web: ensure npm install runs before build (#5154 )

bump version to 0.67.0 (#5146 )
web/frpc: redesign dashboard (#5145 )
2026-02-04 12:55:24 +08:00 · 2026-01-31 13:49:29 +08:00 · 2026-01-31 12:43:31 +08:00 · 2026-01-31 02:18:35 +08:00 · 2026-01-27 02:56:57 +08:00 · 2026-01-27 02:45:57 +08:00
179 changed files with 21855 additions and 7969 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -2,10 +2,18 @@ version: 2
 jobs:
  go-version-latest:
    docker:
-    - image: cimg/go:1.23-node
+    - image: cimg/go:1.24-node
    resource_class: large
    steps:
    - checkout
    - run:
        name: Build web assets (frps)
        command: make install build
        working_directory: web/frps
    - run:
        name: Build web assets (frpc)
        command: make install build
        working_directory: web/frpc
    - run: make
    - run: make alltest
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -17,8 +17,17 @@ jobs:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: '1.23'
+        go-version: '1.24'
        cache: false
    - uses: actions/setup-node@v4
      with:
        node-version: '22'
    - name: Build web assets (frps)
      run: make build
      working-directory: web/frps
    - name: Build web assets (frpc)
      run: make build
      working-directory: web/frpc
    - name: golangci-lint
      uses: golangci/golangci-lint-action@v8
      with:
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@ -15,14 +15,22 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.23'
+          go-version: '1.24'
-          
+      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Build web assets (frps)
        run: make build
        working-directory: web/frps
      - name: Build web assets (frpc)
        run: make build
        working-directory: web/frpc
      - name: Make All
        run: |
          ./package.sh
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: release --clean --release-notes=./Release.md
--- a/.golangci.yml
+++ b/.golangci.yml
@ -39,6 +39,7 @@ linters:
      - G404
      - G501
      - G115
      - G204
      severity: low
      confidence: low
    govet:
--- a/21
+++ b/21
@ -2,19 +2,22 @@ export PATH := $(PATH):`go env GOPATH`/bin
 export GO111MODULE=on
 LDFLAGS := -s -w
-all: env fmt build
+.PHONY: web frps-web frpc-web frps frpc
 all: env fmt web build
 build: frps frpc
 env:
 	@go version
-# compile assets into binary file
+web: frps-web frpc-web
-file:
+
-	rm -rf ./assets/frps/static/*
+frps-web:
-	rm -rf ./assets/frpc/static/*
+	$(MAKE) -C web/frps build
-	cp -rf ./web/frps/dist/* ./assets/frps/static
+
-	cp -rf ./web/frpc/dist/* ./assets/frpc/static
+frpc-web:
 	$(MAKE) -C web/frpc build
 fmt:
 	go fmt ./...
@ -25,7 +28,7 @@ fmt-more:
 gci:
 	gci write -s standard -s default -s "prefix(github.com/fatedier/frp/)" ./
-vet:
+vet: web
 	go vet ./...
 frps:
@ -36,7 +39,7 @@ frpc:
 test: gotest
-gotest:
+gotest: web
 	go test -v --cover ./assets/...
 	go test -v --cover ./cmd/...
 	go test -v --cover ./client/...
--- a/README.md
+++ b/README.md
@ -14,14 +14,15 @@ frp is an open source project with its ongoing development made possible entirel
 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
 <p align="center">
-  <a href="https://go.warp.dev/frp" target="_blank">
+  <a href="https://requestly.com/?utm_source=github&utm_medium=partnered&utm_campaign=frp" target="_blank">
-    <img width="360px" src="https://raw.githubusercontent.com/warpdotdev/brand-assets/refs/heads/main/Github/Sponsor/Warp-Github-LG-01.png">
+    <img width="480px" src="https://github.com/user-attachments/assets/24670320-997d-4d62-9bca-955c59fe883d">
    <br>
-    <b>Warp, the intelligent terminal</b>
+    <b>Requestly - Free & Open-Source alternative to Postman</b>
    <br>
-	<sub>Available for macOS, Linux and Windows</sub>
+    <sub>All-in-one platform to Test, Mock and Intercept APIs.</sub>
  </a>
 </p>
 <p align="center">
  <a href="https://jb.gg/frp" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
@ -29,13 +30,7 @@ frp is an open source project with its ongoing development made possible entirel
 	<b>The complete IDE crafted for professional Go developers</b>
  </a>
 </p>
-<p align="center">
+
  <a href="https://github.com/daytonaio/daytona" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
 	<br>
 	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/beclab/Olares" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
@ -45,6 +40,15 @@ frp is an open source project with its ongoing development made possible entirel
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
 <div align="center">
 ## Recall.ai - API for meeting recordings
 If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
 an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
 </div>
 <!--gold sponsors end-->
 ## What is frp?
@ -519,7 +523,7 @@ name = "ssh"
 type = "tcp"
 localIP = "127.0.0.1"
 localPort = 22
-remotePort = "{{ .Envs.FRP_SSH_REMOTE_PORT }}"
+remotePort = {{ .Envs.FRP_SSH_REMOTE_PORT }}
 ```
 With the config above, variables can be passed into `frpc` program like this:
--- a/README_zh.md
+++ b/README_zh.md
@ -15,21 +15,42 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者
 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
 <p align="center">
  <a href="https://requestly.com/?utm_source=github&utm_medium=partnered&utm_campaign=frp" target="_blank">
    <img width="480px" src="https://github.com/user-attachments/assets/24670320-997d-4d62-9bca-955c59fe883d">
    <br>
    <b>Requestly - Free & Open-Source alternative to Postman</b>
    <br>
    <sub>All-in-one platform to Test, Mock and Intercept APIs.</sub>
  </a>
 </p>
 <p align="center">
  <a href="https://jb.gg/frp" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
 	<br>
 	<b>The complete IDE crafted for professional Go developers</b>
  </a>
 </p>
-<p align="center">
+
  <a href="https://github.com/daytonaio/daytona" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/beclab/Olares" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
 	<br>
 	<b>The sovereign cloud that puts you in control</b>
 	<br>
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
 <div align="center">
 ## Recall.ai - API for meeting recordings
 If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
 an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
 </div>
 <!--gold sponsors end-->
 ## 为什么使用 frp ？
@ -102,9 +123,3 @@ frp 是一个免费且开源的项目，我们欢迎任何人为其开发和进
 国内用户可以通过 [爱发电](https://afdian.com/a/fatedier) 赞助我们。
 企业赞助者可以将贵公司的 Logo 以及链接放置在项目 README 文件中。
 ### 知识星球
 如果您想了解更多 frp 相关技术以及更新详解，或者寻求任何 frp 使用方面的帮助，都可以通过微信扫描下方的二维码付费加入知识星球的官方社群：
 ![zsxq](/doc/pic/zsxq.jpg)
--- a/Release.md
+++ b/Release.md
@ -1,7 +1,8 @@
 ## Features
-* Support tokenSource for loading authentication tokens from files.
+* frpc now supports a `clientID` option to uniquely identify client instances. The server dashboard displays all connected clients with their online/offline status, connection history, and metadata, making it easier to monitor and manage multiple frpc deployments.
 * Redesigned the frp web dashboard with a modern UI, dark mode support, and improved navigation.
 ## Fixes
-* Fix SSH tunnel gateway incorrectly binding to proxyBindAddr instead of bindAddr, which caused external connections to fail when proxyBindAddr was set to 127.0.0.1.
+* Fixed UDP proxy protocol sending header on every packet instead of only the first packet of each session.
--- a/assets/assets.go
+++ b/assets/assets.go
@ -41,7 +41,7 @@ func Load(path string) {
 }
 func Register(fileSystem fs.FS) {
-	subFs, err := fs.Sub(fileSystem, "static")
+	subFs, err := fs.Sub(fileSystem, "dist")
 	if err == nil {
 		content = subFs
 	}
--- a/assets/frpc/static/favicon.ico
+++ b/assets/frpc/static/favicon.ico
--- a/assets/frpc/static/index-bLBhaJo8.js
+++ b/assets/frpc/static/index-bLBhaJo8.js
--- a/assets/frpc/static/index-iuf46MlF.css
+++ b/assets/frpc/static/index-iuf46MlF.css
--- a/assets/frpc/static/index.html
+++ b/assets/frpc/static/index.html
@ -1,15 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="utf-8">
    <title>frp client admin UI</title>
  <script type="module" crossorigin src="./index-bLBhaJo8.js"></script>
  <link rel="stylesheet" crossorigin href="./index-iuf46MlF.css">
 </head>
 <body>
    <div id="app"></div>
 </body>
 </html>
--- a/assets/frps/embed.go
+++ b/assets/frps/embed.go
@ -1,14 +0,0 @@
 package frpc
 import (
 	"embed"
 	"github.com/fatedier/frp/assets"
 )
 //go:embed static/*
 var content embed.FS
 func init() {
 	assets.Register(content)
 }
--- a/assets/frps/static/favicon.ico
+++ b/assets/frps/static/favicon.ico
--- a/assets/frps/static/index-82-40HIG.js
+++ b/assets/frps/static/index-82-40HIG.js
--- a/assets/frps/static/index-rzPDshRD.css
+++ b/assets/frps/static/index-rzPDshRD.css
--- a/assets/frps/static/index.html
+++ b/assets/frps/static/index.html
@ -1,15 +0,0 @@
 <!DOCTYPE html>
 <html lang="en" class="dark">
 <head>
    <meta charset="utf-8">
    <title>frps dashboard</title>
  <script type="module" crossorigin src="./index-82-40HIG.js"></script>
  <link rel="stylesheet" crossorigin href="./index-rzPDshRD.css">
 </head>
 <body>
    <div id="app"></div>
 </body>
 </html>
--- a/client/admin_api.go
+++ b/client/admin_api.go
@ -15,44 +15,29 @@
 package client
 import (
 	"cmp"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"os"
 	"slices"
 	"strconv"
 	"time"
 	"github.com/fatedier/frp/client/api"
 	"github.com/fatedier/frp/client/proxy"
 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )
 type GeneralResponse struct {
 	Code int
 	Msg  string
 }
 func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper) {
-	helper.Router.HandleFunc("/healthz", svr.healthz)
+	apiController := newAPIController(svr)
 	// Healthz endpoint without auth
 	helper.Router.HandleFunc("/healthz", healthz)
 	// API routes and static files with auth
 	subRouter := helper.Router.NewRoute().Subrouter()
-
+	subRouter.Use(helper.AuthMiddleware)
-	subRouter.Use(helper.AuthMiddleware.Middleware)
+	subRouter.Use(httppkg.NewRequestLogger)
-
+	subRouter.HandleFunc("/api/reload", httppkg.MakeHTTPHandlerFunc(apiController.Reload)).Methods(http.MethodGet)
-	// api, see admin_api.go
+	subRouter.HandleFunc("/api/stop", httppkg.MakeHTTPHandlerFunc(apiController.Stop)).Methods(http.MethodPost)
-	subRouter.HandleFunc("/api/reload", svr.apiReload).Methods("GET")
+	subRouter.HandleFunc("/api/status", httppkg.MakeHTTPHandlerFunc(apiController.Status)).Methods(http.MethodGet)
-	subRouter.HandleFunc("/api/stop", svr.apiStop).Methods("POST")
+	subRouter.HandleFunc("/api/config", httppkg.MakeHTTPHandlerFunc(apiController.GetConfig)).Methods(http.MethodGet)
-	subRouter.HandleFunc("/api/status", svr.apiStatus).Methods("GET")
+	subRouter.HandleFunc("/api/config", httppkg.MakeHTTPHandlerFunc(apiController.PutConfig)).Methods(http.MethodPut)
 	subRouter.HandleFunc("/api/config", svr.apiGetConfig).Methods("GET")
 	subRouter.HandleFunc("/api/config", svr.apiPutConfig).Methods("PUT")
 	// view
 	subRouter.Handle("/favicon.ico", http.FileServer(helper.AssetsFS)).Methods("GET")
 	subRouter.PathPrefix("/static/").Handler(
 		netpkg.MakeHTTPGzipHandler(http.StripPrefix("/static/", http.FileServer(helper.AssetsFS))),
@ -62,201 +47,28 @@ func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper)
 	})
 }
-// /healthz
+func healthz(w http.ResponseWriter, _ *http.Request) {
-func (svr *Service) healthz(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusOK)
 	w.WriteHeader(200)
 }
-// GET /api/reload
+func newAPIController(svr *Service) *api.Controller {
-func (svr *Service) apiReload(w http.ResponseWriter, r *http.Request) {
+	return api.NewController(api.ControllerParams{
-	res := GeneralResponse{Code: 200}
+		GetProxyStatus: svr.getAllProxyStatus,
-	strictConfigMode := false
+		ServerAddr:     svr.common.ServerAddr,
-	strictStr := r.URL.Query().Get("strictConfig")
+		ConfigFilePath: svr.configFilePath,
-	if strictStr != "" {
+		UnsafeFeatures: svr.unsafeFeatures,
-		strictConfigMode, _ = strconv.ParseBool(strictStr)
+		UpdateConfig:   svr.UpdateAllConfigurer,
-	}
+		GracefulClose:  svr.GracefulClose,
-
+	})
 	log.Infof("api request [/api/reload]")
 	defer func() {
 		log.Infof("api response [/api/reload], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(svr.configFilePath, strictConfigMode)
 	if err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs); err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	if err := svr.UpdateAllConfigurer(proxyCfgs, visitorCfgs); err != nil {
 		res.Code = 500
 		res.Msg = err.Error()
 		log.Warnf("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	log.Infof("success reload conf")
 }
-// POST /api/stop
+// getAllProxyStatus returns all proxy statuses.
-func (svr *Service) apiStop(w http.ResponseWriter, _ *http.Request) {
+func (svr *Service) getAllProxyStatus() []*proxy.WorkingStatus {
 	res := GeneralResponse{Code: 200}
 	log.Infof("api request [/api/stop]")
 	defer func() {
 		log.Infof("api response [/api/stop], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	go svr.GracefulClose(100 * time.Millisecond)
 }
 type StatusResp map[string][]ProxyStatusResp
 type ProxyStatusResp struct {
 	Name       string `json:"name"`
 	Type       string `json:"type"`
 	Status     string `json:"status"`
 	Err        string `json:"err"`
 	LocalAddr  string `json:"local_addr"`
 	Plugin     string `json:"plugin"`
 	RemoteAddr string `json:"remote_addr"`
 }
 func NewProxyStatusResp(status *proxy.WorkingStatus, serverAddr string) ProxyStatusResp {
 	psr := ProxyStatusResp{
 		Name:   status.Name,
 		Type:   status.Type,
 		Status: status.Phase,
 		Err:    status.Err,
 	}
 	baseCfg := status.Cfg.GetBaseConfig()
 	if baseCfg.LocalPort != 0 {
 		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
 	}
 	psr.Plugin = baseCfg.Plugin.Type
 	if status.Err == "" {
 		psr.RemoteAddr = status.RemoteAddr
 		if slices.Contains([]string{"tcp", "udp"}, status.Type) {
 			psr.RemoteAddr = serverAddr + psr.RemoteAddr
 		}
 	}
 	return psr
 }
 // GET /api/status
 func (svr *Service) apiStatus(w http.ResponseWriter, _ *http.Request) {
 	var (
 		buf []byte
 		res StatusResp = make(map[string][]ProxyStatusResp)
 	)
 	log.Infof("http request [/api/status]")
 	defer func() {
 		log.Infof("http response [/api/status]")
 		buf, _ = json.Marshal(&res)
 		_, _ = w.Write(buf)
 	}()
 	svr.ctlMu.RLock()
 	ctl := svr.ctl
 	svr.ctlMu.RUnlock()
 	if ctl == nil {
-		return
+		return nil
 	}
 	ps := ctl.pm.GetAllProxyStatus()
 	for _, status := range ps {
 		res[status.Type] = append(res[status.Type], NewProxyStatusResp(status, svr.common.ServerAddr))
 	}
 	for _, arrs := range res {
 		if len(arrs) <= 1 {
 			continue
 		}
 		slices.SortFunc(arrs, func(a, b ProxyStatusResp) int {
 			return cmp.Compare(a.Name, b.Name)
 		})
 	}
 }
 // GET /api/config
 func (svr *Service) apiGetConfig(w http.ResponseWriter, _ *http.Request) {
 	res := GeneralResponse{Code: 200}
 	log.Infof("http get request [/api/config]")
 	defer func() {
 		log.Infof("http get response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	if svr.configFilePath == "" {
 		res.Code = 400
 		res.Msg = "frpc has no config file path"
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	content, err := os.ReadFile(svr.configFilePath)
 	if err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
 		log.Warnf("load frpc config file error: %s", res.Msg)
 		return
 	}
 	res.Msg = string(content)
 }
 // PUT /api/config
 func (svr *Service) apiPutConfig(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	log.Infof("http put request [/api/config]")
 	defer func() {
 		log.Infof("http put response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	// get new config content
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		res.Code = 400
 		res.Msg = fmt.Sprintf("read request body error: %v", err)
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	if len(body) == 0 {
 		res.Code = 400
 		res.Msg = "body can't be empty"
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	if err := os.WriteFile(svr.configFilePath, body, 0o600); err != nil {
 		res.Code = 500
 		res.Msg = fmt.Sprintf("write content to frpc config file error: %v", err)
 		log.Warnf("%s", res.Msg)
 		return
 	}
 	return ctl.pm.GetAllProxyStatus()
 }
--- a/client/api/controller.go
+++ b/client/api/controller.go
@ -0,0 +1,189 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package api
 import (
 	"cmp"
 	"fmt"
 	"net"
 	"net/http"
 	"os"
 	"slices"
 	"strconv"
 	"time"
 	"github.com/fatedier/frp/client/proxy"
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 // Controller handles HTTP API requests for frpc.
 type Controller struct {
 	// getProxyStatus returns the current proxy status.
 	// Returns nil if the control connection is not established.
 	getProxyStatus func() []*proxy.WorkingStatus
 	// serverAddr is the frps server address for display.
 	serverAddr string
 	// configFilePath is the path to the configuration file.
 	configFilePath string
 	// unsafeFeatures is used for validation.
 	unsafeFeatures *security.UnsafeFeatures
 	// updateConfig updates proxy and visitor configurations.
 	updateConfig func(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error
 	// gracefulClose gracefully stops the service.
 	gracefulClose func(d time.Duration)
 }
 // ControllerParams contains parameters for creating an APIController.
 type ControllerParams struct {
 	GetProxyStatus func() []*proxy.WorkingStatus
 	ServerAddr     string
 	ConfigFilePath string
 	UnsafeFeatures *security.UnsafeFeatures
 	UpdateConfig   func(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error
 	GracefulClose  func(d time.Duration)
 }
 // NewController creates a new Controller.
 func NewController(params ControllerParams) *Controller {
 	return &Controller{
 		getProxyStatus: params.GetProxyStatus,
 		serverAddr:     params.ServerAddr,
 		configFilePath: params.ConfigFilePath,
 		unsafeFeatures: params.UnsafeFeatures,
 		updateConfig:   params.UpdateConfig,
 		gracefulClose:  params.GracefulClose,
 	}
 }
 // Reload handles GET /api/reload
 func (c *Controller) Reload(ctx *httppkg.Context) (any, error) {
 	strictConfigMode := false
 	strictStr := ctx.Query("strictConfig")
 	if strictStr != "" {
 		strictConfigMode, _ = strconv.ParseBool(strictStr)
 	}
 	cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(c.configFilePath, strictConfigMode)
 	if err != nil {
 		log.Warnf("reload frpc proxy config error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
 	}
 	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, c.unsafeFeatures); err != nil {
 		log.Warnf("reload frpc proxy config error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
 	}
 	if err := c.updateConfig(proxyCfgs, visitorCfgs); err != nil {
 		log.Warnf("reload frpc proxy config error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
 	}
 	log.Infof("success reload conf")
 	return nil, nil
 }
 // Stop handles POST /api/stop
 func (c *Controller) Stop(ctx *httppkg.Context) (any, error) {
 	go c.gracefulClose(100 * time.Millisecond)
 	return nil, nil
 }
 // Status handles GET /api/status
 func (c *Controller) Status(ctx *httppkg.Context) (any, error) {
 	res := make(StatusResp)
 	ps := c.getProxyStatus()
 	if ps == nil {
 		return res, nil
 	}
 	for _, status := range ps {
 		res[status.Type] = append(res[status.Type], c.buildProxyStatusResp(status))
 	}
 	for _, arrs := range res {
 		if len(arrs) <= 1 {
 			continue
 		}
 		slices.SortFunc(arrs, func(a, b ProxyStatusResp) int {
 			return cmp.Compare(a.Name, b.Name)
 		})
 	}
 	return res, nil
 }
 // GetConfig handles GET /api/config
 func (c *Controller) GetConfig(ctx *httppkg.Context) (any, error) {
 	if c.configFilePath == "" {
 		return nil, httppkg.NewError(http.StatusBadRequest, "frpc has no config file path")
 	}
 	content, err := os.ReadFile(c.configFilePath)
 	if err != nil {
 		log.Warnf("load frpc config file error: %s", err.Error())
 		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
 	}
 	return string(content), nil
 }
 // PutConfig handles PUT /api/config
 func (c *Controller) PutConfig(ctx *httppkg.Context) (any, error) {
 	body, err := ctx.Body()
 	if err != nil {
 		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read request body error: %v", err))
 	}
 	if len(body) == 0 {
 		return nil, httppkg.NewError(http.StatusBadRequest, "body can't be empty")
 	}
 	if err := os.WriteFile(c.configFilePath, body, 0o600); err != nil {
 		return nil, httppkg.NewError(http.StatusInternalServerError, fmt.Sprintf("write content to frpc config file error: %v", err))
 	}
 	return nil, nil
 }
 // buildProxyStatusResp creates a ProxyStatusResp from proxy.WorkingStatus
 func (c *Controller) buildProxyStatusResp(status *proxy.WorkingStatus) ProxyStatusResp {
 	psr := ProxyStatusResp{
 		Name:   status.Name,
 		Type:   status.Type,
 		Status: status.Phase,
 		Err:    status.Err,
 	}
 	baseCfg := status.Cfg.GetBaseConfig()
 	if baseCfg.LocalPort != 0 {
 		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
 	}
 	psr.Plugin = baseCfg.Plugin.Type
 	if status.Err == "" {
 		psr.RemoteAddr = status.RemoteAddr
 		if slices.Contains([]string{"tcp", "udp"}, status.Type) {
 			psr.RemoteAddr = c.serverAddr + psr.RemoteAddr
 		}
 	}
 	return psr
 }
--- a/client/api/types.go
+++ b/client/api/types.go
@ -0,0 +1,29 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package api
 // StatusResp is the response for GET /api/status
 type StatusResp map[string][]ProxyStatusResp
 // ProxyStatusResp contains proxy status information
 type ProxyStatusResp struct {
 	Name       string `json:"name"`
 	Type       string `json:"type"`
 	Status     string `json:"status"`
 	Err        string `json:"err"`
 	LocalAddr  string `json:"local_addr"`
 	Plugin     string `json:"plugin"`
 	RemoteAddr string `json:"remote_addr"`
 }
--- a/client/connector.go
+++ b/client/connector.go
@ -17,7 +17,6 @@ package client
 import (
 	"context"
 	"crypto/tls"
 	"io"
 	"net"
 	"strconv"
 	"strings"
@ -115,7 +114,8 @@ func (c *defaultConnectorImpl) Open() error {
 	fmuxCfg := fmux.DefaultConfig()
 	fmuxCfg.KeepAliveInterval = time.Duration(c.cfg.Transport.TCPMuxKeepaliveInterval) * time.Second
-	fmuxCfg.LogOutput = io.Discard
+	// Use trace level for yamux logs
 	fmuxCfg.LogOutput = xlog.NewTraceWriter(xl)
 	fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
 	session, err := fmux.Client(conn, fmuxCfg)
 	if err != nil {
--- a/client/control.go
+++ b/client/control.go
@ -43,8 +43,8 @@ type SessionContext struct {
 	Conn net.Conn
 	// Indicates whether the connection is encrypted.
