|
|
@@ -2286,6 +2286,11 @@ setup_fail2ban_iplimit() {
|
|
|
apt-get update && apt-get install fail2ban nftables -y
|
|
|
;;
|
|
|
fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
|
|
|
+ if [[ "${release}" != "fedora" ]] && ! dnf repolist enabled 2> /dev/null | grep -qiw epel; then
|
|
|
+ dnf install -y epel-release \
|
|
|
+ || dnf install -y "https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E %rhel).noarch.rpm" \
|
|
|
+ || echo -e "${yellow}Could not enable the EPEL repository; fail2ban is only available from EPEL on this distro.${plain}"
|
|
|
+ fi
|
|
|
dnf makecache -y && dnf -y install fail2ban nftables
|
|
|
;;
|
|
|
centos)
|
|
|
@@ -2846,6 +2851,37 @@ purge_postgresql() {
|
|
|
LOGI "PostgreSQL has been purged."
|
|
|
}
|
|
|
|
|
|
+# RHEL-family initdb writes pg_hba.conf host rules with ident auth, which
|
|
|
+# compares the OS username against the Postgres role and always rejects the
|
|
|
+# randomly generated panel role over TCP (#5806). Prepend password-auth rules
|
|
|
+# scoped to the panel database; first match wins, and md5 also accepts
|
|
|
+# scram-sha-256-stored verifiers, so this works on every supported distro.
|
|
|
+# Mirrors pg_ensure_hba_password_auth() from install.sh.
|
|
|
+pg_ensure_hba_password_auth() {
|
|
|
+ local pg_db="$1"
|
|
|
+ local hba_file
|
|
|
+ hba_file=$(sudo -u postgres psql -tAc 'SHOW hba_file' 2> /dev/null | tr -d '[:space:]')
|
|
|
+ [[ -n "${hba_file}" && -f "${hba_file}" ]] || return 0
|
|
|
+ grep -Eq "^host[[:space:]]+${pg_db}[[:space:]]" "${hba_file}" && return 0
|
|
|
+ local tmp
|
|
|
+ tmp=$(mktemp) || return 1
|
|
|
+ {
|
|
|
+ echo "# Added by 3x-ui: allow password logins for the panel database."
|
|
|
+ echo "host ${pg_db} all 127.0.0.1/32 md5"
|
|
|
+ echo "host ${pg_db} all ::1/128 md5"
|
|
|
+ cat "${hba_file}"
|
|
|
+ } > "${tmp}" || {
|
|
|
+ rm -f "${tmp}"
|
|
|
+ return 1
|
|
|
+ }
|
|
|
+ cat "${tmp}" > "${hba_file}" || {
|
|
|
+ rm -f "${tmp}"
|
|
|
+ return 1
|
|
|
+ }
|
|
|
+ rm -f "${tmp}"
|
|
|
+ sudo -u postgres psql -tAc 'SELECT pg_reload_conf()' > /dev/null 2>&1 || true
|
|
|
+}
|
|
|
+
|
|
|
# Installs a local PostgreSQL server and creates a dedicated xui user/database.
|
|
|
# Progress goes to stderr; on success the connection DSN is printed to stdout so
|
|
|
# callers can capture it. Mirrors install_postgres_local() from install.sh, so the
|
|
|
@@ -2930,6 +2966,9 @@ pg_install_local() {
|
|
|
|
|
|
sudo -u postgres psql -c "ALTER USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1
|
|
|
|
|
|
+ pg_ensure_hba_password_auth "${pg_db}" \
|
|
|
+ || echo -e "${yellow}Warning: could not update pg_hba.conf; PostgreSQL may reject the panel's TCP login (ident auth).${plain}" >&2
|
|
|
+
|
|
|
local pg_pass_enc
|
|
|
pg_pass_enc=$(printf '%s' "${pg_pass}" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/@/%40/g' -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/#/%23/g')
|
|
|
|