Files
3x-ui/internal/sub/service.go
T
Sanaei 5e1cb7693b Repo-wide self-correcting audit: 54 verified bug fixes (#5970)
* fix(email): resolve a name-addr smtpFrom into bare envelope address and display name

The save-time validator accepts any RFC 5322 address form, so a value
like '3x-ui Panel <panel(at)example.com>' passes validation, but Send and
TestConnection fed that raw string to MAIL FROM, which strict servers
reject with 501, and buildMessage mangled it into a quoted local part.
Parse the configured sender at the point of use: the envelope gets the
bare address and, when no explicit sender name is set, the display name
embedded in the setting is used for the From header.

* fix(email): report a missing sender address from the SMTP connection test

TestConnection skipped the empty-from guard that Send enforces, so with
no sender and no username configured the test issued the null reverse-path
and could report success against a lenient relay while every real
notification send kept failing with the missing-sender error. Guard the
test path the same way and surface a dedicated translated message.

* fix(sub): fall back to the raw subscription when an auto-detected format has no content

With format auto-detection enabled, a client whose User-Agent matched the
Clash or JSON regex was routed straight to that format handler. For a
subscription whose entries convert to neither format (an MTProto-only
subscription, for example) the handler returns an empty document and the
request ended as 404, breaking a URL that served the raw list before the
toggle. The auto-detect branches now serve the detected format only when
it produces content and otherwise continue to the raw response; the
explicit format endpoints keep answering 404 for empty documents.

* fix(node): match prefixed central tags when filtering a selected-mode node snapshot

FilterNodeSnapshot compared a node snapshot's inbound tags against the
raw selected-tag list with an exact match, while its two siblings
(SnapshotHasUnadoptedInbounds and the reconcile tagToCentral map) expand
each selected tag to both its bare node-side form and its n<id>- prefixed
central form. A panel-created node inbound is recorded in the selected
list under the central prefixed tag but reported by the node under the
bare tag, so the exact match dropped it from every snapshot and the
orphan sweep then deleted its central row one tick after creation. Expand
the allowed set with the same prefix flip the siblings use.

* fix(client): refuse a bulk quota reduction that would fall to or below zero

BulkAdjust clamped a client's new traffic limit with max(total+addBytes, 0).
Because 0 is the unlimited sentinel, reducing a client's quota by more than
it had left silently granted that client unlimited traffic. The sibling
expiry branch already refuses an over-reduction; mirror it for quota so the
adjustment is skipped with a clear reason instead of crossing the sentinel.

* fix(client): persist a bulk adjustment's applied field even when the sibling field is skipped

In a mixed BulkAdjust (both a days delta and a bytes delta), a per-field
planning skip such as "unlimited expiry" or "unlimited traffic" was recorded
in the same map that gated the client_traffics write. The applied field was
already written to the inbound JSON and the clients table, but the enforcement
row was left untouched, so the depletion job cut the client on the old limit
while the panel showed the new one. Gate the traffic-row write on an actual
inbound-processing failure rather than on any planning-phase skip note.

* fix(inbound): always create in AddInbound instead of overwriting a row whose id was posted

The add controller binds the inbound model's id form field and never clears
it, and AddInbound persisted with GORM Save, which updates in place when the
primary key is non-zero. A client that reused an existing id (for instance by
duplicating an inbound fetched from /get and changing the port) silently
overwrote that stored row instead of creating a new inbound. Zero the id at
the top of AddInbound, matching how it already zeroes the client-stat ids.

* fix(inbound): accept WireGuard clients when creating an inbound

AddInbound's per-client validation switch had cases for every protocol
except WireGuard, so a WireGuard client fell through to the default branch
that requires a non-empty id. WireGuard clients are keyed by their public
key and carry no id, so importing a WireGuard inbound or re-adding one to a
reconciling node was rejected with "empty client ID". Add a wireguard case
that validates the client key, mirroring addInboundClient.

* fix(client): stop holding the inbound-lock registry mutex while waiting on one inbound

lockInbound acquired the global registry mutex and then blocked on the
per-inbound mutex without releasing the registry first. A slow client
operation holding one inbound's mutex (for example a bulk delete pushing to
an unreachable node) made the next waiter park on that inbound while still
holding the registry mutex, which in turn blocked lockInbound for every
other inbound — freezing client mutations panel-wide. Release the registry
mutex before taking the per-inbound lock.

* fix(client): honor keepTraffic when deleting a client that is attached to inbounds

Delete, DeleteByEmail and BulkDelete all pass keepTraffic to their final
cleanup transaction, but each called the per-inbound delete helper with a
hardcoded false. That helper purges the client's traffic, IP and stat rows
before the gated cleanup runs, so keepTraffic=true still destroyed all
traffic history for any client actually attached to an inbound (the pinned
test only covered a record with no inbound mappings). Thread the caller's
keepTraffic through to the per-inbound helper at all three call sites.

* fix(inbound): defer a local MTProto inbound edit's sidecar push until after commit

UpdateInbound applied a local MTProto inbound change by calling the runtime
UpdateInbound (which stops/starts the mtg sidecar or talks to it) from inside
runSerializedTx. That runs process and network I/O on the single traffic-writer
goroutine while a DB transaction is open, so a slow sidecar stalls traffic
accounting and every concurrent client mutation, and a later step failing the
transaction leaves the sidecar ahead of the rolled-back row. Move the push into
the post-commit hook, matching the xray branch. Adds a SetLocalRuntimeOverride
test seam mirroring the existing node override so the deferral is regression
tested.

* fix(client): delete external-link rows when bulk-deleting clients

The single-client Delete path removes a client's client_external_links rows,
but BulkDelete (and the DelDepleted reaper that routes through it) deleted the
record, mappings and traffic while leaving the external-link rows keyed by the
now-dead client id, so they accumulated as orphans. Delete them in the same
cleanup transaction, keyed by client id like the single path.

* fix(inbound): request an xray restart when toggling a routed MTProto inbound

AddInbound, DelInbound and UpdateInbound all flag needRestart when an inbound
routes MTProto through xray, so the egress SOCKS bridge is regenerated. Only
SetInboundEnable's local path omitted it, so toggling a routed MTProto inbound
off then on left the bridge out of the running config while the sidecar dialed
its loopback port, blackholing that inbound until an unrelated restart. Flag the
restart on the local enable path too.

* fix(client): apply enable-by-email to every inbound a client is attached to

ToggleClientEnableByEmail (Telegram bot) and SetClientEnableByEmail (LDAP sync)
resolved a single inbound via the legacy client_traffics pointer and flipped
enable only there. A client attached to several inbounds kept connecting through
the siblings' running Xray after being disabled, and the next edit could
re-enable it everywhere from a stale sibling. Route both through the
applyClientFieldByEmail fan-out (the #5039 fix path) so the whole multi-inbound
identity is toggled at once, dropping the circular Set/Toggle dependency.

* fix(traffic): commit a traffic tick even when a best-effort maintenance helper fails

addTrafficLocked stages the inbound and client deltas, then runs three helpers
(auto-renew, disable depleted clients, disable depleted inbounds) that are meant
to log and continue. All three reused the function-scope err that the deferred
commit/rollback inspects, so the last helper's error decided the whole tick: a
failure in disableInvalidInbounds rolled back the already-staged traffic while
AddTraffic reported success, and because xray had already advanced its counter
baseline that traffic was lost for good. Give each best-effort helper its own
error variable so only a genuine staging failure rolls the tick back.

* fix(traffic): re-enable clients and serialize the write in Reset All Client Traffic

ClientService.ResetAllTraffics zeroed up/down but, unlike every sibling reset
path, never restored enable=true, so clients that had been auto-disabled for
exceeding their quota stayed cut with zero usage after a reset. It also wrote
client_traffics directly on the shared DB handle instead of through the serial
traffic writer, reintroducing the cross-transaction lock-order deadlock the
writer exists to prevent. Restore enable and run the reset inside
submitTrafficWrite within one transaction.

* fix(traffic): keep node reset propagation out of the serial traffic writer

ResetAllTraffics and ResetInboundTraffic performed their remote-node reset HTTP
calls inside submitTrafficWrite. Each call can block up to the remote timeout,
and Reset All Traffics loops every node serially, so the single traffic-writer
goroutine was held for seconds — long enough that the concurrent 5s traffic poll
timed out submitting its own write and dropped the deltas it had already drained
from xray. Do the DB reset inside the writer, then propagate to the nodes after
it returns, matching how the mtproto quota reset is already sequenced.

* fix(sub): stop the subscription from 500ing on valid-but-unusual stream settings

The raw share-link generators used unchecked type assertions and unguarded
array indexing: an empty Reality shortIds/serverNames array (random.Num(0)
panics), a tcp-http header with no request block or an empty request.path, a
grpc block missing its keys, empty stream settings, and a non-string Host
header all panicked mid-generation. Because getSubs loops every client's link
with no recover, one such client 500s the entire subscription for everyone. The
sibling JSON, Clash and frontend generators already guard these; make the raw
generators match with comma-ok assertions and length checks.

* fix(sub): tolerate a hysteria inbound without hysteriaSettings in the JSON subscription

genHy asserted stream["hysteriaSettings"].(map[string]any) without the comma-ok
form, so a hysteria inbound whose StreamSettings omit the hysteriaSettings key
(a valid, representable shape the raw generator renders fine) panicked and 500ed
the entire JSON subscription. Use comma-ok; the downstream reads already guard
each key, so a nil map degrades gracefully.

* fix(sub): emit the pinned peer cert sha256 in Clash subscriptions

The Clash stream builder computed tlsSettings["pin-sha256"] from the inbound's
pinnedPeerCertSha256, but applySecurity's tls case never copied it onto the
proxy, so it was written with no reader and silently dropped. Clash subscribers
lost certificate pinning while JSON subscribers kept it. Surface pin-sha256 on
the proxy in the tls case, matching the JSON emitter.

* fix(link): parse the snake_case and extra-blob xhttp fields when importing a share link

The panel's share-link emitters (Go and TS) carry advanced xhttp knobs as a
snake_case x_padding_bytes plus an extra=<json> payload, but the Go parser's
xhttp branch read only top-level camelCase params, so importing an xhttp link
via the outbound-subscription feature dropped xPaddingBytes, scMaxEachPostBytes
and the rest, silently reverting them to the stream defaults and producing a
non-working outbound. Mirror the TS parser: read the snake_case alias, merge the
extra JSON blob, then let explicit camelCase params win.

* fix(frontend): decode URL-safe base64 when parsing an imported share link

Base64.decode called window.atob directly, which rejects the base64url
alphabet (- and _) and unpadded input. But the panel's own share-link emitter
uses Base64.encode(x, true) (URL-safe, unpadded), and real SIP002 links do too,
so importing a Shadowsocks link whose method:password encodes with a - or _ threw,
fell back to the raw undecoded string, and produced a wrong method and garbage
password (the vmess parser shared the same limitation). Normalize base64url and
re-pad before atob so decode round-trips every emitted link.

* fix(link): honor the vmess ws path and hysteria2 vcn params on import

Two Go/TS parser parity gaps in the outbound share-link import path: parseVmess
only applied a ws link's path when the inner JSON also carried a host key, so a
generator that omits host dropped the path back to the default; and parseHysteria2
hardcoded verifyPeerCertByName to empty, ignoring the vcn param the panel emits,
so a hysteria2 outbound with a decoy SNI and a distinct cert name failed TLS
verification after import. The TS parser handles both; make the Go parser match.

* fix(ui): stop the sniffing form island from clobbering unrendered fields

antd's Form.useWatch only reports registered fields, so while the
sniffing toggle was off the island emitted { enabled: false } upward and
replaced the full Sniffing object in form state. Saving a VLESS reverse
outbound then crashed in sniffingToWire on the missing ipsExcluded
array; the loopback outbound and the inbound sniffing tab shared the
same hole. Watch the store with preserve: true so unrendered fields
keep their values, and seed a missing value from the schema defaults
instead of an empty cast.

* fix(sub): drop empty remark segments instead of leaving a stray separator

expandSegment dropped a "|" segment only when its tokens rendered the unlimited
mark, so a segment whose only token resolved to the empty string (a client with
no comment, an unlimited client's expiry date) was kept as bare decoration,
leaving a trailing "|" or a dangling emoji on every share link's remark. Drop a
token-bearing segment whenever none of its tokens produce a real value, while
still keeping pure-literal segments.

* fix(xray): keep source- and domains-scoped routing rules when an inbound is deleted

removeInboundTagFromRules drops a routing rule whose inboundTag list becomes
empty only if the rule has no other matcher, but routingMatcherKeys omitted
xray-core's canonical source and domains keys. A rule scoped by source or domains
(common in hand-authored or imported configs) therefore lost its whole body —
including a security-relevant block — when its single listed inbound was deleted,
instead of just having the tag trimmed. Recognize source and domains as live
matchers.

* fix(xray): guard RemoveUser against an uninitialized handler client

Every XrayAPI handler method returns an error when HandlerServiceClient is nil,
except RemoveUser, which dereferenced it directly. A depletion sweep runs Init
with the port ignored and, during a restart window where the fresh process's
api port is still 0, Init fails and leaves the client nil — so RemoveUser
panicked (recovered by the traffic writer, but re-thrown every poll) instead of
returning an error. Add the same nil guard the siblings have.

* fix(xray): do not revive a manually stopped Xray on a background restart

RestartXray cleared isManuallyStopped unconditionally at its top, so the @30s
pending-config cron (and warp/ldap/outbound reconcile jobs) that call
RestartXray(false) resurrected an Xray the admin had deliberately stopped —
unlike the crash-detector, which honors the manual-stop flag. Skip a non-forced
restart while the stop flag is set; only an explicit forced restart clears it.

* fix(xray): retry a failed pending-restart instead of dropping the config change

The 30s cron consumed the need-restart flag with IsNeedRestartAndSetFalse before
calling RestartXray and only logged a failure. If RestartXray failed early (a
transient GetXrayConfig DB error) the old process kept running the old config,
the crash detector saw a running process and never retried, and the flag stayed
cleared — so an admin's saved change silently never reached the core. Move the
consume/restart/retry into ApplyPendingRestart, which re-arms the flag on
failure so the next tick retries.

* fix(xray): synchronize the process version and apiPort fields

Start writes p.version and p.apiPort (via refreshVersion/refreshAPIPort) after
flipping the process to running, while GetXrayVersion and GetAPIPort read them
lock-free from the status and traffic poll goroutines. The struct mutex
deliberately excluded these fields, so a restart racing a poll was a real data
race — a torn read of the version string header can crash. Extend the mutex to
cover version and apiPort, doing the blocking version probe before taking the
lock.

