UDP Hop (finalmask.quicParams.udpHop.ports) was configurable but never surfaced in generated configs, so clients kept using the single listening port (#4789).
Share links (frontend genHysteriaLink + sub genHysteriaLink) now keep a numeric port in the authority and carry the hop range as the v2rayN-compatible mport query param, so v2rayN and other System.Uri-based importers can parse the link. Clash output sets mihomos native ports field.
Closes#4789
The pageSize setting described '(0 = disable)' and the inbounds table already treated 0 as show-all, but every validation layer enforced a minimum of 1. Relax the bound to gte=0 in the AllSetting struct tag (source of truth for the generated frontend schemas), regenerate zod, and lower the min on the hand-written schema and the InputNumber control.
The per-client IP log was only filled as a side effect of IP-limit enforcement: Run() scraped the access log only when some client had limitIp>0, so installs without a limit always showed an empty IP log (#4800).
Decouple collection from enforcement: scrape the access log whenever it is available and thread an enforce flag through processLogFile/updateInboundClientIps so banning still only happens for limited clients. The XUI_ENABLE_FAIL2BAN kill-switch is preserved.
Closes#4800
Surface a "Showing X of Y" counter in the clients filter bar that appears whenever a search term or any filter is active, using the server-provided filtered and total counts. Added the showingCount string across all 13 locales.
Closes#4808
Inbound pickers and chips across the Users area, the inbounds attach-clients modals, and the routing rule inbound-tags selector showed the auto-generated tag (in-443-tcp). Show the inbound remark when set, falling back to the tag.
Only display labels change; option values keep using the inbound id (or tag for routing rules, which match inbounds by tag), so filtering, attaching, and saved rules are unaffected. Routing reads remarks via a shared useInboundOptions hook that reuses the existing options query cache.
The pinnedCertSha256 form field unmounts for non-pin TLS modes, so antd dropped it from the onFinish values and Zod rejected the missing string (the user-facing "invalid input"). Make it optional with a default so saving works in every TLS mode.
Saving now runs the connection test first and only persists when the probe is online; the add/update endpoints enforce the same probe so an unreachable node cannot be stored via the API either.
Selecting the http scheme forces TLS verify mode to skip and disables the control, normalized on open for existing http nodes.
http-vs-https probe failures report a clear "set the node scheme to http" message across the test button, save, and the backend gate.
Closes#4794
SQLite to Postgres migration aborted with "copy *model.ClientInbound:
primary key required" on installs whose client_inbounds table exceeds
one read batch (500 rows). gorm's FindInBatches pages between batches
using a single PrioritizedPrimaryField, which composite-key tables
(client_id + inbound_id, no surrogate id) do not have, so it returns
ErrPrimaryKeyRequired once a table holds more than one batch.
Replace FindInBatches in copyTable with explicit LIMIT/OFFSET paging
ordered by the model's primary-key columns. This works for every table
including composite-key ones, keeps memory bounded, and changes no
schema.
Add a Postgres-gated regression test covering a >500-row composite-key
table.
BulkDetach removed one client per (email x inbound) pair, each with its own
settings rewrite, transaction and full SyncInbound. Add delInboundClients to
remove all targeted clients from an inbound in a single pass and group removals
by inbound, turning O(emails x inbounds) write cycles into O(inbounds).
BulkAttach ran the global getAllEmailSubIDs scan once per target inbound via
checkEmailsExistForClients. Compute that snapshot once per call and thread it
through a new internal addInboundClient; the duplicate check is unaffected
because attach reuses each client's existing identity (same subId).
Covered by bulk_clients_test.go: VLESS round-trip (linkage, settings JSON,
idempotency, record survival), skip-unattached, and Trojan key matching.
FetchCertFingerprint must accept any certificate by design: it fetches a
not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin
it. Disabling verification is inherent to that, so go/disabled-certificate-check
cannot be cleared by code changes. Suppress the finding inline, matching the
existing lgtm convention in custom_geo.go.
