mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-28 00:24:19 +00:00
Sanaei
41645255f1
* refactor(service): split client.go into focused files
client.go had grown to 4455 lines mixing ~10 responsibilities. Split it
verbatim into cohesive same-package files (no behavior change):
client.go foundation: ClientService, ClientWithAttachments,
ClientCreatePayload, ErrClientNotInInbound, sqlInChunk
client_locks.go inbound mutation locks, delete tombstones, compactOrphans
client_lookup.go read-only lookups (GetByID, List, EffectiveFlow, ...)
client_link.go inbound association sync (SyncInbound, DetachInbound, ...)
client_crud.go single-client CRUD + validation + protocol defaults
client_inbound_apply.go low-level inbound-settings mutators + by-email setters
client_bulk.go bulk attach/detach/adjust/delete/create + DelDepleted
client_traffic.go traffic-reset paths
client_groups.go client group management
client_paging.go paged listing, filtering, sorting, summary
Every declaration moved unchanged (verified: identical func/type/const/var
signature set before vs after). Imports redistributed per file via goimports.
go build ./..., go vet, and go test ./web/service/... all pass.
* refactor(service): split inbound.go into focused files
inbound.go was 4100 lines. Split it verbatim into cohesive same-package
files (no behavior change):
inbound.go core inbound CRUD + InboundService (keeps pkg doc)
inbound_protocol.go protocol / stream capability helpers
inbound_node.go node/runtime/remote coordination + online tracking
inbound_traffic.go traffic accounting, reset, client stats
inbound_client_ips.go per-client IP tracking
inbound_clients.go client lookups within inbounds + copy-clients
inbound_disable.go auto-disable invalid inbounds/clients
inbound_migration.go DB migrations
inbound_sublink.go subscription link providers
inbound_util.go generic slice/string helpers
Identical func/type/const/var signature set before vs after; package doc
comment preserved on inbound.go. Imports redistributed via goimports.
Build, vet, and go test ./web/service/... all pass.
* refactor(service): split tgbot.go into focused files
tgbot.go was 3738 lines dominated by a 1246-line answerCallback. Split it
verbatim into cohesive same-package files (no behavior change):
tgbot.go lifecycle, bot setup, caches, small utils
tgbot_router.go incoming update / command / callback dispatch
tgbot_send.go outbound messaging primitives
tgbot_client.go client views, actions, subscription links
tgbot_inbound.go inbound listing / pickers
tgbot_report.go server usage, exhausted, online, backups, notifications
Identical func/type/const/var signature set before vs after. Imports
redistributed via goimports. Build, vet, and go test ./web/service/... pass.
* refactor(client): dedupe single-field by-email setters
ResetClientIpLimitByEmail, ResetClientExpiryTimeByEmail, and
ResetClientTrafficLimitByEmail shared an identical ~50-line body that
resolves the inbound by email, confirms the client exists, rewrites a
single-client settings payload, and delegates to UpdateInboundClient.
Extract that into applyClientFieldByEmail(inboundSvc, email, mutate) and
reduce each setter to a 3-line wrapper. Behavior is unchanged: same checks
and error strings, same single-client payload contract, same totalGB guard.
SetClientTelegramUserID (resolves by traffic id, different error text) and
ToggleClientEnableByEmail/SetClientEnableByEmail (different return shape and
a pre-read of the old state) intentionally keep their own bodies.
* refactor(service): extract panel/ subpackage
Move the panel-administration leaf services out of the flat service
package into web/service/panel/ (package panel):
user.go UserService (auth / 2FA / LDAP)
panel.go PanelService (restart / self-update) + version helpers
panel_other.go non-unix RestartPanel
panel_unix.go unix RestartPanel
api_token.go ApiTokenService
websocket.go WebSocketService
panel_test.go version/shellQuote unit tests
These are leaves: they depend on core (SettingService, Release) but no
core file references them, so the extraction creates no import cycle.
Core references are now qualified (service.SettingService, service.Release);
callers in main.go, web/web.go, and web/controller/* updated to panel.*.