 	ConnEncrypted bool
-	// Sets authentication based on selected method
+	// Auth runtime used for login, heartbeats, and encryption.
-	AuthSetter auth.Setter
+	Auth *auth.ClientAuth
 	// Connector is used to create new connections, which could be real TCP connections or virtual streams.
 	Connector Connector
 	// Virtual net controller
@ -91,7 +91,7 @@ func NewControl(ctx context.Context, sessionCtx *SessionContext) (*Control, erro
 	ctl.lastPong.Store(time.Now())
 	if sessionCtx.ConnEncrypted {
-		cryptoRW, err := netpkg.NewCryptoReadWriter(sessionCtx.Conn, []byte(sessionCtx.Common.Auth.Token))
+		cryptoRW, err := netpkg.NewCryptoReadWriter(sessionCtx.Conn, sessionCtx.Auth.EncryptionKey())
 		if err != nil {
 			return nil, err
 		}
@ -100,9 +100,9 @@ func NewControl(ctx context.Context, sessionCtx *SessionContext) (*Control, erro
 		ctl.msgDispatcher = msg.NewDispatcher(sessionCtx.Conn)
 	}
 	ctl.registerMsgHandlers()
-	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher.SendChannel())
+	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher)
-	ctl.pm = proxy.NewManager(ctl.ctx, sessionCtx.Common, ctl.msgTransporter, sessionCtx.VnetController)
+	ctl.pm = proxy.NewManager(ctl.ctx, sessionCtx.Common, sessionCtx.Auth.EncryptionKey(), ctl.msgTransporter, sessionCtx.VnetController)
 	ctl.vm = visitor.NewManager(ctl.ctx, sessionCtx.RunID, sessionCtx.Common,
 		ctl.connectServer, ctl.msgTransporter, sessionCtx.VnetController)
 	return ctl, nil
@ -133,7 +133,7 @@ func (ctl *Control) handleReqWorkConn(_ msg.Message) {
 	m := &msg.NewWorkConn{
 		RunID: ctl.sessionCtx.RunID,
 	}
-	if err = ctl.sessionCtx.AuthSetter.SetNewWorkConn(m); err != nil {
+	if err = ctl.sessionCtx.Auth.Setter.SetNewWorkConn(m); err != nil {
 		xl.Warnf("error during NewWorkConn authentication: %v", err)
 		workConn.Close()
 		return
@ -243,7 +243,7 @@ func (ctl *Control) heartbeatWorker() {
 		sendHeartBeat := func() (bool, error) {
 			xl.Debugf("send heartbeat to server")
 			pingMsg := &msg.Ping{}
-			if err := ctl.sessionCtx.AuthSetter.SetPing(pingMsg); err != nil {
+			if err := ctl.sessionCtx.Auth.Setter.SetPing(pingMsg); err != nil {
 				xl.Warnf("error during ping authentication: %v, skip sending ping message", err)
 				return false, err
 			}
@ -276,10 +276,12 @@ func (ctl *Control) heartbeatWorker() {
 }
 func (ctl *Control) worker() {
 	xl := ctl.xl
 	go ctl.heartbeatWorker()
 	go ctl.msgDispatcher.Run()
 	<-ctl.msgDispatcher.Done()
 	xl.Debugf("control message dispatcher exited")
 	ctl.closeSession()
 	ctl.pm.Close()
--- a/client/proxy/proxy.go
+++ b/client/proxy/proxy.go
@ -57,6 +57,7 @@ func NewProxy(
 	ctx context.Context,
 	pxyConf v1.ProxyConfigurer,
 	clientCfg *v1.ClientCommonConfig,
 	encryptionKey []byte,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
 ) (pxy Proxy) {
@ -69,6 +70,7 @@ func NewProxy(
 	baseProxy := BaseProxy{
 		baseCfg:        pxyConf.GetBaseConfig(),
 		clientCfg:      clientCfg,
 		encryptionKey:  encryptionKey,
 		limiter:        limiter,
 		msgTransporter: msgTransporter,
 		vnetController: vnetController,
@ -86,6 +88,7 @@ func NewProxy(
 type BaseProxy struct {
 	baseCfg        *v1.ProxyBaseConfig
 	clientCfg      *v1.ClientCommonConfig
 	encryptionKey  []byte
 	msgTransporter transport.MessageTransporter
 	vnetController *vnet.Controller
 	limiter        *rate.Limiter
@ -129,7 +132,7 @@ func (pxy *BaseProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
 			return
 		}
 	}
-	pxy.HandleTCPWorkConnection(conn, m, []byte(pxy.clientCfg.Auth.Token))
+	pxy.HandleTCPWorkConnection(conn, m, pxy.encryptionKey)
 }
 // Common handler for tcp work connections.
--- a/client/proxy/proxy_manager.go
+++ b/client/proxy/proxy_manager.go
@ -40,7 +40,8 @@ type Manager struct {
 	closed bool
 	mu     sync.RWMutex
-	clientCfg *v1.ClientCommonConfig
+	encryptionKey []byte
 	clientCfg     *v1.ClientCommonConfig
 	ctx context.Context
 }
@ -48,6 +49,7 @@ type Manager struct {
 func NewManager(
 	ctx context.Context,
 	clientCfg *v1.ClientCommonConfig,
 	encryptionKey []byte,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
 ) *Manager {
@ -56,6 +58,7 @@ func NewManager(
 		msgTransporter: msgTransporter,
 		vnetController: vnetController,
 		closed:         false,
 		encryptionKey:  encryptionKey,
 		clientCfg:      clientCfg,
 		ctx:            ctx,
 	}
@ -163,7 +166,7 @@ func (pm *Manager) UpdateAll(proxyCfgs []v1.ProxyConfigurer) {
 	for _, cfg := range proxyCfgs {
 		name := cfg.GetBaseConfig().Name
 		if _, ok := pm.proxies[name]; !ok {
-			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.HandleEvent, pm.msgTransporter, pm.vnetController)
+			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.encryptionKey, pm.HandleEvent, pm.msgTransporter, pm.vnetController)
 			if pm.inWorkConnCallback != nil {
 				pxy.SetInWorkConnCallback(pm.inWorkConnCallback)
 			}
--- a/client/proxy/proxy_wrapper.go
+++ b/client/proxy/proxy_wrapper.go
@ -92,6 +92,7 @@ func NewWrapper(
 	ctx context.Context,
 	cfg v1.ProxyConfigurer,
 	clientCfg *v1.ClientCommonConfig,
 	encryptionKey []byte,
 	eventHandler event.Handler,
 	msgTransporter transport.MessageTransporter,
 	vnetController *vnet.Controller,
@ -122,7 +123,7 @@ func NewWrapper(
 		xl.Tracef("enable health check monitor")
 	}
-	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, pw.msgTransporter, pw.vnetController)
+	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, encryptionKey, pw.msgTransporter, pw.vnetController)
 	return pw
 }
--- a/client/proxy/sudp.go
+++ b/client/proxy/sudp.go
@ -91,7 +91,7 @@ func (pxy *SUDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		})
 	}
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Auth.Token))
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
 		if err != nil {
 			conn.Close()
 			xl.Errorf("create encryption stream error: %v", err)
--- a/client/proxy/udp.go
+++ b/client/proxy/udp.go
@ -102,7 +102,7 @@ func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		})
 	}
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Auth.Token))
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
 		if err != nil {
 			conn.Close()
 			xl.Errorf("create encryption stream error: %v", err)
--- a/client/proxy/xtcp.go
+++ b/client/proxy/xtcp.go
@ -64,11 +64,19 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
 	}
 	xl.Tracef("nathole prepare start")
-	prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
+
 	// Prepare NAT traversal options
 	var opts nathole.PrepareOptions
 	if pxy.cfg.NatTraversal != nil && pxy.cfg.NatTraversal.DisableAssistedAddrs {
 		opts.DisableAssistedAddrs = true
 	}
 	prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer}, opts)
 	if err != nil {
 		xl.Warnf("nathole prepare error: %v", err)
 		return
 	}
 	xl.Infof("nathole prepare success, nat type: %s, behavior: %s, addresses: %v, assistedAddresses: %v",
 		prepareResult.NatType, prepareResult.Behavior, prepareResult.Addrs, prepareResult.AssistedAddrs)
 	defer prepareResult.ListenConn.Close()
--- a/client/service.go
+++ b/client/service.go
@ -31,6 +31,7 @@ import (
 	"github.com/fatedier/frp/pkg/auth"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 	"github.com/fatedier/frp/pkg/policy/security"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
@ -64,6 +65,8 @@ type ServiceOptions struct {
 	ProxyCfgs   []v1.ProxyConfigurer
 	VisitorCfgs []v1.VisitorConfigurer
 	UnsafeFeatures *security.UnsafeFeatures
 	// ConfigFilePath is the path to the configuration file used to initialize.
 	// If it is empty, it means that the configuration file is not used for initialization.
 	// It may be initialized using command line parameters or called directly.
@ -108,8 +111,8 @@ type Service struct {
 	// Uniq id got from frps, it will be attached to loginMsg.
 	runID string
-	// Sets authentication based on selected method
+	// Auth runtime and encryption materials
-	authSetter auth.Setter
+	auth *auth.ClientAuth
 	// web server for admin UI and apis
 	webServer *httppkg.Server
@ -122,6 +125,8 @@ type Service struct {
 	visitorCfgs []v1.VisitorConfigurer
 	clientSpec  *msg.ClientSpec
 	unsafeFeatures *security.UnsafeFeatures
 	// The configuration file used to initialize this client, or an empty
 	// string if no configuration file was used.
 	configFilePath string
@ -149,12 +154,19 @@ func NewService(options ServiceOptions) (*Service, error) {
 		}
 		webServer = ws
 	}
 	authRuntime, err := auth.BuildClientAuth(&options.Common.Auth)
 	if err != nil {
 		return nil, err
 	}
 	s := &Service{
 		ctx:              context.Background(),
-		authSetter:       auth.NewAuthSetter(options.Common.Auth),
+		auth:             authRuntime,
 		webServer:        webServer,
 		common:           options.Common,
 		configFilePath:   options.ConfigFilePath,
 		unsafeFeatures:   options.UnsafeFeatures,
 		proxyCfgs:        options.ProxyCfgs,
 		visitorCfgs:      options.VisitorCfgs,
 		clientSpec:       options.ClientSpec,
@ -269,11 +281,15 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 		return
 	}
 	hostname, _ := os.Hostname()
 	loginMsg := &msg.Login{
 		Arch:      runtime.GOARCH,
 		Os:        runtime.GOOS,
 		Hostname:  hostname,
 		PoolCount: svr.common.Transport.PoolCount,
 		User:      svr.common.User,
 		ClientID:  svr.common.ClientID,
 		Version:   version.Full(),
 		Timestamp: time.Now().Unix(),
 		RunID:     svr.runID,
@ -284,7 +300,7 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 	}
 	// Add auth
-	if err = svr.authSetter.SetLogin(loginMsg); err != nil {
+	if err = svr.auth.Setter.SetLogin(loginMsg); err != nil {
 		return
 	}
@ -338,7 +354,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 			RunID:          svr.runID,
 			Conn:           conn,
 			ConnEncrypted:  connEncrypted,
-			AuthSetter:     svr.authSetter,
+			Auth:           svr.auth,
 			Connector:      connector,
 			VnetController: svr.vnetController,
 		}
--- a/client/visitor/stcp.go
+++ b/client/visitor/stcp.go
@ -15,6 +15,7 @@
 package visitor
 import (
 	"fmt"
 	"io"
 	"net"
 	"strconv"
@ -81,11 +82,22 @@ func (sv *STCPVisitor) internalConnWorker() {
 func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	defer userConn.Close()
+	var tunnelErr error
 	defer func() {
 		// If there was an error and connection supports CloseWithError, use it
 		if tunnelErr != nil {
 			if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
 				_ = eConn.CloseWithError(tunnelErr)
 				return
 			}
 		}
 		userConn.Close()
 	}()
 	xl.Debugf("get a new stcp user connection")
 	visitorConn, err := sv.helper.ConnectServer()
 	if err != nil {
 		tunnelErr = err
 		return
 	}
 	defer visitorConn.Close()
@ -102,6 +114,7 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
 	if err != nil {
 		xl.Warnf("send newVisitorConnMsg to server error: %v", err)
 		tunnelErr = err
 		return
 	}
@ -110,12 +123,14 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
 	if err != nil {
 		xl.Warnf("get newVisitorConnRespMsg error: %v", err)
 		tunnelErr = err
 		return
 	}
 	_ = visitorConn.SetReadDeadline(time.Time{})
 	if newVisitorConnRespMsg.Error != "" {
 		xl.Warnf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
 		tunnelErr = fmt.Errorf("%s", newVisitorConnRespMsg.Error)
 		return
 	}
@ -125,6 +140,7 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.SecretKey))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			tunnelErr = err
 			return
 		}
 	}
--- a/client/visitor/visitor.go
+++ b/client/visitor/visitor.go
@ -71,7 +71,7 @@ func NewVisitor(
 				Name:           cfg.GetBaseConfig().Name,
 				Ctx:            ctx,
 				VnetController: helper.VNetController(),
-				HandleConn: func(conn net.Conn) {
+				SendConnToVisitor: func(conn net.Conn) {
 					_ = baseVisitor.AcceptConn(conn)
 				},
 			},
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@ -145,7 +145,7 @@ func (sv *XTCPVisitor) keepTunnelOpenWorker() {
 			return
 		case <-ticker.C:
 			xl.Debugf("keepTunnelOpenWorker try to check tunnel...")
-			conn, err := sv.getTunnelConn()
+			conn, err := sv.getTunnelConn(sv.ctx)
 			if err != nil {
 				xl.Warnf("keepTunnelOpenWorker get tunnel connection error: %v", err)
 				_ = sv.retryLimiter.Wait(sv.ctx)
@ -161,9 +161,17 @@ func (sv *XTCPVisitor) keepTunnelOpenWorker() {
 func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	isConnTransfered := false
+	isConnTransferred := false
 	var tunnelErr error
 	defer func() {
-		if !isConnTransfered {
+		if !isConnTransferred {
 			// If there was an error and connection supports CloseWithError, use it
 			if tunnelErr != nil {
 				if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
 					_ = eConn.CloseWithError(tunnelErr)
 					return
 				}
 			}
 			userConn.Close()
 		}
 	}()
@ -172,7 +180,7 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	// Open a tunnel connection to the server. If there is already a successful hole-punching connection,
 	// it will be reused. Otherwise, it will block and wait for a successful hole-punching connection until timeout.
-	ctx := context.Background()
+	ctx := sv.ctx
 	if sv.cfg.FallbackTo != "" {
 		timeoutCtx, cancel := context.WithTimeout(ctx, time.Duration(sv.cfg.FallbackTimeoutMs)*time.Millisecond)
 		defer cancel()
@ -181,6 +189,8 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	tunnelConn, err := sv.openTunnel(ctx)
 	if err != nil {
 		xl.Errorf("open tunnel error: %v", err)
 		tunnelErr = err
 		// no fallback, just return
 		if sv.cfg.FallbackTo == "" {
 			return
@ -191,7 +201,7 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 			xl.Errorf("transfer connection to visitor %s error: %v", sv.cfg.FallbackTo, err)
 			return
 		}
-		isConnTransfered = true
+		isConnTransferred = true
 		return
 	}
@ -200,6 +210,7 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 		muxConnRWCloser, err = libio.WithEncryption(muxConnRWCloser, []byte(sv.cfg.SecretKey))
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			tunnelErr = err
 			return
 		}
 	}
@ -219,40 +230,37 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 // openTunnel will open a tunnel connection to the target server.
 func (sv *XTCPVisitor) openTunnel(ctx context.Context) (conn net.Conn, err error) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	ticker := time.NewTicker(500 * time.Millisecond)
+	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
-	defer ticker.Stop()
+	defer cancel()
-	timeoutC := time.After(20 * time.Second)
+	timer := time.NewTimer(0)
-	immediateTrigger := make(chan struct{}, 1)
+	defer timer.Stop()
 	defer close(immediateTrigger)
 	immediateTrigger <- struct{}{}
 	for {
 		select {
 		case <-sv.ctx.Done():
 			return nil, sv.ctx.Err()
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-		case <-immediateTrigger:
+				return nil, fmt.Errorf("open tunnel timeout")
 			conn, err = sv.getTunnelConn()
 		case <-ticker.C:
 			conn, err = sv.getTunnelConn()
 		case <-timeoutC:
 			return nil, fmt.Errorf("open tunnel timeout")
 		}
 		if err != nil {
 			if err != ErrNoTunnelSession {
 				xl.Warnf("get tunnel connection error: %v", err)
 			}
-			continue
+			return nil, ctx.Err()
 		case <-timer.C:
 			conn, err = sv.getTunnelConn(ctx)
 			if err != nil {
 				if !errors.Is(err, ErrNoTunnelSession) {
 					xl.Warnf("get tunnel connection error: %v", err)
 				}
 				timer.Reset(500 * time.Millisecond)
 				continue
 			}
 			return conn, nil
 		}
 		return conn, nil
 	}
 }
-func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
+func (sv *XTCPVisitor) getTunnelConn(ctx context.Context) (net.Conn, error) {
-	conn, err := sv.session.OpenConn(sv.ctx)
+	conn, err := sv.session.OpenConn(ctx)
 	if err == nil {
 		return conn, nil
 	}
@ -279,11 +287,19 @@ func (sv *XTCPVisitor) makeNatHole() {
 	}
 	xl.Tracef("nathole prepare start")
-	prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
+
 	// Prepare NAT traversal options
 	var opts nathole.PrepareOptions
 	if sv.cfg.NatTraversal != nil && sv.cfg.NatTraversal.DisableAssistedAddrs {
 		opts.DisableAssistedAddrs = true
 	}
 	prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer}, opts)
 	if err != nil {
 		xl.Warnf("nathole prepare error: %v", err)
 		return
 	}
 	xl.Infof("nathole prepare success, nat type: %s, behavior: %s, addresses: %v, assistedAddresses: %v",
 		prepareResult.NatType, prepareResult.Behavior, prepareResult.Addrs, prepareResult.AssistedAddrs)
--- a/cmd/frpc/main.go
+++ b/cmd/frpc/main.go
@ -15,9 +15,9 @@
 package main
 import (
 	_ "github.com/fatedier/frp/assets/frpc"
 	"github.com/fatedier/frp/cmd/frpc/sub"
 	"github.com/fatedier/frp/pkg/util/system"
 	_ "github.com/fatedier/frp/web/frpc"
 )
 func main() {
--- a/cmd/frpc/sub/proxy.go
+++ b/cmd/frpc/sub/proxy.go
@ -24,6 +24,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 var proxyTypes = []v1.ProxyType{
@ -77,7 +78,10 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
+
 			unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 			validator := validation.NewConfigValidator(unsafeFeatures)
 			if _, err := validator.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
@ -88,7 +92,7 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, "")
+			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, unsafeFeatures, "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@ -106,7 +110,9 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
+			unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 			validator := validation.NewConfigValidator(unsafeFeatures)
 			if _, err := validator.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
@ -117,7 +123,7 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, "")
+			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, unsafeFeatures, "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
--- a/cmd/frpc/sub/root.go
+++ b/cmd/frpc/sub/root.go
@ -21,6 +21,7 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
@ -31,7 +32,8 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/featuregate"
+	"github.com/fatedier/frp/pkg/policy/featuregate"
 	"github.com/fatedier/frp/pkg/policy/security"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 )
@ -41,6 +43,7 @@ var (
 	cfgDir           string
 	showVersion      bool
 	strictConfigMode bool
 	allowUnsafe      []string
 )
 func init() {
@ -48,6 +51,9 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgDir, "config_dir", "", "", "config directory, run one frpc service for each file in config directory")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause an errors")
 	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
 		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ClientUnsafeFeatures, ", ")))
 }
 var rootCmd = &cobra.Command{
@ -59,15 +65,17 @@ var rootCmd = &cobra.Command{
 			return nil
 		}
 		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		// If cfgDir is not empty, run multiple frpc service for each config file in cfgDir.
 		// Note that it's only designed for testing. It's not guaranteed to be stable.
 		if cfgDir != "" {
-			_ = runMultipleClients(cfgDir)
+			_ = runMultipleClients(cfgDir, unsafeFeatures)
 			return nil
 		}
 		// Do not show command usage here.
