Scaling Guide

How to Install a XUI.ONE Load Balancer - The Complete Setup

Everything you need to add a load balancer to an existing XUI.ONE main server, including the paramiko, MySQL remote access, and firewall fixes the installer leaves out.


What a XUI.ONE Load Balancer Actually Does

A XUI.ONE load balancer is a second server running the panel code in “load balancer” mode. It has no admin UI and no independent database. Instead, it connects back to the main server's MySQL, receives stream assignments from the admin, and serves HLS/TS/RTMP output to end users.

The pattern exists because a single server cannot handle both the admin PHP workload (resellers logging in, users authenticating, M3U playlists generating) AND the streaming bandwidth (gigabits of TS/HLS traffic). Splitting them across servers lets you scale streaming independently of admin traffic.

Architecture Overview

            [ End Users ]
                 |
                 v
     +------------------------+
     |   Load Balancer(s)     |  <-- serves HLS/TS/RTMP
     |   :8080 :25461         |
     +------------------------+
                 |
                 |   Paramiko (SSH) for sync
                 |   + remote MySQL :3306 for reads
                 v
     +------------------------+
     |     Main Server        |  <-- admin, DB, cron
     |   MySQL + admin UI     |
     +------------------------+

The LB talks to the main server in two ways:

  • MySQL on 3306 so the LB can read which streams, users, and permissions are current.
  • SSH + paramiko (Python 2) so the main server can push config changes, restart services, and run FFmpeg orchestration on the LB.

Before You Start

  • Main server: already running XUI.ONE (see the install guide).
  • LB server: a fresh Ubuntu 20.04 LTS VPS (20.04 is the safest LB OS - fewer compatibility issues than 22.04/24.04).
  • Network: both boxes on the public internet with a static public IPv4 each. Private networking is optional.
  • MySQL root password from the main server.
  • Root SSH access to both.
  • Bandwidth: the LB is only useful if its NIC and transit pipe are larger than your main server's. 10 Gbps uplink is typical for serious LBs.

1. Open MySQL on the Main Server for Remote Access

On the main server, configure MariaDB to accept connections from the LB's public IP:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Find and comment out bind-address:

#bind-address = 127.0.0.1

Grant remote privileges for the LB's IP (replace LB_PUBLIC_IP):

mysql -u root -p << EOF
GRANT ALL PRIVILEGES ON xui_one.* TO 'xui_user'@'LB_PUBLIC_IP' IDENTIFIED BY 'STRONG_PASSWORD_HERE';
FLUSH PRIVILEGES;
EOF
systemctl restart mariadb

Do not open MySQL to % (anywhere). That is a popular shortcut that leaks your database to the open internet. Lock it to the LB's specific IP and firewall everything else.

Open port 3306 in UFW only to the LB IP:

ufw allow from LB_PUBLIC_IP to any port 3306 proto tcp

Confirm the main server is listening on 0.0.0.0:3306:

ss -ltn | grep :3306
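
An added check, not part of the original guide or of the XUI.ONE installer: it flags the two exposures this step and the FAQ warn about, a database account with a % host and a 3306 firewall rule that is not limited to the LB address. The function names, the sample data and the 203.0.113.10 address are constructed; on a real main server, feed the functions from `mysql -N -B -e "SELECT user,host FROM mysql.user"` and from plain `ufw status`.

```shell
#!/bin/sh
# Added example: audit the remote-MySQL exposure set up in this step.
# All data and the 203.0.113.10 LB address are constructed samples.

# stdin: "user<TAB>host" rows, as printed by
#   mysql -N -B -e "SELECT user,host FROM mysql.user"
# stdout: every account whose host contains the % wildcard.
wildcard_accounts() {
  awk -F'\t' 'index($2, "%") { print $1 "@" $2 }'
}

# $1: the LB address. stdin: plain `ufw status` output.
# stdout: every ALLOW rule for port 3306 whose source is not exactly $1.
open_3306_rules() {
  awk -v lb="$1" '
    $1 ~ /^3306(\/tcp)?$/ {
      for (i = 2; i < NF; i++)
        if ($i == "ALLOW") {
          src = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)
          if (src != lb) print
          break
        }
    }'
}

sample_accounts() {   # constructed account list
  printf 'root\tlocalhost\nxui_user\t203.0.113.10\nxui_user\t%%\n'
}

sample_ufw() {        # constructed firewall state
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       203.0.113.10
3306/tcp                   ALLOW       Anywhere
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

echo "Accounts with a wildcard host:"
sample_accounts | wildcard_accounts
echo "3306 rules not limited to the LB:"
sample_ufw | open_3306_rules 203.0.113.10
```

Empty output from both functions means the database is reachable only from the LB address, which is the state this step is meant to leave behind.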

2. Prepare the LB Server

On the LB server, run a clean base install:

sudo -i
apt-get update
apt-get upgrade -y
apt-get install -y nano wget curl unzip sudo ca-certificates software-properties-common ufw
hostnamectl set-hostname lb1.yourdomain.tld
echo "127.0.0.1 lb1.yourdomain.tld" >> /etc/hosts

Test the MySQL connection from the LB to the main server before doing anything else - it is the most common point of failure:

apt-get install -y mariadb-client
mysql -h MAIN_SERVER_IP -u xui_user -p xui_one -e "SELECT 1;"

If this fails, fix it now. The XUI.ONE LB installer will fail in confusing ways otherwise.

File descriptor limits (same as main):

echo '* soft nofile 655350
* hard nofile 655350' >> /etc/security/limits.conf
sed -i 's/^#DefaultLimitNOFILE.*/DefaultLimitNOFILE=655350/' /etc/systemd/system.conf
systemctl daemon-reexec

Install paramiko for Python 2 (the main server will SSH into this box via paramiko):

add-apt-repository -y ppa:deadsnakes/ppa || true
apt-get install -y python2
ln -sf /usr/bin/python2 /usr/bin/python
curl -sSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o /tmp/get-pip.py
python2 /tmp/get-pip.py
python2 -m pip install "paramiko<2.9"

3. Run the XUI.ONE LB Installer

Still on the LB, fetch and run the installer but pick load_balancer at the prompt:

cd /tmp
wget -O install.sh "https://xtream-masters.com/guide/resources.php?file=xui-one/install.sh"
chmod +x install.sh
bash install.sh

At the prompts:

  1. Installation type: load_balancer
  2. MySQL host: the main server's public IP (or private IP if both boxes are on the same internal network)
  3. MySQL password: the XUI.ONE DB user password
  4. Server name: give it something descriptive (e.g., lb1-london)
  5. Server IP: the LB's own public IP
  6. Client port: match the main server's client port (usually 2086 or 25461)

The installer downloads the same content bundle as the main server (sans admin UI) and starts Nginx, PHP-FPM, and the stream workers.

4. Register the LB in the Admin Panel

Go to the main server's admin UI → Management → Streaming Servers → Add Server. Fill in:

  • Server name: matches what you typed during install.
  • IP address: LB's public IP.
  • SSH port: 22.
  • SSH user: root.
  • SSH password: the LB's root password (or drop an SSH key in /root/.ssh/authorized_keys on the LB).
  • Total bandwidth: the LB's uplink in Gbps.
  • Enabled for: tick the stream types this LB should serve (Live, VOD, HLS, RTMP).

Save. The admin will run an SSH check via paramiko. If it succeeds you will see online next to the server name.

Prefer SSH keys to passwords. On the main server run ssh-keygen -t ed25519 -N '' -f /root/.ssh/xui_lb, then ssh-copy-id -i /root/.ssh/xui_lb.pub root@LB_IP. Paste the private key content into the panel's SSH field and your sync is password-less.

5. Route Streams to the LB and Test

In the admin go to Management → Streams → edit a test stream → Streaming servers. Add the new LB to the list. Save. The main server will push the FFmpeg command to the LB via paramiko.

On the LB, verify FFmpeg is running the stream:

ps auxf | grep ffmpeg | head

Test that the stream is reachable directly on the LB:

curl -I http://LB_IP:2086/live/USER/PASS/STREAM_ID.ts

You should get a 200 OK with a TS content type.

If your panel is using a DNS hostname (e.g. cdn.mypanel.tv) that load-balances across multiple LBs, add an A record for each LB IP and rely on DNS round-robin. For serious setups, use a front door like HAProxy or a managed CDN.

Troubleshooting

LB shows “offline” in the main panel

In 90 percent of cases: paramiko cannot SSH to the LB. On the main server run:

python2 -c "import paramiko; c=paramiko.SSHClient(); c.set_missing_host_key_policy(paramiko.AutoAddPolicy()); c.connect('LB_IP', username='root', password='PASS'); print(c.exec_command('hostname')[1].read())"

If this fails, the issue is on the LB (root SSH disabled, wrong password, UFW blocking port 22 from the main server).

“Permission denied (publickey)”

The LB has PermitRootLogin prohibit-password set. Open /etc/ssh/sshd_config, change to PermitRootLogin yes, then systemctl restart sshd. Or add the main server's SSH key to the LB's /root/.ssh/authorized_keys.

Streams run on LB but show offline on main panel

MySQL sync between LB and main is broken. Check the LB can reach MySQL:

mysql -h MAIN_IP -u xui_user -p xui_one -e "SELECT id FROM streams LIMIT 1;"

If this times out, open 3306 from LB IP on the main's firewall.

LB runs 100 percent CPU with one stream

Transcoding profile is wrong. The LB is re-encoding when the main server intended a copy. In the stream settings set Transcoding Profile to Copy for live TV.

“paramiko.ssh_exception.SSHException: Server '…' not found in known_hosts”

Xtream UI forks sometimes write a strict host policy. Force auto-add:

echo "StrictHostKeyChecking no" >> /root/.ssh/config
chmod 600 /root/.ssh/config

Scaling Limits of XUI.ONE Load Balancers

A XUI.ONE LB handles 500-1500 concurrent HLS users per 10 Gbps of NIC, depending on bitrate. It does not:

  • Share anything between LBs. Each LB runs its own FFmpeg workers. Restreaming the same channel on four LBs costs four times the source bandwidth.
  • Have automatic failover. If a LB dies, streams assigned to it go offline. You must manually re-assign or use external DNS health checks.
  • Support DRM. There is no Widevine key pipeline on the LB path.
  • Protect itself from DDoS. The LB's Nginx and PHP-FPM will fold under any serious Layer 7 attack. You need Cloudflare or a dedicated scrubber in front.

For small setups (1-3 LBs, < 2000 total users) XUI.ONE's LB feature is workable. For anything larger, you run into the above limits hard.

Done. Your XUI.ONE load balancer is installed, authorized, and serving streams. Next step is monitoring - set up at least one Prometheus node_exporter on each LB to watch CPU, NIC, and connection count.

Unlimited Load Balancers, Single License

XUI.ONE allows you to add load balancers, but the commercial tier charges per LB and the free tier caps the count. More importantly, XUI.ONE LBs do not share stream state - every LB transcodes independently, multiplying your upstream bandwidth bill.

The Xtream-Masters OTT Panel includes unlimited load balancers in the €39.99/month license. LBs share stream state via a coordinator, so one source pull feeds the entire cluster. DRM is available on every LB. DDoS protection is built into each node.


What XUI.ONE LBs Cannot Do

The gaps XUI.ONE's LB architecture hits at scale, and how Xtream-Masters closes each one.

Shared Stream State

One source pull feeds the whole cluster - you do not multiply upstream bandwidth per LB.

  • Source-once fan-out
  • Cluster coordinator
  • Cost efficient

DDoS on Every Node

Playlist probe blocker, Layer 7 filter, and GeoIP rules on each LB, not just the main.

  • Layer 7 on LBs
  • Probe blocker
  • GeoIP rules

Five-Minute LB Install

One installer command, no MySQL remote access to configure, no paramiko to debug. Done.

  • Single command
  • No manual MySQL
  • Auto registration

XUI.ONE Load Balancer FAQ

Answers to the load-balancer questions operators send us weekly.

01

Does the LB need the same Ubuntu version as the main server?

Strongly recommended. Mixing Ubuntu 20.04 main with 22.04 LB works but the paramiko/OpenSSL compat patches differ. Stay on 20.04 for both unless you have a reason.

02

How many LBs can one XUI.ONE main server handle?

Practically 8-12. The bottleneck is the paramiko sync loop - above a dozen LBs the main server spends most of its CPU just checking LB health. Xtream-Masters uses a push-based cluster coordinator instead and scales to hundreds.

03

Can the LB be in a different data center?

Yes - geographic LBs are a common pattern. MySQL latency matters: aim for < 50 ms between LB and main for healthy operation. Over 150 ms you will see sync delays.

04

Do I need to open MySQL to the internet?

Only to the LB's specific IP, via UFW. Never to 0.0.0.0. If you have a private network or VPN between main and LB, put MySQL on that and do not expose 3306 publicly at all.

05

Does traffic route automatically to the nearest LB?

Not by default in XUI.ONE. You use DNS round-robin, GeoDNS, or a front-door service. Xtream-Masters can do geo-aware LB selection at the stream URL level without external services.

06

Do I have to use port 8080 / 2086?

No. Many operators change the client port to 25461 or 80/443 for better compatibility with strict firewalls. Whatever you pick, it must match between main and LB.
