update.sh 51 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216
  1. #!/bin/bash
  2. red='\033[0;31m'
  3. green='\033[0;32m'
  4. blue='\033[0;34m'
  5. yellow='\033[0;33m'
  6. plain='\033[0m'
  7. xui_folder="${XUI_MAIN_FOLDER:=/usr/local/x-ui}"
  8. xui_service="${XUI_SERVICE:=/etc/systemd/system}"
  9. # Don't edit this config
  10. b_source="${BASH_SOURCE[0]}"
  11. while [ -h "$b_source" ]; do
  12. b_dir="$(cd -P "$(dirname "$b_source")" > /dev/null 2>&1 && pwd || pwd -P)"
  13. b_source="$(readlink "$b_source")"
  14. [[ $b_source != /* ]] && b_source="$b_dir/$b_source"
  15. done
  16. cur_dir="$(cd -P "$(dirname "$b_source")" > /dev/null 2>&1 && pwd || pwd -P)"
  17. script_name=$(basename "$0")
  18. # Check command exist function
  19. _command_exists() {
  20. type "$1" &> /dev/null
  21. }
  22. # Fail, log and exit script function
  23. _fail() {
  24. local msg=${1}
  25. echo -e "${red}${msg}${plain}"
  26. exit 2
  27. }
  28. # Records this run's outcome for the panel's web updater to poll, since it
  29. # launches this script detached and has no other way to learn whether it
  30. # finished. Written to a fixed path outside XUI_MAIN_FOLDER so it survives
  31. # the update regardless of what happens to that folder. The EXIT trap below
  32. # covers every exit path in this file, including the bare `exit 1`/`exit 2`
  33. # calls that don't go through _fail.
  34. xui_update_run_id="${XUI_UPDATE_RUN_ID:-0}"
  35. [[ "${xui_update_run_id}" =~ ^[0-9]+$ ]] || xui_update_run_id="0"
  36. xui_update_status_file="${XUI_UPDATE_STATUS_FILE:-/etc/x-ui/update-status.json}"
  37. _write_update_status() {
  38. local state="$1"
  39. local exit_code="$2"
  40. local status_dir
  41. status_dir="$(dirname "${xui_update_status_file}")"
  42. mkdir -p "${status_dir}" > /dev/null 2>&1
  43. local tmp_file="${xui_update_status_file}.tmp.$$"
  44. printf '{"runId":"%s","state":"%s","exitCode":%s,"finishedAt":%s}\n' \
  45. "${xui_update_run_id}" "${state}" "${exit_code}" "$(date +%s)" > "${tmp_file}" 2> /dev/null
  46. mv -f "${tmp_file}" "${xui_update_status_file}" > /dev/null 2>&1
  47. }
  48. _report_update_exit() {
  49. local code=$?
  50. if [[ "${code}" -eq 0 ]]; then
  51. _write_update_status "success" "0"
  52. else
  53. _write_update_status "failed" "${code}"
  54. fi
  55. }
  56. trap _report_update_exit EXIT
  57. trap 'exit 143' TERM
  58. trap 'exit 130' INT
  59. # check root
  60. [[ $EUID -ne 0 ]] && _fail "FATAL ERROR: Please run this script with root privilege."
  61. if _command_exists curl; then
  62. curl_bin=$(which curl)
  63. else
  64. _fail "ERROR: Command 'curl' not found."
  65. fi
  66. # Check OS and set release variable
  67. if [[ -f /etc/os-release ]]; then
  68. source /etc/os-release
  69. release=$ID
  70. elif [[ -f /usr/lib/os-release ]]; then
  71. source /usr/lib/os-release
  72. release=$ID
  73. else
  74. _fail "Failed to check the system OS, please contact the author!"
  75. fi
  76. echo "The OS release is: $release"
  77. arch() {
  78. case "$(uname -m)" in
  79. x86_64 | x64 | amd64) echo 'amd64' ;;
  80. i*86 | x86) echo '386' ;;
  81. armv8* | armv8 | arm64 | aarch64) echo 'arm64' ;;
  82. armv7* | armv7 | arm) echo 'armv7' ;;
  83. armv6* | armv6) echo 'armv6' ;;
  84. armv5* | armv5) echo 'armv5' ;;
  85. s390x) echo 's390x' ;;
  86. *) echo -e "${red}Unsupported CPU architecture!${plain}" && rm -f "${cur_dir}/${script_name}" > /dev/null 2>&1 && exit 2 ;;
  87. esac
  88. }
  89. echo "Arch: $(arch)"
  90. # Simple helpers
  91. is_ipv4() {
  92. [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1
  93. }
  94. is_ipv6() {
  95. [[ "$1" =~ : ]] && return 0 || return 1
  96. }
  97. is_ip() {
  98. is_ipv4 "$1" || is_ipv6 "$1"
  99. }
  100. is_domain() {
  101. [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1
  102. }
  103. # acme.sh's standalone server binds IPv4 by default; --listen-v6 makes it
  104. # v6-only, which breaks HTTP-01 validation when the domain's A record points
  105. # at this host's IPv4 (#4994). Only force IPv6 when the host has no global
  106. # IPv4 address at all.
