Merge 3b262cf180 into 260eedf8c4

fix: add missing is_domain helper function to x-ui.sh (#3612 )
The is_domain function was being called in ssl_cert_issue() but was never defined in x-ui.sh, causing 'Invalid domain format' errors for valid domains. Added is_ipv4, is_ipv6, is_ip, and is_domain helper functions to match the definitions in install.sh and update.sh. Co-authored-by: wyatt <wyatt@Wyatts-MacBook-Air.local>
2026-01-15 10:09:34 +00:00 · 2025-12-28 19:46:52 +03:00 · 2025-12-28 16:38:26 +01:00 · 2025-12-28 00:03:33 +01:00 · 2025-09-24 21:27:55 +02:00 · 2025-09-21 23:55:26 +02:00
19 changed files with 1774 additions and 72 deletions
--- a/database/db.go
+++ b/database/db.go
@ -38,6 +38,7 @@ func initModels() error {
 		&model.InboundClientIps{},
 		&xray.ClientTraffic{},
 		&model.HistoryOfSeeders{},
+		&model.Server{},
 	}
 	for _, model := range models {
 		if err := db.AutoMigrate(model); err != nil {
--- a/database/model/model.go
+++ b/database/model/model.go
@ -119,3 +119,12 @@ type Client struct {
 	CreatedAt  int64  `json:"created_at,omitempty"`         // Creation timestamp
 	UpdatedAt  int64  `json:"updated_at,omitempty"`         // Last update timestamp
 }
+
+type Server struct {
+	Id      int    `json:"id" gorm:"primaryKey;autoIncrement"`
+	Name    string `json:"name" gorm:"unique;not null"`
+	Address string `json:"address" gorm:"not null"`
+	Port    int    `json:"port" gorm:"not null"`
+	APIKey  string `json:"apiKey" gorm:"not null"`
+	Enable  bool   `json:"enable" gorm:"default:true"`
+}
--- a/go.mod
+++ b/go.mod
@ -67,6 +67,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pires/go-proxyproto v0.8.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.57.1 // indirect
--- a/install.sh
+++ b/install.sh
@ -39,32 +39,46 @@ arch() {

 echo "Arch: $(arch)"

+# Simple helpers
+is_ipv4() {
+    [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1
+}
+is_ipv6() {
+    [[ "$1" =~ : ]] && return 0 || return 1
+}
+is_ip() {
+    is_ipv4 "$1" || is_ipv6 "$1"
+}
+is_domain() {
+    [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1
+}
+
 install_base() {
    case "${release}" in
        ubuntu | debian | armbian)
-            apt-get update && apt-get install -y -q wget curl tar tzdata
+            apt-get update && apt-get install -y -q wget curl tar tzdata openssl socat
        ;;
        fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
-            dnf -y update && dnf install -y -q wget curl tar tzdata
+            dnf -y update && dnf install -y -q wget curl tar tzdata openssl socat
        ;;
        centos)
            if [[ "${VERSION_ID}" =~ ^7 ]]; then
-                yum -y update && yum install -y wget curl tar tzdata
+                yum -y update && yum install -y wget curl tar tzdata openssl socat
            else
-                dnf -y update && dnf install -y -q wget curl tar tzdata
+                dnf -y update && dnf install -y -q wget curl tar tzdata openssl socat
            fi
        ;;
        arch | manjaro | parch)
-            pacman -Syu && pacman -Syu --noconfirm wget curl tar tzdata
+            pacman -Syu && pacman -Syu --noconfirm wget curl tar tzdata openssl socat
        ;;
        opensuse-tumbleweed | opensuse-leap)
-            zypper refresh && zypper -q install -y wget curl tar timezone
+            zypper refresh && zypper -q install -y wget curl tar timezone openssl socat
        ;;
        alpine)
-            apk update && apk add wget curl tar tzdata
+            apk update && apk add wget curl tar tzdata openssl socat
        ;;
        *)
-            apt-get update && apt-get install -y -q wget curl tar tzdata
+            apt-get update && apt-get install -y -q wget curl tar tzdata openssl socat
        ;;
    esac
 }
@ -75,10 +89,373 @@ gen_random_string() {
    echo "$random_string"
 }

