Skip to content

Hysteria Inbound with "No TLS" option crashes Xray core (tls config is nil) #628

Description

@mustfqyl

Description
When creating or editing a Hysteria/Hysteria2 inbound through the Pasarguard panel UI, the system allows the user to check/select the "No TLS" option and successfully saves the configuration. However, upon restarting the panel or attempting to sync nodes, Xray-core fails to start on all connected nodes.
This happens because the Hysteria protocol fundamentally requires a valid TLS configuration to initialize. The panel backend lacks proper validation for this protocol-specific constraint, leading to a complete breakdown of node synchronization.

Steps to Reproduce
Open the Pasarguard panel and navigate to Inbounds -> Add Inbound (or edit an existing one).
Select Hysteria or Hysteria 2 as the protocol.
Toggle / Select the "No TLS" option.
Click Save.
Restart the Pasarguard docker containers or trigger a node health check/reconnect.
Check docker logs via docker logs pasarguard-pasarguard-1.

Expected Behavior
The panel UI should dynamically hide or disable the "No TLS" option when Hysteria/Hysteria2 protocols are selected. Alternatively, the backend should implement a validation check that throws a user-friendly error message (e.g., "Hysteria protocols strictly require a TLS configuration") and prevents saving a broken configuration.

Error logs
ERROR: 2026-06-18 16:35:00,710 - Node-operation - Failed to connect node de-fra-01 with id 4, Error: failed to start xray: Failed to start: app/proxyman/inbound: failed to listen TCP on 60970 > transport/internet: failed to listen on address: 0.0.0.0:60970 > transport/internet/hysteria: tls config is nil
ERROR: 2026-06-18 16:35:00,721 - Node-operation - Failed to connect node dk-cph-102 with id 18, Error: failed to start xray: Failed to start: app/proxyman/inbound: failed to listen TCP on 60970 > transport/internet: failed to listen on address: 0.0.0.0:60970 > transport/internet/hysteria: tls config is nil

Technical Context
Xray-core strictly expects a populated tlsSettings object inside the streamSettings block for Hysteria inbounds. When "No TLS" is selected in Pasarguard, the panel generates an incomplete Xray JSON config where the TLS configuration passed to the core is either null or completely omitted. This leads directly to a nil pointer panic (tls config is nil) inside Xray's transport/internet/hysteria module.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions