1
0

outbound.go 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929
  1. // Package link provides parsers for VPN share links (vmess://, vless://, etc.)
  2. // and subscription bodies (typically base64-encoded newline lists of such links).
  3. // The output shape matches the wire format used by the panel's Xray template
  4. // outbounds array so that parsed objects can be injected directly.
  5. package link
  6. import (
  7. "encoding/base64"
  8. "encoding/json"
  9. "fmt"
  10. "math"
  11. "net/url"
  12. "regexp"
  13. "strconv"
  14. "strings"
  15. "time"
  16. )
  17. // Outbound is the minimal shape we emit for each parsed link.
  18. // Extra fields (mux, etc.) are carried inside settings/streamSettings.
  19. type Outbound map[string]any
  20. // ParseResult holds a parsed outbound together with a stable identity string
  21. // that can be used to correlate the same logical server across refreshes
  22. // (even if the remark changes).
  23. type ParseResult struct {
  24. Outbound Outbound
  25. Identity string
  26. }
  27. // ParseSubscriptionBody accepts the raw body returned by a subscription URL.
  28. // It handles the common case where the body is a base64-encoded blob of
  29. // newline-separated links, and also tolerates an already-decoded text body.
  30. // It returns the list of successfully parsed outbounds (in order) and their
  31. // corresponding identities.
  32. func ParseSubscriptionBody(body []byte) ([]Outbound, []string, error) {
  33. text := strings.TrimSpace(string(body))
  34. if text == "" {
  35. return nil, nil, nil
  36. }
  37. // Try base64 decode first (standard and URL-safe variants).
  38. if decoded, ok := tryBase64(text); ok {
  39. text = strings.TrimSpace(decoded)
  40. }
  41. lines := splitLines(text)
  42. var outbounds []Outbound
  43. var identities []string
  44. for _, ln := range lines {
  45. ln = strings.TrimSpace(ln)
  46. if ln == "" || strings.HasPrefix(ln, "#") {
  47. continue
  48. }
  49. res, err := ParseLink(ln)
  50. if err != nil || res == nil {
  51. // Ignore unparseable lines (comments, unsupported protocols, etc.)
  52. continue
  53. }
  54. outbounds = append(outbounds, res.Outbound)
  55. identities = append(identities, res.Identity)
  56. }
  57. return outbounds, identities, nil
  58. }
  59. func tryBase64(s string) (string, bool) {
  60. // Remove whitespace that some providers insert.
  61. clean := strings.Map(func(r rune) rune {
  62. if r == ' ' || r == '\n' || r == '\r' || r == '\t' {
  63. return -1
  64. }
  65. return r
  66. }, s)
  67. // Common padding fix
  68. for len(clean)%4 != 0 {
  69. clean += "="
  70. }
  71. // Standard
  72. if b, err := base64.StdEncoding.DecodeString(clean); err == nil {
  73. return string(b), true
  74. }
  75. // URL-safe (no padding)
  76. if b, err := base64.RawURLEncoding.DecodeString(clean); err == nil {
  77. return string(b), true
  78. }
  79. // URL-safe with padding
  80. if b, err := base64.URLEncoding.DecodeString(clean); err == nil {
  81. return string(b), true
  82. }
  83. return "", false
  84. }
  85. func splitLines(s string) []string {
  86. // Accept \n, \r\n, and also some providers use literal \n in the text.
