infosave2007
2250 lines
97 KiB
PHP
2250 lines
97 KiB
PHP
<?php
|
|
require_once __DIR__ . '/Logger.php';
|
|
|
|
class InstallProtocolManager
|
|
{
|
|
private const DEFAULT_SLUG = 'amnezia-wg';
|
|
private const SESSION_KEY = 'pending_deploy_decisions';
|
|
|
|
private static function resolveAivpnContainerName(VpnServer $server, array $options = []): string
|
|
{
|
|
$serverData = $server->getData();
|
|
$candidates = array_values(array_unique(array_filter([
|
|
trim((string) ($options['container_name'] ?? '')),
|
|
trim((string) ($serverData['container_name'] ?? '')),
|
|
'aivpn-server',
|
|
], static function ($value) {
|
|
return is_string($value) && $value !== '';
|
|
})));
|
|
|
|
$namesRaw = (string) $server->executeCommand("docker ps -a --format '{{.Names}}' 2>/dev/null", true);
|
|
$names = array_values(array_filter(array_map('trim', preg_split('/\r?\n/', $namesRaw) ?: []), static function ($value) {
|
|
return $value !== '';
|
|
}));
|
|
|
|
foreach ($candidates as $candidate) {
|
|
if (in_array($candidate, $names, true)) {
|
|
return $candidate;
|
|
}
|
|
}
|
|
|
|
foreach ($candidates as $candidate) {
|
|
foreach ($names as $name) {
|
|
if (stripos($name, $candidate) !== false) {
|
|
self::persistServerContainerName($server->getId(), $name);
|
|
return $name;
|
|
}
|
|
}
|
|
}
|
|
|
|
foreach ($names as $name) {
|
|
if (stripos($name, 'aivpn-server') !== false || stripos($name, 'aivpn') !== false) {
|
|
self::persistServerContainerName($server->getId(), $name);
|
|
return $name;
|
|
}
|
|
}
|
|
|
|
return $candidates[0] ?? 'aivpn-server';
|
|
}
|
|
|
|
private static function persistServerContainerName(int $serverId, string $containerName): void
|
|
{
|
|
$containerName = trim($containerName);
|
|
if ($serverId <= 0 || $containerName === '') {
|
|
return;
|
|
}
|
|
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('UPDATE vpn_servers SET container_name = ? WHERE id = ?');
|
|
$stmt->execute([$containerName, $serverId]);
|
|
} catch (Throwable $e) {
|
|
}
|
|
}
|
|
|
|
public static function getDefaultSlug(): string
|
|
{
|
|
return self::DEFAULT_SLUG;
|
|
}
|
|
|
|
public static function ensureDefaults(): void
|
|
{
|
|
return;
|
|
}
|
|
|
|
public static function listActive(): array
|
|
{
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->query('SELECT * FROM protocols WHERE is_active = 1 ORDER BY name');
|
|
$rows = $stmt->fetchAll();
|
|
return array_map([self::class, 'hydrateProtocol'], $rows);
|
|
} catch (Throwable $e) {
|
|
return [];
|
|
}
|
|
}
|
|
|
|
public static function getAll(): array
|
|
{
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->query('SELECT * FROM protocols ORDER BY name');
|
|
$rows = $stmt->fetchAll();
|
|
return array_map([self::class, 'hydrateProtocol'], $rows);
|
|
} catch (Throwable $e) {
|
|
return [];
|
|
}
|
|
}
|
|
|
|
public static function getBySlug(string $slug): ?array
|
|
{
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('SELECT * FROM protocols WHERE slug = ? LIMIT 1');
|
|
$stmt->execute([$slug]);
|
|
$row = $stmt->fetch();
|
|
if ($row) {
|
|
return self::hydrateProtocol($row);
|
|
}
|
|
} catch (Throwable $e) {
|
|
}
|
|
return null;
|
|
}
|
|
|
|
public static function getById(int $id): ?array
|
|
{
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('SELECT * FROM protocols WHERE id = ? LIMIT 1');
|
|
$stmt->execute([$id]);
|
|
$row = $stmt->fetch();
|
|
return $row ? self::hydrateProtocol($row) : null;
|
|
} catch (Throwable $e) {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
public static function save(array $data): int
|
|
{
|
|
$pdo = DB::conn();
|
|
$definition = $data['definition'] ?? [];
|
|
if (is_string($definition)) {
|
|
$definition = json_decode($definition, true) ?: [];
|
|
}
|
|
|
|
$definitionJson = json_encode($definition, JSON_UNESCAPED_SLASHES);
|
|
$isActive = isset($data['is_active']) ? (int) $data['is_active'] : 1;
|
|
|
|
if (!empty($data['id'])) {
|
|
$stmt = $pdo->prepare('
|
|
UPDATE install_protocols
|
|
SET slug = ?, name = ?, description = ?, definition = ?, is_active = ?, updated_at = NOW()
|
|
WHERE id = ?
|
|
');
|
|
$stmt->execute([
|
|
$data['slug'],
|
|
$data['name'],
|
|
$data['description'] ?? null,
|
|
$definitionJson,
|
|
$isActive,
|
|
$data['id']
|
|
]);
|
|
return (int) $data['id'];
|
|
}
|
|
|
|
$stmt = $pdo->prepare('
|
|
INSERT INTO install_protocols (slug, name, description, definition, is_active)
|
|
VALUES (?, ?, ?, ?, ?)
|
|
');
|
|
$stmt->execute([
|
|
$data['slug'],
|
|
$data['name'],
|
|
$data['description'] ?? null,
|
|
$definitionJson,
|
|
$isActive
|
|
]);
|
|
|
|
return (int) $pdo->lastInsertId();
|
|
}
|
|
|
|
public static function delete(int $id): void
|
|
{
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('DELETE FROM install_protocols WHERE id = ?');
|
|
$stmt->execute([$id]);
|
|
}
|
|
|
|
public static function deploy(VpnServer $server, array $options = []): array
|
|
{
|
|
$serverData = $server->getData();
|
|
$protocolSlug = $serverData['install_protocol'] ?? null;
|
|
if (!$protocolSlug || trim((string) $protocolSlug) === '') {
|
|
throw new Exception('Install protocol not selected');
|
|
}
|
|
$protocol = self::getBySlug($protocolSlug);
|
|
|
|
Logger::appendInstall($server->getId(), 'Deploy start for protocol ' . $protocolSlug);
|
|
|
|
try {
|
|
if (!$protocol) {
|
|
throw new Exception('Install protocol not found: ' . $protocolSlug);
|
|
}
|
|
|
|
$installMode = $options['install_mode'] ?? null;
|
|
$decisionToken = $options['decision_token'] ?? null;
|
|
$serverId = $server->getId();
|
|
$detectionPayload = null;
|
|
|
|
if (empty($options['skip_connection_test'])) {
|
|
if (!$server->testConnection()) {
|
|
Logger::appendInstall($serverId, 'SSH connection test failed');
|
|
throw new Exception('SSH connection failed');
|
|
}
|
|
Logger::appendInstall($serverId, 'SSH connection test OK');
|
|
}
|
|
|
|
if ($installMode !== null && $decisionToken) {
|
|
$entry = self::consumeDecision($serverId, $decisionToken);
|
|
if ($entry && ($entry['protocol'] ?? '') === $protocol['slug']) {
|
|
$detectionPayload = $entry['detection'] ?? null;
|
|
Logger::appendInstall($serverId, 'Consumed decision token for restore/reinstall');
|
|
}
|
|
}
|
|
|
|
if ($installMode === null) {
|
|
Logger::appendInstall($serverId, 'Running detection...');
|
|
$detection = self::detect($server, $protocol, $options);
|
|
Logger::appendInstall($serverId, 'Detection result: ' . json_encode($detection));
|
|
|
|
if (in_array($detection['status'] ?? 'absent', ['existing', 'partial'], true)) {
|
|
$token = self::storeDecision($serverId, [
|
|
'protocol' => $protocol['slug'],
|
|
'detection' => $detection,
|
|
'stored_at' => time(),
|
|
]);
|
|
|
|
Logger::appendInstall($serverId, 'Existing/partial config found, awaiting decision. token=' . $token);
|
|
|
|
return [
|
|
'success' => false,
|
|
'requires_action' => true,
|
|
'action' => 'existing_configuration',
|
|
'details' => $detection,
|
|
'decision_token' => $token,
|
|
'options' => [
|
|
'restore' => [
|
|
'mode' => 'restore',
|
|
'label' => 'Восстановить существующую конфигурацию'
|
|
],
|
|
'reinstall' => [
|
|
'mode' => 'reinstall',
|
|
'label' => 'Переустановить заново'
|
|
]
|
|
]
|
|
];
|
|
}
|
|
|
|
$installMode = 'install';
|
|
Logger::appendInstall($serverId, 'Proceeding with clean install');
|
|
}
|
|
|
|
if ($installMode === 'restore') {
|
|
Logger::appendInstall($serverId, 'Restoring existing configuration...');
|
|
if ($detectionPayload === null) {
|
|
$detectionPayload = self::detect($server, $protocol, array_merge($options, ['force' => true]));
|
|
Logger::appendInstall($serverId, 'Forced detection for restore: ' . json_encode($detectionPayload));
|
|
}
|
|
|
|
if (!in_array($detectionPayload['status'] ?? '', ['existing', 'partial'], true)) {
|
|
throw new Exception('Существующая конфигурация на сервере не найдена');
|
|
}
|
|
|
|
$res = self::restore($server, $protocol, $detectionPayload, $options);
|
|
Logger::appendInstall($serverId, 'Restore finished: ' . json_encode($res));
|
|
return $res;
|
|
}
|
|
|
|
if ($installMode === 'reinstall') {
|
|
$serverData = $server->getData();
|
|
Logger::appendInstall($serverId, 'Reinstall mode selected');
|
|
if (($serverData['status'] ?? '') === 'active' && empty($options['skip_backup'])) {
|
|
try {
|
|
$server->createBackup((int) $serverData['user_id'], 'automatic');
|
|
Logger::appendInstall($serverId, 'Automatic backup created before reinstall');
|
|
} catch (Throwable $e) {
|
|
Logger::appendInstall($serverId, 'Backup before reinstall failed: ' . $e->getMessage());
|
|
// backup errors do not abort reinstall
|
|
}
|
|
}
|
|
}
|
|
|
|
return self::install($server, $protocol, $options);
|
|
} catch (Throwable $e) {
|
|
// Mark server error and log
|
|
self::markServerError($server->getId(), $e->getMessage());
|
|
Logger::appendInstall($server->getId(), 'Deploy failed: ' . $e->getMessage());
|
|
throw $e;
|
|
}
|
|
}
|
|
|
|
private static function detect(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
$engine = self::getEngine($protocol);
|
|
if ($engine === 'builtin_awg') {
|
|
return self::detectBuiltinAwg($server, $protocol);
|
|
}
|
|
|
|
$slug = $protocol['slug'] ?? '';
|
