outbound.go 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911
  1. // Package link provides parsers for VPN share links (vmess://, vless://, etc.)
  2. // and subscription bodies (typically base64-encoded newline lists of such links).
  3. // The output shape matches the wire format used by the panel's Xray template
  4. // outbounds array so that parsed objects can be injected directly.
  5. package link
  6. import (
  7. "encoding/base64"
  8. "encoding/json"
  9. "fmt"
  10. "math"
  11. "net/url"
  12. "regexp"
  13. "strconv"
  14. "strings"
  15. "time"
  16. )
  17. // Outbound is the minimal shape we emit for each parsed link.
  18. // Extra fields (mux, etc.) are carried inside settings/streamSettings.
  19. type Outbound map[string]any
  20. // ParseResult holds a parsed outbound together with a stable identity string
  21. // that can be used to correlate the same logical server across refreshes
  22. // (even if the remark changes).
  23. type ParseResult struct {
  24. Outbound Outbound
  25. Identity string
  26. }
  27. // ParseSubscriptionBody accepts the raw body returned by a subscription URL.
  28. // It handles the common case where the body is a base64-encoded blob of
  29. // newline-separated links, and also tolerates an already-decoded text body.
  30. // It returns the list of successfully parsed outbounds (in order) and their
  31. // corresponding identities.
  32. func ParseSubscriptionBody(body []byte) ([]Outbound, []string, error) {
  33. text := strings.TrimSpace(string(body))
  34. if text == "" {
  35. return nil, nil, nil
  36. }
  37. // Try base64 decode first (standard and URL-safe variants).
  38. if decoded, ok := tryBase64(text); ok {
  39. text = strings.TrimSpace(decoded)
  40. }
  41. lines := splitLines(text)
  42. var outbounds []Outbound
  43. var identities []string
  44. for _, ln := range lines {
  45. ln = strings.TrimSpace(ln)
  46. if ln == "" || strings.HasPrefix(ln, "#") {
  47. continue
  48. }
  49. res, err := ParseLink(ln)
  50. if err != nil || res == nil {
  51. // Ignore unparseable lines (comments, unsupported protocols, etc.)
  52. continue
  53. }
  54. outbounds = append(outbounds, res.Outbound)
  55. identities = append(identities, res.Identity)
  56. }
  57. return outbounds, identities, nil
  58. }
  59. func tryBase64(s string) (string, bool) {
  60. // Remove whitespace that some providers insert.
  61. clean := strings.Map(func(r rune) rune {
  62. if r == ' ' || r == '\n' || r == '\r' || r == '\t' {
  63. return -1
  64. }
  65. return r
  66. }, s)
  67. // Common padding fix
  68. for len(clean)%4 != 0 {
  69. clean += "="
  70. }
  71. // Standard
  72. if b, err := base64.StdEncoding.DecodeString(clean); err == nil {
  73. return string(b), true
  74. }
  75. // URL-safe (no padding)
  76. if b, err := base64.RawURLEncoding.DecodeString(clean); err == nil {
  77. return string(b), true
  78. }
  79. // URL-safe with padding
  80. if b, err := base64.URLEncoding.DecodeString(clean); err == nil {
  81. return string(b), true
  82. }
  83. return "", false
  84. }
  85. func splitLines(s string) []string {
  86. // Accept \n, \r\n, and also some providers use literal \n in the text.
