From 32aea06044234270efbae799688be539d373efd7 Mon Sep 17 00:00:00 2001
From: hotyue <52734432+hotyue@users.noreply.github.com>
Date: Sat, 23 May 2026 00:56:09 +0000
Subject: [PATCH] =?UTF-8?q?fix(core):=20=E9=87=8D=E6=9E=84=20Webhook=20?=
 =?UTF-8?q?=E7=9B=91=E5=90=AC=E7=BB=95=E8=BF=87=20LXC=20=E5=AE=B9=E5=99=A8?=
 =?UTF-8?q?=20v4=20=E6=98=A0=E5=B0=84=E6=95=85=E9=9A=9C=EF=BC=9B=E6=94=BE?=
 =?UTF-8?q?=E5=AE=BD=20Master=20=E7=AB=AF=20TLS=20=E6=8F=A1=E6=89=8B?=
 =?UTF-8?q?=E5=AE=B9=E5=BF=8D=E5=BA=A6=E9=80=82=E9=85=8D=E5=BC=B1=E7=AE=97?=
 =?UTF-8?q?=E5=8A=9B=E8=8A=82=E7=82=B9=20(Closes=20#53)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/agent_daemon.sh | 35 ++++++++++++++++++-----------------
 master/tg_master.sh | 16 ++++++++--------
 2 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/core/agent_daemon.sh b/core/agent_daemon.sh
index 4ab526a..c7ab796 100755
--- a/core/agent_daemon.sh
+++ b/core/agent_daemon.sh
@@ -475,24 +475,25 @@ import socket
 # ================== [v3.0.3 变更: 引入多线程模型抵抗 Slowloris 攻击] ==================
 class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
     allow_reuse_address = True # 开启端口复用,防止热重启时端口冲突
-
-    # [核心修复] 显式关闭 V6ONLY 参数,治愈大量云主机纯双栈下的 IPv4 耳聋现象
-    def server_bind(self):
-        if self.address_family == socket.AF_INET6:
-            try:
-                self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
-            except Exception:
-                pass
-        super().server_bind()
 
-try:
-    # 1. 优先尝试监听双栈/IPv6
-    ThreadedServer.address_family = socket.AF_INET6
-    httpd = ThreadedServer(("::", PORT), AgentHandler)
-except Exception:
-    # 2. [核心修复 Issue #23] 若系统内核已禁用 IPv6,抛弃报错,智能回退至纯 IPv4 监听
-    ThreadedServer.address_family = socket.AF_INET
-    httpd = ThreadedServer(("0.0.0.0", PORT), AgentHandler)
+# [终极修复 Issue #53] 废除极易引发 LXC 容器 "IPv4 耳聋" 的模糊双栈监听
+# 改为精准探底:直接读取配置文件中的公网 IP 类型,动态决定单一监听协议
+bind_addr = "0.0.0.0"
+ThreadedServer.address_family = socket.AF_INET
+
+config_path = '/opt/ip_sentinel/config.conf'
+if os.path.exists(config_path):
+    with open(config_path, 'r', errors='ignore') as f:
+        for line in f:
+            if line.startswith('PUBLIC_IP='):
+                pub_ip = line.split('=', 1)[1].strip('"\'')
+                # 如果注册的是 IPv6 节点,则精准监听 IPv6,否则一律兜底监听 IPv4
+                if ':' in pub_ip:
+                    bind_addr = "::"
+                    ThreadedServer.address_family = socket.AF_INET6
+                    break
+
+httpd = ThreadedServer((bind_addr, PORT), AgentHandler)
 
 # ================== [v3.6.3 核心: 挂载 TLS 加密隧道 (强制装甲版)] ==================
 import ssl
diff --git a/master/tg_master.sh b/master/tg_master.sh
index b719a95..80c40ed 100755
--- a/master/tg_master.sh
+++ b/master/tg_master.sh
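Review bot: The single `httpd = ThreadedServer((bind_addr, PORT), AgentHandler)` that closes the hunk drops the IPv6→IPv4 fallback the removed `try/except` provided for Issue #23, so a node whose `PUBLIC_IP` is a v6 address but whose container has the v6 stack disabled (or whose config is stale) now dies at startup with an unhandled `OSError` instead of degrading to `0.0.0.0`. Catching `OSError` only around the bind and retrying with `AF_INET` keeps the new precise protocol selection while preserving the old resilience. Separately, `pub_ip = line.split('=', 1)[1].strip('"\'')` leaves the trailing newline on the value because `strip` with an argument removes only the listed characters; `.strip().strip('"\'')` is what was intended, harmless today since only `':' in pub_ip` is tested. The new `os.path.exists` call also assumes `os` is already imported earlier in the embedded script (the hunk header shows only `import socket`), which is outside this hunk and worth confirming.
```python
# … unchanged: scan of config.conf that sets bind_addr / ThreadedServer.address_family …
try:
    httpd = ThreadedServer((bind_addr, PORT), AgentHandler)
except OSError:
    # Keep the Issue #23 safety net: if the chosen IPv6 bind is refused
    # (v6 stack disabled in the container, stale PUBLIC_IP), fall back to v4.
    if ThreadedServer.address_family != socket.AF_INET6:
        raise
    ThreadedServer.address_family = socket.AF_INET
    httpd = ThreadedServer(("0.0.0.0", PORT), AgentHandler)
```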
@@ -323,7 +323,7 @@ while true; do
 send_msg "$CHAT_ID" "📢 **司令部指令下达:正在唤醒全舰队执行 OTA 升级...**%0A*(节点升级成功后会主动发回新的入库确认,请注意查收)*"
 echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
 TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_ota")
-curl -k -s -m 5 "$TARGET_URL" > /dev/null &
+curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null &
 sleep 0.3 # 严格流量削峰
 done
 fi
@@ -384,7 +384,7 @@ while true; do
 send_msg "$CHAT_ID" "📢 **司令部指令下达:正在召唤所有哨兵回传简报...**%0A*(为防止触发 TG 官方限流,简报将排队依次送达,请耐心等待)*"
 echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
 TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_report")
-curl -k -s -m 5 "$TARGET_URL" > /dev/null &
+curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null &
 # [致命修复] 强行休眠 2 秒!错开 TG 官方 1条/秒 的发信红线
 sleep 2
 done
@@ -400,7 +400,7 @@ while true; do
 send_msg "$CHAT_ID" "📢 **司令部指令下达:正在唤醒所有哨兵执行系统维护...**"
 echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do
 TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_run")
-curl -k -s -m 5 "$TARGET_URL" > /dev/null &
+curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null &
 sleep 0.2 # [新增] 流量削峰:防止瞬间 fork 导致句柄耗尽
 done
 fi
@@ -428,7 +428,7 @@ while true; do
 # 动态 HMAC 签名防篡改
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_quality")
 
-RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 
 # 结果判定
 if [ "$RESPONSE" == "FAILED" ]; then
@@ -600,7 +600,7 @@ while true; do
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_toggle")
 TARGET_URL="${TARGET_URL}&mod=${MOD_NAME}&state=${TARGET_STATE}"
 
-RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 
 if [[ "$RESPONSE" == *"Action Accepted"* ]]; then
 # 下发成功,更新 DB,原位重绘
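Review bot: Every rewritten `curl` line in this file, from the `/trigger_ota` fan-out here through the `/trigger_quality`, `/trigger_toggle`, `/trigger_${ACTION_TYPE}` and the two later `RESPONSE=$(...)` hunks, still passes `-k`, so the master accepts any certificate the agent presents; the HMAC from `generate_signed_url` protects the request, but the `RESPONSE` that these hunks compare against `FAILED` and `*"Action Accepted"*` comes back over a link whose peer was never authenticated. If the agent's self-signed certificate or public key is recorded at node registration, `--cacert`/`--pinnedpubkey` would let `-k` be dropped without touching the timeout fix. Since the same option string now appears in eight places, a helper such as `agent_curl() { curl -k -s --connect-timeout 5 -m 15 "$@"; }` defined next to `generate_signed_url` would keep the timeout policy on one line and make the next adjustment a one-hunk change. In the three backgrounded loops (-323, -384, -400) raising `-m` from 5 to 15 also triples how long each `&` job can linger, so the peak number of concurrent curl processes that the `sleep` throttling was added to bound grows accordingly; likely fine at current fleet sizes, but worth a comment beside the sleep.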
@@ -707,7 +707,7 @@ while true; do
 ALIAS_B64=$(echo -n "$NEW_ALIAS" | base64 | tr -d '\n' | tr '+/' '-_')
 TARGET_URL="${TARGET_URL}&b64=${ALIAS_B64}"
 
-RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 
 if [ "$RESPONSE" == "FAILED" ]; then
 send_msg "$CHAT_ID" "❌ 指令下发超时!为防范劫持风险,已终止请求。"
@@ -747,7 +747,7 @@ while true; do
 fi
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_ota")
 
-RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 
 if [ "$RESPONSE" == "FAILED" ]; then
 TEXT_RES="❌ OTA 指令下发彻底失败!链路异常或严禁使用 HTTP 降级通讯。"
@@ -788,7 +788,7 @@ while true; do
 # 🛡️ [v3.0.4] 动态签名生成与触发 (防重放与防篡改)
 TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_${ACTION_TYPE}")
 
-RESPONSE=$(curl -k -s -m 5 "$TARGET_URL" || echo "FAILED")
+RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")
 
 # 结果判定
 if [ "$RESPONSE" == "FAILED" ]; then