  87. s = strings.ReplaceAll(s, `\n`, "\n")
  88. return strings.FieldsFunc(s, func(r rune) bool { return r == '\n' || r == '\r' })
  89. }
  90. // ParseLink parses a single share link and returns the outbound object plus
  91. // a stable identity for tag correlation. Supported schemes:
  92. // - vmess://
  93. // - vless://
  94. // - trojan://
  95. // - ss:// (modern and legacy)
  96. // - hysteria2:// (also hy2://)
  97. // - wireguard:// (also wg://)
  98. func ParseLink(link string) (*ParseResult, error) {
  99. link = strings.TrimSpace(link)
  100. switch {
  101. case strings.HasPrefix(link, "vmess://"):
  102. return parseVmess(link)
  103. case strings.HasPrefix(link, "vless://"):
  104. return parseVless(link)
  105. case strings.HasPrefix(link, "trojan://"):
  106. return parseTrojan(link)
  107. case strings.HasPrefix(link, "ss://"):
  108. return parseShadowsocks(link)
  109. case strings.HasPrefix(link, "hysteria2://"), strings.HasPrefix(link, "hy2://"):
  110. return parseHysteria2(link)
  111. case strings.HasPrefix(link, "wireguard://"), strings.HasPrefix(link, "wg://"):
  112. return parseWireguard(link)
  113. default:
  114. return nil, fmt.Errorf("unsupported link scheme")
  115. }
  116. }
  117. // --- vmess ---
  118. func parseVmess(link string) (*ParseResult, error) {
  119. b64 := strings.TrimPrefix(link, "vmess://")
  120. // vmess:// base64(json)
  121. raw, err := base64.StdEncoding.DecodeString(padBase64(b64))
  122. if err != nil {
  123. // Some providers use raw URL-safe
  124. raw, err = base64.RawURLEncoding.DecodeString(b64)
  125. }
  126. if err != nil {
  127. return nil, fmt.Errorf("vmess decode: %w", err)
  128. }
  129. var j map[string]any
  130. if err := json.Unmarshal(raw, &j); err != nil {
  131. return nil, fmt.Errorf("vmess json: %w", err)
  132. }
  133. identity := vmessIdentity(j)
  134. network := getString(j, "net", "tcp")
  135. security := "none"
  136. if tls, _ := j["tls"].(string); tls == "tls" {
  137. security = "tls"
  138. }
  139. stream := buildStream(network, security)
  140. // Map known fields (best effort, matching frontend parser coverage)
  141. switch network {
  142. case "ws":
  143. host, _ := j["host"].(string)
  144. setWS(stream, host, getString(j, "path", "/"))
  145. case "grpc":
  146. svc := getString(j, "path", "")
  147. if auth, ok := j["authority"].(string); ok && auth != "" {
  148. (stream["grpcSettings"].(map[string]any))["authority"] = auth
  149. }
  150. (stream["grpcSettings"].(map[string]any))["serviceName"] = svc
  151. (stream["grpcSettings"].(map[string]any))["multiMode"] = getString(j, "type", "") == "multi"
  152. case "httpupgrade":
  153. setHTTPUpgrade(stream, getString(j, "host", ""), getString(j, "path", "/"))
  154. case "xhttp":
  155. xh := stream["xhttpSettings"].(map[string]any)
  156. xh["host"] = getString(j, "host", "")
  157. xh["path"] = getString(j, "path", "/")
  158. if m := getString(j, "mode", ""); m != "" {
  159. xh["mode"] = m
  160. }
  161. // xhttp advanced keys are passed through if present in the json
  162. for _, k := range []string{"xPaddingBytes", "scMaxEachPostBytes", "scMinPostsIntervalMs"} {
  163. if v, ok := j[k]; ok {
  164. xh[k] = v
  165. }
  166. }
  167. case "tcp":
  168. if getString(j, "type", "") == "http" {
  169. stream["tcpSettings"] = map[string]any{
  170. "header": map[string]any{
  171. "type": "http",
  172. "request": map[string]any{
  173. "version": "1.1",
  174. "method": "GET",
  175. "path": splitComma(getString(j, "path", "/")),
  176. "headers": map[string]any{"Host": splitComma(getString(j, "host", ""))},
  177. },
  178. },
  179. }
  180. }
  181. }
  182. if security == "tls" {
  183. tls := stream["tlsSettings"].(map[string]any)
  184. tls["serverName"] = getString(j, "sni", "")
  185. tls["fingerprint"] = getString(j, "fp", "")
  186. if alpn := getString(j, "alpn", ""); alpn != "" {
  187. tls["alpn"] = splitComma(alpn)
  188. }
  189. }
  190. port := num(j["port"])
  191. scy := getString(j, "scy", "auto")
  192. if scy == "none" || scy == "zero" {
  193. scy = "auto"