  87. s = strings.ReplaceAll(s, `\n`, "\n")
  88. return strings.FieldsFunc(s, func(r rune) bool { return r == '\n' || r == '\r' })
  89. }
  90. // ParseLink parses a single share link and returns the outbound object plus
  91. // a stable identity for tag correlation. Supported schemes:
  92. // - vmess://
  93. // - vless://
  94. // - trojan://
  95. // - ss:// (modern and legacy)
  96. // - hysteria2:// (also hy2://)
  97. // - wireguard:// (also wg://)
  98. func ParseLink(link string) (*ParseResult, error) {
  99. link = strings.TrimSpace(link)
  100. switch {
  101. case strings.HasPrefix(link, "vmess://"):
  102. return parseVmess(link)
  103. case strings.HasPrefix(link, "vless://"):
  104. return parseVless(link)
  105. case strings.HasPrefix(link, "trojan://"):
  106. return parseTrojan(link)
  107. case strings.HasPrefix(link, "ss://"):
  108. return parseShadowsocks(link)
  109. case strings.HasPrefix(link, "hysteria2://"), strings.HasPrefix(link, "hy2://"):
  110. return parseHysteria2(link)
  111. case strings.HasPrefix(link, "wireguard://"), strings.HasPrefix(link, "wg://"):
  112. return parseWireguard(link)
  113. default:
  114. return nil, fmt.Errorf("unsupported link scheme")
  115. }
  116. }
  117. // --- vmess ---
  118. func parseVmess(link string) (*ParseResult, error) {
  119. b64 := strings.TrimPrefix(link, "vmess://")
  120. // vmess:// base64(json)
  121. raw, err := base64.StdEncoding.DecodeString(padBase64(b64))
  122. if err != nil {
  123. // Some providers use raw URL-safe
  124. raw, err = base64.RawURLEncoding.DecodeString(b64)
  125. }
  126. if err != nil {
  127. return nil, fmt.Errorf("vmess decode: %w", err)
  128. }
  129. var j map[string]any
  130. if err := json.Unmarshal(raw, &j); err != nil {
  131. return nil, fmt.Errorf("vmess json: %w", err)
  132. }
  133. identity := vmessIdentity(j)
  134. network := getString(j, "net", "tcp")
  135. security := "none"
  136. if tls, _ := j["tls"].(string); tls == "tls" {
  137. security = "tls"
  138. }
  139. stream := buildStream(network, security)
  140. // Map known fields (best effort, matching frontend parser coverage)
  141. switch network {
  142. case "ws":
  143. if host, ok := j["host"].(string); ok {
  144. setWS(stream, host, getString(j, "path", "/"))
  145. }
  146. case "grpc":
  147. svc := getString(j, "path", "")
  148. if auth, ok := j["authority"].(string); ok && auth != "" {
  149. (stream["grpcSettings"].(map[string]any))["authority"] = auth
  150. }
  151. (stream["grpcSettings"].(map[string]any))["serviceName"] = svc
  152. (stream["grpcSettings"].(map[string]any))["multiMode"] = getString(j, "type", "") == "multi"
  153. case "httpupgrade":
  154. setHTTPUpgrade(stream, getString(j, "host", ""), getString(j, "path", "/"))
  155. case "xhttp":
  156. xh := stream["xhttpSettings"].(map[string]any)
  157. xh["host"] = getString(j, "host", "")
  158. xh["path"] = getString(j, "path", "/")
  159. if m := getString(j, "mode", ""); m != "" {
  160. xh["mode"] = m
  161. }
  162. // xhttp advanced keys are passed through if present in the json
  163. for _, k := range []string{"xPaddingBytes", "scMaxEachPostBytes", "scMinPostsIntervalMs"} {
  164. if v, ok := j[k]; ok {
  165. xh[k] = v
  166. }
  167. }
  168. case "tcp":
  169. if getString(j, "type", "") == "http" {
  170. stream["tcpSettings"] = map[string]any{
  171. "header": map[string]any{
  172. "type": "http",
  173. "request": map[string]any{
  174. "version": "1.1",
  175. "method": "GET",
  176. "path": splitComma(getString(j, "path", "/")),
  177. "headers": map[string]any{"Host": splitComma(getString(j, "host", ""))},
  178. },
  179. },
  180. }
  181. }
  182. }
  183. if security == "tls" {
  184. tls := stream["tlsSettings"].(map[string]any)
  185. tls["serverName"] = getString(j, "sni", "")
  186. tls["fingerprint"] = getString(j, "fp", "")
  187. if alpn := getString(j, "alpn", ""); alpn != "" {
  188. tls["alpn"] = splitComma(alpn)
  189. }
  190. }
  191. port := num(j["port"])
  192. ob := Outbound{
  193. "protocol": "vmess",
