feat(xray): update xray-core to v26.7.11 and adapt panel

Bump xtls/xray-core to 50231eaf (v26.7.11) and the three binary pins
(DockerInit.sh, release.yml x2) in lockstep.

Adapt the panel to the upstream changes:

- Shadowsocks "none"/"plain" and VMess "none"/"zero" were removed from
  the core. A migration rewrites stored none/plain SS methods to a
  supported cipher and none/zero VMess security to "auto" (on both the
  clients column and inbound settings JSON); the SS build-time heal does
  the same so a row injected after boot cannot brick startup. The removed
  values are dropped from every frontend option list, schema and adapter,
  and coerced to "auto" at the Go link/sub/Clash emit sites and both link
  importers. Fix the CipherType_NONE sentinel that no longer compiles.

- Unencrypted vless/trojan outbounds to a public address are now refused
  by the core. Validate outbounds through the vendored config loader when
  saving the xray template and when storing/merging outbound
  subscriptions, so one such outbound cannot keep the core from starting.

- New TCP finalmask type "xmc" (Minecraft mimicry): add it to the sub
  link allowlist, the frontend enum and the FinalMask form (hostname,
  usernames, required password), and document it.

- streamSettings gained a "method" alias for "network"; canonicalize it
  to "network" at inbound save time and in the form adapters/schema so a
  method-keyed config keeps its transport.

- New root "env" config key is passed through xray.Config, compared in
  Equals, and forces a restart in the hot diff.

- REALITY now defaults minClientVer to 26.3.27; update the form
  placeholder.
This commit is contained in:
MHSanaei
2026-07-12 00:30:47 +02:00
parent affcf6c422
commit 814cda3fb4
39 changed files with 709 additions and 69 deletions
+125
View File
@@ -121,6 +121,12 @@ func initModels() error {
if err := migrateLegacySocksInboundsToMixed(); err != nil {
return err
}
if err := migrateShadowsocksRemovedCiphers(); err != nil {
return err
}
if err := migrateVmessRemovedSecurities(); err != nil {
return err
}
if IsPostgres() {
if err := resyncPostgresSequences(db, models); err != nil {
log.Printf("Error resyncing postgres sequences: %v", err)
@@ -754,6 +760,125 @@ func migrateLegacySocksInboundsToMixed() error {
return nil
}
// migrateShadowsocksRemovedCiphers rewrites shadowsocks inbounds still using
// the "none"/"plain" ciphers that xray-core v26.7.11 removed; one such row
// makes the whole generated config unbuildable and keeps xray from starting.
func migrateShadowsocksRemovedCiphers() error {
var inbounds []model.Inbound
if err := db.Where("protocol = ?", model.Shadowsocks).Find(&inbounds).Error; err != nil {
return err
}
migrated := int64(0)
for _, inbound := range inbounds {
if strings.TrimSpace(inbound.Settings) == "" {
continue
}
var settings map[string]any
if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
continue
}
changed := false
if method, _ := settings["method"].(string); method != "" {
if replacement, removed := model.ReplaceRemovedShadowsocksCipher(method); removed {
settings["method"] = replacement
changed = true
}
}
if clients, ok := settings["clients"].([]any); ok {
for i := range clients {
cm, ok := clients[i].(map[string]any)
if !ok {
continue
}
method, _ := cm["method"].(string)
if replacement, removed := model.ReplaceRemovedShadowsocksCipher(method); removed {
cm["method"] = replacement
clients[i] = cm
changed = true
}
}
}
if !changed {
continue
}
newSettings, err := json.MarshalIndent(settings, "", " ")
if err != nil {
log.Printf("migrateShadowsocksRemovedCiphers: skip inbound %d (marshal failed): %v", inbound.Id, err)
continue
}
if err := db.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
Update("settings", string(newSettings)).Error; err != nil {
return err
}
migrated++
}
if migrated > 0 {
log.Printf("Rewrote removed shadowsocks cipher on %d inbound(s)", migrated)
}
return nil
}
// migrateVmessRemovedSecurities rewrites the vmess "none"/"zero" security
// values that xray-core v26.7.11 removed to "auto" (what the core now treats
// them as), on both the clients column and each vmess inbound's settings.
