Spaces:

clash-linux
/

notion

Paused

App Files Files Community

clash-linux commited on Jun 11

Commit

c058c1e

verified ·

1 Parent(s): 15296c6

Upload 18 files

Browse files

Files changed (6) hide show

Dockerfile +21 -10
entrypoint.sh +48 -0
package-lock.json +0 -0
package.json +2 -1
redsocks.conf +20 -0
src/ProxyServer.js +1 -6

Dockerfile CHANGED Viewed

@@ -4,6 +4,14 @@ FROM node:18-slim
 # Set the working directory in the container
 WORKDIR /app
 # Copy package.json and package-lock.json to the working directory
 COPY package*.json ./
@@ -16,17 +24,15 @@ RUN npm install --production
 # Copy the rest of the application source code to the working directory
 COPY . .
-# Switch back to root user to install proxychains
-USER root
-# Install proxychains4
-RUN apt-get update && apt-get install -y proxychains4 && rm -rf /var/lib/apt/lists/*
-# Check if the binary is dynamically linked. If it is statically linked, ldd will fail.
-RUN ldd /app/src/proxy/chrome_proxy_server_linux_amd64 || echo "ldd check failed, the binary is likely statically linked."
-# Grant execute permission to the proxy server binary for the root user
-RUN chmod +x /app/src/proxy/chrome_proxy_server_linux_amd64
 # Change ownership of the app directory to the node user
 RUN chown -R node:node /app
@@ -37,5 +43,10 @@ USER node
 # Make port 7860 available to the world outside this container
 EXPOSE 7860
-# Define the command to run the app
 CMD ["npm", "start"]

 # Set the working directory in the container
 WORKDIR /app
+# Install dependencies needed for traffic redirection and privilege drop
+# And clean up apt-get lists to keep the image slim
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    iptables \
+    redsocks \
+    gosu \
+    && rm -rf /var/lib/apt/lists/*
 # Copy package.json and package-lock.json to the working directory
 COPY package*.json ./
 # Copy the rest of the application source code to the working directory
 COPY . .
+# Copy the configuration for redsocks
+COPY redsocks.conf /etc/redsocks.conf
+# Copy the entrypoint script
+COPY entrypoint.sh /app/entrypoint.sh
+# Grant execute permissions to scripts and the proxy binary
+RUN chmod +x /app/entrypoint.sh \
+    && chmod +x /app/src/proxy/chrome_proxy_server_linux_amd64
 # Change ownership of the app directory to the node user
 RUN chown -R node:node /app
 # Make port 7860 available to the world outside this container
 EXPOSE 7860
+# Set the entrypoint to our script.
+# This script will run as root to set up iptables.
+ENTRYPOINT ["/app/entrypoint.sh"]
+# Define the default command to run the app.
+# This will be executed by the entrypoint script using 'gosu' to drop to the 'node' user.
 CMD ["npm", "start"]

entrypoint.sh ADDED Viewed

	@@ -0,0 +1,48 @@

+#!/bin/sh
+# 确保在任何命令失败时立即退出
+set -e
+# --- 启动 redsocks ---
+# 在后台启动redsocks，并使用我们创建的配置文件
+echo "[Entrypoint] Starting redsocks..."
+redsocks -c /etc/redsocks.conf &
+# 等待片刻以确保redsocks服务已启动
+sleep 2
+# --- 配置 iptables ---
+echo "[Entrypoint] Configuring iptables..."
+# 您的代理服务器IP，我们需要避免将发往代理本身的流量再次重定向，防止死循环
+PROXY_IP="34.55.224.190"
+# 创建一个新的iptables链，专门用于处理我们的重定向逻辑
+iptables -t nat -N REDSOCKS
+# 规则1: 不重定向发往代理服务器本身的流量
+iptables -t nat -A REDSOCKS -d $PROXY_IP -j RETURN
+# 规则2: 不重定向发往本地网络和私有网络的流量
+iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
+iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
+iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
+# 规则3: 将所有其他TCP流量重定向到redsocks监听的端口 (12345)
+# 注意：我们重定向所有TCP流量，因为chrome_proxy_server可能连接任何端口，但主要是443
+iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
+# 规则4: 将OUTPUT链（容器内进程发出的流量）应用我们的REDSOCKS规则
+iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
+echo "[Entrypoint] iptables configured."
+# --- 运行主程序 ---
+# 使用 gosu 切换到非root用户 'node' 来运行应用程序
+# 这是一种安全最佳实践，避免您的应用以root权限运行
+# $@ 会将 Dockerfile 中 CMD 定义的命令（即 "npm start"）作为参数传递给这里
+echo "[Entrypoint] Starting application as user 'node'..."
+exec gosu node "$@"

package-lock.json CHANGED Viewed

The diff for this file is too large to render. See raw diff

package.json CHANGED Viewed

@@ -29,7 +29,8 @@
     "https-proxy-agent": "^7.0.2",
     "jsdom": "^22.1.0",
     "node-fetch": "^3.3.2",
-    "playwright": "^1.40.1"
   },
   "devDependencies": {
     "nodemon": "^3.0.2"

     "https-proxy-agent": "^7.0.2",
     "jsdom": "^22.1.0",
     "node-fetch": "^3.3.2",
+    "playwright": "^1.40.1",
+    "tunnel": "^0.0.6"
   },
   "devDependencies": {
     "nodemon": "^3.0.2"

redsocks.conf ADDED Viewed

	@@ -0,0 +1,20 @@

+base {
+    log_debug = off;
+    log_info = on;
+    log = "stderr";
+    daemon = off;
+    redirector = iptables;
+}
+redsocks {
+    // redsocks 监听的本地地址和端口
+    local_ip = 127.0.0.1;
+    local_port = 12345;
+    // 您的上游HTTP代理服务器的IP和端口
+    ip = 34.55.224.190;
+    port = 8080;
+    // 代理类型：http-connect 用于代理HTTPS流量
+    type = http-connect;
+}

src/ProxyServer.js CHANGED Viewed

@@ -106,14 +106,9 @@ class ProxyServer {
       // 创建日志文件
       this.logStream = fs.createWriteStream(this.logPath, { flags: 'a' });
-      const proxyChainsConfigPath = join(dirname(__dirname), 'proxychains.conf');
       // 修复 stdio 参数问题
       // 启动代理服务器进程
-      this.proxyProcess = spawn('proxychains4', [
-        '-f',
-        proxyChainsConfigPath,
-        proxyServerPath,
         '--port', this.port.toString(),
         '--token', this.proxyAuthToken
       ], {

       // 创建日志文件
       this.logStream = fs.createWriteStream(this.logPath, { flags: 'a' });
       // 修复 stdio 参数问题
       // 启动代理服务器进程
+      this.proxyProcess = spawn(proxyServerPath, [
         '--port', this.port.toString(),
         '--token', this.proxyAuthToken
       ], {