  194. }
  195. ob := Outbound{
  196. "protocol": "vmess",
  197. "tag": getString(j, "ps", ""),
  198. "settings": map[string]any{
  199. "vnext": []any{
  200. map[string]any{
  201. "address": getString(j, "add", ""),
  202. "port": port,
  203. "users": []any{
  204. map[string]any{
  205. "id": getString(j, "id", ""),
  206. "security": scy,
  207. },
  208. },
  209. },
  210. },
  211. },
  212. "streamSettings": stream,
  213. }
  214. return &ParseResult{Outbound: ob, Identity: identity}, nil
  215. }
  216. func vmessIdentity(j map[string]any) string {
  217. // Remove ps (remark) for identity
  218. core := map[string]any{}
  219. for k, v := range j {
  220. if k == "ps" {
  221. continue
  222. }
  223. core[k] = v
  224. }
  225. b, _ := json.Marshal(core)
  226. return "vmess:" + string(b)
  227. }
  228. // --- vless / trojan (URL forms) ---
  229. func parseVless(link string) (*ParseResult, error) {
  230. u, err := url.Parse(link)
  231. if err != nil {
  232. return nil, err
  233. }
  234. if u.Scheme != "vless" {
  235. return nil, fmt.Errorf("not vless")
  236. }
  237. id := u.User.Username()
  238. host := u.Hostname()
  239. port := defaultPort(u.Port(), 443)
  240. params := u.Query()
  241. network := params.Get("type")
  242. if network == "" {
  243. network = "tcp"
  244. }
  245. security := params.Get("security")
  246. if security == "" {
  247. security = "none"
  248. }
  249. stream := buildStream(network, security)
  250. applyTransport(stream, params)
  251. applySecurity(stream, params)
  252. applyFinalMask(stream, params)
  253. identity := "vless:" + u.Scheme + "://" + id + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  254. ob := Outbound{
  255. "protocol": "vless",
  256. "tag": decodeHash(u.Fragment),
  257. "settings": map[string]any{
  258. "address": host,
  259. "port": port,
  260. "id": id,
  261. "flow": params.Get("flow"),
  262. "encryption": firstNonEmpty(params.Get("encryption"), "none"),
  263. },
  264. "streamSettings": stream,
  265. }
  266. return &ParseResult{Outbound: ob, Identity: identity}, nil
  267. }
  268. func parseTrojan(link string) (*ParseResult, error) {
  269. u, err := url.Parse(link)
  270. if err != nil {
  271. return nil, err
  272. }
  273. if u.Scheme != "trojan" {
  274. return nil, fmt.Errorf("not trojan")
  275. }
  276. pw := u.User.Username()
  277. host := u.Hostname()
  278. port := defaultPort(u.Port(), 443)
  279. params := u.Query()
  280. network := params.Get("type")
  281. if network == "" {
  282. network = "tcp"
  283. }
  284. security := params.Get("security")
  285. if security == "" {
  286. security = "tls"
  287. }
  288. stream := buildStream(network, security)
  289. applyTransport(stream, params)
  290. applySecurity(stream, params)
  291. applyFinalMask(stream, params)
  292. identity := "trojan:" + u.Scheme + "://" + pw + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  293. ob := Outbound{
  294. "protocol": "trojan",
  295. "tag": decodeHash(u.Fragment),
  296. "settings": map[string]any{
  297. "servers": []any{
  298. map[string]any{"address": host, "port": port, "password": pw},
  299. },
  300. },
  301. "streamSettings": stream,
  302. }
  303. return &ParseResult{Outbound: ob, Identity: identity}, nil
  304. }
  305. // --- shadowsocks ---
  306. func parseShadowsocks(link string) (*ParseResult, error) {
  307. // Two shapes:
  308. // ss://base64(method:pass)@host:port#remark
  309. // ss://base64(method:pass@host:port)#remark
  310. remark := ""
  311. if i := strings.Index(link, "#"); i >= 0 {
  312. remark, _ = url.QueryUnescape(link[i+1:])
  313. link = link[:i]
  314. }
  315. if i := strings.Index(link, "?"); i >= 0 {
  316. link = link[:i]
  317. }
  318. core := strings.TrimPrefix(link, "ss://")
  319. at := strings.Index(core, "@")
  320. if at >= 0 {
  321. // modern
  322. userB64 := core[:at]
  323. hp := strings.TrimRight(core[at+1:], "/")
  324. userInfo, err := base64DecodeFlexible(userB64)
  325. if err != nil {
  326. // SIP022 (2022-blake3-*) userinfo is percent-encoded, not base64.
