// © 2013 - 2016 Rob Wu // Released under the MIT license 'use strict'; var httpProxy = require('http-proxy'); var net = require('net'); var url = require('url'); var getProxyForUrl = require('proxy-from-env').getProxyForUrl; /** * Check whether the specified hostname is valid. * * @param hostname {string} Host name (excluding port) of requested resource. * @return {boolean} Whether the requested resource can be accessed. */ function isValidHostName(hostname) { return !!( hostname.indexOf('.') > 0 || net.isIPv4(hostname) || net.isIPv6(hostname) ); } /** * Adds CORS headers to the response headers. * * @param headers {object} Response headers * @param request {ServerRequest} */ function withCORS(headers, request) { headers['access-control-allow-origin'] = '*'; var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge; if (corsMaxAge) { headers['access-control-max-age'] = corsMaxAge; } if (request.headers['access-control-request-method']) { headers['access-control-allow-methods'] = request.headers['access-control-request-method']; delete request.headers['access-control-request-method']; } if (request.headers['access-control-request-headers']) { headers['access-control-allow-headers'] = request.headers['access-control-request-headers']; delete request.headers['access-control-request-headers']; } headers['access-control-expose-headers'] = Object.keys(headers).join(','); return headers; } /** * Performs the actual proxy request. * * @param req {ServerRequest} Incoming http request * @param res {ServerResponse} Outgoing (proxied) http request * @param proxy {HttpProxy} */ function proxyRequest(req, res, proxy) { var location = req.corsAnywhereRequestState.location; req.url = location.path; var proxyOptions = { changeOrigin: false, prependPath: false, target: location, headers: { host: location.host, }, // HACK: Get hold of the proxyReq object, because we need it later. // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L144 buffer: { pipe: function (proxyReq) { var proxyReqOn = proxyReq.on; // Intercepts the handler that connects proxyRes to res. // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L146-L158 proxyReq.on = function (eventName, listener) { if (eventName !== 'response') { return proxyReqOn.call(this, eventName, listener); } return proxyReqOn.call(this, 'response', function (proxyRes) { if (onProxyResponse(proxy, proxyReq, proxyRes, req, res)) { try { listener(proxyRes); } catch (err) { // Wrap in try-catch because an error could occur: // "RangeError: Invalid status code: 0" // https://github.com/Rob--W/cors-anywhere/issues/95 // https://github.com/nodejitsu/node-http-proxy/issues/1080 // Forward error (will ultimately emit the 'error' event on our proxy object): // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L134 proxyReq.emit('error', err); } } }); }; return req.pipe(proxyReq); }, }, }; var proxyThroughUrl = req.corsAnywhereRequestState.getProxyForUrl(location.href); if (proxyThroughUrl) { proxyOptions.target = proxyThroughUrl; proxyOptions.toProxy = true; // If a proxy URL was set, req.url must be an absolute URL. Then the request will not be sent // directly to the proxied URL, but through another proxy. req.url = location.href; } // Start proxying the request try { proxy.web(req, res, proxyOptions); } catch (err) { proxy.emit('error', err, req, res); } } /** * This method modifies the response headers of the proxied response. * If a redirect is detected, the response is not sent to the client, * and a new request is initiated. * * client (req) -> CORS Anywhere -> (proxyReq) -> other server * client (res) <- CORS Anywhere <- (proxyRes) <- other server * * @param proxy {HttpProxy} * @param proxyReq {ClientRequest} The outgoing request to the other server. * @param proxyRes {ServerResponse} The response from the other server. * @param req {IncomingMessage} Incoming HTTP request, augmented with property corsAnywhereRequestState * @param req.corsAnywhereRequestState {object} * @param req.corsAnywhereRequestState.location {object} See parseURL * @param req.corsAnywhereRequestState.getProxyForUrl {function} See proxyRequest * @param req.corsAnywhereRequestState.proxyBaseUrl {string} Base URL of the CORS API endpoint * @param req.corsAnywhereRequestState.maxRedirects {number} Maximum number of redirects * @param req.corsAnywhereRequestState.redirectCount_ {number} Internally used to count redirects * @param res {ServerResponse} Outgoing response to the client that wanted to proxy the HTTP request. * * @returns {boolean} true if http-proxy should continue to pipe proxyRes to res. */ function onProxyResponse(proxy, proxyReq, proxyRes, req, res) { var requestState = req.corsAnywhereRequestState; var statusCode = proxyRes.statusCode; if (!requestState.redirectCount_) { res.setHeader('x-request-url', requestState.location.href); } // Handle redirects if (statusCode === 301 || statusCode === 302 || statusCode === 303 || statusCode === 307 || statusCode === 308) { var locationHeader = proxyRes.headers.location; var parsedLocation; if (locationHeader) { locationHeader = url.resolve(requestState.location.href, locationHeader); parsedLocation = parseURL(locationHeader); } if (parsedLocation) { if (statusCode === 301 || statusCode === 302 || statusCode === 303) { // Exclude 307 & 308, because they are rare, and require preserving the method + request body requestState.redirectCount_ = requestState.redirectCount_ + 1 || 1; if (requestState.redirectCount_ <= requestState.maxRedirects) { // Handle redirects within the server, because some clients (e.g. Android Stock Browser) // cancel redirects. // Set header for debugging purposes. Do not try to parse it! res.setHeader('X-CORS-Redirect-' + requestState.redirectCount_, statusCode + ' ' + locationHeader); req.method = 'GET'; req.headers['content-length'] = '0'; delete req.headers['content-type']; requestState.location = parsedLocation; // Remove all listeners (=reset events to initial state) req.removeAllListeners(); // Remove the error listener so that the ECONNRESET "error" that // may occur after aborting a request does not propagate to res. // https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L134 proxyReq.removeAllListeners('error'); proxyReq.once('error', function catchAndIgnoreError() { }); proxyReq.abort(); // Initiate a new proxy request. proxyRequest(req, res, proxy); return false; } } proxyRes.headers.location = requestState.proxyBaseUrl + '/' + locationHeader; } } // Strip cookies delete proxyRes.headers['set-cookie']; delete proxyRes.headers['set-cookie2']; proxyRes.headers['x-final-url'] = requestState.location.href; withCORS(proxyRes.headers, req); return true; } /** * @param req_url {string} The requested URL (scheme is optional). * @return {object} URL parsed using url.parse */ function parseURL(req_url) { var host = req_url.slice(0, 8); if (host.startsWith('/')){ return null; } else if (host.includes("://")) { } else if (host.includes(':/')) { req_url = new URL(req_url).href; } else { req_url = "http://" + req_url; } return url.parse(req_url); } // Request handler factory function getHandler(options, proxy) { var corsAnywhere = { getProxyForUrl: getProxyForUrl, // Function that specifies the proxy to use maxRedirects: 5, // Maximum number of redirects to be followed. keywordBlacklist: [], // Requests from these keywords will be blocked. originBlacklist: [], // Requests from these origins will be blocked. originWhitelist: [], // If non-empty, requests not from an origin in this list will be blocked. checkRateLimit: null, // Function that may enforce a rate-limit by returning a non-empty string. redirectSameOrigin: false, // Redirect the client to the requested URL for same-origin requests. requireHeader: null, // Require a header to be set? removeHeaders: [], // Strip these request headers. setHeaders: {}, // Set these request headers. corsMaxAge: 0 // If set, an Access-Control-Max-Age header with this value (in seconds) will be added. }; Object.keys(corsAnywhere).forEach(function (option) { if (Object.prototype.hasOwnProperty.call(options, option)) { corsAnywhere[option] = options[option]; } }); // Convert corsAnywhere.requireHeader to an array of lowercase header names, or null. if (corsAnywhere.requireHeader) { if (typeof corsAnywhere.requireHeader === 'string') { corsAnywhere.requireHeader = [corsAnywhere.requireHeader.toLowerCase()]; } else if (!Array.isArray(corsAnywhere.requireHeader) || corsAnywhere.requireHeader.length === 0) { corsAnywhere.requireHeader = null; } else { corsAnywhere.requireHeader = corsAnywhere.requireHeader.map(function (headerName) { return headerName.toLowerCase(); }); } } var hasRequiredHeaders = function (headers) { return !corsAnywhere.requireHeader || corsAnywhere.requireHeader.some(function (headerName) { return Object.hasOwnProperty.call(headers, headerName); }); }; return function (req, res) { req.corsAnywhereRequestState = { getProxyForUrl: corsAnywhere.getProxyForUrl, maxRedirects: corsAnywhere.maxRedirects, corsMaxAge: corsAnywhere.corsMaxAge, }; let clientip = req.headers['x-forwarded-for'] || // 判断是否有反向代理 IP req.connection.remoteAddress || // 判断 connection 的远程 IP req.socket.remoteAddress || // 判断后端的 socket 的 IP req.connection.socket.remoteAddress; console.log(JSON.stringify([ new Date().toISOString(), req.method, req.url, clientip, req.headers["user-agent"] ])); var cors_headers = withCORS({}, req); if (req.method === 'OPTIONS') { // Pre-flight request. Reply successfully: res.writeHead(200, cors_headers); res.end(); return; } //var location = parseURL(decodeURIComponent(req.url.slice(1))); try { var raw = req.url; var idx = raw.indexOf('/', 1); var url = raw.slice(idx + 1); var location = parseURL(url); }catch(err){ console.log(err.message); } if (!location) { // Invalid API call. Show how to correctly use the API res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('404'); return; } if (location.host === 'iscorsneeded') { // Is CORS needed? This path is provided so that API consumers can test whether it's necessary // to use CORS. The server's reply is always No, because if they can read it, then CORS headers // are not necessary. res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('no'); return; } if (location.port > 65535) { // Port is higher than 65535 res.writeHead(400, 'Invalid port', cors_headers); res.end('Port number too large: ' + location.port); return; } if (!