diff --git a/Cargo.lock b/Cargo.lock index e553f5d..90dc033 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -185,6 +185,19 @@ dependencies = [ "syn 2.0.87", ] +[[package]] +name = "async-compression" +version = "0.4.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0cb8f1d480b0ea3783ab015936d2a55c87e219676f0c0b7dec61494043f21857" +dependencies = [ + "flate2", + "futures-core", + "memchr", + "pin-project-lite", + "tokio", +] + [[package]] name = "async-lock" version = "3.4.0" @@ -706,6 +719,22 @@ version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "core-foundation-sys" +version = "0.8.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" + [[package]] name = "coset" version = "0.3.8" @@ -975,6 +1004,15 @@ dependencies = [ "zeroize", ] +[[package]] +name = "encoding_rs" +version = "0.8.35" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3" +dependencies = [ + "cfg-if", +] + [[package]] name = "equivalent" version = "1.0.1" @@ -1022,6 +1060,12 @@ dependencies = [ "pin-project-lite", ] +[[package]] +name = "fastrand" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e8c02a5121d4ea3eb16a80748c74f5549a5665e4c21333c6098f283870fbdea6" + [[package]] name = "ff" version = "0.13.0" 
@@ -1038,12 +1082,37 @@ version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" +[[package]] +name = "flate2" +version = "1.0.34" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1b589b4dc103969ad3cf85c950899926ec64300a1a46d76c03a6072957036f0" +dependencies = [ + "crc32fast", + "miniz_oxide", +] + [[package]] name = "fnv" version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.2.1" @@ -1353,6 +1422,7 @@ dependencies = [ "hyper", "hyper-util", "rustls", + "rustls-native-certs", "rustls-pki-types", "tokio", "tokio-rustls", @@ -1360,6 +1430,22 @@ dependencies = [ "webpki-roots", ] +[[package]] +name = "hyper-tls" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" +dependencies = [ + "bytes", + "http-body-util", + "hyper", + "hyper-util", + "native-tls", + "tokio", + "tokio-native-tls", + "tower-service", +] + [[package]] name = "hyper-util" version = "0.1.10" @@ -1667,6 +1753,7 @@ dependencies = [ "ic_tee_nitro_attestation", "pkcs8", "rand", + "reqwest", "serde_bytes", "tokio", ] 
@@ -2123,6 +2210,23 @@ version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1" +[[package]] +name = "native-tls" +version = "0.2.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466" +dependencies = [ + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "nix" version = "0.26.4" @@ -2212,6 +2316,50 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" +[[package]] +name = "openssl" +version = "0.10.68" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" +dependencies = [ + "bitflags 2.6.0", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + +[[package]] +name = "openssl-probe" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" + +[[package]] +name = "openssl-sys" +version = "0.9.104" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "p256" version = "0.13.2" 
@@ -2335,6 +2483,12 @@ dependencies = [ "spki", ] +[[package]] +name = "pkg-config" +version = "0.3.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" + [[package]] name = "polyval" version = "0.6.2" @@ -2573,33 +2727,41 @@ version = "0.12.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a77c62af46e79de0a562e1a9849205ffcb7fc1238876e9bd743357570e04046f" dependencies = [ + "async-compression", "base64", "bytes", + "encoding_rs", "futures-channel", "futures-core", "futures-util", + "h2", "http", "http-body", "http-body-util", "hyper", "hyper-rustls", + "hyper-tls", "hyper-util", "ipnet", "js-sys", "log", "mime", + "native-tls", "once_cell", "percent-encoding", "pin-project-lite", "quinn", "rustls", + "rustls-native-certs", "rustls-pemfile", "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", "sync_wrapper 1.0.1", + "system-configuration", "tokio", + "tokio-native-tls", "tokio-rustls", "tokio-util", "tower-service", @@ -2702,6 +2864,19 @@ dependencies = [ "zeroize", ] +[[package]] +name = "rustls-native-certs" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcaf18a4f2be7326cd874a5fa579fae794320a0f388d365dca7e480e55f83f8a" +dependencies = [ + "openssl-probe", + "rustls-pemfile", + "rustls-pki-types", + "schannel", + "security-framework", +] + [[package]] name = "rustls-pemfile" version = "2.2.0" @@ -2741,6 +2916,15 @@ version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" +[[package]] +name = "schannel" +version = "0.1.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01227be5826fa0690321a2ba6c5cd57a19cf3f6a09e76973b58e61de6ab9d1c1" +dependencies = [ + "windows-sys 0.59.0", +] + [[package]] name = "scopeguard" version = "1.2.0" 
@@ -2761,6 +2945,29 @@ dependencies = [ "zeroize", ] +[[package]] +name = "security-framework" +version = "2.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" +dependencies = [ + "bitflags 2.6.0", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea4a292869320c0272d7bc55a5a6aafaff59b4f63404a003887b679a2e05b4b6" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "semver" version = "1.0.23" @@ -3182,6 +3389,40 @@ dependencies = [ "syn 2.0.87", ] +[[package]] +name = "system-configuration" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" +dependencies = [ + "bitflags 2.6.0", + "core-foundation", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "tempfile" +version = "3.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f2c9fc62d0beef6951ccffd757e241266a2c833136efbe35af6cd2567dca5b" +dependencies = [ + "cfg-if", + "fastrand", + "once_cell", + "rustix", + "windows-sys 0.59.0", +] + [[package]] name = "thiserror" version = "1.0.68" 
@@ -3287,6 +3528,16 @@ dependencies = [ "syn 2.0.87", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-rustls" version = "0.26.0" @@ -3497,6 +3748,12 @@ dependencies = [ "sval_serde", ] +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.5" diff --git a/Cargo.toml b/Cargo.toml index 4c83897..dd05a08 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -67,3 +67,12 @@ structured-logger = "1" hyper-util = { version = "0.1.10", features = ["client-legacy"] } mime = "0.3" rustls = "0.23" +reqwest = { version = "0.12", features = [ + "rustls-tls", + "rustls-tls-native-roots", + "json", + "gzip", + "stream", + "http2", + # "hickory-dns", +], default-features = true } diff --git a/nitro_enclave/host_iptables-config.sh b/nitro_enclave/host_iptables-config.sh index 7b19a71..bed5a07 100644 --- a/nitro_enclave/host_iptables-config.sh +++ b/nitro_enclave/host_iptables-config.sh @@ -20,9 +20,11 @@ # 如果想立即运行脚本测试 # sudo service iptables-config start # 查看所有 NAT 规则 -# sudo iptables -t nat -L -n -v +# sudo iptables -t nat -L -n -v --line-number # 查看所有 filter 规则 # sudo iptables -L -n -v +# delete a rule by line number 7 +# sudo iptables -t nat -D PREROUTING 7 # # sysctl.conf # echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf diff --git a/src/ic_tee_cli/Cargo.toml b/src/ic_tee_cli/Cargo.toml index 8a3aa7b..c52a00e 100644 --- a/src/ic_tee_cli/Cargo.toml +++ b/src/ic_tee_cli/Cargo.toml 
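Review bot: `default-features = true` on the new `reqwest` entry keeps reqwest's default TLS backend enabled alongside the explicitly requested `rustls-tls`, which is why the lock hunks above gain `native-tls`, `openssl`, `openssl-sys`, `hyper-tls` and `tokio-native-tls` even though the workspace already standardises on `rustls`. For a binary that ends up inside the Nitro enclave image that doubles the TLS stack to build, audit and keep patched, and makes the link depend on a system OpenSSL through `pkg-config`/`vcpkg`. Suggest `default-features = false` with the required features listed explicitly (`rustls-tls`, `rustls-tls-native-roots`, `json`, `gzip`, `stream`, `http2`), and either dropping the commented `# "hickory-dns",` line or adding a comment recording why it is parked.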
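Review bot: The new listing comment spells the flag `--line-number`, while the iptables man page documents it as `--line-numbers`; the short form presumably only works because the option parser accepts unambiguous prefixes, so `# sudo iptables -t nat -L -n -v --line-numbers` is the safer line to copy-paste. The `-D PREROUTING 7` example would also benefit from a note that rule numbers shift after each deletion, so the list should be re-run before deleting another rule, e.g. `# rule numbers change after every -D; list again before the next delete`.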
@@ -18,7 +18,8 @@ ic-agent = { workspace = true } ed25519-consensus = { workspace = true } ic_cose_types = { workspace = true } rand = { workspace = true } -anyhow = "1" +reqwest = { workspace = true } +anyhow = { workspace = true } clap = { version = "=4.5", features = ["derive"] } pkcs8 = { version = "0.10", features = ["pem"] } ed25519 = { version = "2.2", features = ["pem", "pkcs8"] } diff --git a/src/ic_tee_cli/src/main.rs b/src/ic_tee_cli/src/main.rs index 5085bd5..c3df592 100644 --- a/src/ic_tee_cli/src/main.rs +++ b/src/ic_tee_cli/src/main.rs @@ -85,8 +85,12 @@ pub enum Commands { kind: String, /// TEE attestation document - #[arg(long, default_value = "")] - doc: String, + #[arg(long)] + doc: Option, + + /// TEE attestation document url + #[arg(long)] + url: Option, }, /// get a setting from the COSE canister SettingGet { @@ -187,8 +191,16 @@ async fn main() -> Result<()> { println!("principal: {}", principal); } - Some(Commands::TeeVerify { doc, kind }) => { - let doc = decode_hex(doc)?; + Some(Commands::TeeVerify { kind, doc, url }) => { + let doc = match (doc, url) { + (Some(doc), None) => doc.to_owned(), + (None, Some(url)) => { + let body = reqwest::get(url).await?.text().await?; + body + } + _ => Err(anyhow::anyhow!("doc or url is required"))?, + }; + let doc = decode_hex(&doc)?; let mut error: Option = None; let doc = match parse_and_verify(&doc) { Ok(doc) => doc, diff --git a/src/ic_tee_nitro_gateway/README.md b/src/ic_tee_nitro_gateway/README.md index eb5a2c3..8634087 100644 --- a/src/ic_tee_nitro_gateway/README.md +++ b/src/ic_tee_nitro_gateway/README.md 
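Review bot: `doc` and `url` are declared as two independent optional arguments, so clap accepts both, neither, or either, and the mutual-exclusion rule only surfaces later as a runtime `anyhow` error in the `TeeVerify` arm. Expressing it on the arguments lets clap reject bad invocations with its usual usage message: `#[arg(long, conflicts_with = "url", required_unless_present = "url")]` on `doc` and the mirror on `url`. The rendered hunk shows `doc: Option,` and `url: Option,` with the type parameter dropped; presumably `Option<String>` in the source. The `Commands` enum starts outside the hunk.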
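Review bot: The `(None, Some(url))` arm feeds whatever `reqwest::get(url)` returns straight into `decode_hex` without checking the status code, so a 404 or error page from the attestation endpoint fails later as a hex-decoding error that points at the wrong cause, and `reqwest::get` uses a client with no request timeout, so the CLI hangs indefinitely on a stalled server. Building a client with a timeout and calling `error_for_status()` before reading the body addresses both, and `anyhow::bail!` replaces the `Err(...)?` idiom in the fallback arm; the fetched bytes are still authenticated by `parse_and_verify`, so this is about diagnostics and liveness rather than trust. The `let body = …; body` pair in the same arm is clippy's `let_and_return` and can collapse to the expression. The enclosing `main` and its `match` begin outside the hunk.
```rust
let doc = match (doc, url) {
    (Some(doc), None) => doc.to_owned(),
    (None, Some(url)) => {
        let client = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(30))
            .build()?;
        client
            .get(url)
            .send()
            .await?
            .error_for_status()?
            .text()
            .await?
    }
    _ => anyhow::bail!("doc or url is required"),
};
// … unchanged: decode_hex and parse_and_verify …
```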
@@ -57,13 +57,13 @@ sudo nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/ic_tee_nitro_gateway_e # { # "Measurements": { # "HashAlgorithm": "Sha384 { ... }", -# "PCR0": "1b2c6645b08d685dd673cb6271c81f26d668452bbcb63f5b6516745d6ef9401de9ed8e895218ab663a82f7bf2ebb63ad", +# "PCR0": "929c88889044592565f259bbae65baddcf0c426bc171017375777d55161bb662ac0fb97de301d8d6c1026b62b6061098", # "PCR1": "4b4d5b3661b3efc12920900c80e126e4ce783c522de6c02a2a5bf7af3a2b9327b86776f188e4be1c1c404a129dbda493", -# "PCR2": "50193d35e1e8ee7ce4fa169fafd951fd55d3382afa7cc8d253484a2c576fdd66ded2affdda334d4c9edda0d53d0683d8" +# "PCR2": "3f260bf23af9b00afe2b5c1debd0e26c987abf83378a0e5f99ae49cbdd711c020c1f23d84bc93ba184baddc842c6f21b" # } # } -ic_tee_cli -c e7tgb-6aaaa-aaaap-akqfa-cai identity-derive --seed 1b2c6645b08d685dd673cb6271c81f26d668452bbcb63f5b6516745d6ef9401de9ed8e895218ab663a82f7bf2ebb63ad -# principal: 7phvc-jpig7-tqnlh-nkik5-le57d-reruv-kjkkp-ngegn-uafjd-3j4p5-7qe +ic_tee_cli -c e7tgb-6aaaa-aaaap-akqfa-cai identity-derive --seed 929c88889044592565f259bbae65baddcf0c426bc171017375777d55161bb662ac0fb97de301d8d6c1026b62b6061098 +# principal: 6y5sx-apnmh-blpp5-u7eyr-nnl2t-rflnm-7sw2q-ptbx3-iv47r-rsnun-eqe dfx canister call ic_cose_canister setting_add_readers '(record { ns = "_"; 
@@ -71,14 +71,14 @@ dfx canister call ic_cose_canister setting_add_readers '(record { subject = opt principal "fbi6t-ogdrt-s4de4-sxive-x4yid-xfrk2-e6jgf-jbnuh-rzxoj-qv2qa-zae"; version = 1; user_owned = false; -}, vec{ principal "7phvc-jpig7-tqnlh-nkik5-le57d-reruv-kjkkp-ngegn-uafjd-3j4p5-7qe" })' --ic +}, vec{ principal "6y5sx-apnmh-blpp5-u7eyr-nnl2t-rflnm-7sw2q-ptbx3-iv47r-rsnun-eqe" })' --ic sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-path ic_tee_nitro_gateway_enclave_amd64.eif # Start allocating memory... # Started enclave with enclave-cid: 88, memory: 512 MiB, cpu-ids: [1, 3] # { # "EnclaveName": "ic_tee_nitro_gateway_enclave_amd64", -# "EnclaveID": "i-056e1ab9a31cd77a0-enc192fc732d6e4e41", +# "EnclaveID": "i-056e1ab9a31cd77a0-enc193037029f7f152", # "ProcessID": 14424, # "EnclaveCID": 88, # "NumberOfCPUs": 2, @@ -89,7 +89,7 @@ sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-pat # "MemoryMiB": 512 # } sudo nitro-cli describe-enclaves -sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc193006607ea8974 +sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc193037029f7f152 ``` ## License