mirror of
https://github.com/hotyue/IP-Sentinel.git
synced 2026-07-12 08:01:23 +08:00
chore: 回滚至 93a9bcb 版本,移除所有 v4.2.x 实验性网络架构修改
This commit is contained in:
108
core/install.sh
108
core/install.sh
@@ -67,7 +67,7 @@ CONFIG_FILE="${INSTALL_DIR}/config.conf"
|
||||
|
||||
# [网络容灾] 挂载双栈并利用防抖重试护甲,从远端解析运行态版本约束
|
||||
TARGET_VERSION=$( (curl -fsSL --connect-timeout 5 --retry 2 "${REPO_RAW_URL}/version.txt" || curl -4 -fsSL --connect-timeout 5 --retry 2 "${REPO_RAW_URL}/version.txt") 2>/dev/null | grep "^AGENT_VERSION=" | cut -d'=' -f2 | tr -d '[:space:]')
|
||||
TARGET_VERSION=${TARGET_VERSION:-"4.2.0"}
|
||||
TARGET_VERSION=${TARGET_VERSION:-"4.1.1"}
|
||||
|
||||
version_lt() {
|
||||
test "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" && test "$1" != "$2"
|
||||
@@ -219,13 +219,9 @@ done
|
||||
rm -f /etc/local.d/ip_sentinel.start 2>/dev/null
|
||||
|
||||
if [ "$UPGRADE_MODE" == "true" ]; then
|
||||
# [v4.2.0 终极保障] 平滑升级时强制销毁旧版 TLS 证书与旧版 IP 缓存,逼迫下层组件重铸健康环境
|
||||
rm -f "${INSTALL_DIR}/core/cert.pem" "${INSTALL_DIR}/core/key.pem" "${INSTALL_DIR}/core/.last_ip" 2>/dev/null
|
||||
echo -e "🧹 历史底层缓存及残旧 TLS 证书已强制销毁,准备重铸安全装甲。"
|
||||
|
||||
if [ "$KEEP_LOGS" == "false" ]; then
|
||||
rm -rf "${INSTALL_DIR}/logs" 2>/dev/null
|
||||
echo -e "🗑️ 历史战地日志已按指令清空。"
|
||||
echo -e "🗑️ 历史日志已按指令清空。"
|
||||
else
|
||||
echo -e "📦 历史配置与战地日志已妥善保留。"
|
||||
fi
|
||||
@@ -411,35 +407,12 @@ if [ "$UPGRADE_MODE" == "false" ]; then
|
||||
fi
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# [网络锚定] 冗余网络栈探测与多出口智能嗅探 (v4.2.0 完全体)
|
||||
# [网络锚定] 冗余网络栈探测与多出口智能嗅探
|
||||
# ----------------------------------------------------------
|
||||
echo -e "\n\033[36m[4.5/7] 正在探测本机网络栈与可用出口 (多节点雷达扫描中)...\033[0m"
|
||||
|
||||
RAW_DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]')
|
||||
RAW_DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]')
|
||||
|
||||
# 引入工业级控制面网卡设备检测,双重过滤 WARP/TUN/桥接等假公网环境
|
||||
DETECT_V4=""
|
||||
if [[ -n "$RAW_DETECT_V4" ]]; then
|
||||
V4_DEV=$(ip route get 8.8.8.8 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
|
||||
if [[ "$V4_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || \
|
||||
[[ "$RAW_DETECT_V4" =~ ^104\.28\. ]] || \
|
||||
[[ "$RAW_DETECT_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then
|
||||
echo -e " \033[33m⚠️ 雷达警告: 发现异常 IPv4 出口 ($RAW_DETECT_V4) 经由虚拟网卡 ($V4_DEV),已从通讯候选池中安全隔离。\033[0m"
|
||||
else
|
||||
DETECT_V4="$RAW_DETECT_V4"