|
|
|
// For AWG shell-based scenarios (amnezia-wg, amnezia-wg-advanced), use builtin AWG detection
|
|
if (self::isAwgProtocol($slug, $protocol)) {
|
|
return self::detectBuiltinAwg($server, $protocol);
|
|
}
|
|
|
|
// For X-Ray VLESS, use builtin detection
|
|
if ($slug === 'xray-vless') {
|
|
return self::detectBuiltinXray($server, $protocol);
|
|
}
|
|
|
|
return self::runScript($server, $protocol, 'detect', $options);
|
|
}
|
|
|
|
public static function install(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
$engine = self::getEngine($protocol);
|
|
$serverId = $server->getId();
|
|
if ($engine === 'builtin_awg') {
|
|
try {
|
|
Logger::appendInstall($serverId, 'Installing builtin AWG...');
|
|
$result = $server->runAwgInstall($options);
|
|
Logger::appendInstall($serverId, 'Builtin AWG install finished: ' . json_encode($result));
|
|
self::markServerActive($serverId, null, [
|
|
'vpn_port' => $result['vpn_port'] ?? null,
|
|
'server_public_key' => $result['public_key'] ?? ($result['server_public_key'] ?? null),
|
|
'preshared_key' => $result['preshared_key'] ?? null,
|
|
'awg_params' => $result['awg_params'] ?? null,
|
|
]);
|
|
return $result;
|
|
} catch (Throwable $e) {
|
|
Logger::appendInstall($serverId, 'AWG install failed: ' . $e->getMessage());
|
|
self::markServerError($serverId, $e->getMessage());
|
|
throw $e;
|
|
}
|
|
}
|
|
|
|
try {
|
|
Logger::appendInstall($serverId, 'Running scripted install...');
|
|
$metadata = $protocol['definition']['metadata'] ?? [];
|
|
// Choose/ensure VPN UDP port for script-driven installs
|
|
if (($protocol['slug'] ?? '') === 'xray-vless' && (!isset($options['server_port']) || !is_int($options['server_port']) || $options['server_port'] <= 0)) {
|
|
$options['server_port'] = 443;
|
|
}
|
|
if (!isset($options['server_port']) || !is_int($options['server_port'])) {
|
|
$options['server_port'] = self::chooseServerPort($server, $metadata);
|
|
}
|
|
$result = self::runScript($server, $protocol, 'install', $options);
|
|
if (!isset($result['success'])) {
|
|
$result['success'] = true;
|
|
}
|
|
Logger::appendInstall($serverId, 'Scripted install finished: ' . json_encode($result));
|
|
|
|
$rawPort = $result['vpn_port'] ?? null;
|
|
$resolvedPort = (is_numeric($rawPort) && (int) $rawPort > 0)
|
|
? (int) $rawPort
|
|
: ($options['server_port'] ?? null);
|
|
|
|
$awgParams = $result['awg_params'] ?? null;
|
|
if (!is_array($awgParams)) {
|
|
$flat = [];
|
|
foreach (['Jc', 'Jmin', 'Jmax', 'S1', 'S2', 'S3', 'S4', 'H1', 'H2', 'H3', 'H4'] as $k) {
|
|
if (array_key_exists($k, $result) && $result[$k] !== '' && $result[$k] !== null) {
|
|
$flat[$k] = $result[$k];
|
|
}
|
|
}
|
|
if (!empty($flat)) {
|
|
$awgParams = $flat;
|
|
}
|
|
}
|
|
|
|
$extras = [
|
|
'vpn_port' => $resolvedPort,
|
|
'server_public_key' => $result['server_public_key'] ?? null,
|
|
'preshared_key' => $result['preshared_key'] ?? null,
|
|
'awg_params' => $awgParams,
|
|
'secret' => $result['secret'] ?? null,
|
|
'server_host' => $result['server_host'] ?? null,
|
|
'container_name' => $result['container_name'] ?? ($metadata['container_name'] ?? null),
|
|
];
|
|
if (($protocol['slug'] ?? '') === 'aivpn' && array_key_exists('connection_key', $result)) {
|
|
$extras['connection_key'] = $result['connection_key'];
|
|
}
|
|
if (($protocol['slug'] ?? '') === 'xray-vless') {
|
|
foreach (['client_id', 'container_name', 'server_port', 'xray_port', 'reality_public_key', 'reality_private_key', 'reality_short_id', 'reality_server_name'] as $k) {
|
|
if (array_key_exists($k, $result)) {
|
|
$extras[$k] = $result[$k];
|
|
}
|
|
}
|
|
$extras['result'] = $result;
|
|
}
|
|
self::markServerActive($serverId, null, $extras);
|
|
return $result;
|
|
} catch (Throwable $e) {
|
|
Logger::appendInstall($serverId, 'Scripted install failed: ' . $e->getMessage());
|
|
self::markServerError($serverId, $e->getMessage());
|
|
throw $e;
|
|
}
|
|
}
|
|
|
|
private static function restore(VpnServer $server, array $protocol, array $detection, array $options = []): array
|
|
{
|
|
$engine = self::getEngine($protocol);
|
|
if ($engine === 'builtin_awg') {
|
|
return self::restoreBuiltinAwg($server, $protocol, $detection, $options);
|
|
}
|
|
|
|
$slug = $protocol['slug'] ?? '';
|
|
|
|
// For AWG shell-based scenarios, use builtin AWG restore
|
|
if (self::isAwgProtocol($slug, $protocol)) {
|
|
return self::restoreBuiltinAwg($server, $protocol, $detection, $options);
|
|
}
|
|
|
|
// For X-Ray VLESS, use builtin restore
|
|
if ($slug === 'xray-vless') {
|
|
return self::restoreBuiltinXray($server, $protocol, $detection, $options);
|
|
}
|
|
|
|
$result = self::runScript($server, $protocol, 'restore', array_merge($options, [
|
|
'detection' => $detection
|
|
]));
|
|
if (!isset($result['success'])) {
|
|
$result['success'] = true;
|
|
}
|
|
return $result;
|
|
}
|
|
|
|
private static function detectBuiltinAwg(VpnServer $server, array $protocol): array
|
|
{
|
|
$metadata = $protocol['definition']['metadata'] ?? [];
|
|
$serverData = $server->getData();
|
|
$containerName = $serverData['container_name'] ?? ($metadata['container_name'] ?? 'amnezia-awg');
|
|
$containerFilter = escapeshellarg('^' . $containerName . '$');
|
|
$containerArg = escapeshellarg($containerName);
|
|
|
|
$containerListRaw = trim($server->executeCommand("docker ps -a --filter name={$containerFilter} --format '{{.Names}}'", true));
|
|
if ($containerListRaw === '') {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Контейнер AmneziaWG не найден на сервере'
|
|
];
|
|
}
|
|
|
|
if (preg_match('/docker: command not found|command not found|cannot connect to the docker daemon|permission denied/i', $containerListRaw)) {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Docker CLI недоступен на сервере',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerListRaw,
|
|
]
|
|
];
|
|
}
|
|
|
|
$containerNames = array_values(array_filter(array_map('trim', preg_split('/\R+/', $containerListRaw))));
|
|
if (!in_array($containerName, $containerNames, true)) {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Контейнер AmneziaWG не найден на сервере'
|
|
];
|
|
}
|
|
|
|
$containerState = trim($server->executeCommand("docker inspect --format '{{.State.Status}}' {$containerArg}", true));
|
|
|
|
$wgConfig = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/wg0.conf 2>/dev/null", true);
|
|
if (trim($wgConfig) === '') {
|
|
return [
|
|
'status' => 'partial',
|
|
'message' => 'Контейнер найден, но конфигурация wg0.conf отсутствует',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
]
|
|
];
|
|
}
|
|
|
|
$parsedConfig = self::parseWireGuardConfig($wgConfig);
|
|
if (empty($parsedConfig['listen_port']) || empty($parsedConfig['awg_params'])) {
|
|
return [
|
|
'status' => 'partial',
|
|
'message' => 'Не удалось разобрать конфигурацию wg0.conf',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
]
|
|
];
|
|
}
|
|
|
|
$publicKey = trim($server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/wireguard_server_public_key.key 2>/dev/null", true));
|
|
$presharedKey = trim($server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/wireguard_psk.key 2>/dev/null", true));
|
|
|
|
if ($publicKey === '' || $presharedKey === '') {
|
|
return [
|
|
'status' => 'partial',
|
|
'message' => 'Не удалось прочитать ключи сервера',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
]
|
|
];
|
|
}
|
|
|
|
$clientsRaw = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/clientsTable 2>/dev/null", true);
|
|
$clients = json_decode(trim($clientsRaw), true);
|
|
$clientsCount = is_array($clients) ? count($clients) : 0;
|
|
|
|
return [
|
|
'status' => 'existing',
|
|
'message' => 'Найдена установленная конфигурация AmneziaWG',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
'vpn_port' => (int) $parsedConfig['listen_port'],
|
|
'server_public_key' => $publicKey,
|
|
'preshared_key' => $presharedKey,
|
|
'awg_params' => $parsedConfig['awg_params'],
|
|
'clients_count' => $clientsCount,
|
|
'summary' => sprintf('Container %s (%s), port %s, clients %d', $containerName, $containerState ?: 'unknown', $parsedConfig['listen_port'], $clientsCount)
|
|
]
|
|
];
|
|
}
|
|
|
|
private static function restoreBuiltinAwg(VpnServer $server, array $protocol, array $detection, array $options): array
|
|
{
|
|
$details = $detection['details'] ?? [];
|
|
$containerName = $details['container_name'] ?? ($protocol['definition']['metadata']['container_name'] ?? 'amnezia-awg');
|
|
$containerArg = escapeshellarg($containerName);
|
|
|
|
// Try to ensure container is running and wg is up
|
|
$server->executeCommand("docker start {$containerArg} 2>/dev/null || true", true);
|
|
$server->executeCommand("docker exec -i {$containerArg} wg-quick down /opt/amnezia/awg/wg0.conf 2>/dev/null || true", true);
|
|
$server->executeCommand("docker exec -i {$containerArg} wg-quick up /opt/amnezia/awg/wg0.conf 2>/dev/null || true", true);
|
|
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('
|
|
UPDATE vpn_servers
|
|
SET vpn_port = ?,
|
|
server_public_key = ?,
|
|
preshared_key = ?,
|
|
awg_params = ?,
|
|
status = ?,
|
|
error_message = NULL,
|
|
deployed_at = COALESCE(deployed_at, NOW())
|
|
WHERE id = ?