  327. if dec, uerr := url.QueryUnescape(userB64); uerr == nil {
  328. userInfo = dec
  329. } else {
  330. userInfo = userB64 // not b64, rare
  331. }
  332. }
  333. colon := strings.LastIndex(hp, ":")
  334. if colon < 0 {
  335. return nil, fmt.Errorf("bad ss host:port")
  336. }
  337. host := hp[:colon]
  338. port, err := strconv.Atoi(hp[colon+1:])
  339. if err != nil {
  340. return nil, fmt.Errorf("bad ss port %q: %w", hp[colon+1:], err)
  341. }
  342. method, pass := splitMethodPass(userInfo)
  343. identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
  344. ob := Outbound{
  345. "protocol": "shadowsocks",
  346. "tag": remark,
  347. "settings": map[string]any{
  348. "servers": []any{
  349. map[string]any{"address": host, "port": port, "password": pass, "method": method},
  350. },
  351. },
  352. }
  353. return &ParseResult{Outbound: ob, Identity: identity}, nil
  354. }
  355. // legacy: whole thing b64
  356. dec, err := base64DecodeFlexible(core)
  357. if err != nil {
  358. return nil, err
  359. }
  360. at = strings.Index(dec, "@")
  361. if at < 0 {
  362. return nil, fmt.Errorf("bad legacy ss")
  363. }
  364. userInfo := dec[:at]
  365. hp := dec[at+1:]
  366. colon := strings.LastIndex(hp, ":")
  367. if colon < 0 {
  368. return nil, fmt.Errorf("bad legacy ss hp")
  369. }
  370. host := hp[:colon]
  371. port, err := strconv.Atoi(hp[colon+1:])
  372. if err != nil {
  373. return nil, fmt.Errorf("bad legacy ss port %q: %w", hp[colon+1:], err)
  374. }
  375. method, pass := splitMethodPass(userInfo)
  376. identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
  377. ob := Outbound{
  378. "protocol": "shadowsocks",
  379. "tag": remark,
  380. "settings": map[string]any{
  381. "servers": []any{
  382. map[string]any{"address": host, "port": port, "password": pass, "method": method},
  383. },
  384. },
  385. }
  386. return &ParseResult{Outbound: ob, Identity: identity}, nil
  387. }
  388. func splitMethodPass(userInfo string) (string, string) {
  389. before, after, ok := strings.Cut(userInfo, ":")
  390. if !ok {
  391. return "2022-blake3-aes-128-gcm", userInfo // guess
  392. }
  393. return before, after
  394. }
  395. // --- hysteria2 ---
  396. func parseHysteria2(link string) (*ParseResult, error) {
  397. u, err := url.Parse(link)
  398. if err != nil {
  399. return nil, err
  400. }
  401. if u.Scheme != "hysteria2" && u.Scheme != "hy2" {
  402. return nil, fmt.Errorf("not hysteria2")
  403. }
  404. auth := u.User.Username()
  405. host := u.Hostname()
  406. port := defaultPort(u.Port(), 443)
  407. params := u.Query()
  408. stream := map[string]any{
  409. "network": "hysteria",
  410. "security": "tls",
  411. "hysteriaSettings": map[string]any{
  412. "version": 2,
  413. "auth": auth,
  414. "udpIdleTimeout": 60,
  415. },
  416. "tlsSettings": map[string]any{
  417. "serverName": params.Get("sni"),
  418. "alpn": splitCommaOrDefault(params.Get("alpn"), []string{"h3"}),
  419. "fingerprint": params.Get("fp"),
  420. "echConfigList": params.Get("ech"),
  421. "verifyPeerCertByName": params.Get("vcn"),
  422. "pinnedPeerCertSha256": params.Get("pinSHA256"),
  423. },
  424. }
  425. applyFinalMask(stream, params)
  426. identity := "hysteria2:" + auth + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  427. ob := Outbound{
  428. "protocol": "hysteria",
  429. "tag": decodeHash(u.Fragment),
  430. "settings": map[string]any{"address": host, "port": port, "version": 2},
