xray.go 36 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199
  1. package service
  2. import (
  3. "encoding/json"
  4. "errors"
  5. "fmt"
  6. "path"
  7. "path/filepath"
  8. "runtime"
  9. "strings"
  10. "sync"
  11. "github.com/mhsanaei/3x-ui/v3/internal/config"
  12. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  13. "github.com/mhsanaei/3x-ui/v3/internal/logger"
  14. "github.com/mhsanaei/3x-ui/v3/internal/util/json_util"
  15. "github.com/mhsanaei/3x-ui/v3/internal/xray"
  16. "go.uber.org/atomic"
  17. )
  18. var (
  19. p *xray.Process
  20. lock sync.Mutex
  21. isNeedXrayRestart atomic.Bool // Indicates that restart was requested for Xray
  22. isManuallyStopped atomic.Bool // Indicates that Xray was stopped manually from the panel
  23. result string
  24. )
  25. // XrayService provides business logic for Xray process management.
  26. // It handles starting, stopping, restarting Xray, and managing its configuration.
  27. type XrayService struct {
  28. inboundService InboundService
  29. settingService SettingService
  30. nodeService NodeService
  31. xrayAPI xray.XrayAPI
  32. }
  33. // IsXrayRunning checks if the Xray process is currently running.
  34. func (s *XrayService) IsXrayRunning() bool {
  35. return p != nil && p.IsRunning()
  36. }
  37. // XrayProcess returns the current Xray process instance (may be nil when Xray
  38. // is not running). It exposes the package-level process to callers outside this
  39. // package (e.g. the tgbot subpackage) without changing access semantics.
  40. func XrayProcess() *xray.Process {
  41. return p
  42. }
  43. // GetXrayErr returns the error from the Xray process, if any.
  44. func (s *XrayService) GetXrayErr() error {
  45. if p == nil {
  46. return nil
  47. }
  48. err := p.GetErr()
  49. if err == nil {
  50. return nil
  51. }
  52. if runtime.GOOS == "windows" && err.Error() == "exit status 1" {
  53. // exit status 1 on Windows means that Xray process was killed
  54. // as we kill process to stop in on Windows, this is not an error
  55. return nil
  56. }
  57. return err
  58. }
  59. // GetXrayResult returns the result string from the Xray process.
  60. func (s *XrayService) GetXrayResult() string {
  61. if result != "" {
  62. return result
  63. }
  64. if s.IsXrayRunning() {
  65. return ""
  66. }
  67. if p == nil {
  68. return ""
  69. }
  70. result = p.GetResult()
  71. if runtime.GOOS == "windows" && result == "exit status 1" {
  72. // exit status 1 on Windows means that Xray process was killed
  73. // as we kill process to stop in on Windows, this is not an error
  74. return ""
  75. }
  76. return result
  77. }
  78. // GetXrayVersion returns the version of the running Xray process.
  79. func (s *XrayService) GetXrayVersion() string {
  80. if p == nil {
  81. return "Unknown"
  82. }
  83. return p.GetXrayVersion()
  84. }
  85. // RemoveIndex removes an element at the specified index from a slice.
  86. // Returns a new slice with the element removed.
  87. func RemoveIndex(s []any, index int) []any {
  88. return append(s[:index], s[index+1:]...)
  89. }
  90. // GetXrayConfig retrieves and builds the Xray configuration from settings and inbounds.
  91. func (s *XrayService) GetXrayConfig() (*xray.Config, error) {
  92. templateConfig, err := s.settingService.GetXrayConfigTemplate()
  93. if err != nil {
  94. return nil, err
  95. }
  96. xrayConfig := &xray.Config{}
  97. err = json.Unmarshal([]byte(templateConfig), xrayConfig)
  98. if err != nil {
  99. return nil, err
  100. }
  101. xrayConfig.LogConfig = resolveXrayLogPaths(xrayConfig.LogConfig)
  102. xrayConfig.API = ensureAPIServices(xrayConfig.API)
  103. xrayConfig.Policy = ensureStatsPolicy(xrayConfig.Policy)
  104. xrayConfig.RouterConfig = stripDisabledRules(xrayConfig.RouterConfig)
  105. // Template outbounds authored before the xray-core #6258 XHTTP rename may
  106. // still carry sessionPlacement/sessionKey; lift them too (same reason as
  107. // the per-inbound lift below).
