Главная Обзор Помощь
Вход
txlyre
Репозитории Активность

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 7c2598fae9 feat: release-driven golden-image & unattended-install deployment pipeline (#5323) * feat(install): add non-interactive install path for cloud/golden-image use Trigger non-interactive mode when XUI_NONINTERACTIVE=1 or stdin is not a TTY (curl | bash, cloud-init). Every prompt is then replaced by an env var or a sane default; interactive prompts stay byte-for-byte identical. Honored env vars: XUI_USERNAME, XUI_PASSWORD, XUI_PANEL_PORT, XUI_WEB_BASE_PATH (unset => random, as before), XUI_SSL_MODE=none|ip|domain (default none), XUI_DOMAIN, XUI_ACME_EMAIL, XUI_DB_TYPE/XUI_DB_DSN, plus additive XUI_ACME_HTTP_PORT, XUI_SSL_IPV6, XUI_SERVER_IP. On success, write /etc/x-ui/install-result.env (mode 600) with the panel creds + access URL + api token, in both interactive and non-interactive modes, so cloud-init/MOTD can surface them. Postgres in non-interactive mode requires XUI_DB_DSN or installs locally; never silently downgrades. * feat(deploy): add first-boot per-instance credential generation Golden images ship with no x-ui.db. x-ui-firstboot.sh runs once (guarded by /etc/x-ui/.firstboot-done), before x-ui.service, and replaces the seeded admin/admin with fresh random username/password on a random high port, regenerates the session secret/panel GUID via 'x-ui setting -reset', mints an API token, and writes the creds to /etc/x-ui/credentials.txt (600) + /etc/motd. Idempotent: skips regeneration if a non-default admin already exists. The oneshot unit is ordered After=network-online/cloud-init and Before=x-ui.service so the panel never serves default credentials. * chore(deploy): force LF for cloud-image deploy assets (.service/.hcl/.yaml) * feat(deploy): add Packer config + provisioning scripts for golden image One build, two sources: amazon-ebs (AWS AMI, Canonical Ubuntu 24.04 base via source_ami_filter) and qemu (qcow2 + raw, NoCloud-seeded for build-time SSH). Provisioner order is fixed: provision.sh -> harden.sh -> cleanup.sh. - provision.sh: downloads the released x-ui tarball (no Go build), installs the panel + firstboot unit, enables but does NOT start services, creates NO DB. - harden.sh: key-only SSH, no root password login, locks default account passwords, enables unattended-upgrades (scanner-compliant). - cleanup.sh: wipes any DB/creds, SSH host keys, authorized_keys, machine-id, cloud-init state, logs and history; fails the build if any secret survives. packer fmt -check clean; packer validate passes for both sources. * feat(deploy): add generic cloud-init user-data for unattended install cloud-init.yaml installs the latest 3x-ui non-interactively (XUI_NONINTERACTIVE=1) on any cloud-init platform, generating unique per-instance credentials and surfacing them via /etc/x-ui/install-result.env, serial console and MOTD. README documents per-provider usage (Hetzner/AWS/DO/Vultr/GCP/Azure/Oracle) and all XUI_* knobs. * ci: add image.yml to build cloud images on release On release: published (or workflow_dispatch with a tag), waits for the x-ui-linux-amd64.tar.gz asset (handles the release-matrix upload race), then: - qemu-image (always): builds the qcow2 with Packer and attaches a compressed .qcow2.xz + sha256 to the GitHub release. Uses KVM when /dev/kvm exists, else TCG. - ami-image (gated): builds the AWS AMI only when AWS creds exist (OIDC role preferred, else access keys), so forks skip cleanly. Prints the AMI ID to the job summary. No secrets or AMI IDs are committed. * test(deploy): add container smoke tests for install + firstboot smoke-noninteractive.sh: runs install.sh piped (no TTY) with XUI_NONINTERACTIVE=1 in an Ubuntu container; asserts install-result.env (600) holds random non-default creds, hasDefaultCredential is false, and the panel serves HTTP. smoke-firstboot.sh: installs the released binary with no DB, runs x-ui-firstboot.sh; asserts per-instance creds + credentials.txt (600) + MOTD, no admin/admin, and that a second run is a no-op (sentinel honored). smoke.yml runs both as gated jobs on PRs/pushes touching install.sh or deploy/**. Both pass locally against the v3.3.1 release binary. * docs(deploy): add Packer/marketplace docs and link from README - deploy/README.md: index of the cloud-deploy tooling and the two models - deploy/packer/README.md: how to build locally, variables, first-boot behavior - deploy/marketplace/aws/README.md: seller registration -> AMI scan -> limited-visibility preview -> go-public checklist - deploy/marketplace/hetzner/README.md: cloud-init-first guidance + snapshot caveat (delete x-ui.db first) + hetznercloud/apps reference - README.md: link the unattended-install / cloud-image docs from Quick Start * feat(deploy): build golden images for arm64 as well as amd64 The install path was already multi-arch (install.sh auto-detects arch); this extends the golden image + CI to arm64: - packer: xui_arch (amd64|arm64, validated) now derives the base AMI filter and the Ubuntu cloud image; the qemu source switches to qemu-system-aarch64 + virt machine + AAVMF UEFI firmware for arm64. amd64 path unchanged. - image.yml: arch matrix. AMIs for amd64 (t3.small) + arm64 (t4g.small/Graviton) from one runner; qcow2 for amd64 on a standard runner and arm64 on a native ubuntu-24.04-arm runner. Waits for both release tarballs. - smoke.yml: run install + firstboot smoke tests on amd64 and arm64 runners; smoke-firstboot.sh now resolves the arch tarball via dpkg. - docs updated for both arches. packer fmt/validate pass for amd64 and arm64; actionlint + shellcheck clean. Verified locally: non-interactive install AND firstboot run on the real arm64 release binary under emulation (ELF aarch64, no admin/admin). * chore(deploy): default AWS region to eu-central-1 (Frankfurt) Replace the us-east-1 fallback in image.yml (4 sites) and the Packer 'region' default + doc examples. Still overridable via the AWS_REGION repo variable / the -var 'region=...' flag. * feat(deploy): add Amazon Lightsail support (launch script + snapshot builder) Lightsail can't launch from an EC2 AMI and its blueprint list isn't self-publishable, so add the two self-service paths instead: - launch-script.sh: paste into Lightsail 'Add launch script' (or --user-data) to install 3x-ui non-interactively with unique per-instance credentials. - snapshot-userdata.sh + build-snapshot.sh: AWS CLI pipeline that provisions a build instance (panel installed, NO DB, firstboot enabled), runs the shared cleanup.sh, then snapshots it. Instances launched from the snapshot mint their own credentials on first boot. Optional --panel-port pins a known port for the Lightsail firewall. - README documents both paths, the firewall caveat, and the blueprint reality. EC2 AMI / Marketplace path kept untouched alongside. All scripts shellcheck-clean. * fix(deploy): address Copilot PR review findings - install.sh + firstboot: write install-result.env / credentials.txt values with printf %q so the files stay safe to source even if creds are pinned with shell metacharacters (no-op for the alphanumeric random defaults). - firstboot: fail closed if 'x-ui setting -show' can't be parsed to true/false — exit without writing the sentinel so the next boot retries, instead of silently skipping regeneration and risking admin/admin. - firstboot + cloud-init + lightsail launch-script: keep secrets out of the world-readable /etc/motd (show URL + username only; full creds via the mode-600 file / serial console). - lightsail build-snapshot: handle download-default-key-pair returning either a PEM or base64, and assert a valid PEM before using it for SSH. - image.yml: pin hashicorp/setup-packer@v3 (was @main). - deploy/README: document XUI_ACME_HTTP_PORT / XUI_SSL_IPV6 / XUI_SERVER_IP. Both container smoke tests still pass; shellcheck + actionlint clean.

