Update build.yaml

bump version
fix pr
2026-02-17 14:06:14 +08:00 · 2026-01-13 10:26:46 +08:00 · 2026-01-13 10:20:40 +08:00 · 2026-01-12 17:28:25 +08:00 · 2026-01-12 15:08:01 +08:00 · 2026-01-12 14:59:45 +08:00
127 changed files with 13347 additions and 2764 deletions
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -0,0 +1,8 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-Ctarget-feature=+crt-static"]
+[target.i686-pc-windows-msvc]
+rustflags = ["-Ctarget-feature=+crt-static"]
+[target.'cfg(target_os="macos")']
+rustflags = [
+    "-C", "link-args=-sectcreate __CGPreLoginApp __cgpreloginapp /dev/null",
+]
--- a/.env
+++ b/.env
@@ -0,0 +1 @@
+DATABASE_URL=sqlite://./db_v2.sqlite3
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,35 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Describe the environment**
+ - Install environment: docker, docker swarm, podman, kubernetes, or package
+ - If available, the `docker-compose.yaml` file
+ - If package, we need the distribution and release: Ubuntu 22.04, Debian 11, ...
+ - Or if you're running the plain binary, how you're running it
+ - In any case, you have to specify the version in use
+
+**How to Reproduce the bug**
+Steps to reproduce the behavior:
+1. Given the previously described environment
+2. Do this and that
+3. I get this error
+
+**Expected behavior**
+This should happen instead.
+
+**Additional context**
+Add any other context about the problem here.
+
+**Notes**
+ - Please write in english only. If you provide some images in different languages, you're required to write a translation in english.
+ - In any case, **NEVER** put here the content if your `id_ed25519` file
+ 
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'enhancement'
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context about the feature request here.
+
+**Notes**
+ - Please write in english only. If you provide some images in different languages, you're required to write a translation in english.
+ - In any case, **NEVER** put here the content if your `id_ed25519` file
+ 
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Git submodule"
+    labels:
+      - "dependencies"
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,602 @@
+name: build
+
+# ------------- NOTE
+# please setup some secrets before running this workflow:
+# DOCKER_IMAGE should be the target image name on docker hub (e.g. "rustdesk/rustdesk-server-s6" )
+# DOCKER_IMAGE_CLASSIC should be the target image name on docker hub for the old build (e.g. "rustdesk/rustdesk-server" )
+# DOCKER_HUB_USERNAME is the username you normally use to login at https://hub.docker.com/
+# DOCKER_HUB_PASSWORD is a token you should create under "account settings / security" with read/write access
+
+permissions:
+  contents: read
+  packages: write
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - '[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-[0-9]+'
+      - '[0-9]+.[0-9]+.[0-9]+-[0-9]+'
+
+env:
+  CARGO_TERM_COLOR: always
+  LATEST_TAG: latest
+  GHCR_IMAGE: ghcr.io/rustdesk/rustdesk-server-s6
+  GHCR_IMAGE_CLASSIC: ghcr.io/rustdesk/rustdesk-server
+  
+jobs:
+
+  # binary build
+  build:
+
+    name: Build - ${{ matrix.job.name }}
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { name: "amd64",   target: "x86_64-unknown-linux-musl" }
+          - { name: "arm64v8", target: "aarch64-unknown-linux-musl" }
+          - { name: "armv7",   target: "armv7-unknown-linux-musleabihf" }
+          - { name: "i386",    target: "i686-unknown-linux-musl" }
+          #- { name: "amd64fb",    target: "x86_64-unknown-freebsd" }
+
+    steps:
+      
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Install toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: "1.90"
+          override: true
+          default: true
+          components: rustfmt
+          profile: minimal
+          target: ${{ matrix.job.target }}
+
+      - name: Build
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --release --all-features --target=${{ matrix.job.target }}
+          use-cross: true  
+
+      - name: Exec chmod
+        run: chmod -v a+x target/${{ matrix.job.target }}/release/*
+
+      - name: Publish Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-linux-${{ matrix.job.name }}
+          path: |
+            target/${{ matrix.job.target }}/release/hbbr
+            target/${{ matrix.job.target }}/release/hbbs
+            target/${{ matrix.job.target }}/release/rustdesk-utils
+          if-no-files-found: error
+
+  build-win:
+    name: Build - windows
+    runs-on: windows-2022
+
+    steps:
+      
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Install toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: "1.90"
+          override: true
+          default: true
+          components: rustfmt
+          profile: minimal
+          target: x86_64-pc-windows-msvc
+
+      - name: Build
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --release --all-features --target=x86_64-pc-windows-msvc
+          use-cross: true
+
+      - name: Install NSIS
+        run: |
+          iwr -useb get.scoop.sh -outfile 'install.ps1'
+          .\install.ps1 -RunAsAdmin
+          scoop update
+          scoop bucket add extras
+          scoop install nsis
+
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: Sign exe files
+        uses: GermanBluefox/code-sign-action@v7
+        if: false
+        with:
+          certificate: '${{ secrets.WINDOWS_PFX_BASE64 }}'
+          password: '${{ secrets.WINDOWS_PFX_PASSWORD }}'
+          certificatesha1: '${{ secrets.WINDOWS_PFX_SHA1_THUMBPRINT }}'
+          folder: 'target\x86_64-pc-windows-msvc\release'
+          recursive: false
+
+      - name: Build UI browser file
+        run: |
+          npm i
+          npm run build
+        working-directory: ./ui/html
+
+      - name: Build UI setup file
+        run: |
+          rustup default nightly
+          cargo build --release
+          xcopy /y ..\target\x86_64-pc-windows-msvc\release\*.exe setup\bin\
+          xcopy /y target\release\*.exe setup\
+          mkdir setup\logs
+          makensis /V1 setup.nsi
+          mkdir SignOutput
+          mv RustDeskServer.Setup.exe SignOutput\
+          mv ..\target\x86_64-pc-windows-msvc\release\*.exe SignOutput\
+        working-directory: ./ui
+
+      - name: Sign UI setup file 
+        uses: GermanBluefox/code-sign-action@v7
+        if: false
+        with:
+          certificate: '${{ secrets.WINDOWS_PFX_BASE64 }}'
+          password: '${{ secrets.WINDOWS_PFX_PASSWORD }}'
+          certificatesha1: '${{ secrets.WINDOWS_PFX_SHA1_THUMBPRINT }}'
+          folder: './ui/SignOutput'
+          recursive: false
+
+      - name: Publish Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-windows-x86_64
+          path: |
+            ui\SignOutput\hbbr.exe
+            ui\SignOutput\hbbs.exe
+            ui\SignOutput\rustdesk-utils.exe
+            ui\SignOutput\RustDeskServer.Setup.exe
+          if-no-files-found: error
+
+  # github (draft) release with all binaries
+  release:
+
+    name: Github release
+    needs: 
+      - build
+      - build-win
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { os: "linux", name: "amd64", suffix: "" }
+          - { os: "linux", name: "arm64v8", suffix: "" }
+          - { os: "linux", name: "armv7", suffix: "" }
+          - { os: "linux", name: "i386", suffix: "" }
+          #- { os: "linux", name: "amd64fb", suffix: "" }
+          - { os: "windows", name: "x86_64", suffix: "-unsigned" }
+          
+    steps:
+
+      - name: Download binaries (${{ matrix.job.os }} - ${{ matrix.job.name }})
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries-${{ matrix.job.os }}-${{ matrix.job.name }}
+          path: ${{ matrix.job.name }}
+
+      - name: Exec chmod
+        run: chmod -v a+x ${{ matrix.job.name }}/*
+
+      - name: Pack files (${{ matrix.job.os }} - ${{ matrix.job.name }})
+        run: |
+          sudo apt update
+          DEBIAN_FRONTEND=noninteractive sudo apt install -y zip
+          zip ${{ matrix.job.name }}/rustdesk-server-${{ matrix.job.os }}-${{ matrix.job.name }}${{ matrix.job.suffix }}.zip ${{ matrix.job.name }}/*
+
+      - name: Create Release (${{ matrix.job.os }} - (${{ matrix.job.name }})
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          files: ${{ matrix.job.name }}/rustdesk-server-${{ matrix.job.os }}-${{ matrix.job.name }}${{ matrix.job.suffix }}.zip
+            
+  # docker build and push of single-arch images
+  docker:
+
+    name: Docker push - ${{ matrix.job.name }}
+    needs: build
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { name: "amd64",   docker_platform: "linux/amd64",  s6_platform: "x86_64" }
+          - { name: "arm64v8", docker_platform: "linux/arm64",  s6_platform: "aarch64" }
+          - { name: "armv7",   docker_platform: "linux/arm/v7", s6_platform: "armhf" }
+          - { name: "i386",    docker_platform: "linux/386",    s6_platform: "i686" }
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+        
+      - name: Download binaries
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries-linux-${{ matrix.job.name }}
+          path: docker/rootfs/usr/bin
+
+      - name: Make binaries executable
+        run: chmod -v a+x docker/rootfs/usr/bin/*
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: rustdesk
+          password: ${{ secrets.GITHUB_TOKEN }}
+        
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: registry.hub.docker.com/${{ secrets.DOCKER_IMAGE }}
+
+      - name: Get git tag
+        id: vars
+        run: |
+          T=${GITHUB_REF#refs/*/}
+          M=${T%%.*}
+          echo "GIT_TAG=$T" >> $GITHUB_ENV
+          echo "MAJOR_TAG=$M" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: "./docker"
+          platforms: ${{ matrix.job.docker_platform }}
+          push: true
+          provenance: false
+          build-args: |
+            S6_ARCH=${{ matrix.job.s6_platform }}
+          tags: |
+            ${{ secrets.DOCKER_IMAGE }}:${{ env.LATEST_TAG }}-${{ matrix.job.name }}
+            ${{ secrets.DOCKER_IMAGE }}:${{ env.GIT_TAG }}-${{ matrix.job.name }}
+            ${{ secrets.DOCKER_IMAGE }}:${{ env.MAJOR_TAG }}-${{ matrix.job.name }}
+            ${{ env.GHCR_IMAGE }}:${{ env.LATEST_TAG }}-${{ matrix.job.name }}
+            ${{ env.GHCR_IMAGE }}:${{ env.GIT_TAG }}-${{ matrix.job.name }}
+            ${{ env.GHCR_IMAGE }}:${{ env.MAJOR_TAG }}-${{ matrix.job.name }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  # docker build and push of multiarch images
+  docker-manifest:
+
+    name: Docker manifest
+    needs: docker
+    runs-on: ubuntu-22.04
+
+    steps:
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Get git tag
+        id: vars
+        run: |
+          T=${GITHUB_REF#refs/*/}
+          M=${T%%.*}
+          echo "GIT_TAG=$T" >> $GITHUB_ENV
+          echo "MAJOR_TAG=$M" >> $GITHUB_ENV
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: rustdesk
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # manifest for :1.2.3 tag
+      #  this has to run only if invoked by a new tag
+      - name: Create and push manifest (:ve.rs.ion)
+        uses: Noelware/docker-manifest-action@0.4.3
+        if: github.event_name != 'workflow_dispatch'
+        with:
+          base-image: ${{ secrets.DOCKER_IMAGE }}:${{ env.GIT_TAG }}
+          extra-images: ${{ secrets.DOCKER_IMAGE }}:${{ env.GIT_TAG }}-amd64,${{ secrets.DOCKER_IMAGE }}:${{ env.GIT_TAG }}-arm64v8,${{ secrets.DOCKER_IMAGE }}:${{ env.GIT_TAG }}-armv7,${{ secrets.DOCKER_IMAGE }}:${{ env.GIT_TAG }}-i386
+          push: true
+
+      # manifest for :1 tag (major release)
+      - name: Create and push manifest (:major)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ secrets.DOCKER_IMAGE }}:${{ env.MAJOR_TAG }}
+          extra-images: ${{ secrets.DOCKER_IMAGE }}:${{ env.MAJOR_TAG }}-amd64,${{ secrets.DOCKER_IMAGE }}:${{ env.MAJOR_TAG }}-arm64v8,${{ secrets.DOCKER_IMAGE }}:${{ env.MAJOR_TAG }}-armv7,${{ secrets.DOCKER_IMAGE }}:${{ env.MAJOR_TAG }}-i386
+          push: true
+
+      # manifest for :latest tag
+      - name: Create and push manifest (:latest)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ secrets.DOCKER_IMAGE }}:${{ env.LATEST_TAG }}
+          extra-images: ${{ secrets.DOCKER_IMAGE }}:${{ env.LATEST_TAG }}-amd64,${{ secrets.DOCKER_IMAGE }}:${{ env.LATEST_TAG }}-arm64v8,${{ secrets.DOCKER_IMAGE }}:${{ env.LATEST_TAG }}-armv7,${{ secrets.DOCKER_IMAGE }}:${{ env.LATEST_TAG }}-i386
+          push: true
+
+      # GHCR manifests
+      # manifest for :1.2.3 tag
+      - name: Create and push GHCR manifest (:ve.rs.ion)
+        uses: Noelware/docker-manifest-action@0.4.3
+        if: github.event_name != 'workflow_dispatch'
+        with:
+          base-image: ${{ env.GHCR_IMAGE }}:${{ env.GIT_TAG }}
+          extra-images: ${{ env.GHCR_IMAGE }}:${{ env.GIT_TAG }}-amd64,${{ env.GHCR_IMAGE }}:${{ env.GIT_TAG }}-arm64v8,${{ env.GHCR_IMAGE }}:${{ env.GIT_TAG }}-armv7,${{ env.GHCR_IMAGE }}:${{ env.GIT_TAG }}-i386
+          push: true
+
+      # manifest for :1 tag (major release)
+      - name: Create and push GHCR manifest (:major)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ env.GHCR_IMAGE }}:${{ env.MAJOR_TAG }}
+          extra-images: ${{ env.GHCR_IMAGE }}:${{ env.MAJOR_TAG }}-amd64,${{ env.GHCR_IMAGE }}:${{ env.MAJOR_TAG }}-arm64v8,${{ env.GHCR_IMAGE }}:${{ env.MAJOR_TAG }}-armv7,${{ env.GHCR_IMAGE }}:${{ env.MAJOR_TAG }}-i386
+          push: true
+
+      # manifest for :latest tag
+      - name: Create and push GHCR manifest (:latest)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ env.GHCR_IMAGE }}:${{ env.LATEST_TAG }}
+          extra-images: ${{ env.GHCR_IMAGE }}:${{ env.LATEST_TAG }}-amd64,${{ env.GHCR_IMAGE }}:${{ env.LATEST_TAG }}-arm64v8,${{ env.GHCR_IMAGE }}:${{ env.LATEST_TAG }}-armv7,${{ env.GHCR_IMAGE }}:${{ env.LATEST_TAG }}-i386
+          push: true
+
+            
+  # docker build and push of single-arch images
+  docker-classic:
+
+    name: Docker push - ${{ matrix.job.name }}
+    needs: build
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { name: "amd64",   docker_platform: "linux/amd64" }
+          - { name: "arm64v8", docker_platform: "linux/arm64" }
+          - { name: "armv7",   docker_platform: "linux/arm/v7" }
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+        
+      - name: Download binaries
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries-linux-${{ matrix.job.name }}
+          path: docker-classic/
+
+      - name: Make binaries executable
+        run: chmod -v a+x docker-classic/*
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: rustdesk
+          password: ${{ secrets.GITHUB_TOKEN }}
+        
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: registry.hub.docker.com/${{ secrets.DOCKER_IMAGE_CLASSIC }}
+
+      - name: Get git tag
+        id: vars
+        run: |
+          T=${GITHUB_REF#refs/*/}
+          M=${T%%.*}
+          echo "GIT_TAG=$T" >> $GITHUB_ENV
+          echo "MAJOR_TAG=$M" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: "./docker-classic"
+          platforms: ${{ matrix.job.docker_platform }}
+          push: true
+          provenance: false
+          tags: |
+            ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-${{ matrix.job.name }}
+            ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-${{ matrix.job.name }}
+            ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-${{ matrix.job.name }}
+            ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-${{ matrix.job.name }}
+            ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-${{ matrix.job.name }}
+            ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-${{ matrix.job.name }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  # docker build and push of multiarch images
+  docker-manifest-classic:
+
+    name: Docker manifest
+    needs: docker
+    runs-on: ubuntu-22.04
+
+    steps:
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Get git tag
+        id: vars
+        run: |
+          T=${GITHUB_REF#refs/*/}
+          M=${T%%.*}
+          echo "GIT_TAG=$T" >> $GITHUB_ENV
+          echo "MAJOR_TAG=$M" >> $GITHUB_ENV
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: rustdesk
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # manifest for :1.2.3 tag
+      #  this has to run only if invoked by a new tag
+      - name: Create and push manifest (:ve.rs.ion)
+        uses: Noelware/docker-manifest-action@0.4.3
+        if: github.event_name != 'workflow_dispatch'
+        with:
+          base-image: ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}
+          extra-images: ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-amd64,${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-arm64v8,${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-armv7
+          push: true
+
+      # manifest for :1 tag (major release)
+      - name: Create and push manifest (:major)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}
+          extra-images: ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-amd64,${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-arm64v8,${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-armv7
+          push: true
+
+      # manifest for :latest tag
+      - name: Create and push manifest (:latest)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}
+          extra-images: ${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-amd64,${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-arm64v8,${{ secrets.DOCKER_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-armv7
+          push: true
+
+      # GHCR manifests
+      # manifest for :1.2.3 tag
+      - name: Create and push GHCR manifest (:ve.rs.ion)
+        uses: Noelware/docker-manifest-action@0.4.3
+        if: github.event_name != 'workflow_dispatch'
+        with:
+          base-image: ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}
+          extra-images: ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-amd64,${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-arm64v8,${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.GIT_TAG }}-armv7
+          push: true
+
+      # manifest for :1 tag (major release)
+      - name: Create and push GHCR manifest (:major)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}
+          extra-images: ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-amd64,${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-arm64v8,${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.MAJOR_TAG }}-armv7
+          push: true
+
+      # manifest for :latest tag
+      - name: Create and push GHCR manifest (:latest)
+        uses: Noelware/docker-manifest-action@0.4.3
+        with:
+          base-image: ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}
+          extra-images: ${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-amd64,${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-arm64v8,${{ env.GHCR_IMAGE_CLASSIC }}:${{ env.LATEST_TAG }}-armv7
+          push: true
+
+
+  deb-package:
+
+    name: debian package - ${{ matrix.job.name }}
+    needs: build
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { name: "amd64",   debian_platform: "amd64",   crossbuild_package: "" }
+          - { name: "arm64v8", debian_platform: "arm64",   crossbuild_package: "crossbuild-essential-arm64" }
+          - { name: "armv7",   debian_platform: "armhf",   crossbuild_package: "crossbuild-essential-armhf" }
+          - { name: "i386",    debian_platform: "i386",    crossbuild_package: "crossbuild-essential-i386" }
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Create packaging env
+        run: |
+          sudo apt update
+          DEBIAN_FRONTEND=noninteractive sudo apt install -y devscripts build-essential debhelper pkg-config ${{ matrix.job.crossbuild_package }}
+          mkdir -p debian-build/${{ matrix.job.name }}/bin
+
+      - name: Download binaries
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries-linux-${{ matrix.job.name }}
+          path: debian-build/${{ matrix.job.name }}/bin
+
+      - name: Build package for ${{ matrix.job.name }} arch
+        run: |
+          chmod -v a+x debian-build/${{ matrix.job.name }}/bin/*
+          cp -vr debian systemd debian-build/${{ matrix.job.name }}/
+          cat debian/control.tpl | sed 's/{{ ARCH }}/${{ matrix.job.debian_platform }}/' > debian-build/${{ matrix.job.name }}/debian/control
+          cd debian-build/${{ matrix.job.name }}/
+          debuild -i -us -uc -b -a${{ matrix.job.debian_platform }}
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          files: |
+            debian-build/rustdesk-server-hbbr_*_${{ matrix.job.debian_platform }}.deb
+            debian-build/rustdesk-server-hbbs_*_${{ matrix.job.debian_platform }}.deb
+            debian-build/rustdesk-server-utils_*_${{ matrix.job.debian_platform }}.deb
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,12 @@
-/target
-**/*.rs.bk
-version.rs
-sled.db
-hbbs.sh
-hbbs.conf
+target
+id*
+db*
+debian-build
+debian/.debhelper
+debian/debhelper-build-stamp
+.DS_Store
+.vscode
+src/version.rs
+db_v2.sqlite3
+test.*
+.idea
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "libs/hbb_common"]
 	path = libs/hbb_common
-	url = https://github.com/open-trade/hbb_common
+	url = https://github.com/rustdesk/hbb_common
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+    "rust.checkWith": "clippy",
+    "rust.formatOnSave": true,
+    "rust.checkOnSave": true,
+    "rust.useNewErrorFormat": true
+}
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,14 +1,19 @@
 [package]
 name = "hbbs"
-version = "1.1.4"
-authors = ["open-trade <info@opentradesolutions.com>"]
-edition = "2018"
-build= "build.rs"
+version = "1.1.15"
+authors = ["rustdesk <info@rustdesk.com>"]
+edition = "2021"
+build = "build.rs"
+default-run = "hbbs"

 [[bin]]
 name = "hbbr"
 path = "src/hbbr.rs"

+[[bin]]
+name = "rustdesk-utils"
+path = "src/utils.rs"
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [dependencies]
@@ -17,22 +22,57 @@ serde_derive = "1.0"
 serde = "1.0"
 serde_json = "1.0"
 lazy_static = "1.4"
-clap = "2.33"
-rust-ini = "0.16"
-minreq = { version = "2.3.1", features = ["punycode"] }
+clap = "2"
+rust-ini = "0.18"
+minreq = { version = "2.4", features = ["punycode"] }
 machine-uid = "0.2"
-mac_address = "1.1"
-whoami = "0.9"
+mac_address = "1.1.5"
+whoami = "1.2"
 base64 = "0.13"
-cryptoxide = "0.3"
+axum = { version = "0.5", features = ["headers"] }
+sqlx = { version = "0.6", features = [ "runtime-tokio-rustls", "sqlite", "macros", "chrono", "json" ] }
+deadpool = "0.8"
+async-trait = "0.1"
+async-speed-limit = { git = "https://github.com/open-trade/async-speed-limit" }
+uuid = { version = "1.0", features = ["v4"] }
+bcrypt = "0.13"
+chrono = "0.4"
+jsonwebtoken = "8"
+headers = "0.3"
+once_cell = "1.8"
+sodiumoxide = "0.2"
+tokio-tungstenite = "0.17"
+tungstenite = "0.17"
+regex = "1.4"
+tower-http = { version = "0.3", features = ["fs", "trace", "cors"] }
+http = "0.2"
+flexi_logger = { version = "0.22", features = ["async", "use_chrono_for_offset", "dont_minimize_extra_stacks"] }
+ipnetwork = "0.20"
+local-ip-address = "0.5.1"
+dns-lookup = "1.0.8"
+ping = "0.4.0"
+flate2 = "1.0"
+
+[target.'cfg(any(target_os = "macos", target_os = "windows"))'.dependencies]
+# https://github.com/rustdesk/rustdesk-server-pro/issues/189, using native-tls for better tls support
+reqwest = { git = "https://github.com/rustdesk-org/reqwest", features = ["blocking", "socks", "json", "native-tls", "gzip"], default-features=false }
+
+[target.'cfg(not(any(target_os = "macos", target_os = "windows")))'.dependencies]
+reqwest = { git = "https://github.com/rustdesk-org/reqwest", features = ["blocking", "socks", "json", "rustls-tls", "rustls-tls-native-roots", "gzip"], default-features=false }

 [build-dependencies]
 hbb_common = { path = "libs/hbb_common" }

 [workspace]
 members = ["libs/hbb_common"]
+exclude = ["ui"]

-[dependencies.rocksdb]
-default-features = false
-features = ["lz4"]
-version = "0.15"
+#https://github.com/johnthagen/min-sized-rust
+#https://doc.rust-lang.org/cargo/reference/profiles.html#default-profiles
+[profile.release]
+lto = true
+codegen-units = 1
+panic = 'abort'
+strip = true
+#opt-level = 'z' # only have smaller size after strip # Default is 3, better performance
+#rpath = true # Not needed
--- a/4
+++ b/4
@@ -1,4 +0,0 @@
-FROM ubuntu:20.04
-COPY target/release/hbbs /usr/bin/hbbs
-COPY target/release/hbbr /usr/bin/hbbr
-WORKDIR /root
--- a/661
+++ b/661
@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.
--- a/README.md
+++ b/README.md
@@ -0,0 +1,35 @@
+# RustDesk Server Program
+
+[![build](https://github.com/rustdesk/rustdesk-server/actions/workflows/build.yaml/badge.svg)](https://github.com/rustdesk/rustdesk-server/actions/workflows/build.yaml)
+
+[**Download**](https://github.com/rustdesk/rustdesk-server/releases)
+
+[**Manual**](https://rustdesk.com/docs/en/self-host/)
+
+[**FAQ**](https://github.com/rustdesk/rustdesk/wiki/FAQ)
+
+[**How to migrate OSS to Pro**](https://rustdesk.com/docs/en/self-host/rustdesk-server-pro/installscript/#convert-from-open-source)
+
+Self-host your own RustDesk server, it is free and open source.
+
+## How to build manually
+
+```bash
+cargo build --release
+```
+
+Three executables will be generated in target/release.
+
+- hbbs - RustDesk ID/Rendezvous server
+- hbbr - RustDesk relay server
+- rustdesk-utils - RustDesk CLI utilities
+
+You can find updated binaries on the [Releases](https://github.com/rustdesk/rustdesk-server/releases) page.
+
+If you want extra features, [RustDesk Server Pro](https://rustdesk.com/pricing.html) might suit you better.
