install.sh 75 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685
  1. #!/bin/bash
  2. red='\033[0;31m'
  3. green='\033[0;32m'
  4. blue='\033[0;34m'
  5. yellow='\033[0;33m'
  6. plain='\033[0m'
  7. cur_dir=$(pwd)
  8. xui_folder="${XUI_MAIN_FOLDER:=/usr/local/x-ui}"
  9. xui_service="${XUI_SERVICE:=/etc/systemd/system}"
  10. # check root
  11. [[ $EUID -ne 0 ]] && echo -e "${red}Fatal error: ${plain} Please run this script with root privilege \n " && exit 1
  12. # Check OS and set release variable
  13. if [[ -f /etc/os-release ]]; then
  14. source /etc/os-release
  15. release=$ID
  16. elif [[ -f /usr/lib/os-release ]]; then
  17. source /usr/lib/os-release
  18. release=$ID
  19. else
  20. echo "Failed to check the system OS, please contact the author!" >&2
  21. exit 1
  22. fi
  23. echo "The OS release is: $release"
  24. arch() {
  25. case "$(uname -m)" in
  26. x86_64 | x64 | amd64) echo 'amd64' ;;
  27. i*86 | x86) echo '386' ;;
  28. armv8* | armv8 | arm64 | aarch64) echo 'arm64' ;;
  29. armv7* | armv7 | arm) echo 'armv7' ;;
  30. armv6* | armv6) echo 'armv6' ;;
  31. armv5* | armv5) echo 'armv5' ;;
  32. s390x) echo 's390x' ;;
  33. *) echo -e "${green}Unsupported CPU architecture! ${plain}" && rm -f install.sh && exit 1 ;;
  34. esac
  35. }
  36. echo "Arch: $(arch)"
  37. # Non-interactive mode: triggered explicitly via XUI_NONINTERACTIVE=1, or
  38. # implicitly when stdin is not a TTY (e.g. `curl ... | bash`, cloud-init).
  39. # In this mode every prompt below is replaced by an env var or a sane default.
  40. if [[ "${XUI_NONINTERACTIVE:-0}" == "1" ]] || [[ ! -t 0 ]]; then
  41. NONINTERACTIVE=1
  42. else
  43. NONINTERACTIVE=0
  44. fi
  45. export NONINTERACTIVE
  46. # Simple helpers
  47. is_ipv4() {
  48. [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1
  49. }
  50. is_ipv6() {
  51. [[ "$1" =~ : ]] && return 0 || return 1
  52. }
  53. is_ip() {
  54. is_ipv4 "$1" || is_ipv6 "$1"
  55. }
  56. is_domain() {
  57. [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1
  58. }
  59. # acme.sh's standalone server binds IPv4 by default; --listen-v6 makes it
  60. # v6-only, which breaks HTTP-01 validation when the domain's A record points
  61. # at this host's IPv4 (#4994). Only force IPv6 when the host has no global
  62. # IPv4 address at all.
  63. acme_listen_flag() {
  64. if ip -4 addr show scope global 2> /dev/null | grep -q "inet "; then
  65. echo ""
  66. else
  67. echo "--listen-v6"
  68. fi
  69. }
  70. # Port helpers
  71. is_port_in_use() {
  72. local port="$1"
  73. if command -v ss > /dev/null 2>&1; then
  74. ss -ltn 2> /dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}'
  75. return
  76. fi
  77. if command -v netstat > /dev/null 2>&1; then
  78. netstat -lnt 2> /dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}'
  79. return
  80. fi
  81. if command -v lsof > /dev/null 2>&1; then
  82. lsof -nP -iTCP:${port} -sTCP:LISTEN > /dev/null 2>&1 && return 0
  83. fi
  84. return 1
  85. }
  86. install_base() {
  87. case "${release}" in
  88. ubuntu | debian | armbian)
  89. apt-get update && apt-get install -y -q cron curl tar tzdata socat ca-certificates openssl
  90. ;;
  91. fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
  92. dnf makecache -y && dnf install -y -q cronie curl tar tzdata socat ca-certificates openssl
  93. ;;
  94. centos)
  95. if [[ "${VERSION_ID}" =~ ^7 ]]; then
  96. yum makecache -y && yum install -y cronie curl tar tzdata socat ca-certificates openssl
  97. else
  98. dnf makecache -y && dnf install -y -q cronie curl tar tzdata socat ca-certificates openssl
  99. fi
  100. ;;
  101. arch | manjaro | parch)
  102. pacman -Sy --noconfirm cronie curl tar tzdata socat ca-certificates openssl
  103. ;;
  104. opensuse-tumbleweed | opensuse-leap)
  105. zypper refresh && zypper -q install -y cron curl tar timezone socat ca-certificates openssl
  106. ;;
  107. alpine)
  108. apk update && apk add dcron curl tar tzdata socat ca-certificates openssl
  109. ;;
  110. *)
  111. apt-get update && apt-get install -y -q cron curl tar tzdata socat ca-certificates openssl
  112. ;;
  113. esac
  114. }
  115. gen_random_string() {
  116. local length="$1"
  117. openssl rand -base64 $((length * 2)) \
  118. | tr -dc 'a-zA-Z0-9' \
  119. | head -c "$length"
  120. }
  121. # prompt_or_default VARNAME "prompt text" "default" [ENV_NAME]
  122. # Interactive: read into VARNAME. Non-interactive: VARNAME = ${ENV_NAME:-default}.
  123. # ENV_NAME defaults to VARNAME when omitted. Keeps every interactive prompt
  124. # string byte-for-byte identical to the original `read -rp`.
  125. prompt_or_default() {
  126. local __var="$1" __prompt="$2" __default="$3" __env="${4:-$1}"
  127. if [[ "$NONINTERACTIVE" == "1" ]]; then
  128. printf -v "$__var" '%s' "${!__env:-$__default}"
  129. else
  130. # shellcheck disable=SC2229
  131. read -rp "$__prompt" "$__var"
  132. fi
  133. }
  134. # write_install_result <user> <pass> <port> <webpath> <scheme> <host> <token> <dbtype>
  135. # Persists a parseable, root-only credentials file consumed by cloud-init/MOTD.
  136. # Values are written with printf '%q' so a pinned password/username containing
  137. # spaces, quotes, $(...) or backticks is shell-escaped and the file stays safely
  138. # source-able (consumers do '. install-result.env'). For the alphanumeric random
  139. # values gen_random_string emits, %q is a no-op. This is a DIFFERENT file from the
  140. # Postgres env file (/etc/default/x-ui).
  141. write_install_result() {
  142. local u="$1" p="$2" port="$3" wbp="$4" scheme="$5" host="$6" token="$7" dbtype="$8"
  143. local result_file="/etc/x-ui/install-result.env"
  144. local url_host="${host:-SERVER_IP_UNKNOWN}"
  145. install -d -m 755 /etc/x-ui 2> /dev/null
  146. local prev_umask
  147. prev_umask=$(umask)
  148. umask 077
  149. if ! {
  150. printf 'XUI_USERNAME=%q\n' "$u"
  151. printf 'XUI_PASSWORD=%q\n' "$p"
  152. printf 'XUI_PANEL_PORT=%q\n' "$port"
  153. printf 'XUI_WEB_BASE_PATH=%q\n' "$wbp"
  154. printf 'XUI_ACCESS_URL=%q\n' "${scheme}://${url_host}:${port}/${wbp}"
  155. printf 'XUI_API_TOKEN=%q\n' "$token"
  156. printf 'XUI_DB_TYPE=%q\n' "$dbtype"
  157. } > "$result_file"; then
  158. umask "$prev_umask"
  159. echo -e "${yellow}Warning: failed to write ${result_file}.${plain}" >&2
  160. return 1
  161. fi
  162. umask "$prev_umask"
  163. chmod 600 "$result_file" 2> /dev/null
  164. chown root:root "$result_file" 2> /dev/null || true
  165. echo -e "${green}Install result written to ${result_file} (mode 600).${plain}"
  166. }
  167. # RHEL-family initdb writes pg_hba.conf host rules with ident auth, which
  168. # compares the OS username against the Postgres role and always rejects the
  169. # randomly generated panel role over TCP (#5806). Prepend password-auth rules
  170. # scoped to the panel database; first match wins, and md5 also accepts
  171. # scram-sha-256-stored verifiers, so this works on every supported distro.
  172. pg_ensure_hba_password_auth() {
  173. local pg_db="$1"
  174. local hba_file
  175. hba_file=$(sudo -u postgres psql -tAc 'SHOW hba_file' 2> /dev/null | tr -d '[:space:]')
  176. [[ -n "${hba_file}" && -f "${hba_file}" ]] || return 0
  177. grep -Eq "^host[[:space:]]+${pg_db}[[:space:]]" "${hba_file}" && return 0
  178. local tmp
  179. tmp=$(mktemp) || return 1
  180. {
  181. echo "# Added by 3x-ui: allow password logins for the panel database."
