1
0

outbound.go 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915
  1. // Package link provides parsers for VPN share links (vmess://, vless://, etc.)
  2. // and subscription bodies (typically base64-encoded newline lists of such links).
  3. // The output shape matches the wire format used by the panel's Xray template
  4. // outbounds array so that parsed objects can be injected directly.
  5. package link
  6. import (
  7. "encoding/base64"
  8. "encoding/json"
  9. "fmt"
  10. "math"
  11. "net/url"
  12. "regexp"
  13. "strconv"
  14. "strings"
  15. "time"
  16. )
  17. // Outbound is the minimal shape we emit for each parsed link.
  18. // Extra fields (mux, etc.) are carried inside settings/streamSettings.
  19. type Outbound map[string]any
  20. // ParseResult holds a parsed outbound together with a stable identity string
  21. // that can be used to correlate the same logical server across refreshes
  22. // (even if the remark changes).
  23. type ParseResult struct {
  24. Outbound Outbound
  25. Identity string
  26. }
  27. // ParseSubscriptionBody accepts the raw body returned by a subscription URL.
  28. // It handles the common case where the body is a base64-encoded blob of
  29. // newline-separated links, and also tolerates an already-decoded text body.
  30. // It returns the list of successfully parsed outbounds (in order) and their
  31. // corresponding identities.
  32. func ParseSubscriptionBody(body []byte) ([]Outbound, []string, error) {
  33. text := strings.TrimSpace(string(body))
  34. if text == "" {
  35. return nil, nil, nil
  36. }
  37. // Try base64 decode first (standard and URL-safe variants).
  38. if decoded, ok := tryBase64(text); ok {
  39. text = strings.TrimSpace(decoded)
  40. }
  41. lines := splitLines(text)
  42. var outbounds []Outbound
  43. var identities []string
  44. for _, ln := range lines {
  45. ln = strings.TrimSpace(ln)
  46. if ln == "" || strings.HasPrefix(ln, "#") {
  47. continue
  48. }
  49. res, err := ParseLink(ln)
  50. if err != nil || res == nil {
  51. // Ignore unparseable lines (comments, unsupported protocols, etc.)
  52. continue
  53. }
  54. outbounds = append(outbounds, res.Outbound)
  55. identities = append(identities, res.Identity)
  56. }
  57. return outbounds, identities, nil
  58. }
  59. func tryBase64(s string) (string, bool) {
  60. // Remove whitespace that some providers insert.
  61. clean := strings.Map(func(r rune) rune {
  62. if r == ' ' || r == '\n' || r == '\r' || r == '\t' {
  63. return -1
  64. }
  65. return r
  66. }, s)
  67. // Common padding fix
  68. for len(clean)%4 != 0 {
  69. clean += "="
  70. }
  71. // Standard
  72. if b, err := base64.StdEncoding.DecodeString(clean); err == nil {
  73. return string(b), true
  74. }
  75. // URL-safe (no padding)
  76. if b, err := base64.RawURLEncoding.DecodeString(clean); err == nil {
  77. return string(b), true
  78. }
  79. // URL-safe with padding
  80. if b, err := base64.URLEncoding.DecodeString(clean); err == nil {
  81. return string(b), true
  82. }
  83. return "", false
  84. }
  85. func splitLines(s string) []string {
  86. // Accept \n, \r\n, and also some providers use literal \n in the text.