  108. xrayConfig.OutboundConfigs = liftOutboundsXhttpSessionIDKeys(xrayConfig.OutboundConfigs)
  109. _, _, _ = s.inboundService.AddTraffic(nil, nil)
  110. inbounds, err := s.inboundService.GetAllInbounds()
  111. if err != nil {
  112. return nil, err
  113. }
  114. for _, inbound := range inbounds {
  115. if !inbound.Enable {
  116. continue
  117. }
  118. if inbound.NodeID != nil {
  119. continue
  120. }
  121. if inbound.Protocol == model.MTProto {
  122. continue
  123. }
  124. settings := map[string]any{}
  125. _ = json.Unmarshal([]byte(inbound.Settings), &settings)
  126. dbClients, listErr := s.inboundService.clientService.ListForInbound(nil, inbound.Id)
  127. if listErr != nil {
  128. return nil, listErr
  129. }
  130. clientStats := inbound.ClientStats
  131. enableMap := make(map[string]bool, len(clientStats))
  132. for _, clientTraffic := range clientStats {
  133. enableMap[clientTraffic.Email] = clientTraffic.Enable
  134. }
  135. var finalClients []any
  136. var wgPeers []any
  137. for i := range dbClients {
  138. c := dbClients[i]
  139. if enable, exists := enableMap[c.Email]; exists && !enable {
  140. logger.Infof("Remove Inbound User %s due to expiration or traffic limit", c.Email)
  141. continue
  142. }
  143. if !c.Enable {
  144. continue
  145. }
  146. flow := c.Flow
  147. if flow == "xtls-rprx-vision-udp443" {
  148. flow = "xtls-rprx-vision"
  149. }
  150. entry := map[string]any{"email": c.Email}
  151. switch inbound.Protocol {
  152. case model.VLESS:
  153. if c.ID != "" {
  154. entry["id"] = c.ID
  155. }
  156. if flow != "" {
  157. entry["flow"] = flow
  158. }
  159. if c.Reverse != nil {
  160. entry["reverse"] = c.Reverse
  161. }
  162. case model.VMESS:
  163. if c.ID != "" {
  164. entry["id"] = c.ID
  165. }
  166. if c.Security != "" {
  167. entry["security"] = c.Security
  168. }
  169. case model.Trojan:
  170. if c.Password != "" {
  171. entry["password"] = c.Password
  172. }
  173. if flow != "" {
  174. entry["flow"] = flow
  175. }
  176. case model.Shadowsocks:
  177. if c.Password != "" {
  178. entry["password"] = c.Password
  179. }
  180. case model.Hysteria:
  181. if c.Auth != "" {
  182. entry["auth"] = c.Auth
  183. }
  184. case model.WireGuard:
  185. peer := map[string]any{"email": c.Email, "level": 0}
  186. if c.PublicKey != "" {
  187. peer["publicKey"] = c.PublicKey
  188. }
  189. if len(c.AllowedIPs) > 0 {
  190. peer["allowedIPs"] = c.AllowedIPs
  191. }
  192. if c.PreSharedKey != "" {
  193. peer["preSharedKey"] = c.PreSharedKey
  194. }
  195. if c.KeepAlive > 0 {
  196. peer["keepAlive"] = c.KeepAlive
  197. }
  198. wgPeers = append(wgPeers, peer)
  199. continue
  200. }
  201. finalClients = append(finalClients, entry)
  202. }
  203. var mutated bool
  204. if inbound.Protocol == model.WireGuard {
  205. delete(settings, "clients")
  206. if wgPeers == nil {
  207. wgPeers = []any{}
  208. }
  209. settings["peers"] = wgPeers
  210. mutated = true
  211. } else {
  212. _, hadClients := settings["clients"]
  213. mutated = hadClients || len(finalClients) > 0
  214. if mutated {
  215. settings["clients"] = finalClients
  216. }
  217. }
  218. if inboundCanHostFallbacks(inbound) {
  219. fallbacks, fbErr := s.inboundService.fallbackService.BuildFallbacksJSON(nil, inbound.Id)
  220. if fbErr != nil {
  221. return nil, fbErr
  222. }
  223. if len(fallbacks) > 0 {
  224. generic := make([]any, 0, len(fallbacks))
  225. for _, f := range fallbacks {
  226. generic = append(generic, f)
  227. }
  228. settings["fallbacks"] = generic
  229. mutated = true
  230. }
  231. }
  232. if mutated {
  233. modifiedSettings, err := json.MarshalIndent(settings, "", " ")
  234. if err != nil {
  235. return nil, err
  236. }
  237. inbound.Settings = string(modifiedSettings)
  238. }
  239. if len(inbound.StreamSettings) > 0 {
  240. // Unmarshal stream JSON
  241. var stream map[string]any
  242. _ = json.Unmarshal([]byte(inbound.StreamSettings), &stream)
  243. // Remove the "settings" field under "tlsSettings" and "realitySettings"
  244. tlsSettings, ok1 := stream["tlsSettings"].(map[string]any)
  245. realitySettings, ok2 := stream["realitySettings"].(map[string]any)
  246. if ok1 || ok2 {
  247. if ok1 {
  248. delete(tlsSettings, "settings")
  249. } else if ok2 {
  250. delete(realitySettings, "settings")
  251. }
  252. }
  253. delete(stream, "externalProxy")
  254. // xray-core v26.6.22 (#6258) renamed the XHTTP session keys and
  255. // kept no fallback. Lift legacy sessionPlacement/sessionKey onto the
  256. // new names here so inbounds stored before the rename keep working
  257. // without the admin re-saving them.
  258. liftXhttpSessionIDKeys(stream)
  259. newStream, err := json.MarshalIndent(stream, "", " ")
  260. if err != nil {
  261. return nil, err
  262. }
  263. inbound.StreamSettings = string(newStream)
  264. }
  265. if inbound.Protocol == model.Shadowsocks {
  266. if healed, ok := model.HealShadowsocksClientMethods(inbound.Settings); ok {
  267. inbound.Settings = healed
  268. }
  269. }
  270. inboundConfig := inbound.GenXrayInboundConfig()
  271. xrayConfig.InboundConfigs = append(xrayConfig.InboundConfigs, *inboundConfig)
  272. }
  273. // Merge subscription-derived outbounds (if any) into the final outbounds array.
  274. // These are additive: each subscription is placed before or after the template
  275. // outbounds based on its Prepend flag, ordered by Priority. Tags assigned by the
  276. // subscription service are kept stable across refreshes so that balancers and
  277. // routing rules continue to work.
  278. subSvc := &OutboundSubscriptionService{}
  279. if prepend, appendList, err := subSvc.activeOutboundsSplit(); err == nil && (len(prepend) > 0 || len(appendList) > 0) {
  280. mergeSubscriptionOutbounds(xrayConfig, prepend, appendList)
  281. }
  282. // Route opted-in local mtproto inbounds through the core's router. Each one
  283. // gets a loopback SOCKS bridge — tagged with the inbound's own tag so it is
  284. // matchable in routing rules — that its mtg sidecar dials Telegram through.
  285. // Done after the subscription merge so a selected subscription outbound (or
  286. // balancer) is a valid rule target.
  287. for i := range inbounds {
  288. inbound := inbounds[i]
  289. if inbound.Protocol != model.MTProto || !inbound.Enable || inbound.NodeID != nil {
  290. continue
  291. }
  292. injectMtprotoEgress(xrayConfig, inbound)
  293. }
  294. // Wire the panel's own HTTP traffic through the configured outbound, after
  295. // the subscription merge so subscription outbound tags are valid targets.
