mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-07-14 16:46:07 +00:00
feat(mtproto): adopt dolonet/mtg-multi and make MTProto inbounds multi-client
Replace the upstream 9seconds/mtg sidecar with the dolonet/mtg-multi fork so a single MTProto inbound can serve many per-user secrets. Each panel client is now one named FakeTLS secret in the fork's [secrets] section: clients are first-class (attach/detach, limits, expiry, per-client tg:// links) exactly like every other protocol, mirroring the WireGuard multi-client model. Per-client traffic and online status come from the fork's /stats JSON API (its Prometheus output has no per-user label), fed into the existing email-keyed client_traffics accumulator; an optional throttle caps concurrent connections. A one-time seeder converts each legacy single-secret inbound into a one-client inbound. The fork ships only linux/darwin amd64/arm64 binaries but is pure Go, so provisioning builds it from source for every supported platform (release.yml, DockerInit.sh) while keeping the panel-expected mtg-<os>-<arch> filename and the 'run' verb, so process.go is untouched. Also fixes a pre-existing update.sh gap that never renamed the mtg binary for armv6/armv7 updates.
This commit is contained in:
+130
-1
@@ -370,6 +370,130 @@ func wireguardPeerEmail(remark string, peer map[string]any, index int, used map[
|
||||
}
|
||||
}
|
||||
|
||||
// seedMtprotoSecretsToClients converts each legacy single-secret mtproto inbound
|
||||
// into a one-client inbound so MTProto joins the shared multi-client model: the
|
||||
// inbound-level secret becomes the first client's FakeTLS secret, and a
|
||||
// ClientRecord + client_inbounds link are created so per-client traffic, limits,
|
||||
// and share links work exactly like every other protocol. One-time, self-gated
|
||||
// on the "MtprotoSecretsToClients" seeder row. Mirrors seedWireguardPeersToClients.
|
||||
func seedMtprotoSecretsToClients() error {
|
||||
var history []string
|
||||
if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
if slices.Contains(history, "MtprotoSecretsToClients") {
|
||||
return nil
|
||||
}
|
||||
|
||||
var inbounds []model.Inbound
|
||||
if err := db.Where("protocol = ?", string(model.MTProto)).Find(&inbounds).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return db.Transaction(func(tx *gorm.DB) error {
|
||||
usedEmails := map[string]struct{}{}
|
||||
var existingEmails []string
|
||||
if err := tx.Model(&model.ClientRecord{}).Pluck("email", &existingEmails).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
for _, e := range existingEmails {
|
||||
usedEmails[e] = struct{}{}
|
||||
}
|
||||
|
||||
for _, inbound := range inbounds {
|
||||
if strings.TrimSpace(inbound.Settings) == "" {
|
||||
continue
|
||||
}
|
||||
var settings map[string]any
|
||||
if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
|
||||
log.Printf("MtprotoSecretsToClients: skip inbound %d (invalid settings json): %v", inbound.Id, err)
|
||||
continue
|
||||
}
|
||||
if clients, ok := settings["clients"].([]any); ok && len(clients) > 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
var linkCount int64
|
||||
if err := tx.Model(&model.ClientInbound{}).Where("inbound_id = ?", inbound.Id).Count(&linkCount).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
if linkCount > 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
secret, _ := settings["secret"].(string)
|
||||
secret = strings.TrimSpace(secret)
|
||||
if secret == "" {
|
||||
domain, _ := settings["fakeTlsDomain"].(string)
|
||||
secret = model.GenerateFakeTLSSecret(strings.TrimSpace(domain))
|
||||
}
|
||||
|
||||
email := mtprotoInboundClientEmail(inbound.Remark, usedEmails)
|
||||
usedEmails[email] = struct{}{}
|
||||
|
||||
obj := map[string]any{
|
||||
"email": email,
|
||||
"secret": secret,
|
||||
"enable": true,
|
||||
"subId": random.NumLower(16),
|
||||
}
|
||||
c := model.Client{Email: email, Secret: secret, Enable: true, SubID: obj["subId"].(string)}
|
||||
|
||||
incoming := c.ToRecord()
|
||||
var row model.ClientRecord
|
||||
err := tx.Where("email = ?", email).First(&row).Error
|
||||
if errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
if err := tx.Create(incoming).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
row = *incoming
|
||||
} else if err != nil {
|
||||
return err
|
||||
} else {
|
||||
model.MergeClientRecord(&row, incoming)
|
||||
if err := tx.Save(&row).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
link := model.ClientInbound{ClientId: row.Id, InboundId: inbound.Id}
|
||||
if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
|
||||
FirstOrCreate(&link).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
delete(settings, "secret")
|
||||
settings["clients"] = []any{obj}
|
||||
newSettings, err := json.Marshal(settings)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
|
||||
Update("settings", string(newSettings)).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return tx.Create(&model.HistoryOfSeeders{SeederName: "MtprotoSecretsToClients"}).Error
|
||||
})
|
||||
}
|
||||
|
||||
// mtprotoInboundClientEmail derives a stable, unique client email for a migrated
|
||||
// mtproto inbound from its remark.
