Three layered fixes targeting the distinct causes of overage:

Bucket C (catastrophic): flush pending Xray stats to DB before every
scheduled Xray restart so in-memory counters are never silently zeroed.
- web/service/xray.go: add FlushTrafficToDB()
- web/web.go: call FlushTrafficToDB() in the 30 s restart cron before
  RestartXray(false)

Bucket A (in-flight gap): drain per-user Xray stats counters immediately
after RemoveUser() succeeds, capturing bytes accumulated since the last
bulk GetTraffic(reset=true) cycle.
- xray/api.go: add DrainUserTraffic(email) using GetStats gRPC with reset
- web/service/inbound.go: call DrainUserTraffic and persist delta in
  disableInvalidClients()

Bucket B (active TCP connections survive removal): insert iptables DROP
rules for each known client IP on the inbound port so established
connections are killed immediately, not just new ones.
- util/iptables/iptables.go: new package managing the 3X-UI-BLOCK chain
  (EnsureChain, FlushChain, BlockIP, UnblockIP, ListRules); gracefully
  degrades when iptables is unavailable
- web/job/unblock_ips_job.go: @every 5m cleanup job removes rules older
  than maxBlockAgeSecs
- web/service/inbound.go: blockClientIPs() called after successful
  RemoveUser(); unblockClientIPs() called after successful AddUser() in
  autoRenewClients() so renewed clients can reconnect
- web/web.go: EnsureChain + FlushChain on startup; register unblock job

* feat: add support for trusted X-Forwarded-For and testseed parameters in VLESS settings
* chore: update Xray Core version to 25.12.8 in release workflow
* chore: update Xray Core version to 25.12.8 in Docker initialization script
* chore: bump version to 2.8.6 and add watcher for security changes in inbound modal
* refactor: remove default and random seed buttons from outbound form
* refactor: update VLESS form to rename 'Test Seed' to 'Vision Seed' and change button functionality for seed generation
* refactor: enhance TLS settings form layout with improved button styling and spacing
* feat: integrate WebSocket support for real-time updates on inbounds and Xray service status
* chore: downgrade version to 2.8.5
* refactor: translate comments to English
* fix: ensure testseed is initialized correctly for VLESS protocol and improve client handling in inbound modal
* refactor: simplify VLESS divider condition by removing unnecessary flow checks
* fix: add fallback date formatting for cases when IntlUtil is not available
* refactor: simplify WebSocket message handling by removing batching and ensuring individual message delivery
* refactor: disable WebSocket notifications in inbound and index HTML files
* refactor: enhance VLESS testseed initialization and button functionality in inbound modal
* fix:
* refactor: ensure proper WebSocket URL construction by normalizing basePath
* fix:
* fix:
* fix:
* refactor: update testseed methods for improved reactivity and binding in VLESS form
* logger info to debug
---------
Co-authored-by: lolka1333 <test123@gmail.com>
* [refactor] api controller
* [fix] access log path
better to not hardcode the access log path, maybe some ppl don't want to use the default ./access.log
* [fix] set select options from logs paths in xray settings
* [update] .gitignore
* [lint] all .go files
* [update] use status code for jsonMsg and 401 to unauthorize
* [update] handle response status code via axios
* [fix] set correct value if log paths is set to 'none'
we also use the default value for the paths if it's set to none
* [fix] iplimit - only warning access log if f2b is installed