diff --git a/auth.go b/auth.go
index f3e4e31..1be96e9 100644
--- a/auth.go
+++ b/auth.go
@@ -56,7 +56,7 @@ func (au *LocalAuthenticator) Add(k, v string) {
 	au.kvs[k] = v
 }
 
-// Reload parses config from r, then live reloads the bypass.
+// Reload parses config from r, then live reloads the Authenticator.
 func (au *LocalAuthenticator) Reload(r io.Reader) error {
 	var period time.Duration
 	kvs := make(map[string]string)
diff --git a/cmd/gost/cfg.go b/cmd/gost/cfg.go
index aca4b2e..fdc4eab 100644
--- a/cmd/gost/cfg.go
+++ b/cmd/gost/cfg.go
@@ -45,12 +45,10 @@ var (
 
 // Load the certificate from cert and key files, will use the default certificate if the provided info are invalid.
 func tlsConfig(certFile, keyFile string) (*tls.Config, error) {
-	if certFile == "" {
-		certFile = defaultCertFile
-	}
-	if keyFile == "" {
-		keyFile = defaultKeyFile
+	if certFile == "" || keyFile == "" {
+		certFile, keyFile = defaultCertFile, defaultKeyFile
 	}
+
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 	if err != nil {
 		return nil, err
diff --git a/cmd/gost/main.go b/cmd/gost/main.go
index 8e01dd3..a7bfad0 100644
--- a/cmd/gost/main.go
+++ b/cmd/gost/main.go
@@ -5,10 +5,11 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"net/http"
 	"os"
 	"runtime"
 
-	// _ "net/http/pprof"
+	_ "net/http/pprof"
 
 	"github.com/ginuerzh/gost"
 	"github.com/go-log/log"
@@ -53,9 +54,11 @@ func init() {
 }
 
 func main() {
-	// go func() {
-	// 	log.Log(http.ListenAndServe("localhost:6060", nil))
-	// }()
+	if os.Getenv("PROFILING") != "" {
+		go func() {
+			log.Log(http.ListenAndServe("127.0.0.1:16060", nil))
+		}()
+	}
 
 	// NOTE: as of 2.6, you can use custom cert/key files to initialize the default certificate.
 	tlsConfig, err := tlsConfig(defaultCertFile, defaultKeyFile)
diff --git a/http.go b/http.go
index 01ec157..75913d7 100644
--- a/http.go
+++ b/http.go
@@ -128,14 +128,14 @@ func (h *httpHandler) handleRequest(conn net.Conn, req *http.Request) {
 		return
 	}
 
-	host := req.Host
 	// try to get the actual host.
 	if v := req.Header.Get("Gost-Target"); v != "" {
 		if h, err := decodeServerName(v); err == nil {
-			host = h
+			req.Host = h
 		}
 	}
 
+	host := req.Host
 	if _, port, _ := net.SplitHostPort(host); port == "" {
 		host = net.JoinHostPort(host, "80")
 	}
@@ -152,7 +152,6 @@ func (h *httpHandler) handleRequest(conn net.Conn, req *http.Request) {
 		log.Logf("[http] %s -> %s\n%s", conn.RemoteAddr(), conn.LocalAddr(), string(dump))
 	}
 
-	req.Host = host
 	req.Header.Del("Gost-Target")
 
 	resp := &http.Response{
@@ -305,6 +304,8 @@ func (h *httpHandler) authenticate(conn net.Conn, req *http.Request, resp *http.
 
 	// probing resistance is enabled
 	if ss := strings.SplitN(h.options.ProbeResist, ":", 2); len(ss) == 2 {
+		resp.StatusCode = http.StatusServiceUnavailable // default status code
+
 		switch ss[0] {
 		case "code":
 			resp.StatusCode, _ = strconv.Atoi(ss[1])
diff --git a/http2.go b/http2.go
index 3368cdd..a750b89 100644
--- a/http2.go
+++ b/http2.go
@@ -463,6 +463,9 @@ func (h *http2Handler) authenticate(w http.ResponseWriter, r *http.Request, resp
 
 	// probing resistance is enabled
 	if ss := strings.SplitN(h.options.ProbeResist, ":", 2); len(ss) == 2 {
+		resp.StatusCode = http.StatusServiceUnavailable // default status code
+		w.Header().Del("Proxy-Agent")
+
 		switch ss[0] {
 		case "code":
 			resp.StatusCode, _ = strconv.Atoi(ss[1])
@@ -502,7 +505,6 @@ func (h *http2Handler) authenticate(w http.ResponseWriter, r *http.Request, resp
 		resp.StatusCode = http.StatusProxyAuthRequired
 		resp.Header.Add("Proxy-Authenticate", "Basic realm=\"gost\"")
 	} else {
-		w.Header().Del("Proxy-Agent")
 		resp.Header = http.Header{}
 		resp.Header.Set("Server", "nginx/1.14.1")
 		resp.Header.Set("Date", time.Now().Format(http.TimeFormat))