zfc/sub2api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,401 Commits 3 Branches 0 Tags
Commit Graph

13 Commits

Author SHA1 Message Date
win
0bfd6edde6 feat: Sora curl_cffi sidecar — Chrome TLS 指纹绕过 Cloudflare
Some checks failed
CI / test (push) Failing after 3s
Details
CI / golangci-lint (push) Failing after 3s
Details
Security Scan / backend-security (push) Failing after 3s
Details
Security Scan / frontend-security (push) Failing after 3s
Details 
- 新增 sora-curl-cffi-sidecar 容器(Python + curl_cffi + chrome131)
- docker-compose.tls-proxy.yml 集成 sidecar,sub2api 自动连接
- 会话池复用,避免重复 TLS 握手
- 镜像 zfc931912343/sora-curl-cffi-sidecar:latest (amd64+arm64)
 2026-03-22 03:31:49 +08:00
win
5d476fbc09 fix: 重写 proxy.js — 预收集 body + H1/H2 自适应,本地测试 4/4 通过
Some checks failed
CI / golangci-lint (push) Has been cancelled
Details
Security Scan / backend-security (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
Security Scan / frontend-security (push) Has been cancelled
Details
2026-03-22 02:19:38 +08:00
win
88432f9438 feat: 智能 H1/H2 自适应 — 首次 H1 秒挂自动切 H2 并缓存
Some checks failed
CI / test (push) Failing after 3s
Details
CI / golangci-lint (push) Failing after 3s
Details
Security Scan / backend-security (push) Failing after 3s
Details
Security Scan / frontend-security (push) Failing after 3s
Details 
- 首次请求走 HTTP/1.1,如果 socket hang up < 2s 自动切 HTTP/2
- H2 主机缓存在内存中,后续请求直接走 H2(如 googleapis.com)
- H2 session 池复用 + 空闲超时自动清理
- 详细日志:proxy_request → proxy_response/error,含协议标识
- 解决 googleapis.com 强制 H2 导致请求失败的问题
 2026-03-22 02:06:10 +08:00
win
4ea945bb56 fix: 去掉 H2/ALPN 复杂度,回到纯 https.request + 动态主机 + 响应日志
Some checks failed
CI / test (push) Failing after 1m24s
Details
CI / golangci-lint (push) Failing after 4s
Details
Security Scan / backend-security (push) Failing after 4s
Details
Security Scan / frontend-security (push) Failing after 4s
Details
2026-03-22 02:03:19 +08:00
win
47066d4111 feat: Node.js TLS 代理支持 HTTP/2 + 动态主机路由
Some checks failed
CI / test (push) Failing after 1m32s
Details
CI / golangci-lint (push) Failing after 31s
Details
Security Scan / backend-security (push) Failing after 1m32s
Details
Security Scan / frontend-security (push) Failing after 32s
Details 
- proxy.js: 自动探测上游 ALPN (h2/http1.1),按需选择协议
- proxy.js: X-Forwarded-Host 动态路由,支持任意上游主机
- proxy.js: HTTP/2 session 缓存 + 空闲超时自动清理
- Go: 所有 HTTPS 上游请求统一走 Node.js 代理,无域名白名单
- 解决 googleapis.com 要求 HTTP/2 导致 socket hang up
 2026-03-22 01:49:30 +08:00
win
5c587c1095 fix: Node.js TLS 代理动态识别上游主机
Some checks failed
CI / test (push) Has been cancelled
Details
CI / golangci-lint (push) Has been cancelled
Details
Security Scan / backend-security (push) Has been cancelled
Details
Security Scan / frontend-security (push) Has been cancelled
Details 
- Go: 通过 X-Forwarded-Host 传递原始目标主机给 Node.js 代理
- Node.js: 读取 X-Forwarded-Host 动态连接到正确的上游主机
- 所有 HTTPS 上游请求统一走代理,不再固定绑定 api.anthropic.com
- Gemini/Sora 等不同上游自动识别,无需手动配置
 2026-03-22 01:09:39 +08:00
win
a72ba424cc feat: Node.js TLS 指纹代理 + 网络隔离防泄露
Some checks failed
CI / test (push) Failing after 1m32s
Details
CI / golangci-lint (push) Failing after 33s
Details
Security Scan / backend-security (push) Failing after 32s
Details
Security Scan / frontend-security (push) Failing after 32s
Details 
- 新增 Node.js TLS Forward Proxy (tools/node-tls-proxy/)
  原生 Node.js TLS 栈发起上游 HTTPS,JA3/JA4 天然匹配 Claude CLI
  SSE 流式透传,支持上游 HTTP CONNECT 代理
  零依赖,Node.js 24.13.0 锁定版本