Build, vet, and go test ./web/... pass.
* refactor(service): extract integration/ subpackage
Move the external-provider integration leaves into web/service/integration/
(package integration):
warp.go WarpService (Cloudflare WARP)
nord.go NordService (NordVPN)
custom_geo.go CustomGeoService (custom geo asset management)
*_test.go custom_geo / panel-proxy tests
These depend on core (SettingService, ServerService, XraySettingService) but
no core file references them. xray_setting.go stays in core because it calls
the unexported SettingService.saveSetting. The shared isBlockedIP SSRF helper
(used by core url_safety.go and by custom_geo) now has a small copy in each
package rather than being exported. Core references qualified; callers in
web/web.go, web/job/*, and web/controller/* updated to integration.*.
Build, vet, and go test ./web/... pass.
* refactor(service): extract tgbot/ subpackage
Move the Telegram bot (6 files + test) into web/service/tgbot/ (package
tgbot). It is a leaf: it embeds five core services (Inbound/Client/Setting/
Server/Xray) and the core never references it, so no import cycle.
To support the package boundary without changing behavior:
- core exposes XrayProcess() *xray.Process so tgbot keeps calling the
exact same running-process methods it used via the package-level `p`;
- three core methods tgbot calls are exported: ClientService.checkIs-
EnabledByEmail -> CheckIsEnabledByEmail, InboundService.getAllEmails ->
GetAllEmails (callers updated in-package);
- tgbot's embedded-field types and the few core type refs (Status,
ClientCreatePayload, SanitizePublicHTTPURL) are now service-qualified.
Callers in main.go, web/web.go, web/job/*, and web/controller/* updated to
tgbot.*. Build, vet, and go test ./web/... pass.
* refactor(service): extract outbound/ subpackage
OutboundService (outbound.go) imports only neutral packages (config,
database, model, xray) and its production code is referenced by no core or
sibling service file — only by web/controller/xray_setting.go and
web/job/xray_traffic_job.go. Move it to web/service/outbound/ (package
outbound); no core qualification needed inside. Callers updated to outbound.*.
The one coupling was a tiny pure test helper, outboundsContainTag, used by
both outbound.go and the core outbound_subscription_test.go; it now has a
small copy in that test file rather than being shared across the boundary.
Build, vet, and go test ./web/... pass.
* refactor(util): move wireguard into its own subpackage
util/wireguard.go was the lone file of the root `util` package (24 lines,
one exported func GenerateWireguardKeypair), while every other util concern
lives in a focused subpackage (util/common, util/crypto, util/netsafe, ...).
Move it to util/wireguard/ (package wireguard) for consistency; its only
importer, web/service/integration/warp.go, is updated. The root `util`
package no longer exists.
* refactor(sub): drop redundant sub prefix from filenames
Inside package sub the subXxx.go prefix just repeats the package name
(like client_*.go did inside service). Rename for consistency; content and
type names are unchanged:
subController.go -> controller.go
subService.go -> service.go
subClashService.go -> clash_service.go
subJsonService.go -> json_service.go
(+ matching _test.go files)
* refactor(controller): rename xui.go -> spa.go
XUIController serves the panel's single-page-app shell; spa.go names that
role plainly (the other controller files are domain-named). File rename only
— the type stays XUIController. api_docs_test.go keys route base paths by
filename, so its "xui.go" case is updated to "spa.go".
* refactor: move backend packages under internal/
Adopt the idiomatic Go application layout: the backend packages now live
under internal/ (a boundary the toolchain enforces), signalling private
implementation instead of a library-style flat root. No runtime behavior
changes — only import paths and a few build/config paths move.
Moved: config, database, logger, mtproto, sub, util, web, xray -> internal/.
main.go stays at the repo root and tools/openapigen stays under tools/ (both
still import internal/* because the internal rule keys off the module root).
The module path github.com/mhsanaei/3x-ui/v3 is unchanged; 149 .go files had
their import prefix rewritten to .../internal/<pkg>.