func migrateVmessRemovedSecurities() error {
res := db.Exec("UPDATE clients SET security = 'auto' WHERE security IN ('none', 'zero')")
if res.Error != nil {
log.Printf("Error migrating removed vmess security values on clients: %v", res.Error)
return res.Error
}
if res.RowsAffected > 0 {
log.Printf("Migrated %d client(s) off removed vmess security values", res.RowsAffected)
}
var inbounds []model.Inbound
if err := db.Where("protocol = ?", model.VMESS).Find(&inbounds).Error; err != nil {
return err
}
migrated := int64(0)
for _, inbound := range inbounds {
if strings.TrimSpace(inbound.Settings) == "" {
continue
}
var settings map[string]any
if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
continue
}
clients, ok := settings["clients"].([]any)
if !ok {
continue
}
changed := false
for i := range clients {
cm, ok := clients[i].(map[string]any)
if !ok {
continue
}
if security, _ := cm["security"].(string); security == "none" || security == "zero" {
cm["security"] = "auto"
clients[i] = cm
changed = true
}
}
if !changed {
continue
}
newSettings, err := json.MarshalIndent(settings, "", " ")
if err != nil {
log.Printf("migrateVmessRemovedSecurities: skip inbound %d (marshal failed): %v", inbound.Id, err)
continue
}
if err := db.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
Update("settings", string(newSettings)).Error; err != nil {
return err
}
migrated++
}
if migrated > 0 {
log.Printf("Rewrote removed vmess security values on %d inbound(s)", migrated)
}
return nil
}
// normalizeInboundSubSortIndex lifts sub_sort_index values below the 1-based
// minimum (rows written by builds that defaulted the column to 0, or by nodes
// predating the field) so they cannot sort ahead of explicitly ranked inbounds.
+31 -4
View File
@@ -442,8 +442,23 @@ func StripVlessInboundEncryption(settings string) (string, bool) {
return string(out), true
}
// HealShadowsocksClientMethods normalises the per-client `method` field
// on a shadowsocks inbound's settings JSON before it leaves for xray-core:
// ReplaceRemovedShadowsocksCipher maps ciphers that xray-core v26.7.11
// deleted ("none"/"plain" make the whole config fail with "unknown cipher
// method") to a still-supported replacement. Returns the replacement and
// true when the given method is one of the removed ciphers.
func ReplaceRemovedShadowsocksCipher(method string) (string, bool) {
switch method {
case "none", "plain":
return "chacha20-ietf-poly1305", true
}
return method, false
}
// HealShadowsocksClientMethods normalises the `method` fields on a
// shadowsocks inbound's settings JSON before it leaves for xray-core:
// - Ciphers removed upstream (none/plain): rewritten via
// ReplaceRemovedShadowsocksCipher so one legacy row cannot prevent
// xray from starting.
// - Legacy ciphers (aes-*, chacha20-*): every client must carry a
// per-user `method` matching the inbound's top-level method, otherwise
// xray fails with "unsupported cipher method:".
@@ -462,12 +477,24 @@ func HealShadowsocksClientMethods(settings string) (string, bool) {
return settings, false
}
method, _ := parsed["method"].(string)
changed := false
if replacement, removed := ReplaceRemovedShadowsocksCipher(method); removed {
method = replacement
parsed["method"] = method
changed = true
}
clients, ok := parsed["clients"].([]any)
if !ok {
return settings, false
if !changed {
return settings, false
}
out, err := json.MarshalIndent(parsed, "", " ")
if err != nil {
return settings, false
}
return string(out), true
}
is2022 := strings.HasPrefix(method, "2022-blake3-")
changed := false
for i := range clients {
cm, ok := clients[i].(map[string]any)
if !ok {
@@ -0,0 +1,43 @@
package model
import (
"encoding/json"
"testing"
)
// TestHealShadowsocksClientMethods_RewritesRemovedCipher covers the last-gate
// build-time heal for xray-core v26.7.11's removed "none"/"plain" ciphers: a
// row that survives to config generation (restored backup, direct DB edit)
// must be rewritten to a supported cipher on both the inbound method and its
// clients so one such inbound cannot keep xray from starting.
