mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-08 13:24:33 +00:00
e6c1ce9aa9
* feat(nodes): add stable panel GUID identity (multi-hop phase 0) Per-panel autoincrement node ids are meaningless one hop away, so in a chained topology (Node1 -> Node2 -> Node3) the master cannot attribute online clients or inbounds to the physical node that hosts them (#4983). Introduce a stable self-identifier: each panel generates and persists a panelGuid (settings table, mirroring GetSecret), returns it in panel/api/server/status, and the master learns it per node via the heartbeat into a new Node.Guid column. Guarded so an old-build node or a failed probe never clears a known GUID. No behavior change yet - this is the identity foundation Phases 1-2 key on. Refs #4983 * feat(nodes): attribute inbounds to their origin node by GUID (multi-hop phase 1) Add Inbound.OriginNodeGuid: the GUID of the panel that physically hosts an inbound. Empty means this panel's own xray; set means it was synced from a node. SetRemoteTraffic now fills it per synced inbound - keeping a non-empty value the node forwarded from its own sub-node (so a transitive inbound stays attributed to the deepest node across hops), and otherwise attributing the node's own local inbounds to that node's GUID. Empty (old-build node without a GUID) leaves the existing node_id-based attribution untouched. The field rides the existing inbound JSON, so /list propagates it up the chain with no serve-side change. Phase 2 will key per-node online off this instead of the panel-local node_id. Refs #4983 * feat(nodes): key online status by node GUID end-to-end (multi-hop phase 2) Replace the panel-local node-id keying of per-node online status with the stable panelGuid, so a client several hops down a node chain is attributed to the node that physically hosts it instead of the intermediate node it syncs through (#4983). xray/process.go stores each direct node's reported GUID-keyed subtree and merges them (correct at any depth); the service assembles GetOnlineClientsByGuid (own clients under this panel's GUID + every node under its GUID). FetchTrafficSnapshot fetches the new /clients/onlinesByGuid, falling back to the flat /onlines for old-build nodes (keyed under the node's GUID or a master-local synthetic id). The node rollup, the WS onlineByGuid/activeInbounds fields, and the inbounds-page rollup all scope by GUID; local inbounds get their OriginNodeGuid filled with the panel's GUID at serve time so the frontend keys uniformly. Old-build nodes degrade to the prior flat behaviour via the synthetic node:<id> key. Refs #4983 Refs #4983 * feat(nodes): surface transitive sub-nodes on the master (multi-hop phase 3a) Each panel publishes read-only summaries of the nodes it manages via GET /panel/api/server/descendants (node API token). The heartbeat job caches each direct node's summaries; GetNodeTree merges them as transitive model.Node projections (Id 0, Transitive=true, ParentGuid = their parent node's GUID) and recomputes InboundCount/OnlineCount/DepletedCount per origin GUID so a direct node shows only its own inbounds and each sub-node shows its own (#4983). The Nodes-page list endpoint and the heartbeat broadcast now return the tree; GetAll stays direct-only for probing/syncing. One transitive level is surfaced (covers Node1->Node2->Node3); deeper recursion is a follow-up. Backend only - the Nodes-page nested UI lands next. Refs #4983 * feat(nodes): render transitive sub-nodes nested + read-only on the Nodes page (multi-hop phase 3b) The Nodes page now shows a node's downstream sub-nodes (learned via the descendants tree) as indented, read-only rows ordered right under their parent: no enable toggle, probe, edit, delete, update, selection, or history expander - just a 'Sub-node' tag whose tooltip names the parent it is reached through. Desktop table and mobile cards both handle it. Transitive rows are keyed by GUID (their Id is 0) so they don't collide with real nodes (#4983). Rows nest by parentGuid rather than AntD tree-children to avoid clashing with the existing per-row history expander. New labels added to en-US (other locales fall back until translated). Refs #4983 Refs #4983 * i18n(nodes): translate subNode/subNodeTip across all locales Phase 3b added these two Nodes-page keys (read-only sub-node tag + tooltip) only to en-US; fill in the other 12 locales so the multi-hop sub-node UI is fully localized. The {parent} placeholder is preserved in every translation. Refs #4983
