Update app.py

app.py

@@ -1,6 +1,6 @@
 import re
-import logging
 import os
+import logging
 from flask import Flask, request, Response
 import requests
 from urllib.parse import urlparse, unquote
@@ -9,15 +9,17 @@ from urllib.parse import urlparse, unquote
 logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
 app = Flask(__name__)
 
-# --- Authentication Configuration ---
-# Read the secret key from an environment variable.
-# The service will not start if this key is not set for security reasons.
-SECRET_KEY = os.environ.get('PROXY_SECRET_KEY')
-if not SECRET_KEY:
-    logging.critical("FATAL: Environment variable PROXY_SECRET_KEY is not set. Service cannot start.")
-    exit("Error: The PROXY_SECRET_KEY environment variable must be set.")
+# --- Load Secret Key from Environment ---
+PROXY_SECRET_KEY = os.environ.get('PROXY_SECRET_KEY')
+if not PROXY_SECRET_KEY:
+    logging.error("PROXY_SECRET_KEY environment variable is not set!")
+    exit(1)
+
+logging.info(f"Proxy service initialized with secret key authentication")
 
 # --- Whitelisted URL Patterns for GitHub ---
+# This list defines all URL patterns that are permitted to be proxied.
+# It's a security measure to prevent the proxy from being used to access unintended domains.
 ALLOWED_PATTERNS = [
     # Repositories: releases, archives, blobs, raw content
     re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:releases|archive)/.*$', re.IGNORECASE),
@@ -40,8 +42,8 @@ ALLOWED_PATTERNS = [
     re.compile(r'^https://github\.com/[^/]+/[^/]+/?$', re.IGNORECASE),
 ]
 
-# --- Custom Index Page (Updated with Authentication Info) ---
-INDEX_PAGE_HTML = f"""
+# --- Custom Index Page ---
+INDEX_PAGE_HTML = """
 <!DOCTYPE html>
 <html lang="en">
 <head>
@@ -49,25 +51,32 @@ INDEX_PAGE_HTML = f"""
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Private GitHub Proxy</title>
     <style>
-        body {{ font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; line-height: 1.6; color: #333; max-width: 800px; margin: 40px auto; padding: 20px; }}
-        .container {{ border: 1px solid #ddd; border-radius: 8px; padding: 20px 40px; background-color: #f9f9f9; }}
-        .warning {{ color: #856404; background-color: #fff3cd; border: 1px solid #ffeeba; padding: 15px; border-radius: 4px; margin-bottom: 20px; }}
-        h1, h2 {{ border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; }}
-        code {{ background-color: #eef; padding: 2px 4px; border-radius: 3px; font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace; }}
+        body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; line-height: 1.6; color: #333; max-width: 800px; margin: 40px auto; padding: 20px; }
+        .container { border: 1px solid #ddd; border-radius: 8px; padding: 20px 40px; background-color: #f9f9f9; }
+        .warning { color: #856404; background-color: #fff3cd; border: 1px solid #ffeeba; padding: 15px; border-radius: 4px; margin-bottom: 20px; }
+        .security { color: #721c24; background-color: #f8d7da; border: 1px solid #f5c6cb; padding: 15px; border-radius: 4px; margin-bottom: 20px; }
+        h1, h2 { border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; }
+        code { background-color: #eef; padding: 2px 4px; border-radius: 3px; }
     </style>
 </head>
 <body>
     <div class="container">
         <h1>Private GitHub Reverse Proxy</h1>
+        <div class="security">
+            <strong>Security Notice:</strong> This is a private proxy service that requires authentication.
+        </div>
         <div class="warning">
-            <strong>Authentication Required:</strong> This is a private proxy. You must include your secret key in the URL to access content.
+            <strong>Warning:</strong> You are accessing GitHub content through a reverse proxy. 
+            All content served from this page is provided directly by GitHub.
         </div>
         <h2>How to Use</h2>
-        <p>To access GitHub content, prepend your secret key to the GitHub URL.</p>
+        <p>To access GitHub content, you need to include the secret key in the URL path:</p>
         <p>For example, to clone a repository:</p>
-        <code>git clone {{YOUR_PROXY_URL}}/{SECRET_KEY}/https://github.com/owner/repo.git</code>
+        <code>git clone {YOUR_PROXY_URL}/&lt;SECRET_KEY&gt;/https://github.com/owner/repo.git</code>
         <p>Or to view a repository page:</p>
-        <code>{{YOUR_PROXY_URL}}/{SECRET_KEY}/https://github.com/owner/repo</code>
+        <code>{YOUR_PROXY_URL}/&lt;SECRET_KEY&gt;/https://github.com/owner/repo</code>
+        <h2>Authentication Required</h2>
+        <p>This proxy requires a valid secret key to access. Contact the administrator for access credentials.</p>
     </div>
 </body>
 </html>
@@ -80,40 +89,61 @@ def is_url_allowed(url):
             return True
     return False
 