|
|
');
|
|
$stmt->execute([
|
|
$details['vpn_port'] ?? null,
|
|
$details['server_public_key'] ?? null,
|
|
$details['preshared_key'] ?? null,
|
|
isset($details['awg_params']) ? json_encode($details['awg_params']) : null,
|
|
'active',
|
|
$server->getId()
|
|
]);
|
|
|
|
$server->refresh();
|
|
$serverData = $server->getData();
|
|
|
|
// Import existing peers from wg0.conf into database as disabled clients
|
|
$wgConfig = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/wg0.conf 2>/dev/null", true);
|
|
$tableRaw = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/clientsTable 2>/dev/null", true);
|
|
$clientsTable = json_decode(trim($tableRaw), true);
|
|
$nameByPub = [];
|
|
if (is_array($clientsTable)) {
|
|
foreach ($clientsTable as $entry) {
|
|
$cid = $entry['clientId'] ?? '';
|
|
$uname = $entry['userData']['clientName'] ?? null;
|
|
if ($cid !== '' && $uname) {
|
|
$nameByPub[$cid] = $uname;
|
|
}
|
|
}
|
|
}
|
|
$restored = 0;
|
|
$pid = self::resolveProtocolId($protocol);
|
|
if (trim($wgConfig) !== '') {
|
|
$pattern = '/\[Peer\][^\[]*?PublicKey\s*=\s*(.+?)\s*[\r\n]+[\s\S]*?AllowedIPs\s*=\s*(.+?)(?:\r?\n|$)/';
|
|
if (preg_match_all($pattern, $wgConfig, $matches, PREG_SET_ORDER)) {
|
|
foreach ($matches as $m) {
|
|
$pub = trim($m[1]);
|
|
$allowed = trim($m[2]);
|
|
$clientIp = null;
|
|
foreach (explode(',', $allowed) as $ipSpec) {
|
|
$ipSpec = trim($ipSpec);
|
|
if (preg_match('/^([0-9\.]+)\/32$/', $ipSpec, $mm)) {
|
|
$clientIp = $mm[1];
|
|
break;
|
|
}
|
|
}
|
|
if (!$clientIp) {
|
|
continue;
|
|
}
|
|
$pdo = DB::conn();
|
|
$chk = $pdo->prepare('SELECT id FROM vpn_clients WHERE server_id = ? AND client_ip = ?');
|
|
$chk->execute([$server->getId(), $clientIp]);
|
|
if ($chk->fetch()) {
|
|
continue;
|
|
}
|
|
$name = $nameByPub[$pub] ?? ('import-' . str_replace('.', '_', $clientIp));
|
|
$ins = $pdo->prepare('INSERT INTO vpn_clients (server_id, user_id, name, client_ip, public_key, private_key, preshared_key, config, protocol_id, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())');
|
|
$ins->execute([
|
|
$server->getId(),
|
|
$serverData['user_id'] ?? null,
|
|
$name,
|
|
$clientIp,
|
|
$pub,
|
|
'',
|
|
$details['preshared_key'] ?? null,
|
|
'',
|
|
$pid ?: null,
|
|
'active' // Import as active since they already work on the server
|
|
]);
|
|
$restored++;
|
|
}
|
|
}
|
|
}
|
|
|
|
return [
|
|
'success' => true,
|
|
'mode' => 'restore',
|
|
'message' => 'Существующая конфигурация восстановлена',
|
|
'vpn_port' => $details['vpn_port'] ?? null,
|
|
'clients_count' => $details['clients_count'] ?? null,
|
|
'restored_clients' => $restored
|
|
];
|
|
}
|
|
|
|
public static function addClient(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
return self::runScript($server, $protocol, 'add_client', $options);
|
|
}
|
|
|
|
private static function runScript(VpnServer $server, array $protocol, string $phase, array $options = []): array
|
|
{
|
|
$definition = $protocol['definition'] ?? [];
|
|
$scripts = $definition['scripts'][$phase] ?? null;
|
|
if (!$scripts) {
|
|
if ($phase === 'install') {
|
|
$scripts = $protocol['install_script'] ?? null;
|
|
} elseif ($phase === 'uninstall') {
|
|
$scripts = $protocol['uninstall_script'] ?? null;
|
|
} elseif ($phase === 'add_client' && ($protocol['slug'] ?? '') === 'xray-vless') {
|
|
return self::runBuiltinXrayAddClient($server, $options);
|
|
}
|
|
}
|
|
if (!$scripts) {
|
|
if ($phase === 'detect') {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Скрипт обнаружения не настроен для протокола'
|
|
];
|
|
}
|
|
if ($phase === 'uninstall') {
|
|
return [
|
|
'success' => true,
|
|
'message' => 'Скрипт удаления не настроен для протокола'
|
|
];
|
|
}
|
|
if ($phase === 'add_client') {
|
|
if (($protocol['slug'] ?? '') === 'aivpn') {
|
|
return self::runBuiltinAivpnAddClient($server, $options);
|
|
}
|
|
// If no script and no builtin handler, we just skip it (assume not needed or manual)
|
|
// Or throw generic error? Better return success to not break flow if not implemented for other protocols
|
|
return ['success' => true, 'message' => 'No add_client script defined'];
|
|
}
|
|
throw new Exception('Скрипт ' . $phase . ' не настроен для протокола');
|
|
}
|
|
|
|
$context = self::buildContext($server, $protocol, $options);
|
|
$script = self::renderTemplate($scripts, $context);
|
|
$script = preg_replace('/\n\+\s*/', "\n", $script);
|
|
$exportLines = self::buildExports($context);
|
|
|
|
if ($phase === 'install') {
|
|
Logger::appendInstall($server->getId(), 'INSTALL phase: docker preflight start');
|
|
$bootstrapCmd = "bash -lc 'set -e; "
|
|
. "if command -v docker >/dev/null 2>&1; then command -v docker; docker --version || true; exit 0; fi; "
|
|
. "if command -v curl >/dev/null 2>&1; then curl -fsSL https://get.docker.com | sh; "
|
|
. "elif command -v wget >/dev/null 2>&1; then wget -qO- https://get.docker.com | sh; "
|
|
. "else echo \"curl/wget not found\"; exit 127; fi; "
|
|
. "(systemctl enable --now docker || service docker start || true); "
|
|
. "command -v docker >/dev/null 2>&1 || { echo \"docker bootstrap failed\"; exit 127; }; "
|
|
. "command -v docker; docker --version || true'";
|
|
$bootstrapOut = trim((string) $server->executeCommand($bootstrapCmd, true));
|
|
if ($bootstrapOut !== '') {
|
|
$bootstrapHead = substr(str_replace(["\r", "\n"], ' ', $bootstrapOut), 0, 280);
|
|
Logger::appendInstall($server->getId(), 'INSTALL phase: docker preflight output ' . $bootstrapHead);
|
|
}
|
|
|
|
$dockerCheckAfter = trim((string) $server->executeCommand('command -v docker || true', true));
|
|
if ($dockerCheckAfter === '') {
|
|
throw new Exception('Docker не установлен на сервере и авто-установка не удалась');
|
|
}
|
|
}
|
|
|
|
$wrapper = "bash <<'EOS'\nset -euo pipefail\n" . $exportLines . $script . "\nEOS";
|
|
Logger::appendInstall($server->getId(), strtoupper($phase) . ' phase: executing remote script');
|
|
$output = $server->executeCommand($wrapper, true);
|
|
Logger::appendInstall($server->getId(), strtoupper($phase) . ' phase: output size ' . strlen((string) $output) . ' bytes');
|
|
$head = substr(str_replace(["\r", "\n"], ' ', (string) $output), 0, 280);
|
|
if ($head !== '') {
|
|
Logger::appendInstall($server->getId(), strtoupper($phase) . ' phase: output head ' . $head);
|
|
}
|
|
$trimmed = trim($output);
|
|
$installProbeSummary = '';
|
|
|
|
if ($phase === 'install' && $trimmed === '') {
|
|
$probeCmd = "echo whoami:\$(whoami) 2>/dev/null || true; echo shell:\$SHELL; command -v docker || echo docker:not-found; docker --version 2>&1 || true; id 2>&1 || true";
|
|
$probeOut = trim((string) $server->executeCommand($probeCmd, true));
|
|
if ($probeOut !== '') {
|
|
$normalizedProbe = substr(str_replace(["\r", "\n"], ' | ', $probeOut), 0, 320);
|
|
Logger::appendInstall($server->getId(), strtoupper($phase) . ' phase: probe ' . $normalizedProbe);
|
|
$installProbeSummary = '; probe: ' . $normalizedProbe;
|
|
}
|
|
}
|
|
|
|
// Try JSON first
|
|
$decoded = json_decode($trimmed, true);
|
|
if (is_array($decoded)) {
|
|
Logger::appendInstall($server->getId(), strtoupper($phase) . ' phase: parsed JSON result');
|
|
return $decoded;
|
|
}
|
|
|
|
if ($phase === 'install') {
|
|
$lower = strtolower($trimmed);
|
|
$hardErrors = [
|
|
'connection refused',
|
|
'permission denied',
|
|
'command not found',
|
|
'no route to host',
|
|
'could not resolve hostname',
|
|
'host key verification failed',
|
|
'timed out',
|
|
'operation timed out',
|
|
];
|
|
foreach ($hardErrors as $needle) {
|
|
if ($needle !== '' && strpos($lower, $needle) !== false) {
|
|
throw new Exception('Ошибка установки (script): ' . $trimmed);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Try key-value format (e.g., "Port: 123" or "Server Public Key: abc")
|
|
$result = self::parseKeyValueOutput($trimmed);
|
|
if (!empty($result)) {
|
|
Logger::appendInstall($server->getId(), strtoupper($phase) . ' phase: parsed key-value result with ' . count($result) . ' keys');
|
|
return array_merge(['success' => true], $result);
|
|
}
|
|
|
|
// Heuristic: treat obvious errors on install as failure to avoid false "active" status
|
|
if ($phase === 'install') {
|
|
$lower = strtolower($trimmed);
|
|
if ($lower === '' || strpos($lower, 'command not found') !== false || strpos($lower, 'error') !== false) {
|
|
throw new Exception('Ошибка установки (script): ' . ($trimmed !== '' ? $trimmed : 'empty output') . $installProbeSummary);
|
|
}
|
|
}
|
|
|
|
return [
|
|
'success' => true,
|
|
'output' => $output
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Parse key-value output from installation scripts
|
|
* Supports formats like:
|
|
* - "Port: 123"
|
|
* - "Server Public Key: abc123"
|
|
* - "PresharedKey = xyz789"
|
|
*/
|
|
private static function parseKeyValueOutput(string $output): array
|
|
{
|
|
$result = [];
|
|
$lines = preg_split('/\r?\n/', $output);
|
|
|
|
foreach ($lines as $line) {
|
|
$line = trim($line);
|
|
if ($line === '')
|
|
continue;
|
|
$line = preg_replace('/^\+\s*/', '', $line);
|
|
|
|
// Match "Variable: name=value" format (for protocol variables)
|
|
if (preg_match('/^Variable:\s*(\w+)=(.*)$/', $line, $matches)) {
|
|
$varName = trim($matches[1]);
|
|
$varValue = trim($matches[2]);
|
|
$result[$varName] = $varValue;
|
|
continue;
|
|
}
|
|
|
|
// Match "Key: Value" or "Key = Value" format
|
|
if (preg_match('/^([^:=]+?)[:=]\s*(.+)$/', $line, $matches)) {
|
|
$key = trim($matches[1]);
|
|
$value = trim($matches[2]);
|
|
|
|
// Normalize key names to snake_case
|
|
$normalizedKey = strtolower(preg_replace('/\s+/', '_', $key));
|
|
|
|
// Map common key names
|
|
$keyMap = [
|
|
'port' => 'vpn_port',
|
|
'server_public_key' => 'server_public_key',
|
|
'presharedkey' => 'preshared_key',
|
|
'preshared_key' => 'preshared_key',
|
|
'awg_params' => 'awg_params',
|
|
'clientid' => 'client_id',
|
|
'client_id' => 'client_id',
|
|
'server_port' => 'server_port',
|
|
'xray_port' => 'server_port',
|
|
'container_name' => 'container_name',
|
|
'containername' => 'container_name',
|
|
'publickey' => 'reality_public_key',
|
|
'privatekey' => 'reality_private_key',
|
|
'shortid' => 'reality_short_id',
|
|
'servername' => 'reality_server_name',
|
|
'secret' => 'secret',
|
|
'serverhost' => 'server_host',
|
|
'server_host' => 'server_host',
|
|
];
|
|
|
|
$finalKey = $keyMap[$normalizedKey] ?? $normalizedKey;
|
|
$result[$finalKey] = $value;
|
|
}
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
private static function markServerActive(int $serverId, ?string $message = null, array $extras = []): void
|
|
{
|
|
$pdo = DB::conn();
|
|
$setParts = ['status = ?', 'error_message = NULL', 'deployed_at = COALESCE(deployed_at, NOW())'];
|
|
$params = ['active'];
|
|
if (isset($extras['vpn_port']) && $extras['vpn_port'] !== null) {
|
|
$setParts[] = 'vpn_port = ?';
|
|
$params[] = (int) $extras['vpn_port'];
|
|
}
|
|
if (isset($extras['server_public_key']) && $extras['server_public_key'] !== null) {
|
|
$setParts[] = 'server_public_key = ?';
|
|
$params[] = (string) $extras['server_public_key'];
|
|
}
|
|
if (isset($extras['preshared_key']) && $extras['preshared_key'] !== null) {
|
|
$setParts[] = 'preshared_key = ?';
|
|
$params[] = (string) $extras['preshared_key'];
|
|
}
|
|
if (isset($extras['container_name']) && $extras['container_name'] !== null && $extras['container_name'] !== '') {
|
|
$setParts[] = 'container_name = ?';
|
|
$params[] = (string) $extras['container_name'];
|
|
}
|
|
if (array_key_exists('awg_params', $extras)) {
|
|
$awgParams = $extras['awg_params'];
|
|
if (is_array($awgParams)) {
|
|
$awgParams = json_encode($awgParams);
|
|
}
|
|
if (is_string($awgParams)) {
|
|
$setParts[] = 'awg_params = ?';
|
|
$params[] = $awgParams;
|
|
}
|
|
}
|
|
$params[] = $serverId;
|
|
$sql = 'UPDATE vpn_servers SET ' . implode(', ', $setParts) . ' WHERE id = ?';
|
|
$stmt = $pdo->prepare($sql);
|
|
$stmt->execute($params);
|
|
|
|
try {
|
|
$stmt2 = $pdo->prepare('SELECT install_protocol, host, vpn_port FROM vpn_servers WHERE id = ?');
|
|
$stmt2->execute([$serverId]);
|
|
$row = $stmt2->fetch();
|
|
$slug = $row['install_protocol'] ?? null;
|
|
if ($slug) {
|
|
$stmt3 = $pdo->prepare('SELECT id FROM protocols WHERE slug = ? LIMIT 1');
|
|
$stmt3->execute([$slug]);
|
|
$protocolId = $stmt3->fetchColumn();
|
|
if ($protocolId) {
|
|
$config = [
|
|
'server_host' => $row['host'] ?? null,
|
|
'server_port' => $row['vpn_port'] ?? null,
|
|
'extras' => $extras
|
|
];
|
|
$stmt4 = $pdo->prepare('INSERT INTO server_protocols (server_id, protocol_id, config_data, applied_at, created_at) VALUES (?, ?, ?, NOW(), NOW()) ON DUPLICATE KEY UPDATE config_data = VALUES(config_data), applied_at = NOW()');
|
|
$stmt4->execute([$serverId, (int) $protocolId, json_encode($config)]);
|
|
|
|
// Keep existing MTProxy client links in sync with current runtime port/secret after reinstall.
