diff --git a/internal/net/http/header_utils.go b/internal/net/http/header_utils.go
index ab736589..ffd0f222 100644
--- a/internal/net/http/header_utils.go
+++ b/internal/net/http/header_utils.go
@@ -2,7 +2,6 @@ package http
 
 import (
 	"net/http"
-	"slices"
 )
 
 func RemoveHop(h http.Header) {
@@ -25,18 +24,30 @@ func CopyHeader(dst, src http.Header) {
 	}
 }
 
-func FilterHeaders(h http.Header, allowed []string) {
-	if allowed == nil {
-		return
+func FilterHeaders(h http.Header, allowed []string) http.Header {
+	if len(allowed) == 0 {
+		return h
 	}
 
-	for i := range allowed {
-		allowed[i] = http.CanonicalHeaderKey(allowed[i])
+	filtered := make(http.Header)
+
+	for i, header := range allowed {
+		values := h.Values(header)
+		if len(values) == 0 {
+			continue
+		}
+		filtered[http.CanonicalHeaderKey(allowed[i])] = append([]string(nil), values...)
 	}
 
-	for key := range h {
-		if !slices.Contains(allowed, key) {
-			h.Del(key)
+	return filtered
+}
+
+func HeaderToMap(h http.Header) map[string]string {
+	result := make(map[string]string)
+	for k, v := range h {
+		if len(v) > 0 {
+			result[k] = v[0] // Take the first value
 		}
 	}
+	return result
 }
diff --git a/internal/net/http/middleware/forward_auth.go b/internal/net/http/middleware/forward_auth.go
index 1e88eca2..9153feed 100644
--- a/internal/net/http/middleware/forward_auth.go
+++ b/internal/net/http/middleware/forward_auth.go
@@ -54,7 +54,7 @@ func NewForwardAuthfunc(optsRaw OptionsRaw) (*Middleware, E.NestedError) {
 	}
 
 	// TODO: use tr from reverse proxy
-	tr, ok := fa.forwardAuthOpts.transport.(*http.Transport)
+	tr, ok := fa.transport.(*http.Transport)
 	if ok {
 		tr = tr.Clone()
 	} else {
@@ -81,7 +81,7 @@ func (fa *forwardAuth) forward(next http.HandlerFunc, w ResponseWriter, req *Req
 		nil,
 	)
 	if err != nil {
-		fa.m.AddTracef("new request err to %s", fa.Address).With("error", err)
+		fa.m.AddTracef("new request err to %s", fa.Address).WithError(err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
@@ -89,12 +89,13 @@ func (fa *forwardAuth) forward(next http.HandlerFunc, w ResponseWriter, req *Req
 	gpHTTP.CopyHeader(faReq.Header, req.Header)
 	gpHTTP.RemoveHop(faReq.Header)
 
-	gpHTTP.FilterHeaders(faReq.Header, fa.AuthResponseHeaders)
+	faReq.Header = gpHTTP.FilterHeaders(faReq.Header, fa.AuthResponseHeaders)
 	fa.setAuthHeaders(req, faReq)
+	fa.m.AddTraceRequest("forward auth request", faReq)
 
 	faResp, err := fa.client.Do(faReq)
 	if err != nil {
-		fa.m.AddTracef("failed to call %s", fa.Address).With("error", err)
+		fa.m.AddTracef("failed to call %s", fa.Address).WithError(err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
@@ -102,30 +103,30 @@ func (fa *forwardAuth) forward(next http.HandlerFunc, w ResponseWriter, req *Req
 
 	body, err := io.ReadAll(faResp.Body)
 	if err != nil {
-		fa.m.AddTracef("failed to read response body from %s", fa.Address).With("error", err)
+		fa.m.AddTracef("failed to read response body from %s", fa.Address).WithError(err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
 	if faResp.StatusCode < http.StatusOK || faResp.StatusCode >= http.StatusMultipleChoices {
-		fa.m.AddTracef("status %d", faResp.StatusCode)
+		fa.m.AddTraceResponse("forward auth response", faResp)
 		gpHTTP.CopyHeader(w.Header(), faResp.Header)
 		gpHTTP.RemoveHop(w.Header())
 