Remove the trailing .svg extension from shields.io badge image URLs to use content-negotiated badge endpoints (recommended by shields.io). Changes applied to README.md and localized files: README.ar_EG.md, README.es_ES.md, README.fa_IR.md, README.ru_RU.md, README.zh_CN.md.
FetchCertFingerprint read the leaf certificate from a bare insecure TLS
handshake, which CodeQL flagged as go/disabled-certificate-check. The
function intentionally accepts any cert (trust-on-first-use, so the admin
can pin a not-yet-trusted node), so verification cannot be enabled.
Capture the leaf cert inside a VerifyConnection callback instead, matching
the existing pattern in nodeHTTPClientFor that already clears the same
query. Behavior is unchanged.
Rewrite the five translated READMEs (fa, ar, zh, es, ru) to match the overhauled English README: centered badge layout plus Features, Screenshots, Supported Platforms, Database/Docker, Environment Variables, Supported Languages, and Contributing sections. Add Windows to supported platforms and a fallback feature (multiple protocols on one port). Refresh the referenced screenshots.
Open the modal near the top (top: 20) and let the body scroll internally (maxHeight + overflowY auto, overflowX hidden) so the tall vertical-layout form no longer leaves a large gap above and runs off the bottom.
Editing an outbound and re-saving it without real changes left the top Save button stuck enabled, and clicking it never cleared it. The form re-normalizes values into deeply-equal config, so react-query keeps the same configQuery.data reference on refetch and the seed effect that resets the dirty baseline never re-runs. Advance the baseline to the persisted value in saveMut.onSuccess instead of relying solely on the refetch.
Turn the outbound sockopt dialerProxy free-text input into a searchable Select populated with the other outbound tags, so users can build a proxy chain (route one outbound through another) without typing tags by hand. The list excludes the current outbound, so self-reference cycles cannot be selected. A tooltip and placeholder explain the chaining concept. Adds dialerProxyPlaceholder and dialerProxyHint to all 13 locales.
Closes#4446
Honor XUI_ENABLE_FAIL2BAN before running fail2ban-dependent IP-limit work. This avoids spawning fail2ban-client on disabled Docker installs while preserving the default enabled behavior when the env var is unset.
Co-authored-by: Mayurifag <Mayurifag@users.noreply.github.com>
Adds a per-node TLS verification mode to the Add/Edit Node dialog so the panel can reach nodes that serve HTTPS with a self-signed certificate:
- verify (default): normal CA validation.
- skip: InsecureSkipVerify, with a clear UI warning that it drops MITM protection.
- pin: validates the leaf certificate's SHA-256 (base64 or hex) via VerifyConnection while bypassing the default chain/name check — keeps MITM protection for self-signed certs, the secure alternative to skip.
New Node model fields tlsVerifyMode + pinnedCertSha256 (gorm auto-migrated). Probe() selects the HTTP client per node via nodeHTTPClientFor, keeping the SSRF-guarded dialer. A new POST /panel/api/nodes/certFingerprint endpoint (FetchCertFingerprint) lets the UI fetch and pin the node's current certificate in one click. Endpoint documented in api-docs/openapi; i18n added across all locales. Verified end-to-end in Docker (verify rejects, skip bypasses, fetch matches, pin accepts correct / rejects wrong).
UDS listen already worked for proxying (the listen string is passed to xray verbatim and port 0 is accepted), and the Go sub/link layer already ignores the bind listen. The only gap was the frontend resolveAddr, which would put a socket-path listen into share/sub links (e.g. vless://uuid@/run/xray/x.sock:0). resolveAddr now treats a path-style listen (starting with / or @) as having no client-reachable address and falls back to hostOverride/hostname. Adds a test and a Listen-field help hint across all locales.
Menu 20 only exported CF_Key/CF_Email, so a restricted Cloudflare API Token was misread as a Global Key and acme.sh failed with 'invalid domain'. Add a token-or-global-key prompt (default token): an API Token exports CF_Token, the Global Key keeps the previous CF_Key + CF_Email behavior. Also stop echoing the key/token value to the debug log.