Couplings the Go compiler can't see, updated to the new layout:
- frontend i18n imports of web/translation (react.ts, setup.components.ts)
- vite outDir + eslint/tsconfig ignore globs -> internal/web/dist
- Dockerfile COPY paths for web/dist and web/translation
- locale.go os.DirFS("web") disk fallback -> "internal/web"
- .gitignore and ci.yml go:embed stub for internal/web/dist
- api_docs_test.go repo-root relative walk (one level deeper)
- tools/openapigen filesystem package paths; ApiTokenView repointed to the
web/service/panel subpackage and codegen regenerated (clears a stale
type the ci.yml codegen check was failing on)
Verified: go build/vet/test (all packages), and frontend typecheck, lint,
vitest (478 tests), and production build into internal/web/dist.
* fix(config): keep test runs from writing logs into the source tree
GetLogFolder() returns a CWD-relative "./log" on Windows. Under `go test`
the working directory is each package's own folder, so InitLogger (called by
tests in web/job, web/service, xray, web/websocket) created stray log/
directories scattered through the source tree (e.g. internal/web/job/log/).
Redirect to a shared temp folder when testing.Testing() reports a test run.
Production behavior is unchanged: Windows still uses ./log next to the binary
and Linux /var/log/x-ui. The log files were always gitignored (*.log) and
never committed; this just stops the noise at the source.
* docs: move subscription-template guide out of root into docs/
sub_templates/ was a top-level folder holding only a README and no actual
templates (3x-ui ships none by design), referenced nowhere and unlinked from
any doc — it read like an empty placeholder cluttering the repo root.
Move the guide to docs/custom-subscription-templates.md (a proper docs home),
reword its intro to read as documentation rather than a folder note, link it
from the Features list in README.md, and drop the empty sub_templates/ folder.
* fix: update stale web/ path references after the internal/ move
The internal/ migration rewrote Go import paths but left some references to
the old top-level layout in docs, comments, and a few runtime disk paths.
Functional (dev-mode only): the disk-serving fallbacks that read the Vite
build from disk when running from source still pointed at web/dist/, which
moved to internal/web/dist/ — so `os.DirFS`/`os.Stat`/`os.ReadFile` in
internal/web/web.go and internal/sub/{sub,controller}.go are corrected.
Production was unaffected (it serves the embedded FS; verified by the Docker
build), but `go run` with a live frontend build silently fell back to embed.
Docs/comments: frontend/README.md, CONTRIBUTING.md, the claude-issue-bot and
release workflows, the openapigen -root help text, and assorted Go comments
now reference internal/web, internal/database, internal/sub, internal/xray,
etc. Package-name mentions (the "web" package), root paths (main.go,
frontend/, install scripts, /etc/x-ui), routes (/panel/api/xray), and the
historical "web/assets no longer exists" note were intentionally left as-is.
* refactor(web): remove the legacy /xui -> /panel redirect middleware
RedirectMiddleware existed only for backward compatibility with the old
`/xui` URL scheme (301-redirecting /xui and /xui/API to /panel and
/panel/api). That cutover was long ago, so drop the middleware, its
registration in initRouter, and the now-inaccurate "URL redirection"
mention in the middleware package doc. Old /xui URLs now 404 like any other
unknown path. HTTPS auto-redirect and auth redirects are unrelated and stay.
* build: fix .dockerignore for internal/ layout and exclude runtime dir
- web/dist -> internal/web/dist: the embedded frontend moved under internal/,
so the stale exclude no longer matched and the locally-built dist could be
sent to the build context (the frontend stage rebuilds it fresh anyway).
- exclude x-ui/: the local runtime directory (SQLite db, geo .dat files, xray
binaries, certs — ~150MB) was being shipped into the build context for no
reason. Verified the pattern excludes only the directory and still keeps
x-ui.sh, which the Dockerfile copies to /usr/bin/x-ui.
