mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-07-14 08:36:07 +00:00
feat(mtproto): adopt dolonet/mtg-multi and make MTProto inbounds multi-client
Replace the upstream 9seconds/mtg sidecar with the dolonet/mtg-multi fork so a single MTProto inbound can serve many per-user secrets. Each panel client is now one named FakeTLS secret in the fork's [secrets] section: clients are first-class (attach/detach, limits, expiry, per-client tg:// links) exactly like every other protocol, mirroring the WireGuard multi-client model. Per-client traffic and online status come from the fork's /stats JSON API (its Prometheus output has no per-user label), fed into the existing email-keyed client_traffics accumulator; an optional throttle caps concurrent connections. A one-time seeder converts each legacy single-secret inbound into a one-client inbound. The fork ships only linux/darwin amd64/arm64 binaries but is pure Go, so provisioning builds it from source for every supported platform (release.yml, DockerInit.sh) while keeping the panel-expected mtg-<os>-<arch> filename and the 'run' verb, so process.go is untouched. Also fixes a pre-existing update.sh gap that never renamed the mtg binary for armv6/armv7 updates.
This commit is contained in:
@@ -487,6 +487,74 @@ func HealMtprotoSecret(settings string) (string, bool) {
|
||||
return string(out), true
|
||||
}
|
||||
|
||||
// mtprotoSecretDomain extracts the FakeTLS domain embedded in the tail of a
|
||||
// secret, returning an empty string when the secret is malformed. Each mtproto
|
||||
// client carries its own domain inside its secret, so healing preserves it
|
||||
// instead of forcing every client onto the inbound-level default.
|
||||
func mtprotoSecretDomain(secret string) string {
|
||||
s := secret
|
||||
if strings.HasPrefix(s, "ee") || strings.HasPrefix(s, "dd") {
|
||||
s = s[2:]
|
||||
}
|
||||
if len(s) <= 32 {
|
||||
return ""
|
||||
}
|
||||
decoded, err := hex.DecodeString(s[32:])
|
||||
if err != nil || len(decoded) == 0 {
|
||||
return ""
|
||||
}
|
||||
return string(decoded)
|
||||
}
|
||||
|
||||
// HealMtprotoClientSecrets normalises every client's FakeTLS secret in an
|
||||
// mtproto inbound's settings JSON: each secret is rebuilt so it stays a valid
|
||||
// FakeTLS value, keeping the client's own embedded domain when present and
|
||||
// falling back to the inbound-level fakeTlsDomain otherwise. Returns the
|
||||
// rewritten settings and true when anything changed.
|
||||
func HealMtprotoClientSecrets(settings string) (string, bool) {
|
||||
if settings == "" {
|
||||
return settings, false
|
||||
}
|
||||
var parsed map[string]any
|
||||
if err := json.Unmarshal([]byte(settings), &parsed); err != nil {
|
||||
return settings, false
|
||||
}
|
||||
clients, ok := parsed["clients"].([]any)
|
||||
if !ok || len(clients) == 0 {
|
||||
return settings, false
|
||||
}
|
||||
defaultDomain, _ := parsed["fakeTlsDomain"].(string)
|
||||
defaultDomain = strings.TrimSpace(defaultDomain)
|
||||
changed := false
|
||||
for _, raw := range clients {
|
||||
client, ok := raw.(map[string]any)
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
secret, _ := client["secret"].(string)
|
||||
domain := mtprotoSecretDomain(secret)
|
||||
if domain == "" {
|
||||
domain = defaultDomain
|
||||
}
|
||||
if domain == "" {
|
||||
continue
|
||||
}
|
||||
expected := "ee" + mtprotoSecretMiddle(secret) + hex.EncodeToString([]byte(domain))
|
||||
if secret != expected {
|
||||
client["secret"] = expected
|
||||
changed = true
|
||||
}
|
||||
}
|
||||
if !changed {
|
||||
return settings, false
|
||||
}
|
||||
out, err := json.MarshalIndent(parsed, "", " ")
|
||||
if err != nil {
|
||||
return settings, false
|
||||
}
|
||||
return string(out), true
|
||||
}
|
||||
|
||||
// Setting stores key-value configuration settings for the 3x-ui panel.