|
|
if ($slug === 'mtproxy') {
|
|
$mtHost = (string) ($config['server_host'] ?? '');
|
|
$mtPort = (string) ($config['server_port'] ?? '');
|
|
$mtSecret = '';
|
|
|
|
if (!empty($extras['secret']) && is_scalar($extras['secret'])) {
|
|
$mtSecret = trim((string) $extras['secret']);
|
|
}
|
|
if ($mtSecret === '' && isset($extras['result']) && is_array($extras['result'])) {
|
|
if (!empty($extras['result']['secret']) && is_scalar($extras['result']['secret'])) {
|
|
$mtSecret = trim((string) $extras['result']['secret']);
|
|
}
|
|
}
|
|
|
|
if ($mtHost !== '' && $mtPort !== '' && $mtSecret !== '') {
|
|
$mtLink = 'tg://proxy?server=' . $mtHost . '&port=' . $mtPort . '&secret=' . $mtSecret;
|
|
$stmtSync = $pdo->prepare('UPDATE vpn_clients SET config = ? WHERE server_id = ? AND protocol_id = ? AND (config IS NULL OR config = "" OR config LIKE "tg://proxy?%")');
|
|
$stmtSync->execute([$mtLink, $serverId, (int) $protocolId]);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} catch (Throwable $e) {
|
|
// ignore linkage errors
|
|
}
|
|
}
|
|
|
|
private static function markServerError(int $serverId, string $message): void
|
|
{
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('UPDATE vpn_servers SET status = ?, error_message = ? WHERE id = ?');
|
|
$stmt->execute(['error', $message, $serverId]);
|
|
}
|
|
|
|
private static function buildContext(VpnServer $server, array $protocol, array $options): array
|
|
{
|
|
return [
|
|
'server' => $server->getData(),
|
|
'protocol' => $protocol,
|
|
'metadata' => $protocol['definition']['metadata'] ?? [],
|
|
'options' => $options
|
|
];
|
|
}
|
|
|
|
private static function buildExports(array $context): string
|
|
{
|
|
$exports = [];
|
|
$serverData = $context['server'] ?? [];
|
|
$metadata = $context['metadata'] ?? [];
|
|
$options = $context['options'] ?? [];
|
|
|
|
$pairs = [
|
|
'SERVER_HOST' => $serverData['host'] ?? '',
|
|
'SERVER_USER' => $serverData['username'] ?? '',
|
|
// Prefer protocol-specific settings for scripted installs to avoid
|
|
// reusing a container name/port from another protocol on same server.
|
|
'SERVER_CONTAINER' => $options['container_name']
|
|
?? ($metadata['container_name'] ?? ($serverData['container_name'] ?? '')),
|
|
'SERVER_PORT' => isset($options['server_port']) && (int) $options['server_port'] > 0
|
|
? (int) $options['server_port']
|
|
: (isset($serverData['vpn_port']) && (int) $serverData['vpn_port'] > 0
|
|
? (int) $serverData['vpn_port']
|
|
: ''),
|
|
];
|
|
|
|
// Check for saved Reality keys in server_protocols table
|
|
$serverId = $serverData['id'] ?? null;
|
|
if ($serverId) {
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('SELECT config_data FROM server_protocols WHERE server_id = ? ORDER BY applied_at DESC LIMIT 1');
|
|
$stmt->execute([$serverId]);
|
|
$configJson = $stmt->fetchColumn();
|
|
if ($configJson) {
|
|
$config = json_decode($configJson, true);
|
|
$extras = $config['extras'] ?? [];
|
|
// Export saved Reality keys if reinstalling (allow script to reuse them)
|
|
if (!empty($extras['reality_private_key'])) {
|
|
$pairs['PRIVATE_KEY'] = $extras['reality_private_key'];
|
|
}
|
|
if (!empty($extras['reality_short_id'])) {
|
|
$pairs['SHORT_ID'] = $extras['reality_short_id'];
|
|
}
|
|
// Note: CLIENT_ID is per-client, not per-server, so we don't restore it here
|
|
}
|
|
} catch (Throwable $e) {
|
|
// Ignore errors, will generate new keys
|
|
}
|
|
}
|
|
|
|
foreach ($pairs as $key => $value) {
|
|
if ($value !== '' && $value !== null) {
|
|
$exports[] = sprintf('export %s=%s', $key, escapeshellarg((string) $value));
|
|
}
|
|
}
|
|
|
|
foreach ($metadata as $key => $value) {
|
|
if (!is_scalar($value)) {
|
|
continue;
|
|
}
|
|
$normalized = strtoupper(preg_replace('/[^A-Z0-9]+/i', '_', (string) $key));
|
|
if ($normalized === '') {
|
|
continue;
|
|
}
|
|
$exports[] = sprintf('export PROTOCOL_%s=%s', $normalized, escapeshellarg((string) $value));
|
|
}
|
|
|
|
return $exports ? implode("\n", $exports) . "\n" : '';
|
|
}
|
|
|
|
/**
|
|
* Choose a free UDP port on the remote server within metadata-defined range or defaults
|
|
*/
|
|
private static function chooseServerPort(VpnServer $server, array $metadata): int
|
|
{
|
|
$range = $metadata['port_range'] ?? [30000, 65000];
|
|
$min = 30000;
|
|
$max = 65000;
|
|
if (is_string($range)) {
|
|
// Accept formats like "[30000, 65000]" or "30000-65000"
|
|
if (preg_match('/(\d{2,})\D+(\d{2,})/', $range, $m)) {
|
|
$min = (int) $m[1];
|
|
$max = (int) $m[2];
|
|
}
|
|
} elseif (is_array($range) && count($range) >= 2) {
|
|
$min = (int) $range[0];
|
|
$max = (int) $range[1];
|
|
}
|
|
|
|
for ($attempt = 0; $attempt < 30; $attempt++) {
|
|
$candidate = random_int($min, $max);
|
|
$cmd = "ss -lun | awk '{print $4}' | grep -E ':(" . $candidate . ")($| )' || true";
|
|
$out = $server->executeCommand($cmd, false);
|
|
if (trim($out) === '') {
|
|
return $candidate;
|
|
}
|
|
}
|
|
|
|
return 40001; // fallback
|
|
}
|
|
|
|
private static function renderTemplate(string $template, array $context): string
|
|
{
|
|
return preg_replace_callback('/{{\s*([a-zA-Z0-9_.]+)\s*}}/', function ($matches) use ($context) {
|
|
$path = explode('.', $matches[1]);
|
|
$value = $context;
|
|
foreach ($path as $segment) {
|
|
if (is_array($value) && array_key_exists($segment, $value)) {
|
|
$value = $value[$segment];
|
|
} else {
|
|
return '';
|
|
}
|
|
}
|
|
return is_scalar($value) ? (string) $value : json_encode($value);
|
|
}, $template);
|
|
}
|
|
|
|
private static function parseWireGuardConfig(string $config): array
|
|
{
|
|
$lines = preg_split('/\r?\n/', $config);
|
|
$awgKeys = ['Jc', 'Jmin', 'Jmax', 'S1', 'S2', 'S3', 'S4', 'H1', 'H2', 'H3', 'H4'];
|
|
$awgParams = [];
|
|
$listenPort = null;
|
|
|
|
foreach ($lines as $line) {
|
|
$line = trim($line);
|
|
if ($line === '' || strpos($line, '=') === false) {
|
|
continue;
|
|
}
|
|
[$key, $value] = array_map('trim', explode('=', $line, 2));
|
|
if ($key === 'ListenPort') {
|
|
$listenPort = (int) $value;
|
|
}
|
|
if (in_array($key, $awgKeys, true)) {
|
|
$awgParams[$key] = is_numeric($value) ? (int) $value : $value;
|
|
}
|
|
}
|
|
|
|
return [
|
|
'listen_port' => $listenPort,
|
|
'awg_params' => $awgParams
|
|
];
|
|
}
|
|
|
|
private static function hydrateProtocol(array $row): array
|
|
{
|
|
if (isset($row['definition']) && is_string($row['definition'])) {
|
|
$decoded = json_decode($row['definition'], true);
|
|
if (json_last_error() === JSON_ERROR_NONE && is_array($decoded)) {
|
|
$row['definition'] = $decoded;
|
|
} else {
|
|
$row['definition'] = [];
|
|
}
|
|
}
|
|
return $row;
|
|
}
|
|
|
|
private static function getEngine(array $protocol): string
|
|
{
|
|
$definition = $protocol['definition'] ?? [];
|
|
if (!empty($protocol['install_script'])) {
|
|
return 'shell';
|
|
}
|
|
return $definition['engine'] ?? 'builtin_awg';
|
|
}
|
|
|
|
/**
|
|
* Check if a protocol is an AWG variant (by slug or install_script content)
|
|
* Used to route shell-based AWG scenarios to builtin AWG detection/restore
|
|
*/
|
|
private static function isAwgProtocol(string $slug, array $protocol): bool
|
|
{
|
|
if (in_array($slug, ['amnezia-wg', 'amnezia-wg-advanced', 'awg2'], true)) {
|
|
return true;
|
|
}
|
|
$installScript = (string) ($protocol['install_script'] ?? '');
|
|
if ($installScript !== '' && preg_match('/amneziavpn\/amnezia-wg|amnezia\/awg|amnezia-awg/i', $installScript)) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private static function fallbackProtocols(): array
|
|
{
|
|
return [
|
|
[
|
|
'id' => null,
|
|
'slug' => self::DEFAULT_SLUG,
|
|
'name' => 'AmneziaWG',
|
|
'description' => 'Default Amnezia WireGuard deployment scenario',
|
|
'definition' => [
|
|
'engine' => 'builtin_awg',
|
|
'metadata' => [
|
|
'container_name' => 'amnezia-awg',
|
|
'vpn_subnet' => '10.8.1.0/24',
|
|
'port_range' => [30000, 65000],
|
|
],
|
|
],
|
|
'is_active' => 1,
|
|
]
|
|
];
|
|
}
|
|
|
|
private static function storeDecision(int $serverId, array $payload): string
|
|
{
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
return '';
|
|
}
|
|
$token = bin2hex(random_bytes(16));
|
|
if (!isset($_SESSION[self::SESSION_KEY])) {
|
|
$_SESSION[self::SESSION_KEY] = [];
|
|
}
|
|
$_SESSION[self::SESSION_KEY][$serverId] = [
|
|
'token' => $token,
|
|
'payload' => $payload,
|
|
'expires_at' => time() + 600
|
|
];
|
|
return $token;
|
|
}
|
|
|
|
private static function consumeDecision(int $serverId, string $token): ?array
|
|
{
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
return null;
|
|
}
|
|
|
|
if (!isset($_SESSION[self::SESSION_KEY][$serverId])) {
|
|
return null;
|
|
}
|
|
|
|
$entry = $_SESSION[self::SESSION_KEY][$serverId];
|
|
if (($entry['token'] ?? '') !== $token) {
|
|
return null;
|
|
}
|
|
|
|
unset($_SESSION[self::SESSION_KEY][$serverId]);
|
|
|
|
if (($entry['expires_at'] ?? 0) < time()) {
|
|
return null;
|
|
}
|
|
|
|
return $entry['payload'] ?? null;
|
|
}
|
|
|
|
/**
|
|
* Run detection script for a scenario on a server
|
|
* Used for testing scenarios before deployment
|
|
*/
|
|
public static function runDetection(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
$engine = self::getEngine($protocol);
|
|
if ($engine === 'builtin_awg') {
|
|
return self::detectBuiltinAwg($server, $protocol);
|
|
}
|
|
|
|
$slug = $protocol['slug'] ?? '';
|
|
|
|
// For AWG shell-based scenarios (amnezia-wg, amnezia-wg-advanced), use builtin AWG detection
|
|
if (self::isAwgProtocol($slug, $protocol)) {
|
|
return self::detectBuiltinAwg($server, $protocol);
|
|
}
|
|
|
|
// For X-Ray VLESS, use builtin detection
|
|
if ($slug === 'xray-vless') {
|
|
return self::detectBuiltinXray($server, $protocol);
|
|
}
|
|
|
|
return self::runScript($server, $protocol, 'detect', $options);
|
|
}
|
|
|
|
/**
|
|
* Uninstall a protocol from the given server. Supports builtin AWG and scripted protocols
|
|
* Returns array with success and message keys on completion or throws on fatal error
|
|
*/
|
|
public static function uninstall(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
$engine = self::getEngine($protocol);
|
|
if ($engine === 'builtin_awg') {
|
|
return self::uninstallBuiltinAwg($server, $protocol, $options);
|
|
}
|
|
|
|
// For script-driven protocols, try to detect AWG scenario and fallback to builtin uninstall
|
|
$slug = $protocol['slug'] ?? '';
|
|
if (self::isAwgProtocol($slug, $protocol)) {
|
|
// Prefer builtin AWG uninstall by default because script variants may have CRLF issues
|
|
// or leave behind the canonical container name, causing install conflicts.
