check_client_ip_job.go 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747
  1. package job
  2. import (
  3. "context"
  4. "encoding/json"
  5. "errors"
  6. "log"
  7. "os"
  8. "os/exec"
  9. "runtime"
  10. "sort"
  11. "strings"
  12. "time"
  13. "github.com/mhsanaei/3x-ui/v3/internal/database"
  14. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  15. "github.com/mhsanaei/3x-ui/v3/internal/logger"
  16. "github.com/mhsanaei/3x-ui/v3/internal/web/service"
  17. "github.com/mhsanaei/3x-ui/v3/internal/xray"
  18. "gorm.io/gorm"
  19. )
  20. // IPWithTimestamp tracks an IP address with its last seen timestamp
  21. type IPWithTimestamp struct {
  22. IP string `json:"ip"`
  23. Timestamp int64 `json:"timestamp"`
  24. }
  25. // CheckClientIpJob monitors client IP addresses and manages IP blocking based
  26. // on configured limits. The per-client IPs come from the core's online-stats
  27. // API; no access log is involved. On a core too old to expose that API the job
  28. // simply skips the run (the bundled core always supports it).
  29. type CheckClientIpJob struct {
  30. disAllowedIps []string
  31. bannedSeen map[string]int64
  32. xrayService service.XrayService
  33. }
  34. var job *CheckClientIpJob
  35. const defaultXrayAPIPort = 62789
  36. const ipStaleAfterSeconds = int64(30 * 60)
  37. // NewCheckClientIpJob creates a new client IP monitoring job instance.
  38. func NewCheckClientIpJob() *CheckClientIpJob {
  39. job = new(CheckClientIpJob)
  40. return job
  41. }
  42. func (j *CheckClientIpJob) Run() {
  43. observed, apiMode := j.collectFromOnlineAPI()
  44. if !apiMode {
  45. // xray is down or predates the online-stats API. There is no access-log
  46. // fallback anymore, so there is nothing to do this run.
  47. logger.Debug("[LimitIP] online-stats API unavailable this run; skipping")
  48. return
  49. }
  50. if !isFail2BanEnabled() {
  51. return
  52. }
  53. hasLimit := j.hasLimitIp()
  54. f2bInstalled := false
  55. if hasLimit {
  56. f2bInstalled = j.checkFail2BanInstalled()
  57. }
  58. j.processObserved(observed, j.resolveEnforce(hasLimit, f2bInstalled), true)
  59. }
  60. // resolveEnforce decides whether limits can actually be enforced this run.
  61. // Without fail2ban on a platform that needs it the limit can't be applied, so
  62. // enforcement is skipped (the panel resets these limits to 0 on upgrade and
  63. // disables the field, so this is normally a no-op).
  64. func (j *CheckClientIpJob) resolveEnforce(hasLimit, f2bInstalled bool) bool {
  65. if hasLimit && runtime.GOOS != "windows" && !f2bInstalled {
  66. return false
  67. }
  68. return hasLimit
  69. }
  70. // collectFromOnlineAPI builds per-email IP observations (email -> ip ->
  71. // last-seen unix seconds) from the core's online-stats API. ok=false means the
  72. // API is unavailable — xray not running, an older core, or a transient gRPC
  73. // failure — and the caller skips the run (there is no access-log fallback).
  74. func (j *CheckClientIpJob) collectFromOnlineAPI() (map[string]map[string]int64, bool) {
  75. onlineUsers, ok, err := j.xrayService.GetOnlineUsers()
  76. if err != nil {
  77. logger.Debug("[LimitIP] online-stats API unavailable this run:", err)
  78. return nil, false
  79. }
  80. if !ok {
  81. return nil, false
  82. }
  83. now := time.Now().Unix()
  84. observed := make(map[string]map[string]int64, len(onlineUsers))
  85. for _, user := range onlineUsers {
  86. for _, entry := range user.IPs {
  87. // No localhost guard needed here: the core's OnlineMap.AddIP drops
  88. // 127.0.0.1/[::1] itself, so they never reach this list.