* fix(settings): detect a wildcard listen collision between the web and sub ports

The web/sub same-port check compared the two listen addresses as raw strings, so
binding both on all interfaces with different spellings (webListen 0.0.0.0 vs an
empty subListen) slipped past validation and only failed at startup with an
opaque bind error. Treat any wildcard listen ('', 0.0.0.0, ::) as overlapping so
the clash is reported up front, while still allowing two distinct specific
addresses to share a port.

* fix(db): mark the IP-limit cleanup seeder done on a fresh install

ResetIpLimitNoFail2ban is a one-time migration that, on a host without fail2ban,
zeroes every existing client's limitIp because the limit can't be enforced. It
was missing from the fresh-install fast-path seeder list, so on a brand-new DB it
did not run on the first boot but fired on the second — wiping any IP limits the
admin had set in between. Add it to the fast-path so a truly fresh install marks
it done up front (there is nothing to clean), leaving later admin-set limits
intact.

* fix(security): dial outbound subscriptions through the SSRF guard

The outbound-subscription fetch validated the URL host once (resolving DNS and
rejecting private targets) but then fetched with a plain HTTP client that
re-resolves the host at dial time, so a subscription domain the attacker controls
could pass validation as a public IP and rebind to 127.0.0.1 / a cloud metadata
endpoint / an internal host for the actual dial — a blind SSRF into the panel's
network. Route the direct fetch (and its redirects) through
netsafe.SSRFGuardedDialContext, which resolves, checks and dials the same IP
atomically, carrying the subscription's AllowPrivate flag on the request context;
a configured egress proxy still dials its loopback bridge unguarded.

* fix(security): bound the login-limiter attempts map

The login rate limiter keys its records on the caller-supplied username and only
evicted a record when that exact key was revisited or the login succeeded. An
unauthenticated attacker replaying one CSRF token while rotating a fresh username
per request seeded a record that was never revisited, growing the map without
bound until the panel OOMs. Cap the map: before inserting a new record, reclaim
records whose block has lapsed and whose failures aged out, and if the map is
still at the ceiling under a broad flood, drop one so memory can never grow past
the cap.

* fix(tgbot): require admin for privileged callbacks, not just the first switch

answerCallback wraps only its first callback switch in an isAdmin guard; the
second switch (server usage, inbound/online enumeration, database backup export,
ban logs, mass traffic reset, client creation) ran for every caller. Telegram
delivers a callback with the tapping user's id, so a non-admin who can see an
admin's inline keyboard — as when the bot runs in a group — could tap Backup and
receive the full database and config, or reset all traffic. Default-deny before
the second switch: a non-admin may only run the per-user client_* callbacks that
resolve their own data from their Telegram id.

* fix(eventbus): dispatch each subscriber in its own goroutine

The fan-out loop called every subscriber's handler sequentially on the
single dispatch goroutine. The email and Telegram notifiers block on
network I/O for tens of seconds (or minutes when the remote is slow), so
one slow subscriber stalled the whole loop: the 256-slot channel then
filled and Publish silently dropped later events — including high-value
xray.crash and node.down notifications unrelated to the slow handler.

Hand each delivered event to every handler in its own goroutine so a
blocking subscriber can no longer stall delivery to the others. safeCall
already recovers panics, so a detached handler cannot take down the bus.

* fix(integration): cap WARP API response body size

doWarpRequest read the response with an unbounded io.ReadAll, unlike the
sibling NordVPN client which already caps every read at maxResponseSize.
A hostile panel egress proxy or a MITM on the Cloudflare WARP endpoint
could stream an arbitrarily large body and force the panel into an
unbounded allocation. Wrap the body in an io.LimitReader(maxResponseSize)
to match the NordVPN client.

* fix(email): bound every SMTP step with a connection deadline

The "starttls"/"none" transport delivered through net/smtp.SendMail, which
dials with an untimed net.Dial and never sets a socket deadline. When an
SMTP server accepted the TCP connection but then stalled (or was a
blackhole), the caller was released by Send's 30s select, but the sender
goroutine and its socket stayed blocked until the OS TCP timeout — minutes
per notification, leaking a goroutine and a connection each time.
sendWithTLS dialed with a timeout but likewise armed no deadline on the
protocol phase, and TestConnection (called synchronously from the settings
handler, with no select guard) could hang the request indefinitely.

Replace SendMail with sendPlain, which dials with smtpConnectTimeout and
arms conn.SetDeadline(smtpDeadline) before the greeting read, preserving
SendMail's opportunistic STARTTLS upgrade. Arm the same deadline in
sendWithTLS and TestConnection so every SMTP step is bounded.

* fix(server): guard access-log parser against malformed lines

GetXrayLogs split each Xray access-log line on whitespace and then read
fixed offsets — parts[1] for the timestamp and parts[i+1] after the "from",
"accepted" and "email:" markers — without checking the line had that many
fields. A truncated or malformed line (the logged destination is
attacker-influenced) indexed past the slice and panicked; the panel handler
returned a 500 via Gin's recovery.

Extract the per-line field parsing into parseAccessLogFields and length
guard every positional lookup so a short line yields a partial entry
instead of panicking.

* fix(server): guard xray key-generator output parsing

GetNewX25519Cert, GetNewmldsa65 and GetNewmlkem768 parsed xray's stdout by
reading lines[0], lines[1] and each line's second colon-separated field
without any length check — unlike GetNewEchCert, which already guards its
line count. If the xray binary printed fewer than two lines or reformatted
its labels (a version change, or a silent failure that emitted nothing),
the fixed slice index panicked and the handler 500'd.

Extract the shared parsing into parseXrayKeyPairOutput, which length guards
the line count and each label split and returns an error instead of
panicking, then route all three generators through it.

* fix(tgbot): stop auto-deleted messages from resetting wizard state

SendMsgToTgbotDeleteAfter spawns a goroutine that, after the display delay,
deleted the transient message and then unconditionally cleared the chat's
conversation state. Every caller that ends a wizard step already clears the
state synchronously, so that call was redundant — and harmful: if within
the delay the user advanced to the next step (a callback sets a fresh
awaiting_* state), the late goroutine wiped it, and the user's next message
fell through unrecognized, silently dropping their input.

Move the delayed deletion into deleteMessageAfterDelay, which only removes
the message and no longer touches the conversation state. Guard
deleteMessageTgBot against a nil bot so the deletion path is unit-testable.

* fix(frontend): refetch a fresh CSRF token on 403 instead of reusing the stale meta tag

On a 403 to an unsafe method the client cleared its cached CSRF token and
called ensureCsrfToken to retry. But ensureCsrfToken prefers the
<meta name="csrf-token"> tag baked into the page, which the production
panel always injects, so the "refresh" re-read the same stale token and the
/csrf-token refetch was never reached — the retry re-sent the token that had
just been rejected and the save failed with an error toast.

The token lives in the session and rotates when the session is regenerated
(for example re-login in another tab), leaving the tab's baked-in meta token
stale. Fetch the current token straight from /csrf-token in the 403 branch so
the retry uses the authoritative server value. The existing tests only passed
because they strip the meta tag; the new test keeps a stale tag present.

* fix(frontend): surface backend error text from failed requests

HttpUtil.get/post read the thrown HttpError body as response.data.message,
but the backend error envelope (entity.Msg) serializes its text as msg. On
any non-2xx JSON response the real reason was therefore dropped and the
operator saw only the generic "Request failed with status N" toast.

Read response.data.msg first (keeping message and the native error text as
fallbacks). The sibling test had pinned the wrong body shape ({ message });
correct it to the real backend shape ({ success:false, msg }) so it exercises
the actual envelope.

* fix(frontend): share one WebSocket connection across bridge and hooks

websocketBridge.ts and useWebSocket.ts each declared their own
module-scoped sharedClient plus an identical getSharedClient, so the
"shared" client was not shared between them: whenever a page using
useWebSocket (Clients/Inbounds) mounted alongside the always-mounted
bridge, the panel opened two sockets to /ws. The server then pushed every
traffic/stats/nodes/inbounds snapshot to both, doubling WebSocket bandwidth
and running two independent reconnect loops, and the hook's socket was never
disconnected on unmount.

Hoist a single getSharedWebSocketClient into api/websocket.ts and route both
the bridge and the hook through it, so exactly one connection is opened.

* fix(frontend): guard the outbounds WebSocket handler against non-array payloads

onOutbounds wrote the raw WebSocket payload straight into the
outboundsTraffic cache, unlike the sibling onNodes/onInbounds handlers which
first check Array.isArray. A malformed non-array push (for example an object)
would land in the cache with staleTime Infinity; consumers that call
.find()/.map() on the outbounds list would then throw and crash the Outbounds
tab. Add the same Array.isArray guard so a bad push is ignored.

* fix(frontend): key the node table by the computed row key, not id

The desktop node table used rowKey="id", but transitive sub-nodes (the
read-only rows surfaced from downstream nodes) all carry id 0, so a topology
with two or more transitive rows gave React duplicate keys. antd's rowKey
prop overrides the row object's own computed `key` (`t-${guid}` for
transitive rows, the numeric id otherwise), so the unique key the code
already builds was ignored — causing row-state/DOM mis-association on any
re-render (heartbeat refetch, address-eye toggle). The mobile card path
already keyed by record.key.

Key the table by "key" so transitive rows get their distinct t-${guid}
identity; direct nodes keep key === id, so row selection (filtered to numeric
keys) is unchanged.

* fix(frontend): map routing row actions through the rule's real index

The routing table hides balancer-loopback rules (`_bl_*`) but keeps each
visible row's original index in `key`, then handed antd's positional row
index straight to edit/delete/toggle/move/drag — all of which mutate the
full, unfiltered routing.rules array. Once a hidden loopback rule precedes a
visible one (e.g. a balancer whose fallback is another balancer, plus any
rule added afterwards), the positional index no longer matches the array
index, so deleting or editing a rule silently hit the wrong one — including
destroying the loopback rule that keeps the balancer alive.

Add originalRuleIndex to translate a positional row index back through the
row's `key`, and route every mutating handler (openEdit, confirmDelete,
toggleRule, moveUp/moveDown, drag) through it. When no loopback rows are
hidden the mapping is the identity, so ordinary configs are unaffected.

* fix(frontend): map outbound row actions through the outbound's real index

The outbounds table hides balancer-loopback outbounds (`_bl_*`) but keeps
each visible row's original index in `key`, then passed antd's positional
row index to edit/delete/move and to the per-row probe (onTest) and its
result lookup — all of which address the full, unfiltered outbounds array.
Once a hidden loopback outbound precedes a visible one, the positional index
diverges from the array index, so deleting or editing an outbound hit the
wrong one (its deletion-impact plan and removal targeting the wrong entry),
and the test button probed / showed results against the wrong outbound.

Add originalOutboundIndex and route the mutating handlers through it; key
the probe trigger and test-result columns by record.key. With no loopback
rows hidden the mapping is the identity, so ordinary configs are unaffected.

* fix(frontend): tolerate a malformed happyEyeballs value in the Xray Basics tab

BasicsTab derived directHappyEyeballs by calling HappyEyeballsSchema.parse
during render, guarding only against null/non-object. A wrong-typed field
(e.g. happyEyeballs.tryDelayMs as a string) or any other shape mismatch —
reachable via the Complete Template JSON editor or an imported config — threw
straight out of render, white-screening the default Xray landing tab.

Use safeParse and fall back to null so a bad value degrades to "no override"
instead of crashing the page.

* fix(frontend): preserve routing-rule fields the form does not surface

The rule form rebuilt the rule from a fixed literal of only the fields it
edits, and RoutingTab replaces the rule wholesale on confirm. Fields the
form never exposes — localPort, localIP, process, ruleTag, webhook — are in
the rule schema and can arrive via the advanced JSON editor or Import Rules;
opening such a rule in the form and saving silently dropped them.

Carry over every key of the original rule the form does not manage before
applying the form-derived fields, so an edit only touches what it surfaces.

* fix(frontend): re-sync the sniffing island when its value changes externally

The sniffing config editor froze its seed value at mount and only watched
its own inner AntD form, never reflecting a later change to the shared RHF
`sniffing` path. Because the inbound form mounts every tab with
forceRender, the friendly Sniffing tab and the Advanced JSON editor are live
at once: editing sniffing in the JSON editor updated the RHF value but not
the frozen island, so the next interaction with the friendly tab emitted the
stale value and silently discarded the JSON edit.

Add an effect that pushes an external value change into the inner form,
guarded by the same lastEmitted marker the emit path uses so the island
never re-seeds from its own echo and no update loop forms.

* fix(frontend): don't drift a client's byte quota on a no-op save

The quota field shows the total in GB rounded to two decimals; editing a
client and saving converted that display value straight back to bytes. A
byte total not aligned to 0.01 GB — one set via the API or an import — was
therefore rewritten to the rounded value on any save that never touched the
field, losing a few MB each time.

Add resolveTotalBytes: keep the original byte total when the displayed GB
still matches it, and only re-derive from GB when the user actually changed
the field.

* fix(eventbus): deliver events on a bounded per-subscriber worker

The previous fix dispatched each event to every subscriber with a bare
`go safeCall`. That unblocked the dispatch loop, but removed the bus's
backpressure: under a login-attempt flood (which both notifier subscribers
process without rate-limiting) with email/Telegram enabled, every attempt
spawned handler goroutines that each block on network I/O for up to ~30s,
with no bound — a goroutine and outbound-connection storm. It also let a
subscriber's handler run concurrently with itself, racing the Telegram
notifier's lazily-cached hostname.

Give each subscriber its own bounded queue drained by a single worker
goroutine. Dispatch does a non-blocking send per subscriber (dropping only
that subscriber's event when its queue is full), so a slow subscriber still
can't stall the others, concurrency is bounded to one in-flight handler per
subscriber, per-subscriber event order is preserved, and Stop again waits
for in-flight handlers to finish.

* fix(frontend): map outbound mobile-card actions through the real index too

The desktop outbounds table was keyed by the outbound's real index, but the
mobile card list was left keying the probe trigger and every test-state
lookup by the positional row index. With a hidden balancer-loopback outbound
present, tapping Check on a mobile card probed the wrong outbound and the
Test-All results landed on the wrong card. Key onTest and the
testResult/isTesting reads by record.key, matching the desktop columns.

* fix(frontend): meet WCAG AA contrast on the config-block link text

The Storybook accessibility test flagged the share-link <code> block: with no
explicit color it inherited a muted grey that renders as #888888 on the
#f8f8f8 tertiary-fill background in CI's Chromium — a 3.33:1 contrast, below
the 4.5:1 AA threshold. Set the text to the theme's primary text token so the
colour is explicit and high-contrast in both light and dark themes instead of
depending on an inherited value that varies by browser.

* style(sub): simplify a negated conjunction to satisfy staticcheck QF1001

golangci-lint (staticcheck QF1001) flagged the `!(a && b)` guard in
expandSegment. Rewrite it via De Morgan's law to the equivalent
`!a || !b` form so the linter passes; behavior is unchanged.

