diff --git a/alist-proxy.js b/alist-proxy.js
new file mode 100644
index 00000000..78e48a8d
--- /dev/null
+++ b/alist-proxy.js
@@ -0,0 +1,133 @@
+// We support the GET, POST, HEAD, and OPTIONS methods from any origin,
+// and allow any header on requests. These headers must be present
+// on all responses to all CORS preflight requests. In practice, this means
+// all responses to OPTIONS requests.
+
+const HOST = "YOUR_HOST";
+const TOKEN = "YOUR_TOKEN";
+
+const corsHeaders = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET,HEAD,POST,OPTIONS",
+    "Access-Control-Max-Age": "86400",
+};
+
+!function(a){"use strict";function b(a,b){var c=(65535&a)+(65535&b),d=(a>>16)+(b>>16)+(c>>16);return d<<16|65535&c}function c(a,b){return a<<b|a>>>32-b}function d(a,d,e,f,g,h){return b(c(b(b(d,a),b(f,h)),g),e)}function e(a,b,c,e,f,g,h){return d(b&c|~b&e,a,b,f,g,h)}function f(a,b,c,e,f,g,h){return d(b&e|c&~e,a,b,f,g,h)}function g(a,b,c,e,f,g,h){return d(b^c^e,a,b,f,g,h)}function h(a,b,c,e,f,g,h){return d(c^(b|~e),a,b,f,g,h)}function i(a,c){a[c>>5]|=128<<c%32,a[(c+64>>>9<<4)+14]=c;var d,i,j,k,l,m=1732584193,n=-271733879,o=-1732584194,p=271733878;for(d=0;d<a.length;d+=16)i=m,j=n,k=o,l=p,m=e(m,n,o,p,a[d],7,-680876936),p=e(p,m,n,o,a[d+1],12,-389564586),o=e(o,p,m,n,a[d+2],17,606105819),n=e(n,o,p,m,a[d+3],22,-1044525330),m=e(m,n,o,p,a[d+4],7,-176418897),p=e(p,m,n,o,a[d+5],12,1200080426),o=e(o,p,m,n,a[d+6],17,-1473231341),n=e(n,o,p,m,a[d+7],22,-45705983),m=e(m,n,o,p,a[d+8],7,1770035416),p=e(p,m,n,o,a[d+9],12,-1958414417),o=e(o,p,m,n,a[d+10],17,-42063),n=e(n,o,p,m,a[d+11],22,-1990404162),m=e(m,n,o,p,a[d+12],7,1804603682),p=e(p,m,n,o,a[d+13],12,-40341101),o=e(o,p,m,n,a[d+14],17,-1502002290),n=e(n,o,p,m,a[d+15],22,1236535329),m=f(m,n,o,p,a[d+1],5,-165796510),p=f(p,m,n,o,a[d+6],9,-1069501632),o=f(o,p,m,n,a[d+11],14,643717713),n=f(n,o,p,m,a[d],20,-373897302),m=f(m,n,o,p,a[d+5],5,-701558691),p=f(p,m,n,o,a[d+10],9,38016083),o=f(o,p,m,n,a[d+15],14,-660478335),n=f(n,o,p,m,a[d+4],20,-405537848),m=f(m,n,o,p,a[d+9],5,568446438),p=f(p,m,n,o,a[d+14],9,-1019803690),o=f(o,p,m,n,a[d+3],14,-187363961),n=f(n,o,p,m,a[d+8],20,1163531501),m=f(m,n,o,p,a[d+13],5,-1444681467),p=f(p,m,n,o,a[d+2],9,-51403784),o=f(o,p,m,n,a[d+7],14,1735328473),n=f(n,o,p,m,a[d+12],20,-1926607734),m=g(m,n,o,p,a[d+5],4,-378558),p=g(p,m,n,o,a[d+8],11,-2022574463),o=g(o,p,m,n,a[d+11],16,1839030562),n=g(n,o,p,m,a[d+14],23,-35309556),m=g(m,n,o,p,a[d+1],4,-1530992060),p=g(p,m,n,o,a[d+4],11,1272893353),o=g(o,p,m,n,a[d+7],16,-155497632),n=g(n,o,p,m,a[d+10],23,-1094730640),m=g(m,n,o,p,a[d+13],4,681279174),p=g(p,m,n,o,a[d],11,-358537222),o=g(o,p,m,n,a[d+3],16,-722521979),n=g(n,o,p,m,a[d+6],23,76029189),m=g(m,n,o,p,a[d+9],4,-640364487),p=g(p,m,n,o,a[d+12],11,-421815835),o=g(o,p,m,n,a[d+15],16,530742520),n=g(n,o,p,m,a[d+2],23,-995338651),m=h(m,n,o,p,a[d],6,-198630844),p=h(p,m,n,o,a[d+7],10,1126891415),o=h(o,p,m,n,a[d+14],15,-1416354905),n=h(n,o,p,m,a[d+5],21,-57434055),m=h(m,n,o,p,a[d+12],6,1700485571),p=h(p,m,n,o,a[d+3],10,-1894986606),o=h(o,p,m,n,a[d+10],15,-1051523),n=h(n,o,p,m,a[d+1],21,-2054922799),m=h(m,n,o,p,a[d+8],6,1873313359),p=h(p,m,n,o,a[d+15],10,-30611744),o=h(o,p,m,n,a[d+6],15,-1560198380),n=h(n,o,p,m,a[d+13],21,1309151649),m=h(m,n,o,p,a[d+4],6,-145523070),p=h(p,m,n,o,a[d+11],10,-1120210379),o=h(o,p,m,n,a[d+2],15,718787259),n=h(n,o,p,m,a[d+9],21,-343485551),m=b(m,i),n=b(n,j),o=b(o,k),p=b(p,l);return[m,n,o,p]}function j(a){var b,c="";for(b=0;b<32*a.length;b+=8)c+=String.fromCharCode(a[b>>5]>>>b%32&255);return c}function k(a){var b,c=[];for(c[(a.length>>2)-1]=void 0,b=0;b<c.length;b+=1)c[b]=0;for(b=0;b<8*a.length;b+=8)c[b>>5]|=(255&a.charCodeAt(b/8))<<b%32;return c}function l(a){return j(i(k(a),8*a.length))}function m(a,b){var c,d,e=k(a),f=[],g=[];for(f[15]=g[15]=void 0,e.length>16&&(e=i(e,8*a.length)),c=0;16>c;c+=1)f[c]=909522486^e[c],g[c]=1549556828^e[c];return d=i(f.concat(k(b)),512+8*b.length),j(i(g.concat(d),640))}function n(a){var b,c,d="0123456789abcdef",e="";for(c=0;c<a.length;c+=1)b=a.charCodeAt(c),e+=d.charAt(b>>>4&15)+d.charAt(15&b);return e}function o(a){return unescape(encodeURIComponent(a))}function p(a){return l(o(a))}function q(a){return n(p(a))}function r(a,b){return m(o(a),o(b))}function s(a,b){return n(r(a,b))}function t(a,b,c){return b?c?r(b,a):s(b,a):c?p(a):q(a)}"function"==typeof define&&define.amd?define(function(){return t}):a.md5=t}(this);
