From e42c17f2b272c6236af55b948f37c38a66f82e70 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Fri, 9 Jan 2026 20:22:33 +0100 Subject: [PATCH 1/6] Default listen address to 0.0.0.0 in GenXrayInboundConfig When the listen address is empty, it now defaults to 0.0.0.0 to ensure proper dual-stack IPv4/IPv6 binding, improving compatibility on systems with bindv6only=0. --- database/model/model.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/database/model/model.go b/database/model/model.go index 4ca39d87..6225df52 100644 --- a/database/model/model.go +++ b/database/model/model.go @@ -80,9 +80,12 @@ type HistoryOfSeeders struct { // GenXrayInboundConfig generates an Xray inbound configuration from the Inbound model. func (i *Inbound) GenXrayInboundConfig() *xray.InboundConfig { listen := i.Listen - if listen != "" { - listen = fmt.Sprintf("\"%v\"", listen) + // Default to 0.0.0.0 (all interfaces) when listen is empty + // This ensures proper dual-stack IPv4/IPv6 binding in systems where bindv6only=0 + if listen == "" { + listen = "0.0.0.0" } + listen = fmt.Sprintf("\"%v\"", listen) return &xray.InboundConfig{ Listen: json_util.RawMessage(listen), Port: i.Port, From f8c9aac97cfe4bb38c4dad4b1bc5f9bb18a7ec68 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Sun, 11 Jan 2026 15:28:43 +0100 Subject: [PATCH 2/6] Add port selection and checks for ACME HTTP-01 listener Introduces user prompts to select the port for ACME HTTP-01 certificate validation (default 80), checks if the chosen port is available, and provides guidance for port forwarding. Adds is_port_in_use helper to all scripts and improves messaging for certificate issuance and error handling. --- install.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++---- update.sh | 60 +++++++++++++++++++++++++++++++++++++++++++++++++--- x-ui.sh | 58 ++++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 169 insertions(+), 11 deletions(-) diff --git a/install.sh b/install.sh index 4c68d2dc..59be30ce 100644 --- a/install.sh +++ b/install.sh @@ -53,7 +53,24 @@ is_ip() { is_ipv4 "$1" || is_ipv6 "$1" } is_domain() { - [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 + [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*)\.([A-Za-z]{2,})$ ]] && return 0 || return 1 +} + +# Port helpers +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 } install_base() { @@ -180,7 +197,7 @@ setup_ip_certificate() { echo -e "${green}Setting up Let's Encrypt IP certificate (shortlived profile)...${plain}" echo -e "${yellow}Note: IP certificates are valid for ~6 days and will auto-renew.${plain}" - echo -e "${yellow}Port 80 must be open and accessible from the internet.${plain}" + echo -e "${yellow}Default listener is port 80. If you choose another port, ensure external port 80 forwards to it.${plain}" # Check for acme.sh if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then @@ -216,6 +233,43 @@ setup_ip_certificate() { # Set reload command for auto-renewal (add || true so it doesn't fail during first install) local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true" + # Choose port for HTTP-01 listener (default 80, prompt override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + echo -e "${red}Invalid port provided. Falling back to 80.${plain}" + WebPort=80 + fi + echo -e "${green}Using port ${WebPort} for standalone validation.${plain}" + if [[ "${WebPort}" -ne 80 ]]; then + echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}" + fi + + # Ensure chosen port is available + while true; do + if is_port_in_use "${WebPort}"; then + echo -e "${yellow}Port ${WebPort} is in use.${plain}" + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}" + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + echo -e "${red}Invalid port provided.${plain}" + return 1 + fi + WebPort="${alt_port}" + continue + else + echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}" + break + fi + done + # Issue certificate with shortlived profile echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}" ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1 @@ -226,12 +280,12 @@ setup_ip_certificate() { --server letsencrypt \ --certificate-profile shortlived \ --days 6 \ - --httpport 80 \ + --httpport ${WebPort} \ --force if [ $? -ne 0 ]; then echo -e "${red}Failed to issue IP certificate${plain}" - echo -e "${yellow}Please ensure port 80 is open and accessible from the internet${plain}" + echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}" # Cleanup acme.sh data for both IPv4 and IPv6 if specified rm -rf ~/.acme.sh/${ipv4} 2>/dev/null [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2>/dev/null diff --git a/update.sh b/update.sh index 9f69f053..800841f5 100755 --- a/update.sh +++ b/update.sh @@ -81,6 +81,23 @@ is_domain() { [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 } +# Port helpers +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 +} + gen_random_string() { local length="$1" local random_string=$(LC_ALL=C tr -dc 'a-zA-Z0-9' /dev/null; then @@ -241,6 +258,43 @@ setup_ip_certificate() { # Set reload command for auto-renewal (add || true so it doesn't fail if service stopped) local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true" + # Choose port for HTTP-01 listener (default 80, prompt override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + echo -e "${red}Invalid port provided. Falling back to 80.