+
+If you want to develop your own server, [rustdesk-server-demo](https://github.com/rustdesk/rustdesk-server-demo) might be a better and simpler start for you than this repo.
+
+## Installation
+
+Please follow this [doc](https://rustdesk.com/docs/en/self-host/rustdesk-server-oss/)
--- a/db_v2.sqlite3
+++ b/db_v2.sqlite3
--- a/debian/README.source
+++ b/debian/README.source
@@ -0,0 +1,62 @@
+#
+# Juli Augustus 2025 was building the downloadable Debian packages done
+# by github.com CI, meaning you being depended on github.com
+# for getting a .deb of the libre source code (four GNU freedoms) you have.
+#
+# And in those days there was no official Debian package.
+#
+# What follows are instructions that make it possible to do
+# a succesfull
+#
+#   debuild -uc -us
+#
+# in the directory  target/rustdesk-server
+#
+# The instructions are written in bash syntax,
+#
+#   bash debian/README.source
+#
+# should help you immens
+#
+
+# Make sure the submodules are present
+git submodule update --init --recursive
+
+rm -rf target/rustdesk-server  # avoid clutter from previous iteration
+mkdir -p target/rustdesk-server #  FYI: target/ is ignored by git
+
+tar cf - \
+    --exclude .git \
+    Cargo.toml Cargo.lock \
+	LICENSE README.md \
+    db_v2.sqlite3 \
+	build.rs \
+	debian \
+	libs rcd src \
+    systemd ui \
+| ( cd target/rustdesk-server && tar x )
+
+mv target/rustdesk-server/debian/Makefile target/rustdesk-server/
+
+tar cjf target/rustdesk-server-orig.tar.xz \
+    --strip-components=1 \
+    target/rustdesk-server
+
+# an .orig.tar.xz tarball exists, 
+# work on the debian directory 
+
+eval $( dpkg-architecture )
+sed -e "s/{{ ARCH }}/${DEB_TARGET_ARCH}/" \
+    debian/control.tpl > target/rustdesk-server/debian/control
+    
+
+cd target/rustdesk-server
+dpkg-checkbuilddeps || echo sudo apt install dpkg-dev
+debuild -uc -us
+
+#
+# For what it is worth:
+# Early September 2025 there were
+# several WARNINGS and ERRORS from Lintian
+#
+# l l
--- a/debian/changelog
+++ b/debian/changelog
@@ -0,0 +1,78 @@
+rustdesk-server (1.1.15) UNRELEASED; urgency=medium
+
+  * Fix: 127.0.0.1 is not loopback (#515)
+  * Higher default bandwidth
+  * Define the HOME env to allow running rootless (#612)
+  * Add option to log (failed) authentication attempts to enable the usage of tools like fail2ban and crowdsec (#435)
+  * Connection log query
+ 
+ -- rustdesk <info@rustdesk.com>  Sat, 10 Jan 2026 16:04:19 +0800
+
+rustdesk-server (1.1.14) UNRELEASED; urgency=medium
+
+  * Fix windows crash
+
+ -- rustdesk <info@rustdesk.com>  Sat, 25 Jan 2025 20:47:19 +0800
+
+rustdesk-server (1.1.13) UNRELEASED; urgency=medium
+
+  * Version check and refactor hbb_common to share with rustdesk client
+
+ -- rustdesk <info@rustdesk.com>  Tue, 21 Jan 2025 01:33:42 +0800
+
+rustdesk-server (1.1.12) UNRELEASED; urgency=medium
+
+  * WS real ip
+  * Bump s6-overlay to v3.2.0.0 and fix env warnings
+
+ -- rustdesk <info@rustdesk.com>  Mon, 7 Oct 2024 16:21:36 +0800
+
+rustdesk-server (1.1.11-1) UNRELEASED; urgency=medium
+
+  * set reuse port to make restart friendly
+  * revert hbbr `-k` to not ruin back-compatibility
+
+ -- rustdesk <info@rustdesk.com>  Fri, 24 May 2024 18:37:11 +0800
+
+rustdesk-server (1.1.11) UNRELEASED; urgency=medium
+
+  * change -k to default '-', so you need not to set -k any more
+
+ -- rustdesk <info@rustdesk.com>  Fri, 24 May 2024 18:09:12 +0800
+
+rustdesk-server (1.1.10-3) UNRELEASED; urgency=medium
+
+  * fix on -2
+
+ -- rustdesk <info@rustdesk.com>  Wed, 31 Jan 2024 11:30:42 +0800
+
+rustdesk-server (1.1.10-2) UNRELEASED; urgency=medium
+
+  * fix hangup signal exit when run with nohup
+  * some minors
+
+ -- rustdesk <info@rustdesk.com>  Tue, 30 Jan 2024 19:23:36 +0800
+
+rustdesk-server (1.1.9) UNRELEASED; urgency=medium
+
+  * remove unsafe
+
+ -- rustdesk <info@rustdesk.com>  Tue, 5 Dec 2023 17:22:40 +0800
+
+rustdesk-server (1.1.8) UNRELEASED; urgency=medium
+
+  * fix test_hbbs and mask in lan
+
+ -- rustdesk <info@rustdesk.com>  Thu, 6 Jul 2023 00:50:11 +0800
+
+rustdesk-server (1.1.7) UNRELEASED; urgency=medium
+
+  * ipv6 support
+
+ -- rustdesk <info@rustdesk.com>  Wed, 11 Jan 2023 11:27:00 +0800
+
+rustdesk-server (1.1.6) UNRELEASED; urgency=medium
+
+  * Initial release
+
+ -- open-trade <info@rustdesk.com>  Fri, 15 Jul 2022 12:27:27 +0200
--- a/debian/compat
+++ b/debian/compat
@@ -0,0 +1 @@
+10
--- a/debian/control.tpl
+++ b/debian/control.tpl
@@ -0,0 +1,27 @@
+Source: rustdesk-server
+Section: net
+Priority: optional
+Maintainer: open-trade <info@rustdesk.com>
+Build-Depends: debhelper (>= 10), pkg-config
+Standards-Version: 4.5.0
+Homepage: https://rustdesk.com/
+
+Package: rustdesk-server-hbbs
+Architecture: {{ ARCH }}
+Depends: systemd ${misc:Depends}
+Description: RustDesk server
+ Self-host your own RustDesk server, it is free and open source.
+
+Package: rustdesk-server-hbbr
+Architecture: {{ ARCH }}
+Depends: systemd ${misc:Depends}
+Description: RustDesk server
+ Self-host your own RustDesk server, it is free and open source.
+ This package contains the RustDesk relay server.
+
+Package: rustdesk-server-utils
+Architecture: {{ ARCH }}
+Depends: ${misc:Depends}
+Description: RustDesk server
+ Self-host your own RustDesk server, it is free and open source.
+ This package contains the rustdesk-utils binary.
--- a/debian/copyright
+++ b/debian/copyright
@@ -0,0 +1,679 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: rustdesk-server
+Files: *
+Copyright: Copyright 2022 open-trade <info@rustdesk.com>
+License: AGPL-3.0
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU Affero General Public License for more details.
+ .
+ You should have received a copy of the GNU Affero General Public License
+ along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ .
+                     GNU AFFERO GENERAL PUBLIC LICENSE
+                        Version 3, 19 November 2007
+ .
+  Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+  Everyone is permitted to copy and distribute verbatim copies
+  of this license document, but changing it is not allowed.
+ .
+                             Preamble
+ .
+   The GNU Affero General Public License is a free, copyleft license for
+ software and other kinds of works, specifically designed to ensure
+ cooperation with the community in the case of network server software.
+ .
+   The licenses for most software and other practical works are designed
+ to take away your freedom to share and change the works.  By contrast,
+ our General Public Licenses are intended to guarantee your freedom to
+ share and change all versions of a program--to make sure it remains free
+ software for all its users.
+ .
+   When we speak of free software, we are referring to freedom, not
+ price.  Our General Public Licenses are designed to make sure that you
+ have the freedom to distribute copies of free software (and charge for
+ them if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new
+ free programs, and that you know you can do these things.
+ .
+   Developers that use our General Public Licenses protect your rights
+ with two steps: (1) assert copyright on the software, and (2) offer
+ you this License which gives you legal permission to copy, distribute
+ and/or modify the software.
+ .
+   A secondary benefit of defending all users' freedom is that
+ improvements made in alternate versions of the program, if they
+ receive widespread use, become available for other developers to
+ incorporate.  Many developers of free software are heartened and
+ encouraged by the resulting cooperation.  However, in the case of
+ software used on network servers, this result may fail to come about.
+ The GNU General Public License permits making a modified version and
+ letting the public access it on a server without ever releasing its
+ source code to the public.
+ .
+   The GNU Affero General Public License is designed specifically to
+ ensure that, in such cases, the modified source code becomes available
+ to the community.  It requires the operator of a network server to
+ provide the source code of the modified version running there to the
+ users of that server.  Therefore, public use of a modified version, on
+ a publicly accessible server, gives the public access to the source
+ code of the modified version.
+ .
+   An older license, called the Affero General Public License and
+ published by Affero, was designed to accomplish similar goals.  This is
+ a different license, not a version of the Affero GPL, but Affero has
+ released a new version of the Affero GPL which permits relicensing under
+ this license.
+ .
+   The precise terms and conditions for copying, distribution and
+ modification follow.
+ .
+                        TERMS AND CONDITIONS
+ .
+   0. Definitions.
+ .
+   "This License" refers to version 3 of the GNU Affero General Public License.
+ .
+   "Copyright" also means copyright-like laws that apply to other kinds of
+ works, such as semiconductor masks.
+ .
+   "The Program" refers to any copyrightable work licensed under this
+ License.  Each licensee is addressed as "you".  "Licensees" and
+ "recipients" may be individuals or organizations.
+ .
+   To "modify" a work means to copy from or adapt all or part of the work
+ in a fashion requiring copyright permission, other than the making of an
+ exact copy.  The resulting work is called a "modified version" of the
+ earlier work or a work "based on" the earlier work.
+ .
+   A "covered work" means either the unmodified Program or a work based
+ on the Program.
+ .
+   To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on a
+ computer or modifying a private copy.  Propagation includes copying,
+ distribution (with or without modification), making available to the
+ public, and in some countries other activities as well.
+ .
+   To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies.  Mere interaction with a user through
+ a computer network, with no transfer of a copy, is not conveying.
+ .
+   An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to the
+ extent that warranties are provided), that licensees may convey the
+ work under this License, and how to view a copy of this License.  If
+ the interface presents a list of user commands or options, such as a
+ menu, a prominent item in the list meets this criterion.
+ .
+   1. Source Code.
+ .
+   The "source code" for a work means the preferred form of the work
+ for making modifications to it.  "Object code" means any non-source
+ form of a work.
+ .
+   A "Standard Interface" means an interface that either is an official
+ standard defined by a recognized standards body, or, in the case of
+ interfaces specified for a particular programming language, one that
+ is widely used among developers working in that language.
+ .
+   The "System Libraries" of an executable work include anything, other
+ than the work as a whole, that (a) is included in the normal form of
+ packaging a Major Component, but which is not part of that Major
+ Component, and (b) serves only to enable use of the work with that
+ Major Component, or to implement a Standard Interface for which an
+ implementation is available to the public in source code form.  A
+ "Major Component", in this context, means a major essential component
+ (kernel, window system, and so on) of the specific operating system
+ (if any) on which the executable work runs, or a compiler used to
+ produce the work, or an object code interpreter used to run it.
+ .
+   The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts to
+ control those activities.  However, it does not include the work's
+ System Libraries, or general-purpose tools or generally available free
+ programs which are used unmodified in performing those activities but
+ which are not part of the work.  For example, Corresponding Source
+ includes interface definition files associated with source files for
+ the work, and the source code for shared libraries and dynamically
+ linked subprograms that the work is specifically designed to require,
+ such as by intimate data communication or control flow between those
+ subprograms and other parts of the work.
+ .
+   The Corresponding Source need not include anything that users
+ can regenerate automatically from other parts of the Corresponding
+ Source.
+ .
+   The Corresponding Source for a work in source code form is that
+ same work.
+ .
+   2. Basic Permissions.
+ .
+   All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met.  This License explicitly affirms your unlimited
+ permission to run the unmodified Program.  The output from running a
+ covered work is covered by this License only if the output, given its
+ content, constitutes a covered work.  This License acknowledges your
+ rights of fair use or other equivalent, as provided by copyright law.
+ .
+   You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise remains
+ in force.  You may convey covered works to others for the sole purpose
+ of having them make modifications exclusively for you, or provide you
+ with facilities for running those works, provided that you comply with
+ the terms of this License in conveying all material for which you do
+ not control copyright.  Those thus making or running the covered works
+ for you must do so exclusively on your behalf, under your direction
+ and control, on terms that prohibit them from making any copies of
+ your copyrighted material outside their relationship with you.
+ .
+   Conveying under any other circumstances is permitted solely under
+ the conditions stated below.  Sublicensing is not allowed; section 10
+ makes it unnecessary.
+ .
+   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+ .
+   No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under article
+ 11 of the WIPO copyright treaty adopted on 20 December 1996, or
+ similar laws prohibiting or restricting circumvention of such
+ measures.
+ .
+   When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such circumvention
+ is effected by exercising rights under this License with respect to
+ the covered work, and you disclaim any intention to limit operation or
+ modification of the work as a means of enforcing, against the work's
+ users, your or third parties' legal rights to forbid circumvention of
+ technological measures.
+ .
+   4. Conveying Verbatim Copies.
+ .
+   You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the code;
+ keep intact all notices of the absence of any warranty; and give all
+ recipients a copy of this License along with the Program.
+ .
+   You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+ .
+   5. Conveying Modified Source Versions.
+ .
+   You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these conditions:
+ .
+     a) The work must carry prominent notices stating that you modified
+     it, and giving a relevant date.
+ .
+     b) The work must carry prominent notices stating that it is
+     released under this License and any conditions added under section
+     7.  This requirement modifies the requirement in section 4 to
+     "keep intact all notices".
+ .
+     c) You must license the entire work, as a whole, under this
+     License to anyone who comes into possession of a copy.  This
+     License will therefore apply, along with any applicable section 7
+     additional terms, to the whole of the work, and all its parts,
+     regardless of how they are packaged.  This License gives no
+     permission to license the work in any other way, but it does not
+     invalidate such permission if you have separately received it.
+ .
+     d) If the work has interactive user interfaces, each must display
+     Appropriate Legal Notices; however, if the Program has interactive
+     interfaces that do not display Appropriate Legal Notices, your
+     work need not make them do so.
+ .
+   A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered work,
+ and which are not combined with it such as to form a larger program,
+ in or on a volume of a storage or distribution medium, is called an
+ "aggregate" if the compilation and its resulting copyright are not
+ used to limit the access or legal rights of the compilation's users
+ beyond what the individual works permit.  Inclusion of a covered work
+ in an aggregate does not cause this License to apply to the other
+ parts of the aggregate.
+ .
+   6. Conveying Non-Source Forms.
+ .
+   You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this License,
+ in one of these ways:
+ .
+     a) Convey the object code in, or embodied in, a physical product
+     (including a physical distribution medium), accompanied by the
+     Corresponding Source fixed on a durable physical medium
+     customarily used for software interchange.
+ .
+     b) Convey the object code in, or embodied in, a physical product
+     (including a physical distribution medium), accompanied by a
+     written offer, valid for at least three years and valid for as
+     long as you offer spare parts or customer support for that product
+     model, to give anyone who possesses the object code either (1) a
+     copy of the Corresponding Source for all the software in the
+     product that is covered by this License, on a durable physical
+     medium customarily used for software interchange, for a price no
+     more than your reasonable cost of physically performing this
+     conveying of source, or (2) access to copy the
+     Corresponding Source from a network server at no charge.
+ .
+     c) Convey individual copies of the object code with a copy of the
+     written offer to provide the Corresponding Source.  This
+     alternative is allowed only occasionally and noncommercially, and
+     only if you received the object code with such an offer, in accord
+     with subsection 6b.
+ .
+     d) Convey the object code by offering access from a designated
+     place (gratis or for a charge), and offer equivalent access to the
+     Corresponding Source in the same way through the same place at no
+     further charge.  You need not require recipients to copy the
+     Corresponding Source along with the object code.  If the place to
+     copy the object code is a network server, the Corresponding Source
+     may be on a different server (operated by you or a third party)
+     that supports equivalent copying facilities, provided you maintain
+     clear directions next to the object code saying where to find the
+     Corresponding Source.  Regardless of what server hosts the
+     Corresponding Source, you remain obligated to ensure that it is
+     available for as long as needed to satisfy these requirements.
+ .
+     e) Convey the object code using peer-to-peer transmission, provided
+     you inform other peers where the object code and Corresponding
+     Source of the work are being offered to the general public at no
+     charge under subsection 6d.
+ .
+   A separable portion of the object code, whose source code is excluded
+ from the Corresponding Source as a System Library, need not be
+ included in conveying the object code work.
+ .
+   A "User Product" is either (1) a "consumer product", which means any
+ tangible personal property which is normally used for personal, family,
+ or household purposes, or (2) anything designed or sold for incorporation
+ into a dwelling.  In determining whether a product is a consumer product,
+ doubtful cases shall be resolved in favor of coverage.  For a particular
+ product received by a particular user, "normally used" refers to a
+ typical or common use of that class of product, regardless of the status
+ of the particular user or of the way in which the particular user
+ actually uses, or expects or is expected to use, the product.  A product
+ is a consumer product regardless of whether the product has substantial
+ commercial, industrial or non-consumer uses, unless such uses represent
+ the only significant mode of use of the product.
+ .
+   "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to install
+ and execute modified versions of a covered work in that User Product from
+ a modified version of its Corresponding Source.  The information must
+ suffice to ensure that the continued functioning of the modified object
+ code is in no case prevented or interfered with solely because
+ modification has been made.
+ .
+   If you convey an object code work under this section in, or with, or
+ specifically for use in, a User Product, and the conveying occurs as
+ part of a transaction in which the right of possession and use of the
+ User Product is transferred to the recipient in perpetuity or for a
+ fixed term (regardless of how the transaction is characterized), the
+ Corresponding Source conveyed under this section must be accompanied
+ by the Installation Information.  But this requirement does not apply
+ if neither you nor any third party retains the ability to install
+ modified object code on the User Product (for example, the work has
+ been installed in ROM).
+ .
+   The requirement to provide Installation Information does not include a
+ requirement to continue to provide support service, warranty, or updates
+ for a work that has been modified or installed by the recipient, or for
+ the User Product in which it has been modified or installed.  Access to a
+ network may be denied when the modification itself materially and
+ adversely affects the operation of the network or violates the rules and
+ protocols for communication across the network.
+ .
+   Corresponding Source conveyed, and Installation Information provided,
+ in accord with this section must be in a format that is publicly
+ documented (and with an implementation available to the public in
+ source code form), and must require no special password or key for
+ unpacking, reading or copying.
+ .
+   7. Additional Terms.
+ .
+   "Additional permissions" are terms that supplement the terms of this
+ License by making exceptions from one or more of its conditions.
+ Additional permissions that are applicable to the entire Program shall
+ be treated as though they were included in this License, to the extent
+ that they are valid under applicable law.  If additional permissions
+ apply only to part of the Program, that part may be used separately
+ under those permissions, but the entire Program remains governed by
+ this License without regard to the additional permissions.
+ .
+   When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part of
+ it.  (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.)  You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+ .
+   Notwithstanding any other provision of this License, for material you
+ add to a covered work, you may (if authorized by the copyright holders of
+ that material) supplement the terms of this License with terms:
+ .
+     a) Disclaiming warranty or limiting liability differently from the
+     terms of sections 15 and 16 of this License; or
+ .
+     b) Requiring preservation of specified reasonable legal notices or
+     author attributions in that material or in the Appropriate Legal
+     Notices displayed by works containing it; or
+ .
+     c) Prohibiting misrepresentation of the origin of that material, or
+     requiring that modified versions of such material be marked in
+     reasonable ways as different from the original version; or
+ .
+     d) Limiting the use for publicity purposes of names of licensors or
+     authors of the material; or
+ .
+     e) Declining to grant rights under trademark law for use of some
+     trade names, trademarks, or service marks; or
+ .
+     f) Requiring indemnification of licensors and authors of that
+     material by anyone who conveys the material (or modified versions of
+     it) with contractual assumptions of liability to the recipient, for
+     any liability that these contractual assumptions directly impose on
+     those licensors and authors.
+ .
+   All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10.  If the Program as you
+ received it, or any part of it, contains a notice stating that it is
+ governed by this License along with a term that is a further
+ restriction, you may remove that term.  If a license document contains
+ a further restriction but permits relicensing or conveying under this
+ License, you may add to a covered work material governed by the terms
+ of that license document, provided that the further restriction does
+ not survive such relicensing or conveying.
+ .
+   If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+ .
+   Additional terms, permissive or non-permissive, may be stated in the
+ form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+ .
+   8. Termination.
+ .
+   You may not propagate or modify a covered work except as expressly
+ provided under this License.  Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights under
+ this License (including any patent licenses granted under the third
+ paragraph of section 11).
+ .
+   However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the copyright
+ holder fails to notify you of the violation by some reasonable means
+ prior to 60 days after the cessation.
+ .
+   Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from that
+ copyright holder, and you cure the violation prior to 30 days after
+ your receipt of the notice.
+ .
+   Termination of your rights under this section does not terminate the
+ licenses of parties who have received copies or rights from you under
+ this License.  If your rights have been terminated and not permanently
+ reinstated, you do not qualify to receive new licenses for the same
+ material under section 10.
+ .
+   9. Acceptance Not Required for Having Copies.
+ .
+   You are not required to accept this License in order to receive or
+ run a copy of the Program.  Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer transmission
+ to receive a copy likewise does not require acceptance.  However,
+ nothing other than this License grants you permission to propagate or
+ modify any covered work.  These actions infringe copyright if you do
+ not accept this License.  Therefore, by modifying or propagating a
+ covered work, you indicate your acceptance of this License to do so.
+ .
+   10. Automatic Licensing of Downstream Recipients.
+ .
+   Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License.  You are not responsible
+ for enforcing compliance by third parties with this License.
+ .
+   An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations.  If propagation of a covered
+ work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or could
+ give under the previous paragraph, plus a right to possession of the
+ Corresponding Source of the work from the predecessor in interest, if
+ the predecessor has it or can get it with reasonable efforts.
+ .
+   You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License.  For example, you may
+ not impose a license fee, royalty, or other charge for exercise of
+ rights granted under this License, and you may not initiate litigation
+ (including a cross-claim or counterclaim in a lawsuit) alleging that
+ any patent claim is infringed by making, using, selling, offering for
+ sale, or importing the Program or any portion of it.
+ .
+   11. Patents.
+ .
+   A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.  The
+ work thus licensed is called the contributor's "contributor version".
+ .
+   A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner, permitted
+ by this License, of making, using, or selling its contributor version,
+ but do not include claims that would be infringed only as a
+ consequence of further modification of the contributor version.  For
+ purposes of this definition, "control" includes the right to grant
+ patent sublicenses in a manner consistent with the requirements of
+ this License.
+ .
+   Each contributor grants you a non-exclusive, worldwide, royalty-free
+ patent license under the contributor's essential patent claims, to
+ make, use, sell, offer for sale, import and otherwise run, modify and
+ propagate the contents of its contributor version.
+ .
+   In the following three paragraphs, a "patent license" is any express
+ agreement or commitment, however denominated, not to enforce a patent
+ (such as an express permission to practice a patent or covenant not to
+ sue for patent infringement).  To "grant" such a patent license to a
+ party means to make such an agreement or commitment not to enforce a
+ patent against the party.
+ .
+   If you convey a covered work, knowingly relying on a patent license,
+ and the Corresponding Source of the work is not available for anyone
+ to copy, free of charge and under the terms of this License, through a
+ publicly available network server or other readily accessible means,
+ then you must either (1) cause the Corresponding Source to be so
+ available, or (2) arrange to deprive yourself of the benefit of the
+ patent license for this particular work, or (3) arrange, in a manner
+ consistent with the requirements of this License, to extend the patent
+ license to downstream recipients.  "Knowingly relying" means you have
+ actual knowledge that, but for the patent license, your conveying the
+ covered work in a country, or your recipient's use of the covered work
+ in a country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+ .
+   If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate, modify
+ or convey a specific copy of the covered work, then the patent license
+ you grant is automatically extended to all recipients of the covered
+ work and works based on it.
+ .
+   A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that are
+ specifically granted under this License.  You may not convey a covered
+ work if you are a party to an arrangement with a third party that is
+ in the business of distributing software, under which you make payment
+ to the third party based on the extent of your activity of conveying
+ the work, and under which the third party grants, to any of the
+ parties who would receive the covered work from you, a discriminatory
+ patent license (a) in connection with copies of the covered work
+ conveyed by you (or copies made from those copies), or (b) primarily
+ for and in connection with specific products or compilations that
+ contain the covered work, unless you entered into that arrangement,
+ or that patent license was granted, prior to 28 March 2007.
+ .
+   Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+ .
+   12. No Surrender of Others' Freedom.
+ .
+   If conditions are imposed on you (whether by court order, agreement or
+ otherwise) that contradict the conditions of this License, they do not
+ excuse you from the conditions of this License.  If you cannot convey a
+ covered work so as to satisfy simultaneously your obligations under this
+ License and any other pertinent obligations, then as a consequence you may
+ not convey it at all.  For example, if you agree to terms that obligate you
+ to collect a royalty for further conveying from those to whom you convey
+ the Program, the only way you could satisfy both those terms and this
+ License would be to refrain entirely from conveying the Program.
+ .
+   13. Remote Network Interaction; Use with the GNU General Public License.