  107. acme_listen_flag() {
  108. if ip -4 addr show scope global 2> /dev/null | grep -q "inet "; then
  109. echo ""
  110. else
  111. echo "--listen-v6"
  112. fi
  113. }
  114. # Port helpers
  115. is_port_in_use() {
  116. local port="$1"
  117. if command -v ss > /dev/null 2>&1; then
  118. ss -ltn 2> /dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}'
  119. return
  120. fi
  121. if command -v netstat > /dev/null 2>&1; then
  122. netstat -lnt 2> /dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}'
  123. return
  124. fi
  125. if command -v lsof > /dev/null 2>&1; then
  126. lsof -nP -iTCP:${port} -sTCP:LISTEN > /dev/null 2>&1 && return 0
  127. fi
  128. return 1
  129. }
  130. gen_random_string() {
  131. local length="$1"
  132. openssl rand -base64 $((length * 2)) \
  133. | tr -dc 'a-zA-Z0-9' \
  134. | head -c "$length"
  135. }
  136. xui_env_file_path() {
  137. case "${release}" in
  138. ubuntu | debian | armbian)
  139. echo "/etc/default/x-ui"
  140. ;;
  141. arch | manjaro | parch | alpine)
  142. echo "/etc/conf.d/x-ui"
  143. ;;
  144. *)
  145. echo "/etc/sysconfig/x-ui"
  146. ;;
  147. esac
  148. }
  149. load_xui_env() {
  150. local env_file
  151. env_file="$(xui_env_file_path)"
  152. if [[ -r "$env_file" ]]; then
  153. set -a
  154. # shellcheck disable=SC1090
  155. source "$env_file"
  156. set +a
  157. fi
  158. }
  159. install_base() {
  160. echo -e "${green}Updating and install dependency packages...${plain}"
  161. case "${release}" in
  162. ubuntu | debian | armbian)
  163. apt-get update > /dev/null 2>&1 && apt-get install -y -q cron curl tar tzdata socat openssl > /dev/null 2>&1
  164. ;;
  165. fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
  166. dnf makecache -y > /dev/null 2>&1 && dnf install -y -q cronie curl tar tzdata socat openssl > /dev/null 2>&1
  167. ;;
  168. centos)
  169. if [[ "${VERSION_ID}" =~ ^7 ]]; then
  170. yum makecache -y > /dev/null 2>&1 && yum install -y -q cronie curl tar tzdata socat openssl > /dev/null 2>&1
  171. else
  172. dnf makecache -y > /dev/null 2>&1 && dnf install -y -q cronie curl tar tzdata socat openssl > /dev/null 2>&1
  173. fi
  174. ;;
  175. arch | manjaro | parch)
  176. pacman -Sy --noconfirm cronie curl tar tzdata socat openssl > /dev/null 2>&1
  177. ;;
  178. opensuse-tumbleweed | opensuse-leap)
  179. zypper refresh > /dev/null 2>&1 && zypper -q install -y cron curl tar timezone socat openssl > /dev/null 2>&1
  180. ;;
  181. alpine)
  182. apk update > /dev/null 2>&1 && apk add dcron curl tar tzdata socat openssl > /dev/null 2>&1
  183. ;;
  184. *)
  185. apt-get update > /dev/null 2>&1 && apt install -y -q cron curl tar tzdata socat openssl > /dev/null 2>&1
  186. ;;
  187. esac
  188. }
  189. install_acme() {
  190. echo -e "${green}Installing acme.sh for SSL certificate management...${plain}"
  191. cd ~ || return 1
  192. curl -s https://get.acme.sh | sh > /dev/null 2>&1
  193. if [ $? -ne 0 ]; then
  194. echo -e "${red}Failed to install acme.sh${plain}"
  195. return 1
  196. else
  197. echo -e "${green}acme.sh installed successfully${plain}"
  198. fi
  199. return 0
  200. }
  201. setup_ssl_certificate() {
  202. local domain="$1"
  203. local server_ip="$2"
  204. local existing_port="$3"
  205. local existing_webBasePath="$4"
  206. echo -e "${green}Setting up SSL certificate...${plain}"
  207. # Check if acme.sh is installed
  208. if ! command -v ~/.acme.sh/acme.sh &> /dev/null; then
  209. install_acme
  210. if [ $? -ne 0 ]; then
  211. echo -e "${yellow}Failed to install acme.sh, skipping SSL setup${plain}"
  212. return 1
  213. fi
  214. fi
  215. # Create certificate directory
  216. local certPath="/root/cert/${domain}"
  217. mkdir -p "$certPath"
  218. # Issue certificate
  219. echo -e "${green}Issuing SSL certificate for ${domain}...${plain}"
  220. echo -e "${yellow}Note: Port 80 must be open and accessible from the internet${plain}"
  221. ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force > /dev/null 2>&1
  222. ~/.acme.sh/acme.sh --issue -d ${domain} $(acme_listen_flag) --standalone --httpport 80 --force
  223. if [ $? -ne 0 ]; then
  224. echo -e "${yellow}Failed to issue certificate for ${domain}${plain}"
  225. echo -e "${yellow}Please ensure port 80 is open and try again later with: x-ui${plain}"
  226. rm -rf ~/.acme.sh/${domain} 2> /dev/null
  227. rm -rf "$certPath" 2> /dev/null
  228. return 1
  229. fi
  230. # Install certificate
  231. ~/.acme.sh/acme.sh --installcert --force -d ${domain} \
  232. --key-file /root/cert/${domain}/privkey.pem \
  233. --fullchain-file /root/cert/${domain}/fullchain.pem \
  234. --reloadcmd "systemctl restart x-ui" > /dev/null 2>&1
  235. if [ $? -ne 0 ]; then
  236. echo -e "${yellow}Failed to install certificate${plain}"
  237. return 1
  238. fi
  239. # Enable auto-renew
  240. ~/.acme.sh/acme.sh --upgrade --auto-upgrade > /dev/null 2>&1
  241. chmod 600 $certPath/privkey.pem 2> /dev/null
  242. chmod 644 $certPath/fullchain.pem 2> /dev/null
  243. # Set certificate for panel
  244. local webCertFile="/root/cert/${domain}/fullchain.pem"
  245. local webKeyFile="/root/cert/${domain}/privkey.pem"
  246. if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
  247. ${xui_folder}/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile" > /dev/null 2>&1
  248. echo -e "${green}SSL certificate installed and configured successfully!${plain}"
  249. return 0
  250. else
  251. echo -e "${yellow}Certificate files not found${plain}"
  252. return 1
  253. fi
  254. }
  255. # Issue Let's Encrypt IP certificate with shortlived profile (~6 days validity)
  256. # Requires acme.sh and port 80 open for HTTP-01 challenge
  257. setup_ip_certificate() {
  258. local ipv4="$1"
  259. local ipv6="$2" # optional
  260. echo -e "${green}Setting up Let's Encrypt IP certificate (shortlived profile)...${plain}"
  261. echo -e "${yellow}Note: IP certificates are valid for ~6 days and will auto-renew.${plain}"
  262. echo -e "${yellow}Default listener is port 80. If you choose another port, ensure external port 80 forwards to it.${plain}"
  263. # Check for acme.sh
  264. if ! command -v ~/.acme.sh/acme.sh &> /dev/null; then
  265. install_acme
  266. if [ $? -ne 0 ]; then
  267. echo -e "${red}Failed to install acme.sh${plain}"
  268. return 1
  269. fi
  270. fi
  271. # Validate IP address
  272. if [[ -z "$ipv4" ]]; then
  273. echo -e "${red}IPv4 address is required${plain}"
  274. return 1
  275. fi
  276. if ! is_ipv4 "$ipv4"; then
  277. echo -e "${red}Invalid IPv4 address: $ipv4${plain}"
  278. return 1
  279. fi
  280. # Create certificate directory
  281. local certDir="/root/cert/ip"
  282. mkdir -p "$certDir"
  283. # Build domain arguments
  284. local domain_args="-d ${ipv4}"
  285. if [[ -n "$ipv6" ]] && is_ipv6 "$ipv6"; then
  286. domain_args="${domain_args} -d ${ipv6}"
  287. echo -e "${green}Including IPv6 address: ${ipv6}${plain}"
  288. fi
  289. # Set reload command for auto-renewal (add || true so it doesn't fail if service stopped)
  290. local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true"
  291. # Choose port for HTTP-01 listener (default 80, prompt override)
  292. local WebPort=""
  293. read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort
  294. WebPort="${WebPort:-80}"
  295. if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then
  296. echo -e "${red}Invalid port provided. Falling back to 80.${plain}"
  297. WebPort=80
  298. fi
  299. echo -e "${green}Using port ${WebPort} for standalone validation.${plain}"
  300. if [[ "${WebPort}" -ne 80 ]]; then
  301. echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}"
  302. fi
  303. # Ensure chosen port is available
  304. while true; do
  305. if is_port_in_use "${WebPort}"; then
  306. echo -e "${yellow}Port ${WebPort} is currently in use.${plain}"
  307. local alt_port=""
  308. read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port
  309. alt_port="${alt_port// /}"
  310. if [[ -z "${alt_port}" ]]; then
  311. echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}"
  312. return 1
  313. fi
  314. if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then
  315. echo -e "${red}Invalid port provided.${plain}"
  316. return 1
  317. fi
  318. WebPort="${alt_port}"
  319. continue
  320. else
  321. echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}"
  322. break
  323. fi
  324. done
  325. # Issue certificate with shortlived profile
  326. echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}"
  327. ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force > /dev/null 2>&1
  328. ~/.acme.sh/acme.sh --issue \
  329. ${domain_args} \
  330. --standalone \
  331. --server letsencrypt \
  332. --certificate-profile shortlived \
  333. --days 6 \
  334. --httpport ${WebPort} \
  335. --force
  336. if [ $? -ne 0 ]; then
  337. echo -e "${red}Failed to issue IP certificate${plain}"
  338. echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}"
  339. # Cleanup acme.sh data for both IPv4 and IPv6 if specified
  340. rm -rf ~/.acme.sh/${ipv4} 2> /dev/null
  341. [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2> /dev/null
  342. rm -rf ${certDir} 2> /dev/null
  343. return 1
  344. fi
  345. echo -e "${green}Certificate issued successfully, installing...${plain}"
  346. # Install certificate
  347. # Note: acme.sh may report "Reload error" and exit non-zero if reloadcmd fails,
  348. # but the cert files are still installed. We check for files instead of exit code.