 		redirectURL, err := faResp.Location()
 		if err != nil {
-			fa.m.AddTracef("failed to get location from %s", fa.Address).With("error", err)
+			fa.m.AddTracef("failed to get location from %s", fa.Address).WithError(err).WithResponse(faResp)
 			w.WriteHeader(http.StatusInternalServerError)
 			return
 		} else if redirectURL.String() != "" {
 			w.Header().Set("Location", redirectURL.String())
-			fa.m.AddTracef("redirect to %q", redirectURL.String())
+			fa.m.AddTracef("redirect to %q", redirectURL.String()).WithResponse(faResp)
 		}
 
 		w.WriteHeader(faResp.StatusCode)
 
 		if _, err = w.Write(body); err != nil {
-			fa.m.AddTracef("failed to write response body from %s", fa.Address).With("error", err)
+			fa.m.AddTracef("failed to write response body from %s", fa.Address).WithError(err).WithResponse(faResp)
 		}
 		return
 	}
diff --git a/internal/net/http/middleware/trace.go b/internal/net/http/middleware/trace.go
index a9520c46..593dfcbd 100644
--- a/internal/net/http/middleware/trace.go
+++ b/internal/net/http/middleware/trace.go
@@ -2,22 +2,22 @@ package middleware
 
 import (
 	"fmt"
-	"net/http"
 	"sync"
 	"time"
 
+	gpHTTP "github.com/yusing/go-proxy/internal/net/http"
 	U "github.com/yusing/go-proxy/internal/utils"
 )
 
 type Trace struct {
-	Time        string         `json:"time,omitempty"`
-	Caller      string         `json:"caller,omitempty"`
-	URL         string         `json:"url,omitempty"`
-	Message     string         `json:"msg"`
-	ReqHeaders  http.Header    `json:"req_headers,omitempty"`
-	RespHeaders http.Header    `json:"resp_headers,omitempty"`
-	RespStatus  int            `json:"resp_status,omitempty"`
-	Additional  map[string]any `json:"additional,omitempty"`
+	Time        string            `json:"time,omitempty"`
+	Caller      string            `json:"caller,omitempty"`
+	URL         string            `json:"url,omitempty"`
+	Message     string            `json:"msg"`
+	ReqHeaders  map[string]string `json:"req_headers,omitempty"`
+	RespHeaders map[string]string `json:"resp_headers,omitempty"`
+	RespStatus  int               `json:"resp_status,omitempty"`
+	Additional  map[string]any    `json:"additional,omitempty"`
 }
 
 type Traces []*Trace
@@ -25,7 +25,7 @@ type Traces []*Trace
 var traces = Traces{}
 var tracesMu sync.Mutex
 
-const MaxTraceNum = 1000
+const MaxTraceNum = 100
 
 func GetAllTrace() []*Trace {
 	return traces
@@ -36,7 +36,7 @@ func (tr *Trace) WithRequest(req *Request) *Trace {
 		return nil
 	}
 	tr.URL = req.RequestURI
-	tr.ReqHeaders = req.Header.Clone()
+	tr.ReqHeaders = gpHTTP.HeaderToMap(req.Header)
 	return tr
 }
 
@@ -45,8 +45,8 @@ func (tr *Trace) WithResponse(resp *Response) *Trace {
 		return nil
 	}
 	tr.URL = resp.Request.RequestURI
-	tr.ReqHeaders = resp.Request.Header.Clone()
-	tr.RespHeaders = resp.Header.Clone()
+	tr.ReqHeaders = gpHTTP.HeaderToMap(resp.Request.Header)
+	tr.RespHeaders = gpHTTP.HeaderToMap(resp.Header)
 	tr.RespStatus = resp.StatusCode
 	return tr
 }
@@ -63,6 +63,18 @@ func (tr *Trace) With(what string, additional any) *Trace {
 	return tr
 }
 
+func (tr *Trace) WithError(err error) *Trace {
+	if tr == nil {
+		return nil
+	}
+
+	if tr.Additional == nil {
+		tr.Additional = map[string]any{}
+	}
+	tr.Additional["error"] = err.Error()
+	return tr
+}
+
 func (m *Middleware) EnableTrace() {
 	m.trace = true
 	for _, child := range m.children {