  182. echo "host ${pg_db} all 127.0.0.1/32 md5"
  183. echo "host ${pg_db} all ::1/128 md5"
  184. cat "${hba_file}"
  185. } > "${tmp}" || {
  186. rm -f "${tmp}"
  187. return 1
  188. }
  189. cat "${tmp}" > "${hba_file}" || {
  190. rm -f "${tmp}"
  191. return 1
  192. }
  193. rm -f "${tmp}"
  194. sudo -u postgres psql -tAc 'SELECT pg_reload_conf()' > /dev/null 2>&1 || true
  195. }
  196. install_postgres_local() {
  197. local pg_user pg_pass
  198. pg_pass=$(gen_random_string 24)
  199. local pg_db="xui"
  200. local pg_host="127.0.0.1"
  201. local pg_port="5432"
  202. case "${release}" in
  203. ubuntu | debian | armbian)
  204. apt-get update >&2 && apt-get install -y -q postgresql >&2 || return 1
  205. ;;
  206. fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
  207. dnf install -y -q postgresql-server postgresql-contrib >&2 || return 1
  208. [[ -d /var/lib/pgsql/data && -f /var/lib/pgsql/data/PG_VERSION ]] || postgresql-setup --initdb >&2 || return 1
  209. ;;
  210. centos)
  211. if [[ "${VERSION_ID}" =~ ^7 ]]; then
  212. yum install -y postgresql-server postgresql-contrib >&2 || return 1
  213. else
  214. dnf install -y -q postgresql-server postgresql-contrib >&2 || return 1
  215. fi
  216. [[ -d /var/lib/pgsql/data && -f /var/lib/pgsql/data/PG_VERSION ]] || postgresql-setup --initdb >&2 || return 1
  217. ;;
  218. arch | manjaro | parch)
  219. pacman -Sy --noconfirm postgresql >&2 || return 1
  220. if [[ ! -f /var/lib/postgres/data/PG_VERSION ]]; then
  221. sudo -u postgres initdb -D /var/lib/postgres/data >&2 || return 1
  222. fi
  223. ;;
  224. opensuse-tumbleweed | opensuse-leap)
  225. zypper -q install -y postgresql-server postgresql-contrib >&2 || return 1
  226. if [[ ! -f /var/lib/pgsql/data/PG_VERSION ]]; then
  227. install -d -o postgres -g postgres -m 700 /var/lib/pgsql/data >&2 || return 1
  228. su - postgres -c "initdb -D /var/lib/pgsql/data" >&2 || return 1
  229. fi
  230. ;;
  231. alpine)
  232. apk add --no-cache postgresql postgresql-contrib >&2 || return 1
  233. if [[ ! -f /var/lib/postgresql/data/PG_VERSION ]]; then
  234. /etc/init.d/postgresql setup >&2 || return 1
  235. fi
  236. rc-update add postgresql default >&2 2> /dev/null || true
  237. rc-service postgresql start >&2 || return 1
  238. ;;
  239. *)
  240. echo -e "${red}Unsupported distro for automatic PostgreSQL install: ${release}${plain}" >&2
  241. return 1
  242. ;;
  243. esac
  244. if [[ "${release}" != "alpine" ]]; then
  245. systemctl enable --now postgresql >&2 || return 1
  246. fi
  247. # Wait briefly for the server to accept connections.
  248. local i
  249. for i in 1 2 3 4 5; do
  250. sudo -u postgres psql -tAc 'SELECT 1' > /dev/null 2>&1 && break
  251. sleep 1
  252. done
  253. local existing_owner=""
  254. existing_owner=$(sudo -u postgres psql -tAc \
  255. "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_database WHERE datname='${pg_db}'" 2> /dev/null \
  256. | tr -d '[:space:]')
  257. if [[ -n "${existing_owner}" && "${existing_owner}" != "postgres" ]]; then
  258. pg_user="${existing_owner}"
  259. else
  260. pg_user=$(gen_random_string 8)
  261. fi
  262. # Idempotent role/db creation. Identifiers are double-quoted because a
  263. # random username may start with a digit, which Postgres rejects unquoted.
  264. sudo -u postgres psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${pg_user}'" 2> /dev/null \
  265. | grep -q 1 \
  266. || sudo -u postgres psql -c "CREATE USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1
  267. sudo -u postgres psql -tAc "SELECT 1 FROM pg_database WHERE datname='${pg_db}'" 2> /dev/null \
  268. | grep -q 1 \
  269. || sudo -u postgres psql -c "CREATE DATABASE \"${pg_db}\" OWNER \"${pg_user}\";" >&2 || return 1
  270. sudo -u postgres psql -c "ALTER USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1
  271. pg_ensure_hba_password_auth "${pg_db}" \
  272. || echo -e "${yellow}Warning: could not update pg_hba.conf; PostgreSQL may reject the panel's TCP login (ident auth).${plain}" >&2
  273. local pg_pass_enc
  274. pg_pass_enc=$(printf '%s' "${pg_pass}" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/@/%40/g' -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/#/%23/g')
  275. if [[ -n "${PG_CRED_FILE:-}" ]]; then
  276. local prev_umask
  277. prev_umask=$(umask)
  278. umask 077
  279. if ! cat > "${PG_CRED_FILE}" << EOF; then
  280. PG_USER=${pg_user}
  281. PG_PASS=${pg_pass}
  282. PG_HOST=${pg_host}
  283. PG_PORT=${pg_port}
  284. PG_DB=${pg_db}
  285. EOF
  286. umask "${prev_umask}"
  287. echo -e "${red}Failed to write PostgreSQL credentials to ${PG_CRED_FILE}${plain}" >&2
  288. return 1
  289. fi
  290. umask "${prev_umask}"
  291. fi
  292. echo "postgres://${pg_user}:${pg_pass_enc}@${pg_host}:${pg_port}/${pg_db}?sslmode=disable"
  293. return 0
  294. }
  295. ensure_pg_client() {
  296. if command -v pg_dump > /dev/null 2>&1 && command -v pg_restore > /dev/null 2>&1; then
  297. return 0
  298. fi
  299. echo -e "${yellow}Installing PostgreSQL client tools (pg_dump/pg_restore) for in-panel backup...${plain}" >&2
  300. case "${release}" in
  301. ubuntu | debian | armbian)
  302. apt-get update >&2 && apt-get install -y -q postgresql-client >&2 || return 1
  303. ;;
  304. fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
  305. dnf install -y -q postgresql >&2 || return 1
  306. ;;
  307. centos)
  308. if [[ "${VERSION_ID}" =~ ^7 ]]; then
  309. yum install -y postgresql >&2 || return 1
  310. else
  311. dnf install -y -q postgresql >&2 || return 1
  312. fi
  313. ;;
  314. arch | manjaro | parch)
  315. pacman -Sy --noconfirm postgresql >&2 || return 1
  316. ;;
  317. opensuse-tumbleweed | opensuse-leap)
  318. zypper -q install -y postgresql >&2 || return 1
  319. ;;
  320. alpine)
  321. apk add --no-cache postgresql-client >&2 || return 1
  322. ;;
  323. *)
  324. return 1
  325. ;;
  326. esac
  327. command -v pg_dump > /dev/null 2>&1 && command -v pg_restore > /dev/null 2>&1
  328. }
  329. install_acme() {
  330. echo -e "${green}Installing acme.sh for SSL certificate management...${plain}"
  331. cd ~ || return 1
  332. curl -s https://get.acme.sh | sh > /dev/null 2>&1
  333. if [ $? -ne 0 ]; then
  334. echo -e "${red}Failed to install acme.sh${plain}"
  335. return 1
  336. else
  337. echo -e "${green}acme.sh installed successfully${plain}"
  338. fi
  339. return 0
  340. }
  341. setup_ssl_certificate() {
  342. local domain="$1"
  343. local server_ip="$2"
  344. local existing_port="$3"
  345. local existing_webBasePath="$4"
  346. echo -e "${green}Setting up SSL certificate...${plain}"
  347. # Check if acme.sh is installed
  348. if ! command -v ~/.acme.sh/acme.sh &> /dev/null; then
  349. install_acme
  350. if [ $? -ne 0 ]; then
  351. echo -e "${yellow}Failed to install acme.sh, skipping SSL setup${plain}"
  352. return 1
  353. fi
  354. fi
  355. # Create certificate directory
  356. local certPath="/root/cert/${domain}"
  357. mkdir -p "$certPath"
  358. # Issue certificate
  359. echo -e "${green}Issuing SSL certificate for ${domain}...${plain}"
  360. echo -e "${yellow}Note: Port 80 must be open and accessible from the internet${plain}"
  361. ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force > /dev/null 2>&1
  362. ~/.acme.sh/acme.sh --issue -d ${domain} $(acme_listen_flag) --standalone --httpport 80 --force
  363. if [ $? -ne 0 ]; then
  364. echo -e "${yellow}Failed to issue certificate for ${domain}${plain}"
  365. echo -e "${yellow}Please ensure port 80 is open and try again later with: x-ui${plain}"
  366. rm -rf ~/.acme.sh/${domain} ~/.acme.sh/${domain}_ecc 2> /dev/null
  367. rm -rf "$certPath" 2> /dev/null
  368. return 1
  369. fi
  370. # Install certificate
  371. ~/.acme.sh/acme.sh --installcert --force -d ${domain} \
  372. --key-file /root/cert/${domain}/privkey.pem \
  373. --fullchain-file /root/cert/${domain}/fullchain.pem \
  374. --reloadcmd "systemctl restart x-ui" > /dev/null 2>&1
  375. if [ $? -ne 0 ]; then
  376. echo -e "${yellow}Failed to install certificate${plain}"
  377. return 1
  378. fi
  379. # Enable auto-renew
  380. ~/.acme.sh/acme.sh --upgrade --auto-upgrade > /dev/null 2>&1
  381. # Secure permissions: private key readable only by owner
  382. chmod 600 $certPath/privkey.pem 2> /dev/null
  383. chmod 644 $certPath/fullchain.pem 2> /dev/null
  384. # Set certificate for panel
  385. local webCertFile="/root/cert/${domain}/fullchain.pem"
  386. local webKeyFile="/root/cert/${domain}/privkey.pem"
  387. if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
  388. ${xui_folder}/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile" > /dev/null 2>&1