+ .
+   Notwithstanding any other provision of this License, if you modify the
+ Program, your modified version must prominently offer all users
+ interacting with it remotely through a computer network (if your version
+ supports such interaction) an opportunity to receive the Corresponding
+ Source of your version by providing access to the Corresponding Source
+ from a network server at no charge, through some standard or customary
+ means of facilitating copying of software.  This Corresponding Source
+ shall include the Corresponding Source for any work covered by version 3
+ of the GNU General Public License that is incorporated pursuant to the
+ following paragraph.
+ .
+   Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU General Public License into a single
+ combined work, and to convey the resulting work.  The terms of this
+ License will continue to apply to the part which is the covered work,
+ but the work with which it is combined will remain governed by version
+ 3 of the GNU General Public License.
+ .
+   14. Revised Versions of this License.
+ .
+   The Free Software Foundation may publish revised and/or new versions of
+ the GNU Affero General Public License from time to time.  Such new versions
+ will be similar in spirit to the present version, but may differ in detail to
+ address new problems or concerns.
+ .
+   Each version is given a distinguishing version number.  If the
+ Program specifies that a certain numbered version of the GNU Affero General
+ Public License "or any later version" applies to it, you have the
+ option of following the terms and conditions either of that numbered
+ version or of any later version published by the Free Software
+ Foundation.  If the Program does not specify a version number of the
+ GNU Affero General Public License, you may choose any version ever published
+ by the Free Software Foundation.
+ .
+   If the Program specifies that a proxy can decide which future
+ versions of the GNU Affero General Public License can be used, that proxy's
+ public statement of acceptance of a version permanently authorizes you
+ to choose that version for the Program.
+ .
+   Later license versions may give you additional or different
+ permissions.  However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+ .
+   15. Disclaimer of Warranty.
+ .
+   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+ HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+ OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+ IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+ .
+   16. Limitation of Liability.
+ .
+   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+ THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+ GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+ DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+ EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
+ .
+   17. Interpretation of Sections 15 and 16.
+ .
+   If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely approximates
+ an absolute waiver of all civil liability in connection with the
+ Program, unless a warranty or assumption of liability accompanies a
+ copy of the Program in return for a fee.
+ .
+                      END OF TERMS AND CONDITIONS
+ .
+             How to Apply These Terms to Your New Programs
+ .
+   If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
+ .
+   To do so, attach the following notices to the program.  It is safest
+ to attach them to the start of each source file to most effectively
+ state the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
+ .
+     <one line to give the program's name and a brief idea of what it does.>
+     Copyright (C) <year>  <name of author>
+ .
+     This program is free software: you can redistribute it and/or modify
+     it under the terms of the GNU Affero General Public License as published by
+     the Free Software Foundation, either version 3 of the License, or
+     (at your option) any later version.
+ .
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU Affero General Public License for more details.
+ .
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ .
+ Also add information on how to contact you by electronic and paper mail.
+ .
+   If your software can interact with users remotely through a computer
+ network, you should also make sure that it provides a way for users to
+ get its source.  For example, if your program is a web application, its
+ interface could display a "Source" link that leads users to an archive
+ of the code.  There are many ways you could offer source, and different
+ solutions will be better for different programs; see section 13 for the
+ specific requirements.
+ .
+   You should also get your employer (if you work as a programmer) or school,
+ if any, to sign a "copyright disclaimer" for the program, if necessary.
+ For more information on this, and how to apply and follow the GNU AGPL, see
+ <http://www.gnu.org/licenses/>.
--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,6 @@
+#!/usr/bin/make -f
+%:
+	dh $@
+
+override_dh_builddeb:
+	dh_builddeb -- -Zgzip
--- a/debian/rustdesk-server-hbbr.install
+++ b/debian/rustdesk-server-hbbr.install
@@ -0,0 +1,2 @@
+bin/hbbr usr/bin
+systemd/rustdesk-hbbr.service lib/systemd/system
--- a/debian/rustdesk-server-hbbr.postinst
+++ b/debian/rustdesk-server-hbbr.postinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+set -e
+
+SERVICE=rustdesk-hbbr.service
+
+if [ "$1" = "configure" ]; then
+    mkdir -p /var/log/rustdesk-server
+fi
+
+case "$1" in
+    configure|abort-upgrade|abort-deconfigure|abort-remove)
+      mkdir -p /var/lib/rustdesk-server/
+	  deb-systemd-helper unmask "${SERVICE}" >/dev/null || true
+	  if deb-systemd-helper --quiet was-enabled "${SERVICE}"; then
+	  	deb-systemd-invoke enable "${SERVICE}" >/dev/null || true
+	  else
+	  	deb-systemd-invoke update-state "${SERVICE}" >/dev/null || true
+	  fi
+	  systemctl --system daemon-reload >/dev/null || true
+	  if [ -n "$2" ]; then
+		deb-systemd-invoke restart "${SERVICE}" >/dev/null || true
+	  else
+		deb-systemd-invoke start "${SERVICE}" >/dev/null || true
+	  fi
+    ;;
+esac
+
+exit 0
--- a/debian/rustdesk-server-hbbr.postrm
+++ b/debian/rustdesk-server-hbbr.postrm
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+SERVICE=rustdesk-hbbr.service
+
+systemctl --system daemon-reload >/dev/null || true
+
+if [ "$1" = "purge" ]; then
+	rm -rf /var/log/rustdesk-server/rustdesk-hbbr.*
+	deb-systemd-helper purge "${SERVICE}" >/dev/null || true
+	deb-systemd-helper unmask "${SERVICE}" >/dev/null || true
+fi
+
+if [ "$1" = "remove" ]; then
+	deb-systemd-helper mask "${SERVICE}" >/dev/null || true
+fi
+
+exit 0
--- a/debian/rustdesk-server-hbbr.prerm
+++ b/debian/rustdesk-server-hbbr.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+SERVICE=rustdesk-hbbr.service
+
+case "$1" in
+    remove|deconfigure)
+	  deb-systemd-invoke stop "${SERVICE}" >/dev/null || true
+	  deb-systemd-invoke disable "${SERVICE}" >/dev/null || true
+	;;
+esac
+
+exit 0
--- a/debian/rustdesk-server-hbbs.install
+++ b/debian/rustdesk-server-hbbs.install
@@ -0,0 +1,2 @@
+bin/hbbs usr/bin
+systemd/rustdesk-hbbs.service lib/systemd/system
--- a/debian/rustdesk-server-hbbs.postinst
+++ b/debian/rustdesk-server-hbbs.postinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+set -e
+
+SERVICE=rustdesk-hbbs.service
+
+if [ "$1" = "configure" ]; then
+    mkdir -p /var/log/rustdesk-server
+fi
+
+case "$1" in
+    configure|abort-upgrade|abort-deconfigure|abort-remove)
+      mkdir -p /var/lib/rustdesk-server/
+	  deb-systemd-helper unmask "${SERVICE}" >/dev/null || true
+	  if deb-systemd-helper --quiet was-enabled "${SERVICE}"; then
+	  	deb-systemd-invoke enable "${SERVICE}" >/dev/null || true
+	  else
+	  	deb-systemd-invoke update-state "${SERVICE}" >/dev/null || true
+	  fi
+	  systemctl --system daemon-reload >/dev/null || true
+	  if [ -n "$2" ]; then
+		deb-systemd-invoke restart "${SERVICE}" >/dev/null || true
+	  else
+		deb-systemd-invoke start "${SERVICE}" >/dev/null || true
+	  fi
+    ;;
+esac
+
+exit 0
--- a/debian/rustdesk-server-hbbs.postrm
+++ b/debian/rustdesk-server-hbbs.postrm
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+SERVICE=rustdesk-hbbs.service
+
+systemctl --system daemon-reload >/dev/null || true
+
+if [ "$1" = "purge" ]; then
+	rm -rf /var/lib/rustdesk-server/ /var/log/rustdesk-server/rustdesk-hbbs.*
+	deb-systemd-helper purge "${SERVICE}" >/dev/null || true
+	deb-systemd-helper unmask "${SERVICE}" >/dev/null || true
+fi
+
+if [ "$1" = "remove" ]; then
+	deb-systemd-helper mask "${SERVICE}" >/dev/null || true
+fi
+
+exit 0
--- a/debian/rustdesk-server-hbbs.prerm
+++ b/debian/rustdesk-server-hbbs.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+SERVICE=rustdesk-hbbs.service
+
+case "$1" in
+    remove|deconfigure)
+	  deb-systemd-invoke stop "${SERVICE}" >/dev/null || true
+	  deb-systemd-invoke disable "${SERVICE}" >/dev/null || true
+	;;
+esac
+
+exit 0
--- a/debian/rustdesk-server-utils.install
+++ b/debian/rustdesk-server-utils.install
@@ -0,0 +1 @@
+bin/rustdesk-utils usr/bin
--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
--- a/docker-classic/Dockerfile
+++ b/docker-classic/Dockerfile
@@ -0,0 +1,5 @@
+FROM scratch
+COPY hbbs /usr/bin/hbbs
+COPY hbbr /usr/bin/hbbr
+WORKDIR /root
+ENV HOME=/root
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,36 @@
+version: '3'
+
+networks:
+  rustdesk-net:
+    external: false
+
+services:
+  hbbs:
+    container_name: hbbs
+    ports:
+      - 21115:21115
+      - 21116:21116
+      - 21116:21116/udp
+      - 21118:21118
+    image: rustdesk/rustdesk-server:latest
+    command: hbbs -r rustdesk.example.com:21117
+    volumes:
+      - ./data:/root
+    networks:
+      - rustdesk-net
+    depends_on:
+      - hbbr
+    restart: unless-stopped
+
+  hbbr:
+    container_name: hbbr
+    ports:
+      - 21117:21117
+      - 21119:21119
+    image: rustdesk/rustdesk-server:latest
+    command: hbbr
+    volumes:
+      - ./data:/root
+    networks:
+      - rustdesk-net
+    restart: unless-stopped
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -0,0 +1,26 @@
+FROM busybox:stable
+
+ARG S6_OVERLAY_VERSION=3.2.0.0
+ARG S6_ARCH=x86_64
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz /tmp
+RUN \
+  tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
+  tar -C / -Jxpf /tmp/s6-overlay-${S6_ARCH}.tar.xz && \
+  rm /tmp/s6-overlay*.tar.xz && \
+  ln -s /run /var/run
+
+COPY rootfs /
+
+ENV RELAY=relay.example.com
+ENV ENCRYPTED_ONLY=0
+
+EXPOSE 21115 21116 21116/udp 21117 21118 21119
+
+HEALTHCHECK --interval=10s --timeout=5s CMD /usr/bin/healthcheck.sh
+
+WORKDIR /data
+
+VOLUME /data
+
+ENTRYPOINT ["/init"]
--- a/docker/healthcheck.sh
+++ b/docker/healthcheck.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+/package/admin/s6/command/s6-svstat /run/s6-rc/servicedirs/hbbr || exit 1
+/package/admin/s6/command/s6-svstat /run/s6-rc/servicedirs/hbbs || exit 1
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
@@ -0,0 +1 @@
+key-secret
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run
@@ -0,0 +1,5 @@
+#!/command/with-contenv sh
+cd /data
+PARAMS=
+[ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _"
+/usr/bin/hbbr $PARAMS
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/type
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/type
@@ -0,0 +1 @@
+longrun
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
@@ -0,0 +1,2 @@
+key-secret
+hbbr
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run
@@ -0,0 +1,6 @@
+#!/command/with-contenv sh
+sleep 2
+cd /data
+PARAMS=
+[ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _"
+/usr/bin/hbbs -r $RELAY $PARAMS
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/type
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/type
@@ -0,0 +1 @@
+longrun
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
@@ -0,0 +1 @@
+oneshot
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/key-secret/up.real
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
@@ -0,0 +1,58 @@
+#!/command/with-contenv sh
+
+if [ ! -d /data ] ; then
+  mkdir /data
+fi
+
+# normal docker secrets
+if [ ! -f /data/id_ed25519.pub ] && [ -r /run/secrets/key_pub ] ; then
+  cp /run/secrets/key_pub /data/id_ed25519.pub
+  echo "Public key created from secret"
+fi
+
+if [ ! -f /data/id_ed25519 ] && [ -r /run/secrets/key_priv ] ; then
+  cp /run/secrets/key_priv /data/id_ed25519
+  echo "Private key created from secret"
+fi
+
+# ENV variables
+if [ ! -f /data/id_ed25519.pub ] && [ ! "$KEY_PUB" = "" ] ; then
+  echo -n "$KEY_PUB" > /data/id_ed25519.pub
+  echo "Public key created from ENV variable"
+fi
+
+if [ ! -f /data/id_ed25519 ] && [ ! "$KEY_PRIV" = "" ] ; then
+  echo -n "$KEY_PRIV" > /data/id_ed25519
+  echo "Private key created from ENV variable"
+fi
+
+# check if both keys provided
+if [ -f /data/id_ed25519.pub ] && [ ! -f /data/id_ed25519 ] ; then
+  echo "Private key missing."
+  echo "You must provide BOTH the private and the public key."
+  /run/s6/basedir/bin/halt
+  exit 1
+fi
+
+if [ ! -f /data/id_ed25519.pub ] && [ -f /data/id_ed25519 ] ; then
+  echo "Public key missing."
+  echo "You must provide BOTH the private and the public key."
+  /run/s6/basedir/bin/halt
+  exit 1
+fi
+
+# here we have either no keys or both
+
+# if we have both keys, we fix permissions and ownership
+# and check for keypair validation
+if [ -f /data/id_ed25519.pub ] && [ -f /data/id_ed25519 ] ; then
+  chmod 0600 /data/id_ed25519.pub /data/id_ed25519
+  chown root:root /data/id_ed25519.pub /data/id_ed25519
+  /usr/bin/rustdesk-utils validatekeypair "$(cat /data/id_ed25519.pub)" "$(cat /data/id_ed25519)" || {
+    echo "Key pair not valid"
+    /run/s6/basedir/bin/halt
+    exit 1
+  }
+fi
+
+# if we have no keypair, hbbs will generate one
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/hbbr
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/hbbr
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/hbbs
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/hbbs
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret
--- a/docker/rootfs/usr/bin/healthcheck.sh
+++ b/docker/rootfs/usr/bin/healthcheck.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+/package/admin/s6/command/s6-svstat /run/s6-rc/servicedirs/hbbr || exit 1
+/package/admin/s6/command/s6-svstat /run/s6-rc/servicedirs/hbbs || exit 1
--- a/kubernetes/example.yaml
+++ b/kubernetes/example.yaml
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rustdesk-server
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: rustdesk
+  template:
+    metadata:
+      labels:
+        app: rustdesk
+    spec:
+      containers:
+        # id Server (HBBS)
+        - name: hbbs
+          image: rustdesk/rustdesk-server:latest
+          env:
+            - name: RELAY_HOST
+              value: "rustdesk.yourdomain.tld"
+          command: ["hbbs", "-r", "$(RELAY_HOST):21117", "-k", "_"]
+          volumeMounts:
+            - mountPath: /root
+              name: rustdesk-data
+          ports:
+            - containerPort: 21115
+            - containerPort: 21116
+              protocol: TCP
+            - containerPort: 21116
+              protocol: UDP
+            - containerPort: 21118
+
+        # Relay Server (HBBR)
+        - name: hbbr
+          image: rustdesk/rustdesk-server:latest
+          command: ["hbbr", "-k", "_"]
+          volumeMounts:
+            - mountPath: /root
+              name: rustdesk-data
+          ports:
+            - containerPort: 21117
+            - containerPort: 21119
+
+      volumes:
+        - name: rustdesk-data
+          persistentVolumeClaim:
+            claimName: rustdesk-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustdesk-service
+spec:
+  type: LoadBalancer # Or NodePort
+  selector:
+    app: rustdesk
+  ports:
+    - name: hbbs-tcp
+      port: 21115
+      targetPort: 21115
+      protocol: TCP
+    - name: hbbs-udp
+      port: 21116
+      targetPort: 21116
+      protocol: UDP
+    - name: hbbs-tcp-main
+      port: 21116
+      targetPort: 21116
+      protocol: TCP
+    - name: hbbr-tcp
+      port: 21117
+      targetPort: 21117
+      protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rustdesk-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce # RWM would be available only with pro version
+  resources:
+    requests:
+      storage: 1Gi
--- a/libs/hbb_common
+++ b/libs/hbb_common
--- a/mod.rs
+++ b/mod.rs
@@ -1,45 +0,0 @@
-mod src;
-pub use src::*;
-
-use hbb_common::{allow_err, log};
-use std::sync::{Arc, Mutex};
-
-lazy_static::lazy_static! {
-    static ref STOP: Arc<Mutex<bool>> = Arc::new(Mutex::new(true));
-}
-
-pub fn bootstrap(key: &str, host: &str) {
-    let port = rendezvous_server::DEFAULT_PORT;
-    let addr = format!("0.0.0.0:{}", port);
-    let addr2 = format!("0.0.0.0:{}", port.parse::<i32>().unwrap_or(0) - 1);
-    let relay_servers: Vec<String> = vec![format!("{}:{}", host, relay_server::DEFAULT_PORT)];
-    let tmp_key = key.to_owned();
-    std::thread::spawn(move || {
-        allow_err!(rendezvous_server::RendezvousServer::start(
-            &addr,
-            &addr2,
-            relay_servers,
-            0,
-            Default::default(),
-            Default::default(),
-            &tmp_key,
-            STOP.clone(),
-        ));
-    });
-    let tmp_key = key.to_owned();
-    std::thread::spawn(move || {
-        allow_err!(relay_server::start(
-            relay_server::DEFAULT_PORT,
-            &tmp_key,
-            STOP.clone()
-        ));
-    });
-}
-
-pub fn stop() {
-    *STOP.lock().unwrap() = true;
-}
-
-pub fn start() {
-    *STOP.lock().unwrap() = false;
-}
--- a/7
+++ b/7
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-cargo build --release
-strip target/release/hbbr
-strip target/release/hbbs
-sudo docker image build -t rustdesk/rustdesk-server .
-#sudo docker login
-sudo docker image push rustdesk/rustdesk-server:latest
--- a/rcd/rustdesk-hbbr
+++ b/rcd/rustdesk-hbbr
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# PROVIDE: rustdesk_hbbr
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# rustdesk_hbbr_enable (bool):            Set to NO by default.
+#               Set it to YES to enable rustdesk_hbbr.
+# rustdesk_hbbr_args (string):            Set extra arguments to pass to rustdesk_hbbr
+#               Default is "-k _".
+# rustdesk_hbbr_user (string):            Set user that rustdesk_hbbr will run under
+#               Default is "root".
+# rustdesk_hbbr_group (string):           Set group that rustdesk_hbbr will run under
+#               Default is "wheel".
+
+. /etc/rc.subr
+
+name=rustdesk_hbbr
+desc="Rustdesk Relay Server"
+rcvar=rustdesk_hbbr_enable
+
+load_rc_config $name
+
+: ${rustdesk_hbbr_enable:=NO}
+: ${rustdesk_hbbr_args="-k _"}
+: ${rustdesk_hbbr_user:=rustdesk}
+: ${rustdesk_hbbr_group:=rustdesk}
+
+pidfile=/var/run/rustdesk_hbbr.pid
+command=/usr/sbin/daemon
+procname=/usr/local/sbin/hbbr
+rustdesk_hbbr_chdir=/var/db/rustdesk-server
+command_args="-p ${pidfile} -o /var/log/rustdesk-hbbr.log ${procname} ${rustdesk_hbbr_args}"
+## If you want the daemon do its log over syslog comment out the above line and remove the comment from the below replacement
+#command_args="-p ${pidfile} -T ${name} ${procname} ${rustdesk_hbbr_args}"
+
+start_precmd=rustdesk_hbbr_startprecmd
+
+rustdesk_hbbr_startprecmd()
+{
+    if [ -e ${pidfile} ]; then
+        chown ${rustdesk_hbbr_user}:${rustdesk_hbbr_group} ${pidfile};
+    else
+        install -o ${rustdesk_hbbr_user} -g ${rustdesk_hbbr_group} /dev/null ${pidfile};
+    fi
+    if [ -e ${rustdesk_hbbr_chdir} ]; then
+        chown -R ${rustdesk_hbbr_user}:${rustdesk_hbbr_group} ${rustdesk_hbbr_chdir};
+        chmod -R 770 ${rustdesk_hbbr_chdir};
+    else
+        mkdir -m 770 ${rustdesk_hbbr_chdir};
+        chown ${rustdesk_hbbr_user}:${rustdesk_hbbr_group} ${rustdesk_hbbr_chdir};
+    fi
+    if [ -e /var/log/rustdesk-hbbr.log ]; then
+        chown -R ${rustdesk_hbbr_user}:${rustdesk_hbbr_group} /var/log/rustdesk-hbbr.log;
+        chmod 660 /var/log/rustdesk-hbbr.log;
+    else
+        install -o ${rustdesk_hbbr_user} -g ${rustdesk_hbbr_group} /dev/null /var/log/rustdesk-hbbr.log;
+        chmod 660 /var/log/rustdesk-hbbr.log;
+    fi
+}
+
+run_rc_command "$1"
--- a/rcd/rustdesk-hbbs
+++ b/rcd/rustdesk-hbbs
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# PROVIDE: rustdesk_hbbs
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# rustdesk_hbbs_enable (bool):            Set to NO by default.
+#               Set it to YES to enable rustdesk_hbbs.
+# rustdesk_hbbs_ip (string):              Set IP address/hostname of relay server to use
+#               Defaults to "127.0.0.1", please replace with your server hostname/IP.
+# rustdesk_hbbs_args (string):            Set extra arguments to pass to rustdesk_hbbs
+#               Default is "-r ${rustdesk_hbbs_ip} -k _".
+# rustdesk_hbbs_user (string):            Set user that rustdesk_hbbs will run under
+#               Default is "root".
+# rustdesk_hbbs_group (string):           Set group that rustdesk_hbbs will run under
+#               Default is "wheel".
+
+. /etc/rc.subr
+
+name=rustdesk_hbbs
+desc="Rustdesk ID/Rendezvous Server"
+rcvar=rustdesk_hbbs_enable
+
+load_rc_config $name
+
+: ${rustdesk_hbbs_enable:=NO}
+: ${rustdesk_hbbs_ip:=127.0.0.1}
+: ${rustdesk_hbbs_args="-r ${rustdesk_hbbs_ip} -k _"}
+: ${rustdesk_hbbs_user:=rustdesk}
+: ${rustdesk_hbbs_group:=rustdesk}
+
+pidfile=/var/run/rustdesk_hbbs.pid
+command=/usr/sbin/daemon
+procname=/usr/local/sbin/hbbs
+rustdesk_hbbs_chdir=/var/db/rustdesk-server
+command_args="-p ${pidfile} -o /var/log/rustdesk-hbbs.log ${procname} ${rustdesk_hbbs_args}"
+## If you want the daemon to do its log over syslog, comment out the above line and remove the comment from the below replacement
+#command_args="-p ${pidfile} -T ${name} ${procname} ${rustdesk_hbbs_args}"
+
+start_precmd=rustdesk_hbbs_startprecmd
+
+rustdesk_hbbs_startprecmd()
+{
+    if [ -e ${pidfile} ]; then
+        chown ${rustdesk_hbbs_user}:${rustdesk_hbbs_group} ${pidfile};
+    else
+        install -o ${rustdesk_hbbs_user} -g ${rustdesk_hbbs_group} /dev/null ${pidfile};
+    fi
+    if [ -e ${rustdesk_hbbs_chdir} ]; then
+        chown -R ${rustdesk_hbbs_user}:${rustdesk_hbbs_group} ${rustdesk_hbbs_chdir};
+        chmod -R 770 ${rustdesk_hbbs_chdir};
+    else
+        mkdir -m 770 ${rustdesk_hbbs_chdir};
+        chown ${rustdesk_hbbs_user}:${rustdesk_hbbs_group} ${rustdesk_hbbs_chdir};
+    fi
+    if [ -e /var/log/rustdesk-hbbs.log ]; then
+        chown -R ${rustdesk_hbbs_user}:${rustdesk_hbbs_group} /var/log/rustdesk-hbbs.log;
+        chmod 660 /var/log/rustdesk-hbbs.log;
+    else
+        install -o ${rustdesk_hbbs_user} -g ${rustdesk_hbbs_group} /dev/null /var/log/rustdesk-hbbs.log;
+        chmod 660 /var/log/rustdesk-hbbs.log;
+    fi
+}
+
+run_rc_command "$1"
--- a/spk.sh
+++ b/spk.sh
@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-# here is Breaking Changes of package in 7.0: https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/7.0/enu/DSM_Developer_Guide_7_0_Beta.pdf
-# https://blog.cmj.tw/SynologyApp.htm 暂时不搞签名
-/bin/rm -rf package
-mkdir package
-cd package
-mkdir bin logs config
-echo port=21116 > config/hbbs.conf
-echo key= >> config/hbbs.conf
-echo email= >> config/hbbs.conf
-echo port=21117 > config/hbbr.conf
-cp ../target/release/hbbs bin/
-cp ../target/release/hbbr bin/
-strip bin/hbbs
-strip bin/hbbr
-tar -czf ../spk/package.tgz *
-cd ..
-cd spk
-#md5 package.tgz | awk '{print "checksum=\"" $4 "\""}' >> INFO
-file=rustdesk-server-synology-x64.spk
-tar -cvf $file *
-mv $file ..