  89. ts := entry.LastSeen
  90. if ts <= 0 {
  91. ts = now
  92. }
  93. if _, exists := observed[user.Email]; !exists {
  94. observed[user.Email] = make(map[string]int64)
  95. }
  96. if existing, seen := observed[user.Email][entry.IP]; !seen || ts > existing {
  97. observed[user.Email][entry.IP] = ts
  98. }
  99. }
  100. }
  101. return observed, true
  102. }
  103. // hasLimitIp reports whether any client carries an IP limit. It probes the
  104. // normalized clients table (limit_ip is synced there by SyncInbound and the
  105. // legacy seeder), replacing the old `settings LIKE '%limitIp%'` scan that
  106. // loaded and JSON-parsed every inbound's settings blob on each 10s run.
  107. func (j *CheckClientIpJob) hasLimitIp() bool {
  108. db := database.GetDB()
  109. var probe int64
  110. err := db.Model(&model.ClientRecord{}).Where("limit_ip > 0").Limit(1).Count(&probe).Error
  111. return err == nil && probe > 0
  112. }
  113. const ipScanChunk = 400
  114. func chunkEmails(s []string, size int) [][]string {
  115. if len(s) == 0 {
  116. return nil
  117. }
  118. chunks := make([][]string, 0, (len(s)+size-1)/size)
  119. for size < len(s) {
  120. s, chunks = s[size:], append(chunks, s[:size])
  121. }
  122. return append(chunks, s)
  123. }
  124. // loadClientLimits maps each observed email to its clients.limit_ip in a few
  125. // chunked queries, replacing the per-email settings-JSON parse that previously
  126. // resolved the limit.
  127. func (j *CheckClientIpJob) loadClientLimits(emails []string) map[string]int {
  128. db := database.GetDB()
  129. out := make(map[string]int, len(emails))
  130. for _, batch := range chunkEmails(emails, ipScanChunk) {
  131. var rows []struct {
  132. Email string
  133. LimitIp int
  134. }
  135. if err := db.Model(&model.ClientRecord{}).
  136. Select("email, limit_ip").
  137. Where("email IN ?", batch).
  138. Scan(&rows).Error; err != nil {
  139. j.checkError(err)
  140. continue
  141. }
  142. for _, r := range rows {
  143. out[r.Email] = r.LimitIp
  144. }
  145. }
  146. return out
  147. }
  148. // loadInboundsByEmails resolves each email's owning inbound through the
  149. // clients/client_inbounds relation in chunked queries. Like the old per-email
  150. // First() it keeps the lowest inbound id when a client spans several inbounds.
  151. func (j *CheckClientIpJob) loadInboundsByEmails(emails []string) map[string]*model.Inbound {
  152. db := database.GetDB()
  153. minInboundByEmail := make(map[string]int, len(emails))
  154. for _, batch := range chunkEmails(emails, ipScanChunk) {
  155. var pairs []struct {
  156. Email string
  157. InboundId int
  158. }
  159. if err := db.Table("client_inbounds").