|
||||
func mtprotoInboundClientEmail(remark string, used map[string]struct{}) string {
|
||||
base := strings.TrimSpace(remark)
|
||||
if base == "" {
|
||||
base = "mtproto"
|
||||
}
|
||||
email := strings.ReplaceAll(base, " ", "-")
|
||||
candidate := email
|
||||
for n := 2; ; n++ {
|
||||
if _, taken := used[candidate]; !taken {
|
||||
return candidate
|
||||
}
|
||||
candidate = email + "-" + strconv.Itoa(n)
|
||||
}
|
||||
}
|
||||
|
||||
// CreateHostsFromExternalProxy parses a legacy streamSettings.externalProxy array
|
||||
// and inserts one Host row per entry on tx, returning the number of rows created.
|
||||
// It is the shared core of both the one-time seedHostsFromExternalProxy startup
|
||||
@@ -687,7 +811,7 @@ func runSeeders(isUsersEmpty bool) error {
|
||||
}
|
||||
|
||||
if empty && isUsersEmpty {
|
||||
seeders := []string{"UserPasswordHash", "ClientsTable", "InboundClientsArrayFix", "InboundClientTgIdFix", "InboundClientSubIdFix", "FreedomFinalRulesReverseFix", "ApiTokensHash", "LegacyProxySettingsCleanup", "WireguardPeersToClients"}
|
||||
seeders := []string{"UserPasswordHash", "ClientsTable", "InboundClientsArrayFix", "InboundClientTgIdFix", "InboundClientSubIdFix", "FreedomFinalRulesReverseFix", "ApiTokensHash", "LegacyProxySettingsCleanup", "WireguardPeersToClients", "MtprotoSecretsToClients"}
|
||||
for _, name := range seeders {
|
||||
if err := db.Create(&model.HistoryOfSeeders{SeederName: name}).Error; err != nil {
|
||||
return err
|
||||
@@ -796,6 +920,11 @@ func runSeeders(isUsersEmpty bool) error {
|
||||
return err
|
||||
}
|
||||
|
||||
// Self-gated on the "MtprotoSecretsToClients" row.
|
||||
if err := seedMtprotoSecretsToClients(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Idempotent, not seeder-gated: bad values can re-enter via a restored
|
||||
// backup, so re-check on every start.
|
||||
return normalizeSettingPaths()
|
||||
|
||||
@@ -487,6 +487,74 @@ func HealMtprotoSecret(settings string) (string, bool) {
|
||||
return string(out), true
|
||||
}
|
||||
|
||||
// mtprotoSecretDomain extracts the FakeTLS domain embedded in the tail of a
|
||||
// secret, returning an empty string when the secret is malformed. Each mtproto
|
||||
// client carries its own domain inside its secret, so healing preserves it
|
||||
// instead of forcing every client onto the inbound-level default.
