sub2api/deploy/docker-compose.tls-proxy.yml

# =============================================================================
# Node.js TLS Proxy Overlay
# =============================================================================
# 在现有 docker-compose.yml 基础上增加 Node.js TLS 代理。
#
# 用法：
#   docker compose -f docker-compose.yml -f docker-compose.tls-proxy.yml up -d
#
# 架构：
#   sub2api (Go) → HTTP 明文 → node-tls-proxy → HTTPS (原生 TLS) → api.anthropic.com
#
# 网络隔离：
#   - sub2api 仅连接 internal + sub2api-network（访问 pg/redis，但无外网）
#   - node-tls-proxy 双栈网络（internal + external），唯一的出站通道
#   - IPv6 内核级禁用
# =============================================================================

services:
  # ===========================================================================
  # 覆盖 sub2api：加入 internal 网络 + 启用 Node.js TLS 代理
  # ===========================================================================
  sub2api:
    networks:
      - sub2api-internal
      - sub2api-network    # 保留：访问 postgres/redis
    environment:
      # 启用 Node.js TLS 代理
      - GATEWAY_NODE_TLS_PROXY_ENABLED=true
      - GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=3456
      - GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=node-tls-proxy
      - GATEWAY_NODE_TLS_PROXY_UPSTREAM_HOST=api.anthropic.com
    depends_on:
      node-tls-proxy:
        condition: service_healthy

  # ===========================================================================
  # Node.js TLS Forward Proxy
  # 直接拉取预构建镜像，支持 amd64/arm64
  # ===========================================================================
  node-tls-proxy:
    image: zfc931912343/sub2api-tls-proxy:latest
    container_name: sub2api-node-tls-proxy
    restart: unless-stopped
    user: "1000:1000"
    read_only: true
    tmpfs:
      - /tmp:size=10M
    environment:
      - PROXY_PORT=3456
      - PROXY_HOST=0.0.0.0
      - UPSTREAM_HOST=api.anthropic.com
      # 可选：经过外部代理出站（HTTP CONNECT 隧道）
      - UPSTREAM_PROXY=${TLS_PROXY_UPSTREAM_PROXY:-}
      - TZ=${TZ:-Asia/Shanghai}
    networks:
      - sub2api-internal   # sub2api 可以访问
      - sub2api-external   # 可以访问外网
    sysctls:
      # 内核级禁用 IPv6（防 IPv6 泄露）
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.default.disable_ipv6=1
    healthcheck:
      test: ["CMD", "node", "-e", "const h=require('http');h.get('http://127.0.0.1:3456/__health',r=>{process.exit(r.statusCode===200?0:1)}).on('error',()=>process.exit(1))"]
      interval: 15s
      timeout: 5s
      retries: 3
      start_period: 5s
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: "1.0"

# =============================================================================
# Networks
# =============================================================================
networks:
  sub2api-internal:
    internal: true     # 关键：无外网访问
    driver: bridge
  sub2api-external:
    driver: bridge