--- a/spk/INFO
+++ b/spk/INFO
@@ -1,18 +0,0 @@
-package="RustDesk Server"
-version="1.1.3"
-description="RustDesk is a remote desktop software allowing your own rendezvous/relay server. It attempts to make direct connect via TCP hole punch first, and then forward via relay server if direct connection fails. 4 ports are used. NAT test port: 21115(tcp), ID/rendezvous port: 21116(tcp/udp), relay port: 21117(tcp), Email: (), Key: ()"
-displayname="RustDesk Rendezvous/Relay Server"
-maintainer="CarrieZ Studio"
-maintainer_url="https://rustdesk.com/zh/"
-distributor="RustDesk & 裙下孤魂"
-support_url="https://rustdesk.com/contact/"
-arch="apollolake avoton braswell broadwell broadwellnk bromolow cedarview denverton dockerx64 geminilake grantley kvmx64 purley v1000 x86 x86_64"
-os_min_ver="6.1"
-reloadui="yes"
-startable="yes"
-thirdparty="yes"
-install_reboot="no"
-install_dep_packages=""
-install_conflict_packages=""
-extractsize=""
-checkport="no"
--- a/spk/PACKAGE_ICON.PNG
+++ b/spk/PACKAGE_ICON.PNG
--- a/spk/PACKAGE_ICON_256.PNG
+++ b/spk/PACKAGE_ICON_256.PNG
--- a/spk/WIZARD_UIFILES/install_uifile
+++ b/spk/WIZARD_UIFILES/install_uifile
@@ -1,54 +0,0 @@
-[{
-    "step_title": "Install Settings",
-    "items": [{
-        "type": "textfield",
-        "desc": "Listening Ports",
-        "subitems": [{
-            "key": "hbbs_port",
-            "desc": "RustDesk ID Server Port",
-            "defaultValue": "21116",
-            "validator": {
-                "allowBlank": false,
-                "regex": {
-                    "expr": "/^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$/",
-                    "errorText": "Digit number only"
-                }
-            }
-        }, {
-            "key": "hbbr_port",
-            "desc": "RustDesk Relay Server Port",
-            "defaultValue": "21117",
-            "validator": {
-                "allowBlank": false,
-                "regex": {
-                    "expr": "/^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$/",
-                    "errorText": "Digit number only"
-                }
-            }
-        }]
-    },{
-        "type": "textfield",
-        "desc": "Registered email, check http://rustdesk.com/server for more information",
-        "subitems": [{
-            "key": "email",
-            "desc": "Email",
-            "validator": {
-                "allowBlank": false,
-                "regex": {
-                  "expr": "/^\\w+([-+.']\\w+)*@\\w+([-.]\\w+)*\\.\\w+([-.]\\w+)*$/",
-                  "errorText": "Invalid email format"
-                }
-            }
-        }]
-    },{
-        "type": "textfield",
-        "desc": "Only allow the client with the same key",
-        "subitems": [{
-            "key": "key",
-            "desc": "Key",
-            "validator": {
-                "allowBlank": true
-            }
-        }]
-    }]
-    }]
--- a/spk/scripts/RustDesk_Server.sc
+++ b/spk/scripts/RustDesk_Server.sc
@@ -1,23 +0,0 @@
-[RustDesk_Server_HBBR]
-title="RustDesk Server (HBBR_TCP)"
-desc="RustDesk Server"
-port_forward="yes"
-dst.ports="21117/tcp"
-
-[RustDesk_Server_HBBS_TCP]
-title="RustDesk Server (HBBS_TCP)"
-desc="RustDesk Server"
-port_forward="yes"
-dst.ports="21116/tcp"
-
-[RustDesk_Server_HBBS_UDP]
-title="RustDesk Server (HBBS_UDP)"
-desc="RustDesk Server"
-port_forward="yes"
-dst.ports="21116/udp"
-
-[RustDesk_Server_NAT_TCP]
-title="RustDesk Server (NAT_TCP)"
-desc="RustDesk Server"
-port_forward="yes"
-dst.ports="21115/tcp"
--- a/spk/scripts/installer
+++ b/spk/scripts/installer
@@ -1,167 +0,0 @@
-#!/bin/sh
-
-PACKAGE_NAME="$SYNOPKG_PKGNAME"
-PACKAGE_BASE="/var/packages/${PACKAGE_NAME}/target"
-PACKAGE_SSS="/var/packages/${PACKAGE_NAME}/scripts/start-stop-status"
-
-SERVICETOOL="/usr/syno/bin/servicetool"
-GETKEYVALUE="/usr/syno/bin/synogetkeyvalue"
-SETKEYVALUE="/usr/syno/bin/synosetkeyvalue"
-FWFILENAME="RustDesk_Server.sc"
-
-[ "${hbbr_port}" == "" ]  && hbbr_port="21117"
-[ "${hbbs_port}" == "" ]  && hbbs_port="21116"
-[ "${key}" == "" ]  && key=""
-[ "${email}" == "" ]  && email=""
-nat_port=`expr ${hbbs_port} - 1`
-
-preinst() {
-    exit 0
-}
-
-postinst() {
-    if [ "${SYNOPKG_PKG_STATUS}" == "INSTALL" ]; then
-        # 导入另一个RustDesk服务器数据
-        import_db="false"
-        import_all="false"
-        if [ "${rds_old_import_all}" == "true" ]; then
-            rds_old_import_db="true"
-            import_all="true"
-        elif [ "${rds_import_all}" == "true" ]; then
-            rds_import_db="true"
-            import_all="true"
-        fi
-        if [ "${rds_old_import_db}" == "true" ]; then
-            import_db="true"
-            PACKAGE_IMPORT_DIR="/var/packages/RustDesk_Server"
-        elif [ "${rds_import_db}" == "true" ]; then
-            import_db="true"
-            PACKAGE_IMPORT_DIR="/var/packages/RustDesk Server"
-        fi
-        if [ "${import_db}" == "true" ]; then
-            [ -x "${PACKAGE_IMPORT_DIR}/scripts/start-stop-status" ] \
-                && SYNOPKG_PKGNAME="RustDesk Server" "${PACKAGE_IMPORT_DIR}/scripts/start-stop-status" stop 2>&1
-            [ -f "${PACKAGE_IMPORT_DIR}/enabled" ] && rm -f "${PACKAGE_IMPORT_DIR}/enabled"
-            [ -d "${PACKAGE_IMPORT_DIR}/target/hbbs.db" ] && cp -prf "${PACKAGE_IMPORT_DIR}/target/hbbs.db" "${PACKAGE_BASE}"
-        fi
-        if [ "${import_all}" == "true" ]; then
-            [ -d "${PACKAGE_IMPORT_DIR}/target/logs" ] && cp -prf "${PACKAGE_IMPORT_DIR}/target/logs" "${PACKAGE_BASE}"
-        fi
-
-        # 添加应用配置
-				sed -i "s/relay port: 21117/relay port: ${hbbr_port}/" "/var/packages/${PACKAGE_NAME}/INFO"
-				sed -i "s/ID\/rendezvous port: 21116/ID\/rendezvous port: ${hbbs_port}/" "/var/packages/${PACKAGE_NAME}/INFO"
-				sed -i "s/NAT test port: 21115/NAT test port: ${nat_port}/" "/var/packages/${PACKAGE_NAME}/INFO"
-        sed -i "s/Key: ()/Key: (${key})/" "/var/packages/${PACKAGE_NAME}/INFO"
-        sed -i "s/Email: ()/Email: (${email})/" "/var/packages/${PACKAGE_NAME}/INFO"
-        sed -i "s/21117/${hbbr_port}/" "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}"
-        sed -i "s/21116/${hbbs_port}/" "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}"
-        sed -i "s/21115/${nat_port}/" "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}"
-        sed -i "s/port=[^ ]*/port=${hbbr_port}/g" "${PACKAGE_BASE}/config/hbbr.conf"
-        sed -i "s/port=[^ ]*/port=${hbbs_port}/g" "${PACKAGE_BASE}/config/hbbs.conf"
-        sed -i "s/key=[^ ]*/key=${key}/g" "${PACKAGE_BASE}/config/hbbs.conf"
-        sed -i "s/email=[^ ]*/email=${email}/g" "${PACKAGE_BASE}/config/hbbs.conf"
-
-        # 添加防火墙配置
-        cat "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}" >"/tmp/${FWFILENAME}"
-        ${SERVICETOOL} --install-configure-file --package "/tmp/${FWFILENAME}" >/dev/null
-        rm -f "/tmp/${FWFILENAME}"
-
-        # 设置文件权限
-        chmod -R 755 "${PACKAGE_BASE}"/*
-		chmod -R 755 "/var/packages/${PACKAGE_NAME}/scripts"/*
-		chmod -R 755 "/var/packages/${PACKAGE_NAME}/WIZARD_UIFILES"/*
-        chmod 644 "/var/packages/${PACKAGE_NAME}/INFO"
-    fi
-
-    exit 0
-}
-
-preuninst() {
-    # 停用套件
-    "${PACKAGE_SSS}" stop
-
-    # 删除防火墙配置
-    if [ "${SYNOPKG_PKG_STATUS}" == "UNINSTALL" ]; then
-        ${SERVICETOOL} --remove-configure-file --package "${FWFILENAME}" >/dev/null
-    fi
-
-    exit 0
-}
-
-postuninst() {
-    # 删除不必要的目录...
-    if [ -d "/usr/syno/etc/packages/${PACKAGE_NAME}" ]; then
-        rm -rf "/usr/syno/etc/packages/${PACKAGE_NAME}"
-    fi
-
-    exit 0
-}
-
-preupgrade() {
-    # 停用套件
-    "${PACKAGE_SSS}" stop
-
-#  Not working yet...
-#    # 检索旧设置...
-#    hbbr_port=`${GETKEYVALUE} "${PACKAGE_BASE}/config/hbbr.conf" port`
-#    hbbs_port=`${GETKEYVALUE} "${PACKAGE_BASE}/config/hbbs.conf" port`
-#    sed -i "s/21117/${hbbr_port}/" "/var/packages/${PACKAGE_NAME}/WIZARD_UIFILES/upgrade_uifile"
-#    sed -i "s/21116/${hbbs_port}/" "/var/packages/${PACKAGE_NAME}/WIZARD_UIFILES/upgrade_uifile"
-##  Not working yet...
-
-    # 备份数据文件...
-    if [ -d "${SYNOPKG_PKGDEST}" ]; then
-        DIRS4BACKUP="data logs hbbs.db config"
-        for DIR in $DIRS4BACKUP; do
-            if [ -d "${SYNOPKG_PKGDEST}/${DIR}" ]; then
-                mkdir -p "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}"
-                mv "${SYNOPKG_PKGDEST}/${DIR}"/* "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}"
-                rmdir "${SYNOPKG_PKGDEST}/${DIR}"
-            elif [ -f "${SYNOPKG_PKGDEST}/${DIR}" ]; then
-                mv "${SYNOPKG_PKGDEST}/${DIR}" "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade"
-            fi
-        done
-    fi
-
-    exit 0
-}
-
-postupgrade() {
-    # 恢复数据文件...
-    if [ -d "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade" ]; then
-        for DIR in `ls "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade"`
-        do
-            if [ -d "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}" ]; then
-                [ ! -d "${SYNOPKG_PKGDEST}/${DIR}" ] && mkdir "${SYNOPKG_PKGDEST}/${DIR}"
-                mv "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}"/* "${SYNOPKG_PKGDEST}/${DIR}"
-                rmdir "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}"
-            elif [ -f "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}" ]; then
-                mv "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade/${DIR}" "${SYNOPKG_PKGDEST}"
-            fi
-        done
-        rmdir "${SYNOPKG_PKGDEST}/../${PACKAGE_NAME}_upgrade"
-    fi
-
-    # 恢复设置...
-    hbbr_port=`${GETKEYVALUE} "${PACKAGE_BASE}/config/hbbr.conf" port` >>/tmp/wakko.txt
-    hbbs_port=`${GETKEYVALUE} "${PACKAGE_BASE}/config/hbbs.conf" port` >>/tmp/wakko.txt
-    nat_port=`expr ${hbbs_port} - 1`
-    key=`${GETKEYVALUE} "${PACKAGE_BASE}/config/hbbs.conf" key` >>/tmp/wakko.txt
-    email=`${GETKEYVALUE} "${PACKAGE_BASE}/config/hbbs.conf" email` >>/tmp/wakko.txt
-    sed -i "s/relay port: 21117/relay port: ${hbbr_port}/" "/var/packages/${PACKAGE_NAME}/INFO" >>/tmp/wakko.txt
-    sed -i "s/ID\/rendezvous port: 21116/ID\/rendezvous port: ${hbbs_port}/" "/var/packages/${PACKAGE_NAME}/INFO" >>/tmp/wakko.txt
-    sed -i "s/NAT test port: 21115/NAT test port: ${nat_port}/" "/var/packages/${PACKAGE_NAME}/INFO" >>/tmp/wakko.txt
-    sed -i "s/Key: ()/Key: (${key})/" "/var/packages/${PACKAGE_NAME}/INFO"
-    sed -i "s/Email: ()/Email: (${email})/" "/var/packages/${PACKAGE_NAME}/INFO"
-    sed -i "s/21117/${hbbr_port}/" "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}" >>/tmp/wakko.txt
-    sed -i "s/21116/${hbbs_port}/" "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}" >>/tmp/wakko.txt
-    sed -i "s/21115/${nat_port}/" "/var/packages/${PACKAGE_NAME}/scripts/${FWFILENAME}" >>/tmp/wakko.txt
-
-    # 设置文件权限
-    chmod -R 755 "/var/packages/${PACKAGE_NAME}/scripts"/*
-    chmod -R 755 "/var/packages/${PACKAGE_NAME}/WIZARD_UIFILES"/*
-    chmod 644 "/var/packages/${PACKAGE_NAME}/INFO"
-
-    exit 0
-}
--- a/spk/scripts/postinst
+++ b/spk/scripts/postinst
@@ -1,3 +0,0 @@
-#!/bin/sh
-. "`dirname \"$0\"`/installer"
-`basename "$0"` >$SYNOPKG_TEMP_LOGFILE
--- a/spk/scripts/postuninst
+++ b/spk/scripts/postuninst
@@ -1,3 +0,0 @@
-#!/bin/sh
-. "`dirname \"$0\"`/installer"
-`basename "$0"` >$SYNOPKG_TEMP_LOGFILE
--- a/spk/scripts/postupgrade
+++ b/spk/scripts/postupgrade
@@ -1,3 +0,0 @@
-#!/bin/sh
-. "`dirname \"$0\"`/installer"
-`basename "$0"` >$SYNOPKG_TEMP_LOGFILE
--- a/spk/scripts/preinst
+++ b/spk/scripts/preinst
@@ -1,3 +0,0 @@
-#!/bin/sh
-. "`dirname \"$0\"`/installer"
-`basename "$0"` >$SYNOPKG_TEMP_LOGFILE
--- a/spk/scripts/preuninst
+++ b/spk/scripts/preuninst
@@ -1,3 +0,0 @@
-#!/bin/sh
-. "`dirname \"$0\"`/installer"
-`basename "$0"` >$SYNOPKG_TEMP_LOGFILE
--- a/spk/scripts/preupgrade
+++ b/spk/scripts/preupgrade
@@ -1,3 +0,0 @@
-#!/bin/sh
-. "`dirname \"$0\"`/installer"
-`basename "$0"` >$SYNOPKG_TEMP_LOGFILE
--- a/spk/scripts/start-stop-status
+++ b/spk/scripts/start-stop-status
@@ -1,158 +0,0 @@
-#!/bin/sh
-
-
-sError="ERROR: "
-[ ! -z "$SYNOPKG_PKGNAME" ] && sError="<br />${sError}"
-TIMEOUT=120
-PACKAGE_NAME="RustDesk Server"
-PACKAGE_BASE="/var/packages/${PACKAGE_NAME}/target"
-HBBR_BIN="${PACKAGE_BASE}/bin/hbbr"
-HBBR_PORT=`synogetkeyvalue "${PACKAGE_BASE}/config/hbbr.conf" port`
-HBBR_LOG="/var/log/hbbr.log"
-HBBS_BIN="${PACKAGE_BASE}/bin/hbbs"
-HBBS_PORT=`synogetkeyvalue "${PACKAGE_BASE}/config/hbbs.conf" port`
-KEY=`synogetkeyvalue "${PACKAGE_BASE}/config/hbbs.conf" key`
-EMAIL=`synogetkeyvalue "${PACKAGE_BASE}/config/hbbs.conf" email`
-HBBS_LOG="/var/log/hbbs.log"
-PACKAGE_ENABLED="/var/packages/${PACKAGE_NAME}/enabled"
-PS_CMD="/bin/ps -w"
-DSM_MAJORVERSION=`synogetkeyvalue /etc.defaults/VERSION majorversion`
-if [[ $DSM_MAJORVERSION -gt 5 ]]; then
-    PS_CMD="$PS_CMD -x"
-fi
-
-CheckIfDaemonAlive() {
-    local PID="$1"
-    PROCESS_ALIVE="0"
-    [ -z "$PID" ] && return 1
-
-    kill -0 "$PID"
-    [ "0" == "$?" ] && PROCESS_ALIVE="1"
-}
-
-running_hbbr() {
-    local PID=$(${PS_CMD} | sed -e 's/^[ \t]*//' | grep -v grep | grep hbbr | grep "${PACKAGE_NAME}" | head -n1 | cut -f1 -d' ')
-    CheckIfDaemonAlive $PID
-    [ "0" == "$PROCESS_ALIVE" ] && return 1
-    return 0
-}
-
-running_hbbs() {
-    local PID=$(${PS_CMD} | sed -e 's/^[ \t]*//' | grep -v grep | grep hbbs | grep "${PACKAGE_NAME}" | head -n1 | cut -f1 -d' ')
-    CheckIfDaemonAlive $PID
-    [ "0" == "$PROCESS_ALIVE" ] && return 1
-    return 0
-}
-
-start() {  
-    [ "$SYNOPKG_TEMP_LOGFILE" == "" ] && SYNOPKG_TEMP_LOGFILE="/var/log/rustdeskserver.start.log"
-    LANG=C cd "$PACKAGE_BASE" && (nohup "$HBBR_BIN" -p $HBBR_PORT -k "$KEY" -m "$EMAIL" > "$HBBR_LOG" 2>&1 &) && (nohup "$HBBS_BIN" -p $HBBS_PORT -k "$KEY" -m "$EMAIL" > "$HBBS_LOG" 2>&1 &)
-
-
-    i=0
-    while true; do
-        if ! running_hbbr || ! running_hbbs ; then
-#           echo "WAIT: ${i}s of ${TIMEOUT}s"
-            sleep 5s
-            i=$((i+5))
-        else
-            break
-        fi
-        [ $i -ge $TIMEOUT ] && break
-    done
-
-    # 检查hbbr进程状态
-    if ! running_hbbr ; then
-        echo -e "${sError}hbbr process not running" | tee -a $SYNOPKG_TEMP_LOGFILE
-        stop
-        return 1
-    fi
-
-    # 检查hbbs进程状态
-    if ! running_hbbs ; then
-        echo -e "${sError}hbbs process not running" | tee -a $SYNOPKG_TEMP_LOGFILE
-        stop
-        return 1
-    fi
-
-    return 0
-}
-
-stop() {
-    [ "$SYNOPKG_TEMP_LOGFILE" == "" ] && SYNOPKG_TEMP_LOGFILE="/var/log/rustdeskserver.stop.log"
-    # 检查hbbr进程状态
-    if running_hbbr ; then
-        local PID=$(${PS_CMD} | sed -e 's/^[ \t]*//' | grep -v grep | grep hbbr | grep "${PACKAGE_NAME}" | head -n1 | cut -f1 -d' ')
-        [ -z "$PID" ] && return 0
-        kill -15 $PID
-        sleep 5s
-
-        # 检查hbbr进程状态
-        if running_hbbr ; then
-            kill -9 $PID
-            sleep 5s
-            if running_hbbr ; then
-                echo "${sError}Failed to kill hbbr process(pid=$PID)!" | tee -a $SYNOPKG_TEMP_LOGFILE
-                return 1
-            fi
-        fi
-    fi
-
-    # 检查hbbs进程状态
-    if running_hbbs ; then
-        local PID=$(${PS_CMD} | sed -e 's/^[ \t]*//' | grep -v grep | grep hbbs | grep "${PACKAGE_NAME}" | head -n1 | cut -f1 -d' ')
-        [ -z "$PID" ] && return 0
-        kill -15 $PID
-        sleep 5s
-
-        # 检查hbbs进程状态
-        if running_hbbs ; then
-            kill -9 $PID
-            sleep 5s
-            if running_hbbs ; then
-                echo "${sError}无法关闭hbbs进程 (pid=$PID)!" | tee -a $SYNOPKG_TEMP_LOGFILE
-                return 1
-            fi
-        fi
-    fi
-
-    return 0
-}
-
-case $1 in
-    start)
-        # 启动服务器
-        start
-        exit $?
-    ;;
-    stop)
-        # 关闭服务器
-        stop
-        exit $?
-    ;;
-    status)
-        # 检查套件开关
-        if [ ! -f "${PACKAGE_ENABLED}" ]; then
-            echo "${sError}package not started" | tee -a $SYNOPKG_TEMP_LOGFILE
-            exit 0
-        fi
-
-        # 检查hbbr进程状态
-        if ! running_hbbr ; then
-            echo "${sError}hbbr process killed" | tee -a $SYNOPKG_TEMP_LOGFILE
-            exit 1
-        fi
-
-        # 检查hbbs进程状态
-        if ! running_hbbs ; then
-            echo "${sError}hbbs process killed" | tee -a $SYNOPKG_TEMP_LOGFILE
-            exit 1
-        fi
-
-        exit 0
-    ;;
-    log)
-        echo "$PACKAGE_BASE/logs/server.log"
-        exit 0
-    ;;
-esac
--- a/src/common.rs
+++ b/src/common.rs
@@ -0,0 +1,218 @@
+use clap::App;
+use hbb_common::{
+    allow_err, anyhow::{Context, Result}, get_version_number, log, tokio, ResultType
+};
+use ini::Ini;
+use sodiumoxide::crypto::sign;
+use std::{
+    io::prelude::*,
+    io::Read,
+    net::SocketAddr,
+    time::{Instant, SystemTime},
+};
+
+#[allow(dead_code)]
+pub(crate) fn get_expired_time() -> Instant {
+    let now = Instant::now();
+    now.checked_sub(std::time::Duration::from_secs(3600))
+        .unwrap_or(now)
+}
+
+#[allow(dead_code)]
+pub(crate) fn test_if_valid_server(host: &str, name: &str) -> ResultType<SocketAddr> {
+    use std::net::ToSocketAddrs;
+    let res = if host.contains(':') {
+        host.to_socket_addrs()?.next().context("")
+    } else {
+        format!("{}:{}", host, 0)
+            .to_socket_addrs()?
+            .next()
+            .context("")
+    };
+    if res.is_err() {
+        log::error!("Invalid {} {}: {:?}", name, host, res);
+    }
+    res
+}
+
+#[allow(dead_code)]
+pub(crate) fn get_servers(s: &str, tag: &str) -> Vec<String> {
+    let servers: Vec<String> = s
+        .split(',')
+        .filter(|x| !x.is_empty() && test_if_valid_server(x, tag).is_ok())
+        .map(|x| x.to_owned())
+        .collect();
+    log::info!("{}={:?}", tag, servers);
+    servers
+}
+
+#[allow(dead_code)]
+#[inline]
+fn arg_name(name: &str) -> String {
+    name.to_uppercase().replace('_', "-")
+}
+
+#[allow(dead_code)]
+pub fn init_args(args: &str, name: &str, about: &str) {
+    let matches = App::new(name)
+        .version(crate::version::VERSION)
+        .author("Purslane Ltd. <info@rustdesk.com>")
+        .about(about)
+        .args_from_usage(args)
+        .get_matches();
+    if let Ok(v) = Ini::load_from_file(".env") {
+        if let Some(section) = v.section(None::<String>) {
+            section
+                .iter()
+                .for_each(|(k, v)| std::env::set_var(arg_name(k), v));
+        }
+    }
+    if let Some(config) = matches.value_of("config") {
+        if let Ok(v) = Ini::load_from_file(config) {
+            if let Some(section) = v.section(None::<String>) {
+                section
+                    .iter()
+                    .for_each(|(k, v)| std::env::set_var(arg_name(k), v));
+            }
+        }
+    }
+    for (k, v) in matches.args {
+        if let Some(v) = v.vals.first() {
+            std::env::set_var(arg_name(k), v.to_string_lossy().to_string());
+        }
+    }
+}
+
+#[allow(dead_code)]
+#[inline]
+pub fn get_arg(name: &str) -> String {
+    get_arg_or(name, "".to_owned())
+}
+
+#[allow(dead_code)]
+#[inline]
+pub fn get_arg_or(name: &str, default: String) -> String {
+    std::env::var(arg_name(name)).unwrap_or(default)
+}
+
+#[allow(dead_code)]
+#[inline]
+pub fn now() -> u64 {
+    SystemTime::now()
+        .duration_since(SystemTime::UNIX_EPOCH)
+        .map(|x| x.as_secs())
+        .unwrap_or_default()
+}
+
+pub fn gen_sk(wait: u64) -> (String, Option<sign::SecretKey>) {
+    let sk_file = "id_ed25519";
+    if wait > 0 && !std::path::Path::new(sk_file).exists() {
+        std::thread::sleep(std::time::Duration::from_millis(wait));
+    }
+    if let Ok(mut file) = std::fs::File::open(sk_file) {
+        let mut contents = String::new();
+        if file.read_to_string(&mut contents).is_ok() {
+            let contents = contents.trim();
+            let sk = base64::decode(contents).unwrap_or_default();
+            if sk.len() == sign::SECRETKEYBYTES {
+                let mut tmp = [0u8; sign::SECRETKEYBYTES];
+                tmp[..].copy_from_slice(&sk);
+                let pk = base64::encode(&tmp[sign::SECRETKEYBYTES / 2..]);
+                log::info!("Private key comes from {}", sk_file);
+                return (pk, Some(sign::SecretKey(tmp)));
+            } else {
+                // don't use log here, since it is async
+                println!("Fatal error: malformed private key in {sk_file}.");
+                std::process::exit(1);
+            }
+        }
+    } else {
+        let gen_func = || {
+            let (tmp, sk) = sign::gen_keypair();
+            (base64::encode(tmp), sk)
+        };
+        let (mut pk, mut sk) = gen_func();
+        for _ in 0..300 {
+            if !pk.contains('/') && !pk.contains(':') {
+                break;
+            }
+            (pk, sk) = gen_func();
+        }
+        let pub_file = format!("{sk_file}.pub");
+        if let Ok(mut f) = std::fs::File::create(&pub_file) {
+            f.write_all(pk.as_bytes()).ok();
+            if let Ok(mut f) = std::fs::File::create(sk_file) {
+                let s = base64::encode(&sk);
+                if f.write_all(s.as_bytes()).is_ok() {
+                    log::info!("Private/public key written to {}/{}", sk_file, pub_file);
+                    log::debug!("Public key: {}", pk);
+                    return (pk, Some(sk));
+                }
+            }
+        }
+    }
+    ("".to_owned(), None)
+}
+
+#[cfg(unix)]
+pub async fn listen_signal() -> Result<()> {
+    use hbb_common::tokio;
+    use hbb_common::tokio::signal::unix::{signal, SignalKind};
+
+    tokio::spawn(async {
+        let mut s = signal(SignalKind::terminate())?;
+        let terminate = s.recv();
+        let mut s = signal(SignalKind::interrupt())?;
+        let interrupt = s.recv();
+        let mut s = signal(SignalKind::quit())?;
+        let quit = s.recv();
+
+        tokio::select! {
+            _ = terminate => {
+                log::info!("signal terminate");
+            }
+            _ = interrupt => {
+                log::info!("signal interrupt");
+            }
+            _ = quit => {
+                log::info!("signal quit");
+            }
+        }
+        Ok(())
+    })
+    .await?