  194. "tag": getString(j, "ps", ""),
  195. "settings": map[string]any{
  196. "vnext": []any{
  197. map[string]any{
  198. "address": getString(j, "add", ""),
  199. "port": port,
  200. "users": []any{
  201. map[string]any{
  202. "id": getString(j, "id", ""),
  203. "security": getString(j, "scy", "auto"),
  204. },
  205. },
  206. },
  207. },
  208. },
  209. "streamSettings": stream,
  210. }
  211. return &ParseResult{Outbound: ob, Identity: identity}, nil
  212. }
  213. func vmessIdentity(j map[string]any) string {
  214. // Remove ps (remark) for identity
  215. core := map[string]any{}
  216. for k, v := range j {
  217. if k == "ps" {
  218. continue
  219. }
  220. core[k] = v
  221. }
  222. b, _ := json.Marshal(core)
  223. return "vmess:" + string(b)
  224. }
  225. // --- vless / trojan (URL forms) ---
  226. func parseVless(link string) (*ParseResult, error) {
  227. u, err := url.Parse(link)
  228. if err != nil {
  229. return nil, err
  230. }
  231. if u.Scheme != "vless" {
  232. return nil, fmt.Errorf("not vless")
  233. }
  234. id := u.User.Username()
  235. host := u.Hostname()
  236. port := defaultPort(u.Port(), 443)
  237. params := u.Query()
  238. network := params.Get("type")
  239. if network == "" {
  240. network = "tcp"
  241. }
  242. security := params.Get("security")
  243. if security == "" {
  244. security = "none"
  245. }
  246. stream := buildStream(network, security)
  247. applyTransport(stream, params)
  248. applySecurity(stream, params)
  249. applyFinalMask(stream, params)
  250. identity := "vless:" + u.Scheme + "://" + id + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  251. ob := Outbound{
  252. "protocol": "vless",
  253. "tag": decodeHash(u.Fragment),
  254. "settings": map[string]any{
  255. "address": host,
  256. "port": port,
  257. "id": id,
  258. "flow": params.Get("flow"),
  259. "encryption": firstNonEmpty(params.Get("encryption"), "none"),
  260. },
  261. "streamSettings": stream,
  262. }
  263. return &ParseResult{Outbound: ob, Identity: identity}, nil
  264. }
  265. func parseTrojan(link string) (*ParseResult, error) {
  266. u, err := url.Parse(link)
  267. if err != nil {
  268. return nil, err
  269. }
  270. if u.Scheme != "trojan" {
  271. return nil, fmt.Errorf("not trojan")
  272. }
  273. pw := u.User.Username()
  274. host := u.Hostname()
  275. port := defaultPort(u.Port(), 443)
  276. params := u.Query()
  277. network := params.Get("type")
  278. if network == "" {
  279. network = "tcp"
  280. }
  281. security := params.Get("security")
  282. if security == "" {
  283. security = "tls"
  284. }
  285. stream := buildStream(network, security)
  286. applyTransport(stream, params)
  287. applySecurity(stream, params)
  288. applyFinalMask(stream, params)
  289. identity := "trojan:" + u.Scheme + "://" + pw + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  290. ob := Outbound{
  291. "protocol": "trojan",
  292. "tag": decodeHash(u.Fragment),
  293. "settings": map[string]any{
  294. "servers": []any{
  295. map[string]any{"address": host, "port": port, "password": pw},
  296. },
  297. },
  298. "streamSettings": stream,
  299. }
  300. return &ParseResult{Outbound: ob, Identity: identity}, nil
  301. }
  302. // --- shadowsocks ---
  303. func parseShadowsocks(link string) (*ParseResult, error) {
  304. // Two shapes:
  305. // ss://base64(method:pass)@host:port#remark
  306. // ss://base64(method:pass@host:port)#remark
  307. remark := ""
  308. if i := strings.Index(link, "#"); i >= 0 {
  309. remark, _ = url.QueryUnescape(link[i+1:])
  310. link = link[:i]
  311. }
  312. if i := strings.Index(link, "?"); i >= 0 {
  313. link = link[:i]
  314. }
  315. core := strings.TrimPrefix(link, "ss://")
  316. at := strings.Index(core, "@")
  317. if at >= 0 {
  318. // modern
  319. userB64 := core[:at]
  320. hp := strings.TrimRight(core[at+1:], "/")
  321. userInfo, err := base64DecodeFlexible(userB64)
  322. if err != nil {
  323. // SIP022 (2022-blake3-*) userinfo is percent-encoded, not base64.
