25w30c

2026-02-03 00:01:10 +08:00 · 2025-04-21 18:52:45 +08:00 · 2025-04-21 18:52:45 +08:00 · d79aeaaacd
commit d79aeaaacd
parent 558d3fbb0b
10 changed files with 214 additions and 215 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,12 @@
 # 更新日志
 25w30c - 2025-04-21
 ---
 - PRE-RELEASE: 此版本是v3.1.0预发布版本,请勿在生产环境中使用;
 - CHANGE: 改进handle, 复用共同部分
 - CHANGE: 细化url匹配的返回码处理
 - CHANGE: 增加404界面
 25w30b - 2025-04-21
 ---
 - PRE-RELEASE: 此版本是v3.1.0预发布版本,请勿在生产环境中使用;
--- a/2
+++ b/2
@ -1 +1 @@
-25w30b
+25w30c
--- a/auth/auth.go
+++ b/auth/auth.go
@ -1,7 +1,6 @@
 package auth
 import (
 	"context"
 	"fmt"
 	"ghproxy/config"
@ -36,7 +35,7 @@ func Init(cfg *config.Config) {
 	logDebug("Auth Init")
 }
-func AuthHandler(ctx context.Context, c *app.RequestContext, cfg *config.Config) (isValid bool, err error) {
+func AuthHandler(c *app.RequestContext, cfg *config.Config) (isValid bool, err error) {
 	if cfg.Auth.Method == "parameters" {
 		isValid, err = AuthParametersHandler(c, cfg)
 		return isValid, err
--- a/main.go
+++ b/main.go
@ -210,6 +210,12 @@ func loadEmbeddedPages(cfg *config.Config) (fs.FS, fs.FS, error) {
 		return nil, nil, fmt.Errorf("failed to load embedded pages: %w", err)
 	}
 	// 初始化errPagesFs
 	errPagesInitErr := proxy.InitErrPagesFS(pagesFS)
 	if errPagesInitErr != nil {
 		logWarning("errPagesInitErr: %s", errPagesInitErr)
 	}
 	var assets fs.FS
 	assets, err = fs.Sub(pagesFS, "pages/assets")
 	return pages, assets, nil
--- a/proxy/chunkreq.go
+++ b/proxy/chunkreq.go
@ -38,14 +38,12 @@ func ChunkedProxyRequest(ctx context.Context, c *app.RequestContext, u string, c
 	var (
 		method []byte
-		//bodyReader *bytes.Buffer
+		req    *http.Request
-		req  *http.Request
+		resp   *http.Response
-		resp *http.Response
+		err    error
 		err  error
 	)
 	method = c.Request.Method()
 	//bodyReader = bytes.NewBuffer(c.Request.Body())
 	req, err = client.NewRequest(string(method), u, c.Request.BodyStream())
 	if err != nil {
--- a/proxy/gitreq.go
+++ b/proxy/gitreq.go
@ -27,14 +27,8 @@ func GitReq(ctx context.Context, c *app.RequestContext, u string, cfg *config.Co
 	var (
 		resp *http.Response
 		//err  error
 	)
 	//body := c.Request.Body()
 	//bodyReader := bytes.NewBuffer(body)
 	// 创建请求
 	if cfg.GitClone.Mode == "cache" {
 		req, err := gitclient.NewRequest(method, u, c.Request.BodyStream())
 		if err != nil {
--- a/proxy/handler.go
+++ b/proxy/handler.go
@ -3,8 +3,6 @@ package proxy
 import (
 	"context"
 	"errors"
 	"fmt"
 	"ghproxy/auth"
 	"ghproxy/config"
 	"ghproxy/rate"
 	"net/http"
@ -19,43 +17,22 @@ var re = regexp.MustCompile(`^(http:|https:)?/?/?(.*)`) // 匹配http://或https
 func NoRouteHandler(cfg *config.Config, limiter *rate.RateLimiter, iplimiter *rate.IPRateLimiter) app.HandlerFunc {
 	return func(ctx context.Context, c *app.RequestContext) {
-		// 限制访问频率
+		rateCheck(cfg, c, limiter, iplimiter)
 		if cfg.RateLimit.Enabled {
 			var allowed bool
 			switch cfg.RateLimit.RateMethod {
 			case "ip":
 				allowed = iplimiter.Allow(c.ClientIP())
 			case "total":
 				allowed = limiter.Allow()
 			default:
 				logWarning("Invalid RateLimit Method")
 				return
 			}
 			if !allowed {
 				c.JSON(http.StatusTooManyRequests, map[string]string{"error": "Too Many Requests"})
 				logWarning("%s %s %s %s %s 429-TooManyRequests", c.ClientIP(), c.Method(), c.Request.RequestURI(), c.Request.Header.UserAgent(), c.Request.Header.GetProtocol())
 				return
 			}
 		}
 		var (
 			rawPath string
 			matches []string
 			errMsg  string
 		)
 		rawPath = strings.TrimPrefix(string(c.Request.RequestURI()), "/") // 去掉前缀/
 		matches = re.FindStringSubmatch(rawPath)                          // 匹配路径
-		logInfo("URL: %v", matches)
+		logDebug("URL: %v", matches)
 		// 匹配路径错误处理
 		if len(matches) < 3 {