  296. if egressTag, err := s.settingService.GetPanelOutbound(); err != nil {
  297. logger.Warning("read panelOutbound setting failed:", err)
  298. } else if egressTag != "" {
  299. injectPanelEgress(xrayConfig, egressTag)
  300. }
  301. nodes, err := s.nodeService.GetAll()
  302. if err != nil {
  303. logger.Warning("read nodes for egress injection failed:", err)
  304. } else {
  305. injectNodeEgresses(xrayConfig, nodes)
  306. }
  307. return xrayConfig, nil
  308. }
  309. // PanelEgressInboundTag is the tag of the loopback SOCKS inbound injected into
  310. // the generated config when a panel outbound is configured. The panel's own
  311. // HTTP clients dial through it to egress via the chosen outbound.
  312. const PanelEgressInboundTag = "panel-egress"
  313. // panelEgressBasePort is the first port tried for the egress bridge; ports
  314. // already taken by other inbounds in the generated config are skipped.
  315. const panelEgressBasePort = 62790
  316. // injectPanelEgress appends a loopback SOCKS inbound to the generated config
  317. // and prepends a routing rule sending it to outboundTag. Both live only in the
  318. // generated config — the stored template is never modified — and both are
  319. // hot-appliable, so changing the panel outbound never restarts the core.
  320. func injectPanelEgress(cfg *xray.Config, outboundTag string) {
  321. for i := range cfg.InboundConfigs {
  322. if cfg.InboundConfigs[i].Tag == PanelEgressInboundTag {
  323. logger.Warning("panel egress: inbound tag [", PanelEgressInboundTag, "] already exists, skipping injection")
  324. return
  325. }
  326. }
  327. // The rule must exist before the inbound takes traffic, otherwise the
  328. // bridge would silently egress through the default outbound instead.
  329. routing := map[string]any{}
  330. if len(cfg.RouterConfig) > 0 {
  331. if err := json.Unmarshal(cfg.RouterConfig, &routing); err != nil {
  332. logger.Warning("panel egress: routing section is unparsable, skipping injection:", err)
  333. return
  334. }
  335. }
  336. rules, _ := routing["rules"].([]any)
  337. rule := map[string]any{
  338. "type": "field",
  339. "inboundTag": []any{PanelEgressInboundTag},
  340. }
  341. // The configured tag may name a routing balancer instead of a concrete
  342. // outbound. A field rule can target either, so emit the matching key —
  343. // balancerTag load-balances the panel's own traffic across the balancer's
  344. // outbounds, while a plain outbound tag keeps the original behavior.
  345. if routingTagIsBalancer(routing, outboundTag) {
  346. rule["balancerTag"] = outboundTag
  347. } else {
  348. rule["outboundTag"] = outboundTag
  349. }
  350. routing["rules"] = append([]any{rule}, rules...)
  351. newRouting, err := json.Marshal(routing)
  352. if err != nil {
  353. logger.Warning("panel egress: failed to rebuild routing section, skipping injection:", err)
  354. return
  355. }
  356. cfg.RouterConfig = json_util.RawMessage(newRouting)
  357. used := make(map[int]struct{}, len(cfg.InboundConfigs))
  358. for i := range cfg.InboundConfigs {
  359. used[cfg.InboundConfigs[i].Port] = struct{}{}
  360. }
  361. port := panelEgressBasePort
  362. for {
  363. if _, taken := used[port]; !taken {
  364. break
  365. }
  366. port++
  367. }
  368. cfg.InboundConfigs = append(cfg.InboundConfigs, xray.InboundConfig{
  369. Listen: json_util.RawMessage(`"127.0.0.1"`),
  370. Port: port,
  371. Protocol: "socks",
  372. Settings: json_util.RawMessage(`{"auth":"noauth","udp":false}`),
  373. Tag: PanelEgressInboundTag,
  374. })
  375. }
  376. // NodeEgressInboundTag returns the loopback SOCKS inbound tag for a given node.
  377. func NodeEgressInboundTag(nodeID int) string {
  378. return fmt.Sprintf("node-egress-%d", nodeID)
  379. }
  380. // nodeEgressBasePort is the first port tried for node egress bridges.
  381. const nodeEgressBasePort = 62800
  382. // injectNodeEgresses appends a loopback SOCKS inbound per enabled node that has
  383. // an OutboundTag, and prepends a routing rule sending that inbound's traffic to
  384. // the selected outbound tag. These bridges are hot-appliable.
  385. func injectNodeEgresses(cfg *xray.Config, nodes []*model.Node) {
  386. routing := map[string]any{}
  387. if len(cfg.RouterConfig) > 0 {
  388. if err := json.Unmarshal(cfg.RouterConfig, &routing); err != nil {
  389. logger.Warning("node egress: routing section is unparsable, skipping injection:", err)
  390. return
  391. }
  392. }
  393. used := make(map[int]struct{}, len(cfg.InboundConfigs))
  394. usedTags := make(map[string]struct{}, len(cfg.InboundConfigs))
  395. for i := range cfg.InboundConfigs {
  396. used[cfg.InboundConfigs[i].Port] = struct{}{}
  397. usedTags[cfg.InboundConfigs[i].Tag] = struct{}{}
  398. }
  399. rules, _ := routing["rules"].([]any)
  400. newRules := make([]any, 0)
  401. for _, n := range nodes {
  402. if !n.Enable || n.OutboundTag == "" {
  403. continue
  404. }
  405. tag := NodeEgressInboundTag(n.Id)
  406. if _, exists := usedTags[tag]; exists {
  407. logger.Warning("node egress: inbound tag [", tag, "] already exists, skipping")
  408. continue
  409. }
  410. usedTags[tag] = struct{}{}
  411. rule := map[string]any{
  412. "type": "field",
  413. "inboundTag": []any{tag},
  414. }
  415. if routingTagIsBalancer(routing, n.OutboundTag) {
  416. rule["balancerTag"] = n.OutboundTag
  417. } else {
  418. rule["outboundTag"] = n.OutboundTag
  419. }
  420. newRules = append(newRules, rule)
  421. port := nodeEgressBasePort + n.Id
  422. for {
  423. if _, taken := used[port]; !taken {
  424. break
  425. }
  426. port++
  427. }
  428. used[port] = struct{}{}
  429. cfg.InboundConfigs = append(cfg.InboundConfigs, xray.InboundConfig{
  430. Listen: json_util.RawMessage(`"127.0.0.1"`),
  431. Port: port,
  432. Protocol: "socks",
  433. Settings: json_util.RawMessage(`{"auth":"noauth","udp":false}`),
  434. Tag: tag,
  435. })
  436. }
  437. if len(newRules) == 0 {
  438. return
  439. }
  440. routing["rules"] = append(newRules, rules...)