536 lines
15 KiB
Go
536 lines
15 KiB
Go
package runtime
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/mhsanaei/3x-ui/v3/database/model"
|
|
"github.com/mhsanaei/3x-ui/v3/logger"
|
|
"github.com/mhsanaei/3x-ui/v3/util/netsafe"
|
|
)
|
|
|
|
const remoteHTTPTimeout = 10 * time.Second
|
|
|
|
var remoteHTTPClient = &http.Client{
|
|
Transport: &http.Transport{
|
|
MaxIdleConns: 64,
|
|
MaxIdleConnsPerHost: 4,
|
|
IdleConnTimeout: 60 * time.Second,
|
|
DialContext: netsafe.SSRFGuardedDialContext,
|
|
},
|
|
}
|
|
|
|
type envelope struct {
|
|
Success bool `json:"success"`
|
|
Msg string `json:"msg"`
|
|
Obj json.RawMessage `json:"obj"`
|
|
}
|
|
|
|
type Remote struct {
|
|
node *model.Node
|
|
|
|
mu sync.RWMutex
|
|
remoteIDByTag map[string]int
|
|
}
|
|
|
|
func NewRemote(n *model.Node) *Remote {
|
|
return &Remote{
|
|
node: n,
|
|
remoteIDByTag: make(map[string]int),
|
|
}
|
|
}
|
|
|
|
func (r *Remote) Name() string { return "node:" + r.node.Name }
|
|
|
|
func (r *Remote) baseURL() (string, error) {
|
|
addr, err := netsafe.NormalizeHost(r.node.Address)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
scheme := r.node.Scheme
|
|
if scheme != "http" && scheme != "https" {
|
|
scheme = "https"
|
|
}
|
|
if r.node.Port <= 0 || r.node.Port > 65535 {
|
|
return "", fmt.Errorf("invalid node port %d", r.node.Port)
|
|
}
|
|
bp := r.node.BasePath
|
|
if bp == "" {
|
|
bp = "/"
|
|
}
|
|
if !strings.HasSuffix(bp, "/") {
|
|
bp += "/"
|
|
}
|
|
u := &url.URL{
|
|
Scheme: scheme,
|
|
Host: net.JoinHostPort(addr, strconv.Itoa(r.node.Port)),
|
|
Path: bp,
|
|
}
|
|
return u.String(), nil
|
|
}
|
|
|
|
func (r *Remote) do(ctx context.Context, method, path string, body any) (*envelope, error) {
|
|
if r.node.ApiToken == "" {
|
|
return nil, errors.New("node has no API token configured")
|
|
}
|
|
|
|
base, err := r.baseURL()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
target := base + strings.TrimPrefix(path, "/")
|
|
|
|
var (
|
|
reqBody io.Reader
|
|
contentType string
|
|
)
|
|
switch b := body.(type) {
|
|
case nil:
|
|
case url.Values:
|
|
reqBody = strings.NewReader(b.Encode())
|
|
contentType = "application/x-www-form-urlencoded"
|
|
default:
|
|
buf, jerr := json.Marshal(b)
|
|
if jerr != nil {
|
|
return nil, fmt.Errorf("marshal body: %w", jerr)
|
|
}
|
|
reqBody = bytes.NewReader(buf)
|
|
contentType = "application/json"
|
|
}
|
|
|
|
cctx, cancel := context.WithTimeout(netsafe.ContextWithAllowPrivate(ctx, r.node.AllowPrivateAddress), remoteHTTPTimeout)
|
|
defer cancel()
|
|
req, err := http.NewRequestWithContext(cctx, method, target, reqBody)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req.Header.Set("Authorization", "Bearer "+r.node.ApiToken)
|
|
req.Header.Set("Accept", "application/json")
|
|
if contentType != "" {
|
|
req.Header.Set("Content-Type", contentType)
|
|
}
|
|
|
|
resp, err := remoteHTTPClient.Do(req)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("%s %s: %w", method, path, err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
raw, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read body: %w", err)
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
return nil, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
|
|
}
|
|
|
|
var env envelope
|
|
if err := json.Unmarshal(raw, &env); err != nil {
|
|
return nil, fmt.Errorf("decode envelope: %w", err)
|
|
}
|
|
if !env.Success {
|
|
return &env, fmt.Errorf("remote: %s", env.Msg)
|
|
}
|
|
return &env, nil
|
|
}
|
|
|
|
func (r *Remote) resolveRemoteID(ctx context.Context, tag string) (int, error) {
|
|
if id, ok := r.cacheGetTag(tag); ok {
|
|
return id, nil
|
|
}
|
|
if err := r.refreshRemoteIDs(ctx); err != nil {
|
|
return 0, err
|
|
}
|
|
if id, ok := r.cacheGetTag(tag); ok {
|
|
return id, nil
|
|
}
|
|
return 0, fmt.Errorf("remote inbound with tag %q not found on node %s", tag, r.node.Name)
|
|
}
|
|
|
|
// cacheGetTag looks up a remote inbound id by tag, tolerating an n<id>- prefix
|
|
// that lives on only one of the two panels: the node may carry the bare tag
|
|
// while the central panel stores the prefixed form, or vice versa.