+install_acme() {
+    echo -e "${green}Installing acme.sh for SSL certificate management...${plain}"
+    cd ~ || return 1
+    curl -s https://get.acme.sh | sh >/dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        echo -e "${red}Failed to install acme.sh${plain}"
+        return 1
+    else
+        echo -e "${green}acme.sh installed successfully${plain}"
+    fi
+    return 0
+}
+
+setup_ssl_certificate() {
+    local domain="$1"
+    local server_ip="$2"
+    local existing_port="$3"
+    local existing_webBasePath="$4"
+    
+    echo -e "${green}Setting up SSL certificate...${plain}"
+    
+    # Check if acme.sh is installed
+    if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then
+        install_acme
+        if [ $? -ne 0 ]; then
+            echo -e "${yellow}Failed to install acme.sh, skipping SSL setup${plain}"
+            return 1
+        fi
+    fi
+    
+    # Create certificate directory
+    local certPath="/root/cert/${domain}"
+    mkdir -p "$certPath"
+    
+    # Issue certificate
+    echo -e "${green}Issuing SSL certificate for ${domain}...${plain}"
+    echo -e "${yellow}Note: Port 80 must be open and accessible from the internet${plain}"
+    
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1
+    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport 80 --force
+    
+    if [ $? -ne 0 ]; then
+        echo -e "${yellow}Failed to issue certificate for ${domain}${plain}"
+        echo -e "${yellow}Please ensure port 80 is open and try again later with: x-ui${plain}"
+        rm -rf ~/.acme.sh/${domain} 2>/dev/null
+        rm -rf "$certPath" 2>/dev/null
+        return 1
+    fi
+    
+    # Install certificate
+    ~/.acme.sh/acme.sh --installcert -d ${domain} \
+        --key-file /root/cert/${domain}/privkey.pem \
+        --fullchain-file /root/cert/${domain}/fullchain.pem \
+        --reloadcmd "systemctl restart x-ui" >/dev/null 2>&1
+    
+    if [ $? -ne 0 ]; then
+        echo -e "${yellow}Failed to install certificate${plain}"
+        return 1
+    fi
+    
+    # Enable auto-renew
+    ~/.acme.sh/acme.sh --upgrade --auto-upgrade >/dev/null 2>&1
+    chmod 755 $certPath/* 2>/dev/null
+    
+    # Set certificate for panel
+    local webCertFile="/root/cert/${domain}/fullchain.pem"
+    local webKeyFile="/root/cert/${domain}/privkey.pem"
+    
+    if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
+        /usr/local/x-ui/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile" >/dev/null 2>&1
+        echo -e "${green}SSL certificate installed and configured successfully!${plain}"
+        return 0
+    else
+        echo -e "${yellow}Certificate files not found${plain}"
+        return 1
+    fi
+}
+
+# Fallback: generate a self-signed certificate (not publicly trusted)
+setup_self_signed_certificate() {
+    local name="$1"   # domain or IP to place in SAN
+    local certDir="/root/cert/selfsigned"
+
+    echo -e "${yellow}Generating a self-signed certificate (not publicly trusted)...${plain}"
+
+    mkdir -p "$certDir"
+
+    local sanExt=""
+    if is_ip "$name"; then
+        sanExt="IP:${name}"
+    else
+        sanExt="DNS:${name}"
+    fi
+
+    # Use -addext if supported; fallback to config file if needed
+    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+        -keyout "${certDir}/privkey.pem" \
+        -out "${certDir}/fullchain.pem" \
+        -subj "/CN=${name}" \
+        -addext "subjectAltName=${sanExt}" >/dev/null 2>&1
+
+    if [[ $? -ne 0 ]]; then
+        # Fallback via temporary config file (for older OpenSSL versions)
+        local tmpCfg="${certDir}/openssl.cnf"
+        cat > "$tmpCfg" <<EOF
+[req]
+distinguished_name=req_distinguished_name
+req_extensions=v3_req
+[req_distinguished_name]
+[v3_req]
+subjectAltName=${sanExt}
+EOF
+        openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+            -keyout "${certDir}/privkey.pem" \
+            -out "${certDir}/fullchain.pem" \
+            -subj "/CN=${name}" \
+            -config "$tmpCfg" -extensions v3_req >/dev/null 2>&1
+        rm -f "$tmpCfg"
+    fi
+
+    if [[ ! -f "${certDir}/fullchain.pem" || ! -f "${certDir}/privkey.pem" ]]; then
+        echo -e "${red}Failed to generate self-signed certificate${plain}"
+        return 1
+    fi
+
+    chmod 755 ${certDir}/* 2>/dev/null
+    /usr/local/x-ui/x-ui cert -webCert "${certDir}/fullchain.pem" -webCertKey "${certDir}/privkey.pem" >/dev/null 2>&1
+    echo -e "${yellow}Self-signed certificate configured. Browsers will show a warning.${plain}"
+    return 0
+}
+
+# Comprehensive manual SSL certificate issuance via acme.sh
+ssl_cert_issue() {
+    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep 'webBasePath:' | awk -F': ' '{print $2}' | tr -d '[:space:]' | sed 's#^/##')
+    local existing_port=$(/usr/local/x-ui/x-ui setting -show true | grep 'port:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
+    
+    # check for acme.sh first
+    if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then
+        echo "acme.sh could not be found. Installing now..."
+        cd ~ || return 1
+        curl -s https://get.acme.sh | sh
+        if [ $? -ne 0 ]; then
+            echo -e "${red}Failed to install acme.sh${plain}"
+            return 1
+        else
+            echo -e "${green}acme.sh installed successfully${plain}"
+        fi
+    fi
+
+    # get the domain here, and we need to verify it
+    local domain=""
+    while true; do
+        read -rp "Please enter your domain name: " domain
+        domain="${domain// /}"  # Trim whitespace
+        
+        if [[ -z "$domain" ]]; then
+            echo -e "${red}Domain name cannot be empty. Please try again.${plain}"
+            continue
+        fi
+        
+        if ! is_domain "$domain"; then
+            echo -e "${red}Invalid domain format: ${domain}. Please enter a valid domain name.${plain}"
+            continue
+        fi
+        
+        break
+    done
+    echo -e "${green}Your domain is: ${domain}, checking it...${plain}"
+
+    # check if there already exists a certificate
+    local currentCert=$(~/.acme.sh/acme.sh --list | tail -1 | awk '{print $1}')
+    if [ "${currentCert}" == "${domain}" ]; then
+        local certInfo=$(~/.acme.sh/acme.sh --list)
+        echo -e "${red}System already has certificates for this domain. Cannot issue again.${plain}"
+        echo -e "${yellow}Current certificate details:${plain}"
+        echo "$certInfo"
+        return 1
+    else
+        echo -e "${green}Your domain is ready for issuing certificates now...${plain}"
+    fi
+
+    # create a directory for the certificate
+    certPath="/root/cert/${domain}"
+    if [ ! -d "$certPath" ]; then
+        mkdir -p "$certPath"
+    else
+        rm -rf "$certPath"
+        mkdir -p "$certPath"
+    fi
+
+    # get the port number for the standalone server
+    local WebPort=80
+    read -rp "Please choose which port to use (default is 80): " WebPort
+    if [[ ${WebPort} -gt 65535 || ${WebPort} -lt 1 ]]; then
+        echo -e "${yellow}Your input ${WebPort} is invalid, will use default port 80.${plain}"
+        WebPort=80
+    fi
+    echo -e "${green}Will use port: ${WebPort} to issue certificates. Please make sure this port is open.${plain}"
+
+    # Stop panel temporarily
+    echo -e "${yellow}Stopping panel temporarily...${plain}"
+    systemctl stop x-ui 2>/dev/null || rc-service x-ui stop 2>/dev/null
+
+    # issue the certificate
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
+    if [ $? -ne 0 ]; then
+        echo -e "${red}Issuing certificate failed, please check logs.${plain}"
+        rm -rf ~/.acme.sh/${domain}
+        systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
+        return 1
+    else
+        echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}"
+    fi
+
+    # Setup reload command
+    reloadCmd="systemctl restart x-ui || rc-service x-ui restart"
+    echo -e "${green}Default --reloadcmd for ACME is: ${yellow}systemctl restart x-ui || rc-service x-ui restart${plain}"
+    echo -e "${green}This command will run on every certificate issue and renew.${plain}"
+    read -rp "Would you like to modify --reloadcmd for ACME? (y/n): " setReloadcmd
+    if [[ "$setReloadcmd" == "y" || "$setReloadcmd" == "Y" ]]; then
+        echo -e "\n${green}\t1.${plain} Preset: systemctl reload nginx ; systemctl restart x-ui"
+        echo -e "${green}\t2.${plain} Input your own command"
+        echo -e "${green}\t0.${plain} Keep default reloadcmd"
+        read -rp "Choose an option: " choice
+        case "$choice" in
+        1)
+            echo -e "${green}Reloadcmd is: systemctl reload nginx ; systemctl restart x-ui${plain}"
+            reloadCmd="systemctl reload nginx ; systemctl restart x-ui"
+            ;;
+        2)
+            echo -e "${yellow}It's recommended to put x-ui restart at the end${plain}"
+            read -rp "Please enter your custom reloadcmd: " reloadCmd
+            echo -e "${green}Reloadcmd is: ${reloadCmd}${plain}"
+            ;;
+        *)
+            echo -e "${green}Keeping default reloadcmd${plain}"
+            ;;
+        esac
+    fi
+
+    # install the certificate
+    ~/.acme.sh/acme.sh --installcert -d ${domain} \
+        --key-file /root/cert/${domain}/privkey.pem \
+        --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}"
+
+    if [ $? -ne 0 ]; then
+        echo -e "${red}Installing certificate failed, exiting.${plain}"
+        rm -rf ~/.acme.sh/${domain}
+        systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
+        return 1
+    else
+        echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}"
+    fi
+
+    # enable auto-renew
+    ~/.acme.sh/acme.sh --upgrade --auto-upgrade
+    if [ $? -ne 0 ]; then
+        echo -e "${yellow}Auto renew setup had issues, certificate details:${plain}"
+        ls -lah /root/cert/${domain}/
+        chmod 755 $certPath/*
+    else
+        echo -e "${green}Auto renew succeeded, certificate details:${plain}"
+        ls -lah /root/cert/${domain}/
+        chmod 755 $certPath/*
+    fi
+
+    # Restart panel
+    systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
+
+    # Prompt user to set panel paths after successful certificate installation
+    read -rp "Would you like to set this certificate for the panel? (y/n): " setPanel
+    if [[ "$setPanel" == "y" || "$setPanel" == "Y" ]]; then
+        local webCertFile="/root/cert/${domain}/fullchain.pem"
+        local webKeyFile="/root/cert/${domain}/privkey.pem"
+
+        if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
+            /usr/local/x-ui/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile"
+            echo -e "${green}Certificate paths set for the panel${plain}"
+            echo -e "${green}Certificate File: $webCertFile${plain}"
+            echo -e "${green}Private Key File: $webKeyFile${plain}"
+            echo ""
+            echo -e "${green}Access URL: https://${domain}:${existing_port}/${existing_webBasePath}${plain}"
+            echo -e "${yellow}Panel will restart to apply SSL certificate...${plain}"
+            systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null
+        else
+            echo -e "${red}Error: Certificate or private key file not found for domain: $domain.${plain}"
+        fi
+    else
+        echo -e "${yellow}Skipping panel path setting.${plain}"
+    fi
+    
+    return 0
+}
+
+# Reusable interactive SSL setup (domain or self-signed)
+# Sets global `SSL_HOST` to the chosen domain/IP for Access URL usage
+prompt_and_setup_ssl() {
+    local panel_port="$1"
+    local web_base_path="$2"   # expected without leading slash
+    local server_ip="$3"
+
+    local ssl_choice=""
+
+    echo -e "${yellow}Choose SSL certificate setup method:${plain}"
+    echo -e "${green}1.${plain} Let's Encrypt (domain required, recommended)"
+    echo -e "${green}2.${plain} Self-signed certificate (not publicly trusted)"
+    read -rp "Choose an option (default 2): " ssl_choice
+    ssl_choice="${ssl_choice// /}"  # Trim whitespace
+    
+    # Default to 2 (self-signed) if not 1
+    if [[ "$ssl_choice" != "1" ]]; then
+        ssl_choice="2"
+    fi
+
+    case "$ssl_choice" in
+    1)
+        # User chose Let's Encrypt domain option
+        echo -e "${green}Using ssl_cert_issue() for comprehensive domain setup...${plain}"
+        ssl_cert_issue
+        # Extract the domain that was used from the certificate
+        local cert_domain=$(~/.acme.sh/acme.sh --list 2>/dev/null | tail -1 | awk '{print $1}')
+        if [[ -n "${cert_domain}" ]]; then
+            SSL_HOST="${cert_domain}"
+            echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}"
+        else
+            echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}"
+            SSL_HOST="${server_ip}"
+        fi
+        ;;
+    2)
+        # User chose self-signed option
+        # Stop panel if running
+        if [[ $release == "alpine" ]]; then
+            rc-service x-ui stop >/dev/null 2>&1
+        else
+            systemctl stop x-ui >/dev/null 2>&1
+        fi
+        echo -e "${yellow}Using server IP for self-signed certificate: ${server_ip}${plain}"
+        setup_self_signed_certificate "${server_ip}"
+        if [ $? -eq 0 ]; then
+            SSL_HOST="${server_ip}"
+            echo -e "${green}✓ Self-signed SSL configured successfully${plain}"
+        else
+            echo -e "${red}✗ Self-signed SSL setup failed${plain}"
+            SSL_HOST="${server_ip}"
+        fi
+        # Start panel after SSL is configured
+        if [[ $release == "alpine" ]]; then
+            rc-service x-ui start >/dev/null 2>&1
+        else
+            systemctl start x-ui >/dev/null 2>&1
+        fi
+        ;;
+    *)
+        echo -e "${red}Invalid option. Skipping SSL setup.${plain}"
+        SSL_HOST="${server_ip}"
+        ;;
+    esac
+}
+
 config_after_install() {
    local existing_hasDefaultCredential=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'hasDefaultCredential: .+' | awk '{print $2}')
-    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}')
+    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}' | sed 's#^/##')
    local existing_port=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}')
+    # Properly detect empty cert by checking if cert: line exists and has content after it
+    local existing_cert=$(/usr/local/x-ui/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
    local URL_lists=(
        "https://api4.ipify.org"
        "https://ipv4.icanhazip.com"
@ -111,20 +488,50 @@ config_after_install() {
            fi
            
            /usr/local/x-ui/x-ui setting -username "${config_username}" -password "${config_password}" -port "${config_port}" -webBasePath "${config_webBasePath}"
-            echo -e "This is a fresh installation, generating random login info for security concerns:"
-            echo -e "###############################################"
-            echo -e "${green}Username: ${config_username}${plain}"
-            echo -e "${green}Password: ${config_password}${plain}"
-            echo -e "${green}Port: ${config_port}${plain}"
+            
+            echo ""
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${green}     SSL Certificate Setup (MANDATORY)     ${plain}"
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${yellow}For security, SSL certificate is required for all panels.${plain}"
+            echo -e "${yellow}Let's Encrypt requires a domain name (IP certificates are not issued).${plain}"
+            echo ""
+
+            prompt_and_setup_ssl "${config_port}" "${config_webBasePath}" "${server_ip}"
+            
+            # Display final credentials and access information
+            echo ""
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${green}     Panel Installation Complete!         ${plain}"
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${green}Username:    ${config_username}${plain}"
+            echo -e "${green}Password:    ${config_password}${plain}"
+            echo -e "${green}Port:        ${config_port}${plain}"
            echo -e "${green}WebBasePath: ${config_webBasePath}${plain}"
-            echo -e "${green}Access URL: http://${server_ip}:${config_port}/${config_webBasePath}${plain}"
-            echo -e "###############################################"
+            echo -e "${green}Access URL:  https://${SSL_HOST}:${config_port}/${config_webBasePath}${plain}"
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${yellow}⚠ IMPORTANT: Save these credentials securely!${plain}"
+            echo -e "${yellow}⚠ SSL Certificate: Enabled and configured${plain}"
        else
            local config_webBasePath=$(gen_random_string 18)
            echo -e "${yellow}WebBasePath is missing or too short. Generating a new one...${plain}"
            /usr/local/x-ui/x-ui setting -webBasePath "${config_webBasePath}"
            echo -e "${green}New WebBasePath: ${config_webBasePath}${plain}"
-            echo -e "${green}Access URL: http://${server_ip}:${existing_port}/${config_webBasePath}${plain}"
+
+            # If the panel is already installed but no certificate is configured, prompt for SSL now
+            if [[ -z "${existing_cert}" ]]; then
+                echo ""
+                echo -e "${green}═══════════════════════════════════════════${plain}"
+                echo -e "${green}     SSL Certificate Setup (RECOMMENDED)   ${plain}"
+                echo -e "${green}═══════════════════════════════════════════${plain}"
+                echo -e "${yellow}Let's Encrypt requires a domain name (IP certificates are not issued).${plain}"
+                echo ""
+                prompt_and_setup_ssl "${existing_port}" "${config_webBasePath}" "${server_ip}"
+                echo -e "${green}Access URL:  https://${SSL_HOST}:${existing_port}/${config_webBasePath}${plain}"
+            else
+                # If a cert already exists, just show the access URL
+                echo -e "${green}Access URL: https://${server_ip}:${existing_port}/${config_webBasePath}${plain}"
+            fi
        fi
    else
        if [[ "$existing_hasDefaultCredential" == "true" ]]; then
@ -139,11 +546,34 @@ config_after_install() {
            echo -e "${green}Password: ${config_password}${plain}"
            echo -e "###############################################"
        else
-            echo -e "${green}Username, Password, and WebBasePath are properly set. Exiting...${plain}"
+            echo -e "${green}Username, Password, and WebBasePath are properly set.${plain}"
+        fi
+
+        # Existing install: if no cert configured, prompt user to set domain or self-signed
+        # Properly detect empty cert by checking if cert: line exists and has content after it
+        existing_cert=$(/usr/local/x-ui/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
+        if [[ -z "$existing_cert" ]]; then
+            echo ""
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${green}     SSL Certificate Setup (RECOMMENDED)   ${plain}"
+            echo -e "${green}═══════════════════════════════════════════${plain}"
+            echo -e "${yellow}Let's Encrypt requires a domain name (IP certificates are not issued).${plain}"
+            echo ""
+            prompt_and_setup_ssl "${existing_port}" "${existing_webBasePath}" "${server_ip}"
+            echo -e "${green}Access URL:  https://${SSL_HOST}:${existing_port}/${existing_webBasePath}${plain}"
+        else
+            echo -e "${green}SSL certificate already configured. No action needed.${plain}"
        fi
    fi
    