+}
+
+#[cfg(not(unix))]
+pub async fn listen_signal() -> Result<()> {
+    let () = std::future::pending().await;
+    unreachable!();
+}
+
+
+pub fn check_software_update() {
+    const ONE_DAY_IN_SECONDS: u64 = 60 * 60 * 24;
+    std::thread::spawn(move || loop {
+        std::thread::spawn(move || allow_err!(check_software_update_()));
+        std::thread::sleep(std::time::Duration::from_secs(ONE_DAY_IN_SECONDS));
+    });
+}
+
+#[tokio::main(flavor = "current_thread")]
+async fn check_software_update_() -> hbb_common::ResultType<()> {
+    let (request, url) = hbb_common::version_check_request(hbb_common::VER_TYPE_RUSTDESK_SERVER.to_string());
+    let latest_release_response = reqwest::Client::builder().build()?
+        .post(url)
+        .json(&request)
+        .send()
+        .await?;
+
+    let bytes = latest_release_response.bytes().await?;
+    let resp: hbb_common::VersionCheckResponse = serde_json::from_slice(&bytes)?;
+    let response_url = resp.url;
+    let latest_release_version = response_url.rsplit('/').next().unwrap_or_default();
+    if get_version_number(&latest_release_version) > get_version_number(crate::version::VERSION) {
+       log::info!("new version is available: {}", latest_release_version);
+    }
+    Ok(())
+}
--- a/src/database.rs
+++ b/src/database.rs
@@ -0,0 +1,181 @@
+use async_trait::async_trait;
+use hbb_common::{log, ResultType};
+use sqlx::{
+    sqlite::SqliteConnectOptions, ConnectOptions, Connection, Error as SqlxError, SqliteConnection,
+};
+use std::{ops::DerefMut, str::FromStr};
+//use sqlx::postgres::PgPoolOptions;
+//use sqlx::mysql::MySqlPoolOptions;
+
+type Pool = deadpool::managed::Pool<DbPool>;
+
+pub struct DbPool {
+    url: String,
+}
+
+#[async_trait]
+impl deadpool::managed::Manager for DbPool {
+    type Type = SqliteConnection;
+    type Error = SqlxError;
+    async fn create(&self) -> Result<SqliteConnection, SqlxError> {
+        let mut opt = SqliteConnectOptions::from_str(&self.url).unwrap();
+        opt.log_statements(log::LevelFilter::Debug);
+        SqliteConnection::connect_with(&opt).await
+    }
+    async fn recycle(
+        &self,
+        obj: &mut SqliteConnection,
+    ) -> deadpool::managed::RecycleResult<SqlxError> {
+        Ok(obj.ping().await?)
+    }
+}
+
+#[derive(Clone)]
+pub struct Database {
+    pool: Pool,
+}
+
+#[derive(Default)]
+pub struct Peer {
+    pub guid: Vec<u8>,
+    pub id: String,
+    pub uuid: Vec<u8>,
+    pub pk: Vec<u8>,
+    pub user: Option<Vec<u8>>,
+    pub info: String,
+    pub status: Option<i64>,
+}
+
+impl Database {
+    pub async fn new(url: &str) -> ResultType<Database> {
+        if !std::path::Path::new(url).exists() {
+            std::fs::File::create(url).ok();
+        }
+        let n: usize = std::env::var("MAX_DATABASE_CONNECTIONS")
+            .unwrap_or_else(|_| "1".to_owned())
+            .parse()
+            .unwrap_or(1);
+        log::debug!("MAX_DATABASE_CONNECTIONS={}", n);
+        let pool = Pool::new(
+            DbPool {
+                url: url.to_owned(),
+            },
+            n,
+        );
+        let _ = pool.get().await?; // test
+        let db = Database { pool };
+        db.create_tables().await?;
+        Ok(db)
+    }
+
+    async fn create_tables(&self) -> ResultType<()> {
+        sqlx::query!(
+            "
+            create table if not exists peer (
+                guid blob primary key not null,
+                id varchar(100) not null,
+                uuid blob not null,
+                pk blob not null,
+                created_at datetime not null default(current_timestamp),
+                user blob,
+                status tinyint,
+                note varchar(300),
+                info text not null
+            ) without rowid;
+            create unique index if not exists index_peer_id on peer (id);
+            create index if not exists index_peer_user on peer (user);
+            create index if not exists index_peer_created_at on peer (created_at);
+            create index if not exists index_peer_status on peer (status);
+        "
+        )
+        .execute(self.pool.get().await?.deref_mut())
+        .await?;
+        Ok(())
+    }
+
+    pub async fn get_peer(&self, id: &str) -> ResultType<Option<Peer>> {
+        Ok(sqlx::query_as!(
+            Peer,
+            "select guid, id, uuid, pk, user, status, info from peer where id = ?",
+            id
+        )
+        .fetch_optional(self.pool.get().await?.deref_mut())
+        .await?)
+    }
+
+    pub async fn insert_peer(
+        &self,
+        id: &str,
+        uuid: &[u8],
+        pk: &[u8],
+        info: &str,
+    ) -> ResultType<Vec<u8>> {
+        let guid = uuid::Uuid::new_v4().as_bytes().to_vec();
+        sqlx::query!(
+            "insert into peer(guid, id, uuid, pk, info) values(?, ?, ?, ?, ?)",
+            guid,
+            id,
+            uuid,
+            pk,
+            info
+        )
+        .execute(self.pool.get().await?.deref_mut())
+        .await?;
+        Ok(guid)
+    }
+
+    pub async fn update_pk(
+        &self,
+        guid: &Vec<u8>,
+        id: &str,
+        pk: &[u8],
+        info: &str,
+    ) -> ResultType<()> {
+        sqlx::query!(
+            "update peer set id=?, pk=?, info=? where guid=?",
+            id,
+            pk,
+            info,
+            guid
+        )
+        .execute(self.pool.get().await?.deref_mut())
+        .await?;
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use hbb_common::tokio;
+    #[test]
+    fn test_insert() {
+        insert();
+    }
+
+    #[tokio::main(flavor = "multi_thread")]
+    async fn insert() {
+        let db = super::Database::new("test.sqlite3").await.unwrap();
+        let mut jobs = vec![];
+        for i in 0..10000 {
+            let cloned = db.clone();
+            let id = i.to_string();
+            let a = tokio::spawn(async move {
+                let empty_vec = Vec::new();
+                cloned
+                    .insert_peer(&id, &empty_vec, &empty_vec, "")
+                    .await
+                    .unwrap();
+            });
+            jobs.push(a);
+        }
+        for i in 0..10000 {
+            let cloned = db.clone();
+            let id = i.to_string();
+            let a = tokio::spawn(async move {
+                cloned.get_peer(&id).await.unwrap();
+            });
+            jobs.push(a);
+        }
+        hbb_common::futures::future::join_all(jobs).await;
+    }
+}
--- a/src/hbbr.rs
+++ b/src/hbbr.rs
@@ -1,34 +1,45 @@
 use clap::App;
+mod common;
 mod relay_server;
-use hbb_common::{env_logger::*, ResultType};
+use flexi_logger::*;
+use hbb_common::{config::RELAY_PORT, ResultType};
 use relay_server::*;
-use std::sync::{Arc, Mutex};
-mod lic;
+mod version;

 fn main() -> ResultType<()> {
-    init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info"));
+    let _logger = Logger::try_with_env_or_str("info")?
+        .log_to_stdout()
+        .format(opt_format)
+        .write_mode(WriteMode::Async)
+        .start()?;
    let args = format!(
-        "-p, --port=[NUMBER(default={})] 'Sets the listening port'
+        "-p, --port=[NUMBER(default={RELAY_PORT})] 'Sets the listening port'
        -k, --key=[KEY] 'Only allow the client with the same key'
-        {}
        ",
-        DEFAULT_PORT,
-        lic::EMAIL_ARG
    );
    let matches = App::new("hbbr")
-        .version(hbbs::VERSION)
-        .author("CarrieZ Studio<info@rustdesk.com>")
+        .version(version::VERSION)
+        .author("Purslane Ltd. <info@rustdesk.com>")
        .about("RustDesk Relay Server")
        .args_from_usage(&args)
        .get_matches();
-    if !lic::check_lic(matches.value_of("email").unwrap_or(""), hbbs::VERSION) {
-        return Ok(());
+    if let Ok(v) = ini::Ini::load_from_file(".env") {
+        if let Some(section) = v.section(None::<String>) {
+            section.iter().for_each(|(k, v)| std::env::set_var(k, v));
+        }
+    }
+    let mut port = RELAY_PORT;
+    if let Ok(v) = std::env::var("PORT") {
+        let v: i32 = v.parse().unwrap_or_default();
+        if v > 0 {
+            port = v + 1;
+        }
    }
-    let stop: Arc<Mutex<bool>> = Default::default();
    start(
-        matches.value_of("port").unwrap_or(DEFAULT_PORT),
-        matches.value_of("key").unwrap_or(""),
-        stop,
+        matches.value_of("port").unwrap_or(&port.to_string()),
+        matches
+            .value_of("key")
+            .unwrap_or(&std::env::var("KEY").unwrap_or_default()),
    )?;
    Ok(())
 }
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,6 +1,6 @@
 mod rendezvous_server;
-mod sled_async;
 pub use rendezvous_server::*;
-use sled_async::*;
+pub mod common;
+mod database;
+mod peer;
 mod version;
-pub use version::*;
--- a/src/lic.rs
+++ b/src/lic.rs
@@ -1,170 +0,0 @@
-use hbb_common::{bail, log, ResultType, rand::{self, Rng}};
-use serde_derive::{Deserialize, Serialize};
-use std::io::prelude::*;
-use std::path::Path;
-
-#[derive(Debug, PartialEq, Default, Serialize, Deserialize, Clone)]
-pub struct Machine {
-    #[serde(default)]
-    hostname: String,
-    #[serde(default)]
-    uid: String,
-    #[serde(default)]
-    mac: String,
-}
-
-#[derive(Debug, PartialEq, Default, Serialize, Deserialize, Clone)]
-pub struct Post {
-    #[serde(default)]
-    machine: String,
-    #[serde(default)]
-    email: String,
-    #[serde(default)]
-    status: String,
-    #[serde(default)]
-    version: String,
-    #[serde(default)]
-    next_check_time: u64,
-    #[serde(default)]
-    nonce: String,
-    #[serde(default)]
-    tip: String,
-}
-
-const LICENSE_FILE: &'static str = ".license.txt";
-
-pub fn check_lic(email: &str, version: &str) -> bool {
-    if email.is_empty() {
-        log::error!("Registered email required (-m option). Please pay and register on https://rustdesk.com/server.");
-        return false;
-    }
-
-    let is_docker = std::path::Path::new("/.dockerenv").exists();
-    let machine = if is_docker { "".to_owned() } else { get_lic() };
-    if !is_docker {
-        let path = Path::new(LICENSE_FILE);
-        if Path::is_file(&path) {
-            let contents = std::fs::read_to_string(&path).unwrap_or("".to_owned());
-            if verify(&contents, &machine) {
-                async_check_email(&machine, email, version, 0);
-                return true;
-            }
-        }
-    }
-
-    match check_email(machine.clone(), email.to_owned(), version.to_owned()) {
-        Ok(v) => {
-            async_check_email(&machine, email, version, v);
-            return true;
-        }
-        Err(err) => {
-            log::error!("{}", err);
-            return false;
-        }
-    }
-}
-
-fn async_check_email(machine: &str, email: &str, version: &str, wait: u64) {
-    let machine = machine.to_owned();
-    let email = email.to_owned();
-    let version = version.to_owned();
-    std::thread::spawn(move || {
-        let mut wait = wait;
-        loop {
-            let machine = machine.clone();
-            let email = email.clone();
-            let version = version.clone();
-            std::thread::sleep(std::time::Duration::from_secs(wait));
-            match check_email(machine, email, version) {
-                Ok(v) => {
-                    wait = v;
-                }
-                Err(err) => {
-                    log::error!("{}", err);
-                    std::process::exit(-1);
-                }
-            }
-        }
-    });
-}
-
-fn write_lic(lic: &str) {
-    if let Ok(mut f) = std::fs::File::create(LICENSE_FILE) {
-        f.write_all(lic.as_bytes()).ok();
-        f.sync_all().ok();
-    }
-}
-
-fn check_email(machine: String, email: String, version: String) -> ResultType<u64> {
-    log::info!("Checking email with the license server ...");
-    let mut rng = rand::thread_rng();
-    let nonce: usize = rng.gen();
-    let nonce = nonce.to_string();
-    let resp = minreq::post("http://rustdesk.com/api/check-email")
-        .with_body(
-            serde_json::to_string(&Post {
-                machine: machine.clone(),
-                version,
-                email,
-                nonce: nonce.clone(),
-                ..Default::default()
-            })
-            .unwrap(),
-        )
-        .send()?;
-    if resp.reason_phrase == "OK" {
-        let p: Post = serde_json::from_str(&resp.as_str()?)?;
-        if !p.status.is_empty() {
-            std::fs::remove_file(LICENSE_FILE).ok();
-            bail!("{}", p.status);
-        }
-        if p.nonce.is_empty() {
-            bail!("Verification failure: nonce required");
-        }
-        if !verify(&p.nonce, &nonce) {
-            bail!("Verification failure: nonce mismatch");
-        }
-        if !machine.is_empty() {
-            if !verify(&p.machine, &machine) {
-                bail!("Verification failure");
-            }
-            write_lic(&p.machine);
-        }
-        log::info!("License OK");
-        if !p.tip.is_empty() {
-            log::info!("{}", p.tip);
-        }
-        let mut wait = p.next_check_time;
-        if wait == 0 {
-            wait = 3600 * 24 * 30;
-        }
-
-        Ok(wait)
-    } else {
-        bail!("Server error: {}", resp.reason_phrase);
-    }
-}
-
-fn get_lic() -> String {
-    let hostname = whoami::hostname();
-    let uid = machine_uid::get().unwrap_or("".to_owned());
-    let mac = if let Ok(Some(ma)) = mac_address::get_mac_address() {
-        base64::encode(ma.bytes())
-    } else {
-        "".to_owned()
-    };
-    serde_json::to_string(&Machine { hostname, uid, mac }).unwrap()
-}
-
-fn verify(enc_str: &str, msg: &str) -> bool {
-    if let Ok(data) = base64::decode(enc_str) {
-        let key =
-            b"\xf1T\xc0\x1c\xffee\x86,S*\xd9.\x91\xcd\x85\x12:\xec\xa9 \x99:\x8a\xa2S\x1f Yy\x93R";
-        cryptoxide::ed25519::verify(msg.as_bytes(), &key[..], &data)
-    } else {
-        false
-    }
-}
-
-pub const EMAIL_ARG: &'static str =
-    "-m, --email=[EMAIL] 'Sets your email address registered with RustDesk'";
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,83 +1,37 @@
 // https://tools.ietf.org/rfc/rfc5128.txt
 // https://blog.csdn.net/bytxl/article/details/44344855

-use clap::App;
-use hbb_common::{env_logger::*, log, ResultType};
-use hbbs::*;
-mod lic;
-use ini::Ini;
-use std::sync::{Arc, Mutex};
+use flexi_logger::*;
+use hbb_common::{bail, config::RENDEZVOUS_PORT, ResultType};
+use hbbs::{common::*, *};
+
+const RMEM: usize = 0;

 fn main() -> ResultType<()> {
-    init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info"));
+    let _logger = Logger::try_with_env_or_str("info")?
+        .log_to_stdout()
+        .format(opt_format)
+        .write_mode(WriteMode::Async)
+        .start()?;
    let args = format!(
        "-c --config=[FILE] +takes_value 'Sets a custom config file'
-        -p, --port=[NUMBER(default={})] 'Sets the listening port'
+        -p, --port=[NUMBER(default={RENDEZVOUS_PORT})] 'Sets the listening port'
        -s, --serial=[NUMBER(default=0)] 'Sets configure update serial number'
-        -R, --rendezvous-servers=[HOSTS] 'Sets rendezvous servers, seperated by colon'
+        -R, --rendezvous-servers=[HOSTS] 'Sets rendezvous servers, separated by comma'
        -u, --software-url=[URL] 'Sets download url of RustDesk software of newest version'
-        -r, --relay-servers=[HOST] 'Sets the default relay servers, seperated by colon'
-        -C, --change-id=[BOOL(default=Y)] 'Sets if support to change id'
-        {}
+        -r, --relay-servers=[HOST] 'Sets the default relay servers, separated by comma'
+        -M, --rmem=[NUMBER(default={RMEM})] 'Sets UDP recv buffer size, set system rmem_max first, e.g., sudo sysctl -w net.core.rmem_max=52428800. vi /etc/sysctl.conf, net.core.rmem_max=52428800, sudo sysctl –p'
+        , --mask=[MASK] 'Determine if the connection comes from LAN, e.g. 192.168.0.0/16'
        -k, --key=[KEY] 'Only allow the client with the same key'",
-        DEFAULT_PORT,
-        lic::EMAIL_ARG
    );
-    let matches = App::new("hbbs")
-        .version(crate::VERSION)
-        .author("CarrieZ Studio<info@rustdesk.com>")
-        .about("RustDesk ID/Rendezvous Server")
-        .args_from_usage(&args)
-        .get_matches();
-    let mut section = None;
-    let conf; // for holding section
-    if let Some(config) = matches.value_of("config") {
-        if let Ok(v) = Ini::load_from_file(config) {
-            conf = v;
-            section = conf.section(None::<String>);
-        }
+    init_args(&args, "hbbs", "RustDesk ID/Rendezvous Server");
+    let port = get_arg_or("port", RENDEZVOUS_PORT.to_string()).parse::<i32>()?;
+    if port < 3 {
+        bail!("Invalid port");
    }
-    let get_arg = |name: &str, default: &str| -> String {
-        if let Some(v) = matches.value_of(name) {
-            return v.to_owned();
-        } else if let Some(section) = section {
-            if let Some(v) = section.get(name) {
-                return v.to_owned();
-            }
-        }
-        return default.to_owned();
-    };
-    if !lic::check_lic(&get_arg("email", ""), crate::VERSION) {
-        return Ok(());
-    }
-    let port = get_arg("port", DEFAULT_PORT);
-    let relay_servers: Vec<String> = get_arg("relay-servers", "")
-        .split(",")
-        .filter(|x| !x.is_empty() && test_if_valid_server(x, "relay-server").is_ok())
-        .map(|x| x.to_owned())
-        .collect();
-    let serial: i32 = get_arg("serial", "").parse().unwrap_or(0);
-    let id_change_support: bool = get_arg("change-id", "Y").to_uppercase() == "Y";
-    let rendezvous_servers: Vec<String> = get_arg("rendezvous-servers", "")
-        .split(",")
-        .filter(|x| !x.is_empty() && test_if_valid_server(x, "rendezvous-server").is_ok())
-        .map(|x| x.to_owned())
-        .collect();
-    let addr = format!("0.0.0.0:{}", port);
-    let addr2 = format!("0.0.0.0:{}", port.parse::<i32>().unwrap_or(0) - 1);
-    log::info!("serial={}", serial);
-    log::info!("rendezvous-servers={:?}", rendezvous_servers);
-    let stop: Arc<Mutex<bool>> = Default::default();
-    RendezvousServer::start(
-        &addr,
-        &addr2,
-        relay_servers,
-        serial,
-        rendezvous_servers,
-        get_arg("software-url", ""),
-        &get_arg("key", ""),
-        stop,
-        id_change_support,
-    )?;
+    let rmem = get_arg("rmem").parse::<usize>().unwrap_or(RMEM);
+    let serial: i32 = get_arg("serial").parse().unwrap_or(0);
+    crate::common::check_software_update();
+    RendezvousServer::start(port, serial, &get_arg_or("key", "-".to_owned()), rmem)?;
    Ok(())
 }
--- a/src/peer.rs
+++ b/src/peer.rs
@@ -0,0 +1,180 @@
+use crate::common::*;
+use crate::database;
+use hbb_common::{
+    bytes::Bytes,
+    log,
+    rendezvous_proto::*,
+    tokio::sync::{Mutex, RwLock},
+    ResultType,
+};
+use serde_derive::{Deserialize, Serialize};
+use std::{collections::HashMap, collections::HashSet, net::SocketAddr, sync::Arc, time::Instant};
+
+type IpBlockMap = HashMap<String, ((u32, Instant), (HashSet<String>, Instant))>;
+type UserStatusMap = HashMap<Vec<u8>, Arc<(Option<Vec<u8>>, bool)>>;
+type IpChangesMap = HashMap<String, (Instant, HashMap<String, i32>)>;
+lazy_static::lazy_static! {
+    pub(crate) static ref IP_BLOCKER: Mutex<IpBlockMap> = Default::default();
+    pub(crate) static ref USER_STATUS: RwLock<UserStatusMap> = Default::default();
+    pub(crate) static ref IP_CHANGES: Mutex<IpChangesMap> = Default::default();
+}
+pub const IP_CHANGE_DUR: u64 = 180;
+pub const IP_CHANGE_DUR_X2: u64 = IP_CHANGE_DUR * 2;
+pub const DAY_SECONDS: u64 = 3600 * 24;
+pub const IP_BLOCK_DUR: u64 = 60;
+
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub(crate) struct PeerInfo {
+    #[serde(default)]
+    pub(crate) ip: String,
+}
+
+pub(crate) struct Peer {
+    pub(crate) socket_addr: SocketAddr,
+    pub(crate) last_reg_time: Instant,
+    pub(crate) guid: Vec<u8>,
+    pub(crate) uuid: Bytes,
+    pub(crate) pk: Bytes,
+    // pub(crate) user: Option<Vec<u8>>,
+    pub(crate) info: PeerInfo,
+    // pub(crate) disabled: bool,
+    pub(crate) reg_pk: (u32, Instant), // how often register_pk
+}
+
+impl Default for Peer {
+    fn default() -> Self {
+        Self {
+            socket_addr: "0.0.0.0:0".parse().unwrap(),
+            last_reg_time: get_expired_time(),
+            guid: Vec::new(),
+            uuid: Bytes::new(),
+            pk: Bytes::new(),
+            info: Default::default(),
+            // user: None,
+            // disabled: false,
+            reg_pk: (0, get_expired_time()),
+        }
+    }
+}
+
+pub(crate) type LockPeer = Arc<RwLock<Peer>>;
+
+#[derive(Clone)]
+pub(crate) struct PeerMap {
+    map: Arc<RwLock<HashMap<String, LockPeer>>>,
+    pub(crate) db: database::Database,
+}
+
+impl PeerMap {
+    pub(crate) async fn new() -> ResultType<Self> {
+        let db = std::env::var("DB_URL").unwrap_or({
+            let mut db = "db_v2.sqlite3".to_owned();
+            #[cfg(all(windows, not(debug_assertions)))]
+            {
+                if let Some(path) = hbb_common::config::Config::icon_path().parent() {
+                    db = format!("{}\\{}", path.to_str().unwrap_or("."), db);
+                }
+            }
+            #[cfg(not(windows))]
+            {
+                db = format!("./{db}");
+            }
+            db
+        });
+        log::info!("DB_URL={}", db);
+        let pm = Self {
+            map: Default::default(),
+            db: database::Database::new(&db).await?,
+        };
+        Ok(pm)
+    }
+
+    #[inline]
+    pub(crate) async fn update_pk(
+        &mut self,
+        id: String,
+        peer: LockPeer,
+        addr: SocketAddr,
+        uuid: Bytes,
+        pk: Bytes,
+        ip: String,
+    ) -> register_pk_response::Result {
+        log::info!("update_pk {} {:?} {:?} {:?}", id, addr, uuid, pk);
+        let (info_str, guid) = {
+            let mut w = peer.write().await;
+            w.socket_addr = addr;
+            w.uuid = uuid.clone();
+            w.pk = pk.clone();
+            w.last_reg_time = Instant::now();
+            w.info.ip = ip;
+            (
+                serde_json::to_string(&w.info).unwrap_or_default(),
+                w.guid.clone(),
+            )
+        };
+        if guid.is_empty() {
+            match self.db.insert_peer(&id, &uuid, &pk, &info_str).await {
+                Err(err) => {
+                    log::error!("db.insert_peer failed: {}", err);
+                    return register_pk_response::Result::SERVER_ERROR;
+                }
+                Ok(guid) => {
+                    peer.write().await.guid = guid;
+                }
+            }
+        } else {
+            if let Err(err) = self.db.update_pk(&guid, &id, &pk, &info_str).await {
+                log::error!("db.update_pk failed: {}", err);
+                return register_pk_response::Result::SERVER_ERROR;
+            }
+            log::info!("pk updated instead of insert");
+        }
+        register_pk_response::Result::OK
+    }
+
+    #[inline]
+    pub(crate) async fn get(&self, id: &str) -> Option<LockPeer> {
+        let p = self.map.read().await.get(id).cloned();
+        if p.is_some() {
+            return p;
+        } else if let Ok(Some(v)) = self.db.get_peer(id).await {
+            let peer = Peer {
+                guid: v.guid,
+                uuid: v.uuid.into(),
+                pk: v.pk.into(),
+                // user: v.user,
+                info: serde_json::from_str::<PeerInfo>(&v.info).unwrap_or_default(),
+                // disabled: v.status == Some(0),
+                ..Default::default()
+            };
+            let peer = Arc::new(RwLock::new(peer));
+            self.map.write().await.insert(id.to_owned(), peer.clone());
+            return Some(peer);
+        }
+        None
+    }
+
+    #[inline]
+    pub(crate) async fn get_or(&self, id: &str) -> LockPeer {
+        if let Some(p) = self.get(id).await {
+            return p;
+        }
+        let mut w = self.map.write().await;
+        if let Some(p) = w.get(id) {
+            return p.clone();
+        }
+        let tmp = LockPeer::default();
+        w.insert(id.to_owned(), tmp.clone());
+        tmp
+    }
+
+    #[inline]
+    pub(crate) async fn get_in_memory(&self, id: &str) -> Option<LockPeer> {
+        self.map.read().await.get(id).cloned()
+    }
+
+    #[inline]
+    pub(crate) async fn is_in_memory(&self, id: &str) -> bool {
+        self.map.read().await.contains_key(id)
+    }
+}
--- a/src/protos/message.rs
+++ b/src/protos/message.rs
@@ -1,930 +0,0 @@
-// This file is generated by rust-protobuf 2.10.2. Do not edit
-// @generated
-
-// https://github.com/rust-lang/rust-clippy/issues/702
-#![allow(unknown_lints)]
-#![allow(clippy::all)]
-
-#![cfg_attr(rustfmt, rustfmt_skip)]
-
-#![allow(box_pointers)]
-#![allow(dead_code)]
-#![allow(missing_docs)]
-#![allow(non_camel_case_types)]
-#![allow(non_snake_case)]
-#![allow(non_upper_case_globals)]
-#![allow(trivial_casts)]
-#![allow(unsafe_code)]
-#![allow(unused_imports)]
-#![allow(unused_results)]
-//! Generated file from `message.proto`
-
-use protobuf::Message as Message_imported_for_functions;
-use protobuf::ProtobufEnum as ProtobufEnum_imported_for_functions;
-
-/// Generated files are compatible only with the same version
-/// of protobuf runtime.
