v0.1.5

@Taironpal Taironpal released this 10 Jun 21:47

Full Xray protocol matrix: VLESS, VMess and Trojan over any transport and any
security mode, behind a guided picker. Plus an update-available indicator and a
round of VPS hardening.

Security

  • nginx ships hardening headers. X-Frame-Options, X-Content-Type-Options and
    Referrer-Policy are sent on every response, and server_tokens is off. CSP is
    left to the operator so a wrong policy can't silently break the SPA.

Added

  • Full Xray protocol matrix. A profile can now run VLESS, VMess or Trojan over
    any of the six transports (raw, WebSocket, gRPC, xHTTP, HTTPUpgrade, mKCP) and
    any security mode: REALITY, plain none (for a CDN that terminates TLS itself), or
    node-terminated TLS with your own certificate. A guided three-step picker reveals
    only the fields each combination needs, emitted correctly into the raw/base64,
    Clash, sing-box and Xray-JSON subscription formats.
  • Update-available indicator. The sidebar shows an accent dot linking to the
    release when a newer version ships. Best-effort GitHub-release check (cached 6h,
    never blocks a request, no token needed on the public repo).

Changed

  • Subscription formatters are security-aware. The Clash, sing-box and Xray-JSON
    formatters previously hardcoded REALITY for every Xray endpoint, so a none/tls
    profile would have produced a broken client config. They now render the correct
    security block per endpoint and carry all three subprotocols.
  • VPS resource and secret safety. Redis is capped (--maxmemory + noeviction),
    and deploy.sh snapshots .env.production (the only on-host copy of secrets + node
    mTLS CA) to a timestamped backup ring before each deploy.
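
A sketch of the pre-deploy snapshot ring described in the last item, added here as an example; it is not the project's deploy.sh, and the function name `snapshot_env`, the backup directory and the ring size are assumptions. It keeps every copy owner-only, writes via a temp file so a failed copy never looks like a valid snapshot, and prunes to the newest N.

```shell
#!/bin/sh
# Added illustration, not the project's deploy.sh. The function name, backup
# directory and ring size are assumptions.

# snapshot_env <env-file> <backup-dir> [keep]
# Body runs in a subshell "( ... )" so umask, LC_ALL and the positional
# parameters never leak into the calling deploy script.
snapshot_env() (
    src=$1 dir=$2 keep=${3:-5}
    case $keep in ''|*[!0-9]*|0) echo "keep must be >= 1" >&2; exit 2 ;; esac
    [ -f "$src" ] || { echo "missing secrets file: $src" >&2; exit 1; }

    umask 077                      # new files 0600, new dirs 0700
    LC_ALL=C; export LC_ALL        # byte-order glob sort == chronological
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    base=$(basename "$src")

    # One snapshot per UTC second; wait on a collision rather than overwrite.
    while dest="$dir/$base.$(date -u +%Y%m%dT%H%M%SZ)"; [ -e "$dest" ]; do
        sleep 1
    done

    # Copy to a temp file in the same directory, then rename, so a failed
    # copy never leaves a truncated file that looks like a valid snapshot.
    tmp=$(mktemp "$dir/.snap.XXXXXX") || exit 1
    cp -- "$src" "$tmp" && chmod 600 "$tmp" && mv -- "$tmp" "$dest" \
        || { rm -f -- "$tmp"; exit 1; }

    # Prune: the glob expands oldest-first, drop entries until "keep" remain.
    set -- "$dir/$base".*
    while [ "$#" -gt "$keep" ]; do
        rm -f -- "$1"
        shift
    done
    printf '%s\n' "$dest"          # path of the snapshot just written
)
```

A deploy script would call it before touching the host and abort on a non-zero status, so a deploy never proceeds without a fresh copy of the secrets.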