SSL Certificate for IP: Uses proxy IP instead of server IP when ALL_PROXY is set #3910

@NabiKAZ

Describe the bug

When using the "Get SSL for IP Address" feature (option 6 in SSL Certificate Management), the script detects the server IP using external services like api.ipify.org. However, if the server has a proxy configured via environment variables (ALL_PROXY, http_proxy, https_proxy), the detected IP is the proxy's exit IP, not the actual server IP.

This is particularly problematic in countries with restricted internet access (like Iran), where users must configure a proxy to access external services like Let's Encrypt. The proxy causes curl to return the proxy's IP address instead of the server's actual public IP.

Example scenario:

  • Server actual IP: 1.1.1.1
  • Proxy configured: export ALL_PROXY=socks5h://127.0.0.1:1080
  • Proxy exit IP: 2.2.2.2
  • Result: Certificate is issued for 2.2.2.2 (proxy IP) instead of 1.1.1.1 (server IP)

How to repeat the problem?

  1. Configure a SOCKS5 proxy on the server:
    export ALL_PROXY=socks5h://127.0.0.1:1080
  2. Run x-ui and navigate to menu option 19 (SSL Certificate Management)
  3. Select option 6 (Get SSL for IP Address)
  4. Observe the detected IP - it shows the proxy's exit IP, not the server's actual IP
  5. Certificate is issued for the wrong IP

Expected action

The script should:

  1. First try to detect the server IP from local network interfaces (e.g., ip -4 addr show scope global), which doesn't use the proxy
  2. Then fall back to external services if local detection fails
  3. Always display the detected IP and allow the user to manually correct it if wrong

Received action

  • The script only uses external curl-based services (api.ipify.org, etc.) to detect the IP
  • When a proxy is configured, these services return the proxy's IP
  • The user has no opportunity to correct the detected IP before certificate issuance
  • Certificate is issued for the wrong IP, causing SSL failures

Proposed Fix

Modify the IP detection logic in x-ui.sh to:

  1. Add local interface detection first (proxy-independent):

    if command -v ip >/dev/null 2>&1; then
        ip=$(ip -4 addr show scope global | grep -oP 'inet \K[\d.]+' | head -n1)
    fi

  2. Keep external services as fallback with multiple endpoints for reliability

  3. Add interactive confirmation allowing users to override the detected IP:

    echo "Server IP detected: ${ip}"
    read -rp "Press Enter to use this IP, or type a different IP: " user_input
    if [ -n "$user_input" ]; then
        ip="$user_input"
    fi

Affected Functions

  • ssl_cert_issue_for_ip() - Line ~1174
  • check_config() - Line ~333
  • SSH_port_forwarding() - Line ~2095

Additional Context

This issue affects users in regions with restricted internet who rely on proxies to access:

  • Let's Encrypt ACME servers
  • External IP detection services
  • Package repositories

The fix ensures the script works correctly regardless of proxy configuration while still maintaining full functionality for users without proxy restrictions.

3x-ui Version

2.8.11 (current development)

Xray-core Version

N/A (script-level issue)

Checklist

  • This bug report is written entirely in English.
  • This bug report is new and no one has reported it before me.
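
The detection order proposed in this issue, as an added example that is not 3x-ui code and not part of the original report: local interfaces first, then api.ipify.org with the proxy bypassed, with every candidate (including a manually typed override) validated as IPv4. It also skips private and carrier-grade NAT addresses, because a NATed interface address is not the server's public IP. All function names are hypothetical, and the sample `ip` output is constructed.

```shell
# Added example, not 3x-ui code; all function names are hypothetical.
# Succeeds only for a syntactically valid dotted-quad IPv4 address.
is_valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (input is digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Succeeds for RFC 1918, loopback, link-local and 100.64.0.0/10 (CGNAT) addresses.
is_private_ipv4() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    esac
    return 1
}

# Reads `ip -4 -o addr show scope global` output on stdin and prints the
# first valid, non-private address (nothing if every address is private).
first_public_ipv4() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }' |
    while read -r cand; do
        if is_valid_ipv4 "$cand" && ! is_private_ipv4 "$cand"; then
            echo "$cand"; break
        fi
    done
}

# Local interfaces first; otherwise ask api.ipify.org with the proxy bypassed.
detect_server_ipv4() {
    found=$(ip -4 -o addr show scope global 2>/dev/null | first_public_ipv4)
    if [ -z "$found" ]; then
        # --noproxy '*' makes curl ignore ALL_PROXY/http_proxy/https_proxy here
        found=$(curl -4 -fsS --max-time 5 --noproxy '*' https://api.ipify.org 2>/dev/null)
    fi
    is_valid_ipv4 "$found" && echo "$found"
}

# Constructed sample: a NATed interface plus one with a public (TEST-NET-3) address.
SAMPLE_IP_OUTPUT='2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth1'
```

If the direct request is blocked and no public interface address exists, `detect_server_ipv4` returns non-zero and the IP has to be entered by hand; passing that input through `is_valid_ipv4` before use rejects anything that is not a dotted-quad address.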

Labels: bug (Something isn't working)