From 764623c7a07654f15147cfc7704103627af38ca7 Mon Sep 17 00:00:00 2001
From: win
Date: Sun, 22 Mar 2026 01:42:44 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20Node.js=20TLS=20=E4=BB=A3=E7=90=86?=
 =?UTF-8?q?=E5=AF=B9=E6=89=80=E6=9C=89=20HTTPS=20=E4=B8=8A=E6=B8=B8?=
 =?UTF-8?q?=E7=94=9F=E6=95=88=EF=BC=8C=E5=8E=BB=E6=8E=89=E5=9F=9F=E5=90=8D?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 移除 proxy_hosts 白名单限制和 shouldRouteViaNodeProxy
- 所有 HTTPS 上游请求统一走 Node.js 代理
- 通过 X-Forwarded-Host 动态识别目标主机
- Anthropic / Gemini / 任意上游自动适配
- 移除诊断日志(已定位问题)
---
 backend/internal/repository/http_upstream.go | 32 +++-----------------
 1 file changed, 5 insertions(+), 27 deletions(-)

diff --git a/backend/internal/repository/http_upstream.go b/backend/internal/repository/http_upstream.go
index ba6bb8fc..9e9f4e6e 100644
--- a/backend/internal/repository/http_upstream.go
+++ b/backend/internal/repository/http_upstream.go
@@ -124,19 +124,9 @@ func NewHTTPUpstream(cfg *config.Config) service.HTTPUpstream {
 // - 调用方必须关闭 resp.Body,否则会导致 inFlight 计数泄漏
 // - inFlight > 0 的客户端不会被淘汰,确保活跃请求不被中断
 func (s *httpUpstreamService) Do(req *http.Request, proxyURL string, accountID int64, accountConcurrency int) (*http.Response, error) {
- // Node.js TLS 代理:仅拦截白名单内的上游主机
- if s.isNodeTLSProxyEnabled() {
- if req != nil && req.URL != nil {
- slog.Warn("node_tls_proxy_check",
- "scheme", req.URL.Scheme,
- "host", req.URL.Host,
- "hostname", req.URL.Hostname(),
- "should_route", s.shouldRouteViaNodeProxy(req),
- )
- }
- if s.shouldRouteViaNodeProxy(req) {
- return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
- }
+ // Node.js TLS 代理:所有 HTTPS 上游请求走 Node.js 代理
+ if s.isNodeTLSProxyEnabled() && req != nil && req.URL != nil && req.URL.Scheme == "https" {
+ return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
 }

 if err := s.validateRequestHost(req); err != nil {
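Review bot: With the allowlist gone, the early return in `Do` hands every HTTPS request to `doViaNodeTLSProxy` before `s.validateRequestHost(req)` runs, so the host check on the following line no longer covers any HTTPS upstream while the proxy is enabled. Unless `doViaNodeTLSProxy` validates the destination itself (not visible here), a request URL that comes from account or user configuration could be forwarded to internal addresses through the Node.js proxy. Moving the `if err := s.validateRequestHost(req); err != nil { … }` check above the proxy branch keeps the validation on both paths. Whether `DoWithTLS` validates the host before its identical branch cannot be seen in the second hunk. The body of `Do` continues outside this hunk.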
@@ -191,20 +181,8 @@ func (s *httpUpstreamService) DoWithTLS(req *http.Request, proxyURL string, acco
 }

 // 优先使用 Node.js TLS 代理模式
- if s.isNodeTLSProxyEnabled() {
- shouldRoute := s.shouldRouteViaNodeProxy(req)
- host := ""
- if req != nil && req.URL != nil {
- host = req.URL.Hostname()
- }
- slog.Warn("node_tls_proxy_check_tls_path",
- "host", host,
- "should_route", shouldRoute,
- "tls_fingerprint_enabled", enableTLSFingerprint,
- )
- if shouldRoute {
- return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
- }
+ if s.isNodeTLSProxyEnabled() && req != nil && req.URL != nil && req.URL.Scheme == "https" {
+ return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
 }

 // TLS 指纹已启用,记录调试日志
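Review bot: The comment kept above the branch in `DoWithTLS` still describes a preference and does not say that the branch now takes every HTTPS request, nor that `proxyURL` is not handed to `doViaNodeTLSProxy`. I would replace it with `// Node.js TLS proxy: when enabled, all HTTPS upstream requests are routed through it; proxyURL is not forwarded on this path.` If per-account egress proxies are expected to apply to these requests, that is worth confirming, since the call passes only `req`, `accountID` and `accountConcurrency`. `DoWithTLS` starts and ends outside this hunk.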