Since v3.1.0 every fallback row had to reference a panel inbound via childId, so rows with only a free-form dest (e.g. 8080 or 127.0.0.1:8080 to an external Nginx) were silently dropped at three layers: the frontend save filter, the backend SetByMaster guard, and BuildFallbacksJSON. A row is now valid when it has a child OR an explicit dest; self-references normalize to childId 0, and BuildFallbacksJSON prefers an explicit dest (also fixing rows whose child was deleted). UI gains allowClear on the child picker; help text updated across all locales. Verified end-to-end in Docker: a free-form dest fallback now persists and is injected into the live xray config. Refs #4554, #4639.
Align both raw (TCP) transport forms with the Xray docs: request {version, method, path, headers} + response {version, status, reason, headers}. The outbound form was missing the request.path input, so panel-created outbounds were stuck on GET / and could not match a custom inbound path; add it with the same comma-separated array handling as the inbound. Also drop a stale inbound comment that claimed xray-core ignores the inbound request object, which contradicts both the code and the docs (request and response must match on both sides).
Go's flag package parses '-resetTwoFactor false' as '-resetTwoFactor=true' with a dangling positional 'false', so two-factor auth was always wiped on username/password reset regardless of the prompt answer. Omit the flag in the preserve branch (default is false) and use '-resetTwoFactor=true' in the disable branch.
Unix Domain Socket inbounds (listen path starting with /) use port 0, which xray-core ignores. Validation was hard-locked to a minimum of 1 in three places: the shared Zod PortSchema, the AntD InputNumber, and the Go Inbound model tag. Adds an InboundPortSchema (min 0) for the inbound form/API schemas, makes the port InputNumber min UDS-aware, and relaxes the Inbound model validate tag to gte=0. PortSchema and the Node model stay min 1.
RegWarp now stores config.client_id from the Cloudflare registration, and WarpModal sources the reserved bytes from the live config response (falling back to stored creds). Previously reservedFor read an always-missing client_id, producing an empty reserved array.
Add a self-contained 'PostgreSQL Management' submenu (main-menu option 27) so the panel can be set up and migrated without re-running the remote install script:
- Install PostgreSQL locally (server + client tools + dedicated xui user/db), ported from install.sh so x-ui.sh stays standalone
- Migrate SQLite to PostgreSQL via 'x-ui migrate-db', then write XUI_DB_TYPE/XUI_DB_DSN to the service env file and restart the panel; client tools are ensured first so in-panel backup/restore works for local and external databases
- Service control: status (clusters + port 5432), start, stop, restart, enable autostart, view log, with auto-detected cluster version
A client shared across multiple nodes has a single email-keyed client_traffics row, but each node reports its cumulative up/down. setRemoteTrafficLocked overwrote the row with one node's cumulative, so non-owning nodes hit the create branch and OnConflict-DoNothing, silently dropping their traffic and under-counting the client.
Make the shared row a pure accumulator (like the local path): a new node_client_traffics(node_id, email) baseline table stores each node's last cumulative; the node path converts cumulative to a per-node delta (clamped to the post-reset value on a negative delta) and does up = up + delta. First observation seeds the baseline and adds 0 so upgrades and newly-shared clients are not double-counted. Create-vs-accumulate now keys off global email existence. Baselines are cleaned in DelClientStat, the node sweeps, and NodeService.Delete.
Hysteria links now carry the pinned peer cert under the hysteria2-standard pinSHA256 key instead of pcs (frontend genHysteriaLink + outbound importer round-trip), and the Go subscription generator emits ech from echConfigList. Also drops the dead allowInsecure guard in genHysteriaLink, which read a field that does not exist on TlsClientSettings.
The Subscription-Userinfo header read total/expiry from client_traffics, but in a multi-node setup the master's node sync overwrites those with the node snapshot's zeros, so the header reported total=0; expire=0 even though the panel UI (which reads the clients table) showed the configured limits. AggregateTrafficByEmails now falls back to the clients table for total/expiry when the traffic row is zero, keeping up/down/lastOnline from client_traffics.
