update README

README.md

@@ -12,15 +12,14 @@ gost - GO Simple Tunnel
 * 支持标准HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5代理协议
 * SOCKS5代理支持TLS协商加密
 * Tunnel UDP over TCP
-* 支持Shadowsocks协议
+* 支持Shadowsocks协议 (UDP: 2.4+)
-* Shadowsocks UDP relay (2.4+)
+* 本地/远程TCP/UDP端口转发 (2.1+)
-* 本地/远程TCP/UDP端口转发
 * 支持KCP协议 (2.3+)
 * TCP透明代理 (2.3+)
-* HTTP2隧道 (2.4+)
+* HTTP2通道 (2.4+)
-* SSH隧道 (2.4+)
+* SSH通道 (2.4+)
-* QUIC隧道 (2.4+)
+* QUIC通道 (2.4+)
-* obfs4隧道 (2.4+)
+* obfs4通道 (2.4+)
 
 二进制文件下载：https://github.com/ginuerzh/gost/releases
 
@@ -39,17 +38,17 @@ Google讨论组: https://groups.google.com/d/forum/go-gost
 ```
 scheme分为两部分: protocol+transport
 
-protocol: 代理协议类型(http, socks4(a), socks5, ss), transport: 数据传输方式(ws, wss, tls, quic, kcp, ssh, h2, h2c), 二者可以任意组合，或单独使用:
+protocol: 代理协议类型(http, socks4(a), socks5, ss), transport: 数据传输方式(ws, wss, tls, quic, kcp, ssh, h2, h2c, obfs4), 二者可以任意组合，或单独使用:
 
 > http - 标准HTTP代理: http://:8080
 
-> https - 标准HTTPS代理(可能需要提供受信任的证书): https://:443或https://:443
+> https - 标准HTTPS代理(可能需要提供受信任的证书): http+tls://:443或https://:443
 
 > http2 - 标准HTTP2代理并向下兼容HTTPS: http2://:443
 
-> h2 - HTTP2 h2隧道: h2://:443
+> h2 - HTTP2 h2通道: h2://:443
 
-> h2c - HTTP2 h2c隧道: h2c://:443
+> h2c - HTTP2 h2c通道: h2c://:443
 
 > socks4(a) - 标准SOCKS4(A)代理: socks4://:1080或socks4a://:1080
 
@@ -63,15 +62,15 @@ protocol: 代理协议类型(http, socks4(a), socks5, ss), transport: 数据传
 
 > ssu - Shadowsocks UDP relay: ssu://chacha20:123456@:8338
 
-> quic - QUIC隧道: quic://:6121
+> quic - QUIC通道: quic://:6121
 
 > kcp - KCP通道: kcp://:8388或kcp://aes:123456@:8388
 
 > redirect - 透明代理: redirect://:12345
 
-> ssh - SSH代理隧道: ssh://:2222，SSH转发隧道: forward+ssh://:2222
+> ssh - SSH代理通道: ssh://:2222，SSH转发通道: forward+ssh://:2222
 
-> obfs4 - obfs4隧道: obfs4://:8080
+> obfs4 - obfs4通道: obfs4://:8080
 
 
 #### 端口转发
@@ -162,14 +161,14 @@ gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
 ```bash
 gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN
 ```
-gost按照-F设置的顺序通过代理链将请求最终转发给a.b.c.d:NNNN处理，每一个转发代理可以是任意HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks类型代理。
+gost按照-F设置的顺序通过代理链将请求最终转发给a.b.c.d:NNNN处理，每一个转发代理可以是任意HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks类型代理。
 
 #### 本地端口转发(TCP)
 
 ```bash
 gost -L=tcp://:2222/192.168.1.1:22 [-F=...]
 ```
-将本地TCP端口2222上的数据(通过代理链)转发到192.168.1.1:22上。当代理链末端(最后一个-F参数)为SSH转发隧道类型时，gost会直接使用SSH的本地端口转发功能:
+将本地TCP端口2222上的数据(通过代理链)转发到192.168.1.1:22上。当代理链末端(最后一个-F参数)为SSH转发通道类型时，gost会直接使用SSH的本地端口转发功能:
 
