diff --git a/Dockerfile b/Dockerfile
index d58640a..5ade1c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -63,38 +63,30 @@
 # For more information, please refer to the project repository:
 #   https://github.com/alexzhangs/shadowsocks-libev-v2ray
 #
-FROM shadowsocks/shadowsocks-libev:edge
 
-# Set work directory
-WORKDIR /shadowsocks-libev-v2ray
+# To enable proxy at build time, use:
+# docker build --build-arg https_proxy=http://host.docker.internal:$PROXY_HTTP_PORT_ON_HOST ...
+ARG http_proxy https_proxy all_proxy
 
-# Copy the current directory contents at local into the container
-COPY . .
-
-RUN chmod +x docker-entrypoint.sh
+### First stage: build environment
+FROM alpine as builder
 
-# Instal file, git, curl, and openssl
-RUN apk add file git curl openssl
-
-# Install acme.sh
-RUN curl -sL https://get.acme.sh | sh
-
-# Set the PATH for acme.sh
-ENV PATH=$PATH:/root/.acme.sh
+# Instal file, git, curl
+RUN apk add file git curl
 
-# Verify that acme.sh is installed
-RUN acme.sh --version
+# v2ray-plugin requires Go 1.16
+ENV GO_VERSION=1.16.10
 
-# Install Go 1.16 (v2ray-plugin requires Go 1.16)
+# Install Go
 RUN <<EOF
     set -ex
     ARCH=$(uname -m)
     case ${ARCH} in
         x86_64)
-            GO_BINARY_URL="https://dl.google.com/go/go1.16.10.linux-amd64.tar.gz"
+            GO_BINARY_URL="https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz"
             ;;
         aarch64)
-            GO_BINARY_URL="https://dl.google.com/go/go1.16.10.linux-arm64.tar.gz"
+            GO_BINARY_URL="https://dl.google.com/go/go${GO_VERSION}.linux-arm64.tar.gz"
             ;;
         *)
             echo "${ARCH}: Unsupported architecture"
@@ -102,7 +94,7 @@ RUN <<EOF
             ;;
     esac
     curl -LO ${GO_BINARY_URL}
-    tar -C /usr/local -xzf go1.16.10.linux-*.tar.gz
+    tar -C /usr/local -xzf go*.tar.gz
 
     # Workaround to fix error: go: not found
     # Use `file $(which go)` to debug the missing library
@@ -112,7 +104,7 @@ RUN <<EOF
             ln -s /lib/ld-musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
             ;;
         aarch64)
-            ln -s /lib/ld-musl-aarch64.so.1 /lib/ld-linux-aarch64.so.1
+            ln -s ld-musl-aarch64.so.1 /lib/ld-linux-aarch64.so.1
             ;;
     esac
 EOF
@@ -133,8 +125,64 @@ EOF
 # Verify that v2ray-plugin is installed
 RUN v2ray-plugin -version
 
-# Install Bash
-RUN apk add bash
+
+### Second stage: final image
+FROM shadowsocks/shadowsocks-libev:edge
+
+# Copy the v2ray-plugin binary from the builder stage
+COPY --from=builder /usr/bin/v2ray-plugin /usr/bin/v2ray-plugin
+
+# Link the missing library
+RUN <<EOF
+    # Workaround to fix error: v2ray-plugin: not found
+    # Use `file $(which v2ray-plugin)` to debug the missing library
+    set -ex
+    ARCH=$(uname -m)
+    case ${ARCH} in
+        x86_64)
+            mkdir /lib64
+            ln -s /lib/ld-musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
+            ;;
+        aarch64)
+            ln -s ld-musl-aarch64.so.1 /lib/ld-linux-aarch64.so.1
+            ;;
+    esac
+EOF
+
+# Verify that v2ray-plugin is installed
+RUN v2ray-plugin -version
+
+# Instal file, curl, openssl, bash, python3, py3-pip
+RUN apk update && \
+    apk add file \
+        # used by acme.sh
+        curl openssl \
+        # used by docker-entrypoint.sh
+        bash \
+        # used by dns-lexicon and its dependencies
+        python3 py3-pip gcc linux-headers libc-dev python3-dev libffi-dev && \
+    if [[ ! -e /usr/bin/python ]]; then ln -s python3 /usr/bin/python ; fi && \
+    if [[ ! -e /usr/bin/pip ]]; then ln -s pip3 /usr/bin/pip ; fi
+
+# Install dns-lexicon
+RUN pip install dns-lexicon
+
+# Install acme.sh
+RUN curl -sL https://get.acme.sh | sh
+
+# Set the PATH for acme.sh
+ENV PATH=$PATH:/root/.acme.sh
+
+# Verify that acme.sh is installed
+RUN acme.sh --version
+
+# Set work directory
+WORKDIR /shadowsocks-libev-v2ray
+
+# Copy the current directory contents at local into the container
+COPY . .
+
+RUN chmod +x docker-entrypoint.sh
 