* fix: close panics and races the audit's own fixes left nearby

Second-pass review of the 54-commit self-correcting audit. Each item below
was confirmed by reading the surrounding source (and, where practical, the
pre-fix code) before being changed; regression tests are included for every
behavioral fix.

Concurrency:
- eventbus: Bus.Subscribe called wg.Add with no synchronization against a
  concurrent Bus.Stop's wg.Wait, a real "WaitGroup misuse" panic risk (e.g. a
  Telegram-bot settings save racing panel shutdown/restart). Stop now flips a
  mu-guarded `stopped` flag before waiting, and Subscribe checks it under the
  same lock, so Add and Wait can no longer race.

Security:
- login_limiter: evictForRoom's fallback eviction picked an arbitrary map
  key, including ones still under an active cooldown - an attacker flooding
  /login with fresh usernames could evict their own (or anyone's) blocked
  record and reset the lockout. The fallback now skips actively-blocked
  records, only falling back to an unconditional evict if the map is
  somehow entirely full of active blocks (preserves the hard memory cap).

Subscription-endpoint panics (reachable by any client hitting /sub):
- internal/sub/service.go: applyPathAndHostParams/Obj (ws/httpupgrade/xhttp
  with no path settings object) and the TLS alpn readers in three places
  used unchecked type assertions - exactly the bug class abab7cd0 patched
  elsewhere in the same switch statements, just not these call sites.
- internal/sub/json_service.go, clash_service.go: the externalProxy loops
  in the JSON and Clash generators used unchecked assertions on a
  legacy/admin-supplied field (missing "port", non-object entry, etc.).
- internal/sub/json_service.go: realityData's shortId/serverName selection
  could assert a non-string array element.

Other correctness:
- client_traffic.go: ResetAllTraffics (touched by 3eb214d0) still skipped
  clearing NodeClientTraffic node-sync baselines, unlike its sibling reset
  paths in the same file - a node's next sync would re-add pre-reset delta
  on top of the freshly-zeroed counter.
- inbound_traffic.go: the traffic-tick tx's Commit/Rollback errors were
  silently discarded; now logged so a backend-level commit failure (e.g. an
  aborted Postgres tx from a best-effort helper) doesn't masquerade as a
  successful tick.
- outbound_subscription.go: the new subscriptionFetchClient doc comment was
  wedged between fetchAndStore's existing comment and fetchAndStore itself,
  leaving fetchAndStore undocumented and the comment describing the wrong
  function.

Convention cleanup:
- Removed narrative // comments added by the audit that violate this repo's
  no-inline-comment rule (mostly narrating the specific bug/fix rather than
  a lasting contract, and mostly on new Test functions, which this repo's
  existing tests never comment) - calibrated against this exact codebase's
  own pre-existing comment style so legitimate godoc-style doc comments
  were left alone.