  389. echo -e "${green}SSL certificate installed and configured successfully!${plain}"
  390. return 0
  391. else
  392. echo -e "${yellow}Certificate files not found${plain}"
  393. return 1
  394. fi
  395. }
  396. # Issue Let's Encrypt IP certificate with shortlived profile (~6 days validity)
  397. # Requires acme.sh and port 80 open for HTTP-01 challenge
  398. setup_ip_certificate() {
  399. local ipv4="$1"
  400. local ipv6="$2" # optional
  401. echo -e "${green}Setting up Let's Encrypt IP certificate (shortlived profile)...${plain}"
  402. echo -e "${yellow}Note: IP certificates are valid for ~6 days and will auto-renew.${plain}"
  403. echo -e "${yellow}Default listener is port 80. If you choose another port, ensure external port 80 forwards to it.${plain}"
  404. # Check for acme.sh
  405. if ! command -v ~/.acme.sh/acme.sh &> /dev/null; then
  406. install_acme
  407. if [ $? -ne 0 ]; then
  408. echo -e "${red}Failed to install acme.sh${plain}"
  409. return 1
  410. fi
  411. fi
  412. # Validate IP address
  413. if [[ -z "$ipv4" ]]; then
  414. echo -e "${red}IPv4 address is required${plain}"
  415. return 1
  416. fi
  417. if ! is_ipv4 "$ipv4"; then
  418. echo -e "${red}Invalid IPv4 address: $ipv4${plain}"
  419. return 1
  420. fi
  421. # Create certificate directory
  422. local certDir="/root/cert/ip"
  423. mkdir -p "$certDir"
  424. # Build domain arguments
  425. local domain_args="-d ${ipv4}"
  426. if [[ -n "$ipv6" ]] && is_ipv6 "$ipv6"; then
  427. domain_args="${domain_args} -d ${ipv6}"
  428. echo -e "${green}Including IPv6 address: ${ipv6}${plain}"
  429. fi
  430. # Set reload command for auto-renewal (add || true so it doesn't fail during first install)
  431. local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true"
  432. # Choose port for HTTP-01 listener (default 80, prompt override)
  433. local WebPort=""
  434. prompt_or_default WebPort "Port to use for ACME HTTP-01 listener (default 80): " "80" XUI_ACME_HTTP_PORT
  435. WebPort="${WebPort:-80}"
  436. if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then
  437. echo -e "${red}Invalid port provided. Falling back to 80.${plain}"
  438. WebPort=80
  439. fi
  440. echo -e "${green}Using port ${WebPort} for standalone validation.${plain}"
  441. if [[ "${WebPort}" -ne 80 ]]; then
  442. echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}"
  443. fi
  444. # Ensure chosen port is available
  445. while true; do
  446. if is_port_in_use "${WebPort}"; then
  447. echo -e "${yellow}Port ${WebPort} is in use.${plain}"
  448. local alt_port=""
  449. if [[ "$NONINTERACTIVE" == "1" ]]; then
  450. echo -e "${red}Port ${WebPort} is busy; cannot proceed in non-interactive mode.${plain}"
  451. return 1
  452. fi
  453. read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port
  454. alt_port="${alt_port// /}"
  455. if [[ -z "${alt_port}" ]]; then
  456. echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}"
  457. return 1
  458. fi
  459. if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then
  460. echo -e "${red}Invalid port provided.${plain}"
  461. return 1
  462. fi
  463. WebPort="${alt_port}"
  464. continue
  465. else
  466. echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}"
  467. break
  468. fi
  469. done
  470. # Issue certificate with shortlived profile
  471. echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}"
  472. ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force > /dev/null 2>&1
  473. [[ -n "${XUI_ACME_EMAIL:-}" ]] && ~/.acme.sh/acme.sh --register-account -m "${XUI_ACME_EMAIL}" > /dev/null 2>&1
  474. ~/.acme.sh/acme.sh --issue \
  475. ${domain_args} \
  476. --standalone \
  477. --server letsencrypt \
  478. --certificate-profile shortlived \
  479. --days 6 \
  480. --httpport ${WebPort} \
  481. --force
  482. if [ $? -ne 0 ]; then
  483. echo -e "${red}Failed to issue IP certificate${plain}"
  484. echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}"
  485. # Cleanup acme.sh data for both IPv4 and IPv6 if specified
  486. rm -rf ~/.acme.sh/${ipv4} ~/.acme.sh/${ipv4}_ecc 2> /dev/null
  487. [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} ~/.acme.sh/${ipv6}_ecc 2> /dev/null
  488. rm -rf ${certDir} 2> /dev/null
  489. return 1
  490. fi
  491. echo -e "${green}Certificate issued successfully, installing...${plain}"
  492. # Install certificate
  493. # Note: acme.sh may report "Reload error" and exit non-zero if reloadcmd fails,
  494. # but the cert files are still installed. We check for files instead of exit code.
  495. ~/.acme.sh/acme.sh --installcert --force -d ${ipv4} \
  496. --key-file "${certDir}/privkey.pem" \
  497. --fullchain-file "${certDir}/fullchain.pem" \
  498. --reloadcmd "${reloadCmd}" 2>&1 || true
  499. # Verify certificate files exist (don't rely on exit code - reloadcmd failure causes non-zero)
  500. if [[ ! -f "${certDir}/fullchain.pem" || ! -f "${certDir}/privkey.pem" ]]; then
  501. echo -e "${red}Certificate files not found after installation${plain}"
  502. # Cleanup acme.sh data for both IPv4 and IPv6 if specified
  503. rm -rf ~/.acme.sh/${ipv4} ~/.acme.sh/${ipv4}_ecc 2> /dev/null
  504. [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} ~/.acme.sh/${ipv6}_ecc 2> /dev/null
  505. rm -rf ${certDir} 2> /dev/null
  506. return 1
  507. fi
  508. echo -e "${green}Certificate files installed successfully${plain}"
  509. # Enable auto-upgrade for acme.sh (ensures cron job runs)
  510. ~/.acme.sh/acme.sh --upgrade --auto-upgrade > /dev/null 2>&1
  511. # Secure permissions: private key readable only by owner
  512. chmod 600 ${certDir}/privkey.pem 2> /dev/null
  513. chmod 644 ${certDir}/fullchain.pem 2> /dev/null
  514. # Configure panel to use the certificate
  515. echo -e "${green}Setting certificate paths for the panel...${plain}"
  516. ${xui_folder}/x-ui cert -webCert "${certDir}/fullchain.pem" -webCertKey "${certDir}/privkey.pem"
  517. if [ $? -ne 0 ]; then
  518. echo -e "${yellow}Warning: Could not set certificate paths automatically${plain}"
  519. echo -e "${yellow}Certificate files are at:${plain}"
  520. echo -e " Cert: ${certDir}/fullchain.pem"
  521. echo -e " Key: ${certDir}/privkey.pem"
  522. else
  523. echo -e "${green}Certificate paths configured successfully${plain}"
  524. fi
  525. echo -e "${green}IP certificate installed and configured successfully!${plain}"
  526. echo -e "${green}Certificate valid for ~6 days, auto-renews via acme.sh cron job.${plain}"
  527. echo -e "${yellow}acme.sh will automatically renew and reload x-ui before expiry.${plain}"
  528. return 0
  529. }
  530. # Comprehensive manual SSL certificate issuance via acme.sh
  531. ssl_cert_issue() {
  532. local existing_webBasePath=$(${xui_folder}/x-ui setting -show true | grep 'webBasePath:' | awk -F': ' '{print $2}' | tr -d '[:space:]' | sed 's#^/##')
  533. local existing_port=$(${xui_folder}/x-ui setting -show true | grep 'port:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
  534. # check for acme.sh first
  535. if ! command -v ~/.acme.sh/acme.sh &> /dev/null; then
  536. echo "acme.sh could not be found. Installing now..."
  537. cd ~ || return 1
  538. curl -s https://get.acme.sh | sh
  539. if [ $? -ne 0 ]; then
  540. echo -e "${red}Failed to install acme.sh${plain}"
  541. return 1
  542. else
  543. echo -e "${green}acme.sh installed successfully${plain}"
  544. fi
  545. fi
  546. # get the domain here, and we need to verify it
  547. local domain=""
  548. if [[ "$NONINTERACTIVE" == "1" ]]; then
  549. domain="${XUI_DOMAIN// /}"
  550. if [[ -z "$domain" ]] || ! is_domain "$domain"; then
  551. echo -e "${red}XUI_SSL_MODE=domain requires a valid XUI_DOMAIN (got: '${XUI_DOMAIN:-}').${plain}"
  552. return 1
  553. fi
  554. else
  555. while true; do
  556. read -rp "Please enter your domain name: " domain
  557. domain="${domain// /}" # Trim whitespace
  558. if [[ -z "$domain" ]]; then
  559. echo -e "${red}Domain name cannot be empty. Please try again.${plain}"
  560. continue
  561. fi
  562. if ! is_domain "$domain"; then
  563. echo -e "${red}Invalid domain format: ${domain}. Please enter a valid domain name.${plain}"
  564. continue
  565. fi
  566. break
  567. done
  568. fi
  569. echo -e "${green}Your domain is: ${domain}, checking it...${plain}"
  570. SSL_ISSUED_DOMAIN="${domain}"
  571. # detect existing certificate and reuse it only if its files are actually
  572. # present and non-empty. acme.sh stores ECC certs under ${domain}_ecc and RSA
  573. # certs under ${domain}; a failed issuance can leave a domain entry in --list
  574. # with no usable cert files, which must not be reused (it produces a 0-byte
  575. # fullchain.pem). Broken partial state is cleaned up so issuance can proceed.
