Xray panel supporting multi-protocol multi-user expire day & traffic & IP limit (Vmess, Vless, Trojan, ShadowSocks, Wireguard, Hysteria, Tunnel, Mixed, HTTP, Tun) https://t.me/XrayUI
Find a file
Volov Vyacheslav 6e0067fca3
Some checks are pending
CI / go-test (push) Waiting to run
CI / codegen (push) Waiting to run
CI / govulncheck (push) Waiting to run
CI / race (push) Waiting to run
CI / fuzz-smoke (push) Waiting to run
CI / golangci (push) Waiting to run
CI / frontend (push) Waiting to run
CodeQL Advanced / Analyze (go) (push) Waiting to run
CodeQL Advanced / Analyze (actions) (push) Waiting to run
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Release 3X-UI / build (386) (push) Waiting to run
Release 3X-UI / build (amd64) (push) Waiting to run
Release 3X-UI / build (arm64) (push) Waiting to run
Release 3X-UI / build (armv5) (push) Waiting to run
Release 3X-UI / build (armv6) (push) Waiting to run
Release 3X-UI / build (armv7) (push) Waiting to run
Release 3X-UI / build (s390x) (push) Waiting to run
Release 3X-UI / Build for Windows (push) Waiting to run
Release 3X-UI / Publish rolling dev release (push) Blocked by required conditions
Deploy Smoke Tests / noninteractive-install (ubuntu-24.04-arm) (push) Waiting to run
Deploy Smoke Tests / noninteractive-install (ubuntu-latest) (push) Waiting to run
docs(settings): clarify Sub Port/Sub Domain double as subscription-link fallback (#5721)
* docs(settings): clarify Sub Port/Sub Domain double as subscription-link fallback

subPort/subDomain are documented purely as the subscription service's own
listen address, but when "Reverse Proxy URI" is empty, GetDefaultSettings
silently reuses them (with the admin API request's own Host header as the
domain fallback) to build the subscription link/QR shown in the panel.
Behind a reverse proxy where the sub service listens on an internal port
and is exposed externally on a different port/domain, this produces a
broken link even though "Reverse Proxy URI" already solves it - nothing
in the UI text pointed to it. Clarify all locales.

* docs(settings): fix wording nits from review (punctuation, CJK parens, es-ES field name)

- en-US/id-ID/pt-BR/tr-TR/uk-UA/ar-EG: add terminating punctuation before
  the appended sentence so it doesn't run on directly after the closing
  parenthesis.
- zh-CN/zh-TW/ja-JP: restore full-width CJK parentheses around the
  pre-existing parenthetical, matching the rest of each file.
- es-ES: subURIDesc referenced "Dominio/Puerto de escucha", but the
  actual field labels in this locale are "Dominio de Escucha" and
  "Puerto de Suscripción".