 ```bash
 gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
@@ -190,7 +189,7 @@ gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...]
 ```bash
 gost -L=rtcp://:2222/192.168.1.1:22 [-F=...]
 ```
-将172.24.10.1:2222上的数据(通过代理链)转发到192.168.1.1:22上。当代理链末端(最后一个-F参数)为SSH转发隧道类型时，gost会直接使用SSH的远程端口转发功能:
+将172.24.10.1:2222上的数据(通过代理链)转发到192.168.1.1:22上。当代理链末端(最后一个-F参数)为SSH转发通道类型时，gost会直接使用SSH的远程端口转发功能:
 
 ```bash
 gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
@@ -209,7 +208,7 @@ gost -L=rudp://:5353/192.168.1.1:53 [-F=...]
 
 gost的HTTP2支持两种模式：
 * 作为标准的HTTP2代理，并向下兼容HTTPS代理。
-* 作为隧道传输其他协议。
+* 作为通道传输其他协议。
 
 ##### 代理模式
 服务端:
@@ -221,7 +220,7 @@ gost -L=http2://:443
 gost -L=:8080 -F=http2://server_ip:443
 ```
 
-##### 隧道模式
+##### 通道模式
 服务端:
 ```bash
 gost -L=h2://:443
@@ -269,8 +268,8 @@ gost -L=kcp://:8388?c=/path/to/conf/file
 #### SSH
 
 gost的SSH支持两种模式：
-* 作为转发隧道，配合本地/远程TCP端口转发使用。
+* 作为转发通道，配合本地/远程TCP端口转发使用。
-* 作为隧道传输其他协议。
+* 作为通道传输其他协议。
 
 ##### 转发模式
 服务端:
@@ -282,7 +281,7 @@ gost -L=forward+ssh://:2222
 gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222
 ```
 
-##### 隧道模式
+##### 通道模式
 服务端:
 ```bash
 gost -L=ssh://:2222
@@ -337,7 +336,7 @@ gost -L=:8080 -F=http+tls://server_ip:443
 #### HTTP2
 gost的HTTP2代理模式仅支持使用TLS加密的HTTP2协议，不支持明文HTTP2传输。
 
-gost的HTTP2隧道模式支持加密(h2)和明文(h2c)两种模式。
+gost的HTTP2通道模式支持加密(h2)和明文(h2c)两种模式。
 
 #### SOCKS5
 gost支持标准SOCKS5协议的no-auth(0x00)和user/pass(0x02)方法，并在此基础上扩展了两个：tls(0x80)和tls-auth(0x82)，用于数据加密。
@@ -382,11 +381,11 @@ gost内置了TLS证书，如果需要使用其他TLS证书，有两种方法：
 gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"
 ```
 
-对于客户端可以指定CA证书进行证书锁定(Certificate Pinning):
+对于客户端可以指定CA证书进行[证书锁定](https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning)(Certificate Pinning):
 ```bash
 gost -L=:8080 -F="http2://:443?ca=ca.pem"
 ```
-此功能由[@sheerun](https://github.com/sheerun)贡献
+证书锁定功能由[@sheerun](https://github.com/sheerun)贡献
 
 SOCKS5 UDP数据处理
 ------
@@ -421,7 +420,7 @@ gost作为标准SOCKS5代理处理UDP数据
 
 多组权限可以通过`+`进行连接:
 
-`whitelist=rtcp,rudp:localhost,127.0.0.1:2222,8000-9000+udp:8.8.8.8,8.8.4.4:53`(允许TCP/UDP远程端口转发绑定到localhost,127.0.0.1的2222端口和8000-9000端口范围，同时允许UDP转发到8.8.8.8:53和8.8.4.4:53)
+`whitelist=rtcp,rudp:localhost,127.0.0.1:2222,8000-9000+udp:8.8.8.8,8.8.4.4:53`(允许TCP/UDP远程端口转发绑定到localhost,127.0.0.1的2222端口和8000-9000端口范围，同时允许UDP转发到8.8.8.8:53和8.8.4.4:53)。
 