  324. if dec, uerr := url.QueryUnescape(userB64); uerr == nil {
  325. userInfo = dec
  326. } else {
  327. userInfo = userB64 // not b64, rare
  328. }
  329. }
  330. colon := strings.LastIndex(hp, ":")
  331. if colon < 0 {
  332. return nil, fmt.Errorf("bad ss host:port")
  333. }
  334. host := hp[:colon]
  335. port, err := strconv.Atoi(hp[colon+1:])
  336. if err != nil {
  337. return nil, fmt.Errorf("bad ss port %q: %w", hp[colon+1:], err)
  338. }
  339. method, pass := splitMethodPass(userInfo)
  340. identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
  341. ob := Outbound{
  342. "protocol": "shadowsocks",
  343. "tag": remark,
  344. "settings": map[string]any{
  345. "servers": []any{
  346. map[string]any{"address": host, "port": port, "password": pass, "method": method},
  347. },
  348. },
  349. }
  350. return &ParseResult{Outbound: ob, Identity: identity}, nil
  351. }
  352. // legacy: whole thing b64
  353. dec, err := base64DecodeFlexible(core)
  354. if err != nil {
  355. return nil, err
  356. }
  357. at = strings.Index(dec, "@")
  358. if at < 0 {
  359. return nil, fmt.Errorf("bad legacy ss")
  360. }
  361. userInfo := dec[:at]
  362. hp := dec[at+1:]
  363. colon := strings.LastIndex(hp, ":")
  364. if colon < 0 {
  365. return nil, fmt.Errorf("bad legacy ss hp")
  366. }
  367. host := hp[:colon]
  368. port, err := strconv.Atoi(hp[colon+1:])
  369. if err != nil {
  370. return nil, fmt.Errorf("bad legacy ss port %q: %w", hp[colon+1:], err)
  371. }
  372. method, pass := splitMethodPass(userInfo)
  373. identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
  374. ob := Outbound{
  375. "protocol": "shadowsocks",
  376. "tag": remark,
  377. "settings": map[string]any{
  378. "servers": []any{
  379. map[string]any{"address": host, "port": port, "password": pass, "method": method},
  380. },
  381. },
  382. }
  383. return &ParseResult{Outbound: ob, Identity: identity}, nil
  384. }
  385. func splitMethodPass(userInfo string) (string, string) {
  386. before, after, ok := strings.Cut(userInfo, ":")
  387. if !ok {
  388. return "2022-blake3-aes-128-gcm", userInfo // guess
  389. }
  390. return before, after
  391. }
  392. // --- hysteria2 ---
  393. func parseHysteria2(link string) (*ParseResult, error) {
  394. u, err := url.Parse(link)
  395. if err != nil {
  396. return nil, err
  397. }
  398. if u.Scheme != "hysteria2" && u.Scheme != "hy2" {
  399. return nil, fmt.Errorf("not hysteria2")
  400. }
  401. auth := u.User.Username()
  402. host := u.Hostname()
  403. port := defaultPort(u.Port(), 443)
  404. params := u.Query()
  405. stream := map[string]any{
  406. "network": "hysteria",
  407. "security": "tls",
  408. "hysteriaSettings": map[string]any{
  409. "version": 2,
  410. "auth": auth,
  411. "udpIdleTimeout": 60,
  412. },
  413. "tlsSettings": map[string]any{
  414. "serverName": params.Get("sni"),
  415. "alpn": splitCommaOrDefault(params.Get("alpn"), []string{"h3"}),
  416. "fingerprint": params.Get("fp"),
  417. "echConfigList": params.Get("ech"),
  418. "verifyPeerCertByName": "",
  419. "pinnedPeerCertSha256": params.Get("pinSHA256"),
  420. },
  421. }
  422. applyFinalMask(stream, params)
  423. identity := "hysteria2:" + auth + "@" + host + ":" + strconv.Itoa(port) + "?" + canonicalQuery(params)
  424. ob := Outbound{
  425. "protocol": "hysteria",
  426. "tag": decodeHash(u.Fragment),
  427. "settings": map[string]any{"address": host, "port": port, "version": 2},