  576. local cert_exists=0
  577. if ~/.acme.sh/acme.sh --list 2> /dev/null | awk '{print $1}' | grep -Fxq "${domain}"; then
  578. local acmeCertDir=""
  579. if [[ -s ~/.acme.sh/${domain}_ecc/fullchain.cer && -s ~/.acme.sh/${domain}_ecc/${domain}.key ]]; then
  580. acmeCertDir=~/.acme.sh/${domain}_ecc
  581. elif [[ -s ~/.acme.sh/${domain}/fullchain.cer && -s ~/.acme.sh/${domain}/${domain}.key ]]; then
  582. acmeCertDir=~/.acme.sh/${domain}
  583. fi
  584. if [[ -n "${acmeCertDir}" ]]; then
  585. cert_exists=1
  586. local certInfo=$(~/.acme.sh/acme.sh --list 2> /dev/null | grep -F "${domain}")
  587. echo -e "${yellow}Existing certificate found for ${domain}, will reuse it.${plain}"
  588. [[ -n "${certInfo}" ]] && echo "$certInfo"
  589. else
  590. echo -e "${yellow}Found incomplete acme.sh state for ${domain} (no valid certificate files); cleaning it up and re-issuing.${plain}"
  591. rm -rf ~/.acme.sh/${domain} ~/.acme.sh/${domain}_ecc
  592. fi
  593. fi
  594. if [[ ${cert_exists} -eq 0 ]]; then
  595. echo -e "${green}Your domain is ready for issuing certificates now...${plain}"
  596. fi
  597. # create a directory for the certificate
  598. certPath="/root/cert/${domain}"
  599. if [ ! -d "$certPath" ]; then
  600. mkdir -p "$certPath"
  601. else
  602. rm -rf "$certPath"
  603. mkdir -p "$certPath"
  604. fi
  605. # get the port number for the standalone server
  606. local WebPort=80
  607. prompt_or_default WebPort "Please choose which port to use (default is 80): " "80" XUI_ACME_HTTP_PORT
  608. if [[ -z ${WebPort} ]]; then
  609. WebPort=80
  610. elif [[ ! ${WebPort} =~ ^[1-9][0-9]*$ || ${WebPort} -gt 65535 ]]; then
  611. echo -e "${yellow}Your input ${WebPort} is invalid, will use default port 80.${plain}"
  612. WebPort=80
  613. fi
  614. echo -e "${green}Will use port: ${WebPort} to issue certificates. Please make sure this port is open.${plain}"
  615. # Stop panel temporarily
  616. echo -e "${yellow}Stopping panel temporarily...${plain}"
  617. systemctl stop x-ui 2> /dev/null || rc-service x-ui stop 2> /dev/null
  618. if [[ ${cert_exists} -eq 0 ]]; then
  619. # issue the certificate
  620. ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
  621. [[ -n "${XUI_ACME_EMAIL:-}" ]] && ~/.acme.sh/acme.sh --register-account -m "${XUI_ACME_EMAIL}" > /dev/null 2>&1
  622. ~/.acme.sh/acme.sh --issue -d ${domain} $(acme_listen_flag) --standalone --httpport ${WebPort} --force
  623. if [ $? -ne 0 ]; then
  624. echo -e "${red}Issuing certificate failed, please check logs.${plain}"
  625. rm -rf ~/.acme.sh/${domain} ~/.acme.sh/${domain}_ecc
  626. systemctl start x-ui 2> /dev/null || rc-service x-ui start 2> /dev/null
  627. return 1
  628. else
  629. echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}"
  630. fi
  631. else
  632. echo -e "${green}Using existing certificate, installing certificates...${plain}"
  633. fi
  634. # Setup reload command
  635. reloadCmd="systemctl restart x-ui || rc-service x-ui restart"
  636. echo -e "${green}Default --reloadcmd for ACME is: ${yellow}systemctl restart x-ui || rc-service x-ui restart${plain}"
  637. echo -e "${green}This command will run on every certificate issue and renew.${plain}"
  638. if [[ "$NONINTERACTIVE" == "1" ]]; then
  639. setReloadcmd="n"
  640. else
  641. read -rp "Would you like to modify --reloadcmd for ACME? (y/n): " setReloadcmd
  642. fi
  643. if [[ "$setReloadcmd" == "y" || "$setReloadcmd" == "Y" ]]; then
  644. echo -e "\n${green}\t1.${plain} Preset: systemctl reload nginx ; systemctl restart x-ui"
  645. echo -e "${green}\t2.${plain} Input your own command"
  646. echo -e "${green}\t0.${plain} Keep default reloadcmd"
  647. read -rp "Choose an option: " choice
  648. case "$choice" in
  649. 1)
  650. echo -e "${green}Reloadcmd is: systemctl reload nginx ; systemctl restart x-ui${plain}"
  651. reloadCmd="systemctl reload nginx ; systemctl restart x-ui"
  652. ;;
  653. 2)
  654. echo -e "${yellow}It's recommended to put x-ui restart at the end${plain}"
  655. read -rp "Please enter your custom reloadcmd: " reloadCmd
  656. echo -e "${green}Reloadcmd is: ${reloadCmd}${plain}"
  657. ;;
  658. *)
  659. echo -e "${green}Keeping default reloadcmd${plain}"
  660. ;;
  661. esac
  662. fi
  663. # install the certificate
  664. local installOutput=""
  665. installOutput=$(~/.acme.sh/acme.sh --installcert --force -d ${domain} \
  666. --key-file /root/cert/${domain}/privkey.pem \
  667. --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" 2>&1)
  668. local installRc=$?
  669. echo "${installOutput}"
  670. local installWroteFiles=0
  671. if echo "${installOutput}" | grep -q "Installing key to:" && echo "${installOutput}" | grep -q "Installing full chain to:"; then
  672. installWroteFiles=1
  673. fi
  674. if [[ -f "/root/cert/${domain}/privkey.pem" && -f "/root/cert/${domain}/fullchain.pem" && (${installRc} -eq 0 || ${installWroteFiles} -eq 1) ]]; then
  675. echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}"
  676. else
  677. echo -e "${red}Installing certificate failed, exiting.${plain}"
  678. if [[ ${cert_exists} -eq 0 ]]; then
  679. rm -rf ~/.acme.sh/${domain} ~/.acme.sh/${domain}_ecc
  680. fi
  681. systemctl start x-ui 2> /dev/null || rc-service x-ui start 2> /dev/null
  682. return 1
  683. fi
  684. # enable auto-renew
  685. ~/.acme.sh/acme.sh --upgrade --auto-upgrade
  686. if [ $? -ne 0 ]; then
  687. echo -e "${yellow}Auto renew setup had issues, certificate details:${plain}"
  688. ls -lah /root/cert/${domain}/
  689. # Secure permissions: private key readable only by owner
  690. chmod 600 $certPath/privkey.pem 2> /dev/null
  691. chmod 644 $certPath/fullchain.pem 2> /dev/null
  692. else
  693. echo -e "${green}Auto renew succeeded, certificate details:${plain}"
  694. ls -lah /root/cert/${domain}/
  695. # Secure permissions: private key readable only by owner
  696. chmod 600 $certPath/privkey.pem 2> /dev/null
  697. chmod 644 $certPath/fullchain.pem 2> /dev/null
  698. fi
  699. # start panel
  700. systemctl start x-ui 2> /dev/null || rc-service x-ui start 2> /dev/null
  701. # Prompt user to set panel paths after successful certificate installation
  702. if [[ "$NONINTERACTIVE" == "1" ]]; then
  703. setPanel="y"
  704. else
  705. read -rp "Would you like to set this certificate for the panel? (y/n): " setPanel
  706. fi
  707. if [[ "$setPanel" == "y" || "$setPanel" == "Y" ]]; then
  708. local webCertFile="/root/cert/${domain}/fullchain.pem"
  709. local webKeyFile="/root/cert/${domain}/privkey.pem"
  710. if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
  711. ${xui_folder}/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile"
  712. echo -e "${green}Certificate paths set for the panel${plain}"
  713. echo -e "${green}Certificate File: $webCertFile${plain}"
  714. echo -e "${green}Private Key File: $webKeyFile${plain}"
  715. echo ""
  716. echo -e "${green}Access URL: https://${domain}:${existing_port}/${existing_webBasePath}${plain}"
  717. echo -e "${yellow}Panel will restart to apply SSL certificate...${plain}"
  718. systemctl restart x-ui 2> /dev/null || rc-service x-ui restart 2> /dev/null
  719. else
  720. echo -e "${red}Error: Certificate or private key file not found for domain: $domain.${plain}"
  721. fi
  722. else
  723. echo -e "${yellow}Skipping panel path setting.${plain}"
  724. fi
  725. return 0
  726. }
  727. # Reusable interactive SSL setup (domain or IP)
  728. # Sets global `SSL_HOST` to the chosen domain/IP for Access URL usage
  729. prompt_and_setup_ssl() {
  730. local panel_port="$1"
  731. local web_base_path="$2"
  732. local server_ip="$3"
  733. local ssl_choice=""
  734. SSL_SCHEME="https"
  735. echo -e "${yellow}Choose SSL certificate setup method:${plain}"
  736. echo -e "${green}1.${plain} Let's Encrypt for Domain (90-day validity, auto-renews)"
  737. echo -e "${green}2.${plain} Let's Encrypt for IP Address (6-day validity, auto-renews)"
  738. echo -e "${green}3.${plain} Custom SSL Certificate (Path to existing files)"
  739. echo -e "${green}4.${plain} Skip SSL (advanced — behind reverse proxy / SSH tunnel only)"
  740. echo -e "${blue}Note:${plain} Options 1 & 2 require port 80 open. Option 3 requires manual paths."
  741. echo -e "${blue}Note:${plain} Option 4 serves the panel over plain HTTP — only safe behind nginx/Caddy or an SSH tunnel."
  742. if [[ "$NONINTERACTIVE" == "1" ]]; then
  743. case "${XUI_SSL_MODE:-none}" in
  744. domain) ssl_choice="1" ;;
  745. ip) ssl_choice="2" ;;
  746. none | "") ssl_choice="4" ;;
  747. *)
  748. echo -e "${yellow}Unknown XUI_SSL_MODE='${XUI_SSL_MODE}', defaulting to none (HTTP).${plain}"
  749. ssl_choice="4"
  750. ;;
  751. esac
  752. else
  753. read -rp "Choose an option (default 2 for IP): " ssl_choice
  754. ssl_choice="${ssl_choice// /}" # Trim whitespace
  755. # Default to 2 (IP cert) if input is empty or invalid (not 1, 3 or 4)
  756. if [[ "$ssl_choice" != "1" && "$ssl_choice" != "3" && "$ssl_choice" != "4" ]]; then
  757. ssl_choice="2"
  758. fi
  759. fi
  760. case "$ssl_choice" in
  761. 1)
  762. # User chose Let's Encrypt domain option
  763. echo -e "${green}Using Let's Encrypt for domain certificate...${plain}"
  764. if ssl_cert_issue; then
  765. local cert_domain="${SSL_ISSUED_DOMAIN}"
  766. if [[ -z "${cert_domain}" ]]; then
  767. cert_domain=$(~/.acme.sh/acme.sh --list 2> /dev/null | tail -1 | awk '{print $1}')
  768. fi
  769. if [[ -n "${cert_domain}" ]]; then
  770. SSL_HOST="${cert_domain}"
  771. echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}"
  772. else
  773. echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}"
  774. SSL_HOST="${server_ip}"
  775. fi
  776. else
  777. echo -e "${red}SSL certificate setup failed for domain mode.${plain}"
  778. SSL_HOST="${server_ip}"
  779. fi
  780. ;;
  781. 2)
  782. # User chose Let's Encrypt IP certificate option
  783. echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}"
  784. # Confirm the auto-detected IP before issuing for it: with asymmetric
  785. # routing / multi-WAN the echo services can return a transit address.
