startAll := true
+	if len(startProxy) > 0 {
+		startAll = false
+	}
+	proxyConfs = make(map[string]ProxyConf)
+	visitorConfs = make(map[string]ProxyConf)
+	for name, section := range conf {
+		if name == "common" {
+			continue
+		}
+
+		_, shouldStart := startProxy[name]
+		if !startAll && !shouldStart {
+			continue
+		}
+
+		subSections := make(map[string]ini.Section)
+
+		if strings.HasPrefix(name, "range:") {
+			// range section
+			rangePrefix := strings.TrimSpace(strings.TrimPrefix(name, "range:"))
+			subSections, err = ParseRangeSection(rangePrefix, section)
+			if err != nil {
+				return
+			}
+		} else {
+			subSections[name] = section
+		}
+
+		for subName, subSection := range subSections {
+			// some proxy or visotr configure may be used this prefix
+			subSection["prefix"] = prefix
+			cfg, err := NewProxyConfFromFile(subName, subSection)
+			if err != nil {
+				return proxyConfs, visitorConfs, err
+			}
+
+			role := subSection["role"]
+			if role == "visitor" {
+				visitorConfs[prefix+subName] = cfg
+			} else {
+				proxyConfs[prefix+subName] = cfg
+			}
+		}
+	}
+	return
+}
+
+func copySection(section ini.Section) (out ini.Section) {
+	out = make(ini.Section)
+	for k, v := range section {
+		out[k] = v
+	}
+	return
+}
--- a/models/config/server_common.go
+++ b/models/config/server_common.go
@@ -19,26 +19,31 @@ import (
 	"strconv"
 	"strings"

-	"github.com/fatedier/frp/utils/util"
 	ini "github.com/vaughan0/go-ini"
+
+	"github.com/fatedier/frp/utils/util"
 )

 var ServerCommonCfg *ServerCommonConf

 // common config
 type ServerCommonConf struct {
-	ConfigFile string
-	BindAddr   string
-	BindPort   int64
+	ConfigFile    string
+	BindAddr      string
+	BindPort      int
+	BindUdpPort   int
+	KcpBindPort   int
+	ProxyBindAddr string

 	// If VhostHttpPort equals 0, don't listen a public port for http protocol.
-	VhostHttpPort int64
+	VhostHttpPort int

 	// if VhostHttpsPort equals 0, don't listen a public port for https protocol
-	VhostHttpsPort int64
+	VhostHttpsPort int
+	DashboardAddr  string

 	// if DashboardPort equals 0, dashboard is not available
-	DashboardPort  int64
+	DashboardPort  int
 	DashboardUser  string
 	DashboardPwd   string
 	AssetsDir      string
@@ -52,36 +57,42 @@ type ServerCommonConf struct {
 	SubDomainHost  string
 	TcpMux         bool

-	// if PrivilegeAllowPorts is not nil, tcp proxies which remote port exist in this map can be connected
-	PrivilegeAllowPorts [][2]int64
+	PrivilegeAllowPorts map[int]struct{}
 	MaxPoolCount        int64
+	MaxPortsPerClient   int64
 	HeartBeatTimeout    int64
 	UserConnTimeout     int64
 }

 func GetDefaultServerCommonConf() *ServerCommonConf {
 	return &ServerCommonConf{
-		ConfigFile:       "./frps.ini",
-		BindAddr:         "0.0.0.0",
-		BindPort:         7000,
-		VhostHttpPort:    0,
-		VhostHttpsPort:   0,
-		DashboardPort:    0,
-		DashboardUser:    "admin",
-		DashboardPwd:     "admin",
-		AssetsDir:        "",
-		LogFile:          "console",
-		LogWay:           "console",
-		LogLevel:         "info",
-		LogMaxDays:       3,
-		PrivilegeMode:    true,
-		PrivilegeToken:   "",
-		AuthTimeout:      900,
-		SubDomainHost:    "",
-		TcpMux:           true,
-		MaxPoolCount:     5,
-		HeartBeatTimeout: 90,
-		UserConnTimeout:  10,
+		ConfigFile:          "./frps.ini",
+		BindAddr:            "0.0.0.0",
+		BindPort:            7000,
+		BindUdpPort:         0,
+		KcpBindPort:         0,
+		ProxyBindAddr:       "0.0.0.0",
+		VhostHttpPort:       0,
+		VhostHttpsPort:      0,
+		DashboardAddr:       "0.0.0.0",
+		DashboardPort:       0,
+		DashboardUser:       "admin",
+		DashboardPwd:        "admin",
+		AssetsDir:           "",
+		LogFile:             "console",
+		LogWay:              "console",
+		LogLevel:            "info",
+		LogMaxDays:          3,
+		PrivilegeMode:       true,
+		PrivilegeToken:      "",
+		AuthTimeout:         900,
+		SubDomainHost:       "",
+		TcpMux:              true,
+		PrivilegeAllowPorts: make(map[int]struct{}),
+		MaxPoolCount:        5,
+		MaxPortsPerClient:   0,
+		HeartBeatTimeout:    90,
+		UserConnTimeout:     10,
 	}
 }

@@ -101,18 +112,48 @@ func LoadServerCommonConf(conf ini.File) (cfg *ServerCommonConf, err error) {

 	tmpStr, ok = conf.Get("common", "bind_port")
 	if ok {
-		v, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err == nil {
-			cfg.BindPort = v
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid bind_port")
+			return
+		} else {
+			cfg.BindPort = int(v)
 		}
 	}

+	tmpStr, ok = conf.Get("common", "bind_udp_port")
+	if ok {
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid bind_udp_port")
+			return
+		} else {
+			cfg.BindUdpPort = int(v)
+		}
+	}
+
+	tmpStr, ok = conf.Get("common", "kcp_bind_port")
+	if ok {
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid kcp_bind_port")
+			return
+		} else {
+			cfg.KcpBindPort = int(v)
+		}
+	}
+
+	tmpStr, ok = conf.Get("common", "proxy_bind_addr")
+	if ok {
+		cfg.ProxyBindAddr = tmpStr
+	} else {
+		cfg.ProxyBindAddr = cfg.BindAddr
+	}
+
 	tmpStr, ok = conf.Get("common", "vhost_http_port")
 	if ok {
-		cfg.VhostHttpPort, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err != nil {
-			err = fmt.Errorf("Parse conf error: vhost_http_port is incorrect")
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid vhost_http_port")
 			return
+		} else {
+			cfg.VhostHttpPort = int(v)
 		}
 	} else {
 		cfg.VhostHttpPort = 0
@@ -120,21 +161,30 @@ func LoadServerCommonConf(conf ini.File) (cfg *ServerCommonConf, err error) {

 	tmpStr, ok = conf.Get("common", "vhost_https_port")
 	if ok {
-		cfg.VhostHttpsPort, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err != nil {
-			err = fmt.Errorf("Parse conf error: vhost_https_port is incorrect")
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid vhost_https_port")
 			return
+		} else {
+			cfg.VhostHttpsPort = int(v)
 		}
 	} else {
 		cfg.VhostHttpsPort = 0
 	}

+	tmpStr, ok = conf.Get("common", "dashboard_addr")
+	if ok {
+		cfg.DashboardAddr = tmpStr
+	} else {
+		cfg.DashboardAddr = cfg.BindAddr
+	}
+
 	tmpStr, ok = conf.Get("common", "dashboard_port")
 	if ok {
-		cfg.DashboardPort, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err != nil {
-			err = fmt.Errorf("Parse conf error: dashboard_port is incorrect")
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid dashboard_port")
 			return
+		} else {
+			cfg.DashboardPort = int(v)
 		}
 	} else {
 		cfg.DashboardPort = 0
@@ -190,24 +240,48 @@ func LoadServerCommonConf(conf ini.File) (cfg *ServerCommonConf, err error) {
 		cfg.PrivilegeToken, _ = conf.Get("common", "privilege_token")

 		allowPortsStr, ok := conf.Get("common", "privilege_allow_ports")
-		// TODO: check if conflicts exist in port ranges
 		if ok {
-			cfg.PrivilegeAllowPorts, err = util.GetPortRanges(allowPortsStr)
-			if err != nil {
-				err = fmt.Errorf("Parse conf error: privilege_allow_ports is incorrect, %v", err)
+			// e.g. 1000-2000,2001,2002,3000-4000
+			ports, errRet := util.ParseRangeNumbers(allowPortsStr)
+			if errRet != nil {
+				err = fmt.Errorf("Parse conf error: privilege_allow_ports: %v", errRet)
 				return
 			}
+
+			for _, port := range ports {
+				cfg.PrivilegeAllowPorts[int(port)] = struct{}{}
+			}
 		}
 	}

 	tmpStr, ok = conf.Get("common", "max_pool_count")
 	if ok {
-		v, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err == nil && v >= 0 {
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid max_pool_count")
+			return
+		} else {
+			if v < 0 {
+				err = fmt.Errorf("Parse conf error: invalid max_pool_count")
+				return
+			}
 			cfg.MaxPoolCount = v
 		}
 	}

+	tmpStr, ok = conf.Get("common", "max_ports_per_client")
+	if ok {
+		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
+			err = fmt.Errorf("Parse conf error: invalid max_ports_per_client")
+			return
+		} else {
+			if v < 0 {
+				err = fmt.Errorf("Parse conf error: invalid max_ports_per_client")
+				return
+			}
+			cfg.MaxPortsPerClient = v
+		}
+	}
+
 	tmpStr, ok = conf.Get("common", "authentication_timeout")
 	if ok {
 		v, errRet := strconv.ParseInt(tmpStr, 10, 64)
--- a/models/consts/consts.go
+++ b/models/consts/consts.go
@@ -27,4 +27,6 @@ var (
 	UdpProxy   string = "udp"
 	HttpProxy  string = "http"
 	HttpsProxy string = "https"
+	StcpProxy  string = "stcp"
+	XtcpProxy  string = "xtcp"
 )
--- a/models/msg/msg.go
+++ b/models/msg/msg.go
@@ -20,16 +20,23 @@ import (
 )

 const (
-	TypeLogin         = 'o'
-	TypeLoginResp     = '1'
-	TypeNewProxy      = 'p'
-	TypeNewProxyResp  = '2'
-	TypeNewWorkConn   = 'w'
-	TypeReqWorkConn   = 'r'
-	TypeStartWorkConn = 's'
-	TypePing          = 'h'
-	TypePong          = '4'
-	TypeUdpPacket     = 'u'
+	TypeLogin              = 'o'
+	TypeLoginResp          = '1'
+	TypeNewProxy           = 'p'
+	TypeNewProxyResp       = '2'
+	TypeCloseProxy         = 'c'
+	TypeNewWorkConn        = 'w'
+	TypeReqWorkConn        = 'r'
+	TypeStartWorkConn      = 's'
+	TypeNewVisitorConn     = 'v'
+	TypeNewVisitorConnResp = '3'
+	TypePing               = 'h'
+	TypePong               = '4'
+	TypeUdpPacket          = 'u'
+	TypeNatHoleVisitor     = 'i'
+	TypeNatHoleClient      = 'n'
+	TypeNatHoleResp        = 'm'
+	TypeNatHoleSid         = '5'
 )

 var (
@@ -45,12 +52,19 @@ func init() {
 	TypeMap[TypeLoginResp] = reflect.TypeOf(LoginResp{})
 	TypeMap[TypeNewProxy] = reflect.TypeOf(NewProxy{})
 	TypeMap[TypeNewProxyResp] = reflect.TypeOf(NewProxyResp{})
+	TypeMap[TypeCloseProxy] = reflect.TypeOf(CloseProxy{})
 	TypeMap[TypeNewWorkConn] = reflect.TypeOf(NewWorkConn{})
 	TypeMap[TypeReqWorkConn] = reflect.TypeOf(ReqWorkConn{})
 	TypeMap[TypeStartWorkConn] = reflect.TypeOf(StartWorkConn{})
+	TypeMap[TypeNewVisitorConn] = reflect.TypeOf(NewVisitorConn{})
+	TypeMap[TypeNewVisitorConnResp] = reflect.TypeOf(NewVisitorConnResp{})
 	TypeMap[TypePing] = reflect.TypeOf(Ping{})
 	TypeMap[TypePong] = reflect.TypeOf(Pong{})
 	TypeMap[TypeUdpPacket] = reflect.TypeOf(UdpPacket{})
+	TypeMap[TypeNatHoleVisitor] = reflect.TypeOf(NatHoleVisitor{})
+	TypeMap[TypeNatHoleClient] = reflect.TypeOf(NatHoleClient{})
+	TypeMap[TypeNatHoleResp] = reflect.TypeOf(NatHoleResp{})
+	TypeMap[TypeNatHoleSid] = reflect.TypeOf(NatHoleSid{})

 	for k, v := range TypeMap {
 		TypeStringMap[v] = k
@@ -76,9 +90,10 @@ type Login struct {
 }

 type LoginResp struct {
-	Version string `json:"version"`
-	RunId   string `json:"run_id"`
-	Error   string `json:"error"`
+	Version       string `json:"version"`
+	RunId         string `json:"run_id"`
+	ServerUdpPort int    `json:"server_udp_port"`
+	Error         string `json:"error"`
 }

 // When frpc login success, send this message to frps for running a new proxy.
@@ -89,7 +104,7 @@ type NewProxy struct {
 	UseCompression bool   `json:"use_compression"`

 	// tcp and udp only
-	RemotePort int64 `json:"remote_port"`
+	RemotePort int `json:"remote_port"`

 	// http and https only
 	CustomDomains     []string `json:"custom_domains"`
@@ -98,11 +113,19 @@ type NewProxy struct {
 	HostHeaderRewrite string   `json:"host_header_rewrite"`
 	HttpUser          string   `json:"http_user"`
 	HttpPwd           string   `json:"http_pwd"`
+
+	// stcp
+	Sk string `json:"sk"`
 }

 type NewProxyResp struct {
+	ProxyName  string `json:"proxy_name"`
+	RemoteAddr string `json:"remote_addr"`
+	Error      string `json:"error"`
+}
+
+type CloseProxy struct {
 	ProxyName string `json:"proxy_name"`
-	Error     string `json:"error"`
 }

 type NewWorkConn struct {
@@ -116,6 +139,19 @@ type StartWorkConn struct {
 	ProxyName string `json:"proxy_name"`
 }

+type NewVisitorConn struct {
+	ProxyName      string `json:"proxy_name"`
+	SignKey        string `json:"sign_key"`
+	Timestamp      int64  `json:"timestamp"`
+	UseEncryption  bool   `json:"use_encryption"`
+	UseCompression bool   `json:"use_compression"`
+}
+
+type NewVisitorConnResp struct {
+	ProxyName string `json:"proxy_name"`
+	Error     string `json:"error"`
+}
+
 type Ping struct {
 }

@@ -127,3 +163,24 @@ type UdpPacket struct {
 	LocalAddr  *net.UDPAddr `json:"l"`
 	RemoteAddr *net.UDPAddr `json:"r"`
 }
+
+type NatHoleVisitor struct {
+	ProxyName string `json:"proxy_name"`
+	SignKey   string `json:"sign_key"`
+	Timestamp int64  `json:"timestamp"`
+}
+
+type NatHoleClient struct {
+	ProxyName string `json:"proxy_name"`
+	Sid       string `json:"sid"`
+}
+
+type NatHoleResp struct {
+	Sid         string `json:"sid"`
+	VisitorAddr string `json:"visitor_addr"`
+	ClientAddr  string `json:"client_addr"`
+}
+
+type NatHoleSid struct {
+	Sid string `json:"sid"`
+}
--- a/models/plugin/http_proxy.go
+++ b/models/plugin/http_proxy.go
@@ -0,0 +1,234 @@
+// Copyright 2017 frp team
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugin
+
+import (
+	"bufio"
+	"encoding/base64"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+
+	frpIo "github.com/fatedier/frp/utils/io"
+	frpNet "github.com/fatedier/frp/utils/net"
+)
+
+const PluginHttpProxy = "http_proxy"
+
+func init() {
+	Register(PluginHttpProxy, NewHttpProxyPlugin)
+}
+
+type HttpProxy struct {
+	l          *Listener
+	s          *http.Server
+	AuthUser   string
+	AuthPasswd string
+}
+
+func NewHttpProxyPlugin(params map[string]string) (Plugin, error) {
+	user := params["plugin_http_user"]
+	passwd := params["plugin_http_passwd"]
+	listener := NewProxyListener()
+
+	hp := &HttpProxy{
+		l:          listener,
+		AuthUser:   user,
+		AuthPasswd: passwd,
+	}
+
+	hp.s = &http.Server{
+		Handler: hp,
+	}
+
+	go hp.s.Serve(listener)
+	return hp, nil
+}
+
+func (hp *HttpProxy) Name() string {
+	return PluginHttpProxy
+}
+
+func (hp *HttpProxy) Handle(conn io.ReadWriteCloser, realConn frpNet.Conn) {
+	wrapConn := frpNet.WrapReadWriteCloserToConn(conn, realConn)
+
+	sc, rd := frpNet.NewShareConn(wrapConn)
+	request, err := http.ReadRequest(bufio.NewReader(rd))
+	if err != nil {
+		wrapConn.Close()
+		return
+	}
+
+	if request.Method == http.MethodConnect {
+		hp.handleConnectReq(request, frpIo.WrapReadWriteCloser(rd, wrapConn, nil))
+		return
+	}
+
+	hp.l.PutConn(sc)
+	return
+}
+
+func (hp *HttpProxy) Close() error {
+	hp.s.Close()
+	hp.l.Close()
+	return nil
+}
+
+func (hp *HttpProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	if ok := hp.Auth(req); !ok {
+		rw.Header().Set("Proxy-Authenticate", "Basic")
+		rw.WriteHeader(http.StatusProxyAuthRequired)
+		return
+	}
+
+	if req.Method == http.MethodConnect {
+		// deprecated
+		// Connect request is handled in Handle function.
+		hp.ConnectHandler(rw, req)
+	} else {
+		hp.HttpHandler(rw, req)
+	}
+}
+
+func (hp *HttpProxy) HttpHandler(rw http.ResponseWriter, req *http.Request) {
+	removeProxyHeaders(req)
+
+	resp, err := http.DefaultTransport.RoundTrip(req)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	defer resp.Body.Close()
+
+	copyHeaders(rw.Header(), resp.Header)
+	rw.WriteHeader(resp.StatusCode)
+
+	_, err = io.Copy(rw, resp.Body)
+	if err != nil && err != io.EOF {
+		return
+	}
+}
+
+// deprecated
+// Hijack needs to SetReadDeadline on the Conn of the request, but if we use stream compression here,
+// we may always get i/o timeout error.
+func (hp *HttpProxy) ConnectHandler(rw http.ResponseWriter, req *http.Request) {
+	hj, ok := rw.(http.Hijacker)
+	if !ok {
+		rw.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	client, _, err := hj.Hijack()
+	if err != nil {
+		rw.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	remote, err := net.Dial("tcp", req.URL.Host)
+	if err != nil {
+		http.Error(rw, "Failed", http.StatusBadRequest)
+		client.Close()
+		return
+	}
+	client.Write([]byte("HTTP/1.1 200 OK\r\n\r\n"))
+
+	go frpIo.Join(remote, client)
+}
+
+func (hp *HttpProxy) Auth(req *http.Request) bool {
+	if hp.AuthUser == "" && hp.AuthPasswd == "" {
+		return true
+	}
+
+	s := strings.SplitN(req.Header.Get("Proxy-Authorization"), " ", 2)
+	if len(s) != 2 {
+		return false
+	}
+
+	b, err := base64.StdEncoding.DecodeString(s[1])
+	if err != nil {
+		return false
+	}
+
+	pair := strings.SplitN(string(b), ":", 2)
+	if len(pair) != 2 {
+		return false
+	}
+
+	if pair[0] != hp.AuthUser || pair[1] != hp.AuthPasswd {
+		return false
+	}
+	return true
+}
+
+func (hp *HttpProxy) handleConnectReq(req *http.Request, rwc io.ReadWriteCloser) {
+	defer rwc.Close()
+	if ok := hp.Auth(req); !ok {
+		res := getBadResponse()
+		res.Write(rwc)
+		return
+	}
+
+	remote, err := net.Dial("tcp", req.URL.Host)
+	if err != nil {
+		res := &http.Response{
+			StatusCode: 400,
+			Proto:      "HTTP/1.1",
+			ProtoMajor: 1,
+			ProtoMinor: 1,
+		}
+		res.Write(rwc)
+		return
+	}
+	rwc.Write([]byte("HTTP/1.1 200 OK\r\n\r\n"))
+
+	frpIo.Join(remote, rwc)
+}
+
+func copyHeaders(dst, src http.Header) {
+	for key, values := range src {
+		for _, value := range values {
+			dst.Add(key, value)
+		}
+	}
+}
+
+func removeProxyHeaders(req *http.Request) {
+	req.RequestURI = ""
+	req.Header.Del("Proxy-Connection")
+	req.Header.Del("Connection")
+	req.Header.Del("Proxy-Authenticate")
+	req.Header.Del("Proxy-Authorization")
+	req.Header.Del("TE")
+	req.Header.Del("Trailers")
+	req.Header.Del("Transfer-Encoding")
+	req.Header.Del("Upgrade")
+}
+
+func getBadResponse() *http.Response {
+	header := make(map[string][]string)
+	header["Proxy-Authenticate"] = []string{"Basic"}
+	res := &http.Response{
+		Status:     "407 Not authorized",
+		StatusCode: 407,
+		Proto:      "HTTP/1.1",
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     header,
+	}
+	return res
+}
--- a/models/plugin/plugin.go
+++ b/models/plugin/plugin.go
@@ -0,0 +1,91 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugin
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"sync"
+
+	"github.com/fatedier/frp/utils/errors"
+	frpNet "github.com/fatedier/frp/utils/net"
+)
+
+// Creators is used for create plugins to handle connections.
+var creators = make(map[string]CreatorFn)
+
+// params has prefix "plugin_"
+type CreatorFn func(params map[string]string) (Plugin, error)
+
+func Register(name string, fn CreatorFn) {
+	creators[name] = fn
+}
+
+func Create(name string, params map[string]string) (p Plugin, err error) {
+	if fn, ok := creators[name]; ok {
+		p, err = fn(params)
+	} else {
+		err = fmt.Errorf("plugin [%s] is not registered", name)
+	}
+	return
+}
+
+type Plugin interface {
+	Name() string
+	Handle(conn io.ReadWriteCloser, realConn frpNet.Conn)
+	Close() error
+}
+
+type Listener struct {
+	conns  chan net.Conn
+	closed bool
+	mu     sync.Mutex
+}
+
+func NewProxyListener() *Listener {
+	return &Listener{
+		conns: make(chan net.Conn, 64),
+	}
+}
+
+func (l *Listener) Accept() (net.Conn, error) {
+	conn, ok := <-l.conns
+	if !ok {
+		return nil, fmt.Errorf("listener closed")
+	}
+	return conn, nil
+}
+
+func (l *Listener) PutConn(conn net.Conn) error {
+	err := errors.PanicToError(func() {
+		l.conns <- conn
+	})
+	return err
+}
+
+func (l *Listener) Close() error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	if !l.closed {
+		close(l.conns)
+		l.closed = true
+	}
+	return nil
+}
+
+func (l *Listener) Addr() net.Addr {
+	return (*net.TCPAddr)(nil)
+}
--- a/models/plugin/socks5.go
+++ b/models/plugin/socks5.go
@@ -0,0 +1,68 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugin
+
+import (
+	"io"
+	"io/ioutil"
+	"log"
+
+	frpNet "github.com/fatedier/frp/utils/net"
+
+	gosocks5 "github.com/armon/go-socks5"
+)
+
+const PluginSocks5 = "socks5"
+
+func init() {
+	Register(PluginSocks5, NewSocks5Plugin)
+}
+
+type Socks5Plugin struct {
+	Server *gosocks5.Server
+
+	user   string
+	passwd string
+}
+
+func NewSocks5Plugin(params map[string]string) (p Plugin, err error) {
+	user := params["plugin_user"]
+	passwd := params["plugin_passwd"]
+
+	cfg := &gosocks5.Config{
+		Logger: log.New(ioutil.Discard, "", log.LstdFlags),
+	}
+	if user != "" || passwd != "" {
+		cfg.Credentials = gosocks5.StaticCredentials(map[string]string{user: passwd})
+	}
+	sp := &Socks5Plugin{}
+	sp.Server, err = gosocks5.New(cfg)
+	p = sp
+	return
+}
+
+func (sp *Socks5Plugin) Handle(conn io.ReadWriteCloser, realConn frpNet.Conn) {
+	defer conn.Close()
+	wrapConn := frpNet.WrapReadWriteCloserToConn(conn, realConn)
+	sp.Server.ServeConn(wrapConn)
+}
+
+func (sp *Socks5Plugin) Name() string {
+	return PluginSocks5
+}
+
+func (sp *Socks5Plugin) Close() error {
+	return nil
+}
--- a/models/plugin/static_file.go
+++ b/models/plugin/static_file.go
@@ -0,0 +1,87 @@
+// Copyright 2018 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugin
+
+import (
+	"io"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+
+	frpNet "github.com/fatedier/frp/utils/net"
+)
+
+const PluginStaticFile = "static_file"
+
+func init() {
+	Register(PluginStaticFile, NewStaticFilePlugin)
+}
+
+type StaticFilePlugin struct {
+	localPath   string
+	stripPrefix string
+	httpUser    string
+	httpPasswd  string
+
+	l *Listener
+	s *http.Server
+}
+
+func NewStaticFilePlugin(params map[string]string) (Plugin, error) {
+	localPath := params["plugin_local_path"]
+	stripPrefix := params["plugin_strip_prefix"]
+	httpUser := params["plugin_http_user"]
+	httpPasswd := params["plugin_http_passwd"]
+
+	listener := NewProxyListener()
+
+	sp := &StaticFilePlugin{
+		localPath:   localPath,
+		stripPrefix: stripPrefix,
+		httpUser:    httpUser,
+		httpPasswd:  httpPasswd,
+
+		l: listener,
+	}
+	var prefix string
+	if stripPrefix != "" {
+		prefix = "/" + stripPrefix + "/"
+	} else {
+		prefix = "/"
+	}
+	router := httprouter.New()
+	router.Handler("GET", prefix+"*filepath", frpNet.MakeHttpGzipHandler(
+		frpNet.NewHttpBasicAuthWraper(http.StripPrefix(prefix, http.FileServer(http.Dir(localPath))), httpUser, httpPasswd)))
+	sp.s = &http.Server{
+		Handler: router,
+	}
+	go sp.s.Serve(listener)
+	return sp, nil
+}
+
+func (sp *StaticFilePlugin) Handle(conn io.ReadWriteCloser, realConn frpNet.Conn) {
+	wrapConn := frpNet.WrapReadWriteCloserToConn(conn, realConn)
+	sp.l.PutConn(wrapConn)
+}
+
+func (sp *StaticFilePlugin) Name() string {
+	return PluginStaticFile
+}
+
+func (sp *StaticFilePlugin) Close() error {
+	sp.s.Close()
+	sp.l.Close()
+	return nil
+}
--- a/models/plugin/unix_domain_socket.go
+++ b/models/plugin/unix_domain_socket.go
@@ -0,0 +1,70 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugin
+
+import (
+	"fmt"
+	"io"
+	"net"
+
+	frpIo "github.com/fatedier/frp/utils/io"
+	frpNet "github.com/fatedier/frp/utils/net"
+)
+
+const PluginUnixDomainSocket = "unix_domain_socket"
+
+func init() {
+	Register(PluginUnixDomainSocket, NewUnixDomainSocketPlugin)
+}
+
+type UnixDomainSocketPlugin struct {
+	UnixAddr *net.UnixAddr
+}
+
+func NewUnixDomainSocketPlugin(params map[string]string) (p Plugin, err error) {
+	unixPath, ok := params["plugin_unix_path"]
+	if !ok {
+		err = fmt.Errorf("plugin_unix_path not found")
+		return
+	}
+
+	unixAddr, errRet := net.ResolveUnixAddr("unix", unixPath)
+	if errRet != nil {
+		err = errRet
+		return
+	}
+
+	p = &UnixDomainSocketPlugin{
+		UnixAddr: unixAddr,
+	}
+	return
+}
+
+func (uds *UnixDomainSocketPlugin) Handle(conn io.ReadWriteCloser, realConn frpNet.Conn) {
+	localConn, err := net.DialUnix("unix", nil, uds.UnixAddr)
+	if err != nil {
+		return
+	}
+
+	frpIo.Join(localConn, conn)
+}
+
+func (uds *UnixDomainSocketPlugin) Name() string {
+	return PluginUnixDomainSocket
+}
+
+func (uds *UnixDomainSocketPlugin) Close() error {
+	return nil
+}
--- a/models/proto/tcp/process.go
+++ b/models/proto/tcp/process.go
@@ -1,38 +0,0 @@
-// Copyright 2016 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcp
-
-import (
-	"io"
-	"sync"
-)
-
-// Join two io.ReadWriteCloser and do some operations.
-func Join(c1 io.ReadWriteCloser, c2 io.ReadWriteCloser) (inCount int64, outCount int64) {
-	var wait sync.WaitGroup
-	pipe := func(to io.ReadWriteCloser, from io.ReadWriteCloser, count *int64) {
-		defer to.Close()
-		defer from.Close()
-		defer wait.Done()
-
-		*count, _ = io.Copy(to, from)
-	}
-
-	wait.Add(2)
-	go pipe(c1, c2, &inCount)
-	go pipe(c2, c1, &outCount)
-	wait.Wait()
-	return
-}
--- a/models/proto/tcp/process_test.go
+++ b/models/proto/tcp/process_test.go
@@ -1,67 +0,0 @@
-// Copyright 2017 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcp
-
-import (
-	"io"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestJoin(t *testing.T) {
-	assert := assert.New(t)
-
-	var (
-		n   int
-		err error
-	)
-	text1 := "A document that gives tips for writing clear, idiomatic Go code. A must read for any new Go programmer. It augments the tour and the language specification, both of which should be read first."
-	text2 := "A document that specifies the conditions under which reads of a variable in one goroutine can be guaranteed to observe values produced by writes to the same variable in a different goroutine."
-
-	// Forward bytes directly.
-	pr, pw := io.Pipe()
-	pr2, pw2 := io.Pipe()
-	pr3, pw3 := io.Pipe()
-	pr4, pw4 := io.Pipe()
-
-	conn1 := WrapReadWriteCloser(pr, pw2)
-	conn2 := WrapReadWriteCloser(pr2, pw)
-	conn3 := WrapReadWriteCloser(pr3, pw4)
-	conn4 := WrapReadWriteCloser(pr4, pw3)
-
-	go func() {
-		Join(conn2, conn3)
-	}()
-
-	buf1 := make([]byte, 1024)
-	buf2 := make([]byte, 1024)
-
-	conn1.Write([]byte(text1))
-	conn4.Write([]byte(text2))
-
-	n, err = conn4.Read(buf1)
-	assert.NoError(err)
-	assert.Equal(text1, string(buf1[:n]))
-
-	n, err = conn1.Read(buf2)
-	assert.NoError(err)
-	assert.Equal(text2, string(buf2[:n]))
-
-	conn1.Close()
-	conn2.Close()
-	conn3.Close()
-	conn4.Close()
-}
--- a/models/proto/udp/udp.go
+++ b/models/proto/udp/udp.go
@@ -82,6 +82,7 @@ func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UdpPacket, sendCh chan<-
 			mu.Lock()
 			delete(udpConnMap, addr)
 			mu.Unlock()
+			udpConn.Close()
 		}()

 		buf := pool.GetBuf(1500)
--- a/package.sh
+++ b/package.sh
@@ -14,7 +14,7 @@ make -f ./Makefile.cross-compiles
 rm -rf ./packages
 mkdir ./packages