|
|
if (!empty($options['use_script_uninstall'])) {
|
|
$hasScript = isset($protocol['uninstall_script']) && trim((string) $protocol['uninstall_script']) !== '';
|
|
if ($hasScript) {
|
|
return self::runScript($server, $protocol, 'uninstall', $options);
|
|
}
|
|
}
|
|
return self::uninstallBuiltinAwg($server, $protocol, $options);
|
|
}
|
|
|
|
// For other script-driven protocols, look for an "uninstall" phase in scripts
|
|
return self::runScript($server, $protocol, 'uninstall', $options);
|
|
}
|
|
|
|
private static function uninstallBuiltinAwg(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
$metadata = $protocol['definition']['metadata'] ?? [];
|
|
$serverData = $server->getData();
|
|
$containerName = $serverData['container_name'] ?? ($metadata['container_name'] ?? 'amnezia-awg');
|
|
$configDir = trim((string) ($metadata['config_dir'] ?? ''));
|
|
if ($configDir === '') {
|
|
$configDir = (($protocol['slug'] ?? '') === 'awg2') ? '/opt/amnezia/awg2' : '/opt/amnezia/awg';
|
|
}
|
|
$candidateNames = array_values(array_unique(array_filter([
|
|
is_string($containerName) ? trim($containerName) : '',
|
|
is_string($metadata['container_name'] ?? null) ? trim((string) $metadata['container_name']) : '',
|
|
'amnezia-awg',
|
|
], function ($v) {
|
|
return is_string($v) && trim($v) !== '';
|
|
})));
|
|
|
|
// Attempt to stop and remove container, image and cleanup files
|
|
try {
|
|
foreach ($candidateNames as $name) {
|
|
$arg = escapeshellarg($name);
|
|
// Stop container if running
|
|
$server->executeCommand("docker stop {$arg} 2>/dev/null || true", true);
|
|
// Remove container
|
|
$server->executeCommand("docker rm -fv {$arg} 2>/dev/null || true", true);
|
|
}
|
|
// Remove known images (best-effort)
|
|
$server->executeCommand("docker rmi amneziavpn/amnezia-wg amneziavpn/amnezia-awg amnezia-awg2 2>/dev/null || true", true);
|
|
// Attempt to remove amnezia-dns-net network if present (best-effort)
|
|
$server->executeCommand("docker network rm amnezia-dns-net 2>/dev/null || true", true);
|
|
// Remove on-disk data for AWG protocol config to avoid stale restore paths.
|
|
$server->executeCommand("rm -rf " . escapeshellarg($configDir) . " 2>/dev/null || true", true);
|
|
$server->executeCommand("rm -rf /opt/amnezia/amnezia-awg 2>/dev/null || true", true);
|
|
|
|
// Clear server deployment metadata in database for this server
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('UPDATE vpn_servers SET vpn_port = NULL, server_public_key = NULL, preshared_key = NULL, awg_params = NULL, status = ?, error_message = NULL WHERE id = ?');
|
|
$stmt->execute(['stopped', $server->getId()]);
|
|
|
|
// Refresh server object data
|
|
$server->refresh();
|
|
|
|
return [
|
|
'success' => true,
|
|
'message' => 'Протокол успешно удалён',
|
|
'mode' => 'uninstall'
|
|
];
|
|
} catch (Throwable $e) {
|
|
throw new Exception('Uninstall failed: ' . $e->getMessage());
|
|
}
|
|
}
|
|
|
|
public static function activate(VpnServer $server, array $protocol, array $options = []): array
|
|
{
|
|
$engine = self::getEngine($protocol);
|
|
$serverId = $server->getId();
|
|
try {
|
|
Logger::appendInstall($serverId, 'Activate start for ' . ($protocol['slug'] ?? 'unknown') . ' engine ' . $engine);
|
|
|
|
// ── Check for existing installation before doing anything destructive ──
|
|
$slug = $protocol['slug'] ?? '';
|
|
$isAwg = $engine === 'builtin_awg' || self::isAwgProtocol($slug, $protocol);
|
|
$isXray = $slug === 'xray-vless';
|
|
|
|
if ($isAwg) {
|
|
$detection = self::detectBuiltinAwg($server, $protocol);
|
|
if (($detection['status'] ?? '') === 'existing') {
|
|
Logger::appendInstall($serverId, 'Existing AWG installation detected, restoring instead of reinstalling');
|
|
$restoreResult = self::restoreBuiltinAwg($server, $protocol, $detection, $options);
|
|
// Import existing clients into DB
|
|
self::importExistingAwgClients($server, $protocol, $detection);
|
|
$pdo = DB::conn();
|
|
$pid = self::resolveProtocolId($protocol);
|
|
if ($pid) {
|
|
$details = $detection['details'] ?? [];
|
|
$config = [
|
|
'server_host' => $server->getData()['host'] ?? null,
|
|
'server_port' => $details['vpn_port'] ?? null,
|
|
'extras' => [
|
|
'vpn_port' => $details['vpn_port'] ?? null,
|
|
'server_public_key' => $details['server_public_key'] ?? null,
|
|
'preshared_key' => $details['preshared_key'] ?? null,
|
|
'awg_params' => $details['awg_params'] ?? null,
|
|
]
|
|
];
|
|
$stmt2 = $pdo->prepare('INSERT INTO server_protocols (server_id, protocol_id, config_data, applied_at, created_at) VALUES (?, ?, ?, NOW(), NOW()) ON DUPLICATE KEY UPDATE config_data = VALUES(config_data), applied_at = NOW()');
|
|
$stmt2->execute([$serverId, $pid, json_encode($config)]);
|
|
}
|
|
return array_merge($restoreResult, ['mode' => 'restore_existing']);
|
|
}
|
|
}
|
|
|
|
if ($isXray) {
|
|
$xrayDetection = self::detectBuiltinXray($server, $protocol);
|
|
if (($xrayDetection['status'] ?? '') === 'existing') {
|
|
Logger::appendInstall($serverId, 'Existing X-Ray installation detected, restoring instead of reinstalling');
|
|
$restoreResult = self::restoreBuiltinXray($server, $protocol, $xrayDetection, $options);
|
|
return array_merge($restoreResult, ['mode' => 'restore_existing']);
|
|
}
|
|
}
|
|
|
|
// ── No existing installation found — proceed with fresh install ──
|
|
|
|
if ($engine === 'builtin_awg') {
|
|
$res = $server->runAwgInstall($options);
|
|
Logger::appendInstall($serverId, 'Builtin AWG install finished');
|
|
|
|
$resolvedPort = null;
|
|
if (isset($res['vpn_port']) && (int) $res['vpn_port'] > 0) {
|
|
$resolvedPort = (int) $res['vpn_port'];
|
|
} elseif (isset($res['server_port']) && (int) $res['server_port'] > 0) {
|
|
$resolvedPort = (int) $res['server_port'];
|
|
}
|
|
|
|
$resolvedAwgParams = $res['awg_params'] ?? null;
|
|
if (!is_array($resolvedAwgParams)) {
|
|
$candidate = [];
|
|
foreach (['Jc', 'Jmin', 'Jmax', 'S1', 'S2', 'H1', 'H2', 'H3', 'H4'] as $k) {
|
|
if (array_key_exists($k, $res)) {
|
|
$candidate[$k] = $res[$k];
|
|
}
|
|
}
|
|
if ($candidate) {
|
|
$resolvedAwgParams = $candidate;
|
|
}
|
|
}
|
|
|
|
self::markServerActive($serverId, null, [
|
|
'vpn_port' => $resolvedPort,
|
|
'server_public_key' => $res['server_public_key'] ?? null,
|
|
'preshared_key' => $res['preshared_key'] ?? null,
|
|
'container_name' => $res['container_name'] ?? null,
|
|
'awg_params' => $resolvedAwgParams,
|
|
]);
|
|
|
|
$pdo = DB::conn();
|
|
$pid = self::resolveProtocolId($protocol);
|
|
if ($pid) {
|
|
$config = [
|
|
'server_host' => $server->getData()['host'] ?? null,
|
|
'server_port' => $resolvedPort,
|
|
'extras' => $res
|
|
];
|
|
$stmt2 = $pdo->prepare('INSERT INTO server_protocols (server_id, protocol_id, config_data, applied_at, created_at) VALUES (?, ?, ?, NOW(), NOW()) ON DUPLICATE KEY UPDATE config_data = VALUES(config_data), applied_at = NOW()');
|
|
$stmt2->execute([$serverId, $pid, json_encode($config)]);
|
|
}
|
|
// Sync existing clients from DB to Container (Restore active clients)
|
|
self::syncClientsToContainer($server, $protocol);
|
|
return ['success' => true, 'mode' => 'install', 'details' => $res];
|
|
}
|
|
if (!isset($options['server_port']) || !is_int($options['server_port'])) {
|
|
$options['server_port'] = self::chooseServerPort($server, $protocol['definition']['metadata'] ?? []);
|
|
}
|
|
$res = self::runScript($server, $protocol, 'install', $options);
|
|
if (!isset($res['success'])) {
|
|
$res['success'] = true;
|
|
}
|
|
$port = null;
|
|
$password = null;
|
|
$clientId = null;
|
|
if (isset($res['vpn_port'])) {
|
|
$port = (int) $res['vpn_port'];
|
|
}
|
|
if (isset($res['server_port'])) {
|
|
$port = (int) $res['server_port'];
|
|
}
|
|
if (isset($res['client_id']) && is_string($res['client_id'])) {
|
|
$clientId = $res['client_id'];
|
|
}
|
|
if (is_string($res['output'] ?? '')) {
|
|
$out = $res['output'];
|
|
if (preg_match('/Port:\s*(\d+)/i', $out, $m)) {
|
|
$port = (int) $m[1];
|
|
}
|
|
if (preg_match('/Password:\s*([\w-]+)/i', $out, $m)) {
|
|
$password = $m[1];
|
|
}
|
|
if (preg_match('/ClientID:\s*([0-9a-fA-F-]+)/i', $out, $m)) {
|
|
$clientId = $m[1];
|
|
}
|
|
}
|
|
if (($protocol['slug'] ?? '') === 'xray-vless' && $clientId === null) {
|
|
$containerName = 'amnezia-xray';
|
|
if (isset($res['container_name']) && is_string($res['container_name']) && trim($res['container_name']) !== '') {
|
|
$containerName = trim($res['container_name']);
|
|
}
|
|
try {
|
|
$cfg = $server->executeCommand("docker exec -i " . escapeshellarg($containerName) . " cat /opt/amnezia/xray/server.json 2>/dev/null", true);
|
|
if (trim((string) $cfg) === '') {
|
|
$cfg = $server->executeCommand("docker exec -i " . escapeshellarg($containerName) . " cat /etc/xray/config.json 2>/dev/null", true);
|
|
}
|
|
$decoded = json_decode(trim((string) $cfg), true);
|
|
if (is_array($decoded)) {
|
|
$inbounds = $decoded['inbounds'] ?? [];
|
|
if (is_array($inbounds) && !empty($inbounds)) {
|
|
$settings = $inbounds[0]['settings'] ?? [];
|
|
$clients = $settings['clients'] ?? [];
|
|
if (is_array($clients) && !empty($clients)) {
|
|
$cid = $clients[0]['id'] ?? null;
|
|
if (is_string($cid) && $cid !== '') {
|
|
$clientId = $cid;
|
|
}
|
|
}
|
|
$stream = $inbounds[0]['streamSettings'] ?? [];
|
|
if (is_array($stream) && ($stream['security'] ?? '') === 'reality') {
|
|
$rs = $stream['realitySettings'] ?? [];
|
|
$serverNames = $rs['serverNames'] ?? ($rs['serverName'] ?? []);
|
|
$shortIds = $rs['shortIds'] ?? ($rs['shortId'] ?? []);
|
|
$serverName = is_array($serverNames) ? ($serverNames[0] ?? null) : (is_string($serverNames) ? $serverNames : null);
|
|
$shortId = is_array($shortIds) ? ($shortIds[0] ?? null) : (is_string($shortIds) ? $shortIds : null);
|
|
$privateKey = $rs['privateKey'] ?? null;
|
|
$publicKey = null;
|
|
if (is_string($privateKey) && $privateKey !== '' && function_exists('sodium_crypto_scalarmult_base')) {
|
|
$pk = $privateKey;
|
|
$b64 = strtr($pk, '-_', '+/');
|
|
$bin = base64_decode($b64, true);
|
|
if ($bin === false) {
|
|
$bin = base64_decode($pk, true);
|
|
}
|
|
if (is_string($bin) && strlen($bin) === 32) {
|
|
$pub = sodium_crypto_scalarmult_base($bin);
|
|
$publicKey = rtrim(strtr(base64_encode($pub), '+/', '-_'), '=');
|
|
}
|
|
}
|
|
if ($publicKey) {
|
|
$res['reality_public_key'] = $publicKey;
|
|
}
|
|
// Store private key for future restoration
|
|
if (is_string($privateKey) && $privateKey !== '') {
|
|
$res['reality_private_key'] = $privateKey;
|
|
}
|
|
if ($shortId) {
|
|
$res['reality_short_id'] = $shortId;
|
|
}
|
|
if ($serverName) {
|
|
$res['reality_server_name'] = $serverName;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} catch (Throwable $e) {
|
|
}
|