|
||||
func mtprotoSecretDomain(secret string) string {
|
||||
s := secret
|
||||
if strings.HasPrefix(s, "ee") || strings.HasPrefix(s, "dd") {
|
||||
s = s[2:]
|
||||
}
|
||||
if len(s) <= 32 {
|
||||
return ""
|
||||
}
|
||||
decoded, err := hex.DecodeString(s[32:])
|
||||
if err != nil || len(decoded) == 0 {
|
||||
return ""
|
||||
}
|
||||
return string(decoded)
|
||||
}
|
||||
|
||||
// HealMtprotoClientSecrets normalises every client's FakeTLS secret in an
|
||||
// mtproto inbound's settings JSON: each secret is rebuilt so it stays a valid
|
||||
// FakeTLS value, keeping the client's own embedded domain when present and
|
||||
// falling back to the inbound-level fakeTlsDomain otherwise. Returns the
|
||||
// rewritten settings and true when anything changed.
|
||||
func HealMtprotoClientSecrets(settings string) (string, bool) {
|
||||
if settings == "" {
|
||||
return settings, false
|
||||
}
|
||||
var parsed map[string]any
|
||||
if err := json.Unmarshal([]byte(settings), &parsed); err != nil {
|
||||
return settings, false
|
||||
}
|
||||
clients, ok := parsed["clients"].([]any)
|
||||
if !ok || len(clients) == 0 {
|
||||
return settings, false
|
||||
}
|
||||
defaultDomain, _ := parsed["fakeTlsDomain"].(string)
|
||||
defaultDomain = strings.TrimSpace(defaultDomain)
|
||||
changed := false
|
||||
for _, raw := range clients {
|
||||
client, ok := raw.(map[string]any)
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
secret, _ := client["secret"].(string)
|
||||
domain := mtprotoSecretDomain(secret)
|
||||
if domain == "" {
|
||||
domain = defaultDomain
|
||||
}
|
||||
if domain == "" {
|
||||
continue
|
||||
}
|
||||
expected := "ee" + mtprotoSecretMiddle(secret) + hex.EncodeToString([]byte(domain))
|
||||
if secret != expected {
|
||||
client["secret"] = expected
|
||||
changed = true
|
||||
}
|
||||
}
|
||||
if !changed {
|
||||
return settings, false
|
||||
}
|
||||
out, err := json.MarshalIndent(parsed, "", " ")
|
||||
if err != nil {
|
||||
return settings, false
|
||||
}
|
||||
return string(out), true
|
||||
}
|
||||
|
||||
// Setting stores key-value configuration settings for the 3x-ui panel.
|
||||
type Setting struct {
|
||||
Id int `json:"id" form:"id" gorm:"primaryKey;autoIncrement"`
|
||||
@@ -603,6 +671,7 @@ type Client struct {
|
||||
AllowedIPs []string `json:"allowedIPs,omitempty"`
|
||||
PreSharedKey string `json:"preSharedKey,omitempty"`
|
||||
KeepAlive int `json:"keepAlive,omitempty"`
|
||||
Secret string `json:"secret,omitempty" example:"ee1234567890abcdef1234567890abcd7777772e636c6f7564666c6172652e636f6d"` // MTProto FakeTLS secret
|
||||
Email string `json:"email"` // Client email identifier
|
||||
LimitIP int `json:"limitIp"` // IP limit for this client
|
||||
TotalGB int64 `json:"totalGB" form:"totalGB"` // Total traffic limit in GB
|
||||
@@ -632,6 +701,7 @@ type ClientRecord struct {
|
||||
AllowedIPs string `json:"allowedIPs" gorm:"column:wg_allowed_ips"`
|
||||
PreSharedKey string `json:"preSharedKey" gorm:"column:wg_pre_shared_key"`
|
||||
KeepAlive int `json:"keepAlive" gorm:"column:wg_keep_alive;default:0"`
|
||||
Secret string `json:"secret" gorm:"column:secret"`
|
||||
LimitIP int `json:"limitIp" gorm:"column:limit_ip"`
|
||||
TotalGB int64 `json:"totalGB" gorm:"column:total_gb"`