  431. "streamSettings": stream,
  432. }
  433. return &ParseResult{Outbound: ob, Identity: identity}, nil
  434. }
  435. // --- wireguard ---
  436. func parseWireguard(link string) (*ParseResult, error) {
  437. u, err := url.Parse(link)
  438. if err != nil {
  439. return nil, err
  440. }
  441. if u.Scheme != "wireguard" && u.Scheme != "wg" {
  442. return nil, fmt.Errorf("not wireguard")
  443. }
  444. secret, _ := url.QueryUnescape(u.User.Username())
  445. params := u.Query()
  446. host := u.Hostname()
  447. portStr := u.Port()
  448. endpoint := host
  449. if portStr != "" {
  450. endpoint = host + ":" + portStr
  451. }
  452. addrRaw := firstParam(params, "address", "ip")
  453. allowedRaw := firstParam(params, "allowedips", "allowed_ips")
  454. addrs := splitComma(addrRaw)
  455. if len(addrs) == 0 {
  456. addrs = []string{"0.0.0.0/0", "::/0"}
  457. }
  458. allowed := splitComma(allowedRaw)
  459. if len(allowed) == 0 {
  460. allowed = []string{"0.0.0.0/0", "::/0"}
  461. }
  462. peer := map[string]any{
  463. "publicKey": firstParam(params, "publickey", "publicKey", "public_key", "peerPublicKey"),
  464. "endpoint": endpoint,
  465. "allowedIPs": allowed,
  466. }
  467. if psk := firstParam(params, "presharedkey", "preshared_key", "pre-shared-key", "psk"); psk != "" {
  468. peer["preSharedKey"] = psk
  469. }
  470. if ka := firstParam(params, "keepalive", "persistentkeepalive", "persistent_keepalive"); ka != "" {
  471. if n, err := strconv.Atoi(ka); err == nil {
  472. peer["keepAlive"] = n
  473. }
  474. }
  475. settings := map[string]any{
  476. "secretKey": secret,
  477. "address": addrs,
  478. "peers": []any{peer},
  479. }
  480. if mtu := params.Get("mtu"); mtu != "" {
  481. if n, err := strconv.Atoi(mtu); err == nil {
  482. settings["mtu"] = n
  483. }
  484. }
  485. if res := params.Get("reserved"); res != "" {
  486. parts := splitComma(res)
  487. var iv []int
  488. for _, p := range parts {
  489. if n, err := strconv.Atoi(strings.TrimSpace(p)); err == nil {
  490. iv = append(iv, n)
  491. }
  492. }
  493. if len(iv) > 0 {
  494. settings["reserved"] = iv
  495. }
  496. }
  497. identity := "wireguard:" + secret + "@" + endpoint + "?" + canonicalQuery(params)
  498. ob := Outbound{
  499. "protocol": "wireguard",
  500. "tag": decodeHash(u.Fragment),
  501. "settings": settings,
  502. }
  503. return &ParseResult{Outbound: ob, Identity: identity}, nil
  504. }
  505. // --- helpers ---
  506. func buildStream(network, security string) map[string]any {
  507. stream := map[string]any{"network": network, "security": security}
  508. switch network {
  509. case "tcp":
  510. stream["tcpSettings"] = map[string]any{"header": map[string]any{"type": "none"}}
  511. case "kcp":
  512. stream["kcpSettings"] = map[string]any{
  513. "mtu": 1350, "tti": 20, "uplinkCapacity": 5, "downlinkCapacity": 20,
  514. "cwndMultiplier": 1, "maxSendingWindow": 2097152,
  515. }
  516. case "ws":
  517. stream["wsSettings"] = map[string]any{"path": "/", "host": "", "headers": map[string]any{}, "heartbeatPeriod": 0}
  518. case "grpc":
  519. stream["grpcSettings"] = map[string]any{"serviceName": "", "authority": "", "multiMode": false}
  520. case "httpupgrade":
  521. stream["httpupgradeSettings"] = map[string]any{"path": "/", "host": "", "headers": map[string]any{}}
  522. case "xhttp":
  523. // No scMaxEachPostBytes/scMinPostsIntervalMs seed: xray-core's own
  524. // defaults apply, and the literal values fingerprint traffic (#5141).