-		err := runClient(cfgFile)
+		err := runClient(cfgFile, unsafeFeatures)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@ -76,7 +84,7 @@ var rootCmd = &cobra.Command{
 	},
 }
-func runMultipleClients(cfgDir string) error {
+func runMultipleClients(cfgDir string, unsafeFeatures *security.UnsafeFeatures) error {
 	var wg sync.WaitGroup
 	err := filepath.WalkDir(cfgDir, func(path string, d fs.DirEntry, err error) error {
 		if err != nil || d.IsDir() {
@ -86,7 +94,7 @@ func runMultipleClients(cfgDir string) error {
 		time.Sleep(time.Millisecond)
 		go func() {
 			defer wg.Done()
-			err := runClient(path)
+			err := runClient(path, unsafeFeatures)
 			if err != nil {
 				fmt.Printf("frpc service error for config file [%s]\n", path)
 			}
@ -111,7 +119,7 @@ func handleTermSignal(svr *client.Service) {
 	svr.GracefulClose(500 * time.Millisecond)
 }
-func runClient(cfgFilePath string) error {
+func runClient(cfgFilePath string, unsafeFeatures *security.UnsafeFeatures) error {
 	cfg, proxyCfgs, visitorCfgs, isLegacyFormat, err := config.LoadClientConfig(cfgFilePath, strictConfigMode)
 	if err != nil {
 		return err
@ -127,20 +135,22 @@ func runClient(cfgFilePath string) error {
 		}
 	}
-	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs)
+	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs, unsafeFeatures)
 	if warning != nil {
 		fmt.Printf("WARNING: %v\n", warning)
 	}
 	if err != nil {
 		return err
 	}
-	return startService(cfg, proxyCfgs, visitorCfgs, cfgFilePath)
+
 	return startService(cfg, proxyCfgs, visitorCfgs, unsafeFeatures, cfgFilePath)
 }
 func startService(
 	cfg *v1.ClientCommonConfig,
 	proxyCfgs []v1.ProxyConfigurer,
 	visitorCfgs []v1.VisitorConfigurer,
 	unsafeFeatures *security.UnsafeFeatures,
 	cfgFile string,
 ) error {
 	log.InitLogger(cfg.Log.To, cfg.Log.Level, int(cfg.Log.MaxDays), cfg.Log.DisablePrintColor)
@ -153,6 +163,7 @@ func startService(
 		Common:         cfg,
 		ProxyCfgs:      proxyCfgs,
 		VisitorCfgs:    visitorCfgs,
 		UnsafeFeatures: unsafeFeatures,
 		ConfigFilePath: cfgFile,
 	})
 	if err != nil {
--- a/cmd/frpc/sub/verify.go
+++ b/cmd/frpc/sub/verify.go
@ -22,6 +22,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 func init() {
@ -42,7 +43,8 @@ var verifyCmd = &cobra.Command{
 			fmt.Println(err)
 			os.Exit(1)
 		}
-		warning, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs)
+		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		warning, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, unsafeFeatures)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/cmd/frps/main.go
+++ b/cmd/frps/main.go
@ -15,9 +15,9 @@
 package main
 import (
 	_ "github.com/fatedier/frp/assets/frps"
 	_ "github.com/fatedier/frp/pkg/metrics"
 	"github.com/fatedier/frp/pkg/util/system"
 	_ "github.com/fatedier/frp/web/frps"
 )
 func main() {
--- a/cmd/frps/root.go
+++ b/cmd/frps/root.go
@ -18,12 +18,14 @@ import (
 	"context"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
 	"github.com/fatedier/frp/pkg/config"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 	"github.com/fatedier/frp/server"
@ -33,6 +35,7 @@ var (
 	cfgFile          string
 	showVersion      bool
 	strictConfigMode bool
 	allowUnsafe      []string
 	serverCfg v1.ServerConfig
 )
@ -41,6 +44,8 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "", "config file of frps")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frps")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause errors")
 	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
 		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ServerUnsafeFeatures, ", ")))
 	config.RegisterServerConfigFlags(rootCmd, &serverCfg)
 }
@ -77,7 +82,9 @@ var rootCmd = &cobra.Command{
 			svrCfg = &serverCfg
 		}
-		warning, err := validation.ValidateServerConfig(svrCfg)
+		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		validator := validation.NewConfigValidator(unsafeFeatures)
 		warning, err := validator.ValidateServerConfig(svrCfg)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/cmd/frps/verify.go
+++ b/cmd/frps/verify.go
@ -22,6 +22,7 @@ import (
 	"github.com/fatedier/frp/pkg/config"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 func init() {
@ -42,7 +43,9 @@ var verifyCmd = &cobra.Command{
 			os.Exit(1)
 		}
-		warning, err := validation.ValidateServerConfig(svrCfg)
+		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)
 		validator := validation.NewConfigValidator(unsafeFeatures)
 		warning, err := validator.ValidateServerConfig(svrCfg)
 		if warning != nil {
 			fmt.Printf("WARNING: %v\n", warning)
 		}
--- a/conf/frpc_full_example.toml
+++ b/conf/frpc_full_example.toml
@ -1,5 +1,7 @@
 # This configuration file is for reference only. Please do not use this configuration directly to run the program as it may have various issues.
 # Optional unique identifier for this frpc instance.
 clientID = "your_client_id"
 # your proxy name will be changed to {user}.{proxy}
 user = "your_name"
@ -55,6 +57,20 @@ auth.token = "12345678"
 # auth.oidc.additionalEndpointParams.audience = "https://dev.auth.com/api/v2/"
 # auth.oidc.additionalEndpointParams.var1 = "foobar"
 # OIDC TLS and proxy configuration
 # Specify a custom CA certificate file for verifying the OIDC token endpoint's TLS certificate.
 # This is useful when the OIDC provider uses a self-signed certificate or a custom CA.
 # auth.oidc.trustedCaFile = "/path/to/ca.crt"
 # Skip TLS certificate verification for the OIDC token endpoint.
 # INSECURE: Only use this for debugging purposes, not recommended for production.
 # auth.oidc.insecureSkipVerify = false
 # Specify a proxy server for OIDC token endpoint connections.
 # Supports http, https, socks5, and socks5h proxy protocols.
 # If not specified, no proxy is used for OIDC connections.
 # auth.oidc.proxyURL = "http://proxy.example.com:8080"
 # Set admin address for control frpc's action by http api such as reload
 webServer.addr = "127.0.0.1"
 webServer.port = 7400
@ -129,6 +145,11 @@ transport.tls.enable = true
 # Default is empty, means all proxies.
 # start = ["ssh", "dns"]
 # Alternative to 'start': You can control each proxy individually using the 'enabled' field.
 # Set 'enabled = false' in a proxy configuration to disable it.
 # If 'enabled' is not set or set to true, the proxy is enabled by default.
 # The 'enabled' field provides more granular control and is recommended over 'start'.
 # Specify udp packet size, unit is byte. If not set, the default value is 1500.
 # This parameter should be same between client and server.
 # It affects the udp and sudp proxy.
@ -155,6 +176,8 @@ metadatas.var2 = "123"
 # If global user is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
 name = "ssh"
 type = "tcp"
 # Enable or disable this proxy. true or omit this field to enable, false to disable.
 # enabled = true
 localIP = "127.0.0.1"
 localPort = 22
 # Limit bandwidth for this proxy, unit is KB and MB
@ -239,6 +262,8 @@ healthCheck.httpHeaders=[
 [[proxies]]
 name = "web02"
 type = "https"
 # Disable this proxy by setting enabled to false
 # enabled = false
 localIP = "127.0.0.1"
 localPort = 8000
 subdomain = "web02"
@ -372,6 +397,14 @@ localPort = 22
 # Otherwise, visitors from same user can connect. '*' means allow all users.
 allowUsers = ["user1", "user2"]
 # NAT traversal configuration (optional)
 [proxies.natTraversal]
 # Disable the use of local network interfaces (assisted addresses) for NAT traversal.
 # When enabled, only STUN-discovered public addresses will be used.
 # This can improve performance when you have slow VPN connections.
 # Default: false
 disableAssistedAddrs = false
 [[proxies]]
 name = "vnet-server"
 type = "stcp"
@ -411,6 +444,13 @@ minRetryInterval = 90
 # fallbackTo = "stcp_visitor"
 # fallbackTimeoutMs = 500
 # NAT traversal configuration (optional)
 [visitors.natTraversal]
 # Disable the use of local network interfaces (assisted addresses) for NAT traversal.
 # When enabled, only STUN-discovered public addresses will be used.
 # Default: false
 disableAssistedAddrs = false
 [[visitors]]
 name = "vnet-visitor"
 type = "stcp"
--- a/doc/pic/sponsor_daytona.png
+++ b/doc/pic/sponsor_daytona.png
--- a/doc/pic/sponsor_lokal.png
+++ b/doc/pic/sponsor_lokal.png
--- a/doc/pic/sponsor_workos.png
+++ b/doc/pic/sponsor_workos.png
--- a/doc/pic/zsxq.jpg
+++ b/doc/pic/zsxq.jpg
--- a/dockerfiles/Dockerfile-for-frpc
+++ b/dockerfiles/Dockerfile-for-frpc
@ -1,9 +1,17 @@
-FROM golang:1.23 AS building
+FROM node:22 AS web-builder
 WORKDIR /web/frpc
 COPY web/frpc/ ./
 RUN npm install
 RUN npm run build
 FROM golang:1.24 AS building
 COPY . /building
 COPY --from=web-builder /web/frpc/dist /building/web/frpc/dist
 WORKDIR /building
-RUN make frpc
+RUN env CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -tags frpc -o bin/frpc ./cmd/frpc
 FROM alpine:3
--- a/dockerfiles/Dockerfile-for-frps
+++ b/dockerfiles/Dockerfile-for-frps
@ -1,9 +1,17 @@
-FROM golang:1.23 AS building
+FROM node:22 AS web-builder
 WORKDIR /web/frps
 COPY web/frps/ ./
 RUN npm install
 RUN npm run build
 FROM golang:1.24 AS building
 COPY . /building
 COPY --from=web-builder /web/frps/dist /building/web/frps/dist
 WORKDIR /building
-RUN make frps
+RUN env CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -tags frps -o bin/frps ./cmd/frps
 FROM alpine:3
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/fatedier/frp
-go 1.23.0
+go 1.24.0
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
@ -16,7 +16,7 @@ require (
 	github.com/pion/stun/v2 v2.0.0
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.19.1
-	github.com/quic-go/quic-go v0.53.0
+	github.com/quic-go/quic-go v0.55.0
 	github.com/rodaine/table v1.2.0
 	github.com/samber/lo v1.47.0
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
@ -26,10 +26,10 @@ require (
 	github.com/tidwall/gjson v1.17.1
 	github.com/vishvananda/netlink v1.3.0
 	github.com/xtaci/kcp-go/v5 v5.6.13
-	golang.org/x/crypto v0.37.0
+	golang.org/x/crypto v0.41.0
-	golang.org/x/net v0.39.0
+	golang.org/x/net v0.43.0
 	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.13.0
+	golang.org/x/sync v0.16.0
 	golang.org/x/time v0.5.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	gopkg.in/ini.v1 v1.67.0
@ -67,11 +67,10 @@ require (
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	golang.org/x/tools v0.31.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@ -82,4 +81,4 @@ require (
 )
 // TODO(fatedier): Temporary use the modified version, update to the official version after merging into the official repository.
-replace github.com/hashicorp/yamux => github.com/fatedier/yamux v0.0.0-20230628132301-7aca4898904d
+replace github.com/hashicorp/yamux => github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6
--- a/go.sum
+++ b/go.sum
@ -22,8 +22,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatedier/golib v0.5.1 h1:hcKAnaw5mdI/1KWRGejxR+i1Hn/NvbY5UsMKDr7o13M=
 github.com/fatedier/golib v0.5.1/go.mod h1:W6kIYkIFxHsTzbgqg5piCxIiDo4LzwgTY6R5W8l9NFQ=
-github.com/fatedier/yamux v0.0.0-20230628132301-7aca4898904d h1:ynk1ra0RUqDWQfvFi5KtMiSobkVQ3cNc0ODb8CfIETo=
+github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6 h1:u92UUy6FURPmNsMBUuongRWC0rBqN6gd01Dzu+D21NE=
-github.com/fatedier/yamux v0.0.0-20230628132301-7aca4898904d/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
+github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6/go.mod h1:c5/tk6G0dSpXGzJN7Wk1OEie8grdSJAmeawId9Zvd34=
 github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
 github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
@ -105,8 +105,8 @@ github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSz
 github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/quic-go/quic-go v0.53.0 h1:QHX46sISpG2S03dPeZBgVIZp8dGagIaiu2FiVYvpCZI=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
-github.com/quic-go/quic-go v0.53.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rodaine/table v1.2.0 h1:38HEnwK4mKSHQJIkavVj+bst1TEY7j9zhLMWu4QJrMA=
@ -156,24 +156,24 @@ github.com/xtaci/lossyconn v0.0.0-20200209145036-adba10fffc37/go.mod h1:HpMP7DB2
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -187,8 +187,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
 golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
@ -197,8 +197,8 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -213,24 +213,24 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -241,8 +241,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -15,6 +15,7 @@
 package auth
 import (
 	"context"
 	"fmt"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
@ -27,16 +28,56 @@ type Setter interface {
 	SetNewWorkConn(*msg.NewWorkConn) error
 }
-func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter) {
+type ClientAuth struct {
 	Setter Setter
 	key    []byte
 }
 func (a *ClientAuth) EncryptionKey() []byte {
 	return a.key
 }
 // BuildClientAuth resolves any dynamic auth values and returns a prepared auth runtime.
 // Caller must run validation before calling this function.
 func BuildClientAuth(cfg *v1.AuthClientConfig) (*ClientAuth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("auth config is nil")
 	}
 	resolved := *cfg
 	if resolved.Method == v1.AuthMethodToken && resolved.TokenSource != nil {
 		token, err := resolved.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return nil, fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		resolved.Token = token
 	}
 	setter, err := NewAuthSetter(resolved)
 	if err != nil {
 		return nil, err
 	}
 	return &ClientAuth{
 		Setter: setter,
 		key:    []byte(resolved.Token),
 	}, nil
 }
 func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter, err error) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
 		authProvider = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		authProvider = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
+		if cfg.OIDC.TokenSource != nil {
 			authProvider = NewOidcTokenSourceAuthSetter(cfg.AdditionalScopes, cfg.OIDC.TokenSource)
 		} else {
 			authProvider, err = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
 			if err != nil {
 				return nil, err
 			}
 		}
 	default:
-		panic(fmt.Sprintf("wrong method: '%s'", cfg.Method))
+		return nil, fmt.Errorf("unsupported auth method: %s", cfg.Method)
 	}
-	return authProvider
+	return authProvider, nil
 }
 type Verifier interface {
@ -45,6 +86,35 @@ type Verifier interface {
 	VerifyNewWorkConn(*msg.NewWorkConn) error
 }
 type ServerAuth struct {
 	Verifier Verifier
 	key      []byte
 }
 func (a *ServerAuth) EncryptionKey() []byte {
 	return a.key
 }
 // BuildServerAuth resolves any dynamic auth values and returns a prepared auth runtime.
 // Caller must run validation before calling this function.
 func BuildServerAuth(cfg *v1.AuthServerConfig) (*ServerAuth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("auth config is nil")
 	}
 	resolved := *cfg
 	if resolved.Method == v1.AuthMethodToken && resolved.TokenSource != nil {
 		token, err := resolved.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return nil, fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		resolved.Token = token
 	}
 	return &ServerAuth{
 		Verifier: NewAuthVerifier(resolved),
 		key:      []byte(resolved.Token),
 	}, nil
 }
 func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@ -16,23 +16,72 @@ package auth
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"slices"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 )
 // createOIDCHTTPClient creates an HTTP client with custom TLS and proxy configuration for OIDC token requests
 func createOIDCHTTPClient(trustedCAFile string, insecureSkipVerify bool, proxyURL string) (*http.Client, error) {
 	// Clone the default transport to get all reasonable defaults
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	// Configure TLS settings
 	if trustedCAFile != "" || insecureSkipVerify {
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: insecureSkipVerify,
 		}
 		if trustedCAFile != "" && !insecureSkipVerify {
 			caCert, err := os.ReadFile(trustedCAFile)
 			if err != nil {
 				return nil, fmt.Errorf("failed to read OIDC CA certificate file %q: %w", trustedCAFile, err)
 			}
 			caCertPool := x509.NewCertPool()
 			if !caCertPool.AppendCertsFromPEM(caCert) {
 				return nil, fmt.Errorf("failed to parse OIDC CA certificate from file %q", trustedCAFile)
 			}
 			tlsConfig.RootCAs = caCertPool
 		}
 		transport.TLSClientConfig = tlsConfig
 	}
 	// Configure proxy settings
 	if proxyURL != "" {
 		parsedURL, err := url.Parse(proxyURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse OIDC proxy URL %q: %w", proxyURL, err)
 		}
 		transport.Proxy = http.ProxyURL(parsedURL)
 	} else {
 		// Explicitly disable proxy to override DefaultTransport's ProxyFromEnvironment
 		transport.Proxy = nil
 	}
 	return &http.Client{Transport: transport}, nil
 }
 type OidcAuthProvider struct {
 	additionalAuthScopes []v1.AuthScope
 	tokenGenerator *clientcredentials.Config
 	httpClient     *http.Client
 }
-func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClientConfig) *OidcAuthProvider {
+func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClientConfig) (*OidcAuthProvider, error) {
 	eps := make(map[string][]string)
 	for k, v := range cfg.AdditionalEndpointParams {
 		eps[k] = []string{v}
@ -50,14 +99,30 @@ func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClien
 		EndpointParams: eps,
 	}
 	// Create custom HTTP client if needed
 	var httpClient *http.Client
 	if cfg.TrustedCaFile != "" || cfg.InsecureSkipVerify || cfg.ProxyURL != "" {
 		var err error
 		httpClient, err = createOIDCHTTPClient(cfg.TrustedCaFile, cfg.InsecureSkipVerify, cfg.ProxyURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create OIDC HTTP client: %w", err)
 		}
 	}
 	return &OidcAuthProvider{
 		additionalAuthScopes: additionalAuthScopes,
 		tokenGenerator:       tokenGenerator,
-	}
+		httpClient:           httpClient,
 	}, nil
 }
 func (auth *OidcAuthProvider) generateAccessToken() (accessToken string, err error) {
-	tokenObj, err := auth.tokenGenerator.Token(context.Background())
+	ctx := context.Background()
 	if auth.httpClient != nil {
 		ctx = context.WithValue(ctx, oauth2.HTTPClient, auth.httpClient)
 	}
 	tokenObj, err := auth.tokenGenerator.Token(ctx)
 	if err != nil {
 		return "", fmt.Errorf("couldn't generate OIDC token for login: %v", err)
 	}
@ -87,6 +152,51 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e
 	return err
 }
 type OidcTokenSourceAuthProvider struct {
 	additionalAuthScopes []v1.AuthScope
 	valueSource *v1.ValueSource
 }
 func NewOidcTokenSourceAuthSetter(additionalAuthScopes []v1.AuthScope, valueSource *v1.ValueSource) *OidcTokenSourceAuthProvider {
 	return &OidcTokenSourceAuthProvider{
 		additionalAuthScopes: additionalAuthScopes,
 		valueSource:          valueSource,
 	}
 }
 func (auth *OidcTokenSourceAuthProvider) generateAccessToken() (accessToken string, err error) {
 	ctx := context.Background()
 	accessToken, err = auth.valueSource.Resolve(ctx)
 	if err != nil {
 		return "", fmt.Errorf("couldn't acquire OIDC token for login: %v", err)
 	}
 	return
 }
 func (auth *OidcTokenSourceAuthProvider) SetLogin(loginMsg *msg.Login) (err error) {
 	loginMsg.PrivilegeKey, err = auth.generateAccessToken()
 	return err
 }
 func (auth *OidcTokenSourceAuthProvider) SetPing(pingMsg *msg.Ping) (err error) {
 	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
 		return nil
 	}
 	pingMsg.PrivilegeKey, err = auth.generateAccessToken()
 	return err
 }
 func (auth *OidcTokenSourceAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (err error) {
 	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
 		return nil
 	}
 	newWorkConnMsg.PrivilegeKey, err = auth.generateAccessToken()
 	return err
 }
 type TokenVerifier interface {
 	Verify(context.Context, string) (*oidc.IDToken, error)
 }
--- a/pkg/config/flags.go
+++ b/pkg/config/flags.go
@ -167,6 +167,7 @@ func RegisterClientCommonConfigFlags(cmd *cobra.Command, c *v1.ClientCommonConfi
 		c.Transport.TLS.Enable = cmd.PersistentFlags().BoolP("tls_enable", "", true, "enable frpc tls")
 	}
 	cmd.PersistentFlags().StringVarP(&c.User, "user", "u", "", "user")
 	cmd.PersistentFlags().StringVar(&c.ClientID, "client-id", "", "unique identifier for this frpc instance")
 	cmd.PersistentFlags().StringVarP(&c.Auth.Token, "token", "t", "", "auth token")
 }
--- a/pkg/config/load.go
+++ b/pkg/config/load.go
@ -281,6 +281,17 @@ func LoadClientConfig(path string, strict bool) (
 		})
 	}
 	// Filter by enabled field in each proxy
 	// nil or true means enabled, false means disabled
 	proxyCfgs = lo.Filter(proxyCfgs, func(c v1.ProxyConfigurer, _ int) bool {
 		enabled := c.GetBaseConfig().Enabled
 		return enabled == nil || *enabled
 	})
 	visitorCfgs = lo.Filter(visitorCfgs, func(c v1.VisitorConfigurer, _ int) bool {
 		enabled := c.GetBaseConfig().Enabled
 		return enabled == nil || *enabled
 	})
 	if cliCfg != nil {
 		if err := cliCfg.Complete(); err != nil {
 			return nil, nil, nil, isLegacyFormat, err
--- a/pkg/config/v1/client.go
+++ b/pkg/config/v1/client.go
@ -15,8 +15,6 @@
 package v1
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/samber/lo"
@ -39,6 +37,8 @@ type ClientCommonConfig struct {
 	// clients. If this value is not "", proxy names will automatically be
 	// changed to "{user}.{proxy_name}".
 	User string `json:"user,omitempty"`
 	// ClientID uniquely identifies this frpc instance.
 	ClientID string `json:"clientID,omitempty"`
 	// ServerAddr specifies the address of the server to connect to. By
 	// default, this value is "0.0.0.0".
@ -198,17 +198,6 @@ type AuthClientConfig struct {
 func (c *AuthClientConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
 	// Resolve tokenSource during configuration loading
 	if c.Method == AuthMethodToken && c.TokenSource != nil {
 		token, err := c.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		// Move the resolved token to the Token field and clear TokenSource
 		c.Token = token
 		c.TokenSource = nil
 	}
 	return nil
 }
@ -228,6 +217,21 @@ type AuthOIDCClientConfig struct {
 	// AdditionalEndpointParams specifies additional parameters to be sent
 	// this field will be transfer to map[string][]string in OIDC token generator.
 	AdditionalEndpointParams map[string]string `json:"additionalEndpointParams,omitempty"`
 	// TrustedCaFile specifies the path to a custom CA certificate file
 	// for verifying the OIDC token endpoint's TLS certificate.
 	TrustedCaFile string `json:"trustedCaFile,omitempty"`
 	// InsecureSkipVerify disables TLS certificate verification for the
 	// OIDC token endpoint. Only use this for debugging, not recommended for production.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 	// ProxyURL specifies a proxy to use when connecting to the OIDC token endpoint.
 	// Supports http, https, socks5, and socks5h proxy protocols.
 	// If empty, no proxy is used for OIDC connections.
 	ProxyURL string `json:"proxyURL,omitempty"`
 	// TokenSource specifies a custom dynamic source for the authorization token.
 	// This is mutually exclusive with every other field of this structure.
 	TokenSource *ValueSource `json:"tokenSource,omitempty"`
 }
 type VirtualNetConfig struct {
--- a/pkg/config/v1/client_test.go
+++ b/pkg/config/v1/client_test.go
@ -15,8 +15,6 @@
 package v1
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/samber/lo"
@ -38,68 +36,9 @@ func TestClientConfigComplete(t *testing.T) {
 }
 func TestAuthClientConfig_Complete(t *testing.T) {
-	// Create a temporary file for testing
+	require := require.New(t)
-	tmpDir := t.TempDir()
+	cfg := &AuthClientConfig{}
-	testFile := filepath.Join(tmpDir, "test_token")
+	err := cfg.Complete()
-	testContent := "client-token-value"
+	require.NoError(err)
-	err := os.WriteFile(testFile, []byte(testContent), 0o600)
+	require.EqualValues("token", cfg.Method)
 	require.NoError(t, err)
 	tests := []struct {
 		name        string
 		config      AuthClientConfig
 		expectToken string
 		expectPanic bool
 	}{
 		{
 			name: "tokenSource resolved to token",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: testFile,
 					},
 				},
 			},
 			expectToken: testContent,
 			expectPanic: false,
 		},
 		{
 			name: "direct token unchanged",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				Token:  "direct-token",
 			},
 			expectToken: "direct-token",
 			expectPanic: false,
 		},
 		{
 			name: "invalid tokenSource should panic",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: "/non/existent/file",
 					},
 				},
 			},
 			expectPanic: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.expectPanic {
 				err := tt.config.Complete()
 				require.Error(t, err)
 			} else {
 				err := tt.config.Complete()
 				require.NoError(t, err)
 				require.Equal(t, tt.expectToken, tt.config.Token)
 				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
 			}
 		})
 	}
 }
--- a/pkg/config/v1/common.go
+++ b/pkg/config/v1/common.go
@ -85,9 +85,9 @@ func (c *WebServerConfig) Complete() {
 }
 type TLSConfig struct {
-	// CertPath specifies the path of the cert file that client will load.
+	// CertFile specifies the path of the cert file that client will load.
 	CertFile string `json:"certFile,omitempty"`
-	// KeyPath specifies the path of the secret key file that client will load.
+	// KeyFile specifies the path of the secret key file that client will load.
 	KeyFile string `json:"keyFile,omitempty"`
 	// TrustedCaFile specifies the path of the trusted ca file that will load.
 	TrustedCaFile string `json:"trustedCaFile,omitempty"`
@ -96,6 +96,14 @@ type TLSConfig struct {
 	ServerName string `json:"serverName,omitempty"`
 }
 // NatTraversalConfig defines configuration options for NAT traversal
 type NatTraversalConfig struct {
 	// DisableAssistedAddrs disables the use of local network interfaces
 	// for assisted connections during NAT traversal. When enabled,
 	// only STUN-discovered public addresses will be used.
 	DisableAssistedAddrs bool `json:"disableAssistedAddrs,omitempty"`
 }
 type LogConfig struct {
 	// This is destination where frp should write the logs.
 	// If "console" is used, logs will be printed to stdout, otherwise,
--- a/pkg/config/v1/proxy.go
+++ b/pkg/config/v1/proxy.go
@ -108,8 +108,11 @@ type DomainConfig struct {
 }
 type ProxyBaseConfig struct {
-	Name        string            `json:"name"`
+	Name string `json:"name"`
-	Type        string            `json:"type"`
+	Type string `json:"type"`
 	// Enabled controls whether this proxy is enabled. nil or true means enabled, false means disabled.
 	// This allows individual control over each proxy, complementing the global "start" field.
 	Enabled     *bool             `json:"enabled,omitempty"`
 	Annotations map[string]string `json:"annotations,omitempty"`
 	Transport   ProxyTransport    `json:"transport,omitempty"`
 	// metadata info for each proxy
@ -422,6 +425,9 @@ type XTCPProxyConfig struct {
 	Secretkey  string   `json:"secretKey,omitempty"`
 	AllowUsers []string `json:"allowUsers,omitempty"`
 	// NatTraversal configuration for NAT traversal
 	NatTraversal *NatTraversalConfig `json:"natTraversal,omitempty"`
 }
 func (c *XTCPProxyConfig) MarshalToMsg(m *msg.NewProxy) {
--- a/pkg/config/v1/server.go
+++ b/pkg/config/v1/server.go
@ -15,9 +15,6 @@
 package v1
 import (
 	"context"
 	"fmt"
 	"github.com/samber/lo"
 	"github.com/fatedier/frp/pkg/config/types"
@ -138,17 +135,6 @@ type AuthServerConfig struct {
 func (c *AuthServerConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
 	// Resolve tokenSource during configuration loading
 	if c.Method == AuthMethodToken && c.TokenSource != nil {
 		token, err := c.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		// Move the resolved token to the Token field and clear TokenSource
 		c.Token = token
 		c.TokenSource = nil
 	}
 	return nil
 }
--- a/pkg/config/v1/server_test.go
+++ b/pkg/config/v1/server_test.go
@ -15,8 +15,6 @@
 package v1
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/samber/lo"
@ -35,68 +33,9 @@ func TestServerConfigComplete(t *testing.T) {
 }
 func TestAuthServerConfig_Complete(t *testing.T) {
-	// Create a temporary file for testing
+	require := require.New(t)
-	tmpDir := t.TempDir()
+	cfg := &AuthServerConfig{}
-	testFile := filepath.Join(tmpDir, "test_token")
+	err := cfg.Complete()
-	testContent := "file-token-value"
+	require.NoError(err)
-	err := os.WriteFile(testFile, []byte(testContent), 0o600)
+	require.EqualValues("token", cfg.Method)
 	require.NoError(t, err)
 	tests := []struct {
 		name        string
 		config      AuthServerConfig
 		expectToken string
 		expectPanic bool
 	}{
 		{
 			name: "tokenSource resolved to token",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: testFile,
 					},
 				},
 			},
 			expectToken: testContent,
 			expectPanic: false,
 		},
 		{
 			name: "direct token unchanged",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				Token:  "direct-token",
 			},
 			expectToken: "direct-token",
 			expectPanic: false,
 		},
 		{
 			name: "invalid tokenSource should panic",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: "/non/existent/file",
 					},
 				},
 			},
 			expectPanic: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.expectPanic {
 				err := tt.config.Complete()
 				require.Error(t, err)
 			} else {
 				err := tt.config.Complete()
 				require.NoError(t, err)
 				require.Equal(t, tt.expectToken, tt.config.Token)
 				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
 			}
 		})
 	}
 }
--- a/pkg/config/v1/validation/client.go
+++ b/pkg/config/v1/validation/client.go
@ -23,55 +23,109 @@ import (
 	"github.com/samber/lo"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/featuregate"
+	"github.com/fatedier/frp/pkg/policy/featuregate"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
-func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
+func (v *ConfigValidator) ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 	var (
 		warnings Warning
 		errs     error
 	)
-	// validate feature gates
+
-	if c.VirtualNet.Address != "" {
+	validators := []func() (Warning, error){
-		if !featuregate.Enabled(featuregate.VirtualNet) {
+		func() (Warning, error) { return validateFeatureGates(c) },
-			return warnings, fmt.Errorf("VirtualNet feature is not enabled; enable it by setting the appropriate feature gate flag")
+		func() (Warning, error) { return v.validateAuthConfig(&c.Auth) },
-		}
+		func() (Warning, error) { return nil, validateLogConfig(&c.Log) },
 		func() (Warning, error) { return nil, validateWebServerConfig(&c.WebServer) },
 		func() (Warning, error) { return validateTransportConfig(&c.Transport) },
 		func() (Warning, error) { return validateIncludeFiles(c.IncludeConfigFiles) },
 	}
-	if !slices.Contains(SupportedAuthMethods, c.Auth.Method) {
+	for _, validator := range validators {
 		w, err := validator()
 		warnings = AppendError(warnings, w)
 		errs = AppendError(errs, err)
 	}
 	return warnings, errs
 }
 func validateFeatureGates(c *v1.ClientCommonConfig) (Warning, error) {
 	if c.VirtualNet.Address != "" {
 		if !featuregate.Enabled(featuregate.VirtualNet) {
 			return nil, fmt.Errorf("VirtualNet feature is not enabled; enable it by setting the appropriate feature gate flag")
 		}
 	}
 	return nil, nil
 }
 func (v *ConfigValidator) validateAuthConfig(c *v1.AuthClientConfig) (Warning, error) {
 	var errs error
 	if !slices.Contains(SupportedAuthMethods, c.Method) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth method, optional values are %v", SupportedAuthMethods))
 	}
-	if !lo.Every(SupportedAuthAdditionalScopes, c.Auth.AdditionalScopes) {
+	if !lo.Every(SupportedAuthAdditionalScopes, c.AdditionalScopes) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", SupportedAuthAdditionalScopes))
 	}
 	// Validate token/tokenSource mutual exclusivity
-	if c.Auth.Token != "" && c.Auth.TokenSource != nil {
+	if c.Token != "" && c.TokenSource != nil {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.token and auth.tokenSource"))
 	}
 	// Validate tokenSource if specified
-	if c.Auth.TokenSource != nil {
+	if c.TokenSource != nil {
-		if err := c.Auth.TokenSource.Validate(); err != nil {
+		if c.TokenSource.Type == "exec" {
 			if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
 				errs = AppendError(errs, err)
 			}
 		}
 		if err := c.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
 	}
-	if err := validateLogConfig(&c.Log); err != nil {
+	if err := v.validateOIDCConfig(&c.OIDC); err != nil {
 		errs = AppendError(errs, err)
 	}
 	return nil, errs
 }
-	if err := validateWebServerConfig(&c.WebServer); err != nil {
+func (v *ConfigValidator) validateOIDCConfig(c *v1.AuthOIDCClientConfig) error {
-		errs = AppendError(errs, err)
+	if c.TokenSource == nil {
 		return nil
 	}
 	var errs error
 	// Validate oidc.tokenSource mutual exclusivity with other fields of oidc
 	if c.ClientID != "" || c.ClientSecret != "" || c.Audience != "" ||
 		c.Scope != "" || c.TokenEndpointURL != "" || len(c.AdditionalEndpointParams) > 0 ||
 		c.TrustedCaFile != "" || c.InsecureSkipVerify || c.ProxyURL != "" {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.oidc.tokenSource and any other field of auth.oidc"))
 	}
 	if c.TokenSource.Type == "exec" {
 		if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
 			errs = AppendError(errs, err)
 		}
 	}
 	if err := c.TokenSource.Validate(); err != nil {
 		errs = AppendError(errs, fmt.Errorf("invalid auth.oidc.tokenSource: %v", err))
 	}
 	return errs
 }
-	if c.Transport.HeartbeatTimeout > 0 && c.Transport.HeartbeatInterval > 0 {
+func validateTransportConfig(c *v1.ClientTransportConfig) (Warning, error) {
-		if c.Transport.HeartbeatTimeout < c.Transport.HeartbeatInterval {
+	var (
 		warnings Warning
 		errs     error
 	)
 	if c.HeartbeatTimeout > 0 && c.HeartbeatInterval > 0 {
 		if c.HeartbeatTimeout < c.HeartbeatInterval {
 			errs = AppendError(errs, fmt.Errorf("invalid transport.heartbeatTimeout, heartbeat timeout should not less than heartbeat interval"))
 		}
 	}
-	if !lo.FromPtr(c.Transport.TLS.Enable) {
+	if !lo.FromPtr(c.TLS.Enable) {
 		checkTLSConfig := func(name string, value string) Warning {
 			if value != "" {
 				return fmt.Errorf("%s is invalid when transport.tls.enable is false", name)
@ -79,16 +133,20 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 			return nil
 		}
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.certFile", c.Transport.TLS.CertFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.certFile", c.TLS.CertFile))
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.keyFile", c.Transport.TLS.KeyFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.keyFile", c.TLS.KeyFile))
-		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.Transport.TLS.TrustedCaFile))
+		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.TLS.TrustedCaFile))
 	}
-	if !slices.Contains(SupportedTransportProtocols, c.Transport.Protocol) {
+	if !slices.Contains(SupportedTransportProtocols, c.Protocol) {
 		errs = AppendError(errs, fmt.Errorf("invalid transport.protocol, optional values are %v", SupportedTransportProtocols))
 	}
 	return warnings, errs
 }
-	for _, f := range c.IncludeConfigFiles {
+func validateIncludeFiles(files []string) (Warning, error) {
 	var errs error
 	for _, f := range files {
 		absDir, err := filepath.Abs(filepath.Dir(f))
 		if err != nil {
 			errs = AppendError(errs, fmt.Errorf("include: parse directory of %s failed: %v", f, err))
@ -98,13 +156,19 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 			errs = AppendError(errs, fmt.Errorf("include: directory of %s not exist", f))
 		}
 	}
-	return warnings, errs
+	return nil, errs
 }
-func ValidateAllClientConfig(c *v1.ClientCommonConfig, proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) (Warning, error) {
+func ValidateAllClientConfig(
 	c *v1.ClientCommonConfig,
 	proxyCfgs []v1.ProxyConfigurer,
 	visitorCfgs []v1.VisitorConfigurer,
 	unsafeFeatures *security.UnsafeFeatures,
 ) (Warning, error) {
 	validator := NewConfigValidator(unsafeFeatures)
 	var warnings Warning
 	if c != nil {
-		warning, err := ValidateClientCommonConfig(c)
+		warning, err := validator.ValidateClientCommonConfig(c)
 		warnings = AppendError(warnings, warning)
 		if err != nil {
 			return warnings, err
--- a/pkg/config/v1/validation/server.go
+++ b/pkg/config/v1/validation/server.go
@ -21,9 +21,10 @@ import (
 	"github.com/samber/lo"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
-func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
+func (v *ConfigValidator) ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 	var (
 		warnings Warning
 		errs     error
@ -42,6 +43,11 @@ func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 	// Validate tokenSource if specified
 	if c.Auth.TokenSource != nil {
 		if c.Auth.TokenSource.Type == "exec" {
 			if err := v.ValidateUnsafeFeature(security.TokenSourceExec); err != nil {
 				errs = AppendError(errs, err)
 			}
 		}
 		if err := c.Auth.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
--- a/pkg/config/v1/validation/validator.go
+++ b/pkg/config/v1/validation/validator.go
@ -0,0 +1,28 @@
 package validation
 import (
 	"fmt"
 	"github.com/fatedier/frp/pkg/policy/security"
 )
 // ConfigValidator holds the context dependencies for configuration validation.
 type ConfigValidator struct {
 	unsafeFeatures *security.UnsafeFeatures
 }
 // NewConfigValidator creates a new ConfigValidator instance.
 func NewConfigValidator(unsafeFeatures *security.UnsafeFeatures) *ConfigValidator {
 	return &ConfigValidator{
 		unsafeFeatures: unsafeFeatures,
 	}
 }
 // ValidateUnsafeFeature checks if a specific unsafe feature is enabled.
 func (v *ConfigValidator) ValidateUnsafeFeature(feature string) error {
 	if !v.unsafeFeatures.IsEnabled(feature) {
 		return fmt.Errorf("unsafe feature %q is not enabled. "+
 			"To enable it, ensure it is allowed in the configuration or command line flags", feature)
 	}
 	return nil
 }
--- a/pkg/config/v1/value_source.go
+++ b/pkg/config/v1/value_source.go
@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"strings"
 )
@ -27,6 +28,7 @@ import (
 type ValueSource struct {
 	Type string      `json:"type"`
 	File *FileSource `json:"file,omitempty"`
 	Exec *ExecSource `json:"exec,omitempty"`
 }
 // FileSource specifies how to load a value from a file.
@ -34,6 +36,18 @@ type FileSource struct {
 	Path string `json:"path"`
 }
 // ExecSource specifies how to get a value from another program launched as subprocess.
 type ExecSource struct {
 	Command string       `json:"command"`
 	Args    []string     `json:"args,omitempty"`
 	Env     []ExecEnvVar `json:"env,omitempty"`
 }
 type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
 // Validate validates the ValueSource configuration.
 func (v *ValueSource) Validate() error {
 	if v == nil {
@ -46,8 +60,13 @@ func (v *ValueSource) Validate() error {
 			return errors.New("file configuration is required when type is 'file'")
 		}
 		return v.File.Validate()
 	case "exec":
 		if v.Exec == nil {
 			return errors.New("exec configuration is required when type is 'exec'")
 		}
 		return v.Exec.Validate()
 	default:
-		return fmt.Errorf("unsupported value source type: %s (only 'file' is supported)", v.Type)
+		return fmt.Errorf("unsupported value source type: %s (only 'file' and 'exec' are supported)", v.Type)
 	}
 }
@ -60,6 +79,8 @@ func (v *ValueSource) Resolve(ctx context.Context) (string, error) {
 	switch v.Type {
 	case "file":
 		return v.File.Resolve(ctx)
 	case "exec":
 		return v.Exec.Resolve(ctx)
 	default:
 		return "", fmt.Errorf("unsupported value source type: %s", v.Type)
 	}
@ -91,3 +112,47 @@ func (f *FileSource) Resolve(_ context.Context) (string, error) {
 	// Trim whitespace, which is important for file-based tokens
 	return strings.TrimSpace(string(content)), nil
 }
 // Validate validates the ExecSource configuration.
 func (e *ExecSource) Validate() error {
 	if e == nil {
 		return errors.New("execSource cannot be nil")
 	}
 	if e.Command == "" {
 		return errors.New("exec command cannot be empty")
 	}
 	for _, env := range e.Env {
 		if env.Name == "" {
 			return errors.New("exec env name cannot be empty")
 		}
 		if strings.Contains(env.Name, "=") {
 			return errors.New("exec env name cannot contain '='")
 		}
 	}
 	return nil
 }
 // Resolve reads and returns the content captured from stdout of launched subprocess.
 func (e *ExecSource) Resolve(ctx context.Context) (string, error) {
 	if err := e.Validate(); err != nil {
 		return "", err
 	}
 	cmd := exec.CommandContext(ctx, e.Command, e.Args...)
 	if len(e.Env) != 0 {
 		cmd.Env = os.Environ()
 		for _, env := range e.Env {
 			cmd.Env = append(cmd.Env, env.Name+"="+env.Value)
 		}
 	}
 	content, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to execute command %v: %v", e.Command, err)
 	}
 	// Trim whitespace, which is important for exec-based tokens
 	return strings.TrimSpace(string(content)), nil
 }
--- a/pkg/config/v1/visitor.go
+++ b/pkg/config/v1/visitor.go
@ -32,8 +32,11 @@ type VisitorTransport struct {
 }
 type VisitorBaseConfig struct {
-	Name      string           `json:"name"`
+	Name string `json:"name"`
-	Type      string           `json:"type"`
+	Type string `json:"type"`
 	// Enabled controls whether this visitor is enabled. nil or true means enabled, false means disabled.
 	// This allows individual control over each visitor, complementing the global "start" field.
 	Enabled   *bool            `json:"enabled,omitempty"`
 	Transport VisitorTransport `json:"transport,omitempty"`
 	SecretKey string           `json:"secretKey,omitempty"`
 	// if the server user is not set, it defaults to the current user
@ -160,6 +163,9 @@ type XTCPVisitorConfig struct {
 	MinRetryInterval  int    `json:"minRetryInterval,omitempty"`
 	FallbackTo        string `json:"fallbackTo,omitempty"`
 	FallbackTimeoutMs int    `json:"fallbackTimeoutMs,omitempty"`
 	// NatTraversal configuration for NAT traversal
 	NatTraversal *NatTraversalConfig `json:"natTraversal,omitempty"`
 }
 func (c *XTCPVisitorConfig) Complete(g *ClientCommonConfig) {
--- a/pkg/metrics/aggregate/server.go
+++ b/pkg/metrics/aggregate/server.go
@ -56,9 +56,9 @@ func (m *serverMetrics) CloseClient() {
 	}
 }
-func (m *serverMetrics) NewProxy(name string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string, user string, clientID string) {
 	for _, v := range m.ms {
-		v.NewProxy(name, proxyType)
+		v.NewProxy(name, proxyType, user, clientID)
 	}
 }
--- a/pkg/metrics/mem/server.go
+++ b/pkg/metrics/mem/server.go
@ -98,7 +98,7 @@ func (m *serverMetrics) CloseClient() {
 	m.info.ClientCounts.Dec(1)
 }
-func (m *serverMetrics) NewProxy(name string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string, user string, clientID string) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	counter, ok := m.info.ProxyTypeCounts[proxyType]
@ -119,6 +119,8 @@ func (m *serverMetrics) NewProxy(name string, proxyType string) {
 		}
 		m.info.ProxyStatistics[name] = proxyStats
 	}
 	proxyStats.User = user
 	proxyStats.ClientID = clientID
 	proxyStats.LastStartTime = time.Now()
 }
@ -214,6 +216,8 @@ func (m *serverMetrics) GetProxiesByType(proxyType string) []*ProxyStats {
 		ps := &ProxyStats{
 			Name:            name,
 			Type:            proxyStats.ProxyType,
 			User:            proxyStats.User,
 			ClientID:        proxyStats.ClientID,
 			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        int64(proxyStats.CurConns.Count()),
@ -245,6 +249,8 @@ func (m *serverMetrics) GetProxiesByTypeAndName(proxyType string, proxyName stri
 		res = &ProxyStats{
 			Name:            name,
 			Type:            proxyStats.ProxyType,
 			User:            proxyStats.User,
 			ClientID:        proxyStats.ClientID,
 			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        int64(proxyStats.CurConns.Count()),
@ -260,6 +266,31 @@ func (m *serverMetrics) GetProxiesByTypeAndName(proxyType string, proxyName stri
 	return
 }
 func (m *serverMetrics) GetProxyByName(proxyName string) (res *ProxyStats) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	proxyStats, ok := m.info.ProxyStatistics[proxyName]
 	if ok {
 		res = &ProxyStats{
 			Name:            proxyName,
 			Type:            proxyStats.ProxyType,
 			User:            proxyStats.User,
 			ClientID:        proxyStats.ClientID,
 			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
 			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
 			CurConns:        int64(proxyStats.CurConns.Count()),
 		}
 		if !proxyStats.LastStartTime.IsZero() {
 			res.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
 		}
 		if !proxyStats.LastCloseTime.IsZero() {
 			res.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
 		}
 	}
 	return
 }
 func (m *serverMetrics) GetProxyTraffic(name string) (res *ProxyTrafficInfo) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
--- a/pkg/metrics/mem/types.go
+++ b/pkg/metrics/mem/types.go
@ -35,6 +35,8 @@ type ServerStats struct {
 type ProxyStats struct {
 	Name            string
 	Type            string
 	User            string
 	ClientID        string
 	TodayTrafficIn  int64
 	TodayTrafficOut int64
 	LastStartTime   string
@ -51,6 +53,8 @@ type ProxyTrafficInfo struct {
 type ProxyStatistics struct {
 	Name          string
 	ProxyType     string
 	User          string
 	ClientID      string
 	TrafficIn     metric.DateCounter
 	TrafficOut    metric.DateCounter
 	CurConns      metric.Counter
@ -78,6 +82,7 @@ type Collector interface {
 	GetServer() *ServerStats
 	GetProxiesByType(proxyType string) []*ProxyStats
 	GetProxiesByTypeAndName(proxyType string, proxyName string) *ProxyStats
 	GetProxyByName(proxyName string) *ProxyStats
 	GetProxyTraffic(name string) *ProxyTrafficInfo
 	ClearOfflineProxies() (int, int)
 }
--- a/pkg/metrics/prometheus/server.go
+++ b/pkg/metrics/prometheus/server.go
@ -14,11 +14,12 @@ const (
 var ServerMetrics metrics.ServerMetrics = newServerMetrics()
 type serverMetrics struct {
-	clientCount     prometheus.Gauge
+	clientCount        prometheus.Gauge
-	proxyCount      *prometheus.GaugeVec
+	proxyCount         *prometheus.GaugeVec
-	connectionCount *prometheus.GaugeVec
+	proxyCountDetailed *prometheus.GaugeVec
-	trafficIn       *prometheus.CounterVec
+	connectionCount    *prometheus.GaugeVec
-	trafficOut      *prometheus.CounterVec
+	trafficIn          *prometheus.CounterVec
 	trafficOut         *prometheus.CounterVec
 }
 func (m *serverMetrics) NewClient() {
@ -29,12 +30,14 @@ func (m *serverMetrics) CloseClient() {
 	m.clientCount.Dec()
 }
-func (m *serverMetrics) NewProxy(_ string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string, _ string, _ string) {
 	m.proxyCount.WithLabelValues(proxyType).Inc()
 	m.proxyCountDetailed.WithLabelValues(proxyType, name).Inc()
 }
-func (m *serverMetrics) CloseProxy(_ string, proxyType string) {
+func (m *serverMetrics) CloseProxy(name string, proxyType string) {
 	m.proxyCount.WithLabelValues(proxyType).Dec()
 	m.proxyCountDetailed.WithLabelValues(proxyType, name).Dec()
 }
 func (m *serverMetrics) OpenConnection(name string, proxyType string) {
@ -67,6 +70,12 @@ func newServerMetrics() *serverMetrics {
 			Name:      "proxy_counts",
 			Help:      "The current proxy counts",
 		}, []string{"type"}),
 		proxyCountDetailed: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Namespace: namespace,
 			Subsystem: serverSubsystem,
 			Name:      "proxy_counts_detailed",
 			Help:      "The current number of proxies grouped by type and name",
 		}, []string{"type", "name"}),
 		connectionCount: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Namespace: namespace,
 			Subsystem: serverSubsystem,
@ -88,6 +97,7 @@ func newServerMetrics() *serverMetrics {
 	}
 	prometheus.MustRegister(m.clientCount)
 	prometheus.MustRegister(m.proxyCount)
 	prometheus.MustRegister(m.proxyCountDetailed)
 	prometheus.MustRegister(m.connectionCount)
 	prometheus.MustRegister(m.trafficIn)
 	prometheus.MustRegister(m.trafficOut)
--- a/pkg/msg/handler.go
+++ b/pkg/msg/handler.go
@ -86,10 +86,6 @@ func (d *Dispatcher) Send(m Message) error {
 	}
 }
 func (d *Dispatcher) SendChannel() chan Message {
 	return d.sendCh
 }
 func (d *Dispatcher) RegisterHandler(msg Message, handler func(Message)) {
 	d.msgHandlers[reflect.TypeOf(msg)] = handler
 }
--- a/pkg/msg/msg.go
+++ b/pkg/msg/msg.go
@ -82,6 +82,7 @@ type Login struct {
 	PrivilegeKey string            `json:"privilege_key,omitempty"`
 	Timestamp    int64             `json:"timestamp,omitempty"`
 	RunID        string            `json:"run_id,omitempty"`
 	ClientID     string            `json:"client_id,omitempty"`
 	Metas        map[string]string `json:"metas,omitempty"`
 	// Currently only effective for VirtualClient.