|
|
func (r *Remote) cacheGetTag(tag string) (int, bool) {
|
|
if id, ok := r.cacheGet(tag); ok {
|
|
return id, true
|
|
}
|
|
prefix := fmt.Sprintf("n%d-", r.node.Id)
|
|
if stripped, found := strings.CutPrefix(tag, prefix); found {
|
|
return r.cacheGet(stripped)
|
|
}
|
|
return r.cacheGet(prefix + tag)
|
|
}
|
|
|
|
func (r *Remote) cacheGet(tag string) (int, bool) {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
id, ok := r.remoteIDByTag[tag]
|
|
return id, ok
|
|
}
|
|
|
|
func (r *Remote) cacheSet(tag string, id int) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
r.remoteIDByTag[tag] = id
|
|
}
|
|
|
|
func (r *Remote) cacheDel(tag string) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
delete(r.remoteIDByTag, tag)
|
|
}
|
|
|
|
func (r *Remote) ListRemoteTags(ctx context.Context) ([]string, error) {
|
|
if err := r.refreshRemoteIDs(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
tags := make([]string, 0, len(r.remoteIDByTag))
|
|
for tag := range r.remoteIDByTag {
|
|
tags = append(tags, tag)
|
|
}
|
|
return tags, nil
|
|
}
|
|
|
|
func (r *Remote) refreshRemoteIDs(ctx context.Context) error {
|
|
env, err := r.do(ctx, http.MethodGet, "panel/api/inbounds/list", nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
var list []struct {
|
|
Id int `json:"id"`
|
|
Tag string `json:"tag"`
|
|
}
|
|
if err := json.Unmarshal(env.Obj, &list); err != nil {
|
|
return fmt.Errorf("decode inbound list: %w", err)
|
|
}
|
|
next := make(map[string]int, len(list))
|
|
for _, ib := range list {
|
|
if ib.Tag == "" {
|
|
continue
|
|
}
|
|
next[ib.Tag] = ib.Id
|
|
}
|
|
r.mu.Lock()
|
|
r.remoteIDByTag = next
|
|
r.mu.Unlock()
|
|
return nil
|
|
}
|
|
|
|
func (r *Remote) AddInbound(ctx context.Context, ib *model.Inbound) error {
|
|
payload := wireInbound(ib)
|
|
env, err := r.do(ctx, http.MethodPost, "panel/api/inbounds/add", payload)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
var created struct {
|
|
Id int `json:"id"`
|
|
Tag string `json:"tag"`
|
|
}
|
|
if len(env.Obj) > 0 {
|
|
if err := json.Unmarshal(env.Obj, &created); err == nil && created.Id > 0 && created.Tag != "" {
|
|
r.cacheSet(created.Tag, created.Id)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (r *Remote) DelInbound(ctx context.Context, ib *model.Inbound) error {
|
|
id, err := r.resolveRemoteID(ctx, ib.Tag)
|
|
if err != nil {
|
|
logger.Warning("remote DelInbound: tag", ib.Tag, "not found on", r.node.Name)
|
|
return nil
|
|
}
|
|
if _, err := r.do(ctx, http.MethodPost, "panel/api/inbounds/del/"+strconv.Itoa(id), nil); err != nil {
|
|
return err
|
|
}
|
|
r.cacheDel(ib.Tag)
|
|
return nil
|
|
}
|
|
|
|
func (r *Remote) UpdateInbound(ctx context.Context, oldIb, newIb *model.Inbound) error {
|
|
id, err := r.resolveRemoteID(ctx, oldIb.Tag)
|
|
if err != nil {
|
|
return r.AddInbound(ctx, newIb)
|
|
}
|
|
payload := wireInbound(newIb)
|
|
if _, err := r.do(ctx, http.MethodPost, "panel/api/inbounds/update/"+strconv.Itoa(id), payload); err != nil {
