Skip to content

Expose the authenticated inbound user on Clash API /connections (enable per-user online device/IP counting) #4247

Description

@lichang333

For multi-user inbounds (AnyTLS / Trojan / VLESS / VMess / Shadowsocks with named
users), there is currently no way to attribute active connections to a
specific user through the management APIs:

  • Clash API GET /connections exposes per-connection metadata
    (sourceIP, destinationIP, network, host, processPath, sourcePort,
    destinationPort, dnsMode, type) plus top-level rule / chains, but it
    does not include the authenticated inbound user, nor the inbound tag.
  • V2Ray API stats expose per-user traffic bytes (user>>>name>>>traffic>>>…)
    but not connections / online IPs.

As a result, a management dashboard cannot compute per-user online device / IP
counts
(or enforce per-user connection limits) for these inbounds.

Tested on sing-box 1.13.12 (and a 1.13.12 build with with_v2ray_api): the
inbound user is absent from /connections metadata.

Describe the solution you'd like

Add the inbound user — e.g. inboundUser — and ideally the inbound tag
(inbound) to each connection's metadata in the Clash API /connections
response. This information is already available internally on
adapter.InboundContext (it carries User and the inbound), so it's a matter of
surfacing it.

Describe alternatives you've considered

Alternatively, implementing the V2Ray StatsService online-IP stats
(equivalent to v2ray/Xray's GetStatsOnline / online-IP map per user) would also
solve it by reporting the set/count of online source IPs per user.

Additional context

Use cases: per-user online-device dashboards, per-user concurrent-IP limits,
abuse detection. Clash-compatible UIs already render metadata per connection,
so an extra inboundUser field integrates cleanly.

需求背景 / 遇到的问题

对于多用户 inbound(AnyTLS / Trojan / VLESS / VMess / 带命名 users
Shadowsocks),目前无法通过管理 API 把活跃连接归属到具体某个用户:

  • Clash APIGET /connections 暴露了每条连接的 metadata
    sourceIPdestinationIPnetworkhostprocessPathsourcePort
    destinationPortdnsModetype)以及顶层的 rule / chains,但不包含
    已认证的 inbound 用户,也不包含 inbound tag
  • V2Ray API 的 stats 只提供每用户的流量字节数
    user>>>name>>>traffic>>>…),不提供连接 / 在线 IP 信息。

因此,管理面板无法计算这些 inbound 的每用户在线设备 / IP 数(也无法做
每用户并发连接限制)。

已在 sing-box 1.13.12(以及带 with_v2ray_api1.13.12 自编译版)上验证:
/connections 的 metadata 中没有 inbound 用户字段。

期望的方案

在 Clash API /connections 响应里,为每条连接的 metadata 增加 inbound 用户
字段——例如 inboundUser——最好再加上 inbound tag(inbound)。这些信息在内部
已经存在于 adapter.InboundContext 上(它携带 User 与 inbound),所以只是把
已有信息透出来而已。

考虑过的替代方案

或者,实现 V2Ray StatsService在线 IP 统计(等价于 v2ray/Xray 的
GetStatsOnline / 每用户在线 IP 集合),也能解决——即按用户上报在线源 IP 的
集合/数量。

补充

使用场景:每用户在线设备看板、每用户并发 IP 限制、滥用检测。Clash 兼容的 UI
本来就会逐条渲染 metadata,新增一个 inboundUser 字段可无缝接入。

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions