From 6bface4581bb70dd70a011a78e35633bb90fe1c4 Mon Sep 17 00:00:00 2001 From: ginuerzh Date: Thu, 9 Nov 2023 20:34:59 +0800 Subject: [PATCH] add path option for hop --- config/config.go | 7 +- config/parsing/node/parse.go | 11 +- config/parsing/service/parse.go | 1 + go.mod | 4 +- go.sum | 4 + handler/forward/local/handler.go | 11 +- handler/forward/remote/handler.go | 11 +- hop/hop.go | 21 +++ hop/plugin.go | 3 + internal/util/tls/tls.go | 217 +++++++++++------------------- 10 files changed, 143 insertions(+), 147 deletions(-) diff --git a/config/config.go b/config/config.go index 16110b0..a4bf055 100644 --- a/config/config.go +++ b/config/config.go @@ -327,6 +327,7 @@ type ForwardNodeConfig struct { Host string `yaml:",omitempty" json:"host,omitempty"` Network string `yaml:",omitempty" json:"network,omitempty"` Protocol string `yaml:",omitempty" json:"protocol,omitempty"` + Path string `yaml:",omitempty" json:"path,omitempty"` Bypass string `yaml:",omitempty" json:"bypass,omitempty"` Bypasses []string `yaml:",omitempty" json:"bypasses,omitempty"` HTTP *HTTPNodeConfig `yaml:",omitempty" json:"http,omitempty"` @@ -340,8 +341,9 @@ type HTTPNodeConfig struct { } type TLSNodeConfig struct { - ServerName string `yaml:"serverName,omitempty" json:"serverName,omitempty"` - Secure bool `yaml:",omitempty" json:"secure,omitempty"` + ServerName string `yaml:"serverName,omitempty" json:"serverName,omitempty"` + Secure bool `yaml:",omitempty" json:"secure,omitempty"` + Options *TLSOptions `yaml:",omitempty" json:"options,omitempty"` } type DialerConfig struct { 
@@ -419,6 +421,7 @@ type NodeConfig struct { Host string `yaml:",omitempty" json:"host,omitempty"` Network string `yaml:",omitempty" json:"network,omitempty"` Protocol string `yaml:",omitempty" json:"protocol,omitempty"` + Path string `yaml:",omitempty" json:"path,omitempty"` Interface string `yaml:",omitempty" json:"interface,omitempty"` SockOpts *SockOptsConfig `yaml:"sockopts,omitempty" json:"sockopts,omitempty"` Bypass string `yaml:",omitempty" json:"bypass,omitempty"` diff --git a/config/parsing/node/parse.go b/config/parsing/node/parse.go index 04f051c..1600f2d 100644 --- a/config/parsing/node/parse.go +++ b/config/parsing/node/parse.go @@ -164,6 +164,7 @@ func ParseNode(hop string, cfg *config.NodeConfig) (*chain.Node, error) { chain.MetadataNodeOption(nm), chain.HostNodeOption(host), chain.ProtocolNodeOption(cfg.Protocol), + chain.PathNodeOption(cfg.Path), chain.NetworkNodeOption(cfg.Network), } if cfg.HTTP != nil { @@ -173,10 +174,16 @@ func ParseNode(hop string, cfg *config.NodeConfig) (*chain.Node, error) { })) } if cfg.TLS != nil { - opts = append(opts, chain.TLSNodeOption(&chain.TLSNodeSettings{ + tlsCfg := &chain.TLSNodeSettings{ ServerName: cfg.TLS.ServerName, Secure: cfg.TLS.Secure, - })) + } + if o := cfg.TLS.Options; o != nil { + tlsCfg.Options.MinVersion = o.MinVersion + tlsCfg.Options.MaxVersion = o.MaxVersion + tlsCfg.Options.CipherSuites = o.CipherSuites + } + opts = append(opts, chain.TLSNodeOption(tlsCfg)) } if cfg.Auth != nil { opts = append(opts, chain.AutherNodeOption( diff --git a/config/parsing/service/parse.go b/config/parsing/service/parse.go index 089c1b7..96f0645 100644 --- a/config/parsing/service/parse.go +++ b/config/parsing/service/parse.go @@ -265,6 +265,7 @@ func parseForwarder(cfg *config.ForwarderConfig) (hop.Hop, error) { Host: node.Host, Network: node.Network, Protocol: node.Protocol, + Path: node.Path, Bypass: node.Bypass, Bypasses: node.Bypasses, HTTP: node.HTTP, diff --git a/go.mod b/go.mod index 6532bf0..40a13a1 100644 
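Review bot: `tlsCfg.Options.MinVersion = o.MinVersion` writes into `tlsCfg.Options` without ever allocating it; if `chain.TLSNodeSettings.Options` is a pointer in the bumped go-gost/core (its definition is not on this page) this is a nil dereference for any node with `tls.options` set, and the handlers (handler/forward/local/handler.go @@ -284, handler/forward/remote/handler.go @@ -285) then read `tlsSettings.Options.MinVersion` unconditionally, which would panic per connection for nodes that have TLS but no options. If `Options` is a struct value the code is correct, and a one-line comment saying so next to the assignment would stop the next reader from asking. Either way, copying the same three fields by hand here and in both handlers suggests the whole value could be assigned once, e.g. `tlsCfg.Options = chain.TLSOptions{MinVersion: o.MinVersion, MaxVersion: o.MaxVersion, CipherSuites: o.CipherSuites}`, with the field names confirmed against core. ParseNode starts and ends outside the hunk.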
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,10 @@ require (
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 github.com/gin-contrib/cors v1.3.1
 github.com/gin-gonic/gin v1.9.1
- github.com/go-gost/core v0.0.0-20231107150907-7f581cb668b1
+ github.com/go-gost/core v0.0.0-20231109123312-8e4fc06cf1b7
 github.com/go-gost/gosocks4 v0.0.1
 github.com/go-gost/gosocks5 v0.4.0
- github.com/go-gost/plugin v0.0.0-20231102125124-a1cc7a13e066
+ github.com/go-gost/plugin v0.0.0-20231109123346-0ae4157b9d25
 github.com/go-gost/relay v0.4.1-0.20230916134211-828f314ddfe7
 github.com/go-gost/tls-dissector v0.0.2-0.20220408131628-aac992c27451
 github.com/go-redis/redis/v8 v8.11.5
diff --git a/go.sum b/go.sum
index 20784fd..1c228df 100644
--- a/go.sum
+++ b/go.sum
@@ -93,12 +93,16 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gost/core v0.0.0-20231107150907-7f581cb668b1 h1:hzxZgut10J3Rm0meINWB5yal3gIV9IkThKLbshsd/Mk=
 github.com/go-gost/core v0.0.0-20231107150907-7f581cb668b1/go.mod h1:ndkgWVYRLwupVaFFWv8ML1Nr8tD3xhHK245PLpUDg4E=
+github.com/go-gost/core v0.0.0-20231109123312-8e4fc06cf1b7 h1:sDsPtmP51qf8zN/RbZZj/3vNLCoH0sdvpIRwV6TfzvY=
+github.com/go-gost/core v0.0.0-20231109123312-8e4fc06cf1b7/go.mod h1:ndkgWVYRLwupVaFFWv8ML1Nr8tD3xhHK245PLpUDg4E=
 github.com/go-gost/gosocks4 v0.0.1 h1:+k1sec8HlELuQV7rWftIkmy8UijzUt2I6t+iMPlGB2s=
 github.com/go-gost/gosocks4 v0.0.1/go.mod h1:3B6L47HbU/qugDg4JnoFPHgJXE43Inz8Bah1QaN9qCc=
 github.com/go-gost/gosocks5 v0.4.0 h1:EIrOEkpJez4gwHrMa33frA+hHXJyevjp47thpMQsJzI=
 github.com/go-gost/gosocks5 v0.4.0/go.mod h1:1G6I7HP7VFVxveGkoK8mnprnJqSqJjdcASKsdUn4Pp4=
 github.com/go-gost/plugin v0.0.0-20231102125124-a1cc7a13e066 h1:/pDM9JP9ESSRuAr237yAXB6WiDdjEeulDkaLa9Gw0ss=
 github.com/go-gost/plugin v0.0.0-20231102125124-a1cc7a13e066/go.mod h1:qXr2Zm9Ex2ATqnWuNUzVZqySPMnuIihvblYZt4MlZLw=
+github.com/go-gost/plugin v0.0.0-20231109123346-0ae4157b9d25 h1:sOarC0xAJij4VtEhkJRng5okZW23KlXprxhb5XFZ+pw=
+github.com/go-gost/plugin v0.0.0-20231109123346-0ae4157b9d25/go.mod h1:qXr2Zm9Ex2ATqnWuNUzVZqySPMnuIihvblYZt4MlZLw=
 github.com/go-gost/relay v0.4.1-0.20230916134211-828f314ddfe7 h1:qAG1OyjvdA5h221CfFSS3J359V3d2E7dJWyP29QoDSI=
 github.com/go-gost/relay v0.4.1-0.20230916134211-828f314ddfe7/go.mod h1:lcX+23LCQ3khIeASBo+tJ/WbwXFO32/N5YN6ucuYTG8=
 github.com/go-gost/tls-dissector v0.0.2-0.20220408131628-aac992c27451 h1:xj8gUZGYO3nb5+6Bjw9+tsFkA9sYynrOvDvvC4uDV2I=
diff --git a/handler/forward/local/handler.go b/handler/forward/local/handler.go
index 289c20e..d90ca24 100644
--- a/handler/forward/local/handler.go
+++ b/handler/forward/local/handler.go
@@ -20,10 +20,12 @@ import ( "github.com/go-gost/core/hop" "github.com/go-gost/core/logger" md "github.com/go-gost/core/metadata" + "github.com/go-gost/x/config" xio "github.com/go-gost/x/internal/io" xnet "github.com/go-gost/x/internal/net" auth_util "github.com/go-gost/x/internal/util/auth" "github.com/go-gost/x/internal/util/forward" + tls_util "github.com/go-gost/x/internal/util/tls" "github.com/go-gost/x/registry" ) @@ -232,6 +234,7 @@ func (h *forwardHandler) handleHTTP(ctx context.Context, rw io.ReadWriter, remot target = h.hop.Select(ctx, hop.HostSelectOption(req.Host), hop.ProtocolSelectOption(forward.ProtoHTTP), + hop.PathSelectOption(req.URL.Path), ) } if target == nil { @@ -284,10 +287,16 @@ func (h *forwardHandler) handleHTTP(ctx context.Context, rw io.ReadWriter, remot log.Debugf("connection to node %s(%s)", target.Name, target.Addr) if tlsSettings := target.Options().TLS; tlsSettings != nil { - cc = tls.Client(cc, &tls.Config{ + cfg := &tls.Config{ ServerName: tlsSettings.ServerName, InsecureSkipVerify: !tlsSettings.Secure, + } + tls_util.SetTLSOptions(cfg, &config.TLSOptions{ + MinVersion: tlsSettings.Options.MinVersion, + MaxVersion: tlsSettings.Options.MaxVersion, + CipherSuites: tlsSettings.Options.CipherSuites, }) + cc = tls.Client(cc, cfg) } if err := req.Write(cc); err != nil { diff --git a/handler/forward/remote/handler.go b/handler/forward/remote/handler.go index 9926fec..2c91672 100644 --- a/handler/forward/remote/handler.go +++ b/handler/forward/remote/handler.go 
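Review bot: `hop.PathSelectOption(req.URL.Path)` hands the raw request path to the selector, so it should be normalized first — `hop.PathSelectOption(path.Clean("/" + req.URL.Path))` — otherwise a path containing `..` or doubled slashes is matched against node prefixes differently from how the upstream will resolve it, and a request intended for one node's prefix can end up routed to another; the `"/" +` also turns an empty path into `/` instead of `path.Clean`'s `.`. Whether a trailing slash must survive for prefix matching (`/api/` vs `/api`) depends on the hop's matching rule, so that choice deserves a comment at the call site. The identical line is added in handler/forward/remote/handler.go (@@ -233), which needs the same treatment. handleHTTP starts and ends outside the hunk.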
@@ -21,11 +21,13 @@ import ( "github.com/go-gost/core/logger" mdata "github.com/go-gost/core/metadata" mdutil "github.com/go-gost/core/metadata/util" + "github.com/go-gost/x/config" xio "github.com/go-gost/x/internal/io" xnet "github.com/go-gost/x/internal/net" "github.com/go-gost/x/internal/net/proxyproto" auth_util "github.com/go-gost/x/internal/util/auth" "github.com/go-gost/x/internal/util/forward" + tls_util "github.com/go-gost/x/internal/util/tls" "github.com/go-gost/x/registry" ) @@ -233,6 +235,7 @@ func (h *forwardHandler) handleHTTP(ctx context.Context, rw io.ReadWriter, remot target = h.hop.Select(ctx, hop.HostSelectOption(req.Host), hop.ProtocolSelectOption(forward.ProtoHTTP), + hop.PathSelectOption(req.URL.Path), ) } if target == nil { @@ -285,10 +288,16 @@ func (h *forwardHandler) handleHTTP(ctx context.Context, rw io.ReadWriter, remot log.Debugf("new connection to node %s(%s)", target.Name, target.Addr) if tlsSettings := target.Options().TLS; tlsSettings != nil { - cc = tls.Client(cc, &tls.Config{ + cfg := &tls.Config{ ServerName: tlsSettings.ServerName, InsecureSkipVerify: !tlsSettings.Secure, + } + tls_util.SetTLSOptions(cfg, &config.TLSOptions{ + MinVersion: tlsSettings.Options.MinVersion, + MaxVersion: tlsSettings.Options.MaxVersion, + CipherSuites: tlsSettings.Options.CipherSuites, }) + cc = tls.Client(cc, cfg) } cc = proxyproto.WrapClientConn(h.md.proxyProtocol, remoteAddr, localAddr, cc) diff --git a/hop/hop.go b/hop/hop.go index cbfdbe4..9ca780b 100644 --- a/hop/hop.go +++ b/hop/hop.go @@ -6,6 +6,7 @@ import ( "encoding/json" "io" "net" + "sort" "strings" "sync" "time" 
@@ -179,6 +180,26 @@ func (p *chainHop) Select(ctx context.Context, opts ...hop.SelectOption) *chain. } } + // filter by path + if path := options.Path; path != "" { + p.options.logger.Debugf("filter by path: %s", path) + sort.SliceStable(filters, func(i, j int) bool { + return len(filters[i].Options().Path) > len(filters[j].Options().Path) + }) + var nodes []*chain.Node + for _, node := range filters { + if node.Options().Path == "" { + nodes = append(nodes, node) + continue + } + if strings.HasPrefix(path, node.Options().Path) { + nodes = append(nodes, node) + break + } + } + filters = nodes + } + var nodes []*chain.Node for _, node := range filters { if node == nil { diff --git a/hop/plugin.go b/hop/plugin.go index 882ca18..612d0e1 100644 --- a/hop/plugin.go +++ b/hop/plugin.go @@ -67,6 +67,7 @@ func (p *grpcPlugin) Select(ctx context.Context, opts ...hop.SelectOption) *chai Network: options.Network, Addr: options.Addr, Host: options.Host, + Path: options.Path, Client: string(auth_util.IDFromContext(ctx)), }) if err != nil { @@ -103,6 +104,7 @@ type httpPluginRequest struct { Network string `json:"network"` Addr string `json:"addr"` Host string `json:"host"` + Path string `json:"path"` Client string `json:"client"` } @@ -151,6 +153,7 @@ func (p *httpPlugin) Select(ctx context.Context, opts ...hop.SelectOption) *chai Network: options.Network, Addr: options.Addr, Host: options.Host, + Path: options.Path, Client: string(auth_util.IDFromContext(ctx)), } v, err := json.Marshal(&rb) diff --git a/internal/util/tls/tls.go b/internal/util/tls/tls.go index e6b67fb..d7301ec 100644 --- a/internal/util/tls/tls.go +++ b/internal/util/tls/tls.go 
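Review bot: The `break` after the first `strings.HasPrefix` match keeps exactly one node even when several nodes are configured with the same path, so nodes that share a prefix for load balancing collapse to whichever sorts first; if sharing a path is meant to work, every node with the matched path should be kept. Two further points on the same block: `sort.SliceStable(filters, …)` reorders `filters` in place, and if `filters` still aliases the hop's own node slice (its origin is above the hunk and not visible) every Select call mutates shared state and races with concurrent callers, so sort a copy; and `node.Options()` is called without the nil guard that the loop immediately below applies. `HasPrefix` also matches `/apix` against `/api`; a segment-boundary check avoids that. Select starts and ends outside the hunk; a sketch of the block with these changes follows.
```go
	// filter by path
	if path := options.Path; path != "" {
		p.options.logger.Debugf("filter by path: %s", path)
		// The loop below tolerates nil nodes; treat them as path-less here too.
		nodePath := func(n *chain.Node) string {
			if n == nil {
				return ""
			}
			return n.Options().Path
		}
		// Sort a copy: filters may alias the hop's node slice and Select may run concurrently.
		sorted := make([]*chain.Node, len(filters))
		copy(sorted, filters)
		sort.SliceStable(sorted, func(i, j int) bool {
			return len(nodePath(sorted[i])) > len(nodePath(sorted[j]))
		})
		var nodes []*chain.Node
		matched := "" // longest path that matched so far
		for _, node := range sorted {
			np := nodePath(node)
			if matched != "" && np != matched {
				break // a longer prefix already matched; drop shorter ones and catch-alls
			}
			if np == "" {
				nodes = append(nodes, node) // catch-all: only reached when nothing matched
				continue
			}
			// Match on a path-segment boundary so "/api" does not capture "/apix".
			if strings.HasPrefix(path, np) &&
				(len(path) == len(np) || strings.HasSuffix(np, "/") || path[len(np)] == '/') {
				nodes = append(nodes, node)
				matched = np
			}
		}
		filters = nodes
	}
```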
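Review bot: `Path string `json:"path"`` is a new wire field in httpPluginRequest with no comment, and unlike its neighbours it carries the request URL path exactly as the client sent it; a field comment such as `// Path is the request URL path as received from the client; not normalized.` tells plugin authors to treat it as untrusted input rather than a trusted routing key. The same value is sent to the gRPC plugin in the hunk at @@ -67 and to the HTTP plugin body at @@ -151, so the caveat applies to both transports.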
@@ -88,76 +88,7 @@ func LoadServerConfig(config *config.TLSConfig) (*tls.Config, error) { cfg.ClientAuth = tls.RequireAndVerifyClientCert } - if opts := config.Options; opts != nil { - switch strings.ToLower(opts.MinVersion) { - case strings.ToLower(VersionTLS10): - cfg.MinVersion = tls.VersionTLS10 - case strings.ToLower(VersionTLS11): - cfg.MinVersion = tls.VersionTLS11 - case strings.ToLower(VersionTLS12): - cfg.MinVersion = tls.VersionTLS12 - case strings.ToLower(VersionTLS13): - cfg.MinVersion = tls.VersionTLS13 - } - switch strings.ToLower(opts.MaxVersion) { - case strings.ToLower(VersionTLS10): - cfg.MaxVersion = tls.VersionTLS10 - case strings.ToLower(VersionTLS11): - cfg.MaxVersion = tls.VersionTLS11 - case strings.ToLower(VersionTLS12): - cfg.MaxVersion = tls.VersionTLS12 - case strings.ToLower(VersionTLS13): - cfg.MaxVersion = tls.VersionTLS13 - } - for _, v := range opts.CipherSuites { - switch strings.ToLower(v) { - case strings.ToLower(TLS_RSA_WITH_RC4_128_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_RC4_128_SHA) - case strings.ToLower(TLS_RSA_WITH_3DES_EDE_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA) - case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA) - case strings.ToLower(TLS_RSA_WITH_AES_256_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_CBC_SHA) - case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256) - case strings.ToLower(TLS_RSA_WITH_AES_128_GCM_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256) - case strings.ToLower(TLS_RSA_WITH_AES_256_GCM_SHA384): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, 
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_RC4_128_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) - case strings.ToLower(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, 
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) - } - } - } + SetTLSOptions(cfg, config.Options) return cfg, nil } 
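Review bot: `SetTLSOptions(cfg, config.Options)` is called unconditionally here, while the matching hunk in LoadClientConfig (@@ -188) wraps the same call in `if config.Options != nil`; since SetTLSOptions already returns on a nil opts the guard is redundant, and the two loaders should read the same way — drop the guard in LoadClientConfig. LoadServerConfig starts outside the hunk.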
@@ -188,75 +119,8 @@ func LoadClientConfig(config *config.TLSConfig) (*tls.Config, error) { cfg.ServerName = config.ServerName cfg.InsecureSkipVerify = !config.Secure - if opts := config.Options; opts != nil { - switch strings.ToLower(opts.MinVersion) { - case strings.ToLower(VersionTLS10): - cfg.MinVersion = tls.VersionTLS10 - case strings.ToLower(VersionTLS11): - cfg.MinVersion = tls.VersionTLS11 - case strings.ToLower(VersionTLS12): - cfg.MinVersion = tls.VersionTLS12 - case strings.ToLower(VersionTLS13): - cfg.MinVersion = tls.VersionTLS13 - } - switch strings.ToLower(opts.MaxVersion) { - case strings.ToLower(VersionTLS10): - cfg.MaxVersion = tls.VersionTLS10 - case strings.ToLower(VersionTLS11): - cfg.MaxVersion = tls.VersionTLS11 - case strings.ToLower(VersionTLS12): - cfg.MaxVersion = tls.VersionTLS12 - case strings.ToLower(VersionTLS13): - cfg.MaxVersion = tls.VersionTLS13 - } - for _, v := range opts.CipherSuites { - switch strings.ToLower(v) { - case strings.ToLower(TLS_RSA_WITH_RC4_128_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_RC4_128_SHA) - case strings.ToLower(TLS_RSA_WITH_3DES_EDE_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA) - case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA) - case strings.ToLower(TLS_RSA_WITH_AES_256_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_CBC_SHA) - case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256) - case strings.ToLower(TLS_RSA_WITH_AES_128_GCM_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256) - case strings.ToLower(TLS_RSA_WITH_AES_256_GCM_SHA384): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA): - cfg.CipherSuites = 
append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_RC4_128_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) - case strings.ToLower(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, 
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) - case strings.ToLower(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256): - cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) - } - } + if config.Options != nil { + SetTLSOptions(cfg, config.Options) } // If the root ca is given, but skip verify, we verify the certificate manually. 
@@ -285,6 +149,81 @@ func LoadClientConfig(config *config.TLSConfig) (*tls.Config, error) { return cfg, nil } +func SetTLSOptions(cfg *tls.Config, opts *config.TLSOptions) { + if cfg == nil || opts == nil { + return + } + + switch strings.ToLower(opts.MinVersion) { + case strings.ToLower(VersionTLS10): + cfg.MinVersion = tls.VersionTLS10 + case strings.ToLower(VersionTLS11): + cfg.MinVersion = tls.VersionTLS11 + case strings.ToLower(VersionTLS12): + cfg.MinVersion = tls.VersionTLS12 + case strings.ToLower(VersionTLS13): + cfg.MinVersion = tls.VersionTLS13 + } + switch strings.ToLower(opts.MaxVersion) { + case strings.ToLower(VersionTLS10): + cfg.MaxVersion = tls.VersionTLS10 + case strings.ToLower(VersionTLS11): + cfg.MaxVersion = tls.VersionTLS11 + case strings.ToLower(VersionTLS12): + cfg.MaxVersion = tls.VersionTLS12 + case strings.ToLower(VersionTLS13): + cfg.MaxVersion = tls.VersionTLS13 + } + for _, v := range opts.CipherSuites { + switch strings.ToLower(v) { + case strings.ToLower(TLS_RSA_WITH_RC4_128_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_RC4_128_SHA) + case strings.ToLower(TLS_RSA_WITH_3DES_EDE_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA) + case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA) + case strings.ToLower(TLS_RSA_WITH_AES_256_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_CBC_SHA) + case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256) + case strings.ToLower(TLS_RSA_WITH_AES_128_GCM_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256) + case strings.ToLower(TLS_RSA_WITH_AES_256_GCM_SHA384): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA): + 
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) + case strings.ToLower(TLS_ECDHE_RSA_WITH_RC4_128_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA) + case strings.ToLower(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) + case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) + case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) + case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) + case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + case strings.ToLower(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, 
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) + case strings.ToLower(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256): + cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) + } + } +} + func loadCA(caFile string) (cp *x509.CertPool, err error) { if caFile == "" { return
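Review bot: An unrecognized value in `opts.MinVersion`, `opts.MaxVersion` or `opts.CipherSuites` is silently dropped by the `switch` statements — no `default` case, no error, no log — so a misspelled version name leaves cfg at the crypto/tls defaults and a misspelled suite name is quietly omitted, weakening the operator's intended policy without any signal. Since the function is introduced by this commit, returning an error for unknown names and propagating it from LoadServerConfig/LoadClientConfig (the two handler call sites can log it) is the cheapest fix, and the version lookup factors into a small helper, sketched below (needs `fmt` imported). The exported function also has no doc comment; `// SetTLSOptions applies the version bounds and cipher suite list from opts to cfg; names are matched case-insensitively.` is enough. Note too that suites are appended to `cfg.CipherSuites` rather than replacing it, and the recognized list still carries the RC4 and 3DES suites that `tls.InsecureCipherSuites()` reports — if those stay for compatibility, say so in a comment.
```go
// SetTLSOptions applies the version bounds and cipher suite list from opts
// to cfg. Names are matched case-insensitively; an unknown name is returned
// as an error instead of being ignored, so a typo cannot weaken the policy.
func SetTLSOptions(cfg *tls.Config, opts *config.TLSOptions) error {
	if cfg == nil || opts == nil {
		return nil
	}
	if v := opts.MinVersion; v != "" {
		ver, ok := parseTLSVersion(v)
		if !ok {
			return fmt.Errorf("unknown TLS min version %q", v)
		}
		cfg.MinVersion = ver
	}
	if v := opts.MaxVersion; v != "" {
		ver, ok := parseTLSVersion(v)
		if !ok {
			return fmt.Errorf("unknown TLS max version %q", v)
		}
		cfg.MaxVersion = ver
	}
	// … unchanged: cipher suite switch, plus a default case returning
	// fmt.Errorf("unknown TLS cipher suite %q", v) …
	return nil
}

// parseTLSVersion maps a configured version name to its crypto/tls constant.
func parseTLSVersion(s string) (uint16, bool) {
	switch strings.ToLower(s) {
	case strings.ToLower(VersionTLS10):
		return tls.VersionTLS10, true
	case strings.ToLower(VersionTLS11):
		return tls.VersionTLS11, true
	case strings.ToLower(VersionTLS12):
		return tls.VersionTLS12, true
	case strings.ToLower(VersionTLS13):
		return tls.VersionTLS13, true
	}
	return 0, false
}
```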