-os_all='linux windows darwin'
+os_all='linux windows darwin freebsd'
 arch_all='386 amd64 arm mips64 mips64le mips mipsle'

 for os in $os_all; do
--- a/server/control.go
+++ b/server/control.go
@@ -50,11 +50,14 @@ type Control struct {
 	workConnCh chan net.Conn

 	// proxies in one client
-	proxies []Proxy
+	proxies map[string]Proxy

 	// pool count
 	poolCount int

+	// ports used, for limitations
+	portsUsedNum int
+
 	// last time got the Ping message
 	lastPing time.Time

@@ -82,8 +85,9 @@ func NewControl(svr *Service, ctlConn net.Conn, loginMsg *msg.Login) *Control {
 		sendCh:          make(chan msg.Message, 10),
 		readCh:          make(chan msg.Message, 10),
 		workConnCh:      make(chan net.Conn, loginMsg.PoolCount+10),
-		proxies:         make([]Proxy, 0),
+		proxies:         make(map[string]Proxy),
 		poolCount:       loginMsg.PoolCount,
+		portsUsedNum:    0,
 		lastPing:        time.Now(),
 		runId:           loginMsg.RunId,
 		status:          consts.Working,
@@ -97,9 +101,10 @@ func NewControl(svr *Service, ctlConn net.Conn, loginMsg *msg.Login) *Control {
 // Start send a login success message to client and start working.
 func (ctl *Control) Start() {
 	loginRespMsg := &msg.LoginResp{
-		Version: version.Full(),
-		RunId:   ctl.runId,
-		Error:   "",
+		Version:       version.Full(),
+		RunId:         ctl.runId,
+		ServerUdpPort: config.ServerCommonCfg.BindUdpPort,
+		Error:         "",
 	}
 	msg.WriteMsg(ctl.conn, loginRespMsg)

@@ -252,13 +257,16 @@ func (ctl *Control) stoper() {
 	ctl.allShutdown.WaitStart()

 	close(ctl.readCh)
-	ctl.managerShutdown.WaitDown()
+	ctl.managerShutdown.WaitDone()

 	close(ctl.sendCh)
-	ctl.writerShutdown.WaitDown()
+	ctl.writerShutdown.WaitDone()

 	ctl.conn.Close()
-	ctl.readerShutdown.WaitDown()
+	ctl.readerShutdown.WaitDone()
+
+	ctl.mu.Lock()
+	defer ctl.mu.Unlock()

 	close(ctl.workConnCh)
 	for workConn := range ctl.workConnCh {
@@ -268,7 +276,7 @@ func (ctl *Control) stoper() {
 	for _, pxy := range ctl.proxies {
 		pxy.Close()
 		ctl.svr.DelProxy(pxy.GetName())
-		StatsCloseProxy(pxy.GetConf().GetBaseInfo().ProxyType)
+		StatsCloseProxy(pxy.GetName(), pxy.GetConf().GetBaseInfo().ProxyType)
 	}

 	ctl.allShutdown.Done()
@@ -296,6 +304,7 @@ func (ctl *Control) manager() {
 			if time.Since(ctl.lastPing) > time.Duration(config.ServerCommonCfg.HeartBeatTimeout)*time.Second {
 				ctl.conn.Warn("heartbeat timeout")
 				ctl.allShutdown.Start()
+				return
 			}
 		case rawMsg, ok := <-ctl.readCh:
 			if !ok {
@@ -305,7 +314,7 @@ func (ctl *Control) manager() {
 			switch m := rawMsg.(type) {
 			case *msg.NewProxy:
 				// register proxy in this control
-				err := ctl.RegisterProxy(m)
+				remoteAddr, err := ctl.RegisterProxy(m)
 				resp := &msg.NewProxyResp{
 					ProxyName: m.ProxyName,
 				}
@@ -313,10 +322,14 @@ func (ctl *Control) manager() {
 					resp.Error = err.Error()
 					ctl.conn.Warn("new proxy [%s] error: %v", m.ProxyName, err)
 				} else {
+					resp.RemoteAddr = remoteAddr
 					ctl.conn.Info("new proxy [%s] success", m.ProxyName)
 					StatsNewProxy(m.ProxyName, m.ProxyType)
 				}
 				ctl.sendCh <- resp
+			case *msg.CloseProxy:
+				ctl.CloseProxy(m)
+				ctl.conn.Info("close proxy [%s] success", m.ProxyName)
 			case *msg.Ping:
 				ctl.lastPing = time.Now()
 				ctl.conn.Debug("receive heartbeat")
@@ -326,24 +339,44 @@ func (ctl *Control) manager() {
 	}
 }

-func (ctl *Control) RegisterProxy(pxyMsg *msg.NewProxy) (err error) {
+func (ctl *Control) RegisterProxy(pxyMsg *msg.NewProxy) (remoteAddr string, err error) {
 	var pxyConf config.ProxyConf
 	// Load configures from NewProxy message and check.
 	pxyConf, err = config.NewProxyConf(pxyMsg)
 	if err != nil {
-		return err
+		return
 	}

 	// NewProxy will return a interface Proxy.
 	// In fact it create different proxies by different proxy type, we just call run() here.
 	pxy, err := NewProxy(ctl, pxyConf)
 	if err != nil {
-		return err
+		return remoteAddr, err
 	}

-	err = pxy.Run()
+	// Check ports used number in each client
+	if config.ServerCommonCfg.MaxPortsPerClient > 0 {
+		ctl.mu.Lock()
+		if ctl.portsUsedNum+pxy.GetUsedPortsNum() > int(config.ServerCommonCfg.MaxPortsPerClient) {
+			ctl.mu.Unlock()
+			err = fmt.Errorf("exceed the max_ports_per_client")
+			return
+		}
+		ctl.portsUsedNum = ctl.portsUsedNum + pxy.GetUsedPortsNum()
+		ctl.mu.Unlock()
+
+		defer func() {
+			if err != nil {
+				ctl.mu.Lock()
+				ctl.portsUsedNum = ctl.portsUsedNum - pxy.GetUsedPortsNum()
+				ctl.mu.Unlock()
+			}
+		}()
+	}
+
+	remoteAddr, err = pxy.Run()
 	if err != nil {
-		return err
+		return
 	}
 	defer func() {
 		if err != nil {
@@ -353,8 +386,32 @@ func (ctl *Control) RegisterProxy(pxyMsg *msg.NewProxy) (err error) {

 	err = ctl.svr.RegisterProxy(pxyMsg.ProxyName, pxy)
 	if err != nil {
-		return err
+		return
 	}
-	ctl.proxies = append(ctl.proxies, pxy)
-	return nil
+
+	ctl.mu.Lock()
+	ctl.proxies[pxy.GetName()] = pxy
+	ctl.mu.Unlock()
+	return
+}
+
+func (ctl *Control) CloseProxy(closeMsg *msg.CloseProxy) (err error) {
+	ctl.mu.Lock()
+
+	pxy, ok := ctl.proxies[closeMsg.ProxyName]
+	if !ok {
+		ctl.mu.Unlock()
+		return
+	}
+
+	if config.ServerCommonCfg.MaxPortsPerClient > 0 {
+		ctl.portsUsedNum = ctl.portsUsedNum - pxy.GetUsedPortsNum()
+	}
+	pxy.Close()
+	ctl.svr.DelProxy(pxy.GetName())
+	delete(ctl.proxies, closeMsg.ProxyName)
+	ctl.mu.Unlock()
+
+	StatsCloseProxy(pxy.GetName(), pxy.GetConf().GetBaseInfo().ProxyType)
+	return
 }
--- a/server/dashboard.go
+++ b/server/dashboard.go
@@ -22,6 +22,7 @@ import (

 	"github.com/fatedier/frp/assets"
 	"github.com/fatedier/frp/models/config"
+	frpNet "github.com/fatedier/frp/utils/net"

 	"github.com/julienschmidt/httprouter"
 )
@@ -31,24 +32,28 @@ var (
 	httpServerWriteTimeout = 10 * time.Second
 )

-func RunDashboardServer(addr string, port int64) (err error) {
+func RunDashboardServer(addr string, port int) (err error) {
 	// url router
 	router := httprouter.New()

+	user, passwd := config.ServerCommonCfg.DashboardUser, config.ServerCommonCfg.DashboardPwd
+
 	// api, see dashboard_api.go
-	router.GET("/api/serverinfo", httprouterBasicAuth(apiServerInfo))
-	router.GET("/api/proxy/tcp", httprouterBasicAuth(apiProxyTcp))
-	router.GET("/api/proxy/udp", httprouterBasicAuth(apiProxyUdp))
-	router.GET("/api/proxy/http", httprouterBasicAuth(apiProxyHttp))
-	router.GET("/api/proxy/https", httprouterBasicAuth(apiProxyHttps))
-	router.GET("/api/proxy/traffic/:name", httprouterBasicAuth(apiProxyTraffic))
+	router.GET("/api/serverinfo", frpNet.HttprouterBasicAuth(apiServerInfo, user, passwd))
+	router.GET("/api/proxy/tcp", frpNet.HttprouterBasicAuth(apiProxyTcp, user, passwd))
+	router.GET("/api/proxy/udp", frpNet.HttprouterBasicAuth(apiProxyUdp, user, passwd))
+	router.GET("/api/proxy/http", frpNet.HttprouterBasicAuth(apiProxyHttp, user, passwd))
+	router.GET("/api/proxy/https", frpNet.HttprouterBasicAuth(apiProxyHttps, user, passwd))
+	router.GET("/api/proxy/traffic/:name", frpNet.HttprouterBasicAuth(apiProxyTraffic, user, passwd))

 	// view
 	router.Handler("GET", "/favicon.ico", http.FileServer(assets.FileSystem))
-	router.Handler("GET", "/static/*filepath", basicAuthWraper(http.StripPrefix("/static/", http.FileServer(assets.FileSystem))))
-	router.HandlerFunc("GET", "/", basicAuth(func(w http.ResponseWriter, r *http.Request) {
+	router.Handler("GET", "/static/*filepath", frpNet.MakeHttpGzipHandler(
+		frpNet.NewHttpBasicAuthWraper(http.StripPrefix("/static/", http.FileServer(assets.FileSystem)), user, passwd)))
+
+	router.HandlerFunc("GET", "/", frpNet.HttpBasicAuth(func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/static/", http.StatusMovedPermanently)
-	}))
+	}, user, passwd))

 	address := fmt.Sprintf("%s:%d", addr, port)
 	server := &http.Server{
@@ -68,60 +73,3 @@ func RunDashboardServer(addr string, port int64) (err error) {
 	go server.Serve(ln)
 	return
 }
-
-func use(h http.HandlerFunc, middleware ...func(http.HandlerFunc) http.HandlerFunc) http.HandlerFunc {
-	for _, m := range middleware {
-		h = m(h)
-	}
-	return h
-}
-
-type AuthWraper struct {
-	h      http.Handler
-	user   string
-	passwd string
-}
-
-func (aw *AuthWraper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	user, passwd, hasAuth := r.BasicAuth()
-	if (aw.user == "" && aw.passwd == "") || (hasAuth && user == aw.user || passwd == aw.passwd) {
-		aw.h.ServeHTTP(w, r)
-	} else {
-		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-	}
-}
-
-func basicAuthWraper(h http.Handler) http.Handler {
-	return &AuthWraper{
-		h:      h,
-		user:   config.ServerCommonCfg.DashboardUser,
-		passwd: config.ServerCommonCfg.DashboardPwd,
-	}
-}
-
-func basicAuth(h http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		user, passwd, hasAuth := r.BasicAuth()
-		if (config.ServerCommonCfg.DashboardUser == "" && config.ServerCommonCfg.DashboardPwd == "") ||
-			(hasAuth && user == config.ServerCommonCfg.DashboardUser || passwd == config.ServerCommonCfg.DashboardPwd) {
-			h.ServeHTTP(w, r)
-		} else {
-			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-		}
-	}
-}
-
-func httprouterBasicAuth(h httprouter.Handle) httprouter.Handle {
-	return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-		user, passwd, hasAuth := r.BasicAuth()
-		if (config.ServerCommonCfg.DashboardUser == "" && config.ServerCommonCfg.DashboardPwd == "") ||
-			(hasAuth && user == config.ServerCommonCfg.DashboardUser || passwd == config.ServerCommonCfg.DashboardPwd) {
-			h(w, r, ps)
-		} else {
-			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-		}
-	}
-}
--- a/server/dashboard_api.go
+++ b/server/dashboard_api.go
@@ -21,6 +21,7 @@ import (
 	"github.com/fatedier/frp/models/config"
 	"github.com/fatedier/frp/models/consts"
 	"github.com/fatedier/frp/utils/log"
+	"github.com/fatedier/frp/utils/version"

 	"github.com/julienschmidt/httprouter"
 )
@@ -34,8 +35,9 @@ type GeneralResponse struct {
 type ServerInfoResp struct {
 	GeneralResponse

-	VhostHttpPort    int64  `json:"vhost_http_port"`
-	VhostHttpsPort   int64  `json:"vhost_https_port"`
+	Version          string `json:"version"`
+	VhostHttpPort    int    `json:"vhost_http_port"`
+	VhostHttpsPort   int    `json:"vhost_https_port"`
 	AuthTimeout      int64  `json:"auth_timeout"`
 	SubdomainHost    string `json:"subdomain_host"`
 	MaxPoolCount     int64  `json:"max_pool_count"`
@@ -61,6 +63,7 @@ func apiServerInfo(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
 	cfg := config.ServerCommonCfg
 	serverStats := StatsGetServer()
 	res = ServerInfoResp{
+		Version:          version.Full(),
 		VhostHttpPort:    cfg.VhostHttpPort,
 		VhostHttpsPort:   cfg.VhostHttpsPort,
 		AuthTimeout:      cfg.AuthTimeout,
@@ -86,6 +89,8 @@ type ProxyStatsInfo struct {
 	TodayTrafficIn  int64            `json:"today_traffic_in"`
 	TodayTrafficOut int64            `json:"today_traffic_out"`
 	CurConns        int64            `json:"cur_conns"`
+	LastStartTime   string           `json:"last_start_time"`
+	LastCloseTime   string           `json:"last_close_time"`
 	Status          string           `json:"status"`
 }

@@ -173,10 +178,12 @@ func getProxyStatsByType(proxyType string) (proxyInfos []*ProxyStatsInfo) {
 		} else {
 			proxyInfo.Status = consts.Offline
 		}
+		proxyInfo.Name = ps.Name
 		proxyInfo.TodayTrafficIn = ps.TodayTrafficIn
 		proxyInfo.TodayTrafficOut = ps.TodayTrafficOut
 		proxyInfo.CurConns = ps.CurConns
-		proxyInfo.Name = ps.Name
+		proxyInfo.LastStartTime = ps.LastStartTime
+		proxyInfo.LastCloseTime = ps.LastCloseTime
 		proxyInfos = append(proxyInfos, proxyInfo)
 	}
 	return
--- a/server/manager.go
+++ b/server/manager.go
@@ -16,7 +16,12 @@ package server

 import (
 	"fmt"
+	"io"
 	"sync"
+
+	frpIo "github.com/fatedier/frp/utils/io"
+	frpNet "github.com/fatedier/frp/utils/net"
+	"github.com/fatedier/frp/utils/util"
 )

 type ControlManager struct {
@@ -87,3 +92,72 @@ func (pm *ProxyManager) GetByName(name string) (pxy Proxy, ok bool) {
 	pxy, ok = pm.pxys[name]
 	return
 }
+
+// Manager for visitor listeners.
+type VisitorManager struct {
+	visitorListeners map[string]*frpNet.CustomListener
+	skMap            map[string]string
+
+	mu sync.RWMutex
+}
+
+func NewVisitorManager() *VisitorManager {
+	return &VisitorManager{
+		visitorListeners: make(map[string]*frpNet.CustomListener),
+		skMap:            make(map[string]string),
+	}
+}
+
+func (vm *VisitorManager) Listen(name string, sk string) (l *frpNet.CustomListener, err error) {
+	vm.mu.Lock()
+	defer vm.mu.Unlock()
+
+	if _, ok := vm.visitorListeners[name]; ok {
+		err = fmt.Errorf("custom listener for [%s] is repeated", name)
+		return
+	}
+
+	l = frpNet.NewCustomListener()
+	vm.visitorListeners[name] = l
+	vm.skMap[name] = sk
+	return
+}
+
+func (vm *VisitorManager) NewConn(name string, conn frpNet.Conn, timestamp int64, signKey string,
+	useEncryption bool, useCompression bool) (err error) {
+
+	vm.mu.RLock()
+	defer vm.mu.RUnlock()
+
+	if l, ok := vm.visitorListeners[name]; ok {
+		var sk string
+		if sk = vm.skMap[name]; util.GetAuthKey(sk, timestamp) != signKey {
+			err = fmt.Errorf("visitor connection of [%s] auth failed", name)
+			return
+		}
+
+		var rwc io.ReadWriteCloser = conn
+		if useEncryption {
+			if rwc, err = frpIo.WithEncryption(rwc, []byte(sk)); err != nil {
+				err = fmt.Errorf("create encryption connection failed: %v", err)
+				return
+			}
+		}
+		if useCompression {
+			rwc = frpIo.WithCompression(rwc)
+		}
+		err = l.PutConn(frpNet.WrapReadWriteCloserToConn(rwc, conn))
+	} else {
+		err = fmt.Errorf("custom listener for [%s] doesn't exist", name)
+		return
+	}
+	return
+}
+
+func (vm *VisitorManager) CloseListener(name string) {
+	vm.mu.Lock()
+	defer vm.mu.Unlock()
+
+	delete(vm.visitorListeners, name)
+	delete(vm.skMap, name)
+}
--- a/server/metric.go
+++ b/server/metric.go
@@ -16,8 +16,10 @@ package server

 import (
 	"sync"
+	"time"

 	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/utils/log"
 	"github.com/fatedier/frp/utils/metric"
 )

@@ -46,10 +48,13 @@ type ServerStatistics struct {
 }

 type ProxyStatistics struct {
-	ProxyType  string
-	TrafficIn  metric.DateCounter
-	TrafficOut metric.DateCounter
-	CurConns   metric.Counter
+	Name          string
+	ProxyType     string
+	TrafficIn     metric.DateCounter
+	TrafficOut    metric.DateCounter
+	CurConns      metric.Counter
+	LastStartTime time.Time
+	LastCloseTime time.Time
 }

 func init() {
@@ -63,6 +68,27 @@ func init() {

 		ProxyStatistics: make(map[string]*ProxyStatistics),
 	}
+
+	go func() {
+		for {
+			time.Sleep(12 * time.Hour)
+			log.Debug("start to clear useless proxy statistics data...")
+			StatsClearUselessInfo()
+			log.Debug("finish to clear useless proxy statistics data")
+		}
+	}()
+}
+
+func StatsClearUselessInfo() {
+	// To check if there are proxies that closed than 7 days and drop them.
+	globalStats.mu.Lock()
+	defer globalStats.mu.Unlock()
+	for name, data := range globalStats.ProxyStatistics {
+		if !data.LastCloseTime.IsZero() && time.Since(data.LastCloseTime) > time.Duration(7*24)*time.Hour {
+			delete(globalStats.ProxyStatistics, name)
+			log.Trace("clear proxy [%s]'s statistics data, lastCloseTime: [%s]", name, data.LastCloseTime.String())
+		}
+	}
 }

 func StatsNewClient() {
@@ -91,6 +117,7 @@ func StatsNewProxy(name string, proxyType string) {
 		proxyStats, ok := globalStats.ProxyStatistics[name]
 		if !(ok && proxyStats.ProxyType == proxyType) {
 			proxyStats = &ProxyStatistics{
+				Name:       name,
 				ProxyType:  proxyType,
 				CurConns:   metric.NewCounter(),
 				TrafficIn:  metric.NewDateCounter(ReserveDays),
@@ -98,16 +125,20 @@ func StatsNewProxy(name string, proxyType string) {
 			}
 			globalStats.ProxyStatistics[name] = proxyStats
 		}
+		proxyStats.LastStartTime = time.Now()
 	}
 }

-func StatsCloseProxy(proxyType string) {
+func StatsCloseProxy(proxyName string, proxyType string) {
 	if config.ServerCommonCfg.DashboardPort != 0 {
 		globalStats.mu.Lock()
 		defer globalStats.mu.Unlock()
 		if counter, ok := globalStats.ProxyTypeCounts[proxyType]; ok {
 			counter.Dec(1)
 		}
+		if proxyStats, ok := globalStats.ProxyStatistics[proxyName]; ok {
+			proxyStats.LastCloseTime = time.Now()
+		}
 	}
 }

@@ -199,6 +230,8 @@ type ProxyStats struct {
 	Type            string
 	TodayTrafficIn  int64
 	TodayTrafficOut int64
+	LastStartTime   string
+	LastCloseTime   string
 	CurConns        int64
 }

@@ -219,6 +252,12 @@ func StatsGetProxiesByType(proxyType string) []*ProxyStats {
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        proxyStats.CurConns.Count(),
 		}
+		if !proxyStats.LastStartTime.IsZero() {
+			ps.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
+		}
+		if !proxyStats.LastCloseTime.IsZero() {
+			ps.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
+		}
 		res = append(res, ps)
 	}
 	return res
--- a/server/nathole.go
+++ b/server/nathole.go
@@ -0,0 +1,182 @@
+package server
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/fatedier/frp/models/msg"
+	"github.com/fatedier/frp/utils/errors"
+	"github.com/fatedier/frp/utils/log"
+	"github.com/fatedier/frp/utils/pool"
+	"github.com/fatedier/frp/utils/util"
+)
+
+// Timeout seconds.
+var NatHoleTimeout int64 = 10
+
+type NatHoleController struct {
+	listener *net.UDPConn
+
+	clientCfgs map[string]*NatHoleClientCfg
+	sessions   map[string]*NatHoleSession
+
+	mu sync.RWMutex
+}
+
+func NewNatHoleController(udpBindAddr string) (nc *NatHoleController, err error) {
+	addr, err := net.ResolveUDPAddr("udp", udpBindAddr)
+	if err != nil {
+		return nil, err
+	}
+	lconn, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		return nil, err
+	}
+	nc = &NatHoleController{
+		listener:   lconn,
+		clientCfgs: make(map[string]*NatHoleClientCfg),
+		sessions:   make(map[string]*NatHoleSession),
+	}
+	return nc, nil
+}
+
+func (nc *NatHoleController) ListenClient(name string, sk string) (sidCh chan string) {
+	clientCfg := &NatHoleClientCfg{
+		Name:  name,
+		Sk:    sk,
+		SidCh: make(chan string),
+	}
+	nc.mu.Lock()
+	nc.clientCfgs[name] = clientCfg
+	nc.mu.Unlock()
+	return clientCfg.SidCh
+}
+
+func (nc *NatHoleController) CloseClient(name string) {
+	nc.mu.Lock()
+	defer nc.mu.Unlock()
+	delete(nc.clientCfgs, name)
+}
+
+func (nc *NatHoleController) Run() {
+	for {
+		buf := pool.GetBuf(1024)
+		n, raddr, err := nc.listener.ReadFromUDP(buf)
+		if err != nil {
+			log.Trace("nat hole listener read from udp error: %v", err)
+			return
+		}
+
+		rd := bytes.NewReader(buf[:n])
+		rawMsg, err := msg.ReadMsg(rd)
+		if err != nil {
+			log.Trace("read nat hole message error: %v", err)
+			continue
+		}
+
+		switch m := rawMsg.(type) {
+		case *msg.NatHoleVisitor:
+			go nc.HandleVisitor(m, raddr)
+		case *msg.NatHoleClient:
+			go nc.HandleClient(m, raddr)
+		default:
+			log.Trace("error nat hole message type")
+			continue
+		}
+		pool.PutBuf(buf)
+	}
+}
+
+func (nc *NatHoleController) GenSid() string {
+	t := time.Now().Unix()
+	id, _ := util.RandId()
+	return fmt.Sprintf("%d%s", t, id)
+}
+
+func (nc *NatHoleController) HandleVisitor(m *msg.NatHoleVisitor, raddr *net.UDPAddr) {
+	sid := nc.GenSid()
+	session := &NatHoleSession{
+		Sid:         sid,
+		VisitorAddr: raddr,
+		NotifyCh:    make(chan struct{}, 0),
+	}
+	nc.mu.Lock()
+	clientCfg, ok := nc.clientCfgs[m.ProxyName]
+	if !ok || m.SignKey != util.GetAuthKey(clientCfg.Sk, m.Timestamp) {
+		nc.mu.Unlock()
+		return
+	}
+	nc.sessions[sid] = session
+	nc.mu.Unlock()
+	log.Trace("handle visitor message, sid [%s]", sid)
+
+	defer func() {
+		nc.mu.Lock()
+		delete(nc.sessions, sid)
+		nc.mu.Unlock()
+	}()
+
+	err := errors.PanicToError(func() {
+		clientCfg.SidCh <- sid
+	})
+	if err != nil {
+		return
+	}
+
+	// Wait client connections.
+	select {
+	case <-session.NotifyCh:
+		resp := nc.GenNatHoleResponse(raddr, session)
+		log.Trace("send nat hole response to visitor")
+		nc.listener.WriteToUDP(resp, raddr)
+	case <-time.After(time.Duration(NatHoleTimeout) * time.Second):
+		return
+	}
+}
+
+func (nc *NatHoleController) HandleClient(m *msg.NatHoleClient, raddr *net.UDPAddr) {
+	nc.mu.RLock()
+	session, ok := nc.sessions[m.Sid]
+	nc.mu.RUnlock()
+	if !ok {
+		return
+	}
+	log.Trace("handle client message, sid [%s]", session.Sid)
+	session.ClientAddr = raddr
+	session.NotifyCh <- struct{}{}
+
+	resp := nc.GenNatHoleResponse(raddr, session)
+	log.Trace("send nat hole response to client")
+	nc.listener.WriteToUDP(resp, raddr)
+}
+
+func (nc *NatHoleController) GenNatHoleResponse(raddr *net.UDPAddr, session *NatHoleSession) []byte {
+	m := &msg.NatHoleResp{
+		Sid:         session.Sid,
+		VisitorAddr: session.VisitorAddr.String(),
+		ClientAddr:  session.ClientAddr.String(),
+	}
+	b := bytes.NewBuffer(nil)
+	err := msg.WriteMsg(b, m)
+	if err != nil {
+		return []byte("")
+	}
+	return b.Bytes()
+}
+
+type NatHoleSession struct {
+	Sid         string
+	VisitorAddr *net.UDPAddr
+	ClientAddr  *net.UDPAddr
+
+	NotifyCh chan struct{}
+}
+
+type NatHoleClientCfg struct {
+	Name  string
+	Sk    string
+	SidCh chan string
+}
--- a/server/ports.go
+++ b/server/ports.go
@@ -0,0 +1,180 @@
+package server
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"sync"
+	"time"
+)
+
+const (
+	MinPort                    = 1
+	MaxPort                    = 65535
+	MaxPortReservedDuration    = time.Duration(24) * time.Hour
+	CleanReservedPortsInterval = time.Hour
+)
+
+var (
+	ErrPortAlreadyUsed = errors.New("port already used")
+	ErrPortNotAllowed  = errors.New("port not allowed")
+	ErrPortUnAvailable = errors.New("port unavailable")
+	ErrNoAvailablePort = errors.New("no available port")
+)
+
+type PortCtx struct {
+	ProxyName  string
+	Port       int
+	Closed     bool
+	UpdateTime time.Time
+}
+
+type PortManager struct {
+	reservedPorts map[string]*PortCtx
+	usedPorts     map[int]*PortCtx
+	freePorts     map[int]struct{}
+
+	bindAddr string
+	netType  string
+	mu       sync.Mutex
+}
+
+func NewPortManager(netType string, bindAddr string, allowPorts map[int]struct{}) *PortManager {
+	pm := &PortManager{
+		reservedPorts: make(map[string]*PortCtx),
+		usedPorts:     make(map[int]*PortCtx),
+		freePorts:     make(map[int]struct{}),
+		bindAddr:      bindAddr,
+		netType:       netType,
+	}
+	if len(allowPorts) > 0 {
+		for port, _ := range allowPorts {
+			pm.freePorts[port] = struct{}{}
+		}
+	} else {
+		for i := MinPort; i <= MaxPort; i++ {
+			pm.freePorts[i] = struct{}{}
+		}
+	}
+	go pm.cleanReservedPortsWorker()
+	return pm
+}
+
+func (pm *PortManager) Acquire(name string, port int) (realPort int, err error) {
+	portCtx := &PortCtx{
+		ProxyName:  name,
+		Closed:     false,
+		UpdateTime: time.Now(),
+	}
+
+	var ok bool
+
+	pm.mu.Lock()
+	defer func() {
+		if err == nil {
+			portCtx.Port = realPort
+		}
+		pm.mu.Unlock()
+	}()
+
+	// check reserved ports first
+	if port == 0 {
+		if ctx, ok := pm.reservedPorts[name]; ok {
+			if pm.isPortAvailable(ctx.Port) {
+				realPort = ctx.Port
+				pm.usedPorts[realPort] = portCtx
+				pm.reservedPorts[name] = portCtx
+				delete(pm.freePorts, realPort)
+				return
+			}
+		}
+	}
+
+	if port == 0 {
+		// get random port
+		count := 0
+		maxTryTimes := 5
+		for k, _ := range pm.freePorts {
+			count++
+			if count > maxTryTimes {
+				break
+			}
+			if pm.isPortAvailable(k) {
+				realPort = k
+				pm.usedPorts[realPort] = portCtx
+				pm.reservedPorts[name] = portCtx
+				delete(pm.freePorts, realPort)
+				break
+			}
+		}
+		if realPort == 0 {
+			err = ErrNoAvailablePort
+		}
+	} else {
+		// specified port
+		if _, ok = pm.freePorts[port]; ok {
+			if pm.isPortAvailable(port) {
+				realPort = port
+				pm.usedPorts[realPort] = portCtx
+				pm.reservedPorts[name] = portCtx
+				delete(pm.freePorts, realPort)
+			} else {
+				err = ErrPortUnAvailable
+			}
+		} else {
+			if _, ok = pm.usedPorts[port]; ok {
+				err = ErrPortAlreadyUsed
+			} else {
+				err = ErrPortNotAllowed
+			}
+		}
+	}
+	return
+}
+
+func (pm *PortManager) isPortAvailable(port int) bool {
+	if pm.netType == "udp" {
+		addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pm.bindAddr, port))
+		if err != nil {
+			return false
+		}
+		l, err := net.ListenUDP("udp", addr)
+		if err != nil {
+			return false
+		}
+		l.Close()
+		return true
+	} else {
+		l, err := net.Listen(pm.netType, fmt.Sprintf("%s:%d", pm.bindAddr, port))
+		if err != nil {
+			return false
+		}
+		l.Close()
+		return true
+	}
+}
+
+func (pm *PortManager) Release(port int) {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+	if ctx, ok := pm.usedPorts[port]; ok {
+		pm.freePorts[port] = struct{}{}
+		delete(pm.usedPorts, port)
+		ctx.Closed = true
+		ctx.UpdateTime = time.Now()
+	}
+}
+
+// Release reserved port if it isn't used in last 24 hours.
+func (pm *PortManager) cleanReservedPortsWorker() {
+	for {
+		time.Sleep(CleanReservedPortsInterval)
+		pm.mu.Lock()
+		for name, ctx := range pm.reservedPorts {
+			if ctx.Closed && time.Since(ctx.UpdateTime) > MaxPortReservedDuration {
+				delete(pm.reservedPorts, name)
+			}
+		}
+		pm.mu.Unlock()
+	}
+}
--- a/server/proxy.go
+++ b/server/proxy.go
@@ -19,34 +19,39 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"strings"
 	"sync"
 	"time"