-# --- Core Proxy Logic (Updated with Authentication) ---
+def extract_secret_and_url(path):
+    """Extract secret key and target URL from the path."""
+    # Remove leading slash if present
+    if path.startswith('/'):
+        path = path[1:]
+    
+    # Split the path to extract secret key and URL
+    parts = path.split('/', 1)
+    if len(parts) < 2:
+        return None, None
+    
+    secret_key = parts[0]
+    target_url = parts[1]
+    
+    return secret_key, target_url
+
+# --- Core Proxy Logic ---
 @app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE'])
 @app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE'])
 def proxy(path):
     """
-    Authenticates the request via a secret key in the path, then proxies
-    the request to GitHub after validating it against a whitelist.
+    Proxies requests to GitHub after validating secret key and URL whitelist.
+    It streams the response back to the client.
     """
-    # Split the path to separate the secret key from the target URL.
-    # e.g., "mysecretkey/https://github.com/user/repo" -> ["mysecretkey", "https://..."]
-    path_parts = path.split('/', 1)
-
-    # --- Authentication Check ---
-    # The path must contain a key. If not, or if the key is wrong, deny access.
-    if len(path_parts) < 1 or path_parts[0] != SECRET_KEY:
-        logging.warning(f"Authentication failed for request from {request.remote_addr}. Path: '{path}'")
-        return "<h1>401 Unauthorized</h1><p>A valid secret key is required in the URL path.</p>", 401
-
-    # If the key is correct but there is no target URL, show the index page.
-    # This happens when accessing /<secret_key>/
-    if len(path_parts) == 1 or not path_parts[1]:
+    # The full path might be URL-encoded, so we decode it.
+    target_path = unquote(request.full_path)
+    if target_path.startswith('/'):
+        target_path = target_path[1:]
+
+    # For the root path, display the custom warning page.
+    # Handle both '' (for a request to '/') and '?' (for a request to '/?').
+    if not target_path or target_path == '?':
         return INDEX_PAGE_HTML, 200
 
-    target_path = unquote(path_parts[1])
+    # Extract secret key and target URL
+    provided_secret, target_url_path = extract_secret_and_url(target_path)
+    
+    # Validate secret key
+    if not provided_secret or provided_secret != PROXY_SECRET_KEY:
+        logging.warning(f"Access denied: Invalid or missing secret key from IP: {request.remote_addr}")
+        return "<h1>403 Forbidden</h1><p>Access denied: Invalid or missing authentication key.</p>", 403
     
+    if not target_url_path:
+        logging.warning(f"Access denied: No target URL provided from IP: {request.remote_addr}")
+        return "<h1>400 Bad Request</h1><p>No target URL provided.</p>", 400
+
     # Prepend 'https://' if the scheme is missing.
-    if not target_path.startswith(('http://', 'https://')):
-        target_url = 'https://' + target_path
+    if not target_url_path.startswith(('http://', 'https://')):
+        target_url = 'https://' + target_url_path
     else:
-        target_url = target_path
+        target_url = target_url_path
     
     # Security check: Ensure the URL is in the whitelist.
     if not is_url_allowed(target_url):
-        logging.warning(f"URL Denied! Key was correct, but pattern not matched: {target_url}")
+        logging.warning(f"URL Denied! No pattern matched: {target_url} from IP: {request.remote_addr}")
         return "<h1>403 Forbidden</h1><p>Request blocked by proxy security policy.</p>", 403
 
     try:
@@ -129,19 +159,27 @@ def proxy(path):
     headers['Host'] = target_host
 
     try:
+        # Log successful proxy request
+        logging.info(f"Proxying request to: {target_url} from IP: {request.remote_addr}")
+        
+        # Stream the request to handle large files efficiently.
         resp = requests.request(
             method=request.method,
             url=target_url,
             headers=headers,
             data=request.get_data(),
             cookies=request.cookies,
-            allow_redirects=False,
+            allow_redirects=False, # Redirects are handled by the client.
             stream=True,
-            timeout=30
+            timeout=30  # Timeout for the connection.
         )
+
+        # Exclude headers that can interfere with streaming.
         excluded_headers = ['content-encoding', 'content-length', 'transfer-encoding', 'connection']
         response_headers = [(name, value) for (name, value) in resp.raw.headers.items() 
                             if name.lower() not in excluded_headers]
+
+        # Stream the response back to the original client.
         return Response(resp.iter_content(chunk_size=8192), resp.status_code, response_headers)
     
     except requests.exceptions.RequestException as e:
@@ -149,4 +187,4 @@ def proxy(path):
         return "An error occurred while proxying the request.", 502
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=7860)
+    app.run(host='0.0.0.0', port=7860)