---------

Co-authored-by: Volov <volovdata@google.com>
2026-07-03 00:03:35 +02:00
.github chore(ci): upgrade claude-bot to Sonnet 5 and set explicit effort levels 2026-07-01 00:43:27 +02:00
.vscode chore: bump dompurify to 3.4.11 and expand VS Code tasks 2026-06-20 22:40:24 +02:00
deploy chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
docs docs: move architecture map into docs/ and refresh it against the live tree 2026-07-02 14:21:21 +02:00
frontend feat(frontend): show client group in the client info modal 2026-07-02 23:58:58 +02:00
internal docs(settings): clarify Sub Port/Sub Domain double as subscription-link fallback (#5721) 2026-07-03 00:03:35 +02:00
media docs(readme): revamp README and sync all translations 2026-06-02 03:03:14 +02:00
tools/openapigen fix: make all self-managed file downloads/installs atomic, with real completion status (#5711) 2026-07-02 18:19:33 +02:00
windows_files Update OpenSSL installer to version 3.6.0 2026-01-05 18:49:30 +01:00
.dockerignore refactor: focused service files, leaf subpackages, and an internal/ layout (#5167) 2026-06-10 15:19:22 +02:00
.env.example feat(xray): add tunnel health monitor (#5480) 2026-06-24 22:01:37 +02:00
.gitattributes chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
.gitignore fix(xray): force full restart for inbounds with a VLESS reverse client 2026-07-01 14:02:13 +02:00
.golangci.yml style: adopt golangci-lint v2 and resolve all findings 2026-06-27 15:42:22 +02:00
.nvmrc Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) 2026-05-13 12:52:52 +02:00
CLAUDE.md docs: move architecture map into docs/ and refresh it against the live tree 2026-07-02 14:21:21 +02:00
CONTRIBUTING.md docs: correct false RTL claim and stale Vite version in CONTRIBUTING.md 2026-06-27 15:48:51 +02:00
docker-compose.yml perf(memory): report real RSS and cut footprint via GOGC + periodic release 2026-06-25 22:16:38 +02:00
DockerEntrypoint.sh fix(iplimit): ban UDP as well as TCP in fail2ban action (#5350) 2026-06-15 17:34:23 +02:00
Dockerfile refactor: focused service files, leaf subpackages, and an internal/ layout (#5167) 2026-06-10 15:19:22 +02:00
DockerInit.sh chore(deps): bump xray-core to v26.6.27 2026-06-27 20:25:45 +02:00
go.mod chore(deps): bump github.com/klauspost/compress from 1.18.6 to 1.19.0 (#5731) 2026-07-02 18:27:34 +02:00
go.sum chore(deps): bump github.com/klauspost/compress from 1.18.6 to 1.19.0 (#5731) 2026-07-02 18:27:34 +02:00
install.sh fix(scripts): avoid rpm package upgrades before installs (#5750) 2026-07-03 00:01:54 +02:00
LICENSE 3x-ui 2023-02-09 22:48:06 +03:30
main.go style: adopt golangci-lint v2 and resolve all findings 2026-06-27 15:42:22 +02:00
Makefile chore: add Makefile as canonical task runner 2026-06-27 15:42:23 +02:00
README.ar_EG.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
README.es_ES.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
README.fa_IR.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
README.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
README.ru_RU.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
README.tr_TR.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
README.zh_CN.md chore(deploy): drop the AWS golden-image build stack 2026-06-26 00:35:34 +02:00
update.sh fix(scripts): avoid rpm package upgrades before installs (#5750) 2026-07-03 00:01:54 +02:00
x-ui.rc fix(alpine): restart_xray uses rc-service; OpenRC reload reads pidfile contents 2026-05-11 09:05:36 +02:00
x-ui.service.arch Update ExecReload command in x-ui.service.debian (#5219) 2026-06-12 12:09:48 +02:00
x-ui.service.debian Update ExecReload command in x-ui.service.debian (#5219) 2026-06-12 12:09:48 +02:00
x-ui.service.rhel Update ExecReload command in x-ui.service.debian (#5219) 2026-06-12 12:09:48 +02:00
x-ui.sh fix(scripts): avoid rpm package upgrades before installs (#5750) 2026-07-03 00:01:54 +02:00

English | فارسی | العربية | 中文 | Español | Русский | Türkçe

3x-ui

Release Build GO Version Downloads License Go Reference Go Report Card

3X-UI is an advanced, open-source web control panel for managing Xray-core servers. It provides a clean, multi-language interface for deploying, configuring, and monitoring a wide range of proxy and VPN protocols — from a single VPS to multi-node deployments.

Built as an enhanced fork of the original X-UI project, 3X-UI adds broader protocol support, improved stability, per-client traffic accounting, and many quality-of-life features.

Important

This project is intended for personal use only. Please do not use it for illegal purposes or in a production environment.

Features

  • Multi-protocol inbounds — VLESS, VMess, Trojan, Shadowsocks, WireGuard, Hysteria2, HTTP, SOCKS (Mixed), Dokodemo-door / Tunnel, and TUN.
  • Modern transports & security — TCP (Raw), mKCP, WebSocket, gRPC, HTTPUpgrade, and XHTTP, secured with TLS, XTLS, and REALITY.
  • Fallbacks — serve multiple protocols on a single port (e.g. VLESS and Trojan on 443) using Xray's fallback support.
  • Per-client management — traffic quotas, expiry dates, IP limits, live online status, and one-click share links, QR codes, and subscriptions.
  • Traffic statistics — per inbound, per client, and per outbound, with reset controls.
  • Multi-node support — manage and scale across multiple servers from a single panel.
  • Outbound & routing — WARP, NordVPN, custom routing rules, load balancers, and outbound proxy chaining.
  • Built-in subscription server with multiple output formats and custom page templates.
  • Telegram bot for remote monitoring and management.
  • RESTful API with in-panel Swagger documentation.
  • Flexible storage — SQLite (default) or PostgreSQL.
  • 13 UI languages with dark and light themes.
  • Fail2ban integration for enforcing per-client IP limits.

Screenshots

Click to expand Overview Inbounds Add client Configs

Quick Start

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

To install a specific version, append its tag (e.g. v3.4.0):

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh) v3.4.0

To install the rolling dev build (latest per-commit pre-release from main, not a stable release), pass dev-latest:

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh) dev-latest

During installation a random username, password, and access path are generated. After installation, run x-ui to open the management menu, where you can start/stop the service, view or reset your login credentials, manage SSL certificates, and more.

For full documentation, please visit the project Wiki.