 SSH远程端口转发只能绑定到127.0.0.1:8000
 ```bash

README_en.md

@@ -7,16 +7,17 @@ Features
 ------
 * Listening on multiple ports
 * Multi-level forward proxy - proxy chain
-* Standard HTTP/HTTPS/SOCKS4(A)/SOCKS5 proxy protocols support
+* Standard HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5 proxy protocols support
 * TLS encryption via negotiation support for SOCKS5 proxy
 * Tunnel UDP over TCP
-* Shadowsocks protocol support (OTA: 2.2+, UDP: 2.4+)
+* Shadowsocks protocol support (UDP: 2.4+)
-* Local/remote port forwarding (2.1+)
+* Local/remote TCP/UDP port forwarding (2.1+)
-* HTTP 2.0 support (2.2+)
-* Experimental QUIC support (2.3+)
 * KCP protocol support (2.3+)
-* Transparent proxy (2.3+)
+* Transparent TCP proxy (2.3+)
+* HTTP2 tunnel (2.4+)
 * SSH tunnel (2.4+)
+* QUIC tunnel (2.4+)
+* obfs4 tunnel (2.4+)
 
 Binary file download：https://github.com/ginuerzh/gost/releases
 
@@ -36,36 +37,40 @@ Effective for the -L and -F parameters
 ```
 scheme can be divided into two parts: protocol+transport
 
-protocol: proxy protocol types (http, socks4(a), socks5, shadowsocks), 
+protocol: proxy protocol types (http, socks4(a), socks5, ss), 
-transport: data transmission mode (ws, wss, tls, http2, quic, kcp, pht), may be used in any combination or individually:
+transport: data transmission mode (ws, wss, tls, quic, kcp, ssh, h2, h2c, obfs4), may be used in any combination or individually:
 
 > http - standard HTTP proxy: http://:8080
 
-> http+tls - standard HTTPS proxy (may need to provide a trusted certificate): http+tls://:443 or https://:443
+> https - standard HTTPS proxy (may need to provide a trusted certificate): http+tls://:443 or https://:443
 
 > http2 - HTTP2 proxy and backwards-compatible with HTTPS proxy: http2://:443
 
+> h2 - HTTP2 h2 tunnel: h2://:443
+
+> h2c - HTTP2 h2c tunnel: h2c://:443
+
 > socks4(a) - standard SOCKS4(A) proxy: socks4://:1080 or socks4a://:1080
 
-> socks - standard SOCKS5 proxy: socks://:1080
+> socks5 - standard SOCKS5 proxy: socks5://:1080
 
-> socks+wss - SOCKS5 over websocket: socks+wss://:1080
+> socks5+wss - SOCKS5 over websocket: socks5+wss://:1080
 
-> tls - HTTPS/SOCKS5 over TLS: tls://:443
+> tls - HTTPS/SOCKS4/SOCKS5 over TLS: tls://:443
 
-> ss - standard shadowsocks proxy, ss://chacha20:123456@:8338
+> ss - standard shadowsocks proxy: ss://chacha20:123456@:8338
 
-> ssu - shadowsocks UDP relay，ssu://chacha20:123456@:8338
+> ssu - shadowsocks UDP relay server: ssu://chacha20:123456@:8338
 
-> quic - standard QUIC proxy, quic://:6121
+> quic - QUIC tunnel: quic://:6121
 
-> kcp - standard KCP tunnel，kcp://:8388 or kcp://aes:123456@:8388
+> kcp - KCP tunnel: kcp://:8388 or kcp://aes:123456@:8388
 
-> pht - plain HTTP tunnel, pht://:8080
+> redirect - transparent proxy: redirect://:12345
 
-> redirect - transparent proxy，redirect://:12345
+> ssh - SSH proxy tunnel: ssh://:2222, SSH forward tunnel: forward+ssh://:2222
 
-> ssh - SSH tunnel, ssh://admin:123456@:2222
+> obfs4 - obfs4 tunnel: obfs4://:8080
 
 #### Port forwarding
 
@@ -82,6 +87,8 @@ scheme://[bind_address]:port/[host]:hostport
 
 #### Configuration file
 
+Contributed by [@septs](https://github.com/septs).
+
 > -C : specifies the configuration file path
 
 The configuration file is in standard JSON format:
@@ -100,21 +107,13 @@ The configuration file is in standard JSON format:
 
 ServeNodes is equivalent to the -L parameter, ChainNodes is equivalent to the -F parameter.
 