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
2026-07-17 00:33:06 +02:00

2653 lines
82 KiB
Go

package sub
import (
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"fmt"
"maps"
"net"
"net/url"
"slices"
"strconv"
"strings"
"time"
"github.com/gin-gonic/gin"
"github.com/goccy/go-json"
"github.com/mhsanaei/3x-ui/v3/internal/database"
"github.com/mhsanaei/3x-ui/v3/internal/database/model"
"github.com/mhsanaei/3x-ui/v3/internal/logger"
"github.com/mhsanaei/3x-ui/v3/internal/util/common"
"github.com/mhsanaei/3x-ui/v3/internal/util/random"
wgutil "github.com/mhsanaei/3x-ui/v3/internal/util/wireguard"
"github.com/mhsanaei/3x-ui/v3/internal/web/service"
"github.com/mhsanaei/3x-ui/v3/internal/xray"
)
// SubService provides business logic for generating subscription links and managing subscription data.
type SubService struct {
address string
remarkTemplate string
datepicker string
// subscriptionBody is true only when rendering the actual subscription
// content a client app imports (raw /sub fetch, /json, /clash). The remark
// template's per-client info is emitted there (on the first link); every
// other context — the sub info page, the panel's link/QR displays — renders
// the name-only template, like Remnawave.
subscriptionBody bool
// usageShown tracks, per client email, whether the info part of the template
// has already been emitted this request, so it appears on the first body
// link only. Per-request state; reset in PrepareForRequest.
usageShown map[string]bool
inboundService service.InboundService
settingService service.SettingService
// nodesByID is populated per request from the Node table so
// resolveInboundAddress can return the node's address for any
// inbound whose NodeID is set. Keeps the per-link host derivation
// O(1) instead of O(N) DB hits.
nodesByID map[int]*model.Node
// statsByEmail maps a client email to its traffic row across ALL inbounds
// loaded for the request. client_traffics.email is globally unique, so this
// lets statsForClient resolve usage for a client even on an inbound that
// doesn't own its row (multi-inbound subscriptions). Filled in
// getInboundsBySubId; reset per request in PrepareForRequest.
statsByEmail map[string]xray.ClientTraffic
// clientsByInbound caches clients resolved for this request keyed by
// inbound id then email, so the per-protocol link generators look a client
// up without re-parsing the inbound's settings JSON per link.
// fullyPrimedInbounds marks inbounds whose complete client list is cached
// (a miss there is authoritative). Reset per request in PrepareForRequest.
clientsByInbound map[int]map[string]model.Client
fullyPrimedInbounds map[int]bool
// settingsByInbound caches each inbound's settings decoded once per request
// with the clients array left out; generators read only inbound-level
// fields (encryption, method, version, …) from it.
settingsByInbound map[int]map[string]any
}
// NewSubService creates a new subscription service with the given configuration.
func NewSubService(remarkTemplate string) *SubService {
return &SubService{
remarkTemplate: remarkTemplate,
}
}
// ForRequest returns a shallow copy with request-scoped state populated.
// Subscription controllers share one base SubService, so request-specific
// fields such as address and nodesByID must live on a per-request copy.
func (s *SubService) ForRequest(host string) *SubService {
req := *s
req.PrepareForRequest(host)
return &req
}
// PrepareForRequest sets per-request state (host + nodes map) on this
// SubService instance. HTTP handlers should call ForRequest instead so the
// controller's shared base service is never mutated by concurrent requests.
func (s *SubService) PrepareForRequest(host string) {
if !isRoutableHost(host) {
if d := s.configuredPublicHost(); d != "" {
host = d
} else if isLoopbackHost(host) {
host = "localhost"
}
}
s.address = host
s.usageShown = map[string]bool{}
s.statsByEmail = map[string]xray.ClientTraffic{}
s.clientsByInbound = map[int]map[string]model.Client{}
s.fullyPrimedInbounds = map[int]bool{}
s.settingsByInbound = map[int]map[string]any{}
s.loadNodes()
s.loadRemarkSettings()
}
// primeLinkClients caches clients (first occurrence per email, matching the
// old settings-JSON iteration order) so clientForLink resolves them without a
// parse. complete marks the inbound's whole client list as cached.
func (s *SubService) primeLinkClients(inboundId int, clients []model.Client, complete bool) {
if inboundId <= 0 {
return
}
if s.clientsByInbound == nil {
s.clientsByInbound = map[int]map[string]model.Client{}
}
m := s.clientsByInbound[inboundId]
if m == nil {
m = make(map[string]model.Client, len(clients))
s.clientsByInbound[inboundId] = m
}
for _, c := range clients {
if _, exists := m[c.Email]; !exists {
m[c.Email] = c
}
}
if complete {
if s.fullyPrimedInbounds == nil {
s.fullyPrimedInbounds = map[int]bool{}
}
s.fullyPrimedInbounds[inboundId] = true
}
}
// clientForLink resolves one client of an inbound by email for link
// generation: from the per-request cache when primed, otherwise by parsing
// the settings JSON once and caching every client from it.
func (s *SubService) clientForLink(inbound *model.Inbound, email string) (model.Client, bool) {
if m, ok := s.clientsByInbound[inbound.Id]; ok {
if c, hit := m[email]; hit {
return c, true
}
if s.fullyPrimedInbounds[inbound.Id] {
return model.Client{}, false
}
}
clients, err := s.inboundService.GetClients(inbound)
if err != nil {
return model.Client{}, false
}
s.primeLinkClients(inbound.Id, clients, true)
for i := range clients {
if clients[i].Email == email {
return clients[i], true
}
}
return model.Client{}, false
}
// linkSettings returns the inbound's settings decoded once per request with
// the clients array left out — the link generators read only inbound-level
// fields from it and resolve clients via clientForLink. The shallow
// RawMessage pass skips materializing a huge clients array entirely.
func (s *SubService) linkSettings(inbound *model.Inbound) map[string]any {
if inbound.Id > 0 {
if cached, ok := s.settingsByInbound[inbound.Id]; ok {
return cached
}
}
shallow := map[string]json.RawMessage{}
_ = json.Unmarshal([]byte(inbound.Settings), &shallow)
out := make(map[string]any, len(shallow))
for key, raw := range shallow {
if key == "clients" {
continue
}
var value any
_ = json.Unmarshal(raw, &value)
out[key] = value
}
if inbound.Id > 0 {
if s.settingsByInbound == nil {
s.settingsByInbound = map[int]map[string]any{}
}
s.settingsByInbound[inbound.Id] = out
}
return out
}
// loadRemarkSettings populates the per-request remark formatting state so
// every subscription format — raw, JSON, Clash — renders remarks the same way
// (the date formatter reads datepicker). Loading it only in getSubs left
// JSON/Clash with the zero value.
func (s *SubService) loadRemarkSettings() {
var err error
s.datepicker, err = s.settingService.GetDatepicker()
if err != nil {
s.datepicker = "gregorian"
}
}
func (s *SubService) configuredPublicHost() string {
if d, err := s.settingService.GetSubDomain(); err == nil && d != "" {
return d
}
if d, err := s.settingService.GetWebDomain(); err == nil && d != "" {
return d
}
return ""
}
func isRoutableHost(host string) bool {
if host == "" {
return false
}
if ip := net.ParseIP(strings.Trim(host, "[]")); ip != nil {
return !ip.IsLoopback() && !ip.IsUnspecified()
}
return true
}
func isLoopbackHost(host string) bool {
ip := net.ParseIP(strings.Trim(host, "[]"))
return ip != nil && ip.IsLoopback()
}
// listenIsInternalOnly reports whether a bind address is reachable only from
// the same host — a loopback IP or a unix-domain socket. Such an inbound can't
// be dialed directly by a remote client, so when it is the child side of a
// fallback its share link must be projected through the master. A public or
// wildcard listen (""/0.0.0.0/::) is reachable on its own port and advertises
// itself.
func listenIsInternalOnly(listen string) bool {
if listen == "" {
return false
}
if listen[0] == '@' || listen[0] == '/' {
return true
}
return isLoopbackHost(listen)
}
// matchingClients returns the inbound's clients whose SubID equals subId,
// resolved from the normalized clients/client_inbounds tables (both filter
// columns indexed) instead of parsing the settings JSON — at large client
// counts that parse made every subscription fetch cost seconds. The
// case-insensitive email dedupe stays as cheap insurance even though
// clients.email is unique, preserving the #5134 guarantee that duplicate
// settings entries never fan out into duplicate profiles. Resolved clients
// are primed into the per-request cache so the link generators don't parse
// settings either.
func (s *SubService) matchingClients(inbound *model.Inbound, subId string) []model.Client {
clients, err := s.inboundService.GetClientsBySubId(inbound.Id, subId)
if err != nil {
logger.Error("SubService - GetClientsBySubId: Unable to get clients from inbound")
return nil
}
var out []model.Client
seen := make(map[string]struct{}, len(clients))
for _, client := range clients {
key := strings.ToLower(client.Email)
if _, dup := seen[key]; dup {
continue
}
seen[key] = struct{}{}
out = append(out, client)
}
s.primeLinkClients(inbound.Id, out, false)
return out
}
// GetSubs retrieves subscription links for a given subscription ID and host.
func (s *SubService) GetSubs(subId string, host string) ([]string, []string, int64, xray.ClientTraffic, error) {
return s.ForRequest(host).getSubs(subId)
}
func (s *SubService) getSubs(subId string) ([]string, []string, int64, xray.ClientTraffic, error) {
var result []string
var emails []string
var traffic xray.ClientTraffic
var hasEnabledClient bool
inbounds, err := s.getInboundsBySubId(subId)
if err != nil {
return nil, nil, 0, traffic, err
}
externalLinks, err := s.getClientExternalLinksBySubId(subId)
if err != nil {
return nil, nil, 0, traffic, err
}
if len(inbounds) == 0 && len(externalLinks) == 0 {
return nil, nil, 0, traffic, nil
}
seenEmails := make(map[string]struct{})
for _, inbound := range inbounds {
clients := s.matchingClients(inbound, subId)
if len(clients) == 0 {
continue
}
s.projectThroughFallbackMaster(inbound)
// Host overrides apply AFTER fallback projection so a host's
// address/TLS wins over the projected master stream.
hostEps := s.hostEndpoints(inbound, "raw")
for _, client := range clients {
if client.Enable {
hasEnabledClient = true
}
var link string
if len(hostEps) > 0 {
link = s.linkFromHosts(inbound, client, hostEps)
} else {
link = s.GetLink(inbound, client.Email)
}
result = append(result, link)
emails = append(emails, client.Email)
seenEmails[client.Email] = struct{}{}
}
}
for _, ext := range externalLinks {
if ext.Enable {
hasEnabledClient = true
}
for _, el := range expandEntry(ext) {
if link := applyRemarkToLink(el.Link, el.Name); link != "" {
result = append(result, link)
emails = append(emails, ext.Email)
seenEmails[ext.Email] = struct{}{}
}
}
}
uniqueEmails := make([]string, 0, len(seenEmails))
for e := range seenEmails {
uniqueEmails = append(uniqueEmails, e)
}
traffic, lastOnline := s.AggregateTrafficByEmails(uniqueEmails)
traffic.Enable = hasEnabledClient
return result, emails, lastOnline, traffic, nil
}
// inboundLinks builds the share links for every distinct client of one inbound
// the same way getSubs does — managed Host endpoints win over the plain link so
// {{HOST}} and per-host variants render — but across all clients rather than a
// single subId. Dedups duplicate client JSON entries by email (#5134). Backs the
// panel's "Export all inbound links" so it matches the client/QR pages.
func (s *SubService) inboundLinks(inbound *model.Inbound) []string {
clients, err := s.inboundService.GetClients(inbound)
if err != nil {
return nil
}
s.primeLinkClients(inbound.Id, clients, true)
s.projectThroughFallbackMaster(inbound)
hostEps := s.hostEndpoints(inbound, "raw")
var out []string
seen := make(map[string]struct{}, len(clients))
for _, client := range clients {
key := strings.ToLower(client.Email)
if _, dup := seen[key]; dup {
continue
}
seen[key] = struct{}{}
var link string
if len(hostEps) > 0 {
link = s.linkFromHosts(inbound, client, hostEps)
} else {
link = s.GetLink(inbound, client.Email)
}
out = append(out, splitLinkLines(link)...)
}
return out
}
// AggregateTrafficByEmails resolves traffic for every email in one
// query and folds the rows into a single ClientTraffic + lastOnline.
// xray.ClientTraffic.Email is globally unique, so a multi-inbound
// client's single row is attached to exactly one inbound — iterating
// per-inbound ClientStats would miss it on the others. Used by GetSubs,
// SubClashService.GetClash, and SubJsonService.GetJson to keep the
// sub-info header consistent across all three formats.
func (s *SubService) AggregateTrafficByEmails(emails []string) (xray.ClientTraffic, int64) {
var agg xray.ClientTraffic
var lastOnline int64
if len(emails) == 0 {
return agg, 0
}
db := database.GetDB()
var rows []xray.ClientTraffic
if err := db.
Model(&xray.ClientTraffic{}).
Where("email IN ?", emails).
Find(&rows).Error; err != nil {
logger.Warning("SubService - AggregateTrafficByEmails: load by email:", err)
return agg, 0
}
// total/expiry are configured limits owned by the clients table, not the
// runtime traffic rows. In a multi-node setup the node snapshot can reset
// client_traffics.total/expiry_time to 0, so fall back to the clients
// table to keep the Subscription-Userinfo header in sync with the UI (#4645).
limits := make(map[string][2]int64, len(emails))
var records []model.ClientRecord
if err := db.Model(&model.ClientRecord{}).Where("email IN ?", emails).Find(&records).Error; err != nil {
logger.Warning("SubService - AggregateTrafficByEmails: load client limits:", err)
} else {
for _, r := range records {
limits[r.Email] = [2]int64{r.TotalGB, r.ExpiryTime}
}
}
now := time.Now().UnixMilli()
first := true
for _, ct := range rows {
if ct.LastOnline > lastOnline {
lastOnline = ct.LastOnline
}
total, expiry := ct.Total, ct.ExpiryTime
if lim, ok := limits[ct.Email]; ok {
if total == 0 {
total = lim[0]
}
if expiry == 0 {
expiry = lim[1]
}
}
if first {
agg.Up = ct.Up
agg.Down = ct.Down
agg.Total = total
agg.ExpiryTime = subscriptionExpiryFromClient(now, expiry)
first = false
continue
}
agg.Up += ct.Up
agg.Down += ct.Down
if agg.Total == 0 || total == 0 {
agg.Total = 0
} else {
agg.Total += total
}
normalized := subscriptionExpiryFromClient(now, expiry)
if normalized != agg.ExpiryTime {
agg.ExpiryTime = 0
}
}
return agg, lastOnline
}
func subscriptionExpiryFromClient(nowMs, expiryTime int64) int64 {
if expiryTime > 0 {
return expiryTime
}
if expiryTime < 0 {
return nowMs + (-expiryTime)
}
return 0
}
func (s *SubService) getInboundsBySubId(subId string) ([]*model.Inbound, error) {
db := database.GetDB()
var inbounds []*model.Inbound
err := db.Model(model.Inbound{}).Where(`id in (
SELECT DISTINCT inbounds.id
FROM inbounds
JOIN client_inbounds ON client_inbounds.inbound_id = inbounds.id
JOIN clients ON clients.id = client_inbounds.client_id
WHERE
inbounds.protocol in ('vmess','vless','trojan','shadowsocks','hysteria','wireguard','mtproto')
AND clients.sub_id = ? AND inbounds.enable = ?
)`, subId, true).Order("sub_sort_index ASC").Order("id ASC").Find(&inbounds).Error
if err != nil {
return nil, err
}
s.indexStatsBySubId(subId)
return inbounds, nil
}
// indexStatsBySubId loads the traffic rows for just this subscriber's clients
// into statsByEmail so statsForClient can resolve a client's usage on any of
// its inbounds. It replaces preloading every matched inbound's ClientStats,
// which read the entire client_traffics table on every subscription fetch of
// a large inbound; statsForClient's per-email DB fallback covers any miss.
func (s *SubService) indexStatsBySubId(subId string) {
if s.statsByEmail == nil {
s.statsByEmail = map[string]xray.ClientTraffic{}
}
db := database.GetDB()
var emails []string
if err := db.Model(&model.ClientRecord{}).Where("sub_id = ?", subId).Pluck("email", &emails).Error; err != nil {