func TestHealShadowsocksClientMethods_RewritesRemovedCipher(t *testing.T) {
settings := `{"method": "plain", "clients": [{"email": "a@x", "password": "p", "method": "plain"}]}`
healed, ok := HealShadowsocksClientMethods(settings)
if !ok {
t.Fatal("expected heal to report a change for a removed cipher")
}
var parsed struct {
Method string `json:"method"`
Clients []map[string]any `json:"clients"`
}
if err := json.Unmarshal([]byte(healed), &parsed); err != nil {
t.Fatalf("parse healed settings: %v", err)
}
if parsed.Method != "chacha20-ietf-poly1305" {
t.Fatalf("expected inbound method rewritten to a supported cipher, got %q", parsed.Method)
}
if parsed.Clients[0]["method"] != "chacha20-ietf-poly1305" {
t.Fatalf("expected client method to match the healed cipher, got %v", parsed.Clients[0]["method"])
}
}
func TestReplaceRemovedShadowsocksCipher(t *testing.T) {
for _, method := range []string{"none", "plain"} {
if got, removed := ReplaceRemovedShadowsocksCipher(method); !removed || got != "chacha20-ietf-poly1305" {
t.Fatalf("ReplaceRemovedShadowsocksCipher(%q) = (%q, %v), want a supported replacement", method, got, removed)
}
}
if got, removed := ReplaceRemovedShadowsocksCipher("aes-256-gcm"); removed || got != "aes-256-gcm" {
t.Fatalf("ReplaceRemovedShadowsocksCipher(aes-256-gcm) = (%q, %v), want it left untouched", got, removed)
}
}
@@ -0,0 +1,117 @@
package database
import (
"encoding/json"
"path/filepath"
"testing"
"github.com/mhsanaei/3x-ui/v3/internal/database/model"
)
// TestMigrateShadowsocksRemovedCiphers_RewritesNoneAndPlain covers the
// xray-core v26.7.11 removal of the shadowsocks "none"/"plain" ciphers: one
// such row makes the generated config unbuildable, so startup must rewrite
// both the inbound method and any per-client method to a supported cipher and
// leave a valid inbound untouched.
func TestMigrateShadowsocksRemovedCiphers_RewritesNoneAndPlain(t *testing.T) {
dbDir := t.TempDir()
t.Setenv("XUI_DB_FOLDER", dbDir)
if err := InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
t.Fatalf("InitDB failed: %v", err)
}
t.Cleanup(func() { _ = CloseDB() })
removed := `{"method": "none", "clients": [{"email": "a@x", "password": "p", "method": "plain"}]}`
dirty := model.Inbound{UserId: 1, Port: 31001, Protocol: model.Shadowsocks, Tag: "ss-removed", Settings: removed}
if err := db.Create(&dirty).Error; err != nil {
t.Fatalf("create dirty inbound: %v", err)
}
valid := `{"method": "aes-256-gcm", "clients": [{"email": "b@x", "password": "p"}]}`
clean := model.Inbound{UserId: 1, Port: 31002, Protocol: model.Shadowsocks, Tag: "ss-valid", Settings: valid}
if err := db.Create(&clean).Error; err != nil {
t.Fatalf("create clean inbound: %v", err)
}
if err := migrateShadowsocksRemovedCiphers(); err != nil {
t.Fatalf("migrateShadowsocksRemovedCiphers: %v", err)
}
var gotDirty model.Inbound
if err := db.First(&gotDirty, dirty.Id).Error; err != nil {
t.Fatalf("reload dirty inbound: %v", err)
}
var parsed struct {
Method string `json:"method"`
Clients []map[string]any `json:"clients"`
}
if err := json.Unmarshal([]byte(gotDirty.Settings), &parsed); err != nil {
t.Fatalf("parse repaired settings: %v", err)
}
if parsed.Method != "chacha20-ietf-poly1305" {
t.Fatalf("expected inbound method rewritten, got %q", parsed.Method)
}
if parsed.Clients[0]["method"] != "chacha20-ietf-poly1305" {
t.Fatalf("expected client method rewritten, got %v", parsed.Clients[0]["method"])
}
var gotClean model.Inbound
if err := db.First(&gotClean, clean.Id).Error; err != nil {
t.Fatalf("reload clean inbound: %v", err)
}
if gotClean.Settings != valid {
t.Fatalf("valid inbound was rewritten:\nbefore: %s\nafter: %s", valid, gotClean.Settings)
}
}
// TestMigrateVmessRemovedSecurities_RewritesNoneAndZero covers the v26.7.11
// removal of vmess "none"/"zero" security values: startup rewrites them to
// "auto" on both the clients column and each vmess inbound's settings JSON.