35 минут назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 1c0fdb4527 fix(outbounds): test subscriptions in Test All, skip direct/dns Test All only iterated the editable template outbounds, so subscription outbounds (the read-only "from subscriptions" table) were never probed in bulk. They are now queued too, keyed by tag in subscriptionTestStates so their rows light up live; the template and subscription HTTP lanes run serially to respect the backend's single-batch lock (TCP runs alongside). Also stop testing freedom ("direct") and dns outbounds: they aren't proxies, so an HTTP probe through them only measures the host's own reachability, not a tunnel. They are now untestable in every mode -- the per-row button is disabled and Test All skips them -- with a matching backend guard so a direct API caller can't HTTP-test them either.
  • 2d6dea4bf6 fix(settings): rename remark model 'Other' to 'External Proxy' (#5265) The 'o' remark block is sourced from an external proxy's remark, but the label 'Other' gave no hint where to set it. Rename the display label to 'External Proxy' to match the inbound form section; the stored 'o' key is unchanged so existing remarkModel values stay compatible.
  • 4c8d3cb625 fix(nodes): honor TLS verify mode skip/pin for remote node operations (#5264) The node probe honored the per-node TlsVerifyMode (skip/pin) but runtime.Remote used a shared client with no TLSClientConfig, so traffic sync and every other remote op fell back to system-CA verification and failed against self-signed nodes even after the operator set skip/pin. Move the TLS client builder into the runtime layer (HTTPClientForNode / DecodeCertPin) as the single source of truth, have Remote build and cache its per-node client through it, and delegate the service probe to the same builder so the two paths can no longer diverge.
  • 9a8247fa78 fix(tgbot): clear legacy panelProxy/tgBotProxy settings on upgrade v3.3.1 removed the Panel Proxy URL field from the UI but left the stored panelProxy/tgBotProxy values in the DB. The Telegram bot still reads tgBotProxy directly, so a stale value masked the panelOutbound egress fallback. Add a one-off seeder to drop both rows. Closes #5266
  • 355262e632 fix(clients): keep the client list live with a background poll (#5262) The paged client list is sorted/paginated server-side but fetched with staleTime: Infinity, so the WS client_stats patch only refreshed traffic on already-visible rows — newly connected clients never appeared and the sort order went stale until a manual refresh. Add a 5s refetchInterval so the current page tracks reality, and drive the table overlay off isPlaceholderData so the background poll does not flash it.
  • Просмотр сравнение для этих 6 коммитов »