247 lines
14 KiB
Go
247 lines
14 KiB
Go
// Package entity defines data structures and entities used by the web layer of the 3x-ui panel.
|
|
package entity
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"math"
|
|
"net"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/mhsanaei/3x-ui/v3/internal/util/common"
|
|
)
|
|
|
|
// Msg represents a standard API response message with success status, message text, and optional data object.
|
|
type Msg struct {
|
|
Success bool `json:"success"` // Indicates if the operation was successful
|
|
Msg string `json:"msg"` // Response message text
|
|
Obj any `json:"obj"` // Optional data object
|
|
}
|
|
|
|
// AllSetting contains all configuration settings for the 3x-ui panel including web server, Telegram bot, and subscription settings.
|
|
type AllSetting struct {
|
|
// Web server settings
|
|
WebListen string `json:"webListen" form:"webListen"` // Web server listen IP address
|
|
WebDomain string `json:"webDomain" form:"webDomain"` // Web server domain for domain validation
|
|
WebPort int `json:"webPort" form:"webPort" validate:"gte=1,lte=65535"` // Web server port number
|
|
WebCertFile string `json:"webCertFile" form:"webCertFile"` // Path to SSL certificate file for web server
|
|
WebKeyFile string `json:"webKeyFile" form:"webKeyFile"` // Path to SSL private key file for web server
|
|
WebBasePath string `json:"webBasePath" form:"webBasePath"` // Base path for web panel URLs
|
|
SessionMaxAge int `json:"sessionMaxAge" form:"sessionMaxAge" validate:"gte=1,lte=525600"` // Session maximum age in minutes (cap at one year)
|
|
TrustedProxyCIDRs string `json:"trustedProxyCIDRs" form:"trustedProxyCIDRs"` // Trusted reverse proxy IPs/CIDRs for forwarded headers
|
|
PanelProxy string `json:"panelProxy" form:"panelProxy"` // Proxy URL for the panel's own outbound requests (GitHub/Telegram)
|
|
|
|
// UI settings
|
|
PageSize int `json:"pageSize" form:"pageSize" validate:"gte=0,lte=1000"` // Number of items per page in lists (0 disables pagination)
|
|
ExpireDiff int `json:"expireDiff" form:"expireDiff" validate:"gte=0"` // Expiration warning threshold in days
|
|
TrafficDiff int `json:"trafficDiff" form:"trafficDiff" validate:"gte=0,lte=100"` // Traffic warning threshold percentage
|
|
RemarkModel string `json:"remarkModel" form:"remarkModel"` // Remark model pattern for inbounds
|
|
Datepicker string `json:"datepicker" form:"datepicker"` // Date picker format
|
|
|
|
// Telegram bot settings
|
|
TgBotEnable bool `json:"tgBotEnable" form:"tgBotEnable"` // Enable Telegram bot notifications
|
|
TgBotToken string `json:"tgBotToken" form:"tgBotToken"` // Telegram bot token
|
|
TgBotProxy string `json:"tgBotProxy" form:"tgBotProxy"` // Proxy URL for Telegram bot
|
|
TgBotAPIServer string `json:"tgBotAPIServer" form:"tgBotAPIServer"` // Custom API server for Telegram bot
|
|
TgBotChatId string `json:"tgBotChatId" form:"tgBotChatId"` // Telegram chat ID for notifications
|
|
TgRunTime string `json:"tgRunTime" form:"tgRunTime"` // Cron schedule for Telegram notifications
|
|
TgBotBackup bool `json:"tgBotBackup" form:"tgBotBackup"` // Enable database backup via Telegram
|
|
TgBotLoginNotify bool `json:"tgBotLoginNotify" form:"tgBotLoginNotify"` // Send login notifications
|
|