func TestMigrateVmessRemovedSecurities_RewritesNoneAndZero(t *testing.T) {
dbDir := t.TempDir()
t.Setenv("XUI_DB_FOLDER", dbDir)
if err := InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
t.Fatalf("InitDB failed: %v", err)
}
t.Cleanup(func() { _ = CloseDB() })
settings := `{"clients": [{"id": "u1", "email": "a@x", "security": "none"},` +
`{"id": "u2", "email": "b@x", "security": "zero"},` +
`{"id": "u3", "email": "c@x", "security": "aes-128-gcm"}]}`
inbound := model.Inbound{UserId: 1, Port: 32001, Protocol: model.VMESS, Tag: "vmess-removed", Settings: settings}
if err := db.Create(&inbound).Error; err != nil {
t.Fatalf("create vmess inbound: %v", err)
}
if err := db.Create(&model.ClientRecord{Email: "a@x", Security: "zero", Enable: true}).Error; err != nil {
t.Fatalf("create client record: %v", err)
}
if err := migrateVmessRemovedSecurities(); err != nil {
t.Fatalf("migrateVmessRemovedSecurities: %v", err)
}
var got model.Inbound
if err := db.First(&got, inbound.Id).Error; err != nil {
t.Fatalf("reload inbound: %v", err)
}
var parsed struct {
Clients []map[string]any `json:"clients"`
}
if err := json.Unmarshal([]byte(got.Settings), &parsed); err != nil {
t.Fatalf("parse settings: %v", err)
}
if parsed.Clients[0]["security"] != "auto" || parsed.Clients[1]["security"] != "auto" {
t.Fatalf("expected removed securities rewritten to auto, got %v", parsed.Clients)
}
if parsed.Clients[2]["security"] != "aes-128-gcm" {
t.Fatalf("expected valid security untouched, got %v", parsed.Clients[2]["security"])
}
var rec model.ClientRecord
if err := db.Where("email = ?", "a@x").First(&rec).Error; err != nil {
t.Fatalf("reload client record: %v", err)
}
if rec.Security != "auto" {
t.Fatalf("expected client record security rewritten to auto, got %q", rec.Security)
}
}
+1 -5
View File
@@ -236,11 +236,7 @@ func (s *SubClashService) buildProxy(subReq *SubService, inbound *model.Inbound,
proxy["type"] = "vmess"
proxy["uuid"] = client.ID
proxy["alterId"] = 0
cipher := client.Security
if cipher == "" {
cipher = "auto"
}
proxy["cipher"] = cipher
proxy["cipher"] = normalizeVmessSecurity(client.Security)
case model.VLESS:
proxy["type"] = "vless"
proxy["uuid"] = applyVlessRoute(client.ID, hostVlessRoute(ep))
+1 -4
View File
@@ -384,10 +384,7 @@ func (s *SubJsonService) genVnext(inbound *model.Inbound, streamSettings json_ut
}
outbound.StreamSettings = streamSettings
security := client.Security
if security == "" {
security = "auto"
}
security := normalizeVmessSecurity(client.Security)
outbound.Settings = map[string]any{
"address": inbound.Listen,
"port": inbound.Port,
+14 -1
View File
@@ -714,7 +714,7 @@ func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
return ""
}
obj["id"] = client.ID
obj["scy"] = client.Security
obj["scy"] = normalizeVmessSecurity(client.Security)
externalProxies, _ := stream["externalProxy"].([]any)
@@ -726,6 +726,18 @@ func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
return buildVmessLink(obj)
}
// normalizeVmessSecurity maps the vmess security values xray-core v26.7.11
// removed ("none"/"zero"), plus the legacy empty string, to "auto" so links
// and subscriptions stop advertising values the upgraded server rejects on
// the wire.