The UserPasswordHash seeder bcrypt-hashed user.Password unconditionally, assuming plaintext. If it ran on an already-bcrypt value (DB restore, SQLite<->Postgres switch, history_of_seeders inconsistency on upgrade) it double-hashed the password, locking the admin out with both old and new passwords rejected. Skip any password that is already a bcrypt hash.
Hysteria doesn't use uTLS, but the outbound TLS form's uTLS dropdown only listed concrete fingerprints (chrome, firefox, ...) with no explicit empty entry. Add a None option, matching the inbound TLS form, so the fingerprint can be left empty.
parseHysteria2Link hardcoded alpn to h3 and never read fp, ech, or the fm (finalmask) param, so importing a Hysteria2 client URL as an outbound dropped the configured ALPN, fingerprint, and salamander UDP mask. Parse alpn (falling back to h3 only when absent), fp, ech, and the pcs pinned-cert key, and restore the UDP mask via applyFinalMaskParam.
xray-core reads the bind-interface sockopt as json:"interface", but the schema and forms used interfaceName. Go's JSON unmarshal is case-insensitive, yet interfacename != interface, so the value never reached xray and interface binding silently did nothing. Rename the field across the schema, the inbound/outbound forms, and the golden fixture to match xray-core and the official docs.
genRemark can return an empty string (remark-less inbound, or a remark model that depends on the email the Clash path drops), which was set verbatim as the proxy name. mihomo rejects the whole config on a duplicate name, so two such proxies made the Clash Verge profile vanish on refresh; a single one was dropped from the PROXY group, collapsing it to DIRECT so Rule mode stopped proxying while Global still worked. Guarantee every proxy carries a non-empty, unique name before assembling the group.
The trafficDiff InputNumber and form schema lacked an upper bound, so values above 100 were accepted in the UI but rejected by the backend (gte=0,lte=100), failing the entire settings save with a misleading 'request body failed validation' error. Add max=100 to the input and .max(100) to the schema.
The link-to-JSON importer dropped two VLESS Reality fields:
- pqv (post-quantum ML-DSA-65 verify key) was never parsed; map it back
to realitySettings.mldsa65Verify, matching the inbound link generator.
- encryption was force-reset to 'none' in the form adapter regardless of
the parsed value, discarding post-quantum encryption strings.
Add regression tests for both paths.
The image bundles fail2ban (enabled by default) to enforce per-client IP
limits via iptables, but docker-compose.yml granted no capabilities. The
job logs the ban and fail2ban reports it as banned, yet the iptables
action fails with "Permission denied (you must be root)" and no rule is
inserted, so the client is never actually blocked. Add cap_add
NET_ADMIN/NET_RAW to the service and document the docker run flags.
PR #4699 restored the "keep newest live IP, ban the oldest" policy in
check_client_ip_job.go but left the integration test asserting the old
"protect original, ban newcomer" behavior, so it failed. Update the test
to expect the oldest live IP banned and the newest kept, and fix the now
misleading name/comment on the partitionLiveIps concurrency unit test.
Rename the DNS rule wire key qtype to qType (reading the legacy qtype on parse for back-compat), add the new rCode response-code field for the return action (omitted when zero), and rename the reject action to return. Align the DNS rule action set across the form dropdown, schema, and adapter to the core's valid values (direct/drop/return/hijack), dropping the never-valid rejectIPv4/rejectIPv6 entries.
Consolidate the eight legacy mKCP/header UDP mask types into a single mkcp-legacy type ({header, value}), simplify xicmp to {dgram, ips}, and add the new realm UDP mask type, matching the updated Xray-core wire format. Update the FinalMask schema enum, the transport form, the mKCP seeding default, and the backend KCP share-link translation. Refresh golden fixtures/snapshots and add backend coverage for the mapping.
The routing-rule tag picker reads inboundTags from the xray config query
(['xray','config']), but refresh() only invalidated the inbounds/clients
buckets. So after adding, editing or deleting an inbound the tag list stayed
stale until a hard refresh wiped the react-query cache. Invalidate the xray
config query too, alongside the existing inbounds-options fix.
