fix(xray): default freedom finalRules to allow-all so reverse egress works

xray-core >=26.5 makes the freedom finalRules context-aware: reverse-proxy traffic defaults to "block all targets". The template seeded finalRules with only allow geoip:private, so a bridge could not exit to WAN and reverse proxy silently broke Switch the default direct freedom to a no-condition allow rule, the documented way to restore pre-policy behavior. Unlike an ip-based rule (0.0.0.0/0 or !geoip:private), it does not force per-connection OS DNS resolution under domainStrategy AsIs, so happyEyeballs/AsIs pass-through stay intact. LAN is still blocked by the geoip:private->blocked routing rule, and removing that rule still regains LAN access Note: only affects new configs; existing installs keep their stored finalRules until reset or a follow-up migration.
2026-06-03 02:49:36 +00:00 · 2026-06-02 15:58:48 +02:00
parent 1e3c186b2c
commit 8f5a7b9434
1 changed files with 1 additions and 1 deletions
--- a/web/service/config.json
+++ b/web/service/config.json
@@ -32,7 +32,7 @@
      "settings": {
        "domainStrategy": "AsIs",
        "finalRules": [
-          { "action": "allow", "ip": ["geoip:private"] }
+          { "action": "allow" }
        ]
      },
      "tag": "direct"