From ccf08086ac7a921b3b1ace89749c886ca60d1553 Mon Sep 17 00:00:00 2001 From: Nebulosa <85841412+nebulosa2007@users.noreply.github.com> Date: Fri, 9 Jan 2026 19:03:53 +0300 Subject: [PATCH 1/4] refactor update geofiles fuctions (#3653) --- x-ui.sh | 37 ++++++++++++++++--------------------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/x-ui.sh b/x-ui.sh index 92d87c14..7a56c357 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -903,24 +903,21 @@ delete_ports() { } update_all_geofiles() { - update_main_geofiles - update_ir_geofiles - update_ru_geofiles + update_geofiles "main" + update_geofiles "IR" + update_geofiles "RU" } -update_main_geofiles() { - curl -fLRo geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat - curl -fLRo geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat -} - -update_ir_geofiles() { - curl -fLRo geoip_IR.dat https://github.com/chocolate4u/Iran-v2ray-rules/releases/latest/download/geoip.dat - curl -fLRo geosite_IR.dat https://github.com/chocolate4u/Iran-v2ray-rules/releases/latest/download/geosite.dat -} - -update_ru_geofiles() { - curl -fLRo geoip_RU.dat https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geoip.dat - curl -fLRo geosite_RU.dat https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geosite.dat +update_geofiles() { + case "${1}" in + "main") dat_files=(geoip geosite); dat_source="Loyalsoldier/v2ray-rules-dat";; + "IR") dat_files=(geoip_IR geosite_IR); dat_source="chocolate4u/Iran-v2ray-rules" ;; + "RU") dat_files=(geoip_RU geosite_RU); dat_source="runetfreedom/russia-v2ray-rules-dat";; + esac + for dat in "${dat_files[@]}"; do + curl -fLRo ${xui_folder}/bin/${dat}.dat -z ${xui_folder}/bin/${dat}.dat \ + https://github.com/${dat_source}/releases/latest/download/${dat%%_}.dat + done } update_geo() { @@ -931,24 +928,22 @@ update_geo() { echo -e "${green}\t0.${plain} Back to Main Menu" read -rp "Choose an option: " choice - cd ${xui_folder}/bin - case "$choice" in 0) show_menu ;; 1) - update_main_geofiles + update_geofiles "main" echo -e "${green}Loyalsoldier datasets have been updated successfully!${plain}" restart ;; 2) - update_ir_geofiles + update_geofiles "IR" echo -e "${green}chocolate4u datasets have been updated successfully!${plain}" restart ;; 3) - update_ru_geofiles + update_geofiles "RU" echo -e "${green}runetfreedom datasets have been updated successfully!${plain}" restart ;; From 427b7b67d8c67c75f7a98c84a24145118033ebd8 Mon Sep 17 00:00:00 2001 From: Nebulosa <85841412+nebulosa2007@users.noreply.github.com> Date: Fri, 9 Jan 2026 19:05:55 +0300 Subject: [PATCH 2/4] Refactor ca-certificate dependency (#3655) --- install.sh | 16 ++++++++-------- x-ui.sh | 30 ------------------------------ 2 files changed, 8 insertions(+), 38 deletions(-) diff --git a/install.sh b/install.sh index d0327635..4c68d2dc 100644 --- a/install.sh +++ b/install.sh @@ -59,29 +59,29 @@ is_domain() { install_base() { case "${release}" in ubuntu | debian | armbian) - apt-get update && apt-get install -y -q curl tar tzdata socat + apt-get update && apt-get install -y -q curl tar tzdata socat ca-certificates ;; fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol) - dnf -y update && dnf install -y -q curl tar tzdata socat + dnf -y update && dnf install -y -q curl tar tzdata socat ca-certificates ;; centos) if [[ "${VERSION_ID}" =~ ^7 ]]; then - yum -y update && yum install -y curl tar tzdata socat + yum -y update && yum install -y curl tar tzdata socat ca-certificates else - dnf -y update && dnf install -y -q curl tar tzdata socat + dnf -y update && dnf install -y -q curl tar tzdata socat ca-certificates fi ;; arch | manjaro | parch) - pacman -Syu && pacman -Syu --noconfirm curl tar tzdata socat + pacman -Syu && pacman -Syu --noconfirm curl tar tzdata socat ca-certificates ;; opensuse-tumbleweed | opensuse-leap) - zypper refresh && zypper -q install -y curl tar timezone socat + zypper refresh && zypper -q install -y curl tar timezone socat ca-certificates ;; alpine) - apk update && apk add curl tar tzdata socat + apk update && apk add curl tar tzdata socat ca-certificates ;; *) - apt-get update && apt-get install -y -q curl tar tzdata socat + apt-get update && apt-get install -y -q curl tar tzdata socat ca-certificates ;; esac } diff --git a/x-ui.sh b/x-ui.sh index 7a56c357..bdb48817 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -539,36 +539,6 @@ enable_bbr() { before_show_menu fi - # Check the OS and install necessary packages - case "${release}" in - ubuntu | debian | armbian) - apt-get update && apt-get install -yqq --no-install-recommends ca-certificates - ;; - fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol) - dnf -y update && dnf -y install ca-certificates - ;; - centos) - if [[ "${VERSION_ID}" =~ ^7 ]]; then - yum -y update && yum -y install ca-certificates - else - dnf -y update && dnf -y install ca-certificates - fi - ;; - arch | manjaro | parch) - pacman -Sy --noconfirm ca-certificates - ;; - opensuse-tumbleweed | opensuse-leap) - zypper refresh && zypper -q install -y ca-certificates - ;; - alpine) - apk add ca-certificates - ;; - *) - echo -e "${red}Unsupported operating system. Please check the script and install the necessary packages manually.