From 1bf9e5d544289dc8556167ba6146a957b4bbbe6f Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Sun, 5 Jul 2026 20:06:08 +0200 Subject: [PATCH] fix(script): make local PostgreSQL and fail2ban setup work on RHEL-family distros Fresh installs on Rocky/Alma/RHEL/Oracle failed twice (#5806): - postgresql-setup --initdb ships a pg_hba.conf whose TCP rules use ident auth, which matches the OS username against the Postgres role and always rejects the randomly generated panel role, so the panel could never connect ("Ident authentication failed"). Prepend password-auth rules scoped to the panel database (first match wins; md5 also accepts scram-stored verifiers) and reload, in both install.sh and the x-ui.sh mirror. - fail2ban only exists in EPEL on the RHEL family, but only the CentOS 7 branch enabled EPEL, so IP Limit setup failed with "No match for argument: fail2ban". Enable epel-release (with the dl.fedoraproject.org package as fallback for RHEL proper) before installing; Fedora ships fail2ban in its own repos and is skipped. Closes #5806 --- install.sh | 33 +++++++++++++++++++++++++++++++++ x-ui.sh | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) diff --git a/install.sh b/install.sh index cdd9e5bde..1f204a725 100644 --- a/install.sh +++ b/install.sh @@ -180,6 +180,36 @@ write_install_result() { echo -e "${green}Install result written to ${result_file} (mode 600).${plain}" } +# RHEL-family initdb writes pg_hba.conf host rules with ident auth, which +# compares the OS username against the Postgres role and always rejects the +# randomly generated panel role over TCP (#5806). Prepend password-auth rules +# scoped to the panel database; first match wins, and md5 also accepts +# scram-sha-256-stored verifiers, so this works on every supported distro. +pg_ensure_hba_password_auth() { + local pg_db="$1" + local hba_file + hba_file=$(sudo -u postgres psql -tAc 'SHOW hba_file' 2> /dev/null | tr -d '[:space:]') + [[ -n "${hba_file}" && -f "${hba_file}" ]] || return 0 + grep -Eq "^host[[:space:]]+${pg_db}[[:space:]]" "${hba_file}" && return 0 + local tmp + tmp=$(mktemp) || return 1 + { + echo "# Added by 3x-ui: allow password logins for the panel database." + echo "host ${pg_db} all 127.0.0.1/32 md5" + echo "host ${pg_db} all ::1/128 md5" + cat "${hba_file}" + } > "${tmp}" || { + rm -f "${tmp}" + return 1 + } + cat "${tmp}" > "${hba_file}" || { + rm -f "${tmp}" + return 1 + } + rm -f "${tmp}" + sudo -u postgres psql -tAc 'SELECT pg_reload_conf()' > /dev/null 2>&1 || true +} + install_postgres_local() { local pg_user pg_pass pg_pass=$(gen_random_string 24) @@ -263,6 +293,9 @@ install_postgres_local() { sudo -u postgres psql -c "ALTER USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1 + pg_ensure_hba_password_auth "${pg_db}" \ + || echo -e "${yellow}Warning: could not update pg_hba.conf; PostgreSQL may reject the panel's TCP login (ident auth).${plain}" >&2 + local pg_pass_enc pg_pass_enc=$(printf '%s' "${pg_pass}" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/@/%40/g' -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/#/%23/g') diff --git a/x-ui.sh b/x-ui.sh index 75ed4efbf..ac45f8f51 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -2286,6 +2286,11 @@ setup_fail2ban_iplimit() { apt-get update && apt-get install fail2ban nftables -y ;; fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol) + if [[ "${release}" != "fedora" ]] && ! dnf repolist enabled 2> /dev/null | grep -qiw epel; then + dnf install -y epel-release \ + || dnf install -y "https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E %rhel).noarch.rpm" \ + || echo -e "${yellow}Could not enable the EPEL repository; fail2ban is only available from EPEL on this distro.${plain}" + fi dnf makecache -y && dnf -y install fail2ban nftables ;; centos) @@ -2846,6 +2851,37 @@ purge_postgresql() { LOGI "PostgreSQL has been purged." } +# RHEL-family initdb writes pg_hba.conf host rules with ident auth, which +# compares the OS username against the Postgres role and always rejects the +# randomly generated panel role over TCP (#5806). Prepend password-auth rules +# scoped to the panel database; first match wins, and md5 also accepts +# scram-sha-256-stored verifiers, so this works on every supported distro. +# Mirrors pg_ensure_hba_password_auth() from install.sh. +pg_ensure_hba_password_auth() { + local pg_db="$1" + local hba_file + hba_file=$(sudo -u postgres psql -tAc 'SHOW hba_file' 2> /dev/null | tr -d '[:space:]') + [[ -n "${hba_file}" && -f "${hba_file}" ]] || return 0 + grep -Eq "^host[[:space:]]+${pg_db}[[:space:]]" "${hba_file}" && return 0 + local tmp + tmp=$(mktemp) || return 1 + { + echo "# Added by 3x-ui: allow password logins for the panel database." + echo "host ${pg_db} all 127.0.0.1/32 md5" + echo "host ${pg_db} all ::1/128 md5" + cat "${hba_file}" + } > "${tmp}" || { + rm -f "${tmp}" + return 1 + } + cat "${tmp}" > "${hba_file}" || { + rm -f "${tmp}" + return 1 + } + rm -f "${tmp}" + sudo -u postgres psql -tAc 'SELECT pg_reload_conf()' > /dev/null 2>&1 || true +} + # Installs a local PostgreSQL server and creates a dedicated xui user/database. # Progress goes to stderr; on success the connection DSN is printed to stdout so # callers can capture it. Mirrors install_postgres_local() from install.sh, so the @@ -2930,6 +2966,9 @@ pg_install_local() { sudo -u postgres psql -c "ALTER USER \"${pg_user}\" WITH PASSWORD '${pg_pass}';" >&2 || return 1 + pg_ensure_hba_password_auth "${pg_db}" \ + || echo -e "${yellow}Warning: could not update pg_hba.conf; PostgreSQL may reject the panel's TCP login (ident auth).${plain}" >&2 + local pg_pass_enc pg_pass_enc=$(printf '%s' "${pg_pass}" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/@/%40/g' -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/#/%23/g')