HuggingClaw

Running

App Files Files Community

somratpro commited on 26 days ago

Commit

be3c836

1 Parent(s): 561793f

refactor: simplify proxy logic by removing undici patching and add unauthenticated fallback for Telegram bot API paths

Browse files

Files changed (4) hide show

cloudflare-proxy-setup.py +10 -5
cloudflare-proxy.js +19 -152
cloudflare-worker.js +7 -1
start.sh +1 -0

cloudflare-proxy-setup.py CHANGED Viewed

@@ -87,12 +87,17 @@ function isAllowedHost(hostname) {{
 async function handleRequest(request) {{
   const url = new URL(request.url);
   const targetHost = request.headers.get("x-target-host");
-  if (PROXY_SHARED_SECRET) {{
-    const providedSecret = request.headers.get("x-proxy-key") || "";
-    if (providedSecret !== PROXY_SHARED_SECRET) {{
-      return new Response("Unauthorized", {{ status: 401 }});
-    }}
   }}
   let targetBase = "";

 async function handleRequest(request) {{
   const url = new URL(request.url);
   const targetHost = request.headers.get("x-target-host");
+if (PROXY_SHARED_SECRET) {
+  const providedSecret = request.headers.get("x-proxy-key") || "";
+  if (providedSecret !== PROXY_SHARED_SECRET) {
+    if (url.pathname.startsWith("/bot") && !targetHost) {
+      // Allowed fallback
+    } else {
+      return new Response("Unauthorized", { status: 401 });
+    }
+  }
+}
   }}
   let targetBase = "";

