#!/bin/bash red='\033[0;31m' green='\033[0;32m' blue='\033[0;34m' yellow='\033[0;33m' plain='\033[0m' cur_dir=$(pwd) xui_folder="${XUI_MAIN_FOLDER:=/usr/local/x-ui}" xui_service="${XUI_SERVICE:=/etc/systemd/system}" # check root [[ $EUID -ne 0 ]] && echo -e "${red}Fatal error: ${plain} Please run this script with root privilege \n " && exit 1 # Check OS and set release variable if [[ -f /etc/os-release ]]; then source /etc/os-release release=$ID elif [[ -f /usr/lib/os-release ]]; then source /usr/lib/os-release release=$ID else echo "Failed to check the system OS, please contact the author!" >&2 exit 1 fi echo "The OS release is: $release" arch() { case "$(uname -m)" in x86_64 | x64 | amd64) echo 'amd64' ;; i*86 | x86) echo '386' ;; armv8* | armv8 | arm64 | aarch64) echo 'arm64' ;; armv7* | armv7 | arm) echo 'armv7' ;; armv6* | armv6) echo 'armv6' ;; armv5* | armv5) echo 'armv5' ;; s390x) echo 's390x' ;; *) echo -e "${green}Unsupported CPU architecture! ${plain}" && rm -f install.sh && exit 1 ;; esac } echo "Arch: $(arch)" # Simple helpers is_ipv4() { [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && return 0 || return 1 } is_ipv6() { [[ "$1" =~ : ]] && return 0 || return 1 } is_ip() { is_ipv4 "$1" || is_ipv6 "$1" } is_domain() { [[ "$1" =~ ^([A-Za-z0-9](-*[A-Za-z0-9])*\.)+(xn--[a-z0-9]{2,}|[A-Za-z]{2,})$ ]] && return 0 || return 1 } # Port helpers is_port_in_use() { local port="$1" if command -v ss >/dev/null 2>&1; then ss -ltn 2>/dev/null | awk -v p=":${port}$" '$4 ~ p {exit 0} END {exit 1}' return fi if command -v netstat >/dev/null 2>&1; then netstat -lnt 2>/dev/null | awk -v p=":${port} " '$4 ~ p {exit 0} END {exit 1}' return fi if command -v lsof >/dev/null 2>&1; then lsof -nP -iTCP:${port} -sTCP:LISTEN >/dev/null 2>&1 && return 0 fi return 1 } install_base() { case "${release}" in ubuntu | debian | armbian) apt-get update && apt-get install -y -q curl tar tzdata socat ca-certificates git gcc make unzip ;; fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol) dnf -y update && dnf install -y -q curl tar tzdata socat ca-certificates git gcc make unzip ;; centos) if [[ "${VERSION_ID}" =~ ^7 ]]; then yum -y update && yum install -y curl tar tzdata socat ca-certificates git gcc make unzip else dnf -y update && dnf install -y -q curl tar tzdata socat ca-certificates git gcc make unzip fi ;; arch | manjaro | parch) pacman -Syu && pacman -Syu --noconfirm curl tar tzdata socat ca-certificates git gcc make unzip ;; opensuse-tumbleweed | opensuse-leap) zypper refresh && zypper -q install -y curl tar timezone socat ca-certificates git gcc make unzip ;; alpine) apk update && apk add curl tar tzdata socat ca-certificates git gcc musl-dev make unzip ;; *) apt-get update && apt-get install -y -q curl tar tzdata socat ca-certificates git gcc make unzip ;; esac } # Go version required for building GO_VERSION="1.22.5" install_go() { if command -v go >/dev/null 2>&1; then local current_go=$(go version 2>/dev/null | grep -oP 'go\K[0-9]+\.[0-9]+') local required="1.22" if [[ "$(printf '%s\n' "$required" "$current_go" | sort -V | head -n1)" == "$required" ]]; then echo -e "${green}Go ${current_go} is already installed${plain}" return 0 fi fi echo -e "${green}Installing Go ${GO_VERSION}...${plain}" local go_arch case "$(uname -m)" in x86_64 | x64 | amd64) go_arch="amd64" ;; i*86 | x86) go_arch="386" ;; armv8* | armv8 | arm64 | aarch64) go_arch="arm64" ;; armv7* | armv7 | arm) go_arch="armv6l" ;; armv6* | armv6) go_arch="armv6l" ;; s390x) go_arch="s390x" ;; *) echo -e "${red}Unsupported architecture for Go${plain}"; exit 1 ;; esac curl -4fLo /tmp/go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-${go_arch}.tar.gz" if [[ $? -ne 0 ]]; then echo -e "${red}Failed to download Go${plain}" exit 1 fi rm -rf /usr/local/go tar -C /usr/local -xzf /tmp/go.tar.gz rm -f /tmp/go.tar.gz export PATH="/usr/local/go/bin:$PATH" echo -e "${green}Go $(go version) installed successfully${plain}" } gen_random_string() { local length="$1" local random_string=$(LC_ALL=C tr -dc 'a-zA-Z0-9' /dev/null 2>&1 if [ $? -ne 0 ]; then echo -e "${red}Failed to install acme.sh${plain}" return 1 else echo -e "${green}acme.sh installed successfully${plain}" fi return 0 } setup_ssl_certificate() { local domain="$1" local server_ip="$2" local existing_port="$3" local existing_webBasePath="$4" echo -e "${green}Setting up SSL certificate...