${plain}\n" - exit 1 - ;; - esac - # Enable BBR echo "net.core.default_qdisc=fq" | tee -a /etc/sysctl.conf echo "net.ipv4.tcp_congestion_control=bbr" | tee -a /etc/sysctl.conf From e42c17f2b272c6236af55b948f37c38a66f82e70 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Fri, 9 Jan 2026 20:22:33 +0100 Subject: [PATCH 3/4] Default listen address to 0.0.0.0 in GenXrayInboundConfig When the listen address is empty, it now defaults to 0.0.0.0 to ensure proper dual-stack IPv4/IPv6 binding, improving compatibility on systems with bindv6only=0. --- database/model/model.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/database/model/model.go b/database/model/model.go index 4ca39d87..6225df52 100644 --- a/database/model/model.go +++ b/database/model/model.go @@ -80,9 +80,12 @@ type HistoryOfSeeders struct { // GenXrayInboundConfig generates an Xray inbound configuration from the Inbound model. func (i *Inbound) GenXrayInboundConfig() *xray.InboundConfig { listen := i.Listen - if listen != "" { - listen = fmt.Sprintf("\"%v\"", listen) + // Default to 0.0.0.0 (all interfaces) when listen is empty + // This ensures proper dual-stack IPv4/IPv6 binding in systems where bindv6only=0 + if listen == "" { + listen = "0.0.0.0" } + listen = fmt.Sprintf("\"%v\"", listen) return &xray.InboundConfig{ Listen: json_util.RawMessage(listen), Port: i.Port, From f8c9aac97cfe4bb38c4dad4b1bc5f9bb18a7ec68 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Sun, 11 Jan 2026 15:28:43 +0100 Subject: [PATCH 4/4] Add port selection and checks for ACME HTTP-01 listener Introduces user prompts to select the port for ACME HTTP-01 certificate validation (default 80), checks if the chosen port is available, and provides guidance for port forwarding. Adds is_port_in_use helper to all scripts and improves messaging for certificate issuance and error handling. --- install.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++---- update.sh | 60 +++++++++++++++++++++++++++++++++++++++++++++++++--- x-ui.sh | 58 ++++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 169 insertions(+), 11 deletions(-) diff --git a/install.sh b/install.sh index 4c68d2dc..59be30ce 100644 --- a/install.sh +++ b/install.sh @@ -53,7 +53,24 @@ is_ip() { is_ipv4 "$1" || is_ipv6 "$1" } is_domain() { - [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 + [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*)\.([A-Za-z]{2,})$ ]] && return 0 || return 1 +} + +# Port helpers +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 } install_base() { @@ -180,7 +197,7 @@ setup_ip_certificate() { echo -e "${green}Setting up Let's Encrypt IP certificate (shortlived profile)...${plain}" echo -e "${yellow}Note: IP certificates are valid for ~6 days and will auto-renew.${plain}" - echo -e "${yellow}Port 80 must be open and accessible from the internet.${plain}" + echo -e "${yellow}Default listener is port 80. If you choose another port, ensure external port 80 forwards to it.${plain}" # Check for acme.sh if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then @@ -216,6 +233,43 @@ setup_ip_certificate() { # Set reload command for auto-renewal (add || true so it doesn't fail during first install) local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true" + # Choose port for HTTP-01 listener (default 80, prompt override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + echo -e "${red}Invalid port provided. Falling back to 80.${plain}" + WebPort=80 + fi + echo -e "${green}Using port ${WebPort} for standalone validation.${plain}" + if [[ "${WebPort}" -ne 80 ]]; then + echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}" + fi + + # Ensure chosen port is available + while true; do + if is_port_in_use "${WebPort}"; then + echo -e "${yellow}Port ${WebPort} is in use.${plain}" + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}" + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + echo -e "${red}Invalid port provided.