diff --git a/apps/rathole/0.5.0/.env.sample b/apps/rathole/0.5.0/.env.sample
new file mode 100644
index 00000000..46da082e
--- /dev/null
+++ b/apps/rathole/0.5.0/.env.sample
@@ -0,0 +1,6 @@
+CONTAINER_NAME="rathole"
+PANEL_APP_PORT_HTTP=7333
+SERVICE_MODE="server"
+CONFIG_PATH="./data/server.toml"
+#SERVICE_MODE="client"
+#CONFIG_PATH="./data/client.toml"
\ No newline at end of file
diff --git a/apps/rathole/0.5.0/data.yml b/apps/rathole/0.5.0/data.yml
new file mode 100644
index 00000000..aa831c01
--- /dev/null
+++ b/apps/rathole/0.5.0/data.yml
@@ -0,0 +1,33 @@
+additionalProperties:
+ formFields:
+ - default: 7333
+ disabled: true
+ envKey: PANEL_APP_PORT_HTTP
+ labelEn: Port (determined by the configuration file)
+ labelZh: 端口 (由配置文件决定)
+ required: true
+ type: number
+ - default: "./data/server.toml"
+ edit: true
+ envKey: CONFIG_PATH
+ labelEn: Config Path
+ labelZh: 配置路径
+ required: true
+ type: select
+ values:
+ - label: Client Config
+ value: ./data/client.toml
+ - label: Server Config
+ value: ./data/server.toml
+ - default: "server"
+ edit: true
+ envKey: SERVICE_MODE
+ labelEn: Service Mode
+ labelZh: 服务模式
+ required: true
+ type: select
+ values:
+ - label: Server
+ value: server
+ - label: Client
+ value: client
diff --git a/apps/rathole/0.5.0/data/client.toml b/apps/rathole/0.5.0/data/client.toml
new file mode 100644
index 00000000..fa663dcd
--- /dev/null
+++ b/apps/rathole/0.5.0/data/client.toml
@@ -0,0 +1,13 @@
+[client]
+remote_addr = "127.0.0.1:7333"
+default_token = "puKAproP46cofREn3sTa"
+
+[client.transport]
+type = "tls"
+[client.transport.tls]
+trusted_root = "tls/rootCA.crt"
+hostname = "localhost"
+
+[client.services.my_nas_ssh]
+token = "use_a_secret_that_only_you_know" # 必须与服务器相同以通过验证
+local_addr = "127.0.0.1:22" # 需要被转发的服务的地址
diff --git a/apps/rathole/0.5.0/data/full_example.toml b/apps/rathole/0.5.0/data/full_example.toml
new file mode 100644
index 00000000..91085266
--- /dev/null
+++ b/apps/rathole/0.5.0/data/full_example.toml
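Review bot: CONFIG_PATH and SERVICE_MODE are offered as two independent selects in the data.yml hunk, so the form accepts `./data/client.toml` together with `server` mode (or the reverse) and nothing in the hunk rejects the mismatch; presumably the process then starts against a file that has no table for its mode. Since the mode fully determines the file, either drop the CONFIG_PATH field and derive the path from SERVICE_MODE in the launcher (not part of this diff), or make the pairing explicit in the label, e.g. `labelEn: Config Path (must match Service Mode: server.toml for Server, client.toml for Client)`. The fixed, disabled `PANEL_APP_PORT_HTTP` of 7333 covers only the control port; server.toml in this commit also binds the forwarded service on 5202, and whether that port is published is decided by the compose file, which is not in this diff.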
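Review bot: `default_token = "puKAproP46cofREn3sTa"` ships a fixed control-channel secret in the template, and server.toml in the same commit carries the identical value, so every installation created from these files authenticates with the same token until the operator edits both files by hand; neither .env.sample nor data.yml in this commit prompts for it. Prefer injecting the token per install (a form field with its own envKey that the launcher writes into both files), or at minimum mark the line as a placeholder, e.g. `default_token = "CHANGE_ME" # must match [server].default_token; replace before first start`. The per-service `token = "use_a_secret_that_only_you_know"` has the same property and the same fix. `remote_addr = "127.0.0.1:7333"` is resolved inside the container's own network namespace unless the compose file (not in this diff) uses host networking, so the client as shipped may be pointed at itself rather than at the host; a comment on that line stating the assumed network mode would help.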
@@ -0,0 +1,70 @@
+[client]
+remote_addr = "example.com:2333" # Necessary. The address of the server
+default_token = "default_token_if_not_specify" # Optional. The default token of services, if they don't define their own ones
+heartbeat_timeout = 40 # Optional. Set to 0 to disable the application-layer heartbeat test. The value must be greater than `server.heartbeat_interval`. Default: 40 seconds
+retry_interval = 1 # Optional. The interval between retry to connect to the server. Default: 1 second
+
+[client.transport] # The whole block is optional. Specify which transport to use
+type = "tcp" # Optional. Possible values: ["tcp", "tls", "noise"]. Default: "tcp"
+
+[client.transport.tcp] # Optional. Also affects `noise` and `tls`
+proxy = "socks5://user:passwd@127.0.0.1:1080" # Optional. The proxy used to connect to the server. `http` and `socks5` is supported.
+nodelay = true # Optional. Override the `client.transport.nodelay` per service
+keepalive_secs = 20 # Optional. Specify `tcp_keepalive_time` in `tcp(7)`, if applicable. Default: 20 seconds
+keepalive_interval = 8 # Optional. Specify `tcp_keepalive_intvl` in `tcp(7)`, if applicable. Default: 8 seconds
+
+[client.transport.tls] # Necessary if `type` is "tls"
+trusted_root = "ca.pem" # Necessary. The certificate of CA that signed the server's certificate
+hostname = "example.com" # Optional. The hostname that the client uses to validate the certificate. If not set, fallback to `client.remote_addr`
+
+[client.transport.noise] # Noise protocol. See `docs/transport.md` for further explanation
+pattern = "Noise_NK_25519_ChaChaPoly_BLAKE2s" # Optional. Default value as shown
+local_private_key = "key_encoded_in_base64" # Optional
+remote_public_key = "key_encoded_in_base64" # Optional
+
+[client.transport.websocket] # Necessary if `type` is "websocket"
+tls = true # If `true` then it will use settings in `client.transport.tls`
+
+[client.services.service1] # A service that needs forwarding. The name `service1` can change arbitrarily, as long as identical to the name in the server's configuration
+type = "tcp" # Optional. The protocol that needs forwarding. Possible values: ["tcp", "udp"]. Default: "tcp"
+token = "whatever" # Necessary if `client.default_token` not set
+local_addr = "127.0.0.1:1081" # Necessary. The address of the service that needs to be forwarded
+nodelay = true # Optional. Determine whether to enable TCP_NODELAY for data transmission, if applicable, to improve the latency but decrease the bandwidth. Default: true
+retry_interval = 1 # Optional. The interval between retry to connect to the server. Default: inherits the global config
+
+[client.services.service2] # Multiple services can be defined
+local_addr = "127.0.0.1:1082"
+
+[server]
+bind_addr = "0.0.0.0:2333" # Necessary. The address that the server listens for clients. Generally only the port needs to be change.
+default_token = "default_token_if_not_specify" # Optional
+heartbeat_interval = 30 # Optional. The interval between two application-layer heartbeat. Set to 0 to disable sending heartbeat. Default: 30 seconds
+
+[server.transport] # Same as `[client.transport]`
+type = "tcp"
+
+[server.transport.tcp] # Same as the client
+nodelay = true
+keepalive_secs = 20
+keepalive_interval = 8
+
+[server.transport.tls] # Necessary if `type` is "tls"
+pkcs12 = "identify.pfx" # Necessary. pkcs12 file of server's certificate and private key
+pkcs12_password = "password" # Necessary. Password of the pkcs12 file
+
+[server.transport.noise] # Same as `[client.transport.noise]`
+pattern = "Noise_NK_25519_ChaChaPoly_BLAKE2s"
+local_private_key = "key_encoded_in_base64"
+remote_public_key = "key_encoded_in_base64"
+
+[server.transport.websocket] # Necessary if `type` is "websocket"
+tls = true # If `true` then it will use settings in `server.transport.tls`
+
+[server.services.service1] # The service name must be identical to the client side
+type = "tcp" # Optional. Same as the client `[client.services.X.type]
+token = "whatever" # Necessary if `server.default_token` not set
+bind_addr = "0.0.0.0:8081" # Necessary. The address of the service is exposed at. Generally only the port needs to be change.
+nodelay = true # Optional. Same as the client
+
+[server.services.service2]
+bind_addr = "0.0.0.1:8082"
\ No newline at end of file
diff --git a/apps/rathole/0.5.0/data/server.toml b/apps/rathole/0.5.0/data/server.toml
new file mode 100644
index 00000000..93fff0c7
--- /dev/null
+++ b/apps/rathole/0.5.0/data/server.toml
@@ -0,0 +1,13 @@
+[server]
+bind_addr = "0.0.0.0:7333"
+default_token = "puKAproP46cofREn3sTa"
+
+[server.transport]
+type = "tls"
+[server.transport.tls]
+pkcs12 = "tls/identity.pfx"
+pkcs12_password = "1234"
+
+[server.services.my_nas_ssh]
+token = "use_a_secret_that_only_you_know" # 用于验证的 token
+bind_addr = "0.0.0.0:5202" # `5202` 配置了将 `my_nas_ssh` 暴露给互联网的端口
\ No newline at end of file
diff --git a/apps/rathole/0.5.0/data/tls/create_self_signed_cert.sh b/apps/rathole/0.5.0/data/tls/create_self_signed_cert.sh
new file mode 100644
index 00000000..55302a63
--- /dev/null
+++ b/apps/rathole/0.5.0/data/tls/create_self_signed_cert.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# create CA
+openssl req -x509 \
+ -sha256 -days 5000 \
+ -nodes \
+ -newkey rsa:2048 \
+ -subj "/CN=MyOwnCA/C=US/L=San Fransisco" \
+ -keyout rootCA.key -out rootCA.crt
+
+# create server private key
+openssl genrsa -out server.key 2048
+
+# create certificate signing request (CSR)
+cat > csr.conf < cert.conf < csr.conf < cert.conf <
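Review bot: `pkcs12_password = "1234"` in server.toml is the only protection on the server's TLS identity, and since the file is committed alongside the shared `default_token`, both the private-key password and the client-authentication secret are known to anyone who has read this repository; .env.sample and data.yml in this commit expose neither as a form field, so no per-install value exists. Recommend adding launcher-substituted envKeys for both (names to be chosen) and, until then, annotating the line: `pkcs12_password = "1234" # placeholder: set to the password used when exporting tls/identity.pfx`. `pkcs12 = "tls/identity.pfx"` refers to a file that create_self_signed_cert.sh is presumably meant to produce, but the visible part of that script only writes rootCA.key, rootCA.crt and server.key and its heredocs are truncated in this diff, so the pfx export step cannot be verified here. The shared-token point is raised at client.toml and applies to this file's `default_token` as well.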