    /usr/local/x-ui/x-ui migrate
+
+    local existing_apiKey=$(/usr/local/x-ui/x-ui setting -show true | grep -oP 'ApiKey: \K.*')
+    if [[ -z "$existing_apiKey" ]]; then
+        local config_apiKey=$(gen_random_string 32)
+        /usr/local/x-ui/x-ui setting -apiKey "${config_apiKey}"
+        echo -e "${green}Generated random API Key: ${config_apiKey}${plain}"
+    fi
 }

 install_x-ui() {
--- a/main.go
+++ b/main.go
@ -248,7 +248,8 @@ func updateTgbotSetting(tgBotToken string, tgBotChatid string, tgBotRuntime stri
 }

 // updateSetting updates various panel settings including port, credentials, base path, listen IP, and two-factor authentication.
-func updateSetting(port int, username string, password string, webBasePath string, listenIP string, resetTwoFactor bool) {
+func updateSetting(port int, username string, password string, webBasePath string, listenIP string, resetTwoFactor bool, apiKey string) {
+
 	err := database.InitDB(config.GetDBPath())
 	if err != nil {
 		fmt.Println("Database initialization failed:", err)
@ -258,6 +259,15 @@ func updateSetting(port int, username string, password string, webBasePath strin
 	settingService := service.SettingService{}
 	userService := service.UserService{}

+	if apiKey != "" {
+		err := settingService.SetAPIKey(apiKey)
+		if err != nil {
+			fmt.Println("Failed to set API Key:", err)
+		} else {
+			fmt.Printf("API Key set successfully: %v\n", apiKey)
+		}
+	}
+
 	if port > 0 {
 		err := settingService.SetPort(port)
 		if err != nil {
@ -424,9 +434,11 @@ func main() {
 	var show bool
 	var getCert bool
 	var resetTwoFactor bool
+	var apiKey string
 	settingCmd.BoolVar(&reset, "reset", false, "Reset all settings")
 	settingCmd.BoolVar(&show, "show", false, "Display current settings")
 	settingCmd.IntVar(&port, "port", 0, "Set panel port number")
+	settingCmd.StringVar(&apiKey, "apiKey", "", "Set API Key")
 	settingCmd.StringVar(&username, "username", "", "Set login username")
 	settingCmd.StringVar(&password, "password", "", "Set login password")
 	settingCmd.StringVar(&webBasePath, "webBasePath", "", "Set base path for Panel")
@ -476,7 +488,7 @@ func main() {
 		if reset {
 			resetSetting()
 		} else {
-			updateSetting(port, username, password, webBasePath, listenIP, resetTwoFactor)
+			updateSetting(port, username, password, webBasePath, listenIP, resetTwoFactor, apiKey)
 		}
 		if show {
 			showSetting(show)
--- a/sub/subService.go
+++ b/sub/subService.go
@ -162,26 +162,43 @@ func (s *SubService) getFallbackMaster(dest string, streamSettings string) (stri
 }

 func (s *SubService) getLink(inbound *model.Inbound, email string) string {
-	switch inbound.Protocol {
-	case "vmess":
-		return s.genVmessLink(inbound, email)
-	case "vless":
-		return s.genVlessLink(inbound, email)
-	case "trojan":
-		return s.genTrojanLink(inbound, email)
-	case "shadowsocks":
-		return s.genShadowsocksLink(inbound, email)
+	serverService := service.MultiServerService{}
+	servers, err := serverService.GetServers()
+	if err != nil {
+		logger.Warning("Failed to get servers for subscription:", err)
+		return ""
 	}
-	return ""
+
+	var links []string
+	for _, server := range servers {
+		if !server.Enable {
+			continue
+		}
+		var link string
+		switch inbound.Protocol {
+		case "vmess":
+			link = s.genVmessLink(inbound, email, server)
+		case "vless":
+			link = s.genVlessLink(inbound, email, server)
+		case "trojan":
+			link = s.genTrojanLink(inbound, email, server)
+		case "shadowsocks":
+			link = s.genShadowsocksLink(inbound, email, server)
+		}
+		if link != "" {
+			links = append(links, link)
+		}
+	}
+	return strings.Join(links, "\n")
 }

-func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
+func (s *SubService) genVmessLink(inbound *model.Inbound, email string, server *model.Server) string {
 	if inbound.Protocol != model.VMESS {
 		return ""
 	}
 	obj := map[string]any{
 		"v":    "2",
-		"add":  s.address,
+		"add":  server.Address,
 		"port": inbound.Port,
 		"type": "none",
 	}
@ -294,7 +311,7 @@ func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
 					newObj[key] = value
 				}
 			}
-			newObj["ps"] = s.genRemark(inbound, email, ep["remark"].(string))
+			newObj["ps"] = s.genRemark(inbound, email, ep["remark"].(string), server.Name)
 			newObj["add"] = ep["dest"].(string)
 			newObj["port"] = int(ep["port"].(float64))

@ -310,14 +327,14 @@ func (s *SubService) genVmessLink(inbound *model.Inbound, email string) string {
 		return links
 	}

-	obj["ps"] = s.genRemark(inbound, email, "")
+	obj["ps"] = s.genRemark(inbound, email, "", server.Name)

 	jsonStr, _ := json.MarshalIndent(obj, "", "  ")
 	return "vmess://" + base64.StdEncoding.EncodeToString(jsonStr)
 }

-func (s *SubService) genVlessLink(inbound *model.Inbound, email string) string {
-	address := s.address
+func (s *SubService) genVlessLink(inbound *model.Inbound, email string, server *model.Server) string {
+	address := server.Address
 	if inbound.Protocol != model.VLESS {
 		return ""
 	}
@ -497,7 +514,7 @@ func (s *SubService) genVlessLink(inbound *model.Inbound, email string) string {
 			// Set the new query values on the URL
 			url.RawQuery = q.Encode()

-			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string))
+			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string), server.Name)

 			if index > 0 {
 				links += "\n"
@ -518,12 +535,12 @@ func (s *SubService) genVlessLink(inbound *model.Inbound, email string) string {
 	// Set the new query values on the URL
 	url.RawQuery = q.Encode()

-	url.Fragment = s.genRemark(inbound, email, "")
+	url.Fragment = s.genRemark(inbound, email, "", server.Name)
 	return url.String()
 }

-func (s *SubService) genTrojanLink(inbound *model.Inbound, email string) string {
-	address := s.address
+func (s *SubService) genTrojanLink(inbound *model.Inbound, email string, server *model.Server) string {
+	address := server.Address
 	if inbound.Protocol != model.Trojan {
 		return ""
 	}
@ -692,7 +709,7 @@ func (s *SubService) genTrojanLink(inbound *model.Inbound, email string) string
 			// Set the new query values on the URL
 			url.RawQuery = q.Encode()

-			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string))
+			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string), server.Name)

 			if index > 0 {
 				links += "\n"
@ -714,12 +731,12 @@ func (s *SubService) genTrojanLink(inbound *model.Inbound, email string) string
 	// Set the new query values on the URL
 	url.RawQuery = q.Encode()

-	url.Fragment = s.genRemark(inbound, email, "")
+	url.Fragment = s.genRemark(inbound, email, "", server.Name)
 	return url.String()
 }

-func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string) string {
-	address := s.address
+func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string, server *model.Server) string {
+	address := server.Address
 	if inbound.Protocol != model.Shadowsocks {
 		return ""
 	}
@ -859,7 +876,7 @@ func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string) st
 			// Set the new query values on the URL
 			url.RawQuery = q.Encode()

-			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string))
+			url.Fragment = s.genRemark(inbound, email, ep["remark"].(string), server.Name)

 			if index > 0 {
 				links += "\n"
@ -880,17 +897,18 @@ func (s *SubService) genShadowsocksLink(inbound *model.Inbound, email string) st
 	// Set the new query values on the URL
 	url.RawQuery = q.Encode()

-	url.Fragment = s.genRemark(inbound, email, "")
+	url.Fragment = s.genRemark(inbound, email, "", server.Name)
 	return url.String()
 }

-func (s *SubService) genRemark(inbound *model.Inbound, email string, extra string) string {
+func (s *SubService) genRemark(inbound *model.Inbound, email string, extra string, serverName string) string {
 	separationChar := string(s.remarkModel[0])
 	orderChars := s.remarkModel[1:]
 	orders := map[byte]string{
 		'i': "",
 		'e': "",
 		'o': "",
+		's': "",
 	}
 	if len(email) > 0 {
 		orders['e'] = email
@ -901,6 +919,9 @@ func (s *SubService) genRemark(inbound *model.Inbound, email string, extra strin
 	if len(extra) > 0 {
 		orders['o'] = extra
 	}
+	if len(serverName) > 0 {
+		orders['s'] = serverName
+	}

 	var remark []string
 	for i := 0; i < len(orderChars); i++ {
--- a/update.sh
+++ b/update.sh
@ -70,33 +70,415 @@ arch() {

 echo "Arch: $(arch)"