${plain}" + return 1 + fi + WebPort="${alt_port}" + continue + else + echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}" + break + fi + done + # Issue certificate with shortlived profile echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}" ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1 @@ -226,12 +280,12 @@ setup_ip_certificate() { --server letsencrypt \ --certificate-profile shortlived \ --days 6 \ - --httpport 80 \ + --httpport ${WebPort} \ --force if [ $? -ne 0 ]; then echo -e "${red}Failed to issue IP certificate${plain}" - echo -e "${yellow}Please ensure port 80 is open and accessible from the internet${plain}" + echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}" # Cleanup acme.sh data for both IPv4 and IPv6 if specified rm -rf ~/.acme.sh/${ipv4} 2>/dev/null [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2>/dev/null diff --git a/update.sh b/update.sh index 9f69f053..800841f5 100755 --- a/update.sh +++ b/update.sh @@ -81,6 +81,23 @@ is_domain() { [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1 } +# Port helpers +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 +} + gen_random_string() { local length="$1" local random_string=$(LC_ALL=C tr -dc 'a-zA-Z0-9' /dev/null; then @@ -241,6 +258,43 @@ setup_ip_certificate() { # Set reload command for auto-renewal (add || true so it doesn't fail if service stopped) local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true" + # Choose port for HTTP-01 listener (default 80, prompt override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + echo -e "${red}Invalid port provided. Falling back to 80.${plain}" + WebPort=80 + fi + echo -e "${green}Using port ${WebPort} for standalone validation.${plain}" + if [[ "${WebPort}" -ne 80 ]]; then + echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}" + fi + + # Ensure chosen port is available + while true; do + if is_port_in_use "${WebPort}"; then + echo -e "${yellow}Port ${WebPort} is currently in use.${plain}" + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}" + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + echo -e "${red}Invalid port provided.${plain}" + return 1 + fi + WebPort="${alt_port}" + continue + else + echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}" + break + fi + done + # Issue certificate with shortlived profile echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}" ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1 @@ -251,12 +305,12 @@ setup_ip_certificate() { --server letsencrypt \ --certificate-profile shortlived \ --days 6 \ - --httpport 80 \ + --httpport ${WebPort} \ --force if [ $? -ne 0 ]; then echo -e "${red}Failed to issue IP certificate${plain}" - echo -e "${yellow}Please ensure port 80 is open and accessible from the internet${plain}" + echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}" # Cleanup acme.sh data for both IPv4 and IPv6 if specified rm -rf ~/.acme.sh/${ipv4} 2>/dev/null [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2>/dev/null diff --git a/x-ui.sh b/x-ui.sh index bdb48817..4dda45a0 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -19,6 +19,23 @@ function LOGI() { echo -e "${green}[INF] $* ${plain}" } +# Port helpers: detect listener and owning process (best effort) +is_port_in_use() { + local port="$1" + if command -v ss >/dev/null 2>&1; then + ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v netstat >/dev/null 2>&1; then + netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' + return + fi + if command -v lsof >/dev/null 2>&1; then + lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 + fi + return 1 +} + # Simple helpers for domain/IP validation is_ipv4() { [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1 @@ -885,8 +902,10 @@ update_geofiles() { "RU") dat_files=(geoip_RU geosite_RU); dat_source="runetfreedom/russia-v2ray-rules-dat";; esac for dat in "${dat_files[@]}"; do + # Remove suffix for remote filename (e.g., geoip_IR -> geoip) + remote_file="${dat%%_*}" curl -fLRo ${xui_folder}/bin/${dat}.dat -z ${xui_folder}/bin/${dat}.dat \ - https://github.com/${dat_source}/releases/latest/download/${dat%%_}.dat + https://github.com/${dat_source}/releases/latest/download/${remote_file}.dat done } @@ -1146,10 +1165,41 @@ ssl_cert_issue_for_ip() { LOGI "Including IPv6 address: ${ipv6_addr}" fi - # Use port 80 for certificate issuance - local WebPort=80 + # Choose port for HTTP-01 listener (default 80, allow override) + local WebPort="" + read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort + WebPort="${WebPort:-80}" + if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then + LOGE "Invalid port provided. Falling back to 80." + WebPort=80 + fi LOGI "Using port ${WebPort} to issue certificate for IP: ${server_ip}" - LOGI "Make sure port ${WebPort} is open and not in use..." + if [[ "${WebPort}" -ne 80 ]]; then + LOGI "Reminder: Let's Encrypt still reaches port 80; forward external port 80 to ${WebPort} for validation." + fi + + while true; do + if is_port_in_use "${WebPort}"; then + LOGI "Port ${WebPort} is currently in use." + + local alt_port="" + read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port + alt_port="${alt_port// /}" + if [[ -z "${alt_port}" ]]; then + LOGE "Port ${WebPort} is busy; cannot proceed with issuance." + return 1 + fi + if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then + LOGE "Invalid port provided." + return 1 + fi + WebPort="${alt_port}" + continue + else + LOGI "Port ${WebPort} is free and ready for standalone validation." + break + fi + done # Reload command - restarts panel after renewal local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null"