  160. Select("clients.email AS email, client_inbounds.inbound_id AS inbound_id").
  161. Joins("JOIN clients ON clients.id = client_inbounds.client_id").
  162. Where("clients.email IN ?", batch).
  163. Scan(&pairs).Error; err != nil {
  164. j.checkError(err)
  165. return nil
  166. }
  167. for _, p := range pairs {
  168. if cur, ok := minInboundByEmail[p.Email]; !ok || p.InboundId < cur {
  169. minInboundByEmail[p.Email] = p.InboundId
  170. }
  171. }
  172. }
  173. if len(minInboundByEmail) == 0 {
  174. return nil
  175. }
  176. idSet := make(map[int]struct{}, len(minInboundByEmail))
  177. ids := make([]int, 0, len(minInboundByEmail))
  178. for _, id := range minInboundByEmail {
  179. if _, seen := idSet[id]; !seen {
  180. idSet[id] = struct{}{}
  181. ids = append(ids, id)
  182. }
  183. }
  184. sort.Ints(ids)
  185. inboundsById := make(map[int]*model.Inbound, len(ids))
  186. for lo := 0; lo < len(ids); lo += ipScanChunk {
  187. hi := min(lo+ipScanChunk, len(ids))
  188. var page []*model.Inbound
  189. if err := db.Model(&model.Inbound{}).Where("id IN ?", ids[lo:hi]).Find(&page).Error; err != nil {
  190. j.checkError(err)
  191. return nil
  192. }
  193. for _, ib := range page {
  194. inboundsById[ib.Id] = ib
  195. }
  196. }
  197. out := make(map[string]*model.Inbound, len(minInboundByEmail))
  198. for email, id := range minInboundByEmail {
  199. if ib, ok := inboundsById[id]; ok {
  200. out[email] = ib
  201. }
  202. }
  203. return out
  204. }
  205. func (j *CheckClientIpJob) loadClientIpRows(emails []string) map[string]*model.InboundClientIps {
  206. db := database.GetDB()
  207. out := make(map[string]*model.InboundClientIps, len(emails))
  208. for _, batch := range chunkEmails(emails, ipScanChunk) {
  209. var rows []model.InboundClientIps
  210. if err := db.Where("client_email IN ?", batch).Find(&rows).Error; err != nil {
  211. j.checkError(err)
  212. continue
  213. }
  214. for i := range rows {
  215. out[rows[i].ClientEmail] = &rows[i]
  216. }
  217. }
  218. return out
  219. }
  220. // processObserved runs collection + enforcement for one scan's observations
  221. // (email -> ip -> last-seen unix seconds). observedAreLive marks the
  222. // observations as live connections, which bypass the stale cutoff: a connection
  223. // that opened hours ago is still live even though its timestamp is old. The
  224. // online-stats API always reports live connections, so the job passes true.
  225. // Lookups are batched up front and all inbound_client_ips writes share one
  226. // transaction, so a scan costs a handful of queries and one fsync instead of
  227. // several per observed email.
  228. func (j *CheckClientIpJob) processObserved(observed map[string]map[string]int64, enforce, observedAreLive bool) bool {
  229. shouldCleanLog := false
  230. now := time.Now().Unix()
  231. emails := make([]string, 0, len(observed))
  232. for email := range observed {
  233. emails = append(emails, email)
  234. }
  235. sort.Strings(emails)
  236. limitByEmail := j.loadClientLimits(emails)
  237. inboundByEmail := j.loadInboundsByEmails(emails)
  238. ipRowByEmail := j.loadClientIpRows(emails)
  239. // attribution accumulates this scan's local observations per email so they can
  240. // be recorded under this panel's own guid for cross-node IP attribution.
  241. attribution := make(map[string][]model.ClientIpEntry, len(observed))
  242. type pendingDisconnect struct {
  243. inbound *model.Inbound
  244. email string
  245. }
  246. var disconnects []pendingDisconnect
  247. db := database.GetDB()
  248. tx := db.Begin()
  249. if tx.Error != nil {
  250. j.checkError(tx.Error)
  251. return false
  252. }
  253. committed := false
  254. defer func() {
  255. if !committed {
  256. tx.Rollback()
  257. }
  258. }()
  259. for _, email := range emails {
  260. ipTimestamps := observed[email]
  261. // The observations can still reference a client that was just renamed
  262. // or deleted; its email no longer matches any inbound. Skip it (and
  263. // drop any orphaned tracking row) instead of recreating a row and
  264. // logging an ERROR every run (#4963). The batch map resolves through
  265. // the clients relation; the per-email fallback keeps its settings LIKE
  266. // net for clients not yet present there.
