diff --git a/Dockerfile.backend b/Dockerfile.backend
index 81a8b399..61c77e30 100644
--- a/Dockerfile.backend
+++ b/Dockerfile.backend
@@ -22,6 +22,14 @@ RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -o /app/x-ui main.go
 FROM alpine:latest
 WORKDIR /app
+RUN mkdir -p /app/bin
+ARG XRAY_VERSION=v1.8.10
+ARG TARGETARCH=amd64
+RUN wget -O /tmp/Xray-linux-${TARGETARCH}.zip https://github.com/XTLS/Xray-core/releases/download/${XRAY_VERSION}/Xray-linux-${TARGETARCH}.zip && \
+ unzip /tmp/Xray-linux-${TARGETARCH}.zip -d /app/bin xray geoip.dat geosite.dat && \
+ mv /app/bin/xray /app/bin/xray-linux-${TARGETARCH} && \
+ chmod +x /app/bin/xray-linux-${TARGETARCH} && \
+ rm /tmp/Xray-linux-${TARGETARCH}.zip
 # Copy the binary from the builder stage
 COPY --from=builder /app/x-ui /app/x-ui
@@ -45,6 +53,7 @@ RUN mkdir -p /etc/x-ui && \
 # Let's assume the Go app listens on a port defined by an ENV or config, e.g., 2053
 EXPOSE 2053
+COPY xui_fail2ban.local /etc/fail2ban/jail.local
 # Entrypoint
 ENTRYPOINT ["/app/DockerEntrypoint.sh"]
 CMD ["/app/x-ui"] # Default command if DockerEntrypoint.sh doesn't override
diff --git a/docker-compose.yml b/docker-compose.yml
index ace2c405..fb6fdd95 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 backend:
 build:
diff --git a/xui_fail2ban.local b/xui_fail2ban.local
new file mode 100644
index 00000000..1bdf33c5
--- /dev/null
+++ b/xui_fail2ban.local
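Review bot: The Xray archive fetched by the new `RUN wget …` step is unpacked and made executable without any integrity check, so whatever that URL serves at build time ends up in the image. Pin a per-architecture digest next to the version, e.g. `ARG XRAY_SHA256=<sha256-of-release-zip>` (placeholder), and verify before unzipping with `echo "${XRAY_SHA256}  /tmp/Xray-linux-${TARGETARCH}.zip" | sha256sum -c -`. Separately, `ARG TARGETARCH=amd64` feeds Docker's architecture names into the asset name, while upstream Xray-core assets appear to use names such as `64` and `arm64-v8a`, so confirm the URL resolves for every target platform. The runtime stage starts above this hunk and continues below it.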
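Review bot: The `COPY xui_fail2ban.local /etc/fail2ban/jail.local` line installs a jail that sets `banaction = iptables-multiport`, but nothing visible in this diff installs fail2ban or iptables in the alpine stage or grants the container NET_ADMIN. If that is not handled outside the hunk, the jail never loads or its bans are never applied, and the panel runs without the lockout it appears to have. I would add a comment above the COPY such as `# needs fail2ban + iptables in this stage and cap_add: NET_ADMIN in docker-compose.yml`, and move the COPY up next to the other file copies rather than after `EXPOSE`.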
@@ -0,0 +1,38 @@
+[DEFAULT]
+# Ban hosts for one hour:
+bantime = 1h
+# Override /etc/fail2ban/jail.d/00-firewalld.conf:
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+
+[sshd]
+enabled = false
+
+[3x-ipl]
+enabled = true
+# Adjust filter, action, logpath, maxretry, findtime, bantime as needed
+# These should ideally be managed by the 3x-ui application logic if it creates its own filter/action
+# For now, we ensure it's enabled, but specific parameters might be overwritten by 3x-ui's setup.
+# Assuming 3x-ui will create /etc/fail2ban/filter.d/3x-ipl.conf and /etc/fail2ban/action.d/3x-ipl.conf
+# and potentially /etc/fail2ban/jail.d/3x-ipl.conf
+# If 3x-ui creates /etc/fail2ban/jail.d/3x-ipl.conf, this [3x-ipl] section might be redundant
+# or could conflict. However, disabling sshd is the main goal here.
+port = http,https,2053 # Example, adjust if your panel port is different
+logpath = %(xui_iplimit_log_path)s # This variable would need to be defined or replaced
+# Default log path from xray/process.go -> /app/log/3xipl.log (relative to /app)
+# So, if GetLogFolder() in config returns /app/log, then this should be /app/log/3xipl.log.
+# Let's use a placeholder that 3x-ui might populate or rely on its own jail.d file.
+# For safety, we'll use the log path from xray/process.go which is /app/log/3xipl.log
+# (assuming GetLogFolder is /app/log).
+# The Dockerfile uses WORKDIR /app, so relative paths might be tricky.
+# Let's assume /var/log/3xipl.log as seen in x-ui.sh, which is more standard for logs.
+# The application itself writes to GetIPLimitLogPath().
+# From xray/process.go: GetIPLimitLogPath() returns config.GetLogFolder() + "/3xipl.log"
+# config.GetLogFolder() by default is likely "log" relative to app dir, so "/app/log/3xipl.log".
+# We need to ensure this log path is what fail2ban is configured to read.
+# The original x-ui.sh sets log_folder="${XUI_LOG_FOLDER:=/var/log}"
+# and iplimit_log_path="${log_folder}/3xipl.log"
+# This suggests the application might be configurable or has different behaviors.
+
+# For now, let's make a simple [3x-ipl] and assume the main app configures it further.
+# The critical part is disabling sshd.
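Review bot: `logpath = %(xui_iplimit_log_path)s` in `[3x-ipl]` interpolates a name this file never defines while the jail is `enabled = true`, so fail2ban will most likely reject the configuration at startup unless another file supplies that variable. The trailing `# …` text on the `port` and `logpath` lines is a second problem: fail2ban treats `#` as a comment only at the start of a line (inline comments use ` ;`), so that text becomes part of the value. Set a concrete path and move the remarks onto their own lines, e.g. `port = http,https,2053` and `logpath = /app/log/3xipl.log` if that is where GetIPLimitLogPath() writes; the comments here leave open whether it is /app/log or /var/log. The deliberation comments could then shrink to one line naming the chosen path and why sshd is disabled.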