 	"github.com/fatedier/frp/models/config"
 	"github.com/fatedier/frp/models/msg"
-	"github.com/fatedier/frp/models/proto/tcp"
 	"github.com/fatedier/frp/models/proto/udp"
 	"github.com/fatedier/frp/utils/errors"
+	frpIo "github.com/fatedier/frp/utils/io"
 	"github.com/fatedier/frp/utils/log"
 	frpNet "github.com/fatedier/frp/utils/net"
+	"github.com/fatedier/frp/utils/util"
 	"github.com/fatedier/frp/utils/vhost"
 )

 type Proxy interface {
-	Run() error
+	Run() (remoteAddr string, err error)
 	GetControl() *Control
 	GetName() string
 	GetConf() config.ProxyConf
 	GetWorkConnFromPool() (workConn frpNet.Conn, err error)
+	GetUsedPortsNum() int
 	Close()
 	log.Logger
 }

 type BaseProxy struct {
-	name      string
-	ctl       *Control
-	listeners []frpNet.Listener
-	mu        sync.RWMutex
+	name         string
+	ctl          *Control
+	listeners    []frpNet.Listener
+	usedPortsNum int
+
+	mu sync.RWMutex
 	log.Logger
 }

@@ -58,6 +63,10 @@ func (pxy *BaseProxy) GetControl() *Control {
 	return pxy.ctl
 }

+func (pxy *BaseProxy) GetUsedPortsNum() int {
+	return pxy.usedPortsNum
+}
+
 func (pxy *BaseProxy) Close() {
 	pxy.Info("proxy closing")
 	for _, l := range pxy.listeners {
@@ -124,6 +133,7 @@ func NewProxy(ctl *Control, pxyConf config.ProxyConf) (pxy Proxy, err error) {
 	}
 	switch cfg := pxyConf.(type) {
 	case *config.TcpProxyConf:
+		basePxy.usedPortsNum = 1
 		pxy = &TcpProxy{
 			BaseProxy: basePxy,
 			cfg:       cfg,
@@ -139,10 +149,21 @@ func NewProxy(ctl *Control, pxyConf config.ProxyConf) (pxy Proxy, err error) {
 			cfg:       cfg,
 		}
 	case *config.UdpProxyConf:
+		basePxy.usedPortsNum = 1
 		pxy = &UdpProxy{
 			BaseProxy: basePxy,
 			cfg:       cfg,
 		}
+	case *config.StcpProxyConf:
+		pxy = &StcpProxy{
+			BaseProxy: basePxy,
+			cfg:       cfg,
+		}
+	case *config.XtcpProxyConf:
+		pxy = &XtcpProxy{
+			BaseProxy: basePxy,
+			cfg:       cfg,
+		}
 	default:
 		return pxy, fmt.Errorf("proxy type not support")
 	}
@@ -153,19 +174,34 @@ func NewProxy(ctl *Control, pxyConf config.ProxyConf) (pxy Proxy, err error) {
 type TcpProxy struct {
 	BaseProxy
 	cfg *config.TcpProxyConf
+
+	realPort int
 }

-func (pxy *TcpProxy) Run() error {
-	listener, err := frpNet.ListenTcp(config.ServerCommonCfg.BindAddr, pxy.cfg.RemotePort)
+func (pxy *TcpProxy) Run() (remoteAddr string, err error) {
+	pxy.realPort, err = pxy.ctl.svr.tcpPortManager.Acquire(pxy.name, pxy.cfg.RemotePort)
 	if err != nil {
-		return err
+		return
+	}
+	defer func() {
+		if err != nil {
+			pxy.ctl.svr.tcpPortManager.Release(pxy.realPort)
+		}
+	}()
+
+	remoteAddr = fmt.Sprintf(":%d", pxy.realPort)
+	pxy.cfg.RemotePort = pxy.realPort
+	listener, errRet := frpNet.ListenTcp(config.ServerCommonCfg.ProxyBindAddr, pxy.realPort)
+	if errRet != nil {
+		err = errRet
+		return
 	}
 	listener.AddLogPrefix(pxy.name)
 	pxy.listeners = append(pxy.listeners, listener)
 	pxy.Info("tcp proxy listen port [%d]", pxy.cfg.RemotePort)

 	pxy.startListenHandler(pxy, HandleUserTcpConnection)
-	return nil
+	return
 }

 func (pxy *TcpProxy) GetConf() config.ProxyConf {
@@ -174,35 +210,45 @@ func (pxy *TcpProxy) GetConf() config.ProxyConf {

 func (pxy *TcpProxy) Close() {
 	pxy.BaseProxy.Close()
+	pxy.ctl.svr.tcpPortManager.Release(pxy.realPort)
 }

 type HttpProxy struct {
 	BaseProxy
 	cfg *config.HttpProxyConf
+
+	closeFuncs []func()
 }

-func (pxy *HttpProxy) Run() (err error) {
-	routeConfig := &vhost.VhostRouteConfig{
-		RewriteHost: pxy.cfg.HostHeaderRewrite,
-		Username:    pxy.cfg.HttpUser,
-		Password:    pxy.cfg.HttpPwd,
+func (pxy *HttpProxy) Run() (remoteAddr string, err error) {
+	routeConfig := vhost.VhostRouteConfig{
+		RewriteHost:  pxy.cfg.HostHeaderRewrite,
+		Username:     pxy.cfg.HttpUser,
+		Password:     pxy.cfg.HttpPwd,
+		CreateConnFn: pxy.GetRealConn,
 	}

 	locations := pxy.cfg.Locations
 	if len(locations) == 0 {
 		locations = []string{""}
 	}
+
+	addrs := make([]string, 0)
 	for _, domain := range pxy.cfg.CustomDomains {
 		routeConfig.Domain = domain
 		for _, location := range locations {
 			routeConfig.Location = location
-			l, err := pxy.ctl.svr.VhostHttpMuxer.Listen(routeConfig)
+			err = pxy.ctl.svr.httpReverseProxy.Register(routeConfig)
 			if err != nil {
-				return err
+				return
 			}
-			l.AddLogPrefix(pxy.name)
+			tmpDomain := routeConfig.Domain
+			tmpLocation := routeConfig.Location
+			addrs = append(addrs, util.CanonicalAddr(tmpDomain, int(config.ServerCommonCfg.VhostHttpPort)))
+			pxy.closeFuncs = append(pxy.closeFuncs, func() {
+				pxy.ctl.svr.httpReverseProxy.UnRegister(tmpDomain, tmpLocation)
+			})
 			pxy.Info("http proxy listen for host [%s] location [%s]", routeConfig.Domain, routeConfig.Location)
-			pxy.listeners = append(pxy.listeners, l)
 		}
 	}

@@ -210,17 +256,20 @@ func (pxy *HttpProxy) Run() (err error) {
 		routeConfig.Domain = pxy.cfg.SubDomain + "." + config.ServerCommonCfg.SubDomainHost
 		for _, location := range locations {
 			routeConfig.Location = location
-			l, err := pxy.ctl.svr.VhostHttpMuxer.Listen(routeConfig)
+			err = pxy.ctl.svr.httpReverseProxy.Register(routeConfig)
 			if err != nil {
-				return err
+				return
 			}
-			l.AddLogPrefix(pxy.name)
+			tmpDomain := routeConfig.Domain
+			tmpLocation := routeConfig.Location
+			addrs = append(addrs, util.CanonicalAddr(tmpDomain, int(config.ServerCommonCfg.VhostHttpPort)))
+			pxy.closeFuncs = append(pxy.closeFuncs, func() {
+				pxy.ctl.svr.httpReverseProxy.UnRegister(tmpDomain, tmpLocation)
+			})
 			pxy.Info("http proxy listen for host [%s] location [%s]", routeConfig.Domain, routeConfig.Location)
-			pxy.listeners = append(pxy.listeners, l)
 		}
 	}
-
-	pxy.startListenHandler(pxy, HandleUserTcpConnection)
+	remoteAddr = strings.Join(addrs, ",")
 	return
 }

@@ -228,8 +277,42 @@ func (pxy *HttpProxy) GetConf() config.ProxyConf {
 	return pxy.cfg
 }

+func (pxy *HttpProxy) GetRealConn() (workConn frpNet.Conn, err error) {
+	tmpConn, errRet := pxy.GetWorkConnFromPool()
+	if errRet != nil {
+		err = errRet
+		return
+	}
+
+	var rwc io.ReadWriteCloser = tmpConn
+	if pxy.cfg.UseEncryption {
+		rwc, err = frpIo.WithEncryption(rwc, []byte(config.ServerCommonCfg.PrivilegeToken))
+		if err != nil {
+			pxy.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+	if pxy.cfg.UseCompression {
+		rwc = frpIo.WithCompression(rwc)
+	}
+	workConn = frpNet.WrapReadWriteCloserToConn(rwc, tmpConn)
+	workConn = frpNet.WrapStatsConn(workConn, pxy.updateStatsAfterClosedConn)
+	StatsOpenConnection(pxy.GetName())
+	return
+}
+
+func (pxy *HttpProxy) updateStatsAfterClosedConn(totalRead, totalWrite int64) {
+	name := pxy.GetName()
+	StatsCloseConnection(name)
+	StatsAddTrafficIn(name, totalWrite)
+	StatsAddTrafficOut(name, totalRead)
+}
+
 func (pxy *HttpProxy) Close() {
 	pxy.BaseProxy.Close()
+	for _, closeFn := range pxy.closeFuncs {
+		closeFn()
+	}
 }

 type HttpsProxy struct {
@@ -237,32 +320,38 @@ type HttpsProxy struct {
 	cfg *config.HttpsProxyConf
 }

-func (pxy *HttpsProxy) Run() (err error) {
+func (pxy *HttpsProxy) Run() (remoteAddr string, err error) {
 	routeConfig := &vhost.VhostRouteConfig{}

+	addrs := make([]string, 0)
 	for _, domain := range pxy.cfg.CustomDomains {
 		routeConfig.Domain = domain
-		l, err := pxy.ctl.svr.VhostHttpsMuxer.Listen(routeConfig)
-		if err != nil {
-			return err
+		l, errRet := pxy.ctl.svr.VhostHttpsMuxer.Listen(routeConfig)
+		if errRet != nil {
+			err = errRet
+			return
 		}
 		l.AddLogPrefix(pxy.name)
 		pxy.Info("https proxy listen for host [%s]", routeConfig.Domain)
 		pxy.listeners = append(pxy.listeners, l)
+		addrs = append(addrs, util.CanonicalAddr(routeConfig.Domain, int(config.ServerCommonCfg.VhostHttpsPort)))
 	}

 	if pxy.cfg.SubDomain != "" {
 		routeConfig.Domain = pxy.cfg.SubDomain + "." + config.ServerCommonCfg.SubDomainHost
-		l, err := pxy.ctl.svr.VhostHttpsMuxer.Listen(routeConfig)
-		if err != nil {
-			return err
+		l, errRet := pxy.ctl.svr.VhostHttpsMuxer.Listen(routeConfig)
+		if errRet != nil {
+			err = errRet
+			return
 		}
 		l.AddLogPrefix(pxy.name)
 		pxy.Info("https proxy listen for host [%s]", routeConfig.Domain)
 		pxy.listeners = append(pxy.listeners, l)
+		addrs = append(addrs, util.CanonicalAddr(routeConfig.Domain, int(config.ServerCommonCfg.VhostHttpsPort)))
 	}

 	pxy.startListenHandler(pxy, HandleUserTcpConnection)
+	remoteAddr = strings.Join(addrs, ",")
 	return
 }

@@ -274,10 +363,89 @@ func (pxy *HttpsProxy) Close() {
 	pxy.BaseProxy.Close()
 }

+type StcpProxy struct {
+	BaseProxy
+	cfg *config.StcpProxyConf
+}
+
+func (pxy *StcpProxy) Run() (remoteAddr string, err error) {
+	listener, errRet := pxy.ctl.svr.visitorManager.Listen(pxy.GetName(), pxy.cfg.Sk)
+	if errRet != nil {
+		err = errRet
+		return
+	}
+	listener.AddLogPrefix(pxy.name)
+	pxy.listeners = append(pxy.listeners, listener)
+	pxy.Info("stcp proxy custom listen success")
+
+	pxy.startListenHandler(pxy, HandleUserTcpConnection)
+	return
+}
+
+func (pxy *StcpProxy) GetConf() config.ProxyConf {
+	return pxy.cfg
+}
+
+func (pxy *StcpProxy) Close() {
+	pxy.BaseProxy.Close()
+	pxy.ctl.svr.visitorManager.CloseListener(pxy.GetName())
+}
+
+type XtcpProxy struct {
+	BaseProxy
+	cfg *config.XtcpProxyConf
+
+	closeCh chan struct{}
+}
+
+func (pxy *XtcpProxy) Run() (remoteAddr string, err error) {
+	if pxy.ctl.svr.natHoleController == nil {
+		pxy.Error("udp port for xtcp is not specified.")
+		err = fmt.Errorf("xtcp is not supported in frps")
+		return
+	}
+	sidCh := pxy.ctl.svr.natHoleController.ListenClient(pxy.GetName(), pxy.cfg.Sk)
+	go func() {
+		for {
+			select {
+			case <-pxy.closeCh:
+				break
+			case sid := <-sidCh:
+				workConn, errRet := pxy.GetWorkConnFromPool()
+				if errRet != nil {
+					continue
+				}
+				m := &msg.NatHoleSid{
+					Sid: sid,
+				}
+				errRet = msg.WriteMsg(workConn, m)
+				if errRet != nil {
+					pxy.Warn("write nat hole sid package error, %v", errRet)
+				}
+			}
+		}
+	}()
+	return
+}
+
+func (pxy *XtcpProxy) GetConf() config.ProxyConf {
+	return pxy.cfg
+}
+
+func (pxy *XtcpProxy) Close() {
+	pxy.BaseProxy.Close()
+	pxy.ctl.svr.natHoleController.CloseClient(pxy.GetName())
+	errors.PanicToError(func() {
+		close(pxy.closeCh)
+	})
+}
+
 type UdpProxy struct {
 	BaseProxy
 	cfg *config.UdpProxyConf

+	realPort int
+
 	// udpConn is the listener of udp packages
 	udpConn *net.UDPConn

@@ -297,15 +465,29 @@ type UdpProxy struct {
 	isClosed bool
 }

-func (pxy *UdpProxy) Run() (err error) {
-	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", config.ServerCommonCfg.BindAddr, pxy.cfg.RemotePort))
+func (pxy *UdpProxy) Run() (remoteAddr string, err error) {
+	pxy.realPort, err = pxy.ctl.svr.udpPortManager.Acquire(pxy.name, pxy.cfg.RemotePort)
 	if err != nil {
-		return err
+		return
 	}
-	udpConn, err := net.ListenUDP("udp", addr)
-	if err != nil {
+	defer func() {
+		if err != nil {
+			pxy.ctl.svr.udpPortManager.Release(pxy.realPort)
+		}
+	}()
+
+	remoteAddr = fmt.Sprintf(":%d", pxy.realPort)
+	pxy.cfg.RemotePort = pxy.realPort
+	addr, errRet := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", config.ServerCommonCfg.ProxyBindAddr, pxy.realPort))
+	if errRet != nil {
+		err = errRet
+		return
+	}
+	udpConn, errRet := net.ListenUDP("udp", addr)
+	if errRet != nil {
+		err = errRet
 		pxy.Warn("listen udp port error: %v", err)
-		return err
+		return
 	}
 	pxy.Info("udp proxy listen port [%d]", pxy.cfg.RemotePort)

@@ -420,7 +602,7 @@ func (pxy *UdpProxy) Run() (err error) {
 		udp.ForwardUserConn(udpConn, pxy.readCh, pxy.sendCh)
 		pxy.Close()
 	}()
-	return nil
+	return remoteAddr, nil
 }

 func (pxy *UdpProxy) GetConf() config.ProxyConf {
@@ -444,6 +626,7 @@ func (pxy *UdpProxy) Close() {
 		close(pxy.readCh)
 		close(pxy.sendCh)
 	}
+	pxy.ctl.svr.udpPortManager.Release(pxy.realPort)
 }

 // HandleUserTcpConnection is used for incoming tcp user connections.
@@ -461,20 +644,20 @@ func HandleUserTcpConnection(pxy Proxy, userConn frpNet.Conn) {
 	var local io.ReadWriteCloser = workConn
 	cfg := pxy.GetConf().GetBaseInfo()
 	if cfg.UseEncryption {
-		local, err = tcp.WithEncryption(local, []byte(config.ServerCommonCfg.PrivilegeToken))
+		local, err = frpIo.WithEncryption(local, []byte(config.ServerCommonCfg.PrivilegeToken))
 		if err != nil {
 			pxy.Error("create encryption stream error: %v", err)
 			return
 		}
 	}
 	if cfg.UseCompression {
-		local = tcp.WithCompression(local)
+		local = frpIo.WithCompression(local)
 	}
 	pxy.Debug("join connections, workConn(l[%s] r[%s]) userConn(l[%s] r[%s])", workConn.LocalAddr().String(),
 		workConn.RemoteAddr().String(), userConn.LocalAddr().String(), userConn.RemoteAddr().String())

 	StatsOpenConnection(pxy.GetName())
-	inCount, outCount := tcp.Join(local, userConn)
+	inCount, outCount := frpIo.Join(local, userConn)
 	StatsCloseConnection(pxy.GetName())
 	StatsAddTrafficIn(pxy.GetName(), inCount)
 	StatsAddTrafficOut(pxy.GetName(), outCount)
--- a/server/service.go
+++ b/server/service.go
@@ -16,6 +16,8 @@ package server

 import (
 	"fmt"
+	"net"
+	"net/http"
 	"time"

 	"github.com/fatedier/frp/assets"
@@ -41,58 +43,92 @@ type Service struct {
 	// Accept connections from client.
 	listener frpNet.Listener

-	// For http proxies, route requests to different clients by hostname and other infomation.
-	VhostHttpMuxer *vhost.HttpMuxer
+	// Accept connections using kcp.
+	kcpListener frpNet.Listener

 	// For https proxies, route requests to different clients by hostname and other infomation.
 	VhostHttpsMuxer *vhost.HttpsMuxer

+	httpReverseProxy *vhost.HttpReverseProxy
+
 	// Manage all controllers.
 	ctlManager *ControlManager

 	// Manage all proxies.
 	pxyManager *ProxyManager
+
+	// Manage all visitor listeners.
+	visitorManager *VisitorManager
+
+	// Manage all tcp ports.
+	tcpPortManager *PortManager
+
+	// Manage all udp ports.
+	udpPortManager *PortManager
+
+	// Controller for nat hole connections.
+	natHoleController *NatHoleController
 }

 func NewService() (svr *Service, err error) {
+	cfg := config.ServerCommonCfg
 	svr = &Service{
-		ctlManager: NewControlManager(),
-		pxyManager: NewProxyManager(),
+		ctlManager:     NewControlManager(),
+		pxyManager:     NewProxyManager(),
+		visitorManager: NewVisitorManager(),
+		tcpPortManager: NewPortManager("tcp", cfg.ProxyBindAddr, cfg.PrivilegeAllowPorts),
+		udpPortManager: NewPortManager("udp", cfg.ProxyBindAddr, cfg.PrivilegeAllowPorts),
 	}

 	// Init assets.
-	err = assets.Load(config.ServerCommonCfg.AssetsDir)
+	err = assets.Load(cfg.AssetsDir)
 	if err != nil {
 		err = fmt.Errorf("Load assets error: %v", err)
 		return
 	}

 	// Listen for accepting connections from client.
-	svr.listener, err = frpNet.ListenTcp(config.ServerCommonCfg.BindAddr, config.ServerCommonCfg.BindPort)
+	svr.listener, err = frpNet.ListenTcp(cfg.BindAddr, cfg.BindPort)
 	if err != nil {
 		err = fmt.Errorf("Create server listener error, %v", err)
 		return
 	}
+	log.Info("frps tcp listen on %s:%d", cfg.BindAddr, cfg.BindPort)
+
+	// Listen for accepting connections from client using kcp protocol.
+	if cfg.KcpBindPort > 0 {
+		svr.kcpListener, err = frpNet.ListenKcp(cfg.BindAddr, cfg.KcpBindPort)
+		if err != nil {
+			err = fmt.Errorf("Listen on kcp address udp [%s:%d] error: %v", cfg.BindAddr, cfg.KcpBindPort, err)
+			return
+		}
+		log.Info("frps kcp listen on udp %s:%d", cfg.BindAddr, cfg.KcpBindPort)
+	}

 	// Create http vhost muxer.
-	if config.ServerCommonCfg.VhostHttpPort != 0 {
-		var l frpNet.Listener
-		l, err = frpNet.ListenTcp(config.ServerCommonCfg.BindAddr, config.ServerCommonCfg.VhostHttpPort)
+	if cfg.VhostHttpPort > 0 {
+		rp := vhost.NewHttpReverseProxy()
+		svr.httpReverseProxy = rp
+
+		address := fmt.Sprintf("%s:%d", cfg.ProxyBindAddr, cfg.VhostHttpPort)
+		server := &http.Server{
+			Addr:    address,
+			Handler: rp,
+		}
+		var l net.Listener
+		l, err = net.Listen("tcp", address)
 		if err != nil {
 			err = fmt.Errorf("Create vhost http listener error, %v", err)
 			return
 		}
-		svr.VhostHttpMuxer, err = vhost.NewHttpMuxer(l, 30*time.Second)
-		if err != nil {
-			err = fmt.Errorf("Create vhost httpMuxer error, %v", err)
-			return
-		}
+		go server.Serve(l)
+		log.Info("http service listen on %s:%d", cfg.ProxyBindAddr, cfg.VhostHttpPort)
 	}

 	// Create https vhost muxer.
-	if config.ServerCommonCfg.VhostHttpsPort != 0 {
+	if cfg.VhostHttpsPort > 0 {
 		var l frpNet.Listener
-		l, err = frpNet.ListenTcp(config.ServerCommonCfg.BindAddr, config.ServerCommonCfg.VhostHttpsPort)
+		l, err = frpNet.ListenTcp(cfg.ProxyBindAddr, cfg.VhostHttpsPort)
 		if err != nil {
 			err = fmt.Errorf("Create vhost https listener error, %v", err)
 			return
@@ -102,24 +138,49 @@ func NewService() (svr *Service, err error) {
 			err = fmt.Errorf("Create vhost httpsMuxer error, %v", err)
 			return
 		}
+		log.Info("https service listen on %s:%d", cfg.ProxyBindAddr, cfg.VhostHttpsPort)
+	}
+
+	// Create nat hole controller.
+	if cfg.BindUdpPort > 0 {
+		var nc *NatHoleController
+		addr := fmt.Sprintf("%s:%d", cfg.BindAddr, cfg.BindUdpPort)
+		nc, err = NewNatHoleController(addr)
+		if err != nil {
+			err = fmt.Errorf("Create nat hole controller error, %v", err)
+			return
+		}
+		svr.natHoleController = nc
+		log.Info("nat hole udp service listen on %s:%d", cfg.BindAddr, cfg.BindUdpPort)
 	}