  786. if [[ "$NONINTERACTIVE" != "1" ]]; then
  787. local ip_confirm=""
  788. read -rp "Is ${server_ip} the correct incoming public IPv4 address for this server? [Default y]: " ip_confirm
  789. if [[ -n "$ip_confirm" && "$ip_confirm" != "y" && "$ip_confirm" != "Y" ]]; then
  790. server_ip=""
  791. while [[ -z "$server_ip" ]]; do
  792. read -rp "Please enter your server's public IPv4 address: " server_ip
  793. server_ip="${server_ip// /}"
  794. if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  795. echo -e "${red}Invalid IPv4 address. Please try again.${plain}"
  796. server_ip=""
  797. fi
  798. done
  799. fi
  800. fi
  801. # Ask for optional IPv6
  802. local ipv6_addr=""
  803. prompt_or_default ipv6_addr "Do you have an IPv6 address to include? (leave empty to skip): " "" XUI_SSL_IPV6
  804. ipv6_addr="${ipv6_addr// /}" # Trim whitespace
  805. # Stop panel if running (port 80 needed)
  806. if [[ $release == "alpine" ]]; then
  807. rc-service x-ui stop > /dev/null 2>&1
  808. else
  809. systemctl stop x-ui > /dev/null 2>&1
  810. fi
  811. setup_ip_certificate "${server_ip}" "${ipv6_addr}"
  812. if [ $? -eq 0 ]; then
  813. SSL_HOST="${server_ip}"
  814. echo -e "${green}✓ Let's Encrypt IP certificate configured successfully${plain}"
  815. else
  816. echo -e "${red}✗ IP certificate setup failed. Please check port 80 is open.${plain}"
  817. SSL_HOST="${server_ip}"
  818. fi
  819. ;;
  820. 3)
  821. # User chose Custom Paths (User Provided) option
  822. echo -e "${green}Using custom existing certificate...${plain}"
  823. local custom_cert=""
  824. local custom_key=""
  825. local custom_domain=""
  826. # 3.1 Request Domain to compose Panel URL later
  827. read -rp "Please enter domain name certificate issued for: " custom_domain
  828. custom_domain="${custom_domain// /}" # Remove spaces
  829. # 3.2 Loop for Certificate Path
  830. while true; do
  831. read -rp "Input certificate path (keywords: .crt / fullchain): " custom_cert
  832. # Strip quotes if present
  833. custom_cert=$(echo "$custom_cert" | tr -d '"' | tr -d "'")
  834. if [[ -f "$custom_cert" && -r "$custom_cert" && -s "$custom_cert" ]]; then
  835. break
  836. elif [[ ! -f "$custom_cert" ]]; then
  837. echo -e "${red}Error: File does not exist! Try again.${plain}"
  838. elif [[ ! -r "$custom_cert" ]]; then
  839. echo -e "${red}Error: File exists but is not readable (check permissions)!${plain}"
  840. else
  841. echo -e "${red}Error: File is empty!${plain}"
  842. fi
  843. done
  844. # 3.3 Loop for Private Key Path
  845. while true; do
  846. read -rp "Input private key path (keywords: .key / privatekey): " custom_key
  847. # Strip quotes if present
  848. custom_key=$(echo "$custom_key" | tr -d '"' | tr -d "'")
  849. if [[ -f "$custom_key" && -r "$custom_key" && -s "$custom_key" ]]; then
  850. break
  851. elif [[ ! -f "$custom_key" ]]; then
  852. echo -e "${red}Error: File does not exist! Try again.${plain}"
  853. elif [[ ! -r "$custom_key" ]]; then
  854. echo -e "${red}Error: File exists but is not readable (check permissions)!${plain}"
  855. else
  856. echo -e "${red}Error: File is empty!${plain}"
  857. fi
  858. done
  859. # 3.4 Apply Settings via x-ui binary
  860. ${xui_folder}/x-ui cert -webCert "$custom_cert" -webCertKey "$custom_key" > /dev/null 2>&1
  861. # Set SSL_HOST for composing Panel URL
  862. if [[ -n "$custom_domain" ]]; then
  863. SSL_HOST="$custom_domain"
  864. else
  865. SSL_HOST="${server_ip}"
  866. fi
  867. echo -e "${green}✓ Custom certificate paths applied.${plain}"
  868. echo -e "${yellow}Note: You are responsible for renewing these files externally.${plain}"
  869. systemctl restart x-ui > /dev/null 2>&1 || rc-service x-ui restart > /dev/null 2>&1
  870. ;;
  871. 4)
  872. echo ""
  873. echo -e "${red}⚠ Panel will be installed WITHOUT SSL/TLS.${plain}"
  874. echo -e "${yellow}Login credentials and cookies will travel as plain HTTP.${plain}"
  875. echo -e "${yellow}Only safe when:${plain}"
  876. echo -e "${yellow} • A reverse proxy (nginx, Caddy, Traefik) terminates TLS for you, or${plain}"
  877. echo -e "${yellow} • You access the panel exclusively via SSH tunnel${plain}"
  878. echo ""
  879. SSL_SCHEME="http"
  880. SSL_HOST="${server_ip}"
  881. local bind_local=""
  882. if [[ "$NONINTERACTIVE" == "1" ]]; then
  883. # Cloud images must stay reachable on their public interface.
  884. bind_local="n"
  885. else
  886. read -rp "Bind the panel to 127.0.0.1 only? (recommended — forces SSH tunnel / reverse-proxy access) [y/N]: " bind_local
  887. fi
  888. if [[ "$bind_local" == "y" || "$bind_local" == "Y" ]]; then
  889. ${xui_folder}/x-ui setting -listenIP "127.0.0.1" > /dev/null 2>&1
  890. SSL_HOST="127.0.0.1"
  891. echo -e "${green}✓ Panel bound to 127.0.0.1 only. It is now unreachable from the public internet.${plain}"
  892. echo ""
  893. echo -e "${green}SSH Port Forwarding — open the panel from your local machine via:${plain}"
  894. echo -e " Standard SSH command:"
  895. echo -e " ${yellow}ssh -L 2222:127.0.0.1:${panel_port} root@${server_ip}${plain}"
  896. echo -e " If using an SSH key:"
  897. echo -e " ${yellow}ssh -i <sshkeypath> -L 2222:127.0.0.1:${panel_port} root@${server_ip}${plain}"
  898. echo -e " Then open in your browser:"
  899. echo -e " ${yellow}http://localhost:2222/${web_base_path}${plain}"
  900. echo ""
  901. echo -e "${yellow}Alternative: point a reverse proxy (nginx/Caddy) at 127.0.0.1:${panel_port} and let it terminate TLS.${plain}"
  902. else
  903. echo -e "${yellow}Panel will listen on all interfaces over plain HTTP. Make sure something else is terminating TLS in front of it.${plain}"
  904. fi
  905. systemctl restart x-ui > /dev/null 2>&1 || rc-service x-ui restart > /dev/null 2>&1
  906. echo -e "${green}✓ SSL setup skipped.${plain}"
  907. ;;
  908. *)
  909. echo -e "${red}Invalid option. Skipping SSL setup.${plain}"
  910. SSL_HOST="${server_ip}"
  911. ;;
  912. esac
  913. }
  914. config_after_install() {
  915. local existing_hasDefaultCredential=$(${xui_folder}/x-ui setting -show true | grep -Eo 'hasDefaultCredential: .+' | awk '{print $2}')
  916. local existing_webBasePath=$(${xui_folder}/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}' | sed 's#^/##')
  917. local existing_port=$(${xui_folder}/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}')
  918. # Properly detect empty cert by checking if cert: line exists and has content after it
  919. local existing_cert=$(${xui_folder}/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
  920. local URL_lists=(
  921. "https://api4.ipify.org"
  922. "https://ipv4.icanhazip.com"
  923. "https://v4.api.ipinfo.io/ip"
  924. "https://ipv4.myexternalip.com/raw"
  925. "https://4.ident.me"
  926. "https://check-host.net/ip"
  927. )
  928. local server_ip=""
  929. for ip_address in "${URL_lists[@]}"; do
  930. local response=$(curl -s -w "\n%{http_code}" --max-time 3 "${ip_address}" 2> /dev/null)
  931. local http_code=$(echo "$response" | tail -n1)
  932. local ip_result=$(echo "$response" | head -n-1 | tr -d '[:space:]"')
  933. if [[ "${http_code}" == "200" && "${ip_result}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  934. server_ip="${ip_result}"
  935. break
  936. fi
  937. done
  938. if [[ -z "$server_ip" ]]; then
  939. if [[ "$NONINTERACTIVE" == "1" ]]; then
  940. # Panel binds 0.0.0.0 regardless; the IP is only used to compose the
  941. # displayed access URL. Fall back to XUI_SERVER_IP or leave blank.