${plain}" # Check if acme.sh is installed if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then install_acme if [ $? -ne 0 ]; then echo -e "${yellow}Failed to install acme.sh, skipping SSL setup${plain}" return 1 fi fi # Create certificate directory local certPath="/root/cert/${domain}" mkdir -p "$certPath" # Issue certificate echo -e "${green}Issuing SSL certificate for ${domain}...${plain}" echo -e "${yellow}Note: Port 80 must be open and accessible from the internet${plain}" ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force >/dev/null 2>&1 ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport 80 --force if [ $? -ne 0 ]; then echo -e "${yellow}Failed to issue certificate for ${domain}${plain}" echo -e "${yellow}Please ensure port 80 is open and try again later with: x-ui${plain}" rm -rf ~/.acme.sh/${domain} 2>/dev/null rm -rf "$certPath" 2>/dev/null return 1 fi # Install certificate ~/.acme.sh/acme.sh --installcert -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem \ --reloadcmd "systemctl restart x-ui" >/dev/null 2>&1 if [ $? -ne 0 ]; then echo -e "${yellow}Failed to install certificate${plain}" return 1 fi # Enable auto-renew ~/.acme.sh/acme.sh --upgrade --auto-upgrade >/dev/null 2>&1 # Secure permissions: private key readable only by owner chmod 600 $certPath/privkey.pem 2>/dev/null chmod 644 $certPath/fullchain.pem 2>/dev/null # Set certificate for panel local webCertFile="/root/cert/${domain}/fullchain.pem" local webKeyFile="/root/cert/${domain}/privkey.pem" if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then ${xui_folder}/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile" >/dev/null 2>&1 echo -e "${green}SSL certificate installed and configured successfully!${plain}" return 0 else echo -e "${yellow}Certificate files not found${plain}" return 1 fi } # Issue Let's Encrypt IP certificate with shortlived profile (~6 days validity) # Requires acme.sh and port 80 open for HTTP-01 challenge setup_ip_certificate() { local ipv4="$1" local ipv6="$2" # optional echo -e "${green}Setting up Let's Encrypt IP certificate (shortlived profile)...${plain}" echo -e "${yellow}Note: IP certificates are valid for ~6 days and will auto-renew.${plain}" echo -e "${yellow}Default listener is port 80. If you choose another port, ensure external port 80 forwards to it.${plain}" # Check for acme.sh if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then install_acme if [ $? -ne 0 ]; then echo -e "${red}Failed to install acme.sh${plain}" return 1 fi fi # Validate IP address if [[ -z "$ipv4" ]]; then echo -e "${red}IPv4 address is required${plain}" return 1 fi if ! is_ipv4 "$ipv4"; then echo -e "${red}Invalid IPv4 address: $ipv4${plain}" return 1 fi # Create certificate directory local certDir="/root/cert/ip" mkdir -p "$certDir" # Build domain arguments local domain_args="-d ${ipv4}" if [[ -n "$ipv6" ]] && is_ipv6 "$ipv6"; then domain_args="${domain_args} -d ${ipv6}" echo -e "${green}Including IPv6 address: ${ipv6}${plain}" fi # Set reload command for auto-renewal (add || true so it doesn't fail during first install) local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null || true" # Choose port for HTTP-01 listener (default 80, prompt override) local WebPort="" read -rp "Port to use for ACME HTTP-01 listener (default 80): " WebPort WebPort="${WebPort:-80}" if ! [[ "${WebPort}" =~ ^[0-9]+$ ]] || ((WebPort < 1 || WebPort > 65535)); then echo -e "${red}Invalid port provided. Falling back to 80.${plain}" WebPort=80 fi echo -e "${green}Using port ${WebPort} for standalone validation.${plain}" if [[ "${WebPort}" -ne 80 ]]; then echo -e "${yellow}Reminder: Let's Encrypt still connects on port 80; forward external port 80 to ${WebPort}.${plain}" fi # Ensure chosen port is available while true; do if is_port_in_use "${WebPort}"; then echo -e "${yellow}Port ${WebPort} is in use.