diff --git a/goutils b/goutils
index 813b4fae..061245e9 160000
--- a/goutils
+++ b/goutils
@@ -1 +1 @@
-Subproject commit 813b4fae7feeb0591544eb68704d1204c1c22192
+Subproject commit 061245e9696a84a7f32b4dc9102b9d47503d8c30
diff --git a/internal/acl/config.go b/internal/acl/config.go
index f54b50be..aff37289 100644
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 "math"
 "net"
- "sync/atomic"
 "time"
 "github.com/puzpuzpuz/xsync/v4"
@@ -75,8 +74,7 @@ type ipLog struct {
 allowed bool
 }
-// could be nil
-var ActiveConfig atomic.Pointer[Config]
+type ContextKey struct{}
 const cacheTTL = 1 * time.Minute
diff --git a/internal/config/state.go b/internal/config/state.go
index 8003a1b9..13166e41 100644
--- a/internal/config/state.go
+++ b/internal/config/state.go
@@ -74,7 +74,6 @@ func SetState(state config.State) {
 cfg := state.Value()
 config.ActiveState.Store(state)
- acl.ActiveConfig.Store(cfg.ACL)
 entrypoint.ActiveConfig.Store(&cfg.Entrypoint)
 homepage.ActiveConfig.Store(&cfg.Homepage)
 if autocertProvider := state.AutoCertProvider(); autocertProvider != nil {
@@ -197,7 +196,12 @@ func (state *state) initAccessLogger() error {
 if !state.ACL.Valid() {
 return nil
 }
- return state.ACL.Start(state.task)
+ err := state.ACL.Start(state.task)
+ if err != nil {
+ return err
+ }
+ state.task.SetValue(acl.ContextKey{}, state.ACL)
+ return nil
 }
 func (state *state) initEntrypoint() error {
diff --git a/internal/route/stream/tcp_tcp.go b/internal/route/stream/tcp_tcp.go
index 83f85262..f9ecd743 100644
--- a/internal/route/stream/tcp_tcp.go
+++ b/internal/route/stream/tcp_tcp.go
@@ -6,6 +6,7 @@ import (
 "github.com/pires/go-proxyproto"
 "github.com/rs/zerolog"
+ "github.com/rs/zerolog/log"
 "github.com/yusing/godoxy/internal/acl"
 "github.com/yusing/godoxy/internal/agentpool"
 "github.com/yusing/godoxy/internal/entrypoint"
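Review bot: `ContextKey` in internal/acl/config.go is exported without a doc comment, although the stream listeners now depend on its contract to decide whether a listener gets access control at all. I would add `// ContextKey is the key under which the active *Config is stored on the task; a missing value means no ACL is applied.` above the type.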
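Review bot: In initAccessLogger (internal/config/state.go) the ACL becomes reachable only through the task value set here, and the listeners in tcp_tcp.go and udp_udp.go skip wrapping whenever `ctx.Value(acl.ContextKey{}).(*acl.Config)` does not succeed, so a listener whose context does not descend from `state.task` runs without access control and nothing is logged. Whether `SetValue` is visible through `ctx.Value` depends on the goutils task implementation bumped in this commit, which is not shown here. I would add a test that a stream route started under this state ends up with a wrapped listener, and a comment on the call such as `// publish the ACL on the task so listeners started under it can find it; absence means no ACL`.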
@@ -50,12 +51,14 @@ func (s *TCPTCPStream) ListenAndServe(ctx context.Context, preDial, onRead netty
 return
 }
+ if acl, ok := ctx.Value(acl.ContextKey{}).(*acl.Config); ok {
+ log.Debug().Str("listener", s.listener.Addr().String()).Msg("wrapping listener with ACL")
+ s.listener = acl.WrapTCP(s.listener)
+ }
+
 if proxyProto := entrypoint.ActiveConfig.Load().SupportProxyProtocol; proxyProto {
 s.listener = &proxyproto.Listener{Listener: s.listener}
 }
- if acl := acl.ActiveConfig.Load(); acl != nil {
- s.listener = acl.WrapTCP(s.listener)
- }
 s.preDial = preDial
 s.onRead = onRead
diff --git a/internal/route/stream/udp_udp.go b/internal/route/stream/udp_udp.go
index 39f96360..65972cc8 100644
--- a/internal/route/stream/udp_udp.go
+++ b/internal/route/stream/udp_udp.go
@@ -10,6 +10,7 @@ import (
 "time"
 "github.com/rs/zerolog"
+ "github.com/rs/zerolog/log"
 "github.com/yusing/godoxy/internal/acl"
 "github.com/yusing/godoxy/internal/agentpool"
 nettypes "github.com/yusing/godoxy/internal/net/types"
@@ -81,7 +82,8 @@ func (s *UDPUDPStream) ListenAndServe(ctx context.Context, preDial, onRead netty
 return
 }
 s.listener = l
- if acl := acl.ActiveConfig.Load(); acl != nil {
+ if acl, ok := ctx.Value(acl.ContextKey{}).(*acl.Config); ok {
+ log.Debug().Str("listener", s.listener.LocalAddr().String()).Msg("wrapping listener with ACL")
 s.listener = acl.WrapUDP(s.listener)
 }
 s.preDial = preDial
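Review bot: In TCPTCPStream.ListenAndServe the ACL wrapper now sits underneath the PROXY protocol listener, where before it sat on top of it, so if `WrapTCP` checks `RemoteAddr()` of accepted connections (its body is not shown) the ACL now judges the direct peer and no longer the client address carried in the PROXY header. Behind a load balancer that would match every connection as the balancer itself. If the reordering is intended, so that an unauthenticated header cannot influence the ACL decision, state it in a comment such as `// ACL is evaluated on the direct peer; PROXY headers are parsed only for peers that passed it`. The `proxyproto.Listener` is also still constructed without any policy on who may send the header, which is worth restricting at the same place. The function continues outside the hunk.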
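Review bot: The local `acl` in `if acl, ok := ctx.Value(acl.ContextKey{}).(*acl.Config); ok {` in UDPUDPStream.ListenAndServe shadows the imported `acl` package inside the if body, and the initializer uses the name in both senses; the same line appears in the tcp_tcp.go hunk. A distinct name is easier to audit in access-control code: `if aclCfg, ok := ctx.Value(acl.ContextKey{}).(*acl.Config); ok {` followed by `s.listener = aclCfg.WrapUDP(s.listener)`. The function continues outside the hunk.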