  942. server_ip="${XUI_SERVER_IP:-}"
  943. else
  944. echo -e "${yellow}Could not auto-detect server IP from any provider.${plain}"
  945. while [[ -z "$server_ip" ]]; do
  946. read -rp "Please enter your server's public IPv4 address: " server_ip
  947. server_ip="${server_ip// /}"
  948. if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  949. echo -e "${red}Invalid IPv4 address. Please try again.${plain}"
  950. server_ip=""
  951. fi
  952. done
  953. fi
  954. fi
  955. if [[ ${#existing_webBasePath} -lt 4 ]]; then
  956. if [[ "$existing_hasDefaultCredential" == "true" ]]; then
  957. local config_webBasePath="${XUI_WEB_BASE_PATH:-$(gen_random_string 18)}"
  958. local config_username="${XUI_USERNAME:-$(gen_random_string 10)}"
  959. local config_password="${XUI_PASSWORD:-$(gen_random_string 10)}"
  960. local config_port=""
  961. local db_label="SQLite (/etc/x-ui/x-ui.db)"
  962. echo ""
  963. echo -e "${green}═══════════════════════════════════════════${plain}"
  964. echo -e "${green} Database Selection ${plain}"
  965. echo -e "${green}═══════════════════════════════════════════${plain}"
  966. echo -e " 1) SQLite (default — recommended for < 500 clients)"
  967. echo -e " 2) PostgreSQL (recommended for high client counts / many nodes)"
  968. if [[ "$NONINTERACTIVE" == "1" ]]; then
  969. if [[ "${XUI_DB_TYPE:-sqlite}" == "postgres" ]]; then
  970. db_choice="2"
  971. else
  972. db_choice="1"
  973. fi
  974. else
  975. read -rp "Choose [1]: " db_choice
  976. db_choice="${db_choice:-1}"
  977. fi
  978. if [[ "$db_choice" == "2" ]]; then
  979. local xui_env_file
  980. case "${release}" in
  981. ubuntu | debian | armbian)
  982. xui_env_file="/etc/default/x-ui"
  983. ;;
  984. arch | manjaro | parch | alpine)
  985. xui_env_file="/etc/conf.d/x-ui"
  986. ;;
  987. *)
  988. xui_env_file="/etc/sysconfig/x-ui"
  989. ;;
  990. esac
  991. local xui_dsn=""
  992. local pg_mode=""
  993. local pg_local_installed=0
  994. while [[ -z "$xui_dsn" ]]; do
  995. if [[ "$NONINTERACTIVE" == "1" ]]; then
  996. if [[ -n "${XUI_DB_DSN:-}" ]]; then
  997. xui_dsn="${XUI_DB_DSN}"
  998. db_label="PostgreSQL (external)"
  999. break
  1000. fi
  1001. echo -e "${yellow}Installing PostgreSQL locally (non-interactive)...${plain}"
  1002. local pg_cred_file
  1003. pg_cred_file=$(mktemp 2> /dev/null) || pg_cred_file=$(mktemp -t x-ui-pg-creds.XXXXXXXX)
  1004. if [[ -n "${pg_cred_file}" ]] && xui_dsn=$(PG_CRED_FILE="${pg_cred_file}" install_postgres_local); then
  1005. pg_local_installed=1
  1006. if [[ -r "${pg_cred_file}" ]]; then
  1007. # shellcheck disable=SC1090
  1008. source "${pg_cred_file}"
  1009. fi
  1010. rm -f "${pg_cred_file}"
  1011. db_label="PostgreSQL (${PG_USER}@${PG_HOST}:${PG_PORT}/${PG_DB})"
  1012. break
  1013. fi
  1014. rm -f "${pg_cred_file}"
  1015. echo -e "${red}PostgreSQL installation failed in non-interactive mode; aborting.${plain}"
  1016. echo -e "${yellow}Set XUI_DB_DSN to use an existing server, or XUI_DB_TYPE=sqlite.${plain}"
  1017. exit 1
  1018. fi
  1019. echo ""
  1020. echo -e " 1) Install PostgreSQL locally and create a dedicated user/db (recommended)"
  1021. echo -e " 2) Use an existing PostgreSQL server (enter DSN)"
  1022. read -rp "Choose [1]: " pg_mode
  1023. pg_mode="${pg_mode:-1}"
  1024. if [[ "$pg_mode" == "2" ]]; then
  1025. while [[ -z "$xui_dsn" ]]; do
  1026. read -rp "Enter PostgreSQL DSN (postgres://user:pass@host:port/dbname?sslmode=disable): " xui_dsn
  1027. xui_dsn="${xui_dsn// /}"
  1028. done
  1029. db_label="PostgreSQL (external)"
  1030. else
  1031. echo -e "${yellow}Installing PostgreSQL — this may take a moment...${plain}"
  1032. local pg_cred_file
  1033. pg_cred_file=$(mktemp 2> /dev/null) || pg_cred_file=$(mktemp -t x-ui-pg-creds.XXXXXXXX)
  1034. if [[ -z "${pg_cred_file}" ]]; then
  1035. echo -e "${red}Failed to create temporary credentials file.${plain}"
  1036. xui_dsn=""
  1037. continue
  1038. fi
  1039. if xui_dsn=$(PG_CRED_FILE="${pg_cred_file}" install_postgres_local); then
  1040. pg_local_installed=1
  1041. if [[ -r "${pg_cred_file}" ]]; then
  1042. # shellcheck disable=SC1090
  1043. source "${pg_cred_file}"
  1044. fi
  1045. rm -f "${pg_cred_file}"
  1046. db_label="PostgreSQL (${PG_USER}@${PG_HOST}:${PG_PORT}/${PG_DB})"
  1047. else
  1048. rm -f "${pg_cred_file}"
  1049. echo ""
  1050. echo -e "${red}PostgreSQL installation failed.${plain}"
  1051. echo -e " 1) Retry local install"
  1052. echo -e " 2) Enter an external DSN instead"
  1053. echo -e " 3) Abort install"
  1054. echo -e " 4) Fall back to SQLite"
  1055. read -rp "Choose [1]: " pg_fail
  1056. pg_fail="${pg_fail:-1}"
  1057. case "$pg_fail" in
  1058. 2) pg_mode="2" ;;
  1059. 3)
  1060. echo -e "${red}Install aborted.${plain}"
  1061. exit 1
  1062. ;;
  1063. 4)
  1064. db_choice="1"
  1065. xui_dsn=""
  1066. break
  1067. ;;
  1068. *) xui_dsn="" ;;
  1069. esac
  1070. fi
  1071. fi
  1072. done
  1073. if [[ -n "$xui_dsn" ]]; then
  1074. install -d -m 755 "$(dirname "$xui_env_file")"
  1075. umask 077
  1076. cat > "$xui_env_file" << EOF
  1077. XUI_DB_TYPE=postgres
  1078. XUI_DB_DSN=${xui_dsn}
  1079. EOF
  1080. chmod 600 "$xui_env_file"
  1081. umask 022
  1082. export XUI_DB_TYPE=postgres
  1083. export XUI_DB_DSN="${xui_dsn}"
  1084. ensure_pg_client || echo -e "${yellow}⚠ Could not install pg_dump/pg_restore. In-panel database backup/restore will be unavailable until you install the postgresql-client package.${plain}"
  1085. fi
  1086. fi
  1087. if [[ "$NONINTERACTIVE" == "1" ]]; then
  1088. if [[ -n "${XUI_PANEL_PORT:-}" ]]; then
  1089. config_port="${XUI_PANEL_PORT}"
  1090. echo -e "${yellow}Your Panel Port is: ${config_port}${plain}"
  1091. else
  1092. config_port=$(shuf -i 1024-62000 -n 1)
  1093. echo -e "${yellow}Generated random port: ${config_port}${plain}"
  1094. fi
  1095. else
  1096. read -rp "Would you like to customize the Panel Port settings? (If not, a random port will be applied) [y/n]: " config_confirm
  1097. if [[ "${config_confirm}" == "y" || "${config_confirm}" == "Y" ]]; then
  1098. read -rp "Please set up the panel port: " config_port
  1099. echo -e "${yellow}Your Panel Port is: ${config_port}${plain}"
  1100. else
  1101. config_port=$(shuf -i 1024-62000 -n 1)
  1102. echo -e "${yellow}Generated random port: ${config_port}${plain}"
  1103. fi
  1104. fi
  1105. ${xui_folder}/x-ui setting -username "${config_username}" -password "${config_password}" -port "${config_port}" -webBasePath "${config_webBasePath}"
  1106. echo ""
  1107. echo -e "${green}═══════════════════════════════════════════${plain}"
  1108. echo -e "${green} SSL Certificate Setup (RECOMMENDED) ${plain}"
  1109. echo -e "${green}═══════════════════════════════════════════${plain}"
  1110. echo -e "${yellow}SSL is strongly recommended. Skip only if a reverse proxy${plain}"
  1111. echo -e "${yellow}or SSH tunnel handles TLS for you.${plain}"
  1112. echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}"
  1113. echo ""
  1114. prompt_and_setup_ssl "${config_port}" "${config_webBasePath}" "${server_ip}"
  1115. # Retrieve the API token for display
  1116. local config_apiToken=$(${xui_folder}/x-ui setting -getApiToken true | grep -Eo 'apiToken: .+' | awk '{print $2}')
  1117. # Display final credentials and access information
  1118. echo ""
  1119. echo -e "${green}═══════════════════════════════════════════${plain}"
  1120. echo -e "${green} Panel Installation Complete! ${plain}"
  1121. echo -e "${green}═══════════════════════════════════════════${plain}"
  1122. echo -e "${green}Username: ${config_username}${plain}"
  1123. echo -e "${green}Password: ${config_password}${plain}"
  1124. echo -e "${green}Port: ${config_port}${plain}"
  1125. echo -e "${green}WebBasePath: ${config_webBasePath}${plain}"
  1126. echo -e "${green}Database: ${db_label}${plain}"
  1127. echo -e "${green}Access URL: ${SSL_SCHEME}://${SSL_HOST}:${config_port}/${config_webBasePath}${plain}"
  1128. echo -e "${green}API Token: ${config_apiToken}${plain}"
  1129. echo -e "${green}═══════════════════════════════════════════${plain}"
  1130. echo -e "${yellow}⚠ IMPORTANT: Save these credentials securely!${plain}"
  1131. if [[ "$SSL_SCHEME" == "https" ]]; then
  1132. echo -e "${yellow}⚠ SSL Certificate: Enabled and configured${plain}"
  1133. else
  1134. echo -e "${yellow}⚠ SSL Certificate: Skipped — panel is HTTP-only. Use a reverse proxy or SSH tunnel.${plain}"
  1135. fi
  1136. if [[ "$db_choice" == "2" ]]; then
  1137. echo ""
  1138. echo -e "${green}PostgreSQL backup & restore is built into the panel:${plain}"
  1139. echo -e " ${blue}${SSL_SCHEME}://${SSL_HOST}:${config_port}/${config_webBasePath}${plain} → Backup & Restore"
  1140. echo -e "${yellow} Back Up downloads a pg_dump .dump file; Restore reloads it via pg_restore.${plain}"
  1141. fi
  1142. if [[ "$db_choice" == "2" && "$pg_local_installed" == "1" ]]; then
  1143. echo ""
  1144. echo -e "${green}═══════════════════════════════════════════${plain}"
  1145. echo -e "${green} PostgreSQL Credentials ${plain}"
  1146. echo -e "${green}═══════════════════════════════════════════${plain}"
  1147. echo -e "${green}DB Name: ${PG_DB}${plain}"
  1148. echo -e "${green}Username: ${PG_USER}${plain}"
  1149. echo -e "${green}Password: ${PG_PASS}${plain}"
  1150. echo -e "${green}Host: ${PG_HOST}${plain}"
  1151. echo -e "${green}Port: ${PG_PORT}${plain}"
  1152. echo -e "${green}DSN: ${xui_dsn}${plain}"
  1153. echo -e "${green}Env file: ${xui_env_file}${plain}"
  1154. echo -e "${green}-------------------------------------------${plain}"
  1155. echo -e "${green}Connect from this server:${plain}"
  1156. echo -e " ${blue}sudo -u postgres psql -d ${PG_DB}${plain} (as the postgres superuser)"
  1157. echo -e " ${blue}PGPASSWORD='${PG_PASS}' psql -h ${PG_HOST} -p ${PG_PORT} -U ${PG_USER} -d ${PG_DB}${plain}"
  1158. echo -e "${green}═══════════════════════════════════════════${plain}"
  1159. echo -e "${yellow}⚠ The panel reads these credentials from ${xui_env_file}.${plain}"
  1160. echo -e "${yellow}⚠ Save the password — it is not stored anywhere else in plain text.${plain}"
  1161. unset PG_USER PG_PASS PG_HOST PG_PORT PG_DB
  1162. fi
  1163. # Persist a machine-parseable credentials file for cloud-init / MOTD.