  87. s = strings.ReplaceAll(s, `\n`, "\n")
  88. return strings.FieldsFunc(s, func(r rune) bool { return r == '\n' || r == '\r' })
  89. }
  90. // ParseLink parses a single share link and returns the outbound object plus
  91. // a stable identity for tag correlation. Supported schemes:
  92. // - vmess://
  93. // - vless://
  94. // - trojan://
  95. // - ss:// (modern and legacy)
  96. // - hysteria2:// (also hy2://)
  97. // - wireguard:// (also wg://)
  98. func ParseLink(link string) (*ParseResult, error) {
  99. link = strings.TrimSpace(link)
  100. switch {
  101. case strings.HasPrefix(link, "vmess://"):
  102. return parseVmess(link)
  103. case strings.HasPrefix(link, "vless://"):
  104. return parseVless(link)
  105. case strings.HasPrefix(link, "trojan://"):
  106. return parseTrojan(link)
  107. case strings.HasPrefix(link, "ss://"):
  108. return parseShadowsocks(link)
  109. case strings.HasPrefix(link, "hysteria2://"), strings.HasPrefix(link, "hy2://"):
  110. return parseHysteria2(link)
  111. case strings.HasPrefix(link, "wireguard://"), strings.HasPrefix(link, "wg://"):
  112. return parseWireguard(link)
  113. default:
  114. return nil, fmt.Errorf("unsupported link scheme")
  115. }
  116. }
  117. // --- vmess ---
  118. func parseVmess(link string) (*ParseResult, error) {
  119. b64 := strings.TrimPrefix(link, "vmess://")
  120. // vmess:// base64(json)
  121. raw, err := base64.StdEncoding.DecodeString(padBase64(b64))
  122. if err != nil {
  123. // Some providers use raw URL-safe
  124. raw, err = base64.RawURLEncoding.DecodeString(b64)
  125. }
  126. if err != nil {
  127. return nil, fmt.Errorf("vmess decode: %w", err)
  128. }
  129. var j map[string]any
  130. if err := json.Unmarshal(raw, &j); err != nil {
  131. return nil, fmt.Errorf("vmess json: %w", err)
  132. }
  133. identity := vmessIdentity(j)
  134. network := getString(j, "net", "tcp")
  135. security := "none"
  136. if tls, _ := j["tls"].(string); tls == "tls" {
  137. security = "tls"
  138. }
  139. stream := buildStream(network, security)
  140. // Map known fields (best effort, matching frontend parser coverage)
  141. switch network {
  142. case "ws":
  143. if host, ok := j["host"].(string); ok {
  144. setWS(stream, host, getString(j, "path", "/"))
  145. }
  146. case "grpc":
  147. svc := getString(j, "path", "")
  148. if auth, ok := j["authority"].(string); ok && auth != "" {
  149. (stream["grpcSettings"].(map[string]any))["authority"] = auth
  150. }
  151. (stream["grpcSettings"].(map[string]any))["serviceName"] = svc
  152. (stream["grpcSettings"].(map[string]any))["multiMode"] = getString(j, "type", "") == "multi"
  153. case "httpupgrade":
  154. setHTTPUpgrade(stream, getString(j, "host", ""), getString(j, "path", "/"))
  155. case "xhttp":
  156. xh := stream["xhttpSettings"].(map[string]any)
  157. xh["host"] = getString(j, "host", "")
  158. xh["path"] = getString(j, "path", "/")
  159. if m := getString(j, "mode", ""); m != "" {
  160. xh["mode"] = m
  161. }
  162. // xhttp advanced keys are passed through if present in the json
  163. for _, k := range []string{"xPaddingBytes", "scMaxEachPostBytes", "scMinPostsIntervalMs"} {
  164. if v, ok := j[k]; ok {
  165. xh[k] = v
  166. }
  167. }
  168. case "tcp":
  169. if getString(j, "type", "") == "http" {
  170. stream["tcpSettings"] = map[string]any{
  171. "header": map[string]any{
  172. "type": "http",
  173. "request": map[string]any{
  174. "version": "1.1",
  175. "method": "GET",
  176. "path": splitComma(getString(j, "path", "/")),
  177. "headers": map[string]any{"Host": splitComma(getString(j, "host", ""))},
  178. },
  179. },
  180. }
  181. }
  182. }
  183. if security == "tls" {
  184. tls := stream["tlsSettings"].(map[string]any)
  185. tls["serverName"] = getString(j, "sni", "")
  186. tls["fingerprint"] = getString(j, "fp", "")
  187. if alpn := getString(j, "alpn", ""); alpn != "" {
  188. tls["alpn"] = splitComma(alpn)
  189. }
  190. }
  191. port := num(j["port"])
  192. scy := getString(j, "scy", "auto")
  193. if scy == "none" || scy == "zero" {