  525. stream["xhttpSettings"] = map[string]any{
  526. "path": "/", "host": "", "mode": "auto", "headers": map[string]any{},
  527. "xPaddingBytes": "100-1000",
  528. }
  529. default:
  530. stream["tcpSettings"] = map[string]any{"header": map[string]any{"type": "none"}}
  531. }
  532. switch security {
  533. case "tls":
  534. stream["tlsSettings"] = map[string]any{
  535. "serverName": "", "alpn": []any{}, "fingerprint": "",
  536. "echConfigList": "", "verifyPeerCertByName": "", "pinnedPeerCertSha256": "",
  537. }
  538. case "reality":
  539. stream["realitySettings"] = map[string]any{
  540. "publicKey": "", "fingerprint": "chrome", "serverName": "",
  541. "shortId": "", "spiderX": "", "mldsa65Verify": "",
  542. }
  543. }
  544. return stream
  545. }
  546. func setWS(stream map[string]any, host, path string) {
  547. ws := stream["wsSettings"].(map[string]any)
  548. ws["host"] = host
  549. ws["path"] = path
  550. }
  551. func setHTTPUpgrade(stream map[string]any, host, path string) {
  552. h := stream["httpupgradeSettings"].(map[string]any)
  553. h["host"] = host
  554. h["path"] = path
  555. }
  556. func applyTransport(stream map[string]any, p url.Values) {
  557. net := stream["network"].(string)
  558. host := p.Get("host")
  559. path := firstNonEmpty(p.Get("path"), "/")
  560. switch net {
  561. case "ws":
  562. setWS(stream, host, path)
  563. case "grpc":
  564. gs := stream["grpcSettings"].(map[string]any)
  565. gs["serviceName"] = firstNonEmpty(p.Get("serviceName"), p.Get("path"))
  566. gs["authority"] = p.Get("authority")
  567. gs["multiMode"] = p.Get("mode") == "multi"
  568. case "httpupgrade":
  569. setHTTPUpgrade(stream, host, path)
  570. case "xhttp":
  571. xh := stream["xhttpSettings"].(map[string]any)
  572. xh["host"] = host
  573. xh["path"] = path
  574. if m := p.Get("mode"); m != "" {
  575. xh["mode"] = m
  576. }
  577. // The panel's own emitters carry the advanced xhttp knobs as a
  578. // snake_case x_padding_bytes plus an extra=<json> blob, not as top-level
  579. // camelCase params. Mirror the TS parser's precedence (snake_case alias
  580. // -> extra JSON -> explicit camelCase) so a re-imported share link keeps
  581. // them instead of silently reverting to the stream defaults.
  582. if v := p.Get("x_padding_bytes"); v != "" {
  583. xh["xPaddingBytes"] = v
  584. }
  585. if extra := p.Get("extra"); extra != "" {
  586. var parsed map[string]any
  587. if err := json.Unmarshal([]byte(extra), &parsed); err == nil {
  588. for k, v := range parsed {
  589. xh[k] = v
  590. }
  591. }
  592. }
  593. for _, k := range []string{"xPaddingBytes", "scMaxEachPostBytes", "scMinPostsIntervalMs", "uplinkChunkSize"} {
  594. if v := p.Get(k); v != "" {
  595. xh[k] = v
  596. }
  597. }
  598. case "tcp":
  599. if p.Get("headerType") == "http" || p.Get("type") == "http" {
  600. stream["tcpSettings"] = map[string]any{
  601. "header": map[string]any{
  602. "type": "http",
  603. "request": map[string]any{
  604. "version": "1.1",
  605. "method": "GET",
  606. "path": splitComma(path),
  607. "headers": map[string]any{"Host": splitComma(host)},
  608. },
  609. },
  610. }
  611. }
  612. }
  613. }
  614. func applySecurity(stream map[string]any, p url.Values) {
  615. sec := stream["security"].(string)
  616. switch sec {
  617. case "tls":
  618. tls := stream["tlsSettings"].(map[string]any)
  619. tls["serverName"] = p.Get("sni")
  620. tls["fingerprint"] = p.Get("fp")
  621. if alpn := p.Get("alpn"); alpn != "" {
  622. tls["alpn"] = splitComma(alpn)
  623. }
  624. tls["echConfigList"] = p.Get("ech")
  625. tls["pinnedPeerCertSha256"] = p.Get("pcs")
  626. case "reality":
  627. re := stream["realitySettings"].(map[string]any)
  628. re["serverName"] = p.Get("sni")
  629. re["fingerprint"] = firstNonEmpty(p.Get("fp"), "chrome")
  630. re["publicKey"] = p.Get("pbk")
  631. re["shortId"] = p.Get("sid")
  632. re["spiderX"] = p.Get("spx")
  633. re["mldsa65Verify"] = p.Get("pqv")
  634. }
  635. }
  636. func applyFinalMask(stream map[string]any, p url.Values) {
  637. if fm := p.Get("fm"); fm != "" {
  638. var parsed any
  639. if json.Unmarshal([]byte(fm), &parsed) == nil {
  640. sanitizeFinalMaskQuicParams(parsed)
  641. stream["finalmask"] = parsed
  642. }
  643. }
  644. }
  645. // sanitizeFinalMaskQuicParams coerces the strictly numeric quicParams fields
  646. // of a finalmask blob taken verbatim from a share link's fm= parameter.