  1164. : "${SSL_SCHEME:=https}"
  1165. : "${SSL_HOST:=${server_ip}}"
  1166. local db_type_out="sqlite"
  1167. [[ "$db_choice" == "2" ]] && db_type_out="postgres"
  1168. write_install_result "${config_username}" "${config_password}" "${config_port}" \
  1169. "${config_webBasePath}" "${SSL_SCHEME}" "${SSL_HOST}" "${config_apiToken}" "${db_type_out}"
  1170. else
  1171. local config_webBasePath=$(gen_random_string 18)
  1172. echo -e "${yellow}WebBasePath is missing or too short. Generating a new one...${plain}"
  1173. ${xui_folder}/x-ui setting -webBasePath "${config_webBasePath}"
  1174. echo -e "${green}New WebBasePath: ${config_webBasePath}${plain}"
  1175. # If the panel is already installed but no certificate is configured, prompt for SSL now
  1176. if [[ -z "${existing_cert}" ]]; then
  1177. echo ""
  1178. echo -e "${green}═══════════════════════════════════════════${plain}"
  1179. echo -e "${green} SSL Certificate Setup (RECOMMENDED) ${plain}"
  1180. echo -e "${green}═══════════════════════════════════════════${plain}"
  1181. echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}"
  1182. echo ""
  1183. prompt_and_setup_ssl "${existing_port}" "${config_webBasePath}" "${server_ip}"
  1184. echo -e "${green}Access URL: ${SSL_SCHEME}://${SSL_HOST}:${existing_port}/${config_webBasePath}${plain}"
  1185. else
  1186. # If a cert already exists, just show the access URL
  1187. echo -e "${green}Access URL: https://${server_ip}:${existing_port}/${config_webBasePath}${plain}"
  1188. fi
  1189. fi
  1190. else
  1191. if [[ "$existing_hasDefaultCredential" == "true" ]]; then
  1192. local config_username="${XUI_USERNAME:-$(gen_random_string 10)}"
  1193. local config_password="${XUI_PASSWORD:-$(gen_random_string 10)}"
  1194. echo -e "${yellow}Default credentials detected. Security update required...${plain}"
  1195. ${xui_folder}/x-ui setting -username "${config_username}" -password "${config_password}"
  1196. echo -e "Generated new random login credentials:"
  1197. echo -e "###############################################"
  1198. echo -e "${green}Username: ${config_username}${plain}"
  1199. echo -e "${green}Password: ${config_password}${plain}"
  1200. echo -e "###############################################"
  1201. # Persist a machine-parseable credentials file for cloud-init / MOTD.
  1202. local config_apiToken
  1203. config_apiToken=$(${xui_folder}/x-ui setting -getApiToken true | grep -Eo 'apiToken: .+' | awk '{print $2}')
  1204. : "${SSL_SCHEME:=https}"
  1205. : "${SSL_HOST:=${server_ip}}"
  1206. write_install_result "${config_username}" "${config_password}" "${existing_port}" \
  1207. "${existing_webBasePath}" "${SSL_SCHEME}" "${SSL_HOST}" "${config_apiToken}" "${XUI_DB_TYPE:-sqlite}"
  1208. else
  1209. echo -e "${green}Username, Password, and WebBasePath are properly set.${plain}"
  1210. fi
  1211. # Existing install: if no cert configured, prompt user for SSL setup
  1212. # Properly detect empty cert by checking if cert: line exists and has content after it
  1213. existing_cert=$(${xui_folder}/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
  1214. if [[ -z "$existing_cert" ]]; then
  1215. echo ""
  1216. echo -e "${green}═══════════════════════════════════════════${plain}"
  1217. echo -e "${green} SSL Certificate Setup (RECOMMENDED) ${plain}"
  1218. echo -e "${green}═══════════════════════════════════════════${plain}"
  1219. echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}"
  1220. echo ""
  1221. prompt_and_setup_ssl "${existing_port}" "${existing_webBasePath}" "${server_ip}"
  1222. echo -e "${green}Access URL: ${SSL_SCHEME}://${SSL_HOST}:${existing_port}/${existing_webBasePath}${plain}"
  1223. else
  1224. echo -e "${green}SSL certificate already configured. No action needed.${plain}"
  1225. fi
  1226. fi
  1227. ${xui_folder}/x-ui migrate
  1228. }
  1229. # setup_fail2ban auto-installs and configures fail2ban for the IP Limit feature
  1230. # by invoking the freshly installed x-ui CLI. IP Limit is load-bearing on
  1231. # fail2ban (without it the panel disables the limitIp field and zeroes existing
  1232. # limits), so a fresh install should make it work out of the box, just like the
  1233. # Docker image already does. Non-fatal by design: a fail2ban failure must never
  1234. # abort the panel install.
  1235. setup_fail2ban() {
  1236. if [[ -n "${XUI_ENABLE_FAIL2BAN+x}" && "${XUI_ENABLE_FAIL2BAN}" != "true" ]]; then
  1237. echo -e "${yellow}XUI_ENABLE_FAIL2BAN=${XUI_ENABLE_FAIL2BAN}, skipping Fail2ban auto-setup.${plain}"
  1238. return 0
  1239. fi
  1240. if [[ ! -x /usr/bin/x-ui ]]; then
  1241. echo -e "${yellow}x-ui CLI not found; skipping Fail2ban auto-setup.${plain}"
  1242. return 0
  1243. fi
  1244. echo -e "${green}Setting up Fail2ban for the IP Limit feature...${plain}"
  1245. if /usr/bin/x-ui setup-fail2ban; then
  1246. echo -e "${green}Fail2ban setup complete.${plain}"
  1247. else
  1248. echo -e "${yellow}Fail2ban setup did not finish; IP Limit stays disabled until you run 'x-ui' and open the IP Limit menu. Continuing.${plain}"
  1249. fi
  1250. return 0
  1251. }
  1252. # Lands a systemd unit file at ${xui_service}/x-ui.service via a temp file +
  1253. # atomic mv, so a failed cp/curl or an interrupted mv never leaves a
  1254. # truncated unit file at the live path -- systemd would then fail to parse
  1255. # it on the next daemon-reload/start. Same pattern already used for
  1256. # /usr/bin/x-ui elsewhere in this script. source_is_url picks cp (from a
  1257. # file already extracted from the release tarball) vs curl (GitHub fallback).
  1258. _install_xui_service_unit() {
  1259. local source="$1"
  1260. local source_is_url="$2"
  1261. local dest="${xui_service}/x-ui.service"
  1262. local temp_file="${dest}.tmp.$$"
  1263. rm -f "$temp_file"
  1264. if [[ "$source_is_url" == "true" ]]; then
  1265. curl -fLRo "$temp_file" "$source" > /dev/null 2>&1
  1266. else
  1267. cp -f "$source" "$temp_file" > /dev/null 2>&1
  1268. fi
  1269. if [[ $? -ne 0 ]]; then
  1270. rm -f "$temp_file"
  1271. return 1
  1272. fi
  1273. if [[ ! -s "$temp_file" ]]; then
  1274. rm -f "$temp_file"
  1275. return 1
  1276. fi
  1277. mv -f "$temp_file" "$dest"
  1278. if [[ $? -ne 0 ]]; then
  1279. rm -f "$temp_file"
  1280. return 1
  1281. fi
  1282. return 0
  1283. }
  1284. install_x-ui() {
  1285. cd ${xui_folder%/x-ui}/
  1286. # Download resources
  1287. if [ $# == 0 ]; then
  1288. tag_version=$(curl -Ls --retry 5 --retry-delay 3 --connect-timeout 15 --max-time 60 "https://api.github.com/repos/MHSanaei/3x-ui/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
  1289. if [[ ! -n "$tag_version" ]]; then
  1290. echo -e "${red}Failed to fetch x-ui version, it may be due to GitHub API restrictions, please try it later${plain}"
  1291. exit 1
  1292. fi
  1293. echo -e "Got x-ui latest version: ${tag_version}, beginning the installation..."
  1294. curl -fLR --retry 5 --retry-delay 3 --connect-timeout 15 --max-time 300 -o ${xui_folder}-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz
  1295. if [[ $? -ne 0 ]]; then
  1296. echo -e "${red}Downloading x-ui failed, please be sure that your server can access GitHub ${plain}"
  1297. exit 1
  1298. fi
  1299. if [[ ! -s ${xui_folder}-linux-$(arch).tar.gz ]]; then
  1300. rm ${xui_folder}-linux-$(arch).tar.gz -f
  1301. echo -e "${red}Downloaded x-ui release archive is empty${plain}"
  1302. exit 1
  1303. fi
  1304. else
  1305. tag_version=$1
  1306. # The rolling dev channel ships under a fixed, non-semver tag that is
  1307. # force-moved to the latest main commit on every push. Accept `dev` as a
  1308. # convenient alias and skip the numeric floor check for it.
  1309. if [[ "$tag_version" == "dev" || "$tag_version" == "dev-latest" ]]; then
  1310. tag_version="dev-latest"
  1311. echo -e "${yellow}Installing the rolling dev build (tag: dev-latest). This is a per-commit pre-release, not a stable version.${plain}"
  1312. else
  1313. tag_version_numeric=${tag_version#v}
  1314. min_version="2.3.5"
  1315. if [[ "$(printf '%s\n' "$min_version" "$tag_version_numeric" | sort -V | head -n1)" != "$min_version" ]]; then
  1316. echo -e "${red}Please use a newer version (at least v2.3.5). Exiting installation.${plain}"
  1317. exit 1
  1318. fi
  1319. fi
  1320. url="https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz"
  1321. echo -e "Beginning to install x-ui ${tag_version}"
  1322. curl -fLR --retry 5 --retry-delay 3 --connect-timeout 15 --max-time 300 -o ${xui_folder}-linux-$(arch).tar.gz ${url}
  1323. if [[ $? -ne 0 ]]; then
  1324. echo -e "${red}Download x-ui ${tag_version} failed, please check if the version exists ${plain}"
  1325. exit 1
  1326. fi
  1327. if [[ ! -s ${xui_folder}-linux-$(arch).tar.gz ]]; then
  1328. rm ${xui_folder}-linux-$(arch).tar.gz -f
  1329. echo -e "${red}Downloaded x-ui release archive is empty${plain}"
  1330. exit 1
  1331. fi
  1332. fi
  1333. local xui_script_temp="/usr/bin/x-ui-temp.$$"
  1334. rm -f "${xui_script_temp}"
  1335. curl -fLRo "${xui_script_temp}" https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh
  1336. if [[ $? -ne 0 ]]; then
  1337. rm -f "${xui_script_temp}"
  1338. echo -e "${red}Failed to download x-ui.sh${plain}"
  1339. exit 1
  1340. fi
  1341. if [[ ! -s "${xui_script_temp}" ]]; then
  1342. rm -f "${xui_script_temp}"
  1343. echo -e "${red}Downloaded x-ui.sh is empty${plain}"
  1344. exit 1
  1345. fi
  1346. # Stop x-ui service and remove old resources
  1347. if [[ -e ${xui_folder}/ ]]; then
  1348. if [[ $release == "alpine" ]]; then
  1349. rc-service x-ui stop
  1350. else
  1351. systemctl stop x-ui
  1352. fi
  1353. # Kill any leftover mtg (MTProto) sidecars. x-ui runs them outside its own
  1354. # lifecycle, so on Linux a stale one can survive the stop and keep holding
  1355. # an inbound port with an outdated secret, silently breaking new clients.
