Security
Security notes for operating VGate responsibly.
Three separated auth domains
VGate deliberately keeps three auth mechanisms apart:
- User JWT — for the user portal and
/user/*. - Admin JWT — for the admin console and
/admin/*; refreshable, with one silent refresh on401. - Node token — for the
/server/*data plane, validated by thenode_authmiddleware.
Never reuse a node token as a user/admin credential or vice versa.
Secrets
- Set a strong
jwt.secretin the manager config. It is used to sign all JWTs. - The bootstrap admin password is printed only once at first start — store it securely, then rotate by creating a new admin and removing the bootstrap account.
- Node tokens are issued per node in the admin console; treat them like API keys.
Transport security
- For the
xtls-rprx-visionflow, configure TLS 1.3 or Reality on the node. Vision is incompatible with thev2AEAD flow. - Prefer Reality/TLS on internet-facing nodes to avoid passive inspection.
- The native
tcptransport applies TLS/Reality viatransport/security.Wrap.
Network exposure
- Manager: do not expose the manager port directly to the internet. Put it behind a reverse proxy and only forward the paths your clients need (
/api/v1, frontend assets). - Server nodes: only the VLESS listen port (assigned by the manager) needs to be reachable by clients. The manager connection is outbound from the node.
- Frontends: static assets only; they hold no secrets (the API base URL is runtime config).
CORS
When the manager and a frontend run on different origins, add the frontend origin to the manager's cors.allowed_origins (DB-backed, hot-reloadable). Avoid wildcard * in production.
Rate limiting
Enable the ratelimit middleware for public endpoints — especially /user/login and /billing/alipay/notify — to blunt brute force and abuse.
User portal hardening
- The user portal supports a Cloudflare Turnstile field on login — enable it to reduce bot signups.
- User access tokens are not refreshable; on
401the client clears the token and redirects to/login, limiting the blast radius of a leaked token.
Database
- Use Postgres (not the default SQLite file) for production durability and concurrency.
- Back up the database regularly — it holds users, orders, and traffic history.
- Restrict filesystem access to the SQLite file if you keep the default.
Updates
- Keep xray-core (via the server's
replacecheckout) and dependencies current for protocol and CVE fixes. - The manager auto-migrates safely; review migration code before major version bumps.