  441. newRouting, err := json.Marshal(routing)
  442. if err != nil {
  443. logger.Warning("node egress: failed to rebuild routing section, skipping injection:", err)
  444. return
  445. }
  446. cfg.RouterConfig = json_util.RawMessage(newRouting)
  447. }
  448. // routingTagIsBalancer reports whether tag names a balancer in the parsed
  449. // routing section. The panel-egress rule targets a balancer via balancerTag and
  450. // a concrete outbound via outboundTag, so the caller picks the key from this.
  451. func routingTagIsBalancer(routing map[string]any, tag string) bool {
  452. if tag == "" {
  453. return false
  454. }
  455. balancers, ok := routing["balancers"].([]any)
  456. if !ok {
  457. return false
  458. }
  459. for _, b := range balancers {
  460. bm, ok := b.(map[string]any)
  461. if !ok {
  462. continue
  463. }
  464. if t, ok := bm["tag"].(string); ok && t == tag {
  465. return true
  466. }
  467. }
  468. return false
  469. }
  470. // mtprotoEgressSocksSettings is the loopback SOCKS server a routed mtproto
  471. // inbound exposes for its mtg sidecar to dial Telegram through. mtg makes plain
  472. // TCP connections, so UDP is left off (matching the panel egress bridge).
  473. const mtprotoEgressSocksSettings = `{"auth":"noauth","udp":false}`
  474. // injectMtprotoEgress wires one routed mtproto inbound into the generated
  475. // config: it appends a loopback SOCKS inbound (tagged with the inbound's own tag,
  476. // on the egress port persisted in settings) and, when an outbound is selected,
  477. // prepends a routing rule sending that tag to it. Both live only in the generated
  478. // config — the stored template is untouched — and both are hot-appliable, so
  479. // toggling routing never forces a full Xray restart. Mirrors injectPanelEgress.
  480. func injectMtprotoEgress(cfg *xray.Config, inbound *model.Inbound) {
  481. var parsed struct {
  482. RouteThroughXray bool `json:"routeThroughXray"`
  483. RouteXrayPort int `json:"routeXrayPort"`
  484. OutboundTag string `json:"outboundTag"`
  485. }
  486. if err := json.Unmarshal([]byte(inbound.Settings), &parsed); err != nil {
  487. return
  488. }
  489. if !parsed.RouteThroughXray || parsed.RouteXrayPort <= 0 || inbound.Tag == "" {
  490. return
  491. }
  492. tag := inbound.Tag
  493. for i := range cfg.InboundConfigs {
  494. if cfg.InboundConfigs[i].Tag == tag {
  495. logger.Warning("mtproto egress: inbound tag [", tag, "] already present in generated config, skipping bridge")
  496. return
  497. }
  498. }
  499. if parsed.OutboundTag != "" {
  500. routing := map[string]any{}
  501. parseOK := true
  502. if len(cfg.RouterConfig) > 0 {
  503. if err := json.Unmarshal(cfg.RouterConfig, &routing); err != nil {
  504. logger.Warning("mtproto egress: routing section is unparsable, skipping rule:", err)
  505. parseOK = false
  506. }
  507. }
  508. if parseOK {
  509. rules, _ := routing["rules"].([]any)
  510. rule := map[string]any{
  511. "type": "field",
  512. "inboundTag": []any{tag},
  513. }
  514. if routingTagIsBalancer(routing, parsed.OutboundTag) {
  515. rule["balancerTag"] = parsed.OutboundTag
  516. } else {
  517. rule["outboundTag"] = parsed.OutboundTag
  518. }
  519. routing["rules"] = append([]any{rule}, rules...)
  520. if newRouting, err := json.Marshal(routing); err == nil {
  521. cfg.RouterConfig = json_util.RawMessage(newRouting)
  522. } else {
  523. logger.Warning("mtproto egress: failed to rebuild routing section, skipping rule:", err)
  524. }
  525. }
  526. }
  527. cfg.InboundConfigs = append(cfg.InboundConfigs, xray.InboundConfig{
  528. Listen: json_util.RawMessage(`"127.0.0.1"`),
  529. Port: parsed.RouteXrayPort,
  530. Protocol: "socks",
  531. Settings: json_util.RawMessage(mtprotoEgressSocksSettings),
  532. Tag: tag,
  533. })
  534. }
  535. // mergeSubscriptionOutbounds appends the subscription outbounds to the
  536. // OutboundConfigs array of the xray config. It works on the already-unmarshaled
  537. // template so that manually configured outbounds are never overwritten.
  538. //
  539. // Safety: if we cannot parse the template's outbounds array, we leave
  540. // OutboundConfigs exactly as it came from the template (we do not inject
  541. // subscription outbounds). This prevents us from accidentally dropping the
  542. // user's manually configured outbounds when the template is in a weird state.