logger.Error("SubService - indexStatsBySubId: load emails:", err)
return
}
const chunk = 400
for lo := 0; lo < len(emails); lo += chunk {
hi := min(lo+chunk, len(emails))
var rows []xray.ClientTraffic
if err := db.Where("email IN ?", emails[lo:hi]).Find(&rows).Error; err != nil {
logger.Error("SubService - indexStatsBySubId: load traffics:", err)
return
}
for _, st := range rows {
s.statsByEmail[st.Email] = st
}
}
}
// projectThroughFallbackMaster mutates the inbound in place so its
// Listen/Port/StreamSettings reflect the externally reachable master
// when applicable. Covers both fallback mechanisms:
// - panel-tracked: an inbound_fallbacks row where child_id = inbound.Id
// - legacy unix-socket: inbound.Listen begins with "@" and some VLESS/
// Trojan inbound's settings.fallbacks references that listen address
//
// Returns true when a projection happened; sub services call this before
// generating links so a child VLESS-WS bound to 127.0.0.1 emits the
// master's :443 + TLS state instead of its own loopback endpoint.
//
// Projection only applies to a child that is not directly reachable on its
// own listen (loopback or a unix-domain socket). An inbound on a public or
// wildcard listen is reachable on its own port, so it advertises its own
// port + security even when a stale fallback rule still names it as a child —
// otherwise its share link would leak the master's port and Reality/TLS
// settings (#4987).
func (s *SubService) projectThroughFallbackMaster(inbound *model.Inbound) bool {
if inbound == nil {
return false
}
if !listenIsInternalOnly(inbound.Listen) {
return false
}
db := database.GetDB()
var master *model.Inbound
var rule model.InboundFallback
if err := db.Where("child_id = ?", inbound.Id).
Order("sort_order ASC, id ASC").
First(&rule).Error; err == nil {
var m model.Inbound
if err := db.Where("id = ?", rule.MasterId).First(&m).Error; err == nil {
master = &m
}
}
if master == nil && len(inbound.Listen) > 0 && inbound.Listen[0] == '@' {
var m model.Inbound
if err := db.Model(model.Inbound{}).
Where("JSON_TYPE(settings, '$.fallbacks') = 'array'").
Where("EXISTS (SELECT * FROM json_each(settings, '$.fallbacks') WHERE json_extract(value, '$.dest') = ?)", inbound.Listen).
First(&m).Error; err == nil {
master = &m
}
}
if master == nil {
return false
}
inbound.StreamSettings = mergeStreamFromMaster(inbound.StreamSettings, master.StreamSettings)
inbound.Listen = master.Listen
inbound.Port = master.Port
return true
}
// mergeStreamFromMaster copies the master's security + tlsSettings +
// realitySettings + externalProxy onto the child's stream so the child's
// link advertises the master's TLS / Reality state. Transport (network
// + ws/grpc/etc. settings) stays the child's.
func mergeStreamFromMaster(childStream, masterStream string) string {
var stream map[string]any
_ = json.Unmarshal([]byte(childStream), &stream)
if stream == nil {
stream = map[string]any{}
}
var mst map[string]any
_ = json.Unmarshal([]byte(masterStream), &mst)
if mst == nil {
return childStream
}
stream["security"] = mst["security"]
if v, ok := mst["tlsSettings"]; ok {
stream["tlsSettings"] = v
} else {
delete(stream, "tlsSettings")
}
if v, ok := mst["realitySettings"]; ok {
stream["realitySettings"] = v
} else {
delete(stream, "realitySettings")
}
if v, ok := mst["externalProxy"]; ok {
stream["externalProxy"] = v
}
out, err := json.MarshalIndent(stream, "", " ")
if err != nil {
return childStream
}
return string(out)
}
// GetLink dispatches to the protocol-specific generator for one (inbound, client)
// pair. Returns "" when the inbound's protocol doesn't produce a subscription URL
// (socks, http, mixed, wireguard, dokodemo, tunnel). The returned string may
// contain multiple `\n`-separated URLs when the inbound has externalProxy set.
func (s *SubService) GetLink(inbound *model.Inbound, email string) string {
switch inbound.Protocol {
case "vmess":
return s.genVmessLink(inbound, email)
case "vless":
return s.genVlessLink(inbound, email)
case "trojan":
return s.genTrojanLink(inbound, email)
case "shadowsocks":
return s.genShadowsocksLink(inbound, email)
case "hysteria":
return s.genHysteriaLink(inbound, email)
case "mtproto":
return s.genMtprotoLink(inbound, email)
case "wireguard":
return s.genWireguardLink(inbound, email)
}
return ""
}
// genWireguardLink builds a per-client wireguard:// share link mirroring the
// frontend genWireguardLink: the client's private key is the userinfo, the
// server public key (derived from the inbound secretKey) and the client's
// tunnel address ride in the query. Returns "" when the client has no key.
func (s *SubService) genWireguardLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.WireGuard {
return ""
}
settings := s.linkSettings(inbound)
secretKey, _ := settings["secretKey"].(string)
resolved, ok := s.clientForLink(inbound, email)
if !ok || resolved.PrivateKey == "" {
return ""
}
client := &resolved
link := fmt.Sprintf("wireguard://%s@%s", encodeUserinfo(client.PrivateKey), joinHostPort(s.resolveInboundAddress(inbound), inbound.Port))
params := make(map[string]string)
if secretKey != "" {
if pub, err := wgutil.PublicKeyFromPrivate(secretKey); err == nil {
params["publickey"] = pub
}
}
if len(client.AllowedIPs) > 0 && client.AllowedIPs[0] != "" {
params["address"] = client.AllowedIPs[0]
}
if mtu, ok := settings["mtu"].(float64); ok && mtu > 0 {
params["mtu"] = strconv.Itoa(int(mtu))
}
if dns, ok := settings["dns"].(string); ok && dns != "" {
params["dns"] = dns
}
if client.PreSharedKey != "" {
params["presharedkey"] = client.PreSharedKey
}
if client.KeepAlive > 0 {
params["keepalive"] = strconv.Itoa(client.KeepAlive)
}
return buildLinkWithParams(link, params, s.genRemark(inbound, email, "", ""))
}
// genMtprotoLink builds a per-client Telegram proxy deep link for an mtproto
// inbound: the server/port pair plus the client's own FakeTLS secret. The link
// carries no remark fragment — Telegram proxy deep links have no name field, and
// a trailing "#remark" is appended to the last query value by lenient parsers,
// corrupting the server address. The remark is shown separately in the panel UI.
// Returns "" when the client has no secret.
func (s *SubService) genMtprotoLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.MTProto {
return ""
}
resolved, ok := s.clientForLink(inbound, email)
if !ok || resolved.Secret == "" {
return ""
}
params := map[string]string{
"server": s.resolveInboundAddress(inbound),
"port": fmt.Sprintf("%d", inbound.Port),
"secret": resolved.Secret,
}
return buildLinkWithParams("tg://proxy", params, "")
}
// Protocol link generators are intentionally ordered as:
// vmess -> vless -> trojan -> shadowsocks -> hysteria.
func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.VMESS {
return ""
}
address := s.resolveInboundAddress(inbound)
obj := map[string]any{
"v": "2",
"add": address,
"port": inbound.Port,
"type": "none",
}
stream := unmarshalStreamSettings(inbound.StreamSettings)
network, _ := stream["network"].(string)
applyVmessNetworkParams(stream, network, obj)
if finalmask, ok := stream["finalmask"].(map[string]any); ok {
applyFinalMaskObj(finalmask, obj)
}
security, _ := stream["security"].(string)
obj["tls"] = security
if security == "tls" {
applyVmessTLSParams(stream, obj)
}
client, ok := s.clientForLink(inbound, email)
if !ok {
return ""
}
obj["id"] = client.ID
obj["scy"] = normalizeVmessSecurity(client.Security)
externalProxies, _ := stream["externalProxy"].([]any)
if len(externalProxies) > 0 {
return s.buildVmessExternalProxyLinks(externalProxies, obj, inbound, email, network)
}
obj["ps"] = s.genRemark(inbound, email, "", network)
return buildVmessLink(obj)
}
// normalizeVmessSecurity maps the vmess security values xray-core v26.7.11
// removed ("none"/"zero"), plus the legacy empty string, to "auto" so links
// and subscriptions stop advertising values the upgraded server rejects on
// the wire.
func normalizeVmessSecurity(security string) string {
switch security {
case "", "none", "zero":
return "auto"
}
return security
}
// vlessEncryptionEnabled reports whether the VLESS inbound settings enable
// VLESS-level encryption (vlessenc / ML-KEM). When on, the encryption/decryption
// fields hold a generated dotted string (e.g. "mlkem768x25519plus.native.0rtt.<key>");
// "none" or empty means off. The value is never the literal "vlessenc" — that is
// the `xray vlessenc` CLI subcommand name, not a stored value.
func vlessEncryptionEnabled(settings map[string]any) bool {
for _, key := range []string{"encryption", "decryption"} {
if v, ok := settings[key].(string); ok && v != "" && v != "none" {
return true
}
}
return false
}
// vlessFlowAllowed reports whether a client's XTLS Vision flow belongs in
// generated links/configs. Mirrors inboundCanEnableTlsFlow in
// internal/web/service: Vision runs on TCP with tls/reality (classic), and on
// XHTTP whenever VLESS encryption (vlessenc / ML-KEM) is enabled — there the
// VLESS-level encryption stands in for the transport TLS that Vision relies
// on, regardless of the stream security layer (so XHTTP+REALITY+vlessenc
// keeps its flow too).
func vlessFlowAllowed(network, security string, settings map[string]any) bool {
switch network {
case "tcp":
return security == "tls" || security == "reality"
case "xhttp":
return vlessEncryptionEnabled(settings)
}
return false
}
func (s *SubService) genVlessLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.VLESS {
return ""
}
address := s.resolveInboundAddress(inbound)
stream := unmarshalStreamSettings(inbound.StreamSettings)
client, ok := s.clientForLink(inbound, email)
if !ok {
return ""
}
uuid := client.ID
port := inbound.Port
streamNetwork, _ := stream["network"].(string)
params := make(map[string]string)
params["type"] = streamNetwork
// Add encryption parameter for VLESS from inbound settings
settings := s.linkSettings(inbound)
if encryption, ok := settings["encryption"].(string); ok {
params["encryption"] = encryption
}
applyShareNetworkParams(stream, streamNetwork, params)
if finalmask, ok := stream["finalmask"].(map[string]any); ok {
applyFinalMaskParams(finalmask, params)
}
security, _ := stream["security"].(string)
switch security {
case "tls":
applyShareTLSParams(stream, params)
case "reality":
applyShareRealityParams(stream, params, subKey(client))
default:
params["security"] = "none"
}
if len(client.Flow) > 0 && vlessFlowAllowed(streamNetwork, security, settings) {
params["flow"] = client.Flow
}
externalProxies, _ := stream["externalProxy"].([]any)
if len(externalProxies) > 0 {
return s.buildExternalProxyURLLinks(
externalProxies,
params,
security,
func(ep map[string]any, dest string, port int) string {
return fmt.Sprintf("vless://%s@%s", applyVlessRoute(uuid, hostVlessRoute(ep)), joinHostPort(dest, port))
},
func(ep map[string]any) string {
return s.endpointRemark(inbound, email, ep, streamNetwork)
},
)
}
link := fmt.Sprintf("vless://%s@%s", uuid, joinHostPort(address, port))
return buildLinkWithParams(link, params, s.genRemark(inbound, email, "", streamNetwork))
}
func (s *SubService) genTrojanLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.Trojan {
return ""
}
address := s.resolveInboundAddress(inbound)
stream := unmarshalStreamSettings(inbound.StreamSettings)
client, ok := s.clientForLink(inbound, email)
if !ok {
return ""
}
password := encodeUserinfo(client.Password)
port := inbound.Port
streamNetwork, _ := stream["network"].(string)
params := make(map[string]string)
params["type"] = streamNetwork
applyShareNetworkParams(stream, streamNetwork, params)
if finalmask, ok := stream["finalmask"].(map[string]any); ok {
applyFinalMaskParams(finalmask, params)
}
security, _ := stream["security"].(string)
switch security {
case "tls":
applyShareTLSParams(stream, params)
case "reality":
applyShareRealityParams(stream, params, subKey(client))
if streamNetwork == "tcp" && len(client.Flow) > 0 {
params["flow"] = client.Flow
}
default:
params["security"] = "none"
}
externalProxies, _ := stream["externalProxy"].([]any)
if len(externalProxies) > 0 {
return s.buildExternalProxyURLLinks(
externalProxies,
params,
security,
func(_ map[string]any, dest string, port int) string {
return fmt.Sprintf("trojan://%s@%s", password, joinHostPort(dest, port))
},
func(ep map[string]any) string {
return s.endpointRemark(inbound, email, ep, streamNetwork)
},
)
}
link := fmt.Sprintf("trojan://%s@%s", password, joinHostPort(address, port))
return buildLinkWithParams(link, params, s.genRemark(inbound, email, "", streamNetwork))
}
// encodeUserinfo percent-encodes a userinfo (password/auth) value so it
// can be safely embedded in a `scheme://<value>@host:port` URL. RFC 3986
// allows `=` in userinfo as a sub-delim, but several Trojan and Hysteria
// clients reject share-links where the password contains literal `/`
// or `=` (notably the common base64-with-padding shape produced by the
// panel). Encode them too — this matches encodeURIComponent() on the
// frontend and round-trips cleanly through net/url's parser.
func encodeUserinfo(s string) string {
return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}
// joinHostPort wraps an IPv6 host in square brackets the way RFC 3986
// requires for URI authorities, while leaving IPv4 addresses and hostnames
// untouched. It also strips any brackets already present on the input so
// callers don't have to normalize upstream.
func joinHostPort(host string, port int) string {
host = strings.Trim(host, "[]")
return net.JoinHostPort(host, strconv.Itoa(port))
}
func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.Shadowsocks {
return ""
}
address := s.resolveInboundAddress(inbound)
stream := unmarshalStreamSettings(inbound.StreamSettings)
client, ok := s.clientForLink(inbound, email)
if !ok {
return ""
}
settings := s.linkSettings(inbound)
inboundPassword, _ := settings["password"].(string)
method, _ := settings["method"].(string)
streamNetwork, _ := stream["network"].(string)
params := make(map[string]string)
params["type"] = streamNetwork
applyShareNetworkParams(stream, streamNetwork, params)
if finalmask, ok := stream["finalmask"].(map[string]any); ok {
applyFinalMaskParams(finalmask, params)
}
security, _ := stream["security"].(string)
if security == "tls" {
applyShareTLSParams(stream, params)
}
// SIP002 clients (v2rayN) ignore the xray-native type/headerType/host/path
// params and only read `plugin`. Re-encode a TCP http header as obfs-local so
// they build a matching tcp/http outbound (v2rayN forces request path "/").
if streamNetwork == "tcp" && params["headerType"] == "http" {
host := params["host"]
delete(params, "type")
delete(params, "headerType")
delete(params, "host")
delete(params, "path")
params["plugin"] = "obfs-local;obfs=http;obfs-host=" + host
}
// SIP002 userinfo is base64(method:password). For SIP022 (2022-blake3-*) the
// userinfo MUST NOT be base64-encoded; method and password are percent-encoded.
var userInfo string
if strings.HasPrefix(method, "2022") {
userInfo = fmt.Sprintf("%s:%s:%s",
url.QueryEscape(method),
url.QueryEscape(inboundPassword),
url.QueryEscape(client.Password))
} else {
userInfo = base64.RawURLEncoding.EncodeToString(fmt.Appendf(nil, "%s:%s", method, client.Password))
}
externalProxies, _ := stream["externalProxy"].([]any)
if len(externalProxies) > 0 {
proxyParams := cloneStringMap(params)
proxyParams["security"] = security
return s.buildExternalProxyURLLinks(
externalProxies,
proxyParams,
security,
func(_ map[string]any, dest string, port int) string {
return fmt.Sprintf("ss://%s@%s", userInfo, joinHostPort(dest, port))
},
func(ep map[string]any) string {
return s.endpointRemark(inbound, email, ep, streamNetwork)
},
)
}
link := fmt.Sprintf("ss://%s@%s", userInfo, joinHostPort(address, inbound.Port))
return buildLinkWithParams(link, params, s.genRemark(inbound, email, "", streamNetwork))
}
func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) string {
if inbound.Protocol != model.Hysteria {
return ""
}
var stream map[string]any
_ = json.Unmarshal([]byte(inbound.StreamSettings), &stream)