func normalizeVmessSecurity(security string) string {
switch security {
case "", "none", "zero":
return "auto"
}
return security
}
// vlessEncryptionEnabled reports whether the VLESS inbound settings enable
// VLESS-level encryption (vlessenc / ML-KEM). When on, the encryption/decryption
// fields hold a generated dotted string (e.g. "mlkem768x25519plus.native.0rtt.<key>");
@@ -2131,6 +2143,7 @@ var validFinalMaskTCPTypes = map[string]struct{}{
"header-custom": {},
"fragment": {},
"sudoku": {},
"xmc": {},
}
// applyKcpShareParams reconstructs legacy KCP share-link fields from either
+15
View File
@@ -1016,6 +1016,21 @@ func TestMarshalFinalMask_UnknownTypeIsDropped(t *testing.T) {
}
}
func TestMarshalFinalMask_KeepsXmcTcpMask(t *testing.T) {
fm := map[string]any{
"tcp": []any{
map[string]any{"type": "xmc", "settings": map[string]any{"password": "p"}},
},
}
out, ok := marshalFinalMask(fm)
if !ok {
t.Fatal("expected ok=true for an xmc tcp mask")
}
if !strings.Contains(out, "xmc") {
t.Fatalf("marshaled finalmask dropped the xmc mask: %s", out)
}
}
func TestHasFinalMaskContent(t *testing.T) {
if hasFinalMaskContent(nil) {
t.Fatal("nil should not count as content")
+5 -1
View File
@@ -208,6 +208,10 @@ func parseVmess(link string) (*ParseResult, error) {
}
port := num(j["port"])
scy := getString(j, "scy", "auto")
if scy == "none" || scy == "zero" {
scy = "auto"
}
ob := Outbound{
"protocol": "vmess",
"tag": getString(j, "ps", ""),
@@ -219,7 +223,7 @@ func parseVmess(link string) (*ParseResult, error) {
"users": []any{
map[string]any{
"id": getString(j, "id", ""),
"security": getString(j, "scy", "auto"),
"security": scy,
},
},
},
+29 -1
View File
@@ -503,7 +503,9 @@ func (s *InboundService) getAllEmailSubIDs() (map[string]string, error) {
// Only vmess, vless, trojan, shadowsocks, hysteria, wireguard, and tunnel
// protocols use streamSettings (wireguard for finalmask UDP masks and sockopt on
// its listener; tunnel for sockopt, notably sockopt.tproxy for its TProxy/redirect
// mode).
// mode). Streams keyed on "method" — xray-core v26.7.11's preferred alias for
// "network" — are canonicalized to "network", which every panel reader (link
// generation, port-conflict detection, flow eligibility) keys on.
func (s *InboundService) normalizeStreamSettings(inbound *model.Inbound) {
protocolsWithStream := map[model.Protocol]bool{
model.VMESS: true,
@@ -517,7 +519,33 @@ func (s *InboundService) normalizeStreamSettings(inbound *model.Inbound) {
if !protocolsWithStream[inbound.Protocol] {
inbound.StreamSettings = ""
return
}
inbound.StreamSettings = canonicalizeStreamNetworkKey(inbound.StreamSettings)
}
// canonicalizeStreamNetworkKey rewrites a streamSettings JSON that names its
// transport under "method" to the panel-canonical "network" key. When both
// keys are present, "method" wins — matching xray-core's own precedence.
