335 lines
16 KiB
Bash
335 lines
16 KiB
Bash
#!/bin/bash
|
||
|
||
# ==========================================
|
||
# 标题:X-UI 终极自动安装脚本 (咸V咆哮·物理拔线+真实校验版)
|
||
# 特性:
|
||
# 1. 禁用多线程工具空间预分配,彻底解决空壳文件欺骗。
|
||
# 2. 引入 tar 内部结构模拟解压校验,100% 杜绝损坏包。
|
||
# 3. 15秒生死线:连不上瞬间强杀进程切换。
|
||
# 4. 强制全网 IPv4,规避 IPv6 路由黑洞。
|
||
# ==========================================
|
||
|
||
# --- 颜色配置 ---
|
||
Red="\033[31m"
|
||
Green="\033[32m"
|
||
Yellow="\033[33m"
|
||
Blue="\033[36m"
|
||
Font="\033[0m"
|
||
|
||
# --- 核心配置 ---
|
||
DB_URL="https://git.77582585.xyz/3344/dock/releases/download/3xui1/1.db"
|
||
PRIVATE_AUTH_CODE="7758258"
|
||
INSTALL_PATH="/usr/local/x-ui"
|
||
DB_PATH="/etc/x-ui/x-ui.db"
|
||
FAKE_UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
|
||
|
||
[[ $EUID -ne 0 ]] && echo -e "${Red}错误:请使用 root 权限运行此脚本!${Font}" && exit 1
|
||
|
||
gen_random_string() {
|
||
local length="$1"
|
||
echo $(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w "$length" | head -n 1)
|
||
}
|
||
|
||
# 终极物理拔线 + 真实结构校验下载引擎
|
||
download_file() {
|
||
local url=$1
|
||
local file=$2
|
||
local fallback_url=$3
|
||
local file_type=$4 # 区分是 tar 包还是 db 数据库
|
||
|
||
rm -f "$file" "$file.aria2"
|
||
|
||
# 核心:暴力校验文件真实性
|
||
check_valid() {
|
||
if [ ! -f "$file" ]; then return 1; fi
|
||
|
||
if [ "$file_type" == "tar" ]; then
|
||
# 模拟解压校验:如果是个假包或者空壳,这句直接报错返回 1
|
||
if tar -tzf "$file" >/dev/null 2>&1; then return 0; fi
|
||
elif [ "$file_type" == "db" ]; then
|
||
# 数据库包校验大小即可,要求大于 10KB
|
||
local file_size=$(du -k "$file" | cut -f1)
|
||
if [ "$file_size" -ge 10 ]; then return 0; fi
|
||
fi
|
||
|
||
rm -f "$file" "$file.aria2" # 假包直接干掉
|
||
return 1
|
||
}
|
||
|
||
echo -e "${Yellow} -> 方案一:Aria2 (禁止预分配/15秒强杀)...${Font}"
|
||
if command -v aria2c >/dev/null; then
|
||
# 加入 --file-allocation=none 解决空壳文件 Bug
|
||
timeout 15 aria2c -x 4 -s 4 --file-allocation=none --connect-timeout=5 --timeout=5 --max-tries=1 --disable-ipv6=true --user-agent="$FAKE_UA" --allow-overwrite=true --dir="$(dirname "$file")" --out="$(basename "$file")" "$url" >/dev/null 2>&1
|
||
check_valid && return 0
|
||
fi
|
||
|
||
echo -e "${Yellow} -> 方案二:Wget (强制IPv4/15秒强杀)...${Font}"
|
||
timeout 15 wget -4 --no-check-certificate --user-agent="$FAKE_UA" -T 5 -t 1 -O "$file" "$url" >/dev/null 2>&1
|
||
check_valid && return 0
|
||
|
||
echo -e "${Yellow} -> 方案三:Curl (强力降级/15秒强杀)...${Font}"
|
||
timeout 15 curl -4 --http1.1 -L -k -A "$FAKE_UA" --connect-timeout 5 -m 15 --retry 1 -o "$file" "$url" >/dev/null 2>&1
|
||
check_valid && return 0
|
||
|
||
if [[ -n "$fallback_url" ]]; then
|
||
echo -e "${Red}!! 警告:直链节点全军覆没!启用方案四:GitHub 加速镜像池兜底 !!${Font}"
|
||
timeout 30 wget -4 --no-check-certificate --user-agent="$FAKE_UA" -T 10 -t 2 -O "$file" "$fallback_url" >/dev/null 2>&1