|
}
|
|
Logger::appendInstall($serverId, 'Scripted install parsed port ' . ($port ?? 0) . ' password ' . ($password ?? ''));
|
|
$pdo = DB::conn();
|
|
$pid = self::resolveProtocolId($protocol);
|
|
if ($pid) {
|
|
$config = [
|
|
'server_host' => $server->getData()['host'] ?? null,
|
|
'server_port' => $port,
|
|
'extras' => [
|
|
'password' => $password,
|
|
'client_id' => $clientId,
|
|
'result' => $res,
|
|
'reality_public_key' => $res['reality_public_key'] ?? null,
|
|
'reality_private_key' => $res['reality_private_key'] ?? null,
|
|
'reality_short_id' => $res['reality_short_id'] ?? null,
|
|
'reality_server_name' => $res['reality_server_name'] ?? null,
|
|
]
|
|
];
|
|
$stmt2 = $pdo->prepare('INSERT INTO server_protocols (server_id, protocol_id, config_data, applied_at, created_at) VALUES (?, ?, ?, NOW(), NOW()) ON DUPLICATE KEY UPDATE config_data = VALUES(config_data), applied_at = NOW()');
|
|
$stmt2->execute([$serverId, $pid, json_encode($config)]);
|
|
}
|
|
return $res;
|
|
} catch (Throwable $e) {
|
|
$message = (string) $e->getMessage();
|
|
if (
|
|
stripos($message, 'server_protocols_ibfk_1') !== false
|
|
|| (stripos($message, 'foreign key constraint fails') !== false && stripos($message, 'server_protocols') !== false)
|
|
) {
|
|
$message = 'Сервер был удален или пересоздан во время установки. Обновите страницу и запустите установку заново.';
|
|
}
|
|
|
|
self::markServerError($serverId, $message);
|
|
Logger::appendInstall($serverId, 'Activate failed: ' . $message);
|
|
throw new Exception($message, 0, $e);
|
|
}
|
|
}
|
|
|
|
private static function runBuiltinAivpnAddClient(VpnServer $server, array $options): array
|
|
{
|
|
$serverData = $server->getData();
|
|
$containerName = self::resolveAivpnContainerName($server, $options);
|
|
|
|
$clientName = trim((string) ($options['login'] ?? ($options['name'] ?? '')));
|
|
if ($clientName === '') {
|
|
$clientName = 'client-' . date('YmdHis');
|
|
}
|
|
|
|
$serverHostRaw = trim((string) ($options['server_host'] ?? ($serverData['host'] ?? '')));
|
|
$serverHostSanitized = preg_replace('#^https?://#i', '', $serverHostRaw);
|
|
$serverHostSanitized = preg_replace('#/.*$#', '', $serverHostSanitized ?? '');
|
|
$serverHost = $serverHostSanitized;
|
|
$embeddedPort = null;
|
|
if ($serverHostSanitized !== '' && preg_match('/^(.+?)(?::\d+)+$/', $serverHostSanitized, $m)) {
|
|
$serverHost = trim((string) $m[1]);
|
|
if (preg_match('/:(\d+)$/', $serverHostSanitized, $pm)) {
|
|
$embeddedPort = (int) $pm[1];
|
|
}
|
|
}
|
|
|
|
$defaultPort = 443;
|
|
if (stripos((string) ($serverData['install_protocol'] ?? ''), 'aivpn') !== false && (int) ($serverData['vpn_port'] ?? 0) > 0) {
|
|
$defaultPort = (int) $serverData['vpn_port'];
|
|
}
|
|
$serverPort = isset($options['server_port']) ? (int) $options['server_port'] : 0;
|
|
if ($serverPort <= 0 && $embeddedPort !== null && $embeddedPort > 0) {
|
|
$serverPort = $embeddedPort;
|
|
}
|
|
if ($serverPort <= 0) {
|
|
$serverPort = $defaultPort;
|
|
}
|
|
if (
|
|
stripos((string) ($serverData['install_protocol'] ?? ''), 'aivpn') === false &&
|
|
$embeddedPort === null &&
|
|
(int) ($serverData['vpn_port'] ?? 0) > 0 &&
|
|
$serverPort === (int) $serverData['vpn_port']
|
|
) {
|
|
$serverPort = 443;
|
|
}
|
|
if ($serverPort <= 0) {
|
|
$serverPort = 443;
|
|
}
|
|
|
|
$cmdParts = [
|
|
'docker',
|
|
'exec',
|
|
'-i',
|
|
escapeshellarg($containerName),
|
|
'aivpn-server',
|
|
'--add-client',
|
|
escapeshellarg($clientName),
|
|
'--key-file',
|
|
'/etc/aivpn/server.key',
|
|
'--clients-db',
|
|
'/etc/aivpn/clients.json',
|
|
];
|
|
|
|
if ($serverHost !== '') {
|
|
$cmdParts[] = '--server-ip';
|
|
$cmdParts[] = escapeshellarg($serverHost . ':' . $serverPort);
|
|
}
|
|
|
|
$cmd = implode(' ', $cmdParts);
|
|
Logger::appendInstall($server->getId(), 'Adding AIVPN client via builtin add_client: ' . $clientName . ' in ' . $containerName);
|
|
$output = (string) $server->executeCommand($cmd, true);
|
|
$parsed = self::parseAivpnAddClientOutput($output);
|
|
|
|
if (empty($parsed['connection_uri']) && empty($parsed['connection_key'])) {
|
|
$head = substr(str_replace(["\r", "\n"], ' ', trim($output)), 0, 220);
|
|
throw new Exception('AIVPN add_client succeeded but no connection key found in output: ' . $head);
|
|
}
|
|
|
|
$result = ['success' => true];
|
|
if (!empty($parsed['connection_uri'])) {
|
|
$result['connection_uri'] = $parsed['connection_uri'];
|
|
}
|
|
if (!empty($parsed['connection_key'])) {
|
|
$result['connection_key'] = $parsed['connection_key'];
|
|
}
|
|
if (!empty($parsed['client_ip'])) {
|
|
$result['client_ip'] = $parsed['client_ip'];
|
|
}
|
|
if (!empty($parsed['client_id'])) {
|
|
$result['client_id'] = $parsed['client_id'];
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
private static function parseAivpnAddClientOutput(string $output): array
|
|
{
|
|
$result = [];
|
|
$trimmed = trim($output);
|
|
if ($trimmed === '') {
|
|
return $result;
|
|
}
|
|
|
|
if (preg_match('/(aivpn:\/\/[A-Za-z0-9_\-+=\/]+)/', $trimmed, $m)) {
|
|
$uri = trim((string) $m[1]);
|
|
$result['connection_uri'] = $uri;
|
|
if (stripos($uri, 'aivpn://') === 0) {
|
|
$result['connection_key'] = substr($uri, strlen('aivpn://'));
|
|
}
|
|
}
|
|
|
|
if (preg_match('/\bID:\s*([a-zA-Z0-9]+)/', $trimmed, $m)) {
|
|
$result['client_id'] = trim((string) $m[1]);
|
|
}
|
|
|
|
if (preg_match('/\bVPN\s*IP:\s*([0-9.]+)/i', $trimmed, $m)) {
|
|
$result['client_ip'] = trim((string) $m[1]);
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
private static function runBuiltinXrayAddClient(VpnServer $server, array $options): array
|
|
{
|
|
$clientId = $options['client_id'] ?? null;
|
|
if (!$clientId) {
|
|
throw new Exception("Client ID is required for X-Ray add_client");
|
|
}
|
|
|
|
// Default container name if not provided
|
|
$containerName = 'amnezia-xray';
|
|
if (!empty($options['container_name'])) {
|
|
$containerName = $options['container_name'];
|
|
}
|
|
|
|
Logger::appendInstall($server->getId(), "Adding X-Ray client $clientId to container $containerName");
|
|
|
|
// 1. Read config
|
|
$catCmd = "docker exec -i " . escapeshellarg($containerName) . " cat /opt/amnezia/xray/server.json 2>/dev/null";
|
|
$configRaw = $server->executeCommand($catCmd, true);
|
|
|
|
if (trim($configRaw) === '') {
|
|
$catCmd = "docker exec -i " . escapeshellarg($containerName) . " cat /etc/xray/config.json 2>/dev/null";
|
|
$configRaw = $server->executeCommand($catCmd, true);
|
|
}
|
|
|
|
if (trim($configRaw) === '') {
|
|
throw new Exception("Could not read X-Ray config from $containerName");
|
|
}
|
|
|
|
$config = json_decode($configRaw, true);
|
|
if (!$config) {
|
|
throw new Exception("Invalid JSON in X-Ray config");
|
|
}
|
|
|
|
// 2. Modify config
|
|
|
|
// Ensure policy for 1 user 1 connection
|
|
if (!isset($config['policy'])) {
|
|
$config['policy'] = ['levels' => ['0' => []]];
|
|
}
|
|
if (!isset($config['policy']['levels'])) {
|
|
$config['policy']['levels'] = ['0' => []];
|
|
}
|
|
if (!isset($config['policy']['levels']['0'])) {
|
|
$config['policy']['levels']['0'] = [];
|
|
}
|
|
|
|
// Enforce stats and online tracking for user level 0
|
|
$config['policy']['levels']['0']['handshake'] = 4;
|
|
$config['policy']['levels']['0']['connIdle'] = 300;
|
|
$config['policy']['levels']['0']['uplinkOnly'] = 2;
|
|
$config['policy']['levels']['0']['downlinkOnly'] = 5;
|
|
$config['policy']['levels']['0']['statsUserUplink'] = true;
|
|
$config['policy']['levels']['0']['statsUserDownlink'] = true;
|
|
$config['policy']['levels']['0']['statsUserOnline'] = true; // Enable online tracking
|
|
$config['policy']['levels']['0']['bufferSize'] = 4;
|
|
|
|
// Ensure API services include StatsService and RoutingService
|
|
if (!isset($config['api'])) {
|
|
$config['api'] = ['tag' => 'api', 'services' => []];
|
|
}
|
|
if (!isset($config['api']['services'])) {
|
|
$config['api']['services'] = [];
|
|
}
|
|
if (!in_array('StatsService', $config['api']['services'])) {
|
|
$config['api']['services'][] = 'StatsService';
|
|
}
|
|
if (!in_array('RoutingService', $config['api']['services'])) {
|
|
$config['api']['services'][] = 'RoutingService';
|
|
}
|
|
|
|
// Ensure blocked outbound exists for IP blocking
|
|
if (!isset($config['outbounds'])) {
|
|
$config['outbounds'] = [];
|
|
}
|
|
$hasBlocked = false;
|
|
foreach ($config['outbounds'] as $ob) {
|
|
if (($ob['tag'] ?? '') === 'blocked') {
|
|
$hasBlocked = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!$hasBlocked) {
|
|
$config['outbounds'][] = ['protocol' => 'blackhole', 'tag' => 'blocked'];
|
|
}
|
|
|
|
// Ensure main inbound has a tag for routing rules
|
|
if (!isset($config['inbounds'][0]['tag'])) {
|
|
$config['inbounds'][0]['tag'] = 'vless-in';
|
|
}
|
|
|
|
// Assuming VLESS structure: inbounds[0] -> settings -> clients
|
|
|
|
if (!isset($config['inbounds'][0]['settings']['clients'])) {
|
|
// Might be different structure? But we stick to standard Amnezia XRay config
|
|
if (!isset($config['inbounds'][0]['settings'])) {
|
|
$config['inbounds'][0]['settings'] = [];
|
|
}
|
|
if (!isset($config['inbounds'][0]['settings']['clients'])) {
|
|
$config['inbounds'][0]['settings']['clients'] = [];
|
|
}
|
|
}
|
|
|
|
// Check if client exists
|
|
$clients = &$config['inbounds'][0]['settings']['clients'];
|
|
$duplicateFound = false;
|
|
foreach ($clients as $k => $c) {
|
|
if (($c['id'] ?? '') === $clientId) {
|
|
// Already exists by ID (exact match)
|
|
Logger::appendInstall($server->getId(), "Client $clientId already exists in X-Ray config");
|
|
return ['success' => true, 'message' => 'Client already exists'];
|
|
}
|
|
if (($c['email'] ?? '') === (!empty($options['login']) ? $options['login'] : $clientId)) {
|
|
// Email conflict! (Different ID but same email)
|
|
// This happens if user re-adds a client with same login but new UUID (after deleting from DB)
|
|
Logger::appendInstall($server->getId(), "Client email already exists in X-Ray config. Updating ID/Level.");
|
|
|
|
// Update existing client entry with new UUID
|
|
$clients[$k]['id'] = $clientId;
|
|
$clients[$k]['level'] = 0; // Ensure level 0
|
|
|
|
$duplicateFound = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!$duplicateFound) {
|
|
// Add new client (no conflict)
|
|
$email = !empty($options['login']) ? $options['login'] : $clientId;
|
|
$newClient = ['id' => $clientId, 'email' => $email];
|
|
|
|
// Detect flow from other clients or default
|
|
$flow = 'xtls-rprx-vision'; // Default for Reality
|
|
if (!empty($clients)) {
|
|
if (isset($clients[0]['flow'])) {
|
|
$flow = $clients[0]['flow'];
|
|
}
|
|
}
|
|
$newClient['flow'] = $flow;
|
|
$newClient['level'] = 0; // Explicitly set level 0
|