-#### Logging
-
-> -logtostderr : log to console
-
-> -v=3 : log level (1-5)，The higher the level, the more detailed the log (level 5 will enable HTTP2 debug)
-
-> -log_dir=/log/dir/path : log to directory /log/dir/path
-
 Usage
 ------
 #### No forward proxy
 
 <img src="https://ginuerzh.github.io/images/gost_01.png" />
 
-* Standard HTTP/SOCKS5 proxy
+* Standard HTTP/SOCKS4/SOCKS5 proxy
 ```bash
 gost -L=:8080
 ```
@@ -139,7 +138,7 @@ test002 12345678
 
 * Listen on multiple ports
 ```bash
-gost -L=http2://:443 -L=socks://:1080 -L=ss://aes-128-cfb:123456@:8338
+gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338
 ```
 
 #### Forward proxy
@@ -158,50 +157,58 @@ gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
 
 <img src="https://ginuerzh.github.io/images/gost_03.png" />
 ```bash
-gost -L=:8080 -F=http+tls://192.168.1.1:443 -F=socks+ws://192.168.1.2:1080 -F=ss://aes-128-cfb:123456@192.168.1.3:8338 -F=a.b.c.d:NNNN
+gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN
 ```
 Gost forwards the request to a.b.c.d:NNNN through the proxy chain in the order set by -F, 
-each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks type.
+each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type.
 
 #### Local TCP port forwarding
 
 ```bash
-gost -L=tcp://:2222/192.168.1.1:22 -F=...
+gost -L=tcp://:2222/192.168.1.1:22 [-F=...]
+```
+The data on the local TCP port 2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH forwad tunnel, then gost will use the local port forwarding function of SSH directly:
+
+```bash
+gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
 ```
-The data on the local TCP port 2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH tunnel, then gost will use the local port forwarding function of SSH directly.
 
 #### Local UDP port forwarding
 
 ```bash
-gost -L=udp://:5353/192.168.1.1:53?ttl=60 -F=...
+gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...]
 ```
 The data on the local UDP port 5353 is forwarded to 192.168.1.1:53 (through the proxy chain). 
 Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the `ttl` parameter. The default value is 60 seconds.
 
-**NOTE:** When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy.
+**NOTE:** When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy, gost will use UDP-over-TCP to forward data.
 
 #### Remote TCP port forwarding
 
 ```bash
-gost -L=rtcp://:2222/192.168.1.1:22 -F=... -F=socks://172.24.10.1:1080
+gost -L=rtcp://:2222/192.168.1.1:22 [-F=...]
+```
+The data on 172.24.10.1:2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH tunnel, then gost will use the remote port forwarding function of SSH directly:
+
+```bash
+gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
 ```
-The data on 172.24.10.1:2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH tunnel, then gost will use the remote port forwarding function of SSH directly.
 
 #### Remote UDP port forwarding
 
 ```bash
-gost -L=rudp://:5353/192.168.1.1:53 -F=... -F=socks://172.24.10.1:1080
+gost -L=rudp://:5353/192.168.1.1:53 [-F=...]
 ```
 The data on 172.24.10.1:5353 is forwarded to 192.168.1.1:53 (through the proxy chain).
 
-**NOTE:** To use the remote port forwarding feature, the proxy chain can not be empty (at least one -F parameter is set) 
+**NOTE:** When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy, gost will use UDP-over-TCP to forward data.
-and the end of the chain (last -F parameter) must be gost SOCKS5 proxy.
 
 #### HTTP2
-Gost HTTP2 supports two modes and self-adapting:
+Gost HTTP2 supports two modes:
 * As a standard HTTP2 proxy, and backwards-compatible with the HTTPS proxy.
-* As transport (similar to wss), tunnel other protocol.
+* As a transport tunnel.
 