${plain}" local alt_port="" read -rp "Enter another port for acme.sh standalone listener (leave empty to abort): " alt_port alt_port="${alt_port// /}" if [[ -z "${alt_port}" ]]; then echo -e "${red}Port ${WebPort} is busy; cannot proceed.${plain}" return 1 fi if ! [[ "${alt_port}" =~ ^[0-9]+$ ]] || ((alt_port < 1 || alt_port > 65535)); then echo -e "${red}Invalid port provided.${plain}" return 1 fi WebPort="${alt_port}" continue else echo -e "${green}Port ${WebPort} is free and ready for standalone validation.${plain}" break fi done # Issue certificate with shortlived profile echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}" ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force >/dev/null 2>&1 ~/.acme.sh/acme.sh --issue \ ${domain_args} \ --standalone \ --server letsencrypt \ --certificate-profile shortlived \ --days 6 \ --httpport ${WebPort} \ --force if [ $? -ne 0 ]; then echo -e "${red}Failed to issue IP certificate${plain}" echo -e "${yellow}Please ensure port ${WebPort} is reachable (or forwarded from external port 80)${plain}" # Cleanup acme.sh data for both IPv4 and IPv6 if specified rm -rf ~/.acme.sh/${ipv4} 2>/dev/null [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2>/dev/null rm -rf ${certDir} 2>/dev/null return 1 fi echo -e "${green}Certificate issued successfully, installing...${plain}" # Install certificate # Note: acme.sh may report "Reload error" and exit non-zero if reloadcmd fails, # but the cert files are still installed. We check for files instead of exit code. ~/.acme.sh/acme.sh --installcert -d ${ipv4} \ --key-file "${certDir}/privkey.pem" \ --fullchain-file "${certDir}/fullchain.pem" \ --reloadcmd "${reloadCmd}" 2>&1 || true # Verify certificate files exist (don't rely on exit code - reloadcmd failure causes non-zero) if [[ ! -f "${certDir}/fullchain.pem" || ! -f "${certDir}/privkey.pem" ]]; then echo -e "${red}Certificate files not found after installation${plain}" # Cleanup acme.sh data for both IPv4 and IPv6 if specified rm -rf ~/.acme.sh/${ipv4} 2>/dev/null [[ -n "$ipv6" ]] && rm -rf ~/.acme.sh/${ipv6} 2>/dev/null rm -rf ${certDir} 2>/dev/null return 1 fi echo -e "${green}Certificate files installed successfully${plain}" # Enable auto-upgrade for acme.sh (ensures cron job runs) ~/.acme.sh/acme.sh --upgrade --auto-upgrade >/dev/null 2>&1 # Secure permissions: private key readable only by owner chmod 600 ${certDir}/privkey.pem 2>/dev/null chmod 644 ${certDir}/fullchain.pem 2>/dev/null # Configure panel to use the certificate echo -e "${green}Setting certificate paths for the panel...${plain}" ${xui_folder}/x-ui cert -webCert "${certDir}/fullchain.pem" -webCertKey "${certDir}/privkey.pem" if [ $? -ne 0 ]; then echo -e "${yellow}Warning: Could not set certificate paths automatically${plain}" echo -e "${yellow}Certificate files are at:${plain}" echo -e " Cert: ${certDir}/fullchain.pem" echo -e " Key: ${certDir}/privkey.pem" else echo -e "${green}Certificate paths configured successfully${plain}" fi echo -e "${green}IP certificate installed and configured successfully!${plain}" echo -e "${green}Certificate valid for ~6 days, auto-renews via acme.sh cron job.${plain}" echo -e "${yellow}acme.sh will automatically renew and reload x-ui before expiry.${plain}" return 0 } # Comprehensive manual SSL certificate issuance via acme.sh ssl_cert_issue() { local existing_webBasePath=$(${xui_folder}/x-ui setting -show true | grep 'webBasePath:' | awk -F': ' '{print $2}' | tr -d '[:space:]' | sed 's#^/##') local existing_port=$(${xui_folder}/x-ui setting -show true | grep 'port:' | awk -F': ' '{print $2}' | tr -d '[:space:]') # check for acme.sh first if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then echo "acme.sh could not be found. Installing now..." cd ~ || return 1 curl -s https://get.acme.sh | sh if [ $? -ne 0 ]; then echo -e "${red}Failed to install acme.sh${plain}" return 1 else echo -e "${green}acme.sh installed successfully${plain}" fi fi # get the domain here, and we need to verify it local domain="" while true; do read -rp "Please enter your domain name: " domain domain="${domain// /}" # Trim whitespace if [[ -z "$domain" ]]; then echo -e "${red}Domain name cannot be empty. Please try again.