Advanced use of X-UI panel: faster, safer and more stable


I have been using the X-UI panel for a while and am very satisfied with it overall. I took notes while tinkering, and in this article I'll share an advanced tutorial to help you get more out of X-UI.

The highlights of today's blog include the following points:

  • Certificate Issue and Usage
  • Firewall settings
  • Log configuration
  • Proxies setup

Certificate Issue and Usage

I submitted a PR a month ago that added two things to the x-ui.sh script: a prompt to change the panel settings right after installation (so that fewer people keep the default settings and get exploited by others), and a certificate application function; see this commit for details. After updating the script you can issue certificates with one command.

To use the integrated certificate function you need your Cloudflare API key and account email. Because the script applies through the DNS API, it does not depend on any open network port at all. For detailed usage, see the instructions in my personal repo. In short, the script saves a lot of steps: you only need to enter the following information to complete the certificate application. The schematic diagram is as follows:

The certificate issued by the script is also a wildcard certificate, which means that, apart from your own top-level domain name, you can use it for any number of second-level domain names, and you can copy it to other servers for use.

When using certificates in X-UI, I recommend fullchain certificates. What is a fullchain certificate? It is simply a file that contains the contents of the entire certificate chain, as shown below:

The advantage of a fullchain certificate is that it avoids connection failures caused by certificate problems as far as possible.

In addition, when setting a node's certificate, instead of giving the certificate path you can also paste the contents of the certificate and private key into the corresponding fields. However, this is inconvenient; the best practice is to use the path, so that when the certificate is renewed you do not need to configure it again.

Note that the certificate currently issued uses an RSA key. If you need an ECC certificate (personally I don't think it is necessary), refer to the official acme.sh documentation.
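A quick sanity check for a bundle before pointing a node at it, as an added example that is not part of the original post: it confirms the file is ordered leaf first, with each certificate's issuer matching the subject of the next one, and that the private key belongs to the leaf. It assumes the openssl CLI is installed; the file paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Sanity-check a fullchain bundle and its key before using them in an X-UI node
# (added example, not from the post). Requires the openssl CLI.
# Usage: check_fullchain /path/to/fullchain.cer /path/to/private.key   (hypothetical paths)

# Number of PEM certificate blocks; a fullchain file holds at least two (leaf + intermediate).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Split the bundle into cert1.pem, cert2.pem, ... in a scratch directory and print its path.
split_bundle() {
    d=$(mktemp -d)
    awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n{print > (d "/cert" n ".pem")}' "$1"
    echo "$d"
}

# Verify the order is leaf -> intermediate -> ...: each certificate's issuer must equal the
# subject of the certificate that follows it. Returns 1 for a lone cert or a broken link.
chain_is_ordered() {
    n=$(cert_count "$1")
    [ "$n" -ge 2 ] || return 1
    d=$(split_bundle "$1"); i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$d/cert$((i+1)).pem" -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || { ok=1; break; }
        i=$((i+1))
    done
    rm -rf "$d"
    return $ok
}

# The private key must belong to the first (leaf) certificate: compare public-key digests.
# openssl x509 reads only the first certificate of a bundle, which is the leaf.
key_matches_leaf() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

check_fullchain() {
    chain_is_ordered "$1" || { echo "not a correctly ordered fullchain: $1"; return 1; }
    key_matches_leaf "$1" "$2" || { echo "key $2 does not match the leaf in $1"; return 1; }
    echo "ok: $(cert_count "$1") certificates, key matches leaf"
}
```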

Firewall settings

Firewall settings are very important when using X-UI. A firewall protects the security of the server and also the security of the panel. For X-UI, the firewall settings include:

1) Panel login port: it is generally recommended to set the X-UI panel login port to one of the HTTPS ports permitted by Cloudflare, such as 443, 2053, 2083, 2087, 2096 and 8443. That way, if we later need to enable the CDN, the panel can still be accessed normally. For managing the firewall I recommend UFW. Taking Ubuntu as an example:

Install the UFW firewall tool:

sudo apt-get update && sudo apt install ufw

Enable UFW firewall

sudo ufw enable

Open the panel port for listening (taking port 8443 as an example):

ufw allow from xx.xxx.xx.xx to any port 8443

Here the IP address xx.xxx.xx.xx is added to the whitelist (allow means the firewall lets it through), so that only specific IPs can reach the panel login port. When using X-UI, I recommend adding several of your own servers to the whitelist so that you can reach the panel through different server nodes. If you add no whitelist at all, you can only reach the panel through the nodes configured on the panel itself. To be safe (for example if the node configured on the panel is blocked, or its port or IP is blocked), you had better add your other servers to the whitelist, so that if something unexpected happens you can still access the panel through the nodes on other servers and make changes. You can take a look at my UFW settings:

Here my panel listening port is set to 2096, and my other servers are added to the whitelist.

Note that after enabling UFW, be sure to open your SSH port and your node ports.

Check out the current UFW settings:

sudo ufw status
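The same UFW layout as one idempotent script, as an added example that is not the post's own commands: it validates every whitelist entry, allows SSH and the node ports before enabling the firewall so you cannot lock yourself out, and restricts the panel port to the whitelist. The ports and IPs are placeholders; set UFW=echo to preview the commands without touching the system.

```shell
#!/bin/sh
# Apply the firewall layout from the post in one pass (added example, not the post's commands).
# Assumptions: placeholder ports and whitelist IPs below; UFW may be overridden (UFW=echo)
# to print the rules instead of applying them.
UFW=${UFW:-sudo ufw}
SSH_PORT=${SSH_PORT:-22}
PANEL_PORT=${PANEL_PORT:-2096}                          # panel login port (a Cloudflare HTTPS port)
NODE_PORTS=${NODE_PORTS:-"443"}                          # node (inbound) ports, space separated
WHITELIST=${WHITELIST:-"198.51.100.10 203.0.113.20"}    # your other servers (constructed values)

# Accept only a plain IPv4 address or CIDR, so a typo cannot turn into "allow from any".
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

apply_firewall() {
    for ip in $WHITELIST; do
        valid_ipv4 "$ip" || { echo "bad whitelist entry: $ip" >&2; return 1; }
    done
    $UFW default deny incoming
    $UFW default allow outgoing
    $UFW allow "$SSH_PORT"/tcp              # must come before enable, or you lock yourself out
    for p in $NODE_PORTS; do
        $UFW allow "$p"                     # node ports stay reachable from anywhere
    done
    for ip in $WHITELIST; do                # panel port only from the whitelisted servers
        $UFW allow from "$ip" to any port "$PANEL_PORT" proto tcp
    done
    $UFW --force enable                     # non-interactive; the rules above are already loaded
    $UFW status numbered
}
```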

Log configuration

Note that the log here is not X-UI's own log but the log of the Xray program. Sometimes, to troubleshoot problems or check status, we have to enable Xray logging. To do so, modify the configuration template in the panel console, as shown in the following figure:

In the configuration template, add the log-related fields; my settings are as follows:

"log": {
    "access": "/usr/local/x-ui/bin/access.log",
    "error": "/usr/local/x-ui/bin/error.log",
    "loglevel": "warning",
    "dnsLog": false
}

Here access sets the access log, error sets the error log, loglevel sets the log level (warning is recommended), and dnsLog enables the DNS query log, which is recommended to be false. If you use features such as fakeDNS/DoH/DoT, set it to true.

After saving, restart the panel and go to the corresponding directory on the server to view the log; you will see information like the following:

The blurred part here is the client's IP, and on the right is the detail of the access. Because the current X-UI queries Xray's API for traffic statistics, the log contains many duplicate and useless entries. We can filter them out with the following command:

sudo grep -v 127.0.0.1 access.log

View all rejected connections:

sudo grep rejected access.log

The output is as shown in the figure:

I recommend checking your node logs from time to time, especially for rejected connections. To a large extent these come from active probing by the wall. If you find such probing, it is recommended that you block the source via UFW or Fail2ban.
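Detection logic for the log review described above, as an added example that is not from the post: it drops the panel's own loopback polling, counts rejected connections per source IP, and lists the sources that cross a threshold as candidates for a UFW deny rule (nothing is applied). The log lines are constructed in the "from <ip>:<port> accepted|rejected ..." shape that the grep commands above rely on, plus one bracketed IPv6 source.

```shell
#!/bin/sh
# Summarise rejected connections in an Xray access log by source IP (added example, not from the post).
# The sample lines below are constructed in the "from <ip>:<port> accepted|rejected" shape.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2023/03/01 10:00:01 from 127.0.0.1:41822 accepted tcp:127.0.0.1:62789 [api -> api]
2023/03/01 10:00:02 from 198.51.100.7:50214 accepted tcp:www.example.com:443 [inbound-443 -> direct] email: user1
2023/03/01 10:00:03 from 203.0.113.9:33122 rejected proxy/vmess/encoding: invalid user
2023/03/01 10:00:04 from 203.0.113.9:33123 rejected proxy/vmess/encoding: invalid user
2023/03/01 10:00:05 from 203.0.113.9:33124 rejected proxy/vmess/encoding: invalid user
2023/03/01 10:00:06 from 192.0.2.44:7001 rejected proxy/vmess/encoding: invalid user
2023/03/01 10:00:07 from 127.0.0.1:41830 accepted tcp:127.0.0.1:62789 [api -> api]
2023/03/01 10:00:08 from [2001:db8::5]:4000 rejected proxy/vmess/encoding: invalid user
EOF

# Drop the panel's own API polling over loopback (the post's grep -v 127.0.0.1).
real_traffic() { grep -v 'from 127\.0\.0\.1:' "$1"; }

# Count rejected connections per source IP, most frequent first, as "<count> <ip>".
# Strips the port and the brackets of an IPv6 source such as [2001:db8::5]:4000.
rejected_by_ip() {
    real_traffic "$1" | awk '$3 == "from" && $5 == "rejected" {
        ip = $4; sub(/:[0-9]+$/, "", ip); gsub(/\[|\]/, "", ip)
        c[ip]++
    } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Sources whose rejection count reaches the threshold: review these and decide on a UFW deny rule.
block_candidates() {
    rejected_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

rejected_by_ip "$LOG"
echo "--- sources with at least 3 rejections ---"
block_candidates "$LOG" 3
```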

Also, to make the logs easier to read, I recommend changing the server's time zone to your own; this helps a lot when viewing logs.

One more point: once logging is enabled, the logs keep growing, and if they are not cleaned up for a long time they take up space unnecessarily. To handle this with my script, run the following command as root:

cd /usr/local/x-ui/bin && wget -O autoCheck.sh https://raw.githubusercontent.com/FranzKafkaYu/BashScripts/main/FileManuplite/autoCheck.sh && chmod +x autoCheck.sh

Note that if your log directory differs from mine, modify the script to match. After modifying it, run crontab -e and add the following scheduled task:

00 0 * * 6 /usr/local/x-ui/bin/autoCheck.sh >> /usr/local/x-ui/bin/autoCheck.log

Once configured, the log size is checked automatically and the logs are deleted when they grow too large; X-UI is restarted when this happens so that it keeps running smoothly.
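A size-based cleanup in the spirit of the cron job above, as an added example and not the post's autoCheck.sh: it truncates a log in place once it passes a limit and restarts X-UI only when something was actually truncated. It assumes the log paths from the template above and that X-UI runs as the systemd unit x-ui; LOG_DIR, MAX_BYTES and RESTART_CMD can be overridden from the environment.

```shell
#!/bin/sh
# Size-based cleanup for the Xray logs written by X-UI (added example; not the post's autoCheck.sh).
# Assumptions: log paths as in the post's "log" template; X-UI runs as the systemd unit "x-ui"
# and is restarted so Xray reopens the truncated files. All three values can be overridden.
LOG_DIR=${LOG_DIR:-/usr/local/x-ui/bin}
MAX_BYTES=${MAX_BYTES:-52428800}                  # 50 MiB per file
RESTART_CMD=${RESTART_CMD:-"systemctl restart x-ui"}

file_size() { wc -c < "$1" | tr -d ' '; }

# Truncate one log in place if it is over the limit. Returns 0 when truncated, 1 otherwise.
# Truncating (rather than deleting) keeps the path Xray already has open valid.
trim_if_large() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(file_size "$f")
    [ "$size" -gt "$MAX_BYTES" ] || return 1
    : > "$f"
    echo "$(date '+%F %T') truncated $f ($size bytes)"
    return 0
}

# Check both logs, restart X-UI once if anything was truncated, and report the count last.
check_logs() {
    trimmed=0
    for f in "$LOG_DIR/access.log" "$LOG_DIR/error.log"; do
        trim_if_large "$f" && trimmed=$((trimmed + 1))
    done
    [ "$trimmed" -gt 0 ] && $RESTART_CMD
    echo "trimmed $trimmed file(s)"
}

check_logs
```

Point the cron line above at this script instead of autoCheck.sh if you prefer it; output appended to autoCheck.log then records each truncation with its size.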

Proxies setup

Node configuration is actually a complicated subject. Because of some limitations of the current X-UI, Xray's advantages cannot be fully exploited. Still, there are some points worth noting:

1. Try to choose a high port; if you need to set up a fallback, try to use port 443 as the exposed port.

2. Set an expiration time, and change the password or port after it expires.

3. Try not to use XTLS. According to recent usage reports and issue submissions, XTLS carries certain risks.

Others

Besides the above, there are some other points worth noting, including:

1. Regularly update the geoip.dat and geosite.dat resource files

This can be done by adding the following cron tasks:

30 9 * * * /usr/bin/curl -s -L -o /usr/local/x-ui/bin/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
30 9 * * * /usr/bin/curl -s -L -o /usr/local/x-ui/bin/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat

2. Enable the CDN in an emergency

At certain sensitive times the wall's activity may increase. At such times, try to enable the CDN. Although enabling the CDN will inevitably reduce speed, it ensures security to the greatest extent. Don't forget that you need ws+TLS to use the CDN~

3. Be sure to turn on BBR acceleration

The gain from BBR is actually very large. The X-UI script integrates a one-click function for enabling BBR; please be sure to turn it on.

That's all for this post~

In addition, since the original author's development progress has slowed down and I am learning Go myself, I forked the original author's repository and extended its functions. The currently added functions include:

  • Panel settings query (implemented)
  • Traffic usage daily reminder (implemented)
  • Panel login reminder (to be implemented)
  • Node expiration reminder (to be implemented)
  • More certificate application methods (to be implemented)
  • Panel login whitelist setting (to be implemented)

The issue tracker is also open; I hope you will use the fork and give me feedback. I will submit PRs to the original repository from time to time to improve X-UI together. For the project's GitHub address, click here.

FranzKafka95

Geek, literature lover. If you like me too, there is no need to be shy.


35 Comments

  1. I really enjoyed so much creativity and innovation you
    You’ve got all the right moves.

    There is only a small problem in popups display/value member not changing with selected index of combo box
    Overall, it’s great and of course useful , Thank you

  2. Hi, thanks a lot for your explanation.
    I wanna take a backup of inbound nodes and restore them on another server without creating and changing nodes one by one.
    Could you please help me?
    I'm using Ubuntu.
    Thank you in advance.

  3. "It should be noted that if the directory your log is set to differs from mine, please modify the script yourself to adapt. After modifying, add the following scheduled task via the conrtab -e command:"
    Bro, this should be crontab -e, not conrtab -e.

  4. Hello, today while reading your GitHub documentation I clicked to join the group, but since I was looking at GitHub I didn't notice the nameless bot's verification, and now I have been banned. My username is @mumu9615; could you help lift the ban? Thank you for your efforts!
