fix(sub): apply host Allow Insecure to Hysteria2 subscription links#5866
Merged
Conversation
Host.AllowInsecure was only wired into the shared VLESS/VMess/Trojan/Shadowsocks endpoint path (applyEndpointAllowInsecure). Hysteria/Hysteria2 builds its links through its own applyExternalProxyHysteriaParams (raw hysteria2:// link) and buildHysteriaProxy (Clash/Mihomo proxy), neither of which read the host's allowInsecure flag, so a self-signed Hysteria2 host never got insecure=1 or skip-cert-verify: true. Fixes #5865.
Contributor
|
Reviewed the diff against the surrounding subscription-rendering code (
The one gap: neither change had a test asserting the new behavior itself (the existing tests only proved the old pin/SNI behavior was undisturbed). Added in
Nothing else needed changing — no new routes, DB fields, or i18n keys are involved, and I didn't find any correctness issues in the original two hunks. This review was generated automatically; @MHSanaei may want to follow up. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
A subscription host's
Allow Insecuresetting (Host.AllowInsecureininternal/database/model/model.go) was never applied to Hysteria/Hysteria2 links, even though the same setting works for VLESS/VMess/Trojan/Shadowsocks.internal/sub/service.go—applyExternalProxyHysteriaParams(used bygenHysteriaLink's per-external-proxy/per-host loop) only carried over the cert pin. It now also emitsinsecure=1in the rawhysteria2://link when the host/external-proxy entry hasallowInsecure: true.internal/sub/clash_service.go—buildHysteriaProxybuilds the Clash/Mihomo proxy entry by re-reading the TLS settings straight frominbound.StreamSettings, ignoring the per-hostepoverride entirely (unlike every other protocol's Clash builder). It now also setsskip-cert-verify: truewhen the host/external-proxy entry hasallowInsecure: true.Why
For a Hysteria2 inbound fronted with a self-signed certificate, an admin can only express "skip certificate verification" through a subscription Host (there is no such field on the inbound's own TLS settings). Both Hysteria link generators build one link per host by projecting the
Hostrow onto anexternalProxy-shaped map (hostToExternalProxyMapininternal/sub/host_sub.go, which already setsep["allowInsecure"] = true), but neither Hysteria-specific renderer looked at that key, so the flag was silently dropped:insecure=1query param.skip-cert-verify: true.This left Hysteria2 nodes behind a self-signed cert unusable from the generated subscription until the user manually edited the client and enabled insecure certificate trust.
Scope
Both changes are additive
ifblocks gated onep["allowInsecure"]/ep's absence of that key, so behavior for hosts/external proxies withoutAllow Insecureset is unchanged (verified against the existingTestApplyExternalProxyHysteriaParams_*andTestChar_C6_HysteriaExternalProxycases, none of which set that key).Fixes #5865.