${plain}" continue fi if ! is_domain "$domain"; then echo -e "${red}Invalid domain format: ${domain}. Please enter a valid domain name.${plain}" continue fi break done echo -e "${green}Your domain is: ${domain}, checking it...${plain}" # check if there already exists a certificate local currentCert=$(~/.acme.sh/acme.sh --list | tail -1 | awk '{print $1}') if [ "${currentCert}" == "${domain}" ]; then local certInfo=$(~/.acme.sh/acme.sh --list) echo -e "${red}System already has certificates for this domain. Cannot issue again.${plain}" echo -e "${yellow}Current certificate details:${plain}" echo "$certInfo" return 1 else echo -e "${green}Your domain is ready for issuing certificates now...${plain}" fi # create a directory for the certificate certPath="/root/cert/${domain}" if [ ! -d "$certPath" ]; then mkdir -p "$certPath" else rm -rf "$certPath" mkdir -p "$certPath" fi # get the port number for the standalone server local WebPort=80 read -rp "Please choose which port to use (default is 80): " WebPort if [[ ${WebPort} -gt 65535 || ${WebPort} -lt 1 ]]; then echo -e "${yellow}Your input ${WebPort} is invalid, will use default port 80.${plain}" WebPort=80 fi echo -e "${green}Will use port: ${WebPort} to issue certificates. Please make sure this port is open.${plain}" # Stop panel temporarily echo -e "${yellow}Stopping panel temporarily...${plain}" systemctl stop x-ui 2>/dev/null || rc-service x-ui stop 2>/dev/null # issue the certificate ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force if [ $? -ne 0 ]; then echo -e "${red}Issuing certificate failed, please check logs.${plain}" rm -rf ~/.acme.sh/${domain} systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null return 1 else echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}" fi # Setup reload command reloadCmd="systemctl restart x-ui || rc-service x-ui restart" echo -e "${green}Default --reloadcmd for ACME is: ${yellow}systemctl restart x-ui || rc-service x-ui restart${plain}" echo -e "${green}This command will run on every certificate issue and renew.${plain}" read -rp "Would you like to modify --reloadcmd for ACME? (y/n): " setReloadcmd if [[ "$setReloadcmd" == "y" || "$setReloadcmd" == "Y" ]]; then echo -e "\n${green}\t1.${plain} Preset: systemctl reload nginx ; systemctl restart x-ui" echo -e "${green}\t2.${plain} Input your own command" echo -e "${green}\t0.${plain} Keep default reloadcmd" read -rp "Choose an option: " choice case "$choice" in 1) echo -e "${green}Reloadcmd is: systemctl reload nginx ; systemctl restart x-ui${plain}" reloadCmd="systemctl reload nginx ; systemctl restart x-ui" ;; 2) echo -e "${yellow}It's recommended to put x-ui restart at the end${plain}" read -rp "Please enter your custom reloadcmd: " reloadCmd echo -e "${green}Reloadcmd is: ${reloadCmd}${plain}" ;; *) echo -e "${green}Keeping default reloadcmd${plain}" ;; esac fi # install the certificate ~/.acme.sh/acme.sh --installcert -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" if [ $? -ne 0 ]; then echo -e "${red}Installing certificate failed, exiting.${plain}" rm -rf ~/.acme.sh/${domain} systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null return 1 else echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}" fi # enable auto-renew ~/.acme.sh/acme.sh --upgrade --auto-upgrade if [ $? -ne 0 ]; then echo -e "${yellow}Auto renew setup had issues, certificate details:${plain}" ls -lah /root/cert/${domain}/ # Secure permissions: private key readable only by owner chmod 600 $certPath/privkey.pem 2>/dev/null chmod 644 $certPath/fullchain.pem 2>/dev/null else echo -e "${green}Auto renew succeeded, certificate details:${plain}" ls -lah /root/cert/${domain}/ # Secure permissions: private key readable only by owner chmod 600 $certPath/privkey.pem 2>/dev/null chmod 644 $certPath/fullchain.pem 2>/dev/null fi # start panel systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null # Prompt user to set panel paths after successful certificate installation read -rp "Would you like to set this certificate for the panel? (y/n): " setPanel if [[ "$setPanel" == "y" || "$setPanel" == "Y" ]]; then local webCertFile="/root/cert/${domain}/fullchain.pem" local webKeyFile="/root/cert/${domain}/privkey.pem" if [[ -f "$webCertFile" && -f "$webKeyFile" ]]; then ${xui_folder}/x-ui cert -webCert "$webCertFile" -webCertKey "$webKeyFile" echo -e "${green}Certificate paths set for the panel${plain}" echo -e "${green}Certificate File: $webCertFile${plain}" echo -e "${green}Private Key File: $webKeyFile${plain}" echo "" echo -e "${green}Access URL: https://${domain}:${existing_port}/${existing_webBasePath}${plain}" echo -e "${yellow}Panel will restart to apply SSL certificate...