  428. "streamSettings": stream,
  429. }
  430. return &ParseResult{Outbound: ob, Identity: identity}, nil
  431. }
  432. // --- wireguard ---
  433. func parseWireguard(link string) (*ParseResult, error) {
  434. u, err := url.Parse(link)
  435. if err != nil {
  436. return nil, err
  437. }
  438. if u.Scheme != "wireguard" && u.Scheme != "wg" {
  439. return nil, fmt.Errorf("not wireguard")
  440. }
  441. secret, _ := url.QueryUnescape(u.User.Username())
  442. params := u.Query()
  443. host := u.Hostname()
  444. portStr := u.Port()
  445. endpoint := host
  446. if portStr != "" {
  447. endpoint = host + ":" + portStr
  448. }
  449. addrRaw := firstParam(params, "address", "ip")
  450. allowedRaw := firstParam(params, "allowedips", "allowed_ips")
  451. addrs := splitComma(addrRaw)
  452. if len(addrs) == 0 {
  453. addrs = []string{"0.0.0.0/0", "::/0"}
  454. }
  455. allowed := splitComma(allowedRaw)
  456. if len(allowed) == 0 {
  457. allowed = []string{"0.0.0.0/0", "::/0"}
  458. }
  459. peer := map[string]any{
  460. "publicKey": firstParam(params, "publickey", "publicKey", "public_key", "peerPublicKey"),
  461. "endpoint": endpoint,
  462. "allowedIPs": allowed,
  463. }
  464. if psk := firstParam(params, "presharedkey", "preshared_key", "pre-shared-key", "psk"); psk != "" {
  465. peer["preSharedKey"] = psk
  466. }
  467. if ka := firstParam(params, "keepalive", "persistentkeepalive", "persistent_keepalive"); ka != "" {
  468. if n, err := strconv.Atoi(ka); err == nil {
  469. peer["keepAlive"] = n
  470. }
  471. }
  472. settings := map[string]any{
  473. "secretKey": secret,
  474. "address": addrs,
  475. "peers": []any{peer},
  476. }
  477. if mtu := params.Get("mtu"); mtu != "" {
  478. if n, err := strconv.Atoi(mtu); err == nil {
  479. settings["mtu"] = n
  480. }
  481. }
  482. if res := params.Get("reserved"); res != "" {
  483. parts := splitComma(res)
  484. var iv []int
  485. for _, p := range parts {
  486. if n, err := strconv.Atoi(strings.TrimSpace(p)); err == nil {
  487. iv = append(iv, n)
  488. }
  489. }
  490. if len(iv) > 0 {
  491. settings["reserved"] = iv
  492. }
  493. }
  494. identity := "wireguard:" + secret + "@" + endpoint + "?" + canonicalQuery(params)
  495. ob := Outbound{
  496. "protocol": "wireguard",
  497. "tag": decodeHash(u.Fragment),
  498. "settings": settings,
  499. }
  500. return &ParseResult{Outbound: ob, Identity: identity}, nil
  501. }
  502. // --- helpers ---
  503. func buildStream(network, security string) map[string]any {
  504. stream := map[string]any{"network": network, "security": security}
  505. switch network {
  506. case "tcp":
  507. stream["tcpSettings"] = map[string]any{"header": map[string]any{"type": "none"}}
  508. case "kcp":
  509. stream["kcpSettings"] = map[string]any{
  510. "mtu": 1350, "tti": 20, "uplinkCapacity": 5, "downlinkCapacity": 20,
  511. "cwndMultiplier": 1, "maxSendingWindow": 2097152,
  512. }
  513. case "ws":
  514. stream["wsSettings"] = map[string]any{"path": "/", "host": "", "headers": map[string]any{}, "heartbeatPeriod": 0}
  515. case "grpc":
  516. stream["grpcSettings"] = map[string]any{"serviceName": "", "authority": "", "multiMode": false}
  517. case "httpupgrade":
  518. stream["httpupgradeSettings"] = map[string]any{"path": "/", "host": "", "headers": map[string]any{}}
  519. case "xhttp":
  520. // No scMaxEachPostBytes/scMinPostsIntervalMs seed: xray-core's own
  521. // defaults apply, and the literal values fingerprint traffic (#5141).
