Upload 2 files

app.js

@@ -0,0 +1,473 @@
+// © 2013 - 2016 Rob Wu <rob@robwu.nl>
+// Released under the MIT license
+
+'use strict';
+
+var httpProxy = require('http-proxy');
+var net = require('net');
+var url = require('url');
+var getProxyForUrl = require('proxy-from-env').getProxyForUrl;
+
+/**
+ * Check whether the specified hostname is valid.
+ *
+ * @param hostname {string} Host name (excluding port) of requested resource.
+ * @return {boolean} Whether the requested resource can be accessed.
+ */
+function isValidHostName(hostname) {
+    return !!(
+        hostname.indexOf('.') > 0 ||
+        net.isIPv4(hostname) ||
+        net.isIPv6(hostname)
+    );
+}
+
+/**
+ * Adds CORS headers to the response headers.
+ *
+ * @param headers {object} Response headers
+ * @param request {ServerRequest}
+ */
+function withCORS(headers, request) {
+    headers['access-control-allow-origin'] = '*';
+    var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge;
+    if (corsMaxAge) {
+        headers['access-control-max-age'] = corsMaxAge;
+    }
+    if (request.headers['access-control-request-method']) {
+        headers['access-control-allow-methods'] = request.headers['access-control-request-method'];
+        delete request.headers['access-control-request-method'];
+    }
+    if (request.headers['access-control-request-headers']) {
+        headers['access-control-allow-headers'] = request.headers['access-control-request-headers'];
+        delete request.headers['access-control-request-headers'];
+    }
+
+    headers['access-control-expose-headers'] = Object.keys(headers).join(',');
+
+    return headers;
+}
+
+/**
+ * Performs the actual proxy request.
+ *
+ * @param req {ServerRequest} Incoming http request
+ * @param res {ServerResponse} Outgoing (proxied) http request
+ * @param proxy {HttpProxy}
+ */
+function proxyRequest(req, res, proxy) {
+    var location = req.corsAnywhereRequestState.location;
+    req.url = location.path;
+
+    var proxyOptions = {
+        changeOrigin: false,
+        prependPath: false,
+        target: location,
+        headers: {
+            host: location.host,
+        },
+        // HACK: Get hold of the proxyReq object, because we need it later.
+        // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L144
+        buffer: {
+            pipe: function (proxyReq) {
+                var proxyReqOn = proxyReq.on;
+                // Intercepts the handler that connects proxyRes to res.
+                // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L146-L158
+                proxyReq.on = function (eventName, listener) {
+                    if (eventName !== 'response') {
+                        return proxyReqOn.call(this, eventName, listener);
+                    }
+                    return proxyReqOn.call(this, 'response', function (proxyRes) {
+                        if (onProxyResponse(proxy, proxyReq, proxyRes, req, res)) {
+                            try {
+                                listener(proxyRes);
+                            } catch (err) {
+                                // Wrap in try-catch because an error could occur:
+                                // "RangeError: Invalid status code: 0"
+                                // https://github.com/Rob--W/cors-anywhere/issues/95
+                                // https://github.com/nodejitsu/node-http-proxy/issues/1080
+
+                                // Forward error (will ultimately emit the 'error' event on our proxy object):
+                                // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L134
+                                proxyReq.emit('error', err);
+                            }
+                        }
+                    });
+                };
+                return req.pipe(proxyReq);
+            },
+        },
+    };
+
+    var proxyThroughUrl = req.corsAnywhereRequestState.getProxyForUrl(location.href);
+    if (proxyThroughUrl) {
+        proxyOptions.target = proxyThroughUrl;
+        proxyOptions.toProxy = true;
+        // If a proxy URL was set, req.url must be an absolute URL. Then the request will not be sent
+        // directly to the proxied URL, but through another proxy.