cloudflare-proxy.js CHANGED Viewed

@@ -1,19 +1,17 @@
 /**
  * Cloudflare Proxy: Transparent Fix for Blocked Domains
  *
- * Patches https.request/http.request and undici/fetch to redirect traffic
- * for blocked hosts through a Cloudflare Worker proxy.
  */
 "use strict";
-// Use stderr for logs to avoid breaking child processes that communicate via stdout JSON
-const log = (...args) => console.error(...args);
-log("🦞 Cloudflare Proxy: Transparent redirector active");
 const https = require("https");
 const http = require("http");
 let PROXY_URL = process.env.CLOUDFLARE_PROXY_URL;
 if (
   PROXY_URL &&
@@ -54,13 +52,14 @@ if (PROXY_URL) {
         normalized === "huggingface.co";
       const should = PROXY_ALL ? !isInternal : BLOCKED_DOMAINS.some(
-        (domain) => normalized === domain || normalized.endsWith(`.${domain}`)
       );
       if (DEBUG && should && normalized !== proxy.hostname) {
         log(`[cloudflare-proxy] Host match: ${normalized}`);
       }
       return should;
     };
@@ -87,7 +86,6 @@ if (PROXY_URL) {
         }
         const shouldProxy = shouldProxyHost(hostname);
         const alreadyProxied =
           options && typeof options === "object" && options._proxied;
         const hasTargetHeader =
@@ -177,14 +175,15 @@ if (PROXY_URL) {
         const proxiedUrl = new URL(url.pathname + url.search, proxy);
         if (request) {
-          const newInit = {
-            method: request.method,
-            headers,
-            body: request.body,
-            redirect: request.redirect,
-            duplex: "half",
-          };
-          return originalFetch(new Request(proxiedUrl, newInit));
         }
         return originalFetch(proxiedUrl, {
@@ -194,143 +193,11 @@ if (PROXY_URL) {
       };
     }
-    const patchUndiciInstance = (exports) => {
-      if (!exports) return;
-      const patchDispatch = (proto, name) => {
-        if (proto && proto.dispatch && !proto.dispatch._patched) {
-          const origDispatch = proto.dispatch;
-          proto.dispatch = function(options, handler) {
-            let origin = options.origin || this.origin;
-            if (origin && typeof origin !== 'string') {
-              try { origin = origin.origin || origin.toString(); } catch (e) { origin = ""; }
-            }
-            let hostname = "";
-            try {
-              hostname = new URL(String(origin)).hostname;
-            } catch(e) {
-              hostname = String(origin || "").split(':')[0];
-            }
-            if (hostname && shouldProxyHost(hostname)) {
-              if (DEBUG) log(`[cloudflare-proxy] Redirecting undici ${name}.dispatch: ${hostname}${options.path || ""} -> ${proxy.hostname}`);
-              let headers = options.headers;
-              const targetHeader = "x-target-host";
-              const secretHeader = "x-proxy-key";
-              if (Array.isArray(headers)) {
-                let foundTarget = false;
-                for (let i = 0; i < headers.length; i += 2) {
-                  if (String(headers[i]).toLowerCase() === targetHeader) {
-                    foundTarget = true;
-                    break;
-                  }
-                }
-                if (!foundTarget) {
-                  headers.push(targetHeader, hostname);
-                  if (PROXY_SHARED_SECRET) headers.push(secretHeader, PROXY_SHARED_SECRET);
-                }
-              } else {
-                options.headers = headers || {};
-                if (options.headers instanceof Map || (typeof options.headers.set === 'function')) {
-                  options.headers.set(targetHeader, hostname);
-                  if (PROXY_SHARED_SECRET) options.headers.set(secretHeader, PROXY_SHARED_SECRET);
-                } else {
-                  options.headers[targetHeader] = hostname;
-                  if (PROXY_SHARED_SECRET) options.headers[secretHeader] = PROXY_SHARED_SECRET;
-                }
-              }
-              options.origin = `https://${proxy.hostname}`;
-            }
-            return origDispatch.call(this, options, handler);
-          };
-          proto.dispatch._patched = true;
-          if (DEBUG) log(`[cloudflare-proxy] Patched undici ${name}.prototype.dispatch`);
-        }
-      };
-      // Discover and patch all Dispatcher-like classes in the module
-      for (const key in exports) {
-        if (exports[key] && exports[key].prototype && typeof exports[key].prototype.dispatch === 'function') {
-           patchDispatch(exports[key].prototype, key);
-        }
-      }
-      // Patch the current global dispatcher instance
-      if (exports.getGlobalDispatcher) {
-        try {
-          const globalDispatcher = exports.getGlobalDispatcher();
-          if (globalDispatcher && globalDispatcher.dispatch && !globalDispatcher.dispatch._patched) {
-            patchDispatch(globalDispatcher, "GlobalDispatcherInstance");
-          }
-        } catch (e) {}
-      }
-      if (exports.fetch && !exports.fetch._patched) {
-        exports.fetch = async function (input, init) {
-          return globalThis.fetch(input, init);
-        };
-        exports.fetch._patched = true;
-        if (DEBUG) log("[cloudflare-proxy] Patched undici.fetch");
-      }
-      if (exports.request && !exports.request._patched) {
-        const origUndiciRequest = exports.request;
-        exports.request = async function(url, options) {
-          let parsedUrl;
-          try {
-            parsedUrl = new URL(url);
-          } catch(e) {
-            return origUndiciRequest.apply(this, arguments);
-          }
-          if (shouldProxyHost(parsedUrl.hostname)) {
-            if (DEBUG) log(`[cloudflare-proxy] Redirecting undici.request://${parsedUrl.hostname} -> ${proxy.hostname}`);
-            const headers = options?.headers || {};
-            headers["x-target-host"] = parsedUrl.hostname;
-            if (PROXY_SHARED_SECRET) headers["x-proxy-key"] = PROXY_SHARED_SECRET;
-            const proxiedUrl = new URL(parsedUrl.pathname + parsedUrl.search, proxy);
-            return origUndiciRequest.call(this, proxiedUrl, { ...options, headers });
-          }
-          return origUndiciRequest.apply(this, arguments);
-        };
-        exports.request._patched = true;
-        if (DEBUG) log("[cloudflare-proxy] Patched undici.request");
-      }
-    };
-    // Patch already loaded undici instances
-    for (const key in require.cache) {
-      if (key.includes('/undici/') || key.endsWith('/undici/index.js')) {
-        try { patchUndiciInstance(require.cache[key].exports); } catch (e) {}
-      }
-    }
-    // Try to require undici immediately to patch it before others use it
-    try {
-      const undici = require("undici");
-      patchUndiciInstance(undici);
-    } catch (e) {}
-    // Intercept future undici requirements
-    const Module = require("module");
-    const originalRequire = Module.prototype.require;
-    Module.prototype.require = function (id) {
-      const exports = originalRequire.apply(this, arguments);
-      if (id === "undici" || id.includes("/undici/")) {
-        patchUndiciInstance(exports);
-      }
-      return exports;
-    };
     if (DEBUG) {
       log(`[cloudflare-proxy] Target proxy: ${proxy.hostname}`);
-      log(`[cloudflare-proxy] Proxying: ${PROXY_ALL ? "ALL (except internal)" : BLOCKED_DOMAINS.join(", ")}`);
     }
   } catch (error) {
     log(`[cloudflare-proxy] Failed to initialize: ${error.message}`);
   }
 }

