Spaces:

BirkhoffLee
/

deno

Paused

deno / app.py

Chenghao

Update app.py

42175a7 verified 8 months ago

8.42 kB

	import re
	import os
	import logging
	from flask import Flask, request, Response
	import requests
	from urllib.parse import urlparse, unquote

	# --- Basic Configuration ---
	logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
	app = Flask(__name__)

	# --- Load Secret Key from Environment ---
	PROXY_SECRET_KEY = os.environ.get('PROXY_SECRET_KEY')
	if not PROXY_SECRET_KEY:
	logging.error("PROXY_SECRET_KEY environment variable is not set!")
	exit(1)

	logging.info(f"Proxy service initialized with secret key authentication")

	# --- Whitelisted URL Patterns for GitHub ---
	# This list defines all URL patterns that are permitted to be proxied.
	# It's a security measure to prevent the proxy from being used to access unintended domains.
	ALLOWED_PATTERNS = [
	# Repositories: releases, archives, blobs, raw content
	re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:releases\|archive)/.*$', re.IGNORECASE),
	re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:blob\|raw)/.*$', re.IGNORECASE),

	# Git operations (clone, pull, push)
	re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:info\|git-).*$', re.IGNORECASE),

	# Raw content from various GitHub domains
	re.compile(r'^https://raw\.(?:githubusercontent\|github)\.com/[^/]+/[^/]+/./.$', re.IGNORECASE),
	re.compile(r'^https://gist\.(?:githubusercontent\|github)\.com/[^/]+/[^/]+/./.$', re.IGNORECASE),

	# Repository tags and assets
	re.compile(r'^https://github\.com/[^/]+/[^/]+/tags.*$', re.IGNORECASE),
	re.compile(r'^https://avatars\.githubusercontent\.com/.*$', re.IGNORECASE),
	re.compile(r'^https://github\.githubassets\.com/.*$', re.IGNORECASE),

	# Main repository/user pages
	re.compile(r'^https://github\.com/[^/]+/?$', re.IGNORECASE),
	re.compile(r'^https://github\.com/[^/]+/[^/]+/?$', re.IGNORECASE),
	]

	# --- Custom Index Page ---
	INDEX_PAGE_HTML = """
	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Private GitHub Proxy</title>
	<style>
	body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; line-height: 1.6; color: #333; max-width: 800px; margin: 40px auto; padding: 20px; }
	.container { border: 1px solid #ddd; border-radius: 8px; padding: 20px 40px; background-color: #f9f9f9; }
	.warning { color: #856404; background-color: #fff3cd; border: 1px solid #ffeeba; padding: 15px; border-radius: 4px; margin-bottom: 20px; }
	.security { color: #721c24; background-color: #f8d7da; border: 1px solid #f5c6cb; padding: 15px; border-radius: 4px; margin-bottom: 20px; }
	h1, h2 { border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; }
	code { background-color: #eef; padding: 2px 4px; border-radius: 3px; }
	</style>
	</head>
	<body>
	<div class="container">
	<h1>Private GitHub Reverse Proxy</h1>
	<div class="security">
	<strong>Security Notice:</strong> This is a private proxy service that requires authentication.
	</div>
	<div class="warning">
	<strong>Warning:</strong> You are accessing GitHub content through a reverse proxy.
	All content served from this page is provided directly by GitHub.
	</div>
	<h2>How to Use</h2>
	<p>To access GitHub content, you need to include the secret key in the URL path:</p>
	<p>For example, to clone a repository:</p>
	<code>git clone {YOUR_PROXY_URL}/<SECRET_KEY>/https://github.com/owner/repo.git</code>
	<p>Or to view a repository page:</p>
	<code>{YOUR_PROXY_URL}/<SECRET_KEY>/https://github.com/owner/repo</code>
	<p>Example:</p>
	<code>https://megatrump-deno.hf.space/<SECRER_KEY>/https://github.com/python/cpython.git</code>
	<h2>Authentication Required</h2>
	<p>This proxy requires a valid secret key to access. Contact the administrator for access credentials.</p>
	</div>
	</body>
	</html>
	"""

	def is_url_allowed(url):
	"""Check if the given URL matches any pattern in the whitelist."""
	for pattern in ALLOWED_PATTERNS:
	if pattern.match(url):
	return True
	return False

	def extract_secret_and_url(path):
	"""Extract secret key and target URL from the path."""
	# Remove leading slash if present
	if path.startswith('/'):
	path = path[1:]