func canonicalizeStreamNetworkKey(streamSettings string) string {
if streamSettings == "" {
return streamSettings
}
var stream map[string]any
if err := json.Unmarshal([]byte(streamSettings), &stream); err != nil {
return streamSettings
}
method, ok := stream["method"].(string)
if !ok || method == "" {
return streamSettings
}
stream["network"] = method
delete(stream, "method")
out, err := json.MarshalIndent(stream, "", " ")
if err != nil {
return streamSettings
}
return string(out)
}
// finalMaskRealityTcpMasks returns the stream's finalmask.tcp masks when the
+38 -7
View File
@@ -17,8 +17,34 @@ import (
"github.com/mhsanaei/3x-ui/v3/internal/logger"
"github.com/mhsanaei/3x-ui/v3/internal/util/common"
"github.com/mhsanaei/3x-ui/v3/internal/util/link"
"github.com/mhsanaei/3x-ui/v3/internal/xray"
)
// filterOutboundsRejectedByCore drops outbounds the vendored xray-core config
// loader refuses to build — since v26.7.11 that includes unencrypted
// vless/trojan outbounds to public addresses — because one such outbound in
// the merged config would keep the whole core from starting.
func filterOutboundsRejectedByCore(label string, outbounds []any) ([]any, []string) {
kept := make([]any, 0, len(outbounds))
var dropped []string
for _, ob := range outbounds {
raw, err := json.Marshal(ob)
if err == nil {
if buildErr := xray.ValidateOutboundConfig(raw); buildErr != nil {
tag := ""
if m, ok := ob.(map[string]any); ok {
tag, _ = m["tag"].(string)
}
logger.Warningf("%s: dropping outbound %q rejected by xray-core: %v", label, tag, buildErr)
dropped = append(dropped, fmt.Sprintf("%s: %v", tag, buildErr))
continue
}
}
kept = append(kept, ob)
}
return kept, dropped
}
// maxOutboundSubscriptionBytes caps a single outbound subscription response.
// It is larger than the 2 MiB user-facing subscription cap because an outbound
// subscription may aggregate many upstream outbounds into one document.
@@ -347,24 +373,28 @@ func (s *OutboundSubscriptionService) fetchAndStore(sub *model.OutboundSubscript
}
identJSON, _ := json.Marshal(newIdent)
asAny := make([]any, len(parsed))
for i := range parsed {
asAny[i] = map[string]any(parsed[i])
}
kept, droppedByCore := filterOutboundsRejectedByCore(fmt.Sprintf("outbound sub %d", sub.Id), asAny)
// Persist the outbounds (as compact JSON array)
obsJSON, _ := json.Marshal(parsed)
obsJSON, _ := json.Marshal(kept)
sub.LastFetchedOutbounds = string(obsJSON)
sub.LinkIdentities = string(identJSON)
sub.LastUpdated = time.Now().Unix()
sub.LastError = ""
if len(droppedByCore) > 0 {
sub.LastError = fmt.Sprintf("dropped %d outbound(s) the xray core rejects: %s", len(droppedByCore), droppedByCore[0])
}
if err := database.GetDB().Save(sub).Error; err != nil {
return nil, err
}
// Return as []any for the config merger
result := make([]any, len(parsed))
for i := range parsed {
result[i] = parsed[i]
}
return result, nil
return kept, nil
}
func (s *OutboundSubscriptionService) recordError(sub *model.OutboundSubscription, err error) {
@@ -456,6 +486,7 @@ func (s *OutboundSubscriptionService) activeOutboundsSplit() (prepend []any, app
logger.Warningf("outbound sub %d has corrupt LastFetchedOutbounds: %v", sub.Id, err)
continue
}
arr, _ = filterOutboundsRejectedByCore(fmt.Sprintf("outbound sub %d", sub.Id), arr)
if sub.Prepend {
prepend = append(prepend, arr...)