  1356. # The freshly installed panel respawns a clean mtg per inbound on start.
  1357. pkill -f 'mtg-linux-[^ ]* run ' > /dev/null 2>&1 || true
  1358. rm ${xui_folder}/ -rf
  1359. fi
  1360. # Extract resources and set permissions
  1361. tar zxvf x-ui-linux-$(arch).tar.gz
  1362. if [[ $? -ne 0 ]]; then
  1363. rm x-ui-linux-$(arch).tar.gz -f
  1364. rm -f "${xui_script_temp}"
  1365. echo -e "${red}Failed to extract the x-ui release archive -- the previous installation has already been removed, so the panel will not start until this is fixed; try running the installer again${plain}"
  1366. exit 1
  1367. fi
  1368. rm x-ui-linux-$(arch).tar.gz -f
  1369. cd x-ui
  1370. if [[ $? -ne 0 || ! -s x-ui ]]; then
  1371. rm -f "${xui_script_temp}"
  1372. echo -e "${red}Extracted x-ui archive is missing the x-ui binary -- the previous installation has already been removed, so the panel will not start until this is fixed; try running the installer again${plain}"
  1373. exit 1
  1374. fi
  1375. chmod +x x-ui
  1376. chmod +x x-ui.sh
  1377. # Check the system's architecture and rename the file accordingly.
  1378. # The panel binary maps GOARCH=arm to "arm32" (internal/xray/process.go),
  1379. # so the Xray binary must be named xray-linux-arm32; mtg keeps plain "arm".
  1380. if [[ $(arch) == "armv5" || $(arch) == "armv6" || $(arch) == "armv7" ]]; then
  1381. mv bin/xray-linux-$(arch) bin/xray-linux-arm32
  1382. chmod +x bin/xray-linux-arm32
  1383. if [[ -f bin/mtg-linux-$(arch) ]]; then
  1384. mv bin/mtg-linux-$(arch) bin/mtg-linux-arm
  1385. chmod +x bin/mtg-linux-arm
  1386. fi
  1387. fi
  1388. chmod +x x-ui bin/xray-linux-$(arch)
  1389. if [[ -f bin/mtg-linux-arm ]]; then
  1390. chmod +x bin/mtg-linux-arm
  1391. elif [[ -f bin/mtg-linux-$(arch) ]]; then
  1392. chmod +x bin/mtg-linux-$(arch)
  1393. fi
  1394. # Update x-ui cli and se set permission
  1395. mv -f "${xui_script_temp}" /usr/bin/x-ui
  1396. if [[ $? -ne 0 ]]; then
  1397. rm -f "${xui_script_temp}"
  1398. echo -e "${red}Failed to install x-ui.sh${plain}"
  1399. exit 1
  1400. fi
  1401. chmod +x /usr/bin/x-ui
  1402. mkdir -p /var/log/x-ui
  1403. config_after_install
  1404. # Etckeeper compatibility
  1405. if [ -d "/etc/.git" ]; then
  1406. if [ -f "/etc/.gitignore" ]; then
  1407. if ! grep -q "x-ui/x-ui.db" "/etc/.gitignore"; then
  1408. echo "" >> "/etc/.gitignore"
  1409. echo "x-ui/x-ui.db" >> "/etc/.gitignore"
  1410. echo -e "${green}Added x-ui.db to /etc/.gitignore for etckeeper${plain}"
  1411. fi
  1412. else
  1413. echo "x-ui/x-ui.db" > "/etc/.gitignore"
  1414. echo -e "${green}Created /etc/.gitignore and added x-ui.db for etckeeper${plain}"
  1415. fi
  1416. fi
  1417. if [[ $release == "alpine" ]]; then
  1418. xui_rc_temp="/etc/init.d/x-ui.tmp.$$"
  1419. rm -f "${xui_rc_temp}"
  1420. curl -fLRo "${xui_rc_temp}" https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc
  1421. if [[ $? -ne 0 ]]; then
  1422. rm -f "${xui_rc_temp}"
  1423. echo -e "${red}Failed to download x-ui.rc${plain}"
  1424. exit 1
  1425. fi
  1426. if [[ ! -s "${xui_rc_temp}" ]]; then
  1427. rm -f "${xui_rc_temp}"
  1428. echo -e "${red}Downloaded x-ui.rc is empty${plain}"
  1429. exit 1
  1430. fi
  1431. mv -f "${xui_rc_temp}" /etc/init.d/x-ui
  1432. if [[ $? -ne 0 ]]; then
  1433. rm -f "${xui_rc_temp}"
  1434. echo -e "${red}Failed to install x-ui.rc${plain}"
  1435. exit 1
  1436. fi
  1437. chmod +x /etc/init.d/x-ui
  1438. rc-update add x-ui
  1439. rc-service x-ui start
  1440. else
  1441. # Install systemd service file
  1442. service_installed=false
  1443. if [ -f "x-ui.service" ]; then
  1444. echo -e "${green}Found x-ui.service in extracted files, installing...${plain}"
  1445. if _install_xui_service_unit "x-ui.service" "false"; then
  1446. service_installed=true
  1447. fi
  1448. fi
  1449. if [ "$service_installed" = false ]; then
  1450. case "${release}" in
  1451. ubuntu | debian | armbian)
  1452. if [ -f "x-ui.service.debian" ]; then
  1453. echo -e "${green}Found x-ui.service.debian in extracted files, installing...${plain}"
  1454. if _install_xui_service_unit "x-ui.service.debian" "false"; then
  1455. service_installed=true
  1456. fi
  1457. fi
  1458. ;;
  1459. arch | manjaro | parch)
  1460. if [ -f "x-ui.service.arch" ]; then
  1461. echo -e "${green}Found x-ui.service.arch in extracted files, installing...${plain}"
  1462. if _install_xui_service_unit "x-ui.service.arch" "false"; then
  1463. service_installed=true
  1464. fi
  1465. fi
  1466. ;;
  1467. *)
  1468. if [ -f "x-ui.service.rhel" ]; then
  1469. echo -e "${green}Found x-ui.service.rhel in extracted files, installing...${plain}"
  1470. if _install_xui_service_unit "x-ui.service.rhel" "false"; then
  1471. service_installed=true
  1472. fi
  1473. fi
  1474. ;;
  1475. esac
  1476. fi
  1477. # If service file not found in tar.gz, download from GitHub
  1478. if [ "$service_installed" = false ]; then
  1479. echo -e "${yellow}Service files not found in tar.gz, downloading from GitHub...${plain}"
  1480. case "${release}" in
  1481. ubuntu | debian | armbian)
  1482. service_unit_url="https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.service.debian"
  1483. ;;
  1484. arch | manjaro | parch)
  1485. service_unit_url="https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.service.arch"
  1486. ;;
  1487. *)
  1488. service_unit_url="https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.service.rhel"
  1489. ;;
  1490. esac
  1491. if ! _install_xui_service_unit "$service_unit_url" "true"; then
  1492. echo -e "${red}Failed to install x-ui.service from GitHub${plain}"
  1493. exit 1
  1494. fi
  1495. service_installed=true
  1496. fi
  1497. if [ "$service_installed" = true ]; then
  1498. echo -e "${green}Setting up systemd unit...${plain}"
  1499. chown root:root ${xui_service}/x-ui.service > /dev/null 2>&1
  1500. chmod 644 ${xui_service}/x-ui.service > /dev/null 2>&1
  1501. systemctl daemon-reload
  1502. systemctl enable x-ui
  1503. systemctl start x-ui
  1504. else
  1505. echo -e "${red}Failed to install x-ui.service file${plain}"
  1506. exit 1
  1507. fi
  1508. fi
  1509. # IP Limit relies on fail2ban; install + configure it now so the feature
  1510. # works out of the box (no-op when XUI_ENABLE_FAIL2BAN=false). Never fatal.
  1511. setup_fail2ban
  1512. echo -e "${green}x-ui ${tag_version}${plain} installation finished, it is running now..."
  1513. echo -e ""
  1514. echo -e "┌───────────────────────────────────────────────────────┐
  1515. │ ${blue}x-ui control menu usages (subcommands):${plain} │
  1516. │ │
  1517. │ ${blue}x-ui${plain} - Admin Management Script │
  1518. │ ${blue}x-ui start${plain} - Start │
  1519. │ ${blue}x-ui stop${plain} - Stop │
  1520. │ ${blue}x-ui restart${plain} - Restart │
  1521. │ ${blue}x-ui status${plain} - Current Status │
  1522. │ ${blue}x-ui settings${plain} - Current Settings │
  1523. │ ${blue}x-ui enable${plain} - Enable Autostart on OS Startup │
  1524. │ ${blue}x-ui disable${plain} - Disable Autostart on OS Startup │
  1525. │ ${blue}x-ui log${plain} - Check logs │
  1526. │ ${blue}x-ui banlog${plain} - Check Fail2ban ban logs │
  1527. │ ${blue}x-ui update${plain} - Update │
  1528. │ ${blue}x-ui legacy${plain} - Legacy version │
  1529. │ ${blue}x-ui install${plain} - Install │
  1530. │ ${blue}x-ui uninstall${plain} - Uninstall │
  1531. └───────────────────────────────────────────────────────┘"
  1532. }
  1533. echo -e "${green}Running...${plain}"
  1534. install_base
  1535. install_x-ui $1