mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-07-11 07:06:06 +00:00
* fix: enable XTLS vision flow for VLESS+XHTTP+vlessenc in UI and share links (#5157) * fix: enable xtls-rprx-vision flow for VLESS XHTTP with vlessenc encryption (#5157) The flow selector was hidden and the vless:// link omitted flow= because: 1. The backend gate (inboundCanEnableTlsFlow) only accepted tcp+tls/reality. 2. The PR #5185 frontend check used `encryption === 'vlessenc'`, which never matches — the stored value is a generated ML-KEM dotted string, not the CLI subcommand name. Fix: extend inboundCanEnableTlsFlow to also return true for XHTTP when a non-none vlessenc encryption/decryption value is present. Update all three call-sites (inbound.go TlsFlowCapable field, client_crud.go clientWithInboundFlow, inbound_clients.go copy-flow path) and the sub/service.go link generator. Scope is XHTTP-only: TCP without tls/reality is intentionally excluded. Add inbound_protocol_test.go covering the new and existing gate combinations, extend client_flow_isolation_test.go with xhttp+vlessenc cases, and add frontend tests for canEnableTlsFlow with real ML-KEM key values. --------- Co-authored-by: rqzbeh <rqzbeh@users.noreply.github.com> Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>
This commit is contained in:
@@ -16,16 +16,16 @@ const SS_BLAKE3_CHACHA20 = '2022-blake3-chacha20-poly1305';
|
||||
|
||||
export interface CapabilityProtocolSlice {
|
||||
protocol: string;
|
||||
settings?: { encryption?: string; decryption?: string };
|
||||
streamSettings?: { network?: string; security?: string };
|
||||
}
|
||||
|
||||
export interface CapabilityVlessSlice extends CapabilityProtocolSlice {
|
||||
settings?: { clients?: { flow?: string }[] };
|
||||
settings?: { encryption?: string; decryption?: string; clients?: { flow?: string }[] };
|
||||
}
|
||||
|
||||
export interface CapabilityShadowsocksSlice {
|
||||
protocol: string;
|
||||
settings?: { method?: string };
|
||||
export interface CapabilityShadowsocksSlice extends CapabilityProtocolSlice {
|
||||
settings?: { encryption?: string; method?: string };
|
||||
}
|
||||
|
||||
export function canEnableTls(values: CapabilityProtocolSlice): boolean {
|
||||
@@ -39,11 +39,28 @@ export function canEnableReality(values: CapabilityProtocolSlice): boolean {
|
||||
return REALITY_NETWORKS.includes(values.streamSettings?.network ?? '');
|
||||
}
|
||||
|
||||
// VLESS encryption (vlessenc / ML-KEM) is on when encryption or decryption holds
|
||||
// a generated value (e.g. "mlkem768x25519plus.native.0rtt.<key>") rather than
|
||||
// the "none"/"" sentinel. The value is never the literal "vlessenc" (that is the
|
||||
// `xray vlessenc` subcommand). decryption is the server-side value; encryption is
|
||||
// stored for link generation — either being set means it is on.
|
||||
function hasVlessEncryption(settings: CapabilityProtocolSlice['settings']): boolean {
|
||||
const isSet = (v?: string) => v != null && v !== '' && v !== 'none';
|
||||
return isSet(settings?.encryption) || isSet(settings?.decryption);
|
||||
}
|
||||
|
||||
export function canEnableTlsFlow(values: CapabilityProtocolSlice): boolean {
|
||||
if (values.protocol !== 'vless') return false;
|
||||
const network = values.streamSettings?.network;
|
||||
const security = values.streamSettings?.security;
|
||||
if (security !== 'tls' && security !== 'reality') return false;
|
||||
if (values.streamSettings?.network !== 'tcp') return false;
|
||||
return values.protocol === 'vless';
|
||||
|
||||
// Classic XTLS Vision: raw TCP carried over TLS or REALITY.
|
||||
if (network === 'tcp' && (security === 'tls' || security === 'reality')) return true;
|
||||
|
||||
// vlessenc carries Vision over XHTTP without transport TLS.