--- a/pkg/nathole/nathole.go
+++ b/pkg/nathole/nathole.go
@ -68,6 +68,13 @@ var (
 	DetectRoleReceiver = "receiver"
 )
 // PrepareOptions defines options for NAT traversal preparation
 type PrepareOptions struct {
 	// DisableAssistedAddrs disables the use of local network interfaces
 	// for assisted connections during NAT traversal
 	DisableAssistedAddrs bool
 }
 type PrepareResult struct {
 	Addrs         []string
 	AssistedAddrs []string
@ -108,7 +115,7 @@ func PreCheck(
 }
 // Prepare is used to do some preparation work before penetration.
-func Prepare(stunServers []string) (*PrepareResult, error) {
+func Prepare(stunServers []string, opts PrepareOptions) (*PrepareResult, error) {
 	// discover for Nat type
 	addrs, localAddr, err := Discover(stunServers, "")
 	if err != nil {
@ -133,9 +140,13 @@ func Prepare(stunServers []string) (*PrepareResult, error) {
 		return nil, fmt.Errorf("listen local udp addr error: %v", err)
 	}
-	assistedAddrs := make([]string, 0, len(localIPs))
+	// Apply NAT traversal options
-	for _, ip := range localIPs {
+	var assistedAddrs []string
-		assistedAddrs = append(assistedAddrs, net.JoinHostPort(ip, strconv.Itoa(laddr.Port)))
+	if !opts.DisableAssistedAddrs {
 		assistedAddrs = make([]string, 0, len(localIPs))
 		for _, ip := range localIPs {
 			assistedAddrs = append(assistedAddrs, net.JoinHostPort(ip, strconv.Itoa(laddr.Port)))
 		}
 	}
 	return &PrepareResult{
 		Addrs:         addrs,
--- a/pkg/plugin/visitor/plugin.go
+++ b/pkg/plugin/visitor/plugin.go
@ -23,11 +23,20 @@ import (
 	"github.com/fatedier/frp/pkg/vnet"
 )
 // PluginContext provides the necessary context and callbacks for visitor plugins.
 type PluginContext struct {
-	Name           string
+	// Name is the unique identifier for this visitor, used for logging and routing.
-	Ctx            context.Context
+	Name string
 	// Ctx manages the plugin's lifecycle and carries the logger for structured logging.
 	Ctx context.Context
 	// VnetController manages TUN device routing. May be nil if virtual networking is disabled.
 	VnetController *vnet.Controller
-	HandleConn     func(net.Conn)
+
 	// SendConnToVisitor sends a connection to the visitor's internal processing queue.
 	// Does not return error; failures are handled by closing the connection.
 	SendConnToVisitor func(net.Conn)
 }
 // Creators is used for create plugins to handle connections.
--- a/pkg/plugin/visitor/virtual_net.go
+++ b/pkg/plugin/visitor/virtual_net.go
@ -42,6 +42,8 @@ type VirtualNetPlugin struct {
 	controllerConn net.Conn
 	closeSignal    chan struct{}
 	consecutiveErrors int // Tracks consecutive connection errors for exponential backoff
 	ctx    context.Context
 	cancel context.CancelFunc
 }
@ -98,7 +100,6 @@ func (p *VirtualNetPlugin) Start() {
 func (p *VirtualNetPlugin) run() {
 	xl := xlog.FromContextSafe(p.ctx)
 	reconnectDelay := 10 * time.Second
 	for {
 		currentCloseSignal := make(chan struct{})
@ -121,7 +122,10 @@ func (p *VirtualNetPlugin) run() {
 		p.controllerConn = controllerConn
 		p.mu.Unlock()
-		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func() {
+		// Wrap with CloseNotifyConn which supports both close notification and error recording
 		var closeErr error
 		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func(err error) {
 			closeErr = err
 			close(currentCloseSignal) // Signal the run loop on close.
 		})
@ -129,9 +133,9 @@ func (p *VirtualNetPlugin) run() {
 		p.pluginCtx.VnetController.RegisterClientRoute(p.ctx, p.pluginCtx.Name, p.routes, controllerConn)
 		xl.Infof("successfully registered client route for visitor [%s]. Starting connection handler with CloseNotifyConn.", p.pluginCtx.Name)
-		// Pass the CloseNotifyConn to HandleConn.
+		// Pass the CloseNotifyConn to the visitor for handling.
-		// HandleConn is responsible for calling Close() on pluginNotifyConn.
+		// The visitor can call CloseWithError to record the failure reason.
-		p.pluginCtx.HandleConn(pluginNotifyConn)
+		p.pluginCtx.SendConnToVisitor(pluginNotifyConn)
 		// Wait for context cancellation or connection close.
 		select {
@ -140,8 +144,32 @@ func (p *VirtualNetPlugin) run() {
 			p.cleanupControllerConn(xl)
 			return
 		case <-currentCloseSignal:
-			xl.Infof("detected connection closed via CloseNotifyConn for visitor [%s].", p.pluginCtx.Name)
+			// Determine reconnect delay based on error with exponential backoff
-			// HandleConn closed the plugin side. Close the controller side.
+			var reconnectDelay time.Duration
 			if closeErr != nil {
 				p.consecutiveErrors++
 				xl.Warnf("connection closed with error for visitor [%s] (consecutive errors: %d): %v",
 					p.pluginCtx.Name, p.consecutiveErrors, closeErr)
 				// Exponential backoff: 60s, 120s, 240s, 300s (capped)
 				baseDelay := 60 * time.Second
 				reconnectDelay = baseDelay * time.Duration(1<<uint(p.consecutiveErrors-1))
 				if reconnectDelay > 300*time.Second {
 					reconnectDelay = 300 * time.Second
 				}
 			} else {
 				// Reset consecutive errors on successful connection
 				if p.consecutiveErrors > 0 {
 					xl.Infof("connection closed normally for visitor [%s], resetting error counter (was %d)",
 						p.pluginCtx.Name, p.consecutiveErrors)
 					p.consecutiveErrors = 0
 				} else {
 					xl.Infof("connection closed normally for visitor [%s]", p.pluginCtx.Name)
 				}
 				reconnectDelay = 10 * time.Second
 			}
 			// The visitor closed the plugin side. Close the controller side.
 			p.cleanupControllerConn(xl)
 			xl.Infof("waiting %v before attempting reconnection for visitor [%s]...", reconnectDelay, p.pluginCtx.Name)
@ -184,7 +212,7 @@ func (p *VirtualNetPlugin) Close() error {
 	}
 	// Explicitly close the controller side of the pipe.
-	// This ensures the pipe is broken even if the run loop is stuck or HandleConn hasn't closed its end.
+	// This ensures the pipe is broken even if the run loop is stuck or the visitor hasn't closed its end.
 	p.cleanupControllerConn(xl)
 	xl.Infof("finished cleaning up connections during close for visitor [%s]", p.pluginCtx.Name)
--- a/pkg/policy/featuregate/feature_gate.go
+++ b/pkg/policy/featuregate/feature_gate.go
--- a/pkg/policy/security/unsafe.go
+++ b/pkg/policy/security/unsafe.go
@ -0,0 +1,34 @@
 package security
 const (
 	TokenSourceExec = "TokenSourceExec"
 )
 var (
 	ClientUnsafeFeatures = []string{
 		TokenSourceExec,
 	}
 	ServerUnsafeFeatures = []string{
 		TokenSourceExec,
 	}
 )
 type UnsafeFeatures struct {
 	features map[string]bool
 }
 func NewUnsafeFeatures(allowed []string) *UnsafeFeatures {
 	features := make(map[string]bool)
 	for _, f := range allowed {
 		features[f] = true
 	}
 	return &UnsafeFeatures{features: features}
 }
 func (u *UnsafeFeatures) IsEnabled(feature string) bool {
 	if u == nil {
 		return false
 	}
 	return u.features[feature]
 }
--- a/pkg/proto/udp/udp.go
+++ b/pkg/proto/udp/udp.go
@ -124,8 +124,8 @@ func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UDPPacket, sendCh chan<-
 			}
 			mu.Unlock()
-			// Add proxy protocol header if configured
+			// Add proxy protocol header if configured (only for the first packet of a new connection)
-			if proxyProtocolVersion != "" && udpMsg.RemoteAddr != nil {
+			if !ok && proxyProtocolVersion != "" && udpMsg.RemoteAddr != nil {
 				ppBuf, err := netpkg.BuildProxyProtocolHeader(udpMsg.RemoteAddr, dstAddr, proxyProtocolVersion)
 				if err == nil {
 					// Prepend proxy protocol header to the UDP payload
--- a/pkg/sdk/client/client.go
+++ b/pkg/sdk/client/client.go
@ -11,7 +11,7 @@ import (
 	"strconv"
 	"strings"
-	"github.com/fatedier/frp/client"
+	"github.com/fatedier/frp/client/api"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 )
@ -32,7 +32,7 @@ func (c *Client) SetAuth(user, pwd string) {
 	c.authPwd = pwd
 }
-func (c *Client) GetProxyStatus(ctx context.Context, name string) (*client.ProxyStatusResp, error) {
+func (c *Client) GetProxyStatus(ctx context.Context, name string) (*api.ProxyStatusResp, error) {
 	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+c.address+"/api/status", nil)
 	if err != nil {
 		return nil, err
@ -41,7 +41,7 @@ func (c *Client) GetProxyStatus(ctx context.Context, name string) (*client.Proxy
 	if err != nil {
 		return nil, err
 	}
-	allStatus := make(client.StatusResp)
+	allStatus := make(api.StatusResp)
 	if err = json.Unmarshal([]byte(content), &allStatus); err != nil {
 		return nil, fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(content))
 	}
@ -55,7 +55,7 @@ func (c *Client) GetProxyStatus(ctx context.Context, name string) (*client.Proxy
 	return nil, fmt.Errorf("no proxy status found")
 }
-func (c *Client) GetAllProxyStatus(ctx context.Context) (client.StatusResp, error) {
+func (c *Client) GetAllProxyStatus(ctx context.Context) (api.StatusResp, error) {
 	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+c.address+"/api/status", nil)
 	if err != nil {
 		return nil, err
@ -64,7 +64,7 @@ func (c *Client) GetAllProxyStatus(ctx context.Context) (client.StatusResp, erro
 	if err != nil {
 		return nil, err
 	}
-	allStatus := make(client.StatusResp)
+	allStatus := make(api.StatusResp)
 	if err = json.Unmarshal([]byte(content), &allStatus); err != nil {
 		return nil, fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(content))
 	}
--- a/pkg/transport/message.go
+++ b/pkg/transport/message.go
@ -35,15 +35,19 @@ type MessageTransporter interface {
 	DispatchWithType(m msg.Message, msgType, laneKey string) bool
 }
-func NewMessageTransporter(sendCh chan msg.Message) MessageTransporter {
+type MessageSender interface {
 	Send(msg.Message) error
 }
 func NewMessageTransporter(sender MessageSender) MessageTransporter {
 	return &transporterImpl{
-		sendCh:   sendCh,
+		sender:   sender,
 		registry: make(map[string]map[string]chan msg.Message),
 	}
 }
 type transporterImpl struct {
-	sendCh chan msg.Message
+	sender MessageSender
 	// First key is message type and second key is lane key.
 	// Dispatch will dispatch message to related channel by its message type
@ -53,9 +57,7 @@ type transporterImpl struct {
 }
 func (impl *transporterImpl) Send(m msg.Message) error {
-	return errors.PanicToError(func() {
+	return impl.sender.Send(m)
 		impl.sendCh <- m
 	})
 }
 func (impl *transporterImpl) Do(ctx context.Context, req msg.Message, laneKey, recvMsgType string) (msg.Message, error) {
--- a/pkg/util/http/context.go
+++ b/pkg/util/http/context.go
@ -0,0 +1,57 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import (
 	"encoding/json"
 	"io"
 	"net/http"
 	"github.com/gorilla/mux"
 )
 type Context struct {
 	Req  *http.Request
 	Resp http.ResponseWriter
 	vars map[string]string
 }
 func NewContext(w http.ResponseWriter, r *http.Request) *Context {
 	return &Context{
 		Req:  r,
 		Resp: w,
 		vars: mux.Vars(r),
 	}
 }
 func (c *Context) Param(key string) string {
 	return c.vars[key]
 }
 func (c *Context) Query(key string) string {
 	return c.Req.URL.Query().Get(key)
 }
 func (c *Context) BindJSON(obj any) error {
 	body, err := io.ReadAll(c.Req.Body)
 	if err != nil {
 		return err
 	}
 	return json.Unmarshal(body, obj)
 }
 func (c *Context) Body() ([]byte, error) {
 	return io.ReadAll(c.Req.Body)
 }
--- a/pkg/util/http/error.go
+++ b/pkg/util/http/error.go
@ -0,0 +1,33 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import "fmt"
 type Error struct {
 	Code int
 	Err  error
 }
 func (e *Error) Error() string {
 	return e.Err.Error()
 }
 func NewError(code int, msg string) *Error {
 	return &Error{
 		Code: code,
 		Err:  fmt.Errorf("%s", msg),
 	}
 }
--- a/pkg/util/http/handler.go
+++ b/pkg/util/http/handler.go
@ -0,0 +1,66 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import (
 	"encoding/json"
 	"net/http"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 type GeneralResponse struct {
 	Code int
 	Msg  string
 }
 // APIHandler is a handler function that returns a response object or an error.
 type APIHandler func(ctx *Context) (any, error)
 // MakeHTTPHandlerFunc turns a normal APIHandler into a http.HandlerFunc.
 func MakeHTTPHandlerFunc(handler APIHandler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := NewContext(w, r)
 		res, err := handler(ctx)
 		if err != nil {
 			log.Warnf("http response [%s]: error: %v", r.URL.Path, err)
 			code := http.StatusInternalServerError
 			if e, ok := err.(*Error); ok {
 				code = e.Code
 			}
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(code)
 			_ = json.NewEncoder(w).Encode(GeneralResponse{Code: code, Msg: err.Error()})
 			return
 		}
 		if res == nil {
 			w.WriteHeader(http.StatusOK)
 			return
 		}
 		switch v := res.(type) {
 		case []byte:
 			_, _ = w.Write(v)
 		case string:
 			_, _ = w.Write([]byte(v))
 		default:
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(http.StatusOK)
 			_ = json.NewEncoder(w).Encode(v)
 		}
 	}
 }
--- a/pkg/util/http/middleware.go
+++ b/pkg/util/http/middleware.go
@ -0,0 +1,40 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package http
 import (
 	"net/http"
 	"github.com/fatedier/frp/pkg/util/log"
 )
 type responseWriter struct {
 	http.ResponseWriter
 	code int
 }
 func (rw *responseWriter) WriteHeader(code int) {
 	rw.code = code
 	rw.ResponseWriter.WriteHeader(code)
 }
 func NewRequestLogger(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		log.Infof("http request: [%s]", r.URL.Path)
 		rw := &responseWriter{ResponseWriter: w, code: http.StatusOK}
 		next.ServeHTTP(rw, r)
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, rw.code)
 	})
 }
--- a/pkg/util/net/conn.go
+++ b/pkg/util/net/conn.go
@ -135,11 +135,11 @@ type CloseNotifyConn struct {
 	// 1 means closed
 	closeFlag int32
-	closeFn func()
+	closeFn func(error)
 }
-// closeFn will be only called once
+// closeFn will be only called once with the error (nil if Close() was called, non-nil if CloseWithError() was called)
-func WrapCloseNotifyConn(c net.Conn, closeFn func()) net.Conn {
+func WrapCloseNotifyConn(c net.Conn, closeFn func(error)) *CloseNotifyConn {
 	return &CloseNotifyConn{
 		Conn:    c,
 		closeFn: closeFn,
@ -149,14 +149,27 @@ func WrapCloseNotifyConn(c net.Conn, closeFn func()) net.Conn {
 func (cc *CloseNotifyConn) Close() (err error) {
 	pflag := atomic.SwapInt32(&cc.closeFlag, 1)
 	if pflag == 0 {
-		err = cc.Close()
+		err = cc.Conn.Close()
 		if cc.closeFn != nil {
-			cc.closeFn()
+			cc.closeFn(nil)
 		}
 	}
 	return
 }
 // CloseWithError closes the connection and passes the error to the close callback.
 func (cc *CloseNotifyConn) CloseWithError(err error) error {
 	pflag := atomic.SwapInt32(&cc.closeFlag, 1)
 	if pflag == 0 {
 		closeErr := cc.Conn.Close()
 		if cc.closeFn != nil {
 			cc.closeFn(err)
 		}
 		return closeErr
 	}
 	return nil
 }
 type StatsConn struct {
 	net.Conn
--- a/pkg/util/net/websocket.go
+++ b/pkg/util/net/websocket.go
@ -32,7 +32,7 @@ func NewWebsocketListener(ln net.Listener) (wl *WebsocketListener) {
 	muxer := http.NewServeMux()
 	muxer.Handle(FrpWebsocketPath, websocket.Handler(func(c *websocket.Conn) {
 		notifyCh := make(chan struct{})
-		conn := WrapCloseNotifyConn(c, func() {
+		conn := WrapCloseNotifyConn(c, func(_ error) {
 			close(notifyCh)
 		})
 		wl.acceptCh <- conn
--- a/pkg/util/version/version.go
+++ b/pkg/util/version/version.go
@ -14,7 +14,7 @@
 package version
-var version = "0.64.0"
+var version = "0.67.0"
 func Full() string {
 	return version
--- a/pkg/util/xlog/log_writer.go
+++ b/pkg/util/xlog/log_writer.go
@ -0,0 +1,65 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package xlog
 import "strings"
 // LogWriter forwards writes to frp's logger at configurable level.
 // It is safe for concurrent use as long as the underlying Logger is thread-safe.
 type LogWriter struct {
 	xl      *Logger
 	logFunc func(string)
 }
 func (w LogWriter) Write(p []byte) (n int, err error) {
 	msg := strings.TrimSpace(string(p))
 	w.logFunc(msg)
 	return len(p), nil
 }
 func NewTraceWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Tracef("%s", msg) },
 	}
 }
 func NewDebugWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Debugf("%s", msg) },
 	}
 }
 func NewInfoWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Infof("%s", msg) },
 	}
 }
 func NewWarnWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Warnf("%s", msg) },
 	}
 }
 func NewErrorWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Errorf("%s", msg) },
 	}
 }
--- a/server/api/controller.go
+++ b/server/api/controller.go
@ -0,0 +1,424 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package api
 import (
 	"cmp"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
 	"time"
 	"github.com/fatedier/frp/pkg/config/types"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/metrics/mem"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 	"github.com/fatedier/frp/server/proxy"
 	"github.com/fatedier/frp/server/registry"
 )
 type Controller struct {
 	// dependencies
 	serverCfg      *v1.ServerConfig
 	clientRegistry *registry.ClientRegistry
 	pxyManager     ProxyManager
 }
 type ProxyManager interface {
 	GetByName(name string) (proxy.Proxy, bool)
 }
 func NewController(
 	serverCfg *v1.ServerConfig,
 	clientRegistry *registry.ClientRegistry,
 	pxyManager ProxyManager,
 ) *Controller {
 	return &Controller{
 		serverCfg:      serverCfg,
 		clientRegistry: clientRegistry,
 		pxyManager:     pxyManager,
 	}
 }
 // /api/serverinfo
 func (c *Controller) APIServerInfo(ctx *httppkg.Context) (any, error) {
 	serverStats := mem.StatsCollector.GetServer()
 	svrResp := ServerInfoResp{
 		Version:               version.Full(),
 		BindPort:              c.serverCfg.BindPort,
 		VhostHTTPPort:         c.serverCfg.VhostHTTPPort,
 		VhostHTTPSPort:        c.serverCfg.VhostHTTPSPort,
 		TCPMuxHTTPConnectPort: c.serverCfg.TCPMuxHTTPConnectPort,
 		KCPBindPort:           c.serverCfg.KCPBindPort,
 		QUICBindPort:          c.serverCfg.QUICBindPort,
 		SubdomainHost:         c.serverCfg.SubDomainHost,
 		MaxPoolCount:          c.serverCfg.Transport.MaxPoolCount,
 		MaxPortsPerClient:     c.serverCfg.MaxPortsPerClient,
 		HeartBeatTimeout:      c.serverCfg.Transport.HeartbeatTimeout,
 		AllowPortsStr:         types.PortsRangeSlice(c.serverCfg.AllowPorts).String(),
 		TLSForce:              c.serverCfg.Transport.TLS.Force,
 		TotalTrafficIn:  serverStats.TotalTrafficIn,
 		TotalTrafficOut: serverStats.TotalTrafficOut,
 		CurConns:        serverStats.CurConns,
 		ClientCounts:    serverStats.ClientCounts,
 		ProxyTypeCounts: serverStats.ProxyTypeCounts,
 	}
 	// For API that returns struct, we can just return it.
