add support for multi-target docker image(oci) proxy

2026-02-03 08:11:11 +08:00 · 2025-05-21 09:03:00 +08:00 · 2025-05-21 09:03:00 +08:00 · 11099176bf
commit 11099176bf
parent 5ddbf1d2a0
7 changed files with 633 additions and 63 deletions
--- a/proxy/docker.go
+++ b/proxy/docker.go
@ -2,39 +2,132 @@ package proxy

 import (
 	"context"
+	"encoding/json"
 	"fmt"
+
 	"ghproxy/config"
+	"ghproxy/weakcache"
+	"io"
 	"net/http"
 	"strconv"
+	"strings"

 	"github.com/WJQSERVER-STUDIO/go-utils/limitreader"
 	"github.com/cloudwego/hertz/pkg/app"
 )

+var (
+	dockerhubTarget = "registry-1.docker.io"
+	ghcrTarget      = "ghcr.io"
+)
+
+var cache *weakcache.Cache[string]
+
+type imageInfo struct {
+	User  string
+	Repo  string
+	Image string
+}
+
+func InitWeakCache() *weakcache.Cache[string] {
+	cache = weakcache.NewCache[string](weakcache.DefaultExpiration, 100)
+	return cache
+}
+
+/*
 func GhcrRouting(cfg *config.Config) app.HandlerFunc {
 	return func(ctx context.Context, c *app.RequestContext) {
-		if cfg.Docker.Enabled {
+
+		charToFind := '.'
+		reqTarget := c.Param("target")
+		path := ""
+		target := ""
+
+		if strings.ContainsRune(reqTarget, charToFind) {
+
+			path = c.Param("filepath")
+			if reqTarget == "docker.io" {
+				target = dockerhubTarget
+			} else if reqTarget == "ghcr.io" {
+				target = ghcrTarget
+			} else {
+				target = reqTarget
+			}
+		} else {
+			path = string(c.Request.RequestURI())
+		}
+
+		GhcrToTarget(ctx, c, cfg, target, path, nil)
+
+	}
+}
+*/
+
+func GhcrWithImageRouting(cfg *config.Config) app.HandlerFunc {
+	return func(ctx context.Context, c *app.RequestContext) {
+
+		charToFind := '.'
+		reqTarget := c.Param("target")
+		reqImageUser := c.Param("user")
+		reqImageName := c.Param("repo")
+		reqFilePath := c.Param("filepath")
+
+		path := fmt.Sprintf("%s/%s/%s", reqImageUser, reqImageName, reqFilePath)
+		target := ""
+
+		if strings.ContainsRune(reqTarget, charToFind) {
+
+			if reqTarget == "docker.io" {
+				target = dockerhubTarget
+			} else if reqTarget == "ghcr.io" {
+				target = ghcrTarget
+			} else {
+				target = reqTarget
+			}
+		} else {
+			path = string(c.Request.RequestURI())
+			reqImageUser = c.Param("target")
+			reqImageName = c.Param("user")
+		}
+		image := &imageInfo{
+			User:  reqImageUser,
+			Repo:  reqImageName,
+			Image: fmt.Sprintf("%s/%s", reqImageUser, reqImageName),
+		}
+
+		GhcrToTarget(ctx, c, cfg, target, path, image)
+
+	}
+
+}
+
+func GhcrToTarget(ctx context.Context, c *app.RequestContext, cfg *config.Config, target string, path string, image *imageInfo) {
+	if cfg.Docker.Enabled {
+		if target != "" {
+			GhcrRequest(ctx, c, "https://"+target+"/v2/"+path+string(c.Request.QueryString()), image, cfg, target)
+
+		} else {
 			if cfg.Docker.Target == "ghcr" {
-				GhcrRequest(ctx, c, "https://ghcr.io"+string(c.Request.RequestURI()), cfg, "ghcr")
+				GhcrRequest(ctx, c, "https://"+ghcrTarget+string(c.Request.RequestURI()), image, cfg, ghcrTarget)
 			} else if cfg.Docker.Target == "dockerhub" {
-				GhcrRequest(ctx, c, "https://registry-1.docker.io"+string(c.Request.RequestURI()), cfg, "dockerhub")
+				GhcrRequest(ctx, c, "https://"+dockerhubTarget+string(c.Request.RequestURI()), image, cfg, dockerhubTarget)
 			} else if cfg.Docker.Target != "" {
 				// 自定义taget
-				GhcrRequest(ctx, c, "https://"+cfg.Docker.Target+string(c.Request.RequestURI()), cfg, "custom")
+				GhcrRequest(ctx, c, "https://"+cfg.Docker.Target+string(c.Request.RequestURI()), image, cfg, cfg.Docker.Target)
 			} else {
 				// 配置为空
 				ErrorPage(c, NewErrorWithStatusLookup(403, "Docker Target is not set"))
 				return
 			}
-
-		} else {
-			ErrorPage(c, NewErrorWithStatusLookup(403, "Docker is not Allowed"))
-			return
 		}
+
+	} else {
+		ErrorPage(c, NewErrorWithStatusLookup(403, "Docker is not Allowed"))
+		return
 	}
 }

-func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, cfg *config.Config, matcher string) {
+func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, image *imageInfo, cfg *config.Config, target string) {

 	var (
 		method []byte
@ -55,12 +148,11 @@ func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, cfg *conf

 	method = c.Request.Method()

-	rb := client.NewRequestBuilder(string(method), u)
+	rb := ghcrclient.NewRequestBuilder(string(method), u)
 	rb.NoDefaultHeaders()
 	rb.SetBody(c.Request.BodyStream())
 	rb.WithContext(ctx)