  349. ~/.acme.sh/acme.sh --installcert --force -d ${ipv4} \
  350. --key-file "${certDir}/privkey.pem" \
  351. --fullchain-file "${certDir}/fullchain.pem" \
  352. --reloadcmd "${reloadCmd}" 2>&1 || true
  353. # Verify certificate files exist (don't rely on exit code - reloadcmd failure causes non-zero)
  354. if [[ ! -f "${certDir}/fullchain.pem" || ! -f "${certDir}/privkey.pem" ]]; then
  355. echo -e "${red}Certificate files not found after installation${plain}"
  356. # Cleanup acme.sh data for both IPv4 and IPv6 if specified
  357. rm -rf ~/.acme.sh/${ipv4} 2> /dev/null
  358. [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2> /dev/null
  359. rm -rf ${certDir} 2> /dev/null
  360. return 1
  361. fi
  362. echo -e "${green}Certificate files installed successfully${plain}"
  363. # Enable auto-upgrade for acme.sh (ensures cron job runs)
  364. ~/.acme.sh/acme.sh --upgrade --auto-upgrade > /dev/null 2>&1
  365. chmod 600 ${certDir}/privkey.pem 2> /dev/null
  366. chmod 644 ${certDir}/fullchain.pem 2> /dev/null
  367. # Configure panel to use the certificate
  368. echo -e "${green}Setting certificate paths for the panel...${plain}"
  369. ${xui_folder}/x-ui cert -webCert "${certDir}/fullchain.pem" -webCertKey "${certDir}/privkey.pem"
  370. if [ $? -ne 0 ]; then
  371. echo -e "${yellow}Warning: Could not set certificate paths automatically.${plain}"
  372. echo -e "${yellow}You may need to set them manually in the panel settings.${plain}"
  373. echo -e "${yellow}Cert path: ${certDir}/fullchain.pem${plain}"
  374. echo -e "${yellow}Key path: ${certDir}/privkey.pem${plain}"
  375. else
  376. echo -e "${green}Certificate paths set successfully!${plain}"
  377. fi
  378. echo -e "${green}IP certificate installed and configured successfully!${plain}"
  379. echo -e "${green}Certificate valid for ~6 days, auto-renews via acme.sh cron job.${plain}"
  380. echo -e "${yellow}Panel will automatically restart after each renewal.${plain}"
  381. return 0
  382. }
  383. # Comprehensive manual SSL certificate issuance via acme.sh
  384. ssl_cert_issue() {
  385. local existing_webBasePath=$(${xui_folder}/x-ui setting -show true | grep 'webBasePath:' | awk -F': ' '{print $2}' | tr -d '[:space:]' | sed 's#^/##')
  386. local existing_port=$(${xui_folder}/x-ui setting -show true | grep 'port:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
  387. # check for acme.sh first
  388. if ! command -v ~/.acme.sh/acme.sh &> /dev/null; then
  389. echo "acme.sh could not be found. Installing now..."
  390. cd ~ || return 1
  391. curl -s https://get.acme.sh | sh
  392. if [ $? -ne 0 ]; then
  393. echo -e "${red}Failed to install acme.sh${plain}"
  394. return 1
  395. else
  396. echo -e "${green}acme.sh installed successfully${plain}"
  397. fi
  398. fi
  399. # get the domain here, and we need to verify it
  400. local domain=""
  401. while true; do
  402. read -rp "Please enter your domain name: " domain
  403. domain="${domain// /}" # Trim whitespace
  404. if [[ -z "$domain" ]]; then
  405. echo -e "${red}Domain name cannot be empty. Please try again.${plain}"
  406. continue
  407. fi
  408. if ! is_domain "$domain"; then
  409. echo -e "${red}Invalid domain format: ${domain}. Please enter a valid domain name.${plain}"
  410. continue
  411. fi
  412. break
  413. done
  414. echo -e "${green}Your domain is: ${domain}, checking it...${plain}"
  415. SSL_ISSUED_DOMAIN="${domain}"
  416. # detect existing certificate and reuse it if present
  417. local cert_exists=0
  418. if ~/.acme.sh/acme.sh --list 2> /dev/null | awk '{print $1}' | grep -Fxq "${domain}"; then
  419. cert_exists=1
  420. local certInfo=$(~/.acme.sh/acme.sh --list 2> /dev/null | grep -F "${domain}")
  421. echo -e "${yellow}Existing certificate found for ${domain}, will reuse it.${plain}"
  422. [[ -n "${certInfo}" ]] && echo "$certInfo"
  423. else
  424. echo -e "${green}Your domain is ready for issuing certificates now...${plain}"
  425. fi
  426. # create a directory for the certificate
  427. certPath="/root/cert/${domain}"
  428. if [ ! -d "$certPath" ]; then
  429. mkdir -p "$certPath"
  430. else
  431. rm -rf "$certPath"
  432. mkdir -p "$certPath"
  433. fi
  434. # get the port number for the standalone server
  435. local WebPort=80
  436. read -rp "Please choose which port to use (default is 80): " WebPort
  437. if [[ -z ${WebPort} ]]; then
  438. WebPort=80
  439. elif [[ ! ${WebPort} =~ ^[1-9][0-9]*$ || ${WebPort} -gt 65535 ]]; then
  440. echo -e "${yellow}Your input ${WebPort} is invalid, will use default port 80.${plain}"
  441. WebPort=80
  442. fi
  443. echo -e "${green}Will use port: ${WebPort} to issue certificates. Please make sure this port is open.${plain}"
  444. # Stop panel temporarily
  445. echo -e "${yellow}Stopping panel temporarily...${plain}"
  446. systemctl stop x-ui 2> /dev/null || rc-service x-ui stop 2> /dev/null
  447. if [[ ${cert_exists} -eq 0 ]]; then
  448. # issue the certificate
  449. ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
  450. ~/.acme.sh/acme.sh --issue -d ${domain} $(acme_listen_flag) --standalone --httpport ${WebPort} --force
  451. if [ $? -ne 0 ]; then
  452. echo -e "${red}Issuing certificate failed, please check logs.${plain}"
  453. rm -rf ~/.acme.sh/${domain}
  454. systemctl start x-ui 2> /dev/null || rc-service x-ui start 2> /dev/null
  455. return 1
  456. else
  457. echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}"
  458. fi
  459. else
  460. echo -e "${green}Using existing certificate, installing certificates...${plain}"
  461. fi
  462. # Setup reload command
  463. reloadCmd="systemctl restart x-ui || rc-service x-ui restart"
  464. echo -e "${green}Default --reloadcmd for ACME is: ${yellow}systemctl restart x-ui || rc-service x-ui restart${plain}"
  465. echo -e "${green}This command will run on every certificate issue and renew.${plain}"
  466. read -rp "Would you like to modify --reloadcmd for ACME? (y/n): " setReloadcmd
  467. if [[ "$setReloadcmd" == "y" || "$setReloadcmd" == "Y" ]]; then
  468. echo -e "\n${green}\t1.${plain} Preset: systemctl reload nginx ; systemctl restart x-ui"
  469. echo -e "${green}\t2.${plain} Input your own command"
  470. echo -e "${green}\t0.${plain} Keep default reloadcmd"
  471. read -rp "Choose an option: " choice
  472. case "$choice" in
  473. 1)
  474. echo -e "${green}Reloadcmd is: systemctl reload nginx ; systemctl restart x-ui${plain}"
  475. reloadCmd="systemctl reload nginx ; systemctl restart x-ui"
  476. ;;
  477. 2)
  478. echo -e "${yellow}It's recommended to put x-ui restart at the end${plain}"
  479. read -rp "Please enter your custom reloadcmd: " reloadCmd
  480. echo -e "${green}Reloadcmd is: ${reloadCmd}${plain}"
  481. ;;
  482. *)
  483. echo -e "${green}Keeping default reloadcmd${plain}"
  484. ;;
  485. esac
  486. fi
  487. # install the certificate
  488. local installOutput=""
  489. installOutput=$(~/.acme.sh/acme.sh --installcert --force -d ${domain} \
  490. --key-file /root/cert/${domain}/privkey.pem \
  491. --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" 2>&1)
  492. local installRc=$?