 	// Create dashboard web server.
-	if config.ServerCommonCfg.DashboardPort != 0 {
-		err = RunDashboardServer(config.ServerCommonCfg.BindAddr, config.ServerCommonCfg.DashboardPort)
+	if cfg.DashboardPort > 0 {
+		err = RunDashboardServer(cfg.DashboardAddr, cfg.DashboardPort)
 		if err != nil {
 			err = fmt.Errorf("Create dashboard web server error, %v", err)
 			return
 		}
-		log.Info("Dashboard listen on %s:%d", config.ServerCommonCfg.BindAddr, config.ServerCommonCfg.DashboardPort)
+		log.Info("Dashboard listen on %s:%d", cfg.DashboardAddr, cfg.DashboardPort)
 	}
 	return
 }

 func (svr *Service) Run() {
+	if svr.natHoleController != nil {
+		go svr.natHoleController.Run()
+	}
+	if config.ServerCommonCfg.KcpBindPort > 0 {
+		go svr.HandleListener(svr.kcpListener)
+	}
+	svr.HandleListener(svr.listener)
+
+}
+
+func (svr *Service) HandleListener(l frpNet.Listener) {
 	// Listen for incoming connections from client.
 	for {
-		c, err := svr.listener.Accept()
+		c, err := l.Accept()
 		if err != nil {
 			log.Warn("Listener for incoming connections from client closed")
 			return
@@ -131,7 +192,7 @@ func (svr *Service) Run() {
 				var rawMsg msg.Message
 				conn.SetReadDeadline(time.Now().Add(connReadTimeout))
 				if rawMsg, err = msg.ReadMsg(conn); err != nil {
-					log.Warn("Failed to read message: %v", err)
+					log.Trace("Failed to read message: %v", err)
 					conn.Close()
 					return
 				}
@@ -152,6 +213,20 @@ func (svr *Service) Run() {
 					}
 				case *msg.NewWorkConn:
 					svr.RegisterWorkConn(conn, m)
+				case *msg.NewVisitorConn:
+					if err = svr.RegisterVisitorConn(conn, m); err != nil {
+						conn.Warn("%v", err)
+						msg.WriteMsg(conn, &msg.NewVisitorConnResp{
+							ProxyName: m.ProxyName,
+							Error:     err.Error(),
+						})
+						conn.Close()
+					} else {
+						msg.WriteMsg(conn, &msg.NewVisitorConnResp{
+							ProxyName: m.ProxyName,
+							Error:     "",
+						})
+					}
 				default:
 					log.Warn("Error message type for the new connection [%s]", conn.RemoteAddr().String())
 					conn.Close()
@@ -216,7 +291,7 @@ func (svr *Service) RegisterControl(ctlConn frpNet.Conn, loginMsg *msg.Login) (e
 	ctl := NewControl(svr, ctlConn, loginMsg)

 	if oldCtl := svr.ctlManager.Add(loginMsg.RunId, ctl); oldCtl != nil {
-		oldCtl.allShutdown.WaitDown()
+		oldCtl.allShutdown.WaitDone()
 	}

 	ctlConn.AddLogPrefix(loginMsg.RunId)
@@ -238,9 +313,13 @@ func (svr *Service) RegisterWorkConn(workConn frpNet.Conn, newMsg *msg.NewWorkCo
 	return
 }

+func (svr *Service) RegisterVisitorConn(visitorConn frpNet.Conn, newMsg *msg.NewVisitorConn) error {
+	return svr.visitorManager.NewConn(newMsg.ProxyName, visitorConn, newMsg.Timestamp, newMsg.SignKey,
+		newMsg.UseEncryption, newMsg.UseCompression)
+}
+
 func (svr *Service) RegisterProxy(name string, pxy Proxy) error {
-	err := svr.pxyManager.Add(name, pxy)
-	return err
+	return svr.pxyManager.Add(name, pxy)
 }

 func (svr *Service) DelProxy(name string) {
--- a/tests/clean_test.sh
+++ b/tests/clean_test.sh
@@ -10,5 +10,11 @@ if [ -n "${pid}" ]; then
    kill ${pid}
 fi

+pid=`ps aux|grep './../bin/frpc -c ./conf/auto_test_frpc_visitor.ini'|grep -v grep|awk {'print $2'}`
+if [ -n "${pid}" ]; then
+    kill ${pid}
+fi
+
 rm -f ./frps.log
 rm -f ./frpc.log
+rm -f ./frpc_visitor.log
--- a/tests/conf/auto_test_frpc.ini
+++ b/tests/conf/auto_test_frpc.ini
@@ -1,29 +1,169 @@
 [common]
-server_addr = 0.0.0.0
+server_addr = 127.0.0.1
 server_port = 10700
 log_file = ./frpc.log
 # debug, info, warn, error
 log_level = debug
 privilege_token = 123456
+admin_port = 10600
+admin_user = abc
+admin_pwd = abc

-[echo]
+[tcp_normal]
 type = tcp
 local_ip = 127.0.0.1
 local_port = 10701
-remote_port = 10711
-use_encryption = true
-use_compression  = true
+remote_port = 10801

-[web]
-type = http
+[tcp_ec]
+type = tcp
 local_ip = 127.0.0.1
-local_port = 10702
+local_port = 10701
+remote_port = 10901
 use_encryption = true
 use_compression = true
-custom_domains = 127.0.0.1

-[udp]
+[udp_normal]
 type = udp
 local_ip = 127.0.0.1
-local_port = 10703
-remote_port = 10712
+local_port = 10702
+remote_port = 10802
+
+[udp_ec]
+type = udp
+local_ip = 127.0.0.1
+local_port = 10702
+remote_port = 10902
+use_encryption = true
+use_compression = true
+
+[unix_domain]
+type = tcp
+remote_port = 10803
+plugin = unix_domain_socket
+plugin_unix_path = /tmp/frp_echo_server.sock
+
+[stcp]
+type = stcp
+sk = abcdefg
+local_ip = 127.0.0.1
+local_port = 10701
+
+[stcp_ec]
+type = stcp
+sk = abc
+local_ip = 127.0.0.1
+local_port = 10701
+use_encryption = true
+use_compression = true
+
+[web01]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+custom_domains = 127.0.0.1
+
+[web02]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+custom_domains = test2.frp.com
+host_header_rewrite = test2.frp.com
+use_encryption = true
+use_compression = true
+
+[web03]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+custom_domains = test3.frp.com
+use_encryption = true
+use_compression = true
+host_header_rewrite = test3.frp.com
+locations = /,/foo
+
+[web04]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+custom_domains = test3.frp.com
+use_encryption = true
+use_compression = true
+host_header_rewrite = test3.frp.com
+locations = /bar
+
+[web05]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+custom_domains = test5.frp.com
+host_header_rewrite = test5.frp.com
+use_encryption = true
+use_compression = true
+http_user = test
+http_user = test
+
+[subhost01]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+subdomain = test01
+
+[subhost02]
+type = http
+local_ip = 127.0.0.1
+local_port = 10704
+subdomain = test02
+
+[tcp_port_not_allowed]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 10701
+remote_port = 20001
+
+[tcp_port_unavailable]
+type =tcp
+local_ip = 127.0.0.1
+local_port = 10701
+remote_port = 10700
+
+[tcp_port_normal]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 10701
+remote_port = 20002
+
+[tcp_random_port]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 10701
+remote_port = 0
+
+[udp_port_not_allowed]
+type = udp
+local_ip = 127.0.0.1
+local_port = 10702
+remote_port = 20001
+
+[udp_port_normal]
+type = udp
+local_ip = 127.0.0.1
+local_port = 10702
+remote_port = 20002
+
+[udp_random_port]
+type = udp
+local_ip = 127.0.0.1
+local_port = 10702
+remote_port = 0
+
+[http_proxy]
+type = tcp
+plugin = http_proxy
+remote_port = 0
+
+[range:range_tcp]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 30000-30001,30003
+remote_port = 30000-30001,30003
--- a/tests/conf/auto_test_frpc_visitor.ini
+++ b/tests/conf/auto_test_frpc_visitor.ini
@@ -0,0 +1,25 @@
+[common]
+server_addr = 0.0.0.0
+server_port = 10700
+log_file = ./frpc_visitor.log
+# debug, info, warn, error
+log_level = debug
+privilege_token = 123456
+
+[stcp_visitor]
+type = stcp
+role = visitor
+server_name = stcp
+sk = abcdefg
+bind_addr = 127.0.0.1
+bind_port = 10805
+
+[stcp_ec_visitor]
+type = stcp
+role = visitor
+server_name = stcp_ec
+sk = abc
+bind_addr = 127.0.0.1
+bind_port = 10905
+use_encryption = true
+use_compression = true
--- a/tests/conf/auto_test_frps.ini
+++ b/tests/conf/auto_test_frps.ini
@@ -1,7 +1,9 @@
 [common]
 bind_addr = 0.0.0.0
 bind_port = 10700
-vhost_http_port = 10710
+vhost_http_port = 10804
 log_file = ./frps.log
 log_level = debug
 privilege_token = 123456
+privilege_allow_ports = 10000-20000,20002,30000-50000
+subdomain_host = sub.com
--- a/tests/echo_server.go
+++ b/tests/echo_server.go
@@ -1,15 +1,17 @@
 package tests

 import (
-	"bufio"
 	"fmt"
 	"io"
+	"net"
+	"os"
+	"syscall"

-	"github.com/fatedier/frp/utils/net"
+	frpNet "github.com/fatedier/frp/utils/net"
 )

-func StartEchoServer() {
-	l, err := net.ListenTcp("127.0.0.1", 10701)
+func StartTcpEchoServer() {
+	l, err := frpNet.ListenTcp("127.0.0.1", TEST_TCP_PORT)
 	if err != nil {
 		fmt.Printf("echo server listen error: %v\n", err)
 		return
@@ -27,7 +29,7 @@ func StartEchoServer() {
 }

 func StartUdpEchoServer() {
-	l, err := net.ListenUDP("127.0.0.1", 10703)
+	l, err := frpNet.ListenUDP("127.0.0.1", TEST_UDP_PORT)
 	if err != nil {
 		fmt.Printf("udp echo server listen error: %v\n", err)
 		return
@@ -44,18 +46,42 @@ func StartUdpEchoServer() {
 	}
 }

-func echoWorker(c net.Conn) {
-	br := bufio.NewReader(c)
+func StartUnixDomainServer() {
+	unixPath := TEST_UNIX_DOMAIN_ADDR
+	os.Remove(unixPath)
+	syscall.Umask(0)
+	l, err := net.Listen("unix", unixPath)
+	if err != nil {
+		fmt.Printf("unix domain server listen error: %v\n", err)
+		return
+	}
+
 	for {
-		buf, err := br.ReadString('\n')
-		if err == io.EOF {
-			break
-		}
+		c, err := l.Accept()
 		if err != nil {
-			fmt.Printf("echo server read error: %v\n", err)
+			fmt.Printf("unix domain server accept error: %v\n", err)
 			return
 		}

-		c.Write([]byte(buf + "\n"))
+		go echoWorker(c)
+	}
+}
+
+func echoWorker(c net.Conn) {
+	buf := make([]byte, 2048)
+
+	for {
+		n, err := c.Read(buf)
+		if err != nil {
+			if err == io.EOF {
+				c.Close()
+				break
+			} else {
+				fmt.Printf("echo server read error: %v\n", err)
+				return
+			}
+		}
+
+		c.Write(buf[:n])
 	}
 }
--- a/tests/func_test.go
+++ b/tests/func_test.go
@@ -1,97 +1,301 @@
 package tests

 import (
-	"bufio"
-	"bytes"
 	"fmt"
-	"io/ioutil"
-	"net"
-	"net/http"
+	"net/url"
 	"strings"
 	"testing"
 	"time"

-	frpNet "github.com/fatedier/frp/utils/net"
+	"github.com/gorilla/websocket"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/fatedier/frp/client"
+	"github.com/fatedier/frp/server"
+	"github.com/fatedier/frp/utils/net"
 )

 var (
-	ECHO_PORT     int64  = 10711
-	UDP_ECHO_PORT int64  = 10712
-	HTTP_PORT     int64  = 10710
-	ECHO_TEST_STR string = "Hello World\n"
-	HTTP_RES_STR  string = "Hello World"
+	SERVER_ADDR = "127.0.0.1"
+	ADMIN_ADDR  = "127.0.0.1:10600"
+	ADMIN_USER  = "abc"
+	ADMIN_PWD   = "abc"
+
+	TEST_STR                    = "frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet."
+	TEST_TCP_PORT        int    = 10701
+	TEST_TCP_FRP_PORT    int    = 10801
+	TEST_TCP_EC_FRP_PORT int    = 10901
+	TEST_TCP_ECHO_STR    string = "tcp type:" + TEST_STR
+
+	TEST_UDP_PORT        int    = 10702
+	TEST_UDP_FRP_PORT    int    = 10802
+	TEST_UDP_EC_FRP_PORT int    = 10902
+	TEST_UDP_ECHO_STR    string = "udp type:" + TEST_STR
+
+	TEST_UNIX_DOMAIN_ADDR     string = "/tmp/frp_echo_server.sock"
+	TEST_UNIX_DOMAIN_FRP_PORT int    = 10803
+	TEST_UNIX_DOMAIN_STR      string = "unix domain type:" + TEST_STR
+
+	TEST_HTTP_PORT       int    = 10704
+	TEST_HTTP_FRP_PORT   int    = 10804
+	TEST_HTTP_NORMAL_STR string = "http normal string: " + TEST_STR
+	TEST_HTTP_FOO_STR    string = "http foo string: " + TEST_STR
+	TEST_HTTP_BAR_STR    string = "http bar string: " + TEST_STR
+
+	TEST_STCP_FRP_PORT    int    = 10805
+	TEST_STCP_EC_FRP_PORT int    = 10905
+	TEST_STCP_ECHO_STR    string = "stcp type:" + TEST_STR
+
+	ProxyTcpPortNotAllowed  string = "tcp_port_not_allowed"
+	ProxyTcpPortUnavailable string = "tcp_port_unavailable"
+	ProxyTcpPortNormal      string = "tcp_port_normal"
+	ProxyTcpRandomPort      string = "tcp_random_port"
+	ProxyUdpPortNotAllowed  string = "udp_port_not_allowed"
+	ProxyUdpPortNormal      string = "udp_port_normal"
+	ProxyUdpRandomPort      string = "udp_random_port"
+	ProxyHttpProxy          string = "http_proxy"
+
+	ProxyRangeTcpPrefix string = "range_tcp"
 )

 func init() {
-	go StartEchoServer()
+	go StartTcpEchoServer()
 	go StartUdpEchoServer()
+	go StartUnixDomainServer()
 	go StartHttpServer()
 	time.Sleep(500 * time.Millisecond)
 }

-func TestEchoServer(t *testing.T) {
-	c, err := frpNet.ConnectTcpServer(fmt.Sprintf("127.0.0.1:%d", ECHO_PORT))
-	if err != nil {
-		t.Fatalf("connect to echo server error: %v", err)
-	}
-	timer := time.Now().Add(time.Duration(5) * time.Second)
-	c.SetDeadline(timer)
+func TestTcp(t *testing.T) {
+	assert := assert.New(t)
+	// Normal
+	addr := fmt.Sprintf("127.0.0.1:%d", TEST_TCP_FRP_PORT)
+	res, err := sendTcpMsg(addr, TEST_TCP_ECHO_STR)
+	assert.NoError(err)
+	assert.Equal(TEST_TCP_ECHO_STR, res)

-	c.Write([]byte(ECHO_TEST_STR + "\n"))
+	// Encrytion and compression
+	addr = fmt.Sprintf("127.0.0.1:%d", TEST_TCP_EC_FRP_PORT)
+	res, err = sendTcpMsg(addr, TEST_TCP_ECHO_STR)
+	assert.NoError(err)
+	assert.Equal(TEST_TCP_ECHO_STR, res)
+}

-	br := bufio.NewReader(c)
-	buf, err := br.ReadString('\n')
-	if err != nil {
-		t.Fatalf("read from echo server error: %v", err)
-	}
+func TestUdp(t *testing.T) {
+	assert := assert.New(t)
+	// Normal
+	addr := fmt.Sprintf("127.0.0.1:%d", TEST_UDP_FRP_PORT)
+	res, err := sendUdpMsg(addr, TEST_UDP_ECHO_STR)
+	assert.NoError(err)
+	assert.Equal(TEST_UDP_ECHO_STR, res)

-	if ECHO_TEST_STR != buf {
-		t.Fatalf("content error, send [%s], get [%s]", strings.Trim(ECHO_TEST_STR, "\n"), strings.Trim(buf, "\n"))
+	// Encrytion and compression
+	addr = fmt.Sprintf("127.0.0.1:%d", TEST_UDP_EC_FRP_PORT)
+	res, err = sendUdpMsg(addr, TEST_UDP_ECHO_STR)
+	assert.NoError(err)
+	assert.Equal(TEST_UDP_ECHO_STR, res)
+}
+
+func TestUnixDomain(t *testing.T) {
+	assert := assert.New(t)
+	// Normal
+	addr := fmt.Sprintf("127.0.0.1:%d", TEST_UNIX_DOMAIN_FRP_PORT)
+	res, err := sendTcpMsg(addr, TEST_UNIX_DOMAIN_STR)
+	if assert.NoError(err) {
+		assert.Equal(TEST_UNIX_DOMAIN_STR, res)
 	}
 }

-func TestHttpServer(t *testing.T) {
-	client := &http.Client{}
-	req, _ := http.NewRequest("GET", fmt.Sprintf("http://127.0.0.1:%d", HTTP_PORT), nil)
-	res, err := client.Do(req)
-	if err != nil {
-		t.Fatalf("do http request error: %v", err)
+func TestStcp(t *testing.T) {
+	assert := assert.New(t)
+	// Normal
+	addr := fmt.Sprintf("127.0.0.1:%d", TEST_STCP_FRP_PORT)
+	res, err := sendTcpMsg(addr, TEST_STCP_ECHO_STR)
+	if assert.NoError(err) {
+		assert.Equal(TEST_STCP_ECHO_STR, res)
 	}
-	if res.StatusCode == 200 {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			t.Fatalf("read from http server error: %v", err)
+
+	// Encrytion and compression
+	addr = fmt.Sprintf("127.0.0.1:%d", TEST_STCP_EC_FRP_PORT)
+	res, err = sendTcpMsg(addr, TEST_STCP_ECHO_STR)
+	if assert.NoError(err) {
+		assert.Equal(TEST_STCP_ECHO_STR, res)
+	}
+}
+
+func TestHttp(t *testing.T) {
+	assert := assert.New(t)
+	// web01
+	code, body, err := sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal(TEST_HTTP_NORMAL_STR, body)
+	}
+
+	// web02
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "test2.frp.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal(TEST_HTTP_NORMAL_STR, body)
+	}
+
+	// error host header
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "errorhost.frp.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(404, code)
+	}
+
+	// web03
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "test3.frp.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal(TEST_HTTP_NORMAL_STR, body)
+	}
+
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d/foo", TEST_HTTP_FRP_PORT), "test3.frp.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal(TEST_HTTP_FOO_STR, body)
+	}
+
+	// web04
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d/bar", TEST_HTTP_FRP_PORT), "test3.frp.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal(TEST_HTTP_BAR_STR, body)
+	}
+
+	// web05
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "test5.frp.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(401, code)
+	}
+
+	header := make(map[string]string)
+	header["Authorization"] = basicAuth("test", "test")
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "test5.frp.com", header, "")
+	if assert.NoError(err) {
+		assert.Equal(401, code)
+	}
+
+	// subhost01
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "test01.sub.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal("test01.sub.com", body)
+	}
+
+	// subhost02
+	code, body, err = sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT), "test02.sub.com", nil, "")
+	if assert.NoError(err) {
+		assert.Equal(200, code)
+		assert.Equal("test02.sub.com", body)
+	}
+}
+
+func TestWebSocket(t *testing.T) {
+	assert := assert.New(t)
+
+	u := url.URL{Scheme: "ws", Host: fmt.Sprintf("%s:%d", "127.0.0.1", TEST_HTTP_FRP_PORT), Path: "/ws"}
+	c, _, err := websocket.DefaultDialer.Dial(u.String(), nil)
+	assert.NoError(err)
+	defer c.Close()
+
+	err = c.WriteMessage(websocket.TextMessage, []byte(TEST_HTTP_NORMAL_STR))
+	assert.NoError(err)
+
+	_, msg, err := c.ReadMessage()
+	assert.NoError(err)
+	assert.Equal(TEST_HTTP_NORMAL_STR, string(msg))
+}
+
+func TestPrivilegeAllowPorts(t *testing.T) {
+	assert := assert.New(t)
+	// Port not allowed
+	status, err := getProxyStatus(ProxyTcpPortNotAllowed)
+	if assert.NoError(err) {
+		assert.Equal(client.ProxyStatusStartErr, status.Status)
+		assert.True(strings.Contains(status.Err, server.ErrPortNotAllowed.Error()))
+	}
+
+	status, err = getProxyStatus(ProxyUdpPortNotAllowed)
+	if assert.NoError(err) {
+		assert.Equal(client.ProxyStatusStartErr, status.Status)
+		assert.True(strings.Contains(status.Err, server.ErrPortNotAllowed.Error()))
+	}
+
+	status, err = getProxyStatus(ProxyTcpPortUnavailable)
+	if assert.NoError(err) {
+		assert.Equal(client.ProxyStatusStartErr, status.Status)
+		assert.True(strings.Contains(status.Err, server.ErrPortUnAvailable.Error()))
+	}
+
+	// Port normal
+	status, err = getProxyStatus(ProxyTcpPortNormal)
+	if assert.NoError(err) {
+		assert.Equal(client.ProxyStatusRunning, status.Status)
+	}
+
+	status, err = getProxyStatus(ProxyUdpPortNormal)
+	if assert.NoError(err) {
+		assert.Equal(client.ProxyStatusRunning, status.Status)
+	}
+}
+
+func TestRandomPort(t *testing.T) {
+	assert := assert.New(t)
+	// tcp
+	status, err := getProxyStatus(ProxyTcpRandomPort)
+	if assert.NoError(err) {
+		addr := status.RemoteAddr
+		res, err := sendTcpMsg(addr, TEST_TCP_ECHO_STR)
+		assert.NoError(err)
+		assert.Equal(TEST_TCP_ECHO_STR, res)
+	}
+
+	// udp
+	status, err = getProxyStatus(ProxyUdpRandomPort)
+	if assert.NoError(err) {
+		addr := status.RemoteAddr
+		res, err := sendUdpMsg(addr, TEST_UDP_ECHO_STR)
+		assert.NoError(err)
+		assert.Equal(TEST_UDP_ECHO_STR, res)
+	}
+}
+
+func TestPluginHttpProxy(t *testing.T) {
+	assert := assert.New(t)
+	status, err := getProxyStatus(ProxyHttpProxy)
+	if assert.NoError(err) {
+		assert.Equal(client.ProxyStatusRunning, status.Status)
+
+		// http proxy
+		addr := status.RemoteAddr
+		code, body, err := sendHttpMsg("GET", fmt.Sprintf("http://127.0.0.1:%d", TEST_HTTP_FRP_PORT),
+			"", nil, "http://"+addr)
+		if assert.NoError(err) {
+			assert.Equal(200, code)
+			assert.Equal(TEST_HTTP_NORMAL_STR, body)
 		}
-		bodystr := string(body)
-		if bodystr != HTTP_RES_STR {
-			t.Fatalf("content from http server error [%s], correct string is [%s]", bodystr, HTTP_RES_STR)
+
+		// connect method
+		conn, err := net.ConnectTcpServerByHttpProxy("http://"+addr, fmt.Sprintf("127.0.0.1:%d", TEST_TCP_FRP_PORT))
+		if assert.NoError(err) {
+			res, err := sendTcpMsgByConn(conn, TEST_TCP_ECHO_STR)
+			assert.NoError(err)
+			assert.Equal(TEST_TCP_ECHO_STR, res)
 		}
-	} else {
-		t.Fatalf("http code from http server error [%d]", res.StatusCode)
 	}
 }

-func TestUdpEchoServer(t *testing.T) {
-	addr, err := net.ResolveUDPAddr("udp", "127.0.0.1:10712")
-	if err != nil {
-		t.Fatalf("do udp request error: %v", err)
-	}
-	conn, err := net.DialUDP("udp", nil, addr)
-	if err != nil {
-		t.Fatalf("dial udp server error: %v", err)
-	}
-	defer conn.Close()
-	_, err = conn.Write([]byte("hello frp\n"))
-	if err != nil {
-		t.Fatalf("write to udp server error: %v", err)
-	}
-	data := make([]byte, 20)
-	n, err := conn.Read(data)
-	if err != nil {
-		t.Fatalf("read from udp server error: %v", err)
-	}
+func TestRangePortsMapping(t *testing.T) {
+	assert := assert.New(t)

-	if string(bytes.TrimSpace(data[:n])) != "hello frp" {
-		t.Fatalf("message got from udp server error, get %s", string(data[:n-1]))
+	for i := 0; i < 3; i++ {
+		name := fmt.Sprintf("%s_%d", ProxyRangeTcpPrefix, i)
+		status, err := getProxyStatus(name)
+		if assert.NoError(err) {
+			assert.Equal(client.ProxyStatusRunning, status.Status)
+		}
 	}
 }
--- a/tests/http_server.go
+++ b/tests/http_server.go
@@ -2,14 +2,70 @@ package tests

 import (
 	"fmt"
+	"log"
 	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/gorilla/websocket"
 )

+var upgrader = websocket.Upgrader{}
+
 func StartHttpServer() {
-	http.HandleFunc("/", request)
-	http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", 10702), nil)
+	http.HandleFunc("/", handleHttp)
+	http.HandleFunc("/ws", handleWebSocket)
+	http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", TEST_HTTP_PORT), nil)
 }

-func request(w http.ResponseWriter, r *http.Request) {
-	w.Write([]byte(HTTP_RES_STR))
+func handleWebSocket(w http.ResponseWriter, r *http.Request) {
+	c, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		log.Print("upgrade:", err)
+		return
+	}
+	defer c.Close()
+	for {
+		mt, message, err := c.ReadMessage()
+		if err != nil {
+			break
+		}
+		err = c.WriteMessage(mt, message)
+		if err != nil {
+			log.Println("write:", err)
+			break
+		}
+	}
+}
+
+func handleHttp(w http.ResponseWriter, r *http.Request) {
+	match, err := regexp.Match(`.*\.sub\.com`, []byte(r.Host))
+	if err != nil {
+		w.WriteHeader(500)
+		return
+	}
+
+	if match {
+		w.WriteHeader(200)
+		w.Write([]byte(r.Host))
+		return
+	}
+
+	if strings.Contains(r.Host, "127.0.0.1") || strings.Contains(r.Host, "test2.frp.com") ||
+		strings.Contains(r.Host, "test5.frp.com") {
+		w.WriteHeader(200)
+		w.Write([]byte(TEST_HTTP_NORMAL_STR))
+	} else if strings.Contains(r.Host, "test3.frp.com") {
+		w.WriteHeader(200)
+		if strings.Contains(r.URL.Path, "foo") {
+			w.Write([]byte(TEST_HTTP_FOO_STR))
+		} else if strings.Contains(r.URL.Path, "bar") {
+			w.Write([]byte(TEST_HTTP_BAR_STR))
+		} else {
+			w.Write([]byte(TEST_HTTP_NORMAL_STR))
+		}
+	} else {
+		w.WriteHeader(404)
+	}
+	return
 }
--- a/tests/run_test.sh
+++ b/tests/run_test.sh
@@ -3,6 +3,7 @@
 ./../bin/frps -c ./conf/auto_test_frps.ini &
 sleep 1
 ./../bin/frpc -c ./conf/auto_test_frpc.ini &
+./../bin/frpc -c ./conf/auto_test_frpc_visitor.ini &