  194. scy = "auto"
  195. }
  196. ob := Outbound{
  197. "protocol": "vmess",
  198. "tag": getString(j, "ps", ""),
  199. "settings": map[string]any{
  200. "vnext": []any{
  201. map[string]any{
  202. "address": getString(j, "add", ""),
  203. "port": port,
  204. "users": []any{
  205. map[string]any{
  206. "id": getString(j, "id", ""),
  207. "security": scy,
  208. },
  209. },
  210. },
  211. },
  212. },
  213. "streamSettings": stream,
  214. }
  215. return &ParseResult{Outbound: ob, Identity: identity}, nil
  216. }
  217. func vmessIdentity(j map[string]any) string {
  218. // Remove ps (remark) for identity
  219. core := map[string]any{}
  220. for k, v := range j {
  221. if k == "ps" {
  222. continue
  223. }
  224. core[k] = v
  225. }
  226. b, _ := json.Marshal(core)
  227. return "vmess:" + string(b)
  228. }
  229. // --- vless / trojan (URL forms) ---
  230. func parseVless(link string) (*ParseResult, error) {
  231. u, err := url.Parse(link)
  232. if err != nil {
  233. return nil, err
  234. }
  235. if u.Scheme != "vless" {
  236. return nil, fmt.Errorf("not vless")
  237. }
  238. id := u.User.Username()
  239. host := u.Hostname()
  240. port := defaultPort(u.Port(), 443)
  241. params := u.Query()
  242. network := params.Get("type")
  243. if network == "" {
  244. network = "tcp"
  245. }
  246. security := params.Get("security")
  247. if security == "" {
  248. security = "none"
  249. }
  250. stream := buildStream(network, security)
  251. applyTransport(stream, params)
  252. applySecurity(stream, params)
  253. applyFinalMask(stream, params)
  254. identity := "vless:" + u.Scheme + "://" + id + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  255. ob := Outbound{
  256. "protocol": "vless",
  257. "tag": decodeHash(u.Fragment),
  258. "settings": map[string]any{
  259. "address": host,
  260. "port": port,
  261. "id": id,
  262. "flow": params.Get("flow"),
  263. "encryption": firstNonEmpty(params.Get("encryption"), "none"),
  264. },
  265. "streamSettings": stream,
  266. }
  267. return &ParseResult{Outbound: ob, Identity: identity}, nil
  268. }
  269. func parseTrojan(link string) (*ParseResult, error) {
  270. u, err := url.Parse(link)
  271. if err != nil {
  272. return nil, err
  273. }
  274. if u.Scheme != "trojan" {
  275. return nil, fmt.Errorf("not trojan")
  276. }
  277. pw := u.User.Username()
  278. host := u.Hostname()
  279. port := defaultPort(u.Port(), 443)
  280. params := u.Query()
  281. network := params.Get("type")
  282. if network == "" {
  283. network = "tcp"
  284. }
  285. security := params.Get("security")
  286. if security == "" {
  287. security = "tls"
  288. }
  289. stream := buildStream(network, security)
  290. applyTransport(stream, params)
  291. applySecurity(stream, params)
  292. applyFinalMask(stream, params)
  293. identity := "trojan:" + u.Scheme + "://" + pw + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  294. ob := Outbound{
  295. "protocol": "trojan",
  296. "tag": decodeHash(u.Fragment),
  297. "settings": map[string]any{
  298. "servers": []any{
  299. map[string]any{"address": host, "port": port, "password": pw},
  300. },
  301. },
  302. "streamSettings": stream,
  303. }
  304. return &ParseResult{Outbound: ob, Identity: identity}, nil
  305. }
  306. // --- shadowsocks ---
  307. func parseShadowsocks(link string) (*ParseResult, error) {
  308. // Two shapes:
  309. // ss://base64(method:pass)@host:port#remark
  310. // ss://base64(method:pass@host:port)#remark
  311. remark := ""
  312. if i := strings.Index(link, "#"); i >= 0 {
  313. remark, _ = url.QueryUnescape(link[i+1:])
  314. link = link[:i]
  315. }
  316. if i := strings.Index(link, "?"); i >= 0 {
  317. link = link[:i]
  318. }
  319. core := strings.TrimPrefix(link, "ss://")
  320. at := strings.Index(core, "@")
  321. if at >= 0 {
  322. // modern
  323. userB64 := core[:at]
  324. hp := strings.TrimRight(core[at+1:], "/")
  325. userInfo, err := base64DecodeFlexible(userB64)
  326. if err != nil {
  327. // SIP022 (2022-blake3-*) userinfo is percent-encoded, not base64.