+        req.url = location.href;
+    }
+
+    // Start proxying the request
+    try {
+        proxy.web(req, res, proxyOptions);
+    } catch (err) {
+        proxy.emit('error', err, req, res);
+    }
+}
+
+/**
+ * This method modifies the response headers of the proxied response.
+ * If a redirect is detected, the response is not sent to the client,
+ * and a new request is initiated.
+ *
+ * client (req) -> CORS Anywhere -> (proxyReq) -> other server
+ * client (res) <- CORS Anywhere <- (proxyRes) <- other server
+ *
+ * @param proxy {HttpProxy}
+ * @param proxyReq {ClientRequest} The outgoing request to the other server.
+ * @param proxyRes {ServerResponse} The response from the other server.
+ * @param req {IncomingMessage} Incoming HTTP request, augmented with property corsAnywhereRequestState
+ * @param req.corsAnywhereRequestState {object}
+ * @param req.corsAnywhereRequestState.location {object} See parseURL
+ * @param req.corsAnywhereRequestState.getProxyForUrl {function} See proxyRequest
+ * @param req.corsAnywhereRequestState.proxyBaseUrl {string} Base URL of the CORS API endpoint
+ * @param req.corsAnywhereRequestState.maxRedirects {number} Maximum number of redirects
+ * @param req.corsAnywhereRequestState.redirectCount_ {number} Internally used to count redirects
+ * @param res {ServerResponse} Outgoing response to the client that wanted to proxy the HTTP request.
+ *
+ * @returns {boolean} true if http-proxy should continue to pipe proxyRes to res.
+ */
+function onProxyResponse(proxy, proxyReq, proxyRes, req, res) {
+    var requestState = req.corsAnywhereRequestState;
+
+    var statusCode = proxyRes.statusCode;
+
+    if (!requestState.redirectCount_) {
+        res.setHeader('x-request-url', requestState.location.href);
+    }
+    // Handle redirects
+    if (statusCode === 301 || statusCode === 302 || statusCode === 303 || statusCode === 307 || statusCode === 308) {
+        var locationHeader = proxyRes.headers.location;
+        var parsedLocation;
+        if (locationHeader) {
+            locationHeader = url.resolve(requestState.location.href, locationHeader);
+            parsedLocation = parseURL(locationHeader);
+        }
+        if (parsedLocation) {
+            if (statusCode === 301 || statusCode === 302 || statusCode === 303) {
+                // Exclude 307 & 308, because they are rare, and require preserving the method + request body
+                requestState.redirectCount_ = requestState.redirectCount_ + 1 || 1;
+                if (requestState.redirectCount_ <= requestState.maxRedirects) {
+                    // Handle redirects within the server, because some clients (e.g. Android Stock Browser)
+                    // cancel redirects.
+                    // Set header for debugging purposes. Do not try to parse it!
+                    res.setHeader('X-CORS-Redirect-' + requestState.redirectCount_, statusCode + ' ' + locationHeader);
+
+                    req.method = 'GET';
+                    req.headers['content-length'] = '0';
+                    delete req.headers['content-type'];
+                    requestState.location = parsedLocation;
+
+                    // Remove all listeners (=reset events to initial state)
+                    req.removeAllListeners();
+
+                    // Remove the error listener so that the ECONNRESET "error" that
+                    // may occur after aborting a request does not propagate to res.
+                    // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L134
+                    proxyReq.removeAllListeners('error');
+                    proxyReq.once('error', function catchAndIgnoreError() { });
+                    proxyReq.abort();
+
+                    // Initiate a new proxy request.
+                    proxyRequest(req, res, proxy);
+                    return false;
+                }
+            }
+            proxyRes.headers.location = requestState.proxyBaseUrl + '/' + locationHeader;
+        }
+    }
+
+    // Strip cookies
+    delete proxyRes.headers['set-cookie'];
+    delete proxyRes.headers['set-cookie2'];
+
+    proxyRes.headers['x-final-url'] = requestState.location.href;
+    withCORS(proxyRes.headers, req);
+    return true;
+}
+
+/**
+ * @param req_url {string} The requested URL (scheme is optional).