TgCpu int `json:"tgCpu" form:"tgCpu" validate:"gte=0,lte=100"` // CPU usage threshold for alerts (percent)
|
|
TgLang string `json:"tgLang" form:"tgLang"` // Telegram bot language
|
|
|
|
// Security settings
|
|
TimeLocation string `json:"timeLocation" form:"timeLocation"` // Time zone location
|
|
TwoFactorEnable bool `json:"twoFactorEnable" form:"twoFactorEnable"` // Enable two-factor authentication
|
|
TwoFactorToken string `json:"twoFactorToken" form:"twoFactorToken"` // Two-factor authentication token
|
|
|
|
// Subscription server settings
|
|
SubEnable bool `json:"subEnable" form:"subEnable"` // Enable subscription server
|
|
SubJsonEnable bool `json:"subJsonEnable" form:"subJsonEnable"` // Enable JSON subscription endpoint
|
|
SubTitle string `json:"subTitle" form:"subTitle"` // Subscription title
|
|
SubSupportUrl string `json:"subSupportUrl" form:"subSupportUrl"` // Subscription support URL
|
|
SubProfileUrl string `json:"subProfileUrl" form:"subProfileUrl"` // Subscription profile URL
|
|
SubAnnounce string `json:"subAnnounce" form:"subAnnounce"` // Subscription announce
|
|
SubEnableRouting bool `json:"subEnableRouting" form:"subEnableRouting"` // Enable routing for subscription
|
|
SubRoutingRules string `json:"subRoutingRules" form:"subRoutingRules"` // Subscription global routing rules (Only for Happ)
|
|
SubListen string `json:"subListen" form:"subListen"` // Subscription server listen IP
|
|
SubPort int `json:"subPort" form:"subPort" validate:"gte=1,lte=65535"` // Subscription server port
|
|
SubPath string `json:"subPath" form:"subPath"` // Base path for subscription URLs
|
|
SubDomain string `json:"subDomain" form:"subDomain"` // Domain for subscription server validation
|
|
SubCertFile string `json:"subCertFile" form:"subCertFile"` // SSL certificate file for subscription server
|
|
SubKeyFile string `json:"subKeyFile" form:"subKeyFile"` // SSL private key file for subscription server
|
|
SubUpdates int `json:"subUpdates" form:"subUpdates" validate:"gte=0,lte=525600"` // Subscription update interval in minutes
|
|
ExternalTrafficInformEnable bool `json:"externalTrafficInformEnable" form:"externalTrafficInformEnable"` // Enable external traffic reporting
|
|
ExternalTrafficInformURI string `json:"externalTrafficInformURI" form:"externalTrafficInformURI"` // URI for external traffic reporting
|
|
RestartXrayOnClientDisable bool `json:"restartXrayOnClientDisable" form:"restartXrayOnClientDisable"` // Restart Xray when clients are auto-disabled by expiry/traffic limit
|
|
SubEncrypt bool `json:"subEncrypt" form:"subEncrypt"` // Encrypt subscription responses
|
|
SubShowInfo bool `json:"subShowInfo" form:"subShowInfo"` // Show client information in subscriptions
|
|
SubEmailInRemark bool `json:"subEmailInRemark" form:"subEmailInRemark"` // Include email in subscription remark/name
|
|
SubURI string `json:"subURI" form:"subURI"` // Subscription server URI
|
|
SubJsonPath string `json:"subJsonPath" form:"subJsonPath"` // Path for JSON subscription endpoint
|
|
SubJsonURI string `json:"subJsonURI" form:"subJsonURI"` // JSON subscription server URI
|
|
SubClashEnable bool `json:"subClashEnable" form:"subClashEnable"` // Enable Clash/Mihomo subscription endpoint
|
|