  328. if dec, uerr := url.QueryUnescape(userB64); uerr == nil {
  329. userInfo = dec
  330. } else {
  331. userInfo = userB64 // not b64, rare
  332. }
  333. }
  334. colon := strings.LastIndex(hp, ":")
  335. if colon < 0 {
  336. return nil, fmt.Errorf("bad ss host:port")
  337. }
  338. host := hp[:colon]
  339. port, err := strconv.Atoi(hp[colon+1:])
  340. if err != nil {
  341. return nil, fmt.Errorf("bad ss port %q: %w", hp[colon+1:], err)
  342. }
  343. method, pass := splitMethodPass(userInfo)
  344. identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
  345. ob := Outbound{
  346. "protocol": "shadowsocks",
  347. "tag": remark,
  348. "settings": map[string]any{
  349. "servers": []any{
  350. map[string]any{"address": host, "port": port, "password": pass, "method": method},
  351. },
  352. },
  353. }
  354. return &ParseResult{Outbound: ob, Identity: identity}, nil
  355. }
  356. // legacy: whole thing b64
  357. dec, err := base64DecodeFlexible(core)
  358. if err != nil {
  359. return nil, err
  360. }
  361. at = strings.Index(dec, "@")
  362. if at < 0 {
  363. return nil, fmt.Errorf("bad legacy ss")
  364. }
  365. userInfo := dec[:at]
  366. hp := dec[at+1:]
  367. colon := strings.LastIndex(hp, ":")
  368. if colon < 0 {
  369. return nil, fmt.Errorf("bad legacy ss hp")
  370. }
  371. host := hp[:colon]
  372. port, err := strconv.Atoi(hp[colon+1:])
  373. if err != nil {
  374. return nil, fmt.Errorf("bad legacy ss port %q: %w", hp[colon+1:], err)
  375. }
  376. method, pass := splitMethodPass(userInfo)
  377. identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
  378. ob := Outbound{
  379. "protocol": "shadowsocks",
  380. "tag": remark,
  381. "settings": map[string]any{
  382. "servers": []any{
  383. map[string]any{"address": host, "port": port, "password": pass, "method": method},
  384. },
  385. },
  386. }
  387. return &ParseResult{Outbound: ob, Identity: identity}, nil
  388. }
  389. func splitMethodPass(userInfo string) (string, string) {
  390. before, after, ok := strings.Cut(userInfo, ":")
  391. if !ok {
  392. return "2022-blake3-aes-128-gcm", userInfo // guess
  393. }
  394. return before, after
  395. }
  396. // --- hysteria2 ---
  397. func parseHysteria2(link string) (*ParseResult, error) {
  398. u, err := url.Parse(link)
  399. if err != nil {
  400. return nil, err
  401. }
  402. if u.Scheme != "hysteria2" && u.Scheme != "hy2" {
  403. return nil, fmt.Errorf("not hysteria2")
  404. }
  405. auth := u.User.Username()
  406. host := u.Hostname()
  407. port := defaultPort(u.Port(), 443)
  408. params := u.Query()
  409. stream := map[string]any{
  410. "network": "hysteria",
  411. "security": "tls",
  412. "hysteriaSettings": map[string]any{
  413. "version": 2,
  414. "auth": auth,
  415. "udpIdleTimeout": 60,
  416. },
  417. "tlsSettings": map[string]any{
  418. "serverName": params.Get("sni"),
  419. "alpn": splitCommaOrDefault(params.Get("alpn"), []string{"h3"}),
  420. "fingerprint": params.Get("fp"),
  421. "echConfigList": params.Get("ech"),
  422. "verifyPeerCertByName": "",
  423. "pinnedPeerCertSha256": params.Get("pinSHA256"),
  424. },
  425. }
  426. applyFinalMask(stream, params)
  427. identity := "hysteria2:" + auth + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  428. ob := Outbound{
  429. "protocol": "hysteria",
  430. "tag": decodeHash(u.Fragment),
  431. "settings": map[string]any{"address": host, "port": port, "version": 2},
  432. "streamSettings": stream,