-			errMsg = fmt.Sprintf("%s %s %s %s %s Invalid URL", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol())
+			logWarning("%s %s %s %s %s Invalid URL", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol())
-			logWarning(errMsg)
+			//c.String(http.StatusForbidden, "Invalid URL Format. Path: %s", rawPath)
-			c.String(http.StatusForbidden, "Invalid URL Format. Path: %s", rawPath)
+			c.JSON(http.StatusForbidden, map[string]string{"error": "Invalid URL Format"})
 			return
 		}
@ -72,68 +49,35 @@ func NoRouteHandler(cfg *config.Config, limiter *rate.RateLimiter, iplimiter *ra
 		user, repo, matcher, err = Matcher(rawPath, cfg)
 		if err != nil {
 			if errors.Is(err, ErrInvalidURL) {
-				c.String(http.StatusForbidden, "Invalid URL Format. Path: %s", rawPath)
+				c.JSON(ErrInvalidURL.Code, map[string]string{"error": "Invalid URL Format, Path: " + rawPath})
 				logWarning(err.Error())
 				return
 			}
 			if errors.Is(err, ErrAuthHeaderUnavailable) {
-				c.String(http.StatusForbidden, "AuthHeader Unavailable")
+				c.JSON(ErrAuthHeaderUnavailable.Code, map[string]string{"error": "AuthHeader Unavailable"})
 				logWarning(err.Error())
 				return
 			}
 			if errors.Is(err, ErrNotFound) {
 				//c.JSON(ErrNotFound.Code, map[string]string{"error": "Not Found"})
 				NotFoundPage(c)
 				logWarning(err.Error())
 				return
 			}
 		}
 		logInfo("%s %s %s %s %s Matched-Username: %s, Matched-Repo: %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
-		// dump log 记录详细信息 c.ClientIP(), c.Method(), rawPath,c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), full Header
+		logDump("%s", c.Request.Header.Header())
 		logDump("%s %s %s %s %s %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), c.Request.Header.Header())
 		var repouser string
 		repouser = fmt.Sprintf("%s/%s", user, repo)
-		// 白名单检查
+		listCheck(cfg, c, user, repo, rawPath)
-		if cfg.Whitelist.Enabled {
+		authCheck(c, cfg, matcher, rawPath)
 			var whitelist bool
 			whitelist = auth.CheckWhitelist(user, repo)
 			if !whitelist {
 				errMsg = fmt.Sprintf("Whitelist Blocked repo: %s", repouser)
 				c.JSON(http.StatusForbidden, map[string]string{"error": errMsg})
 				logWarning("%s %s %s %s %s Whitelist Blocked repo: %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), repouser)
 				return
 			}
 		}
 		// 黑名单检查
 		if cfg.Blacklist.Enabled {
 			var blacklist bool
 			blacklist = auth.CheckBlacklist(user, repo)
 			if blacklist {
 				errMsg = fmt.Sprintf("Blacklist Blocked repo: %s", repouser)
 				c.JSON(http.StatusForbidden, map[string]string{"error": errMsg})
 				logWarning("%s %s %s %s %s Blacklist Blocked repo: %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), repouser)
 				return
 			}
 		}
 		// 若匹配api.github.com/repos/用户名/仓库名/路径, 则检查是否开启HeaderAuth
 		// 处理blob/raw路径
 		if matcher == "blob" {
 			rawPath = strings.Replace(rawPath, "/blob/", "/raw/", 1)
 		}
-		// 鉴权
+		logDebug("Matched: %v", matcher)
 		if cfg.Auth.Enabled {
 			var authcheck bool
 			authcheck, err = auth.AuthHandler(ctx, c, cfg)
 			if !authcheck {
 				//c.AbortWithStatusJSON(401, gin.H{"error": "Unauthorized"})
 				c.AbortWithStatusJSON(401, map[string]string{"error": "Unauthorized"})
 				logWarning("%s %s %s %s %s Auth-Error: %v", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), err)
 				return
 			}
 		}
 		// IP METHOD URL USERAGENT PROTO MATCHES
 		logDebug("%s %s %s %s %s Matched: %v", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), matcher)
 		switch matcher {
 		case "releases", "blob", "raw", "gist", "api":
@ -141,127 +85,8 @@ func NoRouteHandler(cfg *config.Config, limiter *rate.RateLimiter, iplimiter *ra
 		case "clone":
 			GitReq(ctx, c, rawPath, cfg, "git")
 		default:
-			c.String(http.StatusForbidden, "Invalid input.")