  493. echo "${installOutput}"
  494. local installWroteFiles=0
  495. if echo "${installOutput}" | grep -q "Installing key to:" && echo "${installOutput}" | grep -q "Installing full chain to:"; then
  496. installWroteFiles=1
  497. fi
  498. if [[ -f "/root/cert/${domain}/privkey.pem" && -f "/root/cert/${domain}/fullchain.pem" && (${installRc} -eq 0 || ${installWroteFiles} -eq 1) ]]; then
  499. echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}"
  500. else
  501. echo -e "${red}Installing certificate failed, exiting.${plain}"
  502. if [[ ${cert_exists} -eq 0 ]]; then
  503. rm -rf ~/.acme.sh/${domain}
  504. fi
  505. systemctl start x-ui 2> /dev/null || rc-service x-ui start 2> /dev/null
  506. return 1
  507. fi
  508. # enable auto-renew
  509. ~/.acme.sh/acme.sh --upgrade --auto-upgrade
  510. if [ $? -ne 0 ]; then
  511. echo -e "${yellow}Auto renew setup had issues, certificate details:${plain}"
  512. ls -lah /root/cert/${domain}/
  513. chmod 600 $certPath/privkey.pem
  514. chmod 644 $certPath/fullchain.pem
  515. else
  516. echo -e "${green}Auto renew succeeded, certificate details:${plain}"
  517. ls -lah /root/cert/${domain}/
  518. chmod 600 $certPath/privkey.pem
  519. chmod 644 $certPath/fullchain.pem
  520. fi
  521. # Restart panel
  522. systemctl start x-ui 2> /dev/null || rc-service x-ui start 2> /dev/null
  523. # Prompt user to set panel paths after successful certificate installation
  524. read -rp "Would you like to set this certificate for the panel? (y/n): " setPanel
  525. if [[ "$setPanel" == "y" || "$setPanel" == "Y" ]]; then
  526. local webCertFile="/root/cert/${domain}/fullchain.pem"
  527. local webKeyFile="/root/cert/${domain}/privkey.pem"
  528. if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
  529. ${xui_folder}/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile"
  530. echo -e "${green}Certificate paths set for the panel${plain}"
  531. echo -e "${green}Certificate File: $webCertFile${plain}"
  532. echo -e "${green}Private Key File: $webKeyFile${plain}"
  533. echo ""
  534. echo -e "${green}Access URL: https://${domain}:${existing_port}/${existing_webBasePath}${plain}"
  535. echo -e "${yellow}Panel will restart to apply SSL certificate...${plain}"
  536. systemctl restart x-ui 2> /dev/null || rc-service x-ui restart 2> /dev/null
  537. else
  538. echo -e "${red}Error: Certificate or private key file not found for domain: $domain.${plain}"
  539. fi
  540. else
  541. echo -e "${yellow}Skipping panel path setting.${plain}"
  542. fi
  543. return 0
  544. }
  545. # Unified interactive SSL setup (domain or IP)
  546. # Sets global `SSL_HOST` to the chosen domain/IP
  547. prompt_and_setup_ssl() {
  548. local panel_port="$1"
  549. local web_base_path="$2" # expected without leading slash
  550. local server_ip="$3"
  551. local ssl_choice=""
  552. echo -e "${yellow}Choose SSL certificate setup method:${plain}"
  553. echo -e "${green}1.${plain} Let's Encrypt for Domain (90-day validity, auto-renews)"
  554. echo -e "${green}2.${plain} Let's Encrypt for IP Address (6-day validity, auto-renews)"
  555. echo -e "${green}3.${plain} Custom SSL Certificate (Path to existing files)"
  556. echo -e "${green}4.${plain} Skip SSL (advanced — behind reverse proxy / SSH tunnel only)"
  557. echo -e "${blue}Note:${plain} Options 1 & 2 require port 80 open. Option 3 requires manual paths."
  558. echo -e "${blue}Note:${plain} Option 4 serves the panel over plain HTTP — only safe behind nginx/Caddy or an SSH tunnel."
