A setting row whose value column is empty or NULL (seen on some migrated databases) was parsed directly, so getInt/getBool and the GetAllSetting reflection path crashed with 'strconv.Atoi: parsing "": invalid syntax'. This made the Inbounds page (/defaultSettings -> GetPageSize) and the Settings page fail to load.
Treat an empty stored value the same as a missing row and fall back to the built-in default at the int/bool parse sites. String getters are unchanged, so legitimately-empty string settings stay empty.
Closes#4830
resolveInboundAddress stopped using the inbound's bind Listen in 3.2.5/3.2.6, so a per-inbound Address/IP no longer appeared in generated subscription/share links - they always used the host the subscriber reached the panel on. The frontend QR path still honored Listen, so the panel and the subscription disagreed (issue #4798).
Restore advertising Listen when it is a routable host (real IP or hostname), reusing isRoutableHost and excluding unix-domain sockets. Loopback/wildcard binds still fall back to the subscriber host, keeping the earlier loopback-leak fix intact. Precedence is now node address > routable Listen > subscriber host; External Proxy still overrides everything.
Closes#4798
check_status() only recognized a systemd service or Alpine's
/etc/init.d/x-ui, neither of which exists in a container where the panel
runs as the foreground main process (PID 1 via "exec /app/x-ui"). Every
CLI command therefore failed with "Please install the panel first", and
restart/restart-xray relied on rc-service/systemctl that aren't present.
Detect the container (/.dockerenv or XUI_IN_DOCKER) and, when inside one:
- resolve the panel binary under /app instead of /usr/local/x-ui
- derive status from the running process instead of a service file
- restart via SIGHUP and restart-xray via SIGUSR1 to the panel process
- show Docker-appropriate guidance for start/stop/enable/disable
The Dockerfile sets XUI_IN_DOCKER/XUI_MAIN_FOLDER so detection is
explicit even though /.dockerenv alone suffices.
Closes#4817
Hysteria2 clients backed by Xray-core hex-decode the pinSHA256 URI param and crash on the base64 value the panel stores for pinnedPeerCertSha256 (xray-core native TLS format). Normalize each pin to bare lowercase hex when building the Hysteria link, accepting base64, bare hex, and colon-separated openssl fingerprints; values that are neither are passed through untouched. Applied in both the backend subscription generator and the frontend link builder. The pcs share-link and JSON-sub paths keep base64 for their consumers. Fixes#4818.
The inbounds page and Nodes page checked each client's email against a
single deduped union of every node's online clients, so a client connected
to one node showed as online on every inbound across every node. The local
online set was also derived from the email-keyed client_traffics.last_online
column, which remote-node syncs bump too, leaking remote-only clients onto
local inbounds.
Track online clients per node: the local panel's own xray clients under key
0 (derived from live traffic-poll deltas via RefreshLocalOnline, kept in
memory and independent of the shared last_online column) and each remote
node under its id. Add GetOnlineClientsByNode plus a /clients/onlinesByNode
endpoint and onlineByNode WS field; node.go and the inbounds rollup now scope
online by node. The flat GetOnlineClients union is kept for client-centric and
total-count views (Clients page, dashboard, telegram).
Closes#4809
The d414e186 template change only helps fresh configs; installs already on xray-core >=26.5 keep their stored finalRules of [{allow, geoip:private}], which blocks WAN egress for reverse-proxy traffic (refs #4782, XTLS/Xray-core#6248).
Add a FreedomFinalRulesReverseFix seeder that, on startup, rewrites any freedom outbound whose finalRules is exactly [{allow, ip:[geoip:private]}] to a no-condition [{allow}]. The match is exact, so custom rules (extra keys, other IPs, block actions, multiple rules) are left untouched. Runs once via history_of_seeders and is skipped on fresh installs.
xray-core >=26.5 makes the freedom finalRules context-aware: reverse-proxy traffic defaults to "block all targets". The template seeded finalRules with only allow geoip:private, so a bridge could not exit to WAN and reverse proxy silently broke
Switch the default direct freedom to a no-condition allow rule, the documented way to restore pre-policy behavior. Unlike an ip-based rule (0.0.0.0/0 or !geoip:private), it does not force per-connection OS DNS resolution under domainStrategy AsIs, so happyEyeballs/AsIs pass-through stay intact. LAN is still blocked by the geoip:private->blocked routing rule, and removing that rule still regains LAN access
Note: only affects new configs; existing installs keep their stored finalRules until reset or a follow-up migration.
