diff --git a/core/agent_daemon.sh b/core/agent_daemon.sh
index 4ab526a..c7ab796 100755
--- a/core/agent_daemon.sh
+++ b/core/agent_daemon.sh
@@ -475,24 +475,25 @@ import socket
 # ================== [v3.0.3 变更: 引入多线程模型抵抗 Slowloris 攻击] ==================
 class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
 allow_reuse_address = True # 开启端口复用,防止热重启时端口冲突
-
- # [核心修复] 显式关闭 V6ONLY 参数,治愈大量云主机纯双栈下的 IPv4 耳聋现象
- def server_bind(self):
- if self.address_family == socket.AF_INET6:
- try:
- self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
- except Exception:
- pass
- super().server_bind()
-try:
- # 1. 优先尝试监听双栈/IPv6
- ThreadedServer.address_family = socket.AF_INET6
- httpd = ThreadedServer(("::", PORT), AgentHandler)
-except Exception:
- # 2. [核心修复 Issue #23] 若系统内核已禁用 IPv6,抛弃报错,智能回退至纯 IPv4 监听
- ThreadedServer.address_family = socket.AF_INET
- httpd = ThreadedServer(("0.0.0.0", PORT), AgentHandler)
+# [终极修复 Issue #53] 废除极易引发 LXC 容器 "IPv4 耳聋" 的模糊双栈监听
+# 改为精准探底:直接读取配置文件中的公网 IP 类型,动态决定单一监听协议
+bind_addr = "0.0.0.0"
+ThreadedServer.address_family = socket.AF_INET
+
+config_path = '/opt/ip_sentinel/config.conf'
+if os.path.exists(config_path):
+ with open(config_path, 'r', errors='ignore') as f:
+ for line in f:
+ if line.startswith('PUBLIC_IP='):
+ pub_ip = line.split('=', 1)[1].strip('"\'')
+ # 如果注册的是 IPv6 节点,则精准监听 IPv6,否则一律兜底监听 IPv4
+ if ':' in pub_ip:
+ bind_addr = "::"
+ ThreadedServer.address_family = socket.AF_INET6
+ break
+
+httpd = ThreadedServer((bind_addr, PORT), AgentHandler)
 # ================== [v3.6.3 核心: 挂载 TLS 加密隧道 (强制装甲版)] ==================
 import ssl
diff --git a/master/tg_master.sh b/master/tg_master.sh
index b719a95..80c40ed 100755
--- a/master/tg_master.sh
+++ b/master/tg_master.sh
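Review bot: `pub_ip = line.split('=', 1)[1].strip('"\'')` only strips quote characters, so the trailing newline — and any trailing comment on the `PUBLIC_IP=` line — stays in `pub_ip`, and `':' in pub_ip` can match text that is not the address at all; `pub_ip = line.split('=', 1)[1].strip().strip('"\'')` strips whitespace first. The removed try/except fallback is not replaced: when the config names an IPv6 address on a host whose kernel has IPv6 disabled, `ThreadedServer((bind_addr, PORT), AgentHandler)` now raises uncaught and the agent does not start, so a guarded fallback to `socket.AF_INET` / `"0.0.0.0"` on that error, with a log line saying why, would keep the resilience the old code had. The hunk calls `os.path.exists` while the only import visible here is `import socket`; confirm `os` is imported earlier in the embedded script. The embedded Python script continues outside the hunk.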
@@ -323,7 +323,7 @@ while true; do
 send_msg "$CHAT_ID" "📢 **司令部指令下达:正在唤醒全舰队执行 OTA 升级...**%0A*(节点升级成功后会主动发回新的入库确认,请注意查收)*"
 echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
 TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_ota")
- curl -k -s -m 5 "$TARGET_URL" > /dev/null &
+ curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null &
 sleep 0.3 # 严格流量削峰
 done
 fi
@@ -384,7 +384,7 @@ while true; do
 send_msg "$CHAT_ID" "📢 **司令部指令下达:正在召唤所有哨兵回传简报...**%0A*(为防止触发 TG 官方限流,简报将排队依次送达,请耐心等待)*"
 echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
 TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_report")
- curl -k -s -m 5 "$TARGET_URL" > /dev/null &
+ curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null &
 # [致命修复] 强行休眠 2 秒!错开 TG 官方 1条/秒 的发信红线
 sleep 2
 done
@@ -400,7 +400,7 @@ while true; do
 send_msg "$CHAT_ID" "📢 **司令部指令下达:正在唤醒所有哨兵执行系统维护...**"
 echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
 TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_run")
- curl -k -s -m 5 "$TARGET_URL" > /dev/null &
+ curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null &
 sleep 0.2 # [新增] 流量削峰:防止瞬间 fork 导致句柄耗尽
 done
 fi
@@ -428,7 +428,7 @@ while true; do
 # 动态 HMAC 签名防篡改
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_quality")
- RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+ RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 # 结果判定
 if [ "$RESPONSE" == "FAILED" ]; then
@@ -600,7 +600,7 @@ while true; do
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_toggle")
 TARGET_URL="${TARGET_URL}&mod=${MOD_NAME}&state=${TARGET_STATE}"
- RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+ RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 if [[ "$RESPONSE" == *"Action Accepted"* ]]; then
 # 下发成功,更新 DB,原位重绘
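Review bot: Every rewritten curl line keeps `-k`, so the new `--connect-timeout 5 -m 15` call still runs with TLS certificate verification disabled on the control channel to the agents; the same line is rewritten identically in the hunks at 384, 400, 428, 600, 707, 747 and 788. The HMAC-signed URL guards the request against tampering and replay, but it does not authenticate the peer or protect the response, so pinning the agent's certificate (`--cacert <agent-cert-path>` or `--pinnedpubkey`) would close that gap without touching the timeout change. In this hunk and at 384 and 400 the call is backgrounded with `&` while the `sleep 0.3` / `sleep 2` / `sleep 0.2` pacing is unchanged, so raising `-m` from 5 to 15 roughly triples the number of curl processes that can be in flight at once on a fleet of unreachable nodes; a `wait` after the inner loop, or a shorter `-m` for these fire-and-forget paths, keeps that bounded. The enclosing `while true` loop starts and ends outside the hunk.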
@@ -707,7 +707,7 @@ while true; do
 ALIAS_B64=$(echo -n "$NEW_ALIAS" | base64 | tr -d '\n' | tr '+/' '-_')
 TARGET_URL="${TARGET_URL}&b64=${ALIAS_B64}"
- RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+ RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 if [ "$RESPONSE" == "FAILED" ]; then
 send_msg "$CHAT_ID" "❌ 指令下发超时!为防范劫持风险,已终止请求。"
@@ -747,7 +747,7 @@ while true; do
 fi
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_ota")
- RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+ RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 if [ "$RESPONSE" == "FAILED" ]; then
 TEXT_RES="❌ OTA 指令下发彻底失败!链路异常或严禁使用 HTTP 降级通讯。"
@@ -788,7 +788,7 @@ while true; do
 # 🛡️ [v3.0.4] 动态签名生成与触发 (防重放与防篡改)
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_${ACTION_TYPE}")
- RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+ RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 # 结果判定
 if [ "$RESPONSE" == "FAILED" ]; then
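Review bot: `RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")` is synchronous here and in the hunks at 747, 788, 428 and 600, so an unreachable agent now holds the `while true` command loop for up to 15 s per call instead of 5 s, and whatever the loop handles next (presumably further Telegram updates) waits that long; a comment on the line such as `# synchronous: blocks the command loop up to 15 s per unreachable node` would make that trade-off visible, and the `send_msg` text below, which attributes every `FAILED` to a timeout, now also covers connect and TLS failures. Separately, in this hunk `TARGET_URL` has `&b64=${ALIAS_B64}` appended after `generate_signed_url` returned (and `&mod=…&state=…` at 600), so whether those parameters are covered by the HMAC depends on what the agent includes in its signature input, which is not visible here; if they are not, they can be altered in transit without invalidating the signature, which matters more while `-k` is in use, so it is worth confirming. The enclosing loop body starts and ends outside the hunk.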