+ * @return {object} URL parsed using url.parse
+ */
+function parseURL(req_url) {
+
+    var host = req_url.slice(0, 8);
+
+    if (host.startsWith('/')){
+        return null;
+    } else if (host.includes("://")) {
+
+    } else if (host.includes(':/')) {
+        req_url = new URL(req_url).href;
+    } else {
+        req_url = "http://" + req_url;
+    }
+
+    return url.parse(req_url);
+}
+
+// Request handler factory
+function getHandler(options, proxy) {
+    var corsAnywhere = {
+        getProxyForUrl: getProxyForUrl, // Function that specifies the proxy to use
+        maxRedirects: 5,                // Maximum number of redirects to be followed.
+        keywordBlacklist: [],           // Requests from these keywords will be blocked.
+        originBlacklist: [],            // Requests from these origins will be blocked.
+        originWhitelist: [],            // If non-empty, requests not from an origin in this list will be blocked.
+        checkRateLimit: null,           // Function that may enforce a rate-limit by returning a non-empty string.
+        redirectSameOrigin: false,      // Redirect the client to the requested URL for same-origin requests.
+        requireHeader: null,            // Require a header to be set?
+        removeHeaders: [],              // Strip these request headers.
+        setHeaders: {},                 // Set these request headers.
+        corsMaxAge: 0                   // If set, an Access-Control-Max-Age header with this value (in seconds) will be added.
+    };
+
+    Object.keys(corsAnywhere).forEach(function (option) {
+        if (Object.prototype.hasOwnProperty.call(options, option)) {
+            corsAnywhere[option] = options[option];
+        }
+    });
+
+    // Convert corsAnywhere.requireHeader to an array of lowercase header names, or null.
+    if (corsAnywhere.requireHeader) {
+        if (typeof corsAnywhere.requireHeader === 'string') {
+            corsAnywhere.requireHeader = [corsAnywhere.requireHeader.toLowerCase()];
+        } else if (!Array.isArray(corsAnywhere.requireHeader) || corsAnywhere.requireHeader.length === 0) {
+            corsAnywhere.requireHeader = null;
+        } else {
+            corsAnywhere.requireHeader = corsAnywhere.requireHeader.map(function (headerName) {
+                return headerName.toLowerCase();
+            });
+        }
+    }
+    var hasRequiredHeaders = function (headers) {
+        return !corsAnywhere.requireHeader || corsAnywhere.requireHeader.some(function (headerName) {
+            return Object.hasOwnProperty.call(headers, headerName);
+        });
+    };
+
+    return function (req, res) {
+        req.corsAnywhereRequestState = {
+            getProxyForUrl: corsAnywhere.getProxyForUrl,
+            maxRedirects: corsAnywhere.maxRedirects,
+            corsMaxAge: corsAnywhere.corsMaxAge,
+        };
+
+        let clientip = req.headers['x-forwarded-for'] || // 判断是否有反向代理 IP
+            req.connection.remoteAddress || // 判断 connection 的远程 IP
+            req.socket.remoteAddress || // 判断后端的 socket 的 IP
+            req.connection.socket.remoteAddress;
+
+        console.log(JSON.stringify([
+            new Date().toISOString(),
+            req.method,
+            req.url,
+            clientip,
+            req.headers["user-agent"]
+        ]));
+
+        var cors_headers = withCORS({}, req);
+        if (req.method === 'OPTIONS') {
+            // Pre-flight request. Reply successfully:
+            res.writeHead(200, cors_headers);
+            res.end();
+            return;
+        }
+
+        //var location = parseURL(decodeURIComponent(req.url.slice(1)));
+        try {
+            var raw = req.url;
+            var idx = raw.indexOf('/', 1);
+            var url = raw.slice(idx + 1);
+            var location = parseURL(url);
+        }catch(err){
+            console.log(err.message);
+        }
+
+        if (!location) {
+            // Invalid API call. Show how to correctly use the API
+            res.writeHead(200, { 'Content-Type': 'text/plain' });
+            res.end('404');
+            return;
+        }
+
+        if (location.host === 'iscorsneeded') {
+            // Is CORS needed? This path is provided so that API consumers can test whether it's necessary
+            // to use CORS. The server's reply is always No, because if they can read it, then CORS headers
+            // are not necessary.