|
||
check_valid && return 0
|
||
fi
|
||
|
||
return 1
|
||
}
|
||
|
||
clear
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e "${Blue} X-UI 终极自动安装脚本 (咸V咆哮专属) ${Font}"
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e "${Yellow}请选择安装模式:${Font}"
|
||
echo -e " 1. ${Green}官方纯净安装${Font} (直链下载主程序,随机生成安全账密)"
|
||
echo -e " 2. ${Red}载入自定义库${Font} (使用预设数据库,需授权码,自动增强安全)"
|
||
echo -e "──────────────────────────────────────────────────"
|
||
read -rp "请输入数字 [1-2] (默认1): " INSTALL_MODE
|
||
[[ -z "$INSTALL_MODE" ]] && INSTALL_MODE="1"
|
||
|
||
if [ "$INSTALL_MODE" == "2" ]; then
|
||
echo -e "──────────────────────────────────────────────────"
|
||
read -s -rp "请输入专属授权码: " INPUT_PWD
|
||
echo ""
|
||
if [ "$INPUT_PWD" != "$PRIVATE_AUTH_CODE" ]; then
|
||
echo -e "${Red}!! 授权码错误:拒绝安装,脚本已终止 !!${Font}"
|
||
exit 1
|
||
else
|
||
echo -e "${Green}>> 授权通过,准备部署自定义配置...${Font}"
|
||
fi
|
||
echo -e "──────────────────────────────────────────────────"
|
||
fi
|
||
|
||
# ==========================================
|
||
# 步骤 1:系统优化与 BBR 加速
|
||
# ==========================================
|
||
echo -e "${Yellow}>> [1/7] 正在清理系统并开启 BBR 网络加速...${Font}"
|
||
if command -v apt-get >/dev/null; then
|
||
apt-get autoremove -y >/dev/null 2>&1
|
||
apt-get clean >/dev/null 2>&1
|
||
elif command -v yum >/dev/null; then
|
||
yum clean all >/dev/null 2>&1
|
||
fi
|
||
if ! grep -q "bbr" /etc/sysctl.conf; then
|
||
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
|
||
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
|
||
sysctl -p >/dev/null 2>&1
|
||
echo -e "${Green}✓ BBR 加速已成功开启${Font}"
|
||
else
|
||
echo -e "${Green}✓ BBR 之前已开启,跳过${Font}"
|
||
fi
|
||
|
||
# ==========================================
|
||
# 步骤 2:安装基础依赖
|
||
# ==========================================
|
||
echo -e "${Yellow}>> [2/7] 正在安装极速下载器与必备依赖...${Font}"
|
||
if command -v apt-get >/dev/null; then
|
||
apt-get update -y -q >/dev/null 2>&1
|
||
apt-get install -y -q aria2 wget curl tar tzdata socat ca-certificates sqlite3 bc coreutils >/dev/null 2>&1
|
||
elif command -v yum >/dev/null; then
|
||
yum install -y -q epel-release >/dev/null 2>&1
|
||
yum install -y -q aria2 wget curl tar tzdata socat ca-certificates sqlite3 bc coreutils >/dev/null 2>&1
|
||
fi
|
||
|
||
SERVER_IP=$(curl -s4m5 api.ipify.org)
|
||
[[ -z "$SERVER_IP" ]] && SERVER_IP=$(curl -s6m5 api64.ipify.org)
|
||
|
||
# ==========================================
|
||
# 步骤 3:架构匹配与多源拉取
|
||
# ==========================================
|
||
echo -e "${Yellow}>> [3/7] 识别架构并拉取核心程序...${Font}"
|
||
ARCH=$(uname -m)
|
||
DOWNLOAD_URL=""
|
||
FILE_NAME=""
|
||
FALLBACK_URL=""
|
||
|
||
case $ARCH in
|
||