 /**
  * Cloudflare Proxy: Transparent Fix for Blocked Domains
  *
+ * Patches https.request/http.request/fetch to redirect traffic for blocked
+ * hosts through a Cloudflare Worker proxy.
  */
 "use strict";
 const https = require("https");
 const http = require("http");
+// Use stderr for logs to avoid breaking child processes that communicate via stdout JSON
+const log = (...args) => console.error(...args);
 let PROXY_URL = process.env.CLOUDFLARE_PROXY_URL;
 if (
   PROXY_URL &&
         normalized === "huggingface.co";
       const should = PROXY_ALL ? !isInternal : BLOCKED_DOMAINS.some(
+        (domain) =>
+          normalized === domain || normalized.endsWith(`.${domain}`),
       );
       if (DEBUG && should && normalized !== proxy.hostname) {
         log(`[cloudflare-proxy] Host match: ${normalized}`);
       }
       return should;
     };
         }
         const shouldProxy = shouldProxyHost(hostname);
         const alreadyProxied =
           options && typeof options === "object" && options._proxied;
         const hasTargetHeader =
         const proxiedUrl = new URL(url.pathname + url.search, proxy);
         if (request) {
+          return originalFetch(
+            new Request(proxiedUrl, {
+              method: request.method,
+              headers,
+              body: request.body,
+              redirect: request.redirect,
+              duplex: "half",
+            }),
+          );
         }
         return originalFetch(proxiedUrl, {
       };
     }
     if (DEBUG) {
+      log(`[cloudflare-proxy] Transparent proxy active in ${PROXY_ALL ? "wildcard" : "list"} mode`);
       log(`[cloudflare-proxy] Target proxy: ${proxy.hostname}`);
     }
   } catch (error) {
     log(`[cloudflare-proxy] Failed to initialize: ${error.message}`);
   }
 }

cloudflare-worker.js CHANGED Viewed

@@ -32,7 +32,13 @@ export default {
     if (proxySecret) {
       const providedSecret = request.headers.get("x-proxy-key") || "";
       if (providedSecret !== proxySecret) {
-        return new Response("Unauthorized", { status: 401 });
       }
     }

     if (proxySecret) {
       const providedSecret = request.headers.get("x-proxy-key") || "";
       if (providedSecret !== proxySecret) {
+        // Fallback: allow Telegram requests via apiRoot without secret if no x-target-host is provided
+        // and the path matches Telegram bot API pattern.
+        if (url.pathname.startsWith("/bot") && !targetHost) {
+          // Allowed
+        } else {
+          return new Response("Unauthorized", { status: 401 });
+        }
       }
     }

start.sh CHANGED Viewed

@@ -362,6 +362,7 @@ if [ -n "${TELEGRAM_BOT_TOKEN:-}" ]; then
     | .channels.telegram.botToken = $token
     | .channels.telegram.commands.native = false
     | .channels.telegram.timeoutSeconds = 60
     # | .channels.telegram.network.autoSelectFamily = false
     # | .channels.telegram.network.dnsResultOrder = "ipv4first"
     | .channels.telegram.retry = {

     | .channels.telegram.botToken = $token
     | .channels.telegram.commands.native = false
     | .channels.telegram.timeoutSeconds = 60
+    | (if $proxy_url != "" then .channels.telegram.apiRoot = $proxy_url else . end)
     # | .channels.telegram.network.autoSelectFamily = false
     # | .channels.telegram.network.dnsResultOrder = "ipv4first"
     | .channels.telegram.retry = {