  543. func mergeSubscriptionOutbounds(cfg *xray.Config, prepend, appendList []any) {
  544. if len(prepend) == 0 && len(appendList) == 0 {
  545. return
  546. }
  547. var templateOutbounds []any
  548. if len(cfg.OutboundConfigs) > 0 {
  549. if err := json.Unmarshal(cfg.OutboundConfigs, &templateOutbounds); err != nil {
  550. // Corrupt template outbounds — do not touch the field at all.
  551. // The user will see problems on Xray start / next save.
  552. return
  553. }
  554. }
  555. var merged []any
  556. merged = append(merged, prepend...)
  557. merged = append(merged, templateOutbounds...)
  558. merged = append(merged, appendList...)
  559. combined, err := json.MarshalIndent(merged, "", " ")
  560. if err != nil {
  561. return
  562. }
  563. cfg.OutboundConfigs = json_util.RawMessage(combined)
  564. }
  565. // ensureAPIServices guarantees the gRPC services the panel depends on are
  566. // listed in the generated config's api block: HandlerService and StatsService
  567. // have always been required for inbound/user management and traffic polling,
  568. // and RoutingService enables hot routing reload on templates saved before it
  569. // was added to the default template. The stored template itself is not
  570. // modified — only the generated runtime config.
  571. func ensureAPIServices(api json_util.RawMessage) json_util.RawMessage {
  572. if len(api) == 0 {
  573. // No api block means the panel's API integration is deliberately
  574. // disabled; don't resurrect it behind the user's back.
  575. return api
  576. }
  577. var parsed map[string]any
  578. if err := json.Unmarshal(api, &parsed); err != nil {
  579. return api
  580. }
  581. services, _ := parsed["services"].([]any)
  582. have := make(map[string]bool, len(services))
  583. for _, svc := range services {
  584. if name, ok := svc.(string); ok {
  585. have[name] = true
  586. }
  587. }
  588. added := false
  589. for _, name := range []string{"HandlerService", "StatsService", "RoutingService"} {
  590. if !have[name] {
  591. services = append(services, name)
  592. added = true
  593. }
  594. }
  595. if !added {
  596. return api
  597. }
  598. parsed["services"] = services
  599. out, err := json.Marshal(parsed)
  600. if err != nil {
  601. return api
  602. }
  603. return out
  604. }
  605. // ensureStatsPolicy guarantees every policy level in the generated config has
  606. // statsUserOnline enabled, so the core tracks per-email online IPs for the
  607. // panel's online view and access-log-free IP limiting. Generated clients carry
  608. // no explicit level, so level "0" is created when absent. The flag is panel
  609. // infrastructure and is forced on even over an explicit false in the template,
  610. // same as the api services above. An entirely missing or unparsable policy
  611. // block is left alone; the stored template itself is never modified — only the
  612. // generated runtime config.
  613. func ensureStatsPolicy(policy json_util.RawMessage) json_util.RawMessage {
  614. if len(policy) == 0 {
  615. return policy
  616. }
  617. var parsed map[string]any
  618. if err := json.Unmarshal(policy, &parsed); err != nil {
  619. return policy
  620. }
  621. levels, _ := parsed["levels"].(map[string]any)
  622. if levels == nil {
  623. levels = make(map[string]any)
  624. }
  625. if _, ok := levels["0"]; !ok {
  626. levels["0"] = map[string]any{}
  627. }
  628. changed := false
  629. for _, raw := range levels {
  630. level, ok := raw.(map[string]any)
  631. if !ok {
  632. continue
  633. }
  634. if enabled, ok := level["statsUserOnline"].(bool); !ok || !enabled {
  635. level["statsUserOnline"] = true
  636. changed = true
  637. }
  638. }
  639. if !changed {
  640. return policy
  641. }
  642. parsed["levels"] = levels
  643. out, err := json.Marshal(parsed)
  644. if err != nil {
  645. return policy
  646. }
  647. return out
  648. }
  649. func resolveXrayLogPaths(logCfg json_util.RawMessage) json_util.RawMessage {
  650. if len(logCfg) == 0 {
  651. return logCfg
  652. }
  653. var parsed map[string]any
  654. if err := json.Unmarshal(logCfg, &parsed); err != nil {
  655. return logCfg
  656. }
  657. changed := false
  658. for _, key := range []string{"access", "error"} {
  659. v, ok := parsed[key].(string)
  660. if !ok {
  661. continue
  662. }
  663. trimmed := strings.TrimSpace(v)
  664. if trimmed == "" || strings.EqualFold(trimmed, "none") {
  665. continue
  666. }
  667. base := path.Base(filepath.ToSlash(trimmed))
  668. if base == "" || base == "." || base == ".." || base == "/" {
  669. continue
  670. }
  671. confined := filepath.Join(config.GetLogFolder(), base)
  672. if confined == trimmed {
  673. continue
  674. }
  675. parsed[key] = confined
  676. changed = true
  677. }
  678. if !changed {
  679. return logCfg
  680. }
  681. out, err := json.Marshal(parsed)
  682. if err != nil {
  683. return logCfg
  684. }
  685. return out
  686. }
  687. // stripDisabledRules removes routing rules marked `enabled: false` from the
  688. // generated runtime config and strips the panel-only `enabled` key from the
  689. // rest, since xray-core has no such field. The internal api rule is always
  690. // kept (see isApiRule) so traffic stats can't be toggled off. The stored
  691. // template is untouched — only the generated config is filtered.
  692. func stripDisabledRules(routerCfg json_util.RawMessage) json_util.RawMessage {
  693. if len(routerCfg) == 0 {
  694. return routerCfg
  695. }
  696. var parsed map[string]any
  697. if err := json.Unmarshal(routerCfg, &parsed); err != nil {
  698. return routerCfg
  699. }
  700. rules, ok := parsed["rules"].([]any)
  701. if !ok || len(rules) == 0 {
  702. return routerCfg
  703. }
  704. var activeRules []any
  705. changed := false
  706. for _, rawRule := range rules {
  707. rule, ok := rawRule.(map[string]any)
  708. if !ok {
  709. activeRules = append(activeRules, rawRule)
  710. continue
  711. }
  712. if enabledRaw, exists := rule["enabled"]; exists {
  713. // The internal api rule carries traffic stats and must never be
  714. // dropped, even if it was somehow marked disabled.