  647. // Xray-core rejects the whole config at startup when e.g. keepAlivePeriod
  648. // arrives as a duration string like "10s" or an out-of-range integer, so
  649. // numeric strings are parsed, duration strings are converted to whole
  650. // seconds, the ranged fields are clamped to what xray accepts, and anything
  651. // non-finite, negative, absurdly large, or unparseable is dropped so a bad
  652. // value falls back to xray's default instead of killing the config (#5783).
  653. func sanitizeFinalMaskQuicParams(parsed any) {
  654. fm, ok := parsed.(map[string]any)
  655. if !ok {
  656. return
  657. }
  658. qp, ok := fm["quicParams"].(map[string]any)
  659. if !ok {
  660. return
  661. }
  662. numericKeys := []string{
  663. "initStreamReceiveWindow", "maxStreamReceiveWindow",
  664. "initConnectionReceiveWindow", "maxConnectionReceiveWindow",
  665. "maxIdleTimeout", "keepAlivePeriod", "maxIncomingStreams",
  666. }
  667. for _, key := range numericKeys {
  668. raw, exists := qp[key]
  669. if !exists {
  670. continue
  671. }
  672. n, ok := coerceQuicNumeric(raw)
  673. if ok {
  674. n, ok = clampQuicNumeric(key, n)
  675. }
  676. if !ok {
  677. delete(qp, key)
  678. continue
  679. }
  680. qp[key] = int64(n)
  681. }
  682. }
  683. func coerceQuicNumeric(raw any) (float64, bool) {
  684. switch v := raw.(type) {
  685. case float64:
  686. return math.Trunc(v), true
  687. case string:
  688. if n, err := strconv.ParseFloat(v, 64); err == nil && !math.IsInf(n, 0) && !math.IsNaN(n) {
  689. return math.Trunc(n), true
  690. }
  691. if d, err := time.ParseDuration(v); err == nil {
  692. return math.Trunc(d.Seconds()), true
  693. }
  694. }
  695. return 0, false
  696. }
  697. // clampQuicNumeric enforces xray-core's QuicParamsConfig validation so a
  698. // coerced value cannot still fail the config load: keepAlivePeriod is 0 or
  699. // 2-60, maxIdleTimeout is 0 or 4-120, maxIncomingStreams is 0 or >= 8.
  700. // quicNumericMax keeps values in plain-integer JSON territory and far below
  701. // the uint64 window fields' range.