 # Use the entrypoint script from this repository over the one from shadowsocks/shadowsocks-libev:edge
 ENTRYPOINT [ "./docker-entrypoint.sh" ]
diff --git a/build-and-run.sh b/build-and-run.sh
deleted file mode 100644
index 68635fa..0000000
--- a/build-and-run.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-#? Description:
-#?   Build the Docker image and run the container for testing.
-#?
-#? Usage:
-#?   build-and-run.sh
-#?
-#? Options:
-#?   None
-#?
-#? Environment:
-#?   The following environment variables are used by this script:
-#?
-#?   - XSH_AWS_CFN_VPN_DOMAIN
-#?
-#?     Required, default is unset.
-#?     The domain name for the V2Ray service.
-#?
-#?   - Namecom_Username
-#?
-#?     Required, default is unset.
-#?     The username for the Name.com API.
-#?
-#?   - Namecom_Token
-#?
-#?     Required, default is unset.
-#?     The token for the Name.com API.
-#?
-
-set -e -o pipefail
-
-declare tag
-tag=dev-$(date +%Y%m%d-%H%M%S)
-docker build -t "alexzhangs/shadowsocks-libev-v2ray:$tag" .
-
-declare MGR_PORT=6001 SS_PORTS=8381-8385 ENCRYPT=aes-256-cfb DOMAIN=$XSH_AWS_CFN_VPN_DOMAIN
-declare DNS=dns_namecom DNS_ENV="Namecom_Username=$Namecom_Username,Namecom_Token=$Namecom_Token"
-
-docker run -e V2RAY=1 -e DOMAIN="$DOMAIN" \
-  -e DNS="$DNS" -e DNS_ENV="$DNS_ENV" \
-  --restart=always -d -p $MGR_PORT:$MGR_PORT/UDP -p $SS_PORTS:$SS_PORTS -p $SS_PORTS:$SS_PORTS/UDP\
-  --name "ss-manager-v2ray-$tag" "alexzhangs/shadowsocks-libev-v2ray:$tag" \
-  ss-manager --manager-address 0.0.0.0:$MGR_PORT \
-    --executable /usr/local/bin/ss-server -m "$ENCRYPT" -s 0.0.0.0 -u \
-    --plugin v2ray-plugin --plugin-opts "server;tls;host=$DOMAIN"
\ No newline at end of file
diff --git a/docker-build-and-run.sh b/docker-build-and-run.sh
new file mode 100644
index 0000000..fbc792d
--- /dev/null
+++ b/docker-build-and-run.sh
@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+
+#? Description:
+#?   Build the Docker images and run the containers for testing.
+#?
+#?   Without any option, it will build the images and run the containers in the foreground.
+#?
+#? Usage:
+#?   docker-build-and-run.sh [-P] [-m MGT_PORT] [-p SS_PORTS] [-e ENCRYPT] -d DOMAIN [-N DNS] [-E DNS_ENV]
+#?   docker-build-and-run.sh [-h]
+#?
+#? Options:
+#?   [-P]
+#?
+#?   Enable to fetch the env `DOCKER_BUILD_ARGS_PROXY` and pass to docker build command.
+#?   If the env `DOCKER_BUILD_ARGS_PROXY` is not set or empty, exit with error.
+#?
+#?   [-m MGT_PORT]
+#?
+#?   Specify the management port for the shadowsocks manager.
+#?   Default is 6001.
+#?
+#?   [-p SS_PORTS]
+#?
+#?   Specify the shadowsocks ports to be exposed.
+#?   Default is 8381-8385.
+#?
+#?   [-e ENCRYPT]
+#?
+#?   Specify the encryption method for shadowsocks.
+#?   Default is aes-256-cfb.
+#?
+#?   -d DOMAIN
+#?
+#?   Specify the domain for the shadowsocks server.
+#?
+#?   [-N DNS]
+#?
+#?   Specify the DNS provider for the DOMAIN.
+#?
+#?   [-E DNS_ENV]
+#?
+#?   Specify the environment variables for the DNS provider.
+#?
+#?   [-h]
+#?
+#?   This help.
+#?
+#? Environment:
+#?   The following environment variables are used by this script conditionally:
+#?
+#?   - DOCKER_BUILD_ARGS_PROXY="--build-arg http_proxy=http://host.docker.internal:1086 --build-arg https_proxy=http://host.docker.internal:1086 --build-arg all_proxy=socks5://host.docker.internal:1086"
+#?
+#?     Optional, default is unset.
+#?     Set the proxy for the Docker build. Please replace the proxy port with your actual port.
+#?
+
+# exit on any error
+set -e -o pipefail
+
+function usage () {
+    awk '/^#\?/ {sub("^[ ]*#\\?[ ]?", ""); print}' "$0" \
+        | awk '{gsub(/^[^ ]+.*/, "\033[1m&\033[0m"); print}'
+}
+
+function check-vars () {
+    declare var ret=0
+    for var in "$@"; do
+        if [[ -z ${!var} ]]; then
+            echo "FATAL: environment variable $var is not set or empty." >&2
+            (( ret++ ))
+        fi
+    done
+    return $ret
+}
+
+function main () {
+    declare proxy_flag=0 \
+            mgt_port=6001 ss_ports=8381-8385 encrypt=aes-256-cfb domain dns dns_env \
+            OPTIND OPTARG opt
+
+    while getopts Pm:p:e:d:N:E:h opt; do
+        case $opt in
+            P)
+                proxy_flag=1
