v2.5.0: add shared 443 and per-user traffic

lib/common.sh

@@ -493,18 +493,25 @@ goTelegram Pro detected that 3x-ui/Xray already owns TCP/443. Two independent
 processes cannot bind the same IP:port at the same time. A safe shared setup
 needs one front TLS/SNI dispatcher on 443 and internal backends, for example:
 
-- dispatcher: 0.0.0.0:443
+- dispatcher: 0.0.0.0:443 (nginx stream ssl_preread)
 - goTelegram Pro telemt: 127.0.0.1:7443
 - 3x-ui/Xray inbound: 127.0.0.1:9443
 - goTelegram Pro nginx mask site: 127.0.0.1:8443
 
-The dispatcher must route Xray SNI domains to Xray and route the goTelegram Pro
-SNI domain to telemt. If Xray and goTelegram Pro use the same SNI domain, automatic
-sharing is not reliable: the first TLS ClientHello is intentionally identical.
+The dispatcher routes Xray SNI domains to Xray. Everything else goes to telemt;
+telemt then decides whether the session is MTProxy or regular HTTPS and forwards
+the website to nginx through dns_overrides.
 
-goTelegram Pro intentionally does not rewrite the 3x-ui SQLite database or generated
-Xray config without explicit operator confirmation, because 3x-ui can overwrite
-manual JSON edits on the next panel change.
+goTelegram Pro can generate the dispatcher with:
+
+    source /opt/gotelegram/lib/shared443.sh
+    shared443_enable <gotelegram-domain> <xray-sni-domain> 127.0.0.1:9443
+
+Move the 3x-ui/Xray inbound from 0.0.0.0:443 to 127.0.0.1:9443 in the panel first,
+or nginx will not be able to own the public 443 socket. goTelegram Pro intentionally
+does not rewrite the 3x-ui SQLite database or generated Xray config without explicit
+operator confirmation, because 3x-ui can overwrite manual JSON edits on the next
+panel change.
 EOF
     return 0
 }