w3struk
d01d9867e4
* fix(sub): preserve non-default scMinPostsIntervalMs in inbound wire payload
The frontend wire normalizer unconditionally deleted scMinPostsIntervalMs
from inbound configs before persisting to the database, so JSON
subscriptions could never include it — even when the admin set a
non-default value like "50-150".
Only strip the xray-core default ("30") or empty values. The literal
"30" is a known DPI fingerprint (#5141) and must still be removed, but
custom tuning knobs must survive the round-trip so that buildXhttpExtra
and the JSON subscription generator can propagate them to clients.
Add tests for non-default preservation and empty-value stripping.
* fix(sub): use per-inbound xmux instead of global subJsonMux in JSON subscriptions
The JSON subscription generator always used the global subJsonMux panel
setting for outbound.Mux, even when the inbound carried per-inbound xmux
inside xhttpSettings. This meant XHTTP outbounds that configured their own
multiplexing via xmux still got the legacy mux.cool block injected — and
the inbound's own xmux was silently ignored.
Now getConfig() checks whether xmux is present in the inbound's
xhttpSettings. When it is, the per-inbound xmux handles multiplexing
and the legacy outbound.Mux is suppressed. When xmux is absent, the
global subJsonMux is used as before.
The mux selection is threaded through genVless, genVnext, genServer,
and genHy as an explicit parameter so each protocol handler can decide
independently.
Add tests:
- xmux present → outbound.Mux suppressed, xmux survives streamData()
- no xmux → global subJsonMux used as outbound.Mux
* feat(ui): add scMinPostsIntervalMs to inbound XHTTP form
The inbound XHTTP form was missing scMinPostsIntervalMs, making it impossible
for admins to configure this client-only tuning knob through the panel. The
field already existed in the Zod schema and outbound form, and the wire
normalizer (PR #5393) now preserves non-default values for subscription
propagation.
Add Form.Item for scMinPostsIntervalMs in the packet-up section of the
inbound XHTTP form, after scMaxEachPostBytes. Use the existing translation
key and a placeholder that shows the range format without endorsing the
DPI-fingerprinted default (30).
Update the Zod schema comment to clarify that scMinPostsIntervalMs is now
preserved on inbound for subscriptions, while uplinkChunkSize and
noGRPCHeader remain outbound-only.
Add two integration tests:
- Non-default value (50-150) preserved through formValuesToWirePayload
- Default value (30) stripped through the full pipeline
* fix(ui): show packet-up fields for auto mode in inbound XHTTP form
When mode is 'auto', the server accepts all three XHTTP modes including
packet-up. The packet-up-specific fields (scMaxBufferedPosts,
scMaxEachPostBytes, scMinPostsIntervalMs) are therefore relevant and
should be configurable.
Change the conditional from 'packet-up' only to
'packet-up || auto' so admins using the default 'auto' mode can
configure these fields.
* fix(outbound): show scMinPostsIntervalMs for auto mode, update placeholder
- Show scMinPostsIntervalMs field when mode is 'auto' in addition
to 'packet-up', since auto+TLS resolves to packet-up client-side
- Change placeholder from '30' (DPI fingerprint) to 'e.g. 50-150'
for consistency with inbound form
* fix(inbound): show scMaxEachPostBytes for all modes, gate scMaxBufferedPosts behind packet-up/auto
scMaxEachPostBytes is used by xray-core in every mode (both handlePacketUp
and handleStreamUp validate it) and must be visible regardless of mode.
scMaxBufferedPosts is only used by handlePacketUp, so it remains gated
behind the packet-up/auto conditional.
Also show scMinPostsIntervalMs for auto mode in outbound form and change
placeholder from '30' (DPI fingerprint) to 'e.g. 50-150'.
Update snapshot to reflect the new field order.