+# Simple helpers
+is_ipv4() {
+    [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1
+}
+is_ipv6() {
+    [[ "$1" =~ : ]] && return 0 || return 1
+}
+is_ip() {
+    is_ipv4 "$1" || is_ipv6 "$1"
+}
+is_domain() {
+    [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1
+}
+
+gen_random_string() {
+    local length="$1"
+    local random_string=$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w "$length" | head -n 1)
+    echo "$random_string"
+}
+
 install_base() {
    echo -e "${green}Updating and install dependency packages...${plain}"
    case "${release}" in
        ubuntu | debian | armbian)
-            apt-get update >/dev/null 2>&1 && apt-get install -y -q wget curl tar tzdata >/dev/null 2>&1
+            apt-get update >/dev/null 2>&1 && apt-get install -y -q wget curl tar tzdata openssl socat >/dev/null 2>&1
        ;;
        fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
-            dnf -y update >/dev/null 2>&1 && dnf install -y -q wget curl tar tzdata >/dev/null 2>&1
+            dnf -y update >/dev/null 2>&1 && dnf install -y -q wget curl tar tzdata openssl socat >/dev/null 2>&1
        ;;
        centos)
            if [[ "${VERSION_ID}" =~ ^7 ]]; then
-                yum -y update >/dev/null 2>&1 && yum install -y -q wget curl tar tzdata >/dev/null 2>&1
+                yum -y update >/dev/null 2>&1 && yum install -y -q wget curl tar tzdata openssl socat >/dev/null 2>&1
            else
-                dnf -y update >/dev/null 2>&1 && dnf install -y -q wget curl tar tzdata >/dev/null 2>&1
+                dnf -y update >/dev/null 2>&1 && dnf install -y -q wget curl tar tzdata openssl socat >/dev/null 2>&1
            fi
        ;;
        arch | manjaro | parch)
-            pacman -Syu >/dev/null 2>&1 && pacman -Syu --noconfirm wget curl tar tzdata >/dev/null 2>&1
+            pacman -Syu >/dev/null 2>&1 && pacman -Syu --noconfirm wget curl tar tzdata openssl socat >/dev/null 2>&1
        ;;
        opensuse-tumbleweed | opensuse-leap)
-            zypper refresh >/dev/null 2>&1 && zypper -q install -y wget curl tar timezone >/dev/null 2>&1
+            zypper refresh >/dev/null 2>&1 && zypper -q install -y wget curl tar timezone openssl socat >/dev/null 2>&1
        ;;
        alpine)
-            apk update >/dev/null 2>&1 && apk add wget curl tar tzdata >/dev/null 2>&1
+            apk update >/dev/null 2>&1 && apk add wget curl tar tzdata openssl socat >/dev/null 2>&1
        ;;
        *)
-            apt-get update >/dev/null 2>&1 && apt install -y -q wget curl tar tzdata >/dev/null 2>&1
+            apt-get update >/dev/null 2>&1 && apt install -y -q wget curl tar tzdata openssl socat >/dev/null 2>&1
+        ;;
+    esac
+}
+
+install_acme() {
+    echo -e "${green}Installing acme.sh for SSL certificate management...${plain}"
+    cd ~ || return 1
+    curl -s https://get.acme.sh | sh >/dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        echo -e "${red}Failed to install acme.sh${plain}"
+        return 1
+    else
+        echo -e "${green}acme.sh installed successfully${plain}"
+    fi
+    return 0
+}
+
+setup_ssl_certificate() {
+    local domain="$1"
+    local server_ip="$2"
+    local existing_port="$3"
+    local existing_webBasePath="$4"
+    
+    echo -e "${green}Setting up SSL certificate...${plain}"
+    
+    # Check if acme.sh is installed
+    if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then
+        install_acme
+        if [ $? -ne 0 ]; then
+            echo -e "${yellow}Failed to install acme.sh, skipping SSL setup${plain}"
+            return 1
+        fi
+    fi
+    
+    # Create certificate directory
+    local certPath="/root/cert/${domain}"
+    mkdir -p "$certPath"
+    
+    # Issue certificate
+    echo -e "${green}Issuing SSL certificate for ${domain}...${plain}"
+    echo -e "${yellow}Note: Port 80 must be open and accessible from the internet${plain}"
+    
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1
+    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport 80 --force
+    
+    if [ $? -ne 0 ]; then
+        echo -e "${yellow}Failed to issue certificate for ${domain}${plain}"
+        echo -e "${yellow}Please ensure port 80 is open and try again later with: x-ui${plain}"
+        rm -rf ~/.acme.sh/${domain} 2>/dev/null
+        rm -rf "$certPath" 2>/dev/null
+        return 1
+    fi
+    
+    # Install certificate
+    ~/.acme.sh/acme.sh --installcert -d ${domain} \
+        --key-file /root/cert/${domain}/privkey.pem \
+        --fullchain-file /root/cert/${domain}/fullchain.pem \
+        --reloadcmd "systemctl restart x-ui" >/dev/null 2>&1
+    
+    if [ $? -ne 0 ]; then
+        echo -e "${yellow}Failed to install certificate${plain}"
+        return 1
+    fi
+    
+    # Enable auto-renew
+    ~/.acme.sh/acme.sh --upgrade --auto-upgrade >/dev/null 2>&1
+    chmod 755 $certPath/* 2>/dev/null
+    
+    # Set certificate for panel
+    local webCertFile="/root/cert/${domain}/fullchain.pem"
+    local webKeyFile="/root/cert/${domain}/privkey.pem"
+    
+    if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
+        /usr/local/x-ui/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile" >/dev/null 2>&1
+        echo -e "${green}SSL certificate installed and configured successfully!${plain}"
+        return 0
+    else
+        echo -e "${yellow}Certificate files not found${plain}"
+        return 1
+    fi
+}
+
+# Fallback: generate a self-signed certificate (not publicly trusted)
+setup_self_signed_certificate() {
+    local name="$1"   # domain or IP to place in SAN
+    local certDir="/root/cert/selfsigned"
+
+    echo -e "${yellow}Generating a self-signed certificate (not publicly trusted)...${plain}"
+
+    mkdir -p "$certDir"
+
+    local sanExt=""
+    if is_ip "$name"; then
+        sanExt="IP:${name}"
+    else
+        sanExt="DNS:${name}"
+    fi
+
+    # Try -addext; fallback to config if not supported
+    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+        -keyout "${certDir}/privkey.pem" \
+        -out "${certDir}/fullchain.pem" \
+        -subj "/CN=${name}" \
+        -addext "subjectAltName=${sanExt}" >/dev/null 2>&1
+
+    if [[ $? -ne 0 ]]; then
+        local tmpCfg="${certDir}/openssl.cnf"
+        cat > "$tmpCfg" <<EOF
+[req]
+distinguished_name=req_distinguished_name
+req_extensions=v3_req
+[req_distinguished_name]
+[v3_req]
+subjectAltName=${sanExt}
+EOF
+        openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+            -keyout "${certDir}/privkey.pem" \
+            -out "${certDir}/fullchain.pem" \
+            -subj "/CN=${name}" \
+            -config "$tmpCfg" -extensions v3_req >/dev/null 2>&1
+        rm -f "$tmpCfg"
+    fi
+
+    if [[ ! -f "${certDir}/fullchain.pem" || ! -f "${certDir}/privkey.pem" ]]; then
+        echo -e "${red}Failed to generate self-signed certificate${plain}"
+        return 1
+    fi
+
+    chmod 755 ${certDir}/* 2>/dev/null
+    /usr/local/x-ui/x-ui cert -webCert "${certDir}/fullchain.pem" -webCertKey "${certDir}/privkey.pem" >/dev/null 2>&1
+    echo -e "${yellow}Self-signed certificate configured. Browsers will show a warning.${plain}"
+    return 0
+}
+# Comprehensive manual SSL certificate issuance via acme.sh
+ssl_cert_issue() {
+    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep 'webBasePath:' | awk -F': ' '{print $2}' | tr -d '[:space:]' | sed 's#^/##')
+    local existing_port=$(/usr/local/x-ui/x-ui setting -show true | grep 'port:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
+    
+    # check for acme.sh first
+    if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then
+        echo "acme.sh could not be found. Installing now..."
+        cd ~ || return 1
+        curl -s https://get.acme.sh | sh
+        if [ $? -ne 0 ]; then
+            echo -e "${red}Failed to install acme.sh${plain}"
+            return 1
+        else
+            echo -e "${green}acme.sh installed successfully${plain}"
+        fi
+    fi
+
+    # get the domain here, and we need to verify it
+    local domain=""
+    while true; do
+        read -rp "Please enter your domain name: " domain
+        domain="${domain// /}"  # Trim whitespace
+        
+        if [[ -z "$domain" ]]; then
+            echo -e "${red}Domain name cannot be empty. Please try again.${plain}"
+            continue
+        fi
+        
+        if ! is_domain "$domain"; then
+            echo -e "${red}Invalid domain format: ${domain}. Please enter a valid domain name.${plain}"
+            continue
+        fi
+        
+        break
+    done
+    echo -e "${green}Your domain is: ${domain}, checking it...${plain}"
+
+    # check if there already exists a certificate
+    local currentCert=$(~/.acme.sh/acme.sh --list | tail -1 | awk '{print $1}')
+    if [ "${currentCert}" == "${domain}" ]; then
+        local certInfo=$(~/.acme.sh/acme.sh --list)
+        echo -e "${red}System already has certificates for this domain. Cannot issue again.${plain}"
+        echo -e "${yellow}Current certificate details:${plain}"
+        echo "$certInfo"
+        return 1
+    else
+        echo -e "${green}Your domain is ready for issuing certificates now...${plain}"
+    fi
+
+    # create a directory for the certificate
+    certPath="/root/cert/${domain}"
+    if [ ! -d "$certPath" ]; then
+        mkdir -p "$certPath"
+    else
+        rm -rf "$certPath"
+        mkdir -p "$certPath"
+    fi
+
+    # get the port number for the standalone server
+    local WebPort=80
+    read -rp "Please choose which port to use (default is 80): " WebPort
+    if [[ ${WebPort} -gt 65535 || ${WebPort} -lt 1 ]]; then
+        echo -e "${yellow}Your input ${WebPort} is invalid, will use default port 80.${plain}"
+        WebPort=80
+    fi
+    echo -e "${green}Will use port: ${WebPort} to issue certificates. Please make sure this port is open.${plain}"
+
+    # Stop panel temporarily
+    echo -e "${yellow}Stopping panel temporarily...${plain}"
+    systemctl stop x-ui 2>/dev/null || rc-service x-ui stop 2>/dev/null
+
+    # issue the certificate
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
+    if [ $? -ne 0 ]; then
+        echo -e "${red}Issuing certificate failed, please check logs.${plain}"
+        rm -rf ~/.acme.sh/${domain}
+        systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
+        return 1
+    else
+        echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}"
+    fi
+
+    # Setup reload command
+    reloadCmd="systemctl restart x-ui || rc-service x-ui restart"
+    echo -e "${green}Default --reloadcmd for ACME is: ${yellow}systemctl restart x-ui || rc-service x-ui restart${plain}"
+    echo -e "${green}This command will run on every certificate issue and renew.${plain}"
+    read -rp "Would you like to modify --reloadcmd for ACME? (y/n): " setReloadcmd
+    if [[ "$setReloadcmd" == "y" || "$setReloadcmd" == "Y" ]]; then
+        echo -e "\n${green}\t1.${plain} Preset: systemctl reload nginx ; systemctl restart x-ui"
+        echo -e "${green}\t2.${plain} Input your own command"
+        echo -e "${green}\t0.${plain} Keep default reloadcmd"
+        read -rp "Choose an option: " choice
+        case "$choice" in
+        1)
+            echo -e "${green}Reloadcmd is: systemctl reload nginx ; systemctl restart x-ui${plain}"
+            reloadCmd="systemctl reload nginx ; systemctl restart x-ui"
+            ;;
+        2)
+            echo -e "${yellow}It's recommended to put x-ui restart at the end${plain}"
+            read -rp "Please enter your custom reloadcmd: " reloadCmd
+            echo -e "${green}Reloadcmd is: ${reloadCmd}${plain}"
+            ;;
+        *)
+            echo -e "${green}Keeping default reloadcmd${plain}"
+            ;;
+        esac
+    fi
+
+    # install the certificate
+    ~/.acme.sh/acme.sh --installcert -d ${domain} \
+        --key-file /root/cert/${domain}/privkey.pem \
+        --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}"
+
+    if [ $? -ne 0 ]; then
+        echo -e "${red}Installing certificate failed, exiting.${plain}"
+        rm -rf ~/.acme.sh/${domain}
+        systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
+        return 1
+    else
+        echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}"
+    fi
+
+    # enable auto-renew
+    ~/.acme.sh/acme.sh --upgrade --auto-upgrade
+    if [ $? -ne 0 ]; then
+        echo -e "${yellow}Auto renew setup had issues, certificate details:${plain}"
+        ls -lah /root/cert/${domain}/
+        chmod 755 $certPath/*
+    else
+        echo -e "${green}Auto renew succeeded, certificate details:${plain}"
+        ls -lah /root/cert/${domain}/
+        chmod 755 $certPath/*
+    fi
+
+    # Restart panel
+    systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
+
+    # Prompt user to set panel paths after successful certificate installation
+    read -rp "Would you like to set this certificate for the panel? (y/n): " setPanel
+    if [[ "$setPanel" == "y" || "$setPanel" == "Y" ]]; then
+        local webCertFile="/root/cert/${domain}/fullchain.pem"
+        local webKeyFile="/root/cert/${domain}/privkey.pem"
+
+        if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
+            /usr/local/x-ui/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile"
+            echo -e "${green}Certificate paths set for the panel${plain}"
+            echo -e "${green}Certificate File: $webCertFile${plain}"
+            echo -e "${green}Private Key File: $webKeyFile${plain}"
+            echo ""
+            echo -e "${green}Access URL: https://${domain}:${existing_port}/${existing_webBasePath}${plain}"
+            echo -e "${yellow}Panel will restart to apply SSL certificate...${plain}"
+            systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null
+        else
+            echo -e "${red}Error: Certificate or private key file not found for domain: $domain.${plain}"
+        fi
+    else
+        echo -e "${yellow}Skipping panel path setting.${plain}"
+    fi
+    
+    return 0
+}
+# Unified interactive SSL setup (domain or self-signed)
+# Sets global `SSL_HOST` to the chosen domain/IP
+prompt_and_setup_ssl() {
+    local panel_port="$1"
+    local web_base_path="$2"   # expected without leading slash
+    local server_ip="$3"
+
+    local ssl_choice=""
+
+    echo -e "${yellow}Choose SSL certificate setup method:${plain}"
+    echo -e "${green}1.${plain} Let's Encrypt (domain required, recommended)"
+    echo -e "${green}2.${plain} Self-signed certificate (for testing/local use)"
+    read -rp "Choose an option (default 2): " ssl_choice
+    ssl_choice="${ssl_choice// /}"  # Trim whitespace
+    
+    # Default to 2 (self-signed) if not 1
+    if [[ "$ssl_choice" != "1" ]]; then
+        ssl_choice="2"
+    fi
+
+    case "$ssl_choice" in
+    1)
+        # User chose Let's Encrypt domain option
+        echo -e "${green}Using ssl_cert_issue() for comprehensive domain setup...${plain}"
+        ssl_cert_issue
+        # Extract the domain that was used from the certificate
+        local cert_domain=$(~/.acme.sh/acme.sh --list 2>/dev/null | tail -1 | awk '{print $1}')
+        if [[ -n "${cert_domain}" ]]; then
+            SSL_HOST="${cert_domain}"
+            echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}"
+        else
+            echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}"
+            SSL_HOST="${server_ip}"
+        fi
+        ;;
+    2)
+        # User chose self-signed option
+        # Stop panel if running
+        if [[ $release == "alpine" ]]; then
+            rc-service x-ui stop >/dev/null 2>&1
+        else
+            systemctl stop x-ui >/dev/null 2>&1
+        fi
+        echo -e "${yellow}Using server IP for self-signed certificate: ${server_ip}${plain}"
+        setup_self_signed_certificate "${server_ip}"
+        if [ $? -eq 0 ]; then
+            SSL_HOST="${server_ip}"
+            echo -e "${green}✓ Self-signed SSL configured successfully${plain}"
+        else
+            echo -e "${red}✗ Self-signed SSL setup failed${plain}"
+            SSL_HOST="${server_ip}"
+        fi
+        # Start panel after SSL is configured
+        if [[ $release == "alpine" ]]; then
+            rc-service x-ui start >/dev/null 2>&1
+        else
+            systemctl start x-ui >/dev/null 2>&1
+        fi
+        ;;
+    0)
+        echo -e "${yellow}Skipping SSL setup${plain}"
+        SSL_HOST="${server_ip}"
+        ;;
+    *)
+        echo -e "${red}Invalid option. Skipping SSL setup.${plain}"
+        SSL_HOST="${server_ip}"
        ;;
    esac
 }
@ -105,6 +487,75 @@ config_after_update() {
    echo -e "${yellow}x-ui settings:${plain}"
    /usr/local/x-ui/x-ui setting -show true
    /usr/local/x-ui/x-ui migrate
+    
+    # Properly detect empty cert by checking if cert: line exists and has content after it
+    local existing_cert=$(/usr/local/x-ui/x-ui setting -getCert true 2>/dev/null | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
+    local existing_port=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}')
+    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}' | sed 's#^/##')
+    
+    # Get server IP
+    local URL_lists=(
+        "https://api4.ipify.org"
+        "https://ipv4.icanhazip.com"
+        "https://v4.api.ipinfo.io/ip"
+        "https://ipv4.myexternalip.com/raw"
+        "https://4.ident.me"
+        "https://check-host.net/ip"
+    )
+    local server_ip=""
+    for ip_address in "${URL_lists[@]}"; do
+        server_ip=$(${curl_bin} -s --max-time 3 "${ip_address}" 2>/dev/null | tr -d '[:space:]')
+        if [[ -n "${server_ip}" ]]; then
+            break
+        fi
+    done
+    
+    # Handle missing/short webBasePath
+    if [[ ${#existing_webBasePath} -lt 4 ]]; then
+        echo -e "${yellow}WebBasePath is missing or too short. Generating a new one...${plain}"
+        local config_webBasePath=$(gen_random_string 18)
+        /usr/local/x-ui/x-ui setting -webBasePath "${config_webBasePath}"
+        existing_webBasePath="${config_webBasePath}"
+        echo -e "${green}New WebBasePath: ${config_webBasePath}${plain}"
+    fi
+    
+    # Check and prompt for SSL if missing
+    if [[ -z "$existing_cert" ]]; then
+        echo ""
+        echo -e "${red}═══════════════════════════════════════════${plain}"
+        echo -e "${red}      ⚠ NO SSL CERTIFICATE DETECTED ⚠     ${plain}"
+        echo -e "${red}═══════════════════════════════════════════${plain}"
+        echo -e "${yellow}For security, SSL certificate is MANDATORY for all panels.${plain}"
+        echo -e "${yellow}Let's Encrypt requires a domain name; IP certs are not issued. Use self-signed for IP.${plain}"
+        echo ""
+        
+        if [[ -z "${server_ip}" ]]; then
+            echo -e "${red}Failed to detect server IP${plain}"
+            echo -e "${yellow}Please configure SSL manually using: x-ui${plain}"
+            return
+        fi
+        
+        # Prompt and setup SSL (domain or self-signed)
+        prompt_and_setup_ssl "${existing_port}" "${existing_webBasePath}" "${server_ip}"
+        
+        echo ""
+        echo -e "${green}═══════════════════════════════════════════${plain}"
+        echo -e "${green}     Panel Access Information              ${plain}"
+        echo -e "${green}═══════════════════════════════════════════${plain}"
+        echo -e "${green}Access URL: https://${SSL_HOST}:${existing_port}/${existing_webBasePath}${plain}"
+        echo -e "${green}═══════════════════════════════════════════${plain}"
+        echo -e "${yellow}⚠ SSL Certificate: Enabled and configured${plain}"
+    else
+        echo -e "${green}SSL certificate is already configured${plain}"
+        # Show access URL with existing certificate
+        local cert_domain=$(basename "$(dirname "$existing_cert")")
+        echo ""
+        echo -e "${green}═══════════════════════════════════════════${plain}"
+        echo -e "${green}     Panel Access Information              ${plain}"
+        echo -e "${green}═══════════════════════════════════════════${plain}"
+        echo -e "${green}Access URL: https://${cert_domain}:${existing_port}/${existing_webBasePath}${plain}"
+        echo -e "${green}═══════════════════════════════════════════${plain}"
+    fi
 }