x86_64|amd64) DOWNLOAD_URL="https://git.77582585.xyz/attachments/40eeb013-5006-423f-ad74-a0541ab340f4"; FILE_NAME="x-ui-linux-amd64.tar.gz" ;;
|
||
aarch64|armv8|arm64) DOWNLOAD_URL="https://git.77582585.xyz/attachments/4ab708d5-6bc8-42c0-8494-ef5efe03e074"; FILE_NAME="x-ui-linux-arm64.tar.gz" ;;
|
||
i386|i686|x86) DOWNLOAD_URL="https://git.77582585.xyz/attachments/d1604006-c6b7-4c7c-9652-b42b229ef4cb"; FILE_NAME="x-ui-linux-386.tar.gz" ;;
|
||
armv5*) DOWNLOAD_URL="https://git.77582585.xyz/attachments/8a5c678c-4ae4-43c4-910d-7e47f7c21c22"; FILE_NAME="x-ui-linux-armv5.tar.gz" ;;
|
||
armv6*) DOWNLOAD_URL="https://git.77582585.xyz/attachments/0e7c7fd7-192e-44b3-9739-785a5fb1b51f"; FILE_NAME="x-ui-linux-armv6.tar.gz" ;;
|
||
armv7*) DOWNLOAD_URL="https://git.77582585.xyz/attachments/9d1bf416-afb6-4e9f-b46b-ab3a1913a998"; FILE_NAME="x-ui-linux-armv7.tar.gz" ;;
|
||
s390x) DOWNLOAD_URL="https://git.77582585.xyz/attachments/18784828-0d20-4bc5-908c-15f91bcf8eb5"; FILE_NAME="x-ui-linux-s390x.tar.gz" ;;
|
||
*) echo -e "${Red}不支持的架构: $ARCH${Font}" && exit 1 ;;
|
||
esac
|
||
|
||
FALLBACK_URL="https://ghproxy.net/https://github.com/MHSanaei/3x-ui/releases/latest/download/${FILE_NAME}"
|
||
|
||
echo -e "${Green}✓ 检测到架构: $ARCH,启动极速灾备下载引擎...${Font}"
|
||
systemctl stop x-ui >/dev/null 2>&1
|
||
rm -rf /usr/local/x-ui
|
||
mkdir -p /usr/local/
|
||
cd /usr/local/
|
||
|
||
# 注意这里多传了一个参数 "tar",要求它做模拟解压校验
|
||
if ! download_file "$DOWNLOAD_URL" "$FILE_NAME" "$FALLBACK_URL" "tar"; then
|
||
echo -e "${Red}!! 终极下载彻底失败:连加速镜像池也挂了,请检查服务器是否能连接外网 !!${Font}"
|
||
exit 1
|
||
fi
|
||
|
||
echo -e "${Green}✓ 核心程序下载成功,模拟解压校验通过!${Font}"
|
||
|
||
# 既然上面模拟解压过了,这里100%不会报错
|
||
tar zxvf "$FILE_NAME" >/dev/null
|
||
rm -f "$FILE_NAME"
|
||
cd x-ui
|
||
chmod +x x-ui x-ui.sh bin/xray-linux-*
|
||
|
||
ln -sf "$INSTALL_PATH/x-ui.sh" /usr/bin/x-ui
|
||
|
||
cat > /etc/systemd/system/x-ui.service <<EOF
|
||
[Unit]
|
||
Description=x-ui Service
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=root
|
||
WorkingDirectory=$INSTALL_PATH
|
||
ExecStart=$INSTALL_PATH/x-ui
|
||
Restart=on-failure
|
||
RestartSec=5s
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
EOF
|
||
|
||
# ==========================================
|
||
# 步骤 4:数据库部署与安全加固
|
||
# ==========================================
|
||
echo -e "${Yellow}>> [4/7] 正在部署数据库并进行安全加固...${Font}"
|
||
mkdir -p /etc/x-ui/
|
||
rm -f "$DB_PATH"
|
||
|
||
CONFIG_USER=""
|
||
CONFIG_PASS=""
|
||
CONFIG_PORT=""
|
||
CONFIG_PATH="$(gen_random_string 16)"
|
||
|
||
if [ "$INSTALL_MODE" == "1" ]; then
|
||
echo -e "${Green}✓ 模式一:初始化纯净数据库${Font}"
|
||
CONFIG_USER=$(gen_random_string 8)
|
||
CONFIG_PASS=$(gen_random_string 10)
|
||
CONFIG_PORT=$(shuf -i 10000-60000 -n 1)
|
||
|
||
