- Android: clash://install-config (Clash Meta for Android)
- iOS: shadowrocket://add/sub/ (Shadowrocket)
- Desktop: clash-verge://install-config (Clash Verge)
- Extended API to return subEnable/subUrl for standard subscription
- New API endpoint /panel/api/inbounds/userSubscriptions for non-admin users
- Redesigned /panel/user with Clash link card (copy button) and Quick Import dropdown (Android/iOS/Desktop with icons)
- Added i18n keys for en_US and zh_CN
- Bumped version to v1.7.2.5
- Add splitTemplate() to split at proxies:/proxy-groups: markers (like mihomo-gen)
- Store clash_template.yaml and servers.yaml as files alongside x-ui.json
- Add Clash/Servers editors in Xray advanced config page
- Support multi-server proxy generation (each server × each client)
- Remove inline template editor from Clash settings panel
- Bump version to v1.7.2.1
When behind Cloudflare CDN, RemoteAddr shows CF's IP, breaking rate
limiting and logging. Trust CF-Connecting-IP (set by CF, cannot be
spoofed by clients) and fall back to RemoteAddr for direct connections.
- Add RateLimitMiddleware(10/min) to POST /login (previously unprotected)
- Use RemoteAddr instead of X-Real-IP/X-Forwarded-For in getRemoteIp() and rate limiter
- Prevents brute-force login and rate-limit bypass via spoofed headers
- ShouldBindJSON → ShouldBind with form tags (axios sends url-encoded)
- dbType dropdown value "mysql" → "mariadb" to match backend
- Replace inline styles with theme-aware CSS classes for dark mode
Silent error swallowing made it impossible to diagnose why worker
couldn't see master's heartbeat. Now logs errors from:
- updateNodeState upsert failures
- writeStateToSharedMariaDB connection/write failures
- getNodeStatesShared query failures
- list endpoint shows state count in logs
Also improved First() call to not overwrite state on error.
Bump version to v1.6.5.
In shared mode, the master may use SQLite locally while workers
write heartbeats to the shared MariaDB. The /list endpoint now
opens a temporary MariaDB connection to query node_states when
the local DB is not MariaDB.
- Add nodeController field and route group in api.go
- Add /panel/nodes page route in xui.go
- Verified node.go does not add duplicate checkAdmin middleware
Expose node management API endpoints for the cluster feature:
- GET /node/list — returns connected nodes with online status
- GET /node/config — returns current node + DB configuration
- POST /node/config — validates and persists node settings to x-ui.json
Add a simplified dashboard page for non-admin users showing username,
traffic usage, expiry time, and logout button. Implement role-based
routing so user-role accounts are redirected to their own dashboard
instead of the admin panel. Add getUserInfo API endpoint and i18n
translations across all 13 supported locales.
- Add per-IP rate limiter middleware (5 req/min) on /register endpoint
- Validate username (3-64 chars) and password (8-128 chars) with trim
- Use sentinel error ErrUsernameAlreadyExists instead of string matching
- Prevent TurnstileSecretKey exposure via admin settings API (json:"-")
- Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets
- Add SetTurnstileSecretKey setter for programmatic configuration
- Reuse package-level http.Client in Turnstile verification for connection pooling
- Add io.LimitReader to cap Turnstile response body size
- Log all Turnstile verification error paths for debugging
- Add invalidUsername/invalidPassword i18n keys to all 13 locales
Remove global unique constraint on client_traffics.email, change email
duplication check to per-inbound scope, and automatically register new
users as disabled clients in all existing inbounds within a transaction.
- Add Role field to User model (admin/user) with uniqueIndex on Username
- Add POST /register endpoint with optional Cloudflare Turnstile verification
- Add RegisterUser service with bcrypt password hashing and duplicate detection
- Set default admin user role to "admin", new registrations get "user"
- Add turnstileSecretKey setting and GetTurnstileSecretKey getter
- Add i18n keys (userExists, errorRegister) to all 13 translation files
Add a register tab on the login page with username, password, confirm
password fields and Cloudflare Turnstile widget. The site key is
configurable via x-ui.json and exposed through a public endpoint.
* feat: add support for trusted X-Forwarded-For and testseed parameters in VLESS settings
* chore: update Xray Core version to 25.12.8 in release workflow
* chore: update Xray Core version to 25.12.8 in Docker initialization script
* chore: bump version to 2.8.6 and add watcher for security changes in inbound modal
* refactor: remove default and random seed buttons from outbound form
* refactor: update VLESS form to rename 'Test Seed' to 'Vision Seed' and change button functionality for seed generation
* refactor: enhance TLS settings form layout with improved button styling and spacing
* feat: integrate WebSocket support for real-time updates on inbounds and Xray service status
* chore: downgrade version to 2.8.5
* refactor: translate comments to English
* fix: ensure testseed is initialized correctly for VLESS protocol and improve client handling in inbound modal
* refactor: simplify VLESS divider condition by removing unnecessary flow checks
* fix: add fallback date formatting for cases when IntlUtil is not available
* refactor: simplify WebSocket message handling by removing batching and ensuring individual message delivery
* refactor: disable WebSocket notifications in inbound and index HTML files
* refactor: enhance VLESS testseed initialization and button functionality in inbound modal
* fix:
* refactor: ensure proper WebSocket URL construction by normalizing basePath
* fix:
* fix:
* fix:
* refactor: update testseed methods for improved reactivity and binding in VLESS form
* logger info to debug
---------
Co-authored-by: lolka1333 <test123@gmail.com>