 # wait until proxies are connected
 sleep 2
--- a/tests/util.go
+++ b/tests/util.go
@@ -0,0 +1,182 @@
+package tests
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/fatedier/frp/client"
+	frpNet "github.com/fatedier/frp/utils/net"
+)
+
+func getProxyStatus(name string) (status *client.ProxyStatusResp, err error) {
+	req, err := http.NewRequest("GET", "http://"+ADMIN_ADDR+"/api/status", nil)
+	if err != nil {
+		return status, err
+	}
+
+	authStr := "Basic " + base64.StdEncoding.EncodeToString([]byte(ADMIN_USER+":"+ADMIN_PWD))
+	req.Header.Add("Authorization", authStr)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return status, err
+	} else {
+		if resp.StatusCode != 200 {
+			return status, fmt.Errorf("admin api status code [%d]", resp.StatusCode)
+		}
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return status, err
+		}
+		allStatus := &client.StatusResp{}
+		err = json.Unmarshal(body, &allStatus)
+		if err != nil {
+			return status, fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(string(body)))
+		}
+		for _, s := range allStatus.Tcp {
+			if s.Name == name {
+				return &s, nil
+			}
+		}
+		for _, s := range allStatus.Udp {
+			if s.Name == name {
+				return &s, nil
+			}
+		}
+		for _, s := range allStatus.Http {
+			if s.Name == name {
+				return &s, nil
+			}
+		}
+		for _, s := range allStatus.Https {
+			if s.Name == name {
+				return &s, nil
+			}
+		}
+		for _, s := range allStatus.Stcp {
+			if s.Name == name {
+				return &s, nil
+			}
+		}
+		for _, s := range allStatus.Xtcp {
+			if s.Name == name {
+				return &s, nil
+			}
+		}
+	}
+	return status, errors.New("no proxy status found")
+}
+
+func sendTcpMsg(addr string, msg string) (res string, err error) {
+	c, err := frpNet.ConnectTcpServer(addr)
+	if err != nil {
+		err = fmt.Errorf("connect to tcp server error: %v", err)
+		return
+	}
+	defer c.Close()
+	return sendTcpMsgByConn(c, msg)
+}
+
+func sendTcpMsgByConn(c net.Conn, msg string) (res string, err error) {
+	timer := time.Now().Add(5 * time.Second)
+	c.SetDeadline(timer)
+	c.Write([]byte(msg))
+
+	buf := make([]byte, 2048)
+	n, errRet := c.Read(buf)
+	if errRet != nil {
+		err = fmt.Errorf("read from tcp server error: %v", errRet)
+		return
+	}
+	return string(buf[:n]), nil
+}
+
+func sendUdpMsg(addr string, msg string) (res string, err error) {
+	udpAddr, errRet := net.ResolveUDPAddr("udp", addr)
+	if errRet != nil {
+		err = fmt.Errorf("resolve udp addr error: %v", err)
+		return
+	}
+	conn, errRet := net.DialUDP("udp", nil, udpAddr)
+	if errRet != nil {
+		err = fmt.Errorf("dial udp server error: %v", err)
+		return
+	}
+	defer conn.Close()
+	_, err = conn.Write([]byte(msg))
+	if err != nil {
+		err = fmt.Errorf("write to udp server error: %v", err)
+		return
+	}
+
+	buf := make([]byte, 2048)
+	n, errRet := conn.Read(buf)
+	if errRet != nil {
+		err = fmt.Errorf("read from udp server error: %v", err)
+		return
+	}
+	return string(buf[:n]), nil
+}
+
+func sendHttpMsg(method, urlStr string, host string, header map[string]string, proxy string) (code int, body string, err error) {
+	req, errRet := http.NewRequest(method, urlStr, nil)
+	if errRet != nil {
+		err = errRet
+		return
+	}
+
+	if host != "" {
+		req.Host = host
+	}
+	for k, v := range header {
+		req.Header.Set(k, v)
+	}
+
+	tr := &http.Transport{
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	if len(proxy) != 0 {
+		tr.Proxy = func(req *http.Request) (*url.URL, error) {
+			return url.Parse(proxy)
+		}
+	}
+	client := http.Client{
+		Transport: tr,
+	}
+
+	resp, errRet := client.Do(req)
+	if errRet != nil {
+		err = errRet
+		return
+	}
+	code = resp.StatusCode
+	buf, errRet := ioutil.ReadAll(resp.Body)
+	if errRet != nil {
+		err = errRet
+		return
+	}
+	body = string(buf)
+	return
+}
+
+func basicAuth(username, passwd string) string {
+	auth := username + ":" + passwd
+	return "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
+}
--- a/models/proto/tcp/tcp.go
+++ b/models/proto/tcp/tcp.go
@@ -12,38 +12,74 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package tcp
+package io

 import (
 	"io"
-
-	"github.com/golang/snappy"
+	"sync"

 	"github.com/fatedier/frp/utils/crypto"
+	"github.com/fatedier/frp/utils/pool"
 )

+// Join two io.ReadWriteCloser and do some operations.
+func Join(c1 io.ReadWriteCloser, c2 io.ReadWriteCloser) (inCount int64, outCount int64) {
+	var wait sync.WaitGroup
+	pipe := func(to io.ReadWriteCloser, from io.ReadWriteCloser, count *int64) {
+		defer to.Close()
+		defer from.Close()
+		defer wait.Done()
+
+		buf := pool.GetBuf(16 * 1024)
+		defer pool.PutBuf(buf)
+		*count, _ = io.CopyBuffer(to, from, buf)
+	}
+
+	wait.Add(2)
+	go pipe(c1, c2, &inCount)
+	go pipe(c2, c1, &outCount)
+	wait.Wait()
+	return
+}
+
 func WithEncryption(rwc io.ReadWriteCloser, key []byte) (io.ReadWriteCloser, error) {
 	w, err := crypto.NewWriter(rwc, key)
 	if err != nil {
 		return nil, err
 	}
-	return WrapReadWriteCloser(crypto.NewReader(rwc, key), w), nil
+	return WrapReadWriteCloser(crypto.NewReader(rwc, key), w, func() error {
+		return rwc.Close()
+	}), nil
 }

 func WithCompression(rwc io.ReadWriteCloser) io.ReadWriteCloser {
-	return WrapReadWriteCloser(snappy.NewReader(rwc), snappy.NewWriter(rwc))
-}
-
-func WrapReadWriteCloser(r io.Reader, w io.Writer) io.ReadWriteCloser {
-	return &ReadWriteCloser{
-		r: r,
-		w: w,
-	}
+	sr := pool.GetSnappyReader(rwc)
+	sw := pool.GetSnappyWriter(rwc)
+	return WrapReadWriteCloser(sr, sw, func() error {
+		err := rwc.Close()
+		pool.PutSnappyReader(sr)
+		pool.PutSnappyWriter(sw)
+		return err
+	})
 }

 type ReadWriteCloser struct {
-	r io.Reader
-	w io.Writer
+	r       io.Reader
+	w       io.Writer
+	closeFn func() error
+
+	closed bool
+	mu     sync.Mutex
+}
+
+// closeFn will be called only once
+func WrapReadWriteCloser(r io.Reader, w io.Writer, closeFn func() error) io.ReadWriteCloser {
+	return &ReadWriteCloser{
+		r:       r,
+		w:       w,
+		closeFn: closeFn,
+		closed:  false,
+	}
 }

 func (rwc *ReadWriteCloser) Read(p []byte) (n int, err error) {
@@ -55,6 +91,14 @@ func (rwc *ReadWriteCloser) Write(p []byte) (n int, err error) {
 }

 func (rwc *ReadWriteCloser) Close() (errRet error) {
+	rwc.mu.Lock()
+	if rwc.closed {
+		rwc.mu.Unlock()
+		return
+	}
+	rwc.closed = true
+	rwc.mu.Unlock()
+
 	var err error
 	if rc, ok := rwc.r.(io.Closer); ok {
 		err = rc.Close()
@@ -69,5 +113,12 @@ func (rwc *ReadWriteCloser) Close() (errRet error) {
 			errRet = err
 		}
 	}
+
+	if rwc.closeFn != nil {
+		err = rwc.closeFn()
+		if err != nil {
+			errRet = err
+		}
+	}
 	return
 }
--- a/models/proto/tcp/tcp_test.go
+++ b/models/proto/tcp/tcp_test.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package tcp
+package io

 import (
 	"io"
@@ -21,6 +21,51 @@ import (
 	"github.com/stretchr/testify/assert"
 )

+func TestJoin(t *testing.T) {
+	assert := assert.New(t)
+
+	var (
+		n   int
+		err error
+	)
+	text1 := "A document that gives tips for writing clear, idiomatic Go code. A must read for any new Go programmer. It augments the tour and the language specification, both of which should be read first."
+	text2 := "A document that specifies the conditions under which reads of a variable in one goroutine can be guaranteed to observe values produced by writes to the same variable in a different goroutine."
+
+	// Forward bytes directly.
+	pr, pw := io.Pipe()
+	pr2, pw2 := io.Pipe()
+	pr3, pw3 := io.Pipe()
+	pr4, pw4 := io.Pipe()
+
+	conn1 := WrapReadWriteCloser(pr, pw2, nil)
+	conn2 := WrapReadWriteCloser(pr2, pw, nil)
+	conn3 := WrapReadWriteCloser(pr3, pw4, nil)
+	conn4 := WrapReadWriteCloser(pr4, pw3, nil)
+
+	go func() {
+		Join(conn2, conn3)
+	}()
+
+	buf1 := make([]byte, 1024)
+	buf2 := make([]byte, 1024)
+
+	conn1.Write([]byte(text1))
+	conn4.Write([]byte(text2))
+
+	n, err = conn4.Read(buf1)
+	assert.NoError(err)
+	assert.Equal(text1, string(buf1[:n]))
+
+	n, err = conn1.Read(buf2)
+	assert.NoError(err)
+	assert.Equal(text2, string(buf2[:n]))
+
+	conn1.Close()
+	conn2.Close()
+	conn3.Close()
+	conn4.Close()
+}
+
 func TestWithCompression(t *testing.T) {
 	assert := assert.New(t)

@@ -28,8 +73,8 @@ func TestWithCompression(t *testing.T) {
 	pr, pw := io.Pipe()
 	pr2, pw2 := io.Pipe()

-	conn1 := WrapReadWriteCloser(pr, pw2)
-	conn2 := WrapReadWriteCloser(pr2, pw)
+	conn1 := WrapReadWriteCloser(pr, pw2, nil)
+	conn2 := WrapReadWriteCloser(pr2, pw, nil)

 	compressionStream1 := WithCompression(conn1)
 	compressionStream2 := WithCompression(conn2)
@@ -71,12 +116,12 @@ func TestWithEncryption(t *testing.T) {
 	pr5, pw5 := io.Pipe()
 	pr6, pw6 := io.Pipe()

-	conn1 := WrapReadWriteCloser(pr, pw2)
-	conn2 := WrapReadWriteCloser(pr2, pw)
-	conn3 := WrapReadWriteCloser(pr3, pw4)
-	conn4 := WrapReadWriteCloser(pr4, pw3)
-	conn5 := WrapReadWriteCloser(pr5, pw6)
-	conn6 := WrapReadWriteCloser(pr6, pw5)
+	conn1 := WrapReadWriteCloser(pr, pw2, nil)
+	conn2 := WrapReadWriteCloser(pr2, pw, nil)
+	conn3 := WrapReadWriteCloser(pr3, pw4, nil)
+	conn4 := WrapReadWriteCloser(pr4, pw3, nil)
+	conn5 := WrapReadWriteCloser(pr5, pw6, nil)
+	conn6 := WrapReadWriteCloser(pr6, pw5, nil)

 	encryptStream1, err := WithEncryption(conn3, []byte(key))
 	assert.NoError(err)
--- a/utils/log/log.go
+++ b/utils/log/log.go
@@ -88,6 +88,7 @@ func Trace(format string, v ...interface{}) {
 // Logger
 type Logger interface {
 	AddLogPrefix(string)
+	GetPrefixStr() string
 	GetAllPrefix() []string
 	ClearLogPrefix()
 	Error(string, ...interface{})
@@ -119,6 +120,10 @@ func (pl *PrefixLogger) AddLogPrefix(prefix string) {
 	pl.allPrefix = append(pl.allPrefix, prefix)
 }

+func (pl *PrefixLogger) GetPrefixStr() string {
+	return pl.prefix
+}
+
 func (pl *PrefixLogger) GetAllPrefix() []string {
 	return pl.allPrefix
 }
--- a/utils/net/conn.go
+++ b/utils/net/conn.go
@@ -15,9 +15,18 @@
 package net

 import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
 	"net"
+	"sync"
+	"sync/atomic"
+	"time"

 	"github.com/fatedier/frp/utils/log"
+
+	kcp "github.com/xtaci/kcp-go"
 )

 // Conn is the interface of connections used in frp.
@@ -32,14 +41,176 @@ type WrapLogConn struct {
 }

 func WrapConn(c net.Conn) Conn {
-	return WrapLogConn{
+	return &WrapLogConn{
 		Conn:   c,
 		Logger: log.NewPrefixLogger(""),
 	}
 }

-type Listener interface {
-	Accept() (Conn, error)
-	Close() error
+type WrapReadWriteCloserConn struct {
+	io.ReadWriteCloser
 	log.Logger
+
+	underConn net.Conn
+}
+
+func WrapReadWriteCloserToConn(rwc io.ReadWriteCloser, underConn net.Conn) Conn {
+	return &WrapReadWriteCloserConn{
+		ReadWriteCloser: rwc,
+		Logger:          log.NewPrefixLogger(""),
+		underConn:       underConn,
+	}
+}
+
+func (conn *WrapReadWriteCloserConn) LocalAddr() net.Addr {
+	if conn.underConn != nil {
+		return conn.underConn.LocalAddr()
+	}
+	return (*net.TCPAddr)(nil)
+}
+
+func (conn *WrapReadWriteCloserConn) RemoteAddr() net.Addr {
+	if conn.underConn != nil {
+		return conn.underConn.RemoteAddr()
+	}
+	return (*net.TCPAddr)(nil)
+}
+
+func (conn *WrapReadWriteCloserConn) SetDeadline(t time.Time) error {
+	if conn.underConn != nil {
+		return conn.underConn.SetDeadline(t)
+	}
+	return &net.OpError{Op: "set", Net: "wrap", Source: nil, Addr: nil, Err: errors.New("deadline not supported")}
+}
+
+func (conn *WrapReadWriteCloserConn) SetReadDeadline(t time.Time) error {
+	if conn.underConn != nil {
+		return conn.underConn.SetReadDeadline(t)
+	}
+	return &net.OpError{Op: "set", Net: "wrap", Source: nil, Addr: nil, Err: errors.New("deadline not supported")}
+}
+
+func (conn *WrapReadWriteCloserConn) SetWriteDeadline(t time.Time) error {
+	if conn.underConn != nil {
+		return conn.underConn.SetWriteDeadline(t)
+	}
+	return &net.OpError{Op: "set", Net: "wrap", Source: nil, Addr: nil, Err: errors.New("deadline not supported")}
+}
+
+func ConnectServer(protocol string, addr string) (c Conn, err error) {
+	switch protocol {
+	case "tcp":
+		return ConnectTcpServer(addr)
+	case "kcp":
+		kcpConn, errRet := kcp.DialWithOptions(addr, nil, 10, 3)
+		if errRet != nil {
+			err = errRet
+			return
+		}
+		kcpConn.SetStreamMode(true)
+		kcpConn.SetWriteDelay(true)
+		kcpConn.SetNoDelay(1, 20, 2, 1)
+		kcpConn.SetWindowSize(128, 512)
+		kcpConn.SetMtu(1350)
+		kcpConn.SetACKNoDelay(false)
+		kcpConn.SetReadBuffer(4194304)
+		kcpConn.SetWriteBuffer(4194304)
+		c = WrapConn(kcpConn)
+		return
+	default:
+		return nil, fmt.Errorf("unsupport protocol: %s", protocol)
+	}
+}
+
+func ConnectServerByHttpProxy(httpProxy string, protocol string, addr string) (c Conn, err error) {
+	switch protocol {
+	case "tcp":
+		return ConnectTcpServerByHttpProxy(httpProxy, addr)
+	case "kcp":
+		// http proxy is not supported for kcp
+		return ConnectServer(protocol, addr)
+	default:
+		return nil, fmt.Errorf("unsupport protocol: %s", protocol)
+	}
+}
+
+type SharedConn struct {
+	Conn
+	sync.Mutex
+	buf *bytes.Buffer
+}
+
+// the bytes you read in io.Reader, will be reserved in SharedConn
+func NewShareConn(conn Conn) (*SharedConn, io.Reader) {
+	sc := &SharedConn{
+		Conn: conn,
+		buf:  bytes.NewBuffer(make([]byte, 0, 1024)),
+	}
+	return sc, io.TeeReader(conn, sc.buf)
+}
+
+func (sc *SharedConn) Read(p []byte) (n int, err error) {
+	sc.Lock()
+	if sc.buf == nil {
+		sc.Unlock()
+		return sc.Conn.Read(p)
+	}
+	sc.Unlock()
+	n, err = sc.buf.Read(p)
+
+	if err == io.EOF {
+		sc.Lock()
+		sc.buf = nil
+		sc.Unlock()
+		var n2 int
+		n2, err = sc.Conn.Read(p[n:])
+
+		n += n2
+	}
+	return
+}
+
+func (sc *SharedConn) WriteBuff(buffer []byte) (err error) {
+	sc.buf.Reset()
+	_, err = sc.buf.Write(buffer)
+	return err
+}
+
+type StatsConn struct {
+	Conn
+
+	closed     int64 // 1 means closed
+	totalRead  int64
+	totalWrite int64
+	statsFunc  func(totalRead, totalWrite int64)
+}
+
+func WrapStatsConn(conn Conn, statsFunc func(total, totalWrite int64)) *StatsConn {
+	return &StatsConn{
+		Conn:      conn,
+		statsFunc: statsFunc,
+	}
+}
+
+func (statsConn *StatsConn) Read(p []byte) (n int, err error) {
+	n, err = statsConn.Conn.Read(p)
+	statsConn.totalRead += int64(n)
+	return
+}
+
+func (statsConn *StatsConn) Write(p []byte) (n int, err error) {
+	n, err = statsConn.Conn.Write(p)
+	statsConn.totalWrite += int64(n)
+	return
+}
+
+func (statsConn *StatsConn) Close() (err error) {
+	old := atomic.SwapInt64(&statsConn.closed, 1)
+	if old != 1 {
+		err = statsConn.Conn.Close()
+		if statsConn.statsFunc != nil {
+			statsConn.statsFunc(statsConn.totalRead, statsConn.totalWrite)
+		}
+	}
+	return
 }
--- a/utils/net/http.go
+++ b/utils/net/http.go
@@ -0,0 +1,105 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package net
+
+import (
+	"compress/gzip"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+type HttpAuthWraper struct {
+	h      http.Handler
+	user   string
+	passwd string
+}
+
+func NewHttpBasicAuthWraper(h http.Handler, user, passwd string) http.Handler {
+	return &HttpAuthWraper{
+		h:      h,
+		user:   user,
+		passwd: passwd,
+	}
+}
+
+func (aw *HttpAuthWraper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	user, passwd, hasAuth := r.BasicAuth()
+	if (aw.user == "" && aw.passwd == "") || (hasAuth && user == aw.user && passwd == aw.passwd) {
+		aw.h.ServeHTTP(w, r)
+	} else {
+		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+	}
+}
+
+func HttpBasicAuth(h http.HandlerFunc, user, passwd string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		reqUser, reqPasswd, hasAuth := r.BasicAuth()
+		if (user == "" && passwd == "") ||
+			(hasAuth && reqUser == user && reqPasswd == passwd) {
+			h.ServeHTTP(w, r)
+		} else {
+			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		}
+	}
+}
+
+func HttprouterBasicAuth(h httprouter.Handle, user, passwd string) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+		reqUser, reqPasswd, hasAuth := r.BasicAuth()
+		if (user == "" && passwd == "") ||
+			(hasAuth && reqUser == user && reqPasswd == passwd) {
+			h(w, r, ps)
+		} else {
+			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		}
+	}
+}
+
+type HttpGzipWraper struct {
+	h http.Handler
+}
+
+func (gw *HttpGzipWraper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
+		gw.h.ServeHTTP(w, r)
+		return
+	}
+	w.Header().Set("Content-Encoding", "gzip")
+	gz := gzip.NewWriter(w)
+	defer gz.Close()
+	gzr := gzipResponseWriter{Writer: gz, ResponseWriter: w}
+	gw.h.ServeHTTP(gzr, r)
+}
+
+func MakeHttpGzipHandler(h http.Handler) http.Handler {
+	return &HttpGzipWraper{
+		h: h,
+	}
+}
+
+type gzipResponseWriter struct {
+	io.Writer
+	http.ResponseWriter
+}
+
+func (w gzipResponseWriter) Write(b []byte) (int, error) {
+	return w.Writer.Write(b)
+}
--- a/utils/net/kcp.go
+++ b/utils/net/kcp.go
@@ -0,0 +1,101 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package net
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/fatedier/frp/utils/log"
+
+	kcp "github.com/fatedier/kcp-go"
+)
+
+type KcpListener struct {
+	net.Addr
+	listener  net.Listener
+	accept    chan Conn
+	closeFlag bool
+	log.Logger
+}
+
+func ListenKcp(bindAddr string, bindPort int) (l *KcpListener, err error) {
+	listener, err := kcp.ListenWithOptions(fmt.Sprintf("%s:%d", bindAddr, bindPort), nil, 10, 3)
+	if err != nil {
+		return l, err
+	}
+	listener.SetReadBuffer(4194304)
+	listener.SetWriteBuffer(4194304)
+
+	l = &KcpListener{
+		Addr:      listener.Addr(),
+		listener:  listener,
+		accept:    make(chan Conn),
+		closeFlag: false,
+		Logger:    log.NewPrefixLogger(""),
+	}
+
+	go func() {
+		for {
+			conn, err := listener.AcceptKCP()
+			if err != nil {
+				if l.closeFlag {
+					close(l.accept)
+					return
+				}
+				continue
+			}
+			conn.SetStreamMode(true)
+			conn.SetWriteDelay(true)
+			conn.SetNoDelay(1, 20, 2, 1)
+			conn.SetMtu(1350)
+			conn.SetWindowSize(1024, 1024)
+			conn.SetACKNoDelay(false)
+
+			l.accept <- WrapConn(conn)
+		}
+	}()
+	return l, err
+}
+
+func (l *KcpListener) Accept() (Conn, error) {
+	conn, ok := <-l.accept
+	if !ok {
+		return conn, fmt.Errorf("channel for kcp listener closed")
+	}
+	return conn, nil
+}
+
+func (l *KcpListener) Close() error {
+	if !l.closeFlag {
+		l.closeFlag = true
+		l.listener.Close()
+	}
+	return nil
+}
+
+func NewKcpConnFromUdp(conn *net.UDPConn, connected bool, raddr string) (net.Conn, error) {
+	kcpConn, err := kcp.NewConnEx(1, connected, raddr, nil, 10, 3, conn)
+	if err != nil {
+		return nil, err
+	}
+	kcpConn.SetStreamMode(true)
+	kcpConn.SetWriteDelay(true)
+	kcpConn.SetNoDelay(1, 20, 2, 1)
+	kcpConn.SetMtu(1350)
+	kcpConn.SetWindowSize(1024, 1024)
+	kcpConn.SetACKNoDelay(false)
+	return kcpConn, nil
+}
--- a/utils/net/listener.go
+++ b/utils/net/listener.go
@@ -0,0 +1,99 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package net
+
+import (
+	"fmt"
+	"net"
+	"sync"
+
+	"github.com/fatedier/frp/utils/errors"
+	"github.com/fatedier/frp/utils/log"
+)
+
+type Listener interface {
+	Accept() (Conn, error)
+	Close() error
+	log.Logger
+}
+
+type LogListener struct {
+	l net.Listener
+	net.Listener
+	log.Logger
+}
+
+func WrapLogListener(l net.Listener) Listener {
+	return &LogListener{
+		l:        l,
+		Listener: l,
+		Logger:   log.NewPrefixLogger(""),
+	}
+}
+
+func (logL *LogListener) Accept() (Conn, error) {
+	c, err := logL.l.Accept()
+	return WrapConn(c), err
+}
+
+// Custom listener
+type CustomListener struct {
+	conns  chan Conn
+	closed bool
+	mu     sync.Mutex
+
+	log.Logger
+}
+
+func NewCustomListener() *CustomListener {
+	return &CustomListener{
+		conns:  make(chan Conn, 64),
+		Logger: log.NewPrefixLogger(""),
+	}
+}
+
+func (l *CustomListener) Accept() (Conn, error) {
+	conn, ok := <-l.conns
+	if !ok {
+		return nil, fmt.Errorf("listener closed")
+	}
+	conn.AddLogPrefix(l.GetPrefixStr())
+	return conn, nil
+}
+
+func (l *CustomListener) PutConn(conn Conn) error {
+	err := errors.PanicToError(func() {
+		select {
+		case l.conns <- conn:
+		default:
+			conn.Close()
+		}
+	})
+	return err
+}
+
+func (l *CustomListener) Close() error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	if !l.closed {
+		close(l.conns)
+		l.closed = true
+	}
+	return nil
+}
+
+func (l *CustomListener) Addr() net.Addr {
+	return (*net.TCPAddr)(nil)
+}
--- a/utils/net/tcp.go
+++ b/utils/net/tcp.go
@@ -33,7 +33,7 @@ type TcpListener struct {
 	log.Logger
 }

-func ListenTcp(bindAddr string, bindPort int64) (l *TcpListener, err error) {
+func ListenTcp(bindAddr string, bindPort int) (l *TcpListener, err error) {
 	tcpAddr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("%s:%d", bindAddr, bindPort))
 	if err != nil {
 		return l, err
@@ -128,7 +128,9 @@ func ConnectTcpServerByHttpProxy(httpProxy string, serverAddr string) (c Conn, e

 	var proxyAuth string
 	if proxyUrl.User != nil {
-		proxyAuth = "Basic " + base64.StdEncoding.EncodeToString([]byte(proxyUrl.User.String()))
+		username := proxyUrl.User.Username()
+		passwd, _ := proxyUrl.User.Password()
+		proxyAuth = "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+passwd))
 	}

 	if proxyUrl.Scheme != "http" {
--- a/utils/net/udp.go
+++ b/utils/net/udp.go
@@ -167,7 +167,7 @@ type UdpListener struct {
 	log.Logger
 }

-func ListenUDP(bindAddr string, bindPort int64) (l *UdpListener, err error) {
+func ListenUDP(bindAddr string, bindPort int) (l *UdpListener, err error) {
 	udpAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", bindAddr, bindPort))
 	if err != nil {
 		return l, err
--- a/utils/pool/buf.go
+++ b/utils/pool/buf.go
@@ -17,15 +17,18 @@ package pool
 import "sync"

 var (
-	bufPool5k sync.Pool
-	bufPool2k sync.Pool
-	bufPool1k sync.Pool
-	bufPool   sync.Pool
+	bufPool16k sync.Pool
+	bufPool5k  sync.Pool
+	bufPool2k  sync.Pool
+	bufPool1k  sync.Pool
+	bufPool    sync.Pool
 )

 func GetBuf(size int) []byte {
 	var x interface{}
-	if size >= 5*1024 {
+	if size >= 16*1024 {
+		x = bufPool16k.Get()
+	} else if size >= 5*1024 {
 		x = bufPool5k.Get()
 	} else if size >= 2*1024 {
 		x = bufPool2k.Get()
@@ -46,7 +49,9 @@ func GetBuf(size int) []byte {

 func PutBuf(buf []byte) {
 	size := cap(buf)
-	if size >= 5*1024 {
+	if size >= 16*1024 {
+		bufPool16k.Put(buf)
+	} else if size >= 5*1024 {
 		bufPool5k.Put(buf)
 	} else if size >= 2*1024 {
 		bufPool2k.Put(buf)
--- a/utils/pool/snappy.go
+++ b/utils/pool/snappy.go
@@ -0,0 +1,57 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pool
+
+import (
+	"io"
+	"sync"
+
+	"github.com/golang/snappy"
+)
+
+var (
+	snappyReaderPool sync.Pool
+	snappyWriterPool sync.Pool
+)
+
+func GetSnappyReader(r io.Reader) *snappy.Reader {
+	var x interface{}
+	x = snappyReaderPool.Get()
+	if x == nil {
+		return snappy.NewReader(r)
+	}
+	sr := x.(*snappy.Reader)
+	sr.Reset(r)
+	return sr
+}
+
+func PutSnappyReader(sr *snappy.Reader) {
+	snappyReaderPool.Put(sr)
+}
+
+func GetSnappyWriter(w io.Writer) *snappy.Writer {
+	var x interface{}
+	x = snappyWriterPool.Get()
+	if x == nil {
+		return snappy.NewWriter(w)
+	}
+	sw := x.(*snappy.Writer)
+	sw.Reset(w)
+	return sw
+}
+
+func PutSnappyWriter(sw *snappy.Writer) {
+	snappyWriterPool.Put(sw)
+}
--- a/utils/shutdown/shutdown.go
+++ b/utils/shutdown/shutdown.go
@@ -19,19 +19,19 @@ import (
 )

 type Shutdown struct {
-	doing  bool
-	ending bool
-	start  chan struct{}
-	down   chan struct{}
-	mu     sync.Mutex
+	doing   bool
+	ending  bool
+	startCh chan struct{}
+	doneCh  chan struct{}
+	mu      sync.Mutex
 }

 func New() *Shutdown {
 	return &Shutdown{
-		doing:  false,
-		ending: false,
-		start:  make(chan struct{}),
-		down:   make(chan struct{}),
+		doing:   false,
+		ending:  false,
+		startCh: make(chan struct{}),
+		doneCh:  make(chan struct{}),
 	}
 }

@@ -40,12 +40,12 @@ func (s *Shutdown) Start() {
 	defer s.mu.Unlock()
 	if !s.doing {
 		s.doing = true
-		close(s.start)
+		close(s.startCh)
 	}
 }

 func (s *Shutdown) WaitStart() {
-	<-s.start
+	<-s.startCh
 }

 func (s *Shutdown) Done() {
@@ -53,10 +53,10 @@ func (s *Shutdown) Done() {
 	defer s.mu.Unlock()
 	if !s.ending {
 		s.ending = true
-		close(s.down)
+		close(s.doneCh)
 	}
 }

-func (s *Shutdown) WaitDown() {
-	<-s.down
+func (s *Shutdown) WaitDone() {
+	<-s.doneCh
 }
--- a/utils/shutdown/shutdown_test.go
+++ b/utils/shutdown/shutdown_test.go
@@ -17,5 +17,5 @@ func TestShutdown(t *testing.T) {
 		time.Sleep(time.Millisecond)
 		s.Done()
 	}()
-	s.WaitDown()
+	s.WaitDone()
 }
--- a/utils/util/util.go
+++ b/utils/util/util.go
@@ -48,65 +48,56 @@ func GetAuthKey(token string, timestamp int64) (key string) {
 	return hex.EncodeToString(data)
 }