 update_x-ui() {
--- a/web/controller/inbound.go
+++ b/web/controller/inbound.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strconv"

+
 	"github.com/mhsanaei/3x-ui/v2/database/model"
 	"github.com/mhsanaei/3x-ui/v2/web/service"
 	"github.com/mhsanaei/3x-ui/v2/web/session"
--- a/web/controller/multi_server_controller.go
+++ b/web/controller/multi_server_controller.go
@ -0,0 +1,89 @@
+package controller
+
+import (
+	"strconv"
+
+	"x-ui/database/model"
+	"x-ui/web/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+type MultiServerController struct {
+	multiServerService service.MultiServerService
+}
+
+func NewMultiServerController(g *gin.RouterGroup) *MultiServerController {
+	c := &MultiServerController{}
+	c.initRouter(g)
+	return c
+}
+
+func (c *MultiServerController) initRouter(g *gin.RouterGroup) {
+	g = g.Group("/server")
+
+	g.GET("/list", c.getServers)
+	g.POST("/add", c.addServer)
+	g.POST("/del/:id", c.delServer)
+	g.POST("/update/:id", c.updateServer)
+}
+
+func (c *MultiServerController) getServers(ctx *gin.Context) {
+	servers, err := c.multiServerService.GetServers()
+	if err != nil {
+		jsonMsg(ctx, "Failed to get servers", err)
+		return
+	}
+	jsonObj(ctx, servers, nil)
+}
+
+func (c *MultiServerController) addServer(ctx *gin.Context) {
+	server := &model.Server{}
+	err := ctx.ShouldBind(server)
+	if err != nil {
+		jsonMsg(ctx, "Invalid data", err)
+		return
+	}
+	err = c.multiServerService.AddServer(server)
+	if err != nil {
+		jsonMsg(ctx, "Failed to add server", err)
+		return
+	}
+	jsonMsg(ctx, "Server added successfully", nil)
+}
+
+func (c *MultiServerController) delServer(ctx *gin.Context) {
+	id, err := strconv.Atoi(ctx.Param("id"))
+	if err != nil {
+		jsonMsg(ctx, "Invalid ID", err)
+		return
+	}
+	err = c.multiServerService.DeleteServer(id)
+	if err != nil {
+		jsonMsg(ctx, "Failed to delete server", err)
+		return
+	}
+	jsonMsg(ctx, "Server deleted successfully", nil)
+}
+
+func (c *MultiServerController) updateServer(ctx *gin.Context) {
+	id, err := strconv.Atoi(ctx.Param("id"))
+	if err != nil {
+		jsonMsg(ctx, "Invalid ID", err)
+		return
+	}
+	server := &model.Server{
+		Id: id,
+	}
+	err = ctx.ShouldBind(server)
+	if err != nil {
+		jsonMsg(ctx, "Invalid data", err)
+		return
+	}
+	err = c.multiServerService.UpdateServer(server)
+	if err != nil {
+		jsonMsg(ctx, "Failed to update server", err)
+		return
+	}
+	jsonMsg(ctx, "Server updated successfully", nil)
+}
--- a/web/controller/xui.go
+++ b/web/controller/xui.go
@ -26,6 +26,7 @@ func (a *XUIController) initRouter(g *gin.RouterGroup) {

 	g.GET("/", a.index)
 	g.GET("/inbounds", a.inbounds)
+	g.GET("/servers", a.servers)
 	g.GET("/settings", a.settings)
 	g.GET("/xray", a.xraySettings)