  267. inbound, ok := inboundByEmail[email]
  268. if !ok {
  269. var err error
  270. inbound, err = j.getInboundByEmail(email)
  271. if err != nil {
  272. if errors.Is(err, gorm.ErrRecordNotFound) {
  273. logger.Debugf("[LimitIP] skipping stale observed email %q (renamed or deleted)", email)
  274. j.delInboundClientIps(tx, email)
  275. } else {
  276. j.checkError(err)
  277. }
  278. continue
  279. }
  280. }
  281. // Convert to IPWithTimestamp slice
  282. ipsWithTime := make([]IPWithTimestamp, 0, len(ipTimestamps))
  283. attrEntries := make([]model.ClientIpEntry, 0, len(ipTimestamps))
  284. for ip, timestamp := range ipTimestamps {
  285. ipsWithTime = append(ipsWithTime, IPWithTimestamp{IP: ip, Timestamp: timestamp})
  286. // Live API observations may carry an old lastSeen (connection start),
  287. // so stamp attribution with now; otherwise the stale cutoff would evict
  288. // an IP that is connected right now.
  289. attrTs := timestamp
  290. if observedAreLive {
  291. attrTs = now
  292. }
  293. attrEntries = append(attrEntries, model.ClientIpEntry{IP: ip, Timestamp: attrTs})
  294. }
  295. if len(attrEntries) > 0 {
  296. attribution[email] = attrEntries
  297. }
  298. clientIpsRecord, ok := ipRowByEmail[email]
  299. if !ok {
  300. jsonIps, err := json.Marshal(ipsWithTime)
  301. if err != nil {
  302. j.checkError(err)
  303. continue
  304. }
  305. if err := tx.Save(&model.InboundClientIps{ClientEmail: email, Ips: string(jsonIps)}).Error; err != nil {
  306. j.checkError(err)
  307. }
  308. continue
  309. }
  310. cleaned, banned := j.updateInboundClientIps(tx, clientIpsRecord, inbound, email, limitByEmail[email], ipsWithTime, enforce, observedAreLive)
  311. shouldCleanLog = cleaned || shouldCleanLog
  312. if banned {
  313. disconnects = append(disconnects, pendingDisconnect{inbound: inbound, email: email})
  314. }
  315. }
  316. if err := tx.Commit().Error; err != nil {
  317. j.checkError(err)
  318. return shouldCleanLog
  319. }
  320. committed = true
  321. // Xray disconnects run after the commit so their network round-trips never
  322. // extend the scan's write transaction (node syncs upsert the same table).
  323. clientsCache := make(map[int][]model.Client)
  324. for _, d := range disconnects {
  325. clients, cached := clientsCache[d.inbound.Id]
  326. if !cached {
  327. clients, _ = service.ParseInboundSettingsClients(d.inbound.Settings)
  328. clientsCache[d.inbound.Id] = clients
  329. }
  330. j.disconnectClientTemporarily(d.inbound, d.email, clients)
  331. }
  332. j.recordLocalAttribution(attribution)
  333. return shouldCleanLog
  334. }
  335. // recordLocalAttribution stores this scan's local observations under this panel's
  336. // own guid so a parent panel can attribute each IP to the node it is on.
  337. // Best-effort: attribution is advisory and must never block IP-limit enforcement.
  338. func (j *CheckClientIpJob) recordLocalAttribution(attribution map[string][]model.ClientIpEntry) {
  339. if len(attribution) == 0 {
  340. return
  341. }
  342. guid, err := (&service.SettingService{}).GetPanelGuid()
  343. if err != nil || guid == "" {
  344. return
  345. }
  346. if err := (&service.InboundService{}).RecordLocalClientIps(guid, attribution); err != nil {
  347. logger.Debug("[LimitIP] record local ip attribution failed:", err)
  348. }
  349. }
  350. // mergeClientIps folds this scan's observations into the persisted set,
  351. // dropping entries older than staleCutoff. newAlwaysLive exempts the new
  352. // entries from that cutoff: an API-observed IP is a live connection by
  353. // definition, even when its lastSeen (set at dispatch time) is hours old.