|
|
|
$clients[] = $newClient;
|
|
}
|
|
|
|
// Fix JSON encoding issues (empty objects becoming arrays)
|
|
if (isset($config['stats']) && empty($config['stats'])) {
|
|
$config['stats'] = new stdClass();
|
|
}
|
|
if (isset($config['policy']['levels']) && is_array($config['policy']['levels'])) {
|
|
// Check if it's an indexed array (0, 1...) which is wrong for X-ray levels map
|
|
if (array_keys($config['policy']['levels']) === range(0, count($config['policy']['levels']) - 1)) {
|
|
$newLevels = new stdClass();
|
|
foreach ($config['policy']['levels'] as $idx => $lvl) {
|
|
$newLevels->{(string) $idx} = $lvl;
|
|
}
|
|
$config['policy']['levels'] = $newLevels;
|
|
} elseif (empty($config['policy']['levels'])) {
|
|
$config['policy']['levels'] = new stdClass();
|
|
}
|
|
} else {
|
|
if (!isset($config['policy'])) {
|
|
$config['policy'] = new stdClass();
|
|
}
|
|
if (!isset($config['policy']['levels'])) {
|
|
$config['policy']['levels'] = new stdClass();
|
|
}
|
|
}
|
|
|
|
// Enforce Level 0 Policy with online tracking
|
|
if (!isset($config['policy']['levels']->{'0'})) {
|
|
$config['policy']['levels']->{'0'} = new stdClass();
|
|
}
|
|
$level0 = $config['policy']['levels']->{'0'};
|
|
// Cast to object if array
|
|
if (is_array($level0)) {
|
|
$level0 = (object) $level0;
|
|
$config['policy']['levels']->{'0'} = $level0;
|
|
}
|
|
|
|
// Set restriction parameters (statsUserOnline enables connection counting)
|
|
$level0->handshake = 4;
|
|
$level0->connIdle = 300;
|
|
$level0->uplinkOnly = 2;
|
|
$level0->downlinkOnly = 5;
|
|
$level0->statsUserUplink = true;
|
|
$level0->statsUserDownlink = true;
|
|
$level0->statsUserOnline = true; // Enable online tracking for enforcement
|
|
$level0->bufferSize = 4;
|
|
// It's an assoc array, duplicate it to stdClass to ensure object encoding
|
|
$config['policy']['levels'] = (object) $config['policy']['levels'];
|
|
|
|
|
|
// 3. Write config back
|
|
$newJson = json_encode($config, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
|
|
$b64 = base64_encode($newJson);
|
|
$writeCmd = "docker exec -i " . escapeshellarg($containerName) . " sh -c 'echo \"$b64\" | base64 -d > /opt/amnezia/xray/server.json'";
|
|
|
|
$server->executeCommand($writeCmd, true);
|
|
|
|
// 4. Restart container
|
|
$server->executeCommand("docker restart " . escapeshellarg($containerName), true);
|
|
|
|
Logger::appendInstall($server->getId(), "Updated X-Ray config and restarted container");
|
|
|
|
return ['success' => true];
|
|
}
|
|
|
|
/**
|
|
* Sync all active clients from DB to the Container configuration
|
|
*/
|
|
private static function syncClientsToContainer(VpnServer $server, array $protocol): void
|
|
{
|
|
$serverId = $server->getId();
|
|
$pdo = DB::conn();
|
|
|
|
// Fetch active clients
|
|
$stmt = $pdo->prepare("SELECT * FROM vpn_clients WHERE server_id = ? AND status = 'active'");
|
|
$stmt->execute([$serverId]);
|
|
$clients = $stmt->fetchAll();
|
|
|
|
if (empty($clients)) {
|
|
return;
|
|
}
|
|
|
|
$containerName = $server->getData()['container_name'] ?? 'amnezia-awg';
|
|
|
|
// Read existing config
|
|
$conf = $server->executeCommand("docker exec -i $containerName cat /opt/amnezia/awg/wg0.conf", true);
|
|
if (!$conf)
|
|
return;
|
|
|
|
$newPeersBlock = "";
|
|
$count = 0;
|
|
|
|
foreach ($clients as $client) {
|
|
$ip = $client['client_ip'];
|
|
// Check if peer already exists (simple check by IP)
|
|
if (strpos($conf, $ip) !== false) {
|
|
continue;
|
|
}
|
|
|
|
// Append Peer
|
|
$newPeersBlock .= "\n[Peer]\n";
|
|
$newPeersBlock .= "PublicKey = " . $client['public_key'] . "\n";
|
|
if (!empty($client['preshared_key'])) {
|
|
$newPeersBlock .= "PresharedKey = " . $client['preshared_key'] . "\n";
|
|
}
|
|
// Use AllowedIPs from DB or default to /32
|
|
$allowed = $client['allowed_ips'] ?? "$ip/32";
|
|
$newPeersBlock .= "AllowedIPs = $allowed\n";
|
|
$count++;
|
|
}
|
|
|
|
if ($count > 0) {
|
|
Logger::appendInstall($serverId, "Syncing $count existing clients to server config");
|
|
$conf .= $newPeersBlock;
|
|
$escaped = addslashes($conf);
|
|
$server->executeCommand("docker exec -i $containerName sh -c 'echo \"$escaped\" > /opt/amnezia/awg/wg0.conf'", true);
|
|
|
|
// Reload interface
|
|
$server->executeCommand("docker exec -i $containerName wg-quick down wg0 || true", true);
|
|
$server->executeCommand("docker exec -i $containerName wg-quick up wg0", true);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Resolve protocol ID from protocol array, looking up by slug if needed
|
|
*/
|
|
private static function resolveProtocolId(array $protocol): int
|
|
{
|
|
$pid = (int) ($protocol['id'] ?? 0);
|
|
if (!$pid) {
|
|
$slug = $protocol['slug'] ?? '';
|
|
if ($slug === '') {
|
|
return 0;
|
|
}
|
|
try {
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('SELECT id FROM protocols WHERE slug = ? LIMIT 1');
|
|
$stmt->execute([$slug]);
|
|
$pid = (int) $stmt->fetchColumn();
|
|
} catch (Throwable $e) {
|
|
return 0;
|
|
}
|
|
}
|
|
return $pid;
|
|
}
|
|
|
|
/**
|
|
* Detect existing X-Ray (VLESS Reality) installation on the server
|
|
*/
|
|
private static function detectBuiltinXray(VpnServer $server, array $protocol): array
|
|
{
|
|
$metadata = $protocol['definition']['metadata'] ?? [];
|
|
$containerName = $metadata['container_name'] ?? 'amnezia-xray';
|
|
$containerFilter = escapeshellarg('^' . $containerName . '$');
|
|
$containerArg = escapeshellarg($containerName);
|
|
|
|
$containerListRaw = trim($server->executeCommand("docker ps -a --filter name={$containerFilter} --format '{{.Names}}'", true));
|
|
if ($containerListRaw === '') {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Контейнер X-Ray не найден на сервере'
|
|
];
|
|
}
|
|
|
|
if (preg_match('/docker: command not found|command not found|cannot connect to the docker daemon|permission denied/i', $containerListRaw)) {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Docker CLI недоступен на сервере',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerListRaw,
|
|
]
|
|
];
|
|
}
|
|
|
|
$containerNames = array_values(array_filter(array_map('trim', preg_split('/\R+/', $containerListRaw))));
|
|
if (!in_array($containerName, $containerNames, true)) {
|
|
return [
|
|
'status' => 'absent',
|
|
'message' => 'Контейнер X-Ray не найден на сервере'
|
|
];
|
|
}
|
|
|
|
$containerState = trim($server->executeCommand("docker inspect --format '{{.State.Status}}' {$containerArg}", true));
|
|
|
|
// Read X-Ray config
|
|
$configRaw = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/xray/server.json 2>/dev/null", true);
|
|
if (trim($configRaw) === '') {
|
|
$configRaw = $server->executeCommand("docker exec -i {$containerArg} cat /etc/xray/config.json 2>/dev/null", true);
|
|
}
|
|
|
|
if (trim($configRaw) === '') {
|
|
return [
|
|
'status' => 'partial',
|
|
'message' => 'Контейнер X-Ray найден, но конфигурация server.json отсутствует',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
]
|
|
];
|
|
}
|
|
|
|
$config = json_decode(trim($configRaw), true);
|
|
if (!is_array($config)) {
|
|
return [
|
|
'status' => 'partial',
|
|
'message' => 'Не удалось разобрать JSON конфигурации X-Ray',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
]
|
|
];
|
|
}
|
|
|
|
// Extract port, clients, Reality keys
|
|
$inbounds = $config['inbounds'] ?? [];
|
|
$port = 443;
|
|
$xrayClients = [];
|
|
$realityPublicKey = null;
|
|
$realityPrivateKey = null;
|
|
$realityShortId = null;
|
|
$realityServerName = null;
|
|
|
|
if (is_array($inbounds) && !empty($inbounds)) {
|
|
$port = (int) ($inbounds[0]['port'] ?? 443);
|
|
$settings = $inbounds[0]['settings'] ?? [];
|
|
$xrayClients = $settings['clients'] ?? [];
|
|
|
|
$stream = $inbounds[0]['streamSettings'] ?? [];
|
|
if (is_array($stream) && ($stream['security'] ?? '') === 'reality') {
|
|
$rs = $stream['realitySettings'] ?? [];
|
|
$serverNames = $rs['serverNames'] ?? ($rs['serverName'] ?? []);
|
|
$shortIds = $rs['shortIds'] ?? ($rs['shortId'] ?? []);
|
|
$realityServerName = is_array($serverNames) ? ($serverNames[0] ?? null) : (is_string($serverNames) ? $serverNames : null);
|
|
$realityShortId = is_array($shortIds) ? ($shortIds[0] ?? null) : (is_string($shortIds) ? $shortIds : null);
|
|
$realityPrivateKey = $rs['privateKey'] ?? null;
|
|
|
|
// Derive public key from private
|
|
if (is_string($realityPrivateKey) && $realityPrivateKey !== '' && function_exists('sodium_crypto_scalarmult_base')) {
|
|
$b64 = strtr($realityPrivateKey, '-_', '+/');
|
|
$bin = base64_decode($b64, true);
|
|
if ($bin === false) {
|
|
$bin = base64_decode($realityPrivateKey, true);
|
|
}
|
|
if (is_string($bin) && strlen($bin) === 32) {
|
|
$pub = sodium_crypto_scalarmult_base($bin);
|
|
$realityPublicKey = rtrim(strtr(base64_encode($pub), '+/', '-_'), '=');
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Read clientsTable for names
|
|
$clientsTableRaw = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/xray/clientsTable 2>/dev/null", true);
|
|
$clientsTable = json_decode(trim($clientsTableRaw), true);
|
|
$clientsCount = is_array($xrayClients) ? count($xrayClients) : 0;
|
|
|
|
return [
|
|
'status' => 'existing',
|
|
'message' => 'Найдена установленная конфигурация X-Ray VLESS Reality',
|
|
'details' => [
|
|
'container_name' => $containerName,
|
|
'container_status' => $containerState,
|
|
'port' => $port,
|
|
'clients' => $xrayClients,
|
|
'clients_table' => is_array($clientsTable) ? $clientsTable : [],
|
|
'clients_count' => $clientsCount,
|
|
'reality_public_key' => $realityPublicKey,
|
|
'reality_private_key' => $realityPrivateKey,
|
|
'reality_short_id' => $realityShortId,
|
|
'reality_server_name' => $realityServerName,
|
|
'config' => $config,
|
|
'summary' => sprintf('Container %s (%s), port %d, clients %d', $containerName, $containerState ?: 'unknown', $port, $clientsCount)
|
|
]
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Restore existing X-Ray installation: save config to DB, import clients
|
|
*/
|
|
private static function restoreBuiltinXray(VpnServer $server, array $protocol, array $detection, array $options): array
|
|
{
|
|
$details = $detection['details'] ?? [];
|
|
$containerName = $details['container_name'] ?? 'amnezia-xray';
|
|
$containerArg = escapeshellarg($containerName);
|
|
$serverId = $server->getId();
|
|
|
|
// Ensure container is running
|
|
$server->executeCommand("docker start {$containerArg} 2>/dev/null || true", true);
|
|
|
|
// Update vpn_servers with X-Ray data
|
|
$port = $details['port'] ?? 443;
|
|
$pdo = DB::conn();
|
|
$stmt = $pdo->prepare('
|
|
UPDATE vpn_servers
|
|
SET vpn_port = ?,
|
|
status = ?,
|
|
error_message = NULL,
|
|
deployed_at = COALESCE(deployed_at, NOW())
|
|
WHERE id = ?
