Previously, when the IP4 variable contained a domain name instead of an actual IP address, the SNI validation would fail and force the use of self-signed certificates. This update adds detection and resolution of domain names in the IP4 variable, ensuring proper DNS comparison when checking if the SNI domain points to the server.
- Add POST `/api/v1/config/hysteria/webpanel/decoy/setup` endpoint to configure the decoy site.
- Add POST `/api/v1/config/hysteria/webpanel/decoy/stop` endpoint to remove the decoy site configuration.
- Implement `BackgroundTasks` for both endpoints to prevent Caddy service restarts from interrupting the API response.
- Add `SetupDecoyRequest` Pydantic schema for the setup endpoint payload.
- Added corresponding wrapper functions (setup_webpanel_decoy, stop_webpanel_decoy) in cli_api.py.
- Updated start_webpanel in cli_api.py to accept decoy_path.
- Exposed new commands (setup-webpanel-decoy, stop-webpanel-decoy) in cli.py.
- Updated the webpanel start command in cli.py to accept a --decoy-path option.
- Add ability to configure a decoy site on port 443 while hiding the web panel
- Support both same-port and separate-port configurations
- Add commands to manage decoy sites: 'decoy' to add/configure and 'stopdecoy' to remove
- Ensure clean reversion of Caddy configuration when stopping decoy sites
- Make decoy path optional during panel startup
This enhancement improves obfuscation capabilities by serving legitimate-looking content on the standard HTTPS port while keeping the actual panel hidden behind a secret path.
feat: Add SNI checker and certificate manager
Key features:
- Domain-to-IP resolution verification
- Automatic Let's Encrypt certificate acquisition
- Self-signed fallback for domains not pointed to the server
- Updates insecure flag in config.json based on certificate type
- Updates SNI in environment config
- Generates and updates SHA-256 fingerprint
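The domain-to-IP check described for the SNI checker, and the IP4 fix above (IP4 may hold a domain name rather than an address), as an added illustration that is not the project's own code: both the SNI value and the IP4 value are reduced to a set of normalized addresses and compared, so a domain in IP4 no longer forces the self-signed fallback. The resolver is injectable; `FAKE_DNS` and `fake_resolver` are constructed stand-ins for live DNS, and the function names are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Set

# A resolver maps a hostname to the addresses it currently answers with.
Resolver = Callable[[str], Iterable[str]]

def dns_resolver(host: str) -> Set[str]:
    """Default resolver: every A/AAAA answer the system resolver returns for host."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def resolve_host_value(value: str, resolver: Resolver = dns_resolver) -> Set[str]:
    """IP set behind a value that is either an IP literal or a domain name (the IP4 fix)."""
    value = value.strip()
    try:
        return {str(ipaddress.ip_address(value))}  # literal: use as-is, normalized
    except ValueError:
        pass  # not a literal; treat it as a hostname and look it up
    ips = set()
    for addr in resolver(value):
        try:
            ips.add(str(ipaddress.ip_address(addr)))  # normalize (e.g. IPv6 spellings)
        except ValueError:
            continue  # skip anything that is not a usable address
    return ips

def sni_points_to_server(sni: str, ip4: str, resolver: Resolver = dns_resolver) -> bool:
    """True when the SNI domain shares at least one address with the server (IP4)."""
    return bool(resolve_host_value(ip4, resolver) & resolve_host_value(sni, resolver))

def choose_cert_mode(sni: str, ip4: str, resolver: Resolver = dns_resolver) -> str:
    """'letsencrypt' if the SNI points here, otherwise the self-signed fallback."""
    return "letsencrypt" if sni_points_to_server(sni, ip4, resolver) else "self-signed"

# Constructed lookup table standing in for live DNS so the example runs offline.
FAKE_DNS = {
    "panel.example.com": {"203.0.113.10"},
    "server.example.net": {"203.0.113.10", "2001:0db8::0010"},
    "elsewhere.example.org": {"198.51.100.7"},
}

def fake_resolver(host: str) -> Set[str]:
    """Assumed test resolver: answers only from FAKE_DNS, never touches the network."""
    return FAKE_DNS.get(host, set())
```

With the real `dns_resolver` the same functions run against live DNS; a domain that resolves to none of the server's addresses still yields the self-signed mode, matching the insecure flag behaviour described above.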
fix(urls): Update URI generator to respect TLS insecure flag
Changes:
- Added insecure parameter to generate_uri() function
- Read TLS insecure flag from config.json
- Set insecure=0 for valid certificates and insecure=1 for self-signed ones
- Updated all URI generation calls to include the insecure parameter