mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-08 21:34:33 +00:00
feat(mtproto): add MTProto (FakeTLS) protocol via managed mtg sidecar (#5076)
* feat(mtproto): add MTProto (FakeTLS) protocol via managed mtg sidecar Xray-core has no mtproto proxy, so mtproto inbounds run as standalone mtg (9seconds/mtg) sidecar processes managed by the panel — one per inbound — and are excluded from the generated Xray config entirely. - model: MTProto protocol constant, validator, and FakeTLS secret helpers (GenerateFakeTLSSecret/HealMtprotoSecret) - mtproto package: per-inbound mtg process manager with reconcile, graceful stop, and best-effort Prometheus traffic scraping - runtime: delegate mtproto inbounds to the mtg manager instead of the Xray gRPC API; skip mtproto when building the Xray config - web: boot reconcile + StopAll wiring, periodic reconcile/traffic job, port-conflict transport, secret healing on inbound add/update - sub: tg:// proxy share-link generation - frontend: protocol option, Zod schema, Protocol tab (FakeTLS domain + regenerable secret), info-modal link, and i18n - provisioning: fetch mtg v2.2.8 in install.sh, DockerInit.sh, and the Linux + Windows release workflows * fix * fix * fix: address Copilot review comments on mtproto PR - web/web.go: create NewMtprotoJob once and reuse for cron + initial run - mtproto/manager.go: StopAll cleans up per-inbound config files on shutdown - mtproto/manager.go: CollectTraffic releases mutex before HTTP scrapes to avoid blocking Ensure/Reconcile/Remove during network I/O - database/model/model.go: panic on crypto/rand failure in mtprotoRandomMiddle instead of silently producing a weak all-zero secret - install.sh: fix chmod to handle renamed bin/mtg-linux-arm on armv5/v6/v7
This commit is contained in:
Sanaei
@@ -3,6 +3,8 @@ package model
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
@@ -29,6 +31,7 @@ const (
|
||||
Mixed Protocol = "mixed"
|
||||
WireGuard Protocol = "wireguard"
|
||||
Hysteria Protocol = "hysteria"
|
||||
MTProto Protocol = "mtproto"
|
||||
)
|
||||
|
||||
// User represents a user account in the 3x-ui panel.
|
||||
@@ -56,7 +59,7 @@ type Inbound struct {
|
||||
// Xray configuration fields
|
||||
Listen string `json:"listen" form:"listen"`
|
||||
Port int `json:"port" form:"port" validate:"gte=0,lte=65535" example:"443"`
|
||||
Protocol Protocol `json:"protocol" form:"protocol" validate:"required,oneof=vmess vless trojan shadowsocks wireguard hysteria http mixed tunnel tun" example:"vless"`
|
||||
Protocol Protocol `json:"protocol" form:"protocol" validate:"required,oneof=vmess vless trojan shadowsocks wireguard hysteria http mixed tunnel tun mtproto" example:"vless"`
|
||||
Settings string `json:"settings" form:"settings"`
|
||||
StreamSettings string `json:"streamSettings" form:"streamSettings"`
|
||||
Tag string `json:"tag" form:"tag" gorm:"unique" example:"in-443-tcp"`
|
||||
@@ -366,6 +369,70 @@ func HealShadowsocksClientMethods(settings string) (string, bool) {
|
||||
return string(out), true
|
||||
}
|
||||
|
||||
// GenerateFakeTLSSecret builds an MTProto FakeTLS secret for the given domain:
|
||||
// the "ee" FakeTLS marker, 16 random bytes, then the domain encoded as hex.
|
||||
// This single value is what mtg's config and the client tg:// link both use.
|
||||
func GenerateFakeTLSSecret(domain string) string {
|
||||
return "ee" + mtprotoRandomMiddle() + hex.EncodeToString([]byte(domain))
|
||||
}
|
||||
|
||||
func mtprotoRandomMiddle() string {
|
||||
buf := make([]byte, 16)
|
||||
if _, err := rand.Read(buf); err != nil {
|
||||
panic(fmt.Errorf("mtproto: crypto/rand read failed: %w", err))
|
||||
}
|
||||
return hex.EncodeToString(buf)
|
||||
}
|
||||
|
||||
// mtprotoSecretMiddle returns the 16-byte random middle of an existing secret
|
||||
// when it is well-formed, otherwise a freshly generated one. Reusing the middle
|
||||
// keeps the secret stable when only the FakeTLS domain changes.
|
||||
func mtprotoSecretMiddle(secret string) string {
|
||||
s := secret
|
||||
if strings.HasPrefix(s, "ee") || strings.HasPrefix(s, "dd") {
|
||||
s = s[2:]
|
||||
}
|
||||
if len(s) >= 32 {
|
||||
mid := s[:32]
|
||||
if _, err := hex.DecodeString(mid); err == nil {
|
||||
return mid
|
||||
}
|
||||
}
|
||||
return mtprotoRandomMiddle()
|
||||
}
|
||||
|
||||
// HealMtprotoSecret normalises an mtproto inbound's settings JSON before the
|
||||
// value leaves for the mtg sidecar or a share link: it rebuilds `secret` so it
|
||||
// is always a valid FakeTLS secret whose trailing domain matches
|
||||
// `fakeTlsDomain`, generating the random middle when one is missing and
|
||||
// rewriting the domain suffix when the domain changed. Returns the rewritten
|
||||
// settings and true when anything changed.
|
||||
func HealMtprotoSecret(settings string) (string, bool) {
|
||||
if settings == "" {
|
||||
return settings, false
|
||||
}
|
||||
var parsed map[string]any
|
||||
if err := json.Unmarshal([]byte(settings), &parsed); err != nil {
|
||||
return settings, false
|
||||
}
|
||||
domain, _ := parsed["fakeTlsDomain"].(string)
|
||||
domain = strings.TrimSpace(domain)
|
||||
if domain == "" {
|
||||
return settings, false
|
||||
}
|
||||
secret, _ := parsed["secret"].(string)
|
||||
expected := "ee" + mtprotoSecretMiddle(secret) + hex.EncodeToString([]byte(domain))
|
||||
if secret == expected {
|
||||
return settings, false
|
||||
}
|
||||
parsed["secret"] = expected
|
||||
out, err := json.MarshalIndent(parsed, "", " ")
|
||||
if err != nil {
|
||||
return settings, false
|
||||
}
|
||||
return string(out), true
|
||||
}
|
||||
|
||||
// Setting stores key-value configuration settings for the 3x-ui panel.
|
||||
type Setting struct {
|
||||
Id int `json:"id" form:"id" gorm:"primaryKey;autoIncrement"`
|
||||
|
||||
Reference in New Issue
Block a user