$INSTALL_PATH/x-ui setting -username "${CONFIG_USER}" -password "${CONFIG_PASS}" -port "${CONFIG_PORT}" -webBasePath "${CONFIG_PATH}" >/dev/null 2>&1
|
||
else
|
||
echo -e "${Green}✓ 模式二:拉取自定义数据库...${Font}"
|
||
|
||
# 数据库拉取,传参 "db" 要求校验大小即可
|
||
if ! download_file "$DB_URL" "$DB_PATH" "" "db"; then
|
||
echo -e "${Red}警告:自定义数据库下载失败,退回初始状态!${Font}"
|
||
cp $INSTALL_PATH/bin/x-ui.db "$DB_PATH"
|
||
fi
|
||
|
||
CONFIG_USER=$(sqlite3 "$DB_PATH" "SELECT username FROM users WHERE id=1;")
|
||
CONFIG_PASS=$(sqlite3 "$DB_PATH" "SELECT password FROM users WHERE id=1;")
|
||
CONFIG_PORT=$(sqlite3 "$DB_PATH" "SELECT value FROM settings WHERE key='webPort';")
|
||
|
||
sqlite3 -cmd ".timeout 2000" "$DB_PATH" "UPDATE settings SET value='/${CONFIG_PATH}/' WHERE key='webBasePath';"
|
||
echo -e "${Green}✓ 已为自定义库注入随机网页路径:/${CONFIG_PATH}/${Font}"
|
||
fi
|
||
|
||
# ==========================================
|
||
# 步骤 5:启动服务与防火墙放行
|
||
# ==========================================
|
||
echo -e "${Yellow}>> [5/7] 启动面板并放行防火墙端口 (${CONFIG_PORT})...${Font}"
|
||
systemctl daemon-reload
|
||
systemctl enable x-ui >/dev/null 2>&1
|
||
systemctl restart x-ui
|
||
|
||
if command -v ufw >/dev/null 2>&1; then ufw allow ${CONFIG_PORT}/tcp >/dev/null 2>&1; fi
|
||
if command -v firewall-cmd >/dev/null 2>&1; then
|
||
firewall-cmd --zone=public --add-port=${CONFIG_PORT}/tcp --permanent >/dev/null 2>&1
|
||
firewall-cmd --reload >/dev/null 2>&1
|
||
fi
|
||
iptables -I INPUT -p tcp --dport ${CONFIG_PORT} -j ACCEPT 2>/dev/null
|
||
|
||
# ==========================================
|
||
# 步骤 6:SSL 证书配置
|
||
# ==========================================
|
||
echo ""
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e "${Yellow}>> [6/7] SSL 证书安全设置 (强烈推荐配置 HTTPS)${Font}"
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e " 1. ${Green}使用 Let's Encrypt 申请域名证书${Font} (需解析域名至本机,有效期90天)"
|
||
echo -e " 2. ${Green}使用 Let's Encrypt 申请 IP 证书${Font} (自动绑定本机IP,有效期6天自动续)"
|
||
echo -e " 3. ${Red}跳过,裸奔 HTTP${Font} (极易被墙探测,不推荐)"
|
||
read -rp "请选择 SSL 申请方式 [1-3]: " SSL_CHOICE
|
||
|
||
FINAL_HOST="$SERVER_IP"
|
||
|
||
if [[ "$SSL_CHOICE" == "1" || "$SSL_CHOICE" == "2" ]]; then
|
||
iptables -I INPUT -p tcp --dport 80 -j ACCEPT 2>/dev/null
|
||
|
||
if ! command -v ~/.acme.sh/acme.sh &>/dev/null; then
|
||
echo -e "${Yellow}>> 正在安装 acme.sh 证书工具...${Font}"
|
||
curl -s https://get.acme.sh | sh >/dev/null 2>&1
|
||
fi
|
||
|
||
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force >/dev/null 2>&1
|
||
systemctl stop x-ui
|
||
|
||
if [ "$SSL_CHOICE" == "1" ]; then
|
||
read -rp "请输入已解析到本机的域名: " DOMAIN_NAME
|
||
echo -e "${Yellow}>> 正在为 ${DOMAIN_NAME} 申请域名证书...${Font}"
|
||
~/.acme.sh/acme.sh --issue -d ${DOMAIN_NAME} --standalone --httpport 80 --force