1 день назад

txlyre синхронизированные коммиты с v3.3.1 на txlyre/3x-ui из зеркала

1 день назад

txlyre синхронизированные новые ссылки v3.3.1 к txlyre/3x-ui из зеркала

1 день назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • b770287995 fix(sub): stop appending the node name to subscription remarks (#5231) The #5035 change tagged node-hosted entries with the node name to disambiguate multi-node subscriptions, but the node name is panel-internal and leaked into the profile names end users see in their client apps. Drop the suffix entirely — remarks are the admin-set inbound remark again.
  • 3c68b039f6 fix(sub): deliver vision flow for VLESS+XHTTP+REALITY in share links and Clash (#5232) The vlessenc fix (#5185) enabled flow on XHTTP only in the security=none branch of genVlessLink, and the Clash builder still gated flow on network==tcp. With XHTTP+REALITY+vlessenc the panel accepts and stores the flow (inboundCanEnableTlsFlow passes), but subscriptions dropped it, so clients received configs without xtls-rprx-vision. Add vlessFlowAllowed mirroring inboundCanEnableTlsFlow — tcp with tls/reality, or xhttp with vlessenc regardless of security layer — and use it in both the vless:// link generator and the Clash proxy builder.
  • c200e248f7 fix(script): report per-file geo update status and skip restart when nothing changed Updating geo files printed raw curl progress meters showing 0 bytes when files were already current (curl -z conditional download), claimed success unconditionally, and restarted xray even when nothing was downloaded — confusing enough to be reported as a bug (#5230). Now each file reports updated / already up to date / download failed, failures no longer print a success message, and the restart (which drops live connections) only happens when a file actually changed. Same for the non-interactive 'x-ui update-all-geofiles' command.
  • b5ef412b8d v3.3.1
  • 41cb0b8ae7 fix(inbounds): show remark first, else inbound tag, in client labels Revert formatInboundLabel to the pre-#5151 behavior: display the inbound remark when set, otherwise the inbound tag, instead of "tag (remark)". Affects the Attach clients / Attached inbounds views and client lists. Routing keeps its own tag (remark) formatting.
  • Просмотр сравнение для этих 7 коммитов »

1 день назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 08bc481ae3 refactor(settings): reorganize subscription settings into clearer tabs - Split the Happ and Clash/Mihomo routing sections out of Information into their own dedicated tabs. - Extract the profile/branding fields (title, support URL, profile page, announcement, theme dir) out of the mislabeled "Subscription Title" divider into a new Profile tab. - Move the Update Interval setting into Information and drop the single-field Intervals tab. - Add the "profile" tab label across all locales.
  • 0f7da02a07 style(inbounds): show total up/down with directional arrows Replace the ambiguous swap icon on the total traffic statistic with explicit up/down arrows next to each value.
  • 0c73862bbe fix(clients): invalidate Xray config cache after client mutations Client add/update/remove also rewrite settings.clients on each attached inbound, so the Xray config query could go stale. Invalidate it alongside the clients and inbounds buckets.
  • c7a0188772 feat(settings): schedule picker, toggle placement, sub-theme docs link - Replace the Telegram "Notification Time" free-text field with a guided cron builder: @every + number + unit (s/m/h), the @hourly/@daily/@weekly/ @monthly macros, and a Custom option that seeds a valid 6-field crontab (cron runs with seconds enabled) as an escape hatch. - Move "Restart Xray After Auto Disable" from the External Traffic tab to Panel Settings, where it belongs. - Add a "Template guide" link to the Sub Theme Directory setting pointing at docs/custom-subscription-templates.md. - Localize all new strings across every locale.
  • 90e6217749 fix(inbound): preserve custom share strategy on edit (#5225)
  • Просмотр сравнение для этих 18 коммитов »