|
|
return err
|
|
}
|
|
if oldIb.Tag != newIb.Tag {
|
|
r.cacheDel(oldIb.Tag)
|
|
}
|
|
r.cacheSet(newIb.Tag, id)
|
|
return nil
|
|
}
|
|
|
|
func (r *Remote) AddUser(ctx context.Context, ib *model.Inbound, _ map[string]any) error {
|
|
return r.UpdateInbound(ctx, ib, ib)
|
|
}
|
|
|
|
func (r *Remote) RemoveUser(ctx context.Context, ib *model.Inbound, _ string) error {
|
|
return r.UpdateInbound(ctx, ib, ib)
|
|
}
|
|
|
|
func (r *Remote) AddClient(ctx context.Context, ib *model.Inbound, client model.Client) error {
|
|
id, err := r.resolveRemoteID(ctx, ib.Tag)
|
|
if err != nil {
|
|
return fmt.Errorf("remote AddClient: resolve tag %q: %w", ib.Tag, err)
|
|
}
|
|
payload := map[string]any{
|
|
"client": client,
|
|
"inboundIds": []int{id},
|
|
}
|
|
if _, err := r.do(ctx, http.MethodPost, "panel/api/clients/add", payload); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (r *Remote) DeleteUser(ctx context.Context, ib *model.Inbound, email string) error {
|
|
if email == "" {
|
|
return nil
|
|
}
|
|
id, err := r.resolveRemoteID(ctx, ib.Tag)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
body := map[string]any{"inboundIds": []int{id}}
|
|
_, err = r.do(ctx, http.MethodPost,
|
|
"panel/api/clients/"+url.PathEscape(email)+"/detach", body)
|
|
if err == nil {
|
|
return nil
|
|
}
|
|
if strings.Contains(strings.ToLower(err.Error()), "not found") {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
func (r *Remote) UpdateUser(ctx context.Context, ib *model.Inbound, oldEmail string, payload model.Client) error {
|
|
if oldEmail == "" {
|
|
oldEmail = payload.Email
|
|
}
|
|
id, err := r.resolveRemoteID(ctx, ib.Tag)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
path := "panel/api/clients/update/" + url.PathEscape(oldEmail) +
|
|
"?inboundIds=" + strconv.Itoa(id)
|
|
if _, err := r.do(ctx, http.MethodPost, path, payload); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (r *Remote) RestartXray(ctx context.Context) error {
|
|
_, err := r.do(ctx, http.MethodPost, "panel/api/server/restartXrayService", nil)
|
|
return err
|
|
}
|
|
|
|
// UpdatePanel asks the node to run its own official self-updater (update.sh)
|
|
// and restart onto the latest release. The node returns as soon as the job is
|
|
// launched; the new version surfaces on the next heartbeat.
|
|
func (r *Remote) UpdatePanel(ctx context.Context) error {
|
|
_, err := r.do(ctx, http.MethodPost, "panel/api/server/updatePanel", nil)
|
|
return err
|
|
}
|
|
|
|
// WebCertFiles holds a node's own web TLS certificate and key file paths.
|
|
type WebCertFiles struct {
|
|
WebCertFile string `json:"webCertFile"`
|
|
WebKeyFile string `json:"webKeyFile"`
|
|
}
|
|
|
|
// GetWebCertFiles fetches the node's own web TLS certificate/key file paths so
|
|
// the central panel can offer them as the "Set Cert from Panel" default for a
|
|
// node-assigned inbound — those paths exist on the node, the central panel's
|
|
// don't. See issue #4854.
