feat: 切换到 FastAPI 门控

Caddyfile

@@ -1,15 +0,0 @@
-:7860 {
-    # 健康检查不需要认证
-    @health path /healthz
-    handle @health {
-        respond "ok" 200
-    }
-
-    # 其他请求走基础认证后转发到 pdf2zh_next
-    handle {
-        basic_auth {
-            import /etc/caddy/users.auth
-        }
-        reverse_proxy 127.0.0.1:7861
-    }
-}

Dockerfile

@@ -14,8 +14,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         libgomp1 \
     && rm -rf /var/lib/apt/lists/*
 
-# 从官方镜像直接复制 caddy 和 uv 二进制
-COPY --from=caddy:latest /usr/bin/caddy /usr/local/bin/caddy
+# 从官方镜像复制 uv 二进制
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
 
 ENV PATH="/root/.local/bin:${PATH}" \
@@ -27,8 +26,13 @@ ENV PATH="/root/.local/bin:${PATH}" \
 # 安装 pdf2zh-next
 RUN uv tool install --python 3.12 pdf2zh-next
 
-# 复制并启用配置
-COPY Caddyfile /etc/caddy/Caddyfile
+# 安装网关依赖
+RUN uv pip install --python 3.12 \
+    "fastapi>=0.115" "uvicorn[standard]>=0.32" "httpx>=0.28" \
+    python-multipart bcrypt itsdangerous websockets
+
+# 复制网关和启动脚本
+COPY gateway.py /gateway.py
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 

entrypoint.sh

@@ -1,67 +1,36 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# 解析 HF Secret，支持多行或 \n 形式
+# 验证必需的环境变量
 RAW_USERS="${BASIC_AUTH_USERS:-}"
 if [[ -z "${RAW_USERS}" ]]; then
     echo "[ERROR] BASIC_AUTH_USERS is required. Use one 'username:password' per line." >&2
     exit 1
 fi
-RAW_USERS="${RAW_USERS//\\n/$'\n'}"
 
-AUTH_FILE="/etc/caddy/users.auth"
-> "${AUTH_FILE}"
-chmod 600 "${AUTH_FILE}"
-
-# 逐行生成 caddy 可用的哈希密码
-while IFS= read -r line || [[ -n "${line}" ]]; do
-    line="${line%$'\r'}"
-    [[ -z "${line}" ]] && continue
-    [[ "${line}" == \#* ]] && continue
-
-    if [[ "${line}" != *:* ]]; then
-        echo "[ERROR] Invalid BASIC_AUTH_USERS line: '${line}'" >&2
-        exit 1
-    fi
-
-    user="${line%%:*}"
-    pass="${line#*:}"
-    if [[ -z "${user}" || -z "${pass}" ]]; then
-        echo "[ERROR] Empty username or password is not allowed: '${line}'" >&2
-        exit 1
-    fi
-
-    hash="$(caddy hash-password --plaintext "${pass}")"
-    printf "%s %s\n" "${user}" "${hash}" >> "${AUTH_FILE}"
-done <<< "${RAW_USERS}"
-
-if [[ ! -s "${AUTH_FILE}" ]]; then
-    echo "[ERROR] No valid user entries found in BASIC_AUTH_USERS." >&2
-    exit 1
-fi
-
-# 固定内部监听，确保只能经由 caddy 访问
+# 固定内部监听，确保 pdf2zh_next 只能经由网关访问
 export GRADIO_SERVER_NAME="${GRADIO_SERVER_NAME:-127.0.0.1}"
 export GRADIO_SERVER_PORT="${GRADIO_SERVER_PORT:-7861}"
-# 一些 gradio 应用会优先读取 PORT；这里强制覆盖避免与 caddy 的 7860 冲突
+# 部分 Gradio 应用优先读取 PORT；强制覆盖避免与网关的 7860 冲突
 export PORT="${GRADIO_SERVER_PORT}"
 
 echo "[INFO] Starting pdf2zh_next on ${GRADIO_SERVER_NAME}:${GRADIO_SERVER_PORT}"
 pdf2zh_next --gui --server-port "${GRADIO_SERVER_PORT}" &
 PDF_PID=$!
 
