txlyre
синхронизированные коммиты с fix/issue-5865-hysteria2-host-allow-insecure на txlyre/3x-ui из зеркала
726fc3e7e2 test(sub): cover Hysteria2 Allow Insecure propagation to sub links
applyExternalProxyHysteriaParams and buildHysteriaProxy previously had no
direct test asserting insecure=1 / skip-cert-verify: true for a host/
external-proxy entry with allowInsecure set — the existing tests only
locked in the untouched pin/SNI behavior. Add positive and negative cases
for both the raw-link and Clash paths so the #5865 fix has a regression
test of its own.
a97d1c92e3 fix(sub): apply host Allow Insecure to Hysteria2 subscription links
Host.AllowInsecure was only wired into the shared VLESS/VMess/Trojan/Shadowsocks
endpoint path (applyEndpointAllowInsecure). Hysteria/Hysteria2 builds its links
through its own applyExternalProxyHysteriaParams (raw hysteria2:// link) and
buildHysteriaProxy (Clash/Mihomo proxy), neither of which read the host's
allowInsecure flag, so a self-signed Hysteria2 host never got insecure=1 or
skip-cert-verify: true. Fixes #5865.
2c28fa5f48 fix(inbound): scope port-conflict check to the stored node on update (#5833)
* fix(inbound): scope port-conflict check to the stored node on update
UpdateInbound called checkPortConflict before restoring the inbound's NodeID
from the database, so the check used the NodeID from the request body. That
value is unreliable for edits: clients omit it (nodeId is `json:",omitempty"`)
and the code already treats the stored NodeID as authoritative — an inbound
can't be moved between nodes via edit. With a nil request NodeID a node inbound
was mis-checked as a local/main-panel inbound and falsely collided with an
unrelated inbound that happened to reuse the same port on the central panel (or
another node). Symptom: editing a node inbound's listen address was rejected
with "port <p> (tcp) already used by inbound ... " and silently discarded.
Load the old inbound and restore inbound.NodeID *before* checkPortConflict, so
the check runs against the node the inbound actually lives on. checkPortConflict
already scopes candidates by node (sameNode); it was simply being fed the wrong
NodeID.
Add a regression test that seeds a main-panel and a node inbound on the same
port and asserts the node inbound stays editable (fails before this change with
the exact "already used" rejection).
* style(inbound): trim inline comments from port-conflict scoping
Repo convention forbids // line comments in committed Go; keep the scoping fix self-documenting.
f9cd7ac906 Add column sorting to inbounds table (#5661)
d2efe9b022 fix(sub): include native WireGuard clients in Clash and JSON subscriptions (#5676)
The Clash (buildProxy) and JSON (getConfig) subscription generators had no
WireGuard branch, so a native WireGuard inbound's clients were silently
dropped: buildProxy hit its default nil case, and getConfig emitted a config
with no proxy outbound. Only the raw subscription (genWireguardLink) and
external-link Clash path handled WireGuard.
Add a WireGuard case to both generators, mirroring genWireguardLink: the peer
public key is derived from the inbound secretKey, while the private key, tunnel
address (mihomo ip/ipv6, Xray settings.address), pre-shared key and keep-alive
come from the client. The peer routes the full tunnel (0.0.0.0/0, ::/0), which
both mihomo and Xray also default to.
Field names verified against the mihomo WireGuardOption source (private-key,
public-key, pre-shared-key, persistent-keepalive, ip, ipv6, mtu, dns) and the
Xray wireguard outbound schema (secretKey, address, peers[].publicKey/endpoint/
preSharedKey/keepAlive/allowedIPs, mtu).
- Просмотр сравнение для этих 10 коммитов »
3 часов назад