GithubBackup/IP-Sentinel
1
0
Fork 0
mirror of https://github.com/hotyue/IP-Sentinel.git synced 2026-06-12 12:49:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat(arch): 跃升 v4.2.2,重构控制面通讯链路,引入「客户端多宿主容灾寻址 (Multi-homing Fallback)」机制,支持全域双栈监听与毫秒级防黑洞重试打击,彻底免疫纯 IPv6、LXC、大内网 WARP 等高危阻断场景

Browse Source
This commit is contained in:
hotyue
2026-06-01 07:47:18 +00:00
parent aa4b6d9e6e
commit f218291720
3 changed files with 189 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
core/agent_daemon.sh
View File

@@ -55,21 +55,29 @@ if [ -n "$AGENT_IP" ]; then
fi
fi
# [v4.1.8 核心修复] 彻底解决 IPv6 致命耳聋漏洞 (Socket Binding Mismatch)
# 在拉起 Python 引擎前,由 Bash 强行锁定底层网络栈监听维度,抛弃脆弱的内部解析
if [[ "$AGENT_IP" == *":"* ]]; then
export BIND_ADDR="::"
echo "🌐 [Agent] 协议栈识别: 侦测到 IPv6 基因,底层路由强锁定至 [::]"
else
export BIND_ADDR="0.0.0.0"
echo "🌐 [Agent] 协议栈识别: 侦测到 IPv4 基因,底层路由强锁定至 0.0.0.0"
fi
# [v4.2.2 终极架构] 彻底剥离 Bash 对底层网络栈的干预,将控制权全权移交 Python 全域引擎
echo "🌐 [Agent] 底层网络栈已解锁,准备切入全域双栈监听模式 (Dual-Stack Universal Bind)"
# ==========================================================
# [加密通信] 强制构建自签名 TLS 装甲,屏蔽中间人嗅探
# ==========================================================
CERT_FILE="${INSTALL_DIR}/core/cert.pem"
KEY_FILE="${INSTALL_DIR}/core/key.pem"
# [v4.2.2 热修复] 检查证书是否过于陈旧,若是则强制销毁重铸 (保障平滑升级的 TLS 健康)
if [ -f "$CERT_FILE" ]; then
CERT_DATE=$(openssl x509 -noout -startdate -in "$CERT_FILE" 2>/dev/null | cut -d= -f2)
if [[ -n "$CERT_DATE" ]]; then
CERT_EPOCH=$(date -d "$CERT_DATE" +%s 2>/dev/null || echo 0)
V422_EPOCH=$(date -d "2026-05-31" +%s 2>/dev/null || echo 1780185600)
if [ "$CERT_EPOCH" -lt "$V422_EPOCH" ]; then
echo "🧹 [Agent] 侦测到旧版 (v4.2.2 前) 遗留 TLS 装甲,正在执行强制物理销毁..."
rm -f "$CERT_FILE" "$KEY_FILE"
fi
fi
fi
CERT_FILE="${INSTALL_DIR}/core/cert.pem"
KEY_FILE="${INSTALL_DIR}/core/key.pem"
if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then
echo "🔐 [Agent] 正在生成本地自签名 TLS 加密证书 (2048位 RSA)..."
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
@@ -479,17 +487,31 @@ import socket
# ----------------------------------------------------------
# [核心架构] 多线程非阻塞 Socket 模型 (抵抗 Slowloris 及阻塞攻击)
# ----------------------------------------------------------
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
class DualStackServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
allow_reuse_address = True
def server_bind(self):
# [核心魔改] 强行解除 Linux/Unix 的 IPv6 独占锁
# 实现一个 Socket 对象同时接管 IPv4 (0.0.0.0) 和 IPv6 (::) 的全域监听防漏接机制
if self.address_family == socket.AF_INET6:
try:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
except Exception:
pass
super().server_bind()
# [v4.1.8 终极修复] 废除脆弱的 Python 内置解析,直接读取 Bash 注入的底层环境变量
bind_addr = os.environ.get('BIND_ADDR', '0.0.0.0')
if bind_addr == "::":
ThreadedServer.address_family = socket.AF_INET6
else:
ThreadedServer.address_family = socket.AF_INET
# [v4.2.2 终极架构] 彻底抛弃配置文件的 IP 束缚,强行探测系统底层的双栈能力
bind_addr = "::"
address_family = socket.AF_INET6
try:
# 探针:如果机器是纯 IPv4 (连内核级的 IPv6 模块都没有被加载),强绑 :: 会引发 OSError此时自动降维
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.close()
except OSError:
bind_addr = "0.0.0.0"
address_family = socket.AF_INET
httpd = ThreadedServer((bind_addr, PORT), AgentHandler)
DualStackServer.address_family = address_family