 	// But current GeneralResponse.Msg in legacy code expects a JSON string.
 	// Since MakeHTTPHandlerFunc handles struct by encoding to JSON, we can return svrResp directly?
 	// The original code wraps it in GeneralResponse{Msg: string(json)}.
 	// If we return svrResp, the response body will be the JSON of svrResp.
 	// We should check if the frontend expects { "code": 200, "msg": "{...}" } or just {...}.
 	// Looking at previous code:
 	// res := GeneralResponse{Code: 200}
 	// buf, _ := json.Marshal(&svrResp)
 	// res.Msg = string(buf)
 	// Response body: {"code": 200, "msg": "{\"version\":...}"}
 	// Wait, is it double encoded JSON? Yes it seems so!
 	// Let's check dashboard_api.go original code again.
 	// Yes: res.Msg = string(buf).
 	// So the frontend expects { "code": 200, "msg": "JSON_STRING" }.
 	// This is kind of ugly, but we must preserve compatibility.
 	return svrResp, nil
 }
 // /api/clients
 func (c *Controller) APIClientList(ctx *httppkg.Context) (any, error) {
 	if c.clientRegistry == nil {
 		return nil, fmt.Errorf("client registry unavailable")
 	}
 	userFilter := ctx.Query("user")
 	clientIDFilter := ctx.Query("clientId")
 	runIDFilter := ctx.Query("runId")
 	statusFilter := strings.ToLower(ctx.Query("status"))
 	records := c.clientRegistry.List()
 	items := make([]ClientInfoResp, 0, len(records))
 	for _, info := range records {
 		if userFilter != "" && info.User != userFilter {
 			continue
 		}
 		if clientIDFilter != "" && info.ClientID() != clientIDFilter {
 			continue
 		}
 		if runIDFilter != "" && info.RunID != runIDFilter {
 			continue
 		}
 		if !matchStatusFilter(info.Online, statusFilter) {
 			continue
 		}
 		items = append(items, buildClientInfoResp(info))
 	}
 	slices.SortFunc(items, func(a, b ClientInfoResp) int {
 		if v := cmp.Compare(a.User, b.User); v != 0 {
 			return v
 		}
 		if v := cmp.Compare(a.ClientID, b.ClientID); v != 0 {
 			return v
 		}
 		return cmp.Compare(a.Key, b.Key)
 	})
 	return items, nil
 }
 // /api/clients/{key}
 func (c *Controller) APIClientDetail(ctx *httppkg.Context) (any, error) {
 	key := ctx.Param("key")
 	if key == "" {
 		return nil, fmt.Errorf("missing client key")
 	}
 	if c.clientRegistry == nil {
 		return nil, fmt.Errorf("client registry unavailable")
 	}
 	info, ok := c.clientRegistry.GetByKey(key)
 	if !ok {
 		return nil, httppkg.NewError(http.StatusNotFound, fmt.Sprintf("client %s not found", key))
 	}
 	return buildClientInfoResp(info), nil
 }
 // /api/proxy/:type
 func (c *Controller) APIProxyByType(ctx *httppkg.Context) (any, error) {
 	proxyType := ctx.Param("type")
 	proxyInfoResp := GetProxyInfoResp{}
 	proxyInfoResp.Proxies = c.getProxyStatsByType(proxyType)
 	slices.SortFunc(proxyInfoResp.Proxies, func(a, b *ProxyStatsInfo) int {
 		return cmp.Compare(a.Name, b.Name)
 	})
 	return proxyInfoResp, nil
 }
 // /api/proxy/:type/:name
 func (c *Controller) APIProxyByTypeAndName(ctx *httppkg.Context) (any, error) {
 	proxyType := ctx.Param("type")
 	name := ctx.Param("name")
 	proxyStatsResp, code, msg := c.getProxyStatsByTypeAndName(proxyType, name)
 	if code != 200 {
 		return nil, httppkg.NewError(code, msg)
 	}
 	return proxyStatsResp, nil
 }
 // /api/traffic/:name
 func (c *Controller) APIProxyTraffic(ctx *httppkg.Context) (any, error) {
 	name := ctx.Param("name")
 	trafficResp := GetProxyTrafficResp{}
 	trafficResp.Name = name
 	proxyTrafficInfo := mem.StatsCollector.GetProxyTraffic(name)
 	if proxyTrafficInfo == nil {
 		return nil, httppkg.NewError(http.StatusNotFound, "no proxy info found")
 	}
 	trafficResp.TrafficIn = proxyTrafficInfo.TrafficIn
 	trafficResp.TrafficOut = proxyTrafficInfo.TrafficOut
 	return trafficResp, nil
 }
 // /api/proxies/:name
 func (c *Controller) APIProxyByName(ctx *httppkg.Context) (any, error) {
 	name := ctx.Param("name")
 	ps := mem.StatsCollector.GetProxyByName(name)
 	if ps == nil {
 		return nil, httppkg.NewError(http.StatusNotFound, "no proxy info found")
 	}
 	proxyInfo := GetProxyStatsResp{
 		Name:            ps.Name,
 		User:            ps.User,
 		ClientID:        ps.ClientID,
 		TodayTrafficIn:  ps.TodayTrafficIn,
 		TodayTrafficOut: ps.TodayTrafficOut,
 		CurConns:        ps.CurConns,
 		LastStartTime:   ps.LastStartTime,
 		LastCloseTime:   ps.LastCloseTime,
 	}
 	if pxy, ok := c.pxyManager.GetByName(name); ok {
 		content, err := json.Marshal(pxy.GetConfigurer())
 		if err != nil {
 			log.Warnf("marshal proxy [%s] conf info error: %v", name, err)
 			return nil, httppkg.NewError(http.StatusBadRequest, "parse conf error")
 		}
 		proxyInfo.Conf = getConfByType(ps.Type)
 		if err = json.Unmarshal(content, &proxyInfo.Conf); err != nil {
 			log.Warnf("unmarshal proxy [%s] conf info error: %v", name, err)
 			return nil, httppkg.NewError(http.StatusBadRequest, "parse conf error")
 		}
 		proxyInfo.Status = "online"
 		c.fillProxyClientInfo(&proxyClientInfo{
 			clientVersion: &proxyInfo.ClientVersion,
 		}, pxy)
 	} else {
 		proxyInfo.Status = "offline"
 	}
 	return proxyInfo, nil
 }
 // DELETE /api/proxies?status=offline
 func (c *Controller) DeleteProxies(ctx *httppkg.Context) (any, error) {
 	status := ctx.Query("status")
 	if status != "offline" {
 		return nil, httppkg.NewError(http.StatusBadRequest, "status only support offline")
 	}
 	cleared, total := mem.StatsCollector.ClearOfflineProxies()
 	log.Infof("cleared [%d] offline proxies, total [%d] proxies", cleared, total)
 	return nil, nil
 }
 func (c *Controller) getProxyStatsByType(proxyType string) (proxyInfos []*ProxyStatsInfo) {
 	proxyStats := mem.StatsCollector.GetProxiesByType(proxyType)
 	proxyInfos = make([]*ProxyStatsInfo, 0, len(proxyStats))
 	for _, ps := range proxyStats {
 		proxyInfo := &ProxyStatsInfo{
 			User:     ps.User,
 			ClientID: ps.ClientID,
 		}
 		if pxy, ok := c.pxyManager.GetByName(ps.Name); ok {
 			content, err := json.Marshal(pxy.GetConfigurer())
 			if err != nil {
 				log.Warnf("marshal proxy [%s] conf info error: %v", ps.Name, err)
 				continue
 			}
 			proxyInfo.Conf = getConfByType(ps.Type)
 			if err = json.Unmarshal(content, &proxyInfo.Conf); err != nil {
 				log.Warnf("unmarshal proxy [%s] conf info error: %v", ps.Name, err)
 				continue
 			}
 			proxyInfo.Status = "online"
 			c.fillProxyClientInfo(&proxyClientInfo{
 				clientVersion: &proxyInfo.ClientVersion,
 			}, pxy)
 		} else {
 			proxyInfo.Status = "offline"
 		}
 		proxyInfo.Name = ps.Name
 		proxyInfo.TodayTrafficIn = ps.TodayTrafficIn
 		proxyInfo.TodayTrafficOut = ps.TodayTrafficOut
 		proxyInfo.CurConns = ps.CurConns
 		proxyInfo.LastStartTime = ps.LastStartTime
 		proxyInfo.LastCloseTime = ps.LastCloseTime
 		proxyInfos = append(proxyInfos, proxyInfo)
 	}
 	return
 }
 func (c *Controller) getProxyStatsByTypeAndName(proxyType string, proxyName string) (proxyInfo GetProxyStatsResp, code int, msg string) {
 	proxyInfo.Name = proxyName
 	ps := mem.StatsCollector.GetProxiesByTypeAndName(proxyType, proxyName)
 	if ps == nil {
 		code = 404
 		msg = "no proxy info found"
 	} else {
 		proxyInfo.User = ps.User
 		proxyInfo.ClientID = ps.ClientID
 		if pxy, ok := c.pxyManager.GetByName(proxyName); ok {
 			content, err := json.Marshal(pxy.GetConfigurer())
 			if err != nil {
 				log.Warnf("marshal proxy [%s] conf info error: %v", ps.Name, err)
 				code = 400
 				msg = "parse conf error"
 				return
 			}
 			proxyInfo.Conf = getConfByType(ps.Type)
 			if err = json.Unmarshal(content, &proxyInfo.Conf); err != nil {
 				log.Warnf("unmarshal proxy [%s] conf info error: %v", ps.Name, err)
 				code = 400
 				msg = "parse conf error"
 				return
 			}
 			proxyInfo.Status = "online"
 		} else {
 			proxyInfo.Status = "offline"
 		}
 		proxyInfo.TodayTrafficIn = ps.TodayTrafficIn
 		proxyInfo.TodayTrafficOut = ps.TodayTrafficOut
 		proxyInfo.CurConns = ps.CurConns
 		proxyInfo.LastStartTime = ps.LastStartTime
 		proxyInfo.LastCloseTime = ps.LastCloseTime
 		code = 200
 	}
 	return
 }
 func buildClientInfoResp(info registry.ClientInfo) ClientInfoResp {
 	resp := ClientInfoResp{
 		Key:              info.Key,
 		User:             info.User,
 		ClientID:         info.ClientID(),
 		RunID:            info.RunID,
 		Hostname:         info.Hostname,
 		ClientIP:         info.IP,
 		FirstConnectedAt: toUnix(info.FirstConnectedAt),
 		LastConnectedAt:  toUnix(info.LastConnectedAt),
 		Online:           info.Online,
 	}
 	if !info.DisconnectedAt.IsZero() {
 		resp.DisconnectedAt = info.DisconnectedAt.Unix()
 	}
 	return resp
 }
 type proxyClientInfo struct {
 	user          *string
 	clientID      *string
 	clientVersion *string
 }
 func (c *Controller) fillProxyClientInfo(proxyInfo *proxyClientInfo, pxy proxy.Proxy) {
 	loginMsg := pxy.GetLoginMsg()
 	if loginMsg == nil {
 		return
 	}
 	if proxyInfo.user != nil {
 		*proxyInfo.user = loginMsg.User
 	}
 	if proxyInfo.clientVersion != nil {
 		*proxyInfo.clientVersion = loginMsg.Version
 	}
 	if info, ok := c.clientRegistry.GetByRunID(loginMsg.RunID); ok {
 		if proxyInfo.clientID != nil {
 			*proxyInfo.clientID = info.ClientID()
 		}
 		return
 	}
 	if proxyInfo.clientID != nil {
 		*proxyInfo.clientID = loginMsg.ClientID
 		if *proxyInfo.clientID == "" {
 			*proxyInfo.clientID = loginMsg.RunID
 		}
 	}
 }
 func toUnix(t time.Time) int64 {
 	if t.IsZero() {
 		return 0
 	}
 	return t.Unix()
 }
 func matchStatusFilter(online bool, filter string) bool {
 	switch strings.ToLower(filter) {
 	case "", "all":
 		return true
 	case "online":
 		return online
 	case "offline":
 		return !online
 	default:
 		return true
 	}
 }
 func getConfByType(proxyType string) any {
 	switch v1.ProxyType(proxyType) {
 	case v1.ProxyTypeTCP:
 		return &TCPOutConf{}
 	case v1.ProxyTypeTCPMUX:
 		return &TCPMuxOutConf{}
 	case v1.ProxyTypeUDP:
 		return &UDPOutConf{}
 	case v1.ProxyTypeHTTP:
 		return &HTTPOutConf{}
 	case v1.ProxyTypeHTTPS:
 		return &HTTPSOutConf{}
 	case v1.ProxyTypeSTCP:
 		return &STCPOutConf{}
 	case v1.ProxyTypeXTCP:
 		return &XTCPOutConf{}
 	default:
 		return nil
 	}
 }
--- a/server/api/types.go
+++ b/server/api/types.go
@ -0,0 +1,136 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package api
 import (
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 )
 type ServerInfoResp struct {
 	Version               string `json:"version"`
 	BindPort              int    `json:"bindPort"`
 	VhostHTTPPort         int    `json:"vhostHTTPPort"`
 	VhostHTTPSPort        int    `json:"vhostHTTPSPort"`
 	TCPMuxHTTPConnectPort int    `json:"tcpmuxHTTPConnectPort"`
 	KCPBindPort           int    `json:"kcpBindPort"`
 	QUICBindPort          int    `json:"quicBindPort"`
 	SubdomainHost         string `json:"subdomainHost"`
 	MaxPoolCount          int64  `json:"maxPoolCount"`
 	MaxPortsPerClient     int64  `json:"maxPortsPerClient"`
 	HeartBeatTimeout      int64  `json:"heartbeatTimeout"`
 	AllowPortsStr         string `json:"allowPortsStr,omitempty"`
 	TLSForce              bool   `json:"tlsForce,omitempty"`
 	TotalTrafficIn  int64            `json:"totalTrafficIn"`
 	TotalTrafficOut int64            `json:"totalTrafficOut"`
 	CurConns        int64            `json:"curConns"`
 	ClientCounts    int64            `json:"clientCounts"`
 	ProxyTypeCounts map[string]int64 `json:"proxyTypeCount"`
 }
 type ClientInfoResp struct {
 	Key              string `json:"key"`
 	User             string `json:"user"`
 	ClientID         string `json:"clientID"`
 	RunID            string `json:"runID"`
 	Hostname         string `json:"hostname"`
 	ClientIP         string `json:"clientIP,omitempty"`
 	FirstConnectedAt int64  `json:"firstConnectedAt"`
 	LastConnectedAt  int64  `json:"lastConnectedAt"`
 	DisconnectedAt   int64  `json:"disconnectedAt,omitempty"`
 	Online           bool   `json:"online"`
 }
 type BaseOutConf struct {
 	v1.ProxyBaseConfig
 }
 type TCPOutConf struct {
 	BaseOutConf
 	RemotePort int `json:"remotePort"`
 }
 type TCPMuxOutConf struct {
 	BaseOutConf
 	v1.DomainConfig
 	Multiplexer     string `json:"multiplexer"`
 	RouteByHTTPUser string `json:"routeByHTTPUser"`
 }
 type UDPOutConf struct {
 	BaseOutConf
 	RemotePort int `json:"remotePort"`
 }
 type HTTPOutConf struct {
 	BaseOutConf
 	v1.DomainConfig
 	Locations         []string `json:"locations"`
 	HostHeaderRewrite string   `json:"hostHeaderRewrite"`
 }
 type HTTPSOutConf struct {
 	BaseOutConf
 	v1.DomainConfig
 }
 type STCPOutConf struct {
 	BaseOutConf
 }
 type XTCPOutConf struct {
 	BaseOutConf
 }
 // Get proxy info.
 type ProxyStatsInfo struct {
 	Name            string `json:"name"`
 	Conf            any    `json:"conf"`
 	User            string `json:"user,omitempty"`
 	ClientID        string `json:"clientID,omitempty"`
 	ClientVersion   string `json:"clientVersion,omitempty"`
 	TodayTrafficIn  int64  `json:"todayTrafficIn"`
 	TodayTrafficOut int64  `json:"todayTrafficOut"`
 	CurConns        int64  `json:"curConns"`
 	LastStartTime   string `json:"lastStartTime"`
 	LastCloseTime   string `json:"lastCloseTime"`
 	Status          string `json:"status"`
 }
 type GetProxyInfoResp struct {
 	Proxies []*ProxyStatsInfo `json:"proxies"`
 }
 // Get proxy info by name.
 type GetProxyStatsResp struct {
 	Name            string `json:"name"`
 	Conf            any    `json:"conf"`
 	User            string `json:"user,omitempty"`
 	ClientID        string `json:"clientID,omitempty"`
 	ClientVersion   string `json:"clientVersion,omitempty"`
 	TodayTrafficIn  int64  `json:"todayTrafficIn"`
 	TodayTrafficOut int64  `json:"todayTrafficOut"`
 	CurConns        int64  `json:"curConns"`
 	LastStartTime   string `json:"lastStartTime"`
 	LastCloseTime   string `json:"lastCloseTime"`
 	Status          string `json:"status"`
 }
 // /api/traffic/:name
 type GetProxyTrafficResp struct {
 	Name       string  `json:"name"`
 	TrafficIn  []int64 `json:"trafficIn"`
 	TrafficOut []int64 `json:"trafficOut"`
 }
--- a/server/control.go
+++ b/server/control.go
@ -40,6 +40,7 @@ import (
 	"github.com/fatedier/frp/server/controller"
 	"github.com/fatedier/frp/server/metrics"
 	"github.com/fatedier/frp/server/proxy"
 	"github.com/fatedier/frp/server/registry"
 )
 type ControlManager struct {
@ -106,6 +107,8 @@ type Control struct {
 	// verifies authentication based on selected method
 	authVerifier auth.Verifier
 	// key used for connection encryption
 	encryptionKey []byte
 	// other components can use this to communicate with client
 	msgTransporter transport.MessageTransporter
@ -145,6 +148,8 @@ type Control struct {
 	// Server configuration information
 	serverCfg *v1.ServerConfig
 	clientRegistry *registry.ClientRegistry
 	xl     *xlog.Logger
 	ctx    context.Context
 	doneCh chan struct{}
@ -157,6 +162,7 @@ func NewControl(
 	pxyManager *proxy.Manager,
 	pluginManager *plugin.Manager,
 	authVerifier auth.Verifier,
 	encryptionKey []byte,
 	ctlConn net.Conn,
 	ctlConnEncrypted bool,
 	loginMsg *msg.Login,
@ -171,6 +177,7 @@ func NewControl(
 		pxyManager:    pxyManager,
 		pluginManager: pluginManager,
 		authVerifier:  authVerifier,
 		encryptionKey: encryptionKey,
 		conn:          ctlConn,
 		loginMsg:      loginMsg,
 		workConnCh:    make(chan net.Conn, poolCount+10),
@ -186,7 +193,7 @@ func NewControl(
 	ctl.lastPing.Store(time.Now())
 	if ctlConnEncrypted {
-		cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, []byte(ctl.serverCfg.Auth.Token))
+		cryptoRW, err := netpkg.NewCryptoReadWriter(ctl.conn, ctl.encryptionKey)
 		if err != nil {
 			return nil, err
 		}
@ -195,7 +202,7 @@ func NewControl(
 		ctl.msgDispatcher = msg.NewDispatcher(ctl.conn)
 	}
 	ctl.registerMsgHandlers()
-	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher.SendChannel())
+	ctl.msgTransporter = transport.NewMessageTransporter(ctl.msgDispatcher)
 	return ctl, nil
 }
@ -354,6 +361,7 @@ func (ctl *Control) worker() {
 	}
 	metrics.Server.CloseClient()
 	ctl.clientRegistry.MarkOfflineByRunID(ctl.runID)
 	xl.Infof("client exit success")
 	close(ctl.doneCh)
 }
@ -397,7 +405,11 @@ func (ctl *Control) handleNewProxy(m msg.Message) {
 	} else {
 		resp.RemoteAddr = remoteAddr
 		xl.Infof("new proxy [%s] type [%s] success", inMsg.ProxyName, inMsg.ProxyType)
-		metrics.Server.NewProxy(inMsg.ProxyName, inMsg.ProxyType)
+		clientID := ctl.loginMsg.ClientID
 		if clientID == "" {
 			clientID = ctl.loginMsg.RunID
 		}
 		metrics.Server.NewProxy(inMsg.ProxyName, inMsg.ProxyType, ctl.loginMsg.User, clientID)
 	}
 	_ = ctl.msgDispatcher.Send(resp)
 }
@ -478,6 +490,7 @@ func (ctl *Control) RegisterProxy(pxyMsg *msg.NewProxy) (remoteAddr string, err
 		GetWorkConnFn:      ctl.GetWorkConn,
 		Configurer:         pxyConf,
 		ServerCfg:          ctl.serverCfg,
 		EncryptionKey:      ctl.encryptionKey,
 	})
 	if err != nil {
 		return remoteAddr, err
--- a/server/controller/resource.go
+++ b/server/controller/resource.go
@ -35,6 +35,9 @@ type ResourceController struct {
 	// HTTP Group Controller
 	HTTPGroupCtl *group.HTTPGroupController
 	// HTTPS Group Controller
 	HTTPSGroupCtl *group.HTTPSGroupController
 	// TCP Mux Group Controller
 	TCPMuxGroupCtl *group.TCPMuxGroupCtl
--- a/server/dashboard_api.go
+++ b/server/dashboard_api.go
@ -1,406 +0,0 @@
 // Copyright 2017 fatedier, fatedier@gmail.com
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package server
 import (
 	"cmp"
 	"encoding/json"
 	"net/http"
 	"slices"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/fatedier/frp/pkg/config/types"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/metrics/mem"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	"github.com/fatedier/frp/pkg/util/log"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 	"github.com/fatedier/frp/pkg/util/version"
 )
 type GeneralResponse struct {
 	Code int
 	Msg  string
 }
 func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper) {
 	helper.Router.HandleFunc("/healthz", svr.healthz)
 	subRouter := helper.Router.NewRoute().Subrouter()
 	subRouter.Use(helper.AuthMiddleware.Middleware)
 	// metrics
 	if svr.cfg.EnablePrometheus {
 		subRouter.Handle("/metrics", promhttp.Handler())
 	}
 	// apis
 	subRouter.HandleFunc("/api/serverinfo", svr.apiServerInfo).Methods("GET")
 	subRouter.HandleFunc("/api/proxy/{type}", svr.apiProxyByType).Methods("GET")
 	subRouter.HandleFunc("/api/proxy/{type}/{name}", svr.apiProxyByTypeAndName).Methods("GET")
 	subRouter.HandleFunc("/api/traffic/{name}", svr.apiProxyTraffic).Methods("GET")
 	subRouter.HandleFunc("/api/proxies", svr.deleteProxies).Methods("DELETE")
 	// view
 	subRouter.Handle("/favicon.ico", http.FileServer(helper.AssetsFS)).Methods("GET")
 	subRouter.PathPrefix("/static/").Handler(
 		netpkg.MakeHTTPGzipHandler(http.StripPrefix("/static/", http.FileServer(helper.AssetsFS))),
 	).Methods("GET")
 	subRouter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/static/", http.StatusMovedPermanently)
 	})
 }
 type serverInfoResp struct {
 	Version               string `json:"version"`
 	BindPort              int    `json:"bindPort"`
 	VhostHTTPPort         int    `json:"vhostHTTPPort"`
 	VhostHTTPSPort        int    `json:"vhostHTTPSPort"`
 	TCPMuxHTTPConnectPort int    `json:"tcpmuxHTTPConnectPort"`
 	KCPBindPort           int    `json:"kcpBindPort"`
 	QUICBindPort          int    `json:"quicBindPort"`
 	SubdomainHost         string `json:"subdomainHost"`
 	MaxPoolCount          int64  `json:"maxPoolCount"`
 	MaxPortsPerClient     int64  `json:"maxPortsPerClient"`
 	HeartBeatTimeout      int64  `json:"heartbeatTimeout"`
 	AllowPortsStr         string `json:"allowPortsStr,omitempty"`
 	TLSForce              bool   `json:"tlsForce,omitempty"`
 	TotalTrafficIn  int64            `json:"totalTrafficIn"`
 	TotalTrafficOut int64            `json:"totalTrafficOut"`
 	CurConns        int64            `json:"curConns"`
 	ClientCounts    int64            `json:"clientCounts"`
 	ProxyTypeCounts map[string]int64 `json:"proxyTypeCount"`
 }
 // /healthz
 func (svr *Service) healthz(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(200)
 }
 // /api/serverinfo
 func (svr *Service) apiServerInfo(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	defer func() {
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	log.Infof("http request: [%s]", r.URL.Path)
 	serverStats := mem.StatsCollector.GetServer()
 	svrResp := serverInfoResp{
 		Version:               version.Full(),
 		BindPort:              svr.cfg.BindPort,
 		VhostHTTPPort:         svr.cfg.VhostHTTPPort,
 		VhostHTTPSPort:        svr.cfg.VhostHTTPSPort,
 		TCPMuxHTTPConnectPort: svr.cfg.TCPMuxHTTPConnectPort,
 		KCPBindPort:           svr.cfg.KCPBindPort,
 		QUICBindPort:          svr.cfg.QUICBindPort,
 		SubdomainHost:         svr.cfg.SubDomainHost,
 		MaxPoolCount:          svr.cfg.Transport.MaxPoolCount,
 		MaxPortsPerClient:     svr.cfg.MaxPortsPerClient,
 		HeartBeatTimeout:      svr.cfg.Transport.HeartbeatTimeout,
 		AllowPortsStr:         types.PortsRangeSlice(svr.cfg.AllowPorts).String(),
 		TLSForce:              svr.cfg.Transport.TLS.Force,
 		TotalTrafficIn:  serverStats.TotalTrafficIn,
 		TotalTrafficOut: serverStats.TotalTrafficOut,
 		CurConns:        serverStats.CurConns,
 		ClientCounts:    serverStats.ClientCounts,
 		ProxyTypeCounts: serverStats.ProxyTypeCounts,
 	}
 	buf, _ := json.Marshal(&svrResp)
 	res.Msg = string(buf)
 }
 type BaseOutConf struct {
 	v1.ProxyBaseConfig
 }
 type TCPOutConf struct {
 	BaseOutConf
 	RemotePort int `json:"remotePort"`
 }
 type TCPMuxOutConf struct {
 	BaseOutConf
 	v1.DomainConfig
 	Multiplexer     string `json:"multiplexer"`
 	RouteByHTTPUser string `json:"routeByHTTPUser"`
 }
 type UDPOutConf struct {
 	BaseOutConf
 	RemotePort int `json:"remotePort"`
 }
 type HTTPOutConf struct {
 	BaseOutConf
 	v1.DomainConfig
 	Locations         []string `json:"locations"`
 	HostHeaderRewrite string   `json:"hostHeaderRewrite"`
 }
 type HTTPSOutConf struct {
 	BaseOutConf
 	v1.DomainConfig
 }
 type STCPOutConf struct {
 	BaseOutConf
 }
 type XTCPOutConf struct {
 	BaseOutConf
 }
 func getConfByType(proxyType string) any {
 	switch v1.ProxyType(proxyType) {
 	case v1.ProxyTypeTCP:
 		return &TCPOutConf{}
 	case v1.ProxyTypeTCPMUX:
 		return &TCPMuxOutConf{}
 	case v1.ProxyTypeUDP:
 		return &UDPOutConf{}
 	case v1.ProxyTypeHTTP:
 		return &HTTPOutConf{}
 	case v1.ProxyTypeHTTPS:
 		return &HTTPSOutConf{}
 	case v1.ProxyTypeSTCP:
 		return &STCPOutConf{}
 	case v1.ProxyTypeXTCP:
 		return &XTCPOutConf{}
 	default:
 		return nil
 	}
 }
 // Get proxy info.
 type ProxyStatsInfo struct {
 	Name            string `json:"name"`
 	Conf            any    `json:"conf"`
 	ClientVersion   string `json:"clientVersion,omitempty"`
 	TodayTrafficIn  int64  `json:"todayTrafficIn"`
 	TodayTrafficOut int64  `json:"todayTrafficOut"`
 	CurConns        int64  `json:"curConns"`
 	LastStartTime   string `json:"lastStartTime"`
 	LastCloseTime   string `json:"lastCloseTime"`
 	Status          string `json:"status"`
 }
 type GetProxyInfoResp struct {
 	Proxies []*ProxyStatsInfo `json:"proxies"`
 }
 // /api/proxy/:type
 func (svr *Service) apiProxyByType(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	params := mux.Vars(r)
 	proxyType := params["type"]
 	defer func() {
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	log.Infof("http request: [%s]", r.URL.Path)
 	proxyInfoResp := GetProxyInfoResp{}
 	proxyInfoResp.Proxies = svr.getProxyStatsByType(proxyType)
 	slices.SortFunc(proxyInfoResp.Proxies, func(a, b *ProxyStatsInfo) int {
 		return cmp.Compare(a.Name, b.Name)
 	})
 	buf, _ := json.Marshal(&proxyInfoResp)
 	res.Msg = string(buf)
 }
 func (svr *Service) getProxyStatsByType(proxyType string) (proxyInfos []*ProxyStatsInfo) {
 	proxyStats := mem.StatsCollector.GetProxiesByType(proxyType)
 	proxyInfos = make([]*ProxyStatsInfo, 0, len(proxyStats))
 	for _, ps := range proxyStats {
 		proxyInfo := &ProxyStatsInfo{}
 		if pxy, ok := svr.pxyManager.GetByName(ps.Name); ok {
 			content, err := json.Marshal(pxy.GetConfigurer())
 			if err != nil {
 				log.Warnf("marshal proxy [%s] conf info error: %v", ps.Name, err)
 				continue
 			}
 			proxyInfo.Conf = getConfByType(ps.Type)
 			if err = json.Unmarshal(content, &proxyInfo.Conf); err != nil {
 				log.Warnf("unmarshal proxy [%s] conf info error: %v", ps.Name, err)
 				continue
 			}
 			proxyInfo.Status = "online"
 			if pxy.GetLoginMsg() != nil {
 				proxyInfo.ClientVersion = pxy.GetLoginMsg().Version
 			}
 		} else {
 			proxyInfo.Status = "offline"
 		}
 		proxyInfo.Name = ps.Name
 		proxyInfo.TodayTrafficIn = ps.TodayTrafficIn
 		proxyInfo.TodayTrafficOut = ps.TodayTrafficOut
 		proxyInfo.CurConns = ps.CurConns
 		proxyInfo.LastStartTime = ps.LastStartTime
 		proxyInfo.LastCloseTime = ps.LastCloseTime
 		proxyInfos = append(proxyInfos, proxyInfo)
 	}
 	return
 }
 // Get proxy info by name.
 type GetProxyStatsResp struct {
 	Name            string `json:"name"`
 	Conf            any    `json:"conf"`
 	TodayTrafficIn  int64  `json:"todayTrafficIn"`
 	TodayTrafficOut int64  `json:"todayTrafficOut"`
 	CurConns        int64  `json:"curConns"`
 	LastStartTime   string `json:"lastStartTime"`
 	LastCloseTime   string `json:"lastCloseTime"`
 	Status          string `json:"status"`
 }
 // /api/proxy/:type/:name
 func (svr *Service) apiProxyByTypeAndName(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	params := mux.Vars(r)
 	proxyType := params["type"]
 	name := params["name"]
 	defer func() {
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	log.Infof("http request: [%s]", r.URL.Path)
 	var proxyStatsResp GetProxyStatsResp
 	proxyStatsResp, res.Code, res.Msg = svr.getProxyStatsByTypeAndName(proxyType, name)
 	if res.Code != 200 {
 		return
 	}
 	buf, _ := json.Marshal(&proxyStatsResp)
 	res.Msg = string(buf)
 }
 func (svr *Service) getProxyStatsByTypeAndName(proxyType string, proxyName string) (proxyInfo GetProxyStatsResp, code int, msg string) {
 	proxyInfo.Name = proxyName
 	ps := mem.StatsCollector.GetProxiesByTypeAndName(proxyType, proxyName)
 	if ps == nil {
 		code = 404
 		msg = "no proxy info found"
 	} else {
 		if pxy, ok := svr.pxyManager.GetByName(proxyName); ok {
 			content, err := json.Marshal(pxy.GetConfigurer())
 			if err != nil {
 				log.Warnf("marshal proxy [%s] conf info error: %v", ps.Name, err)
 				code = 400
 				msg = "parse conf error"
 				return
 			}
 			proxyInfo.Conf = getConfByType(ps.Type)
 			if err = json.Unmarshal(content, &proxyInfo.Conf); err != nil {
 				log.Warnf("unmarshal proxy [%s] conf info error: %v", ps.Name, err)
 				code = 400
 				msg = "parse conf error"
 				return
 			}
 			proxyInfo.Status = "online"
 		} else {
 			proxyInfo.Status = "offline"
 		}
 		proxyInfo.TodayTrafficIn = ps.TodayTrafficIn
 		proxyInfo.TodayTrafficOut = ps.TodayTrafficOut
 		proxyInfo.CurConns = ps.CurConns
 		proxyInfo.LastStartTime = ps.LastStartTime
 		proxyInfo.LastCloseTime = ps.LastCloseTime
 		code = 200
 	}
 	return
 }
 // /api/traffic/:name
 type GetProxyTrafficResp struct {
 	Name       string  `json:"name"`
 	TrafficIn  []int64 `json:"trafficIn"`
 	TrafficOut []int64 `json:"trafficOut"`
 }
 func (svr *Service) apiProxyTraffic(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	params := mux.Vars(r)
 	name := params["name"]
 	defer func() {
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	log.Infof("http request: [%s]", r.URL.Path)
 	trafficResp := GetProxyTrafficResp{}
 	trafficResp.Name = name
 	proxyTrafficInfo := mem.StatsCollector.GetProxyTraffic(name)
 	if proxyTrafficInfo == nil {
 		res.Code = 404
 		res.Msg = "no proxy info found"
 		return
 	}
 	trafficResp.TrafficIn = proxyTrafficInfo.TrafficIn
 	trafficResp.TrafficOut = proxyTrafficInfo.TrafficOut
 	buf, _ := json.Marshal(&trafficResp)
 	res.Msg = string(buf)
 }
 // DELETE /api/proxies?status=offline
 func (svr *Service) deleteProxies(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	log.Infof("http request: [%s]", r.URL.Path)
 	defer func() {
 		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
 	status := r.URL.Query().Get("status")
 	if status != "offline" {
 		res.Code = 400
 		res.Msg = "status only support offline"
 		return
 	}
 	cleared, total := mem.StatsCollector.ClearOfflineProxies()
 	log.Infof("cleared [%d] offline proxies, total [%d] proxies", cleared, total)
 }
--- a/server/group/https.go
+++ b/server/group/https.go
@ -0,0 +1,197 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package group
 import (
 	"context"
 	"net"
 	"sync"
 	gerr "github.com/fatedier/golib/errors"
 	"github.com/fatedier/frp/pkg/util/vhost"
 )
 type HTTPSGroupController struct {
 	groups map[string]*HTTPSGroup
 	httpsMuxer *vhost.HTTPSMuxer
 	mu sync.Mutex
 }
 func NewHTTPSGroupController(httpsMuxer *vhost.HTTPSMuxer) *HTTPSGroupController {
 	return &HTTPSGroupController{
 		groups:     make(map[string]*HTTPSGroup),
 		httpsMuxer: httpsMuxer,
 	}
 }
 func (ctl *HTTPSGroupController) Listen(
 	ctx context.Context,
 	group, groupKey string,
 	routeConfig vhost.RouteConfig,
 ) (l net.Listener, err error) {
 	indexKey := group
 	ctl.mu.Lock()
 	g, ok := ctl.groups[indexKey]
 	if !ok {
 		g = NewHTTPSGroup(ctl)
 		ctl.groups[indexKey] = g
 	}
 	ctl.mu.Unlock()
 	return g.Listen(ctx, group, groupKey, routeConfig)
 }
 func (ctl *HTTPSGroupController) RemoveGroup(group string) {
 	ctl.mu.Lock()
 	defer ctl.mu.Unlock()
 	delete(ctl.groups, group)
 }
 type HTTPSGroup struct {
 	group    string
 	groupKey string
 	domain   string
 	acceptCh chan net.Conn
 	httpsLn  *vhost.Listener
 	lns      []*HTTPSGroupListener
 	ctl      *HTTPSGroupController
 	mu       sync.Mutex
 }
 func NewHTTPSGroup(ctl *HTTPSGroupController) *HTTPSGroup {
 	return &HTTPSGroup{
 		lns:      make([]*HTTPSGroupListener, 0),
 		ctl:      ctl,
 		acceptCh: make(chan net.Conn),
 	}
 }
 func (g *HTTPSGroup) Listen(
 	ctx context.Context,
 	group, groupKey string,
 	routeConfig vhost.RouteConfig,
 ) (ln *HTTPSGroupListener, err error) {
 	g.mu.Lock()
 	defer g.mu.Unlock()
 	if len(g.lns) == 0 {
 		// the first listener, listen on the real address
 		httpsLn, errRet := g.ctl.httpsMuxer.Listen(ctx, &routeConfig)
 		if errRet != nil {
 			return nil, errRet
 		}
 		ln = newHTTPSGroupListener(group, g, httpsLn.Addr())
 		g.group = group
 		g.groupKey = groupKey
 		g.domain = routeConfig.Domain
 		g.httpsLn = httpsLn
 		g.lns = append(g.lns, ln)
 		go g.worker()
 	} else {
 		// route config in the same group must be equal
 		if g.group != group || g.domain != routeConfig.Domain {
 			return nil, ErrGroupParamsInvalid
 		}
 		if g.groupKey != groupKey {
 			return nil, ErrGroupAuthFailed
 		}
 		ln = newHTTPSGroupListener(group, g, g.lns[0].Addr())
 		g.lns = append(g.lns, ln)
 	}
 	return
 }
 func (g *HTTPSGroup) worker() {
 	for {
 		c, err := g.httpsLn.Accept()
 		if err != nil {
 			return
 		}
 		err = gerr.PanicToError(func() {
 			g.acceptCh <- c
 		})
 		if err != nil {
 			return
 		}
 	}
 }
 func (g *HTTPSGroup) Accept() <-chan net.Conn {
 	return g.acceptCh
 }
 func (g *HTTPSGroup) CloseListener(ln *HTTPSGroupListener) {
 	g.mu.Lock()
 	defer g.mu.Unlock()
 	for i, tmpLn := range g.lns {
 		if tmpLn == ln {
 			g.lns = append(g.lns[:i], g.lns[i+1:]...)
 			break
 		}
 	}
 	if len(g.lns) == 0 {
 		close(g.acceptCh)
 		if g.httpsLn != nil {
 			g.httpsLn.Close()
 		}
 		g.ctl.RemoveGroup(g.group)
 	}
 }
 type HTTPSGroupListener struct {
 	groupName string
 	group     *HTTPSGroup
 	addr    net.Addr
 	closeCh chan struct{}
 }
 func newHTTPSGroupListener(name string, group *HTTPSGroup, addr net.Addr) *HTTPSGroupListener {
 	return &HTTPSGroupListener{
 		groupName: name,
 		group:     group,
 		addr:      addr,
 		closeCh:   make(chan struct{}),
 	}
 }
 func (ln *HTTPSGroupListener) Accept() (c net.Conn, err error) {
 	var ok bool
 	select {
 	case <-ln.closeCh:
 		return nil, ErrListenerClosed
 	case c, ok = <-ln.group.Accept():
 		if !ok {
 			return nil, ErrListenerClosed
 		}
 		return c, nil
 	}
 }
 func (ln *HTTPSGroupListener) Addr() net.Addr {
 	return ln.addr
 }
 func (ln *HTTPSGroupListener) Close() (err error) {
 	close(ln.closeCh)
 	// remove self from HTTPSGroup
 	ln.group.CloseListener(ln)
 	return
 }
--- a/server/metrics/metrics.go
+++ b/server/metrics/metrics.go
@ -7,7 +7,7 @@ import (
 type ServerMetrics interface {
 	NewClient()
 	CloseClient()
-	NewProxy(name string, proxyType string)
+	NewProxy(name string, proxyType string, user string, clientID string)
 	CloseProxy(name string, proxyType string)
 	OpenConnection(name string, proxyType string)
 	CloseConnection(name string, proxyType string)
@ -27,11 +27,11 @@ func Register(m ServerMetrics) {
 type noopServerMetrics struct{}
-func (noopServerMetrics) NewClient()                          {}
+func (noopServerMetrics) NewClient()                              {}
-func (noopServerMetrics) CloseClient()                        {}
+func (noopServerMetrics) CloseClient()                            {}
-func (noopServerMetrics) NewProxy(string, string)             {}
+func (noopServerMetrics) NewProxy(string, string, string, string) {}
-func (noopServerMetrics) CloseProxy(string, string)           {}
+func (noopServerMetrics) CloseProxy(string, string)               {}
-func (noopServerMetrics) OpenConnection(string, string)       {}
+func (noopServerMetrics) OpenConnection(string, string)           {}
-func (noopServerMetrics) CloseConnection(string, string)      {}
+func (noopServerMetrics) CloseConnection(string, string)          {}
-func (noopServerMetrics) AddTrafficIn(string, string, int64)  {}
+func (noopServerMetrics) AddTrafficIn(string, string, int64)      {}
-func (noopServerMetrics) AddTrafficOut(string, string, int64) {}
+func (noopServerMetrics) AddTrafficOut(string, string, int64)     {}
--- a/server/proxy/http.go
+++ b/server/proxy/http.go
@ -165,7 +165,7 @@ func (pxy *HTTPProxy) GetRealConn(remoteAddr string) (workConn net.Conn, err err
 	var rwc io.ReadWriteCloser = tmpConn
 	if pxy.cfg.Transport.UseEncryption {
-		rwc, err = libio.WithEncryption(rwc, []byte(pxy.serverCfg.Auth.Token))
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			return
--- a/server/proxy/https.go
+++ b/server/proxy/https.go
@ -15,6 +15,7 @@
 package proxy
 import (
 	"net"
 	"reflect"
 	"strings"
@ -58,27 +59,24 @@ func (pxy *HTTPSProxy) Run() (remoteAddr string, err error) {
 			continue
 		}
-		routeConfig.Domain = domain
+		l, err := pxy.listenForDomain(routeConfig, domain)
-		l, errRet := pxy.rc.VhostHTTPSMuxer.Listen(pxy.ctx, routeConfig)
+		if err != nil {
-		if errRet != nil {
+			return "", err
 			err = errRet
 			return
 		}
 		xl.Infof("https proxy listen for host [%s]", routeConfig.Domain)
 		pxy.listeners = append(pxy.listeners, l)
-		addrs = append(addrs, util.CanonicalAddr(routeConfig.Domain, pxy.serverCfg.VhostHTTPSPort))
+		addrs = append(addrs, util.CanonicalAddr(domain, pxy.serverCfg.VhostHTTPSPort))
 		xl.Infof("https proxy listen for host [%s] group [%s]", domain, pxy.cfg.LoadBalancer.Group)
 	}
 	if pxy.cfg.SubDomain != "" {
-		routeConfig.Domain = pxy.cfg.SubDomain + "." + pxy.serverCfg.SubDomainHost
+		domain := pxy.cfg.SubDomain + "." + pxy.serverCfg.SubDomainHost
-		l, errRet := pxy.rc.VhostHTTPSMuxer.Listen(pxy.ctx, routeConfig)
+		l, err := pxy.listenForDomain(routeConfig, domain)
-		if errRet != nil {
+		if err != nil {
-			err = errRet
+			return "", err
 			return
 		}
 		xl.Infof("https proxy listen for host [%s]", routeConfig.Domain)
 		pxy.listeners = append(pxy.listeners, l)
-		addrs = append(addrs, util.CanonicalAddr(routeConfig.Domain, pxy.serverCfg.VhostHTTPSPort))
+		addrs = append(addrs, util.CanonicalAddr(domain, pxy.serverCfg.VhostHTTPSPort))
 		xl.Infof("https proxy listen for host [%s] group [%s]", domain, pxy.cfg.LoadBalancer.Group)
 	}
 	pxy.startCommonTCPListenersHandler()
@ -89,3 +87,18 @@ func (pxy *HTTPSProxy) Run() (remoteAddr string, err error) {
 func (pxy *HTTPSProxy) Close() {
 	pxy.BaseProxy.Close()
 }
 func (pxy *HTTPSProxy) listenForDomain(routeConfig *vhost.RouteConfig, domain string) (net.Listener, error) {
 	tmpRouteConfig := *routeConfig
 	tmpRouteConfig.Domain = domain
 	if pxy.cfg.LoadBalancer.Group != "" {
 		return pxy.rc.HTTPSGroupCtl.Listen(
 			pxy.ctx,
 			pxy.cfg.LoadBalancer.Group,
 			pxy.cfg.LoadBalancer.GroupKey,
 			tmpRouteConfig,
 		)
 	}
 	return pxy.rc.VhostHTTPSMuxer.Listen(pxy.ctx, &tmpRouteConfig)
 }
--- a/server/proxy/proxy.go
+++ b/server/proxy/proxy.go
@ -68,6 +68,7 @@ type BaseProxy struct {
 	poolCount     int
 	getWorkConnFn GetWorkConnFn
 	serverCfg     *v1.ServerConfig
 	encryptionKey []byte
 	limiter       *rate.Limiter
 	userInfo      plugin.UserInfo
 	loginMsg      *msg.Login
@ -213,7 +214,6 @@ func (pxy *BaseProxy) handleUserTCPConnection(userConn net.Conn) {
 	xl := xlog.FromContextSafe(pxy.Context())
 	defer userConn.Close()
 	serverCfg := pxy.serverCfg
 	cfg := pxy.configurer.GetBaseConfig()
 	// server plugin hook
 	rc := pxy.GetResourceController()
@ -240,7 +240,7 @@ func (pxy *BaseProxy) handleUserTCPConnection(userConn net.Conn) {
 	xl.Tracef("handler user tcp connection, use_encryption: %t, use_compression: %t",
 		cfg.Transport.UseEncryption, cfg.Transport.UseCompression)
 	if cfg.Transport.UseEncryption {
-		local, err = libio.WithEncryption(local, []byte(serverCfg.Auth.Token))
+		local, err = libio.WithEncryption(local, pxy.encryptionKey)
 		if err != nil {
 			xl.Errorf("create encryption stream error: %v", err)
 			return
@ -279,6 +279,7 @@ type Options struct {
 	GetWorkConnFn      GetWorkConnFn
 	Configurer         v1.ProxyConfigurer
 	ServerCfg          *v1.ServerConfig
 	EncryptionKey      []byte
 }
 func NewProxy(ctx context.Context, options *Options) (pxy Proxy, err error) {
@ -298,6 +299,7 @@ func NewProxy(ctx context.Context, options *Options) (pxy Proxy, err error) {
 		poolCount:     options.PoolCount,
 		getWorkConnFn: options.GetWorkConnFn,
 		serverCfg:     options.ServerCfg,
 		encryptionKey: options.EncryptionKey,
 		limiter:       limiter,
 		xl:            xl,
 		ctx:           xlog.NewContext(ctx, xl),
--- a/server/proxy/udp.go
+++ b/server/proxy/udp.go
@ -205,7 +205,7 @@ func (pxy *UDPProxy) Run() (remoteAddr string, err error) {
 			var rwc io.ReadWriteCloser = workConn
 			if pxy.cfg.Transport.UseEncryption {
-				rwc, err = libio.WithEncryption(rwc, []byte(pxy.serverCfg.Auth.Token))
+				rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
 				if err != nil {
 					xl.Errorf("create encryption stream error: %v", err)
 					workConn.Close()
--- a/server/registry/registry.go
+++ b/server/registry/registry.go
@ -0,0 +1,179 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package registry
 import (
 	"fmt"
 	"sync"
 	"time"
 )
 // ClientInfo captures metadata about a connected frpc instance.