2 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 7ae3ea66d1 feat(ui): improve client form modal UX - Rename tabs: "Basic" → "Basics", "Config" → "Credentials" - Move reverseTag field from Credentials tab to Basics tab - Move IP log button inline with limitIp field (tooltip button, edit mode only) - Hide random email button when editing an existing client - Add tooltips to totalGB and limitIp fields with descriptive hints - Rename labels: "Total Sent/Received (GB)" → "Traffic Limit (GB)", "Duration" → "Duration (days)" - Add renewDays translation key for auto-renew label with unit hint - Remove redundant filterOption and width style from AutoComplete group selectors - Update all 15 locale files with new and renamed translation keys
  • 253063b785 feat: filter inbounds and clients by node (#4997) Multi-node panels had no way to narrow the inbounds or clients lists to a single node. Add a node filter to both pages: - Inbounds: a toolbar select (All / Local / each node) that filters the list client-side; shown only when the panel has nodes or node-attached inbounds. - Clients: a Nodes multi-select in the filter drawer. Node selections are mapped onto inbound IDs client-side and fed through the existing inbound CSV paging parameter, so the paging backend is untouched; an impossible id (-1) is sent when no inbound matches so the filter yields an honest empty result. InboundOption now carries nodeId to make the mapping possible. The local panel is selectable via a 0 sentinel (inbounds without a nodeId). New i18n keys in all 13 locales.
  • d04cb10971 feat(wireguard): per-peer comments for identifying devices (#5168) WG peers were only identifiable by their keys. Add an optional panel-side comment per peer: editable in the inbound form (echoed next to "Peer N" in the section header), stored in the settings JSON alongside the panel-only privateKey (xray-core ignores unknown peer fields), and appended to the share link / .conf remark so the device is identifiable in client apps too.
  • d1a13844b2 feat(api): include consumed traffic in the client-get response (#4973) GET /panel/api/clients/get/:email returned the quota (totalGB) but not the bytes the client has actually used, forcing API consumers to scrape it elsewhere. Add a sibling "usedTraffic" field (up+down, including the cross-node global overlay) next to "client" and "inboundIds".
  • bade1fcef6 feat(ui): allow custom fragment packets ranges, not just presets (#5075) The fragment "packets" field was a locked dropdown (tlshello / 1-3 / 1-5) in both the finalmask TCP-mask form and the Freedom outbound form, while xray-core accepts any "n-m" packet range. Replace both with an AutoComplete that keeps the presets as suggestions and validates free input as "tlshello" or a numeric range.
  • Просмотр сравнение для этих 5 коммитов »

2 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 0e0e41197f fix(settings): normalize tgCpu on load so a bad value can't block saving (#5091) The settings page validates the whole AllSetting object before saving, so a tgCpu value that isn't an integer in 0-100 (left over from an older or corrupt setting) failed validation with "tgCpu: Invalid input" and blocked saving every other setting too. Clamp/round tgCpu to a valid integer in the model constructor, defaulting to 80 when it isn't a finite number.
  • 5c29851be1 fix(nodes): "Invalid input" when saving a node with inbound sync mode "all" NodeFormSchema required inboundTags, but the inboundTags Form.Item is only mounted when inboundSyncMode is "selected" - antd onFinish omits unmounted fields, so saving with the default "all" mode failed schema validation with Zod generic "Invalid input" (regression from #5178; same class as the earlier pinnedCertSha256 fix). Also tolerate null inboundTags (Go nil slice) for nodes saved before #5178, both in the form schema and NodeRecordSchema, and normalize edit-mode values.
  • 60da6bed15 fix(xhttp): stop injecting scMaxEachPostBytes/scMinPostsIntervalMs defaults (#5141) The panel seeded xhttp configs with scMaxEachPostBytes=1000000 and scMinPostsIntervalMs=30 — xray-core''s own defaults — and emitted them into every generated config and share link. The literal scMinPostsIntervalMs=30 is a stable DPI fingerprint that Russia''s TSPU keys on to block connections on mobile networks. New configs no longer seed these values (empty schema/template defaults, so xray-core applies its internal defaults). For configs already stored with the old defaults, the link/subscription builders now drop values equal to xray-core''s defaults instead of advertising them — covering panel share links, the raw subscription, and the JSON subscription without requiring every inbound to be re-saved. Non-default values the user set deliberately are still emitted.
  • 7e87b7dc60 i18n: point API token hint at the Authentication page in all locales The remote panel's API token moved from Settings to the Authentication page; update the node form hint accordingly.
  • dbee150b33 fix(script): SSL management fixes (#4994, #5010, #5070) - Issue acme.sh HTTP-01 over IPv4 unless the host has no global IPv4 address: the hardcoded --listen-v6 started a v6-only standalone listener, so validation of a domain whose A record points at this host always failed (#4994). - Add a custom cert/key path option to the "Set Cert paths" menu so certificates living outside /root/cert (e.g. certbot under /etc/letsencrypt) can be wired to the panel from the CLI (#5010). - Derive the displayed Access URL from the certificate's actual SAN list instead of the cert folder name, list the other covered names, and show the panel's custom-path certificate in "Show Existing Domains" (#5070). Also silence find when /root/cert doesn't exist.
  • Просмотр сравнение для этих 24 коммитов »