${plain}" systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null else echo -e "${red}Error: Certificate or private key file not found for domain: $domain.${plain}" fi else echo -e "${yellow}Skipping panel path setting.${plain}" fi return 0 } # Reusable interactive SSL setup (domain or IP) # Sets global `SSL_HOST` to the chosen domain/IP for Access URL usage prompt_and_setup_ssl() { local panel_port="$1" local web_base_path="$2" # expected without leading slash local server_ip="$3" local ssl_choice="" echo -e "${yellow}Choose SSL certificate setup method:${plain}" echo -e "${green}1.${plain} Let's Encrypt for Domain (90-day validity, auto-renews)" echo -e "${green}2.${plain} Let's Encrypt for IP Address (6-day validity, auto-renews)" echo -e "${green}3.${plain} Custom SSL Certificate (Path to existing files)" echo -e "${blue}Note:${plain} Options 1 & 2 require port 80 open. Option 3 requires manual paths." read -rp "Choose an option (default 2 for IP): " ssl_choice ssl_choice="${ssl_choice// /}" # Trim whitespace # Default to 2 (IP cert) if input is empty or invalid (not 1 or 3) if [[ "$ssl_choice" != "1" && "$ssl_choice" != "3" ]]; then ssl_choice="2" fi case "$ssl_choice" in 1) # User chose Let's Encrypt domain option echo -e "${green}Using Let's Encrypt for domain certificate...${plain}" ssl_cert_issue # Extract the domain that was used from the certificate local cert_domain=$(~/.acme.sh/acme.sh --list 2>/dev/null | tail -1 | awk '{print $1}') if [[ -n "${cert_domain}" ]]; then SSL_HOST="${cert_domain}" echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}" else echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}" SSL_HOST="${server_ip}" fi ;; 2) # User chose Let's Encrypt IP certificate option echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}" # Ask for optional IPv6 local ipv6_addr="" read -rp "Do you have an IPv6 address to include? (leave empty to skip): " ipv6_addr ipv6_addr="${ipv6_addr// /}" # Trim whitespace # Stop panel if running (port 80 needed) if [[ $release == "alpine" ]]; then rc-service x-ui stop >/dev/null 2>&1 else systemctl stop x-ui >/dev/null 2>&1 fi setup_ip_certificate "${server_ip}" "${ipv6_addr}" if [ $? -eq 0 ]; then SSL_HOST="${server_ip}" echo -e "${green}✓ Let's Encrypt IP certificate configured successfully${plain}" else echo -e "${red}✗ IP certificate setup failed. Please check port 80 is open.${plain}" SSL_HOST="${server_ip}" fi ;; 3) # User chose Custom Paths (User Provided) option echo -e "${green}Using custom existing certificate...${plain}" local custom_cert="" local custom_key="" local custom_domain="" # 3.1 Request Domain to compose Panel URL later read -rp "Please enter domain name certificate issued for: " custom_domain custom_domain="${custom_domain// /}" # Убираем пробелы # 3.2 Loop for Certificate Path while true; do read -rp "Input certificate path (keywords: .crt / fullchain): " custom_cert # Strip quotes if present custom_cert=$(echo "$custom_cert" | tr -d '"' | tr -d "'") if [[ -f "$custom_cert" && -r "$custom_cert" && -s "$custom_cert" ]]; then break elif [[ ! -f "$custom_cert" ]]; then echo -e "${red}Error: File does not exist! Try again.${plain}" elif [[ ! -r "$custom_cert" ]]; then echo -e "${red}Error: File exists but is not readable (check permissions)!${plain}" else echo -e "${red}Error: File is empty!${plain}" fi done # 3.3 Loop for Private Key Path while true; do read -rp "Input private key path (keywords: .key / privatekey): " custom_key # Strip quotes if present custom_key=$(echo "$custom_key" | tr -d '"' | tr -d "'") if [[ -f "$custom_key" && -r "$custom_key" && -s "$custom_key" ]]; then break elif [[ ! -f "$custom_key" ]]; then echo -e "${red}Error: File does not exist! Try again.