diff --git a/install.sh b/install.sh index cdd9e5bde..1f204a725 100644 --- a/install.sh +++ b/install.sh @@ -180,6 +180,36 @@ write_install_result() { echo -e "${green}Install result written to ${result_file} (mode 600).${plain}" } +# RHEL-family initdb writes pg_hba.conf host rules with ident auth, which +# compares the OS username against the Postgres role and always rejects the +# randomly generated panel role over TCP (#5806). Prepend password-auth rules +# scoped to the panel database; first match wins, and md5 also accepts +# scram-sha-256-stored verifiers, so this works on every supported distro. +pg_ensure_hba_password_auth() { + local pg_db="$1" + local hba_file + hba_file=$(sudo -u postgres psql -tAc 'SHOW hba_file' 2> /dev/null | tr -d '[:space:]') + [[ -n "${hba_file}" && -f "${hba_file}" ]] || return 0 + grep -Eq "^host[[:space:]]+${pg_db}[[:space:]]" "${hba_file}" && return 0 + local tmp + tmp=$(mktemp) || return 1 + { + echo "# Added by 3x-ui: allow password logins for the panel database." + echo "host ${pg_db} all 127.0.0.1/32 md5" + echo "host ${pg_db} all ::1/128 md5" + cat "${hba_file}" + } > "${tmp}" || { + rm -f "${tmp}" + return 1 + } + cat "${tmp}" > "${hba_file}" || { + rm -f "${tmp}" + return 1 + } + rm -f "${tmp}" + sudo -u postgres psql -tAc 'SELECT pg_reload_conf()' > /dev/null 2>&1 || true +} + install_postgres_local() { local pg_user pg_pass pg_pass=$(gen_random_string 24) @@ -263,6 +293,9 @@ install_postgres_local() { sudo -u postgres psql -c "ALTER USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1 + pg_ensure_hba_password_auth "${pg_db}" \ + || echo -e "${yellow}Warning: could not update pg_hba.conf; PostgreSQL may reject the panel's TCP login (ident auth).${plain}" >&2 + local pg_pass_enc pg_pass_enc=$(printf '%s' "${pg_pass}" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/@/%40/g' -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/#/%23/g') diff --git a/x-ui.sh b/x-ui.sh index 75ed4efbf..ac45f8f51 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -2286,6 +2286,11 @@ setup_fail2ban_iplimit() { apt-get update && apt-get install fail2ban nftables -y ;; fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol) + if [[ "${release}" != "fedora" ]] && ! dnf repolist enabled 2> /dev/null | grep -qiw epel; then + dnf install -y epel-release \ + || dnf install -y "https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E %rhel).noarch.rpm" \ + || echo -e "${yellow}Could not enable the EPEL repository; fail2ban is only available from EPEL on this distro.${plain}" + fi dnf makecache -y && dnf -y install fail2ban nftables ;; centos) @@ -2846,6 +2851,37 @@ purge_postgresql() { LOGI "PostgreSQL has been purged." } +# RHEL-family initdb writes pg_hba.conf host rules with ident auth, which +# compares the OS username against the Postgres role and always rejects the +# randomly generated panel role over TCP (#5806). Prepend password-auth rules +# scoped to the panel database; first match wins, and md5 also accepts +# scram-sha-256-stored verifiers, so this works on every supported distro. +# Mirrors pg_ensure_hba_password_auth() from install.sh. +pg_ensure_hba_password_auth() { + local pg_db="$1" + local hba_file + hba_file=$(sudo -u postgres psql -tAc 'SHOW hba_file' 2> /dev/null | tr -d '[:space:]') + [[ -n "${hba_file}" && -f "${hba_file}" ]] || return 0 + grep -Eq "^host[[:space:]]+${pg_db}[[:space:]]" "${hba_file}" && return 0 + local tmp + tmp=$(mktemp) || return 1 + { + echo "# Added by 3x-ui: allow password logins for the panel database." + echo "host ${pg_db} all 127.0.0.1/32 md5" + echo "host ${pg_db} all ::1/128 md5" + cat "${hba_file}" + } > "${tmp}" || { + rm -f "${tmp}" + return 1 + } + cat "${tmp}" > "${hba_file}" || { + rm -f "${tmp}" + return 1 + } + rm -f "${tmp}" + sudo -u postgres psql -tAc 'SELECT pg_reload_conf()' > /dev/null 2>&1 || true +} + # Installs a local PostgreSQL server and creates a dedicated xui user/database. # Progress goes to stderr; on success the connection DSN is printed to stdout so # callers can capture it. Mirrors install_postgres_local() from install.sh, so the @@ -2930,6 +2966,9 @@ pg_install_local() { sudo -u postgres psql -c "ALTER USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1 + pg_ensure_hba_password_auth "${pg_db}" \ + || echo -e "${yellow}Warning: could not update pg_hba.conf; PostgreSQL may reject the panel's TCP login (ident auth).${plain}" >&2 + local pg_pass_enc pg_pass_enc=$(printf '%s' "${pg_pass}" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/@/%40/g' -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/#/%23/g')