v0.1.5
Full Xray protocol matrix: VLESS, VMess and Trojan over any transport and any
security mode, behind a guided picker. Plus an update-available indicator and a
round of VPS hardening.
Security
- nginx ships hardening headers. X-Frame-Options, X-Content-Type-Options,
Referrer-Policy and server_tokens off on every response. CSP is left to the
operator so a wrong policy can't silently break the SPA.
Added
- Full Xray protocol matrix. A profile can now run VLESS, VMess or Trojan over
any of the six transports (raw, WebSocket, gRPC, xHTTP, HTTPUpgrade, mKCP) and
any security mode: REALITY, plain none (for a CDN that terminates TLS itself), or
node-terminated TLS with your own certificate. A guided three-step picker reveals
only the fields each combination needs, emitted correctly into the raw/base64,
Clash, sing-box and Xray-JSON subscription formats.
- Update-available indicator. The sidebar shows an accent dot linking to the
release when a newer version ships. Best-effort GitHub-release check (cached 6h,
never blocks a request, no token needed on the public repo).
Changed
- Subscription formatters are security-aware. The Clash, sing-box and Xray-JSON
formatters hardcoded REALITY for every Xray endpoint, so a none/tls profile would
have produced a broken client config. They now render the correct security block
per endpoint and carry all three subprotocols.
- VPS resource and secret safety. Redis is capped (--maxmemory + noeviction),
and deploy.sh snapshots .env.production (the only on-host copy of secrets + node
mTLS CA) to a timestamped backup ring before each deploy.
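
The per-endpoint security rendering described under Changed, sketched for the Xray-JSON format as an added example (not the project's code), with a regression check for the hardcoded-REALITY case. The profile field names and sample values are assumptions; the `streamSettings`, `realitySettings` and `tlsSettings` keys are Xray's own.

```python
# Added example; profile field names are hypothetical, not the project's schema.
BLOCK_FOR = {"reality": "realitySettings", "tls": "tlsSettings", "none": None}
REQUIRED = {"reality": ("sni", "public_key", "short_id"), "tls": ("sni",), "none": ()}


def stream_settings(profile):
    """Build an Xray `streamSettings` object that honours the profile's security mode."""
    mode = profile["security"]
    if mode not in BLOCK_FOR:
        raise ValueError(f"unknown security mode: {mode!r}")
    missing = [k for k in REQUIRED[mode] if not profile.get(k)]
    if missing:
        raise ValueError(f"{mode} profile is missing {missing}")
    out = {"network": profile["transport"], "security": mode}
    if mode == "reality":
        out["realitySettings"] = {
            "serverName": profile["sni"],
            "publicKey": profile["public_key"],
            "shortId": profile["short_id"],
        }
    elif mode == "tls":
        out["tlsSettings"] = {"serverName": profile["sni"]}
    return out  # "none" carries no TLS or REALITY block at all


def mismatches(profile, settings):
    """Regression check: list ways the emitted block disagrees with the profile."""
    problems = []
    mode = profile["security"]
    if settings.get("security") != mode:
        problems.append(f"security is {settings.get('security')!r}, profile says {mode!r}")
    for other, block in BLOCK_FOR.items():
        if block and block in settings and other != mode:
            problems.append(f"unexpected {block} on a {mode} profile")
    want = BLOCK_FOR[mode]
    if want and want not in settings:
        problems.append(f"missing {want}")
    return problems


# Constructed sample profiles (values are placeholders).
WS_NONE = {"transport": "ws", "security": "none"}
GRPC_TLS = {"transport": "grpc", "security": "tls", "sni": "node.example.org"}
# What a formatter that hardcodes REALITY would emit for the `none` profile.
HARDCODED = {"network": "ws", "security": "reality",
             "realitySettings": {"serverName": "", "publicKey": "", "shortId": ""}}
```

Running `mismatches` over every profile and every output format in CI catches a formatter that drifts back to a single hardcoded security mode.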