  354. func mergeClientIps(old, new []IPWithTimestamp, staleCutoff int64, newAlwaysLive bool) map[string]int64 {
  355. ipMap := make(map[string]int64, len(old)+len(new))
  356. for _, ipTime := range old {
  357. if ipTime.Timestamp < staleCutoff {
  358. continue
  359. }
  360. ipMap[ipTime.IP] = ipTime.Timestamp
  361. }
  362. for _, ipTime := range new {
  363. if !newAlwaysLive && ipTime.Timestamp < staleCutoff {
  364. continue
  365. }
  366. if existingTime, ok := ipMap[ipTime.IP]; !ok || ipTime.Timestamp > existingTime {
  367. ipMap[ipTime.IP] = ipTime.Timestamp
  368. }
  369. }
  370. return ipMap
  371. }
  372. // selectIpsToBan splits the live IPs (sorted oldest-first by partitionLiveIps)
  373. // into the newest `limit` entries to keep and the older remainder to ban.
  374. func selectIpsToBan(live []IPWithTimestamp, limit int) (kept, banned []IPWithTimestamp) {
  375. if limit <= 0 || len(live) <= limit {
  376. return live, nil
  377. }
  378. cutoff := len(live) - limit
  379. return live[cutoff:], live[:cutoff]
  380. }
  381. func partitionLiveIps(ipMap map[string]int64, observedThisScan map[string]bool) (live, historical []IPWithTimestamp) {
  382. live = make([]IPWithTimestamp, 0, len(observedThisScan))
  383. historical = make([]IPWithTimestamp, 0, len(ipMap))
  384. now := time.Now().Unix()
  385. for ip, ts := range ipMap {
  386. entry := IPWithTimestamp{IP: ip, Timestamp: ts}
  387. // Consider an IP "live" if it was seen locally in this scan, OR if its
  388. // timestamp from the synced database is very recent (e.g. within 2 minutes).
  389. // This ensures cluster-wide limits work even if the IP was seen on another node.
  390. if observedThisScan[ip] || now-ts < 120 {
  391. live = append(live, entry)
  392. } else {
  393. historical = append(historical, entry)
  394. }
  395. }
  396. sort.Slice(live, func(i, j int) bool { return live[i].Timestamp < live[j].Timestamp })
  397. sort.Slice(historical, func(i, j int) bool { return historical[i].Timestamp < historical[j].Timestamp })
  398. return live, historical
  399. }
  400. func (j *CheckClientIpJob) checkFail2BanInstalled() bool {
  401. if !isFail2BanEnabled() {
  402. return false
  403. }
  404. cmd := "fail2ban-client"
  405. args := []string{"-h"}
  406. err := exec.CommandContext(context.Background(), cmd, args...).Run()
  407. return err == nil
  408. }
  409. func isFail2BanEnabled() bool {
  410. value, ok := os.LookupEnv("XUI_ENABLE_FAIL2BAN")
  411. return !ok || value == "true"
  412. }
  413. func (j *CheckClientIpJob) checkError(e error) {
  414. if e != nil {
  415. logger.Warning("client ip job err:", e)
  416. }
  417. }
  418. // delInboundClientIps drops the inbound_client_ips tracking row for an email
  419. // that no longer maps to any inbound (a renamed or deleted client), so stale
  420. // access-log entries don't keep a ghost row alive (#4963).
  421. func (j *CheckClientIpJob) delInboundClientIps(tx *gorm.DB, clientEmail string) {
  422. if err := tx.Where("client_email = ?", clientEmail).Delete(&model.InboundClientIps{}).Error; err != nil {
  423. j.checkError(err)
  424. }
  425. }
  426. // updateInboundClientIps merges one email's observed IPs into its tracking row
  427. // and applies the IP limit. limitIp comes from the caller (the clients table);
  428. // writes go through the caller's transaction. banned=true asks the caller to
  429. // disconnect the client after the transaction commits.