${plain}" elif [[ ! -r "$custom_key" ]]; then echo -e "${red}Error: File exists but is not readable (check permissions)!${plain}" else echo -e "${red}Error: File is empty!${plain}" fi done # 3.4 Apply Settings via x-ui binary ${xui_folder}/x-ui cert -webCert "$custom_cert" -webCertKey "$custom_key" >/dev/null 2>&1 # Set SSL_HOST for composing Panel URL if [[ -n "$custom_domain" ]]; then SSL_HOST="$custom_domain" else SSL_HOST="${server_ip}" fi echo -e "${green}✓ Custom certificate paths applied.${plain}" echo -e "${yellow}Note: You are responsible for renewing these files externally.${plain}" systemctl restart x-ui >/dev/null 2>&1 || rc-service x-ui restart >/dev/null 2>&1 ;; *) echo -e "${red}Invalid option. Skipping SSL setup.${plain}" SSL_HOST="${server_ip}" ;; esac } config_after_install() { local existing_hasDefaultCredential=$(${xui_folder}/x-ui setting -show true | grep -Eo 'hasDefaultCredential: .+' | awk '{print $2}') local existing_webBasePath=$(${xui_folder}/x-ui setting -show true | grep -Eo 'webBasePath: .+' | awk '{print $2}' | sed 's#^/##') local existing_port=$(${xui_folder}/x-ui setting -show true | grep -Eo 'port: .+' | awk '{print $2}') # Properly detect empty cert by checking if cert: line exists and has content after it local existing_cert=$(${xui_folder}/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]') local URL_lists=( "https://api4.ipify.org" "https://ipv4.icanhazip.com" "https://v4.api.ipinfo.io/ip" "https://ipv4.myexternalip.com/raw" "https://4.ident.me" "https://check-host.net/ip" ) local server_ip="" for ip_address in "${URL_lists[@]}"; do local response=$(curl -s -w "\n%{http_code}" --max-time 3 "${ip_address}" 2>/dev/null) local http_code=$(echo "$response" | tail -n1) local ip_result=$(echo "$response" | head -n-1 | tr -d '[:space:]') if [[ "${http_code}" == "200" && -n "${ip_result}" ]]; then server_ip="${ip_result}" break fi done if [[ ${#existing_webBasePath} -lt 4 ]]; then if [[ "$existing_hasDefaultCredential" == "true" ]]; then local config_webBasePath=$(gen_random_string 18) local config_username=$(gen_random_string 10) local config_password=$(gen_random_string 10) read -rp "Would you like to customize the Panel Port settings? (If not, a random port will be applied) [y/n]: " config_confirm if [[ "${config_confirm}" == "y" || "${config_confirm}" == "Y" ]]; then read -rp "Please set up the panel port: " config_port echo -e "${yellow}Your Panel Port is: ${config_port}${plain}" else local config_port=$(shuf -i 1024-62000 -n 1) echo -e "${yellow}Generated random port: ${config_port}${plain}" fi ${xui_folder}/x-ui setting -username "${config_username}" -password "${config_password}" -port "${config_port}" -webBasePath "${config_webBasePath}" echo "" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${green} SSL Certificate Setup (MANDATORY) ${plain}" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${yellow}For security, SSL certificate is required for all panels.${plain}" echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}" echo "" prompt_and_setup_ssl "${config_port}" "${config_webBasePath}" "${server_ip}" # Display final credentials and access information echo "" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${green} Panel Installation Complete! ${plain}" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${green}Username: ${config_username}${plain}" echo -e "${green}Password: ${config_password}${plain}" echo -e "${green}Port: ${config_port}${plain}" echo -e "${green}WebBasePath: ${config_webBasePath}${plain}" echo -e "${green}Access URL: https://${SSL_HOST}:${config_port}/${config_webBasePath}${plain}" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${yellow}⚠ IMPORTANT: Save these credentials securely!${plain}" echo -e "${yellow}⚠ SSL Certificate: Enabled and configured${plain}" else local config_webBasePath=$(gen_random_string 18) echo -e "${yellow}WebBasePath is missing or too short. Generating a new one...