@ -52,3 +53,7 @@ func (a *XUIController) settings(c *gin.Context) {
 func (a *XUIController) xraySettings(c *gin.Context) {
 	html(c, "xray.html", "pages.xray.title", nil)
 }
+
+func (a *XUIController) servers(c *gin.Context) {
+	html(c, "servers.html", "Servers", nil)
+}
--- a/web/html/component/aSidebar.html
+++ b/web/html/component/aSidebar.html
@ -54,6 +54,11 @@
                        icon: 'user',
                        title: '{{ i18n "menu.inbounds"}}'
                    },
+                    {
+                        key: '{{ .base_path }}panel/servers',
+                        icon: 'cloud-server',
+                        title: 'Servers'
+                    },
                    {
                        key: '{{ .base_path }}panel/settings',
                        icon: 'setting',
--- a/web/html/servers.html
+++ b/web/html/servers.html
@ -0,0 +1,165 @@
+{{template "header" .}}
+
+<div id="app" class="row" v-cloak>
+    <div class="col-md-12">
+        <div class="card">
+            <div class="card-header">
+                <h3 class="card-title">Server Management</h3>
+                <div class="card-tools">
+                    <button class="btn btn-primary" @click="showAddModal">Add Server</button>
+                </div>
+            </div>
+            <div class="card-body">
+                <table class="table table-bordered">
+                    <thead>
+                    <tr>
+                        <th>#</th>
+                        <th>Name</th>
+                        <th>Address</th>
+                        <th>Port</th>
+                        <th>Enabled</th>
+                        <th>Actions</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    <tr v-for="(server, index) in servers">
+                        <td>{{index + 1}}</td>
+                        <td>{{server.name}}</td>
+                        <td>{{server.address}}</td>
+                        <td>{{server.port}}</td>
+                        <td>
+                            <span v-if="server.enable" class="badge bg-success">Yes</span>
+                            <span v-else class="badge bg-danger">No</span>
+                        </td>
+                        <td>
+                            <button class="btn btn-info btn-sm" @click="showEditModal(server)">Edit</button>
+                            <button class="btn btn-danger btn-sm" @click="deleteServer(server.id)">Delete</button>
+                        </td>
+                    </tr>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+
+    <!-- Add/Edit Modal -->
+    <div class="modal fade" id="serverModal" tabindex="-1" role="dialog">
+        <div class="modal-dialog" role="document">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title">{{modal.title}}</h5>
+                    <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+                        <span aria-hidden="true">&times;</span>
+                    </button>
+                </div>
+                <div class="modal-body">
+                    <form>
+                        <div class="form-group">
+                            <label>Name</label>
+                            <input type="text" class="form-control" v-model="modal.server.name">
+                        </div>
+                        <div class="form-group">
+                            <label>Address (IP or Domain)</label>
+                            <input type="text" class="form-control" v-model="modal.server.address">
+                        </div>
+                        <div class="form-group">
+                            <label>Port</label>
+                            <input type="number" class="form-control" v-model.number="modal.server.port">
+                        </div>
+                        <div class="form-group">
+                            <label>API Key</label>
+                            <input type="text" class="form-control" v-model="modal.server.apiKey">
+                        </div>
+                        <div class="form-check">
+                            <input type="checkbox" class="form-check-input" v-model="modal.server.enable">
+                            <label class="form-check-label">Enabled</label>
+                        </div>
+                    </form>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
+                    <button type="button" class="btn btn-primary" @click="saveServer">Save</button>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+<script>
+    const app = new Vue({
+        el: '#app',
+        data: {
+            servers: [],
+            modal: {
+                title: '',
+                server: {
+                    name: '',
+                    address: '',
+                    port: 0,
+                    apiKey: '',
+                    enable: true
+                }
+            }
+        },
+        methods: {
+            loadServers() {
+                axios.get('{{.base_path}}server/list')
+                    .then(response => {
+                        this.servers = response.data.obj;
+                    })
+                    .catch(error => {
+                        alert(error.response.data.msg);
+                    });
+            },
+            showAddModal() {
+                this.modal.title = 'Add Server';
+                this.modal.server = {
+                    name: '',
+                    address: '',
+                    port: 0,
+                    apiKey: '',
+                    enable: true
+                };
+                $('#serverModal').modal('show');
+            },
+            showEditModal(server) {
+                this.modal.title = 'Edit Server';
+                this.modal.server = Object.assign({}, server);
+                $('#serverModal').modal('show');
+            },
+            saveServer() {
+                let url = '{{.base_path}}server/add';
+                if (this.modal.server.id) {
+                    url = `{{.base_path}}server/update/${this.modal.server.id}`;
+                }
+                axios.post(url, this.modal.server)
+                    .then(response => {
+                        alert(response.data.msg);
+                        $('#serverModal').modal('hide');
+                        this.loadServers();
+                    })
+                    .catch(error => {
+                        alert(error.response.data.msg);
+                    });
+            },
+            deleteServer(id) {
+                if (!confirm('Are you sure you want to delete this server?')) {
+                    return;
+                }
+                axios.post(`{{.base_path}}server/del/${id}`)
+                    .then(response => {
+                        alert(response.data.msg);
+                        this.loadServers();
+                    })
+                    .catch(error => {
+                        alert(error.response.data.msg);
+                    });
+            }
+        },
+        mounted() {
+            this.loadServers();
+        }
+    });
+</script>
+
+{{template "footer" .}}
--- a/web/middleware/auth.go
+++ b/web/middleware/auth.go
@ -0,0 +1,34 @@
+package middleware
+
+import (
+	"net/http"
+	"x-ui/web/service"
+	"github.com/gin-gonic/gin"
+)
+
+func ApiAuth() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		apiKey := c.GetHeader("Api-Key")
+		if apiKey == "" {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "API key is required"})
+			c.Abort()
+			return
+		}
+
+		settingService := service.SettingService{}
+		panelAPIKey, err := settingService.GetAPIKey()
+		if err != nil || panelAPIKey == "" {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "API key not configured on the panel"})
+			c.Abort()
+			return
+		}
+
+		if apiKey != panelAPIKey {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid API key"})
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/web/service/inbound.go
+++ b/web/service/inbound.go
@ -3,8 +3,11 @@
 package service

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
+	"io"
+	"net/http"
 	"sort"
 	"strconv"
 	"strings"
@ -673,6 +676,11 @@ func (s *InboundService) AddInboundClient(data *model.Inbound) (bool, error) {
 	}
 	s.xrayApi.Close()

+	if err == nil {
+		body, _ := json.Marshal(data)
+		s.syncWithSlaves("POST", "/panel/inbound/api/addClient", bytes.NewReader(body))
+	}
+
 	return needRestart, tx.Save(oldInbound).Error
 }

@ -761,6 +769,11 @@ func (s *InboundService) DelInboundClient(inboundId int, clientId string) (bool,
 			s.xrayApi.Close()
 		}
 	}
+
+	if err == nil {
+		s.syncWithSlaves("POST", fmt.Sprintf("/panel/inbound/api/%d/delClient/%s", inboundId, clientId), nil)
+	}
+
 	return needRestart, db.Save(oldInbound).Error
 }

@ -936,6 +949,12 @@ func (s *InboundService) UpdateInboundClient(data *model.Inbound, clientId strin
 		logger.Debug("Client old email not found")
 		needRestart = true
 	}
+
+	if err == nil {
+		body, _ := json.Marshal(data)
+		s.syncWithSlaves("POST", fmt.Sprintf("/panel/inbound/api/updateClient/%s", clientId), bytes.NewReader(body))
+	}
+
 	return needRestart, tx.Save(oldInbound).Error
 }

@ -2379,6 +2398,44 @@ func (s *InboundService) FilterAndSortClientEmails(emails []string) ([]string, [

 	return validEmails, extraEmails, nil
 }
+
+func (s *InboundService) syncWithSlaves(method string, path string, body io.Reader) {
+	serverService := MultiServerService{}
+	servers, err := serverService.GetServers()
+	if err != nil {
+		logger.Warning("Failed to get servers for syncing:", err)
+		return
+	}
+
+	for _, server := range servers {
+		if !server.Enable {
+			continue
+		}
+
+		url := fmt.Sprintf("http://%s:%d%s", server.Address, server.Port, path)
+		req, err := http.NewRequest(method, url, body)
+		if err != nil {
+			logger.Warningf("Failed to create request for server %s: %v", server.Name, err)
+			continue
+		}
+
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("Api-Key", server.APIKey)
+
+		client := &http.Client{}
+		resp, err := client.Do(req)
+		if err != nil {
+			logger.Warningf("Failed to send request to server %s: %v", server.Name, err)
+			continue
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			logger.Warningf("Failed to sync with server %s. Status: %s, Body: %s", server.Name, resp.Status, string(bodyBytes))
+		}
+	}
+  
 func (s *InboundService) DelInboundClientByEmail(inboundId int, email string) (bool, error) {
 	oldInbound, err := s.GetInbound(inboundId)
 	if err != nil {
@ -2470,4 +2527,5 @@ func (s *InboundService) DelInboundClientByEmail(inboundId int, email string) (b
 	}