+            res.writeHead(200, { 'Content-Type': 'text/plain' });
+            res.end('no');
+            return;
+        }
+
+        if (location.port > 65535) {
+            // Port is higher than 65535
+            res.writeHead(400, 'Invalid port', cors_headers);
+            res.end('Port number too large: ' + location.port);
+            return;
+        }
+
+        if (!/^\/https?:/.test(req.url) && !isValidHostName(location.hostname)) {
+            // Don't even try to proxy invalid hosts (such as /favicon.ico, /robots.txt)
+            res.writeHead(404, 'Invalid host', cors_headers);
+            res.end('Invalid host: ' + location.hostname);
+            return;
+        }
+        //location = new URL(location).href;
+
+        if (!hasRequiredHeaders(req.headers)) {
+            res.writeHead(400, 'Header required', cors_headers);
+            res.end('Missing required request header. Must specify one of: ' + corsAnywhere.requireHeader);
+            return;
+        }
+
+        if (corsAnywhere.keywordBlacklist.filter(x => location.href.indexOf(x) >= 0).length > 0) {
+            res.writeHead(403, 'Forbidden', cors_headers);
+            res.end('The keyword "' + corsAnywhere.keywordBlacklist.join(" ") + '" was blacklisted by the operator of this proxy.');
+            return;
+        }
+
+        if (corsAnywhere.originBlacklist.indexOf(location.hostname) >= 0) {
+            res.writeHead(403, 'Forbidden', cors_headers);
+            res.end('The origin "' + location.hostname + '" was blacklisted by the operator of this proxy.');
+            return;
+        }
+
+        if (corsAnywhere.originWhitelist.length && corsAnywhere.originWhitelist.indexOf(location.hostname) === -1) {
+            res.writeHead(403, 'Forbidden', cors_headers);
+            res.end('The origin "' + location.hostname + '" was not whitelisted by the operator of this proxy.');
+            return;
+        }
+
+        var origin = req.headers.origin || '';
+
+        if (corsAnywhere.redirectSameOrigin && origin && location.href[origin.length] === '/' &&
+            location.href.lastIndexOf(origin, 0) === 0) {
+            // Send a permanent redirect to offload the server. Badly coded clients should not waste our resources.