  430. func (j *CheckClientIpJob) updateInboundClientIps(tx *gorm.DB, inboundClientIps *model.InboundClientIps, inbound *model.Inbound, clientEmail string, limitIp int, newIpsWithTime []IPWithTimestamp, enforce, observedAreLive bool) (shouldCleanLog, banned bool) {
  431. if inbound.Settings == "" {
  432. logger.Debug("wrong data:", inbound)
  433. return false, false
  434. }
  435. if !enforce || limitIp <= 0 || !inbound.Enable {
  436. // Nothing to enforce (collection-only run, no limit on the clients row,
  437. // or inbound disabled): record the observed IPs for the panel and return.
  438. jsonIps, _ := json.Marshal(newIpsWithTime)
  439. inboundClientIps.Ips = string(jsonIps)
  440. if err := tx.Save(inboundClientIps).Error; err != nil {
  441. logger.Error("failed to save inboundClientIps:", err)
  442. }
  443. return false, false
  444. }
  445. // Parse old IPs from database
  446. var oldIpsWithTime []IPWithTimestamp
  447. if inboundClientIps.Ips != "" {
  448. _ = json.Unmarshal([]byte(inboundClientIps.Ips), &oldIpsWithTime)
  449. }
  450. ipMap := mergeClientIps(oldIpsWithTime, newIpsWithTime, time.Now().Unix()-ipStaleAfterSeconds, observedAreLive)
  451. // only ips seen in this scan count toward the limit. see
  452. // partitionLiveIps.
  453. observedThisScan := make(map[string]bool, len(newIpsWithTime))
  454. for _, ipTime := range newIpsWithTime {
  455. observedThisScan[ipTime.IP] = true
  456. }
  457. liveIps, historicalIps := partitionLiveIps(ipMap, observedThisScan)
  458. j.disAllowedIps = []string{}
  459. // historical db-only ips are excluded from this count on purpose.
  460. keptLive, bannedLive := selectIpsToBan(liveIps, limitIp)
  461. actionable := j.filterAdvancedSinceLastBan(clientEmail, bannedLive)
  462. if len(actionable) > 0 {
  463. shouldCleanLog = true
  464. banned = true
  465. logIpFile, err := os.OpenFile(xray.GetIPLimitLogPath(), os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
  466. if err != nil {
  467. logger.Errorf("failed to open IP limit log file: %s", err)
  468. return false, false
  469. }
  470. defer logIpFile.Close()
  471. ipLogger := log.New(logIpFile, "", log.LstdFlags)
  472. // log format is load-bearing: x-ui.sh create_iplimit_jails builds
  473. // filter.d/3x-ipl.conf with
  474. // failregex = \[LIMIT_IP\]\s*Email\s*=\s*<F-USER>.+</F-USER>\s*\|\|\s*Disconnecting OLD IP\s*=\s*<ADDR>\s*\|\|\s*Timestamp\s*=\s*\d+
  475. // don't change the wording.
  476. for _, ipTime := range actionable {
  477. j.disAllowedIps = append(j.disAllowedIps, ipTime.IP)
  478. ipLogger.Printf("[LIMIT_IP] Email = %s || Disconnecting OLD IP = %s || Timestamp = %d", clientEmail, ipTime.IP, ipTime.Timestamp)
  479. }
  480. }
  481. // keep kept-live + historical in the blob so the panel keeps showing
  482. // recently seen ips. banned live ips are already in the fail2ban log
  483. // and will reappear in the next scan if they reconnect.
  484. dbIps := make([]IPWithTimestamp, 0, len(keptLive)+len(historicalIps))
  485. dbIps = append(dbIps, keptLive...)
  486. dbIps = append(dbIps, historicalIps...)