+##### Standard proxy
 Server:
 ```bash
 gost -L=http2://:443
@@ -211,11 +218,15 @@ Client:
 gost -L=:8080 -F=http2://server_ip:443?ping=30
 ```
 
-The client supports the `ping` parameter to enable heartbeat detection (which is disabled by default). 
+##### Tunnel 
-Parameter value represents heartbeat interval seconds.
+服务端:
-
+```bash
-**NOTE:** The proxy chain of gost supports only one HTTP2 proxy node and the nearest rule applies, 
+gost -L=h2://:443
-the first HTTP2 proxy node is treated as an HTTP2 proxy, and the other HTTP2 proxy nodes are treated as HTTPS proxies.
+```
+客户端:
+```bash
+gost -L=:8080 -F=h2://server_ip:443
+```
 
 #### QUIC
 Support for QUIC is based on library [quic-go](https://github.com/lucas-clemente/quic-go).
@@ -224,12 +235,12 @@ Server:
 ```bash
 gost -L=quic://:6121
 ```
-Client(Chrome):
+Client:
 ```bash
-chrome --enable-quic --proxy-server=quic://server_ip:6121
+gost -L=:8080 -F=quic://server_ip:6121
 ```
 
-**NOTE:** Due to Chrome's limitations, it is currently only possible to access the HTTP (but not HTTPS) site through QUIC.
+**NOTE:** QUIC node can only be used as the first node of the proxy chain.
 
 #### KCP
 Support for KCP is based on libraries [kcp-go](https://github.com/xtaci/kcp-go) and [kcptun](https://github.com/xtaci/kcptun).
@@ -243,25 +254,41 @@ Client:
 gost -L=:8080 -F=kcp://server_ip:8388
 ```
 
-Or manually specify the encryption method and password (Manually specifying the encryption method and password overwrites the corresponding value in the configuration file)
-
-Server:
-```bash
-gost -L=kcp://aes:123456@:8388
-```
-
-Client:
-```bash
-gost -L=:8080 -F=kcp://aes:123456@server_ip:8388
-```
-
 Gost will automatically load kcp.json configuration file from current working directory if exists, 
 or you can use the parameter to specify the path to the file.
 ```bash
 gost -L=kcp://:8388?c=/path/to/conf/file
 ```
 
-**NOTE:** KCP will be enabled if and only if the proxy chain is not empty and the first proxy node (the first -F parameter) is of type KCP.
+**NOTE:** KCP node can only be used as the first node of the proxy chain.
+
+#### SSH
+Gost SSH supports two modes:
+* As a forward tunnel, used by local/remote TCP port forwarding.
+* As a transport tunnel.
+
+
+##### Forward tunnel
+Server:
+```bash
+gost -L=forward+ssh://:2222
+```
+Client:
+```bash
+gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222
+```
+
+##### Transport tunnel
+Server:
+```bash
+gost -L=ssh://:2222
+```
+Client:
+```bash
+gost -L=:8080 -F=ssh://server_ip:2222?ping=60
+```
+
+The client supports the ping parameter to enable heartbeat detection (which is disabled by default). Parameter value represents heartbeat interval seconds.
 
 #### Transparent proxy
 Iptables-based transparent proxy
@@ -270,6 +297,25 @@ Iptables-based transparent proxy
 gost -L=redirect://:12345 -F=http2://server_ip:443
 ```
 
