1.8.4 Can't access panel if setupped Listen URL parametr

alireza0 / x-ui

xray panel supporting multi-protocol multi-user expire day & traffic (Vmess & Vless & Trojan & Shadowsocks)

https://t.me/XrayUI

GNU General Public License v3.0

3.03k stars 477 forks source link

1.8.4 Can't access panel if setupped Listen URL parametr #1329

Closed UdoChudo closed 2 months ago

UdoChudo commented 3 months ago

Describe the bug After upgrading x-ui image from 1.8.3 to 1.8.4 i can't access to my panel

My setup: INTERNET -> NGINX with https://example.com/x-ui/ > http://ip:port/x-ui/

To Reproduce Steps to reproduce the behavior:

Setup x-ui to listen Domain (example.com)
Setup x-ui URI path

Setup nginx with example.com/x-ui/ location Nginx Config

location /x-ui/ {
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_read_timeout 52w;
    proxy_pass http://ip:port/x-ui/;
    }

Get access error

pulsarice commented 3 months ago

I have a similar problem on v1.8.4. When Listen Domain is set, access to the panel is not possible. Downgrading to v1.8.3 resolved the issue.

I don't know if this information is helpful: I'm not using Nginx reverse proxy. I'm using cloudflare CDN proxy to access the panel (on a non-standard port, utilizing cloudflare's origin rules to rewrite destination port number)

alireza0 commented 3 months ago

Using Listen Domian is to limit access to the panel only by this domain.

If you have problem, you should debug the proxy and receved requests. You can test it simply by a curl command:

curl -H "Host: example.com" http://ip:port/x-ui

pulsarice commented 3 months ago

x-ui installed on a test VM, no tls, webDomain example.com webBasePath /path/

Version 1.8.3

root@debian:~# curl http://127.0.0.1:54321/path/ -i
HTTP/1.1 403 Forbidden
Date: Sat, 29 Jun 2024 14:58:33 GMT
Content-Length: 0

root@debian:~# curl -H "Host: example.com" http://127.0.0.1:54321/path/ -i
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 29 Jun 2024 14:58:54 GMT
Transfer-Encoding: chunked

<!DOCTYPE html>
<html lang="en">
...

Upgraded to version 1.8.4

root@debian:~# curl http://127.0.0.1:54321/path/ -i
HTTP/1.1 403 Forbidden
Date: Sat, 29 Jun 2024 15:01:54 GMT
Content-Length: 0

root@debian:~# curl -H "Host: example.com" http://127.0.0.1:54321/path/ -i
HTTP/1.1 403 Forbidden
Date: Sat, 29 Jun 2024 15:09:25 GMT
Content-Length: 0

pulsarice commented 3 months ago

I tested something else, If I include port number in Host header, the request succeeds:

version 1.8.4

root@debian:~# curl -H "Host: example.com" http://127.0.0.1:54321/path/ -i
HTTP/1.1 403 Forbidden
Date: Sat, 29 Jun 2024 15:49:13 GMT
Content-Length: 0

root@debian:~# curl -H "Host: example.com:54321" http://127.0.0.1:54321/path/ -i
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 29 Jun 2024 15:49:27 GMT
Transfer-Encoding: chunked

<!DOCTYPE html>
<html lang="en">
...

alireza0 commented 3 months ago

OK! I have found it. It happened after this change: https://github.com/alireza0/x-ui/pull/1252/commits/6c36c19af60d825c64341965dfd055fa8015752b

It seems gin package has an issue with this from long time ago. I will role it back.

alireza0 commented 2 months ago

This problem is now solved and will be available in next release