
Update menu.sh

firewallfalcons 2 månader sedan
förälder
incheckning
ab9f2cb5e1
1 ändrade filer med 209 tillägg och 336 borttagningar
  1. 209 336
      menu.sh

+ 209 - 336
menu.sh

@@ -1271,241 +1271,85 @@ remove_ssh_banner() {
     echo -e "\nPress ${C_YELLOW}[Enter]${C_RESET} to return..." && read -r
 }
 
-ssh_banner_menu() {
-    while true; do
-        show_banner
-        local banner_status
-        if grep -q -E "^\s*Banner\s+$SSH_BANNER_FILE" /etc/ssh/sshd_config && [ -f "$SSH_BANNER_FILE" ]; then
-            banner_status="${C_STATUS_A}(Active)${C_RESET}"
-        else
-            banner_status="${C_STATUS_I}(Inactive)${C_RESET}"
-        fi
-        
-        echo -e "\n   ${C_TITLE}═════════════════[ ${C_BOLD}🎨 SSH Banner Management ${banner_status} ${C_RESET}${C_TITLE}]═════════════════${C_RESET}"
-        printf "     ${C_CHOICE}[ 1]${C_RESET} %-40s\n" "📋 Paste or Edit Banner"
-        printf "     ${C_CHOICE}[ 2]${C_RESET} %-40s\n" "👁️ View Current Banner"
-        printf "     ${C_DANGER}[ 3]${C_RESET} %-40s\n" "🗑️ Disable and Remove Banner"
-        echo -e "   ${C_DIM}~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~${C_RESET}"
-        echo -e "     ${C_WARN}[ 0]${C_RESET} ↩️ Return to Main Menu"
-        echo
-        read -p "$(echo -e ${C_PROMPT}"👉 Select an option: "${C_RESET})" choice
-        case $choice in
-            1) set_ssh_banner_paste ;;
-            2) view_ssh_banner ;;
-            3) remove_ssh_banner ;;
-            0) return ;;
-            *) echo -e "\n${C_RED}❌ Invalid option.${C_RESET}" && sleep 2 ;;
-        esac
-    done
-}
-
-install_udp_custom() {
-    clear; show_banner
-    echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Installing udp-custom ---${C_RESET}"
-    if [ -f "$UDP_CUSTOM_SERVICE_FILE" ]; then
-        echo -e "\n${C_YELLOW}ℹ️ udp-custom is already installed.${C_RESET}"
-        return
-    fi
-
-    echo -e "\n${C_GREEN}⚙️ Creating directory for udp-custom...${C_RESET}"
-    rm -rf "$UDP_CUSTOM_DIR"
-    mkdir -p "$UDP_CUSTOM_DIR"
-
-    echo -e "\n${C_GREEN}⚙️ Detecting system architecture...${C_RESET}"
-    local arch
-    arch=$(uname -m)
-    local binary_url=""
-    if [[ "$arch" == "x86_64" ]]; then
-        binary_url="https://github.com/firewallfalcons/FirewallFalcon-Manager/raw/main/udp/udp-custom-linux-amd64"
-        echo -e "${C_BLUE}ℹ️ Detected x86_64 (amd64) architecture.${C_RESET}"
-    elif [[ "$arch" == "aarch64" || "$arch" == "arm64" ]]; then
-        binary_url="https://github.com/firewallfalcons/FirewallFalcon-Manager/raw/main/udp/udp-custom-linux-arm"
-        echo -e "${C_BLUE}ℹ️ Detected ARM64 architecture.${C_RESET}"
-    else
-        echo -e "\n${C_RED}❌ Unsupported architecture: $arch. Cannot install udp-custom.${C_RESET}"
-        rm -rf "$UDP_CUSTOM_DIR"
-        return
-    fi
-
-    echo -e "\n${C_GREEN}📥 Downloading udp-custom binary...${C_RESET}"
-    wget -q --show-progress -O "$UDP_CUSTOM_DIR/udp-custom" "$binary_url"
-    if [ $? -ne 0 ]; then
-        echo -e "\n${C_RED}❌ Failed to download the udp-custom binary.${C_RESET}"
-        rm -rf "$UDP_CUSTOM_DIR"
-        return
-    fi
-    chmod +x "$UDP_CUSTOM_DIR/udp-custom"
-
-    echo -e "\n${C_GREEN}📝 Creating default config.json...${C_RESET}"
-    cat > "$UDP_CUSTOM_DIR/config.json" <<EOF
-{
-  "listen": ":36712",
-  "stream_buffer": 33554432,
-  "receive_buffer": 83886080,
-  "auth": {
-    "mode": "passwords"
-  }
-}
-EOF
-    chmod 644 "$UDP_CUSTOM_DIR/config.json"
-
-    echo -e "\n${C_GREEN}📝 Creating systemd service file...${C_RESET}"
-    cat > "$UDP_CUSTOM_SERVICE_FILE" <<EOF
-[Unit]
-Description=UDP Custom by FirewallFalcon
-After=network.target
-
-[Service]
-User=root
-Type=simple
-ExecStart=$UDP_CUSTOM_DIR/udp-custom server -exclude 53,5300
-WorkingDirectory=$UDP_CUSTOM_DIR/
-Restart=always
-RestartSec=2s
-
-[Install]
-WantedBy=default.target
-EOF
-
-    echo -e "\n${C_GREEN}▶️ Enabling and starting udp-custom service...${C_RESET}"
-    systemctl daemon-reload
-    systemctl enable udp-custom.service
-    systemctl start udp-custom.service
-    sleep 2
-    if systemctl is-active --quiet udp-custom; then
-        echo -e "\n${C_GREEN}✅ SUCCESS: udp-custom is installed and active.${C_RESET}"
-    else
-        echo -e "\n${C_RED}❌ ERROR: udp-custom service failed to start.${C_RESET}"
-        echo -e "${C_YELLOW}ℹ️ Displaying last 15 lines of the service log for diagnostics:${C_RESET}"
-        journalctl -u udp-custom.service -n 15 --no-pager
-    fi
-}
-
-uninstall_udp_custom() {
-    echo -e "\n${C_BOLD}${C_PURPLE}--- 🗑️ Uninstalling udp-custom ---${C_RESET}"
-    if [ ! -f "$UDP_CUSTOM_SERVICE_FILE" ]; then
-        echo -e "${C_YELLOW}ℹ️ udp-custom is not installed, skipping.${C_RESET}"
-        return
-    fi
-    echo -e "${C_GREEN}🛑 Stopping and disabling udp-custom service...${C_RESET}"
-    systemctl stop udp-custom.service >/dev/null 2>&1
-    systemctl disable udp-custom.service >/dev/null 2>&1
-    echo -e "${C_GREEN}🗑️ Removing systemd service file...${C_RESET}"
-    rm -f "$UDP_CUSTOM_SERVICE_FILE"
-    systemctl daemon-reload
-    echo -e "${C_GREEN}🗑️ Removing udp-custom directory and files...${C_RESET}"
-    rm -rf "$UDP_CUSTOM_DIR"
-    echo -e "${C_GREEN}✅ udp-custom has been uninstalled successfully.${C_RESET}"
-}
-
-
-install_badvpn() {
-    clear; show_banner
-    echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Installing badvpn (udpgw) ---${C_RESET}"
-    if [ -f "$BADVPN_SERVICE_FILE" ]; then
-        echo -e "\n${C_YELLOW}ℹ️ badvpn is already installed.${C_RESET}"
-        return
-    fi
-    check_and_open_firewall_port 7300 udp || return
-    echo -e "\n${C_GREEN}🔄 Updating package lists...${C_RESET}"
-    apt-get update
-    echo -e "\n${C_GREEN}📦 Installing all required packages...${C_RESET}"
-    apt-get install -y cmake g++ make screen git build-essential libssl-dev libnspr4-dev libnss3-dev pkg-config
-    echo -e "\n${C_GREEN}📥 Cloning badvpn from github...${C_RESET}"
-    git clone https://github.com/ambrop72/badvpn.git "$BADVPN_BUILD_DIR"
-    cd "$BADVPN_BUILD_DIR" || { echo -e "${C_RED}❌ Failed to change directory to build folder.${C_RESET}"; return; }
-    echo -e "\n${C_GREEN}⚙️ Running CMake...${C_RESET}"
-    cmake . || { echo -e "${C_RED}❌ CMake configuration failed.${C_RESET}"; rm -rf "$BADVPN_BUILD_DIR"; return; }
-    echo -e "\n${C_GREEN}🛠️ Compiling source...${C_RESET}"
-    make || { echo -e "${C_RED}❌ Compilation (make) failed.${C_RESET}"; rm -rf "$BADVPN_BUILD_DIR"; return; }
-    local badvpn_binary
-    badvpn_binary=$(find "$BADVPN_BUILD_DIR" -name "badvpn-udpgw" -type f | head -n 1)
-    if [[ -z "$badvpn_binary" || ! -f "$badvpn_binary" ]]; then
-        echo -e "${C_RED}❌ ERROR: Could not find the compiled 'badvpn-udpgw' binary after compilation.${C_RESET}"
-        rm -rf "$BADVPN_BUILD_DIR"
-        return
-    fi
-    echo -e "${C_GREEN}ℹ️ Found binary at: $badvpn_binary${C_RESET}"
-    chmod +x "$badvpn_binary"
-    echo -e "\n${C_GREEN}📝 Creating systemd service file...${C_RESET}"
-    cat > "$BADVPN_SERVICE_FILE" <<-EOF
-[Unit]
-Description=BadVPN UDP Gateway
-After=network.target
-[Service]
-ExecStart=$badvpn_binary --listen-addr 0.0.0.0:7300 --max-clients 1000 --max-connections-for-client 8
-User=root
-Restart=always
-RestartSec=3
-[Install]
-WantedBy=multi-user.target
-EOF
-    echo -e "\n${C_GREEN}▶️ Enabling and starting badvpn service...${C_RESET}"
-    systemctl daemon-reload
-    systemctl enable badvpn.service
-    systemctl start badvpn.service
-    sleep 2
-    if systemctl is-active --quiet badvpn; then
-        echo -e "\n${C_GREEN}✅ SUCCESS: badvpn (udpgw) is installed and active on port 7300.${C_RESET}"
-    else
-        echo -e "\n${C_RED}❌ ERROR: badvpn service failed to start.${C_RESET}"
-        echo -e "${C_YELLOW}ℹ️ Displaying last 15 lines of the service log for diagnostics:${C_RESET}"
-        journalctl -u badvpn.service -n 15 --no-pager
+_install_certbot() {
+    if command -v certbot &> /dev/null; then
+        echo -e "${C_GREEN}✅ Certbot is already installed.${C_RESET}"
+        return 0
     fi
-}
-
-uninstall_badvpn() {
-    echo -e "\n${C_BOLD}${C_PURPLE}--- 🗑️ Uninstalling badvpn (udpgw) ---${C_RESET}"
-    if [ ! -f "$BADVPN_SERVICE_FILE" ]; then
-        echo -e "${C_YELLOW}ℹ️ badvpn is not installed, skipping.${C_RESET}"
-        return
+    echo -e "${C_YELLOW}⚠️ Certbot (for SSL) is not found.${C_RESET}"
+    read -p "👉 Do you want to install Certbot now? (y/n): " confirm_install
+    if [[ "$confirm_install" != "y" ]]; then
+        echo -e "${C_RED}❌ Installation skipped. Cannot proceed.${C_RESET}"
+        return 1
     fi
-    echo -e "${C_GREEN}🛑 Stopping and disabling badvpn service...${C_RESET}"
-    systemctl stop badvpn.service >/dev/null 2>&1
-    systemctl disable badvpn.service >/dev/null 2>&1
-    echo -e "${C_GREEN}🗑️ Removing systemd service file...${C_RESET}"
-    rm -f "$BADVPN_SERVICE_FILE"
-    systemctl daemon-reload
-    echo -e "${C_GREEN}🗑️ Removing badvpn build directory...${C_RESET}"
-    rm -rf "$BADVPN_BUILD_DIR"
-    echo -e "${C_GREEN}✅ badvpn has been uninstalled successfully.${C_RESET}"
+    echo -e "${C_BLUE}📦 Installing Certbot...${C_RESET}"
+    apt-get update > /dev/null 2>&1
+    apt-get install -y certbot || {
+        echo -e "${C_RED}❌ Failed to install Certbot.${C_RESET}"
+        return 1
+    }
+    echo -e "${C_GREEN}✅ Certbot installed successfully.${C_RESET}"
+    return 0
 }
 
 install_ssl_tunnel() {
     clear; show_banner
-    echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Installing SSL Tunnel (HAProxy) for SSH ---${C_RESET}"
+    echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Installing Multiplexed HAProxy (Ports 80 & 443) ---${C_RESET}"
     if ! command -v haproxy &> /dev/null; then
         echo -e "\n${C_YELLOW}⚠️ HAProxy not found. Installing...${C_RESET}"
         apt-get update && apt-get install -y haproxy || { echo -e "${C_RED}❌ Failed to install HAProxy.${C_RESET}"; return; }
     fi
-    read -p "👉 Enter the port for the SSL tunnel [444]: " ssl_port
-    ssl_port=${ssl_port:-444}
-    if ! [[ "$ssl_port" =~ ^[0-9]+$ ]] || [ "$ssl_port" -lt 1 ] || [ "$ssl_port" -gt 65535 ]; then
-        echo -e "\n${C_RED}❌ Invalid port number. Aborting.${C_RESET}"
-        return
-    fi
     
-    check_and_free_ports "$ssl_port" || return
-    check_and_open_firewall_port "$ssl_port" || return
+    echo -e "\n${C_BLUE}🔍 Ensuring required ports (80, 443, 10443) are free and open...${C_RESET}"
+    check_and_free_ports "80" "443" "10443" || return
+    check_and_open_firewall_port "80" tcp || return
+    check_and_open_firewall_port "443" tcp || return
 
-    if [ -f "$SSL_CERT_FILE" ]; then
-        read -p "SSL certificate already exists. Overwrite? (y/n): " overwrite_cert
-        if [[ "$overwrite_cert" != "y" ]]; then
-            echo -e "${C_YELLOW}ℹ️ Using existing certificate.${C_RESET}"
+    echo -e "\n${C_CYAN}Select SSL Certificate Type for HAProxy Decryption Engine:${C_RESET}"
+    echo -e "  ${C_GREEN}[ 1]${C_RESET} Self-Signed Certificate (Default)"
+    echo -e "  ${C_GREEN}[ 2]${C_RESET} Let's Encrypt Certificate (Certbot/Port 80 req.)"
+    read -p "👉 Enter choice [1]: " cert_choice
+    cert_choice=${cert_choice:-1}
+
+    mkdir -p "$SSL_CERT_DIR"
+
+    if [[ "$cert_choice" == "2" ]]; then
+        _install_certbot || return
+        read -p "👉 Enter your domain name (e.g., vps.example.com): " domain_name
+        read -p "👉 Enter your email address: " email
+        
+        systemctl stop haproxy >/dev/null 2>&1
+        systemctl stop nginx >/dev/null 2>&1
+        
+        certbot certonly --standalone -d "$domain_name" --non-interactive --agree-tos -m "$email"
+        if [ $? -eq 0 ]; then
+            echo -e "${C_GREEN}✅ Certificate obtained successfully! Creating HAProxy PEM...${C_RESET}"
+            cat "/etc/letsencrypt/live/$domain_name/fullchain.pem" "/etc/letsencrypt/live/$domain_name/privkey.pem" > "$SSL_CERT_FILE"
         else
-            rm -f "$SSL_CERT_FILE"
+            echo -e "${C_RED}❌ Certbot failed. Falling back to self-signed certificate.${C_RESET}"
+            cert_choice=1
         fi
     fi
-    if [ ! -f "$SSL_CERT_FILE" ]; then
-        echo -e "\n${C_GREEN}🔐 Generating self-signed SSL certificate...${C_RESET}"
-        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
-            -keyout "$SSL_CERT_FILE" -out "$SSL_CERT_FILE" \
-            -subj "/CN=@FIREWALLFALCON" \
-            >/dev/null 2>&1 || { echo -e "${C_RED}❌ Failed to generate SSL certificate.${C_RESET}"; return; }
-        echo -e "${C_GREEN}✅ Certificate created: ${C_YELLOW}$SSL_CERT_FILE${C_RESET}"
+
+    if [[ "$cert_choice" == "1" ]]; then
+        if [ -f "$SSL_CERT_FILE" ]; then
+            read -p "👉 A certificate already exists. Overwrite? (y/n): " overwrite_cert
+            if [[ "$overwrite_cert" == "y" || "$overwrite_cert" == "Y" ]]; then
+                rm -f "$SSL_CERT_FILE"
+            fi
+        fi
+        
+        if [ ! -f "$SSL_CERT_FILE" ]; then
+            echo -e "\n${C_GREEN}🔐 Generating internal loopback SSL certificate...${C_RESET}"
+            openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
+                -keyout "$SSL_CERT_FILE" -out "$SSL_CERT_FILE" \
+                -subj "/CN=@FIREWALLFALCON" \
+                >/dev/null 2>&1 || { echo -e "${C_RED}❌ Failed to generate SSL certificate.${C_RESET}"; return; }
+        fi
     fi
-    echo -e "\n${C_GREEN}📝 Creating HAProxy configuration for port $ssl_port...${C_RESET}"
-    cat > "$HAPROXY_CONFIG" <<-EOF
+
+    echo -e "\n${C_GREEN}📝 Applying Multiplexed HAProxy configuration...${C_RESET}"
+    cat > "$HAPROXY_CONFIG" << 'EOF'
 global
     log /dev/log    local0
     log /dev/log    local1 notice
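Review bot: `systemctl stop nginx` on the Let's Encrypt branch is never undone inside `install_ssl_tunnel` — only `haproxy` is restarted at the end of the function — so after a successful certbot run the nginx backends the generated config forwards to stay down until someone restarts them by hand; add `systemctl start nginx >/dev/null 2>&1` right after the `certbot certonly` call, on both outcomes. The concatenated PEM written by `cat … > "$SSL_CERT_FILE"` contains the private key and is created with the caller's umask, so follow it with `chmod 600 "$SSL_CERT_FILE"` (the same applies to the self-signed PEM the `openssl req` block writes, whose mode presumably also depends on the umask). The `if [ $? -eq 0 ]` test would read more clearly as `if certbot certonly …; then`. The `domain_name` and `email` answers are passed on unvalidated; an empty domain only makes certbot fail and fall back, which is acceptable, but a non-empty check before stopping the services would avoid the needless outage. `install_ssl_tunnel` continues past the end of this hunk.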
@@ -1515,38 +1359,119 @@ global
     user haproxy
     group haproxy
     daemon
+
 defaults
     log     global
     mode    tcp
     option  tcplog
     option  dontlognull
-    timeout connect 5000
-    timeout client  50000
-    timeout server  50000
-frontend ssh_ssl_in
-    bind *:$ssl_port ssl crt $SSL_CERT_FILE
+    timeout connect 5s
+    timeout client  24h
+    timeout server  24h
+
+# ====================================================================
+# TIER 1: PORT 80 (Cleartext Payloads & Raw SSH)
+# ====================================================================
+frontend port_80_edge
+    bind *:80
+    mode tcp
+    tcp-request inspect-delay 2s
+    
+    # Check for SSH Hex
+    acl is_ssh payload(0,7) -m bin 5353482d322e30
+    
+    tcp-request content accept if is_ssh
+    tcp-request content accept if HTTP
+    
+    # 1. Raw SSH -> Port 22
+    use_backend direct_ssh if is_ssh
+    
+    # 2. Cleartext HTTP Payload -> Nginx 8880 -> Your 8080 Proxy
+    default_backend nginx_cleartext
+
+# ====================================================================
+# TIER 1: PORT 443 (TLS v2ray, SSL Payloads, Raw SSH)
+# ====================================================================
+frontend port_443_edge
+    bind *:443
     mode tcp
-    default_backend ssh_backend
-backend ssh_backend
+    tcp-request inspect-delay 2s
+    
+    acl is_ssh payload(0,7) -m bin 5353482d322e30
+    acl is_tls req.ssl_hello_type 1
+    
+    # Check ALPN before decryption to save v2ray!
+    acl has_web_alpn req.ssl_alpn -m sub h2 http/1.1
+    
+    tcp-request content accept if is_ssh
+    tcp-request content accept if HTTP
+    tcp-request content accept if is_tls
+    
+    # 1. Raw SSH directly on 443 -> Port 22
+    use_backend direct_ssh if is_ssh
+    
+    # 2. Cleartext Payload dropped on 443 -> Nginx 8880
+    use_backend nginx_cleartext if HTTP
+    
+    # 3. TLS with Web ALPN (v2ray / Web Payload) -> Pass RAW TLS to Nginx 8443!
+    use_backend nginx_tls if is_tls has_web_alpn
+    
+    # 4. TLS without ALPN (Any-SNI Stunnel/SSH-TLS) -> Decrypt internally
+    default_backend loopback_ssl_terminator
+
+# ====================================================================
+# TIER 2: INTERNAL DECRYPTOR (Only for Any-SNI SSH-TLS)
+# ====================================================================
+frontend internal_decryptor
+    bind 127.0.0.1:10443 ssl crt /etc/firewallfalcon/ssl/firewallfalcon.pem
+    mode tcp
+    tcp-request inspect-delay 2s
+    
+    acl is_ssh payload(0,7) -m bin 5353482d322e30
+    tcp-request content accept if is_ssh
+    tcp-request content accept if HTTP
+    
+    # 1. Inside the tunnel is pure SSH -> Port 22
+    use_backend direct_ssh if is_ssh
+    
+    # 2. Inside the tunnel is a Payload -> Nginx 8880
+    default_backend nginx_cleartext
+
+# ====================================================================
+# DESTINATION BACKENDS (Clean handoffs, no proxy headers)
+# ====================================================================
+backend direct_ssh
     mode tcp
     server ssh_server 127.0.0.1:22
+
+backend nginx_cleartext
+    mode tcp
+    server nginx_8880 127.0.0.1:8880
+
+backend nginx_tls
+    mode tcp
+    server nginx_8443 127.0.0.1:8443
+
+backend loopback_ssl_terminator
+    mode tcp
+    server haproxy_ssl 127.0.0.1:10443
 EOF
+
     echo -e "\n${C_GREEN}▶️ Reloading and starting HAProxy service...${C_RESET}"
     systemctl daemon-reload
     systemctl restart haproxy
     sleep 2
     if systemctl is-active --quiet haproxy; then
-        echo -e "\n${C_GREEN}✅ SUCCESS: SSL Tunnel is active.${C_RESET}"
-        echo -e "Clients can now connect to this server's IP on port ${C_YELLOW}${ssl_port}${C_RESET} using an SSL/TLS tunnel."
+        echo -e "\n${C_GREEN}✅ SUCCESS: Multiplexed HAProxy Tunnel is active.${C_RESET}"
+        echo -e "Clients can now connect to this server's IP directly on port ${C_YELLOW}80 or 443${C_RESET}."
     else
         echo -e "\n${C_RED}❌ ERROR: HAProxy service failed to start.${C_RESET}"
-        echo -e "${C_YELLOW}ℹ️ Displaying HAProxy status for diagnostics:${C_RESET}"
         systemctl status haproxy --no-pager
     fi
 }
 
 uninstall_ssl_tunnel() {
-    echo -e "\n${C_BOLD}${C_PURPLE}--- 🗑️ Uninstalling SSL Tunnel ---${C_RESET}"
+    echo -e "\n${C_BOLD}${C_PURPLE}--- 🗑️ Uninstalling HAProxy ---${C_RESET}"
     if ! command -v haproxy &> /dev/null; then
         echo -e "${C_YELLOW}ℹ️ HAProxy not installed, skipping.${C_RESET}"
         return
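Review bot: The `bind` line of `internal_decryptor` hardcodes `/etc/firewallfalcon/ssl/firewallfalcon.pem`, while the script writes the certificate to `$SSL_CERT_FILE` in `install_ssl_tunnel` and `request_certbot_ssl`; the heredoc delimiter is now quoted (`<< 'EOF'`), so the variable can no longer be expanded there. If `$SSL_CERT_FILE` is defined as anything other than that literal path, HAProxy loads a missing or stale PEM and the `systemctl restart haproxy` at the end of the function fails. The config text contains no `$` of its own, so the delimiter can stay unquoted and the line become `bind 127.0.0.1:10443 ssl crt $SSL_CERT_FILE`, keeping the two in sync. Separately, `timeout client 24h` and `timeout server 24h` in tcp mode keep every idle connection open for a day and no `maxconn` appears in the visible config; consider whether the public frontends need a connection cap.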
@@ -1573,7 +1498,7 @@ EOF
             rm -f "$SSL_CERT_FILE"
         fi
     fi
-    echo -e "${C_GREEN}✅ SSL Tunnel has been uninstalled.${C_RESET}"
+    echo -e "${C_GREEN}✅ HAProxy Tunnel has been uninstalled.${C_RESET}"
 }
 
 show_dnstt_details() {
@@ -1654,8 +1579,6 @@ install_dnstt() {
 
     check_and_open_firewall_port 53 udp || return
 
-
-
     local forward_port=""
     local forward_desc=""
     echo -e "\n${C_BLUE}Please choose where DNSTT should forward traffic:${C_RESET}"
@@ -1667,9 +1590,6 @@ install_dnstt() {
         forward_port="22"
         forward_desc="SSH (port 22)"
         echo -e "${C_GREEN}ℹ️ DNSTT will forward to SSH on 127.0.0.1:22.${C_RESET}"
-        
-
-        
     elif [[ "$fwd_choice" == "2" ]]; then
         forward_port="8787"
         forward_desc="V2Ray (port 8787)"
@@ -1715,7 +1635,7 @@ install_dnstt() {
         NS_SUBDOMAIN="ns-$RANDOM_STR"
         TUNNEL_SUBDOMAIN="tun-$RANDOM_STR"
         NS_DOMAIN="$NS_SUBDOMAIN.$DESEC_DOMAIN"
-        TUNNEL_DOMAIN="$TUNNEL_SUBDOMAIN.$DESEC_DOMAIN"
+        TUNNEL_DOMAIN="$TUNNEL_DOMAIN.$DESEC_DOMAIN"
 
         local API_DATA
         API_DATA=$(printf '[{"subname": "%s", "type": "A", "ttl": 3600, "records": ["%s"]}, {"subname": "%s", "type": "NS", "ttl": 3600, "records": ["%s."]}]' \
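Review bot: `TUNNEL_DOMAIN="$TUNNEL_DOMAIN.$DESEC_DOMAIN"` assigns the variable from itself, so the `TUNNEL_SUBDOMAIN` computed two lines earlier is never used and the tunnel record sent in `API_DATA` carries either an empty or a stale prefix; the line should read `TUNNEL_DOMAIN="$TUNNEL_SUBDOMAIN.$DESEC_DOMAIN"`, mirroring the `NS_DOMAIN` line above it. `install_dnstt` continues outside this hunk, so whether `TUNNEL_DOMAIN` had an earlier value cannot be seen here, but the `NS_`/`TUNNEL_` symmetry makes the intent clear.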
@@ -2189,7 +2109,7 @@ purge_nginx() {
     local mode="$1"
     if [[ "$mode" != "silent" ]]; then
         clear; show_banner
-        echo -e "${C_BOLD}${C_PURPLE}--- 🔥 Purge Nginx Installation ---${C_RESET}"
+        echo -e "${C_BOLD}${C_PURPLE}--- 🔥 Purge Internal Nginx Installation ---${C_RESET}"
         if ! command -v nginx &> /dev/null; then
             echo -e "\n${C_YELLOW}ℹ️ Nginx is not installed. Nothing to do.${C_RESET}"
             return
@@ -2219,7 +2139,9 @@ purge_nginx() {
 
 install_nginx_proxy() {
     clear; show_banner
-    echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Installing Nginx Main Proxy (Ports 80 & 443) ---${C_RESET}"
+    echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Installing Internal Nginx Proxy ---${C_RESET}"
+    echo -e "${C_DIM}This acts as the internal traffic handler for HAProxy on ports 8443 and 8880.${C_RESET}"
+    
     if command -v nginx &> /dev/null; then
         echo -e "\n${C_YELLOW}⚠️ An existing Nginx installation was found.${C_RESET}"
         read -p "👉 To ensure a clean setup, the existing Nginx will be purged. Continue? (y/n): " confirm_purge
@@ -2231,17 +2153,15 @@ install_nginx_proxy() {
     fi
     echo -e "\n${C_BLUE}📦 Installing Nginx package...${C_RESET}"
     apt-get update && apt-get install -y nginx || { echo -e "${C_RED}❌ Failed to install Nginx.${C_RESET}"; return; }
-    
-    check_and_free_ports "80" "443" || return
 
-    # --- Custom Port Selection ---
+    # By default matching HAProxy configuration routing rules
     local tls_ports
-    read -p "👉 Enter TLS/SSL Port(s) [Default: 443]: " input_tls
-    if [[ -z "$input_tls" ]]; then tls_ports="443"; else tls_ports="$input_tls"; fi
+    read -p "👉 Enter internal TLS/SSL Port(s) [Default: 8443]: " input_tls
+    if [[ -z "$input_tls" ]]; then tls_ports="8443"; else tls_ports="$input_tls"; fi
 
     local http_ports
-    read -p "👉 Enter HTTP/Non-TLS Port(s) [Default: 80]: " input_http
-    if [[ -z "$input_http" ]]; then http_ports="80"; else http_ports="$input_http"; fi
+    read -p "👉 Enter internal HTTP/Non-TLS Port(s) [Default: 8880]: " input_http
+    if [[ -z "$input_http" ]]; then http_ports="8880"; else http_ports="$input_http"; fi
 
     # Convert to arrays
     read -a tls_ports_array <<< "$tls_ports"
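Review bot: With the defaults moved to 8443/8880 these Nginx listeners are only meant to be reached from HAProxy over 127.0.0.1, yet the loop that follows this hunk still calls `check_and_open_firewall_port "$port" tcp` for each of them, which exposes the internal ports publicly and lets a client bypass the HAProxy routing entirely. Either skip the firewall step for the internal ports or make nginx bind them on `127.0.0.1` (the `listen` directives are outside this hunk, so I cannot tell which address they use). Dropping `check_and_free_ports "80" "443"` also means the user-entered ports are no longer checked for being free; `check_and_free_ports "${tls_ports_array[@]}" || return` once the arrays are built (and likewise for the HTTP ports) would keep that guard. `install_nginx_proxy` continues past this hunk.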
@@ -2254,7 +2174,7 @@ install_nginx_proxy() {
         check_and_open_firewall_port "$port" tcp || return
     done
     
-    echo -e "\n${C_GREEN}🔐 Generating self-signed SSL certificate for Nginx...${C_RESET}"
+    echo -e "\n${C_GREEN}🔐 Generating self-signed SSL certificate for internal Nginx...${C_RESET}"
     local SSL_CERT="/etc/ssl/certs/nginx-selfsigned.pem"
     local SSL_KEY="/etc/ssl/private/nginx-selfsigned.key"
     mkdir -p /etc/ssl/certs /etc/ssl/private
@@ -2262,6 +2182,7 @@ install_nginx_proxy() {
         -keyout "$SSL_KEY" \
         -out "$SSL_CERT" \
         -subj "/CN=firewallfalcon.proxy" >/dev/null 2>&1 || { echo -e "${C_RED}❌ Failed to generate SSL certificate.${C_RESET}"; return; }
+        
     echo -e "\n${C_GREEN}📝 Applying Nginx reverse proxy configuration...${C_RESET}"
     mv "$NGINX_CONFIG_FILE" "${NGINX_CONFIG_FILE}.bak" 2>/dev/null
     
@@ -2328,9 +2249,9 @@ EOF
     systemctl restart nginx
     sleep 2
     if systemctl is-active --quiet nginx; then
-        echo -e "\n${C_GREEN}✅ SUCCESS: Nginx Reverse Proxy is active.${C_RESET}"
-        echo -e "   - TLS Ports: ${C_YELLOW}${tls_ports}${C_RESET}"
-        echo -e "   - HTTP Ports: ${C_YELLOW}${http_ports}${C_RESET}"
+        echo -e "\n${C_GREEN}✅ SUCCESS: Internal Nginx Reverse Proxy is active.${C_RESET}"
+        echo -e "   - Internal TLS Ports: ${C_YELLOW}${tls_ports}${C_RESET}"
+        echo -e "   - Internal HTTP Ports: ${C_YELLOW}${http_ports}${C_RESET}"
         
         # Save ports for future reference
         echo "TLS_PORTS=\"$tls_ports\"" > "$NGINX_PORTS_FILE"
@@ -2344,32 +2265,11 @@ EOF
     fi
 }
 
-_install_certbot() {
-    if command -v certbot &> /dev/null; then
-        echo -e "${C_GREEN}✅ Certbot is already installed.${C_RESET}"
-        return 0
-    fi
-    echo -e "${C_YELLOW}⚠️ Certbot (for SSL) is not found.${C_RESET}"
-    read -p "👉 Do you want to install Certbot now? (y/n): " confirm_install
-    if [[ "$confirm_install" != "y" ]]; then
-        echo -e "${C_RED}❌ Installation skipped. Cannot proceed.${C_RESET}"
-        return 1
-    fi
-    echo -e "${C_BLUE}📦 Installing Certbot...${C_RESET}"
-    apt-get update > /dev/null 2>&1
-    apt-get install -y certbot || {
-        echo -e "${C_RED}❌ Failed to install Certbot.${C_RESET}"
-        return 1
-    }
-    echo -e "${C_GREEN}✅ Certbot installed successfully.${C_RESET}"
-    return 0
-}
-
 request_certbot_ssl() {
     clear; show_banner
-    echo -e "${C_BOLD}${C_PURPLE}--- 🔒 Request Let's Encrypt SSL (Certbot) ---${C_RESET}"
-    if ! systemctl is-active --quiet nginx; then
-        echo -e "\n${C_RED}❌ Nginx is not running. Please ensure Nginx is installed and active.${C_RESET}"
+    echo -e "${C_BOLD}${C_PURPLE}--- 🔒 Request Let's Encrypt SSL for HAProxy ---${C_RESET}"
+    if ! systemctl is-active --quiet haproxy; then
+        echo -e "\n${C_RED}❌ HAProxy is not running. Please ensure HAProxy is installed and active on Port 80.${C_RESET}"
         return
     fi
 
@@ -2388,13 +2288,15 @@ request_certbot_ssl() {
         return
     fi
     
-    echo -e "\n${C_BLUE}🛑 Stopping Nginx temporarily for validation...${C_RESET}"
-    systemctl stop nginx
+    echo -e "\n${C_BLUE}🛑 Stopping Proxies temporarily for validation on Port 80...${C_RESET}"
+    systemctl stop haproxy >/dev/null 2>&1
+    systemctl stop nginx >/dev/null 2>&1
     sleep 2
 
     if ss -lntp | grep -q ":80\s"; then
          echo -e "${C_RED}❌ Failed to free port 80, another process might be using it. Aborting.${C_RESET}"
-         systemctl start nginx
+         systemctl start haproxy >/dev/null 2>&1
+         systemctl start nginx >/dev/null 2>&1
          return
     fi
 
@@ -2404,7 +2306,8 @@ request_certbot_ssl() {
     if [ $? -ne 0 ]; then
         echo -e "\n${C_RED}❌ Certbot failed to obtain a certificate.${C_RESET}"
         echo -e "${C_YELLOW}ℹ️ Please check your domain's DNS 'A' record points to this server's IP.${C_RESET}"
-        systemctl start nginx
+        systemctl start haproxy >/dev/null 2>&1
+        systemctl start nginx >/dev/null 2>&1
         return
     fi
 
@@ -2413,36 +2316,32 @@ request_certbot_ssl() {
 
     if [ ! -f "$SSL_CERT_LIVE" ] || [ ! -f "$SSL_KEY_LIVE" ]; then
         echo -e "\n${C_RED}❌ Certbot succeeded, but cert files not found at expected location.${C_RESET}"
-        systemctl start nginx
+        systemctl start haproxy >/dev/null 2>&1
+        systemctl start nginx >/dev/null 2>&1
         return
     fi
 
     echo -e "\n${C_GREEN}✅ Certificate obtained successfully!${C_RESET}"
-    echo -e "${C_BLUE}📝 Updating Nginx configuration...${C_RESET}"
+    echo -e "${C_BLUE}📝 Updating HAProxy certificate...${C_RESET}"
 
-    cp "$NGINX_CONFIG_FILE" "${NGINX_CONFIG_FILE}.bak.selfsigned"
-    
-    sed -i "s|server_name _;|server_name $domain_name;|" "$NGINX_CONFIG_FILE"
-    sed -i "s|ssl_certificate /etc/ssl/certs/nginx-selfsigned.pem;|ssl_certificate $SSL_CERT_LIVE;|" "$NGINX_CONFIG_FILE"
-    sed -i "s|ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;|ssl_certificate_key $SSL_KEY_LIVE;|" "$NGINX_CONFIG_FILE"
+    mkdir -p "$SSL_CERT_DIR"
+    cat "$SSL_CERT_LIVE" "$SSL_KEY_LIVE" > "$SSL_CERT_FILE"
 
-    echo -e "\n${C_BLUE}▶️ Restarting Nginx with new certificate...${C_RESET}"
-    systemctl start nginx
+    echo -e "\n${C_BLUE}▶️ Restarting Services with new certificate...${C_RESET}"
+    systemctl start haproxy >/dev/null 2>&1
+    systemctl start nginx >/dev/null 2>&1
     sleep 2
     
-    if systemctl is-active --quiet nginx; then
-        echo -e "\n${C_GREEN}✅ SUCCESS: Nginx is active with your new Let's Encrypt certificate!${C_RESET}"
+    if systemctl is-active --quiet haproxy; then
+        echo -e "\n${C_GREEN}✅ SUCCESS: HAProxy is active with your new Let's Encrypt certificate!${C_RESET}"
     else
-        echo -e "\n${C_RED}❌ ERROR: Nginx failed to start with the new certificate.${C_RESET}"
-        echo -e "${C_YELLOW}🔄 Restoring self-signed certificate config...${C_RESET}"
-        mv "${NGINX_CONFIG_FILE}.bak.selfsigned" "$NGINX_CONFIG_FILE"
-        systemctl restart nginx
+        echo -e "\n${C_RED}❌ ERROR: HAProxy failed to start with the new certificate.${C_RESET}"
     fi
 }
 
 nginx_proxy_menu() {
     clear; show_banner
-    echo -e "${C_BOLD}${C_PURPLE}--- 🌐 Nginx Main Proxy Management ---${C_RESET}"
+    echo -e "${C_BOLD}${C_PURPLE}--- 🌐 Internal Web Proxy Management ---${C_RESET}"
     
     local active_status="${C_STATUS_I}Inactive${C_RESET}"
     if systemctl is-active --quiet nginx; then
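Review bot: The new PEM overwrites `$SSL_CERT_FILE` in place and the failure branch no longer rolls anything back, whereas the replaced code kept a `.bak.selfsigned` copy and restored it when the service failed to start; a bad Let's Encrypt PEM now leaves HAProxy down with no recovery path. The `cat "$SSL_CERT_LIVE" "$SSL_KEY_LIVE" > "$SSL_CERT_FILE"` line also writes the private key with whatever mode the file gets under the current umask, so tighten it explicitly. Below is the tail of `request_certbot_ssl` with a backup before the overwrite, `chmod 600`, and a restore when `haproxy` does not come up. The same `systemctl start haproxy`/`nginx` pair is repeated on every abort path in the earlier hunks of this function; a small `_start_proxies` helper would avoid the duplication.
```shell
    mkdir -p "$SSL_CERT_DIR"
    # keep the previous PEM so a failed HAProxy restart can be rolled back
    [ -f "$SSL_CERT_FILE" ] && cp -p "$SSL_CERT_FILE" "${SSL_CERT_FILE}.bak.prev"
    # the PEM carries the private key: create it unreadable to other users
    ( umask 077; cat "$SSL_CERT_LIVE" "$SSL_KEY_LIVE" > "$SSL_CERT_FILE" )
    chmod 600 "$SSL_CERT_FILE"

    # … unchanged: start haproxy/nginx, sleep 2 …

    if systemctl is-active --quiet haproxy; then
        echo -e "\n${C_GREEN}✅ SUCCESS: HAProxy is active with your new Let's Encrypt certificate!${C_RESET}"
    else
        echo -e "\n${C_RED}❌ ERROR: HAProxy failed to start with the new certificate.${C_RESET}"
        if [ -f "${SSL_CERT_FILE}.bak.prev" ]; then
            echo -e "${C_YELLOW}🔄 Restoring previous certificate...${C_RESET}"
            mv "${SSL_CERT_FILE}.bak.prev" "$SSL_CERT_FILE"
            systemctl restart haproxy >/dev/null 2>&1
        fi
    fi
```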
@@ -2453,23 +2352,23 @@ nginx_proxy_menu() {
     local ports_info=""
     if [ -f "$NGINX_PORTS_FILE" ]; then
         source "$NGINX_PORTS_FILE"
-        ports_info="\n    ${C_DIM}TLS: $TLS_PORTS | HTTP: $HTTP_PORTS${C_RESET}"
+        ports_info="\n    ${C_DIM}Internal TLS: $TLS_PORTS | Internal HTTP: $HTTP_PORTS${C_RESET}"
     fi
 
-    echo -e "\n${C_WHITE}Current Status: ${active_status}${ports_info}"
+    echo -e "\n${C_WHITE}Current Nginx Status: ${active_status}${ports_info}"
     
     echo -e "\n${C_BOLD}Select an action:${C_RESET}\n"
     
     if systemctl is-active --quiet nginx; then
-         printf "  ${C_CHOICE}[ 1]${C_RESET} %-40s\n" "🛑 Stop Nginx Service"
-         printf "  ${C_CHOICE}[ 2]${C_RESET} %-40s\n" "🔄 Restart Nginx Service"
+         printf "  ${C_CHOICE}[ 1]${C_RESET} %-40s\n" "🛑 Stop Internal Nginx Service"
+         printf "  ${C_CHOICE}[ 2]${C_RESET} %-40s\n" "🔄 Restart Internal Nginx Service"
          printf "  ${C_CHOICE}[ 3]${C_RESET} %-40s\n" "⚙️ Re-install/Re-configure (Change Ports)"
-         printf "  ${C_CHOICE}[ 4]${C_RESET} %-40s\n" "🔒 Request/Renew SSL (Certbot)"
-         printf "  ${C_CHOICE}[ 5]${C_RESET} %-40s\n" "🔥 Uninstall/Purge Nginx"
+         printf "  ${C_CHOICE}[ 4]${C_RESET} %-40s\n" "🔒 Request/Renew HAProxy SSL (Certbot)"
+         printf "  ${C_CHOICE}[ 5]${C_RESET} %-40s\n" "🔥 Uninstall/Purge Internal Nginx"
     else
-         printf "  ${C_CHOICE}[ 1]${C_RESET} %-40s\n" "▶️ Start Nginx Service"
-         printf "  ${C_CHOICE}[ 3]${C_RESET} %-40s\n" "⚙️ Install/Configure Nginx"
-         printf "  ${C_CHOICE}[ 5]${C_RESET} %-40s\n" "🔥 Uninstall/Purge Nginx"
+         printf "  ${C_CHOICE}[ 1]${C_RESET} %-40s\n" "▶️ Start Internal Nginx Service"
+         printf "  ${C_CHOICE}[ 3]${C_RESET} %-40s\n" "⚙️ Install/Configure Internal Nginx"
+         printf "  ${C_CHOICE}[ 5]${C_RESET} %-40s\n" "🔥 Uninstall/Purge Internal Nginx"
     fi
 
     echo -e "\n  ${C_WARN}[ 0]${C_RESET} ↩️ Return to previous menu"
@@ -2513,7 +2412,6 @@ install_xui_panel() {
     echo -e "${C_BOLD}${C_PURPLE}--- 🚀 Install X-UI Panel ---${C_RESET}"
     echo -e "\nThis will download and run the official installation script for X-UI."
     echo -e "Choose an installation option:\n"
-    echo -e "Choose an installation option:\n"
     printf "  ${C_GREEN}[ 1]${C_RESET} %-40s\n" "Install the latest version of X-UI"
     printf "  ${C_GREEN}[ 2]${C_RESET} %-40s\n" "Install a specific version of X-UI"
     echo -e "\n  ${C_RED}[ 0]${C_RESET} ❌ Cancel Installation"
@@ -2609,14 +2507,8 @@ protocol_menu() {
         local udp_custom_status; if systemctl is-active --quiet udp-custom; then udp_custom_status="${C_STATUS_A}(Active)${C_RESET}"; else udp_custom_status="${C_STATUS_I}(Inactive)${C_RESET}"; fi
         local zivpn_status; if systemctl is-active --quiet zivpn.service; then zivpn_status="${C_STATUS_A}(Active)${C_RESET}"; else zivpn_status="${C_STATUS_I}(Inactive)${C_RESET}"; fi
         
-        local ssl_tunnel_text="SSL Tunnel (Port 444)"
         local ssl_tunnel_status="${C_STATUS_I}(Inactive)${C_RESET}"
         if systemctl is-active --quiet haproxy; then
-            local active_port
-            active_port=$(grep -oP 'bind \*:(\d+)' "$HAPROXY_CONFIG" 2>/dev/null | awk -F: '{print $2}')
-            if [[ -n "$active_port" ]]; then
-                ssl_tunnel_text="SSL Tunnel (Port $active_port)"
-            fi
             ssl_tunnel_status="${C_STATUS_A}(Active)${C_RESET}"
         fi
         
@@ -2639,13 +2531,13 @@ protocol_menu() {
         printf "     ${C_CHOICE}[ 2]${C_RESET} %-45s\n" "🗑️ Uninstall badvpn"
         printf "     ${C_CHOICE}[ 3]${C_RESET} %-45s %s\n" "🚀 Install udp-custom" "$udp_custom_status"
         printf "     ${C_CHOICE}[ 4]${C_RESET} %-45s\n" "🗑️ Uninstall udp-custom"
-        printf "     ${C_CHOICE}[ 5]${C_RESET} %-45s %s\n" "🔒 Install ${ssl_tunnel_text}" "$ssl_tunnel_status"
-        printf "     ${C_CHOICE}[ 6]${C_RESET} %-45s\n" "🗑️ Uninstall SSL Tunnel"
+        printf "     ${C_CHOICE}[ 5]${C_RESET} %-45s %s\n" "🔒 Install Multiplexed HAProxy (80/443)" "$ssl_tunnel_status"
+        printf "     ${C_CHOICE}[ 6]${C_RESET} %-45s\n" "🗑️ Uninstall HAProxy"
         printf "     ${C_CHOICE}[ 7]${C_RESET} %-45s %s\n" "📡 Install/View DNSTT (Port 53)" "$dnstt_status"
         printf "     ${C_CHOICE}[ 8]${C_RESET} %-45s\n" "🗑️ Uninstall DNSTT"
         printf "     ${C_CHOICE}[ 9]${C_RESET} %-45s %s\n" "🦅 Install Falcon Proxy (Select Version)" "$falconproxy_status"
         printf "     ${C_CHOICE}[10]${C_RESET} %-45s\n" "🗑️ Uninstall Falcon Proxy"
-        printf "     ${C_CHOICE}[11]${C_RESET} %-45s %s\n" "🌐 Install/Manage Nginx Proxy (80/443)" "$nginx_status"
+        printf "     ${C_CHOICE}[11]${C_RESET} %-45s %s\n" "🌐 Install/Manage Internal Nginx" "$nginx_status"
         printf "     ${C_CHOICE}[16]${C_RESET} %-45s %s\n" "🛡️ Install ZiVPN (UDP 5667)" "$zivpn_status"
         printf "     ${C_CHOICE}[17]${C_RESET} %-45s\n" "🗑️ Uninstall ZiVPN"
         
@@ -2992,7 +2884,7 @@ generate_client_config() {
         local managed_domain=$(grep 'FULL_DOMAIN' "$DNS_INFO_FILE" | cut -d'"' -f2)
         if [[ -n "$managed_domain" ]]; then host_domain="$managed_domain"; fi
     fi
-    # Also check if Nginx Certbot is used
+    # Also check if HAProxy Certbot is used
     if [ -f "$NGINX_CONFIG_FILE" ]; then
         local nginx_domain=$(grep -oP 'server_name \K[^\s;]+' "$NGINX_CONFIG_FILE" | head -n 1)
         if [[ "$nginx_domain" != "_" && -n "$nginx_domain" ]]; then host_domain="$nginx_domain"; fi
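Review bot: The renamed comment now says HAProxy, but the code under it still derives `host_domain` from `server_name` in `$NGINX_CONFIG_FILE`, which `request_certbot_ssl` no longer rewrites (the `sed` on `server_name` was removed in this commit), so after a Let's Encrypt request the client config keeps the bare host instead of the certificate's domain. Either persist the domain when the certificate is requested (a line in a file under `$SSL_CERT_DIR`; name it as the project prefers) and read it here, or take it from the PEM HAProxy serves, e.g. `openssl x509 -noout -subject -in "$SSL_CERT_FILE"`. `generate_client_config` starts before this hunk.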
@@ -3014,30 +2906,11 @@ generate_client_config() {
     echo -e "   • Port: 22"
     echo -e "   • payload: (Standard SSH)"
 
-    # 2. SSL/TLS Tunnel (HAProxy or Nginx)
-    local ssl_port=""
-    local ssl_type=""
-    
-    # Check HAProxy
+    # 2. SSL/TLS Tunnel (HAProxy Multiplexed)
     if systemctl is-active --quiet haproxy; then
-        local haproxy_port=$(grep -oP 'bind \*:(\d+)' "$HAPROXY_CONFIG" 2>/dev/null | awk -F: '{print $2}')
-        if [[ -n "$haproxy_port" ]]; then ssl_port="$haproxy_port"; ssl_type="HAProxy"; fi
-    fi
-    # Check Nginx (Override if both exist, or show both)
-    if systemctl is-active --quiet nginx && [ -f "$NGINX_PORTS_FILE" ]; then
-         source "$NGINX_PORTS_FILE"
-         # Take the first TLS port
-         local nginx_ssl_port=$(echo "$TLS_PORTS" | awk '{print $1}')
-         if [[ -n "$nginx_ssl_port" ]]; then 
-            if [[ -n "$ssl_port" ]]; then ssl_port="$ssl_port, $nginx_ssl_port"; else ssl_port="$nginx_ssl_port"; fi
-            ssl_type="Nginx/TLS"
-         fi
-    fi
-    
-    if [[ -n "$ssl_port" ]]; then
-        echo -e "\n🔹 ${C_BOLD}SSL/TLS Tunnel ($ssl_type)${C_RESET}:"
+        echo -e "\n🔹 ${C_BOLD}SSL/TLS Tunnel (Multiplexed HAProxy)${C_RESET}:"
         echo -e "   • Host: $host_domain"
-        echo -e "   • Port(s): $ssl_port"
+        echo -e "   • Port(s): 80 (HTTP/SSH), 443 (TLS/SSH)"
         echo -e "   • SNI (BugHost): $host_domain (or your preferred SNI)"
     fi