feat(iplimit): auto-install fail2ban on install and update

IP limit enforcement is gated on fail2ban being present (ce8b1bed), but the bare-metal install.sh/update.sh never installed it, so the feature stayed disabled until the user ran the IP Limit menu by hand. Docker already auto-configures it; bare-metal hosts did not.

Extract the fail2ban install + jail setup out of install_iplimit into a non-interactive setup_fail2ban_iplimit() (no exit/before_show_menu, returns a status) exposed via 'x-ui setup-fail2ban', and call it from install.sh and update.sh after the panel is up. update.sh is the primary update path (x-ui update and the panel self-updater both run it). Honors XUI_ENABLE_FAIL2BAN (proceed only when unset or true, matching the Go gate) and is non-fatal so a fail2ban failure never aborts the install/update.
MHSanaei
2026-06-22 23:49:09 +02:00
parent 683653674c
commit 0d764f1bb5
3 changed files with 84 additions and 3 deletions
+30
@@ -1300,6 +1300,32 @@ EOF
${xui_folder}/x-ui migrate
}
# setup_fail2ban auto-installs and configures fail2ban for the IP Limit feature
# by invoking the freshly installed x-ui CLI. IP Limit is load-bearing on
# fail2ban (without it the panel disables the limitIp field and zeroes existing
# limits), so a fresh install should make it work out of the box, just like the
# Docker image already does. Non-fatal by design: a fail2ban failure must never
# abort the panel install.
setup_fail2ban() {
if [[ -n "${XUI_ENABLE_FAIL2BAN+x}" && "${XUI_ENABLE_FAIL2BAN}" != "true" ]]; then
echo -e "${yellow}XUI_ENABLE_FAIL2BAN=${XUI_ENABLE_FAIL2BAN}, skipping Fail2ban auto-setup.${plain}"
return 0
fi
if [[ ! -x /usr/bin/x-ui ]]; then
echo -e "${yellow}x-ui CLI not found; skipping Fail2ban auto-setup.${plain}"
return 0
fi
echo -e "${green}Setting up Fail2ban for the IP Limit feature...${plain}"
if /usr/bin/x-ui setup-fail2ban; then
echo -e "${green}Fail2ban setup complete.${plain}"
else
echo -e "${yellow}Fail2ban setup did not finish; IP Limit stays disabled until you run 'x-ui' and open the IP Limit menu. Continuing.${plain}"
fi
return 0
}
install_x-ui() {
cd ${xui_folder%/x-ui}/
@@ -1487,6 +1513,10 @@ install_x-ui() {
fi
fi
# IP Limit relies on fail2ban; install + configure it now so the feature
# works out of the box (no-op when XUI_ENABLE_FAIL2BAN=false). Never fatal.
setup_fail2ban
echo -e "${green}x-ui ${tag_version}${plain} installation finished, it is running now..."
echo -e ""
echo -e "┌───────────────────────────────────────────────────────┐
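Review bot: `setup_fail2ban` ends in an unconditional `return 0` and prints its failure warning before the "installation finished" banner, so when `/usr/bin/x-ui setup-fail2ban` fails the operator gets a success banner with IP Limit enforcement off and only one yellow line above it to say so. The function can stay non-fatal while returning the real status, with the call site absorbing it, e.g. `setup_fail2ban || fail2ban_setup_failed=1`, and the warning repeated after the banner; the banner itself continues outside this hunk. The same body is copied into update.sh, so the point applies there too, and the two copies will have to be kept in sync by hand.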
+32
@@ -854,6 +854,33 @@ config_after_update() {
fi
}
# setup_fail2ban auto-installs and configures fail2ban for the IP Limit feature
# by invoking the freshly downloaded x-ui CLI. IP Limit is load-bearing on
# fail2ban (without it the panel disables the limitIp field and zeroes existing
# limits), so updating an older install should make it work without a manual
# trip through the IP Limit menu. Non-fatal: a fail2ban failure must never abort
# the update. XUI_ENABLE_FAIL2BAN is honored (load_xui_env exports it from the
# persisted env file, so a deliberate opt-out survives updates).
setup_fail2ban() {
if [[ -n "${XUI_ENABLE_FAIL2BAN+x}" && "${XUI_ENABLE_FAIL2BAN}" != "true" ]]; then
echo -e "${yellow}XUI_ENABLE_FAIL2BAN=${XUI_ENABLE_FAIL2BAN}, skipping Fail2ban auto-setup.${plain}"
return 0
fi
if [[ ! -x /usr/bin/x-ui ]]; then
echo -e "${yellow}x-ui CLI not found; skipping Fail2ban auto-setup.${plain}"
return 0
fi
echo -e "${green}Setting up Fail2ban for the IP Limit feature...${plain}"
if /usr/bin/x-ui setup-fail2ban; then
echo -e "${green}Fail2ban setup complete.${plain}"
else
echo -e "${yellow}Fail2ban setup did not finish; IP Limit stays disabled until you run 'x-ui' and open the IP Limit menu. Continuing.${plain}"
fi
return 0
}
update_x-ui() {
cd ${xui_folder%/x-ui}/
@@ -1037,6 +1064,11 @@ update_x-ui() {
config_after_update
# IP Limit relies on fail2ban; install + configure it now so the feature
# works out of the box on update too (no-op when XUI_ENABLE_FAIL2BAN=false).
# Never fatal.
setup_fail2ban
echo -e "${green}x-ui ${tag_version}${plain} updating finished, it is running now..."
echo -e ""
echo -e "┌───────────────────────────────────────────────────────┐
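Review bot: The opt-out check in `setup_fail2ban` only works on update if `XUI_ENABLE_FAIL2BAN` is already in the environment when `update_x-ui` reaches the call after `config_after_update`, and the `load_xui_env` call that the header comment relies on is not visible in this section. If it runs later, or not at all when the panel self-updater launches update.sh, a persisted `XUI_ENABLE_FAIL2BAN=false` is not seen and the update installs fail2ban and its jail on a host whose operator declined it. I would state the dependency at the call site, e.g. `# requires load_xui_env to have run: a persisted XUI_ENABLE_FAIL2BAN=false must be visible here`, and confirm the order in the part of `update_x-ui` that lies outside the hunk.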
+22 -3
@@ -2166,7 +2166,15 @@ iplimit_main() {
esac
}
install_iplimit() {
setup_fail2ban_iplimit() {
# Honor the same toggle the panel uses (isFail2BanEnabled): enabled when the
# var is unset or exactly "true"; any other explicit value means the operator
# opted out, so do nothing rather than install a fail2ban the panel ignores.
if [[ -n "${XUI_ENABLE_FAIL2BAN+x}" && "${XUI_ENABLE_FAIL2BAN}" != "true" ]]; then
echo -e "${yellow}XUI_ENABLE_FAIL2BAN=${XUI_ENABLE_FAIL2BAN}, skipping Fail2ban setup.${plain}\n"
return 0
fi
if ! command -v fail2ban-client &> /dev/null; then
echo -e "${green}Fail2ban is not installed. Installing now...!${plain}\n"
@@ -2216,13 +2224,13 @@ install_iplimit() {
;;
*)
echo -e "${red}Unsupported operating system. Please check the script and install the necessary packages manually.${plain}\n"
exit 1
return 1
;;
esac
if ! command -v fail2ban-client &> /dev/null; then
echo -e "${red}Fail2ban installation failed.${plain}\n"
exit 1
return 1
fi
echo -e "${green}Fail2ban installed successfully!${plain}\n"
@@ -2267,6 +2275,14 @@ install_iplimit() {
fi
echo -e "${green}IP Limit installed and configured successfully!${plain}\n"
return 0
}
# install_iplimit is the interactive (menu) entry point: it runs the shared
# setup and then returns to the menu. The non-interactive installer path uses
# setup_fail2ban_iplimit directly via `x-ui setup-fail2ban`.
install_iplimit() {
setup_fail2ban_iplimit
before_show_menu
}
@@ -3263,6 +3279,9 @@ if [[ $# > 0 ]]; then
"banlog")
check_install 0 && show_banlog 0
;;
"setup-fail2ban")
setup_fail2ban_iplimit
;;
"update")
check_install 0 && update 0
;;
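Review bot: The new `"setup-fail2ban")` arm leaves the function's return value as the implicit exit status of the script, and install.sh and update.sh branch on that status with `if /usr/bin/x-ui setup-fail2ban; then`. Whatever follows `esac` is outside this hunk, so if any command runs after the dispatcher the failure status is lost and the installers print "Fail2ban setup complete" for a setup that failed. Making it explicit is one line: `setup_fail2ban_iplimit; exit $?`. The arm also drops the `check_install 0 &&` guard its neighbours use; that looks intended for the installer path, but a short comment saying so would help. The stretch of `setup_fail2ban_iplimit` between the visible hunks should also be checked for any remaining `exit`, now that the function is meant to return a status.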