httpd = DualStackServer((bind_addr, PORT), AgentHandler)
# ----------------------------------------------------------
# [加密通信] 强制全网挂载 TLS 加密隧道上下文

124
core/install.sh
View File

@@ -219,9 +219,13 @@ done
rm -f /etc/local.d/ip_sentinel.start 2>/dev/null
if [ "$UPGRADE_MODE" == "true" ]; then
# [v4.2.2 终极保障] 平滑升级时强制销毁旧版 TLS 证书与旧版 IP 缓存,逼迫下层组件重铸健康双栈装甲
rm -f "${INSTALL_DIR}/core/cert.pem" "${INSTALL_DIR}/core/key.pem" "${INSTALL_DIR}/core/.last_ip" 2>/dev/null
echo -e "🧹 历史底层缓存及残旧 TLS 证书已强制销毁,准备重铸安全装甲。"
if [ "$KEEP_LOGS" == "false" ]; then
rm -rf "${INSTALL_DIR}/logs" 2>/dev/null
echo -e "🗑️ 历史日志已按指令清空。"
echo -e "🗑️ 历史战地日志已按指令清空。"
else
echo -e "📦 历史配置与战地日志已妥善保留。"
fi
@@ -411,8 +415,31 @@ if [ "$UPGRADE_MODE" == "false" ]; then
# ----------------------------------------------------------
echo -e "\n\033[36m[4.5/7] 正在探测本机网络栈与可用出口 (多节点雷达扫描中)...\033[0m"
DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]')
DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]')
RAW_DETECT_V4=$( (curl -4 -s -m 3 api.ip.sb/ip || curl -4 -s -m 3 ifconfig.me || curl -4 -s -m 3 ipv4.icanhazip.com) 2>/dev/null | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -n 1 | tr -d '[:space:]')
RAW_DETECT_V6=$( (curl -6 -s -m 3 api.ip.sb/ip || curl -6 -s -m 3 ifconfig.me || curl -6 -s -m 3 ipv6.icanhazip.com) 2>/dev/null | grep -E "^[0-9a-fA-F:]+.*:" | head -n 1 | tr -d '[:space:]')
# [v4.2.2 源头防线] 引入工业级网卡追踪,双重过滤 WARP/TUN/NAT 等假公网环境
DETECT_V4=""
if [[ -n "$RAW_DETECT_V4" ]]; then
V4_DEV=$(ip route get 8.8.8.8 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
if [[ "$V4_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || \
[[ "$RAW_DETECT_V4" =~ ^104\.28\. ]] || \
[[ "$RAW_DETECT_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then
echo -e " \033[33m⚠ 雷达警告: 发现异常 IPv4 出口 ($RAW_DETECT_V4) 经由虚拟网卡 ($V4_DEV),已从通讯候选池中隔离。\033[0m"
else
DETECT_V4="$RAW_DETECT_V4"
fi
fi
DETECT_V6=""
if [[ -n "$RAW_DETECT_V6" ]]; then
V6_DEV=$(ip -6 route get 2001:4860:4860::8888 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
if [[ "$V6_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || [[ "$RAW_DETECT_V6" =~ ^fe80:|^::1 ]]; then
echo -e " \033[33m⚠ 雷达警告: 发现异常 IPv6 出口 ($RAW_DETECT_V6) 经由虚拟网卡 ($V6_DEV),已从通讯候选池中隔离。\033[0m"
else
DETECT_V6="$RAW_DETECT_V6"
fi
fi
IP_OPTIONS=()
IP_PROTO=()
@@ -461,7 +488,34 @@ if [ "$UPGRADE_MODE" == "false" ]; then
SAFE_PUBLIC_IP="$PUBLIC_IP"
fi
# ==========================================================
# [v4.2.2 终极架构] 智能主副容灾弹药装填 (Multi-IP Fallback)
# 严格排序: 1.养护IP (SAFE_PUBLIC_IP) 2.可用IPv4 3.可用IPv6
# ==========================================================
echo -e "\n\033[36m[4.6/7] 正在装填通讯容灾防线 (Multi-IP Fallback)...\033[0m"
COMM_IP="$SAFE_PUBLIC_IP"
# 注入次发弹药 (可用 IPv4)
if [[ -n "$DETECT_V4" ]] && [[ "$DETECT_V4" != "$PUBLIC_IP" ]]; then
COMM_IP="${COMM_IP},${DETECT_V4}"
fi
# 注入保底弹药 (可用 IPv6带括号保护)
if [[ -n "$DETECT_V6" ]] && [[ "$DETECT_V6" != "$PUBLIC_IP" ]]; then
[[ "$DETECT_V6" != *"["* ]] && SAFE_V6="[${DETECT_V6}]" || SAFE_V6="$DETECT_V6"
COMM_IP="${COMM_IP},${SAFE_V6}"
fi
SAFE_COMM_IP="$COMM_IP"
if [[ "$COMM_IP" == *","* ]]; then
echo -e " \033[32m✅ 成功组装多宿主容灾通讯专线: $SAFE_COMM_IP\033[0m"
else
echo -e " \033[33m⚠ 本机仅有单一出口,建立单轨通讯模式: $SAFE_COMM_IP\033[0m"
fi
echo -n "🕵️ 正在进行出站链路试射 (NAT环境与双栈嗅探)..."