|
|
');
|
|
$stmt->execute([$port, 'active', $serverId]);
|
|
$server->refresh();
|
|
|
|
// Save protocol binding
|
|
$pid = self::resolveProtocolId($protocol);
|
|
if ($pid) {
|
|
$config = [
|
|
'server_host' => $server->getData()['host'] ?? null,
|
|
'server_port' => $port,
|
|
'extras' => [
|
|
'reality_public_key' => $details['reality_public_key'] ?? null,
|
|
'reality_private_key' => $details['reality_private_key'] ?? null,
|
|
'reality_short_id' => $details['reality_short_id'] ?? null,
|
|
'reality_server_name' => $details['reality_server_name'] ?? null,
|
|
'container_name' => $containerName,
|
|
]
|
|
];
|
|
$stmt2 = $pdo->prepare('INSERT INTO server_protocols (server_id, protocol_id, config_data, applied_at, created_at) VALUES (?, ?, ?, NOW(), NOW()) ON DUPLICATE KEY UPDATE config_data = VALUES(config_data), applied_at = NOW()');
|
|
$stmt2->execute([$serverId, $pid, json_encode($config)]);
|
|
}
|
|
|
|
// Import X-Ray clients into database
|
|
$xrayClients = $details['clients'] ?? [];
|
|
$clientsTable = $details['clients_table'] ?? [];
|
|
$serverData = $server->getData();
|
|
$imported = 0;
|
|
|
|
// Build name lookup from clientsTable
|
|
$nameById = [];
|
|
if (is_array($clientsTable)) {
|
|
foreach ($clientsTable as $entry) {
|
|
$cid = $entry['clientId'] ?? '';
|
|
$cname = $entry['userData']['clientName'] ?? null;
|
|
if ($cid !== '' && $cname) {
|
|
$nameById[$cid] = $cname;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (is_array($xrayClients)) {
|
|
foreach ($xrayClients as $xClient) {
|
|
$uuid = $xClient['id'] ?? '';
|
|
if ($uuid === '') continue;
|
|
|
|
// Check if client already exists by public_key (UUID used as identifier)
|
|
$chk = $pdo->prepare('SELECT id FROM vpn_clients WHERE server_id = ? AND public_key = ?');
|
|
$chk->execute([$serverId, $uuid]);
|
|
if ($chk->fetch()) {
|
|
continue;
|
|
}
|
|
|
|
// Also check by name/email
|
|
$email = $xClient['email'] ?? '';
|
|
if ($email !== '') {
|
|
$chk2 = $pdo->prepare('SELECT id FROM vpn_clients WHERE server_id = ? AND name = ?');
|
|
$chk2->execute([$serverId, $email]);
|
|
if ($chk2->fetch()) {
|
|
continue;
|
|
}
|
|
}
|
|
|
|
$name = $nameById[$uuid] ?? ($email !== '' ? $email : 'xray-' . substr($uuid, 0, 8));
|
|
|
|
// X-Ray config does not store per-client tunnel IP like WireGuard.
|
|
// Keep client_ip deterministic from config client id (UUID) during restore.
|
|
$clientIp = $uuid;
|
|
|
|
// Generate VLESS config URL for the client
|
|
$host = $serverData['host'] ?? '';
|
|
$realityPub = $details['reality_public_key'] ?? '';
|
|
$shortId = $details['reality_short_id'] ?? '';
|
|
$sni = $details['reality_server_name'] ?? '';
|
|
$flow = $xClient['flow'] ?? 'xtls-rprx-vision';
|
|
|
|
$vlessUrl = sprintf(
|
|
'vless://%s@%s:%d?type=tcp&security=reality&pbk=%s&fp=chrome&sni=%s&sid=%s&spx=%%2F&flow=%s#%s',
|
|
$uuid,
|
|
$host,
|
|
$port,
|
|
urlencode($realityPub),
|
|
urlencode($sni),
|
|
urlencode($shortId),
|
|
urlencode($flow),
|
|
urlencode($name)
|
|
);
|
|
|
|
$ins = $pdo->prepare('INSERT INTO vpn_clients (server_id, user_id, name, client_ip, public_key, private_key, preshared_key, config, protocol_id, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())');
|
|
$ins->execute([
|
|
$serverId,
|
|
$serverData['user_id'] ?? null,
|
|
$name,
|
|
$clientIp,
|
|
$uuid,
|
|
'',
|
|
'',
|
|
$vlessUrl,
|
|
$pid ?: null,
|
|
'active' // Import as active since they work on the server
|
|
]);
|
|
$imported++;
|
|
Logger::appendInstall($serverId, "Imported X-Ray client: {$name} ({$uuid})");
|
|
}
|
|
}
|
|
|
|
Logger::appendInstall($serverId, "X-Ray restore complete: imported {$imported} clients");
|
|
|
|
return [
|
|
'success' => true,
|
|
'mode' => 'restore',
|
|
'message' => 'Существующая конфигурация X-Ray восстановлена',
|
|
'port' => $port,
|
|
'clients_count' => count($xrayClients),
|
|
'imported_clients' => $imported,
|
|
'reality_public_key' => $details['reality_public_key'] ?? null,
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Import existing AWG clients from server into database (called during activate with existing config)
|
|
*/
|
|
private static function importExistingAwgClients(VpnServer $server, array $protocol, array $detection): void
|
|
{
|
|
$details = $detection['details'] ?? [];
|
|
$containerName = $details['container_name'] ?? 'amnezia-awg';
|
|
$containerArg = escapeshellarg($containerName);
|
|
$serverId = $server->getId();
|
|
$pdo = DB::conn();
|
|
$serverData = $server->getData();
|
|
$pid = self::resolveProtocolId($protocol);
|
|
|
|
// Read wg0.conf and clientsTable
|
|
$wgConfig = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/wg0.conf 2>/dev/null", true);
|
|
$tableRaw = $server->executeCommand("docker exec -i {$containerArg} cat /opt/amnezia/awg/clientsTable 2>/dev/null", true);
|
|
$clientsTable = json_decode(trim($tableRaw), true);
|
|
|
|
// Build name lookup
|
|
$nameByPub = [];
|
|
if (is_array($clientsTable)) {
|
|
foreach ($clientsTable as $entry) {
|
|
$cid = $entry['clientId'] ?? '';
|
|
$uname = $entry['userData']['clientName'] ?? null;
|
|
if ($cid !== '' && $uname) {
|
|
$nameByPub[$cid] = $uname;
|
|
}
|
|
}
|
|
}
|
|
|
|
$imported = 0;
|
|
if (trim($wgConfig) !== '') {
|
|
$pattern = '/\[Peer\][^\[]*?PublicKey\s*=\s*(.+?)\s*[\r\n]+[\s\S]*?AllowedIPs\s*=\s*(.+?)(?:\r?\n|$)/';
|
|
if (preg_match_all($pattern, $wgConfig, $matches, PREG_SET_ORDER)) {
|
|
foreach ($matches as $m) {
|
|
$pub = trim($m[1]);
|
|
$allowed = trim($m[2]);
|
|
$clientIp = null;
|
|
foreach (explode(',', $allowed) as $ipSpec) {
|
|
$ipSpec = trim($ipSpec);
|
|
if (preg_match('/^([0-9\.]+)\/32$/', $ipSpec, $mm)) {
|
|
$clientIp = $mm[1];
|
|
break;
|
|
}
|
|
}
|
|
if (!$clientIp) continue;
|
|
|
|
// Check if client already exists
|
|
$chk = $pdo->prepare('SELECT id FROM vpn_clients WHERE server_id = ? AND (client_ip = ? OR public_key = ?)');
|
|
$chk->execute([$serverId, $clientIp, $pub]);
|
|
if ($chk->fetch()) continue;
|
|
|
|
$name = $nameByPub[$pub] ?? ('import-' . str_replace('.', '_', $clientIp));
|
|
$ins = $pdo->prepare('INSERT INTO vpn_clients (server_id, user_id, name, client_ip, public_key, private_key, preshared_key, config, protocol_id, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())');
|
|
$ins->execute([
|
|
$serverId,
|
|
$serverData['user_id'] ?? null,
|
|
$name,
|
|
$clientIp,
|
|
$pub,
|
|
'',
|
|
$details['preshared_key'] ?? null,
|
|
'',
|
|
$pid ?: null,
|
|
'active' // Import as active since they exist on the server
|
|
]);
|
|
$imported++;
|
|
Logger::appendInstall($serverId, "Imported AWG client: {$name} ({$clientIp})");
|
|
}
|
|
}
|
|
}
|
|
|
|
Logger::appendInstall($serverId, "AWG client import complete: imported {$imported} clients");
|
|
}
|
|
}
|