  522. stream["xhttpSettings"] = map[string]any{
  523. "path": "/", "host": "", "mode": "auto", "headers": map[string]any{},
  524. "xPaddingBytes": "100-1000",
  525. }
  526. default:
  527. stream["tcpSettings"] = map[string]any{"header": map[string]any{"type": "none"}}
  528. }
  529. switch security {
  530. case "tls":
  531. stream["tlsSettings"] = map[string]any{
  532. "serverName": "", "alpn": []any{}, "fingerprint": "",
  533. "echConfigList": "", "verifyPeerCertByName": "", "pinnedPeerCertSha256": "",
  534. }
  535. case "reality":
  536. stream["realitySettings"] = map[string]any{
  537. "publicKey": "", "fingerprint": "chrome", "serverName": "",
  538. "shortId": "", "spiderX": "", "mldsa65Verify": "",
  539. }
  540. }
  541. return stream
  542. }
  543. func setWS(stream map[string]any, host, path string) {
  544. ws := stream["wsSettings"].(map[string]any)
  545. ws["host"] = host
  546. ws["path"] = path
  547. }
  548. func setHTTPUpgrade(stream map[string]any, host, path string) {
  549. h := stream["httpupgradeSettings"].(map[string]any)
  550. h["host"] = host
  551. h["path"] = path
  552. }
  553. func applyTransport(stream map[string]any, p url.Values) {
  554. net := stream["network"].(string)
  555. host := p.Get("host")
  556. path := firstNonEmpty(p.Get("path"), "/")
  557. switch net {
  558. case "ws":
  559. setWS(stream, host, path)
  560. case "grpc":
  561. gs := stream["grpcSettings"].(map[string]any)
  562. gs["serviceName"] = firstNonEmpty(p.Get("serviceName"), p.Get("path"))
  563. gs["authority"] = p.Get("authority")
  564. gs["multiMode"] = p.Get("mode") == "multi"
  565. case "httpupgrade":
  566. setHTTPUpgrade(stream, host, path)
  567. case "xhttp":
  568. xh := stream["xhttpSettings"].(map[string]any)
  569. xh["host"] = host
  570. xh["path"] = path
  571. if m := p.Get("mode"); m != "" {
  572. xh["mode"] = m
  573. }
  574. // A few advanced xhttp fields that are commonly carried
  575. for _, k := range []string{"xPaddingBytes", "scMaxEachPostBytes", "scMinPostsIntervalMs", "uplinkChunkSize"} {
  576. if v := p.Get(k); v != "" {
  577. xh[k] = v
  578. }
  579. }
  580. case "tcp":
  581. if p.Get("headerType") == "http" || p.Get("type") == "http" {
  582. stream["tcpSettings"] = map[string]any{
  583. "header": map[string]any{
  584. "type": "http",
  585. "request": map[string]any{
  586. "version": "1.1",
  587. "method": "GET",
  588. "path": splitComma(path),
  589. "headers": map[string]any{"Host": splitComma(host)},
  590. },
  591. },
  592. }
  593. }
  594. }
  595. }
  596. func applySecurity(stream map[string]any, p url.Values) {
  597. sec := stream["security"].(string)
  598. switch sec {
  599. case "tls":
  600. tls := stream["tlsSettings"].(map[string]any)
  601. tls["serverName"] = p.Get("sni")
  602. tls["fingerprint"] = p.Get("fp")
  603. if alpn := p.Get("alpn"); alpn != "" {
  604. tls["alpn"] = splitComma(alpn)
  605. }
  606. tls["echConfigList"] = p.Get("ech")
  607. tls["pinnedPeerCertSha256"] = p.Get("pcs")
  608. case "reality":
  609. re := stream["realitySettings"].(map[string]any)
  610. re["serverName"] = p.Get("sni")
  611. re["fingerprint"] = firstNonEmpty(p.Get("fp"), "chrome")
  612. re["publicKey"] = p.Get("pbk")
  613. re["shortId"] = p.Get("sid")
  614. re["spiderX"] = p.Get("spx")
  615. re["mldsa65Verify"] = p.Get("pqv")
  616. }
  617. }
  618. func applyFinalMask(stream map[string]any, p url.Values) {
  619. if fm := p.Get("fm"); fm != "" {
  620. var parsed any
  621. if json.Unmarshal([]byte(fm), &parsed) == nil {
  622. sanitizeFinalMaskQuicParams(parsed)
  623. stream["finalmask"] = parsed
  624. }
  625. }
  626. }
  627. // sanitizeFinalMaskQuicParams coerces the strictly numeric quicParams fields
  628. // of a finalmask blob taken verbatim from a share link's fm= parameter.