client, ok := s.clientForLink(inbound, email)
if !ok {
return ""
}
auth := encodeUserinfo(client.Auth)
params := make(map[string]string)
params["security"] = "tls"
tlsSetting, _ := stream["tlsSettings"].(map[string]any)
alpns, _ := tlsSetting["alpn"].([]any)
var alpn []string
for _, a := range alpns {
if s, ok := a.(string); ok {
alpn = append(alpn, s)
}
}
if len(alpn) > 0 {
params["alpn"] = strings.Join(alpn, ",")
}
if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
params["sni"], _ = sniValue.(string)
}
tlsSettings, _ := searchKey(tlsSetting, "settings")
if tlsSetting != nil {
if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
params["fp"], _ = fpValue.(string)
}
if echValue, ok := searchKey(tlsSettings, "echConfigList"); ok {
if ech, _ := echValue.(string); ech != "" {
params["ech"] = ech
}
}
if vcn, ok := verifyPeerCertByNameValue(tlsSettings); ok {
params["vcn"] = vcn
}
if pins, ok := pinnedSha256List(tlsSettings); ok {
for i, p := range pins {
pins[i] = hysteriaPinHex(p)
}
params["pinSHA256"] = strings.Join(pins, ",")
}
}
// salamander obfs (Hysteria2). The panel-side link generator already
// emits these; keep the subscription output in sync so a client has
// the obfs password to match the server.
if finalmask, ok := stream["finalmask"].(map[string]any); ok {
applyFinalMaskParams(finalmask, params)
if udpMasks, ok := finalmask["udp"].([]any); ok {
for _, m := range udpMasks {
mask, _ := m.(map[string]any)
if mask == nil || mask["type"] != "salamander" {
continue
}
settings, _ := mask["settings"].(map[string]any)
if pw, ok := settings["password"].(string); ok && pw != "" {
params["obfs"] = "salamander"
params["obfs-password"] = pw
break
}
}
}
}
settings := s.linkSettings(inbound)
version, _ := settings["version"].(float64)
protocol := "hysteria2"
if int(version) == 1 {
protocol = "hysteria"
}
// Fan out one link per External Proxy entry if any. Previously this
// generator ignored `externalProxy` entirely, so the link kept the
// server's own IP/port even when the admin configured an alternate
// endpoint (e.g. a CDN hostname + port that forwards to the node).
// Matches the behaviour of genVlessLink / genTrojanLink / ….
externalProxies, _ := stream["externalProxy"].([]any)
if len(externalProxies) > 0 {
links := make([]string, 0, len(externalProxies))
for _, externalProxy := range externalProxies {
ep, ok := externalProxy.(map[string]any)
if !ok {
continue
}
dest, _ := ep["dest"].(string)
portF, okPort := ep["port"].(float64)
if dest == "" || !okPort {
continue
}
epParams := cloneStringMap(params)
applyExternalProxyHysteriaParams(ep, epParams)
link := fmt.Sprintf("%s://%s@%s", protocol, auth, joinHostPort(dest, int(portF)))
links = append(links, buildLinkWithParams(link, epParams, s.endpointRemark(inbound, email, ep, "quic")))
}
return strings.Join(links, "\n")
}
// No external proxy configured — use the inbound's resolved address so
// node-managed inbounds get the node's host instead of the central panel's.
if hopPorts := hysteriaHopPorts(stream); hopPorts != "" {
params["mport"] = hopPorts
}
link := fmt.Sprintf("%s://%s@%s", protocol, auth, joinHostPort(s.resolveInboundAddress(inbound), inbound.Port))
return buildLinkWithParams(link, params, s.genRemark(inbound, email, "", "quic"))
}
// hysteriaHopPorts returns the configured Hysteria2 UDP port-hopping range
// (finalmask.quicParams.udpHop.ports), or "" when port hopping is off. The
// range is emitted as the v2rayN-compatible `mport` query param; the URL port
// field stays numeric so .NET-Uri-based importers (v2rayN) can parse the link.
func hysteriaHopPorts(stream map[string]any) string {
finalmask, _ := stream["finalmask"].(map[string]any)
quicParams, _ := finalmask["quicParams"].(map[string]any)
udpHop, _ := quicParams["udpHop"].(map[string]any)
ports, _ := udpHop["ports"].(string)
return strings.TrimSpace(ports)
}
// loadNodes refreshes nodesByID from the DB. Called once per request so
// the per-inbound resolveInboundAddress lookups are pure map reads.
// We filter to address != ” so a half-configured node row doesn't
// accidentally produce a useless host like "https://:2053".
func (s *SubService) loadNodes() {
db := database.GetDB()
var nodes []*model.Node
if err := db.Model(&model.Node{}).Where("address != ''").Find(&nodes).Error; err != nil {
logger.Warning("subscription: load nodes failed:", err)
s.nodesByID = nil
return
}
m := make(map[int]*model.Node, len(nodes))
for _, n := range nodes {
m[n.Id] = n
}
s.nodesByID = m
}
// resolveInboundAddress picks the host an external client should connect to,
// honoring the inbound's share address strategy the same way the panel's
// share/QR link builder does (#5208):
// - "listen": an explicit, client-reachable bind Listen wins, backed by the
// node's address for node-managed inbounds;
// - "custom": the inbound's ShareAddr wins, then node, then listen;
// - "node" (default, and any unknown value): the node's address for
// node-managed inbounds, then a routable Listen — the pre-strategy order.
//
// Every chain ends at the admin's configured public host (Sub/Web domain) and
// then the subscriber's request host (s.address). Preferring the configured
// host over the request host for this last resort keeps a wildcard local inbound
// from advertising a bogus client IP that leaked into the request Host header
// behind NAT/proxy/CDN (#5425). A loopback/wildcard bind or a unix-domain-socket
// listen is a server-side detail and is never advertised; External Proxy still
// overrides everything upstream of this call.
func (s *SubService) resolveInboundAddress(inbound *model.Inbound) string {
var nodeAddr string
if inbound.NodeID != nil && s.nodesByID != nil {
if n, ok := s.nodesByID[*inbound.NodeID]; ok {
nodeAddr = n.Address
}
}
var listenAddr string
if listen := inbound.Listen; listen != "" && listen[0] != '@' && listen[0] != '/' && isRoutableHost(listen) {
listenAddr = listen
}
candidates := []string{nodeAddr, listenAddr}
switch inbound.ShareAddrStrategy {
case "listen":
candidates = []string{listenAddr, nodeAddr}
case "custom":
candidates = []string{strings.TrimSpace(inbound.ShareAddr), nodeAddr, listenAddr}
}
for _, c := range candidates {
if c != "" {
return c
}
}
if d := s.configuredPublicHost(); d != "" {
return d
}
return s.address
}
func findClientIndex(clients []model.Client, email string) int {
for i, client := range clients {
if client.Email == email {
return i
}
}
return -1
}
func unmarshalStreamSettings(streamSettings string) map[string]any {
var stream map[string]any
_ = json.Unmarshal([]byte(streamSettings), &stream)
return stream
}
func applyPathAndHostParams(settings map[string]any, params map[string]string) {
params["path"], _ = settings["path"].(string)
if host, ok := settings["host"].(string); ok && len(host) > 0 {
params["host"] = host
} else {
headers, _ := settings["headers"].(map[string]any)
params["host"] = searchHost(headers)
}
}
func applyPathAndHostObj(settings map[string]any, obj map[string]any) {
obj["path"], _ = settings["path"].(string)
if host, ok := settings["host"].(string); ok && len(host) > 0 {
obj["host"] = host
} else {
headers, _ := settings["headers"].(map[string]any)
obj["host"] = searchHost(headers)
}
}
func applyShareNetworkParams(stream map[string]any, streamNetwork string, params map[string]string) {
switch streamNetwork {
case "tcp":
tcp, _ := stream["tcpSettings"].(map[string]any)
header, _ := tcp["header"].(map[string]any)
typeStr, _ := header["type"].(string)
if typeStr == "http" {
request, _ := header["request"].(map[string]any)
requestPath, _ := request["path"].([]any)
if len(requestPath) > 0 {
params["path"], _ = requestPath[0].(string)
}
host := ""
if response, ok := header["response"].(map[string]any); ok {
if respHeaders, ok := response["headers"].(map[string]any); ok {
host = searchHost(respHeaders)
}
}
if host == "" {
headers, _ := request["headers"].(map[string]any)
host = searchHost(headers)
}
params["host"] = host
params["headerType"] = "http"
}
case "kcp":
applyKcpShareParams(stream, params)
case "ws":
ws, _ := stream["wsSettings"].(map[string]any)
applyPathAndHostParams(ws, params)
case "grpc":
grpc, _ := stream["grpcSettings"].(map[string]any)
params["serviceName"], _ = grpc["serviceName"].(string)
params["authority"], _ = grpc["authority"].(string)
if mm, _ := grpc["multiMode"].(bool); mm {
params["mode"] = "multi"
}
case "httpupgrade":
httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
applyPathAndHostParams(httpupgrade, params)
case "xhttp":
xhttp, _ := stream["xhttpSettings"].(map[string]any)
applyXhttpExtraParams(xhttp, params)
}
}
// applyXhttpExtraObj copies the bidirectional xhttp settings into the
// VMess base64 JSON link object. VMess supports arbitrary keys, so we
// flatten the SplitHTTPConfig "extra" fields directly onto obj.
func applyXhttpExtraObj(xhttp map[string]any, obj map[string]any) {
if xpb, ok := xhttp["xPaddingBytes"].(string); ok && len(xpb) > 0 {
obj["x_padding_bytes"] = xpb
}
maps.Copy(obj, buildXhttpExtra(xhttp))
}
func applyVmessNetworkParams(stream map[string]any, network string, obj map[string]any) {
obj["net"] = network
switch network {
case "tcp":
tcp, _ := stream["tcpSettings"].(map[string]any)
header, _ := tcp["header"].(map[string]any)
typeStr, _ := header["type"].(string)
obj["type"] = typeStr
if typeStr == "http" {
request, _ := header["request"].(map[string]any)
requestPath, _ := request["path"].([]any)
if len(requestPath) > 0 {
obj["path"], _ = requestPath[0].(string)
}
host := ""
if response, ok := header["response"].(map[string]any); ok {
if respHeaders, ok := response["headers"].(map[string]any); ok {
host = searchHost(respHeaders)
}
}
if host == "" {
headers, _ := request["headers"].(map[string]any)
host = searchHost(headers)
}
obj["host"] = host
}
case "kcp":
applyKcpShareObj(stream, obj)
case "ws":
ws, _ := stream["wsSettings"].(map[string]any)
applyPathAndHostObj(ws, obj)
case "grpc":
grpc, _ := stream["grpcSettings"].(map[string]any)
obj["path"], _ = grpc["serviceName"].(string)
obj["authority"], _ = grpc["authority"].(string)
if mm, _ := grpc["multiMode"].(bool); mm {
obj["type"] = "multi"
}
case "httpupgrade":
httpupgrade, _ := stream["httpupgradeSettings"].(map[string]any)
applyPathAndHostObj(httpupgrade, obj)
case "xhttp":
xhttp, _ := stream["xhttpSettings"].(map[string]any)
applyPathAndHostObj(xhttp, obj)
if mode, ok := xhttp["mode"].(string); ok {
obj["mode"] = mode
}
applyXhttpExtraObj(xhttp, obj)
}
}
func applyShareTLSParams(stream map[string]any, params map[string]string) {
params["security"] = "tls"
tlsSetting, _ := stream["tlsSettings"].(map[string]any)
alpns, _ := tlsSetting["alpn"].([]any)
var alpn []string
for _, a := range alpns {
if s, ok := a.(string); ok {
alpn = append(alpn, s)
}
}
if len(alpn) > 0 {
params["alpn"] = strings.Join(alpn, ",")
}
if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
params["sni"], _ = sniValue.(string)
}
tlsSettings, _ := searchKey(tlsSetting, "settings")
if tlsSetting != nil {
if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
params["fp"], _ = fpValue.(string)
}
if echValue, ok := searchKey(tlsSettings, "echConfigList"); ok {
if ech, _ := echValue.(string); ech != "" {
params["ech"] = ech
}
}
if vcn, ok := verifyPeerCertByNameValue(tlsSettings); ok {
params["vcn"] = vcn
}
if pins, ok := pinnedSha256List(tlsSettings); ok {
params["pcs"] = strings.Join(pins, ",")
}
}
}
func applyVmessTLSParams(stream map[string]any, obj map[string]any) {
tlsSetting, _ := stream["tlsSettings"].(map[string]any)
alpns, _ := tlsSetting["alpn"].([]any)
if len(alpns) > 0 {
var alpn []string
for _, a := range alpns {
if s, ok := a.(string); ok {
alpn = append(alpn, s)
}
}
obj["alpn"] = strings.Join(alpn, ",")
}
if sniValue, ok := searchKey(tlsSetting, "serverName"); ok {
obj["sni"], _ = sniValue.(string)
}
tlsSettings, _ := searchKey(tlsSetting, "settings")
if tlsSetting != nil {
if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
obj["fp"], _ = fpValue.(string)
}
if echValue, ok := searchKey(tlsSettings, "echConfigList"); ok {
if ech, _ := echValue.(string); ech != "" {
obj["ech"] = ech
}
}
if vcn, ok := verifyPeerCertByNameValue(tlsSettings); ok {
obj["vcn"] = vcn
}
if pins, ok := pinnedSha256List(tlsSettings); ok {
obj["pcs"] = strings.Join(pins, ",")
}
}
}
// verifyPeerCertByNameValue extracts tlsSettings.settings.verifyPeerCertByName
// (the v2rayN `vcn` param) as a trimmed string. Like pinnedPeerCertSha256 it is
// panel-only and flows into share links so clients verify the server
// certificate by this name — the replacement for the removed allowInsecure.
func verifyPeerCertByNameValue(tlsClientSettings any) (string, bool) {
raw, ok := searchKey(tlsClientSettings, "verifyPeerCertByName")
if !ok {
return "", false
}
s, ok := raw.(string)
if !ok {
return "", false
}
if s = strings.TrimSpace(s); s == "" {
return "", false
}
return s, true
}
// pinnedSha256List extracts tlsSettings.settings.pinnedPeerCertSha256 as a
// []string. The field is panel-only (stripped before the run-config reaches
// xray-core via internal/web/service/xray.go) but flows into share links so clients
// can pin the server's certificate hash.
func pinnedSha256List(tlsClientSettings any) ([]string, bool) {
raw, ok := searchKey(tlsClientSettings, "pinnedPeerCertSha256")
if !ok {
return nil, false
}
arr, ok := raw.([]any)
if !ok || len(arr) == 0 {
return nil, false
}
out := make([]string, 0, len(arr))
for _, v := range arr {
s, ok := v.(string)
if !ok || s == "" {
continue
}
out = append(out, s)
}
if len(out) == 0 {
return nil, false
}
return out, true
}
// hysteriaPinHex normalises a pinnedPeerCertSha256 entry into the 64-character
// lowercase hex form that Xray-core's Hysteria2 pinSHA256 parser requires.
//
// The panel stores pins in several shapes: base64 (xray-core's native TLS
// format, used by the generate button and the JSON subscription) and hex —
// either bare or colon-separated as `openssl x509 -fingerprint -sha256` emits
// it. Hysteria2 clients hex-decode pinSHA256 and crash on a base64 value, so
// each entry is coerced to bare hex here. Anything that is neither a 32-byte
// hex nor a 32-byte base64 SHA-256 is returned unchanged so unexpected data is
// not silently dropped. Mirrors decodeCertPin in internal/web/service/node.go.
func hysteriaPinHex(pin string) string {
pin = strings.TrimSpace(pin)
if h := strings.ReplaceAll(pin, ":", ""); len(h) == hex.EncodedLen(sha256.Size) {
if _, err := hex.DecodeString(h); err == nil {
return strings.ToLower(h)
}
}
for _, enc := range []*base64.Encoding{
base64.StdEncoding,
base64.RawStdEncoding,
base64.URLEncoding,
base64.RawURLEncoding,
} {
if b, err := enc.DecodeString(pin); err == nil && len(b) == sha256.Size {
return hex.EncodeToString(b)
}
}
return pin
}
func applyShareRealityParams(stream map[string]any, params map[string]string, clientKey string) {
params["security"] = "reality"
realitySetting, _ := stream["realitySettings"].(map[string]any)
realitySettings, _ := searchKey(realitySetting, "settings")
if realitySetting != nil {
if sniValue, ok := searchKey(realitySetting, "serverNames"); ok {
if sNames, _ := sniValue.([]any); len(sNames) > 0 {
params["sni"], _ = sNames[random.Num(len(sNames))].(string)
}
}
if pbkValue, ok := searchKey(realitySettings, "publicKey"); ok {
params["pbk"], _ = pbkValue.(string)
}
if sidValue, ok := searchKey(realitySetting, "shortIds"); ok {
if shortIds, _ := sidValue.([]any); len(shortIds) > 0 {
params["sid"], _ = shortIds[random.Num(len(shortIds))].(string)
}
}
if fpValue, ok := searchKey(realitySettings, "fingerprint"); ok {
if fp, ok := fpValue.(string); ok && len(fp) > 0 {
params["fp"] = fp
}
}
if pqvValue, ok := searchKey(realitySettings, "mldsa65Verify"); ok {
if pqv, ok := pqvValue.(string); ok && len(pqv) > 0 {
params["pqv"] = pqv
}
}
seed := ""
if spxValue, ok := searchKey(realitySettings, "spiderX"); ok {
seed, _ = spxValue.(string)
}
params["spx"] = deriveSpiderX(seed, clientKey)
}
}
// subKey returns a stable per-client identity for deterministic derivations,
