feat(security): 启用 Cloudflare 安全网关，全面重构节点发报链路，彻底消除明文 Token 隐患

2026-06-28 21:01:27 +08:00 · 2026-04-10 08:40:45 +00:00
parent 1b7d7e7b64
commit 90fc8adb74
3 changed files with 11 additions and 8 deletions
--- a/core/agent_daemon.sh
+++ b/core/agent_daemon.sh
@@ -36,7 +36,7 @@ if [ -n "$AGENT_IP" ]; then
    if [ "$AGENT_IP" != "$LAST_IP" ]; then
        REG_MSG="👋 **[边缘节点接入申请]**%0A节点: \`${NODE_NAME}\`%0A地址: \`${AGENT_IP}:${AGENT_PORT}\`%0A%0A⚠️ **安全验证**: 为防止非法节点接入，请长按复制下方代码，并**发送给我**以完成最终授权录入：%0A%0A\`#REGISTER#|${NODE_NAME}|${AGENT_IP}|${AGENT_PORT}\`"
        
-        curl -s -m 5 -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
+        curl -s -m 5 -X POST "${TG_API_URL}" \
            -d "chat_id=${CHAT_ID}" \
            -d "text=${REG_MSG}" \
            -d "parse_mode=Markdown" > /dev/null
@@ -106,7 +106,7 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
            source /opt/ip_sentinel/config.conf
            LOG_DATA=$(tail -n 15 /opt/ip_sentinel/logs/sentinel.log)
            NODE=$(hostname | cut -c 1-15)
-            curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
+            curl -s -X POST "${TG_API_URL}" \
                -d "chat_id=${CHAT_ID}" \
                -d "text=📄 **[${NODE}] 实时运行日志:**%0A\`\`\`log%0A${LOG_DATA}%0A\`\`\`" \
                -d "parse_mode=Markdown"
--- a/core/install.sh
+++ b/core/install.sh
@@ -145,11 +145,13 @@ if [[ "$TG_CHOICE" =~ ^[Yy]$ ]]; then
    read -p "请输入您的 Telegram Bot Token (回车使用官方默认): " USER_TOKEN
    
    if [ -z "$USER_TOKEN" ]; then
-        TG_TOKEN="8733029779:AAErXnFw45NCWZl4ylKQX-0OIC9SA_4XifM"
-        echo -e "\033[32m✅ 已自动配置官方机器人 (@OmniBeacon_bot)。\033[0m"
+        TG_TOKEN="OFFICIAL_GATEWAY_MODE" 
+        TG_API_URL="https://omni-gateway.yuezhongjun.workers.dev" 
+        echo -e "\033[32m✅ 已自动连接官方安全网关 (@OmniBeacon_bot)。\033[0m"
        echo -e "\033[33m👉 请确保您已关注官方机器人并发送过 /start，否则将无法接收消息。\033[0m"
    else
        TG_TOKEN="$USER_TOKEN"
+        TG_API_URL="https://api.telegram.org/bot${TG_TOKEN}/sendMessage"
        echo -e "\033[32m✅ 已记录您的私有机器人 Token。\033[0m"
    fi

@@ -191,6 +193,7 @@ ENABLE_GOOGLE="$ENABLE_GOOGLE"
 ENABLE_TRUST="$ENABLE_TRUST"

 TG_TOKEN="$TG_TOKEN"
+TG_API_URL="$TG_API_URL"
 CHAT_ID="$CHAT_ID"
 AGENT_PORT="$AGENT_PORT"
 INSTALL_DIR="$INSTALL_DIR"
@@ -254,8 +257,8 @@ if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
    # 构造注册暗号
    REG_MSG="#REGISTER#:${REGION_NAME}:${PUBLIC_IP}:${AGENT_PORT}"
    
-    # 执行主动推送
-    PUSH_RESULT=$(curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
+# 执行主动推送
+    PUSH_RESULT=$(curl -s -X POST "${TG_API_URL}" \
        -d "chat_id=${CHAT_ID}" \
        -d "parse_mode=Markdown" \
        -d "text=✨ *IP-Sentinel 部署成功！*
--- a/core/tg_report.sh
+++ b/core/tg_report.sh
@@ -116,8 +116,8 @@ else

 fi

-# 5. 调用 API 推送
-RESPONSE=$(curl -s -m 10 -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
+# 5. 调用 API 推送 (接入安全网关)
+RESPONSE=$(curl -s -m 10 -X POST "${TG_API_URL}" \
    -d "chat_id=${CHAT_ID}" \
    -d "text=${MSG}" \
    -d "parse_mode=Markdown")