For multi-user inbounds (AnyTLS / Trojan / VLESS / VMess / Shadowsocks with named
users), there is currently no way to attribute active connections to a
specific user through the management APIs:
- Clash API
GET /connections exposes per-connection metadata
(sourceIP, destinationIP, network, host, processPath, sourcePort,
destinationPort, dnsMode, type) plus top-level rule / chains, but it
does not include the authenticated inbound user, nor the inbound tag.
- V2Ray API stats expose per-user traffic bytes (
user>>>name>>>traffic>>>…)
but not connections / online IPs.
As a result, a management dashboard cannot compute per-user online device / IP
counts (or enforce per-user connection limits) for these inbounds.
Tested on sing-box 1.13.12 (and a 1.13.12 build with with_v2ray_api): the
inbound user is absent from /connections metadata.
Describe the solution you'd like
Add the inbound user — e.g. inboundUser — and ideally the inbound tag
(inbound) to each connection's metadata in the Clash API /connections
response. This information is already available internally on
adapter.InboundContext (it carries User and the inbound), so it's a matter of
surfacing it.
Describe alternatives you've considered
Alternatively, implementing the V2Ray StatsService online-IP stats
(equivalent to v2ray/Xray's GetStatsOnline / online-IP map per user) would also
solve it by reporting the set/count of online source IPs per user.
Additional context
Use cases: per-user online-device dashboards, per-user concurrent-IP limits,
abuse detection. Clash-compatible UIs already render metadata per connection,
so an extra inboundUser field integrates cleanly.
需求背景 / 遇到的问题
对于多用户 inbound(AnyTLS / Trojan / VLESS / VMess / 带命名 users 的
Shadowsocks),目前无法通过管理 API 把活跃连接归属到具体某个用户:
- Clash API 的
GET /connections 暴露了每条连接的 metadata
(sourceIP、destinationIP、network、host、processPath、sourcePort、
destinationPort、dnsMode、type)以及顶层的 rule / chains,但不包含
已认证的 inbound 用户,也不包含 inbound tag。
- V2Ray API 的 stats 只提供每用户的流量字节数
(user>>>name>>>traffic>>>…),不提供连接 / 在线 IP 信息。
因此,管理面板无法计算这些 inbound 的每用户在线设备 / IP 数(也无法做
每用户并发连接限制)。
已在 sing-box 1.13.12(以及带 with_v2ray_api 的 1.13.12 自编译版)上验证:
/connections 的 metadata 中没有 inbound 用户字段。
期望的方案
在 Clash API /connections 响应里,为每条连接的 metadata 增加 inbound 用户
字段——例如 inboundUser——最好再加上 inbound tag(inbound)。这些信息在内部
已经存在于 adapter.InboundContext 上(它携带 User 与 inbound),所以只是把
已有信息透出来而已。
考虑过的替代方案
或者,实现 V2Ray StatsService 的在线 IP 统计(等价于 v2ray/Xray 的
GetStatsOnline / 每用户在线 IP 集合),也能解决——即按用户上报在线源 IP 的
集合/数量。
补充
使用场景:每用户在线设备看板、每用户并发 IP 限制、滥用检测。Clash 兼容的 UI
本来就会逐条渲染 metadata,新增一个 inboundUser 字段可无缝接入。
For multi-user inbounds (AnyTLS / Trojan / VLESS / VMess / Shadowsocks with named
users), there is currently no way to attribute active connections to aspecific user through the management APIs:
GET /connectionsexposes per-connectionmetadata(
sourceIP,destinationIP,network,host,processPath,sourcePort,destinationPort,dnsMode,type) plus top-levelrule/chains, but itdoes not include the authenticated inbound user, nor the inbound tag.
user>>>name>>>traffic>>>…)but not connections / online IPs.
As a result, a management dashboard cannot compute per-user online device / IP
counts (or enforce per-user connection limits) for these inbounds.
Tested on sing-box
1.13.12(and a1.13.12build withwith_v2ray_api): theinbound user is absent from
/connectionsmetadata.Describe the solution you'd like
Add the inbound user — e.g.
inboundUser— and ideally the inbound tag(
inbound) to each connection'smetadatain the Clash API/connectionsresponse. This information is already available internally on
adapter.InboundContext(it carriesUserand the inbound), so it's a matter ofsurfacing it.
Describe alternatives you've considered
Alternatively, implementing the V2Ray
StatsServiceonline-IP stats(equivalent to v2ray/Xray's
GetStatsOnline/ online-IP map per user) would alsosolve it by reporting the set/count of online source IPs per user.
Additional context
Use cases: per-user online-device dashboards, per-user concurrent-IP limits,
abuse detection. Clash-compatible UIs already render
metadataper connection,so an extra
inboundUserfield integrates cleanly.需求背景 / 遇到的问题
对于多用户 inbound(AnyTLS / Trojan / VLESS / VMess / 带命名
users的Shadowsocks),目前无法通过管理 API 把活跃连接归属到具体某个用户:
GET /connections暴露了每条连接的metadata(
sourceIP、destinationIP、network、host、processPath、sourcePort、destinationPort、dnsMode、type)以及顶层的rule/chains,但不包含已认证的 inbound 用户,也不包含 inbound tag。
(
user>>>name>>>traffic>>>…),不提供连接 / 在线 IP 信息。因此,管理面板无法计算这些 inbound 的每用户在线设备 / IP 数(也无法做
每用户并发连接限制)。
已在 sing-box
1.13.12(以及带with_v2ray_api的1.13.12自编译版)上验证:/connections的 metadata 中没有 inbound 用户字段。期望的方案
在 Clash API
/connections响应里,为每条连接的metadata增加 inbound 用户字段——例如
inboundUser——最好再加上 inbound tag(inbound)。这些信息在内部已经存在于
adapter.InboundContext上(它携带User与 inbound),所以只是把已有信息透出来而已。
考虑过的替代方案
或者,实现 V2Ray
StatsService的在线 IP 统计(等价于 v2ray/Xray 的GetStatsOnline/ 每用户在线 IP 集合),也能解决——即按用户上报在线源 IP 的集合/数量。
补充
使用场景:每用户在线设备看板、每用户并发 IP 限制、滥用检测。Clash 兼容的 UI
本来就会逐条渲染
metadata,新增一个inboundUser字段可无缝接入。