2 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 58905d81a4 feat(node-sync): push global client usage to nodes for display and local enforcement A client attached to several panels has one aggregated row on each master, but a node only ever saw its local share: the node UI under-reported usage, and the node kept serving a client whose cross-panel total had already exceeded its quota — the master's disable push doesn't kill established connections unless the node restarts xray itself. Masters now push their aggregated per-client counters to each node from NodeTrafficSyncJob (throttled, scoped to the clients that node hosts). The node stores them in the new client_global_traffics side table keyed by (masterGuid, email), overwritten on every push so a master-side reset propagates, and: - overlays max(local, pushed) onto UI read paths (slim inbound list, inbound detail, clients list, WS stats, per-email lookups). The full /panel/api/inbounds/list stays un-overlaid on purpose: it doubles as the traffic snapshot masters poll, and overlaying it would corrupt every master's delta accounting; - trips disableInvalidClients when any master's pushed total exceeds the client's quota, so the existing RestartXrayOnClientDisable flow disconnects the client locally; - clears the side rows on traffic reset, auto-renew, and client delete, keeping a renewed quota window clean. Supersedes #5204, which folded pushed globals into client_traffics and compensated with read-back baselines — that double-counted first-sight emails and could not work with several masters sharing one node.
  • 8258a26fbf fix(node-sync): keep shared client traffic row when email still lives on other inbounds client_traffics is the per-email accumulator shared across every inbound and node the client is attached to. setRemoteTrafficLocked deleted it unguarded in two sweeps — when a node inbound vanished from the snapshot (node reinstall, tag change, another master's reconcile on a shared node) and when an email left one inbound's stats — even though the email was still attached elsewhere. The next sync then re-seeded the row with that node's counter alone, so the panel showed the last changed panel's number instead of the summed total. Guard both sweeps with emailUsedByOtherInbounds, matching what the manual-edit path (updateClientTraffics) already does. Truly removed clients are still cleaned up by the zero-attachment sweep.
  • dc52e725b6 fix(ui): blink the online dot in mobile client cards like desktop The mobile card rendered a static antd Badge for every bucket. When the client is enabled, online, and not depleted, render the same animated online-dot span the desktop Online column and the nodes list use.
  • aeb2217ae5 fix(ui): classify ended clients as depleted, not disabled, on inbounds page The auto-disable job flips client.enable off in the settings JSON when a client expires or exhausts its traffic, so the inbounds-page rollup filed every ended client under the gray Disabled badge (and double-counted it in Depleted when stats were present). Classify with depleted-first priority, matching computeClientsSummary and the client info modal. Also backfill cross-inbound client_traffics rows in GetInboundsSlim: the row is keyed on email and only preloads on the inbound the client was created on, so on every other attached inbound the depleted/expiring checks could never fire.
  • 9730561f20 ci(bot): update issue-bot repo map and tighten reply style - Refresh repository map: add internal/mtproto, web/entity, web/global, web/session, web/locale, frontend/, tools/openapigen, docs/, windows_files - Correct stack facts: Xray-core runs as a managed child process; full env var list incl. XUI_INIT_WEB_BASE_PATH, XUI_LOG_FOLDER, XUI_BIN_FOLDER, XUI_SKIP_HSTS; protocol list matches the model.go enum incl. MTProto - Add COMMENT STYLE section for professional, precise, answer-first replies - Raise --max-turns for both jobs
  • Просмотр сравнение для этих 11 коммитов »

3 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • eee652c4a5 chore(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 (#5199) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to 0.56.0. - [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.56.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 1ad483ede6 fix: expose streamSettings for Tunnel inbounds to support TProxy (#5171) * fix: expose streamSettings for Tunnel inbounds to support TProxy * fix(ui): hide security tab for tunnel inbounds when stream is enabled tunnel (dokodemo-door) does not support TLS or Reality, so showing the security tab only results in a fully-disabled radio group. Exclude tunnel alongside wireguard from the security tab. * fix(tunnel): restrict stream tab to sockopt-only and fix transportless schema Tunnel (dokodemo-door) only needs sockopt.tproxy for TProxy mode — no user-selectable transport. Add hasSelectableTransport flag to hide the network picker, per-network sub-forms, ExternalProxy, and FinalMask for both tunnel and wireguard, matching the pattern already used for Hysteria. Fix a pre-existing Zod schema bug where NetworkSettingsSchema was a bare discriminatedUnion requiring `network` to be present. Wireguard and tunnel submit streamSettings without a `network` key, causing "Invalid discriminator value. Expected 'tcp' | ..." on every save. Fix by adding a transportless union branch (z.never().optional()) alongside the transport DU; also add ?? 'tcp' fallback in inbound-link.ts where stream.network is now string | undefined. Three regression tests added. --------- Co-authored-by: rqzbeh <[email protected]> Co-authored-by: MHSanaei <[email protected]>
  • Просмотр сравнение для этих 2 коммитов »