  433. }
  434. return &ParseResult{Outbound: ob, Identity: identity}, nil
  435. }
  436. // --- wireguard ---
  437. func parseWireguard(link string) (*ParseResult, error) {
  438. u, err := url.Parse(link)
  439. if err != nil {
  440. return nil, err
  441. }
  442. if u.Scheme != "wireguard" && u.Scheme != "wg" {
  443. return nil, fmt.Errorf("not wireguard")
  444. }
  445. secret, _ := url.QueryUnescape(u.User.Username())
  446. params := u.Query()
  447. host := u.Hostname()
  448. portStr := u.Port()
  449. endpoint := host
  450. if portStr != "" {
  451. endpoint = host + ":" + portStr
  452. }
  453. addrRaw := firstParam(params, "address", "ip")
  454. allowedRaw := firstParam(params, "allowedips", "allowed_ips")
  455. addrs := splitComma(addrRaw)
  456. if len(addrs) == 0 {
  457. addrs = []string{"0.0.0.0/0", "::/0"}
  458. }
  459. allowed := splitComma(allowedRaw)
  460. if len(allowed) == 0 {
  461. allowed = []string{"0.0.0.0/0", "::/0"}
  462. }
  463. peer := map[string]any{
  464. "publicKey": firstParam(params, "publickey", "publicKey", "public_key", "peerPublicKey"),
  465. "endpoint": endpoint,
  466. "allowedIPs": allowed,
  467. }
  468. if psk := firstParam(params, "presharedkey", "preshared_key", "pre-shared-key", "psk"); psk != "" {
  469. peer["preSharedKey"] = psk
  470. }
  471. if ka := firstParam(params, "keepalive", "persistentkeepalive", "persistent_keepalive"); ka != "" {
  472. if n, err := strconv.Atoi(ka); err == nil {
  473. peer["keepAlive"] = n
  474. }
  475. }
  476. settings := map[string]any{
  477. "secretKey": secret,
  478. "address": addrs,
  479. "peers": []any{peer},
  480. }
  481. if mtu := params.Get("mtu"); mtu != "" {
  482. if n, err := strconv.Atoi(mtu); err == nil {
  483. settings["mtu"] = n
  484. }
  485. }
  486. if res := params.Get("reserved"); res != "" {
  487. parts := splitComma(res)
  488. var iv []int
  489. for _, p := range parts {
  490. if n, err := strconv.Atoi(strings.TrimSpace(p)); err == nil {
  491. iv = append(iv, n)
  492. }
  493. }
  494. if len(iv) > 0 {
  495. settings["reserved"] = iv
  496. }
  497. }
  498. identity := "wireguard:" + secret + "@" + endpoint + "?" + canonicalQuery(params)
  499. ob := Outbound{
  500. "protocol": "wireguard",
  501. "tag": decodeHash(u.Fragment),
  502. "settings": settings,
  503. }
  504. return &ParseResult{Outbound: ob, Identity: identity}, nil
  505. }
  506. // --- helpers ---
  507. func buildStream(network, security string) map[string]any {
  508. stream := map[string]any{"network": network, "security": security}
  509. switch network {
  510. case "tcp":
  511. stream["tcpSettings"] = map[string]any{"header": map[string]any{"type": "none"}}
  512. case "kcp":
  513. stream["kcpSettings"] = map[string]any{
  514. "mtu": 1350, "tti": 20, "uplinkCapacity": 5, "downlinkCapacity": 20,
  515. "cwndMultiplier": 1, "maxSendingWindow": 2097152,
  516. }
  517. case "ws":
  518. stream["wsSettings"] = map[string]any{"path": "/", "host": "", "headers": map[string]any{}, "heartbeatPeriod": 0}
  519. case "grpc":
  520. stream["grpcSettings"] = map[string]any{"serviceName": "", "authority": "", "multiMode": false}
  521. case "httpupgrade":
  522. stream["httpupgradeSettings"] = map[string]any{"path": "/", "host": "", "headers": map[string]any{}}
  523. case "xhttp":
  524. // No scMaxEachPostBytes/scMinPostsIntervalMs seed: xray-core's own
  525. // defaults apply, and the literal values fingerprint traffic (#5141).
