The image shipped busybox crond but the entrypoint never started it, and the acme.sh crontab entry vanished on every container recreation, so certificates issued via the panel's SSL menu silently expired after 90 days. The entrypoint now re-registers the acme.sh cron job and starts crond when acme.sh is installed, and docker-compose gains an acme volume so renewal state survives recreation. Closes #5116
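#!/bin/sh
# Container entrypoint for 3x-ui.
#
#   1. When XUI_ENABLE_FAIL2BAN=true, writes the 3x-ipl jail/filter/action
#      files and starts fail2ban.
#   2. When acme.sh is installed (panel SSL menu), re-registers its renewal
#      cron job and starts crond so renewals actually fire.
#   3. execs /app/x-ui so the panel becomes PID 1 and receives signals directly.
#
# Environment:
#   XUI_ENABLE_FAIL2BAN  "true" enables the fail2ban jail (anything else: off)
#   XUI_LOG_FOLDER       directory for the IP-limit logs (default /var/log/x-ui)
#
# Nothing here is fatal: a failing helper is reported on stderr and the panel
# is still started, so a broken fail2ban or crond never takes the panel down.

#######################################
# Print a diagnostic on stderr.
# Arguments: message words
#######################################
warn() {
  printf 'entrypoint: %s\n' "$*" >&2
}

#######################################
# Comma-separated list of ports sshd listens on, taken from every
# "Port N" directive in /etc/ssh/sshd_config. Only digits survive the
# second grep, so the value is safe to splice into the fail2ban action file.
# Outputs: the port list on stdout; "22" when none is configured/readable.
#######################################
ssh_ports() {
  ssh_ports_found=$(grep -oE '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config 2>/dev/null \
    | grep -oE '[0-9]+' \
    | paste -sd, -)
  printf '%s' "${ssh_ports_found:-22}"
}

#######################################
# Port the panel web UI listens on, as reported by the x-ui binary itself.
# Outputs: the port on stdout, or nothing when the binary cannot be queried
#          or the reported value is not a plain number (the value ends up in
#          an iptables multiport rule, so anything else is rejected here).
#######################################
panel_port() {
  panel_port_raw=$(/app/x-ui setting -show true 2>/dev/null | grep -Eo 'port: .+' | awk '{print $2}')
  case "$panel_port_raw" in
    '' | *[!0-9]*) ;;
    *) printf '%s' "$panel_port_raw" ;;
  esac
}

#######################################
# Write the 3x-ipl jail, filter and action files and start fail2ban.
# Globals:   XUI_LOG_FOLDER (read)
# Outputs:   creates $XUI_LOG_FOLDER/3xipl.log and 3xipl-banned.log,
#            /etc/fail2ban/{jail.d,filter.d,action.d}/3x-ipl.conf
#######################################
start_fail2ban() {
  log_folder="${XUI_LOG_FOLDER:-/var/log/x-ui}"
  mkdir -p "$log_folder"
  touch "$log_folder/3xipl.log" "$log_folder/3xipl-banned.log"

  mkdir -p /etc/fail2ban/jail.d /etc/fail2ban/filter.d /etc/fail2ban/action.d

  # Unquoted delimiter on purpose: $log_folder must be expanded into the file.
  cat > /etc/fail2ban/jail.d/3x-ipl.conf << EOF
[3x-ipl]
enabled=true
backend=auto
filter=3x-ipl
action=3x-ipl
logpath=$log_folder/3xipl.log
maxretry=1
findtime=32
bantime=30m
EOF

  # Quoted delimiter: the regex is written verbatim, nothing is expanded.
  # "%%" is fail2ban's escape for a literal "%" in its config parser.
  cat > /etc/fail2ban/filter.d/3x-ipl.conf << 'EOF'
[Definition]
datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S
failregex = \[LIMIT_IP\]\s*Email\s*=\s*<F-USER>.+</F-USER>\s*\|\|\s*Disconnecting OLD IP\s*=\s*<ADDR>\s*\|\|\s*Timestamp\s*=\s*\d+
ignoreregex =
EOF

  # Ports to exempt from the ban so an over-limit proxy client can never lock
  # the administrator out of SSH or the panel. The ban still covers every other
  # TCP/UDP port (including all Xray inbounds), so IP-limit keeps working for
  # inbounds added later without regenerating these files.
  exempt_ports=$(ssh_ports)
  panel=$(panel_port)
  if [ -n "$panel" ]; then
    exempt_ports="$exempt_ports,$panel"
  else
    warn "could not determine the panel port; it will NOT be exempt from fail2ban bans"
  fi

  # "\$(date ...)" is escaped so the substitution is written literally and
  # evaluated by fail2ban at ban/unban time, not when this file is generated.
  # Continuation lines of multi-line values must be indented (INI syntax).
  cat > /etc/fail2ban/action.d/3x-ipl.conf << EOF
[INCLUDES]
before = iptables-allports.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -j f2b-<name>

actionstop = <iptables> -D <chain> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

actionban = <iptables> -I f2b-<name> 1 -s <ip> -p tcp -m multiport ! --dports <exemptports> -j <blocktype>
            <iptables> -I f2b-<name> 1 -s <ip> -p udp -m multiport ! --dports <exemptports> -j <blocktype>
            echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") BAN [Email] = <F-USER> [IP] = <ip> banned for <bantime> seconds." >> $log_folder/3xipl-banned.log

actionunban = <iptables> -D f2b-<name> -s <ip> -p tcp -m multiport ! --dports <exemptports> -j <blocktype>
              <iptables> -D f2b-<name> -s <ip> -p udp -m multiport ! --dports <exemptports> -j <blocktype>
              echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") UNBAN [Email] = <F-USER> [IP] = <ip> unbanned." >> $log_folder/3xipl-banned.log

[Init]
name = default
chain = INPUT
exemptports = $exempt_ports
EOF

  fail2ban-client -x start || warn "fail2ban-client failed to start (exit $?)"
}

#######################################
# Certificate auto-renewal: acme.sh relies on a root crontab entry, but the
# crontab lives in the container filesystem and is lost on every recreation,
# and crond was not started by default. Re-register the job and start crond.
# /root/.acme.sh is expected to be a volume so account/cert state persists.
#######################################
start_acme_cron() {
  # acme.sh is chatty; failures are still surfaced instead of silently dropped.
  /root/.acme.sh/acme.sh --install-cronjob >/dev/null 2>&1 \
    || warn "acme.sh --install-cronjob failed; automatic certificate renewal may not run"

  if command -v crond >/dev/null 2>&1; then
    crond || warn "crond failed to start; acme.sh renewals will not run"
  else
    warn "crond not found in image; acme.sh renewals will not run"
  fi
}

main() {
  if [ "${XUI_ENABLE_FAIL2BAN:-}" = "true" ]; then
    start_fail2ban
  fi

  if [ -f /root/.acme.sh/acme.sh ]; then
    start_acme_cron
  fi

  # Replace the shell so x-ui is PID 1 and gets SIGTERM from the runtime directly.
  exec /app/x-ui
}

main "$@"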