} else {
@@ -0,0 +1,57 @@
package service
import (
"encoding/json"
"testing"
)
// TestCanonicalizeStreamNetworkKey covers xray-core v26.7.11's "method" alias
// for streamSettings "network": a config keyed on "method" (from an imported
// or API-authored inbound) must be folded back to the panel-canonical
// "network" key that every downstream reader — link generation, port-conflict
// detection, flow eligibility — depends on.
func TestCanonicalizeStreamNetworkKey(t *testing.T) {
tests := []struct {
name string
in string
wantNetwork string
wantMethod bool
}{
{
name: "method alias becomes network",
in: `{"method": "ws", "security": "tls"}`,
wantNetwork: "ws",
},
{
name: "method wins when both present",
in: `{"method": "grpc", "network": "tcp"}`,
wantNetwork: "grpc",
},
{
name: "plain network untouched",
in: `{"network": "tcp"}`,
wantNetwork: "tcp",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
got := canonicalizeStreamNetworkKey(tc.in)
var stream map[string]any
if err := json.Unmarshal([]byte(got), &stream); err != nil {
t.Fatalf("result is not valid JSON: %v", err)
}
if stream["network"] != tc.wantNetwork {
t.Fatalf("network = %v, want %q", stream["network"], tc.wantNetwork)
}
if _, hasMethod := stream["method"]; hasMethod {
t.Fatalf("method key must be removed, got %s", got)
}
})
}
}
func TestCanonicalizeStreamNetworkKey_EmptyPassthrough(t *testing.T) {
if got := canonicalizeStreamNetworkKey(""); got != "" {
t.Fatalf("empty stream must round-trip, got %q", got)
}
}
+15
View File
@@ -41,6 +41,21 @@ func (s *XraySettingService) CheckXrayConfig(XrayTemplateConfig string) error {
if err != nil {
return common.NewError("xray template config invalid:", err)
}
if len(xrayConfig.OutboundConfigs) > 0 {
var outbounds []json.RawMessage
if err := json.Unmarshal(xrayConfig.OutboundConfigs, &outbounds); err != nil {
return common.NewError("xray template config invalid: outbounds is not an array:", err)
}
for _, outbound := range outbounds {
if err := xray.ValidateOutboundConfig(outbound); err != nil {
tagged := struct {
Tag string `json:"tag"`
}{}
_ = json.Unmarshal(outbound, &tagged)
return common.NewError("xray core rejects outbound \""+tagged.Tag+"\":", err)
}
}
}
return nil
}
+17 -2
View File
@@ -171,6 +171,19 @@ func (x *XrayAPI) DelInbound(tag string) error {
return err
}
// ValidateOutboundConfig builds an outbound JSON object through the vendored
// xray-core config loader, surfacing the exact error the core would raise at
// startup — notably v26.7.11's refusal of unencrypted vless/trojan outbounds
// whose server address is a public IP or domain.
func ValidateOutboundConfig(outbound []byte) error {
detour := new(conf.OutboundDetourConfig)
if err := json.Unmarshal(outbound, detour); err != nil {
return err
}
_, err := detour.Build()
return err
}
// AddOutbound adds a new outbound configuration to the Xray core via gRPC.
func (x *XrayAPI) AddOutbound(outbound []byte) error {
if x.HandlerServiceClient == nil {
@@ -518,6 +531,8 @@ func buildUserAccount(protocolName string, user map[string]any) (*serial.TypedMe
var ssCipherType shadowsocks.CipherType
switch cipher {
case "aes-128-gcm":
ssCipherType = shadowsocks.CipherType_AES_128_GCM
case "aes-256-gcm":
ssCipherType = shadowsocks.CipherType_AES_256_GCM
case "chacha20-poly1305", "chacha20-ietf-poly1305":
@@ -525,10 +540,10 @@ func buildUserAccount(protocolName string, user map[string]any) (*serial.TypedMe
case "xchacha20-poly1305", "xchacha20-ietf-poly1305":
ssCipherType = shadowsocks.CipherType_XCHACHA20_POLY1305
default:
ssCipherType = shadowsocks.CipherType_NONE
ssCipherType = shadowsocks.CipherType_UNKNOWN
}
if ssCipherType != shadowsocks.CipherType_NONE {
if ssCipherType != shadowsocks.CipherType_UNKNOWN {
return serial.ToTypedMessage(&shadowsocks.Account{
Password: password,
CipherType: ssCipherType,
+4
View File
@@ -24,6 +24,7 @@ type Config struct {
BurstObservatory json_util.RawMessage `json:"burstObservatory,omitempty"`
Metrics json_util.RawMessage `json:"metrics"`
Geodata json_util.RawMessage `json:"geodata,omitempty"`
Env json_util.RawMessage `json:"env,omitempty"`
}
// Equals compares two Config instances for deep equality.