  629. // Xray-core rejects the whole config at startup when e.g. keepAlivePeriod
  630. // arrives as a duration string like "10s" or an out-of-range integer, so
  631. // numeric strings are parsed, duration strings are converted to whole
  632. // seconds, the ranged fields are clamped to what xray accepts, and anything
  633. // non-finite, negative, absurdly large, or unparseable is dropped so a bad
  634. // value falls back to xray's default instead of killing the config (#5783).
  635. func sanitizeFinalMaskQuicParams(parsed any) {
  636. fm, ok := parsed.(map[string]any)
  637. if !ok {
  638. return
  639. }
  640. qp, ok := fm["quicParams"].(map[string]any)
  641. if !ok {
  642. return
  643. }
  644. numericKeys := []string{
  645. "initStreamReceiveWindow", "maxStreamReceiveWindow",
  646. "initConnectionReceiveWindow", "maxConnectionReceiveWindow",
  647. "maxIdleTimeout", "keepAlivePeriod", "maxIncomingStreams",
  648. }
  649. for _, key := range numericKeys {
  650. raw, exists := qp[key]
  651. if !exists {
  652. continue
  653. }
  654. n, ok := coerceQuicNumeric(raw)
  655. if ok {
  656. n, ok = clampQuicNumeric(key, n)
  657. }
  658. if !ok {
  659. delete(qp, key)
  660. continue
  661. }
  662. qp[key] = int64(n)
  663. }
  664. }
  665. func coerceQuicNumeric(raw any) (float64, bool) {
  666. switch v := raw.(type) {
  667. case float64:
  668. return math.Trunc(v), true
  669. case string:
  670. if n, err := strconv.ParseFloat(v, 64); err == nil && !math.IsInf(n, 0) && !math.IsNaN(n) {
  671. return math.Trunc(n), true
  672. }
  673. if d, err := time.ParseDuration(v); err == nil {
  674. return math.Trunc(d.Seconds()), true
  675. }
  676. }
  677. return 0, false
  678. }
  679. // clampQuicNumeric enforces xray-core's QuicParamsConfig validation so a
  680. // coerced value cannot still fail the config load: keepAlivePeriod is 0 or
  681. // 2-60, maxIdleTimeout is 0 or 4-120, maxIncomingStreams is 0 or >= 8.
  682. // quicNumericMax keeps values in plain-integer JSON territory and far below
  683. // the uint64 window fields' range.
