panel.mdx 4.6 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677
  1. ---
  2. title: Panel Settings
  3. description: Every 3x-ui panel setting — web server, TLS, display, security, and notifications — with defaults from the source.
  4. icon: SlidersHorizontal
  5. ---
  6. **Panel Settings** controls how the panel itself is served and secured (separate
  7. from your inbounds and clients). Settings are stored as key/value pairs; the
  8. defaults below come straight from the panel source. Secrets (tokens, passwords)
  9. are shown only as a "set / not set" indicator and are never returned to the
  10. browser in full.
  11. ## Web server
  12. | Setting | Default | Meaning |
  13. | ------------------- | ----------------------- | ----------------------------------------------------------------------- |
  14. | `webPort` | `2053` | Panel port (1–65535). The `XUI_PORT` env var overrides it at runtime. |
  15. | `webListen` | _(all interfaces)_ | Bind the panel to a specific IP. |
  16. | `webBasePath` | `/` | URL path the panel is served under (always normalized to `/…/`). |
  17. | `webCertFile` / `webKeyFile` | _(none)_ | TLS certificate + key. When both are set, the panel serves **HTTPS**. |
  18. | `sessionMaxAge` | `360` | Session lifetime in **minutes** (default 6 hours). |
  19. | `trustedProxyCIDRs` | `127.0.0.1/32,::1/128` | IPs/CIDRs whose forwarded headers (real client IP) are trusted. |
  20. | `panelOutbound` | _(none)_ | Route the panel's own egress (update checks, Telegram, geo/sub fetches) through a named Xray outbound. |
  21. After changing the port or base path, the panel URL becomes
  22. `http(s)://<server>:<port><web-base-path>`. You can preset the base path on first
  23. launch with [`XUI_INIT_WEB_BASE_PATH`](/docs/reference/env-vars).
  24. ### TLS
  25. Serving the panel over HTTPS protects your credentials in transit. Either set
  26. `webCertFile` + `webKeyFile` — the [`x-ui` SSL menu](/docs/config/ssl-certificates)
  27. can obtain a Let's Encrypt certificate for you — or terminate TLS at a
  28. [reverse proxy](/docs/operations/reverse-proxy).
  29. <Callout type="warn">
  30. Never expose the panel over plain HTTP on the public internet. Use TLS, a
  31. non-default port, and a long random web base path.
  32. </Callout>
  33. ## Display
  34. | Setting | Default | Meaning |
  35. | ---------------- | ------------------------------------------------ | ------------------------------------------------------------- |
  36. | `pageSize` | `25` | Rows per page in lists (`0` disables pagination). |
  37. | `expireDiff` | `0` | Days before expiry to start warning. |
  38. | `trafficDiff` | `0` | Percent of quota remaining at which to start warning. |
  39. | `remarkTemplate` | `{{INBOUND}}-{{EMAIL}}\|📊{{TRAFFIC_LEFT}}\|⏳{{DAYS_LEFT}}D` | Default client remark template (see [Share links](/docs/config/share-links#remark-template-variables)). |
  40. | `timeLocation` | `Local` | Time zone for stats and expiry. |
  41. | `datepicker` | `gregorian` | Calendar for date inputs (Gregorian or Jalali/Persian). |
  42. ## Security & authentication
  43. Credentials, two-factor auth, the brute-force limiter, sessions, and LDAP are
  44. covered in [First login](/docs/guide/first-login) and
  45. [Security](/docs/operations/security). In short:
  46. - Passwords are stored as **bcrypt** hashes; changing them logs out all sessions.
  47. - **2FA (TOTP)** can be required at login.
  48. - An **LDAP** fallback can authenticate users when the local password check fails.
  49. - API access uses **API tokens** managed under Panel Settings (see the
  50. [API reference](/docs/reference/api/api-tokens)).
  51. ## Notifications & subscription
  52. These have their own settings groups and pages:
  53. <Cards>
  54. <Card title="Telegram bot" href="/docs/operations/telegram-bot" description="Token, chat IDs, alerts, and reports." />
  55. <Card title="Subscription" href="/docs/config/subscription" description="Subscription server, formats, and paths." />
  56. <Card title="Security" href="/docs/operations/security" description="2FA, IP limits, and hardening." />
  57. </Cards>
  58. <Callout type="info">
  59. Email (SMTP) notifications are also configurable (host, port, encryption,
  60. recipients) with the same event types as the Telegram bot.
  61. </Callout>