feat: add Salamander obfuscation support for Hysteria 2

- Add obfs.type and obfs.password fields to node model
- Generate obfs block in server config when enabled
- Add obfs params to hysteria2:// URI (?obfs=salamander&obfs-password=xxx)
- Add obfs block to sing-box JSON outbounds
- Add obfs/obfs-password to Clash YAML proxies
- Add UI section for obfs configuration in node form

Author: ddddeadispose

src/models/hyNodeModel.js

@@ -76,6 +76,10 @@ const hyNodeSchema = new mongoose.Schema({
     port: { type: Number, default: 443 },
     portRange: { type: String, default: '20000-50000' },
     portConfigs: { type: [portConfigSchema], default: [] },
+    obfs: {
+        type: { type: String, enum: ['', 'salamander'], default: '' },
+        password: { type: String, default: '' },
+    },
     statsPort: { type: Number, default: 9999 },
     statsSecret: { type: String, default: '' },
 

src/routes/panel.js

@@ -463,6 +463,10 @@ router.post('/nodes', requireAuth, async (req, res) => {
             active: req.body.active === 'on',
             useCustomConfig: req.body.useCustomConfig === 'on',
             customConfig: req.body.customConfig || '',
+            obfs: {
+                type: req.body['obfs.type'] || '',
+                password: req.body['obfs.password'] || '',
+            },
             ssh: {
                 port: parseInt(req.body['ssh.port']) || 22,
                 username: req.body['ssh.username'] || 'root',
@@ -531,6 +535,8 @@ router.post('/nodes/:id', requireAuth, async (req, res) => {
             active: req.body.active === 'on',
             useCustomConfig: req.body.useCustomConfig === 'on',
             customConfig: req.body.customConfig || '',
+            'obfs.type': req.body['obfs.type'] || '',
+            'obfs.password': req.body['obfs.password'] || '',
             flag: req.body.flag || '',
             'ssh.port': parseInt(req.body['ssh.port']) || 22,
             'ssh.username': req.body['ssh.username'] || 'root',

src/routes/subscription.js

@@ -46,7 +46,7 @@ async function getUserByToken(token) {
             { userId: token }
         ]
     })
-        .populate('nodes', 'active name type status onlineUsers maxOnlineUsers rankingCoefficient domain sni ip port portRange portConfigs flag xray')
+        .populate('nodes', 'active name type status onlineUsers maxOnlineUsers rankingCoefficient domain sni ip port portRange portConfigs obfs flag xray')
         .populate('groups', '_id name subscriptionTitle');
 
     return user;
@@ -80,9 +80,9 @@ async function getActiveNodesWithCache() {
     const cached = await cache.getActiveNodes();
     if (cached) return cached;
 
-    // Include type and xray fields needed for VLESS URI generation
+    // Include type, xray, and obfs fields needed for URI generation
     const nodes = await HyNode.find({ active: true })
-        .select('name type flag ip domain sni port portRange portConfigs active status onlineUsers maxOnlineUsers rankingCoefficient groups xray')
+        .select('name type flag ip domain sni port portRange portConfigs obfs active status onlineUsers maxOnlineUsers rankingCoefficient groups xray')
         .lean();
     await cache.setActiveNodes(nodes);
     return nodes;
@@ -179,6 +179,9 @@ function getNodeConfigs(node) {
     // hasCert: true if domain is set (ACME = valid cert)
     const hasCert = !!node.domain;
 
+    const obfs = node.obfs?.type || '';
+    const obfsPassword = node.obfs?.password || '';
+
     if (node.portConfigs && node.portConfigs.length > 0) {
         node.portConfigs.filter(c => c.enabled).forEach(cfg => {
             configs.push({
@@ -188,13 +191,15 @@ function getNodeConfigs(node) {
                 portRange: cfg.portRange || '',
                 sni,
                 hasCert,
+                obfs,
+                obfsPassword,
             });
         });
     } else {
-        configs.push({ name: 'TLS', host, port: node.port || 443, portRange: '', sni, hasCert });
+        configs.push({ name: 'TLS', host, port: node.port || 443, portRange: '', sni, hasCert, obfs, obfsPassword });
         // Порт 80 убран (используется для ACME)
         if (node.portRange) {
-            configs.push({ name: 'Hopping', host, port: node.port || 443, portRange: node.portRange, sni, hasCert });
+            configs.push({ name: 'Hopping', host, port: node.port || 443, portRange: node.portRange, sni, hasCert, obfs, obfsPassword });
         }
     }
 