-// const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_2_10_2;
-
-#[derive(PartialEq,Clone,Default)]
-pub struct RegisterPeer {
-    // message fields
-    pub hbb_addr: ::std::string::String,
-    // special fields
-    pub unknown_fields: ::protobuf::UnknownFields,
-    pub cached_size: ::protobuf::CachedSize,
-}
-
-impl<'a> ::std::default::Default for &'a RegisterPeer {
-    fn default() -> &'a RegisterPeer {
-        <RegisterPeer as ::protobuf::Message>::default_instance()
-    }
-}
-
-impl RegisterPeer {
-    pub fn new() -> RegisterPeer {
-        ::std::default::Default::default()
-    }
-
-    // string hbb_addr = 1;
-
-
-    pub fn get_hbb_addr(&self) -> &str {
-        &self.hbb_addr
-    }
-    pub fn clear_hbb_addr(&mut self) {
-        self.hbb_addr.clear();
-    }
-
-    // Param is passed by value, moved
-    pub fn set_hbb_addr(&mut self, v: ::std::string::String) {
-        self.hbb_addr = v;
-    }
-
-    // Mutable pointer to the field.
-    // If field is not initialized, it is initialized with default value first.
-    pub fn mut_hbb_addr(&mut self) -> &mut ::std::string::String {
-        &mut self.hbb_addr
-    }
-
-    // Take field
-    pub fn take_hbb_addr(&mut self) -> ::std::string::String {
-        ::std::mem::replace(&mut self.hbb_addr, ::std::string::String::new())
-    }
-}
-
-impl ::protobuf::Message for RegisterPeer {
-    fn is_initialized(&self) -> bool {
-        true
-    }
-
-    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        while !is.eof()? {
-            let (field_number, wire_type) = is.read_tag_unpack()?;
-            match field_number {
-                1 => {
-                    ::protobuf::rt::read_singular_proto3_string_into(wire_type, is, &mut self.hbb_addr)?;
-                },
-                _ => {
-                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
-                },
-            };
-        }
-        ::std::result::Result::Ok(())
-    }
-
-    // Compute sizes of nested messages
-    #[allow(unused_variables)]
-    fn compute_size(&self) -> u32 {
-        let mut my_size = 0;
-        if !self.hbb_addr.is_empty() {
-            my_size += ::protobuf::rt::string_size(1, &self.hbb_addr);
-        }
-        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
-        self.cached_size.set(my_size);
-        my_size
-    }
-
-    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        if !self.hbb_addr.is_empty() {
-            os.write_string(1, &self.hbb_addr)?;
-        }
-        os.write_unknown_fields(self.get_unknown_fields())?;
-        ::std::result::Result::Ok(())
-    }
-
-    fn get_cached_size(&self) -> u32 {
-        self.cached_size.get()
-    }
-
-    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
-        &self.unknown_fields
-    }
-
-    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
-        &mut self.unknown_fields
-    }
-
-    fn as_any(&self) -> &dyn (::std::any::Any) {
-        self as &dyn (::std::any::Any)
-    }
-    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
-        self as &mut dyn (::std::any::Any)
-    }
-    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
-        self
-    }
-
-    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
-        Self::descriptor_static()
-    }
-
-    fn new() -> RegisterPeer {
-        RegisterPeer::new()
-    }
-
-    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
-        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
-        };
-        unsafe {
-            descriptor.get(|| {
-                let mut fields = ::std::vec::Vec::new();
-                fields.push(::protobuf::reflect::accessor::make_simple_field_accessor::<_, ::protobuf::types::ProtobufTypeString>(
-                    "hbb_addr",
-                    |m: &RegisterPeer| { &m.hbb_addr },
-                    |m: &mut RegisterPeer| { &mut m.hbb_addr },
-                ));
-                ::protobuf::reflect::MessageDescriptor::new::<RegisterPeer>(
-                    "RegisterPeer",
-                    fields,
-                    file_descriptor_proto()
-                )
-            })
-        }
-    }
-
-    fn default_instance() -> &'static RegisterPeer {
-        static mut instance: ::protobuf::lazy::Lazy<RegisterPeer> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const RegisterPeer,
-        };
-        unsafe {
-            instance.get(RegisterPeer::new)
-        }
-    }
-}
-
-impl ::protobuf::Clear for RegisterPeer {
-    fn clear(&mut self) {
-        self.hbb_addr.clear();
-        self.unknown_fields.clear();
-    }
-}
-
-impl ::std::fmt::Debug for RegisterPeer {
-    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
-        ::protobuf::text_format::fmt(self, f)
-    }
-}
-
-impl ::protobuf::reflect::ProtobufValue for RegisterPeer {
-    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
-        ::protobuf::reflect::ProtobufValueRef::Message(self)
-    }
-}
-
-#[derive(PartialEq,Clone,Default)]
-pub struct PeekPeer {
-    // message fields
-    pub hbb_addr: ::std::string::String,
-    // special fields
-    pub unknown_fields: ::protobuf::UnknownFields,
-    pub cached_size: ::protobuf::CachedSize,
-}
-
-impl<'a> ::std::default::Default for &'a PeekPeer {
-    fn default() -> &'a PeekPeer {
-        <PeekPeer as ::protobuf::Message>::default_instance()
-    }
-}
-
-impl PeekPeer {
-    pub fn new() -> PeekPeer {
-        ::std::default::Default::default()
-    }
-
-    // string hbb_addr = 1;
-
-
-    pub fn get_hbb_addr(&self) -> &str {
-        &self.hbb_addr
-    }
-    pub fn clear_hbb_addr(&mut self) {
-        self.hbb_addr.clear();
-    }
-
-    // Param is passed by value, moved
-    pub fn set_hbb_addr(&mut self, v: ::std::string::String) {
-        self.hbb_addr = v;
-    }
-
-    // Mutable pointer to the field.
-    // If field is not initialized, it is initialized with default value first.
-    pub fn mut_hbb_addr(&mut self) -> &mut ::std::string::String {
-        &mut self.hbb_addr
-    }
-
-    // Take field
-    pub fn take_hbb_addr(&mut self) -> ::std::string::String {
-        ::std::mem::replace(&mut self.hbb_addr, ::std::string::String::new())
-    }
-}
-
-impl ::protobuf::Message for PeekPeer {
-    fn is_initialized(&self) -> bool {
-        true
-    }
-
-    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        while !is.eof()? {
-            let (field_number, wire_type) = is.read_tag_unpack()?;
-            match field_number {
-                1 => {
-                    ::protobuf::rt::read_singular_proto3_string_into(wire_type, is, &mut self.hbb_addr)?;
-                },
-                _ => {
-                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
-                },
-            };
-        }
-        ::std::result::Result::Ok(())
-    }
-
-    // Compute sizes of nested messages
-    #[allow(unused_variables)]
-    fn compute_size(&self) -> u32 {
-        let mut my_size = 0;
-        if !self.hbb_addr.is_empty() {
-            my_size += ::protobuf::rt::string_size(1, &self.hbb_addr);
-        }
-        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
-        self.cached_size.set(my_size);
-        my_size
-    }
-
-    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        if !self.hbb_addr.is_empty() {
-            os.write_string(1, &self.hbb_addr)?;
-        }
-        os.write_unknown_fields(self.get_unknown_fields())?;
-        ::std::result::Result::Ok(())
-    }
-
-    fn get_cached_size(&self) -> u32 {
-        self.cached_size.get()
-    }
-
-    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
-        &self.unknown_fields
-    }
-
-    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
-        &mut self.unknown_fields
-    }
-
-    fn as_any(&self) -> &dyn (::std::any::Any) {
-        self as &dyn (::std::any::Any)
-    }
-    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
-        self as &mut dyn (::std::any::Any)
-    }
-    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
-        self
-    }
-
-    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
-        Self::descriptor_static()
-    }
-
-    fn new() -> PeekPeer {
-        PeekPeer::new()
-    }
-
-    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
-        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
-        };
-        unsafe {
-            descriptor.get(|| {
-                let mut fields = ::std::vec::Vec::new();
-                fields.push(::protobuf::reflect::accessor::make_simple_field_accessor::<_, ::protobuf::types::ProtobufTypeString>(
-                    "hbb_addr",
-                    |m: &PeekPeer| { &m.hbb_addr },
-                    |m: &mut PeekPeer| { &mut m.hbb_addr },
-                ));
-                ::protobuf::reflect::MessageDescriptor::new::<PeekPeer>(
-                    "PeekPeer",
-                    fields,
-                    file_descriptor_proto()
-                )
-            })
-        }
-    }
-
-    fn default_instance() -> &'static PeekPeer {
-        static mut instance: ::protobuf::lazy::Lazy<PeekPeer> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const PeekPeer,
-        };
-        unsafe {
-            instance.get(PeekPeer::new)
-        }
-    }
-}
-
-impl ::protobuf::Clear for PeekPeer {
-    fn clear(&mut self) {
-        self.hbb_addr.clear();
-        self.unknown_fields.clear();
-    }
-}
-
-impl ::std::fmt::Debug for PeekPeer {
-    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
-        ::protobuf::text_format::fmt(self, f)
-    }
-}
-
-impl ::protobuf::reflect::ProtobufValue for PeekPeer {
-    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
-        ::protobuf::reflect::ProtobufValueRef::Message(self)
-    }
-}
-
-#[derive(PartialEq,Clone,Default)]
-pub struct PeekPeerResponse {
-    // message fields
-    pub socket_addr: ::std::vec::Vec<u8>,
-    // special fields
-    pub unknown_fields: ::protobuf::UnknownFields,
-    pub cached_size: ::protobuf::CachedSize,
-}
-
-impl<'a> ::std::default::Default for &'a PeekPeerResponse {
-    fn default() -> &'a PeekPeerResponse {
-        <PeekPeerResponse as ::protobuf::Message>::default_instance()
-    }
-}
-
-impl PeekPeerResponse {
-    pub fn new() -> PeekPeerResponse {
-        ::std::default::Default::default()
-    }
-
-    // bytes socket_addr = 1;
-
-
-    pub fn get_socket_addr(&self) -> &[u8] {
-        &self.socket_addr
-    }
-    pub fn clear_socket_addr(&mut self) {
-        self.socket_addr.clear();
-    }
-
-    // Param is passed by value, moved
-    pub fn set_socket_addr(&mut self, v: ::std::vec::Vec<u8>) {
-        self.socket_addr = v;
-    }
-
-    // Mutable pointer to the field.
-    // If field is not initialized, it is initialized with default value first.
-    pub fn mut_socket_addr(&mut self) -> &mut ::std::vec::Vec<u8> {
-        &mut self.socket_addr
-    }
-
-    // Take field
-    pub fn take_socket_addr(&mut self) -> ::std::vec::Vec<u8> {
-        ::std::mem::replace(&mut self.socket_addr, ::std::vec::Vec::new())
-    }
-}
-
-impl ::protobuf::Message for PeekPeerResponse {
-    fn is_initialized(&self) -> bool {
-        true
-    }
-
-    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        while !is.eof()? {
-            let (field_number, wire_type) = is.read_tag_unpack()?;
-            match field_number {
-                1 => {
-                    ::protobuf::rt::read_singular_proto3_bytes_into(wire_type, is, &mut self.socket_addr)?;
-                },
-                _ => {
-                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
-                },
-            };
-        }
-        ::std::result::Result::Ok(())
-    }
-
-    // Compute sizes of nested messages
-    #[allow(unused_variables)]
-    fn compute_size(&self) -> u32 {
-        let mut my_size = 0;
-        if !self.socket_addr.is_empty() {
-            my_size += ::protobuf::rt::bytes_size(1, &self.socket_addr);
-        }
-        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
-        self.cached_size.set(my_size);
-        my_size
-    }
-
-    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        if !self.socket_addr.is_empty() {
-            os.write_bytes(1, &self.socket_addr)?;
-        }
-        os.write_unknown_fields(self.get_unknown_fields())?;
-        ::std::result::Result::Ok(())
-    }
-
-    fn get_cached_size(&self) -> u32 {
-        self.cached_size.get()
-    }
-
-    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
-        &self.unknown_fields
-    }
-
-    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
-        &mut self.unknown_fields
-    }
-
-    fn as_any(&self) -> &dyn (::std::any::Any) {
-        self as &dyn (::std::any::Any)
-    }
-    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
-        self as &mut dyn (::std::any::Any)
-    }
-    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
-        self
-    }
-
-    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
-        Self::descriptor_static()
-    }
-
-    fn new() -> PeekPeerResponse {
-        PeekPeerResponse::new()
-    }
-
-    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
-        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
-        };
-        unsafe {
-            descriptor.get(|| {
-                let mut fields = ::std::vec::Vec::new();
-                fields.push(::protobuf::reflect::accessor::make_simple_field_accessor::<_, ::protobuf::types::ProtobufTypeBytes>(
-                    "socket_addr",
-                    |m: &PeekPeerResponse| { &m.socket_addr },
-                    |m: &mut PeekPeerResponse| { &mut m.socket_addr },
-                ));
-                ::protobuf::reflect::MessageDescriptor::new::<PeekPeerResponse>(
-                    "PeekPeerResponse",
-                    fields,
-                    file_descriptor_proto()
-                )
-            })
-        }
-    }
-
-    fn default_instance() -> &'static PeekPeerResponse {
-        static mut instance: ::protobuf::lazy::Lazy<PeekPeerResponse> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const PeekPeerResponse,
-        };
-        unsafe {
-            instance.get(PeekPeerResponse::new)
-        }
-    }
-}
-
-impl ::protobuf::Clear for PeekPeerResponse {
-    fn clear(&mut self) {
-        self.socket_addr.clear();
-        self.unknown_fields.clear();
-    }
-}
-
-impl ::std::fmt::Debug for PeekPeerResponse {
-    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
-        ::protobuf::text_format::fmt(self, f)
-    }
-}
-
-impl ::protobuf::reflect::ProtobufValue for PeekPeerResponse {
-    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
-        ::protobuf::reflect::ProtobufValueRef::Message(self)
-    }
-}
-
-#[derive(PartialEq,Clone,Default)]
-pub struct Message {
-    // message oneof groups
-    pub union: ::std::option::Option<Message_oneof_union>,
-    // special fields
-    pub unknown_fields: ::protobuf::UnknownFields,
-    pub cached_size: ::protobuf::CachedSize,
-}
-
-impl<'a> ::std::default::Default for &'a Message {
-    fn default() -> &'a Message {
-        <Message as ::protobuf::Message>::default_instance()
-    }
-}
-
-#[derive(Clone,PartialEq,Debug)]
-pub enum Message_oneof_union {
-    register_peer(RegisterPeer),
-    peek_peer(PeekPeer),
-    peek_peer_response(PeekPeerResponse),
-}
-
-impl Message {
-    pub fn new() -> Message {
-        ::std::default::Default::default()
-    }
-
-    // .hbb.RegisterPeer register_peer = 6;
-
-
-    pub fn get_register_peer(&self) -> &RegisterPeer {
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::register_peer(ref v)) => v,
-            _ => RegisterPeer::default_instance(),
-        }
-    }
-    pub fn clear_register_peer(&mut self) {
-        self.union = ::std::option::Option::None;
-    }
-
-    pub fn has_register_peer(&self) -> bool {
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::register_peer(..)) => true,
-            _ => false,
-        }
-    }
-
-    // Param is passed by value, moved
-    pub fn set_register_peer(&mut self, v: RegisterPeer) {
-        self.union = ::std::option::Option::Some(Message_oneof_union::register_peer(v))
-    }
-
-    // Mutable pointer to the field.
-    pub fn mut_register_peer(&mut self) -> &mut RegisterPeer {
-        if let ::std::option::Option::Some(Message_oneof_union::register_peer(_)) = self.union {
-        } else {
-            self.union = ::std::option::Option::Some(Message_oneof_union::register_peer(RegisterPeer::new()));
-        }
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::register_peer(ref mut v)) => v,
-            _ => panic!(),
-        }
-    }
-
-    // Take field
-    pub fn take_register_peer(&mut self) -> RegisterPeer {
-        if self.has_register_peer() {
-            match self.union.take() {
-                ::std::option::Option::Some(Message_oneof_union::register_peer(v)) => v,
-                _ => panic!(),
-            }
-        } else {
-            RegisterPeer::new()
-        }
-    }
-
-    // .hbb.PeekPeer peek_peer = 7;
-
-
-    pub fn get_peek_peer(&self) -> &PeekPeer {
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::peek_peer(ref v)) => v,
-            _ => PeekPeer::default_instance(),
-        }
-    }
-    pub fn clear_peek_peer(&mut self) {
-        self.union = ::std::option::Option::None;
-    }
-
-    pub fn has_peek_peer(&self) -> bool {
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::peek_peer(..)) => true,
-            _ => false,
-        }
-    }
-
-    // Param is passed by value, moved
-    pub fn set_peek_peer(&mut self, v: PeekPeer) {
-        self.union = ::std::option::Option::Some(Message_oneof_union::peek_peer(v))
-    }
-
-    // Mutable pointer to the field.
-    pub fn mut_peek_peer(&mut self) -> &mut PeekPeer {
-        if let ::std::option::Option::Some(Message_oneof_union::peek_peer(_)) = self.union {
-        } else {
-            self.union = ::std::option::Option::Some(Message_oneof_union::peek_peer(PeekPeer::new()));
-        }
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::peek_peer(ref mut v)) => v,
-            _ => panic!(),
-        }
-    }
-
-    // Take field
-    pub fn take_peek_peer(&mut self) -> PeekPeer {
-        if self.has_peek_peer() {
-            match self.union.take() {
-                ::std::option::Option::Some(Message_oneof_union::peek_peer(v)) => v,
-                _ => panic!(),
-            }
-        } else {
-            PeekPeer::new()
-        }
-    }
-
-    // .hbb.PeekPeerResponse peek_peer_response = 8;
-
-
-    pub fn get_peek_peer_response(&self) -> &PeekPeerResponse {
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::peek_peer_response(ref v)) => v,
-            _ => PeekPeerResponse::default_instance(),
-        }
-    }
-    pub fn clear_peek_peer_response(&mut self) {
-        self.union = ::std::option::Option::None;
-    }
-
-    pub fn has_peek_peer_response(&self) -> bool {
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::peek_peer_response(..)) => true,
-            _ => false,
-        }
-    }
-
-    // Param is passed by value, moved
-    pub fn set_peek_peer_response(&mut self, v: PeekPeerResponse) {
-        self.union = ::std::option::Option::Some(Message_oneof_union::peek_peer_response(v))
-    }
-
-    // Mutable pointer to the field.