|
||||
if (network === 'xhttp' && hasVlessEncryption(values.settings)) return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
export function canEnableStream(values: { protocol: string }): boolean {
|
||||
|
||||
@@ -122,7 +122,7 @@ export const sections: readonly Section[] = [
|
||||
{
|
||||
method: 'GET',
|
||||
path: '/panel/api/inbounds/options',
|
||||
summary: 'Lightweight picker projection of the authenticated user’s inbounds. Returns id, remark, tag, protocol, port, a server-computed tlsFlowCapable flag (true for VLESS / port-fallback on TCP with tls or reality), and ssMethod (the Shadowsocks cipher, empty for non-Shadowsocks inbounds — used by the client UI to generate a valid Shadowsocks 2022 PSK). Use this for dropdowns and attach pickers — it skips settings, streamSettings, and clientStats so the payload stays small even on panels with thousands of clients.',
|
||||
summary: 'Lightweight picker projection of the authenticated user’s inbounds. Returns id, remark, tag, protocol, port, a server-computed tlsFlowCapable flag (true for VLESS on TCP with tls or reality, or on XHTTP with VLESS encryption / vlessenc enabled), and ssMethod (the Shadowsocks cipher, empty for non-Shadowsocks inbounds — used by the client UI to generate a valid Shadowsocks 2022 PSK). Use this for dropdowns and attach pickers — it skips settings, streamSettings, and clientStats so the payload stays small even on panels with thousands of clients.',
|
||||
responseSchema: 'InboundOption',
|
||||
responseSchemaArray: true,
|
||||
},
|
||||
|
||||
@@ -121,6 +121,10 @@ export function buildInboundInfo(dbInbound: DBInboundLike): InboundInfo {
|
||||
}),
|
||||
isVlessTlsFlow: canEnableTlsFlow({
|
||||
protocol: dbInbound.protocol,
|
||||
settings: {
|
||||
encryption: settings.encryption as string | undefined,
|
||||
decryption: settings.decryption as string | undefined,
|
||||
},
|
||||
streamSettings: { network, security },
|
||||
}),
|
||||
host: readNetworkHost(stream, network),
|
||||
|
||||
@@ -180,6 +180,35 @@ describe('protocol-capability helpers with raw coerced shapes', () => {
|
||||
streamSettings: { network: 'tcp', security: 'tls' },
|
||||
})).toBe(false);
|
||||
});
|
||||
|
||||
it('canEnableTlsFlow allows vless + xhttp when vlessenc encryption is set', () => {
|
||||
const enc = 'mlkem768x25519plus.native.0rtt.G3cdPSd1-NnlpTbWNSM5vHsT5VNzWfFzYSKwbUMnV1Y';
|
||||
const dec = 'mlkem768x25519plus.native.600s.mMFxPe7lz5xoq2qBk22cQYefu5fpc_2dGR8lMOKem0E';
|
||||
// XHTTP + a real (generated) encryption value → Vision flow allowed.
|
||||
expect(canEnableTlsFlow({
|
||||
protocol: 'vless',
|
||||
settings: { encryption: enc },
|
||||
streamSettings: { network: 'xhttp', security: 'none' },
|
||||
})).toBe(true);
|
||||
// decryption alone (server-side value) is enough on XHTTP.
|
||||
expect(canEnableTlsFlow({
|
||||
protocol: 'vless',
|
||||
settings: { decryption: dec, encryption: 'none' },
|
||||
streamSettings: { network: 'xhttp', security: 'none' },
|
||||
})).toBe(true);
|
||||
// No encryption → stays gated off.
|
||||
expect(canEnableTlsFlow({
|
||||
protocol: 'vless',
|
||||
settings: { encryption: 'none' },
|
||||
streamSettings: { network: 'xhttp', security: 'none' },
|
||||
})).toBe(false);
|
||||
// vlessenc is XHTTP-only: TCP without tls/reality is not Vision-capable.
|
||||
expect(canEnableTlsFlow({
|
||||
protocol: 'vless',
|
||||
settings: { decryption: dec, encryption: enc },
|
||||
streamSettings: { network: 'tcp', security: 'none' },
|
||||
})).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
describe('getInboundClients with schema-shaped inbound', () => {
|
||||
|
||||
Reference in New Issue
Block a user