  715. enabled, ok := enabledRaw.(bool)
  716. if ok && !enabled && !isApiRule(rule) {
  717. changed = true
  718. continue
  719. }
  720. delete(rule, "enabled")
  721. changed = true
  722. }
  723. activeRules = append(activeRules, rule)
  724. }
  725. if !changed {
  726. return routerCfg
  727. }
  728. parsed["rules"] = activeRules
  729. out, err := json.Marshal(parsed)
  730. if err != nil {
  731. return routerCfg
  732. }
  733. return out
  734. }
  735. // GetXrayTraffic fetches the current traffic statistics from the running Xray process.
  736. func (s *XrayService) GetXrayTraffic() ([]*xray.Traffic, []*xray.ClientTraffic, error) {
  737. if !s.IsXrayRunning() {
  738. err := errors.New("xray is not running")
  739. logger.Debug("Attempted to fetch Xray traffic, but Xray is not running:", err)
  740. return nil, nil, err
  741. }
  742. apiPort := p.GetAPIPort()
  743. if err := s.xrayAPI.Init(apiPort); err != nil {
  744. logger.Debug("Failed to initialize Xray API:", err)
  745. return nil, nil, err
  746. }
  747. defer s.xrayAPI.Close()
  748. traffic, clientTraffic, err := s.xrayAPI.GetTraffic()
  749. if err != nil {
  750. logger.Debug("Failed to fetch Xray traffic:", err)
  751. return nil, nil, err
  752. }
  753. return traffic, clientTraffic, nil
  754. }
  755. // GetOnlineUsers returns connection-based online users (email + source IPs)
  756. // from the running core's online-stats API. ok=false means the API is not
  757. // available — xray isn't running or the core predates the online-stats RPCs —
  758. // and callers must use the legacy traffic-delta / access-log paths. The
  759. // capability is probed lazily per process: an Unimplemented answer pins this
  760. // core as unsupported until the next restart, while transient errors leave the
  761. // capability undecided so a flaky poll can't lock in legacy mode.
  762. func (s *XrayService) GetOnlineUsers() ([]xray.OnlineUser, bool, error) {
  763. if !s.IsXrayRunning() {
  764. return nil, false, nil
  765. }
  766. if p.OnlineAPISupport() == xray.OnlineAPIUnsupported {
  767. return nil, false, nil
  768. }
  769. if err := s.xrayAPI.Init(p.GetAPIPort()); err != nil {
  770. logger.Debug("Failed to initialize Xray API:", err)
  771. return nil, false, err
  772. }
  773. defer s.xrayAPI.Close()
  774. users, err := s.xrayAPI.GetOnlineUsers()
  775. if err != nil {
  776. if xray.IsUnimplementedErr(err) {
  777. p.SetOnlineAPISupport(xray.OnlineAPIUnsupported)
  778. logger.Info("xray core does not support the online-stats API; falling back to traffic-delta onlines and access-log IP limit")
  779. return nil, false, nil
  780. }
  781. logger.Debug("Failed to fetch Xray online users:", err)
  782. return nil, false, err
  783. }
  784. if p.OnlineAPISupport() == xray.OnlineAPIUnknown {
  785. p.SetOnlineAPISupport(xray.OnlineAPISupported)
  786. logger.Info("xray core supports the online-stats API; using connection-based onlines and access-log-free IP limit")
  787. }
  788. return users, true, nil
  789. }
  790. // BalancerStatus is the live view of one balancer for the panel UI. Running
  791. // is false when the balancer isn't present in the running core (e.g. xray is
  792. // stopped or the balancer hasn't been saved/applied yet).
  793. type BalancerStatus struct {
  794. Tag string `json:"tag"`
  795. Running bool `json:"running"`
  796. Override string `json:"override"`
  797. Selected []string `json:"selected"`
  798. }
  799. // GetBalancersStatus queries the running core for the live state of the
  800. // given balancer tags. Per-tag failures are reported as Running=false rather
  801. // than failing the whole call, so the UI can render saved-but-not-applied
  802. // balancers alongside live ones.
  803. func (s *XrayService) GetBalancersStatus(tags []string) ([]BalancerStatus, error) {
  804. statuses := make([]BalancerStatus, 0, len(tags))
  805. if !s.IsXrayRunning() {
  806. for _, tag := range tags {
  807. statuses = append(statuses, BalancerStatus{Tag: tag})
  808. }
  809. return statuses, nil
  810. }
  811. if err := s.xrayAPI.Init(p.GetAPIPort()); err != nil {
  812. return nil, err
  813. }
  814. defer s.xrayAPI.Close()
  815. for _, tag := range tags {
  816. info, err := s.xrayAPI.GetBalancerInfo(tag)
  817. if err != nil {
  818. logger.Debug("get balancer info [", tag, "] failed:", err)
  819. statuses = append(statuses, BalancerStatus{Tag: tag})
  820. continue
  821. }
  822. statuses = append(statuses, BalancerStatus{
  823. Tag: tag,
  824. Running: true,
  825. Override: info.Override,
  826. Selected: info.Selected,
  827. })
  828. }
  829. return statuses, nil
  830. }
  831. // OverrideBalancer forces a balancer in the running core to use the given
  832. // outbound tag; an empty target clears the override.
  833. func (s *XrayService) OverrideBalancer(tag, target string) error {
  834. if !s.IsXrayRunning() {
  835. return errors.New("xray is not running")
  836. }
  837. if err := s.xrayAPI.Init(p.GetAPIPort()); err != nil {
  838. return err
  839. }
  840. defer s.xrayAPI.Close()
  841. return s.xrayAPI.SetBalancerTarget(tag, target)
  842. }
  843. // TestRoute asks the running core which outbound its router picks for the
  844. // described connection.