  559. read -rp "Choose an option (default 2 for IP): " ssl_choice
  560. ssl_choice="${ssl_choice// /}" # Trim whitespace
  561. # Default to 2 (IP cert) if input is empty or invalid (not 1, 3 or 4)
  562. if [[ "$ssl_choice" != "1" && "$ssl_choice" != "3" && "$ssl_choice" != "4" ]]; then
  563. ssl_choice="2"
  564. fi
  565. case "$ssl_choice" in
  566. 1)
  567. # User chose Let's Encrypt domain option
  568. echo -e "${green}Using Let's Encrypt for domain certificate...${plain}"
  569. if ssl_cert_issue; then
  570. local cert_domain="${SSL_ISSUED_DOMAIN}"
  571. if [[ -z "${cert_domain}" ]]; then
  572. cert_domain=$(~/.acme.sh/acme.sh --list 2> /dev/null | tail -1 | awk '{print $1}')
  573. fi
  574. if [[ -n "${cert_domain}" ]]; then
  575. SSL_HOST="${cert_domain}"
  576. echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}"
  577. else
  578. echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}"
  579. SSL_HOST="${server_ip}"
  580. fi
  581. else
  582. echo -e "${red}SSL certificate setup failed for domain mode.${plain}"
  583. SSL_HOST="${server_ip}"
  584. fi
  585. ;;
  586. 2)
  587. # User chose Let's Encrypt IP certificate option
  588. echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}"
  589. # Ask for optional IPv6
  590. local ipv6_addr=""
  591. read -rp "Do you have an IPv6 address to include? (leave empty to skip): " ipv6_addr
  592. ipv6_addr="${ipv6_addr// /}" # Trim whitespace
  593. # Stop panel if running (port 80 needed)
  594. if [[ $release == "alpine" ]]; then
  595. rc-service x-ui stop > /dev/null 2>&1
  596. else
  597. systemctl stop x-ui > /dev/null 2>&1
  598. fi
  599. setup_ip_certificate "${server_ip}" "${ipv6_addr}"
  600. if [ $? -eq 0 ]; then
  601. SSL_HOST="${server_ip}"
  602. echo -e "${green}✓ Let's Encrypt IP certificate configured successfully${plain}"
  603. else
  604. echo -e "${red}✗ IP certificate setup failed. Please check port 80 is open.${plain}"
  605. SSL_HOST="${server_ip}"
  606. fi
  607. # Restart panel after SSL is configured (restart applies new cert settings)
  608. if [[ $release == "alpine" ]]; then
  609. rc-service x-ui restart > /dev/null 2>&1
  610. else
  611. systemctl restart x-ui > /dev/null 2>&1
  612. fi
  613. ;;
  614. 3)
  615. # User chose Custom Paths (User Provided) option
  616. echo -e "${green}Using custom existing certificate...${plain}"
  617. local custom_cert=""
  618. local custom_key=""
  619. local custom_domain=""
  620. # 3.1 Request Domain to compose Panel URL later
  621. read -rp "Please enter domain name certificate issued for: " custom_domain
  622. custom_domain="${custom_domain// /}" # Remove spaces
  623. # 3.2 Loop for Certificate Path
  624. while true; do
  625. read -rp "Input certificate path (keywords: .crt / fullchain): " custom_cert
  626. # Strip quotes if present
  627. custom_cert=$(echo "$custom_cert" | tr -d '"' | tr -d "'")
  628. if [[ -f "$custom_cert" && -r "$custom_cert" && -s "$custom_cert" ]]; then
  629. break
  630. elif [[ ! -f "$custom_cert" ]]; then
  631. echo -e "${red}Error: File does not exist! Try again.${plain}"
  632. elif [[ ! -r "$custom_cert" ]]; then
  633. echo -e "${red}Error: File exists but is not readable (check permissions)!${plain}"
  634. else
  635. echo -e "${red}Error: File is empty!${plain}"
  636. fi
  637. done
  638. # 3.3 Loop for Private Key Path
  639. while true; do
  640. read -rp "Input private key path (keywords: .key / privatekey): " custom_key
  641. # Strip quotes if present
  642. custom_key=$(echo "$custom_key" | tr -d '"' | tr -d "'")
  643. if [[ -f "$custom_key" && -r "$custom_key" && -s "$custom_key" ]]; then
  644. break
  645. elif [[ ! -f "$custom_key" ]]; then
  646. echo -e "${red}Error: File does not exist! Try again.${plain}"
  647. elif [[ ! -r "$custom_key" ]]; then
  648. echo -e "${red}Error: File exists but is not readable (check permissions)!${plain}"
  649. else
  650. echo -e "${red}Error: File is empty!${plain}"
  651. fi
  652. done
  653. # 3.4 Apply Settings via x-ui binary
  654. ${xui_folder}/x-ui cert -webCert "$custom_cert" -webCertKey "$custom_key" > /dev/null 2>&1
  655. # Set SSL_HOST for composing Panel URL
  656. if [[ -n "$custom_domain" ]]; then
  657. SSL_HOST="$custom_domain"
  658. else
  659. SSL_HOST="${server_ip}"
  660. fi
  661. echo -e "${green}✓ Custom certificate paths applied.${plain}"
  662. echo -e "${yellow}Note: You are responsible for renewing these files externally.${plain}"
  663. systemctl restart x-ui > /dev/null 2>&1 || rc-service x-ui restart > /dev/null 2>&1
  664. ;;
  665. 4)
  666. echo ""
  667. echo -e "${red}⚠ Panel will be installed WITHOUT SSL/TLS.${plain}"
  668. echo -e "${yellow}Login credentials and cookies will travel as plain HTTP.${plain}"
  669. echo -e "${yellow}Only safe when:${plain}"
  670. echo -e "${yellow} • A reverse proxy (nginx, Caddy, Traefik) terminates TLS for you, or${plain}"
  671. echo -e "${yellow} • You access the panel exclusively via SSH tunnel${plain}"
  672. echo ""
  673. SSL_SCHEME="http"
  674. SSL_HOST="${server_ip}"
  675. local bind_local=""
  676. read -rp "Bind the panel to 127.0.0.1 only? (recommended — forces SSH tunnel / reverse-proxy access) [y/N]: " bind_local
  677. if [[ "$bind_local" == "y" || "$bind_local" == "Y" ]]; then
  678. ${xui_folder}/x-ui setting -listenIP "127.0.0.1" > /dev/null 2>&1
  679. SSL_HOST="127.0.0.1"
  680. echo -e "${green}✓ Panel bound to 127.0.0.1 only. It is now unreachable from the public internet.${plain}"
  681. echo ""
  682. echo -e "${green}SSH Port Forwarding — open the panel from your local machine via:${plain}"
  683. echo -e " Standard SSH command:"
  684. echo -e " ${yellow}ssh -L 2222:127.0.0.1:${panel_port} root@${server_ip}${plain}"
  685. echo -e " If using an SSH key:"
  686. echo -e " ${yellow}ssh -i <sshkeypath> -L 2222:127.0.0.1:${panel_port} root@${server_ip}${plain}"
  687. echo -e " Then open in your browser:"
  688. echo -e " ${yellow}http://localhost:2222/${web_base_path}${plain}"
  689. echo ""
  690. echo -e "${yellow}Alternative: point a reverse proxy (nginx/Caddy) at 127.0.0.1:${panel_port} and let it terminate TLS.${plain}"
  691. else
  692. echo -e "${yellow}Panel will listen on all interfaces over plain HTTP. Make sure something else is terminating TLS in front of it.${plain}"
  693. fi
  694. systemctl restart x-ui > /dev/null 2>&1 || rc-service x-ui restart > /dev/null 2>&1
  695. echo -e "${green}✓ SSL setup skipped.${plain}"
  696. ;;
  697. *)
  698. echo -e "${red}Invalid option. Skipping SSL setup.${plain}"
  699. SSL_HOST="${server_ip}"
  700. ;;
  701. esac
  702. }
  703. config_after_update() {
  704. local panel_needs_restart=0
  705. echo -e "${yellow}x-ui settings:${plain}"
  706. ${xui_folder}/x-ui setting -show true
  707. ${xui_folder}/x-ui migrate
  708. # Properly detect empty cert by checking if cert: line exists and has content after it
  709. local existing_cert=$(${xui_folder}/x-ui setting -getCert true 2> /dev/null | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
