feat(tls,reality): port xray TLS/REALITY fields, cert-hash helpers, fallback UX

TLS: add verifyPeerCertByName (vcn) to inbound settings + emit in both share-link generators (frontend + Go sub) and outbound parser; the allowInsecure replacement xray removed after 2026-06-01. Add server-side curvePreferences, masterKeyLog, echSockopt (passthrough + form) at tlsSettings top-level so they survive the panel-only settings strip.

REALITY: add limitFallbackUpload/Download (afterBytes/bytesPerSec/burstBytesPerSec) with per-field tooltips, plus masterKeyLog. Verified field names/semantics against pinned xray v1.260327.1 (bytesPerSec=0 disables).

Hosts: fix verify_peer_cert_by_name column bool->string (xray expects comma-separated names) with an idempotent, history-gate-free migration (SQLite typeof blank; Postgres ALTER once); emit vcn for hosts/external proxies.

Server: add getCertHash (local cert DER SHA-256) and getRemoteCertHash (xray tls ping) endpoints + api-docs; wire pinned-cert field buttons. Drop the meaningless random-hash button.

Xray UI: metrics endpoint (listen/tag) config in Basics; import/export for routing rules and outbounds.

Fallbacks card: compact empty state, header-aligned actions, responsive labeled grid rows.

i18n: add all new keys to every locale; drop unused generateRandomPin.
This commit is contained in:
MHSanaei
2026-06-21 15:51:50 +02:00
parent 315ecc2588
commit 7c8889466b
48 changed files with 1316 additions and 173 deletions
@@ -16,6 +16,7 @@ exports[`inbound security forms > RealityForm field structure is stable 1`] = `
"Private Key",
"mldsa65 Seed",
"mldsa65 Verify",
"Master Key Log",
]
`;
@@ -26,13 +27,17 @@ exports[`inbound security forms > TlsForm field structure is stable 1`] = `
"Min/Max Version",
"uTLS",
"ALPN",
"Curve Preferences",
"Reject Unknown SNI",
"Disable System Root",
"Session Resumption",
"Digital Certificate",
"Master Key Log",
"ECH Sockopt",
"ECH key",
"ECH config",
"Pinned Peer Cert SHA-256",
"Verify Peer Cert By Name",
]
`;
@@ -74,6 +74,7 @@ exports[`InboundSchema (full) fixtures > parses hysteria-v1-tls byte-stably 1`]
"echConfigList": "",
"fingerprint": "chrome",
"pinnedPeerCertSha256": [],
"verifyPeerCertByName": "",
},
},
},
@@ -217,6 +218,7 @@ exports[`InboundSchema (full) fixtures > parses trojan-ws-tls byte-stably 1`] =
"echConfigList": "",
"fingerprint": "chrome",
"pinnedPeerCertSha256": [],
"verifyPeerCertByName": "",
},
},
"wsSettings": {
@@ -394,6 +396,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls byte-stably 1`] = `
"echConfigList": "",
"fingerprint": "chrome",
"pinnedPeerCertSha256": [],
"verifyPeerCertByName": "",
},
},
"wsSettings": {
@@ -488,6 +491,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls-pinned byte-stably
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
],
"verifyPeerCertByName": "",
},
},
"wsSettings": {
@@ -583,6 +587,7 @@ exports[`InboundSchema (full) fixtures > parses vmess-tcp-tls byte-stably 1`] =
"echConfigList": "",
"fingerprint": "chrome",
"pinnedPeerCertSha256": [],
"verifyPeerCertByName": "",
},
},
},
@@ -68,6 +68,7 @@ exports[`SecuritySettingsSchema fixtures > parses tls-cert-file byte-stably 1`]
"echConfigList": "",
"fingerprint": "chrome",
"pinnedPeerCertSha256": [],
"verifyPeerCertByName": "",
},
},
}
+2
View File
@@ -13,6 +13,7 @@ describe('hostToExternalProxyEntry', () => {
alpn: ['h2'] as ('h2' | 'h3' | 'http/1.1')[],
fingerprint: 'chrome' as const,
pinnedPeerCertSha256: ['AAAA'],
verifyPeerCertByName: 'verify.example.com',
echConfigList: 'ECH',
overrideSniFromAddress: false,
keepSniBlank: false,
@@ -28,6 +29,7 @@ describe('hostToExternalProxyEntry', () => {
expect(ep.alpn).toEqual(['h2']);
expect(ep.fingerprint).toBe('chrome');
expect(ep.pinnedPeerCertSha256).toEqual(['AAAA']);
expect(ep.verifyPeerCertByName).toBe('verify.example.com');
expect(ep.echConfigList).toBe('ECH');
});
@@ -85,7 +85,8 @@ describe('inbound security forms', () => {
saving={false}
setCertFromPanel={noop}
clearCertFiles={noop}
generateRandomPinHash={noop}
pinFromCert={noop}
pinFromRemote={noop}
getNewEchCert={noop}
clearEchCert={noop}
/>