3 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 57e9661758 fix: properly configure fail2ban backend and dependencies on Ubuntu 22.04+ (#5159) (#5184) Co-authored-by: rqzbeh <[email protected]>
  • 65fa40b819 fix: accurately retrieve and generate API tokens via CLI with hashed storage (#5145) (#5183) Co-authored-by: rqzbeh <[email protected]>
  • f88f53cd7b fix(update): restart panel after regenerating webBasePath to fix login desync When update.sh regenerates a short webBasePath, it writes the new path to the database after the panel is already running with the old path loaded in memory. Without a restart the server keeps serving the old path while the UI shows the new one, making the new path unreachable.
  • ca4f32e3da feat: replace panel proxy URL with outbound-based egress bridge Instead of requiring a manual SOCKS5/HTTP URL, the panel now lets the admin pick an Xray outbound from a dropdown (same UX as Geodata Auto-Update). At runtime, injectPanelEgress appends a loopback SOCKS inbound (tag: panel-egress) and prepends a routing rule so the panel's own HTTP traffic — version checks, Telegram, normal geo-file updates — is routed through the chosen outbound. Xray-native Geodata Auto-Update is unaffected (it uses its own geodata.outbound inside Xray). Blackhole outbounds are excluded from both picker dropdowns since routing any download through one just drops it. Translations updated for all 13 locales.
  • 6b16d8c37a feat: apply inbound/outbound/routing changes live via Xray gRPC API Add a hot-apply layer that computes a diff between the old and new generated config and applies only the changed parts through the Xray gRPC HandlerService and RoutingService, avoiding a full process restart whenever possible. A restart is still performed when sections that have no reload API (log, dns, policy, observatory, ...) actually change. Key additions: - internal/xray/hot_diff.go: ComputeHotDiff with canonical-JSON comparison (sorted keys, null=absent, full number precision) so UI reformatting never triggers a spurious restart - internal/xray/api.go: AddOutbound/DelOutbound, ApplyRoutingConfig, GetBalancerInfo, SetBalancerTarget, TestRoute gRPC wrappers - internal/web/service/xray.go: tryHotApply, ensureAPIServices, GetBalancersStatus, OverrideBalancer, TestRoute service methods - internal/web/controller/xray_setting.go: balancerStatus, balancerOverride, routeTest API endpoints - frontend: BalancersTab live-status/override columns, RouteTester component, Restart button removed (Save now hot-applies) - balancer-helpers.ts: syncObservatories never creates observatory sections for random/roundRobin balancers (no reload API → restart) - i18n: balancerLive/Override/routeTester keys added to all 13 locales
  • Просмотр сравнение для этих 5 коммитов »

3 дней назад

txlyre синхронизированные и удаленные ссылки copilot/fix-github-actions-build-windows на txlyre/3x-ui из зеркала

3 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 3092326d9e refactor: replace custom geo manager with Xray-core native geodata auto-update Remove the panel-side custom geo download feature (service, controller, /panel/api/custom-geo/* endpoints, CustomGeoResource model, UI tab) in favor of Xray-core's native geodata section (https://xtls.github.io/config/geodata.html). - pass the top-level "geodata" key through xray.Config so it survives the template round-trip into the generated config - add a Geodata Auto-Update section to the Xray Updates modal that edits geodata (cron schedule, download outbound, asset list) in the config template and restarts Xray on save - previously downloaded geo files in the bin folder keep working in ext: routing rules; the orphaned custom_geo_resources table is left in place so existing source URLs stay recoverable
  • 4002be4ade feat: support latest Wireguard features from Xray-core (PRs #5643, #5833, #5850) (#5131) * feat: support latest Wireguard features from Xray-core Implements support for Xray-core PRs #5833, #5643, and #5850 for Wireguard Inbounds: - Adds 'domainStrategy' and 'workers' to Wireguard inbound configuration. - Enables the Stream Settings tab for Wireguard inbounds to configure 'sockopt' and 'finalmask', hiding the irrelevant 'network' transmission dropdown. - Adds the 'randRange' field to the 'noise' UDP Finalmask obfuscation settings. * fix --------- Co-authored-by: Rqzbeh <[email protected]> Co-authored-by: Sanaei <[email protected]>
  • f9b275dd23 fix(ui): keep client IP log modal above edit modal (#5137) * fix: keep client IP log modal above edit modal * refactor: name client modal z-index values
  • dbb269cf6a fix(ui): correct inline style syntax between clients count and active clients count on inbounds page (#5114) * fix(ui): correct inline style syntax in client counts column on inbounds page * fix(ui): correct inline style syntax between clients count and active clients count on inbounds page
  • d047075f76 docs: add Turkish language link to other README files (#5138)
  • Просмотр сравнение для этих 6 коммитов »