  710. local existing_port=$(${xui_folder}/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}')
  711. local existing_webBasePath=$(${xui_folder}/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}' | sed 's#^/##')
  712. # Get server IP
  713. local URL_lists=(
  714. "https://api4.ipify.org"
  715. "https://ipv4.icanhazip.com"
  716. "https://v4.api.ipinfo.io/ip"
  717. "https://ipv4.myexternalip.com/raw"
  718. "https://4.ident.me"
  719. "https://check-host.net/ip"
  720. )
  721. local server_ip=""
  722. for ip_address in "${URL_lists[@]}"; do
  723. local response=$(curl -s -w "\n%{http_code}" --max-time 3 "${ip_address}" 2> /dev/null)
  724. local http_code=$(echo "$response" | tail -n1)
  725. local ip_result=$(echo "$response" | head -n-1 | tr -d '[:space:]"')
  726. if [[ "${http_code}" == "200" && "${ip_result}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  727. server_ip="${ip_result}"
  728. break
  729. fi
  730. done
  731. if [[ -z "$server_ip" ]]; then
  732. echo -e "${yellow}Could not auto-detect server IP from any provider.${plain}"
  733. while [[ -z "$server_ip" ]]; do
  734. read -rp "Please enter your server's public IPv4 address: " server_ip
  735. server_ip="${server_ip// /}"
  736. if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  737. echo -e "${red}Invalid IPv4 address. Please try again.${plain}"
  738. server_ip=""
  739. fi
  740. done
  741. fi
  742. # Handle missing/short webBasePath
  743. if [[ ${#existing_webBasePath} -lt 4 ]]; then
  744. echo -e "${yellow}WebBasePath is missing or too short. Generating a new one...${plain}"
  745. local config_webBasePath=$(gen_random_string 18)
  746. ${xui_folder}/x-ui setting -webBasePath "${config_webBasePath}"
  747. existing_webBasePath="${config_webBasePath}"
  748. panel_needs_restart=1
  749. echo -e "${green}New WebBasePath: ${config_webBasePath}${plain}"
  750. fi
  751. # Check and prompt for SSL if missing
  752. if [[ -z "$existing_cert" ]]; then
  753. echo ""
  754. echo -e "${red}═══════════════════════════════════════════${plain}"
  755. echo -e "${red} ⚠ NO SSL CERTIFICATE DETECTED ⚠ ${plain}"
  756. echo -e "${red}═══════════════════════════════════════════${plain}"
  757. echo -e "${yellow}For security, SSL certificate is MANDATORY for all panels.${plain}"
  758. echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}"
  759. echo ""
  760. # Prompt and setup SSL (domain or IP)
  761. prompt_and_setup_ssl "${existing_port}" "${existing_webBasePath}" "${server_ip}"
  762. echo ""
  763. echo -e "${green}═══════════════════════════════════════════${plain}"
  764. echo -e "${green} Panel Access Information ${plain}"
  765. echo -e "${green}═══════════════════════════════════════════${plain}"
  766. echo -e "${green}Access URL: https://${SSL_HOST}:${existing_port}/${existing_webBasePath}${plain}"
  767. echo -e "${green}═══════════════════════════════════════════${plain}"
  768. echo -e "${yellow}⚠ SSL Certificate: Enabled and configured${plain}"
  769. else
  770. echo -e "${green}SSL certificate is already configured${plain}"
  771. # Show access URL with existing certificate
  772. local cert_domain=$(basename "$(dirname "$existing_cert")")
  773. echo ""
  774. echo -e "${green}═══════════════════════════════════════════${plain}"
  775. echo -e "${green} Panel Access Information ${plain}"
  776. echo -e "${green}═══════════════════════════════════════════${plain}"
  777. echo -e "${green}Access URL: https://${cert_domain}:${existing_port}/${existing_webBasePath}${plain}"
  778. echo -e "${green}═══════════════════════════════════════════${plain}"
  779. fi
  780. if [[ "$panel_needs_restart" -eq 1 ]]; then
  781. echo -e "${yellow}Restarting panel to apply the new web base path...${plain}"
  782. systemctl restart x-ui 2> /dev/null || rc-service x-ui restart 2> /dev/null
  783. fi
  784. }
  785. # setup_fail2ban auto-installs and configures fail2ban for the IP Limit feature
  786. # by invoking the freshly downloaded x-ui CLI. IP Limit is load-bearing on
  787. # fail2ban (without it the panel disables the limitIp field and zeroes existing
  788. # limits), so updating an older install should make it work without a manual
  789. # trip through the IP Limit menu. Non-fatal: a fail2ban failure must never abort
  790. # the update. XUI_ENABLE_FAIL2BAN is honored (load_xui_env exports it from the
  791. # persisted env file, so a deliberate opt-out survives updates).
  792. setup_fail2ban() {
  793. if [[ -n "${XUI_ENABLE_FAIL2BAN+x}" && "${XUI_ENABLE_FAIL2BAN}" != "true" ]]; then
  794. echo -e "${yellow}XUI_ENABLE_FAIL2BAN=${XUI_ENABLE_FAIL2BAN}, skipping Fail2ban auto-setup.${plain}"
  795. return 0
  796. fi
  797. if [[ ! -x /usr/bin/x-ui ]]; then
  798. echo -e "${yellow}x-ui CLI not found; skipping Fail2ban auto-setup.${plain}"
  799. return 0
  800. fi
  801. echo -e "${green}Setting up Fail2ban for the IP Limit feature...${plain}"
  802. if /usr/bin/x-ui setup-fail2ban; then
  803. echo -e "${green}Fail2ban setup complete.${plain}"
  804. else
  805. echo -e "${yellow}Fail2ban setup did not finish; IP Limit stays disabled until you run 'x-ui' and open the IP Limit menu. Continuing.${plain}"
  806. fi
  807. return 0
  808. }
  809. # Lands a systemd unit file at ${xui_service}/x-ui.service via a temp file +
  810. # atomic mv, so a failed cp/curl or an interrupted mv never leaves a
  811. # truncated unit file at the live path -- systemd would then fail to parse
  812. # it on the next daemon-reload/start. Same pattern already used for
  813. # /usr/bin/x-ui elsewhere in this script. source_is_url picks cp (from a
  814. # file already extracted from the release tarball) vs curl (GitHub fallback).
  815. _install_xui_service_unit() {
  816. local source="$1"
  817. local source_is_url="$2"
  818. local dest="${xui_service}/x-ui.service"
  819. local temp_file="${dest}.tmp.$$"
  820. rm -f "$temp_file"
  821. if [[ "$source_is_url" == "true" ]]; then
  822. ${curl_bin} -fLRo "$temp_file" "$source" > /dev/null 2>&1
  823. else
  824. cp -f "$source" "$temp_file" > /dev/null 2>&1
  825. fi
  826. if [[ $? -ne 0 ]]; then
  827. rm -f "$temp_file"
  828. return 1
  829. fi
  830. if [[ ! -s "$temp_file" ]]; then
  831. rm -f "$temp_file"
  832. return 1
  833. fi
  834. mv -f "$temp_file" "$dest"
  835. if [[ $? -ne 0 ]]; then
  836. rm -f "$temp_file"
  837. return 1
  838. fi
  839. return 0
  840. }
  841. update_x-ui() {
  842. cd ${xui_folder%/x-ui}/
  843. load_xui_env
  844. if [ -f "${xui_folder}/x-ui" ]; then
  845. current_xui_version=$(${xui_folder}/x-ui -v)
  846. echo -e "${green}Current x-ui version: ${current_xui_version}${plain}"
  847. else
  848. _fail "ERROR: Current x-ui version: unknown"
  849. fi
  850. echo -e "${green}Downloading new x-ui version...${plain}"
  851. # XUI_UPDATE_TAG lets the panel target a specific release tag (e.g. the
  852. # rolling dev-latest pre-release). Empty keeps the default latest-stable flow.