- Go 集成 (config.go + http_upstream.go)
  新增 NodeTLSProxyConfig 配置
  DoWithTLS 优先走 Node.js 代理模式,URL 重写 https→http://localhost:3456

- Docker 网络隔离 (docker-compose.tls-proxy.yml)
  sub2api 容器仅 internal 网络,物理隔离外网
  node-tls-proxy 唯一出站通道,IPv6 内核级禁用

- iptables 防泄露脚本 (tools/firewall/)
  QUIC/UDP 443 全局 DROP,仅 nodeproxy 用户可出站 TCP 443

- 镜像切换为 zfc931912343/ 仓库
 2026-03-22 00:18:43 +08:00
shaw
7d318aeefa fix: 恢复check_pnpm_audit_exceptions.py 2026-03-04 10:20:19 +08:00
shaw
0aa3cf677a chore: 清理一些无用的文件 2026-03-04 10:15:42 +08:00
yangjianbo
bb664d9bbf feat(sync): full code sync from release 2026-02-28 15:01:20 +08:00
yangjianbo
61a2bf469a feat(openai): 极致优化 OAuth 链路并补齐性能守护 
- 优化 /v1/responses 热路径,减少重复解析与不必要拷贝\n- 优化并发与 token 竞争路径并补齐运行指标\n- 补充 OpenAI/Ops 相关单元测试与回归用例\n- 新增灰度阈值守护与压测脚本,支撑发布验收
 2026-02-12 09:41:37 +08:00
yangjianbo
d7011163b8 fix: 修复代码审核发现的安全和质量问题 
安全修复(P0):
- 移除硬编码的 OAuth client_secret(Antigravity、Gemini CLI),
  改为通过环境变量注入(ANTIGRAVITY_OAUTH_CLIENT_SECRET、
  GEMINI_CLI_OAUTH_CLIENT_SECRET)
- 新增 logredact.RedactText() 对非结构化文本做敏感信息脱敏,
  覆盖 GOCSPX-*/AIza* 令牌和常见 key=value 模式
- 日志中不再打印 org_uuid、account_uuid、email_address 等敏感值

安全修复(P1):
- URL 验证增强:新增 ValidateHTTPURL 统一入口,支持 allowlist 和
  私网地址阻断(localhost/内网 IP)
- 代理回退安全:代理初始化失败时默认阻止直连回退,防止 IP 泄露,
  可通过 security.proxy_fallback.allow_direct_on_error 显式开启
- Gemini OAuth 配置校验:client_id 与 client_secret 必须同时
  设置或同时留空

其他改进:
- 新增 tools/secret_scan.py 密钥扫描工具和 Makefile secret-scan 目标
- 更新所有 docker-compose 和部署配置,传递 OAuth secret 环境变量
- google_one OAuth 类型使用固定 redirectURI,与 code_assist 对齐

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 09:58:13 +08:00
yangjianbo
3f0017d1f1 fix(安全): 修复依赖漏洞并强化安全扫描 
主要改动:
- 固定 Go 1.25.5 与 CI 校验并更新扫描流程
- 升级 quic-go、x/crypto、req 等依赖并通过 govulncheck
- 强化 JWT 校验、TLS 配置与 xlsx 动态加载
- 新增审计豁免清单与校验脚本
 2026-01-06 11:36:38 +08:00