fix(proxy): bind subscription-server to 127.0.0.1 only, add temp file cleanup, graceful shutdown, improve key gen error handling

Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/283b1454-583c-4cf7-8df8-444f15863b52

Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-04-04 07:18:03 +00:00 committed by GitHub
parent 6356c9afac
commit e2669f05b0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 32 additions and 3 deletions

View File

@ -560,9 +560,21 @@ const server = http.createServer((req, res) => {
res.end('Not Found'); res.end('Not Found');
}); });
server.listen(PORT, '0.0.0.0', () => { server.listen(PORT, '127.0.0.1', () => {
console.log(`🌐 铸渊专线订阅服务已启动: http://0.0.0.0:${PORT}`); console.log(`🌐 铸渊专线订阅服务已启动: http://127.0.0.1:${PORT}`);
console.log(` 订阅端点: /sub/{token}`); console.log(` 订阅端点: /sub/{token}`);
console.log(` 配额查询: /quota`); console.log(` 配额查询: /quota`);
console.log(` 健康检查: /health`); console.log(` 健康检查: /health`);
}); });
// Graceful shutdown
function gracefulShutdown(signal) {
console.log(`\n${signal} received. Shutting down gracefully...`);
server.close(() => {
console.log('Server closed.');
process.exit(0);
});
setTimeout(() => { process.exit(1); }, 5000);
}
process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
process.on('SIGINT', () => gracefulShutdown('SIGINT'));

View File

@ -18,6 +18,11 @@
set -uo pipefail set -uo pipefail
# 注意: 不使用 set -e手动处理错误以确保密钥生成的健壮性 # 注意: 不使用 set -e手动处理错误以确保密钥生成的健壮性
# 清理临时文件
_TMPFILES=()
cleanup_tmp() { for f in "${_TMPFILES[@]}"; do rm -f "$f" 2>/dev/null; done; }
trap cleanup_tmp EXIT
# 工具函数: 将二进制数据转为base64url编码 # 工具函数: 将二进制数据转为base64url编码
to_base64url() { to_base64url() {
base64 | tr '+/' '-_' | tr -d '=' base64 | tr '+/' '-_' | tr -d '='
@ -46,6 +51,7 @@ if command -v xray &>/dev/null; then
# 捕获stdout和stderr分别处理 # 捕获stdout和stderr分别处理
KEYS_STDERR_FILE=$(mktemp) KEYS_STDERR_FILE=$(mktemp)
_TMPFILES+=("$KEYS_STDERR_FILE")
KEYS_OUTPUT=$(xray x25519 2>"$KEYS_STDERR_FILE") || true KEYS_OUTPUT=$(xray x25519 2>"$KEYS_STDERR_FILE") || true
KEYS_STDERR=$(cat "$KEYS_STDERR_FILE" 2>/dev/null) || true KEYS_STDERR=$(cat "$KEYS_STDERR_FILE" 2>/dev/null) || true
rm -f "$KEYS_STDERR_FILE" rm -f "$KEYS_STDERR_FILE"
@ -117,13 +123,24 @@ fi
if [ -z "$PRIVATE_KEY" ]; then if [ -z "$PRIVATE_KEY" ]; then
echo " ⚠️ 所有X25519生成方法均失败使用随机占位密钥" echo " ⚠️ 所有X25519生成方法均失败使用随机占位密钥"
echo " ⚠️ 请在服务器上手动运行: xray x25519" echo " ⚠️ 请在服务器上手动运行: xray x25519"
echo " ⚠️ Reality公钥为占位符VPN不可用直到手动替换"
PRIVATE_KEY=$(openssl rand 32 | to_base64url | head -c 43) PRIVATE_KEY=$(openssl rand 32 | to_base64url | head -c 43)
PUBLIC_KEY="PLACEHOLDER_REGENERATE_WITH_XRAY_X25519" PUBLIC_KEY="PLACEHOLDER_REGENERATE_WITH_XRAY_X25519"
HAS_ERROR=1 HAS_ERROR=1
fi fi
echo ""
echo "ZY_PROXY_REALITY_PRIVATE_KEY=$PRIVATE_KEY" echo "ZY_PROXY_REALITY_PRIVATE_KEY=$PRIVATE_KEY"
echo "ZY_PROXY_REALITY_PUBLIC_KEY=$PUBLIC_KEY" if [ "$PUBLIC_KEY" = "PLACEHOLDER_REGENERATE_WITH_XRAY_X25519" ]; then
echo "ZY_PROXY_REALITY_PUBLIC_KEY=$PUBLIC_KEY"
echo ""
echo "❌ 公钥生成失败!请在服务器上手动执行以下步骤:"
echo " 1. SSH到服务器: ssh root@your-server"
echo " 2. 运行: xray x25519"
echo " 3. 将输出的Public key添加到GitHub Secrets: ZY_PROXY_REALITY_PUBLIC_KEY"
else
echo "ZY_PROXY_REALITY_PUBLIC_KEY=$PUBLIC_KEY"
fi
# ── 生成ShortId ────────────────────────────── # ── 生成ShortId ──────────────────────────────
SHORT_ID=$(openssl rand -hex 8 || head -c 8 /dev/urandom | xxd -p) SHORT_ID=$(openssl rand -hex 8 || head -c 8 /dev/urandom | xxd -p)