  526. stream["xhttpSettings"] = map[string]any{
  527. "path": "/", "host": "", "mode": "auto", "headers": map[string]any{},
  528. "xPaddingBytes": "100-1000",
  529. }
  530. default:
  531. stream["tcpSettings"] = map[string]any{"header": map[string]any{"type": "none"}}
  532. }
  533. switch security {
  534. case "tls":
  535. stream["tlsSettings"] = map[string]any{
  536. "serverName": "", "alpn": []any{}, "fingerprint": "",
  537. "echConfigList": "", "verifyPeerCertByName": "", "pinnedPeerCertSha256": "",
  538. }
  539. case "reality":
  540. stream["realitySettings"] = map[string]any{
  541. "publicKey": "", "fingerprint": "chrome", "serverName": "",
  542. "shortId": "", "spiderX": "", "mldsa65Verify": "",
  543. }
  544. }
  545. return stream
  546. }
  547. func setWS(stream map[string]any, host, path string) {
  548. ws := stream["wsSettings"].(map[string]any)
  549. ws["host"] = host
  550. ws["path"] = path
  551. }
  552. func setHTTPUpgrade(stream map[string]any, host, path string) {
  553. h := stream["httpupgradeSettings"].(map[string]any)
  554. h["host"] = host
  555. h["path"] = path
  556. }
  557. func applyTransport(stream map[string]any, p url.Values) {
  558. net := stream["network"].(string)
  559. host := p.Get("host")
  560. path := firstNonEmpty(p.Get("path"), "/")
  561. switch net {
  562. case "ws":
  563. setWS(stream, host, path)
  564. case "grpc":
  565. gs := stream["grpcSettings"].(map[string]any)
  566. gs["serviceName"] = firstNonEmpty(p.Get("serviceName"), p.Get("path"))
  567. gs["authority"] = p.Get("authority")
  568. gs["multiMode"] = p.Get("mode") == "multi"
  569. case "httpupgrade":
  570. setHTTPUpgrade(stream, host, path)
  571. case "xhttp":
  572. xh := stream["xhttpSettings"].(map[string]any)
  573. xh["host"] = host
  574. xh["path"] = path
  575. if m := p.Get("mode"); m != "" {
  576. xh["mode"] = m
  577. }
  578. // A few advanced xhttp fields that are commonly carried
  579. for _, k := range []string{"xPaddingBytes", "scMaxEachPostBytes", "scMinPostsIntervalMs", "uplinkChunkSize"} {
  580. if v := p.Get(k); v != "" {
  581. xh[k] = v
  582. }
  583. }
  584. case "tcp":
  585. if p.Get("headerType") == "http" || p.Get("type") == "http" {
  586. stream["tcpSettings"] = map[string]any{
  587. "header": map[string]any{
  588. "type": "http",
  589. "request": map[string]any{
  590. "version": "1.1",
  591. "method": "GET",
  592. "path": splitComma(path),
  593. "headers": map[string]any{"Host": splitComma(host)},
  594. },
  595. },
  596. }
  597. }
  598. }
  599. }
  600. func applySecurity(stream map[string]any, p url.Values) {
  601. sec := stream["security"].(string)
  602. switch sec {
  603. case "tls":
  604. tls := stream["tlsSettings"].(map[string]any)
  605. tls["serverName"] = p.Get("sni")
  606. tls["fingerprint"] = p.Get("fp")
  607. if alpn := p.Get("alpn"); alpn != "" {
  608. tls["alpn"] = splitComma(alpn)
  609. }
  610. tls["echConfigList"] = p.Get("ech")
  611. tls["pinnedPeerCertSha256"] = p.Get("pcs")
  612. case "reality":
  613. re := stream["realitySettings"].(map[string]any)
  614. re["serverName"] = p.Get("sni")
  615. re["fingerprint"] = firstNonEmpty(p.Get("fp"), "chrome")
  616. re["publicKey"] = p.Get("pbk")
  617. re["shortId"] = p.Get("sid")
  618. re["spiderX"] = p.Get("spx")
  619. re["mldsa65Verify"] = p.Get("pqv")
  620. }
  621. }
  622. func applyFinalMask(stream map[string]any, p url.Values) {
  623. if fm := p.Get("fm"); fm != "" {
  624. var parsed any
  625. if json.Unmarshal([]byte(fm), &parsed) == nil {
  626. sanitizeFinalMaskQuicParams(parsed)
  627. stream["finalmask"] = parsed
  628. }
  629. }
  630. }
  631. // sanitizeFinalMaskQuicParams coerces the strictly numeric quicParams fields
  632. // of a finalmask blob taken verbatim from a share link's fm= parameter.