  684. const quicNumericMax = float64(1e15)
  685. func clampQuicNumeric(key string, n float64) (float64, bool) {
  686. if n < 0 || n > quicNumericMax {
  687. return 0, false
  688. }
  689. if n == 0 {
  690. return 0, true
  691. }
  692. switch key {
  693. case "keepAlivePeriod":
  694. return math.Min(math.Max(n, 2), 60), true
  695. case "maxIdleTimeout":
  696. return math.Min(math.Max(n, 4), 120), true
  697. case "maxIncomingStreams":
  698. return math.Max(n, 8), true
  699. }
  700. return n, true
  701. }
  702. func firstNonEmpty(a, b string) string {
  703. if a != "" {
  704. return a
  705. }
  706. return b
  707. }
  708. func firstParam(p url.Values, keys ...string) string {
  709. for _, k := range keys {
  710. if v := p.Get(k); v != "" {
  711. return v
  712. }
  713. }
  714. return ""
  715. }
  716. func canonicalQuery(p url.Values) string {
  717. // Sort keys for stable identity
  718. keys := make([]string, 0, len(p))
  719. for k := range p {
  720. keys = append(keys, k)
  721. }
  722. // simple sort
  723. for i := 0; i < len(keys); i++ {
  724. for j := i + 1; j < len(keys); j++ {
  725. if keys[j] < keys[i] {
  726. keys[i], keys[j] = keys[j], keys[i]
  727. }
  728. }
  729. }
  730. parts := make([]string, 0, len(keys))
  731. for _, k := range keys {
  732. for _, v := range p[k] {
  733. parts = append(parts, k+"="+v)
  734. }
  735. }
  736. return strings.Join(parts, "&")
  737. }
  738. func decodeHash(h string) string {
  739. if h == "" {
  740. return ""
  741. }
  742. if dec, err := url.QueryUnescape(h); err == nil {
  743. return dec
  744. }
  745. return h
  746. }
  747. func defaultPort(p string, def int) int {
  748. if p == "" {
  749. return def
  750. }
  751. n, err := strconv.Atoi(p)
  752. if err != nil || n <= 0 {
  753. return def
  754. }
  755. return n
  756. }
  757. func num(v any) int {
  758. switch x := v.(type) {
  759. case float64:
  760. return int(x)
  761. case int:
  762. return x
  763. case int64:
  764. return int(x)
  765. case string:
  766. n, _ := strconv.Atoi(x)
  767. return n
  768. }
  769. return 0
  770. }
  771. func getString(m map[string]any, key, def string) string {
  772. if v, ok := m[key]; ok {
  773. if s, ok := v.(string); ok {
  774. return s
  775. }
  776. }
  777. return def
  778. }
  779. func splitComma(s string) []string {
  780. if s == "" {
  781. return nil
  782. }
  783. parts := strings.Split(s, ",")
  784. out := make([]string, 0, len(parts))
  785. for _, p := range parts {
  786. p = strings.TrimSpace(p)
  787. if p != "" {
  788. out = append(out, p)
  789. }
  790. }
  791. return out
  792. }
  793. func splitCommaOrDefault(s string, def []string) []string {
  794. if s == "" {
  795. return def
  796. }
  797. return splitComma(s)
  798. }
  799. func padBase64(s string) string {
  800. for len(s)%4 != 0 {
  801. s += "="
  802. }
  803. return s
  804. }
  805. func base64DecodeFlexible(s string) (string, error) {
  806. s = padBase64(s)
  807. if b, err := base64.StdEncoding.DecodeString(s); err == nil {
  808. return string(b), nil
  809. }
  810. if b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "=")); err == nil {
  811. return string(b), nil
  812. }
  813. return "", fmt.Errorf("base64 decode failed")
  814. }
  815. // SlugRemark turns a free-form remark into a tag segment, keeping Unicode
  816. // letters and digits (so non-ASCII remarks like Cyrillic stay readable) and
  817. // replacing every other run of characters with a single dash.
  818. var slugRe = regexp.MustCompile(`[^\p{L}\p{N}]+`)
  819. func SlugRemark(remark string) string {
  820. s := strings.ToLower(strings.TrimSpace(remark))
  821. s = slugRe.ReplaceAllString(s, "-")
  822. s = strings.Trim(s, "-")
  823. if s == "" {
  824. return ""
  825. }
  826. // collapse runs of dashes
  827. for strings.Contains(s, "--") {
  828. s = strings.ReplaceAll(s, "--", "-")
  829. }
  830. return s
  831. }
  832. // SuggestTag builds a tag from a prefix and a remark (or index fallback).
  833. // It is intended for initial assignment; stability is handled by the service layer.
  834. func SuggestTag(prefix, remark string, idx int) string {
  835. base := SlugRemark(remark)
  836. if base == "" {
  837. base = fmt.Sprintf("%d", idx)
  838. }
  839. p := strings.TrimSuffix(prefix, "-")
  840. if p != "" {
  841. return p + "-" + base
  842. }
  843. return base
  844. }