|
||||
type Setting struct {
|
||||
Id int `json:"id" form:"id" gorm:"primaryKey;autoIncrement"`
|
||||
@@ -603,6 +671,7 @@ type Client struct {
|
||||
AllowedIPs []string `json:"allowedIPs,omitempty"`
|
||||
PreSharedKey string `json:"preSharedKey,omitempty"`
|
||||
KeepAlive int `json:"keepAlive,omitempty"`
|
||||
Secret string `json:"secret,omitempty" example:"ee1234567890abcdef1234567890abcd7777772e636c6f7564666c6172652e636f6d"` // MTProto FakeTLS secret
|
||||
Email string `json:"email"` // Client email identifier
|
||||
LimitIP int `json:"limitIp"` // IP limit for this client
|
||||
TotalGB int64 `json:"totalGB" form:"totalGB"` // Total traffic limit in GB
|
||||
@@ -632,6 +701,7 @@ type ClientRecord struct {
|
||||
AllowedIPs string `json:"allowedIPs" gorm:"column:wg_allowed_ips"`
|
||||
PreSharedKey string `json:"preSharedKey" gorm:"column:wg_pre_shared_key"`
|
||||
KeepAlive int `json:"keepAlive" gorm:"column:wg_keep_alive;default:0"`
|
||||
Secret string `json:"secret" gorm:"column:secret"`
|
||||
LimitIP int `json:"limitIp" gorm:"column:limit_ip"`
|
||||
TotalGB int64 `json:"totalGB" gorm:"column:total_gb"`
|
||||
ExpiryTime int64 `json:"expiryTime" gorm:"column:expiry_time"`
|
||||
@@ -815,6 +885,7 @@ func (c *Client) ToRecord() *ClientRecord {
|
||||
AllowedIPs: strings.Join(c.AllowedIPs, ","),
|
||||
PreSharedKey: c.PreSharedKey,
|
||||
KeepAlive: c.KeepAlive,
|
||||
Secret: c.Secret,
|
||||
}
|
||||
if c.Reverse != nil {
|
||||
if b, err := json.Marshal(c.Reverse); err == nil {
|
||||
@@ -866,6 +937,7 @@ func (r *ClientRecord) ToClient() *Client {
|
||||
AllowedIPs: splitWireguardAllowedIPs(r.AllowedIPs),
|
||||
PreSharedKey: r.PreSharedKey,
|
||||
KeepAlive: r.KeepAlive,
|
||||
Secret: r.Secret,
|
||||
}
|
||||
if r.Reverse != "" {
|
||||
var rev ClientReverse
|
||||
@@ -1017,6 +1089,12 @@ func MergeClientRecord(existing *ClientRecord, incoming *ClientRecord) []ClientM
|
||||
keepSecret("preSharedKey")
|
||||
}
|
||||
}
|
||||
if existing.Secret != incoming.Secret && incoming.Secret != "" {
|
||||
if incomingNewer || existing.Secret == "" {
|
||||
existing.Secret = incoming.Secret
|
||||
keepSecret("secret")
|
||||
}
|
||||
}
|
||||
if existing.AllowedIPs != incoming.AllowedIPs && incoming.AllowedIPs != "" {
|
||||
if incomingNewer || existing.AllowedIPs == "" {
|
||||
keep("allowedIPs", existing.AllowedIPs, incoming.AllowedIPs, incoming.AllowedIPs)
|
||||
|
||||
@@ -69,3 +69,40 @@ func TestHealMtprotoSecret(t *testing.T) {
|
||||
t.Fatal("expected no change when fakeTlsDomain is missing")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHealMtprotoClientSecrets(t *testing.T) {
|
||||
// An empty client secret is filled from the inbound-level default domain.
|
||||
in := `{"fakeTlsDomain":"a.com","clients":[{"email":"x","secret":""}]}`
|
||||
out, changed := HealMtprotoClientSecrets(in)
|
||||
if !changed {
|
||||
t.Fatal("expected an empty client secret to be filled")
|
||||
}
|
||||
var parsed map[string]any
|
||||
if err := json.Unmarshal([]byte(out), &parsed); err != nil {
|
||||
t.Fatalf("healed settings not valid json: %v", err)
|
||||
}
|
||||
clients := parsed["clients"].([]any)
|
||||
got := clients[0].(map[string]any)["secret"].(string)
|
||||
if !strings.HasPrefix(got, "ee") || !strings.HasSuffix(got, hex.EncodeToString([]byte("a.com"))) {
|
||||
t.Fatalf("filled client secret malformed: %q", got)
|
||||
}
|
||||
|
||||
// Healing is idempotent once every client secret is valid.
|
||||
if _, changed2 := HealMtprotoClientSecrets(out); changed2 {
|
||||
t.Fatal("expected no change for already-valid client secrets")
|
||||
}
|
||||
|
||||
// A client's own embedded domain is preserved even when it differs from the
|
||||
// inbound-level default (per-client domain fronting).
|
||||
own := "ee00112233445566778899aabbccddeeff" + hex.EncodeToString([]byte("b.com"))
|
||||
in3 := `{"fakeTlsDomain":"a.com","clients":[{"email":"y","secret":"` + own + `"}]}`
|
||||
out3, changed3 := HealMtprotoClientSecrets(in3)
|
||||
if changed3 {
|
||||
t.Fatalf("a valid per-client secret must be left untouched, got %q", out3)
|
||||
}
|
||||
|
||||
// No clients array — nothing to heal.
|
||||
if _, changed4 := HealMtprotoClientSecrets(`{"fakeTlsDomain":"a.com"}`); changed4 {
|
||||
t.Fatal("expected no change when there are no clients")
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user