  633. // Xray-core rejects the whole config at startup when e.g. keepAlivePeriod
  634. // arrives as a duration string like "10s" or an out-of-range integer, so
  635. // numeric strings are parsed, duration strings are converted to whole
  636. // seconds, the ranged fields are clamped to what xray accepts, and anything
  637. // non-finite, negative, absurdly large, or unparseable is dropped so a bad
  638. // value falls back to xray's default instead of killing the config (#5783).
  639. func sanitizeFinalMaskQuicParams(parsed any) {
  640. fm, ok := parsed.(map[string]any)
  641. if !ok {
  642. return
  643. }
  644. qp, ok := fm["quicParams"].(map[string]any)
  645. if !ok {
  646. return
  647. }
  648. numericKeys := []string{
  649. "initStreamReceiveWindow", "maxStreamReceiveWindow",
  650. "initConnectionReceiveWindow", "maxConnectionReceiveWindow",
  651. "maxIdleTimeout", "keepAlivePeriod", "maxIncomingStreams",
  652. }
  653. for _, key := range numericKeys {
  654. raw, exists := qp[key]
  655. if !exists {
  656. continue
  657. }
  658. n, ok := coerceQuicNumeric(raw)
  659. if ok {
  660. n, ok = clampQuicNumeric(key, n)
  661. }
  662. if !ok {
  663. delete(qp, key)
  664. continue
  665. }
  666. qp[key] = int64(n)
  667. }
  668. }
  669. func coerceQuicNumeric(raw any) (float64, bool) {
  670. switch v := raw.(type) {
  671. case float64:
  672. return math.Trunc(v), true
  673. case string:
  674. if n, err := strconv.ParseFloat(v, 64); err == nil && !math.IsInf(n, 0) && !math.IsNaN(n) {
  675. return math.Trunc(n), true
  676. }
  677. if d, err := time.ParseDuration(v); err == nil {
  678. return math.Trunc(d.Seconds()), true
  679. }
  680. }
  681. return 0, false
  682. }
  683. // clampQuicNumeric enforces xray-core's QuicParamsConfig validation so a
  684. // coerced value cannot still fail the config load: keepAlivePeriod is 0 or
  685. // 2-60, maxIdleTimeout is 0 or 4-120, maxIncomingStreams is 0 or >= 8.
  686. // quicNumericMax keeps values in plain-integer JSON territory and far below
  687. // the uint64 window fields' range.