  853. if [[ -n "${XUI_UPDATE_TAG}" ]]; then
  854. tag_version="${XUI_UPDATE_TAG}"
  855. echo -e "${green}Using update tag: ${tag_version}${plain}"
  856. else
  857. tag_version=$(${curl_bin} -Ls "https://api.github.com/repos/MHSanaei/3x-ui/releases/latest" 2> /dev/null | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
  858. if [[ ! -n "$tag_version" ]]; then
  859. _fail "ERROR: Failed to fetch x-ui version, it may be due to GitHub API restrictions, please try it later"
  860. fi
  861. fi
  862. echo -e "Got x-ui latest version: ${tag_version}, beginning the installation..."
  863. ${curl_bin} -fLRo ${xui_folder}-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz 2> /dev/null
  864. if [[ $? -ne 0 ]]; then
  865. _fail "ERROR: Failed to download x-ui, please be sure that your server can access GitHub"
  866. fi
  867. if [[ ! -s ${xui_folder}-linux-$(arch).tar.gz ]]; then
  868. rm ${xui_folder}-linux-$(arch).tar.gz -f > /dev/null 2>&1
  869. _fail "ERROR: Downloaded x-ui release archive is empty, please be sure that your server can access GitHub"
  870. fi
  871. if [[ -e ${xui_folder}/ ]]; then
  872. echo -e "${green}Stopping x-ui...${plain}"
  873. if [[ $release == "alpine" ]]; then
  874. if [ -f "/etc/init.d/x-ui" ]; then
  875. rc-service x-ui stop > /dev/null 2>&1
  876. rc-update del x-ui > /dev/null 2>&1
  877. echo -e "${green}Removing old service unit version...${plain}"
  878. rm -f /etc/init.d/x-ui > /dev/null 2>&1
  879. else
  880. rm x-ui-linux-$(arch).tar.gz -f > /dev/null 2>&1
  881. _fail "ERROR: x-ui service unit not installed."
  882. fi
  883. else
  884. if [ -f "${xui_service}/x-ui.service" ]; then
  885. systemctl stop x-ui > /dev/null 2>&1
  886. systemctl disable x-ui > /dev/null 2>&1
  887. echo -e "${green}Removing old systemd unit version...${plain}"
  888. rm ${xui_service}/x-ui.service -f > /dev/null 2>&1
  889. systemctl daemon-reload > /dev/null 2>&1
  890. else
  891. rm x-ui-linux-$(arch).tar.gz -f > /dev/null 2>&1
  892. _fail "ERROR: x-ui systemd unit not installed."
  893. fi
  894. fi
  895. # Kill any leftover mtg (MTProto) sidecars. x-ui runs them outside its own
  896. # lifecycle, so on Linux a stale one can survive the stop and keep holding
  897. # an inbound port with an outdated secret, silently breaking new clients.
  898. # The new panel respawns a clean mtg per inbound on next start.
  899. pkill -f 'mtg-linux-[^ ]* run ' > /dev/null 2>&1 || true
  900. echo -e "${green}Removing old x-ui version...${plain}"
  901. rm ${xui_folder} -f > /dev/null 2>&1
  902. rm ${xui_folder}/x-ui.service -f > /dev/null 2>&1
  903. rm ${xui_folder}/x-ui.service.debian -f > /dev/null 2>&1
  904. rm ${xui_folder}/x-ui.service.arch -f > /dev/null 2>&1
  905. rm ${xui_folder}/x-ui.service.rhel -f > /dev/null 2>&1
  906. rm ${xui_folder}/x-ui -f > /dev/null 2>&1
  907. rm ${xui_folder}/x-ui.sh -f > /dev/null 2>&1
  908. echo -e "${green}Removing old xray version...${plain}"
  909. rm ${xui_folder}/bin/xray-linux-amd64 -f > /dev/null 2>&1
  910. rm ${xui_folder}/bin/xray-linux-arm -f > /dev/null 2>&1
  911. echo -e "${green}Removing old README and LICENSE file...${plain}"
  912. rm ${xui_folder}/bin/README.md -f > /dev/null 2>&1
  913. rm ${xui_folder}/bin/LICENSE -f > /dev/null 2>&1
  914. else
  915. rm x-ui-linux-$(arch).tar.gz -f > /dev/null 2>&1
  916. _fail "ERROR: x-ui not installed."
  917. fi
  918. echo -e "${green}Installing new x-ui version...${plain}"
  919. tar zxvf x-ui-linux-$(arch).tar.gz > /dev/null 2>&1
  920. if [[ $? -ne 0 ]]; then
  921. rm x-ui-linux-$(arch).tar.gz -f > /dev/null 2>&1
  922. _fail "ERROR: Failed to extract the x-ui release archive -- the previous installation has already been removed, so the panel will not start until this is fixed; try running the update again"
  923. fi
  924. rm x-ui-linux-$(arch).tar.gz -f > /dev/null 2>&1
  925. cd x-ui > /dev/null 2>&1
  926. if [[ $? -ne 0 || ! -s x-ui ]]; then
  927. _fail "ERROR: Extracted x-ui archive is missing the x-ui binary -- the previous installation has already been removed, so the panel will not start until this is fixed; try running the update again"
  928. fi
  929. chmod +x x-ui > /dev/null 2>&1
  930. # Check the system's architecture and rename the file accordingly.
  931. # The panel binary maps GOARCH=arm to "arm32" (internal/xray/process.go),
  932. # so the Xray binary must be named xray-linux-arm32; mtg keeps plain "arm".