 	return needRestart, db.Save(oldInbound).Error
+
 }
--- a/web/service/inbound_service_sync_test.go
+++ b/web/service/inbound_service_sync_test.go
@ -0,0 +1,72 @@
+package service
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+	"x-ui/database"
+	"x-ui/database/model"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestInboundServiceSync(t *testing.T) {
+	setup()
+	defer teardown()
+
+	// Mock server to simulate a slave
+	var receivedApiKey string
+	var receivedBody []byte
+	mockSlave := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedApiKey = r.Header.Get("Api-Key")
+		receivedBody, _ = io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer mockSlave.Close()
+
+	// Add the mock slave to the database
+	multiServerService := MultiServerService{}
+	mockSlaveURL, _ := url.Parse(mockSlave.URL)
+	mockSlavePort, _ := strconv.Atoi(mockSlaveURL.Port())
+	slaveServer := &model.Server{
+		Name:    "mock-slave",
+		Address: mockSlaveURL.Hostname(),
+		Port:    mockSlavePort,
+		APIKey:  "slave-api-key",
+		Enable:  true,
+	}
+	multiServerService.AddServer(slaveServer)
+
+	// Create a test inbound and client
+	inboundService := InboundService{}
+	db := database.GetDB()
+	testInbound := &model.Inbound{
+		UserId:   1,
+		Remark:   "test-inbound",
+		Enable:   true,
+		Settings: `{"clients":[]}`,
+	}
+	db.Create(testInbound)
+
+	clientData := model.Client{
+		Email: "test@example.com",
+		ID:    "test-id",
+	}
+	clientBytes, _ := json.Marshal([]model.Client{clientData})
+	inboundData := &model.Inbound{
+		Id:       testInbound.Id,
+		Settings: string(clientBytes),
+	}
+
+	// Test AddInboundClient sync
+	inboundService.AddInboundClient(inboundData)
+
+	assert.Equal(t, "slave-api-key", receivedApiKey)
+	var receivedInbound model.Inbound
+	json.Unmarshal(receivedBody, &receivedInbound)
+	assert.Equal(t, 1, receivedInbound.Id)
+}
--- a/web/service/multi_server_service.go
+++ b/web/service/multi_server_service.go
@ -0,0 +1,37 @@
+package service
+
+import (
+	"x-ui/database"
+	"x-ui/database/model"
+)
+
+type MultiServerService struct{}
+
+func (s *MultiServerService) GetServers() ([]*model.Server, error) {
+	db := database.GetDB()
+	var servers []*model.Server
+	err := db.Find(&servers).Error
+	return servers, err
+}
+
+func (s *MultiServerService) GetServer(id int) (*model.Server, error) {
+	db := database.GetDB()
+	var server model.Server
+	err := db.First(&server, id).Error
+	return &server, err
+}
+
+func (s *MultiServerService) AddServer(server *model.Server) error {
+	db := database.GetDB()
+	return db.Create(server).Error
+}
+
+func (s *MultiServerService) UpdateServer(server *model.Server) error {
+	db := database.GetDB()
+	return db.Save(server).Error
+}
+
+func (s *MultiServerService) DeleteServer(id int) error {
+	db := database.GetDB()
+	return db.Delete(&model.Server{}, id).Error
+}
--- a/web/service/multi_server_service_test.go
+++ b/web/service/multi_server_service_test.go
@ -0,0 +1,63 @@
+package service
+
+import (
+	"os"
+	"testing"
+	"x-ui/database"
+	"x-ui/database/model"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func setup() {
+	dbPath := "test.db"
+	os.Remove(dbPath)
+	database.InitDB(dbPath)
+}
+
+func teardown() {
+	db, _ := database.GetDB().DB()
+	db.Close()
+	os.Remove("test.db")
+}
+
+func TestMultiServerService(t *testing.T) {
+	setup()
+	defer teardown()
+
+	service := MultiServerService{}
+
+	// Test AddServer
+	server := &model.Server{
+		Name:    "test-server",
+		Address: "127.0.0.1",
+		Port:    54321,
+		APIKey:  "test-key",
+		Enable:  true,
+	}
+	err := service.AddServer(server)
+	assert.NoError(t, err)
+
+	// Test GetServer
+	retrievedServer, err := service.GetServer(server.Id)
+	assert.NoError(t, err)
+	assert.Equal(t, server.Name, retrievedServer.Name)
+
+	// Test GetServers
+	servers, err := service.GetServers()
+	assert.NoError(t, err)
+	assert.Len(t, servers, 1)
+
+	// Test UpdateServer
+	retrievedServer.Name = "updated-server"
+	err = service.UpdateServer(retrievedServer)
+	assert.NoError(t, err)
+	updatedServer, _ := service.GetServer(server.Id)
+	assert.Equal(t, "updated-server", updatedServer.Name)
+
+	// Test DeleteServer
+	err = service.DeleteServer(server.Id)
+	assert.NoError(t, err)
+	_, err = service.GetServer(server.Id)
+	assert.Error(t, err)
+}
--- a/web/service/setting.go
+++ b/web/service/setting.go
@ -204,6 +204,21 @@ func (s *SettingService) getSetting(key string) (*model.Setting, error) {
 	return setting, nil
 }

+func (s *SettingService) GetAPIKey() (string, error) {
+	setting, err := s.getSetting("ApiKey")
+	if err != nil {
+		return "", err
+	}
+	if setting == nil {
+		return "", nil
+	}
+	return setting.Value, nil
+}
+
+func (s *SettingService) SetAPIKey(apiKey string) error {
+	return s.saveSetting("ApiKey", apiKey)
+}
+
 func (s *SettingService) saveSetting(key string, value string) error {
 	setting, err := s.getSetting(key)
 	db := database.GetDB()
--- a/x-ui.sh
+++ b/x-ui.sh
@ -19,6 +19,20 @@ function LOGI() {
    echo -e "${green}[INF] $* ${plain}"
 }

+# Simple helpers for domain/IP validation
+is_ipv4() {
+    [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1
+}
+is_ipv6() {
+    [[ "$1" =~ : ]] && return 0 || return 1
+}
+is_ip() {
+    is_ipv4 "$1" || is_ipv6 "$1"
+}
+is_domain() {
+    [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+[A-Za-z]{2,}$ ]] && return 0 || return 1
+}
+
 # check root
 [[ $EUID -ne 0 ]] && LOGE "ERROR: You must be root to run this script! \n" && exit 1

@ -213,6 +227,57 @@ gen_random_string() {
    echo "$random_string"
 }

+# Generate and configure a self-signed SSL certificate
+setup_self_signed_certificate() {
+    local name="$1"   # domain or IP to place in SAN
+    local certDir="/root/cert/selfsigned"
+
+    LOGI "Generating a self-signed certificate (not publicly trusted)..."
+
+    mkdir -p "$certDir"
+
+    local sanExt=""
+    if [[ "$name" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || "$name" =~ : ]]; then
+        sanExt="IP:${name}"
+    else
+        sanExt="DNS:${name}"
+    fi
+
+    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+        -keyout "${certDir}/privkey.pem" \
+        -out "${certDir}/fullchain.pem" \
+        -subj "/CN=${name}" \
+        -addext "subjectAltName=${sanExt}" >/dev/null 2>&1
+
+    if [[ $? -ne 0 ]]; then
+        local tmpCfg="${certDir}/openssl.cnf"
+        cat > "$tmpCfg" <<EOF
+[req]
+distinguished_name=req_distinguished_name
+req_extensions=v3_req
+[req_distinguished_name]
+[v3_req]
+subjectAltName=${sanExt}
+EOF
+        openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+            -keyout "${certDir}/privkey.pem" \
+            -out "${certDir}/fullchain.pem" \
+            -subj "/CN=${name}" \
+            -config "$tmpCfg" -extensions v3_req >/dev/null 2>&1
+        rm -f "$tmpCfg"
+    fi
+
+    if [[ ! -f "${certDir}/fullchain.pem" || ! -f "${certDir}/privkey.pem" ]]; then
+        LOGE "Failed to generate self-signed certificate"
+        return 1
+    fi
+
+    chmod 755 ${certDir}/* >/dev/null 2>&1
+    /usr/local/x-ui/x-ui cert -webCert "${certDir}/fullchain.pem" -webCertKey "${certDir}/privkey.pem" >/dev/null 2>&1
+    LOGI "Self-signed certificate configured. Browsers will show a warning."
+    return 0
+}
+
 reset_webbasepath() {
    echo -e "${yellow}Resetting Web Base Path${plain}"

@ -256,7 +321,7 @@ check_config() {

    local existing_webBasePath=$(echo "$info" | grep -Eo 'webBasePath: .+' | awk '{print $2}')
    local existing_port=$(echo "$info" | grep -Eo 'port: .+' | awk '{print $2}')
-    local existing_cert=$(/usr/local/x-ui/x-ui setting -getCert true | grep -Eo 'cert: .+' | awk '{print $2}')
+    local existing_cert=$(/usr/local/x-ui/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]')
    local server_ip=$(curl -s --max-time 3 https://api.ipify.org)
    if [ -z "$server_ip" ]; then
        server_ip=$(curl -s --max-time 3 https://4.ident.me)
@ -271,7 +336,22 @@ check_config() {
            echo -e "${green}Access URL: https://${server_ip}:${existing_port}${existing_webBasePath}${plain}"
        fi
    else
-        echo -e "${green}Access URL: http://${server_ip}:${existing_port}${existing_webBasePath}${plain}"
+        echo -e "${red}⚠ WARNING: No SSL certificate configured!${plain}"
+        read -rp "Generate a self-signed SSL certificate now? [y/N]: " gen_self
+        if [[ "$gen_self" == "y" || "$gen_self" == "Y" ]]; then
+            stop >/dev/null 2>&1
+            setup_self_signed_certificate "${server_ip}"
+            if [[ $? -eq 0 ]]; then
+                restart >/dev/null 2>&1
+                echo -e "${green}Access URL: https://${server_ip}:${existing_port}${existing_webBasePath}${plain}"
+            else
+                LOGE "Self-signed SSL setup failed."
+                echo -e "${yellow}You can try again via option 18 (SSL Certificate Management).${plain}"
+            fi
+        else
+            echo -e "${yellow}Access URL: http://${server_ip}:${existing_port}${existing_webBasePath}${plain}"
+            echo -e "${yellow}For security, please configure SSL certificate using option 18 (SSL Certificate Management)${plain}"
+        fi
    fi
 }

@ -958,6 +1038,7 @@ ssl_cert_issue_main() {
    echo -e "${green}\t3.${plain} Force Renew"
    echo -e "${green}\t4.${plain} Show Existing Domains"
    echo -e "${green}\t5.${plain} Set Cert paths for the panel"
+    echo -e "${green}\t6.${plain} Auto SSL for Server IP"
    echo -e "${green}\t0.${plain} Back to Main Menu"

    read -rp "Choose an option: " choice
@ -1051,6 +1132,16 @@ ssl_cert_issue_main() {
        fi
        ssl_cert_issue_main
        ;;
+    6)
+        echo -e "${yellow}Automatic SSL Certificate for Server IP${plain}"
+        echo -e "This will automatically obtain and configure an SSL certificate for your server's IP address."
+        echo -e "${yellow}Note: Let's Encrypt supports IP certificates. Make sure port 80 is open.${plain}"
+        confirm "Do you want to proceed?" "y"
+        if [[ $? == 0 ]]; then
+            ssl_cert_issue_for_ip
+        fi
+        ssl_cert_issue_main
+        ;;

    *)
        echo -e "${red}Invalid option. Please select a valid number.${plain}\n"
@ -1059,6 +1150,134 @@ ssl_cert_issue_main() {
    esac
 }