  845. func (s *XrayService) TestRoute(req xray.RouteTestRequest) (*xray.RouteTestResult, error) {
  846. if !s.IsXrayRunning() {
  847. return nil, errors.New("xray is not running")
  848. }
  849. if err := s.xrayAPI.Init(p.GetAPIPort()); err != nil {
  850. return nil, err
  851. }
  852. defer s.xrayAPI.Close()
  853. return s.xrayAPI.TestRoute(req)
  854. }
  855. // RestartXray reconciles the running Xray process with the current desired
  856. // config. When isForce is false it first tries to apply the changes through
  857. // the Xray gRPC API without restarting the process (inbounds, outbounds and
  858. // routing rules/balancers are hot-reloadable); only changes the core cannot
  859. // take at runtime — or a force request — stop and restart the process.
  860. func (s *XrayService) RestartXray(isForce bool) error {
  861. lock.Lock()
  862. defer lock.Unlock()
  863. logger.Debug("restart Xray, force:", isForce)
  864. isManuallyStopped.Store(false)
  865. xrayConfig, err := s.GetXrayConfig()
  866. if err != nil {
  867. return err
  868. }
  869. if s.IsXrayRunning() {
  870. configUnchanged := p.GetConfig().Equals(xrayConfig)
  871. if !isForce && configUnchanged && !isNeedXrayRestart.Load() {
  872. logger.Debug("It does not need to restart Xray")
  873. return nil
  874. }
  875. if !isForce && !configUnchanged && s.tryHotApply(xrayConfig) {
  876. logger.Info("Xray config changes applied through the core API, no restart needed")
  877. return nil
  878. }
  879. _ = p.Stop()
  880. }
  881. p = xray.NewProcess(xrayConfig)
  882. result = ""
  883. s.xrayAPI.StatsLastValues = nil
  884. err = p.Start()
  885. if err != nil {
  886. return err
  887. }
  888. return nil
  889. }
  890. // tryHotApply attempts to reconcile the running Xray instance with newCfg
  891. // through the core gRPC API (HandlerService for inbounds/outbounds,
  892. // RoutingService for rules/balancers). It returns true when the running
  893. // instance now matches newCfg; on any failure it returns false and the
  894. // caller falls back to a full process restart, which cleans up whatever was
  895. // partially applied. Callers must hold the package-level lock.
  896. func (s *XrayService) tryHotApply(newCfg *xray.Config) bool {
  897. oldCfg := p.GetConfig()
  898. diff, ok := xray.ComputeHotDiff(oldCfg, newCfg)
  899. if !ok {
  900. logger.Debug("hot apply: config change is not API-applicable, falling back to restart")
  901. return false
  902. }
  903. if diff.Empty() {
  904. p.SetConfig(newCfg)
  905. return true
  906. }
  907. apiPort := p.GetAPIPort()
  908. if apiPort <= 0 {
  909. return false
  910. }
  911. // A dedicated client: s.xrayAPI may be in use by traffic polling on other
  912. // service instances and is reset around restarts.
  913. hotAPI := xray.XrayAPI{}
  914. if err := hotAPI.Init(apiPort); err != nil {
  915. logger.Debug("hot apply: failed to init xray api:", err)
  916. return false
  917. }
  918. defer hotAPI.Close()
  919. // Removals first so changed handlers and port swaps never collide with
  920. // the additions that follow.
  921. for _, u := range diff.RemovedUsers {
  922. if err := hotAPI.RemoveUser(u.Tag, u.Email); err != nil && !xray.IsMissingHandlerErr(err) {
  923. logger.Info("hot apply: remove user [", u.Email, "] from [", u.Tag, "] failed:", err)
  924. return false
  925. }
  926. }
  927. for _, tag := range diff.RemovedInboundTags {
  928. if err := hotAPI.DelInbound(tag); err != nil && !xray.IsMissingHandlerErr(err) {
  929. logger.Info("hot apply: remove inbound [", tag, "] failed:", err)
  930. return false
  931. }
  932. }
  933. for _, tag := range diff.RemovedOutboundTags {
  934. if err := hotAPI.DelOutbound(tag); err != nil && !xray.IsMissingHandlerErr(err) {
  935. logger.Info("hot apply: remove outbound [", tag, "] failed:", err)
  936. return false
  937. }
  938. }
  939. for _, ob := range diff.AddedOutbounds {
  940. if err := addOutboundReconciling(&hotAPI, ob); err != nil {
  941. logger.Info("hot apply: add outbound failed:", err)
  942. return false
  943. }
  944. }
  945. for _, ib := range diff.AddedInbounds {
  946. if err := addInboundReconciling(&hotAPI, ib); err != nil {
  947. logger.Info("hot apply: add inbound failed:", err)
  948. return false
  949. }
  950. }
  951. for _, u := range diff.AddedUsers {
  952. if err := addUserReconciling(&hotAPI, u); err != nil {
  953. logger.Info("hot apply: add user [", u.Email, "] to [", u.Tag, "] failed:", err)
  954. return false
  955. }
  956. }
  957. if diff.RoutingConfig != nil {
  958. if err := hotAPI.ApplyRoutingConfig(diff.RoutingConfig); err != nil {
  959. logger.Info("hot apply: apply routing config failed:", err)
  960. return false
  961. }
  962. }
  963. p.SetConfig(newCfg)
  964. return true
  965. }
  966. // addUserReconciling adds a user, and on an email conflict (the user was
  967. // already applied through the runtime API) replaces the existing user instead.