-echo "[INFO] Starting caddy on :7860"
-caddy run --config /etc/caddy/Caddyfile &
-CADDY_PID=$!
+echo "[INFO] Starting gateway on :7860"
+cd / && uv run --python 3.12 --no-project python -m uvicorn gateway:app \
+    --host 0.0.0.0 --port 7860 --log-level info &
+GW_PID=$!
 
 cleanup() {
-    kill "${PDF_PID}" "${CADDY_PID}" 2>/dev/null || true
+    kill "${PDF_PID}" "${GW_PID}" 2>/dev/null || true
 }
 trap cleanup INT TERM EXIT
 
 # 任一进程退出都结束容器
 set +e
-wait -n "${PDF_PID}" "${CADDY_PID}"
+wait -n "${PDF_PID}" "${GW_PID}"
 EXIT_CODE=$?
 set -e
 echo "[ERROR] A service exited unexpectedly. Shutting down."

gateway.py

@@ -0,0 +1,368 @@
+#!/usr/bin/env python3
+"""FastAPI 认证网关：Session 登录 + 反向代理到 pdf2zh_next(:7861)。
+
+架构：用户 → Gateway(:7860) [Session Auth] → pdf2zh_next(:7861)
+"""
+
+import asyncio
+import logging
+import os
+import secrets
+from typing import Optional
+
+import bcrypt
+import httpx
+import websockets
+import websockets.exceptions
+from fastapi import FastAPI, Form, Request, WebSocket
+from fastapi.responses import HTMLResponse, RedirectResponse, Response, StreamingResponse
+from itsdangerous import BadSignature, SignatureExpired, TimestampSigner
+from starlette.background import BackgroundTask
+
+# ── 配置 ──────────────────────────────────────────────────────────────────────
+UPSTREAM_HTTP = "http://127.0.0.1:7861"
+UPSTREAM_WS = "ws://127.0.0.1:7861"
+SESSION_COOKIE = "gw_session"
+SESSION_MAX_AGE = 86400  # 24 小时
+
+SECRET_KEY = os.environ.get("SESSION_SECRET") or secrets.token_hex(32)
+signer = TimestampSigner(SECRET_KEY)
+
+# hop-by-hop headers（不透传给上游或客户端）
+HOP_BY_HOP = frozenset(
+    [
+        "connection",
+        "keep-alive",
+        "proxy-authenticate",
+        "proxy-authorization",
+        "te",
+        "trailers",
+        "transfer-encoding",
+        "upgrade",
+    ]
+)
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s %(levelname)s %(name)s - %(message)s",
+)
+logger = logging.getLogger("gateway")
+
+
+# ── 用户加载与认证 ────────────────────────────────────────────────────────────
+def _load_users() -> dict[str, str]:
+    """从 BASIC_AUTH_USERS 环境变量加载用户名和明文密码。
+
+    支持格式：每行 `username:password`，支持 \\n 转义的单行形式。
+    """
+    raw = os.environ.get("BASIC_AUTH_USERS", "").replace("\\n", "\n")
+    users: dict[str, str] = {}
+    for line in raw.splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if ":" not in line:
+            logger.warning("Skipping invalid BASIC_AUTH_USERS line (no colon)")
+            continue
+        username, password = line.split(":", 1)
+        if username and password:
+            users[username] = password
+    if not users:
+        logger.error("No valid users found — authentication will always fail")
+    return users
+
+
+USERS = _load_users()
+
+
+def _verify_credentials(username: str, password: str) -> bool:
+    """验证用户名密码，使用 secrets.compare_digest 防止时序攻击。
+
+    支持明文密码和 bcrypt 哈希（以 $2b$ 开头）。
+    """
+    stored = USERS.get(username)
+    if stored is None:
+        return False
+    if stored.startswith("$2"):
+        # bcrypt 哈希
+        return bcrypt.checkpw(password.encode(), stored.encode())
+    # 明文对比
+    return secrets.compare_digest(stored, password)
+
+
+# ── Session 签名 ──────────────────────────────────────────────────────────────
+def _make_session(username: str) -> str:
+    return signer.sign(username).decode()
+
+
+def _verify_session(token: str) -> Optional[str]:
+    try:
+        return signer.unsign(token, max_age=SESSION_MAX_AGE).decode()
+    except (BadSignature, SignatureExpired):
+        return None
+
+
+def _get_session(request: Request) -> Optional[str]:
+    token = request.cookies.get(SESSION_COOKIE)
+    return _verify_session(token) if token else None
+
+
+# ── 登录页 HTML ───────────────────────────────────────────────────────────────
+_LOGIN_HTML = """\
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Sign In</title>
+<style>