SyncInbound runs once per inbound and unconditionally overwrites the canonical clients.Flow column. A non-flow inbound (Hysteria, WS, gRPC) strips flow to "", so when it syncs after a VLESS Reality inbound the column is wiped, and the hydrate endpoint returned that empty value — the edit form loaded a blank flow for multi-inbound clients (#4792).
Derive the hydrate flow from the first flow-capable client_inbounds.flow_override instead, which is always correct and order-independent. A non-empty guard in SyncInbound was rejected because it would make flow impossible to clear.
Closes#4792
xray-core hex-decodes pinnedPeerCertSha256 and the panel forwards the value as-is into share links and the JSON subscription, so clients hex-decode it too. The tooltip/placeholder wrongly said base64 (copied from the retired pinnedPeerCertificateChainSha256 field), and the "generate random hash" button emitted base64 via btoa, producing an unusable pin. Tooltip/placeholder now say hex across all locales and the generator emits hex.
Closes#4793
UDP Hop (finalmask.quicParams.udpHop.ports) was configurable but never surfaced in generated configs, so clients kept using the single listening port (#4789).
Share links (frontend genHysteriaLink + sub genHysteriaLink) now keep a numeric port in the authority and carry the hop range as the v2rayN-compatible mport query param, so v2rayN and other System.Uri-based importers can parse the link. Clash output sets mihomos native ports field.
Closes#4789
The pageSize setting described '(0 = disable)' and the inbounds table already treated 0 as show-all, but every validation layer enforced a minimum of 1. Relax the bound to gte=0 in the AllSetting struct tag (source of truth for the generated frontend schemas), regenerate zod, and lower the min on the hand-written schema and the InputNumber control.
The per-client IP log was only filled as a side effect of IP-limit enforcement: Run() scraped the access log only when some client had limitIp>0, so installs without a limit always showed an empty IP log (#4800).
Decouple collection from enforcement: scrape the access log whenever it is available and thread an enforce flag through processLogFile/updateInboundClientIps so banning still only happens for limited clients. The XUI_ENABLE_FAIL2BAN kill-switch is preserved.
Closes#4800
Surface a "Showing X of Y" counter in the clients filter bar that appears whenever a search term or any filter is active, using the server-provided filtered and total counts. Added the showingCount string across all 13 locales.
Closes#4808
Inbound pickers and chips across the Users area, the inbounds attach-clients modals, and the routing rule inbound-tags selector showed the auto-generated tag (in-443-tcp). Show the inbound remark when set, falling back to the tag.
Only display labels change; option values keep using the inbound id (or tag for routing rules, which match inbounds by tag), so filtering, attaching, and saved rules are unaffected. Routing reads remarks via a shared useInboundOptions hook that reuses the existing options query cache.
The pinnedCertSha256 form field unmounts for non-pin TLS modes, so antd dropped it from the onFinish values and Zod rejected the missing string (the user-facing "invalid input"). Make it optional with a default so saving works in every TLS mode.
Saving now runs the connection test first and only persists when the probe is online; the add/update endpoints enforce the same probe so an unreachable node cannot be stored via the API either.
Selecting the http scheme forces TLS verify mode to skip and disables the control, normalized on open for existing http nodes.
http-vs-https probe failures report a clear "set the node scheme to http" message across the test button, save, and the backend gate.
Closes#4794
SQLite to Postgres migration aborted with "copy *model.ClientInbound:
primary key required" on installs whose client_inbounds table exceeds
one read batch (500 rows). gorm's FindInBatches pages between batches
using a single PrioritizedPrimaryField, which composite-key tables
(client_id + inbound_id, no surrogate id) do not have, so it returns
ErrPrimaryKeyRequired once a table holds more than one batch.