+
+async function handleRequest(request) {
+    const origin = request.headers.get("origin");
+    const url = new URL(request.url);
+    const path = url.pathname;
+    const sign = url.searchParams.get("sign");
+    const name = path.split("/").pop();
+    const right = md5(`alist-${TOKEN}-${name}`).slice(8, 24);
+    if (sign !== right){
+        const resp = new Response(
+            JSON.stringify({
+                code: 401,
+                message: `sign mismatch`,
+                you: sign,
+                right: right,
+            }),
+            {
+                headers: {
+                    "content-type": "application/json;charset=UTF-8",
+                },
+            }
+        );
+        resp.headers.set("Access-Control-Allow-Origin", origin);
+        return resp;
+    }
+
+    let resp = await fetch(`${HOST}/api/admin/link`, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json;charset=UTF-8",
+            Authorization: TOKEN,
+        },
+        body: JSON.stringify({
+            path: decodeURI(path),
+        }),
+    });
+    let data = await resp.json();
+    if (data.code != 200) {
+        return new Response(JSON.stringify(data));
+    }
+    let headers = {};
+    if (data.data.header) {
+        headers[data.data.header.name] = data.data.header.value;
+    }
+    let response = await fetch(data.data.url, {
+        method: "GET",
+        headers: headers,
+    });
+
+    // Recreate the response so we can modify the headers
+    response = new Response(response.body, response);
+
+    // Set CORS headers
+    response.headers.set("Access-Control-Allow-Origin", origin);
+
+    // Append to/Add Vary header so browser will cache response correctly
+    response.headers.append("Vary", "Origin");
+
+    return response;
+}
+
+function handleOptions(request) {
+    // Make sure the necessary headers are present
+    // for this to be a valid pre-flight request
+    let headers = request.headers;
+    if (
+        headers.get("Origin") !== null &&
+        headers.get("Access-Control-Request-Method") !== null
+        // && headers.get("Access-Control-Request-Headers") !== null
+    ) {
+        // Handle CORS pre-flight request.
+        // If you want to check or reject the requested method + headers
+        // you can do that here.
+        let respHeaders = {
+            ...corsHeaders,
+            // Allow all future content Request headers to go back to browser
+            // such as Authorization (Bearer) or X-Client-Name-Version
+            "Access-Control-Allow-Headers": request.headers.get(
+                "Access-Control-Request-Headers"
+            ),
+        };
+
+        return new Response(null, {
+            headers: respHeaders,
+        });
+    } else {
+        // Handle standard OPTIONS request.
+        // If you want to allow other HTTP Methods, you can do that here.
+        return new Response(null, {
+            headers: {
+                Allow: "GET, HEAD, POST, OPTIONS",
+            },
+        });
+    }
+}
+
+addEventListener("fetch", (event) => {
+    const request = event.request;
+    // const url = new URL(request.url)
+    if (request.method === "OPTIONS") {
+        // Handle CORS preflight requests
+        event.respondWith(handleOptions(request));
+    } else if (
+        request.method === "GET" ||
+        request.method === "HEAD" ||
+        request.method === "POST"
+    ) {
+        // Handle requests to the API server
+        event.respondWith(handleRequest(request));
+    } else {
+        event.respondWith(
+            new Response(null, {
+                status: 405,
+                statusText: "Method Not Allowed",
+            })
+        );
+    }
+});