+  *, *::before, *::after {{ box-sizing: border-box; margin: 0; padding: 0; }}
+  body {{
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: linear-gradient(135deg, #f0f2f5 0%, #e4e8f0 100%);
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+  }}
+  .card {{
+    background: #fff;
+    border-radius: 14px;
+    box-shadow: 0 6px 32px rgba(0, 0, 0, 0.10);
+    padding: 44px 40px;
+    width: 100%;
+    max-width: 400px;
+  }}
+  h1 {{ font-size: 1.5rem; font-weight: 700; color: #111827; margin-bottom: 6px; }}
+  p.sub {{ font-size: 0.875rem; color: #6b7280; margin-bottom: 30px; }}
+  label {{ display: block; font-size: 0.8rem; font-weight: 600; color: #374151; margin-bottom: 6px; }}
+  input[type=text], input[type=password] {{
+    width: 100%;
+    padding: 11px 14px;
+    border: 1.5px solid #e5e7eb;
+    border-radius: 8px;
+    font-size: 0.95rem;
+    outline: none;
+    transition: border-color 0.15s;
+    margin-bottom: 20px;
+    color: #111827;
+  }}
+  input:focus {{ border-color: #4f6ef7; box-shadow: 0 0 0 3px rgba(79,110,247,0.12); }}
+  button {{
+    width: 100%;
+    padding: 12px;
+    background: linear-gradient(135deg, #4f6ef7 0%, #3b5bdb 100%);
+    color: #fff;
+    border: none;
+    border-radius: 8px;
+    font-size: 1rem;
+    font-weight: 600;
+    cursor: pointer;
+    transition: opacity 0.15s;
+    letter-spacing: 0.01em;
+  }}
+  button:hover {{ opacity: 0.88; }}
+  .error {{
+    background: #fef2f2;
+    border: 1.5px solid #fecaca;
+    border-radius: 8px;
+    padding: 10px 14px;
+    font-size: 0.875rem;
+    color: #dc2626;
+    margin-bottom: 20px;
+  }}
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Welcome back</h1>
+  <p class="sub">Sign in to continue</p>
+  {error_block}
+  <form method="post" action="/login">
+    <label for="u">Username</label>
+    <input id="u" type="text" name="username" autocomplete="username" required autofocus>
+    <label for="p">Password</label>
+    <input id="p" type="password" name="password" autocomplete="current-password" required>
+    <button type="submit">Sign in</button>
+  </form>
+</div>
+</body>
+</html>
+"""
+
+
+def _login_page(error: str = "") -> str:
+    error_block = f'<div class="error">{error}</div>' if error else ""
+    return _LOGIN_HTML.format(error_block=error_block)
+
+
+# ── FastAPI App ───────────────────────────────────────────────────────────────
+app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
+
+_http_client: Optional[httpx.AsyncClient] = None
+
+
+@app.on_event("startup")
+async def _startup() -> None:
+    global _http_client
+    _http_client = httpx.AsyncClient(
+        base_url=UPSTREAM_HTTP,
+        follow_redirects=False,
+        timeout=httpx.Timeout(60.0),
+    )
+    logger.info("Gateway started. Upstream: %s", UPSTREAM_HTTP)
+
+
+@app.on_event("shutdown")
+async def _shutdown() -> None:
+    if _http_client:
+        await _http_client.aclose()
+
+
+# ── 路由：无需认证 ─────────────────────────────────────────────────────────────
+@app.get("/healthz")
+async def healthz() -> Response:
+    return Response("ok", media_type="text/plain")
+
+
+@app.get("/login", response_class=HTMLResponse)
+async def login_page(request: Request) -> HTMLResponse:
+    if _get_session(request):
+        return RedirectResponse("/", status_code=302)
+    return HTMLResponse(_login_page())
+
+
+@app.post("/login")
+async def login(
+    request: Request,
+    username: str = Form(...),
+    password: str = Form(...),
+) -> Response:
+    next_url = request.query_params.get("next", "/")
+    if _verify_credentials(username, password):
+        token = _make_session(username)
+        resp = RedirectResponse(next_url, status_code=303)
+        resp.set_cookie(
+            SESSION_COOKIE,
+            token,
+            max_age=SESSION_MAX_AGE,
+            httponly=True,
+            samesite="lax",
+        )