  487. jsonIps, _ := json.Marshal(dbIps)
  488. inboundClientIps.Ips = string(jsonIps)
  489. if err := tx.Save(inboundClientIps).Error; err != nil {
  490. logger.Error("failed to save inboundClientIps:", err)
  491. return false, banned
  492. }
  493. if len(j.disAllowedIps) > 0 {
  494. logger.Infof("[LIMIT_IP] Client %s: Kept %d live IPs, queued %d old IPs for fail2ban", clientEmail, len(keptLive), len(j.disAllowedIps))
  495. }
  496. return shouldCleanLog, banned
  497. }
  498. // filterAdvancedSinceLastBan keeps only banned pairs whose lastSeen advanced since
  499. // the previous ban: the core refreshes lastSeen solely on a new dispatch, so a
  500. // frozen value is a dead connection it hasn't reaped yet, not a reconnect.
  501. func (j *CheckClientIpJob) filterAdvancedSinceLastBan(email string, banned []IPWithTimestamp) []IPWithTimestamp {
  502. if j.bannedSeen == nil {
  503. j.bannedSeen = make(map[string]int64)
  504. }
  505. current := make(map[string]struct{}, len(banned))
  506. actionable := make([]IPWithTimestamp, 0, len(banned))
  507. for _, ipTime := range banned {
  508. key := email + "|" + ipTime.IP
  509. current[key] = struct{}{}
  510. if last, ok := j.bannedSeen[key]; ok && ipTime.Timestamp <= last {
  511. continue
  512. }
  513. j.bannedSeen[key] = ipTime.Timestamp
  514. actionable = append(actionable, ipTime)
  515. }
  516. prefix := email + "|"
  517. for key := range j.bannedSeen {
  518. if strings.HasPrefix(key, prefix) {
  519. if _, still := current[key]; !still {
  520. delete(j.bannedSeen, key)
  521. }
  522. }
  523. }
  524. return actionable
  525. }
  526. // disconnectClientTemporarily removes and re-adds a client to force disconnect banned connections
  527. func (j *CheckClientIpJob) disconnectClientTemporarily(inbound *model.Inbound, clientEmail string, clients []model.Client) {
  528. var xrayAPI xray.XrayAPI
  529. apiPort := j.resolveXrayAPIPort()
  530. err := xrayAPI.Init(apiPort)
  531. if err != nil {
  532. logger.Warningf("[LIMIT_IP] Failed to init Xray API for disconnection: %v", err)
  533. return
  534. }
  535. defer xrayAPI.Close()
  536. // Find the client config
  537. var clientConfig map[string]any
  538. for _, client := range clients {
  539. if client.Email == clientEmail {
  540. // Convert client to map for API
  541. clientBytes, _ := json.Marshal(client)
  542. _ = json.Unmarshal(clientBytes, &clientConfig)
  543. break
  544. }
  545. }
  546. if clientConfig == nil {
  547. return
  548. }
  549. // Only perform remove/re-add for protocols supported by XrayAPI.AddUser
  550. protocol := string(inbound.Protocol)
  551. switch protocol {
  552. case "vmess", "vless", "trojan", "shadowsocks":
  553. // supported protocols, continue
  554. default:
  555. logger.Warningf("[LIMIT_IP] Temporary disconnect is not supported for protocol %s on inbound %s", protocol, inbound.Tag)
  556. return
  557. }
  558. // For Shadowsocks, ensure the required "cipher" field is present by
  559. // reading it from the inbound settings (e.g., settings["method"]).
  560. if string(inbound.Protocol) == "shadowsocks" {
  561. var inboundSettings map[string]any
  562. if err := json.Unmarshal([]byte(inbound.Settings), &inboundSettings); err != nil {
  563. logger.Warningf("[LIMIT_IP] Failed to parse inbound settings for shadowsocks cipher: %v", err)
  564. } else {
  565. if method, ok := inboundSettings["method"].(string); ok && method != "" {
  566. clientConfig["cipher"] = method
  567. }
  568. }
  569. }
  570. // Remove user to disconnect all connections
  571. err = xrayAPI.RemoveUser(inbound.Tag, clientEmail)
  572. if err != nil {
  573. logger.Warningf("[LIMIT_IP] Failed to remove user %s: %v", clientEmail, err)
  574. return
  575. }
  576. // Wait a moment for disconnection to take effect
  577. time.Sleep(100 * time.Millisecond)
  578. // Re-add user to allow new connections
  579. err = xrayAPI.AddUser(protocol, inbound.Tag, clientConfig)
  580. if err != nil {
  581. logger.Warningf("[LIMIT_IP] Failed to re-add user %s: %v", clientEmail, err)
  582. }
  583. }
  584. // resolveXrayAPIPort returns the API inbound port from running config, then template config, then default.