4 дней назад

txlyre синхронизированные коммиты с copilot/fix-github-actions-build-windows на txlyre/3x-ui из зеркала

  • 4a782b5705 fix(ci): use pre-installed MSYS2 to avoid installer download failure on Windows build Add `release: false` to the msys2/setup-msys2@v2 step so the action uses the MSYS2 pre-installed on GitHub's windows-latest runner at C:\msys64 instead of downloading a fresh installer from GitHub Releases. The old behaviour (release: true, the default) fails when MSYS2 is not in the Actions tool cache — e.g. on fork PRs or fresh runners — because the installer download step crashes silently almost immediately. Setting release: false bypasses the download entirely and relies on the pre-installed copy that every windows-latest image ships with.
  • 0eb95008a5 Initial plan
  • 4002be4ade feat: support latest Wireguard features from Xray-core (PRs #5643, #5833, #5850) (#5131) * feat: support latest Wireguard features from Xray-core Implements support for Xray-core PRs #5833, #5643, and #5850 for Wireguard Inbounds: - Adds 'domainStrategy' and 'workers' to Wireguard inbound configuration. - Enables the Stream Settings tab for Wireguard inbounds to configure 'sockopt' and 'finalmask', hiding the irrelevant 'network' transmission dropdown. - Adds the 'randRange' field to the 'noise' UDP Finalmask obfuscation settings. * fix --------- Co-authored-by: Rqzbeh <[email protected]> Co-authored-by: Sanaei <[email protected]>
  • f9b275dd23 fix(ui): keep client IP log modal above edit modal (#5137) * fix: keep client IP log modal above edit modal * refactor: name client modal z-index values
  • dbb269cf6a fix(ui): correct inline style syntax between clients count and active clients count on inbounds page (#5114) * fix(ui): correct inline style syntax in client counts column on inbounds page * fix(ui): correct inline style syntax between clients count and active clients count on inbounds page
  • Просмотр сравнение для этих 10 коммитов »

4 дней назад

txlyre синхронизированные новые ссылки copilot/fix-github-actions-build-windows к txlyre/3x-ui из зеркала

4 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • 26c549a95a fix(client): match clients by email for delete/update, not credentials Delete/update located the client in an inbound's settings JSON by the record's credential (uuid/password/auth). When that credential drifted from the inbound JSON -- e.g. a rotated UUID left behind, or duplicated by a past partial-update bug -- the lookup failed with "Client Not Found In Inbound For ID: <uuid>" and aborted the whole operation, making the client impossible to remove from the panel. Key every delete/update/detach path on email, the client's stable identity. This survives credential drift and heals duplicate-email entries by removing all of them. - Delete/DeleteByEmail/Detach/DetachByEmailMany -> DelInboundClientByEmail - delInboundClients / bulkDelInboundClients: match settings by email - UpdateInboundClient: locate the entry to replace by email (param clientId -> oldEmail); update all callers to pass the email - bulkAdjustInboundClients: match by email - writeBackClientSubID: pass email; drop unused sourceProtocol param - make per-inbound deletion idempotent via ErrClientNotInInbound - remove now-orphaned DelInboundClient, clientKeyForProtocol and getClientPrimaryKey; scale test deletes by email

4 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • fe62c39a53 fix: inbound edit validation failure and legacy copy to clipboard (#5132) * fix: auto-enable clients when resetting traffic When a client's traffic is exhausted, the panel automatically disables the client and pushes enable: false to the nodes. However, when an admin clicked 'Reset Traffic' or used bulk reset, the counters were zeroed but the client was left disabled. This forced administrators to manually re-enable the client across the central panel and remote nodes. This patch updates ResetTrafficByEmail and BulkResetTraffic to automatically set Enable: true for any previously disabled client and push the updated settings to nodes, ensuring the client is instantly restored upon traffic reset. * fix: inbound edit validation failure and legacy copy to clipboard
  • 2969f6e91d fix(client): preserve UUID/password/auth on partial client update (#5111)
  • 0bed552292 fix(outbound): include tested outbound in HTTP probe config (#5120) HTTP-pinging a subscription outbound always reported "Probe timed out". The frontend sends only the template outbounds as allOutbounds, but subscription outbounds are injected at runtime and aren't in that list, so burstObservatory had no outbound matching the tag to probe. Append the tested outbound when its tag is missing instead of only when allOutbounds is empty, so the probe always has a target while preserving the template outbounds that back dialerProxy chains.
  • 6c1594693d feat(mtproto): add domain-fronting and essential mtg options Expose mtg's [domain-fronting] section (ip/port/proxy-protocol) plus proxy-protocol-listener, prefer-ip, and debug on MTProto inbounds. Each key is written to the generated mtg-<id>.toml only when set, so mtg's own defaults apply otherwise. The instance fingerprint now covers these fields, so editing an option restarts the sidecar. Since MTProto is mtg-served (not Xray), sniffing does not apply: hide the Sniffing tab and the Advanced sniffing sub-editor, drop it from the Advanced "All" JSON view, and emit empty sniffing in the wire payload, all gated by a new canEnableSniffing predicate.
  • Просмотр сравнение для этих 4 коммитов »