  933. if [[ $(arch) == "armv5" || $(arch) == "armv6" || $(arch) == "armv7" ]]; then
  934. mv bin/xray-linux-$(arch) bin/xray-linux-arm32 > /dev/null 2>&1
  935. chmod +x bin/xray-linux-arm32 > /dev/null 2>&1
  936. if [[ -f bin/mtg-linux-$(arch) ]]; then
  937. mv bin/mtg-linux-$(arch) bin/mtg-linux-arm > /dev/null 2>&1
  938. chmod +x bin/mtg-linux-arm > /dev/null 2>&1
  939. fi
  940. fi
  941. chmod +x x-ui bin/xray-linux-$(arch) > /dev/null 2>&1
  942. if [[ -f bin/mtg-linux-arm ]]; then
  943. chmod +x bin/mtg-linux-arm > /dev/null 2>&1
  944. elif [[ -f bin/mtg-linux-$(arch) ]]; then
  945. chmod +x bin/mtg-linux-$(arch) > /dev/null 2>&1
  946. fi
  947. echo -e "${green}Downloading and installing x-ui.sh script...${plain}"
  948. local xui_script_temp="/usr/bin/x-ui-temp.$$"
  949. rm -f "${xui_script_temp}"
  950. ${curl_bin} -fLRo "${xui_script_temp}" https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh > /dev/null 2>&1
  951. if [[ $? -ne 0 ]]; then
  952. rm -f "${xui_script_temp}"
  953. _fail "ERROR: Failed to download x-ui.sh script, please be sure that your server can access GitHub"
  954. fi
  955. if [[ ! -s "${xui_script_temp}" ]]; then
  956. rm -f "${xui_script_temp}"
  957. _fail "ERROR: Downloaded x-ui.sh script is empty, please be sure that your server can access GitHub"
  958. fi
  959. mv -f "${xui_script_temp}" /usr/bin/x-ui
  960. if [[ $? -ne 0 ]]; then
  961. rm -f "${xui_script_temp}"
  962. _fail "ERROR: Failed to install x-ui.sh script"
  963. fi
  964. chmod +x ${xui_folder}/x-ui.sh > /dev/null 2>&1
  965. chmod +x /usr/bin/x-ui > /dev/null 2>&1
  966. mkdir -p /var/log/x-ui > /dev/null 2>&1
  967. echo -e "${green}Changing owner...${plain}"
  968. chown -R root:root ${xui_folder} > /dev/null 2>&1
  969. if [ -f "${xui_folder}/bin/config.json" ]; then
  970. echo -e "${green}Changing on config file permissions...${plain}"
  971. chmod 640 ${xui_folder}/bin/config.json > /dev/null 2>&1
  972. fi
  973. if [[ $release == "alpine" ]]; then
  974. echo -e "${green}Downloading and installing startup unit x-ui.rc...${plain}"
  975. xui_rc_temp="/etc/init.d/x-ui.tmp.$$"
  976. rm -f "${xui_rc_temp}"
  977. ${curl_bin} -fLRo "${xui_rc_temp}" https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc > /dev/null 2>&1
  978. if [[ $? -ne 0 ]]; then
  979. rm -f "${xui_rc_temp}"
  980. _fail "ERROR: Failed to download startup unit x-ui.rc, please be sure that your server can access GitHub"
  981. fi
  982. if [[ ! -s "${xui_rc_temp}" ]]; then
  983. rm -f "${xui_rc_temp}"
  984. _fail "ERROR: Downloaded startup unit x-ui.rc is empty, please be sure that your server can access GitHub"
  985. fi
  986. mv -f "${xui_rc_temp}" /etc/init.d/x-ui
  987. if [[ $? -ne 0 ]]; then
  988. rm -f "${xui_rc_temp}"
  989. _fail "ERROR: Failed to install startup unit x-ui.rc"
  990. fi
  991. chmod +x /etc/init.d/x-ui > /dev/null 2>&1
  992. chown root:root /etc/init.d/x-ui > /dev/null 2>&1
  993. rc-update add x-ui > /dev/null 2>&1
  994. rc-service x-ui start > /dev/null 2>&1
  995. else
  996. if [ -f "x-ui.service" ]; then
  997. echo -e "${green}Installing systemd unit...${plain}"
  998. if ! _install_xui_service_unit "x-ui.service" "false"; then
  999. echo -e "${red}Failed to copy x-ui.service${plain}"
  1000. exit 1
  1001. fi
  1002. else
  1003. service_installed=false
  1004. case "${release}" in
  1005. ubuntu | debian | armbian)
  1006. if [ -f "x-ui.service.debian" ]; then
  1007. echo -e "${green}Installing debian-like systemd unit...${plain}"
  1008. if _install_xui_service_unit "x-ui.service.debian" "false"; then
  1009. service_installed=true
  1010. fi
  1011. fi
  1012. ;;
  1013. arch | manjaro | parch)
  1014. if [ -f "x-ui.service.arch" ]; then
  1015. echo -e "${green}Installing arch-like systemd unit...${plain}"
  1016. if _install_xui_service_unit "x-ui.service.arch" "false"; then
  1017. service_installed=true
  1018. fi
  1019. fi
  1020. ;;
  1021. *)
  1022. if [ -f "x-ui.service.rhel" ]; then
  1023. echo -e "${green}Installing rhel-like systemd unit...${plain}"
  1024. if _install_xui_service_unit "x-ui.service.rhel" "false"; then
  1025. service_installed=true
  1026. fi
  1027. fi
  1028. ;;
  1029. esac
  1030. # If service file not found in tar.gz, download from GitHub
  1031. if [ "$service_installed" = false ]; then
  1032. echo -e "${yellow}Service files not found in tar.gz, downloading from GitHub...${plain}"
  1033. case "${release}" in
  1034. ubuntu | debian | armbian)
  1035. service_unit_url="https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.service.debian"
  1036. ;;
  1037. arch | manjaro | parch)
  1038. service_unit_url="https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.service.arch"
  1039. ;;
  1040. *)
  1041. service_unit_url="https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.service.rhel"
  1042. ;;
  1043. esac
  1044. if ! _install_xui_service_unit "$service_unit_url" "true"; then
  1045. echo -e "${red}Failed to install x-ui.service from GitHub${plain}"
  1046. exit 1
  1047. fi
  1048. fi
  1049. fi
  1050. chown root:root ${xui_service}/x-ui.service > /dev/null 2>&1
  1051. chmod 644 ${xui_service}/x-ui.service > /dev/null 2>&1
  1052. systemctl daemon-reload > /dev/null 2>&1
  1053. systemctl enable x-ui > /dev/null 2>&1
  1054. systemctl start x-ui > /dev/null 2>&1
  1055. fi
  1056. config_after_update
  1057. # IP Limit relies on fail2ban; install + configure it now so the feature
  1058. # works out of the box on update too (no-op when XUI_ENABLE_FAIL2BAN=false).
  1059. # Never fatal.
  1060. setup_fail2ban
  1061. echo -e "${green}x-ui ${tag_version}${plain} updating finished, it is running now..."
  1062. echo -e ""
  1063. echo -e "┌───────────────────────────────────────────────────────┐
  1064. │ ${blue}x-ui control menu usages (subcommands):${plain} │
  1065. │ │
  1066. │ ${blue}x-ui${plain} - Admin Management Script │
  1067. │ ${blue}x-ui start${plain} - Start │
  1068. │ ${blue}x-ui stop${plain} - Stop │
  1069. │ ${blue}x-ui restart${plain} - Restart │
  1070. │ ${blue}x-ui status${plain} - Current Status │
  1071. │ ${blue}x-ui settings${plain} - Current Settings │
  1072. │ ${blue}x-ui enable${plain} - Enable Autostart on OS Startup │
  1073. │ ${blue}x-ui disable${plain} - Disable Autostart on OS Startup │
  1074. │ ${blue}x-ui log${plain} - Check logs │
  1075. │ ${blue}x-ui banlog${plain} - Check Fail2ban ban logs │
  1076. │ ${blue}x-ui update${plain} - Update │
  1077. │ ${blue}x-ui legacy${plain} - Legacy version │
  1078. │ ${blue}x-ui install${plain} - Install │
  1079. │ ${blue}x-ui uninstall${plain} - Uninstall │
  1080. └───────────────────────────────────────────────────────┘"
  1081. }
  1082. echo -e "${green}Running...${plain}"
  1083. install_base
  1084. update_x-ui $1