/^\/https?:/.test(req.url) && !isValidHostName(location.hostname)) { // Don't even try to proxy invalid hosts (such as /favicon.ico, /robots.txt) res.writeHead(404, 'Invalid host', cors_headers); res.end('Invalid host: ' + location.hostname); return; } //location = new URL(location).href; if (!hasRequiredHeaders(req.headers)) { res.writeHead(400, 'Header required', cors_headers); res.end('Missing required request header. Must specify one of: ' + corsAnywhere.requireHeader); return; } if (corsAnywhere.keywordBlacklist.filter(x => location.href.indexOf(x) >= 0).length > 0) { res.writeHead(403, 'Forbidden', cors_headers); res.end('The keyword "' + corsAnywhere.keywordBlacklist.join(" ") + '" was blacklisted by the operator of this proxy.'); return; } if (corsAnywhere.originBlacklist.indexOf(location.hostname) >= 0) { res.writeHead(403, 'Forbidden', cors_headers); res.end('The origin "' + location.hostname + '" was blacklisted by the operator of this proxy.'); return; } if (corsAnywhere.originWhitelist.length && corsAnywhere.originWhitelist.indexOf(location.hostname) === -1) { res.writeHead(403, 'Forbidden', cors_headers); res.end('The origin "' + location.hostname + '" was not whitelisted by the operator of this proxy.'); return; } var origin = req.headers.origin || ''; if (corsAnywhere.redirectSameOrigin && origin && location.href[origin.length] === '/' && location.href.lastIndexOf(origin, 0) === 0) { // Send a permanent redirect to offload the server. Badly coded clients should not waste our resources. cors_headers.vary = 'origin'; cors_headers['cache-control'] = 'private'; cors_headers.location = location.href; res.writeHead(301, 'Please use a direct request', cors_headers); res.end(); return; } var isRequestedOverHttps = req.connection.encrypted || /^\s*https/.test(req.headers['x-forwarded-proto']); var proxyBaseUrl = (isRequestedOverHttps ? 'https://' : 'http://') + req.headers.host; corsAnywhere.removeHeaders.forEach(function (header) { delete req.headers[header]; }); Object.keys(corsAnywhere.setHeaders).forEach(function (header) { req.headers[header] = corsAnywhere.setHeaders[header]; }); var host = raw.slice(1, idx); var referer = host.indexOf('.') != -1 ? 'https://' + host : location.href; console.log('网址' + location.href + ' 来路' + referer) req.headers.referer = referer; req.corsAnywhereRequestState.location = location; req.corsAnywhereRequestState.proxyBaseUrl = proxyBaseUrl; proxyRequest(req, res, proxy); }; } // Create server with default and given values // Creator still needs to call .listen() function createServer(options) { options = options || {}; // Default options: var httpProxyOptions = { xfwd: true, // Append X-Forwarded-* headers }; // Allow user to override defaults and add own options if (options.httpProxyOptions) { Object.keys(options.httpProxyOptions).forEach(function (option) { httpProxyOptions[option] = options.httpProxyOptions[option]; }); } var proxy = httpProxy.createServer(httpProxyOptions); var requestHandler = getHandler(options, proxy); var server; if (options.httpsOptions) { server = require('https').createServer(options.httpsOptions, requestHandler); } else { server = require('http').createServer(requestHandler); } // When the server fails, just show a 404 instead of Internal server error proxy.on('error', function (err, req, res) { if (res.headersSent) { // This could happen when a protocol error occurs when an error occurs // after the headers have been received (and forwarded). Do not write // the headers because it would generate an error. // Prior to Node 13.x, the stream would have ended. // As of Node 13.x, we must explicitly close it. if (res.writableEnded === false) { res.end(); } return; } // When the error occurs after setting headers but before writing the response, // then any previously set headers must be removed. var headerNames = res.getHeaderNames ? res.getHeaderNames() : Object.keys(res._headers || {}); headerNames.forEach(function (name) { res.removeHeader(name); }); res.writeHead(404, { 'Access-Control-Allow-Origin': '*' }); res.end('Not found because of proxy error: ' + err); }); return server; }; process.on('uncaughtException', function (exception) { console.log(exception); }); // ========================== Start ========================== // Listen on a specific host via the HOST environment variable var host = process.env.HOST || '0.0.0.0'; // Listen on a specific port via the PORT environment variable var port = process.env.PORT || 3000; createServer({ // 移除头部的Key removeHeaders: [ 'x-heroku-queue-wait-time', 'x-heroku-queue-depth', 'x-heroku-dynos-in-use', 'x-request-start', ], keywordBlacklist: [".mpd", ".m4v"],// 阻断的关键字 originBlacklist: [],// 阻断的名单 originWhitelist: [],// 如果不为空,只允许白名单 redirectSameOrigin: true, // http-proxy 组件选项配置 httpProxyOptions: { xfwd: false,// 是否添加 X-Forwarded-For 头 secure: false // ignore ssl }, }).listen(port, host, function () { console.log(new Date().toISOString() + ' Running CORS Anywhere on ' + host + ':' + port); });