5 дней назад

txlyre синхронизированные коммиты с main на txlyre/3x-ui из зеркала

  • f8e89cc848 fix(mtproto): reap orphaned mtg, fix SysLog viewer, mtg log visibility, export remark (#5105) (#5107) * fix(logs): render journalctl output in the SysLog viewer The log viewer's parseLogLine only understood the app-log format (2006/01/02 15:04:05 LEVEL - body). With SysLog ticked the backend returns journalctl lines (Mon DD HH:MM:SS host ident[pid]: LEVEL - body), so the parser mistook the journal time for the level and dropped the body, leaving only timestamps. Detect and strip the journald prefix, keep the journal timestamp as the stamp, then parse the real level and body from the remainder. * feat(mtproto): surface mtg output and add status reporting mtg's stdout/stderr was captured by a writer that kept only the last line and showed it nowhere, so the reason a proxy could not reach Telegram was invisible. Stream mtg output line-by-line into the x-ui log, tagged per inbound, so it appears in the panel log viewer and journald. Also fix mangled log lines: logger.Info uses fmt.Sprint, which drops the space between adjacent string operands, producing output like 'inbound3on0.0.0.0:8443'. Switch the affected mtproto calls to the formatted (*f) variants. Add show_mtproto_status to x-ui.sh so 'x-ui status' reports each mtproto inbound's mtg process state and bind address. * fix(logs): parse all journalctl message shapes in SysLog viewer Real journalctl output mixes four message shapes after the 'Mon DD HH:MM:SS host ident[pid]:' prefix: go-logging 'LEVEL - msg' (x-ui/xray), Go std-log with an embedded date (net/http, runtime), telego's '[timestamp] LEVEL msg', and systemd lines. The viewer only understood the first, so std-log and telego lines — which never contain ' - ' — collapsed to a bare timestamp (e.g. the 8s telego 409 spam). Extract the parser into a pure, testable module and teach it the other shapes: strip the redundant Go std-log date, lift the level out of telego brackets, and always keep the message body. Add a unit test covering each shape with real captured lines. * fix(mtproto): reap orphaned mtg sidecars so a stale one can't break new clients On Linux x-ui does not kill its mtg children when it dies (no kill-on-exit, unlike the Windows job object). After a crash, OOM, kill -9, or update, a stale mtg keeps holding the inbound port with an OLD secret, so new clients fail the FakeTLS handshake and get silently domain-fronted to the fakeTLS domain instead of proxied to Telegram (a few MB of traffic, never connects). Sweep orphans at startup: on the first reconcile, before x-ui starts any of its own mtg, scan /proc and SIGKILL any process whose executable is our mtg-<goos>-<goarch> binary. x-ui is the sole owner of mtg, so anything alive then is an orphan. Runs once per process (swept guard), survives the binary-deleted-during-update case via /proc/<pid>/cmdline, and is a no-op on Windows (job object) and other platforms. Also clear stray mtg in update.sh/install.sh after stopping x-ui, anchored to the 'mtg-linux-<arch> run ' invocation so the pattern can't match unrelated command lines (e.g. x-ui.sh's own 'grep mtg-linux'). * fix(logs): drop dead body initializer flagged by eslint no-useless-assignment * fix(mtproto): drop remark fragment from tg://proxy export link The mtproto export link appended the inbound remark as a URL fragment (tg://proxy?server=...&port=...&secret=...#remark). Telegram Desktop rejects a proxy deep link with a trailing fragment as 'This proxy link is invalid', breaking one-click import, and a remark is meaningless for proxy links across clients. Stop adding it in both the panel link (genMtprotoLink) and the subscription service. Fixes #5105. * fix(x-ui.sh): remove unused check_mtproto_status helper show_mtproto_status does its own process check, so check_mtproto_status was dead code. Drop it (per Copilot review on #5107).

5 дней назад

txlyre синхронизированные коммиты с v3.3.0 на txlyre/3x-ui из зеркала

5 дней назад

txlyre синхронизированные новые ссылки v3.3.0 к txlyre/3x-ui из зеркала

5 дней назад