* fix(inbound): correct XHTTP field visibility per xray-core source verification
- scMaxEachPostBytes: move behind packet-up/auto gate (server only checks
it in handlePacketUp, not handleStreamUp)
- scMaxBufferedPosts: show for packet-up, stream-up, and auto (server
uses uploadQueue in both handlePacketUp and handleStreamUp)
- scStreamUpServerSecs: already correct (stream-up only)
Verified against xray-core hub.go and dialer.go source code.
---------
Co-authored-by: w3struk <w3struk@gmail.com>
Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
3x-ui frontend
React 19 + Ant Design 6 + TypeScript + Vite 8. Three SPA bundles —
index.html (admin panel SPA, all /panel/* routes), login.html
(login + 2FA), and subpage.html (public subscription viewer). All
three are built into ../internal/web/dist/ and embedded into the Go binary
via embed.FS.
State is split between local useState, TanStack Query for server
state, and useTheme / useWebSocket contexts. Form validation,
API parsing, and the xray config model all run through a single
shared Zod schema tree (see Schemas).
Dev
npm install
npm run dev
Vite serves on http://localhost:5173/. API calls and /panel/*
routes proxy to the Go panel at http://localhost:2053/, so start
the Go panel first (go run main.go) and then Vite. The proxy
auto-rewrites /panel, /panel/settings, /panel/inbounds,
/panel/xray to the matching Vite-served HTML, so the sidebar's
production-style links work without round-tripping through Go.
Scripts
| Command | What |
|---|---|
npm run dev |
Vite dev server with API + WS proxy to Go |
npm run build |
Regenerates OpenAPI + Zod, then builds into ../internal/web/dist/ |
npm run preview |
Serve the built bundle locally |
npm run typecheck |
tsc --noEmit (strict, no emit) |
npm run lint |
ESLint flat config (@typescript-eslint + react-hooks) |
npm run test |
Vitest single run (schema fixtures, link parsers, …) |
npm run test:watch |
Vitest watch mode |
npm run gen:api |
Build public/openapi.json from pages/api-docs/endpoints.ts |
npm run gen:zod |
Run the Go-side openapigen tool → src/generated/{zod,types}.ts |
CI runs typecheck, lint, test, and build on every PR
(see ../.github/workflows/ci.yml).
One-off: scan for deprecated APIs
Run this command to sweep the codebase for usages of APIs marked
with the JSDoc @deprecated tag (AntD prop renames, Zod renames,
removed Web APIs, etc.):
npx eslint --config eslint.deprecated.config.js src
It's a type-aware ESLint run against eslint.deprecated.config.js
and is not wired into npm run lint because typed linting triples
the wall-clock time.
Production build
npm run build
Outputs to ../internal/web/dist/ (HTML at the root, hashed JS/CSS under
assets/). manualChunks splits AntD, icons, codemirror, and
react-query into separate vendor bundles to keep the per-page
initial JS small. The Go binary embeds this directory at compile
time and internal/web/controller/dist.go serves the per-page HTML.
