Update app.py

app.py

@@ -1,43 +1,95 @@
+import re
 from flask import Flask, request, Response
 import requests
 
 app = Flask(__name__)
 
-GITHUB_URL = "https://github.com"
+# --- 白名单过滤规则 (保持不变) ---
+# 这些规则现在将应用到从路径中解析出的完整URL上
+ALLOWED_PATTERNS = [
+    re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:releases|archive)/.*$', re.IGNORECASE),
+    re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:blob|raw)/.*$', re.IGNORECASE),
+    re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:info|git-).*/.*$', re.IGNORECASE),
+    re.compile(r'^https://raw\.(?:githubusercontent|github)\.com/[^/]+/[^/]+/.*/.*$', re.IGNORECASE),
+    re.compile(r'^https://gist\.(?:githubusercontent|github)\.com/[^/]+/[^/]+/.*/.*$', re.IGNORECASE),
+    re.compile(r'^https://github\.com/[^/]+/[^/]+/tags.*$', re.IGNORECASE),
+    re.compile(r'^https://avatars\.githubusercontent\.com/.*$', re.IGNORECASE),
+    re.compile(r'^https://github\.githubassets\.com/.*$', re.IGNORECASE),
+    re.compile(r'^https://github\.com/[^/]+/?$', re.IGNORECASE),
+    re.compile(r'^https://github\.com/[^/]+/[^/]+/?$', re.IGNORECASE),
+]
 
-@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE'])
+def is_url_allowed(url):
+    """检查给定的URL是否匹配白名单中的任何一个模式。"""
+    for pattern in ALLOWED_PATTERNS:
+        if pattern.match(url):
+            return True
+    return False
+
+# --- 核心代理逻辑 ---
+
+# 我们现在使用一个更通用的路由来捕获所有请求
+@app.route('/', defaults={'path': ''})
+@app.route('/<path:path>')
 def proxy(path):
     """
-    一个非常基础的 GitHub 反向代理。
+    一个通用的反向代理，它将目标URL作为路径的一部分。
+    例如: /https://github.com/user/repo
     """
-    # 构造完整的 GitHub URL
-    url = f"{GITHUB_URL}/{path}"
-
-    # 复制请求头，特别是对于私有仓库的认证头
-    headers = {key: value for (key, value) in request.headers if key != 'Host'}
     
+    # --- 1. 从请求路径中构建目标URL ---
+    # 使用 request.full_path 来获取完整的路径和查询参数, e.g., /https://github.com/user/repo?service=...
+    target_path = request.full_path
+    
+    # 移除开头的斜杠
+    if target_path.startswith('/'):
+        target_path = target_path[1:]
+
+    # 如果路径本身不是一个完整的URL，则为其添加 https://
+    if not target_path.startswith(('http://', 'https://')):
+        target_url = 'https://' + target_path
+    else:
+        target_url = target_path
+        
+    # --- 2. 执行安全过滤检查 ---
+    if not is_url_allowed(target_url):
+        error_message = (
+            "<h1>403 Forbidden</h1>"
+            "<p>This request is blocked by the proxy's security policy.</p>"
+            f"<p>Blocked URL: {target_url}</p>"
+        )
+        return error_message, 403
+
+    # --- 3. 转发请求 ---
+    # 从目标URL中解析出Host头
+    try:
+        from urllib.parse import urlparse
+        target_host = urlparse(target_url).hostname
+    except Exception:
+        return "Invalid target URL in path", 400
+
+    headers = {key: value for (key, value) in request.headers if key.lower() != 'host'}
+    headers['Host'] = target_host
+
     try:
-        # 使用流式传输，以处理大文件
         resp = requests.request(
             method=request.method,
-            url=url,
-            params=request.args,
+            url=target_url,
             headers=headers,
             data=request.get_data(),
             cookies=request.cookies,
-            allow_redirects=True,
+            allow_redirects=False,
             stream=True
         )
 
-        # 构造并返回响应
-        # 注意：需要仔细处理响应头，这里只是一个简化示例
         excluded_headers = ['content-encoding', 'content-length', 'transfer-encoding', 'connection']
         response_headers = [(name, value) for (name, value) in resp.raw.headers.items() if name.lower() not in excluded_headers]
 
         return Response(resp.iter_content(chunk_size=8192), status=resp.status_code, headers=response_headers)
 
     except requests.exceptions.RequestException as e:
-        return f"An error occurred: {e}", 502
+        return f"An error occurred while proxying: {e}", 502
+
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=7860)
+    app.run(host='0.0.0.0', port=7860)