  702. const quicNumericMax = float64(1e15)
  703. func clampQuicNumeric(key string, n float64) (float64, bool) {
  704. if n < 0 || n > quicNumericMax {
  705. return 0, false
  706. }
  707. if n == 0 {
  708. return 0, true
  709. }
  710. switch key {
  711. case "keepAlivePeriod":
  712. return math.Min(math.Max(n, 2), 60), true
  713. case "maxIdleTimeout":
  714. return math.Min(math.Max(n, 4), 120), true
  715. case "maxIncomingStreams":
  716. return math.Max(n, 8), true
  717. }
  718. return n, true
  719. }
  720. func firstNonEmpty(a, b string) string {
  721. if a != "" {
  722. return a
  723. }
  724. return b
  725. }
  726. func firstParam(p url.Values, keys ...string) string {
  727. for _, k := range keys {
  728. if v := p.Get(k); v != "" {
  729. return v
  730. }
  731. }
  732. return ""
  733. }
  734. func canonicalQuery(p url.Values) string {
  735. // Sort keys for stable identity
  736. keys := make([]string, 0, len(p))
  737. for k := range p {
  738. keys = append(keys, k)
  739. }
  740. // simple sort
  741. for i := 0; i < len(keys); i++ {
  742. for j := i + 1; j < len(keys); j++ {
  743. if keys[j] < keys[i] {
  744. keys[i], keys[j] = keys[j], keys[i]
  745. }
  746. }
  747. }
  748. parts := make([]string, 0, len(keys))
  749. for _, k := range keys {
  750. for _, v := range p[k] {
  751. parts = append(parts, k+"="+v)
  752. }
  753. }
  754. return strings.Join(parts, "&")
  755. }
  756. func decodeHash(h string) string {
  757. if h == "" {
  758. return ""
  759. }
  760. if dec, err := url.QueryUnescape(h); err == nil {
  761. return dec
  762. }
  763. return h
  764. }
  765. func defaultPort(p string, def int) int {
  766. if p == "" {
  767. return def
  768. }
  769. n, err := strconv.Atoi(p)
  770. if err != nil || n <= 0 {
  771. return def
  772. }
  773. return n
  774. }
  775. func num(v any) int {
  776. switch x := v.(type) {
  777. case float64:
  778. return int(x)
  779. case int:
  780. return x
  781. case int64:
  782. return int(x)
  783. case string:
  784. n, _ := strconv.Atoi(x)
  785. return n
  786. }
  787. return 0
  788. }
  789. func getString(m map[string]any, key, def string) string {
  790. if v, ok := m[key]; ok {
  791. if s, ok := v.(string); ok {
  792. return s
  793. }
  794. }
  795. return def
  796. }
  797. func splitComma(s string) []string {
  798. if s == "" {
  799. return nil
  800. }
  801. parts := strings.Split(s, ",")
  802. out := make([]string, 0, len(parts))
  803. for _, p := range parts {
  804. p = strings.TrimSpace(p)
  805. if p != "" {
  806. out = append(out, p)
  807. }
  808. }
  809. return out
  810. }
  811. func splitCommaOrDefault(s string, def []string) []string {
  812. if s == "" {
  813. return def
  814. }
  815. return splitComma(s)
  816. }
  817. func padBase64(s string) string {
  818. for len(s)%4 != 0 {
  819. s += "="
  820. }
  821. return s
  822. }
  823. func base64DecodeFlexible(s string) (string, error) {
  824. s = padBase64(s)
  825. if b, err := base64.StdEncoding.DecodeString(s); err == nil {
  826. return string(b), nil
  827. }
  828. if b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "=")); err == nil {
  829. return string(b), nil
  830. }
  831. return "", fmt.Errorf("base64 decode failed")
  832. }
  833. // SlugRemark turns a free-form remark into a tag segment, keeping Unicode
  834. // letters and digits (so non-ASCII remarks like Cyrillic stay readable) and
  835. // replacing every other run of characters with a single dash.
  836. var slugRe = regexp.MustCompile(`[^\p{L}\p{N}]+`)
  837. func SlugRemark(remark string) string {
  838. s := strings.ToLower(strings.TrimSpace(remark))
  839. s = slugRe.ReplaceAllString(s, "-")
  840. s = strings.Trim(s, "-")
  841. if s == "" {
  842. return ""
  843. }
  844. // collapse runs of dashes
  845. for strings.Contains(s, "--") {
  846. s = strings.ReplaceAll(s, "--", "-")
  847. }
  848. return s
  849. }
  850. // SuggestTag builds a tag from a prefix and a remark (or index fallback).
  851. // It is intended for initial assignment; stability is handled by the service layer.
  852. func SuggestTag(prefix, remark string, idx int) string {
  853. base := SlugRemark(remark)
  854. if base == "" {
  855. base = fmt.Sprintf("%d", idx)
  856. }
  857. p := strings.TrimSuffix(prefix, "-")
  858. if p != "" {
  859. return p + "-" + base
  860. }
  861. return base
  862. }