  688. const quicNumericMax = float64(1e15)
  689. func clampQuicNumeric(key string, n float64) (float64, bool) {
  690. if n < 0 || n > quicNumericMax {
  691. return 0, false
  692. }
  693. if n == 0 {
  694. return 0, true
  695. }
  696. switch key {
  697. case "keepAlivePeriod":
  698. return math.Min(math.Max(n, 2), 60), true
  699. case "maxIdleTimeout":
  700. return math.Min(math.Max(n, 4), 120), true
  701. case "maxIncomingStreams":
  702. return math.Max(n, 8), true
  703. }
  704. return n, true
  705. }
  706. func firstNonEmpty(a, b string) string {
  707. if a != "" {
  708. return a
  709. }
  710. return b
  711. }
  712. func firstParam(p url.Values, keys ...string) string {
  713. for _, k := range keys {
  714. if v := p.Get(k); v != "" {
  715. return v
  716. }
  717. }
  718. return ""
  719. }
  720. func canonicalQuery(p url.Values) string {
  721. // Sort keys for stable identity
  722. keys := make([]string, 0, len(p))
  723. for k := range p {
  724. keys = append(keys, k)
  725. }
  726. // simple sort
  727. for i := 0; i < len(keys); i++ {
  728. for j := i + 1; j < len(keys); j++ {
  729. if keys[j] < keys[i] {
  730. keys[i], keys[j] = keys[j], keys[i]
  731. }
  732. }
  733. }
  734. parts := make([]string, 0, len(keys))
  735. for _, k := range keys {
  736. for _, v := range p[k] {
  737. parts = append(parts, k+"="+v)
  738. }
  739. }
  740. return strings.Join(parts, "&")
  741. }
  742. func decodeHash(h string) string {
  743. if h == "" {
  744. return ""
  745. }
  746. if dec, err := url.QueryUnescape(h); err == nil {
  747. return dec
  748. }
  749. return h
  750. }
  751. func defaultPort(p string, def int) int {
  752. if p == "" {
  753. return def
  754. }
  755. n, err := strconv.Atoi(p)
  756. if err != nil || n <= 0 {
  757. return def
  758. }
  759. return n
  760. }
  761. func num(v any) int {
  762. switch x := v.(type) {
  763. case float64:
  764. return int(x)
  765. case int:
  766. return x
  767. case int64:
  768. return int(x)
  769. case string:
  770. n, _ := strconv.Atoi(x)
  771. return n
  772. }
  773. return 0
  774. }
  775. func getString(m map[string]any, key, def string) string {
  776. if v, ok := m[key]; ok {
  777. if s, ok := v.(string); ok {
  778. return s
  779. }
  780. }
  781. return def
  782. }
  783. func splitComma(s string) []string {
  784. if s == "" {
  785. return nil
  786. }
  787. parts := strings.Split(s, ",")
  788. out := make([]string, 0, len(parts))
  789. for _, p := range parts {
  790. p = strings.TrimSpace(p)
  791. if p != "" {
  792. out = append(out, p)
  793. }
  794. }
  795. return out
  796. }
  797. func splitCommaOrDefault(s string, def []string) []string {
  798. if s == "" {
  799. return def
  800. }
  801. return splitComma(s)
  802. }
  803. func padBase64(s string) string {
  804. for len(s)%4 != 0 {
  805. s += "="
  806. }
  807. return s
  808. }
  809. func base64DecodeFlexible(s string) (string, error) {
  810. s = padBase64(s)
  811. if b, err := base64.StdEncoding.DecodeString(s); err == nil {
  812. return string(b), nil
  813. }
  814. if b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "=")); err == nil {
  815. return string(b), nil
  816. }
  817. return "", fmt.Errorf("base64 decode failed")
  818. }
  819. // SlugRemark turns a free-form remark into a tag segment, keeping Unicode
  820. // letters and digits (so non-ASCII remarks like Cyrillic stay readable) and
  821. // replacing every other run of characters with a single dash.
  822. var slugRe = regexp.MustCompile(`[^\p{L}\p{N}]+`)
  823. func SlugRemark(remark string) string {
  824. s := strings.ToLower(strings.TrimSpace(remark))
  825. s = slugRe.ReplaceAllString(s, "-")
  826. s = strings.Trim(s, "-")
  827. if s == "" {
  828. return ""
  829. }
  830. // collapse runs of dashes
  831. for strings.Contains(s, "--") {
  832. s = strings.ReplaceAll(s, "--", "-")
  833. }
  834. return s
  835. }
  836. // SuggestTag builds a tag from a prefix and a remark (or index fallback).
  837. // It is intended for initial assignment; stability is handled by the service layer.
  838. func SuggestTag(prefix, remark string, idx int) string {
  839. base := SlugRemark(remark)
  840. if base == "" {
  841. base = fmt.Sprintf("%d", idx)
  842. }
  843. p := strings.TrimSuffix(prefix, "-")
  844. if p != "" {
  845. return p + "-" + base
  846. }
  847. return base
  848. }