|
||||
fi
|
||||
fi
|
||||
|
||||
DETECT_V6=""
|
||||
if [[ -n "$RAW_DETECT_V6" ]]; then
|
||||
V6_DEV=$(ip -6 route get 2001:4860:4860::8888 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
|
||||
if [[ "$V6_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || [[ "$RAW_DETECT_V6" =~ ^fe80:|^::1 ]]; then
|
||||
echo -e " \033[33m⚠️ 雷达警告: 发现异常 IPv6 出口 ($RAW_DETECT_V6) 经由虚拟网卡 ($V6_DEV),已从通讯候选池中安全隔离。\033[0m"
|
||||
else
|
||||
DETECT_V6="$RAW_DETECT_V6"
|
||||
fi
|
||||
fi
|
||||
DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]')
|
||||
DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]')
|
||||
|
||||
IP_OPTIONS=()
|
||||
IP_PROTO=()
|
||||
@@ -488,28 +461,6 @@ if [ "$UPGRADE_MODE" == "false" ]; then
|
||||
SAFE_PUBLIC_IP="$PUBLIC_IP"
|
||||
fi
|
||||
|
||||
# ==========================================================
|
||||
# [v4.2.2 终极架构] 智能主副容灾弹药装填 (Multi-IP Fallback)
|
||||
# 不再纠结内网阻断,直接将所有存活 IP 以逗号拼接上报司令部,由司令部执行降级回退打击
|
||||
# ==========================================================
|
||||
echo -e "\n\033[36m[4.6/7] 正在装填通讯容灾防线 (Multi-IP Fallback)...\033[0m"
|
||||
COMM_IP="$SAFE_PUBLIC_IP"
|
||||
FALLBACK_IP=""
|
||||
|
||||
if [ "${IP_PREF}" == "6" ] && [ -n "$DETECT_V4" ]; then
|
||||
FALLBACK_IP="$DETECT_V4"
|
||||
elif [ "${IP_PREF}" == "4" ] && [ -n "$DETECT_V6" ]; then
|
||||
[[ "$DETECT_V6" != *"["* ]] && FALLBACK_IP="[${DETECT_V6}]" || FALLBACK_IP="$DETECT_V6"
|
||||
fi
|
||||
|
||||
if [ -n "$FALLBACK_IP" ]; then
|
||||
COMM_IP="${COMM_IP},${FALLBACK_IP}"
|
||||
echo -e " \033[32m✅ 成功建立双向容灾通讯专线: 主通道 $SAFE_PUBLIC_IP,备用通道 $FALLBACK_IP\033[0m"
|
||||
else
|
||||
echo -e " \033[33m⚠️ 暂无可用备用公网 IP,建立单轨通讯模式: $SAFE_PUBLIC_IP\033[0m"
|
||||
fi
|
||||
SAFE_COMM_IP="$COMM_IP"
|
||||
|
||||
echo -n "🕵️ 正在进行出站链路试射 (NAT环境与双栈嗅探)..."
|
||||
RAW_TEST_IP=$(echo "$SAFE_PUBLIC_IP" | tr -d '[]')
|
||||
|
||||
@@ -585,7 +536,6 @@ LOG_FILE="${INSTALL_DIR}/logs/sentinel.log"
|
||||
IP_PREF="$IP_PREF"
|
||||
PUBLIC_IP="$SAFE_PUBLIC_IP"
|
||||
BIND_IP="$BIND_IP"
|
||||
COMM_IP="$SAFE_COMM_IP"
|
||||
|
||||
NODE_NAME="$NODE_NAME"
|
||||
NODE_ALIAS="$NODE_ALIAS"
|
||||
@@ -632,34 +582,6 @@ if [ "$UPGRADE_MODE" == "true" ]; then
|
||||
SAFE_PUBLIC_IP="${PUBLIC_IP}"
|
||||
fi
|
||||
|
||||
# [v4.2.0 热修复] 为老版本司令部平滑补齐双轨通讯 IP (含设备路由与入站存活校验)
|
||||
if ! grep -q "^COMM_IP=" "$CONFIG_FILE"; then
|
||||
echo -e "\n🔄 [平滑迁移] 正在为老节点无损注入 v4.2.0 双轨通讯架构..."