|
||
|
||
if [ $? -eq 0 ]; then
|
||
CERT_DIR="/root/cert/${DOMAIN_NAME}"
|
||
mkdir -p "$CERT_DIR"
|
||
~/.acme.sh/acme.sh --installcert -d ${DOMAIN_NAME} --key-file ${CERT_DIR}/privkey.pem --fullchain-file ${CERT_DIR}/fullchain.pem --reloadcmd "systemctl restart x-ui" >/dev/null 2>&1
|
||
$INSTALL_PATH/x-ui cert -webCert "${CERT_DIR}/fullchain.pem" -webCertKey "${CERT_DIR}/privkey.pem" >/dev/null 2>&1
|
||
FINAL_HOST="${DOMAIN_NAME}"
|
||
echo -e "${Green}✓ 域名证书申请并部署成功!${Font}"
|
||
else
|
||
echo -e "${Red}!! 证书申请失败,请确保域名已解析且 80 端口未被占用。回退至 HTTP 模式。${Font}"
|
||
fi
|
||
|
||
elif [ "$SSL_CHOICE" == "2" ]; then
|
||
echo -e "${Yellow}>> 正在为本机 IP (${SERVER_IP}) 申请短效证书...${Font}"
|
||
CERT_DIR="/root/cert/ip"
|
||
mkdir -p "$CERT_DIR"
|
||
~/.acme.sh/acme.sh --issue -d ${SERVER_IP} --standalone --server letsencrypt --certificate-profile shortlived --days 6 --httpport 80 --force
|
||
|
||
if [ $? -eq 0 ]; then
|
||
~/.acme.sh/acme.sh --installcert -d ${SERVER_IP} --key-file "${CERT_DIR}/privkey.pem" --fullchain-file "${CERT_DIR}/fullchain.pem" --reloadcmd "systemctl restart x-ui" >/dev/null 2>&1
|
||
$INSTALL_PATH/x-ui cert -webCert "${CERT_DIR}/fullchain.pem" -webCertKey "${CERT_DIR}/privkey.pem" >/dev/null 2>&1
|
||
echo -e "${Green}✓ IP 证书申请并部署成功!(后台会自动续期)${Font}"
|
||
else
|
||
echo -e "${Red}!! 证书申请失败,请确保 80 端口未被占用。回退至 HTTP 模式。${Font}"
|
||
fi
|
||
fi
|
||
systemctl start x-ui
|
||
fi
|
||
|
||
# ==========================================
|
||
# 步骤 7:完成与信息展示
|
||
# ==========================================
|
||
PROTOCOL="http"
|
||
if [[ "$SSL_CHOICE" == "1" || "$SSL_CHOICE" == "2" ]]; then
|
||
if $INSTALL_PATH/x-ui setting -getCert true | grep -q "cert: /root/cert/"; then
|
||
PROTOCOL="https"
|
||
fi
|
||
fi
|
||
|
||
echo ""
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e "${Green} X-UI 面板安装部署完成 ${Font}"
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e "部署模式 : ${Yellow}$([ "$INSTALL_MODE" == "1" ] && echo "官方纯净模式" || echo "自定义数据库模式 (已注入随机路径防封)")${Font}"
|
||
echo -e "访问协议 : $([ "$PROTOCOL" == "https" ] && echo "${Green}HTTPS (SSL 安全加密)${Font}" || echo "${Red}HTTP (未加密)${Font}")"
|
||
echo -e "──────────────────────────────────────────────────"
|
||
echo -e "面板地址 : ${Green}${PROTOCOL}://${FINAL_HOST}:${CONFIG_PORT}/${CONFIG_PATH}/${Font}"
|
||
echo -e "登入账号 : ${Green}${CONFIG_USER}${Font}"
|
||
echo -e "登入密码 : ${Green}${CONFIG_PASS}${Font}"
|
||
echo -e "面板端口 : ${Green}${CONFIG_PORT}${Font}"
|
||
echo -e "安全路径 : ${Green}/${CONFIG_PATH}/${Font}"
|
||
echo -e "${Blue}══════════════════════════════════════════════════${Font}"
|
||
echo -e "${Yellow}⚠ 强烈建议:请立即保存上方的信息!${Font}"
|
||
echo -e "${Yellow}⚠ 日常管理:在终端输入 x-ui 即可呼出管理菜单。${Font}" |