// preferring the subscription id and falling back to the (unique) email.
func subKey(c model.Client) string {
if c.SubID != "" {
return c.SubID
}
return c.Email
}
// deriveSpiderX maps the inbound's spiderX seed plus a stable client key to a
// deterministic per-client "/path"; frontend/src/lib/xray/spider-x.ts mirrors it.
func deriveSpiderX(seed, clientKey string) string {
if seed == "" && clientKey == "" {
return "/" + random.Seq(15)
}
sum := sha256.Sum256([]byte(seed + "|" + clientKey))
return "/" + hex.EncodeToString(sum[:])[:15]
}
func buildVmessLink(obj map[string]any) string {
jsonStr, _ := json.MarshalIndent(obj, "", " ")
return "vmess://" + base64.StdEncoding.EncodeToString(jsonStr)
}
func cloneVmessShareObj(baseObj map[string]any, newSecurity string) map[string]any {
newObj := map[string]any{}
for key, value := range baseObj {
if newSecurity != "none" || (key != "alpn" && key != "sni" && key != "fp" && key != "pcs") {
newObj[key] = value
}
}
return newObj
}
func applyExternalProxyTLSObj(ep map[string]any, obj map[string]any, security string) {
if security != "tls" {
return
}
if sni, ok := externalProxySNI(ep); ok {
obj["sni"] = sni
}
if fp, ok := ep["fingerprint"].(string); ok && fp != "" {
obj["fp"] = fp
}
if alpn, ok := externalProxyALPN(ep["alpn"]); ok {
obj["alpn"] = alpn
}
if pins, ok := externalProxyPins(ep["pinnedPeerCertSha256"]); ok {
obj["pcs"] = joinAnyStrings(pins)
}
if vcn, ok := ep["verifyPeerCertByName"].(string); ok && vcn != "" {
obj["vcn"] = vcn
}
if ech, ok := ep["echConfigList"].(string); ok && ech != "" {
obj["ech"] = ech
}
}
func applyExternalProxyTLSParams(ep map[string]any, params map[string]string, security string) {
if security != "tls" {
return
}
if sni, ok := externalProxySNI(ep); ok {
params["sni"] = sni
}
if fp, ok := ep["fingerprint"].(string); ok && fp != "" {
params["fp"] = fp
}
if alpn, ok := externalProxyALPN(ep["alpn"]); ok {
params["alpn"] = alpn
}
if pins, ok := externalProxyPins(ep["pinnedPeerCertSha256"]); ok {
params["pcs"] = joinAnyStrings(pins)
}
if vcn, ok := ep["verifyPeerCertByName"].(string); ok && vcn != "" {
params["vcn"] = vcn
}
if ech, ok := ep["echConfigList"].(string); ok && ech != "" {
params["ech"] = ech
}
}
// applyExternalProxyHysteriaParams overrides the cert pin for a single
// external-proxy entry on a Hysteria link. Hysteria carries the pin as a hex
// `pinSHA256` (not the `pcs` the URL-param protocols use), so each entry is
// coerced through hysteriaPinHex like the main pin. sni/fp/alpn are left as
// the inbound's own — Hysteria external proxies are typically alternate
// endpoints (port-hop / CDN) fronting the same certificate.
func applyExternalProxyHysteriaParams(ep map[string]any, params map[string]string) {
if pins, ok := externalProxyPins(ep["pinnedPeerCertSha256"]); ok {
hexPins := make([]string, 0, len(pins))
for _, p := range pins {
if s, ok := p.(string); ok {
hexPins = append(hexPins, hysteriaPinHex(s))
}
}
params["pinSHA256"] = strings.Join(hexPins, ",")
}
if ai, ok := ep["allowInsecure"].(bool); ok && ai {
params["insecure"] = "1"
}
}
// cloneStreamForExternalProxy returns a shallow clone of stream with
// tlsSettings (and its nested settings map) deep-copied. The external
// proxy loop mutates tlsSettings per iteration, so without isolating
// those maps each proxy's SNI/fingerprint/ALPN would leak into the next.
func cloneStreamForExternalProxy(stream map[string]any) map[string]any {
out := cloneMap(stream)
ts, ok := out["tlsSettings"].(map[string]any)
if !ok || ts == nil {
return out
}
clonedTs := cloneMap(ts)
if inner, ok := clonedTs["settings"].(map[string]any); ok && inner != nil {
clonedTs["settings"] = cloneMap(inner)
}
out["tlsSettings"] = clonedTs
return out
}
func applyExternalProxyTLSToStream(ep map[string]any, stream map[string]any, security string) {
if security != "tls" {
return
}
tlsSettings, _ := stream["tlsSettings"].(map[string]any)
if tlsSettings == nil {
tlsSettings = map[string]any{}
stream["tlsSettings"] = tlsSettings
}
if sni, ok := externalProxySNI(ep); ok {
tlsSettings["serverName"] = sni
}
if fp, ok := ep["fingerprint"].(string); ok && fp != "" {
tlsSettings["fingerprint"] = fp
settings, _ := tlsSettings["settings"].(map[string]any)
if settings == nil {
settings = map[string]any{}
tlsSettings["settings"] = settings
}
settings["fingerprint"] = fp
}
if alpn, ok := externalProxyALPNList(ep["alpn"]); ok {
tlsSettings["alpn"] = alpn
}
if pins, ok := externalProxyPins(ep["pinnedPeerCertSha256"]); ok {
settings, _ := tlsSettings["settings"].(map[string]any)
if settings == nil {
settings = map[string]any{}
tlsSettings["settings"] = settings
}
settings["pinnedPeerCertSha256"] = pins
}
if ech, ok := ep["echConfigList"].(string); ok && ech != "" {
settings, _ := tlsSettings["settings"].(map[string]any)
if settings == nil {
settings = map[string]any{}
tlsSettings["settings"] = settings
}
settings["echConfigList"] = ech
}
if vcn, ok := ep["verifyPeerCertByName"].(string); ok && vcn != "" {
settings, _ := tlsSettings["settings"].(map[string]any)
if settings == nil {
settings = map[string]any{}
tlsSettings["settings"] = settings
}
settings["verifyPeerCertByName"] = vcn
}
if ai, ok := ep["allowInsecure"].(bool); ok && ai {
settings, _ := tlsSettings["settings"].(map[string]any)
if settings == nil {
settings = map[string]any{}
tlsSettings["settings"] = settings
}
settings["allowInsecure"] = true
}
}
func externalProxySNI(ep map[string]any) (string, bool) {
if sni, ok := ep["sni"].(string); ok && sni != "" {
return sni, true
}
return "", false
}
func externalProxyALPN(value any) (string, bool) {
switch v := value.(type) {
case string:
return v, v != ""
case []string:
if len(v) == 0 {
return "", false
}
return strings.Join(v, ","), true
case []any:
alpn := make([]string, 0, len(v))
for _, item := range v {
if s, ok := item.(string); ok && s != "" {
alpn = append(alpn, s)
}
}
if len(alpn) == 0 {
return "", false
}
return strings.Join(alpn, ","), true
default:
return "", false
}
}
func externalProxyALPNList(value any) ([]any, bool) {
switch v := value.(type) {
case string:
if v == "" {
return nil, false
}
parts := strings.Split(v, ",")
out := make([]any, 0, len(parts))
for _, part := range parts {
if part = strings.TrimSpace(part); part != "" {
out = append(out, part)
}
}
return out, len(out) > 0
case []string:
out := make([]any, 0, len(v))
for _, item := range v {
if item != "" {
out = append(out, item)
}
}
return out, len(out) > 0
case []any:
out := make([]any, 0, len(v))
for _, item := range v {
if s, ok := item.(string); ok && s != "" {
out = append(out, s)
}
}
return out, len(out) > 0
default:
return nil, false
}
}
// externalProxyPins extracts an external-proxy entry's pinnedPeerCertSha256
// as a []any of non-empty strings. The []any element type matches what the
// JSON/Clash sub builders expect when reading the value back off the cloned
// stream's tlsSettings.settings.
func externalProxyPins(value any) ([]any, bool) {
switch v := value.(type) {
case []string:
out := make([]any, 0, len(v))
for _, item := range v {
if item != "" {
out = append(out, item)
}
}
return out, len(out) > 0
case []any:
out := make([]any, 0, len(v))
for _, item := range v {
if s, ok := item.(string); ok && s != "" {
out = append(out, s)
}
}
return out, len(out) > 0
default:
return nil, false
}
}
func joinAnyStrings(items []any) string {
parts := make([]string, 0, len(items))
for _, item := range items {
if s, ok := item.(string); ok {
parts = append(parts, s)
}
}
return strings.Join(parts, ",")
}
// buildVmessExternalProxyLinks is a thin adapter: it maps the legacy
// externalProxy entries to []ShareEndpoint and renders them through the unified
// endpoint path. Kept as a thin shim over the unified endpoint builder so
// genVmessLink keeps calling one helper (now threading transport through).
func (s *SubService) buildVmessExternalProxyLinks(externalProxies []any, baseObj map[string]any, inbound *model.Inbound, email string, transport string) string {
eps := make([]ShareEndpoint, 0, len(externalProxies))
for _, externalProxy := range externalProxies {
ep, _ := externalProxy.(map[string]any)
eps = append(eps, externalProxyToEndpoint(ep))
}
return s.buildEndpointVmessLinks(eps, baseObj, inbound, email, transport)
}
// buildLinkWithParams appends ?query and #fragment to a pre-built
// scheme://userinfo@host:port string without re-parsing it. The caller
// has already escaped userinfo via encodeUserinfo (or chosen a base64
// alphabet with no reserved chars); a url.Parse + .String() round-trip
// would silently decode that escaping because Go's userinfo emitter
// leaves sub-delims (=, +, ;) literal, which breaks Trojan/Hysteria/SS
// clients that reject those chars in the password.
func buildLinkWithParams(link string, params map[string]string, fragment string) string {
return appendQueryAndFragment(link, params, fragment, "", false)
}
// buildLinkWithParamsAndSecurity is buildLinkWithParams plus an
// external-proxy override: the `security` key in params is replaced with
// the supplied value, and TLS hint fields (alpn/sni/fp/pcs) are stripped
// when the override is `none`.
func buildLinkWithParamsAndSecurity(link string, params map[string]string, fragment, security string, omitTLSFields bool) string {
return appendQueryAndFragment(link, params, fragment, security, omitTLSFields)
}
func appendQueryAndFragment(link string, params map[string]string, fragment, securityOverride string, omitTLSFields bool) string {
var sb strings.Builder
sb.WriteString(link)
if len(params) > 0 {
q := url.Values{}
for k, v := range params {
if securityOverride != "" && k == "security" {
v = securityOverride
}
if omitTLSFields && (k == "alpn" || k == "sni" || k == "fp" || k == "pcs") {
continue
}
q.Set(k, v)
}
encoded := q.Encode()
if encoded != "" {
if strings.Contains(link, "?") {
sb.WriteByte('&')
} else {
sb.WriteByte('?')
}
sb.WriteString(encoded)
}
}
if fragment != "" {
sb.WriteByte('#')
// Match the frontend's encodeURIComponent(remark): spaces become
// %20 (not + as in query strings).
sb.WriteString(strings.ReplaceAll(url.QueryEscape(fragment), "+", "%20"))
}
return sb.String()
}
// buildExternalProxyURLLinks is a thin adapter: it maps the legacy externalProxy
// entries to []ShareEndpoint and renders them through the unified endpoint path.
// Kept so the genVless/genTrojan/genShadowsocks call sites are unchanged.
func (s *SubService) buildExternalProxyURLLinks(
externalProxies []any,
params map[string]string,
baseSecurity string,
makeLink func(ep map[string]any, dest string, port int) string,
makeRemark func(ep map[string]any) string,
) string {
eps := make([]ShareEndpoint, 0, len(externalProxies))
for _, externalProxy := range externalProxies {
ep, _ := externalProxy.(map[string]any)
eps = append(eps, externalProxyToEndpoint(ep))
}
return s.buildEndpointLinks(eps, params, baseSecurity, func(e ShareEndpoint) string {
return makeLink(e.ep, e.Address, e.Port)
}, func(e ShareEndpoint) string {
return makeRemark(e.ep)
})
}
func cloneStringMap(source map[string]string) map[string]string {
cloned := make(map[string]string, len(source))
maps.Copy(cloned, source)
return cloned
}
// genRemark builds the remark for a non-host link (raw default / legacy
// externalProxy / synthetic JSON-Clash entry). A set remark template drives it
// in both the body and display contexts (genTemplatedRemark renders the
// name-only part on displays); with no template it falls back to the inbound
// remark, extra and email joined by "-".
func (s *SubService) genRemark(inbound *model.Inbound, email string, extra string, transport string) string {
if s.remarkTemplate != "" {
return s.genTemplatedRemark(inbound, s.lookupClient(inbound, email), extra, transport)
}
return fallbackRemark(inbound.Remark, extra, email)
}
func fallbackRemark(parts ...string) string {
out := make([]string, 0, len(parts))
for _, p := range parts {
if p != "" {
out = append(out, p)
}
}
return strings.Join(out, "-")
}
// findClientStats returns the inbound's traffic record for email, if present.
func (s *SubService) findClientStats(inbound *model.Inbound, email string) (xray.ClientTraffic, bool) {
for _, clientStat := range inbound.ClientStats {
if clientStat.Email == email {
return clientStat, true
}
}
return xray.ClientTraffic{}, false
}
// statsByEmailFromDB resolves a client's traffic row straight from the DB by its
// globally-unique email, caching the hit into statsByEmail for the rest of the
// request. It's the last-resort lookup behind statsForClient: the preloaded
// ClientStats and the statsByEmail index are both keyed by
// client_traffics.inbound_id, which is written once by AddClientStat and never
// updated. When an inbound is deleted and recreated it gets a new id, so the old
// row is orphaned from every loaded inbound and both in-memory paths miss —
// leaving {{TRAFFIC_USED}} stuck at 0 for pre-existing clients even though their
// usage is intact (#5567). Matching by email recovers it, the same way the
// sub-info header's AggregateTrafficByEmails already does.
func (s *SubService) statsByEmailFromDB(email string) (xray.ClientTraffic, bool) {
db := database.GetDB()
if db == nil {
return xray.ClientTraffic{}, false
}
var row xray.ClientTraffic
if err := db.Model(&xray.ClientTraffic{}).Where("email = ?", email).First(&row).Error; err != nil {
return xray.ClientTraffic{}, false
}
if s.statsByEmail == nil {
s.statsByEmail = map[string]xray.ClientTraffic{}
}
s.statsByEmail[email] = row
return row, true
}
func searchKey(data any, key string) (any, bool) {
switch val := data.(type) {
case map[string]any:
for k, v := range val {
if k == key {
return v, true
}
if result, ok := searchKey(v, key); ok {
return result, true
}
}
case []any:
for _, v := range val {
if result, ok := searchKey(v, key); ok {
return result, true
}
}
}
return nil, false
}
// buildXhttpExtra walks an xhttpSettings map and returns the JSON blob
// that goes into the URL's `extra` param (or, for VMess, the link
// object). Carries ONLY the bidirectional fields from xray-core's
// SplitHTTPConfig — i.e. the ones the server enforces and the client
// must match. Strictly one-sided fields are excluded:
//
// - server-only (noSSEHeader, scMaxBufferedPosts, scStreamUpServerSecs,
// serverMaxHeaderBytes) — client wouldn't read them, so emitting
// them just bloats the URL.
// - client-only values are included only when present in the inbound
// JSON. Some deployments/imported configs carry them there, and the
// subscription link is the only place clients can receive them.
//
// Truthy-only guards keep default inbounds emitting the same compact URL
// they did before this helper grew.
func buildXhttpExtra(xhttp map[string]any) map[string]any {
if xhttp == nil {
return nil
}
extra := map[string]any{}
if mode, ok := xhttp["mode"].(string); ok && len(mode) > 0 {
extra["mode"] = mode
}
if xpb, ok := xhttp["xPaddingBytes"].(string); ok && len(xpb) > 0 {
extra["xPaddingBytes"] = xpb
}
if obfs, ok := xhttp["xPaddingObfsMode"].(bool); ok && obfs {
extra["xPaddingObfsMode"] = true
for _, field := range []string{"xPaddingKey", "xPaddingHeader", "xPaddingPlacement", "xPaddingMethod"} {
if v, ok := xhttp[field].(string); ok && len(v) > 0 {
extra[field] = v
}
}
}
stringFields := []string{
"uplinkHTTPMethod",
"sessionIDPlacement", "sessionIDKey", "sessionIDTable", "sessionIDLength",
"seqPlacement", "seqKey",
"uplinkDataPlacement", "uplinkDataKey",
"scMaxEachPostBytes", "scMinPostsIntervalMs",
}
// Values matching xray-core's own defaults are redundant on the wire and
// the literal scMinPostsIntervalMs=30 is a known DPI fingerprint (#5141).
// Old panels seeded these defaults into every xhttp inbound, so filter
// them here instead of requiring every stored config to be re-saved.
coreDefaults := map[string]string{
"scMaxEachPostBytes": "1000000",
"scMinPostsIntervalMs": "30",
}
for _, field := range stringFields {
if v, ok := xhttp[field].(string); ok && len(v) > 0 && v != coreDefaults[field] {
extra[field] = v
}
}
// Legacy inbounds (pre xray-core #6258) stored sessionPlacement/sessionKey.
