Description
When creating or editing a Hysteria/Hysteria2 inbound through the Pasarguard panel UI, the system allows the user to check/select the "No TLS" option and successfully saves the configuration. However, upon restarting the panel or attempting to sync nodes, Xray-core fails to start on all connected nodes.
This happens because the Hysteria protocol fundamentally requires a valid TLS configuration to initialize. The panel backend lacks proper validation for this protocol-specific constraint, leading to a complete breakdown of node synchronization.
Steps to Reproduce
Open the Pasarguard panel and navigate to Inbounds -> Add Inbound (or edit an existing one).
Select Hysteria or Hysteria 2 as the protocol.
Toggle / Select the "No TLS" option.
Click Save.
Restart the Pasarguard Docker containers or trigger a node health check/reconnect.
Check the Docker logs via docker logs pasarguard-pasarguard-1.
Expected Behavior
The panel UI should dynamically hide or disable the "No TLS" option when Hysteria/Hysteria2 protocols are selected. Alternatively, the backend should implement a validation check that throws a user-friendly error message (e.g., "Hysteria protocols strictly require a TLS configuration") and prevents saving a broken configuration.
Error logs
ERROR: 2026-06-18 16:35:00,710 - Node-operation - Failed to connect node de-fra-01 with id 4, Error: failed to start xray: Failed to start: app/proxyman/inbound: failed to listen TCP on 60970 > transport/internet: failed to listen on address: 0.0.0.0:60970 > transport/internet/hysteria: tls config is nil
ERROR: 2026-06-18 16:35:00,721 - Node-operation - Failed to connect node dk-cph-102 with id 18, Error: failed to start xray: Failed to start: app/proxyman/inbound: failed to listen TCP on 60970 > transport/internet: failed to listen on address: 0.0.0.0:60970 > transport/internet/hysteria: tls config is nil
Technical Context
Xray-core strictly expects a populated tlsSettings object inside the streamSettings block for Hysteria inbounds. When "No TLS" is selected in Pasarguard, the panel generates an incomplete Xray JSON config where the TLS configuration passed to the core is either null or completely omitted. This leads directly to a nil pointer panic (tls config is nil) inside Xray's transport/internet/hysteria module.
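One way the backend check requested under Expected Behavior could look, as an added example that is not Pasarguard's or Xray-core's own code. It assumes a Hysteria inbound can be recognised by "hysteria"/"hysteria2" in `protocol` or in `streamSettings.network`, and that a populated `tlsSettings` means at least one `certificates` entry; the function name and the sample config are constructed for illustration.

```python
import json

# Assumption: Hysteria inbounds carry one of these names in "protocol" or in
# streamSettings "network"; adjust to whatever the panel actually emits.
TLS_REQUIRED = {"hysteria", "hysteria2"}
REQUIRED_MSG = "Hysteria protocols strictly require a TLS configuration"


def hysteria_tls_errors(config: dict) -> list[str]:
    """Return one message per Hysteria inbound that lacks usable TLS settings."""
    errors = []
    for index, inbound in enumerate(config.get("inbounds") or []):
        stream = inbound.get("streamSettings") or {}
        names = {str(inbound.get("protocol", "")).lower(),
                 str(stream.get("network", "")).lower()}
        if not names & TLS_REQUIRED:
            continue  # other protocols may legitimately run without TLS
        tag = inbound.get("tag") or f"inbounds[{index}]"
        tls = stream.get("tlsSettings")
        if stream.get("security") != "tls":
            errors.append(f"{tag}: {REQUIRED_MSG} (security is {stream.get('security')!r})")
        # Assumption: "populated" means a dict with a non-empty certificates list.
        elif not isinstance(tls, dict) or not tls.get("certificates"):
            errors.append(f"{tag}: {REQUIRED_MSG} (tlsSettings is missing or has no certificates)")
    return errors


# Constructed sample config (tags, ports and paths are placeholders).
SAMPLE = json.loads("""
{"inbounds": [
  {"tag": "hy-no-tls", "port": 60970, "protocol": "hysteria",
   "streamSettings": {"network": "hysteria", "security": "none"}},
  {"tag": "hy-null-tls", "port": 60971, "protocol": "hysteria",
   "streamSettings": {"network": "hysteria", "security": "tls", "tlsSettings": null}},
  {"tag": "hy-ok", "port": 60972, "protocol": "hysteria",
   "streamSettings": {"network": "hysteria", "security": "tls",
     "tlsSettings": {"certificates": [{"certificateFile": "/path/to/cert.pem",
                                       "keyFile": "/path/to/key.pem"}]}}},
  {"tag": "vless-plain", "port": 8080, "protocol": "vless",
   "streamSettings": {"network": "tcp", "security": "none"}}
]}
""")

if __name__ == "__main__":
    for line in hysteria_tls_errors(SAMPLE):
        print("rejected:", line)
```

Running the check at save time and again before a config is pushed to nodes keeps an already-stored broken inbound from taking down every node on the next sync.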