sub2api/deploy/docker-compose.tls-proxy.yml
win 0bfd6edde6
Some checks failed
CI / test (push) Failing after 3s
CI / golangci-lint (push) Failing after 3s
Security Scan / backend-security (push) Failing after 3s
Security Scan / frontend-security (push) Failing after 3s
feat: Sora curl_cffi sidecar — Chrome TLS 指纹绕过 Cloudflare
- 新增 sora-curl-cffi-sidecar 容器(Python + curl_cffi + chrome131)
- docker-compose.tls-proxy.yml 集成 sidecar,sub2api 自动连接
- 会话池复用,避免重复 TLS 握手
- 镜像 zfc931912343/sora-curl-cffi-sidecar:latest (amd64+arm64)
2026-03-22 03:31:49 +08:00


# =============================================================================
# Node.js TLS Proxy + Sora Sidecar Overlay
# =============================================================================
# 用法:
# docker compose -f docker-compose.yml -f docker-compose.tls-proxy.yml up -d
#
# 架构:
# Anthropic: sub2api → node-tls-proxy (Node.js TLS) → api.anthropic.com
# Sora: sub2api → sora-curl-cffi-sidecar (Chrome TLS) → sora.chatgpt.com
# =============================================================================
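services:
  # ---------------------------------------------------------------------------
  # Override for sub2api: join the internal network and enable both proxies.
  # ---------------------------------------------------------------------------
  sub2api:
    networks:
      - sub2api-internal
      # Kept so sub2api can still reach postgres/redis. This network is not
      # declared in this overlay; presumably it comes from docker-compose.yml.
      - sub2api-network
    environment:
      # Node.js TLS proxy used for Anthropic traffic.
      - GATEWAY_NODE_TLS_PROXY_ENABLED=true
      - GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=3456
      - GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=node-tls-proxy
      - GATEWAY_NODE_TLS_PROXY_UPSTREAM_HOST=api.anthropic.com
      # Sora curl_cffi sidecar (Chrome TLS fingerprint, chrome131 profile).
      # NOTE(review): this hop is plain HTTP. Whatever sub2api forwards here
      # (presumably including upstream credentials; verify) is protected only
      # by sub2api-internal membership, so keep unrelated services off it.
      - SORA_CLIENT_CURL_CFFI_SIDECAR_ENABLED=true
      - SORA_CLIENT_CURL_CFFI_SIDECAR_BASE_URL=http://sora-curl-cffi-sidecar:8080
      - SORA_CLIENT_CURL_CFFI_SIDECAR_IMPERSONATE=chrome131
    # sub2api starts only after both proxies report healthy.
    depends_on:
      node-tls-proxy:
        condition: service_healthy
      sora-curl-cffi-sidecar:
        condition: service_healthy

  # ---------------------------------------------------------------------------
  # Node.js TLS forward proxy (Anthropic)
  # ---------------------------------------------------------------------------
  node-tls-proxy:
    # NOTE(review): ":latest" is a mutable tag, so a re-pushed image is picked
    # up silently on the next pull. Pin by digest once a vetted build exists,
    # e.g. zfc931912343/sub2api-tls-proxy@sha256:<digest-placeholder>.
    image: zfc931912343/sub2api-tls-proxy:latest
    container_name: sub2api-node-tls-proxy
    restart: unless-stopped
    # Non-root UID/GID, read-only root filesystem, small writable /tmp.
    user: "1000:1000"
    read_only: true
    tmpfs:
      - /tmp:size=10M
    # Block privilege gain through setuid/setgid binaries inside the container.
    security_opt:
      - no-new-privileges:true
    environment:
      - PROXY_PORT=3456
      # Listens on every interface, including the one on sub2api-external.
      # No ports are published here, so only containers that share one of
      # this service's networks can connect.
      - PROXY_HOST=0.0.0.0
      - UPSTREAM_HOST=api.anthropic.com
      # Optional upstream proxy; empty when TLS_PROXY_UPSTREAM_PROXY is unset.
      - UPSTREAM_PROXY=${TLS_PROXY_UPSTREAM_PROXY:-}
      - TZ=${TZ:-Asia/Shanghai}
    networks:
      - sub2api-internal
      - sub2api-external
    # Disable IPv6 in this container's network namespace.
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.default.disable_ipv6=1
    # Healthy when GET /__health on the local listener returns HTTP 200.
    healthcheck:
      test: ["CMD", "node", "-e", "const h=require('http');h.get('http://127.0.0.1:3456/__health',r=>{process.exit(r.statusCode===200?0:1)}).on('error',()=>process.exit(1))"]
      interval: 15s
      timeout: 5s
      retries: 3
      start_period: 5s
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: "1.0"

  # ---------------------------------------------------------------------------
  # Sora curl_cffi sidecar (Chrome TLS fingerprint)
  # ---------------------------------------------------------------------------
  sora-curl-cffi-sidecar:
    # NOTE(review): mutable ":latest" tag, as on node-tls-proxy. Pin by digest,
    # e.g. zfc931912343/sora-curl-cffi-sidecar@sha256:<digest-placeholder>.
    image: zfc931912343/sora-curl-cffi-sidecar:latest
    container_name: sub2api-sora-sidecar
    restart: unless-stopped
    # NOTE(review): unlike node-tls-proxy, no user / read_only / tmpfs is set,
    # so this runs as whatever user the image defines with a writable root
    # filesystem. TODO: confirm the image tolerates a non-root user and a
    # read-only rootfs, then mirror those settings here.
    # Block privilege gain through setuid/setgid binaries inside the container.
    security_opt:
      - no-new-privileges:true
    environment:
      - PORT=8080
      - IMPERSONATE=chrome131
      - TIMEOUT_SECONDS=60
      - SESSION_TTL_SECONDS=3600
      - TZ=${TZ:-Asia/Shanghai}
    networks:
      - sub2api-internal
      - sub2api-external
    # Healthy when urlopen() on /health completes without raising.
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8080/health')"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: "1.0"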
# =============================================================================
# Networks
# =============================================================================
networks:
  # Egress side: a plain bridge network. In this file only node-tls-proxy and
  # sora-curl-cffi-sidecar attach to it.
  sub2api-external:
    driver: bridge
  # Service-to-service side: "internal: true" creates the bridge without
  # external connectivity, so a container attached only to this network
  # cannot reach the internet directly. sub2api also joins sub2api-network,
  # so its egress depends on how that network is defined elsewhere.
  sub2api-internal:
    driver: bridge
    internal: true