@@ -78,5 +79,8 @@ func (c *Config) Equals(other *Config) bool {
if !bytes.Equal(c.Geodata, other.Geodata) {
return false
}
if !bytes.Equal(c.Env, other.Env) {
return false
}
return true
}
+1
View File
@@ -70,6 +70,7 @@ func ComputeHotDiff(oldCfg, newCfg *Config) (*HotDiff, bool) {
{"burstObservatory", oldCfg.BurstObservatory, newCfg.BurstObservatory},
{"metrics", oldCfg.Metrics, newCfg.Metrics},
{"geodata", oldCfg.Geodata, newCfg.Geodata},
{"env", oldCfg.Env, newCfg.Env},
}
for _, section := range static {
if !rawEqualNormalized(section.old, section.new) {
+6
View File
@@ -143,6 +143,12 @@ func TestComputeHotDiff_StaticSectionChangeNeedsRestart(t *testing.T) {
if _, ok := ComputeHotDiff(makeHotConfig(), newCfg); ok {
t.Fatal("observatory change must force a restart")
}
newCfg = makeHotConfig()
newCfg.Env = json_util.RawMessage(`{"XRAY_DNS_PATH":"/tmp/dns"}`)
if _, ok := ComputeHotDiff(makeHotConfig(), newCfg); ok {
t.Fatal("env change must force a restart: env vars are read only at process start")
}
}
func TestComputeHotDiff_InboundAddRemoveChange(t *testing.T) {
+42
View File
@@ -0,0 +1,42 @@
package xray
import (
"strings"
"testing"
)
// TestValidateOutboundConfig_RejectsUnencryptedPublicVless covers xray-core
// v26.7.11's refusal to build an unencrypted vless outbound to a public
// address — the check now runs in-process, so the panel can surface it before
// a config reaches the core and bricks startup. A private-address outbound and
// a TLS outbound stay valid.
func TestValidateOutboundConfig_RejectsUnencryptedPublicVless(t *testing.T) {
publicPlaintext := `{
"protocol": "vless",
"settings": {"address": "1.2.3.4", "port": 443, "id": "b831381d-6324-4d53-ad4f-8cda48b30811", "encryption": "none"},
"streamSettings": {"network": "tcp", "security": "none"}
}`
if err := ValidateOutboundConfig([]byte(publicPlaintext)); err == nil {
t.Fatal("expected a public unencrypted vless outbound to be rejected")
} else if !strings.Contains(err.Error(), "prohibited") {
t.Fatalf("expected a prohibition error, got: %v", err)
}
privatePlaintext := `{
"protocol": "vless",
"settings": {"address": "10.0.0.1", "port": 443, "id": "b831381d-6324-4d53-ad4f-8cda48b30811", "encryption": "none"},
"streamSettings": {"network": "tcp", "security": "none"}
}`
if err := ValidateOutboundConfig([]byte(privatePlaintext)); err != nil {
t.Fatalf("a private-address plaintext vless outbound must stay valid, got: %v", err)
}
publicTLS := `{
"protocol": "vless",
"settings": {"address": "1.2.3.4", "port": 443, "id": "b831381d-6324-4d53-ad4f-8cda48b30811", "encryption": "none"},
"streamSettings": {"network": "tcp", "security": "tls", "tlsSettings": {"serverName": "example.com"}}
}`
if err := ValidateOutboundConfig([]byte(publicTLS)); err != nil {
t.Fatalf("a TLS-secured public vless outbound must stay valid, got: %v", err)
}
}