+
+#### obfs4
+Contributed by [@isofew](https://github.com/isofew).
+
+Server:
+```bash
+gost -L=obfs4://:443
+```
+
+When the server is running normally, the console prints out the connection address for the client to use:
+```
+obfs4://:443/?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0
+```
+
+Client:
+```
+gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0'
+```
+
 Encryption Mechanism
 ------
 #### HTTP
@@ -285,8 +331,9 @@ gost -L=:8080 -F=http+tls://server_ip:443
 ```
 
 #### HTTP2
-Gost supports only the HTTP2 protocol that uses TLS encryption (h2) and does not support plaintext HTTP2 (h2c) transport.
+Gost HTTP2 proxy mode only supports the use of TLS encrypted HTTP2 protocol, does not support plaintext HTTP2.
 
+Gost HTTP2 tunnel mode supports both encryption (h2) and plaintext (h2c) modes.
 
 #### SOCKS5
 Gost supports the standard SOCKS5 protocol methods: no-auth (0x00) and user/pass (0x02), 
@@ -304,22 +351,20 @@ gost -L=:8080 -F=socks://server_ip:1080
 If both ends are gosts (as example above), the data transfer will be encrypted (using tls or tls-auth). 
 Otherwise, use standard SOCKS5 for communication (no-auth or user/pass).
 
-**NOTE:** If transport already supports encryption (wss, tls, http2, kcp), SOCKS5 will no longer use the encryption method to prevent unnecessary double encryption.
-
 #### Shadowsocks
 Support for shadowsocks is based on library [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go).
 
-Server (The OTA mode can be enabled by the ota parameter. When enabled, the client must use OTA mode):
+Server:
 ```bash
-gost -L=ss://aes-128-cfb:123456@:8338?ota=1
+gost -L=ss://aes-128-cfb:123456@:8338
 ```
-Client (The OTA mode can be enabled by the ota parameter):
+Client:
 ```bash
-gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338?ota=1
+gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338
 ```
 
 ##### Shadowsocks UDP relay
-Currently, only the server supports UDP, and only OTA mode is supported.
+Currently, only the server supports UDP Relay.
 
 Server:
 ```bash
@@ -334,6 +379,13 @@ There is built-in TLS certificate in gost, if you need to use other TLS certific
 gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"
 ```
 
+
+For client, you can specify a CA certificate to allow for [Certificate Pinning](https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning):
+```bash
+gost -L=:8080 -F="http2://:443?ca=ca.pem"
+```
+Certificate Pinning is contributed by [@sheerun](https://github.com/sheerun).
+
 SOCKS5 UDP Data Processing
 ------
 #### No forward proxy
@@ -350,7 +402,38 @@ Gost acts as the standard SOCKS5 proxy for UDP relay.
 
 <img src="https://ginuerzh.github.io/images/udp03.png" height=200 />
 
-When forward proxies are set, gost uses UDP-over-TCP to forward UDP data, proxy1 to proxyN can be any HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks type.
+When forward proxies are set, gost uses UDP-over-TCP to forward UDP data, proxy1 to proxyN can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type.
+
+Permission control
+------
+Contributed by [@sheerun](https://github.com/sheerun).
+
+One can pass available permissions with `whitelist` and `blacklist` values when starting a socks and ssh server. The format for each rule is as follows: `[actions]:[hosts]:[ports]`.
+
+`[actions]` are comma-separted list of allowed actions: `rtcp`, `rudp`, `tcp`, `udp`. can be `*` to encompass all actions.
+
+`[hosts]` are comma-separated list of allowed hosts that one can bind on (in case of `rtcp` and `rudp`), or forward to (incase of `tcp` and `udp`). hosts support globs, like `*.google.com`. can be `*` to encompass all hosts.
+
+`[ports]` are comma-separated list of ports that one can bind to (in case of `rtcp` and `rudp`), or forward to (incase of `tcp` and `udp`), can be `*` to encompass all ports.
+
+Multiple permissions can be passed if seperated with `+`: 
+
+`rtcp,rudp:localhost,127.0.0.1:2222,8000-9000+udp:8.8.8.8,8.8.4.4:53` (allow for reverse tcp and udp binding on localhost and 127.0.0.1 on ports 2222 and 8000-9000 port range, plus allow for udp forwarding to 8.8.8.8 and 8.8.4.4 on port 53)
+
+SSH remote port forwarding can only bind on 127.0.0.1:8000
+```bash
+gost -L=forward+ssh://localhost:8389?whitelist=rtcp:127.0.0.1:8000
+```
+
+SOCKS5 TCP/UDP remote port forwarding can only bind on ports greater than 1000
+```bash
+gost -L=socks://localhost:8389?blacklist=rtcp,rudp:*:0-1000
+```
+
+SOCKS5 UDP forwading can only forward to 8.8.8.8:53
+```bash
+gost -L=socks://localhost:8389?whitelist=udp:8.8.8.8:53
+```
 
 Limitation
 ------