Unattended install

The installer also runs non-interactively for cloud-init. Set XUI_NONINTERACTIVE=1 (or pipe with no TTY) and it installs end-to-end with zero prompts, generating random credentials and writing them to /etc/x-ui/install-result.env. See deploy/ for:

Supported Platforms

Operating systems: Ubuntu, Debian, Armbian, Fedora, CentOS, RHEL, AlmaLinux, Rocky Linux, Oracle Linux, Amazon Linux, Virtuozzo, Arch, Manjaro, Parch, openSUSE (Tumbleweed / Leap), Alpine, and Windows.

Architectures: amd64 · 386 · arm64 (aarch64) · armv7 · armv6 · armv5 · s390x.

Database Options

3X-UI supports two backends, chosen during the install:

  • SQLite (default) — a single file at /etc/x-ui/x-ui.db. Zero setup, ideal for small and medium deployments.
  • PostgreSQL — recommended for high client counts or multi-node setups. The installer can install PostgreSQL locally for you, or accept a DSN to an existing server.

At runtime the backend is selected via environment variables (the installer writes these to /etc/default/x-ui for you):

XUI_DB_TYPE=postgres
XUI_DB_DSN=postgres://xui:password@127.0.0.1:5432/xui?sslmode=disable

Migrating an existing SQLite install to PostgreSQL

x-ui migrate-db --dsn "postgres://xui:password@127.0.0.1:5432/xui?sslmode=disable"
# then set XUI_DB_TYPE and XUI_DB_DSN in /etc/default/x-ui and restart:
systemctl restart x-ui

The source SQLite file is left untouched; remove it manually once you have verified the new backend.

Docker

The default docker compose up -d keeps using SQLite. To run with the bundled PostgreSQL service, uncomment the two XUI_DB_* env lines in docker-compose.yml and start with the profile:

docker compose --profile postgres up -d

The image bundles Fail2ban (enabled by default) to enforce per-client IP limits. Fail2ban bans offenders with iptables, which requires the NET_ADMIN capability. docker-compose.yml already grants it via cap_add; if you start the container with docker run instead, add the capabilities yourself, otherwise bans are logged but never applied:

docker run -d --cap-add=NET_ADMIN --cap-add=NET_RAW ... ghcr.io/mhsanaei/3x-ui

Environment Variables

Variable Description Default
XUI_DB_TYPE Database backend: sqlite or postgres sqlite
XUI_DB_DSN PostgreSQL connection string (when XUI_DB_TYPE=postgres)
XUI_DB_FOLDER Directory for the SQLite database file /etc/x-ui
XUI_DB_MAX_OPEN_CONNS Maximum open connections (PostgreSQL pool)
XUI_DB_MAX_IDLE_CONNS Maximum idle connections (PostgreSQL pool)
XUI_INIT_WEB_BASE_PATH The initial URI path for the web panel /
XUI_ENABLE_FAIL2BAN Enable Fail2ban-based IP-limit enforcement true
XUI_LOG_LEVEL Log verbosity (debug, info, warning, error) info
XUI_DEBUG Enable debug mode false
XUI_TUNNEL_HEALTH_MONITOR Enable the tunnel health monitor (probes a URL and restarts xray after repeated failures; a restart drops all clients) false
XUI_TUNNEL_HEALTH_PROXY Proxy the probe is sent through; point it at a local xray inbound so the probe tests the tunnel (e.g. socks5://127.0.0.1:1080). Empty means the probe only checks host connectivity
XUI_TUNNEL_HEALTH_URL URL probed for tunnel health https://www.cloudflare.com/cdn-cgi/trace
XUI_TUNNEL_HEALTH_INTERVAL Interval between probes 30s
XUI_TUNNEL_HEALTH_TIMEOUT Per-probe timeout 10s
XUI_TUNNEL_HEALTH_FAILURES Consecutive failures before a restart is triggered 3
XUI_TUNNEL_HEALTH_COOLDOWN Minimum delay between consecutive restarts 5m

Supported Languages

The panel UI is available in 13 languages:

English · فارسی · العربية · 中文(简体) · 中文(繁體) · Español · Русский · Українська · Türkçe · Tiếng Việt · 日本語 · Bahasa Indonesia · Português (Brasil)

Contributing

Contributions are welcome. Please read the Contributing Guide before opening an issue or pull request.

A Special Thanks to

Acknowledgment

  • Iran v2ray rules (License: GPL-3.0): Enhanced v2ray/xray and v2ray/xray-clients routing rules with built-in Iranian domains and a focus on security and adblocking.
  • Russia v2ray rules (License: GPL-3.0): This repository contains automatically updated V2Ray routing rules based on data on blocked domains and addresses in Russia.

Community Tools

Tools and integrations built by the community around 3x-ui.

  • terraform-provider-3x-ui (License: MIT): Manage inbounds, clients, panel settings, and Xray configuration as code with Terraform / OpenTofu.

Support project

If this project is helpful to you, you may wish to give it a🌟

Buy Me A Coffee
Crypto donation button by NOWPayments

Stargazers over Time

Stargazers over time