+			c.JSON(http.StatusForbidden, map[string]string{"error": "Invalid input."})
-			fmt.Println("Invalid input.")
+			logError("Invalid input")
 			return
 		}
 	}
 }
 func RoutingHandler(cfg *config.Config, limiter *rate.RateLimiter, iplimiter *rate.IPRateLimiter) app.HandlerFunc {
 	return func(ctx context.Context, c *app.RequestContext) {
 		// 输出所有传入参数
 		logDebug("Context Params(Matcher): %v", c.GetString("matcher"))
 		// 限制访问频率
 		if cfg.RateLimit.Enabled {
 			var allowed bool
 			switch cfg.RateLimit.RateMethod {
 			case "ip":
 				allowed = iplimiter.Allow(c.ClientIP())
 			case "total":
 				allowed = limiter.Allow()
 			default:
 				logWarning("Invalid RateLimit Method")
 				return
 			}
 			if !allowed {
 				c.JSON(http.StatusTooManyRequests, map[string]string{"error": "Too Many Requests"})
 				logWarning("%s %s %s %s %s 429-TooManyRequests", c.ClientIP(), c.Method(), c.Request.RequestURI(), c.Request.Header.UserAgent(), c.Request.Header.GetProtocol())
 				return
 			}
 		}
 		var (
 			rawPath string
 			errMsg  string
 		)
 		rawPath = strings.TrimPrefix(string(c.Request.RequestURI()), "/") // 去掉前缀/
 		var (
 			user    string
 			repo    string
 			matcher string
 			err     error
 		)
 		user = c.Param("user")
 		repo = c.Param("repo")
 		matcher = c.GetString("matcher")
 		logInfo("%s %s %s %s %s Matched-Username: %s, Matched-Repo: %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
 		// dump log 记录详细信息 c.ClientIP(), c.Method(), rawPath,c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), full Header
 		logDump("%s %s %s %s %s %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), c.Request.Header.Header())
 		// 白名单检查
 		if cfg.Whitelist.Enabled {
 			var whitelist bool
 			whitelist = auth.CheckWhitelist(user, repo)
 			if !whitelist {
 				errMsg = fmt.Sprintf("Whitelist Blocked repo: %s/%s", user, repo)
 				c.JSON(http.StatusForbidden, map[string]string{"error": errMsg})
 				logWarning("%s %s %s %s %s Whitelist Blocked repo: %s/%s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
 				return
 			}
 		}
 		// 黑名单检查
 		if cfg.Blacklist.Enabled {
 			var blacklist bool
 			blacklist = auth.CheckBlacklist(user, repo)
 			if blacklist {
 				errMsg = fmt.Sprintf("Blacklist Blocked repo: %s/%s", user, repo)
 				c.JSON(http.StatusForbidden, map[string]string{"error": errMsg})
 				logWarning("%s %s %s %s %s Blacklist Blocked repo: %s/%s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
 				return
 			}
 		}
 		if matcher == "api" && !cfg.Auth.ForceAllowApi {
 			if cfg.Auth.Method != "header" || !cfg.Auth.Enabled {
 				c.JSON(http.StatusForbidden, map[string]string{"error": "Github API Req without AuthHeader is Not Allowed"})
 				logWarning("%s %s %s %s %s AuthHeader Unavailable", c.ClientIP(), c.Method(), rawPath)
 				return
 			}
 		}
 		// 鉴权
 		if cfg.Auth.Enabled {
 			var authcheck bool
 			authcheck, err = auth.AuthHandler(ctx, c, cfg)
 			if !authcheck {
 				//c.AbortWithStatusJSON(401, gin.H{"error": "Unauthorized"})
 				c.AbortWithStatusJSON(401, map[string]string{"error": "Unauthorized"})
