fix(panel): normalize XHTTP/sockopt/Reality wire output and validate REALITY target (#4988)

* fix(panel): normalize XHTTP/sockopt/Reality wire output and validate REALITY target Strip mode-specific XHTTP fields for stream-one, reset harmful sockopt defaults to 0, split server/client Reality fields on save, validate target host:port in the inbound form, and expose Happy Eyeballs for the direct freedom outbound. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(panel): keep REALITY public key on the wire, guard freedom noises The REALITY server/client wire split deleted realitySettings.settings on save, but the panel stores the REALITY public key there and every share-link / subscription generator reads it back from that path (frontend inbound-link.ts, Go subService/subJsonService/subClashService). Stripping it produced empty pbk= links, breaking client connectivity after save+reload. Revert the reality normalization (drop normalizeRealityForWire and the key sets), restore the inbound REALITY form fields (uTLS, spiderX, publicKey, mldsa65Verify) while keeping the new validated target field, and restore the mldsa65Verify clear handler. Also guard freedomToWire against undefined noises/finalRules (same defensive treatment as the existing fragment guard, issue #4686) which the new freedom-outbound test surfaced as a crash. Tests now assert the public key is preserved. --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
2026-06-08 13:24:33 +00:00 · 2026-06-06 04:10:32 +03:30
parent e409bc305d
commit 6ed6f57b5c
11 changed files with 616 additions and 23 deletions
--- a/web/translation/en-US.json
+++ b/web/translation/en-US.json
@@ -560,6 +560,7 @@
        "tcpMaxSeg": "TCP Max Seg",
        "tcpUserTimeout": "TCP User Timeout",
        "tcpWindowClamp": "TCP Window Clamp",
+        "tcpWindowClampHint": "Leave 0 to use the OS default. Non-zero values cap the advertised TCP receive window; values like 600 (from the Xray docs example) can collapse throughput on high-latency links.",
        "tcpFastOpen": "TCP Fast Open",
        "multipathTcp": "Multipath TCP",
        "penetrate": "Penetrate",
@@ -598,6 +599,10 @@
        "minClientVer": "Min Client Ver",
        "maxClientVer": "Max Client Ver",
        "shortIds": "Short IDs",
+        "realityTargetHint": "Required. Must include a port (e.g. example.com:443). Without a port Xray-core refuses to start.",
+        "realityTargetRequired": "REALITY target is required",
+        "realityTargetNeedsPort": "REALITY target must include a port (e.g. example.com:443)",
+        "realityTargetInvalidPort": "REALITY target has an invalid port",
        "spiderX": "SpiderX",
        "getNewCert": "Get New Cert",
        "mldsa65Seed": "mldsa65 Seed",
@@ -1178,6 +1183,9 @@
      "TemplateDesc": "The final Xray config file will be generated based on this template.",
      "FreedomStrategy": "Freedom Protocol Strategy",
      "FreedomStrategyDesc": "Set the output strategy for the network in the Freedom Protocol.",
+      "FreedomHappyEyeballs": "Freedom Happy Eyeballs (IPv4/IPv6)",
+      "FreedomHappyEyeballsDesc": "Dual-stack dialing for the direct (freedom) outbound — useful on exit servers with both IPv4 and IPv6.",
+      "FreedomHappyEyeballsTryDelayDesc": "Milliseconds before trying the alternate address family. 150–250 ms is a good starting point.",
      "RoutingStrategy": "Overall Routing Strategy",
      "RoutingStrategyDesc": "Set the overall traffic routing strategy for resolving all requests.",
      "outboundTestUrl": "Outbound Test URL",