From aa4b6d9e6e9bde7ce2979e6fe0a8a7d1870f42ff Mon Sep 17 00:00:00 2001 From: hotyue <52734432+hotyue@users.noreply.github.com> Date: Mon, 1 Jun 2026 06:59:32 +0000 Subject: [PATCH] =?UTF-8?q?chore:=20=E5=9B=9E=E6=BB=9A=E8=87=B3=2093a9bcb?= =?UTF-8?q?=20=E7=89=88=E6=9C=AC=EF=BC=8C=E7=A7=BB=E9=99=A4=E6=89=80?= =?UTF-8?q?=E6=9C=89=20v4.2.x=20=E5=AE=9E=E9=AA=8C=E6=80=A7=E7=BD=91?= =?UTF-8?q?=E7=BB=9C=E6=9E=B6=E6=9E=84=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- core/agent_daemon.sh | 56 +++++++------------- core/install.sh | 108 ++++----------------------------------- master/install_master.sh | 2 +- master/tg_master.sh | 60 ++++++++-------------- version.txt | 4 +- 5 files changed, 54 insertions(+), 176 deletions(-) diff --git a/core/agent_daemon.sh b/core/agent_daemon.sh index e489a81..e4a327d 100755 --- a/core/agent_daemon.sh +++ b/core/agent_daemon.sh 
@@ -55,28 +55,23 @@ if [ -n "$AGENT_IP" ]; then fi fi +# [v4.1.8 核心修复] 彻底解决 IPv6 致命耳聋漏洞 (Socket Binding Mismatch) +# 在拉起 Python 引擎前,由 Bash 强行锁定底层网络栈监听维度,抛弃脆弱的内部解析 +if [[ "$AGENT_IP" == *":"* ]]; then + export BIND_ADDR="::" + echo "🌐 [Agent] 协议栈识别: 侦测到 IPv6 基因,底层路由强锁定至 [::]" +else + export BIND_ADDR="0.0.0.0" + echo "🌐 [Agent] 协议栈识别: 侦测到 IPv4 基因,底层路由强锁定至 0.0.0.0" +fi + # ========================================================== # [加密通信] 强制构建自签名 TLS 装甲,屏蔽中间人嗅探 # ========================================================== CERT_FILE="${INSTALL_DIR}/core/cert.pem" KEY_FILE="${INSTALL_DIR}/core/key.pem" - -# [v4.2.0 热修复] 检查证书是否过于陈旧或可能损坏,若是则强制销毁重铸 -if [ -f "$CERT_FILE" ]; then - # 提取证书创建时间,如果早于 2026-05-31(v4.2.0 架构升级前),则强制扬了它! - CERT_DATE=$(openssl x509 -noout -startdate -in "$CERT_FILE" 2>/dev/null | cut -d= -f2) - if [[ -n "$CERT_DATE" ]]; then - CERT_EPOCH=$(date -d "$CERT_DATE" +%s 2>/dev/null || echo 0) - V420_EPOCH=$(date -d "2026-05-31" +%s 2>/dev/null || echo 1780185600) - if [ "$CERT_EPOCH" -lt "$V420_EPOCH" ]; then - echo "🧹 [Agent] 侦测到旧版 (v4.2.0前) 遗留 TLS 装甲,正在执行强制物理销毁..." - rm -f "$CERT_FILE" "$KEY_FILE" - fi - fi -fi - if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then - echo "🔐 [Agent] 正在生成全新的本地自签名 TLS 加密证书 (2048位 RSA)..." + echo "🔐 [Agent] 正在生成本地自签名 TLS 加密证书 (2048位 RSA)..." openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \ -keyout "$KEY_FILE" -out "$CERT_FILE" \ -subj "/C=US/O=IP-Sentinel/CN=Agent-Sec" >/dev/null 2>&1 || true 
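Review bot: The exported BIND_ADDR is only meaningful to the embedded Python engine, which (hunk at -484 of this file) treats anything other than the exact string `::` as IPv4, so that contract should be stated where the variable is set: `# BIND_ADDR is read by the embedded Python engine via os.environ; only "::" selects AF_INET6, any other value binds IPv4`. Binding `::` also accepts IPv4 clients only under the kernel's dual-stack default (`net.ipv6.bindv6only=0` on Linux), so an IPv6-identified node on a host with that sysctl set will not answer IPv4 at all; a one-line comment noting this dependency would save the next reader from re-adding the v4.2.x probing. The `[[ "$AGENT_IP" == *":"* ]]` test is a substring match, which is fine for bare addresses but would also classify a bracketed or zone-suffixed value as IPv6 — presumably AGENT_IP is normalised earlier, worth confirming.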
@@ -484,30 +479,17 @@ import socket # ---------------------------------------------------------- # [核心架构] 多线程非阻塞 Socket 模型 (抵抗 Slowloris 及阻塞攻击) # ---------------------------------------------------------- -class DualStackServer(socketserver.ThreadingMixIn, socketserver.TCPServer): +class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer): allow_reuse_address = True - def server_bind(self): - # 强行解除 IPv6 独占锁,实现一个 Socket 同时接管 IPv4 和 IPv6 (全域防漏接) - if self.address_family == socket.AF_INET6: - try: - self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0) - except Exception: - pass - super().server_bind() -# [v4.2.2 终极架构] 彻底抛弃配置文件的 IP 束缚,强行探测系统底层的双栈能力 -bind_addr = "::" -address_family = socket.AF_INET6 -try: - # 探针:如果机器是纯 IPv4 (连 v6 模块都没有),强绑 :: 会崩溃,自动降维 - s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) - s.close() -except OSError: - bind_addr = "0.0.0.0" - address_family = socket.AF_INET +# [v4.1.8 终极修复] 废除脆弱的 Python 内置解析,直接读取 Bash 注入的底层环境变量 +bind_addr = os.environ.get('BIND_ADDR', '0.0.0.0') +if bind_addr == "::": + ThreadedServer.address_family = socket.AF_INET6 +else: + ThreadedServer.address_family = socket.AF_INET -DualStackServer.address_family = address_family -httpd = DualStackServer((bind_addr, PORT), AgentHandler) +httpd = ThreadedServer((bind_addr, PORT), AgentHandler) # ---------------------------------------------------------- # [加密通信] 强制全网挂载 TLS 加密隧道上下文 diff --git a/core/install.sh b/core/install.sh index 8bf436c..8bc923d 100755 --- a/core/install.sh +++ b/core/install.sh 
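Review bot: The new address-family selection keys on the exact string `::`, so any other IPv6 value of BIND_ADDR is classed as AF_INET and the bind fails with an OSError at `ThreadedServer((bind_addr, PORT), AgentHandler)`; deciding on the address shape is more robust: `ThreadedServer.address_family = socket.AF_INET6 if ':' in bind_addr else socket.AF_INET`. Binding `::` without the removed IPV6_V6ONLY handling now leaves IPv4 reachability to the OS default (`net.ipv6.bindv6only` on Linux), which deserves a comment next to the assignment so the behaviour is not rediscovered as a bug. The renamed `ThreadedServer` still sets no `timeout` and ThreadingMixIn spawns an unbounded thread per connection, so the header comment's Slowloris claim is not backed by the visible code; `daemon_threads = True` on the server and a `timeout` on the handler class would be the minimal hardening. This also assumes `os` is imported earlier in the embedded script, which the hunk does not show.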
@@ -67,7 +67,7 @@ CONFIG_FILE="${INSTALL_DIR}/config.conf" # [网络容灾] 挂载双栈并利用防抖重试护甲,从远端解析运行态版本约束 TARGET_VERSION=$( (curl -fsSL --connect-timeout 5 --retry 2 "${REPO_RAW_URL}/version.txt" || curl -4 -fsSL --connect-timeout 5 --retry 2 "${REPO_RAW_URL}/version.txt") 2>/dev/null | grep "^AGENT_VERSION=" | cut -d'=' -f2 | tr -d '[:space:]') -TARGET_VERSION=${TARGET_VERSION:-"4.2.0"} +TARGET_VERSION=${TARGET_VERSION:-"4.1.1"} version_lt() { test "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" && test "$1" != "$2" @@ -219,13 +219,9 @@ done rm -f /etc/local.d/ip_sentinel.start 2>/dev/null if [ "$UPGRADE_MODE" == "true" ]; then - # [v4.2.0 终极保障] 平滑升级时强制销毁旧版 TLS 证书与旧版 IP 缓存,逼迫下层组件重铸健康环境 - rm -f "${INSTALL_DIR}/core/cert.pem" "${INSTALL_DIR}/core/key.pem" "${INSTALL_DIR}/core/.last_ip" 2>/dev/null - echo -e "🧹 历史底层缓存及残旧 TLS 证书已强制销毁,准备重铸安全装甲。" - if [ "$KEEP_LOGS" == "false" ]; then rm -rf "${INSTALL_DIR}/logs" 2>/dev/null - echo -e "🗑️ 历史战地日志已按指令清空。" + echo -e "🗑️ 历史日志已按指令清空。" else echo -e "📦 历史配置与战地日志已妥善保留。" fi 
@@ -411,35 +407,12 @@ if [ "$UPGRADE_MODE" == "false" ]; then fi # ---------------------------------------------------------- - # [网络锚定] 冗余网络栈探测与多出口智能嗅探 (v4.2.0 完全体) + # [网络锚定] 冗余网络栈探测与多出口智能嗅探 # ---------------------------------------------------------- echo -e "\n\033[36m[4.5/7] 正在探测本机网络栈与可用出口 (多节点雷达扫描中)...\033[0m" - RAW_DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]') - RAW_DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]') - - # 引入工业级控制面网卡设备检测,双重过滤 WARP/TUN/桥接等假公网环境 - DETECT_V4="" - if [[ -n "$RAW_DETECT_V4" ]]; then - V4_DEV=$(ip route get 8.8.8.8 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1) - if [[ "$V4_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || \ - [[ "$RAW_DETECT_V4" =~ ^104\.28\. ]] || \ - [[ "$RAW_DETECT_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. 
]]; then - echo -e " \033[33m⚠️ 雷达警告: 发现异常 IPv4 出口 ($RAW_DETECT_V4) 经由虚拟网卡 ($V4_DEV),已从通讯候选池中安全隔离。\033[0m" - else - DETECT_V4="$RAW_DETECT_V4" - fi - fi - - DETECT_V6="" - if [[ -n "$RAW_DETECT_V6" ]]; then - V6_DEV=$(ip -6 route get 2001:4860:4860::8888 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1) - if [[ "$V6_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || [[ "$RAW_DETECT_V6" =~ ^fe80:|^::1 ]]; then - echo -e " \033[33m⚠️ 雷达警告: 发现异常 IPv6 出口 ($RAW_DETECT_V6) 经由虚拟网卡 ($V6_DEV),已从通讯候选池中安全隔离。\033[0m" - else - DETECT_V6="$RAW_DETECT_V6" - fi - fi + DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]') + DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]') IP_OPTIONS=() IP_PROTO=() 
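Review bot: The new DETECT_V4/DETECT_V6 probes fetch the node's public address from three third-party services without a URL scheme, so curl uses plain http:// and the value that becomes the node's registered identity, its firewall hint and its `#REGISTER#` payload is taken unauthenticated from whichever endpoint answers first; prefixing each with `https://` (all three serve HTTPS) and adding `-f` so an error page is not captured as an address would close that. The shape filters are also loose: `^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+` accepts octets above 255 and anything trailing, and `^[0-9a-fA-F:]+.*:` accepts `::1` or link-local, and the rollback drops the private/link-local exclusion entirely. A cheap sanity check without the v4.2.x interface probing would be `grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}'` followed by `grep -Ev '^(10|127|169\.254|192\.168|172\.(1[6-9]|2[0-9]|3[01]))\.'`, and the analogous `^(fe80:|::1$|fc|fd)` reject on the IPv6 side.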
@@ -488,28 +461,6 @@ if [ "$UPGRADE_MODE" == "false" ]; then SAFE_PUBLIC_IP="$PUBLIC_IP" fi - # ========================================================== - # [v4.2.2 终极架构] 智能主副容灾弹药装填 (Multi-IP Fallback) - # 不再纠结内网阻断,直接将所有存活 IP 以逗号拼接上报司令部,由司令部执行降级回退打击 - # ========================================================== - echo -e "\n\033[36m[4.6/7] 正在装填通讯容灾防线 (Multi-IP Fallback)...\033[0m" - COMM_IP="$SAFE_PUBLIC_IP" - FALLBACK_IP="" - - if [ "${IP_PREF}" == "6" ] && [ -n "$DETECT_V4" ]; then - FALLBACK_IP="$DETECT_V4" - elif [ "${IP_PREF}" == "4" ] && [ -n "$DETECT_V6" ]; then - [[ "$DETECT_V6" != *"["* ]] && FALLBACK_IP="[${DETECT_V6}]" || FALLBACK_IP="$DETECT_V6" - fi - - if [ -n "$FALLBACK_IP" ]; then - COMM_IP="${COMM_IP},${FALLBACK_IP}" - echo -e " \033[32m✅ 成功建立双向容灾通讯专线: 主通道 $SAFE_PUBLIC_IP,备用通道 $FALLBACK_IP\033[0m" - else - echo -e " \033[33m⚠️ 暂无可用备用公网 IP,建立单轨通讯模式: $SAFE_PUBLIC_IP\033[0m" - fi - SAFE_COMM_IP="$COMM_IP" - echo -n "🕵️ 正在进行出站链路试射 (NAT环境与双栈嗅探)..." RAW_TEST_IP=$(echo "$SAFE_PUBLIC_IP" | tr -d '[]') @@ -585,7 +536,6 @@ LOG_FILE="${INSTALL_DIR}/logs/sentinel.log" IP_PREF="$IP_PREF" PUBLIC_IP="$SAFE_PUBLIC_IP" BIND_IP="$BIND_IP" -COMM_IP="$SAFE_COMM_IP" NODE_NAME="$NODE_NAME" NODE_ALIAS="$NODE_ALIAS" 
@@ -632,34 +582,6 @@ if [ "$UPGRADE_MODE" == "true" ]; then SAFE_PUBLIC_IP="${PUBLIC_IP}" fi - # [v4.2.0 热修复] 为老版本司令部平滑补齐双轨通讯 IP (含设备路由与入站存活校验) - if ! grep -q "^COMM_IP=" "$CONFIG_FILE"; then - echo -e "\n🔄 [平滑迁移] 正在为老节点无损注入 v4.2.0 双轨通讯架构..." - TMP_PUB_IP=$(grep "^PUBLIC_IP=" "$CONFIG_FILE" | cut -d'"' -f2 | tr -d '[]') - - if [[ "$TMP_PUB_IP" == *":"* ]]; then - TMP_V4=$(curl -4 -s -m 3 api.ip.sb/ip 2>/dev/null | tr -d '[:space:]' ) - V4_MIG_DEV=$(ip route get 8.8.8.8 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1) - - if [[ -n "$TMP_V4" ]] && \ - ! [[ "$V4_MIG_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] && \ - ! [[ "$TMP_V4" =~ ^104\.28\. ]] && \ - ! [[ "$TMP_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then - NEW_COMM_IP="$TMP_V4" - echo -e " \033[32m✅ 成功建立双轨架构: 养护走 IPv6,中枢控制走 IPv4 ($NEW_COMM_IP)\033[0m" - else - echo -e " \033[33m⚠️ 嗅探到的备用 IPv4 疑似为内网 NAT 或 WARP 伪装 IP,已安全退回纯 IPv6 单轨模式。\033[0m" - NEW_COMM_IP="[$TMP_PUB_IP]" - fi - else - NEW_COMM_IP="$TMP_PUB_IP" - fi - echo "COMM_IP=\"$NEW_COMM_IP\"" >> "$CONFIG_FILE" - SAFE_COMM_IP="$NEW_COMM_IP" - else - SAFE_COMM_IP=$(grep "^COMM_IP=" "$CONFIG_FILE" | cut -d'"' -f2) - fi - if ! grep -q "^NODE_NAME=" "$CONFIG_FILE"; then TMP_HASH=$(echo "${SAFE_PUBLIC_IP:-127.0.0.1}" | md5sum | cut -c 1-4 | tr 'a-z' 'A-Z') NODE_NAME="$(hostname | tr -cd 'a-zA-Z0-9' | cut -c 1-10)-${TMP_HASH}" @@ -951,7 +873,7 @@ EOF # ---------------------------------------------------------- if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then - REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_COMM_IP}|${AGENT_PORT}|${NODE_ALIAS}|${ENABLE_OTA}" + REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_PUBLIC_IP}|${AGENT_PORT}|${NODE_ALIAS}|${ENABLE_OTA}" if [ "$UPGRADE_MODE" == "true" ]; then OLD_VERSION=$(grep "^AGENT_VERSION=" "$CONFIG_FILE" | cut -d'"' -f2) 
@@ -996,8 +918,7 @@ if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then echo -e "\n📡 正在向指挥部发送注册暗号..." TEXT_MSG="✨ *IP-Sentinel 部署成功!* 📍 区域:${REGION_NAME} -🌐 养护 IP:${SAFE_PUBLIC_IP} -📡 通讯 IP:${SAFE_COMM_IP} +🌐 IP:${SAFE_PUBLIC_IP} 🔌 端口:${AGENT_PORT} 🔑 *请点击下方指令复制并回复给机器人:* @@ -1026,28 +947,19 @@ if [[ -n "$TG_TOKEN" ]]; then echo "📡 Webhook 监听已启动 (端口: $AGENT_PORT) 并向中枢发送了注册请求。" FW_MSG="" - # [v4.2.1 防火墙修正] 严格依据通讯面专线 (COMM_IP) 协议栈生成放行指令 - IS_V6_COMM="false" - [[ "$SAFE_COMM_IP" == *":"* ]] && IS_V6_COMM="true" - if command -v ufw >/dev/null 2>&1 && ufw status | grep -qw active; then - # UFW 默认同时添加双栈规则,无需特地区分,但注释中可指明 FW_MSG="ufw allow $AGENT_PORT/tcp" elif command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active firewalld | grep -qw active; then FW_MSG="firewall-cmd --zone=public --add-port=$AGENT_PORT/tcp --permanent && firewall-cmd --reload" elif command -v iptables >/dev/null 2>&1; then - if [ "$IS_V6_COMM" == "true" ]; then - if command -v ip6tables >/dev/null 2>&1; then - FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT" - else - FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT # 提示: 系统缺失 ip6tables 命令" - fi + if [[ "$SAFE_PUBLIC_IP" == *":"* ]]; then + FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT" else FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT" fi fi - echo -e "\n\033[31m⚠️ 【高危警告】您的节点通讯身份已永久锁定为公网 IP: $SAFE_COMM_IP\033[0m" + echo -e "\n\033[31m⚠️ 【高危警告】您的节点身份已永久锁定为公网 IP: $SAFE_PUBLIC_IP\033[0m" echo -e "\033[33m为确保 Master 司令部能够成功下发指令,您【必须】前往云服务商 (如 AWS/Oracle/阿里云 等) 的网页控制台中,将安全组 (Security Group) 防火墙的 TCP $AGENT_PORT 端口彻底放行!\033[0m" echo -e "\033[31m⛔ 禁止尝试通过修改脚本强行绑定局域网/内网 IP 来绕过通信阻断,这无异于掩耳盗铃,将彻底摧毁本系统“公网IP信用养护”的核心目标!\033[0m\n" if [ -n "$FW_MSG" ]; then diff --git a/master/install_master.sh b/master/install_master.sh index cb05d61..1397b2b 100755 --- a/master/install_master.sh +++ b/master/install_master.sh 
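Review bot: The firewall hint now chooses `ip6tables` purely from `SAFE_PUBLIC_IP` containing `:` and no longer checks that the binary exists (the dropped `command -v ip6tables` guard), and since the agent binds `::` for IPv6 nodes (hunk at -55 of core/agent_daemon.sh), which on a default Linux dual-stack also accepts IPv4, an IPv6 node may need both rules. Emitting both when IPv6 is detected keeps the hint correct: `FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT; iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"`, with the `command -v ip6tables` check restored in front of it. The message could also say that an `-I INPUT` rule is not persistent across reboots, unlike the ufw and firewalld variants it is offered alongside.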
@@ -64,7 +64,7 @@ REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main" # [链路容灾] 双栈冗余防抖抓取,确立本地态势版本号 TARGET_VERSION=$( (curl -fsSL --connect-timeout 5 --retry 2 "${REPO_RAW_URL}/version.txt" || curl -4 -fsSL --connect-timeout 5 --retry 2 "${REPO_RAW_URL}/version.txt") 2>/dev/null | grep "^MASTER_VERSION=" | cut -d'=' -f2 | tr -d '[:space:]') -TARGET_VERSION=${TARGET_VERSION:-"4.2.0"} +TARGET_VERSION=${TARGET_VERSION:-"4.0.7"} MASTER_DIR="/opt/ip_sentinel_master" DB_FILE="${MASTER_DIR}/sentinel.db" diff --git a/master/tg_master.sh b/master/tg_master.sh index 21e5aa0..171d3d8 100755 --- a/master/tg_master.sh +++ b/master/tg_master.sh @@ -76,36 +76,7 @@ generate_signed_url() { local current_t=$(date +%s) local payload="${action_path}:${current_t}" - -# ========================================================== -# [新增插入] v4.2.2 终极容灾火力网:自动解析多宿主 IP 并执行无缝降级重试 -# ========================================================== -call_agent() { - local ips="$1" - local port="$2" - local path="$3" - local suffix="$4" - local res="FAILED" - - # 拆解逗号分隔的 IP 列阵 (例如: [2a0b:...],66.181.x.x) - IFS=',' read -r -a ip_array <<< "$ips" - for ip in "${ip_array[@]}"; do - if [ -n "$ip" ]; then - local url=$(generate_signed_url "$ip" "$port" "$path") - [ -n "$suffix" ] && url="${url}${suffix}" - - # 缩短单次重试时间,实现用户无感知的秒级降级切换 - res=$(curl -k -s --connect-timeout 4 -m 12 "$url" || echo "FAILED") - if [ "$res" != "FAILED" ] && [ -n "$res" ]; then - echo "$res" - return - fi - fi - done - echo "FAILED" -} - -# [v4.1.7 致命修复] 弃用 -hmac,改用 -macopt 标准语法,彻底杜绝 TG 群组负数 ID 导致的 OpenSSL 参数注入崩溃 + # [v4.1.7 致命修复] 弃用 -hmac,改用 -macopt 标准语法,彻底杜绝 TG 群组负数 ID 导致的 OpenSSL 参数注入崩溃 local signature=$(echo -n "$payload" | openssl dgst -sha256 -mac HMAC -macopt key:"$CHAT_ID" | awk '{print $NF}') echo "https://${target_ip}:${target_port}${action_path}?t=${current_t}&sign=${signature}" 
@@ -327,7 +298,8 @@ while true; do else send_msg "$CHAT_ID" "📢 **司令部指令下达:正在唤醒全舰队执行 OTA 升级...**%0A*(节点升级成功后会主动发回新的入库确认,请注意查收)*" echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do - call_agent "$AIP" "$APORT" "/trigger_ota" > /dev/null & + TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_ota") + curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null & sleep 0.3 done fi @@ -381,7 +353,8 @@ while true; do else send_msg "$CHAT_ID" "📢 **司令部指令下达:正在召唤所有哨兵回传简报...**%0A*(为防止触发 TG 官方限流,简报将排队依次送达,请耐心等待)*" echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do - call_agent "$AIP" "$APORT" "/trigger_report" > /dev/null & + TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_report") + curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null & sleep 2 done fi @@ -394,7 +367,8 @@ while true; do else send_msg "$CHAT_ID" "📢 **司令部指令下达:正在唤醒所有哨兵执行系统维护...**" echo "$NODE_DATA" | while IFS='|' read -r NNAME AIP APORT; do - call_agent "$AIP" "$APORT" "/trigger_run" > /dev/null & + TARGET_URL=$(generate_signed_url "$AIP" "$APORT" "/trigger_run") + curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" > /dev/null & sleep 0.2 done fi @@ -415,7 +389,8 @@ while true; do if [ -n "$AGENT_IP" ] && [ -n "$AGENT_PORT" ]; then send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` ($AGENT_IP) 下发 [quality] 指令,请稍候..." - RESPONSE=$(call_agent "$AGENT_IP" "$AGENT_PORT" "/trigger_quality") + TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_quality") + RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED") if [ "$RESPONSE" == "FAILED" ]; then send_msg "$CHAT_ID" "❌ 指令下发超时或失败!请检查节点公网 IP 或防火墙端口 ($AGENT_PORT) 是否放行。" 
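Review bot: Every new `curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL"` line (here and in the hunks at -565, -657, -695 and -731) disables certificate verification, so the agent's self-signed certificate authenticates nothing and the only protection on the command channel is the URL HMAC, whose key is `$CHAT_ID` (generate_signed_url context at -76 of this file), a value shared with everyone in the chat and not designed as a secret; a defender would pin the agent's certificate or public key captured at registration (`--cacert` or `--pinnedpubkey`) rather than pass `-k`. The `|| echo "FAILED"` sentinel also fires only on transport failure: without `-f` a 4xx/5xx (e.g. a rejected signature) or an empty 200 body is captured as a successful RESPONSE, whereas the removed call_agent at least required a non-empty body, so `RESPONSE=$(curl -k -s -f --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED")` would restore that check. In the fire-and-forget loops at -327, -381 and -394 the output is discarded, so there `-f` only affects the exit status.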
@@ -565,7 +540,10 @@ while true; do AGENT_PORT=$(echo "$AGENT_INFO" | cut -d'|' -f2) if [ -n "$AGENT_IP" ] && [ -n "$AGENT_PORT" ]; then - RESPONSE=$(call_agent "$AGENT_IP" "$AGENT_PORT" "/trigger_toggle" "&mod=${MOD_NAME}&state=${TARGET_STATE}") + TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_toggle") + TARGET_URL="${TARGET_URL}&mod=${MOD_NAME}&state=${TARGET_STATE}" + + RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED") if [[ "$RESPONSE" == *"Action Accepted"* ]]; then db_exec "UPDATE nodes SET enable_${MOD_NAME}='$TARGET_STATE' WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE';" @@ -657,9 +635,13 @@ while true; do if [ -n "$AGENT_IP" ] && [ -n "$AGENT_PORT" ]; then send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` 下发重命名指令,正在建立加密隧道..." + TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_rename") + # [防线穿越] 借由 Base64 编码对下发特征进行混淆与防篡改护甲加持 ALIAS_B64=$(echo -n "$NEW_ALIAS" | base64 | tr -d '\n' | tr '+/' '-_') - RESPONSE=$(call_agent "$AGENT_IP" "$AGENT_PORT" "/trigger_rename" "&b64=${ALIAS_B64}") + TARGET_URL="${TARGET_URL}&b64=${ALIAS_B64}" + + RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED") if [ "$RESPONSE" == "FAILED" ]; then send_msg "$CHAT_ID" "❌ 指令下发超时!为防范劫持风险,已终止请求。" @@ -695,7 +677,8 @@ while true; do send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` 发送 OTA 触发报文..." fi - RESPONSE=$(call_agent "$AGENT_IP" "$AGENT_PORT" "/trigger_ota") + TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_ota") + RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED") if [ "$RESPONSE" == "FAILED" ]; then TEXT_RES="❌ OTA 指令下发彻底失败!链路异常或严禁使用 HTTP 降级通讯。" 
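Review bot: The `mod`/`state` query parameters appended to TARGET_URL after `generate_signed_url` returns are outside the signed payload, which covers only `${action_path}:${current_t}` (context at -76), so the signature proves nothing about which module is toggled or to what state; the same holds for `b64` in the rename hunk at -657, where the surrounding comment calls base64 "anti-tamper armor" although base64 is an encoding, not integrity protection. If the agent does not verify these parameters separately (not visible here), the fix is to include the full path-plus-query in the HMAC input on both sides, e.g. have the master sign `${action_path}?mod=${MOD_NAME}&state=${TARGET_STATE}:${current_t}` and the agent recompute over the same string before acting. Until then the `db_exec` UPDATE that follows a matching `Action Accepted` reply trusts a parameter the transport did not bind.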
@@ -731,7 +714,8 @@ while true; do send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` ($AGENT_IP) 下发 [$ACTION_TYPE] 指令,请稍候..." fi - RESPONSE=$(call_agent "$AGENT_IP" "$AGENT_PORT" "/trigger_${ACTION_TYPE}") + TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_${ACTION_TYPE}") + RESPONSE=$(curl -k -s --connect-timeout 5 -m 15 "$TARGET_URL" || echo "FAILED") if [ "$RESPONSE" == "FAILED" ]; then TEXT_RES="❌ 指令下发超时或失败!为保护链路安全,已终止通信 (严禁降级为 HTTP)。" diff --git a/version.txt b/version.txt index ec039ea..9535865 100644 --- a/version.txt +++ b/version.txt @@ -1,2 +1,2 @@ -MASTER_VERSION=4.2.0 -AGENT_VERSION=4.2.0 +MASTER_VERSION=4.1.7 +AGENT_VERSION=4.1.6