-// for example: rangeStr is "1000-2000,2001,2002,3000-4000", return an array as port ranges.
-func GetPortRanges(rangeStr string) (portRanges [][2]int64, err error) {
-	// for example: 1000-2000,2001,2002,3000-4000
-	rangeArray := strings.Split(rangeStr, ",")
-	for _, portRangeStr := range rangeArray {
+func CanonicalAddr(host string, port int) (addr string) {
+	if port == 80 || port == 443 {
+		addr = host
+	} else {
+		addr = fmt.Sprintf("%s:%d", host, port)
+	}
+	return
+}
+
+func ParseRangeNumbers(rangeStr string) (numbers []int64, err error) {
+	rangeStr = strings.TrimSpace(rangeStr)
+	numbers = make([]int64, 0)
+	// e.g. 1000-2000,2001,2002,3000-4000
+	numRanges := strings.Split(rangeStr, ",")
+	for _, numRangeStr := range numRanges {
 		// 1000-2000 or 2001
-		portArray := strings.Split(portRangeStr, "-")
+		numArray := strings.Split(numRangeStr, "-")
 		// length: only 1 or 2 is correct
-		rangeType := len(portArray)
+		rangeType := len(numArray)
 		if rangeType == 1 {
-			singlePort, err := strconv.ParseInt(portArray[0], 10, 64)
-			if err != nil {
-				return [][2]int64{}, err
+			// single number
+			singleNum, errRet := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)
+			if errRet != nil {
+				err = fmt.Errorf("range number is invalid, %v", errRet)
+				return
 			}
-			portRanges = append(portRanges, [2]int64{singlePort, singlePort})
+			numbers = append(numbers, singleNum)
 		} else if rangeType == 2 {
-			min, err := strconv.ParseInt(portArray[0], 10, 64)
-			if err != nil {
-				return [][2]int64{}, err
+			// range numbers
+			min, errRet := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)
+			if errRet != nil {
+				err = fmt.Errorf("range number is invalid, %v", errRet)
+				return
 			}
-			max, err := strconv.ParseInt(portArray[1], 10, 64)
-			if err != nil {
-				return [][2]int64{}, err
+			max, errRet := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)
+			if errRet != nil {
+				err = fmt.Errorf("range number is invalid, %v", errRet)
+				return
 			}
 			if max < min {
-				return [][2]int64{}, fmt.Errorf("range incorrect")
+				err = fmt.Errorf("range number is invalid")
+				return
 			}
-			portRanges = append(portRanges, [2]int64{min, max})
-		} else {
-			return [][2]int64{}, fmt.Errorf("format error")
-		}
-	}
-	return portRanges, nil
-}
-
-func ContainsPort(portRanges [][2]int64, port int64) bool {
-	for _, pr := range portRanges {
-		if port >= pr[0] && port <= pr[1] {
-			return true
-		}
-	}
-	return false
-}
-
-func PortRangesCut(portRanges [][2]int64, port int64) [][2]int64 {
-	var tmpRanges [][2]int64
-	for _, pr := range portRanges {
-		if port >= pr[0] && port <= pr[1] {
-			leftRange := [2]int64{pr[0], port - 1}
-			rightRange := [2]int64{port + 1, pr[1]}
-			if leftRange[0] <= leftRange[1] {
-				tmpRanges = append(tmpRanges, leftRange)
-			}
-			if rightRange[0] <= rightRange[1] {
-				tmpRanges = append(tmpRanges, rightRange)
+			for i := min; i <= max; i++ {
+				numbers = append(numbers, i)
 			}
 		} else {
-			tmpRanges = append(tmpRanges, pr)
+			err = fmt.Errorf("range number is invalid")
+			return
 		}
 	}
-	return tmpRanges
+	return
 }
--- a/utils/util/util_test.go
+++ b/utils/util/util_test.go
@@ -21,66 +21,28 @@ func TestGetAuthKey(t *testing.T) {
 	assert.Equal("6df41a43725f0c770fd56379e12acf8c", key)
 }

-func TestGetPortRanges(t *testing.T) {
+func TestParseRangeNumbers(t *testing.T) {
 	assert := assert.New(t)
-
-	rangesStr := "2000-3000,3001,4000-50000"
-	expect := [][2]int64{
-		[2]int64{2000, 3000},
-		[2]int64{3001, 3001},
-		[2]int64{4000, 50000},
+	numbers, err := ParseRangeNumbers("2-5")
+	if assert.NoError(err) {
+		assert.Equal([]int64{2, 3, 4, 5}, numbers)
 	}
-	actual, err := GetPortRanges(rangesStr)
-	assert.Nil(err)
-	t.Log(actual)
-	assert.Equal(expect, actual)
-}
-
-func TestContainsPort(t *testing.T) {
-	assert := assert.New(t)
-
-	rangesStr := "2000-3000,3001,4000-50000"
-	portRanges, err := GetPortRanges(rangesStr)
-	assert.Nil(err)
-
-	type Case struct {
-		Port   int64
-		Answer bool
-	}
-	cases := []Case{
-		Case{
-			Port:   3001,
-			Answer: true,
-		},
-		Case{
-			Port:   3002,
-			Answer: false,
-		},
-		Case{
-			Port:   44444,
-			Answer: true,
-		},
-	}
-	for _, elem := range cases {
-		ok := ContainsPort(portRanges, elem.Port)
-		assert.Equal(elem.Answer, ok)
-	}
-}
-
-func TestPortRangesCut(t *testing.T) {
-	assert := assert.New(t)
-
-	rangesStr := "2000-3000,3001,4000-50000"
-	portRanges, err := GetPortRanges(rangesStr)
-	assert.Nil(err)
-
-	expect := [][2]int64{
-		[2]int64{2000, 3000},
-		[2]int64{3001, 3001},
-		[2]int64{4000, 44443},
-		[2]int64{44445, 50000},
-	}
-	actual := PortRangesCut(portRanges, 44444)
-	t.Log(actual)
-	assert.Equal(expect, actual)
+
+	numbers, err = ParseRangeNumbers("1")
+	if assert.NoError(err) {
+		assert.Equal([]int64{1}, numbers)
+	}
+
+	numbers, err = ParseRangeNumbers("3-5,8")
+	if assert.NoError(err) {
+		assert.Equal([]int64{3, 4, 5, 8}, numbers)
+	}
+
+	numbers, err = ParseRangeNumbers(" 3-5,8, 10-12 ")
+	if assert.NoError(err) {
+		assert.Equal([]int64{3, 4, 5, 8, 10, 11, 12}, numbers)
+	}
+
+	_, err = ParseRangeNumbers("3-a")
+	assert.Error(err)
 }
--- a/utils/version/version.go
+++ b/utils/version/version.go
@@ -19,43 +19,37 @@ import (
 	"strings"
 )

-var version string = "0.10.0"
+var version string = "0.16.1"

 func Full() string {
 	return version
 }

-func Proto(v string) int64 {
+func getSubVersion(v string, position int) int64 {
 	arr := strings.Split(v, ".")
 	if len(arr) < 3 {
 		return 0
 	}
-	res, _ := strconv.ParseInt(arr[0], 10, 64)
+	res, _ := strconv.ParseInt(arr[position], 10, 64)
 	return res
 }

+func Proto(v string) int64 {
+	return getSubVersion(v, 0)
+}
+
 func Major(v string) int64 {
-	arr := strings.Split(v, ".")
-	if len(arr) < 3 {
-		return 0
-	}
-	res, _ := strconv.ParseInt(arr[1], 10, 64)
-	return res
+	return getSubVersion(v, 1)
 }

 func Minor(v string) int64 {
-	arr := strings.Split(v, ".")
-	if len(arr) < 3 {
-		return 0
-	}
-	res, _ := strconv.ParseInt(arr[2], 10, 64)
-	return res
+	return getSubVersion(v, 2)
 }

 // add every case there if server will not accept client's protocol and return false
 func Compat(client string) (ok bool, msg string) {
-	if LessThan(client, version) {
-		return false, "Please upgrade your frpc version to 0.10.0"
+	if LessThan(client, "0.10.0") {
+		return false, "Please upgrade your frpc version to at least 0.10.0"
 	}
 	return true, ""
 }
--- a/utils/vhost/http.go
+++ b/utils/vhost/http.go
@@ -35,7 +35,7 @@ type HttpMuxer struct {

 func GetHttpRequestInfo(c frpNet.Conn) (_ frpNet.Conn, _ map[string]string, err error) {
 	reqInfoMap := make(map[string]string, 0)
-	sc, rd := newShareConn(c)
+	sc, rd := frpNet.NewShareConn(c)

 	request, err := http.ReadRequest(bufio.NewReader(rd))
 	if err != nil {
@@ -57,30 +57,35 @@ func GetHttpRequestInfo(c frpNet.Conn) (_ frpNet.Conn, _ map[string]string, err
 }

 func NewHttpMuxer(listener frpNet.Listener, timeout time.Duration) (*HttpMuxer, error) {
-	mux, err := NewVhostMuxer(listener, GetHttpRequestInfo, HttpAuthFunc, HttpHostNameRewrite, timeout)
+	mux, err := NewVhostMuxer(listener, GetHttpRequestInfo, HttpAuthFunc, ModifyHttpRequest, timeout)
 	return &HttpMuxer{mux}, err
 }

-func HttpHostNameRewrite(c frpNet.Conn, rewriteHost string) (_ frpNet.Conn, err error) {
-	sc, rd := newShareConn(c)
+func ModifyHttpRequest(c frpNet.Conn, rewriteHost string) (_ frpNet.Conn, err error) {
+	sc, rd := frpNet.NewShareConn(c)
 	var buff []byte
-	if buff, err = hostNameRewrite(rd, rewriteHost); err != nil {
+	remoteIP := strings.Split(c.RemoteAddr().String(), ":")[0]
+	if buff, err = hostNameRewrite(rd, rewriteHost, remoteIP); err != nil {
 		return sc, err
 	}
 	err = sc.WriteBuff(buff)
 	return sc, err
 }

-func hostNameRewrite(request io.Reader, rewriteHost string) (_ []byte, err error) {
+func hostNameRewrite(request io.Reader, rewriteHost string, remoteIP string) (_ []byte, err error) {
 	buf := pool.GetBuf(1024)
 	defer pool.PutBuf(buf)

-	request.Read(buf)
-	retBuffer, err := parseRequest(buf, rewriteHost)
+	var n int
+	n, err = request.Read(buf)
+	if err != nil {
+		return
+	}
+	retBuffer, err := parseRequest(buf[:n], rewriteHost, remoteIP)
 	return retBuffer, err
 }

-func parseRequest(org []byte, rewriteHost string) (ret []byte, err error) {
+func parseRequest(org []byte, rewriteHost string, remoteIP string) (ret []byte, err error) {
 	tp := bytes.NewBuffer(org)
 	// First line: GET /index.html HTTP/1.0
 	var b []byte
@@ -106,10 +111,19 @@ func parseRequest(org []byte, rewriteHost string) (ret []byte, err error) {
 	//  GET /index.html HTTP/1.1
 	//  Host: www.google.com
 	if req.URL.Host == "" {
-		changedBuf, err := changeHostName(tp, rewriteHost)
+		var changedBuf []byte
+		if rewriteHost != "" {
+			changedBuf, err = changeHostName(tp, rewriteHost)
+		}
 		buf := new(bytes.Buffer)
 		buf.Write(b)
-		buf.Write(changedBuf)
+		buf.WriteString(fmt.Sprintf("X-Forwarded-For: %s\r\n", remoteIP))
+		buf.WriteString(fmt.Sprintf("X-Real-IP: %s\r\n", remoteIP))
+		if len(changedBuf) == 0 {
+			tp.WriteTo(buf)
+		} else {
+			buf.Write(changedBuf)
+		}
 		return buf.Bytes(), err
 	}

@@ -117,18 +131,21 @@ func parseRequest(org []byte, rewriteHost string) (ret []byte, err error) {
 	// GET http://www.google.com/index.html HTTP/1.1
 	// Host: doesntmatter
 	// In this case, any Host line is ignored.
-	hostPort := strings.Split(req.URL.Host, ":")
-	if len(hostPort) == 1 {
-		req.URL.Host = rewriteHost
-	} else if len(hostPort) == 2 {
-		req.URL.Host = fmt.Sprintf("%s:%s", rewriteHost, hostPort[1])
+	if rewriteHost != "" {
+		hostPort := strings.Split(req.URL.Host, ":")
+		if len(hostPort) == 1 {
+			req.URL.Host = rewriteHost
+		} else if len(hostPort) == 2 {
+			req.URL.Host = fmt.Sprintf("%s:%s", rewriteHost, hostPort[1])
+		}
 	}
 	firstLine := req.Method + " " + req.URL.String() + " " + req.Proto
 	buf := new(bytes.Buffer)
 	buf.WriteString(firstLine)
+	buf.WriteString(fmt.Sprintf("X-Forwarded-For: %s\r\n", remoteIP))
+	buf.WriteString(fmt.Sprintf("X-Real-IP: %s\r\n", remoteIP))
 	tp.WriteTo(buf)
 	return buf.Bytes(), err
-
 }

 // parseRequestLine parses "GET /foo HTTP/1.1" into its three parts.
@@ -162,9 +179,9 @@ func changeHostName(buff *bytes.Buffer, rewriteHost string) (_ []byte, err error
 			var hostHeader string
 			portPos := bytes.IndexByte(kv[j+1:], ':')
 			if portPos == -1 {
-				hostHeader = fmt.Sprintf("Host: %s\n", rewriteHost)
+				hostHeader = fmt.Sprintf("Host: %s\r\n", rewriteHost)
 			} else {
-				hostHeader = fmt.Sprintf("Host: %s:%s\n", rewriteHost, kv[portPos+1:])
+				hostHeader = fmt.Sprintf("Host: %s:%s\r\n", rewriteHost, kv[j+portPos+2:])
 			}
 			retBuf.WriteString(hostHeader)
 			peek = peek[i+1:]
--- a/utils/vhost/https.go
+++ b/utils/vhost/https.go
@@ -108,7 +108,7 @@ func readHandshake(rd io.Reader) (host string, err error) {
 		return
 	}
 	if len(data) < 2 {
-		err = fmt.Errorf("readHandshake: extension dataLen[%d] is too short")
+		err = fmt.Errorf("readHandshake: extension dataLen[%d] is too short", len(data))
 		return
 	}

@@ -179,7 +179,7 @@ func readHandshake(rd io.Reader) (host string, err error) {

 func GetHttpsHostname(c frpNet.Conn) (sc frpNet.Conn, _ map[string]string, err error) {
 	reqInfoMap := make(map[string]string, 0)
-	sc, rd := newShareConn(c)
+	sc, rd := frpNet.NewShareConn(c)
 	host, err := readHandshake(rd)
 	if err != nil {
 		return sc, reqInfoMap, err
--- a/utils/vhost/newhttp.go
+++ b/utils/vhost/newhttp.go
@@ -0,0 +1,191 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package vhost
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"log"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	frpLog "github.com/fatedier/frp/utils/log"
+	"github.com/fatedier/frp/utils/pool"
+)
+
+var (
+	responseHeaderTimeout = time.Duration(30) * time.Second
+
+	ErrRouterConfigConflict = errors.New("router config conflict")
+	ErrNoDomain             = errors.New("no such domain")
+)
+
+func getHostFromAddr(addr string) (host string) {
+	strs := strings.Split(addr, ":")
+	if len(strs) > 1 {
+		host = strs[0]
+	} else {
+		host = addr
+	}
+	return
+}
+
+type HttpReverseProxy struct {
+	proxy *ReverseProxy
+	tr    *http.Transport
+
+	vhostRouter *VhostRouters
+
+	cfgMu sync.RWMutex
+}
+
+func NewHttpReverseProxy() *HttpReverseProxy {
+	rp := &HttpReverseProxy{
+		vhostRouter: NewVhostRouters(),
+	}
+	proxy := &ReverseProxy{
+		Director: func(req *http.Request) {
+			req.URL.Scheme = "http"
+			url := req.Context().Value("url").(string)
+			host := getHostFromAddr(req.Context().Value("host").(string))
+			host = rp.GetRealHost(host, url)
+			if host != "" {
+				req.Host = host
+			}
+			req.URL.Host = req.Host
+		},
+		Transport: &http.Transport{
+			ResponseHeaderTimeout: responseHeaderTimeout,
+			DisableKeepAlives:     true,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				url := ctx.Value("url").(string)
+				host := getHostFromAddr(ctx.Value("host").(string))
+				return rp.CreateConnection(host, url)
+			},
+		},
+		WebSocketDialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			url := ctx.Value("url").(string)
+			host := getHostFromAddr(ctx.Value("host").(string))
+			return rp.CreateConnection(host, url)
+		},
+		BufferPool: newWrapPool(),
+		ErrorLog:   log.New(newWrapLogger(), "", 0),
+	}
+	rp.proxy = proxy
+	return rp
+}
+
+func (rp *HttpReverseProxy) Register(routeCfg VhostRouteConfig) error {
+	rp.cfgMu.Lock()
+	defer rp.cfgMu.Unlock()
+	_, ok := rp.vhostRouter.Exist(routeCfg.Domain, routeCfg.Location)
+	if ok {
+		return ErrRouterConfigConflict
+	} else {
+		rp.vhostRouter.Add(routeCfg.Domain, routeCfg.Location, &routeCfg)
+	}
+	return nil
+}
+
+func (rp *HttpReverseProxy) UnRegister(domain string, location string) {
+	rp.cfgMu.Lock()
+	defer rp.cfgMu.Unlock()
+	rp.vhostRouter.Del(domain, location)
+}
+
+func (rp *HttpReverseProxy) GetRealHost(domain string, location string) (host string) {
+	vr, ok := rp.getVhost(domain, location)
+	if ok {
+		host = vr.payload.(*VhostRouteConfig).RewriteHost
+	}
+	return
+}
+
+func (rp *HttpReverseProxy) CreateConnection(domain string, location string) (net.Conn, error) {
+	vr, ok := rp.getVhost(domain, location)
+	if ok {
+		fn := vr.payload.(*VhostRouteConfig).CreateConnFn
+		if fn != nil {
+			return fn()
+		}
+	}
+	return nil, ErrNoDomain
+}
+
+func (rp *HttpReverseProxy) CheckAuth(domain, location, user, passwd string) bool {
+	vr, ok := rp.getVhost(domain, location)
+	if ok {
+		checkUser := vr.payload.(*VhostRouteConfig).Username
+		checkPasswd := vr.payload.(*VhostRouteConfig).Password
+		if (checkUser != "" || checkPasswd != "") && (checkUser != user || checkPasswd != passwd) {
+			return false
+		}
+	}
+	return true
+}
+
+func (rp *HttpReverseProxy) getVhost(domain string, location string) (vr *VhostRouter, ok bool) {
+	rp.cfgMu.RLock()
+	defer rp.cfgMu.RUnlock()
+
+	// first we check the full hostname
+	// if not exist, then check the wildcard_domain such as *.example.com
+	vr, ok = rp.vhostRouter.Get(domain, location)
+	if ok {
+		return
+	}
+
+	domainSplit := strings.Split(domain, ".")
+	if len(domainSplit) < 3 {
+		return vr, false
+	}
+	domainSplit[0] = "*"
+	domain = strings.Join(domainSplit, ".")
+	vr, ok = rp.vhostRouter.Get(domain, location)
+	return
+}
+
+func (rp *HttpReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	domain := getHostFromAddr(req.Host)
+	location := req.URL.Path
+	user, passwd, _ := req.BasicAuth()
+	if !rp.CheckAuth(domain, location, user, passwd) {
+		rw.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+		http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		return
+	}
+	rp.proxy.ServeHTTP(rw, req)
+}
+
+type wrapPool struct{}
+
+func newWrapPool() *wrapPool { return &wrapPool{} }
+
+func (p *wrapPool) Get() []byte { return pool.GetBuf(32 * 1024) }
+
+func (p *wrapPool) Put(buf []byte) { pool.PutBuf(buf) }
+
+type wrapLogger struct{}
+
+func newWrapLogger() *wrapLogger { return &wrapLogger{} }
+
+func (l *wrapLogger) Write(p []byte) (n int, err error) {
+	frpLog.Warn("%s", string(bytes.TrimRight(p, "\n")))
+	return len(p), nil
+}
--- a/utils/vhost/resource.go
+++ b/utils/vhost/resource.go
@@ -0,0 +1,63 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package vhost
+
+import (
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/fatedier/frp/utils/version"
+)
+
+const (
+	NotFound = `<!DOCTYPE html>
+<html>
+<head>
+<title>Not Found</title>
+<style>
+    body {
+        width: 35em;
+        margin: 0 auto;
+        font-family: Tahoma, Verdana, Arial, sans-serif;
+    }
+</style>
+</head>
+<body>
+<h1>The page you visit not found.</h1>
+<p>Sorry, the page you are looking for is currently unavailable.<br/>
+Please try again later.</p>
+<p>The server is powered by <a href="https://github.com/fatedier/frp">frp</a>.</p>
+<p><em>Faithfully yours, frp.</em></p>
+</body>
+</html>
+`
+)
+
+func notFoundResponse() *http.Response {
+	header := make(http.Header)
+	header.Set("server", "frp/"+version.Full())
+	header.Set("Content-Type", "text/html")
+	res := &http.Response{
+		Status:     "Not Found",
+		StatusCode: 404,
+		Proto:      "HTTP/1.0",
+		ProtoMajor: 1,
+		ProtoMinor: 0,
+		Header:     header,
+		Body:       ioutil.NopCloser(strings.NewReader(NotFound)),
+	}
+	return res
+}
--- a/utils/vhost/reverseproxy.go
+++ b/utils/vhost/reverseproxy.go
@@ -0,0 +1,429 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// HTTP reverse proxy handler
+
+package vhost
+
+import (
+	"context"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	frpIo "github.com/fatedier/frp/utils/io"
+)
+
+// onExitFlushLoop is a callback set by tests to detect the state of the
+// flushLoop() goroutine.
+var onExitFlushLoop func()
+
+// ReverseProxy is an HTTP Handler that takes an incoming request and
+// sends it to another server, proxying the response back to the
+// client.
+type ReverseProxy struct {
+	// Director must be a function which modifies
+	// the request into a new request to be sent
+	// using Transport. Its response is then copied
+	// back to the original client unmodified.
+	// Director must not access the provided Request
+	// after returning.
+	Director func(*http.Request)
+
+	// The transport used to perform proxy requests.
+	// If nil, http.DefaultTransport is used.
+	Transport http.RoundTripper
+
+	// FlushInterval specifies the flush interval
+	// to flush to the client while copying the
+	// response body.
+	// If zero, no periodic flushing is done.
+	FlushInterval time.Duration
+
+	// ErrorLog specifies an optional logger for errors
+	// that occur when attempting to proxy the request.
+	// If nil, logging goes to os.Stderr via the log package's
+	// standard logger.
+	ErrorLog *log.Logger
+
+	// BufferPool optionally specifies a buffer pool to
+	// get byte slices for use by io.CopyBuffer when
+	// copying HTTP response bodies.
+	BufferPool BufferPool
+
+	// ModifyResponse is an optional function that
+	// modifies the Response from the backend.
+	// If it returns an error, the proxy returns a StatusBadGateway error.
+	ModifyResponse func(*http.Response) error
+
+	WebSocketDialContext func(ctx context.Context, network, addr string) (net.Conn, error)
+}
+
+// A BufferPool is an interface for getting and returning temporary
+// byte slices for use by io.CopyBuffer.
+type BufferPool interface {
+	Get() []byte
+	Put([]byte)
+}
+
+func singleJoiningSlash(a, b string) string {
+	aslash := strings.HasSuffix(a, "/")
+	bslash := strings.HasPrefix(b, "/")
+	switch {
+	case aslash && bslash:
+		return a + b[1:]
+	case !aslash && !bslash:
+		return a + "/" + b
+	}
+	return a + b
+}
+
+// NewSingleHostReverseProxy returns a new ReverseProxy that routes
+// URLs to the scheme, host, and base path provided in target. If the
+// target's path is "/base" and the incoming request was for "/dir",
+// the target request will be for /base/dir.
+// NewSingleHostReverseProxy does not rewrite the Host header.
+// To rewrite Host headers, use ReverseProxy directly with a custom
+// Director policy.
+func NewSingleHostReverseProxy(target *url.URL) *ReverseProxy {
+	targetQuery := target.RawQuery
+	director := func(req *http.Request) {
+		req.URL.Scheme = target.Scheme
+		req.URL.Host = target.Host
+		req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
+		if targetQuery == "" || req.URL.RawQuery == "" {
+			req.URL.RawQuery = targetQuery + req.URL.RawQuery
+		} else {
+			req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
+		}
+		if _, ok := req.Header["User-Agent"]; !ok {
+			// explicitly disable User-Agent so it's not set to default value
+			req.Header.Set("User-Agent", "")
+		}
+	}
+	return &ReverseProxy{Director: director}
+}
+
+func copyHeader(dst, src http.Header) {
+	for k, vv := range src {
+		for _, v := range vv {
+			dst.Add(k, v)
+		}
+	}
+}
+
+func cloneHeader(h http.Header) http.Header {
+	h2 := make(http.Header, len(h))
+	for k, vv := range h {
+		vv2 := make([]string, len(vv))
+		copy(vv2, vv)
+		h2[k] = vv2
+	}
+	return h2
+}
+
+// Hop-by-hop headers. These are removed when sent to the backend.
+// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
+var hopHeaders = []string{
+	"Connection",
+	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+	"Keep-Alive",
+	"Proxy-Authenticate",
+	"Proxy-Authorization",
+	"Te",      // canonicalized version of "TE"
+	"Trailer", // not Trailers per URL above; http://www.rfc-editor.org/errata_search.php?eid=4522
+	"Transfer-Encoding",
+	"Upgrade",
+}
+
+func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	if IsWebsocketRequest(req) {
+		p.serveWebSocket(rw, req)
+	} else {
+		p.serveHTTP(rw, req)
+	}
+}
+
+func (p *ReverseProxy) serveWebSocket(rw http.ResponseWriter, req *http.Request) {
+	if p.WebSocketDialContext == nil {
+		rw.WriteHeader(500)
+		return
+	}
+
+	req = req.WithContext(context.WithValue(req.Context(), "url", req.URL.Path))
+	req = req.WithContext(context.WithValue(req.Context(), "host", req.Host))
+
+	targetConn, err := p.WebSocketDialContext(req.Context(), "tcp", "")
+	if err != nil {
+		rw.WriteHeader(501)
+		return
+	}
+	defer targetConn.Close()
+
+	p.Director(req)
+
+	hijacker, ok := rw.(http.Hijacker)
+	if !ok {
+		rw.WriteHeader(500)
+		return
+	}
+	conn, _, errHijack := hijacker.Hijack()
+	if errHijack != nil {
+		rw.WriteHeader(500)
+		return
+	}
+	defer conn.Close()
+
+	req.Write(targetConn)
+	frpIo.Join(conn, targetConn)
+}
+
+func (p *ReverseProxy) serveHTTP(rw http.ResponseWriter, req *http.Request) {
+	transport := p.Transport
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+
+	ctx := req.Context()
+	if cn, ok := rw.(http.CloseNotifier); ok {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithCancel(ctx)
+		defer cancel()
+		notifyChan := cn.CloseNotify()
+		go func() {
+			select {
+			case <-notifyChan:
+				cancel()
+			case <-ctx.Done():
+			}
+		}()
+	}
+
+	outreq := req.WithContext(ctx) // includes shallow copies of maps, but okay
+	if req.ContentLength == 0 {
+		outreq.Body = nil // Issue 16036: nil Body for http.Transport retries
+	}
+
+	outreq.Header = cloneHeader(req.Header)
+
+	// Modify for frp
+	outreq = outreq.WithContext(context.WithValue(outreq.Context(), "url", req.URL.Path))
+	outreq = outreq.WithContext(context.WithValue(outreq.Context(), "host", req.Host))
+
+	p.Director(outreq)
+	outreq.Close = false
+
+	// Remove hop-by-hop headers listed in the "Connection" header.
+	// See RFC 2616, section 14.10.
+	if c := outreq.Header.Get("Connection"); c != "" {
+		for _, f := range strings.Split(c, ",") {
+			if f = strings.TrimSpace(f); f != "" {
+				outreq.Header.Del(f)
+			}
+		}
+	}
+
+	// Remove hop-by-hop headers to the backend. Especially
+	// important is "Connection" because we want a persistent
+	// connection, regardless of what the client sent to us.
+	for _, h := range hopHeaders {
+		if outreq.Header.Get(h) != "" {
+			outreq.Header.Del(h)
+		}
+	}
+
+	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+		// If we aren't the first proxy retain prior
+		// X-Forwarded-For information as a comma+space
+		// separated list and fold multiple headers into one.
+		if prior, ok := outreq.Header["X-Forwarded-For"]; ok {
+			clientIP = strings.Join(prior, ", ") + ", " + clientIP
+		}
+		outreq.Header.Set("X-Forwarded-For", clientIP)
+	}
+
+	res, err := transport.RoundTrip(outreq)
+	if err != nil {
+		p.logf("http: proxy error: %v", err)
+		rw.WriteHeader(http.StatusNotFound)
+		rw.Write([]byte(NotFound))
+		return
+	}
+
+	// Remove hop-by-hop headers listed in the
+	// "Connection" header of the response.
+	if c := res.Header.Get("Connection"); c != "" {
+		for _, f := range strings.Split(c, ",") {
+			if f = strings.TrimSpace(f); f != "" {
+				res.Header.Del(f)
+			}
+		}
+	}
+
+	for _, h := range hopHeaders {
+		res.Header.Del(h)
+	}
+
+	if p.ModifyResponse != nil {
+		if err := p.ModifyResponse(res); err != nil {
+			p.logf("http: proxy error: %v", err)
+			rw.WriteHeader(http.StatusBadGateway)
+			return
+		}
+	}
+
+	copyHeader(rw.Header(), res.Header)
+
+	// The "Trailer" header isn't included in the Transport's response,
+	// at least for *http.Transport. Build it up from Trailer.
+	announcedTrailers := len(res.Trailer)
+	if announcedTrailers > 0 {
+		trailerKeys := make([]string, 0, len(res.Trailer))
+		for k := range res.Trailer {
+			trailerKeys = append(trailerKeys, k)
+		}
+		rw.Header().Add("Trailer", strings.Join(trailerKeys, ", "))
+	}
+
+	rw.WriteHeader(res.StatusCode)
+	if len(res.Trailer) > 0 {
+		// Force chunking if we saw a response trailer.
+		// This prevents net/http from calculating the length for short
+		// bodies and adding a Content-Length.
+		if fl, ok := rw.(http.Flusher); ok {
+			fl.Flush()
+		}
+	}
+	p.copyResponse(rw, res.Body)
+	res.Body.Close() // close now, instead of defer, to populate res.Trailer
+
+	if len(res.Trailer) == announcedTrailers {
+		copyHeader(rw.Header(), res.Trailer)
+		return
+	}
+
+	for k, vv := range res.Trailer {
+		k = http.TrailerPrefix + k
+		for _, v := range vv {
+			rw.Header().Add(k, v)
+		}
+	}
+}
+
+func (p *ReverseProxy) copyResponse(dst io.Writer, src io.Reader) {
+	if p.FlushInterval != 0 {
+		if wf, ok := dst.(writeFlusher); ok {
+			mlw := &maxLatencyWriter{
+				dst:     wf,
+				latency: p.FlushInterval,
+				done:    make(chan bool),
+			}
+			go mlw.flushLoop()
+			defer mlw.stop()
+			dst = mlw
+		}
+	}
+
+	var buf []byte
+	if p.BufferPool != nil {
+		buf = p.BufferPool.Get()
+	}
+	p.copyBuffer(dst, src, buf)
+	if p.BufferPool != nil {
+		p.BufferPool.Put(buf)
+	}
+}
+
+func (p *ReverseProxy) copyBuffer(dst io.Writer, src io.Reader, buf []byte) (int64, error) {
+	if len(buf) == 0 {
+		buf = make([]byte, 32*1024)
+	}
+	var written int64
+	for {
+		nr, rerr := src.Read(buf)
+		if rerr != nil && rerr != io.EOF && rerr != context.Canceled {
+			p.logf("httputil: ReverseProxy read error during body copy: %v", rerr)
+		}
+		if nr > 0 {
+			nw, werr := dst.Write(buf[:nr])
+			if nw > 0 {
+				written += int64(nw)
+			}
+			if werr != nil {
+				return written, werr
+			}
+			if nr != nw {
+				return written, io.ErrShortWrite
+			}
+		}
+		if rerr != nil {
+			return written, rerr
+		}
+	}
+}
+
+func (p *ReverseProxy) logf(format string, args ...interface{}) {
+	if p.ErrorLog != nil {
+		p.ErrorLog.Printf(format, args...)
+	} else {
+		log.Printf(format, args...)
+	}
+}
+
+type writeFlusher interface {
+	io.Writer
+	http.Flusher
+}
+
+type maxLatencyWriter struct {
+	dst     writeFlusher
+	latency time.Duration
+
+	mu   sync.Mutex // protects Write + Flush
+	done chan bool
+}
+
+func (m *maxLatencyWriter) Write(p []byte) (int, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.dst.Write(p)
+}
+
+func (m *maxLatencyWriter) flushLoop() {
+	t := time.NewTicker(m.latency)
+	defer t.Stop()
+	for {
+		select {
+		case <-m.done:
+			if onExitFlushLoop != nil {
+				onExitFlushLoop()
+			}
+			return
+		case <-t.C:
+			m.mu.Lock()
+			m.dst.Flush()
+			m.mu.Unlock()
+		}
+	}
+}
+
+func (m *maxLatencyWriter) stop() { m.done <- true }
+
+func IsWebsocketRequest(req *http.Request) bool {
+	containsHeader := func(name, value string) bool {
+		items := strings.Split(req.Header.Get(name), ",")
+		for _, item := range items {
+			if value == strings.ToLower(strings.TrimSpace(item)) {
+				return true
+			}
+		}
+		return false
+	}
+	return containsHeader("Connection", "upgrade") && containsHeader("Upgrade", "websocket")
+}
--- a/utils/vhost/router.go
+++ b/utils/vhost/router.go
@@ -14,7 +14,8 @@ type VhostRouters struct {
 type VhostRouter struct {
 	domain   string
 	location string
-	listener *Listener
+
+	payload interface{}
 }