|
|
func (r *Remote) GetWebCertFiles(ctx context.Context) (*WebCertFiles, error) {
|
|
env, err := r.do(ctx, http.MethodGet, "panel/api/server/getWebCertFiles", nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var files WebCertFiles
|
|
if err := json.Unmarshal(env.Obj, &files); err != nil {
|
|
return nil, fmt.Errorf("decode web cert files: %w", err)
|
|
}
|
|
return &files, nil
|
|
}
|
|
|
|
// GetDescendants fetches the node's read-only summaries of the nodes IT
|
|
// manages, so this panel can surface them as transitive sub-nodes in a chained
|
|
// topology (#4983). Best-effort: an old-build node without the endpoint returns
|
|
// an error the caller ignores.
|
|
func (r *Remote) GetDescendants(ctx context.Context) ([]model.NodeSummary, error) {
|
|
env, err := r.do(ctx, http.MethodGet, "panel/api/server/descendants", nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var out []model.NodeSummary
|
|
if len(env.Obj) > 0 {
|
|
if err := json.Unmarshal(env.Obj, &out); err != nil {
|
|
return nil, fmt.Errorf("decode descendants: %w", err)
|
|
}
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (r *Remote) ResetClientTraffic(ctx context.Context, _ *model.Inbound, email string) error {
|
|
_, err := r.do(ctx, http.MethodPost,
|
|
"panel/api/clients/resetTraffic/"+url.PathEscape(email), nil)
|
|
return err
|
|
}
|
|
|
|
func (r *Remote) ResetAllTraffics(ctx context.Context) error {
|
|
_, err := r.do(ctx, http.MethodPost, "panel/api/inbounds/resetAllTraffics", nil)
|
|
return err
|
|
}
|
|
|
|
type TrafficSnapshot struct {
|
|
Inbounds []*model.Inbound
|
|
OnlineEmails []string
|
|
// OnlineTree is the node's GUID-keyed online subtree (its own clients under
|
|
// its panelGuid plus every descendant under theirs). Preferred over the flat
|
|
// OnlineEmails so the master can attribute deeply nested clients to the real
|
|
// node across a chain (#4983). Empty when the node is an old build without
|
|
// the per-GUID endpoint — OnlineEmails is the fallback then.
|
|
OnlineTree map[string][]string
|
|
LastOnlineMap map[string]int64
|
|
}
|
|
|
|
func (r *Remote) FetchTrafficSnapshot(ctx context.Context) (*TrafficSnapshot, error) {
|
|
snap := &TrafficSnapshot{LastOnlineMap: map[string]int64{}}
|
|
|
|
envList, err := r.do(ctx, http.MethodGet, "panel/api/inbounds/list", nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := json.Unmarshal(envList.Obj, &snap.Inbounds); err != nil {
|
|
return nil, fmt.Errorf("decode inbound list: %w", err)
|
|
}
|
|
|
|
// Prefer the GUID-keyed subtree; fall back to the flat list only when the
|
|
// node is an old build without the per-GUID endpoint (#4983).