${plain}" ${xui_folder}/x-ui setting -webBasePath "${config_webBasePath}" echo -e "${green}New WebBasePath: ${config_webBasePath}${plain}" # If the panel is already installed but no certificate is configured, prompt for SSL now if [[ -z "${existing_cert}" ]]; then echo "" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${green} SSL Certificate Setup (RECOMMENDED) ${plain}" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}" echo "" prompt_and_setup_ssl "${existing_port}" "${config_webBasePath}" "${server_ip}" echo -e "${green}Access URL: https://${SSL_HOST}:${existing_port}/${config_webBasePath}${plain}" else # If a cert already exists, just show the access URL echo -e "${green}Access URL: https://${server_ip}:${existing_port}/${config_webBasePath}${plain}" fi fi else if [[ "$existing_hasDefaultCredential" == "true" ]]; then local config_username=$(gen_random_string 10) local config_password=$(gen_random_string 10) echo -e "${yellow}Default credentials detected. Security update required...${plain}" ${xui_folder}/x-ui setting -username "${config_username}" -password "${config_password}" echo -e "Generated new random login credentials:" echo -e "###############################################" echo -e "${green}Username: ${config_username}${plain}" echo -e "${green}Password: ${config_password}${plain}" echo -e "###############################################" else echo -e "${green}Username, Password, and WebBasePath are properly set.${plain}" fi # Existing install: if no cert configured, prompt user for SSL setup # Properly detect empty cert by checking if cert: line exists and has content after it existing_cert=$(${xui_folder}/x-ui setting -getCert true | grep 'cert:' | awk -F': ' '{print $2}' | tr -d '[:space:]') if [[ -z "$existing_cert" ]]; then echo "" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${green} SSL Certificate Setup (RECOMMENDED) ${plain}" echo -e "${green}═══════════════════════════════════════════${plain}" echo -e "${yellow}Let's Encrypt now supports both domains and IP addresses!${plain}" echo "" prompt_and_setup_ssl "${existing_port}" "${existing_webBasePath}" "${server_ip}" echo -e "${green}Access URL: https://${SSL_HOST}:${existing_port}/${existing_webBasePath}${plain}" else echo -e "${green}SSL certificate already configured. No action needed.${plain}" fi fi ${xui_folder}/x-ui migrate } install_x-ui() { # GitHub repo to build from local REPO_URL="https://github.com/yelloduxx/3x-ui.git" local BRANCH="claude/add-trusttunnel-protocol-vZFzn" local BUILD_DIR="/tmp/3x-ui-build" # Install Go if needed install_go # Clone and build from source echo -e "${green}Cloning repository...${plain}" rm -rf "${BUILD_DIR}" git clone --depth 1 --branch "${BRANCH}" "${REPO_URL}" "${BUILD_DIR}" if [[ $? -ne 0 ]]; then echo -e "${red}Failed to clone repository${plain}" exit 1 fi echo -e "${green}Building x-ui from source...${plain}" cd "${BUILD_DIR}" export CGO_ENABLED=1 export CGO_CFLAGS="-D_LARGEFILE64_SOURCE" export PATH="/usr/local/go/bin:$PATH" go build -ldflags "-w -s" -o build/x-ui main.go if [[ $? -ne 0 ]]; then echo -e "${red}Build failed${plain}" exit 1 fi echo -e "${green}Build successful${plain}" # Download Xray-core binary echo -e "${green}Downloading Xray-core...${plain}" local xray_arch case "$(uname -m)" in x86_64 | x64 | amd64) xray_arch="64" ;; i*86 | x86) xray_arch="32" ;; armv8* | armv8 | arm64 | aarch64) xray_arch="arm64-v8a" ;; armv7* | armv7 | arm) xray_arch="arm32-v7a" ;; armv6* | armv6) xray_arch="arm32-v6" ;; s390x) xray_arch="s390x" ;; *) echo -e "${red}Unsupported architecture for Xray${plain}"; exit 1 ;; esac mkdir -p build/bin cd build/bin curl -sfLRO "https://github.com/XTLS/Xray-core/releases/download/v26.2.6/Xray-linux-${xray_arch}.zip" unzip -o "Xray-linux-${xray_arch}.zip" rm -f "Xray-linux-${xray_arch}.zip" geoip.dat geosite.dat mv xray "xray-linux-$(arch)" curl -sfLRO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat curl -sfLRO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat curl -sfLRo geoip_IR.dat https://github.com/chocolate4u/Iran-v2ray-rules/releases/latest/download/geoip.dat curl -sfLRo geosite_IR.dat https://github.com/chocolate4u/Iran-v2ray-rules/releases/latest/download/geosite.dat