From 8f5a7b9434758e5cccc21ac278d501c68d110d0b Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Tue, 2 Jun 2026 15:58:48 +0200 Subject: [PATCH] fix(xray): default freedom finalRules to allow-all so reverse egress works xray-core >=26.5 makes the freedom finalRules context-aware: reverse-proxy traffic defaults to "block all targets". The template seeded finalRules with only allow geoip:private, so a bridge could not exit to WAN and reverse proxy silently broke Switch the default direct freedom to a no-condition allow rule, the documented way to restore pre-policy behavior. Unlike an ip-based rule (0.0.0.0/0 or !geoip:private), it does not force per-connection OS DNS resolution under domainStrategy AsIs, so happyEyeballs/AsIs pass-through stay intact. LAN is still blocked by the geoip:private->blocked routing rule, and removing that rule still regains LAN access Note: only affects new configs; existing installs keep their stored finalRules until reset or a follow-up migration.
---
 web/service/config.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/service/config.json b/web/service/config.json
index c8b52d05..4fb17550 100644
--- a/web/service/config.json
+++ b/web/service/config.json
@@ -32,7 +32,7 @@
 "settings": {
 "domainStrategy": "AsIs",
 "finalRules": [
- { "action": "allow", "ip": ["geoip:private"] }
+ { "action": "allow" }
 ]
 },
 "tag": "direct"
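Review bot: With `{ "action": "allow" }` as the only entry in `finalRules`, the `direct` outbound no longer restricts any destination itself, so keeping traffic off private ranges depends entirely on the `geoip:private` -> `blocked` routing rule that the commit message cites and that lies outside this hunk. An IP-based routing rule presumably matches only destinations that are already IP addresses unless routing resolves domains first, so a hostname that resolves to a private address may still reach this outbound; it is worth confirming that the template's routing `domainStrategy` covers that case. JSON has no comment syntax, so I would record the dependency wherever the template is documented, e.g. `direct allows all targets; LAN isolation relies on the geoip:private routing rule`, and add a check that the default template keeps that rule. The enclosing outbound object starts and ends outside the hunk.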