	# Split the path to extract secret key and URL
	parts = path.split('/', 1)
	if len(parts) < 2:
	return None, None

	secret_key = parts[0]
	target_url = parts[1]

	return secret_key, target_url

	# --- Core Proxy Logic ---
	@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE'])
	@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE'])
	def proxy(path):
	"""
	Proxies requests to GitHub after validating secret key and URL whitelist.
	It streams the response back to the client.
	"""
	# The full path might be URL-encoded, so we decode it.
	target_path = unquote(request.full_path)
	if target_path.startswith('/'):
	target_path = target_path[1:]

	# For the root path, display the custom warning page.
	# Handle both '' (for a request to '/') and '?' (for a request to '/?').
	if not target_path or target_path == '?':
	return INDEX_PAGE_HTML, 200

	# Extract secret key and target URL
	provided_secret, target_url_path = extract_secret_and_url(target_path)

	# Validate secret key
	if not provided_secret or provided_secret != PROXY_SECRET_KEY:
	logging.warning(f"Access denied: Invalid or missing secret key from IP: {request.remote_addr}")
	return "<h1>403 Forbidden</h1><p>Access denied: Invalid or missing authentication key.</p>", 403

	if not target_url_path:
	logging.warning(f"Access denied: No target URL provided from IP: {request.remote_addr}")
	return "<h1>400 Bad Request</h1><p>No target URL provided.</p>", 400

	# Prepend 'https://' if the scheme is missing.
	if not target_url_path.startswith(('http://', 'https://')):
	target_url = 'https://' + target_url_path
	else:
	target_url = target_url_path

	# Security check: Ensure the URL is in the whitelist.
	if not is_url_allowed(target_url):
	logging.warning(f"URL Denied! No pattern matched: {target_url} from IP: {request.remote_addr}")
	return "<h1>403 Forbidden</h1><p>Request blocked by proxy security policy.</p>", 403

	try:
	target_host = urlparse(target_url).hostname
	if not target_host:
	raise ValueError("Hostname could not be parsed from the target URL.")
	except Exception as e:
	logging.error(f"Invalid target URL provided: {target_url} \| Error: {e}")
	return f"Invalid target URL in path: {e}", 400

	# Forward headers, but set the 'Host' header to the target's hostname.
	headers = {key: value for (key, value) in request.headers if key.lower() != 'host'}
	headers['Host'] = target_host

	try:
	# Log successful proxy request
	logging.info(f"Proxying request to: {target_url} from IP: {request.remote_addr}")

	# Stream the request to handle large files efficiently.
	resp = requests.request(
	method=request.method,
	url=target_url,
	headers=headers,
	data=request.get_data(),
	cookies=request.cookies,
	allow_redirects=False, # Redirects are handled by the client.
	stream=True,
	timeout=30 # Timeout for the connection.
	)

	# Exclude headers that can interfere with streaming.
	excluded_headers = ['content-encoding', 'content-length', 'transfer-encoding', 'connection']
	response_headers = [(name, value) for (name, value) in resp.raw.headers.items()
	if name.lower() not in excluded_headers]

	# Stream the response back to the original client.
	return Response(resp.iter_content(chunk_size=8192), resp.status_code, response_headers)

	except requests.exceptions.RequestException as e:
	logging.error(f"Error while proxying to {target_url}: {e}")
	return "An error occurred while proxying the request.", 502

	if __name__ == '__main__':
	app.run(host='0.0.0.0', port=7860)