 				logWarning("%s %s %s %s %s Auth-Error: %v", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), err)
 				return
 			}
 		}
 		// 若匹配api.github.com/repos/用户名/仓库名/路径, 则检查是否开启HeaderAuth
 		// 处理blob/raw路径
 		if matcher == "blob" {
 			rawPath = strings.Replace(rawPath, "/blob/", "/raw/", 1)
 		}
 		// 为rawpath加入https:// 头
 		rawPath = "https://" + rawPath
 		// IP METHOD URL USERAGENT PROTO MATCHES
 		logDebug("%s %s %s %s %s Matched: %v", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), matcher)
 		switch matcher {
 		case "releases", "blob", "raw", "gist", "api":
 			ChunkedProxyRequest(ctx, c, rawPath, cfg, matcher)
 		case "clone":
 			GitReq(ctx, c, rawPath, cfg, "git")
 		default:
 			c.String(http.StatusForbidden, "Invalid input.")
 			fmt.Println("Invalid input.")
 			return
 		}
 	}
--- a/proxy/match.go
+++ b/proxy/match.go
@ -27,6 +27,10 @@ var (
 		Code: 403,
 		Msg:  "AuthHeader Unavailable",
 	}
 	ErrNotFound = &MatcherErrors{
 		Code: 404,
 		Msg:  "Not Found",
 	}
 )
 func (e *MatcherErrors) Error() string {
@ -122,7 +126,7 @@ func Matcher(rawPath string, cfg *config.Config) (string, string, string, error)
 		}
 		return user, repo, matcher, nil
 	}
-	return "", "", "", ErrInvalidURL
+	return "", "", "", ErrNotFound
 }
 func EditorMatcher(rawPath string, cfg *config.Config) (bool, string, error) {
@ -165,12 +169,6 @@ func EditorMatcher(rawPath string, cfg *config.Config) (bool, string, error) {
 // 匹配文件扩展名是sh的rawPath
 func MatcherShell(rawPath string) bool {
 	/*
 		if strings.HasSuffix(rawPath, ".sh") {
 			return true
 		}
 		return false
 	*/
 	return strings.HasSuffix(rawPath, ".sh")
 }
--- a/proxy/routing.go
+++ b/proxy/routing.go
@ -0,0 +1,62 @@
 package proxy
 import (
 	"context"
 	"ghproxy/config"
 	"ghproxy/rate"
 	"net/http"
 	"strings"
 	"github.com/cloudwego/hertz/pkg/app"
 )
 func RoutingHandler(cfg *config.Config, limiter *rate.RateLimiter, iplimiter *rate.IPRateLimiter) app.HandlerFunc {
 	return func(ctx context.Context, c *app.RequestContext) {
 		rateCheck(cfg, c, limiter, iplimiter)
 		var (
 			rawPath string
 		)
 		rawPath = strings.TrimPrefix(string(c.Request.RequestURI()), "/") // 去掉前缀/
 		var (
 			user    string
 			repo    string
 			matcher string
 		)
 		user = c.Param("user")
 		repo = c.Param("repo")
 		matcher = c.GetString("matcher")
 		logInfo("%s %s %s %s %s Matched-Username: %s, Matched-Repo: %s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
 		logDump("%s", c.Request.Header.Header())
 		listCheck(cfg, c, user, repo, rawPath)
 		authCheck(c, cfg, matcher, rawPath)
 		// 处理blob/raw路径
 		if matcher == "blob" {
 			rawPath = strings.Replace(rawPath, "/blob/", "/raw/", 1)
 		}
 		// 为rawpath加入https:// 头
 		rawPath = "https://" + rawPath
 		// IP METHOD URL USERAGENT PROTO MATCHES
 		logDebug("%s %s %s %s %s Matched: %v", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), matcher)
 		switch matcher {
 		case "releases", "blob", "raw", "gist", "api":
 			ChunkedProxyRequest(ctx, c, rawPath, cfg, matcher)
 		case "clone":
 			GitReq(ctx, c, rawPath, cfg, "git")
 		default:
 			c.JSON(http.StatusForbidden, map[string]string{"error": "Invalid input."})
