GithubBackup/IP-Sentinel
1
0
Fork 0
mirror of https://github.com/hotyue/IP-Sentinel.git synced 2026-06-08 18:59:48 +08:00
Code Issues Packages Projects Releases Wiki Activity

chore: 回滚至 93a9bcb 版本,移除所有 v4.2.x 实验性网络架构修改

Browse Source
This commit is contained in:
hotyue
2026-06-01 06:59:32 +00:00
parent 21112796d0
commit aa4b6d9e6e
5 changed files with 54 additions and 176 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
core/agent_daemon.sh
View File

@@ -55,28 +55,23 @@ if [ -n "$AGENT_IP" ]; then
fi
fi
# [v4.1.8 核心修复] 彻底解决 IPv6 致命耳聋漏洞 (Socket Binding Mismatch)
# 在拉起 Python 引擎前,由 Bash 强行锁定底层网络栈监听维度,抛弃脆弱的内部解析
if [[ "$AGENT_IP" == *":"* ]]; then
export BIND_ADDR="::"
echo "🌐 [Agent] 协议栈识别: 侦测到 IPv6 基因,底层路由强锁定至 [::]"
else
export BIND_ADDR="0.0.0.0"
echo "🌐 [Agent] 协议栈识别: 侦测到 IPv4 基因,底层路由强锁定至 0.0.0.0"
fi
# ==========================================================
# [加密通信] 强制构建自签名 TLS 装甲,屏蔽中间人嗅探
# ==========================================================
CERT_FILE="${INSTALL_DIR}/core/cert.pem"
KEY_FILE="${INSTALL_DIR}/core/key.pem"
# [v4.2.0 热修复] 检查证书是否过于陈旧或可能损坏,若是则强制销毁重铸
if [ -f "$CERT_FILE" ]; then
# 提取证书创建时间,如果早于 2026-05-31v4.2.0 架构升级前),则强制扬了它!
CERT_DATE=$(openssl x509 -noout -startdate -in "$CERT_FILE" 2>/dev/null | cut -d= -f2)
if [[ -n "$CERT_DATE" ]]; then
CERT_EPOCH=$(date -d "$CERT_DATE" +%s 2>/dev/null || echo 0)
V420_EPOCH=$(date -d "2026-05-31" +%s 2>/dev/null || echo 1780185600)
if [ "$CERT_EPOCH" -lt "$V420_EPOCH" ]; then
echo "🧹 [Agent] 侦测到旧版 (v4.2.0前) 遗留 TLS 装甲,正在执行强制物理销毁..."
rm -f "$CERT_FILE" "$KEY_FILE"
fi
fi
fi
if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then
echo "🔐 [Agent] 正在生成全新的本地自签名 TLS 加密证书 (2048位 RSA)..."
echo "🔐 [Agent] 正在生成本地自签名 TLS 加密证书 (2048位 RSA)..."
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout "$KEY_FILE" -out "$CERT_FILE" \
-subj "/C=US/O=IP-Sentinel/CN=Agent-Sec" >/dev/null 2>&1 || true
@@ -484,30 +479,17 @@ import socket
# ----------------------------------------------------------
# [核心架构] 多线程非阻塞 Socket 模型 (抵抗 Slowloris 及阻塞攻击)
# ----------------------------------------------------------
class DualStackServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
allow_reuse_address = True
def server_bind(self):
# 强行解除 IPv6 独占锁,实现一个 Socket 同时接管 IPv4 和 IPv6 (全域防漏接)
if self.address_family == socket.AF_INET6:
try:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
except Exception:
pass
super().server_bind()
# [v4.2.2 终极架构] 彻底抛弃配置文件的 IP 束缚,强行探测系统底层的双栈能力
bind_addr = "::"
address_family = socket.AF_INET6
try:
# 探针:如果机器是纯 IPv4 (连 v6 模块都没有),强绑 :: 会崩溃,自动降维
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.close()
except OSError:
bind_addr = "0.0.0.0"
address_family = socket.AF_INET
# [v4.1.8 终极修复] 废除脆弱的 Python 内置解析,直接读取 Bash 注入的底层环境变量
bind_addr = os.environ.get('BIND_ADDR', '0.0.0.0')
if bind_addr == "::":
ThreadedServer.address_family = socket.AF_INET6
else:
ThreadedServer.address_family = socket.AF_INET
DualStackServer.address_family = address_family
httpd = DualStackServer((bind_addr, PORT), AgentHandler)
httpd = ThreadedServer((bind_addr, PORT), AgentHandler)
# ----------------------------------------------------------
# [加密通信] 强制全网挂载 TLS 加密隧道上下文