+            cors_headers.vary = 'origin';
+            cors_headers['cache-control'] = 'private';
+            cors_headers.location = location.href;
+            res.writeHead(301, 'Please use a direct request', cors_headers);
+            res.end();
+            return;
+        }
+
+        var isRequestedOverHttps = req.connection.encrypted || /^\s*https/.test(req.headers['x-forwarded-proto']);
+        var proxyBaseUrl = (isRequestedOverHttps ? 'https://' : 'http://') + req.headers.host;
+
+        corsAnywhere.removeHeaders.forEach(function (header) {
+            delete req.headers[header];
+        });
+
+        Object.keys(corsAnywhere.setHeaders).forEach(function (header) {
+            req.headers[header] = corsAnywhere.setHeaders[header];
+        });
+
+        var host = raw.slice(1, idx);
+        var referer = host.indexOf('.') != -1 ? 'https://' + host : location.href;
+        console.log('网址' + location.href + ' 来路' + referer)
+        req.headers.referer = referer;
+
+        req.corsAnywhereRequestState.location = location;
+        req.corsAnywhereRequestState.proxyBaseUrl = proxyBaseUrl;
+
+        proxyRequest(req, res, proxy);
+    };
+}
+
+// Create server with default and given values
+// Creator still needs to call .listen()
+function createServer(options) {
+    options = options || {};
+
+    // Default options:
+    var httpProxyOptions = {
+        xfwd: true,            // Append X-Forwarded-* headers
+    };
+    // Allow user to override defaults and add own options
+    if (options.httpProxyOptions) {
+        Object.keys(options.httpProxyOptions).forEach(function (option) {
+            httpProxyOptions[option] = options.httpProxyOptions[option];
+        });
+    }
+
+    var proxy = httpProxy.createServer(httpProxyOptions);
+    var requestHandler = getHandler(options, proxy);
+    var server;
+    if (options.httpsOptions) {
+        server = require('https').createServer(options.httpsOptions, requestHandler);
+    } else {
+        server = require('http').createServer(requestHandler);
+    }
+
+    // When the server fails, just show a 404 instead of Internal server error
+    proxy.on('error', function (err, req, res) {
+        if (res.headersSent) {
+            // This could happen when a protocol error occurs when an error occurs
+            // after the headers have been received (and forwarded). Do not write
+            // the headers because it would generate an error.
+            // Prior to Node 13.x, the stream would have ended.
+            // As of Node 13.x, we must explicitly close it.
+            if (res.writableEnded === false) {
+                res.end();
+            }
+            return;
+        }
+
+        // When the error occurs after setting headers but before writing the response,
+        // then any previously set headers must be removed.
+        var headerNames = res.getHeaderNames ? res.getHeaderNames() : Object.keys(res._headers || {});
+        headerNames.forEach(function (name) {
+            res.removeHeader(name);
+        });
+
+        res.writeHead(404, { 'Access-Control-Allow-Origin': '*' });
+        res.end('Not found because of proxy error: ' + err);
+    });
+
+    return server;
+};
+
+process.on('uncaughtException', function (exception) {
+    console.log(exception);
+});
+
+// ========================== Start ==========================
+
+// Listen on a specific host via the HOST environment variable
+var host = process.env.HOST || '0.0.0.0';
+// Listen on a specific port via the PORT environment variable
+var port = process.env.PORT || 3000;
+
+createServer({
+    // 移除头部的Key
+    removeHeaders: [
+        'x-heroku-queue-wait-time',
+        'x-heroku-queue-depth',
+        'x-heroku-dynos-in-use',
+        'x-request-start',
+    ],
+    keywordBlacklist: [".mpd", ".m4v"],// 阻断的关键字
+    originBlacklist: [],// 阻断的名单
+    originWhitelist: [],// 如果不为空，只允许白名单
+    redirectSameOrigin: true,
+    // http-proxy 组件选项配置
+    httpProxyOptions: {
+        xfwd: false,// 是否添加 X-Forwarded-For 头
+        secure: false // ignore ssl
+    },
+}).listen(port, host, function () {
+    console.log(new Date().toISOString() + ' Running CORS Anywhere on ' + host + ':' + port);
+});

package.json

@@ -0,0 +1,30 @@
+{
+  "name": "netnr-proxy",
+  "version": "0.0.2",
+  "description": "CORS Anywhere is a reverse proxy which adds CORS headers to the proxied request. Request URL is taken from the path",
+  "main": "app.js",
+  "scripts": {
+    "start": "node app.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/netnr/proxy.git"
+  },
+  "keywords": [
+    "cors",
+    "cross-domain",
+    "http-proxy",
+    "proxy"
+  ],
+  "author": "netnr",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/netnr/proxy/issues/"
+  },
+  "homepage": "https://github.com/netnr/proxy#readme",
+  "dependencies": {
+    "crypto-js": "^4.1.1",
+    "http-proxy": "1.18.1",
+    "proxy-from-env": "1.1.0"
+  }
+}