curl -sfLRo geoip_RU.dat https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geoip.dat curl -sfLRo geosite_RU.dat https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geosite.dat cd "${BUILD_DIR}" # Stop x-ui service and remove old resources if [[ -e ${xui_folder}/ ]]; then if [[ $release == "alpine" ]]; then rc-service x-ui stop 2>/dev/null else systemctl stop x-ui 2>/dev/null fi rm ${xui_folder}/ -rf fi # Install built files mkdir -p ${xui_folder} cp build/x-ui ${xui_folder}/ cp -r build/bin ${xui_folder}/ cp x-ui.sh ${xui_folder}/ # Copy service files into install dir for later detection cp -f x-ui.service.debian ${xui_folder}/ 2>/dev/null cp -f x-ui.service.arch ${xui_folder}/ 2>/dev/null cp -f x-ui.service.rhel ${xui_folder}/ 2>/dev/null # Also copy as generic x-ui.service for fallback case "${release}" in ubuntu | debian | armbian) cp -f x-ui.service.debian ${xui_folder}/x-ui.service 2>/dev/null ;; arch | manjaro | parch) cp -f x-ui.service.arch ${xui_folder}/x-ui.service 2>/dev/null ;; *) cp -f x-ui.service.rhel ${xui_folder}/x-ui.service 2>/dev/null ;; esac cd ${xui_folder} chmod +x x-ui chmod +x x-ui.sh # Check the system's architecture and rename the file accordingly if [[ $(arch) == "armv5" || $(arch) == "armv6" || $(arch) == "armv7" ]]; then mv bin/xray-linux-$(arch) bin/xray-linux-arm chmod +x bin/xray-linux-arm fi chmod +x x-ui bin/xray-linux-$(arch) 2>/dev/null # Install x-ui CLI wrapper cp -f "${xui_folder}/x-ui.sh" /usr/bin/x-ui chmod +x /usr/bin/x-ui mkdir -p /var/log/x-ui # Cleanup build directory rm -rf "${BUILD_DIR}" tag_version="source-build" config_after_install # Etckeeper compatibility if [ -d "/etc/.git" ]; then if [ -f "/etc/.gitignore" ]; then if ! grep -q "x-ui/x-ui.db" "/etc/.gitignore"; then echo "" >> "/etc/.gitignore" echo "x-ui/x-ui.db" >> "/etc/.gitignore" echo -e "${green}Added x-ui.db to /etc/.gitignore for etckeeper${plain}" fi else echo "x-ui/x-ui.db" > "/etc/.gitignore" echo -e "${green}Created /etc/.gitignore and added x-ui.db for etckeeper${plain}" fi fi if [[ $release == "alpine" ]]; then if [ -f "${xui_folder}/x-ui.service.debian" ]; then # Use a simple OpenRC init script cp -f "${xui_folder}/x-ui.service.debian" /etc/init.d/x-ui 2>/dev/null fi # Create OpenRC init script cat > /etc/init.d/x-ui <<'INITEOF' #!/sbin/openrc-run name="x-ui" description="3x-ui panel" command="/usr/local/x-ui/x-ui" command_background=true pidfile="/run/x-ui.pid" directory="/usr/local/x-ui" output_log="/var/log/x-ui/x-ui.log" error_log="/var/log/x-ui/x-ui.log" INITEOF chmod +x /etc/init.d/x-ui rc-update add x-ui rc-service x-ui start else # Install systemd service file if [ -f "${xui_folder}/x-ui.service" ]; then echo -e "${green}Installing systemd service file...${plain}" cp -f "${xui_folder}/x-ui.service" ${xui_service}/x-ui.service else echo -e "${red}Service file not found${plain}" exit 1 fi echo -e "${green}Setting up systemd unit...${plain}" chown root:root ${xui_service}/x-ui.service >/dev/null 2>&1 chmod 644 ${xui_service}/x-ui.service >/dev/null 2>&1 systemctl daemon-reload systemctl enable x-ui systemctl start x-ui fi echo -e "${green}x-ui (built from source)${plain} installation finished, it is running now..." echo -e "" echo -e "┌───────────────────────────────────────────────────────┐ │ ${blue}x-ui control menu usages (subcommands):${plain} │ │ │ │ ${blue}x-ui${plain} - Admin Management Script │ │ ${blue}x-ui start${plain} - Start │ │ ${blue}x-ui stop${plain} - Stop │ │ ${blue}x-ui restart${plain} - Restart │ │ ${blue}x-ui status${plain} - Current Status │ │ ${blue}x-ui settings${plain} - Current Settings │ │ ${blue}x-ui enable${plain} - Enable Autostart on OS Startup │ │ ${blue}x-ui disable${plain} - Disable Autostart on OS Startup │ │ ${blue}x-ui log${plain} - Check logs │ │ ${blue}x-ui banlog${plain} - Check Fail2ban ban logs │ │ ${blue}x-ui update${plain} - Update │ │ ${blue}x-ui legacy${plain} - Legacy version │ │ ${blue}x-ui install${plain} - Install │ │ ${blue}x-ui uninstall${plain} - Uninstall │ └───────────────────────────────────────────────────────┘" } echo -e "${green}Running...${plain}" install_base install_x-ui