+                ;;
+            m)
+                mgt_port=$OPTARG
+                ;;
+            p)
+                ss_ports=$OPTARG
+                ;;
+            e)
+                encrypt=$OPTARG
+                ;;
+            d)
+                domain=$OPTARG
+                ;;
+            N)
+                dns=$OPTARG
+                ;;
+            E)
+                dns_env=$OPTARG
+                ;;
+            *)
+                usage
+                return 255
+                ;;
+        esac
+    done
+
+    check-vars domain mgt_port ss_ports encrypt
+
+    declare build_opts=() \
+            run_opts=(--restart=always) \
+            run_env_opts=(-e V2RAY=1 -e DOMAIN="$domain" -e DNS="$dns" -e DNS_ENV="$dns_env") \
+            run_port_opts=(-p "$mgt_port:$mgt_port/UDP" -p "$ss_ports:$ss_ports" -p "$ss_ports:$ss_ports/UDP") \
+            run_cmd_opts=( ss-manager
+                --manager-address "0.0.0.0:$mgt_port"
+                --executable /usr/local/bin/ss-server -m "$encrypt" -s 0.0.0.0 -u
+                --plugin v2ray-plugin --plugin-opts "server;tls;host=$domain"
+            )
+
+    if [[ $proxy_flag -eq 1 ]]; then
+        check-vars DOCKER_BUILD_ARGS_PROXY
+        # do not quote it
+        # shellcheck disable=SC2206
+        build_opts+=($DOCKER_BUILD_ARGS_PROXY)
+    fi
+
+    declare image_name=alexzhangs/shadowsocks-libev-v2ray
+
+    declare script_dir
+    script_dir=$(dirname "$0")
+
+    declare -a BUILD_OPTS RUN_OPTS
+
+    function __build_and_run__ () {
+        # build the image
+        echo ""
+        echo "INFO: docker build ${BUILD_OPTS[*]}"
+        docker build "${BUILD_OPTS[@]}"
+
+        # run the container
+        echo ""
+        echo "INFO: docker run ${RUN_OPTS[*]}"
+        docker run "${RUN_OPTS[@]}" || :
+    }
+
+    declare image_tag image container
+    image_tag=dev-$(date +%Y%m%d-%H%M)
+    image="$image_name:$image_tag"
+    container="ss-libev-$image_tag"
+    BUILD_OPTS=( "${build_opts[@]}" -t "$image" -f "$script_dir/Dockerfile" "$script_dir" )
+    RUN_OPTS=( "${run_opts[@]}" "${run_env_opts[@]}" "${run_port_opts[@]}" --name "$container" "$image" "${run_cmd_opts[@]}" )
+
+    __build_and_run__
+}
+
+main "$@"
+
+exit
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index b94602c..97ce459 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -32,12 +32,12 @@
 #?     The domain name for the V2Ray service.
 #?     Please replace `v2ray.ss.yourdomain.com` with your actual domain name.
 #?     And make sure the domain name matches the value used for `--plugin-opts` option.
-#?   
+#?
 #?   - DNS=<dns_hook>
 #?
 #?     Optional, used if env `V2RAY` is set, default is unset.
 #?     Specify the <dns_hook> for your domain to automate domain owner verification.
-#?     The <dns_hook> won't be verified until the domain owner verification is triggered.
+#?     The Shell DNS library `acme.sh` is leveraged to achieve this.
 #?     For the list of supported <dns_hook>, please refer to:
 #?     * https://github.com/acmesh-official/acme.sh/wiki/dnsapi
 #?
@@ -49,22 +49,21 @@
 #?     Specify the environment variables required by the <dns_hook>, usually for the username and token.
 #?     The <name> and <value> are separated by `=`, and multiple pairs are separated by `,`.
 #?     The <name> and <value> are case-sensitive.
-#?     The <name> and <value> won't be verified until the domain owner verification is triggered.
 #?     For the required <name> and <value>, please refer to:
 #?     * https://github.com/acmesh-official/acme.sh/wiki/dnsapi
 #?
 #? File:
 #?   The following files are created by this script:
 #?
-#?   - ~/.acme-account-done
+#?   - ~/.acme-account-done-{DOMAIN}
 #?
 #?     This file is created after the account registration with acme.sh.
-#?     The account registration is skipped if this file exists.
+#?     The account registration will be skipped if this file exists.
 #?
-#?   - ~/.acme-cert-done
+#?   - ~/.acme-cert-done-{DOMAIN}
 #?
 #?     This file is created after the certificate is issued for the domain with acme.sh.
-#?     The certificate issuance is skipped if this file exists.
+#?     The certificate issuance will be skipped if this file exists.
 #?
 