// Lift them onto the renamed keys so links from not-yet-resaved configs
// still carry the session settings. Mirrors the frontend migration.
for legacy, renamed := range map[string]string{
"sessionPlacement": "sessionIDPlacement",
"sessionKey": "sessionIDKey",
} {
if _, exists := extra[renamed]; !exists {
if v, ok := xhttp[legacy].(string); ok && len(v) > 0 {
extra[renamed] = v
}
}
}
for _, field := range []string{"uplinkChunkSize"} {
if v, ok := nonZeroShareValue(xhttp[field]); ok {
extra[field] = v
}
}
for _, field := range []string{"noGRPCHeader"} {
if v, ok := xhttp[field].(bool); ok && v {
extra[field] = v
}
}
for _, field := range []string{"xmux", "downloadSettings"} {
if v, ok := nonEmptyShareObject(xhttp[field]); ok {
extra[field] = v
}
}
// Headers — emitted as the {name: value} map upstream's struct
// expects. The server runtime ignores this field, but the client
// (consuming the share link) honors it. Drop any "host" entry —
// host already wins as a top-level URL param.
if rawHeaders, ok := xhttp["headers"].(map[string]any); ok && len(rawHeaders) > 0 {
out := map[string]any{}
for k, v := range rawHeaders {
if strings.EqualFold(k, "host") {
continue
}
out[k] = v
}
if len(out) > 0 {
extra["headers"] = out
}
}
if len(extra) == 0 {
return nil
}
return extra
}
func nonZeroShareValue(v any) (any, bool) {
switch value := v.(type) {
case string:
return value, value != ""
case int:
return value, value != 0
case int32:
return value, value != 0
case int64:
return value, value != 0
case float32:
return value, value != 0
case float64:
return value, value != 0
default:
return nil, false
}
}
func nonEmptyShareObject(v any) (any, bool) {
switch value := v.(type) {
case map[string]any:
return value, len(value) > 0
case map[string]string:
return value, len(value) > 0
case []any:
return value, len(value) > 0
default:
return nil, false
}
}
// applyXhttpExtraParams emits the full xhttp config into the URL query
// params of a vless:// / trojan:// / ss:// link. Sets path/host/mode at
// top level (xray's Build() always lets these win over `extra`) and packs
// everything else into a JSON `extra` param. Also writes the flat
// `x_padding_bytes` param sing-box-family clients understand.
//
// Without this, the admin's custom xPaddingBytes / sessionKey / etc. never
// reach the client and handshakes are silently rejected with
// `invalid padding (...) length: 0` — the client-visible symptom is
// "xhttp doesn't connect" on OpenWRT / sing-box.
//
// Two encodings are written so every popular client can read at least one:
//
// - x_padding_bytes=<range> — flat param, understood by sing-box and its
// derivatives (Podkop, OpenWRT sing-box, Karing, NekoBox, …).
// - extra=<url-encoded-json> — full xhttp settings blob, which is how
// xray-core clients (v2rayNG, Happ, Furious, Exclave, …) pick up the
// bidirectional fields beyond path/host/mode.
func applyXhttpExtraParams(xhttp map[string]any, params map[string]string) {
if xhttp == nil {
return
}
applyPathAndHostParams(xhttp, params)
if mode, ok := xhttp["mode"].(string); ok {
params["mode"] = mode
}
if xpb, ok := xhttp["xPaddingBytes"].(string); ok && len(xpb) > 0 {
params["x_padding_bytes"] = xpb
}
extra := buildXhttpExtra(xhttp)
if extra != nil {
if b, err := json.Marshal(extra); err == nil {
params["extra"] = string(b)
}
}
}
var kcpMaskToHeaderType = map[string]string{
"dns": "dns",
"dtls": "dtls",
"srtp": "srtp",
"utp": "utp",
"wechat": "wechat-video",
"wireguard": "wireguard",
}
var validFinalMaskUDPTypes = map[string]struct{}{
"salamander": {},
"mkcp-legacy": {},
"xdns": {},
"xicmp": {},
"noise": {},
"header-custom": {},
"realm": {},
}
var validFinalMaskTCPTypes = map[string]struct{}{
"header-custom": {},
"fragment": {},
"sudoku": {},
"xmc": {},
}
// applyKcpShareParams reconstructs legacy KCP share-link fields from either
// the historical kcpSettings.header/seed shape or the current finalmask model.
// This keeps subscription output compatible while avoiding panics when older
// keys are absent from modern inbounds.
func applyKcpShareParams(stream map[string]any, params map[string]string) {
extractKcpShareFields(stream).applyToParams(params)
}
func applyKcpShareObj(stream map[string]any, obj map[string]any) {
extractKcpShareFields(stream).applyToObj(obj)
}
type kcpShareFields struct {
headerType string
seed string
mtu int
tti int
}
func (f kcpShareFields) applyToParams(params map[string]string) {
if f.headerType != "" && f.headerType != "none" {
params["headerType"] = f.headerType
}
setStringParam(params, "seed", f.seed)
setIntParam(params, "mtu", f.mtu)
setIntParam(params, "tti", f.tti)
}
func (f kcpShareFields) applyToObj(obj map[string]any) {
if f.headerType != "" && f.headerType != "none" {
obj["type"] = f.headerType
}
setStringField(obj, "path", f.seed)
setIntField(obj, "mtu", f.mtu)
setIntField(obj, "tti", f.tti)
}
func extractKcpShareFields(stream map[string]any) kcpShareFields {
fields := kcpShareFields{headerType: "none"}
if kcp, ok := stream["kcpSettings"].(map[string]any); ok {
if header, ok := kcp["header"].(map[string]any); ok {
if value, ok := header["type"].(string); ok && value != "" {
fields.headerType = value
}
}
if value, ok := kcp["seed"].(string); ok && value != "" {
fields.seed = value
}
if value, ok := readPositiveInt(kcp["mtu"]); ok {
fields.mtu = value
}
if value, ok := readPositiveInt(kcp["tti"]); ok {
fields.tti = value
}
}
for _, rawMask := range normalizedFinalMaskUDPMasks(stream["finalmask"]) {
mask, _ := rawMask.(map[string]any)
if mask == nil {
continue
}
if maskType, _ := mask["type"].(string); maskType != "mkcp-legacy" {
continue
}
settings, _ := mask["settings"].(map[string]any)
header, _ := settings["header"].(string)
value, _ := settings["value"].(string)
if header == "" {
fields.seed = value
continue
}
if mapped, ok := kcpMaskToHeaderType[header]; ok {
fields.headerType = mapped
}
}
return fields
}
func readPositiveInt(value any) (int, bool) {
switch number := value.(type) {
case int:
return number, number > 0
case int32:
return int(number), number > 0
case int64:
return int(number), number > 0
case float32:
parsed := int(number)
return parsed, parsed > 0
case float64:
parsed := int(number)
return parsed, parsed > 0
default:
return 0, false
}
}
func setStringParam(params map[string]string, key, value string) {
if value == "" {
delete(params, key)
return
}
params[key] = value
}
func setIntParam(params map[string]string, key string, value int) {
if value <= 0 {
delete(params, key)
return
}
params[key] = fmt.Sprintf("%d", value)
}
func setStringField(obj map[string]any, key, value string) {
if value == "" {
delete(obj, key)
return
}
obj[key] = value
}
func setIntField(obj map[string]any, key string, value int) {
if value <= 0 {
delete(obj, key)
return
}
obj[key] = value
}
// applyFinalMaskParams exports the finalmask payload as the compact
// `fm=<json>` share-link field used by v2rayN-compatible clients.
func applyFinalMaskParams(finalmask map[string]any, params map[string]string) {
if fm, ok := marshalFinalMask(finalmask); ok {
params["fm"] = fm
}
}
func applyFinalMaskObj(finalmask map[string]any, obj map[string]any) {
if fm, ok := marshalFinalMask(finalmask); ok {
obj["fm"] = fm
}
}
func marshalFinalMask(finalmask map[string]any) (string, bool) {
normalized := normalizeFinalMask(finalmask)
if !hasFinalMaskContent(normalized) {
return "", false
}
b, err := json.Marshal(normalized)
if err != nil || len(b) == 0 || string(b) == "null" {
return "", false
}
return string(b), true
}
func normalizeFinalMask(finalmask map[string]any) map[string]any {
tcpMasks := normalizedFinalMaskTCPMasks(finalmask)
udpMasks := normalizedFinalMaskUDPMasks(finalmask)
quicParams, hasQuicParams := finalmask["quicParams"].(map[string]any)
if len(tcpMasks) == 0 && len(udpMasks) == 0 && !hasQuicParams {
return nil
}
result := map[string]any{}
if len(tcpMasks) > 0 {
result["tcp"] = tcpMasks
}
if len(udpMasks) > 0 {
result["udp"] = udpMasks
}
if hasQuicParams && len(quicParams) > 0 {
result["quicParams"] = quicParams
}
return result
}
func normalizedFinalMaskTCPMasks(value any) []any {
finalmask, _ := value.(map[string]any)
if finalmask == nil {
return nil
}
rawMasks, _ := finalmask["tcp"].([]any)
if len(rawMasks) == 0 {
return nil
}
normalized := make([]any, 0, len(rawMasks))
for _, rawMask := range rawMasks {
mask, _ := rawMask.(map[string]any)
if mask == nil {
continue
}
maskType, _ := mask["type"].(string)
if _, ok := validFinalMaskTCPTypes[maskType]; !ok || maskType == "" {
continue
}
normalizedMask := map[string]any{"type": maskType}
if settings, ok := mask["settings"].(map[string]any); ok && len(settings) > 0 {
normalizedMask["settings"] = settings
}
normalized = append(normalized, normalizedMask)
}
if len(normalized) == 0 {
return nil
}
return normalized
}
func normalizedFinalMaskUDPMasks(value any) []any {
finalmask, _ := value.(map[string]any)
if finalmask == nil {
return nil
}
rawMasks, _ := finalmask["udp"].([]any)
if len(rawMasks) == 0 {
return nil
}
normalized := make([]any, 0, len(rawMasks))
for _, rawMask := range rawMasks {
mask, _ := rawMask.(map[string]any)
if mask == nil {
continue
}
maskType, _ := mask["type"].(string)
if _, ok := validFinalMaskUDPTypes[maskType]; !ok || maskType == "" {
continue
}
normalizedMask := map[string]any{"type": maskType}
if settings, ok := mask["settings"].(map[string]any); ok && len(settings) > 0 {
normalizedMask["settings"] = settings
}
normalized = append(normalized, normalizedMask)
}
if len(normalized) == 0 {
return nil
}
return normalized
}
func hasFinalMaskContent(value any) bool {
switch v := value.(type) {
case nil:
return false
case string:
return len(v) > 0
case map[string]any:
for _, item := range v {
if hasFinalMaskContent(item) {
return true
}
}
return false
case []any:
return slices.ContainsFunc(v, hasFinalMaskContent)
default:
return true
}
}
func searchHost(headers any) string {
data, _ := headers.(map[string]any)
for k, v := range data {
if strings.EqualFold(k, "host") {
switch v.(type) {
case []any:
hosts, _ := v.([]any)
if len(hosts) > 0 {
h, _ := hosts[0].(string)
return h
}
return ""
case any:
h, _ := v.(string)
return h
}
}
}
return ""
}
// PageData is a view model for subpage.html
// PageData contains data for rendering the subscription information page.
type PageData struct {
Host string
BasePath string
SId string
Enabled bool
Download string
Upload string
Total string
Used string
Remained string
Expire int64
LastOnline int64
Datepicker string
DownloadByte int64
UploadByte int64
TotalByte int64
SubUrl string
SubJsonUrl string
SubClashUrl string
SubTitle string
SubSupportUrl string
Result []string
Emails []string
}
// ResolveRequest extracts scheme and host info from request/headers consistently.
// ResolveRequest extracts scheme, host, and header information from an HTTP request.
func (s *SubService) ResolveRequest(c *gin.Context) (scheme string, host string, hostWithPort string, hostHeader string) {
// scheme
scheme = "http"
if c.Request.TLS != nil || strings.EqualFold(c.GetHeader("X-Forwarded-Proto"), "https") {
scheme = "https"
}
// base host (no port)
if h, err := getHostFromXFH(c.GetHeader("X-Forwarded-Host")); err == nil && h != "" {
host = h
}
if host == "" {
host = c.GetHeader("X-Real-IP")
}
if host == "" {
var err error
host, _, err = net.SplitHostPort(c.Request.Host)
if err != nil {
host = c.Request.Host
}
}
// host:port for URLs
hostWithPort = c.GetHeader("X-Forwarded-Host")
if hostWithPort == "" {
hostWithPort = c.Request.Host
}
if hostWithPort == "" {
hostWithPort = host
}
// header display host
hostHeader = c.GetHeader("X-Forwarded-Host")
if hostHeader == "" {
hostHeader = c.GetHeader("X-Real-IP")
}
if hostHeader == "" {
hostHeader = host
}
return
}
// BuildURLs constructs absolute subscription and JSON subscription URLs for a given subscription ID.
// It prioritizes configured URIs, then individual settings, and finally falls back to request-derived components.
func (s *SubService) BuildURLs(subPath, subJsonPath, subClashPath, subId string) (subURL, subJsonURL, subClashURL string) {
if subId == "" {
return "", "", ""
}
configuredSubURI, _ := s.settingService.GetSubURI()
configuredSubJsonURI, _ := s.settingService.GetSubJsonURI()
configuredSubClashURI, _ := s.settingService.GetSubClashURI()
// Same base as the panel's Client Information page; s.address is the
// subscriber's host already normalized away from any loopback/bind IP.
base := s.settingService.BuildSubURIBase(s.address)
subURL = s.buildSingleURL(configuredSubURI, base, subPath, subId)
// When subURI is explicitly configured (reverse-proxy setup), use its
// scheme+host as the base for JSON and Clash URLs so they match the
// reverse-proxy endpoint instead of the raw sub-server port. Fall back
// to the request-derived base if subURI is empty or can't be parsed
// into a scheme+host (e.g. a malformed value with no scheme).
jsonClashBase := base
if configuredSubURI != "" {
if derived := s.extractBaseFromURI(configuredSubURI); derived != "" {
jsonClashBase = derived
}
}
subJsonURL = s.buildSingleURL(configuredSubJsonURI, jsonClashBase, subJsonPath, subId)
subClashURL = s.buildSingleURL(configuredSubClashURI, jsonClashBase, subClashPath, subId)
return subURL, subJsonURL, subClashURL
}
// extractBaseFromURI extracts scheme://host from a configured URI.
// e.g., "https://example.com/sub-xxx/" → "https://example.com".
// Returns "" when the URI is empty or lacks a scheme/host, so callers can
// fall back to the request-derived base instead of emitting a broken value.
func (s *SubService) extractBaseFromURI(uri string) string {
u, err := url.Parse(uri)
if err != nil || u.Scheme == "" || u.Host == "" {
return ""
}
return fmt.Sprintf("%s://%s", u.Scheme, u.Host)
}
// buildSingleURL constructs a single URL using configured URI or base components
func (s *SubService) buildSingleURL(configuredURI, base, basePath, subId string) string {
if configuredURI != "" {
return s.joinPathWithID(configuredURI, subId)
}
return s.joinPathWithID(base+basePath, subId)
}
// joinPathWithID safely joins a base path with a subscription ID
func (s *SubService) joinPathWithID(basePath, subId string) string {
if strings.HasSuffix(basePath, "/") {
return basePath + subId
}
return basePath + "/" + subId
}
// BuildPageData parses header and prepares the template view model.
// BuildPageData constructs page data for rendering the subscription information page.
func (s *SubService) BuildPageData(subId string, hostHeader string, traffic xray.ClientTraffic, lastOnline int64, subs []string, emails []string, subURL, subJsonURL, subClashURL string, basePath string, subTitle string, subSupportUrl string) PageData {
download := common.FormatTraffic(traffic.Down)
upload := common.FormatTraffic(traffic.Up)
total := "∞"
used := common.FormatTraffic(traffic.Up + traffic.Down)
remained := ""
if traffic.Total > 0 {
total = common.FormatTraffic(traffic.Total)
left := max(traffic.Total-(traffic.Up+traffic.Down), 0)
remained = common.FormatTraffic(left)
}
datepicker := s.datepicker
if datepicker == "" {
datepicker = "gregorian"
}
pageLinks := make([]string, 0, len(subs))
pageEmails := make([]string, 0, len(subs))
for i, sub := range subs {
email := ""
if i < len(emails) {
email = emails[i]
}
for _, link := range splitLinkLines(sub) {
pageLinks = append(pageLinks, link)
pageEmails = append(pageEmails, email)
}
}
return PageData{
Host: hostHeader,
BasePath: basePath,
SId: subId,
Enabled: traffic.Enable,
Download: download,
Upload: upload,
Total: total,
Used: used,
Remained: remained,
Expire: traffic.ExpiryTime / 1000,
LastOnline: lastOnline,
Datepicker: datepicker,
DownloadByte: traffic.Down,
UploadByte: traffic.Up,
TotalByte: traffic.Total,
SubUrl: subURL,
SubJsonUrl: subJsonURL,
SubClashUrl: subClashURL,
SubTitle: subTitle,
SubSupportUrl: subSupportUrl,
Result: pageLinks,
Emails: pageEmails,
}
}
func getHostFromXFH(s string) (string, error) {
if strings.Contains(s, ":") {
realHost, _, err := net.SplitHostPort(s)
if err != nil {
return "", err
}
return realHost, nil
}
return s, nil
}