Layout
frontend/
├── index.html, login.html, subpage.html # 3 Vite entries
├── tsconfig.json
├── eslint.config.js
├── eslint.deprecated.config.js # On-demand type-aware lint config that flags
│ # usages of APIs marked with JSDoc @deprecated
├── vitest.config.ts
├── vite.config.js
├── scripts/
│ └── build-openapi.mjs # endpoints.ts → openapi.json
└── src/
├── entries/ # Per-page bootstrap (createRoot + render)
├── main.tsx # Shared root for the admin SPA (index.html)
├── routes.tsx # react-router routes mounted under /panel/
├── pages/ # One folder per route, page component + helpers
│ ├── index/, login/, inbounds/, clients/, xray/, nodes/,
│ ├── settings/, api-docs/, sub/
├── layouts/ # AdminLayout (sidebar + header + outlet)
├── components/ # Cross-page React components
├── hooks/ # useClients, useTheme, useWebSocket, …
├── api/ # Axios + CSRF interceptor, TanStack Query bridge,
│ # WebSocket client + queryClient.ts
├── i18n/ # react-i18next init (locales in internal/web/translation/)
├── lib/xray/ # Pure functions: link generation, defaults,
│ # form ⇄ wire adapters, protocol capabilities
├── schemas/ # Zod source-of-truth (see "Schemas" below)
├── generated/ # Code-generated zod + ts types from Go
│ # (DO NOT hand-edit — regenerated by gen:zod)
├── models/ # Thin legacy types still in transit
│ # (DBInbound, Status, AllSetting, reality-targets)
├── styles/ # Shared CSS modules
├── test/ # Vitest specs + golden fixtures
│ ├── *.test.ts
│ ├── __snapshots__/
│ └── golden/fixtures/ # Per-(protocol × network × security) JSON
└── utils/ # HttpUtil, ClipboardManager, SizeFormatter, …
Schemas
src/schemas/ is the single source of truth for the xray
configuration model. Every API response is parsed through it,
every form field is validated against it, and TypeScript types
are inferred via z.infer<typeof X> — never hand-written.
schemas/
├── primitives/ # Atomic reusable schemas (port, protocol, sniffing, …)
├── api/ # Backend response shapes (e.g. SlimInboundSchema)
├── forms/ # User-facing form shapes (narrower than api/)
├── protocols/
│ ├── inbound/ # Per-protocol settings (vmess, vless, trojan, …)
│ ├── outbound/
│ ├── stream/ # Network transports (tcp, ws, grpc, xhttp, kcp, …)
│ └── security/ # TLS, Reality, none
├── client.ts, dns.ts, routing.ts, setting.ts, status.ts, xray.ts
└── _envelope.ts # Generic `Msg<T>` envelope wrapper
Patterns:
- Discriminated unions for polymorphic data — inbound
settingsisz.discriminatedUnion('protocol', […]), same for stream and security. - Three validation layers, non-overlapping:
- API boundary:
parseMsg(msg, schema, ctx)inside TanStack QueryqueryFn— warn-only in prod, throws in dev - Form input:
antdRule(schema.shape.field)on every<Form.Item>— blocks submit + per-field inline error - Wire request:
Schema.parse(payload)insidemutationFn— throws, because a malformed payload here is always a developer bug
- API boundary:
- No
.loose()or[key: string]: anyin production schemas.@typescript-eslint/no-explicit-any: erroris enforced.
Form pattern (Pattern A)
All non-trivial modals use this single pattern:
const [form] = Form.useForm<InboundFormValues>();
const onFinish = async () => {
const values = await form.validateFields();
await createInbound.mutateAsync(values);
};
<Form form={form} onFinish={onFinish}>
<Form.Item
name="port"
label="Port"
rules={[antdRule(InboundFormSchema.shape.port, t)]}
>
<InputNumber min={1} max={65535} />
</Form.Item>
</Form>
No safeParse-on-submit handlers, no useRef<any> for form
references, no inline z.string().min(1) in rules. Conditional
fields use <Form.Item dependencies={...} shouldUpdate> with the
nested protocol schema.
Testing
Vitest runs everything under src/test/. Schemas have golden
fixture suites — one JSON per (protocol × network × security)
combination round-tripped through schema.parse → link generator
→ snapshot. Regenerate snapshots after intentional changes:
npx vitest run -u
Fixtures live in src/test/golden/fixtures/ and are auto-discovered
via import.meta.glob.
Adding a new page
Most new routes go inside the admin SPA (index.html) via
routes.tsx — no new HTML or Vite entry needed.
- Add the page component under
src/pages/<page>/. - Register it in
src/routes.tsxunder the/panel/...tree. - If you need a brand-new top-level bundle (login-style standalone
page), add the HTML at
frontend/<page>.html, an entry atsrc/entries/<page>.tsx, and register it inrollupOptions.inputinvite.config.js. Then add the Go controller call toserveDistPage(c, "<page>.html").