 # exit on any error
@@ -76,17 +75,20 @@ function usage () {
 }
 
 function issue-tls-cert () {
-    # Check if the required environment variables are set
-    if [[ -z $DOMAIN ]]; then
-        echo "FATAL: environment variable DOMAIN is not set." >&2
-        exit 255
-    fi
+    #? Description:
+    #?   Issue a TLS certificate with acme.sh.
+    #?
+    #? Usage:
+    #?   issue-tls-cert DOMAIN DNS DNS_ENV [--renew-hook "COMMAND"]
+    #?
 
-    declare acme_account_done_file=~/.acme-account-done
-    declare acme_cert_done_file=~/.acme-cert-done
+    declare domain=${1:?} dns=$2 dns_env=$3 renew_opts=("${@:4}")
+
+    declare acme_account_done_file=~/.acme-account-done-${domain}
+    declare acme_cert_done_file=~/.acme-cert-done-${domain}
 
     if [[ -f $acme_cert_done_file ]]; then
-        echo "INFO: TLS certificate has been issued for the domain $DOMAIN."
+        echo "INFO: TLS certificate has been issued for the domain $domain."
         return
     fi
 
@@ -94,32 +96,29 @@ function issue-tls-cert () {
 
     # Register an account with acme.sh if not done
     if [[ ! -f $acme_account_done_file ]]; then
-        acme.sh --register-account -m "acme@$DOMAIN"
+        acme.sh --register-account -m "acme@$domain"
         touch "$acme_account_done_file"
     fi
 
-    declare -a acme_common_opts=(--force-color --domain "$DOMAIN")
-    declare -a acme_issue_opts=("${acme_common_opts[@]}" --renew-hook reboot --dns)
+    declare -a acme_common_opts=(--force-color --domain "$domain")
+    declare -a acme_issue_opts=("${acme_common_opts[@]}" "${renew_opts[@]}" --dns)
 
-    # Setup DNS hook if DNS is set
-    if [[ -n $DNS ]]; then
-        # Check if the required environment variables are set
-        if [[ -z $DNS_ENV ]]; then
-            echo "WARNING: environment variable DNS_ENV is not set." >&2
+    # Setup DNS hook if DNS_ENV is set
+    if [[ -n $dns ]]; then
+        # Check if the dns_env is set
+        if [[ -z $dns_env ]]; then
+            echo "WARNING: dns_env is not set." >&2
         fi
 
-        declare -a DNS_ENVS
+        declare -a dns_envs
         # Read the DNS_ENV into an array
-        IFS=',' read -r -a DNS_ENVS <<< "$DNS_ENV"
+        IFS=',' read -r -a dns_envs <<< "$dns_env"
 
-        declare expr
-        # Export the DNS_ENVS
-        for expr in "${DNS_ENVS[@]}"; do
-            export "${expr:?}"
-        done
+        # Export the dns_envs
+        export "${dns_envs[@]}"
 
         # Issue a certificate for the domain with acme.sh, using DNS hook
-        acme.sh --issue "${acme_issue_opts[@]}" "$DNS"
+        acme.sh --issue "${acme_issue_opts[@]}" "$dns"
     else
         # Issue a certificate for the domain with acme.sh, using manual mode, ignoring the non-zero exit code
         acme.sh --issue "${acme_issue_opts[@]}" --yes-I-know-dns-manual-mode-enough-go-ahead-please || :
@@ -136,7 +135,7 @@ function issue-tls-cert () {
     fi
 
     # Create a symbolic link for the certificate directory, v2ray-plugin seaches only the path without the _ecc suffix
-    ln -s "${DOMAIN}_ecc" "/root/.acme.sh/${DOMAIN}"
+    ln -s "${domain}_ecc" "/root/.acme.sh/${domain}"
 
     # Create the cert done file
     touch "$acme_cert_done_file"
@@ -151,7 +150,8 @@ function main () {
 
     if [[ $V2RAY -eq 1 ]]; then
         # Issue a TLS certificate
-        issue-tls-cert
+        # shellcheck disable=SC2153
+        issue-tls-cert "$DOMAIN" "$DNS" "$DNS_ENV" --renew-hook reboot
     fi
 
     exec "$@"