Replace FindInBatches in copyTable with explicit LIMIT/OFFSET paging
ordered by the model's primary-key columns. This works for every table
including composite-key ones, keeps memory bounded, and changes no
schema.
Add a Postgres-gated regression test covering a >500-row composite-key
table.
BulkDetach removed one client per (email x inbound) pair, each with its own
settings rewrite, transaction and full SyncInbound. Add delInboundClients to
remove all targeted clients from an inbound in a single pass and group removals
by inbound, turning O(emails x inbounds) write cycles into O(inbounds).
BulkAttach ran the global getAllEmailSubIDs scan once per target inbound via
checkEmailsExistForClients. Compute that snapshot once per call and thread it
through a new internal addInboundClient; the duplicate check is unaffected
because attach reuses each client's existing identity (same subId).
Covered by bulk_clients_test.go: VLESS round-trip (linkage, settings JSON,
idempotency, record survival), skip-unattached, and Trojan key matching.
FetchCertFingerprint must accept any certificate by design: it fetches a
not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin
it. Disabling verification is inherent to that, so go/disabled-certificate-check
cannot be cleared by code changes. Suppress the finding inline, matching the
existing lgtm convention in custom_geo.go.
Remove the trailing .svg extension from shields.io badge image URLs to use content-negotiated badge endpoints (recommended by shields.io). Changes applied to README.md and localized files: README.ar_EG.md, README.es_ES.md, README.fa_IR.md, README.ru_RU.md, README.zh_CN.md.
FetchCertFingerprint read the leaf certificate from a bare insecure TLS
handshake, which CodeQL flagged as go/disabled-certificate-check. The
function intentionally accepts any cert (trust-on-first-use, so the admin
can pin a not-yet-trusted node), so verification cannot be enabled.
Capture the leaf cert inside a VerifyConnection callback instead, matching
the existing pattern in nodeHTTPClientFor that already clears the same
query. Behavior is unchanged.
Rewrite the five translated READMEs (fa, ar, zh, es, ru) to match the overhauled English README: centered badge layout plus Features, Screenshots, Supported Platforms, Database/Docker, Environment Variables, Supported Languages, and Contributing sections. Add Windows to supported platforms and a fallback feature (multiple protocols on one port). Refresh the referenced screenshots.
Open the modal near the top (top: 20) and let the body scroll internally (maxHeight + overflowY auto, overflowX hidden) so the tall vertical-layout form no longer leaves a large gap above and runs off the bottom.
Editing an outbound and re-saving it without real changes left the top Save button stuck enabled, and clicking it never cleared it. The form re-normalizes values into deeply-equal config, so react-query keeps the same configQuery.data reference on refetch and the seed effect that resets the dirty baseline never re-runs. Advance the baseline to the persisted value in saveMut.onSuccess instead of relying solely on the refetch.
Turn the outbound sockopt dialerProxy free-text input into a searchable Select populated with the other outbound tags, so users can build a proxy chain (route one outbound through another) without typing tags by hand. The list excludes the current outbound, so self-reference cycles cannot be selected. A tooltip and placeholder explain the chaining concept. Adds dialerProxyPlaceholder and dialerProxyHint to all 13 locales.
Closes#4446
Honor XUI_ENABLE_FAIL2BAN before running fail2ban-dependent IP-limit work. This avoids spawning fail2ban-client on disabled Docker installs while preserving the default enabled behavior when the env var is unset.
Co-authored-by: Mayurifag <Mayurifag@users.noreply.github.com>
Adds a per-node TLS verification mode to the Add/Edit Node dialog so the panel can reach nodes that serve HTTPS with a self-signed certificate:
- verify (default): normal CA validation.
- skip: InsecureSkipVerify, with a clear UI warning that it drops MITM protection.
- pin: validates the leaf certificate's SHA-256 (base64 or hex) via VerifyConnection while bypassing the default chain/name check — keeps MITM protection for self-signed certs, the secure alternative to skip.