|
|
envTree, err := r.do(ctx, http.MethodPost, "panel/api/clients/onlinesByGuid", nil)
|
|
if err == nil && len(envTree.Obj) > 0 {
|
|
_ = json.Unmarshal(envTree.Obj, &snap.OnlineTree)
|
|
}
|
|
if len(snap.OnlineTree) == 0 {
|
|
envOnlines, err := r.do(ctx, http.MethodPost, "panel/api/clients/onlines", nil)
|
|
if err != nil {
|
|
logger.Warning("remote", r.node.Name, "onlines fetch failed:", err)
|
|
} else if len(envOnlines.Obj) > 0 {
|
|
_ = json.Unmarshal(envOnlines.Obj, &snap.OnlineEmails)
|
|
}
|
|
}
|
|
|
|
envLastOnline, err := r.do(ctx, http.MethodPost, "panel/api/clients/lastOnline", nil)
|
|
if err != nil {
|
|
logger.Warning("remote", r.node.Name, "lastOnline fetch failed:", err)
|
|
} else if len(envLastOnline.Obj) > 0 {
|
|
_ = json.Unmarshal(envLastOnline.Obj, &snap.LastOnlineMap)
|
|
}
|
|
|
|
return snap, nil
|
|
}
|
|
|
|
func wireInbound(ib *model.Inbound) url.Values {
|
|
v := url.Values{}
|
|
v.Set("total", strconv.FormatInt(ib.Total, 10))
|
|
v.Set("remark", ib.Remark)
|
|
v.Set("enable", strconv.FormatBool(ib.Enable))
|
|
v.Set("expiryTime", strconv.FormatInt(ib.ExpiryTime, 10))
|
|
v.Set("listen", ib.Listen)
|
|
v.Set("port", strconv.Itoa(ib.Port))
|
|
v.Set("protocol", string(ib.Protocol))
|
|
v.Set("settings", ib.Settings)
|
|
v.Set("streamSettings", sanitizeStreamSettingsForRemote(ib.StreamSettings))
|
|
v.Set("tag", ib.Tag)
|
|
v.Set("sniffing", ib.Sniffing)
|
|
if ib.TrafficReset != "" {
|
|
v.Set("trafficReset", ib.TrafficReset)
|
|
}
|
|
return v
|
|
}
|
|
|
|
// sanitizeStreamSettingsForRemote strips file-based TLS certificate paths
|
|
// from the StreamSettings before sending to a remote node, but ONLY when
|
|
// inline certificate content (certificate / key) is also present in the same
|
|
// entry. In that case the file paths are redundant and stripping them avoids
|
|
// confusion when the central panel's local paths don't exist on the remote.
|
|
//
|
|
// When a certificate entry contains ONLY file paths (no inline content) the
|
|
// paths are left untouched: the user explicitly entered paths that exist on
|
|
// the remote node's filesystem, and removing them would leave Xray with TLS
|
|
// configured but no certificate, causing Xray to crash on the remote node.
|
|
func sanitizeStreamSettingsForRemote(streamSettings string) string {
|
|
if streamSettings == "" {
|
|
return streamSettings
|
|
}
|
|
|
|
var stream map[string]any
|
|
if err := json.Unmarshal([]byte(streamSettings), &stream); err != nil {
|
|
return streamSettings
|
|
}
|
|
|
|
tlsSettings, ok := stream["tlsSettings"].(map[string]any)
|
|
if !ok {
|
|
return streamSettings
|
|
}
|
|
|
|
certificates, ok := tlsSettings["certificates"].([]any)
|
|
if !ok {
|
|
return streamSettings
|
|
}
|
|
|
|
changed := false
|
|
for _, cert := range certificates {
|
|
c, ok := cert.(map[string]any)
|
|
if !ok {
|
|
continue
|
|
}
|
|
// Only strip file paths when inline content is present so that the
|
|
// remote Xray still has a valid certificate to use.
|
|
hasCertFile := c["certificateFile"] != nil && c["certificateFile"] != ""
|
|
hasKeyFile := c["keyFile"] != nil && c["keyFile"] != ""
|
|
hasCertInline := isNonEmptySlice(c["certificate"])
|
|
hasKeyInline := isNonEmptySlice(c["key"])
|
|
if hasCertFile && hasCertInline {
|
|
delete(c, "certificateFile")
|
|
changed = true
|
|
}
|
|
if hasKeyFile && hasKeyInline {
|
|
delete(c, "keyFile")
|
|
changed = true
|
|
}
|
|
}
|
|
|
|
if !changed {
|
|
return streamSettings
|
|
}
|
|
out, err := json.Marshal(stream)
|
|
if err != nil {
|
|
return streamSettings
|
|
}
|
|
return string(out)
|
|
}
|
|
|
|
// isNonEmptySlice reports whether v is a non-nil, non-empty JSON array value.
|
|
func isNonEmptySlice(v any) bool {
|
|
s, ok := v.([]any)
|
|
return ok && len(s) > 0
|
|
}
|