 func NewVhostRouters() *VhostRouters {
@@ -23,7 +24,7 @@ func NewVhostRouters() *VhostRouters {
 	}
 }

-func (r *VhostRouters) Add(domain, location string, l *Listener) {
+func (r *VhostRouters) Add(domain, location string, payload interface{}) {
 	r.mutex.Lock()
 	defer r.mutex.Unlock()

@@ -35,7 +36,7 @@ func (r *VhostRouters) Add(domain, location string, l *Listener) {
 	vr := &VhostRouter{
 		domain:   domain,
 		location: location,
-		listener: l,
+		payload:  payload,
 	}
 	vrs = append(vrs, vr)

--- a/utils/vhost/vhost.go
+++ b/utils/vhost/vhost.go
@@ -13,13 +13,12 @@
 package vhost

 import (
-	"bytes"
 	"fmt"
-	"io"
 	"strings"
 	"sync"
 	"time"

+	"github.com/fatedier/frp/utils/errors"
 	"github.com/fatedier/frp/utils/log"
 	frpNet "github.com/fatedier/frp/utils/net"
 )
@@ -51,12 +50,16 @@ func NewVhostMuxer(listener frpNet.Listener, vhostFunc muxFunc, authFunc httpAut
 	return mux, nil
 }

+type CreateConnFunc func() (frpNet.Conn, error)
+
 type VhostRouteConfig struct {
 	Domain      string
 	Location    string
 	RewriteHost string
 	Username    string
 	Password    string
+
+	CreateConnFn CreateConnFunc
 }

 // listen for a new domain name, if rewriteHost is not empty  and rewriteFunc is not nil
@@ -92,7 +95,7 @@ func (v *VhostMuxer) getListener(name, path string) (l *Listener, exist bool) {
 	// if not exist, then check the wildcard_domain such as *.example.com
 	vr, found := v.registryRouter.Get(name, path)
 	if found {
-		return vr.listener, true
+		return vr.payload.(*Listener), true
 	}

 	domainSplit := strings.Split(name, ".")
@@ -107,7 +110,7 @@ func (v *VhostMuxer) getListener(name, path string) (l *Listener, exist bool) {
 		return
 	}

-	return vr.listener, true
+	return vr.payload.(*Listener), true
 }

 func (v *VhostMuxer) run() {
@@ -128,7 +131,7 @@ func (v *VhostMuxer) handle(c frpNet.Conn) {

 	sConn, reqInfoMap, err := v.vhostFunc(c)
 	if err != nil {
-		log.Error("get hostname from http/https request error: %v", err)
+		log.Warn("get hostname from http/https request error: %v", err)
 		c.Close()
 		return
 	}
@@ -137,17 +140,19 @@ func (v *VhostMuxer) handle(c frpNet.Conn) {
 	path := strings.ToLower(reqInfoMap["Path"])
 	l, ok := v.getListener(name, path)
 	if !ok {
+		res := notFoundResponse()
+		res.Write(c)
 		log.Debug("http request for host [%s] path [%s] not found", name, path)
 		c.Close()
 		return
 	}

 	// if authFunc is exist and userName/password is set
-	// verify user access
+	// then verify user access
 	if l.mux.authFunc != nil && l.userName != "" && l.passWord != "" {
 		bAccess, err := l.mux.authFunc(c, l.userName, l.passWord, reqInfoMap["Authorization"])
 		if bAccess == false || err != nil {
-			l.Debug("check Authorization failed")
+			l.Debug("check http Authorization failed")
 			res := noAuthResponse()
 			res.Write(c)
 			c.Close()
@@ -162,7 +167,12 @@ func (v *VhostMuxer) handle(c frpNet.Conn) {
 	c = sConn

 	l.Debug("get new http request host [%s] path [%s]", name, path)
-	l.accept <- c
+	err = errors.PanicToError(func() {
+		l.accept <- c
+	})
+	if err != nil {
+		l.Warn("listener is already closed, ignore this request")
+	}
 }

 type Listener struct {
@@ -182,9 +192,10 @@ func (l *Listener) Accept() (frpNet.Conn, error) {
 		return nil, fmt.Errorf("Listener closed")
 	}