New Node model fields tlsVerifyMode + pinnedCertSha256 (gorm auto-migrated). Probe() selects the HTTP client per node via nodeHTTPClientFor, keeping the SSRF-guarded dialer. A new POST /panel/api/nodes/certFingerprint endpoint (FetchCertFingerprint) lets the UI fetch and pin the node's current certificate in one click. Endpoint documented in api-docs/openapi; i18n added across all locales. Verified end-to-end in Docker (verify rejects, skip bypasses, fetch matches, pin accepts correct / rejects wrong).
UDS listen already worked for proxying (the listen string is passed to xray verbatim and port 0 is accepted), and the Go sub/link layer already ignores the bind listen. The only gap was the frontend resolveAddr, which would put a socket-path listen into share/sub links (e.g. vless://uuid@/run/xray/x.sock:0). resolveAddr now treats a path-style listen (starting with / or @) as having no client-reachable address and falls back to hostOverride/hostname. Adds a test and a Listen-field help hint across all locales.
Menu 20 only exported CF_Key/CF_Email, so a restricted Cloudflare API Token was misread as a Global Key and acme.sh failed with 'invalid domain'. Add a token-or-global-key prompt (default token): an API Token exports CF_Token, the Global Key keeps the previous CF_Key + CF_Email behavior. Also stop echoing the key/token value to the debug log.
Since v3.1.0 every fallback row had to reference a panel inbound via childId, so rows with only a free-form dest (e.g. 8080 or 127.0.0.1:8080 to an external Nginx) were silently dropped at three layers: the frontend save filter, the backend SetByMaster guard, and BuildFallbacksJSON. A row is now valid when it has a child OR an explicit dest; self-references normalize to childId 0, and BuildFallbacksJSON prefers an explicit dest (also fixing rows whose child was deleted). UI gains allowClear on the child picker; help text updated across all locales. Verified end-to-end in Docker: a free-form dest fallback now persists and is injected into the live xray config. Refs #4554, #4639.
Align both raw (TCP) transport forms with the Xray docs: request {version, method, path, headers} + response {version, status, reason, headers}. The outbound form was missing the request.path input, so panel-created outbounds were stuck on GET / and could not match a custom inbound path; add it with the same comma-separated array handling as the inbound. Also drop a stale inbound comment that claimed xray-core ignores the inbound request object, which contradicts both the code and the docs (request and response must match on both sides).
Go's flag package parses '-resetTwoFactor false' as '-resetTwoFactor=true' with a dangling positional 'false', so two-factor auth was always wiped on username/password reset regardless of the prompt answer. Omit the flag in the preserve branch (default is false) and use '-resetTwoFactor=true' in the disable branch.
Unix Domain Socket inbounds (listen path starting with /) use port 0, which xray-core ignores. Validation was hard-locked to a minimum of 1 in three places: the shared Zod PortSchema, the AntD InputNumber, and the Go Inbound model tag. Adds an InboundPortSchema (min 0) for the inbound form/API schemas, makes the port InputNumber min UDS-aware, and relaxes the Inbound model validate tag to gte=0. PortSchema and the Node model stay min 1.
RegWarp now stores config.client_id from the Cloudflare registration, and WarpModal sources the reserved bytes from the live config response (falling back to stored creds). Previously reservedFor read an always-missing client_id, producing an empty reserved array.
Add a self-contained 'PostgreSQL Management' submenu (main-menu option 27) so the panel can be set up and migrated without re-running the remote install script:
- Install PostgreSQL locally (server + client tools + dedicated xui user/db), ported from install.sh so x-ui.sh stays standalone
- Migrate SQLite to PostgreSQL via 'x-ui migrate-db', then write XUI_DB_TYPE/XUI_DB_DSN to the service env file and restart the panel; client tools are ensured first so in-panel backup/restore works for local and external databases
- Service control: status (clusters + port 5432), start, stop, restart, enable autostart, view log, with auto-detected cluster version
A client shared across multiple nodes has a single email-keyed client_traffics row, but each node reports its cumulative up/down. setRemoteTrafficLocked overwrote the row with one node's cumulative, so non-owning nodes hit the create branch and OnConflict-DoNothing, silently dropping their traffic and under-counting the client.