 type ClientInfo struct {
 	Key              string
 	User             string
 	RawClientID      string
 	RunID            string
 	Hostname         string
 	IP               string
 	FirstConnectedAt time.Time
 	LastConnectedAt  time.Time
 	DisconnectedAt   time.Time
 	Online           bool
 }
 // ClientRegistry keeps track of active clients keyed by "{user}.{clientID}" (runID fallback when raw clientID is empty).
 // Entries without an explicit raw clientID are removed on disconnect to avoid stale offline records.
 type ClientRegistry struct {
 	mu       sync.RWMutex
 	clients  map[string]*ClientInfo
 	runIndex map[string]string
 }
 func NewClientRegistry() *ClientRegistry {
 	return &ClientRegistry{
 		clients:  make(map[string]*ClientInfo),
 		runIndex: make(map[string]string),
 	}
 }
 // Register stores/updates metadata for a client and returns the registry key plus whether it conflicts with an online client.
 func (cr *ClientRegistry) Register(user, rawClientID, runID, hostname, remoteAddr string) (key string, conflict bool) {
 	if runID == "" {
 		return "", false
 	}
 	effectiveID := rawClientID
 	if effectiveID == "" {
 		effectiveID = runID
 	}
 	key = cr.composeClientKey(user, effectiveID)
 	enforceUnique := rawClientID != ""
 	now := time.Now()
 	cr.mu.Lock()
 	defer cr.mu.Unlock()
 	info, exists := cr.clients[key]
 	if enforceUnique && exists && info.Online && info.RunID != "" && info.RunID != runID {
 		return key, true
 	}
 	if !exists {
 		info = &ClientInfo{
 			Key:              key,
 			User:             user,
 			FirstConnectedAt: now,
 		}
 		cr.clients[key] = info
 	} else if info.RunID != "" {
 		delete(cr.runIndex, info.RunID)
 	}
 	info.RawClientID = rawClientID
 	info.RunID = runID
 	info.Hostname = hostname
 	info.IP = remoteAddr
 	if info.FirstConnectedAt.IsZero() {
 		info.FirstConnectedAt = now
 	}
 	info.LastConnectedAt = now
 	info.DisconnectedAt = time.Time{}
 	info.Online = true
 	cr.runIndex[runID] = key
 	return key, false
 }
 // MarkOfflineByRunID marks the client as offline when the corresponding control disconnects.
 func (cr *ClientRegistry) MarkOfflineByRunID(runID string) {
 	cr.mu.Lock()
 	defer cr.mu.Unlock()
 	key, ok := cr.runIndex[runID]
 	if !ok {
 		return
 	}
 	if info, ok := cr.clients[key]; ok && info.RunID == runID {
 		if info.RawClientID == "" {
 			delete(cr.clients, key)
 		} else {
 			info.RunID = ""
 			info.Online = false
 			now := time.Now()
 			info.DisconnectedAt = now
 		}
 	}
 	delete(cr.runIndex, runID)
 }
 // List returns a snapshot of all known clients.
 func (cr *ClientRegistry) List() []ClientInfo {
 	cr.mu.RLock()
 	defer cr.mu.RUnlock()
 	result := make([]ClientInfo, 0, len(cr.clients))
 	for _, info := range cr.clients {
 		result = append(result, *info)
 	}
 	return result
 }
 // GetByKey retrieves a client by its composite key ({user}.{clientID} with runID fallback).
 func (cr *ClientRegistry) GetByKey(key string) (ClientInfo, bool) {
 	cr.mu.RLock()
 	defer cr.mu.RUnlock()
 	info, ok := cr.clients[key]
 	if !ok {
 		return ClientInfo{}, false
 	}
 	return *info, true
 }
 // ClientID returns the resolved client identifier for external use.
 func (info ClientInfo) ClientID() string {
 	if info.RawClientID != "" {
 		return info.RawClientID
 	}
 	return info.RunID
 }
 // GetByRunID retrieves a client by its run ID.
 func (cr *ClientRegistry) GetByRunID(runID string) (ClientInfo, bool) {
 	cr.mu.RLock()
 	defer cr.mu.RUnlock()
 	key, ok := cr.runIndex[runID]
 	if !ok {
 		return ClientInfo{}, false
 	}
 	info, ok := cr.clients[key]
 	if !ok {
 		return ClientInfo{}, false
 	}
 	return *info, true
 }
 func (cr *ClientRegistry) composeClientKey(user, id string) string {
 	switch {
 	case user == "":
 		return id
 	case id == "":
 		return user
 	default:
 		return fmt.Sprintf("%s.%s", user, id)
 	}
 }
--- a/server/service.go
+++ b/server/service.go
@ -19,7 +19,6 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"os"
@ -29,6 +28,7 @@ import (
 	"github.com/fatedier/golib/crypto"
 	"github.com/fatedier/golib/net/mux"
 	fmux "github.com/hashicorp/yamux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	quic "github.com/quic-go/quic-go"
 	"github.com/samber/lo"
@ -48,11 +48,13 @@ import (
 	"github.com/fatedier/frp/pkg/util/version"
 	"github.com/fatedier/frp/pkg/util/vhost"
 	"github.com/fatedier/frp/pkg/util/xlog"
 	"github.com/fatedier/frp/server/api"
 	"github.com/fatedier/frp/server/controller"
 	"github.com/fatedier/frp/server/group"
 	"github.com/fatedier/frp/server/metrics"
 	"github.com/fatedier/frp/server/ports"
 	"github.com/fatedier/frp/server/proxy"
 	"github.com/fatedier/frp/server/registry"
 	"github.com/fatedier/frp/server/visitor"
 )
@ -97,6 +99,9 @@ type Service struct {
 	// Manage all controllers
 	ctlManager *ControlManager
 	// Track logical clients keyed by user.clientID (runID fallback when raw clientID is empty).
 	clientRegistry *registry.ClientRegistry
 	// Manage all proxies
 	pxyManager *proxy.Manager
@ -114,8 +119,8 @@ type Service struct {
 	sshTunnelGateway *ssh.Gateway
-	// Verifies authentication based on selected method
+	// Auth runtime and encryption materials
-	authVerifier auth.Verifier
+	auth *auth.ServerAuth
 	tlsConfig *tls.Config
@ -150,10 +155,16 @@ func NewService(cfg *v1.ServerConfig) (*Service, error) {
 		}
 	}
 	authRuntime, err := auth.BuildServerAuth(&cfg.Auth)
 	if err != nil {
 		return nil, err
 	}
 	svr := &Service{
-		ctlManager:    NewControlManager(),
+		ctlManager:     NewControlManager(),
-		pxyManager:    proxy.NewManager(),
+		clientRegistry: registry.NewClientRegistry(),
-		pluginManager: plugin.NewManager(),
+		pxyManager:     proxy.NewManager(),
 		pluginManager:  plugin.NewManager(),
 		rc: &controller.ResourceController{
 			VisitorManager: visitor.NewManager(),
 			TCPPortManager: ports.NewManager("tcp", cfg.ProxyBindAddr, cfg.AllowPorts),
@ -161,7 +172,7 @@ func NewService(cfg *v1.ServerConfig) (*Service, error) {
 		},
 		sshTunnelListener: netpkg.NewInternalListener(),
 		httpVhostRouter:   vhost.NewRouters(),
-		authVerifier:      auth.NewAuthVerifier(cfg.Auth),
+		auth:              authRuntime,
 		webServer:         webServer,
 		tlsConfig:         tlsConfig,
 		cfg:               cfg,
@ -323,6 +334,9 @@ func NewService(cfg *v1.ServerConfig) (*Service, error) {
 		if err != nil {
 			return nil, fmt.Errorf("create vhost httpsMuxer error, %v", err)
 		}
 		// Init HTTPS group controller after HTTPSMuxer is created
 		svr.rc.HTTPSGroupCtl = group.NewHTTPSGroupController(svr.rc.VhostHTTPSMuxer)
 	}
 	// frp tls listener
@ -516,7 +530,8 @@ func (svr *Service) HandleListener(l net.Listener, internal bool) {
 			if lo.FromPtr(svr.cfg.Transport.TCPMux) && !internal {
 				fmuxCfg := fmux.DefaultConfig()
 				fmuxCfg.KeepAliveInterval = time.Duration(svr.cfg.Transport.TCPMuxKeepaliveInterval) * time.Second
-				fmuxCfg.LogOutput = io.Discard
+				// Use trace level for yamux logs
 				fmuxCfg.LogOutput = xlog.NewTraceWriter(xlog.FromContextSafe(ctx))
 				fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
 				session, err := fmux.Server(frpConn, fmuxCfg)
 				if err != nil {
@ -583,7 +598,7 @@ func (svr *Service) RegisterControl(ctlConn net.Conn, loginMsg *msg.Login, inter
 		ctlConn.RemoteAddr().String(), loginMsg.Version, loginMsg.Hostname, loginMsg.Os, loginMsg.Arch)
 	// Check auth.
-	authVerifier := svr.authVerifier
+	authVerifier := svr.auth.Verifier
 	if internal && loginMsg.ClientSpec.AlwaysAuthPass {
 		authVerifier = auth.AlwaysPassVerifier
 	}
@ -592,16 +607,29 @@ func (svr *Service) RegisterControl(ctlConn net.Conn, loginMsg *msg.Login, inter
 	}
 	// TODO(fatedier): use SessionContext
-	ctl, err := NewControl(ctx, svr.rc, svr.pxyManager, svr.pluginManager, authVerifier, ctlConn, !internal, loginMsg, svr.cfg)
+	ctl, err := NewControl(ctx, svr.rc, svr.pxyManager, svr.pluginManager, authVerifier, svr.auth.EncryptionKey(), ctlConn, !internal, loginMsg, svr.cfg)
 	if err != nil {
 		xl.Warnf("create new controller error: %v", err)
 		// don't return detailed errors to client
 		return fmt.Errorf("unexpected error when creating new controller")
 	}
 	if oldCtl := svr.ctlManager.Add(loginMsg.RunID, ctl); oldCtl != nil {
 		oldCtl.WaitClosed()
 	}
 	remoteAddr := ctlConn.RemoteAddr().String()
 	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
 		remoteAddr = host
 	}
 	_, conflict := svr.clientRegistry.Register(loginMsg.User, loginMsg.ClientID, loginMsg.RunID, loginMsg.Hostname, remoteAddr)
 	if conflict {
 		svr.ctlManager.Del(loginMsg.RunID, ctl)
 		ctl.Close()
 		return fmt.Errorf("client_id [%s] for user [%s] is already online", loginMsg.ClientID, loginMsg.User)
 	}
 	ctl.clientRegistry = svr.clientRegistry
 	ctl.Start()
 	// for statistics
@ -662,3 +690,42 @@ func (svr *Service) RegisterVisitorConn(visitorConn net.Conn, newMsg *msg.NewVis
 	return svr.rc.VisitorManager.NewConn(newMsg.ProxyName, visitorConn, newMsg.Timestamp, newMsg.SignKey,
 		newMsg.UseEncryption, newMsg.UseCompression, visitorUser)
 }
 func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper) {
 	helper.Router.HandleFunc("/healthz", healthz)
 	subRouter := helper.Router.NewRoute().Subrouter()
 	subRouter.Use(helper.AuthMiddleware)
 	subRouter.Use(httppkg.NewRequestLogger)
 	// metrics
 	if svr.cfg.EnablePrometheus {
 		subRouter.Handle("/metrics", promhttp.Handler())
 	}
 	apiController := api.NewController(svr.cfg, svr.clientRegistry, svr.pxyManager)
 	// apis
 	subRouter.HandleFunc("/api/serverinfo", httppkg.MakeHTTPHandlerFunc(apiController.APIServerInfo)).Methods("GET")
 	subRouter.HandleFunc("/api/proxy/{type}", httppkg.MakeHTTPHandlerFunc(apiController.APIProxyByType)).Methods("GET")
 	subRouter.HandleFunc("/api/proxy/{type}/{name}", httppkg.MakeHTTPHandlerFunc(apiController.APIProxyByTypeAndName)).Methods("GET")
 	subRouter.HandleFunc("/api/proxies/{name}", httppkg.MakeHTTPHandlerFunc(apiController.APIProxyByName)).Methods("GET")
 	subRouter.HandleFunc("/api/traffic/{name}", httppkg.MakeHTTPHandlerFunc(apiController.APIProxyTraffic)).Methods("GET")
 	subRouter.HandleFunc("/api/clients", httppkg.MakeHTTPHandlerFunc(apiController.APIClientList)).Methods("GET")
 	subRouter.HandleFunc("/api/clients/{key}", httppkg.MakeHTTPHandlerFunc(apiController.APIClientDetail)).Methods("GET")
 	subRouter.HandleFunc("/api/proxies", httppkg.MakeHTTPHandlerFunc(apiController.DeleteProxies)).Methods("DELETE")
 	// view
 	subRouter.Handle("/favicon.ico", http.FileServer(helper.AssetsFS)).Methods("GET")
 	subRouter.PathPrefix("/static/").Handler(
 		netpkg.MakeHTTPGzipHandler(http.StripPrefix("/static/", http.FileServer(helper.AssetsFS))),
 	).Methods("GET")
 	subRouter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/static/", http.StatusMovedPermanently)
 	})
 }
 func healthz(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(200)
 }
--- a/test/e2e/framework/process.go
+++ b/test/e2e/framework/process.go
@ -75,8 +75,8 @@ func (f *Framework) RunFrps(args ...string) (*process.Process, string, error) {
 	if err != nil {
 		return p, p.StdOutput(), err
 	}
-	// sleep for a while to get std output
+	// Give frps extra time to finish binding ports before proceeding.
-	time.Sleep(2 * time.Second)
+	time.Sleep(4 * time.Second)
 	return p, p.StdOutput(), nil
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
fatedier	9634fd99d1	web: ensure npm install runs before build (#5154 )	2026-02-04 12:55:24 +08:00
fatedier	7a1c248b67	bump version to 0.67.0 (#5146 )	2026-01-31 13:49:29 +08:00
fatedier	886c9c2fdb	web/frpc: redesign dashboard (#5145 )	2026-01-31 12:43:31 +08:00
fatedier	266c492b5d	web/frps: add detailed client and proxy views with enhanced tracking (#5144 )	2026-01-31 02:18:35 +08:00
fatedier	5dd70ace6b	refactor: move web embeds to web/ directory (#5139 )	2026-01-27 02:56:57 +08:00
fatedier	fb2c98e87b	rotate gold sponsor	2026-01-27 02:45:57 +08:00
fatedier	ed13141c56	refactor: separate API handlers into dedicated packages with improved HTTP utilities (#5127 )	2026-01-14 19:50:55 +08:00
fatedier	3370bd53f5	udp: fix proxy protocol header sent on every packet instead of first packet only (#5119 )	2026-01-09 11:33:00 +08:00
fatedier	1245f8804e	server: replace client metadata with IP address in registry (#5118 )	2026-01-09 11:07:19 +08:00
fatedier	479e9f50c2	web/frpc: refactor dashboard with improved structure and API layer (#5117 )	2026-01-09 00:40:51 +08:00
fatedier	a4175a2595	update release notes (#5116 )	2026-01-08 20:25:03 +08:00
fatedier	36718d88e4	server: add client registry with dashboard support (#5115 )	2026-01-08 20:07:14 +08:00
fatedier	bc378bcbec	rotate gold sponsor order periodically (#5114 )	2026-01-08 19:54:13 +08:00
fatedier	33428ab538	add e2e tests for exec-based token source (#5111 )	2026-01-04 14:45:51 +08:00
fatedier	ef96481f58	update version and release notes (#5106 )	2025-12-25 10:15:40 +08:00
fatedier	7526d7a69a	refactor: separate auth config from runtime and defer token resolution (#5105 )	2025-12-25 00:53:08 +08:00
fatedier	2bdf25bae6	rotate gold sponsor order periodically (#5094 )	2025-12-11 12:48:08 +08:00
fatedier	0fe8f7a0b6	refactor: reorganize security policy into dedicated packag (#5088 )	2025-12-05 16:26:09 +08:00
fatedier	2e2802ea13	refactor: use MessageSender interface for message transporter (#5083 )	2025-12-02 11:22:48 +08:00
fatedier	c3821202b1	docs: remove zsxq section (#5077 )	2025-11-26 23:55:54 +08:00
fatedier	15fd19a16d	fix lint (#5068 )	2025-11-18 01:11:44 +08:00
Krzysztof Bogacki	66973a03db	Add `exec` value source type (#5050 ) * config: introduce ExecSource value source * auth: introduce OidcTokenSourceAuthProvider * auth: use OidcTokenSourceAuthProvider if tokenSource config is present on the client * cmd: allow exec token source only if CLI flag was passed	2025-11-18 00:20:21 +08:00
fatedier	f736d171ac	rotate gold sponsor order periodically (#5067 )	2025-11-18 00:09:37 +08:00
fatedier	b27b846971	config: add enabled field for individual proxy and visitor (#5048 )	2025-11-06 14:05:03 +08:00
fatedier	e025843d3c	vnet: add exponential backoff for failed reconnections (#5035 )	2025-10-29 01:08:48 +08:00
fatedier	a75320ef2f	update quic-go dependency from v0.53.0 to v0.55.0 (#5033 )	2025-10-28 17:52:34 +08:00
fatedier	1cf325bb0c	https: add load balancing group support (#5032 )	2025-10-28 17:37:18 +08:00
fatedier	469097a549	update sponsor pic (#5031 )	2025-10-28 16:08:29 +08:00
fatedier	2def23bb0b	update sponsor (#5030 )	2025-10-28 15:44:03 +08:00
Zachary Whaley	ee3cc4b14e	Fix CloseNotifyConn.Close function (#5022 ) The CloseNotifyConn.Close() function calls itself if the closeFlag is equal to 0 which would mean it would immediately swap the closeFlag value to 1 and never call closeFn. It is unclear what the intent of this call to cc.Close() was but I assume it was meant to be a call to close the Conn object instead.	2025-10-17 10:53:43 +08:00
fatedier	e382676659	update README (#5001 )	2025-09-26 12:26:08 +08:00
fatedier	b5e90c03a1	bump version to v0.65.0 and update release notes (#4998 )	2025-09-25 20:11:17 +08:00
fatedier	b642a6323c	update sponsors info (#4997 )	2025-09-25 16:50:14 +08:00
juejinyuxitu	6561107945	chore: fix struct field name in comment (#4993 ) Signed-off-by: juejinyuxitu <juejinyuxitu@outlook.com>	2025-09-25 16:47:33 +08:00
fatedier	abf4942e8a	auth: enhance OIDC client with TLS and proxy configuration options (#4990 )	2025-09-25 10:19:19 +08:00
Charlie Blevins	7cfa546b55	add proxy name label to the proxy_count prometheus metric (#4985 ) * add proxy name label to the proxy_count metric * undo label addition in favor of a new metric - this change should not break existing queries * also register this new metric * add type label to proxy_counts_detailed * Update pkg/metrics/prometheus/server.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-09-23 00:18:49 +08:00
fatedier	0a798a7a69	update go version to 1.24 (#4960 )	2025-08-27 15:10:36 +08:00
fatedier	604700cea5	update README (#4957 )	2025-08-27 11:07:18 +08:00
fatedier	610e5ed479	improve yamux logging (#4952 )	2025-08-25 17:52:58 +08:00
fatedier	80d3f332e1	xtcp: add configuration to disable assisted addresses in NAT traversal (#4951 )	2025-08-25 15:52:52 +08:00
immomo808	14253afe2f	remove quotes (#4938 )	2025-08-15 16:11:06 +08:00
fatedier	024c334d9d	Merge pull request #4928 from fatedier/xtcp improve context and polling logic in xtcp visitor	2025-08-12 01:48:26 +08:00