-    pub fn mut_peek_peer_response(&mut self) -> &mut PeekPeerResponse {
-        if let ::std::option::Option::Some(Message_oneof_union::peek_peer_response(_)) = self.union {
-        } else {
-            self.union = ::std::option::Option::Some(Message_oneof_union::peek_peer_response(PeekPeerResponse::new()));
-        }
-        match self.union {
-            ::std::option::Option::Some(Message_oneof_union::peek_peer_response(ref mut v)) => v,
-            _ => panic!(),
-        }
-    }
-
-    // Take field
-    pub fn take_peek_peer_response(&mut self) -> PeekPeerResponse {
-        if self.has_peek_peer_response() {
-            match self.union.take() {
-                ::std::option::Option::Some(Message_oneof_union::peek_peer_response(v)) => v,
-                _ => panic!(),
-            }
-        } else {
-            PeekPeerResponse::new()
-        }
-    }
-}
-
-impl ::protobuf::Message for Message {
-    fn is_initialized(&self) -> bool {
-        if let Some(Message_oneof_union::register_peer(ref v)) = self.union {
-            if !v.is_initialized() {
-                return false;
-            }
-        }
-        if let Some(Message_oneof_union::peek_peer(ref v)) = self.union {
-            if !v.is_initialized() {
-                return false;
-            }
-        }
-        if let Some(Message_oneof_union::peek_peer_response(ref v)) = self.union {
-            if !v.is_initialized() {
-                return false;
-            }
-        }
-        true
-    }
-
-    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        while !is.eof()? {
-            let (field_number, wire_type) = is.read_tag_unpack()?;
-            match field_number {
-                6 => {
-                    if wire_type != ::protobuf::wire_format::WireTypeLengthDelimited {
-                        return ::std::result::Result::Err(::protobuf::rt::unexpected_wire_type(wire_type));
-                    }
-                    self.union = ::std::option::Option::Some(Message_oneof_union::register_peer(is.read_message()?));
-                },
-                7 => {
-                    if wire_type != ::protobuf::wire_format::WireTypeLengthDelimited {
-                        return ::std::result::Result::Err(::protobuf::rt::unexpected_wire_type(wire_type));
-                    }
-                    self.union = ::std::option::Option::Some(Message_oneof_union::peek_peer(is.read_message()?));
-                },
-                8 => {
-                    if wire_type != ::protobuf::wire_format::WireTypeLengthDelimited {
-                        return ::std::result::Result::Err(::protobuf::rt::unexpected_wire_type(wire_type));
-                    }
-                    self.union = ::std::option::Option::Some(Message_oneof_union::peek_peer_response(is.read_message()?));
-                },
-                _ => {
-                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
-                },
-            };
-        }
-        ::std::result::Result::Ok(())
-    }
-
-    // Compute sizes of nested messages
-    #[allow(unused_variables)]
-    fn compute_size(&self) -> u32 {
-        let mut my_size = 0;
-        if let ::std::option::Option::Some(ref v) = self.union {
-            match v {
-                &Message_oneof_union::register_peer(ref v) => {
-                    let len = v.compute_size();
-                    my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
-                },
-                &Message_oneof_union::peek_peer(ref v) => {
-                    let len = v.compute_size();
-                    my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
-                },
-                &Message_oneof_union::peek_peer_response(ref v) => {
-                    let len = v.compute_size();
-                    my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
-                },
-            };
-        }
-        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
-        self.cached_size.set(my_size);
-        my_size
-    }
-
-    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
-        if let ::std::option::Option::Some(ref v) = self.union {
-            match v {
-                &Message_oneof_union::register_peer(ref v) => {
-                    os.write_tag(6, ::protobuf::wire_format::WireTypeLengthDelimited)?;
-                    os.write_raw_varint32(v.get_cached_size())?;
-                    v.write_to_with_cached_sizes(os)?;
-                },
-                &Message_oneof_union::peek_peer(ref v) => {
-                    os.write_tag(7, ::protobuf::wire_format::WireTypeLengthDelimited)?;
-                    os.write_raw_varint32(v.get_cached_size())?;
-                    v.write_to_with_cached_sizes(os)?;
-                },
-                &Message_oneof_union::peek_peer_response(ref v) => {
-                    os.write_tag(8, ::protobuf::wire_format::WireTypeLengthDelimited)?;
-                    os.write_raw_varint32(v.get_cached_size())?;
-                    v.write_to_with_cached_sizes(os)?;
-                },
-            };
-        }
-        os.write_unknown_fields(self.get_unknown_fields())?;
-        ::std::result::Result::Ok(())
-    }
-
-    fn get_cached_size(&self) -> u32 {
-        self.cached_size.get()
-    }
-
-    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
-        &self.unknown_fields
-    }
-
-    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
-        &mut self.unknown_fields
-    }
-
-    fn as_any(&self) -> &dyn (::std::any::Any) {
-        self as &dyn (::std::any::Any)
-    }
-    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
-        self as &mut dyn (::std::any::Any)
-    }
-    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
-        self
-    }
-
-    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
-        Self::descriptor_static()
-    }
-
-    fn new() -> Message {
-        Message::new()
-    }
-
-    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
-        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
-        };
-        unsafe {
-            descriptor.get(|| {
-                let mut fields = ::std::vec::Vec::new();
-                fields.push(::protobuf::reflect::accessor::make_singular_message_accessor::<_, RegisterPeer>(
-                    "register_peer",
-                    Message::has_register_peer,
-                    Message::get_register_peer,
-                ));
-                fields.push(::protobuf::reflect::accessor::make_singular_message_accessor::<_, PeekPeer>(
-                    "peek_peer",
-                    Message::has_peek_peer,
-                    Message::get_peek_peer,
-                ));
-                fields.push(::protobuf::reflect::accessor::make_singular_message_accessor::<_, PeekPeerResponse>(
-                    "peek_peer_response",
-                    Message::has_peek_peer_response,
-                    Message::get_peek_peer_response,
-                ));
-                ::protobuf::reflect::MessageDescriptor::new::<Message>(
-                    "Message",
-                    fields,
-                    file_descriptor_proto()
-                )
-            })
-        }
-    }
-
-    fn default_instance() -> &'static Message {
-        static mut instance: ::protobuf::lazy::Lazy<Message> = ::protobuf::lazy::Lazy {
-            lock: ::protobuf::lazy::ONCE_INIT,
-            ptr: 0 as *const Message,
-        };
-        unsafe {
-            instance.get(Message::new)
-        }
-    }
-}
-
-impl ::protobuf::Clear for Message {
-    fn clear(&mut self) {
-        self.union = ::std::option::Option::None;
-        self.union = ::std::option::Option::None;
-        self.union = ::std::option::Option::None;
-        self.unknown_fields.clear();
-    }
-}
-
-impl ::std::fmt::Debug for Message {
-    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
-        ::protobuf::text_format::fmt(self, f)
-    }
-}
-
-impl ::protobuf::reflect::ProtobufValue for Message {
-    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
-        ::protobuf::reflect::ProtobufValueRef::Message(self)
-    }
-}
-
-static file_descriptor_proto_data: &'static [u8] = b"\
-    \n\rmessage.proto\x12\x03hbb\"$\n\x0cRegisterPeer\x12\x12\n\x08hbb_addr\
-    \x18\x01\x20\x01(\tB\0:\0\"\x20\n\x08PeekPeer\x12\x12\n\x08hbb_addr\x18\
-    \x01\x20\x01(\tB\0:\0\"+\n\x10PeekPeerResponse\x12\x15\n\x0bsocket_addr\
-    \x18\x01\x20\x01(\x0cB\0:\0\"\x9f\x01\n\x07Message\x12,\n\rregister_peer\
-    \x18\x06\x20\x01(\x0b2\x11.hbb.RegisterPeerH\0B\0\x12$\n\tpeek_peer\x18\
-    \x07\x20\x01(\x0b2\r.hbb.PeekPeerH\0B\0\x125\n\x12peek_peer_response\x18\
-    \x08\x20\x01(\x0b2\x15.hbb.PeekPeerResponseH\0B\0B\x07\n\x05union:\0B\0b\
-    \x06proto3\
-";
-
-static mut file_descriptor_proto_lazy: ::protobuf::lazy::Lazy<::protobuf::descriptor::FileDescriptorProto> = ::protobuf::lazy::Lazy {
-    lock: ::protobuf::lazy::ONCE_INIT,
-    ptr: 0 as *const ::protobuf::descriptor::FileDescriptorProto,
-};
-
-fn parse_descriptor_proto() -> ::protobuf::descriptor::FileDescriptorProto {
-    ::protobuf::parse_from_bytes(file_descriptor_proto_data).unwrap()
-}
-
-pub fn file_descriptor_proto() -> &'static ::protobuf::descriptor::FileDescriptorProto {
-    unsafe {
-        file_descriptor_proto_lazy.get(|| {
-            parse_descriptor_proto()
-        })
-    }
-}
--- a/src/relay_server.rs
+++ b/src/relay_server.rs
@@ -1,114 +1,647 @@
+use async_speed_limit::Limiter;
+use async_trait::async_trait;
 use hbb_common::{
+    allow_err, bail,
+    bytes::{Bytes, BytesMut},
+    futures_util::{sink::SinkExt, stream::StreamExt},
    log,
    protobuf::Message as _,
    rendezvous_proto::*,
    sleep,
-    tcp::{new_listener, FramedStream},
+    tcp::{listen_any, FramedStream},
+    timeout,
    tokio::{
        self,
-        net::TcpListener,
+        io::{AsyncReadExt, AsyncWriteExt},
+        net::{TcpListener, TcpStream},
+        sync::{Mutex, RwLock},
        time::{interval, Duration},
    },
    ResultType,
 };
+use sodiumoxide::crypto::sign;
 use std::{
-    collections::HashMap,
+    collections::{HashMap, HashSet},
+    io::prelude::*,
+    io::Error,
    net::SocketAddr,
-    sync::{Arc, Mutex},
+    sync::atomic::{AtomicUsize, Ordering},
 };

+type Usage = (usize, usize, usize, usize);
+
 lazy_static::lazy_static! {
-    static ref PEERS: Arc<Mutex<HashMap<String, FramedStream>>> = Arc::new(Mutex::new(HashMap::new()));
+    static ref PEERS: Mutex<HashMap<String, Box<dyn StreamTrait>>> = Default::default();
+    static ref USAGE: RwLock<HashMap<String, Usage>> = Default::default();
+    static ref BLACKLIST: RwLock<HashSet<String>> = Default::default();
+    static ref BLOCKLIST: RwLock<HashSet<String>> = Default::default();
 }

-pub const DEFAULT_PORT: &'static str = "21117";
+static DOWNGRADE_THRESHOLD_100: AtomicUsize = AtomicUsize::new(66); // 0.66
+static DOWNGRADE_START_CHECK: AtomicUsize = AtomicUsize::new(1_800_000); // in ms
+static LIMIT_SPEED: AtomicUsize = AtomicUsize::new(32 * 1024 * 1024); // in bit/s
+static TOTAL_BANDWIDTH: AtomicUsize = AtomicUsize::new(1024 * 1024 * 1024); // in bit/s
+static SINGLE_BANDWIDTH: AtomicUsize = AtomicUsize::new(128 * 1024 * 1024); // in bit/s
+const BLACKLIST_FILE: &str = "blacklist.txt";
+const BLOCKLIST_FILE: &str = "blocklist.txt";

-#[tokio::main(basic_scheduler)]
-pub async fn start(port: &str, key: &str, stop: Arc<Mutex<bool>>) -> ResultType<()> {
-    if !key.is_empty() {
-        log::info!("Key: {}", key);
-    }
-    let addr = format!("0.0.0.0:{}", port);
-    log::info!("Listening on tcp {}", addr);
-    let mut listener = new_listener(addr, false).await?;
-    loop {
-        if *stop.lock().unwrap() {
-            sleep(0.1).await;
-            continue;
+#[tokio::main(flavor = "multi_thread")]
+pub async fn start(port: &str, key: &str) -> ResultType<()> {
+    let key = get_server_sk(key);
+    if let Ok(mut file) = std::fs::File::open(BLACKLIST_FILE) {
+        let mut contents = String::new();
+        if file.read_to_string(&mut contents).is_ok() {
+            for x in contents.split('\n') {
+                if let Some(ip) = x.trim().split(' ').next() {
+                    BLACKLIST.write().await.insert(ip.to_owned());
+                }
+            }
        }
-        log::info!("Start");
-        io_loop(&mut listener, key, stop.clone()).await;
    }
+    log::info!(
+        "#blacklist({}): {}",
+        BLACKLIST_FILE,
+        BLACKLIST.read().await.len()
+    );
+    if let Ok(mut file) = std::fs::File::open(BLOCKLIST_FILE) {
+        let mut contents = String::new();
+        if file.read_to_string(&mut contents).is_ok() {
+            for x in contents.split('\n') {
+                if let Some(ip) = x.trim().split(' ').next() {
+                    BLOCKLIST.write().await.insert(ip.to_owned());
+                }
+            }
+        }
+    }
+    log::info!(
+        "#blocklist({}): {}",
+        BLOCKLIST_FILE,
+        BLOCKLIST.read().await.len()
+    );
+    let port: u16 = port.parse()?;
+    log::info!("Listening on tcp :{}", port);
+    let port2 = port + 2;
+    log::info!("Listening on websocket :{}", port2);
+    let main_task = async move {
+        loop {
+            log::info!("Start");
+            io_loop(listen_any(port).await?, listen_any(port2).await?, &key).await;
+        }
+    };
+    let listen_signal = crate::common::listen_signal();
+    tokio::select!(
+        res = main_task => res,
+        res = listen_signal => res,
+    )
 }

-async fn io_loop(listener: &mut TcpListener, key: &str, stop: Arc<Mutex<bool>>) {
-    let mut timer = interval(Duration::from_millis(100));
+fn check_params() {
+    let tmp = std::env::var("DOWNGRADE_THRESHOLD")
+        .map(|x| x.parse::<f64>().unwrap_or(0.))
+        .unwrap_or(0.);
+    if tmp > 0. {
+        DOWNGRADE_THRESHOLD_100.store((tmp * 100.) as _, Ordering::SeqCst);
+    }
+    log::info!(
+        "DOWNGRADE_THRESHOLD: {}",
+        DOWNGRADE_THRESHOLD_100.load(Ordering::SeqCst) as f64 / 100.
+    );
+    let tmp = std::env::var("DOWNGRADE_START_CHECK")
+        .map(|x| x.parse::<usize>().unwrap_or(0))
+        .unwrap_or(0);
+    if tmp > 0 {
+        DOWNGRADE_START_CHECK.store(tmp * 1000, Ordering::SeqCst);
+    }
+    log::info!(
+        "DOWNGRADE_START_CHECK: {}s",
+        DOWNGRADE_START_CHECK.load(Ordering::SeqCst) / 1000
+    );
+    let tmp = std::env::var("LIMIT_SPEED")
+        .map(|x| x.parse::<f64>().unwrap_or(0.))
+        .unwrap_or(0.);
+    if tmp > 0. {
+        LIMIT_SPEED.store((tmp * 1024. * 1024.) as usize, Ordering::SeqCst);
+    }
+    log::info!(
+        "LIMIT_SPEED: {}Mb/s",
+        LIMIT_SPEED.load(Ordering::SeqCst) as f64 / 1024. / 1024.
+    );
+    let tmp = std::env::var("TOTAL_BANDWIDTH")
+        .map(|x| x.parse::<f64>().unwrap_or(0.))
+        .unwrap_or(0.);
+    if tmp > 0. {
+        TOTAL_BANDWIDTH.store((tmp * 1024. * 1024.) as usize, Ordering::SeqCst);
+    }
+
+    log::info!(
+        "TOTAL_BANDWIDTH: {}Mb/s",
+        TOTAL_BANDWIDTH.load(Ordering::SeqCst) as f64 / 1024. / 1024.
+    );
+    let tmp = std::env::var("SINGLE_BANDWIDTH")
+        .map(|x| x.parse::<f64>().unwrap_or(0.))
+        .unwrap_or(0.);
+    if tmp > 0. {
+        SINGLE_BANDWIDTH.store((tmp * 1024. * 1024.) as usize, Ordering::SeqCst);
+    }
+    log::info!(
+        "SINGLE_BANDWIDTH: {}Mb/s",
+        SINGLE_BANDWIDTH.load(Ordering::SeqCst) as f64 / 1024. / 1024.
+    )
+}
+
+async fn check_cmd(cmd: &str, limiter: Limiter) -> String {
+    use std::fmt::Write;
+
+    let mut res = "".to_owned();
+    let mut fds = cmd.trim().split(' ');
+    match fds.next() {
+        Some("h") => {
+            res = format!(
+                "{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n",
+                "blacklist-add(ba) <ip>",
+                "blacklist-remove(br) <ip>",
+                "blacklist(b) <ip>",
+                "blocklist-add(Ba) <ip>",
+                "blocklist-remove(Br) <ip>",
+                "blocklist(B) <ip>",
+                "downgrade-threshold(dt) [value]",
+                "downgrade-start-check(t) [value(second)]",
+                "limit-speed(ls) [value(Mb/s)]",
+                "total-bandwidth(tb) [value(Mb/s)]",
+                "single-bandwidth(sb) [value(Mb/s)]",
+                "usage(u)"
+            )
+        }
+        Some("blacklist-add" | "ba") => {
+            if let Some(ip) = fds.next() {
+                for ip in ip.split('|') {
+                    BLACKLIST.write().await.insert(ip.to_owned());
+                }
+            }
+        }
+        Some("blacklist-remove" | "br") => {
+            if let Some(ip) = fds.next() {
+                if ip == "all" {
+                    BLACKLIST.write().await.clear();
+                } else {
+                    for ip in ip.split('|') {
+                        BLACKLIST.write().await.remove(ip);
+                    }
+                }
+            }
+        }
+        Some("blacklist" | "b") => {
+            if let Some(ip) = fds.next() {
+                res = format!("{}\n", BLACKLIST.read().await.get(ip).is_some());
+            } else {
+                for ip in BLACKLIST.read().await.clone().into_iter() {
+                    let _ = writeln!(res, "{ip}");
+                }
+            }
+        }
+        Some("blocklist-add" | "Ba") => {
+            if let Some(ip) = fds.next() {
+                for ip in ip.split('|') {
+                    BLOCKLIST.write().await.insert(ip.to_owned());
+                }
+            }
+        }
+        Some("blocklist-remove" | "Br") => {
+            if let Some(ip) = fds.next() {
+                if ip == "all" {
+                    BLOCKLIST.write().await.clear();
+                } else {
+                    for ip in ip.split('|') {
+                        BLOCKLIST.write().await.remove(ip);
+                    }
+                }
+            }
+        }
+        Some("blocklist" | "B") => {
+            if let Some(ip) = fds.next() {
+                res = format!("{}\n", BLOCKLIST.read().await.get(ip).is_some());
+            } else {
+                for ip in BLOCKLIST.read().await.clone().into_iter() {
+                    let _ = writeln!(res, "{ip}");
+                }
+            }
+        }
+        Some("downgrade-threshold" | "dt") => {
+            if let Some(v) = fds.next() {
+                if let Ok(v) = v.parse::<f64>() {
+                    if v > 0. {
+                        DOWNGRADE_THRESHOLD_100.store((v * 100.) as _, Ordering::SeqCst);
+                    }
+                }
+            } else {
+                res = format!(
+                    "{}\n",
+                    DOWNGRADE_THRESHOLD_100.load(Ordering::SeqCst) as f64 / 100.
+                );
+            }
+        }
+        Some("downgrade-start-check" | "t") => {
+            if let Some(v) = fds.next() {
+                if let Ok(v) = v.parse::<usize>() {
+                    if v > 0 {
+                        DOWNGRADE_START_CHECK.store(v * 1000, Ordering::SeqCst);
+                    }
+                }
+            } else {
+                res = format!("{}s\n", DOWNGRADE_START_CHECK.load(Ordering::SeqCst) / 1000);
+            }
+        }
+        Some("limit-speed" | "ls") => {
+            if let Some(v) = fds.next() {
+                if let Ok(v) = v.parse::<f64>() {
+                    if v > 0. {
+                        LIMIT_SPEED.store((v * 1024. * 1024.) as _, Ordering::SeqCst);
+                    }
+                }
+            } else {
+                res = format!(
+                    "{}Mb/s\n",
+                    LIMIT_SPEED.load(Ordering::SeqCst) as f64 / 1024. / 1024.
+                );
+            }
+        }
+        Some("total-bandwidth" | "tb") => {
+            if let Some(v) = fds.next() {
+                if let Ok(v) = v.parse::<f64>() {
+                    if v > 0. {
+                        TOTAL_BANDWIDTH.store((v * 1024. * 1024.) as _, Ordering::SeqCst);
+                        limiter.set_speed_limit(TOTAL_BANDWIDTH.load(Ordering::SeqCst) as _);
+                    }
+                }
+            } else {
+                res = format!(
+                    "{}Mb/s\n",
+                    TOTAL_BANDWIDTH.load(Ordering::SeqCst) as f64 / 1024. / 1024.
+                );
+            }
+        }
+        Some("single-bandwidth" | "sb") => {
+            if let Some(v) = fds.next() {
+                if let Ok(v) = v.parse::<f64>() {
+                    if v > 0. {
+                        SINGLE_BANDWIDTH.store((v * 1024. * 1024.) as _, Ordering::SeqCst);
+                    }
+                }
+            } else {
+                res = format!(
+                    "{}Mb/s\n",
+                    SINGLE_BANDWIDTH.load(Ordering::SeqCst) as f64 / 1024. / 1024.
+                );
+            }
+        }
+        Some("usage" | "u") => {
+            let mut tmp: Vec<(String, Usage)> = USAGE
+                .read()
+                .await
+                .iter()
+                .map(|x| (x.0.clone(), *x.1))
+                .collect();
+            tmp.sort_by(|a, b| ((b.1).1).partial_cmp(&(a.1).1).unwrap());
+            for (ip, (elapsed, total, highest, speed)) in tmp {
+                if elapsed == 0 {
+                    continue;
+                }
+                let _ = writeln!(
+                    res,
+                    "{}: {}s {:.2}MB {}kb/s {}kb/s {}kb/s",
+                    ip,
+                    elapsed / 1000,
+                    total as f64 / 1024. / 1024. / 8.,
+                    highest,
+                    total / elapsed,
+                    speed
+                );
+            }
+        }
+        _ => {}
+    }
+    res
+}
+
+async fn io_loop(listener: TcpListener, listener2: TcpListener, key: &str) {
+    check_params();
+    let limiter = <Limiter>::new(TOTAL_BANDWIDTH.load(Ordering::SeqCst) as _);
    loop {
        tokio::select! {
-            Ok((stream, addr)) = listener.accept() => {
-                let key = key.to_owned();
-                tokio::spawn(async move {
-                    make_pair(FramedStream::from(stream), addr, &key).await.ok();
-                });
-            }
-            _ = timer.tick() => {
-                if *stop.lock().unwrap() {
-                    log::info!("Stopped");
-                    break;
+            res = listener.accept() => {
+                match res {
+                    Ok((stream, addr))  => {
+                        stream.set_nodelay(true).ok();
+                        handle_connection(stream, addr, &limiter, key, false).await;
+                    }
+                    Err(err) => {
+                       log::error!("listener.accept failed: {}", err);
+                       break;
+                    }
                }
            }
-        }
-    }
-}
-
-async fn make_pair(stream: FramedStream, addr: SocketAddr, key: &str) -> ResultType<()> {
-    let mut stream = stream;
-    if let Some(Ok(bytes)) = stream.next_timeout(30_000).await {
-        if let Ok(msg_in) = RendezvousMessage::parse_from_bytes(&bytes) {
-            if let Some(rendezvous_message::Union::request_relay(rf)) = msg_in.union {
-                if !key.is_empty() && rf.licence_key != key {
-                    return Ok(());
-                }
-                if !rf.uuid.is_empty() {
-                    let peer = PEERS.lock().unwrap().remove(&rf.uuid);
-                    if let Some(peer) = peer {
-                        log::info!("Forward request {} from {} got paired", rf.uuid, addr);
-                        return relay(stream, peer).await;
-                    } else {
-                        log::info!("New relay request {} from {}", rf.uuid, addr);
-                        PEERS.lock().unwrap().insert(rf.uuid.clone(), stream);
-                        sleep(30.).await;
-                        PEERS.lock().unwrap().remove(&rf.uuid);
+            res = listener2.accept() => {
+                match res {
+                    Ok((stream, addr))  => {
+                        stream.set_nodelay(true).ok();
+                        handle_connection(stream, addr, &limiter, key, true).await;
+                    }
+                    Err(err) => {
+                       log::error!("listener2.accept failed: {}", err);
+                       break;
                    }
                }
            }
        }
    }
+}
+
+async fn handle_connection(
+    stream: TcpStream,
+    addr: SocketAddr,
+    limiter: &Limiter,
+    key: &str,
+    ws: bool,
+) {
+    let ip = hbb_common::try_into_v4(addr).ip();
+    if !ws && ip.is_loopback() {
+        let limiter = limiter.clone();
+        tokio::spawn(async move {
+            let mut stream = stream;
+            let mut buffer = [0; 1024];
+            if let Ok(Ok(n)) = timeout(1000, stream.read(&mut buffer[..])).await {
+                if let Ok(data) = std::str::from_utf8(&buffer[..n]) {
+                    let res = check_cmd(data, limiter).await;
+                    stream.write(res.as_bytes()).await.ok();
+                }
+            }
+        });
+        return;
+    }
+    let ip = ip.to_string();
+    if BLOCKLIST.read().await.get(&ip).is_some() {
+        log::info!("{} blocked", ip);
+        return;
+    }
+    let key = key.to_owned();
+    let limiter = limiter.clone();
+    tokio::spawn(async move {
+        allow_err!(make_pair(stream, addr, &key, limiter, ws).await);
+    });
+}
+
+async fn make_pair(
+    stream: TcpStream,
+    mut addr: SocketAddr,
+    key: &str,
+    limiter: Limiter,
+    ws: bool,
+) -> ResultType<()> {
+    if ws {
+        use tokio_tungstenite::tungstenite::handshake::server::{Request, Response};
+        let callback = |req: &Request, response: Response| {
+            let headers = req.headers();
+            let real_ip = headers
+                .get("X-Real-IP")
+                .or_else(|| headers.get("X-Forwarded-For"))
+                .and_then(|header_value| header_value.to_str().ok());
+            if let Some(ip) = real_ip {
+                if ip.contains('.') {
+                    addr = format!("{ip}:0").parse().unwrap_or(addr);
+                } else {
+                    addr = format!("[{ip}]:0").parse().unwrap_or(addr);
+                }
+            }
+            Ok(response)
+        };
+        let ws_stream = tokio_tungstenite::accept_hdr_async(stream, callback).await?;
+        make_pair_(ws_stream, addr, key, limiter).await;
+    } else {
+        make_pair_(FramedStream::from(stream, addr), addr, key, limiter).await;
+    }
    Ok(())
 }

-async fn relay(stream: FramedStream, peer: FramedStream) -> ResultType<()> {
-    let mut peer = peer;
+async fn make_pair_(stream: impl StreamTrait, addr: SocketAddr, key: &str, limiter: Limiter) {
    let mut stream = stream;
-    peer.set_raw();
-    stream.set_raw();
+    if let Ok(Some(Ok(bytes))) = timeout(30_000, stream.recv()).await {
+        if let Ok(msg_in) = RendezvousMessage::parse_from_bytes(&bytes) {
+            if let Some(rendezvous_message::Union::RequestRelay(rf)) = msg_in.union {