|
||||
ExpiryTime int64 `json:"expiryTime" gorm:"column:expiry_time"`
|
||||
@@ -815,6 +885,7 @@ func (c *Client) ToRecord() *ClientRecord {
|
||||
AllowedIPs: strings.Join(c.AllowedIPs, ","),
|
||||
PreSharedKey: c.PreSharedKey,
|
||||
KeepAlive: c.KeepAlive,
|
||||
Secret: c.Secret,
|
||||
}
|
||||
if c.Reverse != nil {
|
||||
if b, err := json.Marshal(c.Reverse); err == nil {
|
||||
@@ -866,6 +937,7 @@ func (r *ClientRecord) ToClient() *Client {
|
||||
AllowedIPs: splitWireguardAllowedIPs(r.AllowedIPs),
|
||||
PreSharedKey: r.PreSharedKey,
|
||||
KeepAlive: r.KeepAlive,
|
||||
Secret: r.Secret,
|
||||
}
|
||||
if r.Reverse != "" {
|
||||
var rev ClientReverse
|
||||
@@ -1017,6 +1089,12 @@ func MergeClientRecord(existing *ClientRecord, incoming *ClientRecord) []ClientM
|
||||
keepSecret("preSharedKey")
|
||||
}
|
||||
}
|
||||
if existing.Secret != incoming.Secret && incoming.Secret != "" {
|
||||
if incomingNewer || existing.Secret == "" {
|
||||
existing.Secret = incoming.Secret
|
||||
keepSecret("secret")
|
||||
}
|
||||
}
|
||||
if existing.AllowedIPs != incoming.AllowedIPs && incoming.AllowedIPs != "" {
|
||||
if incomingNewer || existing.AllowedIPs == "" {
|
||||
keep("allowedIPs", existing.AllowedIPs, incoming.AllowedIPs, incoming.AllowedIPs)
|
||||
|
||||
@@ -69,3 +69,40 @@ func TestHealMtprotoSecret(t *testing.T) {
|
||||
t.Fatal("expected no change when fakeTlsDomain is missing")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHealMtprotoClientSecrets(t *testing.T) {
|
||||
// An empty client secret is filled from the inbound-level default domain.
|
||||
in := `{"fakeTlsDomain":"a.com","clients":[{"email":"x","secret":""}]}`
|
||||
out, changed := HealMtprotoClientSecrets(in)
|
||||
if !changed {
|
||||
t.Fatal("expected an empty client secret to be filled")
|
||||
}
|
||||
var parsed map[string]any
|
||||
if err := json.Unmarshal([]byte(out), &parsed); err != nil {
|
||||
t.Fatalf("healed settings not valid json: %v", err)
|
||||
}
|
||||
clients := parsed["clients"].([]any)
|
||||
got := clients[0].(map[string]any)["secret"].(string)
|
||||
if !strings.HasPrefix(got, "ee") || !strings.HasSuffix(got, hex.EncodeToString([]byte("a.com"))) {
|
||||
t.Fatalf("filled client secret malformed: %q", got)
|
||||
}
|
||||
|
||||
// Healing is idempotent once every client secret is valid.
|
||||
if _, changed2 := HealMtprotoClientSecrets(out); changed2 {
|
||||
t.Fatal("expected no change for already-valid client secrets")
|
||||
}
|
||||
|
||||
// A client's own embedded domain is preserved even when it differs from the
|
||||
// inbound-level default (per-client domain fronting).
|
||||
own := "ee00112233445566778899aabbccddeeff" + hex.EncodeToString([]byte("b.com"))
|
||||
in3 := `{"fakeTlsDomain":"a.com","clients":[{"email":"y","secret":"` + own + `"}]}`
|
||||
out3, changed3 := HealMtprotoClientSecrets(in3)
|
||||
if changed3 {
|
||||
t.Fatalf("a valid per-client secret must be left untouched, got %q", out3)
|
||||
}
|
||||
|
||||
// No clients array — nothing to heal.
|
||||
if _, changed4 := HealMtprotoClientSecrets(`{"fakeTlsDomain":"a.com"}`); changed4 {
|
||||
t.Fatal("expected no change when there are no clients")
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user