${plain}" + WebPort=80 + fi + echo -e "${green}Using port ${WebPort} for standalone validation.${plain}" + if [[ "${WebPort}" -ne 80 ]]; then + echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}" + fi + + # Ensure chosen port is available + while true; do + if is_port_in_use "${WebPort}"; then + echo -e "${yellow}Port ${WebPort} is currently in use.${plain}" + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}" + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + echo -e "${red}Invalid port provided.${plain}" + return 1 + fi + WebPort="${alt_port}" + continue + else + echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}" + break + fi + done + # Issue certificate with shortlived profile echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}" ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1 @@ -251,12 +305,12 @@ setup_ip_certificate() { --server letsencrypt \ --certificate-profile shortlived \ --days 6 \ - --httpport 80 \ + --httpport ${WebPort} \ --force if [ $? -ne 0 ]; then echo -e "${red}Failed to issue IP certificate${plain}" - echo -e "${yellow}Please ensure port 80 is open and accessible from the internet${plain}" + echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}" # Cleanup acme.sh data for both IPv4 and IPv6 if specified rm -rf ~/.acme.sh/${ipv4} 2>/dev/null [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2>/dev/null diff --git a/x-ui.sh b/x-ui.sh index bdb48817..4dda45a0 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -19,6 +19,23 @@ function LOGI() { echo -e "${green}[INF] $* ${plain}" } +# Port helpers: detect listener and owning process (best effort) +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 +} + # Simple helpers for domain/IP validation is_ipv4() { [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1 @@ -885,8 +902,10 @@ update_geofiles() { "RU") dat_files=(geoip_RU geosite_RU); dat_source="runetfreedom/russia-v2ray-rules-dat";; esac for dat in "${dat_files[@]}"; do + # Remove suffix for remote filename (e.g., geoip_IR -> geoip) + remote_file="${dat%%_*}" curl -fLRo ${xui_folder}/bin/${dat}.dat -z ${xui_folder}/bin/${dat}.dat \ - https://github.com/${dat_source}/releases/latest/download/${dat%%_}.dat + https://github.com/${dat_source}/releases/latest/download/${remote_file}.dat done } @@ -1146,10 +1165,41 @@ ssl_cert_issue_for_ip() { LOGI "Including IPv6 address: ${ipv6_addr}" fi - # Use port 80 for certificate issuance - local WebPort=80 + # Choose port for HTTP-01 listener (default 80, allow override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + LOGE "Invalid port provided. Falling back to 80." + WebPort=80 + fi LOGI "Using port ${WebPort} to issue certificate for IP: ${server_ip}" - LOGI "Make sure port ${WebPort} is open and not in use..." + if [[ "${WebPort}" -ne 80 ]]; then + LOGI "Reminder: Let's Encrypt still reaches port 80; forward external port 80 to ${WebPort} for validation." + fi + + while true; do + if is_port_in_use "${WebPort}"; then + LOGI "Port ${WebPort} is currently in use." + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + LOGE "Port ${WebPort} is busy; cannot proceed with issuance." + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + LOGE "Invalid port provided." + return 1 + fi + WebPort="${alt_port}" + continue + else + LOGI "Port ${WebPort} is free and ready for standalone validation." + break + fi + done # Reload command - restarts panel after renewal local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null" From da447e5669c3adaef688e8c361ed2c85426fcdeb Mon Sep 17 00:00:00 2001 From: VolgaIgor <43250768+VolgaIgor@users.noreply.github.com> Date: Sun, 11 Jan 2026 22:18:54 +0300 Subject: [PATCH 3/6] Added curl package to Dockerfile (#3665) --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ec7a6e7b..bdf877ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,7 +29,8 @@ RUN apk add --no-cache --update \ ca-certificates \ tzdata \ fail2ban \ - bash + bash \ + curl COPY --from=builder /app/build/ /app/ COPY --from=builder /app/DockerEntrypoint.sh /app/ From a691eaea8dc2b08bba3f24ef4d97fb798204ad45 Mon Sep 17 00:00:00 2001 From: VolgaIgor <43250768+VolgaIgor@users.noreply.github.com> Date: Mon, 12 Jan 2026 04:53:43 +0300 Subject: [PATCH 4/6] Fixed incorrect filtering for IDN top-level domains (#3666) --- install.sh | 2 +- update.sh | 2 +- x-ui.