SubClashPath string `json:"subClashPath" form:"subClashPath"` // Path for Clash/Mihomo subscription endpoint
|
|
SubClashURI string `json:"subClashURI" form:"subClashURI"` // Clash/Mihomo subscription server URI
|
|
SubClashEnableRouting bool `json:"subClashEnableRouting" form:"subClashEnableRouting"` // Enable global routing rules for Clash/Mihomo
|
|
SubClashRules string `json:"subClashRules" form:"subClashRules"` // Clash/Mihomo global routing rules
|
|
SubJsonMux string `json:"subJsonMux" form:"subJsonMux"` // JSON subscription mux configuration
|
|
SubJsonRules string `json:"subJsonRules" form:"subJsonRules"`
|
|
SubJsonFinalMask string `json:"subJsonFinalMask" form:"subJsonFinalMask"` // JSON subscription global finalmask (tcp/udp masks + quicParams)
|
|
SubThemeDir string `json:"subThemeDir" form:"subThemeDir"` // Absolute path to a folder containing a custom subscription page template
|
|
|
|
// LDAP settings
|
|
LdapEnable bool `json:"ldapEnable" form:"ldapEnable"`
|
|
LdapHost string `json:"ldapHost" form:"ldapHost"`
|
|
LdapPort int `json:"ldapPort" form:"ldapPort" validate:"gte=0,lte=65535"`
|
|
LdapUseTLS bool `json:"ldapUseTLS" form:"ldapUseTLS"`
|
|
LdapBindDN string `json:"ldapBindDN" form:"ldapBindDN"`
|
|
LdapPassword string `json:"ldapPassword" form:"ldapPassword"`
|
|
LdapBaseDN string `json:"ldapBaseDN" form:"ldapBaseDN"`
|
|
LdapUserFilter string `json:"ldapUserFilter" form:"ldapUserFilter"`
|
|
LdapUserAttr string `json:"ldapUserAttr" form:"ldapUserAttr"` // e.g., mail or uid
|
|
LdapVlessField string `json:"ldapVlessField" form:"ldapVlessField"`
|
|
LdapSyncCron string `json:"ldapSyncCron" form:"ldapSyncCron"`
|
|
// Generic flag configuration
|
|
LdapFlagField string `json:"ldapFlagField" form:"ldapFlagField"`
|
|
LdapTruthyValues string `json:"ldapTruthyValues" form:"ldapTruthyValues"`
|
|
LdapInvertFlag bool `json:"ldapInvertFlag" form:"ldapInvertFlag"`
|
|
LdapInboundTags string `json:"ldapInboundTags" form:"ldapInboundTags"`
|
|
LdapAutoCreate bool `json:"ldapAutoCreate" form:"ldapAutoCreate"`
|
|
LdapAutoDelete bool `json:"ldapAutoDelete" form:"ldapAutoDelete"`
|
|
LdapDefaultTotalGB int `json:"ldapDefaultTotalGB" form:"ldapDefaultTotalGB" validate:"gte=0"`
|
|
LdapDefaultExpiryDays int `json:"ldapDefaultExpiryDays" form:"ldapDefaultExpiryDays" validate:"gte=0"`
|
|
LdapDefaultLimitIP int `json:"ldapDefaultLimitIP" form:"ldapDefaultLimitIP" validate:"gte=0"`
|
|
// JSON subscription routing rules
|
|
|
|
// WARP
|
|
WarpUpdateInterval int `json:"warpUpdateInterval" form:"warpUpdateInterval" validate:"gte=0"`
|
|
}
|
|
|
|
// AllSettingView is the browser-safe settings read model. Secret values
|
|
// are redacted from the embedded write model and represented by presence
|
|
// flags so the UI can show configured/not configured state.
|
|
type AllSettingView struct {
|
|
AllSetting
|
|
|
|
HasTgBotToken bool `json:"hasTgBotToken"`
|
|
HasTwoFactorToken bool `json:"hasTwoFactorToken"`
|
|
HasLdapPassword bool `json:"hasLdapPassword"`
|
|
HasApiToken bool `json:"hasApiToken"`
|
|
HasWarpSecret bool `json:"hasWarpSecret"`
|
|
HasNordSecret bool `json:"hasNordSecret"`
|
|
}
|
|
|
|
// CheckValid validates all settings in the AllSetting struct, checking IP addresses, ports, SSL certificates, and other configuration values.