-	// if rewriteFunc is exist and rewriteHost is set
+	// if rewriteFunc is exist
 	// rewrite http requests with a modified host header
-	if l.mux.rewriteFunc != nil && l.rewriteHost != "" {
+	// if l.rewriteHost is empty, nothing to do
+	if l.mux.rewriteFunc != nil {
 		sConn, err := l.mux.rewriteFunc(conn, l.rewriteHost)
 		if err != nil {
 			l.Warn("host header rewrite failed: %v", err)
@@ -209,45 +220,3 @@ func (l *Listener) Close() error {
 func (l *Listener) Name() string {
 	return l.name
 }
-
-type sharedConn struct {
-	frpNet.Conn
-	sync.Mutex
-	buff *bytes.Buffer
-}
-
-// the bytes you read in io.Reader, will be reserved in sharedConn
-func newShareConn(conn frpNet.Conn) (*sharedConn, io.Reader) {
-	sc := &sharedConn{
-		Conn: conn,
-		buff: bytes.NewBuffer(make([]byte, 0, 1024)),
-	}
-	return sc, io.TeeReader(conn, sc.buff)
-}
-
-func (sc *sharedConn) Read(p []byte) (n int, err error) {
-	sc.Lock()
-	if sc.buff == nil {
-		sc.Unlock()
-		return sc.Conn.Read(p)
-	}
-	sc.Unlock()
-	n, err = sc.buff.Read(p)
-
-	if err == io.EOF {
-		sc.Lock()
-		sc.buff = nil
-		sc.Unlock()
-		var n2 int
-		n2, err = sc.Conn.Read(p[n:])
-
-		n += n2
-	}
-	return
-}
-
-func (sc *sharedConn) WriteBuff(buffer []byte) (err error) {
-	sc.buff.Reset()
-	_, err = sc.buff.Write(buffer)
-	return err
-}
--- a/vendor/github.com/armon/go-socks5/.gitignore
+++ b/vendor/github.com/armon/go-socks5/.gitignore
@@ -0,0 +1,22 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
--- a/vendor/github.com/armon/go-socks5/.travis.yml
+++ b/vendor/github.com/armon/go-socks5/.travis.yml
@@ -0,0 +1,4 @@
+language: go
+go:
+  - 1.1
+  - tip
--- a/vendor/github.com/armon/go-socks5/LICENSE
+++ b/vendor/github.com/armon/go-socks5/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Armon Dadgar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/vendor/github.com/armon/go-socks5/README.md
+++ b/vendor/github.com/armon/go-socks5/README.md
@@ -0,0 +1,45 @@
+go-socks5 [![Build Status](https://travis-ci.org/armon/go-socks5.png)](https://travis-ci.org/armon/go-socks5)
+=========
+
+Provides the `socks5` package that implements a [SOCKS5 server](http://en.wikipedia.org/wiki/SOCKS).
+SOCKS (Secure Sockets) is used to route traffic between a client and server through
+an intermediate proxy layer. This can be used to bypass firewalls or NATs.
+
+Feature
+=======
+
+The package has the following features:
+* "No Auth" mode
+* User/Password authentication
+* Support for the CONNECT command
+* Rules to do granular filtering of commands
+* Custom DNS resolution
+* Unit tests
+
+TODO
+====
+
+The package still needs the following:
+* Support for the BIND command
+* Support for the ASSOCIATE command
+
+
+Example
+=======
+
+Below is a simple example of usage
+
+```go
+// Create a SOCKS5 server
+conf := &socks5.Config{}
+server, err := socks5.New(conf)
+if err != nil {
+  panic(err)
+}
+
+// Create SOCKS5 proxy on localhost port 8000
+if err := server.ListenAndServe("tcp", "127.0.0.1:8000"); err != nil {
+  panic(err)
+}
+```
+
--- a/vendor/github.com/armon/go-socks5/auth.go
+++ b/vendor/github.com/armon/go-socks5/auth.go
@@ -0,0 +1,151 @@
+package socks5
+
+import (
+	"fmt"
+	"io"
+)
+
+const (
+	NoAuth          = uint8(0)
+	noAcceptable    = uint8(255)
+	UserPassAuth    = uint8(2)
+	userAuthVersion = uint8(1)
+	authSuccess     = uint8(0)
+	authFailure     = uint8(1)
+)
+
+var (
+	UserAuthFailed  = fmt.Errorf("User authentication failed")
+	NoSupportedAuth = fmt.Errorf("No supported authentication mechanism")
+)
+
+// A Request encapsulates authentication state provided
+// during negotiation
+type AuthContext struct {
+	// Provided auth method
+	Method uint8
+	// Payload provided during negotiation.
+	// Keys depend on the used auth method.
+	// For UserPassauth contains Username
+	Payload map[string]string
+}
+
+type Authenticator interface {
+	Authenticate(reader io.Reader, writer io.Writer) (*AuthContext, error)
+	GetCode() uint8
+}
+
+// NoAuthAuthenticator is used to handle the "No Authentication" mode
+type NoAuthAuthenticator struct{}
+
+func (a NoAuthAuthenticator) GetCode() uint8 {
+	return NoAuth
+}
+
+func (a NoAuthAuthenticator) Authenticate(reader io.Reader, writer io.Writer) (*AuthContext, error) {
+	_, err := writer.Write([]byte{socks5Version, NoAuth})
+	return &AuthContext{NoAuth, nil}, err
+}
+
+// UserPassAuthenticator is used to handle username/password based
+// authentication
+type UserPassAuthenticator struct {
+	Credentials CredentialStore
+}
+
+func (a UserPassAuthenticator) GetCode() uint8 {
+	return UserPassAuth
+}
+
+func (a UserPassAuthenticator) Authenticate(reader io.Reader, writer io.Writer) (*AuthContext, error) {
+	// Tell the client to use user/pass auth
+	if _, err := writer.Write([]byte{socks5Version, UserPassAuth}); err != nil {
+		return nil, err
+	}
+
+	// Get the version and username length
+	header := []byte{0, 0}
+	if _, err := io.ReadAtLeast(reader, header, 2); err != nil {
+		return nil, err
+	}
+
+	// Ensure we are compatible
+	if header[0] != userAuthVersion {
+		return nil, fmt.Errorf("Unsupported auth version: %v", header[0])
+	}
+
+	// Get the user name
+	userLen := int(header[1])
+	user := make([]byte, userLen)
+	if _, err := io.ReadAtLeast(reader, user, userLen); err != nil {
+		return nil, err
+	}
+
+	// Get the password length
+	if _, err := reader.Read(header[:1]); err != nil {
+		return nil, err
+	}
+
+	// Get the password
+	passLen := int(header[0])
+	pass := make([]byte, passLen)
+	if _, err := io.ReadAtLeast(reader, pass, passLen); err != nil {
+		return nil, err
+	}
+
+	// Verify the password
+	if a.Credentials.Valid(string(user), string(pass)) {
+		if _, err := writer.Write([]byte{userAuthVersion, authSuccess}); err != nil {
+			return nil, err
+		}
+	} else {
+		if _, err := writer.Write([]byte{userAuthVersion, authFailure}); err != nil {
+			return nil, err
+		}
+		return nil, UserAuthFailed
+	}
+
+	// Done
+	return &AuthContext{UserPassAuth, map[string]string{"Username": string(user)}}, nil
+}
+
+// authenticate is used to handle connection authentication
+func (s *Server) authenticate(conn io.Writer, bufConn io.Reader) (*AuthContext, error) {
+	// Get the methods
+	methods, err := readMethods(bufConn)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get auth methods: %v", err)
+	}
+
+	// Select a usable method
+	for _, method := range methods {
+		cator, found := s.authMethods[method]
+		if found {
+			return cator.Authenticate(bufConn, conn)
+		}
+	}
+
+	// No usable method found
+	return nil, noAcceptableAuth(conn)
+}
+
+// noAcceptableAuth is used to handle when we have no eligible
+// authentication mechanism
+func noAcceptableAuth(conn io.Writer) error {
+	conn.Write([]byte{socks5Version, noAcceptable})
+	return NoSupportedAuth
+}
+
+// readMethods is used to read the number of methods
+// and proceeding auth methods
+func readMethods(r io.Reader) ([]byte, error) {
+	header := []byte{0}
+	if _, err := r.Read(header); err != nil {
+		return nil, err
+	}
+
+	numMethods := int(header[0])
+	methods := make([]byte, numMethods)
+	_, err := io.ReadAtLeast(r, methods, numMethods)
+	return methods, err
+}
--- a/vendor/github.com/armon/go-socks5/auth_test.go
+++ b/vendor/github.com/armon/go-socks5/auth_test.go
@@ -0,0 +1,119 @@
+package socks5
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestNoAuth(t *testing.T) {
+	req := bytes.NewBuffer(nil)
+	req.Write([]byte{1, NoAuth})
+	var resp bytes.Buffer
+
+	s, _ := New(&Config{})
+	ctx, err := s.authenticate(&resp, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if ctx.Method != NoAuth {
+		t.Fatal("Invalid Context Method")
+	}
+
+	out := resp.Bytes()
+	if !bytes.Equal(out, []byte{socks5Version, NoAuth}) {
+		t.Fatalf("bad: %v", out)
+	}
+}
+
+func TestPasswordAuth_Valid(t *testing.T) {
+	req := bytes.NewBuffer(nil)
+	req.Write([]byte{2, NoAuth, UserPassAuth})
+	req.Write([]byte{1, 3, 'f', 'o', 'o', 3, 'b', 'a', 'r'})
+	var resp bytes.Buffer
+
+	cred := StaticCredentials{
+		"foo": "bar",
+	}
+
+	cator := UserPassAuthenticator{Credentials: cred}
+
+	s, _ := New(&Config{AuthMethods: []Authenticator{cator}})
+
+	ctx, err := s.authenticate(&resp, req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if ctx.Method != UserPassAuth {
+		t.Fatal("Invalid Context Method")
+	}
+
+	val, ok := ctx.Payload["Username"]
+	if !ok {
+		t.Fatal("Missing key Username in auth context's payload")
+	}
+
+	if val != "foo" {
+		t.Fatal("Invalid Username in auth context's payload")
+	}
+
+	out := resp.Bytes()
+	if !bytes.Equal(out, []byte{socks5Version, UserPassAuth, 1, authSuccess}) {
+		t.Fatalf("bad: %v", out)
+	}
+}
+
+func TestPasswordAuth_Invalid(t *testing.T) {
+	req := bytes.NewBuffer(nil)
+	req.Write([]byte{2, NoAuth, UserPassAuth})
+	req.Write([]byte{1, 3, 'f', 'o', 'o', 3, 'b', 'a', 'z'})
+	var resp bytes.Buffer
+
+	cred := StaticCredentials{
+		"foo": "bar",
+	}
+	cator := UserPassAuthenticator{Credentials: cred}
+	s, _ := New(&Config{AuthMethods: []Authenticator{cator}})
+
+	ctx, err := s.authenticate(&resp, req)
+	if err != UserAuthFailed {
+		t.Fatalf("err: %v", err)
+	}
+
+	if ctx != nil {
+		t.Fatal("Invalid Context Method")
+	}
+
+	out := resp.Bytes()
+	if !bytes.Equal(out, []byte{socks5Version, UserPassAuth, 1, authFailure}) {
+		t.Fatalf("bad: %v", out)
+	}
+}
+
+func TestNoSupportedAuth(t *testing.T) {
+	req := bytes.NewBuffer(nil)
+	req.Write([]byte{1, NoAuth})
+	var resp bytes.Buffer
+
+	cred := StaticCredentials{
+		"foo": "bar",
+	}
+	cator := UserPassAuthenticator{Credentials: cred}
+
+	s, _ := New(&Config{AuthMethods: []Authenticator{cator}})
+
+	ctx, err := s.authenticate(&resp, req)
+	if err != NoSupportedAuth {
+		t.Fatalf("err: %v", err)
+	}
+
+	if ctx != nil {
+		t.Fatal("Invalid Context Method")
+	}
+
+	out := resp.Bytes()
+	if !bytes.Equal(out, []byte{socks5Version, noAcceptable}) {
+		t.Fatalf("bad: %v", out)
+	}
+}
--- a/vendor/github.com/armon/go-socks5/credentials.go
+++ b/vendor/github.com/armon/go-socks5/credentials.go
@@ -0,0 +1,17 @@
+package socks5
+
+// CredentialStore is used to support user/pass authentication
+type CredentialStore interface {
+	Valid(user, password string) bool
+}
+
+// StaticCredentials enables using a map directly as a credential store
+type StaticCredentials map[string]string
+
+func (s StaticCredentials) Valid(user, password string) bool {
+	pass, ok := s[user]
+	if !ok {
+		return false
+	}
+	return password == pass
+}
--- a/vendor/github.com/armon/go-socks5/credentials_test.go
+++ b/vendor/github.com/armon/go-socks5/credentials_test.go
@@ -0,0 +1,24 @@
+package socks5
+
+import (
+	"testing"
+)
+
+func TestStaticCredentials(t *testing.T) {
+	creds := StaticCredentials{
+		"foo": "bar",
+		"baz": "",
+	}
+
+	if !creds.Valid("foo", "bar") {
+		t.Fatalf("expect valid")
+	}
+
+	if !creds.Valid("baz", "") {
+		t.Fatalf("expect valid")
+	}
+
+	if creds.Valid("foo", "") {
+		t.Fatalf("expect invalid")
+	}
+}
--- a/vendor/github.com/armon/go-socks5/request.go
+++ b/vendor/github.com/armon/go-socks5/request.go
@@ -0,0 +1,364 @@
+package socks5
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"strings"
+
+	"golang.org/x/net/context"
+)
+
+const (
+	ConnectCommand   = uint8(1)
+	BindCommand      = uint8(2)
+	AssociateCommand = uint8(3)
+	ipv4Address      = uint8(1)
+	fqdnAddress      = uint8(3)
+	ipv6Address      = uint8(4)
+)
+
+const (
+	successReply uint8 = iota
+	serverFailure
+	ruleFailure
+	networkUnreachable
+	hostUnreachable
+	connectionRefused
+	ttlExpired
+	commandNotSupported
+	addrTypeNotSupported
+)
+
+var (
+	unrecognizedAddrType = fmt.Errorf("Unrecognized address type")
+)
+
+// AddressRewriter is used to rewrite a destination transparently
+type AddressRewriter interface {
+	Rewrite(ctx context.Context, request *Request) (context.Context, *AddrSpec)
+}
+
+// AddrSpec is used to return the target AddrSpec
+// which may be specified as IPv4, IPv6, or a FQDN
+type AddrSpec struct {
+	FQDN string
+	IP   net.IP
+	Port int
+}
+
+func (a *AddrSpec) String() string {
+	if a.FQDN != "" {
+		return fmt.Sprintf("%s (%s):%d", a.FQDN, a.IP, a.Port)
+	}
+	return fmt.Sprintf("%s:%d", a.IP, a.Port)
+}
+
+// Address returns a string suitable to dial; prefer returning IP-based
+// address, fallback to FQDN
+func (a AddrSpec) Address() string {
+	if 0 != len(a.IP) {
+		return net.JoinHostPort(a.IP.String(), strconv.Itoa(a.Port))
+	}
+	return net.JoinHostPort(a.FQDN, strconv.Itoa(a.Port))
+}
+
+// A Request represents request received by a server
+type Request struct {
+	// Protocol version
+	Version uint8
+	// Requested command
+	Command uint8
+	// AuthContext provided during negotiation
+	AuthContext *AuthContext
+	// AddrSpec of the the network that sent the request
+	RemoteAddr *AddrSpec
+	// AddrSpec of the desired destination
+	DestAddr *AddrSpec
+	// AddrSpec of the actual destination (might be affected by rewrite)
+	realDestAddr *AddrSpec
+	bufConn      io.Reader
+}
+
+type conn interface {
+	Write([]byte) (int, error)
+	RemoteAddr() net.Addr
+}
+
+// NewRequest creates a new Request from the tcp connection
+func NewRequest(bufConn io.Reader) (*Request, error) {
+	// Read the version byte
+	header := []byte{0, 0, 0}
+	if _, err := io.ReadAtLeast(bufConn, header, 3); err != nil {
+		return nil, fmt.Errorf("Failed to get command version: %v", err)
+	}
+
+	// Ensure we are compatible
+	if header[0] != socks5Version {
+		return nil, fmt.Errorf("Unsupported command version: %v", header[0])
+	}
+
+	// Read in the destination address
+	dest, err := readAddrSpec(bufConn)
+	if err != nil {
+		return nil, err
+	}
+
+	request := &Request{
+		Version:  socks5Version,
+		Command:  header[1],
+		DestAddr: dest,
+		bufConn:  bufConn,
+	}
+
+	return request, nil
+}
+
+// handleRequest is used for request processing after authentication
+func (s *Server) handleRequest(req *Request, conn conn) error {
+	ctx := context.Background()
+
+	// Resolve the address if we have a FQDN
+	dest := req.DestAddr
+	if dest.FQDN != "" {
+		ctx_, addr, err := s.config.Resolver.Resolve(ctx, dest.FQDN)
+		if err != nil {
+			if err := sendReply(conn, hostUnreachable, nil); err != nil {
+				return fmt.Errorf("Failed to send reply: %v", err)
+			}
+			return fmt.Errorf("Failed to resolve destination '%v': %v", dest.FQDN, err)
+		}
+		ctx = ctx_
+		dest.IP = addr
+	}
+
+	// Apply any address rewrites
+	req.realDestAddr = req.DestAddr
+	if s.config.Rewriter != nil {
+		ctx, req.realDestAddr = s.config.Rewriter.Rewrite(ctx, req)
+	}
+
+	// Switch on the command
+	switch req.Command {
+	case ConnectCommand:
+		return s.handleConnect(ctx, conn, req)
+	case BindCommand:
+		return s.handleBind(ctx, conn, req)
+	case AssociateCommand:
+		return s.handleAssociate(ctx, conn, req)
+	default:
+		if err := sendReply(conn, commandNotSupported, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Unsupported command: %v", req.Command)
+	}
+}
+
+// handleConnect is used to handle a connect command
+func (s *Server) handleConnect(ctx context.Context, conn conn, req *Request) error {
+	// Check if this is allowed
+	if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
+		if err := sendReply(conn, ruleFailure, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Connect to %v blocked by rules", req.DestAddr)
+	} else {
+		ctx = ctx_
+	}
+
+	// Attempt to connect
+	dial := s.config.Dial
+	if dial == nil {
+		dial = func(ctx context.Context, net_, addr string) (net.Conn, error) {
+			return net.Dial(net_, addr)
+		}
+	}
+	target, err := dial(ctx, "tcp", req.realDestAddr.Address())
+	if err != nil {
+		msg := err.Error()
+		resp := hostUnreachable
+		if strings.Contains(msg, "refused") {
+			resp = connectionRefused
+		} else if strings.Contains(msg, "network is unreachable") {
+			resp = networkUnreachable
+		}
+		if err := sendReply(conn, resp, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Connect to %v failed: %v", req.DestAddr, err)
+	}
+	defer target.Close()
+
+	// Send success
+	local := target.LocalAddr().(*net.TCPAddr)
+	bind := AddrSpec{IP: local.IP, Port: local.Port}
+	if err := sendReply(conn, successReply, &bind); err != nil {
+		return fmt.Errorf("Failed to send reply: %v", err)
+	}
+
+	// Start proxying
+	errCh := make(chan error, 2)
+	go proxy(target, req.bufConn, errCh)
+	go proxy(conn, target, errCh)
+
+	// Wait
+	for i := 0; i < 2; i++ {
+		e := <-errCh
+		if e != nil {
+			// return from this function closes target (and conn).
+			return e
+		}
+	}
+	return nil
+}
+
+// handleBind is used to handle a connect command
+func (s *Server) handleBind(ctx context.Context, conn conn, req *Request) error {
+	// Check if this is allowed
+	if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
+		if err := sendReply(conn, ruleFailure, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Bind to %v blocked by rules", req.DestAddr)
+	} else {
+		ctx = ctx_
+	}
+
+	// TODO: Support bind
+	if err := sendReply(conn, commandNotSupported, nil); err != nil {
+		return fmt.Errorf("Failed to send reply: %v", err)
+	}
+	return nil
+}
+
+// handleAssociate is used to handle a connect command
+func (s *Server) handleAssociate(ctx context.Context, conn conn, req *Request) error {
+	// Check if this is allowed
+	if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
+		if err := sendReply(conn, ruleFailure, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Associate to %v blocked by rules", req.DestAddr)
+	} else {
+		ctx = ctx_
+	}
+
+	// TODO: Support associate
+	if err := sendReply(conn, commandNotSupported, nil); err != nil {
+		return fmt.Errorf("Failed to send reply: %v", err)
+	}
+	return nil
+}
+
+// readAddrSpec is used to read AddrSpec.
+// Expects an address type byte, follwed by the address and port
+func readAddrSpec(r io.Reader) (*AddrSpec, error) {
+	d := &AddrSpec{}
+
+	// Get the address type
+	addrType := []byte{0}
+	if _, err := r.Read(addrType); err != nil {
+		return nil, err
+	}
+
+	// Handle on a per type basis
+	switch addrType[0] {
+	case ipv4Address:
+		addr := make([]byte, 4)
+		if _, err := io.ReadAtLeast(r, addr, len(addr)); err != nil {
+			return nil, err
+		}
+		d.IP = net.IP(addr)
+
+	case ipv6Address:
+		addr := make([]byte, 16)
+		if _, err := io.ReadAtLeast(r, addr, len(addr)); err != nil {
+			return nil, err
+		}
+		d.IP = net.IP(addr)
+
+	case fqdnAddress:
+		if _, err := r.Read(addrType); err != nil {
+			return nil, err
+		}
+		addrLen := int(addrType[0])
+		fqdn := make([]byte, addrLen)
+		if _, err := io.ReadAtLeast(r, fqdn, addrLen); err != nil {
+			return nil, err
+		}
+		d.FQDN = string(fqdn)
+
+	default:
+		return nil, unrecognizedAddrType
+	}
+
+	// Read the port
+	port := []byte{0, 0}
+	if _, err := io.ReadAtLeast(r, port, 2); err != nil {
+		return nil, err
+	}
+	d.Port = (int(port[0]) << 8) | int(port[1])
+
+	return d, nil
+}
+
+// sendReply is used to send a reply message
+func sendReply(w io.Writer, resp uint8, addr *AddrSpec) error {
+	// Format the address
+	var addrType uint8
+	var addrBody []byte
+	var addrPort uint16
+	switch {
+	case addr == nil:
+		addrType = ipv4Address
+		addrBody = []byte{0, 0, 0, 0}
+		addrPort = 0
+
+	case addr.FQDN != "":
+		addrType = fqdnAddress
+		addrBody = append([]byte{byte(len(addr.FQDN))}, addr.FQDN...)
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To4() != nil:
+		addrType = ipv4Address
+		addrBody = []byte(addr.IP.To4())
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To16() != nil:
+		addrType = ipv6Address
+		addrBody = []byte(addr.IP.To16())
+		addrPort = uint16(addr.Port)
+
+	default:
+		return fmt.Errorf("Failed to format address: %v", addr)
+	}
+
+	// Format the message
+	msg := make([]byte, 6+len(addrBody))
+	msg[0] = socks5Version
+	msg[1] = resp
+	msg[2] = 0 // Reserved
+	msg[3] = addrType
+	copy(msg[4:], addrBody)
+	msg[4+len(addrBody)] = byte(addrPort >> 8)
+	msg[4+len(addrBody)+1] = byte(addrPort & 0xff)
+
+	// Send the message
+	_, err := w.Write(msg)
+	return err
+}
+
+type closeWriter interface {
+	CloseWrite() error
+}
+
+// proxy is used to suffle data from src to destination, and sends errors
+// down a dedicated channel
+func proxy(dst io.Writer, src io.Reader, errCh chan error) {
+	_, err := io.Copy(dst, src)
+	if tcpConn, ok := dst.(closeWriter); ok {
+		tcpConn.CloseWrite()
+	}
+	errCh <- err
+}
--- a/vendor/github.com/armon/go-socks5/request_test.go
+++ b/vendor/github.com/armon/go-socks5/request_test.go
@@ -0,0 +1,169 @@
+package socks5
+
+import (
+	"bytes"
+	"encoding/binary"
+	"io"
+	"log"
+	"net"
+	"os"
+	"strings"
+	"testing"
+)
+
+type MockConn struct {
+	buf bytes.Buffer
+}
+
+func (m *MockConn) Write(b []byte) (int, error) {
+	return m.buf.Write(b)
+}
+
+func (m *MockConn) RemoteAddr() net.Addr {
+	return &net.TCPAddr{IP: []byte{127, 0, 0, 1}, Port: 65432}
+}
+
+func TestRequest_Connect(t *testing.T) {
+	// Create a local listener
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	go func() {
+		conn, err := l.Accept()
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		defer conn.Close()
+
+		buf := make([]byte, 4)
+		if _, err := io.ReadAtLeast(conn, buf, 4); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if !bytes.Equal(buf, []byte("ping")) {
+			t.Fatalf("bad: %v", buf)
+		}
+		conn.Write([]byte("pong"))
+	}()
+	lAddr := l.Addr().(*net.TCPAddr)
+
+	// Make server
+	s := &Server{config: &Config{
+		Rules:    PermitAll(),
+		Resolver: DNSResolver{},
+		Logger:   log.New(os.Stdout, "", log.LstdFlags),
+	}}
+
+	// Create the connect request
+	buf := bytes.NewBuffer(nil)
+	buf.Write([]byte{5, 1, 0, 1, 127, 0, 0, 1})
+
+	port := []byte{0, 0}
+	binary.BigEndian.PutUint16(port, uint16(lAddr.Port))
+	buf.Write(port)
+
+	// Send a ping
+	buf.Write([]byte("ping"))
+
+	// Handle the request
+	resp := &MockConn{}
+	req, err := NewRequest(buf)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if err := s.handleRequest(req, resp); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify response
+	out := resp.buf.Bytes()
+	expected := []byte{
+		5,
+		0,
+		0,
+		1,
+		127, 0, 0, 1,
+		0, 0,
+		'p', 'o', 'n', 'g',
+	}
+
+	// Ignore the port for both
+	out[8] = 0
+	out[9] = 0
+
+	if !bytes.Equal(out, expected) {
+		t.Fatalf("bad: %v %v", out, expected)
+	}
+}
+
+func TestRequest_Connect_RuleFail(t *testing.T) {
+	// Create a local listener
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	go func() {
+		conn, err := l.Accept()
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		defer conn.Close()
+
+		buf := make([]byte, 4)
+		if _, err := io.ReadAtLeast(conn, buf, 4); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		if !bytes.Equal(buf, []byte("ping")) {
+			t.Fatalf("bad: %v", buf)
+		}
+		conn.Write([]byte("pong"))
+	}()
+	lAddr := l.Addr().(*net.TCPAddr)
+
+	// Make server
+	s := &Server{config: &Config{
+		Rules:    PermitNone(),
+		Resolver: DNSResolver{},
+		Logger:   log.New(os.Stdout, "", log.LstdFlags),
+	}}
+
+	// Create the connect request
+	buf := bytes.NewBuffer(nil)
+	buf.Write([]byte{5, 1, 0, 1, 127, 0, 0, 1})
+
+	port := []byte{0, 0}
+	binary.BigEndian.PutUint16(port, uint16(lAddr.Port))
+	buf.Write(port)
+
+	// Send a ping
+	buf.Write([]byte("ping"))
+
+	// Handle the request
+	resp := &MockConn{}
+	req, err := NewRequest(buf)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if err := s.handleRequest(req, resp); !strings.Contains(err.Error(), "blocked by rules") {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify response
+	out := resp.buf.Bytes()
+	expected := []byte{
+		5,
+		2,
+		0,
+		1,
+		0, 0, 0, 0,
+		0, 0,
+	}
+
+	if !bytes.Equal(out, expected) {
+		t.Fatalf("bad: %v %v", out, expected)
+	}
+}
--- a/vendor/github.com/armon/go-socks5/resolver.go
+++ b/vendor/github.com/armon/go-socks5/resolver.go
@@ -0,0 +1,23 @@
+package socks5
+
+import (
+	"net"
+
+	"golang.org/x/net/context"
+)
+
+// NameResolver is used to implement custom name resolution
+type NameResolver interface {
+	Resolve(ctx context.Context, name string) (context.Context, net.IP, error)
+}
+
+// DNSResolver uses the system DNS to resolve host names
+type DNSResolver struct{}
+
+func (d DNSResolver) Resolve(ctx context.Context, name string) (context.Context, net.IP, error) {
+	addr, err := net.ResolveIPAddr("ip", name)
+	if err != nil {
+		return ctx, nil, err
+	}
+	return ctx, addr.IP, err
+}
--- a/vendor/github.com/armon/go-socks5/resolver_test.go
+++ b/vendor/github.com/armon/go-socks5/resolver_test.go
@@ -0,0 +1,21 @@
+package socks5
+
+import (
+	"testing"
+
+	"golang.org/x/net/context"
+)
+
+func TestDNSResolver(t *testing.T) {
+	d := DNSResolver{}
+	ctx := context.Background()
+
+	_, addr, err := d.Resolve(ctx, "localhost")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !addr.IsLoopback() {
+		t.Fatalf("expected loopback")
+	}
+}
--- a/vendor/github.com/armon/go-socks5/ruleset.go
+++ b/vendor/github.com/armon/go-socks5/ruleset.go
@@ -0,0 +1,41 @@
+package socks5
+
+import (
+	"golang.org/x/net/context"
+)
+
+// RuleSet is used to provide custom rules to allow or prohibit actions
+type RuleSet interface {
+	Allow(ctx context.Context, req *Request) (context.Context, bool)
+}
+
+// PermitAll returns a RuleSet which allows all types of connections
+func PermitAll() RuleSet {
+	return &PermitCommand{true, true, true}
+}
+
+// PermitNone returns a RuleSet which disallows all types of connections
+func PermitNone() RuleSet {
+	return &PermitCommand{false, false, false}
+}
+
+// PermitCommand is an implementation of the RuleSet which
+// enables filtering supported commands
+type PermitCommand struct {
+	EnableConnect   bool
+	EnableBind      bool
+	EnableAssociate bool
+}
+
+func (p *PermitCommand) Allow(ctx context.Context, req *Request) (context.Context, bool) {
+	switch req.Command {
+	case ConnectCommand:
+		return ctx, p.EnableConnect
+	case BindCommand:
+		return ctx, p.EnableBind
+	case AssociateCommand:
+		return ctx, p.EnableAssociate
+	}
+
+	return ctx, false
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
fatedier	1325c59a4c	Merge pull request #672 from fatedier/dev bump version to v0.16.1	2018-03-21 18:09:39 +08:00
fatedier	82dc1e924f	vhost: typo fix	2018-03-21 18:06:43 +08:00
fatedier	3166bdf3f0	bump version to v0.16.1	2018-03-21 18:00:31 +08:00
fatedier	8af70c8822	update go version to go1.10	2018-03-21 11:52:11 +08:00
fatedier	87763e8251	Merge pull request #670 from fatedier/new some fix	2018-03-21 11:45:48 +08:00
fatedier	e9241aeb94	udp proxy: fix #652	2018-03-19 20:22:15 +08:00
fatedier	2eaf134042	Merge pull request #646 from travisghansen/dev build freebsd packages	2018-02-27 23:14:15 +08:00
Travis Glenn Hansen	1739e012d6	build freebsd packages	2018-02-26 21:00:55 -07:00
fatedier	9e8980429f	typo	2018-02-07 11:39:30 +08:00
fatedier	1d0865ca49	statsConn: avoid repetition of close function	2018-02-01 11:15:35 +08:00
fatedier	5c9909aeef	typo	2018-01-30 22:07:16 +08:00
fatedier	456ce09061	Merge pull request #630 from fatedier/dev bump version to v0.16.0	2018-01-30 00:04:02 +08:00
fatedier	ffc13b704a	update version	2018-01-30 00:00:05 +08:00
fatedier	5d239127bb	Merge pull request #629 from fatedier/new new feature	2018-01-29 23:58:55 +08:00
fatedier	9b990adf96	frpc: add proxy status 'wait start'	2018-01-29 23:51:46 +08:00
fatedier	44e8108910	ci: add test case for range ports mapping	2018-01-29 23:13:10 +08:00
fatedier	1c35e9a0c6	doc: update	2018-01-29 23:05:17 +08:00
fatedier	8e719ff0ff	frps: new params max_ports_per_client	2018-01-26 14:56:55 +08:00
fatedier	637ddbce1f	frpc: udpate proxies check and start logic	2018-01-26 00:23:48 +08:00
fatedier	ce8fde793c	new feature: range section for mapping range ports	2018-01-25 23:05:07 +08:00
fatedier	eede31c064	doc: about static_file plugin	2018-01-24 23:27:03 +08:00
fatedier	41c41789b6	plugin: socks5 support user password auth, close #484	2018-01-24 23:06:38 +08:00
fatedier	68dfc89bce	plugin: new plugin static_file for getting files by http protocol	2018-01-24 17:49:13 +08:00
fatedier	8690075c0c	Merge pull request #616 from fatedier/dev bump version to v0.15.1	2018-01-23 17:33:48 +08:00
fatedier	33d8816ced	version: to v0.15.1	2018-01-23 17:28:00 +08:00
fatedier	90cd25ac21	Merge pull request #615 from fatedier/ws fix websocket and plugin http_proxy	2018-01-23 17:25:32 +08:00
fatedier	ff28668cf2	ci: add plugin http_proxy test case	2018-01-23 17:11:59 +08:00
fatedier	a6f2736b80	fix plugin http_proxy error	2018-01-23 16:31:59 +08:00
fatedier	902f6f84a5	ci: add test for websocket	2018-01-23 14:49:04 +08:00
fatedier	cf9193a429	newhttp: support websocket	2018-01-23 01:29:52 +08:00
fatedier	3f64d73ea9	ci: add subdomain test case	2018-01-22 14:16:46 +08:00
fatedier	a77c7e8625	server: change MIN_PORT from 1024 to 1	2018-01-22 11:48:31 +08:00
fatedier	14733dd109	Merge pull request #608 from fatedier/dev bump version to 0.15.0	2018-01-18 16:49:55 +08:00
fatedier	74b75e8c57	Merge pull request #607 from fatedier/doc doc: update	2018-01-18 16:46:33 +08:00
fatedier	63e6e0dc92	doc: update	2018-01-18 16:43:03 +08:00
fatedier	4d4a738aa9	web: update assets	2018-01-18 15:26:30 +08:00
fatedier	1ed130e704	version: to v0.15.0	2018-01-18 15:08:16 +08:00
fatedier	2e773d550b	Merge pull request #606 from fatedier/test tests: more ci case	2018-01-18 15:04:03 +08:00
fatedier	e155ff056e	tests: more ci case	2018-01-18 14:53:44 +08:00
fatedier	37210d9983	Merge branch 'dev' of github.com:fatedier/frp into dev	2018-01-18 00:46:21 +08:00
fatedier	338d5bae37	fix panic when using socks5 plugin with encryption and compression, fix #446	2018-01-18 00:45:11 +08:00
fatedier	3e62198612	Merge pull request #604 from fatedier/http fix new http no traffic stats, fix #590	2018-01-17 23:28:48 +08:00
fatedier	4f7dfcdb31	fix new http no traffic stats, fix #590	2018-01-17 23:17:15 +08:00
fatedier	5b08201e5d	Merge pull request #603 from fatedier/test add test cases and new feature assgin a random port if remote_port is 0	2018-01-17 22:45:02 +08:00
fatedier	b2c846664d	new feature: assign a random port if remote_port is 0 in type tcp and udp	2018-01-17 22:18:34 +08:00
fatedier	3f6799c06a	add remoteAddr in NewProxyResp message	2018-01-17 15:01:26 +08:00
fatedier	9a5f0c23c4	fix ci	2018-01-17 01:18:40 +08:00
fatedier	afde0c515c	packages: add package github.com/rodaine/table	2018-01-17 01:15:34 +08:00
fatedier	584e098e8e	frpc: add status command	2018-01-17 01:09:33 +08:00
fatedier	37395b3ef5	Merge pull request #596 from NemoAlex/patch-2 Use sans-serif font in web	2018-01-10 10:36:28 +08:00
NemoAlex	43fb3f3ff7	Use sans-serif font in web	2018-01-08 13:56:51 +08:00
fatedier	82b127494c	Merge pull request #576 from gtt116/master Close connection if frpc can't connection to local server	2017-12-26 14:51:02 +08:00
gtt116	4d79648657	Close connection if frpc can't connection to local server Now, when frpc can't connect to local server it leaves the connection alone, the patch fix it. Fixed #575	2017-12-26 14:39:07 +08:00
fatedier	3bb404dfb5	more test case	2017-12-18 19:35:09 +08:00
fatedier	ff4bdec3f7	add test case	2017-12-16 23:59:46 +08:00
fatedier	69f8b08ac0	update role error log info	2017-12-16 21:56:13 +08:00
fatedier	d873df5ca8	let role default value to 'server'	2017-12-15 11:40:08 +08:00
fatedier	a384bf5580	Merge pull request #564 from fatedier/dev bump version to v0.14.1	2017-12-14 22:28:25 +08:00
fatedier	92046a7ca2	Merge pull request #561 from fatedier/http improve http vhost package	2017-12-13 23:48:18 +08:00
fatedier	4cc5ddc012	newhttp support BasicAuth	2017-12-13 23:44:27 +08:00
fatedier	46358d466d	support encryption and compression in new http reverser proxy	2017-12-13 04:28:58 +08:00
fatedier	7da61f004b	improve http vhost package	2017-12-13 03:27:43 +08:00
fatedier	63037f1c65	typo fix	2017-12-11 22:46:45 +08:00
fatedier	cc160995da	improve error role log info	2017-12-11 16:21:17 +08:00
fatedier	de48d97cb2	fix kcp port print error	2017-12-11 01:36:47 +08:00
fatedier	1a6a179b68	visitor: fix panic	2017-12-05 22:26:53 +08:00
fatedier	3a2946a2ff	Merge pull request #549 from fatedier/dev bump version to v0.14.0	2017-12-05 01:42:00 +08:00
fatedier	ae9a4623d9	Merge pull request #548 from fatedier/doc update doc and fix vistor -> visitor	2017-12-05 01:38:03 +08:00
fatedier	bd1e9a3010	update doc and fix vistor -> visitor	2017-12-05 01:34:33 +08:00
fatedier	92fff5c191	Merge pull request #539 from timerever/dev add custom dashboard bind address	2017-11-29 10:34:36 +08:00
timerever	8c65b337ca	add custom dashboard bind address	2017-11-28 15:56:34 +08:00
fatedier	0f1005ff61	using glide	2017-11-01 16:21:57 +08:00
fatedier	ad858a0d32	prevent sending on a closed channel in vhost package, fix #502	2017-11-01 10:51:30 +08:00
fatedier	1e905839f0	update kcp connection options	2017-10-25 03:02:25 +08:00
fatedier	bf50f932d9	update version to v0.14.0	2017-10-25 02:55:36 +08:00
fatedier	673047be2c	Merge pull request #496 from fatedier/0.14 xtcp for p2p communication	2017-10-24 13:54:32 -05:00
fatedier	fa2b9a836c	fix xtcp encryption	2017-10-25 02:49:56 +08:00
fatedier	9e0fd0c4ef	add packages	2017-10-25 02:29:04 +08:00
fatedier	0559865fe5	support xtcp for making nat hole	2017-10-25 01:27:04 +08:00
fatedier	4fc85a36c2	Merge pull request #486 from xiaox0321/patch-1 Update version.go	2017-10-20 04:12:47 -05:00
xiaox0321	3f1174a519	Update version.go Optimize duplicate code	2017-10-20 15:58:03 +08:00
fatedier	bcbdfcb99b	Merge pull request #473 from Hyduan/master doc: fix spelling error	2017-09-27 11:55:17 -05:00
Hyduan	df046bdeeb	doc: fix spelling error	2017-09-26 21:06:28 +08:00
fatedier	f83447c652	Merge pull request #461 from dvrkps/patch-1 travis: add 1.x to go versions	2017-09-11 06:04:14 -05:00
Davor Kapsa	9ae69b4aac	travis: add 1.x to go versions	2017-09-11 12:41:33 +02:00
fatedier	c48a89731a	Merge pull request #454 from GeorgeYuen/diamondyuan add Dockerfile_multiple_build	2017-09-06 01:07:36 -05:00
袁凡迪	36b58ab60c	add Dockerfile_multiple_build	2017-09-06 12:51:29 +08:00
fatedier	6320f15a7c	typo for default config file name used for frpc	2017-07-19 22:56:12 +08:00
fatedier	066172e9c1	Merge pull request #403 from fatedier/dev bump version to v0.13.0	2017-07-16 13:20:42 -05:00
fatedier	d5931758b6	fix user in reload command	2017-07-17 02:14:30 +08:00
fatedier	c75c3acd21	Merge pull request #402 from fatedier/doc update doc for v0.13.0	2017-07-16 13:12:06 -05:00
fatedier	0208ecd1d9	update doc for v0.13.0	2017-07-17 02:09:51 +08:00
fatedier	23e9845e65	Merge pull request #401 from fatedier/0.13 merge 0.13	2017-07-14 23:13:42 +08:00
fatedier	2b1ba3a946	update conf	2017-07-13 12:01:46 +08:00
fatedier	ee9ddf52cd	frpc: support --reload command	2017-07-13 02:30:25 +08:00
fatedier	d246400a71	frpc: add admin server for reload configure file	2017-07-13 02:20:49 +08:00
fatedier	f63a4f0cdd	frps: new parameter 'proxy_bind_addr'	2017-07-05 01:40:01 +08:00
fatedier	b743b5aaed	Merge pull request #390 from lukazh/patch-1 Update README.md	2017-07-05 01:27:41 +08:00
Lukaz	9d9416ab94	Update README.md fix a typo	2017-07-04 23:05:24 +08:00
fatedier	c081df40e1	vendor: add github.com/armon/go-socks5	2017-07-01 16:09:09 +08:00
fatedier	fe32a7c4bb	doc: update	2017-07-01 16:03:13 +08:00
fatedier	7bb8c10647	plugin: add socks5 plugin	2017-07-01 15:56:48 +08:00
fatedier	0752508469	vhost: a bug fix of reading request	2017-07-01 12:13:44 +08:00
fatedier	4cc1663a5f	vhost: add real ip in first request of one connection 1. fix #248 host_header_rewrite bug 2. close #270, #127	2017-07-01 01:54:37 +08:00
fatedier	b55a24a27e	update mutex used in frpc control	2017-06-27 23:31:02 +08:00
fatedier	aede4e54f8	close all proxies if protocol = kcp	2017-06-27 01:59:30 +08:00
fatedier	b811a620c3	vhost: fix 404 page	2017-06-26 22:24:47 +08:00
fatedier	07fe05a9d5	update version to v0.13.0	2017-06-26 20:57:10 +08:00
fatedier	171bc8dd22	new proxy type: stcp(secret tcp)	2017-06-26 03:02:33 +08:00
fatedier	9c175d4eb5	Merge pull request #380 from IanSmith123/fixbug fix backquote	2017-06-24 13:19:43 +08:00
Iansmith's win10	9f736558e2	fix backquote	2017-06-24 12:17:09 +08:00
fatedier	8f071dd2c2	Merge pull request #375 from fangqiuming/fangqiuming-patch-1 Fix dockerfile	2017-06-21 18:50:47 +08:00
方秋鸣	bcaf51a6ad	Fix dockerfile Fix incorrect filenames	2017-06-21 14:46:24 +08:00
fatedier	ad3cf9a64a	Merge pull request #372 from fatedier/dev bump verson to v0.12.0	2017-06-19 21:36:51 +08:00
fatedier	e3fc73dbc5	update doc	2017-06-17 18:01:08 +08:00
fatedier	f884e894f2	Merge pull request #363 from fatedier/doc update doc	2017-06-13 12:44:47 -05:00
fatedier	d57ed7d3d8	update doc	2017-06-14 01:40:20 +08:00
fatedier	a2c318d24c	update kcp mode	2017-06-13 23:36:10 +08:00
fatedier	32f8745d61	Merge pull request #360 from fatedier/doc update doc	2017-06-11 13:46:33 -05:00
fatedier	66120fe49d	update doc	2017-06-12 02:41:25 +08:00
fatedier	fca7f42b37	msg: new message CloseProxy	2017-06-11 17:22:05 +08:00
fatedier	5b303f5148	vhost: return 404 not found page if domain doesn't exist	2017-06-11 16:23:00 +08:00
fatedier	2a044c9d6d	http_proxy: fix error using encryption or compression	2017-06-09 02:13:24 +08:00
fatedier	70e2aee46d	format	2017-06-09 01:33:57 +08:00
fatedier	6742fa2ea8	io: WithCompression resuse snappy.Reader and snappy.Writer	2017-06-08 00:57:33 +08:00
fatedier	511503d34c	io.Copy use pool buffer	2017-06-06 18:48:40 +08:00
fatedier	1eaf17fd05	fix ci	2017-06-06 01:39:06 +08:00
fatedier	04f4fd0a81	proto/tcp: fix unexpected close function, fix #332	2017-06-05 23:52:24 +08:00
fatedier	3a4d769bb3	update packages	2017-06-04 20:52:42 +08:00
fatedier	84341b7fcc	vendor: add kcp-go package	2017-06-04 20:07:03 +08:00
fatedier	80ba931326	support protocol kcp	2017-06-04 19:56:21 +08:00
fatedier	7ebcc7503a	Merge pull request #351 from fatedier/dev update ISSUE_TEMPLATE	2017-06-03 10:50:40 -05:00
fatedier	74cf57feb3	update ISSUE_TEMPLATE	2017-06-03 23:48:38 +08:00
fatedier	712afed0ab	Merge pull request #344 from fatedier/dev bump version to 0.11.0	2017-06-01 10:46:16 -05:00
fatedier	e29a1330ed	dashboard: add proxy start and close time	2017-05-31 02:21:15 +08:00
fatedier	44971c7918	dashboard: use gzip for static files, resolve #333	2017-05-31 01:44:18 +08:00
fatedier	7bc6c72844	dashboard: fix dashboard auth error, fix #339	2017-05-31 01:07:51 +08:00
fatedier	93461e0094	Merge pull request #340 from fatedier/http_proxy plugin: add http_proxy	2017-05-30 03:12:16 -05:00
fatedier	03d55201b2	plugin: add http_proxy	2017-05-30 16:10:21 +08:00
fatedier	e6d82f3162	Merge pull request #336 from bingtianbaihua/refactoring add http proxy	2017-05-27 06:27:53 -05:00
ambitioner	1af6276be9	modify	2017-05-26 21:20:54 +08:00
ambitioner	d1f5ec083a	add http proxy add http proxy add proxy code add proxy	2017-05-26 20:57:03 +08:00
fatedier	716ec281f6	net: add WrapReadWriteCloserConn	2017-05-26 14:17:46 +08:00
fatedier	67bfae5d23	dashboard: add frps version in Overview page	2017-05-26 12:05:39 +08:00
fatedier	f0dc3ed47b	metric: clear useless proxy statistics data	2017-05-26 02:00:00 +08:00
fatedier	08b0885564	Merge pull request #335 from fatedier/start client: add start params	2017-05-24 12:50:23 -05:00
fatedier	49b503c17b	client: add start params Proxy names specified in 'start' params divided by ',' will be started. If it is empty or not defined, all proxies will be started.	2017-05-25 01:45:38 +08:00
fatedier	150682ec63	Merge pull request #334 from fatedier/start client: add login_fail_exit params, default is true	2017-05-24 12:16:02 -05:00
fatedier	4dc96f41c9	client: add login_fail_exit params, default is true if login_fail_exit is false, when frpc first login to server failed, it will continues relogin to server every 30 seconds.	2017-05-25 01:10:58 +08:00
fatedier	6c13b6d37a	net: fix HTTP_PROXY include escape characters error, fix #275	2017-05-23 02:10:36 +08:00
fatedier	1c04de380d	Merge pull request #328 from fatedier/plugin new feature plugin and unix domian socket plugin	2017-05-22 01:12:14 -05:00
fatedier	738e5dad22	new feature plugin and unix domian socket plugin	2017-05-22 00:15:18 +08:00