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install.sh b/install.sh index 59be30ce..d8e95e22 100644 --- a/install.sh +++ b/install.sh @@ -53,7 +53,7 @@ is_ip() { is_ipv4 "$1" || is_ipv6 "$1" } is_domain() { - [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*)\.([A-Za-z]{2,})$ ]] && return 0 || return 1 + [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1 } # Port helpers diff --git a/update.sh b/update.sh index 800841f5..91c37c37 100755 --- a/update.sh +++ b/update.sh @@ -78,7 +78,7 @@ is_ip() { is_ipv4 "$1" || is_ipv6 "$1" } is_domain() { - [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 + [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1 } # Port helpers diff --git a/x-ui.sh b/x-ui.sh index 4dda45a0..07aaddc6 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -47,7 +47,7 @@ is_ip() { is_ipv4 "$1" || is_ipv6 "$1" } is_domain() { - [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 + [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1 } # check root From 8098d2b1b1c028e4f3d220cc27f43c7a70115a0e Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Tue, 13 Jan 2026 17:40:52 +0100 Subject: [PATCH 5/6] Return nil if no error in GetXrayErr Added a check to return nil immediately if p.GetErr() returns nil in GetXrayErr, preventing further error handling when no error is present. --- web/service/xray.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/web/service/xray.go b/web/service/xray.go index 43178d2f..511ffdda 100644 --- a/web/service/xray.go +++ b/web/service/xray.go @@ -40,6 +40,9 @@ func (s *XrayService) GetXrayErr() error { } err := p.GetErr() + if err == nil { + return nil + } if runtime.GOOS == "windows" && err.Error() == "exit status 1" { // exit status 1 on Windows means that Xray process was killed From 3eeaf5a046d46af4e8daf002defa8c537328f848 Mon Sep 17 00:00:00 2001 From: Michael S2pac Date: Fri, 16 Jan 2026 15:49:05 +0300 Subject: [PATCH 6/6] Excepted commits from origin --- lib/common.sh | 2 +- lib/geo.sh | 4 +++- lib/ssl.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 55 insertions(+), 5 deletions(-) diff --git a/lib/common.sh b/lib/common.sh index ca1cc80d..3f442c79 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -39,7 +39,7 @@ is_ip() { } is_domain() { - [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 + [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1 } # Generate random string diff --git a/lib/geo.sh b/lib/geo.sh index 0280d691..5bb0dc57 100644 --- a/lib/geo.sh +++ b/lib/geo.sh @@ -22,8 +22,10 @@ update_geofiles() { "RU") dat_files=(geoip_RU geosite_RU); dat_source="runetfreedom/russia-v2ray-rules-dat";; esac for dat in "${dat_files[@]}"; do + # Remove suffix for remote filename (e.g., geoip_IR -> geoip) + remote_file="${dat%%_*}" curl -fLRo ${xui_folder}/bin/${dat}.dat -z ${xui_folder}/bin/${dat}.dat \ - https://github.com/${dat_source}/releases/latest/download/${dat%%_}.dat + https://github.com/${dat_source}/releases/latest/download/${remote_file}.dat done } diff --git a/lib/ssl.sh b/lib/ssl.sh index 5ba2bb19..6fefdfac 100644 --- a/lib/ssl.sh +++ b/lib/ssl.sh @@ -30,6 +30,23 @@ install_acme() { return 0 } +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 +} + + ssl_cert_issue_main() { echo -e "${green}\t1.${plain} Get SSL (Domain)" echo -e "${green}\t2.${plain} Revoke" @@ -224,10 +241,41 @@ ssl_cert_issue_for_ip() { LOGI "Including IPv6 address: ${ipv6_addr}" fi - # Use port 80 for certificate issuance - local WebPort=80 + # Choose port for HTTP-01 listener (default 80, allow override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + LOGE "Invalid port provided. Falling back to 80." + WebPort=80 + fi LOGI "Using port ${WebPort} to issue certificate for IP: ${server_ip}" - LOGI "Make sure port ${WebPort} is open and not in use..." + if [[ "${WebPort}" -ne 80 ]]; then + LOGI "Reminder: Let's Encrypt still reaches port 80; forward external port 80 to ${WebPort} for validation." + fi + + while true; do + if is_port_in_use "${WebPort}"; then + LOGI "Port ${WebPort} is currently in use." + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + LOGE "Port ${WebPort} is busy; cannot proceed with issuance." + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + LOGE "Invalid port provided." + return 1 + fi + WebPort="${alt_port}" + continue + else + LOGI "Port ${WebPort} is free and ready for standalone validation." + break + fi + done # Reload command - restarts panel after renewal local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null"