feat(inbound): guard protocol/transport by node core; add http/h2 + xhttp transports

Author: iPmartNetwork

cmd/panel/main.go

@@ -203,7 +203,7 @@ func run(ctx context.Context, log *slog.Logger, logBuf *logbuf.Handler, cfg *con
 	nodeSvc := service.NewNodeService(nodes, h)
 	nodeSvc.SetLogQuerier(h)
 	nodeSvc.SetCoreController(h)
-	inboundSvc := service.NewInboundService(store.Inbounds(), syncSvc)
+	inboundSvc := service.NewInboundService(store.Inbounds(), nodes, syncSvc)
 	outboundSvc := service.NewOutboundService(store.Outbounds(), syncSvc)
 	routingSvc := service.NewRoutingService(store.Routing(), syncSvc)
 	balancerSvc := service.NewBalancerService(store.Balancers(), syncSvc)

internal/core/xray/config.go

@@ -390,6 +390,25 @@ func streamSettings(in domain.Inbound) json.RawMessage {
 			hu["host"] = in.Host[0]
 		}
 		ss["httpupgradeSettings"] = hu
+	case "http", "h2":
+		ss["network"] = "http" // xray's HTTP/2 transport token
+		h := map[string]any{}
+		if in.Path != "" {
+			h["path"] = in.Path
+		}
+		if len(in.Host) > 0 {
+			h["host"] = in.Host
+		}
+		ss["httpSettings"] = h
+	case "xhttp":
+		x := map[string]any{"mode": "auto"}
+		if in.Path != "" {
+			x["path"] = in.Path
+		}
+		if len(in.Host) > 0 {
+			x["host"] = in.Host[0]
+		}
+		ss["xhttpSettings"] = x
 	}
 	return mustRaw(ss)
 }

internal/panel/service/inbound.go

@@ -70,13 +70,47 @@ func provisionSecurity(in *domain.Inbound) {
 // InboundService manages inbounds and reconciles the owning node's live config
 // after every change via the SyncService.
 type InboundService struct {
-	repo port.InboundRepository
-	sync *SyncService
+	repo  port.InboundRepository
+	nodes port.NodeRepository
+	sync  *SyncService
 }
 
 // NewInboundService wires the service.
-func NewInboundService(repo port.InboundRepository, sync *SyncService) *InboundService {
-	return &InboundService{repo: repo, sync: sync}
+func NewInboundService(repo port.InboundRepository, nodes port.NodeRepository, sync *SyncService) *InboundService {
+	return &InboundService{repo: repo, nodes: nodes, sync: sync}
+}
+
+// coreSupports reports whether the given core can run this protocol+network,
+// returning a clear error describing the incompatibility (or nil if supported).
+func coreSupports(core domain.CoreType, proto domain.Protocol, network string) error {
+	if network == "" {
+		network = "tcp"
+	}
+	xrayProtos := map[domain.Protocol]bool{domain.ProtoVMess: true, domain.ProtoVLESS: true, domain.ProtoTrojan: true, domain.ProtoShadowsocks: true}
+	sbProtos := map[domain.Protocol]bool{domain.ProtoVMess: true, domain.ProtoVLESS: true, domain.ProtoTrojan: true, domain.ProtoShadowsocks: true, domain.ProtoHysteria2: true, domain.ProtoTUIC: true}
+	xrayNets := map[string]bool{"tcp": true, "ws": true, "grpc": true, "httpupgrade": true, "http": true, "h2": true, "xhttp": true}
+	sbNets := map[string]bool{"tcp": true, "ws": true, "grpc": true, "httpupgrade": true, "http": true, "h2": true}
+
+	if proto == domain.ProtoWireGuard {
+		return fmt.Errorf("protocol %q is not supported as an inbound on any core", proto)
+	}
+	switch core {
+	case domain.CoreSingbox:
+		if !sbProtos[proto] {
+			return fmt.Errorf("protocol %q is not supported on the sing-box core", proto)
+		}
+		if !sbNets[network] {
+			return fmt.Errorf("transport %q is not supported on the sing-box core", network)
+		}
+	default: // xray (and unspecified)
+		if !xrayProtos[proto] {
+			return fmt.Errorf("protocol %q is not supported on the xray core (use a sing-box node)", proto)
+		}
+		if !xrayNets[network] {
+			return fmt.Errorf("transport %q is not supported on the xray core", network)
+		}
+	}
+	return nil
 }
 
 // CreateInboundInput describes a new inbound.
@@ -103,6 +137,13 @@ func (s *InboundService) Create(ctx context.Context, in CreateInboundInput) (*do
 	if in.Tag == "" || in.Port == 0 {
 		return nil, errors.New("tag and port are required")
 	}
+	node, err := s.nodes.GetByID(ctx, in.NodeID)
+	if err != nil {
+		return nil, errors.New("node not found")
+	}
+	if err := coreSupports(node.Core, in.Protocol, orStr(in.Network, "tcp")); err != nil {
+		return nil, err
+	}
 	inbound := &domain.Inbound{
 		ID:       uuid.New(),
 		NodeID:   in.NodeID,
@@ -161,6 +202,13 @@ func (s *InboundService) Update(ctx context.Context, id uuid.UUID, in UpdateInbo
 	if err != nil {
 		return nil, err
 	}
+	node, err := s.nodes.GetByID(ctx, existing.NodeID)
+	if err != nil {
+		return nil, errors.New("node not found")
+	}
+	if err := coreSupports(node.Core, existing.Protocol, orStr(in.Network, "tcp")); err != nil {
+		return nil, err
+	}
 	existing.Listen = in.Listen
 	existing.Port = in.Port
 	existing.Network = orStr(in.Network, "tcp")

internal/subscription/clash.go

@@ -121,5 +121,15 @@ func applyNetwork(base map[string]any, p Proxy) {
 			opts["headers"] = map[string]any{"Host": p.HostHeader}
 		}
 		base["ws-opts"] = opts
+	case "http", "h2":
+		base["network"] = "h2"
+		opts := map[string]any{}
+		if p.Path != "" {
+			opts["path"] = p.Path
+		}
+		if p.HostHeader != "" {
+			opts["host"] = []string{p.HostHeader}
+		}
+		base["h2-opts"] = opts
 	}
 }

internal/subscription/links.go

@@ -92,6 +92,21 @@ func transportQuery(p Proxy) url.Values {
 		if p.HostHeader != "" {
 			q.Set("host", p.HostHeader)
 		}
+	case "http", "h2":
+		if p.Path != "" {
+			q.Set("path", p.Path)
+		}
+		if p.HostHeader != "" {
+			q.Set("host", p.HostHeader)
+		}
+	case "xhttp":
+		if p.Path != "" {
+			q.Set("path", p.Path)
+		}
+		if p.HostHeader != "" {
+			q.Set("host", p.HostHeader)
+		}
+		q.Set("mode", "auto")
 	}
 	return q
 }