  968. func addUserReconciling(api *xray.XrayAPI, u xray.UserOp) error {
  969. err := api.AddUser(u.Protocol, u.Tag, u.User)
  970. if err == nil || !xray.IsUserExistsErr(err) {
  971. return err
  972. }
  973. if delErr := api.RemoveUser(u.Tag, u.Email); delErr != nil && !xray.IsMissingHandlerErr(delErr) {
  974. return delErr
  975. }
  976. return api.AddUser(u.Protocol, u.Tag, u.User)
  977. }
  978. // addInboundReconciling adds an inbound, and on a tag conflict (the handler
  979. // was already created through the runtime API while the stored snapshot was
  980. // stale) replaces the existing handler instead.
  981. func addInboundReconciling(api *xray.XrayAPI, inbound []byte) error {
  982. err := api.AddInbound(inbound)
  983. if err == nil || !xray.IsExistingTagErr(err) {
  984. return err
  985. }
  986. var meta struct {
  987. Tag string `json:"tag"`
  988. }
  989. if jsonErr := json.Unmarshal(inbound, &meta); jsonErr != nil || meta.Tag == "" {
  990. return err
  991. }
  992. if delErr := api.DelInbound(meta.Tag); delErr != nil && !xray.IsMissingHandlerErr(delErr) {
  993. return delErr
  994. }
  995. return api.AddInbound(inbound)
  996. }
  997. // addOutboundReconciling mirrors addInboundReconciling for outbounds.
  998. func addOutboundReconciling(api *xray.XrayAPI, outbound []byte) error {
  999. err := api.AddOutbound(outbound)
  1000. if err == nil || !xray.IsExistingTagErr(err) {
  1001. return err
  1002. }
  1003. var meta struct {
  1004. Tag string `json:"tag"`
  1005. }
  1006. if jsonErr := json.Unmarshal(outbound, &meta); jsonErr != nil || meta.Tag == "" {
  1007. return err
  1008. }
  1009. if delErr := api.DelOutbound(meta.Tag); delErr != nil && !xray.IsMissingHandlerErr(delErr) {
  1010. return delErr
  1011. }
  1012. return api.AddOutbound(outbound)
  1013. }
  1014. // StopXray stops the running Xray process.
  1015. func (s *XrayService) StopXray() error {
  1016. lock.Lock()
  1017. defer lock.Unlock()
  1018. isManuallyStopped.Store(true)
  1019. logger.Debug("Attempting to stop Xray...")
  1020. if s.IsXrayRunning() {
  1021. return p.Stop()
  1022. }
  1023. return errors.New("xray is not running")
  1024. }
  1025. // SetToNeedRestart marks that Xray needs to be restarted.
  1026. func (s *XrayService) SetToNeedRestart() {
  1027. isNeedXrayRestart.Store(true)
  1028. }
  1029. // GetXrayAPIPort returns the port the local xray process is listening on
  1030. // for its gRPC HandlerService, or 0 when xray isn't currently running.
  1031. // Exposed for the runtime package's LocalRuntime adapter — runtime can't
  1032. // reach into the package-level `p` directly without a service-package
  1033. // import cycle.
  1034. func (s *XrayService) GetXrayAPIPort() int {
  1035. if p == nil || !p.IsRunning() {
  1036. return 0
  1037. }
  1038. return p.GetAPIPort()
  1039. }
  1040. // IsNeedRestartAndSetFalse checks if restart is needed and resets the flag to false.
  1041. func (s *XrayService) IsNeedRestartAndSetFalse() bool {
  1042. return isNeedXrayRestart.CompareAndSwap(true, false)
  1043. }
  1044. // DidXrayCrash checks if Xray crashed by verifying it's not running and wasn't manually stopped.
  1045. func (s *XrayService) DidXrayCrash() bool {
  1046. return !s.IsXrayRunning() && !isManuallyStopped.Load()
  1047. }
  1048. // liftXhttpSessionIDKeys renames the legacy XHTTP session keys
  1049. // (sessionPlacement/sessionKey) to the v26.6.22 #6258 names
  1050. // (sessionIDPlacement/sessionIDKey) inside a streamSettings map. xray-core kept
  1051. // no fallback for the old names, so a config stored before the rename would be
  1052. // silently ignored by the engine. Returns true if it changed anything.
  1053. func liftXhttpSessionIDKeys(stream map[string]any) bool {
  1054. xhttp, ok := stream["xhttpSettings"].(map[string]any)
  1055. if !ok {
  1056. return false
  1057. }
  1058. changed := false
  1059. for legacy, renamed := range map[string]string{
  1060. "sessionPlacement": "sessionIDPlacement",
  1061. "sessionKey": "sessionIDKey",
  1062. } {
  1063. v, has := xhttp[legacy]
  1064. if !has {
  1065. continue
  1066. }
  1067. if _, exists := xhttp[renamed]; !exists {
  1068. xhttp[renamed] = v
  1069. }
  1070. delete(xhttp, legacy)
  1071. changed = true
  1072. }
  1073. return changed
  1074. }
  1075. // liftOutboundsXhttpSessionIDKeys applies liftXhttpSessionIDKeys to every
  1076. // outbound's streamSettings in the raw outbounds array. The original bytes are
  1077. // returned untouched when nothing needs lifting, so an unchanged config never
  1078. // looks modified to the hot-reload diff.
  1079. func liftOutboundsXhttpSessionIDKeys(raw json_util.RawMessage) json_util.RawMessage {
  1080. if len(raw) == 0 {
  1081. return raw
  1082. }
  1083. var outbounds []map[string]any
  1084. if err := json.Unmarshal(raw, &outbounds); err != nil {
  1085. return raw
  1086. }
  1087. changed := false
  1088. for _, ob := range outbounds {
  1089. if stream, ok := ob["streamSettings"].(map[string]any); ok {
  1090. if liftXhttpSessionIDKeys(stream) {
  1091. changed = true
  1092. }
  1093. }
  1094. }
  1095. if !changed {
  1096. return raw
  1097. }
  1098. if rewritten, err := json.Marshal(outbounds); err == nil {
  1099. return rewritten
  1100. }
  1101. return raw
  1102. }