|
||||
TMP_PUB_IP=$(grep "^PUBLIC_IP=" "$CONFIG_FILE" | cut -d'"' -f2 | tr -d '[]')
|
||||
|
||||
if [[ "$TMP_PUB_IP" == *":"* ]]; then
|
||||
TMP_V4=$(curl -4 -s -m 3 api.ip.sb/ip 2>/dev/null | tr -d '[:space:]' )
|
||||
V4_MIG_DEV=$(ip route get 8.8.8.8 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
|
||||
|
||||
if [[ -n "$TMP_V4" ]] && \
|
||||
! [[ "$V4_MIG_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] && \
|
||||
! [[ "$TMP_V4" =~ ^104\.28\. ]] && \
|
||||
! [[ "$TMP_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then
|
||||
NEW_COMM_IP="$TMP_V4"
|
||||
echo -e " \033[32m✅ 成功建立双轨架构: 养护走 IPv6,中枢控制走 IPv4 ($NEW_COMM_IP)\033[0m"
|
||||
else
|
||||
echo -e " \033[33m⚠️ 嗅探到的备用 IPv4 疑似为内网 NAT 或 WARP 伪装 IP,已安全退回纯 IPv6 单轨模式。\033[0m"
|
||||
NEW_COMM_IP="[$TMP_PUB_IP]"
|
||||
fi
|
||||
else
|
||||
NEW_COMM_IP="$TMP_PUB_IP"
|
||||
fi
|
||||
echo "COMM_IP=\"$NEW_COMM_IP\"" >> "$CONFIG_FILE"
|
||||
SAFE_COMM_IP="$NEW_COMM_IP"
|
||||
else
|
||||
SAFE_COMM_IP=$(grep "^COMM_IP=" "$CONFIG_FILE" | cut -d'"' -f2)
|
||||
fi
|
||||
|
||||
if ! grep -q "^NODE_NAME=" "$CONFIG_FILE"; then
|
||||
TMP_HASH=$(echo "${SAFE_PUBLIC_IP:-127.0.0.1}" | md5sum | cut -c 1-4 | tr 'a-z' 'A-Z')
|
||||
NODE_NAME="$(hostname | tr -cd 'a-zA-Z0-9' | cut -c 1-10)-${TMP_HASH}"
|
||||
@@ -951,7 +873,7 @@ EOF
|
||||
# ----------------------------------------------------------
|
||||
if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
|
||||
|
||||
REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_COMM_IP}|${AGENT_PORT}|${NODE_ALIAS}|${ENABLE_OTA}"
|
||||
REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_PUBLIC_IP}|${AGENT_PORT}|${NODE_ALIAS}|${ENABLE_OTA}"
|
||||
|
||||
if [ "$UPGRADE_MODE" == "true" ]; then
|
||||
OLD_VERSION=$(grep "^AGENT_VERSION=" "$CONFIG_FILE" | cut -d'"' -f2)
|
||||
@@ -996,8 +918,7 @@ if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
|
||||
echo -e "\n📡 正在向指挥部发送注册暗号..."
|
||||
TEXT_MSG="✨ *IP-Sentinel 部署成功!*
|
||||
📍 区域:${REGION_NAME}
|
||||
🌐 养护 IP:${SAFE_PUBLIC_IP}
|
||||
📡 通讯 IP:${SAFE_COMM_IP}
|
||||
🌐 IP:${SAFE_PUBLIC_IP}
|
||||
🔌 端口:${AGENT_PORT}
|
||||
|
||||
🔑 *请点击下方指令复制并回复给机器人:*
|
||||
@@ -1026,28 +947,19 @@ if [[ -n "$TG_TOKEN" ]]; then
|
||||
echo "📡 Webhook 监听已启动 (端口: $AGENT_PORT) 并向中枢发送了注册请求。"
|
||||
|
||||
FW_MSG=""
|
||||
# [v4.2.1 防火墙修正] 严格依据通讯面专线 (COMM_IP) 协议栈生成放行指令
|
||||
IS_V6_COMM="false"
|
||||
[[ "$SAFE_COMM_IP" == *":"* ]] && IS_V6_COMM="true"
|
||||
|
||||
if command -v ufw >/dev/null 2>&1 && ufw status | grep -qw active; then
|
||||
# UFW 默认同时添加双栈规则,无需特地区分,但注释中可指明
|
||||
FW_MSG="ufw allow $AGENT_PORT/tcp"
|
||||
elif command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active firewalld | grep -qw active; then
|
||||
FW_MSG="firewall-cmd --zone=public --add-port=$AGENT_PORT/tcp --permanent && firewall-cmd --reload"
|
||||
elif command -v iptables >/dev/null 2>&1; then
|
||||
if [ "$IS_V6_COMM" == "true" ]; then
|
||||
if command -v ip6tables >/dev/null 2>&1; then
|
||||
FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
|
||||
else
|
||||
FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT # 提示: 系统缺失 ip6tables 命令"
|
||||
fi
|
||||
if [[ "$SAFE_PUBLIC_IP" == *":"* ]]; then
|
||||
FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
|
||||
else
|
||||
FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo -e "\n\033[31m⚠️ 【高危警告】您的节点通讯身份已永久锁定为公网 IP: $SAFE_COMM_IP\033[0m"
|
||||
echo -e "\n\033[31m⚠️ 【高危警告】您的节点身份已永久锁定为公网 IP: $SAFE_PUBLIC_IP\033[0m"
|
||||
echo -e "\033[33m为确保 Master 司令部能够成功下发指令,您【必须】前往云服务商 (如 AWS/Oracle/阿里云 等) 的网页控制台中,将安全组 (Security Group) 防火墙的 TCP $AGENT_PORT 端口彻底放行!\033[0m"
|
||||
echo -e "\033[31m⛔ 禁止尝试通过修改脚本强行绑定局域网/内网 IP 来绕过通信阻断,这无异于掩耳盗铃,将彻底摧毁本系统“公网IP信用养护”的核心目标!\033[0m\n"
|
||||
if [ -n "$FW_MSG" ]; then
|
||||
|
||||
Reference in New Issue
Block a user