+                if !key.is_empty() && rf.licence_key != key {
+                    log::warn!("Relay authentication failed from {} - invalid key", addr);
+                    return;
+                }
+                if !rf.uuid.is_empty() {
+                    let mut peer = PEERS.lock().await.remove(&rf.uuid);
+                    if let Some(peer) = peer.as_mut() {
+                        log::info!("Relayrequest {} from {} got paired", rf.uuid, addr);
+                        let id = format!("{}:{}", addr.ip(), addr.port());
+                        USAGE.write().await.insert(id.clone(), Default::default());
+                        if !stream.is_ws() && !peer.is_ws() {
+                            peer.set_raw();
+                            stream.set_raw();
+                            log::info!("Both are raw");
+                        }
+                        if let Err(err) = relay(addr, &mut stream, peer, limiter, id.clone()).await
+                        {
+                            log::info!("Relay of {} closed: {}", addr, err);
+                        } else {
+                            log::info!("Relay of {} closed", addr);
+                        }
+                        USAGE.write().await.remove(&id);
+                    } else {
+                        log::info!("New relay request {} from {}", rf.uuid, addr);
+                        PEERS.lock().await.insert(rf.uuid.clone(), Box::new(stream));
+                        sleep(30.).await;
+                        PEERS.lock().await.remove(&rf.uuid);
+                    }
+                }
+            }
+        }
+    }
+}
+
+async fn relay(
+    addr: SocketAddr,
+    stream: &mut impl StreamTrait,
+    peer: &mut Box<dyn StreamTrait>,
+    total_limiter: Limiter,
+    id: String,
+) -> ResultType<()> {
+    let ip = addr.ip().to_string();
+    let mut tm = std::time::Instant::now();
+    let mut elapsed = 0;
+    let mut total = 0;
+    let mut total_s = 0;
+    let mut highest_s = 0;
+    let mut downgrade: bool = false;
+    let mut blacked: bool = false;
+    let sb = SINGLE_BANDWIDTH.load(Ordering::SeqCst) as f64;
+    let limiter = <Limiter>::new(sb);
+    let blacklist_limiter = <Limiter>::new(LIMIT_SPEED.load(Ordering::SeqCst) as _);
+    let downgrade_threshold =
+        (sb * DOWNGRADE_THRESHOLD_100.load(Ordering::SeqCst) as f64 / 100. / 1000.) as usize; // in bit/ms
+    let mut timer = interval(Duration::from_secs(3));
+    let mut last_recv_time = std::time::Instant::now();
    loop {
        tokio::select! {
-            res = peer.next() => {
+            res = peer.recv() => {
                if let Some(Ok(bytes)) = res {
-                    stream.send_bytes(bytes.into()).await?;
+                    last_recv_time = std::time::Instant::now();
+                    let nb = bytes.len() * 8;
+                    if blacked || downgrade {
+                        blacklist_limiter.consume(nb).await;
+                    } else {
+                        limiter.consume(nb).await;
+                    }
+                    total_limiter.consume(nb).await;
+                    total += nb;
+                    total_s += nb;
+                    if !bytes.is_empty() {
+                        stream.send_raw(bytes.into()).await?;
+                    }
                } else {
                    break;
                }
            },
-            res = stream.next() => {
+            res = stream.recv() => {
                if let Some(Ok(bytes)) = res {
-                    peer.send_bytes(bytes.into()).await?;
+                    last_recv_time = std::time::Instant::now();
+                    let nb = bytes.len() * 8;
+                    if blacked || downgrade {
+                        blacklist_limiter.consume(nb).await;
+                    } else {
+                        limiter.consume(nb).await;
+                    }
+                    total_limiter.consume(nb).await;
+                    total += nb;
+                    total_s += nb;
+                    if !bytes.is_empty() {
+                        peer.send_raw(bytes.into()).await?;
+                    }
                } else {
                    break;
                }
            },
+            _ = timer.tick() => {
+                if last_recv_time.elapsed().as_secs() > 30 {
+                    bail!("Timeout");
+                }
+            }
+        }
+
+        let n = tm.elapsed().as_millis() as usize;
+        if n >= 1_000 {
+            if BLOCKLIST.read().await.get(&ip).is_some() {
+                log::info!("{} blocked", ip);
+                break;
+            }
+            blacked = BLACKLIST.read().await.get(&ip).is_some();
+            tm = std::time::Instant::now();
+            let speed = total_s / n;
+            if speed > highest_s {
+                highest_s = speed;
+            }
+            elapsed += n;
+            USAGE.write().await.insert(
+                id.clone(),
+                (elapsed as _, total as _, highest_s as _, speed as _),
+            );
+            total_s = 0;
+            if elapsed > DOWNGRADE_START_CHECK.load(Ordering::SeqCst)
+                && !downgrade
+                && total > elapsed * downgrade_threshold
+            {
+                downgrade = true;
+                log::info!(
+                    "Downgrade {}, exceed downgrade threshold {}bit/ms in {}ms",
+                    id,
+                    downgrade_threshold,
+                    elapsed
+                );
+            }
        }
    }
    Ok(())
 }
+
+fn get_server_sk(key: &str) -> String {
+    let mut key = key.to_owned();
+    if let Ok(sk) = base64::decode(&key) {
+        if sk.len() == sign::SECRETKEYBYTES {
+            log::info!("The key is a crypto private key");
+            key = base64::encode(&sk[(sign::SECRETKEYBYTES / 2)..]);
+        }
+    }
+
+    if key == "-" || key == "_" {
+        let (pk, _) = crate::common::gen_sk(300);
+        key = pk;
+    }
+
+    if !key.is_empty() {
+        log::info!("Key: {}", key);
+    }
+
+    key
+}
+
+#[async_trait]
+trait StreamTrait: Send + Sync + 'static {
+    async fn recv(&mut self) -> Option<Result<BytesMut, Error>>;
+    async fn send_raw(&mut self, bytes: Bytes) -> ResultType<()>;
+    fn is_ws(&self) -> bool;
+    fn set_raw(&mut self);
+}
+
+#[async_trait]
+impl StreamTrait for FramedStream {
+    async fn recv(&mut self) -> Option<Result<BytesMut, Error>> {
+        self.next().await
+    }
+
+    async fn send_raw(&mut self, bytes: Bytes) -> ResultType<()> {
+        self.send_bytes(bytes).await
+    }
+
+    fn is_ws(&self) -> bool {
+        false
+    }
+
+    fn set_raw(&mut self) {
+        self.set_raw();
+    }
+}
+
+#[async_trait]
+impl StreamTrait for tokio_tungstenite::WebSocketStream<TcpStream> {
+    async fn recv(&mut self) -> Option<Result<BytesMut, Error>> {
+        if let Some(msg) = self.next().await {
+            match msg {
+                Ok(msg) => {
+                    match msg {
+                        tungstenite::Message::Binary(bytes) => {
+                            Some(Ok(bytes[..].into())) // to-do: poor performance
+                        }
+                        _ => Some(Ok(BytesMut::new())),
+                    }
+                }
+                Err(err) => Some(Err(Error::new(std::io::ErrorKind::Other, err.to_string()))),
+            }
+        } else {
+            None
+        }
+    }
+
+    async fn send_raw(&mut self, bytes: Bytes) -> ResultType<()> {
+        Ok(self
+            .send(tungstenite::Message::Binary(bytes.to_vec()))
+            .await?) // to-do: poor performance
+    }
+
+    fn is_ws(&self) -> bool {
+        true
+    }
+
+    fn set_raw(&mut self) {}
+}
--- a/src/rendezvous_server.rs
+++ b/src/rendezvous_server.rs
--- a/src/sled_async.rs
+++ b/src/sled_async.rs
@@ -1,101 +0,0 @@
-use hbb_common::{
-    allow_err, log,
-    tokio::{self, sync::mpsc},
-    ResultType,
-};
-use rocksdb::DB;
-
-#[derive(Debug)]
-enum Action {
-    Insert((String, Vec<u8>)),
-    Get((String, mpsc::Sender<Option<Vec<u8>>>)),
-    _Close,
-}
-
-#[derive(Clone)]
-pub struct SledAsync {
-    tx: Option<mpsc::UnboundedSender<Action>>,
-    path: String,
-}
-
-impl SledAsync {
-    pub fn new(path: &str, run: bool) -> ResultType<Self> {
-        let mut res = Self {
-            tx: None,
-            path: path.to_owned(),
-        };
-        if run {
-            res.run()?;
-        }
-        Ok(res)
-    }
-
-    pub fn run(&mut self) -> ResultType<std::thread::JoinHandle<()>> {
-        let (tx, rx) = mpsc::unbounded_channel::<Action>();
-        self.tx = Some(tx);
-        let db = DB::open_default(&self.path)?;
-        Ok(std::thread::spawn(move || {
-            Self::io_loop(db, rx);
-            log::debug!("Exit SledAsync loop");
-        }))
-    }
-
-    #[tokio::main(basic_scheduler)]
-    async fn io_loop(db: DB, rx: mpsc::UnboundedReceiver<Action>) {
-        let mut rx = rx;
-        while let Some(x) = rx.recv().await {
-            match x {
-                Action::Insert((key, value)) => {
-                    allow_err!(db.put(&key, &value));
-                }
-                Action::Get((key, sender)) => {
-                    let mut sender = sender;
-                    allow_err!(
-                        sender
-                            .send(if let Ok(v) = db.get(key) { v } else { None })
-                            .await
-                    );
-                }
-                Action::_Close => break,
-            }
-        }
-    }
-
-    pub fn _close(self, j: std::thread::JoinHandle<()>) {
-        if let Some(tx) = &self.tx {
-            allow_err!(tx.send(Action::_Close));
-        }
-        allow_err!(j.join());
-    }
-
-    pub async fn get(&mut self, key: String) -> Option<Vec<u8>> {
-        if let Some(tx) = &self.tx {
-            let (tx_once, mut rx) = mpsc::channel::<Option<Vec<u8>>>(1);
-            allow_err!(tx.send(Action::Get((key, tx_once))));
-            if let Some(v) = rx.recv().await {
-                return v;
-            }
-        }
-        None
-    }
-
-    #[inline]
-    pub fn deserialize<'a, T: serde::Deserialize<'a>>(v: &'a Option<Vec<u8>>) -> Option<T> {
-        if let Some(v) = v {
-            if let Ok(v) = std::str::from_utf8(v) {
-                if let Ok(v) = serde_json::from_str::<T>(&v) {
-                    return Some(v);
-                }
-            }
-        }
-        None
-    }
-
-    pub fn insert<T: serde::Serialize>(&mut self, key: String, v: T) {
-        if let Some(tx) = &self.tx {
-            if let Ok(v) = serde_json::to_vec(&v) {
-                allow_err!(tx.send(Action::Insert((key, v))));
-            }
-        }
-    }
-}
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -0,0 +1,170 @@
+use dns_lookup::{lookup_addr, lookup_host};
+use hbb_common::{bail, ResultType};
+use sodiumoxide::crypto::sign;
+use std::{
+    env,
+    net::{IpAddr, TcpStream},
+    process, str,
+};
+
+fn print_help() {
+    println!(
+        "Usage:
+    rustdesk-utils [command]\n
+Available Commands:
+    genkeypair                                   Generate a new keypair
+    validatekeypair [public key] [secret key]    Validate an existing keypair
+    doctor [rustdesk-server]                     Check for server connection problems"
+    );
+    process::exit(0x0001);
+}
+
+fn error_then_help(msg: &str) {
+    println!("ERROR: {msg}\n");
+    print_help();
+}
+
+fn gen_keypair() {
+    let (pk, sk) = sign::gen_keypair();
+    let public_key = base64::encode(pk);
+    let secret_key = base64::encode(sk);
+    println!("Public Key:  {public_key}");
+    println!("Secret Key:  {secret_key}");
+}
+
+fn validate_keypair(pk: &str, sk: &str) -> ResultType<()> {
+    let sk1 = base64::decode(sk);
+    if sk1.is_err() {
+        bail!("Invalid secret key");
+    }
+    let sk1 = sk1.unwrap();
+
+    let secret_key = sign::SecretKey::from_slice(sk1.as_slice());
+    if secret_key.is_none() {
+        bail!("Invalid Secret key");
+    }
+    let secret_key = secret_key.unwrap();
+
+    let pk1 = base64::decode(pk);
+    if pk1.is_err() {
+        bail!("Invalid public key");
+    }
+    let pk1 = pk1.unwrap();
+
+    let public_key = sign::PublicKey::from_slice(pk1.as_slice());
+    if public_key.is_none() {
+        bail!("Invalid Public key");
+    }
+    let public_key = public_key.unwrap();
+
+    let random_data_to_test = b"This is meh.";
+    let signed_data = sign::sign(random_data_to_test, &secret_key);
+    let verified_data = sign::verify(&signed_data, &public_key);
+    if verified_data.is_err() {
+        bail!("Key pair is INVALID");
+    }
+    let verified_data = verified_data.unwrap();
+
+    if random_data_to_test != &verified_data[..] {
+        bail!("Key pair is INVALID");
+    }
+
+    Ok(())
+}
+
+fn doctor_tcp(address: std::net::IpAddr, port: &str, desc: &str) {
+    let start = std::time::Instant::now();
+    let conn = format!("{address}:{port}");
+    if let Ok(_stream) = TcpStream::connect(conn.as_str()) {
+        let elapsed = std::time::Instant::now().duration_since(start);
+        println!(
+            "TCP Port {} ({}): OK in {} ms",
+            port,
+            desc,
+            elapsed.as_millis()
+        );
+    } else {
+        println!("TCP Port {port} ({desc}): ERROR");
+    }
+}
+
+fn doctor_ip(server_ip_address: std::net::IpAddr, server_address: Option<&str>) {
+    println!("\nChecking IP address: {server_ip_address}");
+    println!("Is IPV4: {}", server_ip_address.is_ipv4());
+    println!("Is IPV6: {}", server_ip_address.is_ipv6());
+
+    // reverse dns lookup
+    // TODO: (check) doesn't seem to do reverse lookup on OSX...
+    let reverse = lookup_addr(&server_ip_address).unwrap();
+    if let Some(server_address) = server_address {
+        if reverse == server_address {
+            println!("Reverse DNS lookup: '{reverse}' MATCHES server address");
+        } else {
+            println!(
+                "Reverse DNS lookup: '{reverse}' DOESN'T MATCH server address '{server_address}'"
+            );
+        }
+    }
+
+    // TODO: ICMP ping?
+
+    // port check TCP (UDP is hard to check)
+    doctor_tcp(server_ip_address, "21114", "API");
+    doctor_tcp(server_ip_address, "21115", "hbbs extra port for nat test");
+    doctor_tcp(server_ip_address, "21116", "hbbs");
+    doctor_tcp(server_ip_address, "21117", "hbbr tcp");
+    doctor_tcp(server_ip_address, "21118", "hbbs websocket");
+    doctor_tcp(server_ip_address, "21119", "hbbr websocket");
+
+    // TODO: key check
+}
+
+fn doctor(server_address_unclean: &str) {
+    let server_address3 = server_address_unclean.trim();
+    let server_address2 = server_address3.to_lowercase();
+    let server_address = server_address2.as_str();
+    println!("Checking server:  {server_address}\n");
+    if let Ok(server_ipaddr) = server_address.parse::<IpAddr>() {
+        // user requested an ip address
+        doctor_ip(server_ipaddr, None);
+    } else {
+        // the passed string is not an ip address
+        let ips: Vec<std::net::IpAddr> = lookup_host(server_address).unwrap();
+        println!("Found {} IP addresses: ", ips.len());
+
+        ips.iter().for_each(|ip| println!(" - {ip}"));
+
+        ips.iter()
+            .for_each(|ip| doctor_ip(*ip, Some(server_address)));
+    }
+}
+
+fn main() {
+    let args: Vec<_> = env::args().collect();
+    if args.len() <= 1 {
+        print_help();
+    }
+
+    let command = args[1].to_lowercase();
+    match command.as_str() {
+        "genkeypair" => gen_keypair(),
+        "validatekeypair" => {
+            if args.len() <= 3 {
+                error_then_help("You must supply both the public and the secret key");
+            }
+            let res = validate_keypair(args[2].as_str(), args[3].as_str());
+            if let Err(e) = res {
+                println!("{e}");
+                process::exit(0x0001);
+            }
+            println!("Key pair is VALID");
+        }
+        "doctor" => {
+            if args.len() <= 2 {
+                error_then_help("You must supply the rustdesk-server address");
+            }
+            doctor(args[2].as_str());
+        }
+        _ => print_help(),
+    }
+}
--- a/systemd/rustdesk-hbbr.service
+++ b/systemd/rustdesk-hbbr.service
@@ -0,0 +1,20 @@
+
+[Unit]
+Description=Rustdesk Relay Server
+
+[Service]
+Type=simple
+LimitNOFILE=1000000
+ExecStart=/usr/bin/hbbr
+WorkingDirectory=/var/lib/rustdesk-server/
+User=
+Group=
+Restart=always
+StandardOutput=append:/var/log/rustdesk-server/hbbr.log
+StandardError=append:/var/log/rustdesk-server/hbbr.error
+# Restart service after 10 seconds if node service crashes
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+
--- a/systemd/rustdesk-hbbs.service
+++ b/systemd/rustdesk-hbbs.service
@@ -0,0 +1,20 @@
+
+[Unit]
+Description=Rustdesk Signal Server
+
+[Service]
+Type=simple
+LimitNOFILE=1000000
+ExecStart=/usr/bin/hbbs
+WorkingDirectory=/var/lib/rustdesk-server/
+User=
+Group=
+Restart=always
+StandardOutput=append:/var/log/rustdesk-server/hbbs.log
+StandardError=append:/var/log/rustdesk-server/hbbs.error
+# Restart service after 10 seconds if node service crashes
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+
--- a/ui/.cargo/config.toml
+++ b/ui/.cargo/config.toml
@@ -0,0 +1,8 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-Ctarget-feature=+crt-static"]
+[target.i686-pc-windows-msvc]
+rustflags = ["-Ctarget-feature=+crt-static"]
+[target.'cfg(target_os="macos")']
+rustflags = [
+    "-C", "link-args=-sectcreate __CGPreLoginApp __cgpreloginapp /dev/null",
+]
--- a/ui/.gitignore
+++ b/ui/.gitignore
@@ -0,0 +1,4 @@
+# Generated by Cargo
+# will have compiled files and executables
+/target/
+
--- a/ui/Cargo.lock
+++ b/ui/Cargo.lock
--- a/ui/Cargo.toml
+++ b/ui/Cargo.toml
@@ -0,0 +1,31 @@
+[package]
+name = "rustdesk_server"
+version = "0.1.2"
+description = "rustdesk server gui"
+authors = ["elilchen"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[build-dependencies]
+tauri-build = { version = "1.2", features = [] }
+winres = "0.1"
+
+[dependencies]
+async-std = { version = "1.12", features = ["attributes", "unstable"] }
+crossbeam-channel = "0.5"
+derive-new = "0.5"
+notify = "5.1"
+once_cell = "1.17"
+serde_json = "1.0"
+serde = { version = "1.0", features = ["derive"] }
+tauri = { version = "1.2", features = ["fs-exists", "fs-read-dir", "fs-read-file", "fs-write-file", "path-all", "shell-open", "system-tray"] }
+windows-service = "0.5.0"
+
+[features]
+# by default Tauri runs in production mode
+# when `tauri dev` runs it is executed with `cargo run --no-default-features` if `devPath` is an URL
+default = ["custom-protocol"]
+# this feature is used used for production builds where `devPath` points to the filesystem
+# DO NOT remove this
+custom-protocol = ["tauri/custom-protocol"]
--- a/ui/build.rs
+++ b/ui/build.rs
@@ -0,0 +1,21 @@
+fn main() {
+    tauri_build::build();
+    if cfg!(target_os = "windows") {
+        let mut res = winres::WindowsResource::new();
+        res.set_icon("icons\\icon.ico");
+        res.set_manifest(
+            r#"
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+    <security>
+        <requestedPrivileges>
+            <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
+        </requestedPrivileges>
+    </security>
+</trustInfo>
+</assembly>
+"#,
+        );
+        res.compile().unwrap();
+    }
+}
--- a/ui/html/.gitignore
+++ b/ui/html/.gitignore
@@ -0,0 +1,24 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+dist
+dist-ssr
+*.local
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+.DS_Store
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?
--- a/ui/html/index.html
+++ b/ui/html/index.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+<title>RustDesk Server</title>
+<link rel="icon" href="data:;base64,=">
+<script>addEventListener('contextmenu', e => e.preventDefault());</script>
+<script type="module" src="/main.js" defer></script>
+</head>
+<body style="visibility: hidden">
+<textarea></textarea>
+<form>
+<label><input type="checkbox"> <p>Turn on auto scroll</p></label>
+<label><p>Press ctrl + s to save</p></label>
+</form>
+</body>
+</html>
--- a/ui/html/main.js
+++ b/ui/html/main.js
@@ -0,0 +1,159 @@
+import 'codemirror/lib/codemirror.css';
+import './style.css';
+import 'codemirror/mode/toml/toml.js';
+import CodeMirror from 'codemirror';
+
+const { event, fs, path, tauri } = window.__TAURI__;
+
+class View {
+    constructor() {
+        Object.assign(this, {
+            content: '',
+            action_time: 0,
+            is_auto_scroll: true,
+            is_edit_mode: false,
+            is_file_changed: false,
+            is_form_changed: false,
+            is_content_changed: false
+        }, ...arguments);
+        addEventListener('DOMContentLoaded', this.init.bind(this));
+    }
+    async init() {
+        this.editor = this.renderEditor();
+        this.editor.on('scroll', this.editorScroll.bind(this));
+        this.editor.on('keypress', this.editorSave.bind(this));
+        this.form = this.renderForm();
+        this.form.addEventListener('change', this.formChange.bind(this));
+        event.listen('__update__', this.appAction.bind(this));
+        event.emit('__action__', '__init__');
+        while (true) {
+            let now = Date.now();
+            try {
+                await this.update();
+                this.render();
+            } catch (e) {
+                console.error(e);
+            }
+            await new Promise(r => setTimeout(r, Math.max(0, 33 - (Date.now() - now))));
+        }
+    }
+    async update() {
+        if (this.is_file_changed) {
+            this.is_file_changed = false;
+            let now = Date.now(),
+                file = await path.resolveResource(this.file);
+            if (await fs.exists(file)) {
+                let content = await fs.readTextFile(file);
+                if (this.action_time < now) {
+                    this.content = content;
+                    this.is_content_changed = true;
+                }
+            } else {
+                if (now >= this.action_time) {
+                    if (this.is_edit_mode) {
+                        this.content = `# https://github.com/rustdesk/rustdesk-server#env-variables
+RUST_LOG=info
+`;
+                    }
+                    this.is_content_changed = true;
+                }
+                console.warn(`${this.file} file is missing`);
+            }
+        }
+    }
+    async editorSave(editor, e) {
+        if (e.ctrlKey && e.keyCode === 19 && this.is_edit_mode && !this.locked) {
+            this.locked = true;
+            try {
+                let now = Date.now(),
+                    content = this.editor.doc.getValue(),
+                    file = await path.resolveResource(this.file);
+                await fs.writeTextFile(file, content);
+                event.emit('__action__', 'restart');
+            } catch (e) {
+                console.error(e);
+            } finally {
+                this.locked = false;
+            }
+        }
+    }
+    editorScroll(e) {
+        let info = this.editor.getScrollInfo(),
+            distance = info.height - info.top - info.clientHeight,
+            is_end = distance < 1;
+        if (this.is_auto_scroll !== is_end) {
+            this.is_auto_scroll = is_end;
+            this.is_form_changed = true;
+        }
+    }
+    formChange(e) {
+        switch (e.target.tagName.toLowerCase()) {
+            case 'input':
+                this.is_auto_scroll = e.target.checked;
+                break;
+        }
+    }
+    appAction(e) {
+        let [action, data] = e.payload;
+        switch (action) {
+            case 'file':
+                if (data === '.env') {
+                    this.is_edit_mode = true;
+                    this.file = `bin/${data}`;
+                } else {
+                    this.is_edit_mode = false;
+                    this.file = `logs/${data}`;
+                }
+                this.action_time = Date.now();
+                this.is_file_changed = true;
+                this.is_form_changed = true;
+                break;
+        }
+    }
+    render() {
+        if (this.is_form_changed) {
+            this.is_form_changed = false;
+            this.renderForm();
+        }
+        if (this.is_content_changed) {
+            this.is_content_changed = false;
+            this.renderEditor();
+        }
+        if (this.is_auto_scroll && !this.is_edit_mode) {
+            this.renderScrollbar();
+        }
+    }
+    renderForm() {
+        let form = this.form || document.querySelector('form'),
+            label = form.querySelectorAll('label'),
+            input = form.querySelector('input');
+        input.checked = this.is_auto_scroll;
+        if (this.is_edit_mode) {
+            label[0].style.display = 'none';
+            label[1].style.display = 'block';
+        } else {
+            label[0].style.display = 'block';
+            label[1].style.display = 'none';
+        }
+        return form;
+    }
+    renderEditor() {
+        let editor = this.editor || CodeMirror.fromTextArea(document.querySelector('textarea'), {
+            mode: { name: 'toml' },
+            lineNumbers: true,
+            autofocus: true
+        });
+        editor.setOption('readOnly', !this.is_edit_mode);
+        editor.doc.setValue(this.content);
+        editor.doc.clearHistory();
+        this.content = '';
+        editor.focus();
+        return editor;
+    }
+    renderScrollbar() {
+        let info = this.editor.getScrollInfo();
+        this.editor.scrollTo(info.left, info.height);
+    }
+}
+
+new View();
--- a/ui/html/package.json
+++ b/ui/html/package.json
@@ -0,0 +1,17 @@
+{
+  "name": "rustdesk_server",
+  "private": true,
+  "version": "0.1.2",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview"
+  },
+  "devDependencies": {
+    "vite": "^4.1.0"
+  },
+  "dependencies": {
+    "codemirror": "v5"
+  }
+}
--- a/ui/html/style.css
+++ b/ui/html/style.css
@@ -0,0 +1,35 @@
+body {
+    visibility: visible !important;
+    margin: 0;
+    background: #fff;
+}
+
+.CodeMirror {
+    height: calc(100vh - 20px);
+}
+
+form {
+    height: 20px;
+    position: fixed;
+    right: 0;
+    bottom: 0;
+    left: 5px;
+    font-size: 13px;
+    background: #fff;
+}
+
+form>label {
+    display: none;
+    vertical-align: middle;
+}
+
+form>label>input,
+form>label>p {
+    height: 19px;
+    padding: 0;
+    display: inline-block;
+    margin: 0;
+    vertical-align: middle;
+    cursor: pointer;
+    user-select: none;
+}
--- a/ui/html/vite.config.js
+++ b/ui/html/vite.config.js
@@ -0,0 +1,8 @@
+import { defineConfig } from 'vite';
+
+export default defineConfig({
+    server: {
+        port: '5177',
+        strictPort: true
+    }
+});
--- a/ui/icons/128x128.png
+++ b/ui/icons/128x128.png
--- a/ui/icons/128x128@2x.png
+++ b/ui/icons/128x128@2x.png
--- a/ui/icons/32x32.png
+++ b/ui/icons/32x32.png
--- a/ui/icons/Square107x107Logo.png
+++ b/ui/icons/Square107x107Logo.png
--- a/ui/icons/Square142x142Logo.png
+++ b/ui/icons/Square142x142Logo.png
--- a/Show More
+++ b/Show More