@@ -214,6 +219,10 @@ function generateURI(user, node, config) {
     // insecure=1 only if no valid certificate (self-signed without domain)
     params.push(`insecure=${config.hasCert ? '0' : '1'}`);
     if (config.portRange) params.push(`mport=${config.portRange}`);
+    if (config.obfs === 'salamander' && config.obfsPassword) {
+        params.push('obfs=salamander');
+        params.push(`obfs-password=${encodeURIComponent(config.obfsPassword)}`);
+    }
 
     const name = `${node.flag || ''} ${node.name} ${config.name}`.trim();
     const uri = `hysteria2://${auth}@${config.host}:${config.port}?${params.join('&')}#${encodeURIComponent(name)}`;
@@ -390,6 +399,9 @@ function generateClashYAML(user, nodes) {
       - h3`;
 
                 if (cfg.portRange) proxy += `\n    ports: ${cfg.portRange}`;
+                if (cfg.obfs === 'salamander' && cfg.obfsPassword) {
+                    proxy += `\n    obfs: salamander\n    obfs-password: "${cfg.obfsPassword}"`;
+                }
                 proxies.push(proxy);
             });
         }
@@ -499,6 +511,10 @@ function generateSingboxJSON(user, nodes) {
                     outbound.server_port = cfg.port;
                 }
 
+                if (cfg.obfs === 'salamander' && cfg.obfsPassword) {
+                    outbound.obfs = { type: 'salamander', password: cfg.obfsPassword };
+                }
+
                 proxyOutbounds.push(outbound);
             });
         }

src/services/configGenerator.js

@@ -82,6 +82,13 @@ function generateNodeConfig(node, authUrl, options = {}) {
         }
     }
 
+    if (node.obfs?.password) {
+        config.obfs = {
+            type: 'salamander',
+            salamander: { password: node.obfs.password },
+        };
+    }
+
     if (node.statsPort && node.statsSecret) {
         config.trafficStats = {
             listen: `:${node.statsPort}`,
@@ -207,6 +214,13 @@ function generateNodeConfigACME(node, authUrl, domain, email, options = {}) {
         },
     };
 
+    if (node.obfs?.password) {
+        config.obfs = {
+            type: 'salamander',
+            salamander: { password: node.obfs.password },
+        };
+    }
+
     if (node.statsPort && node.statsSecret) {
         config.trafficStats = {
             listen: `:${node.statsPort}`,

views/node-form.ejs

@@ -320,6 +320,30 @@
                 </div>
             </div>
             
+            <div class="form-section">
+                <h3>Obfuscation (obfs)</h3>
+                <small class="section-hint">Salamander скрывает QUIC-трафик от DPI. Включайте только если оператор блокирует Hysteria без обфускации — на мобильных сетях может работать хуже.</small>
+                <div class="form-row" style="margin-top:12px;">
+                    <div class="form-group">
+                        <label for="obfsType">Тип обфускации</label>
+                        <select id="obfsType" name="obfs.type" onchange="toggleObfsPassword()">
+                            <option value="" <%= !node?.obfs?.type ? 'selected' : '' %>>Отключено</option>
+                            <option value="salamander" <%= node?.obfs?.type === 'salamander' ? 'selected' : '' %>>Salamander</option>
+                        </select>
+                    </div>
+                    <div class="form-group" id="obfsPasswordGroup" style="<%= node?.obfs?.type === 'salamander' ? '' : 'display:none' %>">
+                        <label for="obfsPassword">Пароль obfs</label>
+                        <div class="input-with-button">
+                            <input type="text" id="obfsPassword" name="obfs.password"
+                                   value="<%= node?.obfs?.password || '' %>"
+                                   placeholder="cry_me_a_r1ver">
+                            <button type="button" class="btn btn-sm" onclick="generateObfsPassword()" title="Сгенерировать пароль"><i class="ti ti-dice"></i></button>
+                        </div>
+                        <small>Одинаковый пароль должен быть на сервере и в клиенте</small>
+                    </div>
+                </div>
+            </div>
+
             <div class="form-section">
                 <h3><%= t('nodes.hysteriaConfig') %></h3>
                 <div class="form-group">
@@ -819,6 +843,20 @@ function generateSecret() {
     document.getElementById('statsSecret').value = secret;
 }
 
+function toggleObfsPassword() {
+    const type = document.getElementById('obfsType').value;
+    document.getElementById('obfsPasswordGroup').style.display = type === 'salamander' ? '' : 'none';
+}
+
+function generateObfsPassword() {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
+    let pwd = '';
+    for (let i = 0; i < 24; i++) {
+        pwd += chars.charAt(Math.floor(Math.random() * chars.length));
+    }
+    document.getElementById('obfsPassword').value = pwd;
+}
+
 function toggleCustomConfig() {
     const checked = document.getElementById('useCustomConfig').checked;
     document.getElementById('customConfigSection').style.display = checked ? 'block' : 'none';