+ssl_cert_issue_for_ip() {
+    LOGI "Starting automatic SSL certificate generation for server IP..."
+    
+    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}')
+    local existing_port=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}')
+    
+    # Get server IP
+    local server_ip=$(curl -s --max-time 3 https://api.ipify.org)
+    if [ -z "$server_ip" ]; then
+        server_ip=$(curl -s --max-time 3 https://4.ident.me)
+    fi
+    
+    if [ -z "$server_ip" ]; then
+        LOGE "Failed to get server IP address"
+        return 1
+    fi
+    
+    LOGI "Server IP detected: ${server_ip}"
+    
+    # check for acme.sh first
+    if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then
+        LOGI "acme.sh not found, installing..."
+        install_acme
+        if [ $? -ne 0 ]; then
+            LOGE "Failed to install acme.sh"
+            return 1
+        fi
+    fi
+    
+    # install socat
+    case "${release}" in
+    ubuntu | debian | armbian)
+        apt-get update >/dev/null 2>&1 && apt-get install socat -y >/dev/null 2>&1
+        ;;
+    fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
+        dnf -y update >/dev/null 2>&1 && dnf -y install socat >/dev/null 2>&1
+        ;;
+    centos)
+        if [[ "${VERSION_ID}" =~ ^7 ]]; then
+            yum -y update >/dev/null 2>&1 && yum -y install socat >/dev/null 2>&1
+        else
+            dnf -y update >/dev/null 2>&1 && dnf -y install socat >/dev/null 2>&1
+        fi
+        ;;
+    arch | manjaro | parch)
+        pacman -Sy --noconfirm socat >/dev/null 2>&1
+        ;;
+    opensuse-tumbleweed | opensuse-leap)
+        zypper refresh >/dev/null 2>&1 && zypper -q install -y socat >/dev/null 2>&1
+        ;;
+    alpine)
+        apk add socat curl openssl >/dev/null 2>&1
+        ;;
+    *)
+        LOGW "Unsupported OS for automatic socat installation"
+        ;;
+    esac
+    
+    # check if certificate already exists for this IP
+    local currentCert=$(~/.acme.sh/acme.sh --list | tail -1 | awk '{print $1}')
+    if [ "${currentCert}" == "${server_ip}" ]; then
+        LOGI "Certificate already exists for IP: ${server_ip}"
+        certPath="/root/cert/${server_ip}"
+    else
+        # create directory for certificate
+        certPath="/root/cert/${server_ip}"
+        if [ ! -d "$certPath" ]; then
+            mkdir -p "$certPath"
+        else
+            rm -rf "$certPath"
+            mkdir -p "$certPath"
+        fi
+        
+        # Use port 80 for certificate issuance
+        local WebPort=80
+        LOGI "Using port ${WebPort} to issue certificate for IP: ${server_ip}"
+        LOGI "Make sure port ${WebPort} is open and not in use..."
+        
+        # issue the certificate for IP
+        ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+        ~/.acme.sh/acme.sh --issue -d ${server_ip} --listen-v6 --standalone --httpport ${WebPort} --force
+        if [ $? -ne 0 ]; then
+            LOGE "Failed to issue certificate for IP: ${server_ip}"
+            LOGE "Make sure port ${WebPort} is open and the server is accessible from the internet"
+            rm -rf ~/.acme.sh/${server_ip}
+            return 1
+        else
+            LOGI "Certificate issued successfully for IP: ${server_ip}"
+        fi
+        
+        # install the certificate
+        ~/.acme.sh/acme.sh --installcert -d ${server_ip} \
+            --key-file /root/cert/${server_ip}/privkey.pem \
+            --fullchain-file /root/cert/${server_ip}/fullchain.pem \
+            --reloadcmd "x-ui restart"
+        
+        if [ $? -ne 0 ]; then
+            LOGE "Failed to install certificate"
+            rm -rf ~/.acme.sh/${server_ip}
+            return 1
+        else
+            LOGI "Certificate installed successfully"
+        fi
+        
+        # enable auto-renew
+        ~/.acme.sh/acme.sh --upgrade --auto-upgrade >/dev/null 2>&1
+        chmod 755 $certPath/*
+    fi
+    
+    # Set certificate paths for the panel
+    local webCertFile="/root/cert/${server_ip}/fullchain.pem"
+    local webKeyFile="/root/cert/${server_ip}/privkey.pem"
+    
+    if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then
+        /usr/local/x-ui/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile"
+        LOGI "Certificate configured for panel"
+        LOGI "  - Certificate File: $webCertFile"
+        LOGI "  - Private Key File: $webKeyFile"
+        echo -e "${green}Access URL: https://${server_ip}:${existing_port}${existing_webBasePath}${plain}"
+        LOGI "Panel will restart to apply SSL certificate..."
+        restart
+        return 0
+    else
+        LOGE "Certificate files not found after installation"
+        return 1
+    fi
+}
+
 ssl_cert_issue() {
    local existing_webBasePath=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}')
    local existing_port=$(/usr/local/x-ui/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}')
@ -1072,33 +1291,32 @@ ssl_cert_issue() {
        fi
    fi

-    # install socat second
+    # install socat
    case "${release}" in
    ubuntu | debian | armbian)
-        apt-get update && apt-get install socat -y
+        apt-get update >/dev/null 2>&1 && apt-get install socat -y >/dev/null 2>&1
        ;;
    fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
-        dnf -y update && dnf -y install socat
+        dnf -y update >/dev/null 2>&1 && dnf -y install socat >/dev/null 2>&1
        ;;
    centos)
-            if [[ "${VERSION_ID}" =~ ^7 ]]; then
-                yum -y update && yum -y install socat
-            else
-                dnf -y update && dnf -y install socat
-            fi
+        if [[ "${VERSION_ID}" =~ ^7 ]]; then
+            yum -y update >/dev/null 2>&1 && yum -y install socat >/dev/null 2>&1
+        else
+            dnf -y update >/dev/null 2>&1 && dnf -y install socat >/dev/null 2>&1
+        fi
        ;;
    arch | manjaro | parch)
-        pacman -Sy --noconfirm socat
+        pacman -Sy --noconfirm socat >/dev/null 2>&1
        ;;
-	opensuse-tumbleweed | opensuse-leap)
-        zypper refresh && zypper -q install -y socat
+    opensuse-tumbleweed | opensuse-leap)
+        zypper refresh >/dev/null 2>&1 && zypper -q install -y socat >/dev/null 2>&1
        ;;
    alpine)
-        apk add socat curl openssl
+        apk add socat curl openssl >/dev/null 2>&1
        ;;
    *)
-        echo -e "${red}Unsupported operating system. Please check the script and install the necessary packages manually.${plain}\n"
-        exit 1
+        LOGW "Unsupported OS for automatic socat installation"
        ;;
    esac
    if [ $? -ne 0 ]; then
@ -1110,7 +1328,22 @@ ssl_cert_issue() {

    # get the domain here, and we need to verify it
    local domain=""
-    read -rp "Please enter your domain name: " domain
+    while true; do
+        read -rp "Please enter your domain name: " domain
+        domain="${domain// /}"  # Trim whitespace
+        
+        if [[ -z "$domain" ]]; then
+            LOGE "Domain name cannot be empty. Please try again."
+            continue
+        fi
+        
+        if ! is_domain "$domain"; then
+            LOGE "Invalid domain format: ${domain}. Please enter a valid domain name."
+            continue
+        fi
+        
+        break
+    done
    LOGD "Your domain is: ${domain}, checking it..."

    # check if there already exists a certificate
Author	SHA1	Message	Date
javadtgh	32f2e74a1c	Merge `3b262cf180` into `260eedf8c4`	2025-12-28 19:46:52 +03:00
Wyatt	260eedf8c4	fix: add missing is_domain helper function to x-ui.sh (#3612 ) Some checks failed Release 3X-UI / build (386) (push) Has been cancelled Details Release 3X-UI / build (amd64) (push) Has been cancelled Details Release 3X-UI / build (arm64) (push) Has been cancelled Details Release 3X-UI / build (armv5) (push) Has been cancelled Details Release 3X-UI / build (armv6) (push) Has been cancelled Details Release 3X-UI / build (armv7) (push) Has been cancelled Details Release 3X-UI / build (s390x) (push) Has been cancelled Details Release 3X-UI / Build for Windows (push) Has been cancelled Details The is_domain function was being called in ssl_cert_issue() but was never defined in x-ui.sh, causing 'Invalid domain format' errors for valid domains. Added is_ipv4, is_ipv6, is_ip, and is_domain helper functions to match the definitions in install.sh and update.sh. Co-authored-by: wyatt <wyatt@Wyatts-MacBook-Air.local>	2025-12-28 16:38:26 +01:00
Sanaei	69ccdba734	Self-signed SSL (#3611 ) Some checks are pending Release 3X-UI / build (386) (push) Waiting to run Details Release 3X-UI / build (amd64) (push) Waiting to run Details Release 3X-UI / build (arm64) (push) Waiting to run Details Release 3X-UI / build (armv5) (push) Waiting to run Details Release 3X-UI / build (armv6) (push) Waiting to run Details Release 3X-UI / build (armv7) (push) Waiting to run Details Release 3X-UI / build (s390x) (push) Waiting to run Details Release 3X-UI / Build for Windows (push) Waiting to run Details	2025-12-28 00:03:33 +01:00
Sanaei	3b262cf180	Merge branch 'main' into feature/multi-server-support	2025-09-24 21:27:55 +02:00
Sanaei	4c7249c451	Merge branch 'main' into feature/multi-server-support	2025-09-21 23:55:26 +02:00
Sanaei	edd8b12988	Merge branch 'main' into feature/multi-server-support	2025-09-19 13:24:09 +02:00
Sanaei	5e953bae45	Merge branch 'main' into feature/multi-server-support	2025-09-12 12:17:12 +02:00
Sanaei	747af376f2	Merge branch 'main' into feature/multi-server-support	2025-09-09 20:53:50 +02:00
Sanaei	a3ccccfe52	Merge branch 'main' into feature/multi-server-support	2025-09-08 14:45:59 +02:00
Sanaei	3299d15f28	Merge branch 'main' into feature/multi-server-support	2025-08-14 18:06:16 +02:00
Sanaei	ae82373457	Merge branch 'main' into feature/multi-server-support	2025-08-04 11:22:53 +02:00
Sanaei	d65233cc2c	Merge branch 'main' into feature/multi-server-support	2025-08-04 10:33:41 +02:00
google-labs-jules[bot]	11dc06863e	feat: Add multi-server support for Sanai panel This commit introduces a multi-server architecture to the Sanai panel, allowing you to manage clients across multiple servers from a central panel. Key changes include: - Database Schema: Added a `servers` table to store information about slave servers. - Server Management: Implemented a new service and controller (`MultiServerService` and `MultiServerController`) for CRUD operations on servers. - Web UI: Created a new web page for managing servers, accessible from the sidebar. - Client Synchronization: Modified the `InboundService` to synchronize client additions, updates, and deletions across all active slave servers via a REST API. - API Security: Added an API key authentication middleware to secure the communication between the master and slave panels. - Multi-Server Subscriptions: Updated the subscription service to generate links that include configurations for all active servers. - Installation Script: Modified the `install.sh` script to generate a random API key during installation. Known Issues: - The integration test for client synchronization (`TestInboundServiceSync`) is currently failing. It seems that the API request to the mock slave server is not being sent correctly or the API key is not being included in the request header. Further investigation is needed to resolve this issue.	2025-07-27 17:25:58 +02:00