Make the shared row a pure accumulator (like the local path): a new node_client_traffics(node_id, email) baseline table stores each node's last cumulative; the node path converts cumulative to a per-node delta (clamped to the post-reset value on a negative delta) and does up = up + delta. First observation seeds the baseline and adds 0 so upgrades and newly-shared clients are not double-counted. Create-vs-accumulate now keys off global email existence. Baselines are cleaned in DelClientStat, the node sweeps, and NodeService.Delete.
Hysteria links now carry the pinned peer cert under the hysteria2-standard pinSHA256 key instead of pcs (frontend genHysteriaLink + outbound importer round-trip), and the Go subscription generator emits ech from echConfigList. Also drops the dead allowInsecure guard in genHysteriaLink, which read a field that does not exist on TlsClientSettings.
The Subscription-Userinfo header read total/expiry from client_traffics, but in a multi-node setup the master's node sync overwrites those with the node snapshot's zeros, so the header reported total=0; expire=0 even though the panel UI (which reads the clients table) showed the configured limits. AggregateTrafficByEmails now falls back to the clients table for total/expiry when the traffic row is zero, keeping up/down/lastOnline from client_traffics.
The UserPasswordHash seeder bcrypt-hashed user.Password unconditionally, assuming plaintext. If it ran on an already-bcrypt value (DB restore, SQLite<->Postgres switch, history_of_seeders inconsistency on upgrade) it double-hashed the password, locking the admin out with both old and new passwords rejected. Skip any password that is already a bcrypt hash.
Hysteria doesn't use uTLS, but the outbound TLS form's uTLS dropdown only listed concrete fingerprints (chrome, firefox, ...) with no explicit empty entry. Add a None option, matching the inbound TLS form, so the fingerprint can be left empty.
parseHysteria2Link hardcoded alpn to h3 and never read fp, ech, or the fm (finalmask) param, so importing a Hysteria2 client URL as an outbound dropped the configured ALPN, fingerprint, and salamander UDP mask. Parse alpn (falling back to h3 only when absent), fp, ech, and the pcs pinned-cert key, and restore the UDP mask via applyFinalMaskParam.
xray-core reads the bind-interface sockopt as json:"interface", but the schema and forms used interfaceName. Go's JSON unmarshal is case-insensitive, yet interfacename != interface, so the value never reached xray and interface binding silently did nothing. Rename the field across the schema, the inbound/outbound forms, and the golden fixture to match xray-core and the official docs.
genRemark can return an empty string (remark-less inbound, or a remark model that depends on the email the Clash path drops), which was set verbatim as the proxy name. mihomo rejects the whole config on a duplicate name, so two such proxies made the Clash Verge profile vanish on refresh; a single one was dropped from the PROXY group, collapsing it to DIRECT so Rule mode stopped proxying while Global still worked. Guarantee every proxy carries a non-empty, unique name before assembling the group.
The trafficDiff InputNumber and form schema lacked an upper bound, so values above 100 were accepted in the UI but rejected by the backend (gte=0,lte=100), failing the entire settings save with a misleading 'request body failed validation' error. Add max=100 to the input and .max(100) to the schema.
The link-to-JSON importer dropped two VLESS Reality fields:
- pqv (post-quantum ML-DSA-65 verify key) was never parsed; map it back
to realitySettings.mldsa65Verify, matching the inbound link generator.
- encryption was force-reset to 'none' in the form adapter regardless of
the parsed value, discarding post-quantum encryption strings.
Add regression tests for both paths.
The image bundles fail2ban (enabled by default) to enforce per-client IP
limits via iptables, but docker-compose.yml granted no capabilities. The
job logs the ban and fail2ban reports it as banned, yet the iptables
action fails with "Permission denied (you must be root)" and no rule is
inserted, so the client is never actually blocked. Add cap_add
NET_ADMIN/NET_RAW to the service and document the docker run flags.
PR #4699 restored the "keep newest live IP, ban the oldest" policy in
check_client_ip_job.go but left the integration test asserting the old
"protect original, ban newcomer" behavior, so it failed. Update the test
to expect the oldest live IP banned and the newest kept, and fix the now
misleading name/comment on the partitionLiveIps concurrency unit test.