-	//req, err = client.NewRequest(string(method), u, c.Request.BodyStream())
 	req, err = rb.Build()
 	if err != nil {
 		HandleError(c, fmt.Sprintf("Failed to create request: %v", err))
@ -73,14 +165,62 @@ func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, cfg *conf
 		req.Header.Add(headerKey, headerValue)
 	})

-	resp, err = client.Do(req)
+	req.Header.Set("Host", target)
+	token, exist := cache.Get(image.Image)
+	if exist {
+		logDebug("Use Cache Token: %s", token)
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
+
+	resp, err = ghcrclient.Do(req)
 	if err != nil {
 		HandleError(c, fmt.Sprintf("Failed to send request: %v", err))
 		return
 	}

-	// 错误处理(404)
-	if resp.StatusCode == 404 {
+	// 处理状态码
+	if resp.StatusCode == 401 {
+		// 请求target /v2/路径
+		if string(c.Request.URI().Path()) != "/v2/" {
+			resp.Body.Close()
+			token := ChallengeReq(target, image, ctx, c)
+
+			// 更新kv
+			if token != "" {
+				logDump("Update Cache Token: %s", token)
+				cache.Put(image.Image, token)
+			}
+
+			rb := ghcrclient.NewRequestBuilder(string(method), u)
+			rb.NoDefaultHeaders()
+			rb.SetBody(c.Request.BodyStream())
+			rb.WithContext(ctx)
+
+			req, err = rb.Build()
+			if err != nil {
+				HandleError(c, fmt.Sprintf("Failed to create request: %v", err))
+				return
+			}
+
+			c.Request.Header.VisitAll(func(key, value []byte) {
+				headerKey := string(key)
+				headerValue := string(value)
+				req.Header.Add(headerKey, headerValue)
+			})
+
+			req.Header.Set("Host", target)
+			if token != "" {
+				req.Header.Set("Authorization", "Bearer "+token)
+			}
+
+			resp, err = ghcrclient.Do(req)
+			if err != nil {
+				HandleError(c, fmt.Sprintf("Failed to send request: %v", err))
+				return
+			}
+		}
+
+	} else if resp.StatusCode == 404 { // 错误处理(404)
 		ErrorPage(c, NewErrorWithStatusLookup(404, "Page Not Found (From Github)"))
 		return
 	}
@ -101,8 +241,7 @@ func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, cfg *conf
 			bodySize = -1
 		}
 		if err == nil && bodySize > sizelimit {
-			var finalURL string
-			finalURL = resp.Request.URL.String()
+			finalURL := resp.Request.URL.String()
 			err = resp.Body.Close()
 			if err != nil {
 				logError("Failed to close response body: %v", err)
@ -116,7 +255,6 @@ func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, cfg *conf
 	// 复制响应头，排除需要移除的 header
 	for key, values := range resp.Header {
 		for _, value := range values {
-			//c.Header(key, value)
 			c.Response.Header.Add(key, value)
 		}
 	}
@ -136,3 +274,78 @@ func GhcrRequest(ctx context.Context, c *app.RequestContext, u string, cfg *conf
 	c.SetBodyStream(bodyReader, -1)

 }
+
+type AuthToken struct {
+	Token string `json:"token"`
+}
+
+func ChallengeReq(target string, image *imageInfo, ctx context.Context, c *app.RequestContext) (token string) {
+	var resp401 *http.Response
+	var req401 *http.Request
+	var err error
+
+	rb401 := ghcrclient.NewRequestBuilder("GET", "https://"+target+"/v2/")
+	rb401.NoDefaultHeaders()
+	rb401.WithContext(ctx)
+	rb401.AddHeader("User-Agent", "docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/6.12.25-amd64 os/linux arch/amd64 UpstreamClient(Docker-Client/28.1.1 ")
+	req401, err = rb401.Build()
+	if err != nil {
+		HandleError(c, fmt.Sprintf("Failed to create request: %v", err))
+		return
+	}
+	req401.Header.Set("Host", target)
+
+	resp401, err = ghcrclient.Do(req401)
+	if err != nil {
+		HandleError(c, fmt.Sprintf("Failed to send request: %v", err))
+		return
+	}
+	defer resp401.Body.Close()
+	bearer, err := parseBearerWWWAuthenticateHeader(resp401.Header.Get("Www-Authenticate"))
+	if err != nil {
+		logError("Failed to parse Www-Authenticate header: %v", err)
+		return
+	}
+
+	scope := fmt.Sprintf("repository:%s:pull", image.Image)
+
+	getAuthRB := ghcrclient.NewRequestBuilder("GET", bearer.Realm).
+		NoDefaultHeaders().
+		WithContext(ctx).
+		AddHeader("User-Agent", "docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/6.12.25-amd64 os/linux arch/amd64 UpstreamClient(Docker-Client/28.1.1 ").
+		SetHeader("Host", bearer.Service).
+		AddQueryParam("service", bearer.Service).
+		AddQueryParam("scope", scope)
+
+	getAuthReq, err := getAuthRB.Build()
+	if err != nil {
+		logError("Failed to create request: %v", err)
+		return
+	}
+
+	authResp, err := ghcrclient.Do(getAuthReq)
+	if err != nil {
+		logError("Failed to send request: %v", err)
+		return
+	}
+
+	defer authResp.Body.Close()
+
+	bodyBytes, err := io.ReadAll(authResp.Body)
+	if err != nil {
+		logError("Failed to read auth response body: %v", err)
+		return
+	}
+
+	// 解码json
+	var authToken AuthToken
+	err = json.Unmarshal(bodyBytes, &authToken)
+	if err != nil {
+		logError("Failed to decode auth response body: %v", err)
+		return
+	}
+	token = authToken.Token
+
+	return token
+
+}