+        logger.info("Login successful: %s", username)
+        return resp
+    logger.warning("Login failed: %s", username)
+    return HTMLResponse(_login_page("Invalid username or password."), status_code=401)
+
+
+@app.get("/logout")
+async def logout() -> Response:
+    resp = RedirectResponse("/login", status_code=302)
+    resp.delete_cookie(SESSION_COOKIE)
+    return resp
+
+
+# ── 路由：WebSocket 透传（Gradio 依赖） ────────────────────────────────────────
+@app.websocket("/{path:path}")
+async def ws_proxy(websocket: WebSocket, path: str) -> None:
+    """WebSocket 透传：验证 session 后桥接到上游。"""
+    token = websocket.cookies.get(SESSION_COOKIE)
+    if not token or not _verify_session(token):
+        await websocket.close(code=1008)  # Policy Violation
+        return
+
+    await websocket.accept()
+
+    qs = websocket.scope.get("query_string", b"").decode()
+    upstream_url = f"{UPSTREAM_WS}/{path}"
+    if qs:
+        upstream_url += f"?{qs}"
+
+    try:
+        async with websockets.connect(upstream_url) as upstream:
+
+            async def _client_to_upstream() -> None:
+                try:
+                    while True:
+                        data = await websocket.receive()
+                        if data["type"] == "websocket.disconnect":
+                            break
+                        msg = data.get("bytes") or data.get("text")
+                        if msg is not None:
+                            await upstream.send(msg)
+                except Exception:
+                    pass
+                finally:
+                    await upstream.close()
+
+            async def _upstream_to_client() -> None:
+                try:
+                    async for msg in upstream:
+                        if isinstance(msg, bytes):
+                            await websocket.send_bytes(msg)
+                        else:
+                            await websocket.send_text(msg)
+                except Exception:
+                    pass
+
+            tasks = [
+                asyncio.create_task(_client_to_upstream()),
+                asyncio.create_task(_upstream_to_client()),
+            ]
+            _done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
+            for t in pending:
+                t.cancel()
+
+    except websockets.exceptions.WebSocketException as exc:
+        logger.debug("WS proxy closed: %s", exc)
+    except Exception as exc:
+        logger.debug("WS proxy error: %s", exc)
+
+
+# ── 路由：HTTP 反向代理 ────────────────────────────────────────────────────────
+@app.api_route(
+    "/{path:path}",
+    methods=["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"],
+)
+async def http_proxy(request: Request, path: str) -> Response:
+    """HTTP 反向代理：需要 session，流式转发请求和响应。"""
+    if not _get_session(request):
+        if request.method == "GET":
+            dest = f"/{path}" if path else "/"
+            return RedirectResponse(f"/login?next={dest}", status_code=302)
+        return Response("Unauthorized", status_code=401)
+
+    # 构建上游请求头
+    headers = {
+        k: v
+        for k, v in request.headers.items()
+        if k.lower() not in HOP_BY_HOP and k.lower() != "host"
+    }
+
+    url = f"/{path}"
+    if request.url.query:
+        url += f"?{request.url.query}"
+
+    # 读取请求体（对于大文件可换成流式，但原型够用）
+    body = await request.body()
+
+    upstream_req = _http_client.build_request(
+        request.method,
+        url,
+        headers=headers,
+        content=body,
+    )
+    upstream_resp = await _http_client.send(upstream_req, stream=True)
+
+    resp_headers = {
+        k: v
+        for k, v in upstream_resp.headers.items()
+        if k.lower() not in HOP_BY_HOP
+    }
+
+    return StreamingResponse(
+        upstream_resp.aiter_bytes(),
+        status_code=upstream_resp.status_code,
+        headers=resp_headers,
+        background=BackgroundTask(upstream_resp.aclose),
+    )