|
|
func pathHasForbiddenChar(s string) bool {
|
|
for _, r := range s {
|
|
if r == '\\' || r == ' ' || r < 0x20 || r == 0x7f {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func (s *AllSetting) CheckValid() error {
|
|
if s.WebListen != "" {
|
|
ip := net.ParseIP(s.WebListen)
|
|
if ip == nil {
|
|
return common.NewError("web listen is not valid ip:", s.WebListen)
|
|
}
|
|
}
|
|
|
|
if s.SubListen != "" {
|
|
ip := net.ParseIP(s.SubListen)
|
|
if ip == nil {
|
|
return common.NewError("Sub listen is not valid ip:", s.SubListen)
|
|
}
|
|
}
|
|
|
|
if s.WebPort <= 0 || s.WebPort > math.MaxUint16 {
|
|
return common.NewError("web port is not a valid port:", s.WebPort)
|
|
}
|
|
|
|
if s.SubPort <= 0 || s.SubPort > math.MaxUint16 {
|
|
return common.NewError("Sub port is not a valid port:", s.SubPort)
|
|
}
|
|
|
|
if (s.SubPort == s.WebPort) && (s.WebListen == s.SubListen) {
|
|
return common.NewError("Sub and Web could not use same ip:port, ", s.SubListen, ":", s.SubPort, " & ", s.WebListen, ":", s.WebPort)
|
|
}
|
|
|
|
if s.WebCertFile != "" || s.WebKeyFile != "" {
|
|
_, err := tls.LoadX509KeyPair(s.WebCertFile, s.WebKeyFile)
|
|
if err != nil {
|
|
return common.NewErrorf("cert file <%v> or key file <%v> invalid: %v", s.WebCertFile, s.WebKeyFile, err)
|
|
}
|
|
}
|
|
|
|
if s.SubCertFile != "" || s.SubKeyFile != "" {
|
|
_, err := tls.LoadX509KeyPair(s.SubCertFile, s.SubKeyFile)
|
|
if err != nil {
|
|
return common.NewErrorf("cert file <%v> or key file <%v> invalid: %v", s.SubCertFile, s.SubKeyFile, err)
|
|
}
|
|
}
|
|
|
|
for _, p := range []struct {
|
|
name string
|
|
value string
|
|
}{
|
|
{"web base path", s.WebBasePath},
|
|
{"subscription path", s.SubPath},
|
|
{"subscription JSON path", s.SubJsonPath},
|
|
{"subscription Clash path", s.SubClashPath},
|
|
} {
|
|
if pathHasForbiddenChar(p.value) {
|
|
return common.NewError("URI path contains an invalid character:", p.name)
|
|
}
|
|
}
|
|
|
|
if !strings.HasPrefix(s.WebBasePath, "/") {
|
|
s.WebBasePath = "/" + s.WebBasePath
|
|
}
|
|
if !strings.HasSuffix(s.WebBasePath, "/") {
|
|
s.WebBasePath += "/"
|
|
}
|
|
if !strings.HasPrefix(s.SubPath, "/") {
|
|
s.SubPath = "/" + s.SubPath
|
|
}
|
|
if !strings.HasSuffix(s.SubPath, "/") {
|
|
s.SubPath += "/"
|
|
}
|
|
|
|
if !strings.HasPrefix(s.SubJsonPath, "/") {
|
|
s.SubJsonPath = "/" + s.SubJsonPath
|
|
}
|
|
if !strings.HasSuffix(s.SubJsonPath, "/") {
|
|
s.SubJsonPath += "/"
|
|
}
|
|
|
|
if !strings.HasPrefix(s.SubClashPath, "/") {
|
|
s.SubClashPath = "/" + s.SubClashPath
|
|
}
|
|
if !strings.HasSuffix(s.SubClashPath, "/") {
|
|
s.SubClashPath += "/"
|
|
}
|
|
|
|
for cidr := range strings.SplitSeq(s.TrustedProxyCIDRs, ",") {
|
|
cidr = strings.TrimSpace(cidr)
|
|
if cidr == "" {
|
|
continue
|
|
}
|
|
if ip := net.ParseIP(cidr); ip != nil {
|
|
continue
|
|
}
|
|
if _, _, err := net.ParseCIDR(cidr); err != nil {
|
|
return common.NewError("trusted proxy CIDR is not valid:", cidr)
|
|
}
|
|
}
|
|
|
|
_, err := time.LoadLocation(s.TimeLocation)
|
|
if err != nil {
|
|
return common.NewError("time location not exist:", s.TimeLocation)
|
|
}
|
|
|
|
return nil
|
|
}
|