  585. func (j *CheckClientIpJob) resolveXrayAPIPort() int {
  586. var configErr error
  587. var templateErr error
  588. if port, err := getAPIPortFromConfigPath(xray.GetConfigPath()); err == nil {
  589. return port
  590. } else {
  591. configErr = err
  592. }
  593. db := database.GetDB()
  594. var template model.Setting
  595. if err := db.Where("key = ?", "xrayTemplateConfig").First(&template).Error; err == nil {
  596. if port, parseErr := getAPIPortFromConfigData([]byte(template.Value)); parseErr == nil {
  597. return port
  598. } else {
  599. templateErr = parseErr
  600. }
  601. } else {
  602. templateErr = err
  603. }
  604. logger.Warningf(
  605. "[LIMIT_IP] Could not determine Xray API port from config or template; falling back to default port %d (config error: %v, template error: %v)",
  606. defaultXrayAPIPort,
  607. configErr,
  608. templateErr,
  609. )
  610. return defaultXrayAPIPort
  611. }
  612. func getAPIPortFromConfigPath(configPath string) (int, error) {
  613. configData, err := os.ReadFile(configPath)
  614. if err != nil {
  615. return 0, err
  616. }
  617. return getAPIPortFromConfigData(configData)
  618. }
  619. func getAPIPortFromConfigData(configData []byte) (int, error) {
  620. xrayConfig := &xray.Config{}
  621. if err := json.Unmarshal(configData, xrayConfig); err != nil {
  622. return 0, err
  623. }
  624. for _, inboundConfig := range xrayConfig.InboundConfigs {
  625. if inboundConfig.Tag == "api" && inboundConfig.Port > 0 {
  626. return inboundConfig.Port, nil
  627. }
  628. }
  629. return 0, errors.New("api inbound port not found")
  630. }
  631. // getInboundByEmail resolves the inbound that owns a client email. It prefers
  632. // the exact clients/client_inbounds relation; a substring "settings LIKE
  633. // %email%" can match the wrong inbound (an email that is a substring of another,
  634. // or text that merely appears elsewhere in the settings JSON). The LIKE + JSON
  635. // scan stays only as a fallback for clients not yet present in the relation, so
  636. // nothing regresses when the join finds no row.
  637. func (j *CheckClientIpJob) getInboundByEmail(clientEmail string) (*model.Inbound, error) {
  638. db := database.GetDB()
  639. inbound := &model.Inbound{}
  640. err := db.Model(&model.Inbound{}).
  641. Joins("JOIN client_inbounds ON client_inbounds.inbound_id = inbounds.id").
  642. Joins("JOIN clients ON clients.id = client_inbounds.client_id").
  643. Where("clients.email = ?", clientEmail).
  644. First(inbound).Error
  645. if err == nil {
  646. return inbound, nil
  647. }
  648. var candidates []model.Inbound
  649. if listErr := db.Model(&model.Inbound{}).Where("settings LIKE ?", "%"+clientEmail+"%").Find(&candidates).Error; listErr != nil {
  650. return nil, listErr
  651. }
  652. for i := range candidates {
  653. clients, jsonErr := service.ParseInboundSettingsClients(candidates[i].Settings)
  654. if jsonErr != nil {
  655. continue
  656. }
  657. for _, client := range clients {
  658. if client.Email == clientEmail {
  659. return &candidates[i], nil
  660. }
  661. }
  662. }
  663. return nil, err
  664. }