explaingit

vzzoxo/xiaoyizi

42 · JavaScript

TLDR

xiaoyizi, with a README written in Chinese, is a self-hosted management panel for running a multi-protocol proxy service for one person or a small group.

In plain English

xiaoyizi is built on Node.js 22, Express 5, and SQLite via the better-sqlite3 driver, and runs under PM2. The README says it brings users, nodes, subscriptions, traffic accounting, and day-to-day operations into a single web panel, with support for the VLESS Reality, Shadowsocks, and Hysteria 2 protocols.

On the user side the panel handles email signup and login, password recovery, invite codes, user groups, traffic quotas, and expiry freezing. The subscription endpoint auto-detects the client by User-Agent for Clash, Sing-box, v2ray, Shadowrocket, and similar tools, signs links to deter copy-paste theft, applies IP and token rate limits, and runs abuse detection.

Nodes are deployed with one click onto any VPS over SSH, using a password or a key, with optional SOCKS5 chaining. Health is tracked through a long-lived WebSocket between the panel and a node-side agent, plus liveness checks on the xray and Hysteria processes.

The automation features are oriented around AWS. The panel manages multiple EC2 and Lightsail accounts, can create instances and rotate IPs (including the Wavelength edge zones), and uses a detection-rotate-sync loop when a node looks blocked from the user's network. UUIDs and subscription tokens rotate on a per-user-group schedule.

A Telegram bot ties into all of this: daily check-ins grant traffic, consecutive days bump the user into family, SVIP, or SSVIP tiers at 7, 15, and 30-day thresholds, and three mini-games (a weekly wheel, daily card flip, and daily rock-paper-scissors) hand out small rewards. Bot commands include /me, /sub, and /adminstats.

Deployment is a single bash one-liner that fetches install.sh from the repo and runs through system dependencies, Node 22, PM2, code checkout, a generated .env, Nginx with Let's Encrypt SSL, PM2 startup, and a health check, on Debian 11 or Ubuntu 20.04 and up. The first registered user becomes admin. Two required env vars are PANEL_DOMAIN and SESSION_SECRET. The stack also includes EJS templates, Tailwind CSS, AWS SDK v3, and the ws WebSocket library.

The security section lists Helmet with a strict Content Security Policy and per-request nonce, CSRF double protection by Origin header and token, login rate limiting and captcha attempt caps, scrypt password hashing with bounded parameters, AES-256-GCM at rest for AWS credentials, optional HMAC-signed subscription links, multi-layer rate limiting by IP, token, and behaviour, and timing-safe comparisons. The project is MIT-licensed.
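The HMAC-signed subscription links and timing-safe comparisons named in the security list can be sketched as follows. This is an added example, not xiaoyizi's own code: the `/sub/<token>` layout, the `exp` and `sig` parameters, the function names and the demo secret are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real panel would load a dedicated secret from its environment.
const DEMO_SECRET = 'constructed-demo-secret-not-for-production';

// MAC over token and expiry together, so neither can be swapped independently.
function linkMac(secret, token, exp) {
  return crypto.createHmac('sha256', secret).update(`${token}\n${exp}`).digest();
}

// Hypothetical URL layout: /sub/<token>?exp=<unix seconds>&sig=<base64url HMAC>
function signSubscriptionUrl(base, token, ttlSeconds, secret, nowMs = Date.now()) {
  if (!/^[A-Za-z0-9_-]+$/.test(token)) throw new Error('token must be URL-safe');
  const exp = String(Math.floor(nowMs / 1000) + ttlSeconds);
  const url = new URL(`/sub/${token}`, base);
  url.searchParams.set('exp', exp);
  url.searchParams.set('sig', linkMac(secret, token, exp).toString('base64url'));
  return url.toString();
}

function verifySubscriptionUrl(urlString, secret, nowMs = Date.now()) {
  const url = new URL(urlString);
  const match = /^\/sub\/([A-Za-z0-9_-]+)$/.exec(url.pathname);
  const exp = url.searchParams.get('exp') || '';
  const sig = url.searchParams.get('sig') || '';
  if (!match || !/^[1-9]\d{0,11}$/.test(exp)) return { ok: false, reason: 'malformed' };

  const expected = linkMac(secret, match[1], exp);
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Check expiry only after the signature proves exp was issued by the panel.
  if (Math.floor(nowMs / 1000) > Number(exp)) return { ok: false, reason: 'expired' };
  return { ok: true, token: match[1] };
}
```

Because the expiry is covered by the MAC, a link pasted elsewhere stops working once `exp` passes and cannot be extended without the panel's secret.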

Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.