RAW_TEST_IP=$(echo "$SAFE_PUBLIC_IP" | tr -d '[]')
if [[ "$RAW_TEST_IP" == *":"* ]]; then
@@ -536,6 +590,7 @@ LOG_FILE="${INSTALL_DIR}/logs/sentinel.log"
IP_PREF="$IP_PREF"
PUBLIC_IP="$SAFE_PUBLIC_IP"
BIND_IP="$BIND_IP"
COMM_IP="$SAFE_COMM_IP"
NODE_NAME="$NODE_NAME"
NODE_ALIAS="$NODE_ALIAS"
@@ -582,6 +637,41 @@ if [ "$UPGRADE_MODE" == "true" ]; then
SAFE_PUBLIC_IP="${PUBLIC_IP}"
fi
# [v4.2.2 热修复] 为老版本平滑补齐多宿主容灾通讯 IP
if ! grep -q "^COMM_IP=" "$CONFIG_FILE"; then
echo -e "\n🔄 [平滑迁移] 正在为老节点无损注入 v4.2.2 容灾通讯架构..."
TMP_PUB_IP=$(grep "^PUBLIC_IP=" "$CONFIG_FILE" | cut -d'"' -f2 | tr -d '[]')
RAW_V4=$(curl -4 -s -m 3 api.ip.sb/ip 2>/dev/null | tr -d '[:space:]')
RAW_V6=$(curl -6 -s -m 3 api.ip.sb/ip 2>/dev/null | tr -d '[:space:]')
V4_DEV=$(ip route get 8.8.8.8 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
if [[ "$V4_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || [[ "$RAW_V4" =~ ^104\.28\. ]] || [[ "$RAW_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then
RAW_V4=""
fi
V6_DEV=$(ip -6 route get 2001:4860:4860::8888 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -n 1)
if [[ "$V6_DEV" =~ ^(warp|wgcf|tun|tap|docker|br-|lo) ]] || [[ "$RAW_V6" =~ ^fe80:|^::1 ]]; then
RAW_V6=""
fi
[[ "$TMP_PUB_IP" == *":"* ]] && NEW_COMM_IP="[${TMP_PUB_IP}]" || NEW_COMM_IP="$TMP_PUB_IP"
if [[ -n "$RAW_V4" ]] && [[ "$RAW_V4" != "$TMP_PUB_IP" ]]; then
NEW_COMM_IP="${NEW_COMM_IP},${RAW_V4}"
fi
if [[ -n "$RAW_V6" ]] && [[ "$RAW_V6" != "$TMP_PUB_IP" ]]; then
NEW_COMM_IP="${NEW_COMM_IP},[${RAW_V6}]"
fi
echo "COMM_IP=\"$NEW_COMM_IP\"" >> "$CONFIG_FILE"
SAFE_COMM_IP="$NEW_COMM_IP"
echo -e " \033[32m✅ 成功注入容灾通讯专线: $SAFE_COMM_IP\033[0m"
else
SAFE_COMM_IP=$(grep "^COMM_IP=" "$CONFIG_FILE" | cut -d'"' -f2)
fi
if ! grep -q "^NODE_NAME=" "$CONFIG_FILE"; then
TMP_HASH=$(echo "${SAFE_PUBLIC_IP:-127.0.0.1}" | md5sum | cut -c 1-4 | tr 'a-z' 'A-Z')
NODE_NAME="$(hostname | tr -cd 'a-zA-Z0-9' | cut -c 1-10)-${TMP_HASH}"
@@ -873,7 +963,8 @@ EOF
# ----------------------------------------------------------
if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_PUBLIC_IP}|${AGENT_PORT}|${NODE_ALIAS}|${ENABLE_OTA}"
# 注册报文中塞入多宿主弹匣 SAFE_COMM_IP
REG_MSG="#REGISTER#|${REGION_CODE}|${NODE_NAME}|${SAFE_COMM_IP}|${AGENT_PORT}|${NODE_ALIAS}|${ENABLE_OTA}"
if [ "$UPGRADE_MODE" == "true" ]; then
OLD_VERSION=$(grep "^AGENT_VERSION=" "$CONFIG_FILE" | cut -d'"' -f2)
@@ -883,7 +974,8 @@ if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
echo -e "\n📡 [路由枢纽] 正在执行跨代架构重组 (v${OLD_VERSION} -> v${TARGET_VERSION})..."
TEXT_MSG="✨ *IP-Sentinel 引擎热更新完成!*
📍 节点:\`${NODE_ALIAS}\`
🌐 IP\`${SAFE_PUBLIC_IP}\`
🌐 养护 IP\`${SAFE_PUBLIC_IP}\`
📡 容灾 IP\`${SAFE_COMM_IP}\`
🚀 状态v${TARGET_VERSION} OTA 动态活体引擎已部署
⚠️ *战区架构已重组,请务必点击下方指令并发送,以同步新的防撞档案:*
@@ -898,7 +990,8 @@ if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
echo -e "\n📡 [路由枢纽] 正在执行静默平滑升级 (v${OLD_VERSION} -> v${TARGET_VERSION})..."
TEXT_MSG="✨ *IP-Sentinel 引擎热更新完成!*
📍 节点:\`${NODE_ALIAS}\`
🌐 IP\`${SAFE_PUBLIC_IP}\`
🌐 养护 IP\`${SAFE_PUBLIC_IP}\`
📡 容灾 IP\`${SAFE_COMM_IP}\`
🚀 状态v${TARGET_VERSION} OTA 动态活体引擎已部署"
JSON_PAYLOAD=$(jq -n --arg cid "$CHAT_ID" --arg txt "$TEXT_MSG" --arg cb "manage:${NODE_NAME}" '{chat_id: $cid, text: $txt, parse_mode: "Markdown", reply_markup: {inline_keyboard: [[{text: "⚙️ 调出该节点控制台", callback_data: $cb}]]}}')
@@ -918,7 +1011,8 @@ if [[ -n "$TG_TOKEN" ]] && [[ -n "$CHAT_ID" ]]; then
echo -e "\n📡 正在向指挥部发送注册暗号..."
TEXT_MSG="✨ *IP-Sentinel 部署成功!*
📍 区域:${REGION_NAME}
🌐 IP${SAFE_PUBLIC_IP}
🌐 养护 IP${SAFE_PUBLIC_IP}
📡 容灾 IP${SAFE_COMM_IP}
🔌 端口:${AGENT_PORT}
🔑 *请点击下方指令复制并回复给机器人:*
@@ -946,22 +1040,30 @@ echo "⚙️ 哨兵现已开启 [每20分钟] 的高频高拟真养护循环。"
if [[ -n "$TG_TOKEN" ]]; then
echo "📡 Webhook 监听已启动 (端口: $AGENT_PORT) 并向中枢发送了注册请求。"
# [v4.2.2 防火墙修正] 适配多宿主 IP 提示
IS_V6_COMM="false"
[[ "$SAFE_COMM_IP" == *":"* ]] && IS_V6_COMM="true"
FW_MSG=""
if command -v ufw >/dev/null 2>&1 && ufw status | grep -qw active; then
FW_MSG="ufw allow $AGENT_PORT/tcp"
elif command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active firewalld | grep -qw active; then
FW_MSG="firewall-cmd --zone=public --add-port=$AGENT_PORT/tcp --permanent && firewall-cmd --reload"
elif command -v iptables >/dev/null 2>&1; then
if [[ "$SAFE_PUBLIC_IP" == *":"* ]]; then
FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
if [ "$IS_V6_COMM" == "true" ]; then
if command -v ip6tables >/dev/null 2>&1; then
FW_MSG="ip6tables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
else
FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT # 提示: 系统缺失 ip6tables"
fi
else
FW_MSG="iptables -I INPUT -p tcp --dport $AGENT_PORT -j ACCEPT"
fi
fi
echo -e "\n\033[31m⚠ 【高危警告】您的节点身份已永久锁定为公网 IP: $SAFE_PUBLIC_IP\033[0m"
echo -e "\n\033[31m⚠ 【高危警告】您的节点通讯寻址池已锁定为: $SAFE_COMM_IP\033[0m"
echo -e "\033[33m为确保 Master 司令部能够成功下发指令,您【必须】前往云服务商 (如 AWS/Oracle/阿里云 等) 的网页控制台中,将安全组 (Security Group) 防火墙的 TCP $AGENT_PORT 端口彻底放行!\033[0m"
echo -e "\033[31m⛔ 禁止尝试通过修改脚本强行绑定局域网/内网 IP 来绕过通信阻断这无异于掩耳盗铃将彻底摧毁本系统“公网IP信用养护”的核心目标\033[0m\n"
echo -e "\033[31m⛔ 本系统已开启全域双栈监听,禁止尝试通过修改脚本强行绑定局域网 IP 来绕过通信阻断!\033[0m\n"
if [ -n "$FW_MSG" ]; then
echo "💡 检测到本地系统防火墙开启,您可以尝试执行以下命令放行本机端口 (注意: 云端安全组仍需您手动放行)"
echo -e "\033[36m $FW_MSG\033[0m"