 			logError("Invalid input")
 			return
 		}
 	}
 }
--- a/proxy/utils.go
+++ b/proxy/utils.go
@ -0,0 +1,110 @@
 package proxy
 import (
 	"fmt"
 	"ghproxy/auth"
 	"ghproxy/config"
 	"ghproxy/rate"
 	"io/fs"
 	"github.com/cloudwego/hertz/pkg/app"
 )
 func listCheck(cfg *config.Config, c *app.RequestContext, user string, repo string, rawPath string) {
 	var errMsg string
 	// 白名单检查
 	if cfg.Whitelist.Enabled {
 		var whitelist bool
 		whitelist = auth.CheckWhitelist(user, repo)
 		if !whitelist {
 			errMsg = fmt.Sprintf("Whitelist Blocked repo: %s/%s", user, repo)
 			c.JSON(403, map[string]string{"error": errMsg})
 			logWarning("%s %s %s %s %s Whitelist Blocked repo: %s/%s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
 			return
 		}
 	}
 	// 黑名单检查
 	if cfg.Blacklist.Enabled {
 		var blacklist bool
 		blacklist = auth.CheckBlacklist(user, repo)
 		if blacklist {
 			errMsg = fmt.Sprintf("Blacklist Blocked repo: %s/%s", user, repo)
 			c.JSON(403, map[string]string{"error": errMsg})
 			logWarning("%s %s %s %s %s Blacklist Blocked repo: %s/%s", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), user, repo)
 			return
 		}
 	}
 }
 // 鉴权
 func authCheck(c *app.RequestContext, cfg *config.Config, matcher string, rawPath string) {
 	var err error
 	if matcher == "api" && !cfg.Auth.ForceAllowApi {
 		if cfg.Auth.Method != "header" || !cfg.Auth.Enabled {
 			c.JSON(403, map[string]string{"error": "Github API Req without AuthHeader is Not Allowed"})
 			logWarning("%s %s %s %s %s AuthHeader Unavailable", c.ClientIP(), c.Method(), rawPath)
 			return
 		}
 	}
 	// 鉴权
 	if cfg.Auth.Enabled {
 		var authcheck bool
 		authcheck, err = auth.AuthHandler(c, cfg)
 		if !authcheck {
 			c.JSON(401, map[string]string{"error": "Unauthorized"})
 			logWarning("%s %s %s %s %s Auth-Error: %v", c.ClientIP(), c.Method(), rawPath, c.Request.Header.UserAgent(), c.Request.Header.GetProtocol(), err)
 			return
 		}
 	}
 }
 func rateCheck(cfg *config.Config, c *app.RequestContext, limiter *rate.RateLimiter, iplimiter *rate.IPRateLimiter) {
 	// 限制访问频率
 	if cfg.RateLimit.Enabled {
 		var allowed bool
 		switch cfg.RateLimit.RateMethod {
 		case "ip":
 			allowed = iplimiter.Allow(c.ClientIP())
 		case "total":
 			allowed = limiter.Allow()
 		default:
 			logWarning("Invalid RateLimit Method")
 			c.JSON(500, map[string]string{"error": "Invalid RateLimit Method"})
 			return
 		}
 		if !allowed {
 			c.JSON(429, map[string]string{"error": "Too Many Requests"})
 			logWarning("%s %s %s %s %s 429-TooManyRequests", c.ClientIP(), c.Method(), c.Request.RequestURI(), c.Request.Header.UserAgent(), c.Request.Header.GetProtocol())
 			return
 		}
 	}
 }
 var errPagesFs fs.FS
 func InitErrPagesFS(pages fs.FS) error {
 	var err error
 	errPagesFs, err = fs.Sub(pages, "pages/err")
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func NotFoundPage(c *app.RequestContext) {
 	pageData, err := fs.ReadFile(errPagesFs, "404.html")
 	if err != nil {
 		c.JSON(404, map[string]string{"error": "Not Found"})
 		logDebug("Error reading 404.html: %v", err)
 		return
 	}
 	c.Data(404, "text/html; charset=utf-8", pageData)
 	return
 }